@openparachute/hub 0.5.14-rc.9 → 0.6.0

package/src/api-account.ts

@@ -55,12 +55,15 @@ import { CSRF_FIELD_NAME, ensureCsrfToken, verifyCsrfToken } from "./csrf.ts";
 import { changePasswordRateLimiter } from "./rate-limit.ts";
 import { isHttpsRequest } from "./request-protocol.ts";
 import { findActiveSession } from "./sessions.ts";
+import { isTotpEnrolled } from "./two-factor-store.ts";
 import {
   PASSWORD_MAX_LEN,
   UserNotFoundError,
+  type VaultVerb,
   getUserById,
   isFirstAdmin,
   validatePassword,
+  vaultVerbsForUserVault,
   verifyPassword,
 } from "./users.ts";
 
@@ -489,6 +492,15 @@ export function handleAccountHomeGet(req: Request, deps: AccountHomeDeps): Respo
   const adminFlag = isFirstAdmin(deps.db, user.id);
   const csrf = ensureCsrfToken(req);
   const extra: Record<string, string> = csrf.setCookie ? { "set-cookie": csrf.setCookie } : {};
+  // Per-vault mintable verbs for the "mint an access token" affordance on each
+  // tile. Reads the assignment role (today always write → ["read", "write"])
+  // so the UI only ever offers a verb the POST handler would accept. Empty for
+  // the admin / no-vault branches (no assigned vaults to iterate).
+  const mintableVerbs: Record<string, VaultVerb[]> = {};
+  for (const v of user.assignedVaults) {
+    const verbs = vaultVerbsForUserVault(deps.db, user.id, v);
+    if (verbs && verbs.length > 0) mintableVerbs[v] = verbs;
+  }
   return htmlResponse(
     renderAccountHome({
       username: user.username,
@@ -497,6 +509,8 @@ export function handleAccountHomeGet(req: Request, deps: AccountHomeDeps): Respo
       hubOrigin: deps.hubOrigin,
       isFirstAdmin: adminFlag,
       csrfToken: csrf.token,
+      twoFactorEnabled: isTotpEnrolled(deps.db, user.id),
+      mintableVerbs,
     }),
     200,
     extra,

package/src/api-modules-ops.ts

@@ -35,6 +35,7 @@
 import type { Database } from "bun:sqlite";
 import { randomUUID } from "node:crypto";
 import { dirname } from "node:path";
+import { MissingDependencyError, type MissingDependencyWire } from "@openparachute/depcheck";
 import { CURATED_MODULES, type CuratedModuleShort } from "./api-modules.ts";
 import { isLinked as defaultIsLinked } from "./bun-link.ts";
 import { PARACHUTE_INSTALL_CHANNEL_ENV } from "./commands/install.ts";
@@ -49,11 +50,7 @@ import {
   getSpec,
   synthesizeManifestForKnownModule,
 } from "./service-spec.ts";
-import {
-  findService,
-  readManifestLenient,
-  removeService,
-} from "./services-manifest.ts";
+import { findService, readManifestLenient, removeService } from "./services-manifest.ts";
 import type { ModuleState, SpawnRequest, Supervisor } from "./supervisor.ts";
 import { WELL_KNOWN_PATH, type regenerateWellKnown } from "./well-known.ts";
 
@@ -81,6 +78,15 @@ export interface Operation {
   log: string[];
   /** Error message when status is `failed`. Mirrored from the underlying throw. */
   error?: string;
+  /**
+   * Structured error detail when the failure is a known typed error — today
+   * only `MissingDependencyError.toWire()` (a missing external binary like
+   * `bun` / `git` during install). The operations-polling SPA switches on
+   * `error_detail.error_type === "missing_dependency"` to render a dedicated
+   * install card; the plain `error` string is the fallback for everything
+   * else. Wire shape matches `@openparachute/depcheck`'s `MissingDependencyWire`.
+   */
+  error_detail?: MissingDependencyWire;
   startedAt: string;
   finishedAt?: string;
 }
@@ -89,7 +95,11 @@ export interface OperationsRegistry {
   create(kind: OperationKind, short: string): Operation;
   get(id: string): Operation | undefined;
   /** Append a log line + (optionally) advance status. */
-  update(id: string, patch: Partial<Pick<Operation, "status" | "error">>, logLine?: string): void;
+  update(
+    id: string,
+    patch: Partial<Pick<Operation, "status" | "error" | "error_detail">>,
+    logLine?: string,
+  ): void;
 }
 
 /**
@@ -122,11 +132,16 @@ class InMemoryOperationsRegistry implements OperationsRegistry {
     return this.ops.get(id);
   }
 
-  update(id: string, patch: Partial<Pick<Operation, "status" | "error">>, logLine?: string): void {
+  update(
+    id: string,
+    patch: Partial<Pick<Operation, "status" | "error" | "error_detail">>,
+    logLine?: string,
+  ): void {
     const op = this.ops.get(id);
     if (!op) return;
     if (patch.status) op.status = patch.status;
     if (patch.error !== undefined) op.error = patch.error;
+    if (patch.error_detail !== undefined) op.error_detail = patch.error_detail;
     if (logLine) op.log.push(logLine);
     if (patch.status === "succeeded" || patch.status === "failed") {
       op.finishedAt = this.clock().toISOString();
@@ -520,13 +535,37 @@ export async function handleInstall(
   // immediately + the work runs in the background. Errors get logged
   // to the operation; nothing throws back to the request handler.
   void runInstall(op.id, short, spec, deps, bodyChannel).catch((err) => {
-    const msg = err instanceof Error ? err.message : String(err);
-    registry.update(op.id, { status: "failed", error: msg }, `install failed: ${msg}`);
+    failOperation(registry, op.id, "install", err);
   });
 
   return acceptedOp(op.id);
 }
 
+/**
+ * Mark an async op failed, attaching the structured `error_detail` wire when
+ * the underlying throw is a `MissingDependencyError` (a missing external
+ * binary like `bun` / `git` during install). The operations-polling SPA reads
+ * `error_detail` to render the dedicated install card; the plain `error`
+ * string is the fallback for every other failure.
+ */
+function failOperation(
+  registry: OperationsRegistry,
+  opId: string,
+  verb: string,
+  err: unknown,
+): void {
+  const msg = err instanceof Error ? err.message : String(err);
+  if (err instanceof MissingDependencyError) {
+    registry.update(
+      opId,
+      { status: "failed", error: msg, error_detail: err.toWire() },
+      `${verb} failed: ${err.binary} not installed`,
+    );
+    return;
+  }
+  registry.update(opId, { status: "failed", error: msg }, `${verb} failed: ${msg}`);
+}
+
 /**
  * Internal install runner. Exported so non-API callers (the first-boot
  * wizard at `/admin/setup`, hub#259) can drive the same install →
@@ -722,8 +761,7 @@ export async function handleUpgrade(
   const spec = specFor(short);
 
   void runUpgrade(op.id, short, spec, deps).catch((err) => {
-    const msg = err instanceof Error ? err.message : String(err);
-    registry.update(op.id, { status: "failed", error: msg }, `upgrade failed: ${msg}`);
+    failOperation(registry, op.id, "upgrade", err);
   });
   return acceptedOp(op.id);
 }

package/src/api-users.ts

@@ -336,7 +336,16 @@ export async function handleCreateUser(req: Request, deps: ApiUsersDeps): Promis
   }
 }
 
-/** DELETE /api/users/:id — hard-delete + token revocation + session/grant cleanup. */
+/**
+ * DELETE /api/users/:id — hard-delete + token revocation + session/grant
+ * cleanup.
+ *
+ * Success returns `200 { ok: true, revocation_lag_seconds: 60 }` (was a bare
+ * 204 pre-consistency-fix) so the SPA can warn that the deleted user's
+ * tokens linger ~60s on resource-server revocation caches — same surface
+ * the reset-password path carries. The race-tolerant "row already gone"
+ * path stays a bodyless 204 (nothing was revoked here, no lag to report).
+ */
 export async function handleDeleteUser(
   req: Request,
   userId: string,
@@ -390,11 +399,28 @@ export async function handleDeleteUser(
   if (!removed) {
     // Race: row deleted by a concurrent request. Operator's intent
     // (no such user) is already satisfied — same shape as the grant-
-    // revoke race in `admin-grants.ts`.
+    // revoke race in `admin-grants.ts`. No tokens were revoked by THIS
+    // call, so there's no revocation lag to warn about; keep the bodyless
+    // 204 for the race path.
     return new Response(null, { status: 204 });
   }
   console.log(`user deleted: id=${userId} username=${target.username}`);
-  return new Response(null, { status: 204 });
+  // `revocation_lag_seconds`: same consistency fix the reset-password path
+  // got (smoke 2026-05-27 finding 3). Deleting a user revokes their tokens
+  // in hub's DB immediately, but resource servers (vault, scribe, …) cache
+  // the revocation list via scope-guard's `REVOCATION_CACHE_TTL_MS = 60_000`
+  // — a deleted user's tokens linger for up to ~60s on those caches. Surface
+  // that so the admin isn't surprised when a just-deleted user's client can
+  // still read for a minute (relevant in the stolen-device / compromise
+  // threat model). 200 + body instead of the old bare 204 so the SPA can
+  // render the warning banner.
+  return new Response(
+    JSON.stringify({ ok: true, revocation_lag_seconds: REVOCATION_LAG_SECONDS }),
+    {
+      status: 200,
+      headers: { "content-type": "application/json", "cache-control": "no-store" },
+    },
+  );
 }
 
 /**

package/src/cli.ts

@@ -6,6 +6,7 @@
  * Run `parachute --help` or `parachute <subcommand> --help` for usage.
  */
 
+import { MissingDependencyError } from "@openparachute/depcheck";
 import pkg from "../package.json" with { type: "json" };
 import { CloudflaredStateError } from "./cloudflare/state.ts";
 import { auth } from "./commands/auth.ts";
@@ -472,12 +473,21 @@ async function main(argv: string[]): Promise<number> {
         return 1;
       }
       const exposeArgs = flagExtract.rest;
-      const layer = exposeArgs[0];
+      let layer = exposeArgs[0];
       const mode = exposeArgs[1];
       if (isHelpFlag(layer)) {
         console.log(exposeHelp());
         return 0;
       }
+      // Alias: `parachute expose cloudflare [--domain X] [off]` is shorthand for
+      // `parachute expose public --cloudflare …`. Cloudflare is a public-internet
+      // provider, so we rewrite the layer to `public` and force the cloudflare
+      // flag — the rest of the dispatch (domain prompt, off-path, etc.) is
+      // identical to the canonical form.
+      if (layer === "cloudflare") {
+        layer = "public";
+        flagExtract.cloudflare = true;
+      }
       if (layer !== "tailnet" && layer !== "public") {
         console.error(`parachute expose: unknown layer "${layer ?? ""}"`);
         console.error("usage: parachute expose tailnet [off]");
@@ -749,26 +759,13 @@ async function main(argv: string[]): Promise<number> {
       // after `vault` (including --help) is passed through verbatim.
       if (rest.length === 0) return await dispatchVault(["--help"]);
 
-      // `parachute vault tokens create` in a TTY with no scope-narrowing flag
-      // → guided flow. Any of --scope / --read / --permission means the user
-      // has already decided, so we stay out of the way. Non-TTY always
-      // bypasses (no way to answer a prompt). Label is orthogonal — the
-      // guided flow prompts for it only if --label wasn't supplied.
-      const wantsGuidedTokenCreate =
-        rest[0] === "tokens" &&
-        rest[1] === "create" &&
-        isTtyInteractive() &&
-        !rest.includes("--scope") &&
-        !rest.includes("--read") &&
-        !rest.includes("--permission") &&
-        !isHelpFlag(rest[2]);
-      if (wantsGuidedTokenCreate) {
-        const { runVaultTokensCreateInteractive } = await import(
-          "./commands/vault-tokens-create-interactive.ts"
-        );
-        return await runVaultTokensCreateInteractive({ args: rest.slice(2) });
-      }
-
+      // Everything under `vault` forwards transparently to `parachute-vault`.
+      // `vault tokens create` used to route through a guided interactive
+      // wrapper, but the pvt_* DROP (vault#412 / hub#466) removed that vault
+      // subcommand — it now exits 1 with migration guidance. Access tokens are
+      // hub-issued JWTs; mint them with `parachute auth mint-token` or the
+      // admin SPA Connect card. We forward verbatim so the operator sees
+      // vault's own migration error rather than a hub-side stub.
       return await dispatchVault(rest);
     }
 
@@ -788,6 +785,14 @@ async function run(argv: string[]): Promise<number> {
   try {
     return await main(argv);
   } catch (err) {
+    if (err instanceof MissingDependencyError) {
+      // A required external binary wasn't on PATH (git / tailscale / tail /
+      // …). Print the friendly install block to stderr. interactive:true so
+      // the operator at a terminal sees the "ask your sysadmin" trailer; the
+      // message was already formatted at construction, so we just emit it.
+      console.error(err.message);
+      return 1;
+    }
     if (err instanceof ServicesManifestError) {
       console.error(`services.json is malformed: ${err.message}`);
       console.error("Fix or remove the file, then re-run.");

package/src/clients.ts

@@ -12,12 +12,24 @@
  *     plaintext exactly once. The token endpoint enforces client_secret per
  *     RFC 6749 §3.2.1 (closes #72).
  *
- * Approval gate (closes #74): every row carries a `status` of `pending` or
- * `approved`. New self-registrations default to `pending`; only registrations
- * that authenticate with an operator token bearing `hub:admin` (the install-
- * time path for first-party modules) land as `approved`. The OAuth flow
- * rejects `pending` clients at `/oauth/authorize` and `/oauth/token`. An
- * operator promotes a pending client via `parachute auth approve-client`.
+ * Status column (`pending` | `approved`): every row carries one. New
+ * self-registrations default to `pending`; registrations that authenticate
+ * with an operator token bearing `hub:admin` (the install-time path for
+ * first-party modules) land as `approved`.
+ *
+ * Single-consent change (2026-05-29): the separate operator "approve this
+ * client" gate was retired. The user's OAuth consent IS the authorization —
+ * `handleAuthorizeGet` now session-gates a `pending` client: a request
+ * carrying a valid session auto-approves the client (status → `approved`,
+ * audit-logged) and FALLS THROUGH to the normal consent screen; a session-
+ * less request still renders the unauth "App not yet approved" page whose
+ * sign-in CTA round-trips back to authorize (after login the user re-enters
+ * with a session → auto-approve → consent). The `status` column, the DCR
+ * `pending` default, the `/oauth/token` pending rejection, and the
+ * `parachute auth approve-client` / SPA approve surfaces all persist but are
+ * near-vestigial — kept for defense-in-depth and back-compat. Motivation:
+ * Notes/Claude DCR a fresh `client_id` per instance, so a per-client_id
+ * approval gate re-prompted the operator constantly.
  */
 import type { Database } from "bun:sqlite";
 import { createHash, randomBytes, randomUUID } from "node:crypto";

package/src/cloudflare/config.ts

@@ -2,8 +2,6 @@ import { mkdirSync, writeFileSync } from "node:fs";
 import { dirname, join } from "node:path";
 import { CONFIG_DIR } from "../config.ts";
 
-export const CLOUDFLARED_DIR = join(CONFIG_DIR, "cloudflared");
-
 export const DEFAULT_TUNNEL_NAME = "parachute";
 
 /**
@@ -16,12 +14,20 @@ export const DEFAULT_TUNNEL_NAME = "parachute";
  * location change from pre-#32 (`~/.parachute/cloudflared/config.yml`).
  * Re-running `parachute expose public --cloudflare` regenerates the file
  * at the new path; the legacy file is left in place but unused.
+ *
+ * `configDir` overrides the base (`~/.parachute` by default). Tests pass a
+ * tmp dir so per-tunnel-derived paths never resolve against the operator's
+ * real `CONFIG_DIR` — otherwise running the suite scribbles fixture
+ * config.yml + log files into `~/.parachute/cloudflared/<name>/`.
  */
-export function cloudflaredPathsFor(tunnelName: string): {
+export function cloudflaredPathsFor(
+  tunnelName: string,
+  configDir: string = CONFIG_DIR,
+): {
   configPath: string;
   logPath: string;
 } {
-  const dir = join(CLOUDFLARED_DIR, tunnelName);
+  const dir = join(configDir, "cloudflared", tunnelName);
   return {
     configPath: join(dir, "config.yml"),
     logPath: join(dir, "cloudflared.log"),

package/src/cloudflare/detect.ts

@@ -1,6 +1,7 @@
 import { existsSync } from "node:fs";
 import { homedir } from "node:os";
 import { join } from "node:path";
+import { isBinaryNotFoundError, lookupDep } from "@openparachute/depcheck";
 import type { Runner } from "../tailscale/run.ts";
 
 export const DEFAULT_CLOUDFLARED_HOME = join(homedir(), ".cloudflared");
@@ -10,30 +11,22 @@ export const DEFAULT_CLOUDFLARED_HOME = join(homedir(), ".cloudflared");
  * "binary not on PATH" errors — anything else (EACCES from a non-executable
  * file, corrupted binary, etc.) propagates so we don't silently report
  * "not installed" when something more specific is wrong.
+ *
+ * The not-found matcher is `@openparachute/depcheck`'s `isBinaryNotFoundError`
+ * — the single source of truth across the ecosystem (this used to be a local
+ * copy that drifted from vault's `git-preflight.ts`). Pass the binary name so
+ * a not-found message about an unrelated file isn't mis-attributed.
  */
 export async function isCloudflaredInstalled(runner: Runner): Promise<boolean> {
   try {
     const { code } = await runner(["cloudflared", "--version"]);
     return code === 0;
   } catch (err) {
-    if (isBinaryNotFoundError(err)) return false;
+    if (isBinaryNotFoundError(err, "cloudflared")) return false;
     throw err;
   }
 }
 
-function isBinaryNotFoundError(err: unknown): boolean {
-  if (!err || typeof err !== "object") return false;
-  const e = err as { code?: unknown; message?: unknown };
-  if (e.code === "ENOENT") return true;
-  // Bun.spawn's error shape varies across versions; fall back to message
-  // string matching so we catch "Executable not found in $PATH" and
-  // "ENOENT" variants without pinning to one runtime detail.
-  if (typeof e.message === "string") {
-    return /ENOENT|not found|No such file/i.test(e.message);
-  }
-  return false;
-}
-
 /**
  * `cloudflared tunnel login` drops a cert at `~/.cloudflared/cert.pem` — its
  * presence is cloudflared's own login marker. Every `cloudflared tunnel
@@ -61,30 +54,37 @@ export function isCloudflaredLoggedIn(cloudflaredHome: string = DEFAULT_CLOUDFLA
  *   other  → the binary-download path is still the best generic answer
  *
  * The `arch` parameter is the architecture string in `process.arch`
- * shape (`x64`, `arm64`, `arm`). Mapped to the suffix cloudflared uses
- * in its release artifacts (`amd64`, `arm64`, `arm`). Unknown arches
- * fall through to a generic pointer at the releases page.
+ * shape (`x64`, `arm64`, `arm`). The static-binary curl recipe + the arch
+ * mapping now live in `@openparachute/depcheck`'s `cloudflared` registry
+ * entry (`install.linuxBinaryUrl`) — the single source of truth shared with
+ * the structured `MissingDependencyError` UX. This function keeps its own
+ * prose (the surrounding "works across distros" framing the expose flow
+ * prints) but derives the URL + arch support from the registry so the two
+ * can't drift. A `undefined` recipe (arch with no published artifact) is the
+ * signal to fall through to the generic releases pointer rather than
+ * fabricating a 404-bound URL.
  */
 export function cloudflaredInstallHint(
   platform: NodeJS.Platform = process.platform,
   arch: NodeJS.Architecture = process.arch,
 ): string {
+  const releasesUrl = "https://github.com/cloudflare/cloudflared/releases/latest";
   if (platform === "darwin") {
     return [
       "Install cloudflared:",
       "  brew install cloudflared",
       "",
       "(or download a static binary from",
-      "  https://github.com/cloudflare/cloudflared/releases/latest)",
+      `  ${releasesUrl})`,
     ].join("\n");
   }
   if (platform === "linux") {
-    const suffix = linuxArtifactSuffix(arch);
-    if (suffix) {
+    const downloadUrl = cloudflaredLinuxDownloadUrl(arch);
+    if (downloadUrl) {
       return [
         "Install cloudflared (static binary — works across distros):",
-        `  curl -L -o /usr/local/bin/cloudflared \\`,
-        `    https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-${suffix}`,
+        "  curl -L -o /usr/local/bin/cloudflared \\",
+        `    ${downloadUrl}`,
         "  sudo chmod +x /usr/local/bin/cloudflared",
         "  cloudflared --version",
         "",
@@ -93,33 +93,28 @@ export function cloudflaredInstallHint(
     }
     return [
       "Install cloudflared from the official binary release:",
-      "  https://github.com/cloudflare/cloudflared/releases/latest",
+      `  ${releasesUrl}`,
       `(pick the linux-* artifact matching your architecture; your arch is "${arch}")`,
     ].join("\n");
   }
-  return [
-    "Install cloudflared from the official binary release:",
-    "  https://github.com/cloudflare/cloudflared/releases/latest",
-  ].join("\n");
+  return ["Install cloudflared from the official binary release:", `  ${releasesUrl}`].join("\n");
 }
 
 /**
- * Map a Node `process.arch` to the suffix Cloudflare uses for its
- * cloudflared-linux-* release artifacts. Returns undefined for arches
- * that don't have a published artifact (we surface a generic pointer
- * in that case instead of fabricating a download URL that 404s).
+ * Pull the cloudflared-linux-<suffix> download URL for an arch out of the
+ * depcheck registry's static-binary recipe. The registry recipe is a
+ * multi-line `curl … / chmod … / version` block; we extract the single
+ * `https://…/cloudflared-linux-<suffix>` line so this function's own prose
+ * wraps the canonical URL. Returns undefined when the arch has no published
+ * artifact (registry recipe is undefined) — the caller then uses the generic
+ * pointer. Keeps the arch→suffix mapping in exactly one place (the registry).
  */
-function linuxArtifactSuffix(arch: NodeJS.Architecture): string | undefined {
-  switch (arch) {
-    case "x64":
-      return "amd64";
-    case "arm64":
-      return "arm64";
-    case "arm":
-      return "arm";
-    case "ia32":
-      return "386";
-    default:
-      return undefined;
-  }
+function cloudflaredLinuxDownloadUrl(arch: NodeJS.Architecture): string | undefined {
+  const recipe = lookupDep("cloudflared")?.install.linuxBinaryUrl?.(arch);
+  if (!recipe) return undefined;
+  const urlLine = recipe
+    .split("\n")
+    .map((l) => l.trim())
+    .find((l) => l.startsWith("https://"));
+  return urlLine;
 }