feat: add deep-link support and Raycast extension

[Angelebeats]

This PR adds deep-link support to Cap (cap://record, cap://stop, cap://pause) and includes a dedicated Raycast extension for remote control.

Greptile Summary

This PR adds three new deep-link actions (StartDefaultRecording, PauseRecording, ResumeRecording) and a new cap:// URL scheme to complement the existing cap-desktop:// scheme, enabling Raycast and other external tools to remotely control Cap's recording lifecycle via cap://record, cap://stop, cap://pause, and cap://resume.

Key issues found:

• P0 – Wrong event payload in StartDefaultRecording: app.emit("request-open-recording-picker", ()) emits a JSON null payload, but the RequestOpenRecordingPicker tauri_specta struct expects { "target_mode": null }. Every other call site in hotkeys.rs correctly uses RequestOpenRecordingPicker { target_mode: None }.emit(&app). This mismatch will cause the frontend event listener to receive an unexpected payload, likely causing cap://record to silently do nothing.
• P2 – Generic cap:// scheme expands the attack surface: Registering the short, guessable cap scheme system-wide means any local application or browser link (e.g., a <a href="cap://record"> on a web page) can invisibly trigger screen recording. The existing cap-desktop://action?value=... format was harder to exploit accidentally; the new URLs remove that friction.

Confidence Score: 2/5

• Not safe to merge — the cap://record action will silently fail due to a payload type mismatch in the emitted event.
• The StartDefaultRecording handler emits the request-open-recording-picker event with a () (unit/null) payload instead of the typed RequestOpenRecordingPicker { target_mode: None } struct used everywhere else in the codebase. This payload mismatch means the primary advertised feature (cap://record opening the recording picker) will not function correctly. The fix is straightforward but the bug must be resolved before merging.
• apps/desktop/src-tauri/src/deeplink_actions.rs — specifically the StartDefaultRecording arm in the execute match.

Important Files Changed

Filename	Overview
apps/desktop/src-tauri/src/deeplink_actions.rs	Adds StartDefaultRecording, PauseRecording, and ResumeRecording variants and a cap:// URL parsing branch; contains a P0 event payload bug — app.emit("request-open-recording-picker", ()) emits null instead of the expected { target_mode: null }, causing frontend deserialization failure. Also bypasses the typed tauri_specta event system used everywhere else in the codebase.
apps/desktop/src-tauri/tauri.conf.json	Adds "cap" alongside "cap-desktop" in the deep-link scheme registration; mechanically correct but introduces a short, guessable system-wide scheme.

Sequence Diagram

sequenceDiagram
    participant Raycast as Raycast or Browser
    participant OS as OS Deep-Link Router
    participant Tauri as Tauri Plugin
    participant Handler as deeplink_actions
    participant Recording as recording module
    participant Frontend as Frontend Webview

    Raycast->>OS: "open cap://record"
    OS->>Tauri: "cap scheme triggered"
    Tauri->>Handler: "urls: [cap://record]"
    Handler->>Handler: "parse: scheme==cap, host==record"
    Handler->>Handler: "Ok(StartDefaultRecording)"
    Handler->>Frontend: "app.emit(request-open-recording-picker, null) ⚠️"
    Note over Frontend: "Expected payload: {target_mode:null}, got: null"

    Raycast->>OS: "open cap://stop"
    OS->>Tauri: "cap scheme triggered"
    Tauri->>Handler: "urls: [cap://stop]"
    Handler->>Handler: "Ok(StopRecording)"
    Handler->>Recording: "stop_recording(app, state)"

    Raycast->>OS: "open cap://pause"
    OS->>Tauri: "cap scheme triggered"
    Tauri->>Handler: "urls: [cap://pause]"
    Handler->>Handler: "Ok(PauseRecording)"
    Handler->>Recording: "pause_recording(app, state)"

    Raycast->>OS: "open cap://resume"
    OS->>Tauri: "cap scheme triggered"
    Tauri->>Handler: "urls: [cap://resume]"
    Handler->>Handler: "Ok(ResumeRecording)"
    Handler->>Recording: "resume_recording(app, state)"

Loading

Prompt To Fix All With AI

This is a comment left during a code review.
Path: apps/desktop/src-tauri/src/deeplink_actions.rs
Line: 169-171

Comment:
**Wrong event payload causes frontend deserialization failure**

`app.emit("request-open-recording-picker", ())` sends a JSON `null` payload, but the `RequestOpenRecordingPicker` struct has a `target_mode: Option<RecordingTargetMode>` field. The auto-generated frontend type expects `{ target_mode: null }`, not `null`. This payload mismatch will likely cause the event to silently fail or be ignored by the frontend listener.

All other call sites in `hotkeys.rs` correctly use the typed `tauri_specta` event. Use the same pattern here:

```suggestion
            DeepLinkAction::StartDefaultRecording => {
                RequestOpenRecordingPicker { target_mode: None }.emit(app).map_err(|e| e.to_string())
            }
```

You'll also need to import `RequestOpenRecordingPicker` at the top of the file (or reference it as `crate::RequestOpenRecordingPicker`).

How can I resolve this? If you propose a fix, please make it concise.

---

This is a comment left during a code review.
Path: apps/desktop/src-tauri/src/deeplink_actions.rs
Line: 94-102

Comment:
**Security: generic `cap://` scheme is accessible by any app or web page**

Registering `cap` as a system-wide URL scheme means any application — including browsers that silently follow `cap://` links in web pages — can trigger `cap://record`, `cap://stop`, `cap://pause`, and `cap://resume` without user confirmation. A malicious web page could embed `<a href="cap://record">` or automatically redirect to it, invisibly starting a screen capture session.

The existing `cap-desktop://action?value=...` scheme has the same surface area, but its JSON-in-query-string format is significantly harder to invoke accidentally or from a web page. The new `cap://` URLs reduce the exploit complexity to a single, guessable link.

Consider requiring explicit user-facing confirmation (e.g., showing a toast/alert before acting), or at minimum documenting this behavior so users are aware that any local app can control their recording session via these URLs.

How can I resolve this? If you propose a fix, please make it concise.

_{Reviews (1): Last reviewed commit: "feat: implement cap:// deep-link protoco..." | Re-trigger Greptile}

Greptile also left 2 inline comments on this PR.

[tembo]

Host matching is currently case-sensitive, so cap://Stop etc would be rejected. Might be worth using eq_ignore_ascii_case here for resilience.

Suggested change

	if url.scheme() == "cap" {
	if url.scheme() == "cap" {
	return match url.host_str() {
	Some(host) if host.eq_ignore_ascii_case("record") => Ok(Self::StartDefaultRecording),
	Some(host) if host.eq_ignore_ascii_case("stop") => Ok(Self::StopRecording),
	Some(host) if host.eq_ignore_ascii_case("pause") => Ok(Self::PauseRecording),
	Some(host) if host.eq_ignore_ascii_case("resume") => Ok(Self::ResumeRecording),
	_ => Err(ActionParseFromUrlError::Invalid),
	};
	}

[tembo]

StartDefaultRecording currently emits a stringly-typed event and (from the name) reads like it should start immediately. If the intent is to open the picker, using the existing typed event keeps emit patterns consistent.

Suggested change

	app.emit("request-open-recording-picker", ()).map_err(|e| e.to_string())
	DeepLinkAction::StartDefaultRecording => {
	crate::RequestOpenRecordingPicker { target_mode: None }
	.emit(app)
	.map_err(|e| e.to_string())
	}

[greptile-apps]

Wrong event payload causes frontend deserialization failure

app.emit("request-open-recording-picker", ()) sends a JSON null payload, but the RequestOpenRecordingPicker struct has a target_mode: Option<RecordingTargetMode> field. The auto-generated frontend type expects { target_mode: null }, not null. This payload mismatch will likely cause the event to silently fail or be ignored by the frontend listener.

All other call sites in hotkeys.rs correctly use the typed tauri_specta event. Use the same pattern here:

Suggested change

	DeepLinkAction::StartDefaultRecording => {
	app.emit("request-open-recording-picker", ()).map_err(|e| e.to_string())
	}
	DeepLinkAction::StartDefaultRecording => {
	RequestOpenRecordingPicker { target_mode: None }.emit(app).map_err(|e| e.to_string())
	}

You'll also need to import RequestOpenRecordingPicker at the top of the file (or reference it as crate::RequestOpenRecordingPicker).

Prompt To Fix With AI

This is a comment left during a code review.
Path: apps/desktop/src-tauri/src/deeplink_actions.rs
Line: 169-171

Comment:
**Wrong event payload causes frontend deserialization failure**

`app.emit("request-open-recording-picker", ())` sends a JSON `null` payload, but the `RequestOpenRecordingPicker` struct has a `target_mode: Option<RecordingTargetMode>` field. The auto-generated frontend type expects `{ target_mode: null }`, not `null`. This payload mismatch will likely cause the event to silently fail or be ignored by the frontend listener.

All other call sites in `hotkeys.rs` correctly use the typed `tauri_specta` event. Use the same pattern here:

```suggestion
            DeepLinkAction::StartDefaultRecording => {
                RequestOpenRecordingPicker { target_mode: None }.emit(app).map_err(|e| e.to_string())
            }
```

You'll also need to import `RequestOpenRecordingPicker` at the top of the file (or reference it as `crate::RequestOpenRecordingPicker`).

How can I resolve this? If you propose a fix, please make it concise.

[greptile-apps]

Security: generic cap:// scheme is accessible by any app or web page

Registering cap as a system-wide URL scheme means any application — including browsers that silently follow cap:// links in web pages — can trigger cap://record, cap://stop, cap://pause, and cap://resume without user confirmation. A malicious web page could embed <a href="cap://record"> or automatically redirect to it, invisibly starting a screen capture session.

The existing cap-desktop://action?value=... scheme has the same surface area, but its JSON-in-query-string format is significantly harder to invoke accidentally or from a web page. The new cap:// URLs reduce the exploit complexity to a single, guessable link.

Consider requiring explicit user-facing confirmation (e.g., showing a toast/alert before acting), or at minimum documenting this behavior so users are aware that any local app can control their recording session via these URLs.

Prompt To Fix With AI

This is a comment left during a code review.
Path: apps/desktop/src-tauri/src/deeplink_actions.rs
Line: 94-102

Comment:
**Security: generic `cap://` scheme is accessible by any app or web page**

Registering `cap` as a system-wide URL scheme means any application — including browsers that silently follow `cap://` links in web pages — can trigger `cap://record`, `cap://stop`, `cap://pause`, and `cap://resume` without user confirmation. A malicious web page could embed `<a href="cap://record">` or automatically redirect to it, invisibly starting a screen capture session.

The existing `cap-desktop://action?value=...` scheme has the same surface area, but its JSON-in-query-string format is significantly harder to invoke accidentally or from a web page. The new `cap://` URLs reduce the exploit complexity to a single, guessable link.

Consider requiring explicit user-facing confirmation (e.g., showing a toast/alert before acting), or at minimum documenting this behavior so users are aware that any local app can control their recording session via these URLs.

How can I resolve this? If you propose a fix, please make it concise.

[tembo]

This currently accepts any path after the host (e.g. cap://record/anything). If the intent is to support only the exact host actions, consider rejecting non-root paths to avoid surprising matches.

Suggested change

	if url.scheme().eq_ignore_ascii_case("cap") {
	if url.scheme().eq_ignore_ascii_case("cap") {
	if url.path() != "/" {
	return Err(ActionParseFromUrlError::Invalid);
	}
	return match url.host_str() {
	Some(h) if h.eq_ignore_ascii_case("record") => Ok(Self::StartDefaultRecording),
	Some(h) if h.eq_ignore_ascii_case("stop") => Ok(Self::StopRecording),
	Some(h) if h.eq_ignore_ascii_case("pause") => Ok(Self::PauseRecording),
	Some(h) if h.eq_ignore_ascii_case("resume") => Ok(Self::ResumeRecording),
	_ => Err(ActionParseFromUrlError::Invalid),
	};
	}

[tembo]

NotificationType::DeepLinkTriggered is gated by enable_notifications (see send_notification). If this is meant as a security heads-up, users who disabled notifications won’t get any signal that a deep-link triggered recording actions. Might be worth using an always-on in-app toast for deep links, or bypassing that setting just for this case.

[tembo]

Changing send_notification to require always is a breaking API change — any existing send_notification(app, ty) call sites will stop compiling. Might be cleaner to keep the 2-arg send_notification and add a separate send_notification_always (or a private inner helper) for the bypass.

[tembo]

Minor: cap://pause maps to TogglePauseRecording, but the enum still has PauseRecording (and an execute arm). If it’s not used by the JSON deep-link path, consider dropping it to reduce confusion / surface area.

[tembo]

This will fire an always-on OS notification for every deep-link action (including pause/resume toggles), which feels like it could get pretty noisy for Raycast/automation and also bypasses the user's notification preference. Consider only forcing the notification for actions that start recording, and let the others respect the setting.

Suggested change

	crate::notifications::NotificationType::DeepLinkTriggered.send_always(app);
	match &self {
	DeepLinkAction::StartRecording { .. } | DeepLinkAction::StartDefaultRecording => {
	crate::notifications::NotificationType::DeepLinkTriggered.send_always(app);
	}
	DeepLinkAction::StopRecording
	| DeepLinkAction::ResumeRecording
	| DeepLinkAction::TogglePauseRecording => {
	crate::notifications::NotificationType::DeepLinkTriggered.send(app);
	}
	_ => {}
	}

[tembo]

url.host_str().map(|h| h.to_lowercase().as_str()) returns an &str pointing at a temporary String (won’t compile). Matching on host_str() directly avoids the allocation and fixes the lifetime issue.

Suggested change

	return match url.host_str().map(|h| h.to_lowercase().as_str()) {
	if scheme == "cap" {
	let path = url.path().trim_matches("/");
	if !path.is_empty() {
	return Err(ActionParseFromUrlError::Invalid);
	}
	return match url.host_str() {
	Some(host) if host.eq_ignore_ascii_case("record") => Ok(Self::StartDefaultRecording),
	Some(host) if host.eq_ignore_ascii_case("stop") => Ok(Self::StopRecording),
	Some(host) if host.eq_ignore_ascii_case("pause") => Ok(Self::TogglePauseRecording),
	Some(host) if host.eq_ignore_ascii_case("resume") => Ok(Self::ResumeRecording),
	_ => Err(ActionParseFromUrlError::Invalid),
	};
	}