fix(preload): add URL protocol filter for openExternal

[zerob13]

Summary by CodeRabbit

• Bug Fixes

  • Added validation for external URLs, restricting supported protocols to http, https, mailto, tel, and deepchat.

• Chores

  • Updated macOS application entitlements configuration by removing an unused security setting.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR removes a macOS security entitlement and introduces URL protocol validation in the preload script, restricting which URL schemes can be opened externally through a whitelist mechanism.

Changes

Cohort / File(s)	Summary
macOS Entitlements Configuration build/entitlements.mac.plist	Removed the com.apple.security.cs.allow-dyld-environment-variables entitlement.
External URL Protocol Validation src/preload/index.ts	Added whitelist-based URL protocol validation (http, https, mailto, tel, deepchat) that rejects disallowed schemes with a warning instead of unconditionally delegating to shell.openExternal.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 A whitelist guards each URL with care,
Only trusted protocols pass through there,
http, https, and mailto too,
No sneaky schemes will ever break through!
One entitlement gone, the security's tight,
Our little rabbit burrow's locked up right! 🔒

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the main change: adding a URL protocol filter to the openExternal function in the preload module. It accurately reflects the primary modification across the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Merge Conflict Detection	✅ Passed	✅ No merge conflicts detected when merging into dev

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/openExternal

---

No actionable comments were generated in the recent review. 🎉

🧹 Recent nitpick comments

src/preload/index.ts (1)

13-22: Good security hardening with URL protocol validation.

The whitelist approach and safe URL parsing with try/catch are solid. One small suggestion: mark the array as const to get a readonly tuple type and prevent accidental mutation.

♻️ Suggested refinement

-const ALLOWED_PROTOCOLS = ['http:', 'https:', 'mailto:', 'tel:', 'deepchat:']
+const ALLOWED_PROTOCOLS = ['http:', 'https:', 'mailto:', 'tel:', 'deepchat:'] as const

With as const, isValidExternalUrl would need a minor type adjustment:

-    return ALLOWED_PROTOCOLS.includes(parsed.protocol.toLowerCase())
+    return (ALLOWED_PROTOCOLS as readonly string[]).includes(parsed.protocol.toLowerCase())

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}