chore(cli): pre-merge cleanup — docker images, comments, tsconfig lib

- docker-compose.yaml: revert api/web from build: back to image tags
  (1.14.1); fix api_websocket/worker/worker_beat downgraded to 1.14.0
- Remove verbose internal design comments from openapi controllers
- web/next.config.ts: trim anti-framing comment to one line
- cli/tsconfig.json: drop lib:ES2015 override (broke Error.cause typing)
- eslint.config.mjs: ignore cli/context/** and cli/docs/** (local caches)
- pnpm-lock.yaml: regenerate after fresh install

api/controllers/openapi/_models.py

@@ -9,9 +9,7 @@ from pydantic import BaseModel, ConfigDict, Field, field_validator
 from libs.helper import UUIDStrOrEmpty, uuid_value
 from models.model import AppMode
 
-# Server-side cap on `limit` query param for any /openapi/v1/* list endpoint.
-# Sibling endpoints (`/apps`, `/account/sessions`, future routes) all clamp to
-# this; do not introduce per-endpoint caps without raising the constant.
+# Server-side cap on `limit` query param for /openapi/v1/* list endpoints.
 MAX_PAGE_LIMIT = 200
 
 

api/controllers/openapi/apps.py

@@ -46,9 +46,6 @@ from services.app_service import AppListParams, AppService
 from services.openapi.visibility import apply_openapi_gate, is_openapi_visible
 from services.tag_service import TagService
 
-# method_decorators applies left-to-right innermost-first; flask_restx wraps
-# in order, so the LAST entry is the outermost. Execution flows
-# validate_bearer → accept_subjects → require_scope → handler.
 _APPS_READ_DECORATORS = [
     require_scope(Scope.APPS_READ),
     accept_subjects(SubjectType.ACCOUNT),

api/controllers/openapi/apps_permitted_external.py

@@ -37,13 +37,6 @@ from services.openapi.visibility import apply_openapi_gate
 
 @openapi_ns.route("/permitted-external-apps")
 class PermittedExternalAppsListApi(Resource):
-    # method_decorators applies left-to-right innermost-first; execution
-    # flows enterprise_only → validate_bearer → accept_subjects →
-    # license_required → require_scope → handler. validate_bearer is
-    # widened to ACCEPT_USER_ANY so accept_subjects can emit the
-    # `openapi.wrong_surface_denied` audit on dfoa_→external misses
-    # instead of validate_bearer rejecting silently with "subject type
-    # not accepted here".
     method_decorators = [
         require_scope(Scope.APPS_READ_PERMITTED_EXTERNAL),
         license_required,
@@ -104,7 +97,6 @@ class PermittedExternalAppsListApi(Resource):
                     workspace_name=tenant.name if tenant else None,
                 )
             )
-        # total/has_more reflect the EE-side allow-list; len(items) may be < limit when local rows are dropped.
         env = PermittedExternalAppsListResponse(
             page=query.page,
             limit=query.limit,

api/controllers/openapi/auth/composition.py

@@ -35,12 +35,6 @@ def _resolve_app_authz_strategy() -> AppAuthzStrategy:
     return MembershipStrategy()
 
 
-# Pipeline currently serves only `/openapi/v1/apps/<id>/run` — an account
-# (dfoa_) surface route. SurfaceCheck runs right after BearerCheck so
-# pipeline-guarded routes get the same wrong_surface 403 + audit emit as
-# the inline `@accept_subjects` decorator on read endpoints. When the
-# external-surface run route lands, swap in an external-pipeline builder
-# that constructs SurfaceCheck(accepted=frozenset({USER_EXT_SSO})).
 OAUTH_BEARER_PIPELINE = Pipeline(
     BearerCheck(),
     SurfaceCheck(accepted=frozenset({SubjectType.ACCOUNT})),

api/controllers/openapi/auth/steps.py

@@ -160,8 +160,6 @@ class CallerMount:
         raise Unauthorized("no caller mounter for subject type")
 
 
-# AuthContext re-export so callers reading `g.auth_ctx` after a pipeline
-# run get a consistent import location next to the step that writes it.
 __all__ = [
     "AppAuthzCheck",
     "AppResolver",