
fix(acl): rebase runtime-resolved scope ids past baked ACL #15291

Open
derek-knox wants to merge 16 commits into tauri-apps:dev from derek-knox:fix/dynamic-acl-scope-id-collision


@derek-knox derek-knox commented Apr 24, 2026

Summary

Runtime-added capabilities (feature dynamic-acl) collided with build-time-baked ACL scopes because Resolved::resolve restarts scope_id at 0 on each call. Fresh scope entries were merged into an unrelated plugin's bucket — e.g. an http url-shape entry landing inside opener's path-shape bucket at scope_id=1, later failing plugin-http's EntryRaw deserializer.

Adds a small rebase_scope_ids helper that offsets every scope_id in the fresh Resolved by the current max baked scope_id before the existing merge loop. Zero-offset is a no-op for the first-capability case.

Note

I'm under the impression I followed all guidelines, but if I missed something just let me know.

Happy to add an integration-level test exercising the full add_capability path if preferred—kept it out to keep the diff tight. Just let me know.

Why this is safe

  • Reached only via #[cfg(feature = "dynamic-acl")]; default builds unaffected.
  • No public API change; rebase_scope_ids is crate-private and feature-gated.
  • No new dependencies, no schema/config surface changes.
  • Offset is additive and deterministic; baked scope ids are immutable after RuntimeAuthority::new.

Verification

  • New unit tests in crates/tauri/src/ipc/authority.rs mod tests:
    • rebase_scope_ids_shifts_keys_and_scope_ids
    • rebase_scope_ids_zero_offset_is_noop
    • rebase_scope_ids_prevents_cross_plugin_scope_collision (regression for the exact bug)
  • cargo fmt --all -- --check, cargo clippy --all-targets --all-features -- -D warnings, cargo test -p tauri --all-features pass locally.
  • Manually verified against a Tauri app that registers a plugin-http capability at runtime via app.add_capability(...); EntryRaw deserialization no longer fails.

Change file: .changes/fix-dynamic-acl-scope-id-collision.md (patch:bug on tauri).
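
The collision and the rebase described in the summary above, as an added example that is not code from this pull request or from Tauri: `ResolvedModel`, `single`, `merge`, `rebase` and `max_scope_id` are hypothetical simplifications, and the command names and scope entries are constructed sample values.

```rust
use std::collections::BTreeMap;

// Hypothetical, simplified model of a resolved ACL (not Tauri's real types):
// each scope id owns one bucket of raw entries that a single plugin parses.
#[derive(Debug, Default, Clone, PartialEq)]
struct ResolvedModel {
    command_scopes: BTreeMap<String, Vec<u64>>,
    scopes: BTreeMap<u64, Vec<String>>,
}

// Constructed sample: one command, one entry, numbered as a fresh resolve pass would.
fn single(cmd: &str, entry: &str) -> ResolvedModel {
    let mut r = ResolvedModel::default();
    r.command_scopes.insert(cmd.to_string(), vec![1]);
    r.scopes.insert(1, vec![entry.to_string()]);
    r
}

// Merge step: buckets that share an id are concatenated.
fn merge(mut baked: ResolvedModel, fresh: ResolvedModel) -> ResolvedModel {
    for (cmd, ids) in fresh.command_scopes {
        baked.command_scopes.entry(cmd).or_default().extend(ids);
    }
    for (id, entries) in fresh.scopes {
        baked.scopes.entry(id).or_default().extend(entries);
    }
    baked
}

// Shift every scope id in `fresh`: bucket keys and command references alike.
fn rebase(fresh: ResolvedModel, offset: u64) -> ResolvedModel {
    ResolvedModel {
        command_scopes: fresh.command_scopes.into_iter()
            .map(|(cmd, ids)| (cmd, ids.into_iter().map(|id| id + offset).collect::<Vec<_>>()))
            .collect(),
        scopes: fresh.scopes.into_iter().map(|(id, e)| (id + offset, e)).collect(),
    }
}

fn max_scope_id(r: &ResolvedModel) -> u64 {
    r.scopes.keys().next_back().copied().unwrap_or(0)
}

fn main() {
    let baked = single("plugin:opener|open_path", r#"{"path":"$HOME/docs"}"#);
    let fresh = single("plugin:http|fetch", r#"{"url":"https://example.com/*"}"#);
    println!("no rebase: {:?}", merge(baked.clone(), fresh.clone()).scopes);
    let rebased = rebase(fresh, max_scope_id(&baked));
    println!("rebased:   {:?}", merge(baked, rebased).scopes);
}
```
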

@derek-knox derek-knox marked this pull request as ready for review April 24, 2026 20:52
@derek-knox derek-knox requested a review from a team as a code owner April 24, 2026 20:52
@derek-knox derek-knox force-pushed the fix/dynamic-acl-scope-id-collision branch from f64bbea to e7a55b1 Compare April 24, 2026 21:03
@github-actions
Contributor

github-actions Bot commented Apr 25, 2026

Package Changes Through 6dce431

There is 1 change which includes tauri with patch

Planned Package Versions

The following package releases are planned based on the context of changes in this pull request.

package current next
tauri 2.11.0 2.11.1

Add another change file through the GitHub UI by following this link.


Read about change files or the docs at github.com/jbolda/covector

@derek-knox
Author

@tweidinger No worries if this isn't at the top of your list, as I know open source is hard. Is there anything I can do/improve in the PR to make it easier for you?

@Legend-Master Legend-Master added this to the 2.11 milestone Apr 30, 2026
@FabianLars FabianLars modified the milestones: 2.11, 2.12 May 1, 2026
@tweidinger
Contributor

I'm traveling without personal laptop and asked @chippers to review this and get it merged into dev.

@chippers
Member

chippers commented May 2, 2026

> I'm traveling without personal laptop and asked @chippers to review this and get it merged into dev.

Seen this, I have eyes on it but I don't have an ETA for when I can get to it. Ideally this weekend.

@derek-knox
Author

@chippers Sounds good, thanks for the heads up.

5 participants