Status: active. Updated Feb 19, 2026, 9:36 PM
Policy ID js7d7at10wnr6edr0c1aq9vc5s81f8cb
Desktop preload bridge must preserve least-privilege exposure.

Rationale:
- Preload APIs define the renderer trust boundary; over-exposure increases attack surface. A renderer that can reach a raw primitive, or name its own IPC channel, can call any main-process handler, so a renderer compromise (for example XSS in rendered content) becomes a privileged-process compromise.

Scope:
- PR review policy for preload bridge changes under:
  - `domains/typescript/mem-client-desktop/preload/**`

Trigger:
- A PR adds/changes `contextBridge` exposure or renderer-accessible desktop APIs.

Approval checks:
1) Renderer exposure remains narrow and method-based (no exposing raw Electron primitives such as `ipcRenderer`, `shell`, `process`, or `BrowserWindow`).
2) Exposed methods map to explicit IPC channels/handlers rather than dynamic pass-through invocation (a wrapper such as `invoke(channel, ...args)` that forwards whatever channel the renderer names counts as pass-through).
3) Exposed APIs remain typed (arguments/returns documented in typed contract surfaces).
4) New privileged capabilities include tests or explicit validation steps for allow/deny behavior.

Evidence:
- Diff shows least-privilege API surface and explicit channel mappings.

Exception path:
- Allow deviation only when all are true:
  1) PR description includes `Policy Exception: desktop-preload-least-privilege`.
  2) PR explains why broader exposure is required.
  3) PR documents a time-bound mitigation plan.

Decision:
- Return NOT APPROVED when the trigger is met and least-privilege constraints are violated without a valid exception.
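Added illustration of approval checks 1, 2 and 4 (not code from the policy's project): a violating preload beside a compliant one, and a probe-based audit that a reviewer or a CI step could run as the "explicit validation step for allow/deny behavior". The channel names, the `desktop` world key and the https-only rule are assumptions; Electron's `contextBridge` and `ipcRenderer` are replaced by minimal stand-ins so the example runs without Electron.

```typescript
// Added example, not the project's own preload. Channel names, the "desktop"
// world key and the https-only rule are assumptions made for illustration.

// Only the two Electron methods the preload needs are modelled (assumption).
export interface IpcRendererLike {
  invoke(channel: string, ...args: unknown[]): Promise<unknown>;
}
export interface ContextBridgeLike {
  exposeInMainWorld(key: string, api: object): void;
}

// Typed contract surface the renderer sees (check 3). Hypothetical channels.
export type DesktopApi = {
  readConfig(key: string): Promise<string>;
  openExternal(url: string): Promise<void>;
};
export const CHANNELS = {
  readConfig: "config:read",
  openExternal: "shell:open-external",
} as const;

// Violating preload: exposes the raw primitive (check 1) and a dynamic
// pass-through that lets the renderer name any channel (check 2).
export function badPreload(bridge: ContextBridgeLike, ipc: IpcRendererLike): void {
  bridge.exposeInMainWorld("desktop", {
    ipcRenderer: ipc,
    invoke: (channel: string, ...args: unknown[]) => ipc.invoke(channel, ...args),
  });
}

// Compliant preload: narrow, method-based, one fixed channel per method, with
// renderer input checked in preload before it reaches a privileged handler.
export function goodPreload(bridge: ContextBridgeLike, ipc: IpcRendererLike): void {
  const api: DesktopApi = {
    readConfig: (key) => ipc.invoke(CHANNELS.readConfig, key) as Promise<string>,
    openExternal: (url) => {
      if (!/^https:\/\//.test(url)) {
        return Promise.reject(new Error("openExternal: only https URLs are allowed"));
      }
      return ipc.invoke(CHANNELS.openExternal, url) as Promise<void>;
    },
  };
  bridge.exposeInMainWorld("desktop", api);
}

type PreloadFn = (bridge: ContextBridgeLike, ipc: IpcRendererLike) => void;

// Audit a preload by running it against recording stand-ins. Returns the
// policy findings; an empty list means the exposed surface passed.
export function auditPreload(preload: PreloadFn, allowedChannels: string[]): string[] {
  const findings: string[] = [];
  const invoked: string[] = [];
  let exposed: Record<string, unknown> = {};
  const ipc: IpcRendererLike = {
    invoke: (channel) => {
      invoked.push(channel); // record which main-process channel was reached
      return Promise.resolve(undefined);
    },
  };
  preload({ exposeInMainWorld: (_key, api) => { exposed = api as Record<string, unknown>; } }, ipc);

  // Check 1: no raw Electron primitives on the exposed object.
  const forbidden = ["ipcRenderer", "shell", "process", "BrowserWindow"];
  const keys = Object.keys(exposed);
  for (const key of keys) {
    if (forbidden.indexOf(key) !== -1) findings.push(`raw primitive exposed: ${key}`);
  }

  // Check 2: call each exposed function with a channel name the policy never
  // approved. If that string reaches ipc.invoke, the renderer chooses channels.
  // Any other channel reached must be in the approved list.
  const probe = "probe:not-an-approved-channel";
  for (const key of keys) {
    const member = exposed[key];
    if (typeof member !== "function") continue;
    invoked.length = 0;
    const result = (member as (...args: unknown[]) => unknown)(probe);
    if (result instanceof Promise) result.catch(() => undefined); // a rejection is a deny, not an error
    if (invoked.indexOf(probe) !== -1) findings.push(`dynamic pass-through: ${key}`);
    for (const channel of invoked) {
      if (channel !== probe && allowedChannels.indexOf(channel) === -1) {
        findings.push(`unapproved channel ${channel} via ${key}`);
      }
    }
  }
  return findings;
}
```

The probe only detects a pass-through that forwards its first argument as the channel; it complements, rather than replaces, reading the diff for the explicit channel mapping the policy asks for as evidence. The same harness doubles as the allow/deny test from check 4: run it with the approved channel list and fail the PR on any non-empty result.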