@openparachute/hub 0.6.4 → 0.6.5-rc.2

package/src/hub-unit.ts

@@ -85,7 +85,9 @@ export interface HubUnitDeps extends ManagedUnitDeps {
    * `null` when the hub doesn't answer at all (connection-refused / timeout).
    * Production uses a bounded `fetch`; tests inject a deterministic stub.
    */
-  probeHealthVersion: (port: number) => Promise<{ ok: boolean; version?: string } | null>;
+  probeHealthVersion: (
+    port: number,
+  ) => Promise<{ ok: boolean; version?: string; db?: string } | null>;
   /** TCP connect-probe for readiness polling (reuses `defaultPortListening`). */
   portListening: PortListeningFn;
   /** Sleep between readiness polls (tests pin to 0). */
@@ -118,27 +120,48 @@ async function defaultProbeHealth(port: number): Promise<boolean> {
  */
 async function defaultProbeHealthVersion(
   port: number,
-): Promise<{ ok: boolean; version?: string } | null> {
+): Promise<{ ok: boolean; version?: string; db?: string } | null> {
   try {
     const res = await fetch(`http://127.0.0.1:${port}/health`, {
       signal: AbortSignal.timeout(1500),
     });
     let version: string | undefined;
+    let db: string | undefined;
     try {
       const body = (await res.json()) as unknown;
-      if (body && typeof body === "object" && "version" in body) {
+      if (body && typeof body === "object") {
         const v = (body as { version?: unknown }).version;
         if (typeof v === "string" && v.length > 0) version = v;
+        // `db` liveness verdict (#594): "ok" / "error: <class>" / "unconfigured".
+        // Threaded through so the adoption probe can treat a db-error hub as
+        // needing a restart even when its version matches.
+        const d = (body as { db?: unknown }).db;
+        if (typeof d === "string" && d.length > 0) db = d;
       }
     } catch {
-      // Non-JSON body → no version. Leave `version` undefined (→ mismatch).
+      // Non-JSON body → no version/db. Leave undefined (→ mismatch / unknown db).
     }
-    return version !== undefined ? { ok: res.ok, version } : { ok: res.ok };
+    const out: { ok: boolean; version?: string; db?: string } = { ok: res.ok };
+    if (version !== undefined) out.version = version;
+    if (db !== undefined) out.db = db;
+    return out;
   } catch {
     return null;
   }
 }
 
+/**
+ * True when a `/health` `db` field reports a non-recoverable liveness fault
+ * (#594) — anything starting with "error:" (e.g. "error: fatal" from the
+ * dead-handle field repro). "ok" and "unconfigured" are not faults: a
+ * pre-wizard hub with no DB rows still reports a working handle. A missing
+ * `db` field (an older hub that predates #594) reads as "unknown → don't
+ * treat as a fault" so we never restart a hub merely for lacking the field.
+ */
+function healthReportsDbFault(db: string | undefined): boolean {
+  return typeof db === "string" && db.startsWith("error:");
+}
+
 export const defaultHubUnitDeps: HubUnitDeps = {
   ...defaultManagedUnitDeps,
   probeHealth: defaultProbeHealth,
@@ -510,13 +533,22 @@ export async function ensureHubVersionMatches(
   }
 
   const runningVersion = probe.version;
-  if (runningVersion === installedVersion) {
-    // Exactly today's behavior — versions agree, no extra restart.
+  const dbFault = healthReportsDbFault(probe.db);
+  if (runningVersion === installedVersion && !dbFault) {
+    // Versions agree AND the DB handle is live — today's behavior, no restart.
     return { outcome: "match", runningVersion, installedVersion, messages: [] };
   }
 
-  // Mismatch (includes the no-`version`-field very-old-hub case → undefined).
-  const runningLabel = runningVersion ?? "an older version (no version field)";
+  // From here we know the running hub needs a restart: EITHER its version is
+  // stale (the #590 zombie-adoption case) OR it's reporting a dead DB handle
+  // (#594 — a hub that adopted-as-version-match but whose state dir was deleted
+  // under it; /health stays 200 while every DB route 500s). Both run through
+  // the same restart-once machinery. `runningLabel` describes whichever fault
+  // we're acting on so the operator sees an accurate reason.
+  const versionMismatch = runningVersion !== installedVersion;
+  const runningLabel = versionMismatch
+    ? (runningVersion ?? "an older version (no version field)")
+    : `${runningVersion} with a dead database handle (${probe.db})`;
 
   // Is this hub one we can restart through the manager? If there's no manager,
   // or no unit installed, the running hub is a legacy detached pid / a dev
@@ -556,45 +588,60 @@ export async function ensureHubVersionMatches(
     outcome: "restarted",
     runningVersion: v,
     installedVersion,
-    messages: [`✓ hub unit restarted; now running ${installedVersion}.`],
+    messages: [`✓ hub unit restarted; now running ${installedVersion} with a live database.`],
   });
-  const stillMismatchedResult = (last: string | undefined): EnsureHubVersionMatchesResult => {
-    const reports = last ? ` (reports ${last})` : "";
+  const stillMismatchedResult = (
+    last: { version?: string; db?: string } | undefined,
+  ): EnsureHubVersionMatchesResult => {
+    const lastVersion = last?.version;
+    const reports = lastVersion ? ` (reports ${lastVersion})` : "";
+    const dbStillBad = healthReportsDbFault(last?.db);
     return {
       outcome: "still-mismatched",
-      ...(last !== undefined ? { runningVersion: last } : {}),
+      ...(lastVersion !== undefined ? { runningVersion: lastVersion } : {}),
       installedVersion,
-      messages: [
-        `⚠ restarted the hub unit, but it is still not reporting ${installedVersion}${reports}.`,
-        "  This can happen with a bun-linked checkout on a feature branch whose package.json version trails the running code.",
-        `  Continuing — verify with \`parachute status\` / \`curl http://127.0.0.1:${port}/health\` if the hub should be on a specific version.`,
-      ],
+      messages: dbStillBad
+        ? [
+            `⚠ restarted the hub unit, but its database still reports a fault (${last?.db}).`,
+            "  The state directory may still be missing or the database file corrupted.",
+            `  Check it with \`curl http://127.0.0.1:${port}/health\` and ensure ~/.parachute exists.`,
+          ]
+        : [
+            `⚠ restarted the hub unit, but it is still not reporting ${installedVersion}${reports}.`,
+            "  This can happen with a bun-linked checkout on a feature branch whose package.json version trails the running code.",
+            `  Continuing — verify with \`parachute status\` / \`curl http://127.0.0.1:${port}/health\` if the hub should be on a specific version.`,
+          ],
     };
   };
 
-  // Re-probe `/health` until the running version matches the installed version
-  // or the readiness budget elapses. Restart-loop guard: we restart AT MOST
-  // once — if it still mismatches after this single restart (e.g. a bun-linked
-  // checkout on a branch), we warn + continue rather than looping.
+  // A re-probe counts as "healed" only when the version matches AND the DB
+  // handle is live — a restart that came back on the right version but with a
+  // still-dead handle hasn't actually fixed the #594 fault.
+  const probeHealed = (p: { version?: string; db?: string } | null): boolean =>
+    p !== null && p.version === installedVersion && !healthReportsDbFault(p.db);
+
+  // Re-probe `/health` until the hub is healed or the readiness budget elapses.
+  // Restart-loop guard: we restart AT MOST once — if it still mismatches /
+  // db-faults after this single restart (e.g. a bun-linked checkout on a
+  // branch, or a still-missing state dir), we warn + continue rather than loop.
   const deadline = Date.now() + readyTimeoutMs;
   for (;;) {
     const after = await deps.probeHealthVersion(port);
-    if (after !== null && after.version === installedVersion) {
+    if (probeHealed(after)) {
       return restartedResult(installedVersion);
     }
     if (Date.now() >= deadline) {
-      // Report the last-observed (still-stale) version if the hub came back.
-      return stillMismatchedResult(after?.version ?? runningVersion);
+      return stillMismatchedResult(after ?? { version: runningVersion });
     }
     if (readyPollMs > 0) await deps.sleep(readyPollMs);
     else break;
   }
   // readyPollMs === 0 fast-path: one more probe, then settle.
   const finalProbe = await deps.probeHealthVersion(port);
-  if (finalProbe !== null && finalProbe.version === installedVersion) {
+  if (probeHealed(finalProbe)) {
     return restartedResult(installedVersion);
   }
-  return stillMismatchedResult(finalProbe?.version ?? runningVersion);
+  return stillMismatchedResult(finalProbe ?? { version: runningVersion });
 }
 
 /**

package/src/oauth-handlers.ts

@@ -861,22 +861,14 @@ export function handleAuthorizeGet(db: Database, req: Request, deps: OAuthDeps):
   if ("error" in parsed) {
     return htmlError("Invalid authorization request", parsed.error, 400);
   }
-  if (parsed.responseType !== "code") {
-    return oauthErrorRedirect(
-      parsed.redirectUri,
-      "unsupported_response_type",
-      "only response_type=code is supported",
-      parsed.state,
-    );
-  }
-  if (parsed.codeChallengeMethod !== "S256") {
-    return oauthErrorRedirect(
-      parsed.redirectUri,
-      "invalid_request",
-      "PKCE S256 is required",
-      parsed.state,
-    );
-  }
+  // NOTE: response_type / code_challenge_method validation is DELIBERATELY
+  // deferred until after the (client_id, redirect_uri) pair is confirmed
+  // registered (below, just past `requireRegisteredRedirectUri`). RFC 6749
+  // §4.1.2.1: when the redirect_uri can't be validated against the client,
+  // errors MUST be shown to the user — NOT redirected to the supplied URI.
+  // Redirecting here (pre-validation) on a crafted redirect_uri is an open
+  // redirect (hub#570). Once the pair is validated, redirecting these errors
+  // back to the now-trusted URI is spec-correct.
   let client = getClient(db, parsed.clientId);
   if (!client) {
     // Can't safely redirect — we don't trust the redirect_uri until we've
@@ -928,6 +920,49 @@ export function handleAuthorizeGet(db: Database, req: Request, deps: OAuthDeps):
     url.searchParams.set("scope", parsed.scope);
   }
 
+  // Validate the FULL request BEFORE any state mutation (the pending-client
+  // auto-approve below calls `approveClient`). Two reasons, both #570:
+  //
+  //   1. RFC 6749 §4.1.2.1 — an unvalidated redirect_uri error is shown to
+  //      the user, never redirected. `requireRegisteredRedirectUri` first
+  //      confirms the (client_id, redirect_uri) pair is registered; only then
+  //      may we redirect the protocol errors (response_type / PKCE) to it.
+  //   2. We must not permanently promote a pending client to `approved` for a
+  //      request we're about to reject. Pre-fix the redirect-uri + protocol
+  //      checks sat BELOW the auto-approve block, so a malformed request
+  //      (bad response_type / PKCE) against a registered-but-pending client
+  //      mutated the DB before validation ever ran (#570 reviewer fold).
+  //
+  // So: redirect_uri registration → response_type → PKCE, all ahead of the
+  // pending-client auto-approve.
+  try {
+    requireRegisteredRedirectUri(client, parsed.redirectUri);
+  } catch {
+    return htmlError(
+      "Redirect mismatch",
+      "The redirect_uri does not match any URI registered for this app.",
+      400,
+    );
+  }
+  // The pair is confirmed registered, so redirecting these protocol errors to
+  // it is spec-correct (RFC 6749 §4.1.2.1).
+  if (parsed.responseType !== "code") {
+    return oauthErrorRedirect(
+      parsed.redirectUri,
+      "unsupported_response_type",
+      "only response_type=code is supported",
+      parsed.state,
+    );
+  }
+  if (parsed.codeChallengeMethod !== "S256") {
+    return oauthErrorRedirect(
+      parsed.redirectUri,
+      "invalid_request",
+      "PKCE S256 is required",
+      parsed.state,
+    );
+  }
+
   if (client.status !== "approved") {
     // Single-consent change (2026-05-29): the separate operator "approve this
     // client" gate is retired — the user's OAuth consent IS the authorization.
@@ -995,15 +1030,6 @@ export function handleAuthorizeGet(db: Database, req: Request, deps: OAuthDeps):
     }
     client = refreshed;
   }
-  try {
-    requireRegisteredRedirectUri(client, parsed.redirectUri);
-  } catch {
-    return htmlError(
-      "Redirect mismatch",
-      "The redirect_uri does not match any URI registered for this app.",
-      400,
-    );
-  }
 
   // Operator-only scope gate (#96). Reject any request that names a scope
   // we'll never mint via this flow — `parachute:host:admin` and friends.
@@ -2571,6 +2597,23 @@ function consentProps(
 ) {
   const scopes = params.scope.split(" ").filter((s) => s.length > 0);
   const unnamedVerbs = unnamedVaultVerbs(scopes);
+  // Zero-vault non-admin can't authorize a vault-scoped request (hub#431).
+  // The POST handler already 400s this case ("No vaults assigned"); this
+  // flag lets the consent screen render Approve disabled + explain why,
+  // instead of showing an enabled button that lands the user on an error.
+  // Mirrors the vault-scope detection in `handleConsentSubmit`'s zero-vault
+  // gate. Non-vault scopes (`scribe:transcribe`, etc.) stay authorizable.
+  const requestsVaultScope = scopes.some((s) => {
+    if (s === "vault:read" || s === "vault:write" || s === "vault:admin") return true;
+    const parts = s.split(":");
+    return (
+      parts.length === 3 &&
+      parts[0] === "vault" &&
+      parts[2] !== undefined &&
+      VAULT_VERBS.has(parts[2])
+    );
+  });
+  const userCanAuthorizeRequest = userIsAdmin || assignedVaults.length > 0 || !requestsVaultScope;
   // Multi-user Phase 2 PR 2 stale-assignment branch (hub#284 generalized
   // from one vault to N). A non-admin user whose entire vault list has
   // been removed from services.json — admin removed / renamed the vaults
@@ -2696,6 +2739,7 @@ function consentProps(
     // verb against the stale assignment).
     blockApproveForStaleAssignment:
       staleAssignedVault !== undefined && (unnamedVerbs.length > 0 || hasNamedStaleVaultScope),
+    userCanAuthorizeRequest,
   };
 }
 

package/src/oauth-ui.ts

@@ -20,7 +20,7 @@
  *     module scopes that the hub doesn't know about) render verbatim.
  *   - **No JavaScript.** Entirely form-based. Submit is the only interaction.
  */
-import { brandMarkSvg, WORDMARK_TEXT } from "./brand.ts";
+import { WORDMARK_TEXT, brandMarkSvg } from "./brand.ts";
 import { renderCsrfHiddenInput } from "./csrf.ts";
 import { type ScopeExplanation, explainScope } from "./scope-explanations.ts";
 
@@ -138,6 +138,15 @@ export interface ConsentViewProps {
    * the user can still proceed.
    */
   blockApproveForStaleAssignment?: boolean;
+  /**
+   * Multi-user (hub#431): false when the signed-in user can't authorize this
+   * request at all — a non-admin with zero assigned vaults requesting a vault
+   * scope (named or unnamed). The POST handler already 400s this case ("No
+   * vaults assigned"); this flag lets the consent screen render Approve
+   * disabled + show explanatory copy instead of an enabled button that lands
+   * the user on an error page. Defaults to authorizable when omitted.
+   */
+  userCanAuthorizeRequest?: boolean;
 }
 
 export interface VaultPicker {
@@ -318,6 +327,7 @@ export function renderConsent(props: ConsentViewProps): string {
     displayVault,
     staleAssignedVault,
     blockApproveForStaleAssignment,
+    userCanAuthorizeRequest,
   } = props;
   // Substitute unnamed `vault:<verb>` rows with the resolved named form so
   // the operator sees the scope shape that will appear in the token. Raw
@@ -345,11 +355,16 @@ export function renderConsent(props: ConsentViewProps): string {
   // requested scope actually depends on a vault — non-vault flows (e.g.
   // `scribe:transcribe` only) keep Approve enabled so the user can still
   // proceed despite the informational banner.
+  // Zero-vault non-admin requesting a vault scope (hub#431): the POST handler
+  // refuses with 400 "No vaults assigned", so render Approve disabled rather
+  // than leading the user to click into an error page.
+  const cannotAuthorize = userCanAuthorizeRequest === false;
   const approveDisabled =
     (vaultPicker &&
       vaultPicker.lockedVault === undefined &&
       vaultPicker.availableVaults.length === 0) ||
-    blockApproveForStaleAssignment === true
+    blockApproveForStaleAssignment === true ||
+    cannotAuthorize
       ? " disabled"
       : "";
   // Banner copy (hub#284). Worded to the *user* — "ask the admin" framing
@@ -366,6 +381,16 @@ export function renderConsent(props: ConsentViewProps): string {
             again.
           </p>`
       : "";
+  // No-vaults-assigned banner (hub#431). Shown when a non-admin with zero
+  // assigned vaults requests a vault scope — Approve is disabled above, this
+  // explains why and points at admin remediation.
+  const noVaultsBanner = cannotAuthorize
+    ? `<p class="stale-assignment-banner" role="alert">
+            <strong>You have no assigned vaults.</strong>
+            Ask the hub admin to assign you a vault via <code>/admin/users</code>
+            before authorizing vault access.
+          </p>`
+    : "";
   const body = `
     <div class="card">
       <div class="card-header">
@@ -383,6 +408,7 @@ export function renderConsent(props: ConsentViewProps): string {
         </p>
       </div>
       ${staleBanner}
+      ${noVaultsBanner}
       <section class="scopes">
         <h2 class="scopes-title">Permissions requested</h2>
         <ul class="scope-list">${scopeRows}</ul>