Windows port PR 1: compile + launch + unsigned CI

.github/workflows/desktop-build.yml

@@ -231,3 +231,90 @@ jobs:
             frontend/src-tauri/target/release/bundle/appimage/*.AppImage
             frontend/src-tauri/target/release/bundle/deb/*.deb
           retention-days: 5
+
+  build-windows:
+    runs-on: windows-latest
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # was v4
+        with:
+          persist-credentials: false
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@f4d14e03ff726c06358e5557344e1da148b56cf7 # was v1
+        with:
+          bun-version: 1.3.5
+
+      - name: Install Rust
+        uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # was stable
+        with:
+          toolchain: 1.95.0
+
+      - name: Install sccache
+        shell: bash
+        run: |
+          SCCACHE_VERSION=0.8.2
+          SCCACHE_SHA256="de5e9f66bb8a6bbdf0e28cb8a086a8d12699af796bf70bcd9dc40d80715bf9b8"
+          SCCACHE_ARCHIVE="sccache-v${SCCACHE_VERSION}-x86_64-pc-windows-msvc.tar.gz"
+          SCCACHE_URL="https://github.com/mozilla/sccache/releases/download/v${SCCACHE_VERSION}/${SCCACHE_ARCHIVE}"
+          # Run download/verify/extract inside a subshell cd'd to RUNNER_TEMP so
+          # the archive and target dir are referenced by relative names. MSYS2 tar
+          # mangles Windows paths like D:\a when given absolute -C/-f arguments
+          # (even with --force-local); relative paths sidestep that.
+          (
+            cd "$RUNNER_TEMP"
+            curl --fail --location --show-error --silent "$SCCACHE_URL" --output "$SCCACHE_ARCHIVE"
+            echo "${SCCACHE_SHA256}  ${SCCACHE_ARCHIVE}" | sha256sum --check -
+            tar xzf "$SCCACHE_ARCHIVE"
+          )
+          SCCACHE_BIN_DIR="$RUNNER_TEMP/sccache-v${SCCACHE_VERSION}-x86_64-pc-windows-msvc"
+          echo "$SCCACHE_BIN_DIR" >> "$GITHUB_PATH"
+          "$SCCACHE_BIN_DIR/sccache.exe" --version
+
+      - name: Cache sccache
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # was v4
+        with:
+          path: ~\AppData\Local\Mozilla\sccache
+          key: ${{ runner.os }}-sccache-windows-${{ hashFiles('**/Cargo.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-sccache-windows-
+            ${{ runner.os }}-sccache-
+
+      - name: Provide ONNX Runtime (Windows)
+        shell: bash
+        run: |
+          ./frontend/src-tauri/scripts/provide-windows-onnxruntime.sh >> "$GITHUB_ENV"
+
+      - name: Install frontend dependencies
+        working-directory: ./frontend
+        run: bun install --frozen-lockfile --ignore-scripts
+
+      - name: Configure sccache
+        shell: bash
+        run: |
+          {
+            echo "RUSTC_WRAPPER=sccache"
+            echo "SCCACHE_CACHE_SIZE=2G"
+          } >> "$GITHUB_ENV"
+
+      - name: Build Tauri App (Windows)
+        uses: tauri-apps/tauri-action@84b9d35b5fc46c1e45415bdb6144030364f7ebc5 # was v0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
+          TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
+          VITE_OPEN_SECRET_API_URL: https://enclave.trymaple.ai
+          VITE_MAPLE_BILLING_API_URL: https://billing.opensecret.cloud
+          VITE_CLIENT_ID: ba5a14b5-d915-47b1-b7b1-afda52bc5fc6
+        with:
+          projectPath: './frontend'
+
+      - name: Show sccache stats
+        run: sccache --show-stats
+
+      - name: Upload Windows Build
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # was v4
+        with:
+          name: maple-windows-x64
+          path: |
+            frontend/src-tauri/target/release/bundle/nsis/*.exe
+          retention-days: 5

.github/workflows/desktop-pr-build.yml

@@ -197,3 +197,87 @@ jobs:
             frontend/src-tauri/target/release/bundle/appimage/*.AppImage
             frontend/src-tauri/target/release/bundle/deb/*.deb
           retention-days: 5
+
+  build-windows:
+    runs-on: windows-latest
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # was v4
+        with:
+          persist-credentials: false
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@f4d14e03ff726c06358e5557344e1da148b56cf7 # was v1
+        with:
+          bun-version: 1.3.5
+
+      - name: Install Rust
+        uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # was stable
+        with:
+          toolchain: 1.95.0
+
+      - name: Install sccache
+        shell: bash
+        run: |
+          SCCACHE_VERSION=0.8.2
+          SCCACHE_SHA256="de5e9f66bb8a6bbdf0e28cb8a086a8d12699af796bf70bcd9dc40d80715bf9b8"
+          SCCACHE_ARCHIVE="sccache-v${SCCACHE_VERSION}-x86_64-pc-windows-msvc.tar.gz"
+          SCCACHE_URL="https://github.com/mozilla/sccache/releases/download/v${SCCACHE_VERSION}/${SCCACHE_ARCHIVE}"
+          # Run download/verify/extract inside a subshell cd'd to RUNNER_TEMP so
+          # the archive and target dir are referenced by relative names. MSYS2 tar
+          # mangles Windows paths like D:\a when given absolute -C/-f arguments
+          # (even with --force-local); relative paths sidestep that.
+          (
+            cd "$RUNNER_TEMP"
+            curl --fail --location --show-error --silent "$SCCACHE_URL" --output "$SCCACHE_ARCHIVE"
+            echo "${SCCACHE_SHA256}  ${SCCACHE_ARCHIVE}" | sha256sum --check -
+            tar xzf "$SCCACHE_ARCHIVE"
+          )
+          SCCACHE_BIN_DIR="$RUNNER_TEMP/sccache-v${SCCACHE_VERSION}-x86_64-pc-windows-msvc"
+          echo "$SCCACHE_BIN_DIR" >> "$GITHUB_PATH"
+          "$SCCACHE_BIN_DIR/sccache.exe" --version
+
+      - name: Cache sccache
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # was v4
+        with:
+          path: ~\AppData\Local\Mozilla\sccache
+          key: ${{ runner.os }}-sccache-windows-${{ hashFiles('**/Cargo.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-sccache-windows-
+            ${{ runner.os }}-sccache-
+
+      - name: Provide ONNX Runtime (Windows)
+        shell: bash
+        run: |
+          ./frontend/src-tauri/scripts/provide-windows-onnxruntime.sh >> "$GITHUB_ENV"
+
+      - name: Install frontend dependencies
+        working-directory: ./frontend
+        run: bun install --frozen-lockfile --ignore-scripts
+
+      - name: Configure sccache
+        shell: bash
+        run: |
+          {
+            echo "RUSTC_WRAPPER=sccache"
+            echo "SCCACHE_CACHE_SIZE=2G"
+          } >> "$GITHUB_ENV"
+
+      - name: Build Tauri App (Windows, unsigned)
+        working-directory: ./frontend
+        shell: bash
+        run: bun tauri build --no-sign --config '{"bundle":{"createUpdaterArtifacts":false}}'
+        env:
+          VITE_OPEN_SECRET_API_URL: https://enclave.secretgpt.ai
+          VITE_MAPLE_BILLING_API_URL: https://billing-dev.opensecret.cloud
+          VITE_CLIENT_ID: ba5a14b5-d915-47b1-b7b1-afda52bc5fc6
+
+      - name: Show sccache stats
+        run: sccache --show-stats
+
+      - name: Upload Windows PR Build
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # was v4
+        with:
+          name: maple-windows-x64-pr
+          path: |
+            frontend/src-tauri/target/release/bundle/nsis/*.exe
+          retention-days: 5

frontend/src-tauri/capabilities/default.json

@@ -11,38 +11,23 @@
     "fs:default",
     {
       "identifier": "fs:allow-read-file",
-      "allow": [
-        { "path": "$APPCONFIG/**" },
-        { "path": "$HOME/.config/maple/**" }
-      ]
+      "allow": [{ "path": "$APPCONFIG/**" }]
     },
     {
       "identifier": "fs:allow-write-file",
-      "allow": [
-        { "path": "$APPCONFIG/**" },
-        { "path": "$HOME/.config/maple/**" }
-      ]
+      "allow": [{ "path": "$APPCONFIG/**" }]
     },
     {
       "identifier": "fs:allow-create",
-      "allow": [
-        { "path": "$APPCONFIG/**" },
-        { "path": "$HOME/.config/maple/**" }
-      ]
+      "allow": [{ "path": "$APPCONFIG/**" }]
     },
     {
       "identifier": "fs:allow-exists",
-      "allow": [
-        { "path": "$APPCONFIG/**" },
-        { "path": "$HOME/.config/maple/**" }
-      ]
+      "allow": [{ "path": "$APPCONFIG/**" }]
     },
     {
       "identifier": "fs:allow-mkdir",
-      "allow": [
-        { "path": "$APPCONFIG" },
-        { "path": "$HOME/.config/maple" }
-      ]
+      "allow": [{ "path": "$APPCONFIG" }]
     },
     {
       "identifier": "opener:allow-open-url",

frontend/src-tauri/scripts/onnxruntime-pins.sh

@@ -24,6 +24,30 @@ onnxruntime_linux_x64_dylib_sha256_for_version() {
   esac
 }
 
+onnxruntime_windows_x64_archive_sha256_for_version() {
+  case "$1" in
+    1.22.0)
+      printf '%s\n' "174c616efc0271194488642a72f1a514e01487da4dfe84c49296d66e40ebe0da"
+      ;;
+    *)
+      echo "No pinned Windows x64 ONNX Runtime archive SHA-256 for version '$1'." >&2
+      return 1
+      ;;
+  esac
+}
+
+onnxruntime_windows_x64_dll_sha256_for_version() {
+  case "$1" in
+    1.22.0)
+      printf '%s\n' "579b636403983254346a5c1d80bd28f1519cd1e284cd204f8d4ff41f8d711559"
+      ;;
+    *)
+      echo "No pinned Windows x64 ONNX Runtime DLL SHA-256 for version '$1'." >&2
+      return 1
+      ;;
+  esac
+}
+
 onnxruntime_ios_commit_for_version() {
   case "$1" in
     1.22.2)

frontend/src-tauri/scripts/provide-windows-onnxruntime.sh

@@ -0,0 +1,80 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ORT_VERSION="${ORT_VERSION:-1.22.0}"
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "${SCRIPT_DIR}/onnxruntime-pins.sh"
+
+TAURI_DIR="$(cd "${SCRIPT_DIR}/.." && pwd)"
+ORT_ROOT="${TAURI_DIR}/onnxruntime-windows"
+ORT_DIR="${ORT_ROOT}/onnxruntime-win-x64-${ORT_VERSION}"
+ORT_ARCHIVE="onnxruntime-win-x64-${ORT_VERSION}.zip"
+ORT_URL="https://github.com/microsoft/onnxruntime/releases/download/v${ORT_VERSION}/${ORT_ARCHIVE}"
+ORT_DLL="${ORT_DIR}/lib/onnxruntime.dll"
+ORT_ARCHIVE_SHA256="$(onnxruntime_windows_x64_archive_sha256_for_version "${ORT_VERSION}")"
+ORT_DLL_SHA256="$(onnxruntime_windows_x64_dll_sha256_for_version "${ORT_VERSION}")"
+
+sha256_file() {
+  local path="$1"
+
+  if command -v sha256sum >/dev/null 2>&1; then
+    sha256sum "${path}" | awk '{print $1}'
+  elif command -v shasum >/dev/null 2>&1; then
+    shasum -a 256 "${path}" | awk '{print $1}'
+  elif command -v openssl >/dev/null 2>&1; then
+    openssl dgst -sha256 -r "${path}" | awk '{print $1}'
+  else
+    echo "No SHA-256 tool found. Install sha256sum, shasum, or openssl." >&2
+    return 1
+  fi
+}
+
+verify_sha256() {
+  local label="$1"
+  local path="$2"
+  local expected="$3"
+  local actual
+
+  actual="$(sha256_file "${path}")"
+  if [ "${actual}" != "${expected}" ]; then
+    echo "${label} SHA-256 mismatch for ${path}" >&2
+    echo "expected: ${expected}" >&2
+    echo "actual:   ${actual}" >&2
+    return 1
+  fi
+}
+
+# Internal bash operations (curl, unzip, sha256sum, file checks) work fine with
+# MSYS2-style /d/a/... paths. But ORT_LIB_LOCATION and ORT_DYLIB_PATH are
+# consumed by the native Windows Rust toolchain (ort crate build script) in a
+# later step, which interprets a leading /d/... as drive-relative and fails to
+# resolve. Convert paths to native Windows form at the GITHUB_ENV boundary.
+# Falls through unchanged on platforms without cygpath so the script stays
+# runnable for local sanity checks.
+to_native_path() {
+  if command -v cygpath >/dev/null 2>&1; then
+    cygpath -w "$1"
+  else
+    printf '%s' "$1"
+  fi
+}
+
+if [ ! -f "${ORT_DLL}" ]; then
+  rm -rf "${ORT_ROOT}"
+  mkdir -p "${ORT_ROOT}"
+  archive_path="${ORT_ROOT}/${ORT_ARCHIVE}"
+
+  curl -fL --retry 5 --retry-delay 2 --retry-all-errors \
+    "${ORT_URL}" \
+    --output "${archive_path}"
+
+  verify_sha256 "ONNX Runtime archive" "${archive_path}" "${ORT_ARCHIVE_SHA256}"
+  unzip -q "${archive_path}" -d "${ORT_ROOT}"
+  rm -f "${archive_path}"
+fi
+
+verify_sha256 "ONNX Runtime DLL" "${ORT_DLL}" "${ORT_DLL_SHA256}"
+
+echo "ORT_LIB_LOCATION=$(to_native_path "${ORT_DIR}")"
+echo "ORT_SKIP_DOWNLOAD=true"
+echo "ORT_DYLIB_PATH=$(to_native_path "${ORT_DLL}")"