@openparachute/hub 0.5.13-rc.29 → 0.5.13-rc.34

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openparachute/hub",
-  "version": "0.5.13-rc.29",
+  "version": "0.5.13-rc.34",
   "description": "parachute — the local hub for the Parachute ecosystem (discovery, ports, lifecycle, soon OAuth).",
   "license": "AGPL-3.0",
   "publishConfig": {

package/src/__tests__/api-modules-ops.test.ts

@@ -1005,6 +1005,44 @@ describe("well-known regen after module ops", () => {
     expect(doc.vaults.some((v) => v.name === "default")).toBe(true);
   });
 
+  test("runInstall sets PORT in child env from services.json entry (hub#356)", async () => {
+    // Container deploys (Render / etc.) set PORT in hub's env via the
+    // Dockerfile / platform. Without explicit override at spawn time, every
+    // supervised child inherits hub's PORT via `env: process.env` and tries
+    // to bind hub's own port — EADDRINUSE → crashloop → supervisor gives up.
+    // Regression guard: the spawn captures the child's services.json port.
+    const { supervisor, spawns } = makeIdleSupervisor();
+    const { run } = alwaysOkRun();
+    const wkPath = join(h.dir, "well-known.json");
+    const install = fakeInstall("@openparachute/vault", {
+      name: "vault",
+      manifestName: "parachute-vault",
+      port: 1940,
+      paths: ["/vault/default"],
+      health: "/vault/default/health",
+    });
+    const bearer = await mintBearer(h, [API_MODULES_OPS_REQUIRED_SCOPE]);
+    const deps = {
+      db: h.db,
+      issuer: ISSUER,
+      manifestPath: h.manifestPath,
+      configDir: h.dir,
+      supervisor,
+      run,
+      findGlobalInstall: install.findGlobalInstall,
+      readModuleManifest: install.readModuleManifest,
+      wellKnownPath: wkPath,
+    };
+    await handleInstall(
+      postReq("/api/modules/vault/install", { authorization: `Bearer ${bearer}` }),
+      "vault",
+      deps,
+    );
+    await new Promise((r) => setTimeout(r, 10));
+    expect(spawns.length).toBe(1);
+    expect(spawns[0]?.env?.PORT).toBe("1940");
+  });
+
   test("runInstall failure: bun add fails -> no well-known regen (no partial state)", async () => {
     const { supervisor } = makeIdleSupervisor();
     const wkPath = join(h.dir, "well-known.json");

package/src/__tests__/hub-server.test.ts

@@ -80,13 +80,24 @@ describe("hubFetch routing", () => {
     // hub#259 rc.6: requires an admin row to bypass the fresh-hub
     // funnel redirect to /admin/setup (Bug 2 fix). Seed one so this
     // test continues to exercise the signed-out-but-setup-done branch.
+    //
+    // Hub also funnels to /admin/setup when no vault is installed
+    // (env-seed case). Pass an explicit manifestPath + seed a vault row
+    // so the funnel sees an installed vault and lets the discovery page
+    // render. Without this, the manifestPath default falls back to
+    // `~/.parachute/services.json` — which works on a dev box with an
+    // installed vault but fails in CI with a 302 wizard redirect.
     const h = makeHarness();
     try {
+      writeManifest({ services: [vaultEntry("default")] }, h.manifestPath);
       const db = openHubDb(hubDbPath(h.dir));
       try {
         const { createUser } = await import("../users.ts");
         await createUser(db, "owner", "pw");
-        const res = await hubFetch(h.dir, { getDb: () => db })(req("/"));
+        const res = await hubFetch(h.dir, {
+          getDb: () => db,
+          manifestPath: h.manifestPath,
+        })(req("/"));
         expect(res.status).toBe(200);
         expect(res.headers.get("content-type")).toBe("text/html; charset=utf-8");
         const body = await res.text();
@@ -102,8 +113,12 @@ describe("hubFetch routing", () => {
   });
 
   test("/ renders 'Signed in as <name>' + sign-out form when session cookie is active (rc.13)", async () => {
+    // Same wizard-funnel bypass as the signed-out test above — seed a
+    // vault row and pass an explicit manifestPath so CI doesn't fall back
+    // to ~/.parachute/services.json.
     const h = makeHarness();
     try {
+      writeManifest({ services: [vaultEntry("default")] }, h.manifestPath);
       const db = openHubDb(hubDbPath(h.dir));
       try {
         const { createUser } = await import("../users.ts");
@@ -113,7 +128,10 @@ describe("hubFetch routing", () => {
         const user = await createUser(db, "aaron", "pw");
         const session = createSession(db, { userId: user.id });
         const cookie = buildSessionCookie(session.id, Math.floor(SESSION_TTL_MS / 1000));
-        const res = await hubFetch(h.dir, { getDb: () => db })(req("/", { headers: { cookie } }));
+        const res = await hubFetch(h.dir, {
+          getDb: () => db,
+          manifestPath: h.manifestPath,
+        })(req("/", { headers: { cookie } }));
         expect(res.status).toBe(200);
         const body = await res.text();
         expect(body).toContain("Signed in as");
@@ -1390,7 +1408,8 @@ describe("hubFetch /vault/<name>/* dynamic proxy (#144)", () => {
       fetch: async (req) => {
         const u = new URL(req.url);
         // Echo enough metadata for tests to verify path + method + body
-        // arrive intact end-to-end.
+        // arrive intact end-to-end. Also echo X-Forwarded-* headers so
+        // tests can assert hub forwards proxy hints (hub#358).
         const body = req.body ? await req.text() : "";
         return new Response(
           JSON.stringify({
@@ -1399,6 +1418,8 @@ describe("hubFetch /vault/<name>/* dynamic proxy (#144)", () => {
             pathname: u.pathname,
             search: u.search,
             body,
+            forwardedHost: req.headers.get("x-forwarded-host"),
+            forwardedProto: req.headers.get("x-forwarded-proto"),
           }),
           { status: 200, headers: { "content-type": "application/json" } },
         );
@@ -1409,6 +1430,164 @@ describe("hubFetch /vault/<name>/* dynamic proxy (#144)", () => {
     return { port: server.port as number, stop: () => server.stop(true) };
   }
 
+  test("forwards X-Forwarded-Host + X-Forwarded-Proto to upstream (hub#358)", async () => {
+    // Container deploys: supervised modules (vault, scribe, app) reverse-
+    // proxy through hub. They need the public origin to construct OAuth
+    // discovery metadata and redirect URIs. Without forwarded headers,
+    // they fall back to their internal loopback URL — breaking OAuth
+    // flows for clients that landed on a hub-proxied URL.
+    const h = makeHarness();
+    const upstream = startUpstream("hdr-test");
+    try {
+      writeManifest(
+        {
+          services: [
+            {
+              name: "parachute-vault",
+              port: upstream.port,
+              paths: ["/vault/default"],
+              health: "/vault/default/health",
+              version: "0.4.0",
+            },
+          ],
+        },
+        h.manifestPath,
+      );
+      const fetcher = hubFetch(h.dir, { manifestPath: h.manifestPath });
+      // Simulate Render-shape: page came in over HTTPS at parachute-hub.onrender.com
+      // Render terminates TLS and sets X-Forwarded-Proto: https; the Host
+      // header is preserved as the public hostname.
+      const incoming = new Request("http://parachute-hub.onrender.com/vault/default/.well-known/oauth-authorization-server", {
+        headers: {
+          host: "parachute-hub.onrender.com",
+          "x-forwarded-proto": "https",
+        },
+      });
+      const res = await fetcher(incoming);
+      expect(res.status).toBe(200);
+      const body = (await res.json()) as { forwardedHost: string; forwardedProto: string };
+      // Hub captured the public Host and forwarded it as X-Forwarded-Host.
+      expect(body.forwardedHost).toBe("parachute-hub.onrender.com");
+      // X-Forwarded-Proto preserved (edge already set it).
+      expect(body.forwardedProto).toBe("https");
+    } finally {
+      upstream.stop();
+      h.cleanup();
+    }
+  });
+
+  test("synthesizes X-Forwarded-Proto when edge didn't set it (direct HTTPS to hub)", async () => {
+    // Non-Render shape: hub bound directly to https (e.g. local TLS or a
+    // proxy that doesn't set X-Forwarded-Proto). isHttpsRequest sees the
+    // URL's https scheme; proxyRequest synthesizes X-Forwarded-Proto.
+    const h = makeHarness();
+    const upstream = startUpstream("hdr-test");
+    try {
+      writeManifest(
+        {
+          services: [
+            {
+              name: "parachute-vault",
+              port: upstream.port,
+              paths: ["/vault/default"],
+              health: "/vault/default/health",
+              version: "0.4.0",
+            },
+          ],
+        },
+        h.manifestPath,
+      );
+      const fetcher = hubFetch(h.dir, { manifestPath: h.manifestPath });
+      const incoming = new Request("https://hub.example.com/vault/default/health", {
+        headers: { host: "hub.example.com" },
+      });
+      const res = await fetcher(incoming);
+      const body = (await res.json()) as { forwardedHost: string; forwardedProto: string };
+      expect(body.forwardedHost).toBe("hub.example.com");
+      expect(body.forwardedProto).toBe("https");
+    } finally {
+      upstream.stop();
+      h.cleanup();
+    }
+  });
+
+  test("synthesizes X-Forwarded-Proto=http when neither edge nor URL signal HTTPS", async () => {
+    // Plain-HTTP path: no edge, no https URL scheme. isHttpsRequest returns
+    // false; proxyRequest synthesizes "http". This is local-dev shape.
+    const h = makeHarness();
+    const upstream = startUpstream("hdr-test");
+    try {
+      writeManifest(
+        {
+          services: [
+            {
+              name: "parachute-vault",
+              port: upstream.port,
+              paths: ["/vault/default"],
+              health: "/vault/default/health",
+              version: "0.4.0",
+            },
+          ],
+        },
+        h.manifestPath,
+      );
+      const fetcher = hubFetch(h.dir, { manifestPath: h.manifestPath });
+      const incoming = new Request("http://127.0.0.1:1939/vault/default/health", {
+        headers: { host: "127.0.0.1:1939" },
+      });
+      const res = await fetcher(incoming);
+      const body = (await res.json()) as { forwardedProto: string };
+      expect(body.forwardedProto).toBe("http");
+    } finally {
+      upstream.stop();
+      h.cleanup();
+    }
+  });
+
+  test("preserves X-Forwarded-Host when edge already set it (nested-proxy chain)", async () => {
+    // Multi-hop chain: client → edge proxy → hub → upstream. Edge captures
+    // the original host as X-Forwarded-Host before its own host-rewrite;
+    // hub MUST preserve that, not overwrite with its own incoming Host
+    // (which may be the edge's hostname). "Don't clobber" semantics.
+    const h = makeHarness();
+    const upstream = startUpstream("hdr-test");
+    try {
+      writeManifest(
+        {
+          services: [
+            {
+              name: "parachute-vault",
+              port: upstream.port,
+              paths: ["/vault/default"],
+              health: "/vault/default/health",
+              version: "0.4.0",
+            },
+          ],
+        },
+        h.manifestPath,
+      );
+      const fetcher = hubFetch(h.dir, { manifestPath: h.manifestPath });
+      // Edge already labeled the canonical hop: original-client.example
+      // (this is what an HTTPS termination proxy in front of hub would set).
+      const incoming = new Request("http://edge.local/vault/default/health", {
+        headers: {
+          host: "edge.local",
+          "x-forwarded-host": "original-client.example",
+          "x-forwarded-proto": "https",
+        },
+      });
+      const res = await fetcher(incoming);
+      const body = (await res.json()) as { forwardedHost: string; forwardedProto: string };
+      // Edge's X-Forwarded-Host preserved verbatim, NOT clobbered by the
+      // edge.local Host that hub itself saw.
+      expect(body.forwardedHost).toBe("original-client.example");
+      expect(body.forwardedProto).toBe("https");
+    } finally {
+      upstream.stop();
+      h.cleanup();
+    }
+  });
+
   test("proxies a /vault/<name>/* request to the matching upstream", async () => {
     const h = makeHarness();
     const upstream = startUpstream("default-vault");

package/src/__tests__/lifecycle.test.ts

@@ -342,7 +342,10 @@ describe("parachute start", () => {
         log: () => {},
       });
       expect(code).toBe(0);
+      // PORT is always set by `parachute start` (hub#356) from the
+      // services.json entry. PARACHUTE_HUB_ORIGIN comes from expose-state.
       expect(spawner.calls[0]?.env).toEqual({
+        PORT: "1940",
         PARACHUTE_HUB_ORIGIN: "https://parachute.taildf9ce2.ts.net",
       });
     } finally {
@@ -364,6 +367,7 @@ describe("parachute start", () => {
       });
       expect(code).toBe(0);
       expect(spawner.calls[0]?.env).toEqual({
+        PORT: "1940",
         PARACHUTE_HUB_ORIGIN: "http://127.0.0.1:1939",
       });
     } finally {
@@ -398,6 +402,7 @@ describe("parachute start", () => {
       });
       expect(code).toBe(0);
       expect(spawner.calls[0]?.env).toEqual({
+        PORT: "1940",
         PARACHUTE_HUB_ORIGIN: "https://override.example.com",
       });
     } finally {
@@ -417,7 +422,11 @@ describe("parachute start", () => {
         log: () => {},
       });
       expect(code).toBe(0);
-      expect(spawner.calls[0]?.env).toBeUndefined();
+      // PORT is always set (hub#356) — even with no override, no exposure,
+      // and no hub.port file, the spawn env carries the canonical PORT
+      // from services.json. Test renamed from "omits env" to reflect
+      // the new minimum-env shape.
+      expect(spawner.calls[0]?.env).toEqual({ PORT: "1940" });
     } finally {
       h.cleanup();
     }
@@ -453,6 +462,7 @@ describe("parachute start", () => {
       });
       expect(code).toBe(0);
       expect(spawner.calls[0]?.env).toEqual({
+        PORT: "1943",
         GROQ_API_KEY: "gsk_real_value",
         QUOTED: "quoted_val",
       });
@@ -483,6 +493,7 @@ describe("parachute start", () => {
       });
       expect(code).toBe(0);
       expect(spawner.calls[0]?.env).toEqual({
+        PORT: "1940",
         SCRIBE_AUTH_TOKEN: "secret",
         PARACHUTE_HUB_ORIGIN: "https://live.example.com",
       });

package/src/__tests__/serve-boot.test.ts

@@ -121,6 +121,27 @@ describe("bootSupervisedModules", () => {
     expect(recorder.calls[0]?.env?.PARACHUTE_HUB_ORIGIN).toBe("https://hub.example");
   });
 
+  test("sets PORT in child env from services.json entry (hub#357)", async () => {
+    // Container deploys (Render etc.) set PORT in hub's process.env via
+    // Dockerfile / platform injection. The supervisor's defaultSpawnFn
+    // passes `env: process.env` so children inherit hub's PORT and try
+    // to bind hub's own port → EADDRINUSE crashloop. This boot path
+    // (called on hub startup to re-spawn supervised modules from
+    // services.json) was missed by hub#356 which only fixed the
+    // install-time + lifecycle paths. Third spawn site, same fix shape.
+    writeManifest({ services: [VAULT_ENTRY] }, h.manifestPath);
+    const recorder = makeRecorder();
+    const sup = new Supervisor({ spawnFn: recorder.spawn });
+
+    await bootSupervisedModules(sup, {
+      manifestPath: h.manifestPath,
+      configDir: h.dir,
+    });
+
+    // VAULT_ENTRY's port = 1940 (vault's canonical).
+    expect(recorder.calls[0]?.env?.PORT).toBe("1940");
+  });
+
   test("merges per-module .env file into child env", async () => {
     writeManifest({ services: [VAULT_ENTRY] }, h.manifestPath);
     // Write a per-module .env at <configDir>/<short>/.env — what the

package/src/__tests__/setup-wizard.test.ts

@@ -2143,6 +2143,10 @@ describe("typed vault name (hub#267)", () => {
       const vaultSpawn = spawnRequests.find((s) => s.short === "vault");
       expect(vaultSpawn).toBeDefined();
       expect(vaultSpawn?.env?.PARACHUTE_VAULT_NAME).toBe("smoke-1940");
+      // PORT also injected (hub#356) — supervisor always sets it from the
+      // services.json entry regardless of whether the typed-name path
+      // contributed any additional env vars.
+      expect(vaultSpawn?.env?.PORT).toBe("1940");
     } finally {
       db.close();
     }
@@ -2254,10 +2258,13 @@ describe("typed vault name (hub#267)", () => {
       await new Promise((r) => setTimeout(r, 50));
       const vaultSpawn = spawnRequests.find((s) => s.short === "vault");
       expect(vaultSpawn).toBeDefined();
-      // No env override on the default-name path (vault's
+      // No PARACHUTE_VAULT_NAME override on the default-name path (vault's
       // resolveFirstBootVaultName already defaults to "default" when the
-      // env var is absent, so the override would be redundant).
-      expect(vaultSpawn?.env).toBeUndefined();
+      // env var is absent). PORT is set by the supervisor (hub#356) for
+      // every supervised child regardless — assert the empty-name path
+      // doesn't add PARACHUTE_VAULT_NAME.
+      expect(vaultSpawn?.env?.PARACHUTE_VAULT_NAME).toBeUndefined();
+      expect(vaultSpawn?.env?.PORT).toBe("1940");
     } finally {
       db.close();
     }

package/src/api-modules-ops.ts

@@ -401,11 +401,23 @@ async function spawnSupervised(
   if (!entry) return undefined;
   const cmd = spec.startCmd?.(entry);
   if (!cmd || cmd.length === 0) return undefined;
+  // PORT override (hub#356): in container deploys, hub binds its own port
+  // via the PORT env var (Render sets PORT=$PORT, Dockerfile defaults to
+  // 1939). Bun.spawn's `env: process.env` propagates that PORT to every
+  // supervised child — so vault (which reads `process.env.PORT` in
+  // server.ts:230) tries to bind hub's port and crashes EADDRINUSE.
+  // Explicitly override with the child's services.json port so children
+  // honor their canonical port assignment regardless of hub's PORT.
+  // `deps.spawnEnv` still wins (test seam + first-boot vault-name pass-through).
+  const childEnv: Record<string, string> = {
+    PORT: String(entry.port),
+    ...(deps.spawnEnv ?? {}),
+  };
   const req: SpawnRequest = {
     short,
     cmd,
     ...(entry.installDir ? { cwd: entry.installDir } : {}),
-    ...(deps.spawnEnv && Object.keys(deps.spawnEnv).length > 0 ? { env: deps.spawnEnv } : {}),
+    env: childEnv,
   };
   return deps.supervisor.start(req);
 }

package/src/commands/lifecycle.ts

@@ -436,7 +436,13 @@ export async function start(svc: string | undefined, opts: LifecycleOpts = {}):
     // wrapper for launchd / systemd) — this is idempotent there. Hub-origin
     // override wins on collision; that's the live-exposure source of truth.
     const fileEnv = readEnvFileValues(join(r.configDir, short, ".env"));
-    const env: Record<string, string> = { ...fileEnv };
+    // PORT override (hub#356): same shape as `spawnSupervised` in
+    // api-modules-ops.ts. Without this, operators running `parachute start
+    // vault` inside a container that has PORT in env (Render / Fly / etc.)
+    // hit EADDRINUSE on hub's port. Local dev typically doesn't set PORT, so
+    // this is a no-op there. fileEnv wins on collision so per-service .env
+    // can still override if an operator deliberately set PORT in there.
+    const env: Record<string, string> = { PORT: String(entry.port), ...fileEnv };
     if (r.hubOrigin) env[HUB_ORIGIN_ENV] = r.hubOrigin;
     const spawnerOpts: { env?: Record<string, string>; cwd?: string } = {};
     if (Object.keys(env).length > 0) spawnerOpts.env = env;

package/src/commands/serve-boot.ts

@@ -89,11 +89,15 @@ export async function bootSupervisedModules(
       continue;
     }
 
-    // Per-module .env layers under HUB_ORIGIN (hub-origin wins on
-    // collision — it's the canonical issuer source, and a stale .env
-    // shouldn't override the live `parachute serve` env).
+    // PORT override (hub#357 — third spawn site missed by hub#356).
+    // Without this, modules that read process.env.PORT (vault, scribe)
+    // inherit hub's PORT from Bun.spawn's env: process.env default and
+    // crash EADDRINUSE on hub's port. Container deploy was still broken
+    // after #356 because this BOOT path runs on hub startup before the
+    // supervisor's other spawn paths see any traffic. fileEnv wins on
+    // collision so per-service .env can still override.
     const fileEnv = readEnvFileValues(join(opts.configDir, short, ".env"));
-    const env: Record<string, string> = { ...fileEnv };
+    const env: Record<string, string> = { PORT: String(entry.port), ...fileEnv };
     if (opts.hubOrigin) env[HUB_ORIGIN_ENV] = opts.hubOrigin;
 
     const req: {

package/src/hub-server.ts

@@ -418,9 +418,28 @@ async function proxyRequest(
   const path = targetPath ?? url.pathname;
   const upstream = `http://127.0.0.1:${port}${path}${url.search}`;
   const headers = new Headers(req.headers);
+  // Capture the public hostname BEFORE deleting Host so we can forward it
+  // as X-Forwarded-Host (hub#358). Without this, supervised modules like
+  // vault see no X-Forwarded-Host header and fall back to their internal
+  // loopback URL when constructing OAuth metadata — publishing
+  // `http://127.0.0.1:1940/...` as the issuer instead of the public origin.
+  const publicHost = req.headers.get("host");
   // Host comes from the requester (tailnet FQDN); the loopback target wants
   // its own. Bun's fetch fills it in when omitted.
   headers.delete("host");
+  // Forward the public origin so downstream services build their public-
+  // facing URLs (OAuth metadata, redirect URIs) against the same host the
+  // client used. We DON'T overwrite X-Forwarded-Host if already set —
+  // some platforms (Render) set it at the edge.
+  if (publicHost && !headers.has("x-forwarded-host")) {
+    headers.set("x-forwarded-host", publicHost);
+  }
+  // Same for protocol — if the edge set X-Forwarded-Proto we preserve it,
+  // otherwise we set it from isHttpsRequest's signal (direct HTTPS to hub
+  // is unusual on Render, but covers local TLS-terminating proxies too).
+  if (!headers.has("x-forwarded-proto")) {
+    headers.set("x-forwarded-proto", isHttpsRequest(req) ? "https" : "http");
+  }
 
   const init: RequestInit & { duplex?: "half" } = {
     method: req.method,
@@ -953,11 +972,16 @@ export function resolveIssuer(
   // The `isHttpsRequest` helper is the canonical place where this trust
   // is established (also used for the Secure cookie attribute).
   //
-  // We do NOT honor X-Forwarded-Host. Render, Tailscale Funnel, and
-  // cloudflared all preserve the Host header end-to-end, so `req.url`'s
-  // host already reflects the public hostname. Operators on a proxy that
-  // rewrites Host (some nginx / Caddy configs) should set hub_origin via
-  // the admin SPA — that path bypasses this fallback entirely.
+  // We do NOT honor X-Forwarded-Host *for hub's own issuer derivation*.
+  // (Note: hub DOES forward X-Forwarded-Host to upstream supervised
+  // modules in `proxyRequest` — that's a separate concern, see #358.
+  // Here we're deriving hub's own canonical origin from the incoming
+  // request, not what to tell downstream services.) Render, Tailscale
+  // Funnel, and cloudflared all preserve the Host header end-to-end,
+  // so `req.url`'s host already reflects the public hostname.
+  // Operators on a proxy that rewrites Host (some nginx / Caddy
+  // configs) should set hub_origin via the admin SPA — that path
+  // bypasses this fallback entirely.
   const url = new URL(req.url);
   if (isHttpsRequest(req)) {
     url.protocol = "https:";