fix: scope VTEX ID calls to commerce stable #658

Open
vmourac-vtex wants to merge 1 commit into master from fix/scope-vtexid-commerce-stable
@vmourac-vtex
What is the purpose of this pull request?

Scope VTEX ID calls in @vtex/api to the requesting account commerce stable host instead of the global vtexid.vtex.com.br host.

What problem is this solving?

This mirrors the rewriter cross-account request fix by validating VTEX ID tokens through {{account}}.vtexcommercestable.com.br and POST /api/vtexid/credential/validate?an={{account}}, avoiding cross-account token validation through the global VTEX ID endpoint.

CODEOWNERS: @vtex/composable-commerce-sq4.

How should this be manually tested?

  • yarn test ID.test.ts Auth.test.ts --runInBand
  • Changed-file lint with tslint for ID.ts, ID.test.ts, Auth.ts, and Auth.test.ts
  • yarn build
  • Search confirmed no remaining runtime references to vtexid.vtex.com.br or pub/authenticated/user
  • Linked local @vtex/api into rewriter/node and validated negative internal.save / internal.saveMany requests reached ensureAuthorization in storecomponents/victormoura
  • Positive live validation with a valid VtexIdclientAutCookie token still needs to be run in a secure shell session with VTEX_ID_TOKEN set

Known repo-wide verification notes:

  • Full yarn test --runInBand still fails in pre-existing OpenTelemetry OTLP resolution and axios ESM parsing suites unrelated to this change.
  • Full yarn lint still reports pre-existing repo-wide lint errors; changed files pass scoped lint.

Screenshots or example usage

N/A.

Types of changes

  • Bug fix (a non-breaking change which fixes an issue)
  • New feature (a non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Requires change to documentation, which has been updated accordingly.

Made with Cursor

Route VTEX ID validation through the requesting account commerce stable host to avoid cross-account token validation through the global VTEX ID endpoint.

Co-authored-by: Cursor <cursoragent@cursor.com>
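
Added example (not code from this pull request or from @vtex/api): one way to build the account-scoped validation URL described above and to check that an outbound URL stays on the requesting account's host. The function names, the sample account `acme` and the rule that an account is a single lowercase DNS label are assumptions; the request body is left out because the page does not show it.

```typescript
// Added example. All names here are hypothetical, not @vtex/api identifiers.
const COMMERCE_STABLE_SUFFIX = 'vtexcommercestable.com.br'
const VALIDATE_PATH = '/api/vtexid/credential/validate'

// Assumption: an account name is one lowercase DNS label. Anything with a dot,
// slash, '@', '#' or whitespace could move the token to a different host.
const ACCOUNT_LABEL = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/

function scopedHost(account: string): string {
  if (!ACCOUNT_LABEL.test(account)) {
    throw new Error('account is not a single DNS label')
  }
  return account + '.' + COMMERCE_STABLE_SUFFIX
}

// URL for POST /api/vtexid/credential/validate?an={{account}} on the
// requesting account's own commerce stable host.
function scopedValidateUrl(account: string): string {
  return 'https://' + scopedHost(account) + VALIDATE_PATH +
    '?an=' + encodeURIComponent(account)
}

// Guard for tests or an outbound-request hook: true only when the URL targets
// the requesting account's host, so the global host and other accounts fail.
function isScopedToAccount(url: string, account: string): boolean {
  if (!ACCOUNT_LABEL.test(account)) {
    return false
  }
  return url.indexOf('https://' + scopedHost(account) + '/') === 0
}

// Reports whether an account value would be refused before any request is built.
function rejectsAccount(account: string): boolean {
  try {
    scopedHost(account)
    return false
  } catch (err) {
    return true
  }
}
```
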