@openparachute/hub 0.5.13 → 0.5.14-rc.10

package/src/__tests__/api-mint-token.test.ts

@@ -308,7 +308,7 @@ describe("POST /api/auth/mint-token (hub#212 Phase 1)", () => {
         const body = (await resp.json()) as { error: string; error_description: string };
         expect(body.error).toBe("invalid_scope");
         expect(body.error_description).toContain("parachute:host:auth");
-        expect(body.error_description).toContain("not requestable");
+        expect(body.error_description).toContain("not grantable");
       } finally {
         db.close();
       }
@@ -342,19 +342,98 @@ describe("POST /api/auth/mint-token (hub#212 Phase 1)", () => {
     }
   });
 
-  test("400 invalid_scope when minting vault:<name>:admin (regex non-requestable)", async () => {
+  // De-escalation (PR-A): a `parachute:host:admin` bearer MAY mint a
+  // vault-pinned admin token — host:admin already implies box-wide vault
+  // administration, so narrowing it to one vault is a privilege reduction.
+  // This is the canonical headless path replacing deprecated pvt_* (vault#282).
+  test("200 when host:admin bearer mints vault:<name>:admin (de-escalation)", async () => {
     const h = makeHarness();
     try {
       const { db, userId } = await bootstrap(h.dir);
       try {
+        // The default admin operator scope-set carries parachute:host:admin.
         const op = await mintOperatorToken(db, userId, { issuer: ISSUER });
         const resp = await handleApiMintToken(
           jsonRequest({ scope: "vault:work:admin" }, { authorization: `Bearer ${op.token}` }),
           { db, issuer: ISSUER },
         );
+        expect(resp.status).toBe(200);
+        const body = (await resp.json()) as { jti: string; token: string; scope: string };
+        expect(body.scope).toBe("vault:work:admin");
+        const validated = await validateAccessToken(db, body.token, ISSUER);
+        // Audience must be the per-vault resource so vault's strict-equality
+        // audience check accepts it.
+        expect(validated.payload.aud).toBe("vault.work");
+        expect(validated.payload.scope).toBe("vault:work:admin");
+        // vault_scope is pinned to the named vault (defense-in-depth — the
+        // token can ONLY be used against `work`), matching the canonical
+        // session-path mint in admin-vault-admin-token.ts.
+        expect(validated.payload.vault_scope).toEqual(["work"]);
+        // Registry row written → revocable like any operator mint.
+        const row = db
+          .query<{ jti: string }, [string]>("SELECT jti FROM tokens WHERE jti = ?")
+          .get(body.jti);
+        expect(row).not.toBeNull();
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  // The de-escalation exception is gated on host:admin specifically. A
+  // bearer that only holds `parachute:host:auth` (the narrow auth scope-set)
+  // can mint verb scopes but NOT vault-admin — that would be an escalation.
+  test("400 invalid_scope when auth-only bearer mints vault:<name>:admin", async () => {
+    const h = makeHarness();
+    try {
+      const { db, userId } = await bootstrap(h.dir);
+      try {
+        const op = await mintOperatorToken(db, userId, {
+          issuer: ISSUER,
+          scopeSet: "auth",
+        });
+        const resp = await handleApiMintToken(
+          jsonRequest({ scope: "vault:work:admin" }, { authorization: `Bearer ${op.token}` }),
+          { db, issuer: ISSUER },
+        );
         expect(resp.status).toBe(400);
-        const body = (await resp.json()) as { error: string };
+        const body = (await resp.json()) as { error: string; error_description: string };
         expect(body.error).toBe("invalid_scope");
+        expect(body.error_description).toContain("vault:work:admin");
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  // A bare `vault:admin` (no vault name) is NOT a per-vault admin scope —
+  // the de-escalation exception only covers `vault:<name>:admin`. It isn't
+  // in the non-requestable set either, so it's treated as an ordinary
+  // (unnamed) scope and mints — but with the `vault` fallback audience, not
+  // a per-vault one. Pinned so a future regex loosening can't silently let
+  // an unnamed admin through the named-vault exemption.
+  test("bare vault:admin (no name) is not caught by the de-escalation exemption", async () => {
+    const h = makeHarness();
+    try {
+      const { db, userId } = await bootstrap(h.dir);
+      try {
+        const op = await mintOperatorToken(db, userId, { issuer: ISSUER });
+        const resp = await handleApiMintToken(
+          jsonRequest({ scope: "vault:admin" }, { authorization: `Bearer ${op.token}` }),
+          { db, issuer: ISSUER },
+        );
+        // `vault:admin` isn't a per-vault admin scope and isn't in the
+        // non-requestable set, so it mints as an ordinary scope. The point
+        // of this test is that it does NOT get a per-vault audience/pin.
+        expect(resp.status).toBe(200);
+        const body = (await resp.json()) as { token: string };
+        const validated = await validateAccessToken(db, body.token, ISSUER);
+        expect(validated.payload.aud).toBe("vault");
+        expect(validated.payload.vault_scope).toEqual([]);
       } finally {
         db.close();
       }
@@ -363,6 +442,606 @@ describe("POST /api/auth/mint-token (hub#212 Phase 1)", () => {
     }
   });
 
+  // ── Capability attenuation (hub PR — subsumes hub#449's PR-A carve-out) ──
+  //
+  // A `vault:<name>:admin` bearer may mint a token whose authority is a
+  // SUBSET of its own: same-vault read/write/admin. It can NEVER mint a
+  // cross-vault scope or any host-level authority. We hand-mint the bearer
+  // via signAccessToken (scope `vault:work:admin`, aud `vault.work`,
+  // vaultScope `["work"]`) — mirroring how the SPA / mcp-install obtain one.
+  async function mintVaultAdminBearer(
+    db: ReturnType<typeof openHubDb>,
+    userId: string,
+    vault: string,
+  ): Promise<string> {
+    const signed = await signAccessToken(db, {
+      sub: userId,
+      scopes: [`vault:${vault}:admin`],
+      audience: `vault.${vault}`,
+      clientId: "parachute-hub",
+      issuer: ISSUER,
+      ttlSeconds: 3600,
+      vaultScope: [vault],
+    });
+    return signed.token;
+  }
+
+  describe("capability attenuation — vault:<name>:admin bearer", () => {
+    test("mints vault:work:write → 200, aud=vault.work, vault_scope=[work]", async () => {
+      const h = makeHarness();
+      try {
+        const { db, userId } = await bootstrap(h.dir);
+        try {
+          const bearer = await mintVaultAdminBearer(db, userId, "work");
+          const resp = await handleApiMintToken(
+            jsonRequest({ scope: "vault:work:write" }, { authorization: `Bearer ${bearer}` }),
+            { db, issuer: ISSUER },
+          );
+          expect(resp.status).toBe(200);
+          const body = (await resp.json()) as { token: string };
+          const validated = await validateAccessToken(db, body.token, ISSUER);
+          expect(validated.payload.aud).toBe("vault.work");
+          expect(validated.payload.scope).toBe("vault:work:write");
+          expect(validated.payload.vault_scope).toEqual(["work"]);
+        } finally {
+          db.close();
+        }
+      } finally {
+        h.cleanup();
+      }
+    });
+
+    test("mints vault:work:read → 200", async () => {
+      const h = makeHarness();
+      try {
+        const { db, userId } = await bootstrap(h.dir);
+        try {
+          const bearer = await mintVaultAdminBearer(db, userId, "work");
+          const resp = await handleApiMintToken(
+            jsonRequest({ scope: "vault:work:read" }, { authorization: `Bearer ${bearer}` }),
+            { db, issuer: ISSUER },
+          );
+          expect(resp.status).toBe(200);
+          const body = (await resp.json()) as { token: string };
+          const validated = await validateAccessToken(db, body.token, ISSUER);
+          expect(validated.payload.vault_scope).toEqual(["work"]);
+        } finally {
+          db.close();
+        }
+      } finally {
+        h.cleanup();
+      }
+    });
+
+    test("mints vault:work:admin → 200 (same-level allowed)", async () => {
+      const h = makeHarness();
+      try {
+        const { db, userId } = await bootstrap(h.dir);
+        try {
+          const bearer = await mintVaultAdminBearer(db, userId, "work");
+          const resp = await handleApiMintToken(
+            jsonRequest({ scope: "vault:work:admin" }, { authorization: `Bearer ${bearer}` }),
+            { db, issuer: ISSUER },
+          );
+          expect(resp.status).toBe(200);
+          const body = (await resp.json()) as { token: string };
+          const validated = await validateAccessToken(db, body.token, ISSUER);
+          expect(validated.payload.aud).toBe("vault.work");
+          expect(validated.payload.scope).toBe("vault:work:admin");
+          expect(validated.payload.vault_scope).toEqual(["work"]);
+        } finally {
+          db.close();
+        }
+      } finally {
+        h.cleanup();
+      }
+    });
+
+    // THE CRUX: cross-vault is the security boundary. A work-admin bearer
+    // MUST NOT be able to mint authority over any other vault.
+    test("mints vault:other:write → 400 (cross-vault BLOCKED)", async () => {
+      const h = makeHarness();
+      try {
+        const { db, userId } = await bootstrap(h.dir);
+        try {
+          const bearer = await mintVaultAdminBearer(db, userId, "work");
+          const resp = await handleApiMintToken(
+            jsonRequest({ scope: "vault:other:write" }, { authorization: `Bearer ${bearer}` }),
+            { db, issuer: ISSUER },
+          );
+          expect(resp.status).toBe(400);
+          const body = (await resp.json()) as { error: string; error_description: string };
+          expect(body.error).toBe("invalid_scope");
+          expect(body.error_description).toContain("vault:other:write");
+        } finally {
+          db.close();
+        }
+      } finally {
+        h.cleanup();
+      }
+    });
+
+    test("mints vault:other:admin → 400 (cross-vault BLOCKED)", async () => {
+      const h = makeHarness();
+      try {
+        const { db, userId } = await bootstrap(h.dir);
+        try {
+          const bearer = await mintVaultAdminBearer(db, userId, "work");
+          const resp = await handleApiMintToken(
+            jsonRequest({ scope: "vault:other:admin" }, { authorization: `Bearer ${bearer}` }),
+            { db, issuer: ISSUER },
+          );
+          expect(resp.status).toBe(400);
+          const body = (await resp.json()) as { error: string };
+          expect(body.error).toBe("invalid_scope");
+        } finally {
+          db.close();
+        }
+      } finally {
+        h.cleanup();
+      }
+    });
+
+    test("mints parachute:host:auth → 400 (no escalation to host authority)", async () => {
+      const h = makeHarness();
+      try {
+        const { db, userId } = await bootstrap(h.dir);
+        try {
+          const bearer = await mintVaultAdminBearer(db, userId, "work");
+          const resp = await handleApiMintToken(
+            jsonRequest({ scope: "parachute:host:auth" }, { authorization: `Bearer ${bearer}` }),
+            { db, issuer: ISSUER },
+          );
+          expect(resp.status).toBe(400);
+          const body = (await resp.json()) as { error: string };
+          expect(body.error).toBe("invalid_scope");
+        } finally {
+          db.close();
+        }
+      } finally {
+        h.cleanup();
+      }
+    });
+
+    test("mints parachute:host:admin → 400 (no escalation to host authority)", async () => {
+      const h = makeHarness();
+      try {
+        const { db, userId } = await bootstrap(h.dir);
+        try {
+          const bearer = await mintVaultAdminBearer(db, userId, "work");
+          const resp = await handleApiMintToken(
+            jsonRequest({ scope: "parachute:host:admin" }, { authorization: `Bearer ${bearer}` }),
+            { db, issuer: ISSUER },
+          );
+          expect(resp.status).toBe(400);
+          const body = (await resp.json()) as { error: string };
+          expect(body.error).toBe("invalid_scope");
+        } finally {
+          db.close();
+        }
+      } finally {
+        h.cleanup();
+      }
+    });
+
+    // No host:auth, and scribe:transcribe is not a vault:work scope → blocked.
+    test("mints scribe:transcribe → 400 (not a vault:work scope, no host:auth)", async () => {
+      const h = makeHarness();
+      try {
+        const { db, userId } = await bootstrap(h.dir);
+        try {
+          const bearer = await mintVaultAdminBearer(db, userId, "work");
+          const resp = await handleApiMintToken(
+            jsonRequest({ scope: "scribe:transcribe" }, { authorization: `Bearer ${bearer}` }),
+            { db, issuer: ISSUER },
+          );
+          expect(resp.status).toBe(400);
+          const body = (await resp.json()) as { error: string };
+          expect(body.error).toBe("invalid_scope");
+        } finally {
+          db.close();
+        }
+      } finally {
+        h.cleanup();
+      }
+    });
+
+    test("multi-scope vault:work:read vault:work:write → 200, vault_scope=[work]", async () => {
+      const h = makeHarness();
+      try {
+        const { db, userId } = await bootstrap(h.dir);
+        try {
+          const bearer = await mintVaultAdminBearer(db, userId, "work");
+          const resp = await handleApiMintToken(
+            jsonRequest(
+              { scope: "vault:work:read vault:work:write" },
+              { authorization: `Bearer ${bearer}` },
+            ),
+            { db, issuer: ISSUER },
+          );
+          expect(resp.status).toBe(200);
+          const body = (await resp.json()) as { token: string };
+          const validated = await validateAccessToken(db, body.token, ISSUER);
+          expect(validated.payload.vault_scope).toEqual(["work"]);
+        } finally {
+          db.close();
+        }
+      } finally {
+        h.cleanup();
+      }
+    });
+
+    // Realistic headless-runner shape: a bearer holding admin over MULTIPLE
+    // vaults composes rule 3 across them. Minting same-vault subsets of both
+    // succeeds; vault_scope collects every authorized vault name (order-
+    // insensitive). aud is first-wins (vault.work), which is fine — a
+    // multi-vault token only authenticates against its single aud, the pin is
+    // defense-in-depth.
+    test("multi-vault-admin bearer mints vault:work:read vault:other:read → 200, vault_scope=[work,other]", async () => {
+      const h = makeHarness();
+      try {
+        const { db, userId } = await bootstrap(h.dir);
+        try {
+          const bearer = await signAccessToken(db, {
+            sub: userId,
+            scopes: ["vault:work:admin", "vault:other:admin"],
+            audience: "vault.work",
+            clientId: "parachute-hub",
+            issuer: ISSUER,
+            ttlSeconds: 3600,
+            vaultScope: ["work", "other"],
+          });
+          const resp = await handleApiMintToken(
+            jsonRequest(
+              { scope: "vault:work:read vault:other:read" },
+              { authorization: `Bearer ${bearer.token}` },
+            ),
+            { db, issuer: ISSUER },
+          );
+          expect(resp.status).toBe(200);
+          const body = (await resp.json()) as { token: string };
+          const validated = await validateAccessToken(db, body.token, ISSUER);
+          expect(validated.payload.aud).toBe("vault.work");
+          const pin = validated.payload.vault_scope as string[];
+          expect(pin).toContain("work");
+          expect(pin).toContain("other");
+          expect(pin).toHaveLength(2);
+        } finally {
+          db.close();
+        }
+      } finally {
+        h.cleanup();
+      }
+    });
+
+    // One blocked scope rejects the whole request (no partial mint).
+    test("multi-scope vault:work:read vault:other:read → 400 (one blocked → all rejected)", async () => {
+      const h = makeHarness();
+      try {
+        const { db, userId } = await bootstrap(h.dir);
+        try {
+          const bearer = await mintVaultAdminBearer(db, userId, "work");
+          const resp = await handleApiMintToken(
+            jsonRequest(
+              { scope: "vault:work:read vault:other:read" },
+              { authorization: `Bearer ${bearer}` },
+            ),
+            { db, issuer: ISSUER },
+          );
+          expect(resp.status).toBe(400);
+          const body = (await resp.json()) as { error: string; error_description: string };
+          expect(body.error).toBe("invalid_scope");
+          expect(body.error_description).toContain("vault:other:read");
+        } finally {
+          db.close();
+        }
+      } finally {
+        h.cleanup();
+      }
+    });
+  });
+
+  describe("capability attenuation — entry gate + regression", () => {
+    test("host:auth-only bearer mints vault:work:read → 200 (rule 1, preserved)", async () => {
+      const h = makeHarness();
+      try {
+        const { db, userId } = await bootstrap(h.dir);
+        try {
+          const op = await mintOperatorToken(db, userId, { issuer: ISSUER, scopeSet: "auth" });
+          const resp = await handleApiMintToken(
+            jsonRequest({ scope: "vault:work:read" }, { authorization: `Bearer ${op.token}` }),
+            { db, issuer: ISSUER },
+          );
+          expect(resp.status).toBe(200);
+          const body = (await resp.json()) as { token: string };
+          const validated = await validateAccessToken(db, body.token, ISSUER);
+          // Pure host:auth requestable mint → no vault pin.
+          expect(validated.payload.vault_scope).toEqual([]);
+        } finally {
+          db.close();
+        }
+      } finally {
+        h.cleanup();
+      }
+    });
+
+    test("host:auth-only bearer mints vault:work:admin → 400 (rule 1 doesn't cover admin)", async () => {
+      const h = makeHarness();
+      try {
+        const { db, userId } = await bootstrap(h.dir);
+        try {
+          const op = await mintOperatorToken(db, userId, { issuer: ISSUER, scopeSet: "auth" });
+          const resp = await handleApiMintToken(
+            jsonRequest({ scope: "vault:work:admin" }, { authorization: `Bearer ${op.token}` }),
+            { db, issuer: ISSUER },
+          );
+          expect(resp.status).toBe(400);
+          const body = (await resp.json()) as { error: string };
+          expect(body.error).toBe("invalid_scope");
+        } finally {
+          db.close();
+        }
+      } finally {
+        h.cleanup();
+      }
+    });
+
+    test("host:admin bearer mints vault:work:admin → 200 (rule 2, PR-A preserved)", async () => {
+      const h = makeHarness();
+      try {
+        const { db, userId } = await bootstrap(h.dir);
+        try {
+          const op = await mintOperatorToken(db, userId, { issuer: ISSUER });
+          const resp = await handleApiMintToken(
+            jsonRequest({ scope: "vault:work:admin" }, { authorization: `Bearer ${op.token}` }),
+            { db, issuer: ISSUER },
+          );
+          expect(resp.status).toBe(200);
+          const body = (await resp.json()) as { token: string };
+          const validated = await validateAccessToken(db, body.token, ISSUER);
+          expect(validated.payload.aud).toBe("vault.work");
+          expect(validated.payload.vault_scope).toEqual(["work"]);
+        } finally {
+          db.close();
+        }
+      } finally {
+        h.cleanup();
+      }
+    });
+
+    // Entry gate: a bearer with no host:* and no vault-admin holds no minting
+    // authority → 403 before any per-scope check.
+    test("403 entry gate when bearer holds no minting authority", async () => {
+      const h = makeHarness();
+      try {
+        const { db, userId } = await bootstrap(h.dir);
+        try {
+          const noAuthority = await signAccessToken(db, {
+            sub: userId,
+            scopes: ["hub:admin", "scribe:transcribe"],
+            audience: "hub",
+            clientId: "parachute-hub",
+            issuer: ISSUER,
+            ttlSeconds: 3600,
+          });
+          const resp = await handleApiMintToken(
+            jsonRequest(
+              { scope: "vault:work:read" },
+              { authorization: `Bearer ${noAuthority.token}` },
+            ),
+            { db, issuer: ISSUER },
+          );
+          expect(resp.status).toBe(403);
+          const body = (await resp.json()) as { error: string };
+          expect(body.error).toBe("insufficient_scope");
+        } finally {
+          db.close();
+        }
+      } finally {
+        h.cleanup();
+      }
+    });
+
+    // A read-only token used AS A BEARER is not minting authority → 403.
+    test("403 entry gate when bearer is a vault:work:read token (read is not minting authority)", async () => {
+      const h = makeHarness();
+      try {
+        const { db, userId } = await bootstrap(h.dir);
+        try {
+          const readOnly = await signAccessToken(db, {
+            sub: userId,
+            scopes: ["vault:work:read"],
+            audience: "vault.work",
+            clientId: "parachute-hub",
+            issuer: ISSUER,
+            ttlSeconds: 3600,
+            vaultScope: ["work"],
+          });
+          const resp = await handleApiMintToken(
+            jsonRequest(
+              { scope: "vault:work:read" },
+              { authorization: `Bearer ${readOnly.token}` },
+            ),
+            { db, issuer: ISSUER },
+          );
+          expect(resp.status).toBe(403);
+          const body = (await resp.json()) as { error: string };
+          expect(body.error).toBe("insufficient_scope");
+        } finally {
+          db.close();
+        }
+      } finally {
+        h.cleanup();
+      }
+    });
+  });
+
+  // ── Malformed vault-shaped scope guard (defensive hygiene, audit 2026-05-28) ──
+  //
+  // A `parachute:host:auth` bearer can craft scope strings that LOOK like a
+  // named per-vault scope but slip past `isNonRequestableScope`'s strict
+  // regexes, so `canGrant` rule 1 would admit them as "requestable" and mint a
+  // junk registry row. They grant zero access today (the vault consumer rejects
+  // them), so this isn't exploitable now — the mint-time shape check is a
+  // backstop against a future consumer-normalization regression + registry
+  // hygiene. It's an input-shape check, orthogonal to authority.
+  describe("malformed vault-shaped scope rejection", () => {
+    const MALFORMED = [
+      "vault:work:ADMIN", // uppercase verb
+      "vault::admin", // empty name
+      "vault:work:read:admin", // extra segment
+      "VAULT:work:admin", // uppercase resource
+    ];
+
+    for (const scope of MALFORMED) {
+      test(`host:auth bearer minting ${scope} → 400 invalid_scope (malformed)`, async () => {
+        const h = makeHarness();
+        try {
+          const { db, userId } = await bootstrap(h.dir);
+          try {
+            const op = await mintOperatorToken(db, userId, { issuer: ISSUER });
+            const resp = await handleApiMintToken(
+              jsonRequest({ scope }, { authorization: `Bearer ${op.token}` }),
+              { db, issuer: ISSUER },
+            );
+            expect(resp.status).toBe(400);
+            const body = (await resp.json()) as { error: string; error_description: string };
+            expect(body.error).toBe("invalid_scope");
+            expect(body.error_description).toContain("malformed vault scope");
+            expect(body.error_description).toContain(scope);
+            // No junk registry row written — the request was rejected before
+            // mint. The only `cli_mint` provenance comes from this endpoint;
+            // the operator bearer's own row is `operator` provenance, so a
+            // count of zero proves the malformed mint never landed.
+            const row = db
+              .query<{ n: number }, []>(
+                "SELECT COUNT(*) AS n FROM tokens WHERE created_via = 'cli_mint'",
+              )
+              .get();
+            expect(row?.n ?? 0).toBe(0);
+          } finally {
+            db.close();
+          }
+        } finally {
+          h.cleanup();
+        }
+      });
+    }
+
+    // Regression: well-formed named scopes still mint (host:auth → read/write
+    // via rule 1; host:admin → admin via rule 2). The guard is shape-only.
+    test("host:auth bearer minting vault:work:read → 200 (well-formed, regression)", async () => {
+      const h = makeHarness();
+      try {
+        const { db, userId } = await bootstrap(h.dir);
+        try {
+          const op = await mintOperatorToken(db, userId, { issuer: ISSUER, scopeSet: "auth" });
+          const resp = await handleApiMintToken(
+            jsonRequest({ scope: "vault:work:read" }, { authorization: `Bearer ${op.token}` }),
+            { db, issuer: ISSUER },
+          );
+          expect(resp.status).toBe(200);
+          const body = (await resp.json()) as { scope: string };
+          expect(body.scope).toBe("vault:work:read");
+        } finally {
+          db.close();
+        }
+      } finally {
+        h.cleanup();
+      }
+    });
+
+    test("host:auth bearer minting vault:work:write → 200 (well-formed, regression)", async () => {
+      const h = makeHarness();
+      try {
+        const { db, userId } = await bootstrap(h.dir);
+        try {
+          const op = await mintOperatorToken(db, userId, { issuer: ISSUER, scopeSet: "auth" });
+          const resp = await handleApiMintToken(
+            jsonRequest({ scope: "vault:work:write" }, { authorization: `Bearer ${op.token}` }),
+            { db, issuer: ISSUER },
+          );
+          expect(resp.status).toBe(200);
+          const body = (await resp.json()) as { scope: string };
+          expect(body.scope).toBe("vault:work:write");
+        } finally {
+          db.close();
+        }
+      } finally {
+        h.cleanup();
+      }
+    });
+
+    test("host:admin bearer minting vault:work:admin → 200 (well-formed, attenuation path)", async () => {
+      const h = makeHarness();
+      try {
+        const { db, userId } = await bootstrap(h.dir);
+        try {
+          const op = await mintOperatorToken(db, userId, { issuer: ISSUER });
+          const resp = await handleApiMintToken(
+            jsonRequest({ scope: "vault:work:admin" }, { authorization: `Bearer ${op.token}` }),
+            { db, issuer: ISSUER },
+          );
+          expect(resp.status).toBe(200);
+          const body = (await resp.json()) as { scope: string };
+          expect(body.scope).toBe("vault:work:admin");
+        } finally {
+          db.close();
+        }
+      } finally {
+        h.cleanup();
+      }
+    });
+
+    // The existing non-requestable behaviour is unchanged: a host:auth-only
+    // bearer minting the well-formed `vault:work:admin` is still 400 (rule 1
+    // doesn't cover admin) — this path is reached AFTER the shape guard passes.
+    test("host:auth-only bearer minting vault:work:admin → 400 (non-requestable, unchanged)", async () => {
+      const h = makeHarness();
+      try {
+        const { db, userId } = await bootstrap(h.dir);
+        try {
+          const op = await mintOperatorToken(db, userId, { issuer: ISSUER, scopeSet: "auth" });
+          const resp = await handleApiMintToken(
+            jsonRequest({ scope: "vault:work:admin" }, { authorization: `Bearer ${op.token}` }),
+            { db, issuer: ISSUER },
+          );
+          expect(resp.status).toBe(400);
+          const body = (await resp.json()) as { error: string; error_description: string };
+          expect(body.error).toBe("invalid_scope");
+          // Not the malformed-shape message — it cleared the shape guard.
+          expect(body.error_description).toContain("not grantable");
+        } finally {
+          db.close();
+        }
+      } finally {
+        h.cleanup();
+      }
+    });
+
+    // Non-vault scopes are entirely unaffected by the shape guard.
+    test("host:auth bearer minting scribe:transcribe → 200 (non-vault, unaffected)", async () => {
+      const h = makeHarness();
+      try {
+        const { db, userId } = await bootstrap(h.dir);
+        try {
+          const op = await mintOperatorToken(db, userId, { issuer: ISSUER, scopeSet: "auth" });
+          const resp = await handleApiMintToken(
+            jsonRequest({ scope: "scribe:transcribe" }, { authorization: `Bearer ${op.token}` }),
+            { db, issuer: ISSUER },
+          );
+          expect(resp.status).toBe(200);
+          const body = (await resp.json()) as { scope: string };
+          expect(body.scope).toBe("scribe:transcribe");
+        } finally {
+          db.close();
+        }
+      } finally {
+        h.cleanup();
+      }
+    });
+  });
+
   test("405 on non-POST", async () => {
     const h = makeHarness();
     try {