Use store auth sessions for theme commands

[alfonso-noriega]

WHY are these changes introduced?

Fixes https://github.com/shop/issues-develop/issues/22916.

Preview stores created by shopify store create preview persist an Admin API token in the store-auth cache. theme pull and theme push should be able to use that cached token when the user does not provide a Theme Access/Admin token via --password.

WHAT is this pull request doing?

• Adds a small @shopify/store helper that loads a matching store-auth cached Admin session using the same store-auth session path as store execute.
• Updates theme command session creation so explicit --password still wins, but missing --password can fall back to a matching cached store-auth Admin API token before normal theme authentication.
• Allows multi-environment theme configs to omit password when the matching store-auth cache session satisfies auth.
• Adds focused tests for explicit password precedence, store-auth fallback, missing-cache fallback, and multi-environment validation.

How to test your changes?

• pnpm --filter @shopify/theme exec vitest run src/cli/utilities/theme-command.test.ts
• pnpm --filter @shopify/store exec vitest run src/cli/services/store/auth/theme-session.test.ts
• pnpm --filter @shopify/theme run type-check
• pnpm --filter @shopify/store run type-check
• pnpm nx run theme:lint --skip-nx-cache --output-style=stream
• pnpm nx run store:lint --skip-nx-cache --output-style=stream
• pnpm --filter @shopify/theme run build
• pnpm --filter @shopify/store run build
• node bin/run-knip-ci.js
• /usr/bin/git diff --check

Post-release steps

None.

Checklist

• I've considered possible cross-platform impacts (Mac, Linux, Windows)
• I've considered possible documentation changes
• I've considered analytics changes to measure impact
• The change is user-facing — I've identified the correct bump type and added a changeset

[alfonso-noriega]

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

• Use store auth sessions for theme commands #7783 👈 (View in Graphite)
• Add production preview store create command #7764
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[github-actions]

Differences in type declarations

We detected differences in the type declarations generated by Typescript for this branch compared to the baseline ('main' branch). Please, review them to ensure they are backward-compatible. Here are some important things to keep in mind:

• Some seemingly private modules might be re-exported through public modules.
• If the branch is behind main you might see odd diffs, rebase main into this branch.

New type declarations

We found no new type declarations in this PR

Existing type declarations

packages/cli-kit/dist/public/common/url.d.ts

@@ -12,20 +12,4 @@ export declare function isValidURL(url: string): boolean;
  * @param url - The string to parse into a URL.
  * @returns A URL object if the parsing is successful, undefined otherwise.
  */
-export declare function safeParseURL(url: string): URL | undefined;
-/**
- * Extracts the lowercased hostname from a URL-shaped string. Tolerates
- * bare hosts (without a scheme) and inputs that come back from APIs as
- * either  or .
- *
- * @param value - A URL or bare host string, possibly null/undefined.
- * @returns The lowercased hostname, or undefined when the input is empty.
- */
-export declare function extractHost(value: string | null | undefined): string | undefined;
-/**
- * Extracts the subdomain handle from a  URL or host.
- *
- * @param value - A URL or host string, possibly null/undefined.
- * @returns The myshopify subdomain handle, or undefined when the input isn't a  URL.
- */
-export declare function extractMyshopifyHandle(value: string | null | undefined): string | undefined;
\ No newline at end of file
+export declare function safeParseURL(url: string): URL | undefined;
\ No newline at end of file