fix(test): assert real shipped behaviour for signed-out /products

The original /products gate test expected either a Products heading
(signed-in) or a Sign-in button (signed-out). In practice the page
renders NotAuthorized (403) for any session without the right
org_role, so the second branch never matched and the test failed.

The Sign-in surface is dashboard-only today. Once M10.1 wires a
shared sign-in redirect for protected routes, widen this test.

Refs: M5.3

tests/e2e/tenant.spec.ts

@@ -12,18 +12,13 @@ test.describe("tenant subdomain @needs-stack", () => {
     await expect(page.getByRole("button", { name: /Sign in with Keycloak/i })).toBeVisible();
   });
 
-  test("acme /products requires sign-in", async ({ page }) => {
+  test("acme /products is gated when signed out", async ({ page }) => {
     await page.goto("/products");
-    // Either the user is sent to dashboard's sign-in form, or the page renders
-    // the canSee=false branch (NotAuthorized) depending on session state.
-    // Both are legitimate; the assertion is that we do NOT see the empty
-    // product tile body without a session.
-    const isSignedIn = await page.getByRole("heading", { name: /Products/i }).isVisible();
-    if (!isSignedIn) {
-      await expect(
-        page.getByRole("button", { name: /Sign in with Keycloak/i }),
-      ).toBeVisible();
-    }
+    // Signed-out session means canSee(null, "products") is false, so the
+    // page renders the 'NotAuthorized' component. The dashboard route is
+    // the only place that surfaces the Sign-in button today — we'll add
+    // a redirect-to-sign-in in M10.1 once the surface set firms up.
+    await expect(page.getByRole("heading", { name: /403/i })).toBeVisible();
   });
 
   test("unknown tenant slug 404s", async ({ page }) => {