@openparachute/hub 0.5.14-rc.1 → 0.5.14-rc.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openparachute/hub",
-  "version": "0.5.14-rc.1",
+  "version": "0.5.14-rc.2",
   "description": "parachute \u2014 the local hub for the Parachute ecosystem (discovery, ports, lifecycle, soon OAuth).",
   "license": "AGPL-3.0",
   "publishConfig": {

package/src/__tests__/account-home-ui.test.ts

@@ -22,7 +22,7 @@ describe("renderAccountHome", () => {
   test("assigned-vault branch — Notes CTA carries the encoded hub+vault URL", () => {
     const html = renderAccountHome({
       username: "alice",
-      assignedVault: "alice",
+      assignedVaults: ["alice"],
       passwordChanged: true,
       hubOrigin: HUB_ORIGIN,
       isFirstAdmin: false,
@@ -49,7 +49,7 @@ describe("renderAccountHome", () => {
     // renderer must produce a clean `/vault/<name>` join either way.
     const html = renderAccountHome({
       username: "alice",
-      assignedVault: "alice",
+      assignedVaults: ["alice"],
       passwordChanged: true,
       hubOrigin: `${HUB_ORIGIN}/`,
       isFirstAdmin: false,
@@ -65,7 +65,7 @@ describe("renderAccountHome", () => {
   test("admin branch — null assignedVault + isFirstAdmin renders an /admin/ link", () => {
     const html = renderAccountHome({
       username: "admin",
-      assignedVault: null,
+      assignedVaults: [],
       passwordChanged: true,
       hubOrigin: HUB_ORIGIN,
       isFirstAdmin: true,
@@ -85,7 +85,7 @@ describe("renderAccountHome", () => {
     // state via hand-edit or migration race.
     const html = renderAccountHome({
       username: "ghost",
-      assignedVault: null,
+      assignedVaults: [],
       passwordChanged: true,
       hubOrigin: HUB_ORIGIN,
       isFirstAdmin: false,
@@ -102,7 +102,7 @@ describe("renderAccountHome", () => {
   test("account card — change-password link and sign-out form are present", () => {
     const html = renderAccountHome({
       username: "alice",
-      assignedVault: "alice",
+      assignedVaults: ["alice"],
       passwordChanged: true,
       hubOrigin: HUB_ORIGIN,
       isFirstAdmin: false,
@@ -120,6 +120,29 @@ describe("renderAccountHome", () => {
     expect(html).toContain("<code>alice</code>");
   });
 
+  test("multi-vault branch — renders one tile per assigned vault (Phase 2 PR 2)", () => {
+    const html = renderAccountHome({
+      username: "alice",
+      assignedVaults: ["personal", "family"],
+      passwordChanged: true,
+      hubOrigin: HUB_ORIGIN,
+      isFirstAdmin: false,
+      csrfToken: CSRF,
+    });
+    // Plural heading.
+    expect(html).toContain("Your vaults");
+    // Each vault name appears.
+    expect(html).toContain("<strong>personal</strong>");
+    expect(html).toContain("<strong>family</strong>");
+    // One CTA per vault with the right encoded URL.
+    const personalEncoded = encodeURIComponent(`${HUB_ORIGIN}/vault/personal`);
+    const familyEncoded = encodeURIComponent(`${HUB_ORIGIN}/vault/family`);
+    expect(html).toContain(`https://notes.parachute.computer/add?url=${personalEncoded}`);
+    expect(html).toContain(`https://notes.parachute.computer/add?url=${familyEncoded}`);
+    // Hub origin block appears once at the section level, not per tile.
+    expect(html.split(`<code>${HUB_ORIGIN}</code>`).length - 1).toBe(1);
+  });
+
   test("escapes hostile content in username and vault name", () => {
     // Defense-in-depth: usernames pass validateUsername (lowercase alnum
     // + `_-`), so HTML metacharacters won't normally make it through. But
@@ -127,7 +150,7 @@ describe("renderAccountHome", () => {
     // escape is load-bearing if the validator ever loosens.
     const html = renderAccountHome({
       username: "<script>",
-      assignedVault: "<vault>",
+      assignedVaults: ["<vault>"],
       passwordChanged: true,
       hubOrigin: HUB_ORIGIN,
       isFirstAdmin: false,

package/src/__tests__/admin-vault-admin-token.test.ts

@@ -160,7 +160,7 @@ describe("handleVaultAdminToken", () => {
     // whole reason this gate exists.
     await createUser(harness.db, "operator", "hunter2-admin");
     const friend = await createUser(harness.db, "friend", "hunter2-friend", {
-      assignedVault: "work",
+      assignedVaults: ["work"],
       allowMulti: true,
     });
     const session = createSession(harness.db, { userId: friend.id });
@@ -182,7 +182,7 @@ describe("handleVaultAdminToken", () => {
     // happy path when there are friends in the DB.
     const admin = await createUser(harness.db, "operator", "hunter2-admin");
     await createUser(harness.db, "friend", "hunter2-friend", {
-      assignedVault: "work",
+      assignedVaults: ["work"],
       allowMulti: true,
     });
     const session = createSession(harness.db, { userId: admin.id });

package/src/__tests__/api-account.test.ts

@@ -757,7 +757,7 @@ describe("handleAccountHomeGet", () => {
     const friend = await createUser(harness.db, "alice", "alice-passphrase", {
       allowMulti: true,
       passwordChanged: true,
-      assignedVault: "alice",
+      assignedVaults: ["alice"],
     });
     const session = createSession(harness.db, { userId: friend.id });
     const cookie = buildSessionCookie(session.id, Math.floor(SESSION_TTL_MS / 1000));
@@ -774,7 +774,7 @@ describe("handleAccountHomeGet", () => {
     expect(html).toContain(`https://notes.parachute.computer/add?url=${encoded}`);
   });
 
-  test("200 + admin branch when the first-admin signs in (assignedVault=null)", async () => {
+  test("200 + admin branch when the first-admin signs in (no vault assignments)", async () => {
     // The first-created user with no vault pin is the admin posture.
     const admin = await createUser(harness.db, "admin", "admin-passphrase", {
       passwordChanged: true,

package/src/__tests__/api-modules-ops.test.ts

@@ -126,6 +126,19 @@ function alwaysOkRun(): {
   };
 }
 
+/**
+ * Test default for `isLinked`: assume the package is NOT bun-linked so
+ * `runInstall` exercises the `bun add -g` path (which the stubbed runner
+ * captures into `calls`). The production default at
+ * `src/bun-link.ts` reads the contributor's real `~/.bun/install/global/`
+ * symlinks; on Aaron's machine vault/scribe/notes/hub are all linked
+ * (the canonical local-dev shape — smoke 2026-05-27 finding 1 caps the
+ * fix). Tests asserting "bun add WAS called" must opt out of that leakage
+ * by passing this stub. Tests specifically exercising the skip path use
+ * an inline `isLinked: () => true` or a per-pkg discriminator.
+ */
+const TEST_DEFAULT_NOT_LINKED = (_pkg: string): boolean => false;
+
 describe("parseModulesPath", () => {
   test("recognizes curated short + action", () => {
     expect(parseModulesPath("/api/modules/vault/install")).toEqual({
@@ -231,6 +244,7 @@ describe("POST /api/modules/:short/install", () => {
         configDir: h.dir,
         supervisor,
         run,
+        isLinked: TEST_DEFAULT_NOT_LINKED,
       },
     );
     expect(res.status).toBe(202);
@@ -280,6 +294,7 @@ describe("POST /api/modules/:short/install", () => {
         configDir: h.dir,
         supervisor,
         run,
+        isLinked: TEST_DEFAULT_NOT_LINKED,
       },
     );
     expect(res.status).toBe(202);
@@ -301,6 +316,7 @@ describe("POST /api/modules/:short/install", () => {
         configDir: h.dir,
         supervisor,
         run,
+        isLinked: TEST_DEFAULT_NOT_LINKED,
       },
     );
     const op = (await opRes.json()) as { status: string };
@@ -324,6 +340,7 @@ describe("POST /api/modules/:short/install", () => {
         configDir: h.dir,
         supervisor,
         run,
+        isLinked: TEST_DEFAULT_NOT_LINKED,
       },
     );
     expect(res.status).toBe(202);
@@ -348,6 +365,7 @@ describe("POST /api/modules/:short/install", () => {
         configDir: h.dir,
         supervisor,
         run,
+        isLinked: TEST_DEFAULT_NOT_LINKED,
       },
     );
     await new Promise((r) => setTimeout(r, 10));
@@ -379,6 +397,7 @@ describe("POST /api/modules/:short/install", () => {
         configDir: h.dir,
         supervisor,
         run,
+        isLinked: TEST_DEFAULT_NOT_LINKED,
       },
     );
     expect(res.status).toBe(202);
@@ -406,6 +425,7 @@ describe("POST /api/modules/:short/install", () => {
         configDir: h.dir,
         supervisor,
         run,
+        isLinked: TEST_DEFAULT_NOT_LINKED,
       },
     );
     await new Promise((r) => setTimeout(r, 10));
@@ -433,6 +453,7 @@ describe("POST /api/modules/:short/install", () => {
         configDir: h.dir,
         supervisor,
         run,
+        isLinked: TEST_DEFAULT_NOT_LINKED,
       },
     );
     expect(res.status).toBe(400);
@@ -458,6 +479,7 @@ describe("POST /api/modules/:short/install", () => {
         configDir: h.dir,
         supervisor,
         run,
+        isLinked: TEST_DEFAULT_NOT_LINKED,
       },
     );
     await new Promise((r) => setTimeout(r, 10));
@@ -487,6 +509,7 @@ describe("POST /api/modules/:short/install", () => {
           configDir: h.dir,
           supervisor,
           run,
+          isLinked: TEST_DEFAULT_NOT_LINKED,
         },
       );
       await new Promise((r) => setTimeout(r, 10));
@@ -524,6 +547,7 @@ describe("POST /api/modules/:short/install", () => {
           configDir: h.dir,
           supervisor,
           run,
+          isLinked: TEST_DEFAULT_NOT_LINKED,
         },
       );
       await new Promise((r) => setTimeout(r, 10));
@@ -557,6 +581,7 @@ describe("POST /api/modules/:short/install", () => {
           configDir: h.dir,
           supervisor,
           run,
+          isLinked: TEST_DEFAULT_NOT_LINKED,
         },
       );
       expect(res.status).toBe(202);
@@ -583,6 +608,7 @@ describe("POST /api/modules/:short/install", () => {
       supervisor,
       run: async () => 1,
       findGlobalInstall: () => null,
+      isLinked: TEST_DEFAULT_NOT_LINKED,
     };
     const res = await handleInstall(
       postReq("/api/modules/vault/install", { authorization: `Bearer ${bearer}` }),
@@ -602,6 +628,71 @@ describe("POST /api/modules/:short/install", () => {
     expect(op.status).toBe("failed");
     expect(op.error).toMatch(/bun add -g exited 1/);
   });
+
+  test("skips bun add -g when package is already bun-linked (smoke 2026-05-27 finding 1)", async () => {
+    // Smoke finding 1: the wizard's parallel install path was unconditionally
+    // invoking `bun add -g <pkg>` even when the package was already linked
+    // via `bun link <abspath>` (the standard local-dev shape). At best a
+    // wasted ~3s npm round-trip per install; at worst the global bun.lock
+    // had unrelated noise and the install failed outright, taking the
+    // wizard's vault step with it. Fix: mirror the CLI install path's
+    // `isLinked` short-circuit. Regression guard.
+    const { supervisor, spawns } = makeIdleSupervisor();
+    const { run, calls } = alwaysOkRun();
+    const bearer = await mintBearer(h, [API_MODULES_OPS_REQUIRED_SCOPE]);
+    const res = await handleInstall(
+      postReq("/api/modules/vault/install", { authorization: `Bearer ${bearer}` }),
+      "vault",
+      {
+        db: h.db,
+        issuer: ISSUER,
+        manifestPath: h.manifestPath,
+        configDir: h.dir,
+        supervisor,
+        run,
+        // The bug shape: package IS linked locally. Without the
+        // short-circuit, runInstall would still call bun add -g.
+        isLinked: (pkg) => pkg === "@openparachute/vault",
+      },
+    );
+    expect(res.status).toBe(202);
+    await new Promise((r) => setTimeout(r, 10));
+
+    // The fix: bun add -g was NOT invoked for the linked package.
+    expect(calls).not.toContainEqual(["bun", "add", "-g", "@openparachute/vault@latest"]);
+    // Downstream of the skip, the seed + spawn still happen — the install
+    // op completes successfully against the locally-linked checkout.
+    const manifest = JSON.parse(readFileSync(h.manifestPath, "utf8")) as {
+      services: Array<{ name: string }>;
+    };
+    expect(manifest.services.some((s) => s.name === "parachute-vault")).toBe(true);
+    expect(spawns.find((s) => s.short === "vault")?.cmd).toEqual(["parachute-vault", "serve"]);
+  });
+
+  test("still runs bun add -g when package is NOT bun-linked", async () => {
+    // Companion to the above — confirms the short-circuit doesn't
+    // unconditionally skip. On a friend's fresh machine (no bun link),
+    // bun add -g IS what installs the package from npm. `isLinked: () => false`
+    // is the production default behavior for a non-linked package.
+    const { supervisor } = makeIdleSupervisor();
+    const { run, calls } = alwaysOkRun();
+    const bearer = await mintBearer(h, [API_MODULES_OPS_REQUIRED_SCOPE]);
+    await handleInstall(
+      postReq("/api/modules/vault/install", { authorization: `Bearer ${bearer}` }),
+      "vault",
+      {
+        db: h.db,
+        issuer: ISSUER,
+        manifestPath: h.manifestPath,
+        configDir: h.dir,
+        supervisor,
+        run,
+        isLinked: () => false,
+      },
+    );
+    await new Promise((r) => setTimeout(r, 10));
+    expect(calls).toContainEqual(["bun", "add", "-g", "@openparachute/vault@latest"]);
+  });
 });
 
 describe("POST /api/modules/:short/restart", () => {
@@ -682,6 +773,7 @@ describe("POST /api/modules/:short/upgrade", () => {
         configDir: h.dir,
         supervisor,
         run,
+        isLinked: TEST_DEFAULT_NOT_LINKED,
       },
     );
     expect(res.status).toBe(202);
@@ -706,6 +798,7 @@ describe("POST /api/modules/:short/upgrade", () => {
         configDir: h.dir,
         supervisor,
         run,
+        isLinked: TEST_DEFAULT_NOT_LINKED,
       },
     );
     expect(res.status).toBe(202);
@@ -736,6 +829,7 @@ describe("POST /api/modules/:short/upgrade", () => {
           configDir: h.dir,
           supervisor,
           run,
+          isLinked: TEST_DEFAULT_NOT_LINKED,
         },
       );
       await new Promise((r) => setTimeout(r, 10));
@@ -846,6 +940,7 @@ describe("POST /api/modules/:short/uninstall", () => {
         configDir: h.dir,
         supervisor,
         run,
+        isLinked: TEST_DEFAULT_NOT_LINKED,
       },
     );
     expect(res.status).toBe(200);
@@ -878,6 +973,7 @@ describe("POST /api/modules/:short/uninstall", () => {
         configDir: h.dir,
         supervisor,
         run,
+        isLinked: TEST_DEFAULT_NOT_LINKED,
       },
     );
     expect(res.status).toBe(200);
@@ -1099,6 +1195,7 @@ describe("well-known regen after module ops", () => {
       supervisor,
       run: async () => 1,
       findGlobalInstall: () => null,
+      isLinked: TEST_DEFAULT_NOT_LINKED,
       wellKnownPath: wkPath,
     };
     const res = await handleInstall(

package/src/__tests__/api-users.test.ts

@@ -31,6 +31,7 @@ import {
   handleListUsers,
   handleListVaults,
   handleResetUserPassword,
+  handleUpdateUserVaults,
 } from "../api-users.ts";
 import { hubDbPath, openHubDb } from "../hub-db.ts";
 import { findTokenRowByJti, recordTokenMint, signAccessToken } from "../jwt-sign.ts";
@@ -176,7 +177,7 @@ describe("handleListUsers", () => {
       expect(u).toHaveProperty("id");
       expect(u).toHaveProperty("username");
       expect(u).toHaveProperty("password_changed");
-      expect(u).toHaveProperty("assigned_vault");
+      expect(u).toHaveProperty("assigned_vaults");
       expect(u).toHaveProperty("created_at");
     }
   });
@@ -220,13 +221,13 @@ describe("handleCreateUser", () => {
     const res = await post(bearer, {
       username: "alice",
       password: "alice-strong-passphrase",
-      assignedVault: null,
+      assignedVaults: [],
     });
     expect(res.status).toBe(201);
     const body = (await res.json()) as { user: Record<string, unknown> };
     expect(body.user.username).toBe("alice");
     expect(body.user.password_changed).toBe(false);
-    expect(body.user.assigned_vault).toBeNull();
+    expect(body.user.assigned_vaults).toEqual([]);
     expect(body.user).not.toHaveProperty("password_hash");
   });
 
@@ -331,9 +332,9 @@ describe("handleCreateUser", () => {
     const stamp = "2026-05-20T00:00:00.000Z";
     harness.db
       .prepare(
-        "INSERT INTO users (id, username, password_hash, created_at, updated_at, password_changed, assigned_vault) VALUES (?, ?, ?, ?, ?, ?, ?)",
+        "INSERT INTO users (id, username, password_hash, created_at, updated_at, password_changed) VALUES (?, ?, ?, ?, ?, ?)",
       )
-      .run("legacy-id", "Alice", "$argon2id$fake", stamp, stamp, 1, null);
+      .run("legacy-id", "Alice", "$argon2id$fake", stamp, stamp, 1);
     const { bearer } = await makeAdminBearer();
     const res = await post(bearer, {
       username: "alice",
@@ -349,25 +350,55 @@ describe("handleCreateUser", () => {
     const res = await post(bearer, {
       username: "alice",
       password: "alice-strong-passphrase",
-      assignedVault: "ghost-vault",
+      assignedVaults: ["ghost-vault"],
     });
     expect(res.status).toBe(400);
     const body = (await res.json()) as { error: string };
     expect(body.error).toBe("assigned_vault_not_found");
   });
 
-  test("happy path with assigned_vault that exists in services.json", async () => {
+  test("happy path with single assigned_vaults that exists in services.json", async () => {
     harness.cleanup();
     harness = makeHarness(manifestWithVaults("home"));
     const { bearer } = await makeAdminBearer();
     const res = await post(bearer, {
       username: "alice",
       password: "alice-strong-passphrase",
-      assignedVault: "home",
+      assignedVaults: ["home"],
     });
     expect(res.status).toBe(201);
     const body = (await res.json()) as { user: Record<string, unknown> };
-    expect(body.user.assigned_vault).toBe("home");
+    expect(body.user.assigned_vaults).toEqual(["home"]);
+  });
+
+  test("happy path with multiple assigned_vaults (Phase 2 PR 2)", async () => {
+    harness.cleanup();
+    harness = makeHarness(manifestWithVaults("personal", "family"));
+    const { bearer } = await makeAdminBearer();
+    const res = await post(bearer, {
+      username: "alice",
+      password: "alice-strong-passphrase",
+      assignedVaults: ["personal", "family"],
+    });
+    expect(res.status).toBe(201);
+    const body = (await res.json()) as { user: Record<string, unknown> };
+    const list = body.user.assigned_vaults as string[];
+    expect(new Set(list)).toEqual(new Set(["personal", "family"]));
+  });
+
+  test("400 assigned_vault_not_found when ANY vault in the array is unknown", async () => {
+    harness.cleanup();
+    harness = makeHarness(manifestWithVaults("home"));
+    const { bearer } = await makeAdminBearer();
+    const res = await post(bearer, {
+      username: "alice",
+      password: "alice-strong-passphrase",
+      assignedVaults: ["home", "ghost"],
+    });
+    expect(res.status).toBe(400);
+    const body = (await res.json()) as { error: string; error_description: string };
+    expect(body.error).toBe("assigned_vault_not_found");
+    expect(body.error_description).toContain("ghost");
   });
 });
 
@@ -632,6 +663,30 @@ describe("handleResetUserPassword", () => {
     expect(await verifyPassword(fresh!, "alice-strong-passphrase")).toBe(false);
   });
 
+  test("response body includes revocation_lag_seconds = 60 so clients can surface the propagation lag (smoke 2026-05-27 finding 3)", async () => {
+    // Resource servers cache the revocation list via scope-guard's
+    // REVOCATION_CACHE_TTL_MS = 60_000 — so even though hub marks the
+    // user's tokens revoked immediately and publishes them on the
+    // revocation list, vault/scribe/etc. may keep accepting the
+    // revoked token for up to 60 seconds. For the stolen-device
+    // recovery threat model that's a meaningful exposure window
+    // the admin needs to know about. Surface the lag in the
+    // response body so the SPA's success banner can warn operators.
+    const { bearer } = await makeAdminBearer();
+    const friend = await createUser(harness.db, "alice", "alice-strong-passphrase", {
+      allowMulti: true,
+      passwordChanged: true,
+    });
+    const res = await post(bearer, friend.id, { new_password: "new-temp-passphrase" });
+    expect(res.status).toBe(200);
+    const body = (await res.json()) as {
+      ok: boolean;
+      user: unknown;
+      revocation_lag_seconds: number;
+    };
+    expect(body.revocation_lag_seconds).toBe(60);
+  });
+
   test("revokes the friend's existing tokens (pre-reset token row has revoked_at after)", async () => {
     const { bearer } = await makeAdminBearer();
     const friend = await createUser(harness.db, "alice", "alice-strong-passphrase", {
@@ -710,3 +765,130 @@ describe("handleListVaults", () => {
     expect(body.vaults).toEqual(["home", "scratch", "work"]);
   });
 });
+
+// ---------------------------------------------------------------------------
+// PATCH /api/users/:id/vaults — edit vault assignments (Phase 2 PR 2)
+// ---------------------------------------------------------------------------
+
+describe("handleUpdateUserVaults", () => {
+  async function patch(
+    bearer: string,
+    userId: string,
+    body: Record<string, unknown> | string,
+    headers: Record<string, string> = {},
+  ): Promise<Response> {
+    const init: RequestInit = {
+      method: "PATCH",
+      headers: {
+        "content-type": "application/json",
+        authorization: `Bearer ${bearer}`,
+        ...headers,
+      },
+      body: typeof body === "string" ? body : JSON.stringify(body),
+    };
+    return await handleUpdateUserVaults(req(`/api/users/${userId}/vaults`, init), userId, deps());
+  }
+
+  test("401 with no Authorization header", async () => {
+    const res = await handleUpdateUserVaults(
+      req("/api/users/some-id/vaults", {
+        method: "PATCH",
+        headers: { "content-type": "application/json" },
+        body: JSON.stringify({ assigned_vaults: [] }),
+      }),
+      "some-id",
+      deps(),
+    );
+    expect(res.status).toBe(401);
+  });
+
+  test("405 on non-PATCH", async () => {
+    const { bearer } = await makeAdminBearer();
+    const res = await handleUpdateUserVaults(
+      withBearer("/api/users/x/vaults", bearer, { method: "POST" }),
+      "x",
+      deps(),
+    );
+    expect(res.status).toBe(405);
+  });
+
+  test("404 when target user does not exist", async () => {
+    const { bearer } = await makeAdminBearer();
+    const res = await patch(bearer, "no-such-id", { assigned_vaults: [] });
+    expect(res.status).toBe(404);
+  });
+
+  test("403 cannot_edit_first_admin_vaults for the first admin", async () => {
+    // The bearer-minting helper creates the first admin already; mint
+    // again returns the same admin's id.
+    const { bearer, userId } = await makeAdminBearer();
+    const res = await patch(bearer, userId, { assigned_vaults: ["home"] });
+    expect(res.status).toBe(403);
+    const body = (await res.json()) as { error: string };
+    expect(body.error).toBe("cannot_edit_first_admin_vaults");
+  });
+
+  test("400 when assigned_vaults is missing", async () => {
+    const { bearer } = await makeAdminBearer();
+    const friend = await createUser(harness.db, "alice", "alice-strong-passphrase", {
+      allowMulti: true,
+    });
+    const res = await patch(bearer, friend.id, {});
+    expect(res.status).toBe(400);
+  });
+
+  test("400 when assigned_vaults entry is not a string", async () => {
+    const { bearer } = await makeAdminBearer();
+    const friend = await createUser(harness.db, "alice", "alice-strong-passphrase", {
+      allowMulti: true,
+    });
+    const res = await patch(bearer, friend.id, { assigned_vaults: ["ok", 7] });
+    expect(res.status).toBe(400);
+  });
+
+  test("400 assigned_vault_not_found when a vault doesn't exist in services.json", async () => {
+    harness.cleanup();
+    harness = makeHarness(manifestWithVaults("home"));
+    const { bearer } = await makeAdminBearer();
+    const friend = await createUser(harness.db, "alice", "alice-strong-passphrase", {
+      allowMulti: true,
+    });
+    const res = await patch(bearer, friend.id, { assigned_vaults: ["home", "ghost"] });
+    expect(res.status).toBe(400);
+    const body = (await res.json()) as { error: string };
+    expect(body.error).toBe("assigned_vault_not_found");
+  });
+
+  test("happy path — replaces the user's vault list and bumps updated_at", async () => {
+    harness.cleanup();
+    harness = makeHarness(manifestWithVaults("home", "work", "family"));
+    const { bearer } = await makeAdminBearer();
+    const friend = await createUser(harness.db, "alice", "alice-strong-passphrase", {
+      allowMulti: true,
+      assignedVaults: ["home"],
+    });
+    const res = await patch(bearer, friend.id, { assigned_vaults: ["work", "family"] });
+    expect(res.status).toBe(200);
+    const body = (await res.json()) as {
+      ok: boolean;
+      user: { id: string; assigned_vaults: string[]; updated_at: string };
+    };
+    expect(body.ok).toBe(true);
+    expect(new Set(body.user.assigned_vaults)).toEqual(new Set(["work", "family"]));
+    expect(body.user.assigned_vaults).not.toContain("home");
+  });
+
+  test("empty array clears every assignment", async () => {
+    harness.cleanup();
+    harness = makeHarness(manifestWithVaults("home", "work"));
+    const { bearer } = await makeAdminBearer();
+    const friend = await createUser(harness.db, "alice", "alice-strong-passphrase", {
+      allowMulti: true,
+      assignedVaults: ["home", "work"],
+    });
+    const res = await patch(bearer, friend.id, { assigned_vaults: [] });
+    expect(res.status).toBe(200);
+    const fresh = getUserById(harness.db, friend.id);
+    expect(fresh?.assignedVaults).toEqual([]);
+  });
+});