@openparachute/hub 0.5.1 → 0.5.7

package/src/__tests__/services-manifest.test.ts

@@ -196,6 +196,373 @@ describe("services-manifest", () => {
       cleanup();
     }
   });
+
+  test("round-trips optional stripPrefix (true and false)", () => {
+    const { path, cleanup } = makeTempPath();
+    try {
+      const stripping: ServiceEntry = { ...vault, stripPrefix: true };
+      upsertService(stripping, path);
+      expect(readManifest(path).services[0]).toEqual(stripping);
+
+      const explicitFalse: ServiceEntry = { ...vault, stripPrefix: false };
+      upsertService(explicitFalse, path);
+      expect(readManifest(path).services[0]).toEqual(explicitFalse);
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("rejects non-boolean stripPrefix", () => {
+    const { path, cleanup } = makeTempPath();
+    try {
+      expect(() =>
+        upsertService({ ...vault, stripPrefix: "yes" as unknown as boolean }, path),
+      ).toThrow(/stripPrefix/);
+    } finally {
+      cleanup();
+    }
+  });
+
+  // Duplicate-port detection (hub#195). The original collision had
+  // parachute-scribe and agent both at 1944 in services.json with no
+  // operator-visible warning. The OS lets only one service bind, the
+  // hub reverse-proxy quietly routes everyone to whoever won the race,
+  // and `/agent` requests silently land on scribe. Reject at parse time
+  // so the same shape can't recur silently. Underlying overwrite bugs
+  // were fixed in parachute-scribe#41 + parachute-agent#146; this is
+  // the hub-side gate.
+  describe("duplicate port rejection", () => {
+    test("rejects manifest where two entries share a port", () => {
+      const { path, cleanup } = makeTempPath();
+      try {
+        writeFileSync(
+          path,
+          JSON.stringify({
+            services: [
+              {
+                name: "parachute-scribe",
+                port: 1944,
+                paths: ["/scribe"],
+                health: "/scribe/health",
+                version: "0.4.0",
+              },
+              {
+                name: "agent",
+                port: 1944,
+                paths: ["/agent"],
+                health: "/agent/health",
+                version: "0.1.0",
+              },
+            ],
+          }),
+        );
+        expect(() => readManifest(path)).toThrow(ServicesManifestError);
+      } finally {
+        cleanup();
+      }
+    });
+
+    test("error message names both conflicting services and the colliding port", () => {
+      const { path, cleanup } = makeTempPath();
+      try {
+        writeFileSync(
+          path,
+          JSON.stringify({
+            services: [
+              {
+                name: "parachute-scribe",
+                port: 1944,
+                paths: ["/scribe"],
+                health: "/scribe/health",
+                version: "0.4.0",
+              },
+              {
+                name: "agent",
+                port: 1944,
+                paths: ["/agent"],
+                health: "/agent/health",
+                version: "0.1.0",
+              },
+            ],
+          }),
+        );
+        // The error names the conflicting port (so an operator scanning
+        // services.json knows where to look) and both service names (so
+        // they know which two rows to reconcile).
+        expect(() => readManifest(path)).toThrow(/duplicate port 1944/);
+        expect(() => readManifest(path)).toThrow(/parachute-scribe/);
+        expect(() => readManifest(path)).toThrow(/agent/);
+      } finally {
+        cleanup();
+      }
+    });
+
+    test("accepts manifest with all unique ports", () => {
+      const { path, cleanup } = makeTempPath();
+      try {
+        writeFileSync(
+          path,
+          JSON.stringify({
+            services: [
+              {
+                name: "parachute-vault",
+                port: 1940,
+                paths: ["/"],
+                health: "/health",
+                version: "0.2.4",
+              },
+              {
+                name: "parachute-scribe",
+                port: 1943,
+                paths: ["/scribe"],
+                health: "/scribe/health",
+                version: "0.4.0",
+              },
+            ],
+          }),
+        );
+        const m = readManifest(path);
+        expect(m.services).toHaveLength(2);
+      } finally {
+        cleanup();
+      }
+    });
+
+    test("allows multi-vault: parachute-vault-default + parachute-vault-techne on the same port", () => {
+      // Multi-vault is the deliberate exception. One parachute-vault process
+      // serves N vault instances on a single port at distinct mount paths.
+      // The duplicate-port gate must not break that shape.
+      const { path, cleanup } = makeTempPath();
+      try {
+        writeFileSync(
+          path,
+          JSON.stringify({
+            services: [
+              {
+                name: "parachute-vault-default",
+                port: 1940,
+                paths: ["/vault/default"],
+                health: "/vault/default/health",
+                version: "0.4.0",
+              },
+              {
+                name: "parachute-vault-techne",
+                port: 1940,
+                paths: ["/vault/techne"],
+                health: "/vault/techne/health",
+                version: "0.4.0",
+              },
+            ],
+          }),
+        );
+        const m = readManifest(path);
+        expect(m.services).toHaveLength(2);
+      } finally {
+        cleanup();
+      }
+    });
+
+    test("rejects vault sharing a port with a non-vault service", () => {
+      // The vault exception is narrow: same-port is allowed only between
+      // multi-vault rows. A vault sharing a port with anything else is the
+      // same silent-miswire shape we're guarding against.
+      const { path, cleanup } = makeTempPath();
+      try {
+        writeFileSync(
+          path,
+          JSON.stringify({
+            services: [
+              {
+                name: "parachute-vault-default",
+                port: 1940,
+                paths: ["/vault/default"],
+                health: "/vault/default/health",
+                version: "0.4.0",
+              },
+              {
+                name: "parachute-scribe",
+                port: 1940,
+                paths: ["/scribe"],
+                health: "/scribe/health",
+                version: "0.4.0",
+              },
+            ],
+          }),
+        );
+        expect(() => readManifest(path)).toThrow(/duplicate port 1940/);
+      } finally {
+        cleanup();
+      }
+    });
+
+    test("three-way collision still surfaces (first pair caught)", () => {
+      const { path, cleanup } = makeTempPath();
+      try {
+        writeFileSync(
+          path,
+          JSON.stringify({
+            services: [
+              {
+                name: "a",
+                port: 9000,
+                paths: ["/a"],
+                health: "/a/health",
+                version: "0.1.0",
+              },
+              {
+                name: "b",
+                port: 9000,
+                paths: ["/b"],
+                health: "/b/health",
+                version: "0.1.0",
+              },
+              {
+                name: "c",
+                port: 9000,
+                paths: ["/c"],
+                health: "/c/health",
+                version: "0.1.0",
+              },
+            ],
+          }),
+        );
+        expect(() => readManifest(path)).toThrow(/duplicate port 9000/);
+      } finally {
+        cleanup();
+      }
+    });
+  });
+
+  // Write-time port collision rejection (hub#205). The read-time gate above
+  // catches duplicate ports on the next `readManifest`, but without a
+  // matching write-side check `upsertService` happily writes a corrupt
+  // manifest to disk and only the next read surfaces the fault. A buggy
+  // service boot calling `upsertService({ name: "agent", port: 1944 })`
+  // while scribe is already at 1944 must fail before `writeManifest` runs.
+  // Same multi-vault carve-out applies.
+  describe("upsertService duplicate-port rejection (hub#205)", () => {
+    const scribe: ServiceEntry = {
+      name: "parachute-scribe",
+      port: 1944,
+      paths: ["/scribe"],
+      health: "/scribe/health",
+      version: "0.4.0",
+    };
+    const agent: ServiceEntry = {
+      name: "agent",
+      port: 1944,
+      paths: ["/agent"],
+      health: "/agent/health",
+      version: "0.1.0",
+    };
+
+    test("succeeds when adding a service at a non-conflicting port", () => {
+      const { path, cleanup } = makeTempPath();
+      try {
+        upsertService(scribe, path);
+        const m = upsertService({ ...agent, port: 1945 }, path);
+        expect(m.services).toHaveLength(2);
+        expect(m.services.map((s) => s.port).sort()).toEqual([1944, 1945]);
+        // And it actually wrote: a fresh read sees both rows.
+        expect(readManifest(path).services).toHaveLength(2);
+      } finally {
+        cleanup();
+      }
+    });
+
+    test("throws ServicesManifestError when adding a service at a port already claimed by a non-vault service", () => {
+      const { path, cleanup } = makeTempPath();
+      try {
+        upsertService(scribe, path);
+        expect(() => upsertService(agent, path)).toThrow(ServicesManifestError);
+        // Error names the colliding port and both services so an operator
+        // scanning logs knows which two rows to reconcile.
+        expect(() => upsertService(agent, path)).toThrow(/duplicate port 1944/);
+        expect(() => upsertService(agent, path)).toThrow(/parachute-scribe/);
+        expect(() => upsertService(agent, path)).toThrow(/agent/);
+        // Crucially: services.json was NOT corrupted on the failed write.
+        // The pre-existing row stays, and the agent row never lands.
+        const m = readManifest(path);
+        expect(m.services).toHaveLength(1);
+        expect(m.services[0]?.name).toBe("parachute-scribe");
+      } finally {
+        cleanup();
+      }
+    });
+
+    test("succeeds when adding a vault row at a port already used by another vault row (multi-vault carve-out)", () => {
+      const { path, cleanup } = makeTempPath();
+      try {
+        const vaultDefault: ServiceEntry = {
+          name: "parachute-vault-default",
+          port: 1940,
+          paths: ["/vault/default"],
+          health: "/vault/default/health",
+          version: "0.4.0",
+        };
+        const vaultTechne: ServiceEntry = {
+          name: "parachute-vault-techne",
+          port: 1940,
+          paths: ["/vault/techne"],
+          health: "/vault/techne/health",
+          version: "0.4.0",
+        };
+        upsertService(vaultDefault, path);
+        const m = upsertService(vaultTechne, path);
+        expect(m.services).toHaveLength(2);
+        expect(m.services.map((s) => s.port)).toEqual([1940, 1940]);
+        // And persisted: a fresh read sees both vault rows on the same port,
+        // confirming readManifest's multi-vault carve-out matches the write
+        // side's.
+        expect(readManifest(path).services).toHaveLength(2);
+      } finally {
+        cleanup();
+      }
+    });
+
+    test("succeeds when UPDATING an existing entry's port to a non-conflicting port", () => {
+      // The update path (idx >= 0 in upsertService) replaces the row in-place
+      // before the duplicate-port check. Updating an entry's port to a value
+      // that collides with a DIFFERENT row must still throw, but moving an
+      // entry to a free port must succeed — including off canonical, which is
+      // a legitimate operator move (e.g., to dodge a third-party clash).
+      const { path, cleanup } = makeTempPath();
+      try {
+        upsertService(scribe, path); // port 1944
+        upsertService({ ...agent, port: 1945 }, path); // port 1945
+        // Move scribe from 1944 to 1948 (free): succeeds.
+        const m = upsertService({ ...scribe, port: 1948 }, path);
+        expect(m.services).toHaveLength(2);
+        const scribeRow = m.services.find((s) => s.name === "parachute-scribe");
+        expect(scribeRow?.port).toBe(1948);
+        // Fresh read: persisted state matches.
+        const persisted = readManifest(path);
+        expect(persisted.services.find((s) => s.name === "parachute-scribe")?.port).toBe(1948);
+      } finally {
+        cleanup();
+      }
+    });
+
+    test("throws when UPDATING an existing entry's port to one that collides with another row", () => {
+      // Companion to the above: the update path must NOT bypass the gate
+      // when the moved row's new port now collides with a different row.
+      const { path, cleanup } = makeTempPath();
+      try {
+        upsertService(scribe, path); // port 1944
+        upsertService({ ...agent, port: 1945 }, path); // port 1945
+        // Move scribe to 1945, where agent already lives: must throw.
+        expect(() => upsertService({ ...scribe, port: 1945 }, path)).toThrow(ServicesManifestError);
+        expect(() => upsertService({ ...scribe, port: 1945 }, path)).toThrow(/duplicate port 1945/);
+        // And the on-disk state stayed coherent — scribe at 1944, agent at
+        // 1945 — because the gate fires before writeManifest.
+        const persisted = readManifest(path);
+        expect(persisted.services.find((s) => s.name === "parachute-scribe")?.port).toBe(1944);
+        expect(persisted.services.find((s) => s.name === "agent")?.port).toBe(1945);
+      } finally {
+        cleanup();
+      }
+    });
+  });
 });
 
 describe("claw → agent migration", () => {

package/src/__tests__/setup.test.ts

@@ -115,18 +115,21 @@ describe("setup", () => {
     const h = makeHarness();
     try {
       // Pre-seed every first-party shortname so survey returns all-installed.
-      for (const m of [
-        "parachute-vault",
-        "parachute-notes",
-        "parachute-scribe",
-        "parachute-channel",
-      ]) {
+      // Distinct canonical ports per service — services-manifest.ts now
+      // rejects duplicate ports between distinct services (hub#195).
+      const seeds: Array<{ name: string; port: number }> = [
+        { name: "parachute-vault", port: 1940 },
+        { name: "parachute-notes", port: 1942 },
+        { name: "parachute-scribe", port: 1943 },
+        { name: "parachute-channel", port: 1941 },
+      ];
+      for (const s of seeds) {
         upsertService(
           {
-            name: m,
+            name: s.name,
             version: "0.0.0",
-            port: 1940,
-            paths: [`/${m.replace(/^parachute-/, "")}`],
+            port: s.port,
+            paths: [`/${s.name.replace(/^parachute-/, "")}`],
             health: "/health",
           },
           h.manifestPath,

package/src/__tests__/status.test.ts

@@ -317,6 +317,179 @@ describe("status", () => {
     }
   });
 
+  // Canonical-port drift warning (hub#195). When a known service ends up at
+  // a non-canonical port (because of an upgrade rewrite, a port-walk fallback,
+  // or an operator edit), surface it in `parachute status` so a silent miswire
+  // is operator-visible. Warning, not error — operators may have moved the
+  // service deliberately to dodge a third-party clash.
+  describe("canonical-port drift warning", () => {
+    test("warns when scribe is at non-canonical port (1944 instead of 1943)", async () => {
+      const { path, cleanup } = makeTempPath();
+      try {
+        upsertService(
+          {
+            name: "parachute-scribe",
+            port: 1944,
+            paths: ["/scribe"],
+            health: "/scribe/health",
+            version: "0.4.0",
+          },
+          path,
+        );
+        const lines: string[] = [];
+        await status({
+          manifestPath: path,
+          fetchImpl: async () => new Response(null, { status: 200 }),
+          print: (l) => lines.push(l),
+        });
+        expect(lines.some((l) => l.includes("canonical port is 1943"))).toBe(true);
+      } finally {
+        cleanup();
+      }
+    });
+
+    test("does not warn when service is on its canonical port", async () => {
+      const { path, cleanup } = makeTempPath();
+      try {
+        upsertService(
+          {
+            name: "parachute-scribe",
+            port: 1943,
+            paths: ["/scribe"],
+            health: "/scribe/health",
+            version: "0.4.0",
+          },
+          path,
+        );
+        const lines: string[] = [];
+        await status({
+          manifestPath: path,
+          fetchImpl: async () => new Response(null, { status: 200 }),
+          print: (l) => lines.push(l),
+        });
+        expect(lines.some((l) => l.includes("canonical port"))).toBe(false);
+      } finally {
+        cleanup();
+      }
+    });
+
+    test("does not warn for third-party services with no canonical port", async () => {
+      const { path, cleanup } = makeTempPath();
+      try {
+        upsertService(
+          {
+            name: "third-party-thing",
+            port: 9000,
+            paths: ["/widget"],
+            health: "/health",
+            version: "1.0.0",
+          },
+          path,
+        );
+        const lines: string[] = [];
+        await status({
+          manifestPath: path,
+          fetchImpl: async () => new Response(null, { status: 200 }),
+          print: (l) => lines.push(l),
+        });
+        expect(lines.some((l) => l.includes("canonical port"))).toBe(false);
+      } finally {
+        cleanup();
+      }
+    });
+
+    test("warning does not affect exit code (status stays 0 when healthy)", async () => {
+      const { path, cleanup } = makeTempPath();
+      try {
+        upsertService(
+          {
+            name: "parachute-scribe",
+            port: 1944,
+            paths: ["/scribe"],
+            health: "/scribe/health",
+            version: "0.4.0",
+          },
+          path,
+        );
+        const code = await status({
+          manifestPath: path,
+          fetchImpl: async () => new Response(null, { status: 200 }),
+          print: () => {},
+        });
+        // Drift is informational. A healthy probed service still returns 0
+        // even when the port has drifted off canonical.
+        expect(code).toBe(0);
+      } finally {
+        cleanup();
+      }
+    });
+
+    test("warning still fires when service is stopped (probe skipped)", async () => {
+      const { path, configDir, cleanup } = makeTempPath();
+      try {
+        upsertService(
+          {
+            name: "parachute-scribe",
+            port: 1944,
+            paths: ["/scribe"],
+            health: "/scribe/health",
+            version: "0.4.0",
+          },
+          path,
+        );
+        writePid("scribe", 4242, configDir);
+        const lines: string[] = [];
+        await status({
+          manifestPath: path,
+          configDir,
+          alive: () => false,
+          fetchImpl: async () => new Response(null, { status: 200 }),
+          print: (l) => lines.push(l),
+        });
+        // Drift is computed from services.json, not from the probe — a
+        // stopped service with a drifted port should still surface the
+        // warning so operators see the miswire even before they start it.
+        expect(lines.some((l) => l.includes("canonical port is 1943"))).toBe(true);
+      } finally {
+        cleanup();
+      }
+    });
+
+    test("multi-vault instance rows do not surface a drift warning (intentional gap)", async () => {
+      // Pinning the documented gap: `parachute-vault-default` is not
+      // a canonical manifest name in FIRST_PARTY_FALLBACKS, so
+      // `canonicalPortForManifest` returns undefined and no drift
+      // warning fires — even when the row's port differs from the
+      // canonical `parachute-vault` port (1940). Rationale lives on
+      // `canonicalPortForManifest` in service-spec.ts; this test pins
+      // the behavior so a future change to the lookup shape doesn't
+      // accidentally start emitting drift on every multi-vault row
+      // without an explicit decision.
+      const { path, cleanup } = makeTempPath();
+      try {
+        upsertService(
+          {
+            name: "parachute-vault-default",
+            port: 1944,
+            paths: ["/vault/default"],
+            health: "/vault/default/health",
+            version: "0.2.4",
+          },
+          path,
+        );
+        const lines: string[] = [];
+        await status({
+          manifestPath: path,
+          fetchImpl: async () => new Response(null, { status: 200 }),
+          print: (l) => lines.push(l),
+        });
+        expect(lines.some((l) => l.includes("canonical port"))).toBe(false);
+      } finally {
+        cleanup();
+      }
+    });
+  });
+
   test("stopped services still render a URL line so the user knows where to point clients post-start", async () => {
     const { path, configDir, cleanup } = makeTempPath();
     try {

package/src/admin-handlers.ts

@@ -31,6 +31,7 @@ import { restart as lifecycleRestart } from "./commands/lifecycle.ts";
 import { CONFIG_DIR } from "./config.ts";
 import { CSRF_FIELD_NAME, ensureCsrfToken, verifyCsrfToken } from "./csrf.ts";
 import type { ModuleManifest } from "./module-manifest.ts";
+import { checkAndRecord, clientIpFromRequest } from "./rate-limit.ts";
 import {
   type ServicesManifest,
   readManifest as readServicesManifest,
@@ -41,7 +42,7 @@ import {
   buildSessionCookie,
   createSession,
   deleteSession,
-  findSession,
+  findActiveSession,
   parseSessionCookie,
 } from "./sessions.ts";
 import { getUserByUsername, verifyPassword } from "./users.ts";
@@ -74,15 +75,6 @@ function redirect(location: string, extra: Record<string, string> = {}): Respons
 
 // --- session gate ----------------------------------------------------------
 
-/**
- * Return the active session for this request, or null. Caller decides what
- * to do on null — most paths should redirect to `/admin/login?next=<path>`.
- */
-function activeSession(db: Database, req: Request) {
-  const sid = parseSessionCookie(req.headers.get("cookie"));
-  return sid ? findSession(db, sid) : null;
-}
-
 function loginRedirect(req: Request, extra: Record<string, string> = {}): Response {
   const url = new URL(req.url);
   const next = `${url.pathname}${url.search}`;
@@ -106,7 +98,11 @@ export function handleAdminLoginGet(_db: Database, req: Request): Response {
   return htmlResponse(renderAdminLogin({ next, csrfToken: csrf.token }), 200, extra);
 }
 
-export async function handleAdminLoginPost(db: Database, req: Request): Promise<Response> {
+export async function handleAdminLoginPost(
+  db: Database,
+  req: Request,
+  deps: AdminLoginDeps = {},
+): Promise<Response> {
   const form = await req.formData();
   const formCsrf = form.get(CSRF_FIELD_NAME);
   if (!verifyCsrfToken(req, typeof formCsrf === "string" ? formCsrf : null)) {
@@ -118,6 +114,24 @@ export async function handleAdminLoginPost(db: Database, req: Request): Promise<
       400,
     );
   }
+  // Rate-limit gate fires *after* CSRF (so a junk cross-site POST doesn't
+  // burn a bucket slot for the victim's IP) but *before* credential check.
+  // Every legitimate login attempt — wrong password, missing user, eventually
+  // failed-2FA (#186) — counts toward the same bucket so an attacker can't
+  // partition the cooldown across stages.
+  const clientIp = clientIpFromRequest(req);
+  const now = deps.now ? deps.now() : new Date();
+  const gate = checkAndRecord(clientIp, now);
+  if (!gate.allowed) {
+    return htmlResponse(
+      renderAdminError({
+        title: "Too many login attempts",
+        message: `Too many login attempts from this IP. Try again in ${gate.retryAfterSeconds ?? 1} seconds.`,
+      }),
+      429,
+      { "retry-after": String(gate.retryAfterSeconds ?? 1) },
+    );
+  }
   const username = String(form.get("username") ?? "");
   const password = String(form.get("password") ?? "");
   const next = safeNext(String(form.get("next") ?? ""));
@@ -147,6 +161,17 @@ export async function handleAdminLoginPost(db: Database, req: Request): Promise<
   return redirect(next, { "set-cookie": cookie });
 }
 
+/**
+ * Test-injection seam for `handleAdminLoginPost`. Production callers omit
+ * `deps`; tests pass a deterministic clock so the rate-limit assertions
+ * don't race wall-clock time. Kept narrow — login doesn't share the wider
+ * `AdminDeps` because it doesn't load services / module manifests.
+ */
+export interface AdminLoginDeps {
+  /** Test seam — defaults to real clock. */
+  now?: () => Date;
+}
+
 // --- /admin/logout ---------------------------------------------------------
 
 /**
@@ -183,7 +208,7 @@ export async function handleAdminConfigGet(
   req: Request,
   deps: AdminDeps = {},
 ): Promise<Response> {
-  const session = activeSession(db, req);
+  const session = findActiveSession(db, req);
   if (!session) return loginRedirect(req);
 
   const csrf = ensureCsrfToken(req);
@@ -207,7 +232,7 @@ export async function handleAdminConfigPost(
   moduleName: string,
   deps: AdminDeps = {},
 ): Promise<Response> {
-  const session = activeSession(db, req);
+  const session = findActiveSession(db, req);
   if (!session) return loginRedirect(req);
 
   const form = await req.formData();