fix(ci): invalidate Gradle cache when Tauri config or capabilities ch…

[AnthonyRonning]

…ange

The Gradle cache was causing production builds to use old capabilities even after changes were committed. This happened because:

1. Gradle cache included the built APK (gen/android/app/build)
2. Cache key only checked gradle files, not tauri config/capabilities
3. When capabilities changed, CI restored old cached build
4. Result: Production APKs had old permissions, missing OAuth URLs

Fix:

• Add tauri.conf.json to Gradle cache key
• Add capabilities/** directory to cache key
• Now cache invalidates when these files change
• Ensures CI always builds with current configuration

This fixes Android OAuth not working in production releases despite working in local builds.

Summary by CodeRabbit

• Chores

  • Expanded CI Android cache sensitivity to include local Tauri config/capability changes and added an explicit Gradle build cache cleanup step to ensure fresh builds when configuration changes.
  • Updated Tauri opener dependency to a fixed, earlier version in both frontend and native manifest.

• Bug Fixes

  • Improved desktop (Tauri) OAuth sign-in for GitHub, Google, and Apple with staged fallbacks, enhanced runtime logging, and clearer error reporting.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

Expand CI Gradle cache hashing and add a Gradle cache-clean step; add Tauri opener-first OAuth flow with a dynamic-import fallback, extensive runtime debug logging, and richer error propagation; pin/downstream changes to the Tauri opener dependency in frontend manifests.

Changes

Cohort / File(s)	Summary
GitHub Actions — Android cache & cleanup \.github/workflows/android-build.yml, \.github/workflows/release.yml	Expanded hashFiles() inputs to include frontend/src-tauri/tauri.conf.json and frontend/src-tauri/capabilities/**; added a new "Clean Gradle build cache" step to purge Gradle/Android build caches before Android jobs.
Frontend — Tauri OAuth login flow frontend/src/routes/login.tsx	Added per-click debug state and runtime logging; changed opener sequence to attempt the Tauri plugin opener first and fall back to a dynamic import of @tauri-apps/plugin-opener → openUrl; mirrored across GitHub/Google/Apple flows and expanded error handling via setError.
Dependency manifests — tauri opener pinned frontend/package.json, frontend/src-tauri/Cargo.toml	@tauri-apps/plugin-opener version changed/pinned (frontend package) and tauri-plugin-opener dependency version updated in Cargo.toml (2.5.2 → 2.2.6).

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant Frontend
    participant TauriPlugin as Tauri plugin
    participant DynImport as Dynamic importer
    participant OAuth as OAuth Provider

    User->>Frontend: Click "Sign in"
    Frontend->>Frontend: setDebugState / log(click)
    alt Tauri environment
        Frontend->>TauriPlugin: opener.open(authURL)
        alt plugin succeeds
            TauriPlugin->>OAuth: Open auth URL (native)
            OAuth-->>User: Show auth UI
        else plugin missing/fails
            Frontend->>DynImport: import `@tauri-apps/plugin-opener`
            DynImport-->>Frontend: opener API
            Frontend->>DynImport: openUrl(authURL)
            DynImport->>OAuth: Open auth URL (native)
            OAuth-->>User: Show auth UI
        end
    else Web environment
        Frontend->>OAuth: window/tab open(authURL)
        OAuth-->>User: Show auth UI
    end
    alt any error
        Frontend->>Frontend: setError(detail) / log
    end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

• Inspect CI YAML: verify glob patterns, hashFiles() effectiveness, and that the new cache-clean step is safe idempotent.
• Review frontend/src/routes/login.tsx fallback paths for unhandled promise rejections, race conditions, and sensitive logging.
• Confirm dependency version changes align between JS and Cargo manifests.

Possibly related PRs

• fix: enable Apple OAuth for desktop users #96 — Touches frontend/src/routes/login.tsx and Tauri OAuth handling; likely overlaps with opener fallback and logging changes.
• Add android to release workflow #257 — Modifies Android release/build workflow; related to cache-key changes and Gradle cache-clean step.
• Update Tauri to 2.9.2 and all plugins to latest versions #296 — Changes Tauri opener dependency versions; directly related to the pinned dependency edits.

Poem

🐰
I hopped through workflows, neat and spry,
Cleaned caches and watched hashes fly,
Tried plugins first, then fetched a friend,
Logged every click from end to end,
A rabbit cheers — build and login mend.

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: fixing CI by invalidating Gradle cache when Tauri config or capabilities change, which matches the core objective of adding tauri.conf.json and capabilities/** to the cache key.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/ci-gradle-cache-invalidation

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3ae17e8 and b337026.

⛔ Files ignored due to path filters (2)

• frontend/bun.lock is excluded by !**/*.lock
• frontend/src-tauri/Cargo.lock is excluded by !**/*.lock

📒 Files selected for processing (2)

• frontend/package.json (1 hunks)
• frontend/src-tauri/Cargo.toml (1 hunks)

🧰 Additional context used

🧠 Learnings (2)

📚 Learning: 2025-03-25T19:50:07.925Z

Learnt from: AnthonyRonning
Repo: OpenSecretCloud/Maple PR: 23
File: frontend/src-tauri/src/lib.rs:14-16
Timestamp: 2025-03-25T19:50:07.925Z
Learning: In Tauri applications, updater security configurations (including endpoints, public key for verification, and dialog settings) should be defined in the tauri.conf.json file rather than duplicated in the code. When initialized with tauri_plugin_updater::Builder::new().build(), the plugin automatically reads and uses these settings from the configuration file.

Applied to files:

• frontend/src-tauri/Cargo.toml

📚 Learning: 2025-03-25T19:50:07.925Z

Learnt from: AnthonyRonning
Repo: OpenSecretCloud/Maple PR: 23
File: frontend/src-tauri/src/lib.rs:14-16
Timestamp: 2025-03-25T19:50:07.925Z
Learning: In Tauri applications, the updater configuration (including security settings like server URL and public key) should be defined in tauri.conf.json rather than hardcoded in the application code. The code only needs to initialize the updater plugin with tauri_plugin_updater::Builder::new().build(), which will automatically use the settings from the configuration file.

Applied to files:

• frontend/src-tauri/Cargo.toml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)

• GitHub Check: build-ios
• GitHub Check: build-linux
• GitHub Check: build-android
• GitHub Check: build-macos (universal-apple-darwin)
• GitHub Check: Cloudflare Pages

🔇 Additional comments (2)

frontend/src-tauri/Cargo.toml (1)

31-31: Confirm tauri-plugin-opener 2.2.6 is available and maintains version consistency with package.json.

Version 2.2.6 is published and maintained on crates.io (released Feb 27, 2025), so availability is not a concern. The downgrade from 2.5.2 mirrors the package.json change, keeping Rust and Node layers aligned. The pinned-version strategy (no caret) is consistent with other tauri-plugin-* dependencies in this file.

To proceed, verify in the PR description or related issue tracker why 2.5.2 was downgraded (regression, incompatibility, or CI-related concern). Ensure this version choice resolves the root cause rather than applying a temporary workaround.

frontend/package.json (1)

39-39: Confirm the actual previous version before @tauri-apps/plugin-opener 2.2.6.

The version 2.5.2 does not exist in published releases; the latest 2.5.x version is 2.5.0 (Nov 14, 2025). Verify which version was actually changed to 2.2.6 and provide the specific rationale for this downgrade, including whether it addresses the OAuth failures mentioned in the PR objectives.

Additionally, reconsider exact version pinning (2.2.6 instead of ^2.2.6) as it conflicts with the project's dependency strategy where all other @tauri-apps packages use caret constraints for flexibility.

Likely an incorrect or invalid review comment.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cloudflare-workers-and-pages]

Deploying maple with    Cloudflare Pages

Latest commit:	b337026
Status:	✅  Deploy successful!
Preview URL:	https://0402b44c.maple-ca8.pages.dev
Branch Preview URL:	https://fix-ci-gradle-cache-invalida.maple-ca8.pages.dev

View logs

[greptile-apps]

Greptile Overview

Greptile Summary

This PR fixes Android OAuth issues caused by stale Gradle cache and a broken opener plugin version. The CI cache key now includes tauri.conf.json and capabilities/** to ensure cache invalidation when configuration changes. Additionally, a Gradle cache cleanup step was added, tauri-plugin-opener was downgraded from 2.5.2 to 2.2.6, and Android 11+ URL opening support was added via the <queries> manifest element.

• CI Cache Fix: Added tauri.conf.json and capabilities/** to Gradle cache hash in both android-build.yml and release.yml
• Gradle Cache Cleanup: New step removes Gradle build cache before building to ensure fresh builds
• Plugin Downgrade: tauri-plugin-opener downgraded 2.5.2 → 2.2.6 to fix Android URL opening
• Android 11+ Support: Added <queries> element in AndroidManifest.xml for URL intent visibility
• Debug Code: login.tsx contains debug statements displaying [DEBUG] messages to users - commit 14dbb12 notes "Login Debug - delete after" which indicates this should be removed before merging

Confidence Score: 2/5

• PR contains intentional debug code that should be removed before merging to production.
• The CI and Android fixes are sound and well-implemented. However, the PR includes debug code in login.tsx that displays [DEBUG] messages to end users, with a commit message explicitly stating "delete after". This debug code should be removed before merging.
• frontend/src/routes/login.tsx contains debug code that displays internal debug messages to users and needs cleanup before merge.

Important Files Changed

File Analysis

Filename	Score	Overview
.github/workflows/android-build.yml	5/5	Added tauri.conf.json and capabilities/** to Gradle cache key hash, and added a step to clean Gradle build cache before building.
.github/workflows/release.yml	5/5	Same cache key and cleanup changes as android-build.yml for production release workflow.
frontend/src-tauri/gen/android/app/src/main/AndroidManifest.xml	5/5	Added <queries> element for Android 11+ (API 30+) URL opening compatibility.
frontend/src-tauri/gen/android/gradle.properties	5/5	Disabled Gradle caching (org.gradle.caching=true commented out) to prevent stale builds.
frontend/src/routes/login.tsx	1/5	Contains debug code that displays [DEBUG] messages to users via setError(). Commit message says "Login Debug - delete after" - this should not be merged.

Sequence Diagram

sequenceDiagram
    participant User
    participant LoginPage
    participant TauriOpener
    participant ExternalBrowser
    participant OAuthProvider

    User->>LoginPage: Click OAuth login (GitHub/Google/Apple)
    LoginPage->>LoginPage: setError("[DEBUG] click detected...")
    LoginPage->>TauriOpener: invoke("plugin:opener|open_url")
    alt invoke succeeds
        TauriOpener->>ExternalBrowser: Open auth URL
        ExternalBrowser->>OAuthProvider: Navigate to provider
        LoginPage->>LoginPage: setError("[DEBUG] invoke succeeded...")
    else invoke fails
        LoginPage->>LoginPage: setError("[DEBUG] Trying fallback...")
        LoginPage->>TauriOpener: import openUrl from plugin
        TauriOpener->>ExternalBrowser: Open auth URL (fallback)
    end

Loading

[greptile-apps]

_{2 files reviewed, no comments}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

_{3 files reviewed, 3 comments}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

logic: Debug code displaying [DEBUG] messages to users via setError(). The commit message says "Login Debug - delete after" - this should be removed before merging to production.

Prompt To Fix With AI

This is a comment left during a code review.
Path: frontend/src/routes/login.tsx
Line: 109:111

Comment:
**logic:** Debug code displaying `[DEBUG]` messages to users via `setError()`. The commit message says "Login Debug - delete after" - this should be removed before merging to production.

How can I resolve this? If you propose a fix, please make it concise.

[greptile-apps]

logic: Same debug pattern in handleGoogleLogin - displays debug info to users.

Prompt To Fix With AI

This is a comment left during a code review.
Path: frontend/src/routes/login.tsx
Line: 173:175

Comment:
**logic:** Same debug pattern in `handleGoogleLogin` - displays debug info to users.

How can I resolve this? If you propose a fix, please make it concise.

[greptile-apps]

logic: Same debug pattern in handleAppleLogin - displays debug info to users.

Prompt To Fix With AI

This is a comment left during a code review.
Path: frontend/src/routes/login.tsx
Line: 363:365

Comment:
**logic:** Same debug pattern in `handleAppleLogin` - displays debug info to users.

How can I resolve this? If you propose a fix, please make it concise.

[coderabbitai]

Actionable comments posted: 4

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 206be8e and 14dbb12.

📒 Files selected for processing (1)

• frontend/src/routes/login.tsx (4 hunks)

🧰 Additional context used

📓 Path-based instructions (2)

**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (CLAUDE.md)

**/*.{ts,tsx,js,jsx}: Use 2-space indentation, double quotes, and a 100-character line limit for formatting
Use camelCase for variable and function names
Use try/catch with specific error types for error handling

Files:

• frontend/src/routes/login.tsx

**/*.{ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

Use strict TypeScript typing and avoid any when possible

Files:

• frontend/src/routes/login.tsx

🧠 Learnings (1)

📓 Common learnings

Learnt from: AnthonyRonning
Repo: OpenSecretCloud/Maple PR: 23
File: frontend/src-tauri/src/lib.rs:14-16
Timestamp: 2025-03-25T19:50:07.925Z
Learning: In Tauri applications, updater security configurations (including endpoints, public key for verification, and dialog settings) should be defined in the tauri.conf.json file rather than duplicated in the code. When initialized with tauri_plugin_updater::Builder::new().build(), the plugin automatically reads and uses these settings from the configuration file.

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: build-android
• GitHub Check: build-macos (universal-apple-darwin)
• GitHub Check: build-linux
• GitHub Check: build-ios

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Remove debug code from production or gate behind a feature flag.

The code uses setError to display debug messages directly to users via the AlertDestructive component. This is inappropriate for production:

• Users will see technical debug messages like [DEBUG] GitHub click detected. Tauri=true, Platform=iOS
• This violates the purpose of error messaging which should communicate actionable user-facing information

Additionally, multiple sequential setError calls throughout these handlers will overwrite each other due to React's state batching, making the debug traces unreliable.

Apply this pattern to remove debug setError calls and rely solely on console logging:

  const handleGitHubLogin = async () => {
-   setError(null);
-   const platform = isIOSPlatform ? "iOS" : "Android/Desktop";
-   setError(`[DEBUG] GitHub click detected. Tauri=${isTauriEnv}, Platform=${platform}`);
-
    try {
+     setError(null);
      console.log("[OAuth] Using", isTauriEnv ? "Tauri" : "web", "flow");
+     console.log("[OAuth] Platform:", isIOSPlatform ? "iOS" : "Android/Desktop");

If you need to keep debug traces for troubleshooting production issues, gate them behind a feature flag:

const DEBUG_OAUTH = import.meta.env.DEV || sessionStorage.getItem('debug_oauth') === 'true';

if (DEBUG_OAUTH) {
  setError(`[DEBUG] GitHub click detected. Tauri=${isTauriEnv}, Platform=${platform}`);
}

Also applies to: 173-175, 363-365

🤖 Prompt for AI Agents

In frontend/src/routes/login.tsx around lines 109-111 (and similarly at 173-175
and 363-365), remove the debug setError calls that write debug strings into
user-facing error state; instead log debug information to console
(console.debug/console.log) or gate the debug setError behind a runtime feature
flag (e.g., DEBUG_OAUTH derived from DEV env or sessionStorage) so that non-dev
users never see technical messages; ensure you consolidate multiple sequential
debug setError calls into a single gated log and keep user-facing setError
messages reserved for actionable errors only.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Sequential setError calls will not work as intended.

The code attempts to trace execution by calling setError multiple times sequentially (lines 128, 133, 138, 142, 145, 152). Due to React's state batching, only the final setError call in each synchronous execution block will take effect. The intermediate debug traces will be lost.

If you need step-by-step debugging visibility, consider:

1. Accumulating messages in an array and displaying all at once
2. Using console logging exclusively (recommended)
3. Implementing a dedicated debug message array state separate from error state

Example with accumulated debug messages (if feature-flagged):

const debugMessages: string[] = [];

try {
  debugMessages.push(`Attempting to open: ${desktopAuthUrl}`);
  const result = await invoke("plugin:opener|open_url", { url: desktopAuthUrl });
  debugMessages.push(`invoke succeeded: ${JSON.stringify(result)}`);
  if (DEBUG_OAUTH) setError(debugMessages.join('\n'));
} catch (invokeError) {
  // ...
}

However, console logging remains the cleaner approach for debugging.

🤖 Prompt for AI Agents

frontend/src/routes/login.tsx lines 128-154: the code uses multiple sequential
setError(...) calls for debug tracing which will be batched by React so
intermediate messages are lost; replace the debug setError calls with
console.log/debug statements (or, if you must display multiple steps, collect
messages into a local array and call setError once with the joined string or use
a separate debugMessages state) and keep a single setError call for the final
error message that includes both invoke and fallback error details.

---

🛠️ Refactor suggestion | 🟠 Major

Extract the two-step opener pattern to eliminate code duplication.

The same two-step opener logic (invoke → fallback with dynamic import) is duplicated across all three OAuth handlers (GitHub, Google, Apple non-iOS). This violates the DRY principle and creates a maintenance burden.

Extract the shared logic into a reusable helper function:

async function openTauriUrl(url: string): Promise<void> {
  console.log("[OAuth] Opening URL in external browser:", url);
  
  try {
    const result = await invoke("plugin:opener|open_url", { url });
    console.log("[OAuth] invoke result:", result);
  } catch (invokeError) {
    console.error("[OAuth] invoke failed, trying fallback:", invokeError);
    
    // Fallback: dynamically import and use plugin-opener
    const { openUrl } = await import("@tauri-apps/plugin-opener");
    await openUrl(url);
    console.log("[OAuth] Fallback openUrl succeeded");
  }
}

Then simplify each handler:

if (isTauriEnv) {
  let desktopAuthUrl = `https://trymaple.ai/desktop-auth?provider=github`;
  
  if (selected_plan) {
    desktopAuthUrl += `&selected_plan=${encodeURIComponent(selected_plan)}`;
  }
  
  if (code) {
    desktopAuthUrl += `&code=${encodeURIComponent(code)}`;
  }
  
  await openTauriUrl(desktopAuthUrl);
}

This reduces ~75 lines of duplicated code to a single reusable function.

Also applies to: 192-217, 378-403

🤖 Prompt for AI Agents

frontend/src/routes/login.tsx around lines 128-154 (also apply same change at
192-217 and 378-403): the two-step opener logic (invoke → fallback dynamic
import) is duplicated across three OAuth handlers; extract it to a single helper
async function openTauriUrl(url: string) that (1) logs the URL, (2) attempts
invoke("plugin:opener|open_url", { url }), (3) on invoke failure dynamically
imports @tauri-apps/plugin-opener and calls openUrl(url), and (4) if both
methods fail throws a new Error that includes both error messages; then replace
the duplicated blocks in each handler with await openTauriUrl(desktopAuthUrl)
wrapped in try/catch in the handler so setError/console.error behavior is
preserved, and keep the existing desktopAuthUrl query param encoding logic
unchanged.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Remove [ERROR] prefix from user-facing error messages.

While extracting the error message properly (using instanceof Error check) is good, the [ERROR] Outer catch: prefix should be removed from production code. Users don't need to see technical debugging markers.

Apply this diff:

  } catch (error) {
    const errMsg = error instanceof Error ? error.message : JSON.stringify(error);
    console.error("Failed to initiate GitHub login:", error);
-   setError(`[ERROR] Outer catch: ${errMsg}`);
+   setError(errMsg || "Failed to initiate GitHub login. Please try again.");
  }

Also applies to: 229-232

🤖 Prompt for AI Agents

In frontend/src/routes/login.tsx around lines 166-169 and 229-232, remove the
technical “[ERROR] Outer catch:” prefix from user-facing error strings; instead
set the error state to the extracted message only (use errMsg or the same
extracted string variable) and keep console.error for debugging. Update both
locations to call setError(errMsg) (or a short user-friendly variant) rather
than prepending the “[ERROR]” tag, ensuring consistent messages shown to users
while retaining the detailed console.error logs for developers.

[greptile-apps]

_{5 files reviewed, no comments}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

_{7 files reviewed, no comments}

_{Edit Code Review Agent Settings | Greptile}