@openparachute/hub 0.5.14-rc.9 → 0.6.0

package/src/__tests__/account-vault-token.test.ts

@@ -0,0 +1,355 @@
+/**
+ * Security tests for the friend-facing scoped vault token mint —
+ * `POST /account/vault-token/<name>` (`handleAccountVaultTokenPost`).
+ *
+ * This is a new auth-mint surface, so the authorization is tested
+ * adversarially. The spine:
+ *   - No session            → 401 (no mint).
+ *   - Assigned vault        → 200, token carries `vault:<name>:<verb>`,
+ *                             `aud=vault.<name>`, `iss=<hub>`, sub=user.
+ *   - UNassigned vault      → 403 (cannot mint for a vault not in the
+ *                             user's `user_vaults` assignment — blocks
+ *                             cross-vault).
+ *   - `admin` verb          → rejected (not in the form vocabulary).
+ *   - Broader/garbage verb  → rejected.
+ *   - First admin           → 403 (no `user_vaults` rows → unrestricted
+ *                             admins use the SPA path, not this one).
+ *   - CSRF missing/mismatch → 400.
+ *   - Rate limit            → 429 after the bucket fills.
+ *   - The minted token is a valid hub JWT the vault would accept.
+ */
+import type { Database } from "bun:sqlite";
+import { afterEach, beforeEach, describe, expect, test } from "bun:test";
+import { mkdtempSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { ACCOUNT_VAULT_TOKEN_TTL_SECONDS } from "../account-home-ui.ts";
+import { handleAccountVaultTokenPost } from "../account-vault-token.ts";
+import { CSRF_FIELD_NAME, buildCsrfCookie, generateCsrfToken } from "../csrf.ts";
+import { hubDbPath, openHubDb } from "../hub-db.ts";
+import { validateAccessToken } from "../jwt-sign.ts";
+import { __resetForTests } from "../rate-limit.ts";
+import { SESSION_TTL_MS, buildSessionCookie, createSession } from "../sessions.ts";
+import { createUser } from "../users.ts";
+
+const ISSUER = "https://hub.test";
+
+interface Harness {
+  db: Database;
+  cleanup: () => void;
+}
+
+function makeHarness(): Harness {
+  const dir = mkdtempSync(join(tmpdir(), "phub-account-vault-token-"));
+  const db = openHubDb(hubDbPath(dir));
+  return {
+    db,
+    cleanup: () => {
+      db.close();
+      rmSync(dir, { recursive: true, force: true });
+    },
+  };
+}
+
+let harness: Harness;
+beforeEach(() => {
+  harness = makeHarness();
+  __resetForTests();
+});
+afterEach(() => {
+  harness.cleanup();
+  __resetForTests();
+});
+
+const deps = () => ({ db: harness.db, hubOrigin: ISSUER });
+
+/** A shared CSRF token + matching cookie value for the double-submit handshake. */
+function csrfPair(): { token: string; cookieFragment: string } {
+  const token = generateCsrfToken();
+  // buildCsrfCookie(...) → "parachute_hub_csrf=<token>; HttpOnly; ...". We only
+  // need the name=value fragment to join with the session cookie.
+  const cookie = buildCsrfCookie(token, { secure: false }).split(";")[0] ?? "";
+  return { token, cookieFragment: cookie };
+}
+
+/** Build the first-admin operator + a friend assigned to `vaults`. */
+async function seedFriend(
+  vaults: string[],
+): Promise<{ friendId: string; cookie: string; csrfToken: string }> {
+  await createUser(harness.db, "operator", "operator-password-123");
+  const friend = await createUser(harness.db, "friend", "friend-password-123", {
+    assignedVaults: vaults,
+    allowMulti: true,
+  });
+  const session = createSession(harness.db, { userId: friend.id });
+  const { token, cookieFragment } = csrfPair();
+  const sessionCookie = buildSessionCookie(session.id, Math.floor(SESSION_TTL_MS / 1000));
+  const cookie = `${sessionCookie}; ${cookieFragment}`;
+  return { friendId: friend.id, cookie, csrfToken: token };
+}
+
+function mintReq(
+  vaultName: string,
+  opts: { cookie?: string; csrfToken?: string; verb?: string; omitCsrf?: boolean } = {},
+): Request {
+  const body = new URLSearchParams();
+  if (!opts.omitCsrf && opts.csrfToken !== undefined) body.set(CSRF_FIELD_NAME, opts.csrfToken);
+  if (opts.verb !== undefined) body.set("verb", opts.verb);
+  const headers: Record<string, string> = {
+    "content-type": "application/x-www-form-urlencoded",
+  };
+  if (opts.cookie) headers.cookie = opts.cookie;
+  return new Request(`${ISSUER}/account/vault-token/${encodeURIComponent(vaultName)}`, {
+    method: "POST",
+    headers,
+    body: body.toString(),
+  });
+}
+
+describe("handleAccountVaultTokenPost — happy path (assigned vault)", () => {
+  test("200 mints vault:<name>:read for an assigned vault, valid hub JWT", async () => {
+    const { friendId, cookie, csrfToken } = await seedFriend(["work"]);
+    const res = await handleAccountVaultTokenPost(
+      mintReq("work", { cookie, csrfToken, verb: "read" }),
+      "work",
+      deps(),
+    );
+    expect(res.status).toBe(200);
+    expect(res.headers.get("cache-control")).toBe("no-store");
+    const html = await res.text();
+    expect(html).toContain('data-testid="minted-token-banner"');
+
+    // Pull the token out of the show-once banner and validate it as a hub JWT.
+    const m = html.match(/data-testid="minted-token-value">([^<]+)</);
+    expect(m).not.toBeNull();
+    const token = m![1] as string;
+    const validated = await validateAccessToken(harness.db, token, ISSUER);
+    expect(validated.payload.sub).toBe(friendId);
+    expect(validated.payload.iss).toBe(ISSUER);
+    expect(validated.payload.aud).toBe("vault.work");
+    const scopeClaim = (validated.payload as { scope?: string }).scope ?? "";
+    expect(scopeClaim.split(/\s+/)).toEqual(["vault:work:read"]);
+    // vault_scope pin — token can only ever be used against `work`.
+    expect((validated.payload as { vault_scope?: string[] }).vault_scope).toEqual(["work"]);
+
+    // TTL ≈ 90 days.
+    const expMs = new Date((validated.payload.exp ?? 0) * 1000).getTime();
+    const skew = expMs - Date.now();
+    expect(skew).toBeGreaterThan((ACCOUNT_VAULT_TOKEN_TTL_SECONDS - 60) * 1000);
+    expect(skew).toBeLessThan((ACCOUNT_VAULT_TOKEN_TTL_SECONDS + 60) * 1000);
+  });
+
+  test("200 mints vault:<name>:write when verb=write (default-role assignment)", async () => {
+    const { cookie, csrfToken } = await seedFriend(["work"]);
+    const res = await handleAccountVaultTokenPost(
+      mintReq("work", { cookie, csrfToken, verb: "write" }),
+      "work",
+      deps(),
+    );
+    expect(res.status).toBe(200);
+    const html = await res.text();
+    const token = html.match(/data-testid="minted-token-value">([^<]+)</)?.[1] as string;
+    const validated = await validateAccessToken(harness.db, token, ISSUER);
+    const scopeClaim = (validated.payload as { scope?: string }).scope ?? "";
+    expect(scopeClaim.split(/\s+/)).toEqual(["vault:work:write"]);
+  });
+
+  test("a friend assigned to multiple vaults can mint for each, never cross-vault", async () => {
+    const { cookie, csrfToken } = await seedFriend(["work", "home"]);
+    for (const v of ["work", "home"]) {
+      const res = await handleAccountVaultTokenPost(
+        mintReq(v, { cookie, csrfToken, verb: "read" }),
+        v,
+        deps(),
+      );
+      expect(res.status).toBe(200);
+      const html = await res.text();
+      const token = html.match(/data-testid="minted-token-value">([^<]+)</)?.[1] as string;
+      const validated = await validateAccessToken(harness.db, token, ISSUER);
+      expect(validated.payload.aud).toBe(`vault.${v}`);
+    }
+    // ...but a vault NOT in {work, home} is refused.
+    const res = await handleAccountVaultTokenPost(
+      mintReq("secret", { cookie, csrfToken, verb: "read" }),
+      "secret",
+      deps(),
+    );
+    expect(res.status).toBe(403);
+  });
+});
+
+describe("handleAccountVaultTokenPost — authorization gates (adversarial)", () => {
+  test("401 when no session cookie is present", async () => {
+    // Even with a CSRF token, no session = no identity = no mint.
+    const { token, cookieFragment } = csrfPair();
+    const res = await handleAccountVaultTokenPost(
+      mintReq("work", { cookie: cookieFragment, csrfToken: token, verb: "read" }),
+      "work",
+      deps(),
+    );
+    expect(res.status).toBe(401);
+  });
+
+  test("403 when minting for a vault the friend is NOT assigned to (cross-vault)", async () => {
+    // Friend is assigned to `work` only; attempts `other`.
+    const { cookie, csrfToken } = await seedFriend(["work"]);
+    const res = await handleAccountVaultTokenPost(
+      mintReq("other", { cookie, csrfToken, verb: "read" }),
+      "other",
+      deps(),
+    );
+    expect(res.status).toBe(403);
+    const html = await res.text();
+    expect(html).toContain('data-testid="mint-error-banner"');
+    expect(html).toContain("not assigned");
+    // Critically: no token was minted.
+    expect(html).not.toContain('data-testid="minted-token-banner"');
+  });
+
+  test("a non-assigned friend cannot mint even for a vault that EXISTS for another user", async () => {
+    // Two friends; friend B is assigned to `shared`, friend A is not.
+    await createUser(harness.db, "operator", "operator-password-123");
+    const friendB = await createUser(harness.db, "bee", "bee-password-12345", {
+      assignedVaults: ["shared"],
+      allowMulti: true,
+    });
+    expect(friendB.id).toBeTruthy();
+    const friendA = await createUser(harness.db, "aay", "aay-password-12345", {
+      assignedVaults: ["mine"],
+      allowMulti: true,
+    });
+    const sessionA = createSession(harness.db, { userId: friendA.id });
+    const { token, cookieFragment } = csrfPair();
+    const cookie = `${buildSessionCookie(sessionA.id, Math.floor(SESSION_TTL_MS / 1000))}; ${cookieFragment}`;
+    const res = await handleAccountVaultTokenPost(
+      mintReq("shared", { cookie, csrfToken: token, verb: "read" }),
+      "shared",
+      deps(),
+    );
+    expect(res.status).toBe(403);
+  });
+
+  test("403 — the first admin cannot mint here (no user_vaults rows; uses SPA path)", async () => {
+    // The first-created user is the unrestricted admin: empty assignedVaults,
+    // so vaultVerbsForUserVault returns null for every vault → 403. Admins
+    // mint via /admin/vault-admin-token, not this friend surface.
+    const admin = await createUser(harness.db, "operator", "operator-password-123");
+    const session = createSession(harness.db, { userId: admin.id });
+    const { token, cookieFragment } = csrfPair();
+    const cookie = `${buildSessionCookie(session.id, Math.floor(SESSION_TTL_MS / 1000))}; ${cookieFragment}`;
+    const res = await handleAccountVaultTokenPost(
+      mintReq("work", { cookie, csrfToken: token, verb: "read" }),
+      "work",
+      deps(),
+    );
+    expect(res.status).toBe(403);
+  });
+
+  test("admin verb is rejected — never mints vault:<name>:admin", async () => {
+    const { cookie, csrfToken } = await seedFriend(["work"]);
+    const res = await handleAccountVaultTokenPost(
+      mintReq("work", { cookie, csrfToken, verb: "admin" }),
+      "work",
+      deps(),
+    );
+    expect(res.status).toBe(400);
+    const html = await res.text();
+    expect(html).not.toContain('data-testid="minted-token-banner"');
+    expect(html).not.toContain("vault:work:admin");
+  });
+
+  test("a garbage / broader verb is rejected", async () => {
+    const { cookie, csrfToken } = await seedFriend(["work"]);
+    for (const verb of ["host", "delete", "read write", "*", ""]) {
+      const res = await handleAccountVaultTokenPost(
+        mintReq("work", { cookie, csrfToken, verb }),
+        "work",
+        deps(),
+      );
+      expect(res.status).toBe(400);
+    }
+  });
+
+  test("a syntactically invalid vault name is rejected before any mint", async () => {
+    const { cookie, csrfToken } = await seedFriend(["work"]);
+    const res = await handleAccountVaultTokenPost(
+      mintReq("has..dots", { cookie, csrfToken, verb: "read" }),
+      "has..dots",
+      deps(),
+    );
+    expect(res.status).toBe(400);
+  });
+});
+
+describe("handleAccountVaultTokenPost — CSRF + method + rate limit", () => {
+  test("405 on non-POST", async () => {
+    const { cookie } = await seedFriend(["work"]);
+    const req = new Request(`${ISSUER}/account/vault-token/work`, {
+      method: "GET",
+      headers: { cookie },
+    });
+    const res = await handleAccountVaultTokenPost(req, "work", deps());
+    expect(res.status).toBe(405);
+  });
+
+  test("400 when the CSRF token is missing", async () => {
+    const { cookie } = await seedFriend(["work"]);
+    const res = await handleAccountVaultTokenPost(
+      mintReq("work", { cookie, omitCsrf: true, verb: "read" }),
+      "work",
+      deps(),
+    );
+    expect(res.status).toBe(400);
+  });
+
+  test("400 when the CSRF form token does not match the cookie", async () => {
+    const { cookie } = await seedFriend(["work"]);
+    // Send a different (non-matching) CSRF token in the form than the cookie.
+    const res = await handleAccountVaultTokenPost(
+      mintReq("work", { cookie, csrfToken: generateCsrfToken(), verb: "read" }),
+      "work",
+      deps(),
+    );
+    expect(res.status).toBe(400);
+  });
+
+  test("429 once the per-user mint bucket fills (10 / 10 min)", async () => {
+    const { cookie, csrfToken } = await seedFriend(["work"]);
+    // 10 admitted, 11th denied.
+    for (let i = 0; i < 10; i++) {
+      const res = await handleAccountVaultTokenPost(
+        mintReq("work", { cookie, csrfToken, verb: "read" }),
+        "work",
+        deps(),
+      );
+      expect(res.status).toBe(200);
+    }
+    const denied = await handleAccountVaultTokenPost(
+      mintReq("work", { cookie, csrfToken, verb: "read" }),
+      "work",
+      deps(),
+    );
+    expect(denied.status).toBe(429);
+  });
+
+  test("CSRF failure does NOT burn a rate-limit slot", async () => {
+    // A cross-site POST with a bad CSRF token should 400 before the bucket is
+    // touched — otherwise an attacker could exhaust the victim's mint bucket.
+    const { cookie, csrfToken } = await seedFriend(["work"]);
+    for (let i = 0; i < 15; i++) {
+      const res = await handleAccountVaultTokenPost(
+        mintReq("work", { cookie, csrfToken: generateCsrfToken(), verb: "read" }),
+        "work",
+        deps(),
+      );
+      expect(res.status).toBe(400);
+    }
+    // The legitimate mint still succeeds — the bucket was never touched.
+    const ok = await handleAccountVaultTokenPost(
+      mintReq("work", { cookie, csrfToken, verb: "read" }),
+      "work",
+      deps(),
+    );
+    expect(ok.status).toBe(200);
+  });
+});

package/src/__tests__/admin-vaults.test.ts

@@ -8,11 +8,21 @@ import { signAccessToken } from "../jwt-sign.ts";
 import { upsertService, writeManifest } from "../services-manifest.ts";
 import { rotateSigningKey } from "../signing-keys.ts";
 
-/** Build the JSON shape parachute-vault create --json emits (PR #184). */
-function vaultCreateJson(name: string, token = `pvt_${name}_token`): string {
+/**
+ * Build the JSON shape `parachute-vault create --json` emits (PR #184).
+ * Post the pvt_* DROP the `token` is a hub-issued access JWT (scoped
+ * `vault:<name>:admin`), and may be the empty string when the vault
+ * couldn't mint — in which case `token_guidance` carries the reason.
+ */
+function vaultCreateJson(
+  name: string,
+  token = `hubjwt.${name}.access`,
+  tokenGuidance?: string,
+): string {
   return JSON.stringify({
     name,
     token,
+    ...(tokenGuidance ? { token_guidance: tokenGuidance } : {}),
     paths: {
       vault_dir: `/home/test/.parachute/vault/${name}`,
       vault_db: `/home/test/.parachute/vault/${name}/vault.db`,
@@ -404,7 +414,7 @@ describe("POST /vaults — orchestration", () => {
           );
           return {
             exitCode: 0,
-            stdout: vaultCreateJson("work", "pvt_supersecret"),
+            stdout: vaultCreateJson("work", "hubjwt.work.access"),
             stderr: "",
           };
         };
@@ -420,7 +430,7 @@ describe("POST /vaults — orchestration", () => {
           token?: string;
           paths?: { vault_dir: string; vault_db: string; vault_config: string };
         };
-        expect(body.token).toBe("pvt_supersecret");
+        expect(body.token).toBe("hubjwt.work.access");
         expect(body.paths).toEqual({
           vault_dir: "/home/test/.parachute/vault/work",
           vault_db: "/home/test/.parachute/vault/work/vault.db",
@@ -434,6 +444,62 @@ describe("POST /vaults — orchestration", () => {
     }
   });
 
+  test("201 forwards an empty token + token_guidance when the vault couldn't mint (post-DROP)", async () => {
+    // The vault emits `token: ""` + a `token_guidance` reason when no hub
+    // origin was reachable to mint against (e.g. loopback create). The hub
+    // must forward both verbatim so the SPA can render the
+    // created-but-no-token state instead of confusing it with a re-POST.
+    const h = makeHarness();
+    try {
+      const db = openHubDb(hubDbPath(h.dir));
+      try {
+        rotateSigningKey(db);
+        upsertService(
+          {
+            name: "parachute-vault",
+            port: 1940,
+            paths: ["/vault/default"],
+            health: "/health",
+            version: "0.3.5",
+          },
+          h.manifestPath,
+        );
+        const runCommand = async (_cmd: readonly string[]): Promise<RunResult> => {
+          upsertService(
+            {
+              name: "parachute-vault",
+              port: 1940,
+              paths: ["/vault/default", "/vault/work"],
+              health: "/health",
+              version: "0.3.5",
+            },
+            h.manifestPath,
+          );
+          return {
+            exitCode: 0,
+            stdout: vaultCreateJson("work", "", "no hub origin reachable to mint against"),
+            stderr: "",
+          };
+        };
+        const res = await call({
+          db,
+          manifestPath: h.manifestPath,
+          body: { name: "work" },
+          runCommand,
+        });
+        // Still a fresh create — HTTP 201, NOT 200.
+        expect(res.status).toBe(201);
+        const body = (await res.json()) as { token?: string; token_guidance?: string };
+        expect(body.token).toBe("");
+        expect(body.token_guidance).toBe("no hub origin reachable to mint against");
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
   test("500 when `parachute-vault create --json` exits 0 but stdout is unparseable", async () => {
     const h = makeHarness();
     try {

package/src/__tests__/api-mint-token.test.ts

@@ -382,10 +382,14 @@ describe("POST /api/auth/mint-token (hub#212 Phase 1)", () => {
     }
   });
 
-  // The de-escalation exception is gated on host:admin specifically. A
-  // bearer that only holds `parachute:host:auth` (the narrow auth scope-set)
-  // can mint verb scopes but NOT vault-admin — that would be an escalation.
-  test("400 invalid_scope when auth-only bearer mints vault:<name>:admin", async () => {
+  // Single-consent change (2026-05-29) — INTENTIONAL canGrant widening. Once
+  // `vault:<name>:admin` became requestable (`isNonRequestableScope` dropped
+  // the per-vault-admin clause), canGrant rule 1 (`!isNonRequestableScope` +
+  // bearer holds `parachute:host:auth`) now ADMITS it. A `parachute:host:auth`
+  // bearer is an on-box operator credential, so minting a vault-pinned admin
+  // from it is a de-escalation, not an escalation. Pinned here so the widening
+  // is deliberate, not an accidental regression.
+  test("200 when auth-only bearer mints vault:<name>:admin (intentional canGrant widening)", async () => {
     const h = makeHarness();
     try {
       const { db, userId } = await bootstrap(h.dir);
@@ -398,10 +402,12 @@ describe("POST /api/auth/mint-token (hub#212 Phase 1)", () => {
           jsonRequest({ scope: "vault:work:admin" }, { authorization: `Bearer ${op.token}` }),
           { db, issuer: ISSUER },
         );
-        expect(resp.status).toBe(400);
-        const body = (await resp.json()) as { error: string; error_description: string };
-        expect(body.error).toBe("invalid_scope");
-        expect(body.error_description).toContain("vault:work:admin");
+        expect(resp.status).toBe(200);
+        const body = (await resp.json()) as { scope: string; token: string };
+        expect(body.scope).toBe("vault:work:admin");
+        const validated = await validateAccessToken(db, body.token, ISSUER);
+        expect(validated.payload.aud).toBe("vault.work");
+        expect(validated.payload.scope).toBe("vault:work:admin");
       } finally {
         db.close();
       }
@@ -765,7 +771,10 @@ describe("POST /api/auth/mint-token (hub#212 Phase 1)", () => {
       }
     });
 
-    test("host:auth-only bearer mints vault:work:admin → 400 (rule 1 doesn't cover admin)", async () => {
+    test("host:auth-only bearer mints vault:work:admin → 200 (single-consent: rule 1 now covers admin)", async () => {
+      // Single-consent change (2026-05-29): vault:<name>:admin is requestable
+      // now, so canGrant rule 1 admits it for a host:auth bearer. De-escalation
+      // from an on-box operator credential — intentional widening.
       const h = makeHarness();
       try {
         const { db, userId } = await bootstrap(h.dir);
@@ -775,9 +784,9 @@ describe("POST /api/auth/mint-token (hub#212 Phase 1)", () => {
             jsonRequest({ scope: "vault:work:admin" }, { authorization: `Bearer ${op.token}` }),
             { db, issuer: ISSUER },
           );
-          expect(resp.status).toBe(400);
-          const body = (await resp.json()) as { error: string };
-          expect(body.error).toBe("invalid_scope");
+          expect(resp.status).toBe(200);
+          const body = (await resp.json()) as { scope: string };
+          expect(body.scope).toBe("vault:work:admin");
         } finally {
           db.close();
         }
@@ -993,10 +1002,12 @@ describe("POST /api/auth/mint-token (hub#212 Phase 1)", () => {
       }
     });
 
-    // The existing non-requestable behaviour is unchanged: a host:auth-only
-    // bearer minting the well-formed `vault:work:admin` is still 400 (rule 1
-    // doesn't cover admin) — this path is reached AFTER the shape guard passes.
-    test("host:auth-only bearer minting vault:work:admin → 400 (non-requestable, unchanged)", async () => {
+    // Contrast with the malformed forms above: a WELL-FORMED `vault:work:admin`
+    // clears the shape guard, and (single-consent change, 2026-05-29) now mints
+    // 200 via canGrant rule 1 for a host:auth bearer. The malformed forms are
+    // rejected by the shape guard BEFORE canGrant; this one passes the guard
+    // and is admitted.
+    test("host:auth-only bearer minting well-formed vault:work:admin → 200 (clears shape guard, mints)", async () => {
       const h = makeHarness();
       try {
         const { db, userId } = await bootstrap(h.dir);
@@ -1006,11 +1017,9 @@ describe("POST /api/auth/mint-token (hub#212 Phase 1)", () => {
             jsonRequest({ scope: "vault:work:admin" }, { authorization: `Bearer ${op.token}` }),
             { db, issuer: ISSUER },
           );
-          expect(resp.status).toBe(400);
-          const body = (await resp.json()) as { error: string; error_description: string };
-          expect(body.error).toBe("invalid_scope");
-          // Not the malformed-shape message — it cleared the shape guard.
-          expect(body.error_description).toContain("not grantable");
+          expect(resp.status).toBe(200);
+          const body = (await resp.json()) as { scope: string };
+          expect(body.scope).toBe("vault:work:admin");
         } finally {
           db.close();
         }

package/src/__tests__/api-modules-ops.test.ts

@@ -2,6 +2,7 @@ import { afterEach, beforeEach, describe, expect, test } from "bun:test";
 import { existsSync, mkdtempSync, readFileSync, rmSync, writeFileSync } from "node:fs";
 import { tmpdir } from "node:os";
 import { join } from "node:path";
+import { MissingDependencyError, lookupDep } from "@openparachute/depcheck";
 import {
   API_MODULES_OPS_REQUIRED_SCOPE,
   _resetOperationsRegistryForTests,
@@ -629,6 +630,50 @@ describe("POST /api/modules/:short/install", () => {
     expect(op.error).toMatch(/bun add -g exited 1/);
   });
 
+  test("a MissingDependencyError during install attaches the structured error_detail wire", async () => {
+    const { supervisor } = makeIdleSupervisor();
+    const bearer = await mintBearer(h, [API_MODULES_OPS_REQUIRED_SCOPE]);
+    const deps = {
+      db: h.db,
+      issuer: ISSUER,
+      manifestPath: h.manifestPath,
+      configDir: h.dir,
+      supervisor,
+      // Simulate `bun` not being on PATH: the install runner's shell-out
+      // throws the typed missing-dependency error.
+      run: async () => {
+        throw new MissingDependencyError("bun", lookupDep("bun"), {
+          platform: "linux",
+          arch: "x64",
+        });
+      },
+      findGlobalInstall: () => null,
+      isLinked: TEST_DEFAULT_NOT_LINKED,
+    };
+    const res = await handleInstall(
+      postReq("/api/modules/vault/install", { authorization: `Bearer ${bearer}` }),
+      "vault",
+      deps,
+    );
+    const body = (await res.json()) as { operation_id: string };
+    await new Promise((r) => setTimeout(r, 10));
+    const opRes = await handleOperationGet(
+      getReq(`/api/modules/operations/${body.operation_id}`, {
+        authorization: `Bearer ${bearer}`,
+      }),
+      body.operation_id,
+      deps,
+    );
+    const op = (await opRes.json()) as {
+      status: string;
+      error?: string;
+      error_detail?: { error_type: string; binary: string };
+    };
+    expect(op.status).toBe("failed");
+    expect(op.error_detail?.error_type).toBe("missing_dependency");
+    expect(op.error_detail?.binary).toBe("bun");
+  });
+
   test("skips bun add -g when package is already bun-linked (smoke 2026-05-27 finding 1)", async () => {
     // Smoke finding 1: the wizard's parallel install path was unconditionally
     // invoking `bun add -g <pkg>` even when the package was already linked

package/src/__tests__/api-users.test.ts

@@ -462,7 +462,7 @@ describe("handleDeleteUser", () => {
     expect(list.users.map((u) => u.id)).toContain(userId);
   });
 
-  test("204 deletes a non-first user and revokes their tokens", async () => {
+  test("200 + revocation_lag_seconds deletes a non-first user and revokes their tokens", async () => {
     const { bearer } = await makeAdminBearer();
     // Create a second user (non-first) + mint a token on their behalf.
     const second = await createUser(harness.db, "alice", "alice-strong-passphrase", {
@@ -497,7 +497,12 @@ describe("handleDeleteUser", () => {
       second.id,
       deps(),
     );
-    expect(res.status).toBe(204);
+    // 200 + body (was a bare 204) so the SPA can warn about revocation lag —
+    // consistency with the reset-password path.
+    expect(res.status).toBe(200);
+    const body = (await res.json()) as { ok: boolean; revocation_lag_seconds: number };
+    expect(body.ok).toBe(true);
+    expect(body.revocation_lag_seconds).toBe(60);
 
     // User row is gone.
     const listRes = await handleListUsers(withBearer("/api/users", bearer), deps());