fix(ctl): match bare /control path in route

Author: vhscom

packages/control/src/index.ts

@@ -79,31 +79,29 @@ export function controlPlugin(
 	// Static asset reverse proxy + WebSocket upgrade on /control path.
 	// The control UI derives its WebSocket URL from location.pathname,
 	// so upgrade requests arrive at /ops/control rather than /ops/ws.
-	opsRouter.all(
-		"/control/*",
-		cloakedAuth,
-		userOneGuard,
-		ipAllowlist,
-		async (ctx, next) => {
-			const env = ctx.env as ControlBindings;
-			if (!env.GATEWAY_URL) {
-				return ctx.notFound();
-			}
-
-			// WebSocket upgrade → transparent proxy (same handler as /ws cookie path)
-			if (ctx.req.header("upgrade")?.toLowerCase() === "websocket") {
-				if (!env.GATEWAY_TOKEN) return ctx.notFound();
-				return proxyUpgrade(ctx, next);
-			}
-
-			deps.obsEmitEvent?.(ctx, {
-				type: "control.proxy",
-				detail: { path: ctx.req.path, method: ctx.req.method },
-			});
-
-			return proxyToGateway(ctx, env.GATEWAY_URL);
-		},
-	);
+	const controlHandler: MiddlewareHandler = async (ctx, next) => {
+		const env = ctx.env as ControlBindings;
+		if (!env.GATEWAY_URL) {
+			return ctx.notFound();
+		}
+
+		// WebSocket upgrade → transparent proxy (same handler as /ws cookie path)
+		if (ctx.req.header("upgrade")?.toLowerCase() === "websocket") {
+			if (!env.GATEWAY_TOKEN) return ctx.notFound();
+			return proxyUpgrade(ctx, next);
+		}
+
+		deps.obsEmitEvent?.(ctx, {
+			type: "control.proxy",
+			detail: { path: ctx.req.path, method: ctx.req.method },
+		});
+
+		return proxyToGateway(ctx, env.GATEWAY_URL);
+	};
+
+	// Both /control and /control/* are needed — Hono's wildcard doesn't match the bare path.
+	opsRouter.all("/control", cloakedAuth, userOneGuard, ipAllowlist, controlHandler);
+	opsRouter.all("/control/*", cloakedAuth, userOneGuard, ipAllowlist, controlHandler);
 
 	// WebSocket proxy multiplexer (ADR-010 §WebSocket Multiplexing)
 	// Intercepts cookie-based connections on /ws for the proxy handler.