vdavid
diff --git a/‎AGENTS.md‎
Lines changed: 12 additions & 0 deletions b/‎AGENTS.md‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎CONTRIBUTING.md‎
Lines changed: 32 additions & 0 deletions b/‎CONTRIBUTING.md‎
Lines changed: 32 additions & 0 deletions
diff --git a/‎docs/security.md‎
Lines changed: 19 additions & 0 deletions b/‎docs/security.md‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎eslint.config.js‎
Lines changed: 17 additions & 0 deletions b/‎eslint.config.js‎
Lines changed: 17 additions & 0 deletions
diff --git a/‎knip.json‎
Lines changed: 1 addition & 1 deletion b/‎knip.json‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎package.json‎
Lines changed: 1 addition & 1 deletion b/‎package.json‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎scripts/tauri-wrapper.js‎
Lines changed: 26 additions & 0 deletions b/‎scripts/tauri-wrapper.js‎
Lines changed: 26 additions & 0 deletions
@@ -95,6 +95,18 @@ See [docs/adr](docs/adr) for all key technical decisions, and the
   [ADR-005](docs/adr/005-scoped-css-for-file-explorer.md)
 - **Clippy `--allow-dirty --allow-staged`** is used locally to allow auto-fixes even with uncommitted changes
 
+## MCP
+
+There should be an MCP server available to access Tauri. If it isn't, and you need it, ask the user for it! (There are
+guidelines to add it in [CONTRIBUTING.md](CONTRIBUTING.md).) Run the app in dev mode, then use the MCP server to take
+screenshots, click buttons, read front-end logs, and the such.
+
+## Security warnings
+
+- When adding new code that loads remote content (like `fetch` from external URLs or `iframe`), always add a condition
+  to **disable** that functionality in dev mode, and use static/mock data instead. See
+  [security docs](docs/security.md#withglobaltauri) for more reasoning.
+
 ## Useful references
 
 - Tauri docs: https://tauri.app/v2/
 
@@ -49,4 +49,36 @@ pnpm tauri build
 
 This creates a production build for your current platform in `src-tauri/target/release/`.
 
+## Agent integration (MCP)
+
+The app uses [MCP Server Tauri](https://github.com/hypothesi/mcp-server-tauri) to let AI assistants (Claude Code,
+Cursor, etc.) control this app: take screenshots, click buttons, read front-end logs, etc. It's quite helpful.
+
+### Setting up your AI assistant
+
+For `claude-code`, `cursor`, `vscode`, or `windsurf`, there is autoconfig available. Run this command in your terminal
+for your specific client: `npx -y install-mcp @hypothesi/tauri-mcp-server --client <your-client>`.
+([source](https://github.com/hypothesi/mcp-server-tauri)).
+
+If the automated setup doesn't work for you, check the MCP documentation for your specific client. For example:
+
+- [Claude Desktop](https://docs.anthropic.com/en/docs/agents-and-tools/mcp)
+- [Cursor](https://docs.cursor.com/context/model-context-protocol)
+- [Antigravity](https://medium.com/google-developer-experts/google-antigravity-custom-mcp-server-integration-to-improve-vibe-coding-f92ddbc1c22d)
+
+This snippet will likely come handy:
+
+```json
+{
+    "mcpServers": {
+        "tauri": {
+            "command": "npx",
+            "args": ["-y", "@hypothesi/tauri-mcp-server"]
+        }
+    }
+}
+```
+
+Since the agent shares the context with your IDE/client, enabling the MCP server makes the tools available to the agent automatically.
+
 Happy coding!
@@ -0,0 +1,19 @@
+# Security
+
+## withGlobalTauri
+
+The app uses [MCP Server Tauri](https://github.com/hypothesi/mcp-server-tauri) to let AI assistants (Claude Code,
+Cursor, etc.) control this app: take screenshots, click buttons, read front-end logs, etc.
+
+The MCP bridge requires `withGlobalTauri: true` which exposes `window.__TAURI__` to the frontend. This would be a huge
+security risk in production (untrusted JS could access system APIs, not good), so we enable it **only in development**:
+
+1. **Compile-time exclusion**: The MCP plugin is only registered via `#[cfg(debug_assertions)]` in `lib.rs`
+2. **Config separation**: `"withGlobalTauri": false` in `tauri.conf.json` (production), only overridden via
+   `tauri.dev.json` during dev
+3. **Wrapper script**: `scripts/tauri-wrapper.js` injects `-c src-tauri/tauri.dev.json` only for `dev` commands.
+   (`pnpm tauri dev` calls `scripts/tauri-wrapper.js` which adds `-c src-tauri/tauri.dev.json`, then Tauri merges this
+   with `tauri.conf.json` via [JSON Merge Patch (RFC 7396)](https://datatracker.ietf.org/doc/html/rfc7396).))
+
+To avoid security issues in dev mode, always add a condition to **disable** that functionality in dev mode. This way,
+malicious websites can't access the system APIs even on your machine.
@@ -77,6 +77,23 @@ export default tseslint.config(
             ],
         },
     },
+    {
+        // Node.js scripts (like tauri-wrapper.js) need Node globals
+        files: ['scripts/*.js'],
+        plugins: {
+            prettier,
+        },
+        languageOptions: {
+            ecmaVersion: 'latest',
+            sourceType: 'module',
+            globals: {
+                ...globals.node,
+            },
+        },
+        rules: {
+            'prettier/prettier': 'error',
+        },
+    },
     {
         files: ['vite.config.js', 'vitest.config.ts', 'playwright.config.ts'],
         plugins: {
 
@@ -1,6 +1,6 @@
 {
     "$schema": "https://unpkg.com/knip@5/schema.json",
     "ignore": ["src/lib/icon-cache.ts"],
-    "ignoreDependencies": ["@tauri-apps/plugin-window-state", "@testing-library/svelte"],
+    "ignoreDependencies": ["@tauri-apps/cli", "@tauri-apps/plugin-window-state", "@testing-library/svelte"],
     "ignoreExportsUsedInFile": true
 }
@@ -9,7 +9,7 @@
         "preview": "vite preview",
         "check": "svelte-kit sync && svelte-check --tsconfig ./tsconfig.json --compiler-warnings \"a11y_no_noninteractive_element_interactions:ignore,a11y_click_events_have_key_events:ignore,a11y_no_noninteractive_tabindex:ignore,state_referenced_locally:ignore\"",
         "check:watch": "svelte-kit sync && svelte-check --tsconfig ./tsconfig.json --watch --compiler-warnings \"a11y_no_noninteractive_element_interactions:ignore,a11y_click_events_have_key_events:ignore,a11y_no_noninteractive_tabindex:ignore,state_referenced_locally:ignore\"",
-        "tauri": "tauri",
+        "tauri": "node scripts/tauri-wrapper.js",
         "lint": "eslint .",
         "lint:fix": "eslint . --fix",
         "format": "prettier --write .",
 
@@ -0,0 +1,26 @@
+// See docs/security.md#withglobaltauri for more info on why this script exists.
+
+import { spawn } from 'child_process'
+
+// Get arguments passed to the script
+const args = process.argv.slice(2)
+
+// Check if the command is 'dev'
+const isDev = args.includes('dev')
+
+// If dev, inject the dev configuration
+if (isDev) {
+    // Add -c src-tauri/tauri.dev.json to merge config
+    args.push('-c', 'src-tauri/tauri.dev.json')
+}
+
+// Spawn the tauri process (relies on pnpm/npm adding node_modules/.bin to PATH)
+const tauriProcess = spawn('tauri', args, {
+    stdio: 'inherit',
+    shell: true,
+})
+
+// Handle process exit
+tauriProcess.on('exit', (code) => {
+    process.exit(code ?? 0)
+})
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"$schema": "https://unpkg.com/knip@5/schema.json",`
`3`	`3`	`"ignore": ["src/lib/icon-cache.ts"],`
`4`		`- "ignoreDependencies": ["@tauri-apps/plugin-window-state", "@testing-library/svelte"],`
	`4`	`+ "ignoreDependencies": ["@tauri-apps/cli", "@tauri-apps/plugin-window-state", "@testing-library/svelte"],`
`5`	`5`	`"ignoreExportsUsedInFile": true`
`6`	`6`	`}`