@openparachute/hub 0.5.10-rc.9 → 0.5.10

package/src/__tests__/oauth-ui.test.ts

@@ -2,10 +2,13 @@ import { describe, expect, test } from "bun:test";
 import {
   type AuthorizeFormParams,
   escapeHtml,
+  renderApprovePending,
   renderConsent,
   renderError,
   renderHiddenInputs,
   renderLogin,
+  renderUnknownClient,
+  substituteVaultDisplay,
 } from "../oauth-ui.ts";
 
 const PARAMS: AuthorizeFormParams = {
@@ -232,6 +235,213 @@ describe("renderError", () => {
   });
 });
 
+describe("renderUnknownClient", () => {
+  test("escapes the client_id into the page", () => {
+    const html = renderUnknownClient({
+      clientId: "<img src=x>",
+      selfOriginRedirectPath: null,
+    });
+    expect(html).toContain("&lt;img src=x&gt;");
+    expect(html).not.toContain("<img src=x>");
+  });
+
+  test("renders the recovery button when selfOriginRedirectPath is set", () => {
+    const html = renderUnknownClient({
+      clientId: "stale-id",
+      selfOriginRedirectPath: "/notes/oauth/callback",
+    });
+    expect(html).toContain('id="unknown-client-reset"');
+    expect(html).toContain('data-target="/notes/oauth/callback"');
+    // The inline JS clears the Notes-side DCR cache prefix.
+    expect(html).toContain("'lens:dcr:'");
+  });
+
+  test("escapes selfOriginRedirectPath into the data-target attribute", () => {
+    const html = renderUnknownClient({
+      clientId: "id",
+      selfOriginRedirectPath: '/x"><script>alert(1)</script>',
+    });
+    expect(html).not.toContain("><script>alert(1)</script>");
+    expect(html).toContain("&quot;");
+  });
+
+  test("omits the recovery button when selfOriginRedirectPath is null", () => {
+    const html = renderUnknownClient({
+      clientId: "stale-id",
+      selfOriginRedirectPath: null,
+    });
+    expect(html).not.toContain('id="unknown-client-reset"');
+    expect(html).not.toContain("'lens:dcr:'");
+    // Static fallback help text still surfaces.
+    expect(html).toContain("close this window");
+  });
+});
+
+describe("substituteVaultDisplay", () => {
+  test("undefined → leaves the scope untouched", () => {
+    expect(substituteVaultDisplay("vault:read", undefined)).toBe("vault:read");
+  });
+
+  test("named vault → substitutes vault:<name>:<verb>", () => {
+    expect(substituteVaultDisplay("vault:read", "work")).toBe("vault:work:read");
+    expect(substituteVaultDisplay("vault:write", "default")).toBe("vault:default:write");
+  });
+
+  test("null → renders a <TBD> placeholder for the consent picker", () => {
+    expect(substituteVaultDisplay("vault:read", null)).toBe("vault:<TBD>:read");
+  });
+
+  test("non-vault scope passes through regardless of displayVault", () => {
+    expect(substituteVaultDisplay("scribe:transcribe", "work")).toBe("scribe:transcribe");
+    expect(substituteVaultDisplay("channel:send", null)).toBe("channel:send");
+  });
+
+  test("already-named vault scope passes through (caller specified the vault)", () => {
+    expect(substituteVaultDisplay("vault:other:read", "work")).toBe("vault:other:read");
+  });
+
+  test("vault admin (vault:admin) doesn't get narrowed — admin verb stays unnamed", () => {
+    // vault:admin is a full-vault scope; we don't narrow it the same way
+    // because per-vault admin is `vault:<name>:admin` (non-requestable) and
+    // the unnamed vault:admin form is the legacy full-vault grant. Keep the
+    // displayed shape as-is so the operator sees the scope they're
+    // consenting to literally.
+    expect(substituteVaultDisplay("vault:admin", "work")).toBe("vault:admin");
+  });
+});
+
+describe("renderConsent displayVault substitution", () => {
+  test("non-admin user (lockedVault) → consent shows vault:<assigned>:<verb>", () => {
+    const html = renderConsent({
+      params: PARAMS,
+      csrfToken: CSRF,
+      clientId: "c",
+      clientName: "App",
+      scopes: ["vault:read", "vault:write"],
+      vaultPicker: {
+        unnamedVerbs: ["read", "write"],
+        availableVaults: ["my-vault"],
+        lockedVault: "my-vault",
+      },
+      displayVault: "my-vault",
+    });
+    expect(html).toContain("vault:my-vault:read");
+    expect(html).toContain("vault:my-vault:write");
+    // Raw unnamed form (the thing this PR fixes) must NOT appear in the
+    // rendered scope-row code blocks. Scope name shows up inside
+    // `<code class="scope-name">…</code>` so check the row substring.
+    expect(html).not.toMatch(/<code class="scope-name">vault:read<\/code>/);
+    expect(html).not.toMatch(/<code class="scope-name">vault:write<\/code>/);
+  });
+
+  test("admin user, single-vault hub → picker pre-checks the only vault, consent shows it", () => {
+    const html = renderConsent({
+      params: PARAMS,
+      csrfToken: CSRF,
+      clientId: "c",
+      clientName: "App",
+      scopes: ["vault:read"],
+      vaultPicker: { unnamedVerbs: ["read"], availableVaults: ["default"] },
+      displayVault: "default",
+    });
+    expect(html).toContain("vault:default:read");
+    expect(html).not.toMatch(/<code class="scope-name">vault:read<\/code>/);
+  });
+
+  test("admin user, multi-vault hub → displayVault=null renders <TBD> + picker hint", () => {
+    const html = renderConsent({
+      params: PARAMS,
+      csrfToken: CSRF,
+      clientId: "c",
+      clientName: "App",
+      scopes: ["vault:read"],
+      vaultPicker: { unnamedVerbs: ["read"], availableVaults: ["work", "personal"] },
+      displayVault: null,
+    });
+    expect(html).toContain("vault:&lt;TBD&gt;:read");
+    expect(html).toContain("scope-pending-note");
+    expect(html).toContain("A specific vault is picked below");
+    // explainScope label still resolves via the verb-form lookup.
+    expect(html).toContain("Read your notes");
+  });
+
+  test("displayVault undefined preserves the legacy raw form (no substitution)", () => {
+    // The existing oauth-ui.test.ts cases call renderConsent without
+    // displayVault — confirming the back-compat shape stays.
+    const html = renderConsent({
+      params: PARAMS,
+      csrfToken: CSRF,
+      clientId: "c",
+      clientName: "App",
+      scopes: ["vault:read"],
+    });
+    expect(html).toContain("vault:read");
+  });
+});
+
+describe("renderApprovePending unauthenticated CTAs", () => {
+  const COMMON = {
+    clientName: "MyApp",
+    clientId: "client-xyz",
+    redirectUris: ["https://app.example/cb"],
+    requestedScopes: ["vault:read"],
+    hubOrigin: "https://hub.example.com",
+  };
+
+  test("renders Sign in CTA wired to /login?next=/admin/approve-client/<id>", () => {
+    const html = renderApprovePending(COMMON);
+    expect(html).toContain("Sign in as admin to approve");
+    const expectedHref = `/login?next=${encodeURIComponent("/admin/approve-client/client-xyz")}`;
+    expect(html).toContain(`href="${expectedHref}"`);
+  });
+
+  test("renders fully-qualified shareable deep link + Copy button + clipboard JS", () => {
+    const html = renderApprovePending(COMMON);
+    expect(html).toContain("https://hub.example.com/admin/approve-client/client-xyz");
+    expect(html).toContain('id="approve-share-copy"');
+    expect(html).toContain('data-link="https://hub.example.com/admin/approve-client/client-xyz"');
+    // Inline JS uses navigator.clipboard.writeText with visual feedback.
+    expect(html).toContain("navigator.clipboard");
+    expect(html).toContain("writeText");
+    expect(html).toContain("Copied!");
+  });
+
+  test("trims a trailing slash on hubOrigin so the deep link doesn't double-slash", () => {
+    const html = renderApprovePending({ ...COMMON, hubOrigin: "https://hub.example.com/" });
+    expect(html).toContain("https://hub.example.com/admin/approve-client/client-xyz");
+    expect(html).not.toContain("https://hub.example.com//admin/");
+  });
+
+  test("retired CLI hint does NOT appear in the unauthenticated branch", () => {
+    const html = renderApprovePending(COMMON);
+    expect(html).not.toContain("parachute auth approve-client");
+    expect(html).not.toContain("from a terminal");
+  });
+
+  test("escapes hostile client_id into href, data-link, and the visible deep link", () => {
+    const html = renderApprovePending({
+      ...COMMON,
+      clientId: "<img src=x onerror=alert(1)>",
+    });
+    expect(html).not.toContain("<img src=x");
+    // encodeURIComponent in both the href and the deep-link URL produces
+    // %3Cimg…; that lives inside escapeHtml-wrapped attribute values.
+    expect(html).toContain("%3Cimg");
+  });
+
+  test("admin-authenticated branch hides the unauth CTAs and renders the inline approve form", () => {
+    const html = renderApprovePending({
+      ...COMMON,
+      approveForm: { csrfToken: CSRF, returnTo: "/oauth/authorize?client_id=client-xyz" },
+    });
+    expect(html).toContain('action="/oauth/authorize/approve"');
+    expect(html).toContain("Approve and continue");
+    expect(html).not.toContain("Sign in as admin to approve");
+    expect(html).not.toContain("Or send this link to your hub admin");
+    expect(html).not.toContain("parachute auth approve-client");
+  });
+});
+
 describe("CSS / styling guarantees", () => {
   test("does not load fonts from a third-party CDN (privacy)", () => {
     const html = renderLogin({ params: PARAMS, csrfToken: CSRF });

package/src/__tests__/scope-explanations.test.ts

@@ -41,6 +41,29 @@ describe("explainScope", () => {
   test("returns null for an unknown scope", () => {
     expect(explainScope("notes:weird-thing")).toBeNull();
   });
+
+  // Approval-UX rc.19: the consent screen renders the *resolved* scope
+  // shape (`vault:<name>:read`) rather than the raw OAuth request
+  // (`vault:read`) so the operator sees the form the token will carry.
+  // explainScope falls back to the unnamed verb's entry for both the
+  // narrowed (`vault:work:read`) and wildcard-display (`vault:*:read`)
+  // forms so the consent UI keeps the same label + level styling.
+  test("named vault scopes (vault:<name>:<verb>) reuse the unnamed-verb explanation", () => {
+    expect(explainScope("vault:work:read")?.label).toBe(SCOPE_EXPLANATIONS["vault:read"]?.label);
+    expect(explainScope("vault:work:read")?.level).toBe("read");
+    expect(explainScope("vault:my-techne_2:write")?.level).toBe("write");
+  });
+
+  test("wildcard vault display form (vault:*:<verb>) explains via the unnamed verb", () => {
+    expect(explainScope("vault:*:read")?.level).toBe("read");
+    expect(explainScope("vault:*:write")?.level).toBe("write");
+  });
+
+  test("doesn't promote a per-vault admin (vault:<name>:admin) into an explained scope", () => {
+    // vault:<name>:admin is NON_REQUESTABLE — never appears on the consent
+    // screen. Explicitly not in the verb-pattern, so explainScope returns null.
+    expect(explainScope("vault:default:admin")).toBeNull();
+  });
 });
 
 describe("scopeIsAdmin", () => {

package/src/__tests__/serve.test.ts

@@ -4,7 +4,7 @@ import { tmpdir } from "node:os";
 import { join } from "node:path";
 import { seedInitialAdminIfNeeded } from "../commands/serve.ts";
 import { openHubDb } from "../hub-db.ts";
-import { userCount } from "../users.ts";
+import { getUserByUsername, userCount } from "../users.ts";
 
 describe("seedInitialAdminIfNeeded", () => {
   let dir: string;
@@ -44,6 +44,13 @@ describe("seedInitialAdminIfNeeded", () => {
     expect(log).toHaveBeenCalledTimes(1);
     expect(log.mock.calls[0]?.[0] ?? "").toContain("seeded initial admin");
     expect(log.mock.calls[0]?.[0] ?? "").toContain("ops");
+    // Multi-user Phase 1 (design 2026-05-20-multi-user-phase-1.md §wizard
+    // interaction): env-seeded admin chose their password via env vars, so
+    // skip the force-change-password redirect. `assignedVault` stays null
+    // — admin posture.
+    const seeded = getUserByUsername(db, "ops");
+    expect(seeded?.passwordChanged).toBe(true);
+    expect(seeded?.assignedVault).toBeNull();
   });
 
   test("returns 'exists' when an admin already exists, even with env vars set", async () => {

package/src/__tests__/setup-wizard.test.ts

@@ -37,7 +37,7 @@ import {
   handleSetupVaultPost,
 } from "../setup-wizard.ts";
 import { Supervisor } from "../supervisor.ts";
-import { createUser, userCount } from "../users.ts";
+import { createUser, getUserByUsername, userCount } from "../users.ts";
 
 interface Harness {
   dir: string;
@@ -577,6 +577,13 @@ describe("handleSetupAccountPost", () => {
       const sessionCookie = setCookie(post, SESSION_COOKIE_NAME);
       expect(sessionCookie).toBeDefined();
       expect(userCount(db)).toBe(1);
+      // Multi-user Phase 1: the wizard's first admin chose their password
+      // via this very form, so skip the force-change-password redirect on
+      // first sign-in (`password_changed=1`). `assigned_vault` stays NULL
+      // — admin posture (no per-vault restriction).
+      const created = getUserByUsername(db, "ops");
+      expect(created?.passwordChanged).toBe(true);
+      expect(created?.assignedVault).toBeNull();
     } finally {
       db.close();
     }
@@ -1335,9 +1342,28 @@ describe("done screen auto-minted token (hub#272 Item A)", () => {
       );
       expect(res.status).toBe(200);
       const html = await res.text();
-      expect(html).toContain("--header "Authorization: Bearer test-jwt-token-abc"");
-      expect(html).toContain('data-target="mcp-cmd"');
+      // Real token rides in the hidden script-tag stash as JSON-encoded
+      // text — script element content is raw-text per the HTML spec
+      // (entities aren't parsed), so JSON encoding round-trips through
+      // textContent + JSON.parse without `"` polluting the copied
+      // command. Verify the JSON-encoded form appears in the document.
+      expect(html).toContain(
+        '"claude mcp add --transport http parachute-default https://hub.example/vault/default/mcp --header \\"Authorization: Bearer test-jwt-token-abc\\""',
+      );
       expect(html).toContain('id="mcp-cmd"');
+      expect(html).toContain('id="mcp-cmd-real"');
+      // The hidden stash is `<script type="application/json">` so the
+      // browser doesn't execute it but textContent is still readable.
+      expect(html).toContain('<script type="application/json" id="mcp-cmd-real">');
+      // The visible default state is masked: the <pre> body is wrapped
+      // with data-state="masked" and renders • placeholder characters
+      // rather than the live token. Verified by the masked Bearer
+      // header substring (• repeated).
+      expect(html).toContain('data-state="masked"');
+      expect(html).toMatch(/Bearer •+/);
+      // Show button + Copy button both present.
+      expect(html).toContain('id="mcp-cmd-show"');
+      expect(html).toContain('id="mcp-cmd-copy"');
       expect(html).toContain("/admin/tokens");
       // The token is single-use — consumed on first render.
       expect(getSetting(db, "setup_minted_token")).toBeUndefined();
@@ -1439,6 +1465,193 @@ describe("done screen auto-minted token (hub#272 Item A)", () => {
     }
   });
 
+  // rc.11 — token visible by default on the done screen was a
+  // shoulder-surf hazard. The fix: render the visible command with
+  // a masked Bearer token, stash the real command in a
+  // hidden script tag, and surface a Show button + Copy button. Copy
+  // ALWAYS pulls the real command from the script tag so the
+  // operator's terminal paste never breaks regardless of mask state.
+  test("done screen masks the Bearer token in the visible <pre> by default", async () => {
+    const db = openHubDb(hubDbPath(h.dir));
+    try {
+      const user = await createUser(db, "owner", "pw");
+      writeManifest(
+        {
+          services: [
+            {
+              name: "parachute-vault",
+              version: "0.1.0",
+              port: 1940,
+              paths: ["/vault/default"],
+              health: "/health",
+            },
+          ],
+        },
+        h.manifestPath,
+      );
+      setSetting(db, "setup_expose_mode", "localhost");
+      setSetting(db, "setup_minted_token", "pvt_super_secret_token_payload");
+      const { createSession } = await import("../sessions.ts");
+      const session = createSession(db, { userId: user.id });
+      const res = handleSetupGet(
+        req("/admin/setup?just_finished=1", {
+          headers: { cookie: `${SESSION_COOKIE_NAME}=${session.id}` },
+        }),
+        {
+          db,
+          manifestPath: h.manifestPath,
+          configDir: h.dir,
+          issuer: "https://hub.example",
+          registry: getDefaultOperationsRegistry(),
+        },
+      );
+      const html = await res.text();
+      // Extract the visible <pre id="mcp-cmd"> text only — the masked
+      // shape must live there, with no occurrence of the literal token
+      // string. The real token still appears elsewhere (the hidden
+      // script tag) so a plain `toContain` would miss the leak.
+      const preMatch = html.match(/<pre id="mcp-cmd">([^<]*)<\/pre>/);
+      expect(preMatch).not.toBeNull();
+      const preBody = preMatch?.[1] ?? "";
+      expect(preBody).not.toContain("pvt_super_secret_token_payload");
+      // Masked Bearer header is present in the <pre> text.
+      expect(preBody).toMatch(/Bearer •+/);
+      // Real command still in the document (hidden JSON stash) so the
+      // Copy handler can read it.
+      expect(html).toContain('<script type="application/json" id="mcp-cmd-real">');
+      expect(html).toContain("pvt_super_secret_token_payload");
+      // Default state is masked.
+      expect(html).toContain('data-state="masked"');
+    } finally {
+      db.close();
+    }
+  });
+
+  test("done screen JSON-encodes the stashed command so `</script>` in a token can't break out", async () => {
+    // Defense-in-depth: an attacker-shaped token containing `</script>`
+    // would prematurely close the stash tag if we just dropped it into
+    // the HTML. The renderer JSON-encodes the command AND replaces
+    // `</` with `<\/` inside the encoded string so the sequence can't
+    // appear in the document. Decode round-trips via JSON.parse.
+    const db = openHubDb(hubDbPath(h.dir));
+    try {
+      const user = await createUser(db, "owner", "pw");
+      writeManifest(
+        {
+          services: [
+            {
+              name: "parachute-vault",
+              version: "0.1.0",
+              port: 1940,
+              paths: ["/vault/default"],
+              health: "/health",
+            },
+          ],
+        },
+        h.manifestPath,
+      );
+      setSetting(db, "setup_expose_mode", "localhost");
+      // Token contains characters that would be load-bearing in the
+      // HTML/JS layer if mis-encoded: a quote (would close the JSON
+      // string) and `</script>` (would close the stash tag).
+      const hostileToken = `weird-token-with-"-and-</script>-inside`;
+      setSetting(db, "setup_minted_token", hostileToken);
+      const { createSession } = await import("../sessions.ts");
+      const session = createSession(db, { userId: user.id });
+      const res = handleSetupGet(
+        req("/admin/setup?just_finished=1", {
+          headers: { cookie: `${SESSION_COOKIE_NAME}=${session.id}` },
+        }),
+        {
+          db,
+          manifestPath: h.manifestPath,
+          configDir: h.dir,
+          issuer: "https://hub.example",
+          registry: getDefaultOperationsRegistry(),
+        },
+      );
+      const html = await res.text();
+      // `</script>` must NOT appear inside the stash element. We
+      // verify by extracting the stash text via the literal HTML
+      // boundaries and asserting no close-tag escape escaped the
+      // encoder.
+      const stashMatch = html.match(
+        /<script type="application\/json" id="mcp-cmd-real">([\s\S]*?)<\/script>/,
+      );
+      expect(stashMatch).not.toBeNull();
+      const stashBody = stashMatch?.[1] ?? "";
+      // The encoder replaces `</` with `<\/` inside the JSON, so the
+      // raw bytes between the opening and the first `</script>` should
+      // not contain `</`.
+      expect(stashBody).not.toContain("</");
+      // Round-trips: `<\/` decodes back to `</` after JSON.parse +
+      // the script-end-sequence escape — the operator's clipboard
+      // gets the original bytes.
+      const decoded = JSON.parse(stashBody) as string;
+      expect(decoded).toContain(hostileToken);
+    } finally {
+      db.close();
+    }
+  });
+
+  test("done screen wires Show + Copy buttons that read from the hidden real-command stash", async () => {
+    const db = openHubDb(hubDbPath(h.dir));
+    try {
+      const user = await createUser(db, "owner", "pw");
+      writeManifest(
+        {
+          services: [
+            {
+              name: "parachute-vault",
+              version: "0.1.0",
+              port: 1940,
+              paths: ["/vault/default"],
+              health: "/health",
+            },
+          ],
+        },
+        h.manifestPath,
+      );
+      setSetting(db, "setup_expose_mode", "localhost");
+      setSetting(db, "setup_minted_token", "live-token-AAA");
+      const { createSession } = await import("../sessions.ts");
+      const session = createSession(db, { userId: user.id });
+      const res = handleSetupGet(
+        req("/admin/setup?just_finished=1", {
+          headers: { cookie: `${SESSION_COOKIE_NAME}=${session.id}` },
+        }),
+        {
+          db,
+          manifestPath: h.manifestPath,
+          configDir: h.dir,
+          issuer: "https://hub.example",
+          registry: getDefaultOperationsRegistry(),
+        },
+      );
+      const html = await res.text();
+      // Both buttons present, both wired via addEventListener (no
+      // inline onclick — the script runs in a single IIFE).
+      expect(html).toContain('id="mcp-cmd-show"');
+      expect(html).toContain('id="mcp-cmd-copy"');
+      expect(html).toContain("'click'");
+      // The Copy handler reads from the hidden script tag, not from
+      // the visible <pre>. Regression: this was the load-bearing
+      // contract Aaron called out ("Copy still works without reveal").
+      expect(html).toContain("getElementById('mcp-cmd-real')");
+      // The stash holds JSON-encoded text and the handler decodes via
+      // JSON.parse so the clipboard receives the exact byte sequence of
+      // the command — `&quot;`-style HTML entities can't survive into
+      // the operator's shell because script-element content is raw text
+      // (the HTML parser doesn't decode entities inside <script>).
+      expect(html).toContain("JSON.parse(real.textContent");
+      // Auto-hide timer present so a stray reveal doesn't leak into a
+      // subsequent screencast capture.
+      expect(html).toContain("setTimeout(setMasked, 10000)");
+    } finally {
+      db.close();
+    }
+  });
+
   test("GET /admin/setup?just_finished=1 without a session does NOT consume the minted token (hub#274 security fold)", async () => {
     // Regression — without the session gate, any HTTP client racing the
     // operator's browser between the expose POST (which mints + stores)