Fetch preview store claim URL #7788

Open
alfonso-noriega wants to merge 2 commits into productionize-preview-store-create-main from preview-store-claim-url

alfonso-noriega commented Jun 12, 2026

WHY are these changes introduced?

Preview store creation now returns an access URL for immediately opening the store, but saving/claiming the preview store is a separate backend step. This PR extends shopify store create preview to request the claim URL after a successful create so the command output includes both access and claim links.

Backend endpoint contract:

POST /services/preview-stores/:shop_id/claim

Headers:

  • Requires the preview store Admin API token returned by create.

Request:

{
  "email": "optional recipient email"
}

Response:

{
  "claim_url": "https://admin.shopify.com/store-transfer/accept/:claim_token"
}

WHAT is this pull request doing?

  • Adds a preview-store claim client for POST /services/preview-stores/:shop_id/claim.
  • Sends the returned Admin API token in the claim request headers.
  • Calls the claim endpoint after preview store creation and local auth persistence.
  • Includes the returned claim_url in store create preview JSON output.
  • Displays the claim URL in text output and next steps.
  • Redacts tokenized claim URLs from malformed-response diagnostics.

How to test your changes?

  • pnpm --filter @shopify/store exec vitest run src/cli/commands/store/create/preview.test.ts src/cli/services/store/create/preview/client.test.ts src/cli/services/store/create/preview/index.test.ts src/cli/services/store/create/preview/result.test.ts
  • pnpm nx run store:lint --skip-nx-cache --output-style=stream
  • pnpm --filter @shopify/store run type-check
  • /usr/bin/git diff --check

Post-release steps

None.

Checklist

  • I've considered possible cross-platform impacts (Mac, Linux, Windows)
  • I've considered possible documentation changes
  • I've considered analytics changes to measure impact
  • The change is user-facing — changeset added for @shopify/store

alfonso-noriega commented Jun 12, 2026

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.

This stack of pull requests is managed by Graphite. Learn more about stacking.

github-actions bot added the "Area: @shopify/cli" label (@shopify/cli package issues) Jun 12, 2026
alfonso-noriega marked this pull request as ready for review June 12, 2026 15:06
alfonso-noriega requested review from a team as code owners June 12, 2026 15:07
},
nextSteps: [
`Open ${response.accessUrl} to view and access your preview store.`,
`Claim ${claim.claimUrl} to save your preview store and continue editing later.`,
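
Review bot: The `nextSteps` line that interpolates `claim.claimUrl` prints the full claim link, and the endpoint contract in the description shows that link carrying the claim token in its path (`/store-transfer/accept/:claim_token`). The description says tokenized claim URLs are redacted from malformed-response diagnostics, so it is worth stating in the PR or the command docs that the success output (text and JSON) intentionally contains the token, since that output can end up in CI logs or shared terminals.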

I think this language needs updating from the doc -- currently it reads "Create an account (https://x12y45z.myshopify.com/?foo=bar) for free to save progress."

dmerand left a comment

'bot had a good point on this one.

options: PreviewStoreRequestOptions = {},
): Promise<PreviewStoreClaimResponse> {
const fqdn = await appManagementFqdn()
const url = `https://${fqdn}/services/preview-stores/${request.shopId}/claim`

🔒 Security: Worth reviewing the claim URL construction because shopId is interpolated directly into a path segment. In this file, shopId ultimately comes from response narrowing that accepts any string or number, so a value containing /, ?, #, or traversal-like characters could change the requested path on the same host while still sending the Admin API token headers.

Suggestion: Encode the path segment before interpolation.

Suggested change
const url = `https://${fqdn}/services/preview-stores/${request.shopId}/claim`
const url = `https://${fqdn}/services/preview-stores/${encodeURIComponent(request.shopId)}/claim`
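
The path-segment concern raised in the review comment above, as an added example (not code from the PR or from any participant): it compares the request target produced by raw interpolation with the one produced by `encodeURIComponent`, and adds a stricter check. The host `app.example.test`, the sample `shopId` values and the `checkedClaimUrl` guard are constructed or hypothetical.

```javascript
// Constructed host for illustration; the PR resolves the real one with appManagementFqdn().
const FQDN = 'app.example.test'
const BASE = '/services/preview-stores'

// Interpolation as in the line under review: shopId enters the path unescaped.
function rawClaimUrl(fqdn, shopId) {
  return `https://${fqdn}${BASE}/${shopId}/claim`
}

// Interpolation as in the suggested change.
function encodedClaimUrl(fqdn, shopId) {
  return `https://${fqdn}${BASE}/${encodeURIComponent(shopId)}/claim`
}

// Path, query and fragment that result once the string is parsed as a URL.
function requestTarget(urlString) {
  const {pathname, search, hash} = new URL(urlString)
  return pathname + search + hash
}

// Hypothetical guard (not in the PR): encode, then confirm the parsed URL
// still targets exactly <BASE>/<segment>/claim with no query or fragment.
function checkedClaimUrl(fqdn, shopId) {
  const segment = encodeURIComponent(shopId)
  const url = new URL(`https://${fqdn}${BASE}/${segment}/claim`)
  const intact = url.pathname === `${BASE}/${segment}/claim` && !url.search && !url.hash
  if (segment === '' || !intact) {
    throw new Error('shopId does not form a single path segment')
  }
  return url.href
}

// Constructed shopId values, printed as raw target vs encoded target.
for (const shopId of [12345, '123/../../other', '123?x=', '123#', '..']) {
  console.log(JSON.stringify(shopId),
    requestTarget(rawClaimUrl(FQDN, shopId)),
    requestTarget(encodedClaimUrl(FQDN, shopId)))
}
```

`encodeURIComponent` leaves `.` and `..` unchanged, so a `shopId` of exactly `..` still collapses the path to `/services/claim` after encoding; the guard rejects that case because the parsed pathname no longer matches the intended one.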
