Finding
Electron loads dev URLs from environment variables and exposes the render:start IPC channel through the preload script. Production builds should expose privileged IPC only to trusted app origins.
Evidence
- electron/main.ts loads VITE_DEV_SERVER_URL / render settings URLs.
- electron/render-settings-preload.ts exposes startRender.
- BrowserWindow hardening options are partial and should be reviewed together.
Acceptance criteria
- Validate app/render URLs before loadURL.
- Restrict preload exposure to trusted origins where practical.
- Review sandbox/WebGPU settings and document required exceptions.
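The three acceptance criteria above can be met with a small amount of main-process code. The following is an added example, not the project's own electron/main.ts: it validates the environment-supplied dev URL against an exact-origin allowlist before it ever reaches loadURL, and checks the sending frame's URL before a privileged IPC handler does any work. The allowlist values, the renderer file path and the function names are assumptions; the Electron wiring is shown in comments so the block runs without Electron installed.

```typescript
// Added example (not project code). Assumed values: the dev origins, the
// packaged renderer path and the helper names. VITE_DEV_SERVER_URL and the
// render:start channel are the names from the finding.

// Dev servers that may be loaded, and only in an unpackaged build (constructed).
const TRUSTED_DEV_ORIGINS = new Set(["http://localhost:5173", "http://127.0.0.1:5173"]);

// Renderer entry shipped with the packaged app (assumed path).
const APP_RENDERER_FILE = "/app/dist/index.html";

type UrlDecision = { ok: true; url: string } | { ok: false; reason: string };

// Decide what loadURL may receive. A packaged build never honours an
// environment-supplied URL; a dev build accepts only an exact origin match over
// http(s), so file:, data:, javascript: and look-alike hosts are refused.
function validateAppUrl(raw: string | undefined, isPackaged: boolean): UrlDecision {
  if (isPackaged) {
    return { ok: true, url: `file://${APP_RENDERER_FILE}` };
  }
  if (!raw) {
    return { ok: false, reason: "no dev URL configured" };
  }
  let parsed: URL;
  try {
    parsed = new URL(raw);
  } catch (e) {
    return { ok: false, reason: `unparseable URL: ${raw}` };
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
    return { ok: false, reason: `scheme ${parsed.protocol} not allowed` };
  }
  if (parsed.username || parsed.password) {
    return { ok: false, reason: "credentials in URL" };
  }
  if (!TRUSTED_DEV_ORIGINS.has(parsed.origin)) {
    return { ok: false, reason: `origin ${parsed.origin} not in allowlist` };
  }
  return { ok: true, url: parsed.toString() };
}

// Decide whether an IPC message may be served, from the URL of the frame that
// sent it (event.senderFrame.url in Electron). Only the app's own renderer
// qualifies; a navigated-to page or a third-party iframe in the same window does not.
function isTrustedSender(senderUrl: string, isPackaged: boolean): boolean {
  let parsed: URL;
  try {
    parsed = new URL(senderUrl);
  } catch (e) {
    return false;
  }
  if (isPackaged) {
    return parsed.protocol === "file:" && parsed.pathname === APP_RENDERER_FILE;
  }
  return TRUSTED_DEV_ORIGINS.has(parsed.origin);
}

// BrowserWindow webPreferences that keep the preload as the only bridge between
// the renderer and Node. Each key here is a real Electron option; any exception
// needed for WebGPU should be documented next to the window that needs it.
function hardenedWebPreferences(preloadPath: string) {
  return {
    preload: preloadPath,
    contextIsolation: true,
    sandbox: true,
    nodeIntegration: false,
    webSecurity: true,
  };
}

// Wiring in electron/main.ts (assumed usage, not executed in this block):
//
//   const decision = validateAppUrl(process.env.VITE_DEV_SERVER_URL, app.isPackaged);
//   if (!decision.ok) throw new Error(decision.reason);
//   const win = new BrowserWindow({ webPreferences: hardenedWebPreferences(preload) });
//   win.webContents.setWindowOpenHandler(() => ({ action: "deny" }));
//   win.webContents.on("will-navigate", (event, url) => {
//     if (!isTrustedSender(url, app.isPackaged)) event.preventDefault();
//   });
//   win.loadURL(decision.url);
//
//   ipcMain.handle("render:start", (event, job) => {
//     if (!isTrustedSender(event.senderFrame.url, app.isPackaged)) {
//       throw new Error("render:start refused: untrusted sender");
//     }
//     return startRender(job);
//   });
```

The sender check belongs in the main process, not in the preload: the preload's contextBridge surface is visible to whatever page ends up in the window, so restricting exposure "to trusted origins" only holds if the handler on the other side of the IPC channel re-checks who is calling.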