fix: config-based auth tokens should not persist to trusted storage

clientAuthTokens from config were being stored in trusted storage on
auto-approve, which meant revoking them from self-inspect had no effect
since the next auth request would re-match the config and re-store.

Now config-based tokens only grant session-level trust (in-memory meta)
without persisting to storage. Only terminal-approved and temp-token
approved auth tokens are persisted.

Also use delete instead of = undefined for immer draft cleanup on revoke.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: antfu

packages/core/src/node/auth-revoke.ts

@@ -14,7 +14,7 @@ export async function revokeAuthToken(
 ): Promise<void> {
   // Remove from persistent storage
   storage.mutate((state) => {
-    state.trusted[token] = undefined
+    delete state.trusted[token]
   })
 
   const rpcHost = context.rpc as unknown as RpcFunctionsHost

packages/core/src/node/rpc/anonymous/auth.ts

@@ -40,9 +40,18 @@ export const anonymousAuth = defineRpcFunction({
           }
         }
 
-        // Auto-approve if authToken matches a configured auth token or the temp auth ID
+        // Auto-approve if authToken matches a configured auth token (session-only, not persisted)
         const tokens = (context.viteConfig.devtools?.config as any)?.clientAuthTokens as string[] ?? []
-        if (tokens.includes(query.authToken) || query.authToken === getTempAuthToken()) {
+        if (tokens.includes(query.authToken)) {
+          session.meta.clientAuthToken = query.authToken
+          session.meta.isTrusted = true
+          return {
+            isTrusted: true,
+          }
+        }
+
+        // Auto-approve if authToken matches the server-generated temp auth token
+        if (query.authToken === getTempAuthToken()) {
           storage.mutate((state) => {
             state.trusted[query.authToken] = {
               authToken: query.authToken,