@openparachute/hub 0.3.0-rc.1 → 0.5.1

package/src/__tests__/cli.test.ts

@@ -122,6 +122,56 @@ describe("cli per-subcommand help", () => {
     expect(stderr).toMatch(/--cloudflare only applies to `public`/);
   });
 
+  test("expose public --tailnet --cloudflare rejected as mutually exclusive", async () => {
+    const { code, stderr } = await runCli([
+      "expose",
+      "public",
+      "--tailnet",
+      "--cloudflare",
+      "--domain",
+      "vault.example.com",
+    ]);
+    expect(code).toBe(1);
+    expect(stderr).toMatch(/mutually exclusive/);
+  });
+
+  test("expose tailnet --tailnet rejected (tailnet flag scoped to public layer)", async () => {
+    const { code, stderr } = await runCli(["expose", "tailnet", "--tailnet"]);
+    expect(code).toBe(1);
+    expect(stderr).toMatch(/--tailnet pins the public layer/);
+  });
+
+  test("expose --help mentions --tailnet, --skip-provider-check, --tunnel-name", async () => {
+    const { code, stdout } = await runCli(["expose", "--help"]);
+    expect(code).toBe(0);
+    expect(stdout).toMatch(/--tailnet\b/);
+    expect(stdout).toMatch(/--skip-provider-check\b/);
+    expect(stdout).toMatch(/--tunnel-name\b/);
+  });
+
+  test("expose public --skip-provider-check pins to Tailscale-Funnel default (skips auto-pick)", async () => {
+    // With PATH="" tailscale isn't on PATH, so exposePublic prints its own
+    // install hint. That's distinct from the auto-pick "no exposure provider
+    // is set up" output — proving the skip flag bypassed auto-pick and went
+    // straight to the Funnel path. If we regressed and skip-flag tumbled
+    // into auto-pick, we'd see the auto-pick neither-ready report instead.
+    const proc = Bun.spawn([process.execPath, CLI, "expose", "public", "--skip-provider-check"], {
+      stdout: "pipe",
+      stderr: "pipe",
+      env: {
+        ...process.env,
+        PATH: "",
+        HOME: "/tmp/parachute-hub-nonexistent-home",
+        PARACHUTE_HOME: "/tmp/parachute-hub-nonexistent-home",
+      },
+    });
+    const [stdout, code] = await Promise.all([new Response(proc.stdout).text(), proc.exited]);
+    expect(code).toBe(1);
+    expect(stdout).toMatch(/tailscale is not installed or not on PATH/);
+    expect(stdout).not.toMatch(/no exposure provider is set up/);
+    expect(stdout).not.toMatch(/Auto-detected/);
+  });
+
   test("expose with missing --domain value exits 1", async () => {
     const { code, stderr } = await runCli(["expose", "public", "--cloudflare", "--domain"]);
     expect(code).toBe(1);

package/src/__tests__/clients.test.ts

@@ -0,0 +1,264 @@
+import { describe, expect, test } from "bun:test";
+import { mkdtempSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import {
+  InvalidRedirectUriError,
+  approveClient,
+  getClient,
+  isValidRedirectUri,
+  listClientsByStatus,
+  registerClient,
+  requireRegisteredRedirectUri,
+  verifyClientSecret,
+} from "../clients.ts";
+import { hubDbPath, openHubDb } from "../hub-db.ts";
+
+function makeDb() {
+  const configDir = mkdtempSync(join(tmpdir(), "phub-clients-"));
+  const db = openHubDb(hubDbPath(configDir));
+  return {
+    db,
+    cleanup: () => {
+      db.close();
+      rmSync(configDir, { recursive: true, force: true });
+    },
+  };
+}
+
+describe("registerClient", () => {
+  test("public client has no client_secret", () => {
+    const { db, cleanup } = makeDb();
+    try {
+      const r = registerClient(db, {
+        redirectUris: ["https://example.com/cb"],
+        scopes: ["vault.read"],
+        clientName: "test",
+      });
+      expect(r.clientSecret).toBeNull();
+      expect(r.client.clientSecretHash).toBeNull();
+      expect(r.client.clientId.length).toBeGreaterThan(0);
+      expect(r.client.redirectUris).toEqual(["https://example.com/cb"]);
+      expect(r.client.scopes).toEqual(["vault.read"]);
+      expect(r.client.clientName).toBe("test");
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("confidential client returns plaintext secret once and stores hash", () => {
+    const { db, cleanup } = makeDb();
+    try {
+      const r = registerClient(db, {
+        redirectUris: ["https://example.com/cb"],
+        confidential: true,
+      });
+      expect(r.clientSecret).not.toBeNull();
+      expect(r.clientSecret?.length).toBeGreaterThan(20);
+      // Hash is sha256 hex (64 chars).
+      expect(r.client.clientSecretHash).toMatch(/^[0-9a-f]{64}$/);
+      // The plaintext is not recoverable from the row.
+      const fetched = getClient(db, r.client.clientId);
+      expect(fetched?.clientSecretHash).toBe(r.client.clientSecretHash);
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("rejects empty redirect_uris", () => {
+    const { db, cleanup } = makeDb();
+    try {
+      expect(() => registerClient(db, { redirectUris: [] })).toThrow(/redirect_uri/);
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("rejects non-http(s) redirect_uri", () => {
+    const { db, cleanup } = makeDb();
+    try {
+      expect(() => registerClient(db, { redirectUris: ["javascript:alert(1)"] })).toThrow(
+        /invalid redirect_uri/,
+      );
+      expect(() => registerClient(db, { redirectUris: ["/relative/path"] })).toThrow(
+        /invalid redirect_uri/,
+      );
+    } finally {
+      cleanup();
+    }
+  });
+});
+
+describe("getClient", () => {
+  test("returns null for unknown clientId", () => {
+    const { db, cleanup } = makeDb();
+    try {
+      expect(getClient(db, "nope")).toBeNull();
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("round-trips a registered client", () => {
+    const { db, cleanup } = makeDb();
+    try {
+      const r = registerClient(db, {
+        redirectUris: ["https://a.example/cb", "https://b.example/cb"],
+        scopes: ["vault.read", "vault.write"],
+      });
+      const fetched = getClient(db, r.client.clientId);
+      expect(fetched?.redirectUris).toEqual(["https://a.example/cb", "https://b.example/cb"]);
+      expect(fetched?.scopes).toEqual(["vault.read", "vault.write"]);
+    } finally {
+      cleanup();
+    }
+  });
+});
+
+describe("requireRegisteredRedirectUri", () => {
+  test("returns the matched URI on exact match", () => {
+    const { db, cleanup } = makeDb();
+    try {
+      const r = registerClient(db, { redirectUris: ["https://example.com/cb"] });
+      expect(requireRegisteredRedirectUri(r.client, "https://example.com/cb")).toBe(
+        "https://example.com/cb",
+      );
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("throws on prefix-only / loose match (open-redirect guard)", () => {
+    const { db, cleanup } = makeDb();
+    try {
+      const r = registerClient(db, { redirectUris: ["https://example.com/cb"] });
+      expect(() => requireRegisteredRedirectUri(r.client, "https://example.com/cb/extra")).toThrow(
+        InvalidRedirectUriError,
+      );
+      expect(() => requireRegisteredRedirectUri(r.client, "https://evil.com/cb")).toThrow(
+        InvalidRedirectUriError,
+      );
+    } finally {
+      cleanup();
+    }
+  });
+});
+
+describe("verifyClientSecret", () => {
+  test("matches the issued secret, rejects others", () => {
+    const { db, cleanup } = makeDb();
+    try {
+      const r = registerClient(db, {
+        redirectUris: ["https://example.com/cb"],
+        confidential: true,
+      });
+      expect(r.clientSecret).not.toBeNull();
+      expect(verifyClientSecret(r.client, r.clientSecret ?? "")).toBe(true);
+      expect(verifyClientSecret(r.client, "wrong")).toBe(false);
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("returns false for public clients regardless of presented secret", () => {
+    const { db, cleanup } = makeDb();
+    try {
+      const r = registerClient(db, { redirectUris: ["https://example.com/cb"] });
+      expect(verifyClientSecret(r.client, "anything")).toBe(false);
+    } finally {
+      cleanup();
+    }
+  });
+});
+
+describe("approval gate (#74)", () => {
+  test("registerClient defaults status to approved (direct callers)", () => {
+    const { db, cleanup } = makeDb();
+    try {
+      const r = registerClient(db, { redirectUris: ["https://example.com/cb"] });
+      expect(r.client.status).toBe("approved");
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("registerClient honors explicit status: pending (DCR path)", () => {
+    const { db, cleanup } = makeDb();
+    try {
+      const r = registerClient(db, {
+        redirectUris: ["https://example.com/cb"],
+        status: "pending",
+      });
+      expect(r.client.status).toBe("pending");
+      expect(getClient(db, r.client.clientId)?.status).toBe("pending");
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("approveClient promotes pending → approved and is idempotent", () => {
+    const { db, cleanup } = makeDb();
+    try {
+      const r = registerClient(db, {
+        redirectUris: ["https://example.com/cb"],
+        status: "pending",
+      });
+      expect(approveClient(db, r.client.clientId)).toBe(true);
+      expect(getClient(db, r.client.clientId)?.status).toBe("approved");
+      // Second call is a no-op but still returns true.
+      expect(approveClient(db, r.client.clientId)).toBe(true);
+      expect(getClient(db, r.client.clientId)?.status).toBe("approved");
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("approveClient returns false for unknown client", () => {
+    const { db, cleanup } = makeDb();
+    try {
+      expect(approveClient(db, "no-such-client")).toBe(false);
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("listClientsByStatus filters and orders by registered_at", () => {
+    const { db, cleanup } = makeDb();
+    try {
+      const a = registerClient(db, {
+        redirectUris: ["https://a.example/cb"],
+        status: "pending",
+        now: () => new Date("2026-01-01T00:00:00Z"),
+      });
+      const b = registerClient(db, {
+        redirectUris: ["https://b.example/cb"],
+        status: "approved",
+        now: () => new Date("2026-01-02T00:00:00Z"),
+      });
+      const c = registerClient(db, {
+        redirectUris: ["https://c.example/cb"],
+        status: "pending",
+        now: () => new Date("2026-01-03T00:00:00Z"),
+      });
+      const pending = listClientsByStatus(db, "pending").map((r) => r.clientId);
+      expect(pending).toEqual([a.client.clientId, c.client.clientId]);
+      const approved = listClientsByStatus(db, "approved").map((r) => r.clientId);
+      expect(approved).toEqual([b.client.clientId]);
+    } finally {
+      cleanup();
+    }
+  });
+});
+
+describe("isValidRedirectUri", () => {
+  test("accepts http and https", () => {
+    expect(isValidRedirectUri("http://localhost:3000/cb")).toBe(true);
+    expect(isValidRedirectUri("https://example.com/cb")).toBe(true);
+  });
+  test("rejects javascript:, data:, relative paths, garbage", () => {
+    expect(isValidRedirectUri("javascript:alert(1)")).toBe(false);
+    expect(isValidRedirectUri("data:text/html,x")).toBe(false);
+    expect(isValidRedirectUri("/relative")).toBe(false);
+    expect(isValidRedirectUri("not a url")).toBe(false);
+  });
+});

package/src/__tests__/cloudflare-state.test.ts

@@ -1,12 +1,17 @@
 import { describe, expect, test } from "bun:test";
-import { existsSync, mkdtempSync, rmSync, writeFileSync } from "node:fs";
+import { existsSync, mkdtempSync, readFileSync, rmSync, writeFileSync } from "node:fs";
 import { tmpdir } from "node:os";
 import { join } from "node:path";
 import {
   type CloudflaredState,
   CloudflaredStateError,
+  type CloudflaredTunnelRecord,
   clearCloudflaredState,
+  findTunnelRecord,
+  listTunnelRecords,
   readCloudflaredState,
+  withTunnelRecord,
+  withoutTunnelRecord,
   writeCloudflaredState,
 } from "../cloudflare/state.ts";
 
@@ -18,14 +23,18 @@ function makeTempPath(): { path: string; cleanup: () => void } {
   };
 }
 
-const sample: CloudflaredState = {
-  version: 1,
+const sampleRecord: CloudflaredTunnelRecord = {
   pid: 12345,
   tunnelUuid: "2c1a7c7e-1234-5678-9abc-def012345678",
   tunnelName: "parachute",
   hostname: "vault.example.com",
   startedAt: "2026-04-22T12:00:00.000Z",
-  configPath: "/home/x/.parachute/cloudflared/config.yml",
+  configPath: "/home/x/.parachute/cloudflared/parachute/config.yml",
+};
+
+const sample: CloudflaredState = {
+  version: 2,
+  tunnels: { parachute: sampleRecord },
 };
 
 describe("cloudflared state", () => {
@@ -63,23 +72,45 @@ describe("cloudflared state", () => {
   test("throws on unsupported version", () => {
     const { path, cleanup } = makeTempPath();
     try {
-      writeFileSync(path, JSON.stringify({ ...sample, version: 99 }));
+      writeFileSync(path, JSON.stringify({ version: 99, tunnels: {} }));
       expect(() => readCloudflaredState(path)).toThrow(/unsupported version/);
     } finally {
       cleanup();
     }
   });
 
-  test("throws on non-positive pid", () => {
+  test("throws on non-positive pid in a tunnel record", () => {
     const { path, cleanup } = makeTempPath();
     try {
-      writeFileSync(path, JSON.stringify({ ...sample, pid: -1 }));
+      writeFileSync(
+        path,
+        JSON.stringify({
+          version: 2,
+          tunnels: { parachute: { ...sampleRecord, pid: -1 } },
+        }),
+      );
       expect(() => readCloudflaredState(path)).toThrow(CloudflaredStateError);
     } finally {
       cleanup();
     }
   });
 
+  test("throws when tunnel record's name doesn't match its key", () => {
+    const { path, cleanup } = makeTempPath();
+    try {
+      writeFileSync(
+        path,
+        JSON.stringify({
+          version: 2,
+          tunnels: { parachute: { ...sampleRecord, tunnelName: "different" } },
+        }),
+      );
+      expect(() => readCloudflaredState(path)).toThrow(/must equal its key/);
+    } finally {
+      cleanup();
+    }
+  });
+
   test("throws on malformed JSON", () => {
     const { path, cleanup } = makeTempPath();
     try {
@@ -89,4 +120,133 @@ describe("cloudflared state", () => {
       cleanup();
     }
   });
+
+  test("migrates v1 single-record state to v2 on read", () => {
+    const { path, cleanup } = makeTempPath();
+    try {
+      // v1 — pre-#32 shape with the single record at the top level. cloudflared
+      // installs in the wild may still have this on disk; reading it must not
+      // explode and must yield the canonical v2 shape.
+      const legacy = {
+        version: 1,
+        pid: 12345,
+        tunnelUuid: "2c1a7c7e-1234-5678-9abc-def012345678",
+        tunnelName: "parachute",
+        hostname: "vault.example.com",
+        startedAt: "2026-04-22T12:00:00.000Z",
+        configPath: "/home/x/.parachute/cloudflared/config.yml",
+      };
+      writeFileSync(path, JSON.stringify(legacy));
+
+      const state = readCloudflaredState(path);
+      expect(state).toEqual({
+        version: 2,
+        tunnels: {
+          parachute: {
+            pid: 12345,
+            tunnelUuid: "2c1a7c7e-1234-5678-9abc-def012345678",
+            tunnelName: "parachute",
+            hostname: "vault.example.com",
+            startedAt: "2026-04-22T12:00:00.000Z",
+            configPath: "/home/x/.parachute/cloudflared/config.yml",
+          },
+        },
+      });
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("v1 migration is read-only until the next write", () => {
+    // The migration is silent on read but doesn't rewrite disk on its own —
+    // disk only flips when the next write commits. Mirrors how other state
+    // migrations in the repo behave; documents the contract.
+    const { path, cleanup } = makeTempPath();
+    try {
+      const legacy = {
+        version: 1,
+        pid: 12345,
+        tunnelUuid: "2c1a7c7e-1234-5678-9abc-def012345678",
+        tunnelName: "parachute",
+        hostname: "vault.example.com",
+        startedAt: "2026-04-22T12:00:00.000Z",
+        configPath: "/home/x/.parachute/cloudflared/config.yml",
+      };
+      writeFileSync(path, JSON.stringify(legacy));
+      readCloudflaredState(path); // returns v2 in memory
+      const onDisk = JSON.parse(readFileSync(path, "utf8"));
+      expect(onDisk.version).toBe(1);
+
+      // After a write, disk reflects v2.
+      const state = readCloudflaredState(path);
+      writeCloudflaredState(state as CloudflaredState, path);
+      const onDiskAfter = JSON.parse(readFileSync(path, "utf8"));
+      expect(onDiskAfter.version).toBe(2);
+      expect(onDiskAfter.tunnels.parachute.tunnelName).toBe("parachute");
+    } finally {
+      cleanup();
+    }
+  });
+});
+
+describe("cloudflared state — record helpers", () => {
+  const recordA: CloudflaredTunnelRecord = {
+    pid: 1001,
+    tunnelUuid: "aaaaaaaa-0000-0000-0000-000000000001",
+    tunnelName: "alpha",
+    hostname: "alpha.example.com",
+    startedAt: "2026-04-23T10:00:00.000Z",
+    configPath: "/tmp/alpha/config.yml",
+  };
+  const recordB: CloudflaredTunnelRecord = {
+    pid: 1002,
+    tunnelUuid: "bbbbbbbb-0000-0000-0000-000000000002",
+    tunnelName: "beta",
+    hostname: "beta.example.com",
+    startedAt: "2026-04-23T11:00:00.000Z",
+    configPath: "/tmp/beta/config.yml",
+  };
+
+  test("findTunnelRecord returns undefined for unknown name and the record for known name", () => {
+    const state: CloudflaredState = { version: 2, tunnels: { alpha: recordA } };
+    expect(findTunnelRecord(state, "alpha")).toEqual(recordA);
+    expect(findTunnelRecord(state, "beta")).toBeUndefined();
+    expect(findTunnelRecord(undefined, "alpha")).toBeUndefined();
+  });
+
+  test("withTunnelRecord inserts into empty/undefined state", () => {
+    const next = withTunnelRecord(undefined, recordA);
+    expect(next).toEqual({ version: 2, tunnels: { alpha: recordA } });
+  });
+
+  test("withTunnelRecord adds a second tunnel without disturbing the first", () => {
+    const initial = withTunnelRecord(undefined, recordA);
+    const next = withTunnelRecord(initial, recordB);
+    expect(next.tunnels).toEqual({ alpha: recordA, beta: recordB });
+  });
+
+  test("withTunnelRecord replaces an existing record under the same name", () => {
+    const initial = withTunnelRecord(undefined, recordA);
+    const replaced: CloudflaredTunnelRecord = { ...recordA, pid: 9999 };
+    const next = withTunnelRecord(initial, replaced);
+    expect(next.tunnels.alpha).toEqual(replaced);
+    expect(Object.keys(next.tunnels)).toEqual(["alpha"]);
+  });
+
+  test("withoutTunnelRecord drops the named tunnel and returns undefined when empty", () => {
+    const initial = withTunnelRecord(undefined, recordA);
+    expect(withoutTunnelRecord(initial, "alpha")).toBeUndefined();
+  });
+
+  test("withoutTunnelRecord leaves other tunnels in place", () => {
+    const both = withTunnelRecord(withTunnelRecord(undefined, recordA), recordB);
+    const next = withoutTunnelRecord(both, "alpha");
+    expect(next).toEqual({ version: 2, tunnels: { beta: recordB } });
+  });
+
+  test("listTunnelRecords returns sorted-by-name order", () => {
+    const both = withTunnelRecord(withTunnelRecord(undefined, recordB), recordA);
+    expect(listTunnelRecords(both).map((r) => r.tunnelName)).toEqual(["alpha", "beta"]);
+    expect(listTunnelRecords(undefined)).toEqual([]);
+  });
 });

package/src/__tests__/csrf.test.ts

@@ -0,0 +1,117 @@
+import { describe, expect, test } from "bun:test";
+import {
+  CSRF_COOKIE_NAME,
+  CSRF_FIELD_NAME,
+  buildCsrfCookie,
+  ensureCsrfToken,
+  generateCsrfToken,
+  parseCsrfCookie,
+  renderCsrfHiddenInput,
+  verifyCsrfToken,
+} from "../csrf.ts";
+
+function reqWith(cookie: string | null, formToken?: string | null): Request {
+  const headers = new Headers();
+  if (cookie !== null) headers.set("cookie", cookie);
+  return new Request("https://hub.example/oauth/authorize", { headers });
+}
+
+describe("generateCsrfToken", () => {
+  test("returns a base64url string with > 32 chars of entropy", () => {
+    const token = generateCsrfToken();
+    expect(token.length).toBeGreaterThan(32);
+    expect(token).toMatch(/^[A-Za-z0-9_-]+$/);
+  });
+
+  test("two calls produce distinct tokens", () => {
+    expect(generateCsrfToken()).not.toBe(generateCsrfToken());
+  });
+});
+
+describe("buildCsrfCookie", () => {
+  test("emits the expected attributes", () => {
+    const v = buildCsrfCookie("abc");
+    expect(v).toContain(`${CSRF_COOKIE_NAME}=abc`);
+    expect(v).toContain("HttpOnly");
+    expect(v).toContain("Secure");
+    expect(v).toContain("SameSite=Lax");
+    expect(v).toContain("Path=/");
+    expect(v).toContain("Max-Age=");
+  });
+});
+
+describe("parseCsrfCookie", () => {
+  test("extracts the token from a cookie header", () => {
+    expect(parseCsrfCookie(`${CSRF_COOKIE_NAME}=xyz`)).toBe("xyz");
+    expect(parseCsrfCookie(`other=foo; ${CSRF_COOKIE_NAME}=xyz; bar=baz`)).toBe("xyz");
+  });
+
+  test("returns null when absent or empty", () => {
+    expect(parseCsrfCookie(null)).toBeNull();
+    expect(parseCsrfCookie("")).toBeNull();
+    expect(parseCsrfCookie("other=foo")).toBeNull();
+  });
+});
+
+describe("ensureCsrfToken", () => {
+  test("mints a fresh cookie when none is present", () => {
+    const result = ensureCsrfToken(reqWith(null));
+    expect(result.token.length).toBeGreaterThan(32);
+    expect(result.setCookie).toContain(`${CSRF_COOKIE_NAME}=${result.token}`);
+  });
+
+  test("reuses the existing cookie token without re-setting", () => {
+    const result = ensureCsrfToken(reqWith(`${CSRF_COOKIE_NAME}=existing-token`));
+    expect(result.token).toBe("existing-token");
+    expect(result.setCookie).toBeUndefined();
+  });
+
+  test("mints fresh when the cookie is empty", () => {
+    const result = ensureCsrfToken(reqWith(`${CSRF_COOKIE_NAME}=`));
+    expect(result.token.length).toBeGreaterThan(0);
+    expect(result.setCookie).toBeDefined();
+  });
+});
+
+describe("verifyCsrfToken", () => {
+  test("returns true when cookie and form match", () => {
+    const token = "match-me";
+    const req = reqWith(`${CSRF_COOKIE_NAME}=${token}`);
+    expect(verifyCsrfToken(req, token)).toBe(true);
+  });
+
+  test("returns false when the form token differs", () => {
+    const req = reqWith(`${CSRF_COOKIE_NAME}=cookie-token`);
+    expect(verifyCsrfToken(req, "form-token")).toBe(false);
+  });
+
+  test("returns false when cookie token is missing", () => {
+    expect(verifyCsrfToken(reqWith(null), "form-token")).toBe(false);
+  });
+
+  test("returns false when form token is missing", () => {
+    const req = reqWith(`${CSRF_COOKIE_NAME}=cookie-token`);
+    expect(verifyCsrfToken(req, null)).toBe(false);
+  });
+
+  test("returns false when lengths differ (avoids timingSafeEqual throw)", () => {
+    const req = reqWith(`${CSRF_COOKIE_NAME}=abcd`);
+    expect(verifyCsrfToken(req, "abcdef")).toBe(false);
+  });
+});
+
+describe("renderCsrfHiddenInput", () => {
+  test("renders an HTML hidden input with the field name", () => {
+    const html = renderCsrfHiddenInput("token-123");
+    expect(html).toContain(`name="${CSRF_FIELD_NAME}"`);
+    expect(html).toContain('value="token-123"');
+    expect(html).toContain('type="hidden"');
+  });
+
+  test("escapes hostile token content into the value attribute", () => {
+    const html = renderCsrfHiddenInput(`"><script>alert(1)</script>`);
+    expect(html).not.toContain("<script>");
+    expect(html).toContain("&quot;");
+    expect(html).toContain("&lt;script");
+  });
+});