fix: prevent URL substring injection in platform detection

Parse URL hostname properly instead of using substring matching
to prevent malicious URLs from being detected as legitimate
meeting platforms.

Before: url.includes("meet.google.com") matched evil.com/meet.google.com
After: hostname === "meet.google.com" or hostname.endsWith(".zoom.us")

Fixes security vulnerability identified by GitHub security bot.

Author: lucasheriques

src/main/services/recallRecording.ts

@@ -186,18 +186,36 @@ export function initializeRecallSDK(
 }
 
 function detectPlatform(window: { url?: string; title?: string }): string {
-  const url = window.url?.toLowerCase() || "";
+  const urlString = window.url?.toLowerCase() || "";
   const title = window.title?.toLowerCase() || "";
 
-  if (url.includes("zoom.us") || title.includes("zoom")) {
+  let hostname = "";
+  try {
+    if (urlString) {
+      const parsedUrl = new URL(urlString);
+      hostname = parsedUrl.hostname;
+    }
+  } catch {
+    // Invalid URL, fall back to title-based detection only
+  }
+
+  if (
+    hostname === "zoom.us" ||
+    hostname.endsWith(".zoom.us") ||
+    title.includes("zoom")
+  ) {
     return "zoom";
   }
 
-  if (url.includes("teams.microsoft.com") || title.includes("teams")) {
+  if (
+    hostname === "teams.microsoft.com" ||
+    hostname.endsWith(".teams.microsoft.com") ||
+    title.includes("teams")
+  ) {
     return "teams";
   }
 
-  if (url.includes("meet.google.com") || title.includes("google meet")) {
+  if (hostname === "meet.google.com" || title.includes("google meet")) {
     return "meet";
   }