fix(ui): gate desktop privileges by host and window context (#347)

Don't let remote server windows use local features like local file browser etc

packages/ui/src/lib/hooks/use-folder-drop.ts

@@ -7,7 +7,7 @@ import {
   normalizeDroppedDirectoryPaths,
   supportsDesktopFolderDrop,
 } from "../native/desktop-file-drop"
-import { runtimeEnv } from "../runtime-env"
+import { isTauriHost } from "../runtime-env"
 
 interface UseFolderDropOptions {
   enabled: Accessor<boolean>
@@ -94,7 +94,7 @@ export function useFolderDrop(options: UseFolderDropOptions): {
 
   const bind: FolderDropBindings = {
     onDragEnter(event) {
-      if (!isSupported || runtimeEnv.host === "tauri" || !options.enabled() || !containsFileDrop(event)) {
+      if (!isSupported || isTauriHost() || !options.enabled() || !containsFileDrop(event)) {
         return
       }
       event.preventDefault()
@@ -102,7 +102,7 @@ export function useFolderDrop(options: UseFolderDropOptions): {
       setIsActive(true)
     },
     onDragOver(event) {
-      if (!isSupported || runtimeEnv.host === "tauri" || !options.enabled() || !containsFileDrop(event)) {
+      if (!isSupported || isTauriHost() || !options.enabled() || !containsFileDrop(event)) {
         return
       }
       event.preventDefault()
@@ -112,7 +112,7 @@ export function useFolderDrop(options: UseFolderDropOptions): {
       setIsActive(true)
     },
     onDragLeave(event) {
-      if (!isSupported || runtimeEnv.host === "tauri" || !containsFileDrop(event)) {
+      if (!isSupported || isTauriHost() || !containsFileDrop(event)) {
         return
       }
       event.preventDefault()
@@ -134,7 +134,7 @@ export function useFolderDrop(options: UseFolderDropOptions): {
         return
       }
 
-      if (runtimeEnv.host === "tauri") {
+      if (isTauriHost()) {
         reset()
         return
       }

packages/ui/src/lib/native/cli.ts

@@ -1,12 +1,16 @@
 import { invoke } from "@tauri-apps/api/core"
-import { runtimeEnv } from "../runtime-env"
+import { canRestartCli, isElectronHost, isTauriHost } from "../runtime-env"
 import { getLogger } from "../logger"
 const log = getLogger("actions")
 
 
 export async function restartCli(): Promise<boolean> {
+  if (!canRestartCli()) {
+    return false
+  }
+
   try {
-    if (runtimeEnv.host === "electron") {
+    if (isElectronHost()) {
       const api = (window as typeof window & { electronAPI?: { restartCli?: () => Promise<unknown> } }).electronAPI
       if (api?.restartCli) {
         await api.restartCli()
@@ -15,7 +19,7 @@ export async function restartCli(): Promise<boolean> {
       return false
     }
 
-    if (runtimeEnv.host === "tauri") {
+    if (isTauriHost()) {
       if (typeof window.__TAURI__?.core?.invoke === "function") {
         await invoke("cli_restart")
         return true

packages/ui/src/lib/native/desktop-file-drop.ts

@@ -1,6 +1,6 @@
 import { listen } from "@tauri-apps/api/event"
 import { getLogger } from "../logger"
-import { runtimeEnv } from "../runtime-env"
+import { canUseDesktopFolderDrop, isElectronHost, isTauriHost, runtimeEnv } from "../runtime-env"
 
 const log = getLogger("actions")
 
@@ -21,7 +21,7 @@ function getFilePath(file: File): string | null {
   if (typeof file.path === "string" && file.path.trim().length > 0) {
     return file.path
   }
-  if (runtimeEnv.host === "electron") {
+  if (isElectronHost()) {
     const electronPath = (window as Window & { electronAPI?: ElectronAPI }).electronAPI?.getPathForFile?.(file)
     if (typeof electronPath === "string" && electronPath.trim().length > 0) {
       return electronPath
@@ -44,7 +44,7 @@ async function resolveElectronDirectoryPaths(paths: string[]): Promise<string[]>
 }
 
 export function supportsDesktopFolderDrop(): boolean {
-  return runtimeEnv.platform === "desktop" && runtimeEnv.host !== "web"
+  return runtimeEnv.platform === "desktop" && canUseDesktopFolderDrop()
 }
 
 export function containsFileDrop(event: DragEvent): boolean {
@@ -97,14 +97,14 @@ export async function normalizeDroppedDirectoryPaths(paths: string[]): Promise<s
   if (uniquePaths.length === 0) {
     return []
   }
-  if (runtimeEnv.host === "electron") {
+  if (isElectronHost()) {
     return resolveElectronDirectoryPaths(uniquePaths)
   }
   return uniquePaths
 }
 
 export async function listenForNativeFolderDrops(onDrop: (paths: string[]) => void): Promise<() => void> {
-  if (runtimeEnv.host !== "tauri") {
+  if (!isTauriHost()) {
     return () => {}
   }
 
@@ -126,7 +126,7 @@ export async function listenForNativeFolderDrops(onDrop: (paths: string[]) => vo
 }
 
 export async function listenForNativeFolderDropState(onState: (state: NativeFolderDropState) => void): Promise<() => void> {
-  if (runtimeEnv.host !== "tauri") {
+  if (!isTauriHost()) {
     return () => {}
   }
 

packages/ui/src/lib/native/native-functions.ts

@@ -1,4 +1,4 @@
-import { runtimeEnv } from "../runtime-env"
+import { canUseNativeDialogs, isElectronHost, isTauriHost } from "../runtime-env"
 import type { NativeDialogOptions } from "./types"
 import { openElectronNativeDialog } from "./electron/functions"
 import { openTauriNativeDialog } from "./tauri/functions"
@@ -6,20 +6,23 @@ import { openTauriNativeDialog } from "./tauri/functions"
 export type { NativeDialogOptions, NativeDialogFilter, NativeDialogMode } from "./types"
 
 function resolveNativeHandler(): ((options: NativeDialogOptions) => Promise<string | null>) | null {
-  switch (runtimeEnv.host) {
-    case "electron":
-      return openElectronNativeDialog
-    case "tauri":
-      return openTauriNativeDialog
-    default:
-      return null
+  if (isElectronHost()) {
+    return openElectronNativeDialog
   }
+  if (isTauriHost()) {
+    return openTauriNativeDialog
+  }
+  return null
 }
 
 export function supportsNativeDialogs(): boolean {
   return resolveNativeHandler() !== null
 }
 
+export function supportsNativeDialogsInCurrentWindow(): boolean {
+  return canUseNativeDialogs()
+}
+
 async function openNativeDialog(options: NativeDialogOptions): Promise<string | null> {
   const handler = resolveNativeHandler()
   if (!handler) {

packages/ui/src/lib/native/remote-window.ts

@@ -2,7 +2,7 @@ import { invoke } from "@tauri-apps/api/core"
 import type { RemoteServerProfile } from "../../../../server/src/api-types"
 import { showConfirmDialog } from "../../stores/alerts"
 import { tGlobal } from "../i18n"
-import { runtimeEnv } from "../runtime-env"
+import { canOpenRemoteWindows, isElectronHost, isTauriHost } from "../runtime-env"
 
 export interface RemoteWindowOpenPayload {
   id: string
@@ -18,6 +18,10 @@ export async function openRemoteServerWindow(
   entryUrl?: string,
   proxySessionId?: string,
 ): Promise<void> {
+  if (!canOpenRemoteWindows()) {
+    throw new Error("Remote server windows can only be opened from a local desktop window")
+  }
+
   const payload: RemoteWindowOpenPayload = {
     id: profile.id,
     name: profile.name,
@@ -27,7 +31,7 @@ export async function openRemoteServerWindow(
     skipTlsVerify: profile.skipTlsVerify,
   }
 
-  if (runtimeEnv.host === "electron") {
+  if (isElectronHost()) {
     const api = (window as Window & { electronAPI?: ElectronAPI }).electronAPI
     if (typeof api?.openRemoteWindow === "function") {
       await api.openRemoteWindow(payload)
@@ -35,7 +39,7 @@ export async function openRemoteServerWindow(
     }
   }
 
-  if (runtimeEnv.host === "tauri") {
+  if (isTauriHost()) {
     const requiresLocalCertificate =
       proxySessionId !== undefined && (entryUrl ?? profile.baseUrl).startsWith("https://")
 

packages/ui/src/lib/native/wake-lock.ts

@@ -1,5 +1,5 @@
 import { invoke } from "@tauri-apps/api/core"
-import { runtimeEnv } from "../runtime-env"
+import { isElectronHost, isTauriHost } from "../runtime-env"
 import { getLogger } from "../logger"
 
 const log = getLogger("actions")
@@ -56,11 +56,11 @@ async function setWebWakeLock(enabled: boolean): Promise<boolean> {
 
 function hasAnyWakeLockSupport(): boolean {
   if (typeof window === "undefined") return false
-  if (runtimeEnv.host === "electron") {
+  if (isElectronHost()) {
     const api = (window as any).electronAPI
     if (api?.setWakeLock) return true
   }
-  if (runtimeEnv.host === "tauri") {
+  if (isTauriHost()) {
     return typeof window.__TAURI__?.core?.invoke === "function"
   }
   return Boolean((navigator as any)?.wakeLock?.request)
@@ -106,13 +106,13 @@ async function setTauriWakeLock(enabled: boolean): Promise<boolean> {
 async function applyWakeLock(enabled: boolean): Promise<boolean> {
   if (typeof window === "undefined") return false
 
-  if (runtimeEnv.host === "electron") {
+  if (isElectronHost()) {
     const ok = await setElectronWakeLock(enabled)
     if (ok || !enabled) return ok
     // fallback to web API if electron preload didn't expose it
   }
 
-  if (runtimeEnv.host === "tauri") {
+  if (isTauriHost()) {
     const ok = await setTauriWakeLock(enabled)
     if (ok || !enabled) return ok
     // fallback to web API if tauri command isn't available

packages/ui/src/lib/runtime-env.ts

@@ -2,10 +2,12 @@ import { getLogger } from "./logger"
 
 export type HostRuntime = "electron" | "tauri" | "web"
 export type PlatformKind = "desktop" | "mobile"
+export type WindowContextKind = "local" | "remote"
 
 export interface RuntimeEnvironment {
   host: HostRuntime
   platform: PlatformKind
+  windowContext: WindowContextKind
 }
 
 declare global {
@@ -14,6 +16,7 @@ declare global {
   }
 
   interface Window {
+    __CODENOMAD_WINDOW_CONTEXT__?: WindowContextKind
     electronAPI?: unknown
     __TAURI__?: {
       core?: TauriCoreModule
@@ -21,11 +24,41 @@ declare global {
   }
 }
 
+function detectWindowContext(): WindowContextKind {
+  if (typeof window === "undefined") {
+    return "remote"
+  }
+
+  if (window.__CODENOMAD_WINDOW_CONTEXT__ === "remote") {
+    return "remote"
+  }
+
+  if (window.__CODENOMAD_WINDOW_CONTEXT__ === "local") {
+    return "local"
+  }
+
+  const win = window as Window & { electronAPI?: unknown }
+  if (typeof win.electronAPI !== "undefined" || typeof win.__TAURI__ !== "undefined") {
+    return "local"
+  }
+
+  if (typeof navigator !== "undefined" && /tauri/i.test(navigator.userAgent)) {
+    return "local"
+  }
+
+  return "remote"
+}
+
 function detectHost(): HostRuntime {
   if (typeof window === "undefined") {
     return "web"
   }
 
+  const explicitHost = window.__CODENOMAD_RUNTIME_HOST__
+  if (explicitHost) {
+    return explicitHost
+  }
+
   const win = window as Window & { electronAPI?: unknown }
   if (typeof win.electronAPI !== "undefined") {
     return "electron"
@@ -71,16 +104,24 @@ export function detectRuntimeEnvironment(): RuntimeEnvironment {
   cachedEnv = {
     host: detectHost(),
     platform: detectPlatform(),
+    windowContext: detectWindowContext(),
   }
   if (typeof window !== "undefined") {
-    log.info(`[runtime] host=${cachedEnv.host} platform=${cachedEnv.platform}`)
+    log.info(`[runtime] host=${cachedEnv.host} platform=${cachedEnv.platform} context=${cachedEnv.windowContext}`)
   }
   return cachedEnv
 }
 
 export const runtimeEnv = detectRuntimeEnvironment()
 
-export const isElectronHost = () => runtimeEnv.host === "electron"
-export const isTauriHost = () => runtimeEnv.host === "tauri"
-export const isWebHost = () => runtimeEnv.host === "web"
-export const isMobilePlatform = () => runtimeEnv.platform === "mobile"
+export const isElectronHost = () => detectHost() === "electron"
+export const isTauriHost = () => detectHost() === "tauri"
+export const isWebHost = () => detectHost() === "web"
+export const isDesktopHost = () => isElectronHost() || isTauriHost()
+export const isMobilePlatform = () => detectPlatform() === "mobile"
+export const isLocalWindow = () => detectWindowContext() === "local"
+export const isRemoteWindow = () => detectWindowContext() === "remote"
+export const canUseNativeDialogs = () => isDesktopHost() && isLocalWindow()
+export const canOpenRemoteWindows = () => isDesktopHost() && isLocalWindow()
+export const canRestartCli = () => isDesktopHost() && isLocalWindow()
+export const canUseDesktopFolderDrop = () => isDesktopHost() && isLocalWindow()

packages/ui/src/lib/settings/behavior-registry.ts

@@ -6,7 +6,7 @@ import type {
 } from "../../stores/preferences"
 import type { Command } from "../commands"
 import { tGlobal } from "../i18n"
-import { runtimeEnv } from "../runtime-env"
+import { isWebHost } from "../runtime-env"
 
 export type BehaviorSettingKind = "toggle" | "enum"
 
@@ -84,7 +84,7 @@ export function getBehaviorSettings(actions: BehaviorRegistryActions): BehaviorS
           next,
         )
       },
-      disabled: () => runtimeEnv.host === "web",
+      disabled: () => isWebHost(),
     },
     {
       kind: "toggle",
@@ -337,13 +337,13 @@ export function getBehaviorCommands(actions: BehaviorRegistryActions): Command[]
         ),
       description: () =>
         tGlobal(
-          runtimeEnv.host === "web"
+          isWebHost()
             ? "commands.keyboardShortcutHints.description.disabledWeb"
             : "commands.keyboardShortcutHints.description",
         ),
       category: "System",
       keywords: () => splitKeywords("commands.keyboardShortcutHints.keywords"),
-      disabled: () => runtimeEnv.host === "web",
+      disabled: () => isWebHost(),
       action: actions.toggleKeyboardShortcutHints,
     },
     {