Fix/365 enforce latest oauth gate from 351

[M3gA-Mind]

Closes #365

Summary

• What changed and why.
• Keep this to 3-6 bullets focused on user-visible or architecture-impacting changes.

Problem

• What issue or risk this PR addresses.
• Include context needed for reviewers to evaluate correctness quickly.

Solution

• How the implementation solves the problem.
• Note important design decisions and tradeoffs.

Submission Checklist

• Unit tests — Vitest (app/) and/or cargo test (core) for logic you add or change
• E2E / integration — Where behavior is user-visible or crosses UI → Tauri → sidecar → JSON-RPC; use existing harnesses (app/test/e2e, mock backend, tests/json_rpc_e2e.rs as appropriate)
• N/A — If truly not applicable, say why (e.g. change is documentation-only)
• Doc comments — /// / //! (Rust), JSDoc or brief file/module headers (TS) on public APIs and non-obvious modules
• Inline comments — Where logic, invariants, or edge cases aren’t clear from names alone (keep them grep-friendly; avoid restating the code)

(Any feature related checklist can go in here)

Impact

• Runtime/platform impact (desktop/mobile/web/CLI), if any.
• Performance, security, migration, or compatibility implications.

Related

• Issue(s):
• Follow-up PR(s)/TODOs:

Summary by CodeRabbit

• New Features
  • OAuth authentication now enforces a minimum desktop app version; outdated builds are blocked and directed to download the latest installer.
• Configuration
  • Two optional frontend settings added to configure the minimum supported app version and the download URL shown when blocked.
• Tests
  • Added semantic-versioning tests to validate version checks.
• Documentation
  • New release policy/runbook documenting version-gating behavior and release guidance.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds a build-time Vite env var injection and implements an OAuth deep-link version gate: semver utilities, gate evaluator, integration into deep-link handling (blocks stale desktop apps), CI changes, tests, and release documentation. (≤50 words)

Changes

Cohort / File(s)	Summary
CI Workflow Environment Variables .github/workflows/build-windows.yml, .github/workflows/release.yml	Pass VITE_MINIMUM_SUPPORTED_APP_VERSION and VITE_LATEST_APP_DOWNLOAD_URL (from GitHub Actions vars) into frontend yarn build and the Tauri packaging step.
Config & Env Example app/.env.example, app/src/utils/config.ts	Add VITE_MINIMUM_SUPPORTED_APP_VERSION and VITE_LATEST_APP_DOWNLOAD_URL to example env; export MINIMUM_SUPPORTED_APP_VERSION (trimmed, default empty) and LATEST_APP_DOWNLOAD_URL (trimmed, fallback to GitHub releases/latest).
Semver Utilities & Tests app/src/utils/semver.ts, app/src/utils/semver.test.ts	New semver parser/comparator (parseSemverParts, compareSemver, isVersionAtLeast) with unit tests covering parsing, comparison, and >= semantics (supports optional v prefix).
OAuth Version Gate app/src/utils/oauthAppVersionGate.ts	New evaluateOAuthAppVersionGate() and OAuthAppVersionGateResult union; reads MINIMUM, uses Tauri getVersion() when applicable, and returns allow/block result with downloadUrl on block. Designed to avoid throwing.
Deep Link Handling app/src/utils/desktopDeepLinkListener.ts	Integrates version gate into openhuman://oauth/success: if gate blocks, opens download URL, enqueues a manual Sentry event, dispatches oauth:stale-app event with metadata, and returns early; reduces logging of raw deep-link URLs on errors.
Release Docs docs/RELEASE_POLICY.md	New runbook documenting OAuth version-gating, distribution/release guidance, CI variable injection, and a release checklist for enforcing latest installers.

Sequence Diagram

sequenceDiagram
    participant User
    participant DesktopApp as "Desktop App"
    participant Listener as "Deep Link Listener"
    participant Gate as "OAuth Version Gate"
    participant Tauri as "Tauri Runtime"
    participant Reporter as "Error Reporter"

    User->>DesktopApp: Click OAuth callback (openhuman://oauth/success)
    DesktopApp->>Listener: Deliver deep link
    Listener->>Listener: Validate params (integrationId, skillId)
    Listener->>Gate: evaluateOAuthAppVersionGate()
    Gate->>Tauri: getVersion() (if Tauri)
    Tauri-->>Gate: current version (or error)
    Gate->>Gate: compare current vs MINIMUM_SUPPORTED_APP_VERSION
    alt allowed (minimum unset/invalid or current >= minimum or non-Tauri)
        Gate-->>Listener: { ok: true }
        Listener->>DesktopApp: Continue OAuth completion flow (clientKeyShare, startSkill...)
    else blocked (current < minimum)
        Gate-->>Listener: { ok: false, current, minimum, downloadUrl }
        Listener->>Reporter: enqueueError(buildManualSentryEvent(...))
        Listener->>DesktopApp: openUrl(downloadUrl) (try)
        DesktopApp->>User: Browser opens download page
        Listener->>DesktopApp: dispatch CustomEvent 'oauth:stale-app' with metadata
        Listener-->>DesktopApp: return early (block OAuth completion)
    end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• fix(windows): fix install script and add Windows build workflow #281 — Modifies Windows build/release CI workflows to inject Vite environment variables into the frontend build step (overlaps workflow area and variables).

Suggested reviewers

• senamakel

Poem

🐰 I nudged the versions, small and bright,
I check each deep-link in the night,
If your app is stale, I tap the brake,
Send you a download, for safety's sake,
Semver snug, so OAuth takes flight.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Fix/365 enforce latest oauth gate from 351' refers to issue #365 and describes the core change: enforcing an OAuth version gate for the latest app version.
Linked Issues check	✅ Passed	The PR comprehensively addresses issue #365 objectives: adds minimum version gating for OAuth [desktopDeepLinkListener.ts, oauthAppVersionGate.ts], documents release policy [RELEASE_POLICY.md], and propagates environment variables through CI/build workflows [build-windows.yml, release.yml, config.ts].
Out of Scope Changes check	✅ Passed	All changes are directly scoped to enforcing OAuth version gating and supporting infrastructure: environment variable setup, configuration exports, OAuth flow blocking logic, version comparison utilities, test coverage, and release policy documentation.
Docstring Coverage	✅ Passed	Docstring coverage is 80.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/release.yml (1)

305-314: ⚠️ Potential issue | 🟠 Major

Fail the release if the configured OAuth floor is above the version being shipped.

These variables are manual. If VITE_MINIMUM_SUPPORTED_APP_VERSION is accidentally set higher than needs.prepare-release.outputs.version, the freshly published build will block its own OAuth flow on first use. Please add a pre-build guard that aborts when minimum > release version.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.yml around lines 305 - 314, Add a pre-build guard
step before the "Build frontend" run that reads the prepared release version
(needs.prepare-release.outputs.version) and the configured
VITE_MINIMUM_SUPPORTED_APP_VERSION and fails the job if the minimum required
version is greater than the release version; implement the check by running a
small version-compare script (e.g., node/python using a semver-aware compare)
that exits non-zero when VITE_MINIMUM_SUPPORTED_APP_VERSION >
needs.prepare-release.outputs.version and emits a clear error message so the
workflow aborts before the yarn build.

🧹 Nitpick comments (2)

app/src/utils/semver.ts (1)

6-29: Prefer const arrow exports for new utility helpers.

Small consistency nit for app/src utilities.

As per coding guidelines, **/*.{js,jsx,ts,tsx}: Prefer arrow functions over function declarations.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@app/src/utils/semver.ts` around lines 6 - 29, Convert the three exported
function declarations to exported const arrow functions to follow the module
style: replace "export function parseSemverParts(...)", "export function
compareSemver(...)" and "export function isVersionAtLeast(...)" with "export
const parseSemverParts = (...) => { ... }", "export const compareSemver = (...)
=> { ... }" and "export const isVersionAtLeast = (...) => { ... }" respectively,
preserving the same parameter names, return types, internal logic (including
regex, parseInt behavior, and fallback returns) and export names so callers and
semantics of parseSemverParts, compareSemver and isVersionAtLeast remain
unchanged.

app/src/utils/oauthAppVersionGate.ts (1)

17-47: Harden env-string handling to avoid brittle gate behavior under misconfiguration.

minimum and downloadUrl are used as already-valid strings. Adding nullish normalization + download URL fallback makes this flow safer if config defaults change or are blank.

♻️ Suggested hardening diff

 export async function evaluateOAuthAppVersionGate(): Promise<OAuthAppVersionGateResult> {
-  const minimum = MINIMUM_SUPPORTED_APP_VERSION.trim();
+  const minimum = (MINIMUM_SUPPORTED_APP_VERSION ?? '').trim();
   if (!minimum) {
     return { ok: true };
   }
@@
-  console.warn('[oauth-app-version] blocked OAuth success deep link', { current, minimum });
-  return { ok: false, current, minimum, downloadUrl: LATEST_APP_DOWNLOAD_URL };
+  const downloadUrl =
+    (LATEST_APP_DOWNLOAD_URL ?? '').trim() ||
+    'https://github.com/tinyhumansai/openhuman/releases/latest';
+  console.warn('[oauth-app-version] blocked OAuth success deep link', { current, minimum, downloadUrl });
+  return { ok: false, current, minimum, downloadUrl };
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@app/src/utils/oauthAppVersionGate.ts` around lines 17 - 47, Normalize and
guard MINIMUM_SUPPORTED_APP_VERSION and LATEST_APP_DOWNLOAD_URL before using
them: ensure MINIMUM_SUPPORTED_APP_VERSION is nullish-checked and trimmed
(fallback to empty string) before calling parseSemverParts/minimum checks, and
normalize the result of getVersion similarly; additionally provide a safe
fallback for download URL (fallback LATEST_APP_DOWNLOAD_URL to a known constant
or empty string) before returning it; update checks around parseSemverParts,
isTauri, getVersion, and isVersionAtLeast in oauthAppVersionGate so blank or
undefined env values don’t cause brittle behavior and the returned downloadUrl
is never undefined.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@app/src/utils/config.ts`:
- Around line 48-59: The current approach exports MINIMUM_SUPPORTED_APP_VERSION
and LATEST_APP_DOWNLOAD_URL from utils/config.ts using build-time env vars,
which freezes the minimum-version gate into shipped installers; change the
gating to a runtime check instead by adding logic that fetches the current
minimum supported version from a server/updater endpoint at app startup and
compares it to the local app version (use the existing
MINIMUM_SUPPORTED_APP_VERSION constant as a fallback/default only), and ensure
the code that enforces the block (wherever OAuth deep-link completion is
checked) consults the runtime-fetched value first and falls back to the bundled
value; also update any UI or redirect logic that uses LATEST_APP_DOWNLOAD_URL to
accept a server-provided URL with the bundled constant as fallback.

In `@app/src/utils/semver.ts`:
- Around line 6-17: Update the semver regex to require a full-string match by
adding an end anchor so malformed inputs like "0.51.x" or "1.2beta" are rejected
(change the regex in parseSemverParts to use
/^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?$/). Also refactor parseSemverParts,
compareSemver, and isVersionAtLeast from function declarations to arrow function
expressions to match style guidelines, keeping their current behavior and return
types.

---

Outside diff comments:
In @.github/workflows/release.yml:
- Around line 305-314: Add a pre-build guard step before the "Build frontend"
run that reads the prepared release version
(needs.prepare-release.outputs.version) and the configured
VITE_MINIMUM_SUPPORTED_APP_VERSION and fails the job if the minimum required
version is greater than the release version; implement the check by running a
small version-compare script (e.g., node/python using a semver-aware compare)
that exits non-zero when VITE_MINIMUM_SUPPORTED_APP_VERSION >
needs.prepare-release.outputs.version and emits a clear error message so the
workflow aborts before the yarn build.

---

Nitpick comments:
In `@app/src/utils/oauthAppVersionGate.ts`:
- Around line 17-47: Normalize and guard MINIMUM_SUPPORTED_APP_VERSION and
LATEST_APP_DOWNLOAD_URL before using them: ensure MINIMUM_SUPPORTED_APP_VERSION
is nullish-checked and trimmed (fallback to empty string) before calling
parseSemverParts/minimum checks, and normalize the result of getVersion
similarly; additionally provide a safe fallback for download URL (fallback
LATEST_APP_DOWNLOAD_URL to a known constant or empty string) before returning
it; update checks around parseSemverParts, isTauri, getVersion, and
isVersionAtLeast in oauthAppVersionGate so blank or undefined env values don’t
cause brittle behavior and the returned downloadUrl is never undefined.

In `@app/src/utils/semver.ts`:
- Around line 6-29: Convert the three exported function declarations to exported
const arrow functions to follow the module style: replace "export function
parseSemverParts(...)", "export function compareSemver(...)" and "export
function isVersionAtLeast(...)" with "export const parseSemverParts = (...) => {
... }", "export const compareSemver = (...) => { ... }" and "export const
isVersionAtLeast = (...) => { ... }" respectively, preserving the same parameter
names, return types, internal logic (including regex, parseInt behavior, and
fallback returns) and export names so callers and semantics of parseSemverParts,
compareSemver and isVersionAtLeast remain unchanged.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 12e94415-0134-4f41-b678-673aa69b38f5

📥 Commits

Reviewing files that changed from the base of the PR and between eded18a and c2f3386.

📒 Files selected for processing (9)

• .github/workflows/build-windows.yml
• .github/workflows/release.yml
• app/.env.example
• app/src/utils/config.ts
• app/src/utils/desktopDeepLinkListener.ts
• app/src/utils/oauthAppVersionGate.ts
• app/src/utils/semver.test.ts
• app/src/utils/semver.ts
• docs/RELEASE_POLICY.md

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@app/src/utils/oauthAppVersionGate.ts`:
- Around line 16-52: Issue: evaluateOAuthAppVersionGate currently "fails open"
for unknown/malformed desktop versions; it should "fail closed" once a minimum
is configured. Fix: inside evaluateOAuthAppVersionGate, when getVersion() throws
or parseSemverParts(current) returns falsy (i.e., current is unparseable) change
the early returns that currently return { ok: true } to return { ok: false,
current?: current, minimum, downloadUrl: LATEST_APP_DOWNLOAD_URL } so unknown
versions are blocked; also change the outer catch to return { ok: false,
minimum, downloadUrl: LATEST_APP_DOWNLOAD_URL } instead of allowing OAuth. Use
the existing symbols getVersion, parseSemverParts, current, minimum,
LATEST_APP_DOWNLOAD_URL and preserve non-throwing behavior while returning the
failure payload.

In `@docs/RELEASE_POLICY.md`:
- Around line 5-9: Add an explicit retirement checklist entry under the
"Distribution" section: ensure deprecated installers, old updater manifests, and
stale release artifacts are removed or redirected and verify they are
unreachable from primary distribution surfaces (website, CDN, GitHub Releases,
and the Tauri updater configured by prepareTauriConfig.js); include concrete
steps to (1) identify obsolete artifacts by tag/asset name, (2) delete or
replace artifacts on GitHub Releases and CDN, (3) add HTTP redirects or 410
responses where removal isn’t possible, and (4) run a verification step that
attempts to fetch known-old installer/update URLs and fails, and duplicate this
checklist addition in the other distribution-related section (lines referenced
in review).
- Around line 12-21: The tauri build step is missing the
VITE_MINIMUM_SUPPORTED_APP_VERSION and VITE_LATEST_APP_DOWNLOAD_URL env vars so
shipped installers bake unset defaults; update the tauri-action step in both
`.github/workflows/release.yml` and `.github/workflows/build-windows.yml` to add
VITE_MINIMUM_SUPPORTED_APP_VERSION: ${{ vars.VITE_MINIMUM_SUPPORTED_APP_VERSION
}} and VITE_LATEST_APP_DOWNLOAD_URL: ${{ vars.VITE_LATEST_APP_DOWNLOAD_URL }} to
the env block of the tauri-action invocation (the same env used by the
standalone yarn build), and also update the release runbook to state that both
the standalone frontend build and the tauri-action rebuild must receive these
two variables so the gate in app/src/utils/oauthAppVersionGate.ts and
desktopDeepLinkListener (app/src/utils/desktopDeepLinkListener.ts) is enabled in
shipped installers.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 2ac5e0c7-ac5f-4a6a-a7ff-3b38870cd413

📥 Commits

Reviewing files that changed from the base of the PR and between c2f3386 and e45d70c.

📒 Files selected for processing (6)

• app/src/utils/config.ts
• app/src/utils/desktopDeepLinkListener.ts
• app/src/utils/oauthAppVersionGate.ts
• app/src/utils/semver.test.ts
• app/src/utils/semver.ts
• docs/RELEASE_POLICY.md

✅ Files skipped from review due to trivial changes (3)

• app/src/utils/config.ts
• app/src/utils/semver.test.ts
• app/src/utils/semver.ts

[coderabbitai]

🧹 Nitpick comments (2)

docs/RELEASE_POLICY.md (1)

13-13: Good documentation of the build-time limitation.

The note about runtime API as future work is valuable. The current approach means users who never upgrade will still have whatever minimum was baked into their build. Consider opening an issue to track this enhancement if it's not already captured.

Would you like me to draft an issue for tracking the runtime minimum version API enhancement?

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/RELEASE_POLICY.md` at line 13, Create a new issue tracking the "runtime
minimum version API" enhancement referenced in RELEASE_POLICY.md: title it
something like "Implement runtime API to enforce moving minimum supported app
semver", include a clear description referencing the build-time limitation text
in RELEASE_POLICY.md and the desired runtime behavior, list motivation and
acceptance criteria (API surface, fallback to bundled value, migration plan,
tests), add relevant labels (enhancement, backlog) and link the new issue from
RELEASE_POLICY.md or the release docs so the future work is discoverable; assign
or suggest owners if known.

app/src/utils/desktopDeepLinkListener.ts (1)

127-134: Consider aligning catch fallback with fail-closed intent.

The gate function (evaluateOAuthAppVersionGate) is designed to never throw and handles all internal errors. However, if it somehow does throw, this catch block allows OAuth to proceed (ok: true). For consistency with the fail-closed principle documented in oauthAppVersionGate.ts, consider blocking here as well when the gate unexpectedly throws—especially since a minimum version is presumably configured in production.

That said, since the gate is explicitly non-throwing by design, this is a defensive edge case. If the current fail-open behavior is intentional for this outer fallback, a brief inline comment clarifying the rationale would help future maintainers.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@app/src/utils/desktopDeepLinkListener.ts` around lines 127 - 134, The catch
currently sets versionGate = { ok: true } which fails open; change the fallback
to fail closed by setting versionGate = { ok: false } (or an appropriate
blocking shape expected by downstream logic) so that when
evaluateOAuthAppVersionGate unexpectedly throws the OAuth flow is blocked;
update the catch in desktopDeepLinkListener around evaluateOAuthAppVersionGate()
and add a short inline comment explaining this defensive fail-closed behavior
(or, if the original fail-open was intentional, replace with a brief comment
clarifying that choice).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@app/src/utils/desktopDeepLinkListener.ts`:
- Around line 127-134: The catch currently sets versionGate = { ok: true } which
fails open; change the fallback to fail closed by setting versionGate = { ok:
false } (or an appropriate blocking shape expected by downstream logic) so that
when evaluateOAuthAppVersionGate unexpectedly throws the OAuth flow is blocked;
update the catch in desktopDeepLinkListener around evaluateOAuthAppVersionGate()
and add a short inline comment explaining this defensive fail-closed behavior
(or, if the original fail-open was intentional, replace with a brief comment
clarifying that choice).

In `@docs/RELEASE_POLICY.md`:
- Line 13: Create a new issue tracking the "runtime minimum version API"
enhancement referenced in RELEASE_POLICY.md: title it something like "Implement
runtime API to enforce moving minimum supported app semver", include a clear
description referencing the build-time limitation text in RELEASE_POLICY.md and
the desired runtime behavior, list motivation and acceptance criteria (API
surface, fallback to bundled value, migration plan, tests), add relevant labels
(enhancement, backlog) and link the new issue from RELEASE_POLICY.md or the
release docs so the future work is discoverable; assign or suggest owners if
known.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e72734db-2f63-471a-926b-b5722e3ac54e

📥 Commits

Reviewing files that changed from the base of the PR and between e45d70c and 08f416a.

📒 Files selected for processing (5)

• .github/workflows/build-windows.yml
• .github/workflows/release.yml
• app/src/utils/desktopDeepLinkListener.ts
• app/src/utils/oauthAppVersionGate.ts
• docs/RELEASE_POLICY.md

✅ Files skipped from review due to trivial changes (1)

• .github/workflows/build-windows.yml

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/release.yml