@odeva/cli 0.0.5 → 0.0.7

package/dist/commands/app/dev.js

@@ -163,6 +163,13 @@ class AppDev extends Command {
         `install_url is ${installUrl} \u2014 installs from your org will redirect there, not to this tunnel. Update odeva.app.toml + \`odeva app config link\` if you want installs to hit the dev tunnel.`
       ));
     }
+    const adminEntryUrl = loaded.config.admin?.entry_url.trim();
+    const expectedAdmin = `${tunnelUrl}/admin`;
+    if (adminEntryUrl && !adminEntryUrl.startsWith(tunnelUrl) && !/localhost|127\.0\.0\.1/.test(adminEntryUrl)) {
+      this.log(ui.warn(
+        `admin.entry_url is ${adminEntryUrl} \u2014 the admin sidebar will iframe that URL, not this tunnel. Set it to ${expectedAdmin} and re-run \`odeva app config link\` for local embed testing.`
+      ));
+    }
     this.log("");
   }
   async registerDevWebhooks(api, loaded, tunnelUrl) {

package/dist/commands/webhook/trigger.js

@@ -61,7 +61,9 @@ class WebhookTrigger extends Command {
             hint: flags.url || configSubscription ? "Run `odeva app dev` to generate one, or pass --secret <value>, or use --no-sign for unsigned testing." : `Add a '${event}' subscription to odeva.app.toml, let \`odeva app dev\` reload, then try again.`
           });
         }
-        headers["x-odeva-signature"] = signPayload(body, secret);
+        const timestamp = Math.floor(Date.now() / 1e3).toString();
+        headers["x-odeva-timestamp"] = timestamp;
+        headers["x-odeva-signature"] = signPayload(body, secret, timestamp);
       }
       this.log(`${ui.bold("POST")} ${url}`);
       this.log(`  ${ui.dim("event:")}     ${event}`);

package/dist/lib/webhook-fixtures.js

@@ -20,6 +20,16 @@ const FIXTURES = {
     },
     changes: ["checkIn", "checkOut"]
   },
+  "reservation.confirmed": {
+    reservation: {
+      id: "res_test_abc123",
+      reservationNumber: "R-2026-0001",
+      status: "confirmed",
+      checkIn: "2026-07-01",
+      checkOut: "2026-07-05",
+      total: { amount: "480.00", currency: "EUR" }
+    }
+  },
   "reservation.cancelled": {
     reservation: {
       id: "res_test_abc123",
@@ -47,8 +57,9 @@ function buildFixture(event, overrides) {
     data
   };
 }
-function signPayload(rawBody, secret) {
-  return createHmac("sha256", secret).update(rawBody).digest("hex");
+function signPayload(rawBody, secret, timestamp) {
+  const digest = createHmac("sha256", secret).update(`${timestamp}.${rawBody}`).digest("hex");
+  return `sha256=${digest}`;
 }
 function listFixtureEvents() {
   return Object.keys(FIXTURES);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@odeva/cli",
-  "version": "0.0.5",
+  "version": "0.0.7",
   "description": "Build apps on the Odeva booking platform — scaffold, develop, deploy.",
   "license": "MIT",
   "type": "module",

package/templates/hono-bun/README.md.tmpl

@@ -13,14 +13,15 @@ odeva app dev            # local server + tunnel + webhook delivery
 In another terminal:
 
 ```sh
-odeva webhook trigger reservation.created
+odeva webhook trigger reservation.confirmed
+odeva webhook trigger payment.succeeded
 ```
 
 ## Project layout
 
 - `odeva.app.toml` — app config (name, slug, webhooks, scopes)
 - `src/index.ts` — Hono server with a webhook handler stub
-- `src/webhook.ts` — HMAC signature verification
+- `src/webhook.ts` — timestamped `sha256=` HMAC signature verification
 - `src/admin.ts` — iframe session-token verification
 
 ## Embed in the merchant admin

package/templates/hono-bun/odeva.app.toml.tmpl

@@ -21,8 +21,12 @@ api_version = "2026-01"
 # tunnel URL. List supported events with: `odeva webhook list --available`.
 #
 # [[webhooks.subscriptions]]
-# topic = "reservation.created"
-# uri = "/webhooks/reservation.created"
+# topic = "reservation.confirmed"
+# uri = "/webhooks/reservation.confirmed"
+#
+# [[webhooks.subscriptions]]
+# topic = "payment.succeeded"
+# uri = "/webhooks/payment.succeeded"
 
 # Uncomment to embed this app inside the merchant admin sidebar.
 # The merchant admin will iframe `entry_url?session_token=<short-lived JWT>`

package/templates/hono-bun/src/index.ts

@@ -57,19 +57,20 @@ app.post("/webhooks/:topic", async (c) => {
   const topic = c.req.param("topic");
   const rawBody = await c.req.text();
   const signature = c.req.header("x-odeva-signature");
+  const timestamp = c.req.header("x-odeva-timestamp");
   const secret =
     process.env[`ODEVA_WEBHOOK_SECRET__${topic.toUpperCase().replace(/[^A-Z0-9]+/g, "_")}`] ??
     process.env.ODEVA_WEBHOOK_SECRET;
 
-  if (secret && !verifyWebhook(rawBody, signature, secret)) {
+  if (secret && !verifyWebhook(rawBody, signature, secret, timestamp)) {
     return c.json({ error: "invalid signature" }, 401);
   }
 
   const payload = JSON.parse(rawBody) as Record<string, unknown>;
   logger.info(`[webhook] ${topic}`, payload);
 
-  // TODO: handle the event.
-  // Tip: run `odeva webhook trigger <topic>` to fire a sample payload at this handler.
+  // Route work by topic here. Tip: run `odeva webhook trigger <topic>` to fire
+  // a signed sample payload at this handler.
 
   return c.json({ received: true });
 });

package/templates/hono-bun/src/install.ts

@@ -27,7 +27,7 @@ const EXCHANGE_MUTATION = `
 `;
 
 interface ExchangeResponse {
-  data: {
+  data?: {
     exchangeAppInstallCode: {
       appInstallation: {
         id: string;
@@ -37,10 +37,14 @@ interface ExchangeResponse {
       rawKey: string | null;
       errors: string[];
     } | null;
-  };
+  } | null;
   errors?: Array<{ message: string }>;
 }
 
+function isExchangeResponse(value: unknown): value is ExchangeResponse {
+  return typeof value === "object" && value !== null;
+}
+
 export function makeInstallHandler(store: InstallationStore) {
   return async (c: Context): Promise<Response> => {
     const installCode = c.req.query("install_code");
@@ -68,13 +72,23 @@ export function makeInstallHandler(store: InstallationStore) {
       }),
     });
 
-    const body = (await response.json()) as ExchangeResponse;
+    let body: ExchangeResponse;
+    try {
+      const parsed: unknown = await response.json();
+      if (!isExchangeResponse(parsed)) {
+        return c.text(`Install failed: Odeva returned an unexpected response (${response.status}).`, 502);
+      }
+      body = parsed;
+    } catch {
+      return c.text(`Install failed: Could not parse Odeva response (${response.status}).`, 502);
+    }
+
     const topErrors = body.errors?.map((e) => e.message) ?? [];
     const payload = body.data?.exchangeAppInstallCode ?? null;
     const userErrors = payload?.errors ?? [];
 
     if (topErrors.length > 0 || userErrors.length > 0 || !payload?.rawKey || !payload.appInstallation) {
-      const msg = [...topErrors, ...userErrors].join("; ") || "Exchange failed";
+      const msg = [...topErrors, ...userErrors].join("; ") || `Exchange failed (${response.status})`;
       return c.text(`Install failed: ${msg}`, 400);
     }
 

package/templates/hono-bun/src/webhook.ts

@@ -3,12 +3,19 @@ import { createHmac, timingSafeEqual } from "node:crypto";
 /**
  * Verify a webhook signature from the Odeva platform.
  *
- * The CLI's `odeva webhook trigger` and the platform itself both sign payloads
- * with HMAC-SHA256(secret, rawBody), hex-encoded, sent as `x-odeva-signature`.
+ * Webhooks are signed as HMAC-SHA256(secret, `${timestamp}.${rawBody}`),
+ * hex-encoded and sent as `x-odeva-signature: sha256=<digest>`.
  */
-export function verifyWebhook(rawBody: string, signature: string | undefined, secret: string): boolean {
+export function verifyWebhook(
+  rawBody: string,
+  signature: string | undefined,
+  secret: string,
+  timestamp: string | undefined,
+): boolean {
   if (!signature) return false;
-  const expected = createHmac("sha256", secret).update(rawBody).digest("hex");
+  if (!timestamp) return false;
+  const digest = createHmac("sha256", secret).update(`${timestamp}.${rawBody}`).digest("hex");
+  const expected = `sha256=${digest}`;
   const a = Buffer.from(expected, "utf8");
   const b = Buffer.from(signature, "utf8");
   if (a.length !== b.length) return false;