flightcheck script, lifecycle docs, README/CLAUDE updates

Author: blackwood

.claude/CLAUDE.md

@@ -59,20 +59,24 @@ npm run test:static:notification
 # Single spec file
 npm run pretest && NODE_EXTRA_CA_CERTS=ssl.crt npx playwright test tests/static/autofill-forms.spec.ts
 
-# Public (live site) tests
+# Public (live site) tests — NEVER run these; they hit real external sites
 npm run test:public:debug
 
 # Accessibility tests
 npm run test:a11y:browser
 npm run test:a11y:web
 
 # Utilities
-npm run status                # check environment prerequisites
+npm run flightcheck           # check environment prerequisites
 npm run prettier:fix          # format all files
 npm run typecheck             # typecheck scripts/ and tests/
+npm run setup:install         # generate and write BW_INSTALLATION_ID / BW_INSTALLATION_KEY
+npm run setup:crypto          # generate and write crypto values to .env
+npm run setup:crypto:reset    # regenerate crypto values after VAULT_EMAIL/PASSWORD change
+npm run setup:flags           # sync feature flags from REMOTE_VAULT_CONFIG_MATCH into flags.json
 npm run setup:vault           # create account + seed vault
 npm run seed:vault:ciphers    # seed vault only (account must exist)
-npm run setup:crypto:reset    # regenerate crypto values after VAULT_EMAIL/PASSWORD change
+npm run seed:vault:import     # import a vault JSON file (requires VAULT_IMPORT_FILE)
 ```
 
 ## Debug Helpers
@@ -84,7 +88,7 @@ npm run setup:crypto:reset    # regenerate crypto values after VAULT_EMAIL/PASSW
 
 1. **No real credentials in test data**: All vault passwords are fake (e.g., `"fakeBasicFormPassword"`). Prefix test credential values with `fake`.
 2. **No secrets in source**: Crypto material, master password hashes, and API keys live only in `.env` (gitignored). Generated by `npm run setup:crypto` — never set manually.
-    - `VAULT_EMAIL` is used as a PBKDF2 salt — changing it invalidates `MASTER_PASSWORD_HASH` and requires `npm run setup:crypto:reset` + a fresh DB.
+    - `VAULT_EMAIL` is used as a PBKDF2 salt and as a seeding value for generating the install keys — changing it invalidates `MASTER_PASSWORD_HASH` and requires `npm run setup:crypto:reset` + a fresh DB.
 3. **Zero-knowledge invariant**: Account creation in `create-account.ts` sends a pre-hashed master password and encrypted key material — never the plaintext password — to the server API.
 4. **Downloads disabled**: The browser fixture sets `acceptDownloads: false`.
 

README.md

@@ -75,11 +75,10 @@ As a secondary concern, BIT aspires to track and anticipate feature compatibilit
 
 ## Returning Workflow
 
-Run `npm run status` to check which prerequisites are satisfied and get specific commands for anything that needs attention. Typically all that's needed is:
+Run `npm run flightcheck` to check which prerequisites are satisfied and get specific commands for anything that needs attention. Typically you only need to do the initial set up once; after that all that's needed is:
 
 ```bash
 docker compose up -d --wait   # start the vault server
-npm run start:test-site
 npm run test:static:debug
 ```
 
@@ -89,7 +88,7 @@ npm run test:static:debug
 
 > Important! Once you've generated installation and crypto values for your `.env` file, DO NOT CHANGE the seeding values (`VAULT_EMAIL`, `VAULT_PASSWORD`, `KDF_ITERATIONS`). Doing so requires regenerating your installation and crypto secret values and rebuilding/updating server.
 
-> If you do need to change `VAULT_EMAIL` or `VAULT_PASSWORD`, run `npm run setup:crypto:reset` to clear and regenerate the derived crypto values, then `docker compose down -v && docker compose up -d --wait` for a fresh database, then `npm run setup:vault`.
+> If you do need to change `VAULT_EMAIL` or `VAULT_PASSWORD`, run `npm run setup:crypto:reset` to clear and regenerate the derived crypto values, then `docker compose down -v && docker compose up -d --wait` for a fresh database, then `npm run setup:vault`. Note that changing `VAULT_EMAIL` may also require regenerating install keys (`npm run setup:install`) and rebuilding the vault, depending on what you're trying to do.
 
 - Run `npm run setup:install` to generate and add installation values to your dotfile
   - Alternatively, you can generate them at `https://bitwarden.com/host` and add them to your dotfile manually as `BW_INSTALLATION_ID` and `BW_INSTALLATION_KEY`
@@ -125,11 +124,13 @@ Using Docker Compose will set up all the services required by the extension for
 
 Create and start the containers and volumes with `docker compose up -d --build --remove-orphans`, and teardown with `docker compose down -v`
 
-> If the image pull fails with a network error (e.g. `unexpected EOF`), re-run `docker compose pull` and then retry. If it continues to fail, try increasing the timeout: `COMPOSE_HTTP_TIMEOUT=120 docker compose pull`.
+> If the image pull fails with a network error (e.g. `unexpected EOF`), re-run `docker compose pull` and then retry. If it continues to fail, try increasing the timeout: `COMPOSE_HTTP_TIMEOUT=120 docker compose pull`. A common underlying cause is endpoint protection or firewall rules blocking the pull.
 
-> If startup fails with `port is already allocated`, a previous container session is holding the port — often a prior BIT stack (e.g. after updating the image version). Run `npm run status` to identify which project owns the port and get the exact teardown command.
+> If startup fails with `port is already allocated`, a previous container session is holding the port — often a prior BIT stack (e.g. after updating the image version). Run `npm run flightcheck` to identify which project owns the port and get the exact teardown command.
 
-> Each compose project uses its own database volume. Switching to a different vault image version means a fresh database — re-run `npm run setup:vault` after bringing the new stack up. Old project volumes are not removed automatically; `npm run status` will list any orphaned BIT volumes and show the `docker volume rm` commands to clean them up.
+> Each compose project uses its own database volume. Switching to a different vault image version means a fresh database — re-run `npm run setup:vault` after bringing the new stack up. Old project volumes are not removed automatically. If `npm run flightcheck` detects a wrong-version or missing stack, it will list any BIT volumes from other projects and show the `docker volume rm` commands to clean them up.
+
+> If you have previously seeded a vault, you don't need to run setup again — just start it. This is especially relevant when switching between several environments (for example, different server images or feature flag configurations): each has its own volume, so bringing one back up restores its prior state as-is.
 
 ### Seeding Your Vault
 

package.json

@@ -43,7 +43,7 @@
     "seed:vault:ciphers": "./scripts/seeder.sh",
     "seed:vault:ciphers:refresh": "REFRESH=true ./scripts/seeder.sh",
     "seed:vault:import": "./scripts/vault-import.sh",
-    "status": "./scripts/status.sh",
+    "flightcheck": "./scripts/flightcheck.sh",
     "setup:all": "./scripts/first-time-setup.sh",
     "setup:extension": "rimraf clients && git clone https://github.com/bitwarden/clients.git clients && cd clients && npm ci",
     "setup:install": "ts-node ./scripts/generate-installation.ts",

scripts/status.sh scripts/flightcheck.shscripts/status.sh renamed to scripts/flightcheck.sh

@@ -38,7 +38,15 @@ else
   set -o allexport; source "$ROOT_DIR/.env"; set +o allexport
 
   missing=()
-  for var in VAULT_EMAIL VAULT_PASSWORD PAGES_HOST VAULT_HOST_URL VAULT_HOST_PORT; do
+  for var in \
+    VAULT_EMAIL VAULT_PASSWORD \
+    PAGES_HOST VAULT_HOST_URL VAULT_HOST_PORT \
+    CLI_SERVE_HOST CLI_SERVE_PORT \
+    EXTENSION_BUILD_PATH \
+    BW_DOMAIN \
+    BW_DB_PROVIDER BW_DB_SERVER BW_DB_DATABASE \
+    BW_DB_USERNAME BW_DB_PASSWORD BW_DB_PORT \
+    BW_ENABLE_SSL BW_SSL_CERT BW_SSL_KEY; do
     val=$(eval "echo \"\${${var}:-}\"")
     if [ -z "$val" ] || [[ "$val" == *"<"* ]]; then
       missing+=("$var")
@@ -53,6 +61,19 @@ else
   fi
 fi
 
+# ── Vault import file (optional) ──────────────────────────────────────────────
+if [ -n "${VAULT_IMPORT_FILE:-}" ]; then
+  if [ -f "$ROOT_DIR/$VAULT_IMPORT_FILE" ]; then
+    row "$OK" "Vault import file" "$VAULT_IMPORT_FILE"
+  else
+    row "$ERR" "Vault import file" "not found  ($VAULT_IMPORT_FILE)"
+    errors=$((errors + 1))
+  fi
+else
+  row "$WARN" "Vault import file" "not set  (optional)"
+  warnings=$((warnings + 1))
+fi
+
 # ── SSL certificates ──────────────────────────────────────────────────────────
 if [ -f "$ROOT_DIR/ssl.crt" ] && [ -f "$ROOT_DIR/ssl.key" ]; then
   row "$OK" "SSL certificates" "ssl.crt / ssl.key"
@@ -119,20 +140,34 @@ else
   if [ -n "$BW_ID" ]; then
     BW_HEALTH=$(docker inspect --format "{{.State.Health.Status}}" "$BW_ID" 2>/dev/null || true)
     ACTUAL_IMAGE=$(docker inspect --format "{{.Config.Image}}" "$BW_ID" 2>/dev/null || true)
+    BW_PROJECT=$(docker inspect --format \
+      "{{index .Config.Labels \"com.docker.compose.project\"}}" "$BW_ID" 2>/dev/null || true)
+    BW_NAME=$(docker inspect --format "{{.Name}}" "$BW_ID" 2>/dev/null | sed 's|^/||' || true)
+    BW_PORTS=$(docker ps --filter "id=$BW_ID" --format "{{.Ports}}" 2>/dev/null || true)
+    DB_IMAGE=$(docker ps \
+      --filter "label=com.docker.compose.project=${BW_PROJECT}" \
+      --filter "label=com.docker.compose.service=db" \
+      --format "{{.Image}}" 2>/dev/null | head -1 || true)
+
+    show_container_details() {
+      hint "name: ${BW_NAME}${DB_IMAGE:+  |  db: ${DB_IMAGE}}${BW_PORTS:+  |  ports: ${BW_PORTS}}"
+    }
 
     if [ "$BW_HEALTH" = "unhealthy" ]; then
       row "$ERR" "Docker" "bitwarden unhealthy  (${ACTUAL_IMAGE})"
+      show_container_details
       hint "docker compose logs bitwarden"
       errors=$((errors + 1))
     elif [ "$BW_HEALTH" = "starting" ]; then
       row "$WARN" "Docker" "bitwarden still starting up...  (${ACTUAL_IMAGE})"
+      show_container_details
       warnings=$((warnings + 1))
     elif [ "$ACTUAL_IMAGE" = "$EXPECTED_IMAGE" ]; then
       row "$OK" "Docker" "running  (${ACTUAL_IMAGE})"
+      show_container_details
     else
-      BW_PROJECT=$(docker inspect --format \
-        "{{index .Config.Labels \"com.docker.compose.project\"}}" "$BW_ID" 2>/dev/null || true)
       row "$WARN" "Docker" "running wrong version  (got: ${ACTUAL_IMAGE}, want: ${EXPECTED_IMAGE})"
+      show_container_details
       if [ -n "$BW_PROJECT" ]; then
         hint "docker compose -p ${BW_PROJECT} down && docker compose up -d --build --wait"
       else
@@ -208,24 +243,82 @@ if curl -sf $CACERT_OPT --max-time 3 "${VAULT_URL}/alive" > /dev/null 2>&1; then
     hint "npm run setup:vault"
     errors=$((errors + 1))
   fi
+
+  # Check feature flags
+  if [ -n "${REMOTE_VAULT_CONFIG_MATCH:-}" ]; then
+    row "$OK" "Feature flags" "synced from remote  (${REMOTE_VAULT_CONFIG_MATCH})"
+  else
+    CONFIG_JSON=$(curl -s $CACERT_OPT --max-time 5 "${VAULT_URL}/api/config" 2>/dev/null || true)
+    FLAG_COUNT=$(python3 -c "
+import json, sys
+try:
+    d = json.loads(sys.argv[1])
+    print(len(d.get('featureStates', {})))
+except:
+    print(-1)
+" "$CONFIG_JSON" 2>/dev/null || echo -1)
+
+    if [ "$FLAG_COUNT" -gt 0 ] 2>/dev/null; then
+      row "$OK" "Feature flags" "${FLAG_COUNT} flags loaded"
+    elif [ "$FLAG_COUNT" -eq 0 ] 2>/dev/null; then
+      row "$WARN" "Feature flags" "featureStates is empty — flags may not be configured"
+      hint "npm run setup:flags  # sync from a remote config source"
+      warnings=$((warnings + 1))
+    else
+      row "$WARN" "Feature flags" "could not read /api/config"
+      warnings=$((warnings + 1))
+    fi
+  fi
 else
   row "$WARN" "Vault" "not reachable  (${VAULT_URL})"
   warnings=$((warnings + 1))
 fi
 
 # ── Test site ─────────────────────────────────────────────────────────────────
+# Playwright's webServer starts/stops the test site automatically.
+# Probe that it's serveable: start in background, hit the endpoint, then stop.
 PAGES_URL="${PAGES_HOST:-https://127.0.0.1}${PAGES_HOST_PORT:+:${PAGES_HOST_PORT}}"
-PID_FILE="$ROOT_DIR/.test-site.pid"
 
-if curl -sf $CACERT_OPT --max-time 3 "${PAGES_URL}" > /dev/null 2>&1; then
-  row "$OK" "Test site" "running  (${PAGES_URL})"
-elif [ -f "$PID_FILE" ] && kill -0 "$(cat "$PID_FILE")" 2>/dev/null; then
-  row "$WARN" "Test site" "process alive but not yet responding"
-  warnings=$((warnings + 1))
+_probe_test_site() {
+  local pid log i ok=0
+  log=$(mktemp)
+
+  # If something is already serving on this port, the server is clearly up
+  if curl -sf $CACERT_OPT --max-time 2 "${PAGES_URL}" > /dev/null 2>&1; then
+    rm -f "$log"; return 0
+  fi
+
+  # exec replaces the subshell with node directly, so $pid == node PID
+  (
+    export SSL_CERT=${BW_SSL_CERT:-ssl.crt}
+    export SSL_KEY=${BW_SSL_KEY:-ssl.key}
+    export SERVE_PORT=$PAGES_HOST_PORT
+    export SERVE_INSECURE_PORT=$PAGES_HOST_INSECURE_PORT
+    cd "$ROOT_DIR/test-site/api"
+    exec node build/app.js
+  ) > "$log" 2>&1 &
+  pid=$!
+
+  for i in $(seq 1 15); do
+    sleep 0.5
+    if ! kill -0 "$pid" 2>/dev/null; then break; fi
+    if curl -sf $CACERT_OPT --max-time 2 "${PAGES_URL}" > /dev/null 2>&1; then
+      ok=1; break
+    fi
+  done
+
+  kill "$pid" 2>/dev/null; wait "$pid" 2>/dev/null
+  rm -f "$log"
+  return $((1 - ok))
+}
+
+if _probe_test_site; then
+  row "$OK" "Test site" "serveable  (${PAGES_URL})"
 else
-  row "$WARN" "Test site" "not running  (${PAGES_URL})"
-  hint "npm run start:test-site"
-  warnings=$((warnings + 1))
+  row "$ERR" "Test site" "failed to serve"
+  hint "cd test-site && npm run build:client  # rebuild if not yet built"
+  hint "cd test-site/api && npm run build     # rebuild API if needed"
+  errors=$((errors + 1))
 fi
 
 # ── Summary ───────────────────────────────────────────────────────────────────