@openparachute/hub 0.5.14-rc.2 → 0.5.14-rc.21

package/src/__tests__/cli.test.ts

@@ -123,6 +123,43 @@ describe("cli per-subcommand help", () => {
     expect(stderr).toMatch(/dash\.cloudflare\.com/);
   });
 
+  test("expose cloudflare is an alias for expose public --cloudflare (Fix 5)", async () => {
+    // No --domain, non-TTY → same hard error as `expose public --cloudflare`.
+    // That it reaches the cloudflare-domain check (not "unknown layer") proves
+    // the alias rewrote the layer to public + forced the cloudflare flag.
+    const { code, stderr } = await runCli(["expose", "cloudflare"]);
+    expect(code).toBe(1);
+    expect(stderr).toMatch(/--domain <hostname> is required/);
+    expect(stderr).not.toMatch(/unknown layer/);
+  });
+
+  test("expose cloudflare --domain X routes to the cloudflare path (not 'unknown layer')", async () => {
+    // cloudflared isn't installed under PATH="", so the cloudflare path prints
+    // its own not-installed hint — distinct from the layer-validation error.
+    const proc = Bun.spawn(
+      [process.execPath, CLI, "expose", "cloudflare", "--domain", "vault.example.com"],
+      {
+        stdout: "pipe",
+        stderr: "pipe",
+        env: {
+          ...process.env,
+          PATH: "",
+          HOME: "/tmp/parachute-hub-nonexistent-home",
+          PARACHUTE_HOME: "/tmp/parachute-hub-nonexistent-home",
+        },
+      },
+    );
+    const [stdout, stderr, code] = await Promise.all([
+      new Response(proc.stdout).text(),
+      new Response(proc.stderr).text(),
+      proc.exited,
+    ]);
+    expect(code).toBe(1);
+    expect(stderr).not.toMatch(/unknown layer/);
+    // Reached the cloudflare path (cloudflared detection), proving the alias.
+    expect(stdout).toMatch(/cloudflared is not installed/);
+  });
+
   test("expose tailnet --cloudflare is rejected (cloudflare is public-only)", async () => {
     const { code, stderr } = await runCli([
       "expose",
@@ -217,11 +254,13 @@ describe("cli per-subcommand help", () => {
     expect(stderr).toMatch(/parachute install vault/);
   });
 
-  test("vault tokens create in non-TTY passes through without prompting", async () => {
-    // Spawned-subprocess stdio is piped, so isTtyInteractive() returns false
-    // and the command falls through to the passthrough. Clearing PATH forces
-    // ENOENT — same probe as the `vault no-args` test. If we regressed into
-    // prompting, this subprocess would hang on stdin instead of exiting 127.
+  test("vault tokens create forwards verbatim to parachute-vault", async () => {
+    // The guided interactive wrapper was removed with the pvt_* DROP (vault
+    // #412 / hub#466) — `vault tokens create` now always forwards transparently
+    // to parachute-vault (which exits 1 with migration guidance on a real box).
+    // Clearing PATH forces ENOENT — same probe as the `vault no-args` test.
+    // If we ever re-introduced a hub-side prompt, this subprocess would hang on
+    // stdin instead of exiting 127.
     const proc = Bun.spawn([process.execPath, CLI, "vault", "tokens", "create"], {
       stdout: "pipe",
       stderr: "pipe",

package/src/__tests__/cloudflare-detect.test.ts

@@ -59,10 +59,65 @@ describe("cloudflare detect", () => {
     }
   });
 
-  test("install hint names brew on darwin and a URL elsewhere", () => {
-    expect(cloudflaredInstallHint("darwin")).toContain("brew install cloudflared");
-    expect(cloudflaredInstallHint("linux")).toContain(
-      "developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads",
-    );
+  describe("cloudflaredInstallHint", () => {
+    test("darwin: names brew + points at GitHub releases as fallback", () => {
+      const hint = cloudflaredInstallHint("darwin", "arm64");
+      expect(hint).toContain("brew install cloudflared");
+      expect(hint).toContain("https://github.com/cloudflare/cloudflared/releases/latest");
+    });
+
+    test("linux x64: writes the curl line with the amd64 artifact suffix", () => {
+      // Refresh of stale URLs (2026-05-27). Aaron hit this on a fresh
+      // Amazon Linux 2023 install — `sudo dnf install cloudflared`
+      // returned 'No match for argument: cloudflared', and the hub's
+      // hint pointed at developers.cloudflare.com paths that 404. The
+      // GitHub release is the reliable cross-distro path.
+      const hint = cloudflaredInstallHint("linux", "x64");
+      expect(hint).toContain("curl -L -o /usr/local/bin/cloudflared");
+      expect(hint).toContain(
+        "https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64",
+      );
+      expect(hint).toContain("sudo chmod +x /usr/local/bin/cloudflared");
+    });
+
+    test("linux arm64: writes the arm64 artifact suffix", () => {
+      const hint = cloudflaredInstallHint("linux", "arm64");
+      expect(hint).toContain("cloudflared-linux-arm64");
+    });
+
+    test("linux arm (32-bit): writes the arm artifact suffix", () => {
+      const hint = cloudflaredInstallHint("linux", "arm");
+      expect(hint).toContain("cloudflared-linux-arm");
+    });
+
+    test("linux exotic arch: falls back to a generic GitHub releases pointer", () => {
+      // riscv64 / ppc64 / mips64 — no cloudflared artifact published, so
+      // we don't fabricate a 404-bound download URL; we point the user at
+      // the releases page and surface what their arch is so they can pick.
+      const hint = cloudflaredInstallHint("linux", "riscv64");
+      expect(hint).toContain("https://github.com/cloudflare/cloudflared/releases/latest");
+      expect(hint).toContain("riscv64");
+      expect(hint).not.toContain("curl -L -o /usr/local/bin/cloudflared");
+    });
+
+    test("no stale developers.cloudflare.com or pkg.cloudflare.com paths anywhere", () => {
+      // Aaron caught both URL shapes returning HTML/404 on 2026-05-27 —
+      // they had been the hub's installer instructions for months.
+      // Hard-assert they're gone so they don't regress.
+      for (const platform of ["darwin", "linux"] as const) {
+        for (const arch of ["x64", "arm64"] as const) {
+          const hint = cloudflaredInstallHint(platform, arch);
+          expect(hint).not.toContain("developers.cloudflare.com");
+          expect(hint).not.toContain("pkg.cloudflare.com");
+        }
+      }
+    });
+
+    test("non-Linux, non-darwin platform: GitHub releases pointer with no curl line", () => {
+      const hint = cloudflaredInstallHint("win32", "x64");
+      expect(hint).toContain("https://github.com/cloudflare/cloudflared/releases/latest");
+      expect(hint).not.toContain("brew install");
+      expect(hint).not.toContain("curl -L -o");
+    });
   });
 });

package/src/__tests__/expose-2fa-warning.test.ts

@@ -24,46 +24,53 @@ describe("is2FAEnrolled", () => {
     expect(is2FAEnrolled({ status: status({ hasTotp: false }) })).toBe(false);
   });
 
-  test("reads totp_secret from vaultHome's config.yaml when status not supplied", () => {
+  test("falls back to legacy config.yaml totp_secret when hub.db is absent", () => {
+    // hub#473: hub.db is the source of truth for real 2FA, but a super-old
+    // install with no hub.db still suppresses the warning if the legacy vault
+    // YAML totp_secret is set. Point hubDbPath at a nonexistent file so the
+    // YAML fallback is exercised.
     const dir = mkdtempSync(join(tmpdir(), "pcli-2fa-warn-"));
     try {
       writeFileSync(join(dir, "config.yaml"), 'totp_secret: "JBSWY3DPEHPK3PXP"\n');
-      expect(is2FAEnrolled({ vaultHome: dir })).toBe(true);
+      expect(is2FAEnrolled({ vaultHome: dir, hubDbPath: join(dir, "absent-hub.db") })).toBe(true);
     } finally {
       rmSync(dir, { recursive: true, force: true });
     }
   });
 
-  test("missing config.yaml → not enrolled (false)", () => {
+  test("missing config.yaml + absent hub.db → not enrolled (false)", () => {
     const dir = mkdtempSync(join(tmpdir(), "pcli-2fa-warn-"));
     try {
-      // No config.yaml written.
-      expect(is2FAEnrolled({ vaultHome: dir })).toBe(false);
+      // No config.yaml written, no hub.db.
+      expect(is2FAEnrolled({ vaultHome: dir, hubDbPath: join(dir, "absent-hub.db") })).toBe(false);
     } finally {
       rmSync(dir, { recursive: true, force: true });
     }
   });
 
-  test("empty totp_secret value → not enrolled (matches vault's readGlobalConfig)", () => {
+  test("empty totp_secret value + absent hub.db → not enrolled", () => {
     const dir = mkdtempSync(join(tmpdir(), "pcli-2fa-warn-"));
     try {
       writeFileSync(join(dir, "config.yaml"), 'totp_secret: ""\n');
-      expect(is2FAEnrolled({ vaultHome: dir })).toBe(false);
+      expect(is2FAEnrolled({ vaultHome: dir, hubDbPath: join(dir, "absent-hub.db") })).toBe(false);
     } finally {
       rmSync(dir, { recursive: true, force: true });
     }
   });
 
-  test("malformed config.yaml → not enrolled (safer fail mode, fires warning)", () => {
-    // The probe parses config.yaml with a line-anchored regex (no YAML
-    // dependency), so junk content simply doesn't match `totp_secret: "..."`
-    // and resolves to `hasTotp: false` — which fires the public-exposure
-    // warning rather than silently suppressing it. Pin that contract so a
-    // future refactor of auth-status.ts can't quietly invert it.
+  test("hub.db with an enrolled user → enrolled (the real signal)", async () => {
     const dir = mkdtempSync(join(tmpdir(), "pcli-2fa-warn-"));
     try {
-      writeFileSync(join(dir, "config.yaml"), "totp_secret: [unbalanced\n  ::: not yaml\n");
-      expect(is2FAEnrolled({ vaultHome: dir })).toBe(false);
+      const { hubDbPath, openHubDb } = await import("../hub-db.ts");
+      const { createUser } = await import("../users.ts");
+      const { persistEnrollment } = await import("../two-factor-store.ts");
+      const { generateTotpSecret } = await import("../totp.ts");
+      const dbPath = hubDbPath(dir);
+      const db = openHubDb(dbPath);
+      const u = await createUser(db, "owner", "owner-password-123");
+      await persistEnrollment(db, u.id, generateTotpSecret("owner").secret);
+      db.close();
+      expect(is2FAEnrolled({ vaultHome: dir, hubDbPath: dbPath })).toBe(true);
     } finally {
       rmSync(dir, { recursive: true, force: true });
     }
@@ -80,9 +87,14 @@ describe("printPublic2FAWarning", () => {
     });
     expect(fired).toBe(true);
     const joined = logs.join("\n");
-    expect(joined).toContain("2FA is not enrolled");
+    // hub#473: real hub-login 2FA. The warning now recommends the real
+    // `parachute auth 2fa enroll` path (+ the /account/2fa browser path) and
+    // still nudges a strong owner password.
+    expect(joined).toContain("/login is now reachable on the public internet");
     expect(joined).toContain("https://vault.example.com/login");
     expect(joined).toContain("parachute auth 2fa enroll");
+    expect(joined).toContain("/account/2fa");
+    expect(joined).toContain("parachute auth set-password");
   });
 
   test("enrolled → suppressed, returns false, logs nothing", () => {
@@ -108,7 +120,9 @@ describe("printPublic2FAWarning", () => {
       publicUrl: "https://vault.example.com",
     });
     expect(fired).toBe(true);
-    expect(logs.some((l) => l.includes("2FA is not enrolled"))).toBe(true);
+    expect(logs.some((l) => l.includes("/login is now reachable on the public internet"))).toBe(
+      true,
+    );
   });
 
   test("embeds the supplied publicUrl into the /login pointer", () => {

package/src/__tests__/expose-auth-preflight.test.ts

@@ -40,128 +40,124 @@ function status(partial: Partial<VaultAuthStatus> = {}): VaultAuthStatus {
   };
 }
 
-describe("runAuthPreflight — wide open (no password, no tokens)", () => {
-  test("warns loudly and offers password, 2FA, and token creation", async () => {
-    const h = makeHarness(["y", "n", "n"]); // password yes, 2fa no, token no
+describe("runAuthPreflight — wide open (no owner password)", () => {
+  test("warns loudly, offers password + real 2FA enroll, prints hub-JWT token guidance", async () => {
+    const h = makeHarness(["y", "y"]); // password yes, 2FA yes
     await runAuthPreflight({ status: status(), ...wire(h) });
     const joined = h.logs.join("\n");
-    expect(joined).toContain("No owner password and no API tokens");
+    expect(joined).toContain("No owner password");
     expect(joined).toContain("public internet");
-    expect(h.commands).toHaveLength(1);
-    expect(h.commands[0]).toEqual(["parachute", "auth", "set-password"]);
+    // Programmatic-client guidance points at the hub mint path, not pvt_*.
+    expect(joined).toContain("parachute auth mint-token --scope vault:default:read");
+    expect(joined).toContain("Bearer <hub-jwt>");
+    // Real 2FA (hub#473) — both commands offered + run.
+    expect(h.commands.map((c) => c.join(" "))).toEqual([
+      "parachute auth set-password",
+      "parachute auth 2fa enroll",
+    ]);
+    // Two interactive offers now: password + 2FA. Token guidance is printed.
+    expect(h.prompts).toHaveLength(2);
   });
 
-  test("user declines every prompt → no subprocesses run", async () => {
-    const h = makeHarness(["", "", ""]); // all Enter = skip
+  test("token guidance uses the first discovered vault name", async () => {
+    const h = makeHarness(["n", "n"]);
+    await runAuthPreflight({ status: status({ vaultNames: ["work"] }), ...wire(h) });
+    expect(h.logs.join("\n")).toContain("--scope vault:work:read");
+  });
+
+  test("user declines both prompts → no subprocesses run", async () => {
+    const h = makeHarness(["", ""]); // Enter = skip both
     await runAuthPreflight({ status: status(), ...wire(h) });
     expect(h.commands).toHaveLength(0);
-    // Still prompted on all three lines, even though each was declined.
-    expect(h.prompts).toHaveLength(3);
+    expect(h.prompts).toHaveLength(2);
   });
 
-  test("user accepts all three → all three commands invoked in order", async () => {
-    const h = makeHarness(["y", "y", "y"]);
+  test("user accepts the password offer → set-password invoked", async () => {
+    const h = makeHarness(["y", "n"]);
     await runAuthPreflight({ status: status(), ...wire(h) });
-    expect(h.commands.map((c) => c.join(" "))).toEqual([
-      "parachute auth set-password",
-      "parachute auth 2fa enroll",
-      "parachute vault tokens create",
-    ]);
+    expect(h.commands.map((c) => c.join(" "))).toEqual(["parachute auth set-password"]);
   });
-});
 
-describe("runAuthPreflight — password set, no 2FA", () => {
-  test("short nudge, offers 2FA only", async () => {
-    const h = makeHarness(["y"]);
+  test("null tokenCount with no owner password still classifies wide-open", async () => {
+    // The `tokenCount: null` (unreadable vault DB) path is vestigial post-DROP
+    // — `classify()` gates on `hasOwnerPassword` alone.
+    const h = makeHarness(["n", "n"]);
     await runAuthPreflight({
-      status: status({ hasOwnerPassword: true, tokenCount: 3 }),
+      status: status({ hasOwnerPassword: false, tokenCount: null }),
       ...wire(h),
     });
     const joined = h.logs.join("\n");
-    expect(joined).toContain("Owner password is set");
-    expect(joined).toContain("2FA");
-    expect(h.prompts).toHaveLength(1);
-    expect(h.commands).toEqual([["parachute", "auth", "2fa", "enroll"]]);
+    expect(joined).toContain("No owner password");
+    expect(joined).toContain("public internet");
+    expect(h.prompts).toHaveLength(2);
   });
 
-  test("user declines → no command runs", async () => {
-    const h = makeHarness([""]);
-    await runAuthPreflight({
-      status: status({ hasOwnerPassword: true, tokenCount: 3 }),
-      ...wire(h),
-    });
-    expect(h.commands).toHaveLength(0);
+  test("never offers the dead vault-tokens-create command", async () => {
+    const h = makeHarness(["y", "n"]);
+    await runAuthPreflight({ status: status(), ...wire(h) });
+    const allCommands = h.commands.map((c) => c.join(" ")).join("\n");
+    expect(allCommands).not.toContain("vault tokens create");
+    const guidance = h.logs.join("\n");
+    expect(guidance).not.toContain("parachute vault tokens create");
   });
 });
 
-describe("runAuthPreflight — tokens exist, no password", () => {
-  test("notes that OAuth is not set up, offers password", async () => {
-    const h = makeHarness(["y"]);
+describe("runAuthPreflight — password set, no 2FA", () => {
+  test("confirms password set + offers real 2FA enroll (ignores vestigial tokenCount)", async () => {
+    const h = makeHarness(["n"]); // decline 2FA
     await runAuthPreflight({
-      status: status({ hasOwnerPassword: false, tokenCount: 2 }),
+      // tokenCount is non-zero (vestigial pvt_* rows) but no longer consulted.
+      status: status({ hasOwnerPassword: true, hasTotp: false, tokenCount: 3 }),
       ...wire(h),
     });
     const joined = h.logs.join("\n");
-    expect(joined).toContain("API tokens exist");
-    expect(joined).toContain("no owner password");
+    expect(joined).toContain("Owner password is set");
+    // Real 2FA offer (hub#473) — exactly one prompt (the 2FA offer).
     expect(h.prompts).toHaveLength(1);
-    expect(h.commands).toEqual([["parachute", "auth", "set-password"]]);
+    expect(h.commands).toHaveLength(0); // declined
   });
-});
 
-describe("runAuthPreflight — unknown token count (SQLite failed)", () => {
-  test("advises running `tokens list`, no token-dependent prompts", async () => {
-    const h = makeHarness([]);
+  test("accepting the 2FA offer runs `parachute auth 2fa enroll`", async () => {
+    const h = makeHarness(["y"]);
     await runAuthPreflight({
-      status: status({ hasOwnerPassword: false, hasTotp: false, tokenCount: null }),
+      status: status({ hasOwnerPassword: true, hasTotp: false }),
       ...wire(h),
     });
-    const joined = h.logs.join("\n");
-    expect(joined).toContain("Couldn't read vault token state");
-    expect(joined).toContain("parachute vault tokens list");
-    // No prompts because we don't offer password/token flow when token
-    // state is unknown (it'd be ambiguous whether we're dealing with the
-    // wide-open or the tokens-only case).
-    expect(h.prompts).toHaveLength(0);
+    expect(h.commands.map((c) => c.join(" "))).toEqual(["parachute auth 2fa enroll"]);
   });
 
-  test("password set + 2FA absent + tokens unknown → still offers 2FA", async () => {
-    const h = makeHarness([""]); // decline 2FA
+  test("null tokenCount (DB unreadable) is irrelevant — password gates the branch", async () => {
+    const h = makeHarness(["n"]);
     await runAuthPreflight({
       status: status({ hasOwnerPassword: true, hasTotp: false, tokenCount: null }),
       ...wire(h),
     });
+    expect(h.logs.join("\n")).toContain("Owner password is set");
     expect(h.prompts).toHaveLength(1);
-    expect(h.prompts[0]?.toLowerCase()).toContain("2fa");
   });
 });
 
-describe("runAuthPreflight — all good", () => {
-  test("single positive line, no prompts", async () => {
+describe("runAuthPreflight — password + 2FA both set", () => {
+  test("two-line confirmation, no prompts", async () => {
     const h = makeHarness([]);
     await runAuthPreflight({
-      status: status({ hasOwnerPassword: true, hasTotp: true, tokenCount: 1 }),
+      status: status({ hasOwnerPassword: true, hasTotp: true, tokenCount: 0 }),
       ...wire(h),
     });
     const joined = h.logs.join("\n");
-    expect(joined).toContain("looks good");
+    expect(joined).toContain("Owner password is set");
+    expect(joined).toContain("Two-factor authentication is on");
     expect(h.prompts).toHaveLength(0);
     expect(h.commands).toHaveLength(0);
   });
 });
 
 describe("runAuthPreflight — subprocess failure handling", () => {
-  test("non-zero exit from auth command doesn't abort the rest of the preflight", async () => {
-    const h = makeHarness(["y", "y", "y"]);
-    // Override the interactive runner to return non-zero on the first call.
-    let first = true;
+  test("non-zero exit from set-password doesn't abort the rest of the preflight", async () => {
+    const h = makeHarness(["y", "n"]);
     const interactiveRunner = async (cmd: readonly string[]) => {
       h.commands.push([...cmd]);
-      if (first) {
-        first = false;
-        return 7;
-      }
-      return 0;
+      return 7;
     };
     await runAuthPreflight({
       status: status(),
@@ -172,19 +168,22 @@ describe("runAuthPreflight — subprocess failure handling", () => {
       },
       interactiveRunner,
     });
-    // All three commands still attempted, none aborted the flow.
-    expect(h.commands.map((c) => c[0])).toEqual(["parachute", "parachute", "parachute"]);
+    // The command was attempted; the flow continued (token guidance still
+    // printed afterward).
+    expect(h.commands.map((c) => c[0])).toEqual(["parachute"]);
     const joined = h.logs.join("\n");
     expect(joined).toContain("exited 7");
+    expect(joined).toContain("Bearer <hub-jwt>");
   });
 });
 
 describe("runAuthPreflight — case-insensitive yes", () => {
   test('"Y", "YES", and "y" all count as affirmative; anything else is decline', async () => {
+    // Drive the password-set-no-2FA path so there's exactly one prompt (2FA).
     for (const yes of ["y", "Y", "yes", "YES"]) {
       const h = makeHarness([yes]);
       await runAuthPreflight({
-        status: status({ hasOwnerPassword: true, tokenCount: 1 }),
+        status: status({ hasOwnerPassword: true, hasTotp: false }),
         ...wire(h),
       });
       expect(h.commands).toHaveLength(1);
@@ -192,7 +191,7 @@ describe("runAuthPreflight — case-insensitive yes", () => {
     for (const no of ["", "n", "no", "q", "bogus"]) {
       const h = makeHarness([no]);
       await runAuthPreflight({
-        status: status({ hasOwnerPassword: true, tokenCount: 1 }),
+        status: status({ hasOwnerPassword: true, hasTotp: false }),
         ...wire(h),
       });
       expect(h.commands).toHaveLength(0);