@openparachute/hub 0.5.13 → 0.5.14-rc.10

package/src/__tests__/oauth-ui.test.ts

@@ -20,6 +20,7 @@ const PARAMS: AuthorizeFormParams = {
   codeChallenge: "ch",
   codeChallengeMethod: "S256",
   state: "xyz",
+  resource: null,
 };
 
 const CSRF = "csrf-token-fixture";
@@ -50,9 +51,19 @@ describe("renderHiddenInputs", () => {
   });
 
   test("escapes hostile values into hidden inputs", () => {
-    const html = renderHiddenInputs({ ...PARAMS, state: `"><script>alert(1)</script>` });
+    const html = renderHiddenInputs({
+      ...PARAMS,
+      state: `"><script>alert(1)</script>`,
+      // RFC 8707 resource is round-tripped through a hidden input too, so a
+      // hostile value must be escaped the same way.
+      resource: `"><script>alert(2)</script>`,
+    });
     expect(html).not.toContain("<script>alert(1)</script>");
+    expect(html).not.toContain("<script>alert(2)</script>");
     expect(html).toContain("&lt;script&gt;");
+    // The resource value is emitted as a hidden input (escaped).
+    expect(html).toContain('name="resource"');
+    expect(html).toContain("alert(2)");
   });
 });
 

package/src/__tests__/proxy-error-ui.test.ts

@@ -0,0 +1,212 @@
+import { describe, expect, test } from "bun:test";
+import {
+  ADMIN_MODULES_URL,
+  ERROR_TYPE_PERSISTENT,
+  ERROR_TYPE_TRANSIENT,
+  TRANSIENT_MAX_ATTEMPTS,
+  TRANSIENT_RETRY_MS,
+  renderProxyError,
+  renderProxyErrorHtml,
+  renderProxyErrorJson,
+  statusForState,
+  toResponse,
+  wantsHtml,
+} from "../proxy-error-ui.ts";
+
+function req(accept?: string): Request {
+  const headers: Record<string, string> = {};
+  if (accept !== undefined) headers.accept = accept;
+  return new Request("http://127.0.0.1/vault/default/health", { headers });
+}
+
+describe("wantsHtml — Accept-header negotiation", () => {
+  test("text/html → HTML", () => {
+    expect(wantsHtml(req("text/html"))).toBe(true);
+  });
+  test("application/json → JSON", () => {
+    expect(wantsHtml(req("application/json"))).toBe(false);
+  });
+  test("missing Accept → HTML (browser-ish default)", () => {
+    expect(wantsHtml(req())).toBe(true);
+  });
+  test("*/* alone → HTML", () => {
+    expect(wantsHtml(req("*/*"))).toBe(true);
+  });
+  test("text/html,application/xhtml+xml,application/xml → HTML", () => {
+    expect(wantsHtml(req("text/html,application/xhtml+xml,application/xml"))).toBe(true);
+  });
+  test("application/json with text/html present → HTML", () => {
+    // If a client sends both, we lean HTML — matches the hub's existing
+    // one-line accept check at the 404 fallthrough.
+    expect(wantsHtml(req("application/json, text/html"))).toBe(true);
+  });
+});
+
+describe("statusForState", () => {
+  test("transient → 503", () => {
+    expect(statusForState("transient")).toBe(503);
+  });
+  test("persistent → 502", () => {
+    expect(statusForState("persistent")).toBe(502);
+  });
+});
+
+describe("renderProxyErrorJson", () => {
+  test("transient → 503 JSON with retry_after_ms + max_attempts + no admin_url", () => {
+    const out = renderProxyErrorJson({
+      short: "vault",
+      serviceLabel: "parachute-vault",
+      state: "transient",
+      upstreamError: "ECONNREFUSED",
+    });
+    expect(out.status).toBe(503);
+    expect(out.contentType).toBe("application/json");
+    expect(out.retryAfter).toBe("2");
+    const body = JSON.parse(out.body) as {
+      error: string;
+      error_type: string;
+      retry_after_ms: number;
+      max_attempts: number;
+      admin_url?: string;
+      service: string;
+    };
+    expect(body.error).toBe(ERROR_TYPE_TRANSIENT);
+    expect(body.error_type).toBe(ERROR_TYPE_TRANSIENT);
+    expect(body.retry_after_ms).toBe(TRANSIENT_RETRY_MS);
+    expect(body.max_attempts).toBe(TRANSIENT_MAX_ATTEMPTS);
+    expect(body.admin_url).toBeUndefined();
+    expect(body.service).toBe("vault");
+  });
+
+  test("persistent → 502 JSON with admin_url + no retry_after_ms", () => {
+    const out = renderProxyErrorJson({
+      short: "scribe",
+      serviceLabel: "scribe",
+      state: "persistent",
+      upstreamError: "ECONNREFUSED",
+    });
+    expect(out.status).toBe(502);
+    expect(out.contentType).toBe("application/json");
+    expect(out.retryAfter).toBeUndefined();
+    const body = JSON.parse(out.body) as {
+      error: string;
+      error_type: string;
+      retry_after_ms?: number;
+      admin_url?: string;
+    };
+    expect(body.error).toBe(ERROR_TYPE_PERSISTENT);
+    expect(body.error_type).toBe(ERROR_TYPE_PERSISTENT);
+    expect(body.admin_url).toBe(ADMIN_MODULES_URL);
+    expect(body.retry_after_ms).toBeUndefined();
+  });
+
+  test("persistent JSON folds upstreamError into error_description", () => {
+    const out = renderProxyErrorJson({
+      short: "vault",
+      serviceLabel: "parachute-vault",
+      state: "persistent",
+      upstreamError: "ECONNREFUSED 127.0.0.1:1940",
+    });
+    const body = JSON.parse(out.body) as { error_description: string };
+    expect(body.error_description).toContain("ECONNREFUSED");
+    expect(body.error_description).toContain("parachute-vault");
+  });
+});
+
+describe("renderProxyErrorHtml", () => {
+  test("transient HTML → 503 + meta-refresh + Retry-After + poll script", () => {
+    const out = renderProxyErrorHtml({
+      short: "vault",
+      serviceLabel: "parachute-vault",
+      state: "transient",
+      upstreamError: "ECONNREFUSED",
+    });
+    expect(out.status).toBe(503);
+    expect(out.contentType).toBe("text/html; charset=utf-8");
+    expect(out.retryAfter).toBe("2");
+    expect(out.body).toContain(`<meta http-equiv="refresh" content="2">`);
+    expect(out.body).toContain("Just a moment");
+    expect(out.body).toContain("/api/ready");
+    expect(out.body).toContain("ready_modules");
+    expect(out.body).toContain(`maxAttempts = ${TRANSIENT_MAX_ATTEMPTS}`);
+    // Transient page MUST NOT include an admin link (Aaron design (d)).
+    expect(out.body).not.toContain("/admin/modules");
+  });
+
+  test("persistent HTML → 502 + no meta-refresh + admin link + manual refresh", () => {
+    const out = renderProxyErrorHtml({
+      short: "vault",
+      serviceLabel: "parachute-vault",
+      state: "persistent",
+      upstreamError: "ECONNREFUSED",
+    });
+    expect(out.status).toBe(502);
+    expect(out.contentType).toBe("text/html; charset=utf-8");
+    expect(out.retryAfter).toBeUndefined();
+    expect(out.body).not.toContain(`http-equiv="refresh"`);
+    expect(out.body).toContain("Module unreachable");
+    expect(out.body).toContain("/admin/modules");
+    expect(out.body).toContain("View module status");
+    // No periodic poll on the persistent page — only the manual-refresh
+    // listener. Assert by checking that maxAttempts/intervalMs constants
+    // aren't emitted into the script.
+    expect(out.body).not.toContain("maxAttempts");
+  });
+
+  test("HTML escapes the service short name into the body", () => {
+    // Constructing a malicious short shouldn't break the page. ServiceEntry
+    // names are validated upstream but the renderer is defense-in-depth.
+    const out = renderProxyErrorHtml({
+      short: "<script>alert(1)</script>",
+      serviceLabel: "<malicious>",
+      state: "persistent",
+      upstreamError: "x",
+    });
+    expect(out.body).not.toContain("<script>alert(1)</script>");
+    expect(out.body).toContain("&lt;script&gt;");
+  });
+});
+
+describe("renderProxyError — Accept-driven dispatch", () => {
+  test("JSON-accepting request → JSON renderer", () => {
+    const out = renderProxyError(req("application/json"), {
+      short: "vault",
+      serviceLabel: "parachute-vault",
+      state: "transient",
+      upstreamError: "x",
+    });
+    expect(out.contentType).toBe("application/json");
+  });
+  test("HTML-accepting request → HTML renderer", () => {
+    const out = renderProxyError(req("text/html"), {
+      short: "vault",
+      serviceLabel: "parachute-vault",
+      state: "transient",
+      upstreamError: "x",
+    });
+    expect(out.contentType).toBe("text/html; charset=utf-8");
+  });
+});
+
+describe("toResponse", () => {
+  test("attaches Retry-After when present", () => {
+    const out = toResponse({
+      body: "{}",
+      status: 503,
+      contentType: "application/json",
+      retryAfter: "2",
+    });
+    expect(out.status).toBe(503);
+    expect(out.headers.get("retry-after")).toBe("2");
+    expect(out.headers.get("content-type")).toBe("application/json");
+    expect(out.headers.get("cache-control")).toBe("no-store");
+  });
+  test("omits Retry-After when absent", () => {
+    const out = toResponse({
+      body: "{}",
+      status: 502,
+      contentType: "application/json",
+    });
+    expect(out.headers.get("retry-after")).toBeNull();
+  });
+});

package/src/__tests__/proxy-state.test.ts

@@ -0,0 +1,192 @@
+import { describe, expect, test } from "bun:test";
+import { mkdtempSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { writePid } from "../process-state.ts";
+import { type ClassifyOpts, classifyUpstream } from "../proxy-state.ts";
+import type { ModuleState, Supervisor } from "../supervisor.ts";
+
+/**
+ * Stub supervisor — only `get(short)` is exercised by `classifyUpstream`.
+ * We construct it directly instead of standing up a real `Supervisor`
+ * + driving the spawn lifecycle, so test cases stay focused on the
+ * classifier's per-status branching.
+ */
+function stubSupervisor(states: Record<string, ModuleState>): Supervisor {
+  return {
+    get: (short: string) => states[short],
+    list: () => Object.values(states),
+    // Unused by classifyUpstream — present to satisfy the Supervisor type.
+    start: async () => {
+      throw new Error("not implemented");
+    },
+    stop: async () => undefined,
+    restart: async () => undefined,
+  } as unknown as Supervisor;
+}
+
+function moduleState(partial: Partial<ModuleState> & { short: string }): ModuleState {
+  return {
+    status: "running",
+    restartsInWindow: 0,
+    ...partial,
+  };
+}
+
+describe("classifyUpstream — supervisor mode", () => {
+  test("status=starting → transient", () => {
+    const sup = stubSupervisor({
+      vault: moduleState({ short: "vault", status: "starting" }),
+    });
+    expect(classifyUpstream("vault", { supervisor: sup })).toBe("transient");
+  });
+
+  test("status=restarting → transient", () => {
+    const sup = stubSupervisor({
+      vault: moduleState({ short: "vault", status: "restarting" }),
+    });
+    expect(classifyUpstream("vault", { supervisor: sup })).toBe("transient");
+  });
+
+  test("status=crashed → persistent", () => {
+    const sup = stubSupervisor({
+      vault: moduleState({ short: "vault", status: "crashed" }),
+    });
+    expect(classifyUpstream("vault", { supervisor: sup })).toBe("persistent");
+  });
+
+  test("status=stopped → persistent", () => {
+    const sup = stubSupervisor({
+      vault: moduleState({ short: "vault", status: "stopped" }),
+    });
+    expect(classifyUpstream("vault", { supervisor: sup })).toBe("persistent");
+  });
+
+  test("status=running, inside boot window → transient", () => {
+    const now = 1_700_000_000_000;
+    const startedAt = new Date(now - 10_000).toISOString(); // 10s ago
+    const sup = stubSupervisor({
+      vault: moduleState({ short: "vault", status: "running", startedAt }),
+    });
+    expect(classifyUpstream("vault", { supervisor: sup, now: () => now })).toBe("transient");
+  });
+
+  test("status=running, outside boot window → persistent", () => {
+    const now = 1_700_000_000_000;
+    const startedAt = new Date(now - 60_000).toISOString(); // 60s ago
+    const sup = stubSupervisor({
+      vault: moduleState({ short: "vault", status: "running", startedAt }),
+    });
+    expect(classifyUpstream("vault", { supervisor: sup, now: () => now })).toBe("persistent");
+  });
+
+  test("status=running, exactly at boot-window boundary → persistent", () => {
+    // The check is strict-less-than, so exactly 30s falls into persistent.
+    const now = 1_700_000_000_000;
+    const startedAt = new Date(now - 30_000).toISOString();
+    const sup = stubSupervisor({
+      vault: moduleState({ short: "vault", status: "running", startedAt }),
+    });
+    expect(classifyUpstream("vault", { supervisor: sup, now: () => now })).toBe("persistent");
+  });
+
+  test("status=running, missing startedAt → persistent", () => {
+    // Can't classify a running module without a start time; safer to call
+    // persistent and let the operator hit refresh than to lie that it's
+    // booting.
+    const sup = stubSupervisor({
+      vault: moduleState({ short: "vault", status: "running" }),
+    });
+    expect(classifyUpstream("vault", { supervisor: sup })).toBe("persistent");
+  });
+
+  test("custom boot window honored", () => {
+    const now = 1_700_000_000_000;
+    const startedAt = new Date(now - 5_000).toISOString(); // 5s ago
+    const sup = stubSupervisor({
+      vault: moduleState({ short: "vault", status: "running", startedAt }),
+    });
+    expect(
+      classifyUpstream("vault", { supervisor: sup, now: () => now, bootWindowMs: 2_000 }),
+    ).toBe("persistent");
+    expect(
+      classifyUpstream("vault", { supervisor: sup, now: () => now, bootWindowMs: 10_000 }),
+    ).toBe("transient");
+  });
+
+  test("module not tracked → falls back to pidfile path", () => {
+    // Empty supervisor map. Classifier must call through to processState;
+    // we inject a stub via readProcessState.
+    const sup = stubSupervisor({});
+    const opts: ClassifyOpts = {
+      supervisor: sup,
+      readProcessState: () => ({ status: "unknown" }),
+    };
+    expect(classifyUpstream("vault", opts)).toBe("persistent");
+  });
+});
+
+describe("classifyUpstream — on-box CLI mode (no supervisor)", () => {
+  test("running pidfile inside boot window → transient", () => {
+    const now = 1_700_000_000_000;
+    const opts: ClassifyOpts = {
+      now: () => now,
+      readProcessState: () => ({
+        status: "running",
+        pid: 12345,
+        startedAt: new Date(now - 5_000), // 5s old pidfile
+      }),
+    };
+    expect(classifyUpstream("vault", opts)).toBe("transient");
+  });
+
+  test("running pidfile outside boot window → persistent", () => {
+    const now = 1_700_000_000_000;
+    const opts: ClassifyOpts = {
+      now: () => now,
+      readProcessState: () => ({
+        status: "running",
+        pid: 12345,
+        startedAt: new Date(now - 60_000),
+      }),
+    };
+    expect(classifyUpstream("vault", opts)).toBe("persistent");
+  });
+
+  test("stopped pidfile (stale) → persistent", () => {
+    const opts: ClassifyOpts = {
+      readProcessState: () => ({ status: "stopped", pid: 12345 }),
+    };
+    expect(classifyUpstream("vault", opts)).toBe("persistent");
+  });
+
+  test("no pidfile (unknown) → persistent", () => {
+    const opts: ClassifyOpts = {
+      readProcessState: () => ({ status: "unknown" }),
+    };
+    expect(classifyUpstream("vault", opts)).toBe("persistent");
+  });
+
+  test("readProcessState throws → persistent (defensive)", () => {
+    // pidfile read can race with cleanup. Don't blow up the proxy.
+    const opts: ClassifyOpts = {
+      readProcessState: () => {
+        throw new Error("ENOENT");
+      },
+    };
+    expect(classifyUpstream("vault", opts)).toBe("persistent");
+  });
+
+  test("integration with real processState — running pid is alive + fresh mtime", () => {
+    // Write a real pidfile pointing at this test process (always alive),
+    // so `defaultAlive` returns true. Pidfile mtime will be ~now, so it
+    // falls inside the boot window.
+    const dir = mkdtempSync(join(tmpdir(), "proxy-state-"));
+    try {
+      writePid("vault", process.pid, dir);
+      expect(classifyUpstream("vault", { configDir: dir })).toBe("transient");
+    } finally {
+      rmSync(dir, { recursive: true, force: true });
+    }
+  });
+});

package/src/__tests__/resource-binding.test.ts

@@ -0,0 +1,97 @@
+import { describe, expect, test } from "bun:test";
+import { narrowResourceVaultScopes, resolveResourceVault } from "../resource-binding.ts";
+
+const ORIGIN = "https://hub.example";
+const BOUND = [ORIGIN, "http://127.0.0.1:1939"];
+
+describe("resolveResourceVault", () => {
+  test("resolves a per-vault MCP resource to the vault name", () => {
+    expect(resolveResourceVault(`${ORIGIN}/vault/jon/mcp`, BOUND)).toBe("jon");
+  });
+
+  test("tolerates a trailing slash on the MCP path", () => {
+    expect(resolveResourceVault(`${ORIGIN}/vault/jon/mcp/`, BOUND)).toBe("jon");
+  });
+
+  test("ignores query string + fragment", () => {
+    expect(resolveResourceVault(`${ORIGIN}/vault/jon/mcp?x=1#y`, BOUND)).toBe("jon");
+  });
+
+  test("resolves the PRM document URL to the vault name", () => {
+    expect(
+      resolveResourceVault(`${ORIGIN}/vault/jon/.well-known/oauth-protected-resource`, BOUND),
+    ).toBe("jon");
+  });
+
+  test("resolves against a non-issuer bound origin (loopback)", () => {
+    expect(resolveResourceVault("http://127.0.0.1:1939/vault/work/mcp", BOUND)).toBe("work");
+  });
+
+  test("returns null for an off-origin resource (not one we front)", () => {
+    expect(resolveResourceVault("https://evil.example/vault/jon/mcp", BOUND)).toBeNull();
+  });
+
+  test("returns null for a non-vault path", () => {
+    expect(resolveResourceVault(`${ORIGIN}/scribe/mcp`, BOUND)).toBeNull();
+    expect(resolveResourceVault(`${ORIGIN}/vault/jon`, BOUND)).toBeNull();
+    expect(resolveResourceVault(`${ORIGIN}/vault/jon/notes`, BOUND)).toBeNull();
+  });
+
+  test("returns null for absent / empty / malformed resource", () => {
+    expect(resolveResourceVault(null, BOUND)).toBeNull();
+    expect(resolveResourceVault(undefined, BOUND)).toBeNull();
+    expect(resolveResourceVault("", BOUND)).toBeNull();
+    expect(resolveResourceVault("not a url", BOUND)).toBeNull();
+  });
+
+  test("does not collapse a deeper vault sub-path into the MCP shape", () => {
+    // `/vault/jon/mcp/extra` is not the canonical MCP endpoint.
+    expect(resolveResourceVault(`${ORIGIN}/vault/jon/mcp/extra`, BOUND)).toBeNull();
+  });
+
+  test("rejects a vault segment that isn't a well-formed vault name (no junk mint)", () => {
+    // A crafted `resource=…/vault/%2F..%2Fadmin/mcp` decodes to `/../admin`,
+    // which is not `[a-zA-Z0-9_-]+`. Returning null falls through to the
+    // unbound flow — no narrowing, no token stamped `aud=vault./../admin`.
+    expect(resolveResourceVault(`${ORIGIN}/vault/%2F..%2Fadmin/mcp`, BOUND)).toBeNull();
+    // Spaces / dots / slashes in the decoded name are all out of shape.
+    expect(resolveResourceVault(`${ORIGIN}/vault/a.b/mcp`, BOUND)).toBeNull();
+  });
+
+  test("returns null for a malformed percent-escape in the vault segment (safeDecode catch path)", () => {
+    // `%GG` is not a valid percent-escape — `decodeURIComponent` throws; the
+    // helper must degrade to null rather than 500 the authorize handler.
+    expect(resolveResourceVault(`${ORIGIN}/vault/%GG/mcp`, BOUND)).toBeNull();
+  });
+});
+
+describe("narrowResourceVaultScopes", () => {
+  test("narrows unnamed vault verbs to the named form", () => {
+    expect(narrowResourceVaultScopes(["vault:read", "vault:write"], "jon")).toEqual([
+      "vault:jon:read",
+      "vault:jon:write",
+    ]);
+  });
+
+  test("leaves already-named scopes for other vaults untouched", () => {
+    expect(narrowResourceVaultScopes(["vault:other:read"], "jon")).toEqual(["vault:other:read"]);
+  });
+
+  test("passes non-vault scopes through unchanged", () => {
+    expect(narrowResourceVaultScopes(["scribe:transcribe", "vault:read"], "jon")).toEqual([
+      "scribe:transcribe",
+      "vault:jon:read",
+    ]);
+  });
+
+  test("narrows the admin verb too (gate happens downstream)", () => {
+    // narrowResourceVaultScopes only rewrites shape; the non-requestable gate
+    // (`vault:<name>:admin`) blocks it afterward.
+    expect(narrowResourceVaultScopes(["vault:admin"], "jon")).toEqual(["vault:jon:admin"]);
+  });
+
+  test("is idempotent over an already-narrowed list", () => {
+    const once = narrowResourceVaultScopes(["vault:read"], "jon");
+    expect(narrowResourceVaultScopes(once, "jon")).toEqual(once);
+  });
+});

package/src/__tests__/scope-explanations.test.ts

@@ -5,6 +5,7 @@ import {
   SCOPE_EXPLANATIONS,
   explainScope,
   isRequestableScope,
+  isWellFormedOrNonVaultScope,
   scopeIsAdmin,
 } from "../scope-explanations.ts";
 
@@ -133,3 +134,38 @@ describe("isRequestableScope", () => {
     expect(isRequestableScope("vault:work:write")).toBe(true);
   });
 });
+
+// Mint-time shape guard (defensive hygiene, audit 2026-05-28). Rejects only the
+// *named* three-segment vault shape when malformed; leaves the unnamed two-
+// segment forms and all non-vault scopes alone.
+describe("isWellFormedOrNonVaultScope", () => {
+  test("rejects the four audited malformed named-vault forms", () => {
+    expect(isWellFormedOrNonVaultScope("vault:work:ADMIN")).toBe(false); // uppercase verb
+    expect(isWellFormedOrNonVaultScope("vault::admin")).toBe(false); // empty name
+    expect(isWellFormedOrNonVaultScope("vault:work:read:admin")).toBe(false); // extra segment
+    expect(isWellFormedOrNonVaultScope("VAULT:work:admin")).toBe(false); // uppercase resource
+  });
+
+  test("admits well-formed named-vault scopes (all three verbs)", () => {
+    expect(isWellFormedOrNonVaultScope("vault:work:read")).toBe(true);
+    expect(isWellFormedOrNonVaultScope("vault:work:write")).toBe(true);
+    expect(isWellFormedOrNonVaultScope("vault:work:admin")).toBe(true);
+    expect(isWellFormedOrNonVaultScope("vault:my-techne_2:admin")).toBe(true);
+  });
+
+  test("admits the unnamed two-segment vault forms (out of remit)", () => {
+    expect(isWellFormedOrNonVaultScope("vault:read")).toBe(true);
+    expect(isWellFormedOrNonVaultScope("vault:write")).toBe(true);
+    expect(isWellFormedOrNonVaultScope("vault:admin")).toBe(true);
+    expect(isWellFormedOrNonVaultScope("vault")).toBe(true); // bare, no colon
+  });
+
+  test("admits all non-vault scopes unconditionally", () => {
+    expect(isWellFormedOrNonVaultScope("scribe:transcribe")).toBe(true);
+    expect(isWellFormedOrNonVaultScope("parachute:host:auth")).toBe(true);
+    expect(isWellFormedOrNonVaultScope("parachute:host:admin")).toBe(true);
+    expect(isWellFormedOrNonVaultScope("hub:admin")).toBe(true);
+    // A three-segment non-vault scope is not constrained even if malformed-looking.
+    expect(isWellFormedOrNonVaultScope("scribe:work:ADMIN")).toBe(true);
+  });
+});

package/src/__tests__/serve.test.ts

@@ -52,11 +52,11 @@ describe("seedInitialAdminIfNeeded", () => {
     expect(log.mock.calls[0]?.[0] ?? "").toContain("ops");
     // Multi-user Phase 1 (design 2026-05-20-multi-user-phase-1.md §wizard
     // interaction): env-seeded admin chose their password via env vars, so
-    // skip the force-change-password redirect. `assignedVault` stays null
-    // — admin posture.
+    // skip the force-change-password redirect. `assignedVaults` stays []
+    // — admin posture (multi-user Phase 2 PR 2 lifted single → array).
     const seeded = getUserByUsername(db, "ops");
     expect(seeded?.passwordChanged).toBe(true);
-    expect(seeded?.assignedVault).toBeNull();
+    expect(seeded?.assignedVaults).toEqual([]);
   });
 
   test("returns 'exists' when an admin already exists, even with env vars set", async () => {
@@ -287,12 +287,12 @@ describe("resolveStartupIssuer — precedence chain (hub#365)", () => {
   test("strips trailing slashes from any source for canonical form", () => {
     expect(resolveStartupIssuer({ issuer: "https://x.example/" }, {})).toBe("https://x.example");
     expect(resolveStartupIssuer({ issuer: "https://x.example//" }, {})).toBe("https://x.example");
-    expect(
-      resolveStartupIssuer({}, { PARACHUTE_HUB_ORIGIN: "https://x.example/" }),
-    ).toBe("https://x.example");
-    expect(
-      resolveStartupIssuer({}, { RENDER_EXTERNAL_URL: "https://x.example/" }),
-    ).toBe("https://x.example");
+    expect(resolveStartupIssuer({}, { PARACHUTE_HUB_ORIGIN: "https://x.example/" })).toBe(
+      "https://x.example",
+    );
+    expect(resolveStartupIssuer({}, { RENDER_EXTERNAL_URL: "https://x.example/" })).toBe(
+      "https://x.example",
+    );
   });
 
   test("returns undefined when no source has a value", () => {