feat: add configurable ActivityWatch server URL and Basic Auth

[liv10let]

Summary

Add runtime-configurable ActivityWatch server URL and HTTP Basic Auth support, so users can point the extension at a custom server (including servers behind nginx reverse proxy with auth_basic) without rebuilding.

Changes

• Add settings page fields for Server URL, Username, Password
• Store configured URL in browser local storage
• Use configured URL for all API requests (heartbeats, bucket creation)
• Add HTTP Basic Auth header when credentials are provided
• Popup WebUI link syncs with configured server URL

Usage

1. Open extension settings
2. Enter your server URL (e.g. http://your-server:5601)
3. Enter username and password if behind nginx auth_basic
4. Save — all requests now go to the configured server

[greptile-apps]

Greptile Summary

This PR is a fork-customisation layer for aw-watcher-web that adds a Chinese README, image assets required by the popup, and two Firefox-specific manifest changes (new extension ID and data_collection_permissions). The PR description promises runtime-configurable server URL and HTTP Basic Auth, but none of that implementation appears in the diff — the settings page, background client, and storage layer are unchanged.

• Manifest: Firefox extension ID is changed to aw-watcher-web-configurable@local and data_collection_permissions.required: ["browsingActivity"] is added for AMO compliance; however, Firefox permissions still only cover 127.0.0.1, which would silently block requests to any user-configured server URL.
• Assets: Three PNG files are added (public/logo-128.png, public/media/banners/banner.png, public/media/logo/logo-128.png), but all three are byte-for-byte identical, so the banner rendered in the popup will be a square logo stretched to full width rather than a proper banner image.
• Documentation: README.zh-CN.md documents the fork thoroughly but describes features (server URL field, Basic Auth, popup link sync) that are absent from the actual changed files.

Confidence Score: 2/5

Not safe to merge: the central feature described in the PR is absent from the diff, and the Firefox manifest change would leave custom-server requests silently blocked even if the feature were added later.

The PR's stated purpose — runtime-configurable server URL and Basic Auth — does not appear in any changed file. The settings page has no new inputs, the client ignores any stored URL, and there is no auth-header injection anywhere. On top of that, the Firefox manifest only whitelists two localhost origins; any custom server a user might configure would be refused by the browser. Both gaps would result in the advertised feature simply not working for Firefox users.

src/manifest.json needs wildcard host permissions for Firefox to support the described custom-server feature. The banner asset at public/media/banners/banner.png should be replaced with an actual banner-dimensioned image rather than a copy of the logo.

Important Files Changed

Filename	Overview
src/manifest.json	Firefox extension ID changed to fork-specific value and data_collection_permissions added; Firefox host permissions still locked to 127.0.0.1 only, which will block the advertised custom-server feature for all Firefox users
README.zh-CN.md	New Chinese README describing the fork's URL-configuration feature; documentation is thorough but describes capabilities (Basic Auth, server URL settings) that are absent from the actual diff
public/logo-128.png	New logo asset added; binary content is identical to the banner and subdirectory logo, suggesting copy-paste rather than intentional distinct assets
public/media/banners/banner.png	Banner image added for popup display, but is byte-for-byte identical to the 128×128 logo, which will render incorrectly as a full-width popup header
public/media/logo/logo-128.png	Logo asset mirrored into a subdirectory path expected by popup/index.html; content is identical to the top-level logo

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[User opens Settings] --> B{Server URL field?}
    B -- "Claimed in PR desc" --> C[Enter custom URL + credentials]
    B -- "Actual code state" --> D[Only Browser & Hostname fields]
    C --> E[Save to localStorage]
    E --> F[getClient uses runtime URL + Basic Auth]
    D --> G[getClient uses AWClient default URL]
    G --> H{Firefox?}
    H -- Yes --> I[Only 127.0.0.1:5600 & 5666 allowed]
    H -- No --> J[all_urls host permission — OK]
    I --> K[Custom URL request blocked by browser]
    J --> L[Request succeeds]

Loading

Comments Outside Diff (2)

1. src/manifest.json, line 37-45 (link)

   Firefox host permissions block custom server requests

   The PR description says users can configure any custom ActivityWatch server URL, but Firefox's permissions array only permits http://127.0.0.1:5600/api/* and http://127.0.0.1:5666/api/*. Any request to a user-supplied URL (e.g. http://your-server:5601) will be blocked by Firefox's permission system at runtime. Chrome and Safari both declare <all_urls> host permissions, but Firefox has no equivalent wildcard here. To support arbitrary user-configured servers on Firefox you'd need "<all_urls>" in host_permissions (MV3) or a wildcard in permissions (MV2).

2. public/media/banners/banner.png, line 1 (link)

   Banner and logo assets are byte-for-byte identical

   public/logo-128.png, public/media/banners/banner.png, and public/media/logo/logo-128.png all share the same git blob hash (d21c861). A banner image is typically a different shape and dimensions than a square logo. Using the logo as the popup banner (<img src="/media/banners/banner.png" style="width: 100%" />) will likely render a tall, narrow logo stretched across the full popup width rather than a proper banner.

_{Reviews (1): Last reviewed commit: "Add configurable ActivityWatch server su..." | Re-trigger Greptile}

[greptile-apps]

Core features described in the PR are not present in the diff

The PR description promises settings-page fields for Server URL, Username, and Password; Basic Auth header injection; and syncing the popup's webUI link with the configured server. None of these appear in this diff. Examining the current source: settings/index.html has no URL/auth inputs, settings/main.ts saves only browser name and hostname, and client.ts creates AWClient with no configurable base URL or auth headers. As submitted, the PR only changes the Firefox extension ID, adds data_collection_permissions, a Chinese README, and image assets — the central advertised functionality is missing entirely.

[greptile-apps]

Extension ID uses an informal @local domain

AMO (addons.mozilla.org) extension IDs are expected to follow an email-address style format with a real domain (e.g. aw-watcher-web-configurable@activitywatch.net). The @local suffix is informal and may cause friction during AMO review. It also means any end-user who installs this from AMO alongside the upstream extension will have two entries with no naming collision guard, since the ID no longer matches the upstream {ef87d84c-…} UUID.