@openparachute/hub 0.5.13 → 0.5.14-rc.10

package/src/__tests__/api-modules-config.test.ts

@@ -23,6 +23,7 @@ import { mkdtempSync, rmSync, writeFileSync } from "node:fs";
 import { tmpdir } from "node:os";
 import { join } from "node:path";
 import { decodeJwt } from "jose";
+import type { CuratedModuleShort } from "../api-modules.ts";
 import {
   API_MODULES_CONFIG_REQUIRED_SCOPE,
   MODULE_CONFIG_PROXY_CLIENT_ID,
@@ -152,14 +153,19 @@ describe("parseModulesConfigPath", () => {
     });
   });
 
-  test("matches vault and notes (curated modules)", () => {
+  test("matches vault and scribe (curated modules)", () => {
     expect(parseModulesConfigPath("/api/modules/vault/config")?.short).toBe("vault");
-    expect(parseModulesConfigPath("/api/modules/notes/config/schema")?.short).toBe("notes");
+    expect(parseModulesConfigPath("/api/modules/scribe/config/schema")?.short).toBe("scribe");
   });
 
   test("rejects unknown short (non-curated)", () => {
     expect(parseModulesConfigPath("/api/modules/unknown/config")).toBeUndefined();
     expect(parseModulesConfigPath("/api/modules/channel/config")).toBeUndefined();
+    // Curated list trimmed 2026-05-27: notes / runner / surface are no
+    // longer curated and reject at the parse boundary.
+    expect(parseModulesConfigPath("/api/modules/notes/config")).toBeUndefined();
+    expect(parseModulesConfigPath("/api/modules/runner/config")).toBeUndefined();
+    expect(parseModulesConfigPath("/api/modules/surface/config")).toBeUndefined();
   });
 
   test("rejects non-config suffix shapes", () => {
@@ -302,7 +308,7 @@ describe("handleApiModulesConfig — FALLBACK retirement (hub#310)", () => {
       makeReq("/api/modules/runner/config/schema", {
         headers: { authorization: `Bearer ${bearer}` },
       }),
-      { short: "runner", suffix: "schema" },
+      { short: "runner" as CuratedModuleShort, suffix: "schema" },
       { db: h.db, issuer: ISSUER, manifestPath: h.manifestPath },
     );
     expect(res.status).toBe(404);
@@ -365,7 +371,7 @@ describe("handleApiModulesConfig — FALLBACK retirement (hub#310)", () => {
       makeReq("/api/modules/runner/config/schema", {
         headers: { authorization: `Bearer ${bearer}` },
       }),
-      { short: "runner", suffix: "schema" },
+      { short: "runner" as CuratedModuleShort, suffix: "schema" },
       {
         db: h.db,
         issuer: ISSUER,
@@ -614,7 +620,7 @@ describe("handleApiModulesConfig — stripPrefix=false (notes-shape)", () => {
       makeReq("/api/modules/notes/config/schema", {
         headers: { authorization: `Bearer ${bearer}` },
       }),
-      { short: "notes", suffix: "schema" },
+      { short: "notes" as CuratedModuleShort, suffix: "schema" },
       {
         db: h.db,
         issuer: ISSUER,
@@ -668,7 +674,7 @@ describe("handleApiModulesConfig — hostsBareParachute (hub#307)", () => {
       makeReq("/api/modules/runner/config/schema", {
         headers: { authorization: `Bearer ${bearer}` },
       }),
-      { short: "runner", suffix: "schema" },
+      { short: "runner" as CuratedModuleShort, suffix: "schema" },
       {
         db: h.db,
         issuer: ISSUER,
@@ -700,7 +706,7 @@ describe("handleApiModulesConfig — hostsBareParachute (hub#307)", () => {
       makeReq("/api/modules/runner/config", {
         headers: { authorization: `Bearer ${bearer}` },
       }),
-      { short: "runner", suffix: "" },
+      { short: "runner" as CuratedModuleShort, suffix: "" },
       {
         db: h.db,
         issuer: ISSUER,
@@ -733,7 +739,7 @@ describe("handleApiModulesConfig — hostsBareParachute (hub#307)", () => {
         },
         body: JSON.stringify({ intervalSeconds: 120 }),
       }),
-      { short: "runner", suffix: "" },
+      { short: "runner" as CuratedModuleShort, suffix: "" },
       {
         db: h.db,
         issuer: ISSUER,
@@ -760,7 +766,7 @@ describe("handleApiModulesConfig — hostsBareParachute (hub#307)", () => {
       makeReq("/api/modules/runner/config", {
         headers: { authorization: `Bearer ${bearer}` },
       }),
-      { short: "runner", suffix: "" },
+      { short: "runner" as CuratedModuleShort, suffix: "" },
       {
         db: h.db,
         issuer: ISSUER,
@@ -863,7 +869,7 @@ describe("handleApiModulesConfig — hostsBareParachute (hub#307)", () => {
       makeReq("/api/modules/runner/config/schema", {
         headers: { authorization: `Bearer ${bearer}` },
       }),
-      { short: "runner", suffix: "schema" },
+      { short: "runner" as CuratedModuleShort, suffix: "schema" },
       {
         db: h.db,
         issuer: ISSUER,

package/src/__tests__/api-modules-ops.test.ts

@@ -126,6 +126,19 @@ function alwaysOkRun(): {
   };
 }
 
+/**
+ * Test default for `isLinked`: assume the package is NOT bun-linked so
+ * `runInstall` exercises the `bun add -g` path (which the stubbed runner
+ * captures into `calls`). The production default at
+ * `src/bun-link.ts` reads the contributor's real `~/.bun/install/global/`
+ * symlinks; on Aaron's machine vault/scribe/notes/hub are all linked
+ * (the canonical local-dev shape — smoke 2026-05-27 finding 1 caps the
+ * fix). Tests asserting "bun add WAS called" must opt out of that leakage
+ * by passing this stub. Tests specifically exercising the skip path use
+ * an inline `isLinked: () => true` or a per-pkg discriminator.
+ */
+const TEST_DEFAULT_NOT_LINKED = (_pkg: string): boolean => false;
+
 describe("parseModulesPath", () => {
   test("recognizes curated short + action", () => {
     expect(parseModulesPath("/api/modules/vault/install")).toEqual({
@@ -231,6 +244,7 @@ describe("POST /api/modules/:short/install", () => {
         configDir: h.dir,
         supervisor,
         run,
+        isLinked: TEST_DEFAULT_NOT_LINKED,
       },
     );
     expect(res.status).toBe(202);
@@ -280,6 +294,7 @@ describe("POST /api/modules/:short/install", () => {
         configDir: h.dir,
         supervisor,
         run,
+        isLinked: TEST_DEFAULT_NOT_LINKED,
       },
     );
     expect(res.status).toBe(202);
@@ -301,6 +316,7 @@ describe("POST /api/modules/:short/install", () => {
         configDir: h.dir,
         supervisor,
         run,
+        isLinked: TEST_DEFAULT_NOT_LINKED,
       },
     );
     const op = (await opRes.json()) as { status: string };
@@ -324,6 +340,7 @@ describe("POST /api/modules/:short/install", () => {
         configDir: h.dir,
         supervisor,
         run,
+        isLinked: TEST_DEFAULT_NOT_LINKED,
       },
     );
     expect(res.status).toBe(202);
@@ -348,6 +365,7 @@ describe("POST /api/modules/:short/install", () => {
         configDir: h.dir,
         supervisor,
         run,
+        isLinked: TEST_DEFAULT_NOT_LINKED,
       },
     );
     await new Promise((r) => setTimeout(r, 10));
@@ -379,6 +397,7 @@ describe("POST /api/modules/:short/install", () => {
         configDir: h.dir,
         supervisor,
         run,
+        isLinked: TEST_DEFAULT_NOT_LINKED,
       },
     );
     expect(res.status).toBe(202);
@@ -406,6 +425,7 @@ describe("POST /api/modules/:short/install", () => {
         configDir: h.dir,
         supervisor,
         run,
+        isLinked: TEST_DEFAULT_NOT_LINKED,
       },
     );
     await new Promise((r) => setTimeout(r, 10));
@@ -433,6 +453,7 @@ describe("POST /api/modules/:short/install", () => {
         configDir: h.dir,
         supervisor,
         run,
+        isLinked: TEST_DEFAULT_NOT_LINKED,
       },
     );
     expect(res.status).toBe(400);
@@ -458,6 +479,7 @@ describe("POST /api/modules/:short/install", () => {
         configDir: h.dir,
         supervisor,
         run,
+        isLinked: TEST_DEFAULT_NOT_LINKED,
       },
     );
     await new Promise((r) => setTimeout(r, 10));
@@ -487,6 +509,7 @@ describe("POST /api/modules/:short/install", () => {
           configDir: h.dir,
           supervisor,
           run,
+          isLinked: TEST_DEFAULT_NOT_LINKED,
         },
       );
       await new Promise((r) => setTimeout(r, 10));
@@ -524,6 +547,7 @@ describe("POST /api/modules/:short/install", () => {
           configDir: h.dir,
           supervisor,
           run,
+          isLinked: TEST_DEFAULT_NOT_LINKED,
         },
       );
       await new Promise((r) => setTimeout(r, 10));
@@ -557,6 +581,7 @@ describe("POST /api/modules/:short/install", () => {
           configDir: h.dir,
           supervisor,
           run,
+          isLinked: TEST_DEFAULT_NOT_LINKED,
         },
       );
       expect(res.status).toBe(202);
@@ -583,6 +608,7 @@ describe("POST /api/modules/:short/install", () => {
       supervisor,
       run: async () => 1,
       findGlobalInstall: () => null,
+      isLinked: TEST_DEFAULT_NOT_LINKED,
     };
     const res = await handleInstall(
       postReq("/api/modules/vault/install", { authorization: `Bearer ${bearer}` }),
@@ -602,6 +628,71 @@ describe("POST /api/modules/:short/install", () => {
     expect(op.status).toBe("failed");
     expect(op.error).toMatch(/bun add -g exited 1/);
   });
+
+  test("skips bun add -g when package is already bun-linked (smoke 2026-05-27 finding 1)", async () => {
+    // Smoke finding 1: the wizard's parallel install path was unconditionally
+    // invoking `bun add -g <pkg>` even when the package was already linked
+    // via `bun link <abspath>` (the standard local-dev shape). At best a
+    // wasted ~3s npm round-trip per install; at worst the global bun.lock
+    // had unrelated noise and the install failed outright, taking the
+    // wizard's vault step with it. Fix: mirror the CLI install path's
+    // `isLinked` short-circuit. Regression guard.
+    const { supervisor, spawns } = makeIdleSupervisor();
+    const { run, calls } = alwaysOkRun();
+    const bearer = await mintBearer(h, [API_MODULES_OPS_REQUIRED_SCOPE]);
+    const res = await handleInstall(
+      postReq("/api/modules/vault/install", { authorization: `Bearer ${bearer}` }),
+      "vault",
+      {
+        db: h.db,
+        issuer: ISSUER,
+        manifestPath: h.manifestPath,
+        configDir: h.dir,
+        supervisor,
+        run,
+        // The bug shape: package IS linked locally. Without the
+        // short-circuit, runInstall would still call bun add -g.
+        isLinked: (pkg) => pkg === "@openparachute/vault",
+      },
+    );
+    expect(res.status).toBe(202);
+    await new Promise((r) => setTimeout(r, 10));
+
+    // The fix: bun add -g was NOT invoked for the linked package.
+    expect(calls).not.toContainEqual(["bun", "add", "-g", "@openparachute/vault@latest"]);
+    // Downstream of the skip, the seed + spawn still happen — the install
+    // op completes successfully against the locally-linked checkout.
+    const manifest = JSON.parse(readFileSync(h.manifestPath, "utf8")) as {
+      services: Array<{ name: string }>;
+    };
+    expect(manifest.services.some((s) => s.name === "parachute-vault")).toBe(true);
+    expect(spawns.find((s) => s.short === "vault")?.cmd).toEqual(["parachute-vault", "serve"]);
+  });
+
+  test("still runs bun add -g when package is NOT bun-linked", async () => {
+    // Companion to the above — confirms the short-circuit doesn't
+    // unconditionally skip. On a friend's fresh machine (no bun link),
+    // bun add -g IS what installs the package from npm. `isLinked: () => false`
+    // is the production default behavior for a non-linked package.
+    const { supervisor } = makeIdleSupervisor();
+    const { run, calls } = alwaysOkRun();
+    const bearer = await mintBearer(h, [API_MODULES_OPS_REQUIRED_SCOPE]);
+    await handleInstall(
+      postReq("/api/modules/vault/install", { authorization: `Bearer ${bearer}` }),
+      "vault",
+      {
+        db: h.db,
+        issuer: ISSUER,
+        manifestPath: h.manifestPath,
+        configDir: h.dir,
+        supervisor,
+        run,
+        isLinked: () => false,
+      },
+    );
+    await new Promise((r) => setTimeout(r, 10));
+    expect(calls).toContainEqual(["bun", "add", "-g", "@openparachute/vault@latest"]);
+  });
 });
 
 describe("POST /api/modules/:short/restart", () => {
@@ -682,6 +773,7 @@ describe("POST /api/modules/:short/upgrade", () => {
         configDir: h.dir,
         supervisor,
         run,
+        isLinked: TEST_DEFAULT_NOT_LINKED,
       },
     );
     expect(res.status).toBe(202);
@@ -706,6 +798,7 @@ describe("POST /api/modules/:short/upgrade", () => {
         configDir: h.dir,
         supervisor,
         run,
+        isLinked: TEST_DEFAULT_NOT_LINKED,
       },
     );
     expect(res.status).toBe(202);
@@ -736,6 +829,7 @@ describe("POST /api/modules/:short/upgrade", () => {
           configDir: h.dir,
           supervisor,
           run,
+          isLinked: TEST_DEFAULT_NOT_LINKED,
         },
       );
       await new Promise((r) => setTimeout(r, 10));
@@ -846,6 +940,7 @@ describe("POST /api/modules/:short/uninstall", () => {
         configDir: h.dir,
         supervisor,
         run,
+        isLinked: TEST_DEFAULT_NOT_LINKED,
       },
     );
     expect(res.status).toBe(200);
@@ -878,6 +973,7 @@ describe("POST /api/modules/:short/uninstall", () => {
         configDir: h.dir,
         supervisor,
         run,
+        isLinked: TEST_DEFAULT_NOT_LINKED,
       },
     );
     expect(res.status).toBe(200);
@@ -1099,6 +1195,7 @@ describe("well-known regen after module ops", () => {
       supervisor,
       run: async () => 1,
       findGlobalInstall: () => null,
+      isLinked: TEST_DEFAULT_NOT_LINKED,
       wellKnownPath: wkPath,
     };
     const res = await handleInstall(

package/src/__tests__/api-modules.test.ts

@@ -149,10 +149,12 @@ describe("GET /api/modules", () => {
 
   test("200 + curated list on fresh container (empty services.json)", async () => {
     // The v0.6 hot path: brand-new Render container, no services.json
-    // yet. UI must render "install vault / app / notes / scribe / runner"
-    // cards even though nothing's installed. hub#323 inserted `app` between
-    // `vault` and `notes` — app auto-bootstraps notes-ui as a sub-unit;
-    // `notes` (notes-daemon) stays curated for back-compat install paths.
+    // yet. UI must render "install vault / scribe" cards even though
+    // nothing's installed. Trimmed 2026-05-27 (Aaron-directed launch
+    // focus): notes (notes-daemon), surface (host module), and runner
+    // (experimental) are no longer curated — notes.parachute.computer
+    // is the hosted PWA, surface-client is the library for custom UI
+    // builders, and runner isn't in the launch focus set.
     const bearer = await mintBearer(h, [API_MODULES_REQUIRED_SCOPE]);
     const res = await handleApiModules(getReq({ authorization: `Bearer ${bearer}` }), {
       db: h.db,
@@ -170,8 +172,10 @@ describe("GET /api/modules", () => {
       }>;
       supervisor_available: boolean;
     };
-    // Curated order is preserved: vault → app → notes → scribe → runner.
-    expect(body.modules.map((m) => m.short)).toEqual(["vault", "app", "notes", "scribe", "runner"]);
+    // Curated order is preserved: vault → scribe (vault first per the
+    // recommended install order — the wizard's vault step already runs
+    // before this catalog surfaces).
+    expect(body.modules.map((m) => m.short)).toEqual(["vault", "scribe"]);
     expect(body.modules.every((m) => m.available)).toBe(true);
     expect(body.modules.every((m) => !m.installed)).toBe(true);
     expect(body.modules.every((m) => m.latest_version === "0.9.9")).toBe(true);
@@ -179,18 +183,25 @@ describe("GET /api/modules", () => {
     expect(body.supervisor_available).toBe(false);
   });
 
-  test("app row carries package + display props from KNOWN_MODULES (#323)", async () => {
-    // hub#323 added app to CURATED_MODULES + KNOWN_MODULES so the admin SPA
-    // install catalog + setup-wizard install tile surface it. Spot-check the
-    // wire shape resolves app-specific fields (package, displayName, tagline)
-    // from KNOWN_MODULES rather than a stale default — same shape as the
-    // runner row test below.
+  test("scribe row carries package + display props from KNOWN_MODULES", async () => {
+    // Spot-check the wire shape resolves scribe-specific fields
+    // (package, displayName, tagline) from KNOWN_MODULES rather than a
+    // stale default. Vault is exercised via the install-state test below;
+    // this pins the other curated row's KNOWN_MODULES round-trip.
+    //
+    // Pre-2026-05-27 this test pinned the `surface` row (added by
+    // hub#323), and a sibling pinned the `runner` FIRST_PARTY_FALLBACKS
+    // row (hub#305). Both modules retired from CURATED_MODULES — the
+    // FIRST_PARTY_FALLBACKS / KNOWN_MODULES entries persist for the
+    // install-bootstrap path but `/api/modules` doesn't return them.
+    // The "uncurated modules don't surface here" test below pins that
+    // boundary.
     const bearer = await mintBearer(h, [API_MODULES_REQUIRED_SCOPE]);
     const res = await handleApiModules(getReq({ authorization: `Bearer ${bearer}` }), {
       db: h.db,
       issuer: ISSUER,
       manifestPath: h.manifestPath,
-      fetchLatestVersion: async () => "0.2.0",
+      fetchLatestVersion: async () => "0.4.4",
     });
     expect(res.status).toBe(200);
     const body = (await res.json()) as {
@@ -202,42 +213,41 @@ describe("GET /api/modules", () => {
         available: boolean;
       }>;
     };
-    const app = body.modules.find((m) => m.short === "app");
-    expect(app).toBeDefined();
-    expect(app?.package).toBe("@openparachute/app");
-    expect(app?.display_name).toBe("App");
-    expect(app?.tagline).toContain("auto-installs Notes");
-    expect(app?.available).toBe(true);
-  });
-
-  test("runner row carries package + display props from FIRST_PARTY_FALLBACKS (#305)", async () => {
-    // hub#305 added runner to CURATED_MODULES + FIRST_PARTY_FALLBACKS so
-    // the admin SPA install catalog surfaces it. Spot-check the wire
-    // shape resolves the runner-specific fields (package, displayName,
-    // tagline) from the vendored fallback rather than a stale default.
+    const scribe = body.modules.find((m) => m.short === "scribe");
+    expect(scribe).toBeDefined();
+    expect(scribe?.package).toBe("@openparachute/scribe");
+    expect(scribe?.display_name).toBe("Scribe");
+    expect(scribe?.tagline).toContain("transcription");
+    expect(scribe?.available).toBe(true);
+  });
+
+  test("uncurated modules (notes / runner / surface) are NOT returned by GET /api/modules", async () => {
+    // CURATED_MODULES was trimmed 2026-05-27 to [vault, scribe]. The
+    // KNOWN_MODULES + FIRST_PARTY_FALLBACKS registries still carry
+    // entries for notes / runner (install-bootstrap path), but
+    // /api/modules only returns CURATED rows. Pins the boundary so a
+    // future re-curation has to be intentional, not a stale registry
+    // leak.
     const bearer = await mintBearer(h, [API_MODULES_REQUIRED_SCOPE]);
     const res = await handleApiModules(getReq({ authorization: `Bearer ${bearer}` }), {
       db: h.db,
       issuer: ISSUER,
       manifestPath: h.manifestPath,
-      fetchLatestVersion: async () => "0.1.0",
+      fetchLatestVersion: async () => null,
     });
-    expect(res.status).toBe(200);
-    const body = (await res.json()) as {
-      modules: Array<{
-        short: string;
-        package: string;
-        display_name: string;
-        tagline: string;
-        available: boolean;
-      }>;
-    };
-    const runner = body.modules.find((m) => m.short === "runner");
-    expect(runner).toBeDefined();
-    expect(runner?.package).toBe("@openparachute/runner");
-    expect(runner?.display_name).toBe("Runner");
-    expect(runner?.tagline).toContain("Vault-as-job-substrate");
-    expect(runner?.available).toBe(true);
+    const body = (await res.json()) as { modules: Array<{ short: string }> };
+    const shorts = body.modules.map((m) => m.short);
+    // Positive shape assertion — stronger than `not.toContain` because
+    // it also catches "we accidentally added a new uncurated entry"
+    // and "we accidentally removed an existing curated entry." Update
+    // this assertion intentionally when CURATED_MODULES changes.
+    expect(shorts).toEqual(["vault", "scribe"]);
+    // Belt + suspenders: explicit negatives for the modules dropped
+    // 2026-05-27, so a developer regressing the curated list sees both
+    // the shape failure AND the named-module failure messages.
+    expect(shorts).not.toContain("notes");
+    expect(shorts).not.toContain("runner");
+    expect(shorts).not.toContain("surface");
   });
 
   test("surfaces installed_version from services.json", async () => {
@@ -272,11 +282,11 @@ describe("GET /api/modules", () => {
     expect(vault?.installed_version).toBe("0.4.5");
     expect(vault?.latest_version).toBe("0.5.0");
     expect(vault?.install_dir).toBe("/parachute/modules/node_modules/@openparachute/vault");
-    // The other curated rows stay installed:false — the test installed
-    // only vault, so notes + scribe still render as available-but-not-installed.
-    const notes = body.modules.find((m) => m.short === "notes");
-    expect(notes?.installed).toBe(false);
-    expect(notes?.installed_version).toBeNull();
+    // The other curated row stays installed:false — the test installed
+    // only vault, so scribe still renders as available-but-not-installed.
+    const scribe = body.modules.find((m) => m.short === "scribe");
+    expect(scribe?.installed).toBe(false);
+    expect(scribe?.installed_version).toBeNull();
   });
 
   test("includes supervisor status + pid when a supervisor is injected", async () => {
@@ -309,9 +319,9 @@ describe("GET /api/modules", () => {
     expect(vault?.pid).toBe(12345);
     // Modules without a supervisor entry get null status — the UI
     // disables Restart/Stop for those since there's no live process.
-    const notes = body.modules.find((m) => m.short === "notes");
-    expect(notes?.supervisor_status).toBeNull();
-    expect(notes?.pid).toBeNull();
+    const scribe = body.modules.find((m) => m.short === "scribe");
+    expect(scribe?.supervisor_status).toBeNull();
+    expect(scribe?.pid).toBeNull();
     expect(body.supervisor_available).toBe(true);
   });
 
@@ -366,22 +376,28 @@ describe("GET /api/modules", () => {
   });
 
   test("management_url does not double-prepend mount when managementUrl is already mount-prefixed (hub#380)", async () => {
-    // Audit caught 2026-05-25: app declares `managementUrl: "/app/admin/"`
-    // (full hub-origin path) and `paths: ["/app", "/.parachute"]`. The
-    // SPA's Services dropdown was navigating to `/app/app/admin/` (404)
-    // because api-modules unconditionally prepended the mount onto the
-    // candidate. Fix: detect already-mount-prefixed paths and pass through.
+    // Audit caught 2026-05-25: surface declared `managementUrl: "/surface/admin/"`
+    // (full hub-origin path) and `paths: ["/surface", "/.parachute"]`. The
+    // SPA's Services dropdown was navigating to `/surface/surface/admin/`
+    // (404) because api-modules unconditionally prepended the mount onto
+    // the candidate. Fix: detect already-mount-prefixed paths and pass
+    // through.
     //
     // Single-instance modules conventionally declare the full path; only
     // multi-instance modules (vault) use the per-instance relative form.
+    // Post 2026-05-27 CURATED trim the canonical single-instance example
+    // is scribe (when scribe ships a managementUrl — scribe#53). For now
+    // we exercise the same code path with vault declaring an
+    // already-mount-prefixed managementUrl: any module whose declared
+    // URL starts with its mount must pass through unchanged.
     writeManifest(h.manifestPath, [
       {
-        name: "parachute-app",
-        port: 1946,
-        paths: ["/app", "/.parachute"],
-        health: "/app/healthz",
-        version: "0.2.0-rc.13",
-        installDir: "/install/dir/app",
+        name: "parachute-vault",
+        port: 1940,
+        paths: ["/vault/default"],
+        health: "/vault/default/health",
+        version: "0.4.5",
+        installDir: "/install/dir/vault",
       },
     ]);
     const bearer = await mintBearer(h, [API_MODULES_REQUIRED_SCOPE]);
@@ -391,17 +407,18 @@ describe("GET /api/modules", () => {
       manifestPath: h.manifestPath,
       fetchLatestVersion: async () => null,
       readModuleManifest: async (installDir) => {
-        if (installDir === "/install/dir/app") {
+        if (installDir === "/install/dir/vault") {
           return {
-            name: "app",
-            manifestName: "parachute-app",
-            displayName: "App",
+            name: "parachute-vault",
+            manifestName: "parachute-vault",
+            displayName: "Vault",
             tagline: "",
-            port: 1946,
-            paths: ["/app", "/.parachute"],
-            health: "/app/healthz",
-            uiUrl: "/app/admin/",
-            managementUrl: "/app/admin/",
+            port: 1940,
+            paths: ["/vault/default"],
+            health: "/vault/default/health",
+            // Already-mount-prefixed managementUrl — must NOT have the
+            // mount prepended again.
+            managementUrl: "/vault/default/admin/",
           } as unknown as Awaited<
             ReturnType<typeof import("../module-manifest.ts").readModuleManifest>
           >;
@@ -413,9 +430,9 @@ describe("GET /api/modules", () => {
     const body = (await res.json()) as {
       modules: Array<{ short: string; management_url: string | null }>;
     };
-    const app = body.modules.find((m) => m.short === "app");
-    // Single `/app/`, not `/app/app/`.
-    expect(app?.management_url).toBe("/app/admin/");
+    const vault = body.modules.find((m) => m.short === "vault");
+    // Single `/vault/default/`, not `/vault/default/vault/default/`.
+    expect(vault?.management_url).toBe("/vault/default/admin/");
   });
 
   test("management_url prefix-ish names don't collide (hub#380 — /app vs /app-foo)", async () => {
@@ -430,8 +447,8 @@ describe("GET /api/modules", () => {
       {
         name: "parachute-vault",
         port: 1940,
-        paths: ["/app"], // mount is /app (using vault as a stand-in installable)
-        health: "/app/health",
+        paths: ["/surface"], // mount is /app (using vault as a stand-in installable)
+        health: "/surface/health",
         version: "0.4.5",
         installDir: "/install/dir/contrived",
       },
@@ -450,8 +467,8 @@ describe("GET /api/modules", () => {
             displayName: "Vault",
             tagline: "",
             port: 1940,
-            paths: ["/app"],
-            health: "/app/health",
+            paths: ["/surface"],
+            health: "/surface/health",
             // candidate looks like a sibling-name prefix but is NOT a
             // mount-prefix of /app — should still get prepended.
             managementUrl: "/app-foo/admin",
@@ -467,9 +484,9 @@ describe("GET /api/modules", () => {
       modules: Array<{ short: string; management_url: string | null }>;
     };
     const vault = body.modules.find((m) => m.short === "vault");
-    // /app + /app-foo/admin → /app/app-foo/admin (prepend fires; not treated
-    // as already-mount-prefixed because /app-foo/ doesn't start with /app/).
-    expect(vault?.management_url).toBe("/app/app-foo/admin");
+    // /surface + /app-foo/admin → /surface/app-foo/admin (prepend fires; not
+    // treated as already-mount-prefixed because /app-foo/ doesn't start with /surface/).
+    expect(vault?.management_url).toBe("/surface/app-foo/admin");
   });
 
   test("management_url equality edge: tail equals mount exactly (hub#380)", async () => {
@@ -786,8 +803,8 @@ describe("GET /api/modules", () => {
         },
       ]);
       // Other curated rows stay empty — uis is per-row, not global.
-      const notes = body.modules.find((m) => m.short === "notes");
-      expect(notes?.uis).toEqual([]);
+      const scribe = body.modules.find((m) => m.short === "scribe");
+      expect(scribe?.uis).toEqual([]);
     });
 
     test("optional fields ride through verbatim, missing fields become null on the wire", async () => {