Documents and verifies the web UI against all 10 acceptance criteria
from issue #28, plus one visual bug surfaced during the pass and
fixed in the same PR.

Bug fix:
* `.main-content` grid column was overflowing the viewport on the
  right whenever a bubble contained an unbreakable child (long code
  block, long URL, long tool-call output). Header + title rendered
  fine because they live outside the grid. Cause: grid items default
  to `min-width: auto`, which refuses to shrink below intrinsic
  min-content. Fix: add `.main-content { min-width: 0 }` so the
  existing `overflow-x: auto` on `.prose pre` and
  `word-break: break-all` on `.tool-call-content` can take over inside
  the bubble.

QA artifacts:
* `tests/web-ui-qa-checklist.md` — 9 sections covering: environment,
  server launch, 5 major views (home, workspace, conversation, search,
  config), exports, cross-browser parity, regression notes, sign-off.
  Every check that could be answered backend-side is filled in with
  the actual probe / inspection result.

* `tests/web-ui-smoke.sh` — boots app.py on an alt port and probes
  11 routes (page routes + JSON API + workspace-scoped routes).
  Exits non-zero on any unexpected status.

* `samples/qa/*.png` — 10 screenshots, Chrome + Firefox for home,
  workspace detail, conversation view, search results, and config.

Verification highlights:
  - 11/11 smoke probes pass
  - All 5 export formats download from both Chrome and Firefox
  - .md / .html / .json / .csv are byte-identical across browsers
    (proves the JS pipeline in static/js/download.js is portable)
  - PDF is a valid 153-page document (Chrome + Firefox both produce
    valid 153-page PDFs; bytes differ because the server embeds a
    fresh /CreationDate on each /api/generate-pdf call)
  - Backend data shape verified: a sampled conversation tab carries
    387 bubbles, including toolCalls (name="glob_file_search",
    status="completed") and thinking blocks (durationMs=3569)

Two CodeRabbit follow-ups on PR #34:

* tests/web-ui-qa-checklist.md: the fenced block describing the
  /api/generate-pdf probe was missing a language hint and tripped
  markdownlint MD040. Tagged as `text`.

* tests/web-ui-smoke.sh: every curl call now goes through
  CURL_FLAGS=(--silent --show-error --connect-timeout 2 --max-time 5)
  so a stalled socket can't hang the script indefinitely. The boot-wait
  loop also redirects stderr to /dev/null because connection-refused
  during the polling phase is expected; if the wait times out, the
  final fall-through check re-runs with stderr visible so the failure
  reason is preserved.

Verified: bash tests/web-ui-smoke.sh — 11/11 pass, no noise on stdout.

The WS_ID extraction was suppressing python3's stderr with `2>/dev/null`
and treating a missing parse result the same as "no non-global workspace
exists". So /api/workspaces returning 200 with malformed JSON would
silently skip the three workspace-scoped probes and the script would
still exit 0 — a false green.

Wrapped the parse in `if ... ; then ... else fail=$((fail+1)); fi` so
python3's non-zero exit (raised by json.load on bad input) routes
through the FAIL printf, the workspace block is skipped explicitly,
and the script exits non-zero with the rest of the failures.

Happy path: 11/11 probes still pass.

Five PR #34 review findings closed in one commit. All polish; no
behaviour change on the happy path.

Checklist (tests/web-ui-qa-checklist.md):
* §6 export-frontmatter table was citing the CLI export schema
  (log_id / workspace / created_at / updated_at). The web UI pipeline
  in static/js/download.js actually emits title / created /
  conversation_id (plus optional models_used / token / cost). Fixed,
  with an inline NOTE so a future reader doesn't swap them back.
* §7 cross-browser-parity table was unfinished AND tested phantom
  features (per-bubble copy button + arrow-key sidebar nav don't
  exist in the codebase). Replaced with the four checks that target
  features actually shipped today; phantom rows documented as
  enhancement ideas.
* §8 post-fix screenshot row was an unticked TODO even though the
  workspace + conversation screenshots in samples/qa/ were captured
  after the .main-content fix landed. Flipped to [x] with explicit
  evidence pointer.
* §9 sign-off table was empty rows. Filled in with this PR's state
  (4 of 5 rows resolved; reviewer-approval row stays pending).
* Added a verification-method legend at the top so a reviewer can tell
  visual vs probe vs code-inferred vs deferred (⏳) ticks apart. The
  default is "visual"; deviations carry an explicit tag.

Smoke script (tests/web-ui-smoke.sh):
* Page-route probes now sniff the body for the expected `<title>`
  string in addition to the 200 status, so an "empty 200" template
  regression can no longer slip through.
* Workspace-scoped probes no longer skip silently when /api/workspaces
  returns no non-global rows — the message is now a loud [WARN] block
  in the output, and the new env var CLAW_QA_REQUIRE_WORKSPACE=1
  converts the skip into a hard failure for CI runs that seed fixture
  data. Documented in the script header.

Verified: bash tests/web-ui-smoke.sh — 11/11 pass with body sniff;
negative test (fake needle) correctly exits 1 with the missing-needle
message; empty-workspace test with CLAW_QA_REQUIRE_WORKSPACE=1 exits 1
as expected.

Brad's review on PR #34 flagged that .sidebar-item-title already
truncates with overflow: hidden + text-overflow: ellipsis +
white-space: nowrap, but the .sidebar-item-time row beneath it had
no overflow handling. A long model badge or localised timestamp
would overflow the fixed 280px .sidebar column horizontally.

Mirrored the title row's three properties on .sidebar-item-time so
the truncation is symmetric. Invisible on current data (timestamps +
model names fit today) — forward-looking guard against a future
sidebar-child addition.

§8 of tests/web-ui-qa-checklist.md updated to list both this and the
.main-content overflow fix as regression notes for PR #34.