One Header That Prevented a Class of Bugs

Three issues, one root cause pattern: the frontend assumed things about the backend that were no longer true.

Issue #136: deleted quotes returned a generic 404. A customer clicking an old quote link saw "Page not found" — the same message they'd see for a typo in the URL. Now deleted quotes return HTTP 410 Gone, and the frontend shows a distinct message: "This quote has expired." Different error, different meaning, different response from the customer.

Issues #133 and #135 shared a single root cause: the frontend never explicitly sent tenant context. Every API call relied on the backend's default-tenant fallback in the EnsureTenantContext middleware. When the fallback failed — widget configuration on the Settings page, activity timeline on the Orders page — the endpoint returned 400 "No tenant selected."

The fix was one line in one file: add X-Tenant-Id to getAuthHeaders() in the central auth utility. Every API call in the application flows through this function. One header, added once, prevents an entire class of tenant-context bugs. The frontend now explicitly declares which tenant it's acting on behalf of, instead of hoping the backend can figure it out.