Skills
skills/jwynia/agent-skills/electron-best-practices

electron-best-practices

SKILL.md

Electron + React Best Practices

Guide AI agents in building secure, production-ready Electron applications with React. This skill provides security patterns, type-safe IPC communication, project setup guidance, packaging and code signing workflows, and tools for analysis, scaffolding, and type generation.

When to Use This Skill

Use this skill when:

  • Generating Electron main, preload, or renderer process code
  • Configuring electron-vite or Electron Forge
  • Setting up IPC communication between processes
  • Implementing security patterns (contextBridge, sandbox, CSP)
  • Packaging, signing, and notarizing desktop applications
  • Testing Electron apps with Playwright
  • Designing multi-window architectures

Do NOT use this skill when:

  • Building Tauri apps (different paradigm, use Tauri-specific guidance)
  • Building pure web apps with no desktop requirements
  • Targeting Electron versions below 20 (security defaults differ)
  • Using non-React renderer frameworks (use framework-specific skills)

Core Principles

1. Security First Architecture

Modern Electron security relies on three defaults that became standard in Electron 20+: context isolation, sandbox mode, and nodeIntegration disabled. Disabling any of them allows XSS attacks to escalate to full remote code execution. All main-renderer communication must flow through contextBridge:

// preload.ts - SECURE pattern
contextBridge.exposeInMainWorld('electronAPI', {
  loadPreferences: () => ipcRenderer.invoke('load-prefs'),
  saveFile: (content: string) => ipcRenderer.invoke('save-file', content),
  onUpdateCounter: (callback: (value: number) => void) => {
    const handler = (_event: IpcRendererEvent, value: number) => callback(value);
    ipcRenderer.on('update-counter', handler);
    return () => ipcRenderer.removeListener('update-counter', handler);
  }
});

Set Content Security Policy via HTTP headers for apps loading local files, restricting script sources to 'self'.

2. Type-Safe IPC Communication

The invoke/handle pattern is preferred over send/on for request-response communication, providing proper async/await semantics and error propagation. For typed channels, use a mapped type pattern:

type IpcChannelMap = {
  'load-prefs': { args: []; return: UserPreferences };
  'save-file': { args: [content: string]; return: { success: boolean } };
};

For complex applications, electron-trpc provides full type safety using tRPC's router pattern with Zod validation:

export const appRouter = t.router({
  greeting: t.procedure
    .input(z.object({ name: z.string() }))
    .query(({ input }) => `Hello, ${input.name}!`),
});

Error handling across the IPC boundary requires attention because Electron only serializes the message property of Error objects. Wrap responses in a { success, data, error } result type to preserve full error context.

3. Modern Project Setup

The recommended stack uses electron-vite for development and Electron Forge for packaging. electron-vite provides a unified configuration managing main, preload, and renderer processes with sub-second dev server startup and instant HMR. Electron Forge uses first-party Electron packages for signing and notarization.

src/
├── main/           # Main process (Node.js environment)
│   ├── index.ts
│   └── ipc/        # IPC handlers
├── preload/        # Secure bridge via contextBridge
│   ├── index.ts
│   └── index.d.ts  # TypeScript declarations for exposed APIs
└── renderer/       # React application (pure web, no Node access)
    ├── src/
    └── index.html

4. React Integration Patterns

React 18's concurrent features work normally in Electron's Chromium-based renderer. Strict Mode's double-invocation of effects catches IPC listener leaks that would otherwise cause memory issues. Always return cleanup functions from effects that register IPC listeners:

useEffect(() => {
  const cleanup = window.electronAPI.onUpdateCounter((value) => {
    setCount(value);
  });
  return cleanup;
}, []);

For multi-window applications, the main process should serve as the single source of truth for shared state. Use electron-store for persistence combined with IPC broadcasting so any window's mutation updates all others.

Quick Reference

Category Prefer Avoid
Security contextBridge.exposeInMainWorld() nodeIntegration: true
IPC invoke/handle pattern send/on for request-response
Preload Typed function wrappers Exposing raw ipcRenderer
Build tool electron-vite webpack-based toolchains
Packaging Electron Forge Manual packaging
State Zustand + electron-store Redux for simple apps
Testing Playwright E2E Spectron (deprecated)
Updates electron-updater Manual update checks
Signing CI-integrated code signing Unsigned releases
CSP HTTP headers, 'self' only No CSP
Error handling Result type {success, data, error} Raw Error across IPC
Multi-window Main process as state hub Direct window-to-window

Code Generation Guidelines

When generating Electron code, follow these patterns:

BrowserWindow Creation

const win = new BrowserWindow({
  webPreferences: {
    preload: path.join(__dirname, '../preload/index.js'),
    contextIsolation: true,
    sandbox: true,
    nodeIntegration: false,
  },
});

Always enable contextIsolation and sandbox. Never enable nodeIntegration. The preload path must resolve to the built output location.

IPC Handler Module

export function registerFileHandlers(): void {
  ipcMain.handle('save-file', async (_event, content: string) => {
    try {
      await fs.writeFile(filePath, content);
      return { success: true, data: filePath };
    } catch (err) {
      return { success: false, error: (err as Error).message };
    }
  });
}

Group related handlers into modules. Use the result type pattern for all return values. Validate all arguments received from the renderer process.

Common Anti-Patterns

Avoid these patterns when generating Electron code:

Anti-Pattern Problem Solution
nodeIntegration: true XSS escalates to full RCE Keep disabled (default)
Exposing ipcRenderer directly Full IPC access from renderer Wrap in contextBridge functions
Missing contextIsolation Renderer accesses preload scope Keep enabled (default since Electron 12)
No code signing OS security warnings, Gatekeeper blocks Sign and notarize for all platforms
BrowserWindow without sandbox Preload has full Node.js access Enable sandbox (default since Electron 20)
Unvalidated IPC arguments Injection attacks from renderer Validate with Zod or manual checks
0.0.0.0 server binding Network-exposed local server Always bind to 127.0.0.1
Missing CSP headers Script injection vectors Set strict CSP via HTTP headers
No IPC error serialization Lost error context across boundary Use Result type pattern
Spectron for testing Deprecated, Electron 13 max Use Playwright

See references/security/security-checklist.md for the full security audit checklist.

Scripts Reference

analyze-security.ts

Analyze Electron projects for security misconfigurations:

deno run --allow-read scripts/analyze-security.ts <path> [options]

Options:
  --strict    Enable all checks
  --json      Output JSON for CI
  -h, --help  Show help

Examples:
  # Analyze a project
  deno run --allow-read scripts/analyze-security.ts ./src

  # Strict mode for CI pipeline
  deno run --allow-read scripts/analyze-security.ts ./src --strict --json

scaffold-electron-app.ts

Scaffold a new Electron + React project with secure defaults:

deno run --allow-read --allow-write scripts/scaffold-electron-app.ts [options]

Options:
  --name <name>     App name (required)
  --path <path>     Target directory (default: ./)
  --with-react      Include React setup
  --with-trpc       Include electron-trpc
  --with-tests      Include Playwright tests

Examples:
  # Basic app with React
  deno run --allow-read --allow-write scripts/scaffold-electron-app.ts \
    --name "my-app" --with-react

  # Full setup with trpc and tests
  deno run --allow-read --allow-write scripts/scaffold-electron-app.ts \
    --name "my-app" --with-react --with-trpc --with-tests

generate-ipc-types.ts

Generate TypeScript type definitions from IPC handler files:

deno run --allow-read --allow-write scripts/generate-ipc-types.ts [options]

Options:
  --handlers <path>  Path to IPC handler files
  --output <path>    Output path for type definitions
  --validate         Validate existing types match handlers

Examples:
  # Generate types from handlers
  deno run --allow-read --allow-write scripts/generate-ipc-types.ts \
    --handlers ./src/main/ipc --output ./src/preload/ipc-types.d.ts

  # Validate types in CI
  deno run --allow-read scripts/generate-ipc-types.ts \
    --handlers ./src/main/ipc --validate

Additional Resources

Security

  • references/security/context-isolation.md - contextBridge and isolation patterns
  • references/security/csp-and-permissions.md - Content Security Policy configuration
  • references/security/security-checklist.md - Full security audit checklist

IPC Communication

  • references/ipc/typed-ipc.md - Typed channel map patterns
  • references/ipc/electron-trpc.md - tRPC integration for full type safety
  • references/ipc/error-serialization.md - Result types across IPC boundary

Architecture

  • references/architecture/project-structure.md - Directory organization
  • references/architecture/process-separation.md - Main, preload, and renderer roles
  • references/architecture/multi-window-state.md - Shared state across windows

React Integration

  • references/integration/react-patterns.md - useEffect cleanup, Strict Mode
  • references/integration/state-management.md - Zustand and electron-store patterns

Packaging & Distribution

  • references/packaging/code-signing.md - Platform-specific signing workflows
  • references/packaging/auto-updates.md - electron-updater configuration
  • references/packaging/bundle-optimization.md - Size reduction techniques
  • references/packaging/ci-cd-patterns.md - GitHub Actions matrix builds

Testing

  • references/testing/playwright-e2e.md - Playwright Electron support
  • references/testing/unit-testing.md - Jest/Vitest multi-project configuration
  • references/testing/test-structure.md - Test organization patterns

Tooling

  • references/tooling/electron-vite.md - Build tool configuration
  • references/tooling/electron-forge.md - Packaging and distribution
  • references/tooling/tauri-comparison.md - When to choose Tauri instead

Templates

  • assets/templates/main-process.ts.md - Main process starter template
  • assets/templates/preload-script.ts.md - Preload script with contextBridge
  • assets/templates/ipc-handler.ts.md - IPC handler module template
  • assets/templates/react-root.tsx.md - React root component template

Configuration Examples

  • assets/configs/electron-vite.config.ts.md - electron-vite configuration
  • assets/configs/forge.config.js.md - Electron Forge configuration
  • assets/configs/tsconfig.json.md - TypeScript configuration presets
  • assets/configs/playwright.config.ts.md - Playwright Electron test config

Complete Examples

  • assets/examples/typed-ipc-example.md - End-to-end typed IPC walkthrough
  • assets/examples/multi-window-example.md - Multi-window state management
Weekly Installs
100
Repository
jwynia/agent-skills
GitHub Stars
35
First Seen
Feb 4, 2026
Security Audits
Gen Agent Trust HubPass
SocketPass
SnykPass
Installed on
codex94
opencode92
gemini-cli91
github-copilot89
cursor84
kimi-cli83