@openparachute/hub 0.6.5-rc.8 → 0.7.1

package/src/__tests__/setup-wizard.test.ts

@@ -3158,6 +3158,54 @@ describe("typed vault name (hub#267)", () => {
     }
   });
 
+  test("vault POST rejects every consolidated reserved name (B2h: list, new, assets, admin)", async () => {
+    const db = openHubDb(hubDbPath(h.dir));
+    try {
+      const user = await createUser(db, "owner", "pw");
+      const { createSession } = await import("../sessions.ts");
+      const session = createSession(db, { userId: user.id });
+      const get = handleSetupGet(req("/admin/setup"), {
+        db,
+        manifestPath: h.manifestPath,
+        configDir: h.dir,
+        readExposeStateFn: h.readExposeStateFn,
+        issuer: "https://hub.example",
+        registry: getDefaultOperationsRegistry(),
+      });
+      const csrf = setCookie(get, CSRF_COOKIE_NAME) ?? "";
+      for (const name of ["list", "new", "assets", "admin"]) {
+        const post = await handleSetupVaultPost(
+          req("/admin/setup/vault", {
+            method: "POST",
+            body: new URLSearchParams({
+              [CSRF_FIELD_NAME]: csrf,
+              vault_name: name,
+            }).toString(),
+            headers: {
+              "content-type": "application/x-www-form-urlencoded",
+              cookie: `${CSRF_COOKIE_NAME}=${csrf}; ${SESSION_COOKIE_NAME}=${session.id}`,
+            },
+          }),
+          {
+            db,
+            manifestPath: h.manifestPath,
+            configDir: h.dir,
+            readExposeStateFn: h.readExposeStateFn,
+            issuer: "https://hub.example",
+            supervisor: makeSupervisor(),
+            registry: getDefaultOperationsRegistry(),
+          },
+        );
+        expect(post.status).toBe(400);
+        const html = await post.text();
+        expect(html).toContain("reserved");
+        expect(getSetting(db, "setup_vault_name")).toBeUndefined();
+      }
+    } finally {
+      db.close();
+    }
+  });
+
   test("vault POST with empty name falls back to 'default' + omits the env override", async () => {
     const db = openHubDb(hubDbPath(h.dir));
     try {
@@ -4350,19 +4398,198 @@ describe("setup-wizard JSON surface (hub#168 Cuts 2/3)", () => {
       expect(body.step).toBe("expose");
       // The skip flag is persisted.
       expect(getSetting(db, "setup_vault_skipped")).toBe("true");
-      // deriveWizardState advances past the vault step.
+      // deriveWizardState advances past the vault step — but hasRealVault
+      // stays false (no instance exists; only the skip marker is set). The
+      // distinction is what the re-enterable vault step (B5) keys on.
       const s = deriveWizardState({
         db,
         manifestPath: h.manifestPath,
         readExposeStateFn: h.readExposeStateFn,
       });
       expect(s.hasVault).toBe(true);
+      expect(s.hasRealVault).toBe(false);
       expect(s.step).toBe("expose");
     } finally {
       db.close();
     }
   });
 
+  // --- B5 (2026-06-09 hub-module-boundary): re-enterable vault step --------
+  //
+  // A wizard-skip leaves the vault module installed with zero instances and
+  // `setup_vault_skipped` satisfying hasVault — pre-B5 the create form was
+  // unreachable forever after. The hub-side "create your first vault"
+  // affordances (Home's vault card, the legacy /admin/vaults empty state)
+  // deep-link `/admin/setup?step=vault`, which must re-enter the form.
+
+  test("GET ?step=vault re-enters the create form after a wizard-skip (session-gated)", async () => {
+    const db = openHubDb(hubDbPath(h.dir));
+    try {
+      await createUser(db, "owner", "pw");
+      setSetting(db, "setup_vault_skipped", "true");
+      const { createSession } = await import("../sessions.ts");
+      const user = getUserByUsername(db, "owner");
+      if (!user) throw new Error("user missing");
+      const session = createSession(db, { userId: user.id });
+      const res = handleSetupGet(
+        req("/admin/setup?step=vault", {
+          headers: { cookie: `${SESSION_COOKIE_NAME}=${session.id}` },
+        }),
+        {
+          db,
+          manifestPath: h.manifestPath,
+          configDir: h.dir,
+          readExposeStateFn: h.readExposeStateFn,
+          issuer: "http://127.0.0.1:1939",
+          registry: getDefaultOperationsRegistry(),
+        },
+      );
+      expect(res.status).toBe(200);
+      const html = await res.text();
+      // The vault create/import/skip form — not the expose step the plain
+      // GET would resume at post-skip.
+      expect(html).toContain('action="/admin/setup/vault"');
+    } finally {
+      db.close();
+    }
+  });
+
+  test("GET ?step=vault without a session 302s to /login (post-skip)", async () => {
+    const db = openHubDb(hubDbPath(h.dir));
+    try {
+      await createUser(db, "owner", "pw");
+      setSetting(db, "setup_vault_skipped", "true");
+      const res = handleSetupGet(req("/admin/setup?step=vault"), {
+        db,
+        manifestPath: h.manifestPath,
+        configDir: h.dir,
+        readExposeStateFn: h.readExposeStateFn,
+        issuer: "http://127.0.0.1:1939",
+        registry: getDefaultOperationsRegistry(),
+      });
+      expect(res.status).toBe(302);
+      expect(res.headers.get("location")).toBe(
+        `/login?next=${encodeURIComponent("/admin/setup?step=vault")}`,
+      );
+    } finally {
+      db.close();
+    }
+  });
+
+  test("GET ?step=vault with NO admin falls through to the welcome step (hasAdmin guard)", async () => {
+    // Fresh box, no user rows: the re-entry branch is gated on
+    // `state.hasAdmin` — the param must not jump a brand-new operator past
+    // account creation into a provisioning form (the POST would reject the
+    // session-less submit anyway, but the GET shouldn't render out of order
+    // either).
+    const db = openHubDb(hubDbPath(h.dir));
+    try {
+      const res = handleSetupGet(req("/admin/setup?step=vault"), {
+        db,
+        manifestPath: h.manifestPath,
+        configDir: h.dir,
+        readExposeStateFn: h.readExposeStateFn,
+        issuer: "http://127.0.0.1:1939",
+        registry: getDefaultOperationsRegistry(),
+      });
+      expect(res.status).toBe(200);
+      // The welcome/account form — not the vault create form, not a redirect.
+      const html = await res.text();
+      expect(html).toContain('action="/admin/setup/account"');
+      expect(html).not.toContain('action="/admin/setup/vault"');
+    } finally {
+      db.close();
+    }
+  });
+
+  test("GET ?step=vault is ignored when a real vault instance exists", async () => {
+    const db = openHubDb(hubDbPath(h.dir));
+    try {
+      await createUser(db, "owner", "pw");
+      setSetting(db, "setup_expose_mode", "localhost");
+      writeManifest(
+        {
+          services: [
+            {
+              name: "parachute-vault",
+              version: "0.1.0",
+              port: 1940,
+              paths: ["/vault/default"],
+              health: "/health",
+            },
+          ],
+        },
+        h.manifestPath,
+      );
+      const res = handleSetupGet(req("/admin/setup?step=vault"), {
+        db,
+        manifestPath: h.manifestPath,
+        configDir: h.dir,
+        readExposeStateFn: h.readExposeStateFn,
+        issuer: "http://127.0.0.1:1939",
+        registry: getDefaultOperationsRegistry(),
+      });
+      // Setup is fully complete — the param must not reopen a provisioning
+      // form; the normal completed flow (301 → /login) runs instead.
+      expect(res.status).toBe(301);
+      expect(res.headers.get("location")).toBe("/login");
+    } finally {
+      db.close();
+    }
+  });
+
+  test("vault POST mode=create proceeds after a skip (short-circuit keys on hasRealVault)", async () => {
+    const db = openHubDb(hubDbPath(h.dir));
+    try {
+      await createUser(db, "owner", "pw");
+      setSetting(db, "setup_vault_skipped", "true");
+      // No supervisor in deps: a create that gets PAST the short-circuit hits
+      // the supervisor gate and 503s. Pre-B5 this returned 200
+      // `{ step: "expose", message: "vault already provisioned" }` because the
+      // skip marker satisfied hasVault — the form was a dead end.
+      const baseDeps = {
+        db,
+        manifestPath: h.manifestPath,
+        configDir: h.dir,
+        readExposeStateFn: h.readExposeStateFn,
+        issuer: "http://127.0.0.1:1939",
+        registry: getDefaultOperationsRegistry(),
+      };
+      const getRes = handleSetupGet(
+        req("/admin/setup", { headers: { accept: "application/json" } }),
+        baseDeps,
+      );
+      const csrf = setCookie(getRes, CSRF_COOKIE_NAME) ?? "";
+      const envelope = (await getRes.json()) as { csrfToken: string };
+      const { createSession } = await import("../sessions.ts");
+      const user = getUserByUsername(db, "owner");
+      if (!user) throw new Error("user missing");
+      const session = createSession(db, { userId: user.id });
+      const cookieHeader = `${SESSION_COOKIE_NAME}=${session.id}; ${CSRF_COOKIE_NAME}=${csrf}`;
+      const postRes = await handleSetupVaultPost(
+        req("/admin/setup/vault", {
+          method: "POST",
+          headers: {
+            accept: "application/json",
+            "content-type": "application/json",
+            cookie: cookieHeader,
+          },
+          body: JSON.stringify({
+            [CSRF_FIELD_NAME]: envelope.csrfToken,
+            mode: "create",
+            vault_name: "second-chance",
+          }),
+        }),
+        baseDeps,
+      );
+      expect(postRes.status).toBe(503);
+      const body = (await postRes.json()) as { error: string };
+      expect(body.error).toContain("supervisor");
+    } finally {
+      db.close();
+    }
+  });
+
   test("vault step import mode requires remote_url (400 on empty)", async () => {
     const db = openHubDb(hubDbPath(h.dir));
     try {

package/src/__tests__/vault-name.test.ts

@@ -6,7 +6,7 @@
  */
 
 import { describe, expect, test } from "bun:test";
-import { DEFAULT_VAULT_NAME, validateVaultName } from "../vault-name.ts";
+import { DEFAULT_VAULT_NAME, RESERVED_VAULT_NAMES, validateVaultName } from "../vault-name.ts";
 
 describe("validateVaultName", () => {
   test("accepts lowercase alphanumeric + hyphens/underscores", () => {
@@ -64,10 +64,25 @@ describe("validateVaultName", () => {
     expect(validateVaultName("   ").ok).toBe(false);
   });
 
-  test("rejects the reserved name 'list' (matches vault's reservation)", () => {
-    const result = validateVaultName("list");
-    expect(result.ok).toBe(false);
-    if (!result.ok) expect(result.error).toContain("reserved");
+  test("rejects every consolidated reserved name (B2h: list, new, assets, admin)", () => {
+    // One set for every hub edge — wizard, invite redemption, POST /vaults.
+    // `list` mirrors vault's CLI reservation; `new`/`assets` shadow SPA
+    // routes; `admin` shadows the daemon-level /vault/admin mount (B-route).
+    for (const name of ["list", "new", "assets", "admin"]) {
+      const result = validateVaultName(name);
+      expect(result.ok).toBe(false);
+      if (!result.ok) expect(result.error).toContain("reserved");
+    }
+  });
+
+  test("near-miss names of the reserved set still pass (admins, listing, my-admin)", () => {
+    for (const name of ["admins", "listing", "my-admin", "assets2", "newer"]) {
+      expect(validateVaultName(name).ok).toBe(true);
+    }
+  });
+
+  test("RESERVED_VAULT_NAMES is the consolidated four-name set", () => {
+    expect([...RESERVED_VAULT_NAMES].sort()).toEqual(["admin", "assets", "list", "new"]);
   });
 
   test("DEFAULT_VAULT_NAME is 'default'", () => {

package/src/__tests__/well-known.test.ts

@@ -361,26 +361,27 @@ describe("buildWellKnown", () => {
     expect(notesSvc?.uiUrl).toBe("https://x.example/notes");
   });
 
-  // Workstream C (patterns#96): vault declares `uiUrl: "/admin/"` as a
-  // per-instance path. buildWellKnown applies the per-instance mount-path
-  // prefix on emission, yielding one tile per vault instance pointing at
-  // `<origin>/vault/<name>/admin/`. Non-vault uiUrl behavior is unchanged.
-  test("vault uiUrl is prefixed with the per-instance mount path (single instance)", () => {
+  // B4 unified semantics (2026-06-09 hub-module-boundary): relative
+  // (no leading slash) = the per-instance form, mount-joined per vault
+  // instance; leading-"/" = origin-absolute pass-through. The literal legacy
+  // `"/admin/"` on a vault entry rides the one-release COMPAT SHIM
+  // (mount-join + deprecation log) because deployed vaults still declare it.
+  test("vault RELATIVE uiUrl mount-joins per instance (B4 per-instance form)", () => {
     const doc = buildWellKnown({
       services: [vault],
       canonicalOrigin: "https://x.example",
-      uiUrlFor: () => "/admin/",
+      uiUrlFor: () => "admin/",
     });
     const svc = doc.services.find((s) => s.name === "parachute-vault");
     expect(svc?.uiUrl).toBe("https://x.example/vault/default/admin/");
   });
 
-  test("vault uiUrl is prefixed per-instance for multi-path vault entries", () => {
+  test("vault RELATIVE uiUrl mount-joins per instance for multi-path vault entries", () => {
     const multi: ServiceEntry = { ...vault, paths: ["/vault/default", "/vault/techne"] };
     const doc = buildWellKnown({
       services: [multi],
       canonicalOrigin: "https://x.example",
-      uiUrlFor: () => "/admin/",
+      uiUrlFor: () => "admin/",
     });
     const rows = doc.services.filter((s) => s.name === "parachute-vault");
     expect(rows.length).toBe(2);
@@ -389,6 +390,41 @@ describe("buildWellKnown", () => {
     expect(uiUrls[1]).toBe("https://x.example/vault/techne/admin/");
   });
 
+  test('COMPAT SHIM: vault legacy "/admin/" uiUrl still mount-joins per instance (one release)', () => {
+    // Deployed vaults declare `uiUrl: "/admin/"` (the OLD per-instance form).
+    // Origin-absolute resolution would point every tile at the daemon-level
+    // /vault/admin mount — so the literal "/admin"/"/admin/" keeps the old
+    // mount-join for one release, with a deprecation log. Remove the shim
+    // once vault's new manifest ("admin/") reaches @latest.
+    const multi: ServiceEntry = { ...vault, paths: ["/vault/default", "/vault/techne"] };
+    const doc = buildWellKnown({
+      services: [multi],
+      canonicalOrigin: "https://x.example",
+      uiUrlFor: () => "/admin/",
+    });
+    const rows = doc.services.filter((s) => s.name === "parachute-vault");
+    const uiUrls = rows.map((r) => r.uiUrl).sort();
+    expect(uiUrls[0]).toBe("https://x.example/vault/default/admin/");
+    expect(uiUrls[1]).toBe("https://x.example/vault/techne/admin/");
+  });
+
+  test("vault LEADING-SLASH uiUrl (non-shim) is origin-absolute pass-through (B4)", () => {
+    // The daemon-level surface form: `/vault/admin/` resolves against the
+    // origin — NOT per-instance — so a multi-path vault emits the same
+    // daemon-level URL on each row.
+    const multi: ServiceEntry = { ...vault, paths: ["/vault/default", "/vault/techne"] };
+    const doc = buildWellKnown({
+      services: [multi],
+      canonicalOrigin: "https://x.example",
+      uiUrlFor: () => "/vault/admin/",
+    });
+    const rows = doc.services.filter((s) => s.name === "parachute-vault");
+    expect(rows.length).toBe(2);
+    for (const r of rows) {
+      expect(r.uiUrl).toBe("https://x.example/vault/admin/");
+    }
+  });
+
   test("vault uiUrl absolute URL still passes through verbatim (no prefix)", () => {
     const doc = buildWellKnown({
       services: [vault],