fix(ui): support external bearer-auth websocket hosts #166

Merged
onutc merged 4 commits into main from codex-spritz-external-ui-token-auth
Mar 26, 2026

@onutc (Member) commented Mar 26, 2026

TL;DR

This fixes the external-UI auth path in the Spritz web client. Chat and terminal WebSockets now honor an absolute Spritz API base URL and can authenticate with the configured bearer token instead of assuming same-origin cookie auth.

Summary

  • add a shared UI helper for building API-backed WebSocket URLs from relative or absolute API base URLs
  • pass the configured bearer token through ACP chat WebSocket connects, matching the existing terminal token model
  • add regression coverage for external UI chat and terminal connections against an absolute Spritz API host

Review focus

  • URL construction for native same-origin /api mode versus absolute external API hosts
  • bearer token propagation into browser WebSocket connects without affecting normal cookie-backed REST flows
  • regression test coverage for the two browser WebSocket surfaces

Test plan

  • pnpm --dir /Users/onur/repos/spritz/ui test src/pages/chat.test.tsx src/pages/terminal.test.tsx
  • pnpm --dir /Users/onur/repos/spritz/ui test
  • pnpm --dir /Users/onur/repos/spritz/ui typecheck
  • pnpm --dir /Users/onur/repos/spritz/ui build

@onutc (Member, Author) commented Mar 26, 2026

Final report for fa779e7

What changed:

  • keep ACP and terminal websockets on the current UI host by default, even when apiBaseUrl is absolute
  • add explicit websocketBaseUrl config/runtime wiring for deployments that intentionally want cross-host websocket upgrades
  • refresh bearer auth correctly for chat and terminal websocket reconnects
  • guard terminal socket teardown so a late close from an older socket cannot clear the active connection
  • add regression coverage for same-host defaults, explicit cross-host overrides, stale-token reconnects, and the stale-terminal-socket race

Local validation:

  • pnpm --dir ui test src/pages/chat.test.tsx src/pages/terminal.test.tsx -> passed
  • pnpm --dir ui test src/pages/terminal.test.tsx -> passed
  • pnpm --dir ui test -> passed (19 files, 145 tests)
  • pnpm --dir ui typecheck -> passed
  • pnpm --dir ui build -> passed
  • git diff --check -> passed

Review / PR status:

  • codex review --base main was rerun after the fix; the local CLI scanned the branch but stalled before printing its usual footer, and it emitted no P0/P1 findings before I killed the stuck subprocess
  • PR issue comments: none
  • PR inline review comments: none
  • GitHub checks on the current head are green: helm-tests and ui-tests

PR is ready for merge from my side.

@onutc onutc merged commit 23ff19e into main Mar 26, 2026
2 checks passed
@onutc onutc deleted the codex-spritz-external-ui-token-auth branch March 26, 2026 13:47
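
The connection rules listed in the final report above (same-host default, explicit websocketBaseUrl opt-in, fresh token on reconnect, stale-close guard), as an added TypeScript sketch that is not code from this PR or from Spritz. Only apiBaseUrl and websocketBaseUrl are names from the PR; the function names, the `token` query parameter, the reuse of the API path on the UI host and the cleartext refusal are assumptions.

```typescript
// Added sketch, not Spritz source. apiBaseUrl and websocketBaseUrl are named in the PR;
// every other name, the "token" query parameter and the path reuse are assumptions.
interface WsConfig { apiBaseUrl: string; websocketBaseUrl?: string }
interface SocketLike { onclose: (() => void) | null; close(): void }

function buildWsUrl(cfg: WsConfig, pageUrl: string, path: string, token?: string): string {
  const page = new URL(pageUrl);
  const api = new URL(cfg.apiBaseUrl, page); // accepts "/api" or an absolute URL
  // Default: stay on the UI host and reuse only the API path. Another host is
  // contacted only when websocketBaseUrl opts in explicitly.
  const base = cfg.websocketBaseUrl
    ? new URL(cfg.websocketBaseUrl, page)
    : new URL(api.pathname, page);
  const secure = base.protocol === "https:" || base.protocol === "wss:";
  if (!secure && base.protocol !== "http:" && base.protocol !== "ws:") {
    throw new Error(`unsupported scheme ${base.protocol}`);
  }
  // Extra check in this sketch: a bearer token never travels over cleartext ws://.
  if (token && !secure) throw new Error("refusing to send bearer token over ws://");
  const joined = `${base.pathname.replace(/\/+$/, "")}/${path.replace(/^\/+/, "")}`;
  const url = new URL(`${secure ? "wss" : "ws"}://${base.host}${joined}`);
  if (token) url.searchParams.set("token", token);
  return url.toString();
}

function createTerminalConnection(
  cfg: WsConfig,
  pageUrl: string,
  getToken: () => string,
  open: (url: string) => SocketLike,
) {
  const state: { active: SocketLike | null } = { active: null };
  const connect = (): SocketLike => {
    // Read the token on every connect so a reconnect uses the refreshed value.
    const socket = open(buildWsUrl(cfg, pageUrl, "terminal", getToken()));
    socket.onclose = () => {
      // A late close from an older socket must not clear the active one.
      if (state.active === socket) state.active = null;
    };
    state.active = socket;
    return socket;
  };
  return { state, connect };
}
```

A token carried in the query string is recorded by proxies and access logs along the path, so short token lifetimes and log redaction matter for this transport.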
@gitrank-connector

👍 GitRank PR Analysis

Score: 20 points

| Metric | Value |
| --- | --- |
| Component | Other (1× multiplier) |
| Severity | P2 - Medium (20 base pts) |
| Final Score | 20 × 1 = 20 |

Eligibility Checks

Check Status
Issue/Bug Fix
Fix Implementation
PR Documented
Tests
Lines Within Limit

Impact Summary

This PR fixes WebSocket authentication for external Spritz API hosts by adding support for bearer token propagation in WebSocket URLs and implementing auth token refresh on connection failures. The changes enable the UI to connect to remote API servers with proper authentication, supporting both same-origin and cross-origin deployment scenarios. Comprehensive test coverage is added for chat and terminal WebSocket connections with various authentication configurations.

Analysis Details

Component Classification: This PR affects the UI layer's WebSocket connectivity and authentication handling, which doesn't fit neatly into a specific business component category. It's a cross-cutting infrastructure improvement for external API integration.

Severity Justification: This is a Medium (P2) severity fix addressing a functional bug where external bearer-auth WebSocket connections were not properly supported. The issue has a workaround (same-origin connections) and doesn't cause data loss or complete service failure, but it does prevent legitimate use cases for external API hosts.

Eligibility Notes: Issue: True - PR title indicates a bug fix ('support external bearer-auth websocket hosts'). Fix Implementation: True - code changes align with the stated goal of adding bearer token support and WebSocket URL construction for external hosts. PR Linked: True - detailed description with TL;DR, summary, review focus, and test plan. Tests: True - 387 lines of test additions across chat.test.tsx and terminal.test.tsx. Tests Required: True - this is a bug fix in business logic (authentication and WebSocket connectivity) that requires regression testing to ensure the fix works correctly and doesn't break existing same-origin scenarios.


Analyzed by GitRank 🤖
