feat(bundler/cli): Add feature flag to use system certificates#24

Open
tomerqodo wants to merge 2 commits into coderabbit_combined_20260121_augment_sentry_coderabbit_1_base_featbundler_cli_add_feature_flag_to_use_system_certificates_pr172 from coderabbit_combined_20260121_augment_sentry_coderabbit_1_head_featbundler_cli_add_feature_flag_to_use_system_certificates_pr172


@tomerqodo tomerqodo commented Jan 22, 2026

Benchmark PR from qodo-benchmark#172

Summary by CodeRabbit

  • New Features

    • The bundler and CLI now automatically read and use system-installed TLS certificates when downloading tools and checking versions. This enhances security and improves compatibility with enterprise certificate configurations and custom certificate authorities.
  • Improvements

    • Enhanced HTTP request handling with support for platform certificate verification across bundler and CLI operations.


coderabbitai bot commented Jan 22, 2026

Walkthrough

The PR introduces a new "platform-certs" feature across tauri-bundler and tauri-cli that enables reading system-installed TLS certificates when downloading tools and checking package versions. A shared base_ureq_agent() helper consolidates HTTP agent configuration, conditionally using platform certificate verification when the feature is enabled.

Changes

| Cohort / File(s) | Change Summary |
|---|---|
| Cargo Configuration: crates/tauri-bundler/Cargo.toml, crates/tauri-cli/Cargo.toml | Added platform-certs feature with ureq/platform-verifier dependency. Updated default features from ["rustls"] to ["rustls", "platform-certs"] in both crates. |
| HTTP Utilities Refactoring: crates/tauri-bundler/src/utils/http_utils.rs | Introduced base_ureq_agent() helper function that configures ureq agents with platform root certificates when platform-certs feature is enabled, otherwise uses proxy-based defaults. Updated create_agent_and_url() to use the new helper. |
| Windows Bundle Utilities: crates/tauri-bundler/src/bundle/windows/util.rs | Replaced inline agent construction with base_ureq_agent() in webview2_guid_path(). Changed WebView2 installer download from download(url)? to direct GET request with manual response body handling. |
| CLI Manifest Handling: crates/tauri-cli/src/helpers/cargo_manifest.rs | Added conditional TLS setup for crates.io API requests using platform certificates when feature enabled. Inverted guard condition for lock_version attachment from empty to non-empty crate_lock_packages. |
| Changelog Entry: .changes/feat-bundler-platform-certs.md | Documents new behavior: bundler and CLI read system TLS certificates when downloading tools and checking versions. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 A bundler hops through system roots,
With certificates from trusted boots,
Platform whispers TLS cheer,
Downloads flow with crystal clear!
Secure paths now pave the way, 🔐
For tools to fetch and certs to play!

🚥 Pre-merge checks | ✅ 2 | ❌ 1
❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and concisely summarizes the main change: adding a feature flag to enable system certificate usage in the bundler and CLI components. |


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
crates/tauri-bundler/src/utils/http_utils.rs (1)

33-40: Bug: Mirror URL function ignores the github_url parameter.

The generate_github_mirror_url_from_base function takes github_url as a parameter but never uses it. It only returns the CDN base URL without appending the GitHub asset path, which breaks the mirror functionality.

The function should combine the CDN base with the path portion of the GitHub URL.

🐛 Proposed fix
 fn generate_github_mirror_url_from_base(github_url: &str) -> Option<String> {
   std::env::var("TAURI_BUNDLER_TOOLS_GITHUB_MIRROR")
     .ok()
     .and_then(|cdn| Url::parse(&cdn).ok())
-    .map(|cdn| {
-      cdn.to_string()
-    })
+    .and_then(|cdn| {
+      Url::parse(github_url).ok().map(|github| {
+        let mut mirror = cdn;
+        mirror.set_path(github.path());
+        mirror.to_string()
+      })
+    })
 }
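Review bot: mirror.set_path(github.path()) replaces the mirror's own path, so a TAURI_BUNDLER_TOOLS_GITHUB_MIRROR value that carries a path prefix loses it and requests go to the host root. Append the GitHub path to the CDN base path instead of overwriting it, and decide explicitly what should happen when Url::parse(github_url) fails, since the inner .ok() turns that into None with no diagnostic.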
🤖 Fix all issues with AI agents
In `@crates/tauri-bundler/src/bundle/windows/util.rs`:
- Around line 65-68: The code currently uses ureq::get(url) which bypasses
platform TLS certs and proxy config; replace this direct call with the shared
download helper (or use base_ureq_agent()) so the request uses platform
certificates and proxy settings. Specifically, in the block that builds
response/bytes and writes to file_path, call the existing download(url,
&file_path) helper (or construct the request via
base_ureq_agent().get(url).call() and handle errors the same way) so TLS/proxy
configuration is applied and the file is written to file_path with the same
error propagation.

In `@crates/tauri-cli/src/helpers/cargo_manifest.rs`:
- Around line 120-131: The agent built inside the #[cfg(feature =
"platform-certs")] block does not pick up proxy settings, so modify that agent
construction to include the same proxy configuration used by base_ureq_agent()
in tauri-bundler: when building the ureq::Agent via
ureq::Agent::config_builder(), add the proxy configuration from
ureq::Proxy::try_from_env() (or the same proxy helper used by base_ureq_agent())
into the builder before calling .build(), keep the existing tls_config(...) and
.new_agent() calls, and preserve the existing agent.get(&url).call().ok()? error
handling; this ensures users behind a proxy can fetch crate versions when
platform-certs is enabled.
🧹 Nitpick comments (1)
crates/tauri-bundler/src/utils/http_utils.rs (1)

56-73: Consider removing explicit return statement.

Idiomatic Rust omits the return keyword for the final expression.

♻️ Suggested change
   #[cfg(not(feature = "platform-certs"))]
   let agent: ureq::Agent = ureq::Agent::config_builder()
     .proxy(ureq::Proxy::try_from_env())
     .build()
     .into();
-  return agent;
+  agent
 }
📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9592489 and 7b5f451.

⛔ Files ignored due to path filters (1)
  • Cargo.lock is excluded by !**/*.lock
📒 Files selected for processing (6)
  • .changes/feat-bundler-platform-certs.md
  • crates/tauri-bundler/Cargo.toml
  • crates/tauri-bundler/src/bundle/windows/util.rs
  • crates/tauri-bundler/src/utils/http_utils.rs
  • crates/tauri-cli/Cargo.toml
  • crates/tauri-cli/src/helpers/cargo_manifest.rs
🧰 Additional context used
🧬 Code graph analysis (1)
crates/tauri-bundler/src/bundle/windows/util.rs (1)
crates/tauri-bundler/src/utils/http_utils.rs (2)
  • base_ureq_agent (56-73)
  • download (76-85)
🔇 Additional comments (5)
.changes/feat-bundler-platform-certs.md (1)

1-7: LGTM!

The changelog entry accurately documents the new TLS certificate behavior for the bundler and CLI tools.

crates/tauri-bundler/Cargo.toml (1)

76-81: LGTM!

The platform-certs feature is correctly defined with the ureq/platform-verifier dependency, and appropriately included in the default features alongside rustls.

crates/tauri-cli/Cargo.toml (1)

140-149: LGTM!

The platform-certs feature correctly propagates to tauri-bundler/platform-certs and enables ureq/platform-verifier for the CLI's direct ureq usage.

crates/tauri-cli/src/helpers/cargo_manifest.rs (1)

194-204: LGTM!

The condition fix correctly ensures lock_version is populated only when there are actual lock packages present.

crates/tauri-bundler/src/bundle/windows/util.rs (1)

27-28: LGTM!

Correctly uses the shared base_ureq_agent() for consistent TLS and proxy configuration.


Comment on lines +65 to +68
let response = ureq::get(url).call().map_err(Box::new)?;
let mut bytes = Vec::new();
response.into_body().into_reader().read_to_end(&mut bytes)?;
std::fs::write(&file_path, bytes)?;
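Review bot: read_to_end(&mut bytes) on into_reader() buffers the whole response in memory with no upper bound, and the bytes are then written to file_path exactly as received. Cap the read (for example with Read::take and an expected maximum installer size) and stream to disk rather than through a Vec.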

⚠️ Potential issue | 🟠 Major

Inconsistent HTTP client usage bypasses platform-certs and proxy configuration.

This code uses ureq::get(url) directly instead of base_ureq_agent() or the download() helper. This bypasses the platform certificates TLS configuration and proxy settings that are applied elsewhere, defeating the purpose of this PR.

🐛 Proposed fix using download() helper
   if !file_path.exists() {
     create_dir_all(dir_path)?;
-    let response = ureq::get(url).call().map_err(Box::new)?;
-    let mut bytes = Vec::new();
-    response.into_body().into_reader().read_to_end(&mut bytes)?;
-    std::fs::write(&file_path, bytes)?;
+    std::fs::write(&file_path, download(url)?)?;
   }
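Review bot: the if !file_path.exists() guard combined with std::fs::write(&file_path, ...) means an interrupted write leaves a truncated file that the next run treats as a complete download. Write to a temporary file in dir_path and rename it to file_path only after the body is fully written.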
🤖 Prompt for AI Agents
In `@crates/tauri-bundler/src/bundle/windows/util.rs` around lines 65 - 68, The
code currently uses ureq::get(url) which bypasses platform TLS certs and proxy
config; replace this direct call with the shared download helper (or use
base_ureq_agent()) so the request uses platform certificates and proxy settings.
Specifically, in the block that builds response/bytes and writes to file_path,
call the existing download(url, &file_path) helper (or construct the request via
base_ureq_agent().get(url).call() and handle errors the same way) so TLS/proxy
configuration is applied and the file is written to file_path with the same
error propagation.

Comment on lines +120 to +131
#[cfg(feature = "platform-certs")]
let mut response = {
let agent = ureq::Agent::config_builder()
.tls_config(
ureq::tls::TlsConfig::builder()
.root_certs(ureq::tls::RootCerts::PlatformVerifier)
.build(),
)
.build()
.new_agent();
agent.get(&url).call().ok()?
};
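Review bot: agent.get(&url).call().ok()? discards the error, so a certificate rejection under RootCerts::PlatformVerifier looks the same to the caller as being offline. Log the error before converting it to None so that a TLS trust failure can be diagnosed.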

⚠️ Potential issue | 🟠 Major

Missing proxy configuration when platform-certs is enabled.

The custom agent for platform-certs doesn't include proxy configuration via ureq::Proxy::try_from_env(), whereas the base_ureq_agent() in tauri-bundler does. This inconsistency means users behind a proxy won't be able to fetch crate versions when platform-certs is enabled.

🐛 Proposed fix
   #[cfg(feature = "platform-certs")]
   let mut response = {
     let agent = ureq::Agent::config_builder()
       .tls_config(
         ureq::tls::TlsConfig::builder()
           .root_certs(ureq::tls::RootCerts::PlatformVerifier)
           .build(),
       )
+      .proxy(ureq::Proxy::try_from_env())
       .build()
       .new_agent();
     agent.get(&url).call().ok()?
   };
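Review bot: this block remains a second hand-written copy of the agent setup, and the missing .proxy(...) line is what that duplication produced. Rather than adding the line here, build the agent through one shared constructor such as base_ureq_agent(), if it can be exposed to tauri-cli, so TLS and proxy settings cannot drift between the two crates.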
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
#[cfg(feature = "platform-certs")]
let mut response = {
let agent = ureq::Agent::config_builder()
.tls_config(
ureq::tls::TlsConfig::builder()
.root_certs(ureq::tls::RootCerts::PlatformVerifier)
.build(),
)
.build()
.new_agent();
agent.get(&url).call().ok()?
};
#[cfg(feature = "platform-certs")]
let mut response = {
let agent = ureq::Agent::config_builder()
.tls_config(
ureq::tls::TlsConfig::builder()
.root_certs(ureq::tls::RootCerts::PlatformVerifier)
.build(),
)
.proxy(ureq::Proxy::try_from_env())
.build()
.new_agent();
agent.get(&url).call().ok()?
};
🤖 Prompt for AI Agents
In `@crates/tauri-cli/src/helpers/cargo_manifest.rs` around lines 120 - 131, The
agent built inside the #[cfg(feature = "platform-certs")] block does not pick up
proxy settings, so modify that agent construction to include the same proxy
configuration used by base_ureq_agent() in tauri-bundler: when building the
ureq::Agent via ureq::Agent::config_builder(), add the proxy configuration from
ureq::Proxy::try_from_env() (or the same proxy helper used by base_ureq_agent())
into the builder before calling .build(), keep the existing tls_config(...) and
.new_agent() calls, and preserve the existing agent.get(&url).call().ok()? error
handling; this ensures users behind a proxy can fetch crate versions when
platform-certs is enabled.
