@openparachute/hub 0.5.14-rc.8 → 0.6.0

package/src/cli.ts

@@ -6,6 +6,7 @@
  * Run `parachute --help` or `parachute <subcommand> --help` for usage.
  */
 
+import { MissingDependencyError } from "@openparachute/depcheck";
 import pkg from "../package.json" with { type: "json" };
 import { CloudflaredStateError } from "./cloudflare/state.ts";
 import { auth } from "./commands/auth.ts";
@@ -472,12 +473,21 @@ async function main(argv: string[]): Promise<number> {
         return 1;
       }
       const exposeArgs = flagExtract.rest;
-      const layer = exposeArgs[0];
+      let layer = exposeArgs[0];
       const mode = exposeArgs[1];
       if (isHelpFlag(layer)) {
         console.log(exposeHelp());
         return 0;
       }
+      // Alias: `parachute expose cloudflare [--domain X] [off]` is shorthand for
+      // `parachute expose public --cloudflare …`. Cloudflare is a public-internet
+      // provider, so we rewrite the layer to `public` and force the cloudflare
+      // flag — the rest of the dispatch (domain prompt, off-path, etc.) is
+      // identical to the canonical form.
+      if (layer === "cloudflare") {
+        layer = "public";
+        flagExtract.cloudflare = true;
+      }
       if (layer !== "tailnet" && layer !== "public") {
         console.error(`parachute expose: unknown layer "${layer ?? ""}"`);
         console.error("usage: parachute expose tailnet [off]");
@@ -749,26 +759,13 @@ async function main(argv: string[]): Promise<number> {
       // after `vault` (including --help) is passed through verbatim.
       if (rest.length === 0) return await dispatchVault(["--help"]);
 
-      // `parachute vault tokens create` in a TTY with no scope-narrowing flag
-      // → guided flow. Any of --scope / --read / --permission means the user
-      // has already decided, so we stay out of the way. Non-TTY always
-      // bypasses (no way to answer a prompt). Label is orthogonal — the
-      // guided flow prompts for it only if --label wasn't supplied.
-      const wantsGuidedTokenCreate =
-        rest[0] === "tokens" &&
-        rest[1] === "create" &&
-        isTtyInteractive() &&
-        !rest.includes("--scope") &&
-        !rest.includes("--read") &&
-        !rest.includes("--permission") &&
-        !isHelpFlag(rest[2]);
-      if (wantsGuidedTokenCreate) {
-        const { runVaultTokensCreateInteractive } = await import(
-          "./commands/vault-tokens-create-interactive.ts"
-        );
-        return await runVaultTokensCreateInteractive({ args: rest.slice(2) });
-      }
-
+      // Everything under `vault` forwards transparently to `parachute-vault`.
+      // `vault tokens create` used to route through a guided interactive
+      // wrapper, but the pvt_* DROP (vault#412 / hub#466) removed that vault
+      // subcommand — it now exits 1 with migration guidance. Access tokens are
+      // hub-issued JWTs; mint them with `parachute auth mint-token` or the
+      // admin SPA Connect card. We forward verbatim so the operator sees
+      // vault's own migration error rather than a hub-side stub.
       return await dispatchVault(rest);
     }
 
@@ -788,6 +785,14 @@ async function run(argv: string[]): Promise<number> {
   try {
     return await main(argv);
   } catch (err) {
+    if (err instanceof MissingDependencyError) {
+      // A required external binary wasn't on PATH (git / tailscale / tail /
+      // …). Print the friendly install block to stderr. interactive:true so
+      // the operator at a terminal sees the "ask your sysadmin" trailer; the
+      // message was already formatted at construction, so we just emit it.
+      console.error(err.message);
+      return 1;
+    }
     if (err instanceof ServicesManifestError) {
       console.error(`services.json is malformed: ${err.message}`);
       console.error("Fix or remove the file, then re-run.");

package/src/clients.ts

@@ -12,12 +12,24 @@
  *     plaintext exactly once. The token endpoint enforces client_secret per
  *     RFC 6749 §3.2.1 (closes #72).
  *
- * Approval gate (closes #74): every row carries a `status` of `pending` or
- * `approved`. New self-registrations default to `pending`; only registrations
- * that authenticate with an operator token bearing `hub:admin` (the install-
- * time path for first-party modules) land as `approved`. The OAuth flow
- * rejects `pending` clients at `/oauth/authorize` and `/oauth/token`. An
- * operator promotes a pending client via `parachute auth approve-client`.
+ * Status column (`pending` | `approved`): every row carries one. New
+ * self-registrations default to `pending`; registrations that authenticate
+ * with an operator token bearing `hub:admin` (the install-time path for
+ * first-party modules) land as `approved`.
+ *
+ * Single-consent change (2026-05-29): the separate operator "approve this
+ * client" gate was retired. The user's OAuth consent IS the authorization —
+ * `handleAuthorizeGet` now session-gates a `pending` client: a request
+ * carrying a valid session auto-approves the client (status → `approved`,
+ * audit-logged) and FALLS THROUGH to the normal consent screen; a session-
+ * less request still renders the unauth "App not yet approved" page whose
+ * sign-in CTA round-trips back to authorize (after login the user re-enters
+ * with a session → auto-approve → consent). The `status` column, the DCR
+ * `pending` default, the `/oauth/token` pending rejection, and the
+ * `parachute auth approve-client` / SPA approve surfaces all persist but are
+ * near-vestigial — kept for defense-in-depth and back-compat. Motivation:
+ * Notes/Claude DCR a fresh `client_id` per instance, so a per-client_id
+ * approval gate re-prompted the operator constantly.
  */
 import type { Database } from "bun:sqlite";
 import { createHash, randomBytes, randomUUID } from "node:crypto";

package/src/cloudflare/config.ts

@@ -2,8 +2,6 @@ import { mkdirSync, writeFileSync } from "node:fs";
 import { dirname, join } from "node:path";
 import { CONFIG_DIR } from "../config.ts";
 
-export const CLOUDFLARED_DIR = join(CONFIG_DIR, "cloudflared");
-
 export const DEFAULT_TUNNEL_NAME = "parachute";
 
 /**
@@ -16,12 +14,20 @@ export const DEFAULT_TUNNEL_NAME = "parachute";
  * location change from pre-#32 (`~/.parachute/cloudflared/config.yml`).
  * Re-running `parachute expose public --cloudflare` regenerates the file
  * at the new path; the legacy file is left in place but unused.
+ *
+ * `configDir` overrides the base (`~/.parachute` by default). Tests pass a
+ * tmp dir so per-tunnel-derived paths never resolve against the operator's
+ * real `CONFIG_DIR` — otherwise running the suite scribbles fixture
+ * config.yml + log files into `~/.parachute/cloudflared/<name>/`.
  */
-export function cloudflaredPathsFor(tunnelName: string): {
+export function cloudflaredPathsFor(
+  tunnelName: string,
+  configDir: string = CONFIG_DIR,
+): {
   configPath: string;
   logPath: string;
 } {
-  const dir = join(CLOUDFLARED_DIR, tunnelName);
+  const dir = join(configDir, "cloudflared", tunnelName);
   return {
     configPath: join(dir, "config.yml"),
     logPath: join(dir, "cloudflared.log"),

package/src/cloudflare/detect.ts

@@ -1,6 +1,7 @@
 import { existsSync } from "node:fs";
 import { homedir } from "node:os";
 import { join } from "node:path";
+import { isBinaryNotFoundError, lookupDep } from "@openparachute/depcheck";
 import type { Runner } from "../tailscale/run.ts";
 
 export const DEFAULT_CLOUDFLARED_HOME = join(homedir(), ".cloudflared");
@@ -10,30 +11,22 @@ export const DEFAULT_CLOUDFLARED_HOME = join(homedir(), ".cloudflared");
  * "binary not on PATH" errors — anything else (EACCES from a non-executable
  * file, corrupted binary, etc.) propagates so we don't silently report
  * "not installed" when something more specific is wrong.
+ *
+ * The not-found matcher is `@openparachute/depcheck`'s `isBinaryNotFoundError`
+ * — the single source of truth across the ecosystem (this used to be a local
+ * copy that drifted from vault's `git-preflight.ts`). Pass the binary name so
+ * a not-found message about an unrelated file isn't mis-attributed.
  */
 export async function isCloudflaredInstalled(runner: Runner): Promise<boolean> {
   try {
     const { code } = await runner(["cloudflared", "--version"]);
     return code === 0;
   } catch (err) {
-    if (isBinaryNotFoundError(err)) return false;
+    if (isBinaryNotFoundError(err, "cloudflared")) return false;
     throw err;
   }
 }
 
-function isBinaryNotFoundError(err: unknown): boolean {
-  if (!err || typeof err !== "object") return false;
-  const e = err as { code?: unknown; message?: unknown };
-  if (e.code === "ENOENT") return true;
-  // Bun.spawn's error shape varies across versions; fall back to message
-  // string matching so we catch "Executable not found in $PATH" and
-  // "ENOENT" variants without pinning to one runtime detail.
-  if (typeof e.message === "string") {
-    return /ENOENT|not found|No such file/i.test(e.message);
-  }
-  return false;
-}
-
 /**
  * `cloudflared tunnel login` drops a cert at `~/.cloudflared/cert.pem` — its
  * presence is cloudflared's own login marker. Every `cloudflared tunnel
@@ -61,30 +54,37 @@ export function isCloudflaredLoggedIn(cloudflaredHome: string = DEFAULT_CLOUDFLA
  *   other  → the binary-download path is still the best generic answer
  *
  * The `arch` parameter is the architecture string in `process.arch`
- * shape (`x64`, `arm64`, `arm`). Mapped to the suffix cloudflared uses
- * in its release artifacts (`amd64`, `arm64`, `arm`). Unknown arches
- * fall through to a generic pointer at the releases page.
+ * shape (`x64`, `arm64`, `arm`). The static-binary curl recipe + the arch
+ * mapping now live in `@openparachute/depcheck`'s `cloudflared` registry
+ * entry (`install.linuxBinaryUrl`) — the single source of truth shared with
+ * the structured `MissingDependencyError` UX. This function keeps its own
+ * prose (the surrounding "works across distros" framing the expose flow
+ * prints) but derives the URL + arch support from the registry so the two
+ * can't drift. A `undefined` recipe (arch with no published artifact) is the
+ * signal to fall through to the generic releases pointer rather than
+ * fabricating a 404-bound URL.
  */
 export function cloudflaredInstallHint(
   platform: NodeJS.Platform = process.platform,
   arch: NodeJS.Architecture = process.arch,
 ): string {
+  const releasesUrl = "https://github.com/cloudflare/cloudflared/releases/latest";
   if (platform === "darwin") {
     return [
       "Install cloudflared:",
       "  brew install cloudflared",
       "",
       "(or download a static binary from",
-      "  https://github.com/cloudflare/cloudflared/releases/latest)",
+      `  ${releasesUrl})`,
     ].join("\n");
   }
   if (platform === "linux") {
-    const suffix = linuxArtifactSuffix(arch);
-    if (suffix) {
+    const downloadUrl = cloudflaredLinuxDownloadUrl(arch);
+    if (downloadUrl) {
       return [
         "Install cloudflared (static binary — works across distros):",
-        `  curl -L -o /usr/local/bin/cloudflared \\`,
-        `    https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-${suffix}`,
+        "  curl -L -o /usr/local/bin/cloudflared \\",
+        `    ${downloadUrl}`,
         "  sudo chmod +x /usr/local/bin/cloudflared",
         "  cloudflared --version",
         "",
@@ -93,33 +93,28 @@ export function cloudflaredInstallHint(
     }
     return [
       "Install cloudflared from the official binary release:",
-      "  https://github.com/cloudflare/cloudflared/releases/latest",
+      `  ${releasesUrl}`,
       `(pick the linux-* artifact matching your architecture; your arch is "${arch}")`,
     ].join("\n");
   }
-  return [
-    "Install cloudflared from the official binary release:",
-    "  https://github.com/cloudflare/cloudflared/releases/latest",
-  ].join("\n");
+  return ["Install cloudflared from the official binary release:", `  ${releasesUrl}`].join("\n");
 }
 
 /**
- * Map a Node `process.arch` to the suffix Cloudflare uses for its
- * cloudflared-linux-* release artifacts. Returns undefined for arches
- * that don't have a published artifact (we surface a generic pointer
- * in that case instead of fabricating a download URL that 404s).
+ * Pull the cloudflared-linux-<suffix> download URL for an arch out of the
+ * depcheck registry's static-binary recipe. The registry recipe is a
+ * multi-line `curl … / chmod … / version` block; we extract the single
+ * `https://…/cloudflared-linux-<suffix>` line so this function's own prose
+ * wraps the canonical URL. Returns undefined when the arch has no published
+ * artifact (registry recipe is undefined) — the caller then uses the generic
+ * pointer. Keeps the arch→suffix mapping in exactly one place (the registry).
  */
-function linuxArtifactSuffix(arch: NodeJS.Architecture): string | undefined {
-  switch (arch) {
-    case "x64":
-      return "amd64";
-    case "arm64":
-      return "arm64";
-    case "arm":
-      return "arm";
-    case "ia32":
-      return "386";
-    default:
-      return undefined;
-  }
+function cloudflaredLinuxDownloadUrl(arch: NodeJS.Architecture): string | undefined {
+  const recipe = lookupDep("cloudflared")?.install.linuxBinaryUrl?.(arch);
+  if (!recipe) return undefined;
+  const urlLine = recipe
+    .split("\n")
+    .map((l) => l.trim())
+    .find((l) => l.startsWith("https://"));
+  return urlLine;
 }

package/src/commands/auth.ts

@@ -13,7 +13,14 @@
  *   - `list-users` — show accounts in `users`.
  *
  * Vault-forwarded subcommands (still implemented in `parachute-vault`):
- *   - `2fa` — TOTP enroll/disable/backup-codes.
+ *   - (none currently). `2fa` used to forward here, but the legacy
+ *     `parachute-vault 2fa` stub writes vault YAML that does NOT gate hub
+ *     `/login`. As of hub#473 `parachute auth 2fa` is the REAL hub-login TOTP
+ *     surface: it reads/writes the hub.db `users` TOTP columns and gates
+ *     `/login`. Subcommands: `status`, `enroll` (CLI text enroll — prints the
+ *     otpauth:// URI + base32 secret for manual authenticator entry, then
+ *     prompts for the confirm code), `disenroll`. The browser path lives at
+ *     `<hub-origin>/account/2fa` (QR + backup codes).
  */
 
 import { join } from "node:path";
@@ -44,6 +51,13 @@ import {
 } from "../operator-token.ts";
 import { isNonRequestableScope } from "../scope-explanations.ts";
 import { rotateSigningKey } from "../signing-keys.ts";
+import { generateTotpSecret, otpauthUrlFor, verifyTotpCode } from "../totp.ts";
+import {
+  clearEnrollment,
+  getTotpState,
+  isTotpEnrolled,
+  persistEnrollment,
+} from "../two-factor-store.ts";
 import {
   SingleUserModeError,
   UsernameTakenError,
@@ -71,9 +85,10 @@ export const defaultRunner: Runner = {
   },
 };
 
-const VAULT_FORWARDED_SUBCOMMANDS = new Set(["2fa"]);
+const VAULT_FORWARDED_SUBCOMMANDS = new Set<string>([]);
 const HUB_LOCAL_SUBCOMMANDS = new Set([
   "rotate-key",
+  "2fa",
   "set-password",
   "list-users",
   "rotate-operator",
@@ -92,10 +107,14 @@ Usage:
   parachute auth set-password [--username <name>] [--password <pw>] [--allow-multi]
                                        Create or update the hub user's password
   parachute auth list-users            Show registered hub accounts
-  parachute auth 2fa status            Show 2FA state
-  parachute auth 2fa enroll            Enable TOTP 2FA (QR + backup codes)
-  parachute auth 2fa disable           Disable 2FA (requires password)
-  parachute auth 2fa backup-codes      Regenerate backup codes
+  parachute auth 2fa [status]          Show hub-login 2FA (TOTP) status
+  parachute auth 2fa enroll [--username <name>]
+                                       Enroll TOTP for hub login (prints the
+                                       otpauth:// URI + base32 secret for manual
+                                       authenticator entry, then prompts for a
+                                       confirm code; prints backup codes once)
+  parachute auth 2fa disenroll [--username <name>]
+                                       Turn off hub-login 2FA for the account
   parachute auth rotate-key            Rotate the hub's JWT signing key
   parachute auth rotate-operator [--scope-set <set>]
                                        Mint a fresh ~/.parachute/operator.token
@@ -128,10 +147,20 @@ The default username on first run is "owner" — override with --username.
 Single-user mode is the default; pass --allow-multi to add additional
 accounts beyond the first.
 
-2fa forwards to \`parachute-vault\` which still implements TOTP storage. If
-you see "not found on PATH", install vault first:
+2fa is real hub-login TOTP (hub#473). It reads/writes the hub.db \`users\` TOTP
+columns and gates \`/login\`: once enrolled, signing in requires a 6-digit code
+from your authenticator app (or a single-use backup code) after your password.
+
+\`parachute auth 2fa enroll\` is headless-friendly — it prints the \`otpauth://\`
+URI and the base32 secret as text so you can type them into an authenticator
+manually (no QR scan needed on a server), then prompts for the current 6-digit
+code to confirm. On success it prints 10 single-use backup codes ONCE — save
+them. The browser path (\`<hub-origin>/account/2fa\`) shows a scannable QR code.
 
-  parachute install vault
+\`parachute auth 2fa disenroll\` clears the TOTP secret + backup codes.
+
+In single-user mode both default to the only hub account; pass --username to
+target a specific account when more than one exists.
 
 rotate-key generates a fresh RSA-2048 keypair and retires the previous
 one. The retired key keeps appearing in /.well-known/jwks.json for 24
@@ -1124,6 +1153,115 @@ async function runRevokeToken(args: readonly string[], deps: AuthDeps): Promise<
   }
 }
 
+/**
+ * Real hub-login TOTP 2FA CLI (hub#473). `parachute auth 2fa [status|enroll|
+ * disenroll]`. Reads/writes the hub.db `users` TOTP columns — the same store
+ * the `/login` flow and `/account/2fa` browser surface use, so a CLI enroll
+ * gates the exposed hub login exactly like the browser one.
+ *
+ * Headless-first by design: `enroll` prints the `otpauth://` URI + base32
+ * secret as text so the operator can type them into an authenticator app
+ * manually (no QR scan on a server), then prompts for the current code to
+ * confirm before persisting. Browser enroll (QR) lives at
+ * `<hub-origin>/account/2fa`.
+ */
+async function run2fa(args: readonly string[], deps: AuthDeps): Promise<number> {
+  const flag = extractUsernameFlag(args);
+  if (flag.error) {
+    console.error(`parachute auth 2fa: ${flag.error}`);
+    return 1;
+  }
+  const sub = flag.rest[0] ?? "status";
+  if (flag.rest.length > 1) {
+    console.error(`parachute auth 2fa: unexpected argument "${flag.rest[1]}"`);
+    console.error("usage: parachute auth 2fa [status|enroll|disenroll] [--username <name>]");
+    return 1;
+  }
+  if (sub !== "status" && sub !== "enroll" && sub !== "disenroll") {
+    console.error(`parachute auth 2fa: unknown subcommand "${sub}"`);
+    console.error("usage: parachute auth 2fa [status|enroll|disenroll] [--username <name>]");
+    return 1;
+  }
+
+  const db = deps.dbPath ? openHubDb(deps.dbPath) : openHubDb();
+  try {
+    const target = resolveTargetUser(db, flag.username, sub);
+    if ("error" in target) {
+      console.error(`parachute auth 2fa: ${target.error}`);
+      return 1;
+    }
+
+    if (sub === "status") {
+      const state = getTotpState(db, target.id);
+      if (state.secret) {
+        console.log(`Two-factor authentication: ON for "${target.username}".`);
+        if (state.enrolledAt) console.log(`  enrolled_at:   ${state.enrolledAt}`);
+        console.log(`  backup_codes:  ${state.backupCodes.length} remaining`);
+      } else {
+        console.log(`Two-factor authentication: OFF for "${target.username}".`);
+        console.log("Run `parachute auth 2fa enroll` to turn it on.");
+      }
+      return 0;
+    }
+
+    if (sub === "disenroll") {
+      if (!isTotpEnrolled(db, target.id)) {
+        console.log(`Two-factor authentication is already off for "${target.username}".`);
+        return 0;
+      }
+      clearEnrollment(db, target.id);
+      console.log(`Turned off two-factor authentication for "${target.username}".`);
+      return 0;
+    }
+
+    // sub === "enroll"
+    if (isTotpEnrolled(db, target.id)) {
+      console.error(
+        `parachute auth 2fa: two-factor is already enabled for "${target.username}". Run \`parachute auth 2fa disenroll\` first to re-enroll.`,
+      );
+      return 1;
+    }
+    const isInteractive = (deps.isInteractive ?? defaultIsInteractive)();
+    if (!isInteractive) {
+      console.error(
+        "parachute auth 2fa enroll: a TTY is required to confirm the enrollment code (run it interactively)",
+      );
+      return 1;
+    }
+    const readLine = deps.readLine ?? defaultReadLine;
+
+    const { secret } = generateTotpSecret(target.username);
+    const otpauthUrl = otpauthUrlFor(secret, target.username);
+    console.log(`Enrolling two-factor authentication for "${target.username}".`);
+    console.log("");
+    console.log("Add this account to your authenticator app. Either scan the otpauth URL");
+    console.log("(paste it into a QR generator), or enter the secret key manually:");
+    console.log("");
+    console.log(`  otpauth URL:  ${otpauthUrl}`);
+    console.log(`  secret key:   ${secret}`);
+    console.log("");
+    const code = (await readLine("Enter the 6-digit code from your app to confirm: ")).trim();
+    if (!verifyTotpCode(secret, code)) {
+      console.error(
+        "parachute auth 2fa enroll: that code didn't match — nothing was saved. Check your device clock and try again.",
+      );
+      return 1;
+    }
+    const result = await persistEnrollment(db, target.id, secret);
+    console.log("");
+    console.log("✓ Two-factor authentication is now ON for hub login.");
+    console.log("");
+    console.log("Save these backup codes — each works once if you lose your authenticator:");
+    console.log("");
+    for (const c of result.backupCodes) console.log(`  ${c}`);
+    console.log("");
+    console.log("They are shown only once. Store them somewhere safe.");
+    return 0;
+  } finally {
+    db.close();
+  }
+}
+
 function runListUsers(deps: AuthDeps): number {
   const db = deps.dbPath ? openHubDb(deps.dbPath) : openHubDb();
   try {
@@ -1182,6 +1320,15 @@ export async function auth(args: readonly string[], deps: AuthDeps | Runner = {}
         return 1;
       }
     }
+    if (sub === "2fa") {
+      try {
+        return await run2fa(args.slice(1), normalized);
+      } catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        console.error(`parachute auth 2fa: ${msg}`);
+        return 1;
+      }
+    }
     if (sub === "list-users") {
       return runListUsers(normalized);
     }
@@ -1250,23 +1397,17 @@ export async function auth(args: readonly string[], deps: AuthDeps | Runner = {}
     }
   }
 
-  if (!VAULT_FORWARDED_SUBCOMMANDS.has(sub)) {
-    console.error(`parachute auth: unknown subcommand "${sub}"`);
-    console.error("run `parachute auth --help` for usage");
-    return 1;
-  }
-  try {
+  // No subcommands forward to parachute-vault anymore (VAULT_FORWARDED_SUBCOMMANDS
+  // is empty — `2fa` is now hub-local + honest, see #473). Anything that fell
+  // through every hub-local handler above is unknown.
+  if (VAULT_FORWARDED_SUBCOMMANDS.has(sub)) {
+    // Defensive: if a future subcommand is added back to the forward set, route
+    // it. Currently unreachable (the set is empty).
     return await runner.run(["parachute-vault", ...args]);
-  } catch (err) {
-    const msg = err instanceof Error ? err.message : String(err);
-    if (msg.toLowerCase().includes("enoent") || msg.toLowerCase().includes("not found")) {
-      console.error("parachute-vault not found on PATH.");
-      console.error("Install it with: parachute install vault");
-      return 127;
-    }
-    console.error(`failed to run parachute-vault: ${msg}`);
-    return 1;
   }
+  console.error(`parachute auth: unknown subcommand "${sub}"`);
+  console.error("run `parachute auth --help` for usage");
+  return 1;
 }
 
 // Re-exported so `users.ts` consumers can preserve the named-export.

package/src/commands/expose-2fa-warning.ts

@@ -1,29 +1,23 @@
 /**
- * Public-exposure 2FA-enrollment warning (#186). Lands as the next layer of
- * defense after #188's `/login` rate-limit floor: once the operator brings
- * up cloudflare or Tailscale Funnel, `/login` is reachable from the public
- * internet on every layer admitting traffic. 2FA is the difference between
- * "password is the only wall" and "password + something-you-have."
+ * Public-exposure security warning (#186). Once the operator brings up
+ * cloudflare or Tailscale Funnel, `/login` is reachable from the public
+ * internet on every layer admitting traffic. After #188's `/login` rate-limit
+ * floor, the owner password is the wall — and now (hub#473) hub-login TOTP 2FA
+ * is the second wall.
+ *
+ * 2FA at the hub login layer is real as of hub#473: "password +
+ * something-you-have." This warning recommends `parachute auth 2fa enroll`
+ * (which now gates hub `/login` for real) when the operator hasn't enrolled.
  *
  * Why this is a warning, not a hard gate: hard-gating would surprise operators
  * mid-flow — they ran `parachute expose public` to expose, not to be told
- * "set up 2FA first." A loud, contextual warning + a clear one-line
- * remediation is the right shape; the operator decides whether to act now or
- * later. The tunnel is up regardless.
- *
- * Why the source-of-truth is vault's `config.yaml`: 2FA enrollment lives in
- * `parachute-vault` (the hub forwards `parachute auth 2fa enroll` to vault —
- * see `commands/auth.ts` `VAULT_FORWARDED_SUBCOMMANDS`). The hub's `users`
- * table has no TOTP column today; it will gain one when hub-admin login
- * verifies TOTP against vault. Until then, "is 2FA enrolled?" maps cleanly
- * to "does vault's config.yaml carry a non-empty `totp_secret`?", which is
- * exactly what `readVaultAuthStatus().hasTotp` returns.
+ * "set up 2FA first." A loud, contextual warning + a clear remediation is the
+ * right shape; the operator decides whether to act now or later. The tunnel is
+ * up regardless.
  *
- * If vault isn't installed at all (rare for the cloudflare path — it requires
- * a vault entry — but possible on the tailnet/funnel path): `hasTotp` comes
- * back `false` and the warning still fires. The remediation
- * `parachute auth 2fa enroll` then surfaces vault's "install vault first"
- * error, which is the right next step regardless.
+ * The probe consults `readVaultAuthStatus().hasTotp`, which now reflects the
+ * hub.db `users.totp_secret` column (real hub-login 2FA) — true when any user
+ * has enrolled. The warning fires only when no second factor is configured.
  */
 
 import { type VaultAuthStatus, readVaultAuthStatus } from "../vault/auth-status.ts";
@@ -40,17 +34,20 @@ export interface Public2FAWarningOpts {
 }
 
 /**
- * `true` when `totp_secret` is present and non-empty in vault's config.yaml,
- * `false` otherwise (missing vault, missing config.yaml, empty value).
- *
- * Source-of-truth note: TOTP storage is the vault's, not the hub's. See the
- * module-level doc comment.
+ * `true` when a second factor is configured, `false` otherwise. As of hub#473
+ * this reflects the hub.db `users.totp_secret` column (real hub-login 2FA),
+ * with the legacy vault `config.yaml` `totp_secret` as a fallback for old
+ * installs — see {@link readVaultAuthStatus} and the module-level doc comment.
  */
 export function is2FAEnrolled(
-  opts: { vaultHome?: string; status?: VaultAuthStatus } = {},
+  opts: { vaultHome?: string; hubDbPath?: string; status?: VaultAuthStatus } = {},
 ): boolean {
   const status =
-    opts.status ?? readVaultAuthStatus(opts.vaultHome ? { vaultHome: opts.vaultHome } : {});
+    opts.status ??
+    readVaultAuthStatus({
+      ...(opts.vaultHome ? { vaultHome: opts.vaultHome } : {}),
+      ...(opts.hubDbPath ? { hubDbPath: opts.hubDbPath } : {}),
+    });
   return status.hasTotp;
 }
 
@@ -71,12 +68,17 @@ export function printPublic2FAWarning(opts: Public2FAWarningOpts): boolean {
     return false;
   }
   log("");
-  log("⚠ 2FA is not enrolled. /login is now reachable on the public internet");
-  log(`  (${opts.publicUrl}/login). Anyone who guesses your password`);
-  log("  is in. Strongly recommended:");
+  log("⚠ /login is now reachable on the public internet");
+  log(`  (${opts.publicUrl}/login). Anyone who guesses your password is in.`);
+  log("");
+  log("  Turn on two-factor authentication — it adds a second wall (a one-time");
+  log("  code from your authenticator app) on top of your password:");
   log("");
   log("    parachute auth 2fa enroll");
   log("");
-  log("  Adds TOTP + backup codes. Takes 30 seconds.");
+  log("  (Or set it up in the browser at /account/2fa for a scannable QR code.)");
+  log("  Either way, also make sure your owner password is a strong one:");
+  log("");
+  log("    parachute auth set-password");
   return true;
 }