@openparachute/hub 0.5.14-rc.8 → 0.6.0

package/src/two-factor-ui.ts

@@ -0,0 +1,462 @@
+/**
+ * Server-rendered HTML for `/account/2fa` — user self-service TOTP 2FA
+ * enroll / disenroll (hub#473). Part of the `/account/*` surface family;
+ * chrome cloned from `account-home-ui.ts` so the family stays cohesive.
+ *
+ * Three render states:
+ *
+ *   - `not-enrolled`: a "Set up two-factor authentication" card with a POST
+ *     button that starts enrollment.
+ *   - `enrolling`: the QR code (inline SVG, no external fetch) + the manual
+ *     base32 key + a confirm-code form. Posting a valid code finalizes.
+ *   - `enrolled`: status (enabled since …, N backup codes left) + a disenroll
+ *     form (requires the current password).
+ *
+ * Plus `backup-codes`: a one-time display of the freshly-minted backup codes
+ * after a successful enroll-confirm — shown ONCE, never retrievable.
+ *
+ * Pure renderer — no DB, no fs. The route handlers in `two-factor-handlers.ts`
+ * resolve the user + state, then call in here.
+ */
+import { WORDMARK_TEXT, brandMarkSvg } from "./brand.ts";
+import { renderCsrfHiddenInput } from "./csrf.ts";
+import { escapeHtml } from "./oauth-ui.ts";
+
+const PALETTE = {
+  bg: "#faf8f4",
+  bgSoft: "#f3f0ea",
+  fg: "#2c2a26",
+  fgMuted: "#6b6860",
+  fgDim: "#9a9690",
+  accent: "#4a7c59",
+  accentHover: "#3d6849",
+  accentSoft: "rgba(74, 124, 89, 0.08)",
+  border: "#e4e0d8",
+  borderLight: "#ece9e2",
+  cardBg: "#ffffff",
+  danger: "#a3392b",
+  dangerSoft: "rgba(163, 57, 43, 0.08)",
+  success: "#3d6849",
+  successSoft: "rgba(61, 104, 73, 0.08)",
+} as const;
+
+const FONT_SERIF = `Georgia, "Times New Roman", serif`;
+const FONT_SANS = `-apple-system, BlinkMacSystemFont, "Segoe UI", system-ui, sans-serif`;
+const FONT_MONO = `ui-monospace, "SF Mono", Menlo, Monaco, "Cascadia Mono", monospace`;
+
+function escapeAttr(s: string): string {
+  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");
+}
+
+function baseDocument(title: string, body: string): string {
+  return `<!doctype html>
+<html lang="en">
+<head>
+  <meta charset="utf-8" />
+  <title>${escapeHtml(title)}</title>
+  <meta name="viewport" content="width=device-width, initial-scale=1" />
+  <meta name="referrer" content="no-referrer" />
+  <style>${STYLES}</style>
+</head>
+<body>
+  <main>
+${body}
+  </main>
+</body>
+</html>`;
+}
+
+function header(): string {
+  return `
+        <div class="brand">
+          <span class="brand-mark" aria-hidden="true">${brandMarkSvg(20, "account-2fa")}</span>
+          <span class="brand-name">${WORDMARK_TEXT}</span>
+          <span class="brand-tag">two-factor</span>
+        </div>`;
+}
+
+function errorBanner(msg: string | undefined): string {
+  return msg ? `<p class="error-banner">${escapeHtml(msg)}</p>` : "";
+}
+
+function noticeBanner(msg: string | undefined): string {
+  return msg ? `<p class="notice-banner">${escapeHtml(msg)}</p>` : "";
+}
+
+function shell(title: string, inner: string): string {
+  const body = `
+    <div class="card">
+      <div class="card-header">
+        ${header()}
+        <h1>Two-factor authentication</h1>
+        <p class="subtitle">Protect your hub sign-in with a one-time code from an authenticator app.</p>
+      </div>
+      ${inner}
+      <p class="footer-link"><a href="/account/">← Back to your account</a></p>
+    </div>`;
+  return baseDocument(title, body);
+}
+
+// --- not enrolled ---------------------------------------------------------
+
+export interface NotEnrolledProps {
+  csrfToken: string;
+  errorMessage?: string;
+  notice?: string;
+}
+
+export function renderTwoFactorNotEnrolled(props: NotEnrolledProps): string {
+  const inner = `
+      ${errorBanner(props.errorMessage)}
+      ${noticeBanner(props.notice)}
+      <section class="section">
+        <p class="status status-off"><span class="dot dot-off"></span>Two-factor authentication is <strong>off</strong>.</p>
+        <p>When enabled, signing in will require a 6-digit code from your authenticator
+           app (Google Authenticator, 1Password, Authy, …) in addition to your password.</p>
+        <form method="POST" action="/account/2fa" class="action-form">
+          ${renderCsrfHiddenInput(props.csrfToken)}
+          <input type="hidden" name="action" value="start" />
+          <button type="submit" class="btn btn-primary">Set up two-factor authentication</button>
+        </form>
+      </section>`;
+  return shell("Two-factor authentication — Parachute", inner);
+}
+
+// --- enrolling (show QR + confirm) ----------------------------------------
+
+export interface EnrollingProps {
+  csrfToken: string;
+  /** Inline SVG markup for the otpauth QR code. */
+  qrSvg: string;
+  /** Base32 secret for manual authenticator entry. */
+  secret: string;
+  errorMessage?: string;
+}
+
+export function renderTwoFactorEnrolling(props: EnrollingProps): string {
+  const inner = `
+      ${errorBanner(props.errorMessage)}
+      <section class="section">
+        <p>1. Scan this QR code with your authenticator app:</p>
+        <div class="qr" aria-label="TOTP QR code">${props.qrSvg}</div>
+        <p>Can't scan? Enter this key manually:</p>
+        <div class="copy-row">
+          <code data-testid="totp-secret">${escapeHtml(props.secret)}</code>
+        </div>
+        <p>2. Enter the 6-digit code your app shows to confirm:</p>
+        <form method="POST" action="/account/2fa" class="action-form">
+          ${renderCsrfHiddenInput(props.csrfToken)}
+          <input type="hidden" name="action" value="confirm" />
+          <input type="hidden" name="secret" value="${escapeAttr(props.secret)}" />
+          <label class="field">
+            <span class="field-label">Authentication code</span>
+            <input type="text" name="code" inputmode="numeric" autocomplete="one-time-code"
+                   autofocus required placeholder="123456" />
+          </label>
+          <button type="submit" class="btn btn-primary">Confirm and enable</button>
+        </form>
+      </section>`;
+  return shell("Set up two-factor authentication — Parachute", inner);
+}
+
+// --- backup codes (one-time display) --------------------------------------
+
+export interface BackupCodesProps {
+  codes: string[];
+}
+
+export function renderTwoFactorBackupCodes(props: BackupCodesProps): string {
+  const list = props.codes
+    .map((c) => `<li><code>${escapeHtml(c)}</code></li>`)
+    .join("\n          ");
+  const inner = `
+      <section class="section">
+        <p class="status status-on"><span class="dot dot-on"></span>Two-factor authentication is now <strong>on</strong>.</p>
+        <p class="warn-text"><strong>Save these backup codes now.</strong> Each can be used once to
+           sign in if you lose access to your authenticator app. They are shown only once —
+           store them somewhere safe.</p>
+        <ul class="backup-codes" data-testid="backup-codes">
+          ${list}
+        </ul>
+        <p class="footer-link"><a class="btn btn-secondary" href="/account/2fa">I've saved my codes</a></p>
+      </section>`;
+  return shell("Backup codes — Parachute", inner);
+}
+
+// --- enrolled (status + disenroll) ----------------------------------------
+
+export interface EnrolledProps {
+  csrfToken: string;
+  /** ISO-8601 enrollment timestamp, or null. */
+  enrolledAt: string | null;
+  /** Count of unused backup codes. */
+  backupCodesRemaining: number;
+  errorMessage?: string;
+  notice?: string;
+}
+
+export function renderTwoFactorEnrolled(props: EnrolledProps): string {
+  const since = props.enrolledAt ? ` (since ${escapeHtml(props.enrolledAt.slice(0, 10))})` : "";
+  const inner = `
+      ${errorBanner(props.errorMessage)}
+      ${noticeBanner(props.notice)}
+      <section class="section">
+        <p class="status status-on"><span class="dot dot-on"></span>Two-factor authentication is <strong>on</strong>${since}.</p>
+        <p>You have <strong data-testid="backup-remaining">${props.backupCodesRemaining}</strong>
+           backup code${props.backupCodesRemaining === 1 ? "" : "s"} remaining.</p>
+      </section>
+      <section class="section">
+        <h2>Turn off two-factor authentication</h2>
+        <p>Disabling 2FA removes the second-factor requirement from your sign-in.
+           Enter your current password to confirm.</p>
+        <form method="POST" action="/account/2fa" class="action-form">
+          ${renderCsrfHiddenInput(props.csrfToken)}
+          <input type="hidden" name="action" value="disable" />
+          <label class="field">
+            <span class="field-label">Current password</span>
+            <input type="password" name="password" autocomplete="current-password" required />
+          </label>
+          <button type="submit" class="btn btn-danger">Turn off two-factor authentication</button>
+        </form>
+      </section>`;
+  return shell("Two-factor authentication — Parachute", inner);
+}
+
+// --- styles ---------------------------------------------------------------
+
+const STYLES = `
+  *, *::before, *::after { box-sizing: border-box; }
+  html, body { margin: 0; padding: 0; }
+  body {
+    font-family: ${FONT_SANS};
+    background: ${PALETTE.bg};
+    color: ${PALETTE.fg};
+    line-height: 1.55;
+    min-height: 100vh;
+    -webkit-font-smoothing: antialiased;
+    -moz-osx-font-smoothing: grayscale;
+  }
+  main {
+    display: flex;
+    align-items: flex-start;
+    justify-content: center;
+    min-height: 100vh;
+    padding: 2rem 1.5rem;
+  }
+  .card {
+    width: 100%;
+    max-width: 34rem;
+    background: ${PALETTE.cardBg};
+    border: 1px solid ${PALETTE.border};
+    border-radius: 12px;
+    padding: 2rem 1.75rem;
+    box-shadow: 0 1px 2px rgba(44, 42, 38, 0.04), 0 8px 24px rgba(44, 42, 38, 0.06);
+  }
+  .card-header { margin-bottom: 1.5rem; }
+  .brand {
+    display: flex;
+    align-items: center;
+    gap: 0.5rem;
+    color: ${PALETTE.accent};
+    font-weight: 500;
+    font-size: 0.95rem;
+    margin-bottom: 1.25rem;
+  }
+  .brand-mark { display: inline-flex; line-height: 0; }
+  .brand-mark svg { width: 20px; height: 20px; }
+  .brand-name { letter-spacing: 0.01em; }
+  .brand-tag {
+    text-transform: uppercase;
+    letter-spacing: 0.06em;
+    font-size: 0.7rem;
+    color: ${PALETTE.fgMuted};
+    border: 1px solid ${PALETTE.borderLight};
+    padding: 0.05rem 0.4rem;
+    border-radius: 999px;
+  }
+  h1 {
+    font-family: ${FONT_SERIF};
+    font-weight: 400;
+    font-size: 1.6rem;
+    line-height: 1.2;
+    margin: 0 0 0.4rem;
+    color: ${PALETTE.fg};
+  }
+  h2 {
+    font-family: ${FONT_SERIF};
+    font-weight: 400;
+    font-size: 1.15rem;
+    line-height: 1.25;
+    margin: 0 0 0.6rem;
+    color: ${PALETTE.fg};
+  }
+  .subtitle { margin: 0; color: ${PALETTE.fgMuted}; font-size: 0.95rem; }
+
+  .section {
+    border-top: 1px solid ${PALETTE.borderLight};
+    padding-top: 1.25rem;
+    margin-top: 1.25rem;
+  }
+  .section p { margin: 0.5rem 0; }
+
+  .status { font-weight: 500; display: flex; align-items: center; gap: 0.5rem; }
+  .dot { display: inline-block; width: 0.6rem; height: 0.6rem; border-radius: 999px; }
+  .dot-on { background: ${PALETTE.success}; }
+  .dot-off { background: ${PALETTE.fgDim}; }
+  .status-on strong { color: ${PALETTE.success}; }
+
+  .qr {
+    width: 200px;
+    height: 200px;
+    margin: 0.75rem 0;
+    padding: 0.6rem;
+    background: #ffffff;
+    border: 1px solid ${PALETTE.borderLight};
+    border-radius: 8px;
+  }
+  .qr svg { width: 100%; height: 100%; display: block; }
+
+  .copy-row {
+    display: flex;
+    align-items: center;
+    gap: 0.5rem;
+    background: ${PALETTE.bgSoft};
+    border: 1px solid ${PALETTE.borderLight};
+    border-radius: 6px;
+    padding: 0.5rem 0.6rem;
+    margin: 0.4rem 0 0.75rem;
+  }
+  .copy-row code {
+    flex: 1 1 auto;
+    overflow-x: auto;
+    white-space: nowrap;
+    background: transparent;
+    padding: 0;
+    font-size: 0.95rem;
+    letter-spacing: 0.08em;
+  }
+
+  .backup-codes {
+    list-style: none;
+    margin: 0.75rem 0;
+    padding: 0;
+    display: grid;
+    grid-template-columns: repeat(2, 1fr);
+    gap: 0.5rem;
+  }
+  .backup-codes code {
+    font-size: 0.95rem;
+    letter-spacing: 0.04em;
+    display: block;
+    text-align: center;
+    padding: 0.4rem;
+  }
+  .warn-text {
+    background: ${PALETTE.dangerSoft};
+    border: 1px solid ${PALETTE.danger};
+    border-radius: 6px;
+    color: ${PALETTE.danger};
+    padding: 0.6rem 0.8rem;
+  }
+
+  code {
+    font-family: ${FONT_MONO};
+    background: ${PALETTE.bgSoft};
+    padding: 0.1rem 0.4rem;
+    border-radius: 4px;
+    font-size: 0.88em;
+  }
+
+  .action-form { display: flex; flex-direction: column; gap: 0.9rem; margin-top: 0.75rem; }
+  .field { display: flex; flex-direction: column; gap: 0.35rem; }
+  .field-label {
+    font-size: 0.85rem;
+    font-weight: 500;
+    color: ${PALETTE.fgMuted};
+    letter-spacing: 0.01em;
+    font-family: ${FONT_MONO};
+  }
+  input[type=text], input[type=password] {
+    font: inherit;
+    width: 100%;
+    padding: 0.6rem 0.75rem;
+    border: 1px solid ${PALETTE.border};
+    border-radius: 6px;
+    background: ${PALETTE.bg};
+    color: ${PALETTE.fg};
+    transition: border-color 0.15s ease, background 0.15s ease;
+  }
+  input[type=text]:focus, input[type=password]:focus {
+    outline: none;
+    border-color: ${PALETTE.accent};
+    background: ${PALETTE.cardBg};
+    box-shadow: 0 0 0 3px ${PALETTE.accentSoft};
+  }
+
+  .btn {
+    font: inherit;
+    font-weight: 500;
+    padding: 0.6rem 1.1rem;
+    border-radius: 6px;
+    border: 1px solid transparent;
+    cursor: pointer;
+    text-decoration: none;
+    display: inline-block;
+    align-self: flex-start;
+    transition: background 0.15s ease, color 0.15s ease, border-color 0.15s ease;
+  }
+  .btn-primary { background: ${PALETTE.accent}; color: ${PALETTE.cardBg}; }
+  .btn-primary:hover { background: ${PALETTE.accentHover}; }
+  .btn-secondary { background: transparent; color: ${PALETTE.fg}; border-color: ${PALETTE.border}; }
+  .btn-secondary:hover { background: ${PALETTE.bgSoft}; border-color: ${PALETTE.accent}; }
+  .btn-danger { background: ${PALETTE.danger}; color: ${PALETTE.cardBg}; }
+  .btn-danger:hover { background: #8a3023; }
+
+  .error-banner {
+    background: ${PALETTE.dangerSoft};
+    border: 1px solid ${PALETTE.danger};
+    border-radius: 6px;
+    color: ${PALETTE.danger};
+    padding: 0.6rem 0.8rem;
+    margin: 0 0 1rem;
+    font-size: 0.9rem;
+  }
+  .notice-banner {
+    background: ${PALETTE.successSoft};
+    border: 1px solid ${PALETTE.success};
+    border-radius: 6px;
+    color: ${PALETTE.success};
+    padding: 0.6rem 0.8rem;
+    margin: 0 0 1rem;
+    font-size: 0.9rem;
+  }
+
+  .footer-link { margin-top: 1.25rem; }
+  a { color: ${PALETTE.accent}; }
+  a:hover { color: ${PALETTE.accentHover}; }
+
+  @media (max-width: 480px) {
+    main { padding: 1rem 0.75rem; }
+    .card { padding: 1.5rem 1.25rem; border-radius: 10px; }
+    h1 { font-size: 1.4rem; }
+    .backup-codes { grid-template-columns: 1fr; }
+  }
+
+  @media (prefers-color-scheme: dark) {
+    body { background: #1a1815; color: #e8e4dc; }
+    .card { background: #25221d; border-color: #3a362f; box-shadow: 0 8px 24px rgba(0, 0, 0, 0.3); }
+    h1, h2 { color: #f0ece4; }
+    .subtitle, .field-label { color: #a8a29a; }
+    code { background: #1f1c18; color: #e8e4dc; }
+    .copy-row { background: #1f1c18; border-color: #3a362f; }
+    .copy-row code { background: transparent; }
+    .section { border-top-color: #3a362f; }
+    .brand-tag { border-color: #3a362f; color: #a8a29a; }
+    input[type=text], input[type=password] {
+      background: #1f1c18; border-color: #3a362f; color: #e8e4dc;
+    }
+    input[type=text]:focus, input[type=password]:focus { background: #25221d; }
+    .btn-secondary { color: #e8e4dc; border-color: #3a362f; }
+    .btn-secondary:hover { background: #1f1c18; border-color: ${PALETTE.accent}; }
+  }
+`;

package/src/users.ts

@@ -144,6 +144,64 @@ function readVaultsForUser(db: Database, userId: string): string[] {
     .map((r) => r.vault_name);
 }
 
+/**
+ * The per-vault verbs a `user_vaults.role` grants. The schema's `role`
+ * column is `TEXT NOT NULL DEFAULT 'write'` and is reserved forward-compat
+ * for per-vault role granularity (see the v10 migration note in
+ * `hub-db.ts`). Today every assignment is created with `role = 'write'`, so
+ * the only live mapping is `write → {read, write}`. The function is the
+ * single place the verb-cap lives so a future role taxonomy (`read`-only,
+ * `admin`, etc.) lands here without the friend-mint path having to change.
+ *
+ * Mapping:
+ *   - `write` (today's only value)  → `["read", "write"]`
+ *   - `read`                        → `["read"]`
+ *   - anything else (unknown role)  → `[]` — fail closed. An unrecognised
+ *     role grants no minting authority rather than silently defaulting to
+ *     write. (Defense-in-depth: a hand-edited / future row with a role this
+ *     code doesn't understand should not be treated as broad write.)
+ *
+ * `admin` is intentionally NOT mapped to a `vault:<name>:admin` mint here —
+ * the friend-facing token mint is capped at read/write by design. A
+ * future per-vault-admin friend grant would route through the
+ * vault-admin-token path, not this one.
+ */
+export type VaultVerb = "read" | "write";
+
+export function vaultVerbsForRole(role: string): VaultVerb[] {
+  if (role === "write") return ["read", "write"];
+  if (role === "read") return ["read"];
+  return [];
+}
+
+/**
+ * Read the verbs a user may mint for one of their assigned vaults.
+ *
+ * Returns `null` when the user has NO `user_vaults` row for `vaultName` —
+ * i.e. the vault is not in their assignment. The caller treats `null` as a
+ * hard 403 (no minting for an unassigned vault). When a row exists, returns
+ * the verb list `vaultVerbsForRole` maps the stored role to (today always
+ * `["read", "write"]` since every assignment is `role = 'write'`).
+ *
+ * This reads the role column directly rather than going through
+ * `getUserById().assignedVaults` because that array is verb-blind — it
+ * names the vaults but not the role granted. The friend-mint authorization
+ * cap needs the role.
+ */
+export function vaultVerbsForUserVault(
+  db: Database,
+  userId: string,
+  vaultName: string,
+): VaultVerb[] | null {
+  const row = db
+    .query<{ role: string }, [string, string]>(
+      "SELECT role FROM user_vaults WHERE user_id = ? AND vault_name = ?",
+    )
+    .get(userId, vaultName);
+  if (!row) return null;
+  return vaultVerbsForRole(row.role);
+}
+
 export interface CreateUserOpts {
   /** Allow creating an additional user when one already exists. Off by default. */
   allowMulti?: boolean;

package/src/vault/auth-status.ts

@@ -18,11 +18,12 @@
  *   3. ~/.parachute/vault/data/<name>/vault.db (SQLite) → tokens table
  *      count, summed across every vault instance.
  *
- * The hub.db schema doesn't yet carry a TOTP column (2FA lands in a later
- * phase per the multi-user design doc); we always report `hasTotp: false`
- * when the hub.db path is the source of truth. That matches what's
- * actually shipped — pretending otherwise would whisper "you're covered"
- * when no second factor exists.
+ * As of hub#473 the hub.db `users` table carries TOTP columns
+ * (`totp_secret` et al.) and `/login` enforces a second factor when set, so
+ * `hasTotp` now reflects the hub.db state: true when any user has a non-empty
+ * `totp_secret`. The legacy vault `config.yaml` `totp_secret` (which never
+ * gated hub `/login`) is still read as a fallback for super-old installs whose
+ * hub.db is absent, but real hub-login 2FA is the hub.db signal.
  *
  * The YAML fallback path uses line-anchored regex parsing that matches
  * vault's own `readGlobalConfig()` semantics (parachute-vault src/config.ts):
@@ -54,9 +55,12 @@ export interface VaultAuthStatus {
   hasTotp: boolean;
   /**
    * `null` means we couldn't read the SQLite DB — distinct from "0 tokens
-   * exist." Callers branch the UI on this: `null` → "token status unknown,
-   * run `parachute vault tokens list` to check"; `0` → loud "no auth at
-   * all!" warning; `>0` → benign.
+   * exist." Post the pvt_* DROP (hub#466) the expose preflight no longer
+   * branches on this — `classify()` in expose-auth-preflight.ts gates on
+   * `hasOwnerPassword`, since access now flows through the owner password +
+   * on-demand hub JWT mint, not standing vault tokens. `tokenCount` is kept
+   * as a best-effort diagnostic only (these rows are vestigial); `null`
+   * still cleanly distinguishes "unreadable DB" from "0 rows."
    */
   tokenCount: number | null;
   /** Vault instance names discovered under data/. Empty when vault has
@@ -96,6 +100,16 @@ export interface AuthStatusOpts {
    * want true "I can sign in" semantics get the OR of hub.db∪YAML.
    */
   probeHubDbHasUserPassword?: (dbPath: string) => boolean | undefined;
+  /**
+   * Probe hub.db for "does at least one user row have a non-empty
+   * `totp_secret`?" — the canonical "real hub-login 2FA is on" signal
+   * (hub#473). Same tri-state semantics as {@link probeHubDbHasUserPassword}:
+   *   - `true`  → at least one user has TOTP enrolled.
+   *   - `false` → hub.db opened cleanly but no user has a secret.
+   *   - `undefined` → hub.db missing / unreadable / column absent (pre-v11);
+   *                   caller falls back to the legacy YAML probe.
+   */
+  probeHubDbHasTotp?: (dbPath: string) => boolean | undefined;
 }
 
 interface Resolved {
@@ -105,6 +119,7 @@ interface Resolved {
   listVaultNames: (dataDir: string) => string[];
   countTokens: (dbPath: string) => number;
   probeHubDbHasUserPassword: (dbPath: string) => boolean | undefined;
+  probeHubDbHasTotp: (dbPath: string) => boolean | undefined;
 }
 
 function defaultVaultHome(): string {
@@ -183,11 +198,46 @@ function defaultProbeHubDbHasUserPassword(dbPath: string): boolean | undefined {
     // simpler than a JOIN on earliest-created-at. A future env-seed
     // flow that creates friend accounts before the operator sets a
     // password would need to revisit this assumption.
-    const row = db?.prepare(
-      "SELECT COUNT(*) AS n FROM users WHERE password_hash IS NOT NULL AND length(password_hash) > 0",
-    ).get() as { n: number } | null;
+    const row = db
+      ?.prepare(
+        "SELECT COUNT(*) AS n FROM users WHERE password_hash IS NOT NULL AND length(password_hash) > 0",
+      )
+      .get() as { n: number } | null;
+    return (row?.n ?? 0) > 0;
+  } catch {
+    return undefined;
+  } finally {
+    try {
+      db?.close();
+    } catch {
+      // ignore
+    }
+  }
+}
+
+/**
+ * Open hub.db readonly and ask "does at least one user have a non-empty
+ * `totp_secret`?" — the real hub-login 2FA signal (hub#473). Returns
+ * `undefined` on any failure (DB missing, locked, or the `totp_secret` column
+ * absent because migration v11 hasn't applied) — the caller then falls back to
+ * the legacy YAML probe. Readonly open (no migration side effects) mirrors
+ * {@link defaultProbeHubDbHasUserPassword}.
+ */
+function defaultProbeHubDbHasTotp(dbPath: string): boolean | undefined {
+  if (!existsSync(dbPath)) return undefined;
+  const { Database } = require("bun:sqlite");
+  let db: { prepare: (sql: string) => { get: () => unknown }; close: () => void } | undefined;
+  try {
+    db = new Database(dbPath, { readonly: true }) as typeof db;
+    const row = db
+      ?.prepare(
+        "SELECT COUNT(*) AS n FROM users WHERE totp_secret IS NOT NULL AND length(totp_secret) > 0",
+      )
+      .get() as { n: number } | null;
     return (row?.n ?? 0) > 0;
   } catch {
+    // Column absent (pre-v11) or DB unreadable — indistinguishable from
+    // "no hub.db"; let the YAML fallback decide.
     return undefined;
   } finally {
     try {
@@ -205,8 +255,8 @@ function resolve(opts: AuthStatusOpts): Resolved {
     readText: opts.readText ?? defaultReadText,
     listVaultNames: opts.listVaultNames ?? defaultListVaultNames,
     countTokens: opts.countTokens ?? defaultCountTokens,
-    probeHubDbHasUserPassword:
-      opts.probeHubDbHasUserPassword ?? defaultProbeHubDbHasUserPassword,
+    probeHubDbHasUserPassword: opts.probeHubDbHasUserPassword ?? defaultProbeHubDbHasUserPassword,
+    probeHubDbHasTotp: opts.probeHubDbHasTotp ?? defaultProbeHubDbHasTotp,
   };
 }
 
@@ -258,12 +308,14 @@ function readAuthSignals(r: Resolved): AuthSignals {
   const yaml = readYamlAuth(r);
   const hubDbHasUser = r.probeHubDbHasUserPassword(r.hubDbPath);
   const hasOwnerPassword = hubDbHasUser === true ? true : yaml.hasOwnerPassword;
-  return {
-    hasOwnerPassword,
-    // No hub-side TOTP column shipped yet (multi-user Phase 3). Until it
-    // lands, TOTP is YAML-only — matches what's actually true on disk.
-    hasTotp: yaml.hasTotp,
-  };
+  // Real hub-login 2FA (hub#473): read hub.db's totp_secret. `undefined` (DB
+  // missing / pre-v11 column absent) falls back to the legacy YAML totp_secret
+  // — that one never gated hub `/login`, but suppressing the warning for an
+  // operator who set it avoids nagging. A definitive hub.db `false` (column
+  // present, no user enrolled) overrides a stale YAML true.
+  const hubDbHasTotp = r.probeHubDbHasTotp(r.hubDbPath);
+  const hasTotp = hubDbHasTotp === undefined ? yaml.hasTotp : hubDbHasTotp;
+  return { hasOwnerPassword, hasTotp };
 }
 
 /**