
Add Dream Server desktop dev source #1128

Draft
gabsprogrammer wants to merge 6 commits into Light-Heart-Labs:main from gabsprogrammer:gabs/electron-desktop-dev

Conversation

@gabsprogrammer
Contributor

No description provided.

Collaborator

@Lightheartdevs Lightheartdevs left a comment


Thanks for sending this. I'm requesting changes rather than approving because this is a 1.3M-line source/vendor import with licensing and dependency issues that need an explicit maintainer decision before it lands in the Apache-2.0 DreamServer repo.

Blocking findings:

  1. AGPL-licensed vendor source is bundled but not disclosed in the notices. The PR adds resources/dev/dream-server-desktop/vendor/aperant-upstream/LICENSE, which is AGPL-3.0 (LICENSE:1-12). The desktop package config includes vendor/**/* in packaged builds (resources/dev/dream-server-desktop/package.json:38-47), but THIRD_PARTY_NOTICES.md only calls out Hermes Agent, Ghostty shaders, and JetBrains Mono (THIRD_PARTY_NOTICES.md:3-26). This needs legal/maintainer approval and complete third-party notices before merge. In an Apache-2.0 repo, silently adding an AGPL vendor tree is not a routine dev-source change.

  2. The PR is mostly unreviewable vendor/source bulk. It adds 3,808 files / 1,325,309 lines, including 3,710 files / 1,268,580 lines under resources/dev/dream-server-desktop/vendor. The PR body is empty, so there are no upstream SHAs, provenance notes, reason for vendoring vs submodule/subtree/artifact repo, or explanation of why websites/docs/tests/assets should live in the main DreamServer repository. This should be split or documented as an intentional repository-architecture decision.

  3. Fresh install reports a critical production dependency vulnerability. After npm ci, npm audit --omit=dev --json reports protobufjs <7.5.5 as critical arbitrary code execution (GHSA-xq3m-2v4x-88gg). The lock currently resolves @grpc/proto-loader@0.8.0 and protobufjs@7.5.4 (package-lock.json:504-512, 4124-4128). Please update the lock/dependency chain before merging a desktop runtime source tree.

  4. Full audit also reports Electron/high dev-distribution vulnerabilities. npm audit --json reports 4 total issues: 1 critical and 3 high, including Electron advisories. Even if Electron is a devDependency, this project uses Electron to produce distributed desktop artifacts, so those advisories need to be resolved or explicitly accepted with rationale.

Validation I ran:

  • git diff --check origin/main...HEAD ?
  • cmd /c npm ci ?, but audit reported vulnerabilities
  • cmd /c npm run test:runtime ?
  • cmd /c npm audit --omit=dev --json ?, 1 critical production vulnerability
  • cmd /c npm audit --json ?, 4 total vulnerabilities

Recommendation: do not merge as-is. If the goal is to preserve desktop dev source in-tree, make this a deliberate maintainer-approved import PR with provenance/SHAs, complete notices, a license decision for AGPL code, and a clean npm audit. If the goal is only to unblock #1127, this should not be coupled to that service PR.
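The review above gates on the output of `npm audit --omit=dev --json`. The following Python script is an added example, not the reviewer's code and not part of the PR or the DreamServer project: it shows how a maintainer could turn that manual check into a CI gate. It flattens the npm audit report (auditReportVersion 2 shape: a `vulnerabilities` map whose entries carry `severity`, `isDirect`, `via`, `effects` and `fixAvailable`), names each advisory together with the dependents it reaches through, and fails on findings at or above a chosen severity unless the advisory has a written, time-limited acceptance, which is the "resolved or explicitly accepted with rationale" outcome the review asks for. The embedded report is constructed to mirror the protobufjs finding cited above; its title, source number and effects list are illustrative, and the acceptance-file format is an assumption of this example.

```python
"""CI gate over `npm audit --json` (auditReportVersion 2) output.

Added example; not code from the PR or the DreamServer project. Assumes the
npm 7+ audit report shape: a "vulnerabilities" map keyed by package name whose
entries carry "severity", "isDirect", "via" (advisory dicts or package-name
strings for transitive findings), "effects", "range" and "fixAvailable".
"""
import json
import sys
from datetime import date

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed sample shaped like `npm audit --omit=dev --json`. The package,
# vulnerable range and advisory id mirror the review's finding; every other
# field value is illustrative rather than copied from a real report.
SAMPLE_REPORT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "protobufjs": {
            "name": "protobufjs",
            "severity": "critical",
            "isDirect": False,
            "via": [{
                "source": 0,  # placeholder advisory number, not from the page
                "name": "protobufjs",
                "title": "constructed title: arbitrary code execution",
                "url": "https://github.com/advisories/GHSA-xq3m-2v4x-88gg",
                "severity": "critical",
                "range": "<7.5.5",
            }],
            "effects": ["@grpc/proto-loader"],
            "range": "<7.5.5",
            "nodes": ["node_modules/protobufjs"],
            "fixAvailable": True,
        },
    },
    "metadata": {"vulnerabilities": {
        "info": 0, "low": 0, "moderate": 0, "high": 0, "critical": 1, "total": 1}},
})


def _advisory_ids(vulns, name, seen=None):
    """Collect GHSA ids for `name`, following string `via` links to the
    transitive package that actually carries the advisory."""
    seen = seen if seen is not None else set()
    if name in seen or name not in vulns:
        return []
    seen.add(name)
    ids = []
    for via in vulns[name].get("via", []):
        if isinstance(via, dict):
            if "url" in via:
                ids.append(via["url"].rstrip("/").rsplit("/", 1)[-1])
        else:
            ids.extend(_advisory_ids(vulns, via, seen))
    return ids


def findings(report_json):
    """Flatten the report into one record per vulnerable package, worst first."""
    vulns = json.loads(report_json).get("vulnerabilities", {})
    records = [{
        "package": name,
        "severity": vuln.get("severity", "info"),
        "direct": bool(vuln.get("isDirect")),
        "advisories": _advisory_ids(vulns, name),
        "effects": list(vuln.get("effects", [])),
        # fixAvailable is True, False or a dict describing the fixing version.
        "fix_available": bool(vuln.get("fixAvailable", False)),
    } for name, vuln in vulns.items()]
    return sorted(records, key=lambda r: -SEVERITY_RANK.get(r["severity"], 0))


def _still_accepted(entry, today):
    """An acceptance counts only with a non-empty rationale and a future expiry."""
    return (bool(entry) and bool(entry.get("rationale", "").strip())
            and date.fromisoformat(entry["expires"]) >= today)


def gate(report_json, fail_at="high", accepted=None, today=None):
    """Return (ok, blocking). `accepted` maps a GHSA id to
    {"expires": "YYYY-MM-DD", "rationale": "..."} (assumed format);
    `today` is an ISO date string, defaulting to the current date."""
    accepted = accepted or {}
    today = date.fromisoformat(today) if today else date.today()
    threshold = SEVERITY_RANK[fail_at]
    blocking = []
    for rec in findings(report_json):
        if SEVERITY_RANK.get(rec["severity"], 0) < threshold:
            continue
        if rec["advisories"] and all(
                _still_accepted(accepted.get(g), today) for g in rec["advisories"]):
            continue  # every advisory behind this finding is explicitly accepted
        blocking.append(rec)
    return (not blocking), blocking


if __name__ == "__main__":
    # Usage: npm audit --omit=dev --json | python3 audit_gate.py
    ok, blocked = gate(sys.stdin.read())
    for rec in blocked:
        print(f"{rec['severity']:>8}  {rec['package']}  {rec['advisories']}  "
              f"reaches={rec['effects']}  fix_available={rec['fix_available']}")
    sys.exit(0 if ok else 1)
```

Piping the audit JSON into the script (the file name `audit_gate.py` is assumed) gives a non-zero exit status whenever a finding blocks, and the `fix_available` column tells the reviewer whether a lock-file update alone would clear it. Keeping acceptances in a reviewed file with an expiry forces the "explicitly accepted with rationale" decision to be revisited rather than silently inherited.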

@gabsprogrammer gabsprogrammer force-pushed the gabs/electron-desktop-dev branch from 90c4d1f to 78e9bde Compare May 3, 2026 04:32
@gabsprogrammer gabsprogrammer marked this pull request as draft May 3, 2026 05:09
@gabsprogrammer gabsprogrammer marked this pull request as ready for review May 9, 2026 16:37
@gabsprogrammer gabsprogrammer marked this pull request as draft May 9, 2026 16:38
