@ottocode/server 0.1.173

package/package.json

@@ -0,0 +1,42 @@
+{
+	"name": "@ottocode/server",
+	"version": "0.1.173",
+	"description": "HTTP API server for ottocode",
+	"type": "module",
+	"main": "./src/index.ts",
+	"types": "./src/index.ts",
+	"exports": {
+		".": {
+			"import": "./src/index.ts",
+			"types": "./src/index.ts"
+		},
+		"./runtime/agent-registry": {
+			"import": "./src/runtime/agent-registry.ts",
+			"types": "./src/runtime/agent-registry.ts"
+		},
+		"./runtime/ask-service.ts": {
+			"import": "./src/runtime/ask-service.ts",
+			"types": "./src/runtime/ask-service.ts"
+		},
+		"./routes/ask.ts": {
+			"import": "./src/routes/ask.ts",
+			"types": "./src/routes/ask.ts"
+		}
+	},
+	"scripts": {
+		"dev": "bun run src/index.ts",
+		"test": "bun test",
+		"typecheck": "tsc --noEmit"
+	},
+	"dependencies": {
+		"@ottocode/sdk": "0.1.173",
+		"@ottocode/database": "0.1.173",
+		"drizzle-orm": "^0.44.5",
+		"hono": "^4.9.9",
+		"zod": "^4.1.8"
+	},
+	"devDependencies": {
+		"@types/bun": "latest",
+		"typescript": "^5"
+	}
+}

package/src/events/bus.ts

@@ -0,0 +1,43 @@
+import type { OttoEvent } from './types.ts';
+
+type Subscriber = (evt: OttoEvent) => void;
+
+const subscribers = new Map<string, Set<Subscriber>>(); // sessionId -> subs
+
+function sanitizeBigInt<T>(obj: T): T {
+	if (obj === null || obj === undefined) return obj;
+	if (typeof obj === 'bigint') return Number(obj) as T;
+	if (Array.isArray(obj)) return obj.map(sanitizeBigInt) as T;
+	if (typeof obj === 'object') {
+		const result: Record<string, unknown> = {};
+		for (const [key, value] of Object.entries(obj)) {
+			result[key] = sanitizeBigInt(value);
+		}
+		return result as T;
+	}
+	return obj;
+}
+
+export function publish(event: OttoEvent) {
+	const sanitizedEvent = sanitizeBigInt(event);
+	const subs = subscribers.get(event.sessionId);
+	if (!subs) return;
+	for (const sub of subs) {
+		try {
+			sub(sanitizedEvent);
+		} catch {}
+	}
+}
+
+export function subscribe(sessionId: string, handler: Subscriber) {
+	let set = subscribers.get(sessionId);
+	if (!set) {
+		set = new Set();
+		subscribers.set(sessionId, set);
+	}
+	set.add(handler);
+	return () => {
+		set?.delete(handler);
+		if (set && set.size === 0) subscribers.delete(sessionId);
+	};
+}

package/src/events/types.ts

@@ -0,0 +1,32 @@
+export type OttoEventType =
+	| 'tool.approval.required'
+	| 'tool.approval.resolved'
+	| 'setu.payment.required'
+	| 'setu.payment.signing'
+	| 'setu.payment.complete'
+	| 'setu.payment.error'
+	| 'setu.topup.required'
+	| 'setu.topup.method_selected'
+	| 'setu.topup.cancelled'
+	| 'setu.fiat.checkout_created'
+	| 'session.created'
+	| 'session.updated'
+	| 'message.created'
+	| 'message.part.delta'
+	| 'reasoning.delta'
+	| 'message.completed'
+	| 'tool.call'
+	| 'tool.delta'
+	| 'tool.result'
+	| 'plan.updated'
+	| 'finish-step'
+	| 'usage'
+	| 'queue.updated'
+	| 'error'
+	| 'heartbeat';
+
+export interface OttoEvent<T = unknown> {
+	type: OttoEventType;
+	sessionId: string;
+	payload?: T;
+}

package/src/index.ts

@@ -0,0 +1,281 @@
+import { Hono } from 'hono';
+import { cors } from 'hono/cors';
+import type { ProviderId, AuthInfo } from '@ottocode/sdk';
+import { TerminalManager } from '@ottocode/sdk';
+import { setTerminalManager } from '@ottocode/sdk';
+import { registerRootRoutes } from './routes/root.ts';
+import { registerOpenApiRoute } from './routes/openapi.ts';
+import { registerSessionsRoutes } from './routes/sessions.ts';
+import { registerSessionMessagesRoutes } from './routes/session-messages.ts';
+import { registerSessionStreamRoute } from './routes/session-stream.ts';
+import { registerAskRoutes } from './routes/ask.ts';
+import { registerConfigRoutes } from './routes/config/index.ts';
+import { registerFilesRoutes } from './routes/files.ts';
+import { registerGitRoutes } from './routes/git/index.ts';
+import { registerTerminalsRoutes } from './routes/terminals.ts';
+import { registerSessionFilesRoutes } from './routes/session-files.ts';
+import { registerBranchRoutes } from './routes/branch.ts';
+import { registerResearchRoutes } from './routes/research.ts';
+import { registerSessionApprovalRoute } from './routes/session-approval.ts';
+import { registerSetuRoutes } from './routes/setu.ts';
+import { registerAuthRoutes } from './routes/auth.ts';
+import type { AgentConfigEntry } from './runtime/agent/registry.ts';
+
+const globalTerminalManager = new TerminalManager();
+setTerminalManager(globalTerminalManager);
+
+function initApp() {
+	const app = new Hono();
+
+	// Enable CORS for localhost and local network access
+	app.use(
+		'*',
+		cors({
+			origin: (origin) => {
+				// Allow all localhost and 127.0.0.1 on any port
+				if (
+					origin.startsWith('http://localhost:') ||
+					origin.startsWith('http://127.0.0.1:') ||
+					origin.startsWith('https://localhost:') ||
+					origin.startsWith('https://127.0.0.1:')
+				) {
+					return origin;
+				}
+				// Allow local network IPs (192.168.x.x, 10.x.x.x, 172.16-31.x.x)
+				const localNetworkPattern =
+					/^https?:\/\/(192\.168\.\d{1,3}\.\d{1,3}|10\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}):\d+$/;
+				if (localNetworkPattern.test(origin)) {
+					return origin;
+				}
+				// Default to allowing the origin (can be restricted in production)
+				return origin;
+			},
+			allowMethods: ['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS'],
+			allowHeaders: ['Content-Type', 'Authorization', 'X-Requested-With'],
+			exposeHeaders: ['Content-Length', 'X-Request-Id'],
+			credentials: true,
+			maxAge: 600,
+		}),
+	);
+
+	registerRootRoutes(app);
+	registerOpenApiRoute(app);
+	registerSessionsRoutes(app);
+	registerSessionApprovalRoute(app);
+	registerSessionMessagesRoutes(app);
+	registerSessionStreamRoute(app);
+	registerAskRoutes(app);
+	registerConfigRoutes(app);
+	registerFilesRoutes(app);
+	registerGitRoutes(app);
+	registerTerminalsRoutes(app, globalTerminalManager);
+	registerSessionFilesRoutes(app);
+	registerBranchRoutes(app);
+	registerResearchRoutes(app);
+	registerSetuRoutes(app);
+	registerAuthRoutes(app);
+
+	return app;
+}
+
+const app = initApp();
+
+export default {
+	port: 0,
+	fetch: app.fetch,
+};
+
+export function createApp() {
+	return app;
+}
+
+export type StandaloneAppConfig = {
+	provider?: ProviderId;
+	model?: string;
+	defaultAgent?: string;
+};
+
+export function createStandaloneApp(_config?: StandaloneAppConfig) {
+	const honoApp = new Hono();
+
+	// Enable CORS for localhost and local network access
+	honoApp.use(
+		'*',
+		cors({
+			origin: (origin) => {
+				// Allow all localhost and 127.0.0.1 on any port
+				if (
+					origin.startsWith('http://localhost:') ||
+					origin.startsWith('http://127.0.0.1:') ||
+					origin.startsWith('https://localhost:') ||
+					origin.startsWith('https://127.0.0.1:')
+				) {
+					return origin;
+				}
+				// Allow local network IPs (192.168.x.x, 10.x.x.x, 172.16-31.x.x)
+				const localNetworkPattern =
+					/^https?:\/\/(192\.168\.\d{1,3}\.\d{1,3}|10\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}):\d+$/;
+				if (localNetworkPattern.test(origin)) {
+					return origin;
+				}
+				// Default to allowing the origin
+				return origin;
+			},
+			allowMethods: ['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS'],
+			allowHeaders: ['Content-Type', 'Authorization', 'X-Requested-With'],
+			exposeHeaders: ['Content-Length', 'X-Request-Id'],
+			credentials: true,
+			maxAge: 600,
+		}),
+	);
+
+	registerRootRoutes(honoApp);
+	registerOpenApiRoute(honoApp);
+	registerSessionsRoutes(honoApp);
+	registerSessionApprovalRoute(honoApp);
+	registerSessionMessagesRoutes(honoApp);
+	registerSessionStreamRoute(honoApp);
+	registerAskRoutes(honoApp);
+	registerConfigRoutes(honoApp);
+	registerFilesRoutes(honoApp);
+	registerGitRoutes(honoApp);
+	registerTerminalsRoutes(honoApp, globalTerminalManager);
+	registerSessionFilesRoutes(honoApp);
+	registerBranchRoutes(honoApp);
+	registerResearchRoutes(honoApp);
+	registerSetuRoutes(honoApp);
+	registerAuthRoutes(honoApp);
+
+	return honoApp;
+}
+
+/**
+ * Embedded app configuration with hybrid fallback:
+ * 1. Injected config (highest priority)
+ * 2. Environment variables
+ * 3. auth.json/config.json files (fallback)
+ *
+ * All fields are optional - if not provided, falls back to files/env
+ */
+export type EmbeddedAppConfig = {
+	/** Primary provider (optional - falls back to config.json or env) */
+	provider?: ProviderId;
+	/** Primary model (optional - falls back to config.json) */
+	model?: string;
+	/** Primary API key (optional - falls back to env vars or auth.json) */
+	apiKey?: string;
+	/** Default agent (optional - falls back to config.json) */
+	agent?: string;
+	/** Multi-provider auth (optional - falls back to auth.json) */
+	auth?: Record<string, { apiKey: string } | AuthInfo>;
+	/** Custom agents (optional - falls back to .otto/agents/) */
+	agents?: Record<
+		string,
+		Omit<AgentConfigEntry, 'tools'> & { tools?: readonly string[] | string[] }
+	>;
+	/** Default settings (optional - falls back to config.json) */
+	defaults?: {
+		provider?: ProviderId;
+		model?: string;
+		agent?: string;
+	};
+	/** Additional CORS origins for proxies/Tailscale (e.g., ['https://myapp.ts.net', 'https://example.com']) */
+	corsOrigins?: string[];
+};
+
+export function createEmbeddedApp(config: EmbeddedAppConfig = {}) {
+	const honoApp = new Hono();
+
+	// Store injected config in Hono context for routes to access
+	// Config can be empty - routes will fall back to files/env
+	honoApp.use('*', async (c, next) => {
+		c.set('embeddedConfig', config);
+		await next();
+	});
+
+	// Enable CORS for localhost and local network access
+	honoApp.use(
+		'*',
+		cors({
+			origin: (origin) => {
+				// Allow all localhost and 127.0.0.1 on any port
+				if (
+					origin.startsWith('http://localhost:') ||
+					origin.startsWith('http://127.0.0.1:') ||
+					origin.startsWith('https://localhost:') ||
+					origin.startsWith('https://127.0.0.1:')
+				) {
+					return origin;
+				}
+				// Allow local network IPs (192.168.x.x, 10.x.x.x, 172.16-31.x.x)
+				const localNetworkPattern =
+					/^https?:\/\/(192\.168\.\d{1,3}\.\d{1,3}|10\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}):\d+$/;
+				if (localNetworkPattern.test(origin)) {
+					return origin;
+				}
+				// Allow custom CORS origins (for Tailscale, proxies, etc.)
+				if (config.corsOrigins?.includes(origin)) {
+					return origin;
+				}
+				// Default to allowing the origin
+				return origin;
+			},
+			allowMethods: ['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS'],
+			allowHeaders: ['Content-Type', 'Authorization', 'X-Requested-With'],
+			exposeHeaders: ['Content-Length', 'X-Request-Id'],
+			credentials: true,
+			maxAge: 600,
+		}),
+	);
+
+	registerRootRoutes(honoApp);
+	registerOpenApiRoute(honoApp);
+	registerSessionsRoutes(honoApp);
+	registerSessionApprovalRoute(honoApp);
+	registerSessionMessagesRoutes(honoApp);
+	registerSessionStreamRoute(honoApp);
+	registerAskRoutes(honoApp);
+	registerConfigRoutes(honoApp);
+	registerFilesRoutes(honoApp);
+	registerGitRoutes(honoApp);
+	registerTerminalsRoutes(honoApp, globalTerminalManager);
+	registerSessionFilesRoutes(honoApp);
+	registerBranchRoutes(honoApp);
+	registerResearchRoutes(honoApp);
+	registerSetuRoutes(honoApp);
+	registerAuthRoutes(honoApp);
+
+	return honoApp;
+}
+
+export {
+	resolveAgentConfig,
+	defaultToolsForAgent,
+} from './runtime/agent/registry.ts';
+export {
+	composeSystemPrompt,
+	type ComposedSystemPrompt,
+} from './runtime/prompt/builder.ts';
+export {
+	AskServiceError,
+	handleAskRequest,
+	deriveStatusFromMessage,
+	inferStatus,
+} from './runtime/ask/service.ts';
+export { registerSessionsRoutes } from './routes/sessions.ts';
+export { registerAskRoutes } from './routes/ask.ts';
+export {
+	BUILTIN_AGENTS,
+	BUILTIN_TOOLS,
+	type BuiltinAgent,
+	type BuiltinTool,
+} from './presets.ts';
+
+// Export debug state management
+export {
+	setDebugEnabled,
+	isDebugEnabled,
+	setTraceEnabled,
+	isTraceEnabled,
+} from './runtime/debug/state.ts';
+export { logger } from '@ottocode/sdk';

package/src/openapi/helpers.ts

@@ -0,0 +1,64 @@
+export function projectQueryParam() {
+	return {
+		in: 'query',
+		name: 'project',
+		required: false,
+		schema: { type: 'string' },
+		description:
+			'Project root override (defaults to current working directory).',
+	} as const;
+}
+
+export function sessionIdParam() {
+	return {
+		in: 'path',
+		name: 'id',
+		required: true,
+		schema: { type: 'string' },
+	} as const;
+}
+
+export function withoutParam() {
+	return {
+		in: 'query',
+		name: 'without',
+		required: false,
+		schema: { type: 'string', enum: ['parts'] },
+		description:
+			'Exclude parts from the response. By default, parts are included.',
+	} as const;
+}
+
+export function errorResponse() {
+	return {
+		description: 'Bad Request',
+		content: {
+			'application/json': {
+				schema: {
+					type: 'object',
+					properties: { error: { type: 'string' } },
+					required: ['error'],
+				},
+			},
+		},
+	} as const;
+}
+
+export function gitErrorResponse() {
+	return {
+		description: 'Error',
+		content: {
+			'application/json': {
+				schema: {
+					type: 'object',
+					properties: {
+						status: { type: 'string', enum: ['error'] },
+						error: { type: 'string' },
+						code: { type: 'string' },
+					},
+					required: ['status', 'error'],
+				},
+			},
+		},
+	} as const;
+}

package/src/openapi/paths/ask.ts

@@ -0,0 +1,70 @@
+import { errorResponse, projectQueryParam } from '../helpers';
+
+export const askPaths = {
+	'/v1/ask': {
+		post: {
+			tags: ['ask'],
+			operationId: 'ask',
+			summary: 'Send a prompt using the ask service',
+			description:
+				'Streamlined endpoint used by the CLI to send prompts and receive assistant responses. Creates sessions as needed and reuses the last session when requested.',
+			parameters: [projectQueryParam()],
+			requestBody: {
+				required: true,
+				content: {
+					'application/json': {
+						schema: {
+							type: 'object',
+							required: ['prompt'],
+							properties: {
+								prompt: {
+									type: 'string',
+									description: 'User prompt to send to the assistant.',
+								},
+								agent: {
+									type: 'string',
+									description: 'Optional agent name to use for this request.',
+								},
+								provider: {
+									$ref: '#/components/schemas/Provider',
+									description:
+										'Optional provider override. When omitted the agent and config defaults apply.',
+								},
+								model: {
+									type: 'string',
+									description:
+										'Optional model override for the selected provider.',
+								},
+								sessionId: {
+									type: 'string',
+									description: 'Send the prompt to a specific session.',
+								},
+								last: {
+									type: 'boolean',
+									description:
+										'If true, reuse the most recent session for the project.',
+								},
+								jsonMode: {
+									type: 'boolean',
+									description:
+										'Request structured JSON output when supported by the agent.',
+								},
+							},
+						},
+					},
+				},
+			},
+			responses: {
+				202: {
+					description: 'Accepted',
+					content: {
+						'application/json': {
+							schema: { $ref: '#/components/schemas/AskResponse' },
+						},
+					},
+				},
+				400: errorResponse(),
+			},
+		},
+	},
+} as const;