The API infrastructure is under active development. Some features described here are planned but not yet fully implemented. This document reflects both current implementation and planned architecture.
Architecture Overview
All API requests flow through a common pipeline:Session Management
Sessions encapsulate all request context, replacing simple parameter passing with structured metadata:API Dispatcher
The dispatcher provides a unified interface for all operations:- Validates session permissions
- Ensures library context for library operations
- Tracks request metadata
- Converts errors to API errors
Permission System
Permissions control access to specific operations:Permission Enforcement
Configure enforcement behavior:Authorization Levels
Four hierarchical levels provide increasing access: None: No authentication required (public operations only). Device: Authenticated device with basic permissions. User: Authenticated user with full library access. Admin: System administrator with all permissions. Higher levels inherit permissions from lower levels.Error Handling
API errors provide structured information for clients:Middleware Pipeline
Middleware pipeline is partially implemented. The infrastructure exists but middleware chaining is not yet active.
Logging Middleware
Tracks all requests with timing information:Metrics Middleware
Records operation metrics for monitoring:- Request count by operation
- Response times (p50, p90, p99)
- Error rates by type
- Active request count
Request Sources
Track where API calls originate:Tauri desktop app currently uses
Other("tauri") or Internal. A dedicated Tauri variant is planned.API Discovery
API discovery is a planned feature, not yet implemented.
Integration Examples
CLI Integration
Tauri Integration
The Tauri desktop app integrates with the core through Rust FFI:- In-Process: Daemon runs within the Tauri app process
- Background Process: Daemon runs as a separate system process (requires macOS entitlements)
Swift Integration
Security Best Practices
Always use strict permissions in production: Development warnings help identify missing permissions during development. Validate library context: Library operations must havecurrent_library_id set in the session.
Track request metadata: Use request IDs for debugging distributed operations.
Handle errors appropriately: Convert internal errors to user-friendly messages at the boundary.
Future Enhancements
Planned improvements include: User Authentication: OAuth and session token support. Rate Limiting: Per-user and per-operation limits. Request Caching: Smart caching for read operations. WebSocket Support: Real-time operation subscriptions.The API infrastructure is designed to be transport-agnostic. While examples
show Rust usage, the same patterns apply to REST endpoints and FFI boundaries.
