feat: add deep-link support and Raycast extension#1708
feat: add deep-link support and Raycast extension#1708Angelebeats wants to merge 11 commits intoCapSoftware:mainfrom
Conversation
![tembo[bot]](https://avatars.githubusercontent.com/in/1223475?s=60&v=4){kind=small}
| .map_err(|_| ActionParseFromUrlError::Invalid); | ||
| } | ||
|
|
||
| if url.scheme() == "cap" { |
There was a problem hiding this comment.
Host matching is currently case-sensitive, so cap://Stop etc would be rejected. Might be worth using eq_ignore_ascii_case here for resilience.
| if url.scheme() == "cap" { | |
| if url.scheme() == "cap" { | |
| return match url.host_str() { | |
| Some(host) if host.eq_ignore_ascii_case("record") => Ok(Self::StartDefaultRecording), | |
| Some(host) if host.eq_ignore_ascii_case("stop") => Ok(Self::StopRecording), | |
| Some(host) if host.eq_ignore_ascii_case("pause") => Ok(Self::PauseRecording), | |
| Some(host) if host.eq_ignore_ascii_case("resume") => Ok(Self::ResumeRecording), | |
| _ => Err(ActionParseFromUrlError::Invalid), | |
| }; | |
| } |
| crate::show_window(app.clone(), ShowCapWindow::Settings { page }).await | ||
| } | ||
| DeepLinkAction::StartDefaultRecording => { | ||
| app.emit("request-open-recording-picker", ()).map_err(|e| e.to_string()) |
There was a problem hiding this comment.
StartDefaultRecording currently emits a stringly-typed event and (from the name) reads like it should start immediately. If the intent is to open the picker, using the existing typed event keeps emit patterns consistent.
| app.emit("request-open-recording-picker", ()).map_err(|e| e.to_string()) | |
| DeepLinkAction::StartDefaultRecording => { | |
| crate::RequestOpenRecordingPicker { target_mode: None } | |
| .emit(app) | |
| .map_err(|e| e.to_string()) | |
| } |
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
| DeepLinkAction::StartDefaultRecording => { | ||
| app.emit("request-open-recording-picker", ()).map_err(|e| e.to_string()) | ||
| } |
There was a problem hiding this comment.
app.emit("request-open-recording-picker", ()) sends a JSON null payload, but the RequestOpenRecordingPicker struct has a target_mode: Option<RecordingTargetMode> field. The auto-generated frontend type expects { target_mode: null }, not null. This payload mismatch will likely cause the event to silently fail or be ignored by the frontend listener.
All other call sites in hotkeys.rs correctly use the typed tauri_specta event. Use the same pattern here:
| DeepLinkAction::StartDefaultRecording => { | |
| app.emit("request-open-recording-picker", ()).map_err(|e| e.to_string()) | |
| } | |
| DeepLinkAction::StartDefaultRecording => { | |
| RequestOpenRecordingPicker { target_mode: None }.emit(app).map_err(|e| e.to_string()) | |
| } |
You'll also need to import RequestOpenRecordingPicker at the top of the file (or reference it as crate::RequestOpenRecordingPicker).
Prompt To Fix With AI
This is a comment left during a code review.
Path: apps/desktop/src-tauri/src/deeplink_actions.rs
Line: 169-171
Comment:
**Wrong event payload causes frontend deserialization failure**
`app.emit("request-open-recording-picker", ())` sends a JSON `null` payload, but the `RequestOpenRecordingPicker` struct has a `target_mode: Option<RecordingTargetMode>` field. The auto-generated frontend type expects `{ target_mode: null }`, not `null`. This payload mismatch will likely cause the event to silently fail or be ignored by the frontend listener.
All other call sites in `hotkeys.rs` correctly use the typed `tauri_specta` event. Use the same pattern here:
```suggestion
DeepLinkAction::StartDefaultRecording => {
RequestOpenRecordingPicker { target_mode: None }.emit(app).map_err(|e| e.to_string())
}
```
You'll also need to import `RequestOpenRecordingPicker` at the top of the file (or reference it as `crate::RequestOpenRecordingPicker`).
How can I resolve this? If you propose a fix, please make it concise.| if url.scheme() == "cap" { | ||
| return match url.host_str() { | ||
| Some("record") => Ok(Self::StartDefaultRecording), | ||
| Some("stop") => Ok(Self::StopRecording), | ||
| Some("pause") => Ok(Self::PauseRecording), | ||
| Some("resume") => Ok(Self::ResumeRecording), | ||
| _ => Err(ActionParseFromUrlError::Invalid), | ||
| }; | ||
| } |
There was a problem hiding this comment.
cap:// scheme is accessible by any app or web page
Registering cap as a system-wide URL scheme means any application — including browsers that silently follow cap:// links in web pages — can trigger cap://record, cap://stop, cap://pause, and cap://resume without user confirmation. A malicious web page could embed <a href="cap://record"> or automatically redirect to it, invisibly starting a screen capture session.
The existing cap-desktop://action?value=... scheme has the same surface area, but its JSON-in-query-string format is significantly harder to invoke accidentally or from a web page. The new cap:// URLs reduce the exploit complexity to a single, guessable link.
Consider requiring explicit user-facing confirmation (e.g., showing a toast/alert before acting), or at minimum documenting this behavior so users are aware that any local app can control their recording session via these URLs.
Prompt To Fix With AI
This is a comment left during a code review.
Path: apps/desktop/src-tauri/src/deeplink_actions.rs
Line: 94-102
Comment:
**Security: generic `cap://` scheme is accessible by any app or web page**
Registering `cap` as a system-wide URL scheme means any application — including browsers that silently follow `cap://` links in web pages — can trigger `cap://record`, `cap://stop`, `cap://pause`, and `cap://resume` without user confirmation. A malicious web page could embed `<a href="cap://record">` or automatically redirect to it, invisibly starting a screen capture session.
The existing `cap-desktop://action?value=...` scheme has the same surface area, but its JSON-in-query-string format is significantly harder to invoke accidentally or from a web page. The new `cap://` URLs reduce the exploit complexity to a single, guessable link.
Consider requiring explicit user-facing confirmation (e.g., showing a toast/alert before acting), or at minimum documenting this behavior so users are aware that any local app can control their recording session via these URLs.
How can I resolve this? If you propose a fix, please make it concise.
| .map_err(|_| ActionParseFromUrlError::Invalid); | ||
| } | ||
|
|
||
| if url.scheme().eq_ignore_ascii_case("cap") { |
There was a problem hiding this comment.
This currently accepts any path after the host (e.g. cap://record/anything). If the intent is to support only the exact host actions, consider rejecting non-root paths to avoid surprising matches.
| if url.scheme().eq_ignore_ascii_case("cap") { | |
| if url.scheme().eq_ignore_ascii_case("cap") { | |
| if url.path() != "/" { | |
| return Err(ActionParseFromUrlError::Invalid); | |
| } | |
| return match url.host_str() { | |
| Some(h) if h.eq_ignore_ascii_case("record") => Ok(Self::StartDefaultRecording), | |
| Some(h) if h.eq_ignore_ascii_case("stop") => Ok(Self::StopRecording), | |
| Some(h) if h.eq_ignore_ascii_case("pause") => Ok(Self::PauseRecording), | |
| Some(h) if h.eq_ignore_ascii_case("resume") => Ok(Self::ResumeRecording), | |
| _ => Err(ActionParseFromUrlError::Invalid), | |
| }; | |
| } |
| | DeepLinkAction::StartDefaultRecording | ||
| | DeepLinkAction::PauseRecording | ||
| | DeepLinkAction::ResumeRecording => { | ||
| crate::notifications::NotificationType::DeepLinkTriggered.send(app); |
There was a problem hiding this comment.
NotificationType::DeepLinkTriggered is gated by enable_notifications (see send_notification). If this is meant as a security heads-up, users who disabled notifications won’t get any signal that a deep-link triggered recording actions. Might be worth using an always-on in-app toast for deep links, or bypassing that setting just for this case.
…or deep-link security
…command to toggle
| let enable_notifications = GeneralSettingsStore::get(app) | ||
| .map(|settings| settings.is_some_and(|s| s.enable_notifications)) | ||
| .unwrap_or(false); | ||
| pub fn send_notification(app: &tauri::AppHandle, notification_type: NotificationType, always: bool) { |
There was a problem hiding this comment.
Changing send_notification to require always is a breaking API change — any existing send_notification(app, ty) call sites will stop compiling. Might be cleaner to keep the 2-arg send_notification and add a separate send_notification_always (or a private inner helper) for the bypass.
| return match url.host_str() { | ||
| Some(h) if h.eq_ignore_ascii_case("record") => Ok(Self::StartDefaultRecording), | ||
| Some(h) if h.eq_ignore_ascii_case("stop") => Ok(Self::StopRecording), | ||
| Some(h) if h.eq_ignore_ascii_case("pause") => Ok(Self::TogglePauseRecording), |
There was a problem hiding this comment.
Minor: cap://pause maps to TogglePauseRecording, but the enum still has PauseRecording (and an execute arm). If it’s not used by the JSON deep-link path, consider dropping it to reduce confusion / surface area.
| | DeepLinkAction::StartDefaultRecording | ||
| | DeepLinkAction::ResumeRecording | ||
| | DeepLinkAction::TogglePauseRecording => { | ||
| crate::notifications::NotificationType::DeepLinkTriggered.send_always(app); |
There was a problem hiding this comment.
This will fire an always-on OS notification for every deep-link action (including pause/resume toggles), which feels like it could get pretty noisy for Raycast/automation and also bypasses the user's notification preference. Consider only forcing the notification for actions that start recording, and let the others respect the setting.
| crate::notifications::NotificationType::DeepLinkTriggered.send_always(app); | |
| match &self { | |
| DeepLinkAction::StartRecording { .. } | DeepLinkAction::StartDefaultRecording => { | |
| crate::notifications::NotificationType::DeepLinkTriggered.send_always(app); | |
| } | |
| DeepLinkAction::StopRecording | |
| | DeepLinkAction::ResumeRecording | |
| | DeepLinkAction::TogglePauseRecording => { | |
| crate::notifications::NotificationType::DeepLinkTriggered.send(app); | |
| } | |
| _ => {} | |
| } |
… security notifications
| return Err(ActionParseFromUrlError::Invalid); | ||
| } | ||
|
|
||
| return match url.host_str().map(|h| h.to_lowercase().as_str()) { |
There was a problem hiding this comment.
url.host_str().map(|h| h.to_lowercase().as_str()) returns an &str pointing at a temporary String (won’t compile). Matching on host_str() directly avoids the allocation and fixes the lifetime issue.
| return match url.host_str().map(|h| h.to_lowercase().as_str()) { | |
| if scheme == "cap" { | |
| let path = url.path().trim_matches("/"); | |
| if !path.is_empty() { | |
| return Err(ActionParseFromUrlError::Invalid); | |
| } | |
| return match url.host_str() { | |
| Some(host) if host.eq_ignore_ascii_case("record") => Ok(Self::StartDefaultRecording), | |
| Some(host) if host.eq_ignore_ascii_case("stop") => Ok(Self::StopRecording), | |
| Some(host) if host.eq_ignore_ascii_case("pause") => Ok(Self::TogglePauseRecording), | |
| Some(host) if host.eq_ignore_ascii_case("resume") => Ok(Self::ResumeRecording), | |
| _ => Err(ActionParseFromUrlError::Invalid), | |
| }; | |
| } |
|
Refined the deep-link implementation based on the feedback:
Please let me know if there are any other nits or logic gaps to address! |
| return Err(ActionParseFromUrlError::Invalid); | ||
| } | ||
|
|
||
| return match url.host_str().map(|h| h.to_lowercase()) { |
There was a problem hiding this comment.
Minor tweak: url.host_str().map(|h| h.to_lowercase()) allocates for every deep link. You can keep this allocation-free and a bit clearer with eq_ignore_ascii_case:
| return match url.host_str().map(|h| h.to_lowercase()) { | |
| return match url.host_str() { | |
| Some(h) if h.eq_ignore_ascii_case("record") => Ok(Self::StartDefaultRecording), | |
| Some(h) if h.eq_ignore_ascii_case("stop") => Ok(Self::StopRecording), | |
| Some(h) if h.eq_ignore_ascii_case("pause") => Ok(Self::TogglePauseRecording), | |
| Some(h) if h.eq_ignore_ascii_case("resume") => Ok(Self::ResumeRecording), | |
| _ => Err(ActionParseFromUrlError::Invalid), | |
| }; |
|
|
||
| impl DeepLinkAction { | ||
| pub async fn execute(self, app: &AppHandle) -> Result<(), String> { | ||
| // Handle security/visibility notification for deep link actions |
There was a problem hiding this comment.
Repo style note: we try to avoid inline code comments. Here there are a few // ... lines (path check + notification rationale + payload note). I’d drop the comments and let naming / structure carry the intent (or extract the deep-link notification into a small helper).
| "deep-link": { | ||
| "desktop": { | ||
| "schemes": ["cap-desktop"] | ||
| "schemes": ["cap-desktop", "cap"] |
There was a problem hiding this comment.
Registering the short cap scheme makes it very easy for other local apps (and sometimes browsers) to trigger recording actions. Since this expands the surface area, consider making the deep-link notification unconditionally visible for all deep-link actions (not just start), or gating deep-link control behind an explicit user setting.
|
Latest round of refinements implemented to meet the project's industrial-grade standards:
Ready for final review and merge! @tembo-bot please check the new logic. |
| ActionParseFromUrlError::ParseFailed(msg) => { | ||
| eprintln!("Failed to parse deep link \"{}\": {}", &url, msg) | ||
| error!("Failed to parse deep link \"{}\": {}", &url, msg) | ||
| } | ||
| ActionParseFromUrlError::Invalid => { | ||
| eprintln!("Invalid deep link format \"{}\"", &url) | ||
| warn!("Invalid deep link format \"{}\"", &url) | ||
| } |
There was a problem hiding this comment.
These logs can include the full deep-link URL (including the value= query payload). Consider stripping query/fragment before logging to avoid leaking potentially sensitive data.
| ActionParseFromUrlError::ParseFailed(msg) => { | |
| eprintln!("Failed to parse deep link \"{}\": {}", &url, msg) | |
| error!("Failed to parse deep link \"{}\": {}", &url, msg) | |
| } | |
| ActionParseFromUrlError::Invalid => { | |
| eprintln!("Invalid deep link format \"{}\"", &url) | |
| warn!("Invalid deep link format \"{}\"", &url) | |
| } | |
| ActionParseFromUrlError::ParseFailed(msg) => { | |
| let mut redacted = url.clone(); | |
| redacted.set_query(None); | |
| redacted.set_fragment(None); | |
| error!("Failed to parse deep link \"{}\": {}", redacted, msg) | |
| } | |
| ActionParseFromUrlError::Invalid => { | |
| let mut redacted = url.clone(); | |
| redacted.set_query(None); | |
| redacted.set_fragment(None); | |
| warn!("Invalid deep link format \"{}\"", redacted) | |
| } |
| use std::path::{Path, PathBuf}; | ||
| use tauri::{AppHandle, Manager, Url}; | ||
| use tracing::trace; | ||
| use tracing::{trace, warn, error}; |
There was a problem hiding this comment.
Minor: trace is imported but unused now; dropping it avoids warnings.
| use tracing::{trace, warn, error}; | |
| use tracing::{error, warn}; |
| ScreenshotCopiedToClipboard, | ||
| ScreenshotSaveFailed, | ||
| ScreenshotCopyFailed, | ||
| DeepLinkTriggered, |
There was a problem hiding this comment.
Since DeepLinkTriggered is sent via send_always (bypassing user notification preference), consider also suppressing the notification sound for it so other apps can’t spam audio via deep links.
| DeepLinkTriggered, | |
| let skip_sound = matches!( | |
| notification_type, | |
| NotificationType::DeepLinkTriggered | |
| | NotificationType::ScreenshotSaved | |
| | NotificationType::ScreenshotCopiedToClipboard | |
| | NotificationType::ScreenshotSaveFailed | |
| | NotificationType::ScreenshotCopyFailed | |
| ); |
| .map_err(|_| ActionParseFromUrlError::Invalid); | ||
| } | ||
|
|
||
| if scheme == "cap" { |
There was a problem hiding this comment.
cap://record works, but some launchers produce cap:///record (no host, path-only). Accepting a single path segment as a fallback makes this a bit more robust without changing behavior for normal URLs.
| if scheme == "cap" { | |
| if scheme == "cap" { | |
| let path = url.path().trim_matches('/'); | |
| let (action, extra) = match (url.host_str(), path) { | |
| (Some(host), "") => (host, ""), | |
| (Some(_), _) => return Err(ActionParseFromUrlError::Invalid), | |
| (None, "") => return Err(ActionParseFromUrlError::Invalid), | |
| (None, path) => { | |
| let mut parts = path.split('/'); | |
| (parts.next().unwrap_or(""), parts.next().unwrap_or("")) | |
| } | |
| }; | |
| if !extra.is_empty() { | |
| return Err(ActionParseFromUrlError::Invalid); | |
| } | |
| return match action { | |
| host if host.eq_ignore_ascii_case("record") => Ok(Self::StartDefaultRecording), | |
| host if host.eq_ignore_ascii_case("stop") => Ok(Self::StopRecording), | |
| host if host.eq_ignore_ascii_case("pause") => Ok(Self::TogglePauseRecording), | |
| host if host.eq_ignore_ascii_case("resume") => Ok(Self::ResumeRecording), | |
| _ => Err(ActionParseFromUrlError::Invalid), | |
| }; | |
| } |
| crate::recording::resume_recording(app.clone(), app.state()).await | ||
| } | ||
| DeepLinkAction::TogglePauseRecording => { | ||
| crate::recording::toggle_pause_recording(app.clone(), app.state()).await |
There was a problem hiding this comment.
cap://pause currently maps to TogglePauseRecording, so sending pause twice will resume. If the intent is separate pause/resume deep links, this arm probably wants to pause only.
| crate::recording::toggle_pause_recording(app.clone(), app.state()).await | |
| DeepLinkAction::TogglePauseRecording => { | |
| crate::recording::pause_recording(app.clone(), app.state()).await | |
| } |
1 participant
This PR adds deep-link support to Cap (cap://record, cap://stop, cap://pause) and includes a dedicated Raycast extension for remote control.
Greptile Summary
This PR adds three new deep-link actions (
StartDefaultRecording,PauseRecording,ResumeRecording) and a newcap://URL scheme to complement the existingcap-desktop://scheme, enabling Raycast and other external tools to remotely control Cap's recording lifecycle viacap://record,cap://stop,cap://pause, andcap://resume.Key issues found:
StartDefaultRecording:app.emit("request-open-recording-picker", ())emits a JSONnullpayload, but theRequestOpenRecordingPickertauri_specta struct expects{ "target_mode": null }. Every other call site inhotkeys.rscorrectly usesRequestOpenRecordingPicker { target_mode: None }.emit(&app). This mismatch will cause the frontend event listener to receive an unexpected payload, likely causingcap://recordto silently do nothing.cap://scheme expands the attack surface: Registering the short, guessablecapscheme system-wide means any local application or browser link (e.g., a<a href="cap://record">on a web page) can invisibly trigger screen recording. The existingcap-desktop://action?value=...format was harder to exploit accidentally; the new URLs remove that friction.Confidence Score: 2/5
cap://recordaction will silently fail due to a payload type mismatch in the emitted event.StartDefaultRecordinghandler emits therequest-open-recording-pickerevent with a()(unit/null) payload instead of the typedRequestOpenRecordingPicker { target_mode: None }struct used everywhere else in the codebase. This payload mismatch means the primary advertised feature (cap://recordopening the recording picker) will not function correctly. The fix is straightforward but the bug must be resolved before merging.apps/desktop/src-tauri/src/deeplink_actions.rs— specifically theStartDefaultRecordingarm in theexecutematch.Important Files Changed
StartDefaultRecording,PauseRecording, andResumeRecordingvariants and acap://URL parsing branch; contains a P0 event payload bug —app.emit("request-open-recording-picker", ())emitsnullinstead of the expected{ target_mode: null }, causing frontend deserialization failure. Also bypasses the typedtauri_spectaevent system used everywhere else in the codebase."cap"alongside"cap-desktop"in the deep-link scheme registration; mechanically correct but introduces a short, guessable system-wide scheme.Sequence Diagram
sequenceDiagram participant Raycast as Raycast or Browser participant OS as OS Deep-Link Router participant Tauri as Tauri Plugin participant Handler as deeplink_actions participant Recording as recording module participant Frontend as Frontend Webview Raycast->>OS: "open cap://record" OS->>Tauri: "cap scheme triggered" Tauri->>Handler: "urls: [cap://record]" Handler->>Handler: "parse: scheme==cap, host==record" Handler->>Handler: "Ok(StartDefaultRecording)" Handler->>Frontend: "app.emit(request-open-recording-picker, null) ⚠️" Note over Frontend: "Expected payload: {target_mode:null}, got: null" Raycast->>OS: "open cap://stop" OS->>Tauri: "cap scheme triggered" Tauri->>Handler: "urls: [cap://stop]" Handler->>Handler: "Ok(StopRecording)" Handler->>Recording: "stop_recording(app, state)" Raycast->>OS: "open cap://pause" OS->>Tauri: "cap scheme triggered" Tauri->>Handler: "urls: [cap://pause]" Handler->>Handler: "Ok(PauseRecording)" Handler->>Recording: "pause_recording(app, state)" Raycast->>OS: "open cap://resume" OS->>Tauri: "cap scheme triggered" Tauri->>Handler: "urls: [cap://resume]" Handler->>Handler: "Ok(ResumeRecording)" Handler->>Recording: "resume_recording(app, state)"Prompt To Fix All With AI
Reviews (1): Last reviewed commit: "feat: implement cap:// deep-link protoco..." | Re-trigger Greptile