@openparachute/hub 0.5.14-rc.2 → 0.5.14-rc.21

package/src/users.ts

@@ -144,6 +144,64 @@ function readVaultsForUser(db: Database, userId: string): string[] {
     .map((r) => r.vault_name);
 }
 
+/**
+ * The per-vault verbs a `user_vaults.role` grants. The schema's `role`
+ * column is `TEXT NOT NULL DEFAULT 'write'` and is reserved forward-compat
+ * for per-vault role granularity (see the v10 migration note in
+ * `hub-db.ts`). Today every assignment is created with `role = 'write'`, so
+ * the only live mapping is `write → {read, write}`. The function is the
+ * single place the verb-cap lives so a future role taxonomy (`read`-only,
+ * `admin`, etc.) lands here without the friend-mint path having to change.
+ *
+ * Mapping:
+ *   - `write` (today's only value)  → `["read", "write"]`
+ *   - `read`                        → `["read"]`
+ *   - anything else (unknown role)  → `[]` — fail closed. An unrecognised
+ *     role grants no minting authority rather than silently defaulting to
+ *     write. (Defense-in-depth: a hand-edited / future row with a role this
+ *     code doesn't understand should not be treated as broad write.)
+ *
+ * `admin` is intentionally NOT mapped to a `vault:<name>:admin` mint here —
+ * the friend-facing token mint is capped at read/write by design. A
+ * future per-vault-admin friend grant would route through the
+ * vault-admin-token path, not this one.
+ */
+export type VaultVerb = "read" | "write";
+
+export function vaultVerbsForRole(role: string): VaultVerb[] {
+  if (role === "write") return ["read", "write"];
+  if (role === "read") return ["read"];
+  return [];
+}
+
+/**
+ * Read the verbs a user may mint for one of their assigned vaults.
+ *
+ * Returns `null` when the user has NO `user_vaults` row for `vaultName` —
+ * i.e. the vault is not in their assignment. The caller treats `null` as a
+ * hard 403 (no minting for an unassigned vault). When a row exists, returns
+ * the verb list `vaultVerbsForRole` maps the stored role to (today always
+ * `["read", "write"]` since every assignment is `role = 'write'`).
+ *
+ * This reads the role column directly rather than going through
+ * `getUserById().assignedVaults` because that array is verb-blind — it
+ * names the vaults but not the role granted. The friend-mint authorization
+ * cap needs the role.
+ */
+export function vaultVerbsForUserVault(
+  db: Database,
+  userId: string,
+  vaultName: string,
+): VaultVerb[] | null {
+  const row = db
+    .query<{ role: string }, [string, string]>(
+      "SELECT role FROM user_vaults WHERE user_id = ? AND vault_name = ?",
+    )
+    .get(userId, vaultName);
+  if (!row) return null;
+  return vaultVerbsForRole(row.role);
+}
+
 export interface CreateUserOpts {
   /** Allow creating an additional user when one already exists. Off by default. */
   allowMulti?: boolean;

package/src/vault/auth-status.ts

@@ -1,29 +1,48 @@
 /**
- * Read-only probe of vault's auth state, for the post-exposure preflight
- * nudge. We don't want to lock the DB or mutate anything — this is a
- * one-shot "should we warn the user their vault is wide open on the public
+ * Read-only probe of operator auth state, for the post-exposure preflight
+ * nudge. We don't want to lock anything or mutate state — this is a one-
+ * shot "should we warn the user their vault is wide open on the public
  * internet?" check.
  *
- * Two sources:
- *   1. ~/.parachute/vault/config.yaml   → owner_password_hash + totp_secret
- *   2. ~/.parachute/vault/data/<name>/vault.db (SQLite) → tokens table count
+ * Three sources, checked in this order:
  *
- * The YAML path uses line-anchored regex parsing that matches vault's own
- * `readGlobalConfig()` semantics (parachute-vault src/config.ts): keys are
- * optional, quoted scalars, and empty-string / missing-key both mean "not
- * configured." We mirror that rather than bringing in a YAML dependency.
+ *   1. ~/.parachute/hub.db  →  users table (authoritative since multi-user
+ *      Phase 1, hub#252 / PRs 279–281 / 425). Hub-issued OAuth + browser
+ *      sign-in both verify against `users.password_hash`. If any user row
+ *      exists with a non-empty password_hash, the operator has an account —
+ *      "owner password set." The earliest-created user row is the canonical
+ *      operator (cf. `getFirstAdminId` in src/users.ts).
+ *   2. ~/.parachute/vault/config.yaml  →  owner_password_hash + totp_secret
+ *      (pre-multi-user Phase 1 location). Fallback for super-old installs
+ *      whose hub.db is absent or empty.
+ *   3. ~/.parachute/vault/data/<name>/vault.db (SQLite) → tokens table
+ *      count, summed across every vault instance.
  *
- * The SQLite path is best-effort: if the DB is missing, locked (vault is
- * writing), or the schema has drifted, `tokenCount` comes back as `null`
- * and the caller surfaces "token status unknown" rather than lying with a
- * false zero. The exposure flow has already succeeded by the time this
- * runs — a probe failure must never block the user's happy path.
+ * As of hub#473 the hub.db `users` table carries TOTP columns
+ * (`totp_secret` et al.) and `/login` enforces a second factor when set, so
+ * `hasTotp` now reflects the hub.db state: true when any user has a non-empty
+ * `totp_secret`. The legacy vault `config.yaml` `totp_secret` (which never
+ * gated hub `/login`) is still read as a fallback for super-old installs whose
+ * hub.db is absent, but real hub-login 2FA is the hub.db signal.
  *
- * Schema coupling note: we read the `tokens` table by name with a bare
- * COUNT(*). If vault ever renames that table, that's a breaking change on
- * vault's side and this probe is the least of the fallout. Post-launch,
- * a public `/api/auth/status` endpoint on vault (tracked separately) would
- * let us drop this coupling entirely.
+ * The YAML fallback path uses line-anchored regex parsing that matches
+ * vault's own `readGlobalConfig()` semantics (parachute-vault src/config.ts):
+ * keys are optional, quoted scalars, and empty-string / missing-key both
+ * mean "not configured." We mirror that rather than bringing in a YAML
+ * dependency.
+ *
+ * The vault-token SQLite path is best-effort: if the DB is missing,
+ * locked (vault is writing), or the schema has drifted, `tokenCount`
+ * comes back as `null` and the caller surfaces "token status unknown"
+ * rather than lying with a false zero. The exposure flow has already
+ * succeeded by the time this runs — a probe failure must never block
+ * the user's happy path.
+ *
+ * Schema coupling note: we read the `tokens` table in each vault.db by
+ * name with a bare COUNT(*). If vault ever renames that table, that's a
+ * breaking change on vault's side and this probe is the least of the
+ * fallout. Post-launch, a public `/api/auth/status` endpoint on vault
+ * (tracked separately) would let us drop this coupling entirely.
  */
 
 import { existsSync, readFileSync, readdirSync } from "node:fs";
@@ -36,9 +55,12 @@ export interface VaultAuthStatus {
   hasTotp: boolean;
   /**
    * `null` means we couldn't read the SQLite DB — distinct from "0 tokens
-   * exist." Callers branch the UI on this: `null` → "token status unknown,
-   * run `parachute vault tokens list` to check"; `0` → loud "no auth at
-   * all!" warning; `>0` → benign.
+   * exist." Post the pvt_* DROP (hub#466) the expose preflight no longer
+   * branches on this — `classify()` in expose-auth-preflight.ts gates on
+   * `hasOwnerPassword`, since access now flows through the owner password +
+   * on-demand hub JWT mint, not standing vault tokens. `tokenCount` is kept
+   * as a best-effort diagnostic only (these rows are vestigial); `null`
+   * still cleanly distinguishes "unreadable DB" from "0 rows."
    */
   tokenCount: number | null;
   /** Vault instance names discovered under data/. Empty when vault has
@@ -49,6 +71,8 @@ export interface VaultAuthStatus {
 export interface AuthStatusOpts {
   /** Override `~/.parachute/vault` for tests. */
   vaultHome?: string;
+  /** Override `~/.parachute/hub.db` for tests. */
+  hubDbPath?: string;
   /** Read a YAML file; defaults to `readFileSync(path, "utf8")`. Missing
    *  file should return `undefined` (not throw) so callers can distinguish
    *  "no password configured" from "IO error." */
@@ -60,13 +84,42 @@ export interface AuthStatusOpts {
    *  thrown error (missing, locked, schema drift) is caught by the caller
    *  and mapped to `tokenCount: null`. */
   countTokens?: (dbPath: string) => number;
+  /**
+   * Probe hub.db for "does at least one user row with a non-empty
+   * `password_hash` exist?" — the canonical "owner password is set"
+   * signal post-multi-user-Phase-1. Returning:
+   *   - `true`  → at least one user has a password_hash; hub.db is
+   *               the source of truth, YAML fallback is skipped.
+   *   - `false` → hub.db opened cleanly but users is empty (fresh
+   *               install pre-wizard); fall back to YAML.
+   *   - `undefined` → hub.db missing / unreadable / migration not yet
+   *               applied; fall back to YAML (legacy install path).
+   * The split between `false` and `undefined` matters: an empty hub.db
+   * on a fresh wizard run should NOT be allowed to mask an owner_password_hash
+   * that the operator set via vault's pre-multi-user flow. Callers that
+   * want true "I can sign in" semantics get the OR of hub.db∪YAML.
+   */
+  probeHubDbHasUserPassword?: (dbPath: string) => boolean | undefined;
+  /**
+   * Probe hub.db for "does at least one user row have a non-empty
+   * `totp_secret`?" — the canonical "real hub-login 2FA is on" signal
+   * (hub#473). Same tri-state semantics as {@link probeHubDbHasUserPassword}:
+   *   - `true`  → at least one user has TOTP enrolled.
+   *   - `false` → hub.db opened cleanly but no user has a secret.
+   *   - `undefined` → hub.db missing / unreadable / column absent (pre-v11);
+   *                   caller falls back to the legacy YAML probe.
+   */
+  probeHubDbHasTotp?: (dbPath: string) => boolean | undefined;
 }
 
 interface Resolved {
   vaultHome: string;
+  hubDbPath: string;
   readText: (path: string) => string | undefined;
   listVaultNames: (dataDir: string) => string[];
   countTokens: (dbPath: string) => number;
+  probeHubDbHasUserPassword: (dbPath: string) => boolean | undefined;
+  probeHubDbHasTotp: (dbPath: string) => boolean | undefined;
 }
 
 function defaultVaultHome(): string {
@@ -77,6 +130,11 @@ function defaultVaultHome(): string {
   return root.length > 0 ? join(root, "vault") : join(homedir(), ".parachute", "vault");
 }
 
+function defaultHubDbPath(): string {
+  const root = configDir();
+  return root.length > 0 ? join(root, "hub.db") : join(homedir(), ".parachute", "hub.db");
+}
+
 function defaultReadText(path: string): string | undefined {
   try {
     return readFileSync(path, "utf8");
@@ -112,12 +170,93 @@ function defaultCountTokens(dbPath: string): number {
   }
 }
 
+/**
+ * Open hub.db readonly and ask "does at least one user have a non-empty
+ * password_hash?" Returns `undefined` on any failure (DB missing, locked,
+ * schema drift, users table absent because migration v2 hasn't applied) —
+ * indistinguishable from "no hub.db at all," which is what the caller
+ * wants for the YAML-fallback branch.
+ *
+ * We deliberately do NOT open hub.db read-write here — `openHubDb()`
+ * would run migrations as a side effect, and this is a read probe from
+ * an unrelated command (`parachute expose`). `readonly: true` skips the
+ * WAL handshake and won't contend with the live hub server.
+ */
+function defaultProbeHubDbHasUserPassword(dbPath: string): boolean | undefined {
+  if (!existsSync(dbPath)) return undefined;
+  const { Database } = require("bun:sqlite");
+  let db: { prepare: (sql: string) => { get: () => unknown }; close: () => void } | undefined;
+  try {
+    db = new Database(dbPath, { readonly: true }) as typeof db;
+    // COUNT(*) over users with non-empty password_hash. `length(...) > 0`
+    // matches the "missing/empty hash" treatment from the YAML side.
+    //
+    // Why "any user with a hash" not "first admin specifically": friend
+    // accounts can only be created by an already-authenticated admin
+    // (per api-users.ts's host:admin gate), so any user-with-hash
+    // implies the first admin has one too. Equivalent in practice and
+    // simpler than a JOIN on earliest-created-at. A future env-seed
+    // flow that creates friend accounts before the operator sets a
+    // password would need to revisit this assumption.
+    const row = db
+      ?.prepare(
+        "SELECT COUNT(*) AS n FROM users WHERE password_hash IS NOT NULL AND length(password_hash) > 0",
+      )
+      .get() as { n: number } | null;
+    return (row?.n ?? 0) > 0;
+  } catch {
+    return undefined;
+  } finally {
+    try {
+      db?.close();
+    } catch {
+      // ignore
+    }
+  }
+}
+
+/**
+ * Open hub.db readonly and ask "does at least one user have a non-empty
+ * `totp_secret`?" — the real hub-login 2FA signal (hub#473). Returns
+ * `undefined` on any failure (DB missing, locked, or the `totp_secret` column
+ * absent because migration v11 hasn't applied) — the caller then falls back to
+ * the legacy YAML probe. Readonly open (no migration side effects) mirrors
+ * {@link defaultProbeHubDbHasUserPassword}.
+ */
+function defaultProbeHubDbHasTotp(dbPath: string): boolean | undefined {
+  if (!existsSync(dbPath)) return undefined;
+  const { Database } = require("bun:sqlite");
+  let db: { prepare: (sql: string) => { get: () => unknown }; close: () => void } | undefined;
+  try {
+    db = new Database(dbPath, { readonly: true }) as typeof db;
+    const row = db
+      ?.prepare(
+        "SELECT COUNT(*) AS n FROM users WHERE totp_secret IS NOT NULL AND length(totp_secret) > 0",
+      )
+      .get() as { n: number } | null;
+    return (row?.n ?? 0) > 0;
+  } catch {
+    // Column absent (pre-v11) or DB unreadable — indistinguishable from
+    // "no hub.db"; let the YAML fallback decide.
+    return undefined;
+  } finally {
+    try {
+      db?.close();
+    } catch {
+      // ignore
+    }
+  }
+}
+
 function resolve(opts: AuthStatusOpts): Resolved {
   return {
     vaultHome: opts.vaultHome ?? defaultVaultHome(),
+    hubDbPath: opts.hubDbPath ?? defaultHubDbPath(),
     readText: opts.readText ?? defaultReadText,
     listVaultNames: opts.listVaultNames ?? defaultListVaultNames,
     countTokens: opts.countTokens ?? defaultCountTokens,
+    probeHubDbHasUserPassword: opts.probeHubDbHasUserPassword ?? defaultProbeHubDbHasUserPassword,
+    probeHubDbHasTotp: opts.probeHubDbHasTotp ?? defaultProbeHubDbHasTotp,
   };
 }
 
@@ -134,7 +273,12 @@ function matchQuotedKey(yaml: string, key: string): string | undefined {
   return captured;
 }
 
-function readGlobalAuth(r: Resolved): { hasOwnerPassword: boolean; hasTotp: boolean } {
+interface AuthSignals {
+  hasOwnerPassword: boolean;
+  hasTotp: boolean;
+}
+
+function readYamlAuth(r: Resolved): AuthSignals {
   const yaml = r.readText(join(r.vaultHome, "config.yaml"));
   if (yaml === undefined) return { hasOwnerPassword: false, hasTotp: false };
   return {
@@ -143,6 +287,37 @@ function readGlobalAuth(r: Resolved): { hasOwnerPassword: boolean; hasTotp: bool
   };
 }
 
+/**
+ * Combine the hub.db probe + the legacy YAML probe into a single auth-signals
+ * read. Logic:
+ *
+ *   - hub.db says yes → operator has an account in the canonical store;
+ *     report `hasOwnerPassword: true`. TOTP is reported per the YAML probe
+ *     (so a legacy operator who set both YAML password + YAML totp_secret,
+ *     then migrated to a hub.db user, still surfaces "TOTP is on" — we
+ *     don't have a hub-side TOTP column yet, hub#252 Phase 3 lands it).
+ *   - hub.db says no AND was reachable → users table is empty, no hub
+ *     account exists yet. Fall back to YAML for both signals — a pre-
+ *     multi-user install would have its password in YAML.
+ *   - hub.db unreachable → can't tell, fall back to YAML entirely.
+ *
+ * Net effect: `hasOwnerPassword` is the OR of (hub.db has a user with a
+ * password) ∪ (YAML has owner_password_hash). Either source counts.
+ */
+function readAuthSignals(r: Resolved): AuthSignals {
+  const yaml = readYamlAuth(r);
+  const hubDbHasUser = r.probeHubDbHasUserPassword(r.hubDbPath);
+  const hasOwnerPassword = hubDbHasUser === true ? true : yaml.hasOwnerPassword;
+  // Real hub-login 2FA (hub#473): read hub.db's totp_secret. `undefined` (DB
+  // missing / pre-v11 column absent) falls back to the legacy YAML totp_secret
+  // — that one never gated hub `/login`, but suppressing the warning for an
+  // operator who set it avoids nagging. A definitive hub.db `false` (column
+  // present, no user enrolled) overrides a stale YAML true.
+  const hubDbHasTotp = r.probeHubDbHasTotp(r.hubDbPath);
+  const hasTotp = hubDbHasTotp === undefined ? yaml.hasTotp : hubDbHasTotp;
+  return { hasOwnerPassword, hasTotp };
+}
+
 /**
  * Sum token counts across every vault instance found under data/. If any
  * probe throws (missing DB, locked, schema drift), the whole result
@@ -171,7 +346,7 @@ function readTotalTokenCount(r: Resolved, vaultNames: string[]): number | null {
 
 export function readVaultAuthStatus(opts: AuthStatusOpts = {}): VaultAuthStatus {
   const r = resolve(opts);
-  const { hasOwnerPassword, hasTotp } = readGlobalAuth(r);
+  const { hasOwnerPassword, hasTotp } = readAuthSignals(r);
   const dataDir = join(r.vaultHome, "data");
   const vaultNames = r.listVaultNames(dataDir);
   const tokenCount = readTotalTokenCount(r, vaultNames);

package/src/vault-hub-origin-env.ts

@@ -0,0 +1,163 @@
+/**
+ * Persist the resolved hub PUBLIC origin into `<configDir>/vault/.env` so the
+ * launchd / systemd daemon validates hub-minted JWTs against it.
+ *
+ * The OAuth issuer-mismatch P0 (this module's reason to exist): hub stamps the
+ * public origin (e.g. `https://parachute-x.ts.net`) on every JWT it mints.
+ * Vault, as the resource server, validates the `iss` claim against
+ * `getHubOrigin()` (`parachute-vault/src/hub-jwt.ts`), which reads ONLY
+ * `PARACHUTE_HUB_ORIGIN` from its process env and falls back to loopback
+ * `http://127.0.0.1:1939` when unset.
+ *
+ * `parachute start|restart vault` injects `PARACHUTE_HUB_ORIGIN` into the
+ * *spawn* env (see `commands/lifecycle.ts`). But the real-world boot path on an
+ * owner-operated box is the autostart daemon: `parachute-vault init` registers
+ * a launchd agent (macOS) / systemd unit (Linux) with `KeepAlive`/`Restart`,
+ * and that daemon boots vault out-of-band via `~/.parachute/vault/start.sh`.
+ * The wrapper sources `~/.parachute/vault/.env` and never reads expose-state,
+ * and the launchd plist carries no `EnvironmentVariables`. So on every reboot
+ * or crash-restart, launchd starts vault with NO `PARACHUTE_HUB_ORIGIN`, vault
+ * falls back to loopback, and every token stamped with the public FQDN fails
+ * the `iss` check → `HubJwtError('issuer')` → 401 on every OAuth/MCP reconnect.
+ * Bricks team onboarding on any exposed deploy.
+ *
+ * The durable fix: write `PARACHUTE_HUB_ORIGIN` into `vault/.env` so the daemon
+ * boot path picks it up too. Mirrors `auto-wire.ts`'s vault-.env writes
+ * (SCRIBE_AUTH_TOKEN / SCRIBE_URL) — hub owns these keys, vault's boot wrapper
+ * reads them.
+ */
+import { join } from "node:path";
+import { parseEnvFile, removeEnvLine, upsertEnvLine, writeEnvFile } from "./env-file.ts";
+import { EXPOSE_STATE_PATH, readExposeState } from "./expose-state.ts";
+import { HUB_ORIGIN_ENV } from "./hub-origin.ts";
+
+/**
+ * Loopback origins (`http://127.0.0.1:<port>`, `localhost`, `[::1]`) are the
+ * local-dev fallback `deriveHubOrigin` returns when no exposure is active. We
+ * never *persist* one — baking a loopback value into `.env` would SHADOW a
+ * later exposure on the daemon boot path (which has no other source of truth),
+ * recreating the exact `iss` mismatch this fix prevents. Worse than absent.
+ */
+export function isLoopbackOrigin(origin: string): boolean {
+  try {
+    // URL.hostname keeps IPv6 in bracket form (`[::1]`); strip them so the
+    // comparison is on the bare address.
+    const hostname = new URL(origin).hostname.replace(/^\[|\]$/g, "");
+    // `0.0.0.0` is a bind-all wildcard, not a reachable origin — `deriveHubOrigin`
+    // never emits it, but `--hub-origin http://0.0.0.0:1939` flows straight
+    // through `persistVaultHubOrigin`. Baking it into vault/.env would advertise
+    // a non-functional issuer and recreate the iss-mismatch class this guard
+    // exists to prevent. Refuse it like any other loopback.
+    return (
+      hostname === "127.0.0.1" ||
+      hostname === "localhost" ||
+      hostname === "::1" ||
+      hostname === "0.0.0.0"
+    );
+  } catch {
+    return false;
+  }
+}
+
+function vaultEnvPath(configDir: string): string {
+  return join(configDir, "vault", ".env");
+}
+
+/**
+ * Upsert `PARACHUTE_HUB_ORIGIN=<origin>` into `vault/.env` when `origin` is a
+ * non-loopback public origin. Idempotent — skips the write (and the log) when
+ * the value is already current so repeated `start`s don't churn the file.
+ * Returns true iff the file was written this call.
+ */
+export function persistVaultHubOrigin(
+  configDir: string,
+  origin: string,
+  log: (line: string) => void,
+): boolean {
+  if (isLoopbackOrigin(origin)) return false;
+  const path = vaultEnvPath(configDir);
+  const parsed = parseEnvFile(path);
+  if (parsed.values[HUB_ORIGIN_ENV] === origin) return false;
+  writeEnvFile(path, upsertEnvLine(parsed.lines, HUB_ORIGIN_ENV, origin));
+  log(`  persisted ${HUB_ORIGIN_ENV}=${origin} to ${path} (survives daemon restart)`);
+  return true;
+}
+
+/**
+ * Drop a previously-persisted `PARACHUTE_HUB_ORIGIN` from `vault/.env`. Called
+ * on `expose … off`: once exposure is torn down, a local-only hub mints tokens
+ * with a loopback `iss`, so a stale public origin left in `.env` would itself
+ * cause the mismatch. Removing the line reverts vault to its loopback default
+ * (`getHubOrigin`), which matches what the local hub now stamps. No-op (returns
+ * false) when the key isn't present. Returns true iff the file was rewritten.
+ */
+export function clearVaultHubOrigin(configDir: string, log: (line: string) => void): boolean {
+  const path = vaultEnvPath(configDir);
+  const parsed = parseEnvFile(path);
+  if (parsed.values[HUB_ORIGIN_ENV] === undefined) return false;
+  writeEnvFile(path, removeEnvLine(parsed.lines, HUB_ORIGIN_ENV));
+  log(`  cleared ${HUB_ORIGIN_ENV} from ${path} (exposure torn down)`);
+  return true;
+}
+
+/**
+ * The public origin a live exposure advertises, or undefined when no exposure
+ * is active. Both the Tailscale and Cloudflare expose paths populate
+ * `expose-state.json` with a `hubOrigin` (the URL stamped into OAuth tokens'
+ * `iss` claim); older state files predating Phase 0 may carry only
+ * `canonicalFqdn`, so we synthesize `https://<fqdn>` as a fallback. Loopback /
+ * empty values resolve to undefined — there's no public origin to persist.
+ */
+export function publicOriginFromExposeState(
+  exposeStatePath: string = EXPOSE_STATE_PATH,
+): string | undefined {
+  let state: ReturnType<typeof readExposeState>;
+  try {
+    state = readExposeState(exposeStatePath);
+  } catch {
+    // A malformed expose-state must never block a vault start — treat it as
+    // "no exposure" and let the loopback default stand.
+    return undefined;
+  }
+  if (!state) return undefined;
+  const origin = state.hubOrigin ?? (state.canonicalFqdn ? `https://${state.canonicalFqdn}` : "");
+  if (!origin || isLoopbackOrigin(origin)) return undefined;
+  return origin.replace(/\/+$/, "");
+}
+
+/**
+ * Self-heal vault's persisted `PARACHUTE_HUB_ORIGIN` from `expose-state.json`.
+ *
+ * The bug this closes (the Cloudflare 401 P0): on a Cloudflare-tunnel deploy the
+ * expose path writes a public `hubOrigin` into `expose-state.json`, but — unlike
+ * the Tailscale path, which auto-restarts vault and so flows the public origin
+ * into `vault/.env` via `persistVaultHubOrigin` — it never wrote vault's `.env`.
+ * So the launchd / systemd daemon kept booting vault with NO `PARACHUTE_HUB_ORIGIN`,
+ * vault fell back to loopback as its expected issuer, and every hub-minted token
+ * (whose `iss` is the public origin) failed the `iss` check → 401 on every vault
+ * request → "You're not signed in to the hub."
+ *
+ * Called on `parachute start|restart vault`: when expose-state advertises a
+ * public origin AND vault's persisted value is unset or loopback, write the
+ * public origin. Existing broken deploys self-correct on the next restart, not
+ * just fresh ones. We deliberately do NOT overwrite a *different* non-loopback
+ * value already in `.env` — that could be a deliberate `--hub-origin` override;
+ * `persistVaultHubOrigin` (the explicit, resolved-origin path) owns that case.
+ *
+ * Returns true iff `.env` was written this call.
+ */
+export function selfHealVaultHubOrigin(
+  configDir: string,
+  log: (line: string) => void,
+  exposeStatePath: string = EXPOSE_STATE_PATH,
+): boolean {
+  const publicOrigin = publicOriginFromExposeState(exposeStatePath);
+  if (!publicOrigin) return false;
+  const current = parseEnvFile(vaultEnvPath(configDir)).values[HUB_ORIGIN_ENV];
+  // Only heal the broken shapes: unset (daemon falls back to loopback) or an
+  // already-persisted loopback (a value that itself causes the iss mismatch).
+  // A current public value — including one equal to publicOrigin — is left to
+  // persistVaultHubOrigin's idempotent path so we don't double-log.
+  if (current !== undefined && !isLoopbackOrigin(current)) return false;
+  return persistVaultHubOrigin(configDir, publicOrigin, log);
+}

package/web/ui/dist/assets/index-BiBlvEaj.css

@@ -0,0 +1 @@
+:root{--bg: #faf8f4;--bg-soft: #f3f0ea;--fg: #2c2a26;--fg-muted: #6b6860;--fg-dim: #9a9690;--accent: #4a7c59;--accent-soft: rgba(74, 124, 89, .08);--accent-hover: #3d6849;--border: #e4e0d8;--border-light: #ece9e2;--card-bg: #ffffff;--error: #a3392b;--error-soft: rgba(163, 57, 43, .08);--warn: #b08023;--warn-soft: rgba(176, 128, 35, .08);--success: #3d6849;--success-soft: rgba(61, 104, 73, .08);--font-serif: Georgia, "Times New Roman", serif;--font-sans: -apple-system, BlinkMacSystemFont, "Segoe UI", system-ui, sans-serif;--font-mono: ui-monospace, "SF Mono", Menlo, Monaco, "Cascadia Mono", monospace;font-family:var(--font-sans)}*{box-sizing:border-box}html,body{margin:0;padding:0;background:var(--bg);color:var(--fg)}a{color:var(--accent);text-decoration:none}a:hover{text-decoration:underline}button{font:inherit;background:var(--accent);color:#fff;border:0;border-radius:6px;padding:.55rem 1.1rem;cursor:pointer;transition:background .15s ease}button:hover{background:var(--accent-hover)}button:disabled{opacity:.5;cursor:not-allowed}button.secondary{background:#fff;color:var(--fg);border:1px solid var(--border)}button.secondary:hover{background:var(--bg-soft)}input,select,textarea{font:inherit;background:#fff;border:1px solid var(--border);border-radius:6px;padding:.55rem .75rem;color:var(--fg)}input:focus,select:focus,textarea:focus{outline:none;border-color:var(--accent)}code{font-family:var(--font-mono);font-size:.85em;background:var(--bg-soft);padding:.1em .3em;border-radius:3px}.page{max-width:880px;margin:0 auto;padding:1.5rem 1.5rem 6rem}.nav{display:flex;flex-wrap:wrap;gap:.6rem 1rem;align-items:center;padding-bottom:1rem;border-bottom:1px solid var(--border);margin-bottom:2rem}.nav .brand{font-weight:600;font-family:var(--font-serif);font-size:1.15rem;margin-right:auto;display:inline-flex;align-items:center;gap:.45rem;color:var(--accent);text-decoration:none}.nav .brand:hover{color:var(--accent-hover);text-decoration:none}.nav .brand-mark-icon{flex-shrink:0;line-height:0}.nav .brand-wordmark{color:var(--fg);letter-spacing:-.005em}.nav .brand .sub{color:var(--fg-dim);font-size:.78rem;font-weight:400;margin-left:.4rem;font-family:var(--font-sans)}.nav a{color:var(--fg-muted);font-size:.95rem}.nav a:hover{text-decoration:none;color:var(--fg)}.nav a.nav-link-active{color:var(--accent);font-weight:500;text-decoration:underline;text-underline-offset:.3em;text-decoration-thickness:2px}.nav .nav-divider{display:inline-block;width:1px;height:1.1em;background:var(--border);align-self:center}.nav .nav-dropdown{position:relative}.nav .nav-dropdown-summary{list-style:none;cursor:pointer;color:var(--fg-muted);font-size:.95rem;-webkit-user-select:none;user-select:none}.nav .nav-dropdown-summary::-webkit-details-marker{display:none}.nav .nav-dropdown-summary:hover{color:var(--fg)}.nav .nav-dropdown[open]>.nav-dropdown-summary{color:var(--fg)}.nav .nav-dropdown-summary:after{content:" ▾";font-size:.7em;color:var(--fg-dim)}.nav .nav-dropdown-panel{position:absolute;top:calc(100% + .4rem);left:0;z-index:10;min-width:12rem;background:var(--card-bg);border:1px solid var(--border);border-radius:8px;box-shadow:0 4px 12px #00000014;padding:.4rem 0;display:flex;flex-direction:column}.nav .nav-dropdown-item{padding:.4rem .85rem;color:var(--fg);font-size:.9rem;text-decoration:none}.nav .nav-dropdown-item:hover{background:var(--bg-soft);color:var(--fg);text-decoration:none}.nav .nav-dropdown-item-disabled{color:var(--fg-dim);cursor:not-allowed}.nav .nav-dropdown-item-disabled:hover{background:transparent;color:var(--fg-dim)}.nav .auth-spa{font-size:.85rem;color:var(--fg-muted)}.nav .auth-spa strong{font-weight:600;color:var(--fg)}.nav .auth-spa-signout{background:none;border:none;padding:0;color:var(--accent);font:inherit;cursor:pointer;text-decoration:underline;text-decoration-thickness:1px;text-underline-offset:2px}.nav .auth-spa-signout:hover:not(:disabled){color:var(--accent-hover)}.nav .auth-spa-signout:disabled{color:var(--fg-dim);cursor:not-allowed}h1{margin:0 0 .5rem;font-family:var(--font-serif);font-size:1.85rem;font-weight:400;letter-spacing:-.01em;line-height:1.2;color:var(--fg)}h2{margin:0 0 1rem;font-size:1.4rem;font-weight:500}.muted{color:var(--fg-muted);font-size:.92rem}.dim{color:var(--fg-dim);font-size:.85rem}.error-banner{background:var(--error-soft);border:1px solid var(--error);color:var(--error);padding:.75rem 1rem;border-radius:8px;margin-bottom:1rem;font-size:.9rem}.warn-banner{background:var(--warn-soft);border:1px solid var(--warn);color:var(--warn);padding:.75rem 1rem;border-radius:8px;margin-bottom:1rem;font-size:.9rem}.empty{padding:3rem 1.5rem;text-align:center;color:var(--fg-muted);background:var(--bg-soft);border-radius:10px}@keyframes pc-loading-pulse{0%,to{opacity:.55}50%{opacity:1}}[data-loading=true]{animation:pc-loading-pulse 1.4s ease-in-out infinite}.user-table tbody tr,.tokens-table tbody tr{transition:background-color .12s ease}.user-table tbody tr:hover,.tokens-table tbody tr:hover{background:var(--bg-soft)}@keyframes pc-route-fade-up{0%{opacity:0;transform:translateY(6px)}to{opacity:1;transform:translateY(0)}}[data-route-content]{animation:pc-route-fade-up .32s ease forwards}@media(prefers-reduced-motion:reduce){[data-loading=true],[data-route-content]{animation:none}}.table-scroll{overflow-x:auto;-webkit-overflow-scrolling:touch;background:linear-gradient(to right,var(--card-bg),var(--card-bg)) left center / 20px 100% no-repeat,linear-gradient(to right,#2c2a2614,#2c2a2600) left center / 8px 100% no-repeat,linear-gradient(to left,var(--card-bg),var(--card-bg)) right center / 20px 100% no-repeat,linear-gradient(to left,#2c2a2614,#2c2a2600) right center / 8px 100% no-repeat;background-attachment:local,scroll,local,scroll}.table-scroll>table{min-width:100%}.empty-rich{text-align:left;padding:2rem 1.75rem;background:#fff;border:1px solid var(--border)}.empty-rich .empty-headline{font-size:1.05rem;color:var(--fg);margin:0 0 .5rem;font-weight:500}.list-header{display:flex;align-items:baseline;justify-content:space-between;gap:1rem;margin-bottom:1rem}.list-header h1,.list-header h2{margin:0}.tag{display:inline-block;padding:.1em .55em;background:var(--accent-soft);color:var(--accent);border-radius:4px;font-size:.78rem;font-weight:500}.tag.muted{background:var(--bg-soft);color:var(--fg-muted)}.tag.source-oauth{background:#4a7cc61f;color:#3b6aa6}.tag.source-operator{background:#c6984a24;color:#8a5e1f}.tag.source-cli{background:#4a7c5924;color:#2f5a3f}.tag.source-unknown{background:var(--bg-soft);color:var(--fg-muted)}@media(prefers-color-scheme:dark){.tag.source-oauth{background:#7a9cdc24;color:#9bb6d8}.tag.source-operator{background:#dcb46e24;color:#d4b27a}.tag.source-cli{background:#7ab08a24;color:#8fc49e}.tag.source-unknown{background:#e8e4dc0f;color:#a8a49a}}.vault-row{display:flex;align-items:center;gap:1rem;padding:.85rem 1rem;background:#fff;border:1px solid var(--border);border-radius:8px;margin-bottom:.5rem;text-decoration:none;color:inherit;transition:border-color .15s ease}.vault-row:hover{border-color:var(--accent);text-decoration:none}.vault-row .body{flex:1;min-width:0}.vault-row .name{display:flex;align-items:center;gap:.5rem;flex-wrap:wrap}.vault-row .name code{font-size:.95em}.vault-row .url{margin-top:.25rem;word-break:break-all}.vault-row .chev{color:var(--fg-dim);font-size:1.2rem}.vault-row-group{margin-bottom:.5rem}.vault-row-group .vault-row{margin-bottom:0}.vault-row-actions{display:flex;gap:.5rem;align-items:center;flex-shrink:0}.mcp-connect-card{background:var(--bg-soft);border:1px solid var(--border);border-radius:8px;padding:1.1rem 1.25rem;margin:0 0 .5rem}.mcp-connect-card-embedded{background:#fff;margin-bottom:0}.mcp-connect-card h3{margin:0 0 .4rem;font-size:1rem}.mcp-connect-card>p{margin-top:0}.mcp-connect-card .token-box{display:flex;align-items:center;gap:.5rem;margin:.35rem 0 .25rem}.mcp-connect-card .token-box code{flex:1;font-size:.85rem;padding:.55rem .7rem;background:#fff;border:1px solid var(--border);border-radius:6px;word-break:break-all;-webkit-user-select:all;user-select:all}.mcp-field{margin-top:.9rem}.mcp-field-label{display:block;font-size:.82rem;font-weight:600;color:var(--fg-muted)}.mcp-field .dim{margin:.3rem 0 0}.mcp-token-path{margin-top:1rem;border-top:1px solid var(--border);padding-top:.75rem}.mcp-token-path>summary{cursor:pointer;font-size:.9rem;color:var(--fg-muted)}.mcp-token-path>summary:hover{color:var(--accent)}.mcp-token-path .mint-banner{margin-top:.75rem;margin-bottom:0}.mcp-docs-link{margin:.9rem 0 0}form .row{margin-bottom:1rem}form label{display:block;font-size:.9rem;color:var(--fg-muted);margin-bottom:.3rem;font-weight:500}form input[type=text]{width:100%}form .actions{display:flex;gap:.6rem;align-items:center;margin-top:1rem}form .field-hint{margin-top:.35rem;font-size:.82rem;color:var(--fg-dim)}form .field-error{margin-top:.35rem;font-size:.85rem;color:var(--error)}.section{background:#fff;border:1px solid var(--border);border-radius:10px;padding:1.25rem 1.5rem;margin-bottom:1.5rem}.mint-banner{background:var(--success-soft);border:1px solid var(--success);border-radius:10px;padding:1.25rem 1.5rem;margin-bottom:1.5rem}.mint-banner h3{margin:0 0 .5rem;font-size:1rem;color:var(--success)}.mint-banner .token-box{display:flex;align-items:center;gap:.5rem;margin:.85rem 0 .5rem}.mint-banner code{flex:1;font-size:.9rem;padding:.6rem .75rem;background:#fff;border:1px solid var(--border);word-break:break-all;-webkit-user-select:all;user-select:all}.mint-banner .warn{margin:.75rem 0 0;font-size:.85rem;color:var(--warn)}.mint-banner .actions{margin-top:1rem;display:flex;gap:.5rem}.kv{display:grid;grid-template-columns:8.5rem 1fr;gap:.5rem 1rem;font-size:.92rem}.kv>div:nth-child(odd){color:var(--fg-muted)}.kv code{word-break:break-all}.channel-toggle{margin:1.25rem 0 1.5rem;padding:.75rem 1rem;border:1px solid var(--border, #ddd);border-radius:6px;background:var(--bg-soft, #fafafa)}.channel-toggle legend{padding:0 .25rem;font-weight:600;font-size:.95rem}.channel-toggle label{display:inline-flex;align-items:center;gap:.4rem;margin-right:1.5rem;cursor:pointer;font-size:.95rem}.channel-toggle label input[type=radio]:disabled+*{opacity:.5}.channel-toggle code{font-size:.85em}.channel-toggle p.muted{margin:.4rem 0 0;font-size:.85rem}.module-config{display:flex;flex-direction:column;gap:1.25rem}.module-config-header h1{margin-bottom:.35rem}.module-config-form fieldset{border:0;padding:0;margin:0;display:flex;flex-direction:column;gap:1rem}.module-config-form .field{display:flex;flex-direction:column;gap:.25rem}.module-config-form .field input,.module-config-form .field select,.module-config-form .field textarea{width:100%}.module-config-form .field-inline{flex-direction:row;align-items:center;flex-wrap:wrap;gap:.5rem}.module-config-form .field-inline label{display:inline-flex;align-items:center;gap:.5rem}.module-config-form .field-inline .field-hint{flex-basis:100%;margin-left:1.6rem}.module-config-form .field-invalid input,.module-config-form .field-invalid select,.module-config-form .field-invalid textarea{border-color:var(--error)}.module-config-form .actions{display:flex;gap:.6rem;align-items:center;margin-top:.5rem}.module-config-form .actions button.destructive{background:#fff;color:var(--fg);border:1px solid var(--border)}.module-config-form .actions button.destructive:hover{background:var(--bg-soft)}.module-config-form .banner{margin:0;padding:.75rem 1rem;border-radius:6px;border:1px solid transparent;font-size:.9rem}.module-config-form .banner-success{background:var(--success-soft);border-color:var(--success);color:var(--success)}.module-config-form .banner-success p,.module-config-form .banner-success ul{margin:.4rem 0 0}.module-config-form .banner-error{background:var(--error-soft, rgba(163, 57, 43, .08));border-color:var(--error);color:var(--error)}.modules-installed,.modules-installable{margin-top:1.75rem}.modules-installed>h2,.modules-installable>h2{font-size:1.15rem;font-weight:600;margin:0 0 .75rem;color:var(--fg)}.modules-installed>p.muted,.modules-installable>p.muted{margin:0 0 .5rem}.install-list{list-style:none;padding:0;margin:0;display:flex;flex-direction:column;gap:.6rem}.install-card{display:flex;flex-direction:row;align-items:center;gap:1rem;flex-wrap:wrap;padding:.85rem 1rem;background:#fff;border:1px solid var(--border);border-radius:8px;transition:border-color .15s ease}.install-card:hover{border-color:var(--accent)}.install-card-body{flex:1 1 0;min-width:0}.install-card-body h3{margin:0 0 .2rem;font-size:1rem;font-weight:600;color:var(--fg)}.install-card-body .tagline{margin:0 0 .35rem;color:var(--fg-muted);font-size:.92rem}.install-card-meta{margin:0;font-size:.82rem}.install-card-actions{flex:0 0 auto}.install-card .error{flex-basis:100%;margin-top:.5rem;color:var(--error);font-size:.85rem}.module-row .actions .btn,a.btn{display:inline-block;font:inherit;background:var(--accent);color:#fff;border:0;border-radius:6px;padding:.55rem 1.1rem;cursor:pointer;transition:background .15s ease;text-decoration:none}.module-row .actions .btn:hover,a.btn:hover{background:var(--accent-hover);text-decoration:none}.module-uis{margin:.5rem 0 0;padding:.5rem 0 0;border-top:1px solid var(--border-light)}.module-uis>summary{cursor:pointer;font-size:.88rem;color:var(--fg-muted);font-weight:500;padding:.15rem 0;list-style:revert}.module-uis>summary:hover{color:var(--fg)}.ui-sub-units{list-style:none;padding:0;margin:.5rem 0 0 1.1rem;display:flex;flex-direction:column;gap:.35rem}.ui-sub-unit{display:flex;flex-direction:row;align-items:center;gap:.65rem;padding:.5rem .75rem;background:var(--bg-soft);border:1px solid var(--border-light);border-radius:6px;transition:border-color .15s ease,background .15s ease}.ui-sub-unit:hover{border-color:var(--accent);background:#fff}.ui-icon{flex:0 0 auto;width:20px;height:20px;border-radius:4px;object-fit:contain}.ui-sub-unit-body{flex:1 1 0;min-width:0}.ui-sub-unit-link{color:var(--fg);font-size:.95rem;text-decoration:none}.ui-sub-unit-link:hover{color:var(--accent);text-decoration:underline}.ui-sub-unit-link strong{font-weight:600}.ui-sub-unit .tagline{margin:.2rem 0 0;font-size:.82rem;color:var(--fg-muted)}.status{flex:0 0 auto;display:inline-block;padding:.1em .55em;background:var(--bg-soft);color:var(--fg-muted);border-radius:4px;font-size:.78rem;font-weight:500;white-space:nowrap}.status-active{background:var(--success-soft);color:var(--success)}.status-pending{background:var(--warn-soft);color:var(--warn)}.status-inactive{background:var(--bg-soft);color:var(--fg-dim)}.status-failing{background:var(--error-soft);color:var(--error)}.status-absent{background:var(--bg-soft);color:var(--fg-dim)}.status-pending-oauth{background:var(--warn-soft);color:var(--warn)}.status-disabled{background:var(--bg-soft);color:var(--fg-dim)}.sr-only{position:absolute;width:1px;height:1px;padding:0;margin:-1px;overflow:hidden;clip:rect(0,0,0,0);white-space:nowrap;border:0}.hub-version-badge{margin-top:3rem;padding-top:1rem;border-top:1px solid var(--border-light);display:flex;flex-direction:column;align-items:flex-start;gap:.75rem;color:var(--fg-muted);font-size:.8rem}.hub-version-badge-summary{background:transparent;border:0;padding:0;margin:0;color:var(--fg-muted);font:inherit;cursor:pointer;text-align:left;border-radius:4px}.hub-version-badge-summary:hover{color:var(--fg);background:transparent}.hub-version-badge-summary strong{color:var(--fg);font-weight:600}.hub-version-badge-source{font-variant:small-caps;letter-spacing:.04em}.hub-version-badge-panel{background:var(--card-bg);border:1px solid var(--border);border-radius:8px;padding:.85rem 1rem;font-size:.85rem;color:var(--fg);width:100%;max-width:28rem}.hub-version-badge-panel dl{margin:0 0 .75rem;display:grid;grid-template-columns:max-content 1fr;gap:.3rem .85rem}.hub-version-badge-panel dt{color:var(--fg-muted);font-size:.78rem;text-transform:uppercase;letter-spacing:.06em;padding-top:.1rem}.hub-version-badge-panel dd{margin:0;color:var(--fg);word-break:break-all}.hub-version-badge-refresh{font-size:.8rem;padding:.35rem .85rem}.depcard-wrap{margin-top:.6rem}.depcard{border:1px solid var(--warn);background:var(--warn-soft);border-radius:8px;padding:.9rem 1rem}.depcard-heading{margin:0 0 .25rem;font-size:1rem}.depcard-why{margin:0 0 .75rem;font-size:.9rem}.depcard-installs-label{margin:0 0 .4rem;font-size:.85rem;font-weight:600}.depcard-install{margin-bottom:.55rem}.depcard-install.preferred .depcard-os{color:var(--accent);font-weight:600}.depcard-os{display:block;font-size:.78rem;text-transform:uppercase;letter-spacing:.05em;color:var(--fg-muted);margin-bottom:.2rem}.depcard-cmd{display:flex;align-items:stretch;gap:.4rem}.depcard-cmd-text{flex:1;margin:0;padding:.45rem .6rem;background:var(--card-bg, #fff);border:1px solid var(--border);border-radius:6px;font-size:.82rem;white-space:pre-wrap;overflow-x:auto}.depcard-copy{flex:0 0 auto;font-size:.8rem;padding:.35rem .7rem;align-self:flex-start}.depcard-docs{margin:.5rem 0 .4rem;font-size:.88rem}.depcard-hint{margin:0;font-size:.82rem}.depcard-fallback{color:var(--error);font-size:.9rem}