feat(security): per-window capabilities, overlay locked down

Removed `core:window:allow-set-opacity` from the default capability —
that permission identifier doesn't exist in Tauri 2.11.x. Window
opacity is exposed only on the Rust side; the JS layer routes through
our custom `set_window_opacity` command (added in Task 16).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src-tauri/capabilities/default.json

@@ -1,10 +1,19 @@
 {
   "$schema": "../gen/schemas/desktop-schema.json",
   "identifier": "default",
-  "description": "Capability for the main window",
+  "description": "Capability for the main control window",
   "windows": ["main"],
   "permissions": [
     "core:default",
-    "opener:default"
+    "core:webview:allow-create-webview-window",
+    "core:window:allow-set-always-on-top",
+    "core:window:allow-set-ignore-cursor-events",
+    "core:window:allow-close",
+    "core:window:allow-current-monitor",
+    "opener:default",
+    "store:default",
+    "global-shortcut:allow-register",
+    "global-shortcut:allow-unregister",
+    "global-shortcut:allow-is-registered"
   ]
 }

src-tauri/capabilities/overlay.json

@@ -0,0 +1,7 @@
+{
+  "$schema": "../gen/schemas/desktop-schema.json",
+  "identifier": "overlay",
+  "description": "Locked-down capability for the overlay window — pages loaded here cannot call Tauri APIs",
+  "windows": ["overlay"],
+  "permissions": []
+}