vdavid
diff --git a/.claude/rules/docs-maintenance.md b/.claude/rules/docs-maintenance.md
Lines changed: 9 additions & 0 deletions
diff --git a/AGENTS.md b/AGENTS.md
Lines changed: 40 additions & 12 deletions
diff --git a/apps/desktop/src-tauri/src/file_system/listing/CLAUDE.md b/apps/desktop/src-tauri/src/file_system/listing/CLAUDE.md
Lines changed: 103 additions & 0 deletions
diff --git a/apps/desktop/src-tauri/src/file_viewer/CLAUDE.md b/apps/desktop/src-tauri/src/file_viewer/CLAUDE.md
Lines changed: 50 additions & 0 deletions
diff --git a/apps/desktop/src-tauri/src/mcp/CLAUDE.md b/apps/desktop/src-tauri/src/mcp/CLAUDE.md
Lines changed: 129 additions & 0 deletions
@@ -0,0 +1,9 @@
+---
+paths:
+  - "apps/**"
+  - "scripts/**"
+---
+
+When modifying code in a directory that contains a `CLAUDE.md` file, check whether your changes affect the documented
+architecture, key decisions, or gotchas. If they do, update the `CLAUDE.md` to stay in sync.
+Skip this for trivial changes (bug fixes, formatting, small refactors that don't change the architecture).
@@ -31,15 +31,15 @@ Core structure:
     - `license-server/` - Cloudflare Worker (Hono). Receives Paddle webhooks, generates&validates Ed25519-signed keys.
     - `website/` - Marketing website (getcmdr.com)
 - `/scripts/check/` - Go-based unified check runner (replaces individual scripts)
-- `/docs/` - Docs including `style-guide.md`
-    - `artifacts/` - Development byproducts kept for reference. They describe the history of the system, not its state.
-      - `adr/` - Architecture decisions
-      - `notes/` - Other notes
-      - `specs/` - Temporary spec docs and task lists kept during development
-    - `features/` - Description of each major feature of the system
+- `/docs/` - Dev docs
+    - `adr/` - Architecture decision records
     - `guides/` - How-to guides
-    - `tooling/` - Like "features", but for internal tooling
-    - `user-docs/` - The rest of `/docs` are all dev docs. These are user-facing, written with that audience in mind. 
+    - `tooling/` - Internal tooling docs
+    - `architecture.md` - Map of all subsystems with pointers to colocated `CLAUDE.md` files
+    - `style-guide.md` - Writing and code style rules
+    - `security.md` - Security policies
+- Feature-level docs live in **colocated `CLAUDE.md` files** next to the code (for example,
+  `src/lib/settings/CLAUDE.md`). Claude Code auto-discovers these. See `docs/architecture.md` for the full map.
 
 ## Testing & checking
 
@@ -108,15 +108,39 @@ There are two MCP servers available to you:
 ## Things to avoid
 
 - ❌ Don't touch git, user handles commits manually. Unless explicitly asked to.
-- ❌ Don't use classes in TypeScript (use functional components/modules)
 - ❌ Don't add JSDoc that just repeats types or obvious function names
-- ❌ Don't use `any` type (ESLint will error)
 - ❌ Don't ignore linter warnings (fix them or justify with a comment)
 - ❌ Don't add dependencies without checking license compatibility (`cargo deny check`)
 
+### TypeScript
+
+- Don't use classes. Use functional components and modules.
+- Don't use `any` type. ESLint will error.
+- Prefer functional programming (map, reduce, some, forEach) and pure functions wherever it makes sense.
+- Use `const` for everything, unless it makes the code unnecessarily verbose.
+- Start function names with a verb, unless unidiomatic in the specific case.
+- Use `camelCase` for variable and constant names, including module-level constants.
+- Put constants closest to where they are used. If a constant is only used in one function, put it in that function.
+- For maps, try to name them like `somethingToSomethingElseMap`. That avoids unnecessary comments.
+- Keep interfaces minimal: only export what you must export.
+
+### Rust
+
+- Max 120 char lines, 4-space indent, cognitive complexity threshold: 15, enforced by clippy.
+
+### CSS
+
+- `html { font-size: 16px; }` is set so `1rem = 16px`. Use `px` by default; use `rem` where it's more descriptive.
+- Use variables for colors, spacing, and the like, defined in `app.css`.
+- Always think about accessibility when designing, and dark+light modes.
+
 ## Planning
-- When coming up with a plan for a development, save it to `docs/specs/{feature}-plan.md in this repo.
-- Also create an  accompanying task list that fully covers but doesn't duplicate the plan on a high level.
+
+- When getting oriented, consider the docs: `docs` folder and `CLAUDE.md` files in each directory.
+- When coming up with a plan for a development, save it to `docs/specs/{feature}-plan.md` in this repo (we clean out old
+  plans every few weeks/months, git history remembers them).
+- Also create an accompanying task list that fully covers but doesn't duplicate the plan on a high level.
   If all items on the task list are honestly marked as done, the plan is fully implemented in great quality.
   Tasks should be one-liners, grouped by milestones. Include docs, testing, and running all necessary checks.
 
@@ -126,6 +150,10 @@ There are two MCP servers available to you:
 - When testing, consider using Rust/Go tests, Vitest, Playwright, and manual tests with the MCP servers, whatever is
   needed to feel confident about the development. Do this per milestone. Don't go overboard with unit tests. Test
   exactly so that you feel confident.
+- **Keep docs alive**: When modifying a feature directory that has a `CLAUDE.md`, check if the doc still matches the
+  code. Update it if your changes affect architecture, key decisions, or gotchas. Don't update for trivial changes.
+  If there is no `CLAUDE.md` file yet, but you want to capture high-level info about a module or feature, create one.
+  Make it faster for the next person or agent to get oriented. 
 
 Always do a last round of checks before wrapping up:
 
 
@@ -0,0 +1,103 @@
+# File system listing module
+
+Backend directory reading, caching, sorting, and streaming for the file explorer. Handles 100k+ file directories with non-blocking I/O and progress events.
+
+## Architecture
+
+### Module structure
+
+- **mod.rs** – Public API exports, re-exports for crate-internal use
+- **reading.rs** – Low-level disk I/O (`list_directory_core()`, `get_single_entry()`, macOS metadata)
+- **streaming.rs** – Async streaming with progress events, cancellation
+- **operations.rs** – Synchronous frontend-facing API (lifecycle, cache accessors)
+- **caching.rs** – `LISTING_CACHE` global state, `CachedListing` struct
+- **sorting.rs** – `SortColumn`, `SortOrder`, `sort_entries()`
+- **metadata.rs** – `FileEntry` struct, macOS extended metadata
+
+### Data flow
+
+```
+Frontend                          Backend
+   |                                   |
+   |-- listDirectoryStartStreaming -->| (returns immediately)
+   |<-- { listingId, status: loading }|
+   |                                   |
+   |                            [background task spawns]
+   |                                   |
+   |<--- listing-opening event --------| (just before read_dir)
+   |<--- listing-progress event -------| (every 500ms)
+   |     { listingId, loadedCount }    |
+   |                                   |
+   |<--- listing-read-complete event --| (when read_dir finishes)
+   |     { listingId, totalCount }     |
+   |                                   |
+   |                            [sorting + caching + watcher start]
+   |                                   |
+   |<--- listing-complete event -------| (ready for use)
+   |     { listingId, totalCount,      |
+   |       maxFilenameWidth }          |
+   |                                   |
+   |-- getFileRange(listingId, ...) -->| (on-demand fetching)
+   |<-- [FileEntry, FileEntry, ...]    |
+```
+
+### Caching strategy
+
+**LISTING_CACHE**: Global `RwLock<HashMap<String, CachedListing>>`
+**Key**: `listing_id` (UUID per navigation)
+**Value**: `CachedListing { volume_id, path, entries, sort_by, sort_order }`
+
+**Lifecycle**:
+1. `list_directory_start_streaming()` generates ID, spawns task
+2. Background task reads directory, sorts, stores in cache
+3. Frontend calls `get_file_range()` for visible entries (on-demand)
+4. `list_directory_end()` stops watcher, removes from cache
+
+**Concurrency**: Multiple listings can coexist (different panes, rapid navigation). Each has unique ID.
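A minimal sketch of the cache lifecycle described above, using only the standard library. The `CachedListing` here is a reduced stand-in (the real struct also carries `volume_id`, `sort_by`, and `sort_order`), and `store_listing`, `get_range`, and `end_listing` are hypothetical helper names, not the module's actual API.

```rust
use std::collections::HashMap;
use std::sync::{OnceLock, RwLock};

/// Reduced stand-in for the real `CachedListing` (fields trimmed for illustration).
#[derive(Clone, Debug)]
pub struct CachedListing {
    pub path: String,
    pub entries: Vec<String>,
}

/// Global cache keyed by `listing_id`, lazily initialized on first use.
static LISTING_CACHE: OnceLock<RwLock<HashMap<String, CachedListing>>> = OnceLock::new();

fn cache() -> &'static RwLock<HashMap<String, CachedListing>> {
    LISTING_CACHE.get_or_init(|| RwLock::new(HashMap::new()))
}

/// Lifecycle step 2: the background task stores the finished listing.
pub fn store_listing(listing_id: &str, listing: CachedListing) {
    cache().write().unwrap().insert(listing_id.to_string(), listing);
}

/// Lifecycle step 3: fetch a window of entries; `None` if the listing is not cached.
pub fn get_range(listing_id: &str, start: usize, count: usize) -> Option<Vec<String>> {
    let guard = cache().read().unwrap();
    let listing = guard.get(listing_id)?;
    Some(listing.entries.iter().skip(start).take(count).cloned().collect())
}

/// Lifecycle step 4: drop the listing; returns whether it was present.
pub fn end_listing(listing_id: &str) -> bool {
    cache().write().unwrap().remove(listing_id).is_some()
}
```

Because every listing has its own key, two panes can hold listings at the same time without interfering with each other.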
+
+## Key decisions
+
+**Decision**: Streaming with background task, not chunked IPC
+**Why**: Chunked approach required multiple IPC calls, complex state tracking. Streaming spawns `tokio::task::spawn_blocking()`, emits events. Frontend stays responsive—Tab works, ESC cancels.
+
+**Decision**: Cancellation via `AtomicBool` checked per-entry
+**Why**: Network folders iterate slowly (seconds per entry). Checking on each iteration ensures responsive cancellation. ESC → cancel within ~100ms.
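The per-entry check can be sketched as follows. This is an illustration under assumptions: `read_entries` is a hypothetical name, and a generic iterator of names stands in for the real `read_dir` loop.

```rust
use std::sync::atomic::{AtomicBool, Ordering};

/// Collects entries from `source`, checking the cancellation flag on every iteration.
/// Returns `None` if the flag was set before the iteration finished.
pub fn read_entries<I>(source: I, cancelled: &AtomicBool) -> Option<Vec<String>>
where
    I: IntoIterator<Item = String>,
{
    let mut entries = Vec::new();
    for entry in source {
        // One cheap atomic load per entry keeps cancellation latency
        // bounded by the time it takes to produce a single entry.
        if cancelled.load(Ordering::Relaxed) {
            return None;
        }
        entries.push(entry);
    }
    Some(entries)
}
```

The flag would be shared with whatever handles ESC (for example through an `Arc<AtomicBool>`), which sets it to `true` to stop the loop.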
+
+**Decision**: Four-stage progress: opening → progress → read-complete → complete
+**Why**: Gives user fine-grained feedback:
+- `listing-opening`: "About to start slow I/O" (for network folders)
+- `listing-progress`: "Loaded N files..." (every 500ms)
+- `listing-read-complete`: "All files read, sorting now"
+- `listing-complete`: "Ready to render"
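One way to model the events listed above is an ordered enum. This is a sketch only: `ListingStage` and `can_transition_to` are hypothetical names, and the rule that stages only move forward (with `listing-progress` allowed to repeat) is an assumption drawn from the data-flow diagram.

```rust
/// The listing events, declared in the order they are emitted.
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum ListingStage {
    Opening,
    Progress,
    ReadComplete,
    Complete,
}

impl ListingStage {
    /// Event name as it appears in the data-flow diagram.
    pub fn event_name(self) -> &'static str {
        match self {
            ListingStage::Opening => "listing-opening",
            ListingStage::Progress => "listing-progress",
            ListingStage::ReadComplete => "listing-read-complete",
            ListingStage::Complete => "listing-complete",
        }
    }

    /// Whether `next` may follow `self`: progress can repeat,
    /// otherwise a listing only moves to a later stage.
    pub fn can_transition_to(self, next: ListingStage) -> bool {
        match (self, next) {
            (ListingStage::Progress, ListingStage::Progress) => true,
            _ => next > self,
        }
    }
}
```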
+
+**Decision**: Sorting happens AFTER read, BEFORE caching
+**Why**: Frontend expects sorted order. Sorting 50k entries takes ~15ms (fast enough). Done in background task after all entries collected.
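A rough sketch of what a `sort_entries()` step could look like. The enum variants, the reduced `Entry` struct, and the case-insensitive name comparison are assumptions for illustration; the real `SortColumn`, `SortOrder`, and `FileEntry` may differ.

```rust
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum SortColumn {
    Name,
    Size,
}

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum SortOrder {
    Ascending,
    Descending,
}

/// Reduced stand-in for `FileEntry`.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Entry {
    pub name: String,
    pub size: u64,
}

/// Sorts in place, once, after all entries have been collected.
pub fn sort_entries(entries: &mut [Entry], column: SortColumn, order: SortOrder) {
    entries.sort_by(|a, b| {
        let ordering = match column {
            // Assumption: names compare case-insensitively.
            SortColumn::Name => a.name.to_lowercase().cmp(&b.name.to_lowercase()),
            SortColumn::Size => a.size.cmp(&b.size),
        };
        match order {
            SortOrder::Ascending => ordering,
            SortOrder::Descending => ordering.reverse(),
        }
    });
}
```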
+
+**Decision**: Hidden files filtering in Rust, not frontend
+**Why**: Cannot know visible count until all files read. APIs accept `include_hidden: bool`, filter during `get_file_range()` iteration.
+
+**Decision**: Font metrics in Rust binary cache, not frontend canvas measurement
+**Why**: Measuring 50k filenames in JS is slow. Rust precomputes metrics for system fonts, stores in `.bin` cache. `calculate_max_width()` is a hash lookup.
+
+**Decision**: File watcher starts AFTER listing complete
+**Why**: Watcher diffs rely on cached entries. Starting before cache is populated would miss initial state.
+
+## Gotchas
+
+**Gotcha**: Background task keeps running when the frontend merely discards a listing
+**Why**: `loadGeneration` only discards stale results on the frontend; Rust keeps iterating. Mitigation: set the cancellation `AtomicBool`, which is checked per-entry, so the task stops early.
+
+**Gotcha**: `get_file_range()` with `include_hidden=false` skips hidden entries
+**Why**: Indices are for VISIBLE items only. If item 5 is hidden, index 5 in `include_hidden=false` mode is actually item 6 in the full list. Backend handles filtering, frontend sees dense array.
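The index shift can be seen in a small sketch. The `Entry` struct and the dot-prefix rule for hidden files are assumptions made for this example; only the `include_hidden` flag and the dense-array behavior come from the text above.

```rust
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Entry {
    pub name: String,
}

impl Entry {
    /// Assumption for this sketch: dot-prefixed names are hidden.
    fn is_hidden(&self) -> bool {
        self.name.starts_with('.')
    }
}

/// Returns `count` entries starting at `start`, where `start` indexes
/// the filtered (visible) sequence when `include_hidden` is false.
pub fn get_file_range(
    entries: &[Entry],
    start: usize,
    count: usize,
    include_hidden: bool,
) -> Vec<Entry> {
    entries
        .iter()
        .filter(|e| include_hidden || !e.is_hidden())
        .skip(start)
        .take(count)
        .cloned()
        .collect()
}
```

With entries `a`, `.b`, `c`, `d`, index 1 is `.b` when hidden files are included and `c` when they are not.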
+
+**Gotcha**: Watcher diffs must update both cache AND emit events
+**Why**: Cache is source of truth for `get_file_range()`. Events notify frontend to re-fetch visible range. Missing either = stale data or no UI update.
+
+**Gotcha**: Sorting changes invalidate cached range on frontend
+**Why**: Frontend cache holds entries in old sort order. Backend re-sorts, but frontend must re-fetch. `cacheGeneration` bump triggers this.
+
+**Gotcha**: macOS extended metadata (addedAt, openedAt) requires extra syscalls
+**Why**: `list_directory_core()` uses fast `fs::read_dir()` + `metadata()`. Extended metadata needs `listxattr()`/`getxattr()`. Available via `get_extended_metadata_batch()` but not wired into streaming path yet.
+
+**Gotcha**: `CANCELLATION_POLL_INTERVAL` is 100ms, but check happens per-entry
+**Why**: Named confusingly. The interval is for waiting on channels, not polling the flag. Actual cancellation is checked on EVERY entry iteration.
@@ -0,0 +1,50 @@
+# File viewer module (Rust backend)
+
+Provides three backend strategies for serving file content line-by-line with instant open, virtual scrolling, and background search.
+
+## Key files
+
+- `mod.rs` — public API, constants (1MB threshold, 256-line checkpoints, 8KB backward scan limit)
+- `session.rs` — session orchestration, backend switching, search state
+- `full_load.rs` — loads entire file into `String` (<1MB files)
+- `byte_seek.rs` — seeks by byte offset, scans backward for newline (instant open)
+- `line_index.rs` — sparse newline index (1 checkpoint per 256 lines), SIMD-accelerated via `memchr`
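To illustrate the sparse index idea, here is a minimal sketch that records one checkpoint per 256 lines and resolves a line number by scanning forward from the nearest checkpoint. It works on an in-memory byte slice and uses a plain byte loop instead of `memchr`; `build_checkpoints` and `line_start` are hypothetical names.

```rust
/// Checkpoint spacing from the module description.
const CHECKPOINT_INTERVAL: usize = 256;

/// Byte offsets where lines 0, 256, 512, ... start.
pub fn build_checkpoints(data: &[u8]) -> Vec<u64> {
    let mut checkpoints = vec![0u64]; // line 0 starts at byte 0
    let mut line = 0usize;
    for (i, &b) in data.iter().enumerate() {
        if b == b'\n' {
            line += 1;
            // Only record a checkpoint if another line actually starts here.
            if line % CHECKPOINT_INTERVAL == 0 && i + 1 < data.len() {
                checkpoints.push((i + 1) as u64);
            }
        }
    }
    checkpoints
}

/// Byte offset where `target_line` starts, or `None` if the data has fewer lines.
pub fn line_start(data: &[u8], checkpoints: &[u64], target_line: usize) -> Option<usize> {
    let mut offset = *checkpoints.get(target_line / CHECKPOINT_INTERVAL)? as usize;
    // Scan forward over at most 255 newlines from the checkpoint.
    for _ in 0..(target_line % CHECKPOINT_INTERVAL) {
        let rel = data[offset..].iter().position(|&b| b == b'\n')?;
        offset += rel + 1;
    }
    if offset < data.len() || target_line == 0 {
        Some(offset)
    } else {
        None
    }
}
```

The trade-off is memory against lookup cost: the index stays small, and each lookup scans at most one checkpoint interval.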
+
+## Backend selection logic
+
+```rust
+if file_size < 1MB {
+    FullLoadBackend
+} else {
+    // Start with ByteSeek (instant)
+    ByteSeekBackend
+    // Spawn background thread to build LineIndex
+    // Upgrade to LineIndexBackend when ready
+}
+```
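The selection logic above is pseudocode. A compilable sketch of the same decision might look like this, assuming the 1MB threshold means 1024 × 1024 bytes; `BackendKind`, `initial_backend`, and `upgraded_backend` are illustrative names, not the module's actual types.

```rust
/// 1MB threshold (assumed here to be 1024 * 1024 bytes).
const FULL_LOAD_THRESHOLD: u64 = 1024 * 1024;

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum BackendKind {
    FullLoad,
    ByteSeek,
    LineIndex,
}

/// Backend chosen at open time: small files load fully,
/// large files start with ByteSeek so the open is instant.
pub fn initial_backend(file_size: u64) -> BackendKind {
    if file_size < FULL_LOAD_THRESHOLD {
        BackendKind::FullLoad
    } else {
        BackendKind::ByteSeek
    }
}

/// Backend after the background index build reports its status:
/// only a ByteSeek session is upgraded, and only once the index is ready.
pub fn upgraded_backend(current: BackendKind, index_ready: bool) -> BackendKind {
    match (current, index_ready) {
        (BackendKind::ByteSeek, true) => BackendKind::LineIndex,
        _ => current,
    }
}
```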
+
+## Tauri commands
+
+- `viewer_open(path)` → `ViewerOpenResult` (session ID, metadata, initial lines, backend type)
+- `viewer_get_lines(session_id, target_type, target_value, count)` → `LineChunk`
+- `viewer_search_start(session_id, query)` → starts background search
+- `viewer_search_poll(session_id)` → `SearchPollResult` (matches, progress, status)
+- `viewer_search_cancel(session_id)` → cancels running search
+- `viewer_close(session_id)` → frees resources
+- `viewer_setup_menu(label)` — builds viewer menu with word wrap item
+- `viewer_set_word_wrap(label, checked)` — syncs menu state
+
+## Gotchas
+
+- **VIEWER_SESSIONS is unbounded** — grows with each `viewer_open`. Must call `viewer_close` when window closes (not automatic).
+- **LineIndex build is async** — `ViewerSession` upgrades backend when ready. Frontend sees backend type change via status query.
+- **Search state per session** — only one search can run per session. Starting a new search cancels the previous one.
+- **UTF-16 offsets for JS compatibility** — `SearchMatch.column` and `.length` are in UTF-16 code units, matching JS `String.substring()`.
+- **ByteSeek backward scan limit** — 8KB max. If newline not found, line starts at scan boundary (truncated).
+- **LineIndex memory** — O(total_lines / 256) for checkpoints. For a 100M line file: ~390K checkpoints × 8 bytes = ~3MB.
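For the UTF-16 gotcha, a sketch of converting a Rust byte offset into a UTF-16 code-unit column. `utf16_column` is a hypothetical helper; only the requirement that offsets be in UTF-16 code units comes from the list above.

```rust
/// Converts a byte offset within `line` into a UTF-16 code-unit offset.
/// Returns `None` if `byte_offset` is out of range or not on a char boundary.
pub fn utf16_column(line: &str, byte_offset: usize) -> Option<usize> {
    let prefix = line.get(..byte_offset)?;
    Some(prefix.encode_utf16().count())
}

/// Length of a match in UTF-16 code units.
pub fn utf16_len(matched: &str) -> usize {
    matched.encode_utf16().count()
}
```

The difference matters for non-ASCII text: an emoji outside the Basic Multilingual Plane is four bytes in UTF-8 but two code units in UTF-16.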
+
+## Performance targets
+
+- **Open latency**: <10ms for any file size (ByteSeek), <50ms for 1GB file after LineIndex builds
+- **Scroll latency**: <16ms (60fps) for 50-line fetch
+- **Search**: ~500MB/s (SIMD-accelerated), progress updates every 10MB
@@ -0,0 +1,129 @@
+# MCP server
+
+## Purpose
+
+Expose Cmdr functionality to AI agents via the Model Context Protocol (MCP). Agents can control the app using the same capabilities available to users—no more, no less.
+
+## Architecture
+
+### Server (`server.rs`)
+
+- Runs in a background tokio task spawned at app startup
+- Binds to `127.0.0.1:9224` (localhost only for security)
+- Streamable HTTP transport (MCP spec 2025-11-25)
+- Endpoints: `POST /mcp` (JSON-RPC), `GET /mcp/sse` (optional SSE), `GET /mcp/health`
+
+### Protocol (`protocol.rs`)
+
+- JSON-RPC 2.0 message parsing
+- Routes to `initialize`, `tools/list`, `tools/call`, `resources/list`, `resources/read`
+- Session management (though most clients don't use sessions)
+
+### Tools (`tools.rs`)
+
+18 semantic tools grouped by category:
+- Navigation (6): `select_volume`, `nav_to_path`, `scroll_to`, etc.
+- Cursor/Selection (3): `move_cursor`, `open_under_cursor`, `select`
+- File operations (3): `copy`, `mkdir`, `refresh`
+- View (3): `sort`, `toggle_hidden`, `set_view_mode`
+- Dialogs (1): `dialog` (unified open/focus/close)
+- App (2): `switch_pane`, `quit`
+
+### Resources (`resources.rs`)
+
+- `cmdr://state`: Complete app state in YAML (both panes, volumes, dialogs)
+- `cmdr://dialogs/available`: Static metadata about available dialogs
+
+### Executor (`executor.rs`)
+
+Routes tool calls to implementations. Most tools emit Tauri events that trigger the same code paths as keyboard shortcuts or menu clicks.
+
+### State stores
+
+- `PaneStateStore`: Current state of left/right panes (path, files, cursor, selection)
+- `SoftDialogTracker`: Which dialogs MCP thinks are open
+- `SettingsStateStore`: Current settings window state (section, settings, shortcuts)
+
+Frontend syncs state to these stores via Tauri commands (`update_left_pane_state`, `mcp_update_settings_sections`, etc.).
+
+## Key decisions
+
+### Why agent-centric API?
+
+The original design mirrored keyboard shortcuts (43 tools like `nav_up`, `nav_down`). This forced agents to make dozens of calls to find a file. The agent-centric redesign (Jan 2026) consolidated to 18 semantic tools (`move_cursor(index=42)`, `nav_to_path("/Users")`). This reduced round-trips from 6+ reads to 1 (`cmdr://state` resource).
+
+### Why YAML over JSON for resources?
+
+LLMs consume resources, not machines. YAML is 30-40% smaller and more readable. The `cmdr://state` resource is optimized for LLM token usage, not parsing speed.
+
+### Why plain text responses?
+
+Tool results are plain text (`"OK: Navigated to /Users"`, `"ERROR: Path not found"`), not JSON objects. This reduces token usage and is easier for LLMs to parse. Errors are still JSON-RPC error objects, but the `content` field is plain text.
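As a sketch of the plain-text convention, a formatter could turn a success or failure into the `OK:` / `ERROR:` strings quoted above. The function name and the use of `Result<&str, &str>` are assumptions for illustration.

```rust
/// Formats a tool outcome as a single plain-text line.
pub fn format_tool_result(result: Result<&str, &str>) -> String {
    match result {
        Ok(message) => format!("OK: {message}"),
        Err(reason) => format!("ERROR: {reason}"),
    }
}
```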
+
+### Why stateful architecture?
+
+Without state, resources would need to query the frontend on every read (slow, async). Storing state in Rust allows synchronous reads. The frontend syncs state after meaningful changes (file load, cursor move, selection).
+
+### Why no file system access?
+
+Security via parity: agents can only do what users can do. Giving agents `fs.read`/`fs.write` would violate this. Agents navigate the UI just like users, using `move_cursor`, `open_under_cursor`, etc.
+
+### Why localhost only?
+
+Binding to `0.0.0.0` would expose the server to the network. An attacker could quit the app, change settings, or navigate to sensitive directories. Localhost binding ensures only local processes can connect.
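A minimal standard-library sketch of loopback-only binding. The real server runs on tokio and uses port 9224; `bind_loopback` is a hypothetical helper, and passing port 0 lets the OS pick a free port so the example runs anywhere.

```rust
use std::net::{SocketAddr, TcpListener};

/// Binds a listener on 127.0.0.1 only, so remote hosts cannot connect.
pub fn bind_loopback(port: u16) -> std::io::Result<TcpListener> {
    TcpListener::bind(SocketAddr::from(([127, 0, 0, 1], port)))
}
```

Checking `listener.local_addr()?.ip().is_loopback()` after binding is a cheap way to assert the server never ends up on a public interface.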
+
+### Why separate state stores?
+
+`PaneStateStore` is always synced (file pane changes frequently). `SettingsStateStore` is only synced when settings window is open (rare). `SoftDialogTracker` is updated by MCP tools themselves. Separating concerns keeps each store simple.
+
+## Gotchas
+
+### Server starts in background task
+
+`start_mcp_server()` spawns a tokio task and returns immediately. If the server crashes, the app continues but MCP stops working. Check logs for "MCP server crashed" errors.
+
+### State sync is best-effort
+
+Frontend calls `update_left_pane_state()` after loading files, but there's no guarantee it completes before an MCP resource read. In practice, updates are fast and this isn't an issue. If stale data is a concern, add explicit sync waits.
+
+### Dialog state is "soft"
+
+`SoftDialogTracker` stores which dialogs MCP thinks are open, but if a dialog is closed manually (not via MCP), the tracker isn't updated. The `cmdr://state` resource double-checks reality by querying Tauri windows.
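The double-check can be pictured as an intersection between what the tracker believes and what windows actually exist. This is a sketch with assumed names and a reduced struct; the set of actual windows is passed in rather than queried from Tauri.

```rust
use std::collections::HashSet;

/// Reduced stand-in for the tracker: dialog ids MCP believes are open.
#[derive(Default)]
pub struct SoftDialogTracker {
    open: HashSet<String>,
}

impl SoftDialogTracker {
    pub fn mark_open(&mut self, id: &str) {
        self.open.insert(id.to_string());
    }

    pub fn mark_closed(&mut self, id: &str) {
        self.open.remove(id);
    }

    /// Dialogs to report: tracked as open AND present among the actual windows.
    /// Sorted so the output is stable.
    pub fn open_dialogs(&self, actual_windows: &HashSet<String>) -> Vec<String> {
        let mut dialogs: Vec<String> =
            self.open.intersection(actual_windows).cloned().collect();
        dialogs.sort();
        dialogs
    }
}
```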
+
+### View mode affects resource detail
+
+`cmdr://state` shows file details differently based on view mode:
+- Full mode: all file info inline (`i:42 f package.json 1183b lm:2025-01-10`)
+- Brief mode: only cursor file gets details, rest are just names (`i:42 f package.json`)
+
+This prevents overwhelming agents with data they can't see in the UI.
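A sketch of how the two line formats could be produced. The field names, the `d` marker for directories, and the helper names are assumptions; only the example strings above come from the document.

```rust
pub struct FileInfo<'a> {
    pub index: usize,
    pub is_dir: bool,
    pub name: &'a str,
    pub size_bytes: u64,
    pub modified: &'a str,
}

/// Formats one entry, with or without size and modification date.
pub fn format_entry(info: &FileInfo, detailed: bool) -> String {
    // Assumption: `f` marks files (as in the examples) and `d` marks directories.
    let kind = if info.is_dir { 'd' } else { 'f' };
    if detailed {
        format!(
            "i:{} {} {} {}b lm:{}",
            info.index, kind, info.name, info.size_bytes, info.modified
        )
    } else {
        format!("i:{} {} {}", info.index, kind, info.name)
    }
}

/// Full mode details every entry; Brief mode details only the cursor entry.
pub fn format_listing(files: &[FileInfo], full_mode: bool, cursor: usize) -> Vec<String> {
    files
        .iter()
        .map(|f| format_entry(f, full_mode || f.index == cursor))
        .collect()
}
```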
+
+### Pane state includes pagination
+
+Large directories (50k+ files) are paginated. The `totalFiles`, `loadedStart`, `loadedEnd` fields indicate what's currently loaded. Agents must use `scroll_to(index)` to load different regions.
+
+### Resources don't require initialization
+
+Unlike tools (which need a session via `initialize`), resources can be read immediately after server start. This is by design for debugging with curl.
+
+### Settings state sync is window-specific
+
+The settings window calls `syncSettingsState()` on mount and section changes. The main window doesn't sync settings state (it doesn't need to). This means `cmdr://state` only includes settings when the settings window is open.
+
+### MCP-settings bridge vs MCP-shortcuts listener
+
+Settings window: full bridge (`mcp-settings-bridge.ts`) syncs all state and handles all MCP events.
+Main window: lightweight listener (`mcp-shortcuts-listener.ts`) only handles shortcut changes.
+This separation keeps main window overhead minimal.
+
+### Tool execution is synchronous
+
+`execute_tool()` is a synchronous function. Tools that trigger async operations (like `copy`, `mkdir`) return immediately after emitting the event. The tool result doesn't wait for the operation to complete. This is intentional—tools return "OK: Copy dialog opened" not "OK: Files copied".
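The fire-and-forget behavior can be sketched with a standard-library channel standing in for Tauri's event emission. The event name `open-copy-dialog` and this simplified `execute_tool` signature are hypothetical.

```rust
use std::sync::mpsc::Sender;

/// Emits an event for the UI side and returns right away.
/// The result says what was triggered, not what eventually completed.
pub fn execute_tool(name: &str, events: &Sender<String>) -> String {
    match name {
        "copy" => match events.send("open-copy-dialog".to_string()) {
            Ok(()) => "OK: Copy dialog opened".to_string(),
            Err(_) => "ERROR: Event channel closed".to_string(),
        },
        other => format!("ERROR: Unknown tool {other}"),
    }
}
```

An agent that needs to know whether the copy finished would have to read `cmdr://state` afterwards rather than rely on the tool result.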
+
+### Error codes are JSON-RPC standard
+
+`INVALID_PARAMS = -32602`, `INTERNAL_ERROR = -32603`, etc. These are defined by the JSON-RPC spec, not MCP. Don't change them.
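For reference, the pre-defined JSON-RPC 2.0 error codes written as Rust constants. The values are from the JSON-RPC 2.0 specification; the constant names beyond the two quoted above and the `is_reserved` helper are illustrative and may not match `protocol.rs`.

```rust
pub const PARSE_ERROR: i32 = -32700;
pub const INVALID_REQUEST: i32 = -32600;
pub const METHOD_NOT_FOUND: i32 = -32601;
pub const INVALID_PARAMS: i32 = -32602;
pub const INTERNAL_ERROR: i32 = -32603;

/// True for codes in the range the JSON-RPC 2.0 spec reserves
/// for pre-defined errors (-32768 through -32000).
pub fn is_reserved(code: i32) -> bool {
    (-32768..=-32000).contains(&code)
}
```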
+
+### Schema version doesn't apply to MCP state
+
+MCP state stores don't have `_schemaVersion` fields. They're runtime-only, not persisted. If the state format changes, just restart the app.