@openparachute/hub 0.5.12-rc.4 → 0.5.13-rc.12

package/README.md

@@ -2,7 +2,7 @@
 
 `@openparachute/hub` — the local hub for the [Parachute](https://parachute.computer) ecosystem. The `parachute` binary is one of its surfaces.
 
-The hub coordinates the modules running on your machine: it installs them, runs them as background processes, exposes them over Tailscale, serves the discovery document at `/.well-known/parachute.json`, and (soon) issues OAuth tokens. Each module (vault, notes, scribe, channel, …) stays a standalone package; the hub stitches them together.
+The hub coordinates the modules running on your machine: it installs them, runs them as background processes, exposes them over Tailscale, serves the discovery document at `/.well-known/parachute.json`, and (soon) issues OAuth tokens. Each module (vault, app, scribe, …) stays a standalone package; the hub stitches them together.
 
 > Previously published as `@openparachute/cli`. Renamed 2026-04-26 to better reflect the role — see [parachute-patterns/hub-as-issuer](https://github.com/ParachuteComputer/parachute-patterns/blob/main/patterns/hub-as-issuer.md). The `parachute` binary name is unchanged.
 
@@ -160,16 +160,19 @@ Parachute services reserve a block of loopback ports in the canonical range **19
 | 1939 | parachute-hub (internal proxy + static) |
 | 1940 | parachute-vault    |
 | 1941 | parachute-channel  |
-| 1942 | parachute-notes    |
+| 1942 | parachute-notes *(deprecating — see [notes#154](https://github.com/ParachuteComputer/parachute-notes/issues/154); folds into parachute-app at 1946)* |
 | 1943 | parachute-scribe   |
-| 1944–1949 | *unassigned (CLI fallback range)* |
+| 1944 | *parachute-agent (retired 2026-05-20; slot held — see [`parachute-agent/DEPRECATED.md`](https://github.com/ParachuteComputer/parachute-agent/blob/main/DEPRECATED.md))* |
+| 1945 | parachute-runner *(shipped; exploration-tier, not committed-core)* |
+| 1946 | parachute-app *(committed core; UI host, ships Notes as canonical first app)* |
+| 1947–1949 | *unassigned (CLI fallback range)* |
 
 The hub pins 1939 — no fallback. If something else is on 1939 when you run `parachute expose`, the command fails with a pointer to `lsof -iTCP:1939` rather than walking up into another service's slot.
 
 **The CLI is the port authority.** `parachute install <svc>` picks the port at install time and writes `PORT=<port>` into `~/.parachute/<svc>/.env`; lifecycle.start merges that .env into the spawn env so the next daemon boot binds the port the CLI assigned. The algorithm:
 
 1. Prefer the canonical slot (e.g. vault → 1940).
-2. On collision, walk the unassigned range (1944–1949).
+2. On collision, walk the unassigned range (1947–1949).
 3. Range exhausted: assign past 1949 with a warning.
 
 Idempotent: an existing `PORT=` in `~/.parachute/<svc>/.env` wins, so re-installs and operator-edited ports survive across upgrades. Services keep their compiled-in fallbacks (vault → 1940 etc.) so a stand-alone `bun run` still works without a CLI-managed .env.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openparachute/hub",
-  "version": "0.5.12-rc.4",
+  "version": "0.5.13-rc.12",
   "description": "parachute — the local hub for the Parachute ecosystem (discovery, ports, lifecycle, soon OAuth).",
   "license": "AGPL-3.0",
   "publishConfig": {

package/src/__tests__/admin-clients.test.ts

@@ -115,6 +115,32 @@ describe("handleGetClient", () => {
     expect(body.redirect_uris).toEqual(["https://app.example/cb"]);
     expect(body.scopes).toEqual(["vault:work:read"]);
     expect(typeof body.registered_at).toBe("string");
+    // hub#312 — same_hub surfaced for future SPA badging. Default false
+    // when the test registers via the helper (no operator-auth path).
+    expect(body.same_hub).toBe(false);
+  });
+
+  test("same_hub=true client surfaces same_hub: true in the response (hub#312)", async () => {
+    // The DCR path stamps same_hub=true on operator-authenticated
+    // registrations. Pin that the admin view exposes that flag so future
+    // SPA changes (per-client same-hub badge) can read it directly from
+    // /api/oauth/clients/<id>.
+    const { bearer } = await makeOperatorBearer();
+    const r = registerClient(harness.db, {
+      redirectUris: ["https://app.example/cb"],
+      scopes: ["vault:work:read"],
+      status: "approved",
+      sameHub: true,
+      clientName: "SameHubApp",
+    });
+    const id = r.client.clientId;
+    const res = await handleGetClient(getReq(id, bearer), id, {
+      db: harness.db,
+      issuer: ISSUER,
+    });
+    expect(res.status).toBe(200);
+    const body = (await res.json()) as Record<string, unknown>;
+    expect(body.same_hub).toBe(true);
   });
 
   test("returns the row's status after approval (so the SPA can short-circuit re-approve)", async () => {

package/src/__tests__/api-account.test.ts

@@ -29,6 +29,11 @@ import {
 } from "../api-account.ts";
 import { CSRF_COOKIE_NAME, CSRF_FIELD_NAME } from "../csrf.ts";
 import { hubDbPath, openHubDb } from "../hub-db.ts";
+import {
+  CHANGE_PASSWORD_MAX_ATTEMPTS,
+  CHANGE_PASSWORD_WINDOW_MS,
+  changePasswordRateLimiter,
+} from "../rate-limit.ts";
 import { SESSION_TTL_MS, buildSessionCookie, createSession } from "../sessions.ts";
 import { createUser, getUserById, verifyPassword } from "../users.ts";
 
@@ -84,6 +89,13 @@ function formBody(values: Record<string, string>): {
 let harness: Harness;
 beforeEach(() => {
   harness = makeHarness();
+  // Per-test rate-limit reset — change-password tests share the
+  // singleton `changePasswordRateLimiter`, and a test that exhausts a
+  // user-id bucket would 429-cascade into the next test if the user-id
+  // happened to collide. Per-harness DB → fresh user-ids, so in practice
+  // there's no collision, but the explicit reset matches `admin-handlers`
+  // discipline and pins the contract.
+  changePasswordRateLimiter.reset();
 });
 afterEach(() => {
   harness.cleanup();
@@ -438,6 +450,161 @@ describe("POST /account/change-password", () => {
     const setCookie = res.headers.get("set-cookie") ?? "";
     expect(setCookie).not.toContain("Max-Age=0");
   });
+
+  // hub#282 — per-user rate-limit on /account/change-password.
+  // CHANGE_PASSWORD_MAX_ATTEMPTS attempts per CHANGE_PASSWORD_WINDOW_MS;
+  // (CHANGE_PASSWORD_MAX_ATTEMPTS+1)th attempt within the window is 429.
+  test("rapid wrong-current_password attempts exhaust the bucket and 429 with Retry-After", async () => {
+    const { cookie } = await sessionCookieFor(harness.db, "newbie", "correct-pw", {
+      passwordChanged: false,
+    });
+    const buildReq = () => {
+      const { body, headers } = formBody({
+        [CSRF_FIELD_NAME]: TEST_CSRF,
+        current_password: "this-is-wrong",
+        new_password: "long-enough-passphrase",
+        new_password_confirm: "long-enough-passphrase",
+      });
+      return new Request("http://hub.test/account/change-password", {
+        method: "POST",
+        headers: { ...headers, cookie },
+        body,
+      });
+    };
+    // First N attempts: wrong current → 401 each (admitted by rate limiter,
+    // failed by argon2id verify).
+    for (let i = 0; i < CHANGE_PASSWORD_MAX_ATTEMPTS; i++) {
+      const r = await handleAccountChangePasswordPost(buildReq(), { db: harness.db });
+      expect(r.status).toBe(401);
+    }
+    // (N+1)th attempt: rate-limit fires before argon2id → 429 + Retry-After.
+    const denied = await handleAccountChangePasswordPost(buildReq(), { db: harness.db });
+    expect(denied.status).toBe(429);
+    const retryAfter = denied.headers.get("retry-after");
+    expect(retryAfter).not.toBeNull();
+    const seconds = Number(retryAfter);
+    expect(seconds).toBeGreaterThan(0);
+    // Window is CHANGE_PASSWORD_WINDOW_MS, so retry-after sits in (0, window].
+    expect(seconds).toBeLessThanOrEqual(CHANGE_PASSWORD_WINDOW_MS / 1000);
+    // Body should re-render the form with the rate-limit message.
+    const html = await denied.text();
+    expect(html).toContain("Too many password-change attempts");
+  });
+
+  test("rate-limit is per-user: two users have independent buckets", async () => {
+    const userA = await sessionCookieFor(harness.db, "user-a", "pw-a", {
+      passwordChanged: false,
+    });
+    const userB = await sessionCookieFor(harness.db, "user-b", "pw-b", {
+      passwordChanged: false,
+      allowMulti: true,
+    });
+    const buildReq = (cookie: string) => {
+      const { body, headers } = formBody({
+        [CSRF_FIELD_NAME]: TEST_CSRF,
+        current_password: "wrong",
+        new_password: "long-enough-passphrase",
+        new_password_confirm: "long-enough-passphrase",
+      });
+      return new Request("http://hub.test/account/change-password", {
+        method: "POST",
+        headers: { ...headers, cookie },
+        body,
+      });
+    };
+    // Exhaust user-a's bucket.
+    for (let i = 0; i < CHANGE_PASSWORD_MAX_ATTEMPTS; i++) {
+      await handleAccountChangePasswordPost(buildReq(userA.cookie), { db: harness.db });
+    }
+    const aDenied = await handleAccountChangePasswordPost(buildReq(userA.cookie), {
+      db: harness.db,
+    });
+    expect(aDenied.status).toBe(429);
+    // user-b's bucket is untouched — first attempt should be admitted
+    // (and reject for wrong current → 401, not 429).
+    const bAttempt = await handleAccountChangePasswordPost(buildReq(userB.cookie), {
+      db: harness.db,
+    });
+    expect(bAttempt.status).toBe(401);
+  });
+
+  test("rate-limit gate fires before argon2id verify (denied request is fast)", async () => {
+    // Pin the "fires before verifyPassword" property with an elapsed-time
+    // floor on the 429 response — argon2id verify would push elapsed
+    // into the hundreds of ms; the 429 path skips it.
+    const { cookie } = await sessionCookieFor(harness.db, "newbie", "correct-pw", {
+      passwordChanged: false,
+    });
+    const buildReq = () => {
+      const { body, headers } = formBody({
+        [CSRF_FIELD_NAME]: TEST_CSRF,
+        current_password: "wrong",
+        new_password: "long-enough-passphrase",
+        new_password_confirm: "long-enough-passphrase",
+      });
+      return new Request("http://hub.test/account/change-password", {
+        method: "POST",
+        headers: { ...headers, cookie },
+        body,
+      });
+    };
+    // Fill the bucket.
+    for (let i = 0; i < CHANGE_PASSWORD_MAX_ATTEMPTS; i++) {
+      await handleAccountChangePasswordPost(buildReq(), { db: harness.db });
+    }
+    // The (N+1)th attempt should 429-and-return without touching argon2id.
+    const t0 = Date.now();
+    const denied = await handleAccountChangePasswordPost(buildReq(), { db: harness.db });
+    const elapsed = Date.now() - t0;
+    expect(denied.status).toBe(429);
+    // 200ms is enough headroom even on a noisy runner; an argon2id verify
+    // would push elapsed into the hundreds of ms.
+    expect(elapsed).toBeLessThan(200);
+  });
+
+  test("CSRF failure does NOT burn a rate-limit slot", async () => {
+    // Gate-order invariant: rate-limit fires *after* CSRF, so a junk
+    // cross-site POST (which would never have a valid CSRF token) doesn't
+    // burn a bucket slot for the victim's session. Pin by sending
+    // (max+1) CSRF-broken requests and then confirming a fresh, valid
+    // attempt is admitted (would-be 401 for wrong current_password, not
+    // 429).
+    const { cookie } = await sessionCookieFor(harness.db, "newbie", "correct-pw", {
+      passwordChanged: false,
+    });
+    const csrfBroken = () => {
+      const { body, headers } = formBody({
+        [CSRF_FIELD_NAME]: "wrong-token",
+        current_password: "wrong",
+        new_password: "long-enough-passphrase",
+        new_password_confirm: "long-enough-passphrase",
+      });
+      return new Request("http://hub.test/account/change-password", {
+        method: "POST",
+        headers: { ...headers, cookie },
+        body,
+      });
+    };
+    for (let i = 0; i < CHANGE_PASSWORD_MAX_ATTEMPTS + 2; i++) {
+      const r = await handleAccountChangePasswordPost(csrfBroken(), { db: harness.db });
+      expect(r.status).toBe(400);
+    }
+    // Now send a CSRF-valid attempt — should NOT be 429 (CSRF-broken
+    // attempts never reached the rate limiter).
+    const { body, headers } = formBody({
+      [CSRF_FIELD_NAME]: TEST_CSRF,
+      current_password: "wrong",
+      new_password: "long-enough-passphrase",
+      new_password_confirm: "long-enough-passphrase",
+    });
+    const valid = new Request("http://hub.test/account/change-password", {
+      method: "POST",
+      headers: { ...headers, cookie },
+      body,
+    });
+    const res = await handleAccountChangePasswordPost(valid, { db: harness.db });
+    expect(res.status).toBe(401);
+  });
 });
 
 describe("markPasswordChanged", () => {

package/src/__tests__/api-modules-config.test.ts

@@ -248,20 +248,155 @@ describe("handleApiModulesConfig — module-not-installed", () => {
   });
 });
 
+/**
+ * Regression suite for hub#310 — vault / scribe / runner retired their
+ * FIRST_PARTY_FALLBACKS entries because each module now self-registers its
+ * services.json row at boot (vault#356, scribe#50, runner#3). The contract:
+ *
+ *   - **services.json has a row** → operations work using its fields
+ *     (operator-authoritative).
+ *   - **services.json has no row** → `module_not_installed` 404. Hub no
+ *     longer falls back to vendored manifest data — pretending a module is
+ *     installed when it isn't was the anti-pattern we're retiring.
+ *
+ * These tests pin both halves of that contract per FALLBACK-retired short
+ * (vault / scribe / runner) so a future re-introduction of vendored data
+ * would have to explicitly delete them.
+ */
+describe("handleApiModulesConfig — FALLBACK retirement (hub#310)", () => {
+  let h: Harness;
+  beforeEach(async () => {
+    h = await makeHarness();
+  });
+  afterEach(() => h.cleanup());
+
+  test("vault not in services.json → 404 module_not_installed (no vendored fallback)", async () => {
+    const bearer = await mintBearer(h, [API_MODULES_CONFIG_REQUIRED_SCOPE]);
+    const res = await handleApiModulesConfig(
+      makeReq("/api/modules/vault/config/schema", {
+        headers: { authorization: `Bearer ${bearer}` },
+      }),
+      { short: "vault", suffix: "schema" },
+      { db: h.db, issuer: ISSUER, manifestPath: h.manifestPath },
+    );
+    expect(res.status).toBe(404);
+    expect(((await res.json()) as { error: string }).error).toBe("module_not_installed");
+  });
+
+  test("scribe not in services.json → 404 module_not_installed (no vendored fallback)", async () => {
+    const bearer = await mintBearer(h, [API_MODULES_CONFIG_REQUIRED_SCOPE]);
+    const res = await handleApiModulesConfig(
+      makeReq("/api/modules/scribe/config/schema", {
+        headers: { authorization: `Bearer ${bearer}` },
+      }),
+      { short: "scribe", suffix: "schema" },
+      { db: h.db, issuer: ISSUER, manifestPath: h.manifestPath },
+    );
+    expect(res.status).toBe(404);
+    expect(((await res.json()) as { error: string }).error).toBe("module_not_installed");
+  });
+
+  test("runner not in services.json → 404 module_not_installed (no vendored fallback)", async () => {
+    const bearer = await mintBearer(h, [API_MODULES_CONFIG_REQUIRED_SCOPE]);
+    const res = await handleApiModulesConfig(
+      makeReq("/api/modules/runner/config/schema", {
+        headers: { authorization: `Bearer ${bearer}` },
+      }),
+      { short: "runner", suffix: "schema" },
+      { db: h.db, issuer: ISSUER, manifestPath: h.manifestPath },
+    );
+    expect(res.status).toBe(404);
+    expect(((await res.json()) as { error: string }).error).toBe("module_not_installed");
+  });
+
+  test("vault in services.json with self-registered fields → upstream URL composed from entry", async () => {
+    // Self-registered vault row (mirrors what vault#356's `selfRegister` writes):
+    // installDir + canonical paths + version + stripPrefix omitted (vault doesn't
+    // strip). The config proxy must build `/vault/default/.parachute/config/schema`
+    // — vault's per-mount routing requires the prefix.
+    writeManifest(h.manifestPath, [
+      {
+        name: "parachute-vault",
+        port: 1940,
+        paths: ["/vault/default"],
+        health: "/vault/default/health",
+        version: "0.4.8-rc.4",
+        installDir: "/parachute/modules/node_modules/@openparachute/vault",
+      },
+    ]);
+    const bearer = await mintBearer(h, [API_MODULES_CONFIG_REQUIRED_SCOPE]);
+    const upstream = makeFakeUpstream(() => Response.json({ type: "object", properties: {} }));
+    const res = await handleApiModulesConfig(
+      makeReq("/api/modules/vault/config/schema", {
+        headers: { authorization: `Bearer ${bearer}` },
+      }),
+      { short: "vault", suffix: "schema" },
+      {
+        db: h.db,
+        issuer: ISSUER,
+        manifestPath: h.manifestPath,
+        upstreamFetch: upstream.fetchFn,
+      },
+    );
+    expect(res.status).toBe(200);
+    expect(upstream.calls[0]?.url).toBe(
+      "http://127.0.0.1:1940/vault/default/.parachute/config/schema",
+    );
+  });
+
+  test("runner in services.json with self-registered fields → routes to bare /.parachute path", async () => {
+    // Self-registered runner row (mirrors what runner#3's `selfRegister` writes):
+    // multi-path declaration with `/.parachute` second → hub#307 routes the
+    // config proxy to the bare URL regardless of stripPrefix.
+    writeManifest(h.manifestPath, [
+      {
+        name: "parachute-runner",
+        port: 1945,
+        paths: ["/runner", "/.parachute"],
+        health: "/runner/healthz",
+        version: "0.1.0-rc.4",
+        stripPrefix: false,
+        installDir: "/parachute/modules/node_modules/@openparachute/runner",
+      },
+    ]);
+    const bearer = await mintBearer(h, [API_MODULES_CONFIG_REQUIRED_SCOPE]);
+    const upstream = makeFakeUpstream(() => Response.json({ type: "object" }));
+    const res = await handleApiModulesConfig(
+      makeReq("/api/modules/runner/config/schema", {
+        headers: { authorization: `Bearer ${bearer}` },
+      }),
+      { short: "runner", suffix: "schema" },
+      {
+        db: h.db,
+        issuer: ISSUER,
+        manifestPath: h.manifestPath,
+        upstreamFetch: upstream.fetchFn,
+      },
+    );
+    expect(res.status).toBe(200);
+    // Bare path — runner hosts /.parachute at root regardless of stripPrefix.
+    expect(upstream.calls[0]?.url).toBe("http://127.0.0.1:1945/.parachute/config/schema");
+  });
+});
+
 describe("handleApiModulesConfig — proxy + mint", () => {
   let h: Harness;
   beforeEach(async () => {
     h = await makeHarness();
-    // Scribe at port 1943 with `/scribe` mount + stripPrefix true (matches
-    // FIRST_PARTY_FALLBACKS — verified upstream paths must be the bare
-    // `/.parachute/config/schema` shape).
+    // Scribe at port 1943 with `/scribe` mount + `stripPrefix: true`.
+    // Post hub#310 (vault/scribe/runner FALLBACK retirement), services.json
+    // is the authoritative source for `stripPrefix` — scribe#50 self-
+    // registers the flag at boot, so the canonical post-self-register row
+    // carries it. Verified upstream paths must be the bare
+    // `/.parachute/config[/schema]` shape.
     writeManifest(h.manifestPath, [
       {
         name: "parachute-scribe",
         port: 1943,
         paths: ["/scribe"],
         health: "/health",
-        version: "0.4.0",
+        version: "0.4.4-rc.4",
+        stripPrefix: true,
       },
     ]);
   });
@@ -490,3 +625,252 @@ describe("handleApiModulesConfig — stripPrefix=false (notes-shape)", () => {
     expect(upstream.calls[0]?.url).toBe("http://127.0.0.1:1941/notes/.parachute/config/schema");
   });
 });
+
+/**
+ * hub#307: modules that declare `/.parachute` in their `paths[]` host the
+ * universal protocol endpoints at the bare URL — runner is the first
+ * example. Before this fix the proxy built `/runner/.parachute/config`
+ * (mount-prefixed because stripPrefix is false) and runner returned 404.
+ *
+ * The fix detects the `/.parachute` declaration in `paths[]` and routes
+ * to the bare URL regardless of `stripPrefix`. These tests pin that
+ * behavior + verify vault (mount-routed per-vault) keeps its prefixed
+ * path so the fix doesn't regress vault config.
+ */
+describe("handleApiModulesConfig — hostsBareParachute (hub#307)", () => {
+  let h: Harness;
+  beforeEach(async () => {
+    h = await makeHarness();
+  });
+  afterEach(() => h.cleanup());
+
+  test("runner (stripPrefix:false + /.parachute in paths) → bare /.parachute/config", async () => {
+    // Runner's FIRST_PARTY_FALLBACKS shape: paths includes `/.parachute`
+    // explicitly because runner serves the universal protocol at the bare
+    // URL. The services.json entry can carry either path first; we put
+    // `/runner` first to mirror what `parachute install runner` writes
+    // (matches the FIRST_PARTY_FALLBACKS manifest paths order).
+    writeManifest(h.manifestPath, [
+      {
+        name: "parachute-runner",
+        port: 1945,
+        paths: ["/runner", "/.parachute"],
+        health: "/runner/healthz",
+        version: "0.1.0",
+        stripPrefix: false,
+      },
+    ]);
+    const bearer = await mintBearer(h, [API_MODULES_CONFIG_REQUIRED_SCOPE]);
+    const upstream = makeFakeUpstream(() =>
+      Response.json({ type: "object", properties: { intervalSeconds: { type: "number" } } }),
+    );
+    const res = await handleApiModulesConfig(
+      makeReq("/api/modules/runner/config/schema", {
+        headers: { authorization: `Bearer ${bearer}` },
+      }),
+      { short: "runner", suffix: "schema" },
+      {
+        db: h.db,
+        issuer: ISSUER,
+        manifestPath: h.manifestPath,
+        upstreamFetch: upstream.fetchFn,
+      },
+    );
+    expect(res.status).toBe(200);
+    // No /runner prefix — bare /.parachute/config/schema. This is the
+    // hub#307 fix: pre-fix the URL was http://127.0.0.1:1945/runner/.parachute/config/schema
+    // and runner returned 404.
+    expect(upstream.calls[0]?.url).toBe("http://127.0.0.1:1945/.parachute/config/schema");
+  });
+
+  test("runner GET /config (no schema) also routes bare", async () => {
+    writeManifest(h.manifestPath, [
+      {
+        name: "parachute-runner",
+        port: 1945,
+        paths: ["/runner", "/.parachute"],
+        health: "/runner/healthz",
+        version: "0.1.0",
+        stripPrefix: false,
+      },
+    ]);
+    const bearer = await mintBearer(h, [API_MODULES_CONFIG_REQUIRED_SCOPE]);
+    const upstream = makeFakeUpstream(() => Response.json({ intervalSeconds: 60 }));
+    await handleApiModulesConfig(
+      makeReq("/api/modules/runner/config", {
+        headers: { authorization: `Bearer ${bearer}` },
+      }),
+      { short: "runner", suffix: "" },
+      {
+        db: h.db,
+        issuer: ISSUER,
+        manifestPath: h.manifestPath,
+        upstreamFetch: upstream.fetchFn,
+      },
+    );
+    expect(upstream.calls[0]?.url).toBe("http://127.0.0.1:1945/.parachute/config");
+  });
+
+  test("runner PUT /config also routes bare with body", async () => {
+    writeManifest(h.manifestPath, [
+      {
+        name: "parachute-runner",
+        port: 1945,
+        paths: ["/runner", "/.parachute"],
+        health: "/runner/healthz",
+        version: "0.1.0",
+        stripPrefix: false,
+      },
+    ]);
+    const bearer = await mintBearer(h, [API_MODULES_CONFIG_REQUIRED_SCOPE]);
+    const upstream = makeFakeUpstream(() => Response.json({ restart_required: [] }));
+    await handleApiModulesConfig(
+      makeReq("/api/modules/runner/config", {
+        method: "PUT",
+        headers: {
+          authorization: `Bearer ${bearer}`,
+          "content-type": "application/json",
+        },
+        body: JSON.stringify({ intervalSeconds: 120 }),
+      }),
+      { short: "runner", suffix: "" },
+      {
+        db: h.db,
+        issuer: ISSUER,
+        manifestPath: h.manifestPath,
+        upstreamFetch: upstream.fetchFn,
+      },
+    );
+    const call = upstream.calls[0];
+    if (!call) throw new Error("upstream not called");
+    expect(call.url).toBe("http://127.0.0.1:1945/.parachute/config");
+    expect(call.method).toBe("PUT");
+    expect(call.body).toBe(JSON.stringify({ intervalSeconds: 120 }));
+  });
+
+  test("runner fallback (no services.json entry) — picks up /.parachute from FIRST_PARTY_FALLBACKS paths", async () => {
+    // bun-link / fresh-install case: the runner row isn't in services.json
+    // yet but the fallback declares the shape. resolveUpstream returns
+    // not-installed when neither the row nor the fallback can prove the
+    // module is up — so this case actually 404s. Pinned as the expected
+    // shape: hub#307 only changes the upstream-URL math, not the
+    // installed-detection contract.
+    const bearer = await mintBearer(h, [API_MODULES_CONFIG_REQUIRED_SCOPE]);
+    const res = await handleApiModulesConfig(
+      makeReq("/api/modules/runner/config", {
+        headers: { authorization: `Bearer ${bearer}` },
+      }),
+      { short: "runner", suffix: "" },
+      {
+        db: h.db,
+        issuer: ISSUER,
+        manifestPath: h.manifestPath,
+      },
+    );
+    expect(res.status).toBe(404);
+    const body = (await res.json()) as { error: string };
+    expect(body.error).toBe("module_not_installed");
+  });
+
+  test("vault (stripPrefix:false, no /.parachute in paths) — keeps /vault/<name> prefix (unchanged)", async () => {
+    // Vault's `.parachute/config` is per-vault, scoped under the
+    // `/vault/<name>` mount. Routing it bare would lose the vault-name
+    // context. This test pins that hub#307 doesn't regress vault.
+    writeManifest(h.manifestPath, [
+      {
+        name: "parachute-vault",
+        port: 1940,
+        paths: ["/vault/default"],
+        health: "/vault/default/health",
+        version: "0.5.0",
+      },
+    ]);
+    const bearer = await mintBearer(h, [API_MODULES_CONFIG_REQUIRED_SCOPE]);
+    const upstream = makeFakeUpstream(() => Response.json({ type: "object", properties: {} }));
+    await handleApiModulesConfig(
+      makeReq("/api/modules/vault/config/schema", {
+        headers: { authorization: `Bearer ${bearer}` },
+      }),
+      { short: "vault", suffix: "schema" },
+      {
+        db: h.db,
+        issuer: ISSUER,
+        manifestPath: h.manifestPath,
+        upstreamFetch: upstream.fetchFn,
+      },
+    );
+    // Preserved mount — same as pre-hub#307.
+    expect(upstream.calls[0]?.url).toBe(
+      "http://127.0.0.1:1940/vault/default/.parachute/config/schema",
+    );
+  });
+
+  test("scribe (stripPrefix:true) — bare URL preserved (unchanged)", async () => {
+    // Pre-hub#307: stripPrefix:true produced /.parachute/config (via the
+    // stripPrefix branch). Post-fix: same result via the hostsBareParachute
+    // branch when /.parachute is in paths, or via the stripPrefix branch
+    // when it isn't. Scribe ships `paths: ["/scribe"]` (no /.parachute),
+    // so it takes the stripPrefix branch. Either way, the upstream URL is
+    // identical to pre-fix behavior.
+    writeManifest(h.manifestPath, [
+      {
+        name: "parachute-scribe",
+        port: 1943,
+        paths: ["/scribe"],
+        health: "/health",
+        version: "0.4.0",
+        stripPrefix: true,
+      },
+    ]);
+    const bearer = await mintBearer(h, [API_MODULES_CONFIG_REQUIRED_SCOPE]);
+    const upstream = makeFakeUpstream(() => Response.json({ type: "object", properties: {} }));
+    await handleApiModulesConfig(
+      makeReq("/api/modules/scribe/config/schema", {
+        headers: { authorization: `Bearer ${bearer}` },
+      }),
+      { short: "scribe", suffix: "schema" },
+      {
+        db: h.db,
+        issuer: ISSUER,
+        manifestPath: h.manifestPath,
+        upstreamFetch: upstream.fetchFn,
+      },
+    );
+    // Unchanged from pre-hub#307.
+    expect(upstream.calls[0]?.url).toBe("http://127.0.0.1:1943/.parachute/config/schema");
+  });
+
+  test("mixed: stripPrefix:false module with both /custom and /.parachute → bare for protocol, prefix for others", async () => {
+    // The hostsBareParachute branch only governs the `/.parachute/config*`
+    // proxy here. Other proxy code-paths (the generic services-proxy in
+    // hub-server.ts) handle non-protocol requests; this surface only ever
+    // forwards to `/.parachute/config[/schema]`, so verifying just that
+    // route is the right scope.
+    writeManifest(h.manifestPath, [
+      {
+        name: "parachute-runner",
+        port: 1945,
+        // Order doesn't matter for hostsBareParachute detection.
+        paths: ["/.parachute", "/runner"],
+        health: "/runner/healthz",
+        version: "0.1.0",
+        stripPrefix: false,
+      },
+    ]);
+    const bearer = await mintBearer(h, [API_MODULES_CONFIG_REQUIRED_SCOPE]);
+    const upstream = makeFakeUpstream(() => Response.json({ type: "object", properties: {} }));
+    await handleApiModulesConfig(
+      makeReq("/api/modules/runner/config/schema", {
+        headers: { authorization: `Bearer ${bearer}` },
+      }),
+      { short: "runner", suffix: "schema" },
+      {
+        db: h.db,
+        issuer: ISSUER,
+        manifestPath: h.manifestPath,
+        upstreamFetch: upstream.fetchFn,
+      },
+    );
+    expect(upstream.calls[0]?.url).toBe("http://127.0.0.1:1945/.parachute/config/schema");
+  });
+});