## What this is
## Summary (RU)
G2.2.1.C: Baseline sandbox helpers + trust-boundary primitives (Week 0 foundation)
*Full translation of the body is in progress. The English original is below.*
---
# Original (EN)
## Objective
Provide a `WebContentsView` spawning helper that enforces the security baseline by default. Generalize the trust-boundary helpers from PZD-65 (URL origin pinning) and PZD-66 (env-var hardening) so that future integrations inherit them automatically.
## Source Links
* Design doc section: `docs/superpowers/specs/2026-05-20-rox-integration-vision-design.md` § 3 (Section 3 → 2.1.C)
* Parent: PZD-77
* Audit context: `docs/audits/2026-05-20-pr268-release-readiness-audit.md`
## Tasks
(a) Create `apps/electron/src/main/integrations/sandbox-baseline.ts` exporting `createSecureWebContentsView(manifest)`
(b) Helper enforces: `sandbox: true`, `contextIsolation: true`, `nodeIntegration: false`, `webviewTag: false`, no devtools in production
(c) Manifest validator rejects any attempt to weaken these (compile-time + runtime)
(d) Generalize `isRoxDesignUrlOriginAuthorized` → `isUrlOriginAuthorized(allowlist, candidate)` taking explicit allowlist
(e) Generalize env-var hardening pattern → `isEnvOverrideAllowed(): boolean` based on `app.isPackaged`
(f) Unit tests for all helpers; integration test that the security baseline is non-bypassable
(g) Doc block explaining why each restriction exists, referencing CLAUDE.md security rules
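
A minimal TypeScript sketch of tasks (b) to (d), added here as an illustration and not taken from the project's code base. `isUrlOriginAuthorized` and the four `webPreferences` keys come from the ticket; `BASELINE`, `findBaselineViolations` and `resolveWebPreferences` are hypothetical names, and the Electron call itself is left out so the logic runs without Electron.

```typescript
// Added sketch, not project code. Names other than isUrlOriginAuthorized and the
// four webPreferences keys are hypothetical.

// Baseline from task (b). `as const` keeps literal types, so a manifest type derived
// from `typeof BASELINE` rejects sandbox: false at typecheck (compile-time half of (c)).
const BASELINE = {
  sandbox: true,
  contextIsolation: true,
  nodeIntegration: false,
  webviewTag: false,
} as const;
type BaselineKey = keyof typeof BASELINE;

// Runtime half of task (c): manifests can arrive as untyped data, so re-check.
function findBaselineViolations(requested: Record<string, unknown>): BaselineKey[] {
  return (Object.keys(BASELINE) as BaselineKey[]).filter(
    (key) => key in requested && requested[key] !== BASELINE[key],
  );
}

// Fail closed on any conflict; the baseline is spread last so it always wins.
function resolveWebPreferences(requested: Record<string, unknown>): Record<string, unknown> {
  const violations = findBaselineViolations(requested);
  if (violations.length > 0) {
    throw new Error(`manifest weakens security baseline: ${violations.join(", ")}`);
  }
  return { ...requested, ...BASELINE };
}

// Task (d): compare parsed origins (scheme + host + port), never string prefixes.
function isUrlOriginAuthorized(allowlist: readonly string[], candidate: string): boolean {
  let candidateOrigin: string;
  try {
    candidateOrigin = new URL(candidate).origin;
  } catch {
    return false; // unparseable input is never authorized
  }
  // Opaque origins (file:, data:) serialize to "null" and must not match each other.
  if (candidateOrigin === "null") return false;
  return allowlist.some((entry) => {
    try {
      return new URL(entry).origin === candidateOrigin;
    } catch {
      return false; // a malformed allowlist entry matches nothing
    }
  });
}
```

Comparing parsed origins is what makes lookalike hosts and userinfo tricks fail: the check never sees the raw string, only the scheme, host and port the URL parser resolved.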
## Acceptance Criteria
Implementation passes typecheck + lint + targeted unit tests + relevant audit gates. PR backlinks to this Linear issue.
## Implementation Plan
1. Read design doc section 3 (Section 3 → 2.1.C) for full context.
2. Implement tasks above on a feature branch off current main + my 3 PR #268 audit commits (`0d8bf3d2`, `a8f90784`, `4d223078`) or current main if those land first.
3. Atomic commits per task; PR when complete.
4. Update this issue with verification evidence.
## Status / Priority / Estimate
Status: **Todo** (Week 0)
Priority: **High**
Estimate: **S** (~1-3 dev-days)
Workstream: CODE
## Update Log
* **2026-05-20** Sub-issue created during integration-vision brainstorm. Dispatched to autonomous agent.
## Status
This is a task from the current ROX.ONE backlog (Linear). Current status in Linear: `К работе — Todo`. Labels: none.
## 🔗 Linear
- [PZD-79](https://linear.app/kuhjie/issue/PZD-79/g221c-bazovye-sandbox-helpery-primitivy-granicy-doveriya-week-0) — backing ticket
- Parent epic: [PZD-120](https://linear.app/kuhjie/issue/PZD-120)