@openparachute/hub 0.5.10-rc.9 → 0.5.10

package/src/__tests__/hub-db.test.ts

@@ -2,7 +2,7 @@ import { describe, expect, test } from "bun:test";
 import { mkdtempSync, rmSync } from "node:fs";
 import { tmpdir } from "node:os";
 import { join } from "node:path";
-import { hubDbPath, openHubDb } from "../hub-db.ts";
+import { hubDbPath, migrate, openHubDb } from "../hub-db.ts";
 
 interface Harness {
   configDir: string;
@@ -150,4 +150,129 @@ describe("openHubDb + migrate", () => {
       h.cleanup();
     }
   });
+
+  test("v8 adds password_changed + assigned_vault columns on a fresh DB", () => {
+    const h = makeHarness();
+    try {
+      const db = openHubDb(h.dbPath);
+      try {
+        const versions = (
+          db.query<{ version: number }, []>("SELECT version FROM schema_version").all() ?? []
+        ).map((r) => r.version);
+        expect(versions).toContain(8);
+        // PRAGMA table_info returns the column shape; we want both new
+        // columns present with the right defaults / nullability.
+        interface ColInfo {
+          name: string;
+          type: string;
+          notnull: number;
+          dflt_value: string | null;
+        }
+        const cols = db
+          .query<ColInfo, []>(
+            "SELECT name, type, \"notnull\", dflt_value FROM pragma_table_info('users')",
+          )
+          .all();
+        const byName = new Map(cols.map((c) => [c.name, c]));
+        const pc = byName.get("password_changed");
+        expect(pc).toBeDefined();
+        expect(pc?.type).toBe("INTEGER");
+        expect(pc?.notnull).toBe(1);
+        // Default literal — SQLite returns it as a string "0".
+        expect(pc?.dflt_value).toBe("0");
+        const av = byName.get("assigned_vault");
+        expect(av).toBeDefined();
+        expect(av?.type).toBe("TEXT");
+        expect(av?.notnull).toBe(0);
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("v8 backfills password_changed=1 for users that pre-date the migration", () => {
+    const h = makeHarness();
+    try {
+      // Stand up a DB at the v7 state by partially-applying migrations:
+      // open Database directly, call migrate after stripping the v8 entry
+      // would be invasive. Instead, drive the same migration shape by hand
+      // for v1-v7 then insert a row, then call migrate() to apply v8.
+      // Cleanest path: openHubDb runs everything, but we want a v7 snapshot.
+      // Approach: open with openHubDb (runs all migrations), drop the v8
+      // changes, mark v8 unapplied, insert a user with password_changed=0
+      // (simulating a row from before the backfill), then re-run migrate.
+      // SQLite doesn't have DROP COLUMN pre-3.35 universally, so we do the
+      // recreate-and-rename: drop v8's columns by recreating users without
+      // them, then delete the v8 schema_version row, then call migrate().
+      const db = openHubDb(h.dbPath);
+      try {
+        // Build a v7-shape users table and copy the v8-shape rows.
+        db.exec(`
+          CREATE TABLE users_v7 (
+            id TEXT PRIMARY KEY,
+            username TEXT UNIQUE NOT NULL,
+            password_hash TEXT NOT NULL,
+            created_at TEXT NOT NULL,
+            updated_at TEXT NOT NULL
+          );
+          INSERT INTO users_v7 (id, username, password_hash, created_at, updated_at)
+          SELECT id, username, password_hash, created_at, updated_at FROM users;
+          DROP TABLE users;
+          ALTER TABLE users_v7 RENAME TO users;
+        `);
+        db.exec("DELETE FROM schema_version WHERE version = 8");
+        // Insert a row that pre-dates v8 (no password_changed column yet).
+        db.prepare(
+          `INSERT INTO users (id, username, password_hash, created_at, updated_at)
+           VALUES (?, ?, ?, ?, ?)`,
+        ).run("legacy-user", "owner", "h", "2026-01-01", "2026-01-01");
+        // Now re-run migrations — v8 should ALTER the table and backfill.
+        migrate(db);
+        const row = db
+          .query<{ password_changed: number; assigned_vault: string | null }, [string]>(
+            "SELECT password_changed, assigned_vault FROM users WHERE id = ?",
+          )
+          .get("legacy-user");
+        expect(row).not.toBeNull();
+        expect(row?.password_changed).toBe(1);
+        expect(row?.assigned_vault).toBeNull();
+        const versions = (
+          db.query<{ version: number }, []>("SELECT version FROM schema_version").all() ?? []
+        ).map((r) => r.version);
+        expect(versions).toContain(8);
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("v8 — fresh inserts default password_changed=0 and assigned_vault NULL", () => {
+    const h = makeHarness();
+    try {
+      const db = openHubDb(h.dbPath);
+      try {
+        // Insert via the bare-columns SQL (mirrors what a pre-v8 caller
+        // would emit) to confirm the column DEFAULTs work.
+        db.prepare(
+          `INSERT INTO users (id, username, password_hash, created_at, updated_at)
+           VALUES (?, ?, ?, ?, ?)`,
+        ).run("u-default", "owner", "h", "2026-01-01", "2026-01-01");
+        const row = db
+          .query<{ password_changed: number; assigned_vault: string | null }, [string]>(
+            "SELECT password_changed, assigned_vault FROM users WHERE id = ?",
+          )
+          .get("u-default");
+        expect(row?.password_changed).toBe(0);
+        expect(row?.assigned_vault).toBeNull();
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
 });

package/src/__tests__/hub-settings.test.ts

@@ -11,14 +11,20 @@ import { tmpdir } from "node:os";
 import { join } from "node:path";
 import { hubDbPath, openHubDb } from "../hub-db.ts";
 import {
+  DEFAULT_MODULE_INSTALL_CHANNEL,
   FIRST_CLIENT_AUTO_APPROVE_WINDOW_MS,
+  MODULE_INSTALL_CHANNELS,
+  PARACHUTE_MODULE_CHANNEL_ENV,
   SETUP_EXPOSE_MODES,
   consumeFirstClientAutoApproveWindow,
   deleteSetting,
+  getModuleInstallChannel,
   getSetting,
   isFirstClientAutoApproveWindowOpen,
+  isModuleInstallChannel,
   isSetupExposeMode,
   openFirstClientAutoApproveWindow,
+  setModuleInstallChannel,
   setSetting,
 } from "../hub-settings.ts";
 
@@ -223,3 +229,149 @@ describe("hub-settings — first-client auto-approve window", () => {
     }
   });
 });
+
+describe("hub-settings — isModuleInstallChannel", () => {
+  test("accepts the two canonical values", () => {
+    for (const c of MODULE_INSTALL_CHANNELS) {
+      expect(isModuleInstallChannel(c)).toBe(true);
+    }
+    expect(isModuleInstallChannel("latest")).toBe(true);
+    expect(isModuleInstallChannel("rc")).toBe(true);
+  });
+
+  test("rejects anything else (typos, empty, non-string, case-mismatch)", () => {
+    expect(isModuleInstallChannel("LATEST")).toBe(false);
+    expect(isModuleInstallChannel("Latest")).toBe(false);
+    expect(isModuleInstallChannel("stable")).toBe(false);
+    expect(isModuleInstallChannel("beta")).toBe(false);
+    expect(isModuleInstallChannel("")).toBe(false);
+    expect(isModuleInstallChannel(null)).toBe(false);
+    expect(isModuleInstallChannel(undefined)).toBe(false);
+    expect(isModuleInstallChannel(42)).toBe(false);
+  });
+});
+
+describe("hub-settings — module install channel bootstrap", () => {
+  let dir: string;
+  beforeEach(() => {
+    dir = mkdtempSync(join(tmpdir(), "hub-settings-channel-"));
+  });
+  afterEach(() => rmSync(dir, { recursive: true, force: true }));
+
+  test("first read with no env + no row seeds + returns the default (latest)", () => {
+    const db = openHubDb(hubDbPath(dir));
+    try {
+      // Empty env — no PARACHUTE_MODULE_CHANNEL.
+      const channel = getModuleInstallChannel(db, { env: {} });
+      expect(channel).toBe(DEFAULT_MODULE_INSTALL_CHANNEL);
+      expect(channel).toBe("latest");
+      // The row is now seeded.
+      expect(getSetting(db, "module_install_channel")).toBe("latest");
+    } finally {
+      db.close();
+    }
+  });
+
+  test("first read with PARACHUTE_MODULE_CHANNEL=rc seeds with rc", () => {
+    const db = openHubDb(hubDbPath(dir));
+    try {
+      const channel = getModuleInstallChannel(db, {
+        env: { [PARACHUTE_MODULE_CHANNEL_ENV]: "rc" },
+      });
+      expect(channel).toBe("rc");
+      expect(getSetting(db, "module_install_channel")).toBe("rc");
+    } finally {
+      db.close();
+    }
+  });
+
+  test("first read with PARACHUTE_MODULE_CHANNEL=latest seeds with latest", () => {
+    const db = openHubDb(hubDbPath(dir));
+    try {
+      const channel = getModuleInstallChannel(db, {
+        env: { [PARACHUTE_MODULE_CHANNEL_ENV]: "latest" },
+      });
+      expect(channel).toBe("latest");
+      expect(getSetting(db, "module_install_channel")).toBe("latest");
+    } finally {
+      db.close();
+    }
+  });
+
+  test("invalid PARACHUTE_MODULE_CHANNEL warns + falls back to latest", () => {
+    const db = openHubDb(hubDbPath(dir));
+    try {
+      const warns: string[] = [];
+      const channel = getModuleInstallChannel(db, {
+        env: { [PARACHUTE_MODULE_CHANNEL_ENV]: "stable" },
+        warn: (msg) => warns.push(msg),
+      });
+      expect(channel).toBe("latest");
+      expect(getSetting(db, "module_install_channel")).toBe("latest");
+      expect(warns.length).toBe(1);
+      expect(warns[0]).toMatch(/PARACHUTE_MODULE_CHANNEL="stable"/);
+      expect(warns[0]).toMatch(/not a valid channel/);
+    } finally {
+      db.close();
+    }
+  });
+
+  test("empty PARACHUTE_MODULE_CHANNEL is treated as unset (no warn)", () => {
+    const db = openHubDb(hubDbPath(dir));
+    try {
+      const warns: string[] = [];
+      const channel = getModuleInstallChannel(db, {
+        env: { [PARACHUTE_MODULE_CHANNEL_ENV]: "" },
+        warn: (msg) => warns.push(msg),
+      });
+      expect(channel).toBe("latest");
+      expect(warns).toEqual([]);
+    } finally {
+      db.close();
+    }
+  });
+
+  test("once seeded, env var is ignored on subsequent reads", () => {
+    const db = openHubDb(hubDbPath(dir));
+    try {
+      // First read seeds with rc.
+      getModuleInstallChannel(db, { env: { [PARACHUTE_MODULE_CHANNEL_ENV]: "rc" } });
+      // Second read with a different env value still returns the seeded value.
+      const channel = getModuleInstallChannel(db, {
+        env: { [PARACHUTE_MODULE_CHANNEL_ENV]: "latest" },
+      });
+      expect(channel).toBe("rc");
+      // And with no env at all.
+      expect(getModuleInstallChannel(db, { env: {} })).toBe("rc");
+    } finally {
+      db.close();
+    }
+  });
+
+  test("setModuleInstallChannel persists the new value, subsequent reads return it", () => {
+    const db = openHubDb(hubDbPath(dir));
+    try {
+      // Seed with rc via env.
+      getModuleInstallChannel(db, { env: { [PARACHUTE_MODULE_CHANNEL_ENV]: "rc" } });
+      // Admin toggles to latest.
+      setModuleInstallChannel(db, "latest");
+      expect(getModuleInstallChannel(db, { env: {} })).toBe("latest");
+      // And back to rc — no env needed.
+      setModuleInstallChannel(db, "rc");
+      expect(getModuleInstallChannel(db, { env: {} })).toBe("rc");
+    } finally {
+      db.close();
+    }
+  });
+
+  test("corrupted row falls back to latest silently (no throw)", () => {
+    const db = openHubDb(hubDbPath(dir));
+    try {
+      // Simulate a manual sqlite edit / schema drift / external write.
+      setSetting(db, "module_install_channel", "bogus");
+      expect(getModuleInstallChannel(db, { env: {} })).toBe("latest");
+    } finally {
+      db.close();
+    }
+  });
+});

package/src/__tests__/jwt-sign.test.ts

@@ -121,6 +121,65 @@ describe("signAccessToken", () => {
       cleanup();
     }
   });
+
+  // Multi-user Phase 1, PR 4 (design 2026-05-20-multi-user-phase-1.md):
+  // the `vault_scope` claim is emitted unconditionally so a downstream
+  // consumer (PR 5's scope-guard) doesn't have to distinguish "absent" from
+  // "empty." Callers pass `[]` for admin / unpinned, `[<assigned_vault>]`
+  // for non-admin pinned users.
+  test("vault_scope=[] is emitted as the empty-array claim", async () => {
+    const { db, cleanup } = makeDb();
+    try {
+      const { token } = await signAccessToken(db, {
+        sub: "admin-aaron",
+        scopes: ["vault:default:read"],
+        audience: "vault.default",
+        clientId: "c",
+        issuer: "https://hub.example",
+        vaultScope: [],
+      });
+      const payload = decodeJwt(token);
+      expect(payload.vault_scope).toEqual([]);
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("vault_scope=['bob'] is emitted as the single-element claim", async () => {
+    const { db, cleanup } = makeDb();
+    try {
+      const { token } = await signAccessToken(db, {
+        sub: "bob",
+        scopes: ["vault:bob:read"],
+        audience: "vault.bob",
+        clientId: "c",
+        issuer: "https://hub.example",
+        vaultScope: ["bob"],
+      });
+      const payload = decodeJwt(token);
+      expect(payload.vault_scope).toEqual(["bob"]);
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("vault_scope defaults to [] when caller omits the field (back-compat sentinel)", async () => {
+    const { db, cleanup } = makeDb();
+    try {
+      const { token } = await signAccessToken(db, {
+        sub: "operator",
+        scopes: ["parachute:host:admin"],
+        audience: "hub",
+        clientId: "c",
+        issuer: "https://hub.example",
+      });
+      const payload = decodeJwt(token);
+      // Claim is present (not undefined), set to the empty-array sentinel.
+      expect(payload.vault_scope).toEqual([]);
+    } finally {
+      cleanup();
+    }
+  });
 });
 
 describe("signRefreshToken", () => {