@openparachute/hub 0.5.2 → 0.5.9-rc.6

package/src/__tests__/hub.test.ts

@@ -13,10 +13,9 @@ describe("renderHub", () => {
     expect(html).toContain("<script>");
   });
 
-  test("fetches /.well-known/parachute.json and reads services[] + vaults[]", () => {
+  test("fetches /.well-known/parachute.json for the Use section", () => {
     expect(html).toContain("/.well-known/parachute.json");
     expect(html).toContain("doc.services");
-    expect(html).toContain("doc.vaults");
   });
 
   test("uses parachute.computer sage palette and serif/sans fonts", () => {
@@ -30,79 +29,133 @@ describe("renderHub", () => {
     expect(html).toContain("prefers-color-scheme: dark");
   });
 
-  test("falls back to a generic icon for module tiles", () => {
-    expect(html).toContain("fallbackIcon");
+  test("renders two sections: Services and Admin, each with its own heading + grid", () => {
+    expect(html).toContain('id="services-section"');
+    expect(html).toContain('id="admin-section"');
+    expect(html).toContain('id="services-grid"');
+    expect(html).toContain('id="admin-grid"');
+    expect(html).toContain("<h2>Services</h2>");
+    expect(html).toContain("<h2>Admin</h2>");
   });
 
-  test("renders one tile per module type, not per service instance", () => {
-    expect(html).toContain("aggregate(services, vaults)");
-    expect(html).toContain("renderTile");
-    expect(html).toContain("MODULE_ORDER");
+  test("Services section sub-text frames the section as service-owned surfaces", () => {
+    // Services-vs-Admin axis is OWNERSHIP (services own their UIs vs
+    // hub owns host admin), not function. The sub-text reflects that —
+    // earlier "Browse, transcribe, and run" framing put it on the
+    // function axis, which broke down once you noticed services have
+    // UIs that mix use / config / admin.
+    expect(html).toContain("Surfaces provided by services");
   });
 
-  test("known module display order is vault → scribe → notes → agent", () => {
-    expect(html).toContain("['vault', 'scribe', 'notes', 'agent']");
+  test("Services tiles are data-driven from each service's uiUrl + displayName", () => {
+    // Phase D consumer-side: SERVICE_LABELS / SERVICE_ORDER hardcoding
+    // retired. Each well-known services[] row carries displayName + uiUrl
+    // (sourced from module.json via hub-server's loadServiceUiMetadata);
+    // tiles render directly from those.
+    expect(html).toContain("svc.uiUrl");
+    expect(html).toContain("svc.displayName");
+    // No more hardcoded short→label map.
+    expect(html).not.toContain("'Notes', desc:");
+    expect(html).not.toContain("['notes', 'scribe', 'agent']");
   });
 
-  test("vault tile counts vaults[] (per instance) and links to /vault", () => {
-    // Vault count is the length of doc.vaults — one entry per /vault/<name>
-    // mount, so a single ServiceEntry with paths=[a,b,c] still shows "3
-    // registered". The manage link is the hub's vault SPA at /vault
-    // (renamed from /hub/vaults in the realignment), never an individual
-    // vault backend.
-    expect(html).toContain("vaults.length");
-    expect(html).toContain("'/vault'");
+  test("Services skip rule emerges from data, not name-checks (vault has no uiUrl)", () => {
+    // The previous `isVaultName` hardcoded skip is gone — vault doesn't
+    // declare uiUrl, so it naturally doesn't render. Other API-only
+    // modules (current or future) get the same treatment for free.
+    expect(html).toContain("if (!svc || !svc.uiUrl) continue;");
+    // The function definition is gone (the comment may still mention the
+    // name as historical context — we only care about the active code).
+    expect(html).not.toContain("function isVaultName");
   });
 
-  test("non-vault tiles take their manageUrl from the service's path", () => {
-    // shortName('parachute-scribe') = 'scribe' → tile links to svc.path,
-    // which is whatever the module declared (e.g. /scribe, /notes, /agent).
-    // Hardcoding the link would silently break on a custom mount.
-    expect(html).toContain("manageUrl: svc.path");
+  test("Services tiles sort alphabetically by displayName", () => {
+    // Per the module-json-extensibility pattern doc — default ordering
+    // until a `displayOrder` field surfaces. localeCompare keeps the
+    // ordering stable across locales for ASCII labels.
+    expect(html).toContain("a.title.localeCompare(b.title)");
   });
 
-  test("tiles for module types with zero instances are hidden", () => {
-    // Aggregate only inserts a group when the type has at least one entry;
-    // tilesInOrder iterates the map. No "0 registered" surface.
-    expect(html).not.toContain("0 registered");
-    expect(html).toContain("count === 1 ? '1 registered'");
+  test("Admin section is hardcoded (always visible) with three entries", () => {
+    expect(html).toContain("ADMIN_ENTRIES");
+    expect(html).toContain("/admin/vaults");
+    expect(html).toContain("/admin/permissions");
+    expect(html).toContain("/admin/tokens");
   });
 
-  test("module labels are humanized (Vault / Scribe / Notes / Agent)", () => {
-    expect(html).toContain("vault: 'Vault'");
-    expect(html).toContain("scribe: 'Scribe'");
-    expect(html).toContain("notes: 'Notes'");
-    expect(html).toContain("agent: 'Agent'");
+  test("Admin section renders synchronously (does not depend on the well-known fetch)", () => {
+    // Even if the fetch is slow or fails, the operator should see Admin
+    // surfaces — they may be the reason the operator landed on /.
+    expect(html).toContain("renderAdmin();");
+    expect(html).toContain("Admin section is static");
   });
 
-  test("vault-name detection covers parachute-vault and parachute-vault-<name>", () => {
-    // Phase-1 multi-vault keeps a single ServiceEntry with multiple paths
-    // (parachute-vault), but the door is open for per-instance entries
-    // (parachute-vault-techne). isVaultName has to accept both.
-    expect(html).toContain("isVaultName");
-    expect(html).toContain("'parachute-vault'");
-    expect(html).toContain("'parachute-vault-'");
+  test("Services section empty state guides operators to declare uiUrl", () => {
+    // Empty state under Phase D means "no installed service has declared
+    // uiUrl yet" — different shape from pre-D ("none installed at all").
+    // Hint points at the pattern doc since the fix is in module.json,
+    // not at install time.
+    expect(html).toContain("No services with a UI declared yet");
+    expect(html).toContain("module-json-extensibility");
   });
 
-  test("empty state when no modules are registered", () => {
-    expect(html).toContain("No modules installed yet");
-    expect(html).toContain("parachute install vault");
+  test("Use section error state surfaces the underlying message", () => {
+    expect(html).toContain("Could not load services");
   });
 
-  test("error state surfaces the underlying message", () => {
-    expect(html).toContain("Could not load modules");
-  });
-
-  test("does not retain the per-service interactive-card / config-form code", () => {
-    // The home page is now a directory of modules — per-instance config
-    // forms and detail panels live behind the Manage links (vault SPA at
-    // /vault, the running module's own UI elsewhere). Keeping the
-    // dead code around is a maintenance trap.
+  test("does not retain the old aggregate-by-module-type code", () => {
+    // The Vault collapse + per-module aggregation pattern is gone — Use
+    // entries are direct service-path → label lookups; Admin is hardcoded.
+    expect(html).not.toContain("aggregate(services, vaults)");
+    expect(html).not.toContain("MODULE_LABELS");
     expect(html).not.toContain("renderConfigField");
-    expect(html).not.toContain("fetchConfig");
     expect(html).not.toContain("kind-badge");
-    expect(html).not.toContain("info.mcpUrl");
-    expect(html).not.toContain("info.openInNotesUrl");
+  });
+
+  test("default render (no session) emits the 'Sign in' affordance", () => {
+    expect(html).toContain('class="auth-indicator"');
+    expect(html).toContain("Sign in");
+    expect(html).toContain('href="/login?next=/"');
+    // No POST form, no CSRF input — those only appear when signed in.
+    expect(html).not.toContain('action="/logout"');
+    expect(html).not.toContain("__csrf");
+  });
+});
+
+describe("renderHub — signed-in indicator (rc.13)", () => {
+  test("session user → 'Signed in as <name>' + inline POST form with CSRF", () => {
+    const html = renderHub({
+      session: { displayName: "aaron", csrfToken: "csrf-token-xyz" },
+    });
+    expect(html).toContain('class="auth-indicator"');
+    expect(html).toContain("Signed in as");
+    expect(html).toContain("aaron");
+    // Inline POST form for sign-out — CSRF token embedded as the
+    // existing `__csrf` field name (matches /logout's expectations).
+    expect(html).toContain('method="POST" action="/logout"');
+    expect(html).toContain('name="__csrf"');
+    expect(html).toContain('value="csrf-token-xyz"');
+    expect(html).toContain("Sign out");
+    // No "Sign in" affordance when signed in.
+    expect(html).not.toContain('href="/login?next=/"');
+  });
+
+  test("displayName with HTML special chars is escaped", () => {
+    // Username field allows alphanumerics historically, but the
+    // displayName field on the wire is forward-compatible with profile
+    // names that may contain &, <, >. Escape at render time.
+    const html = renderHub({
+      session: { displayName: "<aaron>&friends", csrfToken: "tok" },
+    });
+    expect(html).toContain("&lt;aaron&gt;&amp;friends");
+    expect(html).not.toContain("<aaron>&friends");
+  });
+
+  test("CSRF token with HTML special chars is escaped in the value attribute", () => {
+    const html = renderHub({
+      session: { displayName: "aaron", csrfToken: 'token"with"quotes' },
+    });
+    expect(html).toContain('value="token&quot;with&quot;quotes"');
   });
 });
 

package/src/__tests__/install-source.test.ts

@@ -0,0 +1,249 @@
+import { describe, expect, test } from "bun:test";
+import {
+  type DetectInstallSourceDeps,
+  detectHubInstallSource,
+  detectInstallSource,
+  formatInstallSourceLabel,
+  isStale,
+} from "../install-source.ts";
+
+/**
+ * Stub helpers for the detect path. Production reads the operator's bun
+ * globals + real package.jsons; here we wire everything from a virtual
+ * filesystem so each kind (npm / bun-linked / unknown / stale) has a
+ * deterministic shape.
+ */
+function makeDeps(opts: {
+  prefixes?: readonly string[];
+  packageVersions?: Record<string, string>;
+  bunGlobalLinks?: Record<string, string>;
+  gitHeads?: Record<string, string>;
+}): DetectInstallSourceDeps {
+  const prefixes = opts.prefixes ?? ["/home/test/.bun/install/global/node_modules"];
+  return {
+    bunGlobalPrefixes: () => prefixes,
+    resolveBunGlobal: (pkg) => opts.bunGlobalLinks?.[pkg] ?? null,
+    readJson: (path) => {
+      // Path looks like `<pkgDir>/package.json` — strip suffix.
+      const pkgDirRaw = path.replace(/\/package\.json$/, "");
+      const v = opts.packageVersions?.[pkgDirRaw];
+      if (v === undefined) throw new Error(`no package.json at ${pkgDirRaw}`);
+      return { name: "@stub/pkg", version: v };
+    },
+    readGitHead: (path) => opts.gitHeads?.[path],
+  };
+}
+
+describe("detectInstallSource", () => {
+  test("classifies a bun-linked checkout (installDir outside bun globals)", () => {
+    const deps = makeDeps({
+      packageVersions: { "/Users/me/code/parachute-notes": "0.3.15-rc.1" },
+      gitHeads: { "/Users/me/code/parachute-notes": "051c404" },
+    });
+    const source = detectInstallSource(
+      { entryName: "parachute-notes", installDir: "/Users/me/code/parachute-notes" },
+      deps,
+    );
+    expect(source.kind).toBe("bun-linked");
+    expect(source.path).toBe("/Users/me/code/parachute-notes");
+    expect(source.gitHead).toBe("051c404");
+    expect(source.livePackageVersion).toBe("0.3.15-rc.1");
+  });
+
+  test("classifies an npm install (installDir under bun globals)", () => {
+    const deps = makeDeps({
+      prefixes: ["/home/test/.bun/install/global/node_modules"],
+      packageVersions: {
+        "/home/test/.bun/install/global/node_modules/@openparachute/scribe": "0.4.2-rc.1",
+      },
+    });
+    const source = detectInstallSource(
+      {
+        entryName: "parachute-scribe",
+        installDir: "/home/test/.bun/install/global/node_modules/@openparachute/scribe",
+      },
+      deps,
+    );
+    expect(source.kind).toBe("npm");
+    expect(source.livePackageVersion).toBe("0.4.2-rc.1");
+    expect(source.gitHead).toBeUndefined();
+  });
+
+  test("falls back to bun-global symlink lookup when installDir is absent", () => {
+    const deps = makeDeps({
+      bunGlobalLinks: { "@openparachute/vault": "/Users/me/code/parachute-vault" },
+      packageVersions: { "/Users/me/code/parachute-vault": "0.4.4-rc.3" },
+      gitHeads: { "/Users/me/code/parachute-vault": "8aa167b" },
+    });
+    const source = detectInstallSource({ entryName: "parachute-vault" }, deps);
+    expect(source.kind).toBe("bun-linked");
+    expect(source.path).toBe("/Users/me/code/parachute-vault");
+    expect(source.gitHead).toBe("8aa167b");
+  });
+
+  test("returns unknown when nothing resolves (no installDir, no first-party mapping)", () => {
+    const deps = makeDeps({});
+    const source = detectInstallSource({ entryName: "agent" }, deps);
+    expect(source.kind).toBe("unknown");
+    expect(source.path).toBeUndefined();
+    expect(source.gitHead).toBeUndefined();
+  });
+
+  test("omits gitHead when the bun-linked path isn't a git repo", () => {
+    const deps = makeDeps({
+      packageVersions: { "/tmp/no-git/pkg": "1.0.0" },
+      // gitHeads intentionally missing → readGitHead returns undefined.
+    });
+    const source = detectInstallSource(
+      { entryName: "third-party", installDir: "/tmp/no-git/pkg" },
+      deps,
+    );
+    expect(source.kind).toBe("bun-linked");
+    expect(source.gitHead).toBeUndefined();
+    expect(source.livePackageVersion).toBe("1.0.0");
+  });
+
+  test("omits livePackageVersion when package.json is unreadable", () => {
+    const deps = makeDeps({
+      packageVersions: {}, // every read throws
+    });
+    const source = detectInstallSource(
+      { entryName: "third-party", installDir: "/tmp/no-pkg" },
+      deps,
+    );
+    expect(source.kind).toBe("bun-linked");
+    expect(source.livePackageVersion).toBeUndefined();
+  });
+
+  test("trailing-slash prefix doesn't false-match a sibling directory", () => {
+    // Subtle: `/home/test/.bun/install/global/node_modules-other` shouldn't
+    // be classified as "under" `/home/test/.bun/install/global/node_modules`.
+    // The prefix join in `isUnderBunGlobals` adds a trailing slash precisely
+    // to avoid this — pin the behavior.
+    const deps = makeDeps({
+      prefixes: ["/home/test/.bun/install/global/node_modules"],
+      packageVersions: {
+        "/home/test/.bun/install/global/node_modules-other/pkg": "1.0.0",
+      },
+    });
+    const source = detectInstallSource(
+      {
+        entryName: "third-party",
+        installDir: "/home/test/.bun/install/global/node_modules-other/pkg",
+      },
+      deps,
+    );
+    expect(source.kind).toBe("bun-linked");
+  });
+});
+
+describe("isStale", () => {
+  test("flags drift between cached entry version and live package.json", () => {
+    expect(
+      isStale("0.3.11-rc.1", {
+        kind: "bun-linked",
+        path: "/Users/me/code/parachute-notes",
+        livePackageVersion: "0.3.15-rc.1",
+      }),
+    ).toBe(true);
+  });
+
+  test("does not flag a matching version", () => {
+    expect(
+      isStale("0.3.15-rc.1", {
+        kind: "bun-linked",
+        path: "/Users/me/code/parachute-notes",
+        livePackageVersion: "0.3.15-rc.1",
+      }),
+    ).toBe(false);
+  });
+
+  test("does not flag npm-installed services (cached version IS the source)", () => {
+    expect(
+      isStale("0.4.2-rc.1", {
+        kind: "npm",
+        path: "/path/to/global",
+        livePackageVersion: "0.4.2-rc.1",
+      }),
+    ).toBe(false);
+  });
+
+  test("does not flag when live version is unavailable", () => {
+    expect(
+      isStale("0.3.11-rc.1", {
+        kind: "bun-linked",
+        path: "/Users/me/code/parachute-notes",
+        // livePackageVersion absent — can't compute drift, don't false-flag.
+      }),
+    ).toBe(false);
+  });
+
+  test("does not flag unknown sources", () => {
+    expect(isStale("1.0.0", { kind: "unknown" })).toBe(false);
+  });
+});
+
+describe("formatInstallSourceLabel", () => {
+  test("bun-linked → basename + short SHA", () => {
+    expect(
+      formatInstallSourceLabel({
+        kind: "bun-linked",
+        path: "/Users/me/code/parachute-notes",
+        gitHead: "051c404",
+      }),
+    ).toBe("bun-linked → parachute-notes @ 051c404");
+  });
+
+  test("bun-linked without gitHead drops the @ <sha> suffix", () => {
+    expect(
+      formatInstallSourceLabel({
+        kind: "bun-linked",
+        path: "/Users/me/code/parachute-notes",
+      }),
+    ).toBe("bun-linked → parachute-notes");
+  });
+
+  test("npm with version", () => {
+    expect(
+      formatInstallSourceLabel({
+        kind: "npm",
+        path: "/some/global/dir",
+        livePackageVersion: "0.4.2-rc.1",
+      }),
+    ).toBe("npm (0.4.2-rc.1)");
+  });
+
+  test("npm without version", () => {
+    expect(formatInstallSourceLabel({ kind: "npm" })).toBe("npm");
+  });
+
+  test("unknown sources render as 'unknown'", () => {
+    expect(formatInstallSourceLabel({ kind: "unknown" })).toBe("unknown");
+  });
+});
+
+describe("detectHubInstallSource", () => {
+  test("classifies the hub based on its source location", () => {
+    // Exercise the happy path via the real hub's `src/` dir. The result
+    // depends on the test environment (CI vs. bun-linked checkout), so we
+    // only assert the kind is one of the known classifications — not the
+    // exact value. `readGitHead` is stubbed so the test never forks a real
+    // git process; the contract under test is "climb to package.json,
+    // classify by location against bun globals" — git is incidental.
+    const source = detectHubInstallSource(import.meta.dir, {
+      readGitHead: () => "deadbeef",
+    });
+    expect(["bun-linked", "npm", "unknown"]).toContain(source.kind);
+  });
+
+  test("returns unknown when no package.json exists above srcDir", () => {
+    // `/private` exists on macOS but has no package.json up the chain;
+    // injected readJson always throws so the walk hits the climb-cap.
+    const source = detectHubInstallSource("/private/var/empty", {
+      readJson: () => {
+        throw new Error("no package.json");
+      },
+    });
+    expect(source.kind).toBe("unknown");
+  });
+});

package/src/__tests__/install.test.ts

@@ -264,9 +264,11 @@ describe("install", () => {
 
   test("CLI overrides a non-canonical port written by init when canonical is free", async () => {
     // Pre-#53 the CLI deferred to whatever port the service's init wrote
-    // (e.g. 5173, Vite's dev default for notes). With CLI-as-port-authority
-    // the canonical slot wins when free: the manifest is updated and the
-    // .env carries PORT=<canonical> so the next daemon boot binds it.
+    // (e.g. 5173, Vite's dev default for notes). With hub-as-port-authority
+    // the canonical slot wins when free: services.json is updated to the
+    // canonical port (post-hub#206 the install path no longer touches .env;
+    // services.json is the single source of truth at boot per the 4-tier
+    // resolvePort ladder in scribe/agent).
     const { path, configDir, cleanup } = makeTempPath();
     try {
       const logs: string[] = [];
@@ -1047,11 +1049,14 @@ describe("install", () => {
     }
   });
 
-  // CLI-as-port-authority (#53). Install assigns the service's port up front
-  // and writes `PORT=<port>` into `<configDir>/<svc>/.env`. lifecycle.start
-  // merges that .env into spawn env, so the next daemon boot binds the port
-  // the CLI picked.
-  test("install writes PORT=<canonical> to .env when the slot is free", async () => {
+  // Hub-as-port-authority (#53), services.json-is-authoritative (#206).
+  // Install picks the service's port up front and reflects it in
+  // services.json. Pre-#206 it also wrote `PORT=<port>` into the service's
+  // `.env`; post-#206 it doesn't — services.json is the single source of
+  // truth at boot per the 4-tier resolvePort ladder in scribe#41 / agent#146
+  // / agent#148, so the duplicate `.env` PORT was at best dead weight and
+  // at worst a source of drift on re-install.
+  test("install reflects canonical port in services.json without writing PORT to .env (hub#206)", async () => {
     const { path, configDir, cleanup } = makeTempPath();
     try {
       const code = await install("vault", {
@@ -1064,34 +1069,38 @@ describe("install", () => {
         log: () => {},
       });
       expect(code).toBe(0);
-      const envText = readFileSync(join(configDir, "vault", ".env"), "utf8");
-      expect(envText).toContain("PORT=1940");
+      // services.json is authoritative — that's where the port lives.
+      const entry = findService("parachute-vault", path);
+      expect(entry?.port).toBe(1940);
+      // .env should NOT have a PORT line. The directory may not even
+      // exist (nothing in this test path writes to the service's config
+      // dir); if it does, the file shouldn't carry PORT.
+      const envPath = join(configDir, "vault", ".env");
+      if (existsSync(envPath)) {
+        expect(readFileSync(envPath, "utf8")).not.toMatch(/^PORT=/m);
+      }
     } finally {
       cleanup();
     }
   });
 
-  test("install preserves a pre-existing PORT in .env across re-installs", async () => {
+  test("install does NOT preserve a pre-existing PORT in .env across re-installs (hub#206)", async () => {
+    // Pre-#206 a stale `.env` PORT survived a re-install: an operator
+    // who edited services.json to fix a duplicate would get re-stamped
+    // by the .env on the next `parachute install`. Post-#206 services.json
+    // is authoritative; the install path leaves `.env` alone but
+    // services.json reflects the freshly-assigned port. The stale `.env`
+    // PORT is harmless because the boot-time resolvePort ladder reads
+    // services.json before falling through to the bare PORT env tier.
     const { path, configDir, cleanup } = makeTempPath();
     try {
-      // First install assigns canonical 1940.
-      await install("vault", {
-        runner: async () => 0,
-        manifestPath: path,
-        configDir,
-        startService: async () => 0,
-        isLinked: () => false,
-        portProbe: async () => false,
-        log: () => {},
-      });
-      // Hand-edit .env to use a custom port (operator override).
       const envPath = join(configDir, "vault", ".env");
-      const original = readFileSync(envPath, "utf8");
-      const edited = original.replace("PORT=1940", "PORT=1947");
-      const { writeFileSync } = await import("node:fs");
-      writeFileSync(envPath, edited);
+      const { mkdirSync, writeFileSync } = await import("node:fs");
+      mkdirSync(join(configDir, "vault"), { recursive: true });
+      // Pre-existing .env with an operator-edited (now-stale) PORT.
+      const before = "PORT=1947\nOTHER=keepme\n";
+      writeFileSync(envPath, before);
 
-      // Second install must preserve the operator's choice, not stomp it.
       await install("vault", {
         runner: async () => 0,
         manifestPath: path,
@@ -1101,13 +1110,20 @@ describe("install", () => {
         portProbe: async () => false,
         log: () => {},
       });
-      expect(readFileSync(envPath, "utf8")).toContain("PORT=1947");
+
+      // services.json gets the freshly-assigned canonical port (1940),
+      // NOT the stale 1947 from .env.
+      const entry = findService("parachute-vault", path);
+      expect(entry?.port).toBe(1940);
+      // .env is bit-for-bit untouched: the stale PORT stays, OTHER stays,
+      // and we did NOT rewrite the file with a new PORT line.
+      expect(readFileSync(envPath, "utf8")).toBe(before);
     } finally {
       cleanup();
     }
   });
 
-  test("install falls back inside the canonical range when the slot is occupied", async () => {
+  test("install falls back inside the canonical range when the slot is occupied (hub#206 — no .env write)", async () => {
     const { path, configDir, cleanup } = makeTempPath();
     try {
       // Pretend something else is on 1940.
@@ -1133,11 +1149,14 @@ describe("install", () => {
       });
       expect(code).toBe(0);
       // First reservation slot is 1944.
-      const envText = readFileSync(join(configDir, "vault", ".env"), "utf8");
-      expect(envText).toContain("PORT=1944");
       const entry = findService("parachute-vault", path);
       expect(entry?.port).toBe(1944);
       expect(logs.join("\n")).toMatch(/canonical port 1940 is in use/);
+      // .env is not touched.
+      const envPath = join(configDir, "vault", ".env");
+      if (existsSync(envPath)) {
+        expect(readFileSync(envPath, "utf8")).not.toMatch(/^PORT=/m);
+      }
     } finally {
       cleanup();
     }