Plan 0 (workspaces): add workspaces + workspace_memberships schema, extend
JWT/Actor/claims with primary_workspace_id, seed default workspace per tenant,
thread workspace_id through tenant monitoring quota.
Plan A (desktop skeleton): new Electron app (apps/desktop-client) with main/
preload/renderer, shared Vue component package (packages/ui-shared), and server
surface — desktop client registration + token rotation + heartbeat, SSE task
event stream, desktop accounts/tasks/content handlers, publish job endpoint,
and supporting repositories, services, sqlc queries, and migrations.
Hard cutover per plan: remove browser-extension monitoring callback endpoints,
stub legacy media API in admin-web, and delete monitoring_callback_handler.go.
- Collect per-request auth diagnostics (header presence, scheme, token
fingerprint, failure stage/reason, subject, expiry) in the auth
middleware and expose them through RequestLogContextFromGin so the
shared logger middleware can emit them.
- Add route, query, user-agent, and referer fields to the request log.
- Log knowledge resolve outcome per stage (no_search_points,
no_candidate_text, no_active_candidates, rerank_failed_fallback,
resolved) with candidate/selected snippet previews and precise facts.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>