Add Cashtab to the assetlinks.json

[Fabcien]

This adds Cashtab as an authorized deeplink handling app.

Summary by CodeRabbit

• New Features
  • Added URL handling support for the Cashtab app, enabling seamless integration with web links.

[coderabbitai]

📝 Walkthrough

Walkthrough

A new Digital Asset Link entry for com.cashtab.app is added to assetlinks.json, enabling URL delegation permissions with three SHA-256 fingerprints. No existing entries are modified, only the new entry is appended.

Changes

Cohort / File(s)	Summary
Digital Asset Links Configuration public/.well-known/assetlinks.json	Added new Digital Asset Link entry for com.cashtab.app with delegate_permission/common.handle_all_urls relation and three SHA-256 fingerprints for Android app verification.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

• Update assetlinks.json #1107: Updates Android app fingerprints in assetlinks.json for existing app entries
• feat: assetlinks json #1104: Adds Digital Asset Link entry for com.marlinwallet.app to the same assetlinks.json file

Suggested labels

enhancement (behind the scenes)

Suggested reviewers

• Klakurka

Poem

🐰 A new app link hops into place,
With fingerprints three, setting the pace,
URLs delegated, permissions all clear,
CashTab now welcomed, with digital cheer! 🪙✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	The pull request description is minimal but lacks required template sections like issue reference, test plan, and detailed rationale.	Expand the description to follow the template: add issue reference (#), provide a test plan for verifying deeplink handling, and include any relevant remarks.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely summarizes the main change: adding Cashtab to the assetlinks.json file.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@public/.well-known/assetlinks.json`:
- Around line 14-23: The assetlinks.json entry for package_name
"com.cashtab.app" currently includes the sha256_cert_fingerprint
"FA:C6:17:45:DC:09:03:78:6F:B9:ED:E6:2A:96:2B:39:9F:73:48:F0:BB:6F:89:9B:83:32:66:75:91:03:3B:9C"
which also appears in the Marlin Wallet entry; confirm whether Cashtab and
Marlin intentionally share the signing key, and if not, replace that fingerprint
in the "target" block for com.cashtab.app with the correct Cashtab release
SHA-256 fingerprint(s) (or remove any stale fingerprints), then re-generate and
redeploy public/.well-known/assetlinks.json so app-link verification uses the
correct certificate(s).

---

ℹ️ Review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 070f7ba and 0174388.

📒 Files selected for processing (1)

• public/.well-known/assetlinks.json

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat public/.well-known/assetlinks.json

Repository: PayButton/paybutton-server

Length of output: 1273

---

🏁 Script executed:

find . -type f \( -name "README*" -o -name "*.md" \) | head -20

Repository: PayButton/paybutton-server

Length of output: 173

---

🏁 Script executed:

cat README.md

Repository: PayButton/paybutton-server

Length of output: 10201

---

🏁 Script executed:

git log --oneline public/.well-known/assetlinks.json | head -20

Repository: PayButton/paybutton-server

Length of output: 112

---

🏁 Script executed:

git show 0174388 --stat

Repository: PayButton/paybutton-server

Length of output: 22681

---

🏁 Script executed:

git show 0174388:public/.well-known/assetlinks.json

Repository: PayButton/paybutton-server

Length of output: 1273

---

🏁 Script executed:

rg -i "cashtab\|marlin" --type md --type json --type ts --type tsx -A 2 -B 2 | head -100

Repository: PayButton/paybutton-server

Length of output: 97

---

🏁 Script executed:

rg -i "cashtab\|marlin" -A 2 -B 2 | head -100

Repository: PayButton/paybutton-server

Length of output: 52

---

🏁 Script executed:

git log --all --oneline | grep -i "cashtab\|marlin\|assetlinks"

Repository: PayButton/paybutton-server

Length of output: 189

---

🏁 Script executed:

git show af2d13c --stat

Repository: PayButton/paybutton-server

Length of output: 339

---

🏁 Script executed:

git show af2d13c:public/.well-known/assetlinks.json

Repository: PayButton/paybutton-server

Length of output: 366

---

🏁 Script executed:

git show 0a91e41:public/.well-known/assetlinks.json

Repository: PayButton/paybutton-server

Length of output: 675

---

🏁 Script executed:

git log --all --format="%H %s" | grep -i "cashtab\|marlin"

Repository: PayButton/paybutton-server

Length of output: 145

---

🏁 Script executed:

git show 0a91e41 --stat

Repository: PayButton/paybutton-server

Length of output: 417

---

🏁 Script executed:

git show 0a91e41

Repository: PayButton/paybutton-server

Length of output: 1129

---

🏁 Script executed:

git log --all --oneline -- public/.well-known/assetlinks.json

Repository: PayButton/paybutton-server

Length of output: 223

---

Confirm whether Cashtab and Marlin Wallet intentionally share the signing certificate.

The fingerprint FA:C6:17:45:DC:09:03:78:6F:B9:ED:E6:2A:96:2B:39:9F:73:48:F0:BB:6F:89:9B:83:32:66:75:91:03:3B:9C is present in both app entries. This could be correct if they use a shared signing key, but if Cashtab has different release certificates, this will break app-link verification or grant the wrong app URL handling permissions. Please verify Cashtab's actual signing cert(s) and confirm whether the shared key is intentional.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@public/.well-known/assetlinks.json` around lines 14 - 23, The assetlinks.json
entry for package_name "com.cashtab.app" currently includes the
sha256_cert_fingerprint
"FA:C6:17:45:DC:09:03:78:6F:B9:ED:E6:2A:96:2B:39:9F:73:48:F0:BB:6F:89:9B:83:32:66:75:91:03:3B:9C"
which also appears in the Marlin Wallet entry; confirm whether Cashtab and
Marlin intentionally share the signing key, and if not, replace that fingerprint
in the "target" block for com.cashtab.app with the correct Cashtab release
SHA-256 fingerprint(s) (or remove any stale fingerprints), then re-generate and
redeploy public/.well-known/assetlinks.json so app-link verification uses the
correct certificate(s).