@openparachute/hub 0.6.5-rc.8 → 0.7.1

package/src/__tests__/api-invites.test.ts

@@ -68,6 +68,24 @@ function deps() {
   return { db: harness.db, issuer: ISSUER, manifestPath: harness.manifestPath };
 }
 
+/** Register an existing vault in the harness manifest (for shared-vault invites). */
+function seedVaultInManifest(name: string) {
+  writeFileSync(
+    harness.manifestPath,
+    JSON.stringify({
+      services: [
+        {
+          name: "parachute-vault",
+          port: 4101,
+          paths: [`/vault/${name}`],
+          health: "/health",
+          version: "0.0.0-test",
+        },
+      ],
+    }),
+  );
+}
+
 function withBearer(path: string, bearer: string, init: RequestInit = {}): Request {
   const headers = new Headers(init.headers ?? {});
   headers.set("authorization", `Bearer ${bearer}`);
@@ -121,23 +139,64 @@ describe("POST /api/invites", () => {
     expect(res.status).toBe(400);
   });
 
-  test("400 rejects a shared-vault invite (provision_vault=false + vault_name)", async () => {
-    // Defense in depth (FIX-1): assigning a redeemer to a PRE-EXISTING vault
-    // as owner-admin is a cross-tenant breach; shared-vault invites aren't
-    // supported yet, so the create handler refuses this combination outright.
+  test("shared-vault invite (provision_vault=false + EXISTING vault_name) → 201 at the given role", async () => {
+    // The Adam/Jonathan shape: read-only access to a vault the admin already
+    // built. Issuing is host:admin-gated — the same authority that can assign
+    // any user to any vault via POST /api/users.
+    seedVaultInManifest("jonathan-vault");
     const bearer = await makeAdminBearer();
     const res = await handleCreateInvite(
       withBearer("/api/invites", bearer, {
         method: "POST",
         headers: { "content-type": "application/json" },
-        body: JSON.stringify({ provision_vault: false, vault_name: "someoneelse" }),
+        body: JSON.stringify({
+          provision_vault: false,
+          vault_name: "jonathan-vault",
+          role: "read",
+        }),
+      }),
+      deps(),
+    );
+    expect(res.status).toBe(201);
+    const body = (await res.json()) as {
+      invite: { vault_name: string | null; role: string; provision_vault: boolean };
+    };
+    expect(body.invite.vault_name).toBe("jonathan-vault");
+    expect(body.invite.role).toBe("read");
+    expect(body.invite.provision_vault).toBe(false);
+  });
+
+  test("400 vault_not_found when the shared vault doesn't exist on this hub", async () => {
+    // A pinned-but-nonexistent name is a typo, not a future reservation —
+    // fail at mint, not at the invitee's redeem.
+    const bearer = await makeAdminBearer();
+    const res = await handleCreateInvite(
+      withBearer("/api/invites", bearer, {
+        method: "POST",
+        headers: { "content-type": "application/json" },
+        body: JSON.stringify({ provision_vault: false, vault_name: "nosuchvault", role: "read" }),
+      }),
+      deps(),
+    );
+    expect(res.status).toBe(400);
+    const body = (await res.json()) as { error: string };
+    expect(body.error).toBe("vault_not_found");
+  });
+
+  test("400 rejects role=read with provision_vault=true (sole user of a new vault must hold write)", async () => {
+    const bearer = await makeAdminBearer();
+    const res = await handleCreateInvite(
+      withBearer("/api/invites", bearer, {
+        method: "POST",
+        headers: { "content-type": "application/json" },
+        body: JSON.stringify({ provision_vault: true, role: "read" }),
       }),
       deps(),
     );
     expect(res.status).toBe(400);
     const body = (await res.json()) as { error: string; error_description: string };
     expect(body.error).toBe("invalid_request");
-    expect(body.error_description).toContain("shared-vault");
+    expect(body.error_description).toContain("write");
   });
 
   test("account-only invite (provision_vault=false, NO vault_name) is still allowed", async () => {
@@ -159,6 +218,107 @@ describe("POST /api/invites", () => {
   });
 });
 
+describe("POST /api/invites — pre-named username", () => {
+  test("201 carries the username in the wire shape", async () => {
+    seedVaultInManifest("jonathan-vault");
+    const bearer = await makeAdminBearer();
+    const res = await handleCreateInvite(
+      withBearer("/api/invites", bearer, {
+        method: "POST",
+        headers: { "content-type": "application/json" },
+        body: JSON.stringify({
+          username: "jonathan",
+          provision_vault: false,
+          vault_name: "jonathan-vault",
+          role: "read",
+        }),
+      }),
+      deps(),
+    );
+    expect(res.status).toBe(201);
+    const body = (await res.json()) as { invite: { username: string | null } };
+    expect(body.invite.username).toBe("jonathan");
+  });
+
+  test("400 invalid_username on a name outside the /api/users vocabulary", async () => {
+    const bearer = await makeAdminBearer();
+    for (const bad of ["A", "Has Spaces", "admin"]) {
+      const res = await handleCreateInvite(
+        withBearer("/api/invites", bearer, {
+          method: "POST",
+          headers: { "content-type": "application/json" },
+          body: JSON.stringify({ username: bad }),
+        }),
+        deps(),
+      );
+      expect(res.status).toBe(400);
+      const body = (await res.json()) as { error: string };
+      expect(body.error).toBe("invalid_username");
+    }
+  });
+
+  test("409 username_taken when an existing user holds the name (case-insensitive)", async () => {
+    const bearer = await makeAdminBearer(); // creates user "operator"
+    const res = await handleCreateInvite(
+      withBearer("/api/invites", bearer, {
+        method: "POST",
+        headers: { "content-type": "application/json" },
+        body: JSON.stringify({ username: "operator" }),
+      }),
+      deps(),
+    );
+    expect(res.status).toBe(409);
+    const body = (await res.json()) as { error: string };
+    expect(body.error).toBe("username_taken");
+  });
+
+  test("409 username_reserved when another PENDING invite pre-names the same username", async () => {
+    const bearer = await makeAdminBearer();
+    const make = () =>
+      handleCreateInvite(
+        withBearer("/api/invites", bearer, {
+          method: "POST",
+          headers: { "content-type": "application/json" },
+          body: JSON.stringify({ username: "jonathan" }),
+        }),
+        deps(),
+      );
+    const first = await make();
+    expect(first.status).toBe(201);
+    const second = await make();
+    expect(second.status).toBe(409);
+    const body = (await second.json()) as { error: string };
+    expect(body.error).toBe("username_reserved");
+  });
+
+  test("revoking the pending invite frees the reserved username", async () => {
+    const bearer = await makeAdminBearer();
+    const first = await handleCreateInvite(
+      withBearer("/api/invites", bearer, {
+        method: "POST",
+        headers: { "content-type": "application/json" },
+        body: JSON.stringify({ username: "jonathan" }),
+      }),
+      deps(),
+    );
+    const { invite } = (await first.json()) as { invite: { id: string } };
+    await handleRevokeInvite(
+      withBearer(`/api/invites/${invite.id}`, bearer, { method: "DELETE" }),
+      invite.id,
+      deps(),
+    );
+    const second = await handleCreateInvite(
+      withBearer("/api/invites", bearer, {
+        method: "POST",
+        headers: { "content-type": "application/json" },
+        body: JSON.stringify({ username: "jonathan" }),
+      }),
+      deps(),
+    );
+    expect(second.status).toBe(201);
+  });
+});
+
 describe("GET /api/invites", () => {
   test("lists invites; raw token NEVER present in the wire shape", async () => {
     const bearer = await makeAdminBearer();

package/src/__tests__/api-modules-ops.test.ts

@@ -208,11 +208,27 @@ describe("parseModulesPath", () => {
     });
   });
 
-  test("rejects non-curated shorts (no marketplace yet)", () => {
-    // Channel exists in FIRST_PARTY_FALLBACKS but is exploration, not
-    // in CURATED_MODULES — the v0.6 surface refuses to drive it via
-    // /api/modules.
-    expect(parseModulesPath("/api/modules/channel/install")).toBeUndefined();
+  test("accepts any KNOWN module short — channel install now resolves (was the bug)", () => {
+    // Post-2026-06-09 (modular-UI architecture, P2) the install-path gate is
+    // `isKnownModuleShort` (KNOWN_MODULES ∪ FIRST_PARTY_FALLBACKS), NOT the old
+    // CURATED_MODULES whitelist. channel is in FIRST_PARTY_FALLBACKS, so its
+    // install path now resolves — fixing the running-but-uninstallable bug.
+    expect(parseModulesPath("/api/modules/channel/install")).toEqual({
+      short: "channel",
+      rest: "install",
+    });
+    // Other known modules (runner / surface) resolve too.
+    expect(parseModulesPath("/api/modules/runner/install")).toEqual({
+      short: "runner",
+      rest: "install",
+    });
+  });
+
+  test("rejects unknown shorts (the hub itself + genuinely third-party rows)", () => {
+    // `hub` isn't a supervised module (no registry entry) and a random short
+    // has no install package — both still fall through to undefined so the
+    // module-ops switch never acts on them.
+    expect(parseModulesPath("/api/modules/hub/install")).toBeUndefined();
     expect(parseModulesPath("/api/modules/random/install")).toBeUndefined();
   });
 
@@ -996,6 +1012,55 @@ describe("POST /api/modules/:short/start", () => {
     expect(spawns).toEqual([]);
     expect(calls).toEqual([]);
   });
+
+  test("channel#41: start reconciles a drifted services.json port back to canonical (API path)", async () => {
+    // The live signature: channel's row carried 19415 instead of canonical 1941.
+    // The API start path (admin SPA / `parachute start channel`) must apply the
+    // SAME reconcile the boot path does — otherwise an operator-triggered start
+    // re-strands the module on the dead port.
+    writeManifest(h.manifestPath, [
+      {
+        name: "parachute-channel",
+        port: 19415,
+        paths: ["/channel"],
+        health: "/health",
+        version: "0.0.0-linked",
+      },
+    ]);
+    const { supervisor, spawns } = makeIdleSupervisor();
+    const logs: string[] = [];
+    const bearer = await mintBearer(h, [API_MODULES_OPS_REQUIRED_SCOPE]);
+
+    const res = await handleStart(
+      postReq("/api/modules/channel/start", { authorization: `Bearer ${bearer}` }),
+      "channel",
+      {
+        db: h.db,
+        issuer: ISSUER,
+        manifestPath: h.manifestPath,
+        configDir: h.dir,
+        supervisor,
+        log: (l) => logs.push(l),
+      },
+    );
+
+    expect(res.status).toBe(200);
+    // The supervisor child gets PORT=1941 (canonical), not the drifted 19415 —
+    // so it binds + the readiness probe checks the right port.
+    expect(spawns.length).toBe(1);
+    expect(spawns[0]?.short).toBe("channel");
+    expect(spawns[0]?.env?.PORT).toBe("1941");
+    // services.json row is rewritten to 1941 → the reverse-proxy (which reads
+    // services.json) routes /channel/* to the live port.
+    const onDisk = JSON.parse(readFileSync(h.manifestPath, "utf8")) as {
+      services: { name: string; port: number }[];
+    };
+    expect(onDisk.services.find((s) => s.name === "parachute-channel")?.port).toBe(1941);
+    // The reconcile event logged on the API path too (deps.log wired — #41 review).
+    expect(
+      logs.some((l) => l.includes("reconciled") && l.includes("19415") && l.includes("1941")),
+    ).toBe(true);
+  });
 });
 
 describe("POST /api/modules/:short/stop", () => {