@openparachute/hub 0.3.0-rc.1

package/src/__tests__/cloudflare-tunnel.test.ts

@@ -0,0 +1,207 @@
+import { describe, expect, test } from "bun:test";
+import {
+  CloudflaredError,
+  createTunnel,
+  credentialsPath,
+  findTunnelByName,
+  listTunnels,
+  routeDns,
+} from "../cloudflare/tunnel.ts";
+import type { CommandResult, Runner } from "../tailscale/run.ts";
+
+function makeRunner(
+  expected: string[][],
+  results: CommandResult[],
+): {
+  runner: Runner;
+  seen: string[][];
+} {
+  const seen: string[][] = [];
+  let i = 0;
+  const runner: Runner = async (cmd) => {
+    seen.push([...cmd]);
+    const exp = expected[i];
+    if (exp) expect([...cmd]).toEqual(exp);
+    const out = results[i];
+    if (!out) throw new Error(`runner called more times than stubs (call #${i + 1})`);
+    i++;
+    return out;
+  };
+  return { runner, seen };
+}
+
+describe("cloudflare tunnel", () => {
+  test("listTunnels parses the json array and drops malformed rows", async () => {
+    const { runner } = makeRunner(
+      [["cloudflared", "tunnel", "list", "--output", "json"]],
+      [
+        {
+          code: 0,
+          stdout: JSON.stringify([
+            {
+              id: "2c1a7c7e-1234-5678-9abc-def012345678",
+              name: "parachute",
+              created_at: "2026-04-22T00:00:00Z",
+            },
+            { id: "other-id-without-name" },
+            { name: "nameonly" },
+            "not an object",
+          ]),
+          stderr: "",
+        },
+      ],
+    );
+    const tunnels = await listTunnels(runner);
+    expect(tunnels).toEqual([
+      {
+        id: "2c1a7c7e-1234-5678-9abc-def012345678",
+        name: "parachute",
+        createdAt: "2026-04-22T00:00:00Z",
+      },
+    ]);
+  });
+
+  test("listTunnels throws CloudflaredError on non-zero exit", async () => {
+    const { runner } = makeRunner(
+      [["cloudflared", "tunnel", "list", "--output", "json"]],
+      [{ code: 1, stdout: "", stderr: "Cannot determine default origin certificate path" }],
+    );
+    try {
+      await listTunnels(runner);
+      throw new Error("expected throw");
+    } catch (err) {
+      expect(err).toBeInstanceOf(CloudflaredError);
+      expect((err as CloudflaredError).message).toContain("Cannot determine default origin");
+    }
+  });
+
+  test("listTunnels throws on non-array JSON", async () => {
+    const { runner } = makeRunner(
+      [["cloudflared", "tunnel", "list", "--output", "json"]],
+      [{ code: 0, stdout: JSON.stringify({ tunnels: [] }), stderr: "" }],
+    );
+    await expect(listTunnels(runner)).rejects.toBeInstanceOf(CloudflaredError);
+  });
+
+  test("findTunnelByName returns match", async () => {
+    const { runner } = makeRunner(
+      [["cloudflared", "tunnel", "list", "--output", "json"]],
+      [
+        {
+          code: 0,
+          stdout: JSON.stringify([
+            { id: "aaaaaaaa-0000-0000-0000-000000000001", name: "foo" },
+            { id: "bbbbbbbb-0000-0000-0000-000000000002", name: "parachute" },
+          ]),
+          stderr: "",
+        },
+      ],
+    );
+    const t = await findTunnelByName(runner, "parachute");
+    expect(t?.id).toBe("bbbbbbbb-0000-0000-0000-000000000002");
+  });
+
+  test("findTunnelByName returns undefined when absent", async () => {
+    const { runner } = makeRunner(
+      [["cloudflared", "tunnel", "list", "--output", "json"]],
+      [{ code: 0, stdout: "[]", stderr: "" }],
+    );
+    expect(await findTunnelByName(runner, "parachute")).toBeUndefined();
+  });
+
+  test("createTunnel parses UUID from typical stdout", async () => {
+    const { runner } = makeRunner(
+      [["cloudflared", "tunnel", "create", "parachute"]],
+      [
+        {
+          code: 0,
+          stdout:
+            "Tunnel credentials written to /Users/x/.cloudflared/2c1a7c7e-1234-5678-9abc-def012345678.json.\n" +
+            "Created tunnel parachute with id 2c1a7c7e-1234-5678-9abc-def012345678\n",
+          stderr: "",
+        },
+      ],
+    );
+    const t = await createTunnel(runner, "parachute");
+    expect(t).toEqual({ id: "2c1a7c7e-1234-5678-9abc-def012345678", name: "parachute" });
+  });
+
+  test("createTunnel throws CloudflaredError when UUID can't be parsed", async () => {
+    const { runner } = makeRunner(
+      [["cloudflared", "tunnel", "create", "parachute"]],
+      [{ code: 0, stdout: "some unexpected output\n", stderr: "" }],
+    );
+    await expect(createTunnel(runner, "parachute")).rejects.toBeInstanceOf(CloudflaredError);
+  });
+
+  test("createTunnel surfaces cloudflared error output on non-zero exit", async () => {
+    const { runner } = makeRunner(
+      [["cloudflared", "tunnel", "create", "parachute"]],
+      [{ code: 1, stdout: "", stderr: "tunnel with name parachute already exists" }],
+    );
+    await expect(createTunnel(runner, "parachute")).rejects.toMatchObject({
+      message: expect.stringContaining("already exists"),
+    });
+  });
+
+  test("routeDns passes --overwrite-dns and surfaces zone-not-found errors", async () => {
+    const { runner, seen } = makeRunner(
+      [
+        [
+          "cloudflared",
+          "tunnel",
+          "route",
+          "dns",
+          "--overwrite-dns",
+          "parachute",
+          "vault.example.com",
+        ],
+      ],
+      [
+        {
+          code: 1,
+          stdout: "",
+          stderr: "Failed to add route: code: 1000, reason: Invalid DNS zone",
+        },
+      ],
+    );
+    await expect(routeDns(runner, "parachute", "vault.example.com")).rejects.toMatchObject({
+      message: expect.stringContaining("Invalid DNS zone"),
+    });
+    expect(seen[0]).toEqual([
+      "cloudflared",
+      "tunnel",
+      "route",
+      "dns",
+      "--overwrite-dns",
+      "parachute",
+      "vault.example.com",
+    ]);
+  });
+
+  test("routeDns succeeds on rerun when the CNAME already exists (upsert semantics)", async () => {
+    // Without --overwrite-dns this call would exit non-zero with "An A, AAAA,
+    // or CNAME record with that host already exists" on the second run. The
+    // flag turns it into an idempotent UPSERT, which is what users expect.
+    const { runner, seen } = makeRunner(
+      [
+        [
+          "cloudflared",
+          "tunnel",
+          "route",
+          "dns",
+          "--overwrite-dns",
+          "parachute",
+          "vault.example.com",
+        ],
+      ],
+      [{ code: 0, stdout: "Added CNAME vault.example.com which will route to …", stderr: "" }],
+    );
+    await routeDns(runner, "parachute", "vault.example.com");
+    expect(seen[0]).toContain("--overwrite-dns");
+  });
+
+  test("credentialsPath joins uuid under the cloudflared home", () => {
+    expect(credentialsPath("abc", "/Users/x/.cloudflared")).toBe("/Users/x/.cloudflared/abc.json");
+  });
+});

package/src/__tests__/config.test.ts

@@ -0,0 +1,18 @@
+import { describe, expect, test } from "bun:test";
+import { homedir } from "node:os";
+import { join } from "node:path";
+import { configDir } from "../config.ts";
+
+describe("configDir", () => {
+  test("honors PARACHUTE_HOME when set", () => {
+    expect(configDir({ PARACHUTE_HOME: "/tmp/custom-parachute" })).toBe("/tmp/custom-parachute");
+  });
+
+  test("ignores empty PARACHUTE_HOME", () => {
+    expect(configDir({ PARACHUTE_HOME: "" })).toBe(join(homedir(), ".parachute"));
+  });
+
+  test("falls back to ~/.parachute when unset", () => {
+    expect(configDir({})).toBe(join(homedir(), ".parachute"));
+  });
+});

package/src/__tests__/env-file.test.ts

@@ -0,0 +1,125 @@
+import { describe, expect, test } from "bun:test";
+import { mkdtempSync, readFileSync, rmSync, writeFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import {
+  parseEnvFile,
+  parseEnvFileText,
+  readEnvFileValues,
+  upsertEnvLine,
+  writeEnvFile,
+} from "../env-file.ts";
+
+function makeHarness(): { dir: string; cleanup: () => void } {
+  const dir = mkdtempSync(join(tmpdir(), "pcli-envfile-"));
+  return { dir, cleanup: () => rmSync(dir, { recursive: true, force: true }) };
+}
+
+describe("parseEnvFileText", () => {
+  test("parses bare KEY=value lines", () => {
+    const parsed = parseEnvFileText("FOO=bar\nBAZ=qux\n");
+    expect(parsed.values).toEqual({ FOO: "bar", BAZ: "qux" });
+    expect(parsed.lines).toEqual(["FOO=bar", "BAZ=qux"]);
+  });
+
+  test("strips one level of double quotes", () => {
+    const parsed = parseEnvFileText('TOKEN="abc123"\n');
+    expect(parsed.values.TOKEN).toBe("abc123");
+  });
+
+  test("strips one level of single quotes", () => {
+    const parsed = parseEnvFileText("TOKEN='abc123'\n");
+    expect(parsed.values.TOKEN).toBe("abc123");
+  });
+
+  test("preserves embedded equals signs in value", () => {
+    const parsed = parseEnvFileText("URL=http://x.example.com/?q=1\n");
+    expect(parsed.values.URL).toBe("http://x.example.com/?q=1");
+  });
+
+  test("ignores lines without a key (leading equals or no equals)", () => {
+    const parsed = parseEnvFileText("=novalue\nbarewordnoequals\nGOOD=x\n");
+    expect(parsed.values).toEqual({ GOOD: "x" });
+  });
+
+  test("empty content yields empty parse", () => {
+    const parsed = parseEnvFileText("");
+    expect(parsed.lines).toEqual([]);
+    expect(parsed.values).toEqual({});
+  });
+
+  test("handles missing trailing newline", () => {
+    const parsed = parseEnvFileText("FOO=bar");
+    expect(parsed.values.FOO).toBe("bar");
+    expect(parsed.lines).toEqual(["FOO=bar"]);
+  });
+});
+
+describe("parseEnvFile / readEnvFileValues", () => {
+  test("missing file returns empty parse", () => {
+    const h = makeHarness();
+    try {
+      const parsed = parseEnvFile(join(h.dir, "missing.env"));
+      expect(parsed.lines).toEqual([]);
+      expect(parsed.values).toEqual({});
+      expect(readEnvFileValues(join(h.dir, "missing.env"))).toEqual({});
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("reads existing file values", () => {
+    const h = makeHarness();
+    try {
+      const path = join(h.dir, ".env");
+      writeFileSync(path, "A=1\nB=2\n");
+      expect(readEnvFileValues(path)).toEqual({ A: "1", B: "2" });
+    } finally {
+      h.cleanup();
+    }
+  });
+});
+
+describe("upsertEnvLine", () => {
+  test("appends when key not present", () => {
+    const next = upsertEnvLine(["FOO=1"], "BAR", "2");
+    expect(next).toEqual(["FOO=1", "BAR=2"]);
+  });
+
+  test("replaces in place when key present", () => {
+    const next = upsertEnvLine(["FOO=1", "BAR=old", "BAZ=3"], "BAR", "new");
+    expect(next).toEqual(["FOO=1", "BAR=new", "BAZ=3"]);
+  });
+
+  test("does not mutate the input array", () => {
+    const input = ["FOO=1"];
+    upsertEnvLine(input, "BAR", "2");
+    expect(input).toEqual(["FOO=1"]);
+  });
+});
+
+describe("writeEnvFile", () => {
+  test("creates parent directories and writes content with trailing newline", () => {
+    const h = makeHarness();
+    try {
+      const path = join(h.dir, "nested", "subdir", ".env");
+      writeEnvFile(path, ["FOO=1", "BAR=2"]);
+      expect(readFileSync(path, "utf8")).toBe("FOO=1\nBAR=2\n");
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("round-trips with parseEnvFile", () => {
+    const h = makeHarness();
+    try {
+      const path = join(h.dir, ".env");
+      const start = parseEnvFileText("KEEP=ok\nUPDATE=old\n");
+      const lines = upsertEnvLine(start.lines, "UPDATE", "new");
+      writeEnvFile(path, lines);
+      expect(parseEnvFile(path).values).toEqual({ KEEP: "ok", UPDATE: "new" });
+    } finally {
+      h.cleanup();
+    }
+  });
+});

package/src/__tests__/expose-auth-preflight.test.ts

@@ -0,0 +1,201 @@
+import { describe, expect, test } from "bun:test";
+import { runAuthPreflight } from "../commands/expose-auth-preflight.ts";
+import type { VaultAuthStatus } from "../vault/auth-status.ts";
+
+interface Harness {
+  logs: string[];
+  prompts: string[];
+  promptAnswers: string[];
+  commands: string[][];
+}
+
+function makeHarness(answers: string[] = []): Harness {
+  return { logs: [], prompts: [], promptAnswers: answers, commands: [] };
+}
+
+function wire(h: Harness) {
+  let i = 0;
+  return {
+    log: (line: string) => h.logs.push(line),
+    prompt: async (q: string) => {
+      h.prompts.push(q);
+      const answer = h.promptAnswers[i++];
+      if (answer === undefined) throw new Error(`prompt exhausted at: ${q}`);
+      return answer;
+    },
+    interactiveRunner: async (cmd: readonly string[]) => {
+      h.commands.push([...cmd]);
+      return 0;
+    },
+  };
+}
+
+function status(partial: Partial<VaultAuthStatus> = {}): VaultAuthStatus {
+  return {
+    hasOwnerPassword: false,
+    hasTotp: false,
+    tokenCount: 0,
+    vaultNames: ["default"],
+    ...partial,
+  };
+}
+
+describe("runAuthPreflight — wide open (no password, no tokens)", () => {
+  test("warns loudly and offers password, 2FA, and token creation", async () => {
+    const h = makeHarness(["y", "n", "n"]); // password yes, 2fa no, token no
+    await runAuthPreflight({ status: status(), ...wire(h) });
+    const joined = h.logs.join("\n");
+    expect(joined).toContain("No owner password and no API tokens");
+    expect(joined).toContain("public internet");
+    expect(h.commands).toHaveLength(1);
+    expect(h.commands[0]).toEqual(["parachute", "auth", "set-password"]);
+  });
+
+  test("user declines every prompt → no subprocesses run", async () => {
+    const h = makeHarness(["", "", ""]); // all Enter = skip
+    await runAuthPreflight({ status: status(), ...wire(h) });
+    expect(h.commands).toHaveLength(0);
+    // Still prompted on all three lines, even though each was declined.
+    expect(h.prompts).toHaveLength(3);
+  });
+
+  test("user accepts all three → all three commands invoked in order", async () => {
+    const h = makeHarness(["y", "y", "y"]);
+    await runAuthPreflight({ status: status(), ...wire(h) });
+    expect(h.commands.map((c) => c.join(" "))).toEqual([
+      "parachute auth set-password",
+      "parachute auth 2fa enroll",
+      "parachute vault tokens create",
+    ]);
+  });
+});
+
+describe("runAuthPreflight — password set, no 2FA", () => {
+  test("short nudge, offers 2FA only", async () => {
+    const h = makeHarness(["y"]);
+    await runAuthPreflight({
+      status: status({ hasOwnerPassword: true, tokenCount: 3 }),
+      ...wire(h),
+    });
+    const joined = h.logs.join("\n");
+    expect(joined).toContain("Owner password is set");
+    expect(joined).toContain("2FA");
+    expect(h.prompts).toHaveLength(1);
+    expect(h.commands).toEqual([["parachute", "auth", "2fa", "enroll"]]);
+  });
+
+  test("user declines → no command runs", async () => {
+    const h = makeHarness([""]);
+    await runAuthPreflight({
+      status: status({ hasOwnerPassword: true, tokenCount: 3 }),
+      ...wire(h),
+    });
+    expect(h.commands).toHaveLength(0);
+  });
+});
+
+describe("runAuthPreflight — tokens exist, no password", () => {
+  test("notes that OAuth is not set up, offers password", async () => {
+    const h = makeHarness(["y"]);
+    await runAuthPreflight({
+      status: status({ hasOwnerPassword: false, tokenCount: 2 }),
+      ...wire(h),
+    });
+    const joined = h.logs.join("\n");
+    expect(joined).toContain("API tokens exist");
+    expect(joined).toContain("no owner password");
+    expect(h.prompts).toHaveLength(1);
+    expect(h.commands).toEqual([["parachute", "auth", "set-password"]]);
+  });
+});
+
+describe("runAuthPreflight — unknown token count (SQLite failed)", () => {
+  test("advises running `tokens list`, no token-dependent prompts", async () => {
+    const h = makeHarness([]);
+    await runAuthPreflight({
+      status: status({ hasOwnerPassword: false, hasTotp: false, tokenCount: null }),
+      ...wire(h),
+    });
+    const joined = h.logs.join("\n");
+    expect(joined).toContain("Couldn't read vault token state");
+    expect(joined).toContain("parachute vault tokens list");
+    // No prompts because we don't offer password/token flow when token
+    // state is unknown (it'd be ambiguous whether we're dealing with the
+    // wide-open or the tokens-only case).
+    expect(h.prompts).toHaveLength(0);
+  });
+
+  test("password set + 2FA absent + tokens unknown → still offers 2FA", async () => {
+    const h = makeHarness([""]); // decline 2FA
+    await runAuthPreflight({
+      status: status({ hasOwnerPassword: true, hasTotp: false, tokenCount: null }),
+      ...wire(h),
+    });
+    expect(h.prompts).toHaveLength(1);
+    expect(h.prompts[0]?.toLowerCase()).toContain("2fa");
+  });
+});
+
+describe("runAuthPreflight — all good", () => {
+  test("single positive line, no prompts", async () => {
+    const h = makeHarness([]);
+    await runAuthPreflight({
+      status: status({ hasOwnerPassword: true, hasTotp: true, tokenCount: 1 }),
+      ...wire(h),
+    });
+    const joined = h.logs.join("\n");
+    expect(joined).toContain("looks good");
+    expect(h.prompts).toHaveLength(0);
+    expect(h.commands).toHaveLength(0);
+  });
+});
+
+describe("runAuthPreflight — subprocess failure handling", () => {
+  test("non-zero exit from auth command doesn't abort the rest of the preflight", async () => {
+    const h = makeHarness(["y", "y", "y"]);
+    // Override the interactive runner to return non-zero on the first call.
+    let first = true;
+    const interactiveRunner = async (cmd: readonly string[]) => {
+      h.commands.push([...cmd]);
+      if (first) {
+        first = false;
+        return 7;
+      }
+      return 0;
+    };
+    await runAuthPreflight({
+      status: status(),
+      log: (l) => h.logs.push(l),
+      prompt: async (q) => {
+        h.prompts.push(q);
+        return h.promptAnswers.shift() ?? "";
+      },
+      interactiveRunner,
+    });
+    // All three commands still attempted, none aborted the flow.
+    expect(h.commands.map((c) => c[0])).toEqual(["parachute", "parachute", "parachute"]);
+    const joined = h.logs.join("\n");
+    expect(joined).toContain("exited 7");
+  });
+});
+
+describe("runAuthPreflight — case-insensitive yes", () => {
+  test('"Y", "YES", and "y" all count as affirmative; anything else is decline', async () => {
+    for (const yes of ["y", "Y", "yes", "YES"]) {
+      const h = makeHarness([yes]);
+      await runAuthPreflight({
+        status: status({ hasOwnerPassword: true, tokenCount: 1 }),
+        ...wire(h),
+      });
+      expect(h.commands).toHaveLength(1);
+    }
+    for (const no of ["", "n", "no", "q", "bogus"]) {
+      const h = makeHarness([no]);
+      await runAuthPreflight({
+        status: status({ hasOwnerPassword: true, tokenCount: 1 }),
+        ...wire(h),
+      });
+      expect(h.commands).toHaveLength(0);
+    }
+  });
+});