@openparachute/hub 0.6.1-rc.4 → 0.6.2

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@openparachute/hub",
-  "version": "0.6.1-rc.4",
-  "description": "parachute \u2014 the local hub for the Parachute ecosystem (discovery, ports, lifecycle, soon OAuth).",
+  "version": "0.6.2",
+  "description": "parachute — the local hub for the Parachute ecosystem (discovery, ports, lifecycle, soon OAuth).",
   "license": "AGPL-3.0",
   "publishConfig": {
     "access": "public"

package/src/__tests__/account-home-ui.test.ts

@@ -74,6 +74,40 @@ describe("renderAccountHome", () => {
     expect(html).toContain('data-testid="connect-any-client-hint"');
     // Notes CTA still present, now framed as the browser-UI option.
     expect(html).toContain('data-testid="open-notes-cta"');
+    // Import-notes CTA deep-links to the Notes-UI /import route for the same
+    // vault, mirroring the Open-Notes target-resolution (same hosted origin,
+    // same `?url=${hubOrigin}/vault/<name>` vault-targeting param).
+    expect(html).toContain(`https://notes.parachute.computer/import?url=${encodedVaultUrl}`);
+    expect(html).toContain('data-testid="import-notes-cta"');
+  });
+
+  test("assigned-vault branch — import-notes CTA gated alongside open-notes (no dead link)", () => {
+    // Both CTAs render together for an assigned vault and are absent together
+    // in the no-vault branches — so we never surface an Import link that points
+    // at a vault the user can't reach.
+    const html = renderAccountHome({
+      username: "alice",
+      assignedVaults: ["alice"],
+      passwordChanged: true,
+      hubOrigin: HUB_ORIGIN,
+      isFirstAdmin: false,
+      csrfToken: CSRF,
+      twoFactorEnabled: false,
+    });
+    expect(html).toContain('data-testid="open-notes-cta"');
+    expect(html).toContain('data-testid="import-notes-cta"');
+
+    const adminHtml = renderAccountHome({
+      username: "admin",
+      assignedVaults: [],
+      passwordChanged: true,
+      hubOrigin: HUB_ORIGIN,
+      isFirstAdmin: true,
+      csrfToken: CSRF,
+      twoFactorEnabled: false,
+    });
+    expect(adminHtml).not.toContain('data-testid="import-notes-cta"');
+    expect(adminHtml).not.toContain("notes.parachute.computer/import");
   });
 
   test("assigned-vault branch — trailing slash on hubOrigin is normalized", () => {

package/src/__tests__/cloudflare-config.test.ts

@@ -2,7 +2,8 @@ import { describe, expect, test } from "bun:test";
 import { mkdtempSync, readFileSync, rmSync } from "node:fs";
 import { tmpdir } from "node:os";
 import { join } from "node:path";
-import { renderConfig, writeConfig } from "../cloudflare/config.ts";
+import { deriveTunnelName, renderConfig, writeConfig } from "../cloudflare/config.ts";
+import { isValidTunnelName } from "../commands/expose-cloudflare.ts";
 
 describe("cloudflare config", () => {
   test("renderConfig produces a valid cloudflared YAML with one-hostname ingress + catch-all 404", () => {
@@ -52,3 +53,66 @@ describe("cloudflare config", () => {
     }
   });
 });
+
+describe("deriveTunnelName (#491 — per-hostname dedicated tunnels)", () => {
+  test("prefixes parachute- and turns dots into hyphens", () => {
+    expect(deriveTunnelName("our.parachute.computer")).toBe("parachute-our-parachute-computer");
+    expect(deriveTunnelName("vault.example.com")).toBe("parachute-vault-example-com");
+  });
+
+  test("lowercases and strips characters outside [a-z0-9_-]", () => {
+    // Uppercase → lowercase; a stray char that an over-permissive hostname
+    // validator might let through is dropped so the result stays a valid
+    // tunnel name. (Dots are already mapped to hyphens before stripping.)
+    expect(deriveTunnelName("Vault.Example.COM")).toBe("parachute-vault-example-com");
+    expect(deriveTunnelName("a_b-c.example.com")).toBe("parachute-a_b-c-example-com");
+  });
+
+  test("every derived name satisfies isValidTunnelName", () => {
+    for (const host of [
+      "our.parachute.computer",
+      "vault.example.com",
+      "Vault.Example.COM",
+      "a_b-c.example.com",
+      `${"x".repeat(200)}.example.com`,
+    ]) {
+      const name = deriveTunnelName(host);
+      expect(isValidTunnelName(name)).toBe(true);
+    }
+  });
+
+  test("truncates + appends a stable 8-hex suffix when the name would exceed 64 chars", () => {
+    const longHost = `${"sub.".repeat(20)}example.com`; // way over 64 once prefixed
+    const name = deriveTunnelName(longHost);
+    expect(name.length).toBeLessThanOrEqual(64);
+    expect(name.startsWith("parachute-")).toBe(true);
+    // 8-hex stable suffix on the end.
+    expect(name).toMatch(/-[0-9a-f]{8}$/);
+  });
+
+  test("is deterministic — same hostname always derives the same name (idempotent re-expose)", () => {
+    const longHost = `${"sub.".repeat(20)}example.com`;
+    expect(deriveTunnelName(longHost)).toBe(deriveTunnelName(longHost));
+    expect(deriveTunnelName("our.parachute.computer")).toBe(
+      deriveTunnelName("our.parachute.computer"),
+    );
+  });
+
+  test("two distinct long hostnames whose truncated bodies are identical don't collide", () => {
+    // Identical leading labels long enough that the body truncation
+    // (parachute- + body-slice + -<8hex>, capped at 64) cuts BEFORE the
+    // differing tail — so the truncated bodies are byte-identical and only the
+    // full-hostname hash distinguishes them. Verifies the suffix disambiguates.
+    const sharedPrefix = "x".repeat(80); // single long label, well past the truncation point
+    const a = `${sharedPrefix}.alpha.example.com`;
+    const b = `${sharedPrefix}.beta.example.com`;
+    const nameA = deriveTunnelName(a);
+    const nameB = deriveTunnelName(b);
+    expect(nameA.length).toBeLessThanOrEqual(64);
+    expect(nameB.length).toBeLessThanOrEqual(64);
+    // Bodies before the suffix are identical (truncation cut inside the shared
+    // prefix), so the names can only differ in the trailing 8-hex hash.
+    expect(nameA.slice(0, -8)).toBe(nameB.slice(0, -8));
+    expect(nameA).not.toBe(nameB);
+  });
+});

package/src/__tests__/cloudflare-connector-service.test.ts

@@ -0,0 +1,441 @@
+import { describe, expect, test } from "bun:test";
+import {
+  type ConnectorServiceDeps,
+  type ServiceCommandResult,
+  installConnectorService,
+  launchdLabel,
+  launchdPlistPath,
+  removeConnectorService,
+  renderLaunchdPlist,
+  renderSystemdUnit,
+  systemdUnitName,
+  systemdUnitPath,
+} from "../cloudflare/connector-service.ts";
+
+const TUNNEL = "parachute-vault-example-com";
+const CONFIG = "/home/op/.parachute/cloudflared/parachute-vault-example-com/config.yml";
+const LOG = "/home/op/.parachute/cloudflared/parachute-vault-example-com/cloudflared.log";
+const CF_BIN = "/usr/local/bin/cloudflared";
+
+interface FakeDepsState {
+  deps: ConnectorServiceDeps;
+  calls: string[][];
+  files: Map<string, string>;
+}
+
+/**
+ * Build a fully-injected dep set. Defaults to a happy macOS/Linux path where
+ * `which` resolves both cloudflared and the init tool and every command exits
+ * 0. Override per-test via `over`.
+ */
+function fakeDeps(
+  over: Partial<ConnectorServiceDeps> & { runResults?: ServiceCommandResult[] } = {},
+): FakeDepsState {
+  const calls: string[][] = [];
+  const files = new Map<string, string>();
+  let runIdx = 0;
+  const ok: ServiceCommandResult = { code: 0, stdout: "", stderr: "" };
+  const deps: ConnectorServiceDeps = {
+    platform: over.platform ?? "darwin",
+    getuid: over.getuid ?? (() => 501),
+    homeDir: over.homeDir ?? (() => "/home/op"),
+    userName: over.userName ?? (() => "op"),
+    which:
+      over.which ??
+      ((b) => {
+        if (b === "cloudflared") return CF_BIN;
+        if (b === "launchctl" || b === "systemctl" || b === "loginctl") return `/usr/bin/${b}`;
+        return null;
+      }),
+    run:
+      over.run ??
+      ((cmd) => {
+        calls.push([...cmd]);
+        const r = over.runResults?.[runIdx++];
+        return r ?? ok;
+      }),
+    writeFile: over.writeFile ?? ((p, c) => void files.set(p, c)),
+    removeFile: over.removeFile ?? ((p) => void files.delete(p)),
+    readFile: over.readFile ?? ((p) => files.get(p)),
+    exists: over.exists ?? ((p) => files.has(p)),
+  };
+  return { deps, calls, files };
+}
+
+describe("renderLaunchdPlist", () => {
+  test("produces a valid plist with RunAtLoad + KeepAlive and the absolute argv", () => {
+    const plist = renderLaunchdPlist({
+      tunnelName: TUNNEL,
+      cloudflaredPath: CF_BIN,
+      configPath: CONFIG,
+      logPath: LOG,
+    });
+    expect(plist).toContain('<?xml version="1.0"');
+    expect(plist).toContain(`<string>${launchdLabel(TUNNEL)}</string>`);
+    // argv: absolute binary + the same `tunnel --config <path> run` shape the
+    // transient spawn used.
+    expect(plist).toContain(`<string>${CF_BIN}</string>`);
+    expect(plist).toContain("<string>tunnel</string>");
+    expect(plist).toContain("<string>--config</string>");
+    expect(plist).toContain(`<string>${CONFIG}</string>`);
+    expect(plist).toContain("<string>run</string>");
+    expect(plist).toContain("<key>RunAtLoad</key>\n  <true/>");
+    expect(plist).toContain("<key>KeepAlive</key>\n  <true/>");
+    expect(plist).toContain(`<string>${LOG}</string>`);
+  });
+
+  test("label + plist path use the reverse-DNS scheme under LaunchAgents", () => {
+    expect(launchdLabel(TUNNEL)).toBe(`computer.parachute.cloudflared.${TUNNEL}`);
+    expect(launchdPlistPath(TUNNEL, "/home/op")).toBe(
+      `/home/op/Library/LaunchAgents/computer.parachute.cloudflared.${TUNNEL}.plist`,
+    );
+  });
+});
+
+describe("renderSystemdUnit", () => {
+  test("user unit: WantedBy=default.target, no User=, absolute ExecStart", () => {
+    const unit = renderSystemdUnit({
+      tunnelName: TUNNEL,
+      cloudflaredPath: CF_BIN,
+      configPath: CONFIG,
+      logPath: LOG,
+      root: false,
+      userName: "op",
+    });
+    expect(unit).toContain(`ExecStart=${CF_BIN} tunnel --config ${CONFIG} run`);
+    expect(unit).toContain("Restart=always");
+    expect(unit).toContain("WantedBy=default.target");
+    expect(unit).not.toContain("User=");
+  });
+
+  test("system unit (root): WantedBy=multi-user.target, pins User=", () => {
+    const unit = renderSystemdUnit({
+      tunnelName: TUNNEL,
+      cloudflaredPath: CF_BIN,
+      configPath: CONFIG,
+      logPath: LOG,
+      root: true,
+      userName: "op",
+    });
+    expect(unit).toContain("WantedBy=multi-user.target");
+    expect(unit).toContain("User=op");
+  });
+
+  test("unit name + path differ by scope", () => {
+    expect(systemdUnitName(TUNNEL)).toBe(`parachute-cloudflared-${TUNNEL}.service`);
+    expect(systemdUnitPath(TUNNEL, "/home/op", false)).toBe(
+      `/home/op/.config/systemd/user/parachute-cloudflared-${TUNNEL}.service`,
+    );
+    expect(systemdUnitPath(TUNNEL, "/home/op", true)).toBe(
+      `/etc/systemd/system/parachute-cloudflared-${TUNNEL}.service`,
+    );
+  });
+});
+
+describe("installConnectorService — macOS launchd", () => {
+  test("writes the plist + bootstraps it into the per-user GUI domain", () => {
+    const f = fakeDeps({ platform: "darwin", getuid: () => 501 });
+    const result = installConnectorService({
+      tunnelName: TUNNEL,
+      configPath: CONFIG,
+      logPath: LOG,
+      deps: f.deps,
+    });
+    expect(result.outcome).toBe("installed");
+    expect(result.kind).toBe("launchd");
+    const plistPath = launchdPlistPath(TUNNEL, "/home/op");
+    expect(result.servicePath).toBe(plistPath);
+    expect(f.files.get(plistPath)).toContain("<key>RunAtLoad</key>");
+    // bootout (idempotent unload) then bootstrap gui/501 <plist>.
+    expect(f.calls).toContainEqual(["launchctl", "bootout", `gui/501/${launchdLabel(TUNNEL)}`]);
+    expect(f.calls).toContainEqual(["launchctl", "bootstrap", "gui/501", plistPath]);
+  });
+
+  test("re-install is idempotent: bootout-then-bootstrap each time", () => {
+    const f = fakeDeps({ platform: "darwin" });
+    installConnectorService({ tunnelName: TUNNEL, configPath: CONFIG, logPath: LOG, deps: f.deps });
+    const firstCount = f.calls.length;
+    installConnectorService({ tunnelName: TUNNEL, configPath: CONFIG, logPath: LOG, deps: f.deps });
+    // Second install re-runs the same bootout+bootstrap sequence (no crash, no
+    // dependence on prior state).
+    expect(f.calls.length).toBe(firstCount * 2);
+    const bootstraps = f.calls.filter((c) => c[1] === "bootstrap");
+    expect(bootstraps.length).toBe(2);
+  });
+
+  test("graceful fallback when launchctl is absent", () => {
+    const f = fakeDeps({
+      platform: "darwin",
+      which: (b) => (b === "cloudflared" ? CF_BIN : null),
+    });
+    const result = installConnectorService({
+      tunnelName: TUNNEL,
+      configPath: CONFIG,
+      logPath: LOG,
+      deps: f.deps,
+    });
+    expect(result.outcome).toBe("fallback");
+    expect(result.messages.join(" ")).toContain("launchctl not found");
+    // No plist written when the tool is unavailable.
+    expect(f.files.size).toBe(0);
+  });
+
+  test("graceful fallback (no plist left behind) when bootstrap + legacy load both fail", () => {
+    const f = fakeDeps({
+      platform: "darwin",
+      // bootout(ignored) → bootstrap FAIL → load -w FAIL.
+      runResults: [
+        { code: 0, stdout: "", stderr: "" },
+        { code: 1, stdout: "", stderr: "Bootstrap failed: 5: Input/output error" },
+        { code: 1, stdout: "", stderr: "nothing found to load" },
+      ],
+    });
+    const result = installConnectorService({
+      tunnelName: TUNNEL,
+      configPath: CONFIG,
+      logPath: LOG,
+      deps: f.deps,
+    });
+    expect(result.outcome).toBe("fallback");
+    // The half-written plist is cleaned up so a stale, never-loaded file
+    // doesn't linger.
+    expect(f.files.size).toBe(0);
+    expect(result.messages.join(" ")).toContain("won't survive a reboot");
+  });
+});
+
+describe("installConnectorService — Linux systemd", () => {
+  test("non-root: writes a USER unit, enables linger, enable --now --user", () => {
+    const f = fakeDeps({ platform: "linux", getuid: () => 1000, userName: () => "op" });
+    const result = installConnectorService({
+      tunnelName: TUNNEL,
+      configPath: CONFIG,
+      logPath: LOG,
+      deps: f.deps,
+    });
+    expect(result.outcome).toBe("installed");
+    expect(result.kind).toBe("systemd-user");
+    const unitPath = systemdUnitPath(TUNNEL, "/home/op", false);
+    expect(result.servicePath).toBe(unitPath);
+    expect(f.files.get(unitPath)).toContain("WantedBy=default.target");
+    expect(f.files.get(unitPath)).not.toContain("User=");
+    // linger + the --user-scoped daemon-reload + enable.
+    expect(f.calls).toContainEqual(["loginctl", "enable-linger", "op"]);
+    expect(f.calls).toContainEqual(["systemctl", "--user", "daemon-reload"]);
+    expect(f.calls).toContainEqual([
+      "systemctl",
+      "--user",
+      "enable",
+      "--now",
+      systemdUnitName(TUNNEL),
+    ]);
+  });
+
+  test("root: writes a SYSTEM unit, no --user scope, no linger", () => {
+    const f = fakeDeps({ platform: "linux", getuid: () => 0, userName: () => "root" });
+    const result = installConnectorService({
+      tunnelName: TUNNEL,
+      configPath: CONFIG,
+      logPath: LOG,
+      deps: f.deps,
+    });
+    expect(result.outcome).toBe("installed");
+    expect(result.kind).toBe("systemd-system");
+    const unitPath = systemdUnitPath(TUNNEL, "/home/op", true);
+    expect(result.servicePath).toBe(unitPath);
+    expect(unitPath.startsWith("/etc/systemd/system/")).toBe(true);
+    expect(f.files.get(unitPath)).toContain("WantedBy=multi-user.target");
+    expect(f.files.get(unitPath)).toContain("User=root");
+    // System scope: no `--user` on any systemctl call, and no linger.
+    expect(f.calls.some((c) => c.includes("--user"))).toBe(false);
+    expect(f.calls.some((c) => c[0] === "loginctl")).toBe(false);
+    expect(f.calls).toContainEqual(["systemctl", "daemon-reload"]);
+    expect(f.calls).toContainEqual(["systemctl", "enable", "--now", systemdUnitName(TUNNEL)]);
+  });
+
+  test("non-root: linger failure is a soft warning, still installs", () => {
+    const f = fakeDeps({
+      platform: "linux",
+      getuid: () => 1000,
+      userName: () => "op",
+      // enable-linger FAIL, then daemon-reload OK, enable --now OK.
+      runResults: [
+        { code: 1, stdout: "", stderr: "Failed to enable linger" },
+        { code: 0, stdout: "", stderr: "" },
+        { code: 0, stdout: "", stderr: "" },
+      ],
+    });
+    const result = installConnectorService({
+      tunnelName: TUNNEL,
+      configPath: CONFIG,
+      logPath: LOG,
+      deps: f.deps,
+    });
+    expect(result.outcome).toBe("installed");
+    expect(result.messages.join(" ")).toContain("could not enable lingering");
+    // The warning is actionable — points at the root/system-unit path (EC2 /
+    // headless case).
+    expect(result.messages.join(" ")).toContain("re-run this command as root");
+  });
+
+  test("non-root: systemctl present but loginctl ABSENT → installs, warns, never throws", () => {
+    // The real robustness gap: production `Bun.spawnSync(["loginctl",…])`
+    // THROWS on ENOENT. With systemctl present but loginctl missing (a
+    // container with systemd but no logind), the unguarded linger call would
+    // propagate that throw out and hard-fail the whole expose. The `which`
+    // probe must skip the call and degrade to a soft warning.
+    let lingerRan = false;
+    const f = fakeDeps({
+      platform: "linux",
+      getuid: () => 1000,
+      userName: () => "op",
+      which: (b) => {
+        if (b === "cloudflared") return CF_BIN;
+        if (b === "systemctl") return "/usr/bin/systemctl";
+        if (b === "loginctl") return null; // absent
+        return null;
+      },
+      run: (cmd) => {
+        if (cmd[0] === "loginctl") lingerRan = true;
+        return { code: 0, stdout: "", stderr: "" };
+      },
+    });
+    const result = installConnectorService({
+      tunnelName: TUNNEL,
+      configPath: CONFIG,
+      logPath: LOG,
+      deps: f.deps,
+    });
+    expect(result.outcome).toBe("installed");
+    expect(result.kind).toBe("systemd-user");
+    // loginctl was NOT invoked (the probe short-circuited it).
+    expect(lingerRan).toBe(false);
+    expect(result.messages.join(" ")).toContain("could not enable lingering");
+    expect(result.messages.join(" ")).toContain("re-run this command as root");
+  });
+
+  test("non-root: loginctl present but the run THROWS → caught, installs, warns", () => {
+    // Belt-and-suspenders for the race where loginctl passes the `which` probe
+    // but the spawn itself throws (binary removed between probe and run, or an
+    // EACCES). The try/catch keeps it non-fatal.
+    const f = fakeDeps({
+      platform: "linux",
+      getuid: () => 1000,
+      userName: () => "op",
+      run: (cmd) => {
+        if (cmd[0] === "loginctl") throw new Error("spawn loginctl ENOENT");
+        return { code: 0, stdout: "", stderr: "" };
+      },
+    });
+    const result = installConnectorService({
+      tunnelName: TUNNEL,
+      configPath: CONFIG,
+      logPath: LOG,
+      deps: f.deps,
+    });
+    expect(result.outcome).toBe("installed");
+    expect(result.messages.join(" ")).toContain("could not enable lingering");
+  });
+
+  test("graceful fallback when systemctl is absent", () => {
+    const f = fakeDeps({
+      platform: "linux",
+      which: (b) => (b === "cloudflared" ? CF_BIN : null),
+    });
+    const result = installConnectorService({
+      tunnelName: TUNNEL,
+      configPath: CONFIG,
+      logPath: LOG,
+      deps: f.deps,
+    });
+    expect(result.outcome).toBe("fallback");
+    expect(result.messages.join(" ")).toContain("systemctl not found");
+    expect(f.files.size).toBe(0);
+  });
+
+  test("graceful fallback (unit removed) when enable --now fails", () => {
+    const f = fakeDeps({
+      platform: "linux",
+      getuid: () => 0,
+      userName: () => "root",
+      // daemon-reload OK, enable --now FAIL.
+      runResults: [
+        { code: 0, stdout: "", stderr: "" },
+        { code: 1, stdout: "", stderr: "Failed to enable unit: ..." },
+      ],
+    });
+    const result = installConnectorService({
+      tunnelName: TUNNEL,
+      configPath: CONFIG,
+      logPath: LOG,
+      deps: f.deps,
+    });
+    expect(result.outcome).toBe("fallback");
+    // The unit file is removed on failure so a half-installed (written but not
+    // enabled) unit doesn't linger.
+    expect(f.files.size).toBe(0);
+  });
+});
+
+describe("installConnectorService — unsupported / missing cloudflared", () => {
+  test("fallback when cloudflared can't be resolved", () => {
+    const f = fakeDeps({ which: () => null });
+    const result = installConnectorService({
+      tunnelName: TUNNEL,
+      configPath: CONFIG,
+      logPath: LOG,
+      deps: f.deps,
+    });
+    expect(result.outcome).toBe("fallback");
+    expect(result.messages.join(" ")).toContain("cloudflared binary path");
+  });
+
+  test("fallback on an unsupported platform (win32)", () => {
+    const f = fakeDeps({ platform: "win32" });
+    const result = installConnectorService({
+      tunnelName: TUNNEL,
+      configPath: CONFIG,
+      logPath: LOG,
+      deps: f.deps,
+    });
+    expect(result.outcome).toBe("fallback");
+    expect(result.messages.join(" ")).toContain("win32");
+  });
+});
+
+describe("removeConnectorService", () => {
+  test("macOS: boots out + removes the plist", () => {
+    const f = fakeDeps({ platform: "darwin", getuid: () => 501 });
+    const plistPath = launchdPlistPath(TUNNEL, "/home/op");
+    f.files.set(plistPath, "<plist/>");
+    const result = removeConnectorService({ tunnelName: TUNNEL, deps: f.deps });
+    expect(result.removed).toBe(true);
+    expect(f.files.has(plistPath)).toBe(false);
+    expect(f.calls).toContainEqual(["launchctl", "bootout", `gui/501/${launchdLabel(TUNNEL)}`]);
+  });
+
+  test("Linux non-root: disable --now --user + removes the user unit + daemon-reload", () => {
+    const f = fakeDeps({ platform: "linux", getuid: () => 1000 });
+    const unitPath = systemdUnitPath(TUNNEL, "/home/op", false);
+    f.files.set(unitPath, "[Unit]");
+    const result = removeConnectorService({ tunnelName: TUNNEL, deps: f.deps });
+    expect(result.removed).toBe(true);
+    expect(f.files.has(unitPath)).toBe(false);
+    expect(f.calls).toContainEqual([
+      "systemctl",
+      "--user",
+      "disable",
+      "--now",
+      systemdUnitName(TUNNEL),
+    ]);
+    expect(f.calls).toContainEqual(["systemctl", "--user", "daemon-reload"]);
+  });
+
+  test("no-op (no throw) when no service file exists", () => {
+    const f = fakeDeps({ platform: "darwin" });
+    const result = removeConnectorService({ tunnelName: TUNNEL, deps: f.deps });
+    expect(result.removed).toBe(false);
+    // Nothing run — pure no-op so the off-path always succeeds at clearing state.
+    expect(f.calls.length).toBe(0);
+  });
+});