A-M1+A-M2: Запретить переопределение runtime Rox Design через env-переменные в упакован...

## Что это ## Резюме (RU) A-M1+A-M2: Запретить переопределение runtime Rox Design через env-переменные в упакованных сборках *Полный перевод тела — в работе. Английский оригинал ниже.* --- # Original (EN) ## Objective Close two trust-boundary findings from the PR #268 release-readiness audit: * **A-M1**: `ROX_DESIGN_WEB_URL` env var is loaded verbatim with no scheme/host allowlist. A poisoned shell profile or launcher injection could silently redirect the embedded WebContentsView to an attacker host that inherits the `rox-design-bridge:*` IPC surface. * **A-M2**: `ROX_DESIGN_RUNTIME_ROOT` env var points the runtime manager at an arbitrary directory containing `open-design-config.json`. The manager then `spawn`s the binary at that bundle's `nodeCommandRelative` — **arbitrary-code execution in main-process context**. These overrides remain useful during dev/debug but cross a trust boundary the user does not see in a packaged build. Gate both behind `!app.isPackaged`; log a warn-level message when the env attempt is detected in production builds. ## Source Links * GitHub repo: [https://github.com/agisota/rox.one]() * GitHub PR (parent, merged): [https://github.com/agisota/rox.one/pull/268]() * GitHub branch: `feat/rox-design-clean` * GitHub Project item: [https://github.com/users/agisota/projects/9]() * DeepWiki: [https://deepwiki.com/agisota/rox.one]() * Local branch / cwd: `/home/dev/craft/rox-one-terminal` on `feat/rox-design-clean` * Commit (already landed): `a8f90784` — `fix(design): refuse env-var runtime overrides in packaged builds (A-M1, A-M2)` * Audit doc: `docs/audits/2026-05-20-pr268-release-readiness-audit.md` (findings A-M1, A-M2) * Audit memory: `project_pr268_audit_outcome.md` * Related: [PZD-65](https://linear.app/id-2/issue/PZD-65) (T541 URL origin pin — compounds with this fix) ## Current State Implementation landed on `feat/rox-design-clean` as commit `a8f90784`: * Import `app` from `electron` in `apps/electron/src/main/rox-design-runtime-manager.ts`. * In `_doStart()`: compute `allowEnvOverrides = !app.isPackaged`. If `ROX_DESIGN_WEB_URL` is set in a packaged build, log warn and ignore. * In `findBundledRuntimeLayout()`: same gate for `ROX_DESIGN_RUNTIME_ROOT`. Attacker-supplied root is removed from candidates list with a warn log. * Test mock updated to e... ## Статус Это задача из текущего backlog'а ROX.ONE (Linear). Текущий статус в Linear: `На ревью — In Review`. Метки: —. ## 🔗 Linear - [PZD-66](https://linear.app/kuhjie/issue/PZD-66/a-m1a-m2-zapretit-pereopredelenie-runtime-rox-design-cherez-env) — backing ticket - Parent epic: [PZD-120](https://linear.app/kuhjie/issue/PZD-120)