@openparachute/hub 0.5.13 → 0.5.14-rc.2

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@openparachute/hub",
-  "version": "0.5.13",
-  "description": "parachute — the local hub for the Parachute ecosystem (discovery, ports, lifecycle, soon OAuth).",
+  "version": "0.5.14-rc.2",
+  "description": "parachute \u2014 the local hub for the Parachute ecosystem (discovery, ports, lifecycle, soon OAuth).",
   "license": "AGPL-3.0",
   "publishConfig": {
     "access": "public"

package/src/__tests__/account-home-ui.test.ts

@@ -0,0 +1,163 @@
+/**
+ * Renderer tests for the friend-facing `/account/` home (multi-user
+ * Phase 1 follow-up). The page is a pure function over its opts — these
+ * tests pin the load-bearing shape:
+ *
+ *   - Assigned-vault branch: Notes CTA href encodes the hub+vault URL,
+ *     vault name shows in the body, hub origin appears as inline code
+ *     in the custom-client disclosure.
+ *   - Admin (no assigned vault) branch: link to /admin/ visible.
+ *   - Defensive third branch (non-admin + no vault): "ask the operator"
+ *     copy renders.
+ *   - Common scaffolding: username in welcome, sign-out POST form,
+ *     change-password link.
+ */
+import { describe, expect, test } from "bun:test";
+import { renderAccountHome } from "../account-home-ui.ts";
+
+const HUB_ORIGIN = "https://hub.example";
+const CSRF = "test-csrf-token";
+
+describe("renderAccountHome", () => {
+  test("assigned-vault branch — Notes CTA carries the encoded hub+vault URL", () => {
+    const html = renderAccountHome({
+      username: "alice",
+      assignedVaults: ["alice"],
+      passwordChanged: true,
+      hubOrigin: HUB_ORIGIN,
+      isFirstAdmin: false,
+      csrfToken: CSRF,
+    });
+    // Welcome header includes the username.
+    expect(html).toContain("Welcome, alice");
+    // Vault name renders as inline content in the vault card.
+    expect(html).toContain("<strong>alice</strong>");
+    // Notes "Open" CTA — same shape as setup-wizard's renderStartUsingTile.
+    // The href encodes `${hubOrigin}/vault/<name>` via encodeURIComponent.
+    const encodedVaultUrl = encodeURIComponent(`${HUB_ORIGIN}/vault/alice`);
+    expect(html).toContain(`https://notes.parachute.computer/add?url=${encodedVaultUrl}`);
+    expect(html).toContain('target="_blank"');
+    expect(html).toContain('rel="noopener"');
+    // Hub origin renders as inline <code> in the custom-client disclosure.
+    expect(html).toContain(`<code>${HUB_ORIGIN}</code>`);
+    expect(html).toContain("Use a custom client");
+  });
+
+  test("assigned-vault branch — trailing slash on hubOrigin is normalized", () => {
+    // The handler resolves origin per-request via `resolveIssuer`; some
+    // operators set a hub_origin setting with a trailing slash. The
+    // renderer must produce a clean `/vault/<name>` join either way.
+    const html = renderAccountHome({
+      username: "alice",
+      assignedVaults: ["alice"],
+      passwordChanged: true,
+      hubOrigin: `${HUB_ORIGIN}/`,
+      isFirstAdmin: false,
+      csrfToken: CSRF,
+    });
+    const cleanEncoded = encodeURIComponent(`${HUB_ORIGIN}/vault/alice`);
+    expect(html).toContain(`https://notes.parachute.computer/add?url=${cleanEncoded}`);
+    // The inline-code display also drops the trailing slash.
+    expect(html).toContain(`<code>${HUB_ORIGIN}</code>`);
+    expect(html).not.toContain(`<code>${HUB_ORIGIN}/</code>`);
+  });
+
+  test("admin branch — null assignedVault + isFirstAdmin renders an /admin/ link", () => {
+    const html = renderAccountHome({
+      username: "admin",
+      assignedVaults: [],
+      passwordChanged: true,
+      hubOrigin: HUB_ORIGIN,
+      isFirstAdmin: true,
+      csrfToken: CSRF,
+    });
+    expect(html).toContain("Welcome, admin");
+    expect(html).toContain("hub administrator");
+    expect(html).toContain('href="/admin/"');
+    // Should NOT carry the Notes CTA (no vault).
+    expect(html).not.toContain("notes.parachute.computer/add");
+  });
+
+  test("defensive branch — non-admin with null assignedVault renders an 'ask operator' message", () => {
+    // Shouldn't normally occur in Phase 1 (PR 2's /api/users always
+    // assigns a vault on create), but the renderer carries a clear
+    // explanation rather than a blank card if a row gets into that
+    // state via hand-edit or migration race.
+    const html = renderAccountHome({
+      username: "ghost",
+      assignedVaults: [],
+      passwordChanged: true,
+      hubOrigin: HUB_ORIGIN,
+      isFirstAdmin: false,
+      csrfToken: CSRF,
+    });
+    expect(html).toContain("Welcome, ghost");
+    expect(html).toContain("Ask the hub operator");
+    // No /admin/ link in this branch — they have no admin role.
+    expect(html).not.toContain('href="/admin/"');
+    // No Notes CTA.
+    expect(html).not.toContain("notes.parachute.computer/add");
+  });
+
+  test("account card — change-password link and sign-out form are present", () => {
+    const html = renderAccountHome({
+      username: "alice",
+      assignedVaults: ["alice"],
+      passwordChanged: true,
+      hubOrigin: HUB_ORIGIN,
+      isFirstAdmin: false,
+      csrfToken: CSRF,
+    });
+    // Change-password link points at the existing /account/change-password
+    // route (server-rendered HTML, separate handler).
+    expect(html).toContain('href="/account/change-password"');
+    // Sign-out form POSTs to /logout (existing handler), CSRF token
+    // round-trips via the renderCsrfHiddenInput helper.
+    expect(html).toContain('action="/logout"');
+    expect(html).toContain('method="POST"');
+    expect(html).toContain(CSRF);
+    // Username renders inside the account card too.
+    expect(html).toContain("<code>alice</code>");
+  });
+
+  test("multi-vault branch — renders one tile per assigned vault (Phase 2 PR 2)", () => {
+    const html = renderAccountHome({
+      username: "alice",
+      assignedVaults: ["personal", "family"],
+      passwordChanged: true,
+      hubOrigin: HUB_ORIGIN,
+      isFirstAdmin: false,
+      csrfToken: CSRF,
+    });
+    // Plural heading.
+    expect(html).toContain("Your vaults");
+    // Each vault name appears.
+    expect(html).toContain("<strong>personal</strong>");
+    expect(html).toContain("<strong>family</strong>");
+    // One CTA per vault with the right encoded URL.
+    const personalEncoded = encodeURIComponent(`${HUB_ORIGIN}/vault/personal`);
+    const familyEncoded = encodeURIComponent(`${HUB_ORIGIN}/vault/family`);
+    expect(html).toContain(`https://notes.parachute.computer/add?url=${personalEncoded}`);
+    expect(html).toContain(`https://notes.parachute.computer/add?url=${familyEncoded}`);
+    // Hub origin block appears once at the section level, not per tile.
+    expect(html.split(`<code>${HUB_ORIGIN}</code>`).length - 1).toBe(1);
+  });
+
+  test("escapes hostile content in username and vault name", () => {
+    // Defense-in-depth: usernames pass validateUsername (lowercase alnum
+    // + `_-`), so HTML metacharacters won't normally make it through. But
+    // the renderer is a pure function over arbitrary string input and the
+    // escape is load-bearing if the validator ever loosens.
+    const html = renderAccountHome({
+      username: "<script>",
+      assignedVaults: ["<vault>"],
+      passwordChanged: true,
+      hubOrigin: HUB_ORIGIN,
+      isFirstAdmin: false,
+      csrfToken: CSRF,
+    });
+    expect(html).not.toContain("<script>");
+    expect(html).toContain("&lt;script&gt;");
+    expect(html).toContain("&lt;vault&gt;");
+  });
+});

package/src/__tests__/admin-handlers.test.ts

@@ -426,6 +426,80 @@ describe("loginRedirectTarget — force-change-password (multi-user PR 3)", () =
     expect(res.headers.get("location")).toBe("/admin/tokens");
   });
 
+  test("non-admin (friend) targeting /admin/* gets rewritten to /account/", async () => {
+    // Multi-user follow-up: a signed-in friend account hitting an /admin/*
+    // URL via post-login `next=` would otherwise land on the admin SPA,
+    // which 403s on `/admin/host-admin-token` (first-admin gate) and
+    // bounces them back via the SPA-side 403 handler. Rewriting at the
+    // login boundary skips the bouncing-around UX. Friend has
+    // passwordChanged=true so the force-change path doesn't pre-empt.
+    await createUser(harness.db, "admin", "admin-pw", { passwordChanged: true });
+    await createUser(harness.db, "alice", "alice-pw", {
+      allowMulti: true,
+      passwordChanged: true,
+    });
+    const { body, headers } = formBody({
+      [CSRF_FIELD_NAME]: TEST_CSRF,
+      username: "alice",
+      password: "alice-pw",
+      next: "/admin/users",
+    });
+    const req = new Request("http://hub.test/login", {
+      method: "POST",
+      headers: { ...headers, cookie: CSRF_COOKIE },
+      body,
+    });
+    const res = await handleAdminLoginPost(harness.db, req);
+    expect(res.status).toBe(302);
+    expect(res.headers.get("location")).toBe("/account/");
+  });
+
+  test("admin targeting /admin/* still lands at the original next= (rewrite doesn't fire for admin)", async () => {
+    // Belt-and-suspenders for the friend rewrite above: the same next=
+    // for the admin user must NOT redirect to /account/.
+    await createUser(harness.db, "admin", "admin-pw", { passwordChanged: true });
+    const { body, headers } = formBody({
+      [CSRF_FIELD_NAME]: TEST_CSRF,
+      username: "admin",
+      password: "admin-pw",
+      next: "/admin/users",
+    });
+    const req = new Request("http://hub.test/login", {
+      method: "POST",
+      headers: { ...headers, cookie: CSRF_COOKIE },
+      body,
+    });
+    const res = await handleAdminLoginPost(harness.db, req);
+    expect(res.status).toBe(302);
+    expect(res.headers.get("location")).toBe("/admin/users");
+  });
+
+  test("non-admin (friend) keeps non-/admin next= intact (e.g. /oauth/authorize, /vault/...)", async () => {
+    // Legitimate user destinations — OAuth consent + per-vault routes —
+    // must pass through unchanged. Friends sign in through /login as part
+    // of the OAuth user-consent flow; rewriting their next= to /account/
+    // would break that.
+    await createUser(harness.db, "admin", "admin-pw", { passwordChanged: true });
+    await createUser(harness.db, "alice", "alice-pw", {
+      allowMulti: true,
+      passwordChanged: true,
+    });
+    const { body, headers } = formBody({
+      [CSRF_FIELD_NAME]: TEST_CSRF,
+      username: "alice",
+      password: "alice-pw",
+      next: "/oauth/authorize?client_id=abc",
+    });
+    const req = new Request("http://hub.test/login", {
+      method: "POST",
+      headers: { ...headers, cookie: CSRF_COOKIE },
+      body,
+    });
+    const res = await handleAdminLoginPost(harness.db, req);
+    expect(res.status).toBe(302);
+    expect(res.headers.get("location")).toBe("/oauth/authorize?client_id=abc");
+  });
+
   test("password_changed=false defense-in-depth: unsafe next= is sanitized before encoding", async () => {
     // safeNext rewrites unsafe next values to /admin/vaults BEFORE the
     // redirect-target helper runs. The change-password URL should never

package/src/__tests__/admin-host-admin-token.test.ts

@@ -56,6 +56,31 @@ async function withSession(): Promise<{ cookie: string; userId: string }> {
   return { cookie, userId: user.id };
 }
 
+/**
+ * Seed an admin (first-created user) + a second non-admin "friend"
+ * account, return cookies + ids for both. Used by the first-admin-gate
+ * tests.
+ */
+async function withAdminAndFriend(): Promise<{
+  adminCookie: string;
+  adminId: string;
+  friendCookie: string;
+  friendId: string;
+}> {
+  const admin = await createUser(harness.db, "admin", "admin-passphrase");
+  const friend = await createUser(harness.db, "alice", "alice-passphrase", {
+    allowMulti: true,
+  });
+  const adminSession = createSession(harness.db, { userId: admin.id });
+  const friendSession = createSession(harness.db, { userId: friend.id });
+  return {
+    adminCookie: buildSessionCookie(adminSession.id, Math.floor(SESSION_TTL_MS / 1000)),
+    adminId: admin.id,
+    friendCookie: buildSessionCookie(friendSession.id, Math.floor(SESSION_TTL_MS / 1000)),
+    friendId: friend.id,
+  };
+}
+
 describe("handleHostAdminToken", () => {
   test("401 when no session cookie is present", async () => {
     const req = new Request(`${ISSUER}/admin/host-admin-token`);
@@ -124,6 +149,43 @@ describe("handleHostAdminToken", () => {
     expect(scopes).toContain("parachute:host:auth");
   });
 
+  test("403 not_admin when a signed-in non-first-admin (friend) hits the endpoint", async () => {
+    // Privesc closure: without the first-admin gate, any signed-in
+    // friend account could mint a JWT carrying parachute:host:admin +
+    // parachute:host:auth — the SPA bearer that gates vault provisioning,
+    // grants, and the token registry. The friend's session is valid;
+    // the endpoint must refuse because the session.userId doesn't match
+    // the first-admin row.
+    const { friendCookie } = await withAdminAndFriend();
+    rotateSigningKey(harness.db);
+    const req = new Request(`${ISSUER}/admin/host-admin-token`, {
+      headers: { cookie: friendCookie },
+    });
+    const res = await handleHostAdminToken(req, { db: harness.db, issuer: ISSUER });
+    expect(res.status).toBe(403);
+    const body = (await res.json()) as { error: string; error_description: string };
+    expect(body.error).toBe("not_admin");
+    // The wire description steers the SPA-side handler toward /account/.
+    expect(body.error_description).toContain("/account/");
+  });
+
+  test("first-admin path still succeeds when a friend exists alongside", async () => {
+    // Belt-and-suspenders for the gate above: adding a second user must
+    // not break the admin's own happy path. Same DB, same query — the
+    // admin's session.userId matches the earliest-created row, so the
+    // gate passes.
+    const { adminCookie, adminId } = await withAdminAndFriend();
+    rotateSigningKey(harness.db);
+    const req = new Request(`${ISSUER}/admin/host-admin-token`, {
+      headers: { cookie: adminCookie },
+    });
+    const res = await handleHostAdminToken(req, { db: harness.db, issuer: ISSUER });
+    expect(res.status).toBe(200);
+    const body = (await res.json()) as { token: string };
+    const validated = await validateAccessToken(harness.db, body.token, ISSUER);
+    expect(validated.payload.sub).toBe(adminId);
+  });
+
   // Regression for the end-to-end bug that motivated adding `:host:auth`
   // here: the SPA's session-bearer was rejected by `/api/auth/tokens` (and
   // its peers) because it carried `:host:admin` only. This test mints

package/src/__tests__/admin-vault-admin-token.test.ts

@@ -152,6 +152,50 @@ describe("handleVaultAdminToken", () => {
     expect(scopeClaim.split(/\s+/)).toContain("vault:work:admin");
   });
 
+  test("403 not_admin when the session belongs to a non-first-admin user", async () => {
+    // Multi-user Phase 1 privesc gate (mirrors host-admin-token). The first-
+    // created user is the hub admin; subsequent users are friends pinned to
+    // a single vault and must NOT be able to mint vault:<name>:admin via
+    // this endpoint. The session check alone would let them — that's the
+    // whole reason this gate exists.
+    await createUser(harness.db, "operator", "hunter2-admin");
+    const friend = await createUser(harness.db, "friend", "hunter2-friend", {
+      assignedVaults: ["work"],
+      allowMulti: true,
+    });
+    const session = createSession(harness.db, { userId: friend.id });
+    const cookie = buildSessionCookie(session.id, Math.floor(SESSION_TTL_MS / 1000));
+    const req = new Request(`${ISSUER}/admin/vault-admin-token/work`, { headers: { cookie } });
+    const res = await handleVaultAdminToken(req, "work", {
+      db: harness.db,
+      issuer: ISSUER,
+      knownVaultNames: known("work", "default"),
+    });
+    expect(res.status).toBe(403);
+    const body = (await res.json()) as { error: string; error_description: string };
+    expect(body.error).toBe("not_admin");
+    expect(body.error_description).toContain("/account/");
+  });
+
+  test("first admin still mints when other users exist", async () => {
+    // Regression: the first-admin gate must not regress the operator's
+    // happy path when there are friends in the DB.
+    const admin = await createUser(harness.db, "operator", "hunter2-admin");
+    await createUser(harness.db, "friend", "hunter2-friend", {
+      assignedVaults: ["work"],
+      allowMulti: true,
+    });
+    const session = createSession(harness.db, { userId: admin.id });
+    const cookie = buildSessionCookie(session.id, Math.floor(SESSION_TTL_MS / 1000));
+    const req = new Request(`${ISSUER}/admin/vault-admin-token/work`, { headers: { cookie } });
+    const res = await handleVaultAdminToken(req, "work", {
+      db: harness.db,
+      issuer: ISSUER,
+      knownVaultNames: known("work"),
+    });
+    expect(res.status).toBe(200);
+  });
+
   test("audience is per-vault — different vaults get different aud claims", async () => {
     // Regression for PR #173 follow-up: a single shared audience constant
     // meant a token minted for vault `boulder` carried `aud: "hub"` and

package/src/__tests__/api-account.test.ts

@@ -25,6 +25,7 @@ import { join } from "node:path";
 import {
   handleAccountChangePasswordGet,
   handleAccountChangePasswordPost,
+  handleAccountHomeGet,
   markPasswordChanged,
 } from "../api-account.ts";
 import { CSRF_COOKIE_NAME, CSRF_FIELD_NAME } from "../csrf.ts";
@@ -256,7 +257,110 @@ describe("POST /account/change-password", () => {
     }
   });
 
-  test("missing next defaults to /admin/vaults", async () => {
+  test("non-admin user with no next defaults to /account/ (no admin-shell flash)", async () => {
+    // Without this rewrite, a friend's change-password POST would 302 to
+    // /admin/vaults, the SPA would load, the 403 from
+    // /admin/host-admin-token would bounce them to /account/ — a visible
+    // two-hop flash. Mirror the login-redirect rewrite in admin-handlers.ts.
+    await createUser(harness.db, "operator", "operator-strong-passphrase");
+    const { cookie } = await sessionCookieFor(harness.db, "friend", "old-default-pw", {
+      passwordChanged: false,
+      allowMulti: true,
+    });
+    const { body, headers } = formBody({
+      [CSRF_FIELD_NAME]: TEST_CSRF,
+      current_password: "old-default-pw",
+      new_password: "user-chosen-strong-passphrase",
+      new_password_confirm: "user-chosen-strong-passphrase",
+    });
+    const req = new Request("http://hub.test/account/change-password", {
+      method: "POST",
+      headers: { ...headers, cookie },
+      body,
+    });
+    const res = await handleAccountChangePasswordPost(req, { db: harness.db });
+    expect(res.status).toBe(302);
+    expect(res.headers.get("location")).toBe("/account/");
+  });
+
+  test("non-admin user with next=/admin/users gets rewritten to /account/", async () => {
+    await createUser(harness.db, "operator", "operator-strong-passphrase");
+    const { cookie } = await sessionCookieFor(harness.db, "friend", "old-default-pw", {
+      passwordChanged: false,
+      allowMulti: true,
+    });
+    const { body, headers } = formBody({
+      [CSRF_FIELD_NAME]: TEST_CSRF,
+      current_password: "old-default-pw",
+      new_password: "user-chosen-strong-passphrase",
+      new_password_confirm: "user-chosen-strong-passphrase",
+      next: "/admin/users",
+    });
+    const req = new Request("http://hub.test/account/change-password", {
+      method: "POST",
+      headers: { ...headers, cookie },
+      body,
+    });
+    const res = await handleAccountChangePasswordPost(req, { db: harness.db });
+    expect(res.status).toBe(302);
+    expect(res.headers.get("location")).toBe("/account/");
+  });
+
+  test("non-admin user with non-admin next= passes through unchanged", async () => {
+    // Friends with a legitimate non-admin destination (e.g. /oauth/authorize
+    // mid-flow) should land where they intended — the rewrite only catches
+    // /admin/* targets.
+    await createUser(harness.db, "operator", "operator-strong-passphrase");
+    const { cookie } = await sessionCookieFor(harness.db, "friend", "old-default-pw", {
+      passwordChanged: false,
+      allowMulti: true,
+    });
+    const { body, headers } = formBody({
+      [CSRF_FIELD_NAME]: TEST_CSRF,
+      current_password: "old-default-pw",
+      new_password: "user-chosen-strong-passphrase",
+      new_password_confirm: "user-chosen-strong-passphrase",
+      next: "/oauth/authorize?client_id=abc",
+    });
+    const req = new Request("http://hub.test/account/change-password", {
+      method: "POST",
+      headers: { ...headers, cookie },
+      body,
+    });
+    const res = await handleAccountChangePasswordPost(req, { db: harness.db });
+    expect(res.status).toBe(302);
+    expect(res.headers.get("location")).toBe("/oauth/authorize?client_id=abc");
+  });
+
+  test("non-admin with exact next=/admin (no trailing slash) rewrites to /account/", async () => {
+    // Pins the exact-match arm of the prefix gate. Tests in #426 cover
+    // /admin/users (prefix match) and the no-next case (POST_CHANGE_DEFAULT
+    // → rewrite). This is the third arm.
+    await createUser(harness.db, "operator", "operator-strong-passphrase");
+    const { cookie } = await sessionCookieFor(harness.db, "friend", "old-default-pw", {
+      passwordChanged: false,
+      allowMulti: true,
+    });
+    const { body, headers } = formBody({
+      [CSRF_FIELD_NAME]: TEST_CSRF,
+      current_password: "old-default-pw",
+      new_password: "user-chosen-strong-passphrase",
+      new_password_confirm: "user-chosen-strong-passphrase",
+      next: "/admin",
+    });
+    const req = new Request("http://hub.test/account/change-password", {
+      method: "POST",
+      headers: { ...headers, cookie },
+      body,
+    });
+    const res = await handleAccountChangePasswordPost(req, { db: harness.db });
+    expect(res.status).toBe(302);
+    expect(res.headers.get("location")).toBe("/account/");
+  });
+
+  test("first admin with no next still defaults to /admin/vaults", async () => {
+    // Existing behavior — preserved by the non-admin gate. The first user
+    // is the admin under Phase 1; admin SPA is the intended landing.
     const { cookie } = await sessionCookieFor(harness.db, "newbie", "old-default-pw", {
       passwordChanged: false,
     });
@@ -628,3 +732,89 @@ describe("markPasswordChanged", () => {
     expect(after?.passwordChanged).toBe(true);
   });
 });
+
+describe("handleAccountHomeGet", () => {
+  // Integration smoke for `GET /account/` — verifies session gating
+  // (302 → /login when missing) and the happy path (200 + rendered HTML
+  // with the user's vault). The pure-renderer assertions live in
+  // `account-home-ui.test.ts`; this suite pins handler-level wiring.
+
+  const HUB_ORIGIN = "https://hub.test";
+
+  test("302 → /login when no session cookie is present", async () => {
+    const req = new Request(`${HUB_ORIGIN}/account/`);
+    const res = handleAccountHomeGet(req, { db: harness.db, hubOrigin: HUB_ORIGIN });
+    expect(res.status).toBe(302);
+    const location = res.headers.get("location") ?? "";
+    // Round-trip /account/ as the `next` param so post-login lands back.
+    expect(location).toBe(`/login?next=${encodeURIComponent("/account/")}`);
+  });
+
+  test("200 + HTML for a signed-in friend with an assigned vault", async () => {
+    // Create the admin first (so the friend is NOT the first admin),
+    // then a friend with an assigned vault.
+    await createUser(harness.db, "admin", "admin-passphrase", { passwordChanged: true });
+    const friend = await createUser(harness.db, "alice", "alice-passphrase", {
+      allowMulti: true,
+      passwordChanged: true,
+      assignedVaults: ["alice"],
+    });
+    const session = createSession(harness.db, { userId: friend.id });
+    const cookie = buildSessionCookie(session.id, Math.floor(SESSION_TTL_MS / 1000));
+    const req = new Request(`${HUB_ORIGIN}/account/`, { headers: { cookie } });
+    const res = handleAccountHomeGet(req, { db: harness.db, hubOrigin: HUB_ORIGIN });
+    expect(res.status).toBe(200);
+    expect(res.headers.get("content-type")).toContain("text/html");
+    const html = await res.text();
+    expect(html).toContain("Welcome, alice");
+    // Vault name visible.
+    expect(html).toContain("<strong>alice</strong>");
+    // Notes CTA carries the hub-origin-encoded vault URL.
+    const encoded = encodeURIComponent(`${HUB_ORIGIN}/vault/alice`);
+    expect(html).toContain(`https://notes.parachute.computer/add?url=${encoded}`);
+  });
+
+  test("200 + admin branch when the first-admin signs in (no vault assignments)", async () => {
+    // The first-created user with no vault pin is the admin posture.
+    const admin = await createUser(harness.db, "admin", "admin-passphrase", {
+      passwordChanged: true,
+    });
+    const session = createSession(harness.db, { userId: admin.id });
+    const cookie = buildSessionCookie(session.id, Math.floor(SESSION_TTL_MS / 1000));
+    const req = new Request(`${HUB_ORIGIN}/account/`, { headers: { cookie } });
+    const res = handleAccountHomeGet(req, { db: harness.db, hubOrigin: HUB_ORIGIN });
+    expect(res.status).toBe(200);
+    const html = await res.text();
+    expect(html).toContain("Welcome, admin");
+    expect(html).toContain("hub administrator");
+    expect(html).toContain('href="/admin/"');
+  });
+
+  test("302 → /login when the session points at a deleted user", async () => {
+    // Stale-session shape: a session row outlives its user. The handler
+    // hands back to /login rather than rendering against null.
+    //
+    // Construction note: `deleteUser` drops the session as part of its
+    // cleanup transaction, and the sessions.user_id FK is RESTRICT, so
+    // we briefly drop FK enforcement to fabricate the orphan-session
+    // shape. The handler's job is robustness against an externally-
+    // induced orphan (e.g. a race between session-read and user-delete
+    // on a different connection); the test exercises that defensive
+    // branch directly.
+    const user = await createUser(harness.db, "ghost", "ghost-passphrase", {
+      passwordChanged: true,
+    });
+    const session = createSession(harness.db, { userId: user.id });
+    const cookie = buildSessionCookie(session.id, Math.floor(SESSION_TTL_MS / 1000));
+    harness.db.exec("PRAGMA foreign_keys = OFF");
+    try {
+      harness.db.prepare("DELETE FROM users WHERE id = ?").run(user.id);
+    } finally {
+      harness.db.exec("PRAGMA foreign_keys = ON");
+    }
+    const req = new Request(`${HUB_ORIGIN}/account/`, { headers: { cookie } });
+    const res = handleAccountHomeGet(req, { db: harness.db, hubOrigin: HUB_ORIGIN });
+    expect(res.status).toBe(302);
+    expect(res.headers.get("location")).toBe("/login");
+  });
+});