feat: add Google Antigravity support #992

Open
maxmarines wants to merge 1 commit into nuxt:main from maxmarines:feat/add-antigravity-editor

@maxmarines

Resolves #987

Description

This PR adds support for Google Antigravity as a selectable code editor in Nuxt DevTools.

Since Antigravity is a browser-based IDE, it cannot use standard CLI spawn commands (which results in an ENOENT error when using launch-editor). To solve this, this implementation intercepts the openInEditor request on the server if antigravity is selected, and instead broadcasts an openUrl event to the client to handle the navigation via the browser.

Changes

  • Added antigravity to the editor options in settings.vue.
  • Added openUrl to ClientFunctions RPC types.
  • Implemented openUrl in client-rpc.ts using window.open.
  • Refactored setupGeneralRPC slightly to access ctx.rpc.broadcast and handle the Antigravity URL scheme bypassing launch-editor.

@coderabbitai
Contributor

coderabbitai Bot commented May 2, 2026

📝 Walkthrough

This pull request adds support for Google Antigravity as a selectable editor in Nuxt DevTools. The implementation adds a new RPC method openUrl(url: string) to the client functions interface and implements it on the client side to open URLs in a new browser tab via window.open(). On the server side, when "antigravity" is selected as the editor, the openInEditor function broadcasts the file URL through this new RPC method instead of attempting to spawn an editor process. The settings UI is updated to include "Google Antigravity" as a new editor option. The function signature of setupGeneralRPC is also refactored to accept the full context object and destructure its properties within the function.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The pull request title 'feat: add Google Antigravity support' clearly and concisely summarizes the main change: adding Antigravity as a supported editor in Nuxt DevTools. |
| Description check | ✅ Passed | The pull request description provides relevant context about the changes, explains the rationale for the implementation approach, and lists the specific files modified. |
| Linked Issues check | ✅ Passed | The code changes fully implement the requirements from issue #987: Antigravity is added to editor options, URL-based opening is implemented to bypass spawn limitations, and the RPC mechanism enables browser-based navigation. |
| Out of Scope Changes check | ✅ Passed | All changes are directly related to adding Antigravity support and are within the scope of the linked issue. No extraneous modifications are present. |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (1)
packages/devtools/client/setup/client-rpc.ts (1)

43-45: ⚡ Quick win

Add noopener,noreferrer to window.open().

Links opened via the window.open JavaScript function are also vulnerable to reverse tabnabbing. Unlike HTML <a target="_blank"> anchor elements, <a>, <area>, and <form> elements with target="_blank" implicitly provide the same rel behavior as rel="noopener" — but window.open() does not receive this implicit protection. If window.opener is set, a page can trigger a navigation in the opener regardless of security origin; to prevent this, use rel=noopener.

🛡️ Proposed fix
-    async openUrl(url: string) {
-      window.open(url, '_blank')
-    },
+    async openUrl(url: string) {
+      window.open(url, '_blank', 'noopener,noreferrer')
+    },
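Review bot: On the added `window.open(url, '_blank', 'noopener,noreferrer')` line, `url` is still passed through exactly as received, so this severs the opener reference but places no limit on what gets opened. Parse it with `new URL(url)` and check `protocol` (and ideally `hostname`) before the call, and add a short doc comment on `openUrl` stating which URLs it accepts.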
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@packages/devtools/client/setup/client-rpc.ts` around lines 43 - 45, The
openUrl method currently calls window.open(url, '_blank') which is vulnerable to
reverse tabnabbing; update the openUrl function to pass the appropriate features
string (e.g., 'noopener,noreferrer') or explicitly set the new window's opener
to null so that window.opener cannot be used: modify async openUrl(url: string)
in client-rpc.ts to call window.open(url, '_blank', 'noopener,noreferrer') (or
set const win = window.open(...); if (win) win.opener = null;) to ensure
noopener behavior.

📥 Commits

Reviewing files that changed from the base of the PR and between 481947a and d0c47eb.

📒 Files selected for processing (4)
  • packages/devtools-kit/src/_types/rpc.ts
  • packages/devtools/client/pages/settings.vue
  • packages/devtools/client/setup/client-rpc.ts
  • packages/devtools/src/server-rpc/general.ts

Comment on lines +43 to +45
async openUrl(url: string) {
window.open(url, '_blank')
},

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

openUrl broadcasts to all clients with no URL validation — arbitrary-URL injection risk.

openUrl is now a general-purpose client RPC callable by any server-side code holding ctx.rpc. A malicious or compromised Nuxt module can call ctx.rpc.broadcast.openUrl('https://attacker.example/phish'), causing every connected DevTools client to open the attacker URL silently in a new tab. There is no restriction at the client handler to antigravity.google or even to the https: scheme (a javascript: URL, while blocked by most browsers in window.open, is a valid string today).

At minimum, validate the protocol before calling window.open:

🛡️ Proposed fix
     async openUrl(url: string) {
-      window.open(url, '_blank')
+      if (!url.startsWith('https://'))
+        return
+      window.open(url, '_blank', 'noopener,noreferrer')
     },
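Review bot: The `url.startsWith('https://')` guard is a string-prefix test, so it accepts any HTTPS host, including a URL whose userinfo part looks like the intended host, such as `https://antigravity.google@attacker.example/`. Compare `new URL(url).hostname` against the expected host instead, and log the rejected value rather than returning silently so a blocked call is visible during development.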
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
async openUrl(url: string) {
window.open(url, '_blank')
},
async openUrl(url: string) {
if (!url.startsWith('https://'))
return
window.open(url, '_blank', 'noopener,noreferrer')
},
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@packages/devtools/client/setup/client-rpc.ts` around lines 43 - 45, The
openUrl client RPC (function openUrl) currently calls window.open(url, '_blank')
with no validation, allowing arbitrary-URL injection when broadcast; fix by
validating and sanitizing the incoming URL before opening: parse the url string
(new URL(url) in a try/catch), ensure the protocol is either "https:" (and
optionally "http:" if acceptable), and optionally check against a small
whitelist of allowed hostnames or same-origin rules; if validation fails, do not
call window.open and instead call console.warn or log the rejected URL; update
the openUrl handler to perform this validation and only call window.open for
validated URLs.

Comment on lines +222 to +225
if (editor === 'antigravity') {
ctx.rpc.broadcast.openUrl(`https://antigravity.google/open?file=${path}${suffix}`)
return true
}

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

File path is not URL-encoded — paths with spaces or special characters will generate broken URLs.

path is an absolute OS path (e.g., /home/john/my projects/src/App.vue) and suffix contains colons (e.g., :10:5). Neither is encoded before being spliced into the query string, so:

  • A space in any directory name produces an invalid URL (space is not a legal query-string character).
  • Characters like #, &, and ? in a path fragment or break the query string.
  • Windows paths with backslashes pass through unescaped.
🐛 Proposed fix
-          ctx.rpc.broadcast.openUrl(`https://antigravity.google/open?file=${path}${suffix}`)
+          ctx.rpc.broadcast.openUrl(`https://antigravity.google/open?file=${encodeURIComponent(path + suffix)}`)
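Review bot: `encodeURIComponent(path + suffix)` on the added line percent-encodes backslashes as `%5C` but does not normalise them, although the bullet list above names Windows paths as a problem. It also folds the `:line:column` suffix into the `file` value, so confirm the receiving side decodes the parameter as a whole and still splits the suffix off; if it expects forward slashes, normalise `path` before encoding.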
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
if (editor === 'antigravity') {
ctx.rpc.broadcast.openUrl(`https://antigravity.google/open?file=${path}${suffix}`)
return true
}
if (editor === 'antigravity') {
ctx.rpc.broadcast.openUrl(`https://antigravity.google/open?file=${encodeURIComponent(path + suffix)}`)
return true
}
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@packages/devtools/src/server-rpc/general.ts` around lines 222 - 225, The URL
built in the antigravity branch uses raw path and suffix which breaks for
spaces, backslashes and special characters; update the branch where editor ===
'antigravity' to URL-encode both path and suffix before calling
ctx.rpc.broadcast.openUrl (e.g., normalize Windows backslashes to forward
slashes on path, then apply encodeURIComponent to the path and to suffix) and
use those encoded values when constructing the query string so openUrl receives
a safe, valid URL.
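
The two fixes discussed in this review, combined as an added example (not code from the PR or from Nuxt DevTools): the server encodes the file value, and the client parses and allowlists the URL before opening it. The names `buildOpenUrl`, `checkOpenUrl`, `ALLOWED_HOSTS` and the sample inputs are assumptions; the host and URL shape are the ones quoted above.

```javascript
// Added example, not code from the PR. The host allowlist and the function
// names are assumptions; the URL shape is the one quoted in the review.
const ALLOWED_HOSTS = new Set(['antigravity.google'])

// Server side: encode the whole "path:line:column" value as one query parameter.
function buildOpenUrl(path, suffix = '') {
  return `https://antigravity.google/open?file=${encodeURIComponent(path + suffix)}`
}

// Client side: return a normalised URL that is safe to open, or null.
function checkOpenUrl(raw) {
  let url
  try {
    url = new URL(raw)
  }
  catch {
    return null // not an absolute URL
  }
  if (url.protocol !== 'https:')
    return null // rejects http:, javascript:, data:, file: ...
  if (url.username || url.password)
    return null // rejects https://trusted-looking@other-host/
  if (!ALLOWED_HOSTS.has(url.hostname))
    return null // exact match, so look-alike suffix hosts fail too
  return url.href
}

// How the openUrl handler would use it in a browser (window is absent in Node).
function openUrl(raw, open = globalThis.window?.open) {
  const safe = checkOpenUrl(raw)
  if (!safe) {
    console.warn('[devtools] refused to open URL:', raw)
    return false
  }
  open?.(safe, '_blank', 'noopener,noreferrer')
  return true
}

// Constructed sample inputs.
const SAMPLES = [
  buildOpenUrl('/home/john/my projects/src/App.vue', ':10:5'),
  'https://attacker.example/phish',
  'https://antigravity.google@attacker.example/phish',
  'http://antigravity.google/open?file=x',
  'javascript:alert(1)',
]
for (const s of SAMPLES)
  console.log(checkOpenUrl(s) ? 'open  ' : 'reject', s)
```

The userinfo sample passes a `startsWith('https://')` test and a naive host-prefix test, but fails here because the parsed `hostname` is compared exactly.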

Development

Successfully merging this pull request may close these issues.

feat: add Google Antigravity to supported editors list
