feat: add local analysis orchestration

[seonghobae]

Summary

• add typed analysis job request and status contracts across shared types, the desktop shell, Tauri commands, and the Python engine CLI
• expose a narrow allowlisted Tauri IPC boundary for starting and polling local analysis jobs without opening a loopback HTTP listener
• harden the orchestration boundary with runtime engine discovery, strict schema validation, localized UI states, in-flight limiting, timeout handling, and pinned SBOM tooling

Verification

• ./scripts/harness/quickcheck.sh
• cargo check --manifest-path apps/desktop/src-tauri/Cargo.toml

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 8c908b58-b9dd-4e47-83c2-a3608957d917

📥 Commits

Reviewing files that changed from the base of the PR and between c28e363 and f708c01.

⛔ Files ignored due to path filters (6)

• apps/desktop/src-tauri/Cargo.lock is excluded by !**/*.lock
• apps/desktop/src-tauri/gen/schemas/acl-manifests.json is excluded by !**/gen/**
• apps/desktop/src-tauri/gen/schemas/capabilities.json is excluded by !**/gen/**
• apps/desktop/src-tauri/gen/schemas/desktop-schema.json is excluded by !**/gen/**
• apps/desktop/src-tauri/gen/schemas/macOS-schema.json is excluded by !**/gen/**
• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (26)

• .github/workflows/sbom.yml
• ARCHITECTURE.md
• apps/desktop/package.json
• apps/desktop/src-tauri/Cargo.toml
• apps/desktop/src-tauri/build.rs
• apps/desktop/src-tauri/capabilities/main.json
• apps/desktop/src-tauri/permissions/autogenerated/get_analysis_job_status.toml
• apps/desktop/src-tauri/permissions/autogenerated/start_analysis_job.toml
• apps/desktop/src-tauri/src/main.rs
• apps/desktop/src-tauri/tauri.conf.json
• apps/desktop/src/App.test.tsx
• apps/desktop/src/App.tsx
• apps/desktop/src/i18n/index.ts
• apps/desktop/src/lib/analysis.ts
• apps/desktop/src/locales/en/common.json
• apps/desktop/src/locales/ko/common.json
• docs/architecture/overview.md
• docs/plans/2026-03-12-issue-32-analysis-orchestration-design.md
• docs/plans/2026-03-12-issue-32-analysis-orchestration.md
• docs/security/app-security.md
• packages/shared-types/src/index.ts
• packages/shared-types/test/index.test.ts
• services/analysis-engine/src/bandscope_analysis/api.py
• services/analysis-engine/src/bandscope_analysis/cli.py
• services/analysis-engine/tests/test_api.py
• services/analysis-engine/tests/test_cli.py

Cache: Disabled due to Reviews > Disable Cache setting

Disabled knowledge base sources:

• Linear integration is disabled

You can enable these sources in your CodeRabbit configuration.

---

📝 Walkthrough

Summary by CodeRabbit

• 새로운 기능
  • 분석 작업 오케스트레이션 추가: 분석 시작 및 상태 조회 명령과 데스크탑 UI(시작 버튼, 진행 표시, 결과 렌더링, 폴링).
  • 브라우저 폴백 시뮬레이션으로 Tauri 미설치 환경에서도 동작 가능.
• 현지화
  • 한국어 문자열(분석 시작, 대기/실행/완료/실패 등) 추가
• 문서
  • 분석 오케스트레이션 설계 및 보안 가이드 문서화
• 테스트
  • 분석 플로우 검증을 위한 광범위한 단위·통합·엔드투엔드 스타일 테스트 추가

Walkthrough

데스크톱 앱에 로컬 분석 오케스트레이션을 추가: React → Tauri IPC 명령(start_analysis_job, get_analysis_job_status)을 통해 Rust가 메모리 기반 작업 큐와 워커를 관리하고, Python 서브프로세스(stdin/stdout)로 분석 엔진을 실행하며 타입·테스트·문서·UI·SBOM 워크플로우를 함께 추가/수정함.

Changes

Cohort / File(s)	Summary
CI: SBOM 워크플로우 \.github/workflows/sbom.yml	Syft 바이너리 설치 스텝 추가 및 sbom-action 제거, Syft로 CycloneDX JSON(bandscope-sbom.cdx.json) 생성 후 기존 업로드 단계 유지.
Tauri 설정·권한 apps/desktop/src-tauri/build.rs, apps/desktop/src-tauri/tauri.conf.json, apps/desktop/src-tauri/capabilities/main.json, apps/desktop/src-tauri/permissions/autogenerated/*	start/get 명령용 매니페스트·capabilities·권한 파일 추가 및 build 호출을 try_build로 변경.
데스크톱 의존성 apps/desktop/package.json, apps/desktop/src-tauri/Cargo.toml	프론트엔드/백엔드 의존성 추가: @tauri-apps/api, serde, serde_json, time.
Tauri 백엔드 구현 apps/desktop/src-tauri/src/main.rs	인-프로세스 비동기 작업 큐, 고정 동시 실행 제한, 워커 모델, Python 서브프로세스 실행(stdin/stdout), start_analysis_job/get_analysis_job_status 명령 구현(상태 추적·타임스탬프·에러 모델 포함).
프론트엔드: 브리지·폴백·UI·테스트 apps/desktop/src/lib/analysis.ts, apps/desktop/src/App.tsx, apps/desktop/src/App.test.tsx	Tauri 브리지 감지와 브라우저 폴백 구현, createDefaultAnalysisRequest/startAnalysisJob/getAnalysisJobStatus API 추가, UI 폴링·렌더링 로직 도입 및 광범위한 모의 테스트로 교체.
공유 타입·검증·테스트 packages/shared-types/src/index.ts, packages/shared-types/test/index.test.ts	AnalysisJob 관련 타입(요청/상태/에러/스냅샷) 및 엄격한 유효성 검사·생성 유틸 추가, 관련 단위 테스트 확장.
분석 엔진: API·CLI·테스트 services/analysis-engine/src/bandscope_analysis/api.py, .../cli.py, services/analysis-engine/tests/*	TypedDict 기반 API(요청/상태/에러 등), validate/run 함수 및 stdin/stdout 기반 CLI 엔트리포인트 추가, 단위·통합 테스트 포함.
로케일·i18n apps/desktop/src/locales/*/common.json, apps/desktop/src/i18n/index.ts	분석 상태/메시지 6개 로케일 키 추가 및 TranslationKey 타입 공개/적용.
문서 ARCHITECTURE.md, docs/architecture/overview.md, docs/security/app-security.md, docs/plans/2026-03-12-issue-32-*	분석 오케스트레이션 설계·계획·보안 고려사항 문서 추가 및 업데이트.

Sequence Diagram(s)

sequenceDiagram
    participant React as React UI
    participant Tauri as Tauri (Rust)
    participant Queue as In‑memory Queue
    participant Worker as Worker Task
    participant Python as Python Subprocess

    React->>Tauri: start_analysis_job(request)
    Tauri->>Tauri: validate request
    Tauri->>Queue: enqueue job (jobId)
    Tauri-->>React: return queued status

    Worker->>Python: spawn subprocess (stdin: request)
    Python->>Python: run_analysis_job()
    Python-->>Worker: stdout -> AnalysisJobStatus
    Worker->>Queue: update job status

    React->>Tauri: get_analysis_job_status(jobId)
    Tauri->>Queue: lookup status
    Tauri-->>React: return current AnalysisJobStatus

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• chore: promote bootstrap baseline to main #5 — 동일한 데스크톱/Tauri 스캐폴딩 및 SBOM 워크플로우(Anchore→Syft 전환)와 직접 연관.
• chore: bootstrap setup baseline #1 — 초기 데스크톱/Tauri 및 SBOM 도입 PR로 파일·설정 충돌 가능성 높음.

시

🐰 오늘도 키보드 위를 뛰어다닌다,
Rust로 길을 닦고 Python엔 당근을 건네며,
큐는 차곡히 쌓이고 작업은 스르륵 달려가네.
React는 묻고 폴링해 소식 전하고, 타입은 안전히 수호하네.
로컬 오케스트라는 조용히 노래한다. 🎵

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/issue-32-analysis-orchestration-v4

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[seonghobae]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[seonghobae]

Superseded by #49 to clear the final stale CodeRabbit failure state after all required checks passed and no actionable review remained.

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.