@openparachute/hub 0.5.2 → 0.5.9-rc.6

package/src/__tests__/admin-handlers.test.ts

@@ -1,66 +1,22 @@
 import type { Database } from "bun:sqlite";
 import { afterEach, beforeEach, describe, expect, test } from "bun:test";
-import { existsSync, mkdtempSync, readFileSync, rmSync } from "node:fs";
+import { mkdtempSync, rmSync } from "node:fs";
 import { tmpdir } from "node:os";
 import { join } from "node:path";
 import {
-  handleAdminConfigGet,
-  handleAdminConfigPost,
   handleAdminLoginGet,
   handleAdminLoginPost,
   handleAdminLogoutPost,
 } from "../admin-handlers.ts";
 import { CSRF_COOKIE_NAME, CSRF_FIELD_NAME } from "../csrf.ts";
 import { hubDbPath, openHubDb } from "../hub-db.ts";
-import type { ConfigSchema, ModuleManifest } from "../module-manifest.ts";
-import type { ServicesManifest } from "../services-manifest.ts";
+import { __resetForTests as resetRateLimit } from "../rate-limit.ts";
 import { SESSION_TTL_MS, buildSessionCookie, createSession, findSession } from "../sessions.ts";
 import { createUser } from "../users.ts";
 
 const TEST_CSRF = "csrf-handlers-test-token";
 const CSRF_COOKIE = `${CSRF_COOKIE_NAME}=${TEST_CSRF}`;
 
-const VAULT_SCHEMA: ConfigSchema = {
-  type: "object",
-  required: ["transcribe_provider"],
-  properties: {
-    transcribe_provider: {
-      type: "string",
-      description: "Speech-to-text backend.",
-      enum: ["openai", "deepgram", "groq"],
-      default: "openai",
-    },
-    max_tags_per_note: { type: "integer", default: 10 },
-    public: { type: "boolean", default: false },
-  },
-};
-
-const VAULT_MANIFEST: ModuleManifest = {
-  name: "vault",
-  manifestName: "parachute-vault",
-  displayName: "Vault",
-  kind: "api",
-  port: 1940,
-  paths: ["/vault"],
-  health: "/health",
-  configSchema: VAULT_SCHEMA,
-};
-
-function vaultServices(): ServicesManifest {
-  return {
-    services: [
-      {
-        name: "vault",
-        port: 1940,
-        paths: ["/vault"],
-        health: "/health",
-        version: "0.0.0",
-        installDir: "/fake/vault",
-      },
-    ],
-  };
-}
-
 interface Harness {
   db: Database;
   configDir: string;
@@ -98,14 +54,13 @@ function formBody(values: Record<string, string>): {
   };
 }
 
-function fakeReadManifest(installDir: string): Promise<ModuleManifest | null> {
-  if (installDir === "/fake/vault") return Promise.resolve(VAULT_MANIFEST);
-  return Promise.resolve(null);
-}
-
 let harness: Harness;
 beforeEach(() => {
   harness = makeHarness();
+  // Per-test rate-limit state — login tests share the UNKNOWN_IP sentinel
+  // bucket since they don't set CF-Connecting-IP, so without a reset the
+  // 6th test in this file would 429 spuriously.
+  resetRateLimit();
 });
 afterEach(() => {
   harness.cleanup();
@@ -120,20 +75,29 @@ describe("handleAdminLoginGet", () => {
   });
 
   test("echoes the next= query param into the form", async () => {
-    const req = new Request("http://hub.test/admin/login?next=/admin/config");
+    const req = new Request("http://hub.test/admin/login?next=/admin/permissions");
     const res = handleAdminLoginGet(harness.db, req);
     const html = await res.text();
-    expect(html).toContain('value="/admin/config"');
+    expect(html).toContain('value="/admin/permissions"');
   });
 
-  test("rewrites unsafe next= to /admin/config", async () => {
+  test("rewrites unsafe next= to /admin/vaults", async () => {
     const req = new Request("http://hub.test/admin/login?next=https%3A%2F%2Fevil.example%2Fpwn");
     const res = handleAdminLoginGet(harness.db, req);
     const html = await res.text();
-    expect(html).toContain('value="/admin/config"');
+    expect(html).toContain('value="/admin/vaults"');
     expect(html).not.toContain("evil.example");
   });
 
+  test("missing next= falls back to /admin/vaults (SPA home)", async () => {
+    // Post-SPA-rework default: the legacy `/admin/config` portal was retired,
+    // so the login form's hidden `next` defaults to the SPA's vault list.
+    const req = new Request("http://hub.test/admin/login");
+    const res = handleAdminLoginGet(harness.db, req);
+    const html = await res.text();
+    expect(html).toContain('value="/admin/vaults"');
+  });
+
   test("hidden __csrf input value matches the freshly-minted cookie value (#113)", async () => {
     const req = new Request("http://hub.test/admin/login");
     const res = handleAdminLoginGet(harness.db, req);
@@ -156,7 +120,7 @@ describe("handleAdminLoginPost", () => {
       [CSRF_FIELD_NAME]: "wrong",
       username: "admin",
       password: "pw",
-      next: "/admin/config",
+      next: "/admin/vaults",
     });
     const req = new Request("http://hub.test/admin/login", {
       method: "POST",
@@ -174,7 +138,7 @@ describe("handleAdminLoginPost", () => {
       [CSRF_FIELD_NAME]: TEST_CSRF,
       username: "admin",
       password: "wrong",
-      next: "/admin/config",
+      next: "/admin/vaults",
     });
     const req = new Request("http://hub.test/admin/login", {
       method: "POST",
@@ -192,7 +156,7 @@ describe("handleAdminLoginPost", () => {
       [CSRF_FIELD_NAME]: TEST_CSRF,
       username: "admin",
       password: "pw",
-      next: "/admin/config",
+      next: "/admin/permissions",
     });
     const req = new Request("http://hub.test/admin/login", {
       method: "POST",
@@ -201,7 +165,7 @@ describe("handleAdminLoginPost", () => {
     });
     const res = await handleAdminLoginPost(harness.db, req);
     expect(res.status).toBe(302);
-    expect(res.headers.get("location")).toBe("/admin/config");
+    expect(res.headers.get("location")).toBe("/admin/permissions");
     expect(res.headers.get("set-cookie") ?? "").toContain("parachute_hub_session=");
   });
 
@@ -220,7 +184,137 @@ describe("handleAdminLoginPost", () => {
     });
     const res = await handleAdminLoginPost(harness.db, req);
     expect(res.status).toBe(302);
-    expect(res.headers.get("location")).toBe("/admin/config");
+    expect(res.headers.get("location")).toBe("/admin/vaults");
+  });
+
+  test("ignores a protocol-relative next= from the form (open-redirect defense)", async () => {
+    // Scheme-relative `//host/path` URLs would otherwise resolve to a
+    // different origin when followed by the browser. `safeNext` rejects them
+    // alongside scheme-absolute URLs; this test pins the POST path
+    // explicitly so future refactors of the redirect builder don't quietly
+    // re-open the open-redirect.
+    await createUser(harness.db, "admin", "pw");
+    const { body, headers } = formBody({
+      [CSRF_FIELD_NAME]: TEST_CSRF,
+      username: "admin",
+      password: "pw",
+      next: "//evil.example/pwn",
+    });
+    const req = new Request("http://hub.test/admin/login", {
+      method: "POST",
+      headers: { ...headers, cookie: CSRF_COOKIE },
+      body,
+    });
+    const res = await handleAdminLoginPost(harness.db, req);
+    expect(res.status).toBe(302);
+    expect(res.headers.get("location")).toBe("/admin/vaults");
+  });
+
+  test("missing next= lands the operator on /admin/vaults (SPA home)", async () => {
+    // Post-SPA-rework default: when the form omits `next`, login lands on
+    // the SPA's vault list. Previously the legacy `/admin/config` portal
+    // was the default; that page is retired and 301s to /admin/vaults.
+    await createUser(harness.db, "admin", "pw");
+    const { body, headers } = formBody({
+      [CSRF_FIELD_NAME]: TEST_CSRF,
+      username: "admin",
+      password: "pw",
+    });
+    const req = new Request("http://hub.test/admin/login", {
+      method: "POST",
+      headers: { ...headers, cookie: CSRF_COOKIE },
+      body,
+    });
+    const res = await handleAdminLoginPost(harness.db, req);
+    expect(res.status).toBe(302);
+    expect(res.headers.get("location")).toBe("/admin/vaults");
+  });
+
+  // hub#185 — per-IP rate-limit (5 attempts / 15 min) on POST /admin/login.
+  test("6 rapid POSTs from same IP get 200/401×4/429 and the 429 carries Retry-After", async () => {
+    await createUser(harness.db, "admin", "correct-pw");
+    const buildReq = (password: string) => {
+      const { body, headers } = formBody({
+        [CSRF_FIELD_NAME]: TEST_CSRF,
+        username: "admin",
+        password,
+        next: "/admin/vaults",
+      });
+      return new Request("http://hub.test/admin/login", {
+        method: "POST",
+        headers: { ...headers, cookie: CSRF_COOKIE, "cf-connecting-ip": "203.0.113.42" },
+        body,
+      });
+    };
+    // First attempt: correct password → 302. Counts as attempt #1.
+    const first = await handleAdminLoginPost(harness.db, buildReq("correct-pw"));
+    expect(first.status).toBe(302);
+    // Attempts 2–5: wrong password → 401 each.
+    for (let i = 2; i <= 5; i++) {
+      const r = await handleAdminLoginPost(harness.db, buildReq("wrong"));
+      expect(r.status).toBe(401);
+    }
+    // Attempt 6: rate-limit fires before credential check → 429 + Retry-After.
+    const denied = await handleAdminLoginPost(harness.db, buildReq("wrong"));
+    expect(denied.status).toBe(429);
+    const retryAfter = denied.headers.get("retry-after");
+    expect(retryAfter).not.toBeNull();
+    const seconds = Number(retryAfter);
+    expect(seconds).toBeGreaterThan(0);
+    // Window is 15 min = 900s, so retry-after sits in (0, 900].
+    expect(seconds).toBeLessThanOrEqual(900);
+  });
+
+  test("rate-limit is per-IP: a different IP can still log in after another's bucket fills", async () => {
+    await createUser(harness.db, "admin", "pw");
+    const buildReq = (ip: string, password: string) => {
+      const { body, headers } = formBody({
+        [CSRF_FIELD_NAME]: TEST_CSRF,
+        username: "admin",
+        password,
+        next: "/admin/vaults",
+      });
+      return new Request("http://hub.test/admin/login", {
+        method: "POST",
+        headers: { ...headers, cookie: CSRF_COOKIE, "cf-connecting-ip": ip },
+        body,
+      });
+    };
+    // Exhaust ip-a's bucket with 5 wrong-password attempts, then confirm 429.
+    for (let i = 0; i < 5; i++) {
+      await handleAdminLoginPost(harness.db, buildReq("203.0.113.7", "wrong"));
+    }
+    const aDenied = await handleAdminLoginPost(harness.db, buildReq("203.0.113.7", "wrong"));
+    expect(aDenied.status).toBe(429);
+    // Different IP: fresh bucket, correct credentials → 302.
+    const bOk = await handleAdminLoginPost(harness.db, buildReq("198.51.100.99", "pw"));
+    expect(bOk.status).toBe(302);
+  });
+
+  test("rate-limit fires before credential check (denied request never touches DB)", async () => {
+    // No user exists in the harness DB. First 5 attempts should be 401
+    // ("Invalid credentials" — no such user). 6th should be 429 with the
+    // rate-limit body, NOT a credential-failure body.
+    const buildReq = () => {
+      const { body, headers } = formBody({
+        [CSRF_FIELD_NAME]: TEST_CSRF,
+        username: "ghost",
+        password: "x",
+        next: "/admin/vaults",
+      });
+      return new Request("http://hub.test/admin/login", {
+        method: "POST",
+        headers: { ...headers, cookie: CSRF_COOKIE, "cf-connecting-ip": "203.0.113.99" },
+        body,
+      });
+    };
+    for (let i = 0; i < 5; i++) {
+      const r = await handleAdminLoginPost(harness.db, buildReq());
+      expect(r.status).toBe(401);
+    }
+    const denied = await handleAdminLoginPost(harness.db, buildReq());
+    expect(denied.status).toBe(429);
+    expect(await denied.text()).toContain("Too many login attempts");
   });
 });
 
@@ -238,7 +332,7 @@ describe("handleAdminLogoutPost (#113)", () => {
     expect(res.headers.get("set-cookie")).toBeNull();
   });
 
-  test("clears session cookie, deletes session row, and redirects to /admin/login", async () => {
+  test("clears session cookie, deletes session row, and redirects to /login", async () => {
     const user = await createUser(harness.db, "admin", "pw");
     const session = createSession(harness.db, { userId: user.id });
     const cookie = `${CSRF_COOKIE}; ${buildSessionCookie(
@@ -246,14 +340,14 @@ describe("handleAdminLogoutPost (#113)", () => {
       Math.floor(SESSION_TTL_MS / 1000),
     )}`;
     const { body, headers } = formBody({ [CSRF_FIELD_NAME]: TEST_CSRF });
-    const req = new Request("http://hub.test/admin/logout", {
+    const req = new Request("http://hub.test/logout", {
       method: "POST",
       headers: { ...headers, cookie },
       body,
     });
     const res = await handleAdminLogoutPost(harness.db, req);
     expect(res.status).toBe(302);
-    expect(res.headers.get("location")).toBe("/admin/login");
+    expect(res.headers.get("location")).toBe("/login");
     const setCookie = res.headers.get("set-cookie") ?? "";
     expect(setCookie).toContain("parachute_hub_session=;");
     expect(setCookie).toContain("Max-Age=0");
@@ -262,269 +356,14 @@ describe("handleAdminLogoutPost (#113)", () => {
 
   test("idempotent — clears cookie even with no active session", async () => {
     const { body, headers } = formBody({ [CSRF_FIELD_NAME]: TEST_CSRF });
-    const req = new Request("http://hub.test/admin/logout", {
+    const req = new Request("http://hub.test/logout", {
       method: "POST",
       headers: { ...headers, cookie: CSRF_COOKIE },
       body,
     });
     const res = await handleAdminLogoutPost(harness.db, req);
     expect(res.status).toBe(302);
-    expect(res.headers.get("location")).toBe("/admin/login");
+    expect(res.headers.get("location")).toBe("/login");
     expect(res.headers.get("set-cookie") ?? "").toContain("parachute_hub_session=;");
   });
 });
-
-describe("handleAdminConfigGet", () => {
-  test("redirects unauthenticated requests to /admin/login", async () => {
-    const req = new Request("http://hub.test/admin/config");
-    const res = await handleAdminConfigGet(harness.db, req);
-    expect(res.status).toBe(302);
-    expect(res.headers.get("location")).toBe("/admin/login?next=%2Fadmin%2Fconfig");
-  });
-
-  test("renders the empty-state when no module declares a configSchema", async () => {
-    const cookie = await cookieForUser(harness.db, "admin", "pw");
-    const req = new Request("http://hub.test/admin/config", {
-      headers: { cookie },
-    });
-    const res = await handleAdminConfigGet(harness.db, req, {
-      loadServicesManifest: () => ({ services: [] }),
-      configDir: harness.configDir,
-      readManifest: fakeReadManifest,
-    });
-    expect(res.status).toBe(200);
-    const html = await res.text();
-    expect(html).toContain("No installed module declares");
-  });
-
-  test("renders one section per configurable module", async () => {
-    const cookie = await cookieForUser(harness.db, "admin", "pw");
-    const req = new Request("http://hub.test/admin/config", {
-      headers: { cookie },
-    });
-    const res = await handleAdminConfigGet(harness.db, req, {
-      loadServicesManifest: vaultServices,
-      configDir: harness.configDir,
-      readManifest: fakeReadManifest,
-    });
-    expect(res.status).toBe(200);
-    const html = await res.text();
-    expect(html).toContain('id="module-vault"');
-    expect(html).toContain("transcribe_provider");
-    expect(html).toContain('action="/admin/config/vault"');
-  });
-
-  test("surfaces flash success message after a saved redirect", async () => {
-    const cookie = await cookieForUser(harness.db, "admin", "pw");
-    const req = new Request("http://hub.test/admin/config?_status=saved&_module=vault", {
-      headers: { cookie },
-    });
-    const res = await handleAdminConfigGet(harness.db, req, {
-      loadServicesManifest: vaultServices,
-      configDir: harness.configDir,
-      readManifest: fakeReadManifest,
-    });
-    const html = await res.text();
-    expect(html).toContain("Saved and restarted Vault");
-  });
-});
-
-describe("handleAdminConfigPost", () => {
-  function postBody(values: Record<string, string>) {
-    return formBody({ [CSRF_FIELD_NAME]: TEST_CSRF, ...values });
-  }
-
-  test("redirects unauthenticated requests to /admin/login", async () => {
-    const { body, headers } = postBody({ transcribe_provider: "openai" });
-    const req = new Request("http://hub.test/admin/config/vault", {
-      method: "POST",
-      headers: { ...headers, cookie: CSRF_COOKIE },
-      body,
-    });
-    const res = await handleAdminConfigPost(harness.db, req, "vault", {
-      loadServicesManifest: vaultServices,
-      configDir: harness.configDir,
-      readManifest: fakeReadManifest,
-    });
-    expect(res.status).toBe(302);
-    expect(res.headers.get("location")).toContain("/admin/login");
-  });
-
-  test("returns 400 when the CSRF token is wrong", async () => {
-    const cookie = await cookieForUser(harness.db, "admin", "pw");
-    const { body, headers } = formBody({
-      [CSRF_FIELD_NAME]: "wrong",
-      transcribe_provider: "openai",
-    });
-    const req = new Request("http://hub.test/admin/config/vault", {
-      method: "POST",
-      headers: { ...headers, cookie },
-      body,
-    });
-    const res = await handleAdminConfigPost(harness.db, req, "vault", {
-      loadServicesManifest: vaultServices,
-      configDir: harness.configDir,
-      readManifest: fakeReadManifest,
-    });
-    expect(res.status).toBe(400);
-  });
-
-  test("returns 404 for unknown module names", async () => {
-    const cookie = await cookieForUser(harness.db, "admin", "pw");
-    const { body, headers } = postBody({});
-    const req = new Request("http://hub.test/admin/config/nope", {
-      method: "POST",
-      headers: { ...headers, cookie },
-      body,
-    });
-    const res = await handleAdminConfigPost(harness.db, req, "nope", {
-      loadServicesManifest: vaultServices,
-      configDir: harness.configDir,
-      readManifest: fakeReadManifest,
-    });
-    expect(res.status).toBe(404);
-  });
-
-  test("re-renders with field errors (422) when validation fails", async () => {
-    const cookie = await cookieForUser(harness.db, "admin", "pw");
-    const restarts: string[] = [];
-    const { body, headers } = postBody({
-      transcribe_provider: "whisper", // not in enum
-      max_tags_per_note: "10",
-    });
-    const req = new Request("http://hub.test/admin/config/vault", {
-      method: "POST",
-      headers: { ...headers, cookie },
-      body,
-    });
-    const res = await handleAdminConfigPost(harness.db, req, "vault", {
-      loadServicesManifest: vaultServices,
-      configDir: harness.configDir,
-      readManifest: fakeReadManifest,
-      restartService: async (name) => {
-        restarts.push(name);
-        return 0;
-      },
-    });
-    expect(res.status).toBe(422);
-    const html = await res.text();
-    expect(html).toContain("must be one of");
-    expect(restarts).toEqual([]); // restart never called
-    // The on-disk config must not have been written.
-    expect(existsSync(join(harness.configDir, "vault", "config.json"))).toBe(false);
-  });
-
-  test("writes config + triggers restart + redirects with saved flash", async () => {
-    const cookie = await cookieForUser(harness.db, "admin", "pw");
-    const restarts: string[] = [];
-    const { body, headers } = postBody({
-      transcribe_provider: "deepgram",
-      max_tags_per_note: "25",
-      // checkbox absent → public stays false
-    });
-    const req = new Request("http://hub.test/admin/config/vault", {
-      method: "POST",
-      headers: { ...headers, cookie },
-      body,
-    });
-    const res = await handleAdminConfigPost(harness.db, req, "vault", {
-      loadServicesManifest: vaultServices,
-      configDir: harness.configDir,
-      readManifest: fakeReadManifest,
-      restartService: async (name) => {
-        restarts.push(name);
-        return 0;
-      },
-    });
-    expect(res.status).toBe(302);
-    const location = res.headers.get("location") ?? "";
-    expect(location).toContain("/admin/config?");
-    expect(location).toContain("_status=saved");
-    expect(location).toContain("_module=vault");
-    expect(location).toContain("#module-vault");
-    expect(restarts).toEqual(["vault"]);
-    const written = JSON.parse(
-      readFileSync(join(harness.configDir, "vault", "config.json"), "utf8"),
-    );
-    expect(written).toEqual({
-      transcribe_provider: "deepgram",
-      max_tags_per_note: 25,
-      public: false,
-    });
-  });
-
-  test("flashes saved-restart-failed when the restart returns non-zero", async () => {
-    const cookie = await cookieForUser(harness.db, "admin", "pw");
-    const { body, headers } = postBody({
-      transcribe_provider: "openai",
-      max_tags_per_note: "5",
-    });
-    const req = new Request("http://hub.test/admin/config/vault", {
-      method: "POST",
-      headers: { ...headers, cookie },
-      body,
-    });
-    const res = await handleAdminConfigPost(harness.db, req, "vault", {
-      loadServicesManifest: vaultServices,
-      configDir: harness.configDir,
-      readManifest: fakeReadManifest,
-      restartService: async () => 1,
-    });
-    expect(res.status).toBe(302);
-    const location = res.headers.get("location") ?? "";
-    expect(location).toContain("_status=saved-restart-failed");
-    // Config was still written before the restart attempt.
-    expect(existsSync(join(harness.configDir, "vault", "config.json"))).toBe(true);
-  });
-
-  test("flashes saved-restart-failed with err detail when restart throws", async () => {
-    const cookie = await cookieForUser(harness.db, "admin", "pw");
-    const { body, headers } = postBody({
-      transcribe_provider: "openai",
-      max_tags_per_note: "5",
-    });
-    const req = new Request("http://hub.test/admin/config/vault", {
-      method: "POST",
-      headers: { ...headers, cookie },
-      body,
-    });
-    const res = await handleAdminConfigPost(harness.db, req, "vault", {
-      loadServicesManifest: vaultServices,
-      configDir: harness.configDir,
-      readManifest: fakeReadManifest,
-      restartService: async () => {
-        throw new Error("launchctl unavailable");
-      },
-    });
-    expect(res.status).toBe(302);
-    const location = res.headers.get("location") ?? "";
-    expect(location).toContain("_status=saved-restart-failed");
-    const errParam = new URL(location, "http://hub.test").searchParams.get("_err") ?? "";
-    expect(errParam).toContain("launchctl unavailable");
-  });
-
-  test("checkbox-on translates to `public: true` in the written config", async () => {
-    const cookie = await cookieForUser(harness.db, "admin", "pw");
-    const { body, headers } = postBody({
-      transcribe_provider: "openai",
-      max_tags_per_note: "5",
-      public: "true",
-    });
-    const req = new Request("http://hub.test/admin/config/vault", {
-      method: "POST",
-      headers: { ...headers, cookie },
-      body,
-    });
-    const res = await handleAdminConfigPost(harness.db, req, "vault", {
-      loadServicesManifest: vaultServices,
-      configDir: harness.configDir,
-      readManifest: fakeReadManifest,
-      restartService: async () => 0,
-    });
-    expect(res.status).toBe(302);
-    const written = JSON.parse(
-      readFileSync(join(harness.configDir, "vault", "config.json"), "utf8"),
-    );
-    expect(written.public).toBe(true);
-  });
-});

package/src/__tests__/admin-host-admin-token.test.ts

@@ -2,9 +2,12 @@
  * Tests for the SPA's session→bearer mint endpoint. Covers:
  *   - 401 when no admin session cookie is present.
  *   - 401 when the cookie names a deleted/expired session.
- *   - 200 + JWT carrying parachute:host:admin when the session is valid.
+ *   - 200 + JWT carrying parachute:host:admin AND parachute:host:auth.
  *   - Token validates against the hub's own keys and the configured issuer.
  *   - Method-not-allowed on POST.
+ *   - End-to-end regression: the minted JWT actually unlocks the new
+ *     `/api/auth/tokens` endpoint (hub#212 Phase 2 backend) — the bug from
+ *     end-to-end testing that motivated adding `parachute:host:auth` here.
  */
 import type { Database } from "bun:sqlite";
 import { afterEach, beforeEach, describe, expect, test } from "bun:test";
@@ -12,9 +15,11 @@ import { mkdtempSync, rmSync } from "node:fs";
 import { tmpdir } from "node:os";
 import { join } from "node:path";
 import { HOST_ADMIN_TOKEN_TTL_SECONDS, handleHostAdminToken } from "../admin-host-admin-token.ts";
+import { handleApiTokens } from "../api-tokens.ts";
 import { hubDbPath, openHubDb } from "../hub-db.ts";
 import { validateAccessToken } from "../jwt-sign.ts";
 import { SESSION_TTL_MS, buildSessionCookie, createSession, deleteSession } from "../sessions.ts";
+import { rotateSigningKey } from "../signing-keys.ts";
 import { createUser } from "../users.ts";
 
 const ISSUER = "https://hub.test";
@@ -82,8 +87,9 @@ describe("handleHostAdminToken", () => {
     expect(res.status).toBe(405);
   });
 
-  test("200 mints a JWT carrying parachute:host:admin and the configured issuer", async () => {
+  test("200 mints a JWT carrying parachute:host:admin + parachute:host:auth and the configured issuer", async () => {
     const { cookie, userId } = await withSession();
+    rotateSigningKey(harness.db);
     const req = new Request(`${ISSUER}/admin/host-admin-token`, {
       headers: { cookie },
     });
@@ -96,7 +102,10 @@ describe("handleHostAdminToken", () => {
       expires_at: string;
       scopes: string[];
     };
-    expect(body.scopes).toEqual(["parachute:host:admin"]);
+    // Both scopes — the SPA now needs `:host:auth` for the hub#212 Phase 2
+    // token-registry endpoints alongside the existing `:host:admin` for
+    // vault provisioning + grant management.
+    expect(body.scopes).toEqual(["parachute:host:admin", "parachute:host:auth"]);
     expect(body.token.length).toBeGreaterThan(20);
 
     // expires_at is roughly TTL_SECONDS in the future.
@@ -110,6 +119,45 @@ describe("handleHostAdminToken", () => {
     expect(validated.payload.sub).toBe(userId);
     expect(validated.payload.iss).toBe(ISSUER);
     const scopeClaim = (validated.payload as { scope?: string }).scope ?? "";
-    expect(scopeClaim.split(/\s+/)).toContain("parachute:host:admin");
+    const scopes = scopeClaim.split(/\s+/);
+    expect(scopes).toContain("parachute:host:admin");
+    expect(scopes).toContain("parachute:host:auth");
+  });
+
+  // Regression for the end-to-end bug that motivated adding `:host:auth`
+  // here: the SPA's session-bearer was rejected by `/api/auth/tokens` (and
+  // its peers) because it carried `:host:admin` only. This test mints
+  // through the SPA path and exercises one of the new endpoints
+  // end-to-end — the Phase 2 backend tests only minted operator-style
+  // tokens with `:host:auth` directly, leaving the SPA-flow gap uncaught.
+  test("regression: the minted SPA bearer is accepted by /api/auth/tokens", async () => {
+    const { cookie } = await withSession();
+    rotateSigningKey(harness.db);
+
+    // Step 1: SPA grabs its bearer via the cookie path.
+    const mintRes = await handleHostAdminToken(
+      new Request(`${ISSUER}/admin/host-admin-token`, { headers: { cookie } }),
+      { db: harness.db, issuer: ISSUER },
+    );
+    expect(mintRes.status).toBe(200);
+    const { token } = (await mintRes.json()) as { token: string };
+
+    // Step 2: SPA hits /api/auth/tokens with that bearer. Pre-fix this
+    // returned 403 `bearer token lacks parachute:host:auth`; post-fix it
+    // returns 200 with the (empty-by-default) tokens list.
+    const tokensRes = await handleApiTokens(
+      new Request(`${ISSUER}/api/auth/tokens`, {
+        method: "GET",
+        headers: { authorization: `Bearer ${token}` },
+      }),
+      { db: harness.db, issuer: ISSUER },
+    );
+    expect(tokensRes.status).toBe(200);
+    const tokensBody = (await tokensRes.json()) as {
+      tokens: unknown[];
+      next_cursor: string | null;
+    };
+    expect(Array.isArray(tokensBody.tokens)).toBe(true);
+    expect(tokensBody.next_cursor).toBeNull();
   });
 });