From ddfb03935ad44cc49841960e7b5d209469fff198 Mon Sep 17 00:00:00 2001
From: Simon Hagger
Date: Thu, 12 Feb 2026 11:19:14 +0000
Subject: [PATCH] chore(security): tighten window defaults and IPC envelope schema

---
 apps/desktop-main/src/main.ts | 3 +++
 libs/shared/contracts/src/lib/request-envelope.ts | 12 +++++++-----
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/apps/desktop-main/src/main.ts b/apps/desktop-main/src/main.ts
index 0f9217a..454af77 100644
--- a/apps/desktop-main/src/main.ts
+++ b/apps/desktop-main/src/main.ts
@@ -203,6 +203,9 @@ const createMainWindow = async (): Promise => {
 contextIsolation: true,
 nodeIntegration: false,
 sandbox: true,
+ webSecurity: true,
+ allowRunningInsecureContent: false,
+ experimentalFeatures: false,
 },
 });

diff --git a/libs/shared/contracts/src/lib/request-envelope.ts b/libs/shared/contracts/src/lib/request-envelope.ts
index bca8517..4a17927 100644
--- a/libs/shared/contracts/src/lib/request-envelope.ts
+++ b/libs/shared/contracts/src/lib/request-envelope.ts
@@ -4,10 +4,12 @@ import { contractVersionSchema } from './contract-version';
 export const requestEnvelope = (
 payload: TPayload,
 ) =>
- z.object({
- contractVersion: contractVersionSchema,
- correlationId: z.string().min(1).max(128),
- payload,
- });
+ z
+ .object({
+ contractVersion: contractVersionSchema,
+ correlationId: z.string().min(1).max(128),
+ payload,
+ })
+ .strict();

 export const emptyPayloadSchema = z.object({}).strict();
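Review bot: The three flags added to `webPreferences` in apps/desktop-main/src/main.ts restate values that, as far as I know, are already Electron's defaults, so they change no behaviour and need a comment saying they are pinned on purpose; without one a later cleanup may delete them as redundant. I would add above them `// Pinned to the secure defaults on purpose: a change to any of these must show up as an explicit diff.` These options also do not govern navigation or new-window creation. Whether `createMainWindow` restricts those (for example via `setWindowOpenHandler` or a `will-navigate` handler) is not visible here, because the function starts and ends outside the hunk.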
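Review bot: In libs/shared/contracts/src/lib/request-envelope.ts the added `.strict()` rejects unknown keys only at the top level of the envelope; whatever schema is passed as `payload` still decides whether extra keys inside the payload are rejected or silently stripped. `emptyPayloadSchema` is strict, but the other payload schemas are not visible in this patch, so the doc comment on `requestEnvelope` should say so, e.g. `/** Envelope is strict; payload schemas must call .strict() themselves, strictness is not inherited. */`. The diffstat lists no test file, so a case asserting that an envelope with an extra top-level key fails to parse would pin the new behaviour.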