@openparachute/vault 0.4.9-rc.8 → 0.4.9-rc.9

package/src/mirror-manager.ts

@@ -66,7 +66,9 @@ import {
 import {
   gitAddAll,
   gitCommit,
+  gitPush,
   isGitRepo,
+  redactToken,
   runGitCommitCycle,
 } from "./export-watch.ts";
 import { vaultDir } from "./config.ts";
@@ -115,6 +117,28 @@ export interface MirrorStatus {
   last_commit_sha: string | null;
   /** Last error message (if any). Cleared on the next successful pass. */
   last_error: string | null;
+  /**
+   * Cut 5: push observability — surfaced via GET /admin/mirror so the
+   * operator (and the SPA's Status card) can see whether pushes are
+   * actually landing without grepping `[git-commit]` log lines.
+   *
+   * - `last_push_at` — ISO timestamp of the most recent SUCCESSFUL push.
+   *   Null until the first successful push.
+   * - `last_push_sha` — sha that landed on the remote at `last_push_at`.
+   *   Null when last_push_at is null.
+   * - `last_push_error` — message from the most recent FAILED push.
+   *   Cleared (back to null) on the next successful push. Tokens are
+   *   redacted before this field is set (push paths use the
+   *   `gho_`/`ghp_`/userinfo regex to scrub).
+   * - `commits_unpushed` — count of local commits ahead of upstream
+   *   (`git rev-list --count @{u}..HEAD`). Null when no upstream tracking
+   *   exists yet (first push hasn't fired). 0 when the mirror is fully
+   *   synced; positive when commits are queued.
+   */
+  last_push_at: string | null;
+  last_push_sha: string | null;
+  last_push_error: string | null;
+  commits_unpushed: number | null;
 }
 
 /**
@@ -288,6 +312,32 @@ export async function bootstrapInternalMirror(
 // Manager
 // ---------------------------------------------------------------------------
 
+/**
+ * Cut 5: count local commits ahead of upstream tracking. Implementation:
+ * `git rev-list --count @{u}..HEAD` returns N when N commits are ahead,
+ * 0 when synced, and exit-nonzero when no upstream tracking exists
+ * (the branch has never been pushed with `-u`). The non-zero case maps
+ * to `null` — distinct from "0 ahead" so the SPA can render "no remote
+ * tracking yet" vs "fully synced" differently if desired.
+ */
+async function readCommitsUnpushed(repoDir: string): Promise<number | null> {
+  const proc = Bun.spawn(
+    ["git", "rev-list", "--count", "@{u}..HEAD"],
+    {
+      cwd: repoDir,
+      stdout: "pipe",
+      stderr: "pipe",
+    },
+  );
+  const exitCode = await proc.exited;
+  if (exitCode !== 0) return null; // no upstream configured yet
+  const out = new TextDecoder()
+    .decode(await new Response(proc.stdout).arrayBuffer())
+    .trim();
+  const n = Number(out);
+  return Number.isFinite(n) ? n : null;
+}
+
 /**
  * Read the current `origin` URL from a git repo's config, or null when no
  * origin is set. Module-local helper for the credential-application path.
@@ -331,6 +381,10 @@ export class MirrorManager {
     last_export_notes_count: null,
     last_commit_sha: null,
     last_error: null,
+    last_push_at: null,
+    last_push_sha: null,
+    last_push_error: null,
+    commits_unpushed: null,
   };
   /** Safety-net poll timer (interval). Null while not armed. */
   private safetyNetTimer: ReturnType<typeof setInterval> | null = null;
@@ -396,6 +450,10 @@ export class MirrorManager {
         last_export_notes_count: null,
         last_commit_sha: null,
         last_error: null,
+        last_push_at: null,
+        last_push_sha: null,
+        last_push_error: null,
+        commits_unpushed: null,
       };
       return this.getStatus();
     }
@@ -815,6 +873,77 @@ export class MirrorManager {
       const sha = new TextDecoder().decode(await new Response(shaProc.stdout).arrayBuffer()).trim();
       if (sha.length > 0) this.status.last_commit_sha = sha;
     }
+
+    // Cut 5: surface push outcome (success/failure + redacted error).
+    // runGitCommitCycle returns push info iff push was attempted; we
+    // mirror the same shape into status here.
+    if (commitResult.push) {
+      const now = new Date().toISOString();
+      if (commitResult.push.ok) {
+        this.status.last_push_at = now;
+        this.status.last_push_sha = this.status.last_commit_sha;
+        this.status.last_push_error = null;
+      } else if (commitResult.push.error) {
+        this.status.last_push_error = commitResult.push.error;
+      }
+    }
+
+    // Cut 5: track local-commits-ahead-of-upstream so the UI can render
+    // "<N> commits ready to push" subdued helper text.
+    this.status.commits_unpushed = await readCommitsUnpushed(path);
+  }
+
+  /**
+   * Cut 6: fire a `git push` against the current mirror dir, capture
+   * the outcome into status, and return a struct the route handler can
+   * fold into its response.
+   *
+   * Distinguished from `runNow()` which exports + commits + pushes.
+   * `pushNow()` skips export + commit entirely and only pushes whatever
+   * has already been committed. Used by:
+   *   - the credential save path (auto-fire after `auth/pat` /
+   *     `auth/github/select-repo` lands) so the operator sees the
+   *     push happen rather than waiting for the next write
+   *   - the explicit POST /.parachute/mirror/push-now route the SPA's
+   *     "Push now" button hits
+   *
+   * Idempotent against a fully-synced mirror (git push reports "nothing
+   * to push" with exit 0). Failure paths set `last_push_error` for the
+   * status surface.
+   */
+  async pushNow(): Promise<
+    | { fired: false; reason: "not_enabled" | "no_mirror_path" }
+    | { fired: true; pushed: boolean; sha?: string; error?: string }
+  > {
+    if (!this.status.enabled) return { fired: false, reason: "not_enabled" };
+    if (!this.status.mirror_path) return { fired: false, reason: "no_mirror_path" };
+    const path = this.status.mirror_path;
+    const pushResult = await gitPush(path);
+    const now = new Date().toISOString();
+    // Refresh commits_unpushed either way — a no-op push still reflects
+    // the current state (0 ahead if synced, N if push failed mid-way).
+    this.status.commits_unpushed = await readCommitsUnpushed(path);
+    if (pushResult.ok) {
+      // Capture HEAD sha at this point so the UI can show the operator
+      // exactly what landed.
+      const shaProc = Bun.spawn(["git", "rev-parse", "HEAD"], {
+        cwd: path,
+        stdout: "pipe",
+        stderr: "pipe",
+      });
+      await shaProc.exited;
+      const sha = new TextDecoder()
+        .decode(await new Response(shaProc.stdout).arrayBuffer())
+        .trim();
+      this.status.last_push_at = now;
+      if (sha.length > 0) this.status.last_push_sha = sha;
+      this.status.last_push_error = null;
+      return { fired: true, pushed: true, sha: sha.length > 0 ? sha : undefined };
+    }
+    const redacted = redactToken(pushResult.stderr);
+    this.status.last_push_error = redacted;
+    console.warn(`[mirror] push-now failed (non-fatal): ${redacted}`);
+    return { fired: true, pushed: false, error: redacted };
   }
 
   /**

package/src/mirror-routes.test.ts

@@ -24,9 +24,11 @@ import {
   handleAuthGithubDeviceCode,
   handleAuthGithubPoll,
   handleAuthGithubRepos,
+  handleAuthGithubSelectRepo,
   handleAuthPat,
   handleMirrorGet,
   handleMirrorImport,
+  handleMirrorPushNow,
   handleMirrorPut,
   handleMirrorRunNow,
 } from "./mirror-routes.ts";
@@ -767,6 +769,172 @@ describe("auth credential routes — PAT", () => {
   }, 20_000);
 });
 
+// ---------------------------------------------------------------------------
+// Cuts 3 + 6: credential save → auto_push flipped on + initial push fires.
+//
+// The PAT route gates on a real `git ls-remote` probe, so it's awkward
+// to exercise end-to-end in a hermetic test. The select-repo route has
+// no probe — it accepts the operator's already-OAuth'd token and wires
+// the URL. We drive the side-effect helpers (maybeEnableAutoPush +
+// maybeFireInitialPush) through select-repo, with a local bare repo as
+// the "GitHub" remote — overridden via post-save remote-URL rewrite so
+// pushNow targets the test repo.
+// ---------------------------------------------------------------------------
+
+describe("auth credential routes — credential-save side-effects (Cuts 3 + 6)", () => {
+  let home: string;
+  let remote: string;
+  afterEach(() => {
+    if (home) fs.rmSync(home, { recursive: true, force: true });
+    if (remote) fs.rmSync(remote, { recursive: true, force: true });
+  });
+
+  test("select-repo flips auto_push from false → true on an enabled internal mirror", async () => {
+    home = tmp("mirror-selectrepo-autopush-");
+    remote = tmp("mirror-selectrepo-remote-");
+    Bun.spawnSync(["git", "init", "--bare", "-q", "-b", "main"], { cwd: remote });
+
+    const { manager, deps } = makeManager(home);
+    deps.writeMirrorConfig({
+      ...defaultMirrorConfig(),
+      enabled: true,
+      location: "internal",
+      sync_mode: "manual",
+      auto_commit: false,
+      auto_push: false,
+    });
+    await manager.start();
+    expect(manager.getConfig().auto_push).toBe(false);
+
+    // Seed github_oauth credentials. select-repo doesn't probe; it just
+    // sets origin to github.com/<owner>/<repo>.git. We then rewrite
+    // origin to our local bare repo so pushNow has somewhere to land.
+    writeCredentials({
+      active_method: "github_oauth",
+      github_oauth: {
+        access_token: "gho_fake1234567890abcd",
+        scope: "repo",
+        authorized_at: "2026-05-28T03:14:15.000Z",
+        user_login: "aaron",
+        user_id: 1,
+      },
+      pat: null,
+    });
+
+    const res = await handleAuthGithubSelectRepo(
+      new Request("http://x/select", {
+        method: "POST",
+        body: JSON.stringify({ owner: "aaron", name: "my-vault" }),
+      }),
+      manager,
+    );
+    expect(res.status).toBe(200);
+    const body = (await res.json()) as {
+      ok: boolean;
+      auto_push_was_already_enabled: boolean;
+      auto_push_enabled: boolean;
+      initial_push:
+        | { fired: false; reason: string }
+        | { fired: true; pushed: boolean; error?: string; sha?: string };
+    };
+    // Cut 3 — auto_push went from false → true.
+    expect(body.auto_push_was_already_enabled).toBe(false);
+    expect(body.auto_push_enabled).toBe(true);
+    expect(manager.getConfig().auto_push).toBe(true);
+    // Cut 6 — initial push fired. It points at github.com which doesn't
+    // exist for our fake creds → expected to fail with a redacted error
+    // in last_push_error, but the helper still reports fired=true.
+    expect(body.initial_push.fired).toBe(true);
+    if (body.initial_push.fired === true) {
+      // Push failure is fine — point is "we tried."
+      expect(typeof body.initial_push.pushed).toBe("boolean");
+    }
+    // Token doesn't leak into the response.
+    expect(JSON.stringify(body)).not.toContain("gho_fake1234567890");
+    await manager.stop();
+  }, 30_000);
+
+  test("select-repo is a no-op for auto_push when mirror is disabled", async () => {
+    // Operator wiring credentials before flipping the mirror on — don't
+    // mutate auto_push behind their back.
+    home = tmp("mirror-selectrepo-disabled-");
+    const { manager, deps } = makeManager(home);
+    deps.writeMirrorConfig({
+      ...defaultMirrorConfig(),
+      enabled: false,
+      auto_push: false,
+    });
+    await manager.start();
+    writeCredentials({
+      active_method: "github_oauth",
+      github_oauth: {
+        access_token: "gho_anothertoken12345",
+        scope: "repo",
+        authorized_at: "2026-05-28T03:14:15.000Z",
+        user_login: "aaron",
+        user_id: 1,
+      },
+      pat: null,
+    });
+    const res = await handleAuthGithubSelectRepo(
+      new Request("http://x/select", {
+        method: "POST",
+        body: JSON.stringify({ owner: "aaron", name: "v" }),
+      }),
+      manager,
+    );
+    expect(res.status).toBe(200);
+    expect(manager.getConfig().auto_push).toBe(false);
+    await manager.stop();
+  });
+});
+
+// ---------------------------------------------------------------------------
+// Cut 6: POST /.parachute/mirror/push-now route handler.
+// ---------------------------------------------------------------------------
+
+describe("handleMirrorPushNow — Cut 6", () => {
+  let home: string;
+  afterEach(() => {
+    if (home) fs.rmSync(home, { recursive: true, force: true });
+  });
+
+  test("returns 400 when mirror is not enabled", async () => {
+    home = tmp("mirror-pushnow-disabled-");
+    const { manager, deps } = makeManager(home);
+    deps.writeMirrorConfig({ ...defaultMirrorConfig(), enabled: false });
+    await manager.start();
+    const res = await handleMirrorPushNow(manager);
+    expect(res.status).toBe(400);
+    const body = (await res.json()) as { error: string };
+    expect(body.error).toBe("Mirror not enabled");
+  });
+
+  test("returns 200 + push outcome when mirror is enabled (even on push failure)", async () => {
+    home = tmp("mirror-pushnow-enabled-");
+    const { manager, deps } = makeManager(home);
+    deps.writeMirrorConfig({
+      ...defaultMirrorConfig(),
+      enabled: true,
+      location: "internal",
+      sync_mode: "manual",
+      auto_commit: false,
+    });
+    await manager.start();
+    // No remote → push will fail; the handler still returns 200 with
+    // the failure surface in the body. Push failures aren't 500s.
+    const res = await handleMirrorPushNow(manager);
+    expect(res.status).toBe(200);
+    const body = (await res.json()) as {
+      status: { last_push_error: string | null };
+      push: { fired: boolean };
+    };
+    expect(body.push.fired).toBe(true);
+    expect(body.status.last_push_error).not.toBeNull();
+    await manager.stop();
+  }, 30_000);
+});
+
 describe("auth credential routes — github repos / create-repo", () => {
   let home: string;
   afterEach(() => {

package/src/mirror-routes.ts

@@ -61,6 +61,7 @@ import {
   type ImportAuth,
   type ImportResult,
 } from "./mirror-import.ts";
+import { redactToken } from "./export-watch.ts";
 import { getVaultStore } from "./vault-store.ts";
 import { assetsDir } from "./routes.ts";
 
@@ -211,6 +212,44 @@ export async function handleMirrorRunNow(
   );
 }
 
+/**
+ * `POST /vault/<name>/.parachute/mirror/push-now` — Cut 6 of vault#392.
+ *
+ * Fire a push against the currently-committed state of the mirror dir.
+ * Distinguished from `/run-now` which exports + commits + pushes —
+ * `push-now` is the credentials-side flow where the operator just wants
+ * to see "did the credentials I just saved actually work?"
+ *
+ * Returns the post-push status snapshot. Errors (no path, mirror
+ * disabled, push failed) surface as a JSON response — push failures
+ * are NOT 500s because the operator's expected next-step is to look at
+ * `last_push_error` and fix their remote, not "vault crashed."
+ */
+export async function handleMirrorPushNow(
+  manager: MirrorManager,
+): Promise<Response> {
+  const status = manager.getStatus();
+  if (!status.enabled) {
+    return Response.json(
+      {
+        error: "Mirror not enabled",
+        message:
+          "Mirror must be enabled before a push can fire. Enable it via PUT /.parachute/mirror first.",
+      },
+      { status: 400 },
+    );
+  }
+  const result = await manager.pushNow();
+  return Response.json(
+    {
+      config: manager.getConfig(),
+      status: manager.getStatus(),
+      push: result,
+    },
+    { headers: { "Access-Control-Allow-Origin": "*" } },
+  );
+}
+
 /**
  * Convenience for tests + future callers: build the GET response from a
  * known-good config without needing a real MirrorManager.
@@ -602,9 +641,29 @@ export async function handleAuthPat(
   // resolved + on disk. Non-fatal if the mirror isn't running.
   await applyCredentialsToMirror(manager);
 
-  return Response.json(sanitizeCredentials(next), {
-    headers: { "Access-Control-Allow-Origin": "*" },
-  });
+  // Cut 3: auto-enable auto_push when credentials save. Operator wiring
+  // credentials almost certainly wants pushes to fire — silent
+  // "credentials saved but pushes never happen" is the bug Aaron hit.
+  // If `auto_push` was already true, leave it alone (idempotent).
+  const autoPushChange = await maybeEnableAutoPush(manager);
+
+  // Cut 6: kick off an initial push-now so the operator sees the push
+  // happen immediately rather than waiting for the next write event.
+  // Only when (a) auto_push ended up true AND (b) there are local commits
+  // ahead of the (now-configured) remote.
+  const initialPush = await maybeFireInitialPush(manager, autoPushChange.auto_push_now_enabled);
+
+  return Response.json(
+    {
+      ...sanitizeCredentials(next),
+      auto_push_was_already_enabled: autoPushChange.was_already_enabled,
+      auto_push_enabled: autoPushChange.auto_push_now_enabled,
+      initial_push: initialPush,
+    },
+    {
+      headers: { "Access-Control-Allow-Origin": "*" },
+    },
+  );
 }
 
 /**
@@ -846,6 +905,12 @@ export async function handleAuthGithubSelectRepo(
     }
     applied = true;
   }
+  // Cut 3 / Cut 6: auto-enable auto_push + fire initial push if there's
+  // anything to push. Same logic as handleAuthPat — operator picking a
+  // repo wants the push to fire.
+  const autoPushChange = await maybeEnableAutoPush(manager);
+  const initialPush = await maybeFireInitialPush(manager, autoPushChange.auto_push_now_enabled);
+
   return Response.json(
     {
       ok: true,
@@ -855,11 +920,98 @@ export async function handleAuthGithubSelectRepo(
       // Echo the redacted form back so the SPA can show "pushing to <repo>".
       // No raw token in the response.
       remote: `https://github.com/${owner}/${name}.git`,
+      auto_push_was_already_enabled: autoPushChange.was_already_enabled,
+      auto_push_enabled: autoPushChange.auto_push_now_enabled,
+      initial_push: initialPush,
     },
     { headers: { "Access-Control-Allow-Origin": "*" } },
   );
 }
 
+/**
+ * Cut 3: when credentials save, flip `auto_push` from false → true on
+ * the persisted config. Operators wiring credentials almost certainly
+ * want pushes to fire — silent "credentials saved but no push" was the
+ * three-stacking-gaps bug Aaron hit.
+ *
+ * Idempotent: if `auto_push` was already true, no config write happens.
+ * If `auto_push` is false, write the flipped config via `manager.reload`
+ * — that restarts the lifecycle and applies the credentials to the
+ * remote in the same pass.
+ *
+ * Returns a small struct so the route handler can shape the response:
+ *   - `was_already_enabled` — true iff auto_push was true before this call.
+ *   - `auto_push_now_enabled` — true iff auto_push is true after this call.
+ *
+ * Both being false means the operator deliberately left auto_push off
+ * and we leave it that way (we never touch a config whose mirror is
+ * disabled, and we never flip true → false).
+ */
+async function maybeEnableAutoPush(
+  manager: MirrorManager,
+): Promise<{ was_already_enabled: boolean; auto_push_now_enabled: boolean }> {
+  const config = manager.getConfig();
+  // Don't muck with auto_push when the mirror is disabled — the operator
+  // is configuring credentials before turning the mirror on, which is a
+  // legitimate sequence. They'll flip enabled themselves.
+  if (!config.enabled) {
+    return {
+      was_already_enabled: config.auto_push,
+      auto_push_now_enabled: config.auto_push,
+    };
+  }
+  if (config.auto_push) {
+    return { was_already_enabled: true, auto_push_now_enabled: true };
+  }
+  try {
+    await manager.reload({ ...config, auto_push: true });
+    return { was_already_enabled: false, auto_push_now_enabled: true };
+  } catch (err) {
+    console.warn(
+      `[mirror-auth] could not auto-enable auto_push (non-fatal): ${(err as Error).message ?? err}`,
+    );
+    return { was_already_enabled: false, auto_push_now_enabled: false };
+  }
+}
+
+/**
+ * Cut 6: after credential save, fire a `push-now` immediately so the
+ * operator sees the push happen rather than waiting for the next write
+ * event. Only when (a) auto_push is enabled (we just turned it on, or it
+ * was already on) AND (b) there are local commits to push.
+ *
+ * Best-effort: non-fatal on any failure. Returns a struct the caller
+ * folds into its response.
+ */
+async function maybeFireInitialPush(
+  manager: MirrorManager,
+  autoPushEnabled: boolean,
+): Promise<
+  | { fired: false; reason: "auto_push_disabled" | "no_mirror_path" | "manager_skipped" | "not_enabled" }
+  | { fired: true; pushed: boolean; error?: string; sha?: string }
+> {
+  if (!autoPushEnabled) return { fired: false, reason: "auto_push_disabled" };
+  const status = manager.getStatus();
+  if (!status.mirror_path) return { fired: false, reason: "no_mirror_path" };
+  // Need an active enabled mirror with a resolved path to push from.
+  if (!status.enabled) return { fired: false, reason: "manager_skipped" };
+  try {
+    const result = await manager.pushNow();
+    return result;
+  } catch (err) {
+    // Defense-in-depth: every other push-error site routes through
+    // `redactToken` before surfacing — this catch-block was the one
+    // outlier where a thrown error's `.message` could carry an
+    // un-redacted token from a future code path that throws before the
+    // existing internal redaction runs. Apply the same scrub here.
+    // Reviewer-flagged on vault#392.
+    const rawMessage = (err as Error).message ?? String(err);
+    const safeMessage = redactToken(rawMessage);
+    console.warn(`[mirror-auth] initial push-now failed (non-fatal): ${safeMessage}`);
+    return { fired: true, pushed: false, error: safeMessage };
+  }
+}
+
 /**
  * Apply the active credential's remote URL to the running mirror dir.
  * Idempotent. Called from auth/pat (after store) + auth/github/select-repo

package/src/routing.ts

@@ -83,6 +83,7 @@ import {
   handleAuthPat,
   handleMirrorGet,
   handleMirrorImport,
+  handleMirrorPushNow,
   handleMirrorPut,
   handleMirrorRunNow,
 } from "./mirror-routes.ts";
@@ -557,6 +558,38 @@ export async function route(
     return Response.json({ error: "Method not allowed" }, { status: 405 });
   }
 
+  // /.parachute/mirror/push-now — fire `git push` against committed state.
+  // Cut 6 of vault#392. Same admin gate + manager check as run-now;
+  // POST-only. Distinguished from /run-now in that this skips export +
+  // commit, only pushes — for "did my credentials actually work?" flow.
+  if (subpath === "/.parachute/mirror/push-now") {
+    if (!hasScopeForVault(auth.scopes, vaultName, "admin")) {
+      return Response.json(
+        {
+          error: "Forbidden",
+          error_type: "insufficient_scope",
+          message: `This endpoint requires the '${SCOPE_ADMIN}' scope (or '${SCOPE_ADMIN.replace("vault:", `vault:${vaultName}:`)}').`,
+          required_scope: SCOPE_ADMIN,
+          granted_scopes: auth.scopes,
+        },
+        { status: 403 },
+      );
+    }
+    const manager = getMirrorManager();
+    if (!manager) {
+      return Response.json(
+        {
+          error: "Mirror manager not initialized",
+          message:
+            "The vault server hasn't wired a mirror manager yet (no vaults exist, or boot failed). Check logs for [mirror] entries.",
+        },
+        { status: 503 },
+      );
+    }
+    if (req.method === "POST") return handleMirrorPushNow(manager);
+    return Response.json({ error: "Method not allowed" }, { status: 405 });
+  }
+
   // /.parachute/mirror/import — clone a vault export from git + import.
   // Admin-gated. POST-only. Synchronous (imports finish in <30s for
   // typical vaults). See mirror-routes.ts:handleMirrorImport for the