[codex] Sync Windows app pnpm lockfile

[tianmind-studio]

Summary

• Remove the stale @huggingface/transformers importer entry from desktop/windows/pnpm-lock.yaml.
• Bring the Windows app lockfile back in sync with desktop/windows/package.json without broad dependency resolution changes.

Why

A frozen pnpm install in desktop/windows failed before dependency installation because the lockfile still listed @huggingface/transformers, which is no longer present in package.json.

Before:

[ERR_PNPM_OUTDATED_LOCKFILE] Cannot install with "frozen-lockfile" because pnpm-lock.yaml is not up to date with <ROOT>\package.json
Failure reason:
* 1 dependencies were removed: @huggingface/transformers@^4.2.0

After this change, a full frozen dependency install accepts the lockfile.

Refresh

• Rebased on main at 9ed12aea07.
• Current head: 0fe7edf8ca.

Validation

• npx --yes pnpm@11.6.0 install --frozen-lockfile --ignore-scripts -> passed
• npm run typecheck -> passed
• git diff --check origin/main...HEAD
• C:\Program Files\Git\bin\sh.exe -c 'scripts/pre-commit'

Note: earlier validation used --lockfile-only; this refresh verifies the stronger full frozen install path while still skipping package scripts.

[ThomsenDrake]

ClawSweeper local pilot review

Recommendation: keep open; looks suitable for normal maintainer and CI review.

What it found:

• The Windows package manifest no longer declares @huggingface/transformers, but the Windows pnpm lockfile root importer still does.
• This PR removes only the stale lockfile importer entry, without broader dependency churn.
• No blocking correctness or security finding was found.

Suggested next step: land the narrow lockfile cleanup after normal review.

Posted from a local report-only ClawSweeper pilot by request; no labels, closes, repairs, or merges were performed.