The Electron Security Model
Electron combines Node.js (full system power) with Chromium (executing untrusted web code). If web code gets direct access to Node.js APIs (require('fs')), a malicious script injected via XSS could instantly format a user's hard drive.
Flowork OS enforces strict security rules to prevent this.
Context Isolation
The primary defense is Context Isolation.
In main.js, the main UI window is created with new BrowserWindow({ webPreferences: { contextIsolation: true, nodeIntegration: false } }).
This creates a rigid boundary. The Vue SPA in the renderer process has absolutely zero direct access to Node.js.
The Preload Bridge: Your Checkpoint
To allow the Vue UI to perform system tasks (like saving a file), it must ask the Main Process. This is facilitated by preload.js.
The preload script is a highly privileged file that executes before the Vue app loads. It has access to both Node.js IPC modules and the browser window object.
Using contextBridge.exposeInMainWorld('floworkDesktop', { ... }), the preload script intentionally exposes only secure, tightly controlled functions.
IPC (Inter-Process Communication)
When the Vue app calls window.floworkDesktop.shutdownApp():
1. The Bridge serializes the request.
2. It sends an IPC message to the Main Process.
3. The Main Process receives the message via ipcMain.handle('app:shutdown').
4. The Main Process executes the potentially dangerous action (app.quit()) in its secure environment.