@odeva/cli 0.0.1

package/dist/lib/org-picker.js

@@ -0,0 +1,34 @@
+import * as p from "@clack/prompts";
+import { CliError } from "./errors.js";
+import { ui } from "./ui.js";
+async function pickOrganization(api, options = {}) {
+  const session = await api.session();
+  const orgs = session.organizations;
+  if (orgs.length === 0) {
+    throw new CliError("Your account has no organization.", {
+      hint: "Create one at https://booking.odeva.app, then run `odeva auth login` again."
+    });
+  }
+  if (orgs.length === 1) {
+    return { organization: orgs[0], email: session.email };
+  }
+  const preferred = options.preferOrganizationId ? orgs.find((o) => o.id === options.preferOrganizationId) : void 0;
+  const choice = await p.select({
+    message: "Which organization should the CLI act on?",
+    options: orgs.map((o) => ({
+      value: o.id,
+      label: o.name,
+      hint: ui.dim(o.slug)
+    })),
+    initialValue: preferred?.id ?? orgs[0].id
+  });
+  if (p.isCancel(choice)) {
+    throw new CliError("Cancelled.");
+  }
+  const picked = orgs.find((o) => o.id === choice);
+  if (!picked) throw new CliError("Could not resolve selected organization.");
+  return { organization: picked, email: session.email };
+}
+export {
+  pickOrganization
+};

package/dist/lib/paths.js

@@ -0,0 +1,13 @@
+import { homedir } from "node:os";
+import { join } from "node:path";
+const xdgConfigHome = process.env["XDG_CONFIG_HOME"] || join(homedir(), ".config");
+const CONFIG_DIR = join(xdgConfigHome, "odeva");
+const CREDENTIALS_PATH = join(CONFIG_DIR, "credentials.json");
+const APP_CONFIG_FILE = "odeva.app.toml";
+const DEFAULT_API_URL = process.env["ODEVA_API_URL"] || "https://booking.odeva.app";
+export {
+  APP_CONFIG_FILE,
+  CONFIG_DIR,
+  CREDENTIALS_PATH,
+  DEFAULT_API_URL
+};

package/dist/lib/run.js

@@ -0,0 +1,17 @@
+import { CliError } from "./errors.js";
+import { ui } from "./ui.js";
+async function withErrorHandling(cmd, body) {
+  try {
+    await body();
+  } catch (err) {
+    if (err instanceof CliError) {
+      cmd.log(ui.err(err.message));
+      if (err.hint) cmd.log(ui.dim(`  \u2192 ${err.hint}`));
+      cmd.exit(err.exitCode);
+    }
+    throw err;
+  }
+}
+export {
+  withErrorHandling
+};

package/dist/lib/slug.js

@@ -0,0 +1,10 @@
+function slugify(input) {
+  return input.normalize("NFKD").replace(/[̀-ͯ]/g, "").toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "").slice(0, 64);
+}
+function isValidSlug(input) {
+  return /^[a-z0-9][a-z0-9-]*$/.test(input) && input.length <= 64;
+}
+export {
+  isValidSlug,
+  slugify
+};

package/dist/lib/templates.js

@@ -0,0 +1,115 @@
+import {
+  cpSync,
+  existsSync,
+  mkdirSync,
+  readFileSync,
+  readdirSync,
+  renameSync,
+  statSync,
+  writeFileSync
+} from "node:fs";
+import { dirname, join, relative } from "node:path";
+import { fileURLToPath } from "node:url";
+import { CliError } from "./errors.js";
+const here = dirname(fileURLToPath(import.meta.url));
+function templatesRoot() {
+  const candidates = [
+    join(here, "..", "..", "..", "templates"),
+    // dist/lib → repo/templates
+    join(here, "..", "..", "templates")
+    // src/lib  → repo/templates
+  ];
+  for (const candidate of candidates) {
+    if (existsSync(candidate)) return candidate;
+  }
+  throw new CliError("Could not locate the templates directory.", {
+    hint: "Reinstall @odeva/cli \u2014 the packaged templates may be missing."
+  });
+}
+function listTemplates() {
+  const root = templatesRoot();
+  return readdirSync(root).filter((name) => {
+    const stat = statSync(join(root, name));
+    return stat.isDirectory();
+  });
+}
+function renderTemplate(opts) {
+  const root = templatesRoot();
+  const src = join(root, opts.template);
+  if (!existsSync(src)) {
+    throw new CliError(`Template '${opts.template}' not found.`, {
+      hint: `Available templates: ${listTemplates().join(", ")}`
+    });
+  }
+  if (existsSync(opts.destination) && !opts.overwrite) {
+    const entries = readdirSync(opts.destination);
+    if (entries.length > 0) {
+      throw new CliError(`Destination '${opts.destination}' is not empty.`, {
+        hint: "Choose a different directory or remove the existing files."
+      });
+    }
+  }
+  mkdirSync(opts.destination, { recursive: true });
+  cpSync(src, opts.destination, { recursive: true });
+  let filesWritten = 0;
+  walk(opts.destination, (path) => {
+    const isTmpl = path.endsWith(".tmpl");
+    const finalPath = isTmpl ? path.slice(0, -".tmpl".length) : path;
+    if (isTmpl || isTextFile(path)) {
+      const content = readFileSync(path, "utf8");
+      const rendered = substitute(content, opts.variables);
+      writeFileSync(path, rendered, "utf8");
+    }
+    if (isTmpl) {
+      renameSync(path, finalPath);
+    }
+    filesWritten++;
+  });
+  return { filesWritten };
+}
+function walk(dir, visit) {
+  for (const entry of readdirSync(dir)) {
+    const full = join(dir, entry);
+    const stat = statSync(full);
+    if (stat.isDirectory()) {
+      walk(full, visit);
+    } else if (stat.isFile()) {
+      visit(full);
+    }
+  }
+}
+const TEXT_EXTENSIONS = /* @__PURE__ */ new Set([
+  ".json",
+  ".toml",
+  ".ts",
+  ".tsx",
+  ".js",
+  ".jsx",
+  ".md",
+  ".txt",
+  ".yml",
+  ".yaml",
+  ".gitignore",
+  ".env"
+]);
+function isTextFile(path) {
+  const lastDot = path.lastIndexOf(".");
+  if (lastDot === -1) return false;
+  return TEXT_EXTENSIONS.has(path.slice(lastDot).toLowerCase());
+}
+function substitute(content, variables) {
+  return content.replace(/\{\{\s*([a-zA-Z_][a-zA-Z0-9_]*)\s*\}\}/g, (match, key) => {
+    if (key in variables) return variables[key];
+    return match;
+  });
+}
+function relativeTo(from, to) {
+  const rel = relative(from, to);
+  return rel === "" ? "." : rel;
+}
+export {
+  listTemplates,
+  relativeTo,
+  renderTemplate,
+  templatesRoot
+};

package/dist/lib/ui.js

@@ -0,0 +1,13 @@
+import pc from "picocolors";
+const ui = {
+  brand: (s) => pc.bold(pc.magenta(s)),
+  ok: (s) => `${pc.green("\u2713")} ${s}`,
+  warn: (s) => `${pc.yellow("!")} ${s}`,
+  err: (s) => `${pc.red("\u2717")} ${s}`,
+  dim: (s) => pc.dim(s),
+  bold: (s) => pc.bold(s),
+  code: (s) => pc.cyan(s)
+};
+export {
+  ui
+};

package/dist/lib/webhook-fixtures.js

@@ -0,0 +1,60 @@
+import { createHmac, randomBytes } from "node:crypto";
+const FIXTURES = {
+  "reservation.created": {
+    reservation: {
+      id: "res_test_abc123",
+      status: "confirmed",
+      checkIn: "2026-07-01",
+      checkOut: "2026-07-05",
+      guests: { adults: 2, children: 1 },
+      accommodation: { id: "acc_test_001", name: "Sample Cabin" },
+      total: { amount: "480.00", currency: "EUR" }
+    }
+  },
+  "reservation.updated": {
+    reservation: {
+      id: "res_test_abc123",
+      status: "confirmed",
+      checkIn: "2026-07-02",
+      checkOut: "2026-07-06"
+    },
+    changes: ["checkIn", "checkOut"]
+  },
+  "reservation.cancelled": {
+    reservation: {
+      id: "res_test_abc123",
+      status: "cancelled",
+      cancelledAt: (/* @__PURE__ */ new Date()).toISOString(),
+      reason: "guest_request"
+    }
+  },
+  "payment.succeeded": {
+    payment: {
+      id: "pay_test_xyz789",
+      reservationId: "res_test_abc123",
+      amount: "480.00",
+      currency: "EUR",
+      provider: "mollie"
+    }
+  }
+};
+function buildFixture(event, overrides) {
+  const data = overrides ?? FIXTURES[event] ?? { note: "no fixture defined for this event" };
+  return {
+    event,
+    id: `evt_test_${randomBytes(8).toString("hex")}`,
+    occurredAt: (/* @__PURE__ */ new Date()).toISOString(),
+    data
+  };
+}
+function signPayload(rawBody, secret) {
+  return createHmac("sha256", secret).update(rawBody).digest("hex");
+}
+function listFixtureEvents() {
+  return Object.keys(FIXTURES);
+}
+export {
+  buildFixture,
+  listFixtureEvents,
+  signPayload
+};

package/package.json

@@ -0,0 +1,74 @@
+{
+  "name": "@odeva/cli",
+  "version": "0.0.1",
+  "description": "Build apps on the Odeva booking platform — scaffold, develop, deploy.",
+  "license": "MIT",
+  "type": "module",
+  "bin": {
+    "odeva": "./bin/run.js"
+  },
+  "files": [
+    "bin",
+    "dist",
+    "templates"
+  ],
+  "engines": {
+    "bun": ">=1.1.0",
+    "node": ">=20"
+  },
+  "scripts": {
+    "build": "tsup",
+    "build:watch": "tsup --watch",
+    "lint": "oxlint --deny-warnings src",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "typecheck": "tsc --noEmit",
+    "odeva": "bun ./bin/run.js",
+    "dev": "bun ./bin/dev.js",
+    "prepublishOnly": "bun run typecheck && bun run lint && bun run test && bun run build"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "dependencies": {
+    "@clack/prompts": "^0.9.0",
+    "@oclif/core": "^4.0.0",
+    "@oclif/plugin-help": "^6.2.0",
+    "@oclif/plugin-not-found": "^3.2.0",
+    "graphql-request": "^7.1.0",
+    "picocolors": "^1.1.0",
+    "smol-toml": "^1.3.0"
+  },
+  "devDependencies": {
+    "@types/bun": "^1.1.0",
+    "@types/node": "^22.0.0",
+    "oxlint": "^1.50.0",
+    "tsup": "^8.3.0",
+    "typescript": "^5.6.0",
+    "vitest": "^2.1.0"
+  },
+  "oclif": {
+    "bin": "odeva",
+    "dirname": "odeva",
+    "commands": "./dist/commands",
+    "topicSeparator": " ",
+    "plugins": [
+      "@oclif/plugin-help",
+      "@oclif/plugin-not-found"
+    ],
+    "topics": {
+      "auth": {
+        "description": "Authenticate with Odeva"
+      },
+      "app": {
+        "description": "Manage and develop your Odeva app"
+      },
+      "app:config": {
+        "description": "Sync local config with the Odeva platform"
+      },
+      "webhook": {
+        "description": "Inspect and test webhook delivery"
+      }
+    }
+  }
+}

package/templates/hono-bun/.gitignore.tmpl

@@ -0,0 +1,9 @@
+node_modules
+.env
+.env.local
+.odeva.env
+.DS_Store
+dist
+*.log
+installations.db
+installations.db-journal

package/templates/hono-bun/README.md.tmpl

@@ -0,0 +1,23 @@
+# {{name}}
+
+An app built on the [Odeva](https://odeva.app) booking platform.
+
+## Develop
+
+```sh
+bun install
+odeva app config link    # register this app on Odeva (writes client_id)
+odeva app dev            # local server + tunnel + webhook delivery
+```
+
+In another terminal:
+
+```sh
+odeva webhook trigger reservation.created
+```
+
+## Project layout
+
+- `odeva.app.toml` — app config (name, slug, webhooks, scopes)
+- `src/index.ts` — Hono server with a webhook handler stub
+- `src/webhook.ts` — HMAC signature verification

package/templates/hono-bun/odeva.app.toml.tmpl

@@ -0,0 +1,25 @@
+name = "{{name}}"
+slug = "{{slug}}"
+description = "An Odeva app."
+
+# Where Odeva redirects users when they install this app on their org.
+# Must be a publicly reachable URL once you submit for marketplace review.
+# During development you can leave it blank or point it at your `odeva app dev` tunnel.
+install_url = ""
+
+[build]
+dev = "bun run dev"
+port = 3000
+
+[access_scopes]
+scopes = []
+
+[webhooks]
+api_version = "2026-01"
+
+# Add subscriptions here. `odeva app dev` will auto-register them with your
+# tunnel URL. List supported events with: `odeva webhook list --available`.
+#
+# [[webhooks.subscriptions]]
+# topic = "reservation.created"
+# uri = "/webhooks/reservation.created"

package/templates/hono-bun/package.json.tmpl

@@ -0,0 +1,19 @@
+{
+  "name": "{{slug}}",
+  "version": "0.0.1",
+  "private": true,
+  "type": "module",
+  "scripts": {
+    "dev": "bun --hot src/index.ts",
+    "start": "bun src/index.ts",
+    "typecheck": "tsc --noEmit"
+  },
+  "dependencies": {
+    "@odeva/booking-sdk": "^0.1.0",
+    "hono": "^4.6.0"
+  },
+  "devDependencies": {
+    "@types/bun": "^1.1.0",
+    "typescript": "^5.6.0"
+  }
+}

package/templates/hono-bun/src/index.ts

@@ -0,0 +1,49 @@
+import { Hono } from "hono";
+import { verifyWebhook } from "./webhook.js";
+import { makeInstallHandler } from "./install.js";
+import { SqliteInstallationStore } from "./installations.js";
+
+// Default store: SQLite file next to the app. Swap to your own
+// `InstallationStore` impl (e.g. Postgres) for multi-instance deploys.
+const installations = new SqliteInstallationStore();
+
+const app = new Hono();
+
+app.get("/", (c) =>
+  c.json({
+    app: "{{slug}}",
+    ok: true,
+    routes: ["GET /", "GET /healthz", "GET /install", "POST /webhooks/:topic"],
+  }),
+);
+
+app.get("/healthz", (c) => c.json({ ok: true }));
+
+// Install handshake. Odeva redirects here with `?install_code=...`.
+app.get("/install", makeInstallHandler(installations));
+
+// Webhook handler. `odeva app dev` registers subscriptions from odeva.app.toml
+// against the dev tunnel, so payloads from the Odeva platform arrive here.
+app.post("/webhooks/:topic", async (c) => {
+  const topic = c.req.param("topic");
+  const rawBody = await c.req.text();
+  const signature = c.req.header("x-odeva-signature");
+  const secret = process.env.ODEVA_WEBHOOK_SECRET;
+
+  if (secret && !verifyWebhook(rawBody, signature, secret)) {
+    return c.json({ error: "invalid signature" }, 401);
+  }
+
+  const payload = JSON.parse(rawBody) as Record<string, unknown>;
+  console.log(`[webhook] ${topic}`, payload);
+
+  // TODO: handle the event.
+  // Tip: run `odeva webhook trigger <topic>` to fire a sample payload at this handler.
+
+  return c.json({ received: true });
+});
+
+const port = Number(process.env.PORT ?? 3000);
+console.log(`{{name}} listening on http://localhost:${port}`);
+
+export default { port, fetch: app.fetch };

package/templates/hono-bun/src/install.ts

@@ -0,0 +1,97 @@
+// Install handshake. Odeva redirects the org admin here with `?install_code=...`
+// after they click "Install" in the marketplace. We exchange that code (plus
+// our client_id + client_secret) for an `sk_live_...` API key scoped to the
+// installation, persist it, and show a success page.
+//
+// See: https://booking.odeva.app/docs/apps/install-flow
+
+import type { Context } from "hono";
+import type { InstallationStore } from "./installations.js";
+
+const EXCHANGE_MUTATION = `
+  mutation ExchangeAppInstallCode($clientId: String!, $clientSecret: String!, $installCode: String!) {
+    exchangeAppInstallCode(
+      appClientId: $clientId,
+      appClientSecret: $clientSecret,
+      installCode: $installCode
+    ) {
+      appInstallation {
+        id
+        status
+        grantedScopes
+      }
+      rawKey
+      errors
+    }
+  }
+`;
+
+interface ExchangeResponse {
+  data: {
+    exchangeAppInstallCode: {
+      appInstallation: {
+        id: string;
+        status: string;
+        grantedScopes: string[];
+      } | null;
+      rawKey: string | null;
+      errors: string[];
+    } | null;
+  };
+  errors?: Array<{ message: string }>;
+}
+
+export function makeInstallHandler(store: InstallationStore) {
+  return async (c: Context): Promise<Response> => {
+    const installCode = c.req.query("install_code");
+    if (!installCode) {
+      return c.text("Missing install_code in the redirect from Odeva.", 400);
+    }
+
+    const clientId = process.env.ODEVA_APP_CLIENT_ID;
+    const clientSecret = process.env.ODEVA_APP_CLIENT_SECRET;
+    if (!clientId || !clientSecret) {
+      return c.text(
+        "Server is missing ODEVA_APP_CLIENT_ID / ODEVA_APP_CLIENT_SECRET. " +
+          "Set them via `.odeva.env` (managed by `odeva app config link`).",
+        500,
+      );
+    }
+
+    const apiUrl = process.env.ODEVA_API_URL ?? "https://booking.odeva.app";
+    const response = await fetch(`${apiUrl}/graphql`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        query: EXCHANGE_MUTATION,
+        variables: { clientId, clientSecret, installCode },
+      }),
+    });
+
+    const body = (await response.json()) as ExchangeResponse;
+    const topErrors = body.errors?.map((e) => e.message) ?? [];
+    const payload = body.data?.exchangeAppInstallCode ?? null;
+    const userErrors = payload?.errors ?? [];
+
+    if (topErrors.length > 0 || userErrors.length > 0 || !payload?.rawKey || !payload.appInstallation) {
+      const msg = [...topErrors, ...userErrors].join("; ") || "Exchange failed";
+      return c.text(`Install failed: ${msg}`, 400);
+    }
+
+    await store.save({
+      installationId: payload.appInstallation.id,
+      apiKey: payload.rawKey,
+      scopes: payload.appInstallation.grantedScopes,
+      installedAt: new Date().toISOString(),
+    });
+
+    return c.html(`
+      <!doctype html>
+      <html><head><title>Installed</title></head>
+      <body style="font-family: system-ui; max-width: 32rem; margin: 4rem auto; padding: 0 1rem;">
+        <h1>Installed</h1>
+        <p>This organization is now connected. You can close this tab.</p>
+      </body></html>
+    `);
+  };
+}

package/templates/hono-bun/src/installations.ts

@@ -0,0 +1,84 @@
+// Where the app remembers its per-installation API keys.
+//
+// Each time an organization installs this app, Odeva mints an `sk_live_...`
+// API key scoped to that installation. The app must persist it and use it
+// (via the `X-Api-Key` header) for every subsequent request made on that
+// org's behalf. The key itself carries the org context — your code does not
+// need to track org_id separately for API calls.
+//
+// The default implementation is a SQLite file (zero-config; bun has SQLite
+// built in). This is fine for single-instance dev and small deployments.
+// For production scale, implement `InstallationStore` against your real
+// database and swap it in `index.ts`.
+
+import { Database } from "bun:sqlite";
+
+export interface Installation {
+  installationId: string;
+  apiKey: string;
+  scopes: string[];
+  installedAt: string;
+}
+
+export interface InstallationStore {
+  save(installation: Installation): Promise<void>;
+  load(installationId: string): Promise<Installation | null>;
+  list(): Promise<Installation[]>;
+}
+
+export class SqliteInstallationStore implements InstallationStore {
+  private readonly db: Database;
+
+  constructor(path = "installations.db") {
+    this.db = new Database(path);
+    this.db.exec(`
+      CREATE TABLE IF NOT EXISTS installations (
+        installation_id TEXT PRIMARY KEY,
+        api_key TEXT NOT NULL,
+        scopes TEXT NOT NULL,
+        installed_at TEXT NOT NULL
+      );
+    `);
+  }
+
+  async save(installation: Installation): Promise<void> {
+    this.db
+      .prepare(
+        `INSERT INTO installations (installation_id, api_key, scopes, installed_at)
+         VALUES (?, ?, ?, ?)
+         ON CONFLICT(installation_id) DO UPDATE SET
+           api_key = excluded.api_key,
+           scopes = excluded.scopes,
+           installed_at = excluded.installed_at`,
+      )
+      .run(
+        installation.installationId,
+        installation.apiKey,
+        JSON.stringify(installation.scopes),
+        installation.installedAt,
+      );
+  }
+
+  async load(installationId: string): Promise<Installation | null> {
+    const row = this.db
+      .prepare("SELECT * FROM installations WHERE installation_id = ?")
+      .get(installationId) as Record<string, unknown> | null;
+    return row ? this.rowToInstallation(row) : null;
+  }
+
+  async list(): Promise<Installation[]> {
+    const rows = this.db
+      .prepare("SELECT * FROM installations ORDER BY installed_at DESC")
+      .all() as Array<Record<string, unknown>>;
+    return rows.map((r) => this.rowToInstallation(r));
+  }
+
+  private rowToInstallation(row: Record<string, unknown>): Installation {
+    return {
+      installationId: row.installation_id as string,
+      apiKey: row.api_key as string,
+      scopes: JSON.parse(row.scopes as string),
+      installedAt: row.installed_at as string,
+    };
+  }
+}

package/templates/hono-bun/src/webhook.ts

@@ -0,0 +1,16 @@
+import { createHmac, timingSafeEqual } from "node:crypto";
+
+/**
+ * Verify a webhook signature from the Odeva platform.
+ *
+ * The CLI's `odeva webhook trigger` and the platform itself both sign payloads
+ * with HMAC-SHA256(secret, rawBody), hex-encoded, sent as `x-odeva-signature`.
+ */
+export function verifyWebhook(rawBody: string, signature: string | undefined, secret: string): boolean {
+  if (!signature) return false;
+  const expected = createHmac("sha256", secret).update(rawBody).digest("hex");
+  const a = Buffer.from(expected, "utf8");
+  const b = Buffer.from(signature, "utf8");
+  if (a.length !== b.length) return false;
+  return timingSafeEqual(a, b);
+}