⚠️

重要前提

安装AI Skills的关键前提是：必须科学上网，且开启TUN模式，这一点至关重要，直接决定安装能否顺利完成，在此郑重提醒三遍：科学上网，科学上网，科学上网。查看完整安装教程 →

Tauri 能力配置详解：权限管理与安全边界设置指南

configuring-tauri-capabilities by dchuk/claude-code-tauri-skills

48 周安装量

12 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/dchuk/claude-code-tauri-skills --skill configuring-tauri-capabilities

桌面应用 Rust 安全

🇨🇳中文介绍

Tauri 能力配置

能力是 Tauri 的权限管理系统，用于精细控制前端可以访问哪些 API 和命令。它们通过指定哪些权限适用于哪些窗口或 Webview 来定义安全边界。

什么是能力？

能力充当权限与窗口/Webview 之间的桥梁。它们：

定义特定窗口被授予或拒绝哪些权限
使开发者能够最小化前端被入侵的影响
基于窗口标签（而非标题）创建安全边界
支持特定平台目标（桌面端与移动端）

能力文件位置

能力文件位于 src-tauri/capabilities/ 目录下，使用 JSON 或 TOML 格式。

能力文件结构

能力文件包含以下字段：

字段	必需	描述
`identifier`	是	唯一的能力名称
`description`	否	用途说明

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

方法 1：独立文件（推荐）

将独立的能力文件存储在能力目录中：

src-tauri/
  capabilities/
    main.json
    editor.json
    settings.json

在 tauri.conf.json 中通过标识符引用：

{
  "app": {
    "security": {
      "capabilities": ["main-capability", "editor-capability", "settings-capability"]
    }
  }
}

方法 2：内联定义

直接在 tauri.conf.json 中嵌入能力：

{
  "app": {
    "security": {
      "capabilities": [
        {
          "identifier": "my-capability",
          "description": "用于所有窗口的能力",
          "windows": ["*"],
          "permissions": ["fs:default", "core:window:default"]
        }
      ]
    }
  }
}

方法 3：混合方法

结合基于文件的能力和内联能力：

{
  "app": {
    "security": {
      "capabilities": [
        {
          "identifier": "inline-capability",
          "windows": ["*"],
          "permissions": ["fs:default"]
        },
        "file-based-capability"
      ]
    }
  }
}

按窗口分配能力

使用窗口标签为不同窗口分配不同的权限：

{
  "identifier": "main-capability",
  "windows": ["main"],
  "permissions": ["core:window:default", "fs:default"]
}

{
  "identifier": "editor-capability",
  "windows": ["editor", "preview"],
  "permissions": ["fs:read-files", "core:event:default"]
}

通配符（所有窗口）

{
  "identifier": "global-capability",
  "windows": ["*"],
  "permissions": ["core:event:default"]
}

{
  "identifier": "dialog-capability",
  "windows": ["dialog-*"],
  "permissions": ["core:window:allow-close"]
}

权限遵循命名约定：

模式	描述
`<plugin>:default`	插件的默认权限集
`<plugin>:allow-<command>`	允许特定命令
`<plugin>:deny-<command>`	拒绝特定命令

{
  "permissions": [
    "core:path:default",
    "core:event:default",
    "core:window:default",
    "core:window:allow-set-title",
    "core:window:allow-close",
    "core:app:default",
    "core:resources:default",
    "core:menu:default",
    "core:tray:default"
  ]
}

{
  "permissions": [
    "fs:default",
    "fs:allow-read-file",
    "fs:allow-write-file",
    "shell:allow-open",
    "dialog:allow-open",
    "dialog:allow-save",
    "http:default",
    "clipboard-manager:allow-read",
    "clipboard-manager:allow-write"
  ]
}

使用 platforms 数组来定位特定平台。

仅限桌面的能力

{
  "$schema": "../gen/schemas/desktop-schema.json",
  "identifier": "desktop-capability",
  "windows": ["main"],
  "platforms": ["linux", "macOS", "windows"],
  "permissions": [
    "global-shortcut:allow-register",
    "global-shortcut:allow-unregister",
    "shell:allow-execute"
  ]
}

仅限移动端的能力

{
  "$schema": "../gen/schemas/mobile-schema.json",
  "identifier": "mobile-capability",
  "windows": ["main"],
  "platforms": ["iOS", "android"],
  "permissions": [
    "nfc:allow-scan",
    "biometric:allow-authenticate",
    "barcode-scanner:allow-scan"
  ]
}

为平台变体创建独立文件

创建平台特定的能力文件：

src-tauri/capabilities/desktop.json：

{
  "identifier": "desktop-features",
  "windows": ["main"],
  "platforms": ["linux", "macOS", "windows"],
  "permissions": ["global-shortcut:default", "shell:default"]
}

src-tauri/capabilities/mobile.json：

{
  "identifier": "mobile-features",
  "windows": ["main"],
  "platforms": ["iOS", "android"],
  "permissions": ["haptics:default", "biometric:default"]
}

允许远程 URL 访问 Tauri 命令（请谨慎使用）：

{
  "$schema": "../gen/schemas/remote-schema.json",
  "identifier": "remote-capability",
  "windows": ["main"],
  "remote": {
    "urls": ["https://*.example.com"]
  },
  "permissions": ["http:default"]
}

自定义能力示例

一个具有不同权限级别的多窗口应用程序：

src-tauri/capabilities/main.json：

{
  "$schema": "../gen/schemas/desktop-schema.json",
  "identifier": "main-window",
  "description": "主应用程序窗口的完全访问权限",
  "windows": ["main"],
  "permissions": [
    "core:default",
    "fs:default",
    "shell:allow-open",
    "dialog:default",
    "http:default",
    "clipboard-manager:default"
  ]
}

src-tauri/capabilities/settings.json：

{
  "$schema": "../gen/schemas/desktop-schema.json",
  "identifier": "settings-window",
  "description": "设置窗口的有限访问权限",
  "windows": ["settings"],
  "permissions": [
    "core:window:allow-close",
    "core:event:default",
    "fs:allow-read-file",
    "fs:allow-write-file"
  ]
}

src-tauri/capabilities/preview.json：

{
  "$schema": "../gen/schemas/desktop-schema.json",
  "identifier": "preview-window",
  "description": "预览窗口的只读访问权限",
  "windows": ["preview"],
  "permissions": [
    "core:window:default",
    "core:event:default",
    "fs:allow-read-file"
  ]
}

能力可以防范：

前端被入侵的影响
系统接口的意外暴露
前端到后端的权限提升

能力不能防范：

恶意的 Rust 代码
过于宽松的作用域
WebView 漏洞

最小权限原则：仅授予每个窗口所需的权限
按窗口分离能力：为不同的窗口创建独立的能力文件
使用描述性标识符：清晰地命名能力（例如，main-window、editor-readonly）
记录能力：包含说明其用途的描述
审查远程访问：仔细审核任何远程 URL 访问配置
测试权限边界：验证窗口无法访问未经许可的 API

生成的模式提供 IDE 自动补全功能。在能力文件中引用它们：

{
  "$schema": "../gen/schemas/desktop-schema.json"
}

构建后可用的模式：

desktop-schema.json - 桌面平台
mobile-schema.json - 移动平台
remote-schema.json - 远程访问能力

权限被拒绝错误

检查能力是否包含所需的权限，并且目标窗口标签是否正确。

确认能力文件位于 src-tauri/capabilities/ 目录中，或者在 tauri.conf.json 中明确列出。

窗口标签不匹配

能力中的窗口标签必须与在 Rust 代码中创建窗口时定义的标签匹配。标签区分大小写。

2026 年 1 月 24 日

🇺🇸English

Tauri Capabilities Configuration

Capabilities are Tauri's permission management system that granularly controls which APIs and commands the frontend can access. They define security boundaries by specifying which permissions apply to which windows or webviews.

What Are Capabilities?

Capabilities serve as the bridge between permissions and windows/webviews. They:

Define which permissions are granted or denied for specific windows
Enable developers to minimize the impact of frontend compromises
Create security boundaries based on window labels (not titles)
Support platform-specific targeting (desktop vs mobile)

Capability File Location

Capability files reside in src-tauri/capabilities/ and use JSON or TOML format.

Capability File Structure

A capability file contains:

Field	Required	Description
`identifier`	Yes	Unique capability name
`description`	No	Purpose explanation
`windows`	Yes	Target window labels (supports wildcards)
`permissions`	Yes	Array of allowed/denied operations
`platforms`	No	Target platforms (linux, macOS, windows, iOS, android)
`remote`	No	Remote URL access configuration
`$schema`	No	Reference to generated schema for IDE support

Basic Capability Example

Create src-tauri/capabilities/main.json:

{
  "$schema": "../gen/schemas/desktop-schema.json",
  "identifier": "main-capability",
  "description": "Capability for the main window",
  "windows": ["main"],
  "permissions": [
    "core:path:default",
    "core:event:default",
    "core:window:default",
    "core:app:default",
    "core:resources:default",
    "core:menu:default",
    "core:tray:default"
  ]
}

Default Capabilities

All capabilities in src-tauri/capabilities/ are automatically enabled by default. No additional configuration is required.

To explicitly control which capabilities are active, configure them in tauri.conf.json:

{
  "app": {
    "security": {
      "capabilities": ["main-capability", "editor-capability"]
    }
  }
}

When explicitly configured, only the listed capabilities apply.

Configuration Methods

Method 1: Separate Files (Recommended)

Store individual capability files in the capabilities directory:

src-tauri/
  capabilities/
    main.json
    editor.json
    settings.json

Reference by identifier in tauri.conf.json:

{
  "app": {
    "security": {
      "capabilities": ["main-capability", "editor-capability", "settings-capability"]
    }
  }
}

Method 2: Inline Definition

Embed capabilities directly in tauri.conf.json:

{
  "app": {
    "security": {
      "capabilities": [
        {
          "identifier": "my-capability",
          "description": "Capability used for all windows",
          "windows": ["*"],
          "permissions": ["fs:default", "core:window:default"]
        }
      ]
    }
  }
}

Method 3: Mixed Approach

Combine file-based and inline capabilities:

{
  "app": {
    "security": {
      "capabilities": [
        {
          "identifier": "inline-capability",
          "windows": ["*"],
          "permissions": ["fs:default"]
        },
        "file-based-capability"
      ]
    }
  }
}

Per-Window Capabilities

Assign different permissions to different windows using window labels:

Single Window

{
  "identifier": "main-capability",
  "windows": ["main"],
  "permissions": ["core:window:default", "fs:default"]
}

Multiple Specific Windows

{
  "identifier": "editor-capability",
  "windows": ["editor", "preview"],
  "permissions": ["fs:read-files", "core:event:default"]
}

Wildcard (All Windows)

{
  "identifier": "global-capability",
  "windows": ["*"],
  "permissions": ["core:event:default"]
}

Pattern Matching

{
  "identifier": "dialog-capability",
  "windows": ["dialog-*"],
  "permissions": ["core:window:allow-close"]
}

Permission Syntax

Permissions follow a naming convention:

Pattern	Description
`<plugin>:default`	Default permission set for a plugin
`<plugin>:allow-<command>`	Allow a specific command
`<plugin>:deny-<command>`	Deny a specific command

Core Permissions

{
  "permissions": [
    "core:path:default",
    "core:event:default",
    "core:window:default",
    "core:window:allow-set-title",
    "core:window:allow-close",
    "core:app:default",
    "core:resources:default",
    "core:menu:default",
    "core:tray:default"
  ]
}

Plugin Permissions

{
  "permissions": [
    "fs:default",
    "fs:allow-read-file",
    "fs:allow-write-file",
    "shell:allow-open",
    "dialog:allow-open",
    "dialog:allow-save",
    "http:default",
    "clipboard-manager:allow-read",
    "clipboard-manager:allow-write"
  ]
}

Platform-Specific Capabilities

Target specific platforms using the platforms array.

Desktop-Only Capability

{
  "$schema": "../gen/schemas/desktop-schema.json",
  "identifier": "desktop-capability",
  "windows": ["main"],
  "platforms": ["linux", "macOS", "windows"],
  "permissions": [
    "global-shortcut:allow-register",
    "global-shortcut:allow-unregister",
    "shell:allow-execute"
  ]
}

Mobile-Only Capability

{
  "$schema": "../gen/schemas/mobile-schema.json",
  "identifier": "mobile-capability",
  "windows": ["main"],
  "platforms": ["iOS", "android"],
  "permissions": [
    "nfc:allow-scan",
    "biometric:allow-authenticate",
    "barcode-scanner:allow-scan"
  ]
}

Separate Files for Platform Variants

Create platform-specific capability files:

src-tauri/capabilities/desktop.json:

{
  "identifier": "desktop-features",
  "windows": ["main"],
  "platforms": ["linux", "macOS", "windows"],
  "permissions": ["global-shortcut:default", "shell:default"]
}

src-tauri/capabilities/mobile.json:

{
  "identifier": "mobile-features",
  "windows": ["main"],
  "platforms": ["iOS", "android"],
  "permissions": ["haptics:default", "biometric:default"]
}

Remote API Access

Allow remote URLs to access Tauri commands (use with caution):

{
  "$schema": "../gen/schemas/remote-schema.json",
  "identifier": "remote-capability",
  "windows": ["main"],
  "remote": {
    "urls": ["https://*.example.com"]
  },
  "permissions": ["http:default"]
}

Custom Capabilities Example

A multi-window application with different permission levels:

src-tauri/capabilities/main.json:

{
  "$schema": "../gen/schemas/desktop-schema.json",
  "identifier": "main-window",
  "description": "Full access for main application window",
  "windows": ["main"],
  "permissions": [
    "core:default",
    "fs:default",
    "shell:allow-open",
    "dialog:default",
    "http:default",
    "clipboard-manager:default"
  ]
}

src-tauri/capabilities/settings.json:

{
  "$schema": "../gen/schemas/desktop-schema.json",
  "identifier": "settings-window",
  "description": "Limited access for settings window",
  "windows": ["settings"],
  "permissions": [
    "core:window:allow-close",
    "core:event:default",
    "fs:allow-read-file",
    "fs:allow-write-file"
  ]
}

src-tauri/capabilities/preview.json:

{
  "$schema": "../gen/schemas/desktop-schema.json",
  "identifier": "preview-window",
  "description": "Read-only access for preview window",
  "windows": ["preview"],
  "permissions": [
    "core:window:default",
    "core:event:default",
    "fs:allow-read-file"
  ]
}

Security Boundaries

Capabilities protect against:

Frontend compromise impact
Unintended system interface exposure
Frontend-to-backend privilege escalation

Capabilities do NOT protect against:

Malicious Rust code
Overly permissive scopes
WebView vulnerabilities

Best Practices

Principle of Least Privilege : Grant only the permissions each window needs
Separate Capabilities by Window : Create distinct capability files for different windows
Use Descriptive Identifiers : Name capabilities clearly (e.g., main-window, editor-readonly)
Document Capabilities : Include descriptions explaining the purpose
Review Remote Access : Carefully audit any remote URL access configurations
Test Permission Boundaries : Verify windows cannot access unpermitted APIs

Schema Support

Generated schemas provide IDE autocompletion. Reference them in capability files:

{
  "$schema": "../gen/schemas/desktop-schema.json"
}

Available schemas after build:

desktop-schema.json - Desktop platforms
mobile-schema.json - Mobile platforms
remote-schema.json - Remote access capabilities

Troubleshooting

Permission Denied Errors

Check that the capability includes the required permission and targets the correct window label.

Capability Not Applied

Verify the capability file is in src-tauri/capabilities/ or explicitly listed in tauri.conf.json.

Window Label Mismatch

Window labels in capabilities must match the labels defined when creating windows in Rust code. Labels are case-sensitive.

Weekly Installs

Repository

dchuk/claude-co…i-skills

GitHub Stars

First Seen

Jan 24, 2026

Security Audits

Gen Agent Trust HubPass SocketPass SnykWarn

Installed on

gemini-cli41

opencode39

codex38

cursor38

claude-code35

github-copilot35

Lark Mail CLI 使用指南：邮件管理、安全规则与自动化工作流

47,900 周安装