Cloud Web Studio¶
Cloud Web is the Open Cowork Studio running in the browser for cloud workspaces. It is not a separate UI. The single renderer at packages/app/src powers both Desktop (Electron, over the real window.coworkApi IPC bridge) and Cloud Web (the browser, over a typed CoworkAPI shim at packages/app/src/browser/cowork-api.ts). The shim is backed by the cloud HTTP + SSE API, so the browser build of the renderer runs unchanged against the same tenant-scoped sessions, projections, workflows, artifacts, policy, and gateway records used by Desktop Cloud and Gateway. The cloud server serves the renderer at GET / and must not expose server-only stores, secret adapters, runtime adapters, or OpenCode SDK surfaces to the browser.
The canonical workspace and sync promises live in Product Contract. This page is the release contract for the browser surface.
Route/API Matrix¶
The browser surface and its cloud backing are documented below. The cloud HTTP API (packages/cloud-server/src/http-routes) and the browser CoworkAPI shim (packages/app/src/browser/cowork-api.ts) enforce required role, backing endpoint ids, loading/empty/error states, disabled-state behavior, pagination or cursor notes, and redaction requirements. Cloud HTTP server and renderer tests fail if a route omits its limit/cursor mode, raw-secret policy, or loading/empty/error state contract.
| Route id | Surface | Required role | Backing endpoint ids | Pagination / cursor | Redaction and disabled behavior |
|---|---|---|---|---|---|
threads | Studio | Member | sessions, sessionView, projectSourceValidate, projectSnapshots | Projects is a Kanban-first board backed by coordination APIs, with visible project-source chat creation and chat history paging. The browser consumes /api/sessions cursor pages with Load more, preserves loaded pages across workspace SSE refreshes, and only displays total estimates returned by the backend. | Chat controls disable when policy blocks chat. Local host paths and local MCP process details are never sent as chat context. |
chat | Studio | Public | sessionView, sessionEvents, sessionPrompt, sessionPermissionRespond, sessionQuestionReply, sessionQuestionReject | Session SSE resumes from the durable Cloud projection sequence. | Chat Home is the default public route while auth resolves. Signed-out composer controls stay disabled; signed-in prompts create chat-only Cloud sessions on first send. Runtime state is rendered from Cloud projections, not a browser-only projection model. |
agents | Studio | Member | workspace, capabilitiesCatalog | Capability filtering is local and performance-tested. | Coworker metadata is cloud profile metadata only; local stdio MCP commands and secrets are not rendered. |
capabilities | Studio | Member | capabilitiesCatalog, capabilityTools, capabilitySkills | Local capability filtering is bounded; API cursoring is deferred. | Machine-scoped MCPs are visible only as policy-limited metadata. |
workflows | Studio | Member | workflows, workflow, workflowRun, workflowPause, workflowResume, workflowArchive | Playbook summary rendering is bounded to 100 playbooks and 50 recent runs in the browser; run-history cursoring is deferred. | Playbook controls disable when profile policy blocks workflows. Rows never expose worker credentials or local paths. |
channels | Studio | Member | channelAgents, channelBindings, channelDeliveries | Channel coworkers and bindings request limit=100; delivery status requests and renders the first 50 rows with member-facing bounded-list copy. Delivery stream cursoring stays with Gateway/admin flows. | User route is read-only and focused on reach, delivery status, and linked chats. Credential refs, payload secrets, signed URLs, tokens, and provider internals are stripped before rendering. |
artifacts | Studio | Member | artifactsIndex, sessionArtifacts, sessionArtifact | Cross-project artifact library rendering is bounded to 100 artifacts, with kind/status filters, author coworker, source project, Open, and Export actions. When truncated, search, filters, and bulk export are explicitly scoped to loaded results. | Artifact bodies fetch only after explicit action. Signed URLs, object keys, buckets, tokens, and object-store internals are stripped from metadata. |
knowledge | Studio | Member | knowledgeSnapshot, knowledgeProposalCreate, knowledgeProposalAccept, knowledgeProposalDecline, knowledgePageHistory | Knowledge loads a bounded workspace snapshot plus selected-page version history; cursoring is deferred until large Spaces require it. | Reader Spaces render read-only; proposal creation requires Contributor or Maintainer, and review controls require Maintainer. Knowledge backlinks expose safe task/thread/artifact labels only and never expose local paths, object-store internals, secrets, or runtime payloads. |
settings | Studio | Member | authMe, config, workspace, settings, setting | Not applicable; user settings use one bounded user-scoped metadata record plus bootstrap/workspace metadata. | Tenant-managed branding disables theme and accent controls. Provider keys, local machine runtime permissions, and organization policy internals never render in user settings. |
org | Admin | Public | authMe, config, workspace | Not applicable. | Org is an explicit public org/profile surface, not the signed-out fallback. Bootstrap JSON carries public branding, route metadata, endpoint metadata, and feature metadata only. |
members | Admin | Admin | adminMembers, adminMemberInvite, adminMemberUpdate | Members endpoint supports q and limit; the browser requests limit=100 and renders at most 100 rows. | Member rows expose identity, role, and status only. Invite and role controls disable for non-admins and non-invite signup modes. |
policy | Admin | Member | adminPolicy, adminWorkerPools, adminWorkers, adminWorkerHeartbeats | Worker pools and workers load first pages with limit=100; heartbeat detail is worker-scoped. | Policy and worker health summaries are read-only in v1 and exclude credentials, heartbeat tokens, and worker secrets. |
byok | Admin | Admin | byok, byokSave, byokValidate, byokDisable | Not applicable. | Provider keys are write-only. The browser only renders provider id, credential kind, last4/fingerprint/status, and validation timestamps. |
connections | Admin | Admin | apiTokens, apiTokenCreate, apiTokenRevoke | API token list requests limit=100 and the browser renders at most 100 rows; cursoring is deferred. | Token plaintext is shown once after creation and never stored in persistent browser storage. |
billing | Admin | Admin | billingSubscription, billingCheckout, billingPortal | Not applicable. | Billing renders entitlement state and plan metadata only. Self-host mode disables managed billing controls. |
gateway | Admin | Admin | channelAgents, channelAgentCreate, channelBindings, channelBindingCreate, channelDeliveries, channelDeliveryRetry, channelDeliveryDeadLetter | Headless agents and bindings request limit=100; delivery backlog requests and renders the first 50 rows. Provider streams are handled by Gateway, not the browser. | Channel credential refs are metadata only. Delivery payloads are browser-sanitized before details render. Retry and dead-letter actions require admin controls and confirmation. |
audit | Admin | Admin | adminAudit | Audit endpoint loads the first 100 events. Cursor export is deferred. | Audit metadata must be server-redacted and is browser-sanitized again before display or export. |
usage | Admin | Member | usageEvents, usageSummary | Usage events load limit=20; summaries load limit=100. | Usage events include metering dimensions only, not prompts, provider keys, or tokens. |
diagnostics | Admin | Admin | diagnostics, runtimeStatus, workerHeartbeats | Diagnostics includes bounded worker heartbeat and gateway delivery samples. Browser diagnostics arrays are recursively capped before rendering. | Diagnostics are redacted recursively. Cloud Web hides controls from non-admin users, and the API may still require operator-token privileges for global operational state. |
Desktop/Cloud Studio Parity Matrix¶
Because Desktop and Cloud Web run the same renderer, visual and behavioral parity is intrinsic — there is no second implementation to drift. The only differences are the capabilities the browser shim cannot provide (local filesystem, local stdio MCP processes, native dialogs, machine runtime config), which the renderer detects through workspace.support() and the shim's WORKSPACE_SUPPORT_APIS. The matrix below documents which shared Desktop concepts are available, cloud-only, or desktop-only so the product boundary stays explicit.
| Concept | Availability | Cloud route(s) | Cloud Web affordance | Product boundary |
|---|---|---|---|---|
| Projects and Kanban | Shared with Desktop | threads | Browse project objectives, five-column Kanban task state, task drawer details, and linked Cloud work without exposing local paths. | Cloud Web reads and mutates durable coordination state through the Cloud API; execution and session semantics remain OpenCode-owned. |
| Home Launchpad and Chat | Shared with Desktop | chat | Open a Studio launchpad with assign-to coworker selection, starter cards, in-motion feed, and team strip; create a chat-only Cloud session on first send; submit prompts through durable Cloud commands. | Cloud Web never builds a browser-only projection model or invokes local OpenCode runtime commands. |
| Runtime Status | Shared with Desktop | chat | Show status, streaming state, cost, token usage, context, compactions, tool calls, task runs, todos, and errors from Cloud projections. | Cloud Web reports projected Cloud runtime state only; machine health and local model controls remain Desktop-owned. |
| Approvals & Questions | Shared with Desktop | chat, approvals | Render a standalone cross-chat queue plus inline chat cards; allow once, deny, reply, and reject through Cloud API endpoints. | Approval and question semantics remain OpenCode-owned; Cloud Web only submits tenant-scoped responses. |
| Coworkers | Shared with Desktop | agents | Show profile-allowed coworkers, built-in/custom metadata, and a Start chat action. | Cloud Web displays policy-safe coworker metadata and cannot edit local custom agent files. |
| Hire a Coworker | Desktop-only | agents | Show policy-safe coworker metadata and Start chat only; custom coworker creation and permission editing remain unavailable. | The Hire wizard edits local custom-agent files, provider/model preferences, and OpenCode permission config owned by the Desktop runtime boundary. |
| Tools & Skills | Shared with Desktop | capabilities | Show allowed tools, skills, MCP metadata, linked coworkers, and policy verdicts. | Cloud Web renders cloud-safe capability metadata; runtime execution remains owned by OpenCode workers. |
| Objectives and Tasks | Shared with Desktop | threads | Show durable project objectives, task specs, stage chips, assignees, Cleo planning, and linked-session work targets. | Cloud Web consumes the coordination API only; it does not invent project/task state or execute task work in the browser. |
| Artifacts | Shared with Desktop | artifacts, chat | Show an index-backed cross-project artifact library with kind/status filters, author coworker, source project, sanitized metadata, and explicit Open/Export actions. | Cloud Web reads artifact index metadata through Cloud APIs and fetches artifact bodies only after explicit user action while stripping object-store internals. |
| Knowledge | Shared with Desktop | knowledge, chat | Show Spaces, versioned pages, reviewable proposals, knowledge-trail backlinks, graph navigation, and a Capture to knowledge action that creates pending proposals. | Cloud Web consumes the Knowledge API only; Open Cowork stores versioned product knowledge while OpenCode remains responsible for execution and chat events. |
| Playbooks | Shared with Desktop | workflows, chat | Create, list, run, pause, resume, archive, and inspect Cloud playbook definitions and run chats. | Cloud Web runs saved playbooks through Cloud workflow APIs; local launch-at-login and native notifications remain Desktop settings. |
| Channels | Shared with Desktop | channels, chat | Show provider reach, connected channel bindings, People roles, Watches, delivery status, and linked Cloud run chats with admin-gated setup controls. | Cloud Web reads channel state through tenant-scoped Cloud APIs; Gateway delivery, provider adapters, and OpenCode execution remain service-owned. |
| User Settings | Shared with Desktop | settings | Show user-scoped Appearance, Notifications, Privacy, and read-only AI provider/profile status without exposing admin BYOK or local machine runtime controls. | Cloud Web persists durable user-scoped appearance, notification, and privacy preferences through the Cloud settings API; org secrets, provider keys, and local OpenCode runtime settings remain Admin/Desktop-owned. |
| Cloud Project Sources | Cloud-only | threads | Start project-backed Cloud chats from allowed git repositories or explicit browser-uploaded snapshots. | Cloud policy validates git and snapshot sources before execution. |
| Local Filesystem | Unavailable in Cloud | threads, artifacts | Use git URLs, managed Cloud project sources, uploaded snapshots, and Cloud artifacts instead. | Browser sessions must not implicitly read or upload host paths from the user machine. |
| Local Stdio MCPs | Unavailable in Cloud | capabilities, agents | Show only policy-safe MCP metadata that has been converted into the Cloud profile. | Cloud Web cannot spawn local stdio MCP processes or expose command lines, environment variables, or secret refs. |
| Machine Runtime Config | Desktop-only | chat, agents, capabilities | Show current Cloud profile, feature flags, and projected runtime state. | Cloud Web does not configure the local machine runtime, provider defaults, local approvals mode, or desktop notification settings. |
Admin/Settings Surface Matrix¶
Cloud Web admin route summaries, rendered admin surface cards, and locked-control copy are owned by the renderer's admin/settings surfaces. The matrix below documents every admin surface, its desktop analog, and its sensitive boundary so the admin path stays a secondary surface and its authorization stays server-side.
| Surface | Route | Desktop analog | Cloud Web affordance | Sensitive boundary |
|---|---|---|---|---|
| Workspace Profile | org | Desktop account, workspace, and profile status surfaces | Show signed-in org identity, role, profile, and public sign-in state. | Bootstrap and signed-out state expose only public branding, route metadata, endpoint metadata, and feature flags. |
| Members | members | Desktop account/settings identity context | Manage org member roles, invites, activation, suspension, and invite-mode state. | Member rows expose identity, role, and status only; authorization remains server-side. |
| Profiles & Policy | policy | Desktop runtime settings, capability policy, and Health Center | Show Cloud profile features, project-source policy, runtime guardrails, gateway policy, and worker health. | Cloud Web reports policy and health summaries without configuring local runtime, host paths, or stdio MCP processes. |
| BYOK | byok | Desktop provider credential setup | Add, rotate, validate, and disable provider credentials through write-only Cloud APIs. | Provider keys are never rendered after submission; the browser receives metadata such as provider id, status, last4, and validation timestamps. |
| Connections | connections | Desktop Cloud connection and Gateway pairing surfaces | Issue scoped Desktop, Gateway, and admin API tokens with one-time plaintext reveal. | Token plaintext is shown once after creation and is not stored in persistent browser state. |
| Billing | billing | Desktop entitlement and setup status surfaces | Show managed billing mode, plan state, checkout/portal actions, and resolved entitlements. | Billing renders plan and entitlement metadata only; provider integration stays behind the Cloud API. |
| Headless Gateway | gateway | Desktop Gateway connection and workflow delivery status | Configure headless agents, channel bindings, setup guidance, and delivery backlog controls. | Channel credential refs, delivery targets, payloads, provider internals, and errors are browser-sanitized before rendering. |
| Audit | audit | Desktop diagnostics and sensitive-action history context | Browse and export redacted administrative events for sensitive Cloud actions. | Audit metadata must be server-redacted and is sanitized again before display or export. |
| Usage | usage | Desktop chat cost, token, and runtime status summaries | Show quota windows, recent metering totals, and bounded usage event samples. | Usage events include metering dimensions only, never prompts, provider keys, or tokens. |
| Diagnostics | diagnostics | Desktop Health Center and support bundle surfaces | Prepare redacted health summaries and support bundles for Cloud runtime, BYOK, gateway, and object-store state. | Diagnostics are recursively redacted and array-capped before rendering or download. |
End-User Studio Contract¶
Cloud Web must keep parity with Desktop Cloud for cloud workspaces:
- start and continue Cloud chats
- hydrate from the full Cloud
SessionViewprojection - render messages, task runs, tool calls, approvals, questions, todos, artifacts, cost, status, and errors
- send prompts through durable Cloud commands
- answer approvals and questions through Cloud APIs
- reconnect SSE from durable projection cursors
- browse artifact metadata and fetch bodies only on explicit action
- run playbooks through the Cloud workflow API
- review connected channel coworkers, bindings, and delivery status without exposing admin controls or delivery payloads
- show custom coworker, skill, and MCP metadata with policy verdicts
The browser must not create a second projection model. It consumes Cloud snapshots and events through the shared API contract.
Shared IA Contract¶
Cloud Web and Desktop share the same Studio IA because they are the same renderer. The shared layout primitives expose stable data-workbench-* hooks for tests:
data-workbench-pane="threads"marks the thread list/sidebar.data-workbench-pane="conversation"marks the active chat surface.data-workbench-pane="review"marks the contextual review pane.data-action-cluster="true"marks the consolidated chat/action toolbar.data-diff-view="true"marks review-first artifact and diff surfaces.
The renderer uses WorkbenchLayout, ActionCluster, and DiffView from @open-cowork/ui on both surfaces. The Cloud review pane presents runtime status and sanitized artifacts; artifact metadata remains review-first and fetches bodies only after explicit view or download actions. Desktop-only actions, such as local runtime or git-native controls, stay absent or disabled in Cloud because the browser shim reports them as unsupported through workspace.support().
Unified Renderer¶
Cloud Web is the browser build of the desktop renderer (packages/app/src). pnpm cloud:build runs pnpm --filter @open-cowork/desktop build:browser to emit the renderer's browser bundle (apps/desktop/dist-browser), and the cloud server serves it at GET / through packages/cloud-server/src/browser-renderer-app.ts. The entry document loads hashed module/asset scripts and installs the browser CoworkAPI shim (packages/app/src/browser/cowork-api.ts), which derives the endpoint base from window.location, reads the CSRF token from /auth/me, and talks only to the same-origin cloud /api, /auth, and SSE event routes under the server's CSP nonce boundary.
The renderer is written entirely against the typed CoworkAPI surface (from @open-cowork/shared). On Electron the preload supplies that object over IPC; in the browser the shim supplies the identical object backed by cloud HTTP + SSE, so no feature code branches on environment. Electron-only methods (native dialogs, runtime restart, desktop pairing, local FS imports, app reset) have no cloud equivalent and the shim implements them as signature-satisfying stubs that no-op or reject with a clear "unavailable in the browser build" message. New feature work uses the shared CoworkAPI contract (defined in packages/shared/src) through the browser client packages/app/src/browser/cowork-api.ts rather than direct fetch, EventSource, or window.coworkApi access.
/api/sessions cursors are opaque, scoped to the authenticated tenant, user, and active filters, and invalid or mismatched cursors fail closed with 400. Workspace SSE refreshes rehydrate the same number of loaded pages rather than collapsing a large thread list back to page one.
Admin Contract¶
Admin and operator surfaces must avoid direct database or shell access for normal operations:
- members, invite mode, roles, and status
- profile, capability, project-source, runtime, and gateway policy summaries
- BYOK provider status and write-only key rotation
- API tokens for Desktop and Gateway clients
- billing and entitlement status
- quota windows, usage totals, and usage event samples
- org-scoped managed worker pools and worker health summaries
- headless agents, channel bindings, and delivery backlog
- redacted audit logs and diagnostics
Sensitive mutations must be role-checked by the Cloud API and auditable. Browser disabled controls are only ergonomic hints; authorization remains server-side.
Browser Quality Gates¶
Because Cloud Web is the same renderer as Desktop, its UI is covered by the renderer suite and the cloud HTTP/continuation suites. Cloud Web changes should run:
For release-sensitive changes also run:
pnpm lint
pnpm typecheck
pnpm test
pnpm test:cloud-continuation
pnpm cloud:smoke
pnpm docs:build
git diff --check
These gates cover renderer behavior and accessibility, the cloud HTTP route and redaction contract, backend cursor validation, package-boundary checks that keep the renderer out of server-only modules, and a production cloud-bundle build + import smoke so the browser renderer build keeps shipping in the cloud image.
Visual QA Checklist¶
For visual or surface-organization changes, compare Cloud Web and Desktop side-by-side before merge. The expected match is product language and workflow parity, not pixel-perfect screenshots.
The matrix below must cover every Cloud Web route at desktop, tablet, and mobile widths. Because Desktop and Cloud Web are the same renderer, a desktop-verified surface only needs the browser to confirm the cloud shim's boundaries (no local filesystem, no stdio MCPs, server-side authorization) and responsive layout.
Studio Production Visual QA Matrix¶
| Surface | Cloud route(s) | Desktop surface | Cloud Web check | Required states | Product boundary |
|---|---|---|---|---|---|
| Home launchpad, Chat, and composer | chat | Home launchpad and Chat composer-first runtime surface | Default route opens to the launchpad with assign-to coworker selection, starter cards, in-motion feed, team strip, disabled signed-out send controls, and Cloud command submission after auth. | loading, empty, error, disabled, permission-gated, offline-disconnected, retry | Cloud Web consumes Cloud session projections and commands only; OpenCode owns session execution and event semantics. |
| Projects and Kanban | threads | Projects list, five-column Kanban board, task drawer, and Cleo planning controls | Projects render objective cards, progress, team avatars, Backlog to Done columns, task drawer actions, and API-backed Plan with Cleo behavior instead of a thread table. | loading, empty, error, disabled, permission-gated, offline-disconnected, retry | Cloud Web reads and mutates coordination state through Cloud APIs only; OpenCode remains the owner of execution, sessions, approvals, and runtime events. |
| Runtime review, approvals, and questions | chat, approvals, artifacts | Chat transcript, task lanes, approvals, questions, todos, runtime status, cost, tokens, and review panel | Messages, delegated specialist lanes, running/completed/error task states, inline and standalone approval/question queues, deliverables, todos, artifacts, cost, token usage, and follow-up actions are visible from Cloud projections. | loading, empty, error, disabled, permission-gated, offline-disconnected, retry, destructive-confirmation | Approval and question semantics remain OpenCode-owned; Cloud Web only submits tenant-scoped responses through Cloud API endpoints. |
| Coworkers, tools, and skills | agents, capabilities | Team and Tools & Skills capability catalog | Coworker cards expose Lead/Specialist filters and Brain/Temperature/Max steps config specs; Tools & Skills renders tabbed Abilities and Connections with MCP policy verdicts and shared Studio primitives. | loading, empty, error, disabled, permission-gated, retry | Cloud Web renders policy-safe metadata only and cannot edit local custom agent files or spawn local stdio MCPs. |
| Hire a coworker wizard boundary | agents | Desktop four-step Hire a coworker wizard with Role, Abilities, Brain, and Permissions | Agents route keeps the same coworker vocabulary and Start chat path while showing no local custom-agent editor; the parity matrix documents the Desktop-only reason. | disabled, permission-gated | Cloud Web cannot edit local custom-agent files, local provider settings, or machine OpenCode permission config. |
| Playbooks and runs | workflows | Playbooks list, saved workflow setup chats, run controls, and run history | Playbook cards and selected details show numbered ordered steps, Runs as metadata, last-run status, run rows, pause/resume/archive actions, empty states, and blocked policy copy. | loading, empty, error, disabled, permission-gated, offline-disconnected, retry, destructive-confirmation | Cloud Web runs saved playbooks through Cloud workflow APIs; OpenCode-native agents still execute the work. |
| Channels and artifacts | channels, artifacts, chat | Channel status, linked run chats, indexed artifact library cards, and review-first artifact previews | Connected channel coworkers, bindings, delivery status, searchable artifact library with status/provenance, sanitized metadata, explicit Open/Export actions, and selected-chat previews stay reachable without admin controls. | loading, empty, error, disabled, permission-gated, offline-disconnected, retry | Provider payloads, signed URLs, object-store internals, channel secrets, and delivery targets are stripped before rendering. |
| Knowledge and capture | knowledge, chat | Desktop Knowledge page, chat Capture to knowledge action, review queue, page history, and graph | Knowledge route renders Space rail, page reader, review queue, version history, graph navigation, and the Chat route exposes Capture to knowledge for reviewable proposals. | loading, empty, error, disabled, permission-gated, retry | Knowledge is an app-owned native module; Cloud Web consumes Knowledge APIs only and never couples to a local OpenWiki checkout or owns OpenCode execution. |
| Team and member admin boundary | org, members, policy, usage | Desktop account, Team context, Settings policy, Health Center, and usage summaries | Org profile, member rows, invite/role controls, policy summaries, usage quotas, and worker health are visually grouped under Admin without dominating the default Studio path. | loading, empty, error, disabled, permission-gated, retry, destructive-confirmation | Browser disabled controls are ergonomic only; Cloud API authorization remains server-side and tenant-scoped. |
| User Settings | settings | Desktop Settings dialog: appearance, permissions, notifications, privacy, and profile status | Cloud Web exposes user-scoped Appearance, Notifications, Privacy, and read-only AI provider/profile status as a Studio route, while keeping BYOK and org policy in Admin. | loading, disabled, permission-gated | Cloud Web persists durable user-scoped preferences through Cloud settings metadata; provider keys, local machine runtime config, and org policy stay Desktop/Admin-owned. |
| Secrets, Gateway, audit, and diagnostics | byok, connections, billing, gateway, audit, diagnostics | Desktop Cloud connection setup, Gateway pairing, provider credentials, billing, audit, and Health Center support bundle surfaces | BYOK write-only rotation, one-time token reveal, gateway delivery controls, billing portal actions, audit export, diagnostics redaction, confirmations, and settled disabled states are visible and keyboard-reachable. | loading, empty, error, disabled, permission-gated, offline-disconnected, retry, destructive-confirmation, one-time-reveal | Raw secrets, provider keys, auth headers, signed URLs, object-store internals, local paths, command lines, and environment variables must not render outside intentional safe reveal flows. |
- App shell, sidebar, topbar, active route, status text, and density use the same dark product language.
- Cards, panels, tables, rows, badges, notices, empty states, focus rings, and destructive/primary/secondary controls read like Desktop primitives.
- Projects, chat, runtime status, approvals, questions, coworkers, tools, skills, playbooks, channels, artifacts, and Knowledge map to the Desktop/Cloud parity matrix.
- Org, members, policy, BYOK, connections, gateway, billing, audit, usage, and diagnostics map to the admin/settings surface matrix.
GET /returns the renderer entry document, which loads hashed/assets/*module scripts under the server CSP nonce and boots against the cloud API.- Loading, empty, error, disabled, confirmation, and one-time reveal states stay visible and consistent without exposing secrets.
- Desktop-only boundaries remain explicit: no local host paths, local stdio MCP process controls, machine runtime config, or browser-owned OpenCode runtime.
- Responsive desktop and mobile views have no horizontal overflow, clipped controls, or unreachable keyboard focus targets.
/assets/fonts/*.woff2requests return200 font/woff2and computed fonts resolve to Mona Sans / Schibsted Grotesk in the real-browser smoke.- The renderer's hashed
/assets/*module and stylesheet routes are served with long-lived immutable cache headers, and the real-browser smoke verifies the nonce'd entry document loads and mounts the renderer.
Production Audit Checklist¶
This checklist is the closeout audit for Studio parity work before the roadmap can be considered complete. Since Desktop and Cloud Web are the same renderer, most rows are satisfied by the renderer suite plus the cloud HTTP/redaction suite.
| Check id | Requirement | Evidence |
|---|---|---|
canonical-shared-tokens | Shared design tokens are the only canonical Studio token source for Desktop and Cloud Web. | packages/shared/src/design-tokens.ts, tests/design-tokens-sync.test.ts, docs/design-tokens.md |
shared-primitives-first | Shared Studio primitives are preferred before app-local component duplication. | packages/ui/src/, docs/design-system.md, renderer vitest suite |
shared-product-vocabulary | Desktop and Cloud Web use the same user-facing vocabulary for shared concepts. | docs/desktop-app.md, docs/cloud-web-workbench.md, single renderer at packages/app/src |
cloud-api-client-only | Cloud Web remains a Cloud API client and does not own execution, projection semantics, or OpenCode runtime behavior. | packages/app/src/browser/cowork-api.ts, tests/cloud-modularity-boundaries.test.ts, docs/architecture.md |
admin-not-default-path | Admin/setup controls are explicit secondary surfaces and do not dominate the default user path. | packages/app/src admin/settings surfaces, docs/cloud-web-workbench.md |
safe-redaction | No raw secrets, signed URLs, object-store internals, local paths, command lines, environment variables, or provider payloads render outside intentional safe reveal flows. | packages/cloud-server/src/http-routes, packages/app/src/browser/cowork-api.ts, tests/cloud-http-server.test.ts |
honest-performance-budgets | Performance budgets stay honest for added routes, surfaces, large fixtures, and responsive layouts. | renderer vitest suite, tests/cloud-http-server.test.ts, docs/cloud-web-workbench.md |
docs-match-shipped-behavior | Docs describe shipped behavior and explicit boundaries, not aspirational runtime behavior. | docs/cloud-web-workbench.md, docs/release-checklist.md, renderer + cloud HTTP suites |
Knowledge/OpenWiki Integration¶
Knowledge now ships as an app-owned native module: Cloud Web exposes a Knowledge route, the Chat route includes a Capture to knowledge CTA, and both Desktop and Cloud Web consume the same Cloud/API-client contract for Spaces, versioned pages, pending proposals, review decisions, page history, and graph context.
This phase deliberately does not embed or depend on a local OpenWiki checkout. Do not couple Cloud Web, Desktop, Gateway, or the Cloud API to a local OpenWiki checkout. External OpenWiki embedding remains a later roadmap phase; until that roadmap replaces this contract, Knowledge stays a native Open Cowork product module layered around OpenCode sessions rather than a second runtime.