test: 補齊 runPreflight 測試並 triage preflight findings

triage 6 筆 review findings：1 筆修正、5 筆移入 exclusions。

修正（Maya, warning）：runPreflight 僅測過 env 缺失早退，缺成功路徑與
各失敗點覆蓋。將其驗證步驟改為可注入的 deps 參數（預設沿用原函式，
行為不變），並補上完整成功、comment 略過、各失敗點早停、workspace
傳遞共 8 個測試。

移入 exclusions（誤報，保留原文）：
- Rex critical：GITEA_SKIP_TLS_VERIFY 為預設開啟驗證的 opt-in 設定，
  與既有 gitea.js 排除一致，非漏洞
- Leo warning：verifyLLM 內聚清楚，拆分屬主觀重構
- Zara warning：每把 key 30s timeout 為刻意的可靠性下限，僅失敗時累積
- Rex info：axios 錯誤訊息不含認證標頭/內容
- Aria info：預設參數引用 config 常數為刻意且利於測試的 pattern

findings.json 清空（全部已修正或排除）。app/ 測試 112 pass。

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

app/preflight.test.js

@@ -188,10 +188,76 @@ describe('verifyLLM', () => {
 });
 
 describe('runPreflight', () => {
+  // Stub deps that all succeed; individual tests override one to fail.
+  function makeDeps(overrides = {}) {
+    return {
+      checkEnv: () => ({ ok: true, missing: [] }),
+      verifyToken: async () => ({ ok: true }),
+      verifyComment: async () => ({ ok: true }),
+      verifyRemote: () => ({ ok: true }),
+      verifyLLMFn: async () => ({ ok: true, provider: 'openai', keyIndex: 1, total: 1 }),
+      ...overrides,
+    };
+  }
+
   it('returns false and stops early when required env is missing', async () => {
     // Config constants default to empty in the test environment, so the
     // required-env check fails before any network call is attempted.
     const result = await runPreflight();
     assert.equal(result, false);
   });
+
+  it('returns true when every verification step succeeds', async () => {
+    const result = await runPreflight('/ws', makeDeps());
+    assert.equal(result, true);
+  });
+
+  it('returns true when the comment token check is skipped', async () => {
+    const result = await runPreflight('/ws', makeDeps({
+      verifyComment: async () => ({ ok: true, skipped: true }),
+    }));
+    assert.equal(result, true);
+  });
+
+  it('returns false when the Gitea token check fails', async () => {
+    let remoteCalled = false;
+    const result = await runPreflight('/ws', makeDeps({
+      verifyToken: async () => ({ ok: false, error: 'HTTP 401' }),
+      verifyRemote: () => { remoteCalled = true; return { ok: true }; },
+    }));
+    assert.equal(result, false);
+    assert.equal(remoteCalled, false, 'should stop before later checks');
+  });
+
+  it('returns false when the comment token check fails', async () => {
+    const result = await runPreflight('/ws', makeDeps({
+      verifyComment: async () => ({ ok: false, error: 'HTTP 401' }),
+    }));
+    assert.equal(result, false);
+  });
+
+  it('returns false when git remote access fails', async () => {
+    let llmCalled = false;
+    const result = await runPreflight('/ws', makeDeps({
+      verifyRemote: () => ({ ok: false, error: 'auth failed' }),
+      verifyLLMFn: async () => { llmCalled = true; return { ok: true }; },
+    }));
+    assert.equal(result, false);
+    assert.equal(llmCalled, false, 'should stop before the LLM check');
+  });
+
+  it('returns false when LLM verification fails', async () => {
+    const result = await runPreflight('/ws', makeDeps({
+      verifyLLMFn: async () => ({ ok: false, error: '所有 key 驗證失敗' }),
+    }));
+    assert.equal(result, false);
+  });
+
+  it('passes the workspace through to the remote-access check', async () => {
+    let captured;
+    await runPreflight('/custom/ws', makeDeps({
+      verifyRemote: (ws) => { captured = ws; return { ok: true }; },
+    }));
+    assert.equal(captured, '/custom/ws');
+  });
 });