refactor(frontend): route protected API access through server session

.sisyphus/evidence/task-T8-protected-nav.md

@@ -0,0 +1,18 @@
+# Task T8 Protected Navigation
+
+- QA app: `http://127.0.0.1:4175`
+- Backend: `http://127.0.0.1:8002`
+- Mock OIDC issuer: `http://127.0.0.1:9100`
+- Backend DB: `.sisyphus/evidence/task-T8-qa.sqlite`
+
+Authenticated shell and protected route checks executed with Playwright:
+
+- `/` -> title `Dashboard - innercontext`, heading `Dashboard`, shell user `Playwright User`, role `Użytkownik`, logout visible `true`
+- `/products` -> title `Produkty — innercontext`, heading `Produkty`, shell user `Playwright User`, role `Użytkownik`, logout visible `true`
+- `/profile` -> title `Profil — innercontext`, heading `Profil`, shell user `Playwright User`, role `Użytkownik`, logout visible `true`
+- `/routines` -> title `Rutyny — innercontext`, heading `Rutyny`, shell user `Playwright User`, role `Użytkownik`, logout visible `true`
+
+Logout endpoint check executed with Playwright request API:
+
+- `GET /auth/logout` -> `303`
+- Location -> `http://127.0.0.1:9100/logout?client_id=innercontext-web&post_logout_redirect_uri=http%3A%2F%2F127.0.0.1%3A4175%2F`

.sisyphus/evidence/task-T8-signed-out-network.txt

@@ -0,0 +1,10 @@
+Playwright unauthenticated request check
+
+request: GET http://127.0.0.1:4175/products
+cookies: none
+maxRedirects: 0
+
+status: 303
+location: /auth/login?returnTo=%2Fproducts
+
+result: protected page redirects to the login flow before returning page content.