Anonymous Intelligence Signal

Critical Electron Security Flaw: Renderer Process Bypasses Sandbox via Direct Node.js Access

The Lab (unverified) | 2026-05-02 15:54:13 | Source: GitHub Issues

A critical security vulnerability has been identified in the application's Electron renderer process, allowing full Node.js API access without proper context isolation. The renderer process (src/renderer/renderer.js) directly requires Electron modules via `require('electron')` on line 1, bypassing Electron's security architecture. Without a preload script, the renderer has unrestricted access to Node.js APIs — a complete bypass of Electron's security model.

The vulnerability extends across the entire renderer layer. All 12 script tags in src/renderer/index.html load with full Node.js capabilities. Twelve separate UI component files are affected, including ButtonStatePreview.js, ContextManagerUI.js, KeyboardShortcutPicker.js, LEDManagerUI.js, LogViewer.js, MacroRecorderUI.js, PerformanceUI.js, PluginManagerUI.js, ProfileManagerUI.js, SystemIntegrationUI.js, UpdateUI.js, and VoiceRecognitionUI.js. When combined with the related nodeIntegration:true setting (Issue #1), the exposure becomes complete — the sandbox is effectively disabled for all renderer-side code.

The recommended remediation is a dedicated preload script (src/preload.js) that uses `contextBridge.exposeInMainWorld()` to expose only the specific IPC channels the UI needs, rather than the Electron or Node.js modules themselves. This keeps the application working while restoring Electron's process boundary: page JavaScript talks to the main process only through the exposed API. Until then, any attacker-controlled content that reaches the renderer can execute arbitrary code with the application's full Node.js privileges.
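The pattern described above, as an added example that is not the project's own code: the weak `webPreferences` the report describes next to the hardened form, a small audit helper, and a preload script that exposes an allowlisted IPC surface through `contextBridge`. The channel names (`profiles:list`, `led:state`, and so on), the `window.api` name and the preload path are assumptions for illustration; the real channels would be the ones the twelve UI components actually use.

```javascript
// Added example, not the project's code. Two halves of the fix: (1) BrowserWindow
// webPreferences as the report describes them vs. hardened, checked by a small
// audit helper (main-process side); (2) the preload script itself, which is the
// only code that ever touches ipcRenderer. Channel names are assumed.

// (1) What the report describes: page JS gets require() and all of Node.js.
const insecureWebPreferences = { nodeIntegration: true, contextIsolation: false };

// Corrected form. In main.js resolve `preload` to an absolute path, e.g.
// path.join(__dirname, 'preload.js'); the string below is a placeholder.
const hardenedWebPreferences = {
  nodeIntegration: false,   // renderer gets no Node.js, no require()
  contextIsolation: true,   // preload world and page world are separate
  sandbox: true,            // Electron's default since v20; keep it on
  preload: 'src/preload.js',
};

// Returns a list of findings; empty means the window is configured as intended.
function auditWebPreferences(prefs) {
  const findings = [];
  if (prefs.nodeIntegration === true) findings.push('nodeIntegration:true exposes all of Node.js to page JS');
  if (prefs.contextIsolation === false) findings.push('contextIsolation:false lets page JS reach the preload world');
  if (!prefs.preload) findings.push('no preload script: nothing mediates between page JS and IPC');
  return findings;
}

// (2) Preload: the allowlist is the whole security boundary. Only these
// channels can be invoked or subscribed to; ipcRenderer itself never crosses.
const ALLOWED_INVOKE_CHANNELS = Object.freeze(['profiles:list', 'profiles:save', 'macros:run']); // assumed
const ALLOWED_EVENT_CHANNELS = Object.freeze(['led:state', 'log:line']);                          // assumed

function buildRendererApi(ipcRenderer) {
  return Object.freeze({
    // Request/response to the main process (ipcMain.handle on the other side).
    invoke(channel, ...args) {
      if (!ALLOWED_INVOKE_CHANNELS.includes(channel)) {
        throw new Error(`IPC channel not allowed: ${channel}`);
      }
      return ipcRenderer.invoke(channel, ...args);
    },
    // Main -> renderer events. The IpcRendererEvent object is dropped so the page
    // never gets a handle to the sender; returns an unsubscribe function.
    on(channel, listener) {
      if (!ALLOWED_EVENT_CHANNELS.includes(channel)) {
        throw new Error(`IPC channel not allowed: ${channel}`);
      }
      const wrapped = (_event, ...args) => listener(...args);
      ipcRenderer.on(channel, wrapped);
      return () => ipcRenderer.removeListener(channel, wrapped);
    },
  });
}

// When Electron loads this file as the preload script, publish the API as
// window.api. Outside Electron (plain Node, unit tests) require('electron') is
// either missing or not the runtime API, so nothing is installed.
function installPreload() {
  let electron;
  try { electron = require('electron'); } catch { return false; }
  if (!electron || !electron.contextBridge) return false;
  electron.contextBridge.exposeInMainWorld('api', buildRendererApi(electron.ipcRenderer));
  return true;
}
installPreload();

// Renderer code then replaces `require('electron')` with calls such as:
//   const profiles = await window.api.invoke('profiles:list');
//   const stop = window.api.on('led:state', (state) => led.render(state));
```

With this in place, a compromised page can still call the allowlisted channels, so the main-process handlers behind them must validate their arguments; the preload limits the blast radius to those handlers instead of the whole Node.js API.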