npm - @openparachute/hub - Versions diffs - 0.5.13 → 0.5.14-rc.10 - Mend

@openparachute/hub 0.5.13 → 0.5.14-rc.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (101) hide show

package/README.md +109 -15
package/package.json +2 -2
package/src/__tests__/account-home-ui.test.ts +205 -0
package/src/__tests__/admin-handlers.test.ts +74 -0
package/src/__tests__/admin-host-admin-token.test.ts +62 -0
package/src/__tests__/admin-vault-admin-token.test.ts +44 -0
package/src/__tests__/admin-vaults.test.ts +70 -4
package/src/__tests__/api-account.test.ts +191 -1
package/src/__tests__/api-mint-token.test.ts +682 -3
package/src/__tests__/api-modules-config.test.ts +16 -10
package/src/__tests__/api-modules-ops.test.ts +97 -0
package/src/__tests__/api-modules.test.ts +100 -83
package/src/__tests__/api-ready.test.ts +135 -0
package/src/__tests__/api-revoke-token.test.ts +384 -0
package/src/__tests__/api-users.test.ts +390 -13
package/src/__tests__/chrome-strip.test.ts +15 -15
package/src/__tests__/cli.test.ts +7 -5
package/src/__tests__/cloudflare-detect.test.ts +60 -5
package/src/__tests__/expose-auth-preflight.test.ts +58 -50
package/src/__tests__/expose-cloudflare.test.ts +114 -3
package/src/__tests__/expose-interactive.test.ts +10 -4
package/src/__tests__/expose-public-auto.test.ts +5 -1
package/src/__tests__/expose.test.ts +49 -1
package/src/__tests__/hub-db.test.ts +194 -29
package/src/__tests__/hub-server.test.ts +322 -33
package/src/__tests__/hub.test.ts +11 -0
package/src/__tests__/init.test.ts +827 -0
package/src/__tests__/lifecycle.test.ts +33 -1
package/src/__tests__/migrate.test.ts +433 -51
package/src/__tests__/notes-redirect.test.ts +20 -20
package/src/__tests__/oauth-handlers.test.ts +1060 -29
package/src/__tests__/oauth-ui.test.ts +12 -1
package/src/__tests__/proxy-error-ui.test.ts +212 -0
package/src/__tests__/proxy-state.test.ts +192 -0
package/src/__tests__/resource-binding.test.ts +97 -0
package/src/__tests__/scope-explanations.test.ts +36 -0
package/src/__tests__/serve.test.ts +9 -9
package/src/__tests__/services-manifest.test.ts +40 -40
package/src/__tests__/setup-wizard.test.ts +1114 -66
package/src/__tests__/setup.test.ts +1 -1
package/src/__tests__/status.test.ts +39 -0
package/src/__tests__/users.test.ts +396 -9
package/src/__tests__/vault-auth-status.test.ts +271 -11
package/src/__tests__/vault-hub-origin-env.test.ts +126 -0
package/src/__tests__/well-known.test.ts +9 -9
package/src/__tests__/wizard.test.ts +372 -0
package/src/account-home-ui.ts +547 -0
package/src/admin-handlers.ts +49 -17
package/src/admin-host-admin-token.ts +25 -0
package/src/admin-login-ui.ts +4 -4
package/src/admin-vault-admin-token.ts +17 -0
package/src/admin-vaults.ts +48 -15
package/src/api-account.ts +72 -6
package/src/api-mint-token.ts +132 -24
package/src/api-modules-ops.ts +52 -16
package/src/api-modules.ts +31 -14
package/src/api-ready.ts +102 -0
package/src/api-revoke-token.ts +107 -21
package/src/api-users.ts +497 -58
package/src/bun-link.ts +55 -0
package/src/chrome-strip.ts +6 -6
package/src/cli.ts +93 -24
package/src/cloudflare/config.ts +10 -4
package/src/cloudflare/detect.ts +73 -6
package/src/commands/expose-auth-preflight.ts +55 -63
package/src/commands/expose-cloudflare.ts +114 -10
package/src/commands/expose-interactive.ts +10 -11
package/src/commands/expose-public-auto.ts +6 -4
package/src/commands/expose.ts +8 -0
package/src/commands/init.ts +563 -0
package/src/commands/install.ts +41 -23
package/src/commands/lifecycle.ts +12 -0
package/src/commands/migrate.ts +293 -41
package/src/commands/status.ts +10 -1
package/src/commands/wizard.ts +843 -0
package/src/env-file.ts +10 -0
package/src/help.ts +157 -17
package/src/hub-db.ts +42 -0
package/src/hub-server.ts +136 -23
package/src/hub-settings.ts +13 -2
package/src/hub.ts +16 -9
package/src/notes-redirect.ts +5 -5
package/src/oauth-handlers.ts +342 -173
package/src/oauth-ui.ts +28 -2
package/src/proxy-error-ui.ts +506 -0
package/src/proxy-state.ts +131 -0
package/src/resource-binding.ts +134 -0
package/src/scope-attenuation.ts +85 -0
package/src/scope-explanations.ts +94 -5
package/src/service-spec.ts +39 -18
package/src/setup-wizard.ts +1173 -117
package/src/users.ts +307 -29
package/src/vault/auth-status.ts +152 -25
package/src/vault-hub-origin-env.ts +100 -0
package/web/ui/dist/assets/index-2SSK7JbM.js +61 -0
package/web/ui/dist/assets/index-B28SdMSz.css +1 -0
package/web/ui/dist/index.html +2 -2
package/src/__tests__/vault-tokens-create-interactive.test.ts +0 -183
package/src/commands/vault-tokens-create-interactive.ts +0 -143
package/web/ui/dist/assets/index-7DtAXz7y.css +0 -1
package/web/ui/dist/assets/index-Dzrbe6EP.js +0 -61

package/src/commands/expose-cloudflare.ts CHANGED Viewed

@@ -26,11 +26,19 @@ import {
   findTunnelByName,
   routeDns,
 } from "../cloudflare/tunnel.ts";
-import { SERVICES_MANIFEST_PATH } from "../config.ts";
+import { CONFIG_DIR, SERVICES_MANIFEST_PATH } from "../config.ts";
+import {
+  type EnsureHubOpts,
+  HUB_DEFAULT_PORT,
+  ensureHubRunning,
+  readHubPort,
+} from "../hub-control.ts";
+import { deriveHubOrigin } from "../hub-origin.ts";
 import { type AliveFn, defaultAlive } from "../process-state.ts";
 import { readManifest } from "../services-manifest.ts";
 import { type Runner, defaultRunner } from "../tailscale/run.ts";
 import type { VaultAuthStatus } from "../vault/auth-status.ts";
+import { WELL_KNOWN_DIR } from "../well-known.ts";
 import { printPublic2FAWarning } from "./expose-2fa-warning.ts";
 const AUTH_DOC_URL =
@@ -112,6 +120,37 @@ export interface ExposeCloudflareOpts {
   logPath?: string;
   /** Override `~/.cloudflared` for tests and `$HOME`-free environments. */
   cloudflaredHome?: string;
+  /**
+   * Config root for hub PID / port / log files. Defaults to `~/.parachute`.
+   * Threaded into `ensureHubRunning` so cloudflared's ingress target stays
+   * in sync with where the hub actually bound.
+   */
+  configDir?: string;
+  /**
+   * Override the public hub origin (the `iss` claim baked into the OAuth
+   * issuer). Mirrors the Tailscale path — when set, this URL is what the
+   * hub advertises rather than the cloudflared hostname.
+   */
+  hubOrigin?: string;
+  /**
+   * Overrides for hub lifecycle — primarily for tests. Tests pass
+   * `skipHubLifecycle: true` (above) plus a seeded `hub.port` file so the
+   * cloudflare path can resolve a port without actually spawning a hub.
+   */
+  hubEnsureOpts?: Omit<EnsureHubOpts, "configDir" | "wellKnownDir" | "log">;
+  /**
+   * Directory holding hub.html (passed through to the hub server on first
+   * spawn). Defaults to the same `well-known/` resolution the Tailscale
+   * path uses.
+   */
+  wellKnownDir?: string;
+  /**
+   * Skip spawning the hub server. Tests flip this on and pre-seed
+   * `<configDir>/hub/run/hub.port` so `readHubPort` can resolve the
+   * cloudflared target without a live process. Production always leaves
+   * this off so the bringup self-heals a missing hub.
+   */
+  skipHub?: boolean;
   now?: () => Date;
   /**
    * Override `~/.parachute/vault` for the 2FA-enrollment probe. Tests
@@ -139,6 +178,11 @@ interface Resolved {
   configPath: string;
   logPath: string;
   cloudflaredHome: string;
+  configDir: string;
+  hubOrigin: string | undefined;
+  hubEnsureOpts: Omit<EnsureHubOpts, "configDir" | "wellKnownDir" | "log">;
+  wellKnownDir: string;
+  skipHub: boolean;
   now: () => Date;
   vaultHome: string | undefined;
   vaultAuthStatus: VaultAuthStatus | undefined;
@@ -146,7 +190,12 @@ interface Resolved {
 function resolve(opts: ExposeCloudflareOpts): Resolved {
   const tunnelName = opts.tunnelName ?? DEFAULT_TUNNEL_NAME;
-  const paths = cloudflaredPathsFor(tunnelName);
+  const configDir = opts.configDir ?? CONFIG_DIR;
+  // Derive per-tunnel config/log paths from the *resolved* configDir, not the
+  // real `CONFIG_DIR`. When a test threads a tmp `configDir` but omits explicit
+  // `configPath`/`logPath`, this keeps the derived files inside the tmp dir
+  // instead of writing fixtures into the operator's real ~/.parachute.
+  const paths = cloudflaredPathsFor(tunnelName, configDir);
   return {
     runner: opts.runner ?? defaultRunner,
     spawner: opts.spawner ?? defaultCloudflaredSpawner,
@@ -159,6 +208,11 @@ function resolve(opts: ExposeCloudflareOpts): Resolved {
     configPath: opts.configPath ?? paths.configPath,
     logPath: opts.logPath ?? paths.logPath,
     cloudflaredHome: opts.cloudflaredHome ?? DEFAULT_CLOUDFLARED_HOME,
+    configDir,
+    hubOrigin: opts.hubOrigin,
+    hubEnsureOpts: opts.hubEnsureOpts ?? {},
+    wellKnownDir: opts.wellKnownDir ?? WELL_KNOWN_DIR,
+    skipHub: opts.skipHub ?? false,
     now: opts.now ?? (() => new Date()),
     vaultHome: opts.vaultHome,
     vaultAuthStatus: opts.vaultAuthStatus,
@@ -179,11 +233,13 @@ function printAuthGuidance(log: (line: string) => void, vaultUrl: string): void
   log("    then point your connector at:");
   log(`    ${vaultUrl}`);
   log("");
-  log("  Scripts / machines:");
-  log("    parachute vault tokens create       # creates a pvt_… bearer token");
-  log("    Authorization: Bearer pvt_…         # attach to every request");
+  log("  Scripts / machines (hub-issued JWT — set the owner password first):");
+  log("    parachute auth mint-token --scope vault:<name>:read   # or :write");
+  log("    Authorization: Bearer <hub-jwt>     # attach the printed token to every request");
+  log("    (or: Admin → Vaults → Connect mints one and shows the header for you)");
   log("");
-  log("Neither is a prerequisite for the other. Full auth reference:");
+  log("The owner password gates both paths — browser sign-in and minting tokens.");
+  log("Full auth reference:");
   log(`  ${AUTH_DOC_URL}`);
 }
@@ -239,6 +295,46 @@ export async function exposeCloudflareUp(
     return 1;
   }
+  // Resolve the public hub origin before spawning the hub server — it gets
+  // baked into the OAuth `iss` claim via the `--issuer` flag. For Cloudflare
+  // ingress the canonical origin is the user-supplied hostname (mirrors the
+  // Tailscale Funnel path which uses the tailnet FQDN). Falling back to the
+  // request origin would put `http://127.0.0.1:<port>` in tokens, which any
+  // client following RFC 8414 would reject.
+  const canonicalOrigin = `https://${hostname}`;
+  const hubOrigin =
+    deriveHubOrigin({ override: r.hubOrigin, exposeFqdn: hostname }) ?? canonicalOrigin;
+  // Ensure the hub is running and figure out the loopback port cloudflared
+  // should target. The hub does all internal routing (discovery, admin,
+  // OAuth, well-known, per-vault proxy, generic /<svc>/* dispatch) — same
+  // shape the Tailscale Funnel path uses (see `planEntries` in expose.ts).
+  // Pre-2026-05-27 the cloudflared config routed straight at vault's port,
+  // so a public URL like https://gitcoin.parachute.computer/ returned 404
+  // from vault itself instead of the hub's discovery page; admin / OAuth
+  // were unreachable. Aaron hit this on a fresh EC2 install.
+  let hubPort: number;
+  if (r.skipHub) {
+    const existing = readHubPort(r.configDir);
+    if (existing === undefined) {
+      throw new Error("skipHub set but no hub.port on disk — tests must seed one");
+    }
+    hubPort = existing;
+  } else {
+    const hub = await ensureHubRunning({
+      reservedPorts: manifest.services.map((s) => s.port),
+      ...r.hubEnsureOpts,
+      configDir: r.configDir,
+      wellKnownDir: r.wellKnownDir,
+      issuer: hubOrigin,
+      log: r.log,
+    });
+    hubPort = hub.port;
+    if (hub.started) r.log(`✓ hub started (pid ${hub.pid}, port ${hub.port}).`);
+    else r.log(`✓ hub already running (pid ${hub.pid}, port ${hub.port}).`);
+  }
+  if (hubPort === 0) hubPort = HUB_DEFAULT_PORT;
   let tunnel: Tunnel | undefined;
   try {
     tunnel = await findTunnelByName(r.runner, r.tunnelName);
@@ -282,7 +378,13 @@ export async function exposeCloudflareUp(
       tunnelUuid: tunnel.id,
       credentialsFile: credsFile,
       hostname,
-      servicePort: vaultEntry.port,
+      // Route into the hub, not vault directly. The hub dispatches
+      // discovery / admin / OAuth / per-vault proxy / generic /<svc>/*
+      // — same shape Tailscale Funnel uses (single mount → hub catchall).
+      // Pre-fix this was `vaultEntry.port`, which served vault's own 404
+      // page on every request that wasn't /vault/<name>/… — admin SPA and
+      // OAuth surfaces were unreachable from the public URL.
+      servicePort: hubPort,
     },
     r.configPath,
   );
@@ -329,9 +431,11 @@ export async function exposeCloudflareUp(
   r.log("");
   r.log(`✓ Cloudflare tunnel up (pid ${pid}).`);
-  r.log(`  URL:    ${baseUrl}`);
-  r.log(`  Vault:  ${vaultUrl}`);
-  r.log(`  Logs:   ${r.logPath}`);
+  r.log(`  Open:    ${baseUrl}/`);
+  r.log(`  Admin:   ${baseUrl}/admin/`);
+  r.log(`  Vault:   ${vaultUrl}`);
+  r.log(`  OAuth:   ${hubOrigin}`);
+  r.log(`  Logs:    ${r.logPath}`);
   r.log("");
   r.log("Point a claude.ai / ChatGPT connector at:");
   r.log(`  ${vaultUrl}`);

package/src/commands/expose-interactive.ts CHANGED Viewed

@@ -13,6 +13,7 @@
 import { createInterface } from "node:readline/promises";
 import {
   DEFAULT_CLOUDFLARED_HOME,
+  cloudflaredInstallHint,
   isCloudflaredInstalled,
   isCloudflaredLoggedIn,
 } from "../cloudflare/detect.ts";
@@ -273,19 +274,17 @@ async function guideCloudflareSetup(
         return false;
       }
     } else {
+      // 2026-05-27 refresh: distro-package paths (`apt-get`, `dnf`) are
+      // unreliable across versions — Aaron hit `No match for argument:
+      // cloudflared` on Amazon Linux 2023 — and the
+      // pkg.cloudflare.com / developers.cloudflare.com paths the old hint
+      // pointed at now serve HTML/404. Defer to `cloudflaredInstallHint`,
+      // which writes the canonical GitHub-release static-binary path
+      // matching the host's architecture.
       r.log("");
       r.log("Cloudflare Tunnel uses the `cloudflared` binary, which isn't installed yet.");
-      r.log("Install one way:");
-      r.log("  Debian / Ubuntu:");
-      r.log(
-        "    curl -L https://pkg.cloudflare.com/install.sh | sudo bash && sudo apt-get install -y cloudflared",
-      );
-      r.log("  RHEL / Fedora:");
-      r.log("    sudo dnf install cloudflared");
-      r.log("  Tarball / other:");
-      r.log(
-        "    https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/",
-      );
+      r.log("");
+      for (const line of cloudflaredInstallHint(r.platform).split("\n")) r.log(line);
       r.log("");
       r.log("After install, re-run: parachute expose public");
       return false;

package/src/commands/expose-public-auto.ts CHANGED Viewed

@@ -28,7 +28,7 @@
  * tailscale/cloudflared.
  */
-import { DEFAULT_CLOUDFLARED_HOME } from "../cloudflare/detect.ts";
+import { DEFAULT_CLOUDFLARED_HOME, cloudflaredInstallHint } from "../cloudflare/detect.ts";
 import {
   type DetectProvidersOpts,
   type ProviderAvailability,
@@ -109,9 +109,11 @@ function reportNeitherReady(r: Resolved, p: ProviderAvailability): number {
   r.log("");
   r.log("  Option B — Cloudflare Tunnel (your own domain, Cloudflare DNS):");
   if (!p.cloudflare.available) {
-    r.log(
-      "    1. Install cloudflared: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/",
-    );
+    // 2026-05-27 refresh: defer to the shared install-hint helper so the
+    // canonical install path stays in one place. Pre-refresh this surface
+    // hard-coded a developers.cloudflare.com URL that now serves HTML/404.
+    r.log("    1. Install cloudflared:");
+    for (const line of cloudflaredInstallHint().split("\n")) r.log(`         ${line}`);
     r.log("    2. Log in:              cloudflared tunnel login");
     r.log("    3. Re-run with --domain: parachute expose public --cloudflare --domain <hostname>");
   } else {

package/src/commands/expose.ts CHANGED Viewed

@@ -24,6 +24,7 @@ import { type ServiceEntry, readManifest } from "../services-manifest.ts";
 import { type ServeEntry, bringupCommand, teardownCommand } from "../tailscale/commands.ts";
 import { getFqdn, isTailscaleInstalled } from "../tailscale/detect.ts";
 import { type Runner, defaultRunner } from "../tailscale/run.ts";
+import { clearVaultHubOrigin } from "../vault-hub-origin-env.ts";
 import type { VaultAuthStatus } from "../vault/auth-status.ts";
 import {
   WELL_KNOWN_DIR,
@@ -438,6 +439,13 @@ export async function exposeOff(layer: ExposeLayer, opts: ExposeOpts = {}): Prom
   }
   clearExposeState(statePath);
+  // Drop the persisted PARACHUTE_HUB_ORIGIN from vault's `.env`. `expose up`
+  // (via the vault restart) persisted the public origin so the launchd /
+  // systemd daemon validates `iss` against it. With exposure gone, a
+  // local-only hub mints loopback-`iss` tokens, so a stale public origin left
+  // in `.env` would itself cause the mismatch on the next daemon restart.
+  // Reverting to vault's loopback default (`getHubOrigin`) keeps them aligned.
+  clearVaultHubOrigin(configDir, log);
   // Pair to the debug-only write at expose-up — clean up the inspection artifact
   // on teardown so it doesn't outlive the layer it described.
   if (existsSync(wellKnownFilePath)) {