@odeva/cli 0.0.6 → 0.0.7

package/dist/commands/app/dev.js

@@ -163,6 +163,13 @@ class AppDev extends Command {
         `install_url is ${installUrl} \u2014 installs from your org will redirect there, not to this tunnel. Update odeva.app.toml + \`odeva app config link\` if you want installs to hit the dev tunnel.`
       ));
     }
+    const adminEntryUrl = loaded.config.admin?.entry_url.trim();
+    const expectedAdmin = `${tunnelUrl}/admin`;
+    if (adminEntryUrl && !adminEntryUrl.startsWith(tunnelUrl) && !/localhost|127\.0\.0\.1/.test(adminEntryUrl)) {
+      this.log(ui.warn(
+        `admin.entry_url is ${adminEntryUrl} \u2014 the admin sidebar will iframe that URL, not this tunnel. Set it to ${expectedAdmin} and re-run \`odeva app config link\` for local embed testing.`
+      ));
+    }
     this.log("");
   }
   async registerDevWebhooks(api, loaded, tunnelUrl) {

package/dist/commands/app/init.js

@@ -9,7 +9,6 @@ import { withErrorHandling } from "../../lib/run.js";
 import { isValidSlug, slugify } from "../../lib/slug.js";
 import { listTemplates, renderTemplate } from "../../lib/templates.js";
 import { ui } from "../../lib/ui.js";
-import { detectShell, isCompletionInstalled } from "../autocomplete.js";
 const DEFAULT_TEMPLATE = "hono-bun";
 class AppInit extends Command {
   static description = "Scaffold a new Odeva app";
@@ -69,23 +68,17 @@ class AppInit extends Command {
         }
       });
       spinner.stop(`Wrote ${filesWritten} file${filesWritten === 1 ? "" : "s"} from template '${template}'.`);
-      const outroLines = [
-        ui.ok(`Created ${ui.bold(displayName)}`),
-        "",
-        "  Next steps:",
-        `    ${ui.code(`cd ${basename(directory)}`)}`,
-        `    ${ui.code("bun install")}`,
-        `    ${ui.code("odeva app config link")}    ${ui.dim("# register on Odeva")}`,
-        `    ${ui.code("odeva app dev")}             ${ui.dim("# start local dev with a tunnel")}`
-      ];
-      const shell = detectShell();
-      if (shell && !isCompletionInstalled(shell, "odeva")) {
-        outroLines.push(
+      p.outro(
+        [
+          ui.ok(`Created ${ui.bold(displayName)}`),
           "",
-          `  ${ui.dim("Tip:")} ${ui.code("odeva autocomplete --install")} ${ui.dim("to enable tab-completion.")}`
-        );
-      }
-      p.outro(outroLines.join("\n"));
+          "  Next steps:",
+          `    ${ui.code(`cd ${basename(directory)}`)}`,
+          `    ${ui.code("bun install")}`,
+          `    ${ui.code("odeva app config link")}    ${ui.dim("# register on Odeva")}`,
+          `    ${ui.code("odeva app dev")}             ${ui.dim("# start local dev with a tunnel")}`
+        ].join("\n")
+      );
     });
   }
   async resolveDirectory(nameArg, skipPrompts) {

package/dist/commands/autocomplete.js

@@ -1,90 +1,36 @@
-import { Args, Command, Flags } from "@oclif/core";
-import { existsSync, mkdirSync, writeFileSync } from "node:fs";
-import { homedir } from "node:os";
-import { basename, dirname, join } from "node:path";
+import { Args, Command } from "@oclif/core";
 import { CliError } from "../lib/errors.js";
 import { withErrorHandling } from "../lib/run.js";
-import { ui } from "../lib/ui.js";
 const SUPPORTED_SHELLS = ["fish", "zsh"];
 class Autocomplete extends Command {
-  static description = "Print or install a shell completion script for the odeva CLI";
+  static description = "Print a shell completion script for the odeva CLI";
   static examples = [
-    "$ odeva autocomplete --install                                  # detect shell and install",
-    "$ odeva autocomplete fish --install                             # explicit shell",
-    "$ odeva autocomplete fish > ~/.config/fish/completions/odeva.fish"
+    "$ odeva autocomplete fish > ~/.config/fish/completions/odeva.fish",
+    "$ odeva autocomplete zsh > ~/.odeva/_odeva  # then source it from .zshrc"
   ];
   static args = {
     shell: Args.string({
-      description: "Target shell (auto-detected from $SHELL when omitted with --install)",
+      description: "Target shell",
       options: [...SUPPORTED_SHELLS],
-      required: false
-    })
-  };
-  static flags = {
-    install: Flags.boolean({
-      description: "Write the completion script to the conventional path for the shell",
-      default: false
+      required: true
     })
   };
   async run() {
-    const { args, flags } = await this.parse(Autocomplete);
+    const { args } = await this.parse(Autocomplete);
     await withErrorHandling(this, async () => {
-      const bin = this.config.bin;
-      const shell = args.shell ?? (flags.install ? detectShell() : void 0);
-      if (!shell) {
-        if (flags.install) {
-          throw new CliError("Couldn't detect shell from $SHELL.", {
-            hint: `Pass it explicitly: \`${bin} autocomplete <${SUPPORTED_SHELLS.join("|")}> --install\`.`
-          });
-        }
-        throw new CliError("A shell is required.", {
-          hint: `Usage: \`${bin} autocomplete <${SUPPORTED_SHELLS.join("|")}>\`. Add --install to write the script to the conventional path.`
+      const shell = args.shell;
+      if (!SUPPORTED_SHELLS.includes(shell)) {
+        throw new CliError(`Unsupported shell '${shell}'.`, {
+          hint: `Supported: ${SUPPORTED_SHELLS.join(", ")}.`
         });
       }
+      const bin = this.config.bin;
       const tree = buildCommandTree(this.config.commands, bin);
       const script = shell === "fish" ? renderFish(bin, tree) : renderZsh(bin, tree);
-      if (!flags.install) {
-        process.stdout.write(script);
-        return;
-      }
-      const target = completionInstallPath(shell, bin);
-      mkdirSync(dirname(target), { recursive: true });
-      writeFileSync(target, script, { mode: 420 });
-      this.log(ui.ok(`Wrote ${shell} completion to ${ui.code(target)}`));
-      if (shell === "fish") {
-        this.log(ui.dim("  Open a new fish shell \u2014 completions auto-load from this path."));
-      } else {
-        const fpathDir = dirname(target);
-        this.log("");
-        this.log("  Add this to your ~/.zshrc (if you haven't already):");
-        this.log("");
-        this.log(ui.code(`    fpath=(${fpathDir} $fpath)`));
-        this.log(ui.code(`    autoload -U compinit && compinit`));
-        this.log("");
-        this.log(ui.dim("  Then open a new zsh shell."));
-      }
+      process.stdout.write(script);
     });
   }
 }
-function detectShell(env = process.env) {
-  const shell = env["SHELL"];
-  if (!shell) return null;
-  const name = basename(shell);
-  if (name === "fish" || name === "zsh") return name;
-  return null;
-}
-function completionInstallPath(shell, bin, env = process.env) {
-  const home = env["HOME"] || homedir();
-  if (shell === "fish") {
-    const config = env["XDG_CONFIG_HOME"] || join(home, ".config");
-    return join(config, "fish", "completions", `${bin}.fish`);
-  }
-  const data = env["XDG_DATA_HOME"] || join(home, ".local", "share");
-  return join(data, bin, "completions", `_${bin}`);
-}
-function isCompletionInstalled(shell, bin, env = process.env) {
-  return existsSync(completionInstallPath(shell, bin, env));
-}
 function buildCommandTree(commands, binName) {
   const root = { name: "", description: "", children: /* @__PURE__ */ new Map() };
   for (const cmd of commands) {
@@ -206,10 +152,7 @@ _${bin} "$@"
 }
 export {
   buildCommandTree,
-  completionInstallPath,
   Autocomplete as default,
-  detectShell,
-  isCompletionInstalled,
   renderFish,
   renderZsh
 };

package/dist/commands/webhook/trigger.js

@@ -61,7 +61,9 @@ class WebhookTrigger extends Command {
             hint: flags.url || configSubscription ? "Run `odeva app dev` to generate one, or pass --secret <value>, or use --no-sign for unsigned testing." : `Add a '${event}' subscription to odeva.app.toml, let \`odeva app dev\` reload, then try again.`
           });
         }
-        headers["x-odeva-signature"] = signPayload(body, secret);
+        const timestamp = Math.floor(Date.now() / 1e3).toString();
+        headers["x-odeva-timestamp"] = timestamp;
+        headers["x-odeva-signature"] = signPayload(body, secret, timestamp);
       }
       this.log(`${ui.bold("POST")} ${url}`);
       this.log(`  ${ui.dim("event:")}     ${event}`);

package/dist/lib/webhook-fixtures.js

@@ -20,6 +20,16 @@ const FIXTURES = {
     },
     changes: ["checkIn", "checkOut"]
   },
+  "reservation.confirmed": {
+    reservation: {
+      id: "res_test_abc123",
+      reservationNumber: "R-2026-0001",
+      status: "confirmed",
+      checkIn: "2026-07-01",
+      checkOut: "2026-07-05",
+      total: { amount: "480.00", currency: "EUR" }
+    }
+  },
   "reservation.cancelled": {
     reservation: {
       id: "res_test_abc123",
@@ -47,8 +57,9 @@ function buildFixture(event, overrides) {
     data
   };
 }
-function signPayload(rawBody, secret) {
-  return createHmac("sha256", secret).update(rawBody).digest("hex");
+function signPayload(rawBody, secret, timestamp) {
+  const digest = createHmac("sha256", secret).update(`${timestamp}.${rawBody}`).digest("hex");
+  return `sha256=${digest}`;
 }
 function listFixtureEvents() {
   return Object.keys(FIXTURES);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@odeva/cli",
-  "version": "0.0.6",
+  "version": "0.0.7",
   "description": "Build apps on the Odeva booking platform — scaffold, develop, deploy.",
   "license": "MIT",
   "type": "module",

package/templates/hono-bun/README.md.tmpl

@@ -13,14 +13,15 @@ odeva app dev            # local server + tunnel + webhook delivery
 In another terminal:
 
 ```sh
-odeva webhook trigger reservation.created
+odeva webhook trigger reservation.confirmed
+odeva webhook trigger payment.succeeded
 ```
 
 ## Project layout
 
 - `odeva.app.toml` — app config (name, slug, webhooks, scopes)
 - `src/index.ts` — Hono server with a webhook handler stub
-- `src/webhook.ts` — HMAC signature verification
+- `src/webhook.ts` — timestamped `sha256=` HMAC signature verification
 - `src/admin.ts` — iframe session-token verification
 
 ## Embed in the merchant admin

package/templates/hono-bun/odeva.app.toml.tmpl

@@ -21,8 +21,12 @@ api_version = "2026-01"
 # tunnel URL. List supported events with: `odeva webhook list --available`.
 #
 # [[webhooks.subscriptions]]
-# topic = "reservation.created"
-# uri = "/webhooks/reservation.created"
+# topic = "reservation.confirmed"
+# uri = "/webhooks/reservation.confirmed"
+#
+# [[webhooks.subscriptions]]
+# topic = "payment.succeeded"
+# uri = "/webhooks/payment.succeeded"
 
 # Uncomment to embed this app inside the merchant admin sidebar.
 # The merchant admin will iframe `entry_url?session_token=<short-lived JWT>`

package/templates/hono-bun/src/index.ts

@@ -57,19 +57,20 @@ app.post("/webhooks/:topic", async (c) => {
   const topic = c.req.param("topic");
   const rawBody = await c.req.text();
   const signature = c.req.header("x-odeva-signature");
+  const timestamp = c.req.header("x-odeva-timestamp");
   const secret =
     process.env[`ODEVA_WEBHOOK_SECRET__${topic.toUpperCase().replace(/[^A-Z0-9]+/g, "_")}`] ??
     process.env.ODEVA_WEBHOOK_SECRET;
 
-  if (secret && !verifyWebhook(rawBody, signature, secret)) {
+  if (secret && !verifyWebhook(rawBody, signature, secret, timestamp)) {
     return c.json({ error: "invalid signature" }, 401);
   }
 
   const payload = JSON.parse(rawBody) as Record<string, unknown>;
   logger.info(`[webhook] ${topic}`, payload);
 
-  // TODO: handle the event.
-  // Tip: run `odeva webhook trigger <topic>` to fire a sample payload at this handler.
+  // Route work by topic here. Tip: run `odeva webhook trigger <topic>` to fire
+  // a signed sample payload at this handler.
 
   return c.json({ received: true });
 });

package/templates/hono-bun/src/install.ts

@@ -27,7 +27,7 @@ const EXCHANGE_MUTATION = `
 `;
 
 interface ExchangeResponse {
-  data: {
+  data?: {
     exchangeAppInstallCode: {
       appInstallation: {
         id: string;
@@ -37,10 +37,14 @@ interface ExchangeResponse {
       rawKey: string | null;
       errors: string[];
     } | null;
-  };
+  } | null;
   errors?: Array<{ message: string }>;
 }
 
+function isExchangeResponse(value: unknown): value is ExchangeResponse {
+  return typeof value === "object" && value !== null;
+}
+
 export function makeInstallHandler(store: InstallationStore) {
   return async (c: Context): Promise<Response> => {
     const installCode = c.req.query("install_code");
@@ -68,13 +72,23 @@ export function makeInstallHandler(store: InstallationStore) {
       }),
     });
 
-    const body = (await response.json()) as ExchangeResponse;
+    let body: ExchangeResponse;
+    try {
+      const parsed: unknown = await response.json();
+      if (!isExchangeResponse(parsed)) {
+        return c.text(`Install failed: Odeva returned an unexpected response (${response.status}).`, 502);
+      }
+      body = parsed;
+    } catch {
+      return c.text(`Install failed: Could not parse Odeva response (${response.status}).`, 502);
+    }
+
     const topErrors = body.errors?.map((e) => e.message) ?? [];
     const payload = body.data?.exchangeAppInstallCode ?? null;
     const userErrors = payload?.errors ?? [];
 
     if (topErrors.length > 0 || userErrors.length > 0 || !payload?.rawKey || !payload.appInstallation) {
-      const msg = [...topErrors, ...userErrors].join("; ") || "Exchange failed";
+      const msg = [...topErrors, ...userErrors].join("; ") || `Exchange failed (${response.status})`;
       return c.text(`Install failed: ${msg}`, 400);
     }
 

package/templates/hono-bun/src/webhook.ts

@@ -3,12 +3,19 @@ import { createHmac, timingSafeEqual } from "node:crypto";
 /**
  * Verify a webhook signature from the Odeva platform.
  *
- * The CLI's `odeva webhook trigger` and the platform itself both sign payloads
- * with HMAC-SHA256(secret, rawBody), hex-encoded, sent as `x-odeva-signature`.
+ * Webhooks are signed as HMAC-SHA256(secret, `${timestamp}.${rawBody}`),
+ * hex-encoded and sent as `x-odeva-signature: sha256=<digest>`.
  */
-export function verifyWebhook(rawBody: string, signature: string | undefined, secret: string): boolean {
+export function verifyWebhook(
+  rawBody: string,
+  signature: string | undefined,
+  secret: string,
+  timestamp: string | undefined,
+): boolean {
   if (!signature) return false;
-  const expected = createHmac("sha256", secret).update(rawBody).digest("hex");
+  if (!timestamp) return false;
+  const digest = createHmac("sha256", secret).update(`${timestamp}.${rawBody}`).digest("hex");
+  const expected = `sha256=${digest}`;
   const a = Buffer.from(expected, "utf8");
   const b = Buffer.from(signature, "utf8");
   if (a.length !== b.length) return false;