@openparachute/hub 0.6.3 → 0.6.4-rc.10

package/src/__tests__/expose-interactive.test.ts

@@ -2,6 +2,7 @@ import { describe, expect, test } from "bun:test";
 import { mkdtempSync, rmSync, writeFileSync } from "node:fs";
 import { tmpdir } from "node:os";
 import { join } from "node:path";
+import { readPendingHostname, writePendingHostname } from "../cloudflare/state.ts";
 import { exposePublicInteractive } from "../commands/expose-interactive.ts";
 import { readLastProvider, writeLastProvider } from "../expose-last-provider.ts";
 import type { CommandResult, Runner } from "../tailscale/run.ts";
@@ -15,6 +16,7 @@ const noopPreflight = async () => {};
 interface TestEnv {
   cloudflaredHome: string;
   lastProviderPath: string;
+  statePath: string;
   cleanup: () => void;
 }
 
@@ -28,6 +30,7 @@ function makeEnv(opts: { cloudflaredLoggedIn?: boolean } = {}): TestEnv {
   return {
     cloudflaredHome,
     lastProviderPath: join(dir, "expose-last-provider.json"),
+    statePath: join(dir, "cloudflared-state.json"),
     cleanup: () => rmSync(dir, { recursive: true, force: true }),
   };
 }
@@ -194,6 +197,75 @@ describe("exposePublicInteractive — both ready", () => {
     }
   });
 
+  test("hub#567: persists the typed hostname as soon as it validates", async () => {
+    const env = makeEnv({ cloudflaredLoggedIn: true });
+    try {
+      const { runner } = fixedRunner({
+        tailscaleInstalled: true,
+        tailscaleLoggedIn: true,
+        tailscaleFunnelCap: true,
+        cloudflaredInstalled: true,
+      });
+      const { prompt } = queuePrompt(["2", "vault.example.com"]);
+      // exposeCloudflareUpImpl FAILS — so the hostname must survive for a retry.
+      const code = await exposePublicInteractive({
+        runner,
+        prompt,
+        cloudflaredHome: env.cloudflaredHome,
+        lastProviderPath: env.lastProviderPath,
+        statePath: env.statePath,
+        log: () => {},
+        exposePublicImpl: async () => 0,
+        exposeCloudflareUpImpl: async () => 1,
+        runAuthPreflightImpl: noopPreflight,
+      });
+      expect(code).toBe(1);
+      // Stashed despite the downstream failure.
+      expect(readPendingHostname(env.statePath)).toBe("vault.example.com");
+    } finally {
+      env.cleanup();
+    }
+  });
+
+  test("hub#567: pre-fills the hostname prompt from a stashed value; Enter accepts it", async () => {
+    const env = makeEnv({ cloudflaredLoggedIn: true });
+    try {
+      writePendingHostname("techne.parachute.computer", env.statePath);
+      const { runner } = fixedRunner({
+        tailscaleInstalled: true,
+        tailscaleLoggedIn: true,
+        tailscaleFunnelCap: true,
+        cloudflaredInstalled: true,
+      });
+      // Pick cloudflare, then press Enter (blank) at the hostname prompt.
+      const { prompt, asked } = queuePrompt(["2", ""]);
+      let cloudflareHostname: string | undefined;
+      const code = await exposePublicInteractive({
+        runner,
+        prompt,
+        cloudflaredHome: env.cloudflaredHome,
+        lastProviderPath: env.lastProviderPath,
+        statePath: env.statePath,
+        log: () => {},
+        exposePublicImpl: async () => 0,
+        exposeCloudflareUpImpl: async (h) => {
+          cloudflareHostname = h;
+          return 0;
+        },
+        runAuthPreflightImpl: noopPreflight,
+      });
+      expect(code).toBe(0);
+      // Enter accepted the stashed hostname.
+      expect(cloudflareHostname).toBe("techne.parachute.computer");
+      // The prompt surfaced the default in brackets.
+      expect(asked.some((q) => q.includes("[techne.parachute.computer]"))).toBe(true);
+      // Cleared once routing succeeded.
+      expect(readPendingHostname(env.statePath)).toBeUndefined();
+    } finally {
+      env.cleanup();
+    }
+  });
+
   test("'q' aborts cleanly with exit 0 and no downstream calls", async () => {
     const env = makeEnv({ cloudflaredLoggedIn: true });
     try {
@@ -440,11 +512,12 @@ describe("exposePublicInteractive — neither ready", () => {
     }
   });
 
-  test("user picks cloudflare on linux: prints manual install pointers and exits 1", async () => {
+  test("hub#566: cloudflare on linux, user DECLINES auto-install: prints manual + --cloudflare hint, exits 1", async () => {
     const env = makeEnv();
     try {
       const { runner } = fixedRunner({});
-      const { prompt } = queuePrompt(["2"]);
+      // "2" → cloudflare; "n" → decline the auto-install offer.
+      const { prompt } = queuePrompt(["2", "n"]);
       const logs: string[] = [];
       let interactiveCalled = false;
       let cloudflareCalled = false;
@@ -456,8 +529,10 @@ describe("exposePublicInteractive — neither ready", () => {
         },
         prompt,
         platform: "linux",
+        arch: "x64",
         cloudflaredHome: env.cloudflaredHome,
         lastProviderPath: env.lastProviderPath,
+        statePath: env.statePath,
         log: (l) => logs.push(l),
         exposePublicImpl: async () => 0,
         exposeCloudflareUpImpl: async () => {
@@ -466,16 +541,16 @@ describe("exposePublicInteractive — neither ready", () => {
         },
       });
       expect(code).toBe(1);
+      // Declining means no curl/chmod ran and we never reached the expose.
       expect(interactiveCalled).toBe(false);
       expect(cloudflareCalled).toBe(false);
       const joined = logs.join("\n");
-      // Post 2026-05-27 cloudflared-URL refresh: the install hint moved
-      // off apt-get / dnf / developers.cloudflare.com (all unreliable —
-      // Aaron hit `No match for argument: cloudflared` on AL2023 and
-      // 404s from the docs URL on the same box) onto the static binary
-      // from GitHub releases.
+      expect(joined).toContain("Skipped auto-install");
       expect(joined).toContain("github.com/cloudflare/cloudflared/releases/latest");
       expect(joined).toContain("curl -L -o /usr/local/bin/cloudflared");
+      // hub#566: re-run hint carries the --cloudflare flag (bare `expose
+      // public` defaults to Tailscale).
+      expect(joined).toContain("parachute expose public --cloudflare");
       expect(joined).not.toContain("developers.cloudflare.com");
       expect(joined).not.toContain("pkg.cloudflare.com");
       expect(joined).not.toContain("sudo dnf install cloudflared");
@@ -484,6 +559,158 @@ describe("exposePublicInteractive — neither ready", () => {
     }
   });
 
+  test("hub#566: cloudflare on linux as ROOT, accepts auto-install: runs bare curl+chmod (no sudo), then exposes", async () => {
+    const env = makeEnv();
+    try {
+      // cloudflared starts absent (so the install offer fires), then present
+      // after the install runs (so the verify probe + flow continue).
+      let cloudflaredPresent = false;
+      const runner: Runner = async (cmd) => {
+        if (cmd.slice(0, 2).join(" ") === "cloudflared --version") {
+          return cloudflaredPresent
+            ? { code: 0, stdout: "cloudflared 2024.1.0\n", stderr: "" }
+            : { code: 127, stdout: "", stderr: "not found" };
+        }
+        if (cmd[0] === "tailscale") {
+          // Detection: tailscale absent (forces the cloudflare-only path).
+          return { code: 127, stdout: "", stderr: "not found" };
+        }
+        throw new Error(`unexpected runner call: ${cmd.join(" ")}`);
+      };
+      // "2" cloudflare → "Y" install → "Y" login → hostname. The login prompt
+      // fires because detection reported cloudflared absent (so loggedIn=false)
+      // even though cert.pem appears once login "runs".
+      const { prompt } = queuePrompt(["2", "y", "y", "vault.example.com"]);
+      const interactiveCmds: string[][] = [];
+      const logs: string[] = [];
+      let cloudflareHostname = "";
+      const code = await exposePublicInteractive({
+        runner,
+        interactiveRunner: async (cmd) => {
+          interactiveCmds.push([...cmd]);
+          // Install "succeeds": flip cloudflared to present. Login "succeeds":
+          // drop the cert so `isCloudflaredLoggedIn` reads true afterward.
+          if (cmd.includes("login")) writeFileSync(join(env.cloudflaredHome, "cert.pem"), "---");
+          else cloudflaredPresent = true;
+          return 0;
+        },
+        prompt,
+        platform: "linux",
+        arch: "x64",
+        getuid: () => 0, // root
+        cloudflaredHome: env.cloudflaredHome,
+        lastProviderPath: env.lastProviderPath,
+        statePath: env.statePath,
+        log: (l) => logs.push(l),
+        exposePublicImpl: async () => 0,
+        exposeCloudflareUpImpl: async (hostname) => {
+          cloudflareHostname = hostname;
+          return 0;
+        },
+        runAuthPreflightImpl: noopPreflight,
+      });
+      expect(code).toBe(0);
+      expect(cloudflareHostname).toBe("vault.example.com");
+      // Root runs curl + chmod WITHOUT a sudo prefix.
+      expect(interactiveCmds[0]?.[0]).toBe("curl");
+      expect(interactiveCmds[0]).toContain("/usr/local/bin/cloudflared");
+      expect(interactiveCmds[1]?.[0]).toBe("chmod");
+      expect(interactiveCmds.some((c) => c[0] === "sudo")).toBe(false);
+      expect(logs.join("\n")).toContain("✓ cloudflared installed.");
+    } finally {
+      env.cleanup();
+    }
+  });
+
+  test("hub#566: cloudflare on linux NON-root, accepts auto-install: wraps curl+chmod in sudo", async () => {
+    const env = makeEnv();
+    try {
+      let cloudflaredPresent = false;
+      const runner: Runner = async (cmd) => {
+        if (cmd.slice(0, 2).join(" ") === "cloudflared --version") {
+          return cloudflaredPresent
+            ? { code: 0, stdout: "cloudflared 2024.1.0\n", stderr: "" }
+            : { code: 127, stdout: "", stderr: "not found" };
+        }
+        if (cmd[0] === "tailscale") return { code: 127, stdout: "", stderr: "not found" };
+        throw new Error(`unexpected runner call: ${cmd.join(" ")}`);
+      };
+      const { prompt } = queuePrompt(["2", "y", "y", "vault.example.com"]);
+      const interactiveCmds: string[][] = [];
+      const code = await exposePublicInteractive({
+        runner,
+        interactiveRunner: async (cmd) => {
+          interactiveCmds.push([...cmd]);
+          if (cmd.includes("login")) writeFileSync(join(env.cloudflaredHome, "cert.pem"), "---");
+          else cloudflaredPresent = true;
+          return 0;
+        },
+        prompt,
+        platform: "linux",
+        arch: "arm64",
+        getuid: () => 1000, // non-root
+        cloudflaredHome: env.cloudflaredHome,
+        lastProviderPath: env.lastProviderPath,
+        statePath: env.statePath,
+        log: () => {},
+        exposePublicImpl: async () => 0,
+        exposeCloudflareUpImpl: async () => 0,
+        runAuthPreflightImpl: noopPreflight,
+      });
+      expect(code).toBe(0);
+      // Non-root prefixes both privileged steps with non-interactive `sudo -n`
+      // (fails fast instead of hanging on a password prompt under a detached
+      // init).
+      expect(interactiveCmds[0]?.slice(0, 2)).toEqual(["sudo", "-n"]);
+      expect(interactiveCmds[0]).toContain("curl");
+      expect(interactiveCmds[1]?.slice(0, 2)).toEqual(["sudo", "-n"]);
+      expect(interactiveCmds[1]).toContain("chmod");
+    } finally {
+      env.cleanup();
+    }
+  });
+
+  test("hub#566: cloudflare on linux, sudo curl FAILS: prints manual + --cloudflare hint, exits 1", async () => {
+    const env = makeEnv();
+    try {
+      const runner: Runner = async (cmd) => {
+        if (cmd.slice(0, 2).join(" ") === "cloudflared --version") {
+          return { code: 127, stdout: "", stderr: "not found" };
+        }
+        if (cmd[0] === "tailscale") return { code: 127, stdout: "", stderr: "not found" };
+        throw new Error(`unexpected runner call: ${cmd.join(" ")}`);
+      };
+      const { prompt } = queuePrompt(["2", "y"]);
+      const logs: string[] = [];
+      let cloudflareCalled = false;
+      const code = await exposePublicInteractive({
+        runner,
+        // Simulate sudo failing (no cached creds, no tty).
+        interactiveRunner: async () => 1,
+        prompt,
+        platform: "linux",
+        arch: "x64",
+        getuid: () => 1000,
+        cloudflaredHome: env.cloudflaredHome,
+        lastProviderPath: env.lastProviderPath,
+        statePath: env.statePath,
+        log: (l) => logs.push(l),
+        exposePublicImpl: async () => 0,
+        exposeCloudflareUpImpl: async () => {
+          cloudflareCalled = true;
+          return 0;
+        },
+      });
+      expect(code).toBe(1);
+      expect(cloudflareCalled).toBe(false);
+      const joined = logs.join("\n");
+      expect(joined).toContain("Download failed");
+      expect(joined).toContain("parachute expose public --cloudflare");
+    } finally {
+      env.cleanup();
+    }
+  });
+
   test("user picks cloudflare on macos but declines brew: exits 1, no install attempted", async () => {
     const env = makeEnv();
     try {

package/src/__tests__/expose-supervisor-version.test.ts

@@ -0,0 +1,104 @@
+import { describe, expect, test } from "bun:test";
+import { ensureHubUnitForExpose, resolveExposeSupervisor } from "../commands/expose-supervisor.ts";
+import type { EnsureHubVersionMatchesResult } from "../hub-unit.ts";
+
+/**
+ * #590: `ensureHubUnitForExpose` must run the version-check-and-restart at the
+ * expose adoption point, so an expose never wires a tunnel to a stale zombie
+ * that merely answers /health on the canonical port. These tests drive the
+ * version-check seam directly (no real launchctl / live hub).
+ */
+describe("ensureHubUnitForExpose — version-check at the expose adoption point (#590)", () => {
+  function sup(
+    ensureHubUnitOutcome: "already-up" | "started" | "no-unit",
+    versionResult: EnsureHubVersionMatchesResult,
+    versionSpy?: (port: number) => void,
+  ) {
+    return resolveExposeSupervisor({
+      ensureHubUnit: async ({ port }) => ({
+        outcome: ensureHubUnitOutcome,
+        port: port ?? 1939,
+        messages: ensureHubUnitOutcome === "no-unit" ? ["no hub unit installed"] : [],
+      }),
+      ensureHubVersion: async ({ port }) => {
+        versionSpy?.(port);
+        return versionResult;
+      },
+    });
+  }
+
+  test("hub up + version matches → ok, version check ran with the probed port", async () => {
+    const logs: string[] = [];
+    let checkedPort: number | undefined;
+    const s = sup(
+      "already-up",
+      {
+        outcome: "match",
+        runningVersion: "0.6.4-rc.9",
+        installedVersion: "0.6.4-rc.9",
+        messages: [],
+      },
+      (p) => {
+        checkedPort = p;
+      },
+    );
+    const res = await ensureHubUnitForExpose(s, 1939, (l) => logs.push(l));
+    expect(res.ok).toBe(true);
+    expect(checkedPort).toBe(1939);
+  });
+
+  test("hub up but a stale zombie → restarted → ok (tunnel binds to NEW code)", async () => {
+    const logs: string[] = [];
+    const s = sup("already-up", {
+      outcome: "restarted",
+      runningVersion: "0.6.4-rc.9",
+      installedVersion: "0.6.4-rc.9",
+      messages: ["✓ hub unit restarted; now running 0.6.4-rc.9."],
+    });
+    const res = await ensureHubUnitForExpose(s, 1939, (l) => logs.push(l));
+    expect(res.ok).toBe(true);
+    expect(logs.join("\n")).toContain("now running 0.6.4-rc.9");
+  });
+
+  test("hub up but mismatch + NOT unit-managed → expose FAILS (don't tunnel to a zombie)", async () => {
+    const logs: string[] = [];
+    const s = sup("already-up", {
+      outcome: "not-unit-managed",
+      runningVersion: "0.5.14-rc.4",
+      installedVersion: "0.6.4-rc.9",
+      messages: ["⚠ the running hub is 0.5.14-rc.4 but 0.6.4-rc.9 is installed."],
+    });
+    const res = await ensureHubUnitForExpose(s, 1939, (l) => logs.push(l));
+    expect(res.ok).toBe(false);
+    expect(logs.join("\n")).toContain("0.5.14-rc.4");
+  });
+
+  test("still-mismatched after restart → expose CONTINUES (warn, don't block)", async () => {
+    const logs: string[] = [];
+    const s = sup("already-up", {
+      outcome: "still-mismatched",
+      runningVersion: "0.6.4-rc.8",
+      installedVersion: "0.6.4-rc.9",
+      messages: ["⚠ restarted the hub unit, but it is still not reporting 0.6.4-rc.9."],
+    });
+    const res = await ensureHubUnitForExpose(s, 1939, (l) => logs.push(l));
+    expect(res.ok).toBe(true);
+    expect(logs.join("\n")).toContain("still not reporting");
+  });
+
+  test("hub NOT up (no unit) → fails BEFORE the version check (no false adoption)", async () => {
+    const logs: string[] = [];
+    let versionRan = false;
+    const s = sup(
+      "no-unit",
+      { outcome: "match", installedVersion: "0.6.4-rc.9", messages: [] },
+      () => {
+        versionRan = true;
+      },
+    );
+    const res = await ensureHubUnitForExpose(s, 1939, (l) => logs.push(l));
+    expect(res.ok).toBe(false);
+    // The version check only runs once the hub is confirmed up.
+    expect(versionRan).toBe(false);
+  });
+});

package/src/__tests__/expose.test.ts

@@ -558,7 +558,9 @@ describe("expose tailnet up", () => {
         },
       });
       expect(code).toBe(0);
-      expect(logs.join("\n")).not.toContain("2FA is not enrolled");
+      expect(logs.join("\n")).not.toContain(
+        "Strongly recommended: turn on two-factor authentication",
+      );
     } finally {
       h.cleanup();
     }
@@ -931,9 +933,10 @@ describe("expose public up", () => {
       });
       expect(code).toBe(0);
       const joined = logs.join("\n");
-      // hub#473: real hub-login 2FA. The warning now recommends the real
-      // `parachute auth 2fa enroll` path.
-      expect(joined).toContain("/login is now reachable on the public internet");
+      // hub#473: real hub-login 2FA. The recommendation now leads with the
+      // friendly "strongly recommended" framing and the real `parachute auth
+      // 2fa enroll` path.
+      expect(joined).toContain("Strongly recommended: turn on two-factor authentication");
       expect(joined).toContain("parachute auth 2fa enroll");
       // /login pointer uses the canonical https://<fqdn> origin.
       expect(joined).toContain("https://parachute.taildf9ce2.ts.net/login");
@@ -966,7 +969,9 @@ describe("expose public up", () => {
         },
       });
       expect(code).toBe(0);
-      expect(logs.join("\n")).not.toContain("2FA is not enrolled");
+      expect(logs.join("\n")).not.toContain(
+        "Strongly recommended: turn on two-factor authentication",
+      );
     } finally {
       h.cleanup();
     }