@odeva/cli 0.0.10 → 0.0.12

package/dist/commands/app/config/link.js

@@ -1,14 +1,20 @@
 import { Command, Flags } from "@oclif/core";
 import * as p from "@clack/prompts";
 import { OdevaApi } from "../../../lib/api.js";
-import { loadAppConfig, saveAppConfig, ADMIN_ICONS } from "../../../lib/config.js";
+import { loadAppConfig, resolveAppConfigUrl, saveAppConfig, ADMIN_ICONS } from "../../../lib/config.js";
 import { saveAppEnv } from "../../../lib/app-env.js";
 import { loadCredentials } from "../../../lib/credentials.js";
 import { withErrorHandling } from "../../../lib/run.js";
 import { ui } from "../../../lib/ui.js";
 import { ApiError, CliError } from "../../../lib/errors.js";
 import { isValidSlug } from "../../../lib/slug.js";
-function buildAdminEmbedInput(admin, configPath) {
+function buildAdminEmbedInput(config, configPath) {
+  const admin = config.admin;
+  if (!admin) {
+    throw new CliError("Cannot build admin embed input without an [admin] section.", {
+      hint: `Edit ${configPath}`
+    });
+  }
   const validIcons = ADMIN_ICONS;
   if (!validIcons.includes(admin.sidebar.icon)) {
     const iconList = ADMIN_ICONS.join(", ");
@@ -17,8 +23,20 @@ function buildAdminEmbedInput(admin, configPath) {
       { hint: `Edit ${configPath}` }
     );
   }
+  const entryUrl = resolveAppConfigUrl({
+    config,
+    configuredUrl: admin.entry_url,
+    defaultPath: "/admin",
+    fieldName: "admin.entry_url",
+    configPath
+  });
+  if (!entryUrl) {
+    throw new CliError(`Invalid odeva.app.toml: missing 'admin.entry_url'.`, {
+      hint: `Set 'tunnel_url' or add 'admin.entry_url' in ${configPath}.`
+    });
+  }
   return {
-    entryUrl: admin.entry_url,
+    entryUrl,
     sidebar: {
       label: admin.sidebar.label,
       icon: admin.sidebar.icon
@@ -38,16 +56,25 @@ class AppConfigLink extends Command {
     const { flags } = await this.parse(AppConfigLink);
     await withErrorHandling(this, async () => {
       const loaded = loadAppConfig();
-      const adminInput = loaded.config.admin ? buildAdminEmbedInput(loaded.config.admin, loaded.path) : void 0;
+      const adminInput = loaded.config.admin ? buildAdminEmbedInput(loaded.config, loaded.path) : void 0;
+      const installUrl = resolveAppConfigUrl({
+        config: loaded.config,
+        configuredUrl: loaded.config.install_url,
+        defaultPath: "/install",
+        fieldName: "install_url",
+        configPath: loaded.path
+      });
       p.intro(ui.brand("odeva app config link"));
       p.note(
         [
           `${ui.dim("name:")}        ${loaded.config.name}`,
           `${ui.dim("slug:")}        ${loaded.config.slug}`,
           `${ui.dim("client_id:")}   ${loaded.config.client_id ?? ui.dim("(new)")}`,
+          `${ui.dim("tunnel_url:")}  ${loaded.config.tunnel_url ?? ui.dim("(none)")}`,
           `${ui.dim("homepage:")}    ${loaded.config.homepage_url ?? ui.dim("(none)")}`,
+          `${ui.dim("install:")}     ${installUrl ?? ui.dim("(none)")}`,
           `${ui.dim("scopes:")}      ${(loaded.config.access_scopes?.scopes ?? []).join(", ") || ui.dim("(none)")}`,
-          ...loaded.config.admin ? [`${ui.dim("admin:")}       ${loaded.config.admin.sidebar.label} (${loaded.config.admin.entry_url})`] : []
+          ...loaded.config.admin ? [`${ui.dim("admin:")}       ${loaded.config.admin.sidebar.label} (${adminInput?.entryUrl})`] : []
         ].join("\n"),
         "Will register this app"
       );
@@ -65,7 +92,7 @@ class AppConfigLink extends Command {
         if (match) existingId = match.id;
       }
       spinner.message(existingId ? "Updating app on Odeva" : "Creating app on Odeva");
-      const { app, rawClientSecret } = await upsertWithSlugRetry(api, spinner, loaded, existingId, adminInput);
+      const { app, rawClientSecret } = await upsertWithSlugRetry(api, spinner, loaded, existingId, installUrl, adminInput);
       spinner.stop(`${existingId ? "Updated" : "Registered"} app ${ui.code(app.slug)} (client_id ${ui.code(app.clientId)})`);
       loaded.config.client_id = app.clientId;
       saveAppConfig(loaded);
@@ -102,7 +129,7 @@ class AppConfigLink extends Command {
   }
 }
 const SLUG_TAKEN_RE = /slug.*(?:already been taken|taken|in use|exists)/i;
-async function upsertWithSlugRetry(api, spinner, loaded, existingId, adminInput) {
+async function upsertWithSlugRetry(api, spinner, loaded, existingId, installUrl, adminInput) {
   for (; ; ) {
     try {
       return await api.upsertDeveloperApp({
@@ -111,7 +138,7 @@ async function upsertWithSlugRetry(api, spinner, loaded, existingId, adminInput)
         slug: loaded.config.slug,
         description: loaded.config.description,
         homepageUrl: loaded.config.homepage_url,
-        installUrl: loaded.config.install_url,
+        installUrl,
         privacyUrl: loaded.config.privacy_url,
         requestedScopes: loaded.config.access_scopes?.scopes,
         ...adminInput ? { adminEmbed: adminInput } : {}

package/dist/commands/app/dev.js

@@ -13,6 +13,7 @@ import {
   preflightChecks,
   registeredWebhookEnv,
   registerWebhookSubscriptions,
+  saveDevTunnelUrl,
   spawnDevServer,
   syncDevAppUrls,
   watchedDevInputPaths,
@@ -66,22 +67,44 @@ class AppDev extends Command {
           PORT: String(port)
         }
       });
+      let tunnel;
+      let stopWatcher = () => {
+      };
+      let reloading = Promise.resolve();
+      let shuttingDown = false;
+      installShutdownHandler(async () => {
+        shuttingDown = true;
+        this.log("\n" + ui.dim("Cleaning up..."));
+        stopWatcher();
+        await reloading;
+        await Promise.allSettled([
+          server.stop(),
+          tunnel?.stop(),
+          cleanupSubscriptions(api, registered)
+        ]);
+        this.log(ui.ok("Done."));
+      });
       await this.verifyLocalDevServer(port, server, api, registered);
-      const tunnel = await this.startReachableTunnel(port, server);
-      registered = await this.registerDevWebhooks(api, loaded, tunnel.url);
+      tunnel = await this.startReachableTunnel(port, server, (startedTunnel) => {
+        tunnel = startedTunnel;
+      });
+      const activeTunnel = tunnel;
+      if (saveDevTunnelUrl(loaded, activeTunnel.url)) {
+        this.log(ui.ok(`Wrote tunnel_url to ${ui.code(loaded.path)}`));
+      }
+      registered = await this.registerDevWebhooks(api, loaded, activeTunnel.url);
       this.log("");
-      this.log(`${ui.bold("Tunnel:")}     ${tunnel.url}`);
+      this.log(`${ui.bold("Tunnel:")}     ${activeTunnel.url}`);
       this.log(`${ui.bold("Local:")}      http://localhost:${port}`);
       for (const reg of registered) {
         this.log(`  ${ui.dim("\u2192")} ${reg.config.topic.padEnd(28)} ${reg.fullUrl}`);
       }
       this.log("");
-      const syncedUrls = await this.syncDevAppUrls(api, loaded, tunnel.url);
+      const syncedUrls = await this.syncDevAppUrls(api, loaded, activeTunnel.url);
       this.printDevAppInfo(syncedUrls);
-      await this.ensureDevAppInstalled(api, loaded, tunnel, port, server, registered);
+      await this.ensureDevAppInstalled(api, loaded, activeTunnel, port, server, registered);
       this.log(ui.dim("Press Ctrl-C to stop. Subscriptions will be cleaned up on exit."));
       this.log("");
-      let shuttingDown = false;
       let restartingServer = false;
       let serverExited = () => {
       };
@@ -94,8 +117,7 @@ class AppDev extends Command {
         });
       };
       watchServerExit(server);
-      let reloading = Promise.resolve();
-      const stopWatcher = this.watchDevInputs(loaded.path, async () => {
+      stopWatcher = this.watchDevInputs(loaded.path, async () => {
         reloading = reloading.then(async () => {
           this.log("\n" + ui.dim("Reloading app dev config..."));
           const nextLoaded = loadAppConfig(loaded.root);
@@ -103,7 +125,10 @@ class AppDev extends Command {
           if (nextPort !== port) {
             this.log(ui.warn(`Port changed to ${nextPort}; restart \`odeva app dev\` to recreate the tunnel.`));
           }
-          const nextRegistered = await this.registerDevWebhooks(api, nextLoaded, tunnel.url);
+          if (saveDevTunnelUrl(nextLoaded, activeTunnel.url)) {
+            this.log(ui.ok(`Wrote tunnel_url to ${ui.code(nextLoaded.path)}`));
+          }
+          const nextRegistered = await this.registerDevWebhooks(api, nextLoaded, activeTunnel.url);
           await cleanupSubscriptions(api, registered);
           registered = nextRegistered;
           const nextAppEnv = loadAppEnv(nextLoaded.path);
@@ -116,32 +141,20 @@ class AppDev extends Command {
             env: {
               ...nextAppEnv,
               PORT: String(port),
-              ODEVA_TUNNEL_URL: tunnel.url,
+              ODEVA_TUNNEL_URL: activeTunnel.url,
               ...registeredWebhookEnv(registered)
             }
           });
           server = nextServer;
           watchServerExit(server);
-          await this.verifyDevServerReachable(tunnel, port, server, api, registered);
-          await this.syncDevAppUrls(api, nextLoaded, tunnel.url);
+          await this.verifyDevServerReachable(activeTunnel, port, server, api, registered);
+          await this.syncDevAppUrls(api, nextLoaded, activeTunnel.url);
           this.log(ui.ok("Reloaded app dev config."));
         }).catch((err) => {
           restartingServer = false;
           this.log(ui.err(`Reload failed: ${err.message}`));
         });
       });
-      installShutdownHandler(async () => {
-        shuttingDown = true;
-        this.log("\n" + ui.dim("Cleaning up..."));
-        stopWatcher();
-        await reloading;
-        await Promise.allSettled([
-          server.stop(),
-          tunnel.stop(),
-          cleanupSubscriptions(api, registered)
-        ]);
-        this.log(ui.ok("Done."));
-      });
       await serverExit;
       shuttingDown = true;
       stopWatcher();
@@ -241,19 +254,19 @@ class AppDev extends Command {
       throw err;
     }
   }
-  async startReachableTunnel(port, server) {
+  async startReachableTunnel(port, server, onTunnelStarted) {
     let lastError;
     for (let attempt = 1; attempt <= 3; attempt += 1) {
       this.log(ui.dim(`Starting Cloudflare tunnel${attempt > 1 ? ` (attempt ${attempt}/3)` : ""}...`));
       const tunnel = await startQuickTunnel(port);
+      onTunnelStarted?.(tunnel);
       this.log(ui.ok(`Tunnel ready at ${ui.code(tunnel.url)}`));
-      this.log(ui.dim("Waiting 20s for trycloudflare DNS to propagate before first probe..."));
-      await new Promise((resolve) => setTimeout(resolve, 2e4));
-      this.log(ui.dim("Verifying dev server and tunnel... (trycloudflare can take up to 60s to propagate)"));
+      this.log(ui.dim("Verifying dev server and tunnel... (retrying for up to 60s while trycloudflare becomes reachable)"));
       try {
         const result = await waitForDevServerReachable({
           localPort: port,
-          tunnelUrl: tunnel.url
+          tunnelUrl: tunnel.url,
+          onProbeFailure: this.logTunnelProbeProgress()
         });
         this.log(ui.ok(`Tunnel verified via ${ui.code(result.path)} (HTTP ${result.tunnelStatus})`));
         return tunnel;
@@ -274,7 +287,8 @@ class AppDev extends Command {
     try {
       const result = await waitForDevServerReachable({
         localPort: port,
-        tunnelUrl: tunnel.url
+        tunnelUrl: tunnel.url,
+        onProbeFailure: this.logTunnelProbeProgress()
       });
       this.log(ui.ok(`Tunnel verified via ${ui.code(result.path)} (HTTP ${result.tunnelStatus})`));
     } catch (err) {
@@ -287,6 +301,17 @@ class AppDev extends Command {
       throw err;
     }
   }
+  logTunnelProbeProgress() {
+    let lastLogAt = 0;
+    return (probe) => {
+      const now = Date.now();
+      if (probe.elapsedMs < 5e3 || now - lastLogAt < 5e3) return;
+      lastLogAt = now;
+      this.log(ui.dim(
+        `Still waiting for tunnel ${ui.code(probe.path)} after ${Math.round(probe.elapsedMs / 1e3)}s: ${probe.lastError}`
+      ));
+    };
+  }
   watchDevInputs(appConfigPath, onChange) {
     const paths = watchedDevInputPaths(appConfigPath);
     let timer;

package/dist/lib/config.js

@@ -14,6 +14,20 @@ const ADMIN_ICONS = [
   "bar-chart",
   "wallet"
 ];
+function resolveAppConfigUrl(opts) {
+  const configured = opts.configuredUrl?.trim();
+  if (configured) {
+    if (isAbsoluteHttpUrl(configured)) return new URL(configured).toString();
+    if (configured.startsWith("/")) {
+      return appUrlFromTunnel(opts.config.tunnel_url, configured, opts.fieldName, opts.configPath);
+    }
+    throw new CliError(`Invalid '${opts.fieldName}' in ${APP_CONFIG_FILE}: must be an absolute URL or path starting with '/'.`, {
+      hint: `Edit ${opts.configPath}`
+    });
+  }
+  if (!opts.config.tunnel_url) return void 0;
+  return appUrlFromTunnel(opts.config.tunnel_url, opts.defaultPath, "tunnel_url", opts.configPath);
+}
 function findAppConfigPath(startDir = process.cwd()) {
   let dir = resolve(startDir);
   while (true) {
@@ -70,27 +84,68 @@ function validateConfig(config, path) {
       };
     });
   }
+  if (config.tunnel_url !== void 0) {
+    validateTunnelUrl(config.tunnel_url, path);
+  }
+  if (config.install_url !== void 0 && config.install_url !== "") {
+    validateResolvableUrl(config.install_url, "install_url", config.tunnel_url, path);
+  }
   if (config.admin !== void 0) {
-    validateAdminSection(config.admin, path);
+    validateAdminSection(config.admin, config.tunnel_url, path);
+  }
+}
+function validateTunnelUrl(value, path) {
+  if (typeof value !== "string" || !value) {
+    throw new CliError(`Invalid ${APP_CONFIG_FILE}: 'tunnel_url' must be a non-empty string.`, {
+      hint: `Edit ${path}`
+    });
+  }
+  if (!isAbsoluteHttpUrl(value)) {
+    throw new CliError(`Invalid 'tunnel_url' in ${APP_CONFIG_FILE}: must start with https:// or http://.`, {
+      hint: `Edit ${path}`
+    });
+  }
+}
+function validateResolvableUrl(value, fieldName, tunnelUrl, path) {
+  if (typeof value !== "string" || !value) {
+    throw new CliError(`Invalid ${APP_CONFIG_FILE}: '${fieldName}' must be a non-empty string.`, {
+      hint: `Edit ${path}`
+    });
+  }
+  if (isAbsoluteHttpUrl(value)) {
+    if (fieldName === "admin.entry_url" && !value.startsWith("https://")) {
+      throw new CliError(
+        `Invalid 'admin.entry_url' in ${APP_CONFIG_FILE}: must start with https://.`,
+        { hint: `Edit ${path}` }
+      );
+    }
+    return;
   }
+  if (value.startsWith("/") && tunnelUrl) return;
+  throw new CliError(
+    `Invalid '${fieldName}' in ${APP_CONFIG_FILE}: must be an absolute URL or a path with 'tunnel_url' set.`,
+    { hint: `Edit ${path}` }
+  );
 }
-function validateAdminSection(admin, path) {
+function validateAdminSection(admin, tunnelUrl, path) {
   if (typeof admin !== "object" || admin === null || Array.isArray(admin)) {
     throw new CliError(`Invalid ${APP_CONFIG_FILE}: 'admin' must be a table.`, {
       hint: `Edit ${path}`
     });
   }
   const a = admin;
-  if (typeof a["entry_url"] !== "string" || !a["entry_url"]) {
+  if (a["entry_url"] === void 0) {
+    if (!tunnelUrl) {
+      throw new CliError(`Invalid ${APP_CONFIG_FILE}: missing 'admin.entry_url'.`, {
+        hint: `Set 'tunnel_url' or add 'admin.entry_url' in ${path}.`
+      });
+    }
+  } else if (a["entry_url"] === "") {
     throw new CliError(`Invalid ${APP_CONFIG_FILE}: missing 'admin.entry_url'.`, {
       hint: `Edit ${path}`
     });
-  }
-  if (!a["entry_url"].startsWith("https://")) {
-    throw new CliError(
-      `Invalid 'admin.entry_url' in ${APP_CONFIG_FILE}: must start with https://.`,
-      { hint: `Edit ${path}` }
-    );
+  } else {
+    validateResolvableUrl(a["entry_url"], "admin.entry_url", tunnelUrl, path);
   }
   const sidebar = a["sidebar"];
   if (typeof sidebar !== "object" || sidebar === null || Array.isArray(sidebar)) {
@@ -122,10 +177,30 @@ function validateAdminSection(admin, path) {
     );
   }
 }
+function appUrlFromTunnel(tunnelUrl, pathValue, fieldName, configPath) {
+  if (!tunnelUrl) {
+    throw new CliError(`Cannot resolve '${fieldName}' without 'tunnel_url'.`, {
+      hint: `Set tunnel_url in ${configPath}.`
+    });
+  }
+  const url = new URL(tunnelUrl);
+  url.pathname = pathValue;
+  url.search = "";
+  return url.toString();
+}
+function isAbsoluteHttpUrl(value) {
+  try {
+    const url = new URL(value);
+    return url.protocol === "http:" || url.protocol === "https:";
+  } catch {
+    return false;
+  }
+}
 export {
   ADMIN_ICONS,
   findAppConfigPath,
   loadAppConfig,
+  resolveAppConfigUrl,
   saveAppConfig,
   writeAppConfigAt
 };

package/dist/lib/dev-runner.js

@@ -1,6 +1,7 @@
 import { spawn } from "node:child_process";
 import { existsSync, writeFileSync } from "node:fs";
 import { dirname, join } from "node:path";
+import { saveAppConfig } from "./config.js";
 import { APP_DEV_ENV_FILE, APP_ENV_FILE, APP_ENV_LOCAL_FILE, readEnvFile } from "./app-env.js";
 import { CliError } from "./errors.js";
 async function registerWebhookSubscriptions(api, appName, tunnelUrl, subscriptions) {
@@ -98,15 +99,20 @@ function spawnDevServer(opts) {
 }
 async function waitForDevServerReachable(opts) {
   const fetchImpl = opts.fetchImpl ?? fetch;
+  const startedAt = Date.now();
   const deadline = Date.now() + (opts.timeoutMs ?? 6e4);
   const requestTimeoutMs = opts.requestTimeoutMs ?? 2500;
   const mismatchGraceMs = opts.mismatchGraceMs ?? 45e3;
+  const cloudflareErrorGraceMs = opts.cloudflareErrorGraceMs ?? 1e4;
+  const networkErrorGraceMs = opts.networkErrorGraceMs ?? 1e4;
   const probe = await waitForLocalProbe(opts.localPort, deadline, requestTimeoutMs, fetchImpl);
   const tunnelUrl = new URL(opts.tunnelUrl);
   tunnelUrl.pathname = probe.path;
   tunnelUrl.search = "";
   let lastError = "not ready";
   let mismatchSince = null;
+  let cloudflareErrorSince = null;
+  let networkErrorSince = null;
   while (Date.now() < deadline) {
     try {
       const response = await fetchWithTimeout(fetchImpl, tunnelUrl, requestTimeoutMs);
@@ -118,18 +124,40 @@ async function waitForDevServerReachable(opts) {
         };
       }
       lastError = `HTTP ${response.status}`;
-      mismatchSince ??= Date.now();
-      if (Date.now() - mismatchSince >= mismatchGraceMs) break;
+      if (isCloudflareTunnelErrorStatus(response.status)) {
+        cloudflareErrorSince ??= Date.now();
+        mismatchSince = null;
+        networkErrorSince = null;
+        if (Date.now() - cloudflareErrorSince >= cloudflareErrorGraceMs) break;
+      } else {
+        mismatchSince ??= Date.now();
+        cloudflareErrorSince = null;
+        networkErrorSince = null;
+        if (Date.now() - mismatchSince >= mismatchGraceMs) break;
+      }
     } catch (err) {
       lastError = err instanceof Error ? err.message : String(err);
       mismatchSince = null;
+      cloudflareErrorSince = null;
+      networkErrorSince ??= Date.now();
+      if (Date.now() - networkErrorSince >= networkErrorGraceMs) break;
     }
+    opts.onProbeFailure?.({
+      elapsedMs: Date.now() - startedAt,
+      path: probe.path,
+      localStatus: probe.status,
+      tunnelUrl: tunnelUrl.toString(),
+      lastError
+    });
     await delay(500);
   }
   throw new CliError(`Cloudflare tunnel did not reach the local dev server at ${tunnelUrl.toString()}.`, {
     hint: `Local ${probe.path} returned HTTP ${probe.status}, but the tunnel returned ${lastError}. Restart \`odeva app dev\` if the quick tunnel URL expired.`
   });
 }
+function isCloudflareTunnelErrorStatus(status) {
+  return status === 530 || status === 502 || status === 503 || status === 504;
+}
 async function waitForLocalDevServer(opts) {
   const fetchImpl = opts.fetchImpl ?? fetch;
   const deadline = Date.now() + (opts.timeoutMs ?? 3e4);
@@ -148,13 +176,19 @@ function devInstallCallbackUrl(opts) {
 }
 function devAppTunnelUrl(opts) {
   const url = new URL(opts.tunnelUrl);
-  if (opts.configuredUrl) {
+  const configuredUrl = opts.configuredUrl?.trim();
+  if (configuredUrl) {
+    if (configuredUrl.startsWith("/")) {
+      url.pathname = configuredUrl;
+      url.search = "";
+      return url.toString();
+    }
     let configured;
     try {
-      configured = new URL(opts.configuredUrl);
+      configured = new URL(configuredUrl);
     } catch {
-      throw new CliError(`Invalid ${opts.configField ?? "URL"}: ${opts.configuredUrl}`, {
-        hint: "Fix odeva.app.toml or run `odeva app config link` with a valid URL."
+      throw new CliError(`Invalid ${opts.configField ?? "URL"}: ${configuredUrl}`, {
+        hint: "Use an absolute URL, a path starting with '/', or omit it so `tunnel_url` can infer it."
       });
     }
     url.pathname = configured.pathname;
@@ -165,6 +199,12 @@ function devAppTunnelUrl(opts) {
   }
   return url.toString();
 }
+function saveDevTunnelUrl(loaded, tunnelUrl) {
+  if (loaded.config.tunnel_url === tunnelUrl) return false;
+  loaded.config.tunnel_url = tunnelUrl;
+  saveAppConfig(loaded);
+  return true;
+}
 function writeDevEnvFile(cwd, registered) {
   if (registered.length === 0) return null;
   const path = join(cwd, APP_DEV_ENV_FILE);
@@ -361,6 +401,7 @@ export {
   preflightChecks,
   registerWebhookSubscriptions,
   registeredWebhookEnv,
+  saveDevTunnelUrl,
   spawnDevServer,
   syncDevAppUrls,
   waitForDevServerReachable,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@odeva/cli",
-  "version": "0.0.10",
+  "version": "0.0.12",
   "description": "Build apps on the Odeva booking platform — scaffold, develop, deploy.",
   "license": "MIT",
   "type": "module",

package/templates/hono-bun/README.md.tmpl

@@ -30,10 +30,13 @@ This template ships a `/admin` route that verifies Odeva session tokens against
 the platform's JWKS. To surface your app inside the merchant admin sidebar:
 
 1. Uncomment the `[admin]` block at the bottom of `odeva.app.toml` and set
-   `entry_url` to a publicly reachable URL (your `odeva app dev` tunnel works).
+   `entry_url = "/admin"` or omit it to use the default `/admin` path.
 2. Run `odeva app config link` to push the embed config to Odeva.
 3. Reinstall the app on a test org; the sidebar entry appears.
 
+`odeva app dev` writes the active public tunnel to `tunnel_url`; the CLI
+resolves relative app URLs such as `/install` and `/admin` against it.
+
 `/admin` reads `?session_token=<jwt>` from the iframe URL, verifies it via
 `jose` + the JWKS at `${ODEVA_API_URL}/.well-known/odeva/apps/jwks.json`,
 and renders `Hello, org <org_id>`. See `src/admin.ts` for the verification

package/templates/hono-bun/odeva.app.toml.tmpl

@@ -2,10 +2,11 @@ name = "{{name}}"
 slug = "{{slug}}"
 description = "An Odeva app."
 
-# Where Odeva redirects users when they install this app on their org.
-# Must be a publicly reachable URL once you submit for marketplace review.
-# During development you can leave it blank or point it at your `odeva app dev` tunnel.
-install_url = ""
+# `odeva app dev` keeps this set to the active public tunnel.
+# `install_url` and `[admin].entry_url` can be omitted or written as paths;
+# the CLI resolves them against tunnel_url when syncing the app record.
+tunnel_url = ""
+install_url = "/install"
 
 [build]
 dev = "bun run dev"
@@ -35,7 +36,7 @@ api_version = "2026-01"
 # Icons: puzzle, box, plug, bot, sparkles, wrench, database, bar-chart, wallet.
 #
 # [admin]
-# entry_url = "https://<your-app-dev-url>/admin"
+# entry_url = "/admin"
 #
 # [admin.sidebar]
 # label = "{{name}}"