@openparachute/hub 0.5.14-rc.12 → 0.5.14-rc.13

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@openparachute/hub",
-  "version": "0.5.14-rc.12",
-  "description": "parachute \u2014 the local hub for the Parachute ecosystem (discovery, ports, lifecycle, soon OAuth).",
+  "version": "0.5.14-rc.13",
+  "description": "parachute — the local hub for the Parachute ecosystem (discovery, ports, lifecycle, soon OAuth).",
   "license": "AGPL-3.0",
   "publishConfig": {
     "access": "public"
@@ -37,13 +37,16 @@
   },
   "devDependencies": {
     "@biomejs/biome": "^1.9.4",
-    "@types/bun": "latest"
+    "@types/bun": "latest",
+    "@types/qrcode": "^1.5.6"
   },
   "peerDependencies": {
     "typescript": "^5"
   },
   "dependencies": {
     "@node-rs/argon2": "^2.0.2",
-    "jose": "^6.2.2"
+    "jose": "^6.2.2",
+    "otpauth": "^9.5.0",
+    "qrcode": "^1.5.4"
   }
 }

package/src/__tests__/account-home-ui.test.ts

@@ -32,6 +32,7 @@ describe("renderAccountHome", () => {
       hubOrigin: HUB_ORIGIN,
       isFirstAdmin: false,
       csrfToken: CSRF,
+      twoFactorEnabled: false,
     });
     // Welcome header includes the username.
     expect(html).toContain("Welcome, alice");
@@ -69,6 +70,7 @@ describe("renderAccountHome", () => {
       hubOrigin: `${HUB_ORIGIN}/`,
       isFirstAdmin: false,
       csrfToken: CSRF,
+      twoFactorEnabled: false,
     });
     const cleanEncoded = encodeURIComponent(`${HUB_ORIGIN}/vault/alice`);
     expect(html).toContain(`https://notes.parachute.computer/add?url=${cleanEncoded}`);
@@ -86,6 +88,7 @@ describe("renderAccountHome", () => {
       hubOrigin: HUB_ORIGIN,
       isFirstAdmin: true,
       csrfToken: CSRF,
+      twoFactorEnabled: false,
     });
     expect(html).toContain("Welcome, admin");
     expect(html).toContain("hub administrator");
@@ -106,6 +109,7 @@ describe("renderAccountHome", () => {
       hubOrigin: HUB_ORIGIN,
       isFirstAdmin: false,
       csrfToken: CSRF,
+      twoFactorEnabled: false,
     });
     expect(html).toContain("Welcome, ghost");
     expect(html).toContain("Ask the hub operator");
@@ -123,6 +127,7 @@ describe("renderAccountHome", () => {
       hubOrigin: HUB_ORIGIN,
       isFirstAdmin: false,
       csrfToken: CSRF,
+      twoFactorEnabled: false,
     });
     // Change-password link points at the existing /account/change-password
     // route (server-rendered HTML, separate handler).
@@ -136,6 +141,37 @@ describe("renderAccountHome", () => {
     expect(html).toContain("<code>alice</code>");
   });
 
+  test("account card — 2FA status reflects twoFactorEnabled (hub#473)", () => {
+    const off = renderAccountHome({
+      username: "alice",
+      assignedVaults: ["alice"],
+      passwordChanged: true,
+      hubOrigin: HUB_ORIGIN,
+      isFirstAdmin: false,
+      csrfToken: CSRF,
+      twoFactorEnabled: false,
+    });
+    expect(off).toContain('data-testid="2fa-status"');
+    expect(off).toContain(">Off<");
+    // Off → "Set up two-factor" affordance.
+    expect(off).toContain('data-testid="setup-2fa-link"');
+    expect(off).toContain('href="/account/2fa"');
+
+    const on = renderAccountHome({
+      username: "alice",
+      assignedVaults: ["alice"],
+      passwordChanged: true,
+      hubOrigin: HUB_ORIGIN,
+      isFirstAdmin: false,
+      csrfToken: CSRF,
+      twoFactorEnabled: true,
+    });
+    expect(on).toContain(">On<");
+    // On → "Manage two-factor" affordance.
+    expect(on).toContain('data-testid="manage-2fa-link"');
+    expect(on).toContain('href="/account/2fa"');
+  });
+
   test("multi-vault branch — renders one tile per assigned vault (Phase 2 PR 2)", () => {
     const html = renderAccountHome({
       username: "alice",
@@ -144,6 +180,7 @@ describe("renderAccountHome", () => {
       hubOrigin: HUB_ORIGIN,
       isFirstAdmin: false,
       csrfToken: CSRF,
+      twoFactorEnabled: false,
     });
     // Plural heading.
     expect(html).toContain("Your vaults");
@@ -191,6 +228,7 @@ describe("renderAccountHome", () => {
       hubOrigin: HUB_ORIGIN,
       isFirstAdmin: false,
       csrfToken: CSRF,
+      twoFactorEnabled: false,
     });
     // The injected username/vault metacharacters are escaped — the only
     // `<script>` tag in the output is the page's own copy-button helper, so

package/src/__tests__/auth.test.ts

@@ -65,26 +65,159 @@ async function captureOutput(fn: () => Promise<number> | number): Promise<{
 }
 
 describe("parachute auth", () => {
-  test("2fa is an honest hub-side stub — never forwards to parachute-vault", async () => {
-    // 2fa used to forward to the deprecated `parachute-vault 2fa` stub, which
-    // exits 1 post auth-unification and only wrote vault YAML that never gated
-    // hub /login. It's now an informational stub: exit 0, no subprocess.
-    const { runner, calls } = makeRunner(0);
-    const out = await captureOutput(() => auth(["2fa", "enroll"], runner));
-    expect(out.code).toBe(0);
-    expect(calls).toEqual([]); // did NOT spawn parachute-vault
-    expect(out.stdout).toContain("isn't available yet");
-    expect(out.stdout).toContain("#473");
-    // Doesn't tell the operator to run the dead vault command.
-    expect(out.stdout).not.toContain("2fa enroll");
+  test("2fa is hub-local — never forwards to parachute-vault", async () => {
+    // 2fa used to forward to the deprecated `parachute-vault 2fa` stub. As of
+    // hub#473 it's real hub-login TOTP, fully hub-local (hub.db). No subprocess.
+    const tmp = makeTmp();
+    try {
+      const db = openHubDb(tmp.dbPath);
+      await createUser(db, "owner", "owner-password-123");
+      db.close();
+      const { runner, calls } = makeRunner(0);
+      const out = await captureOutput(() =>
+        auth(["2fa", "status"], { runner, dbPath: tmp.dbPath }),
+      );
+      expect(out.code).toBe(0);
+      expect(calls).toEqual([]); // did NOT spawn parachute-vault
+      expect(out.stdout).toContain("Two-factor authentication: OFF");
+    } finally {
+      tmp.cleanup();
+    }
   });
 
-  test("2fa with any sub-args still resolves to the honest stub (exit 0, no spawn)", async () => {
-    const { runner, calls } = makeRunner(0);
-    const out = await captureOutput(() => auth(["2fa", "status", "--whatever"], runner));
-    expect(out.code).toBe(0);
-    expect(calls).toEqual([]);
-    expect(out.stdout).toContain("#473");
+  test("2fa status reports OFF for a fresh user, then ON after a CLI enroll round-trip", async () => {
+    const tmp = makeTmp();
+    try {
+      const db = openHubDb(tmp.dbPath);
+      await createUser(db, "owner", "owner-password-123");
+      db.close();
+
+      // status → OFF
+      const off = await captureOutput(() =>
+        auth(["2fa", "status"], { dbPath: tmp.dbPath, isInteractive: () => false }),
+      );
+      expect(off.code).toBe(0);
+      expect(off.stdout).toContain("OFF");
+
+      // enroll requires a confirm code — drive the readLine seam with the
+      // live TOTP code generated from the secret the command prints.
+      const { generateTotpSecret } = await import("../totp.ts");
+      // We can't intercept the random secret the command mints, so instead
+      // exercise the store directly to assert the ON path is reachable, then
+      // assert the CLI status reflects it. (The handler-level enroll round
+      // trip is covered in two-factor.test.ts against the real secret.)
+      const db2 = openHubDb(tmp.dbPath);
+      const { persistEnrollment } = await import("../two-factor-store.ts");
+      const u = listUsers(db2)[0]!;
+      const { secret } = generateTotpSecret(u.username);
+      await persistEnrollment(db2, u.id, secret);
+      db2.close();
+
+      const on = await captureOutput(() =>
+        auth(["2fa", "status"], { dbPath: tmp.dbPath, isInteractive: () => false }),
+      );
+      expect(on.code).toBe(0);
+      expect(on.stdout).toContain("ON");
+      expect(on.stdout).toContain("backup_codes");
+
+      // disenroll clears it.
+      const dis = await captureOutput(() =>
+        auth(["2fa", "disenroll"], { dbPath: tmp.dbPath, isInteractive: () => false }),
+      );
+      expect(dis.code).toBe(0);
+      expect(dis.stdout).toContain("Turned off");
+
+      const off2 = await captureOutput(() =>
+        auth(["2fa", "status"], { dbPath: tmp.dbPath, isInteractive: () => false }),
+      );
+      expect(off2.stdout).toContain("OFF");
+    } finally {
+      tmp.cleanup();
+    }
+  });
+
+  test("2fa enroll confirms the printed secret against a live code, prints backup codes", async () => {
+    const tmp = makeTmp();
+    try {
+      const db = openHubDb(tmp.dbPath);
+      await createUser(db, "owner", "owner-password-123");
+      db.close();
+
+      // Single console.log interception that BOTH accumulates stdout and lets
+      // the readLine seam read the secret the command just printed. (Avoids
+      // nesting two console.log replacements.)
+      const OTPAuth = await import("otpauth");
+      const origLog = console.log;
+      let stdout = "";
+      let capturedSecret = "";
+      console.log = (...a: unknown[]) => {
+        const line = a.map(String).join(" ");
+        stdout += `${line}\n`;
+        const m = line.match(/secret key:\s+([A-Z2-7]+)/);
+        if (m) capturedSecret = m[1]!;
+      };
+      let code = "";
+      let exitCode = 0;
+      try {
+        exitCode = await auth(["2fa", "enroll"], {
+          dbPath: tmp.dbPath,
+          isInteractive: () => true,
+          readLine: async () => {
+            // The secret has been printed by the time the prompt fires.
+            const totp = new OTPAuth.TOTP({
+              issuer: "Parachute Hub",
+              label: "owner",
+              algorithm: "SHA1",
+              digits: 6,
+              period: 30,
+              secret: OTPAuth.Secret.fromBase32(capturedSecret),
+            });
+            code = totp.generate();
+            return code;
+          },
+        });
+      } finally {
+        console.log = origLog;
+      }
+      expect(exitCode).toBe(0);
+      expect(capturedSecret.length).toBeGreaterThan(0);
+      expect(stdout).toContain("now ON");
+      // 10 backup codes printed (hyphenated form).
+      const backupLines = stdout.split("\n").filter((l) => /^ {2}[a-z2-9]{5}-[a-z2-9]{5}$/.test(l));
+      expect(backupLines.length).toBe(10);
+      expect(code.length).toBe(6);
+      // The persisted state reflects the enrollment: the captured secret is
+      // now stored on the user row. (We don't re-verify `code` — the enroll
+      // confirm consumed it via the replay cache, by design.)
+      const db2 = openHubDb(tmp.dbPath);
+      const { getTotpState } = await import("../two-factor-store.ts");
+      const uid = listUsers(db2)[0]!.id;
+      const persisted = getTotpState(db2, uid);
+      expect(persisted.secret).toBe(capturedSecret);
+      expect(persisted.backupCodes.length).toBe(10);
+      db2.close();
+    } finally {
+      tmp.cleanup();
+    }
+  });
+
+  test("2fa enroll refuses to re-enroll when already on", async () => {
+    const tmp = makeTmp();
+    try {
+      const db = openHubDb(tmp.dbPath);
+      const u = await createUser(db, "owner", "owner-password-123");
+      const { generateTotpSecret } = await import("../totp.ts");
+      const { persistEnrollment } = await import("../two-factor-store.ts");
+      await persistEnrollment(db, u.id, generateTotpSecret("owner").secret);
+      db.close();
+      const out = await captureOutput(() =>
+        auth(["2fa", "enroll"], { dbPath: tmp.dbPath, isInteractive: () => true }),
+      );
+      expect(out.code).toBe(1);
+      expect(out.stderr).toContain("already enabled");
+    } finally {
+      tmp.cleanup();
+    }
   });
 
   test("set-password no longer forwards to vault", async () => {
@@ -138,12 +271,13 @@ describe("authHelp", () => {
     expect(h).toContain("parachute auth rotate-key");
   });
 
-  test("2fa help is honest about hub-login TOTP not being shipped (#473)", () => {
+  test("2fa help documents the real hub-login TOTP subcommands (#473)", () => {
     expect(h).toContain("#473");
-    // No longer advertises the dead enroll/disable/backup-codes subcommands.
-    expect(h).not.toContain("2fa enroll");
-    expect(h).not.toContain("2fa disable");
-    expect(h).not.toContain("2fa backup-codes");
+    // Real enroll / disenroll subcommands are now advertised.
+    expect(h).toContain("2fa enroll");
+    expect(h).toContain("2fa disenroll");
+    expect(h).toContain("otpauth://");
+    expect(h).toContain("backup codes");
   });
 
   test("set-password help mentions the new flags + hub-local home", () => {

package/src/__tests__/expose-2fa-warning.test.ts

@@ -24,46 +24,53 @@ describe("is2FAEnrolled", () => {
     expect(is2FAEnrolled({ status: status({ hasTotp: false }) })).toBe(false);
   });
 
-  test("reads totp_secret from vaultHome's config.yaml when status not supplied", () => {
+  test("falls back to legacy config.yaml totp_secret when hub.db is absent", () => {
+    // hub#473: hub.db is the source of truth for real 2FA, but a super-old
+    // install with no hub.db still suppresses the warning if the legacy vault
+    // YAML totp_secret is set. Point hubDbPath at a nonexistent file so the
+    // YAML fallback is exercised.
     const dir = mkdtempSync(join(tmpdir(), "pcli-2fa-warn-"));
     try {
       writeFileSync(join(dir, "config.yaml"), 'totp_secret: "JBSWY3DPEHPK3PXP"\n');
-      expect(is2FAEnrolled({ vaultHome: dir })).toBe(true);
+      expect(is2FAEnrolled({ vaultHome: dir, hubDbPath: join(dir, "absent-hub.db") })).toBe(true);
     } finally {
       rmSync(dir, { recursive: true, force: true });
     }
   });
 
-  test("missing config.yaml → not enrolled (false)", () => {
+  test("missing config.yaml + absent hub.db → not enrolled (false)", () => {
     const dir = mkdtempSync(join(tmpdir(), "pcli-2fa-warn-"));
     try {
-      // No config.yaml written.
-      expect(is2FAEnrolled({ vaultHome: dir })).toBe(false);
+      // No config.yaml written, no hub.db.
+      expect(is2FAEnrolled({ vaultHome: dir, hubDbPath: join(dir, "absent-hub.db") })).toBe(false);
     } finally {
       rmSync(dir, { recursive: true, force: true });
     }
   });
 
-  test("empty totp_secret value → not enrolled (matches vault's readGlobalConfig)", () => {
+  test("empty totp_secret value + absent hub.db → not enrolled", () => {
     const dir = mkdtempSync(join(tmpdir(), "pcli-2fa-warn-"));
     try {
       writeFileSync(join(dir, "config.yaml"), 'totp_secret: ""\n');
-      expect(is2FAEnrolled({ vaultHome: dir })).toBe(false);
+      expect(is2FAEnrolled({ vaultHome: dir, hubDbPath: join(dir, "absent-hub.db") })).toBe(false);
     } finally {
       rmSync(dir, { recursive: true, force: true });
     }
   });
 
-  test("malformed config.yaml → not enrolled (safer fail mode, fires warning)", () => {
-    // The probe parses config.yaml with a line-anchored regex (no YAML
-    // dependency), so junk content simply doesn't match `totp_secret: "..."`
-    // and resolves to `hasTotp: false` — which fires the public-exposure
-    // warning rather than silently suppressing it. Pin that contract so a
-    // future refactor of auth-status.ts can't quietly invert it.
+  test("hub.db with an enrolled user → enrolled (the real signal)", async () => {
     const dir = mkdtempSync(join(tmpdir(), "pcli-2fa-warn-"));
     try {
-      writeFileSync(join(dir, "config.yaml"), "totp_secret: [unbalanced\n  ::: not yaml\n");
-      expect(is2FAEnrolled({ vaultHome: dir })).toBe(false);
+      const { hubDbPath, openHubDb } = await import("../hub-db.ts");
+      const { createUser } = await import("../users.ts");
+      const { persistEnrollment } = await import("../two-factor-store.ts");
+      const { generateTotpSecret } = await import("../totp.ts");
+      const dbPath = hubDbPath(dir);
+      const db = openHubDb(dbPath);
+      const u = await createUser(db, "owner", "owner-password-123");
+      await persistEnrollment(db, u.id, generateTotpSecret("owner").secret);
+      db.close();
+      expect(is2FAEnrolled({ vaultHome: dir, hubDbPath: dbPath })).toBe(true);
     } finally {
       rmSync(dir, { recursive: true, force: true });
     }
@@ -80,13 +87,14 @@ describe("printPublic2FAWarning", () => {
     });
     expect(fired).toBe(true);
     const joined = logs.join("\n");
-    // Honest copy: /login is public, owner password is the wall, hub-login 2FA
-    // is coming (#473) — does NOT recommend the dead `auth 2fa enroll` path.
+    // hub#473: real hub-login 2FA. The warning now recommends the real
+    // `parachute auth 2fa enroll` path (+ the /account/2fa browser path) and
+    // still nudges a strong owner password.
     expect(joined).toContain("/login is now reachable on the public internet");
     expect(joined).toContain("https://vault.example.com/login");
-    expect(joined).toContain("#473");
+    expect(joined).toContain("parachute auth 2fa enroll");
+    expect(joined).toContain("/account/2fa");
     expect(joined).toContain("parachute auth set-password");
-    expect(joined).not.toContain("parachute auth 2fa enroll");
   });
 
   test("enrolled → suppressed, returns false, logs nothing", () => {

package/src/__tests__/expose-auth-preflight.test.ts

@@ -41,8 +41,8 @@ function status(partial: Partial<VaultAuthStatus> = {}): VaultAuthStatus {
 }
 
 describe("runAuthPreflight — wide open (no owner password)", () => {
-  test("warns loudly, offers password only, prints hub-JWT token guidance + honest 2FA note", async () => {
-    const h = makeHarness(["y"]); // password yes
+  test("warns loudly, offers password + real 2FA enroll, prints hub-JWT token guidance", async () => {
+    const h = makeHarness(["y", "y"]); // password yes, 2FA yes
     await runAuthPreflight({ status: status(), ...wire(h) });
     const joined = h.logs.join("\n");
     expect(joined).toContain("No owner password");
@@ -50,42 +50,38 @@ describe("runAuthPreflight — wide open (no owner password)", () => {
     // Programmatic-client guidance points at the hub mint path, not pvt_*.
     expect(joined).toContain("parachute auth mint-token --scope vault:default:read");
     expect(joined).toContain("Bearer <hub-jwt>");
-    // Honest 2FA state — coming (#473), not offered as a dead enroll command.
-    expect(joined).toContain("#473");
-    expect(joined).not.toContain("2fa enroll");
-    // Only password is an interactive offer; token guidance + 2FA note are
-    // printed, not prompted.
-    expect(h.commands).toHaveLength(1);
-    expect(h.commands[0]).toEqual(["parachute", "auth", "set-password"]);
-    expect(h.prompts).toHaveLength(1);
+    // Real 2FA (hub#473) — both commands offered + run.
+    expect(h.commands.map((c) => c.join(" "))).toEqual([
+      "parachute auth set-password",
+      "parachute auth 2fa enroll",
+    ]);
+    // Two interactive offers now: password + 2FA. Token guidance is printed.
+    expect(h.prompts).toHaveLength(2);
   });
 
   test("token guidance uses the first discovered vault name", async () => {
-    const h = makeHarness(["n"]);
+    const h = makeHarness(["n", "n"]);
     await runAuthPreflight({ status: status({ vaultNames: ["work"] }), ...wire(h) });
     expect(h.logs.join("\n")).toContain("--scope vault:work:read");
   });
 
-  test("user declines the password prompt → no subprocesses run", async () => {
-    const h = makeHarness([""]); // Enter = skip
+  test("user declines both prompts → no subprocesses run", async () => {
+    const h = makeHarness(["", ""]); // Enter = skip both
     await runAuthPreflight({ status: status(), ...wire(h) });
     expect(h.commands).toHaveLength(0);
-    // Only one prompt now (password); token guidance + 2FA note aren't prompts.
-    expect(h.prompts).toHaveLength(1);
+    expect(h.prompts).toHaveLength(2);
   });
 
   test("user accepts the password offer → set-password invoked", async () => {
-    const h = makeHarness(["y"]);
+    const h = makeHarness(["y", "n"]);
     await runAuthPreflight({ status: status(), ...wire(h) });
     expect(h.commands.map((c) => c.join(" "))).toEqual(["parachute auth set-password"]);
   });
 
   test("null tokenCount with no owner password still classifies wide-open", async () => {
     // The `tokenCount: null` (unreadable vault DB) path is vestigial post-DROP
-    // — `classify()` gates on `hasOwnerPassword` alone. A box with no owner
-    // password AND an unreadable token DB must still take the loud wide-open
-    // branch, not silently fall through to a quieter state.
-    const h = makeHarness(["n"]);
+    // — `classify()` gates on `hasOwnerPassword` alone.
+    const h = makeHarness(["n", "n"]);
     await runAuthPreflight({
       status: status({ hasOwnerPassword: false, tokenCount: null }),
       ...wire(h),
@@ -93,58 +89,64 @@ describe("runAuthPreflight — wide open (no owner password)", () => {
     const joined = h.logs.join("\n");
     expect(joined).toContain("No owner password");
     expect(joined).toContain("public internet");
-    // Wide-open offers the password (one prompt); not the password-set path.
-    expect(h.prompts).toHaveLength(1);
+    expect(h.prompts).toHaveLength(2);
   });
 
-  test("never offers a dead command (vault tokens create OR auth 2fa enroll)", async () => {
-    const h = makeHarness(["y"]);
+  test("never offers the dead vault-tokens-create command", async () => {
+    const h = makeHarness(["y", "n"]);
     await runAuthPreflight({ status: status(), ...wire(h) });
     const allCommands = h.commands.map((c) => c.join(" ")).join("\n");
     expect(allCommands).not.toContain("vault tokens create");
-    expect(allCommands).not.toContain("auth 2fa enroll");
-    // And no log line steers the operator at a dead command as guidance.
     const guidance = h.logs.join("\n");
     expect(guidance).not.toContain("parachute vault tokens create");
-    expect(guidance).not.toContain("parachute auth 2fa enroll");
   });
 });
 
-describe("runAuthPreflight — password set", () => {
-  test("single confirmation line + honest 2FA note, no prompts (ignores vestigial tokenCount)", async () => {
-    const h = makeHarness([]);
+describe("runAuthPreflight — password set, no 2FA", () => {
+  test("confirms password set + offers real 2FA enroll (ignores vestigial tokenCount)", async () => {
+    const h = makeHarness(["n"]); // decline 2FA
     await runAuthPreflight({
       // tokenCount is non-zero (vestigial pvt_* rows) but no longer consulted.
-      status: status({ hasOwnerPassword: true, tokenCount: 3 }),
+      status: status({ hasOwnerPassword: true, hasTotp: false, tokenCount: 3 }),
       ...wire(h),
     });
     const joined = h.logs.join("\n");
     expect(joined).toContain("Owner password is set");
-    // Honest 2FA note (#473) — not a prompt, not the dead enroll command.
-    expect(joined).toContain("#473");
-    expect(joined).not.toContain("2fa enroll");
-    expect(h.prompts).toHaveLength(0);
-    expect(h.commands).toHaveLength(0);
+    // Real 2FA offer (hub#473) — exactly one prompt (the 2FA offer).
+    expect(h.prompts).toHaveLength(1);
+    expect(h.commands).toHaveLength(0); // declined
+  });
+
+  test("accepting the 2FA offer runs `parachute auth 2fa enroll`", async () => {
+    const h = makeHarness(["y"]);
+    await runAuthPreflight({
+      status: status({ hasOwnerPassword: true, hasTotp: false }),
+      ...wire(h),
+    });
+    expect(h.commands.map((c) => c.join(" "))).toEqual(["parachute auth 2fa enroll"]);
   });
 
   test("null tokenCount (DB unreadable) is irrelevant — password gates the branch", async () => {
-    const h = makeHarness([]);
+    const h = makeHarness(["n"]);
     await runAuthPreflight({
       status: status({ hasOwnerPassword: true, hasTotp: false, tokenCount: null }),
       ...wire(h),
     });
     expect(h.logs.join("\n")).toContain("Owner password is set");
-    expect(h.prompts).toHaveLength(0);
-    expect(h.commands).toHaveLength(0);
+    expect(h.prompts).toHaveLength(1);
   });
+});
 
-  test("password + legacy vault TOTP — still the quiet password-set path", async () => {
+describe("runAuthPreflight — password + 2FA both set", () => {
+  test("two-line confirmation, no prompts", async () => {
     const h = makeHarness([]);
     await runAuthPreflight({
       status: status({ hasOwnerPassword: true, hasTotp: true, tokenCount: 0 }),
       ...wire(h),
     });
-    expect(h.logs.join("\n")).toContain("Owner password is set");
+    const joined = h.logs.join("\n");
+    expect(joined).toContain("Owner password is set");
+    expect(joined).toContain("Two-factor authentication is on");
     expect(h.prompts).toHaveLength(0);
     expect(h.commands).toHaveLength(0);
   });
@@ -152,7 +154,7 @@ describe("runAuthPreflight — password set", () => {
 
 describe("runAuthPreflight — subprocess failure handling", () => {
   test("non-zero exit from set-password doesn't abort the rest of the preflight", async () => {
-    const h = makeHarness(["y"]);
+    const h = makeHarness(["y", "n"]);
     const interactiveRunner = async (cmd: readonly string[]) => {
       h.commands.push([...cmd]);
       return 7;
@@ -177,11 +179,11 @@ describe("runAuthPreflight — subprocess failure handling", () => {
 
 describe("runAuthPreflight — case-insensitive yes", () => {
   test('"Y", "YES", and "y" all count as affirmative; anything else is decline', async () => {
-    // Now only the wide-open path prompts (for the password). Drive it there.
+    // Drive the password-set-no-2FA path so there's exactly one prompt (2FA).
     for (const yes of ["y", "Y", "yes", "YES"]) {
       const h = makeHarness([yes]);
       await runAuthPreflight({
-        status: status({ hasOwnerPassword: false }),
+        status: status({ hasOwnerPassword: true, hasTotp: false }),
         ...wire(h),
       });
       expect(h.commands).toHaveLength(1);
@@ -189,7 +191,7 @@ describe("runAuthPreflight — case-insensitive yes", () => {
     for (const no of ["", "n", "no", "q", "bogus"]) {
       const h = makeHarness([no]);
       await runAuthPreflight({
-        status: status({ hasOwnerPassword: false }),
+        status: status({ hasOwnerPassword: true, hasTotp: false }),
         ...wire(h),
       });
       expect(h.commands).toHaveLength(0);

package/src/__tests__/expose-cloudflare.test.ts

@@ -683,12 +683,11 @@ describe("exposeCloudflareUp", () => {
 
         expect(code).toBe(0);
         const joined = logs.join("\n");
-        // Honest copy: /login is public, owner password is the wall, hub-login
-        // 2FA is coming (#473) — does NOT recommend the dead `2fa enroll`.
+        // hub#473: real hub-login 2FA — the warning now recommends the real
+        // `parachute auth 2fa enroll` path.
         expect(joined).toContain("/login is now reachable on the public internet");
         expect(joined).toContain("https://vault.example.com/login");
-        expect(joined).toContain("#473");
-        expect(joined).not.toContain("parachute auth 2fa enroll");
+        expect(joined).toContain("parachute auth 2fa enroll");
       } finally {
         env.cleanup();
       }
@@ -736,11 +735,12 @@ describe("exposeCloudflareUp", () => {
         expect(code).toBe(0);
         const joined = logs.join("\n");
         expect(joined).not.toContain("/login is now reachable on the public internet");
-        // The contextual 2FA warning is suppressed (legacy vault TOTP present);
-        // the always-shown owner-password guidance from `printAuthGuidance`
-        // still appears, and it no longer recommends the dead `2fa enroll`.
+        // The contextual 2FA warning is suppressed (2FA already enrolled); the
+        // always-shown owner-password guidance from `printAuthGuidance` still
+        // appears, and it now (hub#473) also surfaces the real `2fa enroll`
+        // path in the humans section.
         expect(joined).toContain("parachute auth set-password");
-        expect(joined).not.toContain("parachute auth 2fa enroll");
+        expect(joined).toContain("parachute auth 2fa enroll");
       } finally {
         env.cleanup();
       }

package/src/__tests__/expose.test.ts

@@ -1009,11 +1009,10 @@ describe("expose public up", () => {
       });
       expect(code).toBe(0);
       const joined = logs.join("\n");
-      // Honest copy: /login is public, owner password is the wall, hub-login
-      // 2FA is coming (#473) — no longer recommends the dead `2fa enroll`.
+      // hub#473: real hub-login 2FA. The warning now recommends the real
+      // `parachute auth 2fa enroll` path.
       expect(joined).toContain("/login is now reachable on the public internet");
-      expect(joined).toContain("#473");
-      expect(joined).not.toContain("parachute auth 2fa enroll");
+      expect(joined).toContain("parachute auth 2fa enroll");
       // /login pointer uses the canonical https://<fqdn> origin.
       expect(joined).toContain("https://parachute.taildf9ce2.ts.net/login");
     } finally {