Update Codex handoff notes

HANDOFF.md

@@ -2,11 +2,11 @@
 
 Project: `ina-trading-web`
 Current branch: `main`
-Latest verified commit: `7e6446b`
+Latest verified commit: `aa406f5`
 
 ## Summary
 
-This codebase has recent updates around auth/onboarding, help/privacy pages, dashboard search, product creation/edit/review/detail, admin review/detail, stock/price editing, seller in-review listing, and backend request logging.
+This codebase has recent updates around auth/onboarding, help/privacy pages, dashboard search, product creation/edit/review/detail, admin review/detail, stock/price editing, seller in-review listing, backend request logging, expired-session redirects, product keyword limits, and sanitized backend error display.
 
 The latest build was verified successfully with:
 
@@ -14,6 +14,85 @@ The latest build was verified successfully with:
 npm run build
 ```
 
+Latest TypeScript verification after `aa406f5`:
+
+```bash
+npx tsc --noEmit
+```
+
+## Latest Codex Changes After `aa406f5`
+
+### Backend URL
+
+Local `.env.local` now points to:
+
+```bash
+NEXT_PUBLIC_API_URL=https://api.inatrading.co.id
+```
+
+The previous local value was `https://be.inatrading.co.id`.
+
+### Expired session / access denied handling
+
+Files:
+- `src/components/auth-session-guard.tsx`
+- `src/app/layout.tsx`
+
+Behavior:
+- A global client guard wraps local `/api/*` fetch calls, excluding `/api/auth/*`.
+- If a response is `401`, `403`, or contains auth-style error text such as:
+  - `access denied`
+  - `unauthorized`
+  - `session expired`
+  - `token expired`
+  - `invalid token`
+- It clears `token` and `role` from `localStorage` and `sessionStorage`, then redirects to `/login`.
+
+### Product create keyword limit
+
+Files:
+- `src/app/(dashboard)/products/new/details/page.tsx`
+- `src/lib/product-draft.tsx`
+- `src/lib/use-product-submit.ts`
+- `src/lib/translations/id.ts`
+- `src/lib/translations/en.ts`
+
+Behavior:
+- Create-product search keywords are limited to 3.
+- The keyword input and add button are disabled after 3 keywords.
+- Existing saved wizard drafts are normalized to a maximum of 3 keywords when loaded from `sessionStorage`.
+- Submit payload uses only the first 3 keywords as a backend guard.
+
+### Sanitized backend error display
+
+Files:
+- `src/lib/error-message.ts`
+- `src/lib/use-product-submit.ts`
+- `src/components/upload-field.tsx`
+- `src/app/(dashboard)/products/new/review/page.tsx`
+- `src/app/(dashboard)/products/[productId]/edit/page.tsx`
+- plus updated callers across dashboard, admin, settings, onboarding, upload, news, places, categories, and warehouse forms
+
+Behavior:
+- Raw JSON request/response error logs are no longer shown to users.
+- `Copy Error Log` UI was removed from create-product review and edit-product save errors.
+- `getBackendErrorMessage()` extracts a user-safe message from:
+  - `responseDesc`
+  - `message`
+  - `error`
+  - `details`
+  - nested `data`
+- JSON-looking strings are parsed for a useful message; if none is found, the UI falls back to the local generic error.
+- Long text messages are capped to avoid large raw dumps in the UI.
+
+### Verification notes
+
+- `npx tsc --noEmit` passed after the latest changes.
+- `npm run lint` still has pre-existing unrelated errors in:
+  - `src/app/(dashboard)/dashboard/page.tsx`
+  - `src/app/(dashboard)/layout.tsx`
+- Local dev server was running at `http://localhost:3000`.
+
 ## Current Local Changes After `7e6446b`
 
 These are the important local changes made after the last recorded commit. The latest local build was verified successfully with `npm run build`, and the production local server was restarted on `http://localhost:3000`.