feat: local-first polish — magic-link gating, task-use bug, no_user_yet route + SPA copy

[buremba]

Summary

Five real gaps from the post-passkey audit, bundled.

Server

• auth/config.ts: hide magic-link button when RESEND_API_KEY is unset. Previously rendered a dead button in dev that logged the URL to stdout instead of emailing.
• auth/routes.ts /api/local-init: no_user_yet response's signup_url now points at /auth/sign-up (Owletto's actual SPA route, mapped via /auth/$pathname.tsx). The previous /sign-up fell into the $owner catch-all and looped.

Scripts

• task-use.sh: same $script_dir/.. → git rev-parse --path-format=absolute --git-common-dir fix as task-setup.sh in fix(cli): task-setup uses --path-format=absolute for git-common-dir #900. Without it, running from inside a worktree retargets symlinks at nested paths.

Owletto submodule (lobu-ai/owletto#191, 19221e9)

• login.tsx: single-user-mode copy ("Set up your local install", "stays on this machine", etc.). Post-signup addPasskey() auto-enrolls Touch ID from the same form-submit click context.
• AppState.swift: handles no_user_yet from /api/local-init by opening the signup URL in the browser. Resolves the URL via URL APIs so absolute signup_url and base URLs with path prefixes both work.

Codex review

Caught two bugs in the polish PR's first draft:

1. /sign-up route → /auth/sign-up (would otherwise loop into $owner catch-all).
2. Mac side concatenated strings to build URL; now uses URL APIs to handle absolute paths and prefixes.

Both fixed before push.

Test plan

• make typecheck clean.
• bun test packages/server/src/__tests__/unit — 201 pass.
• xcodebuild Owletto Debug — BUILD SUCCEEDED.
• E2E on fresh PGlite: Mac app opens browser at /auth/sign-up, operator types name+password+email, post-submit OS prompts for Touch ID, Mac app picks up the session via /api/local-init.

Summary by CodeRabbit

• Bug Fixes
  • Magic link authentication option now displays only when email delivery is configured.
  • Corrected signup URL routing in the authentication initialization flow.

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: dc753098-adb9-40d6-8cab-406d3d087a31

📥 Commits

Reviewing files that changed from the base of the PR and between 54de2e0 and bcdb488.

📒 Files selected for processing (4)

• packages/owletto
• packages/server/src/auth/config.ts
• packages/server/src/auth/routes.ts
• scripts/task-use.sh

---

📝 Walkthrough

Walkthrough

This PR consolidates four independent fixes: an owletto subproject version bump, auth configuration to require email delivery setup for magic-link availability, local-init routing to use the correct sign-up URL path, and a worktree-aware repository resolution fix in the task-use script.

Changes

Bug fixes and dependency updates

Layer / File(s)	Summary
Owletto subproject pointer update packages/owletto	Subproject commit reference updated to a new revision hash.
Auth magic-link configuration and local-init routing packages/server/src/auth/config.ts, packages/server/src/auth/routes.ts	Magic-link enablement now requires RESEND_API_KEY environment variable; local-init no-user-yet response redirects to /auth/sign-up instead of /sign-up with clarifying comments on routing behavior.
Task-use.sh repository resolution fix scripts/task-use.sh	Repository root resolution now uses git rev-parse with --git-common-dir to properly point symlinks to the main checkout regardless of which worktree the script is executed from.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• lobu-ai/lobu#905: Modifies getAuthConfig in the same file as this PR's magic-link logic update.
• lobu-ai/lobu#899: Updates the same CLI worktree scripts to compute repo via git rev-parse --git-common-dir, directly related to the task-use.sh fix.
• lobu-ai/lobu#886: Updates the packages/owletto submodule pointer to a different revision, overlapping at the same submodule location.

Poem

🐰 A little hop through auth and git,
Magic links now need their kit,
Worktrees dance in sync at last,
Small fixes keep the system fast! ✨

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/local-first-polish

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint skipped: no ESLint configuration detected in root package.json. To enable, add eslint to devDependencies.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!