feat(desktop): bump Electron ^33.2.1 → ^39.8.8 (CVE patches)

Covers 4 dependabot high-severity alerts (all Electron itself):
- CVE-2026-34769 commandLineSwitches injection (patched 38.8.6)
- CVE-2026-34770 PowerMonitor UAF (patched 38.8.6)
- CVE-2026-34771 WebContents permission callback UAF (patched 38.8.6)
- CVE-2026-34774 offscreen child window paint UAF (patched 39.8.1)

done-verify.ts: console-message listener now handles both positional
(Electron <35) and Event-object (35+) signatures. Without this the
Electron 35+ runtime would silently pass an Event object in place of
'level' and the whole pre-handoff verify pipeline would stop catching
browser console errors.

better-sqlite3 12.9.0 postinstall auto-fetches the Electron 39 ABI
prebuild; PR-A blocker from 980a217 resolved.

Validated: typecheck/lint/test all green (389 tests, 10 packages);
electron-builder --dir on darwin-arm64 produces a bootable .app.
Stays within CLAUDE.md constraint: does NOT use Electron 41.x.

Author: hqhq1025

apps/desktop/package.json

@@ -45,7 +45,7 @@
     "@types/react-dom": "^19.0.0",
     "@vitejs/plugin-react": "^4.3.4",
     "autoprefixer": "^10.4.20",
-    "electron": "^33.2.1",
+    "electron": "^39.8.8",
     "electron-builder": "^26.8.1",
     "electron-builder-squirrel-windows": "26.8.1",
     "electron-vite": "^2.3.0",

apps/desktop/src/main/done-verify.ts

@@ -55,16 +55,31 @@ export function makeRuntimeVerifier(): DoneRuntimeVerifier {
     type ConsoleMessageEvent = {
       level: 'verbose' | 'info' | 'warning' | 'error' | number;
       message: string;
+      // Electron < 35 emits `line` (positional), 35+ emits an Event object
+      // with `lineNumber`. Accept both so the listener survives the signature
+      // change without a runtime branch at every call site.
       line?: number;
+      lineNumber?: number;
       sourceId?: string;
     };
 
-    const onConsole = (
-      _event: unknown,
-      level: ConsoleMessageEvent['level'],
-      message: string,
-      line?: number,
-    ) => {
+    const onConsole = (...args: unknown[]) => {
+      // Electron 35+ emits a single Event-like object; older majors emit
+      // positional (event, level, message, line, sourceId). Detect by
+      // arity — a single object argument means the new shape.
+      let level: ConsoleMessageEvent['level'];
+      let message: string;
+      let line: number | undefined;
+      if (args.length === 1 && typeof args[0] === 'object' && args[0] !== null) {
+        const e = args[0] as ConsoleMessageEvent;
+        level = e.level;
+        message = e.message;
+        line = e.lineNumber ?? e.line;
+      } else {
+        level = args[1] as ConsoleMessageEvent['level'];
+        message = args[2] as string;
+        line = args[3] as number | undefined;
+      }
       // Electron <26 emits a numeric level (0-3); newer builds emit a string.
       const isError = level === 'error' || level === 3;
       const isWarning = level === 'warning' || level === 2;