feat: opt-in transcript auto-delete with retention window

[arfrank]

What

Adds a privacy-focused, opt-in transcript retention feature to Ghost Pepper:

• A global retention window in Settings → Privacy (Never / 7 / 14 / 30 / 60 / 90 / 180 / 365 days).
• A per-meeting "auto-delete" checkbox on the meeting window (shows only when retention is set). Stored as auto_delete: true in the markdown file's YAML frontmatter.
• A scope picker: Flagged meetings only (default) or All meetings. In flagged mode only meetings the user has opted in get swept; in global mode every meeting older than the window gets swept.
• A background sweeper that runs at launch, every 6h thereafter, and immediately when any related setting changes. It strips only the ## Transcript section — notes, summary, and trailing sections (e.g. Granola ## Chapters) are preserved. A parseable marker <!-- ghost-pepper-transcript-expired: YYYY-MM-DD --> is stamped so the operation is idempotent.
• The meeting window shows a "Transcript auto-deleted" banner in place of the transcript section for expired files.

Why opt-in by default

An always-on global auto-delete is an easy footgun — users with important meetings could lose them silently. The opt-in flag forces an explicit choice per meeting. The global scope toggle is available for users who know they want it that way.

Privacy — honest about the caveat

This is not secure erasure. String.write(atomically:) does an atomic rename-replace, so the previous file's blocks linger in APFS free space until reused, and Time Machine snapshots may retain earlier versions. FileVault encrypts these blocks at rest but does not prevent recovery once the disk is unlocked.

The UI copy, the sweeper doc comment, and PRIVACY_AUDIT.md all say this explicitly. An earlier draft claimed FileVault provided secure erasure; that claim has been removed.

How it was built

• TDD: failing XCTest cases written first, then implementation.
• Two rounds of Codex review, findings addressed before merging:
  • Round 1 (6 findings): open-tab/sweep race (a swept file could be resurrected by a stale in-memory tab), markdown-header fragility (trailing whitespace on ## Transcript), false privacy claim, silent directory-scan failures, sticky expired flag in renderer, DateFormatter thread-safety.
  • Round 2 (3 findings after opt-in + scope toggle): saveActiveTab still bypassed the new on-disk guard, per-folder scan failures were still swallowed, scope-picker description copy could leak stale state when retention was set to Never.

Files

New

• `GhostPepper/Meeting/TranscriptExpirySweeper.swift` — the sweeper (227 lines).
• `GhostPepperTests/TranscriptExpirySweeperTests.swift` — 21 tests (age boundary, CRLF, BOM, trailing-whitespace headers, flagged-only vs global, silent-scan vs surfaced-scan, nested sections, idempotency, never-setting).
• `GhostPepperTests/MeetingMarkdownWriterTests.swift` — 12 tests (frontmatter round-trip, marker parse/emit, race-guard on `write`, segment preservation when the expired flag is spuriously set).

Modified

• `GhostPepper/Meeting/MeetingMarkdownWriter.swift` — frontmatter emit/parse, expiry marker helpers, pre-write on-disk marker guard.
• `GhostPepper/Meeting/MeetingTranscript.swift` — `transcriptExpiredDate` + `autoDeleteFlagged` properties.
• `GhostPepper/AppState.swift` — `runTranscriptExpirySweep()` + 6-hour timer + two new `@AppStorage` settings.
• `GhostPepper/UI/SettingsWindow.swift` — Privacy card with retention picker, scope picker, honest caveat copy.
• `GhostPepper/UI/MeetingTranscriptWindow.swift` — expired banner, per-meeting auto-delete checkbox, route `saveActiveTab` through the guarded write path.
• `PRIVACY_AUDIT.md` — row 8 added with accurate caveats.

Tests

33 new unit tests, all green. Full app build clean. Touching `@MainActor` on AppState; sweep I/O runs on a detached Task and hops back to main for logging.

```
Executed 33 tests, with 0 failures in 0.07 seconds
** BUILD SUCCEEDED **
```

Test plan

• Unit tests pass (see above)
• Manual: set retention → flag a meeting → wait/toggle → transcript strips, banner appears
• Manual: unset retention ("Never") → per-meeting checkbox disappears; Settings description reads "No transcripts are auto-deleted"
• Manual: switch to global mode → per-meeting checkbox disappears; all old meetings strip on next sweep
• Manual: open a meeting in a tab, change retention so it qualifies, then edit notes — verify the file retains its expiry (no resurrection bug)
• Signed/notarized release build via `./scripts/build-dmg.sh` (requires Developer ID cert)

🤖 Generated with Claude Code