feat: add top apps by screen time percentage table to profile README #3952
marcusquinn merged 2 commits into main
Query macOS Knowledge DB /app/usage stream for per-app foreground time, calculate percentage share across Today/7 Days/28 Days periods, and render as a top-10 table in the profile README. Includes bundle ID to friendly name mapping for system apps, common third-party apps, and Brave PWAs (GitHub, X, YouTube, etc.). Percentages are accurate regardless of Knowledge DB coverage gaps -- relative proportions between apps are correct even when absolute hours undercount vs macOS Screen Time.
Summary of Changes (Gemini Code Assist)
Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request introduces a dynamic feature to enrich the GitHub profile README by displaying a 'Top Apps by Screen Time' table. It leverages macOS system data to provide insights into application usage, presenting a clear overview of how time is spent across various applications over different periods. This enhancement aims to offer a more personalized and informative profile without requiring manual updates.
Walkthrough (CodeRabbit)
Introduces macOS-specific screen-time tracking to the profile-readme-helper script by adding a new data collector that reads per-app usage metrics from the Knowledge database and displays them in a generated Markdown table with friendly app names.
Estimated code review effort: 3 (Moderate), ~20 minutes
Pre-merge checks: 3 passed.
Code Quality Report: [MONITOR] Code Review Monitoring Report; [INFO] Latest Quality Status; [INFO] Recent monitoring activity; Current Quality Metrics.
Generated on: Mon Mar 9 03:03:13 UTC 2026 by AI DevOps Framework Code Review Monitoring
Code Review
This pull request introduces a new feature to display top apps by screen time on the profile README. However, it also introduces significant security vulnerabilities, most notably a high-severity command injection flaw via bash arithmetic expansion and a medium-severity JSON injection flaw, stemming from trusting unvalidated data from the macOS Knowledge database. My review focuses on improving robustness, security, and performance by suggesting fixes like removing error suppression, using jq for safe JSON construction to prevent injection issues from special characters, consolidating jq calls for efficiency, and implementing strict input validation for variables used in arithmetic operations.
| today_pct=$(((today_s * 100 + total_today / 2) / total_today)) | ||
| fi | ||
| if [[ $total_week -gt 0 ]]; then | ||
| week_pct=$(((week_s * 100 + total_week / 2) / total_week)) | ||
| fi | ||
| if [[ $total_month -gt 0 ]]; then | ||
| month_pct=$(((month_s * 100 + total_month / 2) / total_month)) |
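Review bot: these three divisions consume today_s, week_s and month_s before any check has run on them, and the preceding if [[ $total_today -gt 0 ]] tests are arithmetic contexts in bash as well, so a guard that only wraps the totals is not sufficient. Validate each of the three seconds values once, at the point where the sqlite3 row is read, and skip or abort on anything that does not match ^[0-9]+$, so that neither these lines nor the totals ever see an unvalidated string.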
The variables today_s, week_s, and month_s (lines 288, 291, 294) are used in arithmetic expansions without validation. These values, derived from the external Knowledge database, can be manipulated via crafted bundle IDs, posing a high-severity command injection risk. Additionally, the current manual JSON string concatenation is fragile and susceptible to issues if app names contain special characters. It is recommended to implement strict input validation for these variables and use a robust method like jq for safe JSON construction to mitigate both the command injection and JSON fragility issues.
| total_today=$((total_today + today_s)) | ||
| total_week=$((total_week + week_s)) | ||
| total_month=$((total_month + month_s)) |
The script is vulnerable to command injection via bash arithmetic expansion. The variables today_s, week_s, and month_s are populated from the macOS Knowledge database (knowledgeC.db), which contains app bundle IDs. An attacker can influence this database by running an app with a crafted bundle ID containing a payload like |a[$(id >&2)0]. When these values are used in an arithmetic context $((...)), bash evaluates the embedded command. This could allow a malicious app to execute arbitrary commands with the privileges of the script, potentially stealing GitHub tokens or other sensitive data.
| total_today=$((total_today + today_s)) | |
| total_week=$((total_week + week_s)) | |
| total_month=$((total_month + month_s)) | |
| [[ "$today_s" =~ ^[0-9]+$ ]] && total_today=$((total_today + today_s)) | |
| [[ "$week_s" =~ ^[0-9]+$ ]] && total_week=$((total_week + week_s)) | |
| [[ "$month_s" =~ ^[0-9]+$ ]] && total_month=$((total_month + month_s)) |
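Review bot: the suggested [[ ... ]] && total_...=$((...)) guards keep a bad value out of the totals, but silently, and today_s, week_s and month_s still reach the percentage computation below unchanged, so the per-app division would still evaluate the raw value. Reject the whole row instead (continue with a warning on stderr, or exit) right after the read, validating all three fields in one place; note also that an && list whose test fails returns non-zero, which matters under set -e if such a line ever becomes the last statement of the function.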
| else | ||
| json_arr="${json_arr}," | ||
| fi | ||
| json_arr="${json_arr}{\"app\":\"${name}\",\"today_pct\":${today_pct},\"week_pct\":${week_pct},\"month_pct\":${month_pct}}" |
The script constructs a JSON string by direct variable interpolation. If the app name (derived from the bundle ID) contains double quotes or other JSON-special characters, it will result in invalid JSON or allow for JSON injection. This can cause the script to fail when parsing with jq or allow an attacker to inject arbitrary data into the generated profile README.
| json_arr="${json_arr}{\"app\":\"${name}\",\"today_pct\":${today_pct},\"week_pct\":${week_pct},\"month_pct\":${month_pct}}" | |
| json_arr="${json_arr}{\"app\":$(jq -n --arg name "$name" '$name'),\"today_pct\":${today_pct},\"week_pct\":${week_pct},\"month_pct\":${month_pct}}" |
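Review bot: jq -n --arg name "$name" '$name' does emit a correctly escaped JSON string, but it forks jq for every app while the three numbers and the comma bookkeeping in the else branch above stay hand-built. Since today_pct, week_pct and month_pct come straight out of $(( )), a single jq -n call per row with --argjson for them (or one jq -R pass over tab-separated rows at the end) keeps all escaping inside jq and removes the manual separator handling as well.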
References
- In shell scripts, use jq --arg for strings and --argjson for other JSON types (like numbers) to safely pass variables into a jq filter. This avoids syntax errors if the variables contain special characters.
- To reliably wrap the entire content of a shell variable as a single JSON string, use jq -Rn --arg v "$VAR" '$v'. This is more robust than piping the variable to jq -Rs '.'.
| AND ZSTARTDATE > (strftime('%s', 'now') - 978307200 - 86400*28) | ||
| GROUP BY ZVALUESTRING | ||
| HAVING month_secs > 0; | ||
| " 2>/dev/null) || { |
You're suppressing stderr from the sqlite3 command by redirecting it to /dev/null. This can hide important errors, such as a corrupted database, syntax errors in the query, or sqlite3 not being available, which makes debugging difficult. It's better to allow error messages to be printed to stderr. The || { ... } construct will still correctly handle the failure and prevent the script from exiting.
| " 2>/dev/null) || { | |
| ") || { |
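Review bot: dropping 2>/dev/null is right for query and corruption errors, but knowledgeC.db does not exist on non-macOS hosts and is typically unreadable unless the terminal has Full Disk Access, so the unconditional query would now print sqlite3 noise on every run there. Check that the database file is readable (a [[ -r ... ]] test on the path variable) and return early when it is not, then let genuine sqlite3 errors through as suggested.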
References
- Avoid using '2>/dev/null' for blanket suppression of command errors in shell scripts to ensure that authentication, syntax, or system issues remain visible for debugging.
| app=$(echo "$row" | jq -r '.app') | ||
| today_pct=$(echo "$row" | jq -r '.today_pct') | ||
| week_pct=$(echo "$row" | jq -r '.week_pct') | ||
| month_pct=$(echo "$row" | jq -r '.month_pct') |
You are calling jq four times inside a loop to extract values from a single JSON object. This is inefficient. You can consolidate these into a single jq call and use read to populate the variables. This is more performant and idiomatic.
| app=$(echo "$row" | jq -r '.app') | |
| today_pct=$(echo "$row" | jq -r '.today_pct') | |
| week_pct=$(echo "$row" | jq -r '.week_pct') | |
| month_pct=$(echo "$row" | jq -r '.month_pct') | |
| IFS=$'\t' read -r app today_pct week_pct month_pct < <(echo "$row" | jq -r '[.app, .today_pct, .week_pct, .month_pct] | @tsv') |
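Review bot: the single jq call is the right shape, but echo "$row" is fragile (a row beginning with -n or -e is treated as an option, and some shells expand backslash escapes), so feed jq with <<<"$row" or printf '%s\n' "$row" instead. Also, @tsv escapes a backslash or tab inside a value as \\ and \t, and read -r keeps those bytes literally, so an app name containing a backslash arrives doubled; harmless for a README table, but worth a comment so nobody relies on the exact string.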
References
- Consolidate multiple 'jq' calls into a single pass where possible to improve performance and script efficiency.
🧹 Nitpick comments (1)
.agents/scripts/profile-readme-helper.sh (1)
Lines 297-307: Consider using jq for JSON construction to ensure proper escaping. The manual JSON string building works correctly with the current _friendly_app_name mappings since all return values are safe strings. However, if a bundle ID's final component ever contained a quote or backslash, this could produce malformed JSON. For zero-tech-debt robustness, consider using jq to safely construct the JSON objects:
♻️ Optional: Use jq for safer JSON construction
- json_arr="${json_arr}{\"app\":\"${name}\",\"today_pct\":${today_pct},\"week_pct\":${week_pct},\"month_pct\":${month_pct}}"
+ local entry
+ entry=$(jq -n --arg app "$name" --argjson t "$today_pct" --argjson w "$week_pct" --argjson m "$month_pct" \
+ '{app: $app, today_pct: $t, week_pct: $w, month_pct: $m}')
+ json_arr="${json_arr}${entry}"
This is a defensive improvement — the current implementation is functional given the controlled inputs.
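Review bot: keeping local entry on its own line before entry=$(jq ...) is the right split: with a combined local entry=$(...) the exit status of local would mask a jq failure, whereas here a non-numeric today_pct makes --argjson fail, the assignment returns non-zero, and set -e (if the script uses it) stops the run instead of writing an empty entry into json_arr. That --argjson check only helps, of course, once the seconds values feeding today_pct have been validated as integers upstream.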
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.agents/scripts/profile-readme-helper.sh around lines 297 - 307, The current loop builds json_arr by concatenating strings (variables json_arr, name, today_pct, week_pct, month_pct) which can produce invalid JSON if app names contain quotes/backslashes; replace the manual concatenation with jq-based construction: for each record use jq -n to create an object with --arg for the app name (from _friendly_app_name/name) and --argjson for numeric fields (today_pct, week_pct, month_pct), then collect objects into an array (e.g., piping objects into jq -s to produce the final array) and echo that result instead of the hand-assembled json_arr.
Review info: configuration .coderabbit.yaml, review profile CHILL, plan Pro, run ID fe709e97-7dd1-4ae3-a295-2403c9c89717.
Files selected for processing (1): .agents/scripts/profile-readme-helper.sh
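A hardened version of the row-processing step, added here as an example (not the PR's own code and not the maintainers' final fix): it applies both findings above, integer validation before any arithmetic or test and escaping of app names, in plain POSIX sh with sed and tr instead of jq so it runs where jq is not installed. The input rows, the tab separator and the function names are constructed assumptions.

```shell
#!/bin/sh
# Added example, not the PR's script: validate every sqlite3 field before it
# reaches $(( )) or a [ -gt ] test, and JSON-escape the app name, so a crafted
# bundle ID or a tampered row can be neither evaluated nor used to break the
# JSON. Pure POSIX sh plus sed/tr; the PR should keep using jq --arg.
tab=$(printf '\t'); nl='
'

# True only for a non-empty string of ASCII digits, i.e. safe for arithmetic.
is_uint() { case "$1" in '' | *[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# Drop control characters, then escape the two JSON-significant bytes.
json_str() { printf '%s' "$1" | LC_ALL=C tr -d '[:cntrl:]' | sed 's/\\/\\\\/g; s/"/\\"/g'; }

# Integer share of $1 in $2 rounded half up (the PR's formula); 0 when total is 0.
pct() { if [ "$2" -gt 0 ]; then echo $(( ($1 * 100 + $2 / 2) / $2 )); else echo 0; fi; }

# stdin: one "bundle_id<TAB>today_s<TAB>week_s<TAB>month_s" row per app, as
# sqlite3 -separator "$tab" would print it. stdout: one JSON array.
# Rows whose seconds are not plain integers are reported on stderr and skipped.
rows_to_json() {
    kept=''; tt=0; tw=0; tm=0
    while IFS="$tab" read -r app t w m; do
        if is_uint "$t" && is_uint "$w" && is_uint "$m"; then
            tt=$((tt + t)); tw=$((tw + w)); tm=$((tm + m))
            kept="$kept$app$tab$t$tab$w$tab$m$nl"
        else
            printf 'skipping row with non-numeric seconds: %s\n' "$app" >&2
        fi
    done
    printf '['
    printf '%s' "$kept" | { sep=''; while IFS="$tab" read -r app t w m; do
        printf '%s{"app":"%s","today_pct":%s,"week_pct":%s,"month_pct":%s}' "$sep" \
            "$(json_str "$app")" "$(pct "$t" "$tt")" "$(pct "$w" "$tw")" "$(pct "$m" "$tm")"
        sep=','
    done; }
    printf ']\n'
}

# Constructed sample: a normal app, a name carrying JSON-hostile bytes, and a
# row whose seconds column is not a number (what a tampered DB could yield).
demo_json() {
    printf '%s\t%s\t%s\t%s\n' \
        com.apple.Safari 3600 18000 72000 \
        'com.example.Tricky"with\quote' 1800 9000 36000 \
        com.example.Broken 'a[0]' 5 5 | rows_to_json
}
demo_json
```

The bad row is reported on stderr and dropped, and the two remaining apps split the totals 67/33 in every period, which matches what the PR's rounding formula produces on the same numbers.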
Address CodeRabbit review: validate that sqlite3 output values are integers before using in bash arithmetic (prevents injection via crafted DB records), and use jq --arg for JSON construction instead of string interpolation (prevents injection from special characters in app names).
Code Quality Report: [MONITOR] Code Review Monitoring Report; [INFO] Latest Quality Status; [INFO] Recent monitoring activity; Current Quality Metrics.
Generated on: Mon Mar 9 03:07:51 UTC 2026 by AI DevOps Framework Code Review Monitoring
Summary
- /app/usage stream for per-app foreground time
Example output
Testing
- generate command outputs correct table with real data
- update --dry-run shows correct diff
- update successfully pushed to profile repo (live at github.com/marcusquinn)