## What this is
## Summary (RU)
A-H1 / T541: Pin the Rox Design view-show origin URL to the trusted runtime endpoint
*Full translation of the body is in progress. The English original follows.*
---
# Original (EN)
## Objective
Close the security gap audited as **A-H1** in the PR #268 release-readiness audit: the `rox-design:view-show` IPC handler accepted a renderer-supplied URL and validated only its `http(s):` scheme before `webContents.loadURL`. The resulting `WebContentsView` inherits the privileged `rox-design-bridge:*` IPC surface (`openExternal`, `pickFolder`, `pickAndImport`, `openPath`, `printPdf`). A compromised main renderer (XSS in any allowed origin, supply-chain script injection) could redirect that view to an attacker host and pivot through those handlers — a classic confused-deputy pattern.
## Source Links
* GitHub repo: <https://github.com/agisota/rox.one>
* GitHub PR (parent, merged): <https://github.com/agisota/rox.one/pull/268>
* GitHub branch: `feat/rox-design-clean`
* GitHub Project item: <https://github.com/users/agisota/projects/9>
* DeepWiki: <https://deepwiki.com/agisota/rox.one>
* Local branch / cwd: `/home/dev/craft/rox-one-terminal` on `feat/rox-design-clean`
* Commit (already landed): `0d8bf3d2` — `fix(design): pin view-show URL origin to trusted runtime endpoint (T541)`
* Audit doc: `docs/audits/2026-05-20-pr268-release-readiness-audit.md` (finding A-H1, committed `12a1093f`)
* Audit memory: `project_pr268_audit_outcome.md`
## Current State
Implementation already landed on `feat/rox-design-clean` as commit `0d8bf3d2`:
* Added `isRoxDesignUrlOriginAuthorized(expectedWebUrl, candidateUrl)` helper in `apps/electron/src/main/rox-design-view-policy.ts`. Returns false unless the candidate is `http(s):` and origin-matches the expected URL.
* `RoxDesignViewManager.show()` extended to accept `expectedWebUrl?: string | null`; throws on origin mismatch.
* The IPC handler in `apps/electron/src/main/index.ts:627-639` resolves `expectedWebUrl` from `runtimeManager.getStatus().webUrl`, but only when `status === 'running'`. A non-running runtime resolves to `null`, which fails the check intentionally — refusing to load any URL until the runtime has come up is safer than fallback validation against an unknown origin.
* Test added at `apps/electron/src/main/__tests__/rox-desi...
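As an added illustration of the origin-pinning check described above (not the project's own code): the helper below borrows the name `isRoxDesignUrlOriginAuthorized` from the ticket but is an independent reconstruction, `showViewAt` is a hypothetical stand-in for `RoxDesignViewManager.show()`, and the trusted endpoint and candidate URLs are constructed sample values. It goes slightly beyond the ticket by showing why comparing `URL.origin` (rather than string prefixes) matters: default ports and host case are normalised, userinfo is ignored, and a `null` expected URL or an unparseable input fails closed.

```typescript
// Added illustration of the origin-pinning check from the ticket.
// NOT the rox.one project's helper: same name, independently written body.

/** True only for http: and https: URLs; rejects file:, javascript:, data:, ... */
function isHttpScheme(url: URL): boolean {
  return url.protocol === 'http:' || url.protocol === 'https:';
}

/**
 * Returns true only when `candidateUrl` is http(s) and its origin
 * (scheme + host + port) equals that of `expectedWebUrl`.
 * A null/undefined expected URL (runtime not 'running') always fails,
 * and so does a malformed URL on either side: the check fails closed.
 */
function isRoxDesignUrlOriginAuthorized(
  expectedWebUrl: string | null | undefined,
  candidateUrl: string,
): boolean {
  if (!expectedWebUrl) return false; // runtime not up: refuse every load
  let expected: URL;
  let candidate: URL;
  try {
    expected = new URL(expectedWebUrl);
    candidate = new URL(candidateUrl);
  } catch {
    return false; // unparseable input is never trusted
  }
  if (!isHttpScheme(expected) || !isHttpScheme(candidate)) return false;
  // URL.origin drops path, query, fragment and userinfo, lower-cases the host
  // and strips default ports, so "HTTP://Localhost:80/x" === "http://localhost".
  return expected.origin === candidate.origin;
}

/** Hypothetical stand-in for RoxDesignViewManager.show(): throws on mismatch. */
function showViewAt(expectedWebUrl: string | null, candidateUrl: string): string {
  if (!isRoxDesignUrlOriginAuthorized(expectedWebUrl, candidateUrl)) {
    throw new Error(`rox-design:view-show refused: ${candidateUrl} is not on the trusted origin`);
  }
  // In a real handler this is where webContents.loadURL(candidateUrl) would run.
  return candidateUrl;
}

// Constructed sample inputs (not taken from the project): [expected, candidate, want].
const trusted = 'http://127.0.0.1:4310';
const checks: Array<[string | null, string, boolean]> = [
  [trusted, 'http://127.0.0.1:4310/design/show?id=1', true],
  [trusted, 'http://127.0.0.1:4311/', false],               // port differs
  [trusted, 'https://127.0.0.1:4310/', false],              // scheme differs
  [trusted, 'http://other.example/', false],                // host differs
  [trusted, 'http://127.0.0.1:4310@other.example/', false], // userinfo is not the host
  [trusted, 'javascript:void(0)', false],                   // not http(s)
  [null, 'http://127.0.0.1:4310/', false],                  // runtime not running
  ['http://localhost', 'HTTP://Localhost:80/index.html', true], // normalised origin
];

for (const [exp, cand, want] of checks) {
  const got = isRoxDesignUrlOriginAuthorized(exp, cand);
  console.log(`${got === want ? 'ok ' : 'BAD'} ${String(exp)} <- ${cand} => ${got}`);
}
```

Run it with `ts-node` (or compile with `tsc` and run under Node); every line should print `ok`. The design choice worth noting is the `null` branch: resolving `expectedWebUrl` to `null` when the runtime is not `running` makes the helper refuse every load, which is the behaviour the ticket describes as intentional.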
## Status
This is a task from the current ROX.ONE backlog (Linear). Current status in Linear: `На ревью — In Review`. Labels: none.
## 🔗 Linear
- [PZD-65](https://linear.app/kuhjie/issue/PZD-65/a-h1-t541-privyazat-origin-url-view-show-rox-design-k-doverennomu) — backing ticket
- Parent epic: [PZD-120](https://linear.app/kuhjie/issue/PZD-120)