@ottocode/server 0.1.213 → 0.1.215

package/src/openapi/schemas.ts

@@ -349,4 +349,40 @@ export const schemas = {
 			uptime: { type: 'integer' },
 		},
 	},
+	MCPServer: {
+		type: 'object',
+		properties: {
+			name: { type: 'string' },
+			transport: {
+				type: 'string',
+				enum: ['stdio', 'http', 'sse'],
+			},
+			command: { type: 'string' },
+			args: {
+				type: 'array',
+				items: { type: 'string' },
+			},
+			url: { type: 'string' },
+			disabled: { type: 'boolean' },
+			connected: { type: 'boolean' },
+			tools: {
+				type: 'array',
+				items: {
+					type: 'object',
+					properties: {
+						name: { type: 'string' },
+						description: { type: 'string' },
+					},
+				},
+			},
+			authRequired: { type: 'boolean' },
+			authenticated: { type: 'boolean' },
+			scope: {
+				type: 'string',
+				enum: ['global', 'project'],
+			},
+			authType: { type: 'string' },
+		},
+		required: ['name', 'transport', 'connected'],
+	},
 } as const;

package/src/openapi/spec.ts

@@ -1,14 +1,24 @@
 import { askPaths } from './paths/ask';
+import { authPaths } from './paths/auth';
+import { branchPaths } from './paths/branch';
 import { configPaths } from './paths/config';
+import { doctorPaths } from './paths/doctor';
 import { filesPaths } from './paths/files';
 import { gitPaths } from './paths/git';
+import { mcpPaths } from './paths/mcp';
 import { messagesPaths } from './paths/messages';
+import { providerUsagePaths } from './paths/provider-usage';
+import { researchPaths } from './paths/research';
+import { sessionApprovalPaths } from './paths/session-approval';
+import { sessionExtrasPaths } from './paths/session-extras';
+import { sessionFilesPaths } from './paths/session-files';
 import { sessionsPaths } from './paths/sessions';
+import { setuPaths } from './paths/setu';
+import { skillsPaths } from './paths/skills';
 import { streamPaths } from './paths/stream';
-import { schemas } from './schemas';
-
 import { terminalsPath } from './paths/terminals';
-import { setuPaths } from './paths/setu';
+import { tunnelPaths } from './paths/tunnel';
+import { schemas } from './schemas';
 
 export function getOpenAPISpec() {
 	const spec = {
@@ -29,17 +39,31 @@ export function getOpenAPISpec() {
 			{ name: 'git' },
 			{ name: 'terminals' },
 			{ name: 'setu' },
+			{ name: 'auth' },
+			{ name: 'mcp' },
+			{ name: 'tunnel' },
 		],
 		paths: {
 			...askPaths,
-			...sessionsPaths,
-			...messagesPaths,
-			...streamPaths,
+			...authPaths,
+			...branchPaths,
 			...configPaths,
+			...doctorPaths,
 			...filesPaths,
 			...gitPaths,
-			...terminalsPath,
+			...mcpPaths,
+			...messagesPaths,
+			...providerUsagePaths,
+			...researchPaths,
+			...sessionApprovalPaths,
+			...sessionExtrasPaths,
+			...sessionFilesPaths,
+			...sessionsPaths,
 			...setuPaths,
+			...skillsPaths,
+			...streamPaths,
+			...terminalsPath,
+			...tunnelPaths,
 		},
 		components: {
 			schemas,

package/src/routes/doctor.ts

@@ -0,0 +1,229 @@
+import type { Hono } from 'hono';
+import { readdir } from 'node:fs/promises';
+import {
+	readConfig,
+	isAuthorized,
+	buildFsTools,
+	buildGitTools,
+	getSecureAuthPath,
+	getGlobalAgentsJsonPath,
+	getGlobalToolsDir,
+	getGlobalCommandsDir,
+	logger,
+} from '@ottocode/sdk';
+import type { ProviderId } from '@ottocode/sdk';
+import { serializeError } from '../runtime/errors/api-error.ts';
+
+const PROVIDERS: ProviderId[] = [
+	'openai',
+	'anthropic',
+	'google',
+	'openrouter',
+	'opencode',
+	'setu',
+];
+
+function providerEnvVar(p: ProviderId): string | null {
+	if (p === 'openai') return 'OPENAI_API_KEY';
+	if (p === 'anthropic') return 'ANTHROPIC_API_KEY';
+	if (p === 'google') return 'GOOGLE_GENERATIVE_AI_API_KEY';
+	if (p === 'opencode') return 'OPENCODE_API_KEY';
+	if (p === 'setu') return 'SETU_PRIVATE_KEY';
+	return null;
+}
+
+async function fileExists(path: string | null): Promise<boolean> {
+	if (!path) return false;
+	try {
+		return await Bun.file(path).exists();
+	} catch {
+		return false;
+	}
+}
+
+async function readJsonSafe<T>(path: string | null): Promise<T | null> {
+	if (!path) return null;
+	try {
+		const file = Bun.file(path);
+		if (!(await file.exists())) return null;
+		return (await file.json()) as T;
+	} catch {
+		return null;
+	}
+}
+
+async function listDir(dir: string | null): Promise<string[]> {
+	if (!dir) return [];
+	try {
+		return await readdir(dir);
+	} catch {
+		return [];
+	}
+}
+
+export function registerDoctorRoutes(app: Hono) {
+	app.get('/v1/doctor', async (c) => {
+		try {
+			const projectRoot = c.req.query('project') || process.cwd();
+			const { cfg, auth } = await readConfig(projectRoot);
+
+			const providers = await Promise.all(
+				PROVIDERS.map(async (id) => {
+					const ok = await isAuthorized(id, projectRoot);
+					const envVar = providerEnvVar(id);
+					const envConfigured = envVar ? !!process.env[envVar] : false;
+
+					const globalAuthPath = getSecureAuthPath();
+					let hasGlobalAuth = false;
+					if (globalAuthPath) {
+						const contents =
+							await readJsonSafe<Record<string, unknown>>(globalAuthPath);
+						hasGlobalAuth = Boolean(contents?.[id]);
+					}
+
+					const authInfo = auth?.[id];
+					const hasStoredSecret = (() => {
+						if (!authInfo) return false;
+						if (authInfo.type === 'api')
+							return Boolean((authInfo as { key?: string }).key);
+						if (authInfo.type === 'wallet')
+							return Boolean((authInfo as { secret?: string }).secret);
+						if (authInfo.type === 'oauth')
+							return Boolean(
+								(authInfo as { access?: string; refresh?: string }).access ||
+									(authInfo as { access?: string; refresh?: string }).refresh,
+							);
+						return false;
+					})();
+
+					const sources: string[] = [];
+					if (envConfigured && envVar) sources.push(`env:${envVar}`);
+					if (hasGlobalAuth) sources.push('auth.json');
+
+					const configured =
+						envConfigured ||
+						hasGlobalAuth ||
+						cfg.defaults.provider === id ||
+						hasStoredSecret;
+
+					return { id, ok, configured, sources };
+				}),
+			);
+
+			const defaults = {
+				agent: cfg.defaults.agent,
+				provider: cfg.defaults.provider,
+				model: cfg.defaults.model,
+				providerAuthorized: await isAuthorized(
+					cfg.defaults.provider as ProviderId,
+					projectRoot,
+				),
+			};
+
+			const globalAgentsPath = getGlobalAgentsJsonPath();
+			const localAgentsPath = `${projectRoot}/.otto/agents.json`;
+			const globalAgents =
+				(await readJsonSafe<Record<string, unknown>>(globalAgentsPath)) ?? {};
+			const localAgents =
+				(await readJsonSafe<Record<string, unknown>>(localAgentsPath)) ?? {};
+
+			const agents = {
+				globalPath: (await fileExists(globalAgentsPath))
+					? globalAgentsPath
+					: null,
+				localPath: (await fileExists(localAgentsPath)) ? localAgentsPath : null,
+				globalNames: Object.keys(globalAgents).sort(),
+				localNames: Object.keys(localAgents).sort(),
+			};
+
+			const defaultToolNames = Array.from(
+				new Set([
+					...buildFsTools(projectRoot).map((t) => t.name),
+					...buildGitTools(projectRoot).map((t) => t.name),
+					'finish',
+				]),
+			).sort();
+
+			const globalToolsDir = getGlobalToolsDir();
+			const localToolsDir = `${projectRoot}/.otto/tools`;
+			const globalToolNames = await listDir(globalToolsDir);
+			const localToolNames = await listDir(localToolsDir);
+
+			const tools = {
+				defaultNames: defaultToolNames,
+				globalPath: globalToolNames.length ? globalToolsDir : null,
+				globalNames: globalToolNames.sort(),
+				localPath: localToolNames.length ? localToolsDir : null,
+				localNames: localToolNames.sort(),
+				effectiveNames: Array.from(
+					new Set([...defaultToolNames, ...globalToolNames, ...localToolNames]),
+				).sort(),
+			};
+
+			const globalCommandsDir = getGlobalCommandsDir();
+			const localCommandsDir = `${projectRoot}/.otto/commands`;
+			const globalCommandFiles = await listDir(globalCommandsDir);
+			const localCommandFiles = await listDir(localCommandsDir);
+
+			const commands = {
+				globalPath: globalCommandFiles.length ? globalCommandsDir : null,
+				globalNames: globalCommandFiles
+					.filter((f) => f.endsWith('.json'))
+					.map((f) => f.replace(/\.json$/, ''))
+					.sort(),
+				localPath: localCommandFiles.length ? localCommandsDir : null,
+				localNames: localCommandFiles
+					.filter((f) => f.endsWith('.json'))
+					.map((f) => f.replace(/\.json$/, ''))
+					.sort(),
+			};
+
+			const issues: string[] = [];
+			if (!defaults.providerAuthorized) {
+				issues.push(
+					`Default provider '${defaults.provider}' is not authorized`,
+				);
+			}
+			for (const [scope, entries] of [
+				['global', globalAgents],
+				['local', localAgents],
+			] as const) {
+				for (const [name, entry] of Object.entries(entries)) {
+					if (
+						entry &&
+						typeof entry === 'object' &&
+						Object.hasOwn(entry, 'tools') &&
+						!Array.isArray((entry as { tools?: unknown }).tools)
+					) {
+						issues.push(`${scope}:${name} tools field must be an array`);
+					}
+				}
+			}
+
+			const suggestions: string[] = [];
+			if (!defaults.providerAuthorized) {
+				suggestions.push(
+					`Run: otto auth login ${defaults.provider} — or switch defaults with: otto models`,
+				);
+			}
+			if (issues.length) {
+				suggestions.push('Review agents.json fields.');
+			}
+
+			return c.json({
+				providers,
+				defaults,
+				agents,
+				tools,
+				commands,
+				issues,
+				suggestions,
+				globalAuthPath: getSecureAuthPath(),
+			});
+		} catch (error) {
+			logger.error('Failed to run doctor', error);
+			const errorResponse = serializeError(error);
+			return c.json(errorResponse, (errorResponse.error.status || 500) as 500);
+		}
+	});
+}

package/src/routes/sessions.ts

@@ -721,6 +721,61 @@ export function registerSessionsRoutes(app: Hono) {
 		});
 	});
 
+	app.delete('/v1/sessions/:sessionId/share', async (c) => {
+		const sessionId = c.req.param('sessionId');
+		const projectRoot = c.req.query('project') || process.cwd();
+		const cfg = await loadConfig(projectRoot);
+		const db = await getDb(cfg.projectRoot);
+
+		const share = await db
+			.select()
+			.from(shares)
+			.where(eq(shares.sessionId, sessionId))
+			.limit(1);
+
+		if (!share.length) {
+			return c.json({ error: 'Session is not shared' }, 404);
+		}
+
+		try {
+			const res = await fetch(`${SHARE_API_URL}/share/${share[0].shareId}`, {
+				method: 'DELETE',
+				headers: { 'X-Share-Secret': share[0].secret },
+			});
+
+			if (!res.ok && res.status !== 404) {
+				const err = await res.text();
+				return c.json({ error: `Failed to delete share: ${err}` }, 500);
+			}
+		} catch {}
+
+		await db.delete(shares).where(eq(shares.sessionId, sessionId));
+
+		return c.json({ deleted: true, sessionId });
+	});
+
+	app.get('/v1/shares', async (c) => {
+		const projectRoot = c.req.query('project') || process.cwd();
+		const cfg = await loadConfig(projectRoot);
+		const db = await getDb(cfg.projectRoot);
+
+		const rows = await db
+			.select({
+				sessionId: shares.sessionId,
+				shareId: shares.shareId,
+				url: shares.url,
+				title: shares.title,
+				createdAt: shares.createdAt,
+				lastSyncedAt: shares.lastSyncedAt,
+			})
+			.from(shares)
+			.innerJoin(sessions, eq(shares.sessionId, sessions.id))
+			.where(eq(sessions.projectPath, cfg.projectRoot))
+			.orderBy(desc(shares.lastSyncedAt));
+
+		return c.json({ shares: rows });
+	});
+
 	// Retry a failed assistant message
 	app.post('/v1/sessions/:sessionId/messages/:messageId/retry', async (c) => {
 		try {

package/src/routes/skills.ts

@@ -0,0 +1,90 @@
+import type { Hono } from 'hono';
+import {
+	discoverSkills,
+	loadSkill,
+	findGitRoot,
+	validateSkillName,
+	parseSkillFile,
+	logger,
+} from '@ottocode/sdk';
+import { serializeError } from '../runtime/errors/api-error.ts';
+
+export function registerSkillsRoutes(app: Hono) {
+	app.get('/v1/skills', async (c) => {
+		try {
+			const projectRoot = c.req.query('project') || process.cwd();
+			const repoRoot = (await findGitRoot(projectRoot)) ?? projectRoot;
+			const skills = await discoverSkills(projectRoot, repoRoot);
+			return c.json({
+				skills: skills.map((s) => ({
+					name: s.name,
+					description: s.description,
+					scope: s.scope,
+					path: s.path,
+				})),
+			});
+		} catch (error) {
+			logger.error('Failed to list skills', error);
+			const errorResponse = serializeError(error);
+			return c.json(errorResponse, (errorResponse.error.status || 500) as 500);
+		}
+	});
+
+	app.get('/v1/skills/:name', async (c) => {
+		try {
+			const name = c.req.param('name');
+			const projectRoot = c.req.query('project') || process.cwd();
+			const repoRoot = (await findGitRoot(projectRoot)) ?? projectRoot;
+			await discoverSkills(projectRoot, repoRoot);
+
+			const skill = await loadSkill(name);
+			if (!skill) {
+				return c.json({ error: `Skill '${name}' not found` }, 404);
+			}
+
+			return c.json({
+				name: skill.metadata.name,
+				description: skill.metadata.description,
+				license: skill.metadata.license ?? null,
+				compatibility: skill.metadata.compatibility ?? null,
+				metadata: skill.metadata.metadata ?? null,
+				allowedTools: skill.metadata.allowedTools ?? null,
+				path: skill.path,
+				scope: skill.scope,
+				content: skill.content,
+			});
+		} catch (error) {
+			logger.error('Failed to load skill', error);
+			const errorResponse = serializeError(error);
+			return c.json(errorResponse, (errorResponse.error.status || 500) as 500);
+		}
+	});
+
+	app.post('/v1/skills/validate', async (c) => {
+		try {
+			const body = await c.req.json<{ content: string; path?: string }>();
+			if (!body.content) {
+				return c.json({ error: 'content is required' }, 400);
+			}
+
+			const skillPath = body.path ?? 'SKILL.md';
+			const skill = parseSkillFile(body.content, skillPath, 'cwd');
+			return c.json({
+				valid: true,
+				name: skill.metadata.name,
+				description: skill.metadata.description,
+				license: skill.metadata.license ?? null,
+			});
+		} catch (error) {
+			return c.json({
+				valid: false,
+				error: (error as Error).message,
+			});
+		}
+	});
+
+	app.get('/v1/skills/validate-name/:name', async (c) => {
+		const name = c.req.param('name');
+		return c.json({ valid: validateSkillName(name) });
+	});
+}

package/src/runtime/agent/runner-setup.ts

@@ -11,7 +11,8 @@ import { discoverProjectTools } from '@ottocode/sdk';
 import type { Tool } from 'ai';
 import { adaptTools } from '../../tools/adapter.ts';
 import { buildDatabaseTools } from '../../tools/database/index.ts';
-import { debugLog, time, isDebugEnabled } from '../debug/index.ts';
+import { debugLog, time } from '../debug/index.ts';
+import { isDevtoolsEnabled } from '../debug/state.ts';
 import { buildHistoryMessages } from '../message/history-builder.ts';
 import { getMaxOutputTokens } from '../utils/token.ts';
 import { setupToolContext } from '../tools/setup.ts';
@@ -184,7 +185,7 @@ export async function setupRunner(opts: RunOpts): Promise<SetupResult> {
 		sessionId: opts.sessionId,
 		messageId: opts.assistantMessageId,
 	});
-	const wrappedModel = isDebugEnabled()
+	const wrappedModel = isDevtoolsEnabled()
 		? wrapLanguageModel({
 				// biome-ignore lint/suspicious/noExplicitAny: OpenRouter provider uses v2 spec
 				model: model as any,

package/src/runtime/debug/state.ts

@@ -65,6 +65,13 @@ function checkEnvTrace(): boolean {
 	return false;
 }
 
+function checkEnvDevtools(): boolean {
+	const raw = process.env.OTTO_DEVTOOLS;
+	if (!raw) return false;
+	const trimmed = raw.trim().toLowerCase();
+	return TRUTHY.has(trimmed);
+}
+
 /**
  * Initialize debug state from environment
  */
@@ -96,6 +103,10 @@ export function isTraceEnabled(): boolean {
 	return state.enabled && state.traceEnabled;
 }
 
+export function isDevtoolsEnabled(): boolean {
+	return checkEnvDevtools();
+}
+
 /**
  * Enable or disable debug mode at runtime
  * Overrides environment variable settings

package/src/runtime/provider/setu.ts

@@ -5,7 +5,7 @@ import {
 	loadConfig,
 } from '@ottocode/sdk';
 import { devToolsMiddleware } from '@ai-sdk/devtools';
-import { isDebugEnabled } from '../debug/index.ts';
+import { isDevtoolsEnabled } from '../debug/state.ts';
 import { publish } from '../../events/bus.ts';
 import {
 	waitForTopupMethodSelection,
@@ -123,7 +123,7 @@ export async function resolveSetuModel(
 		baseURL,
 		rpcURL,
 		callbacks,
-		middleware: isDebugEnabled() ? devToolsMiddleware() : undefined,
+		middleware: isDevtoolsEnabled() ? devToolsMiddleware() : undefined,
 		payment: {
 			topupApprovalMode,
 			autoPayThresholdUsd,

package/src/runtime/tools/guards.ts

@@ -140,7 +140,7 @@ const SENSITIVE_WRITE_PATHS: Array<{ pattern: RegExp; reason: string }> = [
 ];
 
 function guardWritePath(
-	toolName: string,
+	_toolName: string,
 	args: Record<string, unknown>,
 ): GuardAction {
 	const path =