@openparachute/hub 0.5.13 → 0.5.14-rc.10

package/src/__tests__/api-ready.test.ts

@@ -0,0 +1,135 @@
+import { describe, expect, test } from "bun:test";
+import { handleApiReady } from "../api-ready.ts";
+import type { ModuleState, Supervisor } from "../supervisor.ts";
+
+function stubSupervisor(states: ModuleState[]): Supervisor {
+  return {
+    list: () => states,
+    get: (short: string) => states.find((s) => s.short === short),
+    start: async () => {
+      throw new Error("not implemented");
+    },
+    stop: async () => undefined,
+    restart: async () => undefined,
+  } as unknown as Supervisor;
+}
+
+function req(): Request {
+  return new Request("http://127.0.0.1/api/ready", {
+    headers: { accept: "application/json" },
+  });
+}
+
+function moduleState(partial: Partial<ModuleState> & { short: string }): ModuleState {
+  return {
+    status: "running",
+    restartsInWindow: 0,
+    ...partial,
+  };
+}
+
+describe("handleApiReady — no supervisor (CLI mode)", () => {
+  test("returns ready=true + empty arrays when supervisor absent", async () => {
+    const res = handleApiReady(req());
+    expect(res.status).toBe(200);
+    const body = (await res.json()) as {
+      ready: boolean;
+      ready_modules: string[];
+      transient_modules: string[];
+      persistent_modules: string[];
+    };
+    expect(body.ready).toBe(true);
+    expect(body.ready_modules).toEqual([]);
+    expect(body.transient_modules).toEqual([]);
+    expect(body.persistent_modules).toEqual([]);
+  });
+});
+
+describe("handleApiReady — supervisor mode", () => {
+  test("all modules running past boot window → ready=true", async () => {
+    const now = 1_700_000_000_000;
+    const startedAt = new Date(now - 60_000).toISOString();
+    const sup = stubSupervisor([
+      moduleState({ short: "vault", status: "running", startedAt }),
+      moduleState({ short: "scribe", status: "running", startedAt }),
+    ]);
+    const res = handleApiReady(req(), { supervisor: sup, now: () => now });
+    const body = (await res.json()) as {
+      ready: boolean;
+      ready_modules: string[];
+      transient_modules: string[];
+      persistent_modules: string[];
+    };
+    expect(body.ready).toBe(true);
+    expect(body.ready_modules.sort()).toEqual(["scribe", "vault"]);
+    expect(body.transient_modules).toEqual([]);
+    expect(body.persistent_modules).toEqual([]);
+  });
+
+  test("module inside boot window → transient, ready=false", async () => {
+    const now = 1_700_000_000_000;
+    const sup = stubSupervisor([
+      moduleState({
+        short: "vault",
+        status: "running",
+        startedAt: new Date(now - 10_000).toISOString(),
+      }),
+    ]);
+    const res = handleApiReady(req(), { supervisor: sup, now: () => now });
+    const body = (await res.json()) as {
+      ready: boolean;
+      ready_modules: string[];
+      transient_modules: string[];
+    };
+    expect(body.ready).toBe(false);
+    expect(body.transient_modules).toEqual(["vault"]);
+    expect(body.ready_modules).toEqual([]);
+  });
+
+  test("starting + restarting + crashed all classified correctly", async () => {
+    const now = 1_700_000_000_000;
+    const sup = stubSupervisor([
+      moduleState({ short: "vault", status: "starting" }),
+      moduleState({ short: "scribe", status: "restarting" }),
+      moduleState({ short: "notes", status: "crashed" }),
+      moduleState({ short: "channel", status: "stopped" }),
+      moduleState({
+        short: "runner",
+        status: "running",
+        startedAt: new Date(now - 60_000).toISOString(),
+      }),
+    ]);
+    const res = handleApiReady(req(), { supervisor: sup, now: () => now });
+    const body = (await res.json()) as {
+      ready: boolean;
+      ready_modules: string[];
+      transient_modules: string[];
+      persistent_modules: string[];
+    };
+    expect(body.ready).toBe(false);
+    expect(body.ready_modules).toEqual(["runner"]);
+    expect(body.transient_modules.sort()).toEqual(["scribe", "vault"]);
+    expect(body.persistent_modules.sort()).toEqual(["channel", "notes"]);
+  });
+
+  test("only crashed/stopped + nothing transient → ready=false (still failing)", async () => {
+    const sup = stubSupervisor([moduleState({ short: "vault", status: "crashed" })]);
+    const res = handleApiReady(req(), { supervisor: sup });
+    const body = (await res.json()) as { ready: boolean };
+    expect(body.ready).toBe(false);
+  });
+});
+
+describe("handleApiReady — method check", () => {
+  test("rejects non-GET", () => {
+    const r = new Request("http://127.0.0.1/api/ready", { method: "POST" });
+    const res = handleApiReady(r);
+    expect(res.status).toBe(405);
+  });
+
+  test("accepts HEAD", () => {
+    const r = new Request("http://127.0.0.1/api/ready", { method: "HEAD" });
+    const res = handleApiReady(r);
+    expect(res.status).toBe(200);
+  });
+});

package/src/__tests__/api-revoke-token.test.ts

@@ -318,3 +318,387 @@ describe("POST /api/auth/revoke-token (closes hub#220)", () => {
     }
   });
 });
+
+// ---------------------------------------------------------------------------
+// Capability attenuation — symmetric to mint-token (hub#452). A bearer that
+// is NOT host:auth may revoke a jti iff every one of the jti's recorded scopes
+// is one the bearer could have minted (`canGrant`): you may revoke what you
+// could mint. This is the security-critical half of the auth arc.
+// ---------------------------------------------------------------------------
+describe("POST /api/auth/revoke-token — capability attenuation (symmetric to hub#452)", () => {
+  /**
+   * Hand-mint a `vault:<vault>:admin` bearer the way the SPA / mcp-install
+   * path obtains one (scope `vault:<vault>:admin`, aud `vault.<vault>`,
+   * vaultScope `[vault]`). Mirrors `mintVaultAdminBearer` in
+   * api-mint-token.test.ts.
+   */
+  async function mintVaultAdminBearer(
+    db: ReturnType<typeof openHubDb>,
+    userId: string,
+    vault: string,
+  ): Promise<string> {
+    const signed = await signAccessToken(db, {
+      sub: userId,
+      scopes: [`vault:${vault}:admin`],
+      audience: `vault.${vault}`,
+      clientId: "parachute-hub",
+      issuer: ISSUER,
+      ttlSeconds: 3600,
+      vaultScope: [vault],
+    });
+    return signed.token;
+  }
+
+  test("host:auth bearer revokes ANY jti (preserved) — incl. a host-scoped target", async () => {
+    const h = makeHarness();
+    try {
+      const { db, userId } = await bootstrap(h.dir);
+      try {
+        const op = await mintOperatorToken(db, userId, { issuer: ISSUER });
+        // Seed a target whose own scopes a vault-admin could never mint.
+        const jti = await seedToken(db, userId, ["parachute:host:auth"]);
+        const resp = await handleApiRevokeToken(
+          jsonRequest({ jti }, { authorization: `Bearer ${op.token}` }),
+          { db, issuer: ISSUER },
+        );
+        expect(resp.status).toBe(200);
+        expect(findTokenRowByJti(db, jti)?.revokedAt).not.toBeNull();
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("vault:work:admin revokes a vault:work:write jti → 200 (could have minted it)", async () => {
+    const h = makeHarness();
+    try {
+      const { db, userId } = await bootstrap(h.dir);
+      try {
+        const bearer = await mintVaultAdminBearer(db, userId, "work");
+        const jti = await seedToken(db, userId, ["vault:work:write"]);
+        const resp = await handleApiRevokeToken(
+          jsonRequest({ jti }, { authorization: `Bearer ${bearer}` }),
+          { db, issuer: ISSUER },
+        );
+        expect(resp.status).toBe(200);
+        expect(findTokenRowByJti(db, jti)?.revokedAt).not.toBeNull();
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("vault:work:admin revokes a vault:work:admin jti → 200", async () => {
+    const h = makeHarness();
+    try {
+      const { db, userId } = await bootstrap(h.dir);
+      try {
+        const bearer = await mintVaultAdminBearer(db, userId, "work");
+        const jti = await seedToken(db, userId, ["vault:work:admin"]);
+        const resp = await handleApiRevokeToken(
+          jsonRequest({ jti }, { authorization: `Bearer ${bearer}` }),
+          { db, issuer: ISSUER },
+        );
+        expect(resp.status).toBe(200);
+        expect(findTokenRowByJti(db, jti)?.revokedAt).not.toBeNull();
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("CROSS-VAULT BLOCKED: vault:work:admin revokes vault:other:write jti → 403, NOT revoked", async () => {
+    const h = makeHarness();
+    try {
+      const { db, userId } = await bootstrap(h.dir);
+      try {
+        const bearer = await mintVaultAdminBearer(db, userId, "work");
+        const jti = await seedToken(db, userId, ["vault:other:write"]);
+        const resp = await handleApiRevokeToken(
+          jsonRequest({ jti }, { authorization: `Bearer ${bearer}` }),
+          { db, issuer: ISSUER },
+        );
+        expect(resp.status).toBe(403);
+        expect(((await resp.json()) as { error: string }).error).toBe("insufficient_scope");
+        // SECURITY: the cross-vault token must NOT have been revoked.
+        expect(findTokenRowByJti(db, jti)?.revokedAt).toBeNull();
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("HOST-ESCALATION BLOCKED: vault:work:admin revokes parachute:host:auth jti → 403, NOT revoked", async () => {
+    const h = makeHarness();
+    try {
+      const { db, userId } = await bootstrap(h.dir);
+      try {
+        const bearer = await mintVaultAdminBearer(db, userId, "work");
+        const jti = await seedToken(db, userId, ["parachute:host:auth"]);
+        const resp = await handleApiRevokeToken(
+          jsonRequest({ jti }, { authorization: `Bearer ${bearer}` }),
+          { db, issuer: ISSUER },
+        );
+        expect(resp.status).toBe(403);
+        expect(findTokenRowByJti(db, jti)?.revokedAt).toBeNull();
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("NO LEAK: vault:work:admin revokes an UNKNOWN jti → 404 (same as host:auth, no leak)", async () => {
+    const h = makeHarness();
+    try {
+      const { db, userId } = await bootstrap(h.dir);
+      try {
+        const bearer = await mintVaultAdminBearer(db, userId, "work");
+        const resp = await handleApiRevokeToken(
+          jsonRequest({ jti: "no-such-jti-ever-minted" }, { authorization: `Bearer ${bearer}` }),
+          { db, issuer: ISSUER },
+        );
+        // Identical to today's unknown-jti behavior for a host:auth bearer:
+        // the attenuated caller cannot distinguish "doesn't exist" here.
+        expect(resp.status).toBe(404);
+        expect(((await resp.json()) as { error: string }).error).toBe("not_found");
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("ENTRY GATE: vault:work:read bearer (no admin, no host) → 403, NOT revoked", async () => {
+    const h = makeHarness();
+    try {
+      const { db, userId } = await bootstrap(h.dir);
+      try {
+        const readOnly = await signAccessToken(db, {
+          sub: userId,
+          scopes: ["vault:work:read"],
+          audience: "vault.work",
+          clientId: "parachute-hub",
+          issuer: ISSUER,
+          ttlSeconds: 3600,
+          vaultScope: ["work"],
+        });
+        // Seed a target the read bearer could never mint anyway.
+        const jti = await seedToken(db, userId, ["vault:work:write"]);
+        const resp = await handleApiRevokeToken(
+          jsonRequest({ jti }, { authorization: `Bearer ${readOnly.token}` }),
+          { db, issuer: ISSUER },
+        );
+        expect(resp.status).toBe(403);
+        expect(((await resp.json()) as { error: string }).error).toBe("insufficient_scope");
+        // Entry-gated before any lookup — the target stays intact.
+        expect(findTokenRowByJti(db, jti)?.revokedAt).toBeNull();
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("MULTI-SCOPE: vault:work:admin revokes vault:work:read+write jti → 200 (all in authority)", async () => {
+    const h = makeHarness();
+    try {
+      const { db, userId } = await bootstrap(h.dir);
+      try {
+        const bearer = await mintVaultAdminBearer(db, userId, "work");
+        const jti = await seedToken(db, userId, ["vault:work:read", "vault:work:write"]);
+        const resp = await handleApiRevokeToken(
+          jsonRequest({ jti }, { authorization: `Bearer ${bearer}` }),
+          { db, issuer: ISSUER },
+        );
+        expect(resp.status).toBe(200);
+        expect(findTokenRowByJti(db, jti)?.revokedAt).not.toBeNull();
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("MULTI-SCOPE BLOCKED: one out-of-authority scope blocks the whole revoke → 403, NOT revoked", async () => {
+    const h = makeHarness();
+    try {
+      const { db, userId } = await bootstrap(h.dir);
+      try {
+        const bearer = await mintVaultAdminBearer(db, userId, "work");
+        // In-authority scope + one cross-vault scope: must block entirely.
+        const jti = await seedToken(db, userId, ["vault:work:write", "vault:other:read"]);
+        const resp = await handleApiRevokeToken(
+          jsonRequest({ jti }, { authorization: `Bearer ${bearer}` }),
+          { db, issuer: ISSUER },
+        );
+        expect(resp.status).toBe(403);
+        expect(findTokenRowByJti(db, jti)?.revokedAt).toBeNull();
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("host:admin bearer revokes a vault:<name>:admin jti → 200 (rule 2 symmetry)", async () => {
+    const h = makeHarness();
+    try {
+      const { db, userId } = await bootstrap(h.dir);
+      try {
+        const hostAdmin = await signAccessToken(db, {
+          sub: userId,
+          scopes: ["parachute:host:admin"],
+          audience: "hub",
+          clientId: "parachute-hub",
+          issuer: ISSUER,
+          ttlSeconds: 3600,
+        });
+        const jti = await seedToken(db, userId, ["vault:work:admin"]);
+        const resp = await handleApiRevokeToken(
+          jsonRequest({ jti }, { authorization: `Bearer ${hostAdmin.token}` }),
+          { db, issuer: ISSUER },
+        );
+        expect(resp.status).toBe(200);
+        expect(findTokenRowByJti(db, jti)?.revokedAt).not.toBeNull();
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("HOST-ESCALATION BLOCKED: host:admin bearer revokes parachute:host:auth jti → 403, NOT revoked", async () => {
+    const h = makeHarness();
+    try {
+      const { db, userId } = await bootstrap(h.dir);
+      try {
+        // host:admin is NOT host:auth, so it goes through the per-jti
+        // attenuation check. `parachute:host:auth` is non-requestable and not
+        // a vault-admin scope, so canGrant returns false for it → 403.
+        const hostAdmin = await signAccessToken(db, {
+          sub: userId,
+          scopes: ["parachute:host:admin"],
+          audience: "hub",
+          clientId: "parachute-hub",
+          issuer: ISSUER,
+          ttlSeconds: 3600,
+        });
+        const jti = await seedToken(db, userId, ["parachute:host:auth"]);
+        const resp = await handleApiRevokeToken(
+          jsonRequest({ jti }, { authorization: `Bearer ${hostAdmin.token}` }),
+          { db, issuer: ISSUER },
+        );
+        expect(resp.status).toBe(403);
+        expect(((await resp.json()) as { error: string }).error).toBe("insufficient_scope");
+        expect(findTokenRowByJti(db, jti)?.revokedAt).toBeNull();
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("EMPTY-SCOPES GUARD: non-host:auth bearer cannot revoke a scopeless target → 403, NOT revoked", async () => {
+    const h = makeHarness();
+    try {
+      const { db, userId } = await bootstrap(h.dir);
+      try {
+        const bearer = await mintVaultAdminBearer(db, userId, "work");
+        // Seed a registry row with ZERO recorded scopes directly — the CLI/SPA
+        // never mint these, but a vacuous `[].filter(canGrant)` would
+        // otherwise pass the authority check for any entry-gate-clearing
+        // bearer. The explicit empty-scopes guard must 403 instead.
+        const jti = "scopeless-target-jti";
+        recordTokenMint(db, {
+          jti,
+          createdVia: "cli_mint",
+          subject: userId,
+          clientId: "parachute-hub",
+          scopes: [],
+          expiresAt: new Date(Date.now() + 3600_000).toISOString(),
+        });
+        expect(findTokenRowByJti(db, jti)?.scopes).toEqual([]);
+
+        const resp = await handleApiRevokeToken(
+          jsonRequest({ jti }, { authorization: `Bearer ${bearer}` }),
+          { db, issuer: ISSUER },
+        );
+        expect(resp.status).toBe(403);
+        expect(((await resp.json()) as { error: string }).error).toBe("insufficient_scope");
+        // SECURITY: the scopeless token must NOT have been revoked.
+        expect(findTokenRowByJti(db, jti)?.revokedAt).toBeNull();
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("EMPTY-SCOPES: host:auth bearer CAN revoke a scopeless target → 200 (guard is non-host:auth-only)", async () => {
+    const h = makeHarness();
+    try {
+      const { db, userId } = await bootstrap(h.dir);
+      try {
+        const op = await mintOperatorToken(db, userId, { issuer: ISSUER });
+        const jti = "scopeless-target-host-auth";
+        recordTokenMint(db, {
+          jti,
+          createdVia: "cli_mint",
+          subject: userId,
+          clientId: "parachute-hub",
+          scopes: [],
+          expiresAt: new Date(Date.now() + 3600_000).toISOString(),
+        });
+        const resp = await handleApiRevokeToken(
+          jsonRequest({ jti }, { authorization: `Bearer ${op.token}` }),
+          { db, issuer: ISSUER },
+        );
+        expect(resp.status).toBe(200);
+        expect(findTokenRowByJti(db, jti)?.revokedAt).not.toBeNull();
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("JTI LENGTH GUARD: jti longer than the cap → 400 invalid_request", async () => {
+    const h = makeHarness();
+    try {
+      const { db, userId } = await bootstrap(h.dir);
+      try {
+        const op = await mintOperatorToken(db, userId, { issuer: ISSUER });
+        const resp = await handleApiRevokeToken(
+          jsonRequest({ jti: "x".repeat(257) }, { authorization: `Bearer ${op.token}` }),
+          { db, issuer: ISSUER },
+        );
+        expect(resp.status).toBe(400);
+        const body = (await resp.json()) as { error: string; error_description: string };
+        expect(body.error).toBe("invalid_request");
+        expect(body.error_description).toContain("256");
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+});