@openparachute/hub 0.5.13 → 0.5.14-rc.1

package/src/__tests__/api-modules.test.ts

@@ -171,7 +171,7 @@ describe("GET /api/modules", () => {
       supervisor_available: boolean;
     };
     // Curated order is preserved: vault → app → notes → scribe → runner.
-    expect(body.modules.map((m) => m.short)).toEqual(["vault", "app", "notes", "scribe", "runner"]);
+    expect(body.modules.map((m) => m.short)).toEqual(["vault", "surface", "notes", "scribe", "runner"]);
     expect(body.modules.every((m) => m.available)).toBe(true);
     expect(body.modules.every((m) => !m.installed)).toBe(true);
     expect(body.modules.every((m) => m.latest_version === "0.9.9")).toBe(true);
@@ -202,12 +202,12 @@ describe("GET /api/modules", () => {
         available: boolean;
       }>;
     };
-    const app = body.modules.find((m) => m.short === "app");
-    expect(app).toBeDefined();
-    expect(app?.package).toBe("@openparachute/app");
-    expect(app?.display_name).toBe("App");
-    expect(app?.tagline).toContain("auto-installs Notes");
-    expect(app?.available).toBe(true);
+    const surface = body.modules.find((m) => m.short === "surface");
+    expect(surface).toBeDefined();
+    expect(surface?.package).toBe("@openparachute/surface");
+    expect(surface?.display_name).toBe("Surface");
+    expect(surface?.tagline).toContain("auto-installs Notes");
+    expect(surface?.available).toBe(true);
   });
 
   test("runner row carries package + display props from FIRST_PARTY_FALLBACKS (#305)", async () => {
@@ -366,9 +366,9 @@ describe("GET /api/modules", () => {
   });
 
   test("management_url does not double-prepend mount when managementUrl is already mount-prefixed (hub#380)", async () => {
-    // Audit caught 2026-05-25: app declares `managementUrl: "/app/admin/"`
-    // (full hub-origin path) and `paths: ["/app", "/.parachute"]`. The
-    // SPA's Services dropdown was navigating to `/app/app/admin/` (404)
+    // Audit caught 2026-05-25: app declares `managementUrl: "/surface/admin/"`
+    // (full hub-origin path) and `paths: ["/surface", "/.parachute"]`. The
+    // SPA's Services dropdown was navigating to `/app/surface/admin/` (404)
     // because api-modules unconditionally prepended the mount onto the
     // candidate. Fix: detect already-mount-prefixed paths and pass through.
     //
@@ -376,12 +376,12 @@ describe("GET /api/modules", () => {
     // multi-instance modules (vault) use the per-instance relative form.
     writeManifest(h.manifestPath, [
       {
-        name: "parachute-app",
+        name: "parachute-surface",
         port: 1946,
-        paths: ["/app", "/.parachute"],
-        health: "/app/healthz",
+        paths: ["/surface", "/.parachute"],
+        health: "/surface/healthz",
         version: "0.2.0-rc.13",
-        installDir: "/install/dir/app",
+        installDir: "/install/dir/surface",
       },
     ]);
     const bearer = await mintBearer(h, [API_MODULES_REQUIRED_SCOPE]);
@@ -391,17 +391,17 @@ describe("GET /api/modules", () => {
       manifestPath: h.manifestPath,
       fetchLatestVersion: async () => null,
       readModuleManifest: async (installDir) => {
-        if (installDir === "/install/dir/app") {
+        if (installDir === "/install/dir/surface") {
           return {
-            name: "app",
-            manifestName: "parachute-app",
-            displayName: "App",
+            name: "surface",
+            manifestName: "parachute-surface",
+            displayName: "Surface",
             tagline: "",
             port: 1946,
-            paths: ["/app", "/.parachute"],
-            health: "/app/healthz",
-            uiUrl: "/app/admin/",
-            managementUrl: "/app/admin/",
+            paths: ["/surface", "/.parachute"],
+            health: "/surface/healthz",
+            uiUrl: "/surface/admin/",
+            managementUrl: "/surface/admin/",
           } as unknown as Awaited<
             ReturnType<typeof import("../module-manifest.ts").readModuleManifest>
           >;
@@ -413,9 +413,9 @@ describe("GET /api/modules", () => {
     const body = (await res.json()) as {
       modules: Array<{ short: string; management_url: string | null }>;
     };
-    const app = body.modules.find((m) => m.short === "app");
-    // Single `/app/`, not `/app/app/`.
-    expect(app?.management_url).toBe("/app/admin/");
+    const surface = body.modules.find((m) => m.short === "surface");
+    // Single `/surface/`, not `/surface/surface/`.
+    expect(surface?.management_url).toBe("/surface/admin/");
   });
 
   test("management_url prefix-ish names don't collide (hub#380 — /app vs /app-foo)", async () => {
@@ -430,8 +430,8 @@ describe("GET /api/modules", () => {
       {
         name: "parachute-vault",
         port: 1940,
-        paths: ["/app"], // mount is /app (using vault as a stand-in installable)
-        health: "/app/health",
+        paths: ["/surface"], // mount is /app (using vault as a stand-in installable)
+        health: "/surface/health",
         version: "0.4.5",
         installDir: "/install/dir/contrived",
       },
@@ -450,8 +450,8 @@ describe("GET /api/modules", () => {
             displayName: "Vault",
             tagline: "",
             port: 1940,
-            paths: ["/app"],
-            health: "/app/health",
+            paths: ["/surface"],
+            health: "/surface/health",
             // candidate looks like a sibling-name prefix but is NOT a
             // mount-prefix of /app — should still get prepended.
             managementUrl: "/app-foo/admin",
@@ -467,9 +467,9 @@ describe("GET /api/modules", () => {
       modules: Array<{ short: string; management_url: string | null }>;
     };
     const vault = body.modules.find((m) => m.short === "vault");
-    // /app + /app-foo/admin → /app/app-foo/admin (prepend fires; not treated
-    // as already-mount-prefixed because /app-foo/ doesn't start with /app/).
-    expect(vault?.management_url).toBe("/app/app-foo/admin");
+    // /surface + /app-foo/admin → /surface/app-foo/admin (prepend fires; not
+    // treated as already-mount-prefixed because /app-foo/ doesn't start with /surface/).
+    expect(vault?.management_url).toBe("/surface/app-foo/admin");
   });
 
   test("management_url equality edge: tail equals mount exactly (hub#380)", async () => {

package/src/__tests__/api-users.test.ts

@@ -1,5 +1,6 @@
 /**
- * Tests for `/api/users*` (multi-user Phase 1, PR 2). Covers:
+ * Tests for `/api/users*` (multi-user Phase 1 PR 2 + Phase 2 PR 1).
+ * Covers:
  *
  *   - Auth boundary: every endpoint requires a bearer carrying
  *     `parachute:host:admin`.
@@ -11,6 +12,10 @@
  *     400 `assigned_vault_not_found`).
  *   - DELETE happy path with token revocation; first-admin-undeletable
  *     returns 403; 404 on unknown id.
+ *   - POST /:id/reset-password (Phase 2 PR 1) happy path with token
+ *     revocation, first-admin protection (403 cannot_reset_first_admin),
+ *     password-validation branches (too-short 400, too-long 413 before
+ *     argon2id), missing target (404), auth boundary.
  *   - GET /api/users/vaults returns the same name set the OAuth issuer
  *     would resolve against.
  *   - 405 on wrong methods.
@@ -25,10 +30,11 @@ import {
   handleDeleteUser,
   handleListUsers,
   handleListVaults,
+  handleResetUserPassword,
 } from "../api-users.ts";
 import { hubDbPath, openHubDb } from "../hub-db.ts";
 import { findTokenRowByJti, recordTokenMint, signAccessToken } from "../jwt-sign.ts";
-import { createUser } from "../users.ts";
+import { createUser, getUserById, verifyPassword } from "../users.ts";
 
 const ISSUER = "https://hub.test";
 const HOST_ADMIN_SCOPE = "parachute:host:admin";
@@ -477,6 +483,190 @@ describe("handleDeleteUser", () => {
   });
 });
 
+// ---------------------------------------------------------------------------
+// POST /api/users/:id/reset-password — admin-initiated password reset
+// (multi-user Phase 2 PR 1)
+// ---------------------------------------------------------------------------
+
+describe("handleResetUserPassword", () => {
+  async function post(
+    bearer: string | null,
+    id: string,
+    body: Record<string, unknown> | string | null,
+    headers: Record<string, string> = {},
+  ): Promise<Response> {
+    const init: RequestInit = {
+      method: "POST",
+      headers: {
+        "content-type": "application/json",
+        ...(bearer ? { authorization: `Bearer ${bearer}` } : {}),
+        ...headers,
+      },
+      body: body === null ? undefined : typeof body === "string" ? body : JSON.stringify(body),
+    };
+    return await handleResetUserPassword(req(`/api/users/${id}/reset-password`, init), id, deps());
+  }
+
+  test("401 with no Authorization header", async () => {
+    const res = await post(null, "some-id", { new_password: "twelvechars1" });
+    expect(res.status).toBe(401);
+  });
+
+  test("403 when bearer lacks parachute:host:admin", async () => {
+    const { bearer } = await makeAdminBearer(["other:scope"]);
+    const res = await post(bearer, "some-id", { new_password: "twelvechars1" });
+    expect(res.status).toBe(403);
+  });
+
+  test("405 on GET", async () => {
+    const { bearer } = await makeAdminBearer();
+    const res = await handleResetUserPassword(
+      withBearer("/api/users/some-id/reset-password", bearer, { method: "GET" }),
+      "some-id",
+      deps(),
+    );
+    expect(res.status).toBe(405);
+  });
+
+  test("404 when target user does not exist", async () => {
+    const { bearer } = await makeAdminBearer();
+    const res = await post(bearer, "no-such-id", { new_password: "twelvechars1" });
+    expect(res.status).toBe(404);
+    const body = (await res.json()) as { error: string };
+    expect(body.error).toBe("not_found");
+  });
+
+  test("403 cannot_reset_first_admin when targeting the first admin", async () => {
+    const { bearer, userId } = await makeAdminBearer();
+    const res = await post(bearer, userId, { new_password: "twelvechars1" });
+    expect(res.status).toBe(403);
+    const body = (await res.json()) as { error: string };
+    expect(body.error).toBe("cannot_reset_first_admin");
+    // First-admin row's hash + password_changed bit untouched.
+    const fresh = getUserById(harness.db, userId);
+    expect(fresh?.passwordChanged).toBe(true);
+  });
+
+  test("400 invalid_password when new_password is too short (< 12 chars)", async () => {
+    const { bearer } = await makeAdminBearer();
+    const friend = await createUser(harness.db, "alice", "alice-strong-passphrase", {
+      allowMulti: true,
+      passwordChanged: true,
+    });
+    const res = await post(bearer, friend.id, { new_password: "short" });
+    expect(res.status).toBe(400);
+    const body = (await res.json()) as { error: string; error_description: string };
+    expect(body.error).toBe("invalid_password");
+    expect(body.error_description).toMatch(/12 characters/);
+  });
+
+  test("413 password_too_long when new_password > 256 chars (before argon2id touches it)", async () => {
+    const { bearer } = await makeAdminBearer();
+    const friend = await createUser(harness.db, "alice", "alice-strong-passphrase", {
+      allowMulti: true,
+      passwordChanged: true,
+    });
+    const huge = "a".repeat(300);
+    const t0 = Date.now();
+    const res = await post(bearer, friend.id, { new_password: huge });
+    const elapsed = Date.now() - t0;
+    expect(res.status).toBe(413);
+    const body = (await res.json()) as { error: string };
+    expect(body.error).toBe("password_too_long");
+    // Same liveness check as the create-user path: 300-char argon2id is
+    // hundreds of ms; cap-and-reject should complete in <200ms.
+    expect(elapsed).toBeLessThan(200);
+  });
+
+  test("400 invalid_request when content-type is not application/json", async () => {
+    const { bearer } = await makeAdminBearer();
+    const friend = await createUser(harness.db, "alice", "alice-strong-passphrase", {
+      allowMulti: true,
+      passwordChanged: true,
+    });
+    const res = await post(bearer, friend.id, "new_password=twelvechars1", {
+      "content-type": "application/x-www-form-urlencoded",
+    });
+    expect(res.status).toBe(400);
+  });
+
+  test("400 invalid_request when new_password missing", async () => {
+    const { bearer } = await makeAdminBearer();
+    const friend = await createUser(harness.db, "alice", "alice-strong-passphrase", {
+      allowMulti: true,
+      passwordChanged: true,
+    });
+    const res = await post(bearer, friend.id, {});
+    expect(res.status).toBe(400);
+    const body = (await res.json()) as { error: string };
+    expect(body.error).toBe("invalid_request");
+  });
+
+  test("happy path — rotates hash, flips password_changed=false, returns user shape", async () => {
+    const { bearer } = await makeAdminBearer();
+    const friend = await createUser(harness.db, "alice", "alice-strong-passphrase", {
+      allowMulti: true,
+      passwordChanged: true,
+    });
+    const oldHash = friend.passwordHash;
+    const res = await post(bearer, friend.id, { new_password: "new-temp-passphrase" });
+    expect(res.status).toBe(200);
+    const body = (await res.json()) as {
+      ok: boolean;
+      user: { id: string; password_changed: boolean; username: string };
+    };
+    expect(body.ok).toBe(true);
+    expect(body.user.id).toBe(friend.id);
+    expect(body.user.username).toBe("alice");
+    expect(body.user.password_changed).toBe(false);
+    // Echo body never carries the hash (or the new password).
+    expect(body.user).not.toHaveProperty("password_hash");
+    expect(body).not.toHaveProperty("new_password");
+    // Round-trip on the user row: new password works, old does not, hash
+    // moved, password_changed is now false (force-redirect on next login).
+    const fresh = getUserById(harness.db, friend.id);
+    expect(fresh).not.toBeNull();
+    expect(fresh?.passwordHash).not.toBe(oldHash);
+    expect(fresh?.passwordChanged).toBe(false);
+    expect(await verifyPassword(fresh!, "new-temp-passphrase")).toBe(true);
+    expect(await verifyPassword(fresh!, "alice-strong-passphrase")).toBe(false);
+  });
+
+  test("revokes the friend's existing tokens (pre-reset token row has revoked_at after)", async () => {
+    const { bearer } = await makeAdminBearer();
+    const friend = await createUser(harness.db, "alice", "alice-strong-passphrase", {
+      allowMulti: true,
+      passwordChanged: true,
+    });
+    const minted = await signAccessToken(harness.db, {
+      sub: friend.id,
+      scopes: ["vault:home:read"],
+      audience: "vault",
+      clientId: "notes-client",
+      issuer: ISSUER,
+      ttlSeconds: 600,
+    });
+    recordTokenMint(harness.db, {
+      jti: minted.jti,
+      createdVia: "operator_mint",
+      subject: friend.username,
+      userId: friend.id,
+      clientId: "notes-client",
+      scopes: ["vault:home:read"],
+      expiresAt: minted.expiresAt,
+    });
+    expect(findTokenRowByJti(harness.db, minted.jti)?.revokedAt).toBeNull();
+
+    const res = await post(bearer, friend.id, { new_password: "new-temp-passphrase" });
+    expect(res.status).toBe(200);
+
+    const row = findTokenRowByJti(harness.db, minted.jti);
+    expect(row?.revokedAt).not.toBeNull();
+    // User row sticks around (unlike delete), so user_id is NOT NULLed.
+    expect(row?.userId).toBe(friend.id);
+  });
+});
+
 // ---------------------------------------------------------------------------
 // GET /api/users/vaults — vault-name list for the assigned-vault dropdown
 // ---------------------------------------------------------------------------

package/src/__tests__/chrome-strip.test.ts

@@ -82,21 +82,21 @@ describe("shouldInjectChrome", () => {
     expect(shouldInjectChrome("/admin/vaults")).toBe(true);
     expect(shouldInjectChrome("/scribe/admin")).toBe(true);
     expect(shouldInjectChrome("/vault/default/admin/")).toBe(true);
-    expect(shouldInjectChrome("/app/admin/modules")).toBe(true);
+    expect(shouldInjectChrome("/surface/admin/modules")).toBe(true);
   });
 
-  test("default: opts out the Notes PWA at /app/notes/*", () => {
-    expect(shouldInjectChrome("/app/notes")).toBe(false);
-    expect(shouldInjectChrome("/app/notes/")).toBe(false);
-    expect(shouldInjectChrome("/app/notes/index.html")).toBe(false);
-    expect(shouldInjectChrome("/app/notes/assets/index-XXX.js")).toBe(false);
+  test("default: opts out the Notes PWA at /surface/notes/*", () => {
+    expect(shouldInjectChrome("/surface/notes")).toBe(false);
+    expect(shouldInjectChrome("/surface/notes/")).toBe(false);
+    expect(shouldInjectChrome("/surface/notes/index.html")).toBe(false);
+    expect(shouldInjectChrome("/surface/notes/assets/index-XXX.js")).toBe(false);
   });
 
   test("opt-out prefix matching does not over-match sibling paths", () => {
-    // `/app/notesbook` must NOT match `/app/notes/` — startsWith check
+    // `/surface/notesbook` must NOT match `/surface/notes/` — startsWith check
     // requires a trailing slash boundary.
-    expect(shouldInjectChrome("/app/notesbook")).toBe(true);
-    expect(shouldInjectChrome("/app/notes-archive/")).toBe(true);
+    expect(shouldInjectChrome("/surface/notesbook")).toBe(true);
+    expect(shouldInjectChrome("/surface/notes-archive/")).toBe(true);
   });
 
   test("custom opt-out list is honored", () => {
@@ -111,8 +111,8 @@ describe("shouldInjectChrome", () => {
     expect(shouldInjectChrome("/foo/bar", ["/foo"])).toBe(false);
   });
 
-  test("the canonical opt-out list contains /app/notes/", () => {
-    expect(CHROME_OPT_OUT_PREFIXES).toContain("/app/notes/");
+  test("the canonical opt-out list contains /surface/notes/", () => {
+    expect(CHROME_OPT_OUT_PREFIXES).toContain("/surface/notes/");
   });
 });
 
@@ -250,27 +250,27 @@ describe("injectChromeIntoResponse", () => {
     expect(cssOut).toBe(css);
   });
 
-  test("passes through responses on opt-out paths (/app/notes/) unchanged", async () => {
+  test("passes through responses on opt-out paths (/surface/notes/) unchanged", async () => {
     const res = new Response("<html><body>notes</body></html>", {
       status: 200,
       headers: { "content-type": "text/html" },
     });
     const out = await injectChromeIntoResponse(res, {
       chromeHtml: chrome,
-      pathname: "/app/notes/",
+      pathname: "/surface/notes/",
     });
     expect(out).toBe(res);
     expect(await out.text()).toBe("<html><body>notes</body></html>");
   });
 
-  test("passes through responses on opt-out sub-paths (/app/notes/assets/x.js)", async () => {
+  test("passes through responses on opt-out sub-paths (/surface/notes/assets/x.js)", async () => {
     const res = new Response("<html><body>notes</body></html>", {
       status: 200,
       headers: { "content-type": "text/html" },
     });
     const out = await injectChromeIntoResponse(res, {
       chromeHtml: chrome,
-      pathname: "/app/notes/index.html",
+      pathname: "/surface/notes/index.html",
     });
     expect(out).toBe(res);
   });

package/src/__tests__/hub-server.test.ts

@@ -995,22 +995,22 @@ describe("hubFetch routing", () => {
   });
 
   // Notes-as-app migration Phase 2 (parachute-app design doc §16).
-  // `/notes/*` 301-redirects to `/app/notes/*` so legacy bookmarks land
+  // `/notes/*` 301-redirects to `/surface/notes/*` so legacy bookmarks land
   // on the apps-hosted Notes. Tested with no DB (the migration-default
   // path — absent DB or absent row means redirect-on).
-  test("301: /notes/ → /app/notes/", async () => {
+  test("301: /notes/ → /surface/notes/", async () => {
     clearNotesRedirectLogState();
     const h = makeHarness();
     try {
       const res = await hubFetch(h.dir)(req("/notes/"));
       expect(res.status).toBe(301);
-      expect(res.headers.get("location")).toBe("/app/notes/");
+      expect(res.headers.get("location")).toBe("/surface/notes/");
     } finally {
       h.cleanup();
     }
   });
 
-  test("301: bare /notes → /app/notes", async () => {
+  test("301: bare /notes → /surface/notes", async () => {
     // The bare-prefix form (no trailing slash) is the path browsers land
     // on when an operator types `https://hub.example/notes` directly.
     clearNotesRedirectLogState();
@@ -1018,7 +1018,7 @@ describe("hubFetch routing", () => {
     try {
       const res = await hubFetch(h.dir)(req("/notes"));
       expect(res.status).toBe(301);
-      expect(res.headers.get("location")).toBe("/app/notes");
+      expect(res.headers.get("location")).toBe("/surface/notes");
     } finally {
       h.cleanup();
     }
@@ -1030,7 +1030,7 @@ describe("hubFetch routing", () => {
     try {
       const res = await hubFetch(h.dir)(req("/notes/some/path?q=1&n=2"));
       expect(res.status).toBe(301);
-      expect(res.headers.get("location")).toBe("/app/notes/some/path?q=1&n=2");
+      expect(res.headers.get("location")).toBe("/surface/notes/some/path?q=1&n=2");
     } finally {
       h.cleanup();
     }
@@ -2240,7 +2240,7 @@ describe("hubFetch /<svc>/* generic proxy dispatch (#182)", () => {
     // motivator for the `--mount` strip in notes-serve.ts).
     //
     // Post-parachute-app §16 Phase 2 the `/notes/*` path 301-redirects to
-    // `/app/notes/*` by default. This test pins the notes-as-module legacy
+    // `/surface/notes/*` by default. This test pins the notes-as-module legacy
     // path (notes-daemon still serving its own mount); set the opt-out
     // flag so the dispatch falls through to the generic proxy.
     const h = makeHarness();
@@ -3453,7 +3453,7 @@ describe("hubFetch persistent chrome strip injection (workstream G)", () => {
   // Pins the proxy-side wiring of the chrome strip from
   // `parachute-patterns/patterns/design-system.md` §7 — every proxied
   // text/html response gets the strip injected after the first `<body>`,
-  // with opt-outs for `/app/notes/*` (the Notes PWA owns its own chrome).
+  // with opt-outs for `/surface/notes/*` (the Notes PWA owns its own chrome).
   // The pure rewrite + opt-out logic is covered in chrome-strip.test.ts;
   // here we exercise the dispatch integration end-to-end through hubFetch.
 
@@ -3608,7 +3608,7 @@ describe("hubFetch persistent chrome strip injection (workstream G)", () => {
     }
   });
 
-  test("does NOT inject chrome on /app/notes/* (Notes PWA owns its own chrome)", async () => {
+  test("does NOT inject chrome on /surface/notes/* (Notes PWA owns its own chrome)", async () => {
     const h = makeHarness();
     const upstream = startHtmlUpstream("<html><body><h1>Notes</h1></body></html>");
     try {
@@ -3616,10 +3616,10 @@ describe("hubFetch persistent chrome strip injection (workstream G)", () => {
         {
           services: [
             {
-              name: "parachute-app",
+              name: "parachute-surface",
               port: upstream.port,
-              paths: ["/app"],
-              health: "/app/health",
+              paths: ["/surface"],
+              health: "/surface/health",
               version: "0.1.0",
             },
           ],
@@ -3627,7 +3627,7 @@ describe("hubFetch persistent chrome strip injection (workstream G)", () => {
         h.manifestPath,
       );
       const fetcher = hubFetch(h.dir, { manifestPath: h.manifestPath });
-      const res = await fetcher(req("/app/notes/"));
+      const res = await fetcher(req("/surface/notes/"));
       expect(res.status).toBe(200);
       const body = await res.text();
       expect(body).toBe("<html><body><h1>Notes</h1></body></html>");
@@ -3638,7 +3638,7 @@ describe("hubFetch persistent chrome strip injection (workstream G)", () => {
     }
   });
 
-  test("DOES inject chrome on /app/admin/* (parachute-app admin, not Notes)", async () => {
+  test("DOES inject chrome on /surface/admin/* (parachute-app admin, not Notes)", async () => {
     const h = makeHarness();
     const upstream = startHtmlUpstream("<html><body>app admin</body></html>");
     try {
@@ -3646,10 +3646,10 @@ describe("hubFetch persistent chrome strip injection (workstream G)", () => {
         {
           services: [
             {
-              name: "parachute-app",
+              name: "parachute-surface",
               port: upstream.port,
-              paths: ["/app"],
-              health: "/app/health",
+              paths: ["/surface"],
+              health: "/surface/health",
               version: "0.1.0",
             },
           ],
@@ -3657,7 +3657,7 @@ describe("hubFetch persistent chrome strip injection (workstream G)", () => {
         h.manifestPath,
       );
       const fetcher = hubFetch(h.dir, { manifestPath: h.manifestPath });
-      const res = await fetcher(req("/app/admin/"));
+      const res = await fetcher(req("/surface/admin/"));
       expect(res.status).toBe(200);
       const body = await res.text();
       expect(body).toContain("pc-chrome");
@@ -3668,7 +3668,7 @@ describe("hubFetch persistent chrome strip injection (workstream G)", () => {
     }
   });
 
-  test("does NOT inject on /app/notes/ sub-paths (asset requests)", async () => {
+  test("does NOT inject on /surface/notes/ sub-paths (asset requests)", async () => {
     const h = makeHarness();
     const upstream = startHtmlUpstream("<html><body>asset shell</body></html>");
     try {
@@ -3676,10 +3676,10 @@ describe("hubFetch persistent chrome strip injection (workstream G)", () => {
         {
           services: [
             {
-              name: "parachute-app",
+              name: "parachute-surface",
               port: upstream.port,
-              paths: ["/app"],
-              health: "/app/health",
+              paths: ["/surface"],
+              health: "/surface/health",
               version: "0.1.0",
             },
           ],
@@ -3687,7 +3687,7 @@ describe("hubFetch persistent chrome strip injection (workstream G)", () => {
         h.manifestPath,
       );
       const fetcher = hubFetch(h.dir, { manifestPath: h.manifestPath });
-      const res = await fetcher(req("/app/notes/index.html"));
+      const res = await fetcher(req("/surface/notes/index.html"));
       expect(res.status).toBe(200);
       const body = await res.text();
       expect(body).not.toContain("pc-chrome");