@openparachute/vault 0.4.5 → 0.4.6

package/src/routing.test.ts

@@ -17,7 +17,7 @@
  * never touch ~/.parachute.
  */
 
-import { describe, test, expect, beforeEach, afterAll } from "bun:test";
+import { describe, test, expect, beforeEach, afterEach, afterAll } from "bun:test";
 import { rmSync, existsSync, mkdirSync, writeFileSync } from "fs";
 import { join } from "path";
 import { tmpdir } from "os";
@@ -1641,3 +1641,87 @@ describe("scope enforcement on /api/*", () => {
     expect(writeRes.status).toBe(403);
   });
 });
+
+// ---------------------------------------------------------------------------
+// /health — smoke tests for the unauthenticated liveness probe (vault#339).
+//
+// /health must ALWAYS return 200 regardless of VAULT_AUTH_TOKEN config so
+// Render's health probe + Docker HEALTHCHECK can poll the container even
+// before the operator has configured a bearer. The response shape changes
+// (vault names are leaked only to authed callers) but the status code is
+// invariant.
+// ---------------------------------------------------------------------------
+
+describe("/health — always 200 (Render/Docker healthcheck contract)", () => {
+  let prevToken: string | undefined;
+
+  beforeEach(() => {
+    prevToken = process.env.VAULT_AUTH_TOKEN;
+  });
+
+  afterEach(() => {
+    if (prevToken === undefined) delete process.env.VAULT_AUTH_TOKEN;
+    else process.env.VAULT_AUTH_TOKEN = prevToken;
+  });
+
+  test("env unset + no bearer → 200 (anonymous probe)", async () => {
+    delete process.env.VAULT_AUTH_TOKEN;
+    createVault("journal");
+
+    const res = await route(new Request("http://localhost:1940/health"), "/health");
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.status).toBe("ok");
+    // No bearer → no vault names leaked.
+    expect(body.vaults).toBeUndefined();
+  });
+
+  test("env set + no bearer → 200 (Render's health probe doesn't have the secret)", async () => {
+    process.env.VAULT_AUTH_TOKEN = "operator-token-xyz";
+    createVault("journal");
+
+    const res = await route(new Request("http://localhost:1940/health"), "/health");
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.status).toBe("ok");
+    expect(body.vaults).toBeUndefined();
+  });
+
+  test("env set + matching bearer → 200 + vault names leaked", async () => {
+    process.env.VAULT_AUTH_TOKEN = "operator-token-xyz";
+    createVault("journal");
+    createVault("work");
+
+    const res = await route(
+      new Request("http://localhost:1940/health", {
+        headers: { Authorization: "Bearer operator-token-xyz" },
+      }),
+      "/health",
+    );
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.status).toBe("ok");
+    expect(Array.isArray(body.vaults)).toBe(true);
+    expect(body.vaults).toContain("journal");
+    expect(body.vaults).toContain("work");
+  });
+
+  test("env set + wrong bearer → 200 (still healthy, just no vault detail)", async () => {
+    // /health doesn't 401 on a wrong bearer — it just falls back to the
+    // anonymous response. The operator's probe stays green even if the
+    // bearer is mid-rotation.
+    process.env.VAULT_AUTH_TOKEN = "operator-token-xyz";
+    createVault("journal");
+
+    const res = await route(
+      new Request("http://localhost:1940/health", {
+        headers: { Authorization: "Bearer wrong-token" },
+      }),
+      "/health",
+    );
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.status).toBe("ok");
+    expect(body.vaults).toBeUndefined();
+  });
+});

package/src/server.ts

@@ -18,6 +18,7 @@
 import { readVaultConfig, readGlobalConfig, writeGlobalConfig, writeVaultConfig, listVaults, DEFAULT_PORT, ensureConfigDirSync, loadEnvFile, generateApiKey, hashKey, stopSignalPath } from "./config.ts";
 import { existsSync, rmSync } from "fs";
 import { migrateVaultKeys } from "./token-store.ts";
+import { resolveFirstBootVaultName } from "./vault-name.ts";
 import { getVaultStore, getVaultNameForStore } from "./vault-store.ts";
 import { defaultHookRegistry } from "../core/src/hooks.ts";
 import { registerTriggers } from "./triggers.ts";
@@ -98,13 +99,31 @@ if (process.env.SCRIBE_URL) {
   console.log("[transcribe] worker disabled (set SCRIBE_URL to enable)");
 }
 
-// Auto-init: create a default vault if none exist (first run in Docker)
+if (process.env.VAULT_AUTH_TOKEN?.trim()) {
+  console.log("[auth] VAULT_AUTH_TOKEN set — server-wide operator bearer active");
+}
+
+// Auto-init: create a default vault if none exist (first run in Docker).
+// The vault name comes from PARACHUTE_VAULT_NAME when set + valid; otherwise
+// falls back to "default". Hub's first-boot wizard (hub#267) passes through
+// an operator-chosen name via this env var.
 if (listVaults().length === 0) {
   const globalConfig = readGlobalConfig();
   if (!globalConfig.default_vault) {
+    const firstBoot = resolveFirstBootVaultName(process.env.PARACHUTE_VAULT_NAME);
+    if (firstBoot.source === "env") {
+      console.log(`[vault first-boot] using PARACHUTE_VAULT_NAME=${firstBoot.name}`);
+    } else if (firstBoot.source === "env-invalid") {
+      console.warn(
+        `[vault first-boot] PARACHUTE_VAULT_NAME=${JSON.stringify(firstBoot.rawValue)} is invalid (${firstBoot.reason}); falling back to "default"`,
+      );
+    } else {
+      console.log("[vault first-boot] using default name (no PARACHUTE_VAULT_NAME set)");
+    }
+    const vaultName = firstBoot.name;
     const { fullKey, keyId } = generateApiKey();
     writeVaultConfig({
-      name: "default",
+      name: vaultName,
       api_keys: [{
         id: keyId,
         label: "default",
@@ -114,7 +133,7 @@ if (listVaults().length === 0) {
       }],
       created_at: new Date().toISOString(),
     });
-    globalConfig.default_vault = "default";
+    globalConfig.default_vault = vaultName;
     if (!globalConfig.api_keys?.length) {
       globalConfig.api_keys = [{
         id: keyId,
@@ -125,7 +144,7 @@ if (listVaults().length === 0) {
       }];
     }
     writeGlobalConfig(globalConfig);
-    console.log(`Auto-created default vault (API key: ${fullKey})`);
+    console.log(`Auto-created vault "${vaultName}" (API key: ${fullKey})`);
   }
 }
 

package/src/vault-name.test.ts

@@ -1,11 +1,13 @@
 /**
  * Unit tests for `validateVaultName` — the rule enforced by the `init`
- * prompt and the `--vault-name` flag. Covers each rejection branch plus
- * the happy paths the prompt has to accept (default, hyphens, underscores).
+ * prompt, the `--vault-name` flag, and the `PARACHUTE_VAULT_NAME` env var
+ * at server first-boot. Covers each rejection branch (empty, length,
+ * regex, reserved) plus the happy paths the prompt has to accept (default,
+ * hyphens, underscores, length boundaries).
  */
 
 import { describe, test, expect } from "bun:test";
-import { validateVaultName, decideInitVaultName } from "./vault-name.ts";
+import { validateVaultName, decideInitVaultName, resolveFirstBootVaultName } from "./vault-name.ts";
 
 describe("validateVaultName", () => {
   describe("accepts", () => {
@@ -14,11 +16,12 @@ describe("validateVaultName", () => {
       "aaron",
       "personal",
       "work",
-      "a",
+      "ab", // 2-char boundary (min length)
       "vault-1",
       "my_vault",
       "a-b_c-1",
       "abc123",
+      "a".repeat(32), // 32-char boundary (max length)
     ])("%s", (name) => {
       const result = validateVaultName(name);
       expect(result.ok).toBe(true);
@@ -71,6 +74,24 @@ describe("validateVaultName", () => {
       expect(result.ok).toBe(false);
       if (!result.ok) expect(result.error).toContain("reserved");
     });
+
+    test("single character (below 2-char min)", () => {
+      const result = validateVaultName("a");
+      expect(result.ok).toBe(false);
+      if (!result.ok) expect(result.error).toContain("2");
+    });
+
+    test("33 characters (above 32-char max)", () => {
+      const result = validateVaultName("a".repeat(33));
+      expect(result.ok).toBe(false);
+      if (!result.ok) expect(result.error).toContain("32");
+    });
+
+    test("200 characters (well above max)", () => {
+      const result = validateVaultName("a".repeat(200));
+      expect(result.ok).toBe(false);
+      if (!result.ok) expect(result.error).toContain("32");
+    });
   });
 });
 
@@ -121,3 +142,78 @@ describe("decideInitVaultName", () => {
     expect(d).toEqual({ kind: "name", name: "aaron" });
   });
 });
+
+describe("resolveFirstBootVaultName", () => {
+  test("env var unset → fallback to default", () => {
+    const r = resolveFirstBootVaultName(undefined);
+    expect(r).toEqual({ source: "default", name: "default" });
+  });
+
+  test("env var empty string → fallback to default", () => {
+    const r = resolveFirstBootVaultName("");
+    expect(r).toEqual({ source: "default", name: "default" });
+  });
+
+  test("env var whitespace-only → fallback to default", () => {
+    const r = resolveFirstBootVaultName("   ");
+    expect(r).toEqual({ source: "default", name: "default" });
+  });
+
+  test("env var set to a valid name → that name (positive path)", () => {
+    const r = resolveFirstBootVaultName("smoke-1939");
+    expect(r).toEqual({ source: "env", name: "smoke-1939" });
+  });
+
+  test("env var set to a valid name with underscores → that name", () => {
+    const r = resolveFirstBootVaultName("my_vault");
+    expect(r).toEqual({ source: "env", name: "my_vault" });
+  });
+
+  test("env var set with surrounding whitespace → trimmed + accepted", () => {
+    const r = resolveFirstBootVaultName("  aaron  ");
+    expect(r).toEqual({ source: "env", name: "aaron" });
+  });
+
+  test("env var set to invalid (uppercase + spaces + special) → fallback to default + record raw + reason", () => {
+    const r = resolveFirstBootVaultName("Bad Name!!");
+    expect(r.source).toBe("env-invalid");
+    expect(r.name).toBe("default");
+    if (r.source === "env-invalid") {
+      expect(r.rawValue).toBe("Bad Name!!");
+      expect(r.reason).toContain("lowercase alphanumeric");
+    }
+  });
+
+  test("env var set to reserved name 'list' → fallback to default", () => {
+    const r = resolveFirstBootVaultName("list");
+    expect(r.source).toBe("env-invalid");
+    expect(r.name).toBe("default");
+    if (r.source === "env-invalid") {
+      expect(r.reason).toContain("reserved");
+    }
+  });
+
+  test("env var set to slash-containing name → fallback to default", () => {
+    const r = resolveFirstBootVaultName("team/work");
+    expect(r.source).toBe("env-invalid");
+    expect(r.name).toBe("default");
+  });
+
+  test("env var set to a 200-char name → fallback to default (over max-length)", () => {
+    const r = resolveFirstBootVaultName("a".repeat(200));
+    expect(r.source).toBe("env-invalid");
+    expect(r.name).toBe("default");
+    if (r.source === "env-invalid") {
+      expect(r.reason).toContain("32");
+    }
+  });
+
+  test("env var set to a single character → fallback to default (under min-length)", () => {
+    const r = resolveFirstBootVaultName("a");
+    expect(r.source).toBe("env-invalid");
+    expect(r.name).toBe("default");
+    if (r.source === "env-invalid") {
+      expect(r.reason).toContain("2");
+    }
+  });
+});

package/src/vault-name.ts

@@ -5,12 +5,17 @@
  * the SQLite filename, and the OAuth consent page — anything that breaks
  * URL routing or filesystem assumptions has to be rejected up front.
  *
- * Used by the `init` prompt and the `--vault-name` flag. `cmdCreate` keeps
- * its own (slightly more permissive, legacy) regex for backward compat —
- * tightening it would reject names existing users may already have minted.
+ * Rule: lowercase alphanumeric + hyphens or underscores, 2–32 chars, with
+ * `list` reserved. Used by the `init` prompt, the `--vault-name` flag, and
+ * the `PARACHUTE_VAULT_NAME` env var at server first-boot. `cmdCreate`
+ * keeps its own (slightly more permissive, legacy) regex for backward
+ * compat — tightening it would reject names existing users may already
+ * have minted.
  */
 
 const VAULT_NAME_RE = /^[a-z0-9_-]+$/;
+const VAULT_NAME_MIN_LEN = 2;
+const VAULT_NAME_MAX_LEN = 32;
 
 const RESERVED_NAMES = new Set([
   // Collides with the `/vaults/list` discovery endpoint historically; the
@@ -23,11 +28,24 @@ export type VaultNameValidation =
   | { ok: true; name: string }
   | { ok: false; error: string };
 
+/**
+ * Validate a vault name. Accepts lowercase alphanumeric + hyphens or
+ * underscores, 2–32 chars. Trims surrounding whitespace before checking.
+ * `cmdCreate` keeps its own (legacy-permissive) regex; this validator is
+ * the strict gate used by the env var, the `--vault-name` flag, and
+ * hub's first-boot wizard.
+ */
 export function validateVaultName(raw: string): VaultNameValidation {
   const name = raw.trim();
   if (!name) {
     return { ok: false, error: "vault name cannot be empty." };
   }
+  if (name.length < VAULT_NAME_MIN_LEN || name.length > VAULT_NAME_MAX_LEN) {
+    return {
+      ok: false,
+      error: `vault names must be ${VAULT_NAME_MIN_LEN}–${VAULT_NAME_MAX_LEN} characters long.`,
+    };
+  }
   if (!VAULT_NAME_RE.test(name)) {
     return {
       ok: false,
@@ -78,3 +96,43 @@ export function decideInitVaultName(
   }
   return { kind: "prompt" };
 }
+
+/**
+ * Pick the first-boot vault name based on `PARACHUTE_VAULT_NAME`. Used by
+ * `server.ts` when the server starts with zero vaults on disk (Docker
+ * first-boot, hub-driven self-host install).
+ *
+ *   - env var unset / empty / whitespace-only → `{ source: "default", name: "default" }`
+ *   - env var present + valid → `{ source: "env", name: <validated> }`
+ *   - env var present + invalid → `{ source: "env-invalid", name: "default",
+ *     rawValue: <original>, reason: <validator message> }` (caller logs a
+ *     warning and proceeds with the default name; we never abort first-boot
+ *     over a misconfigured env var)
+ *
+ * Validation uses the same `validateVaultName` rule as the `--vault-name`
+ * flag — lowercase alphanumeric + hyphens or underscores, 2–32 chars, with
+ * the `list` reserved-name carveout — so hub's wizard, the CLI flag, and
+ * the env var all share one truth.
+ */
+export type FirstBootVaultName =
+  | { source: "default"; name: "default" }
+  | { source: "env"; name: string }
+  | { source: "env-invalid"; name: "default"; rawValue: string; reason: string };
+
+export function resolveFirstBootVaultName(
+  rawEnvValue: string | undefined,
+): FirstBootVaultName {
+  if (rawEnvValue === undefined || rawEnvValue.trim() === "") {
+    return { source: "default", name: "default" };
+  }
+  const v = validateVaultName(rawEnvValue);
+  if (v.ok) {
+    return { source: "env", name: v.name };
+  }
+  return {
+    source: "env-invalid",
+    name: "default",
+    rawValue: rawEnvValue,
+    reason: v.error,
+  };
+}