@openparachute/hub 0.5.14-rc.1 → 0.5.14-rc.3

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openparachute/hub",
-  "version": "0.5.14-rc.1",
+  "version": "0.5.14-rc.3",
   "description": "parachute \u2014 the local hub for the Parachute ecosystem (discovery, ports, lifecycle, soon OAuth).",
   "license": "AGPL-3.0",
   "publishConfig": {

package/src/__tests__/account-home-ui.test.ts

@@ -22,7 +22,7 @@ describe("renderAccountHome", () => {
   test("assigned-vault branch — Notes CTA carries the encoded hub+vault URL", () => {
     const html = renderAccountHome({
       username: "alice",
-      assignedVault: "alice",
+      assignedVaults: ["alice"],
       passwordChanged: true,
       hubOrigin: HUB_ORIGIN,
       isFirstAdmin: false,
@@ -49,7 +49,7 @@ describe("renderAccountHome", () => {
     // renderer must produce a clean `/vault/<name>` join either way.
     const html = renderAccountHome({
       username: "alice",
-      assignedVault: "alice",
+      assignedVaults: ["alice"],
       passwordChanged: true,
       hubOrigin: `${HUB_ORIGIN}/`,
       isFirstAdmin: false,
@@ -65,7 +65,7 @@ describe("renderAccountHome", () => {
   test("admin branch — null assignedVault + isFirstAdmin renders an /admin/ link", () => {
     const html = renderAccountHome({
       username: "admin",
-      assignedVault: null,
+      assignedVaults: [],
       passwordChanged: true,
       hubOrigin: HUB_ORIGIN,
       isFirstAdmin: true,
@@ -85,7 +85,7 @@ describe("renderAccountHome", () => {
     // state via hand-edit or migration race.
     const html = renderAccountHome({
       username: "ghost",
-      assignedVault: null,
+      assignedVaults: [],
       passwordChanged: true,
       hubOrigin: HUB_ORIGIN,
       isFirstAdmin: false,
@@ -102,7 +102,7 @@ describe("renderAccountHome", () => {
   test("account card — change-password link and sign-out form are present", () => {
     const html = renderAccountHome({
       username: "alice",
-      assignedVault: "alice",
+      assignedVaults: ["alice"],
       passwordChanged: true,
       hubOrigin: HUB_ORIGIN,
       isFirstAdmin: false,
@@ -120,6 +120,29 @@ describe("renderAccountHome", () => {
     expect(html).toContain("<code>alice</code>");
   });
 
+  test("multi-vault branch — renders one tile per assigned vault (Phase 2 PR 2)", () => {
+    const html = renderAccountHome({
+      username: "alice",
+      assignedVaults: ["personal", "family"],
+      passwordChanged: true,
+      hubOrigin: HUB_ORIGIN,
+      isFirstAdmin: false,
+      csrfToken: CSRF,
+    });
+    // Plural heading.
+    expect(html).toContain("Your vaults");
+    // Each vault name appears.
+    expect(html).toContain("<strong>personal</strong>");
+    expect(html).toContain("<strong>family</strong>");
+    // One CTA per vault with the right encoded URL.
+    const personalEncoded = encodeURIComponent(`${HUB_ORIGIN}/vault/personal`);
+    const familyEncoded = encodeURIComponent(`${HUB_ORIGIN}/vault/family`);
+    expect(html).toContain(`https://notes.parachute.computer/add?url=${personalEncoded}`);
+    expect(html).toContain(`https://notes.parachute.computer/add?url=${familyEncoded}`);
+    // Hub origin block appears once at the section level, not per tile.
+    expect(html.split(`<code>${HUB_ORIGIN}</code>`).length - 1).toBe(1);
+  });
+
   test("escapes hostile content in username and vault name", () => {
     // Defense-in-depth: usernames pass validateUsername (lowercase alnum
     // + `_-`), so HTML metacharacters won't normally make it through. But
@@ -127,7 +150,7 @@ describe("renderAccountHome", () => {
     // escape is load-bearing if the validator ever loosens.
     const html = renderAccountHome({
       username: "<script>",
-      assignedVault: "<vault>",
+      assignedVaults: ["<vault>"],
       passwordChanged: true,
       hubOrigin: HUB_ORIGIN,
       isFirstAdmin: false,

package/src/__tests__/admin-vault-admin-token.test.ts

@@ -160,7 +160,7 @@ describe("handleVaultAdminToken", () => {
     // whole reason this gate exists.
     await createUser(harness.db, "operator", "hunter2-admin");
     const friend = await createUser(harness.db, "friend", "hunter2-friend", {
-      assignedVault: "work",
+      assignedVaults: ["work"],
       allowMulti: true,
     });
     const session = createSession(harness.db, { userId: friend.id });
@@ -182,7 +182,7 @@ describe("handleVaultAdminToken", () => {
     // happy path when there are friends in the DB.
     const admin = await createUser(harness.db, "operator", "hunter2-admin");
     await createUser(harness.db, "friend", "hunter2-friend", {
-      assignedVault: "work",
+      assignedVaults: ["work"],
       allowMulti: true,
     });
     const session = createSession(harness.db, { userId: admin.id });

package/src/__tests__/api-account.test.ts

@@ -757,7 +757,7 @@ describe("handleAccountHomeGet", () => {
     const friend = await createUser(harness.db, "alice", "alice-passphrase", {
       allowMulti: true,
       passwordChanged: true,
-      assignedVault: "alice",
+      assignedVaults: ["alice"],
     });
     const session = createSession(harness.db, { userId: friend.id });
     const cookie = buildSessionCookie(session.id, Math.floor(SESSION_TTL_MS / 1000));
@@ -774,7 +774,7 @@ describe("handleAccountHomeGet", () => {
     expect(html).toContain(`https://notes.parachute.computer/add?url=${encoded}`);
   });
 
-  test("200 + admin branch when the first-admin signs in (assignedVault=null)", async () => {
+  test("200 + admin branch when the first-admin signs in (no vault assignments)", async () => {
     // The first-created user with no vault pin is the admin posture.
     const admin = await createUser(harness.db, "admin", "admin-passphrase", {
       passwordChanged: true,

package/src/__tests__/api-modules-config.test.ts

@@ -23,6 +23,7 @@ import { mkdtempSync, rmSync, writeFileSync } from "node:fs";
 import { tmpdir } from "node:os";
 import { join } from "node:path";
 import { decodeJwt } from "jose";
+import type { CuratedModuleShort } from "../api-modules.ts";
 import {
   API_MODULES_CONFIG_REQUIRED_SCOPE,
   MODULE_CONFIG_PROXY_CLIENT_ID,
@@ -152,14 +153,19 @@ describe("parseModulesConfigPath", () => {
     });
   });
 
-  test("matches vault and notes (curated modules)", () => {
+  test("matches vault and scribe (curated modules)", () => {
     expect(parseModulesConfigPath("/api/modules/vault/config")?.short).toBe("vault");
-    expect(parseModulesConfigPath("/api/modules/notes/config/schema")?.short).toBe("notes");
+    expect(parseModulesConfigPath("/api/modules/scribe/config/schema")?.short).toBe("scribe");
   });
 
   test("rejects unknown short (non-curated)", () => {
     expect(parseModulesConfigPath("/api/modules/unknown/config")).toBeUndefined();
     expect(parseModulesConfigPath("/api/modules/channel/config")).toBeUndefined();
+    // Curated list trimmed 2026-05-27: notes / runner / surface are no
+    // longer curated and reject at the parse boundary.
+    expect(parseModulesConfigPath("/api/modules/notes/config")).toBeUndefined();
+    expect(parseModulesConfigPath("/api/modules/runner/config")).toBeUndefined();
+    expect(parseModulesConfigPath("/api/modules/surface/config")).toBeUndefined();
   });
 
   test("rejects non-config suffix shapes", () => {
@@ -302,7 +308,7 @@ describe("handleApiModulesConfig — FALLBACK retirement (hub#310)", () => {
       makeReq("/api/modules/runner/config/schema", {
         headers: { authorization: `Bearer ${bearer}` },
       }),
-      { short: "runner", suffix: "schema" },
+      { short: "runner" as CuratedModuleShort, suffix: "schema" },
       { db: h.db, issuer: ISSUER, manifestPath: h.manifestPath },
     );
     expect(res.status).toBe(404);
@@ -365,7 +371,7 @@ describe("handleApiModulesConfig — FALLBACK retirement (hub#310)", () => {
       makeReq("/api/modules/runner/config/schema", {
         headers: { authorization: `Bearer ${bearer}` },
       }),
-      { short: "runner", suffix: "schema" },
+      { short: "runner" as CuratedModuleShort, suffix: "schema" },
       {
         db: h.db,
         issuer: ISSUER,
@@ -614,7 +620,7 @@ describe("handleApiModulesConfig — stripPrefix=false (notes-shape)", () => {
       makeReq("/api/modules/notes/config/schema", {
         headers: { authorization: `Bearer ${bearer}` },
       }),
-      { short: "notes", suffix: "schema" },
+      { short: "notes" as CuratedModuleShort, suffix: "schema" },
       {
         db: h.db,
         issuer: ISSUER,
@@ -668,7 +674,7 @@ describe("handleApiModulesConfig — hostsBareParachute (hub#307)", () => {
       makeReq("/api/modules/runner/config/schema", {
         headers: { authorization: `Bearer ${bearer}` },
       }),
-      { short: "runner", suffix: "schema" },
+      { short: "runner" as CuratedModuleShort, suffix: "schema" },
       {
         db: h.db,
         issuer: ISSUER,
@@ -700,7 +706,7 @@ describe("handleApiModulesConfig — hostsBareParachute (hub#307)", () => {
       makeReq("/api/modules/runner/config", {
         headers: { authorization: `Bearer ${bearer}` },
       }),
-      { short: "runner", suffix: "" },
+      { short: "runner" as CuratedModuleShort, suffix: "" },
       {
         db: h.db,
         issuer: ISSUER,
@@ -733,7 +739,7 @@ describe("handleApiModulesConfig — hostsBareParachute (hub#307)", () => {
         },
         body: JSON.stringify({ intervalSeconds: 120 }),
       }),
-      { short: "runner", suffix: "" },
+      { short: "runner" as CuratedModuleShort, suffix: "" },
       {
         db: h.db,
         issuer: ISSUER,
@@ -760,7 +766,7 @@ describe("handleApiModulesConfig — hostsBareParachute (hub#307)", () => {
       makeReq("/api/modules/runner/config", {
         headers: { authorization: `Bearer ${bearer}` },
       }),
-      { short: "runner", suffix: "" },
+      { short: "runner" as CuratedModuleShort, suffix: "" },
       {
         db: h.db,
         issuer: ISSUER,
@@ -863,7 +869,7 @@ describe("handleApiModulesConfig — hostsBareParachute (hub#307)", () => {
       makeReq("/api/modules/runner/config/schema", {
         headers: { authorization: `Bearer ${bearer}` },
       }),
-      { short: "runner", suffix: "schema" },
+      { short: "runner" as CuratedModuleShort, suffix: "schema" },
       {
         db: h.db,
         issuer: ISSUER,

package/src/__tests__/api-modules-ops.test.ts

@@ -126,6 +126,19 @@ function alwaysOkRun(): {
   };
 }
 
+/**
+ * Test default for `isLinked`: assume the package is NOT bun-linked so
+ * `runInstall` exercises the `bun add -g` path (which the stubbed runner
+ * captures into `calls`). The production default at
+ * `src/bun-link.ts` reads the contributor's real `~/.bun/install/global/`
+ * symlinks; on Aaron's machine vault/scribe/notes/hub are all linked
+ * (the canonical local-dev shape — smoke 2026-05-27 finding 1 caps the
+ * fix). Tests asserting "bun add WAS called" must opt out of that leakage
+ * by passing this stub. Tests specifically exercising the skip path use
+ * an inline `isLinked: () => true` or a per-pkg discriminator.
+ */
+const TEST_DEFAULT_NOT_LINKED = (_pkg: string): boolean => false;
+
 describe("parseModulesPath", () => {
   test("recognizes curated short + action", () => {
     expect(parseModulesPath("/api/modules/vault/install")).toEqual({
@@ -231,6 +244,7 @@ describe("POST /api/modules/:short/install", () => {
         configDir: h.dir,
         supervisor,
         run,
+        isLinked: TEST_DEFAULT_NOT_LINKED,
       },
     );
     expect(res.status).toBe(202);
@@ -280,6 +294,7 @@ describe("POST /api/modules/:short/install", () => {
         configDir: h.dir,
         supervisor,
         run,
+        isLinked: TEST_DEFAULT_NOT_LINKED,
       },
     );
     expect(res.status).toBe(202);
@@ -301,6 +316,7 @@ describe("POST /api/modules/:short/install", () => {
         configDir: h.dir,
         supervisor,
         run,
+        isLinked: TEST_DEFAULT_NOT_LINKED,
       },
     );
     const op = (await opRes.json()) as { status: string };
@@ -324,6 +340,7 @@ describe("POST /api/modules/:short/install", () => {
         configDir: h.dir,
         supervisor,
         run,
+        isLinked: TEST_DEFAULT_NOT_LINKED,
       },
     );
     expect(res.status).toBe(202);
@@ -348,6 +365,7 @@ describe("POST /api/modules/:short/install", () => {
         configDir: h.dir,
         supervisor,
         run,
+        isLinked: TEST_DEFAULT_NOT_LINKED,
       },
     );
     await new Promise((r) => setTimeout(r, 10));
@@ -379,6 +397,7 @@ describe("POST /api/modules/:short/install", () => {
         configDir: h.dir,
         supervisor,
         run,
+        isLinked: TEST_DEFAULT_NOT_LINKED,
       },
     );
     expect(res.status).toBe(202);
@@ -406,6 +425,7 @@ describe("POST /api/modules/:short/install", () => {
         configDir: h.dir,
         supervisor,
         run,
+        isLinked: TEST_DEFAULT_NOT_LINKED,
       },
     );
     await new Promise((r) => setTimeout(r, 10));
@@ -433,6 +453,7 @@ describe("POST /api/modules/:short/install", () => {
         configDir: h.dir,
         supervisor,
         run,
+        isLinked: TEST_DEFAULT_NOT_LINKED,
       },
     );
     expect(res.status).toBe(400);
@@ -458,6 +479,7 @@ describe("POST /api/modules/:short/install", () => {
         configDir: h.dir,
         supervisor,
         run,
+        isLinked: TEST_DEFAULT_NOT_LINKED,
       },
     );
     await new Promise((r) => setTimeout(r, 10));
@@ -487,6 +509,7 @@ describe("POST /api/modules/:short/install", () => {
           configDir: h.dir,
           supervisor,
           run,
+          isLinked: TEST_DEFAULT_NOT_LINKED,
         },
       );
       await new Promise((r) => setTimeout(r, 10));
@@ -524,6 +547,7 @@ describe("POST /api/modules/:short/install", () => {
           configDir: h.dir,
           supervisor,
           run,
+          isLinked: TEST_DEFAULT_NOT_LINKED,
         },
       );
       await new Promise((r) => setTimeout(r, 10));
@@ -557,6 +581,7 @@ describe("POST /api/modules/:short/install", () => {
           configDir: h.dir,
           supervisor,
           run,
+          isLinked: TEST_DEFAULT_NOT_LINKED,
         },
       );
       expect(res.status).toBe(202);
@@ -583,6 +608,7 @@ describe("POST /api/modules/:short/install", () => {
       supervisor,
       run: async () => 1,
       findGlobalInstall: () => null,
+      isLinked: TEST_DEFAULT_NOT_LINKED,
     };
     const res = await handleInstall(
       postReq("/api/modules/vault/install", { authorization: `Bearer ${bearer}` }),
@@ -602,6 +628,71 @@ describe("POST /api/modules/:short/install", () => {
     expect(op.status).toBe("failed");
     expect(op.error).toMatch(/bun add -g exited 1/);
   });
+
+  test("skips bun add -g when package is already bun-linked (smoke 2026-05-27 finding 1)", async () => {
+    // Smoke finding 1: the wizard's parallel install path was unconditionally
+    // invoking `bun add -g <pkg>` even when the package was already linked
+    // via `bun link <abspath>` (the standard local-dev shape). At best a
+    // wasted ~3s npm round-trip per install; at worst the global bun.lock
+    // had unrelated noise and the install failed outright, taking the
+    // wizard's vault step with it. Fix: mirror the CLI install path's
+    // `isLinked` short-circuit. Regression guard.
+    const { supervisor, spawns } = makeIdleSupervisor();
+    const { run, calls } = alwaysOkRun();
+    const bearer = await mintBearer(h, [API_MODULES_OPS_REQUIRED_SCOPE]);
+    const res = await handleInstall(
+      postReq("/api/modules/vault/install", { authorization: `Bearer ${bearer}` }),
+      "vault",
+      {
+        db: h.db,
+        issuer: ISSUER,
+        manifestPath: h.manifestPath,
+        configDir: h.dir,
+        supervisor,
+        run,
+        // The bug shape: package IS linked locally. Without the
+        // short-circuit, runInstall would still call bun add -g.
+        isLinked: (pkg) => pkg === "@openparachute/vault",
+      },
+    );
+    expect(res.status).toBe(202);
+    await new Promise((r) => setTimeout(r, 10));
+
+    // The fix: bun add -g was NOT invoked for the linked package.
+    expect(calls).not.toContainEqual(["bun", "add", "-g", "@openparachute/vault@latest"]);
+    // Downstream of the skip, the seed + spawn still happen — the install
+    // op completes successfully against the locally-linked checkout.
+    const manifest = JSON.parse(readFileSync(h.manifestPath, "utf8")) as {
+      services: Array<{ name: string }>;
+    };
+    expect(manifest.services.some((s) => s.name === "parachute-vault")).toBe(true);
+    expect(spawns.find((s) => s.short === "vault")?.cmd).toEqual(["parachute-vault", "serve"]);
+  });
+
+  test("still runs bun add -g when package is NOT bun-linked", async () => {
+    // Companion to the above — confirms the short-circuit doesn't
+    // unconditionally skip. On a friend's fresh machine (no bun link),
+    // bun add -g IS what installs the package from npm. `isLinked: () => false`
+    // is the production default behavior for a non-linked package.
+    const { supervisor } = makeIdleSupervisor();
+    const { run, calls } = alwaysOkRun();
+    const bearer = await mintBearer(h, [API_MODULES_OPS_REQUIRED_SCOPE]);
+    await handleInstall(
+      postReq("/api/modules/vault/install", { authorization: `Bearer ${bearer}` }),
+      "vault",
+      {
+        db: h.db,
+        issuer: ISSUER,
+        manifestPath: h.manifestPath,
+        configDir: h.dir,
+        supervisor,
+        run,
+        isLinked: () => false,
+      },
+    );
+    await new Promise((r) => setTimeout(r, 10));
+    expect(calls).toContainEqual(["bun", "add", "-g", "@openparachute/vault@latest"]);
+  });
 });
 
 describe("POST /api/modules/:short/restart", () => {
@@ -682,6 +773,7 @@ describe("POST /api/modules/:short/upgrade", () => {
         configDir: h.dir,
         supervisor,
         run,
+        isLinked: TEST_DEFAULT_NOT_LINKED,
       },
     );
     expect(res.status).toBe(202);
@@ -706,6 +798,7 @@ describe("POST /api/modules/:short/upgrade", () => {
         configDir: h.dir,
         supervisor,
         run,
+        isLinked: TEST_DEFAULT_NOT_LINKED,
       },
     );
     expect(res.status).toBe(202);
@@ -736,6 +829,7 @@ describe("POST /api/modules/:short/upgrade", () => {
           configDir: h.dir,
           supervisor,
           run,
+          isLinked: TEST_DEFAULT_NOT_LINKED,
         },
       );
       await new Promise((r) => setTimeout(r, 10));
@@ -846,6 +940,7 @@ describe("POST /api/modules/:short/uninstall", () => {
         configDir: h.dir,
         supervisor,
         run,
+        isLinked: TEST_DEFAULT_NOT_LINKED,
       },
     );
     expect(res.status).toBe(200);
@@ -878,6 +973,7 @@ describe("POST /api/modules/:short/uninstall", () => {
         configDir: h.dir,
         supervisor,
         run,
+        isLinked: TEST_DEFAULT_NOT_LINKED,
       },
     );
     expect(res.status).toBe(200);
@@ -1099,6 +1195,7 @@ describe("well-known regen after module ops", () => {
       supervisor,
       run: async () => 1,
       findGlobalInstall: () => null,
+      isLinked: TEST_DEFAULT_NOT_LINKED,
       wellKnownPath: wkPath,
     };
     const res = await handleInstall(