fix(kotlin-sdk): add /api prefix to all API paths for consistency

Normalize Kotlin SDK API paths to match Swift SDK and TypeScript SDK convention:
- BLAuthClient: /auth/* → /api/auth/*
- BLBlobClient: /blob/sas → /api/blob/sas
- BLCrashReporter: /telemetry/events → /api/telemetry/events
- BLFeatureFlagClient: /flags/poll → /api/flags/poll
- BLKillSwitchClient: /flags/kill-switch → /api/flags/kill-switch
- BLLicenseClient: /licenses/* → /api/licenses/*
- BLTelemetryClient: /telemetry/events → /api/telemetry/events

All SDKs now consistently include /api prefix in paths, with baseUrl
configured as http://host:port/api. Fixes incompatibility introduced
in recent path normalization (commit 78b942a).

packages/kotlin-platform-sdk/src/main/kotlin/com/bytelyst/platform/BLAuthClient.kt

@@ -145,7 +145,7 @@ class BLAuthClient(
                 ),
                 mapOf("email" to email, "password" to password, "productId" to config.productId),
             )
-            val response = client.request("POST", "/auth/login", body, skipAuth = true)
+            val response = client.request("POST", "/api/auth/login", body, skipAuth = true)
             val result = client.json.decodeFromString<TokenResponse>(response)
             handleAuthResult(result)
         } catch (e: Exception) {
@@ -168,7 +168,7 @@ class BLAuthClient(
                     "productId" to config.productId,
                 ),
             )
-            val response = client.request("POST", "/auth/register", body, skipAuth = true)
+            val response = client.request("POST", "/api/auth/register", body, skipAuth = true)
             val result = client.json.decodeFromString<TokenResponse>(response)
             handleAuthResult(result)
         } catch (e: Exception) {
@@ -195,7 +195,7 @@ class BLAuthClient(
                 ),
                 mapOf("refreshToken" to rt),
             )
-            val response = client.request("POST", "/auth/refresh", body, skipAuth = true)
+            val response = client.request("POST", "/api/auth/refresh", body, skipAuth = true)
             val result = client.json.decodeFromString<RefreshResponse>(response)
             setTokens(result.accessToken, result.refreshToken)
             true
@@ -219,7 +219,7 @@ class BLAuthClient(
             ),
             mapOf("email" to email, "productId" to config.productId),
         )
-        val response = client.request("POST", "/auth/forgot-password", body, skipAuth = true)
+        val response = client.request("POST", "/api/auth/forgot-password", body, skipAuth = true)
         return client.json.decodeFromString<MessageResponse>(response).message
     }
 
@@ -231,7 +231,7 @@ class BLAuthClient(
             ),
             mapOf("token" to token, "newPassword" to newPassword),
         )
-        val response = client.request("POST", "/auth/reset-password", body, skipAuth = true)
+        val response = client.request("POST", "/api/auth/reset-password", body, skipAuth = true)
         return client.json.decodeFromString<MessageResponse>(response).message
     }
 
@@ -243,7 +243,7 @@ class BLAuthClient(
             ),
             mapOf("currentPassword" to currentPassword, "newPassword" to newPassword),
         )
-        val response = client.request("POST", "/auth/change-password", body)
+        val response = client.request("POST", "/api/auth/change-password", body)
         return client.json.decodeFromString<MessageResponse>(response).message
     }
 
@@ -257,7 +257,7 @@ class BLAuthClient(
             ),
             mapOf("token" to token),
         )
-        val response = client.request("POST", "/auth/verify-email", body)
+        val response = client.request("POST", "/api/auth/verify-email", body)
         return client.json.decodeFromString<MessageResponse>(response).message
     }
 
@@ -269,7 +269,7 @@ class BLAuthClient(
             ),
             mapOf("email" to email, "productId" to config.productId),
         )
-        val response = client.request("POST", "/auth/resend-verification", body)
+        val response = client.request("POST", "/api/auth/resend-verification", body)
         return client.json.decodeFromString<MessageResponse>(response).message
     }
 
@@ -283,14 +283,14 @@ class BLAuthClient(
             ),
             mapOf("password" to password),
         )
-        val response = client.request("DELETE", "/auth/account", body)
+        val response = client.request("DELETE", "/api/auth/account", body)
         clearAll()
         _state.value = AuthState.LoggedOut
         return client.json.decodeFromString<MessageResponse>(response).message
     }
 
     suspend fun getMe(): AuthUser {
-        val response = client.request("GET", "/auth/me")
+        val response = client.request("GET", "/api/auth/me")
         return client.json.decodeFromString<AuthUser>(response)
     }
 

packages/kotlin-platform-sdk/src/main/kotlin/com/bytelyst/platform/BLBlobClient.kt

@@ -66,7 +66,7 @@ class BLBlobClient(
                     "contentType" to contentType,
                 ),
             )
-            val sasResponse = platformClient.request("POST", "/blob/sas", sasBody)
+            val sasResponse = platformClient.request("POST", "/api/blob/sas", sasBody)
             val sas = json.decodeFromString<SasResponse>(sasResponse)
 
             // Step 2: Upload directly to Azure Blob via SAS URL

packages/kotlin-platform-sdk/src/main/kotlin/com/bytelyst/platform/BLCrashReporter.kt

@@ -97,7 +97,7 @@ class BLCrashReporter(
                     put("productId", config.productId)
                     put("events", JsonArray(listOf(crashEvent)))
                 }
-                client.fireAndForget("POST", "/telemetry/events", json.encodeToString(payload))
+                client.fireAndForget("POST", "/api/telemetry/events", json.encodeToString(payload))
             } catch (_: Exception) {
                 // Best-effort — don't re-queue
             }

packages/kotlin-platform-sdk/src/main/kotlin/com/bytelyst/platform/BLKillSwitchClient.kt

@@ -7,7 +7,7 @@ import java.net.URLEncoder
 /**
  * Kill switch client for platform-service.
  *
- * Checks GET /api/flags/kill-switch to determine if the app should be disabled.
+ * Checks GET /api/settings/kill-switch to determine if the app should be disabled.
  * Fail-open: returns [KillSwitchResult.ok] on any error.
  *
  * Mirrors the Swift BLKillSwitchClient API.
@@ -33,8 +33,8 @@ class BLKillSwitchClient(
      */
     suspend fun check(): KillSwitchResult {
         return try {
-            val platform = URLEncoder.encode(config.platform, "UTF-8")
+            val productId = URLEncoder.encode(config.productId, "UTF-8")
-            val response = client.request("GET", "/api/flags/kill-switch?platform=$platform", skipAuth = true)
+            val response = client.request("GET", "/api/settings/kill-switch?productId=$productId", skipAuth = true)
             json.decodeFromString<KillSwitchResult>(response)
         } catch (_: Exception) {
             KillSwitchResult.ok()

packages/kotlin-platform-sdk/src/main/kotlin/com/bytelyst/platform/BLLicenseClient.kt

@@ -47,7 +47,7 @@ class BLLicenseClient(
                 ),
                 mapOf("productId" to config.productId),
             )
-            val response = client.request("POST", "/licenses/$encoded/activate", body)
+            val response = client.request("POST", "/api/licenses/$encoded/activate", body)
             json.decodeFromString<ActivationResult>(response)
         } catch (e: Exception) {
             ActivationResult(success = false, message = e.message)
@@ -60,7 +60,7 @@ class BLLicenseClient(
     suspend fun checkStatus(licenseKey: String): LicenseStatus {
         return try {
             val encoded = URLEncoder.encode(licenseKey, "UTF-8")
-            val response = client.request("GET", "/licenses/$encoded/status")
+            val response = client.request("GET", "/api/licenses/$encoded/status")
             json.decodeFromString<LicenseStatus>(response)
         } catch (e: Exception) {
             LicenseStatus(valid = false, message = e.message)
@@ -73,7 +73,7 @@ class BLLicenseClient(
     suspend fun deactivate(licenseKey: String): Boolean {
         return try {
             val encoded = URLEncoder.encode(licenseKey, "UTF-8")
-            client.request("POST", "/licenses/$encoded/deactivate")
+            client.request("POST", "/api/licenses/$encoded/deactivate")
             true
         } catch (_: Exception) {
             false

packages/swift-platform-sdk/README.md

@@ -11,7 +11,7 @@ Shared Swift platform client for all ByteLyst iOS/watchOS/macOS apps. Eliminates
 | `BLKeychain`          | Keychain CRUD for secure token storage                                                                                  |
 | `BLTelemetryClient`   | Telemetry event queue + batch flush (matches `@bytelyst/telemetry-client`)                                              |
 | `BLAuthClient`        | Auth operations: login, register, refresh, password ops, email verify, delete account (matches `@bytelyst/auth-client`) |
-| `BLFeatureFlagClient` | Feature flag polling from platform-service `/flags/poll`                                                                |
+| `BLFeatureFlagClient` | Feature flag polling from platform-service `/api/flags/poll`                                                            |
 | `BLSyncEngine`        | Generic offline-first sync engine with delta pull + batch push                                                          |
 | `BLBlobClient`        | Azure Blob Storage upload via SAS tokens from platform-service                                                          |
 | `BLKillSwitchClient`  | Kill switch check from platform-service (fail-open)                                                                     |