fix(release): refresh Cargo.lock on bump, attach uid to core Sentry, hide debug settings

[senamakel]

Summary

• Release workflows now refresh Cargo.lock / app/src-tauri/Cargo.lock after the version bump and stage them in the release commit, so the lockfiles no longer drift on every release.
• Core before_send (src/main.rs) attaches the cached account uid (peek_cached_current_user_identity().id only — no name/email/IP) so Sentry can group issues by user and report "users affected".
• Settings → Developer Options: Memory Data, Memory Debug, and Screen Awareness Debug entries commented out (routes retained for re-enable).

Problem

• Every staging/prod release left an uncommitted Cargo.lock diff because bump-version.js updates Cargo.toml but never refreshes the matching [package].version entries in the lockfiles. The next local cargo invocation rewrote them and dirtied the tree.
• The Rust core's Sentry before_send had event.user = None;, so even though the React side already attaches event.user = { id }, no core-side event carried a uid. Sentry could not count unique users affected by core errors.
• Three debug-only settings entries were exposed in Developer Options that should not ship to end users right now.

Solution

• Workflows (release-staging.yml, release-production.yml): added a cargo update --workspace --manifest-path … step on both manifests after the bump, then included both lockfiles in the git add line of the release commit. --workspace constrains updates to workspace members only, so transitive dep churn stays out.
• Core Sentry (src/main.rs): replaced event.user = None; with a lookup against the existing peek_cached_current_user_identity() (which already strips everything but id / name / email). Only id is attached; consistent with send_default_pii: false. Empty on early-startup events before the auth_get_me cache populates — same trade-off the frontend has.
• Settings: commented out the three entries in DeveloperOptionsPanel.tsx and the "Advanced settings" shortcut on ScreenIntelligencePanel.tsx. Removed the now-unused navigateToSettings from the destructure. Routes in pages/Settings.tsx are intact, matching the Autocomplete/Voice Debug precedent (Temporarily hide Text-to-Speech and Auto-complete from UI #717).

Submission Checklist

• N/A: workflow + small UI hide + Sentry scope tweak — no behavioural code paths added that warrant new tests; the lockfile refresh is observable end-to-end via the next release run
• N/A: changed lines are CI workflow YAML, comment-only TSX edits, and a single Sentry before_send branch — diff-cover scope is minimal
• N/A: no feature rows added/removed in the coverage matrix
• N/A: no feature IDs touched
• No new external network dependencies introduced
• N/A: release-cut surfaces unchanged at the user level
• N/A: no linked issue

Impact

• Desktop: hidden Developer Options entries are no longer visible; routes still resolvable by direct URL.
• Sentry dashboard: core events will start carrying user.id, enabling "users affected" rollups across React + Rust surfaces.
• Release pipeline: next staging/prod cut will commit refreshed lockfiles and stop leaving an uncommitted diff locally.

Related

• Closes:
• Follow-up PR(s)/TODOs:

---

AI Authored PR Metadata (required for Codex/Linear PRs)

Linear Issue

• Key: N/A
• URL: N/A

Commit & Branch

• Branch: fix/may-10
• Commit SHA: 20a183c

Validation Run

• `pnpm lint` — 0 errors (38 pre-existing warnings)
• `pnpm exec tsc --noEmit` — clean
• N/A: Focused tests — no behavioural code paths added
• Rust fmt/check (if changed): `cargo check --bin openhuman-core` clean
• N/A: Tauri fmt/check — Tauri shell unchanged

Validation Blocked

• `command:` N/A
• `error:` N/A
• `impact:` N/A

Behavior Changes

• Intended behavior change: Sentry events from the Rust core now carry an account uid; three debug-settings entries are no longer linked from the Developer Options menu; release commits include refreshed Cargo.lock files.
• User-visible effect: Three settings entries disappear; no other user-visible change.

Parity Contract

• Legacy behavior preserved: Routes for hidden settings panels remain reachable by direct URL; `send_default_pii: false` policy preserved (only `id` is added).
• Guard/fallback/dispatch parity checks: Sentry `before_send` still strips secrets and `server_name`.

Duplicate / Superseded PR Handling

• Duplicate PR(s): N/A
• Canonical PR: N/A
• Resolution (closed/superseded/updated): N/A

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR makes three independent changes: production and staging release workflows now refresh and commit Cargo.lock files during version bumps; debug menu routes are hidden from the Developer Options and Screen Intelligence panels; and the Sentry telemetry hook attaches cached user identity to events instead of stripping it.

Changes

Release Workflow Lockfile Sync

Layer / File(s)	Summary
Production workflow Cargo.lock refresh .github/workflows/release-production.yml	main_head release flow adds a cargo update step after version sync to refresh workspace and Tauri sub-crate lockfiles, then stages both Cargo.lock and app/src-tauri/Cargo.lock in the version bump commit.
Staging workflow Cargo.lock refresh .github/workflows/release-staging.yml	Staging release flow adds a cargo update step after patch bump for both workspace and Tauri crate, then includes both Cargo.lock files in the staging cut commit alongside manifest/config files.

Debug UI Routes Hidden

Layer / File(s)	Summary
Developer Options panel routes disabled app/src/components/settings/panels/DeveloperOptionsPanel.tsx	developerItems removes active screen-awareness-debug, memory-data, and memory-debug menu entries by replacing them with commented-out configuration blocks.
Screen Intelligence advanced settings hidden app/src/components/settings/panels/ScreenIntelligencePanel.tsx	Removes navigateToSettings from useSettingsNavigation() destructuring and comments out the "Advanced settings" debug button that previously navigated to screen-awareness-debug.

Sentry User Identity Telemetry

Layer / File(s)	Summary
User identity in Sentry events src/main.rs	The before_send hook now populates event.user from openhuman_core::openhuman::app_state::peek_cached_current_user_identity(), attaching only the user id, replacing prior behavior that cleared user context.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• tinyhumansai/openhuman#1082: Both PRs involve Cargo.lock handling during release workflows—this PR refreshes and commits lockfiles while that PR contains the actual lockfile updates.
• tinyhumansai/openhuman#1094: Both PRs modify release workflows' prepare-build/commit logic in release-staging.yml and release-production.yml.
• tinyhumansai/openhuman#453: Both PRs modify the same settings UI files (DeveloperOptionsPanel.tsx and ScreenIntelligencePanel.tsx) to hide/comment out debug route entries.

Suggested reviewers

• M3gA-Mind

Poem

🐰 Lockfiles locked down with Cargo's might,
Debug routes fade to commented night,
Sentry now knows who we are,
Clean workflows star by star! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes all three main changes: Cargo.lock refresh on bump, Sentry user ID attachment, and debug settings being hidden. It is specific, concise, and clearly conveys the primary changes without being vague.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

.github/workflows/release-staging.yml (1)

105-112: ⚡ Quick win

Add explicit Rust toolchain setup before lockfile refresh

Lines 105–112 execute cargo update without explicitly installing the Rust toolchain. While this may work on runner images with pre-installed Rust, adding an explicit setup step will make lockfile refreshes deterministic across runner image updates and align with the repository's declared rust-toolchain.toml (1.93.0).

Suggested patch

       - name: Verify version sync
         run: node scripts/release/verify-version-sync.js "${{ steps.bump.outputs.version }}"
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@1.93.0
       - name: Refresh Cargo.lock files

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release-staging.yml around lines 105 - 112, Add an
explicit Rust toolchain setup step before the "Refresh Cargo.lock files" step:
call a setup action (e.g., actions-rs/toolchain or rust-lang/setup-rust) to
install and set the toolchain to 1.93.0 (matching rust-toolchain.toml) and make
it the default for the job, then run the existing cargo update commands (the
step named "Refresh Cargo.lock files") so lockfile refreshes are deterministic
across runners.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.github/workflows/release-staging.yml:
- Around line 105-112: Add an explicit Rust toolchain setup step before the
"Refresh Cargo.lock files" step: call a setup action (e.g., actions-rs/toolchain
or rust-lang/setup-rust) to install and set the toolchain to 1.93.0 (matching
rust-toolchain.toml) and make it the default for the job, then run the existing
cargo update commands (the step named "Refresh Cargo.lock files") so lockfile
refreshes are deterministic across runners.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 401c913c-c8c8-4661-9c48-ac31ec187e58

📥 Commits

Reviewing files that changed from the base of the PR and between 12ef69b and 20a183c.

⛔ Files ignored due to path filters (2)

• Cargo.lock is excluded by !**/*.lock
• app/src-tauri/Cargo.lock is excluded by !**/*.lock

📒 Files selected for processing (5)

• .github/workflows/release-production.yml
• .github/workflows/release-staging.yml
• app/src/components/settings/panels/DeveloperOptionsPanel.tsx
• app/src/components/settings/panels/ScreenIntelligencePanel.tsx
• src/main.rs