@ottocode/server 0.1.230 → 0.1.231

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@ottocode/server",
-	"version": "0.1.230",
+	"version": "0.1.231",
 	"description": "HTTP API server for ottocode",
 	"type": "module",
 	"main": "./src/index.ts",
@@ -49,8 +49,8 @@
 		"typecheck": "tsc --noEmit"
 	},
 	"dependencies": {
-		"@ottocode/sdk": "0.1.230",
-		"@ottocode/database": "0.1.230",
+		"@ottocode/sdk": "0.1.231",
+		"@ottocode/database": "0.1.231",
 		"drizzle-orm": "^0.44.5",
 		"hono": "^4.9.9",
 		"zod": "^4.3.6"

package/src/index.ts

@@ -108,7 +108,6 @@ export type StandaloneAppConfig = {
 export function createStandaloneApp(_config?: StandaloneAppConfig) {
 	const honoApp = new Hono();
 
-	// Enable CORS for localhost and local network access
 	honoApp.use(
 		'*',
 		cors({
@@ -192,6 +191,7 @@ export type EmbeddedAppConfig = {
 		model?: string;
 		agent?: string;
 		toolApproval?: 'auto' | 'dangerous' | 'all';
+		fullWidthContent?: boolean;
 	};
 	/** Additional CORS origins for proxies/Tailscale (e.g., ['https://myapp.ts.net', 'https://example.com']) */
 	corsOrigins?: string[];
@@ -214,7 +214,6 @@ export function createEmbeddedApp(config: EmbeddedAppConfig = {}) {
 		await next();
 	});
 
-	// Enable CORS for localhost and local network access
 	honoApp.use(
 		'*',
 		cors({

package/src/openapi/paths/config.ts

@@ -178,6 +178,7 @@ export const configPaths = {
 								agent: { type: 'string' },
 								provider: { type: 'string' },
 								model: { type: 'string' },
+								fullWidthContent: { type: 'boolean' },
 								reasoningText: { type: 'boolean' },
 								reasoningLevel: {
 									type: 'string',
@@ -208,6 +209,7 @@ export const configPaths = {
 											agent: { type: 'string' },
 											provider: { type: 'string' },
 											model: { type: 'string' },
+											fullWidthContent: { type: 'boolean' },
 											reasoningText: { type: 'boolean' },
 											reasoningLevel: {
 												type: 'string',

package/src/openapi/schemas.ts

@@ -196,6 +196,7 @@ export const schemas = {
 					agent: { type: 'string' },
 					provider: { $ref: '#/components/schemas/Provider' },
 					model: { type: 'string' },
+					fullWidthContent: { type: 'boolean' },
 					reasoningText: { type: 'boolean' },
 					reasoningLevel: {
 						type: 'string',

package/src/routes/config/defaults.ts

@@ -21,6 +21,7 @@ export function registerDefaultsRoute(app: Hono) {
 				reasoningText?: boolean;
 				reasoningLevel?: ReasoningLevel;
 				theme?: string;
+				fullWidthContent?: boolean;
 				scope?: 'global' | 'local';
 			}>();
 
@@ -34,6 +35,7 @@ export function registerDefaultsRoute(app: Hono) {
 				reasoningText: boolean;
 				reasoningLevel: ReasoningLevel;
 				theme: string;
+				fullWidthContent: boolean;
 			}> = {};
 
 			if (body.agent) updates.agent = body.agent;
@@ -45,6 +47,8 @@ export function registerDefaultsRoute(app: Hono) {
 				updates.reasoningText = body.reasoningText;
 			if (body.reasoningLevel) updates.reasoningLevel = body.reasoningLevel;
 			if (body.theme) updates.theme = body.theme;
+			if (body.fullWidthContent !== undefined)
+				updates.fullWidthContent = body.fullWidthContent;
 
 			await setConfig(scope, updates, projectRoot);
 

package/src/routes/config/main.ts

@@ -63,6 +63,12 @@ export function registerMainConfigRoute(app: Hono) {
 				reasoningText: cfg.defaults.reasoningText ?? true,
 				reasoningLevel: cfg.defaults.reasoningLevel ?? 'high',
 				theme: cfg.defaults.theme,
+				fullWidthContent:
+					getDefault(
+						undefined,
+						embeddedConfig?.defaults?.fullWidthContent,
+						cfg.defaults.fullWidthContent,
+					) ?? false,
 			};
 
 			return c.json({

package/src/routes/config/models.ts

@@ -138,6 +138,7 @@ export function registerModelsRoutes(app: Hono) {
 					reasoningText: m.reasoningText,
 					vision: m.modalities?.input?.includes('image') ?? false,
 					attachment: m.attachment ?? false,
+					free: m.cost?.input === 0 && m.cost?.output === 0,
 				})),
 				default: getDefault(
 					embeddedConfig?.model,
@@ -205,6 +206,7 @@ export function registerModelsRoutes(app: Hono) {
 							reasoningText: m.reasoningText,
 							vision: m.modalities?.input?.includes('image') ?? false,
 							attachment: m.attachment ?? false,
+							free: m.cost?.input === 0 && m.cost?.output === 0,
 						})),
 					};
 				}

package/src/routes/mcp.ts

@@ -1,36 +1,21 @@
 import type { Hono } from 'hono';
 import {
+	COPILOT_MCP_SCOPE,
 	getMCPManager,
+	getCopilotMCPOAuthKey,
+	getStoredCopilotMCPToken,
 	initializeMCP,
+	isGitHubCopilotUrl,
 	loadMCPConfig,
 	getGlobalConfigDir,
 	MCPClientWrapper,
+	OAuthCredentialStore,
 	addMCPServerToConfig,
 	removeMCPServerFromConfig,
 } from '@ottocode/sdk';
-import {
-	authorizeCopilot,
-	pollForCopilotTokenOnce,
-	getAuth,
-	setAuth,
-} from '@ottocode/sdk';
+import { authorizeCopilot, pollForCopilotTokenOnce } from '@ottocode/sdk';
 
-const GITHUB_COPILOT_HOSTS = [
-	'api.githubcopilot.com',
-	'copilot-proxy.githubusercontent.com',
-];
-
-function isGitHubCopilotUrl(url?: string): boolean {
-	if (!url) return false;
-	try {
-		const parsed = new URL(url);
-		return GITHUB_COPILOT_HOSTS.some(
-			(h) => parsed.hostname === h || parsed.hostname.endsWith(`.${h}`),
-		);
-	} catch {
-		return false;
-	}
-}
+const copilotMCPOAuthStore = new OAuthCredentialStore();
 
 const copilotMCPSessions = new Map<
 	string,
@@ -184,13 +169,14 @@ export function registerMCPRoutes(app: Hono) {
 			);
 
 			if (isGitHubCopilotUrl(serverConfig.url) && !status?.connected) {
-				const MCP_SCOPES =
-					'repo read:org read:packages gist notifications read:project security_events';
-				const existingAuth = await getAuth('copilot');
-				const hasMCPScopes =
-					existingAuth?.type === 'oauth' && existingAuth.scopes === MCP_SCOPES;
+				const existingAuth = await getStoredCopilotMCPToken(
+					copilotMCPOAuthStore,
+					name,
+					serverConfig.scope ?? 'global',
+					projectRoot,
+				);
 
-				if (!existingAuth || existingAuth.type !== 'oauth' || !hasMCPScopes) {
+				if (!existingAuth.token || existingAuth.needsReauth) {
 					const deviceData = await authorizeCopilot({ mcp: true });
 					const sessionId = crypto.randomUUID();
 					copilotMCPSessions.set(sessionId, {
@@ -256,14 +242,13 @@ export function registerMCPRoutes(app: Hono) {
 
 		if (isGitHubCopilotUrl(serverConfig.url)) {
 			try {
-				const MCP_SCOPES =
-					'repo read:org read:packages gist notifications read:project security_events';
-				const existingAuth = await getAuth('copilot');
-				if (
-					existingAuth?.type === 'oauth' &&
-					existingAuth.refresh &&
-					existingAuth.scopes === MCP_SCOPES
-				) {
+				const existingAuth = await getStoredCopilotMCPToken(
+					copilotMCPOAuthStore,
+					name,
+					serverConfig.scope ?? 'global',
+					projectRoot,
+				);
+				if (existingAuth.token && !existingAuth.needsReauth) {
 					return c.json({
 						ok: true,
 						name,
@@ -334,29 +319,31 @@ export function registerMCPRoutes(app: Hono) {
 				const result = await pollForCopilotTokenOnce(session.deviceCode);
 				if (result.status === 'complete') {
 					copilotMCPSessions.delete(sessionId);
-					await setAuth(
-						'copilot',
-						{
-							type: 'oauth',
-							refresh: result.accessToken,
-							access: result.accessToken,
-							expires: 0,
-							scopes:
-								'repo read:org read:packages gist notifications read:project security_events',
-						},
-						undefined,
-						'global',
-					);
 					const projectRoot = process.cwd();
 					const config = await loadMCPConfig(projectRoot, getGlobalConfigDir());
 					const serverConfig = config.servers.find((s) => s.name === name);
+					if (!serverConfig) {
+						return c.json(
+							{ ok: false, error: `Server "${name}" not found` },
+							404,
+						);
+					}
+					await copilotMCPOAuthStore.saveTokens(
+						getCopilotMCPOAuthKey(
+							name,
+							serverConfig.scope ?? 'global',
+							projectRoot,
+						),
+						{
+							access_token: result.accessToken,
+							scope: COPILOT_MCP_SCOPE,
+						},
+					);
 					let mcpMgr = getMCPManager();
-					if (serverConfig) {
-						if (!mcpMgr) {
-							mcpMgr = await initializeMCP({ servers: [] }, projectRoot);
-						}
-						await mcpMgr.restartServer(serverConfig);
+					if (!mcpMgr) {
+						mcpMgr = await initializeMCP({ servers: [] }, projectRoot);
 					}
+					await mcpMgr.restartServer(serverConfig);
 					mcpMgr = getMCPManager();
 					const status = mcpMgr
 						? (await mcpMgr.getStatusAsync()).find((s) => s.name === name)
@@ -421,8 +408,13 @@ export function registerMCPRoutes(app: Hono) {
 
 		if (serverConfig && isGitHubCopilotUrl(serverConfig.url)) {
 			try {
-				const auth = await getAuth('copilot');
-				const authenticated = auth?.type === 'oauth' && !!auth.refresh;
+				const auth = await getStoredCopilotMCPToken(
+					copilotMCPOAuthStore,
+					name,
+					serverConfig.scope ?? 'global',
+					projectRoot,
+				);
+				const authenticated = !!auth.token && !auth.needsReauth;
 				return c.json({ authenticated, authType: 'copilot-device' });
 			} catch {
 				return c.json({ authenticated: false, authType: 'copilot-device' });
@@ -450,10 +442,22 @@ export function registerMCPRoutes(app: Hono) {
 
 		if (serverConfig && isGitHubCopilotUrl(serverConfig.url)) {
 			try {
-				const { removeAuth } = await import('@ottocode/sdk');
-				await removeAuth('copilot');
+				const key = getCopilotMCPOAuthKey(
+					name,
+					serverConfig.scope ?? 'global',
+					projectRoot,
+				);
+				await copilotMCPOAuthStore.clearServer(key);
+				if (key !== name) {
+					await copilotMCPOAuthStore.clearServer(name);
+				}
 				const manager = getMCPManager();
 				if (manager) {
+					await manager.clearAuthData(
+						name,
+						serverConfig.scope ?? 'global',
+						projectRoot,
+					);
 					await manager.stopServer(name);
 				}
 				return c.json({ ok: true, name });

package/src/routes/session-stream.ts

@@ -1,3 +1,4 @@
+import type { Context } from 'hono';
 import type { Hono } from 'hono';
 import { subscribe } from '../events/bus.ts';
 import type { OttoEvent } from '../events/types.ts';
@@ -8,54 +9,54 @@ function safeStringify(obj: unknown): string {
 	);
 }
 
-export function registerSessionStreamRoute(app: Hono) {
-	app.get('/v1/sessions/:id/stream', async (c) => {
-		const sessionId = c.req.param('id');
-		const headers = new Headers({
-			'Content-Type': 'text/event-stream',
-			'Cache-Control': 'no-cache, no-transform',
-			Connection: 'keep-alive',
-		});
-
-		const encoder = new TextEncoder();
+function handleSessionStream(c: Context) {
+	const sessionId = c.req.param('id');
+	const headers = new Headers({
+		'Content-Type': 'text/event-stream',
+		'Cache-Control': 'no-cache, no-transform',
+		Connection: 'keep-alive',
+	});
 
-		const stream = new ReadableStream<Uint8Array>({
-			start(controller) {
-				const write = (evt: OttoEvent) => {
-					let line: string;
-					try {
-						line =
-							`event: ${evt.type}\n` +
-							`data: ${safeStringify(evt.payload ?? {})}\n\n`;
-					} catch {
-						line = `event: ${evt.type}\ndata: {}\n\n`;
-					}
-					controller.enqueue(encoder.encode(line));
-				};
-				const unsubscribe = subscribe(sessionId, write);
-				// Initial ping
-				controller.enqueue(encoder.encode(`: connected ${sessionId}\n\n`));
-				// Heartbeat every 5s to prevent idle timeout (Bun default is 10s)
-				const hb = setInterval(() => {
-					try {
-						controller.enqueue(encoder.encode(`: hb ${Date.now()}\n\n`));
-					} catch {
-						// Controller might be closed
-						clearInterval(hb);
-					}
-				}, 5000);
+	const encoder = new TextEncoder();
 
-				const signal = c.req.raw?.signal as AbortSignal | undefined;
-				signal?.addEventListener('abort', () => {
+	const stream = new ReadableStream<Uint8Array>({
+		start(controller) {
+			const write = (evt: OttoEvent) => {
+				let line: string;
+				try {
+					line =
+						`event: ${evt.type}\n` +
+						`data: ${safeStringify(evt.payload ?? {})}\n\n`;
+				} catch {
+					line = `event: ${evt.type}\ndata: {}\n\n`;
+				}
+				controller.enqueue(encoder.encode(line));
+			};
+			const unsubscribe = subscribe(sessionId, write);
+			controller.enqueue(encoder.encode(`: connected ${sessionId}\n\n`));
+			const hb = setInterval(() => {
+				try {
+					controller.enqueue(encoder.encode(`: hb ${Date.now()}\n\n`));
+				} catch {
 					clearInterval(hb);
-					unsubscribe();
-					try {
-						controller.close();
-					} catch {}
-				});
-			},
-		});
+				}
+			}, 5000);
 
-		return new Response(stream, { headers });
+			const signal = c.req.raw?.signal as AbortSignal | undefined;
+			signal?.addEventListener('abort', () => {
+				clearInterval(hb);
+				unsubscribe();
+				try {
+					controller.close();
+				} catch {}
+			});
+		},
 	});
+
+	return new Response(stream, { headers });
+}
+
+export function registerSessionStreamRoute(app: Hono) {
+	app.get('/v1/sessions/:id/stream', handleSessionStream);
+	app.post('/v1/sessions/:id/stream', handleSessionStream);
 }

package/src/routes/terminals.ts

@@ -1,3 +1,4 @@
+import type { Context } from 'hono';
 import type { Hono } from 'hono';
 import { streamSSE } from 'hono/streaming';
 import type { TerminalManager } from '@ottocode/sdk';
@@ -77,7 +78,7 @@ export function registerTerminalsRoutes(
 		return c.json({ terminal: terminal.toJSON() });
 	});
 
-	app.get('/v1/terminals/:id/output', async (c) => {
+	const handleTerminalOutput = async (c: Context) => {
 		const id = c.req.param('id');
 		logger.debug('SSE client connecting to terminal', { id });
 		const terminal = terminalManager.get(id);
@@ -91,7 +92,6 @@ export function registerTerminalsRoutes(
 
 		return streamSSE(c, async (stream) => {
 			logger.debug('SSE stream started for terminal', { id });
-			// Send historical buffer first (unless skipHistory is set)
 			const skipHistory = c.req.query('skipHistory') === 'true';
 			if (!skipHistory) {
 				const history = activeTerminal.read();
@@ -121,10 +121,19 @@ export function registerTerminalsRoutes(
 			let resolveStream: (() => void) | null = null;
 			let finished = false;
 
+			const hb = setInterval(async () => {
+				try {
+					await stream.write(`: hb ${Date.now()}\n\n`);
+				} catch {
+					clearInterval(hb);
+				}
+			}, 15000);
+
 			function cleanup() {
 				activeTerminal.removeDataListener(onData);
 				activeTerminal.removeExitListener(onExit);
 				c.req.raw.signal.removeEventListener('abort', onAbort);
+				clearInterval(hb);
 			}
 
 			function finish() {
@@ -168,7 +177,10 @@ export function registerTerminalsRoutes(
 
 			await waitForClose;
 		});
-	});
+	};
+
+	app.get('/v1/terminals/:id/output', handleTerminalOutput);
+	app.post('/v1/terminals/:id/output', handleTerminalOutput);
 
 	app.post('/v1/terminals/:id/input', async (c) => {
 		const id = c.req.param('id');

package/src/routes/tunnel.ts

@@ -1,4 +1,5 @@
 import type { Hono } from 'hono';
+import type { Context } from 'hono';
 import { streamSSE } from 'hono/streaming';
 import {
 	OttoTunnel,
@@ -159,8 +160,8 @@ export function registerTunnelRoutes(app: Hono) {
 		}
 	});
 
-	app.get('/v1/tunnel/stream', async (c) => {
-		return streamSSE(c, async (stream) => {
+	const handleTunnelStream = async (c: Context) => {
+		return streamSSE(c as Context, async (stream) => {
 			const sendEvent = async (data: Record<string, unknown>) => {
 				try {
 					await stream.write(`data: ${JSON.stringify(data)}\n\n`);
@@ -202,7 +203,10 @@ export function registerTunnelRoutes(app: Hono) {
 
 			clearInterval(interval);
 		});
-	});
+	};
+
+	app.get('/v1/tunnel/stream', handleTunnelStream);
+	app.post('/v1/tunnel/stream', handleTunnelStream);
 }
 
 export function stopActiveTunnel() {

package/src/runtime/message/service.ts

@@ -130,7 +130,14 @@ export async function dispatchAssistantMessage(
 	publish({
 		type: 'message.created',
 		sessionId,
-		payload: { id: userMessageId, role: 'user', agent, provider, model },
+		payload: {
+			id: userMessageId,
+			role: 'user',
+			agent,
+			provider,
+			model,
+			content: String(content),
+		},
 	});
 
 	const assistantMessageId = crypto.randomUUID();

package/src/runtime/tools/guards.ts

@@ -1,9 +1,19 @@
+import { resolve as resolvePath } from 'node:path';
+
 export type GuardAction =
 	| { type: 'block'; reason: string }
 	| { type: 'approve'; reason: string }
 	| { type: 'allow' };
 
-export function guardToolCall(toolName: string, args: unknown): GuardAction {
+export type GuardContext = {
+	projectRoot?: string;
+};
+
+export function guardToolCall(
+	toolName: string,
+	args: unknown,
+	context: GuardContext = {},
+): GuardAction {
 	const a = (args ?? {}) as Record<string, unknown>;
 
 	switch (toolName) {
@@ -12,7 +22,7 @@ export function guardToolCall(toolName: string, args: unknown): GuardAction {
 		case 'terminal':
 			return guardTerminal(a);
 		case 'read':
-			return guardReadPath(String(a.path ?? ''));
+			return guardReadPath(String(a.path ?? ''), context.projectRoot);
 		case 'write':
 		case 'edit':
 		case 'multiedit':
@@ -118,7 +128,42 @@ const SENSITIVE_READ_PATHS: Array<{ pattern: RegExp; reason: string }> = [
 	{ pattern: /^~?\/?\.docker\/config\.json$/, reason: 'Docker credentials' },
 ];
 
-function guardReadPath(path: string): GuardAction {
+function normalizeForComparison(value: string): string {
+	const withForwardSlashes = value.replace(/\\/g, '/');
+	return process.platform === 'win32'
+		? withForwardSlashes.toLowerCase()
+		: withForwardSlashes;
+}
+
+function expandTilde(path: string): string {
+	const home = process.env.HOME || process.env.USERPROFILE || '';
+	if (!home) return path;
+	if (path === '~') return home;
+	if (path.startsWith('~/')) return `${home}/${path.slice(2)}`;
+	return path;
+}
+
+function isAbsoluteLike(path: string): boolean {
+	return (
+		path.startsWith('/') || path.startsWith('~') || /^[A-Za-z]:[\\/]/.test(path)
+	);
+}
+
+function isPathInProject(path: string, projectRoot?: string): boolean {
+	if (!projectRoot || !isAbsoluteLike(path)) return false;
+	const root = resolvePath(projectRoot);
+	const target = resolvePath(expandTilde(path));
+	const rootNorm = (() => {
+		const normalized = normalizeForComparison(root);
+		if (normalized === '/') return '/';
+		return normalized.replace(/[\\/]+$/, '');
+	})();
+	const targetNorm = normalizeForComparison(target);
+	const rootWithSlash = rootNorm === '/' ? '/' : `${rootNorm}/`;
+	return targetNorm === rootNorm || targetNorm.startsWith(rootWithSlash);
+}
+
+function guardReadPath(path: string, projectRoot?: string): GuardAction {
 	if (!path) return { type: 'allow' };
 	const p = path.trim();
 
@@ -128,7 +173,10 @@ function guardReadPath(path: string): GuardAction {
 	for (const { pattern, reason } of SENSITIVE_READ_PATHS) {
 		if (pattern.test(p)) return { type: 'approve', reason };
 	}
-	if (p.startsWith('/') || p.startsWith('~')) {
+	if (isPathInProject(p, projectRoot)) {
+		return { type: 'allow' };
+	}
+	if (isAbsoluteLike(p)) {
 		return { type: 'approve', reason: 'Reading path outside project root' };
 	}
 	return { type: 'allow' };

package/src/tools/adapter.ts

@@ -393,7 +393,9 @@ export function adaptTools(
 						args,
 					);
 				}
-				const guard = guardToolCall(name, args);
+				const guard = guardToolCall(name, args, {
+					projectRoot: ctx.projectRoot,
+				});
 				if (guard.type === 'block') {
 					meta.blocked = true;
 					meta.blockReason = guard.reason;