forked from farhoodlabs/paperclip
Dotta
8da50dbcf8
## Thinking Path > - Paperclip orchestrates AI agents for zero-human companies. > - Fresh self-hosted deployments need an operator path before any invite exists. > - Umbrel installs are private LAN deployments, so a one-time browser claim is appropriate only when the deployment is private and unclaimed. > - Public deployments and installs with active invites must keep the existing invite-only model so admin creation is not exposed broadly. > - GitHub PR #2927 established the useful direction, but it needed to be adapted onto current `master` rather than merged as-is. > - This pull request adds that adapted private-only claim flow across server, UI, docs, and regression coverage. > - The benefit is that a fresh private Umbrel-style install can be claimed from the browser without weakening public deployment access. ## What Changed - Added a first-admin claim service and access route support for one-time admin claim eligibility on private unclaimed deployments. - Updated the bootstrap/access UI so eligible private installs show a setup claim path, while public and invited deployments keep invite-first behavior. - Added a bootstrap-pending setup UX lab covering claim, invite, public, and signed-in access states. - Updated deployment and local development docs for authenticated private/public behavior and the Umbrel-style claim path. - Added server and UI regression tests for private claim, public no-claim, active invite fallback, existing board/no-access flows, and health exposure reporting. - Stabilized PR handoff verification by serializing the aggregate server Vitest workspace run, forcing `NODE_ENV=test`, and relaxing the heartbeat batching test around legitimate recovery follow-up runs. ## Verification - `pnpm -r typecheck` - `pnpm build` - `pnpm vitest --run server/src/__tests__/heartbeat-comment-wake-batching.test.ts` - `pnpm vitest --run server/src/__tests__/health-dev-server-token.test.ts` - `pnpm test:run` - QA validation: PAP-10115 passed browser validation with screenshots for private fresh install claim, active invite versus claim conflict, public invite-only/claim-absent behavior, existing invite fallback, and normal board/no-access flows. - GitHub closeout: issue #2579 and PR #2927 were updated with the accepted direction: adapt the implementation, do not direct-merge #2927 as-is. ## Risks - The claim endpoint must remain private-only and one-time; a regression here could expose admin creation on public deployments. - Existing invite behavior must remain intact for public deployments and installs that already have an active invite. - The stable Vitest harness now serializes the aggregate server workspace group; this is slower, but it avoids DB-backed suite collisions under root workspace mode. > For core feature work, check [`ROADMAP.md`](ROADMAP.md) first and discuss it in `#dev` before opening the PR. Feature PRs that overlap with planned core work may need to be redirected - check the roadmap first. See `CONTRIBUTING.md`. > > ROADMAP.md checked: this is a scoped deployment bootstrap/access fix and does not duplicate a listed roadmap project. ## Model Used - OpenAI GPT-5 Codex via Paperclip `codex_local` for product engineering, implementation, and verification, with tool-enabled local code execution. Paperclip QA browser validation was performed in PAP-10115 by the assigned QA agent; exact adapter model metadata for that QA run is not exposed in this PR context. ## Checklist - [x] I have included a thinking path that traces from project context to this change - [x] I have specified the model used (with version and capability details) - [x] I have checked ROADMAP.md and confirmed this PR does not duplicate planned core work - [x] I have run tests locally and they pass - [x] I have added or updated tests where applicable - [x] If this change affects the UI, I have included before/after screenshots - [x] I have updated relevant documentation to reflect my changes - [x] I have considered and documented any risks above - [x] I will address all Greptile and reviewer comments before requesting merge --------- Co-authored-by: Paperclip <noreply@paperclip.ing>
230 lines
7.5 KiB
TypeScript
230 lines
7.5 KiB
TypeScript
// @vitest-environment jsdom
|
|
|
|
import type { ReactNode } from "react";
|
|
import { flushSync } from "react-dom";
|
|
import { createRoot } from "react-dom/client";
|
|
import { QueryClient, QueryClientProvider } from "@tanstack/react-query";
|
|
import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
|
|
import { CloudAccessGate } from "./components/CloudAccessGate";
|
|
|
|
const mockHealthApi = vi.hoisted(() => ({
|
|
get: vi.fn(),
|
|
}));
|
|
|
|
const mockAuthApi = vi.hoisted(() => ({
|
|
getSession: vi.fn(),
|
|
}));
|
|
|
|
const mockAccessApi = vi.hoisted(() => ({
|
|
getCurrentBoardAccess: vi.fn(),
|
|
claimBootstrapAdmin: vi.fn(),
|
|
}));
|
|
|
|
vi.mock("./api/health", () => ({
|
|
healthApi: mockHealthApi,
|
|
}));
|
|
|
|
vi.mock("./api/auth", () => ({
|
|
authApi: mockAuthApi,
|
|
}));
|
|
|
|
vi.mock("./api/access", () => ({
|
|
accessApi: mockAccessApi,
|
|
}));
|
|
|
|
vi.mock("@/lib/router", () => ({
|
|
Link: ({ to, children }: { to: string; children?: ReactNode }) => <a href={to}>{children}</a>,
|
|
Navigate: ({ to }: { to: string }) => <div>Navigate:{to}</div>,
|
|
Outlet: () => <div>Outlet content</div>,
|
|
Route: ({ children }: { children?: ReactNode }) => <>{children}</>,
|
|
Routes: ({ children }: { children?: ReactNode }) => <>{children}</>,
|
|
useLocation: () => ({ pathname: "/instance/settings/general", search: "", hash: "" }),
|
|
useParams: () => ({}),
|
|
}));
|
|
|
|
async function flushReact() {
|
|
await Promise.resolve();
|
|
await new Promise((resolve) => window.setTimeout(resolve, 0));
|
|
}
|
|
|
|
async function waitForText(container: HTMLElement, text: string) {
|
|
for (let attempt = 0; attempt < 20; attempt += 1) {
|
|
if (container.textContent?.includes(text)) return;
|
|
await flushReact();
|
|
}
|
|
expect(container.textContent).toContain(text);
|
|
}
|
|
|
|
function renderGate(container: HTMLElement) {
|
|
const root = createRoot(container);
|
|
const queryClient = new QueryClient({
|
|
defaultOptions: { queries: { retry: false } },
|
|
});
|
|
|
|
flushSync(() => {
|
|
root.render(
|
|
<QueryClientProvider client={queryClient}>
|
|
<CloudAccessGate />
|
|
</QueryClientProvider>,
|
|
);
|
|
});
|
|
|
|
return root;
|
|
}
|
|
|
|
function unmountRoot(root: ReturnType<typeof createRoot>) {
|
|
flushSync(() => {
|
|
root.unmount();
|
|
});
|
|
}
|
|
|
|
describe("CloudAccessGate", () => {
|
|
let container: HTMLDivElement;
|
|
|
|
beforeEach(() => {
|
|
container = document.createElement("div");
|
|
document.body.appendChild(container);
|
|
mockHealthApi.get.mockResolvedValue({
|
|
status: "ok",
|
|
deploymentMode: "authenticated",
|
|
deploymentExposure: "private",
|
|
bootstrapStatus: "ready",
|
|
});
|
|
});
|
|
|
|
afterEach(() => {
|
|
container.remove();
|
|
document.body.innerHTML = "";
|
|
vi.clearAllMocks();
|
|
});
|
|
|
|
it("shows a no-access message for signed-in users without org access", async () => {
|
|
mockAuthApi.getSession.mockResolvedValue({
|
|
session: { id: "session-1", userId: "user-1" },
|
|
user: { id: "user-1", email: "user@example.com", name: "User", image: null },
|
|
});
|
|
mockAccessApi.getCurrentBoardAccess.mockResolvedValue({
|
|
user: { id: "user-1", email: "user@example.com", name: "User", image: null },
|
|
userId: "user-1",
|
|
isInstanceAdmin: false,
|
|
companyIds: [],
|
|
source: "session",
|
|
keyId: null,
|
|
});
|
|
|
|
const root = renderGate(container);
|
|
await waitForText(container, "No company access");
|
|
|
|
expect(container.textContent).toContain("No company access");
|
|
expect(container.textContent).not.toContain("Outlet content");
|
|
|
|
unmountRoot(root);
|
|
});
|
|
|
|
it("allows authenticated users with company access through to the board", async () => {
|
|
mockAuthApi.getSession.mockResolvedValue({
|
|
session: { id: "session-1", userId: "user-1" },
|
|
user: { id: "user-1", email: "user@example.com", name: "User", image: null },
|
|
});
|
|
mockAccessApi.getCurrentBoardAccess.mockResolvedValue({
|
|
user: { id: "user-1", email: "user@example.com", name: "User", image: null },
|
|
userId: "user-1",
|
|
isInstanceAdmin: false,
|
|
companyIds: ["company-1"],
|
|
source: "session",
|
|
keyId: null,
|
|
});
|
|
|
|
const root = renderGate(container);
|
|
await waitForText(container, "Outlet content");
|
|
|
|
expect(container.textContent).toContain("Outlet content");
|
|
expect(container.textContent).not.toContain("No company access");
|
|
|
|
unmountRoot(root);
|
|
});
|
|
|
|
it("shows browser sign-in setup for signed-out private bootstrap-pending instances", async () => {
|
|
mockHealthApi.get.mockResolvedValue({
|
|
status: "ok",
|
|
deploymentMode: "authenticated",
|
|
deploymentExposure: "private",
|
|
bootstrapStatus: "bootstrap_pending",
|
|
bootstrapInviteActive: false,
|
|
});
|
|
mockAuthApi.getSession.mockResolvedValue(null);
|
|
|
|
const root = renderGate(container);
|
|
await waitForText(container, "Finish setting up this Paperclip");
|
|
|
|
expect(container.textContent).toContain("Finish setting up this Paperclip");
|
|
expect(container.textContent).toContain("Sign in / Create account");
|
|
expect(container.textContent).toContain("pnpm paperclipai auth bootstrap-ceo");
|
|
expect(mockAccessApi.getCurrentBoardAccess).not.toHaveBeenCalled();
|
|
|
|
unmountRoot(root);
|
|
});
|
|
|
|
it("shows the claim action for signed-in private bootstrap-pending instances", async () => {
|
|
mockHealthApi.get.mockResolvedValue({
|
|
status: "ok",
|
|
deploymentMode: "authenticated",
|
|
deploymentExposure: "private",
|
|
bootstrapStatus: "bootstrap_pending",
|
|
bootstrapInviteActive: false,
|
|
});
|
|
mockAuthApi.getSession.mockResolvedValue({
|
|
session: { id: "session-1", userId: "user-1" },
|
|
user: { id: "user-1", email: "user@example.com", name: "User", image: null },
|
|
});
|
|
mockAccessApi.claimBootstrapAdmin.mockResolvedValue({ claimed: true, userId: "user-1" });
|
|
|
|
const root = renderGate(container);
|
|
await waitForText(container, "Claim this instance");
|
|
|
|
expect(container.textContent).toContain("Claim this instance");
|
|
expect(container.textContent).toContain("Signed in as user@example.com");
|
|
expect(mockAccessApi.getCurrentBoardAccess).not.toHaveBeenCalled();
|
|
|
|
const button = Array.from(container.querySelectorAll("button")).find((candidate) =>
|
|
candidate.textContent?.includes("Claim this instance"),
|
|
);
|
|
expect(button).toBeTruthy();
|
|
flushSync(() => {
|
|
button?.dispatchEvent(new MouseEvent("click", { bubbles: true }));
|
|
});
|
|
await waitForText(container, "You're the instance admin");
|
|
|
|
expect(mockAccessApi.claimBootstrapAdmin).toHaveBeenCalledTimes(1);
|
|
expect(container.textContent).toContain("You're the instance admin");
|
|
expect(container.textContent).toContain("Continue to dashboard");
|
|
|
|
unmountRoot(root);
|
|
});
|
|
|
|
it("keeps public bootstrap-pending instances invite-only", async () => {
|
|
mockHealthApi.get.mockResolvedValue({
|
|
status: "ok",
|
|
deploymentMode: "authenticated",
|
|
deploymentExposure: "public",
|
|
bootstrapStatus: "bootstrap_pending",
|
|
bootstrapInviteActive: true,
|
|
});
|
|
mockAuthApi.getSession.mockResolvedValue({
|
|
session: { id: "session-1", userId: "user-1" },
|
|
user: { id: "user-1", email: "user@example.com", name: "User", image: null },
|
|
});
|
|
|
|
const root = renderGate(container);
|
|
await waitForText(container, "This Paperclip is waiting on its first admin");
|
|
|
|
expect(container.textContent).toContain("This Paperclip is waiting on its first admin");
|
|
expect(container.textContent).toContain("invite-only mode");
|
|
expect(container.textContent).not.toContain("Claim this instance");
|
|
expect(container.textContent).not.toContain("Sign in / Create account");
|
|
expect(mockAccessApi.claimBootstrapAdmin).not.toHaveBeenCalled();
|
|
|
|
unmountRoot(root);
|
|
});
|
|
});
|