fix(server): bypass auth for frontend static paths

[heimoshuiyu]

Issue for this PR

• fix: PWA failed because HTTP basic auth block static assets #12447
• fix: Web UI: Basic Auth incompatible with crossorigin attributes on assets #9206
• fix: Terminal Failure & Authentication Loop on Mobile #18189

Type of change

• Bug fix
• New feature
• Refactor / code improvement
• Documentation

What does this PR do?

This PR bypasses HTTP basic auth for frontend static routes required to bootstrap OpenCode Web correctly when OPENCODE_SERVER_PASSWORD is enabled.

With basic auth enabled, browsers may request static assets/manifests in ways that do not consistently include credentials (e.g. module/crossorigin behavior), causing bootstrap failures and repeated auth prompts.

• Add a web(path, method) guard for frontend static requests.
• Allow unauthenticated GET/HEAD for:
  • /
  • /index.html
  • /site.webmanifest
  • /favicon.ico
  • /robots.txt
  • /oc-theme-preload.js
  • /assets/*
• Keep auth protection for non-static API routes.

How did you verify your code works?

none, it is simple

Screenshots / recordings

none

Checklist

• I have tested my changes locally
• I have not included unrelated changes in this PR

[github-actions]

Hey! Your PR title server: bypass auth for frontend static paths doesn't follow conventional commit format.

Please update it to start with one of:

• feat: or feat(scope): new feature
• fix: or fix(scope): bug fix
• docs: or docs(scope): documentation changes
• chore: or chore(scope): maintenance tasks
• refactor: or refactor(scope): code refactoring
• test: or test(scope): adding or updating tests

Where scope is the package name (e.g., app, desktop, opencode).

See CONTRIBUTING.md for details.

[github-actions]

The following comment was made by an LLM, it may be inaccurate:

[github-actions]

Thanks for updating your PR! It now meets our contributing guidelines. 👍