Desktop: Preload Least Privilege
Repository: mem-labs/mem
Status: active
Updated Feb 19, 2026, 9:36 PM
Desktop preload bridge must preserve least-privilege exposure.

Rationale:
- Preload APIs define the renderer trust boundary; over-exposure increases the attack surface.

Scope:
- PR review policy for preload bridge changes under:
  - `domains/typescript/mem-client-desktop/preload/**`

Trigger:
- A PR adds or changes `contextBridge` exposure or renderer-accessible desktop APIs.

Approval checks:
1) Renderer exposure remains narrow and method-based (no exposure of raw Electron primitives such as `ipcRenderer`, `shell`, `process`, or `BrowserWindow`).
2) Exposed methods map to explicit IPC channels/handlers rather than dynamic pass-through invocation.
3) Exposed APIs remain typed (arguments and returns documented in typed contract surfaces).
4) New privileged capabilities include tests or explicit validation steps for allow/deny behavior.

Evidence:
- Diff shows a least-privilege API surface and explicit channel mappings.

Exception path:
- Allow deviation only when all of the following are true:
  1) PR description includes `Policy Exception: desktop-preload-least-privilege`.
  2) PR explains why broader exposure is required.
  3) PR documents a time-bound mitigation plan.

Decision:
- Return NOT APPROVED when the trigger is met and least-privilege constraints are violated without a valid exception.
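The following is an added illustration of checks 1 and 2, not code from the mem-labs/mem repository. It models the two bridge shapes the policy contrasts (a dynamic pass-through that leaks `shell`, versus fixed typed methods each bound to one explicit channel) and a small reviewer-style audit of the exposed surface. Electron's `contextBridge` and `ipcRenderer` are replaced by constructed stand-ins so it runs under plain Node; the channel names, handlers and `memex:app:quit` privileged channel are hypothetical.

```javascript
// Added example (not project code). Models a preload bridge under the policy above.
// Electron APIs are replaced by stand-ins so this runs offline with plain Node.

// Main-process handlers keyed by explicit channel name (constructed sample data).
const MAIN_HANDLERS = {
  'memex:notes:list': () => ['note-1', 'note-2'],
  'memex:notes:get': (id) => ({ id, body: `body of ${id}` }),
  // A privileged channel that exists in main but must never be renderer-reachable.
  'memex:app:quit': () => 'QUIT',
};

// Stand-in for ipcRenderer: forwards whatever channel it is given, as the real one does.
function makeIpcStub() {
  const calls = [];
  return {
    calls,
    invoke(channel, ...args) {
      calls.push(channel);
      const handler = MAIN_HANDLERS[channel];
      if (!handler) throw new Error(`no handler for ${channel}`);
      return handler(...args);
    },
  };
}

// Shape the policy rejects: renderer can name any channel, and a raw primitive is leaked.
function buildOverExposedBridge(ipc) {
  return {
    invoke: (channel, ...args) => ipc.invoke(channel, ...args), // dynamic pass-through
    shell: { openExternal: (url) => `opened ${url}` },          // raw primitive exposed
  };
}

// Shape the policy wants: fixed, typed methods, each bound to exactly one channel.
function buildLeastPrivilegeBridge(ipc) {
  return {
    listNotes() {
      return ipc.invoke('memex:notes:list');
    },
    getNote(id) {
      // Typed contract enforced at the boundary before anything crosses to main.
      if (typeof id !== 'string' || id.length === 0) {
        throw new TypeError('getNote: id must be a non-empty string');
      }
      return ipc.invoke('memex:notes:get', id);
    },
  };
}

// Raw Electron primitives the policy forbids on the bridge.
const RAW_PRIMITIVES = new Set(['ipcRenderer', 'shell', 'process', 'BrowserWindow']);
// Method names that signal dynamic pass-through rather than explicit channel mapping.
const PASS_THROUGH_METHODS = new Set(['invoke', 'send', 'sendSync', 'on']);

// Reviewer-style audit of the exposed surface; an empty list means it passes checks 1 and 2.
function auditBridge(bridge) {
  const findings = [];
  for (const [name, value] of Object.entries(bridge)) {
    if (RAW_PRIMITIVES.has(name)) findings.push(`raw primitive exposed: ${name}`);
    else if (PASS_THROUGH_METHODS.has(name)) findings.push(`dynamic pass-through: ${name}`);
    else if (typeof value !== 'function') findings.push(`non-method exposure: ${name}`);
  }
  return findings;
}

// Demonstration: the pass-through bridge reaches the privileged channel; the narrow one cannot.
function demo() {
  const loose = makeIpcStub();
  const looseBridge = buildOverExposedBridge(loose);
  const reachedQuit = looseBridge.invoke('memex:app:quit');

  const tight = makeIpcStub();
  const tightBridge = buildLeastPrivilegeBridge(tight);
  const note = tightBridge.getNote('note-1');

  return {
    reachedQuit,                              // 'QUIT': renderer drove a privileged action
    looseFindings: auditBridge(looseBridge),  // two findings
    tightFindings: auditBridge(tightBridge),  // none
    tightChannels: tight.calls,               // only the explicitly mapped channel
    note,
  };
}
```

The audit is name-based and deliberately simple: in a real review it complements reading the diff under `preload/**`, it does not replace it, since a pass-through can be hidden behind any method name that forwards a caller-supplied channel.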