Skip to content

feat!: migrate to devframe 0.6 — official plugins, crossws + OTP auth#396

Merged
antfu merged 8 commits into
mainfrom
busy-houses-buy
Jul 9, 2026
Merged

feat!: migrate to devframe 0.6 — official plugins, crossws + OTP auth#396
antfu merged 8 commits into
mainfrom
busy-houses-buy

Conversation

@antfubot

@antfubot antfubot commented Jul 8, 2026

Copy link
Copy Markdown
Collaborator

Description

Upgrades devframe and @devframes/hub to 0.6.0-beta.3 and adopts the official portable devframe plugins in place of the hand-rolled panels.

Terminals & messages — the built-in terminals and messages tabs are now provided by @devframes/plugin-terminals and @devframes/plugin-messages, mounted as built-ins (gated by builtinDevTools). The hub's built-in ~terminals/~messages docks are suppressed via the builtinDocks option. The core message store/RPC is retained so toasts keep working (re-pointed at the messages plugin dock). The old webcomponents panels, the core terminals RPC, and the @xterm/* deps are removed.

Self-inspect — meta-introspection moves from the local packages/self-inspect package to the official @devframes/plugin-inspect; the local package is deleted.

Auth — client auth is rewritten to devframe's OTP / magic-link model via the createInteractiveAuth recipe: the anonymous:devframe:auth / anonymous:devframe:auth:exchange handshake, the built-in devframe:auth:revoke self-revoke (wired to a new Revoke Access button in Settings → Advanced), and the one-time-code banner. The RPC resolver gates purely on the anonymous: prefix (isAnonymousRpcMethod).

WebSocket transport — migrated from ws to crossws. When embedded in a Vite dev server the RPC socket attaches to Vite's own HTTP server on the /__devtools/__ws route (friendlier to proxies/HTTPS); standalone/CLI keeps the dedicated-port fallback.

Dock grouping — terminals, messages, and inspector live in the ~builtin dock category alongside the built-in Settings dock; the ~viteplus ("Vite+") group is left for integrations like Rolldown. Playground demo docks are collected under a "Playground" group.

pnpm lint, pnpm typecheck, pnpm test (188 passing), and pnpm build all pass.

Breaking changes

Warning

This is a breaking release. @vitejs/devtools* and @vitejs/devtools-kit are pre-1.0 / experimental, and it pins a devframe pre-release.

  • @vitejs/devtools-self-inspect is removed. The inspector is now the built-in @devframes/plugin-inspect (on by default). Migration: drop the @vitejs/devtools-self-inspect dependency and the DevToolsSelfInspect() plugin from your Vite config — the "Inspect" dock ships out of the box.
  • Requires devframe / @devframes/hub 0.6.0-beta.3 (up from 0.5.4), inheriting devframe 0.6's own breaking changes (crossws transport, OTP auth, renamed RPC methods, nostics 1.x). Kit consumers get devframe 0.6 transitively.
  • Auth flow changed. The old token flow + dedicated WS port + /__devtools/auth page is replaced by an OTP code / ?devframe_otp= magic link over a route-bound socket. Anything that dialed ws://…:7812?devframe_auth_token=… or drove the old page breaks; devtools.clientAuthTokens still works for automation.
  • Internal RPC surface changeddevtoolskit:internal:terminals:* removed; auth methods renamed to the anonymous:devframe:auth* scope. These are @internal (not documented public API).

Plugin-author surface is unchanged: Plugin.devtools.setup, createPluginFromDevframe, DevTools(), and ctx.terminals / ctx.messages all keep their signatures.

Linked Issues

Additional context

Reviewer focus (not covered by CI): please manually exercise the OTP auth handshake and the live WS/PTY paths via pnpm -C packages/core run play — code entry + ?devframe_otp= magic link, reconnect, Revoke Access, non-TTY — and confirm the route-bound socket connects (and coexists with Vite HMR) plus the terminals/messages/inspect panels render.

BREAKING CHANGE: removes the published @vitejs/devtools-self-inspect package (use the built-in @devframes/plugin-inspect), requires devframe/@devframes/hub 0.6.0-beta.3, and replaces the token auth flow with devframe's OTP / magic-link handshake.

This PR was created with the help of an agent.

…nspect

Upgrade devframe and @devframes/hub to 0.6.0-beta.2 and replace the
hand-rolled panels with the official portable devframe plugins:

- Terminals and messages tabs are now provided by
  @devframes/plugin-terminals and @devframes/plugin-messages, mounted as
  built-ins. The hub's built-in ~terminals/~messages docks are suppressed
  via the new builtinDocks option; the message store/RPC is retained so
  toasts keep working.
- Meta-introspection moves from the local self-inspect package to the
  official @devframes/plugin-inspect.
- Align with the hub's reworked internals: crossws WebSocket transport and
  the OTP / magic-link auth handshake.

Co-authored with the help of an agent.
@pkg-pr-new

pkg-pr-new Bot commented Jul 8, 2026

Copy link
Copy Markdown

Open in StackBlitz

npm i https://pkg.pr.new/@vitejs/devtools@396
npm i https://pkg.pr.new/@vitejs/devtools-kit@396
npm i https://pkg.pr.new/@vitejs/devtools-rolldown@396

commit: 0a9448d

antfubot added 7 commits July 8, 2026 06:13
Collect the terminals, messages, and inspect panels under the shared
"Vite+" dock group (alongside Rolldown) instead of each claiming its own
top-level dock button.
When embedded in a Vite dev server, attach the RPC socket to Vite's own
HTTP server on the /__devtools/__ws upgrade route instead of opening a
separate port — friendlier to proxies and HTTPS. Standalone and CLI keep
the dedicated-port fallback (no Vite server to share).
Add a "Revoke Access" action in Settings → Advanced that de-authorizes
the current browser. A trusted-only `devtoolskit:internal:auth:revoke`
RPC revokes the session's node-issued bearer token via devframe's
`revokeAuthToken`; the resulting `devframe:auth:revoked` broadcast drops
this (and any sibling) client back to untrusted.
- DTK0013: document the OTP code / magic-link trust flow, the
  `devframe:auth:exchange` pre-auth method, and Settings → Advanced →
  Revoke Access.
- terminals / messages / kit index: attribute the panels to the official
  @devframes/plugin-terminals and @devframes/plugin-messages built-ins,
  and drop the removed built-in xterm panel / messages dock-badge notes.
- remote-client: show the route-bound WS endpoint (shared Vite origin).
Bump devframe, @devframes/hub, and the plugins to 0.6.0-beta.3 and replace
the hand-rolled auth wiring with devframe's new `createInteractiveAuth`
recipe. It registers the renamed `anonymous:devframe:auth` / `:exchange`
handshake, the built-in `devframe:auth:revoke` self-revoke, and the
one-time-code banner — so the core no longer maintains its own handshake
handlers or revoke RPC.

The RPC resolver now gates purely on the `anonymous:` prefix
(`isAnonymousRpcMethod`), dropping the hard-coded pre-auth allowlist. The
connect-time bearer/remote-dock trust is preserved. The Revoke Access
button calls the built-in `devframe:auth:revoke`.
Move the terminals, messages, and inspector panels into the `~builtin`
dock category — alongside the built-in Settings dock — instead of the
`~viteplus` group, which is reserved for integrations like Rolldown.

In the playground, collect the demo docks under a dedicated "Playground"
group (renamed from "Local Test").
@antfubot antfubot changed the title feat: adopt devframe 0.6 official plugins for terminals, messages & inspect feat!: migrate to devframe 0.6 — official plugins, crossws + OTP auth Jul 9, 2026
@antfu antfu merged commit ae9555f into main Jul 9, 2026
10 checks passed
@antfu antfu deleted the busy-houses-buy branch July 9, 2026 13:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants