@openparachute/hub 0.5.2 → 0.5.9-rc.6

package/src/__tests__/jwt-sign.test.ts

@@ -9,8 +9,13 @@ import {
   REFRESH_TOKEN_TTL_MS,
   RefreshTokenInsertError,
   findRefreshToken,
+  findTokenRowByJti,
+  listActiveRevocations,
+  recordTokenMint,
+  revokeTokenByJti,
   signAccessToken,
   signRefreshToken,
+  tokenRowIdentity,
   validateAccessToken,
 } from "../jwt-sign.ts";
 import { getActiveSigningKey, rotateSigningKey } from "../signing-keys.ts";
@@ -359,3 +364,203 @@ describe("validateAccessToken", () => {
     }
   });
 });
+
+// closes #212 Phase 1 — unified token registry helpers (recordTokenMint,
+// revokeTokenByJti, listActiveRevocations) and the v6 schema shape.
+describe("token registry (hub#212 Phase 1)", () => {
+  test("v6 schema: tokens has user_id NULLABLE + permissions/created_via/subject", () => {
+    const { db, cleanup } = makeDb();
+    try {
+      // SQLite PRAGMA table_info reports column nullability + defaults; the
+      // bun:sqlite driver maps the row shape onto our type. The columns are
+      // (cid, name, type, notnull, dflt_value, pk) per SQLite docs.
+      type ColInfo = {
+        cid: number;
+        name: string;
+        type: string;
+        notnull: number;
+        dflt_value: string | null;
+        pk: number;
+      };
+      const cols = db.query<ColInfo, []>("PRAGMA table_info(tokens)").all();
+      const byName = new Map(cols.map((c) => [c.name, c]));
+      // Pre-v6: user_id NOT NULL. Post-v6: user_id NULLABLE.
+      expect(byName.get("user_id")?.notnull).toBe(0);
+      // New columns.
+      expect(byName.has("permissions")).toBe(true);
+      expect(byName.has("created_via")).toBe(true);
+      expect(byName.has("subject")).toBe(true);
+      // created_via has the back-compat default for pre-v6 rows.
+      expect(byName.get("created_via")?.dflt_value).toMatch(/oauth_refresh/);
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("recordTokenMint inserts a registry row matching the inputs", () => {
+    const { db, cleanup } = makeDb();
+    try {
+      const expiresAt = new Date(Date.now() + 86400_000).toISOString();
+      recordTokenMint(db, {
+        jti: "jti-cli-1",
+        createdVia: "cli_mint",
+        subject: "operator",
+        clientId: "parachute-hub",
+        scopes: ["vault:read", "scribe:transcribe"],
+        expiresAt,
+        permissions: '{"vault":{"default":{"read_tags":["public"]}}}',
+      });
+      const row = findTokenRowByJti(db, "jti-cli-1");
+      expect(row).not.toBeNull();
+      expect(row?.userId).toBeNull();
+      expect(row?.subject).toBe("operator");
+      expect(row?.createdVia).toBe("cli_mint");
+      expect(row?.scopes).toEqual(["vault:read", "scribe:transcribe"]);
+      expect(row?.expiresAt).toBe(expiresAt);
+      expect(row?.permissions).toBe('{"vault":{"default":{"read_tags":["public"]}}}');
+      expect(row?.revokedAt).toBeNull();
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("recordTokenMint with a duplicate jti throws RefreshTokenInsertError", () => {
+    const { db, cleanup } = makeDb();
+    try {
+      const expiresAt = new Date(Date.now() + 86400_000).toISOString();
+      recordTokenMint(db, {
+        jti: "jti-dup",
+        createdVia: "operator_mint",
+        subject: "operator",
+        clientId: "parachute-hub",
+        scopes: ["hub:admin"],
+        expiresAt,
+      });
+      expect(() =>
+        recordTokenMint(db, {
+          jti: "jti-dup",
+          createdVia: "cli_mint",
+          subject: "operator",
+          clientId: "parachute-hub",
+          scopes: ["vault:read"],
+          expiresAt,
+        }),
+      ).toThrow(RefreshTokenInsertError);
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("revokeTokenByJti flips revoked_at; second call returns false (idempotent)", () => {
+    const { db, cleanup } = makeDb();
+    try {
+      const expiresAt = new Date(Date.now() + 86400_000).toISOString();
+      recordTokenMint(db, {
+        jti: "jti-rev",
+        createdVia: "cli_mint",
+        subject: "operator",
+        clientId: "parachute-hub",
+        scopes: ["vault:read"],
+        expiresAt,
+      });
+      const now = new Date();
+      expect(revokeTokenByJti(db, "jti-rev", now)).toBe(true);
+      expect(revokeTokenByJti(db, "jti-rev", now)).toBe(false);
+      const row = findTokenRowByJti(db, "jti-rev");
+      expect(row?.revokedAt).toBe(now.toISOString());
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("listActiveRevocations filters by revoked_at AND expires_at>now", () => {
+    const { db, cleanup } = makeDb();
+    try {
+      const past = new Date(Date.now() - 86400_000).toISOString();
+      const future = new Date(Date.now() + 86400_000).toISOString();
+      // Two revoked rows: one expired, one active.
+      recordTokenMint(db, {
+        jti: "jti-revoked-expired",
+        createdVia: "cli_mint",
+        subject: "operator",
+        clientId: "parachute-hub",
+        scopes: ["vault:read"],
+        expiresAt: past,
+      });
+      recordTokenMint(db, {
+        jti: "jti-revoked-active",
+        createdVia: "cli_mint",
+        subject: "operator",
+        clientId: "parachute-hub",
+        scopes: ["vault:read"],
+        expiresAt: future,
+      });
+      // One non-revoked active row (control — must NOT appear).
+      recordTokenMint(db, {
+        jti: "jti-not-revoked",
+        createdVia: "cli_mint",
+        subject: "operator",
+        clientId: "parachute-hub",
+        scopes: ["vault:read"],
+        expiresAt: future,
+      });
+      const now = new Date();
+      revokeTokenByJti(db, "jti-revoked-expired", now);
+      revokeTokenByJti(db, "jti-revoked-active", now);
+      const list = listActiveRevocations(db, now);
+      expect(list).toEqual(["jti-revoked-active"]);
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("tokenRowIdentity returns userId when present, else subject", async () => {
+    const { db, cleanup } = makeDb();
+    try {
+      rotateSigningKey(db);
+      const u = await createUser(db, "owner", "pw");
+      // OAuth refresh row: userId set, subject NULL.
+      const refresh = signRefreshToken(db, {
+        jti: "jti-oauth",
+        userId: u.id,
+        clientId: "parachute-hub",
+        scopes: ["vault:read"],
+      });
+      expect(refresh.familyId).toBeDefined();
+      const oauthRow = findTokenRowByJti(db, "jti-oauth")!;
+      expect(tokenRowIdentity(oauthRow)).toBe(u.id);
+
+      // CLI mint row: userId NULL, subject set.
+      recordTokenMint(db, {
+        jti: "jti-cli",
+        createdVia: "cli_mint",
+        subject: "operator",
+        clientId: "parachute-hub",
+        scopes: ["vault:read"],
+        expiresAt: new Date(Date.now() + 86400_000).toISOString(),
+      });
+      const cliRow = findTokenRowByJti(db, "jti-cli")!;
+      expect(tokenRowIdentity(cliRow)).toBe("operator");
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("signRefreshToken explicitly stamps created_via='oauth_refresh'", async () => {
+    const { db, cleanup } = makeDb();
+    try {
+      rotateSigningKey(db);
+      const u = await createUser(db, "owner", "pw");
+      signRefreshToken(db, {
+        jti: "jti-oauth-stamped",
+        userId: u.id,
+        clientId: "parachute-hub",
+        scopes: ["vault:read"],
+      });
+      const row = findTokenRowByJti(db, "jti-oauth-stamped");
+      expect(row?.createdVia).toBe("oauth_refresh");
+    } finally {
+      cleanup();
+    }
+  });
+});

package/src/__tests__/lifecycle.test.ts

@@ -248,7 +248,11 @@ describe("parachute start", () => {
         configDir: h.configDir,
         manifestPath: h.manifestPath,
         spawner,
-        alive: () => false,
+        // Stale 4242 is dead; the freshly spawned 7777 is alive — the
+        // post-spawn settle (hub#194) calls alive(pid) on the new pid,
+        // so we differentiate per-pid rather than blanket-false.
+        alive: (pid) => pid === 7777,
+        sleep: async () => {},
         log: () => {},
       });
       expect(code).toBe(0);
@@ -629,6 +633,94 @@ describe("parachute start", () => {
     }
   });
 
+  test("hub#194: reports failure when child dies before the settle window", async () => {
+    // The bug: `parachute start notes` reported `✓ notes started (pid X)`
+    // but notes-serve crashed milliseconds later on a Bun.resolveSync
+    // failure, leaving tailnet `/notes/` 502'ing. Fix: after spawn, sleep
+    // ~250ms then re-check alive(pid). If dead, clear pidfile, log
+    // failure, return non-zero. This regression test pins the post-fix
+    // shape with a stub alive that always reports dead and a fast settle.
+    const h = makeHarness();
+    try {
+      seedVault(h.manifestPath);
+      const spawner = makeSpawner([4242]);
+      const lines: string[] = [];
+      const code = await start("vault", {
+        configDir: h.configDir,
+        manifestPath: h.manifestPath,
+        spawner,
+        alive: () => false, // child dies immediately after spawn
+        sleep: async () => {}, // skip the real wait in tests
+        startSettleMs: 1, // any non-zero value engages the check
+        log: (l) => lines.push(l),
+      });
+      expect(code).toBe(1);
+      expect(spawner.calls).toHaveLength(1);
+      // pidfile is cleared so a follow-up `start` doesn't report
+      // already-running against a corpse.
+      expect(readPid("vault", h.configDir)).toBeUndefined();
+      const out = lines.join("\n");
+      expect(out).toMatch(/✗ vault failed to start/);
+      expect(out).toMatch(/exited within 1ms/);
+      expect(out).toMatch(/Tail the log/);
+      expect(out).not.toMatch(/✓ vault started/);
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("hub#194: settle path passes when child stays alive past the window", async () => {
+    // Companion to the above — verifies the success-path shape doesn't
+    // regress. Stub alive returns true so the post-spawn check passes,
+    // and we still see the `✓ ... started` line.
+    const h = makeHarness();
+    try {
+      seedVault(h.manifestPath);
+      const spawner = makeSpawner([4242]);
+      const lines: string[] = [];
+      const code = await start("vault", {
+        configDir: h.configDir,
+        manifestPath: h.manifestPath,
+        spawner,
+        alive: () => true,
+        sleep: async () => {},
+        startSettleMs: 1,
+        log: (l) => lines.push(l),
+      });
+      expect(code).toBe(0);
+      expect(readPid("vault", h.configDir)).toBe(4242);
+      expect(lines.join("\n")).toMatch(/✓ vault started \(pid 4242\)/);
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("hub#194: settle skipped when startSettleMs is 0", async () => {
+    // Defense — don't regress the test-default policy. With a stub
+    // spawner and no `alive` override, the resolved settle is 0 (see
+    // resolve() in lifecycle.ts), so the post-spawn check is bypassed
+    // entirely and even an `alive: () => false` doesn't matter.
+    const h = makeHarness();
+    try {
+      seedVault(h.manifestPath);
+      const spawner = makeSpawner([4242]);
+      const code = await start("vault", {
+        configDir: h.configDir,
+        manifestPath: h.manifestPath,
+        spawner,
+        startSettleMs: 0,
+        // intentionally omit alive — defaultAlive against a fake pid
+        // would normally report dead, but startSettleMs: 0 skips the
+        // call entirely.
+        log: () => {},
+      });
+      expect(code).toBe(0);
+      expect(readPid("vault", h.configDir)).toBe(4242);
+    } finally {
+      h.cleanup();
+    }
+  });
+
   test("third-party with no startCmd in module.json reports lifecycle-unsupported", async () => {
     const h = makeHarness();
     try {
@@ -802,7 +894,10 @@ describe("parachute restart", () => {
         manifestPath: h.manifestPath,
         spawner,
         kill: (pid, sig) => killed.push([pid, sig]),
-        alive: () => false,
+        // Stale 4242 is dead (stop's stale-pid path skips the kill);
+        // freshly spawned 7777 is alive past the post-spawn settle
+        // (hub#194). Per-pid differentiation rather than blanket-false.
+        alive: (pid) => pid === 7777,
         sleep: async () => {},
         log: () => {},
       });

package/src/__tests__/module-manifest.test.ts

@@ -126,6 +126,54 @@ describe("validateModuleManifest", () => {
     ).toThrow(/http:.*https:/);
   });
 
+  test("uiUrl accepts a leading-slash path (Phase D)", () => {
+    const m = validateModuleManifest({ ...VALID, uiUrl: "/notes" }, "x");
+    expect(m.uiUrl).toBe("/notes");
+  });
+
+  test("uiUrl accepts an absolute https URL", () => {
+    const m = validateModuleManifest({ ...VALID, uiUrl: "https://app.example.com/" }, "x");
+    expect(m.uiUrl).toBe("https://app.example.com/");
+  });
+
+  test("uiUrl rejects empty / non-string / non-url-or-path (mirrors managementUrl)", () => {
+    expect(() => validateModuleManifest({ ...VALID, uiUrl: "" }, "x")).toThrow(/uiUrl/);
+    expect(() => validateModuleManifest({ ...VALID, uiUrl: 7 }, "x")).toThrow(/uiUrl/);
+    expect(() => validateModuleManifest({ ...VALID, uiUrl: "no-slash" }, "x")).toThrow(
+      /path starting with "\/" or a full http\(s\) URL/,
+    );
+    expect(() => validateModuleManifest({ ...VALID, uiUrl: "ftp://example.com" }, "x")).toThrow(
+      /http:.*https:/,
+    );
+  });
+
+  test("uiUrl absent stays absent", () => {
+    const m = validateModuleManifest(VALID, "x");
+    expect(m.uiUrl).toBeUndefined();
+  });
+
+  // Open-redirect regression: protocol-relative paths like "//evil.com" pass
+  // a naive `startsWith("/")` check but `new URL("//evil.com", base)` resolves
+  // to the foreign origin. A malicious third-party module could plant such a
+  // value in module.json:uiUrl and turn a discovery tile into an off-origin
+  // redirect. Both uiUrl and managementUrl are validated by the shared
+  // asPathOrUrl helper, so cover both.
+  test("uiUrl rejects protocol-relative paths (open-redirect regression)", () => {
+    expect(() => validateModuleManifest({ ...VALID, uiUrl: "//evil.com" }, "x")).toThrow(/uiUrl/);
+    expect(() => validateModuleManifest({ ...VALID, uiUrl: "//evil.com/path" }, "x")).toThrow(
+      /uiUrl/,
+    );
+  });
+
+  test("managementUrl rejects protocol-relative paths (open-redirect regression)", () => {
+    expect(() => validateModuleManifest({ ...VALID, managementUrl: "//evil.com" }, "x")).toThrow(
+      /managementUrl/,
+    );
+    expect(() =>
+      validateModuleManifest({ ...VALID, managementUrl: "//evil.com/admin" }, "x"),
+    ).toThrow(/managementUrl/);
+  });
+
   test("managementUrl absent stays absent", () => {
     const m = validateModuleManifest(VALID, "x");
     expect(m.managementUrl).toBeUndefined();

package/src/__tests__/notes-serve.test.ts

@@ -1,8 +1,13 @@
 import { describe, expect, test } from "bun:test";
-import { mkdtempSync, rmSync, writeFileSync } from "node:fs";
+import { mkdirSync, mkdtempSync, realpathSync, rmSync, writeFileSync } from "node:fs";
 import { tmpdir } from "node:os";
 import { join } from "node:path";
-import { normalizeMount, notesFetch } from "../notes-serve.ts";
+import {
+  normalizeMount,
+  notesDistCandidates,
+  notesFetch,
+  resolveNotesDistFrom,
+} from "../notes-serve.ts";
 
 interface Harness {
   dir: string;
@@ -133,3 +138,150 @@ describe("notesFetch with empty mount (root deployment)", () => {
     }
   });
 });
+
+describe("notesDistCandidates", () => {
+  test("returns cwd, then global node_modules, then global root", () => {
+    const cands = notesDistCandidates("/some/cwd", "/home/user");
+    expect(cands).toEqual([
+      "/some/cwd",
+      "/home/user/.bun/install/global/node_modules",
+      "/home/user/.bun/install/global",
+    ]);
+  });
+});
+
+/**
+ * `resolveNotesDistFrom` is the hub#194 fix — when the cwd-relative resolve
+ * fails (hub repo dir doesn't depend on @openparachute/notes), we walk down
+ * to bun's global install dirs before giving up. Tests use a stub
+ * `resolveSync` so we can drive the candidate order without writing real
+ * fixtures into `~/.bun/install/global`.
+ */
+describe("resolveNotesDistFrom (hub#194)", () => {
+  function makeFixture(): { home: string; cleanup: () => void; pkgRoot: string; dist: string } {
+    // realpathSync — on macOS `mkdtempSync` returns a /var/folders path
+    // that resolves to /private/var/folders; we want the resolved form so
+    // string comparisons against `Bun.resolveSync` output line up.
+    const root = realpathSync(mkdtempSync(join(tmpdir(), "pcli-notes-resolve-")));
+    const home = join(root, "home");
+    const pkgRoot = join(home, ".bun/install/global/node_modules/@openparachute/notes");
+    mkdirSync(pkgRoot, { recursive: true });
+    const dist = join(pkgRoot, "dist");
+    mkdirSync(dist, { recursive: true });
+    writeFileSync(join(pkgRoot, "package.json"), '{"name":"@openparachute/notes"}');
+    return { home, pkgRoot, dist, cleanup: () => rmSync(root, { recursive: true, force: true }) };
+  }
+
+  test("first-candidate (cwd) hit returns its dist immediately", () => {
+    const f = makeFixture();
+    try {
+      const calls: string[] = [];
+      const out = resolveNotesDistFrom({
+        cwd: "/cwd-with-notes",
+        home: f.home,
+        resolveSync: (specifier, base) => {
+          calls.push(base);
+          if (base === "/cwd-with-notes") {
+            return "/cwd-with-notes/node_modules/@openparachute/notes/package.json";
+          }
+          throw new Error(`unexpected base: ${base}`);
+        },
+        existsSync: (p) => p === "/cwd-with-notes/node_modules/@openparachute/notes/dist",
+      });
+      expect(out).toBe("/cwd-with-notes/node_modules/@openparachute/notes/dist");
+      // Only the cwd candidate should be probed — we short-circuit on hit.
+      expect(calls).toEqual(["/cwd-with-notes"]);
+    } finally {
+      f.cleanup();
+    }
+  });
+
+  test("falls through to global node_modules when cwd resolve fails (hub#194 root cause)", () => {
+    // The exact scenario from hub#194: hub repo's cwd has no dependency on
+    // notes, so the first candidate throws ResolveMessage. Bun does NOT
+    // auto-consult ~/.bun/install/global, so we have to try it explicitly.
+    const f = makeFixture();
+    try {
+      const calls: string[] = [];
+      const out = resolveNotesDistFrom({
+        cwd: "/hub-repo-cwd-without-notes",
+        home: f.home,
+        resolveSync: (specifier, base) => {
+          calls.push(base);
+          if (base === "/hub-repo-cwd-without-notes") {
+            throw new Error(`Cannot find module '${specifier}' from '${base}'`);
+          }
+          // Real Bun.resolveSync against the global node_modules dir
+          // resolves into the package's package.json.
+          return Bun.resolveSync(specifier, base);
+        },
+        // Use real existsSync — the fixture has dist/ on disk.
+      });
+      expect(out).toBe(f.dist);
+      // Both candidates probed, in order.
+      expect(calls[0]).toBe("/hub-repo-cwd-without-notes");
+      expect(calls[1]).toBe(join(f.home, ".bun/install/global/node_modules"));
+    } finally {
+      f.cleanup();
+    }
+  });
+
+  test("falls through past global node_modules to the older global root layout", () => {
+    // Defensive: older Bun versions used a flatter global layout. We probe
+    // both. This test forces the first two candidates to fail and pins
+    // that the third is reached.
+    const probed: string[] = [];
+    expect(() =>
+      resolveNotesDistFrom({
+        cwd: "/cwd",
+        home: "/h",
+        resolveSync: (_specifier, base) => {
+          probed.push(base);
+          throw new Error(`Cannot find module from '${base}'`);
+        },
+      }),
+    ).toThrow(/Could not resolve @openparachute\/notes from any of/);
+    expect(probed).toEqual([
+      "/cwd",
+      "/h/.bun/install/global/node_modules",
+      "/h/.bun/install/global",
+    ]);
+  });
+
+  test("error message names every candidate that was tried", () => {
+    let caught: unknown;
+    try {
+      resolveNotesDistFrom({
+        cwd: "/probe-cwd",
+        home: "/probe-home",
+        resolveSync: (_specifier, base) => {
+          throw new Error(`Cannot find module from '${base}'`);
+        },
+      });
+    } catch (err) {
+      caught = err;
+    }
+    expect(caught).toBeInstanceOf(Error);
+    const msg = (caught as Error).message;
+    expect(msg).toContain("/probe-cwd");
+    expect(msg).toContain("/probe-home/.bun/install/global/node_modules");
+    expect(msg).toContain("/probe-home/.bun/install/global");
+    // Hint operators at the actionable next step.
+    expect(msg).toMatch(/bun add -g @openparachute\/notes|parachute install notes/);
+  });
+
+  test("resolved package without dist/ throws a hard error (no fallthrough)", () => {
+    // If the package resolves but lacks a dist/ directory, that's a
+    // packaging issue — falling through to other candidates would just
+    // re-resolve the same package. Surface the problem with the resolved
+    // path so the operator can file the right issue against the package.
+    expect(() =>
+      resolveNotesDistFrom({
+        cwd: "/cwd-with-notes",
+        home: "/h",
+        resolveSync: () => "/cwd-with-notes/node_modules/@openparachute/notes/package.json",
+        existsSync: () => false,
+      }),
+    ).toThrow(/has no dist\/ directory/);
+  });
+});