Agent Skills
› muratgur/ordinus
› electron-secure-boundary
electron-secure-boundary
GitHub维护Ordinus Electron安全边界,确保特权代码与UI分离。适用于修改BrowserWindow配置、进程职责、原生API访问或涉及文件系统/数据库的操作,防止渲染层暴露Node/Electron能力。
Trigger Scenarios
修改 BrowserWindow 选项
调整 main/preload/renderer 职责
涉及特权 OS 访问
使用文件系统、数据库或子进程
可能向渲染器代码暴露 Electron 或 Node 能力的变更
Install
npx skills add muratgur/ordinus --skill electron-secure-boundary -g -y
SKILL.md
Frontmatter
{
"name": "electron-secure-boundary",
"description": "Maintain Ordinus Electron security boundaries. Use when changing BrowserWindow options, main\/preload\/renderer responsibilities, privileged OS access, filesystem\/database\/process usage, or anything that could expose Electron or Node capabilities to renderer code."
}
Electron Secure Boundary
Objective
Keep Ordinus secure by preserving the separation between privileged desktop code and UI code.
Rules
- Keep privileged work in Electron main process: filesystem, SQLite, child processes, provider runtimes, secrets, native dialogs, and OS integration.
- Keep renderer as UI-only React code. Do not import or use Node APIs, Electron APIs, SQLite clients, filesystem modules, or child process modules in renderer.
- Keep preload small and typed. Expose only purpose-built
window.ordinus.*methods. - Never expose raw
ipcRenderer,electron, filesystem, process, database, or generic command execution APIs to renderer. - Preserve
nodeIntegration: false,contextIsolation: true, andsandbox: trueunless the user explicitly asks for a security model redesign. - Avoid third-party runtime imports in preload. In sandboxed preload, prefer type-only imports plus
ipcRenderer.invoke.
Workflow
- Identify which side of the boundary the change touches: main, preload, renderer, or shared contracts.
- Move privileged behavior to main process services or IPC handlers.
- Add the narrowest preload method needed for renderer.
- Keep validation and trust decisions in main/shared, not renderer.
- Run
npm run typecheck,npm run lint, andnpm run build. - For boundary changes, smoke test
npm run devor the packaged app.
Red Flags
- Renderer imports from
electron,node:*,fs,path,child_process,better-sqlite3, or main-process modules. - Preload exposes general-purpose methods such as
invoke(channel, payload)orrunCommand(command). - IPC handlers trust renderer payloads without validation.
- A UI feature requires relaxing sandbox settings before simpler IPC design has been tried.
Version History
- f507122 Current 2026-07-05 18:19


