// Tauri commands, permissions, capabilities, security config, path handling, cross-platform file ops, and native filesystem APIs. Use when mentioning Tauri, desktop apps, Rust commands, invoke, capabilities, permissions, ResourceId, file paths, or platform differences.
Svelte 5 component patterns for `.svelte` files: runes, snippets, keyed lifecycles, `{#await}`, TanStack Query, SvelteMap, shadcn-svelte, and workspace observers. Use when editing Svelte components or Svelte state modules.
How a workspace-backed app under `apps/*` is composed: the isomorphic doc factory (`create<App>`), the environment factories (`open<App>Browser` / `open<App>Extension` / tauri), the `#platform/*` build-time platform DI for multi-platform (Tauri) apps, the `session` singleton, daemon/script placement under per-project `workspaces/<app>/`, and the file layout itself. Use when creating a new app, naming or placing the iso/browser/extension factory, wiring `#platform/*` subpath imports for a Tauri seam, choosing between auth-gated (Shape A) vs module-singleton (Shape B), placing the session singleton, or registering daemon/script bindings.
Epicenter auth packages: `@epicenter/auth` and the Svelte wrapper at `@epicenter/svelte/auth`, OAuth sessions, identity state, auth-owned fetch/WebSocket, and workspace lifecycle binding. Use when editing Epicenter auth clients, session state, hosted sign-in, or auth/workspace integration.
Better Auth security hardening: rate limits, secrets, CSRF, trusted origins, cookies, sessions, OAuth tokens, and audit logging. Use when reviewing auth security, brute-force protection, token handling, or deployment safety.
Run a continuous collapse-and-simplify pass that surgically removes indirection failing to earn its boundary. Use when the user says 'collapse pass', 'simplify pass', 'reduce indirection', 'shrink the surface', 'find what to delete', when asking to audit a package for dead abstractions, or when the goal is a sequence of small refactor commits that delete more than they add. Pairs with code-audit (smell catalog), refactoring (per-change mechanics), one-sentence-test (cohesion gate), cohesive-clean-breaks (deep redesigns), approachability-audit (first-read sanity), and post-implementation-review (second-read after each commit).
TypeScript config conventions for this monorepo: the two-base layering, the eight leaf tiers, and the never-redeclare list. Use when adding a package, editing any tsconfig.json, picking a tier for a new app, or debugging module resolution.
| name | tauri |
| description | Tauri commands, permissions, capabilities, security config, path handling, cross-platform file ops, and native filesystem APIs. Use when mentioning Tauri, desktop apps, Rust commands, invoke, capabilities, permissions, ResourceId, file paths, or platform differences. |
| metadata | {"author":"epicenter","version":"1.0"} |
Use this pattern when you need to:
@tauri-apps/api/path and Node/Bun path APIs.join(), dirname(), and related helpers.@tauri-apps/plugin-fs operations.#[tauri::command], register them with generate_handler!, and return Result<T, E> for fallible work.app.security.capabilities, scoped to the windows or webviews that need them. Avoid broad permission wildcards.devCsp, asset protocol configuration, convertFileSrc, freezePrototype, and remote IPC as security-sensitive config.ResourceIds. Do not serialize complex long-lived objects through command responses.Never ship app.security.csp: null (that disables CSP entirely). The
highest-value directive is connect-src: locking it to your API origin plus
Tauri's IPC blocks an injected same-origin script from exfiltrating in-memory
secrets (tokens, keys) to an attacker host. Set both csp (production) and
devCsp (the dev override, which replaces csp during tauri dev):
"security": {
// Tauri's tauri-codegen hashes every inline <script> in the built
// frontendDist and injects the hashes, so production script-src does NOT
// need 'unsafe-inline' (a SvelteKit SPA still boots via its hash).
"csp": "default-src 'self'; connect-src 'self' ipc: http://ipc.localhost https://api.example.com wss://api.example.com; img-src 'self' data: blob: https:; style-src 'self' 'unsafe-inline'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
// Dev loads from the Vite server (not the hashed build), so its inline/HMR
// scripts ARE unhashed: devCsp must keep 'unsafe-inline' (+ 'unsafe-eval')
// and add the localhost dev origins.
"devCsp": "default-src 'self'; connect-src 'self' ipc: http://ipc.localhost http://localhost:5173 ws://localhost:5173 https://api.example.com wss://api.example.com; img-src 'self' data: blob: https:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'none'; base-uri 'self'"
}
Rules: always include ipc: http://ipc.localhost in connect-src or invoke()
breaks; only list asset: / http://asset.localhost if the asset protocol is
actually enabled (convertFileSrc); always smoke-test a real tauri dev AND a
release build, watching the webview console for CSP violations.
When a Tauri app uses tauri-specta, keep the Rust command registry, generated TypeScript bindings, and handwritten frontend wrapper in sync.
tauri_specta::collect_commands! builder.tauri_specta::collect_events!, even when no command returns that event type.#[tauri_specta(event_name = "...")] on the event type. Do not invent #[tauri_specta::event(...)] unless installed macro docs or local macro source prove that form exists.lib.rs imports them for the builder.bindings.gen.ts as derived output. Commit regenerated bindings only when the Rust IPC surface intentionally changed. If a command only fixes Rust compile shape without changing the public IPC contract, avoid broad generated churn.tauri::ipc::Response cannot be generated by specta because the body is not specta::Type. Mount those through a separate tauri::generate_handler! route and keep a small handwritten TypeScript wrapper.Verification for IPC changes usually needs both sides:
cargo check --manifest-path apps/whispering/src-tauri/Cargo.toml
bun run --cwd apps/whispering bindings:tauri
If binding generation rewrites unrelated sections, inspect the diff before committing it.
Before choosing a path API, determine your execution context:
| Context | Location | Correct API |
|---|---|---|
| Tauri frontend | apps/*/src/**/*.ts, apps/*/src/**/*.svelte | @tauri-apps/api/path |
| Node.js/Bun backend | packages/**/*.ts, CLI tools | Node.js path module |
Rule: If the code runs in the browser (Tauri webview), use Tauri's path APIs. If it runs in Node.js/Bun, use the Node.js path module.
@tauri-apps/api/path| Function | Purpose | Example |
|---|---|---|
join(...paths) | Join path segments with platform separator | await join(baseDir, 'workspaces', id) |
dirname(path) | Get parent directory | await dirname('/foo/bar/file.txt') → /foo/bar |
basename(path, ext?) | Get filename, optionally strip extension | await basename('/foo/bar.txt', '.txt') → bar |
extname(path) | Get file extension | await extname('file.txt') → .txt |
normalize(path) | Resolve .. and . segments | await normalize('/foo/bar/../baz') → /foo/baz |
resolve(...paths) | Resolve to absolute path | await resolve('relative', 'path') |
isAbsolute(path) | Check if path is absolute | await isAbsolute('/foo') → true |
| Function | Purpose | Returns |
|---|---|---|
sep() | Platform path separator | \ on Windows, / on POSIX |
delimiter() | Platform path delimiter | ; on Windows, : on POSIX |
| Function | Purpose |
|---|---|
appLocalDataDir() | App's local data directory |
appDataDir() | App's roaming data directory |
appConfigDir() | App's config directory |
appCacheDir() | App's cache directory |
appLogDir() | App's log directory |
tempDir() | System temp directory |
resourceDir() | App's resource directory |
resolveResource(path) | Resolve path relative to resources |
import { appLocalDataDir, dirname, join } from '@tauri-apps/api/path';
// Join path segments; handles platform separators automatically
const baseDir = await appLocalDataDir();
const filePath = await join(baseDir, 'workspaces', workspaceId, 'data.json');
// Get parent directory; cleaner than manual slicing
const parentDir = await dirname(filePath);
await mkdir(parentDir, { recursive: true });
For human-readable log output, hardcoded / is acceptable since it's not used for filesystem operations:
// OK for logging; consistent cross-platform log output
const logPath = pathSegments.join('/');
console.log(`[Persistence] Loading from ${logPath}`);
// BAD: Hardcoded separator breaks on Windows
const filePath = baseDir + '/' + 'workspaces' + '/' + id;
// BAD: Template literal with hardcoded separator
const filePath = `${baseDir}/workspaces/${id}`;
// GOOD: Use join()
const filePath = await join(baseDir, 'workspaces', id);
// BAD: Manual slicing is error-prone
const parentSegments = pathSegments.slice(0, -1);
const parentDir = await join(baseDir, ...parentSegments);
// GOOD: Use dirname()
const parentDir = await dirname(filePath);
// BAD: Windows uses backslashes
const configPath = appDir + '/config.json';
// GOOD: Platform-agnostic
const configPath = await join(appDir, 'config.json');
// BAD: Splitting on '/' fails on Windows paths
const parts = filePath.split('/');
// GOOD: Use dirname/basename for extraction
const dir = await dirname(filePath);
const file = await basename(filePath);
Always import from @tauri-apps/api/path:
import {
appLocalDataDir,
dirname,
join,
basename,
extname,
normalize,
resolve,
sep,
} from '@tauri-apps/api/path';
All Tauri path functions are async because they communicate with the Rust backend via IPC. Always await them:
// All path operations return Promises
const baseDir = await appLocalDataDir();
const filePath = await join(baseDir, 'file.txt');
const parent = await dirname(filePath);
const separator = await sep();
Use @tauri-apps/plugin-fs for file operations, combined with Tauri path APIs:
import { appLocalDataDir, dirname, join } from '@tauri-apps/api/path';
import { mkdir, readFile, writeFile } from '@tauri-apps/plugin-fs';
async function saveData(segments: string[], data: Uint8Array) {
const baseDir = await appLocalDataDir();
const filePath = await join(baseDir, ...segments);
// Ensure parent directory exists
const parentDir = await dirname(filePath);
await mkdir(parentDir, { recursive: true });
await writeFile(filePath, data);
}
Prefer app-owned identifiers over frontend-controlled paths when the native side owns data.
capabilities/*.json, Cargo.toml, or package.json should be paired with removing stale docs and UI that still describe that permission.The frontend can remember user intent. Rust enforces the filesystem boundary.