all: refactor to cargo workspace, remove config shared library, remove protocol perms, add dpms cli (#7)

2026-06-06 23:14:53 -04:00 · 2026-06-06 23:14:53 -04:00 · bfc2a525de
commit bfc2a525de
parent 5db14936e7
616 changed files with 32344 additions and 31026 deletions
--- a/book/src/window-rules.md
+++ b/book/src/window-rules.md
@ -31,12 +31,6 @@ Each client rule can have the following fields:
 `latch`
 : An action to run when a client stops matching.

-`capabilities`
-: Wayland protocol access granted to matching clients.
-
-`sandbox-bounding-capabilities`
-: Upper bounds for protocols available to child sandboxes.
-
 ### Client Match Criteria

 All client match criteria are constant over the lifetime of a client. If no
@ -70,142 +64,6 @@ implicitly AND-combined.
 `exe` / `exe-regex`
 : The client's `/proc/pid/exe` path.

-`tag` / `tag-regex`
-: The connection tag of the client.
-
-### Granting Privileges
-
-Jay splits Wayland protocols into unprivileged and privileged. By default,
-applications only have access to unprivileged protocols. This means that tools
-like screen lockers, status bars, screen-capture utilities, and clipboard
-managers will not work unless you explicitly grant them the necessary
-privileges.
-
-See the [Protocol Support](features.md#protocol-support) table in the Features
-chapter for the full list of protocols and whether they are privileged.
-
-There are three ways to grant privileges, from simplest to most fine-grained.
-
-#### 1. Grant all privileges via `privileged = true` (exec) or `jay run-privileged`
-
-The simplest approach gives a program access to **all** privileged protocols.
-This is appropriate for trusted tools like screen lockers where you don't want
-to think about which specific protocols they need.
-
-In the config, set `privileged = true` in the exec table:
-
-```toml
-on-idle = {
-    type = "exec",
-    exec = {
-        prog = "swaylock",
-        privileged = true,
-    },
-}
-```
-
-From the command line, use `jay run-privileged`:
-
-```shell
-~$ jay run-privileged waybar
-```
-
-Both methods connect the program to a privileged Wayland socket that grants
-access to all privileged protocols.
-
-#### 2. Grant capabilities via connection tags
-
-Connection tags let you combine the CLI with client rules for precise control.
-You tag a program at launch time, then write a client rule that matches
-the tag and grants specific capabilities.
-
-First, launch the program with a tag -- either from the command line:
-
-```shell
-~$ jay run-tagged bar waybar
-```
-
-Or from the config using the `tag` field in an exec action:
-
-```toml
-[shortcuts]
-alt-w = {
-    type = "exec",
-    exec = {
-        prog = "waybar",
-        tag = "bar",
-    },
-}
-```
-
-Then write a client rule that matches the tag and grants capabilities:
-
-```toml
-[[clients]]
-match.tag = "bar"
-capabilities = ["layer-shell", "foreign-toplevel-list"]
-```
-
-This way, only the specific instance you launched with the tag receives the
-privileges -- other programs with the same binary name do not.
-
-Available capability values: `none`, `all`, `data-control`,
-`virtual-keyboard`, `foreign-toplevel-list`, `idle-notifier`, `session-lock`,
-`layer-shell`, `screencopy`, `seat-manager`, `drm-lease`, `input-method`,
-`workspace-manager`, `foreign-toplevel-manager`, `head-manager`,
-`gamma-control-manager`, `virtual-pointer`.
-
-**Default capabilities:** unsandboxed clients receive `layer-shell` and
-`drm-lease`. Sandboxed clients receive only `drm-lease`. If any client rule
-matches, its capabilities **replace** the defaults entirely. If multiple rules
-match, their capabilities are unioned together, but the defaults are not
-included unless a matching rule also grants them.
-
-#### 3. Grant capabilities via client match rules
-
-Client rules can also match programs by properties like their executable name
-instead of a tag. This is convenient when you always want a given program to
-have certain capabilities, regardless of how it was launched:
-
-```toml
-[[clients]]
-match.comm = "waybar"
-capabilities = ["layer-shell", "foreign-toplevel-list"]
-
-# Vim 9.2 uses the data-control protocol for seamless wayland integration.
-[[clients]]
-match.comm = "vim"
-match.sandboxed = false
-capabilities = "data-control"
-
-# Older versions use wl-copy and wl-paste.
-[[clients]]
-match.any = [
-    { comm = "wl-copy" },
-    { comm = "wl-paste" },
-]
-match.sandboxed = false
-capabilities = "data-control"
-```
-
-> [!NOTE]
-> Client match criteria like `comm`, `exe`, and `pid` are checked when a
-> client connects. Any process with a matching name receives the specified
-> capabilities. If you need to restrict privileges to programs you launch
-> yourself, use connection tags (method 2) instead.
-
-#### Bounding capabilities (sandboxes)
-
-Capabilities can never exceed the client's **bounding capabilities**. Use
-`sandbox-bounding-capabilities` on a client rule to set the upper bound for
-protocols available to sandboxes created by that client:
-
-```toml
-[[clients]]
-match.comm = "flatpak-portal"
-sandbox-bounding-capabilities = ["drm-lease", "layer-shell"]
-```
-
 ## Window Rules

 Window rules operate on individual windows. They are defined with `[[windows]]`
@ -456,18 +314,6 @@ action = {
 }
 ```

-### Grant Protocol Access to a Trusted App
-
-```toml
-[[clients]]
-match.comm = "swaylock"
-capabilities = ["session-lock", "layer-shell"]
-
-[[clients]]
-match.comm = "waybar"
-capabilities = ["layer-shell", "foreign-toplevel-list"]
-```
-
 ### Suppress Focus Stealing for Chromium Screen-Share Windows

 ```toml