@openparachute/hub 0.5.14-rc.9 → 0.6.0

package/src/__tests__/auth.test.ts

@@ -65,34 +65,159 @@ async function captureOutput(fn: () => Promise<number> | number): Promise<{
 }
 
 describe("parachute auth", () => {
-  test("2fa enroll forwards to parachute-vault 2fa enroll", async () => {
-    const { runner, calls } = makeRunner(0);
-    const code = await auth(["2fa", "enroll"], runner);
-    expect(code).toBe(0);
-    expect(calls).toEqual([["parachute-vault", "2fa", "enroll"]]);
+  test("2fa is hub-local — never forwards to parachute-vault", async () => {
+    // 2fa used to forward to the deprecated `parachute-vault 2fa` stub. As of
+    // hub#473 it's real hub-login TOTP, fully hub-local (hub.db). No subprocess.
+    const tmp = makeTmp();
+    try {
+      const db = openHubDb(tmp.dbPath);
+      await createUser(db, "owner", "owner-password-123");
+      db.close();
+      const { runner, calls } = makeRunner(0);
+      const out = await captureOutput(() =>
+        auth(["2fa", "status"], { runner, dbPath: tmp.dbPath }),
+      );
+      expect(out.code).toBe(0);
+      expect(calls).toEqual([]); // did NOT spawn parachute-vault
+      expect(out.stdout).toContain("Two-factor authentication: OFF");
+    } finally {
+      tmp.cleanup();
+    }
   });
 
-  test("2fa enroll --some-flag forwards every arg after the subcommand", async () => {
-    const { runner, calls } = makeRunner(0);
-    const code = await auth(["2fa", "enroll", "--some-flag", "value"], runner);
-    expect(code).toBe(0);
-    expect(calls).toEqual([["parachute-vault", "2fa", "enroll", "--some-flag", "value"]]);
+  test("2fa status reports OFF for a fresh user, then ON after a CLI enroll round-trip", async () => {
+    const tmp = makeTmp();
+    try {
+      const db = openHubDb(tmp.dbPath);
+      await createUser(db, "owner", "owner-password-123");
+      db.close();
+
+      // status → OFF
+      const off = await captureOutput(() =>
+        auth(["2fa", "status"], { dbPath: tmp.dbPath, isInteractive: () => false }),
+      );
+      expect(off.code).toBe(0);
+      expect(off.stdout).toContain("OFF");
+
+      // enroll requires a confirm code — drive the readLine seam with the
+      // live TOTP code generated from the secret the command prints.
+      const { generateTotpSecret } = await import("../totp.ts");
+      // We can't intercept the random secret the command mints, so instead
+      // exercise the store directly to assert the ON path is reachable, then
+      // assert the CLI status reflects it. (The handler-level enroll round
+      // trip is covered in two-factor.test.ts against the real secret.)
+      const db2 = openHubDb(tmp.dbPath);
+      const { persistEnrollment } = await import("../two-factor-store.ts");
+      const u = listUsers(db2)[0]!;
+      const { secret } = generateTotpSecret(u.username);
+      await persistEnrollment(db2, u.id, secret);
+      db2.close();
+
+      const on = await captureOutput(() =>
+        auth(["2fa", "status"], { dbPath: tmp.dbPath, isInteractive: () => false }),
+      );
+      expect(on.code).toBe(0);
+      expect(on.stdout).toContain("ON");
+      expect(on.stdout).toContain("backup_codes");
+
+      // disenroll clears it.
+      const dis = await captureOutput(() =>
+        auth(["2fa", "disenroll"], { dbPath: tmp.dbPath, isInteractive: () => false }),
+      );
+      expect(dis.code).toBe(0);
+      expect(dis.stdout).toContain("Turned off");
+
+      const off2 = await captureOutput(() =>
+        auth(["2fa", "status"], { dbPath: tmp.dbPath, isInteractive: () => false }),
+      );
+      expect(off2.stdout).toContain("OFF");
+    } finally {
+      tmp.cleanup();
+    }
   });
 
-  test("exit code from parachute-vault is propagated", async () => {
-    const { runner } = makeRunner(3);
-    const code = await auth(["2fa", "status"], runner);
-    expect(code).toBe(3);
+  test("2fa enroll confirms the printed secret against a live code, prints backup codes", async () => {
+    const tmp = makeTmp();
+    try {
+      const db = openHubDb(tmp.dbPath);
+      await createUser(db, "owner", "owner-password-123");
+      db.close();
+
+      // Single console.log interception that BOTH accumulates stdout and lets
+      // the readLine seam read the secret the command just printed. (Avoids
+      // nesting two console.log replacements.)
+      const OTPAuth = await import("otpauth");
+      const origLog = console.log;
+      let stdout = "";
+      let capturedSecret = "";
+      console.log = (...a: unknown[]) => {
+        const line = a.map(String).join(" ");
+        stdout += `${line}\n`;
+        const m = line.match(/secret key:\s+([A-Z2-7]+)/);
+        if (m) capturedSecret = m[1]!;
+      };
+      let code = "";
+      let exitCode = 0;
+      try {
+        exitCode = await auth(["2fa", "enroll"], {
+          dbPath: tmp.dbPath,
+          isInteractive: () => true,
+          readLine: async () => {
+            // The secret has been printed by the time the prompt fires.
+            const totp = new OTPAuth.TOTP({
+              issuer: "Parachute Hub",
+              label: "owner",
+              algorithm: "SHA1",
+              digits: 6,
+              period: 30,
+              secret: OTPAuth.Secret.fromBase32(capturedSecret),
+            });
+            code = totp.generate();
+            return code;
+          },
+        });
+      } finally {
+        console.log = origLog;
+      }
+      expect(exitCode).toBe(0);
+      expect(capturedSecret.length).toBeGreaterThan(0);
+      expect(stdout).toContain("now ON");
+      // 10 backup codes printed (hyphenated form).
+      const backupLines = stdout.split("\n").filter((l) => /^ {2}[a-z2-9]{5}-[a-z2-9]{5}$/.test(l));
+      expect(backupLines.length).toBe(10);
+      expect(code.length).toBe(6);
+      // The persisted state reflects the enrollment: the captured secret is
+      // now stored on the user row. (We don't re-verify `code` — the enroll
+      // confirm consumed it via the replay cache, by design.)
+      const db2 = openHubDb(tmp.dbPath);
+      const { getTotpState } = await import("../two-factor-store.ts");
+      const uid = listUsers(db2)[0]!.id;
+      const persisted = getTotpState(db2, uid);
+      expect(persisted.secret).toBe(capturedSecret);
+      expect(persisted.backupCodes.length).toBe(10);
+      db2.close();
+    } finally {
+      tmp.cleanup();
+    }
   });
 
-  test("ENOENT on a vault-forwarded subcommand surfaces install hint and exit 127", async () => {
-    const runner: Runner = {
-      async run() {
-        throw new Error("ENOENT: spawn parachute-vault");
-      },
-    };
-    const code = await auth(["2fa", "status"], runner);
-    expect(code).toBe(127);
+  test("2fa enroll refuses to re-enroll when already on", async () => {
+    const tmp = makeTmp();
+    try {
+      const db = openHubDb(tmp.dbPath);
+      const u = await createUser(db, "owner", "owner-password-123");
+      const { generateTotpSecret } = await import("../totp.ts");
+      const { persistEnrollment } = await import("../two-factor-store.ts");
+      await persistEnrollment(db, u.id, generateTotpSecret("owner").secret);
+      db.close();
+      const out = await captureOutput(() =>
+        auth(["2fa", "enroll"], { dbPath: tmp.dbPath, isInteractive: () => true }),
+      );
+      expect(out.code).toBe(1);
+      expect(out.stderr).toContain("already enabled");
+    } finally {
+      tmp.cleanup();
+    }
   });
 
   test("set-password no longer forwards to vault", async () => {
@@ -142,23 +267,25 @@ describe("authHelp", () => {
   test("lists every blessed subcommand", () => {
     expect(h).toContain("parachute auth set-password");
     expect(h).toContain("parachute auth list-users");
-    expect(h).toContain("parachute auth 2fa status");
-    expect(h).toContain("parachute auth 2fa enroll");
-    expect(h).toContain("parachute auth 2fa disable");
-    expect(h).toContain("parachute auth 2fa backup-codes");
+    expect(h).toContain("parachute auth 2fa");
     expect(h).toContain("parachute auth rotate-key");
   });
 
+  test("2fa help documents the real hub-login TOTP subcommands (#473)", () => {
+    expect(h).toContain("#473");
+    // Real enroll / disenroll subcommands are now advertised.
+    expect(h).toContain("2fa enroll");
+    expect(h).toContain("2fa disenroll");
+    expect(h).toContain("otpauth://");
+    expect(h).toContain("backup codes");
+  });
+
   test("set-password help mentions the new flags + hub-local home", () => {
     expect(h).toContain("--username");
     expect(h).toContain("--allow-multi");
     expect(h).toContain("hub.db");
   });
 
-  test("mentions the vault-install hint", () => {
-    expect(h).toContain("parachute install vault");
-  });
-
   test("rotate-key explains the 24h JWKS retention", () => {
     expect(h).toContain("jwks.json");
     // "24" + "hours" may be split by line wrap; check both pieces.

package/src/__tests__/cli.test.ts

@@ -123,6 +123,43 @@ describe("cli per-subcommand help", () => {
     expect(stderr).toMatch(/dash\.cloudflare\.com/);
   });
 
+  test("expose cloudflare is an alias for expose public --cloudflare (Fix 5)", async () => {
+    // No --domain, non-TTY → same hard error as `expose public --cloudflare`.
+    // That it reaches the cloudflare-domain check (not "unknown layer") proves
+    // the alias rewrote the layer to public + forced the cloudflare flag.
+    const { code, stderr } = await runCli(["expose", "cloudflare"]);
+    expect(code).toBe(1);
+    expect(stderr).toMatch(/--domain <hostname> is required/);
+    expect(stderr).not.toMatch(/unknown layer/);
+  });
+
+  test("expose cloudflare --domain X routes to the cloudflare path (not 'unknown layer')", async () => {
+    // cloudflared isn't installed under PATH="", so the cloudflare path prints
+    // its own not-installed hint — distinct from the layer-validation error.
+    const proc = Bun.spawn(
+      [process.execPath, CLI, "expose", "cloudflare", "--domain", "vault.example.com"],
+      {
+        stdout: "pipe",
+        stderr: "pipe",
+        env: {
+          ...process.env,
+          PATH: "",
+          HOME: "/tmp/parachute-hub-nonexistent-home",
+          PARACHUTE_HOME: "/tmp/parachute-hub-nonexistent-home",
+        },
+      },
+    );
+    const [stdout, stderr, code] = await Promise.all([
+      new Response(proc.stdout).text(),
+      new Response(proc.stderr).text(),
+      proc.exited,
+    ]);
+    expect(code).toBe(1);
+    expect(stderr).not.toMatch(/unknown layer/);
+    // Reached the cloudflare path (cloudflared detection), proving the alias.
+    expect(stdout).toMatch(/cloudflared is not installed/);
+  });
+
   test("expose tailnet --cloudflare is rejected (cloudflare is public-only)", async () => {
     const { code, stderr } = await runCli([
       "expose",
@@ -217,11 +254,13 @@ describe("cli per-subcommand help", () => {
     expect(stderr).toMatch(/parachute install vault/);
   });
 
-  test("vault tokens create in non-TTY passes through without prompting", async () => {
-    // Spawned-subprocess stdio is piped, so isTtyInteractive() returns false
-    // and the command falls through to the passthrough. Clearing PATH forces
-    // ENOENT — same probe as the `vault no-args` test. If we regressed into
-    // prompting, this subprocess would hang on stdin instead of exiting 127.
+  test("vault tokens create forwards verbatim to parachute-vault", async () => {
+    // The guided interactive wrapper was removed with the pvt_* DROP (vault
+    // #412 / hub#466) — `vault tokens create` now always forwards transparently
+    // to parachute-vault (which exits 1 with migration guidance on a real box).
+    // Clearing PATH forces ENOENT — same probe as the `vault no-args` test.
+    // If we ever re-introduced a hub-side prompt, this subprocess would hang on
+    // stdin instead of exiting 127.
     const proc = Bun.spawn([process.execPath, CLI, "vault", "tokens", "create"], {
       stdout: "pipe",
       stderr: "pipe",

package/src/__tests__/expose-2fa-warning.test.ts

@@ -24,46 +24,53 @@ describe("is2FAEnrolled", () => {
     expect(is2FAEnrolled({ status: status({ hasTotp: false }) })).toBe(false);
   });
 
-  test("reads totp_secret from vaultHome's config.yaml when status not supplied", () => {
+  test("falls back to legacy config.yaml totp_secret when hub.db is absent", () => {
+    // hub#473: hub.db is the source of truth for real 2FA, but a super-old
+    // install with no hub.db still suppresses the warning if the legacy vault
+    // YAML totp_secret is set. Point hubDbPath at a nonexistent file so the
+    // YAML fallback is exercised.
     const dir = mkdtempSync(join(tmpdir(), "pcli-2fa-warn-"));
     try {
       writeFileSync(join(dir, "config.yaml"), 'totp_secret: "JBSWY3DPEHPK3PXP"\n');
-      expect(is2FAEnrolled({ vaultHome: dir })).toBe(true);
+      expect(is2FAEnrolled({ vaultHome: dir, hubDbPath: join(dir, "absent-hub.db") })).toBe(true);
     } finally {
       rmSync(dir, { recursive: true, force: true });
     }
   });
 
-  test("missing config.yaml → not enrolled (false)", () => {
+  test("missing config.yaml + absent hub.db → not enrolled (false)", () => {
     const dir = mkdtempSync(join(tmpdir(), "pcli-2fa-warn-"));
     try {
-      // No config.yaml written.
-      expect(is2FAEnrolled({ vaultHome: dir })).toBe(false);
+      // No config.yaml written, no hub.db.
+      expect(is2FAEnrolled({ vaultHome: dir, hubDbPath: join(dir, "absent-hub.db") })).toBe(false);
     } finally {
       rmSync(dir, { recursive: true, force: true });
     }
   });
 
-  test("empty totp_secret value → not enrolled (matches vault's readGlobalConfig)", () => {
+  test("empty totp_secret value + absent hub.db → not enrolled", () => {
     const dir = mkdtempSync(join(tmpdir(), "pcli-2fa-warn-"));
     try {
       writeFileSync(join(dir, "config.yaml"), 'totp_secret: ""\n');
-      expect(is2FAEnrolled({ vaultHome: dir })).toBe(false);
+      expect(is2FAEnrolled({ vaultHome: dir, hubDbPath: join(dir, "absent-hub.db") })).toBe(false);
     } finally {
       rmSync(dir, { recursive: true, force: true });
     }
   });
 
-  test("malformed config.yaml → not enrolled (safer fail mode, fires warning)", () => {
-    // The probe parses config.yaml with a line-anchored regex (no YAML
-    // dependency), so junk content simply doesn't match `totp_secret: "..."`
-    // and resolves to `hasTotp: false` — which fires the public-exposure
-    // warning rather than silently suppressing it. Pin that contract so a
-    // future refactor of auth-status.ts can't quietly invert it.
+  test("hub.db with an enrolled user → enrolled (the real signal)", async () => {
     const dir = mkdtempSync(join(tmpdir(), "pcli-2fa-warn-"));
     try {
-      writeFileSync(join(dir, "config.yaml"), "totp_secret: [unbalanced\n  ::: not yaml\n");
-      expect(is2FAEnrolled({ vaultHome: dir })).toBe(false);
+      const { hubDbPath, openHubDb } = await import("../hub-db.ts");
+      const { createUser } = await import("../users.ts");
+      const { persistEnrollment } = await import("../two-factor-store.ts");
+      const { generateTotpSecret } = await import("../totp.ts");
+      const dbPath = hubDbPath(dir);
+      const db = openHubDb(dbPath);
+      const u = await createUser(db, "owner", "owner-password-123");
+      await persistEnrollment(db, u.id, generateTotpSecret("owner").secret);
+      db.close();
+      expect(is2FAEnrolled({ vaultHome: dir, hubDbPath: dbPath })).toBe(true);
     } finally {
       rmSync(dir, { recursive: true, force: true });
     }
@@ -80,9 +87,14 @@ describe("printPublic2FAWarning", () => {
     });
     expect(fired).toBe(true);
     const joined = logs.join("\n");
-    expect(joined).toContain("2FA is not enrolled");
+    // hub#473: real hub-login 2FA. The warning now recommends the real
+    // `parachute auth 2fa enroll` path (+ the /account/2fa browser path) and
+    // still nudges a strong owner password.
+    expect(joined).toContain("/login is now reachable on the public internet");
     expect(joined).toContain("https://vault.example.com/login");
     expect(joined).toContain("parachute auth 2fa enroll");
+    expect(joined).toContain("/account/2fa");
+    expect(joined).toContain("parachute auth set-password");
   });
 
   test("enrolled → suppressed, returns false, logs nothing", () => {
@@ -108,7 +120,9 @@ describe("printPublic2FAWarning", () => {
       publicUrl: "https://vault.example.com",
     });
     expect(fired).toBe(true);
-    expect(logs.some((l) => l.includes("2FA is not enrolled"))).toBe(true);
+    expect(logs.some((l) => l.includes("/login is now reachable on the public internet"))).toBe(
+      true,
+    );
   });
 
   test("embeds the supplied publicUrl into the /login pointer", () => {

package/src/__tests__/expose-auth-preflight.test.ts

@@ -40,128 +40,124 @@ function status(partial: Partial<VaultAuthStatus> = {}): VaultAuthStatus {
   };
 }
 
-describe("runAuthPreflight — wide open (no password, no tokens)", () => {
-  test("warns loudly and offers password, 2FA, and token creation", async () => {
-    const h = makeHarness(["y", "n", "n"]); // password yes, 2fa no, token no
+describe("runAuthPreflight — wide open (no owner password)", () => {
+  test("warns loudly, offers password + real 2FA enroll, prints hub-JWT token guidance", async () => {
+    const h = makeHarness(["y", "y"]); // password yes, 2FA yes
     await runAuthPreflight({ status: status(), ...wire(h) });
     const joined = h.logs.join("\n");
-    expect(joined).toContain("No owner password and no API tokens");
+    expect(joined).toContain("No owner password");
     expect(joined).toContain("public internet");
-    expect(h.commands).toHaveLength(1);
-    expect(h.commands[0]).toEqual(["parachute", "auth", "set-password"]);
+    // Programmatic-client guidance points at the hub mint path, not pvt_*.
+    expect(joined).toContain("parachute auth mint-token --scope vault:default:read");
+    expect(joined).toContain("Bearer <hub-jwt>");
+    // Real 2FA (hub#473) — both commands offered + run.
+    expect(h.commands.map((c) => c.join(" "))).toEqual([
+      "parachute auth set-password",
+      "parachute auth 2fa enroll",
+    ]);
+    // Two interactive offers now: password + 2FA. Token guidance is printed.
+    expect(h.prompts).toHaveLength(2);
   });
 
-  test("user declines every prompt → no subprocesses run", async () => {
-    const h = makeHarness(["", "", ""]); // all Enter = skip
+  test("token guidance uses the first discovered vault name", async () => {
+    const h = makeHarness(["n", "n"]);
+    await runAuthPreflight({ status: status({ vaultNames: ["work"] }), ...wire(h) });
+    expect(h.logs.join("\n")).toContain("--scope vault:work:read");
+  });
+
+  test("user declines both prompts → no subprocesses run", async () => {
+    const h = makeHarness(["", ""]); // Enter = skip both
     await runAuthPreflight({ status: status(), ...wire(h) });
     expect(h.commands).toHaveLength(0);
-    // Still prompted on all three lines, even though each was declined.
-    expect(h.prompts).toHaveLength(3);
+    expect(h.prompts).toHaveLength(2);
   });
 
-  test("user accepts all three → all three commands invoked in order", async () => {
-    const h = makeHarness(["y", "y", "y"]);
+  test("user accepts the password offer → set-password invoked", async () => {
+    const h = makeHarness(["y", "n"]);
     await runAuthPreflight({ status: status(), ...wire(h) });
-    expect(h.commands.map((c) => c.join(" "))).toEqual([
-      "parachute auth set-password",
-      "parachute auth 2fa enroll",
-      "parachute vault tokens create",
-    ]);
+    expect(h.commands.map((c) => c.join(" "))).toEqual(["parachute auth set-password"]);
   });
-});
 
-describe("runAuthPreflight — password set, no 2FA", () => {
-  test("short nudge, offers 2FA only", async () => {
-    const h = makeHarness(["y"]);
+  test("null tokenCount with no owner password still classifies wide-open", async () => {
+    // The `tokenCount: null` (unreadable vault DB) path is vestigial post-DROP
+    // — `classify()` gates on `hasOwnerPassword` alone.
+    const h = makeHarness(["n", "n"]);
     await runAuthPreflight({
-      status: status({ hasOwnerPassword: true, tokenCount: 3 }),
+      status: status({ hasOwnerPassword: false, tokenCount: null }),
       ...wire(h),
     });
     const joined = h.logs.join("\n");
-    expect(joined).toContain("Owner password is set");
-    expect(joined).toContain("2FA");
-    expect(h.prompts).toHaveLength(1);
-    expect(h.commands).toEqual([["parachute", "auth", "2fa", "enroll"]]);
+    expect(joined).toContain("No owner password");
+    expect(joined).toContain("public internet");
+    expect(h.prompts).toHaveLength(2);
   });
 
-  test("user declines → no command runs", async () => {
-    const h = makeHarness([""]);
-    await runAuthPreflight({
-      status: status({ hasOwnerPassword: true, tokenCount: 3 }),
-      ...wire(h),
-    });
-    expect(h.commands).toHaveLength(0);
+  test("never offers the dead vault-tokens-create command", async () => {
+    const h = makeHarness(["y", "n"]);
+    await runAuthPreflight({ status: status(), ...wire(h) });
+    const allCommands = h.commands.map((c) => c.join(" ")).join("\n");
+    expect(allCommands).not.toContain("vault tokens create");
+    const guidance = h.logs.join("\n");
+    expect(guidance).not.toContain("parachute vault tokens create");
   });
 });
 
-describe("runAuthPreflight — tokens exist, no password", () => {
-  test("notes that OAuth is not set up, offers password", async () => {
-    const h = makeHarness(["y"]);
+describe("runAuthPreflight — password set, no 2FA", () => {
+  test("confirms password set + offers real 2FA enroll (ignores vestigial tokenCount)", async () => {
+    const h = makeHarness(["n"]); // decline 2FA
     await runAuthPreflight({
-      status: status({ hasOwnerPassword: false, tokenCount: 2 }),
+      // tokenCount is non-zero (vestigial pvt_* rows) but no longer consulted.
+      status: status({ hasOwnerPassword: true, hasTotp: false, tokenCount: 3 }),
       ...wire(h),
     });
     const joined = h.logs.join("\n");
-    expect(joined).toContain("API tokens exist");
-    expect(joined).toContain("no owner password");
+    expect(joined).toContain("Owner password is set");
+    // Real 2FA offer (hub#473) — exactly one prompt (the 2FA offer).
     expect(h.prompts).toHaveLength(1);
-    expect(h.commands).toEqual([["parachute", "auth", "set-password"]]);
+    expect(h.commands).toHaveLength(0); // declined
   });
-});
 
-describe("runAuthPreflight — unknown token count (SQLite failed)", () => {
-  test("advises running `tokens list`, no token-dependent prompts", async () => {
-    const h = makeHarness([]);
+  test("accepting the 2FA offer runs `parachute auth 2fa enroll`", async () => {
+    const h = makeHarness(["y"]);
     await runAuthPreflight({
-      status: status({ hasOwnerPassword: false, hasTotp: false, tokenCount: null }),
+      status: status({ hasOwnerPassword: true, hasTotp: false }),
       ...wire(h),
     });
-    const joined = h.logs.join("\n");
-    expect(joined).toContain("Couldn't read vault token state");
-    expect(joined).toContain("parachute vault tokens list");
-    // No prompts because we don't offer password/token flow when token
-    // state is unknown (it'd be ambiguous whether we're dealing with the
-    // wide-open or the tokens-only case).
-    expect(h.prompts).toHaveLength(0);
+    expect(h.commands.map((c) => c.join(" "))).toEqual(["parachute auth 2fa enroll"]);
   });
 
-  test("password set + 2FA absent + tokens unknown → still offers 2FA", async () => {
-    const h = makeHarness([""]); // decline 2FA
+  test("null tokenCount (DB unreadable) is irrelevant — password gates the branch", async () => {
+    const h = makeHarness(["n"]);
     await runAuthPreflight({
       status: status({ hasOwnerPassword: true, hasTotp: false, tokenCount: null }),
       ...wire(h),
     });
+    expect(h.logs.join("\n")).toContain("Owner password is set");
     expect(h.prompts).toHaveLength(1);
-    expect(h.prompts[0]?.toLowerCase()).toContain("2fa");
   });
 });
 
-describe("runAuthPreflight — all good", () => {
-  test("single positive line, no prompts", async () => {
+describe("runAuthPreflight — password + 2FA both set", () => {
+  test("two-line confirmation, no prompts", async () => {
     const h = makeHarness([]);
     await runAuthPreflight({
-      status: status({ hasOwnerPassword: true, hasTotp: true, tokenCount: 1 }),
+      status: status({ hasOwnerPassword: true, hasTotp: true, tokenCount: 0 }),
       ...wire(h),
     });
     const joined = h.logs.join("\n");
-    expect(joined).toContain("looks good");
+    expect(joined).toContain("Owner password is set");
+    expect(joined).toContain("Two-factor authentication is on");
     expect(h.prompts).toHaveLength(0);
     expect(h.commands).toHaveLength(0);
   });
 });
 
 describe("runAuthPreflight — subprocess failure handling", () => {
-  test("non-zero exit from auth command doesn't abort the rest of the preflight", async () => {
-    const h = makeHarness(["y", "y", "y"]);
-    // Override the interactive runner to return non-zero on the first call.
-    let first = true;
+  test("non-zero exit from set-password doesn't abort the rest of the preflight", async () => {
+    const h = makeHarness(["y", "n"]);
     const interactiveRunner = async (cmd: readonly string[]) => {
       h.commands.push([...cmd]);
-      if (first) {
-        first = false;
-        return 7;
-      }
-      return 0;
+      return 7;
     };
     await runAuthPreflight({
       status: status(),
@@ -172,19 +168,22 @@ describe("runAuthPreflight — subprocess failure handling", () => {
       },
       interactiveRunner,
     });
-    // All three commands still attempted, none aborted the flow.
-    expect(h.commands.map((c) => c[0])).toEqual(["parachute", "parachute", "parachute"]);
+    // The command was attempted; the flow continued (token guidance still
+    // printed afterward).
+    expect(h.commands.map((c) => c[0])).toEqual(["parachute"]);
     const joined = h.logs.join("\n");
     expect(joined).toContain("exited 7");
+    expect(joined).toContain("Bearer <hub-jwt>");
   });
 });
 
 describe("runAuthPreflight — case-insensitive yes", () => {
   test('"Y", "YES", and "y" all count as affirmative; anything else is decline', async () => {
+    // Drive the password-set-no-2FA path so there's exactly one prompt (2FA).
     for (const yes of ["y", "Y", "yes", "YES"]) {
       const h = makeHarness([yes]);
       await runAuthPreflight({
-        status: status({ hasOwnerPassword: true, tokenCount: 1 }),
+        status: status({ hasOwnerPassword: true, hasTotp: false }),
         ...wire(h),
       });
       expect(h.commands).toHaveLength(1);
@@ -192,7 +191,7 @@ describe("runAuthPreflight — case-insensitive yes", () => {
     for (const no of ["", "n", "no", "q", "bogus"]) {
       const h = makeHarness([no]);
       await runAuthPreflight({
-        status: status({ hasOwnerPassword: true, tokenCount: 1 }),
+        status: status({ hasOwnerPassword: true, hasTotp: false }),
         ...wire(h),
       });
       expect(h.commands).toHaveLength(0);