@openparachute/hub 0.5.13 → 0.5.14-rc.2

package/src/__tests__/hub-db.test.ts

@@ -151,7 +151,7 @@ describe("openHubDb + migrate", () => {
     }
   });
 
-  test("v8 adds password_changed + assigned_vault columns on a fresh DB", () => {
+  test("v8 added password_changed column (still present at v10)", () => {
     const h = makeHarness();
     try {
       const db = openHubDb(h.dbPath);
@@ -160,8 +160,9 @@ describe("openHubDb + migrate", () => {
           db.query<{ version: number }, []>("SELECT version FROM schema_version").all() ?? []
         ).map((r) => r.version);
         expect(versions).toContain(8);
-        // PRAGMA table_info returns the column shape; we want both new
-        // columns present with the right defaults / nullability.
+        // PRAGMA table_info returns the column shape; password_changed
+        // should still be on users at v10 (only assigned_vault was
+        // dropped in v10's recreate).
         interface ColInfo {
           name: string;
           type: string;
@@ -180,10 +181,8 @@ describe("openHubDb + migrate", () => {
         expect(pc?.notnull).toBe(1);
         // Default literal — SQLite returns it as a string "0".
         expect(pc?.dflt_value).toBe("0");
-        const av = byName.get("assigned_vault");
-        expect(av).toBeDefined();
-        expect(av?.type).toBe("TEXT");
-        expect(av?.notnull).toBe(0);
+        // v10 dropped assigned_vault — verify the column is gone.
+        expect(byName.has("assigned_vault")).toBe(false);
       } finally {
         db.close();
       }
@@ -195,21 +194,13 @@ describe("openHubDb + migrate", () => {
   test("v8 backfills password_changed=1 for users that pre-date the migration", () => {
     const h = makeHarness();
     try {
-      // Stand up a DB at the v7 state by partially-applying migrations:
-      // open Database directly, call migrate after stripping the v8 entry
-      // would be invasive. Instead, drive the same migration shape by hand
-      // for v1-v7 then insert a row, then call migrate() to apply v8.
-      // Cleanest path: openHubDb runs everything, but we want a v7 snapshot.
-      // Approach: open with openHubDb (runs all migrations), drop the v8
-      // changes, mark v8 unapplied, insert a user with password_changed=0
-      // (simulating a row from before the backfill), then re-run migrate.
-      // SQLite doesn't have DROP COLUMN pre-3.35 universally, so we do the
-      // recreate-and-rename: drop v8's columns by recreating users without
-      // them, then delete the v8 schema_version row, then call migrate().
+      // Stand up a DB at the v7 state by recreating the users table
+      // without the v8/v10 columns and re-running migrate().
       const db = openHubDb(h.dbPath);
       try {
         // Build a v7-shape users table and copy the v8-shape rows.
         db.exec(`
+          DROP TABLE IF EXISTS user_vaults;
           CREATE TABLE users_v7 (
             id TEXT PRIMARY KEY,
             username TEXT UNIQUE NOT NULL,
@@ -222,26 +213,26 @@ describe("openHubDb + migrate", () => {
           DROP TABLE users;
           ALTER TABLE users_v7 RENAME TO users;
         `);
-        db.exec("DELETE FROM schema_version WHERE version = 8");
+        db.exec("DELETE FROM schema_version WHERE version IN (8, 10)");
         // Insert a row that pre-dates v8 (no password_changed column yet).
         db.prepare(
           `INSERT INTO users (id, username, password_hash, created_at, updated_at)
            VALUES (?, ?, ?, ?, ?)`,
         ).run("legacy-user", "owner", "h", "2026-01-01", "2026-01-01");
-        // Now re-run migrations — v8 should ALTER the table and backfill.
+        // Now re-run migrations — v8 + v10 apply.
         migrate(db);
         const row = db
-          .query<{ password_changed: number; assigned_vault: string | null }, [string]>(
-            "SELECT password_changed, assigned_vault FROM users WHERE id = ?",
+          .query<{ password_changed: number }, [string]>(
+            "SELECT password_changed FROM users WHERE id = ?",
           )
           .get("legacy-user");
         expect(row).not.toBeNull();
         expect(row?.password_changed).toBe(1);
-        expect(row?.assigned_vault).toBeNull();
         const versions = (
           db.query<{ version: number }, []>("SELECT version FROM schema_version").all() ?? []
         ).map((r) => r.version);
         expect(versions).toContain(8);
+        expect(versions).toContain(10);
       } finally {
         db.close();
       }
@@ -250,24 +241,198 @@ describe("openHubDb + migrate", () => {
     }
   });
 
-  test("v8 — fresh inserts default password_changed=0 and assigned_vault NULL", () => {
+  test("v8 — fresh inserts default password_changed=0 (v10 dropped assigned_vault)", () => {
     const h = makeHarness();
     try {
       const db = openHubDb(h.dbPath);
       try {
-        // Insert via the bare-columns SQL (mirrors what a pre-v8 caller
-        // would emit) to confirm the column DEFAULTs work.
+        // Insert via the bare-columns SQL to confirm the column DEFAULTs work.
         db.prepare(
           `INSERT INTO users (id, username, password_hash, created_at, updated_at)
            VALUES (?, ?, ?, ?, ?)`,
         ).run("u-default", "owner", "h", "2026-01-01", "2026-01-01");
         const row = db
-          .query<{ password_changed: number; assigned_vault: string | null }, [string]>(
-            "SELECT password_changed, assigned_vault FROM users WHERE id = ?",
+          .query<{ password_changed: number }, [string]>(
+            "SELECT password_changed FROM users WHERE id = ?",
           )
           .get("u-default");
         expect(row?.password_changed).toBe(0);
-        expect(row?.assigned_vault).toBeNull();
+        // user_vaults table is empty for a default insert.
+        const vaultCount = db
+          .query<{ n: number }, [string]>("SELECT COUNT(*) AS n FROM user_vaults WHERE user_id = ?")
+          .get("u-default");
+        expect(vaultCount?.n).toBe(0);
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  // ---------------------------------------------------------------------------
+  // v10 — user_vaults many-to-many membership (multi-user Phase 2 PR 2)
+  // ---------------------------------------------------------------------------
+
+  test("v10 creates user_vaults table with the expected shape", () => {
+    const h = makeHarness();
+    try {
+      const db = openHubDb(h.dbPath);
+      try {
+        const versions = (
+          db.query<{ version: number }, []>("SELECT version FROM schema_version").all() ?? []
+        ).map((r) => r.version);
+        expect(versions).toContain(10);
+        const tables = (
+          db
+            .query<{ name: string }, []>(
+              "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name",
+            )
+            .all() ?? []
+        ).map((r) => r.name);
+        expect(tables).toContain("user_vaults");
+        interface ColInfo {
+          name: string;
+          type: string;
+          notnull: number;
+          dflt_value: string | null;
+        }
+        const cols = db
+          .query<ColInfo, []>(
+            "SELECT name, type, \"notnull\", dflt_value FROM pragma_table_info('user_vaults')",
+          )
+          .all();
+        const names = cols.map((c) => c.name);
+        expect(names).toContain("user_id");
+        expect(names).toContain("vault_name");
+        expect(names).toContain("role");
+        expect(names).toContain("created_at");
+        const role = cols.find((c) => c.name === "role");
+        expect(role?.notnull).toBe(1);
+        // SQLite represents the default literal verbatim — `'write'`.
+        expect(role?.dflt_value).toBe("'write'");
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("v10 backfills user_vaults from v9 assigned_vault column", () => {
+    const h = makeHarness();
+    try {
+      const db = openHubDb(h.dbPath);
+      try {
+        // Rebuild a v9-shape users table (with assigned_vault column),
+        // mark v10 unapplied, drop user_vaults, populate fixture rows,
+        // then re-run migrate to apply v10's backfill.
+        db.exec(`
+          DROP TABLE IF EXISTS user_vaults;
+          CREATE TABLE users_v9 (
+            id TEXT PRIMARY KEY,
+            username TEXT UNIQUE NOT NULL,
+            password_hash TEXT NOT NULL,
+            created_at TEXT NOT NULL,
+            updated_at TEXT NOT NULL,
+            password_changed INTEGER NOT NULL DEFAULT 0,
+            assigned_vault TEXT
+          );
+          INSERT INTO users_v9 (id, username, password_hash, created_at, updated_at, password_changed, assigned_vault)
+          VALUES
+            ('u-admin', 'admin', 'h', '2026-01-01', '2026-01-01', 1, NULL),
+            ('u-alice', 'alice', 'h', '2026-01-02', '2026-01-02', 1, 'personal'),
+            ('u-bob',   'bob',   'h', '2026-01-03', '2026-01-03', 1, 'family');
+          DROP TABLE users;
+          ALTER TABLE users_v9 RENAME TO users;
+        `);
+        db.exec("DELETE FROM schema_version WHERE version = 10");
+        migrate(db);
+        // Expect 2 rows in user_vaults (admin had NULL → no row).
+        const rows = db
+          .query<{ user_id: string; vault_name: string; role: string }, []>(
+            "SELECT user_id, vault_name, role FROM user_vaults ORDER BY user_id ASC",
+          )
+          .all();
+        expect(rows.length).toBe(2);
+        expect(rows[0]).toMatchObject({
+          user_id: "u-alice",
+          vault_name: "personal",
+          role: "write",
+        });
+        expect(rows[1]).toMatchObject({ user_id: "u-bob", vault_name: "family", role: "write" });
+        // No row for the admin.
+        const adminRows = db
+          .query<{ n: number }, [string]>("SELECT COUNT(*) AS n FROM user_vaults WHERE user_id = ?")
+          .get("u-admin");
+        expect(adminRows?.n).toBe(0);
+        // assigned_vault column should be gone.
+        interface ColInfo {
+          name: string;
+        }
+        const cols = db.query<ColInfo, []>("SELECT name FROM pragma_table_info('users')").all();
+        expect(cols.map((c) => c.name)).not.toContain("assigned_vault");
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("v10 FK cascade: deleting a user drops their user_vaults rows", () => {
+    const h = makeHarness();
+    try {
+      const db = openHubDb(h.dbPath);
+      try {
+        const stamp = "2026-05-27T00:00:00.000Z";
+        db.prepare(
+          "INSERT INTO users (id, username, password_hash, created_at, updated_at, password_changed) VALUES (?, ?, ?, ?, ?, ?)",
+        ).run("u1", "alice", "h", stamp, stamp, 1);
+        db.prepare(
+          "INSERT INTO user_vaults (user_id, vault_name, role, created_at) VALUES (?, ?, ?, ?)",
+        ).run("u1", "personal", "write", stamp);
+        db.prepare(
+          "INSERT INTO user_vaults (user_id, vault_name, role, created_at) VALUES (?, ?, ?, ?)",
+        ).run("u1", "family", "write", stamp);
+        // sanity
+        const before = db
+          .query<{ n: number }, [string]>("SELECT COUNT(*) AS n FROM user_vaults WHERE user_id = ?")
+          .get("u1");
+        expect(before?.n).toBe(2);
+        // Delete the user — ON DELETE CASCADE should drop the user_vaults rows.
+        db.prepare("DELETE FROM users WHERE id = ?").run("u1");
+        const after = db
+          .query<{ n: number }, [string]>("SELECT COUNT(*) AS n FROM user_vaults WHERE user_id = ?")
+          .get("u1");
+        expect(after?.n).toBe(0);
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("v10 (user_id, vault_name) PRIMARY KEY blocks duplicate (user, vault) pairs", () => {
+    const h = makeHarness();
+    try {
+      const db = openHubDb(h.dbPath);
+      try {
+        const stamp = "2026-05-27T00:00:00.000Z";
+        db.prepare(
+          "INSERT INTO users (id, username, password_hash, created_at, updated_at, password_changed) VALUES (?, ?, ?, ?, ?, ?)",
+        ).run("u1", "alice", "h", stamp, stamp, 1);
+        db.prepare(
+          "INSERT INTO user_vaults (user_id, vault_name, role, created_at) VALUES (?, ?, ?, ?)",
+        ).run("u1", "personal", "write", stamp);
+        expect(() =>
+          db
+            .prepare(
+              "INSERT INTO user_vaults (user_id, vault_name, role, created_at) VALUES (?, ?, ?, ?)",
+            )
+            .run("u1", "personal", "write", stamp),
+        ).toThrow();
       } finally {
         db.close();
       }

package/src/__tests__/hub-server.test.ts

@@ -995,22 +995,22 @@ describe("hubFetch routing", () => {
   });
 
   // Notes-as-app migration Phase 2 (parachute-app design doc §16).
-  // `/notes/*` 301-redirects to `/app/notes/*` so legacy bookmarks land
+  // `/notes/*` 301-redirects to `/surface/notes/*` so legacy bookmarks land
   // on the apps-hosted Notes. Tested with no DB (the migration-default
   // path — absent DB or absent row means redirect-on).
-  test("301: /notes/ → /app/notes/", async () => {
+  test("301: /notes/ → /surface/notes/", async () => {
     clearNotesRedirectLogState();
     const h = makeHarness();
     try {
       const res = await hubFetch(h.dir)(req("/notes/"));
       expect(res.status).toBe(301);
-      expect(res.headers.get("location")).toBe("/app/notes/");
+      expect(res.headers.get("location")).toBe("/surface/notes/");
     } finally {
       h.cleanup();
     }
   });
 
-  test("301: bare /notes → /app/notes", async () => {
+  test("301: bare /notes → /surface/notes", async () => {
     // The bare-prefix form (no trailing slash) is the path browsers land
     // on when an operator types `https://hub.example/notes` directly.
     clearNotesRedirectLogState();
@@ -1018,7 +1018,7 @@ describe("hubFetch routing", () => {
     try {
       const res = await hubFetch(h.dir)(req("/notes"));
       expect(res.status).toBe(301);
-      expect(res.headers.get("location")).toBe("/app/notes");
+      expect(res.headers.get("location")).toBe("/surface/notes");
     } finally {
       h.cleanup();
     }
@@ -1030,7 +1030,7 @@ describe("hubFetch routing", () => {
     try {
       const res = await hubFetch(h.dir)(req("/notes/some/path?q=1&n=2"));
       expect(res.status).toBe(301);
-      expect(res.headers.get("location")).toBe("/app/notes/some/path?q=1&n=2");
+      expect(res.headers.get("location")).toBe("/surface/notes/some/path?q=1&n=2");
     } finally {
       h.cleanup();
     }
@@ -2240,7 +2240,7 @@ describe("hubFetch /<svc>/* generic proxy dispatch (#182)", () => {
     // motivator for the `--mount` strip in notes-serve.ts).
     //
     // Post-parachute-app §16 Phase 2 the `/notes/*` path 301-redirects to
-    // `/app/notes/*` by default. This test pins the notes-as-module legacy
+    // `/surface/notes/*` by default. This test pins the notes-as-module legacy
     // path (notes-daemon still serving its own mount); set the opt-out
     // flag so the dispatch falls through to the generic proxy.
     const h = makeHarness();
@@ -3453,7 +3453,7 @@ describe("hubFetch persistent chrome strip injection (workstream G)", () => {
   // Pins the proxy-side wiring of the chrome strip from
   // `parachute-patterns/patterns/design-system.md` §7 — every proxied
   // text/html response gets the strip injected after the first `<body>`,
-  // with opt-outs for `/app/notes/*` (the Notes PWA owns its own chrome).
+  // with opt-outs for `/surface/notes/*` (the Notes PWA owns its own chrome).
   // The pure rewrite + opt-out logic is covered in chrome-strip.test.ts;
   // here we exercise the dispatch integration end-to-end through hubFetch.
 
@@ -3608,7 +3608,7 @@ describe("hubFetch persistent chrome strip injection (workstream G)", () => {
     }
   });
 
-  test("does NOT inject chrome on /app/notes/* (Notes PWA owns its own chrome)", async () => {
+  test("does NOT inject chrome on /surface/notes/* (Notes PWA owns its own chrome)", async () => {
     const h = makeHarness();
     const upstream = startHtmlUpstream("<html><body><h1>Notes</h1></body></html>");
     try {
@@ -3616,10 +3616,10 @@ describe("hubFetch persistent chrome strip injection (workstream G)", () => {
         {
           services: [
             {
-              name: "parachute-app",
+              name: "parachute-surface",
               port: upstream.port,
-              paths: ["/app"],
-              health: "/app/health",
+              paths: ["/surface"],
+              health: "/surface/health",
               version: "0.1.0",
             },
           ],
@@ -3627,7 +3627,7 @@ describe("hubFetch persistent chrome strip injection (workstream G)", () => {
         h.manifestPath,
       );
       const fetcher = hubFetch(h.dir, { manifestPath: h.manifestPath });
-      const res = await fetcher(req("/app/notes/"));
+      const res = await fetcher(req("/surface/notes/"));
       expect(res.status).toBe(200);
       const body = await res.text();
       expect(body).toBe("<html><body><h1>Notes</h1></body></html>");
@@ -3638,7 +3638,7 @@ describe("hubFetch persistent chrome strip injection (workstream G)", () => {
     }
   });
 
-  test("DOES inject chrome on /app/admin/* (parachute-app admin, not Notes)", async () => {
+  test("DOES inject chrome on /surface/admin/* (parachute-app admin, not Notes)", async () => {
     const h = makeHarness();
     const upstream = startHtmlUpstream("<html><body>app admin</body></html>");
     try {
@@ -3646,10 +3646,10 @@ describe("hubFetch persistent chrome strip injection (workstream G)", () => {
         {
           services: [
             {
-              name: "parachute-app",
+              name: "parachute-surface",
               port: upstream.port,
-              paths: ["/app"],
-              health: "/app/health",
+              paths: ["/surface"],
+              health: "/surface/health",
               version: "0.1.0",
             },
           ],
@@ -3657,7 +3657,7 @@ describe("hubFetch persistent chrome strip injection (workstream G)", () => {
         h.manifestPath,
       );
       const fetcher = hubFetch(h.dir, { manifestPath: h.manifestPath });
-      const res = await fetcher(req("/app/admin/"));
+      const res = await fetcher(req("/surface/admin/"));
       expect(res.status).toBe(200);
       const body = await res.text();
       expect(body).toContain("pc-chrome");
@@ -3668,7 +3668,7 @@ describe("hubFetch persistent chrome strip injection (workstream G)", () => {
     }
   });
 
-  test("does NOT inject on /app/notes/ sub-paths (asset requests)", async () => {
+  test("does NOT inject on /surface/notes/ sub-paths (asset requests)", async () => {
     const h = makeHarness();
     const upstream = startHtmlUpstream("<html><body>asset shell</body></html>");
     try {
@@ -3676,10 +3676,10 @@ describe("hubFetch persistent chrome strip injection (workstream G)", () => {
         {
           services: [
             {
-              name: "parachute-app",
+              name: "parachute-surface",
               port: upstream.port,
-              paths: ["/app"],
-              health: "/app/health",
+              paths: ["/surface"],
+              health: "/surface/health",
               version: "0.1.0",
             },
           ],
@@ -3687,7 +3687,7 @@ describe("hubFetch persistent chrome strip injection (workstream G)", () => {
         h.manifestPath,
       );
       const fetcher = hubFetch(h.dir, { manifestPath: h.manifestPath });
-      const res = await fetcher(req("/app/notes/index.html"));
+      const res = await fetcher(req("/surface/notes/index.html"));
       expect(res.status).toBe(200);
       const body = await res.text();
       expect(body).not.toContain("pc-chrome");

package/src/__tests__/notes-redirect.test.ts

@@ -1,5 +1,5 @@
 /**
- * Tests for the `/notes/*` → `/app/notes/*` redirect helper (Notes-as-app
+ * Tests for the `/notes/*` → `/surface/notes/*` redirect helper (Notes-as-app
  * migration Phase 2, parachute-app design doc §16).
  *
  * Covers the path-match predicate, the target-URL builder, the DB-aware
@@ -52,30 +52,30 @@ describe("notes-redirect — isLegacyNotesPath", () => {
 });
 
 describe("notes-redirect — buildNotesRedirectTarget", () => {
-  test("rewrites the bare path /notes → /app/notes", () => {
-    expect(buildNotesRedirectTarget("/notes", "")).toBe("/app/notes");
+  test("rewrites the bare path /notes → /surface/notes", () => {
+    expect(buildNotesRedirectTarget("/notes", "")).toBe("/surface/notes");
   });
 
-  test("rewrites the trailing-slash form /notes/ → /app/notes/", () => {
-    expect(buildNotesRedirectTarget("/notes/", "")).toBe("/app/notes/");
+  test("rewrites the trailing-slash form /notes/ → /surface/notes/", () => {
+    expect(buildNotesRedirectTarget("/notes/", "")).toBe("/surface/notes/");
   });
 
-  test("rewrites a sub-path /notes/sw.js → /app/notes/sw.js", () => {
-    expect(buildNotesRedirectTarget("/notes/sw.js", "")).toBe("/app/notes/sw.js");
+  test("rewrites a sub-path /notes/sw.js → /surface/notes/sw.js", () => {
+    expect(buildNotesRedirectTarget("/notes/sw.js", "")).toBe("/surface/notes/sw.js");
   });
 
   test("preserves a single-param query string", () => {
-    expect(buildNotesRedirectTarget("/notes/foo", "?q=1")).toBe("/app/notes/foo?q=1");
+    expect(buildNotesRedirectTarget("/notes/foo", "?q=1")).toBe("/surface/notes/foo?q=1");
   });
 
   test("preserves a multi-param query string verbatim (no re-encoding)", () => {
     expect(buildNotesRedirectTarget("/notes/foo", "?a=1&b=hello%20world")).toBe(
-      "/app/notes/foo?a=1&b=hello%20world",
+      "/surface/notes/foo?a=1&b=hello%20world",
     );
   });
 
   test("preserves the bare /notes + query (no trailing slash on rewrite)", () => {
-    expect(buildNotesRedirectTarget("/notes", "?next=foo")).toBe("/app/notes?next=foo");
+    expect(buildNotesRedirectTarget("/notes", "?next=foo")).toBe("/surface/notes?next=foo");
   });
 });
 
@@ -90,13 +90,13 @@ describe("notes-redirect — maybeRedirectNotes", () => {
     // Absent DB defaults to redirect-on — the migration-default direction.
     // Operators flipping the opt-out flag have a hub-with-DB; the default
     // doesn't depend on DB readiness.
-    expect(maybeRedirectNotes("/notes/foo", "?q=1", undefined)).toBe("/app/notes/foo?q=1");
+    expect(maybeRedirectNotes("/notes/foo", "?q=1", undefined)).toBe("/surface/notes/foo?q=1");
   });
 
   test("returns the target URL when the path matches and the flag is absent (default)", () => {
     const db = openHubDb(hubDbPath(dir));
     try {
-      expect(maybeRedirectNotes("/notes/foo", "", db)).toBe("/app/notes/foo");
+      expect(maybeRedirectNotes("/notes/foo", "", db)).toBe("/surface/notes/foo");
     } finally {
       db.close();
     }
@@ -109,7 +109,7 @@ describe("notes-redirect — maybeRedirectNotes", () => {
     try {
       setNotesRedirectDisabled(db, true);
       setNotesRedirectDisabled(db, false);
-      expect(maybeRedirectNotes("/notes/foo", "", db)).toBe("/app/notes/foo");
+      expect(maybeRedirectNotes("/notes/foo", "", db)).toBe("/surface/notes/foo");
     } finally {
       db.close();
     }
@@ -144,18 +144,18 @@ describe("notes-redirect — logNotesRedirect (throttled)", () => {
 
   test("logs once on the first hit", () => {
     const lines: string[] = [];
-    logNotesRedirect("/notes/foo", "/app/notes/foo", {
+    logNotesRedirect("/notes/foo", "/surface/notes/foo", {
       now: () => 1_000_000,
       log: (m) => lines.push(m),
     });
-    expect(lines).toEqual(["[notes-migration] redirect /notes/foo → /app/notes/foo"]);
+    expect(lines).toEqual(["[notes-migration] redirect /notes/foo → /surface/notes/foo"]);
   });
 
   test("throttles repeated hits to the same path within the window", () => {
     const lines: string[] = [];
     // Five hits within a 10-second span — well inside the 60-second window.
     for (let i = 0; i < 5; i++) {
-      logNotesRedirect("/notes/foo", "/app/notes/foo", {
+      logNotesRedirect("/notes/foo", "/surface/notes/foo", {
         now: () => 1_000_000 + i * 2_000,
         log: (m) => lines.push(m),
       });
@@ -165,12 +165,12 @@ describe("notes-redirect — logNotesRedirect (throttled)", () => {
 
   test("re-logs the same path after the window expires", () => {
     const lines: string[] = [];
-    logNotesRedirect("/notes/foo", "/app/notes/foo", {
+    logNotesRedirect("/notes/foo", "/surface/notes/foo", {
       now: () => 1_000_000,
       log: (m) => lines.push(m),
     });
     // 60_001 ms later → window has rolled, log fires again.
-    logNotesRedirect("/notes/foo", "/app/notes/foo", {
+    logNotesRedirect("/notes/foo", "/surface/notes/foo", {
       now: () => 1_000_000 + 60_001,
       log: (m) => lines.push(m),
     });
@@ -179,11 +179,11 @@ describe("notes-redirect — logNotesRedirect (throttled)", () => {
 
   test("logs distinct paths independently (per-path bucket)", () => {
     const lines: string[] = [];
-    logNotesRedirect("/notes/foo", "/app/notes/foo", {
+    logNotesRedirect("/notes/foo", "/surface/notes/foo", {
       now: () => 1_000_000,
       log: (m) => lines.push(m),
     });
-    logNotesRedirect("/notes/bar", "/app/notes/bar", {
+    logNotesRedirect("/notes/bar", "/surface/notes/bar", {
       now: () => 1_000_000,
       log: (m) => lines.push(m),
     });