@openparachute/hub 0.5.14-rc.9 → 0.6.0

package/src/__tests__/oauth-ui.test.ts

@@ -20,6 +20,7 @@ const PARAMS: AuthorizeFormParams = {
   codeChallenge: "ch",
   codeChallengeMethod: "S256",
   state: "xyz",
+  resource: null,
 };
 
 const CSRF = "csrf-token-fixture";
@@ -50,9 +51,19 @@ describe("renderHiddenInputs", () => {
   });
 
   test("escapes hostile values into hidden inputs", () => {
-    const html = renderHiddenInputs({ ...PARAMS, state: `"><script>alert(1)</script>` });
+    const html = renderHiddenInputs({
+      ...PARAMS,
+      state: `"><script>alert(1)</script>`,
+      // RFC 8707 resource is round-tripped through a hidden input too, so a
+      // hostile value must be escaped the same way.
+      resource: `"><script>alert(2)</script>`,
+    });
     expect(html).not.toContain("<script>alert(1)</script>");
+    expect(html).not.toContain("<script>alert(2)</script>");
     expect(html).toContain("&lt;script&gt;");
+    // The resource value is emitted as a hidden input (escaped).
+    expect(html).toContain('name="resource"');
+    expect(html).toContain("alert(2)");
   });
 });
 

package/src/__tests__/operator-token-issuer-self-heal.test.ts

@@ -0,0 +1,412 @@
+/**
+ * hub#481 — `selfHealOperatorTokenIssuer` re-mints a genuine-but-stale
+ * operator token under the hub's current issuer.
+ *
+ * Background: a box that ran init/setup at loopback and was LATER exposed
+ * publicly carries an `operator.token` whose `iss` (e.g. `http://127.0.0.1:1939`)
+ * no longer matches the hub's current issuer. The hub rejects it on every CLI
+ * auth flow. The self-heal re-issues the hub's OWN credential under the new
+ * issuer, preserving scope-set + sub, gated on the token's signature verifying
+ * against this hub's current keys (no privilege-escalation surface).
+ *
+ * Mirrors the existing `operator-token.test.ts` harness shape.
+ */
+import { describe, expect, test } from "bun:test";
+import { mkdtempSync, rmSync } from "node:fs";
+import { readFile } from "node:fs/promises";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { hubDbPath, openHubDb } from "../hub-db.ts";
+import { signAccessToken, validateAccessToken } from "../jwt-sign.ts";
+import {
+  OPERATOR_TOKEN_AUDIENCE,
+  OPERATOR_TOKEN_CLIENT_ID,
+  OPERATOR_TOKEN_FILENAME,
+  OPERATOR_TOKEN_SCOPE_SET_CLAIM,
+  issueOperatorToken,
+  operatorTokenPath,
+  readOperatorTokenFile,
+  selfHealOperatorTokenIssuer,
+  writeOperatorTokenFile,
+} from "../operator-token.ts";
+import { rotateSigningKey } from "../signing-keys.ts";
+
+interface Harness {
+  dir: string;
+  cleanup: () => void;
+}
+
+function makeHarness(): Harness {
+  const dir = mkdtempSync(join(tmpdir(), "phub-op-heal-"));
+  return { dir, cleanup: () => rmSync(dir, { recursive: true, force: true }) };
+}
+
+const LOOPBACK_ISSUER = "http://127.0.0.1:1939";
+const PUBLIC_ISSUER = "https://gitcoin-parachute.unforced.dev";
+
+describe("selfHealOperatorTokenIssuer", () => {
+  test("stale-iss genuine token + non-loopback new issuer → rotated, scope-set preserved, valid under new issuer", async () => {
+    const h = makeHarness();
+    try {
+      const db = openHubDb(hubDbPath(h.dir));
+      try {
+        rotateSigningKey(db);
+        // Mint at loopback issuer with a non-default scope-set ("start").
+        await issueOperatorToken(db, "user-abc", {
+          dir: h.dir,
+          issuer: LOOPBACK_ISSUER,
+          scopeSet: "start",
+        });
+
+        const status = await selfHealOperatorTokenIssuer(db, {
+          issuer: PUBLIC_ISSUER,
+          configDir: h.dir,
+        });
+        expect(status.kind).toBe("rotated");
+        if (status.kind === "rotated") {
+          expect(status.scopeSet).toBe("start");
+          expect(status.path).toBe(operatorTokenPath(h.dir));
+        }
+
+        // The on-disk token now has iss=PUBLIC_ISSUER, scope-set preserved,
+        // and validates under the new issuer.
+        const onDisk = await readOperatorTokenFile(h.dir);
+        expect(onDisk).not.toBeNull();
+        const validated = await validateAccessToken(db, onDisk as string, PUBLIC_ISSUER);
+        expect(validated.payload.iss).toBe(PUBLIC_ISSUER);
+        expect(validated.payload.sub).toBe("user-abc");
+        expect(validated.payload[OPERATOR_TOKEN_SCOPE_SET_CLAIM]).toBe("start");
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("iss already current → fresh, on-disk file byte-identical", async () => {
+    const h = makeHarness();
+    try {
+      const db = openHubDb(hubDbPath(h.dir));
+      try {
+        rotateSigningKey(db);
+        await issueOperatorToken(db, "user-abc", {
+          dir: h.dir,
+          issuer: PUBLIC_ISSUER,
+          scopeSet: "admin",
+        });
+        const before = await readFile(operatorTokenPath(h.dir));
+
+        const status = await selfHealOperatorTokenIssuer(db, {
+          issuer: PUBLIC_ISSUER,
+          configDir: h.dir,
+        });
+        expect(status.kind).toBe("fresh");
+
+        const after = await readFile(operatorTokenPath(h.dir));
+        expect(after.equals(before)).toBe(true);
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("absent token file → absent, no throw", async () => {
+    const h = makeHarness();
+    try {
+      const db = openHubDb(hubDbPath(h.dir));
+      try {
+        rotateSigningKey(db);
+        const status = await selfHealOperatorTokenIssuer(db, {
+          issuer: PUBLIC_ISSUER,
+          configDir: h.dir,
+        });
+        expect(status.kind).toBe("absent");
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("bad signature (corrupt token) → skipped:unverifiable, disk untouched", async () => {
+    const h = makeHarness();
+    try {
+      const db = openHubDb(hubDbPath(h.dir));
+      try {
+        rotateSigningKey(db);
+        // Mint a real token at loopback, then corrupt its signature segment so
+        // it no longer verifies against the hub's keys.
+        const issued = await issueOperatorToken(db, "user-abc", {
+          dir: h.dir,
+          issuer: LOOPBACK_ISSUER,
+          scopeSet: "start",
+        });
+        const parts = issued.token.split(".");
+        const hdr = parts[0] ?? "";
+        const body = parts[1] ?? "";
+        const sig = parts[2] ?? "";
+        // Flip a character in the MIDDLE of the signature, keeping it
+        // base64url-shaped. Corrupting the last char is unreliable: the final
+        // base64url char of an RS256 signature encodes only padding bits, so a
+        // flip there can decode to identical bytes and leave the signature
+        // valid (~25% of mints). A mid-signature char sits in a full 4-char
+        // group with no padding, so any single-char change deterministically
+        // alters the decoded bytes and invalidates the signature.
+        const mid = Math.floor(sig.length / 2);
+        const flipped = sig[mid] === "A" ? "B" : "A";
+        const tampered = `${hdr}.${body}.${sig.slice(0, mid)}${flipped}${sig.slice(mid + 1)}`;
+        await writeOperatorTokenFile(tampered, h.dir);
+
+        const status = await selfHealOperatorTokenIssuer(db, {
+          issuer: PUBLIC_ISSUER,
+          configDir: h.dir,
+        });
+        expect(status.kind).toBe("skipped");
+        if (status.kind === "skipped") expect(status.reason).toBe("unverifiable");
+
+        const onDisk = await readOperatorTokenFile(h.dir);
+        expect(onDisk).toBe(tampered);
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("expired token (exp in the past) → skipped:unverifiable (jose throws), disk untouched", async () => {
+    const h = makeHarness();
+    try {
+      const db = openHubDb(hubDbPath(h.dir));
+      try {
+        rotateSigningKey(db);
+        // Mint a token that expired in the past — jose's exp check throws on
+        // validate, so the self-heal must classify it unverifiable.
+        const issued = await issueOperatorToken(db, "user-abc", {
+          dir: h.dir,
+          issuer: LOOPBACK_ISSUER,
+          scopeSet: "start",
+          ttlSeconds: 60,
+          now: () => new Date("2026-01-01T00:00:00Z"),
+        });
+
+        const status = await selfHealOperatorTokenIssuer(db, {
+          issuer: PUBLIC_ISSUER,
+          configDir: h.dir,
+        });
+        expect(status.kind).toBe("skipped");
+        if (status.kind === "skipped") expect(status.reason).toBe("unverifiable");
+
+        const onDisk = await readOperatorTokenFile(h.dir);
+        expect(onDisk).toBe(issued.token);
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("aud != operator (aud=scribe, valid sig, stale iss) → skipped:aud-mismatch, untouched", async () => {
+    const h = makeHarness();
+    try {
+      const db = openHubDb(hubDbPath(h.dir));
+      try {
+        rotateSigningKey(db);
+        // A hub-signed token with the WRONG audience must not be re-minted as
+        // an operator token (privilege guard).
+        const signed = await signAccessToken(db, {
+          sub: "user-abc",
+          scopes: ["scribe:transcribe"],
+          audience: "scribe",
+          clientId: OPERATOR_TOKEN_CLIENT_ID,
+          issuer: LOOPBACK_ISSUER,
+          extraClaims: { [OPERATOR_TOKEN_SCOPE_SET_CLAIM]: "admin" },
+        });
+        await writeOperatorTokenFile(signed.token, h.dir);
+
+        const status = await selfHealOperatorTokenIssuer(db, {
+          issuer: PUBLIC_ISSUER,
+          configDir: h.dir,
+        });
+        expect(status.kind).toBe("skipped");
+        if (status.kind === "skipped") expect(status.reason).toBe("aud-mismatch");
+
+        const onDisk = await readOperatorTokenFile(h.dir);
+        expect(onDisk).toBe(signed.token);
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("missing/invalid pa_scope_set (stale iss, aud=operator) → skipped:no-scope-set, NOT widened to admin", async () => {
+    const h = makeHarness();
+    try {
+      const db = openHubDb(hubDbPath(h.dir));
+      try {
+        rotateSigningKey(db);
+        // aud=operator + stale iss + NO pa_scope_set claim. Falling back to a
+        // default scope-set would silently widen to admin (hub#224); refuse.
+        const signed = await signAccessToken(db, {
+          sub: "user-abc",
+          scopes: ["scribe:transcribe"],
+          audience: OPERATOR_TOKEN_AUDIENCE,
+          clientId: OPERATOR_TOKEN_CLIENT_ID,
+          issuer: LOOPBACK_ISSUER,
+        });
+        await writeOperatorTokenFile(signed.token, h.dir);
+
+        const status = await selfHealOperatorTokenIssuer(db, {
+          issuer: PUBLIC_ISSUER,
+          configDir: h.dir,
+        });
+        expect(status.kind).toBe("skipped");
+        if (status.kind === "skipped") expect(status.reason).toBe("no-scope-set");
+
+        // On-disk file unchanged — no widening occurred.
+        const onDisk = await readOperatorTokenFile(h.dir);
+        expect(onDisk).toBe(signed.token);
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("missing sub (stale iss, aud=operator, valid scope-set) → skipped:no-sub, untouched", async () => {
+    const h = makeHarness();
+    try {
+      const db = openHubDb(hubDbPath(h.dir));
+      try {
+        rotateSigningKey(db);
+        // aud=operator + recognized scope-set + stale iss but NO sub — we can't
+        // re-mint a token we can't attribute.
+        const signed = await signAccessToken(db, {
+          sub: "",
+          scopes: ["parachute:host:start"],
+          audience: OPERATOR_TOKEN_AUDIENCE,
+          clientId: OPERATOR_TOKEN_CLIENT_ID,
+          issuer: LOOPBACK_ISSUER,
+          extraClaims: { [OPERATOR_TOKEN_SCOPE_SET_CLAIM]: "start" },
+        });
+        await writeOperatorTokenFile(signed.token, h.dir);
+
+        const status = await selfHealOperatorTokenIssuer(db, {
+          issuer: PUBLIC_ISSUER,
+          configDir: h.dir,
+        });
+        expect(status.kind).toBe("skipped");
+        if (status.kind === "skipped") expect(status.reason).toBe("no-sub");
+
+        const onDisk = await readOperatorTokenFile(h.dir);
+        expect(onDisk).toBe(signed.token);
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("target issuer loopback (public token on disk) → skipped:issuer-loopback, public token preserved", async () => {
+    const h = makeHarness();
+    try {
+      const db = openHubDb(hubDbPath(h.dir));
+      try {
+        rotateSigningKey(db);
+        // A good PUBLIC-issuer token; calling self-heal with a loopback target
+        // must never downgrade it.
+        const issued = await issueOperatorToken(db, "user-abc", {
+          dir: h.dir,
+          issuer: PUBLIC_ISSUER,
+          scopeSet: "admin",
+        });
+
+        const status = await selfHealOperatorTokenIssuer(db, {
+          issuer: LOOPBACK_ISSUER,
+          configDir: h.dir,
+        });
+        expect(status.kind).toBe("skipped");
+        if (status.kind === "skipped") expect(status.reason).toBe("issuer-loopback");
+
+        const onDisk = await readOperatorTokenFile(h.dir);
+        expect(onDisk).toBe(issued.token);
+        // Still a public-issuer token.
+        const validated = await validateAccessToken(db, onDisk as string, PUBLIC_ISSUER);
+        expect(validated.payload.iss).toBe(PUBLIC_ISSUER);
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("scope-set preserved verbatim — 'auth' set stays 'auth', not widened to admin", async () => {
+    const h = makeHarness();
+    try {
+      const db = openHubDb(hubDbPath(h.dir));
+      try {
+        rotateSigningKey(db);
+        await issueOperatorToken(db, "user-xyz", {
+          dir: h.dir,
+          issuer: LOOPBACK_ISSUER,
+          scopeSet: "auth",
+        });
+
+        const status = await selfHealOperatorTokenIssuer(db, {
+          issuer: PUBLIC_ISSUER,
+          configDir: h.dir,
+        });
+        expect(status.kind).toBe("rotated");
+        if (status.kind === "rotated") expect(status.scopeSet).toBe("auth");
+
+        const onDisk = await readOperatorTokenFile(h.dir);
+        const validated = await validateAccessToken(db, onDisk as string, PUBLIC_ISSUER);
+        expect(validated.payload[OPERATOR_TOKEN_SCOPE_SET_CLAIM]).toBe("auth");
+        // The minted scopes are the "auth" set, NOT the admin superset.
+        expect(validated.payload.scope).toBe("parachute:host:auth");
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("file path is the canonical operator.token under configDir", async () => {
+    const h = makeHarness();
+    try {
+      const db = openHubDb(hubDbPath(h.dir));
+      try {
+        rotateSigningKey(db);
+        await issueOperatorToken(db, "user-abc", {
+          dir: h.dir,
+          issuer: LOOPBACK_ISSUER,
+          scopeSet: "start",
+        });
+        const status = await selfHealOperatorTokenIssuer(db, {
+          issuer: PUBLIC_ISSUER,
+          configDir: h.dir,
+        });
+        if (status.kind === "rotated") {
+          expect(status.path).toBe(join(h.dir, OPERATOR_TOKEN_FILENAME));
+        } else {
+          throw new Error(`expected rotated, got ${status.kind}`);
+        }
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+});

package/src/__tests__/resource-binding.test.ts

@@ -0,0 +1,97 @@
+import { describe, expect, test } from "bun:test";
+import { narrowResourceVaultScopes, resolveResourceVault } from "../resource-binding.ts";
+
+const ORIGIN = "https://hub.example";
+const BOUND = [ORIGIN, "http://127.0.0.1:1939"];
+
+describe("resolveResourceVault", () => {
+  test("resolves a per-vault MCP resource to the vault name", () => {
+    expect(resolveResourceVault(`${ORIGIN}/vault/jon/mcp`, BOUND)).toBe("jon");
+  });
+
+  test("tolerates a trailing slash on the MCP path", () => {
+    expect(resolveResourceVault(`${ORIGIN}/vault/jon/mcp/`, BOUND)).toBe("jon");
+  });
+
+  test("ignores query string + fragment", () => {
+    expect(resolveResourceVault(`${ORIGIN}/vault/jon/mcp?x=1#y`, BOUND)).toBe("jon");
+  });
+
+  test("resolves the PRM document URL to the vault name", () => {
+    expect(
+      resolveResourceVault(`${ORIGIN}/vault/jon/.well-known/oauth-protected-resource`, BOUND),
+    ).toBe("jon");
+  });
+
+  test("resolves against a non-issuer bound origin (loopback)", () => {
+    expect(resolveResourceVault("http://127.0.0.1:1939/vault/work/mcp", BOUND)).toBe("work");
+  });
+
+  test("returns null for an off-origin resource (not one we front)", () => {
+    expect(resolveResourceVault("https://evil.example/vault/jon/mcp", BOUND)).toBeNull();
+  });
+
+  test("returns null for a non-vault path", () => {
+    expect(resolveResourceVault(`${ORIGIN}/scribe/mcp`, BOUND)).toBeNull();
+    expect(resolveResourceVault(`${ORIGIN}/vault/jon`, BOUND)).toBeNull();
+    expect(resolveResourceVault(`${ORIGIN}/vault/jon/notes`, BOUND)).toBeNull();
+  });
+
+  test("returns null for absent / empty / malformed resource", () => {
+    expect(resolveResourceVault(null, BOUND)).toBeNull();
+    expect(resolveResourceVault(undefined, BOUND)).toBeNull();
+    expect(resolveResourceVault("", BOUND)).toBeNull();
+    expect(resolveResourceVault("not a url", BOUND)).toBeNull();
+  });
+
+  test("does not collapse a deeper vault sub-path into the MCP shape", () => {
+    // `/vault/jon/mcp/extra` is not the canonical MCP endpoint.
+    expect(resolveResourceVault(`${ORIGIN}/vault/jon/mcp/extra`, BOUND)).toBeNull();
+  });
+
+  test("rejects a vault segment that isn't a well-formed vault name (no junk mint)", () => {
+    // A crafted `resource=…/vault/%2F..%2Fadmin/mcp` decodes to `/../admin`,
+    // which is not `[a-zA-Z0-9_-]+`. Returning null falls through to the
+    // unbound flow — no narrowing, no token stamped `aud=vault./../admin`.
+    expect(resolveResourceVault(`${ORIGIN}/vault/%2F..%2Fadmin/mcp`, BOUND)).toBeNull();
+    // Spaces / dots / slashes in the decoded name are all out of shape.
+    expect(resolveResourceVault(`${ORIGIN}/vault/a.b/mcp`, BOUND)).toBeNull();
+  });
+
+  test("returns null for a malformed percent-escape in the vault segment (safeDecode catch path)", () => {
+    // `%GG` is not a valid percent-escape — `decodeURIComponent` throws; the
+    // helper must degrade to null rather than 500 the authorize handler.
+    expect(resolveResourceVault(`${ORIGIN}/vault/%GG/mcp`, BOUND)).toBeNull();
+  });
+});
+
+describe("narrowResourceVaultScopes", () => {
+  test("narrows unnamed vault verbs to the named form", () => {
+    expect(narrowResourceVaultScopes(["vault:read", "vault:write"], "jon")).toEqual([
+      "vault:jon:read",
+      "vault:jon:write",
+    ]);
+  });
+
+  test("leaves already-named scopes for other vaults untouched", () => {
+    expect(narrowResourceVaultScopes(["vault:other:read"], "jon")).toEqual(["vault:other:read"]);
+  });
+
+  test("passes non-vault scopes through unchanged", () => {
+    expect(narrowResourceVaultScopes(["scribe:transcribe", "vault:read"], "jon")).toEqual([
+      "scribe:transcribe",
+      "vault:jon:read",
+    ]);
+  });
+
+  test("narrows the admin verb too (gate happens downstream)", () => {
+    // narrowResourceVaultScopes only rewrites shape; the non-requestable gate
+    // (`vault:<name>:admin`) blocks it afterward.
+    expect(narrowResourceVaultScopes(["vault:admin"], "jon")).toEqual(["vault:jon:admin"]);
+  });
+
+  test("is idempotent over an already-narrowed list", () => {
+    const once = narrowResourceVaultScopes(["vault:read"], "jon");
+    expect(narrowResourceVaultScopes(once, "jon")).toEqual(once);
+  });
+});

package/src/__tests__/scope-explanations.test.ts

@@ -60,10 +60,18 @@ describe("explainScope", () => {
     expect(explainScope("vault:*:write")?.level).toBe("write");
   });
 
-  test("doesn't promote a per-vault admin (vault:<name>:admin) into an explained scope", () => {
-    // vault:<name>:admin is NON_REQUESTABLE — never appears on the consent
-    // screen. Explicitly not in the verb-pattern, so explainScope returns null.
-    expect(explainScope("vault:default:admin")).toBeNull();
+  // Single-consent change (2026-05-29): vault:<name>:admin is now REQUESTABLE
+  // and reaches the consent screen, so explainScope MUST resolve it to the
+  // vault:admin explanation (level "admin"). This is load-bearing: it makes
+  // scopeIsAdmin("vault:<name>:admin") return true, which the same-hub and
+  // trust-by-name auto-mint gates rely on to keep admin consent-gated.
+  test("resolves a per-vault admin (vault:<name>:admin) to the vault:admin explanation", () => {
+    expect(explainScope("vault:default:admin")?.label).toBe(
+      SCOPE_EXPLANATIONS["vault:admin"]?.label,
+    );
+    expect(explainScope("vault:default:admin")?.level).toBe("admin");
+    expect(explainScope("vault:my-techne_2:admin")?.level).toBe("admin");
+    expect(explainScope("vault:*:admin")?.level).toBe("admin");
   });
 });
 
@@ -74,6 +82,17 @@ describe("scopeIsAdmin", () => {
     expect(scopeIsAdmin("parachute:host:admin")).toBe(true);
   });
 
+  // Single-consent change (2026-05-29): the named per-vault admin form must
+  // be recognized as admin. LOAD-BEARING — the same-hub auto-trust gate
+  // (`!hasAdminScope`) and the trust-by-client_name gate
+  // (`!requestedScopes.some(scopeIsAdmin)`) rely on this to keep a named admin
+  // grant consent-gated instead of silently auto-minting it.
+  test("true for named per-vault admin (vault:<name>:admin)", () => {
+    expect(scopeIsAdmin("vault:work:admin")).toBe(true);
+    expect(scopeIsAdmin("vault:default:admin")).toBe(true);
+    expect(scopeIsAdmin("vault:my-techne_2:admin")).toBe(true);
+  });
+
   test("false for non-admin and unknown scopes", () => {
     expect(scopeIsAdmin("vault:read")).toBe(false);
     expect(scopeIsAdmin("channel:send")).toBe(false);
@@ -120,16 +139,26 @@ describe("isRequestableScope", () => {
     expect(isRequestableScope("notes:something-new")).toBe(true);
   });
 
-  // Per-vault admin scopes are pattern-matched as non-requestable so the
-  // public OAuth flow can never mint vault:<name>:admin — only the local
-  // session-cookie endpoint at /admin/vault-admin-token/<name> can.
-  test("false for any vault:<name>:admin scope", () => {
-    expect(isRequestableScope("vault:default:admin")).toBe(false);
-    expect(isRequestableScope("vault:work:admin")).toBe(false);
-    expect(isRequestableScope("vault:my-techne_2:admin")).toBe(false);
+  // Single-consent change (2026-05-29): per-vault admin scopes are now
+  // requestable via the public OAuth flow. The anti-privesc cap at the mint
+  // choke-point (`capScopesToUserAuthority`) keeps a non-owner from actually
+  // being granted admin — but the scope is no longer rejected up front, so
+  // Claude MCP (consenting as the owner) can mint a vault admin token.
+  test("true for any vault:<name>:admin scope (single-consent change)", () => {
+    expect(isRequestableScope("vault:default:admin")).toBe(true);
+    expect(isRequestableScope("vault:work:admin")).toBe(true);
+    expect(isRequestableScope("vault:my-techne_2:admin")).toBe(true);
+  });
+
+  test("host-level operator scopes stay non-requestable", () => {
+    // The asymmetry the single-consent change preserved: per-vault admin is
+    // now requestable (capped at mint), but host-wide operator authority is
+    // still operator-only-mintable.
+    expect(isRequestableScope("parachute:host:admin")).toBe(false);
+    expect(isRequestableScope("parachute:host:auth")).toBe(false);
   });
 
-  test("vault:<name>:read|write stays requestable (only :admin is locked down)", () => {
+  test("vault:<name>:read|write stays requestable", () => {
     expect(isRequestableScope("vault:default:read")).toBe(true);
     expect(isRequestableScope("vault:work:write")).toBe(true);
   });