@openparachute/hub 0.5.14-rc.2 → 0.5.14-rc.21

package/src/__tests__/expose-interactive.test.ts

@@ -469,10 +469,16 @@ describe("exposePublicInteractive — neither ready", () => {
       expect(interactiveCalled).toBe(false);
       expect(cloudflareCalled).toBe(false);
       const joined = logs.join("\n");
-      expect(joined).toMatch(/apt-get|dnf/);
-      expect(joined).toContain(
-        "developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads",
-      );
+      // Post 2026-05-27 cloudflared-URL refresh: the install hint moved
+      // off apt-get / dnf / developers.cloudflare.com (all unreliable —
+      // Aaron hit `No match for argument: cloudflared` on AL2023 and
+      // 404s from the docs URL on the same box) onto the static binary
+      // from GitHub releases.
+      expect(joined).toContain("github.com/cloudflare/cloudflared/releases/latest");
+      expect(joined).toContain("curl -L -o /usr/local/bin/cloudflared");
+      expect(joined).not.toContain("developers.cloudflare.com");
+      expect(joined).not.toContain("pkg.cloudflare.com");
+      expect(joined).not.toContain("sudo dnf install cloudflared");
     } finally {
       env.cleanup();
     }

package/src/__tests__/expose-public-auto.test.ts

@@ -126,7 +126,11 @@ describe("exposePublicAutoPick — neither ready", () => {
     expect(code).toBe(1);
     const joined = logs.join("\n");
     expect(joined).toContain("tailscale.com/download");
-    expect(joined).toContain("developers.cloudflare.com");
+    // Post 2026-05-27 cloudflared-URL refresh: the install hint now points
+    // at GitHub releases (developers.cloudflare.com / pkg.cloudflare.com
+    // both returned HTML/404 on Aaron's fresh AL2023 EC2 box).
+    expect(joined).toContain("github.com/cloudflare/cloudflared/releases/latest");
+    expect(joined).not.toContain("developers.cloudflare.com");
     expect(joined).toContain("--skip-provider-check");
   });
 

package/src/__tests__/expose.test.ts

@@ -1,8 +1,9 @@
 import { describe, expect, test } from "bun:test";
-import { existsSync, mkdtempSync, rmSync } from "node:fs";
+import { existsSync, mkdirSync, mkdtempSync, rmSync, writeFileSync } from "node:fs";
 import { tmpdir } from "node:os";
 import { join } from "node:path";
 import { exposePublic, exposeTailnet } from "../commands/expose.ts";
+import { readEnvFileValues } from "../env-file.ts";
 import { readExposeState, writeExposeState } from "../expose-state.ts";
 import type { EnsureHubOpts, HubSpawner, StopHubOpts } from "../hub-control.ts";
 import { writePid } from "../process-state.ts";
@@ -696,6 +697,53 @@ describe("expose tailnet off", () => {
     }
   });
 
+  test("clears the persisted PARACHUTE_HUB_ORIGIN from vault/.env on teardown", async () => {
+    // OAuth issuer-mismatch fix: `expose up` persisted the public origin into
+    // vault/.env so the daemon validates `iss` against it. With exposure gone,
+    // a local-only hub mints loopback-`iss` tokens, so a stale public origin
+    // left in `.env` would itself cause the mismatch on the next daemon boot.
+    // Tearing it down reverts vault to its loopback default.
+    const h = makeHarness();
+    try {
+      writeExposeState(
+        {
+          version: 1,
+          layer: "tailnet",
+          mode: "path",
+          canonicalFqdn: "parachute.taildf9ce2.ts.net",
+          port: 443,
+          funnel: false,
+          entries: [{ kind: "proxy", mount: "/", target: "http://127.0.0.1:1939", service: "hub" }],
+          hubOrigin: "https://parachute.taildf9ce2.ts.net",
+        },
+        h.statePath,
+      );
+      mkdirSync(join(h.configDir, "vault"), { recursive: true });
+      writeFileSync(
+        join(h.configDir, "vault", ".env"),
+        "SCRIBE_AUTH_TOKEN=secret\nPARACHUTE_HUB_ORIGIN=https://parachute.taildf9ce2.ts.net\n",
+      );
+      const { runner } = makeRunner();
+      const code = await exposeTailnet("off", {
+        runner,
+        statePath: h.statePath,
+        wellKnownPath: h.wellKnownPath,
+        hubPath: h.hubPath,
+        wellKnownDir: h.wellKnownDir,
+        configDir: h.configDir,
+        skipHub: true,
+        log: () => {},
+      });
+      expect(code).toBe(0);
+      const values = readEnvFileValues(join(h.configDir, "vault", ".env"));
+      expect(values.PARACHUTE_HUB_ORIGIN).toBeUndefined();
+      // Sibling keys preserved.
+      expect(values.SCRIBE_AUTH_TOKEN).toBe("secret");
+    } finally {
+      h.cleanup();
+    }
+  });
+
   test("leaves state in place on teardown failure", async () => {
     const h = makeHarness();
     try {
@@ -961,7 +1009,9 @@ describe("expose public up", () => {
       });
       expect(code).toBe(0);
       const joined = logs.join("\n");
-      expect(joined).toContain("2FA is not enrolled");
+      // hub#473: real hub-login 2FA. The warning now recommends the real
+      // `parachute auth 2fa enroll` path.
+      expect(joined).toContain("/login is now reachable on the public internet");
       expect(joined).toContain("parachute auth 2fa enroll");
       // /login pointer uses the canonical https://<fqdn> origin.
       expect(joined).toContain("https://parachute.taildf9ce2.ts.net/login");

package/src/__tests__/hub-server.test.ts

@@ -3,6 +3,7 @@ import { existsSync, mkdirSync, mkdtempSync, readFileSync, rmSync, writeFileSync
 import { tmpdir } from "node:os";
 import { join } from "node:path";
 import { fileURLToPath } from "node:url";
+import { buildCsrfCookie, generateCsrfToken } from "../csrf.ts";
 import { HUB_SVC, hubPortPath } from "../hub-control.ts";
 import { hubDbPath, openHubDb } from "../hub-db.ts";
 import {
@@ -16,7 +17,9 @@ import { setNotesRedirectDisabled } from "../hub-settings.ts";
 import { clearNotesRedirectLogState } from "../notes-redirect.ts";
 import { pidPath } from "../process-state.ts";
 import { type ServiceEntry, writeManifest } from "../services-manifest.ts";
+import { buildSessionCookie, createSession } from "../sessions.ts";
 import { rotateSigningKey } from "../signing-keys.ts";
+import type { ModuleState, Supervisor } from "../supervisor.ts";
 import { createUser } from "../users.ts";
 
 interface Harness {
@@ -42,6 +45,33 @@ function mkdirIfMissing(dir: string): void {
   if (!existsSync(dir)) mkdirSync(dir, { recursive: true });
 }
 
+/**
+ * Minimal stub of the Supervisor surface that proxyRequest's classifier
+ * reads from. We don't drive real Bun.spawn — just hand back hand-crafted
+ * ModuleState values so the test can pin "vault is starting" / "vault has
+ * been running for a minute" exactly. See `supervisor.test.ts` for the
+ * real lifecycle tests.
+ */
+function stubSupervisor(states: ModuleState[]): Supervisor {
+  return {
+    list: () => states,
+    get: (short: string) => states.find((s) => s.short === short),
+    start: async () => {
+      throw new Error("not implemented");
+    },
+    stop: async () => undefined,
+    restart: async () => undefined,
+  } as unknown as Supervisor;
+}
+
+function moduleState(partial: Partial<ModuleState> & { short: string }): ModuleState {
+  return {
+    status: "running",
+    restartsInWindow: 0,
+    ...partial,
+  };
+}
+
 function vaultEntry(name: string): ServiceEntry {
   return {
     name: `parachute-vault-${name}`,
@@ -1912,10 +1942,12 @@ describe("hubFetch /vault/<name>/* dynamic proxy (#144)", () => {
     }
   });
 
-  test("returns 502 when the matching vault upstream is unreachable", async () => {
+  test("returns 502 with persistent-state JSON when the matching vault upstream is unreachable", async () => {
     // Vault is in services.json but the port has nothing listening — vault
     // crashed, port shifted, or the user is mid-restart. We owe the caller a
-    // useful error instead of a hang or a silent 404.
+    // useful error instead of a hang or a silent 404. No supervisor +
+    // no pidfile → classifier returns "persistent" → 502 + admin_url
+    // (hub#443 boot-readiness gating).
     const h = makeHarness();
     try {
       writeManifest(
@@ -1934,10 +1966,261 @@ describe("hubFetch /vault/<name>/* dynamic proxy (#144)", () => {
         h.manifestPath,
       );
       const fetcher = hubFetch(h.dir, { manifestPath: h.manifestPath });
-      const res = await fetcher(req("/vault/default/health"));
+      const res = await fetcher(
+        req("/vault/default/health", { headers: { accept: "application/json" } }),
+      );
+      expect(res.status).toBe(502);
+      const body = (await res.json()) as {
+        error: string;
+        error_type: string;
+        admin_url?: string;
+        service: string;
+      };
+      expect(body.error_type).toBe("upstream_unreachable");
+      expect(body.error).toBe("upstream_unreachable");
+      expect(body.admin_url).toBe("/admin/modules");
+      expect(body.service).toBe("vault");
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("transient state (supervisor reports starting) → 503 + Retry-After when fetch fails", async () => {
+    // Supervisor says vault is `starting` — the loopback port hasn't bound
+    // yet, fetch fails with ECONNREFUSED. Classifier returns "transient",
+    // proxy responds 503 with a Retry-After hint instead of 502.
+    const h = makeHarness();
+    try {
+      writeManifest(
+        {
+          services: [
+            {
+              name: "parachute-vault",
+              port: await pickClosedPort(),
+              paths: ["/vault/default"],
+              health: "/vault/default/health",
+              version: "0.4.0",
+            },
+          ],
+        },
+        h.manifestPath,
+      );
+      const supervisor = stubSupervisor([moduleState({ short: "vault", status: "starting" })]);
+      const fetcher = hubFetch(h.dir, { manifestPath: h.manifestPath, supervisor });
+      const res = await fetcher(
+        req("/vault/default/health", { headers: { accept: "application/json" } }),
+      );
+      expect(res.status).toBe(503);
+      expect(res.headers.get("retry-after")).toBe("2");
+      const body = (await res.json()) as {
+        error_type: string;
+        retry_after_ms: number;
+        max_attempts: number;
+        admin_url?: string;
+      };
+      expect(body.error_type).toBe("upstream_starting");
+      expect(body.retry_after_ms).toBe(2000);
+      expect(body.max_attempts).toBe(5);
+      // Transient JSON MUST NOT carry an admin link.
+      expect(body.admin_url).toBeUndefined();
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("transient state + Accept: text/html → 503 HTML page with auto-refresh + poll, no admin link", async () => {
+    const h = makeHarness();
+    try {
+      writeManifest(
+        {
+          services: [
+            {
+              name: "parachute-vault",
+              port: await pickClosedPort(),
+              paths: ["/vault/default"],
+              health: "/vault/default/health",
+              version: "0.4.0",
+            },
+          ],
+        },
+        h.manifestPath,
+      );
+      const supervisor = stubSupervisor([moduleState({ short: "vault", status: "starting" })]);
+      const fetcher = hubFetch(h.dir, { manifestPath: h.manifestPath, supervisor });
+      const res = await fetcher(req("/vault/default/health", { headers: { accept: "text/html" } }));
+      expect(res.status).toBe(503);
+      expect(res.headers.get("content-type")).toBe("text/html; charset=utf-8");
+      const text = await res.text();
+      expect(text).toContain(`<meta http-equiv="refresh"`);
+      expect(text).toContain("/api/ready");
+      expect(text).toContain("Just a moment");
+      // Aaron design (d): transient page has no admin link.
+      expect(text).not.toContain("/admin/modules");
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("persistent state + Accept: text/html → 502 HTML page with admin link, no auto-refresh", async () => {
+    const h = makeHarness();
+    try {
+      writeManifest(
+        {
+          services: [
+            {
+              name: "parachute-vault",
+              port: await pickClosedPort(),
+              paths: ["/vault/default"],
+              health: "/vault/default/health",
+              version: "0.4.0",
+            },
+          ],
+        },
+        h.manifestPath,
+      );
+      const supervisor = stubSupervisor([moduleState({ short: "vault", status: "crashed" })]);
+      const fetcher = hubFetch(h.dir, { manifestPath: h.manifestPath, supervisor });
+      const res = await fetcher(req("/vault/default/health", { headers: { accept: "text/html" } }));
+      expect(res.status).toBe(502);
+      expect(res.headers.get("content-type")).toBe("text/html; charset=utf-8");
+      expect(res.headers.get("retry-after")).toBeNull();
+      const text = await res.text();
+      expect(text).toContain("Module unreachable");
+      expect(text).toContain("/admin/modules");
+      expect(text).not.toContain(`http-equiv="refresh"`);
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("supervisor running-but-fresh-startedAt → transient classification", async () => {
+    // Supervisor says vault is running, but startedAt is recent enough that
+    // we trust the boot-window heuristic over the failed fetch.
+    const h = makeHarness();
+    try {
+      writeManifest(
+        {
+          services: [
+            {
+              name: "parachute-vault",
+              port: await pickClosedPort(),
+              paths: ["/vault/default"],
+              health: "/vault/default/health",
+              version: "0.4.0",
+            },
+          ],
+        },
+        h.manifestPath,
+      );
+      const supervisor = stubSupervisor([
+        moduleState({
+          short: "vault",
+          status: "running",
+          startedAt: new Date(Date.now() - 5_000).toISOString(),
+        }),
+      ]);
+      const fetcher = hubFetch(h.dir, { manifestPath: h.manifestPath, supervisor });
+      const res = await fetcher(
+        req("/vault/default/health", { headers: { accept: "application/json" } }),
+      );
+      expect(res.status).toBe(503);
+      const body = (await res.json()) as { error_type: string };
+      expect(body.error_type).toBe("upstream_starting");
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("supervisor running-but-old-startedAt → persistent (boot window expired)", async () => {
+    const h = makeHarness();
+    try {
+      writeManifest(
+        {
+          services: [
+            {
+              name: "parachute-vault",
+              port: await pickClosedPort(),
+              paths: ["/vault/default"],
+              health: "/vault/default/health",
+              version: "0.4.0",
+            },
+          ],
+        },
+        h.manifestPath,
+      );
+      const supervisor = stubSupervisor([
+        moduleState({
+          short: "vault",
+          status: "running",
+          startedAt: new Date(Date.now() - 120_000).toISOString(),
+        }),
+      ]);
+      const fetcher = hubFetch(h.dir, { manifestPath: h.manifestPath, supervisor });
+      const res = await fetcher(
+        req("/vault/default/health", { headers: { accept: "application/json" } }),
+      );
       expect(res.status).toBe(502);
-      const body = (await res.json()) as { error: string };
-      expect(body.error).toContain("vault upstream unreachable");
+      const body = (await res.json()) as { error_type: string };
+      expect(body.error_type).toBe("upstream_unreachable");
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("non-vault upstream (scribe) classified through supervisor when starting", async () => {
+    // Same logic as vault, but exercising the generic /<svc>/* dispatch path.
+    const h = makeHarness();
+    try {
+      writeManifest(
+        {
+          services: [
+            {
+              name: "scribe",
+              port: await pickClosedPort(),
+              paths: ["/scribe"],
+              health: "/scribe/health",
+              version: "0.1.0",
+            },
+          ],
+        },
+        h.manifestPath,
+      );
+      const supervisor = stubSupervisor([moduleState({ short: "scribe", status: "starting" })]);
+      const fetcher = hubFetch(h.dir, { manifestPath: h.manifestPath, supervisor });
+      const res = await fetcher(req("/scribe/health", { headers: { accept: "application/json" } }));
+      expect(res.status).toBe(503);
+      const body = (await res.json()) as { error_type: string; service: string };
+      expect(body.error_type).toBe("upstream_starting");
+      expect(body.service).toBe("scribe");
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("/api/ready returns supervisor view + is reachable pre-admin", async () => {
+    // hub#443 endpoint is public + pre-admin (it has to be — the page that
+    // polls it is itself served pre-auth when modules are still booting).
+    const h = makeHarness();
+    try {
+      const supervisor = stubSupervisor([
+        moduleState({ short: "vault", status: "starting" }),
+        moduleState({
+          short: "scribe",
+          status: "running",
+          startedAt: new Date(Date.now() - 60_000).toISOString(),
+        }),
+      ]);
+      const fetcher = hubFetch(h.dir, { supervisor });
+      const res = await fetcher(req("/api/ready"));
+      expect(res.status).toBe(200);
+      const body = (await res.json()) as {
+        ready: boolean;
+        ready_modules: string[];
+        transient_modules: string[];
+      };
+      expect(body.ready).toBe(false);
+      expect(body.transient_modules).toEqual(["vault"]);
+      expect(body.ready_modules).toEqual(["scribe"]);
     } finally {
       h.cleanup();
     }
@@ -2562,9 +2845,10 @@ describe("hubFetch /<svc>/* generic proxy dispatch (#182)", () => {
     }
   });
 
-  test("returns 502 when the matching upstream is unreachable", async () => {
+  test("returns 502 with persistent-state JSON when the matching upstream is unreachable", async () => {
     // Service is in services.json but the port has nothing listening — same
-    // shape as the vault-unreachable test, label is the entry's `name`.
+    // shape as the vault-unreachable test (hub#443 boot-readiness gating).
+    // No supervisor + no pidfile → persistent → 502 with admin_url.
     const h = makeHarness();
     try {
       writeManifest(
@@ -2582,10 +2866,17 @@ describe("hubFetch /<svc>/* generic proxy dispatch (#182)", () => {
         h.manifestPath,
       );
       const fetcher = hubFetch(h.dir, { manifestPath: h.manifestPath });
-      const res = await fetcher(req("/scribe/health"));
+      const res = await fetcher(req("/scribe/health", { headers: { accept: "application/json" } }));
       expect(res.status).toBe(502);
-      const body = (await res.json()) as { error: string };
-      expect(body.error).toContain("scribe upstream unreachable");
+      const body = (await res.json()) as {
+        error: string;
+        error_type: string;
+        admin_url?: string;
+        service: string;
+      };
+      expect(body.error_type).toBe("upstream_unreachable");
+      expect(body.admin_url).toBe("/admin/modules");
+      expect(body.service).toBe("scribe");
     } finally {
       h.cleanup();
     }
@@ -3882,3 +4173,98 @@ describe("hubFetch persistent chrome strip injection (workstream G)", () => {
     }
   });
 });
+
+describe("POST /account/vault-token/<name> — friend scoped mint (routed end-to-end)", () => {
+  // Drive the real dispatch (`hubFetch`) so the route wiring + precedence
+  // (the `/account/vault-token/` prefix must win over `/account/` and the
+  // SPA catch-all) is exercised, not just the handler in isolation.
+  async function seed(h: Harness, assignedVaults: string[]) {
+    const db = openHubDb(hubDbPath(h.dir));
+    rotateSigningKey(db); // mint needs an active signing key
+    await createUser(db, "operator", "operator-password-123");
+    const friend = await createUser(db, "friend", "friend-password-123", {
+      assignedVaults,
+      allowMulti: true,
+    });
+    const session = createSession(db, { userId: friend.id });
+    const csrf = generateCsrfToken();
+    const cookie = `${buildSessionCookie(session.id, 3600, { secure: false })}; ${
+      buildCsrfCookie(csrf, { secure: false }).split(";")[0]
+    }`;
+    return { db, friendId: friend.id, cookie, csrf };
+  }
+
+  function postBody(csrf: string, verb: string): string {
+    const b = new URLSearchParams();
+    b.set("__csrf", csrf);
+    b.set("verb", verb);
+    return b.toString();
+  }
+
+  test("assigned vault → 200 with a token banner, routed through hubFetch", async () => {
+    const h = makeHarness();
+    writeManifest({ services: [vaultEntry("work")] }, h.manifestPath);
+    const { db, cookie, csrf } = await seed(h, ["work"]);
+    try {
+      const res = await hubFetch(h.dir, {
+        getDb: () => db,
+        manifestPath: h.manifestPath,
+        issuer: "https://hub.test",
+      })(
+        req("/account/vault-token/work", {
+          method: "POST",
+          headers: { cookie, "content-type": "application/x-www-form-urlencoded" },
+          body: postBody(csrf, "read"),
+        }),
+      );
+      expect(res.status).toBe(200);
+      const html = await res.text();
+      expect(html).toContain('data-testid="minted-token-banner"');
+      expect(html).toContain("vault:work:read");
+    } finally {
+      db.close();
+      h.cleanup();
+    }
+  });
+
+  test("unassigned vault → 403, no token, routed through hubFetch", async () => {
+    const h = makeHarness();
+    writeManifest({ services: [vaultEntry("work")] }, h.manifestPath);
+    const { db, cookie, csrf } = await seed(h, ["work"]);
+    try {
+      const res = await hubFetch(h.dir, {
+        getDb: () => db,
+        manifestPath: h.manifestPath,
+        issuer: "https://hub.test",
+      })(
+        req("/account/vault-token/other", {
+          method: "POST",
+          headers: { cookie, "content-type": "application/x-www-form-urlencoded" },
+          body: postBody(csrf, "read"),
+        }),
+      );
+      expect(res.status).toBe(403);
+      const html = await res.text();
+      expect(html).not.toContain('data-testid="minted-token-banner"');
+    } finally {
+      db.close();
+      h.cleanup();
+    }
+  });
+
+  test("GET on the mint path → 405 (POST-only)", async () => {
+    const h = makeHarness();
+    writeManifest({ services: [vaultEntry("work")] }, h.manifestPath);
+    const { db } = await seed(h, ["work"]);
+    try {
+      const res = await hubFetch(h.dir, {
+        getDb: () => db,
+        manifestPath: h.manifestPath,
+      })(req("/account/vault-token/work"));
+      expect(res.status).toBe(405);
+    } finally {
+      db.close();
+      h.cleanup();
+    }
+  });
+});