@openparachute/hub 0.5.10-rc.6 → 0.5.10

package/src/__tests__/oauth-ui.test.ts

@@ -2,10 +2,13 @@ import { describe, expect, test } from "bun:test";
 import {
   type AuthorizeFormParams,
   escapeHtml,
+  renderApprovePending,
   renderConsent,
   renderError,
   renderHiddenInputs,
   renderLogin,
+  renderUnknownClient,
+  substituteVaultDisplay,
 } from "../oauth-ui.ts";
 
 const PARAMS: AuthorizeFormParams = {
@@ -232,6 +235,213 @@ describe("renderError", () => {
   });
 });
 
+describe("renderUnknownClient", () => {
+  test("escapes the client_id into the page", () => {
+    const html = renderUnknownClient({
+      clientId: "<img src=x>",
+      selfOriginRedirectPath: null,
+    });
+    expect(html).toContain("&lt;img src=x&gt;");
+    expect(html).not.toContain("<img src=x>");
+  });
+
+  test("renders the recovery button when selfOriginRedirectPath is set", () => {
+    const html = renderUnknownClient({
+      clientId: "stale-id",
+      selfOriginRedirectPath: "/notes/oauth/callback",
+    });
+    expect(html).toContain('id="unknown-client-reset"');
+    expect(html).toContain('data-target="/notes/oauth/callback"');
+    // The inline JS clears the Notes-side DCR cache prefix.
+    expect(html).toContain("'lens:dcr:'");
+  });
+
+  test("escapes selfOriginRedirectPath into the data-target attribute", () => {
+    const html = renderUnknownClient({
+      clientId: "id",
+      selfOriginRedirectPath: '/x"><script>alert(1)</script>',
+    });
+    expect(html).not.toContain("><script>alert(1)</script>");
+    expect(html).toContain("&quot;");
+  });
+
+  test("omits the recovery button when selfOriginRedirectPath is null", () => {
+    const html = renderUnknownClient({
+      clientId: "stale-id",
+      selfOriginRedirectPath: null,
+    });
+    expect(html).not.toContain('id="unknown-client-reset"');
+    expect(html).not.toContain("'lens:dcr:'");
+    // Static fallback help text still surfaces.
+    expect(html).toContain("close this window");
+  });
+});
+
+describe("substituteVaultDisplay", () => {
+  test("undefined → leaves the scope untouched", () => {
+    expect(substituteVaultDisplay("vault:read", undefined)).toBe("vault:read");
+  });
+
+  test("named vault → substitutes vault:<name>:<verb>", () => {
+    expect(substituteVaultDisplay("vault:read", "work")).toBe("vault:work:read");
+    expect(substituteVaultDisplay("vault:write", "default")).toBe("vault:default:write");
+  });
+
+  test("null → renders a <TBD> placeholder for the consent picker", () => {
+    expect(substituteVaultDisplay("vault:read", null)).toBe("vault:<TBD>:read");
+  });
+
+  test("non-vault scope passes through regardless of displayVault", () => {
+    expect(substituteVaultDisplay("scribe:transcribe", "work")).toBe("scribe:transcribe");
+    expect(substituteVaultDisplay("channel:send", null)).toBe("channel:send");
+  });
+
+  test("already-named vault scope passes through (caller specified the vault)", () => {
+    expect(substituteVaultDisplay("vault:other:read", "work")).toBe("vault:other:read");
+  });
+
+  test("vault admin (vault:admin) doesn't get narrowed — admin verb stays unnamed", () => {
+    // vault:admin is a full-vault scope; we don't narrow it the same way
+    // because per-vault admin is `vault:<name>:admin` (non-requestable) and
+    // the unnamed vault:admin form is the legacy full-vault grant. Keep the
+    // displayed shape as-is so the operator sees the scope they're
+    // consenting to literally.
+    expect(substituteVaultDisplay("vault:admin", "work")).toBe("vault:admin");
+  });
+});
+
+describe("renderConsent displayVault substitution", () => {
+  test("non-admin user (lockedVault) → consent shows vault:<assigned>:<verb>", () => {
+    const html = renderConsent({
+      params: PARAMS,
+      csrfToken: CSRF,
+      clientId: "c",
+      clientName: "App",
+      scopes: ["vault:read", "vault:write"],
+      vaultPicker: {
+        unnamedVerbs: ["read", "write"],
+        availableVaults: ["my-vault"],
+        lockedVault: "my-vault",
+      },
+      displayVault: "my-vault",
+    });
+    expect(html).toContain("vault:my-vault:read");
+    expect(html).toContain("vault:my-vault:write");
+    // Raw unnamed form (the thing this PR fixes) must NOT appear in the
+    // rendered scope-row code blocks. Scope name shows up inside
+    // `<code class="scope-name">…</code>` so check the row substring.
+    expect(html).not.toMatch(/<code class="scope-name">vault:read<\/code>/);
+    expect(html).not.toMatch(/<code class="scope-name">vault:write<\/code>/);
+  });
+
+  test("admin user, single-vault hub → picker pre-checks the only vault, consent shows it", () => {
+    const html = renderConsent({
+      params: PARAMS,
+      csrfToken: CSRF,
+      clientId: "c",
+      clientName: "App",
+      scopes: ["vault:read"],
+      vaultPicker: { unnamedVerbs: ["read"], availableVaults: ["default"] },
+      displayVault: "default",
+    });
+    expect(html).toContain("vault:default:read");
+    expect(html).not.toMatch(/<code class="scope-name">vault:read<\/code>/);
+  });
+
+  test("admin user, multi-vault hub → displayVault=null renders <TBD> + picker hint", () => {
+    const html = renderConsent({
+      params: PARAMS,
+      csrfToken: CSRF,
+      clientId: "c",
+      clientName: "App",
+      scopes: ["vault:read"],
+      vaultPicker: { unnamedVerbs: ["read"], availableVaults: ["work", "personal"] },
+      displayVault: null,
+    });
+    expect(html).toContain("vault:&lt;TBD&gt;:read");
+    expect(html).toContain("scope-pending-note");
+    expect(html).toContain("A specific vault is picked below");
+    // explainScope label still resolves via the verb-form lookup.
+    expect(html).toContain("Read your notes");
+  });
+
+  test("displayVault undefined preserves the legacy raw form (no substitution)", () => {
+    // The existing oauth-ui.test.ts cases call renderConsent without
+    // displayVault — confirming the back-compat shape stays.
+    const html = renderConsent({
+      params: PARAMS,
+      csrfToken: CSRF,
+      clientId: "c",
+      clientName: "App",
+      scopes: ["vault:read"],
+    });
+    expect(html).toContain("vault:read");
+  });
+});
+
+describe("renderApprovePending unauthenticated CTAs", () => {
+  const COMMON = {
+    clientName: "MyApp",
+    clientId: "client-xyz",
+    redirectUris: ["https://app.example/cb"],
+    requestedScopes: ["vault:read"],
+    hubOrigin: "https://hub.example.com",
+  };
+
+  test("renders Sign in CTA wired to /login?next=/admin/approve-client/<id>", () => {
+    const html = renderApprovePending(COMMON);
+    expect(html).toContain("Sign in as admin to approve");
+    const expectedHref = `/login?next=${encodeURIComponent("/admin/approve-client/client-xyz")}`;
+    expect(html).toContain(`href="${expectedHref}"`);
+  });
+
+  test("renders fully-qualified shareable deep link + Copy button + clipboard JS", () => {
+    const html = renderApprovePending(COMMON);
+    expect(html).toContain("https://hub.example.com/admin/approve-client/client-xyz");
+    expect(html).toContain('id="approve-share-copy"');
+    expect(html).toContain('data-link="https://hub.example.com/admin/approve-client/client-xyz"');
+    // Inline JS uses navigator.clipboard.writeText with visual feedback.
+    expect(html).toContain("navigator.clipboard");
+    expect(html).toContain("writeText");
+    expect(html).toContain("Copied!");
+  });
+
+  test("trims a trailing slash on hubOrigin so the deep link doesn't double-slash", () => {
+    const html = renderApprovePending({ ...COMMON, hubOrigin: "https://hub.example.com/" });
+    expect(html).toContain("https://hub.example.com/admin/approve-client/client-xyz");
+    expect(html).not.toContain("https://hub.example.com//admin/");
+  });
+
+  test("retired CLI hint does NOT appear in the unauthenticated branch", () => {
+    const html = renderApprovePending(COMMON);
+    expect(html).not.toContain("parachute auth approve-client");
+    expect(html).not.toContain("from a terminal");
+  });
+
+  test("escapes hostile client_id into href, data-link, and the visible deep link", () => {
+    const html = renderApprovePending({
+      ...COMMON,
+      clientId: "<img src=x onerror=alert(1)>",
+    });
+    expect(html).not.toContain("<img src=x");
+    // encodeURIComponent in both the href and the deep-link URL produces
+    // %3Cimg…; that lives inside escapeHtml-wrapped attribute values.
+    expect(html).toContain("%3Cimg");
+  });
+
+  test("admin-authenticated branch hides the unauth CTAs and renders the inline approve form", () => {
+    const html = renderApprovePending({
+      ...COMMON,
+      approveForm: { csrfToken: CSRF, returnTo: "/oauth/authorize?client_id=client-xyz" },
+    });
+    expect(html).toContain('action="/oauth/authorize/approve"');
+    expect(html).toContain("Approve and continue");
+    expect(html).not.toContain("Sign in as admin to approve");
+    expect(html).not.toContain("Or send this link to your hub admin");
+    expect(html).not.toContain("parachute auth approve-client");
+  });
+});
+
 describe("CSS / styling guarantees", () => {
   test("does not load fonts from a third-party CDN (privacy)", () => {
     const html = renderLogin({ params: PARAMS, csrfToken: CSRF });

package/src/__tests__/scope-explanations.test.ts

@@ -41,6 +41,29 @@ describe("explainScope", () => {
   test("returns null for an unknown scope", () => {
     expect(explainScope("notes:weird-thing")).toBeNull();
   });
+
+  // Approval-UX rc.19: the consent screen renders the *resolved* scope
+  // shape (`vault:<name>:read`) rather than the raw OAuth request
+  // (`vault:read`) so the operator sees the form the token will carry.
+  // explainScope falls back to the unnamed verb's entry for both the
+  // narrowed (`vault:work:read`) and wildcard-display (`vault:*:read`)
+  // forms so the consent UI keeps the same label + level styling.
+  test("named vault scopes (vault:<name>:<verb>) reuse the unnamed-verb explanation", () => {
+    expect(explainScope("vault:work:read")?.label).toBe(SCOPE_EXPLANATIONS["vault:read"]?.label);
+    expect(explainScope("vault:work:read")?.level).toBe("read");
+    expect(explainScope("vault:my-techne_2:write")?.level).toBe("write");
+  });
+
+  test("wildcard vault display form (vault:*:<verb>) explains via the unnamed verb", () => {
+    expect(explainScope("vault:*:read")?.level).toBe("read");
+    expect(explainScope("vault:*:write")?.level).toBe("write");
+  });
+
+  test("doesn't promote a per-vault admin (vault:<name>:admin) into an explained scope", () => {
+    // vault:<name>:admin is NON_REQUESTABLE — never appears on the consent
+    // screen. Explicitly not in the verb-pattern, so explainScope returns null.
+    expect(explainScope("vault:default:admin")).toBeNull();
+  });
 });
 
 describe("scopeIsAdmin", () => {

package/src/__tests__/serve.test.ts

@@ -4,7 +4,7 @@ import { tmpdir } from "node:os";
 import { join } from "node:path";
 import { seedInitialAdminIfNeeded } from "../commands/serve.ts";
 import { openHubDb } from "../hub-db.ts";
-import { userCount } from "../users.ts";
+import { getUserByUsername, userCount } from "../users.ts";
 
 describe("seedInitialAdminIfNeeded", () => {
   let dir: string;
@@ -44,6 +44,13 @@ describe("seedInitialAdminIfNeeded", () => {
     expect(log).toHaveBeenCalledTimes(1);
     expect(log.mock.calls[0]?.[0] ?? "").toContain("seeded initial admin");
     expect(log.mock.calls[0]?.[0] ?? "").toContain("ops");
+    // Multi-user Phase 1 (design 2026-05-20-multi-user-phase-1.md §wizard
+    // interaction): env-seeded admin chose their password via env vars, so
+    // skip the force-change-password redirect. `assignedVault` stays null
+    // — admin posture.
+    const seeded = getUserByUsername(db, "ops");
+    expect(seeded?.passwordChanged).toBe(true);
+    expect(seeded?.assignedVault).toBeNull();
   });
 
   test("returns 'exists' when an admin already exists, even with env vars set", async () => {