@openparachute/hub 0.5.13 → 0.5.14-rc.2

package/src/__tests__/setup.test.ts

@@ -123,7 +123,7 @@ describe("setup", () => {
         { name: "parachute-scribe", port: 1943 },
         { name: "parachute-channel", port: 1941 },
         { name: "parachute-runner", port: 1945 },
-        { name: "parachute-app", port: 1946 },
+        { name: "parachute-surface", port: 1946 },
       ];
       for (const s of seeds) {
         upsertService(

package/src/__tests__/status.test.ts

@@ -123,6 +123,45 @@ describe("status", () => {
     }
   });
 
+  test("http 401 counts as HEALTHY (auth-gated endpoint is responsive)", async () => {
+    // Vault's canonical health path `/vault/<name>/health` returns 401
+    // without an API key — that's the server replying "I'm up but you
+    // need auth," not "I'm down." `parachute status` used to roll 401
+    // into the failing bucket via `res.ok`, surfacing "failing" on every
+    // fresh install (vault was fine — the probe was just confused).
+    // Now: 401 specifically counts as healthy. Other 4xx (404, 400) stay
+    // unhealthy — those mean the configured health path is misshapen.
+    const { path, configDir, cleanup } = makeTempPath();
+    try {
+      upsertService(
+        {
+          name: "parachute-vault",
+          port: 1940,
+          paths: ["/"],
+          health: "/vault/default/health",
+          version: "0.2.4",
+        },
+        path,
+      );
+      writePid("vault", 4242, configDir);
+      const lines: string[] = [];
+      const code = await status({
+        manifestPath: path,
+        configDir,
+        alive: () => true,
+        fetchImpl: async () => new Response(null, { status: 401 }),
+        print: (l) => lines.push(l),
+      });
+      expect(code).toBe(0);
+      expect(lines.some((l) => /\bactive\b/.test(l))).toBe(true);
+      // No "failing" rollup, no `! probe: http 401` continuation line.
+      expect(lines.some((l) => /\bfailing\b/.test(l))).toBe(false);
+      expect(lines.some((l) => l.includes("probe: http 401"))).toBe(false);
+    } finally {
+      cleanup();
+    }
+  });
+
   test("running + healthy probe shows STATE=active, pid + uptime", async () => {
     const { path, configDir, cleanup } = makeTempPath();
     try {

package/src/__tests__/users.test.ts

@@ -3,6 +3,7 @@ import { mkdtempSync, rmSync } from "node:fs";
 import { tmpdir } from "node:os";
 import { join } from "node:path";
 import { hubDbPath, openHubDb } from "../hub-db.ts";
+import { recordTokenMint, signAccessToken } from "../jwt-sign.ts";
 import {
   PASSWORD_MIN_LEN,
   SingleUserModeError,
@@ -11,11 +12,15 @@ import {
   UsernameTakenError,
   createUser,
   deleteUser,
+  getFirstAdminId,
   getUserById,
   getUserByUsername,
   getUserByUsernameCI,
+  isFirstAdmin,
   listUsers,
+  resetUserPassword,
   setPassword,
+  setUserVaults,
   userCount,
   validatePassword,
   validateUsername,
@@ -52,7 +57,7 @@ describe("createUser", () => {
       expect(userCount(db)).toBe(1);
       // Default multi-user-Phase-1 shape: unchanged password, no vault pin.
       expect(u.passwordChanged).toBe(false);
-      expect(u.assignedVault).toBeNull();
+      expect(u.assignedVaults).toEqual([]);
     } finally {
       cleanup();
     }
@@ -72,28 +77,63 @@ describe("createUser", () => {
     }
   });
 
-  test("assignedVault opt-in persists the column (admin-creates-user path)", async () => {
+  test("assignedVaults opt-in persists each vault (admin-creates-user path)", async () => {
     const { db, cleanup } = makeDb();
     try {
       const u = await createUser(db, "alice", "pw1", {
         allowMulti: true,
-        assignedVault: "alice",
+        assignedVaults: ["alice"],
       });
-      expect(u.assignedVault).toBe("alice");
+      expect(u.assignedVaults).toEqual(["alice"]);
       const fresh = getUserById(db, u.id);
-      expect(fresh?.assignedVault).toBe("alice");
+      expect(fresh?.assignedVaults).toEqual(["alice"]);
     } finally {
       cleanup();
     }
   });
 
-  test("assignedVault explicit null is treated the same as omitted", async () => {
+  test("assignedVaults with multiple entries — all persist (multi-vault Phase 2)", async () => {
     const { db, cleanup } = makeDb();
     try {
-      const u = await createUser(db, "admin1", "pw1", { assignedVault: null });
-      expect(u.assignedVault).toBeNull();
+      const u = await createUser(db, "alice", "pw1", {
+        allowMulti: true,
+        assignedVaults: ["personal", "family"],
+      });
+      expect(u.assignedVaults).toEqual(["personal", "family"]);
+      const fresh = getUserById(db, u.id);
+      // Loaded via the user_vaults JOIN — order matches insertion order
+      // because rows share the same `created_at` timestamp and tie-break
+      // on `vault_name` ASC. `family` precedes `personal` alphabetically.
+      expect(fresh?.assignedVaults.length).toBe(2);
+      expect(new Set(fresh?.assignedVaults)).toEqual(new Set(["personal", "family"]));
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("assignedVaults omitted defaults to empty array (admin posture)", async () => {
+    const { db, cleanup } = makeDb();
+    try {
+      const u = await createUser(db, "admin1", "pw1");
+      expect(u.assignedVaults).toEqual([]);
       const fresh = getUserById(db, u.id);
-      expect(fresh?.assignedVault).toBeNull();
+      expect(fresh?.assignedVaults).toEqual([]);
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("assignedVaults de-duplicates repeated names", async () => {
+    const { db, cleanup } = makeDb();
+    try {
+      const u = await createUser(db, "alice", "pw1", {
+        allowMulti: true,
+        assignedVaults: ["personal", "personal", "family"],
+      });
+      // De-dupe is silent; user gets one row per distinct name.
+      expect(u.assignedVaults).toEqual(["personal", "family"]);
+      const fresh = getUserById(db, u.id);
+      expect(fresh?.assignedVaults.length).toBe(2);
     } finally {
       cleanup();
     }
@@ -348,3 +388,350 @@ describe("validatePassword", () => {
     expect(validatePassword("aaaaaaaaaaaa").valid).toBe(true);
   });
 });
+
+describe("resetUserPassword", () => {
+  test("returns false when user does not exist", async () => {
+    const { db, cleanup } = makeDb();
+    try {
+      expect(await resetUserPassword(db, "no-such-id", "twelvechars1")).toBe(false);
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("returns false when user vanishes between pre-check and tx body", async () => {
+    // Reviewer-flagged race path (hub#427). The argon2 hash is computed
+    // outside the transaction (async), giving a window where a concurrent
+    // delete can land between the existence pre-check and the UPDATE tx.
+    // The helper must return false in that case so the caller can 404
+    // instead of cosmetically claiming success.
+    const { db, cleanup } = makeDb();
+    try {
+      const user = await createUser(db, "alice", "alice-strong-passphrase", {
+        passwordChanged: true,
+      });
+      // Simulate the race: delete the row, then invoke the reset. The
+      // pre-check runs in `resetUserPassword` against the now-empty table.
+      // (We can't intercept between pre-check and tx without forking the
+      // helper; deleting before the call is the equivalent post-condition
+      // — if the row is gone the tx body will UPDATE 0 rows.)
+      db.prepare("DELETE FROM users WHERE id = ?").run(user.id);
+      expect(await resetUserPassword(db, user.id, "new-temp-passphrase")).toBe(false);
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("rotates hash, flips password_changed back to 0, bumps updated_at", async () => {
+    const { db, cleanup } = makeDb();
+    try {
+      // Seed user as "already changed their password" (true) to prove the
+      // reset flips it back to false for the force-redirect rail.
+      const initial = await createUser(db, "alice", "alice-strong-passphrase", {
+        passwordChanged: true,
+        now: () => new Date(1000),
+      });
+      const oldHash = initial.passwordHash;
+      const oldUpdated = initial.updatedAt;
+      const later = new Date(2000);
+      expect(await resetUserPassword(db, initial.id, "new-temp-passphrase", () => later)).toBe(
+        true,
+      );
+      const fresh = getUserById(db, initial.id);
+      expect(fresh).not.toBeNull();
+      expect(fresh?.passwordHash).not.toBe(oldHash);
+      expect(fresh?.passwordChanged).toBe(false);
+      expect(fresh?.updatedAt).not.toBe(oldUpdated);
+      // Round-trip verify: old password no longer works, new one does.
+      expect(await verifyPassword(fresh!, "alice-strong-passphrase")).toBe(false);
+      expect(await verifyPassword(fresh!, "new-temp-passphrase")).toBe(true);
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("revokes still-active tokens belonging to the user", async () => {
+    const { db, cleanup } = makeDb();
+    try {
+      const user = await createUser(db, "alice", "alice-strong-passphrase", {
+        passwordChanged: true,
+      });
+      const minted = await signAccessToken(db, {
+        sub: user.id,
+        scopes: ["vault:home:read"],
+        audience: "vault",
+        clientId: "notes-client",
+        issuer: "https://hub.test",
+        ttlSeconds: 600,
+      });
+      recordTokenMint(db, {
+        jti: minted.jti,
+        createdVia: "operator_mint",
+        subject: user.username,
+        userId: user.id,
+        clientId: "notes-client",
+        scopes: ["vault:home:read"],
+        expiresAt: minted.expiresAt,
+      });
+      // Pre-state: token row not yet revoked.
+      const before = db
+        .query<{ revoked_at: string | null }, [string]>(
+          "SELECT revoked_at FROM tokens WHERE jti = ?",
+        )
+        .get(minted.jti);
+      expect(before?.revoked_at).toBeNull();
+
+      expect(await resetUserPassword(db, user.id, "new-temp-passphrase")).toBe(true);
+
+      // Post-state: token row has revoked_at set, user_id retained (the
+      // user row sticks around, audit trail re-anchors naturally).
+      const after = db
+        .query<{ revoked_at: string | null; user_id: string | null }, [string]>(
+          "SELECT revoked_at, user_id FROM tokens WHERE jti = ?",
+        )
+        .get(minted.jti);
+      expect(after?.revoked_at).not.toBeNull();
+      expect(after?.user_id).toBe(user.id);
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("does not re-revoke an already-revoked token", async () => {
+    // Defense-in-depth: a previously-revoked token shouldn't have its
+    // revoked_at timestamp overwritten by a fresh reset. The UPDATE's
+    // WHERE clause filters on `revoked_at IS NULL` so this is naturally
+    // enforced; pinning it here so a future refactor that drops the
+    // filter trips the test.
+    const { db, cleanup } = makeDb();
+    try {
+      const user = await createUser(db, "alice", "alice-strong-passphrase", {
+        passwordChanged: true,
+      });
+      const minted = await signAccessToken(db, {
+        sub: user.id,
+        scopes: ["vault:home:read"],
+        audience: "vault",
+        clientId: "notes-client",
+        issuer: "https://hub.test",
+        ttlSeconds: 600,
+      });
+      const earlierStamp = "2026-01-01T00:00:00.000Z";
+      recordTokenMint(db, {
+        jti: minted.jti,
+        createdVia: "operator_mint",
+        subject: user.username,
+        userId: user.id,
+        clientId: "notes-client",
+        scopes: ["vault:home:read"],
+        expiresAt: minted.expiresAt,
+      });
+      db.prepare("UPDATE tokens SET revoked_at = ? WHERE jti = ?").run(earlierStamp, minted.jti);
+
+      expect(await resetUserPassword(db, user.id, "new-temp-passphrase")).toBe(true);
+
+      const row = db
+        .query<{ revoked_at: string | null }, [string]>(
+          "SELECT revoked_at FROM tokens WHERE jti = ?",
+        )
+        .get(minted.jti);
+      expect(row?.revoked_at).toBe(earlierStamp);
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("leaves tokens for other users untouched", async () => {
+    const { db, cleanup } = makeDb();
+    try {
+      const alice = await createUser(db, "alice", "alice-strong-passphrase", {
+        passwordChanged: true,
+      });
+      const bob = await createUser(db, "bob", "bob-strong-passphrase", {
+        allowMulti: true,
+        passwordChanged: true,
+      });
+      const bobToken = await signAccessToken(db, {
+        sub: bob.id,
+        scopes: ["vault:home:read"],
+        audience: "vault",
+        clientId: "notes-client",
+        issuer: "https://hub.test",
+        ttlSeconds: 600,
+      });
+      recordTokenMint(db, {
+        jti: bobToken.jti,
+        createdVia: "operator_mint",
+        subject: bob.username,
+        userId: bob.id,
+        clientId: "notes-client",
+        scopes: ["vault:home:read"],
+        expiresAt: bobToken.expiresAt,
+      });
+
+      await resetUserPassword(db, alice.id, "new-temp-passphrase");
+
+      const bobRow = db
+        .query<{ revoked_at: string | null }, [string]>(
+          "SELECT revoked_at FROM tokens WHERE jti = ?",
+        )
+        .get(bobToken.jti);
+      expect(bobRow?.revoked_at).toBeNull();
+    } finally {
+      cleanup();
+    }
+  });
+});
+
+describe("setUserVaults (multi-user Phase 2 PR 2)", () => {
+  test("returns false when user does not exist", () => {
+    const { db, cleanup } = makeDb();
+    try {
+      expect(setUserVaults(db, "no-such-id", ["a"])).toBe(false);
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("replaces a user's vault list atomically", async () => {
+    const { db, cleanup } = makeDb();
+    try {
+      const u = await createUser(db, "alice", "alice-strong-passphrase", {
+        assignedVaults: ["personal"],
+      });
+      expect(setUserVaults(db, u.id, ["family", "work"])).toBe(true);
+      const fresh = getUserById(db, u.id);
+      // Old vault dropped; new ones present.
+      expect(new Set(fresh?.assignedVaults)).toEqual(new Set(["family", "work"]));
+      expect(fresh?.assignedVaults).not.toContain("personal");
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("empty array clears every existing assignment (non-admin = no access)", async () => {
+    const { db, cleanup } = makeDb();
+    try {
+      const u = await createUser(db, "alice", "alice-strong-passphrase", {
+        assignedVaults: ["a", "b", "c"],
+      });
+      expect(setUserVaults(db, u.id, [])).toBe(true);
+      const fresh = getUserById(db, u.id);
+      expect(fresh?.assignedVaults).toEqual([]);
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("de-duplicates repeated names without throwing", async () => {
+    const { db, cleanup } = makeDb();
+    try {
+      const u = await createUser(db, "alice", "alice-strong-passphrase");
+      expect(setUserVaults(db, u.id, ["a", "a", "b"])).toBe(true);
+      const fresh = getUserById(db, u.id);
+      expect(new Set(fresh?.assignedVaults)).toEqual(new Set(["a", "b"]));
+      expect(fresh?.assignedVaults.length).toBe(2);
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("bumps updated_at so the SPA row reflects the change", async () => {
+    const { db, cleanup } = makeDb();
+    try {
+      const u = await createUser(db, "alice", "alice-strong-passphrase", {
+        now: () => new Date(1000),
+      });
+      const before = getUserById(db, u.id);
+      expect(setUserVaults(db, u.id, ["a"], () => new Date(2000))).toBe(true);
+      const after = getUserById(db, u.id);
+      expect(after?.updatedAt).not.toBe(before?.updatedAt);
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("vault assignments cascade-delete with the user row", async () => {
+    const { db, cleanup } = makeDb();
+    try {
+      const u = await createUser(db, "alice", "alice-strong-passphrase", {
+        assignedVaults: ["a", "b"],
+      });
+      // Sanity: rows exist in user_vaults.
+      const before = db
+        .query<{ n: number }, [string]>("SELECT COUNT(*) AS n FROM user_vaults WHERE user_id = ?")
+        .get(u.id);
+      expect(before?.n).toBe(2);
+      deleteUser(db, u.id);
+      const after = db
+        .query<{ n: number }, [string]>("SELECT COUNT(*) AS n FROM user_vaults WHERE user_id = ?")
+        .get(u.id);
+      expect(after?.n).toBe(0);
+    } finally {
+      cleanup();
+    }
+  });
+});
+
+describe("getFirstAdminId / isFirstAdmin", () => {
+  test("getFirstAdminId returns null on an empty users table", () => {
+    const { db, cleanup } = makeDb();
+    try {
+      expect(getFirstAdminId(db)).toBeNull();
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("getFirstAdminId returns the earliest-created user id", async () => {
+    const { db, cleanup } = makeDb();
+    try {
+      const admin = await createUser(db, "admin", "pw1", { now: () => new Date(1000) });
+      await createUser(db, "alice", "pw2", {
+        allowMulti: true,
+        now: () => new Date(2000),
+      });
+      await createUser(db, "bob", "pw3", {
+        allowMulti: true,
+        now: () => new Date(3000),
+      });
+      expect(getFirstAdminId(db)).toBe(admin.id);
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("isFirstAdmin matches earliest user, false for everyone else", async () => {
+    const { db, cleanup } = makeDb();
+    try {
+      const admin = await createUser(db, "admin", "pw1", { now: () => new Date(1000) });
+      const friend = await createUser(db, "alice", "pw2", {
+        allowMulti: true,
+        now: () => new Date(2000),
+      });
+      expect(isFirstAdmin(db, admin.id)).toBe(true);
+      expect(isFirstAdmin(db, friend.id)).toBe(false);
+      expect(isFirstAdmin(db, "no-such-id")).toBe(false);
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("isFirstAdmin tracks the admin even after a later user is deleted", async () => {
+    // Deleting a non-first user doesn't promote anyone — the original
+    // admin still holds the "first" slot.
+    const { db, cleanup } = makeDb();
+    try {
+      const admin = await createUser(db, "admin", "pw1", { now: () => new Date(1000) });
+      const friend = await createUser(db, "alice", "pw2", {
+        allowMulti: true,
+        now: () => new Date(2000),
+      });
+      deleteUser(db, friend.id);
+      expect(getFirstAdminId(db)).toBe(admin.id);
+      expect(isFirstAdmin(db, admin.id)).toBe(true);
+    } finally {
+      cleanup();
+    }
+  });
+});

package/src/__tests__/well-known.test.ts

@@ -426,10 +426,10 @@ describe("buildWellKnown", () => {
   // joined onto the canonical origin into a deep-linkable `url`.
   describe("uis hierarchical sub-units (hub#313)", () => {
     const app: ServiceEntry = {
-      name: "parachute-app",
+      name: "parachute-surface",
       port: 1946,
-      paths: ["/app"],
-      health: "/app/healthz",
+      paths: ["/surface"],
+      health: "/surface/healthz",
       version: "0.1.0",
     };
 
@@ -455,7 +455,7 @@ describe("buildWellKnown", () => {
         services: [withUis],
         canonicalOrigin: "https://x.example",
       });
-      const appSvc = doc.services.find((s) => s.name === "parachute-app");
+      const appSvc = doc.services.find((s) => s.name === "parachute-surface");
       expect(appSvc?.uis).toEqual([
         {
           name: "gitcoin-brain",
@@ -500,7 +500,7 @@ describe("buildWellKnown", () => {
         services: [empty],
         canonicalOrigin: "https://x.example",
       });
-      const svc = doc.services.find((s) => s.name === "parachute-app");
+      const svc = doc.services.find((s) => s.name === "parachute-surface");
       expect(svc).not.toHaveProperty("uis");
     });
 
@@ -519,7 +519,7 @@ describe("buildWellKnown", () => {
         services: [withIcon],
         canonicalOrigin: "https://x.example",
       });
-      const svc = doc.services.find((s) => s.name === "parachute-app");
+      const svc = doc.services.find((s) => s.name === "parachute-surface");
       expect(svc?.uis?.[0]?.iconUrl).toBe("https://x.example/app/slug/icon.svg");
     });
 
@@ -538,7 +538,7 @@ describe("buildWellKnown", () => {
         services: [withIcon],
         canonicalOrigin: "https://x.example",
       });
-      const svc = doc.services.find((s) => s.name === "parachute-app");
+      const svc = doc.services.find((s) => s.name === "parachute-surface");
       expect(svc?.uis?.[0]?.iconUrl).toBe("https://cdn.example.com/icon.svg");
     });
 
@@ -562,7 +562,7 @@ describe("buildWellKnown", () => {
         services: [mixed],
         canonicalOrigin: "https://x.example",
       });
-      const svc = doc.services.find((s) => s.name === "parachute-app");
+      const svc = doc.services.find((s) => s.name === "parachute-surface");
       const full = svc?.uis?.find((u) => u.name === "full");
       const minimal = svc?.uis?.find((u) => u.name === "minimal");
       expect(full?.tagline).toBe("Has it all");
@@ -593,7 +593,7 @@ describe("buildWellKnown", () => {
         services: [app1, app2],
         canonicalOrigin: "https://x.example",
       });
-      const svc1 = doc.services.find((s) => s.name === "parachute-app");
+      const svc1 = doc.services.find((s) => s.name === "parachute-surface");
       const svc2 = doc.services.find((s) => s.name === "parachute-app-2");
       expect(svc1?.uis?.map((u) => u.name)).toEqual(["a"]);
       expect(svc2?.uis?.map((u) => u.name)).toEqual(["b"]);