@openparachute/hub 0.3.0-rc.1 → 0.5.1

package/src/__tests__/expose.test.ts

@@ -143,6 +143,10 @@ describe("expose tailnet up", () => {
       expect(calls.every((c) => c[1] !== "funnel")).toBe(true);
 
       const mounts = serveCalls.map((c) => c.find((a) => a.startsWith("--set-path="))).sort();
+      // Vault paths consolidate to a single `/vault/` mount → hub (#144);
+      // the hub then picks the specific vault instance per request from
+      // services.json. Notes (and other non-vault services) keep their
+      // direct mount.
       expect(mounts).toEqual([
         "--set-path=/",
         "--set-path=/.well-known/oauth-authorization-server",
@@ -151,7 +155,7 @@ describe("expose tailnet up", () => {
         "--set-path=/oauth/authorize",
         "--set-path=/oauth/register",
         "--set-path=/oauth/token",
-        "--set-path=/vault/default",
+        "--set-path=/vault/",
       ]);
 
       // Hub + well-known now point at localhost HTTP, not a file path.
@@ -165,12 +169,14 @@ describe("expose tailnet up", () => {
         /^http:\/\/127\.0\.0\.1:\d+\/\.well-known\/parachute\.json$/,
       );
 
-      // Service targets also include their mount path to prevent tailscale
-      // from stripping the prefix before forwarding to a base-aware backend.
+      // Non-vault service targets include the mount path so tailscale's
+      // strip-then-forward is a no-op against base-aware backends.
       const notesCall = serveCalls.find((c) => c.includes("--set-path=/notes"));
       expect(notesCall?.[notesCall.length - 1]).toBe("http://127.0.0.1:5173/notes");
-      const vaultCall = serveCalls.find((c) => c.includes("--set-path=/vault/default"));
-      expect(vaultCall?.[vaultCall.length - 1]).toBe("http://127.0.0.1:1940/vault/default");
+      // Vault mount targets the hub's loopback port (the hub re-proxies to
+      // the right vault backend on each request) — port is dynamic per test.
+      const vaultCall = serveCalls.find((c) => c.includes("--set-path=/vault/"));
+      expect(vaultCall?.[vaultCall.length - 1]).toMatch(/^http:\/\/127\.0\.0\.1:\d+\/vault\/$/);
 
       expect(existsSync(h.wellKnownPath)).toBe(true);
       expect(existsSync(h.hubPath)).toBe(true);
@@ -288,7 +294,10 @@ describe("expose tailnet up", () => {
         (c) => c[0] === "tailscale" && c[1] === "serve" && c.includes("--bg"),
       );
       const mounts = serveCalls.map((c) => c.find((a) => a.startsWith("--set-path="))).sort();
-      expect(mounts).toContain("--set-path=/vault");
+      // Even with the legacy `/` remap, the vault rolls into the consolidated
+      // `/vault/` mount → hub. The remap warning still fires; the mount shape
+      // just doesn't reflect the original `/<shortname>` since #144.
+      expect(mounts).toContain("--set-path=/vault/");
       expect(mounts).toContain("--set-path=/");
       expect(mounts.filter((m) => m === "--set-path=/")).toHaveLength(1);
 
@@ -475,7 +484,7 @@ describe("expose tailnet up", () => {
     }
   });
 
-  test("emits 4 OAuth proxies targeting vault when vault is installed", async () => {
+  test("emits 4 OAuth proxies targeting the hub origin (hub IS the IdP)", async () => {
     const h = makeHarness();
     try {
       seedServices(h.manifestPath);
@@ -508,17 +517,15 @@ describe("expose tailnet up", () => {
           oauthTargets.set(mount, c[c.length - 1] ?? "");
         }
       }
-      expect(oauthTargets.get("/.well-known/oauth-authorization-server")).toBe(
-        "http://127.0.0.1:1940/vault/default/.well-known/oauth-authorization-server",
+      expect(oauthTargets.get("/.well-known/oauth-authorization-server")).toMatch(
+        /^http:\/\/127\.0\.0\.1:\d+\/\.well-known\/oauth-authorization-server$/,
       );
-      expect(oauthTargets.get("/oauth/authorize")).toBe(
-        "http://127.0.0.1:1940/vault/default/oauth/authorize",
+      expect(oauthTargets.get("/oauth/authorize")).toMatch(
+        /^http:\/\/127\.0\.0\.1:\d+\/oauth\/authorize$/,
       );
-      expect(oauthTargets.get("/oauth/token")).toBe(
-        "http://127.0.0.1:1940/vault/default/oauth/token",
-      );
-      expect(oauthTargets.get("/oauth/register")).toBe(
-        "http://127.0.0.1:1940/vault/default/oauth/register",
+      expect(oauthTargets.get("/oauth/token")).toMatch(/^http:\/\/127\.0\.0\.1:\d+\/oauth\/token$/);
+      expect(oauthTargets.get("/oauth/register")).toMatch(
+        /^http:\/\/127\.0\.0\.1:\d+\/oauth\/register$/,
       );
 
       const state = readExposeState(h.statePath);
@@ -528,7 +535,7 @@ describe("expose tailnet up", () => {
     }
   });
 
-  test("skips OAuth proxies when no vault is installed", async () => {
+  test("emits OAuth proxies even when no vault is installed (hub IS the IdP)", async () => {
     const h = makeHarness();
     try {
       upsertService(
@@ -560,10 +567,15 @@ describe("expose tailnet up", () => {
       const serveCalls = calls.filter(
         (c) => c[0] === "tailscale" && c[1] === "serve" && c.includes("--bg"),
       );
-      // No vault → no OAuth proxies. Hub + well-known + notes = 3.
-      expect(serveCalls).toHaveLength(3);
-      const mounts = serveCalls.map((c) => c.find((a) => a.startsWith("--set-path=")));
-      expect(mounts.every((m) => m !== undefined && !m.includes("/oauth/"))).toBe(true);
+      // Hub + well-known + notes + 4 OAuth proxies = 7. The hub serves OAuth
+      // regardless of which services are installed.
+      expect(serveCalls).toHaveLength(7);
+      const oauthMounts = serveCalls
+        .map((c) => c.find((a) => a.startsWith("--set-path=")))
+        .filter(
+          (m): m is string => !!m && (m.includes("/oauth/") || m.endsWith("authorization-server")),
+        );
+      expect(oauthMounts).toHaveLength(4);
     } finally {
       h.cleanup();
     }
@@ -1063,8 +1075,10 @@ describe("expose publicExposure filter", () => {
         (c) => c[0] === "tailscale" && c[1] === "serve" && c.includes("--bg"),
       );
       const mounts = serveCalls.map((c) => c.find((a) => a.startsWith("--set-path=")));
-      // Vault + its 4 OAuth proxies + hub + well-known — but no /scribe.
-      expect(mounts).toContain("--set-path=/vault/default");
+      // Vault rolls into the consolidated `/vault/` mount → hub (#144);
+      // its 4 OAuth proxies, hub, and well-known are still individually
+      // mounted. /scribe is loopback-only and absent.
+      expect(mounts).toContain("--set-path=/vault/");
       expect(mounts).not.toContain("--set-path=/scribe");
 
       // Operator-visible notice explaining the withhold.
@@ -1207,7 +1221,8 @@ describe("expose publicExposure filter", () => {
       const mounts = calls
         .filter((c) => c[0] === "tailscale" && c[1] === "serve" && c.includes("--bg"))
         .map((c) => c.find((a) => a.startsWith("--set-path=")));
-      expect(mounts).toContain("--set-path=/vault/default");
+      // Vault → consolidated `/vault/` mount (#144).
+      expect(mounts).toContain("--set-path=/vault/");
     } finally {
       h.cleanup();
     }
@@ -1579,3 +1594,180 @@ describe("expose teardown tolerance for already-gone entries", () => {
     }
   });
 });
+
+describe("expose vault mount consolidation (#144)", () => {
+  // Pre-#144: tailscale plan emitted one mount per vault path. New vault →
+  // had to re-run `parachute expose` to get a tailnet route. Post-#144: a
+  // single `/vault/` → hub mount, hub does the per-request lookup.
+
+  test("single vault, single path → exactly one /vault/ mount, no per-instance entry", async () => {
+    const h = makeHarness();
+    try {
+      upsertService(
+        {
+          name: "parachute-vault",
+          port: 1940,
+          paths: ["/vault/default"],
+          health: "/vault/default/health",
+          version: "0.4.0",
+        },
+        h.manifestPath,
+      );
+      const { runner, calls } = makeRunner();
+      const { spawner } = makeHubSpawner(1111);
+      const code = await exposeTailnet("up", {
+        runner,
+        manifestPath: h.manifestPath,
+        statePath: h.statePath,
+        wellKnownPath: h.wellKnownPath,
+        hubPath: h.hubPath,
+        wellKnownDir: h.wellKnownDir,
+        configDir: h.configDir,
+        hubEnsureOpts: hubEnsureOpts(spawner),
+        servicePortProbe: allServicesUp,
+        log: () => {},
+      });
+      expect(code).toBe(0);
+      const mounts = calls
+        .filter((c) => c[0] === "tailscale" && c[1] === "serve" && c.includes("--bg"))
+        .map((c) => c.find((a) => a.startsWith("--set-path=")));
+      expect(mounts).toContain("--set-path=/vault/");
+      expect(mounts).not.toContain("--set-path=/vault/default");
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("multi-path single ServiceEntry still emits exactly one /vault/ mount", async () => {
+    // The current vault manifest shape: one ServiceEntry whose `paths` lists
+    // every instance. The plan must collapse them all to the hub-routed
+    // `/vault/` instead of one mount per instance.
+    const h = makeHarness();
+    try {
+      upsertService(
+        {
+          name: "parachute-vault",
+          port: 1940,
+          paths: ["/vault/default", "/vault/techne"],
+          health: "/vault/default/health",
+          version: "0.4.0",
+        },
+        h.manifestPath,
+      );
+      const { runner, calls } = makeRunner();
+      const { spawner } = makeHubSpawner(1111);
+      const code = await exposeTailnet("up", {
+        runner,
+        manifestPath: h.manifestPath,
+        statePath: h.statePath,
+        wellKnownPath: h.wellKnownPath,
+        hubPath: h.hubPath,
+        wellKnownDir: h.wellKnownDir,
+        configDir: h.configDir,
+        hubEnsureOpts: hubEnsureOpts(spawner),
+        servicePortProbe: allServicesUp,
+        log: () => {},
+      });
+      expect(code).toBe(0);
+      const mounts = calls
+        .filter((c) => c[0] === "tailscale" && c[1] === "serve" && c.includes("--bg"))
+        .map((c) => c.find((a) => a.startsWith("--set-path=")));
+      const vaultMounts = mounts.filter((m) => m?.startsWith("--set-path=/vault"));
+      expect(vaultMounts).toEqual(["--set-path=/vault/"]);
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("multiple separate vault ServiceEntries still emit exactly one /vault/ mount", async () => {
+    // Pathological but representable: someone might install a second
+    // parachute-vault-archive backend alongside the bare parachute-vault.
+    // Both fold into the single `/vault/` mount; hub disambiguates per
+    // request.
+    const h = makeHarness();
+    try {
+      upsertService(
+        {
+          name: "parachute-vault",
+          port: 1940,
+          paths: ["/vault/default"],
+          health: "/vault/default/health",
+          version: "0.4.0",
+        },
+        h.manifestPath,
+      );
+      upsertService(
+        {
+          name: "parachute-vault-archive",
+          port: 1941,
+          paths: ["/vault/archive"],
+          health: "/vault/archive/health",
+          version: "0.4.0",
+        },
+        h.manifestPath,
+      );
+      const { runner, calls } = makeRunner();
+      const { spawner } = makeHubSpawner(1111);
+      const code = await exposeTailnet("up", {
+        runner,
+        manifestPath: h.manifestPath,
+        statePath: h.statePath,
+        wellKnownPath: h.wellKnownPath,
+        hubPath: h.hubPath,
+        wellKnownDir: h.wellKnownDir,
+        configDir: h.configDir,
+        hubEnsureOpts: hubEnsureOpts(spawner),
+        servicePortProbe: allServicesUp,
+        log: () => {},
+      });
+      expect(code).toBe(0);
+      const mounts = calls
+        .filter((c) => c[0] === "tailscale" && c[1] === "serve" && c.includes("--bg"))
+        .map((c) => c.find((a) => a.startsWith("--set-path=")));
+      const vaultMounts = mounts.filter((m) => m?.startsWith("--set-path=/vault"));
+      expect(vaultMounts).toEqual(["--set-path=/vault/"]);
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("no vault installed → no /vault/ mount in the plan", async () => {
+    const h = makeHarness();
+    try {
+      upsertService(
+        {
+          name: "parachute-notes",
+          port: 5173,
+          paths: ["/notes"],
+          health: "/notes/health",
+          version: "0.0.1",
+        },
+        h.manifestPath,
+      );
+      const { runner, calls } = makeRunner();
+      const { spawner } = makeHubSpawner(1111);
+      const code = await exposeTailnet("up", {
+        runner,
+        manifestPath: h.manifestPath,
+        statePath: h.statePath,
+        wellKnownPath: h.wellKnownPath,
+        hubPath: h.hubPath,
+        wellKnownDir: h.wellKnownDir,
+        configDir: h.configDir,
+        hubEnsureOpts: hubEnsureOpts(spawner),
+        servicePortProbe: allServicesUp,
+        log: () => {},
+      });
+      expect(code).toBe(0);
+      const mounts = calls
+        .filter((c) => c[0] === "tailscale" && c[1] === "serve" && c.includes("--bg"))
+        .map((c) => c.find((a) => a.startsWith("--set-path=")));
+      expect(mounts).not.toContain("--set-path=/vault/");
+      // /notes is still individually mounted — non-vault services keep
+      // their direct route.
+      expect(mounts).toContain("--set-path=/notes");
+    } finally {
+      h.cleanup();
+    }
+  });
+});

package/src/__tests__/grants.test.ts

@@ -0,0 +1,164 @@
+import { describe, expect, test } from "bun:test";
+import { mkdtempSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { registerClient } from "../clients.ts";
+import {
+  findGrant,
+  isCoveredByGrant,
+  listGrantsForUser,
+  recordGrant,
+  revokeGrant,
+} from "../grants.ts";
+import { hubDbPath, openHubDb } from "../hub-db.ts";
+import { createUser } from "../users.ts";
+
+async function harness() {
+  const dir = mkdtempSync(join(tmpdir(), "phub-grants-"));
+  const db = openHubDb(hubDbPath(dir));
+  const user = await createUser(db, "owner", "pw");
+  const reg = registerClient(db, { redirectUris: ["https://app.example/cb"] });
+  return {
+    db,
+    userId: user.id,
+    clientId: reg.client.clientId,
+    cleanup: () => {
+      db.close();
+      rmSync(dir, { recursive: true, force: true });
+    },
+  };
+}
+
+describe("grants module (#75)", () => {
+  test("findGrant returns null when no row exists", async () => {
+    const h = await harness();
+    try {
+      expect(findGrant(h.db, h.userId, h.clientId)).toBeNull();
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("recordGrant inserts a row with sorted scopes", async () => {
+    const h = await harness();
+    try {
+      const grant = recordGrant(h.db, h.userId, h.clientId, ["b", "a", "c"]);
+      // Sorted to keep on-disk order deterministic; test pins the contract.
+      expect(grant.scopes).toEqual(["a", "b", "c"]);
+      const fromDb = findGrant(h.db, h.userId, h.clientId);
+      expect(fromDb?.scopes).toEqual(["a", "b", "c"]);
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("recordGrant unions new scopes into existing grant", async () => {
+    const h = await harness();
+    try {
+      recordGrant(h.db, h.userId, h.clientId, ["a", "b", "c"]);
+      recordGrant(h.db, h.userId, h.clientId, ["a", "d"]);
+      const grant = findGrant(h.db, h.userId, h.clientId);
+      expect(new Set(grant?.scopes)).toEqual(new Set(["a", "b", "c", "d"]));
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("recordGrant skips empty strings inside the scope list", async () => {
+    const h = await harness();
+    try {
+      recordGrant(h.db, h.userId, h.clientId, ["", "a", ""]);
+      const grant = findGrant(h.db, h.userId, h.clientId);
+      expect(grant?.scopes).toEqual(["a"]);
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("isCoveredByGrant: false when no grant exists", async () => {
+    const h = await harness();
+    try {
+      expect(isCoveredByGrant(h.db, h.userId, h.clientId, ["a"])).toBe(false);
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("isCoveredByGrant: true for exact match and subset, false for superset", async () => {
+    const h = await harness();
+    try {
+      recordGrant(h.db, h.userId, h.clientId, ["a", "b", "c"]);
+      expect(isCoveredByGrant(h.db, h.userId, h.clientId, ["a", "b", "c"])).toBe(true);
+      expect(isCoveredByGrant(h.db, h.userId, h.clientId, ["a"])).toBe(true);
+      expect(isCoveredByGrant(h.db, h.userId, h.clientId, ["a", "b"])).toBe(true);
+      expect(isCoveredByGrant(h.db, h.userId, h.clientId, ["a", "d"])).toBe(false);
+      expect(isCoveredByGrant(h.db, h.userId, h.clientId, ["d"])).toBe(false);
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("isCoveredByGrant: empty request returns false (no auto-approve for empty)", async () => {
+    const h = await harness();
+    try {
+      recordGrant(h.db, h.userId, h.clientId, ["a"]);
+      // Empty scope flow is suspicious — surface it through consent rather
+      // than silently auto-approving.
+      expect(isCoveredByGrant(h.db, h.userId, h.clientId, [])).toBe(false);
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("revokeGrant returns true when a row was removed, false when none existed", async () => {
+    const h = await harness();
+    try {
+      expect(revokeGrant(h.db, h.userId, h.clientId)).toBe(false);
+      recordGrant(h.db, h.userId, h.clientId, ["a"]);
+      expect(revokeGrant(h.db, h.userId, h.clientId)).toBe(true);
+      expect(findGrant(h.db, h.userId, h.clientId)).toBeNull();
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("recordGrant: concurrent calls produce one row with the union of scopes (#119)", async () => {
+    const h = await harness();
+    try {
+      // Fire two recordGrant calls "concurrently" via Promise.all. The
+      // transaction wrapper means the read-merge-write is atomic, so the
+      // second writer always sees the first writer's scopes — neither set
+      // gets dropped.
+      await Promise.all([
+        Promise.resolve().then(() => recordGrant(h.db, h.userId, h.clientId, ["a", "b"])),
+        Promise.resolve().then(() => recordGrant(h.db, h.userId, h.clientId, ["c", "d"])),
+      ]);
+      const rowCount = (
+        h.db
+          .prepare("SELECT COUNT(*) AS n FROM grants WHERE user_id = ? AND client_id = ?")
+          .get(h.userId, h.clientId) as { n: number }
+      ).n;
+      expect(rowCount).toBe(1);
+      const grant = findGrant(h.db, h.userId, h.clientId);
+      expect(new Set(grant?.scopes)).toEqual(new Set(["a", "b", "c", "d"]));
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("listGrantsForUser orders most-recent first", async () => {
+    const h = await harness();
+    try {
+      const reg2 = registerClient(h.db, { redirectUris: ["https://other.example/cb"] });
+      // Older grant first.
+      recordGrant(h.db, h.userId, h.clientId, ["a"], new Date("2026-04-01T00:00:00Z"));
+      recordGrant(h.db, h.userId, reg2.client.clientId, ["b"], new Date("2026-04-15T00:00:00Z"));
+      const grants = listGrantsForUser(h.db, h.userId);
+      expect(grants).toHaveLength(2);
+      expect(grants[0]?.clientId).toBe(reg2.client.clientId);
+      expect(grants[1]?.clientId).toBe(h.clientId);
+    } finally {
+      h.cleanup();
+    }
+  });
+});

package/src/__tests__/hub-db.test.ts

@@ -0,0 +1,153 @@
+import { describe, expect, test } from "bun:test";
+import { mkdtempSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { hubDbPath, openHubDb } from "../hub-db.ts";
+
+interface Harness {
+  configDir: string;
+  dbPath: string;
+  cleanup: () => void;
+}
+
+function makeHarness(): Harness {
+  const configDir = mkdtempSync(join(tmpdir(), "phub-db-"));
+  return {
+    configDir,
+    dbPath: hubDbPath(configDir),
+    cleanup: () => rmSync(configDir, { recursive: true, force: true }),
+  };
+}
+
+describe("openHubDb + migrate", () => {
+  test("creates schema_version + signing_keys on a fresh db", () => {
+    const h = makeHarness();
+    try {
+      const db = openHubDb(h.dbPath);
+      try {
+        const tables = (
+          db
+            .query<{ name: string }, []>(
+              "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name",
+            )
+            .all() ?? []
+        ).map((r) => r.name);
+        expect(tables).toContain("schema_version");
+        expect(tables).toContain("signing_keys");
+        const versions = (
+          db.query<{ version: number }, []>("SELECT version FROM schema_version").all() ?? []
+        ).map((r) => r.version);
+        expect(versions).toContain(1);
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("re-opening an already-migrated db is a no-op (no duplicate version rows)", () => {
+    const h = makeHarness();
+    try {
+      const db1 = openHubDb(h.dbPath);
+      db1.close();
+      const db2 = openHubDb(h.dbPath);
+      try {
+        const rows = db2
+          .query<{ version: number; applied_at: string }, []>(
+            "SELECT version, applied_at FROM schema_version",
+          )
+          .all();
+        // Each migration recorded exactly once — re-open is idempotent.
+        const versions = rows.map((r) => r.version).sort();
+        expect(new Set(versions).size).toBe(versions.length);
+        expect(versions).toContain(1);
+        expect(versions).toContain(2);
+      } finally {
+        db2.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("signing_keys schema enforces required columns", () => {
+    const h = makeHarness();
+    try {
+      const db = openHubDb(h.dbPath);
+      try {
+        // Missing private_key_pem must fail (NOT NULL).
+        expect(() =>
+          db
+            .prepare(
+              "INSERT INTO signing_keys (kid, public_key_pem, algorithm, created_at) VALUES (?, ?, ?, ?)",
+            )
+            .run("k1", "pem", "RS256", new Date().toISOString()),
+        ).toThrow();
+        // Full row works; retired_at is nullable.
+        db.prepare(
+          `INSERT INTO signing_keys (kid, public_key_pem, private_key_pem, algorithm, created_at)
+           VALUES (?, ?, ?, ?, ?)`,
+        ).run("k2", "pub", "priv", "RS256", new Date().toISOString());
+        const row = db
+          .query<{ retired_at: string | null }, [string]>(
+            "SELECT retired_at FROM signing_keys WHERE kid = ?",
+          )
+          .get("k2");
+        expect(row?.retired_at).toBeNull();
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("v2 creates users + tokens tables with the expected columns", () => {
+    const h = makeHarness();
+    try {
+      const db = openHubDb(h.dbPath);
+      try {
+        const tables = (
+          db
+            .query<{ name: string }, []>(
+              "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name",
+            )
+            .all() ?? []
+        ).map((r) => r.name);
+        expect(tables).toContain("users");
+        expect(tables).toContain("tokens");
+        const versions = (
+          db.query<{ version: number }, []>("SELECT version FROM schema_version").all() ?? []
+        ).map((r) => r.version);
+        expect(versions).toContain(2);
+
+        // users.username UNIQUE constraint enforced.
+        db.prepare(
+          "INSERT INTO users (id, username, password_hash, created_at, updated_at) VALUES (?, ?, ?, ?, ?)",
+        ).run("u1", "owner", "h", "2026-01-01", "2026-01-01");
+        expect(() =>
+          db
+            .prepare(
+              "INSERT INTO users (id, username, password_hash, created_at, updated_at) VALUES (?, ?, ?, ?, ?)",
+            )
+            .run("u2", "owner", "h2", "2026-01-01", "2026-01-01"),
+        ).toThrow();
+
+        // tokens.user_id FK enforced.
+        expect(() =>
+          db
+            .prepare(
+              `INSERT INTO tokens (jti, user_id, client_id, scopes, expires_at, created_at)
+               VALUES (?, ?, ?, ?, ?, ?)`,
+            )
+            .run("t1", "no-such-user", "c", "s", "2030-01-01", "2026-01-01"),
+        ).toThrow();
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+});