@openparachute/hub 0.5.14-rc.2 → 0.5.14-rc.21

package/src/__tests__/api-revoke-token.test.ts

@@ -318,3 +318,387 @@ describe("POST /api/auth/revoke-token (closes hub#220)", () => {
     }
   });
 });
+
+// ---------------------------------------------------------------------------
+// Capability attenuation — symmetric to mint-token (hub#452). A bearer that
+// is NOT host:auth may revoke a jti iff every one of the jti's recorded scopes
+// is one the bearer could have minted (`canGrant`): you may revoke what you
+// could mint. This is the security-critical half of the auth arc.
+// ---------------------------------------------------------------------------
+describe("POST /api/auth/revoke-token — capability attenuation (symmetric to hub#452)", () => {
+  /**
+   * Hand-mint a `vault:<vault>:admin` bearer the way the SPA / mcp-install
+   * path obtains one (scope `vault:<vault>:admin`, aud `vault.<vault>`,
+   * vaultScope `[vault]`). Mirrors `mintVaultAdminBearer` in
+   * api-mint-token.test.ts.
+   */
+  async function mintVaultAdminBearer(
+    db: ReturnType<typeof openHubDb>,
+    userId: string,
+    vault: string,
+  ): Promise<string> {
+    const signed = await signAccessToken(db, {
+      sub: userId,
+      scopes: [`vault:${vault}:admin`],
+      audience: `vault.${vault}`,
+      clientId: "parachute-hub",
+      issuer: ISSUER,
+      ttlSeconds: 3600,
+      vaultScope: [vault],
+    });
+    return signed.token;
+  }
+
+  test("host:auth bearer revokes ANY jti (preserved) — incl. a host-scoped target", async () => {
+    const h = makeHarness();
+    try {
+      const { db, userId } = await bootstrap(h.dir);
+      try {
+        const op = await mintOperatorToken(db, userId, { issuer: ISSUER });
+        // Seed a target whose own scopes a vault-admin could never mint.
+        const jti = await seedToken(db, userId, ["parachute:host:auth"]);
+        const resp = await handleApiRevokeToken(
+          jsonRequest({ jti }, { authorization: `Bearer ${op.token}` }),
+          { db, issuer: ISSUER },
+        );
+        expect(resp.status).toBe(200);
+        expect(findTokenRowByJti(db, jti)?.revokedAt).not.toBeNull();
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("vault:work:admin revokes a vault:work:write jti → 200 (could have minted it)", async () => {
+    const h = makeHarness();
+    try {
+      const { db, userId } = await bootstrap(h.dir);
+      try {
+        const bearer = await mintVaultAdminBearer(db, userId, "work");
+        const jti = await seedToken(db, userId, ["vault:work:write"]);
+        const resp = await handleApiRevokeToken(
+          jsonRequest({ jti }, { authorization: `Bearer ${bearer}` }),
+          { db, issuer: ISSUER },
+        );
+        expect(resp.status).toBe(200);
+        expect(findTokenRowByJti(db, jti)?.revokedAt).not.toBeNull();
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("vault:work:admin revokes a vault:work:admin jti → 200", async () => {
+    const h = makeHarness();
+    try {
+      const { db, userId } = await bootstrap(h.dir);
+      try {
+        const bearer = await mintVaultAdminBearer(db, userId, "work");
+        const jti = await seedToken(db, userId, ["vault:work:admin"]);
+        const resp = await handleApiRevokeToken(
+          jsonRequest({ jti }, { authorization: `Bearer ${bearer}` }),
+          { db, issuer: ISSUER },
+        );
+        expect(resp.status).toBe(200);
+        expect(findTokenRowByJti(db, jti)?.revokedAt).not.toBeNull();
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("CROSS-VAULT BLOCKED: vault:work:admin revokes vault:other:write jti → 403, NOT revoked", async () => {
+    const h = makeHarness();
+    try {
+      const { db, userId } = await bootstrap(h.dir);
+      try {
+        const bearer = await mintVaultAdminBearer(db, userId, "work");
+        const jti = await seedToken(db, userId, ["vault:other:write"]);
+        const resp = await handleApiRevokeToken(
+          jsonRequest({ jti }, { authorization: `Bearer ${bearer}` }),
+          { db, issuer: ISSUER },
+        );
+        expect(resp.status).toBe(403);
+        expect(((await resp.json()) as { error: string }).error).toBe("insufficient_scope");
+        // SECURITY: the cross-vault token must NOT have been revoked.
+        expect(findTokenRowByJti(db, jti)?.revokedAt).toBeNull();
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("HOST-ESCALATION BLOCKED: vault:work:admin revokes parachute:host:auth jti → 403, NOT revoked", async () => {
+    const h = makeHarness();
+    try {
+      const { db, userId } = await bootstrap(h.dir);
+      try {
+        const bearer = await mintVaultAdminBearer(db, userId, "work");
+        const jti = await seedToken(db, userId, ["parachute:host:auth"]);
+        const resp = await handleApiRevokeToken(
+          jsonRequest({ jti }, { authorization: `Bearer ${bearer}` }),
+          { db, issuer: ISSUER },
+        );
+        expect(resp.status).toBe(403);
+        expect(findTokenRowByJti(db, jti)?.revokedAt).toBeNull();
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("NO LEAK: vault:work:admin revokes an UNKNOWN jti → 404 (same as host:auth, no leak)", async () => {
+    const h = makeHarness();
+    try {
+      const { db, userId } = await bootstrap(h.dir);
+      try {
+        const bearer = await mintVaultAdminBearer(db, userId, "work");
+        const resp = await handleApiRevokeToken(
+          jsonRequest({ jti: "no-such-jti-ever-minted" }, { authorization: `Bearer ${bearer}` }),
+          { db, issuer: ISSUER },
+        );
+        // Identical to today's unknown-jti behavior for a host:auth bearer:
+        // the attenuated caller cannot distinguish "doesn't exist" here.
+        expect(resp.status).toBe(404);
+        expect(((await resp.json()) as { error: string }).error).toBe("not_found");
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("ENTRY GATE: vault:work:read bearer (no admin, no host) → 403, NOT revoked", async () => {
+    const h = makeHarness();
+    try {
+      const { db, userId } = await bootstrap(h.dir);
+      try {
+        const readOnly = await signAccessToken(db, {
+          sub: userId,
+          scopes: ["vault:work:read"],
+          audience: "vault.work",
+          clientId: "parachute-hub",
+          issuer: ISSUER,
+          ttlSeconds: 3600,
+          vaultScope: ["work"],
+        });
+        // Seed a target the read bearer could never mint anyway.
+        const jti = await seedToken(db, userId, ["vault:work:write"]);
+        const resp = await handleApiRevokeToken(
+          jsonRequest({ jti }, { authorization: `Bearer ${readOnly.token}` }),
+          { db, issuer: ISSUER },
+        );
+        expect(resp.status).toBe(403);
+        expect(((await resp.json()) as { error: string }).error).toBe("insufficient_scope");
+        // Entry-gated before any lookup — the target stays intact.
+        expect(findTokenRowByJti(db, jti)?.revokedAt).toBeNull();
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("MULTI-SCOPE: vault:work:admin revokes vault:work:read+write jti → 200 (all in authority)", async () => {
+    const h = makeHarness();
+    try {
+      const { db, userId } = await bootstrap(h.dir);
+      try {
+        const bearer = await mintVaultAdminBearer(db, userId, "work");
+        const jti = await seedToken(db, userId, ["vault:work:read", "vault:work:write"]);
+        const resp = await handleApiRevokeToken(
+          jsonRequest({ jti }, { authorization: `Bearer ${bearer}` }),
+          { db, issuer: ISSUER },
+        );
+        expect(resp.status).toBe(200);
+        expect(findTokenRowByJti(db, jti)?.revokedAt).not.toBeNull();
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("MULTI-SCOPE BLOCKED: one out-of-authority scope blocks the whole revoke → 403, NOT revoked", async () => {
+    const h = makeHarness();
+    try {
+      const { db, userId } = await bootstrap(h.dir);
+      try {
+        const bearer = await mintVaultAdminBearer(db, userId, "work");
+        // In-authority scope + one cross-vault scope: must block entirely.
+        const jti = await seedToken(db, userId, ["vault:work:write", "vault:other:read"]);
+        const resp = await handleApiRevokeToken(
+          jsonRequest({ jti }, { authorization: `Bearer ${bearer}` }),
+          { db, issuer: ISSUER },
+        );
+        expect(resp.status).toBe(403);
+        expect(findTokenRowByJti(db, jti)?.revokedAt).toBeNull();
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("host:admin bearer revokes a vault:<name>:admin jti → 200 (rule 2 symmetry)", async () => {
+    const h = makeHarness();
+    try {
+      const { db, userId } = await bootstrap(h.dir);
+      try {
+        const hostAdmin = await signAccessToken(db, {
+          sub: userId,
+          scopes: ["parachute:host:admin"],
+          audience: "hub",
+          clientId: "parachute-hub",
+          issuer: ISSUER,
+          ttlSeconds: 3600,
+        });
+        const jti = await seedToken(db, userId, ["vault:work:admin"]);
+        const resp = await handleApiRevokeToken(
+          jsonRequest({ jti }, { authorization: `Bearer ${hostAdmin.token}` }),
+          { db, issuer: ISSUER },
+        );
+        expect(resp.status).toBe(200);
+        expect(findTokenRowByJti(db, jti)?.revokedAt).not.toBeNull();
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("HOST-ESCALATION BLOCKED: host:admin bearer revokes parachute:host:auth jti → 403, NOT revoked", async () => {
+    const h = makeHarness();
+    try {
+      const { db, userId } = await bootstrap(h.dir);
+      try {
+        // host:admin is NOT host:auth, so it goes through the per-jti
+        // attenuation check. `parachute:host:auth` is non-requestable and not
+        // a vault-admin scope, so canGrant returns false for it → 403.
+        const hostAdmin = await signAccessToken(db, {
+          sub: userId,
+          scopes: ["parachute:host:admin"],
+          audience: "hub",
+          clientId: "parachute-hub",
+          issuer: ISSUER,
+          ttlSeconds: 3600,
+        });
+        const jti = await seedToken(db, userId, ["parachute:host:auth"]);
+        const resp = await handleApiRevokeToken(
+          jsonRequest({ jti }, { authorization: `Bearer ${hostAdmin.token}` }),
+          { db, issuer: ISSUER },
+        );
+        expect(resp.status).toBe(403);
+        expect(((await resp.json()) as { error: string }).error).toBe("insufficient_scope");
+        expect(findTokenRowByJti(db, jti)?.revokedAt).toBeNull();
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("EMPTY-SCOPES GUARD: non-host:auth bearer cannot revoke a scopeless target → 403, NOT revoked", async () => {
+    const h = makeHarness();
+    try {
+      const { db, userId } = await bootstrap(h.dir);
+      try {
+        const bearer = await mintVaultAdminBearer(db, userId, "work");
+        // Seed a registry row with ZERO recorded scopes directly — the CLI/SPA
+        // never mint these, but a vacuous `[].filter(canGrant)` would
+        // otherwise pass the authority check for any entry-gate-clearing
+        // bearer. The explicit empty-scopes guard must 403 instead.
+        const jti = "scopeless-target-jti";
+        recordTokenMint(db, {
+          jti,
+          createdVia: "cli_mint",
+          subject: userId,
+          clientId: "parachute-hub",
+          scopes: [],
+          expiresAt: new Date(Date.now() + 3600_000).toISOString(),
+        });
+        expect(findTokenRowByJti(db, jti)?.scopes).toEqual([]);
+
+        const resp = await handleApiRevokeToken(
+          jsonRequest({ jti }, { authorization: `Bearer ${bearer}` }),
+          { db, issuer: ISSUER },
+        );
+        expect(resp.status).toBe(403);
+        expect(((await resp.json()) as { error: string }).error).toBe("insufficient_scope");
+        // SECURITY: the scopeless token must NOT have been revoked.
+        expect(findTokenRowByJti(db, jti)?.revokedAt).toBeNull();
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("EMPTY-SCOPES: host:auth bearer CAN revoke a scopeless target → 200 (guard is non-host:auth-only)", async () => {
+    const h = makeHarness();
+    try {
+      const { db, userId } = await bootstrap(h.dir);
+      try {
+        const op = await mintOperatorToken(db, userId, { issuer: ISSUER });
+        const jti = "scopeless-target-host-auth";
+        recordTokenMint(db, {
+          jti,
+          createdVia: "cli_mint",
+          subject: userId,
+          clientId: "parachute-hub",
+          scopes: [],
+          expiresAt: new Date(Date.now() + 3600_000).toISOString(),
+        });
+        const resp = await handleApiRevokeToken(
+          jsonRequest({ jti }, { authorization: `Bearer ${op.token}` }),
+          { db, issuer: ISSUER },
+        );
+        expect(resp.status).toBe(200);
+        expect(findTokenRowByJti(db, jti)?.revokedAt).not.toBeNull();
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("JTI LENGTH GUARD: jti longer than the cap → 400 invalid_request", async () => {
+    const h = makeHarness();
+    try {
+      const { db, userId } = await bootstrap(h.dir);
+      try {
+        const op = await mintOperatorToken(db, userId, { issuer: ISSUER });
+        const resp = await handleApiRevokeToken(
+          jsonRequest({ jti: "x".repeat(257) }, { authorization: `Bearer ${op.token}` }),
+          { db, issuer: ISSUER },
+        );
+        expect(resp.status).toBe(400);
+        const body = (await resp.json()) as { error: string; error_description: string };
+        expect(body.error).toBe("invalid_request");
+        expect(body.error_description).toContain("256");
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+});

package/src/__tests__/api-users.test.ts

@@ -462,7 +462,7 @@ describe("handleDeleteUser", () => {
     expect(list.users.map((u) => u.id)).toContain(userId);
   });
 
-  test("204 deletes a non-first user and revokes their tokens", async () => {
+  test("200 + revocation_lag_seconds deletes a non-first user and revokes their tokens", async () => {
     const { bearer } = await makeAdminBearer();
     // Create a second user (non-first) + mint a token on their behalf.
     const second = await createUser(harness.db, "alice", "alice-strong-passphrase", {
@@ -497,7 +497,12 @@ describe("handleDeleteUser", () => {
       second.id,
       deps(),
     );
-    expect(res.status).toBe(204);
+    // 200 + body (was a bare 204) so the SPA can warn about revocation lag —
+    // consistency with the reset-password path.
+    expect(res.status).toBe(200);
+    const body = (await res.json()) as { ok: boolean; revocation_lag_seconds: number };
+    expect(body.ok).toBe(true);
+    expect(body.revocation_lag_seconds).toBe(60);
 
     // User row is gone.
     const listRes = await handleListUsers(withBearer("/api/users", bearer), deps());

package/src/__tests__/auth.test.ts

@@ -65,34 +65,159 @@ async function captureOutput(fn: () => Promise<number> | number): Promise<{
 }
 
 describe("parachute auth", () => {
-  test("2fa enroll forwards to parachute-vault 2fa enroll", async () => {
-    const { runner, calls } = makeRunner(0);
-    const code = await auth(["2fa", "enroll"], runner);
-    expect(code).toBe(0);
-    expect(calls).toEqual([["parachute-vault", "2fa", "enroll"]]);
+  test("2fa is hub-local — never forwards to parachute-vault", async () => {
+    // 2fa used to forward to the deprecated `parachute-vault 2fa` stub. As of
+    // hub#473 it's real hub-login TOTP, fully hub-local (hub.db). No subprocess.
+    const tmp = makeTmp();
+    try {
+      const db = openHubDb(tmp.dbPath);
+      await createUser(db, "owner", "owner-password-123");
+      db.close();
+      const { runner, calls } = makeRunner(0);
+      const out = await captureOutput(() =>
+        auth(["2fa", "status"], { runner, dbPath: tmp.dbPath }),
+      );
+      expect(out.code).toBe(0);
+      expect(calls).toEqual([]); // did NOT spawn parachute-vault
+      expect(out.stdout).toContain("Two-factor authentication: OFF");
+    } finally {
+      tmp.cleanup();
+    }
   });
 
-  test("2fa enroll --some-flag forwards every arg after the subcommand", async () => {
-    const { runner, calls } = makeRunner(0);
-    const code = await auth(["2fa", "enroll", "--some-flag", "value"], runner);
-    expect(code).toBe(0);
-    expect(calls).toEqual([["parachute-vault", "2fa", "enroll", "--some-flag", "value"]]);
+  test("2fa status reports OFF for a fresh user, then ON after a CLI enroll round-trip", async () => {
+    const tmp = makeTmp();
+    try {
+      const db = openHubDb(tmp.dbPath);
+      await createUser(db, "owner", "owner-password-123");
+      db.close();
+
+      // status → OFF
+      const off = await captureOutput(() =>
+        auth(["2fa", "status"], { dbPath: tmp.dbPath, isInteractive: () => false }),
+      );
+      expect(off.code).toBe(0);
+      expect(off.stdout).toContain("OFF");
+
+      // enroll requires a confirm code — drive the readLine seam with the
+      // live TOTP code generated from the secret the command prints.
+      const { generateTotpSecret } = await import("../totp.ts");
+      // We can't intercept the random secret the command mints, so instead
+      // exercise the store directly to assert the ON path is reachable, then
+      // assert the CLI status reflects it. (The handler-level enroll round
+      // trip is covered in two-factor.test.ts against the real secret.)
+      const db2 = openHubDb(tmp.dbPath);
+      const { persistEnrollment } = await import("../two-factor-store.ts");
+      const u = listUsers(db2)[0]!;
+      const { secret } = generateTotpSecret(u.username);
+      await persistEnrollment(db2, u.id, secret);
+      db2.close();
+
+      const on = await captureOutput(() =>
+        auth(["2fa", "status"], { dbPath: tmp.dbPath, isInteractive: () => false }),
+      );
+      expect(on.code).toBe(0);
+      expect(on.stdout).toContain("ON");
+      expect(on.stdout).toContain("backup_codes");
+
+      // disenroll clears it.
+      const dis = await captureOutput(() =>
+        auth(["2fa", "disenroll"], { dbPath: tmp.dbPath, isInteractive: () => false }),
+      );
+      expect(dis.code).toBe(0);
+      expect(dis.stdout).toContain("Turned off");
+
+      const off2 = await captureOutput(() =>
+        auth(["2fa", "status"], { dbPath: tmp.dbPath, isInteractive: () => false }),
+      );
+      expect(off2.stdout).toContain("OFF");
+    } finally {
+      tmp.cleanup();
+    }
   });
 
-  test("exit code from parachute-vault is propagated", async () => {
-    const { runner } = makeRunner(3);
-    const code = await auth(["2fa", "status"], runner);
-    expect(code).toBe(3);
+  test("2fa enroll confirms the printed secret against a live code, prints backup codes", async () => {
+    const tmp = makeTmp();
+    try {
+      const db = openHubDb(tmp.dbPath);
+      await createUser(db, "owner", "owner-password-123");
+      db.close();
+
+      // Single console.log interception that BOTH accumulates stdout and lets
+      // the readLine seam read the secret the command just printed. (Avoids
+      // nesting two console.log replacements.)
+      const OTPAuth = await import("otpauth");
+      const origLog = console.log;
+      let stdout = "";
+      let capturedSecret = "";
+      console.log = (...a: unknown[]) => {
+        const line = a.map(String).join(" ");
+        stdout += `${line}\n`;
+        const m = line.match(/secret key:\s+([A-Z2-7]+)/);
+        if (m) capturedSecret = m[1]!;
+      };
+      let code = "";
+      let exitCode = 0;
+      try {
+        exitCode = await auth(["2fa", "enroll"], {
+          dbPath: tmp.dbPath,
+          isInteractive: () => true,
+          readLine: async () => {
+            // The secret has been printed by the time the prompt fires.
+            const totp = new OTPAuth.TOTP({
+              issuer: "Parachute Hub",
+              label: "owner",
+              algorithm: "SHA1",
+              digits: 6,
+              period: 30,
+              secret: OTPAuth.Secret.fromBase32(capturedSecret),
+            });
+            code = totp.generate();
+            return code;
+          },
+        });
+      } finally {
+        console.log = origLog;
+      }
+      expect(exitCode).toBe(0);
+      expect(capturedSecret.length).toBeGreaterThan(0);
+      expect(stdout).toContain("now ON");
+      // 10 backup codes printed (hyphenated form).
+      const backupLines = stdout.split("\n").filter((l) => /^ {2}[a-z2-9]{5}-[a-z2-9]{5}$/.test(l));
+      expect(backupLines.length).toBe(10);
+      expect(code.length).toBe(6);
+      // The persisted state reflects the enrollment: the captured secret is
+      // now stored on the user row. (We don't re-verify `code` — the enroll
+      // confirm consumed it via the replay cache, by design.)
+      const db2 = openHubDb(tmp.dbPath);
+      const { getTotpState } = await import("../two-factor-store.ts");
+      const uid = listUsers(db2)[0]!.id;
+      const persisted = getTotpState(db2, uid);
+      expect(persisted.secret).toBe(capturedSecret);
+      expect(persisted.backupCodes.length).toBe(10);
+      db2.close();
+    } finally {
+      tmp.cleanup();
+    }
   });
 
-  test("ENOENT on a vault-forwarded subcommand surfaces install hint and exit 127", async () => {
-    const runner: Runner = {
-      async run() {
-        throw new Error("ENOENT: spawn parachute-vault");
-      },
-    };
-    const code = await auth(["2fa", "status"], runner);
-    expect(code).toBe(127);
+  test("2fa enroll refuses to re-enroll when already on", async () => {
+    const tmp = makeTmp();
+    try {
+      const db = openHubDb(tmp.dbPath);
+      const u = await createUser(db, "owner", "owner-password-123");
+      const { generateTotpSecret } = await import("../totp.ts");
+      const { persistEnrollment } = await import("../two-factor-store.ts");
+      await persistEnrollment(db, u.id, generateTotpSecret("owner").secret);
+      db.close();
+      const out = await captureOutput(() =>
+        auth(["2fa", "enroll"], { dbPath: tmp.dbPath, isInteractive: () => true }),
+      );
+      expect(out.code).toBe(1);
+      expect(out.stderr).toContain("already enabled");
+    } finally {
+      tmp.cleanup();
+    }
   });
 
   test("set-password no longer forwards to vault", async () => {
@@ -142,23 +267,25 @@ describe("authHelp", () => {
   test("lists every blessed subcommand", () => {
     expect(h).toContain("parachute auth set-password");
     expect(h).toContain("parachute auth list-users");
-    expect(h).toContain("parachute auth 2fa status");
-    expect(h).toContain("parachute auth 2fa enroll");
-    expect(h).toContain("parachute auth 2fa disable");
-    expect(h).toContain("parachute auth 2fa backup-codes");
+    expect(h).toContain("parachute auth 2fa");
     expect(h).toContain("parachute auth rotate-key");
   });
 
+  test("2fa help documents the real hub-login TOTP subcommands (#473)", () => {
+    expect(h).toContain("#473");
+    // Real enroll / disenroll subcommands are now advertised.
+    expect(h).toContain("2fa enroll");
+    expect(h).toContain("2fa disenroll");
+    expect(h).toContain("otpauth://");
+    expect(h).toContain("backup codes");
+  });
+
   test("set-password help mentions the new flags + hub-local home", () => {
     expect(h).toContain("--username");
     expect(h).toContain("--allow-multi");
     expect(h).toContain("hub.db");
   });
 
-  test("mentions the vault-install hint", () => {
-    expect(h).toContain("parachute install vault");
-  });
-
   test("rotate-key explains the 24h JWKS retention", () => {
     expect(h).toContain("jwks.json");
     // "24" + "hours" may be split by line wrap; check both pieces.