@openparachute/hub 0.5.14-rc.8 → 0.5.14-rc.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (9) hide show
  1. package/README.md +86 -15
  2. package/package.json +1 -1
  3. package/src/__tests__/api-mint-token.test.ts +682 -3
  4. package/src/__tests__/api-revoke-token.test.ts +384 -0
  5. package/src/__tests__/scope-explanations.test.ts +36 -0
  6. package/src/api-mint-token.ts +132 -24
  7. package/src/api-revoke-token.ts +107 -21
  8. package/src/scope-attenuation.ts +85 -0
  9. package/src/scope-explanations.ts +94 -5
package/README.md CHANGED
@@ -61,33 +61,99 @@ Operators who want env-var-driven seeding (CI, scripted deploys) can still set `
61
61
 
62
62
  ## First 5 minutes
63
63
 
64
+ One command gets you from a fresh install to the setup wizard:
65
+
64
66
  ```sh
65
67
  # 1. Install the hub (one line — installs the `parachute` binary)
66
68
  bun add -g @openparachute/hub
67
69
 
68
- # 2. Install a service (runs `bun add -g @openparachute/vault` + `parachute-vault init`)
69
- parachute install vault
70
+ # 2. parachute init the unified front door (laptop, EC2, any VPS).
71
+ # It starts the hub, offers to expose it, always installs the vault
72
+ # module, then drops you into the setup wizard.
73
+ parachute init
74
+ ```
70
75
 
71
- # 3. Start the service in the background (PID + logs tracked under ~/.parachute/vault/)
72
- parachute start vault
76
+ `parachute init` is idempotent every re-run is safe. End to end it:
77
+
78
+ 1. **Starts the hub** if it isn't already running (port `1939`).
79
+ 2. **Offers to expose it** so you can reach the wizard from other devices. In a
80
+ terminal you pick: stay loopback-only, your **tailnet** (`tailscale serve` —
81
+ private to your own Tailscale devices), or a **Cloudflare Tunnel** (public
82
+ HTTPS on your own domain). The default highlights "no thanks — loopback" on a
83
+ laptop and pre-selects Cloudflare on an SSH'd server. Skip with
84
+ `--no-expose-prompt`, or pin non-interactively with
85
+ `--expose none|tailnet|cloudflare`.
86
+ 3. **Installs the vault module** — always — so the wizard can offer
87
+ create / import / skip. No vault *instance* is created yet; that's the
88
+ wizard's call.
89
+ 4. **Drops you into the setup wizard.** Browser by default (opens
90
+ `/admin/setup`); pick the in-terminal walk-through with `--cli-wizard`, or
91
+ force the browser with `--browser-wizard`. It prints the canonical admin URL
92
+ either way — loopback when you're not exposed, the tailnet / Cloudflare FQDN
93
+ when you are.
94
+
95
+ The wizard walks the same three steps in the browser and the CLI:
96
+
97
+ - **Account** — create the admin operator for this hub (username + password).
98
+ - **Vault** — *create* a fresh vault (default name `default`), *import* one from
99
+ a git repo (a previously-exported Parachute vault on any HTTPS / SSH remote;
100
+ PAT optional for private repos), or *skip* and create one later. The vault
101
+ module is installed regardless of which you pick.
102
+ - **Expose** — record how this hub is reached (localhost / tailnet / public) so
103
+ the done screen surfaces the right URLs.
104
+
105
+ The done screen hands you a copy-pasteable `claude mcp add` command (with a
106
+ freshly-minted operator token), a link to start using your vault, and the admin
107
+ UI. Verify the stack any time:
73
108
 
74
- # 4. Check it landed — reads ~/.parachute/services.json, shows process state + probes health
109
+ ```sh
75
110
  parachute status
76
111
  # SERVICE PORT VERSION PROCESS PID UPTIME HEALTH LATENCY
77
- # parachute-vault 1940 0.2.4 running 12345 12s ok 2ms
112
+ # parachute-hub 1939 0.5.14 running 12344 20s ok 1ms
113
+ # parachute-vault 1940 0.4.5 running 12345 12s ok 2ms
114
+ ```
78
115
 
79
- # 5. Use it. Vault is up on 127.0.0.1:1940; Claude Code picked up the MCP
80
- # on your next session. Point any other local MCP client (Codex, Goose,
81
- # OpenCode, Cursor, Zed, Cline, your own agent) at:
82
- # http://127.0.0.1:1940/vault/default/mcp
116
+ Vault is up on `127.0.0.1:1940`; Claude Code picks up the MCP on your next
117
+ session. Point any other local MCP client (Codex, Goose, OpenCode, Cursor, Zed,
118
+ Cline, your own agent) at `http://127.0.0.1:1940/vault/<name>/mcp`.
83
119
 
84
- # 6. Expose across your tailnet HTTPS, MagicDNS, only your devices.
85
- # The supported exposure shape today; public-internet exposure is
86
- # exploratory (see "Public exposure" below).
87
- parachute expose tailnet
120
+ ### Want the wizard in the terminal instead of the browser?
121
+
122
+ ```sh
123
+ parachute init --cli-wizard
124
+ ```
125
+
126
+ …or drive the wizard directly against an already-running hub:
127
+
128
+ ```sh
129
+ parachute setup-wizard --hub-url http://127.0.0.1:1939
130
+ ```
131
+
132
+ `setup-wizard` is the in-terminal mirror of `/admin/setup` — same handlers, same
133
+ Account → Vault → Expose walk. Every prompt has a paired flag for scripted /
134
+ non-interactive setup (`--account-username`, `--account-password`,
135
+ `--vault-mode create|import|skip`, `--vault-name`, `--vault-import-url`,
136
+ `--expose-mode localhost|tailnet|public`, …); run `parachute setup-wizard --help`
137
+ for the full list.
138
+
139
+ ### Prefer to drive installs by hand?
140
+
141
+ `parachute init` → wizard is the recommended path, but the per-module commands
142
+ still work and are additive:
143
+
144
+ ```sh
145
+ parachute install vault # install + register + create first vault + start one module
146
+ parachute setup # older interactive multi-pick: survey + install vault/notes/scribe
147
+ parachute start vault # PID + logs tracked under ~/.parachute/vault/
148
+ ```
149
+
150
+ ### Expose across your tailnet
151
+
152
+ ```sh
153
+ parachute expose tailnet # HTTPS, MagicDNS, only your devices (the supported shape today)
88
154
  ```
89
155
 
90
- Tear down with `parachute expose tailnet off`. The public layer (`expose public off`) tears down independently — `off` only affects the layer you name.
156
+ Tear down with `parachute expose tailnet off`. The public layer (`expose public off`) tears down independently — `off` only affects the layer you name. Public-internet exposure is exploratory (see "Public exposure" below).
91
157
 
92
158
  ## Service lifecycle
93
159
 
@@ -313,6 +379,11 @@ Public-internet exposure (`parachute expose public`) is exploratory — see "Pub
313
379
  Run `parachute --help` for the top-level list, and `parachute <subcommand> --help` for details on any individual command.
314
380
 
315
381
  ```
382
+ parachute init fresh-install front door: start hub, offer expose,
383
+ install vault module, open the setup wizard
384
+ parachute setup-wizard --hub-url <url>
385
+ in-terminal mirror of /admin/setup (Account/Vault/Expose)
386
+ parachute setup older interactive multi-pick service installer
316
387
  parachute install <service> install and register a service
317
388
  parachute status show installed services, process state, health
318
389
  parachute start [service] start services in the background
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@openparachute/hub",
3
- "version": "0.5.14-rc.8",
3
+ "version": "0.5.14-rc.9",
4
4
  "description": "parachute \u2014 the local hub for the Parachute ecosystem (discovery, ports, lifecycle, soon OAuth).",
5
5
  "license": "AGPL-3.0",
6
6
  "publishConfig": {