@openparachute/hub 0.6.5-rc.7 → 0.7.0

package/src/__tests__/api-modules.test.ts

@@ -214,14 +214,14 @@ describe("GET /api/modules", () => {
     expect(res.status).toBe(401);
   });
 
-  test("200 + curated list on fresh container (empty services.json)", async () => {
+  test("200 + full self-registration catalog on fresh container (empty services.json)", async () => {
     // The v0.6 hot path: brand-new Render container, no services.json
-    // yet. UI must render "install vault / scribe" cards even though
-    // nothing's installed. Trimmed 2026-05-27 (Aaron-directed launch
-    // focus): notes (notes-daemon), surface (host module), and runner
-    // (experimental) are no longer curated — notes.parachute.computer
-    // is the hosted PWA, surface-client is the library for custom UI
-    // builders, and runner isn't in the launch focus set.
+    // yet. Post-2026-06-09 (modular-UI architecture, P2) discovery is driven
+    // by the UNION of the bootstrap registries (KNOWN_MODULES ∪
+    // FIRST_PARTY_FALLBACKS), NOT a curated whitelist. Every known module
+    // surfaces — core (vault/scribe/surface) in the headline tier, the rest
+    // (channel/runner/notes) as `experimental` — so the channel-not-installed
+    // class (running but invisible) can't recur.
     const bearer = await mintBearer(h, [API_MODULES_REQUIRED_SCOPE]);
     const res = await handleApiModules(getReq({ authorization: `Bearer ${bearer}` }), {
       db: h.db,
@@ -233,16 +233,32 @@ describe("GET /api/modules", () => {
     const body = (await res.json()) as {
       modules: Array<{
         short: string;
+        focus: "core" | "experimental";
         available: boolean;
         installed: boolean;
         latest_version: string | null;
       }>;
       supervisor_available: boolean;
     };
-    // Curated order is preserved: vault → scribe (vault first per the
-    // recommended install order — the wizard's vault step already runs
-    // before this catalog surfaces).
-    expect(body.modules.map((m) => m.short)).toEqual(["vault", "scribe"]);
+    const shorts = body.modules.map((m) => m.short);
+    // The core tier leads, in the recommended install order (vault → scribe),
+    // ahead of every experimental module.
+    expect(shorts.indexOf("vault")).toBeLessThan(shorts.indexOf("scribe"));
+    expect(shorts.indexOf("scribe")).toBeLessThan(shorts.indexOf("channel"));
+    expect(shorts.indexOf("scribe")).toBeLessThan(shorts.indexOf("runner"));
+    // Every known module is discoverable — vault/scribe/surface (core) +
+    // channel/runner/notes (experimental).
+    for (const s of ["vault", "scribe", "surface", "channel", "runner", "notes"]) {
+      expect(shorts).toContain(s);
+    }
+    // Focus tier resolves from the default map.
+    const byShort = new Map(body.modules.map((m) => [m.short, m]));
+    expect(byShort.get("vault")?.focus).toBe("core");
+    expect(byShort.get("scribe")?.focus).toBe("core");
+    expect(byShort.get("surface")?.focus).toBe("core");
+    expect(byShort.get("channel")?.focus).toBe("experimental");
+    expect(byShort.get("runner")?.focus).toBe("experimental");
+    expect(byShort.get("notes")?.focus).toBe("experimental");
     expect(body.modules.every((m) => m.available)).toBe(true);
     expect(body.modules.every((m) => !m.installed)).toBe(true);
     expect(body.modules.every((m) => m.latest_version === "0.9.9")).toBe(true);
@@ -288,39 +304,56 @@ describe("GET /api/modules", () => {
     expect(scribe?.available).toBe(true);
   });
 
-  test("uncurated modules (notes / runner / surface) are NOT returned by GET /api/modules", async () => {
-    // CURATED_MODULES was trimmed 2026-05-27 to [vault, scribe]. The
-    // KNOWN_MODULES + FIRST_PARTY_FALLBACKS registries still carry
-    // entries for notes / runner (install-bootstrap path), but
-    // /api/modules only returns CURATED rows. Pins the boundary so a
-    // future re-curation has to be intentional, not a stale registry
-    // leak.
+  test("channel (running + self-registered) appears as installed + experimental — regression for the channel-not-installed bug", async () => {
+    // THE bug this PR fixes (2026-06-09 modular-UI architecture, P2): channel
+    // was running, proxied, supervised, and self-registered in services.json
+    // yet invisible on the Modules screen — because the old CURATED_MODULES =
+    // ["vault","scribe"] whitelist gated discovery. Now discovery is driven by
+    // self-registration ∪ the known registries, so a self-registered channel
+    // row surfaces as installed, in the experimental tier, with its run-state.
+    writeManifest(h.manifestPath, [
+      {
+        name: "parachute-channel",
+        port: 1941,
+        paths: ["/channel"],
+        health: "/channel/health",
+        version: "0.3.1",
+      },
+    ]);
+    const { supervisor } = makeIdleSupervisor();
+    await supervisor.start({ short: "channel", cmd: ["parachute-channel", "daemon"] });
+
     const bearer = await mintBearer(h, [API_MODULES_REQUIRED_SCOPE]);
     const res = await handleApiModules(getReq({ authorization: `Bearer ${bearer}` }), {
       db: h.db,
       issuer: ISSUER,
       manifestPath: h.manifestPath,
+      supervisor,
       fetchLatestVersion: async () => null,
     });
-    const body = (await res.json()) as { modules: Array<{ short: string }> };
-    const shorts = body.modules.map((m) => m.short);
-    // Positive shape assertion — stronger than `not.toContain` because
-    // it also catches "we accidentally added a new uncurated entry"
-    // and "we accidentally removed an existing curated entry." Update
-    // this assertion intentionally when CURATED_MODULES changes.
-    expect(shorts).toEqual(["vault", "scribe"]);
-    // Belt + suspenders: explicit negatives for the modules dropped
-    // 2026-05-27, so a developer regressing the curated list sees both
-    // the shape failure AND the named-module failure messages.
-    expect(shorts).not.toContain("notes");
-    expect(shorts).not.toContain("runner");
-    expect(shorts).not.toContain("surface");
+    const body = (await res.json()) as {
+      modules: Array<{
+        short: string;
+        focus: "core" | "experimental";
+        installed: boolean;
+        installed_version: string | null;
+        supervisor_status: string | null;
+      }>;
+    };
+    const channel = body.modules.find((m) => m.short === "channel");
+    expect(channel).toBeDefined();
+    expect(channel?.installed).toBe(true);
+    expect(channel?.installed_version).toBe("0.3.1");
+    expect(channel?.focus).toBe("experimental");
+    expect(channel?.supervisor_status).toBe("running");
   });
 
-  test("non-curated supervised modules appear in `supervised` (not `modules`) — hub#539", async () => {
-    // surface (the UI host) is supervised but not curated. Its run-state must
-    // surface in `supervised` so `parachute status` reads it `active`, while it
-    // stays OUT of the curated `modules` catalog (which drives the install UI).
+  test("every self-registered + known module appears in `modules` — no running-but-invisible class", async () => {
+    // The two-registry-disagreement (services.json says installed, the curated
+    // whitelist says invisible) is gone: a self-registered surface row + a
+    // supervised channel both surface in `modules` (2026-06-09 modular-UI
+    // architecture). `supervised` still mirrors the run-state for every
+    // tracked module (hub#539) — consumers dedupe by short.
     writeManifest(h.manifestPath, [
       {
         name: "parachute-vault",
@@ -329,6 +362,13 @@ describe("GET /api/modules", () => {
         health: "/vault/default/health",
         version: "0.4.5",
       },
+      {
+        name: "parachute-surface",
+        port: 1946,
+        paths: ["/surface"],
+        health: "/surface/healthz",
+        version: "0.2.0",
+      },
     ]);
     const { supervisor } = makeIdleSupervisor();
     await supervisor.start({ short: "vault", cmd: ["parachute-vault", "serve"] });
@@ -343,15 +383,17 @@ describe("GET /api/modules", () => {
       fetchLatestVersion: async () => null,
     });
     const body = (await res.json()) as {
-      modules: Array<{ short: string }>;
+      modules: Array<{ short: string; installed: boolean }>;
       supervised: Array<{ short: string; supervisor_status: string | null; pid: number | null }>;
     };
-    // surface stays out of the curated catalog…
-    expect(body.modules.map((m) => m.short)).not.toContain("surface");
-    // …but its run-state is in `supervised`, marked running with a pid.
-    const surf = body.supervised.find((m) => m.short === "surface");
-    expect(surf?.supervisor_status).toBe("running");
-    expect(typeof surf?.pid).toBe("number");
+    // surface is now IN the catalog (it was excluded under the whitelist), and
+    // reflects installed:true from its services.json row.
+    const surf = body.modules.find((m) => m.short === "surface");
+    expect(surf?.installed).toBe(true);
+    // …and its run-state is still in `supervised`, marked running with a pid.
+    const surfSup = body.supervised.find((m) => m.short === "surface");
+    expect(surfSup?.supervisor_status).toBe("running");
+    expect(typeof surfSup?.pid).toBe("number");
     // Curated modules appear in `supervised` too (consumers dedupe by short).
     expect(body.supervised.find((m) => m.short === "vault")?.supervisor_status).toBe("running");
   });
@@ -485,10 +527,12 @@ describe("GET /api/modules", () => {
     expect(scribe?.supervisor_start_error).toBeNull();
   });
 
-  test("populates management_url from a relative managementUrl + module mount (hub#342)", async () => {
-    // Vault declares `managementUrl: "/admin"` in its module.json — hub
-    // resolves that against the entry's mount path (`/vault/default`)
-    // to produce the absolute admin URL the SPA's "Open" button targets.
+  test("populates management_url from a RELATIVE managementUrl + module mount (B4 per-instance form)", async () => {
+    // Vault's new manifest declares `managementUrl: "admin/"` — relative, no
+    // leading slash: the per-instance form under the B4 unified semantics
+    // (2026-06-09 hub-module-boundary). Hub joins it under the entry's mount
+    // path (`/vault/default`) to produce the absolute admin URL the SPA's
+    // "Open" button targets.
     writeManifest(h.manifestPath, [
       {
         name: "parachute-vault",
@@ -510,6 +554,55 @@ describe("GET /api/modules", () => {
         // shape via `as unknown as ...` because the test only exercises
         // the consumer-side resolver, not the validator (which lives in
         // module-manifest.ts and has its own test suite).
+        if (installDir === "/install/dir/vault") {
+          return {
+            name: "parachute-vault",
+            manifestName: "parachute-vault",
+            displayName: "Vault",
+            tagline: "",
+            port: 1940,
+            paths: ["/vault/default"],
+            health: "/health",
+            managementUrl: "admin/",
+          } as unknown as Awaited<
+            ReturnType<typeof import("../module-manifest.ts").readModuleManifest>
+          >;
+        }
+        return null;
+      },
+    });
+    expect(res.status).toBe(200);
+    const body = (await res.json()) as {
+      modules: Array<{ short: string; management_url: string | null }>;
+    };
+    const vault = body.modules.find((m) => m.short === "vault");
+    expect(vault?.management_url).toBe("/vault/default/admin/");
+  });
+
+  test('COMPAT SHIM: the literal legacy "/admin" on a VAULT entry still mount-joins (one release)', async () => {
+    // Deployed vaults still declare `managementUrl: "/admin"` — the OLD
+    // per-instance relative form. Under the new semantics a leading-"/" is
+    // origin-absolute (which would point at the daemon-level /vault/admin
+    // mount, not the instance), so the literal "/admin"/"/admin/" on a vault
+    // entry keeps the old mount-join behavior for one release, with a
+    // deprecation log. Remove the shim once vault's new manifest is @latest.
+    writeManifest(h.manifestPath, [
+      {
+        name: "parachute-vault",
+        port: 1940,
+        paths: ["/vault/default"],
+        health: "/vault/default/health",
+        version: "0.4.5",
+        installDir: "/install/dir/vault",
+      },
+    ]);
+    const bearer = await mintBearer(h, [API_MODULES_REQUIRED_SCOPE]);
+    const res = await handleApiModules(getReq({ authorization: `Bearer ${bearer}` }), {
+      db: h.db,
+      issuer: ISSUER,
+      manifestPath: h.manifestPath,
+      fetchLatestVersion: async () => null,
+      readModuleManifest: async (installDir) => {
         if (installDir === "/install/dir/vault") {
           return {
             name: "parachute-vault",
@@ -532,24 +625,117 @@ describe("GET /api/modules", () => {
       modules: Array<{ short: string; management_url: string | null }>;
     };
     const vault = body.modules.find((m) => m.short === "vault");
+    // Mount-joined (legacy behavior preserved), NOT origin-absolute "/admin".
     expect(vault?.management_url).toBe("/vault/default/admin");
   });
 
-  test("management_url does not double-prepend mount when managementUrl is already mount-prefixed (hub#380)", async () => {
-    // Audit caught 2026-05-25: surface declared `managementUrl: "/surface/admin/"`
-    // (full hub-origin path) and `paths: ["/surface", "/.parachute"]`. The
-    // SPA's Services dropdown was navigating to `/surface/surface/admin/`
-    // (404) because api-modules unconditionally prepended the mount onto
-    // the candidate. Fix: detect already-mount-prefixed paths and pass
-    // through.
-    //
-    // Single-instance modules conventionally declare the full path; only
-    // multi-instance modules (vault) use the per-instance relative form.
-    // Post 2026-05-27 CURATED trim the canonical single-instance example
-    // is scribe (when scribe ships a managementUrl — scribe#53). For now
-    // we exercise the same code path with vault declaring an
-    // already-mount-prefixed managementUrl: any module whose declared
-    // URL starts with its mount must pass through unchanged.
+  test("populates config_ui_url from a module's configUiUrl (2026-06-09 modular-UI P3)", async () => {
+    // Channel declares `configUiUrl: "/channel/admin"` (a single-instance,
+    // origin-absolute path) + `uiUrl: "/channel/ui"`. The hub surfaces
+    // both: `config_ui_url` drives the Modules page Configure action,
+    // `management_url` drives Open. configUiUrl resolves identically to
+    // managementUrl (same B4 unified semantics).
+    writeManifest(h.manifestPath, [
+      {
+        name: "channel",
+        port: 1941,
+        paths: ["/channel"],
+        health: "/health",
+        version: "0.1.0",
+        installDir: "/install/dir/channel",
+      },
+    ]);
+    const bearer = await mintBearer(h, [API_MODULES_REQUIRED_SCOPE]);
+    const res = await handleApiModules(getReq({ authorization: `Bearer ${bearer}` }), {
+      db: h.db,
+      issuer: ISSUER,
+      manifestPath: h.manifestPath,
+      fetchLatestVersion: async () => null,
+      readModuleManifest: async (installDir) => {
+        if (installDir === "/install/dir/channel") {
+          return {
+            name: "channel",
+            manifestName: "parachute-channel",
+            displayName: "Channel",
+            tagline: "",
+            port: 1941,
+            paths: ["/channel"],
+            health: "/health",
+            uiUrl: "/channel/ui",
+            configUiUrl: "/channel/admin",
+          } as unknown as Awaited<
+            ReturnType<typeof import("../module-manifest.ts").readModuleManifest>
+          >;
+        }
+        return null;
+      },
+    });
+    expect(res.status).toBe(200);
+    const body = (await res.json()) as {
+      modules: Array<{
+        short: string;
+        config_ui_url: string | null;
+        management_url: string | null;
+      }>;
+    };
+    const channel = body.modules.find((m) => m.short === "channel");
+    // Origin-absolute — verbatim, never double-prepends `/channel`.
+    expect(channel?.config_ui_url).toBe("/channel/admin");
+    // uiUrl (no managementUrl) drives the Open action's management_url.
+    expect(channel?.management_url).toBe("/channel/ui");
+  });
+
+  test("config_ui_url is null when the module declares no configUiUrl", async () => {
+    writeManifest(h.manifestPath, [
+      {
+        name: "parachute-vault",
+        port: 1940,
+        paths: ["/vault/default"],
+        health: "/vault/default/health",
+        version: "0.4.5",
+        installDir: "/install/dir/vault",
+      },
+    ]);
+    const bearer = await mintBearer(h, [API_MODULES_REQUIRED_SCOPE]);
+    const res = await handleApiModules(getReq({ authorization: `Bearer ${bearer}` }), {
+      db: h.db,
+      issuer: ISSUER,
+      manifestPath: h.manifestPath,
+      fetchLatestVersion: async () => null,
+      readModuleManifest: async (installDir) => {
+        if (installDir === "/install/dir/vault") {
+          return {
+            name: "parachute-vault",
+            manifestName: "parachute-vault",
+            displayName: "Vault",
+            tagline: "",
+            port: 1940,
+            paths: ["/vault/default"],
+            health: "/health",
+            managementUrl: "/admin",
+          } as unknown as Awaited<
+            ReturnType<typeof import("../module-manifest.ts").readModuleManifest>
+          >;
+        }
+        return null;
+      },
+    });
+    expect(res.status).toBe(200);
+    const body = (await res.json()) as {
+      modules: Array<{ short: string; config_ui_url: string | null }>;
+    };
+    const vault = body.modules.find((m) => m.short === "vault");
+    expect(vault?.config_ui_url).toBeNull();
+  });
+
+  test("management_url passes a leading-slash path through verbatim (origin-absolute, B4)", async () => {
+    // Historical context (hub#380): surface declared `managementUrl:
+    // "/surface/admin/"` (full hub-origin path) and the resolver
+    // double-prepended the mount (`/surface/surface/admin/` → 404), patched
+    // then by an already-mount-prefixed heuristic. Under the B4 unified
+    // semantics the heuristic is gone: ANY leading-"/" path is
+    // ORIGIN-ABSOLUTE and passes through verbatim (except the vault "/admin"
+    // compat shim) — same result here, simpler rule.
     writeManifest(h.manifestPath, [
       {
         name: "parachute-vault",
@@ -576,8 +762,8 @@ describe("GET /api/modules", () => {
             port: 1940,
             paths: ["/vault/default"],
             health: "/vault/default/health",
-            // Already-mount-prefixed managementUrl — must NOT have the
-            // mount prepended again.
+            // Origin-absolute managementUrl — passes through verbatim,
+            // never gets the mount prepended.
             managementUrl: "/vault/default/admin/",
           } as unknown as Awaited<
             ReturnType<typeof import("../module-manifest.ts").readModuleManifest>
@@ -595,14 +781,12 @@ describe("GET /api/modules", () => {
     expect(vault?.management_url).toBe("/vault/default/admin/");
   });
 
-  test("management_url prefix-ish names don't collide (hub#380 — /app vs /app-foo)", async () => {
-    // The detection uses `tail.startsWith(\`${mount}/\`)` with the trailing
-    // slash specifically to avoid a false positive when a candidate
-    // path looks like a sibling name (e.g. `/app-foo/admin` shouldn't be
-    // treated as "already prefixed by /app"). Without the slash gate,
-    // a future module named `app-foo` would silently inherit the
-    // pass-through behavior and `/app` mount would skip its prepend.
-    // Tests the trailing-slash discriminator stays load-bearing.
+  test("management_url: a leading-slash path NOT under the mount is still origin-absolute (B4 inverts hub#380)", async () => {
+    // INVERTED PIN (B4). Pre-B4 the resolver prepended the mount onto any
+    // leading-"/" candidate that didn't look already-mount-prefixed:
+    // mount=/surface + "/app-foo/admin" → "/surface/app-foo/admin". Under
+    // the unified semantics a leading-"/" is ORIGIN-ABSOLUTE, verbatim —
+    // the module says exactly where its surface lives on the origin.
     writeManifest(h.manifestPath, [
       {
         name: "parachute-vault",
@@ -629,8 +813,8 @@ describe("GET /api/modules", () => {
             port: 1940,
             paths: ["/surface"],
             health: "/surface/health",
-            // candidate looks like a sibling-name prefix but is NOT a
-            // mount-prefix of /app — should still get prepended.
+            // Origin-absolute path outside this module's own mount —
+            // verbatim under B4 (pre-B4 this was mount-prepended).
             managementUrl: "/app-foo/admin",
           } as unknown as Awaited<
             ReturnType<typeof import("../module-manifest.ts").readModuleManifest>
@@ -644,14 +828,13 @@ describe("GET /api/modules", () => {
       modules: Array<{ short: string; management_url: string | null }>;
     };
     const vault = body.modules.find((m) => m.short === "vault");
-    // /surface + /app-foo/admin → /surface/app-foo/admin (prepend fires; not
-    // treated as already-mount-prefixed because /app-foo/ doesn't start with /surface/).
-    expect(vault?.management_url).toBe("/surface/app-foo/admin");
+    // Origin-absolute, verbatim — NOT /surface/app-foo/admin.
+    expect(vault?.management_url).toBe("/app-foo/admin");
   });
 
-  test("management_url equality edge: tail equals mount exactly (hub#380)", async () => {
-    // mount=/foo, candidate=/foo → tail === mount → pass through unchanged.
-    // Not a "real" config but pins the equality branch of the detection.
+  test("management_url equality edge: candidate equals mount exactly", async () => {
+    // mount=/foo, candidate=/foo → origin-absolute, verbatim — same output
+    // as the pre-B4 equality branch, simpler rule.
     writeManifest(h.manifestPath, [
       {
         name: "parachute-vault",

package/src/__tests__/hub-db-liveness.test.ts

@@ -214,18 +214,23 @@ describe("DbHolder.probePath (#610 proactive detection)", () => {
     h.cleanup();
   });
 
-  test("path GONE (ENOENT) → reopen attempted; reopen verify fails → exit(1)", () => {
-    // Reopen returns a closed handle (the dir is still gone) → SELECT 1 throws
-    // → exit. This is the genuine `rm -rf ~/.parachute` field shape.
-    const dead = new Database(":memory:");
-    dead.close();
+  test("path GONE (ENOENT) → exit(1) directly, NO reopen (#619 follow-up)", () => {
+    // The genuine `rm -rf ~/.parachute` field shape. We must NOT reopen here:
+    // reopen is openHubDb, which mkdir-recursive's the dir back + opens a fresh
+    // EMPTY db, so its SELECT-1 verify would PASS and the hub would "heal" into a
+    // half-recovered state (empty db, stale in-memory state, wiped well-known,
+    // un-respawned modules). A full wipe must exit so the platform manager does a
+    // clean restart that re-bootstraps everything. `onReopen` throws to PROVE the
+    // reopen path is never taken — if it were, this test would surface the throw.
     const h = makeHolder({
       initialInode: INODE_A,
       statInode: () => undefined, // ENOENT
-      onReopen: () => dead,
+      onReopen: () => {
+        throw new Error("reopen must NOT be called on a gone verdict");
+      },
     });
     expect(h.holder.probePath()).toBe("gone");
-    expect(h.stats().reopens).toBe(1);
+    expect(h.stats().reopens).toBe(0);
     expect(h.stats().exits).toBe(1);
     expect(h.stats().exitCode).toBe(1);
     h.cleanup();