@openparachute/hub 0.6.4-rc.4 → 0.6.4-rc.6

package/src/__tests__/cloudflare-state.test.ts

@@ -7,12 +7,15 @@ import {
   CloudflaredStateError,
   type CloudflaredTunnelRecord,
   clearCloudflaredState,
+  clearPendingHostname,
   findTunnelRecord,
   listTunnelRecords,
   readCloudflaredState,
+  readPendingHostname,
   withTunnelRecord,
   withoutTunnelRecord,
   writeCloudflaredState,
+  writePendingHostname,
 } from "../cloudflare/state.ts";
 
 function makeTempPath(): { path: string; cleanup: () => void } {
@@ -250,3 +253,104 @@ describe("cloudflared state — record helpers", () => {
     expect(listTunnelRecords(undefined)).toEqual([]);
   });
 });
+
+describe("hub#567 pending hostname", () => {
+  test("read returns undefined when no state file / no pending hostname", () => {
+    const { path, cleanup } = makeTempPath();
+    try {
+      expect(readPendingHostname(path)).toBeUndefined();
+      writeCloudflaredState(sample, path);
+      expect(readPendingHostname(path)).toBeUndefined();
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("write then read round-trips the pending hostname (seeds empty state)", () => {
+    const { path, cleanup } = makeTempPath();
+    try {
+      writePendingHostname("techne.parachute.computer", path);
+      expect(readPendingHostname(path)).toBe("techne.parachute.computer");
+      const state = readCloudflaredState(path);
+      expect(state?.pendingHostname).toBe("techne.parachute.computer");
+      expect(state?.tunnels).toEqual({});
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("write preserves existing tunnel records", () => {
+    const { path, cleanup } = makeTempPath();
+    try {
+      writeCloudflaredState(sample, path);
+      writePendingHostname("techne.parachute.computer", path);
+      const state = readCloudflaredState(path);
+      expect(state?.pendingHostname).toBe("techne.parachute.computer");
+      expect(state?.tunnels.parachute).toEqual(sampleRecord);
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("clear drops the pending hostname but keeps tunnel records", () => {
+    const { path, cleanup } = makeTempPath();
+    try {
+      writeCloudflaredState({ ...sample, pendingHostname: "techne.parachute.computer" }, path);
+      clearPendingHostname(path);
+      const state = readCloudflaredState(path);
+      expect(state?.pendingHostname).toBeUndefined();
+      expect(state?.tunnels.parachute).toEqual(sampleRecord);
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("clear removes the state file entirely when no tunnels remain", () => {
+    const { path, cleanup } = makeTempPath();
+    try {
+      writePendingHostname("techne.parachute.computer", path);
+      expect(existsSync(path)).toBe(true);
+      clearPendingHostname(path);
+      expect(existsSync(path)).toBe(false);
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("validate preserves a pending hostname round-tripped through the bytes", () => {
+    const { path, cleanup } = makeTempPath();
+    try {
+      const withPending: CloudflaredState = { ...sample, pendingHostname: "a.example.com" };
+      writeCloudflaredState(withPending, path);
+      expect(readCloudflaredState(path)).toEqual(withPending);
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("withTunnelRecord preserves an existing pending hostname", () => {
+    const seed: CloudflaredState = { version: 2, tunnels: {}, pendingHostname: "a.example.com" };
+    const next = withTunnelRecord(seed, sampleRecord);
+    expect(next.pendingHostname).toBe("a.example.com");
+    expect(next.tunnels.parachute).toEqual(sampleRecord);
+  });
+
+  test("withoutTunnelRecord carries the pending hostname when it's the only thing left", () => {
+    const seed: CloudflaredState = {
+      version: 2,
+      tunnels: { parachute: sampleRecord },
+      pendingHostname: "a.example.com",
+    };
+    // Removing the last tunnel must NOT discard a typed-but-not-routed hostname.
+    expect(withoutTunnelRecord(seed, "parachute")).toEqual({
+      version: 2,
+      tunnels: {},
+      pendingHostname: "a.example.com",
+    });
+  });
+
+  test("withoutTunnelRecord returns undefined when no tunnels AND no pending hostname remain", () => {
+    const seed: CloudflaredState = { version: 2, tunnels: { parachute: sampleRecord } };
+    expect(withoutTunnelRecord(seed, "parachute")).toBeUndefined();
+  });
+});

package/src/__tests__/expose-cloudflare.test.ts

@@ -509,16 +509,31 @@ describe("exposeCloudflareUp", () => {
     }
   });
 
-  test("errors out when vault isn't installed", async () => {
+  test("hub#564: continues (no vault gate) when vault isn't installed — routes the hub anyway", async () => {
     const env = makeEnv({ includeVault: false });
     try {
-      const { runner } = queueRunner([{ code: 0, stdout: "cloudflared 2024.1.0\n", stderr: "" }]);
-      const { spawner } = fakeSpawner(0);
+      const uuid = "3d2b8d8f-2345-6789-abcd-ef0123456789";
+      const derived = "parachute-vault-example-com";
+      // The full chain must run now that the vault gate is gone: version,
+      // tunnel list, tunnel create, route dns.
+      const { runner } = queueRunner([
+        { code: 0, stdout: "cloudflared 2024.1.0\n", stderr: "" }, // --version
+        { code: 0, stdout: "[]", stderr: "" }, // tunnel list
+        {
+          code: 0,
+          stdout: `Created tunnel ${derived} with id ${uuid}\n`,
+          stderr: "",
+        }, // create
+        { code: 0, stdout: "", stderr: "" }, // route dns
+      ]);
+      const { spawner } = fakeSpawner(42000);
       const logs: string[] = [];
 
       const code = await exposeCloudflareUp("vault.example.com", {
         runner,
         spawner,
+        alive: () => false,
+        kill: () => {},
         log: (l) => logs.push(l),
         manifestPath: env.manifestPath,
         statePath: env.statePath,
@@ -528,10 +543,17 @@ describe("exposeCloudflareUp", () => {
         cloudflaredHome: env.cloudflaredHome,
         configDir: env.configDir,
         skipHub: true,
+        now: () => new Date("2026-04-22T12:00:00Z"),
       });
 
-      expect(code).toBe(1);
-      expect(logs.join("\n")).toContain("parachute install vault");
+      // The expose succeeds (the hub is what gets routed), with a courtesy
+      // note instead of a dead-end. No "install vault" gate, no Vault-URL
+      // footer (vault isn't there to point at).
+      expect(code).toBe(0);
+      const joined = logs.join("\n");
+      expect(joined).toContain("vault not installed yet");
+      expect(joined).not.toContain("nothing to route");
+      expect(joined).not.toMatch(/^\s*Vault:/m);
     } finally {
       env.cleanup();
     }

package/src/__tests__/expose-interactive.test.ts

@@ -2,6 +2,7 @@ import { describe, expect, test } from "bun:test";
 import { mkdtempSync, rmSync, writeFileSync } from "node:fs";
 import { tmpdir } from "node:os";
 import { join } from "node:path";
+import { readPendingHostname, writePendingHostname } from "../cloudflare/state.ts";
 import { exposePublicInteractive } from "../commands/expose-interactive.ts";
 import { readLastProvider, writeLastProvider } from "../expose-last-provider.ts";
 import type { CommandResult, Runner } from "../tailscale/run.ts";
@@ -15,6 +16,7 @@ const noopPreflight = async () => {};
 interface TestEnv {
   cloudflaredHome: string;
   lastProviderPath: string;
+  statePath: string;
   cleanup: () => void;
 }
 
@@ -28,6 +30,7 @@ function makeEnv(opts: { cloudflaredLoggedIn?: boolean } = {}): TestEnv {
   return {
     cloudflaredHome,
     lastProviderPath: join(dir, "expose-last-provider.json"),
+    statePath: join(dir, "cloudflared-state.json"),
     cleanup: () => rmSync(dir, { recursive: true, force: true }),
   };
 }
@@ -194,6 +197,75 @@ describe("exposePublicInteractive — both ready", () => {
     }
   });
 
+  test("hub#567: persists the typed hostname as soon as it validates", async () => {
+    const env = makeEnv({ cloudflaredLoggedIn: true });
+    try {
+      const { runner } = fixedRunner({
+        tailscaleInstalled: true,
+        tailscaleLoggedIn: true,
+        tailscaleFunnelCap: true,
+        cloudflaredInstalled: true,
+      });
+      const { prompt } = queuePrompt(["2", "vault.example.com"]);
+      // exposeCloudflareUpImpl FAILS — so the hostname must survive for a retry.
+      const code = await exposePublicInteractive({
+        runner,
+        prompt,
+        cloudflaredHome: env.cloudflaredHome,
+        lastProviderPath: env.lastProviderPath,
+        statePath: env.statePath,
+        log: () => {},
+        exposePublicImpl: async () => 0,
+        exposeCloudflareUpImpl: async () => 1,
+        runAuthPreflightImpl: noopPreflight,
+      });
+      expect(code).toBe(1);
+      // Stashed despite the downstream failure.
+      expect(readPendingHostname(env.statePath)).toBe("vault.example.com");
+    } finally {
+      env.cleanup();
+    }
+  });
+
+  test("hub#567: pre-fills the hostname prompt from a stashed value; Enter accepts it", async () => {
+    const env = makeEnv({ cloudflaredLoggedIn: true });
+    try {
+      writePendingHostname("techne.parachute.computer", env.statePath);
+      const { runner } = fixedRunner({
+        tailscaleInstalled: true,
+        tailscaleLoggedIn: true,
+        tailscaleFunnelCap: true,
+        cloudflaredInstalled: true,
+      });
+      // Pick cloudflare, then press Enter (blank) at the hostname prompt.
+      const { prompt, asked } = queuePrompt(["2", ""]);
+      let cloudflareHostname: string | undefined;
+      const code = await exposePublicInteractive({
+        runner,
+        prompt,
+        cloudflaredHome: env.cloudflaredHome,
+        lastProviderPath: env.lastProviderPath,
+        statePath: env.statePath,
+        log: () => {},
+        exposePublicImpl: async () => 0,
+        exposeCloudflareUpImpl: async (h) => {
+          cloudflareHostname = h;
+          return 0;
+        },
+        runAuthPreflightImpl: noopPreflight,
+      });
+      expect(code).toBe(0);
+      // Enter accepted the stashed hostname.
+      expect(cloudflareHostname).toBe("techne.parachute.computer");
+      // The prompt surfaced the default in brackets.
+      expect(asked.some((q) => q.includes("[techne.parachute.computer]"))).toBe(true);
+      // Cleared once routing succeeded.
+      expect(readPendingHostname(env.statePath)).toBeUndefined();
+    } finally {
+      env.cleanup();
+    }
+  });
+
   test("'q' aborts cleanly with exit 0 and no downstream calls", async () => {
     const env = makeEnv({ cloudflaredLoggedIn: true });
     try {
@@ -440,11 +512,12 @@ describe("exposePublicInteractive — neither ready", () => {
     }
   });
 
-  test("user picks cloudflare on linux: prints manual install pointers and exits 1", async () => {
+  test("hub#566: cloudflare on linux, user DECLINES auto-install: prints manual + --cloudflare hint, exits 1", async () => {
     const env = makeEnv();
     try {
       const { runner } = fixedRunner({});
-      const { prompt } = queuePrompt(["2"]);
+      // "2" → cloudflare; "n" → decline the auto-install offer.
+      const { prompt } = queuePrompt(["2", "n"]);
       const logs: string[] = [];
       let interactiveCalled = false;
       let cloudflareCalled = false;
@@ -456,8 +529,10 @@ describe("exposePublicInteractive — neither ready", () => {
         },
         prompt,
         platform: "linux",
+        arch: "x64",
         cloudflaredHome: env.cloudflaredHome,
         lastProviderPath: env.lastProviderPath,
+        statePath: env.statePath,
         log: (l) => logs.push(l),
         exposePublicImpl: async () => 0,
         exposeCloudflareUpImpl: async () => {
@@ -466,16 +541,16 @@ describe("exposePublicInteractive — neither ready", () => {
         },
       });
       expect(code).toBe(1);
+      // Declining means no curl/chmod ran and we never reached the expose.
       expect(interactiveCalled).toBe(false);
       expect(cloudflareCalled).toBe(false);
       const joined = logs.join("\n");
-      // Post 2026-05-27 cloudflared-URL refresh: the install hint moved
-      // off apt-get / dnf / developers.cloudflare.com (all unreliable —
-      // Aaron hit `No match for argument: cloudflared` on AL2023 and
-      // 404s from the docs URL on the same box) onto the static binary
-      // from GitHub releases.
+      expect(joined).toContain("Skipped auto-install");
       expect(joined).toContain("github.com/cloudflare/cloudflared/releases/latest");
       expect(joined).toContain("curl -L -o /usr/local/bin/cloudflared");
+      // hub#566: re-run hint carries the --cloudflare flag (bare `expose
+      // public` defaults to Tailscale).
+      expect(joined).toContain("parachute expose public --cloudflare");
       expect(joined).not.toContain("developers.cloudflare.com");
       expect(joined).not.toContain("pkg.cloudflare.com");
       expect(joined).not.toContain("sudo dnf install cloudflared");
@@ -484,6 +559,158 @@ describe("exposePublicInteractive — neither ready", () => {
     }
   });
 
+  test("hub#566: cloudflare on linux as ROOT, accepts auto-install: runs bare curl+chmod (no sudo), then exposes", async () => {
+    const env = makeEnv();
+    try {
+      // cloudflared starts absent (so the install offer fires), then present
+      // after the install runs (so the verify probe + flow continue).
+      let cloudflaredPresent = false;
+      const runner: Runner = async (cmd) => {
+        if (cmd.slice(0, 2).join(" ") === "cloudflared --version") {
+          return cloudflaredPresent
+            ? { code: 0, stdout: "cloudflared 2024.1.0\n", stderr: "" }
+            : { code: 127, stdout: "", stderr: "not found" };
+        }
+        if (cmd[0] === "tailscale") {
+          // Detection: tailscale absent (forces the cloudflare-only path).
+          return { code: 127, stdout: "", stderr: "not found" };
+        }
+        throw new Error(`unexpected runner call: ${cmd.join(" ")}`);
+      };
+      // "2" cloudflare → "Y" install → "Y" login → hostname. The login prompt
+      // fires because detection reported cloudflared absent (so loggedIn=false)
+      // even though cert.pem appears once login "runs".
+      const { prompt } = queuePrompt(["2", "y", "y", "vault.example.com"]);
+      const interactiveCmds: string[][] = [];
+      const logs: string[] = [];
+      let cloudflareHostname = "";
+      const code = await exposePublicInteractive({
+        runner,
+        interactiveRunner: async (cmd) => {
+          interactiveCmds.push([...cmd]);
+          // Install "succeeds": flip cloudflared to present. Login "succeeds":
+          // drop the cert so `isCloudflaredLoggedIn` reads true afterward.
+          if (cmd.includes("login")) writeFileSync(join(env.cloudflaredHome, "cert.pem"), "---");
+          else cloudflaredPresent = true;
+          return 0;
+        },
+        prompt,
+        platform: "linux",
+        arch: "x64",
+        getuid: () => 0, // root
+        cloudflaredHome: env.cloudflaredHome,
+        lastProviderPath: env.lastProviderPath,
+        statePath: env.statePath,
+        log: (l) => logs.push(l),
+        exposePublicImpl: async () => 0,
+        exposeCloudflareUpImpl: async (hostname) => {
+          cloudflareHostname = hostname;
+          return 0;
+        },
+        runAuthPreflightImpl: noopPreflight,
+      });
+      expect(code).toBe(0);
+      expect(cloudflareHostname).toBe("vault.example.com");
+      // Root runs curl + chmod WITHOUT a sudo prefix.
+      expect(interactiveCmds[0]?.[0]).toBe("curl");
+      expect(interactiveCmds[0]).toContain("/usr/local/bin/cloudflared");
+      expect(interactiveCmds[1]?.[0]).toBe("chmod");
+      expect(interactiveCmds.some((c) => c[0] === "sudo")).toBe(false);
+      expect(logs.join("\n")).toContain("✓ cloudflared installed.");
+    } finally {
+      env.cleanup();
+    }
+  });
+
+  test("hub#566: cloudflare on linux NON-root, accepts auto-install: wraps curl+chmod in sudo", async () => {
+    const env = makeEnv();
+    try {
+      let cloudflaredPresent = false;
+      const runner: Runner = async (cmd) => {
+        if (cmd.slice(0, 2).join(" ") === "cloudflared --version") {
+          return cloudflaredPresent
+            ? { code: 0, stdout: "cloudflared 2024.1.0\n", stderr: "" }
+            : { code: 127, stdout: "", stderr: "not found" };
+        }
+        if (cmd[0] === "tailscale") return { code: 127, stdout: "", stderr: "not found" };
+        throw new Error(`unexpected runner call: ${cmd.join(" ")}`);
+      };
+      const { prompt } = queuePrompt(["2", "y", "y", "vault.example.com"]);
+      const interactiveCmds: string[][] = [];
+      const code = await exposePublicInteractive({
+        runner,
+        interactiveRunner: async (cmd) => {
+          interactiveCmds.push([...cmd]);
+          if (cmd.includes("login")) writeFileSync(join(env.cloudflaredHome, "cert.pem"), "---");
+          else cloudflaredPresent = true;
+          return 0;
+        },
+        prompt,
+        platform: "linux",
+        arch: "arm64",
+        getuid: () => 1000, // non-root
+        cloudflaredHome: env.cloudflaredHome,
+        lastProviderPath: env.lastProviderPath,
+        statePath: env.statePath,
+        log: () => {},
+        exposePublicImpl: async () => 0,
+        exposeCloudflareUpImpl: async () => 0,
+        runAuthPreflightImpl: noopPreflight,
+      });
+      expect(code).toBe(0);
+      // Non-root prefixes both privileged steps with non-interactive `sudo -n`
+      // (fails fast instead of hanging on a password prompt under a detached
+      // init).
+      expect(interactiveCmds[0]?.slice(0, 2)).toEqual(["sudo", "-n"]);
+      expect(interactiveCmds[0]).toContain("curl");
+      expect(interactiveCmds[1]?.slice(0, 2)).toEqual(["sudo", "-n"]);
+      expect(interactiveCmds[1]).toContain("chmod");
+    } finally {
+      env.cleanup();
+    }
+  });
+
+  test("hub#566: cloudflare on linux, sudo curl FAILS: prints manual + --cloudflare hint, exits 1", async () => {
+    const env = makeEnv();
+    try {
+      const runner: Runner = async (cmd) => {
+        if (cmd.slice(0, 2).join(" ") === "cloudflared --version") {
+          return { code: 127, stdout: "", stderr: "not found" };
+        }
+        if (cmd[0] === "tailscale") return { code: 127, stdout: "", stderr: "not found" };
+        throw new Error(`unexpected runner call: ${cmd.join(" ")}`);
+      };
+      const { prompt } = queuePrompt(["2", "y"]);
+      const logs: string[] = [];
+      let cloudflareCalled = false;
+      const code = await exposePublicInteractive({
+        runner,
+        // Simulate sudo failing (no cached creds, no tty).
+        interactiveRunner: async () => 1,
+        prompt,
+        platform: "linux",
+        arch: "x64",
+        getuid: () => 1000,
+        cloudflaredHome: env.cloudflaredHome,
+        lastProviderPath: env.lastProviderPath,
+        statePath: env.statePath,
+        log: (l) => logs.push(l),
+        exposePublicImpl: async () => 0,
+        exposeCloudflareUpImpl: async () => {
+          cloudflareCalled = true;
+          return 0;
+        },
+      });
+      expect(code).toBe(1);
+      expect(cloudflareCalled).toBe(false);
+      const joined = logs.join("\n");
+      expect(joined).toContain("Download failed");
+      expect(joined).toContain("parachute expose public --cloudflare");
+    } finally {
+      env.cleanup();
+    }
+  });
+
   test("user picks cloudflare on macos but declines brew: exits 1, no install attempted", async () => {
     const env = makeEnv();
     try {

package/src/__tests__/init.test.ts

@@ -898,14 +898,15 @@ describe("init exposure chain", () => {
     }
   });
 
-  test("exposure chain non-zero exit propagates", async () => {
+  test("hub#565: a failed exposure chain does NOT abort init — warns, continues, exits 0", async () => {
     const h = makeHarness();
     try {
       writeHubPort(1939, h.configDir);
+      const logs: string[] = [];
       const code = await init({
         configDir: h.configDir,
         manifestPath: h.manifestPath,
-        log: () => {},
+        log: (l) => logs.push(l),
         alive: () => false,
         ensureHub: async () => ({ pid: 7, port: 1939, started: true }),
         readExposeStateFn: () => undefined,
@@ -915,8 +916,46 @@ describe("init exposure chain", () => {
         exposeTailnetImpl: async () => 0,
         exposeCloudflareImpl: async () => 2,
         exposeChoice: "cloudflare",
+        installVaultModuleImpl: noopVaultInstall,
       });
-      expect(code).toBe(2);
+      // Init reaches the admin-URL/wizard handoff regardless of the expose
+      // failure (exposure is an enhancement, not a prerequisite).
+      expect(code).toBe(0);
+      const joined = logs.join("\n");
+      // Warned about the failure + printed the exact retry command (the
+      // `--cloudflare` flag matters — bare `expose public` defaults to
+      // Tailscale, hub#566).
+      expect(joined).toContain("Couldn't finish setting up public access");
+      expect(joined).toContain("parachute expose public --cloudflare");
+      // Fell through to the loopback admin URL.
+      expect(joined).toContain("http://127.0.0.1:1939/admin/");
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("hub#565: tailnet expose failure prints the --tailnet retry command", async () => {
+    const h = makeHarness();
+    try {
+      writeHubPort(1939, h.configDir);
+      const logs: string[] = [];
+      const code = await init({
+        configDir: h.configDir,
+        manifestPath: h.manifestPath,
+        log: (l) => logs.push(l),
+        alive: () => false,
+        ensureHub: async () => ({ pid: 7, port: 1939, started: true }),
+        readExposeStateFn: () => undefined,
+        isTty: false,
+        platform: "linux",
+        env: {},
+        exposeTailnetImpl: async () => 3,
+        exposeCloudflareImpl: async () => 0,
+        exposeChoice: "tailnet",
+        installVaultModuleImpl: noopVaultInstall,
+      });
+      expect(code).toBe(0);
+      expect(logs.join("\n")).toContain("parachute expose public --tailnet");
     } finally {
       h.cleanup();
     }

package/src/__tests__/install.test.ts

@@ -2,7 +2,7 @@ import { describe, expect, test } from "bun:test";
 import { existsSync, mkdtempSync, readFileSync, realpathSync, rmSync } from "node:fs";
 import { tmpdir } from "node:os";
 import { join } from "node:path";
-import { install } from "../commands/install.ts";
+import { defaultStartLifecycleOpts, install } from "../commands/install.ts";
 import { findService, upsertService } from "../services-manifest.ts";
 
 function makeTempPath(): { path: string; configDir: string; cleanup: () => void } {
@@ -1721,3 +1721,26 @@ describe("install", () => {
     }
   });
 });
+
+describe("hub#573 — install auto-start converges on supervised detection", () => {
+  test("the default start opts opt into real supervisor detection + the migrate offer", () => {
+    const log = () => {};
+    const opts = defaultStartLifecycleOpts({
+      manifestPath: "/tmp/services.json",
+      configDir: "/tmp/cfg",
+      log,
+    });
+    // `supervisor: {}` (present, even if empty) → lifecycle resolves
+    // `unitInstalled` via the real `isHubUnitInstalled` probe instead of the
+    // omitted-supervisor default of `false`. Pre-fix this block was absent, so
+    // the auto-start ALWAYS concluded "no unit" and printed the spurious
+    // "No supervised hub unit is installed" + "didn't start cleanly".
+    expect(opts.supervisor).toEqual({});
+    // The cutover offer is armed, matching `parachute start <svc>` (cli.ts).
+    expect(opts.migrateOffer).toEqual({ enabled: true });
+    // Plumbing preserved.
+    expect(opts.manifestPath).toBe("/tmp/services.json");
+    expect(opts.configDir).toBe("/tmp/cfg");
+    expect(opts.log).toBe(log);
+  });
+});