@openparachute/hub 0.5.14-rc.2 → 0.5.14-rc.21

package/src/__tests__/vault-auth-status.test.ts

@@ -22,11 +22,146 @@ function seedVault(vaultHome: string, name: string, opts: { withDb?: boolean } =
   return dbPath;
 }
 
-describe("readVaultAuthStatus — config.yaml parse", () => {
-  test("missing config.yaml → hasOwnerPassword + hasTotp both false", () => {
+/**
+ * Default tests pass a `probeHubDbHasUserPassword` of `() => undefined`
+ * (hub.db unreachable) so existing YAML-fallback behavior is exercised
+ * verbatim. Tests that specifically exercise the hub.db path pass their
+ * own probe.
+ */
+const hubDbUnreachable = () => undefined;
+
+describe("readVaultAuthStatus — hub.db source of truth (multi-user Phase 1+)", () => {
+  test("hub.db has a user with password_hash → hasOwnerPassword: true (no YAML needed)", () => {
+    const env = makeVaultHome();
+    try {
+      // No config.yaml at all on disk.
+      const status = readVaultAuthStatus({
+        vaultHome: env.path,
+        countTokens: () => 0,
+        probeHubDbHasUserPassword: () => true,
+        probeHubDbHasTotp: () => false,
+      });
+      expect(status.hasOwnerPassword).toBe(true);
+      // No TOTP enrolled in hub.db (and no legacy YAML) → false.
+      expect(status.hasTotp).toBe(false);
+    } finally {
+      env.cleanup();
+    }
+  });
+
+  test("hub.db users empty, YAML has owner_password_hash → falls back to YAML (legacy install)", () => {
+    const env = makeVaultHome();
+    try {
+      writeConfig(env.path, 'owner_password_hash: "$2b$12$legacyhash"\n');
+      const status = readVaultAuthStatus({
+        vaultHome: env.path,
+        countTokens: () => 0,
+        probeHubDbHasUserPassword: () => false,
+        probeHubDbHasTotp: () => false,
+      });
+      expect(status.hasOwnerPassword).toBe(true);
+      expect(status.hasTotp).toBe(false);
+    } finally {
+      env.cleanup();
+    }
+  });
+
+  test("hub.db unreachable, YAML has owner_password_hash → falls back to YAML", () => {
+    const env = makeVaultHome();
+    try {
+      writeConfig(env.path, 'owner_password_hash: "$2b$12$superlegacyhash"\n');
+      const status = readVaultAuthStatus({
+        vaultHome: env.path,
+        countTokens: () => 0,
+        probeHubDbHasUserPassword: hubDbUnreachable,
+      });
+      expect(status.hasOwnerPassword).toBe(true);
+    } finally {
+      env.cleanup();
+    }
+  });
+
+  test("hub.db users empty AND no YAML → hasOwnerPassword: false (fresh wide-open install)", () => {
+    const env = makeVaultHome();
+    try {
+      const status = readVaultAuthStatus({
+        vaultHome: env.path,
+        countTokens: () => 0,
+        probeHubDbHasUserPassword: () => false,
+        probeHubDbHasTotp: () => false,
+      });
+      expect(status.hasOwnerPassword).toBe(false);
+      expect(status.hasTotp).toBe(false);
+    } finally {
+      env.cleanup();
+    }
+  });
+
+  test("hub.db password=true, hub.db TOTP unreachable → TOTP falls back to YAML state", () => {
+    const env = makeVaultHome();
+    try {
+      // hub#473: hub.db is the canonical TOTP source, but when the TOTP probe
+      // is unreachable (pre-v11 column absent) it falls back to the legacy
+      // vault YAML totp_secret. password=true (hub.db), totp=true (YAML fallback).
+      writeConfig(env.path, 'totp_secret: "JBSWY3DPEHPK3PXP"\n');
+      const status = readVaultAuthStatus({
+        vaultHome: env.path,
+        countTokens: () => 0,
+        probeHubDbHasUserPassword: () => true,
+        probeHubDbHasTotp: () => undefined,
+      });
+      expect(status.hasOwnerPassword).toBe(true);
+      expect(status.hasTotp).toBe(true);
+    } finally {
+      env.cleanup();
+    }
+  });
+
+  test("hub.db TOTP=true is the real signal — overrides absent YAML", () => {
+    const env = makeVaultHome();
+    try {
+      // No YAML totp_secret, but a hub.db user has enrolled real 2FA (hub#473).
+      const status = readVaultAuthStatus({
+        vaultHome: env.path,
+        countTokens: () => 0,
+        probeHubDbHasUserPassword: () => true,
+        probeHubDbHasTotp: () => true,
+      });
+      expect(status.hasTotp).toBe(true);
+    } finally {
+      env.cleanup();
+    }
+  });
+
+  test("hub.db TOTP=false (column present, none enrolled) overrides a stale YAML true", () => {
+    const env = makeVaultHome();
+    try {
+      // Legacy YAML totp_secret present, but hub.db definitively says no user
+      // has enrolled real hub-login 2FA → report false (the real signal wins).
+      writeConfig(env.path, 'totp_secret: "JBSWY3DPEHPK3PXP"\n');
+      const status = readVaultAuthStatus({
+        vaultHome: env.path,
+        countTokens: () => 0,
+        probeHubDbHasUserPassword: () => true,
+        probeHubDbHasTotp: () => false,
+      });
+      expect(status.hasTotp).toBe(false);
+    } finally {
+      env.cleanup();
+    }
+  });
+});
+
+describe("readVaultAuthStatus — YAML fallback (pre-multi-user installs)", () => {
+  test("missing config.yaml AND hub.db unreachable → both signals false", () => {
     const env = makeVaultHome();
     try {
-      const status = readVaultAuthStatus({ vaultHome: env.path, countTokens: () => 0 });
+      const status = readVaultAuthStatus({
+        vaultHome: env.path,
+        countTokens: () => 0,
+        probeHubDbHasUserPassword: hubDbUnreachable,
+        probeHubDbHasTotp: hubDbUnreachable,
+      });
       expect(status.hasOwnerPassword).toBe(false);
       expect(status.hasTotp).toBe(false);
     } finally {
@@ -34,7 +169,7 @@ describe("readVaultAuthStatus — config.yaml parse", () => {
     }
   });
 
-  test("both keys present and non-empty → both true", () => {
+  test("both YAML keys present, hub.db unreachable → both true", () => {
     const env = makeVaultHome();
     try {
       writeConfig(
@@ -46,7 +181,12 @@ describe("readVaultAuthStatus — config.yaml parse", () => {
           "",
         ].join("\n"),
       );
-      const status = readVaultAuthStatus({ vaultHome: env.path, countTokens: () => 0 });
+      const status = readVaultAuthStatus({
+        vaultHome: env.path,
+        countTokens: () => 0,
+        probeHubDbHasUserPassword: hubDbUnreachable,
+        probeHubDbHasTotp: hubDbUnreachable,
+      });
       expect(status.hasOwnerPassword).toBe(true);
       expect(status.hasTotp).toBe(true);
     } finally {
@@ -54,11 +194,16 @@ describe("readVaultAuthStatus — config.yaml parse", () => {
     }
   });
 
-  test("empty quoted values are treated as absent (matches vault's readGlobalConfig)", () => {
+  test("empty quoted YAML values are absent (matches vault's readGlobalConfig)", () => {
     const env = makeVaultHome();
     try {
       writeConfig(env.path, ['owner_password_hash: ""', 'totp_secret: ""', ""].join("\n"));
-      const status = readVaultAuthStatus({ vaultHome: env.path, countTokens: () => 0 });
+      const status = readVaultAuthStatus({
+        vaultHome: env.path,
+        countTokens: () => 0,
+        probeHubDbHasUserPassword: hubDbUnreachable,
+        probeHubDbHasTotp: hubDbUnreachable,
+      });
       expect(status.hasOwnerPassword).toBe(false);
       expect(status.hasTotp).toBe(false);
     } finally {
@@ -66,11 +211,16 @@ describe("readVaultAuthStatus — config.yaml parse", () => {
     }
   });
 
-  test("only owner_password_hash present", () => {
+  test("only YAML owner_password_hash present, hub.db unreachable", () => {
     const env = makeVaultHome();
     try {
       writeConfig(env.path, 'owner_password_hash: "$2b$12$abc"\n');
-      const status = readVaultAuthStatus({ vaultHome: env.path, countTokens: () => 0 });
+      const status = readVaultAuthStatus({
+        vaultHome: env.path,
+        countTokens: () => 0,
+        probeHubDbHasUserPassword: hubDbUnreachable,
+        probeHubDbHasTotp: hubDbUnreachable,
+      });
       expect(status.hasOwnerPassword).toBe(true);
       expect(status.hasTotp).toBe(false);
     } finally {
@@ -83,7 +233,11 @@ describe("readVaultAuthStatus — vault discovery", () => {
   test("no data/ dir → vaultNames empty, tokenCount 0", () => {
     const env = makeVaultHome();
     try {
-      const status = readVaultAuthStatus({ vaultHome: env.path, countTokens: () => 999 });
+      const status = readVaultAuthStatus({
+        vaultHome: env.path,
+        countTokens: () => 999,
+        probeHubDbHasUserPassword: hubDbUnreachable,
+      });
       expect(status.vaultNames).toEqual([]);
       expect(status.tokenCount).toBe(0);
     } finally {
@@ -98,7 +252,11 @@ describe("readVaultAuthStatus — vault discovery", () => {
       seedVault(env.path, "default", { withDb: true });
       // garbage dir that happens to sit under data/
       mkdirSync(join(env.path, "data", "stray"), { recursive: true });
-      const status = readVaultAuthStatus({ vaultHome: env.path, countTokens: () => 0 });
+      const status = readVaultAuthStatus({
+        vaultHome: env.path,
+        countTokens: () => 0,
+        probeHubDbHasUserPassword: hubDbUnreachable,
+      });
       expect(status.vaultNames).toEqual(["default"]);
     } finally {
       env.cleanup();
@@ -115,6 +273,7 @@ describe("readVaultAuthStatus — token count resilience", () => {
       const status = readVaultAuthStatus({
         vaultHome: env.path,
         countTokens: (dbPath) => (dbPath.includes("/default/") ? 2 : 3),
+        probeHubDbHasUserPassword: hubDbUnreachable,
       });
       expect(status.tokenCount).toBe(5);
       expect(new Set(status.vaultNames)).toEqual(new Set(["default", "work"]));
@@ -135,6 +294,7 @@ describe("readVaultAuthStatus — token count resilience", () => {
           if (dbPath.includes("/default/")) throw new Error("should not open missing DB");
           return 4;
         },
+        probeHubDbHasUserPassword: hubDbUnreachable,
       });
       expect(status.tokenCount).toBe(4);
     } finally {
@@ -153,6 +313,7 @@ describe("readVaultAuthStatus — token count resilience", () => {
           if (dbPath.includes("/work/")) throw new Error("locked");
           return 2;
         },
+        probeHubDbHasUserPassword: hubDbUnreachable,
       });
       // Even though "default" succeeded with 2, we return null — callers
       // shouldn't see a misleading partial count.
@@ -162,3 +323,143 @@ describe("readVaultAuthStatus — token count resilience", () => {
     }
   });
 });
+
+describe("readVaultAuthStatus — defaultProbeHubDbHasUserPassword end-to-end", () => {
+  // These tests exercise the real `bun:sqlite` probe (no injected fake)
+  // to catch breakage in the on-disk read path: schema drift, opening
+  // semantics, undefined-returns-on-failure.
+
+  test("hub.db missing → probe returns undefined → falls back to YAML cleanly", () => {
+    const env = makeVaultHome();
+    try {
+      writeConfig(env.path, 'owner_password_hash: "$2b$12$legacyfromYAML"\n');
+      const status = readVaultAuthStatus({
+        vaultHome: env.path,
+        hubDbPath: join(env.path, "definitely-not-here.db"),
+        countTokens: () => 0,
+      });
+      expect(status.hasOwnerPassword).toBe(true);
+    } finally {
+      env.cleanup();
+    }
+  });
+
+  test("hub.db exists with users.password_hash set → hasOwnerPassword: true", () => {
+    const env = makeVaultHome();
+    try {
+      // Build a real hub.db with the canonical schema + an `unforced` user.
+      const { Database } = require("bun:sqlite");
+      const dbPath = join(env.path, "hub.db");
+      const db = new Database(dbPath);
+      db.exec(`
+        CREATE TABLE users (
+          id TEXT PRIMARY KEY,
+          username TEXT UNIQUE NOT NULL,
+          password_hash TEXT NOT NULL,
+          created_at TEXT NOT NULL,
+          updated_at TEXT NOT NULL,
+          password_changed INTEGER NOT NULL DEFAULT 0
+        );
+        INSERT INTO users (id, username, password_hash, created_at, updated_at, password_changed)
+        VALUES ('u1', 'unforced', '$argon2id$v=19$realhashhere', '2026-05-26T00:00:00Z', '2026-05-26T00:00:00Z', 1);
+      `);
+      db.close();
+      const status = readVaultAuthStatus({
+        vaultHome: env.path,
+        hubDbPath: dbPath,
+        countTokens: () => 0,
+      });
+      expect(status.hasOwnerPassword).toBe(true);
+    } finally {
+      env.cleanup();
+    }
+  });
+
+  test("hub.db exists but users table empty → falls back to YAML", () => {
+    const env = makeVaultHome();
+    try {
+      const { Database } = require("bun:sqlite");
+      const dbPath = join(env.path, "hub.db");
+      const db = new Database(dbPath);
+      db.exec(`
+        CREATE TABLE users (
+          id TEXT PRIMARY KEY,
+          username TEXT UNIQUE NOT NULL,
+          password_hash TEXT NOT NULL,
+          created_at TEXT NOT NULL,
+          updated_at TEXT NOT NULL,
+          password_changed INTEGER NOT NULL DEFAULT 0
+        );
+      `);
+      db.close();
+      // YAML provides the password — should still be true.
+      writeConfig(env.path, 'owner_password_hash: "$2b$12$fallbackhash"\n');
+      const status = readVaultAuthStatus({
+        vaultHome: env.path,
+        hubDbPath: dbPath,
+        countTokens: () => 0,
+      });
+      expect(status.hasOwnerPassword).toBe(true);
+    } finally {
+      env.cleanup();
+    }
+  });
+
+  test("hub.db exists but schema is missing the users table → probe returns undefined, YAML fallback", () => {
+    const env = makeVaultHome();
+    try {
+      // A hub.db that hasn't run migration v2 yet (only signing_keys, v1).
+      const { Database } = require("bun:sqlite");
+      const dbPath = join(env.path, "hub.db");
+      const db = new Database(dbPath);
+      db.exec(`
+        CREATE TABLE signing_keys (kid TEXT PRIMARY KEY);
+      `);
+      db.close();
+      writeConfig(env.path, 'owner_password_hash: "$2b$12$onlyinYAML"\n');
+      const status = readVaultAuthStatus({
+        vaultHome: env.path,
+        hubDbPath: dbPath,
+        countTokens: () => 0,
+      });
+      // SELECT against nonexistent `users` throws → probe returns undefined
+      // → YAML wins → password reported as set.
+      expect(status.hasOwnerPassword).toBe(true);
+    } finally {
+      env.cleanup();
+    }
+  });
+
+  test("hub.db users table has a row with empty password_hash → treated as no password", () => {
+    const env = makeVaultHome();
+    try {
+      const { Database } = require("bun:sqlite");
+      const dbPath = join(env.path, "hub.db");
+      const db = new Database(dbPath);
+      // NOT NULL on password_hash, but allow empty string — schema check
+      // is just for "non-empty hash exists."
+      db.exec(`
+        CREATE TABLE users (
+          id TEXT PRIMARY KEY,
+          username TEXT UNIQUE NOT NULL,
+          password_hash TEXT NOT NULL,
+          created_at TEXT NOT NULL,
+          updated_at TEXT NOT NULL,
+          password_changed INTEGER NOT NULL DEFAULT 0
+        );
+        INSERT INTO users (id, username, password_hash, created_at, updated_at, password_changed)
+        VALUES ('u1', 'placeholder', '', '2026-05-26T00:00:00Z', '2026-05-26T00:00:00Z', 0);
+      `);
+      db.close();
+      const status = readVaultAuthStatus({
+        vaultHome: env.path,
+        hubDbPath: dbPath,
+        countTokens: () => 0,
+      });
+      // No YAML, no non-empty hub.db password → wide open.
+      expect(status.hasOwnerPassword).toBe(false);
+    } finally {
+      env.cleanup();
+    }
+  });
+});

package/src/__tests__/vault-hub-origin-env.test.ts

@@ -0,0 +1,263 @@
+/**
+ * Tests for the durable half of the OAuth issuer-mismatch fix: persisting the
+ * hub's PUBLIC origin into `<configDir>/vault/.env` so the launchd / systemd
+ * daemon — which boots vault out-of-band and never sees the `parachute start`
+ * spawn env — validates hub-minted JWTs' `iss` against the public origin
+ * instead of vault's loopback default. See `vault-hub-origin-env.ts`.
+ */
+import { afterEach, beforeEach, describe, expect, test } from "bun:test";
+import { existsSync, mkdirSync, mkdtempSync, rmSync, writeFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { readEnvFileValues } from "../env-file.ts";
+import type { ExposeState } from "../expose-state.ts";
+import { writeExposeState } from "../expose-state.ts";
+import {
+  clearVaultHubOrigin,
+  isLoopbackOrigin,
+  persistVaultHubOrigin,
+  publicOriginFromExposeState,
+  selfHealVaultHubOrigin,
+} from "../vault-hub-origin-env.ts";
+
+let dir: string;
+
+beforeEach(() => {
+  dir = mkdtempSync(join(tmpdir(), "pcli-vhoe-"));
+});
+afterEach(() => {
+  rmSync(dir, { recursive: true, force: true });
+});
+
+function vaultEnv(): string {
+  return join(dir, "vault", ".env");
+}
+
+describe("isLoopbackOrigin", () => {
+  test("flags 127.0.0.1 / localhost / [::1] / 0.0.0.0", () => {
+    expect(isLoopbackOrigin("http://127.0.0.1:1939")).toBe(true);
+    expect(isLoopbackOrigin("http://localhost:1939")).toBe(true);
+    expect(isLoopbackOrigin("http://[::1]:1939")).toBe(true);
+    // 0.0.0.0 is a bind-all wildcard, not a reachable origin.
+    expect(isLoopbackOrigin("http://0.0.0.0:1939")).toBe(true);
+  });
+
+  test("does not flag a public FQDN", () => {
+    expect(isLoopbackOrigin("https://parachute-aaron.tailc75afc.ts.net")).toBe(false);
+    expect(isLoopbackOrigin("https://hub.example.com")).toBe(false);
+  });
+
+  test("non-URL strings are treated as non-loopback (don't block persistence)", () => {
+    expect(isLoopbackOrigin("not a url")).toBe(false);
+  });
+});
+
+describe("persistVaultHubOrigin", () => {
+  test("writes a non-loopback public origin into vault/.env", () => {
+    const wrote = persistVaultHubOrigin(dir, "https://parachute-aaron.tailc75afc.ts.net", () => {});
+    expect(wrote).toBe(true);
+    expect(readEnvFileValues(vaultEnv()).PARACHUTE_HUB_ORIGIN).toBe(
+      "https://parachute-aaron.tailc75afc.ts.net",
+    );
+  });
+
+  test("refuses to persist a loopback origin (would shadow a later exposure)", () => {
+    const wrote = persistVaultHubOrigin(dir, "http://127.0.0.1:1939", () => {});
+    expect(wrote).toBe(false);
+    expect(existsSync(vaultEnv())).toBe(false);
+  });
+
+  test("refuses to persist a 0.0.0.0 origin (--hub-origin flows straight through)", () => {
+    // `--hub-origin http://0.0.0.0:1939` bypasses deriveHubOrigin and reaches
+    // here verbatim; baking a bind-all wildcard into vault/.env would advertise
+    // a non-functional issuer and recreate the iss-mismatch class.
+    const wrote = persistVaultHubOrigin(dir, "http://0.0.0.0:1939", () => {});
+    expect(wrote).toBe(false);
+    expect(existsSync(vaultEnv())).toBe(false);
+  });
+
+  test("is idempotent — no rewrite when the value is already current", () => {
+    const log: string[] = [];
+    expect(persistVaultHubOrigin(dir, "https://hub.example.com", (l) => log.push(l))).toBe(true);
+    expect(persistVaultHubOrigin(dir, "https://hub.example.com", (l) => log.push(l))).toBe(false);
+    // Only the first call logged.
+    expect(log).toHaveLength(1);
+    expect(log[0]).toMatch(/persisted PARACHUTE_HUB_ORIGIN=https:\/\/hub\.example\.com/);
+  });
+
+  test("updates a stale origin in-place and preserves sibling keys", () => {
+    writeFileSync(
+      mkVaultDir(),
+      "SCRIBE_AUTH_TOKEN=secret\nPARACHUTE_HUB_ORIGIN=https://old.example.com\nSCRIBE_URL=http://127.0.0.1:1943\n",
+    );
+    const wrote = persistVaultHubOrigin(dir, "https://new.example.com", () => {});
+    expect(wrote).toBe(true);
+    const values = readEnvFileValues(vaultEnv());
+    expect(values.PARACHUTE_HUB_ORIGIN).toBe("https://new.example.com");
+    // Sibling keys untouched.
+    expect(values.SCRIBE_AUTH_TOKEN).toBe("secret");
+    expect(values.SCRIBE_URL).toBe("http://127.0.0.1:1943");
+  });
+});
+
+describe("clearVaultHubOrigin", () => {
+  test("removes a persisted origin and leaves sibling keys", () => {
+    writeFileSync(
+      mkVaultDir(),
+      "SCRIBE_AUTH_TOKEN=secret\nPARACHUTE_HUB_ORIGIN=https://hub.example.com\n",
+    );
+    const wrote = clearVaultHubOrigin(dir, () => {});
+    expect(wrote).toBe(true);
+    const values = readEnvFileValues(vaultEnv());
+    expect(values.PARACHUTE_HUB_ORIGIN).toBeUndefined();
+    expect(values.SCRIBE_AUTH_TOKEN).toBe("secret");
+  });
+
+  test("no-op when no origin is present", () => {
+    writeFileSync(mkVaultDir(), "SCRIBE_AUTH_TOKEN=secret\n");
+    expect(clearVaultHubOrigin(dir, () => {})).toBe(false);
+  });
+
+  test("no-op when vault/.env doesn't exist", () => {
+    expect(clearVaultHubOrigin(dir, () => {})).toBe(false);
+  });
+});
+
+/** Create `<dir>/vault/` and return the `.env` path so writeFileSync lands. */
+function mkVaultDir(): string {
+  mkdirSync(join(dir, "vault"), { recursive: true });
+  return vaultEnv();
+}
+
+function exposeStatePath(): string {
+  return join(dir, "expose-state.json");
+}
+
+/** Cloudflare-shaped expose state (subdomain mode, single hub-catchall entry). */
+function cloudflareState(overrides: Partial<ExposeState> = {}): ExposeState {
+  return {
+    version: 1,
+    layer: "public",
+    mode: "subdomain",
+    canonicalFqdn: "gitcoin-parachute.unforced.dev",
+    port: 1939,
+    funnel: false,
+    entries: [{ kind: "proxy", mount: "/", target: "http://localhost:1939", service: "hub" }],
+    hubOrigin: "https://gitcoin-parachute.unforced.dev",
+    ...overrides,
+  };
+}
+
+/** Tailnet-shaped expose state (path mode). */
+function tailnetState(overrides: Partial<ExposeState> = {}): ExposeState {
+  return {
+    version: 1,
+    layer: "tailnet",
+    mode: "path",
+    canonicalFqdn: "parachute-aaron.tailc75afc.ts.net",
+    port: 1939,
+    funnel: false,
+    entries: [{ kind: "proxy", mount: "/", target: "http://localhost:1939", service: "hub" }],
+    hubOrigin: "https://parachute-aaron.tailc75afc.ts.net",
+    ...overrides,
+  };
+}
+
+describe("publicOriginFromExposeState", () => {
+  test("undefined when no expose-state file exists", () => {
+    expect(publicOriginFromExposeState(exposeStatePath())).toBeUndefined();
+  });
+
+  test("returns the cloudflare hubOrigin", () => {
+    writeExposeState(cloudflareState(), exposeStatePath());
+    expect(publicOriginFromExposeState(exposeStatePath())).toBe(
+      "https://gitcoin-parachute.unforced.dev",
+    );
+  });
+
+  test("returns the tailnet hubOrigin", () => {
+    writeExposeState(tailnetState(), exposeStatePath());
+    expect(publicOriginFromExposeState(exposeStatePath())).toBe(
+      "https://parachute-aaron.tailc75afc.ts.net",
+    );
+  });
+
+  test("synthesizes https://<canonicalFqdn> when hubOrigin is absent (pre-Phase-0 state)", () => {
+    // hubOrigin is optional on older state files; canonicalFqdn is mandatory.
+    const { hubOrigin, ...rest } = cloudflareState();
+    void hubOrigin;
+    writeExposeState(rest as ExposeState, exposeStatePath());
+    expect(publicOriginFromExposeState(exposeStatePath())).toBe(
+      "https://gitcoin-parachute.unforced.dev",
+    );
+  });
+});
+
+describe("selfHealVaultHubOrigin (Cloudflare 401 self-heal)", () => {
+  test("writes the cloudflare public origin when vault/.env is UNSET", () => {
+    // The exact broken-deploy shape: expose-state carries a public cloudflare
+    // hubOrigin but vault/.env has no PARACHUTE_HUB_ORIGIN, so the daemon falls
+    // back to loopback and 401s every hub token. Restart self-corrects it.
+    writeExposeState(cloudflareState(), exposeStatePath());
+    const wrote = selfHealVaultHubOrigin(dir, () => {}, exposeStatePath());
+    expect(wrote).toBe(true);
+    expect(readEnvFileValues(vaultEnv()).PARACHUTE_HUB_ORIGIN).toBe(
+      "https://gitcoin-parachute.unforced.dev",
+    );
+  });
+
+  test("overwrites a LOOPBACK value already persisted in vault/.env", () => {
+    writeExposeState(cloudflareState(), exposeStatePath());
+    writeFileSync(mkVaultDir(), "PARACHUTE_HUB_ORIGIN=http://127.0.0.1:1939\n");
+    const wrote = selfHealVaultHubOrigin(dir, () => {}, exposeStatePath());
+    expect(wrote).toBe(true);
+    expect(readEnvFileValues(vaultEnv()).PARACHUTE_HUB_ORIGIN).toBe(
+      "https://gitcoin-parachute.unforced.dev",
+    );
+  });
+
+  test("tailnet shape still self-heals (no regression)", () => {
+    writeExposeState(tailnetState(), exposeStatePath());
+    const wrote = selfHealVaultHubOrigin(dir, () => {}, exposeStatePath());
+    expect(wrote).toBe(true);
+    expect(readEnvFileValues(vaultEnv()).PARACHUTE_HUB_ORIGIN).toBe(
+      "https://parachute-aaron.tailc75afc.ts.net",
+    );
+  });
+
+  test("does NOT persist when there's no exposure (genuine loopback / local dev)", () => {
+    // No expose-state file → no public origin → vault keeps its loopback
+    // default. Persisting loopback would shadow a later exposure.
+    const wrote = selfHealVaultHubOrigin(dir, () => {}, exposeStatePath());
+    expect(wrote).toBe(false);
+    expect(existsSync(vaultEnv())).toBe(false);
+  });
+
+  test("leaves a DIFFERENT non-loopback value alone (deliberate --hub-origin override)", () => {
+    writeExposeState(cloudflareState(), exposeStatePath());
+    writeFileSync(mkVaultDir(), "PARACHUTE_HUB_ORIGIN=https://custom.example.com\n");
+    const wrote = selfHealVaultHubOrigin(dir, () => {}, exposeStatePath());
+    expect(wrote).toBe(false);
+    // Untouched — self-heal only fixes unset/loopback, never clobbers a public
+    // value an operator may have set on purpose.
+    expect(readEnvFileValues(vaultEnv()).PARACHUTE_HUB_ORIGIN).toBe("https://custom.example.com");
+  });
+
+  test("no-op (no double-write) when the persisted value already equals the public origin", () => {
+    writeExposeState(cloudflareState(), exposeStatePath());
+    writeFileSync(mkVaultDir(), "PARACHUTE_HUB_ORIGIN=https://gitcoin-parachute.unforced.dev\n");
+    const wrote = selfHealVaultHubOrigin(dir, () => {}, exposeStatePath());
+    expect(wrote).toBe(false);
+  });
+
+  test("expose-state with a loopback hubOrigin is treated as no public exposure", () => {
+    // A loopback hubOrigin (local-dev hub) must never be persisted — it would
+    // recreate the iss mismatch on the daemon boot path.
+    writeExposeState(cloudflareState({ hubOrigin: "http://127.0.0.1:1939" }), exposeStatePath());
+    // canonicalFqdn is still public here, but hubOrigin wins — we honor the
+    // explicit value the writer chose.
+    const wrote = selfHealVaultHubOrigin(dir, () => {}, exposeStatePath());
+    expect(wrote).toBe(false);
+    expect(existsSync(vaultEnv())).toBe(false);
+  });
+});