From 8e7f5d6a6612ecad3bf78027c13091a378e3eec3 Mon Sep 17 00:00:00 2001
From: Saagar
Date: Sun, 7 Jun 2026 04:17:36 -0700
Subject: [PATCH] Harden Tauri app baseline
---
 .codex/scripts/run_verify_commands.sh | 17 ++++++
 .../src-tauri/capabilities/default.json | 7 +++
 .../src-tauri/gen/schemas/capabilities.json | 2 +-
 apps/desktop-tauri/src-tauri/tauri.conf.json | 14 ++---
 apps/desktop-tauri/ui/package.json | 1 +
 docs/deck/README.md | 25 +++++++++
 docs/demo/README.md | 55 +++++++++++++++++++
 docs/one-pager/README.md | 33 +++++++++++
 docs/screenshots/README.md | 32 +++++++++++
 package.json | 1 +
 10 files changed, 176 insertions(+), 11 deletions(-)
 create mode 100755 .codex/scripts/run_verify_commands.sh
 create mode 100644 apps/desktop-tauri/src-tauri/capabilities/default.json
 create mode 100644 docs/deck/README.md
 create mode 100644 docs/demo/README.md
 create mode 100644 docs/one-pager/README.md
 create mode 100644 docs/screenshots/README.md
diff --git a/.codex/scripts/run_verify_commands.sh b/.codex/scripts/run_verify_commands.sh
new file mode 100755
index 0000000..12e8105
--- /dev/null
+++ b/.codex/scripts/run_verify_commands.sh
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+COMMANDS_FILE="${1:-.codex/verify.commands}"
+
+if [[ ! -f "$COMMANDS_FILE" ]]; then
+ echo "Missing $COMMANDS_FILE"
+ exit 2
+fi
+
+while IFS= read -r cmd || [[ -n "$cmd" ]]; do
+ [[ -z "${cmd//[[:space:]]/}" ]] && continue
+ [[ "$cmd" =~ ^[[:space:]]*# ]] && continue
+
+ echo ">> $cmd"
+ eval "$cmd"
+done < "$COMMANDS_FILE"
diff --git a/apps/desktop-tauri/src-tauri/capabilities/default.json b/apps/desktop-tauri/src-tauri/capabilities/default.json
new file mode 100644
index 0000000..ca88540
--- /dev/null
+++ b/apps/desktop-tauri/src-tauri/capabilities/default.json
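Review bot: `eval "$cmd"` at the bottom of the loop runs every non-blank, non-comment line of the commands file as arbitrary shell, and the file path itself comes from `$1`, so `.codex/verify.commands` has to be reviewed and protected like executable code rather than like data; a header comment stating that contract would help, e.g. `# Each non-blank, non-# line of COMMANDS_FILE is executed verbatim via eval; treat that file as code.`. The diagnostic in the missing-file branch also goes to stdout, where it mixes with captured command output; `echo "Missing $COMMANDS_FILE" >&2` keeps it on stderr alongside the non-zero exit.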
@@ -0,0 +1,7 @@
+{
+ "$schema": "../gen/schemas/desktop-schema.json",
+ "identifier": "default",
+ "description": "Main window capability for DevTools Translator desktop.",
+ "windows": ["main"],
+ "permissions": ["core:default"]
+}
diff --git a/apps/desktop-tauri/src-tauri/gen/schemas/capabilities.json b/apps/desktop-tauri/src-tauri/gen/schemas/capabilities.json
index 9e26dfe..6fb499a 100644
--- a/apps/desktop-tauri/src-tauri/gen/schemas/capabilities.json
+++ b/apps/desktop-tauri/src-tauri/gen/schemas/capabilities.json
@@ -1 +1 @@
-{}
\ No newline at end of file
+{"default":{"identifier":"default","description":"Main window capability for DevTools Translator desktop.","local":true,"windows":["main"],"permissions":["core:default"]}}
\ No newline at end of file
diff --git a/apps/desktop-tauri/src-tauri/tauri.conf.json b/apps/desktop-tauri/src-tauri/tauri.conf.json
index eb8ccfd..b4e4912 100644
--- a/apps/desktop-tauri/src-tauri/tauri.conf.json
+++ b/apps/desktop-tauri/src-tauri/tauri.conf.json
@@ -4,7 +4,9 @@
 "version": "0.1.0",
 "identifier": "com.devtoolstranslator.desktop",
 "build": {
+ "beforeDevCommand": "pnpm --filter @dtt/desktop-ui dev -- --host 127.0.0.1 --port 1420",
 "beforeBuildCommand": "pnpm --filter @dtt/desktop-ui build",
+ "devUrl": "http://127.0.0.1:1420",
 "frontendDist": "../ui/.vite-dist"
 },
 "app": {
@@ -21,13 +23,7 @@
 },
 "bundle": {
 "active": true,
- "targets": [
- "app",
- "dmg",
- "msi",
- "deb",
- "appimage"
- ],
+ "targets": ["app", "dmg", "msi", "deb", "appimage"],
 "macOS": {
 "hardenedRuntime": true
 }
@@ -35,9 +31,7 @@
 "plugins": {
 "deep-link": {
 "desktop": {
- "schemes": [
- "dtt"
- ]
+ "schemes": ["dtt"]
 }
 }
 }
diff --git a/apps/desktop-tauri/ui/package.json b/apps/desktop-tauri/ui/package.json
index 0d27d85..b87b2cc 100644
--- a/apps/desktop-tauri/ui/package.json
+++ b/apps/desktop-tauri/ui/package.json
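Review bot: `"permissions": ["core:default"]` grants the main window Tauri's bundled default set for the core modules (app, event, window, webview and the rest) rather than an allowlist of what this frontend actually invokes, so the `description` line above it should name the commands the UI is expected to call through this capability, or the list should be narrowed to the individual `core:*:default` sets (for example `core:event:default`, `core:window:default`) that are really used. `tauri.conf.json` in the same commit configures the `deep-link` plugin, but no deep-link permission is granted here; if the frontend listens for deep-link events that will be denied until the plugin's permission is added, which I cannot confirm from this patch since the UI code is not in it. The new file does not set `local`; the regenerated `gen/schemas/capabilities.json` shows it defaulting to `true`, so this capability applies only to the bundled frontend, which is the right default and worth stating explicitly in the description.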
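Review bot: The new `beforeDevCommand` starts Vite on `127.0.0.1:1420` without `--strictPort`, while `devUrl` on the other added line hard-codes that same port; if 1420 is already in use Vite moves to the next free port and the webview instead loads whatever is listening on `http://127.0.0.1:1420`, which could be an unrelated local process. Passing `--strictPort` makes the dev server fail fast instead: `"beforeDevCommand": "pnpm --filter @dtt/desktop-ui dev -- --host 127.0.0.1 --port 1420 --strictPort",`. The same applies to the `preview` script added to `apps/desktop-tauri/ui/package.json` in this commit, which also binds `--port 1420` without `--strictPort`. The second and third hunks of this file are formatting only.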
@@ -9,6 +9,7 @@
 "typecheck": "tsc -p tsconfig.json --noEmit",
 "test": "pnpm run typecheck && vitest run",
 "build": "pnpm run typecheck && vite build --outDir .vite-dist",
+ "preview": "vite preview --host 127.0.0.1 --port 1420 --outDir .vite-dist",
 "dev": "vite"
 },
 "dependencies": {
diff --git a/docs/deck/README.md b/docs/deck/README.md
new file mode 100644
index 0000000..830be17
--- /dev/null
+++ b/docs/deck/README.md
@@ -0,0 +1,25 @@
+# Demo Deck Outline
+
+## Purpose
+
+Use this outline to build a short demo deck after the screenshot capture pass. The deck should support a live walkthrough, not replace it.
+
+## Suggested Slides
+
+1. **Problem**: DevTools traffic is noisy, technical, and hard to share safely.
+2. **Product**: DevTools Translator captures browser diagnostics and turns them into traceable findings.
+3. **Local-First Architecture**: Chrome MV3 extension, Tauri 2 desktop shell, Rust analysis pipeline, SQLite storage, and share-safe export.
+4. **Capture Workflow**: Pairing, consent, Live Capture, and controlled fixture traffic.
+5. **Analysis Workflow**: Normalization, correlation, detector packs, claims, confidence, and evidence references.
+6. **Evidence Drilldown**: Every explanation links back to concrete captured rows and fields.
+7. **Export Workflow**: Share-safe export, manifest, report, integrity files, and verification.
+8. **Security Posture**: Metadata-only defaults, redaction contracts, no telemetry, scoped Tauri capability, and sanitized demo rules.
+9. **Verification**: Automated tests, local beta smoke, interactive Chrome release smoke, and unresolved external release gates.
+10. **Next Steps**: Screenshot capture, one-pager rendering, deck build, and release evidence refresh.
+
+## Rehearsal Notes
+
+- Keep the live demo on sanitized fixtures and a disposable browser profile.
+- State the active privacy mode before capture begins.
+- Do not open real accounts, private browser profiles, Keychain prompts, `.env` files, signing keys, or extension-store credentials.
+- Keep a fallback path: screenshots can carry the story if the desktop shell, extension, or browser profile is unavailable.
diff --git a/docs/demo/README.md b/docs/demo/README.md
new file mode 100644
index 0000000..18ea4dc
--- /dev/null
+++ b/docs/demo/README.md
@@ -0,0 +1,55 @@
+# DevTools Translator Demo Plan
+
+## Purpose
+
+Use this plan for local, sanitized demos of DevTools Translator. The demo should show Chrome DevTools capture, deterministic analysis, evidence drilldown, and share-safe export without exposing real accounts, secrets, cookies, proprietary API payloads, or private browsing history.
+
+## Demo Safety Rules
+
+- Use a disposable browser profile with sanitized fixture pages.
+- Do not capture real production accounts, authenticated sessions, private URLs, cookies, authorization headers, API keys, or customer data.
+- Keep `metadata_only` as the default privacy mode unless the demo explicitly explains a safer fixture-only override.
+- Use the share-safe export profile for demo bundles.
+- Do not show local Keychain prompts, `.env` files, signing keys, extension store credentials, or updater signing material.
+- Treat screenshots in `docs/screenshots/` as UI evidence only, not proof of non-dry-run public release readiness.
+
+## Baseline Scenario
+
+1. Build the desktop UI and MV3 extension from the local workspace.
+2. Launch the Tauri desktop shell and load the unpacked extension in a disposable browser profile.
+3. Pair the extension to the desktop app through localhost discovery.
+4. Enable explicit capture consent.
+5. Start a live capture against a sanitized fixture page.
+6. Generate controlled browser activity that produces network, console, and lifecycle events.
+7. Stop capture and confirm session persistence.
+8. Open the findings view and drill into claim/evidence chains.
+9. Generate a share-safe export and validate integrity status.
+10. Review diagnostics and release-gate status without exposing secrets or local private paths.
+
+## Evidence To Capture
+
+- Extension pairing and consent state.
+- Live Capture view with sanitized tab and session state.
+- Timeline or Network view with fixture-only rows.
+- Findings list with severity, claim, confidence, and evidence references.
+- Evidence drilldown showing exact row or field pointer.
+- Export flow with share-safe selected.
+- Export integrity result.
+- Diagnostics or release-gate panel showing safe status only.
+
+## Verification Notes
+
+Before using this demo externally, run:
+
+```bash
+pnpm --filter @dtt/desktop-ui build
+pnpm --filter @dtt/extension build
+cargo test -p dtt-desktop-core
+cargo test -p dtt-storage
+```
+
+Record what was not verified, especially public extension publishing, updater signing, notarization, and any browser interaction that was not run in a real interactive profile.
+
+## Current Status
+
+The repository already contains local beta and interactive Chrome release smoke evidence in `docs/PHASE6_SMOKE_EVIDENCE.md`. This folder is the reusable demo-script surface for future captures and rehearsals.
diff --git a/docs/one-pager/README.md b/docs/one-pager/README.md
new file mode 100644
index 0000000..794d8df
--- /dev/null
+++ b/docs/one-pager/README.md
@@ -0,0 +1,33 @@
+# One-Pager Outline
+
+## Product Summary
+
+DevTools Translator is a local-first diagnostic desktop app and Chrome MV3 extension that captures DevTools/CDP signals, translates them into human-readable findings, and preserves auditable evidence chains for every claim.
+
+## Audience
+
+- Engineer debugging frontend, API, LLM, or browser integration issues.
+- Product or support teammate who needs a safe, understandable diagnostic bundle.
+- Reviewer evaluating local-first desktop product quality across Tauri, Rust, React, SQLite, and extension surfaces.
+
+## Key Value
+
+- Turns noisy DevTools traffic into severity-ranked findings with traceable EvidenceRefs.
+- Keeps capture, analysis, storage, and export local by default.
+- Uses privacy modes and share-safe export defaults to reduce accidental data exposure.
+- Provides deterministic detector packs so fixture replay and export integrity can be verified.
+
+## Proof Points
+
+- Tauri 2 desktop shell with scoped capabilities and Rust command surface.
+- Chrome MV3 extension pairs to the desktop app over localhost with explicit consent.
+- SQLite-backed local storage for raw events, normalized records, findings, claims, exports, and release evidence.
+- Detector packs cover general web failures and LLM-specific traffic patterns.
+- Share-safe exports include manifest, report, session data, and integrity artifacts.
+
+## Current Demo Limits
+
+- Public extension publishing, updater signing, and notarization require separate release evidence.
+- Real authenticated browsing sessions should not be used in public demos.
+- Full body capture should remain fixture-only unless a release owner explicitly approves the privacy posture.
+- Browser interaction evidence should distinguish automated smoke, local beta validation, and human/operator release sign-off.
diff --git a/docs/screenshots/README.md b/docs/screenshots/README.md
new file mode 100644
index 0000000..8b919ca
--- /dev/null
+++ b/docs/screenshots/README.md 
@@ -0,0 +1,32 @@
+# Screenshot Capture Plan
+
+## Purpose
+
+This folder tracks screenshots needed for portfolio review, release notes, and demo rehearsal. Captures must use sanitized fixture data only.
+
+## Capture Matrix
+
+| File | Surface | Caption |
+| --------------------------- | ------------------- | ------------------------------------------------------------------- |
+| `01-pairing.png` | Pairing | Extension paired to the desktop app through localhost discovery. |
+| `02-live-capture.png` | Live Capture | Sanitized browser tab with explicit consent and active capture. |
+| `03-session-timeline.png` | Session timeline | Captured fixture events organized for inspection. |
+| `04-network-console.png` | Network and console | Network requests and console entries without secrets or real data. |
+| `05-findings.png` | Findings | Severity-ranked findings with claims and confidence. |
+| `06-evidence-drilldown.png` | Evidence drilldown | Claim evidence resolving to a concrete row or field pointer. |
+| `07-share-safe-export.png` | Export | Share-safe export selected before bundle generation. |
+| `08-integrity-result.png` | Integrity | Completed export with integrity validation passing. |
+| `09-diagnostics.png` | Diagnostics | Safe bridge, consent, and release-gate status without secrets. |
+| `10-release-readiness.png` | Release readiness | Dry-run or readiness checks with unresolved external gates visible. |
+
+## Capture Rules
+
+- Use deterministic fixture traffic or a disposable local test page.
+- Hide or replace local filesystem paths unless they are intentionally generic.
+- Do not show cookies, authorization headers, API keys, account identifiers, private URLs, extension-store credentials, or updater signing material.
+- Include a short caption beside each final screenshot in release or portfolio materials.
+- Re-capture screenshots after visible UI changes, detector model changes, export contract changes, or release-gate changes.
+
+## Current Status
+
+No screenshots are committed yet. This plan is the source of truth for the first capture pass.
diff --git a/package.json b/package.json
index 79cbe99..5674da3 100644
--- a/package.json
+++ b/package.json
@@ -9,6 +9,7 @@
 "typecheck": "pnpm -r --if-present typecheck",
 "test": "pnpm -r --if-present test",
 "build": "pnpm -r --if-present build",
+ "preview": "pnpm --filter @dtt/desktop-ui preview",
 "release:desktop:mac:dry-run": "node scripts/release/release_desktop_mac.mjs --dry-run",
 "release:desktop:mac": "node scripts/release/release_desktop_mac.mjs",
 "release:desktop:windows:dry-run": "node scripts/release/release_desktop_windows.mjs --dry-run",