@odeva/cli 0.0.1 → 0.0.3

package/dist/commands/app/dev.js

@@ -1,5 +1,6 @@
 import { Command, Flags } from "@oclif/core";
 import * as p from "@clack/prompts";
+import { unwatchFile, watchFile } from "node:fs";
 import { OdevaApi } from "../../lib/api.js";
 import { loadAppConfig } from "../../lib/config.js";
 import { loadAppEnv } from "../../lib/app-env.js";
@@ -7,8 +8,10 @@ import { startQuickTunnel } from "../../lib/cloudflared.js";
 import {
   cleanupSubscriptions,
   preflightChecks,
+  registeredWebhookEnv,
   registerWebhookSubscriptions,
   spawnDevServer,
+  watchedDevInputPaths,
   writeDevEnvFile
 } from "../../lib/dev-runner.js";
 import { CliError } from "../../lib/errors.js";
@@ -31,7 +34,6 @@ class AppDev extends Command {
       const loaded = loadAppConfig();
       const appEnv = loadAppEnv(loaded.path);
       const port = flags.port ?? loaded.config.build?.port ?? 3e3;
-      const subscriptions = loaded.config.webhooks?.subscriptions ?? [];
       for (const warning of preflightChecks(loaded.root).warnings) {
         this.log(ui.warn(warning));
       }
@@ -54,24 +56,7 @@ class AppDev extends Command {
       const tunnel = await startQuickTunnel(port);
       tunnelSpinner.stop(`Tunnel ready at ${ui.code(tunnel.url)}`);
       let registered = [];
-      if (subscriptions.length > 0) {
-        const whSpinner = p.spinner();
-        whSpinner.start(`Registering ${subscriptions.length} webhook subscription${subscriptions.length === 1 ? "" : "s"}`);
-        try {
-          registered = await registerWebhookSubscriptions(api, loaded.config.name, tunnel.url, subscriptions);
-          whSpinner.stop(`Registered ${registered.length} subscription${registered.length === 1 ? "" : "s"}`);
-        } catch (err) {
-          whSpinner.stop(ui.err("Webhook registration failed"));
-          await tunnel.stop();
-          throw err instanceof CliError ? err : new CliError(`Webhook registration failed: ${err.message}`);
-        }
-        const envPath = writeDevEnvFile(loaded.root, registered);
-        if (envPath) {
-          this.log(ui.ok(`Wrote ${ui.code(envPath)} (add to .gitignore \u2014 it contains secrets)`));
-        }
-      } else {
-        this.log(ui.dim("No webhook subscriptions in odeva.app.toml \u2014 skipping registration."));
-      }
+      registered = await this.registerDevWebhooks(api, loaded, tunnel.url);
       this.log("");
       this.log(`${ui.bold("Tunnel:")}     ${tunnel.url}`);
       this.log(`${ui.bold("Local:")}      http://localhost:${port}`);
@@ -81,18 +66,68 @@ class AppDev extends Command {
       this.log("");
       this.log(ui.dim("Press Ctrl-C to stop. Subscriptions will be cleaned up on exit."));
       this.log("");
-      const server = spawnDevServer({
+      let server = spawnDevServer({
         cwd: loaded.root,
         config: loaded.config,
         env: {
           ...appEnv,
           PORT: String(port),
           ODEVA_TUNNEL_URL: tunnel.url,
-          ...registered[0] ? { ODEVA_WEBHOOK_SECRET: registered[0].secret } : {}
+          ...registeredWebhookEnv(registered)
         }
       });
+      let shuttingDown = false;
+      let restartingServer = false;
+      let serverExited = () => {
+      };
+      const serverExit = new Promise((resolve) => {
+        serverExited = resolve;
+      });
+      const watchServerExit = (devServer) => {
+        devServer.process.once("exit", (code) => {
+          if (!restartingServer && !shuttingDown) serverExited(code);
+        });
+      };
+      watchServerExit(server);
+      let reloading = Promise.resolve();
+      const stopWatcher = this.watchDevInputs(loaded.path, async () => {
+        reloading = reloading.then(async () => {
+          this.log("\n" + ui.dim("Reloading app dev config..."));
+          const nextLoaded = loadAppConfig(loaded.root);
+          const nextPort = flags.port ?? nextLoaded.config.build?.port ?? 3e3;
+          if (nextPort !== port) {
+            this.log(ui.warn(`Port changed to ${nextPort}; restart \`odeva app dev\` to recreate the tunnel.`));
+          }
+          const nextRegistered = await this.registerDevWebhooks(api, nextLoaded, tunnel.url);
+          await cleanupSubscriptions(api, registered);
+          registered = nextRegistered;
+          const nextAppEnv = loadAppEnv(nextLoaded.path);
+          restartingServer = true;
+          await server.stop();
+          restartingServer = false;
+          const nextServer = spawnDevServer({
+            cwd: nextLoaded.root,
+            config: nextLoaded.config,
+            env: {
+              ...nextAppEnv,
+              PORT: String(port),
+              ODEVA_TUNNEL_URL: tunnel.url,
+              ...registeredWebhookEnv(registered)
+            }
+          });
+          server = nextServer;
+          watchServerExit(server);
+          this.log(ui.ok("Reloaded app dev config."));
+        }).catch((err) => {
+          restartingServer = false;
+          this.log(ui.err(`Reload failed: ${err.message}`));
+        });
+      });
       installShutdownHandler(async () => {
+        shuttingDown = true;
         this.log("\n" + ui.dim("Cleaning up..."));
+        stopWatcher();
+        await reloading;
         await Promise.allSettled([
           server.stop(),
           tunnel.stop(),
@@ -100,10 +135,51 @@ class AppDev extends Command {
         ]);
         this.log(ui.ok("Done."));
       });
-      await server.waitForExit();
+      await serverExit;
+      shuttingDown = true;
+      stopWatcher();
+      await reloading;
       await Promise.allSettled([tunnel.stop(), cleanupSubscriptions(api, registered)]);
     });
   }
+  async registerDevWebhooks(api, loaded, tunnelUrl) {
+    const subscriptions = loaded.config.webhooks?.subscriptions ?? [];
+    if (subscriptions.length === 0) {
+      this.log(ui.dim("No webhook subscriptions in odeva.app.toml \u2014 skipping registration."));
+      return [];
+    }
+    const whSpinner = p.spinner();
+    whSpinner.start(`Registering ${subscriptions.length} webhook subscription${subscriptions.length === 1 ? "" : "s"}`);
+    try {
+      const registered = await registerWebhookSubscriptions(api, loaded.config.name, tunnelUrl, subscriptions);
+      whSpinner.stop(`Registered ${registered.length} subscription${registered.length === 1 ? "" : "s"}`);
+      const envPath = writeDevEnvFile(loaded.root, registered);
+      if (envPath) {
+        this.log(ui.ok(`Wrote ${ui.code(envPath)} (add to .gitignore \u2014 it contains secrets)`));
+      }
+      return registered;
+    } catch (err) {
+      whSpinner.stop(ui.err("Webhook registration failed"));
+      throw err instanceof CliError ? err : new CliError(`Webhook registration failed: ${err.message}`);
+    }
+  }
+  watchDevInputs(appConfigPath, onChange) {
+    const paths = watchedDevInputPaths(appConfigPath);
+    let timer;
+    const queue = () => {
+      if (timer) clearTimeout(timer);
+      timer = setTimeout(onChange, 250);
+    };
+    for (const path of paths) {
+      watchFile(path, { interval: 500 }, (curr, prev) => {
+        if (curr.mtimeMs !== prev.mtimeMs || curr.size !== prev.size) queue();
+      });
+    }
+    return () => {
+      if (timer) clearTimeout(timer);
+      for (const path of paths) unwatchFile(path);
+    };
+  }
 }
 let shutdownInstalled = false;
 function installShutdownHandler(handler) {

package/dist/commands/auth/login.js

@@ -10,6 +10,8 @@ import { pickOrganization } from "../../lib/org-picker.js";
 import { withErrorHandling } from "../../lib/run.js";
 import { ui } from "../../lib/ui.js";
 const POLL_TIMEOUT_MS = 15 * 60 * 1e3;
+const MIN_POLL_INTERVAL_MS = 10 * 1e3;
+const RATE_LIMIT_BACKOFF_MS = 30 * 1e3;
 class AuthLogin extends Command {
   static description = "Authenticate the CLI with your Odeva account";
   static examples = [
@@ -42,6 +44,7 @@ class AuthLogin extends Command {
       const api = new OdevaApi({ apiUrl });
       p.intro(ui.brand("odeva auth login"));
       const begin = await api.cliAuthBegin(osHostname());
+      const pollIntervalMs = Math.max(begin.interval * 1e3, MIN_POLL_INTERVAL_MS);
       p.note(
         [
           `Verify this code matches the one shown on the approval page:`,
@@ -58,18 +61,28 @@ class AuthLogin extends Command {
           this.log(ui.warn(`Could not open a browser automatically. Visit the URL above to approve.`));
         }
       }
-      const token = await this.pollUntilResolved(api, begin.deviceCode, begin.interval);
+      const token = await this.pollUntilResolved(api, begin.deviceCode, pollIntervalMs);
       await this.completeWithToken(token, apiUrl);
     });
   }
-  async pollUntilResolved(api, deviceCode, intervalSec) {
+  async pollUntilResolved(api, deviceCode, intervalMs) {
     const spinner = p.spinner();
     spinner.start("Waiting for approval in your browser\u2026");
     const deadline = Date.now() + POLL_TIMEOUT_MS;
     try {
       while (Date.now() < deadline) {
-        await sleep(intervalSec * 1e3);
-        const result = await api.cliAuthPoll(deviceCode);
+        await sleep(intervalMs);
+        let result;
+        try {
+          result = await api.cliAuthPoll(deviceCode);
+        } catch (err) {
+          if (isRateLimitError(err)) {
+            spinner.message("Waiting for approval in your browser\u2026");
+            await sleep(RATE_LIMIT_BACKOFF_MS);
+            continue;
+          }
+          throw err;
+        }
         switch (result.status) {
           case "approved":
             if (!result.token) {
@@ -131,6 +144,15 @@ class AuthLogin extends Command {
 function sleep(ms) {
   return new Promise((resolve) => setTimeout(resolve, ms));
 }
+function isRateLimitError(err) {
+  if (!(err instanceof ApiError)) return false;
+  return err.graphqlErrors?.some((gqlError) => {
+    const extensions = gqlError.extensions;
+    if (!extensions || typeof extensions !== "object") return false;
+    const code = extensions.code;
+    return typeof code === "string" && code.toUpperCase() === "RATE_LIMITED";
+  }) ?? /rate limit/i.test(err.message);
+}
 export {
   AuthLogin as default
 };

package/dist/commands/webhook/trigger.js

@@ -5,7 +5,7 @@ import { loadAppConfig, findAppConfigPath } from "../../lib/config.js";
 import { buildFixture, signPayload } from "../../lib/webhook-fixtures.js";
 import { CliError } from "../../lib/errors.js";
 import { withErrorHandling } from "../../lib/run.js";
-import { readEnvFile } from "../../lib/dev-runner.js";
+import { readEnvFile, webhookSecretForEvent } from "../../lib/dev-runner.js";
 import { ui } from "../../lib/ui.js";
 import { join } from "node:path";
 class WebhookTrigger extends Command {
@@ -45,10 +45,11 @@ class WebhookTrigger extends Command {
     const { args, flags } = await this.parse(WebhookTrigger);
     await withErrorHandling(this, async () => {
       const event = args.event;
-      const url = flags.url ?? this.urlFromConfig(event, flags.port);
+      const configSubscription = this.subscriptionFromConfig(event);
+      const url = flags.url ?? this.urlFromConfig(event, flags.port, configSubscription?.uri);
       const payload = flags.payload ? this.readPayload(flags.payload, event) : buildFixture(event);
       const body = JSON.stringify(payload);
-      const secret = flags.secret ?? this.secretFromEnvFile();
+      const secret = flags.secret ?? this.secretFromEnvFile(event);
       const headers = {
         "content-type": "application/json",
         "x-odeva-event": event,
@@ -57,7 +58,7 @@ class WebhookTrigger extends Command {
       if (!flags["no-sign"]) {
         if (!secret) {
           throw new CliError("No webhook secret available.", {
-            hint: "Run `odeva app dev` first to generate one, or pass --secret <value>, or use --no-sign for unsigned testing."
+            hint: flags.url || configSubscription ? "Run `odeva app dev` to generate one, or pass --secret <value>, or use --no-sign for unsigned testing." : `Add a '${event}' subscription to odeva.app.toml, let \`odeva app dev\` reload, then try again.`
           });
         }
         headers["x-odeva-signature"] = signPayload(body, secret);
@@ -83,7 +84,13 @@ class WebhookTrigger extends Command {
       if (text) this.log(ui.dim(text.length > 500 ? `${text.slice(0, 500)}\u2026` : text));
     });
   }
-  urlFromConfig(event, portFlag) {
+  subscriptionFromConfig(event) {
+    const cfgPath = findAppConfigPath();
+    if (!cfgPath) return void 0;
+    const loaded = loadAppConfig();
+    return loaded.config.webhooks?.subscriptions?.find((s) => s.topic === event);
+  }
+  urlFromConfig(event, portFlag, subscriptionUri) {
     const cfgPath = findAppConfigPath();
     if (!cfgPath) {
       throw new CliError("No odeva.app.toml found, and no --url provided.", {
@@ -91,17 +98,16 @@ class WebhookTrigger extends Command {
       });
     }
     const loaded = loadAppConfig();
-    const sub = loaded.config.webhooks?.subscriptions?.find((s) => s.topic === event);
     const port = portFlag ?? loaded.config.build?.port ?? 3e3;
-    const path = sub?.uri ?? `/webhooks/${event}`;
+    const path = subscriptionUri ?? `/webhooks/${event}`;
     return `http://localhost:${port}${path.startsWith("/") ? path : `/${path}`}`;
   }
-  secretFromEnvFile() {
+  secretFromEnvFile(event) {
     const cfgPath = findAppConfigPath();
     if (!cfgPath) return void 0;
     const envPath = join(resolve(cfgPath, ".."), ".env.odeva.local");
     const env = readEnvFile(envPath);
-    return env["ODEVA_WEBHOOK_SECRET"];
+    return webhookSecretForEvent(event, env);
   }
   readPayload(path, event) {
     const abs = resolve(process.cwd(), path);

package/dist/lib/api.js

@@ -246,7 +246,7 @@ class OdevaApi {
           appInstallationId: $appInstallationId
         ) {
           webhookSubscription { id name endpointUrl eventTypes status }
-          webhookSecret
+          signingSecret
           errors
         }
       }
@@ -257,7 +257,10 @@ class OdevaApi {
     if (payload.errors?.length) {
       throw new ApiError(`Could not create webhook subscription: ${payload.errors.join(", ")}`);
     }
-    return { subscription: payload.webhookSubscription, webhookSecret: payload.webhookSecret };
+    if (!payload.signingSecret) {
+      throw new ApiError("Could not create webhook subscription: no signing secret returned");
+    }
+    return { subscription: payload.webhookSubscription, signingSecret: payload.signingSecret };
   }
   async deleteWebhookSubscription(id) {
     await this.request(

package/dist/lib/config.js

@@ -42,6 +42,23 @@ function validateConfig(config, path) {
       { hint: `Edit ${path}` }
     );
   }
+  if (config.webhooks?.subscriptions) {
+    const rawSubscriptions = config.webhooks.subscriptions;
+    config.webhooks.subscriptions = rawSubscriptions.map((subscription) => {
+      if (typeof subscription === "string") {
+        return { topic: subscription, uri: `/webhooks/${subscription}` };
+      }
+      if (!subscription.topic || typeof subscription.topic !== "string") {
+        throw new CliError(`Invalid ${APP_CONFIG_FILE}: webhook subscription missing 'topic'.`, {
+          hint: `Edit ${path}`
+        });
+      }
+      return {
+        ...subscription,
+        uri: subscription.uri || `/webhooks/${subscription.topic}`
+      };
+    });
+  }
 }
 export {
   findAppConfigPath,

package/dist/lib/dev-runner.js

@@ -1,16 +1,17 @@
 import { spawn } from "node:child_process";
 import { existsSync, readFileSync, writeFileSync } from "node:fs";
-import { join } from "node:path";
+import { dirname, join } from "node:path";
+import { APP_ENV_FILE } from "./app-env.js";
 async function registerWebhookSubscriptions(api, appName, tunnelUrl, subscriptions) {
   const created = [];
   for (const sub of subscriptions) {
     const fullUrl = joinUrl(tunnelUrl, sub.uri);
-    const { subscription, webhookSecret } = await api.createWebhookSubscription({
+    const { subscription, signingSecret } = await api.createWebhookSubscription({
       name: `${appName} (dev) \u2014 ${sub.topic}`,
       endpointUrl: fullUrl,
       eventTypes: [sub.topic]
     });
-    created.push({ config: sub, subscription, secret: webhookSecret, fullUrl });
+    created.push({ config: sub, subscription, secret: signingSecret, fullUrl });
   }
   return created;
 }
@@ -26,6 +27,7 @@ function spawnDevServer(opts) {
   const command = opts.config.build?.dev ?? "bun run dev";
   const proc = spawn(command, {
     cwd: opts.cwd,
+    detached: process.platform !== "win32",
     shell: true,
     stdio: "inherit",
     env: {
@@ -53,14 +55,28 @@ function writeDevEnvFile(cwd, registered) {
   lines.push(`ODEVA_WEBHOOK_SECRET=${primary.secret}`);
   for (const reg of registered) {
     lines.push(`# ${reg.config.topic} \u2192 ${reg.fullUrl}`);
-    lines.push(`ODEVA_WEBHOOK_SECRET__${secretEnvKey(reg.config.topic)}=${reg.secret}`);
+    lines.push(`ODEVA_WEBHOOK_SECRET__${webhookSecretEnvKey(reg.config.topic)}=${reg.secret}`);
   }
   writeFileSync(path, lines.join("\n") + "\n", { mode: 384 });
   return path;
 }
-function secretEnvKey(topic) {
+function registeredWebhookEnv(registered) {
+  const env = {};
+  if (registered[0]) env.ODEVA_WEBHOOK_SECRET = registered[0].secret;
+  for (const reg of registered) {
+    env[`ODEVA_WEBHOOK_SECRET__${webhookSecretEnvKey(reg.config.topic)}`] = reg.secret;
+  }
+  return env;
+}
+function webhookSecretEnvKey(topic) {
   return topic.toUpperCase().replace(/[^A-Z0-9]+/g, "_");
 }
+function webhookSecretForEvent(event, env) {
+  return env[`ODEVA_WEBHOOK_SECRET__${webhookSecretEnvKey(event)}`] ?? env["ODEVA_WEBHOOK_SECRET"];
+}
+function watchedDevInputPaths(appConfigPath) {
+  return [appConfigPath, join(dirname(appConfigPath), APP_ENV_FILE)];
+}
 function joinUrl(base, path) {
   const trimmedBase = base.replace(/\/$/, "");
   const trimmedPath = path.startsWith("/") ? path : `/${path}`;
@@ -71,7 +87,7 @@ function stopProcess(proc) {
     if (proc.exitCode !== null) return resolve();
     proc.once("exit", () => resolve());
     try {
-      proc.kill("SIGTERM");
+      killDevProcess(proc, "SIGTERM");
     } catch {
       resolve();
       return;
@@ -79,13 +95,24 @@ function stopProcess(proc) {
     setTimeout(() => {
       if (proc.exitCode === null) {
         try {
-          proc.kill("SIGKILL");
+          killDevProcess(proc, "SIGKILL");
         } catch {
         }
       }
     }, 2e3);
   });
 }
+function killDevProcess(proc, signal) {
+  if (process.platform === "win32") {
+    proc.kill(signal);
+    return;
+  }
+  if (proc.pid) {
+    process.kill(-proc.pid, signal);
+  } else {
+    proc.kill(signal);
+  }
+}
 function preflightChecks(cwd) {
   const warnings = [];
   if (!existsSync(join(cwd, "node_modules"))) {
@@ -110,6 +137,10 @@ export {
   preflightChecks,
   readEnvFile,
   registerWebhookSubscriptions,
+  registeredWebhookEnv,
   spawnDevServer,
+  watchedDevInputPaths,
+  webhookSecretEnvKey,
+  webhookSecretForEvent,
   writeDevEnvFile
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@odeva/cli",
-  "version": "0.0.1",
+  "version": "0.0.3",
   "description": "Build apps on the Odeva booking platform — scaffold, develop, deploy.",
   "license": "MIT",
   "type": "module",

package/templates/hono-bun/src/index.ts

@@ -1,7 +1,9 @@
 import { Hono } from "hono";
+import { OdevaClient } from "@odeva/booking-sdk";
 import { verifyWebhook } from "./webhook.js";
 import { makeInstallHandler } from "./install.js";
 import { SqliteInstallationStore } from "./installations.js";
+import { logger } from "./logger.js";
 
 // Default store: SQLite file next to the app. Swap to your own
 // `InstallationStore` impl (e.g. Postgres) for multi-instance deploys.
@@ -13,12 +15,34 @@ app.get("/", (c) =>
   c.json({
     app: "{{slug}}",
     ok: true,
-    routes: ["GET /", "GET /healthz", "GET /install", "POST /webhooks/:topic"],
+    routes: ["GET /", "GET /healthz", "GET /install", "GET /sdk/accommodations", "POST /webhooks/:topic"],
   }),
 );
 
 app.get("/healthz", (c) => c.json({ ok: true }));
 
+// SDK example. Set ODEVA_ORGANIZATION_SLUG to query public booking data for an
+// organization, then visit /sdk/accommodations while the app is running.
+app.get("/sdk/accommodations", async (c) => {
+  const organizationSlug = process.env.ODEVA_ORGANIZATION_SLUG;
+  if (!organizationSlug) {
+    return c.json({
+      error: "missing ODEVA_ORGANIZATION_SLUG",
+      hint: "Set ODEVA_ORGANIZATION_SLUG in .odeva.env, then let `odeva app dev` reload.",
+    }, 400);
+  }
+
+  const odeva = new OdevaClient({ organizationSlug });
+  const accommodations = await odeva.searchAccommodations({
+    startDate: "2026-07-01",
+    endDate: "2026-07-08",
+    guests: 2,
+    limit: 5,
+  });
+
+  return c.json({ accommodations });
+});
+
 // Install handshake. Odeva redirects here with `?install_code=...`.
 app.get("/install", makeInstallHandler(installations));
 
@@ -28,14 +52,16 @@ app.post("/webhooks/:topic", async (c) => {
   const topic = c.req.param("topic");
   const rawBody = await c.req.text();
   const signature = c.req.header("x-odeva-signature");
-  const secret = process.env.ODEVA_WEBHOOK_SECRET;
+  const secret =
+    process.env[`ODEVA_WEBHOOK_SECRET__${topic.toUpperCase().replace(/[^A-Z0-9]+/g, "_")}`] ??
+    process.env.ODEVA_WEBHOOK_SECRET;
 
   if (secret && !verifyWebhook(rawBody, signature, secret)) {
     return c.json({ error: "invalid signature" }, 401);
   }
 
   const payload = JSON.parse(rawBody) as Record<string, unknown>;
-  console.log(`[webhook] ${topic}`, payload);
+  logger.info(`[webhook] ${topic}`, payload);
 
   // TODO: handle the event.
   // Tip: run `odeva webhook trigger <topic>` to fire a sample payload at this handler.
@@ -44,6 +70,6 @@ app.post("/webhooks/:topic", async (c) => {
 });
 
 const port = Number(process.env.PORT ?? 3000);
-console.log(`{{name}} listening on http://localhost:${port}`);
+logger.info(`{{name}} listening on http://localhost:${port}`);
 
 export default { port, fetch: app.fetch };

package/templates/hono-bun/src/logger.ts

@@ -0,0 +1,20 @@
+import { inspect } from "node:util";
+
+type LogLevel = "info" | "warn" | "error";
+
+function log(level: LogLevel, message: string, details?: unknown): void {
+  const prefix = `[${new Date().toISOString()}] ${level.toUpperCase()} ${message}`;
+  if (details === undefined) {
+    console.log(prefix);
+    return;
+  }
+
+  console.log(prefix);
+  console.log(inspect(details, { colors: true, depth: 6, compact: false }));
+}
+
+export const logger = {
+  info: (message: string, details?: unknown) => log("info", message, details),
+  warn: (message: string, details?: unknown) => log("warn", message, details),
+  error: (message: string, details?: unknown) => log("error", message, details),
+};