@openparachute/hub 0.5.13-rc.49 → 0.5.13

package/README.md

@@ -16,25 +16,49 @@ bun add -g @openparachute/hub
 
 Prereqs: [Bun](https://bun.sh) 1.3.0 or later. `parachute expose` also requires [Tailscale](https://tailscale.com/download) **1.82 or newer** (installed + `tailscale up` run once); the `expose` path is under active polish for launch, so expect rough edges.
 
-### Hosted (Render)
+### Hosted self-deploy
 
-[![Deploy to Render](https://render.com/images/deploy-to-render-button.svg)](https://render.com/deploy?repo=https://github.com/ParachuteComputer/parachute-hub)
+Hub runs as a single container with one persistent disk. Two equally-supported platforms; pick the one you prefer.
+
+#### Render
 
-One-click Render deploy via the `render.yaml` Blueprint in this repo. Provisions a $7/mo Starter service + 1 GiB persistent disk + auto-deploys from `main`. Comes pre-configured with `PARACHUTE_INSTALL_CHANNEL=latest` so modules you install via the admin SPA (vault, app, scribe, runner) pull stable releases by default.
+[![Deploy to Render](https://render.com/images/deploy-to-render-button.svg)](https://render.com/deploy?repo=https://github.com/ParachuteComputer/parachute-hub)
 
-**Want pre-release / rc modules?** Set `PARACHUTE_INSTALL_CHANNEL=rc` in your Render dashboard env vars (useful for dev/testing against the rc release line).
+One-click Render deploy via the `render.yaml` Blueprint in this repo. Provisions a $7/mo Starter service + 1 GiB persistent disk + auto-deploys from `main`. GUI-first ops; click-and-go for operators who don't want to install a CLI.
 
 After deploy completes:
 
-1. Open Render Logs → search for `parachute-bootstrap-` to find your one-time admin setup token (printed in a prominent banner on first boot).
+1. Open Render Logs → search for `parachute-bootstrap-` to find your one-time admin setup token.
 2. Visit your Render service URL's `/admin/setup` → paste the token → create your admin account.
 3. Set custom domain (optional) → set `PARACHUTE_HUB_ORIGIN` env to match.
-4. Install modules via the admin SPA at `/admin/modules` (or via the wizard).
-
-Operators who want env-var-driven seeding (CI, scripted deploys) can still set `PARACHUTE_INITIAL_ADMIN_USERNAME` + `PARACHUTE_INITIAL_ADMIN_PASSWORD` manually in the Render dashboard — hub honors them when present.
+4. Install modules via the admin SPA at `/admin/modules`.
 
 Render's docs on Blueprints: <https://render.com/docs/blueprint-spec>
 
+#### Fly.io
+
+```sh
+gh repo fork ParachuteComputer/parachute-hub --clone && cd parachute-hub
+./scripts/deploy-to-fly.sh
+```
+
+The script installs `flyctl` if missing, runs `fly launch --copy-config`, and prints the URL. Provisions a shared-cpu-1x 512MB machine in `iad` (override with `--region` if your operators are elsewhere) + 1 GiB persistent volume at `/parachute`. Cost: ~$3.34/mo all-in.
+
+After deploy:
+
+1. `fly logs --app <your-app> | grep parachute-bootstrap-` to find your one-time admin token.
+2. Visit `https://<your-app>.fly.dev/admin/setup` → paste the token → create your admin account.
+3. Custom domain: `fly certs add <your-domain> --app <your-app>` then `fly secrets set PARACHUTE_HUB_ORIGIN=https://<your-domain>`.
+4. Install modules via the admin SPA at `/admin/modules`.
+
+Config in `fly.toml`. CLI-first ops; bring your own `flyctl`.
+
+#### Both platforms
+
+Pre-configured with `PARACHUTE_INSTALL_CHANNEL=latest` so modules you install via the admin SPA (vault, app, scribe, runner) pull stable releases by default. Flip to `rc` in your platform's env vars for the pre-release cascade.
+
+Operators who want env-var-driven seeding (CI, scripted deploys) can still set `PARACHUTE_INITIAL_ADMIN_USERNAME` + `PARACHUTE_INITIAL_ADMIN_PASSWORD` manually — hub honors them on both platforms.
+
 ## First 5 minutes
 
 ```sh

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openparachute/hub",
-  "version": "0.5.13-rc.49",
+  "version": "0.5.13",
   "description": "parachute — the local hub for the Parachute ecosystem (discovery, ports, lifecycle, soon OAuth).",
   "license": "AGPL-3.0",
   "publishConfig": {

package/src/__tests__/hub-server.test.ts

@@ -3418,6 +3418,35 @@ describe("parseArgs — issuer env precedence (hub#365)", () => {
     // Bare slash collapses to empty after strip — must not become "" issuer.
     expect(parseArgs([], { RENDER_EXTERNAL_URL: "/" }).issuer).toBeUndefined();
   });
+
+  // Fly.io self-host path (patterns#100 / parachute.computer#62).
+  test("FLY_APP_NAME composes https://<app>.fly.dev as fallback issuer", () => {
+    const got = parseArgs([], { FLY_APP_NAME: "my-parachute" });
+    expect(got.issuer).toBe("https://my-parachute.fly.dev");
+  });
+
+  test("PARACHUTE_HUB_ORIGIN wins over FLY_APP_NAME (operator with custom domain)", () => {
+    const got = parseArgs([], {
+      PARACHUTE_HUB_ORIGIN: "https://hub.example",
+      FLY_APP_NAME: "my-parachute",
+    });
+    expect(got.issuer).toBe("https://hub.example");
+  });
+
+  test("RENDER_EXTERNAL_URL wins over FLY_APP_NAME (pathological co-set)", () => {
+    // Both Render and Fly are unlikely to be set in the same env, but if a
+    // weird container ever passes both, the existing Render branch wins.
+    // Documents the precedence rather than asserting any product behavior.
+    const got = parseArgs([], {
+      RENDER_EXTERNAL_URL: "https://app.onrender.com",
+      FLY_APP_NAME: "my-parachute",
+    });
+    expect(got.issuer).toBe("https://app.onrender.com");
+  });
+
+  test("FLY_APP_NAME empty string → no fallback (treat as unset)", () => {
+    expect(parseArgs([], { FLY_APP_NAME: "" }).issuer).toBeUndefined();
+  });
 });
 
 describe("hubFetch persistent chrome strip injection (workstream G)", () => {

package/src/__tests__/oauth-handlers.test.ts

@@ -4545,6 +4545,194 @@ describe("inline approve button on pending /oauth/authorize (#208)", () => {
       cleanup();
     }
   });
+
+  // Deny path tests (hub#390). The shared describe block above pins the
+  // approve path's security model; these tests pin that the deny path
+  // honors the same guards AND constructs a spec-shaped error redirect.
+
+  test("deny POST happy path: valid redirect_uri + state → 302 to client with access_denied", async () => {
+    const { db, cleanup } = await makeDb();
+    try {
+      const user = await createUser(db, "owner", "pw");
+      const session = createSession(db, { userId: user.id });
+      const reg = registerClient(db, {
+        redirectUris: ["https://app.example/cb"],
+        status: "pending",
+      });
+      const form = new URLSearchParams({
+        __csrf: TEST_CSRF,
+        client_id: reg.client.clientId,
+        return_to: `/oauth/authorize?client_id=${reg.client.clientId}`,
+        decision: "deny",
+        redirect_uri: "https://app.example/cb",
+        state: "deny-state-abc",
+      });
+      const req = new Request(`${ISSUER}/oauth/authorize/approve`, {
+        method: "POST",
+        body: form,
+        headers: {
+          "content-type": "application/x-www-form-urlencoded",
+          cookie: `${CSRF_COOKIE}; ${buildSessionCookie(session.id, SESSION_COOKIE_TTL_S)}`,
+          origin: ISSUER,
+        },
+      });
+      const res = await handleApproveClientPost(db, req, { issuer: ISSUER });
+      expect(res.status).toBe(302);
+      const loc = res.headers.get("location") ?? "";
+      const target = new URL(loc);
+      expect(target.origin).toBe("https://app.example");
+      expect(target.pathname).toBe("/cb");
+      expect(target.searchParams.get("error")).toBe("access_denied");
+      expect(target.searchParams.get("state")).toBe("deny-state-abc");
+      // Client row stays pending — deny does not mutate.
+      expect(getClient(db, reg.client.clientId)?.status).toBe("pending");
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("deny POST: no state in form → redirect omits state param (spec-compliant)", async () => {
+    const { db, cleanup } = await makeDb();
+    try {
+      const user = await createUser(db, "owner", "pw");
+      const session = createSession(db, { userId: user.id });
+      const reg = registerClient(db, {
+        redirectUris: ["https://app.example/cb"],
+        status: "pending",
+      });
+      const form = new URLSearchParams({
+        __csrf: TEST_CSRF,
+        client_id: reg.client.clientId,
+        return_to: `/oauth/authorize?client_id=${reg.client.clientId}`,
+        decision: "deny",
+        redirect_uri: "https://app.example/cb",
+      });
+      const req = new Request(`${ISSUER}/oauth/authorize/approve`, {
+        method: "POST",
+        body: form,
+        headers: {
+          "content-type": "application/x-www-form-urlencoded",
+          cookie: `${CSRF_COOKIE}; ${buildSessionCookie(session.id, SESSION_COOKIE_TTL_S)}`,
+          origin: ISSUER,
+        },
+      });
+      const res = await handleApproveClientPost(db, req, { issuer: ISSUER });
+      expect(res.status).toBe(302);
+      const target = new URL(res.headers.get("location") ?? "");
+      expect(target.searchParams.get("error")).toBe("access_denied");
+      expect(target.searchParams.has("state")).toBe(false);
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("deny POST: redirect_uri not in client's registered URIs → 400 (open-redirect defense)", async () => {
+    const { db, cleanup } = await makeDb();
+    try {
+      const user = await createUser(db, "owner", "pw");
+      const session = createSession(db, { userId: user.id });
+      const reg = registerClient(db, {
+        redirectUris: ["https://app.example/cb"],
+        status: "pending",
+      });
+      const form = new URLSearchParams({
+        __csrf: TEST_CSRF,
+        client_id: reg.client.clientId,
+        return_to: `/oauth/authorize?client_id=${reg.client.clientId}`,
+        decision: "deny",
+        // attacker-controlled redirect_uri
+        redirect_uri: "https://attacker.example/grab",
+        state: "x",
+      });
+      const req = new Request(`${ISSUER}/oauth/authorize/approve`, {
+        method: "POST",
+        body: form,
+        headers: {
+          "content-type": "application/x-www-form-urlencoded",
+          cookie: `${CSRF_COOKIE}; ${buildSessionCookie(session.id, SESSION_COOKIE_TTL_S)}`,
+          origin: ISSUER,
+        },
+      });
+      const res = await handleApproveClientPost(db, req, { issuer: ISSUER });
+      expect(res.status).toBe(400);
+      // No mutation, no redirect to attacker.
+      expect(res.headers.get("location")).toBeNull();
+      expect(getClient(db, reg.client.clientId)?.status).toBe("pending");
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("deny POST: CSRF + session + same-origin guards apply to deny path too", async () => {
+    const { db, cleanup } = await makeDb();
+    try {
+      const user = await createUser(db, "owner", "pw");
+      const session = createSession(db, { userId: user.id });
+      const reg = registerClient(db, {
+        redirectUris: ["https://app.example/cb"],
+        status: "pending",
+      });
+      const form = new URLSearchParams({
+        __csrf: TEST_CSRF,
+        client_id: reg.client.clientId,
+        return_to: `/oauth/authorize?client_id=${reg.client.clientId}`,
+        decision: "deny",
+        redirect_uri: "https://app.example/cb",
+        state: "x",
+      });
+      // Cross-origin Origin header — same defense as approve path.
+      const req = new Request(`${ISSUER}/oauth/authorize/approve`, {
+        method: "POST",
+        body: form,
+        headers: {
+          "content-type": "application/x-www-form-urlencoded",
+          cookie: `${CSRF_COOKIE}; ${buildSessionCookie(session.id, SESSION_COOKIE_TTL_S)}`,
+          origin: "https://attacker.example",
+        },
+      });
+      const res = await handleApproveClientPost(db, req, { issuer: ISSUER });
+      expect(res.status).toBe(403);
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("approve POST: explicit decision=approve still works (no regression)", async () => {
+    // Back-compat: forms that explicitly carry decision=approve should
+    // continue to flip the client to approved + redirect to return_to.
+    // Pre-deny PR the field didn't exist; the new form sends it explicitly.
+    const { db, cleanup } = await makeDb();
+    try {
+      const user = await createUser(db, "owner", "pw");
+      const session = createSession(db, { userId: user.id });
+      const reg = registerClient(db, {
+        redirectUris: ["https://app.example/cb"],
+        status: "pending",
+      });
+      const returnTo = `/oauth/authorize?client_id=${reg.client.clientId}&state=rt-208`;
+      const form = new URLSearchParams({
+        __csrf: TEST_CSRF,
+        client_id: reg.client.clientId,
+        return_to: returnTo,
+        decision: "approve",
+      });
+      const req = new Request(`${ISSUER}/oauth/authorize/approve`, {
+        method: "POST",
+        body: form,
+        headers: {
+          "content-type": "application/x-www-form-urlencoded",
+          cookie: `${CSRF_COOKIE}; ${buildSessionCookie(session.id, SESSION_COOKIE_TTL_S)}`,
+          origin: ISSUER,
+        },
+      });
+      const res = await handleApproveClientPost(db, req, { issuer: ISSUER });
+      expect(res.status).toBe(302);
+      expect(res.headers.get("location")).toBe(returnTo);
+      expect(getClient(db, reg.client.clientId)?.status).toBe("approved");
+    } finally {
+      cleanup();
+    }
+  });
 });
 
 // DCR first-client auto-approve window (hub#268 Item 3). The wizard's

package/src/__tests__/oauth-ui.test.ts

@@ -511,7 +511,11 @@ describe("renderApprovePending unauthenticated CTAs", () => {
   test("admin-authenticated branch hides the unauth CTAs and renders the inline approve form", () => {
     const html = renderApprovePending({
       ...COMMON,
-      approveForm: { csrfToken: CSRF, returnTo: "/oauth/authorize?client_id=client-xyz" },
+      approveForm: {
+        csrfToken: CSRF,
+        returnTo: "/oauth/authorize?client_id=client-xyz",
+        redirectUri: "https://client.example/cb",
+      },
     });
     expect(html).toContain('action="/oauth/authorize/approve"');
     // Workstream I, 2026-05-25 — button label "Approve and continue"
@@ -522,6 +526,39 @@ describe("renderApprovePending unauthenticated CTAs", () => {
     expect(html).not.toContain("Or send this link to your hub admin");
     expect(html).not.toContain("parachute auth approve-client");
   });
+
+  test("authed branch renders Deny button + hidden inputs for redirect_uri / state (hub#390)", () => {
+    const html = renderApprovePending({
+      ...COMMON,
+      approveForm: {
+        csrfToken: CSRF,
+        returnTo: "/oauth/authorize?client_id=client-xyz",
+        redirectUri: "https://client.example/cb",
+        state: "abc-state",
+      },
+    });
+    // Both buttons present, distinguished by decision value.
+    expect(html).toContain('name="decision" value="approve"');
+    expect(html).toContain('name="decision" value="deny"');
+    expect(html).toContain(">Deny</button>");
+    // Hidden inputs carry redirect_uri + state for the deny handler.
+    expect(html).toContain('name="redirect_uri" value="https://client.example/cb"');
+    expect(html).toContain('name="state" value="abc-state"');
+  });
+
+  test("authed branch omits state hidden input when state is undefined (spec-allowed)", () => {
+    const html = renderApprovePending({
+      ...COMMON,
+      approveForm: {
+        csrfToken: CSRF,
+        returnTo: "/oauth/authorize?client_id=client-xyz",
+        redirectUri: "https://client.example/cb",
+        // state intentionally absent
+      },
+    });
+    expect(html).toContain('name="redirect_uri" value="https://client.example/cb"');
+    expect(html).not.toContain('name="state"');
+  });
 });
 
 describe("renderApprovePending scope display (wildcard substitution)", () => {
@@ -612,7 +649,11 @@ describe("renderApprovePending scope display (wildcard substitution)", () => {
     const html = renderApprovePending({
       ...COMMON,
       requestedScopes: ["vault:read", "vault:write"],
-      approveForm: { csrfToken: CSRF, returnTo: "/oauth/authorize?client_id=client-xyz" },
+      approveForm: {
+        csrfToken: CSRF,
+        returnTo: "/oauth/authorize?client_id=client-xyz",
+        redirectUri: "https://client.example/cb",
+      },
     });
     expect(html).toContain('action="/oauth/authorize/approve"');
     expect(html).toMatch(/<code class="scope-name">vault:\*:read<\/code>/);

package/src/__tests__/scope-registry.test.ts

@@ -217,4 +217,49 @@ describe("loadDeclaredScopes", () => {
       cleanup();
     }
   });
+
+  test("one bad row in services.json — valid siblings' scopes still declared", () => {
+    // Regression for hub#411/#413/#415 lenient sweep: pre-sweep the reader
+    // threw on any bad row, the catch fired in loadDeclaredScopes, and we
+    // returned just FIRST_PARTY_SCOPES — dropping declared scopes from
+    // every VALID third-party module installed alongside the bad row.
+    // After the sweep we keep valid rows and skip the bad one with a warning.
+    const { manifestPath, cleanup } = tmp();
+    try {
+      writeFileSync(
+        manifestPath,
+        JSON.stringify({
+          services: [
+            // Bad row: port=0 violates the integer 1..65535 rule (the exact
+            // shape app@0.2.0-rc.4 wrote to operators' manifests).
+            {
+              name: "broken-module",
+              port: 0,
+              paths: ["/broken"],
+              health: "/healthz",
+              version: "0.0.1",
+            },
+            // Valid sibling.
+            {
+              name: "@acme/widget",
+              port: 1950,
+              paths: ["/widget"],
+              health: "/healthz",
+              version: "0.0.0-linked",
+            },
+          ],
+        }),
+      );
+      const declared = loadDeclaredScopes({
+        manifestPath,
+        readModuleScopes: (pkg) =>
+          pkg === "@acme/widget" ? ["widget:read", "widget:write"] : null,
+      });
+      expect(declared.has("vault:read")).toBe(true); // baseline
+      expect(declared.has("widget:read")).toBe(true); // valid sibling's scope survives
+      expect(declared.has("widget:write")).toBe(true);
+    } finally {
+      cleanup();
+    }
+  });
 });

package/src/__tests__/serve.test.ts

@@ -308,4 +308,44 @@ describe("resolveStartupIssuer — precedence chain (hub#365)", () => {
     // origin, which is the same as not setting it at all).
     expect(resolveStartupIssuer({}, { PARACHUTE_HUB_ORIGIN: "/" })).toBeUndefined();
   });
+
+  // Fly.io self-host path (patterns#100). resolveStartupIssuer is the
+  // function that injects PARACHUTE_HUB_ORIGIN into every supervised module's
+  // env. Without a Fly branch here, vault/scribe/app on Fly without a custom
+  // domain get undefined → OAuth iss-mismatch on every token hub mints.
+  test("FLY_APP_NAME composes https://<app>.fly.dev as fallback issuer", () => {
+    const got = resolveStartupIssuer({}, { FLY_APP_NAME: "my-parachute" });
+    expect(got).toBe("https://my-parachute.fly.dev");
+  });
+
+  test("PARACHUTE_HUB_ORIGIN wins over FLY_APP_NAME (operator with custom domain)", () => {
+    const got = resolveStartupIssuer(
+      {},
+      {
+        PARACHUTE_HUB_ORIGIN: "https://hub.example",
+        FLY_APP_NAME: "my-parachute",
+      },
+    );
+    expect(got).toBe("https://hub.example");
+  });
+
+  test("RENDER_EXTERNAL_URL wins over FLY_APP_NAME (pathological co-set)", () => {
+    const got = resolveStartupIssuer(
+      {},
+      {
+        RENDER_EXTERNAL_URL: "https://app.onrender.com",
+        FLY_APP_NAME: "my-parachute",
+      },
+    );
+    expect(got).toBe("https://app.onrender.com");
+  });
+
+  test("FLY_APP_NAME with slash rejected (defensive — Fly slugs don't contain /)", () => {
+    expect(resolveStartupIssuer({}, { FLY_APP_NAME: "a/b" })).toBeUndefined();
+    expect(resolveStartupIssuer({}, { FLY_APP_NAME: "../etc/passwd" })).toBeUndefined();
+  });
+
+  test("FLY_APP_NAME empty string → no fallback", () => {
+    expect(resolveStartupIssuer({}, { FLY_APP_NAME: "" })).toBeUndefined();
+  });
 });

package/src/__tests__/setup-wizard.test.ts

@@ -3029,3 +3029,35 @@ describe("detectAutoExposeMode — Render env detection edge cases (hub#407 nit)
     expect(detectAutoExposeMode({ RENDER_EXTERNAL_URL: undefined })).toBeUndefined();
   });
 });
+
+describe("detectAutoExposeMode — Fly env detection (patterns#100)", () => {
+  test("returns 'public' when FLY_APP_NAME is a plausible app slug", () => {
+    expect(detectAutoExposeMode({ FLY_APP_NAME: "my-parachute" })).toBe("public");
+  });
+
+  test("returns 'public' when FLY_APP_NAME is the only platform var set", () => {
+    expect(detectAutoExposeMode({ FLY_APP_NAME: "demo-hub" })).toBe("public");
+  });
+
+  test("returns undefined when FLY_APP_NAME is absent", () => {
+    expect(detectAutoExposeMode({})).toBeUndefined();
+  });
+
+  test("returns undefined when FLY_APP_NAME is empty", () => {
+    expect(detectAutoExposeMode({ FLY_APP_NAME: "" })).toBeUndefined();
+  });
+
+  test("rejects FLY_APP_NAME with a slash (defensive — Fly slugs don't contain /)", () => {
+    expect(detectAutoExposeMode({ FLY_APP_NAME: "../etc/passwd" })).toBeUndefined();
+    expect(detectAutoExposeMode({ FLY_APP_NAME: "a/b" })).toBeUndefined();
+  });
+
+  test("Render takes precedence when both are set (pathological co-set)", () => {
+    expect(
+      detectAutoExposeMode({
+        RENDER_EXTERNAL_URL: "https://app.onrender.com",
+        FLY_APP_NAME: "my-parachute",
+      }),
+    ).toBe("public");
+  });
+});

package/src/api-account.ts

@@ -249,7 +249,7 @@ export async function handleAccountChangePasswordPost(
   // grind window against argon2id. Same 429 + Retry-After shape as
   // /login (admin-handlers.ts), with the re-rendered form body so the
   // signed-in user sees a coherent page rather than a bare error chrome.
-  const rlNow = deps.now ? deps.now() : new Date();
+  const rlNow = (deps.now ?? (() => new Date()))();
   const gate = changePasswordRateLimiter.checkAndRecord(user.id, rlNow);
   if (!gate.allowed) {
     return htmlResponse(

package/src/api-modules-ops.ts

@@ -48,7 +48,11 @@ import {
   getSpec,
   synthesizeManifestForKnownModule,
 } from "./service-spec.ts";
-import { findService, readManifest, removeService } from "./services-manifest.ts";
+import {
+  findService,
+  readManifestLenient,
+  removeService,
+} from "./services-manifest.ts";
 import type { ModuleState, SpawnRequest, Supervisor } from "./supervisor.ts";
 import { WELL_KNOWN_PATH, type regenerateWellKnown } from "./well-known.ts";
 
@@ -359,8 +363,8 @@ function resolveApiInstallChannel(
       );
     }
   }
-  // 3. Admin-toggle setting (hub#275). Seeds from `PARACHUTE_MODULE_CHANNEL`
-  // on first read; after that the row is source of truth.
+  // 3. Admin-toggle setting (hub#275). Default for the OS process when no env
+  // override (#2) is set — see `getModuleInstallChannel` for the DB seed/read.
   return getModuleInstallChannel(deps.db);
 }
 
@@ -396,7 +400,8 @@ async function spawnSupervised(
   spec: ServiceSpec,
   deps: ApiModulesOpsDeps,
 ): Promise<ModuleState | undefined> {
-  const manifest = readManifest(deps.manifestPath);
+  // Lenient: one bad row elsewhere shouldn't block spawning a valid one.
+  const manifest = readManifestLenient(deps.manifestPath);
   const entry = manifest.services.find((s) => s.name === spec.manifestName);
   if (!entry) return undefined;
   const cmd = spec.startCmd?.(entry);
@@ -785,8 +790,9 @@ export async function handleUninstall(
   const stopped = await deps.supervisor.stop(short);
   log.push(stopped ? `${short} supervisor stopped` : `${short} not supervised`);
 
-  // 2. Drop the services.json row (idempotent — readManifest is empty if missing).
-  const before = readManifest(deps.manifestPath);
+  // 2. Drop the services.json row (idempotent — readManifestLenient is empty if missing).
+  // Lenient so a malformed sibling row doesn't block uninstall of an unrelated module.
+  const before = readManifestLenient(deps.manifestPath);
   if (before.services.some((s) => s.name === spec.manifestName)) {
     removeService(spec.manifestName, deps.manifestPath);
     log.push(`removed ${spec.manifestName} from services.json`);

package/src/commands/serve-boot.ts

@@ -26,7 +26,7 @@ import {
   getSpecFromInstallDir,
   shortNameForManifest,
 } from "../service-spec.ts";
-import { type ServiceEntry, readManifest } from "../services-manifest.ts";
+import { type ServiceEntry, readManifestLenient } from "../services-manifest.ts";
 import type { Supervisor } from "../supervisor.ts";
 
 export interface BootOpts {
@@ -57,7 +57,10 @@ export async function bootSupervisedModules(
   opts: BootOpts,
 ): Promise<BootedModule[]> {
   const log = opts.log ?? (() => {});
-  const manifest = readManifest(opts.manifestPath);
+  // Lenient: a single bad row shouldn't prevent the supervisor from booting
+  // the rest of the services. The container deploy hot path depends on this —
+  // we'd rather have N-1 modules up + one warning than zero modules up.
+  const manifest = readManifestLenient(opts.manifestPath);
   const results: BootedModule[] = [];
 
   for (const entry of manifest.services) {

package/src/commands/serve.ts

@@ -117,11 +117,13 @@ function parsePort(raw: string | undefined): number | undefined {
  * Precedence (highest first):
  *   1. Explicit `--issuer` flag (test override too)
  *   2. `PARACHUTE_HUB_ORIGIN` env (operator-set, typical custom-domain case)
- *   3. Platform-injected public URL — currently Render's RENDER_EXTERNAL_URL.
+ *   3. Platform-injected public URL:
+ *      - Render: `RENDER_EXTERNAL_URL` (auto-injected on web services)
+ *      - Fly.io: `FLY_APP_NAME` → `https://<app>.fly.dev` (patterns#100)
  *      This is the load-bearing tier for container deploys where the
- *      operator can't know the URL at deploy time. Render generates the
- *      *.onrender.com hostname after service creation and injects it for
- *      web services; hub picks it up automatically.
+ *      operator can't know the URL at deploy time. Without this, supervised
+ *      modules' iss-validation breaks on hub-minted tokens (iss-mismatch
+ *      every time).
  *   4. None (returns undefined). Hub falls back to per-request derivation
  *      via `resolveIssuer` in hub-server.ts — works for `/.well-known`
  *      discovery but supervised modules with cached iss expectations
@@ -129,8 +131,8 @@ function parsePort(raw: string | undefined): number | undefined {
  *      through hub-mint → vault-validate will fail with iss-mismatch.
  *      This is the "no canonical origin known" degraded mode.
  *
- * Future platforms (Fly's `FLY_APP_NAME` + region, Railway's
- * `RAILWAY_PUBLIC_DOMAIN`, etc.) can extend tier 3 as needed.
+ * Future platforms (Railway's `RAILWAY_PUBLIC_DOMAIN`, etc.) can extend
+ * tier 3 as needed.
  *
  * Trailing slashes are stripped for canonical-form comparison; empty
  * strings collapse to undefined.
@@ -139,12 +141,30 @@ export function resolveStartupIssuer(
   opts: { issuer?: string },
   env: NodeJS.ProcessEnv,
 ): string | undefined {
+  const flyOrigin = flyDefaultOriginFromEnv(env);
   return (
-    (opts.issuer ?? env.PARACHUTE_HUB_ORIGIN ?? env.RENDER_EXTERNAL_URL)?.replace(/\/+$/, "") ||
-    undefined
+    (opts.issuer ?? env.PARACHUTE_HUB_ORIGIN ?? env.RENDER_EXTERNAL_URL ?? flyOrigin)?.replace(
+      /\/+$/,
+      "",
+    ) || undefined
   );
 }
 
+/**
+ * Compose `https://${FLY_APP_NAME}.fly.dev` when FLY_APP_NAME is a plausible
+ * Fly app slug. Mirrors the validation in detectAutoExposeMode (no slashes —
+ * Fly slugs don't contain them). Kept local to this file (vs imported from
+ * hub-server.ts) because serve.ts boots before hub-server.ts is loaded and
+ * we want to avoid a cross-module dependency cycle at startup.
+ */
+function flyDefaultOriginFromEnv(env: NodeJS.ProcessEnv): string | undefined {
+  const app = env.FLY_APP_NAME;
+  if (typeof app !== "string" || app.length === 0 || app.includes("/")) {
+    return undefined;
+  }
+  return `https://${app}.fly.dev`;
+}
+
 /**
  * Seed the initial admin from env vars when no admin exists. Returns the
  * bootstrap state so the caller can log it for operator visibility.

package/src/hub-server.ts

@@ -156,7 +156,7 @@ import {
   type ModuleManifest,
   readModuleManifest as defaultReadModuleManifest,
 } from "./module-manifest.ts";
-import { logNotesRedirect, maybeRedirectNotes } from "./notes-redirect.ts";
+import { isLegacyNotesPath, logNotesRedirect, maybeRedirectNotes } from "./notes-redirect.ts";
 import {
   authorizationServerMetadata,
   handleApproveClientPost,
@@ -222,6 +222,12 @@ interface Args {
  *                                without operator config. Mirrors the
  *                                precedence in commands/serve.ts's
  *                                resolveStartupIssuer.
+ *   FLY_APP_NAME               — Fly.io sets this to the app name; we compose
+ *                                `https://${FLY_APP_NAME}.fly.dev` as a peer
+ *                                of RENDER_EXTERNAL_URL for the self-host-on-Fly
+ *                                path (patterns#100). Operators with custom
+ *                                domains attached set PARACHUTE_HUB_ORIGIN
+ *                                explicitly to override.
  */
 export function parseArgs(argv: string[], env: NodeJS.ProcessEnv = process.env): Args {
   let port: number | undefined;
@@ -260,12 +266,39 @@ export function parseArgs(argv: string[], env: NodeJS.ProcessEnv = process.env):
   if (hostname === undefined) hostname = env.PARACHUTE_BIND_HOST || "127.0.0.1";
   if (wellKnownDir === undefined) wellKnownDir = WELL_KNOWN_DIR;
   if (issuer === undefined) {
-    const fromEnv = env.PARACHUTE_HUB_ORIGIN ?? env.RENDER_EXTERNAL_URL;
+    const fromEnv =
+      env.PARACHUTE_HUB_ORIGIN ??
+      env.RENDER_EXTERNAL_URL ??
+      flyDefaultOrigin(env);
     if (fromEnv) issuer = fromEnv.replace(/\/+$/, "") || undefined;
   }
   return { port, hostname, wellKnownDir, dbPath: dbPath ?? hubDbPath(), issuer };
 }
 
+/**
+ * Compose the default Fly.io public origin from FLY_APP_NAME. Mirrors what
+ * `RENDER_EXTERNAL_URL` provides on Render — without an operator-set
+ * PARACHUTE_HUB_ORIGIN, we need *some* fallback so OAuth issuance + same-
+ * origin checks work out of the box. Fly doesn't auto-set a public-URL env
+ * var the way Render does, but every Fly app on the free shared TLS tier
+ * is reachable at `<app>.fly.dev` — composing it from FLY_APP_NAME is the
+ * canonical default.
+ *
+ * Operators on Fly with a custom domain attached should set
+ * PARACHUTE_HUB_ORIGIN explicitly via `fly secrets set` — that wins over
+ * this fallback (precedence in `parseArgs` above).
+ */
+function flyDefaultOrigin(env: NodeJS.ProcessEnv): string | undefined {
+  const app = env.FLY_APP_NAME;
+  // Mirror detectAutoExposeMode's slash-rejection — Fly slugs don't contain
+  // `/`, so anything with one is either spoofed or malformed. The composed
+  // URL is the OAuth issuer claim, so consistency in validation matters.
+  if (typeof app !== "string" || app.length === 0 || app.includes("/")) {
+    return undefined;
+  }
+  return `https://${app}.fly.dev`;
+}
+
 function parsePort(v: string): number {
   const n = Number.parseInt(v, 10);
   if (!Number.isInteger(n) || n <= 0 || n > 65535) {
@@ -1080,9 +1113,13 @@ export function hubFetch(
           // configured issuer. On Render, an operator who set hub_origin
           // via the admin SPA (or via a stale db row) to a non-public URL
           // would otherwise reject legitimate browser POSTs that arrive
-          // with the public Render URL as Origin. See origin-check.ts
+          // with the public Render URL as Origin. Same defense on Fly:
+          // the public <app>.fly.dev URL is the canonical Origin for
+          // browser POSTs and must be trusted even when the operator's
+          // configured issuer points elsewhere. See origin-check.ts
           // jsdoc for the failure case this closes.
-          platformOrigin: process.env.RENDER_EXTERNAL_URL,
+          platformOrigin:
+            process.env.RENDER_EXTERNAL_URL ?? flyDefaultOrigin(process.env),
         }),
     };
   };
@@ -1178,7 +1215,7 @@ export function hubFetch(
     // Lazy DB read: only consult `getDb` when the path actually matches a
     // legacy notes prefix — every non-notes request must NOT touch the DB
     // here (some tests + the /health route assert getDb is never called).
-    if (pathname === "/notes" || pathname.startsWith("/notes/")) {
+    if (isLegacyNotesPath(pathname)) {
       const notesRedirect = maybeRedirectNotes(pathname, url.search, getDb?.());
       if (notesRedirect !== undefined) {
         logNotesRedirect(pathname, notesRedirect);
@@ -1915,6 +1952,9 @@ export function hubFetch(
     // password (design §"Direct navigation").
     if (pathname === "/account/change-password") {
       if (!getDb) return dbNotConfigured();
+      // `now` deliberately omitted — handlers fall through to `new Date()` in
+      // production; the seam exists only so tests can advance the rate-limiter
+      // clock deterministically.
       const accountDeps = { db: getDb() };
       if (req.method === "GET") return handleAccountChangePasswordGet(req, accountDeps);
       if (req.method === "POST") return handleAccountChangePasswordPost(req, accountDeps);

package/src/notes-redirect.ts

@@ -89,6 +89,8 @@ export function maybeRedirectNotes(
  * helper resets it between test runs.
  */
 const RATE_LIMIT_WINDOW_MS = 60_000;
+// Bounded by O(distinct legacy notes paths bookmarked by operators) —
+// operator-owned input set, not attacker-controlled. No eviction needed.
 const lastLogAt = new Map<string, number>();
 
 export interface LogNotesRedirectOpts {

package/src/oauth-handlers.ts

@@ -590,6 +590,19 @@ function pendingClientResponse(
   // the authed branch's inline approve form, and the flow resumes.
   const returnTo = `${authorizeUrl.pathname}${authorizeUrl.search}`;
   if (session && sameOrigin) {
+    // Plumb redirect_uri + state for the Deny path (hub#390): an operator
+    // who clicks Deny gets routed back to the client's redirect_uri with
+    // an RFC 6749 §4.1.2.1 error response. redirect_uri is required by
+    // the spec on /oauth/authorize so it's reliably present; state is
+    // optional per the spec, so undefined-passes-through.
+    //
+    // We round-trip both values through hidden form inputs rather than
+    // re-parsing them from `return_to` in the handler. Reason: keeps the
+    // handler stateless about authorize-URL shape — it just reads the
+    // form. State is also not stored server-side (it never was; OAuth
+    // state lives in the query string by design).
+    const requestRedirectUri = authorizeUrl.searchParams.get("redirect_uri") ?? "";
+    const requestState = authorizeUrl.searchParams.get("state") ?? undefined;
     return htmlResponse(
       renderApprovePending({
         clientName: client.clientName ?? client.clientId,
@@ -598,7 +611,12 @@ function pendingClientResponse(
         requestedScopes,
         ...(requestedVault !== undefined && { requestedVault }),
         hubOrigin: deps.issuer,
-        approveForm: { csrfToken: csrf.token, returnTo },
+        approveForm: {
+          csrfToken: csrf.token,
+          returnTo,
+          redirectUri: requestRedirectUri,
+          ...(requestState !== undefined && { state: requestState }),
+        },
         loginNextUrl: returnTo,
       }),
       403,
@@ -1359,10 +1377,64 @@ export async function handleApproveClientPost(
   if (!client) {
     return htmlError("Unknown application", "This client_id is not registered with this hub.", 404);
   }
-  // Validate return_to BEFORE the DB mutation: if an authenticated operator
-  // submits a hand-crafted form with a bad return_to, we refuse without
-  // committing the client to `approved`. Practical risk is low (all three
-  // belts already passed), but ordering matters — validate, then mutate.
+
+  // Deny branch (hub#390): RFC 6749 §4.1.2.1 — when the resource owner
+  // denies an access request, the AS bounces back to the client's
+  // redirect_uri with `error=access_denied` (+ original state). Validate
+  // redirect_uri against the client's registered URIs to prevent open
+  // redirect via a hand-crafted form; refuse with 400 if it doesn't match.
+  // Deny does NOT mutate the client row — the client stays `pending` and
+  // the operator can revisit later from /admin/permissions or re-trigger
+  // OAuth from the calling app.
+  //
+  // The decision default is `"approve"` — that covers both back-compat
+  // (older forms that don't carry the field at all) AND any unexpected
+  // value (e.g. `decision="garbage"`). The reasoning: only the literal
+  // string `"deny"` triggers the destructive-from-the-client's-perspective
+  // path; everything else is treated as the safe, prior behavior. A user
+  // can't accidentally land on the error redirect by clicking a malformed
+  // button.
+  const decision = String(form.get("decision") ?? "approve");
+  if (decision === "deny") {
+    const denyRedirectUri = String(form.get("redirect_uri") ?? "");
+    if (!denyRedirectUri || !client.redirectUris.includes(denyRedirectUri)) {
+      return htmlError(
+        "Invalid form submission",
+        "The redirect_uri does not match any URI registered for this app.",
+        400,
+      );
+    }
+    const stateRaw = form.get("state");
+    const denyState = typeof stateRaw === "string" && stateRaw.length > 0 ? stateRaw : undefined;
+    // `new URL()` could in principle throw if a legacy code path bypassed
+    // `isValidRedirectUri` at registration and wrote a non-http(s) URI.
+    // Current DCR enforces validity at write time, so this catch is
+    // belt-and-suspenders, but cost is near-zero.
+    let target: URL;
+    try {
+      target = new URL(denyRedirectUri);
+    } catch {
+      return htmlError(
+        "Invalid form submission",
+        "The registered redirect_uri for this app is not a valid URL.",
+        400,
+      );
+    }
+    target.searchParams.set("error", "access_denied");
+    target.searchParams.set(
+      "error_description",
+      "The user denied the authorization request.",
+    );
+    if (denyState !== undefined) target.searchParams.set("state", denyState);
+    return redirectResponse(target.toString());
+  }
+
+  // Approve branch (default — also the back-compat path for any form that
+  // doesn't carry an explicit `decision` field). Validate return_to BEFORE
+  // the DB mutation: if an authenticated operator submits a hand-crafted
+  // form with a bad return_to, we refuse without committing the client to
+  // `approved`. Practical risk is low (all three belts already passed),
+  // but ordering matters — validate, then mutate.
   const returnTo = String(form.get("return_to") ?? "");
   if (!isSafeAuthorizeReturnTo(returnTo)) {
     return htmlError(

package/src/oauth-ui.ts

@@ -226,10 +226,19 @@ export interface ApprovePendingViewProps {
    * server will redirect to after the approve commits — the original
    * `/oauth/authorize?...` URL so the OAuth flow re-enters with the now-
    * approved client and lands on the consent screen.
+   *
+   * Deny path (closes hub#390): the same form also surfaces a Deny button.
+   * `redirectUri` + `state` are plumbed through as hidden inputs so the deny
+   * handler can construct an RFC 6749 §4.1.2.1 error redirect back to the
+   * calling client (`<redirect_uri>?error=access_denied&state=<state>`).
+   * `redirectUri` is required because deny must signal back to the client;
+   * `state` may be undefined (OAuth clients sometimes omit it).
    */
   approveForm?: {
     csrfToken: string;
     returnTo: string;
+    redirectUri: string;
+    state?: string;
   };
   /**
    * Same-origin hub-relative URL (path + search) to send the operator to
@@ -506,7 +515,12 @@ export function renderApprovePending(props: ApprovePendingViewProps): string {
         ${renderCsrfHiddenInput(approveForm.csrfToken)}
         <input type="hidden" name="client_id" value="${escapeHtml(clientId)}" />
         <input type="hidden" name="return_to" value="${escapeHtml(approveForm.returnTo)}" />
-        <button type="submit" class="btn btn-primary">Approve</button>
+        <input type="hidden" name="redirect_uri" value="${escapeHtml(approveForm.redirectUri)}" />
+        ${approveForm.state !== undefined ? `<input type="hidden" name="state" value="${escapeHtml(approveForm.state)}" />` : ""}
+        <div class="approve-actions">
+          <button type="submit" name="decision" value="approve" class="btn btn-primary">Approve</button>
+          <button type="submit" name="decision" value="deny" class="btn btn-secondary">Deny</button>
+        </div>
       </form>`
     : renderUnauthenticatedApproveCtas(hubOrigin, clientId, loginNextUrl);
   const body = `

package/src/rate-limit.ts

@@ -36,6 +36,13 @@
  * the map, so an attacker cycling through keys can't grow the map
  * without also leaving timestamps in each.
  *
+ * One edge case worth naming: a per-stable-key limiter (e.g. /change-password
+ * keyed by user.id) can leave an empty bucket for a user who hit the limit
+ * once and never returned — the prune only fires on `checkAndRecord` for
+ * that same key. Real-world scale is tiny (hundreds of users → hundreds of
+ * empty bucket entries at worst), so this is a documentation note, not a
+ * leak. Per-IP limiters (e.g. /login) self-prune as attackers cycle keys.
+ *
  * Auth-stage independence: callers MUST gate via `checkAndRecord` *before*
  * the credential check. A 2FA (or password) failure should count toward
  * the same bucket as a wrong password — an attacker who knows the

package/src/scope-registry.ts

@@ -24,7 +24,7 @@ import { homedir } from "node:os";
 import { join } from "node:path";
 import { type ModuleManifest, validateModuleManifest } from "./module-manifest.ts";
 import { FIRST_PARTY_SCOPES } from "./scope-explanations.ts";
-import { readManifest as readServicesManifest } from "./services-manifest.ts";
+import { readManifestLenient as readServicesManifest } from "./services-manifest.ts";
 
 /**
  * RFC 6749 §3.3: scope strings are 1*( SP scope-token ). We accept any
@@ -143,12 +143,10 @@ export interface LoadDeclaredScopesOpts {
 export function loadDeclaredScopes(opts: LoadDeclaredScopesOpts = {}): Set<string> {
   const declared = new Set<string>(FIRST_PARTY_SCOPES);
   const readModuleScopes = opts.readModuleScopes ?? defaultReadModuleScopes;
-  let services: { name: string; installDir?: string }[];
-  try {
-    services = readServicesManifest(opts.manifestPath).services;
-  } catch {
-    return declared;
-  }
+  // readServicesManifest is the lenient reader: it returns `{ services: [] }`
+  // on missing/unparseable files and skips individual bad rows with a warning.
+  // The for-loop below already degrades gracefully, so no try/catch needed.
+  const services = readServicesManifest(opts.manifestPath).services;
   for (const svc of services) {
     const defined = readModuleScopes(svc.name, svc.installDir);
     if (!defined) continue;

package/src/setup-wizard.ts

@@ -233,19 +233,19 @@ export interface SetupWizardDeps {
 /**
  * Returns `"public"` when the runtime env indicates the hub is deployed
  * on a platform where the "how will this hub be reached?" answer is
- * pre-determined by the platform. Today: Render (sets RENDER_EXTERNAL_URL
- * for any web service). Returns `undefined` otherwise — the wizard's
- * expose step asks the operator.
+ * pre-determined by the platform. Today: Render (sets RENDER_EXTERNAL_URL)
+ * and Fly.io (sets FLY_APP_NAME, reachable at `<app>.fly.dev`). Returns
+ * `undefined` otherwise — the wizard's expose step asks the operator.
  *
- * Why this matters: on Render, none of the three radio options
+ * Why this matters: on a managed PaaS, none of the three radio options
  * (localhost, tailnet, public-with-custom-domain) match the actual
- * setup. The hub is reached at `*.onrender.com` automatically. Asking
- * the operator wastes a click and surfaces three options that don't
- * speak to their situation. Auto-pinning `public` skips the step.
+ * setup. The hub is reached at the platform-assigned URL automatically.
+ * Asking the operator wastes a click and surfaces three options that
+ * don't speak to their situation. Auto-pinning `public` skips the step.
  *
- * Add more platforms here when we encounter them — e.g. Fly.io
- * (FLY_APP_NAME), Railway (RAILWAY_ENVIRONMENT), etc. Each only auto-
- * detects when the platform clearly owns the public URL.
+ * Add more platforms here when we encounter them — e.g. Railway
+ * (RAILWAY_ENVIRONMENT), DigitalOcean App Platform (DIGITALOCEAN_APP_*),
+ * etc. Each only auto-detects when the platform clearly owns the public URL.
  */
 export function detectAutoExposeMode(env: Record<string, string | undefined>): "public" | undefined {
   // Render always sets `RENDER_EXTERNAL_URL` to a real `https://` URL on
@@ -253,8 +253,21 @@ export function detectAutoExposeMode(env: Record<string, string | undefined>): "
   // also accept `http://` as a defensive fallback in case Render ever
   // changes the scheme on some plan tier. Anything else (empty, weird,
   // not a URL) → don't auto-skip; let the operator choose.
-  const url = env.RENDER_EXTERNAL_URL;
-  if (typeof url === "string" && (url.startsWith("https://") || url.startsWith("http://"))) {
+  const renderUrl = env.RENDER_EXTERNAL_URL;
+  if (
+    typeof renderUrl === "string" &&
+    (renderUrl.startsWith("https://") || renderUrl.startsWith("http://"))
+  ) {
+    return "public";
+  }
+  // Fly.io sets FLY_APP_NAME (the app slug) on every machine. Unlike
+  // Render, Fly doesn't auto-inject a public-URL env var — but every
+  // Fly app on shared TLS is reachable at `<app>.fly.dev`, so the
+  // presence of FLY_APP_NAME is the canonical "we're on Fly with a
+  // public URL" signal. Validate it's a plausible slug (non-empty,
+  // no scheme weirdness) before trusting it.
+  const flyApp = env.FLY_APP_NAME;
+  if (typeof flyApp === "string" && flyApp.length > 0 && !flyApp.includes("/")) {
     return "public";
   }
   return undefined;

package/src/vault-names.ts

@@ -26,7 +26,7 @@
  * `vaultInstanceNameFor`. Entries with no paths still resolve to a name via
  * the helper's manifest-suffix fallback (hub#143).
  */
-import { type ServicesManifest, readManifest } from "./services-manifest.ts";
+import { type ServicesManifest, readManifestLenient } from "./services-manifest.ts";
 import { isVaultEntry, vaultInstanceNameFor } from "./well-known.ts";
 
 /**
@@ -50,8 +50,8 @@ export function listVaultNames(manifest: ServicesManifest): string[] {
 /**
  * Read-from-disk convenience for callers that already have a manifest path
  * (e.g. `/api/users/vaults` reading the live `services.json`). Equivalent to
- * `listVaultNames(readManifest(manifestPath))`.
+ * `listVaultNames(readManifestLenient(manifestPath))`.
  */
 export function listVaultNamesFromPath(manifestPath: string): string[] {
-  return listVaultNames(readManifest(manifestPath));
+  return listVaultNames(readManifestLenient(manifestPath));
 }

package/src/well-known.ts

@@ -6,7 +6,7 @@ import {
   type ServiceEntry,
   type UiSubUnit,
   type UiSubUnitStatus,
-  readManifest,
+  readManifestLenient,
 } from "./services-manifest.ts";
 
 export interface WellKnownServiceEntry {
@@ -386,7 +386,11 @@ export async function regenerateWellKnown(
 ): Promise<{ path: string; doc: WellKnownDocument }> {
   const read = opts.readModuleManifest ?? readModuleManifest;
   const path = opts.wellKnownPath ?? WELL_KNOWN_PATH;
-  const services = readManifest(opts.manifestPath).services;
+  // Lenient: one malformed row shouldn't block well-known regen for everyone
+  // else (downstream consumers — Notes, Scribe, MCP — poll this; if it 500s
+  // they lose discovery). The function below already tolerates per-entry
+  // manifest errors via console.warn, so partial valid set is the right shape.
+  const services = readManifestLenient(opts.manifestPath).services;
   // Build the resolver maps the same way hub-server does — read each
   // module's `.parachute/module.json` from `installDir` and harvest
   // managementUrl (vault rows), uiUrl + displayName (all rows). Vaults