@openparachute/hub 0.5.7 → 0.5.10-rc.10

package/src/__tests__/install-source.test.ts

@@ -0,0 +1,249 @@
+import { describe, expect, test } from "bun:test";
+import {
+  type DetectInstallSourceDeps,
+  detectHubInstallSource,
+  detectInstallSource,
+  formatInstallSourceLabel,
+  isStale,
+} from "../install-source.ts";
+
+/**
+ * Stub helpers for the detect path. Production reads the operator's bun
+ * globals + real package.jsons; here we wire everything from a virtual
+ * filesystem so each kind (npm / bun-linked / unknown / stale) has a
+ * deterministic shape.
+ */
+function makeDeps(opts: {
+  prefixes?: readonly string[];
+  packageVersions?: Record<string, string>;
+  bunGlobalLinks?: Record<string, string>;
+  gitHeads?: Record<string, string>;
+}): DetectInstallSourceDeps {
+  const prefixes = opts.prefixes ?? ["/home/test/.bun/install/global/node_modules"];
+  return {
+    bunGlobalPrefixes: () => prefixes,
+    resolveBunGlobal: (pkg) => opts.bunGlobalLinks?.[pkg] ?? null,
+    readJson: (path) => {
+      // Path looks like `<pkgDir>/package.json` — strip suffix.
+      const pkgDirRaw = path.replace(/\/package\.json$/, "");
+      const v = opts.packageVersions?.[pkgDirRaw];
+      if (v === undefined) throw new Error(`no package.json at ${pkgDirRaw}`);
+      return { name: "@stub/pkg", version: v };
+    },
+    readGitHead: (path) => opts.gitHeads?.[path],
+  };
+}
+
+describe("detectInstallSource", () => {
+  test("classifies a bun-linked checkout (installDir outside bun globals)", () => {
+    const deps = makeDeps({
+      packageVersions: { "/Users/me/code/parachute-notes": "0.3.15-rc.1" },
+      gitHeads: { "/Users/me/code/parachute-notes": "051c404" },
+    });
+    const source = detectInstallSource(
+      { entryName: "parachute-notes", installDir: "/Users/me/code/parachute-notes" },
+      deps,
+    );
+    expect(source.kind).toBe("bun-linked");
+    expect(source.path).toBe("/Users/me/code/parachute-notes");
+    expect(source.gitHead).toBe("051c404");
+    expect(source.livePackageVersion).toBe("0.3.15-rc.1");
+  });
+
+  test("classifies an npm install (installDir under bun globals)", () => {
+    const deps = makeDeps({
+      prefixes: ["/home/test/.bun/install/global/node_modules"],
+      packageVersions: {
+        "/home/test/.bun/install/global/node_modules/@openparachute/scribe": "0.4.2-rc.1",
+      },
+    });
+    const source = detectInstallSource(
+      {
+        entryName: "parachute-scribe",
+        installDir: "/home/test/.bun/install/global/node_modules/@openparachute/scribe",
+      },
+      deps,
+    );
+    expect(source.kind).toBe("npm");
+    expect(source.livePackageVersion).toBe("0.4.2-rc.1");
+    expect(source.gitHead).toBeUndefined();
+  });
+
+  test("falls back to bun-global symlink lookup when installDir is absent", () => {
+    const deps = makeDeps({
+      bunGlobalLinks: { "@openparachute/vault": "/Users/me/code/parachute-vault" },
+      packageVersions: { "/Users/me/code/parachute-vault": "0.4.4-rc.3" },
+      gitHeads: { "/Users/me/code/parachute-vault": "8aa167b" },
+    });
+    const source = detectInstallSource({ entryName: "parachute-vault" }, deps);
+    expect(source.kind).toBe("bun-linked");
+    expect(source.path).toBe("/Users/me/code/parachute-vault");
+    expect(source.gitHead).toBe("8aa167b");
+  });
+
+  test("returns unknown when nothing resolves (no installDir, no first-party mapping)", () => {
+    const deps = makeDeps({});
+    const source = detectInstallSource({ entryName: "agent" }, deps);
+    expect(source.kind).toBe("unknown");
+    expect(source.path).toBeUndefined();
+    expect(source.gitHead).toBeUndefined();
+  });
+
+  test("omits gitHead when the bun-linked path isn't a git repo", () => {
+    const deps = makeDeps({
+      packageVersions: { "/tmp/no-git/pkg": "1.0.0" },
+      // gitHeads intentionally missing → readGitHead returns undefined.
+    });
+    const source = detectInstallSource(
+      { entryName: "third-party", installDir: "/tmp/no-git/pkg" },
+      deps,
+    );
+    expect(source.kind).toBe("bun-linked");
+    expect(source.gitHead).toBeUndefined();
+    expect(source.livePackageVersion).toBe("1.0.0");
+  });
+
+  test("omits livePackageVersion when package.json is unreadable", () => {
+    const deps = makeDeps({
+      packageVersions: {}, // every read throws
+    });
+    const source = detectInstallSource(
+      { entryName: "third-party", installDir: "/tmp/no-pkg" },
+      deps,
+    );
+    expect(source.kind).toBe("bun-linked");
+    expect(source.livePackageVersion).toBeUndefined();
+  });
+
+  test("trailing-slash prefix doesn't false-match a sibling directory", () => {
+    // Subtle: `/home/test/.bun/install/global/node_modules-other` shouldn't
+    // be classified as "under" `/home/test/.bun/install/global/node_modules`.
+    // The prefix join in `isUnderBunGlobals` adds a trailing slash precisely
+    // to avoid this — pin the behavior.
+    const deps = makeDeps({
+      prefixes: ["/home/test/.bun/install/global/node_modules"],
+      packageVersions: {
+        "/home/test/.bun/install/global/node_modules-other/pkg": "1.0.0",
+      },
+    });
+    const source = detectInstallSource(
+      {
+        entryName: "third-party",
+        installDir: "/home/test/.bun/install/global/node_modules-other/pkg",
+      },
+      deps,
+    );
+    expect(source.kind).toBe("bun-linked");
+  });
+});
+
+describe("isStale", () => {
+  test("flags drift between cached entry version and live package.json", () => {
+    expect(
+      isStale("0.3.11-rc.1", {
+        kind: "bun-linked",
+        path: "/Users/me/code/parachute-notes",
+        livePackageVersion: "0.3.15-rc.1",
+      }),
+    ).toBe(true);
+  });
+
+  test("does not flag a matching version", () => {
+    expect(
+      isStale("0.3.15-rc.1", {
+        kind: "bun-linked",
+        path: "/Users/me/code/parachute-notes",
+        livePackageVersion: "0.3.15-rc.1",
+      }),
+    ).toBe(false);
+  });
+
+  test("does not flag npm-installed services (cached version IS the source)", () => {
+    expect(
+      isStale("0.4.2-rc.1", {
+        kind: "npm",
+        path: "/path/to/global",
+        livePackageVersion: "0.4.2-rc.1",
+      }),
+    ).toBe(false);
+  });
+
+  test("does not flag when live version is unavailable", () => {
+    expect(
+      isStale("0.3.11-rc.1", {
+        kind: "bun-linked",
+        path: "/Users/me/code/parachute-notes",
+        // livePackageVersion absent — can't compute drift, don't false-flag.
+      }),
+    ).toBe(false);
+  });
+
+  test("does not flag unknown sources", () => {
+    expect(isStale("1.0.0", { kind: "unknown" })).toBe(false);
+  });
+});
+
+describe("formatInstallSourceLabel", () => {
+  test("bun-linked → basename + short SHA", () => {
+    expect(
+      formatInstallSourceLabel({
+        kind: "bun-linked",
+        path: "/Users/me/code/parachute-notes",
+        gitHead: "051c404",
+      }),
+    ).toBe("bun-linked → parachute-notes @ 051c404");
+  });
+
+  test("bun-linked without gitHead drops the @ <sha> suffix", () => {
+    expect(
+      formatInstallSourceLabel({
+        kind: "bun-linked",
+        path: "/Users/me/code/parachute-notes",
+      }),
+    ).toBe("bun-linked → parachute-notes");
+  });
+
+  test("npm with version", () => {
+    expect(
+      formatInstallSourceLabel({
+        kind: "npm",
+        path: "/some/global/dir",
+        livePackageVersion: "0.4.2-rc.1",
+      }),
+    ).toBe("npm (0.4.2-rc.1)");
+  });
+
+  test("npm without version", () => {
+    expect(formatInstallSourceLabel({ kind: "npm" })).toBe("npm");
+  });
+
+  test("unknown sources render as 'unknown'", () => {
+    expect(formatInstallSourceLabel({ kind: "unknown" })).toBe("unknown");
+  });
+});
+
+describe("detectHubInstallSource", () => {
+  test("classifies the hub based on its source location", () => {
+    // Exercise the happy path via the real hub's `src/` dir. The result
+    // depends on the test environment (CI vs. bun-linked checkout), so we
+    // only assert the kind is one of the known classifications — not the
+    // exact value. `readGitHead` is stubbed so the test never forks a real
+    // git process; the contract under test is "climb to package.json,
+    // classify by location against bun globals" — git is incidental.
+    const source = detectHubInstallSource(import.meta.dir, {
+      readGitHead: () => "deadbeef",
+    });
+    expect(["bun-linked", "npm", "unknown"]).toContain(source.kind);
+  });
+
+  test("returns unknown when no package.json exists above srcDir", () => {
+    // `/private` exists on macOS but has no package.json up the chain;
+    // injected readJson always throws so the walk hits the climb-cap.
+    const source = detectHubInstallSource("/private/var/empty", {
+      readJson: () => {
+        throw new Error("no package.json");
+      },
+    });
+    expect(source.kind).toBe("unknown");
+  });
+});

package/src/__tests__/jwt-sign.test.ts

@@ -9,8 +9,13 @@ import {
   REFRESH_TOKEN_TTL_MS,
   RefreshTokenInsertError,
   findRefreshToken,
+  findTokenRowByJti,
+  listActiveRevocations,
+  recordTokenMint,
+  revokeTokenByJti,
   signAccessToken,
   signRefreshToken,
+  tokenRowIdentity,
   validateAccessToken,
 } from "../jwt-sign.ts";
 import { getActiveSigningKey, rotateSigningKey } from "../signing-keys.ts";
@@ -359,3 +364,203 @@ describe("validateAccessToken", () => {
     }
   });
 });
+
+// closes #212 Phase 1 — unified token registry helpers (recordTokenMint,
+// revokeTokenByJti, listActiveRevocations) and the v6 schema shape.
+describe("token registry (hub#212 Phase 1)", () => {
+  test("v6 schema: tokens has user_id NULLABLE + permissions/created_via/subject", () => {
+    const { db, cleanup } = makeDb();
+    try {
+      // SQLite PRAGMA table_info reports column nullability + defaults; the
+      // bun:sqlite driver maps the row shape onto our type. The columns are
+      // (cid, name, type, notnull, dflt_value, pk) per SQLite docs.
+      type ColInfo = {
+        cid: number;
+        name: string;
+        type: string;
+        notnull: number;
+        dflt_value: string | null;
+        pk: number;
+      };
+      const cols = db.query<ColInfo, []>("PRAGMA table_info(tokens)").all();
+      const byName = new Map(cols.map((c) => [c.name, c]));
+      // Pre-v6: user_id NOT NULL. Post-v6: user_id NULLABLE.
+      expect(byName.get("user_id")?.notnull).toBe(0);
+      // New columns.
+      expect(byName.has("permissions")).toBe(true);
+      expect(byName.has("created_via")).toBe(true);
+      expect(byName.has("subject")).toBe(true);
+      // created_via has the back-compat default for pre-v6 rows.
+      expect(byName.get("created_via")?.dflt_value).toMatch(/oauth_refresh/);
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("recordTokenMint inserts a registry row matching the inputs", () => {
+    const { db, cleanup } = makeDb();
+    try {
+      const expiresAt = new Date(Date.now() + 86400_000).toISOString();
+      recordTokenMint(db, {
+        jti: "jti-cli-1",
+        createdVia: "cli_mint",
+        subject: "operator",
+        clientId: "parachute-hub",
+        scopes: ["vault:read", "scribe:transcribe"],
+        expiresAt,
+        permissions: '{"vault":{"default":{"read_tags":["public"]}}}',
+      });
+      const row = findTokenRowByJti(db, "jti-cli-1");
+      expect(row).not.toBeNull();
+      expect(row?.userId).toBeNull();
+      expect(row?.subject).toBe("operator");
+      expect(row?.createdVia).toBe("cli_mint");
+      expect(row?.scopes).toEqual(["vault:read", "scribe:transcribe"]);
+      expect(row?.expiresAt).toBe(expiresAt);
+      expect(row?.permissions).toBe('{"vault":{"default":{"read_tags":["public"]}}}');
+      expect(row?.revokedAt).toBeNull();
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("recordTokenMint with a duplicate jti throws RefreshTokenInsertError", () => {
+    const { db, cleanup } = makeDb();
+    try {
+      const expiresAt = new Date(Date.now() + 86400_000).toISOString();
+      recordTokenMint(db, {
+        jti: "jti-dup",
+        createdVia: "operator_mint",
+        subject: "operator",
+        clientId: "parachute-hub",
+        scopes: ["hub:admin"],
+        expiresAt,
+      });
+      expect(() =>
+        recordTokenMint(db, {
+          jti: "jti-dup",
+          createdVia: "cli_mint",
+          subject: "operator",
+          clientId: "parachute-hub",
+          scopes: ["vault:read"],
+          expiresAt,
+        }),
+      ).toThrow(RefreshTokenInsertError);
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("revokeTokenByJti flips revoked_at; second call returns false (idempotent)", () => {
+    const { db, cleanup } = makeDb();
+    try {
+      const expiresAt = new Date(Date.now() + 86400_000).toISOString();
+      recordTokenMint(db, {
+        jti: "jti-rev",
+        createdVia: "cli_mint",
+        subject: "operator",
+        clientId: "parachute-hub",
+        scopes: ["vault:read"],
+        expiresAt,
+      });
+      const now = new Date();
+      expect(revokeTokenByJti(db, "jti-rev", now)).toBe(true);
+      expect(revokeTokenByJti(db, "jti-rev", now)).toBe(false);
+      const row = findTokenRowByJti(db, "jti-rev");
+      expect(row?.revokedAt).toBe(now.toISOString());
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("listActiveRevocations filters by revoked_at AND expires_at>now", () => {
+    const { db, cleanup } = makeDb();
+    try {
+      const past = new Date(Date.now() - 86400_000).toISOString();
+      const future = new Date(Date.now() + 86400_000).toISOString();
+      // Two revoked rows: one expired, one active.
+      recordTokenMint(db, {
+        jti: "jti-revoked-expired",
+        createdVia: "cli_mint",
+        subject: "operator",
+        clientId: "parachute-hub",
+        scopes: ["vault:read"],
+        expiresAt: past,
+      });
+      recordTokenMint(db, {
+        jti: "jti-revoked-active",
+        createdVia: "cli_mint",
+        subject: "operator",
+        clientId: "parachute-hub",
+        scopes: ["vault:read"],
+        expiresAt: future,
+      });
+      // One non-revoked active row (control — must NOT appear).
+      recordTokenMint(db, {
+        jti: "jti-not-revoked",
+        createdVia: "cli_mint",
+        subject: "operator",
+        clientId: "parachute-hub",
+        scopes: ["vault:read"],
+        expiresAt: future,
+      });
+      const now = new Date();
+      revokeTokenByJti(db, "jti-revoked-expired", now);
+      revokeTokenByJti(db, "jti-revoked-active", now);
+      const list = listActiveRevocations(db, now);
+      expect(list).toEqual(["jti-revoked-active"]);
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("tokenRowIdentity returns userId when present, else subject", async () => {
+    const { db, cleanup } = makeDb();
+    try {
+      rotateSigningKey(db);
+      const u = await createUser(db, "owner", "pw");
+      // OAuth refresh row: userId set, subject NULL.
+      const refresh = signRefreshToken(db, {
+        jti: "jti-oauth",
+        userId: u.id,
+        clientId: "parachute-hub",
+        scopes: ["vault:read"],
+      });
+      expect(refresh.familyId).toBeDefined();
+      const oauthRow = findTokenRowByJti(db, "jti-oauth")!;
+      expect(tokenRowIdentity(oauthRow)).toBe(u.id);
+
+      // CLI mint row: userId NULL, subject set.
+      recordTokenMint(db, {
+        jti: "jti-cli",
+        createdVia: "cli_mint",
+        subject: "operator",
+        clientId: "parachute-hub",
+        scopes: ["vault:read"],
+        expiresAt: new Date(Date.now() + 86400_000).toISOString(),
+      });
+      const cliRow = findTokenRowByJti(db, "jti-cli")!;
+      expect(tokenRowIdentity(cliRow)).toBe("operator");
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("signRefreshToken explicitly stamps created_via='oauth_refresh'", async () => {
+    const { db, cleanup } = makeDb();
+    try {
+      rotateSigningKey(db);
+      const u = await createUser(db, "owner", "pw");
+      signRefreshToken(db, {
+        jti: "jti-oauth-stamped",
+        userId: u.id,
+        clientId: "parachute-hub",
+        scopes: ["vault:read"],
+      });
+      const row = findTokenRowByJti(db, "jti-oauth-stamped");
+      expect(row?.createdVia).toBe("oauth_refresh");
+    } finally {
+      cleanup();
+    }
+  });
+});

package/src/__tests__/module-manifest.test.ts

@@ -126,6 +126,54 @@ describe("validateModuleManifest", () => {
     ).toThrow(/http:.*https:/);
   });
 
+  test("uiUrl accepts a leading-slash path (Phase D)", () => {
+    const m = validateModuleManifest({ ...VALID, uiUrl: "/notes" }, "x");
+    expect(m.uiUrl).toBe("/notes");
+  });
+
+  test("uiUrl accepts an absolute https URL", () => {
+    const m = validateModuleManifest({ ...VALID, uiUrl: "https://app.example.com/" }, "x");
+    expect(m.uiUrl).toBe("https://app.example.com/");
+  });
+
+  test("uiUrl rejects empty / non-string / non-url-or-path (mirrors managementUrl)", () => {
+    expect(() => validateModuleManifest({ ...VALID, uiUrl: "" }, "x")).toThrow(/uiUrl/);
+    expect(() => validateModuleManifest({ ...VALID, uiUrl: 7 }, "x")).toThrow(/uiUrl/);
+    expect(() => validateModuleManifest({ ...VALID, uiUrl: "no-slash" }, "x")).toThrow(
+      /path starting with "\/" or a full http\(s\) URL/,
+    );
+    expect(() => validateModuleManifest({ ...VALID, uiUrl: "ftp://example.com" }, "x")).toThrow(
+      /http:.*https:/,
+    );
+  });
+
+  test("uiUrl absent stays absent", () => {
+    const m = validateModuleManifest(VALID, "x");
+    expect(m.uiUrl).toBeUndefined();
+  });
+
+  // Open-redirect regression: protocol-relative paths like "//evil.com" pass
+  // a naive `startsWith("/")` check but `new URL("//evil.com", base)` resolves
+  // to the foreign origin. A malicious third-party module could plant such a
+  // value in module.json:uiUrl and turn a discovery tile into an off-origin
+  // redirect. Both uiUrl and managementUrl are validated by the shared
+  // asPathOrUrl helper, so cover both.
+  test("uiUrl rejects protocol-relative paths (open-redirect regression)", () => {
+    expect(() => validateModuleManifest({ ...VALID, uiUrl: "//evil.com" }, "x")).toThrow(/uiUrl/);
+    expect(() => validateModuleManifest({ ...VALID, uiUrl: "//evil.com/path" }, "x")).toThrow(
+      /uiUrl/,
+    );
+  });
+
+  test("managementUrl rejects protocol-relative paths (open-redirect regression)", () => {
+    expect(() => validateModuleManifest({ ...VALID, managementUrl: "//evil.com" }, "x")).toThrow(
+      /managementUrl/,
+    );
+    expect(() =>
+      validateModuleManifest({ ...VALID, managementUrl: "//evil.com/admin" }, "x"),
+    ).toThrow(/managementUrl/);
+  });
+
   test("managementUrl absent stays absent", () => {
     const m = validateModuleManifest(VALID, "x");
     expect(m.managementUrl).toBeUndefined();