feat(desktop): implement workspace foundation + desktop-client skeleton

Plan 0 (workspaces): add workspaces + workspace_memberships schema, extend
JWT/Actor/claims with primary_workspace_id, seed default workspace per tenant,
thread workspace_id through tenant monitoring quota.

Plan A (desktop skeleton): new Electron app (apps/desktop-client) with main/
preload/renderer, shared Vue component package (packages/ui-shared), and server
surface — desktop client registration + token rotation + heartbeat, SSE task
event stream, desktop accounts/tasks/content handlers, publish job endpoint,
and supporting repositories, services, sqlc queries, and migrations.

Hard cutover per plan: remove browser-extension monitoring callback endpoints,
stub legacy media API in admin-web, and delete monitoring_callback_handler.go.
This commit is contained in:
2026-04-19 14:18:20 +08:00
parent 98f9e95875
commit b16e9f0bd1
141 changed files with 21533 additions and 357 deletions
@@ -30,7 +30,7 @@ func setupTestMiddleware(t *testing.T) (*Manager, *SessionStore, *miniredis.Mini
func TestAuthMiddleware_ValidToken(t *testing.T) {
mgr, sessions, _ := setupTestMiddleware(t)
pair, err := mgr.Issue(1, 10, "editor")
pair, err := mgr.Issue(1, 10, 100, "editor")
require.NoError(t, err)
r := gin.New()
@@ -52,6 +52,7 @@ func TestAuthMiddleware_ValidToken(t *testing.T) {
assert.Equal(t, http.StatusOK, w.Code)
assert.Equal(t, int64(1), gotActor.UserID)
assert.Equal(t, int64(10), gotActor.TenantID)
assert.Equal(t, int64(100), gotActor.PrimaryWorkspaceID)
assert.Equal(t, "editor", gotActor.Role)
}
@@ -87,7 +88,7 @@ func TestAuthMiddleware_InvalidToken(t *testing.T) {
func TestAuthMiddleware_RefreshTokenRejected(t *testing.T) {
mgr, sessions, _ := setupTestMiddleware(t)
pair, err := mgr.Issue(1, 10, "editor")
pair, err := mgr.Issue(1, 10, 100, "editor")
require.NoError(t, err)
r := gin.New()
@@ -105,7 +106,7 @@ func TestAuthMiddleware_RefreshTokenRejected(t *testing.T) {
func TestAuthMiddleware_BlacklistedToken(t *testing.T) {
mgr, sessions, mr := setupTestMiddleware(t)
pair, err := mgr.Issue(1, 10, "editor")
pair, err := mgr.Issue(1, 10, 100, "editor")
require.NoError(t, err)
// Blacklist the access token's JTI