active
Updated Feb 19, 2026, 9:36 PM
Policy ID js71cstqq2b120f443xgt5q71981f4gr
Desktop external URL opening must enforce protocol safety and validation.

Rationale:
- Unsafe protocol handling in desktop shells can create high-impact security vulnerabilities: an opener that hands an unvalidated string to the OS (for example Electron's `shell.openExternal`) can launch local files or registered scheme handlers, not just a browser tab.

Scope:
- PR review policy for desktop URL-opening logic under:
  - `domains/typescript/mem-client-desktop/src/**`
  - `domains/typescript/mem-client-desktop/preload/**`

Trigger:
- A PR adds/changes behavior that opens external URLs (for example `shell.openExternal` call sites or wrappers around them).

Approval checks:
1) URL open paths validate the protocol against an explicit allowlist before opening.
2) URL strings are parsed/normalized before the open call wherever the input can be user-controlled or cross-process (renderer to main, IPC, deep links), so the check runs on the same form the OS will receive.
3) Invalid/blocked URLs fail closed (nothing is opened) and emit an explicit handling/logging signal.
4) URL-safety logic changes include tests for both allowed and blocked protocol cases.

Evidence:
- Diff shows allowlist validation and tests asserting blocked/allowed behavior.

Exception path:
- Allow deviation only when all of the following are true:
  1) PR description includes `Policy Exception: desktop-external-url-safety`.
  2) PR explains why allowlist validation or normalization cannot be applied as usual.
  3) PR documents compensating controls.

Decision:
- Return NOT APPROVED when the trigger is met and URL-safety controls are missing without a valid exception.