@openparachute/hub 0.6.3 → 0.6.4-rc.10

package/src/admin-vaults.ts

@@ -59,6 +59,8 @@ import type { Database } from "bun:sqlite";
 import { type AdminAuthError, adminAuthErrorResponse, requireScope } from "./admin-auth.ts";
 import { SERVICES_MANIFEST_PATH } from "./config.ts";
 import { findService, type readManifest, readManifestLenient } from "./services-manifest.ts";
+import { enrichedPath } from "./spawn-path.ts";
+import { VAULT_NAME_CHARSET_RE } from "./vault-name.ts";
 import { type WellKnownVaultEntry, isVaultEntry, vaultInstanceNameFor } from "./well-known.ts";
 
 /** Scope required to call POST /vaults. */
@@ -72,7 +74,12 @@ export const HOST_ADMIN_SCOPE = "parachute:host:admin";
  * the hub rejects them at the API edge before a vault under those names
  * can register and capture the proxy path.
  */
-const VAULT_NAME_PATTERN = /^[a-zA-Z0-9_-]+$/;
+// Lowercase-only (item I) — single source of truth in vault-name.ts. Vault's
+// init enforces `[a-z0-9_-]`; a hub-side `[a-zA-Z0-9_-]` superset let an
+// uppercased name through that vault would then lowercase or reject, drifting
+// the hub's idea of the vault from vault's. The hub-only reservations (`new`,
+// `assets`) shadow SPA routes and stay on top of vault's `list`.
+const VAULT_NAME_PATTERN = VAULT_NAME_CHARSET_RE;
 const RESERVED_VAULT_NAMES = new Set(["list", "new", "assets"]);
 
 export interface CreateVaultRequest {
@@ -164,7 +171,7 @@ async function parseBody(req: Request): Promise<ParseResult | ParseError> {
     return {
       ok: false,
       status: 400,
-      message: "vault name must contain only letters, numbers, hyphens, and underscores",
+      message: "vault name must contain only lowercase letters, numbers, hyphens, and underscores",
     };
   }
   if (RESERVED_VAULT_NAMES.has(name)) {
@@ -230,9 +237,13 @@ function buildEntry(
 async function defaultRunCommand(cmd: readonly string[]): Promise<RunResult> {
   // Inherit env so the child sees PATH, HOME, BUN_INSTALL, etc. Bun.spawn
   // defaults to empty env — see api-modules-ops.ts:defaultRun for the rationale.
+  // PATH enrichment (hub launchd-PATH regression): a launchd-managed hub bakes
+  // a minimal PATH, so this shell-out (vault ops) inherits that thin PATH too;
+  // enrich it with operator-tool dirs (`$HOME/.local/bin`, brew bin). See
+  // `spawn-path.ts`.
   const proc = Bun.spawn([...cmd], {
     stdio: ["ignore", "pipe", "pipe"],
-    env: process.env,
+    env: { ...process.env, PATH: enrichedPath() },
   });
   // Drain both pipes in parallel — leaving stderr unread can deadlock long
   // installs once the OS pipe buffer fills (#97). Captured stderr is folded
@@ -268,10 +279,17 @@ async function orchestrate(
   manifestPath: string,
   name: string,
   runCommand: (cmd: readonly string[]) => Promise<RunResult>,
+  opts: { noMirror?: boolean } = {},
 ): Promise<OrchestrateOk | OrchestrateError> {
   const vaultRegistered = findService("parachute-vault", manifestPath) !== undefined;
+  // `--no-mirror` opts this create out of the default internal live mirror
+  // (§3 default_mirror knob). Only meaningful on the `create` branch — the
+  // bootstrap `install` path provisions the default vault and follows the
+  // server-wide knob.
   const cmd = vaultRegistered
-    ? ["parachute-vault", "create", name, "--json"]
+    ? opts.noMirror
+      ? ["parachute-vault", "create", name, "--json", "--no-mirror"]
+      : ["parachute-vault", "create", name, "--json"]
     : ["parachute", "install", "vault"];
   let result: RunResult;
   try {
@@ -320,6 +338,102 @@ async function orchestrate(
   return { ok: true, createJson };
 }
 
+/**
+ * Result of {@link provisionVault} — the programmatic vault-provisioning
+ * core shared by the authed HTTP handler and the invite-redeem path.
+ *
+ *   - `created: true`  — a fresh vault was provisioned this call. `entry`
+ *     describes it; `createJson` (when present) carries the single-emit
+ *     bootstrap creds.
+ *   - `created: false` — the vault already existed (idempotent). `entry`
+ *     describes the existing vault; no `createJson`.
+ */
+export type ProvisionVaultResult =
+  | {
+      ok: true;
+      created: boolean;
+      entry: WellKnownVaultEntry;
+      createJson: VaultCreateJson | null;
+    }
+  | { ok: false; status: number; message: string };
+
+/**
+ * Provision (or no-op if it exists) a vault by name — the auth-free core
+ * lifted out of {@link handleCreateVault} so the invite-redeem flow can
+ * provision a vault for a freshly-created account WITHOUT a host:admin
+ * bearer (the redeemer holds no admin authority; the invite IS the
+ * authorization). The HTTP handler keeps the host:admin gate in front of
+ * this; the invite path calls it directly after validating the invite.
+ *
+ * Idempotent-safe: if the vault already exists this returns
+ * `created:false` with the existing entry rather than re-running the CLI —
+ * a redeem retry (or a name collision) lands the user on the existing
+ * vault instead of erroring.
+ *
+ * Name validation matches `parachute-vault create`'s rules. Callers that
+ * accept an untrusted name (the invite redeemer naming their own vault)
+ * MUST pass it through here so the same regex + reserved-name gate the
+ * `/vaults` API edge enforces applies.
+ */
+export async function provisionVault(
+  name: string,
+  deps: {
+    issuer: string;
+    manifestPath?: string;
+    runCommand?: CreateVaultDeps["runCommand"];
+    /** `'off'` appends `--no-mirror`; anything else follows the server knob. */
+    defaultMirror?: string;
+  },
+): Promise<ProvisionVaultResult> {
+  const manifestPath = deps.manifestPath ?? SERVICES_MANIFEST_PATH;
+  const runCommand = deps.runCommand ?? defaultRunCommand;
+
+  if (!VAULT_NAME_PATTERN.test(name)) {
+    return {
+      ok: false,
+      status: 400,
+      message: "vault name must contain only lowercase letters, numbers, hyphens, and underscores",
+    };
+  }
+  if (RESERVED_VAULT_NAMES.has(name)) {
+    return { ok: false, status: 400, message: `"${name}" is a reserved vault name` };
+  }
+
+  // Idempotency: if the vault already exists, return the existing entry.
+  const existing = findExistingVault(manifestPath, name);
+  if (existing) {
+    return {
+      ok: true,
+      created: false,
+      entry: buildEntry(name, existing.path, existing.version, deps.issuer),
+      createJson: null,
+    };
+  }
+
+  const result = await orchestrate(manifestPath, name, runCommand, {
+    noMirror: deps.defaultMirror === "off",
+  });
+  if (!result.ok) {
+    return { ok: false, status: result.status, message: result.message };
+  }
+
+  // Re-read services.json: the CLI just wrote it.
+  const created = findExistingVault(manifestPath, name);
+  if (!created) {
+    return {
+      ok: false,
+      status: 500,
+      message: `vault "${name}" was provisioned but is not in services.json — manual recovery required`,
+    };
+  }
+  return {
+    ok: true,
+    created: true,
+    entry: buildEntry(name, created.path, created.version, deps.issuer),
+    createJson: result.createJson,
+  };
+}
+
 export async function handleCreateVault(req: Request, deps: CreateVaultDeps): Promise<Response> {
   if (req.method !== "POST") {
     return new Response("method not allowed", { status: 405 });
@@ -341,35 +455,29 @@ export async function handleCreateVault(req: Request, deps: CreateVaultDeps): Pr
   }
   const { name } = parsed.body;
 
-  // Idempotency: if the vault already exists, return 200 + existing entry.
-  // Skip the CLI shell-out — re-POST is usually a UI retry.
-  const existing = findExistingVault(manifestPath, name);
-  if (existing) {
-    return new Response(
-      JSON.stringify(buildEntry(name, existing.path, existing.version, deps.issuer)),
-      {
-        status: 200,
-        headers: { "content-type": "application/json" },
-      },
-    );
-  }
-
-  const result = await orchestrate(manifestPath, name, runCommand);
-  if (!result.ok) {
-    return jsonError(result.status, "server_error", result.message);
+  const provisioned = await provisionVault(name, {
+    issuer: deps.issuer,
+    manifestPath,
+    runCommand,
+  });
+  if (!provisioned.ok) {
+    // parseBody already enforced the name regex/reserved gate, so a
+    // provisionVault 400 here would be a redundant re-check; map any
+    // non-ok to its status. invalid_request for 400, server_error otherwise.
+    const error = provisioned.status === 400 ? "invalid_request" : "server_error";
+    return jsonError(provisioned.status, error, provisioned.message);
   }
 
-  // Re-read services.json: the CLI just wrote it.
-  const created = findExistingVault(manifestPath, name);
-  if (!created) {
-    return jsonError(
-      500,
-      "server_error",
-      `vault "${name}" was provisioned but is not in services.json — manual recovery required`,
-    );
+  // Idempotent re-POST: existing vault → 200, no single-emit creds.
+  if (!provisioned.created) {
+    return new Response(JSON.stringify(provisioned.entry), {
+      status: 200,
+      headers: { "content-type": "application/json" },
+    });
   }
 
-  const entry = buildEntry(name, created.path, created.version, deps.issuer);
+  const entry = provisioned.entry;
+  const result = { createJson: provisioned.createJson };
   // Access token (a `vault:<name>:admin` JWT, possibly empty post-DROP) +
   // filesystem paths are single-emit at create time. We surface them here so
   // the caller can immediately bootstrap a connection to the new vault.

package/src/api-account.ts

@@ -49,9 +49,12 @@ import type { Database } from "bun:sqlite";
 import { hash as argonHash } from "@node-rs/argon2";
 import { type ChangePasswordMode, renderChangePassword } from "./account-change-password-ui.ts";
 import { renderAccountHome } from "./account-home-ui.ts";
+import { fetchVaultMirrorStatus, formatMirrorLine } from "./account-mirror.ts";
+import { fetchVaultUsage, formatUsageStat } from "./account-usage.ts";
 import { POST_LOGIN_DEFAULT } from "./admin-handlers.ts";
 import { renderAdminError } from "./admin-login-ui.ts";
 import { CSRF_FIELD_NAME, ensureCsrfToken, verifyCsrfToken } from "./csrf.ts";
+import { userHasExternalAiGrant } from "./grants.ts";
 import { changePasswordRateLimiter } from "./rate-limit.ts";
 import { isHttpsRequest } from "./request-protocol.ts";
 import { findActiveSession } from "./sessions.ts";
@@ -419,6 +422,16 @@ export async function handleAccountChangePasswordPost(
         )
         .run(passwordHash, stamp, user.id);
       if (result.changes === 0) throw new UserNotFoundError(user.id);
+      // Revoke the user's still-active tokens on a self-service password change
+      // (item F / hub#469). The admin-reset path already revokes
+      // (`resetUserPassword`, users.ts); applying the same on self-change closes
+      // the "mint a token under the admin's temp password, then rotate but keep
+      // the token" gap — any token minted before the rotation dies with it. The
+      // user re-mints under their own (now-rotated) password if they need one.
+      // Same transaction as the hash write so the two are atomic.
+      deps.db
+        .prepare("UPDATE tokens SET revoked_at = ? WHERE user_id = ? AND revoked_at IS NULL")
+        .run(stamp, user.id);
     })();
   } catch (err) {
     // The user row vanished between the session-resolve check above and
@@ -476,9 +489,31 @@ export async function handleAccountChangePasswordPost(
 export interface AccountHomeDeps extends ApiAccountDeps {
   /** Canonical hub origin for this request (e.g. `https://my-hub.example`). */
   hubOrigin: string;
+  /**
+   * Resolve a vault's loopback port from services.json, or `null` when no vault
+   * is mounted under that name. Threaded in by the route handler (which reads
+   * the manifest) so this module stays free of services.json plumbing. Absent
+   * in tests / older callers → usage surfacing is skipped (tiles render without
+   * the stat, same as a failed fetch).
+   */
+  resolveVaultPort?: (vaultName: string) => number | null;
+  /**
+   * Fetch one vault's usage stat, or `null` on any failure. Defaults to the
+   * real `fetchVaultUsage` (mints a read token + hits the vault's loopback
+   * usage endpoint). Injectable so tests assert the render without a live
+   * vault.
+   */
+  fetchUsage?: typeof fetchVaultUsage;
+  /**
+   * Fetch one vault's backup (mirror) status, or `null` on any failure.
+   * Defaults to the real `fetchVaultMirrorStatus` (mints an admin-scoped token +
+   * hits the vault's loopback `/.parachute/mirror` endpoint). Injectable so
+   * tests assert the render without a live vault.
+   */
+  fetchMirror?: typeof fetchVaultMirrorStatus;
 }
 
-export function handleAccountHomeGet(req: Request, deps: AccountHomeDeps): Response {
+export async function handleAccountHomeGet(req: Request, deps: AccountHomeDeps): Promise<Response> {
   const session = findActiveSession(deps.db, req);
   if (!session) {
     return redirect(`/login?next=${encodeURIComponent("/account/")}`);
@@ -501,6 +536,84 @@ export function handleAccountHomeGet(req: Request, deps: AccountHomeDeps): Respo
     const verbs = vaultVerbsForUserVault(deps.db, user.id, v);
     if (verbs && verbs.length > 0) mintableVerbs[v] = verbs;
   }
+
+  // Per-vault usage stat ("X notes · Y MB"). Fetched concurrently across the
+  // user's assigned vaults via the read-scoped vault endpoint; each fetch is
+  // independently fault-tolerant (returns null → that tile renders without a
+  // stat). Skipped entirely when the route didn't wire a port resolver (tests /
+  // older callers). The READ scope means the user's own authority suffices.
+  const usageStats: Record<string, string> = {};
+  if (deps.resolveVaultPort && user.assignedVaults.length > 0) {
+    const fetchUsage = deps.fetchUsage ?? fetchVaultUsage;
+    const resolvePort = deps.resolveVaultPort;
+    await Promise.all(
+      user.assignedVaults.map(async (vaultName) => {
+        const port = resolvePort(vaultName);
+        if (port === null) return;
+        const stat = await fetchUsage(vaultName, {
+          db: deps.db,
+          hubOrigin: deps.hubOrigin,
+          vaultPort: port,
+          userId: user.id,
+          ...(deps.now !== undefined ? { now: deps.now } : {}),
+        });
+        if (stat) usageStats[vaultName] = formatUsageStat(stat);
+      }),
+    );
+  }
+
+  // Per-vault backup (mirror) line ("Backed up — full version history" / "…
+  // + GitHub"). The vault's mirror endpoint is ADMIN-scoped, so we only fetch
+  // for vaults where this user holds the admin verb (the same gate the
+  // "Advanced vault settings ↗" deep-link uses). Each fetch is independently
+  // fault-tolerant (returns null → no backup line on that tile) and backup-off
+  // formats to null too (we never nag with a "not backed up" warning here).
+  // Skipped entirely when the route didn't wire a port resolver (tests / older
+  // callers).
+  const mirrorLines: Record<string, string> = {};
+  // Whether each vault's backup is already pushing to a remote (`auto_push`).
+  // Threaded to the renderer as a proper boolean so it gates the "Back up to
+  // GitHub ↗" action without re-deriving "are we pushing?" from the line string.
+  const mirrorPushing: Record<string, boolean> = {};
+  if (deps.resolveVaultPort && user.assignedVaults.length > 0) {
+    const fetchMirror = deps.fetchMirror ?? fetchVaultMirrorStatus;
+    const resolvePort = deps.resolveVaultPort;
+    await Promise.all(
+      user.assignedVaults.map(async (vaultName) => {
+        if (!(mintableVerbs[vaultName] ?? []).includes("admin")) return;
+        const port = resolvePort(vaultName);
+        if (port === null) return;
+        const stat = await fetchMirror(vaultName, {
+          db: deps.db,
+          hubOrigin: deps.hubOrigin,
+          vaultPort: port,
+          userId: user.id,
+          ...(deps.now !== undefined ? { now: deps.now } : {}),
+        });
+        if (stat) {
+          const line = formatMirrorLine(stat);
+          if (line) {
+            mirrorLines[vaultName] = line;
+            mirrorPushing[vaultName] = stat.backedUpToRemote;
+          }
+        }
+      }),
+    );
+  }
+
+  // hub#583: "connected" means an EXTERNAL AI/MCP client (Claude, Cursor, …)
+  // was wired to a vault — NOT a first-party browser sign-in. This is the
+  // PRIMARY browser GET /account/ route — the exact page the field report
+  // describes — so it must use the same filtered check as the vault-token
+  // re-render (account-vault-token.ts:196): the old `userHasVaultGrant` lit
+  // "✓ You're connected" the moment the user opened Notes (a first-party OAuth
+  // client that writes a vault-scoped grant). `userHasExternalAiGrant` excludes
+  // first-party browser surfaces so the checklist only condenses on a real AI
+  // connection.
+  const connectedVault = user.assignedVaults.some((v) =>
+    userHasExternalAiGrant(deps.db, user.id, v),
+  );
+
   return htmlResponse(
     renderAccountHome({
       username: user.username,
@@ -511,6 +624,10 @@ export function handleAccountHomeGet(req: Request, deps: AccountHomeDeps): Respo
       csrfToken: csrf.token,
       twoFactorEnabled: isTotpEnrolled(deps.db, user.id),
       mintableVerbs,
+      usageStats,
+      mirrorLines,
+      mirrorPushing,
+      connectedVault,
     }),
     200,
     extra,