[codex] Harden Tauri app baseline

.codex/scripts/run_verify_commands.sh

@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+COMMANDS_FILE="${1:-.codex/verify.commands}"
+
+if [[ ! -f "$COMMANDS_FILE" ]]; then
+  echo "Missing $COMMANDS_FILE"
+  exit 2
+fi
+
+while IFS= read -r cmd || [[ -n "$cmd" ]]; do
+  [[ -z "${cmd//[[:space:]]/}" ]] && continue
+  [[ "$cmd" =~ ^[[:space:]]*# ]] && continue
+
+  echo ">> $cmd"
+  eval "$cmd"
+done < "$COMMANDS_FILE"

apps/desktop-tauri/src-tauri/capabilities/default.json

@@ -0,0 +1,7 @@
+{
+  "$schema": "../gen/schemas/desktop-schema.json",
+  "identifier": "default",
+  "description": "Main window capability for DevTools Translator desktop.",
+  "windows": ["main"],
+  "permissions": ["core:default"]
+}

apps/desktop-tauri/src-tauri/gen/schemas/capabilities.json

@@ -1 +1 @@
-{}
+{"default":{"identifier":"default","description":"Main window capability for DevTools Translator desktop.","local":true,"windows":["main"],"permissions":["core:default"]}}

apps/desktop-tauri/src-tauri/tauri.conf.json

@@ -4,7 +4,9 @@
   "version": "0.1.0",
   "identifier": "com.devtoolstranslator.desktop",
   "build": {
+    "beforeDevCommand": "pnpm --filter @dtt/desktop-ui dev -- --host 127.0.0.1 --port 1420",
     "beforeBuildCommand": "pnpm --filter @dtt/desktop-ui build",
+    "devUrl": "http://127.0.0.1:1420",
     "frontendDist": "../ui/.vite-dist"
   },
   "app": {
@@ -21,23 +23,15 @@
   },
   "bundle": {
     "active": true,
-    "targets": [
-      "app",
-      "dmg",
-      "msi",
-      "deb",
-      "appimage"
-    ],
+    "targets": ["app", "dmg", "msi", "deb", "appimage"],
     "macOS": {
       "hardenedRuntime": true
     }
   },
   "plugins": {
     "deep-link": {
       "desktop": {
-        "schemes": [
-          "dtt"
-        ]
+        "schemes": ["dtt"]
       }
     }
   }

apps/desktop-tauri/ui/package.json

@@ -9,6 +9,7 @@
     "typecheck": "tsc -p tsconfig.json --noEmit",
     "test": "pnpm run typecheck && vitest run",
     "build": "pnpm run typecheck && vite build --outDir .vite-dist",
+    "preview": "vite preview --host 127.0.0.1 --port 1420 --outDir .vite-dist",
     "dev": "vite"
   },
   "dependencies": {

docs/deck/README.md

@@ -0,0 +1,25 @@
+# Demo Deck Outline
+
+## Purpose
+
+Use this outline to build a short demo deck after the screenshot capture pass. The deck should support a live walkthrough, not replace it.
+
+## Suggested Slides
+
+1. **Problem**: DevTools traffic is noisy, technical, and hard to share safely.
+2. **Product**: DevTools Translator captures browser diagnostics and turns them into traceable findings.
+3. **Local-First Architecture**: Chrome MV3 extension, Tauri 2 desktop shell, Rust analysis pipeline, SQLite storage, and share-safe export.
+4. **Capture Workflow**: Pairing, consent, Live Capture, and controlled fixture traffic.
+5. **Analysis Workflow**: Normalization, correlation, detector packs, claims, confidence, and evidence references.
+6. **Evidence Drilldown**: Every explanation links back to concrete captured rows and fields.
+7. **Export Workflow**: Share-safe export, manifest, report, integrity files, and verification.
+8. **Security Posture**: Metadata-only defaults, redaction contracts, no telemetry, scoped Tauri capability, and sanitized demo rules.
+9. **Verification**: Automated tests, local beta smoke, interactive Chrome release smoke, and unresolved external release gates.
+10. **Next Steps**: Screenshot capture, one-pager rendering, deck build, and release evidence refresh.
+
+## Rehearsal Notes
+
+- Keep the live demo on sanitized fixtures and a disposable browser profile.
+- State the active privacy mode before capture begins.
+- Do not open real accounts, private browser profiles, Keychain prompts, `.env` files, signing keys, or extension-store credentials.
+- Keep a fallback path: screenshots can carry the story if the desktop shell, extension, or browser profile is unavailable.

docs/demo/README.md

@@ -0,0 +1,55 @@
+# DevTools Translator Demo Plan
+
+## Purpose
+
+Use this plan for local, sanitized demos of DevTools Translator. The demo should show Chrome DevTools capture, deterministic analysis, evidence drilldown, and share-safe export without exposing real accounts, secrets, cookies, proprietary API payloads, or private browsing history.
+
+## Demo Safety Rules
+
+- Use a disposable browser profile with sanitized fixture pages.
+- Do not capture real production accounts, authenticated sessions, private URLs, cookies, authorization headers, API keys, or customer data.
+- Keep `metadata_only` as the default privacy mode unless the demo explicitly explains a safer fixture-only override.
+- Use the share-safe export profile for demo bundles.
+- Do not show local Keychain prompts, `.env` files, signing keys, extension store credentials, or updater signing material.
+- Treat screenshots in `docs/screenshots/` as UI evidence only, not proof of non-dry-run public release readiness.
+
+## Baseline Scenario
+
+1. Build the desktop UI and MV3 extension from the local workspace.
+2. Launch the Tauri desktop shell and load the unpacked extension in a disposable browser profile.
+3. Pair the extension to the desktop app through localhost discovery.
+4. Enable explicit capture consent.
+5. Start a live capture against a sanitized fixture page.
+6. Generate controlled browser activity that produces network, console, and lifecycle events.
+7. Stop capture and confirm session persistence.
+8. Open the findings view and drill into claim/evidence chains.
+9. Generate a share-safe export and validate integrity status.
+10. Review diagnostics and release-gate status without exposing secrets or local private paths.
+
+## Evidence To Capture
+
+- Extension pairing and consent state.
+- Live Capture view with sanitized tab and session state.
+- Timeline or Network view with fixture-only rows.
+- Findings list with severity, claim, confidence, and evidence references.
+- Evidence drilldown showing exact row or field pointer.
+- Export flow with share-safe selected.
+- Export integrity result.
+- Diagnostics or release-gate panel showing safe status only.
+
+## Verification Notes
+
+Before using this demo externally, run:
+
+```bash
+pnpm --filter @dtt/desktop-ui build
+pnpm --filter @dtt/extension build
+cargo test -p dtt-desktop-core
+cargo test -p dtt-storage
+```
+
+Record what was not verified, especially public extension publishing, updater signing, notarization, and any browser interaction that was not run in a real interactive profile.
+
+## Current Status
+
+The repository already contains local beta and interactive Chrome release smoke evidence in `docs/PHASE6_SMOKE_EVIDENCE.md`. This folder is the reusable demo-script surface for future captures and rehearsals.

docs/one-pager/README.md

@@ -0,0 +1,33 @@
+# One-Pager Outline
+
+## Product Summary
+
+DevTools Translator is a local-first diagnostic desktop app and Chrome MV3 extension that captures DevTools/CDP signals, translates them into human-readable findings, and preserves auditable evidence chains for every claim.
+
+## Audience
+
+- Engineer debugging frontend, API, LLM, or browser integration issues.
+- Product or support teammate who needs a safe, understandable diagnostic bundle.
+- Reviewer evaluating local-first desktop product quality across Tauri, Rust, React, SQLite, and extension surfaces.
+
+## Key Value
+
+- Turns noisy DevTools traffic into severity-ranked findings with traceable EvidenceRefs.
+- Keeps capture, analysis, storage, and export local by default.
+- Uses privacy modes and share-safe export defaults to reduce accidental data exposure.
+- Provides deterministic detector packs so fixture replay and export integrity can be verified.
+
+## Proof Points
+
+- Tauri 2 desktop shell with scoped capabilities and Rust command surface.
+- Chrome MV3 extension pairs to the desktop app over localhost with explicit consent.
+- SQLite-backed local storage for raw events, normalized records, findings, claims, exports, and release evidence.
+- Detector packs cover general web failures and LLM-specific traffic patterns.
+- Share-safe exports include manifest, report, session data, and integrity artifacts.
+
+## Current Demo Limits
+
+- Public extension publishing, updater signing, and notarization require separate release evidence.
+- Real authenticated browsing sessions should not be used in public demos.
+- Full body capture should remain fixture-only unless a release owner explicitly approves the privacy posture.
+- Browser interaction evidence should distinguish automated smoke, local beta validation, and human/operator release sign-off.

docs/screenshots/README.md

@@ -0,0 +1,32 @@
+# Screenshot Capture Plan
+
+## Purpose
+
+This folder tracks screenshots needed for portfolio review, release notes, and demo rehearsal. Captures must use sanitized fixture data only.
+
+## Capture Matrix
+
+| File                        | Surface             | Caption                                                             |
+| --------------------------- | ------------------- | ------------------------------------------------------------------- |
+| `01-pairing.png`            | Pairing             | Extension paired to the desktop app through localhost discovery.    |
+| `02-live-capture.png`       | Live Capture        | Sanitized browser tab with explicit consent and active capture.     |
+| `03-session-timeline.png`   | Session timeline    | Captured fixture events organized for inspection.                   |
+| `04-network-console.png`    | Network and console | Network requests and console entries without secrets or real data.  |
+| `05-findings.png`           | Findings            | Severity-ranked findings with claims and confidence.                |
+| `06-evidence-drilldown.png` | Evidence drilldown  | Claim evidence resolving to a concrete row or field pointer.        |
+| `07-share-safe-export.png`  | Export              | Share-safe export selected before bundle generation.                |
+| `08-integrity-result.png`   | Integrity           | Completed export with integrity validation passing.                 |
+| `09-diagnostics.png`        | Diagnostics         | Safe bridge, consent, and release-gate status without secrets.      |
+| `10-release-readiness.png`  | Release readiness   | Dry-run or readiness checks with unresolved external gates visible. |
+
+## Capture Rules
+
+- Use deterministic fixture traffic or a disposable local test page.
+- Hide or replace local filesystem paths unless they are intentionally generic.
+- Do not show cookies, authorization headers, API keys, account identifiers, private URLs, extension-store credentials, or updater signing material.
+- Include a short caption beside each final screenshot in release or portfolio materials.
+- Re-capture screenshots after visible UI changes, detector model changes, export contract changes, or release-gate changes.
+
+## Current Status
+
+No screenshots are committed yet. This plan is the source of truth for the first capture pass.

package.json

@@ -9,6 +9,7 @@
     "typecheck": "pnpm -r --if-present typecheck",
     "test": "pnpm -r --if-present test",
     "build": "pnpm -r --if-present build",
+    "preview": "pnpm --filter @dtt/desktop-ui preview",
     "release:desktop:mac:dry-run": "node scripts/release/release_desktop_mac.mjs --dry-run",
     "release:desktop:mac": "node scripts/release/release_desktop_mac.mjs",
     "release:desktop:windows:dry-run": "node scripts/release/release_desktop_windows.mjs --dry-run",