Do not autofocus Allow in the Desktop permission gate

[DeliciousBuding]

Summary

PermissionDialog automatically focuses the Allow button whenever a pending permission request is rendered. In a permission gate, the default focused action should not be the dangerous/privilege-granting action: a stray Enter/Space key press can approve a file write, command, network call, or remote-control action without an intentional click.

Evidence

• app/desktop/src/components/PermissionDialog.tsx creates allowRef for the Allow button.
• The pending-item effect calls allowRef.current?.focus() as soon as the request is pending.
• The Allow button calls onDecide(request.requestId, 'allow').
• The component also has a 60-second auto-deny timeout, which means the safer default already exists; focus should not move to the allow action.

Relevant path:

• app/desktop/src/components/PermissionDialog.tsx

Impact

• Keyboard users can accidentally approve high-risk actions by pressing Enter/Space after the dialog appears.
• Remote-triggered runs and local command/file approvals become easier to misapprove.
• The UI trains the safest path as timeout/deny, but focus behavior makes Allow the implicit primary action.

Suggested fix

• Do not autofocus Allow.
• Either focus a neutral dialog container/title, focus Deny, or leave focus where it was and require an explicit click/keyboard navigation to Allow.
• Consider ordering/visual hierarchy so Deny/Cancel is the default keyboard-safe action and Allow requires deliberate selection.

Acceptance criteria

• A newly displayed permission request does not focus the Allow button.
• Pressing Enter immediately after a permission request appears does not approve it.
• Add a component test that renders a pending permission request and asserts the active element is not the Allow button.
• Existing manual allow/deny buttons still work after keyboard navigation or explicit click.