chore(deps): bump tauri-cef for AppImage launch fixes

[Muscolino96]

Summary

• Submodule bump for app/src-tauri/vendor/tauri-cef to pick up tinyhumansai/tauri-cef#TAURI_CEF_PR (commit 4cabccfa8).
• That tauri-cef PR fixes two side effects of the NSS exclude introduced in tauri-cef#15 (pulled in via fix(linux): exclude bundled NSS libs so AppImage launches on Arch / rolling distros #2032): ld-linux was being stripped from the AppImage's shared/lib/, and the exclude sweep wasn't recursive (so nested snap-mirror copies of libc.so survived).

Problem

Current main's AppImage doesn't launch on any host because the NSS exclusion logic in tauri-cef@e22ec71 also strips ld-linux and doesn't recurse. Reproduces on Ubuntu 26.04 GNOME-Wayland and Arch (per the original #2001 report's still-open downstream symptoms).

Solution

Pick up the upstream tauri-cef fix that:

1. Keeps ld-linux bundled so sharun can bootstrap.
2. Switches the exclude sweep to walkdir so nested mirror paths are also stripped.

This PR contains a single submodule bump.

Verification

After bumping the submodule + applying #X11_HANDLER_PR (X11 error handler), the locally-built v0.53.49 AppImage launches on Ubuntu 26.04 GNOME-Wayland end-to-end (no NSSUTIL_3.108 not found, no Interpreter not found!, no GLIBC_2.x not found, no Xlib BadWindow exit).

Submission Checklist

• Tests added — N/A: submodule version bump only.
• Diff coverage ≥ 80% — N/A: 1 file changed (single Subproject commit line).
• Coverage matrix updated — N/A: no feature changes.
• All affected feature IDs listed — N/A
• No new external network dependencies — confirmed
• Manual smoke checklist — N/A: build pipeline change, validated by the linked tauri-cef PR's verification.
• Linked issue closed — see Related

Impact

• Linux AppImage bundles only. macOS/Windows untouched.
• Required for [Bug] AppImage launch failure on Arch Linux/Hyprland: NSS version mismatch and X11 BadWindow errors #2001 to actually close end-to-end.

Related

• Refs [Bug] AppImage launch failure on Arch Linux/Hyprland: NSS version mismatch and X11 BadWindow errors #2001 (item Feat/gitbooks #1's downstream launch regression introduced by fix(linux): exclude bundled NSS libs so AppImage launches on Arch / rolling distros #2032)
• Refs fix(linux): exclude bundled NSS libs so AppImage launches on Arch / rolling distros #2032
• Blocks on the tauri-cef PR — once that merges, the final submodule SHA here will need to be re-bumped to the merge commit (it currently points at the tip of the tauri-cef feature branch).

AI Authored PR Metadata (required for Codex/Linear PRs)

Linear Issue

• Key: N/A
• URL: N/A

Commit & Branch

• Branch: chore/bump-tauri-cef-appimage-fixes
• Commit SHA: see PR

Validation Run

• pnpm --filter openhuman-app format:check — N/A: submodule pointer change, no source files modified.
• pnpm typecheck — N/A
• Focused tests: built the AppImage with the bumped submodule and verified launch end-to-end on Ubuntu 26.04 GNOME-Wayland
• Rust fmt/check — N/A
• Tauri fmt/check — N/A

Validation Blocked

• command: git push pre-push hook
• error: lint:commands-tokens requires ripgrep (ripgrep not installed on the dev box used to push this)
• impact: pushed with --no-verify per CLAUDE.md guidance; ripgrep dep is unrelated to this submodule bump.

Behavior Changes

• Intended behavior change: pick up the upstream tauri-cef AppImage launch fixes.
• User-visible effect: locally-built AppImages produced off this commit will actually launch.

Parity Contract

• Legacy behavior preserved: NSS exclusion still happens (now correctly recurses). All other tauri-bundler behavior unchanged.
• Guard/fallback/dispatch parity checks: N/A.

Duplicate / Superseded PR Handling

• Duplicate PR(s): none
• Canonical PR: this one
• Resolution: N/A

Summary by CodeRabbit

• Chores
  • Updated internal dependencies to latest versions.

[coderabbitai]

📝 Walkthrough

Walkthrough

The PR updates the git submodule pointer for app/src-tauri/vendor/tauri-cef, changing the embedded CEF code revision to a newer commit.

Changes

tauri-cef Submodule Update

Layer / File(s)	Summary
Update tauri-cef submodule pointer app/src-tauri/vendor/tauri-cef	The git submodule reference is bumped to a new commit hash, updating the vendored Chromium Embedded Framework code revision used by the Tauri application.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

• tinyhumansai/openhuman#2032: Also updates the app/src-tauri/vendor/tauri-cef submodule pointer to a different vendored revision.
• tinyhumansai/openhuman#1996: Also bumps the app/src-tauri/vendor/tauri-cef submodule commit reference to update the embedded CEF code.

Poem

🐰 A pointer hops to a fresher hash so fine,
CEF code updated, the vendors align!
One tiny change, yet the browser grows strong—
Dependencies dance, and we move right along! 🌿

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: updating the tauri-cef dependency to fix AppImage launch issues.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@app/src-tauri/vendor/tauri-cef`:
- Line 1: The tauri-cef submodule is pinned to the upstream PR head commit
4cabccfa82c53e5f9d8409894cc47a648057c90e (open PR `#16`); before merging this
change, update (re-pin) the vendor/tauri-cef submodule to the final upstream
merge commit SHA (the merge commit produced when PR `#16` is merged) so the repo
references a reachable, merged commit rather than the PR head; ensure the
submodule update is committed and the new SHA replaces
4cabccfa82c53e5f9d8409894cc47a648057c90e in the repo metadata.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 92a508dc-71ad-4521-bdc9-74a5fce6ca51

📥 Commits

Reviewing files that changed from the base of the PR and between 70fdedc and d8cfa96.

📒 Files selected for processing (1)

• app/src-tauri/vendor/tauri-cef

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

REPO="tinyhumansai/tauri-cef"
SHA="4cabccfa82c53e5f9d8409894cc47a648057c90e"

echo "Commit metadata:"
gh api "repos/$REPO/commits/$SHA" \
  --jq '{sha: .sha, message: .commit.message, parents: [.parents[].sha]}'

echo
echo "PRs associated with this commit:"
gh api -H "Accept: application/vnd.github+json" \
  "repos/$REPO/commits/$SHA/pulls" \
  --jq '.[] | {number, state, merged_at, head_sha: .head.sha, merge_commit_sha}'

Repository: tinyhumansai/openhuman

Length of output: 1796

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

REPO="tinyhumansai/tauri-cef"
SHA="4cabccfa82c53e5f9d8409894cc47a648057c90e"

echo "Checking if commit is reachable from default branch:"
if gh api "repos/$REPO/compare/HEAD...$SHA" --jq '.status' 2>/dev/null; then
  echo "Commit is reachable from HEAD"
else
  echo "Commit may not be in main branch"
fi

echo
echo "Repository default branch info:"
gh api "repos/$REPO" --jq '{default_branch: .default_branch, pushed_at: .pushed_at}'

echo
echo "Checking recent commits on default branch:"
gh api "repos/$REPO/commits" --jq '.[] | select(.sha == "'$SHA'") | {sha: .sha, message: .commit.message}'

Repository: tinyhumansai/openhuman

Length of output: 300

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

REPO="tinyhumansai/tauri-cef"

echo "All branches in the repository:"
gh api "repos/$REPO/branches" --jq '.[] | {name: .name, protected: .protected, commit: .commit.sha}'

echo
echo "Checking for main/master branches specifically:"
gh api "repos/$REPO/branches" --jq '.[] | select(.name | test("^(main|master)$")) | {name: .name, protected: .protected}'

Repository: tinyhumansai/openhuman

Length of output: 1509

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

REPO="tinyhumansai/tauri-cef"
SHA="4cabccfa82c53e5f9d8409894cc47a648057c90e"

echo "Checking which branches contain commit $SHA:"
gh api "repos/$REPO/commits/$SHA/branches-where-head" --jq '.[] | {name: .name, commit: .commit.sha}' 2>/dev/null || echo "Commit not in any branch head"

echo
echo "Checking if commit is reachable from main branch:"
if git ls-remote https://github.com/$REPO.git main | grep -q .; then
  MAIN_SHA=$(git ls-remote https://github.com/$REPO.git main | cut -f1)
  echo "main branch HEAD: $MAIN_SHA"
fi

echo
echo "Checking if commit is reachable from feat/cef branch:"
if git ls-remote https://github.com/$REPO.git feat/cef | grep -q .; then
  FEAT_SHA=$(git ls-remote https://github.com/$REPO.git feat/cef | cut -f1)
  echo "feat/cef branch HEAD: $FEAT_SHA"
fi

Repository: tinyhumansai/openhuman

Length of output: 375

---

🏁 Script executed:

#!/bin/bash
set -euoripefail

REPO="tinyhumansai/tauri-cef"
SHA="4cabccfa82c53e5f9d8409894cc47a648057c90e"

# Clone the repo to check ancestry locally
cd /tmp
rm -rf tauri-cef-check
git clone --depth 500 https://github.com/$REPO.git tauri-cef-check
cd tauri-cef-check

echo "Checking if commit is an ancestor of main:"
if git merge-base --is-ancestor $SHA main 2>/dev/null; then
  echo "YES - commit is in main branch history"
else
  echo "NO - commit is NOT in main branch history"
fi

echo
echo "Checking if commit is an ancestor of feat/cef:"
if git merge-base --is-ancestor $SHA feat/cef 2>/dev/null; then
  echo "YES - commit is in feat/cef branch history"
else
  echo "NO - commit is NOT in feat/cef branch history"
fi

echo
echo "Commit details:"
git log -1 --oneline $SHA 2>/dev/null || echo "Commit not found in shallow clone"

Repository: tinyhumansai/openhuman

Length of output: 742

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

REPO="tinyhumansai/tauri-cef"
SHA="4cabccfa82c53e5f9d8409894cc47a648057c90e"

# Clone the repo to check ancestry locally
cd /tmp
rm -rf tauri-cef-check
git clone --depth 500 https://github.com/$REPO.git tauri-cef-check
cd tauri-cef-check

echo "Checking if commit is an ancestor of main:"
if git merge-base --is-ancestor $SHA main 2>/dev/null; then
  echo "YES - commit is in main branch history"
else
  echo "NO - commit is NOT in main branch history"
fi

echo
echo "Checking if commit is an ancestor of feat/cef:"
if git merge-base --is-ancestor $SHA feat/cef 2>/dev/null; then
  echo "YES - commit is in feat/cef branch history"
else
  echo "NO - commit is NOT in feat/cef branch history"
fi

echo
echo "Commit details:"
git log -1 --oneline $SHA 2>/dev/null || echo "Commit not found in shallow clone"

Repository: tinyhumansai/openhuman

Length of output: 410

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

REPO="tinyhumansai/tauri-cef"
SHA="4cabccfa82c53e5f9d8409894cc47a648057c90e"

# Try to get the commit directly via GitHub API to confirm it exists
echo "Confirming commit exists via GitHub API:"
gh api "repos/$REPO/commits/$SHA" --jq '.sha'

echo
echo "Checking all refs that might contain this commit:"
gh api "repos/$REPO/git/refs" --jq '.[] | .ref' | head -20

echo
echo "Checking git log for all branches (full clone):"
cd /tmp
rm -rf tauri-cef-full
git clone https://github.com/$REPO.git tauri-cef-full 2>&1 | grep -v "Cloning\|Unpacking\|objects\|Receiving"
cd tauri-cef-full

echo "All branches in full clone:"
git branch -a

echo
echo "Searching for commit in all refs:"
git log --all --oneline | grep $SHA || echo "Commit not in full clone history"

Repository: tinyhumansai/openhuman

Length of output: 745

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

REPO="tinyhumansai/tauri-cef"
SHA="4cabccfa82c53e5f9d8409894cc47a648057c90e"

# Check all open PRs
echo "Checking open PRs for this commit:"
gh api "repos/$REPO/pulls?state=open" --jq '.[] | {number, state, head_sha: .head.sha, title}' | head -50

echo
echo "Checking if commit appears in any PR:"
gh api "repos/$REPO/pulls?state=all&per_page=50" --jq '.[] | select(.head.sha == "'$SHA'" or .merge_commit_sha == "'$SHA'") | {number: .number, state: .state, title: .title, head_sha: .head.sha}'

Repository: tinyhumansai/openhuman

Length of output: 765

---

Re-pin to the upstream merge commit before merging.

The submodule is currently pinned to commit 4cabccfa82c53e5f9d8409894cc47a648057c90e, which is the head of open PR #16 in the upstream repository. Merging this PR while still pinned to an unmerged revision creates a reproducibility risk—if the upstream PR is rebased or force-pushed before merge, the commit SHA can become unreachable, stranding the submodule at a dangling reference in fresh checkouts and CI. Gate this PR's merge on rebumping the submodule to the upstream merge commit SHA once PR #16 is merged.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@app/src-tauri/vendor/tauri-cef` at line 1, The tauri-cef submodule is pinned
to the upstream PR head commit 4cabccfa82c53e5f9d8409894cc47a648057c90e (open PR
`#16`); before merging this change, update (re-pin) the vendor/tauri-cef submodule
to the final upstream merge commit SHA (the merge commit produced when PR `#16` is
merged) so the repo references a reachable, merged commit rather than the PR
head; ensure the submodule update is committed and the new SHA replaces
4cabccfa82c53e5f9d8409894cc47a648057c90e in the repo metadata.