| name | electron-app-architecture |
| description | Architect secure, performant Electron desktop apps with clear separation of concerns |
| triggers | Create an Electron app, Set up Electron main process, Add IPC to Electron, Secure Electron app, Electron preload script |
| version | 1.0.0 |
| author | Agent Skills Package |
| tags | electron, desktop, security, ipc, typescript |
Electron App Architecture
Architect secure, performant Electron desktop apps with clear separation of concerns.
Prerequisites
- Node.js 18+ installed
- Understanding of main/renderer process separation
- TypeScript knowledge recommended
Process Separation
Electron has three distinct processes:
- Main Process - Node.js environment, manages app lifecycle and windows
- Renderer Process - Browser context, renders UI (no Node.js access)
- Preload Script - Bridge between main and renderer, exposes safe APIs
Security Checklist
-
nodeIntegration: falsein BrowserWindow -
contextIsolation: trueenabled - Preload script with
contextBridge.exposeInMainWorld - Strict Content Security Policy (no
unsafe-inline) - Validate all IPC payloads
- Don't expose entire Node.js API to renderer
Project Structure
src/
├── main/ # Main process code
│ ├── main.ts # Entry point
│ ├── ipc/ # IPC handlers
│ └── windows/ # Window management
├── preload/ # Preload scripts
│ └── preload.ts
└── renderer/ # Frontend code
├── src/
└── index.html
Best Practices
- Separate concerns - Keep main, renderer, and preload responsibilities distinct
- Prefer request/response - Use
ipcRenderer.invokewithipcMain.handleover events - Narrow IPC API - Expose minimal, versioned interfaces via contextBridge
- Handle errors - Don't pass raw Error objects across IPC; serialize safe fields
- Package scripts - Use proper packaging for distribution
See Also
reference.md- Security checklist, IPC patterns, threat modeltemplates/main.ts- Minimal, secure main processtemplates/preload.ts- ContextBridge example exposing safe APIstemplates/renderer-bridge.ts- Typed front-end interface around IPC