@openparachute/hub 0.6.5-rc.7 → 0.7.0

package/src/__tests__/hub-server.test.ts

@@ -85,20 +85,26 @@ function vaultEntry(name: string): ServiceEntry {
 }
 
 describe("hubFetch routing", () => {
-  test("/ serves hub.html with text/html content-type", async () => {
+  // Admin-shell IA (R1): the bare `/` page redirects into the single coherent
+  // admin shell at `/admin`. The old discovery-page content moved into the
+  // shell's Home overview. Only the bare `/` redirects — `/hub.html` still
+  // serves the discovery page (static expose file + explicit-`.html` bookmarks).
+  test("/ redirects (302) to /admin (admin-shell IA)", async () => {
     const h = makeHarness();
     try {
+      // No DB → exercises the redirect on the static-fallback path. The
+      // redirect sits above the static hub.html serve, so it fires regardless
+      // of whether a disk file exists.
       writeFileSync(join(h.dir, "hub.html"), "<html><body>hi</body></html>");
       const res = await hubFetch(h.dir)(req("/"));
-      expect(res.status).toBe(200);
-      expect(res.headers.get("content-type")).toBe("text/html; charset=utf-8");
-      expect(await res.text()).toContain("<html>");
+      expect(res.status).toBe(302);
+      expect(res.headers.get("location")).toBe("/admin");
     } finally {
       h.cleanup();
     }
   });
 
-  test("/hub.html serves the same file as / (no DB → static fallback)", async () => {
+  test("/hub.html still serves the discovery page (no DB → static fallback)", async () => {
     const h = makeHarness();
     try {
       writeFileSync(join(h.dir, "hub.html"), "<html>x</html>");
@@ -173,11 +179,14 @@ describe("hubFetch routing", () => {
     }
   });
 
-  test("/ renders the signed-out indicator dynamically when DB is configured but no session cookie (rc.13)", async () => {
+  test("/hub.html renders the signed-out indicator dynamically when DB is configured but no session cookie (rc.13)", async () => {
     // The dynamic path takes over from the static disk file the moment a
     // DB is configured. With no session cookie, we still render — just
     // with the "Sign in" affordance.
     //
+    // Targets `/hub.html` (not `/`): bare `/` now 302-redirects to the admin
+    // shell (R1). `/hub.html` still serves the dynamic discovery page.
+    //
     // hub#259 rc.6: requires an admin row to bypass the fresh-hub
     // funnel redirect to /admin/setup (Bug 2 fix). Seed one so this
     // test continues to exercise the signed-out-but-setup-done branch.
@@ -198,7 +207,7 @@ describe("hubFetch routing", () => {
         const res = await hubFetch(h.dir, {
           getDb: () => db,
           manifestPath: h.manifestPath,
-        })(req("/"));
+        })(req("/hub.html"));
         expect(res.status).toBe(200);
         expect(res.headers.get("content-type")).toBe("text/html; charset=utf-8");
         const body = await res.text();
@@ -213,10 +222,11 @@ describe("hubFetch routing", () => {
     }
   });
 
-  test("/ renders 'Signed in as <name>' + sign-out form when session cookie is active (rc.13)", async () => {
+  test("/hub.html renders 'Signed in as <name>' + sign-out form when session cookie is active (rc.13)", async () => {
     // Same wizard-funnel bypass as the signed-out test above — seed a
     // vault row and pass an explicit manifestPath so CI doesn't fall back
-    // to ~/.parachute/services.json.
+    // to ~/.parachute/services.json. Targets `/hub.html` (bare `/` now
+    // redirects to the admin shell, R1).
     const h = makeHarness();
     try {
       writeManifest({ services: [vaultEntry("default")] }, h.manifestPath);
@@ -232,7 +242,7 @@ describe("hubFetch routing", () => {
         const res = await hubFetch(h.dir, {
           getDb: () => db,
           manifestPath: h.manifestPath,
-        })(req("/", { headers: { cookie } }));
+        })(req("/hub.html", { headers: { cookie } }));
         expect(res.status).toBe(200);
         const body = await res.text();
         expect(body).toContain("Signed in as");
@@ -249,6 +259,36 @@ describe("hubFetch routing", () => {
     }
   });
 
+  test("/ → /admin even with a DB + admin + vault (setup complete; not the wizard funnel)", async () => {
+    // Distinguishes the admin-shell redirect (302 → /admin) from the fresh-hub
+    // wizard funnel (302 → /admin/setup). With admin + vault seeded, the wizard
+    // funnel is bypassed and the bare `/` lands on the admin shell. Also proves
+    // the redirect fires on the DB-configured path, not just the static
+    // fallback. `/hub.html` under the same setup still renders the discovery
+    // page (asserted separately above) — only bare `/` redirects.
+    const h = makeHarness();
+    try {
+      writeManifest({ services: [vaultEntry("default")] }, h.manifestPath);
+      const db = openHubDb(hubDbPath(h.dir));
+      try {
+        const { createUser } = await import("../users.ts");
+        await createUser(db, "owner", "pw");
+        const handler = hubFetch(h.dir, { getDb: () => db, manifestPath: h.manifestPath });
+        const rootRes = await handler(req("/"));
+        expect(rootRes.status).toBe(302);
+        expect(rootRes.headers.get("location")).toBe("/admin");
+        // /hub.html under the same setup-complete state still serves discovery.
+        const hubHtmlRes = await handler(req("/hub.html"));
+        expect(hubHtmlRes.status).toBe(200);
+        expect(hubHtmlRes.headers.get("content-type")).toBe("text/html; charset=utf-8");
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
   test("/.well-known/parachute.json builds the doc dynamically from services.json", async () => {
     const h = makeHarness();
     try {
@@ -648,8 +688,9 @@ describe("hubFetch routing", () => {
   test("missing hub.html returns 404 rather than crashing", async () => {
     const h = makeHarness();
     try {
-      // dir exists but no files in it
-      const res = await hubFetch(h.dir)(req("/"));
+      // dir exists but no files in it. Targets `/hub.html` directly — bare `/`
+      // now 302-redirects to the admin shell before reaching the static serve.
+      const res = await hubFetch(h.dir)(req("/hub.html"));
       expect(res.status).toBe(404);
     } finally {
       h.cleanup();
@@ -932,23 +973,28 @@ describe("hubFetch routing", () => {
   // 301-redirect to the new /admin/* mount. Tests cover every entry in the
   // dispatch — operator bookmarks landing on any of these still work.
 
-  test("301: /vault → /admin/vaults", async () => {
+  // B5 (2026-06-09 hub-module-boundary): the legacy `/vault[/new]` 301s point
+  // DIRECTLY at vault's daemon-level admin surface — not at /admin/vaults,
+  // whose SPA route is now just a feature-detected forwarder. Pointing at the
+  // final target avoids a redirect → SPA-load → client-side-forward chain.
+
+  test("301: /vault → /vault/admin/ (direct — no chain through /admin/vaults)", async () => {
     const h = makeHarness();
     try {
       const res = await hubFetch(h.dir)(req("/vault"));
       expect(res.status).toBe(301);
-      expect(res.headers.get("location")).toBe("/admin/vaults");
+      expect(res.headers.get("location")).toBe("/vault/admin/");
     } finally {
       h.cleanup();
     }
   });
 
-  test("301: /vault/new → /admin/vaults/new", async () => {
+  test("301: /vault/new → /vault/admin/ (create relocated into vault's surface)", async () => {
     const h = makeHarness();
     try {
       const res = await hubFetch(h.dir)(req("/vault/new"));
       expect(res.status).toBe(301);
-      expect(res.headers.get("location")).toBe("/admin/vaults/new");
+      expect(res.headers.get("location")).toBe("/vault/admin/");
     } finally {
       h.cleanup();
     }
@@ -959,7 +1005,7 @@ describe("hubFetch routing", () => {
     try {
       const res = await hubFetch(h.dir)(req("/vault?next=foo"));
       expect(res.status).toBe(301);
-      expect(res.headers.get("location")).toBe("/admin/vaults?next=foo");
+      expect(res.headers.get("location")).toBe("/vault/admin/?next=foo");
     } finally {
       h.cleanup();
     }
@@ -1622,7 +1668,7 @@ describe("hubFetch routing", () => {
     }
   });
 
-  test("live Bun.serve round-trip: / and /.well-known resolve", async () => {
+  test("live Bun.serve round-trip: /, /hub.html and /.well-known resolve", async () => {
     const h = makeHarness();
     try {
       writeFileSync(join(h.dir, "hub.html"), "<html>live</html>");
@@ -1634,9 +1680,15 @@ describe("hubFetch routing", () => {
       });
       try {
         const base = `http://127.0.0.1:${server.port}`;
-        const r1 = await fetch(`${base}/`);
-        expect(r1.status).toBe(200);
-        expect(await r1.text()).toBe("<html>live</html>");
+        // Bare `/` 302-redirects into the admin shell (R1). `redirect: "manual"`
+        // so we observe the redirect itself rather than following it to /admin.
+        const r1 = await fetch(`${base}/`, { redirect: "manual" });
+        expect(r1.status).toBe(302);
+        expect(r1.headers.get("location")).toBe("/admin");
+        // The discovery page still serves at /hub.html.
+        const rHub = await fetch(`${base}/hub.html`);
+        expect(rHub.status).toBe(200);
+        expect(await rHub.text()).toBe("<html>live</html>");
         const r2 = await fetch(`${base}/.well-known/parachute.json`);
         expect(r2.headers.get("content-type")).toBe("application/json");
         expect(await r2.json()).toEqual({ vaults: [], services: [] });
@@ -4051,6 +4103,208 @@ describe("hubFetch publicExposure layer-gate (proxyToVault)", () => {
   });
 });
 
+describe("hubFetch /vault/admin daemon-level mount (B-route, hub-module-boundary)", () => {
+  // /vault/admin + /vault/admin/* route to the vault MODULE's daemon
+  // (resolved via findServiceByShort, not findVaultUpstream) — the
+  // daemon-level multi-vault admin surface, not an instance path. "admin"
+  // is a reserved vault name (B2h) so no instance can ever claim the mount.
+
+  /** Upstream that ECHOES the request path, so the tests can pin both which
+   * daemon got the request and that the FULL path was forwarded (vault's
+   * row declares no stripPrefix). */
+  function startEchoUpstream(tag: string): { port: number; stop: () => void } {
+    const server = Bun.serve({
+      port: 0,
+      hostname: "127.0.0.1",
+      fetch: (r) =>
+        new Response(JSON.stringify({ tag, path: new URL(r.url).pathname }), {
+          status: 200,
+          headers: { "content-type": "application/json" },
+        }),
+    });
+    return { port: server.port as number, stop: () => server.stop(true) };
+  }
+
+  const fakeServer = (address: string) => ({ requestIP: () => ({ address }) });
+
+  test("/vault/admin and /vault/admin/* route to the vault module's daemon port with the FULL path", async () => {
+    const h = makeHarness();
+    const upstream = startEchoUpstream("vault-daemon");
+    try {
+      writeManifest(
+        {
+          services: [
+            {
+              // The canonical self-registered row name — findServiceByShort
+              // resolves `parachute-vault` → short "vault".
+              name: "parachute-vault",
+              port: upstream.port,
+              paths: ["/vault/default"],
+              health: "/vault/default/health",
+              version: "0.5.0",
+            },
+          ],
+        },
+        h.manifestPath,
+      );
+      const fetcher = hubFetch(h.dir, { manifestPath: h.manifestPath });
+      for (const path of ["/vault/admin", "/vault/admin/", "/vault/admin/assets/app.js"]) {
+        const res = await fetcher(req(path));
+        expect(res.status).toBe(200);
+        const body = (await res.json()) as { tag: string; path: string };
+        expect(body.tag).toBe("vault-daemon");
+        // Full path forwarded — no prefix strip (vault routes /vault/admin itself).
+        expect(body.path).toBe(path);
+      }
+    } finally {
+      upstream.stop();
+      h.cleanup();
+    }
+  });
+
+  test("/vault/admin is NOT captured by a per-instance mount — daemon-level route wins", async () => {
+    // A pathological vault row mounted at the bare `/vault` would prefix-match
+    // `/vault/admin` in findVaultUpstream; the daemon-level branch runs FIRST
+    // so the per-vault proxy never sees the path (and no consumer can
+    // fabricate a phantom instance named "admin"). With distinct upstream
+    // ports we can tell exactly which one served the request.
+    const h = makeHarness();
+    const daemonUpstream = startEchoUpstream("vault-daemon");
+    const instanceUpstream = startEchoUpstream("vault-instance");
+    try {
+      writeManifest(
+        {
+          services: [
+            {
+              name: "parachute-vault",
+              port: daemonUpstream.port,
+              paths: ["/vault/default"],
+              health: "/vault/default/health",
+              version: "0.5.0",
+            },
+            {
+              // Pathological-but-representable bare mount on a second row.
+              name: "parachute-vault-bare",
+              port: instanceUpstream.port,
+              paths: ["/vault"],
+              health: "/vault/health",
+              version: "0.5.0",
+            },
+          ],
+        },
+        h.manifestPath,
+      );
+      const fetcher = hubFetch(h.dir, { manifestPath: h.manifestPath });
+      const res = await fetcher(req("/vault/admin/"));
+      expect(res.status).toBe(200);
+      const body = (await res.json()) as { tag: string };
+      expect(body.tag).toBe("vault-daemon");
+    } finally {
+      daemonUpstream.stop();
+      instanceUpstream.stop();
+      h.cleanup();
+    }
+  });
+
+  test('a vault instance named "adminx" still routes per-instance (exact-segment match only)', async () => {
+    const h = makeHarness();
+    const upstream = startEchoUpstream("vault-daemon");
+    try {
+      writeManifest(
+        {
+          services: [
+            {
+              name: "parachute-vault",
+              port: upstream.port,
+              paths: ["/vault/adminx"],
+              health: "/vault/adminx/health",
+              version: "0.5.0",
+            },
+          ],
+        },
+        h.manifestPath,
+      );
+      const fetcher = hubFetch(h.dir, { manifestPath: h.manifestPath });
+      // Per-instance path — proxied through the per-vault dispatch (full
+      // path forwarded; vault rows don't strip).
+      const res = await fetcher(req("/vault/adminx/health"));
+      expect(res.status).toBe(200);
+      const body = (await res.json()) as { path: string };
+      expect(body.path).toBe("/vault/adminx/health");
+    } finally {
+      upstream.stop();
+      h.cleanup();
+    }
+  });
+
+  test("404 cleanly when no vault module is installed", async () => {
+    const h = makeHarness();
+    try {
+      writeManifest(
+        {
+          services: [
+            {
+              // Some other module installed — must not capture /vault/admin.
+              name: "parachute-scribe",
+              port: 1942,
+              paths: ["/scribe"],
+              health: "/scribe/health",
+              version: "0.1.0",
+            },
+          ],
+        },
+        h.manifestPath,
+      );
+      const fetcher = hubFetch(h.dir, { manifestPath: h.manifestPath });
+      const res = await fetcher(req("/vault/admin/"));
+      expect(res.status).toBe(404);
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test('publicExposure: "loopback" on the vault row cloaks /vault/admin from tailnet/public (same gate as proxyToVault)', async () => {
+    const h = makeHarness();
+    const upstream = startEchoUpstream("vault-daemon");
+    try {
+      writeManifest(
+        {
+          services: [
+            {
+              name: "parachute-vault",
+              port: upstream.port,
+              paths: ["/vault/default"],
+              health: "/vault/default/health",
+              version: "0.5.0",
+              publicExposure: "loopback",
+            },
+          ],
+        },
+        h.manifestPath,
+      );
+      const fetcher = hubFetch(h.dir, { manifestPath: h.manifestPath });
+      // Tailnet caller → cloaked.
+      const tailnet = await fetcher(
+        req("/vault/admin/", { headers: { "Tailscale-User-Login": "alice@example.com" } }),
+      );
+      expect(tailnet.status).toBe(404);
+      // Public caller → cloaked.
+      const pub = await fetcher(req("/vault/admin/", { headers: { "CF-Ray": "abc123" } }));
+      expect(pub.status).toBe(404);
+      // Header-absent NON-loopback peer (0.0.0.0 bind) → cloaked (#526 posture).
+      const direct = await fetcher(req("/vault/admin/"), fakeServer("198.51.100.4"));
+      expect(direct.status).toBe(404);
+      // Loopback peer → reaches the daemon.
+      const loop = await fetcher(req("/vault/admin/"), fakeServer("127.0.0.1"));
+      expect(loop.status).toBe(200);
+      expect(((await loop.json()) as { tag: string }).tag).toBe("vault-daemon");
+    } finally {
+      upstream.stop();
+      h.cleanup();
+    }
+  });
+});
+
 /** Find a port that no one is listening on by binding briefly and releasing. */
 async function pickClosedPort(): Promise<number> {
   const s = Bun.serve({ port: 0, hostname: "127.0.0.1", fetch: () => new Response("x") });
@@ -5004,6 +5258,50 @@ describe("force-change-password per-request gate (#469)", () => {
     }
   });
 
+  test("(a) pre-rotation browser GET /vault/admin/ is 302'd to change-password (B-route gate parity)", async () => {
+    // The daemon-level /vault/admin mount applies the SAME per-request
+    // force-change-password gate as the per-vault proxy — a pre-rotation
+    // session can't reach the multi-vault admin surface on an un-rotated
+    // temp password either.
+    const h = makeHarness();
+    try {
+      writeManifest(
+        {
+          services: [
+            {
+              // Canonical row name so findServiceByShort would resolve it if
+              // the request ever got past the gate.
+              name: "parachute-vault",
+              port: 1940,
+              paths: ["/vault/work"],
+              health: "/vault/work/health",
+              version: "0.5.0",
+            },
+          ],
+        },
+        h.manifestPath,
+      );
+      const db = openHubDb(hubDbPath(h.dir));
+      try {
+        const { cookie } = await seedUser(h, db, {
+          passwordChanged: false,
+          assignedVaults: ["work"],
+        });
+        const res = await hubFetch(h.dir, { getDb: () => db, manifestPath: h.manifestPath })(
+          req("/vault/admin/", { headers: { cookie, accept: "text/html" } }),
+        );
+        // Gated BEFORE proxyToVaultAdmin ever runs — the gate's 302, not a
+        // proxy 404/502.
+        expect(res.status).toBe(302);
+        expect(res.headers.get("location")).toBe("/account/change-password");
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
   test("(b) pre-rotation user CAN still reach /account/change-password (GET)", async () => {
     const h = makeHarness();
     try {

package/src/__tests__/invites.test.ts

@@ -27,6 +27,7 @@ import {
   issueInvite,
   listInvites,
   revokeInvite,
+  revokeInvitesForVault,
 } from "../invites.ts";
 import { createUser } from "../users.ts";
 
@@ -183,6 +184,32 @@ describe("revokeInvite", () => {
   });
 });
 
+describe("revokeInvitesForVault (B1 cascade step)", () => {
+  test("a NULL-vault_name invite (redeemer-named flow) is NOT revoked by any vault's cascade", async () => {
+    // The cascade invalidates invites PINNED to the deleted vault — an
+    // unpinned invite (vault_name NULL: the redeemer names their own vault)
+    // can't resurrect a specific name, so it must survive every vault's
+    // delete. SQL `vault_name = ?` never matches NULL; pin that boundary.
+    const { db, adminId, cleanup } = await makeDb();
+    try {
+      const unpinned = issueInvite(db, { createdBy: adminId }); // vault_name NULL
+      const pinned = issueInvite(db, { createdBy: adminId, vaultName: "work" });
+
+      expect(revokeInvitesForVault(db, "work")).toBe(1);
+      // The pinned invite is revoked; the unpinned one rides on untouched.
+      expect(findInviteByRawToken(db, pinned.rawToken)?.revokedAt).not.toBeNull();
+      expect(findInviteByRawToken(db, unpinned.rawToken)?.revokedAt).toBeNull();
+
+      // A second sweep (or another vault's sweep) finds nothing more.
+      expect(revokeInvitesForVault(db, "work")).toBe(0);
+      expect(revokeInvitesForVault(db, "other")).toBe(0);
+      expect(findInviteByRawToken(db, unpinned.rawToken)?.revokedAt).toBeNull();
+    } finally {
+      cleanup();
+    }
+  });
+});
+
 describe("inviteStatus / listInvites", () => {
   test("derives pending / redeemed / expired / revoked", async () => {
     const { db, adminId, cleanup } = await makeDb();