@openparachute/hub 0.5.10 → 0.5.12-rc.2

package/src/__tests__/hub-origin-resolution.test.ts

@@ -0,0 +1,154 @@
+/**
+ * Tests for the issuer precedence chain introduced in hub#298:
+ *
+ *   hub_settings.hub_origin  →  configuredIssuer (env/flag)  →  request origin
+ *
+ * Both `resolveIssuer` (the canonical resolver) and `resolveIssuerSource`
+ * (the SPA-facing attribution helper) are exercised together so a future
+ * precedence drift can't surface in one without the other.
+ */
+import { afterEach, beforeEach, describe, expect, test } from "bun:test";
+import { mkdtempSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { hubDbPath, openHubDb } from "../hub-db.ts";
+import { resolveIssuer, resolveIssuerSource } from "../hub-server.ts";
+import { setHubOrigin } from "../hub-settings.ts";
+
+let dir: string;
+let db: ReturnType<typeof openHubDb>;
+
+beforeEach(() => {
+  dir = mkdtempSync(join(tmpdir(), "hub-issuer-resolve-"));
+  db = openHubDb(hubDbPath(dir));
+});
+afterEach(() => {
+  db.close();
+  rmSync(dir, { recursive: true, force: true });
+});
+
+function req(url: string): Request {
+  return new Request(url, { method: "GET" });
+}
+
+describe("resolveIssuer — precedence chain", () => {
+  test("falls back to request origin when no settings + no env", () => {
+    const got = resolveIssuer(req("http://127.0.0.1:1939/oauth/token"), db, undefined);
+    expect(got).toBe("http://127.0.0.1:1939");
+  });
+
+  test("env wins over request origin (deploy-time setting)", () => {
+    const got = resolveIssuer(
+      req("http://127.0.0.1:1939/oauth/token"),
+      db,
+      "https://hub.from-env.example",
+    );
+    expect(got).toBe("https://hub.from-env.example");
+  });
+
+  test("hub_settings wins over env (operator override)", () => {
+    setHubOrigin(db, "https://hub.from-settings.example");
+    const got = resolveIssuer(
+      req("http://127.0.0.1:1939/oauth/token"),
+      db,
+      "https://hub.from-env.example",
+    );
+    expect(got).toBe("https://hub.from-settings.example");
+  });
+
+  test("hub_settings wins over request origin (no env)", () => {
+    setHubOrigin(db, "https://hub.from-settings.example");
+    const got = resolveIssuer(req("http://127.0.0.1:1939/oauth/token"), db, undefined);
+    expect(got).toBe("https://hub.from-settings.example");
+  });
+
+  test("clearing hub_settings reverts to env precedence", () => {
+    setHubOrigin(db, "https://hub.from-settings.example");
+    setHubOrigin(db, null);
+    const got = resolveIssuer(
+      req("http://127.0.0.1:1939/oauth/token"),
+      db,
+      "https://hub.from-env.example",
+    );
+    expect(got).toBe("https://hub.from-env.example");
+  });
+
+  test("clearing hub_settings + no env reverts to request origin", () => {
+    setHubOrigin(db, "https://hub.from-settings.example");
+    setHubOrigin(db, null);
+    const got = resolveIssuer(req("http://127.0.0.1:1939/oauth/token"), db, undefined);
+    expect(got).toBe("http://127.0.0.1:1939");
+  });
+
+  test("undefined db (pre-config gate) falls through to env then request", () => {
+    // The wellknown / discovery surfaces may hit oauthDeps before a DB
+    // is wired; resolveIssuer must not throw — just skip the settings
+    // layer.
+    const got = resolveIssuer(req("http://127.0.0.1:1939/"), undefined, undefined);
+    expect(got).toBe("http://127.0.0.1:1939");
+
+    const gotEnv = resolveIssuer(
+      req("http://127.0.0.1:1939/"),
+      undefined,
+      "https://hub.from-env.example",
+    );
+    expect(gotEnv).toBe("https://hub.from-env.example");
+  });
+
+  test("change takes effect on the very next request (no caching)", () => {
+    // Critical operator-facing behavior: the SPA save button must
+    // affect token mints on the subsequent OAuth request without a
+    // hub restart. Exercised by pulling resolveIssuer in sequence
+    // around a mid-flight setHubOrigin call.
+    const baseUrl = "http://127.0.0.1:1939/oauth/token";
+
+    // Pass 1 — no settings, no env → request origin.
+    expect(resolveIssuer(req(baseUrl), db, undefined)).toBe("http://127.0.0.1:1939");
+
+    // Mid-flight write.
+    setHubOrigin(db, "https://hub.example.com");
+
+    // Pass 2 — settings wins immediately.
+    expect(resolveIssuer(req(baseUrl), db, undefined)).toBe("https://hub.example.com");
+
+    // Mid-flight clear.
+    setHubOrigin(db, null);
+
+    // Pass 3 — back to request origin.
+    expect(resolveIssuer(req(baseUrl), db, undefined)).toBe("http://127.0.0.1:1939");
+  });
+});
+
+describe("resolveIssuerSource — attribution for SPA", () => {
+  test('"request" when nothing is configured', () => {
+    expect(resolveIssuerSource(db, undefined)).toBe("request");
+  });
+
+  test('"env" when configuredIssuer is set + no settings row', () => {
+    expect(resolveIssuerSource(db, "https://hub.from-env.example")).toBe("env");
+  });
+
+  test('"settings" when hub_settings row is set, even if env is also set', () => {
+    setHubOrigin(db, "https://hub.from-settings.example");
+    expect(resolveIssuerSource(db, "https://hub.from-env.example")).toBe("settings");
+  });
+
+  test("attribution matches resolved value across the chain", () => {
+    // Pair them up so a future change to one without the other gets
+    // caught — the SPA helper text says "from settings" iff the
+    // settings layer is what got returned.
+    setHubOrigin(db, "https://hub.example.com");
+    const r1 = req("http://127.0.0.1:1939/oauth/token");
+    expect(resolveIssuer(r1, db, "https://hub.from-env.example")).toBe("https://hub.example.com");
+    expect(resolveIssuerSource(db, "https://hub.from-env.example")).toBe("settings");
+
+    setHubOrigin(db, null);
+    expect(resolveIssuer(r1, db, "https://hub.from-env.example")).toBe(
+      "https://hub.from-env.example",
+    );
+    expect(resolveIssuerSource(db, "https://hub.from-env.example")).toBe("env");
+
+    expect(resolveIssuer(r1, db, undefined)).toBe("http://127.0.0.1:1939");
+    expect(resolveIssuerSource(db, undefined)).toBe("request");
+  });
+});

package/src/__tests__/hub-settings.test.ts

@@ -18,12 +18,14 @@ import {
   SETUP_EXPOSE_MODES,
   consumeFirstClientAutoApproveWindow,
   deleteSetting,
+  getHubOrigin,
   getModuleInstallChannel,
   getSetting,
   isFirstClientAutoApproveWindowOpen,
   isModuleInstallChannel,
   isSetupExposeMode,
   openFirstClientAutoApproveWindow,
+  setHubOrigin,
   setModuleInstallChannel,
   setSetting,
 } from "../hub-settings.ts";
@@ -375,3 +377,95 @@ describe("hub-settings — module install channel bootstrap", () => {
     }
   });
 });
+
+describe("hub-settings — hub_origin (hub#298)", () => {
+  let dir: string;
+  beforeEach(() => {
+    dir = mkdtempSync(join(tmpdir(), "hub-settings-"));
+  });
+  afterEach(() => rmSync(dir, { recursive: true, force: true }));
+
+  test("getHubOrigin returns null when no row is present", () => {
+    const db = openHubDb(hubDbPath(dir));
+    try {
+      expect(getHubOrigin(db)).toBeNull();
+    } finally {
+      db.close();
+    }
+  });
+
+  test("setHubOrigin then getHubOrigin round-trips the value", () => {
+    const db = openHubDb(hubDbPath(dir));
+    try {
+      setHubOrigin(db, "https://hub.example.com");
+      expect(getHubOrigin(db)).toBe("https://hub.example.com");
+    } finally {
+      db.close();
+    }
+  });
+
+  test("setHubOrigin overwrites an existing value", () => {
+    const db = openHubDb(hubDbPath(dir));
+    try {
+      setHubOrigin(db, "https://hub.example.com");
+      setHubOrigin(db, "https://hub.other.example");
+      expect(getHubOrigin(db)).toBe("https://hub.other.example");
+    } finally {
+      db.close();
+    }
+  });
+
+  test("setHubOrigin(null) clears the row → getHubOrigin returns null", () => {
+    const db = openHubDb(hubDbPath(dir));
+    try {
+      setHubOrigin(db, "https://hub.example.com");
+      setHubOrigin(db, null);
+      expect(getHubOrigin(db)).toBeNull();
+      // Idempotent — a second clear on an already-absent row is a no-op.
+      setHubOrigin(db, null);
+      expect(getHubOrigin(db)).toBeNull();
+    } finally {
+      db.close();
+    }
+  });
+
+  test('setHubOrigin("") is treated as null (no falsy-row footgun)', () => {
+    // An empty string would be a useless issuer + would cause source
+    // attribution to lie ("from settings" while no real value).
+    // Normalize at the write layer.
+    const db = openHubDb(hubDbPath(dir));
+    try {
+      setHubOrigin(db, "https://hub.example.com");
+      setHubOrigin(db, "");
+      expect(getHubOrigin(db)).toBeNull();
+    } finally {
+      db.close();
+    }
+  });
+
+  test("does not auto-seed from env (unlike module_install_channel)", () => {
+    // The env var (PARACHUTE_HUB_ORIGIN) is a separate precedence layer
+    // in resolveIssuer (env wins when no settings row). Auto-seeding
+    // would collapse env → settings and lose the source attribution
+    // the SPA exposes ("from env" vs "from settings"). Verify no row
+    // appears just from reading.
+    const prior = process.env.PARACHUTE_HUB_ORIGIN;
+    process.env.PARACHUTE_HUB_ORIGIN = "https://hub.from-env.example";
+    try {
+      const db = openHubDb(hubDbPath(dir));
+      try {
+        expect(getHubOrigin(db)).toBeNull();
+      } finally {
+        db.close();
+      }
+    } finally {
+      if (prior === undefined) {
+        // Bun's process.env supports the `[key]: undefined` shape
+        // (biome's noDelete rule preferred this over `delete`).
+        process.env.PARACHUTE_HUB_ORIGIN = undefined;
+      } else {
+        process.env.PARACHUTE_HUB_ORIGIN = prior;
+      }
+    }
+  });
+});

package/src/__tests__/oauth-ui.test.ts

@@ -308,6 +308,26 @@ describe("substituteVaultDisplay", () => {
     // consenting to literally.
     expect(substituteVaultDisplay("vault:admin", "work")).toBe("vault:admin");
   });
+
+  test("'*' → renders the wildcard display form (vault:*:<verb>)", () => {
+    // Approve-time rendering: no vault has been picked yet (the consent
+    // picker hasn't run), but rendering the raw `vault:read` form implies
+    // unrestricted full-vault access. The wildcard signals "scope will be
+    // narrowed to a specific vault at consent" — mirrors the SPA's
+    // `/admin/approve-client/<id>` view.
+    expect(substituteVaultDisplay("vault:read", "*")).toBe("vault:*:read");
+    expect(substituteVaultDisplay("vault:write", "*")).toBe("vault:*:write");
+  });
+
+  test("'*' → non-vault scopes still pass through unchanged", () => {
+    expect(substituteVaultDisplay("scribe:transcribe", "*")).toBe("scribe:transcribe");
+    expect(substituteVaultDisplay("channel:send", "*")).toBe("channel:send");
+  });
+
+  test("'*' → already-named vault scopes pass through (caller specified the vault)", () => {
+    expect(substituteVaultDisplay("vault:work:read", "*")).toBe("vault:work:read");
+    expect(substituteVaultDisplay("vault:other:write", "*")).toBe("vault:other:write");
+  });
 });
 
 describe("renderConsent displayVault substitution", () => {
@@ -442,6 +462,103 @@ describe("renderApprovePending unauthenticated CTAs", () => {
   });
 });
 
+describe("renderApprovePending scope display (wildcard substitution)", () => {
+  const COMMON = {
+    clientName: "MyApp",
+    clientId: "client-xyz",
+    redirectUris: ["https://app.example/cb"],
+    hubOrigin: "https://hub.example.com",
+  };
+
+  test("unnamed vault scopes render with the wildcard form (vault:*:<verb>)", () => {
+    // The bug Aaron hit on rc.1: the server-rendered approve-pending page
+    // showed raw `vault:read` / `vault:write` rather than the resolved
+    // `vault:*:<verb>` form the SPA already used. Both the unauth viewer
+    // and the authenticated admin branch get the substituted display so
+    // they match the SPA's `/admin/approve-client/<id>` view.
+    const html = renderApprovePending({
+      ...COMMON,
+      requestedScopes: ["vault:read", "vault:write"],
+    });
+    expect(html).toMatch(/<code class="scope-name">vault:\*:read<\/code>/);
+    expect(html).toMatch(/<code class="scope-name">vault:\*:write<\/code>/);
+    // Raw unnamed form must NOT appear in the rendered scope-row code
+    // blocks any more — that was the bug.
+    expect(html).not.toMatch(/<code class="scope-name">vault:read<\/code>/);
+    expect(html).not.toMatch(/<code class="scope-name">vault:write<\/code>/);
+  });
+
+  test("wildcard explanation surfaces below the scope list when any scope renders with `*`", () => {
+    const html = renderApprovePending({
+      ...COMMON,
+      requestedScopes: ["vault:read"],
+    });
+    // The `<p class="scope-wildcard-note">…` element is what's conditional;
+    // `.scope-wildcard-note` as a CSS class name is always present in the
+    // stylesheet, so match the rendered element specifically.
+    expect(html).toMatch(/<p class="scope-wildcard-note">/);
+    expect(html).toContain("a specific vault is selected during sign-in");
+    expect(html).toContain("unbound shape");
+  });
+
+  test("wildcard explanation is omitted when no scope renders with `*`", () => {
+    // All-non-vault: explanation absent.
+    const nonVault = renderApprovePending({
+      ...COMMON,
+      requestedScopes: ["scribe:transcribe", "channel:send"],
+    });
+    expect(nonVault).not.toMatch(/<p class="scope-wildcard-note">/);
+    expect(nonVault).not.toContain("unbound shape");
+
+    // Already-named vault: explanation absent (vault already specified).
+    const named = renderApprovePending({
+      ...COMMON,
+      requestedScopes: ["vault:work:read"],
+    });
+    expect(named).not.toMatch(/<p class="scope-wildcard-note">/);
+    expect(named).not.toContain("unbound shape");
+
+    // Empty scopes: explanation absent (no scope rows at all).
+    const empty = renderApprovePending({ ...COMMON, requestedScopes: [] });
+    expect(empty).not.toMatch(/<p class="scope-wildcard-note">/);
+  });
+
+  test("already-named vault scopes still render as-is (no double substitution)", () => {
+    const html = renderApprovePending({
+      ...COMMON,
+      requestedScopes: ["vault:work:read"],
+    });
+    expect(html).toMatch(/<code class="scope-name">vault:work:read<\/code>/);
+    // Pre-existing named scopes don't get mangled by the wildcard substitution.
+    expect(html).not.toMatch(/vault:\*:work/);
+  });
+
+  test("mixed scopes render the wildcard explanation when ANY scope is unnamed-vault", () => {
+    const html = renderApprovePending({
+      ...COMMON,
+      requestedScopes: ["scribe:transcribe", "vault:read"],
+    });
+    expect(html).toMatch(/<code class="scope-name">scribe:transcribe<\/code>/);
+    expect(html).toMatch(/<code class="scope-name">vault:\*:read<\/code>/);
+    expect(html).toMatch(/<p class="scope-wildcard-note">/);
+  });
+
+  test("authenticated admin branch also gets the wildcard substitution + explanation", () => {
+    // Both branches of the page render through the same scope-display path
+    // — the inline-form admin viewer sees the same resolved scopes as the
+    // unauth viewer with the sign-in CTA.
+    const html = renderApprovePending({
+      ...COMMON,
+      requestedScopes: ["vault:read", "vault:write"],
+      approveForm: { csrfToken: CSRF, returnTo: "/oauth/authorize?client_id=client-xyz" },
+    });
+    expect(html).toContain('action="/oauth/authorize/approve"');
+    expect(html).toMatch(/<code class="scope-name">vault:\*:read<\/code>/);
+    expect(html).toMatch(/<code class="scope-name">vault:\*:write<\/code>/);
+    expect(html).toMatch(/<p class="scope-wildcard-note">/);
+  });
+});
+
 describe("CSS / styling guarantees", () => {
   test("does not load fonts from a third-party CDN (privacy)", () => {
     const html = renderLogin({ params: PARAMS, csrfToken: CSRF });

package/src/__tests__/serve.test.ts

@@ -2,7 +2,12 @@ import { afterEach, beforeEach, describe, expect, mock, test } from "bun:test";
 import { mkdtempSync, rmSync } from "node:fs";
 import { tmpdir } from "node:os";
 import { join } from "node:path";
-import { seedInitialAdminIfNeeded } from "../commands/serve.ts";
+import { _resetBootstrapTokenForTests, getBootstrapToken } from "../bootstrap-token.ts";
+import {
+  formatBootstrapTokenBanner,
+  formatListeningBanner,
+  seedInitialAdminIfNeeded,
+} from "../commands/serve.ts";
 import { openHubDb } from "../hub-db.ts";
 import { getUserByUsername, userCount } from "../users.ts";
 
@@ -105,3 +110,129 @@ describe("seedInitialAdminIfNeeded", () => {
     expect(userCount(db)).toBe(0);
   });
 });
+
+describe("formatListeningBanner", () => {
+  const base = {
+    port: 1939,
+    configDir: "/home/op/.parachute",
+    dbPath: "/home/op/.parachute/hub.db",
+    issuer: undefined,
+    adminBootstrap: "exists",
+  };
+
+  test("hostname 0.0.0.0 → display localhost + bound note", () => {
+    // Chrome refuses to navigate to `0.0.0.0`, and mixing it with
+    // `localhost` trips cross-origin errors. Operators paste the URL
+    // straight from the banner, so the printed URL must be navigable.
+    const line = formatListeningBanner({ ...base, hostname: "0.0.0.0" });
+    expect(line).toContain("listening on http://localhost:1939");
+    expect(line).toContain("(bound on all interfaces: 0.0.0.0:1939)");
+    // The bind disclosure should sit between the URL and the contextual
+    // PARACHUTE_HOME / db / issuer block, so an operator scanning the
+    // banner sees the URL first and the bind note second.
+    const urlIdx = line.indexOf("http://localhost:1939");
+    const boundIdx = line.indexOf("(bound on all interfaces");
+    const homeIdx = line.indexOf("PARACHUTE_HOME=");
+    expect(urlIdx).toBeLessThan(boundIdx);
+    expect(boundIdx).toBeLessThan(homeIdx);
+  });
+
+  test("hostname 127.0.0.1 (operator-chosen loopback) → display verbatim, no bound note", () => {
+    const line = formatListeningBanner({ ...base, hostname: "127.0.0.1" });
+    expect(line).toContain("listening on http://127.0.0.1:1939");
+    expect(line).not.toContain("bound on all interfaces");
+  });
+
+  test("hostname 192.168.x.x (operator-chosen LAN IP) → display verbatim, no bound note", () => {
+    const line = formatListeningBanner({ ...base, hostname: "192.168.1.10" });
+    expect(line).toContain("listening on http://192.168.1.10:1939");
+    expect(line).not.toContain("bound on all interfaces");
+  });
+
+  test("contextual block carries PARACHUTE_HOME, db, issuer, admin state", () => {
+    const line = formatListeningBanner({
+      ...base,
+      hostname: "0.0.0.0",
+      issuer: "https://hub.example.com",
+      adminBootstrap: "seeded",
+    });
+    expect(line).toContain("PARACHUTE_HOME=/home/op/.parachute");
+    expect(line).toContain("db=/home/op/.parachute/hub.db");
+    expect(line).toContain("issuer=https://hub.example.com");
+    expect(line).toContain("admin=seeded");
+  });
+
+  test("issuer undefined renders as <request-origin> placeholder", () => {
+    const line = formatListeningBanner({ ...base, hostname: "0.0.0.0" });
+    expect(line).toContain("issuer=<request-origin>");
+  });
+});
+
+// --- bootstrap-token banner (first-boot-path hardening, Issue 1) ---------
+
+describe("formatBootstrapTokenBanner", () => {
+  test("includes the token verbatim, the wizard URL, and an expiry note", () => {
+    const banner = formatBootstrapTokenBanner("parachute-bootstrap-sample-token-abc-123");
+    expect(banner).toContain("parachute-bootstrap-sample-token-abc-123");
+    expect(banner).toContain("/admin/setup");
+    expect(banner).toContain("admin is created OR when hub restarts");
+  });
+
+  test("each line carries the `[wizard]` prefix so a log scanner can isolate the block", () => {
+    const banner = formatBootstrapTokenBanner("parachute-bootstrap-x");
+    for (const line of banner.split("\n")) {
+      expect(line.startsWith("[wizard]")).toBe(true);
+    }
+  });
+});
+
+// --- bootstrap-token generation under needs-setup (Issue 1 wiring) -------
+//
+// `seedInitialAdminIfNeeded` returns `needs-setup` when no admin row and
+// no env vars; the wizard-mode boot path then mints + logs the token.
+// These tests pin the wiring: when `needs-setup` fires, the token slot
+// gets populated; when the env-seed path fires, the token slot stays
+// undefined.
+
+describe("bootstrap-token wiring under needs-setup", () => {
+  let dir: string;
+  let dbPath: string;
+
+  beforeEach(() => {
+    dir = mkdtempSync(join(tmpdir(), "parachute-serve-bootstrap-"));
+    dbPath = join(dir, "hub.db");
+    _resetBootstrapTokenForTests();
+  });
+
+  afterEach(() => {
+    rmSync(dir, { recursive: true, force: true });
+    _resetBootstrapTokenForTests();
+  });
+
+  test("needs-setup branch: seedInitialAdminIfNeeded itself does NOT mint a token", async () => {
+    // The token mint is in serve() — the surrounding fetch loop — not
+    // in `seedInitialAdminIfNeeded`. This pins the helper's contract:
+    // pure state inspection, no side effects beyond the admin row.
+    // (The mint happens in the caller; covered by integration via the
+    // hub-side gate tests that exercise the wizard against a generated
+    // token.)
+    const db = openHubDb(dbPath);
+    const result = await seedInitialAdminIfNeeded(db, {}, () => {});
+    expect(result).toBe("needs-setup");
+    expect(getBootstrapToken()).toBeUndefined();
+  });
+
+  test("env-seed branch: no token generated by the seed helper", async () => {
+    const db = openHubDb(dbPath);
+    const result = await seedInitialAdminIfNeeded(
+      db,
+      {
+        PARACHUTE_INITIAL_ADMIN_USERNAME: "ops",
+        PARACHUTE_INITIAL_ADMIN_PASSWORD: "correct horse battery staple",
+      },
+      () => {},
+    );
+    expect(result).toBe("seeded");
+    expect(getBootstrapToken()).toBeUndefined();
+  });
+});

package/src/__tests__/setup-gate.test.ts

@@ -219,4 +219,97 @@ describe("setup gate (admin exists)", () => {
       db.close();
     }
   });
+
+  // Issue 2 (first-boot-path hardening): the auto-redirect on `/` and
+  // `/hub.html` fires whenever the wizard still has work to do — not just
+  // when the admin row is missing. Pre-fix, an env-seeded admin with no
+  // vault landed on the static discovery portal and had to hand-find
+  // `/admin/modules` + `/admin/vaults`. Post-fix, `/` funnels them
+  // straight to the wizard's vault step.
+  test("/ 302s to /admin/setup when env-seeded admin has no vault (Issue 2)", async () => {
+    const db = openHubDb(hubDbPath(h.dir));
+    try {
+      // Simulate env-seed: admin row exists, services.json is empty.
+      await createUser(db, "env-seeded-admin", "pw");
+      const res = await hubFetch(h.dir, {
+        getDb: () => db,
+        manifestPath: join(h.dir, "services.json"),
+      })(req("/"));
+      expect(res.status).toBe(302);
+      expect(res.headers.get("location")).toBe("/admin/setup");
+    } finally {
+      db.close();
+    }
+  });
+
+  test("/hub.html 302s to /admin/setup when env-seeded admin has no vault (Issue 2)", async () => {
+    const db = openHubDb(hubDbPath(h.dir));
+    try {
+      await createUser(db, "env-seeded-admin", "pw");
+      const res = await hubFetch(h.dir, {
+        getDb: () => db,
+        manifestPath: join(h.dir, "services.json"),
+      })(req("/hub.html"));
+      expect(res.status).toBe(302);
+      expect(res.headers.get("location")).toBe("/admin/setup");
+    } finally {
+      db.close();
+    }
+  });
+
+  test("/ renders the discovery page when admin + vault both exist", async () => {
+    const db = openHubDb(hubDbPath(h.dir));
+    try {
+      await createUser(db, "owner", "pw");
+      writeManifest(
+        {
+          services: [
+            {
+              name: "parachute-vault",
+              version: "0.1.0",
+              port: 1940,
+              paths: ["/vault/default"],
+              health: "/health",
+            },
+          ],
+        },
+        join(h.dir, "services.json"),
+      );
+      const res = await hubFetch(h.dir, {
+        getDb: () => db,
+        manifestPath: join(h.dir, "services.json"),
+      })(req("/"));
+      // 200 (the dynamic discovery page) — NOT 302 to /admin/setup. The
+      // wizard's work is done.
+      expect(res.status).toBe(200);
+      expect(res.headers.get("content-type")).toContain("text/html");
+    } finally {
+      db.close();
+    }
+  });
+
+  test("wizard at /admin/setup with env-seeded admin + no vault renders vault step (Issue 2)", async () => {
+    // Mirror the wizard's resume-at-vault-step shape for the env-seed
+    // path. Same as the existing test above, but explicitly named to
+    // document the Issue 2 expectation: the wizard handles env-seeded
+    // admins correctly.
+    const db = openHubDb(hubDbPath(h.dir));
+    try {
+      await createUser(db, "env-seeded-admin", "pw");
+      const res = await hubFetch(h.dir, {
+        getDb: () => db,
+        manifestPath: join(h.dir, "services.json"),
+      })(req("/admin/setup"));
+      expect(res.status).toBe(200);
+      const html = await res.text();
+      // Vault step is rendered (the form action gives it away).
+      expect(html).toContain('action="/admin/setup/vault"');
+      // Account step is NOT rendered — no username field, no bootstrap
+      // token field.
+      expect(html).not.toContain('name="bootstrap_token"');
+      expect(html).not.toContain('name="password_confirm"');
+    } finally {
+      db.close();
+    }
+  });
 });