otavia 0.1.0

package/src/commands/dev/__tests__/gateway-sso-base-url.test.ts

@@ -0,0 +1,93 @@
+import { describe, expect, test } from "bun:test";
+import { applyResourceNameEnvVars, resolveGatewaySsoBaseUrl } from "../gateway";
+import { resolveRootRedirectMount } from "../mount-selection";
+
+describe("resolveGatewaySsoBaseUrl", () => {
+  test("prefers configured SSO base URL from env", () => {
+    expect(resolveGatewaySsoBaseUrl("http://localhost:7100/sso", 8900, "sso")).toBe(
+      "http://localhost:7100/sso"
+    );
+  });
+
+  test("falls back to backend mount URL when env is missing", () => {
+    expect(resolveGatewaySsoBaseUrl(undefined, 8900, "sso")).toBe("http://localhost:8900/sso");
+  });
+
+  test("uses tunnel host when provided and env is missing", () => {
+    expect(resolveGatewaySsoBaseUrl(undefined, 8900, "sso", "https://mybox.dev.example.com")).toBe(
+      "https://mybox.dev.example.com/sso"
+    );
+  });
+
+  test("overrides localhost SSO base URL in tunnel mode", () => {
+    expect(
+      resolveGatewaySsoBaseUrl(
+        "http://localhost:7100/sso",
+        8900,
+        "sso",
+        "https://mybox.dev.example.com"
+      )
+    ).toBe("https://mybox.dev.example.com/sso");
+  });
+
+  test("keeps non-local configured SSO base URL in tunnel mode", () => {
+    expect(
+      resolveGatewaySsoBaseUrl(
+        "https://sso.example.com",
+        8900,
+        "sso",
+        "https://mybox.dev.example.com"
+      )
+    ).toBe("https://sso.example.com");
+  });
+});
+
+describe("applyResourceNameEnvVars", () => {
+  test("injects DYNAMODB_TABLE_* and S3_BUCKET_* env vars from stack/mount/key", () => {
+    const cells = [
+      {
+        mount: "agent",
+        cellDir: "/tmp/agent",
+        packageName: "@otavia/agent",
+        config: {
+          name: "agent",
+          params: [],
+          tables: {
+            settings: { keys: { pk: "S", sk: "S" } },
+            pending_client_info: { keys: { pk: "S" } },
+          },
+          buckets: {
+            uploads: {},
+          },
+        },
+        env: {} as Record<string, string>,
+      },
+    ] as any;
+
+    applyResourceNameEnvVars(cells, "otavia-local");
+
+    expect(cells[0].env.DYNAMODB_TABLE_SETTINGS).toBe("otavia-local-agent-settings");
+    expect(cells[0].env.DYNAMODB_TABLE_PENDING_CLIENT_INFO).toBe(
+      "otavia-local-agent-pending-client-info"
+    );
+    expect(cells[0].env.S3_BUCKET_UPLOADS).toBe("otavia-local-agent-uploads");
+  });
+});
+
+describe("resolveRootRedirectMount", () => {
+  test("prefers configured mount when it is mounted", () => {
+    expect(resolveRootRedirectMount(["sso", "drive", "agent"], "drive")).toBe("drive");
+  });
+
+  test("falls back to first mount when configured mount is absent", () => {
+    expect(resolveRootRedirectMount(["sso", "agent"], "drive")).toBe("sso");
+  });
+
+  test("falls back to first mount when no preferred mount is configured", () => {
+    expect(resolveRootRedirectMount(["sso", "drive", "agent"])).toBe("sso");
+  });
+
+  test("returns empty string when there are no mounts", () => {
+    expect(resolveRootRedirectMount([])).toBe("");
+  });
+});

package/src/commands/dev/__tests__/tunnel.test.ts

@@ -0,0 +1,93 @@
+import { describe, expect, test } from "bun:test";
+import {
+  buildCloudflaredTunnelCommand,
+  extractTunnelHostFromConfig,
+  normalizeTunnelPublicBaseUrl,
+  resolveTunnelLogLevel,
+  resolveTunnelProtocol,
+} from "../tunnel";
+
+describe("extractTunnelHostFromConfig", () => {
+  test("returns first non-wildcard hostname in ingress", () => {
+    const config = `
+tunnel: otavia-dev-mybox
+credentials-file: /tmp/credentials.json
+ingress:
+  - hostname: "*.mybox.dev.example.com"
+    service: http://127.0.0.1:7100
+  - hostname: "mybox.dev.example.com"
+    service: http://127.0.0.1:7100
+  - service: http_status:404
+`;
+    expect(extractTunnelHostFromConfig(config)).toBe("mybox.dev.example.com");
+  });
+
+  test("returns null when no hostname is configured", () => {
+    const config = `
+tunnel: otavia-dev-mybox
+credentials-file: /tmp/credentials.json
+ingress:
+  - service: http://127.0.0.1:7100
+  - service: http_status:404
+`;
+    expect(extractTunnelHostFromConfig(config)).toBeNull();
+  });
+});
+
+describe("normalizeTunnelPublicBaseUrl", () => {
+  test("adds https scheme for plain host", () => {
+    expect(normalizeTunnelPublicBaseUrl("mybox.dev.example.com")).toBe(
+      "https://mybox.dev.example.com"
+    );
+  });
+
+  test("trims trailing slash when already full URL", () => {
+    expect(normalizeTunnelPublicBaseUrl("https://mybox.dev.example.com/")).toBe(
+      "https://mybox.dev.example.com"
+    );
+  });
+});
+
+describe("resolveTunnelLogLevel", () => {
+  test("defaults to warn", () => {
+    expect(resolveTunnelLogLevel()).toBe("warn");
+  });
+
+  test("normalizes mixed-case level", () => {
+    expect(resolveTunnelLogLevel("InFo")).toBe("info");
+  });
+
+  test("throws on invalid value", () => {
+    expect(() => resolveTunnelLogLevel("verbose")).toThrow(
+      'Invalid tunnel log level "verbose". Expected one of: debug, info, warn, error.'
+    );
+  });
+});
+
+describe("buildCloudflaredTunnelCommand", () => {
+  test("builds command with quoted config path and log level", () => {
+    expect(buildCloudflaredTunnelCommand("/tmp/dev config.yml", "warn", "quic")).toBe(
+      'cloudflared tunnel --loglevel warn --protocol quic --config "/tmp/dev config.yml" run'
+    );
+  });
+});
+
+describe("resolveTunnelProtocol", () => {
+  test("defaults to quic", () => {
+    expect(resolveTunnelProtocol()).toBe("quic");
+  });
+
+  test("normalizes mixed-case protocol", () => {
+    expect(resolveTunnelProtocol("Http2")).toBe("http2");
+  });
+
+  test("allows auto protocol", () => {
+    expect(resolveTunnelProtocol("auto")).toBe("auto");
+  });
+
+  test("throws on invalid protocol", () => {
+    expect(() => resolveTunnelProtocol("ws")).toThrow(
+      'Invalid tunnel protocol "ws". Expected one of: auto, quic, http2.'
+    );
+  });
+});

package/src/commands/dev/__tests__/vite-dev-proxy-rules.test.ts

@@ -0,0 +1,220 @@
+import { describe, expect, test } from "bun:test";
+import {
+  buildMainDevGeneratedConfig,
+  deriveFrontendModuleProxySpecs,
+  deriveFrontendRouteRulesFromCellConfig,
+  deriveRouteRulesFromCellConfig,
+} from "../vite-dev.js";
+
+describe("deriveRouteRulesFromCellConfig", () => {
+  test("converts backend routes into exact/prefix rules", () => {
+    const config = {
+      name: "agent",
+      backend: {
+        runtime: "nodejs20.x",
+        entries: {
+          api: {
+            handler: "lambda.ts",
+            timeout: 30,
+            memory: 1024,
+            routes: ["/api/*", "/oauth/login", "/.well-known/*"],
+          },
+        },
+      },
+    } as any;
+
+    expect(deriveRouteRulesFromCellConfig(config)).toEqual([
+      { path: "/api", match: "prefix" },
+      { path: "/oauth/login", match: "exact" },
+      { path: "/.well-known", match: "prefix" },
+    ]);
+  });
+
+  test("throws when a backend route does not start with slash", () => {
+    const config = {
+      name: "broken-cell",
+      backend: {
+        runtime: "nodejs20.x",
+        entries: {
+          api: {
+            handler: "lambda.ts",
+            timeout: 30,
+            memory: 1024,
+            routes: ["api/*"],
+          },
+        },
+      },
+    } as any;
+
+    expect(() => deriveRouteRulesFromCellConfig(config)).toThrow(
+      'Invalid backend route "api": route must start with "/"'
+    );
+  });
+});
+
+describe("buildMainDevGeneratedConfig", () => {
+  test("builds mounted proxy rules from per-cell route rules", () => {
+    const generated = buildMainDevGeneratedConfig(
+      [
+        {
+          mount: "sso",
+          routeRules: [
+            { path: "/oauth/authorize", match: "exact" },
+            { path: "/oauth/callback", match: "exact" },
+          ],
+          moduleProxySpecs: [],
+          frontendRouteRules: [],
+        },
+        {
+          mount: "agent",
+          routeRules: [
+            { path: "/api", match: "prefix" },
+            { path: "/oauth/login", match: "exact" },
+          ],
+          moduleProxySpecs: [
+            {
+              mount: "agent",
+              routePath: "/agent/sw.js",
+              sourcePath: "/repo/cells/agent/frontend/sw.ts",
+            },
+          ],
+          frontendRouteRules: [],
+        },
+      ],
+      8900
+    );
+
+    expect(generated.firstMount).toBe("sso");
+    expect(generated.mounts).toEqual(["sso", "agent"]);
+    expect(generated.frontendModuleProxyRules).toEqual([
+      {
+        path: "/agent/sw.js",
+        sourcePath: "/repo/cells/agent/frontend/sw.ts",
+      },
+    ]);
+    expect(generated.routeRules).toEqual(
+      expect.arrayContaining([
+        { path: "/api", match: "prefix" },
+        { path: "/oauth/login", match: "exact" },
+        { path: "/oauth/authorize", match: "exact" },
+        { path: "/oauth/callback", match: "exact" },
+        { path: "/.well-known", match: "prefix" },
+      ])
+    );
+    expect(generated.proxyRules).toEqual(
+      expect.arrayContaining([
+        {
+          mount: "__global__",
+          path: "/.well-known",
+          match: "prefix",
+          target: "http://localhost:8900",
+        },
+        {
+          mount: "agent",
+          path: "/agent/api",
+          match: "prefix",
+          target: "http://localhost:8900",
+        },
+        {
+          mount: "agent",
+          path: "/agent/oauth/login",
+          match: "exact",
+          target: "http://localhost:8900",
+        },
+        {
+          mount: "sso",
+          path: "/sso/oauth/authorize",
+          match: "exact",
+          target: "http://localhost:8900",
+        },
+      ])
+    );
+  });
+
+  test("converts module source paths to paths relative to base dir", () => {
+    const generated = buildMainDevGeneratedConfig(
+      [
+        {
+          mount: "agent",
+          routeRules: [],
+          moduleProxySpecs: [
+            {
+              mount: "agent",
+              routePath: "/agent/sw.js",
+              sourcePath: "/repo/apps/main/node_modules/@otavia/agent/frontend/sw.ts",
+            },
+          ],
+          frontendRouteRules: [],
+        },
+      ],
+      8900,
+      "/repo/apps/main"
+    );
+
+    expect(generated.frontendModuleProxyRules).toEqual([
+      {
+        path: "/agent/sw.js",
+        sourcePath: "node_modules/@otavia/agent/frontend/sw.ts",
+      },
+    ]);
+  });
+});
+
+describe("deriveFrontendRouteRulesFromCellConfig", () => {
+  test("converts frontend entry routes into mounted route rules", () => {
+    const config = {
+      name: "agent",
+      frontend: {
+        dir: "frontend",
+        entries: {
+          main: { entry: "index.html", routes: ["/*"] },
+          sw: { entry: "sw.ts", routes: ["/sw.js"] },
+        },
+      },
+    } as any;
+
+    expect(deriveFrontendRouteRulesFromCellConfig("agent", config)).toEqual([
+      { mount: "agent", path: "/agent", match: "prefix", entryName: "main", entryType: "html" },
+      { mount: "agent", path: "/agent/sw.js", match: "exact", entryName: "sw", entryType: "module" },
+    ]);
+  });
+});
+
+describe("deriveFrontendModuleProxySpecs", () => {
+  test("creates module proxy specs from non-html entries", () => {
+    const config = {
+      name: "agent",
+      frontend: {
+        dir: "frontend",
+        entries: {
+          main: { entry: "index.html", routes: ["/*"] },
+          sw: { entry: "sw.ts", routes: ["/sw.js"] },
+        },
+      },
+    } as any;
+
+    expect(deriveFrontendModuleProxySpecs("agent", "/repo/cells/agent", config)).toEqual([
+      {
+        mount: "agent",
+        routePath: "/agent/sw.js",
+        sourcePath: "/repo/cells/agent/frontend/sw.ts",
+      },
+    ]);
+  });
+
+  test("throws for wildcard module routes", () => {
+    const config = {
+      name: "broken",
+      frontend: {
+        dir: "frontend",
+        entries: {
+          worker: { entry: "worker.ts", routes: ["/workers/*"] },
+        },
+      },
+    } as any;
+
+    expect(() => deriveFrontendModuleProxySpecs("broken", "/repo/cells/broken", config)).toThrow(
+      'Invalid module frontend route "/workers/*" for mount "broken": wildcard routes are only supported for HTML entries'
+    );
+  });
+});

package/src/commands/dev/__tests__/well-known.test.ts

@@ -0,0 +1,88 @@
+import { describe, expect, test } from "bun:test";
+import {
+  buildOAuthAuthorizationServerMetadata,
+  buildOAuthProtectedResourceMetadata,
+  createOAuthDiscoveryRegistry,
+  extractMountFromAuthorizationServerWellKnownPath,
+  extractProtectedResourcePathFromWellKnown,
+} from "../well-known.js";
+
+describe("extractMountFromAuthorizationServerWellKnownPath", () => {
+  test("extracts mount from RFC 8414 well-known path suffix", () => {
+    expect(
+      extractMountFromAuthorizationServerWellKnownPath(
+        "/.well-known/oauth-authorization-server/agent"
+      )
+    ).toBe("agent");
+  });
+
+  test("returns null for root no-suffix discovery path", () => {
+    expect(
+      extractMountFromAuthorizationServerWellKnownPath(
+        "/.well-known/oauth-authorization-server"
+      )
+    ).toBeNull();
+  });
+
+  test("returns null for invalid suffix with extra segments", () => {
+    expect(
+      extractMountFromAuthorizationServerWellKnownPath(
+        "/.well-known/oauth-authorization-server/agent/nested"
+      )
+    ).toBeNull();
+  });
+});
+
+describe("createOAuthDiscoveryRegistry", () => {
+  test("registers only oauth-enabled cells", () => {
+    const registry = createOAuthDiscoveryRegistry([
+      { mount: "agent", config: { oauth: { enabled: true, role: "both", scopes: ["use_mcp"] } } },
+      { mount: "drive", config: { oauth: { enabled: false, role: "both", scopes: ["use_mcp"] } } },
+      { mount: "plain", config: {} },
+    ] as any);
+    expect(Array.from(registry.keys())).toEqual(["agent"]);
+  });
+});
+
+describe("buildOAuthAuthorizationServerMetadata", () => {
+  test("builds metadata with issuer at mount path", () => {
+    const metadata = buildOAuthAuthorizationServerMetadata("http://localhost:8900", "agent", ["use_mcp"]);
+    expect(metadata.issuer).toBe("http://localhost:8900/agent");
+    expect(metadata.authorization_endpoint).toBe("http://localhost:8900/agent/oauth/authorize");
+    expect(metadata.token_endpoint).toBe("http://localhost:8900/agent/oauth/token");
+    expect(metadata.registration_endpoint).toBe("http://localhost:8900/agent/oauth/register");
+    expect(metadata.scopes_supported).toEqual(["use_mcp"]);
+  });
+});
+
+describe("extractProtectedResourcePathFromWellKnown", () => {
+  test("extracts protected resource path from RFC 9728 suffix", () => {
+    expect(
+      extractProtectedResourcePathFromWellKnown(
+        "/.well-known/oauth-protected-resource/drive/mcp"
+      )
+    ).toBe("/drive/mcp");
+  });
+
+  test("returns null for root path without suffix", () => {
+    expect(
+      extractProtectedResourcePathFromWellKnown(
+        "/.well-known/oauth-protected-resource"
+      )
+    ).toBeNull();
+  });
+});
+
+describe("buildOAuthProtectedResourceMetadata", () => {
+  test("builds resource metadata for mounted MCP route", () => {
+    const metadata = buildOAuthProtectedResourceMetadata(
+      "http://localhost:7100",
+      "/drive/mcp",
+      "drive",
+      ["use_mcp"]
+    );
+    expect(metadata.authorization_servers).toEqual(["http://localhost:7100/drive"]);
+    expect(metadata.resource).toBe("http://localhost:7100/drive/mcp");
+    expect(metadata.scopes_supported).toEqual(["use_mcp"]);
+  });
+});

package/src/commands/dev/forward-url.ts

@@ -0,0 +1,7 @@
+export function buildForwardUrlForCellMount(rawUrl: string, prefix: string): URL {
+  const url = new URL(rawUrl);
+  const afterPrefix = url.pathname.slice(prefix.length) || "/";
+  const newUrl = new URL(afterPrefix, url.origin);
+  newUrl.search = url.search;
+  return newUrl;
+}