API Client (`src/lib/apiClient.ts`) (Frontend Standard)

This document defines the standard API client shape used by UI code.

Rule: UI code calls the BFF only

Client-side code must call same-origin endpoints like /api/v1/....

Do not call backend service URLs from the browser.

Responsibilities

The API client should:

centralize fetch defaults (headers, credentials)
normalize errors into a consistent shape
be easy to mock in tests

Credential handling

Use cookie-based auth: requests should include credentials where appropriate.
CSRF tokens must be attached on unsafe requests (see Security → CSRF).