Narong reported: signing in at another company's portal URL logged you in anyway — ending in a confusing "logged in but not your account" state. Fixed on the NIX Commerce side (login + backend). Gate-2 3/3 + staging smoke 5/5.
nix_session cookie is scoped to .nixtech.app, so
it travels to every tenant subdomain. The backend already rejected cross-tenant cookies on authed routes, but the
public /login route didn't scope to the subdomain (so a tenant-A account got a valid session at
tenant-B's URL), and the client left the resulting mismatch in a broken state.
/login now scopes to the subdomain from the request Origin
(server-authoritative); the portal passes its subdomain at sign-in and, on a TENANT_MISMATCH, clears the
stale session and bounces to this portal's login. No product data was ever cross-accessible — the JWT is
tenant-scoped — so this is an auth-hygiene fix, not a data-leak fix.
Entering a demo account's credentials at lumiere-coffee's portal is now rejected —
no session is issued.

The same account at its own portal signs in normally.

With a live demo session, visiting lumiere-coffee's portal no longer shows the
confusing "not your account" state — the stale session is cleared and you land on that portal's login.

nix-outdoor-sales-backend ddeae51 (staging Fly 17b8985) +
nix-commerce 3ec952f (staging 916a368). Touches shared tenant auth (Commerce + Cafe/Outdoor SSO
login) — parked on staging for a scheduled prod promote.