@openparachute/hub 0.5.14-rc.11 → 0.5.14-rc.12

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openparachute/hub",
-  "version": "0.5.14-rc.11",
+  "version": "0.5.14-rc.12",
   "description": "parachute \u2014 the local hub for the Parachute ecosystem (discovery, ports, lifecycle, soon OAuth).",
   "license": "AGPL-3.0",
   "publishConfig": {

package/src/__tests__/auth.test.ts

@@ -65,34 +65,26 @@ async function captureOutput(fn: () => Promise<number> | number): Promise<{
 }
 
 describe("parachute auth", () => {
-  test("2fa enroll forwards to parachute-vault 2fa enroll", async () => {
+  test("2fa is an honest hub-side stub — never forwards to parachute-vault", async () => {
+    // 2fa used to forward to the deprecated `parachute-vault 2fa` stub, which
+    // exits 1 post auth-unification and only wrote vault YAML that never gated
+    // hub /login. It's now an informational stub: exit 0, no subprocess.
     const { runner, calls } = makeRunner(0);
-    const code = await auth(["2fa", "enroll"], runner);
-    expect(code).toBe(0);
-    expect(calls).toEqual([["parachute-vault", "2fa", "enroll"]]);
+    const out = await captureOutput(() => auth(["2fa", "enroll"], runner));
+    expect(out.code).toBe(0);
+    expect(calls).toEqual([]); // did NOT spawn parachute-vault
+    expect(out.stdout).toContain("isn't available yet");
+    expect(out.stdout).toContain("#473");
+    // Doesn't tell the operator to run the dead vault command.
+    expect(out.stdout).not.toContain("2fa enroll");
   });
 
-  test("2fa enroll --some-flag forwards every arg after the subcommand", async () => {
+  test("2fa with any sub-args still resolves to the honest stub (exit 0, no spawn)", async () => {
     const { runner, calls } = makeRunner(0);
-    const code = await auth(["2fa", "enroll", "--some-flag", "value"], runner);
-    expect(code).toBe(0);
-    expect(calls).toEqual([["parachute-vault", "2fa", "enroll", "--some-flag", "value"]]);
-  });
-
-  test("exit code from parachute-vault is propagated", async () => {
-    const { runner } = makeRunner(3);
-    const code = await auth(["2fa", "status"], runner);
-    expect(code).toBe(3);
-  });
-
-  test("ENOENT on a vault-forwarded subcommand surfaces install hint and exit 127", async () => {
-    const runner: Runner = {
-      async run() {
-        throw new Error("ENOENT: spawn parachute-vault");
-      },
-    };
-    const code = await auth(["2fa", "status"], runner);
-    expect(code).toBe(127);
+    const out = await captureOutput(() => auth(["2fa", "status", "--whatever"], runner));
+    expect(out.code).toBe(0);
+    expect(calls).toEqual([]);
+    expect(out.stdout).toContain("#473");
   });
 
   test("set-password no longer forwards to vault", async () => {
@@ -142,23 +134,24 @@ describe("authHelp", () => {
   test("lists every blessed subcommand", () => {
     expect(h).toContain("parachute auth set-password");
     expect(h).toContain("parachute auth list-users");
-    expect(h).toContain("parachute auth 2fa status");
-    expect(h).toContain("parachute auth 2fa enroll");
-    expect(h).toContain("parachute auth 2fa disable");
-    expect(h).toContain("parachute auth 2fa backup-codes");
+    expect(h).toContain("parachute auth 2fa");
     expect(h).toContain("parachute auth rotate-key");
   });
 
+  test("2fa help is honest about hub-login TOTP not being shipped (#473)", () => {
+    expect(h).toContain("#473");
+    // No longer advertises the dead enroll/disable/backup-codes subcommands.
+    expect(h).not.toContain("2fa enroll");
+    expect(h).not.toContain("2fa disable");
+    expect(h).not.toContain("2fa backup-codes");
+  });
+
   test("set-password help mentions the new flags + hub-local home", () => {
     expect(h).toContain("--username");
     expect(h).toContain("--allow-multi");
     expect(h).toContain("hub.db");
   });
 
-  test("mentions the vault-install hint", () => {
-    expect(h).toContain("parachute install vault");
-  });
-
   test("rotate-key explains the 24h JWKS retention", () => {
     expect(h).toContain("jwks.json");
     // "24" + "hours" may be split by line wrap; check both pieces.

package/src/__tests__/cli.test.ts

@@ -123,6 +123,43 @@ describe("cli per-subcommand help", () => {
     expect(stderr).toMatch(/dash\.cloudflare\.com/);
   });
 
+  test("expose cloudflare is an alias for expose public --cloudflare (Fix 5)", async () => {
+    // No --domain, non-TTY → same hard error as `expose public --cloudflare`.
+    // That it reaches the cloudflare-domain check (not "unknown layer") proves
+    // the alias rewrote the layer to public + forced the cloudflare flag.
+    const { code, stderr } = await runCli(["expose", "cloudflare"]);
+    expect(code).toBe(1);
+    expect(stderr).toMatch(/--domain <hostname> is required/);
+    expect(stderr).not.toMatch(/unknown layer/);
+  });
+
+  test("expose cloudflare --domain X routes to the cloudflare path (not 'unknown layer')", async () => {
+    // cloudflared isn't installed under PATH="", so the cloudflare path prints
+    // its own not-installed hint — distinct from the layer-validation error.
+    const proc = Bun.spawn(
+      [process.execPath, CLI, "expose", "cloudflare", "--domain", "vault.example.com"],
+      {
+        stdout: "pipe",
+        stderr: "pipe",
+        env: {
+          ...process.env,
+          PATH: "",
+          HOME: "/tmp/parachute-hub-nonexistent-home",
+          PARACHUTE_HOME: "/tmp/parachute-hub-nonexistent-home",
+        },
+      },
+    );
+    const [stdout, stderr, code] = await Promise.all([
+      new Response(proc.stdout).text(),
+      new Response(proc.stderr).text(),
+      proc.exited,
+    ]);
+    expect(code).toBe(1);
+    expect(stderr).not.toMatch(/unknown layer/);
+    // Reached the cloudflare path (cloudflared detection), proving the alias.
+    expect(stdout).toMatch(/cloudflared is not installed/);
+  });
+
   test("expose tailnet --cloudflare is rejected (cloudflare is public-only)", async () => {
     const { code, stderr } = await runCli([
       "expose",

package/src/__tests__/expose-2fa-warning.test.ts

@@ -80,9 +80,13 @@ describe("printPublic2FAWarning", () => {
     });
     expect(fired).toBe(true);
     const joined = logs.join("\n");
-    expect(joined).toContain("2FA is not enrolled");
+    // Honest copy: /login is public, owner password is the wall, hub-login 2FA
+    // is coming (#473) — does NOT recommend the dead `auth 2fa enroll` path.
+    expect(joined).toContain("/login is now reachable on the public internet");
     expect(joined).toContain("https://vault.example.com/login");
-    expect(joined).toContain("parachute auth 2fa enroll");
+    expect(joined).toContain("#473");
+    expect(joined).toContain("parachute auth set-password");
+    expect(joined).not.toContain("parachute auth 2fa enroll");
   });
 
   test("enrolled → suppressed, returns false, logs nothing", () => {
@@ -108,7 +112,9 @@ describe("printPublic2FAWarning", () => {
       publicUrl: "https://vault.example.com",
     });
     expect(fired).toBe(true);
-    expect(logs.some((l) => l.includes("2FA is not enrolled"))).toBe(true);
+    expect(logs.some((l) => l.includes("/login is now reachable on the public internet"))).toBe(
+      true,
+    );
   });
 
   test("embeds the supplied publicUrl into the /login pointer", () => {

package/src/__tests__/expose-auth-preflight.test.ts

@@ -41,8 +41,8 @@ function status(partial: Partial<VaultAuthStatus> = {}): VaultAuthStatus {
 }
 
 describe("runAuthPreflight — wide open (no owner password)", () => {
-  test("warns loudly, offers password + 2FA, and prints hub-JWT token guidance", async () => {
-    const h = makeHarness(["y", "n"]); // password yes, 2fa no
+  test("warns loudly, offers password only, prints hub-JWT token guidance + honest 2FA note", async () => {
+    const h = makeHarness(["y"]); // password yes
     await runAuthPreflight({ status: status(), ...wire(h) });
     const joined = h.logs.join("\n");
     expect(joined).toContain("No owner password");
@@ -50,33 +50,34 @@ describe("runAuthPreflight — wide open (no owner password)", () => {
     // Programmatic-client guidance points at the hub mint path, not pvt_*.
     expect(joined).toContain("parachute auth mint-token --scope vault:default:read");
     expect(joined).toContain("Bearer <hub-jwt>");
-    // Only password + 2FA are interactive offers; token guidance is printed,
-    // not prompted (no auto-mint).
+    // Honest 2FA state — coming (#473), not offered as a dead enroll command.
+    expect(joined).toContain("#473");
+    expect(joined).not.toContain("2fa enroll");
+    // Only password is an interactive offer; token guidance + 2FA note are
+    // printed, not prompted.
     expect(h.commands).toHaveLength(1);
     expect(h.commands[0]).toEqual(["parachute", "auth", "set-password"]);
+    expect(h.prompts).toHaveLength(1);
   });
 
   test("token guidance uses the first discovered vault name", async () => {
-    const h = makeHarness(["n", "n"]);
+    const h = makeHarness(["n"]);
     await runAuthPreflight({ status: status({ vaultNames: ["work"] }), ...wire(h) });
     expect(h.logs.join("\n")).toContain("--scope vault:work:read");
   });
 
-  test("user declines every prompt → no subprocesses run", async () => {
-    const h = makeHarness(["", ""]); // all Enter = skip
+  test("user declines the password prompt → no subprocesses run", async () => {
+    const h = makeHarness([""]); // Enter = skip
     await runAuthPreflight({ status: status(), ...wire(h) });
     expect(h.commands).toHaveLength(0);
-    // Prompted on password + 2FA (token guidance is not a prompt).
-    expect(h.prompts).toHaveLength(2);
+    // Only one prompt now (password); token guidance + 2FA note aren't prompts.
+    expect(h.prompts).toHaveLength(1);
   });
 
-  test("user accepts password + 2FA → both commands invoked in order", async () => {
-    const h = makeHarness(["y", "y"]);
+  test("user accepts the password offer → set-password invoked", async () => {
+    const h = makeHarness(["y"]);
     await runAuthPreflight({ status: status(), ...wire(h) });
-    expect(h.commands.map((c) => c.join(" "))).toEqual([
-      "parachute auth set-password",
-      "parachute auth 2fa enroll",
-    ]);
+    expect(h.commands.map((c) => c.join(" "))).toEqual(["parachute auth set-password"]);
   });
 
   test("null tokenCount with no owner password still classifies wide-open", async () => {
@@ -84,7 +85,7 @@ describe("runAuthPreflight — wide open (no owner password)", () => {
     // — `classify()` gates on `hasOwnerPassword` alone. A box with no owner
     // password AND an unreadable token DB must still take the loud wide-open
     // branch, not silently fall through to a quieter state.
-    const h = makeHarness(["n", "n"]);
+    const h = makeHarness(["n"]);
     await runAuthPreflight({
       status: status({ hasOwnerPassword: false, tokenCount: null }),
       ...wire(h),
@@ -92,24 +93,26 @@ describe("runAuthPreflight — wide open (no owner password)", () => {
     const joined = h.logs.join("\n");
     expect(joined).toContain("No owner password");
     expect(joined).toContain("public internet");
-    // Wide-open offers password + 2FA (two prompts); not the all-good path.
-    expect(h.prompts).toHaveLength(2);
+    // Wide-open offers the password (one prompt); not the password-set path.
+    expect(h.prompts).toHaveLength(1);
   });
 
-  test("never offers the removed `vault tokens create` command", async () => {
-    const h = makeHarness(["y", "y"]);
+  test("never offers a dead command (vault tokens create OR auth 2fa enroll)", async () => {
+    const h = makeHarness(["y"]);
     await runAuthPreflight({ status: status(), ...wire(h) });
     const allCommands = h.commands.map((c) => c.join(" ")).join("\n");
     expect(allCommands).not.toContain("vault tokens create");
-    // And no log line steers the operator at the dead command as guidance.
-    const guidance = h.logs.filter((l) => !l.includes("old affordance")).join("\n");
+    expect(allCommands).not.toContain("auth 2fa enroll");
+    // And no log line steers the operator at a dead command as guidance.
+    const guidance = h.logs.join("\n");
     expect(guidance).not.toContain("parachute vault tokens create");
+    expect(guidance).not.toContain("parachute auth 2fa enroll");
   });
 });
 
-describe("runAuthPreflight — password set, no 2FA", () => {
-  test("short nudge, offers 2FA only — ignores vestigial tokenCount", async () => {
-    const h = makeHarness(["y"]);
+describe("runAuthPreflight — password set", () => {
+  test("single confirmation line + honest 2FA note, no prompts (ignores vestigial tokenCount)", async () => {
+    const h = makeHarness([]);
     await runAuthPreflight({
       // tokenCount is non-zero (vestigial pvt_* rows) but no longer consulted.
       status: status({ hasOwnerPassword: true, tokenCount: 3 }),
@@ -117,59 +120,42 @@ describe("runAuthPreflight — password set, no 2FA", () => {
     });
     const joined = h.logs.join("\n");
     expect(joined).toContain("Owner password is set");
-    expect(joined).toContain("2FA");
-    expect(h.prompts).toHaveLength(1);
-    expect(h.commands).toEqual([["parachute", "auth", "2fa", "enroll"]]);
-  });
-
-  test("user declines → no command runs", async () => {
-    const h = makeHarness([""]);
-    await runAuthPreflight({
-      status: status({ hasOwnerPassword: true, tokenCount: 3 }),
-      ...wire(h),
-    });
+    // Honest 2FA note (#473) — not a prompt, not the dead enroll command.
+    expect(joined).toContain("#473");
+    expect(joined).not.toContain("2fa enroll");
+    expect(h.prompts).toHaveLength(0);
     expect(h.commands).toHaveLength(0);
   });
 
   test("null tokenCount (DB unreadable) is irrelevant — password gates the branch", async () => {
-    const h = makeHarness([""]); // decline 2FA
+    const h = makeHarness([]);
     await runAuthPreflight({
       status: status({ hasOwnerPassword: true, hasTotp: false, tokenCount: null }),
       ...wire(h),
     });
-    expect(h.prompts).toHaveLength(1);
-    expect(h.prompts[0]?.toLowerCase()).toContain("2fa");
+    expect(h.logs.join("\n")).toContain("Owner password is set");
+    expect(h.prompts).toHaveLength(0);
+    expect(h.commands).toHaveLength(0);
   });
-});
 
-describe("runAuthPreflight — all good", () => {
-  test("single positive line, no prompts (tokens not required)", async () => {
+  test("password + legacy vault TOTP — still the quiet password-set path", async () => {
     const h = makeHarness([]);
     await runAuthPreflight({
-      // tokenCount: 0 — a hub JWT is minted on demand, not a standing need.
       status: status({ hasOwnerPassword: true, hasTotp: true, tokenCount: 0 }),
       ...wire(h),
     });
-    const joined = h.logs.join("\n");
-    expect(joined).toContain("looks good");
-    expect(joined).toContain("owner password + 2FA");
+    expect(h.logs.join("\n")).toContain("Owner password is set");
     expect(h.prompts).toHaveLength(0);
     expect(h.commands).toHaveLength(0);
   });
 });
 
 describe("runAuthPreflight — subprocess failure handling", () => {
-  test("non-zero exit from an auth command doesn't abort the rest of the preflight", async () => {
-    const h = makeHarness(["y", "y"]);
-    // Override the interactive runner to return non-zero on the first call.
-    let first = true;
+  test("non-zero exit from set-password doesn't abort the rest of the preflight", async () => {
+    const h = makeHarness(["y"]);
     const interactiveRunner = async (cmd: readonly string[]) => {
       h.commands.push([...cmd]);
-      if (first) {
-        first = false;
-        return 7;
-      }
-      return 0;
+      return 7;
     };
     await runAuthPreflight({
       status: status(),
@@ -180,19 +166,22 @@ describe("runAuthPreflight — subprocess failure handling", () => {
       },
       interactiveRunner,
     });
-    // Both commands still attempted, neither aborted the flow.
-    expect(h.commands.map((c) => c[0])).toEqual(["parachute", "parachute"]);
+    // The command was attempted; the flow continued (token guidance still
+    // printed afterward).
+    expect(h.commands.map((c) => c[0])).toEqual(["parachute"]);
     const joined = h.logs.join("\n");
     expect(joined).toContain("exited 7");
+    expect(joined).toContain("Bearer <hub-jwt>");
   });
 });
 
 describe("runAuthPreflight — case-insensitive yes", () => {
   test('"Y", "YES", and "y" all count as affirmative; anything else is decline', async () => {
+    // Now only the wide-open path prompts (for the password). Drive it there.
     for (const yes of ["y", "Y", "yes", "YES"]) {
       const h = makeHarness([yes]);
       await runAuthPreflight({
-        status: status({ hasOwnerPassword: true, tokenCount: 1 }),
+        status: status({ hasOwnerPassword: false }),
         ...wire(h),
       });
       expect(h.commands).toHaveLength(1);
@@ -200,7 +189,7 @@ describe("runAuthPreflight — case-insensitive yes", () => {
     for (const no of ["", "n", "no", "q", "bogus"]) {
       const h = makeHarness([no]);
       await runAuthPreflight({
-        status: status({ hasOwnerPassword: true, tokenCount: 1 }),
+        status: status({ hasOwnerPassword: false }),
         ...wire(h),
       });
       expect(h.commands).toHaveLength(0);