refactor(auth)!: use "authenticate" wording and document the auth flow

Replace the "pair/pairing" vocabulary with "authenticate/authentication"
across the auth surface, and rename the API for consistency:

- `getTempAuthToken` → `getTempAuthCode` and `refreshTempAuthToken` →
  `refreshTempAuthCode` (they handle the one-time code, not a token)
- `buildOtpPairingUrl` → `buildOtpAuthUrl`
- `pairWithUrlOtp` → `authenticateWithUrlOtp`

Document the auth methods (RPC wire contract + `devframe/node/auth` and
client primitives) and the end-to-end auth flow in the security guide.

BREAKING CHANGE: `getTempAuthToken` → `getTempAuthCode`,
`refreshTempAuthToken` → `refreshTempAuthCode`, `buildOtpPairingUrl` →
`buildOtpAuthUrl`, `pairWithUrlOtp` → `authenticateWithUrlOtp`. All unreleased.

Author: antfubot

docs/guide/client.md

@@ -66,7 +66,7 @@ The client picks a mode automatically from the backend field. Mode-specific code
 
 ## Trust & auth (WebSocket mode)
 
-Dev-mode connections become trusted by pairing. A client that has paired before presents its stored token automatically on reconnect, and `ensureTrusted()` resolves once the server accepts it:
+Dev-mode connections become trusted by authenticating. A client that authenticated before presents its stored token automatically on reconnect, and `ensureTrusted()` resolves once the server accepts it:
 
 ```ts
 const rpc = await connectDevframe()
@@ -75,11 +75,11 @@ const rpc = await connectDevframe()
 const trusted = await rpc.ensureTrusted()
 
 if (!trusted) {
-  console.warn('Not paired yet')
+  console.warn('Not authenticated yet')
 }
 ```
 
-### Pairing with a one-time code
+### Authenticating with a one-time code
 
 A fresh client holds no token. The dev server prints a 6-digit one-time code; pass it to `requestTrustWithCode` to exchange it for a node-issued token. The token is persisted for future reconnections and shared with sibling tabs, which become trusted without re-entering the code:
 
@@ -89,7 +89,7 @@ const ok = await rpc.requestTrustWithCode('047204')
 
 The code is single-use, expires after five minutes, and is rotated after repeated wrong attempts, so re-display the current code if an exchange fails.
 
-To pair without typing, a host can print a link embedding the code (`buildOtpPairingUrl(origin)`); `connectDevframe` reads the `devframe_otp` query parameter, exchanges it, and strips it from the URL. Rename it with the `otpParam` option, or set `otpParam: false` and drive pairing yourself with the exposed `pairWithUrlOtp(rpc)` / `consumeOtpFromUrl()` utilities.
+To authenticate without typing, a host can print a link embedding the code (`buildOtpAuthUrl(origin)`); `connectDevframe` reads the `devframe_otp` query parameter, exchanges it, and strips it from the URL. Rename it with the `otpParam` option, or set `otpParam: false` and drive authentication yourself with the exposed `authenticateWithUrlOtp(rpc)` / `consumeOtpFromUrl()` utilities.
 
 ### Re-using an existing token
 
@@ -101,7 +101,7 @@ const ok = await rpc.requestTrustWithToken('a1b2c3…')
 
 ### Broadcast-channel sync
 
-`connectDevframe` listens on a shared `BroadcastChannel` (named `devframe-auth` for cross-tab handshake interop with Vite DevTools' auth page) for `auth-update` messages. When another tab completes a pairing — or an auth page announces a token — every open client trusts it automatically, no reload required.
+`connectDevframe` listens on a shared `BroadcastChannel` (named `devframe-auth` for cross-tab handshake interop with Vite DevTools' auth page) for `auth-update` messages. When another tab authenticates — or an auth page announces a token — every open client trusts it automatically, no reload required.
 
 ## Calling functions
 

docs/guide/security.md

@@ -12,42 +12,65 @@ An RPC handler runs with the full privileges of the process hosting it — files
 
 Two postures cover that boundary:
 
-- **Authenticated (default).** `auth` defaults to `true`. The browser pairs with the server before calls are accepted, and reconnects by presenting a node-issued bearer token. Devframe supplies the node-side primitives (`exchangeTempAuthCode`, `verifyAuthToken`); the host adapter — e.g. Vite DevTools — provides the interactive handler and pairing UI.
+- **Authenticated (default).** `auth` defaults to `true`. The browser authenticates with the server before calls are accepted, and reconnects by presenting a node-issued bearer token. Devframe supplies the node-side primitives (`exchangeTempAuthCode`, `verifyAuthToken`); the host adapter — e.g. Vite DevTools — provides the interactive handler and authentication UI.
 - **Unauthenticated opt-out.** Setting `auth: false` starts the server with an auto-trust handshake. It exists for single-user tools talking to their own `localhost`, where a round-trip would only add friction.
 
 > [!WARNING]
 > `auth: false` trusts every connection that can reach the port. Only use it when the surface is reachable solely by the local developer. Never combine it with a non-loopback bind host, a tunnelled port, or a shared/CI environment.
 
-## Pairing and tokens
+## Authentication flow
 
-Pairing exchanges a short code for a long token:
+Authentication exchanges a short code for a long-lived token. A node mints and owns the token; the browser only ever sends the short code, and only over the open socket.
 
-1. The dev server shows a 6-digit one-time code in the developer's terminal.
-2. The developer types it into the browser, which calls `requestTrustWithCode(code)`.
-3. The server verifies the code, mints a high-entropy bearer token, records it as trusted, and returns it.
-4. The browser persists the token and presents it on reconnect; sibling tabs receive it over the `devframe-auth` channel.
+1. A fresh client connects unauthenticated and calls `devframe:anonymous:auth` with its stored token (empty on first run). The server returns `{ isTrusted: false }`, so the trust gate stays open while the UI prompts for a code.
+2. The dev server shows a 6-digit one-time code in the developer's terminal.
+3. The developer enters it; the browser calls `requestTrustWithCode(code)` → `devframe:auth:exchange`.
+4. The server verifies the code, mints a high-entropy bearer token, records it as trusted, marks the session trusted, and returns the token.
+5. The browser persists the token and presents it on reconnect (`devframe:anonymous:auth` → `verifyAuthToken`); sibling tabs receive it over the `devframe-auth` channel and become trusted too.
 
 The 6-digit code is single-use, expires after five minutes, is compared in constant time, and rotates after repeated wrong attempts — which is what keeps a short code brute-force resistant. Show it only in a trusted channel (the terminal), never over the network.
 
 The bearer token is a secret. It travels to the server on the WebSocket URL (`?devframe_auth_token=…`), so serve over `wss://`/`https://` whenever the surface is reachable beyond loopback. Revoke a token with `revokeAuthToken(context, storage, token)`; affected clients drop to untrusted via the `devframe:auth:revoked` event.
 
-### Magic-link pairing
+### Auth methods
 
-To skip typing, a host can print a link that embeds the code and open the browser straight into a paired session. Build it from the current code with `buildOtpPairingUrl(origin)` (devframe stays headless, so the host prints its own banner):
+Devframe owns the wire contract; the host adapter registers the handlers on top of the `devframe/node/auth` primitives (the standalone server registers a noop auto-trust handler when `auth: false`).
+
+| RPC method | Direction | Shape |
+|------------|-----------|-------|
+| `devframe:anonymous:auth` | client → server | `{ authToken, ua, origin }` → `{ isTrusted }` — re-authenticate a stored token |
+| `devframe:auth:exchange` | client → server | `{ code, ua, origin }` → `{ authToken \| null }` — exchange a one-time code for a token |
+| `devframe:auth:revoked` | server → client | event — the connection's token was revoked |
+
+Node primitives (`devframe/node/auth`):
+
+| Function | Role |
+|----------|------|
+| `getTempAuthCode()` / `refreshTempAuthCode()` | read / rotate the current one-time code to display |
+| `exchangeTempAuthCode(code, session, { ua, origin }, storage)` | verify a code, mint + store the token, trust the session, return the token (or `null`) |
+| `verifyAuthToken(token, session, storage)` | trust a session presenting a known token (reconnect) |
+| `buildOtpAuthUrl(origin, code?)` | build a magic-link URL embedding the code |
+| `revokeAuthToken(context, storage, token)` | delete a token and disconnect any sessions using it |
+
+Client methods (`devframe/client`): `requestTrustWithCode(code)` (exchange a code), `requestTrustWithToken(token)` (re-authenticate a token), `ensureTrusted(timeout?)` / `isTrusted` (the trust gate).
+
+### Magic-link authentication
+
+To skip typing, a host can print a link that embeds the code and open the browser straight into an authenticated session. Build it from the current code with `buildOtpAuthUrl(origin)` (devframe stays headless, so the host prints its own banner):
 
 ```
-Devtools ready — pair this browser: http://localhost:3000/?devframe_otp=123456
+Devtools ready — authenticate this browser: http://localhost:3000/?devframe_otp=123456
 ```
 
 `connectDevframe` reads the `devframe_otp` parameter, exchanges it, and removes it from the URL before anything else. Only the short-lived, single-use **code** ever rides the URL — the resulting bearer token is stored, never written back to it. Because the link grants trust to whoever opens it within the code's lifetime, print it only to a trusted channel (the terminal), exactly as you would the bare code.
 
-Higher-level integrations can drive their own pairing UI instead: disable the built-in handling with the `otpParam: false` client option, then call the exposed `pairWithUrlOtp(rpc)` (consume the code from the URL and exchange it) or `consumeOtpFromUrl()` (read and strip the code) from `devframe/client`.
+Higher-level integrations can drive their own authentication UI instead: disable the built-in handling with the `otpParam: false` client option, then call the exposed `authenticateWithUrlOtp(rpc)` (consume the code from the URL and exchange it) or `consumeOtpFromUrl()` (read and strip the code) from `devframe/client`.
 
 ## Practices for tools built on devframe
 
 - **Stay on loopback.** The default bind host is `localhost`. Bind to a routable address only when you intend to, and require authentication when you do.
 - **Keep `auth: false` local.** Reach for it only for single-user localhost tools; leave the default in place anywhere a connection could originate elsewhere.
-- **Treat tokens as secrets.** Never log the bearer token or the pairing code, and never bake either into build output.
+- **Treat tokens as secrets.** Never log the bearer token or the one-time code, and never bake either into build output.
 - **Authorize every handler.** A registered function is callable by any trusted client. Validate inputs, and mark state-changing functions `type: 'destructive'` so MCP and agent clients prompt before invoking them.
 - **Origin-lock remote docks.** When a hub embeds a remote-UI dock, enable `originLock` so a dock token is only honored from its expected origin.
 - **Serve encrypted off-machine.** Use `https://`/`wss://` for any surface reachable beyond `localhost`.

packages/devframe/src/client/__tests__/otp.test.ts

@@ -1,5 +1,5 @@
 import { afterEach, describe, expect, it, vi } from 'vitest'
-import { consumeOtpFromUrl, pairWithUrlOtp, readOtpFromUrl } from '../otp'
+import { authenticateWithUrlOtp, consumeOtpFromUrl, readOtpFromUrl } from '../otp'
 
 afterEach(() => {
   vi.unstubAllGlobals()
@@ -46,13 +46,13 @@ describe('otp url helpers', () => {
   })
 })
 
-describe('pairWithUrlOtp', () => {
+describe('authenticateWithUrlOtp', () => {
   it('exchanges the OTP via the client and resolves true on success', async () => {
     vi.stubGlobal('location', { search: '?devframe_otp=123456', href: 'http://localhost:3000/?devframe_otp=123456' })
     vi.stubGlobal('history', { state: null, replaceState: vi.fn() })
     const requestTrustWithCode = vi.fn().mockResolvedValue(true)
 
-    const ok = await pairWithUrlOtp({ isTrusted: false, requestTrustWithCode })
+    const ok = await authenticateWithUrlOtp({ isTrusted: false, requestTrustWithCode })
 
     expect(requestTrustWithCode).toHaveBeenCalledWith('123456')
     expect(ok).toBe(true)
@@ -62,7 +62,7 @@ describe('pairWithUrlOtp', () => {
     vi.stubGlobal('location', { search: '', href: 'http://localhost:3000/' })
     const requestTrustWithCode = vi.fn()
 
-    const ok = await pairWithUrlOtp({ isTrusted: false, requestTrustWithCode })
+    const ok = await authenticateWithUrlOtp({ isTrusted: false, requestTrustWithCode })
 
     expect(requestTrustWithCode).not.toHaveBeenCalled()
     expect(ok).toBe(false)
@@ -74,7 +74,7 @@ describe('pairWithUrlOtp', () => {
     vi.stubGlobal('history', { state: null, replaceState })
     const requestTrustWithCode = vi.fn()
 
-    const ok = await pairWithUrlOtp({ isTrusted: true, requestTrustWithCode })
+    const ok = await authenticateWithUrlOtp({ isTrusted: true, requestTrustWithCode })
 
     expect(ok).toBe(true)
     expect(requestTrustWithCode).not.toHaveBeenCalled()

packages/devframe/src/client/otp.ts

@@ -1,14 +1,14 @@
 import type { DevframeRpcClient } from './rpc'
 import { DEVFRAME_OTP_URL_PARAM } from 'devframe/constants'
 
-// Browser-only helpers for "magic link" pairing: a host prints a URL carrying a
-// one-time pairing code (OTP), and the client reads it, exchanges it for a
-// token, and removes it from the address bar. Only the short-lived, single-use
-// OTP ever rides the URL — never the resulting bearer token.
+// Browser-only helpers for "magic link" authentication: a host prints a URL
+// carrying a one-time authentication code (OTP), and the client reads it,
+// exchanges it for a token, and removes it from the address bar. Only the
+// short-lived, single-use OTP ever rides the URL — never the resulting token.
 
 /**
- * Read a one-time pairing code from the current page URL's query string,
- * without side effects. Returns `undefined` when the parameter is absent.
+ * Read a one-time authentication code (OTP) from the current page URL's query
+ * string, without side effects. Returns `undefined` when the parameter is absent.
  */
 export function readOtpFromUrl(param: string = DEVFRAME_OTP_URL_PARAM): string | undefined {
   try {
@@ -46,14 +46,14 @@ export function consumeOtpFromUrl(param: string = DEVFRAME_OTP_URL_PARAM): strin
 /**
  * Consume a one-time code from the page URL (see {@link consumeOtpFromUrl}) and
  * exchange it for a token via the client. Resolves `true` when the client is
- * paired (already trusted, or the exchange succeeded), and `false` when no code
- * is present or the exchange failed.
+ * authenticated (already trusted, or the exchange succeeded), and `false` when
+ * no code is present or the exchange failed.
  *
  * Higher-level integrations (e.g. Vite DevTools) that want to drive their own
- * pairing UI can disable `connectDevframe`'s built-in handling with
+ * authentication UI can disable `connectDevframe`'s built-in handling with
  * `otpParam: false` and call this — or {@link consumeOtpFromUrl} — themselves.
  */
-export async function pairWithUrlOtp(
+export async function authenticateWithUrlOtp(
   rpc: Pick<DevframeRpcClient, 'isTrusted' | 'requestTrustWithCode'>,
   options: { param?: string } = {},
 ): Promise<boolean> {

packages/devframe/src/client/rpc-ws.ts

@@ -94,7 +94,7 @@ export function createWsRpcClientMode(
 
     isTrusted = result.isTrusted
     // Only settle the trust gate on success; on failure the client can still
-    // pair via `requestTrustWithCode`, so leave `ensureTrusted` waiting.
+    // authenticate via `requestTrustWithCode`, so leave `ensureTrusted` waiting.
     if (isTrusted)
       trustedPromise.resolve(true)
     events.emit('rpc:is-trusted:updated', isTrusted)
@@ -123,8 +123,9 @@ export function createWsRpcClientMode(
       return true
     // Always announce on connect. The standalone (`auth: false`) noop handler
     // auto-trusts regardless of token; the host adapter looks the token up and
-    // returns `false` for an unpaired client (empty/unknown token), which then
-    // pairs via `requestTrustWithCode`. The trust gate stays open until then.
+    // returns `false` for an unauthenticated client (empty/unknown token), which
+    // then authenticates via `requestTrustWithCode`. The trust gate stays open
+    // until then.
     return requestTrustWithToken(currentAuthToken ?? '')
   }
 

packages/devframe/src/client/rpc.ts

@@ -10,7 +10,7 @@ import {
 } from 'devframe/constants'
 import { RpcCacheManager, RpcFunctionsCollectorBase } from 'devframe/rpc'
 import { createEventEmitter } from 'devframe/utils/events'
-import { pairWithUrlOtp } from './otp'
+import { authenticateWithUrlOtp } from './otp'
 import { createRpcSharedStateClientHost } from './rpc-shared-state'
 import { createStaticRpcClientMode } from './rpc-static'
 import { createRpcStreamingClientHost } from './rpc-streaming'
@@ -41,11 +41,11 @@ export interface DevframeRpcClientOptions {
    */
   authToken?: string
   /**
-   * Query-param name on the page URL carrying a one-time pairing code (OTP) for
-   * "magic link" auth (e.g. a link the dev server prints). When present, the
-   * client exchanges the code for a token and removes the parameter from the
-   * URL. Set `false` to disable — e.g. integrations that drive their own
-   * pairing via `pairWithUrlOtp`. Default: `'devframe_otp'`.
+   * Query-param name on the page URL carrying a one-time authentication code
+   * (OTP) for "magic link" auth (e.g. a link the dev server prints). When
+   * present, the client exchanges the code for a token and removes the parameter
+   * from the URL. Set `false` to disable — e.g. integrations that drive their
+   * own authentication via `authenticateWithUrlOtp`. Default: `'devframe_otp'`.
    */
   otpParam?: string | false
   wsOptions?: Partial<WsRpcChannelOptions>
@@ -92,9 +92,10 @@ export interface DevframeRpcClient {
   requestTrustWithToken: (token: string) => Promise<boolean>
 
   /**
-   * Pair this client by exchanging a one-time code (shown by the dev server)
-   * for a node-issued auth token. On success the token is persisted for future
-   * reconnections and shared with sibling tabs. Resolves `true` when paired.
+   * Authenticate this client by exchanging a one-time code (shown by the dev
+   * server) for a node-issued auth token. On success the token is persisted for
+   * future reconnections and shared with sibling tabs. Resolves `true` when
+   * authenticated.
    */
   requestTrustWithCode: (code: string) => Promise<boolean>
 
@@ -178,8 +179,8 @@ function getStoredAuthToken(userAuthToken?: string): string | undefined {
     catch {}
   }
 
-  // No token yet — the client is unpaired and must exchange a one-time code
-  // (see `requestTrustWithCode`) to obtain a node-issued token.
+  // No token yet — the client is unauthenticated and must exchange a one-time
+  // code (see `requestTrustWithCode`) to obtain a node-issued token.
   return undefined
 }
 
@@ -393,14 +394,14 @@ export async function getDevframeRpcClient(
   context.rpc = rpc
   void mode.requestTrust()
 
-  // Magic-link pairing: if the page URL carries a one-time code, exchange it
-  // and strip it from the URL. The code is single-use and short-lived; the
+  // Magic-link authentication: if the page URL carries a one-time code, exchange
+  // it and strip it from the URL. The code is single-use and short-lived; the
   // resulting bearer token is persisted (never written back to the URL).
-  // Integrations that drive their own pairing UI opt out with `otpParam: false`
-  // and call `pairWithUrlOtp` / `consumeOtpFromUrl` directly.
+  // Integrations that drive their own auth UI opt out with `otpParam: false`
+  // and call `authenticateWithUrlOtp` / `consumeOtpFromUrl` directly.
   const otpParam = options.otpParam ?? DEVFRAME_OTP_URL_PARAM
   if (otpParam)
-    void pairWithUrlOtp(rpc, { param: otpParam })
+    void authenticateWithUrlOtp(rpc, { param: otpParam })
 
   // Listen for auth updates from other tabs (e.g., the auth page, or another
   // tab that just completed a code exchange).

packages/devframe/src/constants.ts

@@ -17,10 +17,10 @@ export const DEVFRAME_RPC_DUMP_DIRNAME = '__rpc-dump'
 export const REMOTE_CONNECTION_KEY = 'devframe-remote-connection'
 
 /**
- * Page-URL query parameter carrying a one-time pairing code (OTP) for "magic
- * link" auth. A host can print a link like `<origin>/?devframe_otp=<code>`; the
- * client reads the code, exchanges it for a token, and strips the parameter
- * from the URL. See `buildOtpPairingUrl` (node) and the `pairWithUrlOtp` /
+ * Page-URL query parameter carrying a one-time authentication code (OTP) for
+ * "magic link" auth. A host can print a link like `<origin>/?devframe_otp=<code>`;
+ * the client reads the code, exchanges it for a token, and strips the parameter
+ * from the URL. See `buildOtpAuthUrl` (node) and the `authenticateWithUrlOtp` /
  * `consumeOtpFromUrl` client utilities (or `connectDevframe`'s `otpParam`).
  */
 export const DEVFRAME_OTP_URL_PARAM = 'devframe_otp'