feat: enforce tenant route isolation

frontend/portal/src/utils/request.js

@@ -3,7 +3,10 @@ import { getTenantCode } from './tenant';
 
 export async function request(endpoint, options = {}) {
     const tenantCode = getTenantCode();
-    const baseUrl = tenantCode ? `/t/${tenantCode}/v1` : '/v1';
+    if (!tenantCode) {
+        throw new Error('Tenant code missing in URL');
+    }
+    const baseUrl = `/t/${tenantCode}/v1`;
     const token = localStorage.getItem('token');
     
     const headers = {
@@ -42,7 +45,7 @@ export async function request(endpoint, options = {}) {
             if (res.status === 401) {
                 localStorage.removeItem('token');
                 localStorage.removeItem('user');
-                const loginPath = tenantCode ? `/t/${tenantCode}/auth/login` : '/auth/login';
+                const loginPath = `/t/${tenantCode}/auth/login`;
                 // Redirect to login if not already there
                 if (!window.location.pathname.includes('/auth/login')) {
                     window.location.href = loginPath;