Uncategorized

The Problem

Implementing native drag-and-drop functionality in a Flutter macOS application that works seamlessly with scrolling and file selection proved to be one of the most challenging features we’ve built. The goal was simple: allow users to drag files into and out of CodeFrog, supporting both local and network (SSH) projects, while maintaining smooth scrolling and file selection.

Initial Attempt: super_drag_and_drop

We started with the super_drag_and_drop package, which provides cross-platform drag-and-drop support. While it worked for basic scenarios, we encountered several issues:

1. Unreliable drag-out for remote files – Files on network/SSH connections needed to be downloaded before dragging, and the async nature of this operation caused frequent failures
2. Gesture conflicts – The package’s gesture recognizers conflicted with Flutter’s built-in scrolling and selection mechanisms
3. Limited control – We needed more fine-grained control over the drag-and-drop behavior, especially for handling remote file downloads

After many hours of debugging and attempting workarounds (pre-downloading files, using virtual files, adjusting gesture recognizers, etc.), we decided to build a custom solution using native macOS APIs.

The Custom Solution: flutter_macos_drag

We built a custom Flutter plugin (flutter_macos_drag) that uses native macOS NSDraggingSource and NSDraggingDestination protocols directly. This gave us complete control over the drag-and-drop behavior.

Key Components

1. MacOSDraggable – A Flutter widget for dragging files out of the app
2. MacOSDroppable – A Flutter widget for accepting file drops from Finder
3. DraggableNSView – Native Swift view implementing NSDraggingSource and NSDraggingDestination

The Challenge: Scrolling vs Drag-and-Drop

The biggest challenge was making drag-and-drop work while preserving scrolling functionality. The native AppKitView needed to be in the widget hierarchy to receive drag events, but it was blocking pointer events needed for scrolling.

Failed Approaches:

• Using IgnorePointer – Blocked drag events
• Using AbsorbPointer – No effect
• Using Listener with HitTestBehavior – Still blocked events
• Reversing Stack order – Drag events didn’t reach the native view

The Solution: hitTest Override

The breakthrough came from understanding how macOS handles drag events vs pointer events:

1. Drag events work at the NSView level and query all registered views directly, completely bypassing Flutter’s pointer system and hit testing
2. Pointer events (scrolling, clicking) go through normal hit testing

By overriding hitTest in the native view to return nil for drop zones, we allow pointer events to pass through to Flutter widgets below, while drag events still work because they query registered views directly.

override func hitTest(_ point: NSPoint) -> NSView? {
    // For drop zones, return nil to let pointer events pass through to Flutter
    // Drag events don't use hitTest - they query all registered views directly
    if acceptDrops && filePath == nil {
        return nil
    }
    return super.hitTest(point)
}

Additionally, we made mouse event handlers return early for drop zones:

override func mouseDown(with event: NSEvent) {
    // For drop zones, don't handle mouse events - let them pass through for scrolling
    if acceptDrops && filePath == nil {
        return // Don't call super - allows events to pass through
    }
    // ... handle drag-out logic
}

Widget Structure

The final widget structure uses a Stack with the native view on top:

Stack(
  children: [
    // Native view on top - configured to not block pointer events
    Positioned.fill(
      child: Opacity(
        opacity: 0.01,
        child: AppKitView(...),
      ),
    ),
    // Flutter widgets below - receive pointer events for scrolling
    widget.child,
  ],
)

Features Achieved

✅ Drag files out – Works for both local and network files
✅ Drag files in – Accepts drops from Finder into any directory
✅ Scrolling – File tree pane scrolls smoothly
✅ File selection – Click to select files works normally
✅ Remote file handling – Downloads remote files on-demand during drag
✅ Root directory support – Can drop files at project root (empty path)

Key Technical Insights

1. macOS drag events bypass Flutter’s pointer system – They query all registered views directly, so IgnorePointer and similar widgets don’t affect them
2. hitTest controls pointer events, not drag events – Returning nil from hitTest allows pointer events to pass through while drag events still work
3. View registration is separate from hit testing – Views registered with registerForDraggedTypes receive drag events regardless of hitTest results
4. Mouse event handlers must return early – For drop zones, don’t call super in mouse event handlers to allow events to pass through

Lessons Learned

• Sometimes a custom native solution is necessary when cross-platform packages don’t meet specific requirements
• Understanding the underlying platform APIs (NSDraggingSource/NSDraggingDestination) is crucial
• The interaction between Flutter’s pointer system and native platform views requires careful consideration
• Persistence pays off – this took many hours but resulted in a robust, maintainable solution

This solution was developed over many hours of debugging and research. The key was understanding that macOS drag events operate at a different level than pointer events, allowing us to let pointer events pass through while still receiving drag events.

CodeFrog is a professional, Flutter‑based mobile and desktop app that brings modern development workflows to your pocket. With API integrations from GitHub, Linode, Hetzner, and Sendgrid, secure SSH server management, GitHub PR review integrations, and a powerful Web Testing and Security Scanning toolkit, CodeFrog helps you diagnose, fix, and ship software faster—from anywhere. You can develop on your phone while connected to a remote server like mac.

CodeFrog is currently in development. I hope to have a macOS release before the end of the year, with mobile apps following soon after.

Ethical and legal use notice: Only run security scans against systems you own or are explicitly authorized to test. Unauthorized scanning may violate laws and terms of service.

Security Scanning Features

CodeFrog’s security scanners focus on high‑signal, read‑only checks inspired by OWASP guidance and industry best practices.

• Single‑site security scanner with OWASP‑based checks
• Bulk security scanner connected to Linode API for DNS with concurrent scanning of multiple targets
• HTTPS/HTTP automatic fallback with clear indicators
• Real‑time streaming results as scans complete
• Critical findings popup alerts
• Severity‑based filtering (Critical, High, Medium, Low, Info)
• Live findings display while scanning is in progress
• HTTP fallback indicators throughout the UI
• Selectable/copyable URLs and findings
• “Open in browser” buttons for quick access

What this means in practice:

• CodeFrog performs safe, read‑only HTTP methods (HEAD/GET/OPTIONS)
• Results stream in as each target finishes—no need to wait for the entire batch
• If HTTPS fails, CodeFrog retries over HTTP and clearly marks any fallback usage
• Critical results trigger a blocking alert so you can prioritize remediation immediately

Export & share:

• Export findings as JSON/Markdown/CSV
• Copy‑to‑clipboard for single findings or entire result sets
• Summary chips by severity filtering in bulk mode

Web Testing & Code Analysis Features

A practical suite for validating web experiences and inspecting network characteristics—all in one place.

• HTML validation

• Meta tags analysis

• Page timing metrics

• Size analysis

• Accessibility scanning

• Open Source Vulnerability scanning (OSV.dev)

• Static analysis with OpenGrep/Semgrep (macOS desktop)

• Line counting with configurable exclusions (e.g., *.log files)

• Secrets scanning with Gitleaks (MIT licensed, install with Homebrew)

• Exclusion of third‑party directories (e.g., Pods) from secrets scans

• Exclusion of Flutter build artifacts (.dart_tool, build) from scans

• Selectable/copyable validator results with “Copy All Errors” action

• Display of zero‑count severities in bulk scanner

• “Scan first N unscanned” functionality for incremental scanning

Highlights:

• Accurate timing breakdown (DNS, TCP connect, TLS handshake, TTFB, download)
• Resource inventory with compressed/uncompressed size insights
• Meta tags validator for Open Graph and Twitter Card with quick previews

GitHub Integration

Turn PR feedback into action with lightweight, mobile‑friendly workflows.

• PR comments viewer with CodeRabbit integration
• Easy export of GitHub PR comments into Augment Code markdown task list format
• Task titles prefixed with PR number and comment number (e.g., “PR#45 Comment #123: task title”)
• Bulk selection and delete/re‑import functionality for GitHub tasks
• Filtering for unresolved comments only
• Hide/expand first comment by default
• Import options (first/5/10/all comments)
• Structured AI suggestion parsing with title and description sections
• Export/post all remaining raw comment texts when lacking AI summary

Benefits:

• Create actionable tasks from PR comments in seconds
• Keep review context portable across devices and sessions
• Maintain signal by filtering unresolved items and hiding nitpicks by default

Servers Screen Features

Manage and monitor your development infrastructure securely.

• At‑a‑glance server statistics dashboard showing all servers simultaneously
• Real‑time disk space monitoring with cron job setup
• SSH connection pooling (one login per unique server)
• Server management with RSA 4096‑bit SSH keys
• Secure private key storage via Flutter Secure Storage

Why it matters:

• Strong, key‑based authentication by default (RSA‑4096)
• Minimal re‑authentication thanks to connection pooling
• Early warning on low‑disk conditions—right inside the app

API Integrations & Automation Value

CodeFrog connects to your ecosystem to eliminate manual tasks and coordinate workflows.

Hetzner API

• SSH key management
• Server statistics retrieval

Linode API

• Automated domain discovery for bulk security scanning
• DNS record enumeration
• Website target generation from domain records

SendGrid API

• Disk space notification service (low-disk alerts via email)

GitHub API

• PR comments retrieval and parsing
• Issue/comment status management (resolve/unresolve)
• Task import automation
• Integration with Augment Code workflow

Each integration replaces multi‑tool manual steps with streamlined, in‑app actions. The result: fewer context switches and faster cycles from feedback to fix.

Architecture and Privacy at a Glance

• Flutter + Dart with Riverpod for reactive state
• Read‑only scanners; no active exploitation or credential use
• Hybrid data model: local SQLite (drift) for session data; secure storage for secrets
• HTTPS/HTTP fallback clearly indicated; TLS verification on by default
• Accessibility and WCAG AA contrast targets across the UI

Getting Started

1. Open CodeFrog and navigate to Web Testing → Security Scan
2. Enter a URL or switch to Bulk mode to scan multiple targets
3. Watch live results stream in; use filters and “Open in browser” to inspect quickly
4. Export findings and copy summaries directly to issues or tasks

For GitHub PR workflows, open the PR viewer to import comments as tasks, filter unresolved discussions, and keep your reviews moving—wherever you are.

A safer, faster path from feedback to fix

With practical, read‑only checks and tight integrations, CodeFrog turns security scanning and web diagnostics into a fast, mobile‑ready workflow. Combine it with GitHub PR tooling and server management to close the loop—from detection to resolution—without leaving your device.