feat: add a new option to remove unused commands (#12890)

* Add a new option to remove unused commands

* Fix compile

* Add markers to all core plugins

* Clippy

* Add allow unused when running with this

* Use build script to generate allowed-commands.json

* Clean up and add proper reruns

* Wrong path

* Revert to #[cfg_attr(not(debug_assertions), allow(unused))]

* Add change files

* Some more docs

* Add version requirement note

* Avoid rerun if no capabilities folder

* Remove unused box

* small cleanup

* fix channel

* implement for app handler too

* rely on core:default for channel perms

* Move this feature to config

* Docs change

* Forget one last remove_unused_commands

* Remove removeUnusedCommands from helloworld

* tell handler that the app ACL manifest exists

* update change file

* update doc

* update change file

* Use a struct to pass the data instead of env var

* Clippy

* Fix can't exclude inlined plugins on Windows
due to UNC paths...

* Apply suggestion from code review

* Remove remove on empty to tauri-build

* Revert "Remove remove on empty to tauri-build"

This reverts commit b727dd6.

* Centralize remove_file(allowed_commands_file_path)

* Escape glob pattern

* update change file

* remove unused commands for dev too

* Update crates/tauri-utils/src/config.rs

Co-authored-by: Fabian-Lars <github@fabianlars.de>

* regen schema

---------

Co-authored-by: Lucas Nogueira <lucas@tauri.app>
Co-authored-by: Fabian-Lars <github@fabianlars.de>

Author: 3 people

.changes/remove-unused-commands-cli.md

@@ -0,0 +1,5 @@
+---
+tauri-cli: 'minor:feat'
+---
+
+Reads `build > removeUnusedCommands` from the config file and pass in the environment variables on the build command to trigger the build scripts and macros to remove unused commands based on the capabilities you defined. For this to work on inlined plugins you must add a `#![plugin(<insert_plugin_name>)]` inside the `tauri::generate_handler![]` usage and the app manifest must be set.

.changes/remove-unused-commands.md

@@ -0,0 +1,10 @@
+---
+tauri: 'minor:feat'
+tauri-build: 'minor:feat'
+tauri-codegen: 'minor:feat'
+tauri-macros: 'minor:feat'
+tauri-plugin: 'minor:feat'
+tauri-utils: 'minor:feat'
+---
+
+Added `build > removeUnusedCommands` to trigger the build scripts and macros to remove unused commands based on the capabilities you defined. Note this won't be accounting for dynamically added ACLs so make sure to check it when using this.

Cargo.lock

@@ -70,3 +70,4 @@ opt-level = "s"
 [patch.crates-io]
 schemars_derive = { git = 'https://github.com/tauri-apps/schemars.git', branch = 'feat/preserve-description-newlines' }
 tauri = { path = "./crates/tauri" }
+tauri-plugin = { path = "./crates/tauri-plugin" }

Cargo.toml

@@ -11,7 +11,9 @@ use std::{
 use anyhow::{Context, Result};
 use tauri_utils::{
   acl::{
-    capability::Capability, manifest::Manifest, schema::CAPABILITIES_SCHEMA_FOLDER_PATH,
+    capability::Capability,
+    manifest::{Manifest, PermissionFile},
+    schema::CAPABILITIES_SCHEMA_FOLDER_PATH,
     ACL_MANIFESTS_FILE_NAME, APP_ACL_KEY, CAPABILITIES_FILE_NAME,
   },
   platform::Target,
@@ -155,11 +157,17 @@ fn read_plugins_manifests() -> Result<BTreeMap<String, Manifest>> {
   Ok(manifests)
 }
 
+struct InlinedPuginsAcl {
+  manifests: BTreeMap<String, Manifest>,
+  permission_files: BTreeMap<String, Vec<PermissionFile>>,
+}
+
 fn inline_plugins(
   out_dir: &Path,
   inlined_plugins: HashMap<&'static str, InlinedPlugin>,
-) -> Result<BTreeMap<String, Manifest>> {
+) -> Result<InlinedPuginsAcl> {
   let mut acl_manifests = BTreeMap::new();
+  let mut permission_files_map = BTreeMap::new();
 
   for (name, plugin) in inlined_plugins {
     let plugin_out_dir = out_dir.join("plugins").join(name);
@@ -236,18 +244,29 @@ permissions = [{default_permissions}]
       )?);
     }
 
+    permission_files_map.insert(name.into(), permission_files.clone());
+
     let manifest = tauri_utils::acl::manifest::Manifest::new(permission_files, None);
     acl_manifests.insert(name.into(), manifest);
   }
 
-  Ok(acl_manifests)
+  Ok(InlinedPuginsAcl {
+    manifests: acl_manifests,
+    permission_files: permission_files_map,
+  })
+}
+
+#[derive(Debug)]
+struct AppManifestAcl {
+  manifest: Manifest,
+  permission_files: Vec<PermissionFile>,
 }
 
 fn app_manifest_permissions(
   out_dir: &Path,
   manifest: AppManifest,
   inlined_plugins: &HashMap<&'static str, InlinedPlugin>,
-) -> Result<Manifest> {
+) -> Result<AppManifestAcl> {
   let app_out_dir = out_dir.join("app-manifest");
   fs::create_dir_all(&app_out_dir)?;
   let pkg_name = "__app__";
@@ -290,6 +309,7 @@ fn app_manifest_permissions(
     let inlined_plugins_permissions: Vec<_> = inlined_plugins
       .keys()
       .map(|name| permissions_root.join(name))
+      .flat_map(|p| p.canonicalize())
       .collect();
 
     permission_files.extend(tauri_utils::acl::build::define_permissions(
@@ -308,10 +328,10 @@ fn app_manifest_permissions(
     )?);
   }
 
-  Ok(tauri_utils::acl::manifest::Manifest::new(
-    permission_files,
-    None,
-  ))
+  Ok(AppManifestAcl {
+    permission_files: permission_files.clone(),
+    manifest: tauri_utils::acl::manifest::Manifest::new(permission_files, None),
+  })
 }
 
 fn validate_capabilities(
@@ -380,19 +400,21 @@ fn validate_capabilities(
 pub fn build(out_dir: &Path, target: Target, attributes: &Attributes) -> super::Result<()> {
   let mut acl_manifests = read_plugins_manifests()?;
 
-  let app_manifest = app_manifest_permissions(
+  let app_acl = app_manifest_permissions(
     out_dir,
     attributes.app_manifest,
     &attributes.inlined_plugins,
   )?;
-  if app_manifest.default_permission.is_some()
-    || !app_manifest.permission_sets.is_empty()
-    || !app_manifest.permissions.is_empty()
-  {
-    acl_manifests.insert(APP_ACL_KEY.into(), app_manifest);
+  let has_app_manifest = app_acl.manifest.default_permission.is_some()
+    || !app_acl.manifest.permission_sets.is_empty()
+    || !app_acl.manifest.permissions.is_empty();
+  if has_app_manifest {
+    acl_manifests.insert(APP_ACL_KEY.into(), app_acl.manifest);
   }
 
-  acl_manifests.extend(inline_plugins(out_dir, attributes.inlined_plugins.clone())?);
+  let inline_plugins_acl = inline_plugins(out_dir, attributes.inlined_plugins.clone())?;
+
+  acl_manifests.extend(inline_plugins_acl.manifests);
 
   let acl_manifests_path = save_acl_manifests(&acl_manifests)?;
   fs::copy(acl_manifests_path, out_dir.join(ACL_MANIFESTS_FILE_NAME))?;
@@ -412,5 +434,12 @@ pub fn build(out_dir: &Path, target: Target, attributes: &Attributes) -> super::
 
   tauri_utils::plugin::save_global_api_scripts_paths(out_dir);
 
+  let mut permissions_map = inline_plugins_acl.permission_files;
+  if has_app_manifest {
+    permissions_map.insert(APP_ACL_KEY.to_string(), app_acl.permission_files);
+  }
+
+  tauri_utils::acl::build::generate_allowed_commands(out_dir, permissions_map)?;
+
   Ok(())
 }

crates/tauri-build/src/acl.rs

@@ -456,12 +456,6 @@ pub fn try_build(attributes: Attributes) -> Result<()> {
   use anyhow::anyhow;
 
   println!("cargo:rerun-if-env-changed=TAURI_CONFIG");
-  #[cfg(feature = "config-json")]
-  println!("cargo:rerun-if-changed=tauri.conf.json");
-  #[cfg(feature = "config-json5")]
-  println!("cargo:rerun-if-changed=tauri.conf.json5");
-  #[cfg(feature = "config-toml")]
-  println!("cargo:rerun-if-changed=Tauri.toml");
 
   let target_os = env::var("CARGO_CFG_TARGET_OS").unwrap();
   let mobile = target_os == "ios" || target_os == "android";
@@ -471,12 +465,11 @@ pub fn try_build(attributes: Attributes) -> Result<()> {
   let target_triple = env::var("TARGET").unwrap();
   let target = tauri_utils::platform::Target::from_triple(&target_triple);
 
-  let (config, merged_config_path) =
-    tauri_utils::config::parse::read_from(target, env::current_dir().unwrap())?;
-  if let Some(merged_config_path) = merged_config_path {
-    println!("cargo:rerun-if-changed={}", merged_config_path.display());
+  let (mut config, config_paths) =
+    tauri_utils::config::parse::read_from(target, &env::current_dir().unwrap())?;
+  for config_file_path in config_paths {
+    println!("cargo:rerun-if-changed={}", config_file_path.display());
   }
-  let mut config = serde_json::from_value(config)?;
   if let Ok(env) = env::var("TAURI_CONFIG") {
     let merge_config: serde_json::Value = serde_json::from_str(&env)?;
     json_patch::merge(&mut config, &merge_config);

crates/tauri-build/src/lib.rs

@@ -69,7 +69,9 @@
     },
     "build": {
       "description": "The build configuration.",
-      "default": {},
+      "default": {
+        "removeUnusedCommands": false
+      },
       "allOf": [
         {
           "$ref": "#/definitions/BuildConfig"
@@ -1797,6 +1799,11 @@
           "items": {
             "type": "string"
           }
+        },
+        "removeUnusedCommands": {
+          "description": "Try to remove unused commands registered from plugins base on the ACL list during `tauri build`,\n the way it works is that tauri-cli will read this and set the environment variables for the build script and macros,\n and they'll try to get all the allowed commands and remove the rest\n\n Note:\n   - This won't be accounting for dynamically added ACLs so make sure to check it when using this\n   - This feature requires tauri-plugin 2.1 and tauri 2.4",
+          "default": false,
+          "type": "boolean"
         }
       },
       "additionalProperties": false

crates/tauri-cli/config.schema.json

@@ -182,7 +182,7 @@ pub fn setup(
       return Err(anyhow::anyhow!(
           "The configured frontendDist includes the `{:?}` {}. Please isolate your web assets on a separate folder and update `tauri.conf.json > build > frontendDist`.",
           out_folders,
-          if out_folders.len() == 1 { "folder" }else { "folders" }
+          if out_folders.len() == 1 { "folder" } else { "folders" }
         )
       );
     }

crates/tauri-cli/src/build.rs

@@ -6,6 +6,7 @@ use itertools::Itertools;
 use json_patch::merge;
 use serde_json::Value as JsonValue;
 
+use tauri_utils::acl::REMOVE_UNUSED_COMMANDS_ENV_VAR;
 pub use tauri_utils::{config::*, platform::Target};
 
 use std::{
@@ -153,7 +154,7 @@ fn get_internal(
   let mut extensions = HashMap::new();
 
   if let Some((platform_config, config_path)) =
-    tauri_utils::config::parse::read_platform(target, tauri_dir.to_path_buf())?
+    tauri_utils::config::parse::read_platform(target, tauri_dir)?
   {
     merge(&mut config, &platform_config);
     extensions.insert(
@@ -213,6 +214,10 @@ fn get_internal(
     );
   }
 
+  if config.build.remove_unused_commands {
+    std::env::set_var(REMOVE_UNUSED_COMMANDS_ENV_VAR, tauri_dir);
+  }
+
   *config_handle().lock().unwrap() = Some(ConfigMetadata {
     target,
     inner: config,

crates/tauri-cli/src/helpers/config.rs

@@ -18,13 +18,13 @@ use proc_macro2::TokenStream;
 use quote::quote;
 use sha2::{Digest, Sha256};
 use syn::Expr;
-use tauri_utils::acl::{ACL_MANIFESTS_FILE_NAME, CAPABILITIES_FILE_NAME};
 use tauri_utils::{
-  acl::capability::{Capability, CapabilityFile},
-  acl::manifest::Manifest,
-  acl::resolved::Resolved,
+  acl::{
+    get_capabilities, manifest::Manifest, resolved::Resolved, ACL_MANIFESTS_FILE_NAME,
+    CAPABILITIES_FILE_NAME,
+  },
   assets::AssetKey,
-  config::{CapabilityEntry, Config, FrontendDist, PatternKind},
+  config::{Config, FrontendDist, PatternKind},
   html::{inject_nonce_token, parse as parse_html, serialize_node as serialize_html_node, NodeRef},
   platform::Target,
   tokens::{map_lit, str_lit},
@@ -386,34 +386,14 @@ pub fn context_codegen(data: ContextData) -> EmbeddedAssetsResult<TokenStream> {
   };
 
   let capabilities_file_path = out_dir.join(CAPABILITIES_FILE_NAME);
-  let mut capabilities_from_files: BTreeMap<String, Capability> = if capabilities_file_path.exists()
-  {
-    let capabilities_file =
-      std::fs::read_to_string(capabilities_file_path).expect("failed to read capabilities");
-    serde_json::from_str(&capabilities_file).expect("failed to parse capabilities")
-  } else {
-    Default::default()
-  };
+  let capabilities = get_capabilities(
+    &config,
+    Some(&capabilities_file_path),
+    additional_capabilities.as_deref(),
+  )
+  .unwrap();
 
-  let mut capabilities = if config.app.security.capabilities.is_empty() {
-    capabilities_from_files
-  } else {
-    let mut capabilities = BTreeMap::new();
-    for capability_entry in &config.app.security.capabilities {
-      match capability_entry {
-        CapabilityEntry::Inlined(capability) => {
-          capabilities.insert(capability.identifier.clone(), capability.clone());
-        }
-        CapabilityEntry::Reference(id) => {
-          let capability = capabilities_from_files
-            .remove(id)
-            .unwrap_or_else(|| panic!("capability with identifier {id} not found"));
-          capabilities.insert(id.clone(), capability);
-        }
-      }
-    }
-    capabilities
-  };
+  let resolved = Resolved::resolve(&acl, capabilities, target).expect("failed to resolve ACL");
 
   let acl_tokens = map_lit(
     quote! { ::std::collections::BTreeMap },
@@ -422,29 +402,6 @@ pub fn context_codegen(data: ContextData) -> EmbeddedAssetsResult<TokenStream> {
     identity,
   );
 
-  if let Some(paths) = additional_capabilities {
-    for path in paths {
-      let capability = CapabilityFile::load(&path)
-        .unwrap_or_else(|e| panic!("failed to read capability {}: {e}", path.display()));
-      match capability {
-        CapabilityFile::Capability(c) => {
-          capabilities.insert(c.identifier.clone(), c);
-        }
-        CapabilityFile::List(capabilities_list)
-        | CapabilityFile::NamedList {
-          capabilities: capabilities_list,
-        } => {
-          capabilities.extend(
-            capabilities_list
-              .into_iter()
-              .map(|c| (c.identifier.clone(), c)),
-          );
-        }
-      }
-    }
-  }
-
-  let resolved = Resolved::resolve(&acl, capabilities, target).expect("failed to resolve ACL");
   let runtime_authority = quote!(#root::ipc::RuntimeAuthority::new(#acl_tokens, #resolved));
 
   let plugin_global_api_scripts = if config.app.with_global_tauri {