fix(renderer): gate cmd shortcuts on physical key code, not character #6

Merged
duongdev merged 2 commits into duongdev:main from nguyenthienthanh:fix/cmd-shortcut-physical-keycode
Jun 19, 2026

@nguyenthienthanh

Contributor

Problem

Typing Vietnamese (Telex via EVKey) into a remote Slack tab could yank focus to the URL bar mid-word. Typing chayj was fine, but chajy — which forces a mid-syllable tone rewrite — broke: the next keystrokes landed in the address bar instead of the chat.

Root cause

The only path that focuses the URL bar is the Cmd+L shortcut, and on focus it select()s the URL — so subsequent keystrokes overwrite it. The global hotkey handler matched shortcuts on e.key (the produced character). When EVKey fixes a word mid-syllable it re-posts characters as synthetic key events (CGEvent) that can carry a stray Cmd flag with a non-physical key — which e.key matching misread as Cmd+L.

Proof: chajy contains no physical L key, so the only way case "l" fires is an event whose e.key === "l" but whose physical key isn't L — the signature of a synthetic injection.

Fix

Match the letter/punctuation Cmd-shortcuts on the physical e.code ("KeyL") instead of e.key — the convention already used by isOsReservedKey, the ⌥N handler, and Cmd+1..9 ("Match on e.code — Option rewrites e.key"). A real Cmd+L always carries e.code === "KeyL"; the synthetic injection does not, so it falls through and is forwarded to the remote page untouched. Also fixes the iPadOS uppercase-e.key edge the old comment called out.

No shortcuts added/removed/changed — only the matching logic. Converted: ⌘K, ⌘⇧T, ⌘⌥L, and the main switch (T/W/D/L/S/R/F/C/V/A + , [ ]).

Test

  • pnpm typecheck clean.
  • Manual smoke (Electron + EVKey): type chajy, toán, nghiệm into remote Slack — focus stays in the chat, no jump to the URL bar. All Cmd shortcuts still work from a real keyboard.
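
The matching change described in this pull request, shown as an added example that is not part of the PR or the project's code. The function names, the two-entry shortcut table and the event objects are constructed; the synthetic event's empty `code` is an assumption, since the description states only that its physical key is not L.

```javascript
// Illustration only: names, shortcut table and events are constructed.

// Before: match on e.key, the character the event produced.
function matchByKey(e) {
  if (!e.metaKey) return null;
  switch (e.key) {
    case "l": return "focus-url-bar";
    case "t": return "new-tab";
    default: return null;
  }
}

// After: match on e.code, the physical key position.
const CMD_SHORTCUTS = new Map([
  ["KeyL", "focus-url-bar"],
  ["KeyT", "new-tab"],
]);
function matchByCode(e) {
  if (!e.metaKey) return null;
  return CMD_SHORTCUTS.get(e.code) ?? null;
}

// Handle locally when a shortcut matches, otherwise forward to the remote page.
function route(e, matcher) {
  const action = matcher(e);
  return action ? `handle:${action}` : "forward";
}

// Constructed events (plain objects with the KeyboardEvent fields used above).
const realCmdL = { key: "l", code: "KeyL", metaKey: true };
// Assumption: the injected event carries no physical code for L.
const syntheticCmdL = { key: "l", code: "", metaKey: true };
// Uppercase e.key with the same physical key (the iPadOS edge in the PR).
const upperCmdL = { key: "L", code: "KeyL", metaKey: true };

// Route each sample event through both matchers for side-by-side comparison.
function compare() {
  return [realCmdL, syntheticCmdL, upperCmdL].map((e) => ({
    byKey: route(e, matchByKey),
    byCode: route(e, matchByCode),
  }));
}

console.log(compare());
```

Only the synthetic event changes outcome from handled to forwarded; the uppercase case changes from forwarded to handled.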

@duongdev

Owner

@claude review this

@dokploy-2026-03-01-6ei3s7

🚨 Preview Deployment Blocked - Security Protection

Your pull request was blocked from triggering preview deployments

Why was this blocked?

  • User: nguyenthienthanh
  • Repository: cdp-browser
  • Permission Level: read
  • Required Level: write, maintain, or admin

How to resolve this:

Option 1: Get Collaborator Access (Recommended)
Ask a repository maintainer to invite you as a collaborator with write permissions or higher.

Option 2: Request Permission Override
Ask a repository administrator to disable security validation for this specific application if appropriate.

For Repository Administrators:

To disable this security check (⚠️ not recommended for public repositories):
Enter to preview settings and disable the security check.


This security measure protects against malicious code execution in preview deployments. Only trusted collaborators should have the ability to trigger deployments.

🛡️ Learn more about this security feature

This protection prevents unauthorized users from:

  • Executing malicious code on the deployment server
  • Accessing environment variables and secrets
  • Potentially compromising the infrastructure

Preview deployments are powerful but require trust. Only users with repository write access can trigger them.

@duongdev duongdev merged commit 5b512ff into duongdev:main Jun 19, 2026
3 checks passed