@agentuity/cli 0.1.42 → 0.1.44

package/src/cli.ts

@@ -1198,9 +1198,12 @@ async function registerSubcommand(
 						// Recreate apiClient with auth credentials
 						ctx.apiClient = createAPIClient(baseCtx, ctx.config as Config | null);
 					}
+					// Auto-select org when --confirm flag is used
+					const autoSelectOrg = options.confirm === true;
 					if (normalized.requiresOrg) {
 						ctx.orgId = await requireOrg(
-							ctx as CommandContext & { apiClient: APIClientType }
+							ctx as CommandContext & { apiClient: APIClientType },
+							autoSelectOrg
 						);
 					}
 					// Skip org handling if --no-register is set (org only needed for registration)
@@ -1212,7 +1215,8 @@ async function registerSubcommand(
 
 					if (normalized.optionalOrg && ctx.auth && !skipOrg) {
 						ctx.orgId = await selectOptionalOrg(
-							ctx as CommandContext & { apiClient: APIClientType }
+							ctx as CommandContext & { apiClient: APIClientType },
+							autoSelectOrg
 						);
 					}
 					// Skip region handling if --no-register is set (region only needed for registration)
@@ -1302,8 +1306,13 @@ async function registerSubcommand(
 					// Recreate apiClient with auth credentials
 					ctx.apiClient = createAPIClient(baseCtx, ctx.config as Config | null);
 				}
+				// Auto-select org when --confirm flag is used
+				const autoSelectOrg2 = options.confirm === true;
 				if (normalized.requiresOrg) {
-					ctx.orgId = await requireOrg(ctx as CommandContext & { apiClient: APIClientType });
+					ctx.orgId = await requireOrg(
+						ctx as CommandContext & { apiClient: APIClientType },
+						autoSelectOrg2
+					);
 				}
 				// Skip org handling if --no-register is set (org only needed for registration)
 				const skipOrg =
@@ -1314,7 +1323,8 @@ async function registerSubcommand(
 
 				if (normalized.optionalOrg && ctx.auth && !skipOrg) {
 					ctx.orgId = await selectOptionalOrg(
-						ctx as CommandContext & { apiClient: APIClientType }
+						ctx as CommandContext & { apiClient: APIClientType },
+						autoSelectOrg2
 					);
 				}
 				// Skip region handling if --no-register is set (region only needed for registration)
@@ -1454,9 +1464,12 @@ async function registerSubcommand(
 						!!ctx.apiClient,
 						!!auth
 					);
+					// Auto-select org when --confirm flag is used
+					const autoSelectOrg3 = options.confirm === true;
 					if (normalized.requiresOrg && ctx.apiClient) {
 						ctx.orgId = await requireOrg(
-							ctx as CommandContext & { apiClient: APIClientType }
+							ctx as CommandContext & { apiClient: APIClientType },
+							autoSelectOrg3
 						);
 					}
 					// Skip org handling if --no-register is set (org only needed for registration)
@@ -1468,7 +1481,8 @@ async function registerSubcommand(
 
 					if (normalized.optionalOrg && ctx.apiClient && auth && !skipOrg) {
 						ctx.orgId = await selectOptionalOrg(
-							ctx as CommandContext & { apiClient?: APIClientType; auth?: AuthData }
+							ctx as CommandContext & { apiClient?: APIClientType; auth?: AuthData },
+							autoSelectOrg3
 						);
 						baseCtx.logger.trace('selected orgId: %s', ctx.orgId);
 					}
@@ -1551,8 +1565,13 @@ async function registerSubcommand(
 					// Recreate apiClient with auth credentials if auth was provided
 					ctx.apiClient = createAPIClient(baseCtx, ctx.config as Config | null);
 				}
+				// Auto-select org when --confirm flag is used
+				const autoSelectOrg4 = options.confirm === true;
 				if (normalized.requiresOrg && ctx.apiClient) {
-					ctx.orgId = await requireOrg(ctx as CommandContext & { apiClient: APIClientType });
+					ctx.orgId = await requireOrg(
+						ctx as CommandContext & { apiClient: APIClientType },
+						autoSelectOrg4
+					);
 				}
 				// Skip org handling if --no-register is set (org only needed for registration)
 				// For non-schema commands, check options directly (Commander passes all options)
@@ -1563,7 +1582,8 @@ async function registerSubcommand(
 
 				if (normalized.optionalOrg && ctx.apiClient && !skipOrg) {
 					ctx.orgId = await selectOptionalOrg(
-						ctx as CommandContext & { apiClient?: APIClientType; auth?: AuthData }
+						ctx as CommandContext & { apiClient?: APIClientType; auth?: AuthData },
+						autoSelectOrg4
 					);
 				}
 				// Skip region handling if --no-register is set (region only needed for registration)
@@ -1656,14 +1676,18 @@ async function registerSubcommand(
 					if (normalized.requiresAPIClient && !ctx.apiClient) {
 						ctx.apiClient = createAPIClient(baseCtx, ctx.config as Config | null);
 					}
+					// Auto-select org when --confirm flag is used
+					const autoSelectOrg5 = options.confirm === true;
 					if (normalized.requiresOrg && ctx.apiClient) {
 						ctx.orgId = await requireOrg(
-							ctx as CommandContext & { apiClient: APIClientType }
+							ctx as CommandContext & { apiClient: APIClientType },
+							autoSelectOrg5
 						);
 					}
 					if (normalized.optionalOrg && ctx.apiClient && ctx.auth) {
 						ctx.orgId = await requireOrg(
-							ctx as CommandContext & { apiClient: APIClientType }
+							ctx as CommandContext & { apiClient: APIClientType },
+							autoSelectOrg5
 						);
 					}
 					await executeOrValidate(
@@ -1697,11 +1721,19 @@ async function registerSubcommand(
 				if (normalized.requiresAPIClient && !ctx.apiClient) {
 					ctx.apiClient = createAPIClient(baseCtx, ctx.config as Config | null);
 				}
+				// Auto-select org when --confirm flag is used
+				const autoSelectOrg6 = options.confirm === true;
 				if (normalized.requiresOrg && ctx.apiClient) {
-					ctx.orgId = await requireOrg(ctx as CommandContext & { apiClient: APIClientType });
+					ctx.orgId = await requireOrg(
+						ctx as CommandContext & { apiClient: APIClientType },
+						autoSelectOrg6
+					);
 				}
 				if (normalized.optionalOrg && ctx.apiClient && ctx.auth) {
-					ctx.orgId = await requireOrg(ctx as CommandContext & { apiClient: APIClientType });
+					ctx.orgId = await requireOrg(
+						ctx as CommandContext & { apiClient: APIClientType },
+						autoSelectOrg6
+					);
 				}
 				if ((normalized.requiresRegion || normalized.optionalRegion) && ctx.apiClient) {
 					const apiClient: APIClientType = ctx.apiClient as APIClientType;

package/src/cmd/build/entry-generator.ts

@@ -154,10 +154,11 @@ if (hasWorkbench) {
 if (isDevelopment() && process.env.VITE_PORT) {
 	const VITE_ASSET_PORT = parseInt(process.env.VITE_PORT, 10);
 
-	const proxyToVite = async (c: Context) => {
-		const viteUrl = \`http://127.0.0.1:\${VITE_ASSET_PORT}\${c.req.path}\`;
+	const proxyToVite = async (c: Context, pathOverride?: string) => {
+		const targetPath = pathOverride ?? c.req.path;
+		const viteUrl = \`http://127.0.0.1:\${VITE_ASSET_PORT}\${targetPath}\`;
 		try {
-			otel.logger.debug(\`[Proxy] \${c.req.method} \${c.req.path} -> Vite:\${VITE_ASSET_PORT}\`);
+			otel.logger.debug(\`[Proxy] \${c.req.method} \${c.req.path} -> Vite:\${VITE_ASSET_PORT}\${targetPath}\`);
 			const res = await fetch(viteUrl, { signal: AbortSignal.timeout(10000) });
 			otel.logger.debug(\`[Proxy] \${c.req.path} -> \${res.status} (\${res.headers.get('content-type')})\`);
 			return new Response(res.body, {
@@ -174,35 +175,144 @@ if (isDevelopment() && process.env.VITE_PORT) {
 		}
 	};
 
+	// HMR WebSocket proxy - enables hot reload through tunnels (*.agentuity.live)
+	// This proxies the Vite HMR WebSocket connection from the Bun server to Vite
+	// eslint-disable-next-line @typescript-eslint/no-explicit-any
+	const viteHmrWebsocket = (globalThis as any).__AGENTUITY_VITE_HMR_WEBSOCKET__ = {
+		// Map of client WebSocket -> Vite WebSocket
+		connections: new Map<WebSocket, WebSocket>(),
+
+		// eslint-disable-next-line @typescript-eslint/no-explicit-any
+		open(clientWs: any) {
+			// Get the query string from ws.data (set during upgrade)
+			const queryString = clientWs.data?.queryString || '';
+			const viteWsUrl = \`ws://127.0.0.1:\${VITE_ASSET_PORT}/__vite_hmr\${queryString}\`;
+			otel.logger.debug('[HMR Proxy] Client connected, opening connection to Vite at %s', viteWsUrl);
+
+			// Connect to Vite with the 'vite-hmr' subprotocol (required by Vite)
+			const viteWs = new WebSocket(viteWsUrl, ['vite-hmr']);
+
+			viteWs.onopen = () => {
+				otel.logger.debug('[HMR Proxy] Connected to Vite HMR server');
+			};
+
+			viteWs.onmessage = (event) => {
+				// Forward messages from Vite to client
+				if (clientWs.readyState === WebSocket.OPEN) {
+					clientWs.send(event.data);
+				}
+			};
+
+			viteWs.onerror = (error) => {
+				otel.logger.error('[HMR Proxy] Vite WebSocket error: %s', error);
+			};
+
+			viteWs.onclose = () => {
+				otel.logger.debug('[HMR Proxy] Vite WebSocket closed');
+				viteHmrWebsocket.connections.delete(clientWs);
+				if (clientWs.readyState === WebSocket.OPEN) {
+					clientWs.close();
+				}
+			};
+
+			viteHmrWebsocket.connections.set(clientWs, viteWs);
+		},
+
+		message(clientWs: WebSocket, message: string | Buffer) {
+			// Forward messages from client to Vite
+			const viteWs = viteHmrWebsocket.connections.get(clientWs);
+			if (viteWs && viteWs.readyState === WebSocket.OPEN) {
+				viteWs.send(message);
+			}
+		},
+
+		close(clientWs: WebSocket) {
+			otel.logger.debug('[HMR Proxy] Client WebSocket closed');
+			const viteWs = viteHmrWebsocket.connections.get(clientWs);
+			if (viteWs) {
+				viteWs.close();
+				viteHmrWebsocket.connections.delete(clientWs);
+			}
+		},
+	};
+
+	// Register HMR WebSocket route - must be before other routes
+	app.get('/__vite_hmr', (c: Context) => {
+		const upgradeHeader = c.req.header('upgrade');
+		if (upgradeHeader?.toLowerCase() === 'websocket') {
+			// Get the Bun server from context using Hono's pattern
+			// When app.fetch(req, server) is called, Hono stores server as c.env
+			// eslint-disable-next-line @typescript-eslint/no-explicit-any
+			const server = 'server' in (c.env as any) ? (c.env as any).server : c.env;
+
+			if (server?.upgrade) {
+				// Extract query string to forward to Vite (includes token parameter)
+				const url = new URL(c.req.url);
+				const queryString = url.search; // Includes the '?' prefix
+
+				// Get the requested WebSocket subprotocol (Vite uses 'vite-hmr')
+				const requestedProtocol = c.req.header('sec-websocket-protocol');
+
+				const success = server.upgrade(c.req.raw, {
+					data: { type: 'vite-hmr', queryString },
+					// Echo back the requested subprotocol so the browser accepts the connection
+					headers: requestedProtocol ? {
+						'Sec-WebSocket-Protocol': requestedProtocol,
+					} : undefined,
+				});
+				if (success) {
+					otel.logger.debug('[HMR Proxy] WebSocket upgrade successful (protocol: %s)', requestedProtocol || 'none');
+					return new Response(null);
+				}
+				otel.logger.error('[HMR Proxy] WebSocket upgrade returned false');
+			} else {
+				otel.logger.error('[HMR Proxy] Server upgrade method not available. c.env type: %s, keys: %s',
+					typeof c.env,
+					Object.keys(c.env || {}).join(', '));
+			}
+			return c.text('WebSocket upgrade failed', 500);
+		}
+		// Non-WebSocket request to HMR endpoint - proxy to Vite
+		return proxyToVite(c);
+	});
+
 	// Vite client scripts and HMR
-	app.get('/@vite/*', proxyToVite);
-	app.get('/@react-refresh', proxyToVite);
+	app.get('/@vite/*', (c: Context) => proxyToVite(c));
+	app.get('/@react-refresh', (c: Context) => proxyToVite(c));
 
 	// Source files for HMR
-	app.get('/src/web/*', proxyToVite);
-	app.get('/src/*', proxyToVite); // Catch-all for other source files
+	app.get('/src/web/*', (c: Context) => proxyToVite(c));
+	app.get('/src/*', (c: Context) => proxyToVite(c)); // Catch-all for other source files
 
 	// Workbench source files (in .agentuity/workbench-src/)
-	app.get('/.agentuity/workbench-src/*', proxyToVite);
+	app.get('/.agentuity/workbench-src/*', (c: Context) => proxyToVite(c));
 
 	// Node modules (Vite transforms these)
-	app.get('/node_modules/*', proxyToVite);
+	app.get('/node_modules/*', (c: Context) => proxyToVite(c));
 
 	// Scoped packages (e.g., @agentuity/*, @types/*)
-	app.get('/@*', proxyToVite);
+	app.get('/@*', (c: Context) => proxyToVite(c));
 
 	// File system access (for Vite's @fs protocol)
-	app.get('/@fs/*', proxyToVite);
+	app.get('/@fs/*', (c: Context) => proxyToVite(c));
 
 	// Module resolution (for Vite's @id protocol)
-	app.get('/@id/*', proxyToVite);
+	app.get('/@id/*', (c: Context) => proxyToVite(c));
+
+	// Static assets - Vite serves src/web/public/* at root, but code uses /public/* paths
+	// In production, the plugin transforms /public/foo.svg to CDN URLs
+	// Rewrite /public/foo.svg -> /foo.svg before proxying to Vite
+	app.get('/public/*', (c: Context) => {
+		const rootPath = c.req.path.replace(/^\\/public/, '');
+		return proxyToVite(c, rootPath);
+	});
 
 	// Any .js, .jsx, .ts, .tsx files (catch remaining modules)
-	app.get('/*.js', proxyToVite);
-	app.get('/*.jsx', proxyToVite);
-	app.get('/*.ts', proxyToVite);
-	app.get('/*.tsx', proxyToVite);
-	app.get('/*.css', proxyToVite);
+	app.get('/*.js', (c: Context) => proxyToVite(c));
+	app.get('/*.jsx', (c: Context) => proxyToVite(c));
+	app.get('/*.ts', (c: Context) => proxyToVite(c));
+	app.get('/*.tsx', (c: Context) => proxyToVite(c));
+	app.get('/*.css', (c: Context) => proxyToVite(c));
 }
 `;
 
@@ -358,13 +468,48 @@ if (typeof Bun !== 'undefined') {
 	enableProcessExitProtection();
 
 	const port = parseInt(process.env.PORT || '3500', 10);
+
+	// Create custom WebSocket handler that supports both regular WebSockets and HMR proxy
+	// eslint-disable-next-line @typescript-eslint/no-explicit-any
+	const hmrHandler = (globalThis as any).__AGENTUITY_VITE_HMR_WEBSOCKET__;
+	const customWebsocket = {
+		...websocket,
+		// eslint-disable-next-line @typescript-eslint/no-explicit-any
+		open(ws: any) {
+			// Check if this is an HMR connection
+			if (ws.data?.type === 'vite-hmr' && hmrHandler) {
+				hmrHandler.open(ws);
+			} else if (websocket.open) {
+				websocket.open(ws);
+			}
+		},
+		// eslint-disable-next-line @typescript-eslint/no-explicit-any
+		message(ws: any, message: string | Buffer) {
+			// Check if this is an HMR connection
+			if (ws.data?.type === 'vite-hmr' && hmrHandler) {
+				hmrHandler.message(ws, message);
+			} else if (websocket.message) {
+				websocket.message(ws, message);
+			}
+		},
+		// eslint-disable-next-line @typescript-eslint/no-explicit-any
+		close(ws: any, code?: number, reason?: string) {
+			// Check if this is an HMR connection
+			if (ws.data?.type === 'vite-hmr' && hmrHandler) {
+				hmrHandler.close(ws);
+			} else if (websocket.close) {
+				websocket.close(ws, code, reason);
+			}
+		},
+	};
+
 	const server = Bun.serve({
 		fetch: (req, server) => {
 			// Get timeout from config on each request (0 = no timeout)
 			server.timeout(req, getAppConfig()?.requestTimeout ?? 0);
 			return app.fetch(req, server);
 		},
-		websocket,
+		websocket: customWebsocket,
 		port,
 		hostname: '127.0.0.1',
 		development: isDevelopment(),

package/src/cmd/build/vite/metadata-generator.ts

@@ -370,24 +370,35 @@ export async function generateMetadata(options: MetadataGeneratorOptions): Promi
 		}
 	}
 
-	// Scan public/ directory for static files
-	const publicDir = join(rootDir, 'public');
-	if (existsSync(publicDir)) {
+	// Scan client directory for static files copied from public/
+	// Vite copies src/web/public/* to .agentuity/client/* (at root, not in public/ subfolder)
+	// We need to find these files and add them to assets for CDN upload
+	const clientDir = join(agentuityDir, 'client');
+	if (existsSync(clientDir)) {
 		try {
-			function scanDirectory(dir: string, prefix: string = '') {
+			function scanClientDirectory(dir: string, prefix: string = '') {
 				const entries = readdirSync(dir, { withFileTypes: true });
 				for (const entry of entries) {
 					const relativePath = prefix ? `${prefix}/${entry.name}` : entry.name;
 					const fullPath = join(dir, entry.name);
 
+					// Skip directories we already process (assets from manifest, .vite metadata)
 					if (entry.isDirectory()) {
-						scanDirectory(fullPath, relativePath);
+						if (entry.name === 'assets' || entry.name === '.vite') {
+							continue;
+						}
+						scanClientDirectory(fullPath, relativePath);
 					} else if (entry.isFile()) {
+						// Skip files we already added from manifest (index.html is the entry point)
+						if (entry.name === 'index.html') {
+							continue;
+						}
+
 						const stats = statSync(fullPath);
 						// Skip empty files
 						if (stats.size === 0) continue;
 
-						const assetPath = `public/${relativePath}`;
+						const assetPath = `client/${relativePath}`;
 						if (!seenAssets.has(assetPath)) {
 							seenAssets.add(assetPath);
 							const contentType = getContentType(entry.name);
@@ -406,10 +417,10 @@ export async function generateMetadata(options: MetadataGeneratorOptions): Promi
 				}
 			}
 
-			scanDirectory(publicDir);
-			logger.trace(`Found ${assets.length} total assets (including public/)`);
+			scanClientDirectory(clientDir);
+			logger.trace(`Found ${assets.length} total assets (including static files)`);
 		} catch (error) {
-			logger.warn(`Failed to scan public directory: ${error}`);
+			logger.warn(`Failed to scan client directory for static files: ${error}`);
 		}
 	}
 

package/src/cmd/build/vite/public-asset-path-plugin.ts

@@ -1,17 +1,21 @@
 /**
  * Vite plugin to fix incorrect public asset paths
  *
- * Developers sometimes accidentally use source paths or relative paths instead
- * of the correct absolute production path '/public/...'. This plugin:
+ * Developers should use /public/ paths for static assets from src/web/public/.
+ * In production, these paths are transformed to CDN URLs.
  *
- * 1. During build: Rewrites incorrect paths to '/public/*' in the bundle
- * 2. During dev: Warns about incorrect paths so developers can fix them
+ * This plugin:
+ * 1. During build: Rewrites /public/* paths to CDN URLs
+ * 2. During dev: Warns only about incorrect source paths (src/web/public/)
  *
- * Patterns handled:
- * - '/src/web/public/...'  → '/public/...'
- * - './src/web/public/...' → '/public/...'
- * - 'src/web/public/...'   → '/public/...'
- * - './public/...'         → '/public/...'
+ * Supported patterns (work in dev, rewritten to CDN in production):
+ * - '/public/foo.svg'   → CDN URL (recommended)
+ * - './public/foo.svg'  → CDN URL
+ *
+ * Incorrect patterns (warned in dev, rewritten in production):
+ * - '/src/web/public/foo.svg'  → CDN URL
+ * - './src/web/public/foo.svg' → CDN URL
+ * - 'src/web/public/foo.svg'   → CDN URL
  */
 
 import type { Plugin } from 'vite';
@@ -19,46 +23,69 @@ import type { Plugin } from 'vite';
 export interface PublicAssetPathPluginOptions {
 	/** Whether to show warnings in dev mode (default: true) */
 	warnInDev?: boolean;
+	/** CDN base URL for production builds (e.g., 'https://cdn.agentuity.com/{deploymentId}/client/') */
+	cdnBaseUrl?: string;
 }
 
 interface PathPattern {
 	regex: RegExp;
 	description: string;
+	/** Replacement template - use {base} for the target base URL */
+	replacement: string;
 }
 
 /**
- * Create fresh regex instances for each transform call
- * (RegExp with global flag maintains state via lastIndex)
+ * Patterns that are incorrect - reference source paths directly
  */
-function createPatterns(): PathPattern[] {
+function createIncorrectPatterns(): PathPattern[] {
 	return [
 		// '/src/web/public/...' or './src/web/public/...' or 'src/web/public/...'
 		{
 			regex: /(['"`])(?:\.?\/)?src\/web\/public\//g,
 			description: 'src/web/public/',
+			replacement: '$1{base}',
 		},
-		// './public/...' (relative public path - should be absolute)
+	];
+}
+
+/**
+ * Patterns that need rewriting for production CDN
+ * Both patterns simply replace the prefix while preserving the rest of the path naturally.
+ */
+function createPublicPatterns(): PathPattern[] {
+	return [
+		// './public/...' (relative public path) - replace prefix, keep rest
 		{
 			regex: /(['"`])\.\/public\//g,
 			description: './public/',
+			replacement: '$1{base}',
+		},
+		// '/public/...' (absolute public path) - replace prefix, keep rest
+		{
+			regex: /(['"`])\/public\//g,
+			description: '/public/',
+			replacement: '$1{base}',
 		},
 	];
 }
 
 /**
- * Vite plugin that fixes incorrect public asset paths
+ * Vite plugin that fixes public asset paths and rewrites to CDN URLs
+ *
+ * Rewrites all public asset paths to CDN URLs in production.
  *
  * @example
  * // In vite config:
- * plugins: [publicAssetPathPlugin()]
+ * plugins: [publicAssetPathPlugin({ cdnBaseUrl: 'https://cdn.example.com/deploy/client/' })]
  *
- * // Transforms:
- * // '/src/web/public/logo.svg'  → '/public/logo.svg'
- * // './src/web/public/logo.svg' → '/public/logo.svg'
- * // './public/logo.svg'         → '/public/logo.svg'
+ * // In code, use /public/ paths:
+ * <img src="/public/logo.svg" />
+ *
+ * // Transforms in production:
+ * // '/public/logo.svg' → 'https://cdn.example.com/deploy/client/logo.svg'
  */
 export function publicAssetPathPlugin(options: PublicAssetPathPluginOptions = {}): Plugin {
-	const { warnInDev = true } = options;
+	const { warnInDev = true, cdnBaseUrl } = options;
 
 	let isDev = false;
 	const warnedFiles = new Map<string, Set<string>>(); // file -> set of patterns warned
@@ -77,53 +104,78 @@ export function publicAssetPathPlugin(options: PublicAssetPathPluginOptions = {}
 			}
 
 			// Quick check: does the code contain any patterns we care about?
-			const hasIncorrectPaths = code.includes('src/web/public/') || code.includes('./public/');
+			const hasIncorrectSourcePaths = code.includes('src/web/public/');
+			const hasPublicPaths = code.includes('/public/') || code.includes('./public/');
 
-			if (!hasIncorrectPaths) {
+			if (!hasIncorrectSourcePaths && !hasPublicPaths) {
 				return null;
 			}
 
-			// Create fresh patterns for this transform
-			const patterns = createPatterns();
-
-			// Track which patterns were found for warnings
-			const foundPatterns: string[] = [];
-			let transformed = code;
-
-			for (const { regex, description } of patterns) {
-				if (regex.test(transformed)) {
-					foundPatterns.push(description);
-
-					// Create a fresh regex for the replacement (test() consumed the previous one)
-					const replaceRegex = new RegExp(regex.source, regex.flags);
-					transformed = transformed.replace(replaceRegex, '$1/public/');
-				}
-			}
-
-			// In dev mode, optionally warn but don't transform (Vite serves from source paths)
+			// In dev mode, only warn about incorrect source paths (src/web/public/)
+			// /public/ and ./public/ paths work correctly in dev mode
 			if (isDev) {
-				if (warnInDev && foundPatterns.length > 0) {
-					const fileWarnings = warnedFiles.get(id) || new Set();
-					const newWarnings = foundPatterns.filter((p) => !fileWarnings.has(p));
+				if (warnInDev && hasIncorrectSourcePaths) {
+					const patterns = createIncorrectPatterns();
+					const foundPatterns: string[] = [];
 
-					if (newWarnings.length > 0) {
-						for (const p of newWarnings) {
-							fileWarnings.add(p);
+					for (const { regex, description } of patterns) {
+						if (regex.test(code)) {
+							foundPatterns.push(description);
 						}
-						warnedFiles.set(id, fileWarnings);
+					}
 
-						this.warn(
-							`Found incorrect asset path(s) in ${id}:\n` +
-								newWarnings.map((p) => `  - '${p}' should be '/public/'`).join('\n') +
-								`\nUse absolute '/public/...' paths for production compatibility.`
-						);
+					if (foundPatterns.length > 0) {
+						const fileWarnings = warnedFiles.get(id) || new Set();
+						const newWarnings = foundPatterns.filter((p) => !fileWarnings.has(p));
+
+						if (newWarnings.length > 0) {
+							for (const p of newWarnings) {
+								fileWarnings.add(p);
+							}
+							warnedFiles.set(id, fileWarnings);
+
+							this.warn(
+								`Found incorrect asset path(s) in ${id}:\n` +
+									newWarnings.map((p) => `  - '${p}' should be '/public/'`).join('\n') +
+									`\nUse '/public/...' paths for static assets.`
+							);
+						}
 					}
 				}
 				// In dev mode, never transform - Vite serves from source paths
+				// and the Bun server proxies /public/* to Vite
 				return null;
 			}
 
-			// In build mode, return transformed code if changed
+			// Build mode: transform paths to CDN URLs
+			let transformed = code;
+
+			// Determine target URL: CDN base if provided, otherwise root
+			const targetBase = cdnBaseUrl
+				? cdnBaseUrl.endsWith('/')
+					? cdnBaseUrl
+					: `${cdnBaseUrl}/`
+				: '/';
+
+			// Transform incorrect source paths (src/web/public/) → CDN
+			if (hasIncorrectSourcePaths) {
+				const patterns = createIncorrectPatterns();
+				for (const { regex, replacement } of patterns) {
+					const replaceRegex = new RegExp(regex.source, regex.flags);
+					transformed = transformed.replace(replaceRegex, replacement.replace('{base}', targetBase));
+				}
+			}
+
+			// Transform public paths → CDN
+			if (hasPublicPaths) {
+				const publicPatterns = createPublicPatterns();
+				for (const { regex, replacement } of publicPatterns) {
+					const replaceRegex = new RegExp(regex.source, regex.flags);
+					transformed = transformed.replace(replaceRegex, replacement.replace('{base}', targetBase));
+				}
+			}
+
+			// Return transformed code if changed
 			if (transformed !== code) {
 				return {
 					code: transformed,