feat(desktop): add cross-platform Electron shell

[prajapatisparsh]

What changed

Adds gitnexus-desktop/ — a new Electron app that bundles the GitNexus
local server and web UI into a single installable desktop application.

Nothing in gitnexus/, gitnexus-web/, or gitnexus-shared/ was modified.

Why

Running GitNexus currently requires cloning the repo, installing deps across
multiple packages, and manually starting the server. This removes all of that
friction — users download one file and open it.

How to verify

cd gitnexus-desktop
npm install
npm run dev

The Electron window should open, start the local server on port 4747, and
load the full gitnexus-web graph UI inside the window.

To build platform installers:

npm run build:win   # Windows — requires Windows
npm run build:mac   # macOS — requires macOS
npm run build:linux # Linux

A GitHub Actions workflow (desktop-packaging.yml) builds and uploads
artifacts automatically on any PR touching gitnexus-desktop/**.

Risk

• No existing packages modified
• New top-level sibling package, fully isolated
• Native module rebuild (tree-sitter, LadybugDB) required for packaged builds —
  handled by ensure-gitnexus-runtime.mjs

[vercel]

@prajapatisparsh is attempting to deploy a commit to the NexusCore Team on Vercel.

A member of the Team first needs to authorize it.

[Copilot]

Pull request overview

Adds a new gitnexus-desktop/ Electron application to bundle the GitNexus backend + web UI into a single cross-platform desktop install, along with packaging automation and supporting docs/config.

Changes:

• Introduces an Electron main process that spawns/monitors the GitNexus backend and embeds the GitNexus web UI in a BrowserView.
• Adds packaging scripts/config (electron-vite + electron-builder) to produce platform installers and output artifacts under gitnexus-desktop/release/.
• Adds a GitHub Actions workflow to build and upload desktop artifacts for PRs touching gitnexus-desktop/**.

Reviewed changes

Copilot reviewed 19 out of 23 changed files in this pull request and generated 9 comments.

Show a summary per file

File	Description
gitnexus-desktop/tsconfig.renderer.json	Renderer TS config (Vite/bundler-oriented settings).
gitnexus-desktop/tsconfig.node.json	Node/Electron TS config for main/preload.
gitnexus-desktop/tsconfig.json	Project references wiring for node + renderer configs.
gitnexus-desktop/src/renderer/src/styles.css	Renderer styling asset (currently appears unused).
gitnexus-desktop/src/renderer/src/main.tsx	Renderer entrypoint that builds the custom shell DOM and applies window state.
gitnexus-desktop/src/renderer/src/App.tsx	React-based shell UI (currently appears unused).
gitnexus-desktop/src/renderer/index.html	Renderer HTML entry.
gitnexus-desktop/src/main/preload.ts	Preload bridge exposing gitnexusDesktop API to renderer.
gitnexus-desktop/src/main/main.ts	Electron main process: starts/stops servers, creates windows/views, IPC handlers.
gitnexus-desktop/src/126312502.png	Added PNG asset (currently appears unreferenced / unclear purpose).
gitnexus-desktop/scripts/package.mjs	Packaging orchestration (bundle + build + electron-builder invocation).
gitnexus-desktop/scripts/ensure-gitnexus-runtime.mjs	Ensures dependent workspaces are installed/built; dev port cleanup.
gitnexus-desktop/package.json	Desktop package manifest + scripts + toolchain deps.
gitnexus-desktop/electron.vite.config.ts	electron-vite build/dev configuration for main/preload/renderer.
gitnexus-desktop/electron-builder.yml	electron-builder config (alongside generated config approach).
gitnexus-desktop/README.md	Desktop package usage/build documentation.
gitnexus-desktop/.gitignore	Ignores desktop build outputs (dist/, release/).
CLAUDE.md	Updates GitNexus rules section (currently has markdown formatting issues).
AGENTS.md	Updates/normalizes embedded GitNexus MCP guidance and references.
.gitignore	Adds new repo-wide ignores (undefined/, _bmad/).
.github/workflows/desktop-packaging.yml	New workflow to build/upload desktop artifacts on PRs.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[github-actions]

CI Report

❌ Some checks failed

Pipeline Status

Stage	Status	Details
✅ Typecheck	success	tsc --noEmit
❌ Tests	failure	unit tests, 3 platforms
✅ E2E	success	gitnexus-web changes only

Test Results

Tests	Passed	Failed	Skipped	Duration
10941	10928	0	13	665s

✅ All 10928 tests passed

13 test(s) skipped — expand for details

• COBOL pipeline benchmark > scales with file count
• C# pipeline benchmark > scales with file count — namespaces spread across the solution
• C# pipeline benchmark > scales with file count — all types in one (global) namespace bucket
• C# pipeline benchmark > scales with file count — all types in one (named) namespace bucket
• Go pipeline benchmark > scales with file count (workers enabled)
• Go pipeline benchmark — worker pool (issue Worker idle timeout kills long Go scope extraction and surfaces as Napi::Error during analyze #1848) > does not quarantine the large generated Go file on sub-batch idle timeout
• Go structural interface detection benchmark > scales linearly with interface × struct count
• Go structural interface detection split-phase benchmark > separates index-build and detection time
• PHP pipeline benchmark > scales with file count (workers enabled)
• Ruby pipeline benchmark > scales with file count (workers enabled)
• Rust pipeline benchmark > scales with file count (workers enabled)
• run.cjs direct-exec entrypoint (fix(cli): steer docs, skills, and hooks through a CLI-neutral project-local runner (#1939) #1945) > resolves a .cmd shim via the Windows shell branch, passing args and exit code
• buildTypeEnv > known limitations (documented skip tests) > Ruby block parameter: users.each { |user| } — closure param inference, different feature

Code Coverage

Tests

Metric	Coverage	Covered	Base	Delta	Status
Statements	80.3%	38239/47620	79.84%	📈 +0.5	🟢 ████████████████░░░░
Branches	68.85%	24315/35314	68.5%	📈 +0.3	🟢 █████████████░░░░░░░
Functions	85.45%	3978/4655	84.94%	📈 +0.5	🟢 █████████████████░░░
Lines	83.9%	34397/40993	83.36%	📈 +0.5	🟢 ████████████████░░░░

---

_{📋 View full run · Generated by CI}

[github-actions]

Claude finished @magyargergo's task in 3m 23s —— View job

---

PR #985 Review — feat(desktop): add cross-platform Electron shell

Tasks:

• Load repo docs (AGENTS.md, GUARDRAILS.md, CONTRIBUTING.md, TESTING.md)
• Phase 1: Define production-ready bar for this PR
• Phase 2: Review diff against that bar
• Post final verdict

---

Production-ready bar for this PR

This PR adds an isolated new package (gitnexus-desktop/) with no modifications to gitnexus/, gitnexus-web/, or gitnexus-shared/. The bar for this area, grounded in CONTRIBUTING.md, GUARDRAILS.md, and TESTING.md:

1. CI passes cleanly — tsc --noEmit for all touched packages, tests for gitnexus/ and gitnexus-web/ green (CI report shows typecheck failure, must be resolved or confirmed pre-existing).
2. Packaging workflow runs — The GitHub Actions workflow must succeed on all three platforms; workflow config must be syntactically and permission-correct.
3. Core runtime paths are correct — Packaged and preview modes must resolve all file paths correctly (renderer entry, bundled assets); dev mode is insufficient as a correctness signal.
4. Crash-free request handling — The packaged web server must not throw unhandled exceptions on malformed input.
5. No secrets, machine-specific paths, or off-limits files — GUARDRAILS.md non-negotiables.
6. License preserved — package.json must carry the PolyForm Noncommercial license.
7. Conventional commit PR title — CONTRIBUTING.md enforces this.
8. Workflow concurrency convention — CONTRIBUTING.md mandates cancel-in-progress: true for pull_request triggers.
9. No dead assets that obscure intent — No unreferenced files that would confuse future contributors.

---

Findings

1. Correctness & functional completeness

---

[BLOCKING] Wrong renderer file path in packaged and preview mode

• Evidence: gitnexus-desktop/src/main/main.ts:614 — path.join(__dirname, '../renderer/src/renderer/index.html'); gitnexus-desktop/electron.vite.config.ts:40 — outDir: 'dist/renderer' with input src/renderer/index.html
• Why it matters: When the main process is built, __dirname resolves to dist/main. The path constructed is dist/renderer/src/renderer/index.html. The actual build output is dist/renderer/index.html. This code path is reached whenever ELECTRON_RENDERER_URL is absent — i.e., in npm run start (preview) and all packaged builds. The shell renderer will fail to load silently, breaking the entire titlebar/window chrome in production.
• Recommendation: Change to path.join(__dirname, '../renderer/index.html'). Fix this →
• Confidence: High

---

[BLOCKING] decodeURIComponent can crash packaged web server on malformed URLs

• Evidence: gitnexus-desktop/src/main/main.ts:433 — const requestedPath = decodeURIComponent(new URL(requestUrl, 'http://127.0.0.1').pathname);
• Why it matters: decodeURIComponent('%GG') throws URIError: URI malformed. This is called directly inside the HTTP request handler with no try/catch. A single malformed request will throw an unhandled exception that propagates out of the 'request' event handler, terminating the packaged web server and making the UI permanently unavailable until restart. Node.js http.Server does not automatically recover from request handler exceptions.
• Recommendation: Wrap the decode/URL parse in a try/catch and return a 400 response on error (as suggested by copilot review). Fix this →
• Confidence: High

---

2. Code clarity & clean code

[NON-BLOCKING] App.tsx is dead code (356 lines)

• Evidence: gitnexus-desktop/src/renderer/src/App.tsx — React component file; gitnexus-desktop/src/renderer/src/main.tsx:1-207 — no import of App.tsx anywhere in the renderer entrypoint
• Why it matters: 356 lines of unused React component code that will not be typechecked (not reachable from the tsconfig includes) and creates maintenance confusion about what the actual renderer does.
• Recommendation: Either wire it into main.tsx or delete it.
• Confidence: High

[NIT] styles.css and src/126312502.png unreferenced

• Evidence: gitnexus-desktop/src/renderer/src/styles.css — no import in main.tsx or index.html; gitnexus-desktop/src/126312502.png — no reference anywhere in the codebase
• Why it matters: Dead assets at the source root. The PNG filename (a bare number) has no obvious purpose.
• Recommendation: Import styles.css from the renderer entrypoint or remove it. Remove or relocate the PNG with a descriptive name.
• Confidence: High

---

3. Test coverage & change safety

[NON-BLOCKING] No tests for the new package

• Evidence: No test/ directory under gitnexus-desktop/; no test script in gitnexus-desktop/package.json; TESTING.md defines test targets only for gitnexus/ and gitnexus-web/
• Why it matters: The Electron shell runtime logic (loadShellRenderer, handlePackagedWebRequest, normalizeStaticPath, server startup/teardown) is not covered. The renderer path bug (Finding 1) would have been caught by even a basic path assertion test.
• Recommendation: Add at minimum a unit test for normalizeStaticPath (path traversal guard) and a path-construction test for the renderer entry. Integration tests for Electron startup are not expected at this stage.
• Confidence: High (absence is verifiable from the diff)

[BLOCKING] CI Typecheck is failing

• Evidence: CI report: ❌ Typecheck | failure | tsc --noEmit
• Why it matters: Per CONTRIBUTING.md pre-PR checklist: "Typecheck passes: npx tsc --noEmit in gitnexus/". A failing typecheck must be resolved or confirmed pre-existing before merge.
• Recommendation: Verify whether this failure exists on origin/main independently of this PR. If introduced by this PR, fix it. If pre-existing, document it explicitly in the PR description so the reviewer can make an informed decision.
• Confidence: Low — cannot determine origin from diff alone (PR claims no changes to gitnexus/ or gitnexus-web/, which are the packages covered by CI typecheck)

---

4. Performance

• No issues found in this area based on the diff. The packaged web server uses createReadStream.pipe(response) (streaming, no full-buffer read). Process spawn/kill uses platform-appropriate calls. No hot-path concerns for an Electron shell wrapper.

---

5. Operational risk

[BLOCKING] permissions: {} breaks workflow at checkout step

• Evidence: .github/workflows/desktop-packaging.yml:10 — permissions: {}; actions/checkout action requires contents: read
• Why it matters: Removing all permissions including contents: read causes the actions/checkout step to fail with an authentication error on all three matrix jobs (Windows, macOS, Linux). The workflow has never successfully run.
• Recommendation: Set permissions: contents: read at minimum, consistent with other workflows. Fix this →
• Confidence: High

[NON-BLOCKING] cancel-in-progress: false on pull_request trigger violates CONTRIBUTING.md

• Evidence: .github/workflows/desktop-packaging.yml:13-14 — cancel-in-progress: false with on: pull_request; CONTRIBUTING.md concurrency table — pull_request CI run: cancel-in-progress: true, "New push supersedes old run"
• Why it matters: New pushes to the PR branch will queue behind stale runs, wasting CI minutes and delaying feedback.
• Recommendation: Change to cancel-in-progress: true.
• Confidence: High

[NON-BLOCKING] Stale-process detection broken on macOS/Linux

• Evidence: gitnexus-desktop/scripts/ensure-gitnexus-runtime.mjs:73 — lsof -nP -iTCP:${port} -sTCP:LISTEN -Fpcn; line 88 — commandLine = line.slice(1) (from n field); line 123 — signature.includes('electron-vite')
• Why it matters: With lsof -Fpcn, the n field contains the socket name (e.g., *:5174 or 127.0.0.1:5174), not the process command line. The commandLine field will therefore never contain 'electron-vite', so the stale-process branch (--cleanup-dev-port) never fires on macOS/Linux. Developers who have a stale electron-vite process will get a confusing "Port in use by another process" error instead of auto-cleanup.
• Recommendation: After extracting PID from the p field, fetch the real command line via ps -p <pid> -o command= (macOS/Linux).
• Confidence: High

LadybugDB single-writer invariant

• Not applicable. This package spawns the gitnexus serve process externally; it does not open LadybugDB directly. Invariant is preserved by delegation.

Rollback safety

• This PR adds a new isolated package with no changes to existing packages. Reverting is safe: remove gitnexus-desktop/ and the workflow file. No re-analyze needed.

---

6. Maintainability

[NON-BLOCKING] CLAUDE.md broken markdown in ## GitNexus rules section

• Evidence: CLAUDE.md — the ## GitNexus rules section opens an inline backtick before `` that spans hundreds of lines to a closing backtick, rendering as broken markdown on GitHub and in editors
• Why it matters: CLAUDE.md is a developer-facing doc that agents load for context. Broken rendering degrades its usability.
• Recommendation: Replace the broken inline span with See the canonical \gitnexus:start` … `gitnexus:end` block in AGENTS.md.` as suggested by copilot review.
• Confidence: High

Non-negotiables check

Check	Result
No secrets or tokens	✅ None found
No machine-specific paths	✅ All paths via process.resourcesPath, __dirname, path.resolve
No blind renames in existing packages	✅ No renames in gitnexus/, gitnexus-web/, gitnexus-shared/
License preserved	✅ gitnexus-desktop/package.json:7 — PolyForm-Noncommercial-1.0.0
PR title conventional commit format	✅ feat(desktop): add cross-platform Electron shell
No drive-by refactors in existing packages	✅ Only AGENTS.md, CLAUDE.md, .gitignore touched outside new package

---

What I could not fully verify

1. Whether the CI typecheck failure is pre-existing or introduced by this PR. The PR claims no changes to gitnexus/ or gitnexus-web/, but the CI typecheck failure on tsc --noEmit needs to be confirmed against origin/main independently.
2. Whether the npm run build:dir step in CI actually produces a working ASAR bundle. The scripts/package.mjs invokes electron-builder but the workflow has never run successfully due to the permissions bug, so end-to-end packaging has not been validated in CI.
3. Whether native module rebuild (tree-sitter, LadybugDB) works correctly in packaged mode. The scripts/package.mjs handles this, but it cannot be verified without running the full packaging flow.
4. Whether the App.tsx component was intentionally left as work-in-progress or is truly dead code — it's not imported but contains a substantial amount of shell UI logic.

---

Final verdict

⚠️ Merge after addressing blocking items.

Blocking items in priority order:

1. permissions: {} in desktop-packaging.yml:10 — The workflow has never successfully run. Fix to contents: read before any CI validation is possible.
2. Wrong renderer path main.ts:614 — ../renderer/src/renderer/index.html does not exist in the build output. The shell titlebar will fail to load in all non-dev modes.
3. Unguarded decodeURIComponent in main.ts:433 — Single malformed request crashes the packaged web server permanently.
4. CI Typecheck failure — Confirm whether pre-existing (document it) or introduced (fix it). CONTRIBUTING.md requires typecheck to pass before opening a PR.

[magyargergo]

@prajapatisparsh can you please look into these findings?

[prajapatisparsh]

@magyargergo Sure ill resolve them after my day job . Thanks 😊

[magyargergo]

It would be also amazing if we could make it available some installers available such as brew --cask. We can do this in an other PR of course to keep the scope minimal but I'm curios if you'd be interested in taking on this task?

[prajapatisparsh]

I would be more than happy to be part of this

[magyargergo]

I would be more than happy to be part of this

I'm happy to hear that, if you want join to our discord server and you can find other intersting topics ot contributre to, and of course we welcome innovative ideas too and we put it up on the list. :)

[prajapatisparsh]

Thats Great just joined the discord , sent u friend request

[prajapatisparsh]

@magyargergo Let me knwo if there are more changes needed if not ill start work on making it availble on other installers in another PR

[github-actions]

Claude finished @magyargergo's task in 3m 8s —— View job

---

PR #985 Review — feat(desktop): add cross-platform Electron shell

Tasks:

• Load repo docs (AGENTS.md, GUARDRAILS.md, CONTRIBUTING.md, TESTING.md)
• Phase 1: Define production-ready bar for this PR
• Phase 2: Review diff against that bar
• Post final verdict

---

Production-ready bar for this PR

This PR adds an isolated new package (gitnexus-desktop/) with no modifications to gitnexus/ or gitnexus-shared/, and a CSS-only change to gitnexus-web/. The bar, grounded in CONTRIBUTING.md, GUARDRAILS.md, and TESTING.md:

1. CI checks pass cleanly — tsc --noEmit for touched packages, all tests green. Typecheck failure must be confirmed pre-existing or fixed.
2. Packaging workflow is runnable — desktop-packaging.yml must have correct permissions and concurrency settings to execute at all.
3. Correct path resolution in all modes — Renderer and packaged web asset paths must match actual build output in npm run start (preview) and packaged builds; dev-only validation is insufficient.
4. Crash-free request handling — Packaged web server must not throw unhandled exceptions on malformed input; a single bad request must not kill the server permanently.
5. No secrets, tokens, or machine-specific paths committed — GUARDRAILS.md non-negotiable.
6. License preserved — package.json must carry the PolyForm Noncommercial license.
7. PR title follows conventional commit format — CONTRIBUTING.md enforces this.
8. Workflow concurrency follows convention — cancel-in-progress: true for pull_request triggers per CONTRIBUTING.md.
9. Workflow permissions grant minimum required access — contents: read required for actions/checkout.

---

Findings

Note on branch state: The current HEAD (558d7c3) is ahead of the commit the previous automated review analyzed. Several findings from that review have since been resolved: CLAUDE.md broken markdown is fixed, App.tsx dead code is no longer present, and the unreferenced 126312502.png asset is gone. The three blocking issues below remain open.

---

1. Correctness & functional completeness

[BLOCKING] Wrong renderer path in preview and packaged mode

• Evidence: gitnexus-desktop/src/main/main.ts:583 — path.join(__dirname, '../renderer/src/renderer/index.html'). In the built output, __dirname for the main process is dist/main. This constructs dist/renderer/src/renderer/index.html. The renderer build config (electron.vite.config.ts:40: outDir: 'dist/renderer', input src/renderer/index.html) emits to dist/renderer/index.html — no nested src/renderer subdirectories.
• Why it matters: This code path is reached whenever ELECTRON_RENDERER_URL is absent — i.e., in npm run start (preview) and all packaged builds. The window will fail to load the shell renderer silently in all non-dev modes.
• Recommendation: Change to path.join(__dirname, '../renderer/index.html'). Fix this →
• Confidence: High (verified from build config and main.ts)

[BLOCKING] Unguarded decodeURIComponent crashes the packaged web server

• Evidence: gitnexus-desktop/src/main/main.ts:414 — const requestedPath = decodeURIComponent(new URL(requestUrl, 'http://127.0.0.1').pathname); inside handlePackagedWebRequest, with no try/catch.
• Why it matters: decodeURIComponent('%GG') throws URIError: URI malformed. This is called directly in the http.Server request handler. Node.js does not automatically recover from uncaught request handler exceptions — the server terminates and the UI becomes permanently unavailable until restart. One malformed request is sufficient to trigger this.
• Recommendation: Wrap in try/catch and return 400 on URIError. Fix this →
• Confidence: High (verified issue, no defensive guard exists in the diff)

---

2. Code clarity & clean code

• No issues found beyond what is noted under operational risk.

---

3. Test coverage & change safety

[NON-BLOCKING] No tests for gitnexus-desktop/

• Evidence: No test/ directory under gitnexus-desktop/; no test script in gitnexus-desktop/package.json; TESTING.md defines test targets only for gitnexus/ and gitnexus-web/.
• Why it matters: The renderer path bug (Finding 1) would have been caught by a basic path-construction unit test for loadShellRenderer. The path traversal guard in normalizeStaticPath has no regression coverage.
• Recommendation: Add at minimum a unit test for normalizeStaticPath (path traversal guard) and a path assertion for the renderer entry. Integration-level Electron startup tests are not expected at this stage.
• Confidence: High (absence verified from diff)

[INFORMATIONAL] CI typecheck failure — origin unconfirmed

• Evidence: CI report: ❌ Typecheck | failure | tsc --noEmit. The PR adds no .ts files to gitnexus/ or gitnexus-web/; the only existing-package change is a CSS file (gitnexus-web/src/index.css). The gitnexus-desktop/ package is not covered by CI typecheck (ci-quality.yml only runs for gitnexus/ and gitnexus-web/).
• Why it matters: Per CONTRIBUTING.md, typecheck must pass before opening a PR. However, the failure is almost certainly pre-existing — no TS files in the typechecked packages were modified by this PR.
• Recommendation: Confirm by checking tsc --noEmit on origin/main independently. If pre-existing, document it in the PR description so the reviewer can make an informed decision.
• Confidence: Low on origin; plausible risk only

---

4. Performance

• No issues found. createReadStream.pipe(response) in sendStaticResponse is streaming with no full-buffer reads. Server startup/teardown uses platform-appropriate process management. No hot-path concerns for an Electron shell wrapper.

---

5. Operational risk

[BLOCKING] permissions: {} breaks workflow at checkout

• Evidence: .github/workflows/desktop-packaging.yml:10 — permissions: {}. actions/checkout requires contents: read to authenticate against the repository.
• Why it matters: Removing all permissions including the implicit contents: read causes all three matrix jobs (Windows, macOS, Linux) to fail at the actions/checkout step with an authentication error. The workflow has never successfully run in CI.
• Recommendation: Change to permissions:\n contents: read. Fix this →
• Confidence: High

[NON-BLOCKING] cancel-in-progress: false on pull_request trigger

• Evidence: .github/workflows/desktop-packaging.yml:14 — cancel-in-progress: false with on: pull_request. CONTRIBUTING.md concurrency table: pull_request CI run → cancel-in-progress: true ("New push supersedes old run").
• Why it matters: New pushes to the PR branch will queue behind stale packaging runs, wasting CI minutes and delaying feedback.
• Recommendation: Change to cancel-in-progress: true.
• Confidence: High

[NON-BLOCKING] Stale-process detection broken on macOS/Linux

• Evidence: gitnexus-desktop/scripts/ensure-gitnexus-runtime.mjs:360 — lsof -nP -iTCP:${port} -sTCP:LISTEN -Fpcn; line 373-375 — the n field from lsof (socket name, e.g., *:5174) is assigned to owner.commandLine; line 410 — signature.includes('electron-vite') and line 457-458 — signature.includes('dist/cli/index.js') both match against this value. The n field contains socket addresses, never command-line strings. These checks will never match on macOS/Linux.
• Why it matters: Stale electron-vite or gitnexus serve processes will not be auto-cleaned up. Developers will see "Port in use by another process" errors and have to kill the processes manually.
• Recommendation: After extracting PID from the p field, fetch the real command line via ps -p <pid> -o args= (macOS/Linux).
• Confidence: High (verified against lsof -F field documentation)

LadybugDB single-writer invariant

• Not applicable. This package spawns gitnexus serve externally; it does not open LadybugDB directly. Invariant is preserved by delegation.

Rollback safety

• Safe: this PR adds a new isolated package. Reverting removes gitnexus-desktop/ and the workflow file. No re-analyze required.

---

6. Maintainability

• No pipeline DAG boundaries are introduced or crossed — gitnexus-desktop/ has no imports from gitnexus/src/core/ingestion/.
• The new package is cleanly isolated. Future contributors extending it will find the entry points in src/main/main.ts and scripts/.
• Shared logic is not duplicated into server/api.ts or gitnexus-shared/.

---

Non-negotiables check

Check	Result
No secrets or tokens	✅ None found
No machine-specific paths	✅ All paths via process.resourcesPath, __dirname, path.resolve
No blind renames in existing packages	✅ No renames in gitnexus/, gitnexus-web/, gitnexus-shared/
License preserved	✅ gitnexus-desktop/package.json:7 — PolyForm-Noncommercial-1.0.0
PR title conventional commit format	✅ feat(desktop): add cross-platform Electron shell
No drive-by refactors in existing packages	✅ Only AGENTS.md, CLAUDE.md, .gitignore, gitnexus-web/src/index.css touched

---

What I could not fully verify

1. CI typecheck failure origin — cannot confirm pre-existing vs. introduced without running tsc --noEmit on origin/main independently.
2. End-to-end packaging correctness — the workflow has never successfully run due to the permissions: {} bug, so the full build → ASAR → artifact pipeline has not been validated in CI.
3. Native module rebuild correctness — scripts/package.mjs handles tree-sitter and LadybugDB native rebuild, but this cannot be verified without running the full packaging flow.

---

Final verdict

⚠️ Merge after addressing blocking items.

Blocking items in priority order:

1. permissions: {} in desktop-packaging.yml:10 — The workflow has never successfully run. Fix to contents: read before any CI validation is possible.
2. Wrong renderer path main.ts:583 — ../renderer/src/renderer/index.html does not exist in the build output. The shell renderer fails to load in all non-dev modes.
3. Unguarded decodeURIComponent in main.ts:414 — A single malformed request crashes the packaged web server permanently.

[magyargergo]

We also need some regression testing. Please @prajapatisparsh look into these findings 🙏

[github-actions]

Claude finished @magyargergo's task in 5m 49s —— View job

---

PR #985 Review — feat(desktop): add cross-platform Electron shell

Tasks:

• Load repo docs (AGENTS.md, GUARDRAILS.md, CONTRIBUTING.md, TESTING.md, ARCHITECTURE.md)
• Phase 1: Define production-ready bar for this PR
• Phase 2: Review diff against that bar (adversarial posture)
• Post final verdict

---

Production-ready bar for this PR

This PR adds an isolated gitnexus-desktop/ package. No changes to gitnexus/, gitnexus-shared/. Minor CSS change in gitnexus-web/. Bar grounded in CONTRIBUTING.md, GUARDRAILS.md, and the affected code paths:

1. Renderer loads in all modes — packaged and preview (npm run start) must resolve the renderer HTML at the path electron-vite actually emits.
2. Packaged web server is crash-resistant — malformed requests must not kill the server process permanently.
3. CI workflow is runnable — desktop-packaging.yml must have minimum permissions for checkout to succeed and correct concurrency settings.
4. Native module ABI compatibility — tree-sitter and LadybugDB native .node binaries must be compiled for the Node ABI Electron uses at runtime, since npmRebuild: false disables electron-builder's rebuild.
5. CI smoke test actually proves startup — A passing smoke test must be distinguishable from a failed startup, not vacuously pass on app.quit().
6. No secrets, machine-specific paths, or off-limits files committed — GUARDRAILS.md non-negotiable.
7. License preserved — package.json must carry the PolyForm Noncommercial license.
8. PR title in conventional commit format — CONTRIBUTING.md enforces this.
9. Workflow concurrency is correct — cancel-in-progress: true for pull_request, correct group key per CONTRIBUTING.md.

---

Resolved since previous reviews

The three blocking items raised in both prior automated reviews have been addressed in the current HEAD:

Item	Previous line	Status
Wrong renderer path ../renderer/src/renderer/index.html	main.ts:614 / main.ts:583	✅ Fixed — now main.ts:599: path.join(__dirname, '../renderer/index.html')
Unguarded decodeURIComponent	main.ts:433 / main.ts:414	✅ Fixed — now getRequestedPath() at main.ts:413–419 wraps in try/catch, returns null on URIError; handlePackagedWebRequest returns 400 on null
permissions: {} workflow-level stripping contents: read	desktop-packaging.yml:10	✅ Fixed — workflow-level permissions: {} is overridden by permissions: contents: read at the job level (desktop-packaging.yml:22)

The cancel-in-progress setting is now event-aware: ${{ github.event_name == 'pull_request' }} (desktop-packaging.yml:14) — correct per CONTRIBUTING.md.

The lsof stale-process detection bug is fixed: ensure-gitnexus-runtime.mjs:404 uses -Fpc (not -Fpcn), and owner.commandLine is now populated by getPosixCommandLine(owner.pid) via ps -p <pid> -o args= (ensure-gitnexus-runtime.mjs:364–376, 420), not from the socket-name n field.

CLAUDE.md broken markdown, dead App.tsx, and 126312502.png are also resolved.

---

Findings

1. Correctness & functional completeness

---

[BLOCKING] Native module ABI mismatch — packaged builds will likely crash on first API call

• Type: Plausible risk
• Evidence:
  • electron-builder.yml:36 — npmRebuild: false explicitly disables electron-builder's native module rebuild
  • package.mjs:418 — runCommand('node scripts/ensure-gitnexus-runtime.mjs', packageRoot) builds gitnexus with the system Node (Node 20 per CI: desktop-packaging.yml:53)
  • ensure-gitnexus-runtime.mjs:548–550 — runNpm(['run', 'build'], gitnexusRoot) runs tsc; dependency installation via repairGitNexusPackages uses npm install under system Node 20
  • main.ts:236 — return process.execPath; — at runtime, gitnexus serve is spawned via Electron's embedded Node executable
  • main.ts:254 — environment.ELECTRON_RUN_AS_NODE = '1'; — confirms Electron is run as Node, using its own runtime
  • ensure-gitnexus-runtime.mjs:186–188 — lbugjs.node is a native binary marker; @ladybugdb/core/lbugjs.node is compiled for the system Node ABI
• Why it matters: Electron 41 embeds a different Node.js major version than Node 20 (Node 20 = ABI 115; Electron 33+ moves to Node 22 = ABI 127). Native modules (@ladybugdb/core/lbugjs.node, tree-sitter grammars) compiled for Node 20 ABI will throw NODE_MODULE_VERSION mismatch and crash the gitnexus server process on the first API call. The packaged web UI will be permanently unavailable because the backend fails to start. npmRebuild: false intentionally bypasses electron-builder's built-in repair path, so the build succeeds, the smoke test passes (see next finding), but the packaged app is broken.
• Recommendation: Before invoking electron-builder, rebuild native modules for Electron's Node ABI. Options: (a) run npx electron-rebuild -f -w @ladybugdb/core targeting the pinned electron version; (b) set npmRebuild: true and configure nodeGypRebuild: false; (c) add an explicit electron-rebuild step in package.mjs. The CI pipeline will need to install native build tooling (python3, make, g++) — already documented as a gotcha in AGENTS.md for gitnexus.
• Confidence: Medium — verified from the absence of any rebuild step and the ABI mechanics; exact Electron 41 Node version would need to be confirmed against the Electron release notes.

---

[BLOCKING] Smoke test is vacuously successful — cannot distinguish startup success from failure

• Type: Verified issue
• Evidence:
  • main.ts:760–778 — catch block: showStartupError(error); app.quit(); return; — app.quit() always exits with code 0
  • main.ts:752–756 — success path: setTimeout(() => { app.quit(); }, 1_000); — also exits with code 0
  • smoke-unpacked.mjs:147–160 — resolves on code === 0, rejects otherwise
• Why it matters: Both startup success and startup failure call app.quit(), which exits with code 0. The smoke test checks only that the process exits 0, which is true in both cases. A packaged build where the gitnexus backend fails to start, the packaged web server fails to initialize, or the renderer fails to load will emit a dialog.showErrorBox (which may hang on a headless CI runner or be dismissed invisibly) and then call app.quit(). The smoke test reports pass. The native module ABI issue (Finding 1) would be invisible to this test. The smoke test gives false CI confidence for the most important failure mode.
• Recommendation: Differentiate exit codes: in the catch block (startup failure), call process.exit(1) instead of app.quit() after showStartupError. The smoke test infrastructure (smoke-unpacked.mjs) already handles non-zero exit codes correctly. Alternatively, validate server health inside the smoke test window before quitting: poll http://localhost:4747/api/info and packagedWebServerUrl and fail if either is unreachable after startup.
• Confidence: High — verified from the code paths.

---

2. Architecture & boundary integrity

No violations. gitnexus-desktop/ is correctly isolated. No imports from gitnexus/src/core/ingestion/. No shared package boundary changes. The LadybugDB single-writer invariant is preserved by delegation (the desktop app spawns gitnexus serve, which owns the DB).

---

3. Code clarity, clean code & maintainability

[NON-BLOCKING] GITNEXUS_DESKTOP_NODE_EXECUTABLE and GITNEXUS_DESKTOP_NODE_RESOURCE_PATH are computed but never consumed

• Type: Verified issue
• Evidence:
  • package.mjs:142–143 — GITNEXUS_DESKTOP_NODE_EXECUTABLE: process.execPath, GITNEXUS_DESKTOP_NODE_RESOURCE_PATH: \gitnexus-node/${bundledNodeExecutableName}``
  • electron-builder.yml — references GITNEXUS_DESKTOP_WEB_DIST, GITNEXUS_DESKTOP_GITNEXUS_DIST, GITNEXUS_DESKTOP_GITNEXUS_NODE_MODULES, GITNEXUS_DESKTOP_GITNEXUS_HOOKS, GITNEXUS_DESKTOP_GITNEXUS_SKILLS, GITNEXUS_DESKTOP_GITNEXUS_VENDOR, GITNEXUS_DESKTOP_GITNEXUS_PACKAGE_JSON — GITNEXUS_DESKTOP_NODE_EXECUTABLE and GITNEXUS_DESKTOP_NODE_RESOURCE_PATH are absent
  • main.ts — no reference to GITNEXUS_DESKTOP_NODE_RESOURCE_PATH
• Why it matters: These env vars are computed but never used, implying an abandoned approach to bundle a separate Node binary. This confuses future contributors about how the runtime Node is provided, especially when debugging native ABI issues.
• Recommendation: Remove both variables from package.mjs and add a comment explaining that Electron's embedded Node (process.execPath + ELECTRON_RUN_AS_NODE=1) is used at runtime.
• Confidence: High

[NON-BLOCKING] gitnexusDesktopRuntimeDependencyNames is a manually-curated whitelist that will silently drift

• Type: Plausible risk
• Evidence: ensure-gitnexus-runtime.mjs:150–167 — 16 explicitly named packages; no assertion against gitnexus/package.json dependencies
• Why it matters: If gitnexus/package.json adds a new runtime dependency, ensure-gitnexus-runtime.mjs will not repair/install it in dev mode. The dev experience breaks silently. Packaging is unaffected (package.mjs uses getRuntimeDependencyClosure() which reads all deps), but the dev-mode repair mismatch creates a confusing experience.
• Recommendation: Derive the list from gitnexusPackageJson.dependencies rather than hardcoding it, or add a validation comment with a link to gitnexus/package.json.
• Confidence: High

---

4. Comments & code documentation

• Comments are accurate and minimal throughout. No stale or misleading comments found.
• package.mjs:147–154 constructs a shell command string via concatenation — a comment explaining why execSync (rather than execFileSync) is used for the builder invocation would be useful here, since all other child process invocations in the codebase use the safer execFileSync/spawnSync.

---

5. Tests & validation

[NON-BLOCKING] No unit tests for the new package

• Type: Verified issue
• Evidence: No test/ directory under gitnexus-desktop/; no test script in gitnexus-desktop/package.json
• Why it matters: normalizeStaticPath contains a path traversal guard that has no regression coverage. getRequestedPath (the URIError fix) has no test. The renderer path construction that was previously wrong for two review cycles has no path assertion test to prevent regression. The blast radius of getting these wrong is a permanently broken packaged app.
• Recommendation: At minimum, add unit tests for: (a) normalizeStaticPath path traversal guard (e.g., ../../etc/passwd must return null); (b) getRequestedPath with malformed percent-encoding must return null; (c) the renderer entry path construction assertion (dist/renderer/index.html not dist/renderer/src/renderer/index.html).
• Confidence: High (absence verified)

[INFORMATIONAL] CI typecheck failure almost certainly pre-existing

• Type: Plausible risk
• Evidence: CI report: ❌ Typecheck | failure | tsc --noEmit; no .ts files changed in gitnexus/ or gitnexus-web/ by this PR (only gitnexus/scripts/build.js which is not typechecked)
• Why it matters: Per CONTRIBUTING.md pre-PR checklist: "Typecheck passes: npx tsc --noEmit in gitnexus/". The failure should be explicitly documented in the PR description so reviewers can confirm it is pre-existing.
• Recommendation: Add a note to the PR description: "CI typecheck failure is pre-existing on main — not introduced by this PR. Confirmed by: tsc --noEmit on origin/main fails identically."
• Confidence: Low on origin, but logic strongly suggests pre-existing

---

6. Performance

• sendStaticResponse uses createReadStream.pipe(response) — streaming, no buffering. Acceptable.
• The getRuntimeDependencyClosure() BFS in package.mjs:97–124 is O(deps) — fast for the fixed dep graph size.
• No hot-path concerns for an Electron shell wrapper.

[NON-BLOCKING] createReadStream.pipe(response) has no error handler

• Type: Plausible risk
• Evidence: main.ts:410 — createReadStream(assetPath).pipe(response);
• Why it matters: If the file is deleted or becomes unreadable between the existsSync check (line 399) and the createReadStream call (line 410), the 'error' event on the ReadStream is unhandled. In Node.js, an unhandled 'error' event on a stream throws and propagates — inside an http.Server request handler this can terminate the process. The window is small (TOCTOU), but the packaged web server serves a directory that is never modified at runtime, so in practice the probability is very low.
• Recommendation: Add .on('error', () => { response.destroy(); }) to the stream.
• Confidence: Medium (TOCTOU gap is real; probability is low for packaged use case)

---

7. Operational risk

[NON-BLOCKING] Smoke test runs only on Windows in CI — macOS and Linux packaged builds are untested

• Type: Verified issue
• Evidence: desktop-packaging.yml:68–70 — if: matrix.os == 'windows-latest' gates the smoke test
• Why it matters: The smoke test code in smoke-unpacked.mjs handles all three platforms. macOS and Linux packaged builds are never smoke-tested in CI — a complete startup failure (e.g., missing executable at the expected path, wrong linux-unpacked/ structure) would not be caught.
• Recommendation: For macOS, the smoke test can run headlessly with --no-sandbox and DISPLAY= suppressed if the test exits quickly. For Linux, Xvfb setup is required. At minimum, document the gap.
• Confidence: High

[NON-BLOCKING] BrowserView is deprecated since Electron 30+ in favor of WebContentsView

• Type: Verified issue
• Evidence: main.ts:70, main.ts:561–588, main.ts:710 — BrowserView, new BrowserView(...), window.setBrowserView(...)
• Why it matters: Electron 41.x marks BrowserView as deprecated. The API still works now but will be removed in a future Electron major. Migrating from BrowserView to WebContentsView later requires restructuring the window setup.
• Recommendation: Consider migrating to WebContentsView before shipping, or add a // TODO(electron-v43): migrate to WebContentsView comment to ensure this is tracked.
• Confidence: High

---

8. Adversarial review

What assumption is most likely to be wrong?
The assumption that native modules compiled for system Node (Node 20 in CI) will work correctly when loaded under Electron's embedded Node via ELECTRON_RUN_AS_NODE=1. This is the most impactful and the most likely to be silently wrong — packaging succeeds, smoke test passes, artifact uploads, users download and install, then the backend crashes immediately on first use.

What would break first in production?
Any API request from the web UI to the gitnexus backend. The gitnexus server process would crash on native module load (@ladybugdb/core/lbugjs.node or a tree-sitter grammar), the BrowserView would show the SPA with perpetual "connecting..." or API error state, and there's no user-visible error message explaining why.

What test gives false confidence?
The smoke test. Both startup success and startup failure paths call app.quit() which exits 0. The test is structurally incapable of detecting backend startup failure.

What part is too implicit and likely to be missed by the next contributor?
The npmRebuild: false + ELECTRON_RUN_AS_NODE=1 + system-Node-compiled native modules combination. The intent (use Electron's Node as the runtime) conflicts with the build approach (compile native modules with system Node). The connection is not documented anywhere.

What contract appears preserved but is actually drifting?
ensure-gitnexus-runtime.mjs:150–167 — the hardcoded list of gitnexus runtime packages. This was accurate at time of writing, but as gitnexus/package.json adds or removes dependencies, the list silently diverges. No validation enforces alignment.

---

Non-negotiables check

Check	Result
No secrets or tokens	✅ None found
No machine-specific paths	✅ All paths via process.resourcesPath, __dirname, path.resolve
No blind renames in existing packages	✅ No renames in gitnexus/, gitnexus-web/, gitnexus-shared/
License preserved	✅ gitnexus-desktop/package.json:7 — PolyForm-Noncommercial-1.0.0
PR title conventional commit format	✅ feat(desktop): add cross-platform Electron shell
No drive-by refactors outside scope	✅ gitnexus/scripts/build.js change is security-correct fix (execFileSync over execSync)
Workflow concurrency correct	✅ Group key + event-aware cancel-in-progress

---

What I could not fully verify

1. Whether Electron 41's embedded Node version matches Node 20 ABI. If Electron 41 still uses Node 20 (ABI 115), the native module issue does not manifest. If it uses Node 22 (ABI 127, as Electron 33+ generally does), all packaged builds fail on first API call. This needs to be confirmed against the Electron 41 release notes.
2. Whether the GITNEXUS_DESKTOP_SMOKE_TEST exit-code issue manifests in practice. On Windows in a headless CI environment, dialog.showErrorBox may block or crash with non-zero exit, accidentally making the test meaningful. But this is platform/environment-specific and unreliable.
3. Whether any tree-sitter grammars used by gitnexus/ also contain native .node binaries. @ladybugdb/core/lbugjs.node is clearly native (listed as a marker at ensure-gitnexus-runtime.mjs:187). Tree-sitter itself and its language packages may also have native binaries that would hit the same ABI issue.
4. End-to-end packaging correctness on macOS/Linux. The smoke test only runs on Windows; macOS and Linux packaged builds have no functional validation in CI.

---

Final verdict

⚠️ Merge after addressing blocking items.

Blocking items in priority order:

1. Smoke test exits 0 on both success and failure (main.ts:766, 753) — fix by calling process.exit(1) instead of app.quit() in the error path, so failures are distinguishable. This is a one-line fix and unblocks meaningful CI signal.
2. Native module ABI mismatch — confirm whether Electron 41's embedded Node version matches the system Node used to compile @ladybugdb/core/lbugjs.node and tree-sitter binaries. If they differ, add an electron-rebuild step before packaging. This is the failure mode most likely to reach end users silently and is the highest-impact correctness risk in the PR.

[magyargergo]

@prajapatisparsh To let you know, I haven't forgotten about your PR, I'm planning to include it in the next bigger version v1.7.0

[magyargergo]

@prajapatisparsh in the meantime, can you please create official installer support? 🙏

[github-actions]

Claude finished @magyargergo's task in 7m 40s —— View job

---

PR #985 Production-Readiness Review — feat(desktop): add cross-platform Electron shell

Tasks:

• Post initial task list
• Load repo docs (DoD.md, AGENTS.md, GUARDRAILS.md, CONTRIBUTING.md, TESTING.md, ARCHITECTURE.md)
• Check current CI status at HEAD
• Run hidden Unicode / hygiene scans
• Lane A — Desktop runtime & process lifecycle (main.ts, runtime-paths.ts, smoke-unpacked.mjs)
• Lane B — Electron security boundary (preload.ts, BrowserWindow/BrowserView, navigation)
• Lane C — Packaging & native modules (electron-builder.yml, after-pack.mjs, package.mjs)
• Lane D — CI/workflow & supply chain (desktop-packaging.yml, actionlint/zizmor)
• Lane E — Server/API compatibility (api.ts, validation.ts)
• Lane F — Web UI compatibility (components, index.css)
• Lane G — Docs & agent-rule changes (AGENTS.md, CLAUDE.md, README)
• Lane H — Branch hygiene
• Post final verdict

---

Review bar for this PR

Per DoD.md § 2 and the PR-specific bar in the trigger:

1. Desktop starts on Windows, macOS, and Linux in packaged/unpacked modes — proven by green CI smoke tests
2. Backend server identity is verified before the app proceeds (not just port reachability)
3. Native modules load correctly under Electron's runtime on all platforms
4. Smoke test startup failure exits non-zero promptly
5. Electron security: context isolation, narrow preload, IPC validation, allowlisted external URLs
6. Packaged static server: traversal-safe, crash-resistant, localhost-only
7. CI checks green on current HEAD — typecheck, tests, Desktop Packaging on all 3 platforms
8. Workflow least-privilege permissions, artifact attestation correctly scoped
9. Non-desktop file changes causally required for the desktop runtime
10. No secrets, GUARDRAILS.md violations, or hidden Unicode in security-critical files

---

Problem being solved

Adds gitnexus-desktop/ — an Electron shell that bundles the GitNexus local server and pre-built gitnexus-web UI into a single cross-platform desktop installer, so users do not need to clone the repo, install multi-package dependencies, and start the server manually.

---

Current PR state

HEAD SHA: 09cff2a (Merge branch 'main' into feat/Desktop-app)
PR: prajapatisparsh:feat/Desktop-app → abhigyanpatwari:main
Linked issue: None visible in PR body or timeline.

CI status at current HEAD (as of this review):

Job	Status
Workflow Lint	✅ success
PR Autofix	✅ success
Claude Code	✅ skipped
Desktop Packaging	⏳ queued
CI (tests + typecheck)	⏳ queued
CodeQL	⏳ in_progress
Docker Build & Push	⏳ in_progress
Dependency Review	⏳ in_progress
Gitleaks	⏳ queued

No required platform packaging or test checks are green at current HEAD. Desktop Packaging (the primary validation gate for this PR) is queued and has not produced a result.

---

Merge status and mergeability

Not mergeable. Required checks are pending/queued. Per DoD.md § 4.5 and the review bar above, the Desktop Packaging workflow must complete successfully on all three platforms before merge can be approved.

---

Branch hygiene assessment

The branch has 112 commits including 9+ Merge branch 'main' into feat/Desktop-app commits and multiple self-merge commits from the contributor's fork. History is noisy. The final diff vs main is coherent and scope-appropriate. Non-desktop changes are all causally motivated (see Lane E and F). Branch hygiene is acceptable for a squash merge on landing, but a linear history would be cleaner.

---

Understanding of the change

gitnexus-desktop/ is a new Electron shell that:

1. Spawns the gitnexus server as a child process (node dist/cli/index.js serve --host localhost)
2. Serves the pre-built gitnexus-web assets via a local HTTP file server (random port, 127.0.0.1-bound)
3. Opens a BrowserWindow (shell renderer with custom title bar) + BrowserView embedding the web UI
4. On Windows, uses a bundled node.exe (copied from the CI Node binary by after-pack.mjs) to avoid the PE-import issue with lbugjs.node; on POSIX, uses ELECTRON_RUN_AS_NODE=1 on Electron's binary

Non-desktop changes that are causally required:

• gitnexus/src/server/api.ts: adds shouldEnableMcpHttp() / GITNEXUS_DISABLE_MCP_HTTP=1 gate to avoid MCP SDK module-resolution conflicts in Electron's ELECTRON_RUN_AS_NODE mode
• gitnexus/src/server/validation.ts: restores IPv6 /56 subnet normalization comment and correct 'unknown' fallback bucket in rate-limiter
• gitnexus-web/src/components/*: removes stale scrollbar-thin className references; scrollbar styling moved to global *::-webkit-scrollbar rules in index.css (required for consistent rendering in Electron's Chromium)
• gitnexus/package-lock.json: lockfile update from the express-rate-limit and validation changes

---

Resolved since prior review cycles

All blocking items from the previous five automated review cycles are confirmed fixed at current HEAD:

Previous finding	Current state
Wrong renderer path ../renderer/src/renderer/index.html	✅ runtime-paths.ts:45: path.join(currentDir, '../renderer/index.html')
Unguarded decodeURIComponent crash	✅ getRequestedPath() in try/catch, returns null on URIError
permissions: {} stripping contents: read	✅ Job-level permissions: contents: read on each job
dialog.showErrorBox() blocking CI smoke tests	✅ Guarded by if (!IS_DESKTOP_SMOKE_TEST)
Native module ABI mismatch	✅ Bundled node.exe for Windows via after-pack.mjs; POSIX uses Electron's Node 22
Smoke test exits 0 on startup failure	✅ exitStartupFailure() calls process.exit(1)
npm.cmd EINVAL on Windows	✅ shell: needsShell in runCommand
Stream error handler missing	✅ .once('error', ...) with response.destroy() in sendStaticResponse
repairGitNexusPackages using npm install --no-package-lock	✅ Now uses npm ci
lsof stale-process detection broken	✅ getPosixCommandLine(pid) via ps -p <pid> -o args=

---

Findings

---

[BLOCKING] CI required checks are not green at current HEAD

Risk: The primary validation gate for this PR (Desktop Packaging) and the general test suite (CI) have not completed at HEAD 09cff2a. All three platform packaging jobs (Windows NSIS, macOS DMG, Linux AppImage), the smoke tests, the full test suite, Gitleaks, and Dependency Review are all either queued or in progress.

Evidence: CI status confirms Desktop Packaging is queued, CI (tests) is queued. Per DoD.md § 4.5, the workflow must pass a triggered run before merge; per the review bar, all CI checks must be green on the current head.

Blocks merge: Yes. This is non-negotiable.

---

[MAJOR] Port 4747 server identity not verified — app may attach to an unrelated process

Risk: If any HTTP server is listening on port 4747 before the desktop app starts and returns any 200 OK response for GET /api/info, the desktop app will treat it as a ready GitNexus backend, skip spawning its own server, and proceed to load the embedded web UI — which will then send all API requests to the unrelated server.

Evidence: main.ts:701:

if (await isAnyHttpUrlReady(GITNEXUS_SERVER_HEALTH_URLS)) {
  return;  // ← Exits without spawning, no identity verification
}

isAnyHttpUrlReady is called with no expectedMarkers. It returns true if any URL in GITNEXUS_SERVER_HEALTH_URLS responds with any non-null text. There is no check that the response body contains a GitNexus-specific marker (e.g., { "name": "gitnexus", ... }).

Why it matters: A developer who has any local web server on port 4747 — or another GitNexus instance started from the CLI — will have the desktop app connect to the wrong backend silently. The embedded web UI will receive incorrect API responses. No error is shown; the app appears to start correctly.

Recommended fix: Check the /api/info response for a GitNexus-specific field (e.g., response.name === 'gitnexus' or similar unique marker) before treating the server as ready. Fix this →

Blocks merge: Yes — the review bar explicitly states "blocks merge: yes if the app can attach to an unrelated process."

---

[MEDIUM] gitnexusDesktopRuntimeDependencyNames hardcoded — staleness detection may miss missing packages

Risk: Dev-mode repair (npm run dev) may not trigger when an unmanaged package (e.g., tree-sitter, pino, onnxruntime-node) is missing, since the staleness check only watches the 17 hardcoded package markers.

Evidence: ensure-gitnexus-runtime.mjs:135-153 — 17 packages hardcoded. unmanagedGitNexusRuntimeDependencyNames at line 154 correctly computes the gap and warns, but the staleness detection at isGitNexusRuntimeInstallStale() only uses the 17 hardcoded markers. Note: when triggered, repairGitNexusPackages runs npm ci (full install), so the installed state is correct. The issue is the trigger condition.

Impact: If tree-sitter grammars are absent but all 17 markers are present and fresh, gitnexus serve will fail with module-not-found errors in dev mode. Packaged builds are unaffected (use full closure from package.mjs:75).

Recommended fix: Derive gitnexusDesktopRuntimeInstallMarkerPaths from Object.keys(gitnexusPackageJson.dependencies ?? {}) to match package.mjs:75. Fix this →

Blocks merge: No — packaged builds unaffected. But will cause confusing dev setup failures.

---

[LOW] BrowserView is deprecated — migration tracked but deferred

Evidence: main.ts:594: new BrowserView(...) with comment // BrowserView is deprecated in Electron; keep this isolated until we migrate to WebContentsView. Electron 41 still supports it.

Blocks merge: No — tracked, migration is a follow-up item.

---

[LOW] No unit test for shouldEnableMcpHttp()

Evidence: api.ts:42-44 — one-liner function, no test in gitnexus/test/. Previous review cycle flagged this. The function gates the entire MCP HTTP subsystem.

Blocks merge: No — low-risk one-liner, but a regression guard is warranted.

---

[INFORMATIONAL] Artifact attestation does not fire on PR events

Evidence: desktop-packaging.yml:175: if: github.event_name != 'pull_request' — correct behavior for fork-PR OIDC restrictions. PR preview artifacts are unattested by design (per maintainer agreement). Attestation will fire on workflow_dispatch, which has not yet been validated end-to-end.

Blocks merge: No — documented design decision.

---

PR-specific assessment sections

Lane A — Desktop runtime & process lifecycle ⚠️

• Renderer path: getPackagedRendererEntry(__dirname) → path.join(currentDir, '../renderer/index.html') — correct ✅
• Startup failure: exitStartupFailure() calls process.exit(1); showStartupError skips dialog in smoke test mode ✅
• Process lifecycle: before-quit and window-all-closed handlers call all stop functions; macOS activate handler calls ensureGitNexusServerStarted() before createWindow() ✅
• Port collision: isAddressInUseError detects EADDRINUSE and shows actionable dialog ✅
• Server identity: ❌ Not verified — see MAJOR finding above

Lane B — Electron security boundary ✅

• BrowserWindow: contextIsolation: true, nodeIntegration: false ✅
• BrowserView (embedded web UI): additionally sandbox: true ✅
• preload.ts:26: contextBridge.exposeInMainWorld('gitnexusDesktop', {...}) — narrow surface, no raw ipcRenderer, no process/filesystem exposed ✅
• IPC DESKTOP_WINDOW_ACTION_CHANNEL handler uses switch/default: throw — invalid actions throw ✅
• isAllowedExternalUrl: permits only http:, https:, mailto: ✅
• setWindowOpenHandler and will-navigate block cross-origin navigation ✅
• GITNEXUS_DISABLE_MCP_HTTP=1 injected in packaged mode; dynamic import prevents eager loading ✅
• Packaged web server binds to 127.0.0.1 only, not 0.0.0.0 ✅

Lane C — Packaging & native modules ✅ (macOS/Linux; Windows pending CI)

• after-pack.mjs: copies CI's process.execPath as resources/runtime/node.exe for Windows — correct ABI (both compiled under Node 22) ✅
• main.ts:247-252: getNodeCommand() prefers bundled node.exe on Windows if present, falls back to process.execPath + ELECTRON_RUN_AS_NODE=1 on POSIX ✅
• npmRebuild: false is intentional — ABI handled by bundled node strategy ✅
• syncPackagedRuntimeResources() trims node_modules to runtime closure after electron-builder runs ✅
• gitnexusRuntimeDependencyNames = Object.keys(gitnexusPackageJson.dependencies ?? {}) in package.mjs:75 — dynamic, correct ✅
• macOS quarantine: smoke-unpacked.mjs:114: xattr -cr called in prepareExecutableForSmokeTest ✅
• Windows smoke test outcome at current HEAD unknown (Desktop Packaging queued) ⏳

Lane D — CI/workflow & supply chain ✅ (structure; results pending)

• permissions: {} at workflow level; job-level contents: read, id-token: write, attestations: write on package jobs ✅
• All Actions pinned to full commit SHAs ✅
• persist-credentials: false on all checkouts ✅
• cancel-in-progress: ${{ github.event_name == 'pull_request' }} — event-aware ✅
• fail-fast: false — all three platforms test even when one fails ✅
• if-no-files-found: error on artifact upload ✅
• Path triggers now include gitnexus/**, gitnexus-web/**, gitnexus-shared/** — correct given the non-desktop changes ✅
• Workflow Lint passes ✅
• Desktop Packaging results: not yet available ⏳

Lane E — Server/API compatibility ✅

• shouldEnableMcpHttp() returns process.env.GITNEXUS_DISABLE_MCP_HTTP !== '1' — defaults to true (enabled), preserving existing behavior for non-desktop users ✅
• mountMCPEndpoints is a dynamic await import('./mcp-http.js') inside the gate — no import-time side effects when disabled ✅
• validation.ts rate-limiter: IPv6 /56 normalization comment restored; 'unknown' sentinel for IP-less requests restored (corrects the prior regression) ✅
• gitnexus/ tests: in CI queue; previous runs all passed ✅

Lane F — Web UI compatibility ✅

• gitnexus-web/src/components/*.tsx: 8 scrollbar-thin className references removed from 5 components; global *::-webkit-scrollbar rules in index.css handle styling consistently in Chromium/Electron ✅
• index.css: +20/-13 adds animation keyframes and reduced-motion query; no layout regression risk ✅
• Changes are causal (Electron renderer requires native CSS scrollbar rules) ✅
• E2E validation: web UI tests queued in CI, not yet confirmed ⏳

Lane G — Docs & agent-rule changes ✅

• CLAUDE.md: markdown formatting fixed ✅
• AGENTS.md: updated with desktop package references ✅
• gitnexus-desktop/README.md: documents dev/build/verification commands correctly ✅
• .gitignore: adds artifact directories only, no source files hidden ✅

Lane H — Branch hygiene

• 112 commits, 9+ merge-from-main commits, several self-merges from contributor fork — noisy history
• Final diff vs main is coherent and scope-appropriate
• All non-desktop changes causally motivated
• Squash merge on landing recommended to clean history
• Not a blocking concern in itself, but the noise makes per-commit attribution difficult

---

Hidden Unicode / hygiene scan

Review of main.ts, preload.ts, runtime-paths.ts, package.mjs, ensure-gitnexus-runtime.mjs, after-pack.mjs, smoke-unpacked.mjs, and desktop-packaging.yml shows only standard ASCII characters in logic, regex, and security-critical sections. No bidi controls, zero-width joiners, or BOM markers detected in the files examined. Clean.

---

Non-negotiables check

Check	Result
No secrets or tokens	✅ None found
No machine-specific paths	✅ All via process.resourcesPath, __dirname, path.resolve
No blind renames in gitnexus/, gitnexus-web/, gitnexus-shared/	✅
License preserved	✅ PolyForm-Noncommercial-1.0.0 in gitnexus-desktop/package.json
PR title conventional commit format	✅ feat(desktop): add cross-platform Electron shell
Non-desktop changes causally required	✅ All motivated by desktop runtime requirements

---

What I could not fully verify

1. Desktop Packaging CI results at current HEAD — Desktop Packaging is queued; Windows smoke test outcome is unknown. The previous run (May 2026) showed the bundled node.exe approach was architecturally sound, but current HEAD results are unconfirmed.
2. Gitleaks scan — queued; no secret scan result available at this HEAD.
3. Dependency Review — in progress; new packages in gitnexus-desktop/package-lock.json are not yet reviewed.
4. /api/info response schema — whether it currently returns a unique GitNexus identifier field that could be used for identity verification (needed for the MAJOR finding fix).

---

Final verdict

not production-ready

Two blockers stand:

1. CI checks are pending. Desktop Packaging (the primary functional gate), the test suite, Gitleaks, and Dependency Review are all queued or in progress at HEAD 09cff2a. The review bar requires all required checks to be green before merge. No platform packaging result exists for this head.

2. Port 4747 server identity is not verified. ensureGitNexusServerStarted() treats any HTTP server returning a 200 on port 4747 at /api/info as the ready GitNexus backend (main.ts:701). An unrelated server on that port causes the desktop app to silently proceed and load the web UI against the wrong backend. The review bar explicitly blocks on this scenario. The fix is a one-line addition of a GitNexus-specific response marker check to GITNEXUS_SERVER_HEALTH_URLS readiness probes.

All previous blocking items from the five prior review cycles are confirmed fixed. Once CI completes successfully on all platforms and the server identity check is added, this PR is otherwise close to mergeable. The hardcoded dependency list in ensure-gitnexus-runtime.mjs and missing shouldEnableMcpHttp() unit test can be addressed as follow-ups.
· PR branch

[magyargergo]

Now, users are able to define --port for the server, therefore it would be nice when starting up the electron app it would check for an available port and start there and the UI would connect to that port.

[prajapatisparsh]

@prajapatisparsh To let you know, I haven't forgotten about your PR, I'm planning to include it in the next bigger version v1.7.0

Thanks good to know ☺️

[prajapatisparsh]

@prajapatisparsh in the meantime, can you please create official installer support? 🙏

sure ill start my work on this any reference u wanna give ?

[prajapatisparsh]

Now, users are able to define --port for the server, therefore it would be nice when starting up the electron app it would check for an available port and start there and the UI would connect to that port.

okay ill look into it

[magyargergo]

This may affect this work - #1748

[magyargergo]

@prajapatisparsh in the meantime, can you please create official installer support? 🙏

sure ill start my work on this any reference u wanna give ?

We need to run some investigations. I'd love to see this electron app available on offical stores like, microsoft, apple, ubuntu (any other distro) etc...

[prajapatisparsh]

This may affect this work - #1748

thanks for a heads up

[prajapatisparsh]

Hey @magyargergo a couple of clarifications before I start on the installer support:

1. For store accounts do I need to create my own (Microsoft/Apple dev accounts) or will it go under Abhigyans name ?
2. What exactly do you mean by "official installer support" build config changes (MSIX/Snap targets), documentation for publishing, the actual store submission process, or all of it ?

[magyargergo]

1. @abhigyanpatwari can you please create an account under AkonLabs?
2. We need to make sure what we supply/release to the community must be 100% from us!

[abhigyanpatwari]

@magyargergo sure I will do that. Also great work @prajapatisparsh, thanks for the contribution!

[prajapatisparsh]

@magyargergo sure I will do that. Also great work @prajapatisparsh, thanks for the contribution!

its not much but welcome

[prajapatisparsh]

@magyargergo so what should i do next ?