feat: Improve content recording prevention across main and child windows

[KarthikrajanTP]

• Previously, the users were able to record or capture the application screen using third-party tools, and child windows were not protected against screen recording.
• There was no mechanism to detect and prevent screen recording applications from running.
• setContentProtection(true) was applied only to the main window, leaving child BrowserWindow instances unprotected.
• This commit fixes this issue by adding a periodic check (every 10 seconds) on macOS to detect known screen recording applications like OBS, QuickTime, Loom, etc., and exit the app if any are found.
• Hooked into the 'web-contents-created' event to apply setContentProtection(true) to all dynamically created child windows, ensuring consistent protection across the app.

Summary by CodeRabbit

• New Features

  • Enhanced security on macOS by automatically detecting and closing the app if prohibited screen recording or capture software is running.
  • Improved protection for child windows, preventing their contents from being captured.

• Chores

  • Updated the application version and added a new dependency to support process detection.

[codetortoiseai]

@coderabbitai review

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

The changes update the project version in package.json and add the find-process dependency. In src/main.ts, a new function is introduced to periodically check for and terminate the app if forbidden screen recording processes are detected on macOS. Additional security is enforced by enabling content protection on all child windows.

Changes

File(s)	Change Summary
package.json	Bumped version from 1.0.3 to 1.0.4; added "find-process" 1.4.10 to dependencies.
src/main.ts	Added periodic macOS process check for forbidden recorders; enforced content protection on windows.

Sequence Diagram(s)

sequenceDiagram
    participant ElectronApp as Electron App
    participant Finder as find-process
    participant System as macOS System
    participant Logger as Logger

    ElectronApp->>ElectronApp: On app ready
    ElectronApp->>ElectronApp: registerCheckerForRecordersOnMacOS()
    loop Every 10 seconds
        ElectronApp->>Finder: Query for forbidden process names
        Finder->>System: Scan running processes
        System-->>Finder: Return list of running processes
        Finder-->>ElectronApp: Return matches
        alt Forbidden app found
            ElectronApp->>Logger: Log warning
            ElectronApp->>ElectronApp: app.exit()
            ElectronApp->>System: process.exit(0)
        else No forbidden app
            ElectronApp->>Logger: No action
        end
    end
    ElectronApp->>ElectronApp: On web-contents-created
    ElectronApp->>ElectronApp: Set content protection on child window

Loading

Poem

A bunny hops with watchful eyes,
Guarding screens from sneaky spies.
If recorders start to play,
The app will quickly hop away!
With windows safe and secrets tight,
This code now sleeps well every night.
🐰✨

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (2)

src/main.ts (2)

41-43: Redundant double-exit – stick to one shutdown path

Calling both app.exit(1) and process.exit(1) is overkill.
app.exit already terminates the Electron process; a second process.exit can skip Electron’s graceful shutdown hooks.

Prefer a single call:

- app.exit(1);
- process.exit(1);
+ app.quit();          // lets Electron run its shutdown sequence

---

85-89: Content protection listener misses windows created via your own new BrowserWindow calls

did-create-window fires only for windows spawned by existing web-contents (e.g. window.open).
If elsewhere in code you instantiate new BrowserWindow(...), you still need to call setContentProtection(true) manually.

Consider wrapping BrowserWindow creation:

export function secureBrowserWindow(opts: BrowserWindowConstructorOptions) {
  const win = new BrowserWindow(opts);
  win.setContentProtection(true);
  return win;
}

This guarantees protection regardless of the creation path.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between dbb2b9a and 9689526.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (2)

• package.json (2 hunks)
• src/main.ts (3 hunks)

🔇 Additional comments (1)

package.json (1)

29-31: Double-check security & licensing of the new find-process runtime dependency

Adding find-process@1.4.10 brings native process-scanning to production builds.
Before shipping, validate:

• The package still receives security updates (last publish was 2019).
• Its MIT licence – or any change thereof – is compatible with your distribution model.
• No known CVEs are registered for versions ≤ 1.4.10.

If anything looks stale, consider a maintained alternative (e.g. ps-list) or vendor a minimal in-house helper.

[coderabbitai]

🛠️ Refactor suggestion

Interval scanner is unnecessarily slow & can hog CPU

The current implementation issues sequential ps invocations – one per forbidden app – every 10 s:

for (const appName of forbiddenApps) {
  const found = await find('name', appName);   // 20× serial
}

On macOS this spawns ~20 shell processes each cycle; that’s ~12,000 per hour and shows up in Activity Monitor.

A single process list fetch (or a Promise.all) is plenty:

- setInterval(async () => {
-   for (const appName of forbiddenApps) {
-     const found = await find('name', appName);
-     if (found.length > 0) {
-       terminate();
-       return;
-     }
-   }
- }, 10000);
+ const intervalId = setInterval(async () => {
+   try {
+     const processes = await find('name');          // one `ps` call
+     const hit = processes.find(p =>
+       forbiddenApps.some(f => p.name.toLowerCase().includes(f)));
+     if (hit) terminate();
+   } catch (err) {
+     console.error('Recorder scan failed:', err);
+   }
+ }, 10_000);
+
+ app.once('will-quit', () => clearInterval(intervalId));

This slashes process-spawn overhead and cleans up the timer on quit.

🤖 Prompt for AI Agents

In src/main.ts between lines 15 and 50, the current code sequentially checks
each forbidden app by awaiting find calls one after another inside setInterval,
causing high CPU and process spawn overhead. To fix this, refactor the code to
fetch the full process list once per interval, then check all forbidden apps
against that list in memory, or use Promise.all to run all find calls
concurrently. Also, ensure to clear the interval when the app quits to avoid
lingering timers.

[coderabbitai]

🛠️ Refactor suggestion

Type safety might be lost – find-process ships no bundled typings

find-process does not provide first-party .d.ts files and there is no @types/find-process package.
With typescript strict mode, import find from 'find-process' will be typed as any, silently disabling type-checking for every call site.

Options:

-import find from 'find-process';
+// 1. Keep type safety with an ad-hoc declaration file:
+//    declare module 'find-process' { export default function
+//      find(type: 'name' | 'pid', value?: string | number): Promise<any[]>; }
+// 2. Or fall back to CommonJS import with explicit any:
+// const find: any = require('find-process');

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents

In src/main.ts at line 3, the import of 'find-process' lacks TypeScript typings,
causing loss of type safety under strict mode. To fix this, create a custom type
declaration file (e.g., find-process.d.ts) in your project with appropriate type
definitions for the 'find-process' module, or declare the module with minimal
types to avoid using 'any'. Then ensure TypeScript picks up this declaration to
restore type checking for all uses of 'find-process'.