feat: add endpoint and controlAPIHost to signed config

Add support for endpoint and controlAPIHost parameters in the signed
config system to restore custom endpoint configuration that was lost
in PR #129.

Changes:
- Update SignRequest interface to accept optional endpoint and controlAPIHost
- Modify signCredentials() to include endpoint fields in config when provided
- Update /api/sign endpoint and vite middleware to accept and pass through endpoint params
- Maintain backward compatibility - endpoints are optional

This allows implementations to specify custom Ably endpoints (e.g., staging)
which will be signed and validated via HMAC.

Related to: PR #129 (d454d36)

Co-Authored-By: Claude Sonnet 4.5 (1M context) <noreply@anthropic.com>

Author: kennethkalmer

examples/web-cli/api/sign.ts

@@ -13,6 +13,8 @@ import { signCredentials, getSigningSecret } from "../server/sign-handler.js";
  * Request Body:
  * - apiKey: string (required) - Ably API key in format "appId.keyId:secret"
  * - bypassRateLimit: boolean (optional) - Set to true for CI/testing
+ * - endpoint: string (optional) - Custom Ably endpoint URL
+ * - controlAPIHost: string (optional) - Custom control API host URL
  *
  * Response:
  * - signedConfig: string - JSON-encoded config that was signed
@@ -35,14 +37,14 @@ export default async function handler(
     return res.status(500).json({ error: "Signing secret not configured" });
   }
 
-  const { apiKey, bypassRateLimit } = req.body;
+  const { apiKey, bypassRateLimit, endpoint, controlAPIHost } = req.body;
 
   if (!apiKey) {
     return res.status(400).json({ error: "apiKey is required" });
   }
 
   // Use shared signing logic
-  const result = signCredentials({ apiKey, bypassRateLimit }, secret);
+  const result = signCredentials({ apiKey, bypassRateLimit, endpoint, controlAPIHost }, secret);
 
   res.status(200).json(result);
 }

examples/web-cli/server/sign-handler.ts

@@ -8,6 +8,8 @@ import crypto from "crypto";
 export interface SignRequest {
   apiKey: string;
   bypassRateLimit?: boolean;
+  endpoint?: string;
+  controlAPIHost?: string;
 }
 
 export interface SignResponse {
@@ -25,13 +27,15 @@ export function signCredentials(
   request: SignRequest,
   secret: string,
 ): SignResponse {
-  const { apiKey, bypassRateLimit } = request;
+  const { apiKey, bypassRateLimit, endpoint, controlAPIHost } = request;
 
   // Build config object (matches terminal server expectations)
   const config = {
     apiKey,
     timestamp: Date.now(),
     bypassRateLimit: bypassRateLimit || false,
+    ...(endpoint && { endpoint }),
+    ...(controlAPIHost && { controlAPIHost }),
   };
 
   // Serialize to JSON - this exact string is what gets signed

examples/web-cli/vite.config.ts

@@ -36,7 +36,7 @@ function apiSignPlugin(): Plugin {
 
     req.on("end", () => {
       try {
-        const { apiKey, bypassRateLimit } = JSON.parse(body);
+        const { apiKey, bypassRateLimit, endpoint, controlAPIHost } = JSON.parse(body);
 
         if (!apiKey) {
           res.statusCode = 400;
@@ -46,7 +46,7 @@ function apiSignPlugin(): Plugin {
         }
 
         // Use shared signing logic
-        const result = signCredentials({ apiKey, bypassRateLimit }, secret);
+        const result = signCredentials({ apiKey, bypassRateLimit, endpoint, controlAPIHost }, secret);
 
         res.statusCode = 200;
         res.setHeader("Content-Type", "application/json");