Respect provided live-view credentials

[aryanputta]

Summary

• make the headful live-view client use caller-supplied pwd and usr values when present
• preserve the current kernel/admin fallback for existing deployments that do not provide explicit credentials

Why
The live-view client already parses pwd and usr from the URL and reads persisted login state, but the mounted login path currently ignores those values and always logs in as kernel/admin.

That means credential-bearing embed links and custom login state do not work as intended, and the client always falls back to the hardcoded admin path even when explicit credentials were supplied.

This PR keeps the change narrow. It does not redesign Neko auth or change existing default behavior when no credentials are supplied. It only makes the existing credential hooks actually take effect.

Testing

• manual code-path validation on images/chromium-headful/client/src/components/connect.vue
• no frontend test harness appears to be configured in this repository for the Vue client

---

Note

Medium Risk
Changes the headful client’s auto-login behavior to use URL/persisted usr/pwd when present, which can affect authentication flows and embedded link behavior. Risk is limited because it preserves the existing kernel/admin fallback when no credentials are provided.

Overview
Updates the headful live-view client’s connect.vue auto-login path to prefer caller-supplied credentials (URL usr/pwd or persisted accessor values) instead of always logging in as kernel/admin.

Keeps the legacy kernel/admin defaults as a fallback, while still removing usr/pwd from the URL after they’re consumed.

^{Reviewed by Cursor Bugbot for commit 1b7411d. Bugbot is set up for automated code reviews on this repo. Configure here.}

[firetiger-agent]

Firetiger deploy monitoring skipped

This PR didn't match the auto-monitor filter configured on your GitHub connection:

Any PR that changes the kernel API. Monitor changes to API endpoints (packages/api/cmd/api/) and Temporal workflows (packages/api/lib/temporal) in the kernel repo

Reason: PR modifies live-view client code (Vue components), not kernel API endpoints or Temporal workflows as specified in the filter.

To monitor this PR anyway, reply with @firetiger monitor this.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 1b7411d. Configure here.}

[cursor]

URL usr param ignored when persisted displayname exists

High Severity

The pwd and usr URL parameters are handled inconsistently. For pwd, the URL param unconditionally overrides the persisted this.$accessor.password. But for usr, line 102 does displayname = this.$accessor.displayname || usr, meaning the persisted displayname takes precedence and the URL usr value is silently discarded. Before this PR the inconsistency was harmless because both values were thrown away. Now that the login call actually uses them, a credential-bearing embed link like ?usr=bob&pwd=secret will authenticate with the correct password but the wrong username whenever a persisted displayname exists.

Additional Locations (1)

• images/chromium-headful/client/src/components/connect.vue#L107-L111

 

^{Reviewed by Cursor Bugbot for commit 1b7411d. Configure here.}