pew pew

[maker-or]

Summary by CodeRabbit

• New Features
  • Added hotkey activation modes: Toggle (press to toggle) and Hold (active while held).
  • New Settings UI to select and persist preferred activation mode.
  • Hotkey behavior updated: separate actions for toggle, hold-start, and hold-end for more reliable recording control and to avoid repeated triggers.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds a HotkeyActivationMode (toggle vs hold), refactors HotkeyManager to emit onToggle/onHoldStart/onHoldEnd and support hold/toggle behavior, wires mode selection into Settings with persistence, updates app wiring to use new hotkey callbacks, and expands CI workflow pull_request event types.

Changes

Cohort / File(s)	Summary
CI Workflow ​.github/workflows/ci.yml	Adds pull_request event types (opened, synchronize, reopened, ready_for_review) to the CI trigger; no other workflow steps changed.
Hotkey Manager dhavnii/Features/Hotkeys/HotkeyManager.swift	Introduces HotkeyActivationMode enum with UserDefaults persistence; replaces single onTrigger with onToggle, onHoldStart, onHoldEnd; adds hold-state tracking, debouncing, multi-event handling, updateActivationMode(_:), and currentActivationMode accessor.
Settings UI dhavnii/Features/Settings/SettingsView.swift	Adds activationMode state bound to defaults, new Activation menu for mode selection, applies and persists mode changes, and propagates mode to HotkeyManager on appear/change.
App Integration openwispher/openwispherApp.swift	Updates HotkeyManager initialization to pass activationMode and separate callbacks; implements onToggle, onHoldStart, and onHoldEnd handlers with state guards, recording start/stop, logging, and analytics hooks.

Sequence Diagram

sequenceDiagram
    participant User as User
    participant Settings as SettingsView
    participant HotkeyMgr as HotkeyManager
    participant App as openwispherApp
    participant Svc as RecordingService

    User->>Settings: select activation mode
    Settings->>HotkeyMgr: updateActivationMode(newMode)
    HotkeyMgr->>HotkeyMgr: save mode to UserDefaults

    alt Toggle mode
        User->>HotkeyMgr: press hotkey
        HotkeyMgr->>App: onToggle()
        App->>App: check state (idle/recording)
        alt idle
            App->>Svc: start recording
        else recording
            App->>Svc: stop recording
        end
    else Hold mode
        User->>HotkeyMgr: press & hold hotkey
        HotkeyMgr->>App: onHoldStart()
        App->>Svc: start recording (if idle)
        User->>HotkeyMgr: release hotkey
        HotkeyMgr->>App: onHoldEnd()
        App->>Svc: stop recording (if recording)
    end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Possibly related PRs

• nothing 4a #8: Touches hotkey handling in openwispherApp.swift and injects analytics into hotkey callbacks — directly overlaps new callback points.
• new board #7: Updates HotkeyManager usage across callsites (OnboardingView, etc.), which may need adjustment due to the changed initializer/signature.
• hey here #5: Modifies CI workflow files; related to the pull_request trigger edits in this PR.

Poem

🐰 A tap or a hold, the choice is made,
I guard the keys in forest shade.
Toggle to flip, hold to sustain,
Settings remember sunshine or rain.
Hop—recording starts, and then—refrain!

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 9.09% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Title check	❓ Inconclusive	The title 'pew pew' is vague and does not convey meaningful information about the changeset, which adds hotkey activation modes, refactors event handling, and updates the CI workflow.	Replace the title with a descriptive summary of the main change, such as 'Add hotkey activation modes (toggle and hold)' or 'Refactor hotkey manager to support multiple activation modes'.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch new

---

No actionable comments were generated in the recent review. 🎉

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🤖 Fix all issues with AI agents

In @.github/workflows/ci.yml:
- Around line 7-9: The workflow currently uses the pull_request_target trigger
and checks out untrusted fork HEAD (pull_request_target), which can execute
attacker-controlled code; change the workflow trigger to pull_request for any
steps that build or checkout PR code (i.e., move build/checkout steps out of
pull_request_target), or split into two workflows: keep pull_request_target only
for metadata actions (labeling/commenting) and create a separate pull_request or
workflow_run flow to perform checkouts/builds and consume artifacts with
secrets; ensure no step in the pull_request_target workflow (the one named by
pull_request_target) performs actions that checkout or run head PR code.
- Around line 30-31: The POSTHOG_API_KEY and POSTHOG_HOST env lines use a faulty
`&& ||` expression that never blanks secrets for pull_request_target; replace
that expression with an explicit conditional expression (e.g. use the `format`
or ternary-like idiom) or move secret population into a prior step that sets the
env only when `github.event_name != 'pull_request_target'`; specifically, update
the lines referencing POSTHOG_API_KEY and POSTHOG_HOST so they evaluate to an
empty string when `github.event_name == 'pull_request_target'` (for example
using `format('{0}', github.event_name == 'pull_request_target' && '' ||
secrets.POSTHOG_API_KEY)` corrected to `github.event_name ==
'pull_request_target' && '' || secrets.POSTHOG_API_KEY` replaced by an explicit
if/else via `format` or a step that conditionally sets env based on
`github.event_name`) and ensure the secret is never directly expanded when the
event is pull_request_target.

In `@dhavnii/Features/Hotkeys/HotkeyManager.swift`:
- Around line 312-315: When changing modes in updateActivationMode, ensure any
active hold is properly ended: if the current activationMode is .hold (or if
isHoldActive is true) and newMode is not .hold, call onHoldEnd() before
resetting isHoldActive and updating activationMode; this guarantees recordings
started by onHoldStart are stopped when switching to toggle. Reference
updateActivationMode, onHoldEnd, onHoldStart, activationMode, and isHoldActive.

🧹 Nitpick comments (1)

dhavnii/Features/Hotkeys/HotkeyManager.swift (1)

176-178: Callbacks are exposed as public let properties — consider restricting access.

onToggle, onHoldStart, and onHoldEnd are implicitly internal. Since they're only expected to be invoked by the event handler within this class, they could be private to prevent external callers from triggering them directly.

Proposed fix

-    let onToggle: () -> Void
-    let onHoldStart: () -> Void
-    let onHoldEnd: () -> Void
+    private let onToggle: () -> Void
+    private let onHoldStart: () -> Void
+    private let onHoldEnd: () -> Void

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Critical: Ternary expressions don't actually blank secrets for pull_request_target.

In GitHub Actions expressions, && returns the last truthy operand (or the first falsy one), and || returns the first truthy operand. When github.event_name == 'pull_request_target':

true && '' || secrets.POSTHOG_API_KEY
→ ''  || secrets.POSTHOG_API_KEY
→ secrets.POSTHOG_API_KEY   ← empty string is falsy, so || falls through!

The secrets are never blanked — they always resolve to the secret value. Combined with the pull_request_target checkout of fork code (Line 26), this exposes secrets to attacker-controlled builds.

Use an explicit if/else via the format function or a dedicated step:

🔒 Proposed fix

      - name: Build (unsigned)
        env:
-          POSTHOG_API_KEY: ${{ github.event_name == 'pull_request_target' && '' || secrets.POSTHOG_API_KEY }}
-          POSTHOG_HOST: ${{ github.event_name == 'pull_request_target' && '' || secrets.POSTHOG_HOST }}
+          POSTHOG_API_KEY: ${{ github.event_name != 'pull_request_target' && secrets.POSTHOG_API_KEY || '' }}
+          POSTHOG_HOST: ${{ github.event_name != 'pull_request_target' && secrets.POSTHOG_HOST || '' }}

This way, when the event is pull_request_target, the condition is false && secret || '' → '' , which correctly yields empty. When it's not pull_request_target, it's true && secret || '' → secret (assuming the secret is non-empty).

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	POSTHOG_API_KEY: ${{ github.event_name == 'pull_request_target' && '' || secrets.POSTHOG_API_KEY }}
	POSTHOG_HOST: ${{ github.event_name == 'pull_request_target' && '' || secrets.POSTHOG_HOST }}
	POSTHOG_API_KEY: ${{ github.event_name != 'pull_request_target' && secrets.POSTHOG_API_KEY || '' }}
	POSTHOG_HOST: ${{ github.event_name != 'pull_request_target' && secrets.POSTHOG_HOST || '' }}

🤖 Prompt for AI Agents

In @.github/workflows/ci.yml around lines 30 - 31, The POSTHOG_API_KEY and
POSTHOG_HOST env lines use a faulty `&& ||` expression that never blanks secrets
for pull_request_target; replace that expression with an explicit conditional
expression (e.g. use the `format` or ternary-like idiom) or move secret
population into a prior step that sets the env only when `github.event_name !=
'pull_request_target'`; specifically, update the lines referencing
POSTHOG_API_KEY and POSTHOG_HOST so they evaluate to an empty string when
`github.event_name == 'pull_request_target'` (for example using `format('{0}',
github.event_name == 'pull_request_target' && '' || secrets.POSTHOG_API_KEY)`
corrected to `github.event_name == 'pull_request_target' && '' ||
secrets.POSTHOG_API_KEY` replaced by an explicit if/else via `format` or a step
that conditionally sets env based on `github.event_name`) and ensure the secret
is never directly expanded when the event is pull_request_target.