@openparachute/hub 0.5.2 → 0.5.9-rc.6

package/src/commands/expose-2fa-warning.ts

@@ -0,0 +1,82 @@
+/**
+ * Public-exposure 2FA-enrollment warning (#186). Lands as the next layer of
+ * defense after #188's `/login` rate-limit floor: once the operator brings
+ * up cloudflare or Tailscale Funnel, `/login` is reachable from the public
+ * internet on every layer admitting traffic. 2FA is the difference between
+ * "password is the only wall" and "password + something-you-have."
+ *
+ * Why this is a warning, not a hard gate: hard-gating would surprise operators
+ * mid-flow — they ran `parachute expose public` to expose, not to be told
+ * "set up 2FA first." A loud, contextual warning + a clear one-line
+ * remediation is the right shape; the operator decides whether to act now or
+ * later. The tunnel is up regardless.
+ *
+ * Why the source-of-truth is vault's `config.yaml`: 2FA enrollment lives in
+ * `parachute-vault` (the hub forwards `parachute auth 2fa enroll` to vault —
+ * see `commands/auth.ts` `VAULT_FORWARDED_SUBCOMMANDS`). The hub's `users`
+ * table has no TOTP column today; it will gain one when hub-admin login
+ * verifies TOTP against vault. Until then, "is 2FA enrolled?" maps cleanly
+ * to "does vault's config.yaml carry a non-empty `totp_secret`?", which is
+ * exactly what `readVaultAuthStatus().hasTotp` returns.
+ *
+ * If vault isn't installed at all (rare for the cloudflare path — it requires
+ * a vault entry — but possible on the tailnet/funnel path): `hasTotp` comes
+ * back `false` and the warning still fires. The remediation
+ * `parachute auth 2fa enroll` then surfaces vault's "install vault first"
+ * error, which is the right next step regardless.
+ */
+
+import { type VaultAuthStatus, readVaultAuthStatus } from "../vault/auth-status.ts";
+
+export interface Public2FAWarningOpts {
+  /** Pre-computed status to skip on-disk probe (tests). Production omits. */
+  status?: VaultAuthStatus;
+  /** Forwarded to {@link readVaultAuthStatus} when `status` is not supplied. */
+  vaultHome?: string;
+  /** Sink for the warning lines. Defaults to console.log. */
+  log?: (line: string) => void;
+  /** Public URL the operator just brought up — embedded in the warning. */
+  publicUrl: string;
+}
+
+/**
+ * `true` when `totp_secret` is present and non-empty in vault's config.yaml,
+ * `false` otherwise (missing vault, missing config.yaml, empty value).
+ *
+ * Source-of-truth note: TOTP storage is the vault's, not the hub's. See the
+ * module-level doc comment.
+ */
+export function is2FAEnrolled(
+  opts: { vaultHome?: string; status?: VaultAuthStatus } = {},
+): boolean {
+  const status =
+    opts.status ?? readVaultAuthStatus(opts.vaultHome ? { vaultHome: opts.vaultHome } : {});
+  return status.hasTotp;
+}
+
+/**
+ * Print a 2FA-enrollment warning to `log` when not enrolled. No-op when
+ * enrolled. Returns `true` if the warning fired, `false` if suppressed —
+ * primarily to make integration tests assert the branch without scraping log
+ * text.
+ */
+export function printPublic2FAWarning(opts: Public2FAWarningOpts): boolean {
+  const log = opts.log ?? ((line: string) => console.log(line));
+  if (
+    is2FAEnrolled({
+      ...(opts.vaultHome ? { vaultHome: opts.vaultHome } : {}),
+      ...(opts.status ? { status: opts.status } : {}),
+    })
+  ) {
+    return false;
+  }
+  log("");
+  log("⚠ 2FA is not enrolled. /login is now reachable on the public internet");
+  log(`  (${opts.publicUrl}/login). Anyone who guesses your password`);
+  log("  is in. Strongly recommended:");
+  log("");
+  log("    parachute auth 2fa enroll");
+  log("");
+  log("  Adds TOTP + backup codes. Takes 30 seconds.");
+  return true;
+}

package/src/commands/expose-cloudflare.ts

@@ -30,6 +30,8 @@ import { SERVICES_MANIFEST_PATH } from "../config.ts";
 import { type AliveFn, defaultAlive } from "../process-state.ts";
 import { readManifest } from "../services-manifest.ts";
 import { type Runner, defaultRunner } from "../tailscale/run.ts";
+import type { VaultAuthStatus } from "../vault/auth-status.ts";
+import { printPublic2FAWarning } from "./expose-2fa-warning.ts";
 
 const AUTH_DOC_URL =
   "https://github.com/ParachuteComputer/parachute-vault/blob/main/docs/auth-model.md";
@@ -106,6 +108,18 @@ export interface ExposeCloudflareOpts {
   /** Override `~/.cloudflared` for tests and `$HOME`-free environments. */
   cloudflaredHome?: string;
   now?: () => Date;
+  /**
+   * Override `~/.parachute/vault` for the 2FA-enrollment probe. Tests
+   * point at a tmp dir; production omits and the probe defaults to the
+   * resolved vault home. (#186)
+   */
+  vaultHome?: string;
+  /**
+   * Pre-computed vault auth status, primarily for tests. When set,
+   * `printPublic2FAWarning` consults this instead of reading
+   * `<vaultHome>/config.yaml` from disk. (#186)
+   */
+  vaultAuthStatus?: VaultAuthStatus;
 }
 
 interface Resolved {
@@ -121,6 +135,8 @@ interface Resolved {
   logPath: string;
   cloudflaredHome: string;
   now: () => Date;
+  vaultHome: string | undefined;
+  vaultAuthStatus: VaultAuthStatus | undefined;
 }
 
 function resolve(opts: ExposeCloudflareOpts): Resolved {
@@ -139,6 +155,8 @@ function resolve(opts: ExposeCloudflareOpts): Resolved {
     logPath: opts.logPath ?? paths.logPath,
     cloudflaredHome: opts.cloudflaredHome ?? DEFAULT_CLOUDFLARED_HOME,
     now: opts.now ?? (() => new Date()),
+    vaultHome: opts.vaultHome,
+    vaultAuthStatus: opts.vaultAuthStatus,
   };
 }
 
@@ -313,6 +331,15 @@ export async function exposeCloudflareUp(
   r.log("Point a claude.ai / ChatGPT connector at:");
   r.log(`  ${vaultUrl}`);
   printAuthGuidance(r.log, vaultUrl);
+  // 2FA-enrollment warning when /admin/login is now reachable on the public
+  // internet but the operator hasn't enrolled TOTP. Cloudflare exposure is
+  // always public; tailnet/funnel mirrors this in `expose.ts`. See #186.
+  printPublic2FAWarning({
+    log: r.log,
+    publicUrl: baseUrl,
+    ...(r.vaultHome !== undefined ? { vaultHome: r.vaultHome } : {}),
+    ...(r.vaultAuthStatus !== undefined ? { status: r.vaultAuthStatus } : {}),
+  });
   return 0;
 }
 

package/src/commands/expose-public-auto.ts

@@ -30,8 +30,8 @@
 
 import { DEFAULT_CLOUDFLARED_HOME } from "../cloudflare/detect.ts";
 import {
-  type ProviderAvailability,
   type DetectProvidersOpts,
+  type ProviderAvailability,
   detectProviders,
   isCloudflareReady,
   isTailnetReady,
@@ -143,9 +143,7 @@ function reportCloudflareNeedsDomain(r: Resolved): number {
   r.log("Re-run with the hostname:");
   r.log("  parachute expose public --cloudflare --domain vault.example.com");
   r.log("");
-  r.log(
-    "The hostname's apex domain must already be a zone on your Cloudflare account.",
-  );
+  r.log("The hostname's apex domain must already be a zone on your Cloudflare account.");
   return 1;
 }
 
@@ -154,9 +152,7 @@ function reportCloudflareNeedsDomain(r: Resolved): number {
  * (`--tailnet` / `--cloudflare`) was supplied AND we're not in a TTY (the TTY
  * path runs `expose-interactive.ts` instead).
  */
-export async function exposePublicAutoPick(
-  opts: ExposePublicAutoOpts = {},
-): Promise<number> {
+export async function exposePublicAutoPick(opts: ExposePublicAutoOpts = {}): Promise<number> {
   const r = resolve(opts);
   const availability = await r.detectProvidersImpl({ cloudflaredHome: r.cloudflaredHome });
   const tsReady = isTailnetReady(availability);

package/src/commands/expose.ts

@@ -17,39 +17,47 @@ import {
   stopHub,
 } from "../hub-control.ts";
 import { deriveHubOrigin } from "../hub-origin.ts";
-import { HUB_MOUNT, HUB_PATH, writeHubFile } from "../hub.ts";
+import { HUB_PATH, writeHubFile } from "../hub.ts";
 import { type AliveFn, processState } from "../process-state.ts";
-import { effectivePublicExposure, shortNameForManifest } from "../service-spec.ts";
+import { shortNameForManifest } from "../service-spec.ts";
 import { type ServiceEntry, readManifest } from "../services-manifest.ts";
 import { type ServeEntry, bringupCommand, teardownCommand } from "../tailscale/commands.ts";
 import { getFqdn, isTailscaleInstalled } from "../tailscale/detect.ts";
 import { type Runner, defaultRunner } from "../tailscale/run.ts";
+import type { VaultAuthStatus } from "../vault/auth-status.ts";
 import {
   WELL_KNOWN_DIR,
   WELL_KNOWN_MOUNT,
   WELL_KNOWN_PATH,
   buildWellKnown,
-  isVaultEntry,
   shortName,
   writeWellKnownFile,
 } from "../well-known.ts";
+import { printPublic2FAWarning } from "./expose-2fa-warning.ts";
 import { restart } from "./lifecycle.ts";
 
 /**
  * Two exposure layers share a single tailscale serve config on this node.
  * Public layer adds `--funnel` to each handler; everything else is identical.
  *
- * Funnel constraint: Tailscale allows at most three public HTTPS ports per
- * node (443, 8443, 10000). Path-routing packs every service onto a single
- * port — that's why we default to one `--https=443` and mount services under
- * `/vault`, `/notes`, etc. rather than giving each service its own port or
- * subdomain. Subdomain-per-service requires the Tailscale Services feature
- * (virtual-IP advertisement) and is deferred.
+ * Single-rule shape: tailnet bringup emits exactly one `tailscale serve`
+ * mount — `/ → http://127.0.0.1:<hubPort>/`. The hub does all internal
+ * routing per request: hub UI, OAuth, well-known, vault SPA + per-vault
+ * proxy, and generic services.json-driven `/<svc>/*` dispatch. Layer
+ * detection (loopback / tailnet / public) and `publicExposure` enforcement
+ * also live in the hub (`layerOf` + `effectivePublicExposure`), so this
+ * plan layer no longer partitions services up-front. Cloudflare ingress
+ * shipped the same shape on 0.5.2 in #178; this closes the symmetry.
  *
- * Hub + well-known entries are HTTP proxies to an internal Bun.serve (see
- * `hub-control.ts`). They used to be `--set-path=<mount> <file>` entries but
- * macOS `tailscaled` runs sandboxed and can't read arbitrary files; proxy
- * mode is the only reliable shape.
+ * Funnel constraint, mostly historical now: Tailscale allows at most three
+ * public HTTPS ports per node (443, 8443, 10000). With one rule there is
+ * one port — symbolic but the constraint is what motivated path-routing
+ * over subdomain-per-service in the first place.
+ *
+ * Hub mount is an HTTP proxy to the internal Bun.serve (see `hub-control.ts`).
+ * Used to be `--set-path=<mount> <file>` entries but macOS `tailscaled` runs
+ * sandboxed and can't read arbitrary files; proxy mode is the only reliable
+ * shape.
  */
 
 export interface ExposeOpts {
@@ -92,6 +100,18 @@ export interface ExposeOpts {
    * spawning real child processes.
    */
   restartService?: (short: string) => Promise<number>;
+  /**
+   * Override `~/.parachute/vault` for the 2FA-enrollment probe on the public
+   * (Funnel) layer. Tests point at a tmp dir; production omits and the probe
+   * defaults to the resolved vault home. (#186)
+   */
+  vaultHome?: string;
+  /**
+   * Pre-computed vault auth status, primarily for tests. When set,
+   * `printPublic2FAWarning` consults this instead of reading
+   * `<vaultHome>/config.yaml` from disk. (#186)
+   */
+  vaultAuthStatus?: VaultAuthStatus;
 }
 
 /**
@@ -104,166 +124,49 @@ export interface ExposeOpts {
 const HUB_DEPENDENT_SHORTS = ["vault"] as const;
 
 /**
- * OAuth paths the hub serves natively. The mount path is what clients see;
- * the target is the hub's loopback origin (where `hub-server.ts` is
- * listening). tailscale strips the mount before forwarding, so the target
- * must include the same path so the hub-server router sees the full URL.
- *
- * Pre-cli#58 (PR (c)) these were proxied to vault's `/vault/<name>/oauth/*`
- * handlers; after PR (c) the hub IS the OAuth IdP and vault validates
- * hub-issued JWTs (vault#169).
+ * Single tailscale serve mount: `/ → http://127.0.0.1:<hubPort>/`. The hub
+ * dispatches everything internally (hub page, /admin, /api, /hub SPA, /oauth,
+ * /.well-known, /vault SPA + proxy, /vaults POST, generic /<svc>/*), so the
+ * tailscale plan stays at this single rule regardless of how many services
+ * are installed. `publicExposure: "loopback"` enforcement happens inside the
+ * hub via `layerOf` — see `proxyToService` / `proxyToVault` in hub-server.ts.
  */
-const OAUTH_PATHS = [
-  "/.well-known/oauth-authorization-server",
-  "/oauth/authorize",
-  "/oauth/token",
-  "/oauth/register",
-] as const;
+const HUB_CATCHALL_MOUNT = "/";
 
 /**
- * Single tailscale serve mount that catches every `/vault/<name>/...` request
- * and routes it through the hub. The hub then reads services.json on each
- * request to pick the right vault backend (#144). Consolidating to one mount
- * means `parachute vault create techne` is reachable on the tailnet without
- * re-running `parachute expose` — only the hub-internal lookup needs to know
- * about the new path.
- *
- * Trailing slash distinguishes the mount from `/vaults` (the create-vault
- * POST endpoint, an exact-match on hub).
+ * Warn (but don't rewrite) for legacy `paths: ["/"]` entries. Pre-#144 these
+ * were remapped to `/<shortname>` so they didn't collide with the hub page
+ * at `/`. Now that the entire tailnet is one catchall to the hub, the hub
+ * dispatches by services.json `paths[]` per request — a `paths: ["/"]` entry
+ * still wouldn't route correctly, but the failure is hub-side rather than a
+ * tailscale plan collision. Emit the warning so operators know to re-install.
  */
-const VAULT_MOUNT = "/vault/";
-
-/**
- * Remap legacy `paths: ["/"]` entries to `/<shortname>` so they don't collide
- * with the hub page at `/`. Emits a warning per remapped service. This is the
- * transitional path for services installed before the vault PR that writes
- * `paths: ["/vault/<default>"]` — once `parachute install` is re-run those
- * entries update themselves and this branch goes dormant.
- */
-function remapLegacyRoot(
-  services: readonly ServiceEntry[],
-  log: (line: string) => void,
-): ServiceEntry[] {
-  return services.map((s) => {
-    const first = s.paths[0];
-    if (first !== "/") return s;
+function warnLegacyRoot(services: readonly ServiceEntry[], log: (line: string) => void): void {
+  for (const s of services) {
+    if (s.paths[0] !== "/") continue;
     const sn = shortName(s.name);
-    const remapped = `/${sn}`;
     log(
-      `note: ${s.name} claims "/"; hub page lives there — exposing at "${remapped}" instead. Re-run \`parachute install ${sn}\` to update services.json.`,
+      `note: ${s.name} claims "/"; hub page lives there — re-run \`parachute install ${sn}\` to update services.json.`,
     );
-    return { ...s, paths: [remapped, ...s.paths.slice(1)] };
-  });
-}
-
-/**
- * Partition services into ones that will be mounted on the layer versus ones
- * that stay loopback-only. "allowed" services go on the serve plan; every
- * other effective exposure state (explicit loopback, explicit auth-required,
- * spec-default auth-required) is withheld. Hidden services still appear in
- * services.json so on-box callers reach them at http://127.0.0.1:<port>.
- */
-interface ExposurePartition {
-  exposed: ServiceEntry[];
-  hidden: Array<{ entry: ServiceEntry; reason: string }>;
-}
-
-function partitionByExposure(services: readonly ServiceEntry[]): ExposurePartition {
-  const exposed: ServiceEntry[] = [];
-  const hidden: Array<{ entry: ServiceEntry; reason: string }> = [];
-  for (const s of services) {
-    const eff = effectivePublicExposure(s);
-    if (eff === "allowed") {
-      exposed.push(s);
-      continue;
-    }
-    // Explicit declaration tells the user exactly what the service asked for;
-    // a spec-derived default points at the usual cause (no auth configured).
-    let reason: string;
-    if (s.publicExposure === "loopback") {
-      reason = "loopback-only by service declaration";
-    } else if (s.publicExposure === "auth-required") {
-      reason = "auth-required: service reports auth is not yet configured";
-    } else {
-      reason = "auth-required: service has no auth gate — set the service's auth token to expose";
-    }
-    hidden.push({ entry: s, reason });
   }
-  return { exposed, hidden };
 }
 
 /**
- * Compose the tailscale serve target URL for a service rooted at `mount`.
- *
- * `tailscale serve --set-path=<mount> <target>` strips `<mount>` from the
- * incoming request path before forwarding. So if the backend expects
- * requests to keep arriving at `<mount>/...` (every SPA with a configured
- * base path, plus vault's `/vault/<name>/` API root) the target URL must
- * include the same mount path — otherwise the backend sees requests at `/`,
- * emits a redirect back to its real base, tailscale strips again, and the
- * client loops on `ERR_TOO_MANY_REDIRECTS`.
- *
- * The rule of thumb is: mount and target path must match byte-for-byte
- * (including trailing slash state), so tailscale's strip-then-forward is a
- * no-op and the backend sees the full path it expects.
+ * Build the tailscale plan: one rule, `/ → http://127.0.0.1:<hubPort>/`.
+ * Hub does internal dispatch (UI, OAuth, well-known, vault SPA + per-vault
+ * proxy, generic /<svc>/* services.json dispatch) and per-request layer
+ * gating for `publicExposure: "loopback"` services. See `layerOf` in
+ * `hub-server.ts` for the access-control matrix.
  */
-function serviceProxyTarget(port: number, mount: string): string {
-  return `http://127.0.0.1:${port}${mount}`;
-}
-
-function planEntries(services: readonly ServiceEntry[], hubPort: number): ServeEntry[] {
-  const entries: ServeEntry[] = [];
-  entries.push({
-    kind: "proxy",
-    mount: HUB_MOUNT,
-    target: serviceProxyTarget(hubPort, HUB_MOUNT),
-    service: "hub",
-  });
-  let anyVault = false;
-  for (const s of services) {
-    if (isVaultEntry(s)) {
-      // Vault paths route through the single `/vault/` → hub mount below so
-      // `parachute vault create <name>` is reachable on the tailnet without
-      // a re-expose. Hub does the per-request services.json lookup (#144).
-      anyVault = true;
-      continue;
-    }
-    const mount = s.paths[0] ?? `/${shortName(s.name)}`;
-    entries.push({
+function planEntries(hubPort: number): ServeEntry[] {
+  return [
+    {
       kind: "proxy",
-      mount,
-      target: serviceProxyTarget(s.port, mount),
-      service: s.name,
-    });
-  }
-  if (anyVault) {
-    entries.push({
-      kind: "proxy",
-      mount: VAULT_MOUNT,
-      target: serviceProxyTarget(hubPort, VAULT_MOUNT),
-      service: "vault",
-    });
-  }
-  entries.push({
-    kind: "proxy",
-    mount: WELL_KNOWN_MOUNT,
-    target: serviceProxyTarget(hubPort, WELL_KNOWN_MOUNT),
-    service: "well-known",
-  });
-
-  // The hub is the OAuth IdP — mount the four endpoints at the canonical
-  // origin and proxy them to the hub's loopback. tailscale strips the mount
-  // before forwarding, so the target keeps the same path (matches the
-  // `serviceProxyTarget` rule of thumb in the doc above).
-  for (const oauthPath of OAUTH_PATHS) {
-    entries.push({
-      kind: "proxy",
-      mount: oauthPath,
-      target: serviceProxyTarget(hubPort, oauthPath),
-      service: "hub:oauth",
-    });
-  }
-  return entries;
+      mount: HUB_CATCHALL_MOUNT,
+      target: `http://127.0.0.1:${hubPort}/`,
+      service: "hub",
+    },
+  ];
 }
 
 async function runEach(
@@ -366,12 +269,13 @@ export async function exposeUp(layer: ExposeLayer, opts: ExposeOpts = {}): Promi
     }
   }
 
-  const allServices = remapLegacyRoot(manifest.services, log);
-  // Split out loopback/auth-required services before planning the serve routes.
-  // Hidden services keep their /127.0.0.1:<port> accessibility for on-box
-  // callers (e.g., vault's transcription-worker dialing scribe); they just
-  // don't land on tailnet/funnel.
-  const { exposed: services, hidden } = partitionByExposure(allServices);
+  // Plan no longer partitions services — every service goes through the
+  // single hub catchall, and hub gates per request (`publicExposure` +
+  // `layerOf` in hub-server.ts). Just surface the legacy `paths: ["/"]`
+  // warning so operators know to re-install. `warnLegacyRoot` is
+  // side-effect-only (warning to `log`); use `manifest.services` directly
+  // downstream.
+  warnLegacyRoot(manifest.services, log);
 
   /**
    * Probe each service port before wiring tailscale up. A service that's
@@ -381,7 +285,7 @@ export async function exposeUp(layer: ExposeLayer, opts: ExposeOpts = {}): Promi
    */
   const portProbe = opts.servicePortProbe ?? (async (p: number) => !(await defaultPortProbe(p)));
   const probeResults = await Promise.all(
-    services.map(async (s) => ({ svc: s, up: await portProbe(s.port) })),
+    manifest.services.map(async (s) => ({ svc: s, up: await portProbe(s.port) })),
   );
   for (const { svc, up } of probeResults) {
     if (up) continue;
@@ -394,7 +298,7 @@ export async function exposeUp(layer: ExposeLayer, opts: ExposeOpts = {}): Promi
   // Kept for manual debugging / inspection only — the hub server now builds
   // /.well-known/parachute.json dynamically from services.json at request time
   // (#135), so this on-disk copy is no longer load-bearing for any consumer.
-  const wellKnownDoc = buildWellKnown({ services, canonicalOrigin });
+  const wellKnownDoc = buildWellKnown({ services: manifest.services, canonicalOrigin });
   writeWellKnownFile(wellKnownDoc, wellKnownFilePath);
   log(`Wrote ${wellKnownFilePath}`);
   writeHubFile(hubFilePath);
@@ -416,7 +320,7 @@ export async function exposeUp(layer: ExposeLayer, opts: ExposeOpts = {}): Promi
     hubPort = existing;
   } else {
     const hub = await ensureHubRunning({
-      reservedPorts: services.map((s) => s.port),
+      reservedPorts: manifest.services.map((s) => s.port),
       ...(opts.hubEnsureOpts ?? {}),
       configDir,
       wellKnownDir,
@@ -428,15 +332,12 @@ export async function exposeUp(layer: ExposeLayer, opts: ExposeOpts = {}): Promi
     else log(`✓ hub already running (pid ${hub.pid}, port ${hub.port}).`);
   }
 
-  const entries = planEntries(services, hubPort);
+  const entries = planEntries(hubPort);
   log(`Exposing under ${canonicalOrigin} (${layerLabel(layer)}, path-routing, port ${port}):`);
   for (const e of entries) {
     const suffix = e.kind === "proxy" ? `→ ${e.target}  (${e.service})` : `→ ${e.target}`;
     log(`  ${e.mount.padEnd(30, " ")} ${suffix}`);
   }
-  for (const { entry: hiddenSvc, reason } of hidden) {
-    log(`  (${hiddenSvc.name} is loopback-only — ${reason})`);
-  }
 
   const cmds = entries.map((e) => bringupCommand(e, { port, funnel }));
   const code = await runEach(runner, cmds, log);
@@ -470,6 +371,20 @@ export async function exposeUp(layer: ExposeLayer, opts: ExposeOpts = {}): Promi
   log(`  Discovery: ${canonicalOrigin}${WELL_KNOWN_MOUNT}`);
   log(`  OAuth issuer: ${hubOrigin}`);
 
+  // 2FA-enrollment warning, public-layer only. /admin/login became reachable
+  // from every layer when 0.5.3-rc.1 collapsed the access-control matrix into
+  // the hub; on Funnel that means the open internet, where 2FA is the
+  // defense beyond #188's rate-limit floor. Tailnet exposure stays
+  // tailscale-authed at the ingress so the warning is moot there. See #186.
+  if (layer === "public") {
+    printPublic2FAWarning({
+      log,
+      publicUrl: canonicalOrigin,
+      ...(opts.vaultHome !== undefined ? { vaultHome: opts.vaultHome } : {}),
+      ...(opts.vaultAuthStatus !== undefined ? { status: opts.vaultAuthStatus } : {}),
+    });
+  }
+
   // Auto-restart services that cache the hub origin. Aaron hit this on launch
   // day: after `expose public` first-run, vault kept its stale (loopback)
   // PARACHUTE_HUB_ORIGIN, the OAuth issuer didn't match what clients saw, and

package/src/commands/install.ts

@@ -545,29 +545,27 @@ export async function install(input: string, opts: InstallOpts = {}): Promise<nu
     }
   }
 
-  // CLI-as-port-authority (#53): pick the service's port now and persist it
-  // via `~/.parachute/<svc>/.env`. lifecycle.start merges that .env into the
-  // spawn env (PR #50), so the next daemon boot binds the port we picked.
-  // Idempotent — an existing PORT in .env wins, so re-installs and
-  // user-edited ports survive across upgrades. Compiled-in service-side
-  // fallbacks (vault → 1940 etc.) stay; this just adds a CLI-managed
-  // override.
+  // Hub-as-port-authority (#53): pick the service's port now and reflect it
+  // in services.json. Pre-hub#206 the install path also wrote `PORT=<port>`
+  // into the service's `.env`; post-#206 (option A) services.json is the
+  // single source of truth — services follow the 4-tier resolvePort ladder
+  // (services.json → service config → bare PORT env → compiled-in default,
+  // per parachute-scribe#41 / parachute-agent#146 / parachute-agent#148 /
+  // parachute-patterns#45), so the duplicate `.env` PORT was at best dead
+  // weight and at worst a source of drift on re-install. Existing `.env`
+  // PORT lines on operator machines stay where they are — harmless — and
+  // future installs no longer touch them.
   const preInitEntry = findService(entryName, manifestPath);
   const probe = opts.portProbe ?? defaultPortProbe;
   const occupied = await collectOccupiedPorts(manifestPath, entryName, preInitEntry?.port, probe);
-  const envPath = join(configDir, short, ".env");
   const canonicalPort = spec.seedEntry?.().port ?? preInitEntry?.port;
   const portResult = assignServicePort({
-    envPath,
     canonical: canonicalPort,
     occupied,
   });
   if (portResult.warning) {
     log(`⚠ ${portResult.warning}`);
   }
-  if (portResult.written) {
-    log(`Wrote PORT=${portResult.port} to ${envPath}.`);
-  }
 
   // Find-or-seed the manifest entry. Re-read after the seed write so a silent
   // upsert failure (filesystem permission, races against an external writer)
@@ -600,7 +598,7 @@ export async function install(input: string, opts: InstallOpts = {}): Promise<nu
   } else if (entry && entry.port !== portResult.port) {
     // init wrote an entry on the canonical port but the CLI assigned a
     // different one (collision). Reflect the CLI's choice so the hub and
-    // status views stay consistent with the .env we just wrote.
+    // status views stay consistent with the canonical-port assignment.
     upsertService({ ...entry, port: portResult.port }, manifestPath);
     entry = findService(entryName, manifestPath);
     log(