@openparachute/hub 0.5.13 → 0.5.14-rc.10

package/src/__tests__/expose-auth-preflight.test.ts

@@ -40,40 +40,78 @@ function status(partial: Partial<VaultAuthStatus> = {}): VaultAuthStatus {
   };
 }
 
-describe("runAuthPreflight — wide open (no password, no tokens)", () => {
-  test("warns loudly and offers password, 2FA, and token creation", async () => {
-    const h = makeHarness(["y", "n", "n"]); // password yes, 2fa no, token no
+describe("runAuthPreflight — wide open (no owner password)", () => {
+  test("warns loudly, offers password + 2FA, and prints hub-JWT token guidance", async () => {
+    const h = makeHarness(["y", "n"]); // password yes, 2fa no
     await runAuthPreflight({ status: status(), ...wire(h) });
     const joined = h.logs.join("\n");
-    expect(joined).toContain("No owner password and no API tokens");
+    expect(joined).toContain("No owner password");
     expect(joined).toContain("public internet");
+    // Programmatic-client guidance points at the hub mint path, not pvt_*.
+    expect(joined).toContain("parachute auth mint-token --scope vault:default:read");
+    expect(joined).toContain("Bearer <hub-jwt>");
+    // Only password + 2FA are interactive offers; token guidance is printed,
+    // not prompted (no auto-mint).
     expect(h.commands).toHaveLength(1);
     expect(h.commands[0]).toEqual(["parachute", "auth", "set-password"]);
   });
 
+  test("token guidance uses the first discovered vault name", async () => {
+    const h = makeHarness(["n", "n"]);
+    await runAuthPreflight({ status: status({ vaultNames: ["work"] }), ...wire(h) });
+    expect(h.logs.join("\n")).toContain("--scope vault:work:read");
+  });
+
   test("user declines every prompt → no subprocesses run", async () => {
-    const h = makeHarness(["", "", ""]); // all Enter = skip
+    const h = makeHarness(["", ""]); // all Enter = skip
     await runAuthPreflight({ status: status(), ...wire(h) });
     expect(h.commands).toHaveLength(0);
-    // Still prompted on all three lines, even though each was declined.
-    expect(h.prompts).toHaveLength(3);
+    // Prompted on password + 2FA (token guidance is not a prompt).
+    expect(h.prompts).toHaveLength(2);
   });
 
-  test("user accepts all three → all three commands invoked in order", async () => {
-    const h = makeHarness(["y", "y", "y"]);
+  test("user accepts password + 2FA → both commands invoked in order", async () => {
+    const h = makeHarness(["y", "y"]);
     await runAuthPreflight({ status: status(), ...wire(h) });
     expect(h.commands.map((c) => c.join(" "))).toEqual([
       "parachute auth set-password",
       "parachute auth 2fa enroll",
-      "parachute vault tokens create",
     ]);
   });
+
+  test("null tokenCount with no owner password still classifies wide-open", async () => {
+    // The `tokenCount: null` (unreadable vault DB) path is vestigial post-DROP
+    // — `classify()` gates on `hasOwnerPassword` alone. A box with no owner
+    // password AND an unreadable token DB must still take the loud wide-open
+    // branch, not silently fall through to a quieter state.
+    const h = makeHarness(["n", "n"]);
+    await runAuthPreflight({
+      status: status({ hasOwnerPassword: false, tokenCount: null }),
+      ...wire(h),
+    });
+    const joined = h.logs.join("\n");
+    expect(joined).toContain("No owner password");
+    expect(joined).toContain("public internet");
+    // Wide-open offers password + 2FA (two prompts); not the all-good path.
+    expect(h.prompts).toHaveLength(2);
+  });
+
+  test("never offers the removed `vault tokens create` command", async () => {
+    const h = makeHarness(["y", "y"]);
+    await runAuthPreflight({ status: status(), ...wire(h) });
+    const allCommands = h.commands.map((c) => c.join(" ")).join("\n");
+    expect(allCommands).not.toContain("vault tokens create");
+    // And no log line steers the operator at the dead command as guidance.
+    const guidance = h.logs.filter((l) => !l.includes("old affordance")).join("\n");
+    expect(guidance).not.toContain("parachute vault tokens create");
+  });
 });
 
 describe("runAuthPreflight — password set, no 2FA", () => {
-  test("short nudge, offers 2FA only", async () => {
+  test("short nudge, offers 2FA only — ignores vestigial tokenCount", async () => {
     const h = makeHarness(["y"]);
     await runAuthPreflight({
+      // tokenCount is non-zero (vestigial pvt_* rows) but no longer consulted.
       status: status({ hasOwnerPassword: true, tokenCount: 3 }),
       ...wire(h),
     });
@@ -92,40 +130,8 @@ describe("runAuthPreflight — password set, no 2FA", () => {
     });
     expect(h.commands).toHaveLength(0);
   });
-});
-
-describe("runAuthPreflight — tokens exist, no password", () => {
-  test("notes that OAuth is not set up, offers password", async () => {
-    const h = makeHarness(["y"]);
-    await runAuthPreflight({
-      status: status({ hasOwnerPassword: false, tokenCount: 2 }),
-      ...wire(h),
-    });
-    const joined = h.logs.join("\n");
-    expect(joined).toContain("API tokens exist");
-    expect(joined).toContain("no owner password");
-    expect(h.prompts).toHaveLength(1);
-    expect(h.commands).toEqual([["parachute", "auth", "set-password"]]);
-  });
-});
-
-describe("runAuthPreflight — unknown token count (SQLite failed)", () => {
-  test("advises running `tokens list`, no token-dependent prompts", async () => {
-    const h = makeHarness([]);
-    await runAuthPreflight({
-      status: status({ hasOwnerPassword: false, hasTotp: false, tokenCount: null }),
-      ...wire(h),
-    });
-    const joined = h.logs.join("\n");
-    expect(joined).toContain("Couldn't read vault token state");
-    expect(joined).toContain("parachute vault tokens list");
-    // No prompts because we don't offer password/token flow when token
-    // state is unknown (it'd be ambiguous whether we're dealing with the
-    // wide-open or the tokens-only case).
-    expect(h.prompts).toHaveLength(0);
-  });
 
-  test("password set + 2FA absent + tokens unknown → still offers 2FA", async () => {
+  test("null tokenCount (DB unreadable) is irrelevant — password gates the branch", async () => {
     const h = makeHarness([""]); // decline 2FA
     await runAuthPreflight({
       status: status({ hasOwnerPassword: true, hasTotp: false, tokenCount: null }),
@@ -137,22 +143,24 @@ describe("runAuthPreflight — unknown token count (SQLite failed)", () => {
 });
 
 describe("runAuthPreflight — all good", () => {
-  test("single positive line, no prompts", async () => {
+  test("single positive line, no prompts (tokens not required)", async () => {
     const h = makeHarness([]);
     await runAuthPreflight({
-      status: status({ hasOwnerPassword: true, hasTotp: true, tokenCount: 1 }),
+      // tokenCount: 0 — a hub JWT is minted on demand, not a standing need.
+      status: status({ hasOwnerPassword: true, hasTotp: true, tokenCount: 0 }),
       ...wire(h),
     });
     const joined = h.logs.join("\n");
     expect(joined).toContain("looks good");
+    expect(joined).toContain("owner password + 2FA");
     expect(h.prompts).toHaveLength(0);
     expect(h.commands).toHaveLength(0);
   });
 });
 
 describe("runAuthPreflight — subprocess failure handling", () => {
-  test("non-zero exit from auth command doesn't abort the rest of the preflight", async () => {
-    const h = makeHarness(["y", "y", "y"]);
+  test("non-zero exit from an auth command doesn't abort the rest of the preflight", async () => {
+    const h = makeHarness(["y", "y"]);
     // Override the interactive runner to return non-zero on the first call.
     let first = true;
     const interactiveRunner = async (cmd: readonly string[]) => {
@@ -172,8 +180,8 @@ describe("runAuthPreflight — subprocess failure handling", () => {
       },
       interactiveRunner,
     });
-    // All three commands still attempted, none aborted the flow.
-    expect(h.commands.map((c) => c[0])).toEqual(["parachute", "parachute", "parachute"]);
+    // Both commands still attempted, neither aborted the flow.
+    expect(h.commands.map((c) => c[0])).toEqual(["parachute", "parachute"]);
     const joined = h.logs.join("\n");
     expect(joined).toContain("exited 7");
   });

package/src/__tests__/expose-cloudflare.test.ts

@@ -14,8 +14,13 @@ import {
   exposeCloudflareOff,
   exposeCloudflareUp,
 } from "../commands/expose-cloudflare.ts";
+import { writeHubPort } from "../hub-control.ts";
 import type { CommandResult, Runner } from "../tailscale/run.ts";
 
+// Default seeded hub port used by tests with `skipHub: true`. The cloudflared
+// path reads `<configDir>/hub/run/hub.port` instead of spawning a real hub.
+const TEST_HUB_PORT = 1939;
+
 interface TestEnv {
   configDir: string;
   manifestPath: string;
@@ -41,6 +46,11 @@ function makeEnv(opts: { includeVault?: boolean; loggedIn?: boolean } = {}): Tes
   require("node:fs").mkdirSync(configDir, { recursive: true });
   require("node:fs").mkdirSync(cloudflaredHome, { recursive: true });
 
+  // Seed the hub port so `skipHub: true` invocations can resolve a port
+  // without spawning the actual hub process. Matches the seam pattern used
+  // by expose.test.ts (which threads `hubEnsureOpts` for the same purpose).
+  writeHubPort(TEST_HUB_PORT, configDir);
+
   if (loggedIn) {
     writeFileSync(join(cloudflaredHome, "cert.pem"), "---");
   }
@@ -128,6 +138,8 @@ describe("exposeCloudflareUp", () => {
         configPath: env.configPath,
         logPath: env.logPath,
         cloudflaredHome: env.cloudflaredHome,
+        configDir: env.configDir,
+        skipHub: true,
         now: () => new Date("2026-04-22T12:00:00Z"),
       });
 
@@ -170,12 +182,22 @@ describe("exposeCloudflareUp", () => {
       const yaml = readFileSync(env.configPath, "utf8");
       expect(yaml).toContain(`tunnel: ${uuid}`);
       expect(yaml).toContain("- hostname: vault.example.com");
-      expect(yaml).toContain("service: http://localhost:1940");
+      // Routes through the hub (not directly at vault). The hub dispatches
+      // discovery / admin / OAuth / per-vault proxy / generic /<svc>/* —
+      // same shape Tailscale Funnel uses. Pre-2026-05-27 this was
+      // http://localhost:1940 (vault's port), which served vault's own 404
+      // page on every request that wasn't /vault/<name>/...
+      expect(yaml).toContain(`service: http://localhost:${TEST_HUB_PORT}`);
 
       // Security copy surfaces both paths plus a pointer to the auth doc.
       const joined = logs.join("\n");
       expect(joined).toContain("parachute auth set-password");
-      expect(joined).toContain("parachute vault tokens create");
+      // Scripts/machines path points at the hub-JWT mint (vault#412 / hub#466
+      // DROPped `vault tokens create`), not the removed pvt_* command.
+      expect(joined).toContain("parachute auth mint-token --scope vault:");
+      expect(joined).toContain("Bearer <hub-jwt>");
+      expect(joined).not.toContain("vault tokens create");
+      expect(joined).not.toContain("pvt_");
       expect(joined).toContain("auth-model.md");
     } finally {
       env.cleanup();
@@ -209,6 +231,8 @@ describe("exposeCloudflareUp", () => {
         configPath: env.configPath,
         logPath: env.logPath,
         cloudflaredHome: env.cloudflaredHome,
+        configDir: env.configDir,
+        skipHub: true,
       });
       expect(code).toBe(0);
       // No `tunnel create` — only list + route.
@@ -236,6 +260,8 @@ describe("exposeCloudflareUp", () => {
         configPath: env.configPath,
         logPath: env.logPath,
         cloudflaredHome: env.cloudflaredHome,
+        configDir: env.configDir,
+        skipHub: true,
       });
 
       expect(code).toBe(1);
@@ -262,6 +288,8 @@ describe("exposeCloudflareUp", () => {
         configPath: env.configPath,
         logPath: env.logPath,
         cloudflaredHome: env.cloudflaredHome,
+        configDir: env.configDir,
+        skipHub: true,
         tunnelName: "bad name with spaces",
       });
 
@@ -291,6 +319,8 @@ describe("exposeCloudflareUp", () => {
         configPath: env.configPath,
         logPath: env.logPath,
         cloudflaredHome: env.cloudflaredHome,
+        configDir: env.configDir,
+        skipHub: true,
       });
 
       expect(code).toBe(1);
@@ -317,6 +347,8 @@ describe("exposeCloudflareUp", () => {
         configPath: env.configPath,
         logPath: env.logPath,
         cloudflaredHome: env.cloudflaredHome,
+        configDir: env.configDir,
+        skipHub: true,
       });
 
       expect(code).toBe(1);
@@ -342,6 +374,8 @@ describe("exposeCloudflareUp", () => {
         configPath: env.configPath,
         logPath: env.logPath,
         cloudflaredHome: env.cloudflaredHome,
+        configDir: env.configDir,
+        skipHub: true,
       });
 
       expect(code).toBe(1);
@@ -376,6 +410,8 @@ describe("exposeCloudflareUp", () => {
         configPath: env.configPath,
         logPath: env.logPath,
         cloudflaredHome: env.cloudflaredHome,
+        configDir: env.configDir,
+        skipHub: true,
       });
 
       expect(code).toBe(1);
@@ -425,6 +461,8 @@ describe("exposeCloudflareUp", () => {
         configPath: env.configPath,
         logPath: env.logPath,
         cloudflaredHome: env.cloudflaredHome,
+        configDir: env.configDir,
+        skipHub: true,
       });
 
       expect(code).toBe(0);
@@ -462,7 +500,12 @@ describe("exposeCloudflareUp", () => {
         manifestPath: env.manifestPath,
         statePath: env.statePath,
         cloudflaredHome: env.cloudflaredHome,
-        // Use defaults for configPath/logPath so they're per-tunnel-derived.
+        configDir: env.configDir,
+        skipHub: true,
+        // Omit configPath/logPath so they're per-tunnel-derived — but the
+        // derivation now resolves against the tmp `configDir` above, so the
+        // generated config.yml lands under tmp, not the operator's real
+        // ~/.parachute/cloudflared/parachute/.
       });
       expect(code1).toBe(0);
 
@@ -487,6 +530,8 @@ describe("exposeCloudflareUp", () => {
         manifestPath: env.manifestPath,
         statePath: env.statePath,
         cloudflaredHome: env.cloudflaredHome,
+        configDir: env.configDir,
+        skipHub: true,
         tunnelName: "second",
       });
       expect(code2).toBe(0);
@@ -544,6 +589,8 @@ describe("exposeCloudflareUp", () => {
           configPath: env.configPath,
           logPath: env.logPath,
           cloudflaredHome: env.cloudflaredHome,
+          configDir: env.configDir,
+          skipHub: true,
           // No password, no 2FA — fully wide open. The warning should still
           // fire; password-recovery copy already lives in `printAuthGuidance`.
           vaultAuthStatus: {
@@ -592,6 +639,8 @@ describe("exposeCloudflareUp", () => {
           configPath: env.configPath,
           logPath: env.logPath,
           cloudflaredHome: env.cloudflaredHome,
+          configDir: env.configDir,
+          skipHub: true,
           vaultAuthStatus: {
             hasOwnerPassword: true,
             hasTotp: true,
@@ -612,6 +661,68 @@ describe("exposeCloudflareUp", () => {
       }
     });
   });
+
+  describe("routes through hub, not vault", () => {
+    test("config.yml targets the hub port; success log mentions Admin + OAuth URLs", async () => {
+      // Regression guard for the 2026-05-27 cut. Aaron ran `parachute expose
+      // public` on a fresh EC2 box, configured Cloudflare with a custom
+      // domain, and hit it — and got vault's 404 page rather than the hub's
+      // discovery / admin. The pre-fix cloudflared config routed straight at
+      // vault's port; the fix routes at the hub, mirroring the Tailscale
+      // Funnel shape (single mount → hub catchall; hub dispatches per-request).
+      const env = makeEnv();
+      try {
+        // Re-seed hub port to a non-default value so the assertion is
+        // unambiguous about *which* port got into the yaml.
+        writeHubPort(1949, env.configDir);
+
+        const uuid = "ffff0000-0000-0000-0000-00000000beef";
+        const { runner } = queueRunner([
+          { code: 0, stdout: "cloudflared 2024.1.0\n", stderr: "" },
+          { code: 0, stdout: "[]", stderr: "" },
+          {
+            code: 0,
+            stdout: `Created tunnel parachute with id ${uuid}\n`,
+            stderr: "",
+          },
+          { code: 0, stdout: "", stderr: "" },
+        ]);
+        const { spawner } = fakeSpawner(60001);
+        const logs: string[] = [];
+
+        const code = await exposeCloudflareUp("gitcoin.parachute.computer", {
+          runner,
+          spawner,
+          alive: () => false,
+          kill: () => {},
+          log: (l) => logs.push(l),
+          manifestPath: env.manifestPath,
+          statePath: env.statePath,
+          configPath: env.configPath,
+          logPath: env.logPath,
+          cloudflaredHome: env.cloudflaredHome,
+          configDir: env.configDir,
+          skipHub: true,
+        });
+
+        expect(code).toBe(0);
+        const yaml = readFileSync(env.configPath, "utf8");
+        // Routes through the hub on its loopback port.
+        expect(yaml).toContain("service: http://localhost:1949");
+        // Does NOT route directly at vault's port (1940 per makeEnv default).
+        expect(yaml).not.toContain("service: http://localhost:1940");
+
+        const joined = logs.join("\n");
+        // Discoverable surfaces: open / admin / vault / OAuth all surfaced.
+        expect(joined).toContain("https://gitcoin.parachute.computer/");
+        expect(joined).toContain("Admin:   https://gitcoin.parachute.computer/admin/");
+        expect(joined).toContain("Vault:   https://gitcoin.parachute.computer/vault/default");
+        expect(joined).toContain("OAuth:   https://gitcoin.parachute.computer");
+      } finally {
+        env.cleanup();
+      }
+    });
+  });
 });
 
 describe("exposeCloudflareOff", () => {

package/src/__tests__/expose-interactive.test.ts

@@ -469,10 +469,16 @@ describe("exposePublicInteractive — neither ready", () => {
       expect(interactiveCalled).toBe(false);
       expect(cloudflareCalled).toBe(false);
       const joined = logs.join("\n");
-      expect(joined).toMatch(/apt-get|dnf/);
-      expect(joined).toContain(
-        "developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads",
-      );
+      // Post 2026-05-27 cloudflared-URL refresh: the install hint moved
+      // off apt-get / dnf / developers.cloudflare.com (all unreliable —
+      // Aaron hit `No match for argument: cloudflared` on AL2023 and
+      // 404s from the docs URL on the same box) onto the static binary
+      // from GitHub releases.
+      expect(joined).toContain("github.com/cloudflare/cloudflared/releases/latest");
+      expect(joined).toContain("curl -L -o /usr/local/bin/cloudflared");
+      expect(joined).not.toContain("developers.cloudflare.com");
+      expect(joined).not.toContain("pkg.cloudflare.com");
+      expect(joined).not.toContain("sudo dnf install cloudflared");
     } finally {
       env.cleanup();
     }

package/src/__tests__/expose-public-auto.test.ts

@@ -126,7 +126,11 @@ describe("exposePublicAutoPick — neither ready", () => {
     expect(code).toBe(1);
     const joined = logs.join("\n");
     expect(joined).toContain("tailscale.com/download");
-    expect(joined).toContain("developers.cloudflare.com");
+    // Post 2026-05-27 cloudflared-URL refresh: the install hint now points
+    // at GitHub releases (developers.cloudflare.com / pkg.cloudflare.com
+    // both returned HTML/404 on Aaron's fresh AL2023 EC2 box).
+    expect(joined).toContain("github.com/cloudflare/cloudflared/releases/latest");
+    expect(joined).not.toContain("developers.cloudflare.com");
     expect(joined).toContain("--skip-provider-check");
   });
 

package/src/__tests__/expose.test.ts

@@ -1,8 +1,9 @@
 import { describe, expect, test } from "bun:test";
-import { existsSync, mkdtempSync, rmSync } from "node:fs";
+import { existsSync, mkdirSync, mkdtempSync, rmSync, writeFileSync } from "node:fs";
 import { tmpdir } from "node:os";
 import { join } from "node:path";
 import { exposePublic, exposeTailnet } from "../commands/expose.ts";
+import { readEnvFileValues } from "../env-file.ts";
 import { readExposeState, writeExposeState } from "../expose-state.ts";
 import type { EnsureHubOpts, HubSpawner, StopHubOpts } from "../hub-control.ts";
 import { writePid } from "../process-state.ts";
@@ -696,6 +697,53 @@ describe("expose tailnet off", () => {
     }
   });
 
+  test("clears the persisted PARACHUTE_HUB_ORIGIN from vault/.env on teardown", async () => {
+    // OAuth issuer-mismatch fix: `expose up` persisted the public origin into
+    // vault/.env so the daemon validates `iss` against it. With exposure gone,
+    // a local-only hub mints loopback-`iss` tokens, so a stale public origin
+    // left in `.env` would itself cause the mismatch on the next daemon boot.
+    // Tearing it down reverts vault to its loopback default.
+    const h = makeHarness();
+    try {
+      writeExposeState(
+        {
+          version: 1,
+          layer: "tailnet",
+          mode: "path",
+          canonicalFqdn: "parachute.taildf9ce2.ts.net",
+          port: 443,
+          funnel: false,
+          entries: [{ kind: "proxy", mount: "/", target: "http://127.0.0.1:1939", service: "hub" }],
+          hubOrigin: "https://parachute.taildf9ce2.ts.net",
+        },
+        h.statePath,
+      );
+      mkdirSync(join(h.configDir, "vault"), { recursive: true });
+      writeFileSync(
+        join(h.configDir, "vault", ".env"),
+        "SCRIBE_AUTH_TOKEN=secret\nPARACHUTE_HUB_ORIGIN=https://parachute.taildf9ce2.ts.net\n",
+      );
+      const { runner } = makeRunner();
+      const code = await exposeTailnet("off", {
+        runner,
+        statePath: h.statePath,
+        wellKnownPath: h.wellKnownPath,
+        hubPath: h.hubPath,
+        wellKnownDir: h.wellKnownDir,
+        configDir: h.configDir,
+        skipHub: true,
+        log: () => {},
+      });
+      expect(code).toBe(0);
+      const values = readEnvFileValues(join(h.configDir, "vault", ".env"));
+      expect(values.PARACHUTE_HUB_ORIGIN).toBeUndefined();
+      // Sibling keys preserved.
+      expect(values.SCRIBE_AUTH_TOKEN).toBe("secret");
+    } finally {
+      h.cleanup();
+    }
+  });
+
   test("leaves state in place on teardown failure", async () => {
     const h = makeHarness();
     try {