electron-ipc-bridgelisted

# Electron IPC Bridge Skill ## Governing Principle The IPC bridge is the security boundary of the application. A renderer compromise must never become a main process compromise. Every channel is a potential attack surface. Every payload is untrusted input. --- ## Security Rules (Non-Negotiable) ### Context Isolation - `contextIsolation: true` and `nodeIntegration: false` on every `BrowserWindow`. Always. No exceptions for dev builds. - The only surface exposed to the renderer is `contextBridge.exposeInMainWorld()` in `preload.ts`. Nothing else. ### Payload Validation Every `ipcMain.handle` handler must validate its payload before executing. Treat renderer input like HTTP input from an untrusted client. ```typescript ipcMain.handle('history:save', async (_event, payload: unknown) => { if (typeof payload !== 'string' || payload.length > 100_000) { return { success: false, error: 'Invalid payload' } } // proceed }) ``` ### Path Traversal Prevention Any handler that constructs a file path from renderer input must validate the resolved path stays within the intended directory: ```typescript const resolved = path.resolve(baseDir, userInput) if (!resolved.startsWith(baseDir)) { return { success: false, error: 'Path traversal rejected' } } ``` ### Shell Input Sanitization Never interpolate renderer-supplied strings into shell commands, `exec`, or AppleScript without full sanitization. `replace(/"/g, '\\"')` is not sufficient. See `mac-os-integration` skill for th