fix: prefix /api/session and /api/preferences with VITE_API_BASE

Both stores hardcoded /api/* paths without reading VITE_API_BASE, causing
/api/session to hit the menagerie root (no /snipe prefix) and receive a
302 redirect to circuitforge.tech/login instead of a session response.
Every other store already read VITE_API_BASE correctly.

web/src/stores/preferences.ts

@@ -11,6 +11,8 @@ export interface UserPreferences {
   }
 }
 
+const apiBase = (import.meta.env.VITE_API_BASE as string) ?? ''
+
 export const usePreferencesStore = defineStore('preferences', () => {
   const session = useSessionStore()
   const prefs = ref<UserPreferences>({})
@@ -25,7 +27,7 @@ export const usePreferencesStore = defineStore('preferences', () => {
     loading.value = true
     error.value = null
     try {
-      const res = await fetch('/api/preferences')
+      const res = await fetch(`${apiBase}/api/preferences`)
       if (res.ok) {
         prefs.value = await res.json()
       }
@@ -40,7 +42,7 @@ export const usePreferencesStore = defineStore('preferences', () => {
     if (!session.isLoggedIn) return
     error.value = null
     try {
-      const res = await fetch('/api/preferences', {
+      const res = await fetch(`${apiBase}/api/preferences`, {
         method: 'PATCH',
         headers: { 'Content-Type': 'application/json' },
         body: JSON.stringify({ path, value }),

web/src/stores/session.ts

@@ -42,8 +42,9 @@ export const useSessionStore = defineStore('session', () => {
   const isLoggedIn = computed(() => isCloud.value && userId.value !== 'anonymous' && !isGuest.value)
 
   async function bootstrap() {
+    const apiBase = (import.meta.env.VITE_API_BASE as string) ?? ''
     try {
-      const res = await fetch('/api/session')
+      const res = await fetch(`${apiBase}/api/session`)
       if (!res.ok) return  // local-mode with no session endpoint — keep defaults
       const data = await res.json()
       userId.value = data.user_id