@openparachute/hub 0.3.0-rc.1 → 0.5.0

package/src/__tests__/oauth-ui.test.ts

@@ -0,0 +1,253 @@
+import { describe, expect, test } from "bun:test";
+import {
+  type AuthorizeFormParams,
+  escapeHtml,
+  renderConsent,
+  renderError,
+  renderHiddenInputs,
+  renderLogin,
+} from "../oauth-ui.ts";
+
+const PARAMS: AuthorizeFormParams = {
+  clientId: "client-abc",
+  redirectUri: "https://app.example/cb",
+  responseType: "code",
+  scope: "vault:read vault:admin",
+  codeChallenge: "ch",
+  codeChallengeMethod: "S256",
+  state: "xyz",
+};
+
+const CSRF = "csrf-token-fixture";
+
+describe("escapeHtml", () => {
+  test("escapes the five HTML metacharacters", () => {
+    expect(escapeHtml(`<script>alert("x&y'z")</script>`)).toBe(
+      "&lt;script&gt;alert(&quot;x&amp;y&#39;z&quot;)&lt;/script&gt;",
+    );
+  });
+});
+
+describe("renderHiddenInputs", () => {
+  test("emits one hidden input per non-state field, plus state when present", () => {
+    const html = renderHiddenInputs(PARAMS);
+    expect(html).toContain('name="client_id" value="client-abc"');
+    expect(html).toContain('name="redirect_uri" value="https://app.example/cb"');
+    expect(html).toContain('name="response_type" value="code"');
+    expect(html).toContain('name="scope" value="vault:read vault:admin"');
+    expect(html).toContain('name="code_challenge" value="ch"');
+    expect(html).toContain('name="code_challenge_method" value="S256"');
+    expect(html).toContain('name="state" value="xyz"');
+  });
+
+  test("omits state input when state is null", () => {
+    const html = renderHiddenInputs({ ...PARAMS, state: null });
+    expect(html).not.toContain('name="state"');
+  });
+
+  test("escapes hostile values into hidden inputs", () => {
+    const html = renderHiddenInputs({ ...PARAMS, state: `"><script>alert(1)</script>` });
+    expect(html).not.toContain("<script>alert(1)</script>");
+    expect(html).toContain("&lt;script&gt;");
+  });
+});
+
+describe("renderLogin", () => {
+  test("contains form, hidden inputs, and a Sign in submit", () => {
+    const html = renderLogin({ params: PARAMS, csrfToken: CSRF });
+    expect(html).toContain('action="/oauth/authorize"');
+    expect(html).toContain('name="__action" value="login"');
+    expect(html).toContain('name="username"');
+    expect(html).toContain('name="password"');
+    expect(html).toContain("Sign in");
+    // Hidden state echoed
+    expect(html).toContain('name="state" value="xyz"');
+    // Brand styling present
+    expect(html).toContain("Parachute");
+  });
+
+  test("renders an error banner when errorMessage is set", () => {
+    const html = renderLogin({ params: PARAMS, csrfToken: CSRF, errorMessage: "bad pw" });
+    expect(html).toContain("error-banner");
+    expect(html).toContain("bad pw");
+  });
+
+  test("escapes the error message", () => {
+    const html = renderLogin({
+      params: PARAMS,
+      csrfToken: CSRF,
+      errorMessage: "<script>x</script>",
+    });
+    expect(html).not.toContain("<script>x</script>");
+    expect(html).toContain("&lt;script&gt;");
+  });
+});
+
+describe("renderConsent", () => {
+  test("shows client name, client_id, and a row per scope", () => {
+    const html = renderConsent({
+      params: PARAMS,
+      csrfToken: CSRF,
+      clientId: "client-abc",
+      clientName: "MyApp",
+      scopes: ["vault:read", "vault:admin"],
+    });
+    expect(html).toContain("Authorize");
+    expect(html).toContain("MyApp");
+    expect(html).toContain("client-abc");
+    expect(html).toContain("vault:read");
+    expect(html).toContain("vault:admin");
+    // Scope explanations from the registry
+    expect(html).toContain("Read your notes");
+    expect(html).toContain("Full vault access");
+  });
+
+  test("highlights admin scopes with a danger color and badge", () => {
+    const html = renderConsent({
+      params: PARAMS,
+      csrfToken: CSRF,
+      clientId: "c",
+      clientName: "App",
+      scopes: ["vault:admin"],
+    });
+    expect(html).toContain("scope-admin");
+    expect(html).toContain("badge-admin");
+  });
+
+  test("renders unknown scopes verbatim with a muted explanation", () => {
+    const html = renderConsent({
+      params: PARAMS,
+      csrfToken: CSRF,
+      clientId: "c",
+      clientName: "App",
+      scopes: ["mystery.module:do-thing"],
+    });
+    expect(html).toContain("scope-unknown");
+    expect(html).toContain("mystery.module:do-thing");
+    expect(html).toContain("no built-in description");
+  });
+
+  test("renders a placeholder when no scopes are requested", () => {
+    const html = renderConsent({
+      params: PARAMS,
+      csrfToken: CSRF,
+      clientId: "c",
+      clientName: "App",
+      scopes: [],
+    });
+    expect(html).toContain("scope-empty");
+    expect(html).toContain("No scopes requested");
+  });
+
+  test("includes Approve and Deny buttons posting __action=consent", () => {
+    const html = renderConsent({
+      params: PARAMS,
+      csrfToken: CSRF,
+      clientId: "c",
+      clientName: "App",
+      scopes: [],
+    });
+    expect(html).toContain('name="__action" value="consent"');
+    expect(html).toContain('name="approve" value="yes"');
+    expect(html).toContain('name="approve" value="no"');
+  });
+
+  test("escapes a hostile client name", () => {
+    const html = renderConsent({
+      params: PARAMS,
+      csrfToken: CSRF,
+      clientId: "c",
+      clientName: "<img src=x onerror=alert(1)>",
+      scopes: [],
+    });
+    expect(html).not.toContain("<img src=x");
+    expect(html).toContain("&lt;img");
+  });
+
+  test("renders a vault picker when vaultPicker is set", () => {
+    const html = renderConsent({
+      params: PARAMS,
+      csrfToken: CSRF,
+      clientId: "c",
+      clientName: "App",
+      scopes: ["vault:read"],
+      vaultPicker: { unnamedVerbs: ["read"], availableVaults: ["work", "personal"] },
+    });
+    expect(html).toContain("Pick a vault");
+    expect(html).toContain('name="vault_pick" value="work"');
+    expect(html).toContain('name="vault_pick" value="personal"');
+    // First option pre-checked so a single-vault host doesn't force a click.
+    expect(html).toMatch(/name="vault_pick" value="work" checked/);
+  });
+
+  test("escapes a hostile vault name in the picker", () => {
+    const html = renderConsent({
+      params: PARAMS,
+      csrfToken: CSRF,
+      clientId: "c",
+      clientName: "App",
+      scopes: ["vault:read"],
+      vaultPicker: {
+        unnamedVerbs: ["read"],
+        availableVaults: [`evil"><script>alert(1)</script>`],
+      },
+    });
+    expect(html).not.toContain("<script>alert(1)</script>");
+    expect(html).toContain("&quot;&gt;&lt;script&gt;");
+  });
+
+  test("disables the Approve button when no vaults exist", () => {
+    const html = renderConsent({
+      params: PARAMS,
+      csrfToken: CSRF,
+      clientId: "c",
+      clientName: "App",
+      scopes: ["vault:read"],
+      vaultPicker: { unnamedVerbs: ["read"], availableVaults: [] },
+    });
+    expect(html).toContain("no vaults exist");
+    expect(html).toContain('value="yes" class="btn btn-primary" disabled');
+  });
+});
+
+describe("renderError", () => {
+  test("renders a card with title and message", () => {
+    const html = renderError({ title: "Boom", message: "something blew up", status: 400 });
+    expect(html).toContain("Boom");
+    expect(html).toContain("something blew up");
+    expect(html).toContain('class="card"');
+    // Brand mark visible so the user knows where they are
+    expect(html).toContain("Parachute");
+  });
+
+  test("escapes hostile title + message", () => {
+    const html = renderError({
+      title: "<script>1</script>",
+      message: '"><img>',
+      status: 400,
+    });
+    expect(html).not.toContain("<script>1</script>");
+    expect(html).not.toContain('"><img>');
+    expect(html).toContain("&lt;script&gt;");
+  });
+});
+
+describe("CSS / styling guarantees", () => {
+  test("does not load fonts from a third-party CDN (privacy)", () => {
+    const html = renderLogin({ params: PARAMS, csrfToken: CSRF });
+    expect(html).not.toContain("fonts.googleapis.com");
+    expect(html).not.toContain("fonts.gstatic.com");
+  });
+
+  test("sets referrer policy to no-referrer", () => {
+    expect(renderLogin({ params: PARAMS, csrfToken: CSRF })).toContain(
+      'name="referrer" content="no-referrer"',
+    );
+  });
+
+  test("declares mobile-friendly viewport", () => {
+    expect(renderLogin({ params: PARAMS, csrfToken: CSRF })).toContain(
+      'name="viewport" content="width=device-width, initial-scale=1"',
+    );
+  });
+});

package/src/__tests__/operator-token.test.ts

@@ -0,0 +1,140 @@
+import { describe, expect, test } from "bun:test";
+import { mkdtempSync, rmSync, statSync } from "node:fs";
+import { readFile } from "node:fs/promises";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { hubDbPath, openHubDb } from "../hub-db.ts";
+import { validateAccessToken } from "../jwt-sign.ts";
+import {
+  OPERATOR_TOKEN_AUDIENCE,
+  OPERATOR_TOKEN_FILENAME,
+  OPERATOR_TOKEN_SCOPES,
+  OPERATOR_TOKEN_TTL_SECONDS,
+  issueOperatorToken,
+  mintOperatorToken,
+  operatorTokenPath,
+  readOperatorTokenFile,
+  writeOperatorTokenFile,
+} from "../operator-token.ts";
+import { rotateSigningKey } from "../signing-keys.ts";
+
+interface Harness {
+  dir: string;
+  cleanup: () => void;
+}
+
+function makeHarness(): Harness {
+  const dir = mkdtempSync(join(tmpdir(), "phub-operator-"));
+  return { dir, cleanup: () => rmSync(dir, { recursive: true, force: true }) };
+}
+
+const TEST_ISSUER = "http://127.0.0.1:1939";
+
+describe("mintOperatorToken", () => {
+  test("returns a JWT with operator audience, broad scopes, and ~1y TTL", async () => {
+    const h = makeHarness();
+    try {
+      const db = openHubDb(hubDbPath(h.dir));
+      try {
+        rotateSigningKey(db);
+        const minted = await mintOperatorToken(db, "user-abc", {
+          issuer: TEST_ISSUER,
+          now: () => new Date("2026-04-26T00:00:00Z"),
+        });
+        expect(minted.token.split(".")).toHaveLength(3);
+        const validated = await validateAccessToken(db, minted.token, TEST_ISSUER);
+        expect(validated.payload.sub).toBe("user-abc");
+        expect(validated.payload.aud).toBe(OPERATOR_TOKEN_AUDIENCE);
+        expect(validated.payload.iss).toBe(TEST_ISSUER);
+        expect(validated.payload.scope).toBe(OPERATOR_TOKEN_SCOPES.join(" "));
+        const exp = validated.payload.exp ?? 0;
+        const iat = validated.payload.iat ?? 0;
+        expect(exp - iat).toBe(OPERATOR_TOKEN_TTL_SECONDS);
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("scopes include hub:admin + parachute:host:admin + vault:admin + scribe:admin + channel:send", () => {
+    expect(OPERATOR_TOKEN_SCOPES).toEqual([
+      "hub:admin",
+      "parachute:host:admin",
+      "vault:admin",
+      "scribe:admin",
+      "channel:send",
+    ]);
+  });
+});
+
+describe("writeOperatorTokenFile + readOperatorTokenFile", () => {
+  test("writes mode 0600 and round-trips the plaintext", async () => {
+    const h = makeHarness();
+    try {
+      const path = await writeOperatorTokenFile("plaintext-abc", h.dir);
+      expect(path).toBe(join(h.dir, OPERATOR_TOKEN_FILENAME));
+      const stat = statSync(path);
+      // Mask off file-type bits; just compare permission bits.
+      expect(stat.mode & 0o777).toBe(0o600);
+      const round = await readOperatorTokenFile(h.dir);
+      expect(round).toBe("plaintext-abc");
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("readOperatorTokenFile returns null when missing", async () => {
+    const h = makeHarness();
+    try {
+      expect(await readOperatorTokenFile(h.dir)).toBeNull();
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("overwrite is atomic — second write replaces the first plaintext", async () => {
+    const h = makeHarness();
+    try {
+      await writeOperatorTokenFile("first", h.dir);
+      await writeOperatorTokenFile("second", h.dir);
+      const round = await readOperatorTokenFile(h.dir);
+      expect(round).toBe("second");
+      // No leftover .tmp
+      const tmp = `${operatorTokenPath(h.dir)}.tmp`;
+      await readFile(tmp).then(
+        () => expect.unreachable("tmp file should be renamed away"),
+        (err: NodeJS.ErrnoException) => expect(err.code).toBe("ENOENT"),
+      );
+    } finally {
+      h.cleanup();
+    }
+  });
+});
+
+describe("issueOperatorToken", () => {
+  test("mints + writes the token to disk in one call", async () => {
+    const h = makeHarness();
+    try {
+      const db = openHubDb(hubDbPath(h.dir));
+      try {
+        rotateSigningKey(db);
+        const issued = await issueOperatorToken(db, "user-xyz", {
+          dir: h.dir,
+          issuer: TEST_ISSUER,
+        });
+        expect(issued.path).toBe(join(h.dir, OPERATOR_TOKEN_FILENAME));
+        const fromDisk = await readOperatorTokenFile(h.dir);
+        expect(fromDisk).toBe(issued.token);
+        const validated = await validateAccessToken(db, issued.token, TEST_ISSUER);
+        expect(validated.payload.sub).toBe("user-xyz");
+        expect(validated.payload.iss).toBe(TEST_ISSUER);
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+});

package/src/__tests__/providers-detect.test.ts

@@ -0,0 +1,158 @@
+import { describe, expect, test } from "bun:test";
+import { mkdtempSync, rmSync, writeFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import {
+  type ProviderAvailability,
+  detectProviders,
+  isCloudflareReady,
+  isTailnetReady,
+} from "../providers/detect.ts";
+import type { CommandResult, Runner } from "../tailscale/run.ts";
+
+interface FixedRunnerOpts {
+  tailscaleInstalled?: boolean;
+  tailscaleLoggedIn?: boolean;
+  tailscaleFunnelCap?: boolean;
+  cloudflaredInstalled?: boolean;
+}
+
+function fixedRunner(opts: FixedRunnerOpts): { runner: Runner; calls: string[][] } {
+  const calls: string[][] = [];
+  const runner: Runner = async (cmd) => {
+    calls.push([...cmd]);
+    const head = cmd.slice(0, 2).join(" ");
+    if (head === "tailscale version") {
+      return opts.tailscaleInstalled
+        ? ({ code: 0, stdout: "1.82.0\n", stderr: "" } as CommandResult)
+        : ({ code: 127, stdout: "", stderr: "not found" } as CommandResult);
+    }
+    if (head === "tailscale status") {
+      const self: Record<string, unknown> = {};
+      if (opts.tailscaleLoggedIn) self.DNSName = "host.example.ts.net.";
+      if (opts.tailscaleFunnelCap) self.CapMap = { funnel: null };
+      return { code: 0, stdout: JSON.stringify({ Self: self }), stderr: "" } as CommandResult;
+    }
+    if (head === "cloudflared --version") {
+      return opts.cloudflaredInstalled
+        ? ({ code: 0, stdout: "cloudflared 2024.1.0\n", stderr: "" } as CommandResult)
+        : ({ code: 127, stdout: "", stderr: "not found" } as CommandResult);
+    }
+    throw new Error(`unexpected runner call: ${cmd.join(" ")}`);
+  };
+  return { runner, calls };
+}
+
+function makeCloudflaredHome(loggedIn: boolean): { home: string; cleanup: () => void } {
+  const home = mkdtempSync(join(tmpdir(), "providers-detect-cf-"));
+  if (loggedIn) writeFileSync(join(home, "cert.pem"), "---");
+  return { home, cleanup: () => rmSync(home, { recursive: true, force: true }) };
+}
+
+describe("detectProviders", () => {
+  test("everything available + logged in + funnel granted → both ready", async () => {
+    const env = makeCloudflaredHome(true);
+    try {
+      const { runner } = fixedRunner({
+        tailscaleInstalled: true,
+        tailscaleLoggedIn: true,
+        tailscaleFunnelCap: true,
+        cloudflaredInstalled: true,
+      });
+      const r = await detectProviders({ runner, cloudflaredHome: env.home });
+      expect(r).toEqual({
+        tailnet: { available: true, loggedIn: true, funnelEnabled: true },
+        cloudflare: { available: true, loggedIn: true },
+      });
+      expect(isTailnetReady(r)).toBe(true);
+      expect(isCloudflareReady(r)).toBe(true);
+    } finally {
+      env.cleanup();
+    }
+  });
+
+  test("tailscale installed but Funnel cap missing → not tailnet-ready", async () => {
+    const env = makeCloudflaredHome(false);
+    try {
+      const { runner } = fixedRunner({
+        tailscaleInstalled: true,
+        tailscaleLoggedIn: true,
+        tailscaleFunnelCap: false,
+      });
+      const r = await detectProviders({ runner, cloudflaredHome: env.home });
+      expect(r.tailnet).toEqual({ available: true, loggedIn: true, funnelEnabled: false });
+      expect(isTailnetReady(r)).toBe(false);
+    } finally {
+      env.cleanup();
+    }
+  });
+
+  test("cloudflared installed but no cert.pem → not cloudflare-ready", async () => {
+    const env = makeCloudflaredHome(false);
+    try {
+      const { runner } = fixedRunner({ cloudflaredInstalled: true });
+      const r = await detectProviders({ runner, cloudflaredHome: env.home });
+      expect(r.cloudflare).toEqual({ available: true, loggedIn: false });
+      expect(isCloudflareReady(r)).toBe(false);
+    } finally {
+      env.cleanup();
+    }
+  });
+
+  test("neither binary installed → no `tailscale status` probe is issued", async () => {
+    const env = makeCloudflaredHome(false);
+    try {
+      const { runner, calls } = fixedRunner({});
+      const r = await detectProviders({ runner, cloudflaredHome: env.home });
+      const ran = calls.map((c) => c.slice(0, 2).join(" "));
+      // `tailscale version` is the gate; if it fails, we skip status to avoid
+      // a guaranteed-to-fail call.
+      expect(ran).toContain("tailscale version");
+      expect(ran).not.toContain("tailscale status");
+      expect(r.tailnet.available).toBe(false);
+      expect(r.cloudflare.available).toBe(false);
+    } finally {
+      env.cleanup();
+    }
+  });
+});
+
+describe("readiness predicates", () => {
+  const base: ProviderAvailability = {
+    tailnet: { available: false, loggedIn: false, funnelEnabled: false },
+    cloudflare: { available: false, loggedIn: false },
+  };
+
+  test("isTailnetReady requires all three legs", () => {
+    expect(
+      isTailnetReady({
+        ...base,
+        tailnet: { available: true, loggedIn: true, funnelEnabled: true },
+      }),
+    ).toBe(true);
+    expect(
+      isTailnetReady({
+        ...base,
+        tailnet: { available: true, loggedIn: true, funnelEnabled: false },
+      }),
+    ).toBe(false);
+    expect(
+      isTailnetReady({
+        ...base,
+        tailnet: { available: true, loggedIn: false, funnelEnabled: true },
+      }),
+    ).toBe(false);
+  });
+
+  test("isCloudflareReady requires both legs", () => {
+    expect(isCloudflareReady({ ...base, cloudflare: { available: true, loggedIn: true } })).toBe(
+      true,
+    );
+    expect(isCloudflareReady({ ...base, cloudflare: { available: true, loggedIn: false } })).toBe(
+      false,
+    );
+    expect(isCloudflareReady({ ...base, cloudflare: { available: false, loggedIn: true } })).toBe(
+      false,
+    );
+  });
+});

package/src/__tests__/scope-explanations.test.ts

@@ -0,0 +1,108 @@
+import { describe, expect, test } from "bun:test";
+import {
+  FIRST_PARTY_SCOPES,
+  NON_REQUESTABLE_SCOPES,
+  SCOPE_EXPLANATIONS,
+  explainScope,
+  isRequestableScope,
+  scopeIsAdmin,
+} from "../scope-explanations.ts";
+
+describe("SCOPE_EXPLANATIONS", () => {
+  test("covers every canonical first-party scope from oauth-scopes.md", () => {
+    // Source of truth: parachute-patterns/patterns/oauth-scopes.md.
+    const expected = [
+      "vault:read",
+      "vault:write",
+      "vault:admin",
+      "scribe:transcribe",
+      "scribe:admin",
+      "channel:send",
+      "hub:admin",
+      "parachute:host:admin",
+    ];
+    for (const s of expected) {
+      expect(SCOPE_EXPLANATIONS[s]).toBeDefined();
+      expect(SCOPE_EXPLANATIONS[s]?.label.length).toBeGreaterThan(10);
+    }
+  });
+
+  test("FIRST_PARTY_SCOPES is sorted and matches the keys of SCOPE_EXPLANATIONS", () => {
+    expect(FIRST_PARTY_SCOPES).toEqual([...FIRST_PARTY_SCOPES].sort());
+    expect(new Set(FIRST_PARTY_SCOPES)).toEqual(new Set(Object.keys(SCOPE_EXPLANATIONS)));
+  });
+});
+
+describe("explainScope", () => {
+  test("returns the entry for a known scope", () => {
+    expect(explainScope("vault:read")?.level).toBe("read");
+  });
+
+  test("returns null for an unknown scope", () => {
+    expect(explainScope("notes:weird-thing")).toBeNull();
+  });
+});
+
+describe("scopeIsAdmin", () => {
+  test("true for admin scopes", () => {
+    expect(scopeIsAdmin("vault:admin")).toBe(true);
+    expect(scopeIsAdmin("hub:admin")).toBe(true);
+    expect(scopeIsAdmin("parachute:host:admin")).toBe(true);
+  });
+
+  test("false for non-admin and unknown scopes", () => {
+    expect(scopeIsAdmin("vault:read")).toBe(false);
+    expect(scopeIsAdmin("channel:send")).toBe(false);
+    expect(scopeIsAdmin("unknown:anything")).toBe(false);
+  });
+});
+
+describe("NON_REQUESTABLE_SCOPES (#96)", () => {
+  test("contains parachute:host:admin", () => {
+    expect(NON_REQUESTABLE_SCOPES.has("parachute:host:admin")).toBe(true);
+  });
+
+  test("does NOT contain hub:admin (intentional asymmetry)", () => {
+    // hub:admin is service management an operator may legitimately delegate
+    // to a tooling app. parachute:host:admin is cross-vault data sovereignty
+    // and stays operator-only-mintable.
+    expect(NON_REQUESTABLE_SCOPES.has("hub:admin")).toBe(false);
+  });
+
+  test("every non-requestable scope is a known first-party scope", () => {
+    for (const s of NON_REQUESTABLE_SCOPES) {
+      expect(FIRST_PARTY_SCOPES).toContain(s);
+    }
+  });
+});
+
+describe("isRequestableScope", () => {
+  test("false for parachute:host:admin", () => {
+    expect(isRequestableScope("parachute:host:admin")).toBe(false);
+  });
+
+  test("true for hub:admin and other first-party scopes", () => {
+    expect(isRequestableScope("hub:admin")).toBe(true);
+    expect(isRequestableScope("vault:read")).toBe(true);
+    expect(isRequestableScope("vault:admin")).toBe(true);
+    expect(isRequestableScope("channel:send")).toBe(true);
+  });
+
+  test("true for unknown scopes (third-party module scopes pass through)", () => {
+    expect(isRequestableScope("notes:something-new")).toBe(true);
+  });
+
+  // Per-vault admin scopes are pattern-matched as non-requestable so the
+  // public OAuth flow can never mint vault:<name>:admin — only the local
+  // session-cookie endpoint at /admin/vault-admin-token/<name> can.
+  test("false for any vault:<name>:admin scope", () => {
+    expect(isRequestableScope("vault:default:admin")).toBe(false);
+    expect(isRequestableScope("vault:work:admin")).toBe(false);
+    expect(isRequestableScope("vault:my-techne_2:admin")).toBe(false);
+  });
+
+  test("vault:<name>:read|write stays requestable (only :admin is locked down)", () => {
+    expect(isRequestableScope("vault:default:read")).toBe(true);
+    expect(isRequestableScope("vault:work:write")).toBe(true);
+  });
+});