@openparachute/hub 0.3.0-rc.1

package/src/__tests__/status.test.ts

@@ -0,0 +1,347 @@
+import { describe, expect, test } from "bun:test";
+import { mkdtempSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { status } from "../commands/status.ts";
+import { writePid } from "../process-state.ts";
+import { upsertService } from "../services-manifest.ts";
+
+function makeTempPath(): { path: string; cleanup: () => void; configDir: string } {
+  const dir = mkdtempSync(join(tmpdir(), "pcli-status-"));
+  return {
+    path: join(dir, "services.json"),
+    configDir: dir,
+    cleanup: () => rmSync(dir, { recursive: true, force: true }),
+  };
+}
+
+describe("status", () => {
+  test("empty manifest prints hint and exits 0", async () => {
+    const { path, cleanup } = makeTempPath();
+    try {
+      const lines: string[] = [];
+      const code = await status({
+        manifestPath: path,
+        fetchImpl: async () => new Response(null, { status: 200 }),
+        print: (l) => lines.push(l),
+      });
+      expect(code).toBe(0);
+      expect(lines.join("\n")).toMatch(/No services installed/);
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("all-healthy returns 0 and prints table", async () => {
+    const { path, cleanup } = makeTempPath();
+    try {
+      upsertService(
+        { name: "parachute-vault", port: 1940, paths: ["/"], health: "/health", version: "0.2.4" },
+        path,
+      );
+      upsertService(
+        {
+          name: "parachute-scribe",
+          port: 3200,
+          paths: ["/scribe"],
+          health: "/scribe/health",
+          version: "0.1.0",
+        },
+        path,
+      );
+      const seen: string[] = [];
+      const lines: string[] = [];
+      const code = await status({
+        manifestPath: path,
+        fetchImpl: async (url) => {
+          seen.push(String(url));
+          return new Response(null, { status: 200 });
+        },
+        print: (l) => lines.push(l),
+      });
+      expect(code).toBe(0);
+      expect(seen).toContain("http://localhost:1940/health");
+      expect(seen).toContain("http://localhost:3200/scribe/health");
+      expect(lines[0]).toMatch(/SERVICE/);
+      expect(lines.some((l) => l.includes("parachute-vault"))).toBe(true);
+      expect(lines.some((l) => l.includes("ok"))).toBe(true);
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("any-failing returns 1", async () => {
+    const { path, cleanup } = makeTempPath();
+    try {
+      upsertService(
+        { name: "parachute-vault", port: 1940, paths: ["/"], health: "/health", version: "0.2.4" },
+        path,
+      );
+      const lines: string[] = [];
+      const code = await status({
+        manifestPath: path,
+        fetchImpl: async () => {
+          throw new Error("ECONNREFUSED");
+        },
+        print: (l) => lines.push(l),
+      });
+      expect(code).toBe(1);
+      expect(lines.some((l) => l.includes("ECONNREFUSED"))).toBe(true);
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("http non-2xx counts as unhealthy with status code", async () => {
+    const { path, cleanup } = makeTempPath();
+    try {
+      upsertService(
+        { name: "parachute-vault", port: 1940, paths: ["/"], health: "/health", version: "0.2.4" },
+        path,
+      );
+      const lines: string[] = [];
+      const code = await status({
+        manifestPath: path,
+        fetchImpl: async () => new Response(null, { status: 503 }),
+        print: (l) => lines.push(l),
+      });
+      expect(code).toBe(1);
+      expect(lines.some((l) => l.includes("http 503"))).toBe(true);
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("running process shows pid + uptime and still probes", async () => {
+    const { path, configDir, cleanup } = makeTempPath();
+    try {
+      upsertService(
+        { name: "parachute-vault", port: 1940, paths: ["/"], health: "/health", version: "0.2.4" },
+        path,
+      );
+      writePid("vault", 4242, configDir);
+      const lines: string[] = [];
+      const code = await status({
+        manifestPath: path,
+        configDir,
+        alive: () => true,
+        fetchImpl: async () => new Response(null, { status: 200 }),
+        print: (l) => lines.push(l),
+      });
+      expect(code).toBe(0);
+      expect(lines.some((l) => l.includes("running"))).toBe(true);
+      expect(lines.some((l) => l.includes("4242"))).toBe(true);
+      expect(lines.some((l) => l.includes("ok"))).toBe(true);
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("known-stopped process skips probe and doesn't fail exit", async () => {
+    const { path, configDir, cleanup } = makeTempPath();
+    try {
+      upsertService(
+        { name: "parachute-vault", port: 1940, paths: ["/"], health: "/health", version: "0.2.4" },
+        path,
+      );
+      writePid("vault", 4242, configDir);
+      let probed = false;
+      const lines: string[] = [];
+      const code = await status({
+        manifestPath: path,
+        configDir,
+        alive: () => false,
+        fetchImpl: async () => {
+          probed = true;
+          return new Response(null, { status: 200 });
+        },
+        print: (l) => lines.push(l),
+      });
+      expect(code).toBe(0);
+      expect(probed).toBe(false);
+      expect(lines.some((l) => l.includes("stopped"))).toBe(true);
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("unknown process state (no pid file) still probes — externally managed OK", async () => {
+    const { path, configDir, cleanup } = makeTempPath();
+    try {
+      upsertService(
+        { name: "parachute-vault", port: 1940, paths: ["/"], health: "/health", version: "0.2.4" },
+        path,
+      );
+      let probed = false;
+      const code = await status({
+        manifestPath: path,
+        configDir,
+        fetchImpl: async () => {
+          probed = true;
+          return new Response(null, { status: 200 });
+        },
+        print: () => {},
+      });
+      expect(code).toBe(0);
+      expect(probed).toBe(true);
+    } finally {
+      cleanup();
+    }
+  });
+
+  // URL column: the launch-day pain was a user staring at the table not
+  // knowing where to point Claude.ai or curl. Each row gets a "  → URL"
+  // continuation line so the next step is obvious.
+  test("vault row prints MCP URL beneath it (path + /mcp suffix)", async () => {
+    const { path, cleanup } = makeTempPath();
+    try {
+      upsertService(
+        {
+          name: "parachute-vault",
+          port: 1940,
+          paths: ["/vault/default"],
+          health: "/vault/default/health",
+          version: "0.2.4",
+        },
+        path,
+      );
+      const lines: string[] = [];
+      await status({
+        manifestPath: path,
+        fetchImpl: async () => new Response(null, { status: 200 }),
+        print: (l) => lines.push(l),
+      });
+      expect(lines.some((l) => l.includes("→ http://127.0.0.1:1940/vault/default/mcp"))).toBe(true);
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("scribe row prints root URL (API is at /, ignore path prefix)", async () => {
+    const { path, cleanup } = makeTempPath();
+    try {
+      upsertService(
+        {
+          name: "parachute-scribe",
+          port: 1943,
+          paths: ["/scribe"],
+          health: "/scribe/health",
+          version: "0.1.0",
+        },
+        path,
+      );
+      const lines: string[] = [];
+      await status({
+        manifestPath: path,
+        fetchImpl: async () => new Response(null, { status: 200 }),
+        print: (l) => lines.push(l),
+      });
+      expect(lines.some((l) => l === "  → http://127.0.0.1:1943")).toBe(true);
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("notes row prints UI URL (port + /notes mount)", async () => {
+    const { path, cleanup } = makeTempPath();
+    try {
+      upsertService(
+        {
+          name: "parachute-notes",
+          port: 1942,
+          paths: ["/notes"],
+          health: "/notes/health",
+          version: "0.0.1",
+        },
+        path,
+      );
+      const lines: string[] = [];
+      await status({
+        manifestPath: path,
+        fetchImpl: async () => new Response(null, { status: 200 }),
+        print: (l) => lines.push(l),
+      });
+      expect(lines.some((l) => l === "  → http://127.0.0.1:1942/notes")).toBe(true);
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("channel row prints port + /channel mount", async () => {
+    const { path, cleanup } = makeTempPath();
+    try {
+      upsertService(
+        {
+          name: "parachute-channel",
+          port: 1941,
+          paths: ["/channel"],
+          health: "/channel/health",
+          version: "0.1.0",
+        },
+        path,
+      );
+      const lines: string[] = [];
+      await status({
+        manifestPath: path,
+        fetchImpl: async () => new Response(null, { status: 200 }),
+        print: (l) => lines.push(l),
+      });
+      expect(lines.some((l) => l === "  → http://127.0.0.1:1941/channel")).toBe(true);
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("unknown service falls back to bare host:port + paths[0]", async () => {
+    const { path, cleanup } = makeTempPath();
+    try {
+      upsertService(
+        {
+          name: "third-party-thing",
+          port: 9000,
+          paths: ["/widget"],
+          health: "/health",
+          version: "1.0.0",
+        },
+        path,
+      );
+      const lines: string[] = [];
+      await status({
+        manifestPath: path,
+        fetchImpl: async () => new Response(null, { status: 200 }),
+        print: (l) => lines.push(l),
+      });
+      expect(lines.some((l) => l === "  → http://127.0.0.1:9000/widget")).toBe(true);
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("stopped services still render a URL line so the user knows where to point clients post-start", async () => {
+    const { path, configDir, cleanup } = makeTempPath();
+    try {
+      upsertService(
+        {
+          name: "parachute-vault",
+          port: 1940,
+          paths: ["/vault/default"],
+          health: "/vault/default/health",
+          version: "0.2.4",
+        },
+        path,
+      );
+      writePid("vault", 4242, configDir);
+      const lines: string[] = [];
+      await status({
+        manifestPath: path,
+        configDir,
+        alive: () => false,
+        fetchImpl: async () => new Response(null, { status: 200 }),
+        print: (l) => lines.push(l),
+      });
+      expect(lines.some((l) => l.includes("→ http://127.0.0.1:1940/vault/default/mcp"))).toBe(true);
+    } finally {
+      cleanup();
+    }
+  });
+});

package/src/__tests__/tailscale-commands.test.ts

@@ -0,0 +1,111 @@
+import { describe, expect, test } from "bun:test";
+import { type ServeEntry, bringupCommand, teardownCommand } from "../tailscale/commands.ts";
+
+const proxyEntry: ServeEntry = {
+  kind: "proxy",
+  mount: "/",
+  target: "http://127.0.0.1:1940",
+  service: "parachute-vault",
+};
+
+const fileEntry: ServeEntry = {
+  kind: "file",
+  mount: "/.well-known/parachute.json",
+  target: "/Users/x/.parachute/well-known/parachute.json",
+  service: "well-known",
+};
+
+const subpathEntry: ServeEntry = {
+  kind: "proxy",
+  mount: "/notes",
+  target: "http://127.0.0.1:5173",
+  service: "parachute-notes",
+};
+
+describe("tailscale commands", () => {
+  test("bringup proxy uses https=443 and --set-path", () => {
+    expect(bringupCommand(proxyEntry)).toEqual([
+      "tailscale",
+      "serve",
+      "--bg",
+      "--https=443",
+      "--set-path=/",
+      "http://127.0.0.1:1940",
+    ]);
+  });
+
+  test("bringup preserves subpath mounts", () => {
+    expect(bringupCommand(subpathEntry)).toEqual([
+      "tailscale",
+      "serve",
+      "--bg",
+      "--https=443",
+      "--set-path=/notes",
+      "http://127.0.0.1:5173",
+    ]);
+  });
+
+  test("bringup file entry passes filesystem path as target", () => {
+    expect(bringupCommand(fileEntry)).toEqual([
+      "tailscale",
+      "serve",
+      "--bg",
+      "--https=443",
+      "--set-path=/.well-known/parachute.json",
+      "/Users/x/.parachute/well-known/parachute.json",
+    ]);
+  });
+
+  test("bringup uses `tailscale funnel` subcommand when funnel=true", () => {
+    // Modern tailscale (1.82+) split funnel out of serve. Public mode must
+    // route through `tailscale funnel`, not `tailscale serve --funnel`.
+    expect(bringupCommand(proxyEntry, { funnel: true })).toEqual([
+      "tailscale",
+      "funnel",
+      "--bg",
+      "--https=443",
+      "--set-path=/",
+      "http://127.0.0.1:1940",
+    ]);
+  });
+
+  test("bringup honors custom port", () => {
+    expect(bringupCommand(proxyEntry, { port: 8443 })).toEqual([
+      "tailscale",
+      "serve",
+      "--bg",
+      "--https=8443",
+      "--set-path=/",
+      "http://127.0.0.1:1940",
+    ]);
+  });
+
+  test("teardown issues off per mount", () => {
+    expect(teardownCommand(proxyEntry)).toEqual([
+      "tailscale",
+      "serve",
+      "--https=443",
+      "--set-path=/",
+      "off",
+    ]);
+    expect(teardownCommand(fileEntry)).toEqual([
+      "tailscale",
+      "serve",
+      "--https=443",
+      "--set-path=/.well-known/parachute.json",
+      "off",
+    ]);
+  });
+
+  test("teardown routes through `tailscale funnel` when funnel=true", () => {
+    // Same subcommand split applies to teardown — `serve … off` doesn't
+    // remove a funnel-mounted entry on 1.82+.
+    expect(teardownCommand(proxyEntry, { funnel: true })).toEqual([
+      "tailscale",
+      "funnel",
+      "--https=443",
+      "--set-path=/",
+      "off",
+    ]);
+  });
+});

package/src/__tests__/tailscale-detect.test.ts

@@ -0,0 +1,64 @@
+import { describe, expect, test } from "bun:test";
+import { getTailscaleStatus } from "../tailscale/detect.ts";
+import type { CommandResult, Runner } from "../tailscale/run.ts";
+
+function statusRunner(selfJson: Record<string, unknown>, code = 0): Runner {
+  return async (cmd) => {
+    if (cmd.slice(0, 2).join(" ") === "tailscale status") {
+      return {
+        code,
+        stdout: JSON.stringify({ Self: selfJson }),
+        stderr: "",
+      } as CommandResult;
+    }
+    throw new Error(`unexpected runner call: ${cmd.join(" ")}`);
+  };
+}
+
+describe("getTailscaleStatus funnelCapable", () => {
+  test("recognizes bare 'funnel' cap key (tailscaled ≥ 1.96)", async () => {
+    // Aaron's tailscaled 1.96.5 emits { funnel: null } — no URL-form key.
+    const runner = statusRunner({
+      DNSName: "host.example.ts.net.",
+      CapMap: { funnel: null },
+    });
+    const result = await getTailscaleStatus(runner);
+    expect(result).toEqual({ loggedIn: true, funnelCapable: true });
+  });
+
+  test("recognizes legacy URL-form cap key", async () => {
+    const runner = statusRunner({
+      DNSName: "host.example.ts.net.",
+      CapMap: { "https://tailscale.com/cap/funnel": ["*"] },
+    });
+    const result = await getTailscaleStatus(runner);
+    expect(result).toEqual({ loggedIn: true, funnelCapable: true });
+  });
+
+  test("funnel-ports cap alone does not imply funnel capability", async () => {
+    // funnel-ports declares *which* ports are allowed; it is not the grant.
+    const runner = statusRunner({
+      DNSName: "host.example.ts.net.",
+      CapMap: {
+        "https://tailscale.com/cap/funnel-ports?ports=443,8443,10000": null,
+      },
+    });
+    const result = await getTailscaleStatus(runner);
+    expect(result).toEqual({ loggedIn: true, funnelCapable: false });
+  });
+
+  test("no funnel cap key → funnelCapable false", async () => {
+    const runner = statusRunner({
+      DNSName: "host.example.ts.net.",
+      CapMap: { "default-auto-update": [true] },
+    });
+    const result = await getTailscaleStatus(runner);
+    expect(result).toEqual({ loggedIn: true, funnelCapable: false });
+  });
+
+  test("logged out → both false even with funnel cap", async () => {
+    const runner = statusRunner({ CapMap: { funnel: null } });
+    const result = await getTailscaleStatus(runner);
+    expect(result).toEqual({ loggedIn: false, funnelCapable: false });
+  });
+});

package/src/__tests__/vault-auth-status.test.ts

@@ -0,0 +1,164 @@
+import { describe, expect, test } from "bun:test";
+import { mkdirSync, mkdtempSync, rmSync, writeFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { readVaultAuthStatus } from "../vault/auth-status.ts";
+
+function makeVaultHome(): { path: string; cleanup: () => void } {
+  const path = mkdtempSync(join(tmpdir(), "pcli-vault-auth-"));
+  return { path, cleanup: () => rmSync(path, { recursive: true, force: true }) };
+}
+
+function writeConfig(vaultHome: string, body: string): void {
+  writeFileSync(join(vaultHome, "config.yaml"), body);
+}
+
+function seedVault(vaultHome: string, name: string, opts: { withDb?: boolean } = {}): string {
+  const dir = join(vaultHome, "data", name);
+  mkdirSync(dir, { recursive: true });
+  writeFileSync(join(dir, "vault.yaml"), "# placeholder\n");
+  const dbPath = join(dir, "vault.db");
+  if (opts.withDb) writeFileSync(dbPath, ""); // exists but opaque to the fake counter
+  return dbPath;
+}
+
+describe("readVaultAuthStatus — config.yaml parse", () => {
+  test("missing config.yaml → hasOwnerPassword + hasTotp both false", () => {
+    const env = makeVaultHome();
+    try {
+      const status = readVaultAuthStatus({ vaultHome: env.path, countTokens: () => 0 });
+      expect(status.hasOwnerPassword).toBe(false);
+      expect(status.hasTotp).toBe(false);
+    } finally {
+      env.cleanup();
+    }
+  });
+
+  test("both keys present and non-empty → both true", () => {
+    const env = makeVaultHome();
+    try {
+      writeConfig(
+        env.path,
+        [
+          "port: 1940",
+          'owner_password_hash: "$2b$12$somehashhere"',
+          'totp_secret: "JBSWY3DPEHPK3PXP"',
+          "",
+        ].join("\n"),
+      );
+      const status = readVaultAuthStatus({ vaultHome: env.path, countTokens: () => 0 });
+      expect(status.hasOwnerPassword).toBe(true);
+      expect(status.hasTotp).toBe(true);
+    } finally {
+      env.cleanup();
+    }
+  });
+
+  test("empty quoted values are treated as absent (matches vault's readGlobalConfig)", () => {
+    const env = makeVaultHome();
+    try {
+      writeConfig(env.path, ['owner_password_hash: ""', 'totp_secret: ""', ""].join("\n"));
+      const status = readVaultAuthStatus({ vaultHome: env.path, countTokens: () => 0 });
+      expect(status.hasOwnerPassword).toBe(false);
+      expect(status.hasTotp).toBe(false);
+    } finally {
+      env.cleanup();
+    }
+  });
+
+  test("only owner_password_hash present", () => {
+    const env = makeVaultHome();
+    try {
+      writeConfig(env.path, 'owner_password_hash: "$2b$12$abc"\n');
+      const status = readVaultAuthStatus({ vaultHome: env.path, countTokens: () => 0 });
+      expect(status.hasOwnerPassword).toBe(true);
+      expect(status.hasTotp).toBe(false);
+    } finally {
+      env.cleanup();
+    }
+  });
+});
+
+describe("readVaultAuthStatus — vault discovery", () => {
+  test("no data/ dir → vaultNames empty, tokenCount 0", () => {
+    const env = makeVaultHome();
+    try {
+      const status = readVaultAuthStatus({ vaultHome: env.path, countTokens: () => 999 });
+      expect(status.vaultNames).toEqual([]);
+      expect(status.tokenCount).toBe(0);
+    } finally {
+      env.cleanup();
+    }
+  });
+
+  test("directories without vault.yaml are skipped", () => {
+    const env = makeVaultHome();
+    try {
+      // "real" vault
+      seedVault(env.path, "default", { withDb: true });
+      // garbage dir that happens to sit under data/
+      mkdirSync(join(env.path, "data", "stray"), { recursive: true });
+      const status = readVaultAuthStatus({ vaultHome: env.path, countTokens: () => 0 });
+      expect(status.vaultNames).toEqual(["default"]);
+    } finally {
+      env.cleanup();
+    }
+  });
+});
+
+describe("readVaultAuthStatus — token count resilience", () => {
+  test("sums across multiple vaults", () => {
+    const env = makeVaultHome();
+    try {
+      seedVault(env.path, "default", { withDb: true });
+      seedVault(env.path, "work", { withDb: true });
+      const status = readVaultAuthStatus({
+        vaultHome: env.path,
+        countTokens: (dbPath) => (dbPath.includes("/default/") ? 2 : 3),
+      });
+      expect(status.tokenCount).toBe(5);
+      expect(new Set(status.vaultNames)).toEqual(new Set(["default", "work"]));
+    } finally {
+      env.cleanup();
+    }
+  });
+
+  test("vault.yaml present but vault.db missing → count that vault as 0, keep going", () => {
+    const env = makeVaultHome();
+    try {
+      seedVault(env.path, "default", { withDb: false });
+      seedVault(env.path, "work", { withDb: true });
+      const status = readVaultAuthStatus({
+        vaultHome: env.path,
+        countTokens: (dbPath) => {
+          // Should only be called for the vault whose DB exists.
+          if (dbPath.includes("/default/")) throw new Error("should not open missing DB");
+          return 4;
+        },
+      });
+      expect(status.tokenCount).toBe(4);
+    } finally {
+      env.cleanup();
+    }
+  });
+
+  test("countTokens throws → tokenCount degrades to null (not partial)", () => {
+    const env = makeVaultHome();
+    try {
+      seedVault(env.path, "default", { withDb: true });
+      seedVault(env.path, "work", { withDb: true });
+      const status = readVaultAuthStatus({
+        vaultHome: env.path,
+        countTokens: (dbPath) => {
+          if (dbPath.includes("/work/")) throw new Error("locked");
+          return 2;
+        },
+      });
+      // Even though "default" succeeded with 2, we return null — callers
+      // shouldn't see a misleading partial count.
+      expect(status.tokenCount).toBeNull();
+    } finally {
+      env.cleanup();
+    }
+  });
+});