tauri-scope_skill

This skill guides configuring Tauri scopes to enforce secure, fine-grained command access and runtime policy in desktop apps.

12

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill dchuk/claude-code-tauri-skills --skill tauri-scope

  • SKILL.md10.6 KB

Overview

This skill guides you through configuring Tauri v2 command scopes to secure command and resource access. It covers filesystem and HTTP scope patterns, dynamic runtime scope management, remote URL capabilities, and practical configuration examples. The content focuses on actionable rules you can apply to capability files and Rust code to enforce least privilege.

How this skill works

Scopes are declared in capability JSON or TOML files and passed to commands at runtime. Commands must validate and enforce the provided scopes; deny rules take precedence over allow rules. Filesystem scopes use glob-compatible path patterns and runtime-injected path variables, while HTTP scopes use URL patterns. Dynamic scope changes can be made safely from Rust via FsExt with explicit validation.

When to use it

  • When you need fine-grained control over which filesystem paths a command may access
  • When restricting outbound network access to specific APIs or domains
  • When you must prevent access to sensitive directories inside otherwise allowed paths
  • When granting temporary or user-approved access at runtime
  • When defining reusable permission sets for multiple windows or platforms

Best practices

  • Minimize scopes: allow only the exact paths or URLs your feature requires
  • Use deny rules to explicitly block sensitive folders even inside allowed globs
  • Prefer command-specific permissions instead of broad global scopes
  • Validate and sanitize any path or URL before expanding scopes at runtime
  • Use injected path variables (e.g., $APPDATA, $DOCUMENT) instead of hardcoded paths
  • Audit command implementations: enforce scope checks server-side in your command code

Example use cases

  • Allow read-only access to application data: permit $APPDATA/** for read commands and deny sensitive subfolders
  • Limit HTTP access to backend APIs and CDNs using https://api.example.com/\* and https://*.cdn.example.com/**
  • Restrict document editing to $DOCUMENT/** while denying hidden files or private key patterns
  • Dynamically allow a user-selected directory for file import after verifying existence and intent
  • Define a permission set that combines recursive appdata access with deny rules for .ssh and .gnupg

FAQ

Deny rules take precedence. If a path matches any deny pattern, access is blocked even if an allow pattern also matches.

Can I modify scopes at runtime?

Yes. Use the FsExt trait in Rust (e.g., allow_directory, allow_file) but always validate paths and prefer static configuration when possible.

Which files define scopes?

Primary capability files are in src-tauri/capabilities/default.json and additional files in src-tauri/capabilities/*.json; plugins or custom permissions can use TOML files under permissions.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational