@openparachute/hub 0.5.13-rc.39 → 0.5.13-rc.40

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openparachute/hub",
-  "version": "0.5.13-rc.39",
+  "version": "0.5.13-rc.40",
   "description": "parachute — the local hub for the Parachute ecosystem (discovery, ports, lifecycle, soon OAuth).",
   "license": "AGPL-3.0",
   "publishConfig": {

package/src/__tests__/api-modules.test.ts

@@ -519,7 +519,7 @@ describe("GET /api/modules", () => {
             techne: {
               displayName: "Techne",
               path: "/vault/techne",
-              status: "pending-oauth",
+              status: "pending",
             },
           },
         },
@@ -566,7 +566,7 @@ describe("GET /api/modules", () => {
           icon_url: null,
           version: null,
           oauth_client_id: null,
-          status: "pending-oauth",
+          status: "pending",
         },
       ]);
       // Other curated rows stay empty — uis is per-row, not global.
@@ -590,7 +590,7 @@ describe("GET /api/modules", () => {
               iconUrl: "/vault/full/icon.svg",
               version: "0.3.1",
               oauthClientId: "c1",
-              status: "disabled",
+              status: "inactive",
             },
           },
         },
@@ -626,9 +626,61 @@ describe("GET /api/modules", () => {
         icon_url: "/vault/full/icon.svg",
         version: "0.3.1",
         oauth_client_id: "c1",
-        status: "disabled",
+        status: "inactive",
       });
     });
+
+    test("legacy `pending-oauth` / `disabled` status values normalize to canonical vocab on the wire (workstream F back-compat)", async () => {
+      // Workstream F unifies the SPA / CLI / well-known state vocab onto
+      // `active | pending | inactive | failing`. Old modules / SDKs may
+      // still write the pre-F values to services.json (`pending-oauth`,
+      // `disabled`). `services-manifest.ts` normalizes on read so every
+      // downstream emit (this API, well-known doc) sees the canonical
+      // form. Pins that boundary normalization end-to-end here.
+      writeManifest(h.manifestPath, [
+        {
+          name: "parachute-vault",
+          port: 1940,
+          paths: ["/vault/default"],
+          health: "/vault/default/health",
+          version: "0.4.5",
+          uis: {
+            legacy_pending: {
+              displayName: "Legacy Pending",
+              path: "/vault/legacy-pending",
+              // biome-ignore lint/suspicious/noExplicitAny: deliberately
+              // writing the pre-F legacy alias to pin the normalization
+              // boundary; the schema accepts it on read.
+              status: "pending-oauth" as any,
+            },
+            legacy_disabled: {
+              displayName: "Legacy Disabled",
+              path: "/vault/legacy-disabled",
+              // biome-ignore lint/suspicious/noExplicitAny: same as above.
+              status: "disabled" as any,
+            },
+          },
+        },
+      ]);
+      const bearer = await mintBearer(h, [API_MODULES_REQUIRED_SCOPE]);
+      const res = await handleApiModules(getReq({ authorization: `Bearer ${bearer}` }), {
+        db: h.db,
+        issuer: ISSUER,
+        manifestPath: h.manifestPath,
+        fetchLatestVersion: async () => null,
+      });
+      const body = (await res.json()) as {
+        modules: Array<{
+          short: string;
+          uis: Array<{ name: string; status: string | null }>;
+        }>;
+      };
+      const vault = body.modules.find((m) => m.short === "vault");
+      const pending = vault?.uis.find((u) => u.name === "legacy_pending");
+      const inactive = vault?.uis.find((u) => u.name === "legacy_disabled");
+      expect(pending?.status).toBe("pending");
+      expect(inactive?.status).toBe("inactive");
+    });
   });
 });
 

package/src/__tests__/origin-check.test.ts

@@ -48,6 +48,42 @@ describe("buildHubBoundOrigins", () => {
     expect(origins.filter((o) => o === ISSUER).length).toBe(1);
   });
 
+  test("platformOrigin adds the platform-injected public URL independently of issuer (hub#375)", () => {
+    // Render injects RENDER_EXTERNAL_URL=https://<svc>.onrender.com at the
+    // container edge; if hub_settings.hub_origin was stored to a non-public
+    // URL (e.g. loopback during initial setup), the configured issuer would
+    // be loopback. The browser still POSTs from the public Render URL, so
+    // the public URL must independently land in the bound set or the
+    // operator's legitimate POSTs are rejected. Closes the failure caught
+    // on Aaron's deploy 2026-05-25 where Origin was https://...onrender.com
+    // but bound set was loopback-only.
+    const platformOrigin = "https://parachute-hub.onrender.com";
+    const origins = buildHubBoundOrigins({
+      issuer: "http://127.0.0.1:1939",
+      loopbackPort: PORT,
+      platformOrigin,
+    });
+    expect(origins).toContain(platformOrigin);
+    expect(origins).toContain("http://127.0.0.1:1939");
+  });
+
+  test("platformOrigin dedups when it matches issuer", () => {
+    // Normal Render boot path: configuredIssuer was derived from
+    // RENDER_EXTERNAL_URL in serve.ts's resolveStartupIssuer, so the
+    // resolved issuer equals platformOrigin. The set carries one entry.
+    const platformOrigin = "https://parachute-hub.onrender.com";
+    const origins = buildHubBoundOrigins({
+      issuer: platformOrigin,
+      platformOrigin,
+    });
+    expect(origins.filter((o) => o === platformOrigin).length).toBe(1);
+  });
+
+  test("undefined platformOrigin is a no-op (non-Render deploys)", () => {
+    const origins = buildHubBoundOrigins({ issuer: ISSUER });
+    expect(origins).toEqual([ISSUER]);
+  });
+
   test("malformed inputs are silently dropped", () => {
     // No URL parser crash — return whatever could be parsed. The caller
     // (resolveBoundOrigins) keeps the issuer as a baseline anyway.

package/src/__tests__/services-manifest.test.ts

@@ -257,7 +257,7 @@ describe("services-manifest", () => {
               displayName: "Unforced Brain",
               path: "/app/unforced-brain",
               oauthClientId: "client_def456",
-              status: "pending-oauth",
+              status: "pending",
             },
           },
         };
@@ -386,6 +386,79 @@ describe("services-manifest", () => {
       }
     });
 
+    test("normalizes legacy `pending-oauth` → `pending` on read (workstream F back-compat)", () => {
+      // Pre-F services may still write the legacy alias. The schema
+      // accepts it on read + normalizes to the canonical vocab so
+      // downstream emit surfaces (well-known, /api/modules, SPA) always
+      // see the canonical form. Retire after the next rc-chain alias
+      // window per design-system.md §6.
+      const { path, cleanup } = makeTempPath();
+      try {
+        const legacy: ServiceEntry = {
+          ...app,
+          uis: {
+            slug: {
+              displayName: "S",
+              path: "/app/s",
+              // biome-ignore lint/suspicious/noExplicitAny: deliberately
+              // writing the pre-F legacy alias to pin the normalization
+              // boundary; the schema accepts it on read.
+              status: "pending-oauth" as any,
+            },
+          },
+        };
+        upsertService(legacy, path);
+        const got = readManifest(path).services[0]?.uis?.slug;
+        expect(got?.status).toBe("pending");
+      } finally {
+        cleanup();
+      }
+    });
+
+    test("normalizes legacy `disabled` → `inactive` on read (workstream F back-compat)", () => {
+      const { path, cleanup } = makeTempPath();
+      try {
+        const legacy: ServiceEntry = {
+          ...app,
+          uis: {
+            slug: {
+              displayName: "S",
+              path: "/app/s",
+              // biome-ignore lint/suspicious/noExplicitAny: same as above.
+              status: "disabled" as any,
+            },
+          },
+        };
+        upsertService(legacy, path);
+        const got = readManifest(path).services[0]?.uis?.slug;
+        expect(got?.status).toBe("inactive");
+      } finally {
+        cleanup();
+      }
+    });
+
+    test("accepts new canonical states (`failing`, `inactive`)", () => {
+      // `failing` is new in workstream F (no pre-F equivalent — pre-F
+      // collapsed failing into `disabled`). `inactive` is the new
+      // canonical name for `disabled`. Both must validate.
+      const { path, cleanup } = makeTempPath();
+      try {
+        const entry: ServiceEntry = {
+          ...app,
+          uis: {
+            f: { displayName: "F", path: "/app/f", status: "failing" },
+            i: { displayName: "I", path: "/app/i", status: "inactive" },
+          },
+        };
+        upsertService(entry, path);
+        const got = readManifest(path).services[0]?.uis;
+        expect(got?.f?.status).toBe("failing");
+        expect(got?.i?.status).toBe("inactive");
+      } finally {
+        cleanup();
+      }
+    });
+
     test("rejects non-string oauthClientId", () => {
       const { path, cleanup } = makeTempPath();
       try {

package/src/__tests__/status.test.ts

@@ -62,15 +62,21 @@ describe("status", () => {
       expect(code).toBe(0);
       expect(seen).toContain("http://localhost:1940/health");
       expect(seen).toContain("http://localhost:3200/scribe/health");
+      // Header reflects the post-workstream-F column shape:
+      // SERVICE  PORT  VERSION  STATE  PID  UPTIME  LATENCY  SOURCE
       expect(lines[0]).toMatch(/SERVICE/);
+      expect(lines[0]).toMatch(/STATE/);
+      expect(lines[0]).not.toMatch(/PROCESS/);
+      expect(lines[0]).not.toMatch(/HEALTH/);
       expect(lines.some((l) => l.includes("parachute-vault"))).toBe(true);
-      expect(lines.some((l) => l.includes("ok"))).toBe(true);
+      // Healthy probe rolls up to `active` per design-system.md §6.
+      expect(lines.some((l) => /\bactive\b/.test(l))).toBe(true);
     } finally {
       cleanup();
     }
   });
 
-  test("any-failing returns 1", async () => {
+  test("any-failing returns 1 and surfaces probe detail on continuation line", async () => {
     const { path, cleanup } = makeTempPath();
     try {
       upsertService(
@@ -86,13 +92,17 @@ describe("status", () => {
         print: (l) => lines.push(l),
       });
       expect(code).toBe(1);
-      expect(lines.some((l) => l.includes("ECONNREFUSED"))).toBe(true);
+      // STATE column rolls up to `failing`.
+      expect(lines.some((l) => /\bfailing\b/.test(l))).toBe(true);
+      // The pre-F HEALTH column's detail survives on a continuation line
+      // ("  ! probe: ECONNREFUSED") so the operator can still diagnose.
+      expect(lines.some((l) => l.includes("probe:") && l.includes("ECONNREFUSED"))).toBe(true);
     } finally {
       cleanup();
     }
   });
 
-  test("http non-2xx counts as unhealthy with status code", async () => {
+  test("http non-2xx counts as failing and surfaces the code on the probe line", async () => {
     const { path, cleanup } = makeTempPath();
     try {
       upsertService(
@@ -106,13 +116,14 @@ describe("status", () => {
         print: (l) => lines.push(l),
       });
       expect(code).toBe(1);
-      expect(lines.some((l) => l.includes("http 503"))).toBe(true);
+      expect(lines.some((l) => /\bfailing\b/.test(l))).toBe(true);
+      expect(lines.some((l) => l.includes("probe: http 503"))).toBe(true);
     } finally {
       cleanup();
     }
   });
 
-  test("running process shows pid + uptime and still probes", async () => {
+  test("running + healthy probe shows STATE=active, pid + uptime", async () => {
     const { path, configDir, cleanup } = makeTempPath();
     try {
       upsertService(
@@ -129,15 +140,19 @@ describe("status", () => {
         print: (l) => lines.push(l),
       });
       expect(code).toBe(0);
-      expect(lines.some((l) => l.includes("running"))).toBe(true);
+      // Pre-F: STATE was a two-column (PROCESS=running, HEALTH=ok) split.
+      // Post-F: collapsed to one column showing `active`.
+      expect(lines.some((l) => /\bactive\b/.test(l))).toBe(true);
       expect(lines.some((l) => l.includes("4242"))).toBe(true);
-      expect(lines.some((l) => l.includes("ok"))).toBe(true);
+      // Probe-detail continuation line is suppressed for active rows
+      // (the rollup is sufficient — no need to repeat "ok").
+      expect(lines.some((l) => l.includes("probe:"))).toBe(false);
     } finally {
       cleanup();
     }
   });
 
-  test("known-stopped process skips probe and doesn't fail exit", async () => {
+  test("known-stopped process renders STATE=inactive, skips probe, exits 0", async () => {
     const { path, configDir, cleanup } = makeTempPath();
     try {
       upsertService(
@@ -159,7 +174,8 @@ describe("status", () => {
       });
       expect(code).toBe(0);
       expect(probed).toBe(false);
-      expect(lines.some((l) => l.includes("stopped"))).toBe(true);
+      // Pre-F: PROCESS=stopped. Post-F: STATE=inactive.
+      expect(lines.some((l) => /\binactive\b/.test(l))).toBe(true);
     } finally {
       cleanup();
     }

package/src/__tests__/well-known.test.ts

@@ -447,7 +447,7 @@ describe("buildWellKnown", () => {
             displayName: "Unforced Brain",
             path: "/app/unforced-brain",
             oauthClientId: "client_def456",
-            status: "pending-oauth",
+            status: "pending",
           },
         },
       };
@@ -471,7 +471,7 @@ describe("buildWellKnown", () => {
           path: "/app/unforced-brain",
           url: "https://x.example/app/unforced-brain",
           oauthClientId: "client_def456",
-          status: "pending-oauth",
+          status: "pending",
         },
       ]);
     });
@@ -553,7 +553,7 @@ describe("buildWellKnown", () => {
             version: "0.3.1",
             iconUrl: "/i.svg",
             oauthClientId: "c1",
-            status: "disabled",
+            status: "inactive",
           },
           minimal: { displayName: "Minimal", path: "/app/minimal" },
         },
@@ -568,7 +568,7 @@ describe("buildWellKnown", () => {
       expect(full?.tagline).toBe("Has it all");
       expect(full?.version).toBe("0.3.1");
       expect(full?.oauthClientId).toBe("c1");
-      expect(full?.status).toBe("disabled");
+      expect(full?.status).toBe("inactive");
       // Minimal carries only the required fields — no optional keys.
       expect(minimal).toEqual({
         name: "minimal",

package/src/commands/status.ts

@@ -82,14 +82,41 @@ function formatRow(cells: string[], widths: number[]): string {
     .trimEnd();
 }
 
+/**
+ * Canonical user-facing state vocabulary, per [parachute-patterns/patterns/
+ * design-system.md §6](../parachute-patterns/patterns/design-system.md)
+ * (workstream F). Replaces the pre-F two-column `PROCESS` (running/stopped)
+ * + `HEALTH` (ok/down/http <code>) split with a single rollup column the
+ * SPA, well-known doc, and CLI all share.
+ *
+ *   active   — process supervised, probe ok.
+ *   pending  — supervised, needs operator action (OAuth, config) — not
+ *              reached from `parachute status` today; here for completeness
+ *              so the union matches what the SPA renders.
+ *   inactive — operator-stopped or never started.
+ *   failing  — supervised but probe failed (down / non-2xx).
+ */
+type StateLabel = "active" | "pending" | "inactive" | "failing";
+
 interface StatusRow {
   service: string;
   port: string;
   version: string;
-  processLabel: string;
+  /**
+   * Canonical four-state label per design-system.md §6 — what the operator
+   * reads. Derived from the pre-F (PROCESS, HEALTH) tuple at the emit-time
+   * site so the wider supervisor pipeline doesn't have to change shape.
+   */
+  stateLabel: StateLabel | "-";
   pidLabel: string;
   uptimeLabel: string;
-  healthLabel: string;
+  /**
+   * Pre-F probe-result detail (`ok` / `http 503` / `ECONNREFUSED` / …).
+   * Kept on the row so the continuation-line context is still available
+   * when a row is `failing` and the operator wants to know why. Not a
+   * column; surfaced inline beneath the row only when non-trivial.
+   */
+  healthDetail: string;
   latencyLabel: string;
   sourceLabel: string;
   url: string | undefined;
@@ -137,7 +164,10 @@ function hubRow(
   if (proc.status === "unknown") return undefined;
   const port = readHubPort(configDir);
   const portLabel = port !== undefined ? String(port) : "-";
-  const processLabel = proc.status === "running" ? "running" : "stopped";
+  // Hub doesn't self-probe (it'd be probing itself over loopback). Treat
+  // "running pidfile" as `active` and "stopped" as `inactive` — the same
+  // STATE rollup every other row uses, just without the probe input.
+  const stateLabel: StateLabel = proc.status === "running" ? "active" : "inactive";
   const pidLabel = proc.status === "running" && proc.pid !== undefined ? String(proc.pid) : "-";
   const uptimeLabel =
     proc.status === "running" && proc.startedAt ? formatUptime(proc.startedAt, nowDate) : "-";
@@ -146,10 +176,10 @@ function hubRow(
     service: "parachute-hub (internal)",
     port: portLabel,
     version: source.livePackageVersion ?? "-",
-    processLabel,
+    stateLabel,
     pidLabel,
     uptimeLabel,
-    healthLabel: "-",
+    healthDetail: "-",
     latencyLabel: "-",
     sourceLabel: formatInstallSourceLabel(source),
     url: port !== undefined ? `http://127.0.0.1:${port}` : undefined,
@@ -194,8 +224,6 @@ export async function status(opts: StatusOpts = {}): Promise<number> {
       const short = shortNameForManifest(entry.name) ?? (entry.installDir ? entry.name : undefined);
       const proc = short ? processState(short, configDir, alive) : undefined;
 
-      const processLabel =
-        proc?.status === "running" ? "running" : proc?.status === "stopped" ? "stopped" : "-";
       const pidLabel =
         proc?.status === "running" && proc.pid !== undefined ? String(proc.pid) : "-";
       const uptimeLabel =
@@ -235,10 +263,14 @@ export async function status(opts: StatusOpts = {}): Promise<number> {
           service: entry.name,
           port: String(entry.port),
           version: entry.version,
-          processLabel,
+          // Operator deliberately stopped (or pidfile-but-dead) maps to
+          // `inactive` per design-system.md §6 — same surface as "never
+          // started." No probe is informative when we know the process
+          // is dead.
+          stateLabel: "inactive",
           pidLabel,
           uptimeLabel,
-          healthLabel: "-",
+          healthDetail: "-",
           latencyLabel: "-",
           sourceLabel,
           url,
@@ -250,19 +282,32 @@ export async function status(opts: StatusOpts = {}): Promise<number> {
       }
 
       const p = await probe(entry, fetchImpl, timeoutMs);
-      const healthLabel = p.healthy
+      const healthDetail = p.healthy
         ? "ok"
         : p.statusCode !== undefined
           ? `http ${p.statusCode}`
           : (p.error ?? "down");
+      // STATE rollup per design-system.md §6:
+      //   - probe ok                  → `active`
+      //   - probe failed              → `failing` (the probe ran, so the
+      //                                 process is up enough to answer or
+      //                                 refuse — it's failing, not stopped)
+      //   - no PID file + probe fails → `failing` too (externally-managed
+      //                                 row that's down is still "failing"
+      //                                 from the operator's view)
+      // The `pending` state isn't reachable from `parachute status` today
+      // — pending-OAuth surfaces in the admin SPA, not the CLI. If a
+      // future surface adds it (e.g. supervisor reports `pending-config`
+      // for unconfigured modules), wire it here.
+      const stateLabel: StateLabel = p.healthy ? "active" : "failing";
       return {
         service: entry.name,
         port: String(entry.port),
         version: entry.version,
-        processLabel,
+        stateLabel,
         pidLabel,
         uptimeLabel,
-        healthLabel,
+        healthDetail,
         latencyLabel: `${p.latencyMs}ms`,
         sourceLabel,
         url,
@@ -279,25 +324,20 @@ export async function status(opts: StatusOpts = {}): Promise<number> {
   const hub = hubRow(configDir, alive, nowDate, hubSrcDir, installSourceDeps);
   if (hub) rows.push(hub);
 
-  const header = [
-    "SERVICE",
-    "PORT",
-    "VERSION",
-    "PROCESS",
-    "PID",
-    "UPTIME",
-    "HEALTH",
-    "LATENCY",
-    "SOURCE",
-  ];
+  // Header per design-system.md §6 "CLI status column shape":
+  //   SERVICE  PORT  VERSION  STATE   PID  UPTIME  LATENCY  SOURCE
+  // Pre-F shape was SERVICE PORT VERSION PROCESS PID UPTIME HEALTH LATENCY
+  // SOURCE — workstream F collapses PROCESS + HEALTH into a single STATE
+  // column (both encoded the same rollup in two slots). LATENCY stays as
+  // a separate measurement column.
+  const header = ["SERVICE", "PORT", "VERSION", "STATE", "PID", "UPTIME", "LATENCY", "SOURCE"];
   const textRows = rows.map((r) => [
     r.service,
     r.port,
     r.version,
-    r.processLabel,
+    r.stateLabel,
     r.pidLabel,
     r.uptimeLabel,
-    r.healthLabel,
     r.latencyLabel,
     r.sourceLabel,
   ]);
@@ -305,18 +345,28 @@ export async function status(opts: StatusOpts = {}): Promise<number> {
     Math.max(header[i]?.length ?? 0, ...textRows.map((r) => r[i]?.length ?? 0)),
   );
   print(formatRow(header, widths));
-  // URL, drift, and stale notes stay on continuation lines rather than
-  // columns. URLs are long (vault's MCP path runs ~40 chars); SOURCE labels
-  // can be long for bun-linked rows. Spreading them across columns would
-  // push the table well past 80 cols on every install — continuation lines
-  // keep the table scannable. The "  → " / "  ! " prefixes group visually
-  // with the row above without misleading the table widths.
+  // URL, drift, stale, and probe-failure detail stay on continuation lines
+  // rather than columns. URLs are long (vault's MCP path runs ~40 chars);
+  // SOURCE labels can be long for bun-linked rows. Spreading them across
+  // columns would push the table well past 80 cols on every install —
+  // continuation lines keep the table scannable. The "  → " / "  ! "
+  // prefixes group visually with the row above without misleading the
+  // table widths.
+  //
+  // When STATE collapses to `failing`, the pre-F `HEALTH` column's detail
+  // (`http 503`, `ECONNREFUSED`, etc.) surfaces on a continuation line so
+  // the operator can still see "what kind of failing" without the column
+  // overhead. Skipped on `active` / `inactive` rows (the detail is either
+  // trivial or N/A).
   for (let i = 0; i < textRows.length; i++) {
     const cells = textRows[i];
     const row = rows[i];
     if (!cells || !row) continue;
     print(formatRow(cells, widths));
     if (row.url) print(`  → ${row.url}`);
+    if (row.stateLabel === "failing" && row.healthDetail !== "-" && row.healthDetail.length > 0) {
+      print(`  ! probe: ${row.healthDetail}`);
+    }
     if (row.driftWarning) print(`  ! ${row.driftWarning}`);
     if (row.staleNote) print(`  ! ${row.staleNote}`);
   }

package/src/help.ts

@@ -142,21 +142,36 @@ Examples:
 }
 
 export function statusHelp(): string {
-  return `parachute status — show installed services, process state, health, install source
+  return `parachute status — show installed services, run state, install source
 
 Usage:
   parachute status
 
 What it does:
   Reads ~/.parachute/services.json. For each registered service:
-    - checks PID file at ~/.parachute/<svc>/run/<svc>.pid → running/stopped
+    - checks PID file at ~/.parachute/<svc>/run/<svc>.pid
     - probes http://localhost:<port><health> (skipped for known-stopped processes)
     - classifies the install source as bun-linked (local checkout) or npm
 
-  Stopped services show "-" for health and don't count toward the exit
-  code — they're an expected state after fresh install before \`parachute
-  start\`. Running or externally-managed services that fail health checks
-  do exit 1.
+  The STATE column rolls process state + probe result into one of four
+  canonical labels (per parachute-patterns/patterns/design-system.md §6):
+    active    supervised, running, last probe ok
+    pending   supervised, needs operator action (OAuth / config) —
+              not reachable from \`parachute status\` today; surfaces in
+              the admin SPA; kept here for completeness
+    inactive  operator-stopped or never started (no probe attempted)
+    failing   supervised but probe failed (down / non-2xx); a
+              continuation line ("  ! probe: <detail>") prints the
+              underlying probe failure for diagnosis
+
+  Pre-workstream-F this column was two: PROCESS (running / stopped) and
+  HEALTH (ok / down / http <code>). Workstream F collapsed them onto the
+  single STATE column the SPA + well-known doc also speak.
+
+  Stopped services render as STATE=inactive and don't count toward the
+  exit code — they're an expected state after fresh install before
+  \`parachute start\`. Running or externally-managed services that fail
+  health checks render as STATE=failing and exit 1.
 
   A "STALE: services.json cached … live package.json …" continuation line
   appears under a row when a bun-linked service has been rebuilt but the
@@ -169,10 +184,10 @@ Exit codes:
 
 Example:
   $ parachute status
-  SERVICE          PORT  VERSION  PROCESS  PID    UPTIME  HEALTH  LATENCY  SOURCE
-  parachute-vault  1940  0.2.4    running  12345  2h 13m  ok      2ms      bun-linked → parachute-vault @ 8aa167b
+  SERVICE          PORT  VERSION  STATE   PID    UPTIME  LATENCY  SOURCE
+  parachute-vault  1940  0.2.4    active  12345  2h 13m  2ms      bun-linked → parachute-vault @ 8aa167b
     → http://127.0.0.1:1940/vault/default/mcp
-  parachute-app    1946  0.2.0    running  12346  2h 12m  ok      3ms      npm (0.2.0-rc.4)
+  parachute-app    1946  0.2.0    active  12346  2h 12m  3ms      npm (0.2.0-rc.4)
     → http://127.0.0.1:1946/app/notes
 `;
 }

package/src/hub-server.ts

@@ -1058,6 +1058,13 @@ export function hubFetch(
           issuer,
           loopbackPort,
           exposeHubOrigin: loadExposeHubOrigin(),
+          // Trust the platform-injected public URL independently of the
+          // configured issuer. On Render, an operator who set hub_origin
+          // via the admin SPA (or via a stale db row) to a non-public URL
+          // would otherwise reject legitimate browser POSTs that arrive
+          // with the public Render URL as Origin. See origin-check.ts
+          // jsdoc for the failure case this closes.
+          platformOrigin: process.env.RENDER_EXTERNAL_URL,
         }),
     };
   };

package/src/oauth-handlers.ts

@@ -1215,7 +1215,24 @@ export async function handleApproveClientPost(
       401,
     );
   }
-  if (!isSameOriginRequest(req, resolveBoundOrigins(deps))) {
+  const bound = resolveBoundOrigins(deps);
+  if (!isSameOriginRequest(req, bound)) {
+    // Diagnostic: log the headers we saw + the bound set so an operator
+    // chasing a rejection on a real deploy can see exactly what didn't
+    // match. The same-origin check is the most opaque CSRF gate — without
+    // this log, a misconfigured hub_settings.hub_origin or a proxy
+    // stripping Origin/Referer produces a flat 403 with no way to debug.
+    // Headers logged are non-sensitive (Origin/Referer/Host are public);
+    // the bound set is hub's own configuration. Body content not logged.
+    console.warn(
+      `[oauth] approve POST same-origin check failed. headers: ` +
+        `origin=${JSON.stringify(req.headers.get("origin"))} ` +
+        `referer=${JSON.stringify(req.headers.get("referer"))} ` +
+        `host=${JSON.stringify(req.headers.get("host"))} ` +
+        `xff-host=${JSON.stringify(req.headers.get("x-forwarded-host"))} ` +
+        `xff-proto=${JSON.stringify(req.headers.get("x-forwarded-proto"))}. ` +
+        `bound origins: ${JSON.stringify(bound)}`,
+    );
     return htmlError(
       "Cross-origin request rejected",
       "The approve form must be submitted from this hub's own origin.",