Feat/web saas single user

[cllarisy]

非常抱歉！我是 GitHub 菜鸟，不小心将自己 fork 分支的 commits 推送到了大佬的主项目中，我想挖个坑跳进去！
I'm really sorry! I'm a GitHub newbie, and I accidentally pushed commits from my fork branch to your main project. I feel so embarrassed that I just want to dig a hole and hide in it!

Summary

Feature Quality Contract

• Changed surface:
• Tests added or updated:
• Coverage evidence:
• E2E / live-model evidence:
• Known risk / rollback:

Verification

• I ran the relevant local checks, or explained why they do not apply.
• I added or updated same-area tests for every production behavior change.
• I ran bun run verify for code changes, including the coverage gate.
• New or changed executable production lines meet the changed-line coverage threshold, or the blocker/maintainer override is documented.
• I attached or summarized the quality report path, JUnit/log artifact path, and pass/fail/skip counts.
• I ran E2E/live smoke for cross-boundary, provider/runtime, desktop chat, agent-loop, native, or release changes, or documented the blocker.

Risk

• This PR does not touch CLI core paths, or it has maintainer approval for allow-cli-core-change.
• Production code changes include matching tests, or have maintainer approval for allow-missing-tests.
• Coverage baseline/threshold changes have maintainer approval for allow-coverage-baseline-change.
• Quarantined tests still have owners, exit criteria, and unexpired review windows.
• Provider/runtime changes were covered by mock contract tests, and live smoke was run or explicitly deferred.

@dosubot review this PR for changed-area risk, missing tests, docs impact, desktop startup risk, and CLI core impact.

[github-actions]

PR quality triage

Changed areas: area:desktop, area:docs, area:server

CLI core policy: No CLI-core policy block detected.

Missing-test policy: Blocked by policy until a maintainer applies allow-missing-tests or matching tests are added.

Coverage baseline policy: No coverage-baseline policy block detected.

CLI core files:

• none

Coverage policy files:

• none

Expected checks:

• change-policy
• desktop-checks
• server-checks
• desktop-native-checks
• docs-checks
• coverage-checks

Test coverage signals:

• BLOCKING unless allow-missing-tests is applied: Desktop product files changed without a desktop test file in the PR.
• BLOCKING unless allow-missing-tests is applied: Agent/runtime product files changed without a tools/utils test file in the PR.
• Agent/model runtime path changed: use mock/request-shape tests in PR and maintainer live-model smoke before release.

Risk notes:

• Desktop state/API layer changed: verify store persistence, WebSocket behavior, and startup errors.
• Session runtime changed: review reconnect, startup diagnostics, provider selection, and thinking settings.

Hard merge gates still come from GitHub Actions, not AI review.

Dosu handoff: Dosu can be used as the AI reviewer for risk explanation, missing-test prompts, and maintainer Q&A. If it does not comment automatically from the PR template, ask:

@dosubot review this PR for changed-area risk, missing tests, docs impact, desktop startup risk, and CLI core impact.

[dosubot]

Hi @cllarisy! I'm Dosu and I’m helping the cc-haha team.

Here's my review of PR #476 across the requested dimensions:

---

Changed-Area Risk

High Risk 🔴

1. Authentication fully disabled — requireAuth middleware now returns null for all requests. This is only safe for single-user deployments on isolated/trusted networks. Any internet-facing exposure without a reverse proxy or network isolation is a critical vulnerability.

2. Permissive CORS — All origins are now allowed. Same concern as above: only acceptable behind a trusted boundary.

3. --dangerously-skip-permissions always used — The workspace root becomes the sole security boundary. A bug in path validation = unrestricted filesystem access.

Medium Risk 🟡

4. Breaking API contract — Session creation changed from workDir → workspaceName. Existing clients calling this API will break with no documented migration path.

5. Removed endpoints — Computer Use, OAuth, Doctor, H5-access all return 404. No version negotiation or graceful degradation for existing integrations.

6. Workspace root path edge cases — Cross-platform path normalization (Windows vs Unix) is tested but real-world edge cases may surface.

---

Missing Tests

Test coverage is good overall — 5 new test files and 6 updated test files. Gaps I'd flag:

• No tests for isWebRuntime() runtime detection logic in the desktop frontend.
• No tests verifying that desktop components gracefully handle disabled APIs when running in web mode.
• No integration tests for the Vite path-alias reuse (@desktop/*) to catch breakage from desktop component changes.
• No negative tests for the workspace root singleton lifecycle (e.g., what happens if configureWorkspaceRoot() is never called before a request arrives).

---

Docs Impact

✅ New documentation added at docs/web-saas/01-quickstart.md covering:

• Server startup with CC_HAHA_WORKSPACES_ROOT env var
• Web frontend build/dev instructions
• Intentionally disabled features
• Workspace root security model

Gap: No documentation on the API contract change (workDir → workspaceName) or client migration steps.

---

Desktop Startup Risk

Moderate. Three files affect startup flow:

• AppShell.tsx — Conditionally skips initializeDesktopServerUrl() when isWebRuntime() is true.
• desktopRuntime.ts — New runWebRuntimeBootstrap() sets base URL to window.location.origin and auth token to null.
• web/src/main.tsx — Calls bootstrap before render.

Risk: if isWebRuntime() detection fails or is misconfigured, the desktop app could skip server URL init (broken desktop) or the web app could attempt Tauri-specific calls (runtime errors). No automated tests cover this branch.

---

CLI Core Impact

✅ No CLI core paths appear to be touched. Changes are confined to:

• Server API/routing
• Desktop/web frontend
• Service layer (workspace root, sessions, filesystem)

---

Summary Verdict

This is a major architectural change that introduces a single-user web deployment profile. The security trade-offs (disabled auth, permissive CORS, skipped permissions) are intentional but must be clearly communicated as deployment constraints. The test and docs coverage is reasonable but has the gaps noted above.

Recommendations before merge:

1. Document the workDir → workspaceName migration path for API consumers.
2. Add at least a smoke test for isWebRuntime() desktop startup branching.
3. Consider adding a startup warning log if the server binds to a public interface with auth disabled.
4. Verify workspace root singleton initialization has a fail-safe if called before configuration.

To reply, just mention @dosu.

---

Docs are dead. Just use Dosu.