feat: support remote-hosted iframe docks with local RPC connection#294
Merged
Conversation
Plugin authors can now set `remote: true` on an iframe dock to point at a hosted website instead of bundling a SPA dist. The core injects a session-only auth token and WS URL into the iframe URL (as a fragment by default, or optionally as a query param), and the hosted page connects back via the new `connectRemoteDevTools()` helper in `@vitejs/devtools-kit/client`. Tokens are origin-locked by default and revoked on dock re-registration. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@vitejs/devtools
@vitejs/devtools-kit
@vitejs/devtools-rolldown
@vitejs/devtools-rpc
@vitejs/devtools-self-inspect
commit: |
…round - `docs/kit/remote-demo.md`: live page that uses `connectRemoteDevTools()` to open a WS back to the local dev server when opened through a remote dock, and renders a friendly standalone message otherwise. Subscribes to the built-in `devtoolskit:internal:docks` shared state to display a live dock registry. - Playground registers a `remote: true` iframe dock pointing at that page (configurable via `DEVTOOLS_REMOTE_DEMO_URL`). - Pin the docs dev server to port 5174 so it doesn't collide with the playground on 5173 when both are running for dogfooding. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Point the playground's remote dock at https://devtools.vite.dev/kit/remote-demo so the demo works out of the box without running the docs dev server. Local dev still overrides via DEVTOOLS_REMOTE_DEMO_URL. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Adds a second path for building custom DevTools UIs: plugin authors can point an iframe dock at a hosted website instead of bundling a SPA dist with their plugin. The core allocates a session-only, origin-locked auth token per dock registration and injects a connection descriptor (WS URL + token) into the iframe URL — as a fragment by default, or optionally as a query param. The hosted page connects back with the new one-liner
connectRemoteDevTools()from@vitejs/devtools-kit/client, which reuses the existingDevToolsRpcClient.The new
RemoteConnectionInfotype extendsConnectionMeta, so a parsed descriptor drops straight intogetDevToolsRpcClient({ connectionMeta })with no shape translation. Tokens live in memory only, are bound to the dock URL's origin by default (opt-out viaoriginLock: false), and are revoked on force re-registration. The WS handshake check inws.tsruns before the persisted trust store so revoked remote tokens can't accidentally match stale entries. Full docs live atdocs/kit/remote-client.mdwith a mermaid flow, the transport/origin-lock tradeoffs, and the trust model.Linked Issues
Additional context
when-clause defaulting to hide in build mode, force-register revocation, and origin-locked trust logic.ViewIframe.vuestrips the descriptor so the auth token isn't visible or copyable.wsEndpointtiming dance inws.ts+host-docks.ts—register()runs before the WS port is allocated, so enrichment happens lazily invalues()andcreateWsServerre-emitsdock:entry:updatedfor remote docks once the endpoint is known.🤖 Generated with Claude Code