@openparachute/hub 0.5.13 → 0.5.14-rc.2

package/src/api-account.ts

@@ -48,6 +48,8 @@
 import type { Database } from "bun:sqlite";
 import { hash as argonHash } from "@node-rs/argon2";
 import { type ChangePasswordMode, renderChangePassword } from "./account-change-password-ui.ts";
+import { renderAccountHome } from "./account-home-ui.ts";
+import { POST_LOGIN_DEFAULT } from "./admin-handlers.ts";
 import { renderAdminError } from "./admin-login-ui.ts";
 import { CSRF_FIELD_NAME, ensureCsrfToken, verifyCsrfToken } from "./csrf.ts";
 import { changePasswordRateLimiter } from "./rate-limit.ts";
@@ -57,6 +59,7 @@ import {
   PASSWORD_MAX_LEN,
   UserNotFoundError,
   getUserById,
+  isFirstAdmin,
   validatePassword,
   verifyPassword,
 } from "./users.ts";
@@ -69,12 +72,10 @@ export interface ApiAccountDeps {
 
 /**
  * Where to land after a successful password change when no `next` param
- * is present. Matches `POST_LOGIN_DEFAULT` in `admin-handlers.ts` — the
- * admin SPA's vault list. Kept as a local const (not imported) so this
- * file doesn't accidentally couple to admin-handlers' internals; if the
- * default ever diverges the two should reconcile via a shared config.
+ * is present. Re-exported from `admin-handlers.ts` so login + change-
+ * password share a single source of truth (reviewer fold on hub#425).
  */
-const POST_CHANGE_DEFAULT = "/admin/vaults";
+const POST_CHANGE_DEFAULT = POST_LOGIN_DEFAULT;
 
 function safeNext(raw: string | null | undefined): string {
   if (!raw) return POST_CHANGE_DEFAULT;
@@ -234,7 +235,20 @@ export async function handleAccountChangePasswordPost(
   const currentPassword = String(form.get("current_password") ?? "");
   const newPassword = String(form.get("new_password") ?? "");
   const confirmPassword = String(form.get("new_password_confirm") ?? "");
-  const next = safeNext(String(form.get("next") ?? ""));
+  // Friend-facing redirect: non-admin users who would otherwise land in the
+  // admin SPA (because POST_CHANGE_DEFAULT = /admin/vaults) get bounced to
+  // /account/ directly. Without this, the SPA loads, hits 403 on its host-
+  // admin-token mint, then redirects to /account/ via the SPA's auth.ts —
+  // a visible two-hop flash for the friend. The login-redirect path
+  // (admin-handlers.ts:118) does the same rewrite at sign-in time; this
+  // mirrors it for the change-password POST. (hub#425 reviewer fold —
+  // operator runbook accuracy: the doc said "lands at /account/", but
+  // without this fix the user briefly sees the admin shell.)
+  const rawNext = safeNext(String(form.get("next") ?? ""));
+  const next =
+    !isFirstAdmin(deps.db, user.id) && (rawNext === "/admin" || rawNext.startsWith("/admin/"))
+      ? "/account/"
+      : rawNext;
   const mode = modeFor(user.passwordChanged);
 
   // Rate-limit gate (hub#282). Fires *after* CSRF (so a junk cross-site
@@ -437,6 +451,58 @@ export async function handleAccountChangePasswordPost(
   });
 }
 
+/**
+ * GET /account/ — friend-facing user home (multi-user Phase 1 follow-up).
+ *
+ * Companion surface to the first-admin gate on
+ * `/admin/host-admin-token`: friend users who can't reach the admin
+ * SPA need a coherent landing page that shows their assigned vault, a
+ * sign-out form, and a link to rotate their password. The admin lands
+ * here too (via the SPA's 403 redirect path) but mostly bounces back
+ * to `/admin/` immediately — for admins this is a "wait, what?" exit
+ * ramp.
+ *
+ * Auth: requires an active session. Session-less requests 302 to
+ * `/login?next=/account/` — same posture as `handleAccountChangePasswordGet`.
+ *
+ * `hubOrigin` is passed in by the route handler (resolved per-request
+ * via `resolveIssuer` in `hub-server.ts`). The page uses it to build
+ * the canonical Notes "Open" CTA URL and to show as inline code in
+ * the "use a custom client" disclosure.
+ */
+export interface AccountHomeDeps extends ApiAccountDeps {
+  /** Canonical hub origin for this request (e.g. `https://my-hub.example`). */
+  hubOrigin: string;
+}
+
+export function handleAccountHomeGet(req: Request, deps: AccountHomeDeps): Response {
+  const session = findActiveSession(deps.db, req);
+  if (!session) {
+    return redirect(`/login?next=${encodeURIComponent("/account/")}`);
+  }
+  const user = getUserById(deps.db, session.userId);
+  if (!user) {
+    // Stale session pointing at a deleted user — hand back to /login;
+    // the orphaned session row will time out on its own.
+    return redirect("/login");
+  }
+  const adminFlag = isFirstAdmin(deps.db, user.id);
+  const csrf = ensureCsrfToken(req);
+  const extra: Record<string, string> = csrf.setCookie ? { "set-cookie": csrf.setCookie } : {};
+  return htmlResponse(
+    renderAccountHome({
+      username: user.username,
+      assignedVaults: user.assignedVaults,
+      passwordChanged: user.passwordChanged,
+      hubOrigin: deps.hubOrigin,
+      isFirstAdmin: adminFlag,
+      csrfToken: csrf.token,
+    }),
+    200,
+    extra,
+  );
+}
+
 /**
  * Flip `users.password_changed` from 0 to 1 for the given user.
  * Idempotent — running against an already-`true` row is a no-op.

package/src/api-modules-ops.ts

@@ -36,6 +36,7 @@ import type { Database } from "bun:sqlite";
 import { randomUUID } from "node:crypto";
 import { dirname } from "node:path";
 import { CURATED_MODULES, type CuratedModuleShort } from "./api-modules.ts";
+import { isLinked as defaultIsLinked } from "./bun-link.ts";
 import { PARACHUTE_INSTALL_CHANNEL_ENV } from "./commands/install.ts";
 import { getModuleInstallChannel } from "./hub-settings.ts";
 import { validateAccessToken } from "./jwt-sign.ts";
@@ -187,6 +188,21 @@ export interface ApiModulesOpsDeps {
    * null when not found.
    */
   findGlobalInstall?: (pkg: string) => string | null;
+  /**
+   * Override `isLinked` (test seam). Production probes bun's globals
+   * for a symlink-shaped entry under `<prefix>/node_modules/<pkg>` —
+   * true iff the package was installed via `bun link` from a local
+   * checkout. When true, `runInstall` skips `bun add -g <pkg>`
+   * entirely; the linked checkout already provides the binary on
+   * PATH and `bun add -g` would either be a wasted npm round-trip
+   * or fail outright on unrelated global-lockfile noise (smoke
+   * 2026-05-27 finding 1).
+   *
+   * Mirrors the CLI install path's `isLinked` short-circuit in
+   * `commands/install.ts`. Both paths use the same `src/bun-link.ts`
+   * helper so they can't drift again.
+   */
+  isLinked?: (pkg: string) => boolean;
   /**
    * Extra env vars merged onto the supervised child at spawn time (hub#267).
    *
@@ -543,23 +559,43 @@ export async function runInstall(
   // without a hub restart.
   const channel = resolveApiInstallChannel(channelOverride, deps);
   const spec_str = `${spec.package}@${channel}`;
-  registry.update(opId, { status: "running" }, `running bun add -g ${spec_str}`);
-  const code = await run(["bun", "add", "-g", spec_str]);
-  if (code !== 0) {
-    // Bun 1.2.x lockfile-recovery noise: probe the global prefix
-    // before treating non-zero as fatal. Mirrors the same defense in
-    // commands/install.ts.
-    const findGlobalInstall = deps.findGlobalInstall;
-    const probed = findGlobalInstall?.(spec.package) ?? null;
-    if (!probed) {
-      registry.update(
-        opId,
-        { status: "failed", error: `bun add -g exited ${code}` },
-        `bun add -g ${spec_str} failed (exit ${code})`,
-      );
-      return;
+  // bun-link short-circuit (smoke 2026-05-27, finding 1): mirror the
+  // CLI install path's `isLinked` check. When the package is already
+  // linked globally via `bun link <abspath>` (the standard local-dev
+  // shape — Aaron + every workspace contributor runs this way), the
+  // linked checkout already provides the binary on PATH. `bun add -g`
+  // is at best a wasted ~3s npm round-trip and at worst a hard failure
+  // on unrelated global-lockfile noise (one stale entry can crash the
+  // whole `bun add`, failing the wizard's vault step even though the
+  // linked vault is fine). The wizard's parallel install path diverged
+  // pre-this-fix; the shared `src/bun-link.ts` keeps both paths in
+  // lockstep going forward.
+  const isLinked = deps.isLinked ?? defaultIsLinked;
+  if (isLinked(spec.package)) {
+    registry.update(
+      opId,
+      { status: "running" },
+      `${spec.package} is already linked globally (bun link) — skipping bun add -g`,
+    );
+  } else {
+    registry.update(opId, { status: "running" }, `running bun add -g ${spec_str}`);
+    const code = await run(["bun", "add", "-g", spec_str]);
+    if (code !== 0) {
+      // Bun 1.2.x lockfile-recovery noise: probe the global prefix
+      // before treating non-zero as fatal. Mirrors the same defense in
+      // commands/install.ts.
+      const findGlobalInstall = deps.findGlobalInstall;
+      const probed = findGlobalInstall?.(spec.package) ?? null;
+      if (!probed) {
+        registry.update(
+          opId,
+          { status: "failed", error: `bun add -g exited ${code}` },
+          `bun add -g ${spec_str} failed (exit ${code})`,
+        );
+        return;
+      }
+      registry.update(opId, {}, `bun add reported exit ${code} but package landed at ${probed}`);
     }
-    registry.update(opId, {}, `bun add reported exit ${code} but package landed at ${probed}`);
   }
 
   // Seed services.json if absent (the install flow does this for the

package/src/api-modules.ts

@@ -88,7 +88,7 @@ export const API_MODULES_REQUIRED_SCOPE = "parachute:host:auth";
  * the pre-app architecture; scribe + runner come last because they
  * depend on a working vault + app to be useful).
  */
-export const CURATED_MODULES = ["vault", "app", "notes", "scribe", "runner"] as const;
+export const CURATED_MODULES = ["vault", "surface", "notes", "scribe", "runner"] as const;
 export type CuratedModuleShort = (typeof CURATED_MODULES)[number];
 
 export interface ApiModulesDeps {
@@ -385,8 +385,8 @@ export async function handleApiModules(req: Request, deps: ApiModulesDeps): Prom
         //     (e.g. `/vault/default` + `/admin/` → `/vault/default/admin/`).
         //   - Single-instance modules (app, scribe, runner) declare a
         //     full hub-origin path that ALREADY includes the mount
-        //     (e.g. `/app/admin/`, `/scribe/admin`); the mount must NOT
-        //     be prepended again or the result is `/app/app/admin/`
+        //     (e.g. `/surface/admin/`, `/scribe/admin`); the mount must NOT
+        //     be prepended again or the result is `/app/surface/admin/`
         //     (the audit bug caught 2026-05-25 on the SPA's Services
         //     dropdown).
         // Detect by checking if candidate is already mount-prefixed.