@openparachute/hub 0.6.1-rc.3 → 0.6.1

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@openparachute/hub",
-  "version": "0.6.1-rc.3",
-  "description": "parachute \u2014 the local hub for the Parachute ecosystem (discovery, ports, lifecycle, soon OAuth).",
+  "version": "0.6.1",
+  "description": "parachute — the local hub for the Parachute ecosystem (discovery, ports, lifecycle, soon OAuth).",
   "license": "AGPL-3.0",
   "publishConfig": {
     "access": "public"

package/src/__tests__/account-home-ui.test.ts

@@ -310,7 +310,9 @@ describe("renderAccountHome", () => {
     expect(html).not.toContain('data-testid="mint-verb-write"');
   });
 
-  test("mint affordance — never offers an admin verb", () => {
+  test("mint affordance — offers the admin verb when the user holds it", () => {
+    // 2026-05-30: assigned users hold read/write/admin on their vault, so the
+    // mint form offers admin (the live `vaultVerbsForUserVault` returns it).
     const html = renderAccountHome({
       username: "alice",
       assignedVaults: ["work"],
@@ -319,10 +321,10 @@ describe("renderAccountHome", () => {
       isFirstAdmin: false,
       csrfToken: CSRF,
       twoFactorEnabled: false,
-      mintableVerbs: { work: ["read", "write"] },
+      mintableVerbs: { work: ["read", "write", "admin"] },
     });
-    expect(html).not.toContain('value="admin"');
-    expect(html).not.toContain('data-testid="mint-verb-admin"');
+    expect(html).toContain('value="admin"');
+    expect(html).toContain('data-testid="mint-verb-admin"');
   });
 
   test("mint affordance — absent when no mintable verbs (admin / no-vault / unmapped role)", () => {

package/src/__tests__/account-vault-token.test.ts

@@ -10,7 +10,8 @@
  *   - UNassigned vault      → 403 (cannot mint for a vault not in the
  *                             user's `user_vaults` assignment — blocks
  *                             cross-vault).
- *   - `admin` verb          → rejected (not in the form vocabulary).
+ *   - `admin` verb          → minted for an ASSIGNED vault (2026-05-30:
+ *                             assigned users hold full vault authority).
  *   - Broader/garbage verb  → rejected.
  *   - First admin           → 403 (no `user_vaults` rows → unrestricted
  *                             admins use the SPA path, not this one).
@@ -245,17 +246,19 @@ describe("handleAccountVaultTokenPost — authorization gates (adversarial)", ()
     expect(res.status).toBe(403);
   });
 
-  test("admin verb is rejected — never mints vault:<name>:admin", async () => {
+  test("200 mints vault:<name>:admin when verb=admin (assigned users hold admin, 2026-05-30)", async () => {
     const { cookie, csrfToken } = await seedFriend(["work"]);
     const res = await handleAccountVaultTokenPost(
       mintReq("work", { cookie, csrfToken, verb: "admin" }),
       "work",
       deps(),
     );
-    expect(res.status).toBe(400);
+    expect(res.status).toBe(200);
     const html = await res.text();
-    expect(html).not.toContain('data-testid="minted-token-banner"');
-    expect(html).not.toContain("vault:work:admin");
+    const token = html.match(/data-testid="minted-token-value">([^<]+)</)?.[1] as string;
+    const validated = await validateAccessToken(harness.db, token, ISSUER);
+    const scopeClaim = (validated.payload as { scope?: string }).scope ?? "";
+    expect(scopeClaim.split(/\s+/)).toEqual(["vault:work:admin"]);
   });
 
   test("a garbage / broader verb is rejected", async () => {

package/src/__tests__/cloudflare-config.test.ts

@@ -2,7 +2,8 @@ import { describe, expect, test } from "bun:test";
 import { mkdtempSync, readFileSync, rmSync } from "node:fs";
 import { tmpdir } from "node:os";
 import { join } from "node:path";
-import { renderConfig, writeConfig } from "../cloudflare/config.ts";
+import { deriveTunnelName, renderConfig, writeConfig } from "../cloudflare/config.ts";
+import { isValidTunnelName } from "../commands/expose-cloudflare.ts";
 
 describe("cloudflare config", () => {
   test("renderConfig produces a valid cloudflared YAML with one-hostname ingress + catch-all 404", () => {
@@ -52,3 +53,66 @@ describe("cloudflare config", () => {
     }
   });
 });
+
+describe("deriveTunnelName (#491 — per-hostname dedicated tunnels)", () => {
+  test("prefixes parachute- and turns dots into hyphens", () => {
+    expect(deriveTunnelName("our.parachute.computer")).toBe("parachute-our-parachute-computer");
+    expect(deriveTunnelName("vault.example.com")).toBe("parachute-vault-example-com");
+  });
+
+  test("lowercases and strips characters outside [a-z0-9_-]", () => {
+    // Uppercase → lowercase; a stray char that an over-permissive hostname
+    // validator might let through is dropped so the result stays a valid
+    // tunnel name. (Dots are already mapped to hyphens before stripping.)
+    expect(deriveTunnelName("Vault.Example.COM")).toBe("parachute-vault-example-com");
+    expect(deriveTunnelName("a_b-c.example.com")).toBe("parachute-a_b-c-example-com");
+  });
+
+  test("every derived name satisfies isValidTunnelName", () => {
+    for (const host of [
+      "our.parachute.computer",
+      "vault.example.com",
+      "Vault.Example.COM",
+      "a_b-c.example.com",
+      `${"x".repeat(200)}.example.com`,
+    ]) {
+      const name = deriveTunnelName(host);
+      expect(isValidTunnelName(name)).toBe(true);
+    }
+  });
+
+  test("truncates + appends a stable 8-hex suffix when the name would exceed 64 chars", () => {
+    const longHost = `${"sub.".repeat(20)}example.com`; // way over 64 once prefixed
+    const name = deriveTunnelName(longHost);
+    expect(name.length).toBeLessThanOrEqual(64);
+    expect(name.startsWith("parachute-")).toBe(true);
+    // 8-hex stable suffix on the end.
+    expect(name).toMatch(/-[0-9a-f]{8}$/);
+  });
+
+  test("is deterministic — same hostname always derives the same name (idempotent re-expose)", () => {
+    const longHost = `${"sub.".repeat(20)}example.com`;
+    expect(deriveTunnelName(longHost)).toBe(deriveTunnelName(longHost));
+    expect(deriveTunnelName("our.parachute.computer")).toBe(
+      deriveTunnelName("our.parachute.computer"),
+    );
+  });
+
+  test("two distinct long hostnames whose truncated bodies are identical don't collide", () => {
+    // Identical leading labels long enough that the body truncation
+    // (parachute- + body-slice + -<8hex>, capped at 64) cuts BEFORE the
+    // differing tail — so the truncated bodies are byte-identical and only the
+    // full-hostname hash distinguishes them. Verifies the suffix disambiguates.
+    const sharedPrefix = "x".repeat(80); // single long label, well past the truncation point
+    const a = `${sharedPrefix}.alpha.example.com`;
+    const b = `${sharedPrefix}.beta.example.com`;
+    const nameA = deriveTunnelName(a);
+    const nameB = deriveTunnelName(b);
+    expect(nameA.length).toBeLessThanOrEqual(64);
+    expect(nameB.length).toBeLessThanOrEqual(64);
+    // Bodies before the suffix are identical (truncation cut inside the shared
+    // prefix), so the names can only differ in the trailing 8-hex hash.
+    expect(nameA.slice(0, -8)).toBe(nameB.slice(0, -8));
+    expect(nameA).not.toBe(nameB);
+  });
+});