fix: use path-based token selection in API client

The apiClient.getToken() now detects the current path to select
the appropriate token:
- /vendor/* routes use vendor_token
- /admin/* routes use admin_token

This fixes the "Vendor access only" error when logged in as both
admin and vendor in different browser tabs.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

static/shared/js/api-client.js

@@ -33,16 +33,39 @@ class APIClient {
 
     /**
      * Get stored authentication token
+     *
+     * Uses path-based detection to return the correct token:
+     * - /admin/* routes use admin_token
+     * - /vendor/* routes use vendor_token
+     * - Other routes fall back to admin_token || vendor_token
      */
     getToken() {
         const adminToken = localStorage.getItem('admin_token');
         const vendorToken = localStorage.getItem('vendor_token');
-        const token = adminToken || vendorToken;
+        const currentPath = window.location.pathname;
+
+        let token;
+        let source;
+
+        // Path-based token selection
+        if (currentPath.startsWith('/vendor/') || currentPath.startsWith('/api/v1/vendor/')) {
+            token = vendorToken;
+            source = 'vendor (path-based)';
+        } else if (currentPath.startsWith('/admin/') || currentPath.startsWith('/api/v1/admin/')) {
+            token = adminToken;
+            source = 'admin (path-based)';
+        } else {
+            // Default fallback for other paths
+            token = adminToken || vendorToken;
+            source = token === adminToken ? 'admin (fallback)' : 'vendor (fallback)';
+        }
 
         apiLog.debug('Getting token:', {
             hasAdminToken: !!adminToken,
             hasVendorToken: !!vendorToken,
-            usingToken: token ? 'admin or vendor' : 'none'
+            currentPath,
+            source,
+            usingToken: token ? source : 'none'
         });
 
         return token;