what

Dev Inspector

One dev-only dashboard that shows what your app is and why it behaves a certain way — routes and their resolved auth, every collection with its policy, config inheritance, sessions, write scopes, template lints, and a live feed of recent activity. Zero configuration, zero JavaScript.

Opening it

Run the dev server and the inspector URL is printed in the startup banner:

run-what dev
  ...
  Inspect: http://127.0.0.1:8085/w-inspector

Open that URL, or call What.inspect() from the browser console on any page. The route exists only in dev mode — it returns 404 under --production, so there's nothing to disable before shipping.

What it shows

PanelAnswers
OverviewFramework version, mode, and the config that's actually in effect (port, css mode, sessions/auth/uploads, source viewer, strict).
RoutesEvery page, with the auth level and layout it resolves to after application.what inheritance — not just what the page declares. "Why is this page public?" is answered here.
Collections & PoliciesEach collection's row count next to its authorization rules (create/read/update/delete/owner/filter/fields). "Why can't I see this record?" is answered here.
application.what InheritanceWhich config files exist in the tree and what each one declares.
SessionsActive session count and (truncated) IDs.
Write ScopesWhich wired.* / app.* variables are role-gated for w-set.
Template LintsAuthoring mistakes across all pages — unclosed <if>/<loop>, trailing <else/>, legacy cond=, and raw built-in tags inside <code> samples.
ActivityA rolling feed of the last 200 events — every request (method, path, status, duration), every policy denial with the rule that fired, and every fetch.* directive with its result and timing. "What just happened?" is answered here.
Built for building fast. When an app is generated or edited quickly — by you or by a coding agent — the inspector is the one place to confirm the routes, policies, and config came out the way you intended, and to catch template mistakes before they ship.

The activity feed

The Activity panel shows the newest events first. Three kinds of events are recorded, in dev mode only — production requests never touch the buffer:

  • requestGET /todos → 200 (3ms). Every request except the framework's own internal routes. Errors (4xx/5xx) are highlighted.
  • deny — the exact collection, action, and rule behind every policy denial, so a mysterious "not allowed" flash message takes seconds to diagnose.
  • fetch — each fetch.* directive a page ran, with its source, row count, and timing.

The page stays zero-JS. For a self-updating view, click auto-refresh in the panel header (or open /w-inspector?refresh=2) — a plain <meta http-equiv="refresh"> reloads the page every 2 seconds. The buffer keeps the last 200 events in memory and resets on restart; nothing is written to disk.