@openparachute/hub 0.6.5-rc.8 → 0.7.1

package/src/admin-login-ui.ts

@@ -161,8 +161,18 @@ export interface InviteSetupProps {
   /**
    * When the invite pins a vault name the redeemer can't choose one — we show
    * it read-only. When null the redeemer names their own vault (a text field).
+   * With `provisionVault: false` a pinned name is a SHARED-VAULT invite: the
+   * redeemer is being given `role` access to the operator's existing vault.
    */
   pinnedVaultName: string | null;
+  /**
+   * When the invite pre-names the account, the username is shown read-only
+   * and ENFORCED server-side (the redeem handler ignores the form field).
+   * Null = the redeemer picks their own.
+   */
+  pinnedUsername: string | null;
+  /** The `user_vaults` role redemption grants ('read' | 'write') — shown on the shared-vault row. */
+  role: string;
   /** Whether redemption provisions a vault at all (shows the vault row iff true). */
   provisionVault: boolean;
   username?: string;
@@ -177,15 +187,55 @@ export interface InviteSetupProps {
  * same `/account/setup/<token>` path. Reuses the shared login chrome.
  */
 export function renderInviteSetup(props: InviteSetupProps): string {
-  const { token, csrfToken, pinnedVaultName, provisionVault, username, vaultName, errorMessage } =
-    props;
+  const {
+    token,
+    csrfToken,
+    pinnedVaultName,
+    pinnedUsername,
+    role,
+    provisionVault,
+    username,
+    vaultName,
+    errorMessage,
+  } = props;
   const error = errorMessage ? `<p class="error-banner">${escapeHtml(errorMessage)}</p>` : "";
   const usernameAttr = username ? ` value="${escapeAttr(username)}"` : "";
 
-  // Vault row: shown only when the invite provisions a vault. Pinned → a
-  // read-only display of the name the admin chose (redeemer can't squat names).
-  // Unpinned → a text field the redeemer fills.
+  // Username row: pre-named → read-only display (the server ENFORCES the
+  // invite's username; the disabled input never submits and the handler
+  // ignores the field anyway). Unpinned → the normal pick-a-name field.
+  const usernameRow =
+    pinnedUsername !== null
+      ? `
+        <label class="field">
+          <span class="field-label">Username</span>
+          <input type="text" value="${escapeAttr(pinnedUsername)}" readonly disabled />
+          <span class="field-hint">Your hub operator chose this username for you.</span>
+        </label>`
+      : `
+        <label class="field">
+          <span class="field-label">Username</span>
+          <input type="text" name="username" id="username" autocomplete="username" autofocus
+            required minlength="2" maxlength="32"
+            pattern="[a-z0-9_-]+" title="lowercase letters, digits, _ - (2–32 chars)"
+            spellcheck="false" autocapitalize="off"${usernameAttr} />
+          <span class="field-hint">lowercase letters, digits, <code>_</code>, <code>-</code></span>
+        </label>`;
+
+  // Vault row. Provisioning invites show the new vault's name (pinned →
+  // read-only; unpinned → a text field the redeemer fills). A shared-vault
+  // invite (no provisioning + a pinned name) shows what the redeemer is
+  // being given access to, including the role.
   let vaultRow = "";
+  if (!provisionVault && pinnedVaultName !== null) {
+    const roleLabel = role === "read" ? "read-only" : "read &amp; write";
+    vaultRow = `
+        <label class="field">
+          <span class="field-label">Shared vault</span>
+          <input type="text" value="${escapeAttr(pinnedVaultName)}" readonly disabled />
+          <span class="field-hint">You're being given ${roleLabel} access to this existing vault.</span>
+        </label>`;
+  }
   if (provisionVault) {
     if (pinnedVaultName !== null) {
       vaultRow = `
@@ -240,21 +290,20 @@ export function renderInviteSetup(props: InviteSetupProps): string {
       <div class="card-header">
         ${header()}
         <h1>Claim your invite</h1>
-        <p class="subtitle">Pick a username and password to create your Parachute account${
-          provisionVault ? " and your own vault" : ""
+        <p class="subtitle">${
+          pinnedUsername !== null ? "Pick a password" : "Pick a username and password"
+        } to create your Parachute account${
+          provisionVault
+            ? " and your own vault"
+            : pinnedVaultName !== null
+              ? " with access to a shared vault"
+              : ""
         }.</p>
       </div>
       ${error}
       <form method="POST" action="/account/setup/${escapeAttr(token)}" class="auth-form">
         ${renderCsrfHiddenInput(csrfToken)}
-        <label class="field">
-          <span class="field-label">Username</span>
-          <input type="text" name="username" id="username" autocomplete="username" autofocus
-            required minlength="2" maxlength="32"
-            pattern="[a-z0-9_-]+" title="lowercase letters, digits, _ - (2–32 chars)"
-            spellcheck="false" autocapitalize="off"${usernameAttr} />
-          <span class="field-hint">lowercase letters, digits, <code>_</code>, <code>-</code></span>
-        </label>
+        ${usernameRow}
         <label class="field">
           <span class="field-label">Password</span>
           <input type="password" name="password" autocomplete="new-password"

package/src/admin-module-token.ts

@@ -0,0 +1,197 @@
+/**
+ * `GET /admin/module-token/<short>` — exchange a valid admin session cookie for
+ * a short-lived JWT carrying `<short>:admin` (audience = the bare module short).
+ *
+ * Why this exists (2026-06-09 modular-UI architecture, P3): modules now own
+ * their config/admin UIs and declare `configUiUrl` in `module.json` (scribe
+ * `/scribe/admin`, runner `/runner/admin`, surface `/surface/admin/`, …). The
+ * hub frames/links those surfaces consistently (the Modules page "Configure"
+ * action). Each module-owned config UI, served behind the hub proxy to a
+ * logged-in portal operator, needs an admin-scoped hub Bearer to call its own
+ * `<short>:admin`-gated endpoints — the same shape the channel config UI gets
+ * from `/admin/channel-token` and the vault admin SPA gets from
+ * `/admin/vault-admin-token/<name>`. This is the GENERIC mint that covers every
+ * other self-registered single-audience module, so the hub doesn't grow a
+ * bespoke per-module mint endpoint as each module ships a config UI.
+ *
+ * Scope + audience: `<short>:admin`, audience = `<short>` (the bare service
+ * prefix). Modules validate the JWT's `aud` against their literal short name
+ * (`scribe`, `runner`, `surface`, `channel`) — the same shape `inferAudience`
+ * stamps for the public OAuth flow, so a hub-minted and an OAuth-minted admin
+ * token are indistinguishable to the module. This mirrors the per-request
+ * `<short>:admin` proxy token `api-modules-config.ts` used to mint; the
+ * difference is this endpoint hands the token to the module's OWN UI rather
+ * than proxying a hub-side config form.
+ *
+ * Multi-vault note: VAULT is excluded here. Vault's admin scope is per-instance
+ * (`vault:<name>:admin`, audience `vault.<name>`), which needs a vault-name
+ * parameter and a known-vault check — that lives in `/admin/vault-admin-token/
+ * <name>` (`admin-vault-admin-token.ts`). A request for `vault` here returns a
+ * 400 pointing at that endpoint, so a caller can't accidentally mint a useless
+ * bare `vault:admin`.
+ *
+ * Gate: the session must belong to the first admin (the single hub admin under
+ * the Phase 1 multi-user model — `users.ts:isFirstAdmin`), exactly like
+ * host-admin-token / vault-admin-token / channel-token. A friend account holds
+ * a valid session but must not mint a module admin Bearer.
+ *
+ * Tokens are short-lived (10 min — matches the sibling admin-token mints); the
+ * config UI re-fetches on near-expiry.
+ */
+import type { Database } from "bun:sqlite";
+import { signAccessToken } from "./jwt-sign.ts";
+import {
+  type ModuleManifest,
+  readModuleManifest as defaultReadModuleManifest,
+} from "./module-manifest.ts";
+import { findServiceByShort, isKnownModuleShort } from "./service-spec.ts";
+import type { ServiceEntry } from "./services-manifest.ts";
+import { findSession, parseSessionCookie } from "./sessions.ts";
+import { isFirstAdmin } from "./users.ts";
+
+/** Short TTL — matches host/vault/channel admin-token. UI re-fetches on near-expiry. */
+export const MODULE_TOKEN_TTL_SECONDS = 10 * 60;
+const MODULE_TOKEN_CLIENT_ID = "parachute-hub-spa";
+
+/** Lowercase short-name charset, matching the module-name rule + path parsing. */
+const MODULE_SHORT_RE = /^[a-z][a-z0-9-]*$/;
+
+export interface MintModuleTokenDeps {
+  db: Database;
+  /** Hub origin — written into JWT `iss`. */
+  issuer: string;
+  /**
+   * Snapshot of services.json rows, read at request time so a module that
+   * self-registered since hub boot is mintable without a restart. Used by the
+   * self-registration gate (boundary C5) — see {@link isSelfRegisteredModule}.
+   */
+  readServices: () => readonly ServiceEntry[];
+  /** Test seam — defaults to the real `readModuleManifest` (disk read). */
+  readModuleManifest?: (installDir: string) => Promise<ModuleManifest | null>;
+}
+
+/**
+ * The self-registration gate (C5 of the 2026-06-09 hub-module-boundary
+ * migration): a short is mintable when it resolves to a services.json row
+ * whose `installDir` carries a readable `.parachute/module.json`.
+ *
+ * Resolution mirrors the rest of the hub (`/api/modules`,
+ * `collectInstalledModules`): first-party rows resolve through
+ * `findServiceByShort` (manifest name ↔ short map); a genuinely third-party
+ * row matches by its literal services.json `name` — the same
+ * `shortNameForManifest(name) ?? name` convention the catalog uses.
+ *
+ * Why this is enough against a forged short: services.json is written only by
+ * same-disk modules, which the charter's trust statement already covers — an
+ * installed module runs a daemon on the operator's machine, strictly more
+ * power than an admin Bearer. Requiring the registered row AND a readable
+ * manifest still keeps a typo'd short from minting `<anything>:admin` and
+ * masquerading as a real (but unusable) credential.
+ */
+async function isSelfRegisteredModule(short: string, deps: MintModuleTokenDeps): Promise<boolean> {
+  const services = deps.readServices();
+  const row =
+    findServiceByShort(services, short) ?? services.find((s): boolean => s.name === short);
+  if (!row?.installDir) return false;
+  const readManifest = deps.readModuleManifest ?? defaultReadModuleManifest;
+  try {
+    const manifest = await readManifest(row.installDir);
+    return manifest !== null;
+  } catch {
+    // Malformed manifest — treat as not-a-module rather than 500ing the mint.
+    return false;
+  }
+}
+
+export async function handleModuleToken(
+  req: Request,
+  short: string,
+  deps: MintModuleTokenDeps,
+): Promise<Response> {
+  if (req.method !== "GET") {
+    return jsonError(405, "method_not_allowed", "use GET");
+  }
+  if (!MODULE_SHORT_RE.test(short)) {
+    return jsonError(400, "invalid_request", `module short "${short}" is not a valid identifier`);
+  }
+  // Vault is per-instance — its admin scope needs a vault name. Route the caller
+  // to the dedicated per-vault endpoint rather than minting a useless bare
+  // `vault:admin` (no vault validates that audience).
+  if (short === "vault") {
+    return jsonError(
+      400,
+      "use_vault_admin_token",
+      "vault admin tokens are per-instance — use GET /admin/vault-admin-token/<name>",
+    );
+  }
+  // Only mint for modules the hub can verify exist. Two paths (boundary C5 —
+  // closes the charter's third-party-test gap, where this endpoint used to
+  // require bootstrap-registry presence):
+  //   1. SELF-REGISTERED: the short resolves to a services.json row whose
+  //      installDir carries a readable module.json. This is the canonical
+  //      gate — any module (first- or third-party) that completed
+  //      self-registration mints with zero hub code changes, per
+  //      `parachute-patterns/patterns/hub-module-boundary.md` (the seam,
+  //      mechanism 1).
+  //   2. KNOWN bootstrap short (KNOWN_MODULES ∪ FIRST_PARTY_FALLBACKS): kept
+  //      as a fallback so a first-party module mid-install (row not yet
+  //      written) still mints.
+  // Either way a forged/typo'd short can't mint `<anything>:admin` and mask
+  // itself as a real (but unusable) credential.
+  if (!isKnownModuleShort(short) && !(await isSelfRegisteredModule(short, deps))) {
+    return jsonError(404, "not_found", `no module "${short}" known to this hub`);
+  }
+  const sid = parseSessionCookie(req.headers.get("cookie"));
+  const session = sid ? findSession(deps.db, sid) : null;
+  if (!session) {
+    return jsonError(401, "unauthenticated", "no admin session — sign in at /login first");
+  }
+  // First-admin gate (mirrors host/vault/channel-admin-token). A friend account
+  // (non-first-admin user) holds a valid session but must not mint a module
+  // admin Bearer.
+  if (!isFirstAdmin(deps.db, session.userId)) {
+    return jsonError(
+      403,
+      "not_admin",
+      "module admin token mint is restricted to the hub admin — your account home is at /account/",
+    );
+  }
+  const scope = `${short}:admin`;
+  const minted = await signAccessToken(deps.db, {
+    sub: session.userId,
+    scopes: [scope],
+    // Bare service audience — modules validate `aud === <short>`, the same
+    // shape `inferAudience` stamps for the OAuth flow.
+    audience: short,
+    clientId: MODULE_TOKEN_CLIENT_ID,
+    issuer: deps.issuer,
+    ttlSeconds: MODULE_TOKEN_TTL_SECONDS,
+    // No per-user vault pin — this Bearer talks to a module-scoped endpoint,
+    // not a single vault. Empty `vault_scope` is the "no per-user restriction"
+    // sentinel, matching host-admin / channel tokens.
+    vaultScope: [],
+  });
+  return new Response(
+    JSON.stringify({
+      token: minted.token,
+      expires_at: minted.expiresAt,
+      scopes: [scope],
+    }),
+    {
+      status: 200,
+      headers: {
+        "content-type": "application/json",
+        // No browser cache — token rotates per-fetch, and a stale 200 from a
+        // back/forward navigation could hand the UI a long-expired JWT.
+        "cache-control": "no-store",
+      },
+    },
+  );
+}
+
+function jsonError(status: number, error: string, description: string): Response {
+  return new Response(JSON.stringify({ error, error_description: description }), {
+    status,
+    headers: { "content-type": "application/json" },
+  });
+}