@openparachute/vault 0.4.9-rc.9 → 0.5.0-rc.2

package/src/mirror-manager.test.ts

@@ -215,6 +215,21 @@ describe("bootstrapInternalMirror", () => {
       expect(isGitRepoSync(dir)).toBe(true);
     }
   });
+
+  test("git missing → ok:false with actionable error (status surfaces it, no raw crash)", async () => {
+    // vault#415 — a git-less server can't bootstrap a mirror. The error
+    // channel carries the friendly message that MirrorManager.start threads
+    // into status.last_error, instead of a raw "Executable not found" crash.
+    dir = path.join(tmp("mirror-boot-nogit-"), "mirror");
+    const r = await bootstrapInternalMirror(dir, () => null);
+    expect(r.ok).toBe(false);
+    if (!r.ok) {
+      expect(r.error).toContain("git is required");
+      expect(r.error).toContain("dnf install git");
+    }
+    // Failed fast at the preflight — the dir was never created.
+    expect(fs.existsSync(dir)).toBe(false);
+  });
 });
 
 // ---------------------------------------------------------------------------
@@ -378,6 +393,42 @@ describe("MirrorManager.start — lifecycle matrix", () => {
     fs.rmSync(external, { recursive: true, force: true });
   });
 
+  test("external + git not installed → enabled:false with friendly error, never spawns/exports", async () => {
+    // vault#415 nit — the external branch's isGitRepo() check shells `git`
+    // with no preflight; on a git-less server it would throw a raw
+    // "Executable not found in $PATH: \"git\"" and crash start(). The
+    // top-of-start() preflight (forced via the `which` seam) lands the
+    // friendly, actionable message in last_error for the external location.
+    home = tmp("mgr-ext-nogit-installed-");
+    fs.mkdirSync(path.join(home, "vault", "data", "default"), { recursive: true });
+    // Use a real, valid external git repo so the ONLY thing that can fail is
+    // the git-presence preflight — proving the preflight (not the path/repo
+    // checks) produced the disabled state.
+    const external = tmp("mgr-ext-nogit-target-");
+    initRepo(external);
+    seedCommit(external);
+    const deps = makeFakeDeps({
+      parachuteHome: home,
+      initialConfig: {
+        ...defaultMirrorConfig(),
+        enabled: true,
+        location: "external",
+        external_path: external,
+        sync_mode: "events",
+      },
+    });
+    const mgr = new MirrorManager(deps);
+    // Force the preflight to see no git on PATH.
+    const status = await mgr.start(() => null);
+    expect(status.enabled).toBe(false);
+    expect(status.last_error).toContain("git is required");
+    expect(status.last_error).toContain("dnf install git");
+    // Never reached export — the preflight bailed before any git work.
+    expect(deps.exportCalls).toHaveLength(0);
+    await mgr.stop();
+    fs.rmSync(external, { recursive: true, force: true });
+  });
+
   test("internal bootstrap refuses to clobber pre-existing non-git data", async () => {
     home = tmp("mgr-int-clobber-");
     const mirrorPath = path.join(home, "vault", "data", "default", "mirror");

package/src/mirror-manager.ts

@@ -26,17 +26,16 @@
  *     debounce timer, cancel safety-net poll, let an in-flight export
  *     finish via the soft settle window.
  *
- * Singleton per-process: one `MirrorManager` instance backs the vault
- * server's lifecycle. Tests instantiate `MirrorManager` directly with
- * fake deps to exercise lifecycle transitions without spawning a full
- * vault server.
+ * One `MirrorManager` instance PER VAULT (vault#400). The per-vault
+ * registry (`mirror-registry.ts`) holds them keyed by vault name; boot
+ * stands up a manager for each vault whose config is enabled, and the
+ * routes resolve a manager by the URL's vault name. Tests instantiate
+ * `MirrorManager` directly with fake deps to exercise lifecycle
+ * transitions without spawning a full vault server.
  *
- * Phase A1 deliberately surfaces ONE mirror per vault server (matching
- * the design doc's single-mirror-per-vault model). Multi-vault server
- * deployments today already pin one vault per server via
- * `PARACHUTE_VAULT_NAME` / `default_vault`; the mirror config follows
- * suit. Multi-vault mirror routing is a future ripple (open question 2
- * in the design doc).
+ * Each manager is bound to its vault via `deps.vaultName` — its config
+ * read/write, credential reads, and resolved mirror path are all
+ * scoped to that one vault, so vault A's mirror never touches vault B's.
  *
  * ## Race-condition contract
  *
@@ -76,6 +75,7 @@ import {
   applyToGitRemote,
   readCredentials,
 } from "./mirror-credentials.ts";
+import { GitNotInstalledError, ensureGitAvailable } from "./git-preflight.ts";
 import type { HookRegistry } from "../core/src/hooks.ts";
 
 /**
@@ -231,7 +231,20 @@ export type BootstrapResult = BootstrapResultOk | BootstrapResultError;
  */
 export async function bootstrapInternalMirror(
   path: string,
+  // Test seam for the git-presence preflight (default `Bun.which`). Inject a
+  // fn returning `null` to exercise the git-not-installed bootstrap path.
+  which?: (cmd: string) => string | null,
 ): Promise<BootstrapResult> {
+  // Preflight: a git-less server can't bootstrap a mirror. Surface the
+  // friendly, actionable message into the bootstrap-error channel so the
+  // caller threads it into mirror status (`last_error`) rather than letting
+  // a raw `Executable not found in $PATH: "git"` crash out of the spawn.
+  try {
+    ensureGitAvailable(which);
+  } catch (err) {
+    return { ok: false, error: (err as Error).message };
+  }
+
   if (existsSync(path)) {
     let stat;
     try {
@@ -410,6 +423,15 @@ export class MirrorManager {
     this.deps = deps;
   }
 
+  /**
+   * The vault this mirror manager belongs to. Credential reads/writes are
+   * per-vault (vault#399); route handlers thread this into the credential
+   * functions so they touch the right vault's `.mirror-credentials.yaml`.
+   */
+  getVaultName(): string {
+    return this.deps.vaultName;
+  }
+
   /**
    * Read the current config snapshot. Returns a copy so callers can't
    * accidentally mutate the manager's internal state.
@@ -418,6 +440,30 @@ export class MirrorManager {
     return { ...this.currentConfig };
   }
 
+  /**
+   * The config the operator + SPA should SEE for this vault — distinct from
+   * the live in-memory `getConfig()` only before the manager has started.
+   *
+   * Why this exists (vault#400): routes resolve a per-vault manager via the
+   * registry, which can LAZILY build a manager for a vault that has config
+   * on disk but no running instance yet (e.g. a non-default vault the
+   * operator configured, or a runtime-enabled vault between PUT and the
+   * reload's start). A freshly-constructed-but-never-started manager has
+   * `currentConfig === defaultMirrorConfig()` (disabled), which would make
+   * `GET /vault/<name>/.parachute/mirror` show "disabled" for a vault whose
+   * file says `enabled: true`. Reading the persisted config when we haven't
+   * started yet returns the truth for that vault. Once `start()` has run,
+   * `currentConfig` is authoritative (it reflects the same persisted config
+   * plus any bootstrap outcome).
+   */
+  getEffectiveConfig(): MirrorConfig {
+    if (this.startCount === 0) {
+      const persisted = this.deps.readMirrorConfig();
+      if (persisted) return { ...persisted };
+    }
+    return { ...this.currentConfig };
+  }
+
   /**
    * Get the current status snapshot. Returns a copy for the same reason as
    * `getConfig`.
@@ -434,7 +480,11 @@ export class MirrorManager {
    * Returns the final status snapshot — useful for tests + the PUT
    * endpoint response.
    */
-  async start(): Promise<MirrorStatus> {
+  async start(
+    // Test seam for the git-presence preflight (default `Bun.which`). Inject
+    // a fn returning `null` to exercise the git-not-installed start path.
+    which?: (cmd: string) => string | null,
+  ): Promise<MirrorStatus> {
     this.startCount++;
     await this.stop({ preserveStatus: true });
 
@@ -469,6 +519,24 @@ export class MirrorManager {
     }
     this.status.mirror_path = path;
 
+    // Preflight git BEFORE branching on location. Both branches shell `git`
+    // (internal → bootstrapInternalMirror; external → isGitRepo). On a
+    // git-less server the external branch's `isGitRepo` would otherwise throw
+    // a raw "Executable not found in $PATH: \"git\"" and crash start();
+    // catching it here lands the friendly, actionable message in
+    // status.last_error (disabled) for either location, uniformly.
+    try {
+      ensureGitAvailable(which);
+    } catch (err) {
+      if (err instanceof GitNotInstalledError) {
+        this.status.enabled = false;
+        this.status.last_error = err.message;
+        console.warn(`[mirror] ${err.message}`);
+        return this.getStatus();
+      }
+      throw err;
+    }
+
     // Internal bootstrap. External path is the operator's responsibility —
     // they should have validated via the PUT endpoint before we hit boot.
     // We re-check `isGitRepo` defensively here either way; a missing/non-
@@ -609,9 +677,13 @@ export class MirrorManager {
    * the operator-intended config on disk; on the next vault boot it
    * applies cleanly.
    */
-  async reload(newConfig: MirrorConfig): Promise<MirrorStatus> {
+  async reload(
+    newConfig: MirrorConfig,
+    // Test seam forwarded to `start()` — see `start(which)`.
+    which?: (cmd: string) => string | null,
+  ): Promise<MirrorStatus> {
     this.deps.writeMirrorConfig(newConfig);
-    return this.start();
+    return this.start(which);
   }
 
   /**
@@ -855,14 +927,25 @@ export class MirrorManager {
     }
 
     const firstNoteTitle = await this.deps.firstChangedNoteTitle(sinceCursor);
-    const commitResult = await runGitCommitCycle({
-      repoDir: path,
-      template: this.currentConfig.commit_template,
-      notesChanged: totalChanged,
-      vaultName: this.deps.vaultName,
-      firstNoteTitle,
-      push: this.currentConfig.auto_push,
-    });
+    let commitResult: Awaited<ReturnType<typeof runGitCommitCycle>>;
+    try {
+      commitResult = await runGitCommitCycle({
+        repoDir: path,
+        template: this.currentConfig.commit_template,
+        notesChanged: totalChanged,
+        vaultName: this.deps.vaultName,
+        firstNoteTitle,
+        push: this.currentConfig.auto_push,
+      });
+    } catch (err) {
+      // git-not-installed (or any commit-cycle throw) lands in status as a
+      // friendly last_error rather than crashing the cycle. Matches the
+      // "errors reflected in last_error, never rethrown" contract above.
+      const msg = (err as Error).message ?? String(err);
+      this.status.last_error = `commit cycle failed: ${msg}`;
+      console.warn(`[mirror] ${this.status.last_error}`);
+      return;
+    }
 
     if (commitResult.committed) {
       // Resolve the new HEAD sha so the status displays the commit that
@@ -918,6 +1001,17 @@ export class MirrorManager {
     if (!this.status.enabled) return { fired: false, reason: "not_enabled" };
     if (!this.status.mirror_path) return { fired: false, reason: "no_mirror_path" };
     const path = this.status.mirror_path;
+    // Preflight: git-less server can't push. Surface the friendly message
+    // into last_push_error (the SPA renders it) rather than throwing a raw
+    // "Executable not found" out of the gitPush spawn.
+    try {
+      ensureGitAvailable();
+    } catch (err) {
+      const msg = (err as Error).message ?? String(err);
+      this.status.last_push_error = msg;
+      console.warn(`[mirror] push-now failed: ${msg}`);
+      return { fired: true, pushed: false, error: msg };
+    }
     const pushResult = await gitPush(path);
     const now = new Date().toISOString();
     // Refresh commits_unpushed either way — a no-op push still reflects
@@ -963,7 +1057,7 @@ export class MirrorManager {
    */
   private async applyCredentialsToRemote(repoDir: string): Promise<void> {
     try {
-      const creds = readCredentials();
+      const creds = readCredentials(this.deps.vaultName);
       if (!creds || !creds.active_method) {
         // No UI-configured credentials. Leave the remote alone — the
         // operator may have set one up via `git remote add` manually.