@openparachute/hub 0.5.14-rc.18 → 0.5.14-rc.20

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openparachute/hub",
-  "version": "0.5.14-rc.18",
+  "version": "0.5.14-rc.20",
   "description": "parachute — the local hub for the Parachute ecosystem (discovery, ports, lifecycle, soon OAuth).",
   "license": "AGPL-3.0",
   "publishConfig": {
@@ -11,15 +11,8 @@
   "bin": {
     "parachute": "src/cli.ts"
   },
-  "workspaces": [
-    "packages/*"
-  ],
-  "files": [
-    "src",
-    "web/ui/dist",
-    "README.md",
-    "LICENSE"
-  ],
+  "workspaces": ["packages/*"],
+  "files": ["src", "web/ui/dist", "README.md", "LICENSE"],
   "repository": {
     "type": "git",
     "url": "https://github.com/ParachuteComputer/parachute-hub.git"
@@ -45,6 +38,7 @@
   },
   "dependencies": {
     "@node-rs/argon2": "^2.0.2",
+    "@openparachute/depcheck": "0.1.0-rc.1",
     "jose": "^6.2.2",
     "otpauth": "^9.5.0",
     "qrcode": "^1.5.4"

package/src/__tests__/api-mint-token.test.ts

@@ -382,10 +382,14 @@ describe("POST /api/auth/mint-token (hub#212 Phase 1)", () => {
     }
   });
 
-  // The de-escalation exception is gated on host:admin specifically. A
-  // bearer that only holds `parachute:host:auth` (the narrow auth scope-set)
-  // can mint verb scopes but NOT vault-admin — that would be an escalation.
-  test("400 invalid_scope when auth-only bearer mints vault:<name>:admin", async () => {
+  // Single-consent change (2026-05-29) — INTENTIONAL canGrant widening. Once
+  // `vault:<name>:admin` became requestable (`isNonRequestableScope` dropped
+  // the per-vault-admin clause), canGrant rule 1 (`!isNonRequestableScope` +
+  // bearer holds `parachute:host:auth`) now ADMITS it. A `parachute:host:auth`
+  // bearer is an on-box operator credential, so minting a vault-pinned admin
+  // from it is a de-escalation, not an escalation. Pinned here so the widening
+  // is deliberate, not an accidental regression.
+  test("200 when auth-only bearer mints vault:<name>:admin (intentional canGrant widening)", async () => {
     const h = makeHarness();
     try {
       const { db, userId } = await bootstrap(h.dir);
@@ -398,10 +402,12 @@ describe("POST /api/auth/mint-token (hub#212 Phase 1)", () => {
           jsonRequest({ scope: "vault:work:admin" }, { authorization: `Bearer ${op.token}` }),
           { db, issuer: ISSUER },
         );
-        expect(resp.status).toBe(400);
-        const body = (await resp.json()) as { error: string; error_description: string };
-        expect(body.error).toBe("invalid_scope");
-        expect(body.error_description).toContain("vault:work:admin");
+        expect(resp.status).toBe(200);
+        const body = (await resp.json()) as { scope: string; token: string };
+        expect(body.scope).toBe("vault:work:admin");
+        const validated = await validateAccessToken(db, body.token, ISSUER);
+        expect(validated.payload.aud).toBe("vault.work");
+        expect(validated.payload.scope).toBe("vault:work:admin");
       } finally {
         db.close();
       }
@@ -765,7 +771,10 @@ describe("POST /api/auth/mint-token (hub#212 Phase 1)", () => {
       }
     });
 
-    test("host:auth-only bearer mints vault:work:admin → 400 (rule 1 doesn't cover admin)", async () => {
+    test("host:auth-only bearer mints vault:work:admin → 200 (single-consent: rule 1 now covers admin)", async () => {
+      // Single-consent change (2026-05-29): vault:<name>:admin is requestable
+      // now, so canGrant rule 1 admits it for a host:auth bearer. De-escalation
+      // from an on-box operator credential — intentional widening.
       const h = makeHarness();
       try {
         const { db, userId } = await bootstrap(h.dir);
@@ -775,9 +784,9 @@ describe("POST /api/auth/mint-token (hub#212 Phase 1)", () => {
             jsonRequest({ scope: "vault:work:admin" }, { authorization: `Bearer ${op.token}` }),
             { db, issuer: ISSUER },
           );
-          expect(resp.status).toBe(400);
-          const body = (await resp.json()) as { error: string };
-          expect(body.error).toBe("invalid_scope");
+          expect(resp.status).toBe(200);
+          const body = (await resp.json()) as { scope: string };
+          expect(body.scope).toBe("vault:work:admin");
         } finally {
           db.close();
         }
@@ -993,10 +1002,12 @@ describe("POST /api/auth/mint-token (hub#212 Phase 1)", () => {
       }
     });
 
-    // The existing non-requestable behaviour is unchanged: a host:auth-only
-    // bearer minting the well-formed `vault:work:admin` is still 400 (rule 1
-    // doesn't cover admin) — this path is reached AFTER the shape guard passes.
-    test("host:auth-only bearer minting vault:work:admin → 400 (non-requestable, unchanged)", async () => {
+    // Contrast with the malformed forms above: a WELL-FORMED `vault:work:admin`
+    // clears the shape guard, and (single-consent change, 2026-05-29) now mints
+    // 200 via canGrant rule 1 for a host:auth bearer. The malformed forms are
+    // rejected by the shape guard BEFORE canGrant; this one passes the guard
+    // and is admitted.
+    test("host:auth-only bearer minting well-formed vault:work:admin → 200 (clears shape guard, mints)", async () => {
       const h = makeHarness();
       try {
         const { db, userId } = await bootstrap(h.dir);
@@ -1006,11 +1017,9 @@ describe("POST /api/auth/mint-token (hub#212 Phase 1)", () => {
             jsonRequest({ scope: "vault:work:admin" }, { authorization: `Bearer ${op.token}` }),
             { db, issuer: ISSUER },
           );
-          expect(resp.status).toBe(400);
-          const body = (await resp.json()) as { error: string; error_description: string };
-          expect(body.error).toBe("invalid_scope");
-          // Not the malformed-shape message — it cleared the shape guard.
-          expect(body.error_description).toContain("not grantable");
+          expect(resp.status).toBe(200);
+          const body = (await resp.json()) as { scope: string };
+          expect(body.scope).toBe("vault:work:admin");
         } finally {
           db.close();
         }

package/src/__tests__/api-modules-ops.test.ts

@@ -2,6 +2,7 @@ import { afterEach, beforeEach, describe, expect, test } from "bun:test";
 import { existsSync, mkdtempSync, readFileSync, rmSync, writeFileSync } from "node:fs";
 import { tmpdir } from "node:os";
 import { join } from "node:path";
+import { MissingDependencyError, lookupDep } from "@openparachute/depcheck";
 import {
   API_MODULES_OPS_REQUIRED_SCOPE,
   _resetOperationsRegistryForTests,
@@ -629,6 +630,50 @@ describe("POST /api/modules/:short/install", () => {
     expect(op.error).toMatch(/bun add -g exited 1/);
   });
 
+  test("a MissingDependencyError during install attaches the structured error_detail wire", async () => {
+    const { supervisor } = makeIdleSupervisor();
+    const bearer = await mintBearer(h, [API_MODULES_OPS_REQUIRED_SCOPE]);
+    const deps = {
+      db: h.db,
+      issuer: ISSUER,
+      manifestPath: h.manifestPath,
+      configDir: h.dir,
+      supervisor,
+      // Simulate `bun` not being on PATH: the install runner's shell-out
+      // throws the typed missing-dependency error.
+      run: async () => {
+        throw new MissingDependencyError("bun", lookupDep("bun"), {
+          platform: "linux",
+          arch: "x64",
+        });
+      },
+      findGlobalInstall: () => null,
+      isLinked: TEST_DEFAULT_NOT_LINKED,
+    };
+    const res = await handleInstall(
+      postReq("/api/modules/vault/install", { authorization: `Bearer ${bearer}` }),
+      "vault",
+      deps,
+    );
+    const body = (await res.json()) as { operation_id: string };
+    await new Promise((r) => setTimeout(r, 10));
+    const opRes = await handleOperationGet(
+      getReq(`/api/modules/operations/${body.operation_id}`, {
+        authorization: `Bearer ${bearer}`,
+      }),
+      body.operation_id,
+      deps,
+    );
+    const op = (await opRes.json()) as {
+      status: string;
+      error?: string;
+      error_detail?: { error_type: string; binary: string };
+    };
+    expect(op.status).toBe("failed");
+    expect(op.error_detail?.error_type).toBe("missing_dependency");
+    expect(op.error_detail?.binary).toBe("bun");
+  });
+
   test("skips bun add -g when package is already bun-linked (smoke 2026-05-27 finding 1)", async () => {
     // Smoke finding 1: the wizard's parallel install path was unconditionally
     // invoking `bun add -g <pkg>` even when the package was already linked

package/src/__tests__/lifecycle.test.ts

@@ -21,7 +21,7 @@ import {
   readOperatorTokenFile,
 } from "../operator-token.ts";
 import { ensureLogPath, logPath, readPid, writePid } from "../process-state.ts";
-import { upsertService } from "../services-manifest.ts";
+import { readManifest, upsertService } from "../services-manifest.ts";
 import { rotateSigningKey } from "../signing-keys.ts";
 
 interface Harness {
@@ -197,6 +197,87 @@ describe("parachute start", () => {
     }
   });
 
+  test("missing startCmd binary → friendly missing-dependency message + no spawn", async () => {
+    const h = makeHarness();
+    try {
+      seedVault(h.manifestPath);
+      const spawner = makeSpawner([4242]);
+      const logs: string[] = [];
+      const code = await start("vault", {
+        configDir: h.configDir,
+        manifestPath: h.manifestPath,
+        spawner,
+        // Force the preflight's missing-binary branch: parachute-vault not on PATH.
+        which: () => null,
+        log: (l) => logs.push(l),
+      });
+      expect(code).toBe(1);
+      // Preflight fired before the spawn — the stub spawner is never called.
+      expect(spawner.calls).toHaveLength(0);
+      const out = logs.join("\n");
+      expect(out).toMatch(/vault failed to start/);
+      // The friendly install block names the binary + its install path.
+      expect(out).toContain("parachute-vault is required to run the Vault module Hub supervises");
+      expect(out).toContain("parachute install vault");
+      expect(readPid("vault", h.configDir)).toBeUndefined();
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("missing startCmd binary persists lastStartError so a later status surfaces it", async () => {
+    const h = makeHarness();
+    try {
+      seedVault(h.manifestPath);
+      await start("vault", {
+        configDir: h.configDir,
+        manifestPath: h.manifestPath,
+        spawner: makeSpawner([4242]),
+        which: () => null,
+        log: () => {},
+      });
+      const entry = readManifest(h.manifestPath).services.find((s) => s.name === "parachute-vault");
+      expect(entry?.lastStartError?.error_type).toBe("missing_dependency");
+      expect(entry?.lastStartError?.binary).toBe("parachute-vault");
+      expect(entry?.lastStartError?.at).toBeDefined();
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("a successful start clears a previously-recorded lastStartError", async () => {
+    const h = makeHarness();
+    try {
+      seedVault(h.manifestPath);
+      // First start fails (binary missing) → records the error.
+      await start("vault", {
+        configDir: h.configDir,
+        manifestPath: h.manifestPath,
+        spawner: makeSpawner([1]),
+        which: () => null,
+        log: () => {},
+      });
+      expect(
+        readManifest(h.manifestPath).services.find((s) => s.name === "parachute-vault")
+          ?.lastStartError,
+      ).toBeDefined();
+      // Second start succeeds (binary present via the permissive default which
+      // — stub spawner path) → clears the recorded error.
+      await start("vault", {
+        configDir: h.configDir,
+        manifestPath: h.manifestPath,
+        spawner: makeSpawner([4242]),
+        log: () => {},
+      });
+      expect(
+        readManifest(h.manifestPath).services.find((s) => s.name === "parachute-vault")
+          ?.lastStartError,
+      ).toBeUndefined();
+    } finally {
+      h.cleanup();
+    }
+  });
+
   test("notes start command includes configured port and notes-serve shim path", async () => {
     const h = makeHarness();
     try {