@openparachute/hub 0.5.14-rc.2 → 0.5.14-rc.21

package/src/commands/auth.ts

@@ -13,7 +13,14 @@
  *   - `list-users` — show accounts in `users`.
  *
  * Vault-forwarded subcommands (still implemented in `parachute-vault`):
- *   - `2fa` — TOTP enroll/disable/backup-codes.
+ *   - (none currently). `2fa` used to forward here, but the legacy
+ *     `parachute-vault 2fa` stub writes vault YAML that does NOT gate hub
+ *     `/login`. As of hub#473 `parachute auth 2fa` is the REAL hub-login TOTP
+ *     surface: it reads/writes the hub.db `users` TOTP columns and gates
+ *     `/login`. Subcommands: `status`, `enroll` (CLI text enroll — prints the
+ *     otpauth:// URI + base32 secret for manual authenticator entry, then
+ *     prompts for the confirm code), `disenroll`. The browser path lives at
+ *     `<hub-origin>/account/2fa` (QR + backup codes).
  */
 
 import { join } from "node:path";
@@ -44,6 +51,13 @@ import {
 } from "../operator-token.ts";
 import { isNonRequestableScope } from "../scope-explanations.ts";
 import { rotateSigningKey } from "../signing-keys.ts";
+import { generateTotpSecret, otpauthUrlFor, verifyTotpCode } from "../totp.ts";
+import {
+  clearEnrollment,
+  getTotpState,
+  isTotpEnrolled,
+  persistEnrollment,
+} from "../two-factor-store.ts";
 import {
   SingleUserModeError,
   UsernameTakenError,
@@ -71,9 +85,10 @@ export const defaultRunner: Runner = {
   },
 };
 
-const VAULT_FORWARDED_SUBCOMMANDS = new Set(["2fa"]);
+const VAULT_FORWARDED_SUBCOMMANDS = new Set<string>([]);
 const HUB_LOCAL_SUBCOMMANDS = new Set([
   "rotate-key",
+  "2fa",
   "set-password",
   "list-users",
   "rotate-operator",
@@ -92,10 +107,14 @@ Usage:
   parachute auth set-password [--username <name>] [--password <pw>] [--allow-multi]
                                        Create or update the hub user's password
   parachute auth list-users            Show registered hub accounts
-  parachute auth 2fa status            Show 2FA state
-  parachute auth 2fa enroll            Enable TOTP 2FA (QR + backup codes)
-  parachute auth 2fa disable           Disable 2FA (requires password)
-  parachute auth 2fa backup-codes      Regenerate backup codes
+  parachute auth 2fa [status]          Show hub-login 2FA (TOTP) status
+  parachute auth 2fa enroll [--username <name>]
+                                       Enroll TOTP for hub login (prints the
+                                       otpauth:// URI + base32 secret for manual
+                                       authenticator entry, then prompts for a
+                                       confirm code; prints backup codes once)
+  parachute auth 2fa disenroll [--username <name>]
+                                       Turn off hub-login 2FA for the account
   parachute auth rotate-key            Rotate the hub's JWT signing key
   parachute auth rotate-operator [--scope-set <set>]
                                        Mint a fresh ~/.parachute/operator.token
@@ -128,10 +147,20 @@ The default username on first run is "owner" — override with --username.
 Single-user mode is the default; pass --allow-multi to add additional
 accounts beyond the first.
 
-2fa forwards to \`parachute-vault\` which still implements TOTP storage. If
-you see "not found on PATH", install vault first:
+2fa is real hub-login TOTP (hub#473). It reads/writes the hub.db \`users\` TOTP
+columns and gates \`/login\`: once enrolled, signing in requires a 6-digit code
+from your authenticator app (or a single-use backup code) after your password.
+
+\`parachute auth 2fa enroll\` is headless-friendly — it prints the \`otpauth://\`
+URI and the base32 secret as text so you can type them into an authenticator
+manually (no QR scan needed on a server), then prompts for the current 6-digit
+code to confirm. On success it prints 10 single-use backup codes ONCE — save
+them. The browser path (\`<hub-origin>/account/2fa\`) shows a scannable QR code.
 
-  parachute install vault
+\`parachute auth 2fa disenroll\` clears the TOTP secret + backup codes.
+
+In single-user mode both default to the only hub account; pass --username to
+target a specific account when more than one exists.
 
 rotate-key generates a fresh RSA-2048 keypair and retires the previous
 one. The retired key keeps appearing in /.well-known/jwks.json for 24
@@ -1124,6 +1153,115 @@ async function runRevokeToken(args: readonly string[], deps: AuthDeps): Promise<
   }
 }
 
+/**
+ * Real hub-login TOTP 2FA CLI (hub#473). `parachute auth 2fa [status|enroll|
+ * disenroll]`. Reads/writes the hub.db `users` TOTP columns — the same store
+ * the `/login` flow and `/account/2fa` browser surface use, so a CLI enroll
+ * gates the exposed hub login exactly like the browser one.
+ *
+ * Headless-first by design: `enroll` prints the `otpauth://` URI + base32
+ * secret as text so the operator can type them into an authenticator app
+ * manually (no QR scan on a server), then prompts for the current code to
+ * confirm before persisting. Browser enroll (QR) lives at
+ * `<hub-origin>/account/2fa`.
+ */
+async function run2fa(args: readonly string[], deps: AuthDeps): Promise<number> {
+  const flag = extractUsernameFlag(args);
+  if (flag.error) {
+    console.error(`parachute auth 2fa: ${flag.error}`);
+    return 1;
+  }
+  const sub = flag.rest[0] ?? "status";
+  if (flag.rest.length > 1) {
+    console.error(`parachute auth 2fa: unexpected argument "${flag.rest[1]}"`);
+    console.error("usage: parachute auth 2fa [status|enroll|disenroll] [--username <name>]");
+    return 1;
+  }
+  if (sub !== "status" && sub !== "enroll" && sub !== "disenroll") {
+    console.error(`parachute auth 2fa: unknown subcommand "${sub}"`);
+    console.error("usage: parachute auth 2fa [status|enroll|disenroll] [--username <name>]");
+    return 1;
+  }
+
+  const db = deps.dbPath ? openHubDb(deps.dbPath) : openHubDb();
+  try {
+    const target = resolveTargetUser(db, flag.username, sub);
+    if ("error" in target) {
+      console.error(`parachute auth 2fa: ${target.error}`);
+      return 1;
+    }
+
+    if (sub === "status") {
+      const state = getTotpState(db, target.id);
+      if (state.secret) {
+        console.log(`Two-factor authentication: ON for "${target.username}".`);
+        if (state.enrolledAt) console.log(`  enrolled_at:   ${state.enrolledAt}`);
+        console.log(`  backup_codes:  ${state.backupCodes.length} remaining`);
+      } else {
+        console.log(`Two-factor authentication: OFF for "${target.username}".`);
+        console.log("Run `parachute auth 2fa enroll` to turn it on.");
+      }
+      return 0;
+    }
+
+    if (sub === "disenroll") {
+      if (!isTotpEnrolled(db, target.id)) {
+        console.log(`Two-factor authentication is already off for "${target.username}".`);
+        return 0;
+      }
+      clearEnrollment(db, target.id);
+      console.log(`Turned off two-factor authentication for "${target.username}".`);
+      return 0;
+    }
+
+    // sub === "enroll"
+    if (isTotpEnrolled(db, target.id)) {
+      console.error(
+        `parachute auth 2fa: two-factor is already enabled for "${target.username}". Run \`parachute auth 2fa disenroll\` first to re-enroll.`,
+      );
+      return 1;
+    }
+    const isInteractive = (deps.isInteractive ?? defaultIsInteractive)();
+    if (!isInteractive) {
+      console.error(
+        "parachute auth 2fa enroll: a TTY is required to confirm the enrollment code (run it interactively)",
+      );
+      return 1;
+    }
+    const readLine = deps.readLine ?? defaultReadLine;
+
+    const { secret } = generateTotpSecret(target.username);
+    const otpauthUrl = otpauthUrlFor(secret, target.username);
+    console.log(`Enrolling two-factor authentication for "${target.username}".`);
+    console.log("");
+    console.log("Add this account to your authenticator app. Either scan the otpauth URL");
+    console.log("(paste it into a QR generator), or enter the secret key manually:");
+    console.log("");
+    console.log(`  otpauth URL:  ${otpauthUrl}`);
+    console.log(`  secret key:   ${secret}`);
+    console.log("");
+    const code = (await readLine("Enter the 6-digit code from your app to confirm: ")).trim();
+    if (!verifyTotpCode(secret, code)) {
+      console.error(
+        "parachute auth 2fa enroll: that code didn't match — nothing was saved. Check your device clock and try again.",
+      );
+      return 1;
+    }
+    const result = await persistEnrollment(db, target.id, secret);
+    console.log("");
+    console.log("✓ Two-factor authentication is now ON for hub login.");
+    console.log("");
+    console.log("Save these backup codes — each works once if you lose your authenticator:");
+    console.log("");
+    for (const c of result.backupCodes) console.log(`  ${c}`);
+    console.log("");
+    console.log("They are shown only once. Store them somewhere safe.");
+    return 0;
+  } finally {
+    db.close();
+  }
+}
+
 function runListUsers(deps: AuthDeps): number {
   const db = deps.dbPath ? openHubDb(deps.dbPath) : openHubDb();
   try {
@@ -1182,6 +1320,15 @@ export async function auth(args: readonly string[], deps: AuthDeps | Runner = {}
         return 1;
       }
     }
+    if (sub === "2fa") {
+      try {
+        return await run2fa(args.slice(1), normalized);
+      } catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        console.error(`parachute auth 2fa: ${msg}`);
+        return 1;
+      }
+    }
     if (sub === "list-users") {
       return runListUsers(normalized);
     }
@@ -1250,23 +1397,17 @@ export async function auth(args: readonly string[], deps: AuthDeps | Runner = {}
     }
   }
 
-  if (!VAULT_FORWARDED_SUBCOMMANDS.has(sub)) {
-    console.error(`parachute auth: unknown subcommand "${sub}"`);
-    console.error("run `parachute auth --help` for usage");
-    return 1;
-  }
-  try {
+  // No subcommands forward to parachute-vault anymore (VAULT_FORWARDED_SUBCOMMANDS
+  // is empty — `2fa` is now hub-local + honest, see #473). Anything that fell
+  // through every hub-local handler above is unknown.
+  if (VAULT_FORWARDED_SUBCOMMANDS.has(sub)) {
+    // Defensive: if a future subcommand is added back to the forward set, route
+    // it. Currently unreachable (the set is empty).
     return await runner.run(["parachute-vault", ...args]);
-  } catch (err) {
-    const msg = err instanceof Error ? err.message : String(err);
-    if (msg.toLowerCase().includes("enoent") || msg.toLowerCase().includes("not found")) {
-      console.error("parachute-vault not found on PATH.");
-      console.error("Install it with: parachute install vault");
-      return 127;
-    }
-    console.error(`failed to run parachute-vault: ${msg}`);
-    return 1;
   }
+  console.error(`parachute auth: unknown subcommand "${sub}"`);
+  console.error("run `parachute auth --help` for usage");
+  return 1;
 }
 
 // Re-exported so `users.ts` consumers can preserve the named-export.

package/src/commands/expose-2fa-warning.ts

@@ -1,29 +1,23 @@
 /**
- * Public-exposure 2FA-enrollment warning (#186). Lands as the next layer of
- * defense after #188's `/login` rate-limit floor: once the operator brings
- * up cloudflare or Tailscale Funnel, `/login` is reachable from the public
- * internet on every layer admitting traffic. 2FA is the difference between
- * "password is the only wall" and "password + something-you-have."
+ * Public-exposure security warning (#186). Once the operator brings up
+ * cloudflare or Tailscale Funnel, `/login` is reachable from the public
+ * internet on every layer admitting traffic. After #188's `/login` rate-limit
+ * floor, the owner password is the wall — and now (hub#473) hub-login TOTP 2FA
+ * is the second wall.
+ *
+ * 2FA at the hub login layer is real as of hub#473: "password +
+ * something-you-have." This warning recommends `parachute auth 2fa enroll`
+ * (which now gates hub `/login` for real) when the operator hasn't enrolled.
  *
  * Why this is a warning, not a hard gate: hard-gating would surprise operators
  * mid-flow — they ran `parachute expose public` to expose, not to be told
- * "set up 2FA first." A loud, contextual warning + a clear one-line
- * remediation is the right shape; the operator decides whether to act now or
- * later. The tunnel is up regardless.
- *
- * Why the source-of-truth is vault's `config.yaml`: 2FA enrollment lives in
- * `parachute-vault` (the hub forwards `parachute auth 2fa enroll` to vault —
- * see `commands/auth.ts` `VAULT_FORWARDED_SUBCOMMANDS`). The hub's `users`
- * table has no TOTP column today; it will gain one when hub-admin login
- * verifies TOTP against vault. Until then, "is 2FA enrolled?" maps cleanly
- * to "does vault's config.yaml carry a non-empty `totp_secret`?", which is
- * exactly what `readVaultAuthStatus().hasTotp` returns.
+ * "set up 2FA first." A loud, contextual warning + a clear remediation is the
+ * right shape; the operator decides whether to act now or later. The tunnel is
+ * up regardless.
  *
- * If vault isn't installed at all (rare for the cloudflare path — it requires
- * a vault entry — but possible on the tailnet/funnel path): `hasTotp` comes
- * back `false` and the warning still fires. The remediation
- * `parachute auth 2fa enroll` then surfaces vault's "install vault first"
- * error, which is the right next step regardless.
+ * The probe consults `readVaultAuthStatus().hasTotp`, which now reflects the
+ * hub.db `users.totp_secret` column (real hub-login 2FA) — true when any user
+ * has enrolled. The warning fires only when no second factor is configured.
  */
 
 import { type VaultAuthStatus, readVaultAuthStatus } from "../vault/auth-status.ts";
@@ -40,17 +34,20 @@ export interface Public2FAWarningOpts {
 }
 
 /**
- * `true` when `totp_secret` is present and non-empty in vault's config.yaml,
- * `false` otherwise (missing vault, missing config.yaml, empty value).
- *
- * Source-of-truth note: TOTP storage is the vault's, not the hub's. See the
- * module-level doc comment.
+ * `true` when a second factor is configured, `false` otherwise. As of hub#473
+ * this reflects the hub.db `users.totp_secret` column (real hub-login 2FA),
+ * with the legacy vault `config.yaml` `totp_secret` as a fallback for old
+ * installs — see {@link readVaultAuthStatus} and the module-level doc comment.
  */
 export function is2FAEnrolled(
-  opts: { vaultHome?: string; status?: VaultAuthStatus } = {},
+  opts: { vaultHome?: string; hubDbPath?: string; status?: VaultAuthStatus } = {},
 ): boolean {
   const status =
-    opts.status ?? readVaultAuthStatus(opts.vaultHome ? { vaultHome: opts.vaultHome } : {});
+    opts.status ??
+    readVaultAuthStatus({
+      ...(opts.vaultHome ? { vaultHome: opts.vaultHome } : {}),
+      ...(opts.hubDbPath ? { hubDbPath: opts.hubDbPath } : {}),
+    });
   return status.hasTotp;
 }
 
@@ -71,12 +68,17 @@ export function printPublic2FAWarning(opts: Public2FAWarningOpts): boolean {
     return false;
   }
   log("");
-  log("⚠ 2FA is not enrolled. /login is now reachable on the public internet");
-  log(`  (${opts.publicUrl}/login). Anyone who guesses your password`);
-  log("  is in. Strongly recommended:");
+  log("⚠ /login is now reachable on the public internet");
+  log(`  (${opts.publicUrl}/login). Anyone who guesses your password is in.`);
+  log("");
+  log("  Turn on two-factor authentication — it adds a second wall (a one-time");
+  log("  code from your authenticator app) on top of your password:");
   log("");
   log("    parachute auth 2fa enroll");
   log("");
-  log("  Adds TOTP + backup codes. Takes 30 seconds.");
+  log("  (Or set it up in the browser at /account/2fa for a scannable QR code.)");
+  log("  Either way, also make sure your owner password is a strong one:");
+  log("");
+  log("    parachute auth set-password");
   return true;
 }

package/src/commands/expose-auth-preflight.ts

@@ -2,20 +2,34 @@
  * Post-exposure auth nudge. Runs after `parachute expose public` successfully
  * brings a tunnel up (TTY only). The tunnel is already live; this is purely
  * advisory — we never error the exposure flow regardless of what the user
- * chooses. The goal is to catch the "fresh vault, just went public, no
- * password or tokens set" trap before someone else finds it first.
+ * chooses. The goal is to catch the "fresh vault, just went public, no auth
+ * configured" trap before someone else finds it first.
  *
- * Four states we branch on, based on {@link VaultAuthStatus}:
+ * The load-bearing signal is the **owner password**. Post-pvt_*-DROP (vault
+ * #412 / hub#466), the vault `tokens` table holds only vestigial pvt_* rows;
+ * a non-zero count no longer means "API auth is configured." Access is now
+ * hub-issued JWTs, minted against the operator's identity — and minting that
+ * identity requires the owner password (browser OAuth) or the operator token
+ * that `set-password` seeds. So "has an owner password" is the single gate
+ * that tells us whether *any* authenticated access is reachable. We branch
+ * purely on password + 2FA; we no longer count vault-DB rows for the auth
+ * decision.
  *
- *   - neither password nor tokens: loud warning + offer to set up each.
- *   - password, no 2FA: shorter "recommend 2FA" nudge.
- *   - tokens but no password: OAuth isn't set up; offer to add a password.
- *   - `tokenCount === null`: couldn't read the DB; advisory only, no prompts
- *     that depend on token state.
- *   - all set: one-line "looks good" (the quiet path).
+ * Two states we branch on, based on {@link VaultAuthStatus}:
+ *
+ *   - no owner password: loud warning — the exposure is wide open. Offer to
+ *     set a password, and point at the hub-JWT mint path for clients.
+ *   - password set, no 2FA: one-line "looks good" + offer to enroll hub-login
+ *     TOTP (real as of hub#473) since the box is now public.
+ *   - password + 2FA set: one-line "looks good, 2FA on."
+ *
+ * `parachute auth 2fa enroll` is the real hub-login TOTP path now (hub#473) —
+ * it gates `/login` for real, so the preflight offers it when the operator has
+ * a password but no second factor.
  *
  * Defaults are always "skip" — Enter declines every prompt. User can always
- * run `parachute auth …` or `parachute vault tokens create` later.
+ * run `parachute auth set-password` / `parachute auth 2fa enroll` /
+ * `parachute auth mint-token …` later.
  */
 
 import { createInterface } from "node:readline/promises";
@@ -100,16 +114,47 @@ async function offerOwnerPassword(r: Resolved): Promise<void> {
   }
 }
 
+/**
+ * Offer to enroll hub-login TOTP 2FA (real as of hub#473). Interactive enroll
+ * needs to print a secret + prompt for a confirm code, so we run the real CLI
+ * command inheriting stdio. Declining is fine — the operator can run it later.
+ */
 async function offerTotp(r: Resolved): Promise<void> {
-  if (await yesNo(r, "Enable TOTP 2FA now?")) {
+  r.log("");
+  r.log("Add two-factor authentication? It puts a one-time code (from your");
+  r.log("authenticator app) in front of /login on top of your password.");
+  if (await yesNo(r, "Set up two-factor authentication now?")) {
     await runCmd(r, ["parachute", "auth", "2fa", "enroll"], "parachute auth 2fa enroll");
+  } else {
+    r.log("");
+    r.log("You can enroll later: `parachute auth 2fa enroll` (or /account/2fa in a browser).");
   }
 }
 
-async function offerTokenCreate(r: Resolved): Promise<void> {
-  if (await yesNo(r, "Create an API token now?")) {
-    await runCmd(r, ["parachute", "vault", "tokens", "create"], "parachute vault tokens create");
-  }
+/** One-line confirmation that 2FA is already on. */
+function note2faOn(r: Resolved): void {
+  r.log("✓  Two-factor authentication is on.");
+}
+
+/**
+ * Programmatic / headless clients don't use a password — they carry a
+ * hub-issued JWT. We don't auto-mint one here (it needs a scope, and the
+ * operator should choose read vs write per client), so this is guidance,
+ * not a prompt. Mint paths, in order of how most operators reach them:
+ *
+ *   - Admin SPA → Vaults → "Connect" card (mints + shows the header command).
+ *   - `parachute auth mint-token --scope vault:<name>:<verb>` (pipeable JWT).
+ *
+ * The old affordance ran `parachute vault tokens create`, which exits 1
+ * post-DROP (vault no longer mints pvt_* tokens) — we never offer it.
+ */
+function printTokenGuidance(r: Resolved): void {
+  const name = r.status.vaultNames[0] ?? "<name>";
+  r.log("");
+  r.log("For programmatic / headless clients (scripts, CI), mint a hub token:");
+  r.log("  • Admin → Vaults → Connect  (mints a scope-narrow token + copy-paste header)");
+  r.log(`  • parachute auth mint-token --scope vault:${name}:read   # or :write`);
+  r.log("    → attach the printed JWT as  Authorization: Bearer <hub-jwt>");
 }
 
 function printDivider(r: Resolved): void {
@@ -118,86 +163,58 @@ function printDivider(r: Resolved): void {
 }
 
 /**
- * `neither password nor tokens`: the exposure is wide open — anyone who
- * finds the URL can talk to the vault. The loudest warning we draw.
+ * `no owner password`: the exposure is wide open — without a password,
+ * nobody can sign in and no hub JWT can be minted, so there's no auth gate
+ * at all. The loudest warning we draw.
  */
 async function handleWideOpen(r: Resolved): Promise<void> {
   printDivider(r);
-  r.log("⚠  No owner password and no API tokens are configured.");
+  r.log("⚠  No owner password is configured.");
   r.log("   The tunnel is reachable from the public internet RIGHT NOW.");
   r.log("   Anyone with the URL can make requests until you set auth up.");
   r.log("");
-  r.log("Recommended: set an owner password (enables the browser sign-in flow)");
-  r.log("and/or create an API token (for programmatic clients).");
+  r.log("Recommended: set an owner password — it's the gate for both browser");
+  r.log("sign-in (OAuth) and minting hub tokens for programmatic clients.");
   r.log("");
   await offerOwnerPassword(r);
-  // Offer 2FA regardless of the password step outcome: we can't observe it
-  // from outside the subprocess, and vault itself will reject a 2fa enroll
-  // if there's no password yet, surfacing the real error to the user.
+  // Programmatic-client guidance is informational (no auto-mint) — print it
+  // so the operator knows the headless path exists, not the dead pvt_* one.
+  printTokenGuidance(r);
+  // Offer real hub-login 2FA (hub#473) — the box is public now.
   await offerTotp(r);
-  await offerTokenCreate(r);
   printDivider(r);
 }
 
 /**
- * `password set, no 2FA`: the common case where the user did the obvious
- * thing but hasn't opted into the stronger factor yet. Short nudge.
+ * `password set, no 2FA`: the operator has a password but no second factor.
+ * One-line confirmation, then offer to enroll TOTP since the box is public.
  */
-async function handlePasswordNoTotp(r: Resolved): Promise<void> {
+async function handlePasswordSetNo2fa(r: Resolved): Promise<void> {
   r.log("");
   r.log("✓  Owner password is set.");
-  r.log("   Consider also enabling 2FA for defense-in-depth.");
   await offerTotp(r);
 }
 
 /**
- * `tokens exist, no password`: vault is authenticated for API clients but
- * nobody can sign in through a browser — the hub's OAuth flow is dead in
- * the water. Offer to fix.
+ * `password + 2FA set`: the operator did everything. Two-line confirmation.
  */
-async function handleTokensNoPassword(r: Resolved): Promise<void> {
+function handleFullyConfigured(r: Resolved): void {
   r.log("");
-  r.log("ℹ  API tokens exist, but no owner password is set.");
-  r.log("   Browser sign-in (OAuth) won't work until you add one.");
-  await offerOwnerPassword(r);
-}
-
-/**
- * `tokenCount === null`: SQLite probe failed (DB missing, locked, schema
- * drift, whatever). Don't guess; don't prompt on token state. Nudge 2FA
- * if we know the password is set, otherwise stay quiet.
- */
-async function handleUnknownTokens(r: Resolved): Promise<void> {
-  r.log("");
-  r.log("ℹ  Couldn't read vault token state (vault may be locked or offline).");
-  r.log("   Run `parachute vault tokens list` to check token config yourself.");
-  if (r.status.hasOwnerPassword && !r.status.hasTotp) {
-    r.log("");
-    r.log("   (While you're here: owner password is set, 2FA is not.)");
-    await offerTotp(r);
-  }
-}
-
-/**
- * `all set`: password + 2FA + at least one token. Keep it tight.
- */
-function handleAllGood(r: Resolved): void {
-  r.log("");
-  r.log("✓  Auth config looks good (password + 2FA + API tokens).");
+  r.log("✓  Owner password is set.");
+  note2faOn(r);
 }
 
 /**
  * Pick the branch. Pure function of the status — keeps test coverage trivial.
+ *
+ * Owner-password-centric since the pvt_* DROP (hub#466): `tokenCount` is no
+ * longer consulted. Real hub-login 2FA (hub#473) re-introduces the 2FA branch:
+ * three states — wide-open, password-but-no-2FA, fully-configured.
  */
-function classify(
-  s: VaultAuthStatus,
-): "wide-open" | "password-no-totp" | "tokens-no-password" | "unknown-tokens" | "all-good" {
-  if (s.tokenCount === null) return "unknown-tokens";
-  const hasTokens = s.tokenCount > 0;
-  if (!s.hasOwnerPassword && !hasTokens) return "wide-open";
-  if (!s.hasOwnerPassword && hasTokens) return "tokens-no-password";
-  if (s.hasOwnerPassword && !s.hasTotp) return "password-no-totp";
-  return "all-good";
+function classify(s: VaultAuthStatus): "wide-open" | "password-no-2fa" | "fully-configured" {
+  if (!s.hasOwnerPassword) return "wide-open";
+  if (!s.hasTotp) return "password-no-2fa";
+  return "fully-configured";
 }
 
 export async function runAuthPreflight(opts: AuthPreflightOpts = {}): Promise<void> {
@@ -206,17 +223,11 @@ export async function runAuthPreflight(opts: AuthPreflightOpts = {}): Promise<vo
     case "wide-open":
       await handleWideOpen(r);
       return;
-    case "password-no-totp":
-      await handlePasswordNoTotp(r);
-      return;
-    case "tokens-no-password":
-      await handleTokensNoPassword(r);
-      return;
-    case "unknown-tokens":
-      await handleUnknownTokens(r);
+    case "password-no-2fa":
+      await handlePasswordSetNo2fa(r);
       return;
-    case "all-good":
-      handleAllGood(r);
+    case "fully-configured":
+      handleFullyConfigured(r);
       return;
   }
 }