@openparachute/hub 0.5.13-rc.21 → 0.5.13-rc.29

package/src/commands/auth.ts

@@ -60,7 +60,13 @@ export interface Runner {
 
 export const defaultRunner: Runner = {
   async run(cmd) {
-    const proc = Bun.spawn([...cmd], { stdio: ["inherit", "inherit", "inherit"] });
+    // Inherit env so the child (e.g. parachute-vault subprocess) sees PATH,
+    // HOME, PARACHUTE_HOME, etc. Bun.spawn defaults to empty env — see
+    // api-modules-ops.ts:defaultRun.
+    const proc = Bun.spawn([...cmd], {
+      stdio: ["inherit", "inherit", "inherit"],
+      env: process.env,
+    });
     return await proc.exited;
   },
 };

package/src/commands/expose-auth-preflight.ts

@@ -26,7 +26,12 @@ import { type VaultAuthStatus, readVaultAuthStatus } from "../vault/auth-status.
 export type InteractiveRunner = (cmd: readonly string[]) => Promise<number>;
 
 const defaultInteractiveRunner: InteractiveRunner = async (cmd) => {
-  const proc = Bun.spawn([...cmd], { stdio: ["inherit", "inherit", "inherit"] });
+  // Inherit env so subprocesses see PATH (to find `tailscale`), HOME, etc.
+  // Bun.spawn defaults to empty env — see api-modules-ops.ts:defaultRun.
+  const proc = Bun.spawn([...cmd], {
+    stdio: ["inherit", "inherit", "inherit"],
+    env: process.env,
+  });
   return await proc.exited;
 };
 

package/src/commands/expose-cloudflare.ts

@@ -69,7 +69,12 @@ export const defaultCloudflaredSpawner: CloudflaredSpawner = {
   spawn(cmd, logFile) {
     mkdirSync(dirname(logFile), { recursive: true });
     const fd = openSync(logFile, "a");
-    const proc = Bun.spawn([...cmd], { stdio: ["ignore", fd, fd] });
+    // Inherit env so cloudflared sees HOME (where it reads ~/.cloudflared/),
+    // PATH, etc. Bun.spawn defaults to empty env — see api-modules-ops.ts.
+    const proc = Bun.spawn([...cmd], {
+      stdio: ["ignore", fd, fd],
+      env: process.env,
+    });
     proc.unref();
     return proc.pid;
   },

package/src/commands/expose-interactive.ts

@@ -46,7 +46,13 @@ import { type ExposeOpts, exposePublic } from "./expose.ts";
 export type InteractiveRunner = (cmd: readonly string[]) => Promise<number>;
 
 const defaultInteractiveRunner: InteractiveRunner = async (cmd) => {
-  const proc = Bun.spawn([...cmd], { stdio: ["inherit", "inherit", "inherit"] });
+  // Inherit env so interactive subprocesses (e.g. `brew install cloudflared`,
+  // `cloudflared tunnel login`) see PATH, HOME, etc. Bun.spawn defaults to
+  // empty env — see api-modules-ops.ts:defaultRun.
+  const proc = Bun.spawn([...cmd], {
+    stdio: ["inherit", "inherit", "inherit"],
+    env: process.env,
+  });
   return await proc.exited;
 };
 

package/src/commands/install.ts

@@ -250,7 +250,13 @@ export interface InstallOpts {
 }
 
 async function defaultRunner(cmd: readonly string[]): Promise<number> {
-  const proc = Bun.spawn([...cmd], { stdio: ["inherit", "inherit", "inherit"] });
+  // Inherit env (TMPDIR, BUN_INSTALL, PATH, HOME, PARACHUTE_*, etc.) — see
+  // api-modules-ops.ts:defaultRun for the rationale. Same Bun.spawn-defaults-
+  // to-empty-env bug; same one-line fix. See hub#349.
+  const proc = Bun.spawn([...cmd], {
+    stdio: ["inherit", "inherit", "inherit"],
+    env: process.env,
+  });
   return await proc.exited;
 }
 

package/src/commands/lifecycle.ts

@@ -67,6 +67,10 @@ export const defaultSpawner: Spawner = {
       // wrapped startCmds like `pnpm exec tsx server.ts` leave the tsx
       // grandchild bound to the port after stop → restart hits EADDRINUSE.
       detached: true,
+      // Inherit env so child sees PATH, HOME, PARACHUTE_HOME, etc.
+      // Bun.spawn defaults to empty env — see api-modules-ops.ts:defaultRun.
+      // Per-call `opts.env` overrides merge on top below.
+      env: process.env,
     };
     if (opts?.env) spawnOpts.env = { ...process.env, ...opts.env };
     if (opts?.cwd) spawnOpts.cwd = opts.cwd;
@@ -647,7 +651,12 @@ export async function logs(svc: string, opts: LogsOpts = {}): Promise<number> {
   if (follow) {
     const spawner = opts.tailSpawner ?? {
       spawn(cmd) {
-        const proc = Bun.spawn([...cmd], { stdio: ["ignore", "inherit", "inherit"] });
+        // Inherit env so `tail` sees PATH, etc. Bun.spawn defaults to empty
+        // env — see api-modules-ops.ts:defaultRun.
+        const proc = Bun.spawn([...cmd], {
+          stdio: ["ignore", "inherit", "inherit"],
+          env: process.env,
+        });
         return proc.pid;
       },
     };

package/src/commands/serve.ts

@@ -149,16 +149,26 @@ export async function seedInitialAdminIfNeeded(
  * the token can't proceed; an attacker who reads it before the
  * operator wins the race).
  */
-export function formatBootstrapTokenBanner(token: string): string {
+export function formatBootstrapTokenBanner(token: string, hubUrl?: string): string {
+  const rule = "═".repeat(64);
+  // Substitute the actual hub URL when known (PARACHUTE_HUB_ORIGIN). Operators
+  // staring at the banner in Render Logs shouldn't have to figure out their
+  // own URL — show the literal placeholder only when the issuer isn't set.
+  const url = hubUrl && hubUrl.length > 0 ? hubUrl.replace(/\/+$/, "") : "<hub-url>";
   return [
-    "[wizard] No admin exists — wizard mode active. To claim ownership of this hub:",
-    "[wizard]   1. Visit http://localhost:1939/admin/setup (or your deployed URL)",
-    "[wizard]   2. Paste this bootstrap token into the form:",
+    "[wizard]",
+    `[wizard] ${rule}`,
+    "[wizard]   PARACHUTE BOOTSTRAP TOKEN",
+    `[wizard] ${rule}`,
     "[wizard]",
     `[wizard]   ${token}`,
     "[wizard]",
-    "[wizard] This token grants permission to create the first admin. It expires when",
-    "[wizard] admin is created OR when hub restarts.",
+    `[wizard]   → Visit ${url}/admin/setup and paste this token to create`,
+    "[wizard]     your admin account.",
+    "[wizard]   → Expires when admin is created OR when hub restarts.",
+    "[wizard]",
+    `[wizard] ${rule}`,
+    "[wizard]",
   ].join("\n");
 }
 
@@ -199,14 +209,14 @@ export async function serve(opts: ServeOpts = {}): Promise<{
 
   if (adminBootstrap === "needs-setup") {
     log(
-      "parachute serve: no admin account configured. Set PARACHUTE_INITIAL_ADMIN_USERNAME + PARACHUTE_INITIAL_ADMIN_PASSWORD, or visit /admin/setup once the hub is reachable.",
+      "parachute serve: no admin account configured. Visit /admin/setup once the hub is reachable, or seed via PARACHUTE_INITIAL_ADMIN_USERNAME + PARACHUTE_INITIAL_ADMIN_PASSWORD env vars for scripted deploys.",
     );
     // Mint a bootstrap token + log it. The wizard's account POST will
     // require this token, so an attacker who beats the operator to the
     // freshly-provisioned URL still can't claim the admin row without
     // shell access to the platform's startup logs.
     const token = generateBootstrapToken();
-    log(formatBootstrapTokenBanner(token));
+    log(formatBootstrapTokenBanner(token, issuer));
   }
 
   const supervisor = opts.supervisor ?? new Supervisor();

package/src/commands/upgrade.ts

@@ -74,17 +74,22 @@ export interface UpgradeRunner {
 
 export const defaultRunner: UpgradeRunner = {
   async run(cmd, opts) {
+    // Inherit env so `bun add -g` etc. see TMPDIR, BUN_INSTALL, PATH, HOME.
+    // Bun.spawn defaults to empty env — see api-modules-ops.ts:defaultRun.
     const proc = Bun.spawn([...cmd], {
       cwd: opts?.cwd,
       stdio: ["inherit", "inherit", "inherit"],
+      env: process.env,
     });
     return await proc.exited;
   },
   async capture(cmd, opts) {
+    // Inherit env — same rationale as `run` above.
     const proc = Bun.spawn([...cmd], {
       cwd: opts?.cwd,
       stdout: "pipe",
       stderr: "pipe",
+      env: process.env,
     });
     const [stdout, stderr] = await Promise.all([
       new Response(proc.stdout).text(),

package/src/commands/vault-tokens-create-interactive.ts

@@ -30,7 +30,13 @@ import { createInterface } from "node:readline/promises";
 export type InteractiveRunner = (cmd: readonly string[]) => Promise<number>;
 
 const defaultInteractiveRunner: InteractiveRunner = async (cmd) => {
-  const proc = Bun.spawn([...cmd], { stdio: ["inherit", "inherit", "inherit"] });
+  // Inherit env so the child (parachute-vault subprocess) sees PATH, HOME,
+  // PARACHUTE_HOME, etc. Bun.spawn defaults to empty env — see
+  // api-modules-ops.ts:defaultRun.
+  const proc = Bun.spawn([...cmd], {
+    stdio: ["inherit", "inherit", "inherit"],
+    env: process.env,
+  });
   return await proc.exited;
 };
 

package/src/commands/vault.ts

@@ -2,6 +2,9 @@ export async function dispatchVault(args: readonly string[]): Promise<number> {
   try {
     const proc = Bun.spawn(["parachute-vault", ...args], {
       stdio: ["inherit", "inherit", "inherit"],
+      // Inherit env so parachute-vault sees PATH, HOME, PARACHUTE_HOME, etc.
+      // Bun.spawn defaults to empty env — see api-modules-ops.ts:defaultRun.
+      env: process.env,
     });
     return await proc.exited;
   } catch (err) {

package/src/hub-control.ts

@@ -74,7 +74,12 @@ export interface HubSpawner {
 export const defaultHubSpawner: HubSpawner = {
   spawn(cmd, logFile) {
     const fd = openSync(logFile, "a");
-    const proc = Bun.spawn([...cmd], { stdio: ["ignore", fd, fd] });
+    // Inherit env so the hub child process sees PATH, HOME, PARACHUTE_HOME,
+    // etc. Bun.spawn defaults to empty env — see api-modules-ops.ts.
+    const proc = Bun.spawn([...cmd], {
+      stdio: ["ignore", fd, fd],
+      env: process.env,
+    });
     proc.unref();
     return proc.pid;
   },

package/src/hub-server.ts

@@ -46,6 +46,7 @@
  *   /admin/host-admin-token       (GET)        → SPA bearer mint (cookie-gated)
  *   /admin/vault-admin-token/<n>  (GET)        → per-vault bearer mint (cookie-gated)
  *   /api/me                       (GET)        → who-am-I (session+CSRF or hasSession:false)
+ *   /api/hub                      (GET)        → hub version + uptime + install-source (host:admin)
  *   /api/modules                  (GET)        → curated + installed module catalog (host:auth)
  *   /api/modules/channel          (PUT)        → operator channel toggle (host:admin)
  *   /api/modules/:short/install   (POST)       → bun add + spawn (async op)
@@ -117,6 +118,7 @@ import { handleHostAdminToken } from "./admin-host-admin-token.ts";
 import { handleVaultAdminToken } from "./admin-vault-admin-token.ts";
 import { handleCreateVault } from "./admin-vaults.ts";
 import { handleAccountChangePasswordGet, handleAccountChangePasswordPost } from "./api-account.ts";
+import { handleApiHub } from "./api-hub.ts";
 import { handleApiMe } from "./api-me.ts";
 import { handleApiMintToken } from "./api-mint-token.ts";
 import { handleApiModulesConfig, parseModulesConfigPath } from "./api-modules-config.ts";
@@ -165,6 +167,7 @@ import {
 } from "./oauth-handlers.ts";
 import { buildHubBoundOrigins } from "./origin-check.ts";
 import { clearPid, writePid } from "./process-state.ts";
+import { isHttpsRequest } from "./request-protocol.ts";
 import {
   FIRST_PARTY_FALLBACKS,
   KNOWN_MODULES,
@@ -942,7 +945,24 @@ export function resolveIssuer(
     if (stored) return stored;
   }
   if (configuredIssuer) return configuredIssuer;
-  return new URL(req.url).origin;
+  // Reverse-proxy aware: Render / Tailscale Funnel / cloudflared terminate
+  // TLS at the edge and forward plain HTTP to hub. Without X-Forwarded-Proto
+  // honoring, `req.url.origin` is `http://...` and hub publishes mixed-content
+  // URLs in OAuth discovery (`registration_endpoint`, `authorization_endpoint`,
+  // etc.) — browsers block them when the page itself loaded over https://.
+  // The `isHttpsRequest` helper is the canonical place where this trust
+  // is established (also used for the Secure cookie attribute).
+  //
+  // We do NOT honor X-Forwarded-Host. Render, Tailscale Funnel, and
+  // cloudflared all preserve the Host header end-to-end, so `req.url`'s
+  // host already reflects the public hostname. Operators on a proxy that
+  // rewrites Host (some nginx / Caddy configs) should set hub_origin via
+  // the admin SPA — that path bypasses this fallback entirely.
+  const url = new URL(req.url);
+  if (isHttpsRequest(req)) {
+    url.protocol = "https:";
+  }
+  return url.origin;
 }
 
 /**
@@ -1526,6 +1546,17 @@ export function hubFetch(
       return handleApiMe(req, { db: getDb() });
     }
 
+    // Hub version + uptime + install-source — drives the admin SPA's
+    // version badge (hub#348). Bearer-gated on `parachute:host:admin`
+    // (same as the rest of the operator-only admin surface).
+    if (pathname === "/api/hub") {
+      if (!getDb) return dbNotConfigured();
+      return handleApiHub(req, {
+        db: getDb(),
+        issuer: oauthDeps(req).issuer,
+      });
+    }
+
     if (pathname === "/api/modules") {
       if (!getDb) return dbNotConfigured();
       const modulesDeps: Parameters<typeof handleApiModules>[1] = {

package/src/supervisor.ts

@@ -403,6 +403,10 @@ async function pumpLines(
 const defaultSpawnFn: SpawnFn = (req) => {
   const spawnOpts: Parameters<typeof Bun.spawn>[1] = {
     stdio: ["ignore", "pipe", "pipe"],
+    // Inherit env so supervised module sees PATH, HOME, PARACHUTE_HOME, etc.
+    // Bun.spawn defaults to empty env — see api-modules-ops.ts:defaultRun.
+    // Per-call `req.env` overrides merge on top below.
+    env: process.env,
   };
   if (req.cwd) spawnOpts.cwd = req.cwd;
   if (req.env) spawnOpts.env = { ...process.env, ...req.env };

package/src/tailscale/run.ts

@@ -7,7 +7,13 @@ export interface CommandResult {
 export type Runner = (cmd: readonly string[]) => Promise<CommandResult>;
 
 export async function defaultRunner(cmd: readonly string[]): Promise<CommandResult> {
-  const proc = Bun.spawn([...cmd], { stdout: "pipe", stderr: "pipe" });
+  // Inherit env so `tailscale` sees PATH (and HOME for state dir). Bun.spawn
+  // defaults to empty env — see api-modules-ops.ts:defaultRun for rationale.
+  const proc = Bun.spawn([...cmd], {
+    stdout: "pipe",
+    stderr: "pipe",
+    env: process.env,
+  });
   const [stdout, stderr, code] = await Promise.all([
     new Response(proc.stdout).text(),
     new Response(proc.stderr).text(),