fix: auto-login after signup and context-aware token clearing

This fixes the "Authorization header required for API calls" error during
vendor onboarding after signup.

Changes:
- Generate JWT access token on signup completion
- Set vendor_token cookie for page navigation
- Return access_token in signup response for localStorage
- Store vendor_token in localStorage after signup completion
- Make clearTokens() context-aware to prevent cross-portal interference
- Fix vendor logout to not clear admin/customer tokens

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

static/shared/js/api-client.js

@@ -233,35 +233,66 @@ class APIClient {
     }
 
     /**
-     * Clear authentication tokens
+     * Clear authentication tokens for current context only.
+     *
+     * Uses path-based detection to clear only the relevant token:
+     * - /admin/* paths clear admin_token
+     * - /vendor/* paths clear vendor_token
+     * - /shop/* paths clear customer_token
+     * - Other paths clear all tokens (fallback)
      */
     clearTokens() {
-        apiLog.info('Clearing all authentication tokens...');
+        const currentPath = window.location.pathname;
+
+        apiLog.info('Clearing authentication tokens for path:', currentPath);
 
         const tokensBefore = {
             admin_token: !!localStorage.getItem('admin_token'),
             admin_user: !!localStorage.getItem('admin_user'),
             vendor_token: !!localStorage.getItem('vendor_token'),
             vendor_user: !!localStorage.getItem('vendor_user'),
+            customer_token: !!localStorage.getItem('customer_token'),
             token: !!localStorage.getItem('token')
         };
         apiLog.debug('Tokens before clear:', tokensBefore);
 
-        localStorage.removeItem('admin_token');
-        localStorage.removeItem('admin_user');
-        localStorage.removeItem('vendor_token');
-        localStorage.removeItem('vendor_user');
-        localStorage.removeItem('token');
+        // Context-aware token clearing to prevent cross-context interference
+        if (currentPath.startsWith('/admin/') || currentPath.startsWith('/api/v1/admin/')) {
+            apiLog.info('Clearing admin tokens only');
+            localStorage.removeItem('admin_token');
+            localStorage.removeItem('admin_user');
+        } else if (currentPath.startsWith('/vendor/') || currentPath.startsWith('/api/v1/vendor/')) {
+            apiLog.info('Clearing vendor tokens only');
+            localStorage.removeItem('vendor_token');
+            localStorage.removeItem('vendor_user');
+            localStorage.removeItem('currentUser');
+            localStorage.removeItem('vendorCode');
+        } else if (currentPath.includes('/shop/') || currentPath.startsWith('/api/v1/shop/')) {
+            apiLog.info('Clearing customer tokens only');
+            localStorage.removeItem('customer_token');
+        } else {
+            // Fallback: clear all tokens for unknown paths
+            apiLog.info('Unknown path context, clearing all tokens');
+            localStorage.removeItem('admin_token');
+            localStorage.removeItem('admin_user');
+            localStorage.removeItem('vendor_token');
+            localStorage.removeItem('vendor_user');
+            localStorage.removeItem('customer_token');
+            localStorage.removeItem('currentUser');
+            localStorage.removeItem('vendorCode');
+            localStorage.removeItem('token');
+        }
 
         const tokensAfter = {
             admin_token: !!localStorage.getItem('admin_token'),
             admin_user: !!localStorage.getItem('admin_user'),
             vendor_token: !!localStorage.getItem('vendor_token'),
             vendor_user: !!localStorage.getItem('vendor_user'),
+            customer_token: !!localStorage.getItem('customer_token'),
             token: !!localStorage.getItem('token')
         };
         apiLog.debug('Tokens after clear:', tokensAfter);
-        apiLog.info('All tokens cleared');
+        apiLog.info('Context-specific tokens cleared');
     }
 
     /**

static/vendor/js/init-alpine.js

@@ -106,12 +106,13 @@ function data() {
             } catch (error) {
                 console.error('⚠️ Logout API error (continuing anyway):', error);
             } finally {
-                // Clear all tokens and data
-                console.log('🧹 Clearing tokens...');
+                // Clear vendor tokens only (not admin or customer tokens)
+                console.log('🧹 Clearing vendor tokens...');
                 localStorage.removeItem('vendor_token');
+                localStorage.removeItem('vendor_user');
                 localStorage.removeItem('currentUser');
                 localStorage.removeItem('vendorCode');
-                localStorage.clear(); // Clear everything to be safe
+                // Note: Do NOT use localStorage.clear() - it would clear admin/customer tokens too
 
                 console.log('🔄 Redirecting to login...');
                 window.location.href = `/vendor/${this.vendorCode}/login`;