hub 0.7.0 — the hub–module boundary

@unforced unforced released this 09 Jun 23:59
· 21 commits to main since this release
d7bb942

The biggest architectural release since launch. Hub 0.7.0 implements the hub–module boundary charter (parachute-patterns/patterns/hub-module-boundary.md): the hub owns the substrate (identity, issuance, identity transactions, transport, catalog, supervision, bootstrap); modules own their domain — including their instance lifecycle and admin surfaces. Pairs with vault 0.6.0 (designed together; a one-release compat shim means either may upgrade first).

The boundary (2026-06-09 arc)

  • DELETE /vaults/<name> with a full identity cascade (#637): revokes every token naming the vault (exact scope-segment matching), rewrites OAuth grants (multi-vault grants lose only the deleted vault's entries), drops user assignments, invalidates pinned invites, tears down connections, and restarts vault to evict the deleted store. Refuses last-vault deletion (409). Requires {"confirm":"<name>"}.
  • Lifecycle symmetry: the Connections engine now registers its long-lived mints, so tearing down a connection genuinely revokes its credentials (#637). Previously a removed vault-backed channel left live 90-day tokens behind.
  • /vault/admin/ routes to vault's own multi-vault home (#637) — vault instance management (list/create/delete) now lives in vault's surface, completing the module-admin URL symmetry: channel/admin · scribe/admin · surface/admin · vault/admin. The hub SPA slims accordingly (#645): vault's Home card renders exactly like every other module; /vaults is a feature-detected forwarder (legacy list kept for pre-0.6.0 vaults).
  • Same-origin belt on cookie-gated /admin/* mutations (#638, closes #632): strict Origin check, defense-in-depth over SameSite=Lax. Bearer-authed API clients unaffected.
  • Module-token mint opened to third-party modules (#646): GET /admin/module-token/<short> now gates on self-registration (services.json row + readable .parachute/module.json) — a third-party module gets proxy, discovery, OAuth, admin-token mints, and Connections with zero hub code changes.
  • Unified module.json URL semantics (#637): http(s):// verbatim · leading-/ = origin-absolute · relative = per-instance mount-join. One-release compat shim for the legacy vault "/admin/" form.
  • Reserved vault names consolidated to one validator: list, new, assets, admin — enforced at every creation path including invite redemption (#637).
  • Legacy /admin/channels endpoint retired (superseded by Connections); presets are now declaration-driven via connectionTemplates (#646).
  • Connection provenance, parameterized module-initiated connections, the unified admin shell, and the general event→action Connections builder (#627#631, #635, #636).
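The same-origin belt from #638, sketched as an added example (this is not the hub's code): a gate that runs before cookie-authenticated /admin/* mutations and lets bearer-authed clients through untouched. HUB_ORIGIN, the request shape, the decision strings, the sample paths and the choice to reject a missing Origin header are assumptions made for the illustration.

```javascript
// Added illustration, not the hub's implementation.
const HUB_ORIGIN = "https://hub.example.test"; // constructed value
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// req: { method, path, headers } with lower-cased header names (assumed shape).
function checkAdminMutation(req) {
  if (!req.path.startsWith("/admin/")) return "skip:not-admin";
  if (SAFE_METHODS.has(req.method.toUpperCase())) return "skip:safe-method";

  // Bearer-authed API clients do not rely on ambient cookies, so the
  // Origin check does not apply to them.
  const auth = req.headers["authorization"] || "";
  if (/^Bearer\s+\S+/i.test(auth)) return "skip:bearer";

  // Cookie-gated mutation: the Origin header must be present and must equal
  // the hub's own origin exactly (scheme, host and port). Exact string
  // comparison rejects "null", look-alike suffixes and sibling subdomains.
  const origin = req.headers["origin"];
  if (origin === undefined) return "deny:origin-missing";
  if (origin !== HUB_ORIGIN) return "deny:origin-mismatch";
  return "allow";
}

// Constructed sample requests; paths and cookie values are placeholders.
const cookie = { cookie: "session=PLACEHOLDER" };
const SAMPLES = {
  sameOrigin: { method: "POST", path: "/admin/example", headers: { ...cookie, origin: HUB_ORIGIN } },
  // Same-site sibling: SameSite=Lax still attaches the cookie here, which is
  // the gap the Origin check closes.
  sibling: { method: "POST", path: "/admin/example", headers: { ...cookie, origin: "https://other.example.test" } },
  lookAlike: { method: "POST", path: "/admin/example", headers: { ...cookie, origin: HUB_ORIGIN + ".attacker.example" } },
  opaque: { method: "POST", path: "/admin/example", headers: { ...cookie, origin: "null" } },
  noOrigin: { method: "DELETE", path: "/admin/example", headers: { ...cookie } },
  bearer: { method: "DELETE", path: "/admin/example", headers: { authorization: "Bearer PLACEHOLDER" } },
  read: { method: "GET", path: "/admin/example", headers: { ...cookie } },
};

// Evaluate every sample and return a name -> decision map.
function decideAll(samples = SAMPLES) {
  return Object.fromEntries(
    Object.entries(samples).map(([name, req]) => [name, checkAdminMutation(req)])
  );
}

console.log(decideAll());
```
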

Hardening (0.6.5-rc chain, promoted here)

  • OAuth open-redirect fix (#599/#570) · expose + DB self-heal (#597) · supervisor port-reclaim (#601) + canonical-port reconciliation (#633) · per-request force-change-password coverage extended to the new routes · PR-time CI + Node-20 migration.

Upgrade

bun add -g @openparachute/hub@latest
parachute restart hub

Upgrading vault to 0.6.0 alongside is recommended (new manifest clears the one-release URL-semantics shim). New-hub + old-vault works with deprecation log lines; old-hub + new-vault degrades only cosmetically (admin links).