Dev Inspector
One dev-only dashboard that shows what your app is and why it behaves a certain way — routes and their resolved auth, every collection with its policy, config inheritance, sessions, write scopes, template lints, and a live feed of recent activity. Zero configuration, zero JavaScript.
Opening it
Run the dev server and the inspector URL is printed in the startup banner:
run-what dev
...
Inspect: http://127.0.0.1:8085/w-inspector
Open that URL, or call What.inspect() from the browser console on any page. The route exists only in dev mode — it returns 404 under --production, so there's nothing to disable before shipping.
What it shows
| Panel | Answers |
|---|---|
| Overview | Framework version, mode, and the config that's actually in effect (port, css mode, sessions/auth/uploads, source viewer, strict). |
| Routes | Every page, with the auth level and layout it resolves to after application.what inheritance — not just what the page declares. "Why is this page public?" is answered here. |
| Collections & Policies | Each collection's row count next to its authorization rules (create/read/update/delete/owner/filter/fields). "Why can't I see this record?" is answered here. |
| application.what Inheritance | Which config files exist in the tree and what each one declares. |
| Sessions | Active session count and (truncated) IDs. |
| Write Scopes | Which wired.* / app.* variables are role-gated for w-set. |
| Template Lints | Authoring mistakes across all pages — unclosed <if>/<loop>, trailing <else/>, legacy cond=, and raw built-in tags inside <code> samples. |
| Activity | A rolling feed of the last 200 events — every request (method, path, status, duration), every policy denial with the rule that fired, and every fetch.* directive with its result and timing. "What just happened?" is answered here. |
The activity feed
The Activity panel shows the newest events first. Three kinds of events are recorded, in dev mode only — production requests never touch the buffer:
- request —
GET /todos → 200 (3ms). Every request except the framework's own internal routes. Errors (4xx/5xx) are highlighted. - deny — the exact collection, action, and rule behind every policy denial, so a mysterious "not allowed" flash message takes seconds to diagnose.
- fetch — each
fetch.*directive a page ran, with its source, row count, and timing.
The page stays zero-JS. For a self-updating view, click auto-refresh in the panel header (or open /w-inspector?refresh=2) — a plain <meta http-equiv="refresh"> reloads the page every 2 seconds. The buffer keeps the last 200 events in memory and resets on restart; nothing is written to disk.