From cb24750cb77ff270d7fe834a625e08eb17db634d Mon Sep 17 00:00:00 2001
From: salmanrajz
Date: Wed, 1 Apr 2026 12:10:31 +0400
Subject: [PATCH] security: remove runtime require of unverified modifiers-napi package

Fixes #7. The modifiers-napi package is an Anthropic-internal native addon, but a package with the same name exists on npm and could be a supply chain attack vector. The build script already stubs it, but the source code had live require() calls that would execute when running without the bundler (e.g. bun dev, ts-node). Replaced both functions with safe no-ops since modifier key detection is not needed in the open-source build. Build verified passing.
---
 src/utils/modifiers.ts | 34 ++++++++++------------------------
 1 file changed, 10 insertions(+), 24 deletions(-)

diff --git a/src/utils/modifiers.ts b/src/utils/modifiers.ts
index 08bde4bc..09f95639 100644
--- a/src/utils/modifiers.ts
+++ b/src/utils/modifiers.ts
@@ -1,36 +1,22 @@
 export type ModifierKey = 'shift' | 'command' | 'control' | 'option'
 
-let prewarmed = false
-
 /**
  * Pre-warm the native module by loading it in advance.
- * Call this early to avoid delay on first use.
+ *
+ * NOTE: The `modifiers-napi` package is an Anthropic-internal native addon
+ * that is not shipped with the open-source build. All calls are no-ops here
+ * to avoid supply-chain risk from unverified npm packages with the same name.
  */
 export function prewarmModifiers(): void {
-  if (prewarmed || process.platform !== 'darwin') {
-    return
-  }
-  prewarmed = true
-  // Load module in background
-  try {
-    // eslint-disable-next-line @typescript-eslint/no-require-imports
-    const { prewarm } = require('modifiers-napi') as { prewarm: () => void }
-    prewarm()
-  } catch {
-    // Ignore errors during prewarm
-  }
+  // No-op in open-source build — native modifier detection is not available.
 }
 
 /**
  * Check if a specific modifier key is currently pressed (synchronous).
+ *
+ * Always returns false in the open-source build since the native addon
+ * is not available.
  */
-export function isModifierPressed(modifier: ModifierKey): boolean {
-  if (process.platform !== 'darwin') {
-    return false
-  }
-  // Dynamic import to avoid loading native module at top level
-  const { isModifierPressed: nativeIsModifierPressed } =
-    // eslint-disable-next-line @typescript-eslint/no-require-imports
-    require('modifiers-napi') as { isModifierPressed: (m: string) => boolean }
-  return nativeIsModifierPressed(modifier)
+export function isModifierPressed(_modifier: ModifierKey): boolean {
+  return false
 }
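Review bot: Nothing in the new code prevents a `require('modifiers-napi')` from being reintroduced later, so the supply-chain protection this hunk adds rests on code review alone; since the file already carries ESLint directives, a `no-restricted-imports` entry (and `n/no-restricted-require` or the core `no-restricted-modules` for `require` calls) naming `modifiers-napi` would turn the policy the new NOTE comment describes into a build-time check. If `modifiers-napi` is still declared as a dependency in package.json (not visible in this patch), an install would still fetch the same-named public package even though the source no longer loads it, so that entry and the build-script stub mentioned in the description deserve the same cleanup. Separately, the first docstring line of `prewarmModifiers` still reads `Pre-warm the native module by loading it in advance.` although the body now loads nothing; `* Placeholder for native modifier-key pre-warming; a no-op in the open-source build.` would match the implementation.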