@openparachute/hub 0.5.13-rc.23 → 0.5.13-rc.29

package/README.md

@@ -24,11 +24,14 @@ One-click Render deploy via the `render.yaml` Blueprint in this repo. Provisions
 
 **Want pre-release / rc modules?** Set `PARACHUTE_INSTALL_CHANNEL=rc` in your Render dashboard env vars (useful for dev/testing against the rc release line).
 
-After deploy:
+After deploy completes:
 
-1. Open your Render service URL → wizard runs at `/admin/setup`
-2. Set custom domain (optional) → set `PARACHUTE_HUB_ORIGIN` env to match
-3. Install modules via the admin SPA at `/admin/modules` (or via the wizard)
+1. Open Render Logs → search for `parachute-bootstrap-` to find your one-time admin setup token (printed in a prominent banner on first boot).
+2. Visit your Render service URL's `/admin/setup` → paste the token → create your admin account.
+3. Set custom domain (optional) → set `PARACHUTE_HUB_ORIGIN` env to match.
+4. Install modules via the admin SPA at `/admin/modules` (or via the wizard).
+
+Operators who want env-var-driven seeding (CI, scripted deploys) can still set `PARACHUTE_INITIAL_ADMIN_USERNAME` + `PARACHUTE_INITIAL_ADMIN_PASSWORD` manually in the Render dashboard — hub honors them when present.
 
 Render's docs on Blueprints: <https://render.com/docs/blueprint-spec>
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openparachute/hub",
-  "version": "0.5.13-rc.23",
+  "version": "0.5.13-rc.29",
   "description": "parachute — the local hub for the Parachute ecosystem (discovery, ports, lifecycle, soon OAuth).",
   "license": "AGPL-3.0",
   "publishConfig": {

package/src/__tests__/hub-origin-resolution.test.ts

@@ -117,6 +117,56 @@ describe("resolveIssuer — precedence chain", () => {
     // Pass 3 — back to request origin.
     expect(resolveIssuer(req(baseUrl), db, undefined)).toBe("http://127.0.0.1:1939");
   });
+
+  test("X-Forwarded-Proto: https upgrades the request-origin fallback", () => {
+    // Render / Tailscale Funnel / cloudflared terminate TLS at the edge
+    // and forward plain HTTP. Without honoring the header, hub publishes
+    // `http://...` in OAuth discovery — mixed-content blocked when the
+    // page loaded over https://. See hub#355 (the notes app's
+    // /oauth/register call surfaced this).
+    const r = new Request("http://parachute-hub.onrender.com/.well-known/oauth-authorization-server", {
+      method: "GET",
+      headers: { "X-Forwarded-Proto": "https" },
+    });
+    expect(resolveIssuer(r, db, undefined)).toBe("https://parachute-hub.onrender.com");
+  });
+
+  test("X-Forwarded-Proto with comma-separated values takes the first", () => {
+    // Multi-hop proxies append; the leftmost is the original client → edge
+    // hop. RFC-style parsing (consistent with isHttpsRequest).
+    const r = new Request("http://hub.internal/oauth/token", {
+      method: "GET",
+      headers: { "X-Forwarded-Proto": "https, http" },
+    });
+    expect(resolveIssuer(r, db, undefined)).toBe("https://hub.internal");
+  });
+
+  test("missing X-Forwarded-Proto leaves the URL scheme as-is (localhost dev)", () => {
+    // No reverse proxy → no header → keep http for the local-dev shape.
+    // Operators on plain HTTP localhost depend on this.
+    const r = new Request("http://127.0.0.1:1939/oauth/token", { method: "GET" });
+    expect(resolveIssuer(r, db, undefined)).toBe("http://127.0.0.1:1939");
+  });
+
+  test("X-Forwarded-Proto is IGNORED when hub_settings or env wins", () => {
+    // Precedence guard: X-Forwarded-Proto should only affect the
+    // request-origin fallback branch. Explicit operator config
+    // (settings row, env var) always wins as-is, including its scheme.
+    // Without this guard, a future refactor could accidentally let the
+    // header override an operator's deliberate choice.
+    const r = new Request("http://hub.internal/oauth/token", {
+      method: "GET",
+      headers: { "X-Forwarded-Proto": "https" },
+    });
+
+    // Env layer wins, even though the header says https — the env value
+    // is returned verbatim (preserving whatever scheme the operator set).
+    expect(resolveIssuer(r, db, "http://configured.example")).toBe("http://configured.example");
+
+    // Settings layer wins above env, also verbatim.
+    setHubOrigin(db, "http://settings.example");
+    expect(resolveIssuer(r, db, "https://env.example")).toBe("http://settings.example");
+  });
 });
 
 describe("resolveIssuerSource — attribution for SPA", () => {

package/src/__tests__/serve.test.ts

@@ -184,6 +184,15 @@ describe("formatBootstrapTokenBanner", () => {
       expect(line.startsWith("[wizard]")).toBe(true);
     }
   });
+
+  test("uses ═ delimiters and an ALL-CAPS heading so operators spot the block in log viewers", () => {
+    const banner = formatBootstrapTokenBanner("parachute-bootstrap-visual-token");
+    // The ═ box-drawing char is the visual cue an operator scrolling
+    // Render's log tab keys off; this assertion locks the new shape so
+    // a stylistic regression doesn't silently demote the banner.
+    expect(banner).toContain("═");
+    expect(banner).toContain("PARACHUTE BOOTSTRAP TOKEN");
+  });
 });
 
 // --- bootstrap-token generation under needs-setup (Issue 1 wiring) -------

package/src/__tests__/spawn-env-propagation.test.ts

@@ -0,0 +1,78 @@
+/**
+ * Regression test for hub#349: Bun.spawn defaults to an EMPTY env, which meant
+ * subprocess `bun add -g` didn't see TMPDIR, BUN_INSTALL, or any other env vars
+ * set by the Dockerfile / Render env. All `defaultRun`-style helpers were
+ * updated to pass `env: process.env`.
+ *
+ * This test asserts that property end-to-end: spawn a real child via `bun -e`
+ * and have it print one parent-set env var. Pre-fix, the child would not see
+ * the var; post-fix, it does.
+ *
+ * We exercise the production path by importing one representative helper.
+ * The full set of seven explicit + several inherited fix sites all use the
+ * same `env: process.env` pattern; testing one is sufficient to lock the
+ * pattern in place — the others are mechanical applications of it.
+ */
+import { describe, expect, test } from "bun:test";
+
+describe("Bun.spawn env propagation (hub#349)", () => {
+  test("child process sees parent env when defaultRun-style helper is used", async () => {
+    // Unique marker so we can't false-positive against leftover env from
+    // another test or the harness itself.
+    const markerKey = "PARACHUTE_HUB_SPAWN_ENV_TEST_MARKER";
+    const markerValue = `marker-${Date.now()}-${Math.random().toString(36).slice(2)}`;
+
+    const originalValue = process.env[markerKey];
+    process.env[markerKey] = markerValue;
+    try {
+      // Spawn a child the same way every defaultRun helper does:
+      // `env: process.env`. The child prints its view of the marker var.
+      const proc = Bun.spawn(
+        ["bun", "-e", `process.stdout.write(process.env.${markerKey} ?? "MISSING")`],
+        {
+          stdout: "pipe",
+          stderr: "pipe",
+          env: process.env,
+        },
+      );
+      const stdout = await new Response(proc.stdout).text();
+      const exitCode = await proc.exited;
+
+      expect(exitCode).toBe(0);
+      expect(stdout).toBe(markerValue);
+    } finally {
+      if (originalValue === undefined) delete process.env[markerKey];
+      else process.env[markerKey] = originalValue;
+    }
+  });
+
+  test("child process does NOT see parent env when env is omitted (negative control)", async () => {
+    // The bug we're guarding against: without `env: process.env`, Bun.spawn
+    // hands the child an empty env. This test pins the failure mode so a
+    // future regression (someone removing `env: process.env`) is caught here,
+    // not in production on Render.
+    const markerKey = "PARACHUTE_HUB_SPAWN_ENV_TEST_MARKER_NEG";
+    const markerValue = `marker-${Date.now()}`;
+
+    const originalValue = process.env[markerKey];
+    process.env[markerKey] = markerValue;
+    try {
+      const proc = Bun.spawn(
+        ["bun", "-e", `process.stdout.write(process.env.${markerKey} ?? "MISSING")`],
+        {
+          stdout: "pipe",
+          stderr: "pipe",
+          // intentionally NO env: process.env
+        },
+      );
+      const stdout = await new Response(proc.stdout).text();
+      const exitCode = await proc.exited;
+
+      expect(exitCode).toBe(0);
+      expect(stdout).toBe("MISSING");
+    } finally {
+      if (originalValue === undefined) delete process.env[markerKey];
+      else process.env[markerKey] = originalValue;
+    }
+  });
+});

package/src/admin-vaults.ts

@@ -206,7 +206,12 @@ function buildEntry(
 }
 
 async function defaultRunCommand(cmd: readonly string[]): Promise<RunResult> {
-  const proc = Bun.spawn([...cmd], { stdio: ["ignore", "pipe", "pipe"] });
+  // Inherit env so the child sees PATH, HOME, BUN_INSTALL, etc. Bun.spawn
+  // defaults to empty env — see api-modules-ops.ts:defaultRun for the rationale.
+  const proc = Bun.spawn([...cmd], {
+    stdio: ["ignore", "pipe", "pipe"],
+    env: process.env,
+  });
   // Drain both pipes in parallel — leaving stderr unread can deadlock long
   // installs once the OS pipe buffer fills (#97). Captured stderr is folded
   // into the orchestration error message on non-zero exit.

package/src/api-modules-ops.ts

@@ -322,7 +322,14 @@ async function resolveSpawnSpec(
 }
 
 function defaultRun(cmd: readonly string[]): Promise<number> {
-  const proc = Bun.spawn([...cmd], { stdio: ["ignore", "inherit", "inherit"] });
+  // Inherit env so child `bun add` sees TMPDIR, BUN_INSTALL, PARACHUTE_*,
+  // etc. set by the Dockerfile / Render env. Bun.spawn defaults to empty
+  // env — without this, bun-add fails with cross-mount rename errors on
+  // Render (where TMPDIR points at the persistent disk). See hub#349.
+  const proc = Bun.spawn([...cmd], {
+    stdio: ["ignore", "inherit", "inherit"],
+    env: process.env,
+  });
   return proc.exited;
 }
 

package/src/commands/auth.ts

@@ -60,7 +60,13 @@ export interface Runner {
 
 export const defaultRunner: Runner = {
   async run(cmd) {
-    const proc = Bun.spawn([...cmd], { stdio: ["inherit", "inherit", "inherit"] });
+    // Inherit env so the child (e.g. parachute-vault subprocess) sees PATH,
+    // HOME, PARACHUTE_HOME, etc. Bun.spawn defaults to empty env — see
+    // api-modules-ops.ts:defaultRun.
+    const proc = Bun.spawn([...cmd], {
+      stdio: ["inherit", "inherit", "inherit"],
+      env: process.env,
+    });
     return await proc.exited;
   },
 };

package/src/commands/expose-auth-preflight.ts

@@ -26,7 +26,12 @@ import { type VaultAuthStatus, readVaultAuthStatus } from "../vault/auth-status.
 export type InteractiveRunner = (cmd: readonly string[]) => Promise<number>;
 
 const defaultInteractiveRunner: InteractiveRunner = async (cmd) => {
-  const proc = Bun.spawn([...cmd], { stdio: ["inherit", "inherit", "inherit"] });
+  // Inherit env so subprocesses see PATH (to find `tailscale`), HOME, etc.
+  // Bun.spawn defaults to empty env — see api-modules-ops.ts:defaultRun.
+  const proc = Bun.spawn([...cmd], {
+    stdio: ["inherit", "inherit", "inherit"],
+    env: process.env,
+  });
   return await proc.exited;
 };
 

package/src/commands/expose-cloudflare.ts

@@ -69,7 +69,12 @@ export const defaultCloudflaredSpawner: CloudflaredSpawner = {
   spawn(cmd, logFile) {
     mkdirSync(dirname(logFile), { recursive: true });
     const fd = openSync(logFile, "a");
-    const proc = Bun.spawn([...cmd], { stdio: ["ignore", fd, fd] });
+    // Inherit env so cloudflared sees HOME (where it reads ~/.cloudflared/),
+    // PATH, etc. Bun.spawn defaults to empty env — see api-modules-ops.ts.
+    const proc = Bun.spawn([...cmd], {
+      stdio: ["ignore", fd, fd],
+      env: process.env,
+    });
     proc.unref();
     return proc.pid;
   },

package/src/commands/expose-interactive.ts

@@ -46,7 +46,13 @@ import { type ExposeOpts, exposePublic } from "./expose.ts";
 export type InteractiveRunner = (cmd: readonly string[]) => Promise<number>;
 
 const defaultInteractiveRunner: InteractiveRunner = async (cmd) => {
-  const proc = Bun.spawn([...cmd], { stdio: ["inherit", "inherit", "inherit"] });
+  // Inherit env so interactive subprocesses (e.g. `brew install cloudflared`,
+  // `cloudflared tunnel login`) see PATH, HOME, etc. Bun.spawn defaults to
+  // empty env — see api-modules-ops.ts:defaultRun.
+  const proc = Bun.spawn([...cmd], {
+    stdio: ["inherit", "inherit", "inherit"],
+    env: process.env,
+  });
   return await proc.exited;
 };
 

package/src/commands/install.ts

@@ -250,7 +250,13 @@ export interface InstallOpts {
 }
 
 async function defaultRunner(cmd: readonly string[]): Promise<number> {
-  const proc = Bun.spawn([...cmd], { stdio: ["inherit", "inherit", "inherit"] });
+  // Inherit env (TMPDIR, BUN_INSTALL, PATH, HOME, PARACHUTE_*, etc.) — see
+  // api-modules-ops.ts:defaultRun for the rationale. Same Bun.spawn-defaults-
+  // to-empty-env bug; same one-line fix. See hub#349.
+  const proc = Bun.spawn([...cmd], {
+    stdio: ["inherit", "inherit", "inherit"],
+    env: process.env,
+  });
   return await proc.exited;
 }
 

package/src/commands/lifecycle.ts

@@ -67,6 +67,10 @@ export const defaultSpawner: Spawner = {
       // wrapped startCmds like `pnpm exec tsx server.ts` leave the tsx
       // grandchild bound to the port after stop → restart hits EADDRINUSE.
       detached: true,
+      // Inherit env so child sees PATH, HOME, PARACHUTE_HOME, etc.
+      // Bun.spawn defaults to empty env — see api-modules-ops.ts:defaultRun.
+      // Per-call `opts.env` overrides merge on top below.
+      env: process.env,
     };
     if (opts?.env) spawnOpts.env = { ...process.env, ...opts.env };
     if (opts?.cwd) spawnOpts.cwd = opts.cwd;
@@ -647,7 +651,12 @@ export async function logs(svc: string, opts: LogsOpts = {}): Promise<number> {
   if (follow) {
     const spawner = opts.tailSpawner ?? {
       spawn(cmd) {
-        const proc = Bun.spawn([...cmd], { stdio: ["ignore", "inherit", "inherit"] });
+        // Inherit env so `tail` sees PATH, etc. Bun.spawn defaults to empty
+        // env — see api-modules-ops.ts:defaultRun.
+        const proc = Bun.spawn([...cmd], {
+          stdio: ["ignore", "inherit", "inherit"],
+          env: process.env,
+        });
         return proc.pid;
       },
     };

package/src/commands/serve.ts

@@ -149,16 +149,26 @@ export async function seedInitialAdminIfNeeded(
  * the token can't proceed; an attacker who reads it before the
  * operator wins the race).
  */
-export function formatBootstrapTokenBanner(token: string): string {
+export function formatBootstrapTokenBanner(token: string, hubUrl?: string): string {
+  const rule = "═".repeat(64);
+  // Substitute the actual hub URL when known (PARACHUTE_HUB_ORIGIN). Operators
+  // staring at the banner in Render Logs shouldn't have to figure out their
+  // own URL — show the literal placeholder only when the issuer isn't set.
+  const url = hubUrl && hubUrl.length > 0 ? hubUrl.replace(/\/+$/, "") : "<hub-url>";
   return [
-    "[wizard] No admin exists — wizard mode active. To claim ownership of this hub:",
-    "[wizard]   1. Visit http://localhost:1939/admin/setup (or your deployed URL)",
-    "[wizard]   2. Paste this bootstrap token into the form:",
+    "[wizard]",
+    `[wizard] ${rule}`,
+    "[wizard]   PARACHUTE BOOTSTRAP TOKEN",
+    `[wizard] ${rule}`,
     "[wizard]",
     `[wizard]   ${token}`,
     "[wizard]",
-    "[wizard] This token grants permission to create the first admin. It expires when",
-    "[wizard] admin is created OR when hub restarts.",
+    `[wizard]   → Visit ${url}/admin/setup and paste this token to create`,
+    "[wizard]     your admin account.",
+    "[wizard]   → Expires when admin is created OR when hub restarts.",
+    "[wizard]",
+    `[wizard] ${rule}`,
+    "[wizard]",
   ].join("\n");
 }
 
@@ -199,14 +209,14 @@ export async function serve(opts: ServeOpts = {}): Promise<{
 
   if (adminBootstrap === "needs-setup") {
     log(
-      "parachute serve: no admin account configured. Set PARACHUTE_INITIAL_ADMIN_USERNAME + PARACHUTE_INITIAL_ADMIN_PASSWORD, or visit /admin/setup once the hub is reachable.",
+      "parachute serve: no admin account configured. Visit /admin/setup once the hub is reachable, or seed via PARACHUTE_INITIAL_ADMIN_USERNAME + PARACHUTE_INITIAL_ADMIN_PASSWORD env vars for scripted deploys.",
     );
     // Mint a bootstrap token + log it. The wizard's account POST will
     // require this token, so an attacker who beats the operator to the
     // freshly-provisioned URL still can't claim the admin row without
     // shell access to the platform's startup logs.
     const token = generateBootstrapToken();
-    log(formatBootstrapTokenBanner(token));
+    log(formatBootstrapTokenBanner(token, issuer));
   }
 
   const supervisor = opts.supervisor ?? new Supervisor();

package/src/commands/upgrade.ts

@@ -74,17 +74,22 @@ export interface UpgradeRunner {
 
 export const defaultRunner: UpgradeRunner = {
   async run(cmd, opts) {
+    // Inherit env so `bun add -g` etc. see TMPDIR, BUN_INSTALL, PATH, HOME.
+    // Bun.spawn defaults to empty env — see api-modules-ops.ts:defaultRun.
     const proc = Bun.spawn([...cmd], {
       cwd: opts?.cwd,
       stdio: ["inherit", "inherit", "inherit"],
+      env: process.env,
     });
     return await proc.exited;
   },
   async capture(cmd, opts) {
+    // Inherit env — same rationale as `run` above.
     const proc = Bun.spawn([...cmd], {
       cwd: opts?.cwd,
       stdout: "pipe",
       stderr: "pipe",
+      env: process.env,
     });
     const [stdout, stderr] = await Promise.all([
       new Response(proc.stdout).text(),

package/src/commands/vault-tokens-create-interactive.ts

@@ -30,7 +30,13 @@ import { createInterface } from "node:readline/promises";
 export type InteractiveRunner = (cmd: readonly string[]) => Promise<number>;
 
 const defaultInteractiveRunner: InteractiveRunner = async (cmd) => {
-  const proc = Bun.spawn([...cmd], { stdio: ["inherit", "inherit", "inherit"] });
+  // Inherit env so the child (parachute-vault subprocess) sees PATH, HOME,
+  // PARACHUTE_HOME, etc. Bun.spawn defaults to empty env — see
+  // api-modules-ops.ts:defaultRun.
+  const proc = Bun.spawn([...cmd], {
+    stdio: ["inherit", "inherit", "inherit"],
+    env: process.env,
+  });
   return await proc.exited;
 };
 

package/src/commands/vault.ts

@@ -2,6 +2,9 @@ export async function dispatchVault(args: readonly string[]): Promise<number> {
   try {
     const proc = Bun.spawn(["parachute-vault", ...args], {
       stdio: ["inherit", "inherit", "inherit"],
+      // Inherit env so parachute-vault sees PATH, HOME, PARACHUTE_HOME, etc.
+      // Bun.spawn defaults to empty env — see api-modules-ops.ts:defaultRun.
+      env: process.env,
     });
     return await proc.exited;
   } catch (err) {

package/src/hub-control.ts

@@ -74,7 +74,12 @@ export interface HubSpawner {
 export const defaultHubSpawner: HubSpawner = {
   spawn(cmd, logFile) {
     const fd = openSync(logFile, "a");
-    const proc = Bun.spawn([...cmd], { stdio: ["ignore", fd, fd] });
+    // Inherit env so the hub child process sees PATH, HOME, PARACHUTE_HOME,
+    // etc. Bun.spawn defaults to empty env — see api-modules-ops.ts.
+    const proc = Bun.spawn([...cmd], {
+      stdio: ["ignore", fd, fd],
+      env: process.env,
+    });
     proc.unref();
     return proc.pid;
   },

package/src/hub-server.ts

@@ -167,6 +167,7 @@ import {
 } from "./oauth-handlers.ts";
 import { buildHubBoundOrigins } from "./origin-check.ts";
 import { clearPid, writePid } from "./process-state.ts";
+import { isHttpsRequest } from "./request-protocol.ts";
 import {
   FIRST_PARTY_FALLBACKS,
   KNOWN_MODULES,
@@ -944,7 +945,24 @@ export function resolveIssuer(
     if (stored) return stored;
   }
   if (configuredIssuer) return configuredIssuer;
-  return new URL(req.url).origin;
+  // Reverse-proxy aware: Render / Tailscale Funnel / cloudflared terminate
+  // TLS at the edge and forward plain HTTP to hub. Without X-Forwarded-Proto
+  // honoring, `req.url.origin` is `http://...` and hub publishes mixed-content
+  // URLs in OAuth discovery (`registration_endpoint`, `authorization_endpoint`,
+  // etc.) — browsers block them when the page itself loaded over https://.
+  // The `isHttpsRequest` helper is the canonical place where this trust
+  // is established (also used for the Secure cookie attribute).
+  //
+  // We do NOT honor X-Forwarded-Host. Render, Tailscale Funnel, and
+  // cloudflared all preserve the Host header end-to-end, so `req.url`'s
+  // host already reflects the public hostname. Operators on a proxy that
+  // rewrites Host (some nginx / Caddy configs) should set hub_origin via
+  // the admin SPA — that path bypasses this fallback entirely.
+  const url = new URL(req.url);
+  if (isHttpsRequest(req)) {
+    url.protocol = "https:";
+  }
+  return url.origin;
 }
 
 /**

package/src/supervisor.ts

@@ -403,6 +403,10 @@ async function pumpLines(
 const defaultSpawnFn: SpawnFn = (req) => {
   const spawnOpts: Parameters<typeof Bun.spawn>[1] = {
     stdio: ["ignore", "pipe", "pipe"],
+    // Inherit env so supervised module sees PATH, HOME, PARACHUTE_HOME, etc.
+    // Bun.spawn defaults to empty env — see api-modules-ops.ts:defaultRun.
+    // Per-call `req.env` overrides merge on top below.
+    env: process.env,
   };
   if (req.cwd) spawnOpts.cwd = req.cwd;
   if (req.env) spawnOpts.env = { ...process.env, ...req.env };

package/src/tailscale/run.ts

@@ -7,7 +7,13 @@ export interface CommandResult {
 export type Runner = (cmd: readonly string[]) => Promise<CommandResult>;
 
 export async function defaultRunner(cmd: readonly string[]): Promise<CommandResult> {
-  const proc = Bun.spawn([...cmd], { stdout: "pipe", stderr: "pipe" });
+  // Inherit env so `tailscale` sees PATH (and HOME for state dir). Bun.spawn
+  // defaults to empty env — see api-modules-ops.ts:defaultRun for rationale.
+  const proc = Bun.spawn([...cmd], {
+    stdout: "pipe",
+    stderr: "pipe",
+    env: process.env,
+  });
   const [stdout, stderr, code] = await Promise.all([
     new Response(proc.stdout).text(),
     new Response(proc.stderr).text(),