@xh/hoist 75.0.0-SNAPSHOT.1753720955374 → 75.0.0-SNAPSHOT.1753726213836

package/CHANGELOG.md

@@ -37,6 +37,10 @@
 
 ### ⚙️ Technical
 
+* WebSockets are now enabled by default for client apps, as they have been on the server since Hoist
+  Core v20.2. Maintaining a WebSocket connection back to the Hoist server enables useful Admin
+  Console functionality and is recommended, but clients that must disable WebSockets can do so via
+  `AppSpec.disableWebSockets`. Note `AppSpec.enableWebSockets` is deprecated and can be removed.
 * Hoist now sets a reference to an app's singleton `AuthModel` on a static `instance` property of
   the app-specified class. App developers can declare a typed static `instance` property on their
   model class and use it to access the singleton with its proper type, vs. `XH.authModel`.

package/build/types/core/AppSpec.d.ts

@@ -1,85 +1,103 @@
-import { HoistAppModel, HoistAuthModel, ElementFactory, HoistProps } from '@xh/hoist/core';
+import { ElementFactory, HoistAppModel, HoistAuthModel, HoistProps } from '@xh/hoist/core';
 import { Component, ComponentClass, FunctionComponent } from 'react';
 /**
- * Specification for a client-side Hoist application.
- * Passed to XH.renderApp() to kick-off app rendering and available thereafter as `XH.appSpec`.
+ * Spec for a client-side Hoist application. A config matching this class's shape is provided
+ * to {@link XHApi.renderApp} to kick-off app rendering and is available thereafter as `XH.appSpec`.
  */
 export declare class AppSpec<T extends HoistAppModel = HoistAppModel> {
+    /**
+     * AuthModel class for the application. Note this is a reference to the class itself, not an
+     * instance, and must extend {@link HoistAuthModel}. If not provided, Hoist will fallback to
+     * the superclass implementation, but note that class would only be suitable for fully
+     * transparent SSO based solutions such as NTLM. Common patterns such as OAuth will require an
+     * extended implementation.
+     */
+    authModelClass?: new () => HoistAuthModel;
+    /**
+     * Method for determining if user may access the app. If a string, will be interpreted as the
+     * role required for basic UI access. Return false to show a generated lockout message, or use
+     * the object form to provide a custom message.
+     */
+    checkAccess: string | ((user: object) => boolean | {
+        hasAccess: boolean;
+        message: string;
+    });
     /**
      *  Short code for this particular JS client application.
+     *
      *  Will default to the `appCode` specified within the project's Webpack config, but can be
      *  set to a more specific value (e.g. 'myAppMobile') to identify the client app in common
-     *  code or configs.
+     *  code or configs that support distinct settings for different client apps.
      */
     clientAppCode?: string;
     /**
      * Display name for this particular JS client application.
+     *
      * As with `clientAppCode` above, this will default to the global `appName` specified by
      * the project's Webpack config, but can be set here to a more specific value (e.g.
      * 'MyApp Mobile').
      */
     clientAppName?: string;
     /**
-     * Root Model class for the application. Note this is a reference to the class itself, not an
-     * instance, and must extend {@link HoistAppModel}.
-     */
-    modelClass: new () => T;
-    /**
-     * AuthModel class for the application.  Note this is a reference to the class itself, not an
-     * instance, and must extend {@link HoistAuthModel}.
-     */
-    authModelClass?: new () => HoistAuthModel;
-    /**
-     * Root HoistComponent for the application. Despite the name, functional components are fully
-     * supported and expected.
+     * Root HoistComponent for the application.
+     * Despite the name, functional components are fully supported and expected.
      */
     componentClass: ComponentClass<HoistProps> | FunctionComponent<HoistProps>;
     /**
      * Container component to be used to host this application.
-     * This class determines the platform used by Hoist. The value should be imported from
+     *
+     * This class determines the platform used by Hoist - almost all apps will import and specify
      * either `@xh/hoist/desktop/AppContainer` or `@xh/hoist/mobile/AppContainer`.
      */
     containerClass: ComponentClass<HoistProps> | FunctionComponent<HoistProps>;
-    /** True if the app should use the Hoist mobile toolkit.*/
-    isMobileApp: boolean;
-    /** True to show a login form on initialization when not authenticated. (default false) */
-    enableLoginForm?: boolean;
     /**
-     * True to show logout options in the app, for apps with auth schemes that can support this
-     * operation (e.g. OAuth). (default false)
+     * True to disable Hoist's built-in WebSocket support for this client app. Even if the app
+     * itself is not using WebSockets for business data, the Hoist Admin Console's "Clients" tab and
+     * related functionality benefit from having them enabled, so disable only if there is a good
+     * reason to do so.
      */
-    enableLogout?: boolean;
+    disableWebSockets?: boolean;
     /**
-     * Method for determining if user may access the app.
-     * If a string, will be interpreted as the role required for basic UI access.
+     * True to disable Field-level XSS protection by default across all Stores/Fields in the app.
+     * For use with secure, internal apps that do not display arbitrary/external user input and
+     * have tight performance tolerances and/or load very large record sets.
+     * @see FieldSpec.disableXssProtection
      */
-    checkAccess: string | ((user: object) => boolean | {
-        hasAccess: boolean;
-        message: string;
-    });
+    disableXssProtection?: boolean;
     /**
-     *  Write a track log statement after the app has loaded and fully initialized?
-     *  Message will include elapsed time of asset loading and init.
+     * True to show a login form on initialization when not authenticated. Default is `false` as
+     * most Hoist applications are expected to use OAuth or SSO for authn.
      */
-    trackAppLoad?: boolean;
-    /** True to enable Hoist websocket connectivity. (default false) */
-    webSocketsEnabled?: boolean;
+    enableLoginForm?: boolean;
     /**
-     * Optional custom Component to display when App has been suspended. The component will
-     * receive a single prop -- onReactivate -- a callback called when the user has acknowledged
+     * True to show logout options in the app, for apps with auth schemes that can support this
+     * operation (e.g. OAuth). Default is `false` as most Hoist applications are expected to use
+     * SSO or to run in internal environments where logout is not required / typical.
+     */
+    enableLogout?: boolean;
+    /**
+     * Optional custom Component to display when the app has been suspended. The component will
+     * receive a single `onReactivate` prop, a no-arg callback fired when the user has acknowledged
      * the suspension and wishes to reload the app.
      */
     idlePanel?: ElementFactory | FunctionComponent | Component;
+    /** True if the app should use the Hoist mobile toolkit.*/
+    isMobileApp: boolean;
     /**
      * Optional custom Component to display when the user is denied access to app. Intended for
      * apps that implement custom auth flows. See also `lockoutMessage` for a more lightweight
      * customization option.
      */
     lockoutPanel?: ElementFactory | FunctionComponent | Component;
-    /** Optional message to show on login form (see showLoginForm). */
-    loginMessage?: string;
     /** Optional message to show users when denied access to app. */
     lockoutMessage?: string;
+    /** Optional message to show on login form, if `showLoginForm: true`. */
+    loginMessage?: string;
+    /**
+     * Root Model class for the application. Note this is a reference to the class itself, not an
+     * instance, and must extend {@link HoistAppModel}.
+     */
+    modelClass: new () => T;
     /**
      * True to show the built-in browser context menu when no app-specific menu would be shown
      * (e.g. from a Grid). False (the default) prevents the browser menu from being shown anywhere
@@ -87,30 +105,31 @@ export declare class AppSpec<T extends HoistAppModel = HoistAppModel> {
      */
     showBrowserContextMenu?: boolean;
     /**
-     * True to disable Field-level XSS protection by default across all Stores/Fields in the app.
-     * For use with secure, internal apps that do not display arbitrary/external user input and
-     * have tight performance tolerances and/or load very large record sets.
-     * @see FieldConfig.disableXssProtection
+     *  True (default) to write a track log statement after the app has loaded and fully
+     *  initialized, including a breakdown of elapsed time throughout the init process.
      */
-    disableXssProtection?: boolean;
-    constructor({ clientAppCode, clientAppName, modelClass, componentClass, containerClass, authModelClass, isMobileApp, checkAccess, enableLoginForm, enableLogout, trackAppLoad, webSocketsEnabled, idlePanel, lockoutPanel, loginMessage, lockoutMessage, showBrowserContextMenu, disableXssProtection }: {
+    trackAppLoad?: boolean;
+    /** @deprecated - use {@link AppSpec.disableWebSockets} instead. */
+    webSocketsEnabled?: boolean;
+    constructor({ authModelClass, checkAccess, clientAppCode, clientAppName, componentClass, containerClass, disableWebSockets, disableXssProtection, enableLoginForm, enableLogout, idlePanel, isMobileApp, lockoutMessage, lockoutPanel, loginMessage, modelClass, showBrowserContextMenu, trackAppLoad, webSocketsEnabled }: {
+        authModelClass?: typeof HoistAuthModel;
+        checkAccess: any;
         clientAppCode?: string;
         clientAppName?: string;
-        modelClass: any;
         componentClass: any;
         containerClass: any;
-        authModelClass?: typeof HoistAuthModel;
-        isMobileApp: any;
-        checkAccess: any;
+        disableWebSockets?: boolean;
+        disableXssProtection?: boolean;
         enableLoginForm?: boolean;
         enableLogout?: boolean;
-        trackAppLoad?: boolean;
-        webSocketsEnabled?: boolean;
         idlePanel?: any;
+        isMobileApp: any;
+        lockoutMessage?: any;
         lockoutPanel?: any;
         loginMessage?: any;
-        lockoutMessage?: any;
+        modelClass: any;
         showBrowserContextMenu?: boolean;
-        disableXssProtection?: boolean;
+        trackAppLoad?: boolean;
+        webSocketsEnabled: any;
     });
 }

package/build/types/core/HoistAuthModel.d.ts

@@ -2,13 +2,13 @@ import { HoistModel, PlainObject } from './';
 /**
  *  Base class for managing authentication lifecycle.
  *
- *  Hoist will consult this model early in  the initialization sequence, prior to full Hoist
+ *  Hoist will consult this model early in the initialization sequence, prior to full Hoist
  *  initialization. This means that several core services (identity, configs, prefs) will *not* be
  *  available, but it provides the app a hook to do early service initialization or other work to
  *  support flows such as OAuth.
  *
  *  The base implementation of this class is minimal and would be adequate only for fully
- *  transparent SSO based solutions such as NTLM.  Applications wishing to provide custom
+ *  transparent SSO based solutions such as NTLM. Applications wishing to provide custom
  *  authentication should spec an extended version of this class in the {@link AppSpec} passed to
  *  {@link XHApi#renderApp}.
  */

package/build/types/svc/WebSocketService.d.ts

@@ -24,14 +24,14 @@ import { HoistService, PlainObject } from '@xh/hoist/core';
  */
 export declare class WebSocketService extends HoistService {
     static instance: WebSocketService;
-    readonly HEARTBEAT_TOPIC = "xhHeartbeat";
     /** Check connection and send a new heartbeat (which should be promptly ack'd) every 10s. */
+    readonly HEARTBEAT_TOPIC = "xhHeartbeat";
     readonly HEARTBEAT_INTERVAL: number;
     readonly REG_SUCCESS_TOPIC = "xhRegistrationSuccess";
     readonly FORCE_APP_SUSPEND_TOPIC = "xhForceAppSuspend";
     readonly REQ_CLIENT_HEALTH_RPT_TOPIC = "xhRequestClientHealthReport";
     readonly METADATA_FOR_HANDSHAKE: string[];
-    /** True if WebSockets generally enabled - set statically in code via {@link AppSpec}. */
+    /** True if WebSockets not explicitly disabled via {@link AppSpec.disableWebSockets}. */
     enabled: boolean;
     /** Unique channel assigned by server upon successful connection. */
     channelKey: string;

package/core/AppSpec.ts

@@ -4,26 +4,44 @@
  *
  * Copyright © 2025 Extremely Heavy Industries Inc.
  */
-import {XH, HoistAppModel, HoistAuthModel, ElementFactory, HoistProps} from '@xh/hoist/core';
-import {throwIf} from '@xh/hoist/utils/js';
-import {isFunction, isNil, isString} from 'lodash';
+import {ElementFactory, HoistAppModel, HoistAuthModel, HoistProps, XH} from '@xh/hoist/core';
+import {apiDeprecated, throwIf} from '@xh/hoist/utils/js';
+import {isFunction, isNil, isString, isUndefined} from 'lodash';
 import {Component, ComponentClass, FunctionComponent} from 'react';
 
 /**
- * Specification for a client-side Hoist application.
- * Passed to XH.renderApp() to kick-off app rendering and available thereafter as `XH.appSpec`.
+ * Spec for a client-side Hoist application. A config matching this class's shape is provided
+ * to {@link XHApi.renderApp} to kick-off app rendering and is available thereafter as `XH.appSpec`.
  */
 export class AppSpec<T extends HoistAppModel = HoistAppModel> {
+    /**
+     * AuthModel class for the application. Note this is a reference to the class itself, not an
+     * instance, and must extend {@link HoistAuthModel}. If not provided, Hoist will fallback to
+     * the superclass implementation, but note that class would only be suitable for fully
+     * transparent SSO based solutions such as NTLM. Common patterns such as OAuth will require an
+     * extended implementation.
+     */
+    authModelClass?: new () => HoistAuthModel;
+
+    /**
+     * Method for determining if user may access the app. If a string, will be interpreted as the
+     * role required for basic UI access. Return false to show a generated lockout message, or use
+     * the object form to provide a custom message.
+     */
+    checkAccess: string | ((user: object) => boolean | {hasAccess: boolean; message: string});
+
     /**
      *  Short code for this particular JS client application.
+     *
      *  Will default to the `appCode` specified within the project's Webpack config, but can be
      *  set to a more specific value (e.g. 'myAppMobile') to identify the client app in common
-     *  code or configs.
+     *  code or configs that support distinct settings for different client apps.
      */
     clientAppCode?: string;
 
     /**
      * Display name for this particular JS client application.
+     *
      * As with `clientAppCode` above, this will default to the global `appName` specified by
      * the project's Webpack config, but can be set here to a more specific value (e.g.
      * 'MyApp Mobile').
@@ -31,64 +49,58 @@ export class AppSpec<T extends HoistAppModel = HoistAppModel> {
     clientAppName?: string;
 
     /**
-     * Root Model class for the application. Note this is a reference to the class itself, not an
-     * instance, and must extend {@link HoistAppModel}.
-     */
-    modelClass: new () => T;
-
-    /**
-     * AuthModel class for the application.  Note this is a reference to the class itself, not an
-     * instance, and must extend {@link HoistAuthModel}.
-     */
-    authModelClass?: new () => HoistAuthModel;
-
-    /**
-     * Root HoistComponent for the application. Despite the name, functional components are fully
-     * supported and expected.
+     * Root HoistComponent for the application.
+     * Despite the name, functional components are fully supported and expected.
      */
     componentClass: ComponentClass<HoistProps> | FunctionComponent<HoistProps>;
 
     /**
      * Container component to be used to host this application.
-     * This class determines the platform used by Hoist. The value should be imported from
+     *
+     * This class determines the platform used by Hoist - almost all apps will import and specify
      * either `@xh/hoist/desktop/AppContainer` or `@xh/hoist/mobile/AppContainer`.
      */
     containerClass: ComponentClass<HoistProps> | FunctionComponent<HoistProps>;
 
-    /** True if the app should use the Hoist mobile toolkit.*/
-    isMobileApp: boolean;
-
-    /** True to show a login form on initialization when not authenticated. (default false) */
-    enableLoginForm?: boolean;
-
     /**
-     * True to show logout options in the app, for apps with auth schemes that can support this
-     * operation (e.g. OAuth). (default false)
+     * True to disable Hoist's built-in WebSocket support for this client app. Even if the app
+     * itself is not using WebSockets for business data, the Hoist Admin Console's "Clients" tab and
+     * related functionality benefit from having them enabled, so disable only if there is a good
+     * reason to do so.
      */
-    enableLogout?: boolean;
+    disableWebSockets?: boolean;
 
     /**
-     * Method for determining if user may access the app.
-     * If a string, will be interpreted as the role required for basic UI access.
+     * True to disable Field-level XSS protection by default across all Stores/Fields in the app.
+     * For use with secure, internal apps that do not display arbitrary/external user input and
+     * have tight performance tolerances and/or load very large record sets.
+     * @see FieldSpec.disableXssProtection
      */
-    checkAccess: string | ((user: object) => boolean | {hasAccess: boolean; message: string});
+    disableXssProtection?: boolean;
 
     /**
-     *  Write a track log statement after the app has loaded and fully initialized?
-     *  Message will include elapsed time of asset loading and init.
+     * True to show a login form on initialization when not authenticated. Default is `false` as
+     * most Hoist applications are expected to use OAuth or SSO for authn.
      */
-    trackAppLoad?: boolean;
+    enableLoginForm?: boolean;
 
-    /** True to enable Hoist websocket connectivity. (default false) */
-    webSocketsEnabled?: boolean;
+    /**
+     * True to show logout options in the app, for apps with auth schemes that can support this
+     * operation (e.g. OAuth). Default is `false` as most Hoist applications are expected to use
+     * SSO or to run in internal environments where logout is not required / typical.
+     */
+    enableLogout?: boolean;
 
     /**
-     * Optional custom Component to display when App has been suspended. The component will
-     * receive a single prop -- onReactivate -- a callback called when the user has acknowledged
+     * Optional custom Component to display when the app has been suspended. The component will
+     * receive a single `onReactivate` prop, a no-arg callback fired when the user has acknowledged
      * the suspension and wishes to reload the app.
      */
     idlePanel?: ElementFactory | FunctionComponent | Component;
 
+    /** True if the app should use the Hoist mobile toolkit.*/
+    isMobileApp: boolean;
+
     /**
      * Optional custom Component to display when the user is denied access to app. Intended for
      * apps that implement custom auth flows. See also `lockoutMessage` for a more lightweight
@@ -96,12 +108,18 @@ export class AppSpec<T extends HoistAppModel = HoistAppModel> {
      */
     lockoutPanel?: ElementFactory | FunctionComponent | Component;
 
-    /** Optional message to show on login form (see showLoginForm). */
-    loginMessage?: string;
-
     /** Optional message to show users when denied access to app. */
     lockoutMessage?: string;
 
+    /** Optional message to show on login form, if `showLoginForm: true`. */
+    loginMessage?: string;
+
+    /**
+     * Root Model class for the application. Note this is a reference to the class itself, not an
+     * instance, and must extend {@link HoistAppModel}.
+     */
+    modelClass: new () => T;
+
     /**
      * True to show the built-in browser context menu when no app-specific menu would be shown
      * (e.g. from a Grid). False (the default) prevents the browser menu from being shown anywhere
@@ -110,67 +128,80 @@ export class AppSpec<T extends HoistAppModel = HoistAppModel> {
     showBrowserContextMenu?: boolean;
 
     /**
-     * True to disable Field-level XSS protection by default across all Stores/Fields in the app.
-     * For use with secure, internal apps that do not display arbitrary/external user input and
-     * have tight performance tolerances and/or load very large record sets.
-     * @see FieldConfig.disableXssProtection
+     *  True (default) to write a track log statement after the app has loaded and fully
+     *  initialized, including a breakdown of elapsed time throughout the init process.
      */
-    disableXssProtection?: boolean;
+    trackAppLoad?: boolean;
+
+    /** @deprecated - use {@link AppSpec.disableWebSockets} instead. */
+    webSocketsEnabled?: boolean;
 
     constructor({
+        authModelClass = HoistAuthModel,
+        checkAccess,
         clientAppCode = XH.appCode,
         clientAppName = XH.appName,
-        modelClass,
         componentClass,
         containerClass,
-        authModelClass = HoistAuthModel,
-        isMobileApp,
-        checkAccess,
+        disableWebSockets = false,
+        disableXssProtection = false,
         enableLoginForm = false,
         enableLogout = false,
-        trackAppLoad = true,
-        webSocketsEnabled = false,
         idlePanel = null,
+        isMobileApp,
+        lockoutMessage = null,
         lockoutPanel = null,
         loginMessage = null,
-        lockoutMessage = null,
+        modelClass,
         showBrowserContextMenu = false,
-        disableXssProtection = false
+        trackAppLoad = true,
+        webSocketsEnabled
     }) {
-        throwIf(!modelClass, 'A Hoist App must define a modelClass.');
         throwIf(!componentClass, 'A Hoist App must define a componentClass');
-        throwIf(isNil(isMobileApp), 'A Hoist App must define isMobileApp');
+
         throwIf(
             !containerClass,
-            `Please import and provide containerClass from "@xh/hoist/${
-                isMobileApp ? 'mobile' : 'desktop'
-            }/AppContainer".`
+            `Please import and provide containerClass from "@xh/hoist/${isMobileApp ? 'mobile' : 'desktop'}/AppContainer".`
         );
 
+        throwIf(!modelClass, 'A Hoist App must define a modelClass.');
+
+        throwIf(isNil(isMobileApp), 'A Hoist App must define isMobileApp');
+
         throwIf(
             !isString(checkAccess) && !isFunction(checkAccess),
             'A Hoist App must specify a required role string or a function for checkAccess.'
         );
 
+        if (!isUndefined(webSocketsEnabled)) {
+            let msg: string;
+            if (webSocketsEnabled === false) {
+                disableWebSockets = true;
+                msg = `Specify disableWebSockets: true to continue actively disabling WebSockets if required.`;
+            } else {
+                msg = `WebSockets are now enabled by default - this property can be safely removed from your appSpec.`;
+            }
+            apiDeprecated('webSocketsEnabled', {msg, v: 'v78'});
+        }
+
+        this.authModelClass = authModelClass;
+        this.checkAccess = checkAccess;
         this.clientAppCode = clientAppCode;
         this.clientAppName = clientAppName;
-
-        this.modelClass = modelClass;
         this.componentClass = componentClass;
         this.containerClass = containerClass;
-        this.authModelClass = authModelClass;
-        this.isMobileApp = isMobileApp;
-        this.checkAccess = checkAccess;
-
-        this.trackAppLoad = trackAppLoad;
-        this.webSocketsEnabled = webSocketsEnabled;
+        this.disableWebSockets = disableWebSockets;
+        this.disableXssProtection = disableXssProtection;
+        this.enableLoginForm = enableLoginForm;
+        this.enableLogout = enableLogout;
         this.idlePanel = idlePanel;
+        this.isMobileApp = isMobileApp;
+        this.lockoutMessage = lockoutMessage;
         this.lockoutPanel = lockoutPanel;
-        this.enableLogout = enableLogout;
-        this.enableLoginForm = enableLoginForm;
         this.loginMessage = loginMessage;
-        this.lockoutMessage = lockoutMessage;
+        this.modelClass = modelClass;
         this.showBrowserContextMenu = showBrowserContextMenu;
-        this.disableXssProtection = disableXssProtection;
+        this.trackAppLoad = trackAppLoad;
+        this.webSocketsEnabled = !disableWebSockets;
     }
 }

package/core/HoistAuthModel.ts

@@ -9,13 +9,13 @@ import {HoistModel, PlainObject, XH} from './';
 /**
  *  Base class for managing authentication lifecycle.
  *
- *  Hoist will consult this model early in  the initialization sequence, prior to full Hoist
+ *  Hoist will consult this model early in the initialization sequence, prior to full Hoist
  *  initialization. This means that several core services (identity, configs, prefs) will *not* be
  *  available, but it provides the app a hook to do early service initialization or other work to
  *  support flows such as OAuth.
  *
  *  The base implementation of this class is minimal and would be adequate only for fully
- *  transparent SSO based solutions such as NTLM.  Applications wishing to provide custom
+ *  transparent SSO based solutions such as NTLM. Applications wishing to provide custom
  *  authentication should spec an extended version of this class in the {@link AppSpec} passed to
  *  {@link XHApi#renderApp}.
  */

package/core/XH.ts

@@ -386,7 +386,6 @@ export class XHApi {
             clientAppCode: 'admin',
             clientAppName: `${this.appName} Admin`,
             isMobileApp: false,
-            webSocketsEnabled: true,
             checkAccess: 'HOIST_ADMIN_READER',
             ...appSpec
         });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@xh/hoist",
-  "version": "75.0.0-SNAPSHOT.1753720955374",
+  "version": "75.0.0-SNAPSHOT.1753726213836",
   "description": "Hoist add-on for building and deploying React Applications.",
   "repository": "github:xh/hoist-react",
   "homepage": "https://xh.io",

package/svc/WebSocketService.ts

@@ -38,8 +38,8 @@ import {find, pull} from 'lodash';
 export class WebSocketService extends HoistService {
     static instance: WebSocketService;
 
-    readonly HEARTBEAT_TOPIC = 'xhHeartbeat';
     /** Check connection and send a new heartbeat (which should be promptly ack'd) every 10s. */
+    readonly HEARTBEAT_TOPIC = 'xhHeartbeat';
     readonly HEARTBEAT_INTERVAL = 10 * SECONDS;
 
     readonly REG_SUCCESS_TOPIC = 'xhRegistrationSuccess';
@@ -47,8 +47,8 @@ export class WebSocketService extends HoistService {
     readonly REQ_CLIENT_HEALTH_RPT_TOPIC = 'xhRequestClientHealthReport';
     readonly METADATA_FOR_HANDSHAKE = ['appVersion', 'appBuild', 'loadId', 'tabId'];
 
-    /** True if WebSockets generally enabled - set statically in code via {@link AppSpec}. */
-    enabled: boolean = XH.appSpec.webSocketsEnabled;
+    /** True if WebSockets not explicitly disabled via {@link AppSpec.disableWebSockets}. */
+    enabled: boolean = !XH.appSpec.disableWebSockets;
 
     /** Unique channel assigned by server upon successful connection. */
     @observable channelKey: string = null;
@@ -84,7 +84,7 @@ export class WebSocketService extends HoistService {
         const {environmentService} = XH;
         if (environmentService.get('webSocketsEnabled') === false) {
             this.logError(
-                `WebSockets enabled on this client app but disabled on server. Adjust your server-side config.`
+                `WebSockets enabled on this client app but disabled on server - unexpected! WebSockets will not be available, review and reconcile your server configuration.`
             );
             this.enabled = false;
             return;