@openparachute/hub 0.5.13 → 0.5.14-rc.10

package/src/bun-link.ts

@@ -0,0 +1,55 @@
+/**
+ * bun-link detection — shared helper used by both the CLI install path
+ * (`commands/install.ts`) and the API/wizard install path (`api-modules-ops.ts`).
+ *
+ * "Linked" means a global symlink shape under `~/.bun/install/global/node_modules/<pkg>`
+ * created by `bun link` (from a local checkout). When the package is already linked,
+ * `bun add -g <pkg>` is at best a wasted npm round-trip (~3s) and at worst a hard
+ * failure when the global bun.lock has unrelated noise — neither outcome is desirable
+ * given the linked checkout already provides the binary on PATH.
+ *
+ * Both install paths gate the `bun add -g` call on `isLinked(pkg) === false`.
+ * Centralizing the detection here keeps the CLI and wizard in lockstep — diverging
+ * (as the wizard did pre-hub#433) is the bug class this module exists to prevent.
+ */
+
+import { lstatSync } from "node:fs";
+import { homedir } from "node:os";
+import { join } from "node:path";
+
+/**
+ * The set of bun global-prefix locations to probe for a `<pkg>` symlink.
+ * Honors `BUN_INSTALL` (the canonical override) before falling back to the
+ * default `~/.bun` layout. Order matters — env-set prefix wins on a custom
+ * bun layout (containers, CI).
+ */
+export function bunGlobalPrefixes(): string[] {
+  const prefixes: string[] = [];
+  const fromEnv = process.env.BUN_INSTALL;
+  if (fromEnv) prefixes.push(join(fromEnv, "install", "global", "node_modules"));
+  prefixes.push(join(homedir(), ".bun", "install", "global", "node_modules"));
+  return prefixes;
+}
+
+/**
+ * True iff `<pkg>` resolves to a symlink under any bun global prefix —
+ * i.e. the package was installed via `bun link` from a local checkout
+ * rather than `bun add -g` from npm. Used to short-circuit `bun add -g`
+ * in both the CLI and the wizard install paths.
+ *
+ * Scoped packages (`@openparachute/vault`) are split on `/` so the probe
+ * lands at `<prefix>/@openparachute/vault`. Non-symlink resolutions
+ * (real dir from `bun add -g`) return false — we only want to skip the
+ * `bun add -g` when the symlink-shape is in place.
+ */
+export function isLinked(pkg: string): boolean {
+  for (const prefix of bunGlobalPrefixes()) {
+    const path = join(prefix, ...pkg.split("/"));
+    try {
+      if (lstatSync(path).isSymbolicLink()) return true;
+    } catch {
+      // Not present at this prefix; try the next.
+    }
+  }
+  return false;
+}

package/src/chrome-strip.ts

@@ -13,7 +13,7 @@
  * (above that threshold the response is almost certainly not an HTML shell
  * anyway — SPA index.html files are < 16 KB in this ecosystem).
  *
- * Opt-out: hub-side path-prefix deny list. The Notes PWA at `/app/notes/*`
+ * Opt-out: hub-side path-prefix deny list. The Notes PWA at `/surface/notes/*`
  * is the canonical opt-out — it owns its own chrome (see design-system §7
  * "Where NOT to inject" + AUDIT §4: "Notes is the proof this can work: own
  * application, looks distinctively Notes, reads as Parachute because the
@@ -22,7 +22,7 @@
  * Why path-based and not module-declared:
  *   - Notes is a `uis[]` sub-unit of parachute-app, not its own module —
  *     adding `chrome: "off"` to parachute-app's module.json would suppress
- *     chrome on `/app/admin/*` too (wrong: that surface SHOULD get chrome).
+ *     chrome on `/surface/admin/*` too (wrong: that surface SHOULD get chrome).
  *   - The per-uis well-known fan-out (workstream C/4) is in flight but the
  *     hub side doesn't yet thread per-uis metadata into proxy dispatch.
  *   - HTML meta-tag peeking adds parsing overhead on every response.
@@ -46,10 +46,10 @@ import { CSRF_FIELD_NAME, ensureCsrfToken } from "./csrf.ts";
  * prefix" or "pathname startsWith prefix" — the same shape as
  * `findServiceUpstream`'s mount comparison.
  *
- * `/app/notes/` covers the Notes PWA bundled by parachute-app. Notes is a
+ * `/surface/notes/` covers the Notes PWA bundled by parachute-app. Notes is a
  * destination, not chrome; it owns its own header (see design-system.md §7).
  */
-export const CHROME_OPT_OUT_PREFIXES: readonly string[] = ["/app/notes/"];
+export const CHROME_OPT_OUT_PREFIXES: readonly string[] = ["/surface/notes/"];
 
 /**
  * Buffer size cap. Responses larger than this are passed through unchanged.
@@ -208,8 +208,8 @@ function renderSignedOutCluster(nextPath: string): string {
  * when any opt-out prefix matches (`pathname === prefix` or
  * `pathname startsWith prefix`).
  *
- * Match shape mirrors `findServiceUpstream` so an opt-out for `"/app/notes/"`
- * suppresses chrome for `/app/notes`, `/app/notes/`, and every sub-path.
+ * Match shape mirrors `findServiceUpstream` so an opt-out for `"/surface/notes/"`
+ * suppresses chrome for `/surface/notes`, `/surface/notes/`, and every sub-path.
  */
 export function shouldInjectChrome(
   pathname: string,

package/src/cli.ts

@@ -10,6 +10,7 @@ import pkg from "../package.json" with { type: "json" };
 import { CloudflaredStateError } from "./cloudflare/state.ts";
 import { auth } from "./commands/auth.ts";
 import { exposePublic, exposeTailnet } from "./commands/expose.ts";
+import { init } from "./commands/init.ts";
 import { install } from "./commands/install.ts";
 import { logs, restart, start, stop } from "./commands/lifecycle.ts";
 import { migrate } from "./commands/migrate.ts";
@@ -18,15 +19,18 @@ import { setup } from "./commands/setup.ts";
 import { status } from "./commands/status.ts";
 import { upgrade } from "./commands/upgrade.ts";
 import { dispatchVault } from "./commands/vault.ts";
+import { runSetupWizardCommand } from "./commands/wizard.ts";
 import { ExposeStateError } from "./expose-state.ts";
 import {
   exposeHelp,
+  initHelp,
   installHelp,
   logsHelp,
   migrateHelp,
   restartHelp,
   serveHelp,
   setupHelp,
+  setupWizardHelp,
   startHelp,
   statusHelp,
   stopHelp,
@@ -305,6 +309,76 @@ async function main(argv: string[]): Promise<number> {
       return await setup(setupOpts);
     }
 
+    case "setup-wizard": {
+      // hub#168 Cut 3 — the in-terminal mirror of /admin/setup. Distinct
+      // from `parachute setup` (which is the multi-pick install
+      // walk-through, not a wizard-handler frontend). Both surfaces stay
+      // — `parachute setup` is the historical "install + configure
+      // services" entry; `parachute setup-wizard` drives the same
+      // handlers the browser wizard uses.
+      if (isHelpFlag(rest[0])) {
+        console.log(setupWizardHelp());
+        return 0;
+      }
+      return await runSetupWizardCommand(rest);
+    }
+
+    case "init": {
+      if (isHelpFlag(rest[0])) {
+        console.log(initHelp());
+        return 0;
+      }
+      const exposeExtract = extractNamedFlag(rest, "--expose");
+      if (exposeExtract.error) {
+        console.error(`parachute init: ${exposeExtract.error}`);
+        return 1;
+      }
+      if (
+        exposeExtract.value !== undefined &&
+        exposeExtract.value !== "none" &&
+        exposeExtract.value !== "tailnet" &&
+        exposeExtract.value !== "cloudflare"
+      ) {
+        console.error(
+          `parachute init: --expose must be one of none|tailnet|cloudflare (got "${exposeExtract.value}")`,
+        );
+        return 1;
+      }
+      const noBrowser = exposeExtract.rest.includes("--no-browser");
+      const noExposePrompt = exposeExtract.rest.includes("--no-expose-prompt");
+      const cliWizard = exposeExtract.rest.includes("--cli-wizard");
+      const browserWizard = exposeExtract.rest.includes("--browser-wizard");
+      const known = new Set([
+        "--no-browser",
+        "--no-expose-prompt",
+        "--cli-wizard",
+        "--browser-wizard",
+      ]);
+      const unknown = exposeExtract.rest.find((a) => !known.has(a));
+      if (unknown !== undefined) {
+        console.error(`parachute init: unknown argument "${unknown}"`);
+        console.error(
+          "usage: parachute init [--no-browser] [--no-expose-prompt]\n" +
+            "                     [--expose none|tailnet|cloudflare]\n" +
+            "                     [--cli-wizard | --browser-wizard]",
+        );
+        return 1;
+      }
+      if (cliWizard && browserWizard) {
+        console.error("parachute init: --cli-wizard and --browser-wizard are mutually exclusive.");
+        return 1;
+      }
+      const initOpts: Parameters<typeof init>[0] = {};
+      if (noBrowser) initOpts.noBrowser = true;
+      if (noExposePrompt) initOpts.noExposePrompt = true;
+      if (exposeExtract.value) {
+        initOpts.exposeChoice = exposeExtract.value as "none" | "tailnet" | "cloudflare";
+      }
+      if (cliWizard) initOpts.wizardChoice = "cli";
+      else if (browserWizard) initOpts.wizardChoice = "browser";
+      return await init(initOpts);
+    }
+
     case "install": {
       if (isHelpFlag(rest[0])) {
         console.log(installHelp());
@@ -627,14 +701,17 @@ async function main(argv: string[]): Promise<number> {
         return 0;
       }
       const dryRun = rest.includes("--dry-run");
+      const list = rest.includes("--list");
       const yes = rest.includes("--yes") || rest.includes("-y");
-      const unknown = rest.find((a) => a !== "--dry-run" && a !== "--yes" && a !== "-y");
+      const unknown = rest.find(
+        (a) => a !== "--dry-run" && a !== "--list" && a !== "--yes" && a !== "-y",
+      );
       if (unknown !== undefined) {
         console.error(`parachute migrate: unknown argument "${unknown}"`);
-        console.error("usage: parachute migrate [--dry-run] [--yes]");
+        console.error("usage: parachute migrate [--list] [--dry-run] [--yes]");
         return 1;
       }
-      return await migrate({ dryRun, yes });
+      return await migrate({ dryRun, list, yes });
     }
 
     case "serve": {
@@ -672,32 +749,24 @@ async function main(argv: string[]): Promise<number> {
       // after `vault` (including --help) is passed through verbatim.
       if (rest.length === 0) return await dispatchVault(["--help"]);
 
-      // `parachute vault tokens create` in a TTY with no scope-narrowing flag
-      // → guided flow. Any of --scope / --read / --permission means the user
-      // has already decided, so we stay out of the way. Non-TTY always
-      // bypasses (no way to answer a prompt). Label is orthogonal — the
-      // guided flow prompts for it only if --label wasn't supplied.
-      const wantsGuidedTokenCreate =
-        rest[0] === "tokens" &&
-        rest[1] === "create" &&
-        isTtyInteractive() &&
-        !rest.includes("--scope") &&
-        !rest.includes("--read") &&
-        !rest.includes("--permission") &&
-        !isHelpFlag(rest[2]);
-      if (wantsGuidedTokenCreate) {
-        const { runVaultTokensCreateInteractive } = await import(
-          "./commands/vault-tokens-create-interactive.ts"
-        );
-        return await runVaultTokensCreateInteractive({ args: rest.slice(2) });
-      }
-
+      // Everything under `vault` forwards transparently to `parachute-vault`.
+      // `vault tokens create` used to route through a guided interactive
+      // wrapper, but the pvt_* DROP (vault#412 / hub#466) removed that vault
+      // subcommand — it now exits 1 with migration guidance. Access tokens are
+      // hub-issued JWTs; mint them with `parachute auth mint-token` or the
+      // admin SPA Connect card. We forward verbatim so the operator sees
+      // vault's own migration error rather than a hub-side stub.
       return await dispatchVault(rest);
     }
 
     default:
       console.error(`parachute: unknown command "${command}"`);
-      console.error("run `parachute --help` for usage");
+      console.error("");
+      console.error("If this is a fresh install, start here:");
+      console.error("  parachute init        # get the admin wizard going");
+      console.error("");
+      console.error("Or see all commands:");
+      console.error("  parachute --help");
       return 1;
   }
 }

package/src/cloudflare/config.ts

@@ -2,8 +2,6 @@ import { mkdirSync, writeFileSync } from "node:fs";
 import { dirname, join } from "node:path";
 import { CONFIG_DIR } from "../config.ts";
 
-export const CLOUDFLARED_DIR = join(CONFIG_DIR, "cloudflared");
-
 export const DEFAULT_TUNNEL_NAME = "parachute";
 
 /**
@@ -16,12 +14,20 @@ export const DEFAULT_TUNNEL_NAME = "parachute";
  * location change from pre-#32 (`~/.parachute/cloudflared/config.yml`).
  * Re-running `parachute expose public --cloudflare` regenerates the file
  * at the new path; the legacy file is left in place but unused.
+ *
+ * `configDir` overrides the base (`~/.parachute` by default). Tests pass a
+ * tmp dir so per-tunnel-derived paths never resolve against the operator's
+ * real `CONFIG_DIR` — otherwise running the suite scribbles fixture
+ * config.yml + log files into `~/.parachute/cloudflared/<name>/`.
  */
-export function cloudflaredPathsFor(tunnelName: string): {
+export function cloudflaredPathsFor(
+  tunnelName: string,
+  configDir: string = CONFIG_DIR,
+): {
   configPath: string;
   logPath: string;
 } {
-  const dir = join(CLOUDFLARED_DIR, tunnelName);
+  const dir = join(configDir, "cloudflared", tunnelName);
   return {
     configPath: join(dir, "config.yml"),
     logPath: join(dir, "cloudflared.log"),

package/src/cloudflare/detect.ts

@@ -45,14 +45,81 @@ export function isCloudflaredLoggedIn(cloudflaredHome: string = DEFAULT_CLOUDFLA
   return existsSync(join(cloudflaredHome, "cert.pem"));
 }
 
-export function cloudflaredInstallHint(platform: NodeJS.Platform = process.platform): string {
-  const url =
-    "https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/";
+/**
+ * Cloudflare's "Downloads" page (developers.cloudflare.com/cloudflare-one/
+ * connections/connect-networks/downloads/) churns markdown anchors; pkg.cloudflare.com
+ * paths the older instructions referenced now serve HTML / 404. Aaron hit
+ * the failure mode on a fresh Amazon Linux 2023 EC2 install (2026-05-27):
+ * `sudo dnf install cloudflared` returned 'No match for argument:
+ * cloudflared'. The reliable cross-distro path is grabbing the static
+ * binary from Cloudflare's GitHub releases.
+ *
+ * Canonical install paths:
+ *
+ *   macOS  → `brew install cloudflared` (homebrew is the documented path)
+ *   Linux  → architecture-specific binary from GitHub releases
+ *   other  → the binary-download path is still the best generic answer
+ *
+ * The `arch` parameter is the architecture string in `process.arch`
+ * shape (`x64`, `arm64`, `arm`). Mapped to the suffix cloudflared uses
+ * in its release artifacts (`amd64`, `arm64`, `arm`). Unknown arches
+ * fall through to a generic pointer at the releases page.
+ */
+export function cloudflaredInstallHint(
+  platform: NodeJS.Platform = process.platform,
+  arch: NodeJS.Architecture = process.arch,
+): string {
   if (platform === "darwin") {
-    return `Install cloudflared:\n  brew install cloudflared\n(or see ${url})`;
+    return [
+      "Install cloudflared:",
+      "  brew install cloudflared",
+      "",
+      "(or download a static binary from",
+      "  https://github.com/cloudflare/cloudflared/releases/latest)",
+    ].join("\n");
   }
   if (platform === "linux") {
-    return `Install cloudflared: ${url}`;
+    const suffix = linuxArtifactSuffix(arch);
+    if (suffix) {
+      return [
+        "Install cloudflared (static binary — works across distros):",
+        `  curl -L -o /usr/local/bin/cloudflared \\`,
+        `    https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-${suffix}`,
+        "  sudo chmod +x /usr/local/bin/cloudflared",
+        "  cloudflared --version",
+        "",
+        "(distro packages are unreliable across versions; the GitHub release is the canonical path.)",
+      ].join("\n");
+    }
+    return [
+      "Install cloudflared from the official binary release:",
+      "  https://github.com/cloudflare/cloudflared/releases/latest",
+      `(pick the linux-* artifact matching your architecture; your arch is "${arch}")`,
+    ].join("\n");
+  }
+  return [
+    "Install cloudflared from the official binary release:",
+    "  https://github.com/cloudflare/cloudflared/releases/latest",
+  ].join("\n");
+}
+
+/**
+ * Map a Node `process.arch` to the suffix Cloudflare uses for its
+ * cloudflared-linux-* release artifacts. Returns undefined for arches
+ * that don't have a published artifact (we surface a generic pointer
+ * in that case instead of fabricating a download URL that 404s).
+ */
+function linuxArtifactSuffix(arch: NodeJS.Architecture): string | undefined {
+  switch (arch) {
+    case "x64":
+      return "amd64";
+    case "arm64":
+      return "arm64";
+    case "arm":
+      return "arm";
+    case "ia32":
+      return "386";
+    default:
+      return undefined;
   }
-  return `Install cloudflared: ${url}`;
 }

package/src/commands/expose-auth-preflight.ts

@@ -2,20 +2,28 @@
  * Post-exposure auth nudge. Runs after `parachute expose public` successfully
  * brings a tunnel up (TTY only). The tunnel is already live; this is purely
  * advisory — we never error the exposure flow regardless of what the user
- * chooses. The goal is to catch the "fresh vault, just went public, no
- * password or tokens set" trap before someone else finds it first.
+ * chooses. The goal is to catch the "fresh vault, just went public, no auth
+ * configured" trap before someone else finds it first.
  *
- * Four states we branch on, based on {@link VaultAuthStatus}:
+ * The load-bearing signal is the **owner password**. Post-pvt_*-DROP (vault
+ * #412 / hub#466), the vault `tokens` table holds only vestigial pvt_* rows;
+ * a non-zero count no longer means "API auth is configured." Access is now
+ * hub-issued JWTs, minted against the operator's identity — and minting that
+ * identity requires the owner password (browser OAuth) or the operator token
+ * that `set-password` seeds. So "has an owner password" is the single gate
+ * that tells us whether *any* authenticated access is reachable. We branch
+ * purely on password + 2FA; we no longer count vault-DB rows for the auth
+ * decision.
  *
- *   - neither password nor tokens: loud warning + offer to set up each.
+ * Three states we branch on, based on {@link VaultAuthStatus}:
+ *
+ *   - no owner password: loud warning — the exposure is wide open. Offer to
+ *     set a password (+ 2FA), and point at the hub-JWT mint path for clients.
  *   - password, no 2FA: shorter "recommend 2FA" nudge.
- *   - tokens but no password: OAuth isn't set up; offer to add a password.
- *   - `tokenCount === null`: couldn't read the DB; advisory only, no prompts
- *     that depend on token state.
- *   - all set: one-line "looks good" (the quiet path).
+ *   - password + 2FA: one-line "looks good" (the quiet path).
  *
  * Defaults are always "skip" — Enter declines every prompt. User can always
- * run `parachute auth …` or `parachute vault tokens create` later.
+ * run `parachute auth set-password` / `parachute auth mint-token …` later.
  */
 
 import { createInterface } from "node:readline/promises";
@@ -106,10 +114,25 @@ async function offerTotp(r: Resolved): Promise<void> {
   }
 }
 
-async function offerTokenCreate(r: Resolved): Promise<void> {
-  if (await yesNo(r, "Create an API token now?")) {
-    await runCmd(r, ["parachute", "vault", "tokens", "create"], "parachute vault tokens create");
-  }
+/**
+ * Programmatic / headless clients don't use a password — they carry a
+ * hub-issued JWT. We don't auto-mint one here (it needs a scope, and the
+ * operator should choose read vs write per client), so this is guidance,
+ * not a prompt. Mint paths, in order of how most operators reach them:
+ *
+ *   - Admin SPA → Vaults → "Connect" card (mints + shows the header command).
+ *   - `parachute auth mint-token --scope vault:<name>:<verb>` (pipeable JWT).
+ *
+ * The old affordance ran `parachute vault tokens create`, which exits 1
+ * post-DROP (vault no longer mints pvt_* tokens) — we never offer it.
+ */
+function printTokenGuidance(r: Resolved): void {
+  const name = r.status.vaultNames[0] ?? "<name>";
+  r.log("");
+  r.log("For programmatic / headless clients (scripts, CI), mint a hub token:");
+  r.log("  • Admin → Vaults → Connect  (mints a scope-narrow token + copy-paste header)");
+  r.log(`  • parachute auth mint-token --scope vault:${name}:read   # or :write`);
+  r.log("    → attach the printed JWT as  Authorization: Bearer <hub-jwt>");
 }
 
 function printDivider(r: Resolved): void {
@@ -118,24 +141,27 @@ function printDivider(r: Resolved): void {
 }
 
 /**
- * `neither password nor tokens`: the exposure is wide open — anyone who
- * finds the URL can talk to the vault. The loudest warning we draw.
+ * `no owner password`: the exposure is wide open — without a password,
+ * nobody can sign in and no hub JWT can be minted, so there's no auth gate
+ * at all. The loudest warning we draw.
  */
 async function handleWideOpen(r: Resolved): Promise<void> {
   printDivider(r);
-  r.log("⚠  No owner password and no API tokens are configured.");
+  r.log("⚠  No owner password is configured.");
   r.log("   The tunnel is reachable from the public internet RIGHT NOW.");
   r.log("   Anyone with the URL can make requests until you set auth up.");
   r.log("");
-  r.log("Recommended: set an owner password (enables the browser sign-in flow)");
-  r.log("and/or create an API token (for programmatic clients).");
+  r.log("Recommended: set an owner password — it's the gate for both browser");
+  r.log("sign-in (OAuth) and minting hub tokens for programmatic clients.");
   r.log("");
   await offerOwnerPassword(r);
   // Offer 2FA regardless of the password step outcome: we can't observe it
   // from outside the subprocess, and vault itself will reject a 2fa enroll
   // if there's no password yet, surfacing the real error to the user.
   await offerTotp(r);
-  await offerTokenCreate(r);
+  // Programmatic-client guidance is informational (no auto-mint) — print it
+  // so the operator knows the headless path exists, not the dead pvt_* one.
+  printTokenGuidance(r);
   printDivider(r);
 }
 
@@ -151,52 +177,24 @@ async function handlePasswordNoTotp(r: Resolved): Promise<void> {
 }
 
 /**
- * `tokens exist, no password`: vault is authenticated for API clients but
- * nobody can sign in through a browser — the hub's OAuth flow is dead in
- * the water. Offer to fix.
- */
-async function handleTokensNoPassword(r: Resolved): Promise<void> {
-  r.log("");
-  r.log("ℹ  API tokens exist, but no owner password is set.");
-  r.log("   Browser sign-in (OAuth) won't work until you add one.");
-  await offerOwnerPassword(r);
-}
-
-/**
- * `tokenCount === null`: SQLite probe failed (DB missing, locked, schema
- * drift, whatever). Don't guess; don't prompt on token state. Nudge 2FA
- * if we know the password is set, otherwise stay quiet.
- */
-async function handleUnknownTokens(r: Resolved): Promise<void> {
-  r.log("");
-  r.log("ℹ  Couldn't read vault token state (vault may be locked or offline).");
-  r.log("   Run `parachute vault tokens list` to check token config yourself.");
-  if (r.status.hasOwnerPassword && !r.status.hasTotp) {
-    r.log("");
-    r.log("   (While you're here: owner password is set, 2FA is not.)");
-    await offerTotp(r);
-  }
-}
-
-/**
- * `all set`: password + 2FA + at least one token. Keep it tight.
+ * `all set`: owner password + 2FA. Keep it tight. (We don't assert on
+ * tokens — a hub JWT is minted on demand, not a standing prerequisite.)
  */
 function handleAllGood(r: Resolved): void {
   r.log("");
-  r.log("✓  Auth config looks good (password + 2FA + API tokens).");
+  r.log("✓  Auth config looks good (owner password + 2FA).");
 }
 
 /**
  * Pick the branch. Pure function of the status — keeps test coverage trivial.
+ *
+ * Owner-password-centric since the pvt_* DROP (hub#466): `tokenCount` is no
+ * longer consulted — those rows are vestigial and minting access now flows
+ * through the owner password, not a standing vault token. Three states.
  */
-function classify(
-  s: VaultAuthStatus,
-): "wide-open" | "password-no-totp" | "tokens-no-password" | "unknown-tokens" | "all-good" {
-  if (s.tokenCount === null) return "unknown-tokens";
-  const hasTokens = s.tokenCount > 0;
-  if (!s.hasOwnerPassword && !hasTokens) return "wide-open";
-  if (!s.hasOwnerPassword && hasTokens) return "tokens-no-password";
-  if (s.hasOwnerPassword && !s.hasTotp) return "password-no-totp";
+function classify(s: VaultAuthStatus): "wide-open" | "password-no-totp" | "all-good" {
+  if (!s.hasOwnerPassword) return "wide-open";
+  if (!s.hasTotp) return "password-no-totp";
   return "all-good";
 }
 
@@ -209,12 +207,6 @@ export async function runAuthPreflight(opts: AuthPreflightOpts = {}): Promise<vo
     case "password-no-totp":
       await handlePasswordNoTotp(r);
       return;
-    case "tokens-no-password":
-      await handleTokensNoPassword(r);
-      return;
-    case "unknown-tokens":
-      await handleUnknownTokens(r);
-      return;
     case "all-good":
       handleAllGood(r);
       return;