@openparachute/hub 0.5.2 → 0.5.9-rc.6

package/src/__tests__/auth.test.ts

@@ -556,6 +556,103 @@ describe("parachute auth rotate-operator", () => {
       tmp.cleanup();
     }
   });
+
+  // closes #213 — `--scope-set` flag.
+  test("--scope-set=start mints with parachute:host:start only", async () => {
+    const tmp = makeTmp();
+    try {
+      const deps: AuthDeps = {
+        dbPath: tmp.dbPath,
+        configDir: tmp.dir,
+        isInteractive: () => false,
+      };
+      await captureOutput(() => auth(["set-password", "--password", "pw"], deps));
+      const { code, stdout } = await captureOutput(() =>
+        auth(["rotate-operator", "--scope-set", "start"], deps),
+      );
+      expect(code).toBe(0);
+      expect(stdout).toContain("scope_set:  start");
+      const onDisk = await readOperatorTokenFile(tmp.dir);
+      expect(onDisk).not.toBeNull();
+      const db = openHubDb(tmp.dbPath);
+      try {
+        const validated = await validateAccessToken(db, onDisk!, "http://127.0.0.1:1939");
+        expect(validated.payload.scope).toBe("parachute:host:start");
+      } finally {
+        db.close();
+      }
+    } finally {
+      tmp.cleanup();
+    }
+  });
+
+  test("--scope-set=admin (default) mints the full admin set", async () => {
+    const tmp = makeTmp();
+    try {
+      const deps: AuthDeps = {
+        dbPath: tmp.dbPath,
+        configDir: tmp.dir,
+        isInteractive: () => false,
+      };
+      await captureOutput(() => auth(["set-password", "--password", "pw"], deps));
+      const { code, stdout } = await captureOutput(() => auth(["rotate-operator"], deps));
+      expect(code).toBe(0);
+      expect(stdout).toContain("scope_set:  admin");
+      const onDisk = await readOperatorTokenFile(tmp.dir);
+      const db = openHubDb(tmp.dbPath);
+      try {
+        const validated = await validateAccessToken(db, onDisk!, "http://127.0.0.1:1939");
+        const scopes = String(validated.payload.scope ?? "").split(" ");
+        expect(scopes).toContain("hub:admin");
+        expect(scopes).toContain("parachute:host:admin");
+        expect(scopes).toContain("vault:admin");
+      } finally {
+        db.close();
+      }
+    } finally {
+      tmp.cleanup();
+    }
+  });
+
+  test("--scope-set=bogus rejected with usage message", async () => {
+    const tmp = makeTmp();
+    try {
+      const deps: AuthDeps = {
+        dbPath: tmp.dbPath,
+        configDir: tmp.dir,
+        isInteractive: () => false,
+      };
+      await captureOutput(() => auth(["set-password", "--password", "pw"], deps));
+      const { code, stderr } = await captureOutput(() =>
+        auth(["rotate-operator", "--scope-set", "wallet"], deps),
+      );
+      expect(code).toBe(1);
+      expect(stderr).toContain("--scope-set must be one of");
+      expect(stderr).toContain("install");
+      expect(stderr).toContain("admin");
+    } finally {
+      tmp.cleanup();
+    }
+  });
+
+  test("unknown flag is rejected", async () => {
+    const tmp = makeTmp();
+    try {
+      const deps: AuthDeps = {
+        dbPath: tmp.dbPath,
+        configDir: tmp.dir,
+        isInteractive: () => false,
+      };
+      await captureOutput(() => auth(["set-password", "--password", "pw"], deps));
+      const { code, stderr } = await captureOutput(() =>
+        auth(["rotate-operator", "--bogus"], deps),
+      );
+      expect(code).toBe(1);
+      expect(stderr).toContain("unknown flag");
+    } finally {
+      tmp.cleanup();
+    }
+  });
 });
 
 // closes #74 — the operator's surface for the DCR approval gate. The CLI
@@ -863,7 +960,8 @@ describe("parachute auth mint-token", () => {
     }
   });
 
-  test("operator token without hub:admin scope is rejected (no token emitted)", async () => {
+  // closes #213 — auto-rotation banner must not leak into stdout (pipe purity).
+  test("operator token within 7d of expiry: auto-rotates, banner on stderr only", async () => {
     const tmp = makeTmp();
     try {
       const deps: AuthDeps = {
@@ -873,40 +971,172 @@ describe("parachute auth mint-token", () => {
       };
       // Bootstrap: set-password to seed the user + signing key.
       await captureOutput(() => auth(["set-password", "--password", "pw"], deps));
-      // Now overwrite operator.token with a valid-signature, valid-expiry
-      // JWT that lacks hub:admin — simulating someone stashing a narrow
-      // token at the operator path.
+      // Overwrite operator.token with one that's within 7d of expiry — the
+      // auto-rotation path should fire on the next mint-token invocation.
+      const { issueOperatorToken } = await import("../operator-token.ts");
       const db = openHubDb(tmp.dbPath);
-      let narrow: string;
+      const originalOnDisk = await readOperatorTokenFile(tmp.dir);
       try {
-        const owner = listUsers(db)[0]!;
-        const signed = await signAccessToken(db, {
-          sub: owner.id,
-          scopes: ["scribe:transcribe"],
-          audience: "scribe",
-          clientId: OPERATOR_TOKEN_CLIENT_ID,
+        await issueOperatorToken(db, listUsers(db)[0]!.id, {
+          dir: tmp.dir,
           issuer: "http://127.0.0.1:1939",
-          ttlSeconds: 3600,
+          ttlSeconds: 24 * 60 * 60,
         });
-        narrow = signed.token;
       } finally {
         db.close();
       }
-      await writeOperatorTokenFile(narrow, tmp.dir);
 
+      const { code, stdout, stderr } = await captureOutput(() =>
+        auth(["mint-token", "--scope", "scribe:transcribe"], deps),
+      );
+      expect(code).toBe(0);
+      // The minted JWT is the only thing on stdout (pipe purity).
+      const token = stdout.trim();
+      expect(token.split(".").length).toBe(3);
+      expect(stdout).toBe(`${token}\n`);
+      // Auto-rotation banner went to stderr.
+      expect(stderr).toContain("auto-rotated");
+      expect(stderr).toContain("scope_set=admin");
+      // The on-disk operator.token was replaced.
+      const after = await readOperatorTokenFile(tmp.dir);
+      expect(after).not.toBeNull();
+      expect(after).not.toBe(originalOnDisk);
+    } finally {
+      tmp.cleanup();
+    }
+  });
+
+  // Helper: stash a token with the chosen scopes at operator.token, returning
+  // the deps bag so the caller can immediately invoke mint-token. Used by
+  // every gating-scope test below to exercise the gate against a known
+  // narrow / wide token without going through `rotate-operator` (which would
+  // always mint admin-set).
+  //
+  // TTL is 30d (well beyond the 7d auto-rotation window) so the token
+  // survives the next mint-token call without being silently swapped for a
+  // fresh admin-set token by the auto-rotation path. Without this, narrow
+  // tokens would auto-rotate to admin and our gate tests would all see the
+  // post-rotation token, defeating the test entirely.
+  async function bootstrapWithOperatorScopes(
+    tmp: { dir: string; dbPath: string; cleanup: () => void },
+    scopes: readonly string[],
+  ): Promise<AuthDeps> {
+    const deps: AuthDeps = {
+      dbPath: tmp.dbPath,
+      configDir: tmp.dir,
+      isInteractive: () => false,
+    };
+    await captureOutput(() => auth(["set-password", "--password", "pw"], deps));
+    const db = openHubDb(tmp.dbPath);
+    let token: string;
+    try {
+      const owner = listUsers(db)[0]!;
+      const signed = await signAccessToken(db, {
+        sub: owner.id,
+        scopes: [...scopes],
+        audience: "operator",
+        clientId: OPERATOR_TOKEN_CLIENT_ID,
+        issuer: "http://127.0.0.1:1939",
+        ttlSeconds: 30 * 24 * 60 * 60,
+      });
+      token = signed.token;
+    } finally {
+      db.close();
+    }
+    await writeOperatorTokenFile(token, tmp.dir);
+    return deps;
+  }
+
+  // hub#222: gate widened from `hub:admin` to `parachute:host:auth`. The
+  // following tests pin the new behaviour:
+  //   - admin scope-set (which carries both) still succeeds (regression);
+  //   - `auth` scope-set (carries only `:host:auth`) NOW succeeds (gain);
+  //   - other narrow scope-sets (vault/install/etc.) still rejected;
+  //   - error message updated to name the new gate.
+
+  test("operator token with `auth` scope-set (parachute:host:auth only) mints successfully (hub#222)", async () => {
+    const tmp = makeTmp();
+    try {
+      const deps = await bootstrapWithOperatorScopes(tmp, ["parachute:host:auth"]);
+      const { code, stdout, stderr } = await captureOutput(() =>
+        auth(["mint-token", "--scope", "scribe:transcribe"], deps),
+      );
+      expect(code).toBe(0);
+      // Pipe purity: stdout is the JWT, stderr empty.
+      const token = stdout.trim();
+      expect(token.split(".").length).toBe(3);
+      expect(stdout).toBe(`${token}\n`);
+      expect(stderr).toBe("");
+    } finally {
+      tmp.cleanup();
+    }
+  });
+
+  test("operator token with admin scope-set still mints (regression — admin includes :host:auth as superset)", async () => {
+    const tmp = makeTmp();
+    try {
+      // The full admin scope-set carries both `hub:admin` and `parachute:host:auth`.
+      const deps = await bootstrapWithOperatorScopes(tmp, [
+        "hub:admin",
+        "parachute:host:auth",
+        "vault:admin",
+      ]);
+      const { code, stdout } = await captureOutput(() =>
+        auth(["mint-token", "--scope", "scribe:transcribe"], deps),
+      );
+      expect(code).toBe(0);
+      expect(stdout.trim().split(".").length).toBe(3);
+    } finally {
+      tmp.cleanup();
+    }
+  });
+
+  test("operator token without parachute:host:auth is rejected (no token emitted)", async () => {
+    const tmp = makeTmp();
+    try {
+      // Narrow non-auth token (resembles what someone might stash by mistake,
+      // or a `--scope-set vault` operator token from rotate-operator).
+      const deps = await bootstrapWithOperatorScopes(tmp, ["scribe:transcribe"]);
       const { code, stdout, stderr } = await captureOutput(() =>
         auth(["mint-token", "--scope", "scribe:transcribe"], deps),
       );
       expect(code).toBe(1);
-      expect(stderr).toContain("lacks hub:admin scope");
+      expect(stderr).toContain("lacks parachute:host:auth scope");
       expect(stderr).toContain("rotate-operator");
-      // Purity: no token written to stdout.
       expect(stdout).toBe("");
     } finally {
       tmp.cleanup();
     }
   });
 
+  test("`vault` scope-set is rejected (regression — narrow scope-sets still can't mint)", async () => {
+    const tmp = makeTmp();
+    try {
+      const deps = await bootstrapWithOperatorScopes(tmp, ["parachute:host:vault"]);
+      const { code, stderr } = await captureOutput(() =>
+        auth(["mint-token", "--scope", "scribe:transcribe"], deps),
+      );
+      expect(code).toBe(1);
+      expect(stderr).toContain("lacks parachute:host:auth scope");
+    } finally {
+      tmp.cleanup();
+    }
+  });
+
+  test("`install` scope-set is rejected (regression — narrow scope-sets still can't mint)", async () => {
+    const tmp = makeTmp();
+    try {
+      const deps = await bootstrapWithOperatorScopes(tmp, ["parachute:host:install", "vault:read"]);
+      const { code, stderr } = await captureOutput(() =>
+        auth(["mint-token", "--scope", "scribe:transcribe"], deps),
+      );
+      expect(code).toBe(1);
+      expect(stderr).toContain("lacks parachute:host:auth scope");
+    } finally {
+      tmp.cleanup();
+    }
+  });
+
   test("named vault scope infers aud=vault.<name>", async () => {
     const tmp = makeTmp();
     try {
@@ -1144,4 +1374,438 @@ describe("parachute auth mint-token", () => {
       tmp.cleanup();
     }
   });
+
+  // closes #212 Phase 1 — registry write, --permissions, --expires-in,
+  // --ttl deprecation notice.
+  test("every successful mint writes a tokens registry row (created_via=cli_mint)", async () => {
+    const tmp = makeTmp();
+    try {
+      const deps: AuthDeps = {
+        dbPath: tmp.dbPath,
+        configDir: tmp.dir,
+        isInteractive: () => false,
+      };
+      await captureOutput(() => auth(["set-password", "--password", "pw"], deps));
+      const { code, stdout } = await captureOutput(() =>
+        auth(["mint-token", "--scope", "scribe:transcribe"], deps),
+      );
+      expect(code).toBe(0);
+      const token = stdout.trim();
+      const db = openHubDb(tmp.dbPath);
+      try {
+        const validated = await validateAccessToken(db, token);
+        const jti = validated.payload.jti as string;
+        const row = db
+          .query<{ jti: string; created_via: string; subject: string | null }, [string]>(
+            "SELECT jti, created_via, subject FROM tokens WHERE jti = ?",
+          )
+          .get(jti);
+        expect(row).not.toBeNull();
+        expect(row?.created_via).toBe("cli_mint");
+        // Default subject = operator's sub (the hub user id).
+        expect(typeof row?.subject).toBe("string");
+        expect(row?.subject?.length).toBeGreaterThan(0);
+      } finally {
+        db.close();
+      }
+    } finally {
+      tmp.cleanup();
+    }
+  });
+
+  test("--permissions JSON object round-trips into JWT + registry row", async () => {
+    const tmp = makeTmp();
+    try {
+      const deps: AuthDeps = {
+        dbPath: tmp.dbPath,
+        configDir: tmp.dir,
+        isInteractive: () => false,
+      };
+      await captureOutput(() => auth(["set-password", "--password", "pw"], deps));
+      const permissions = '{"vault":{"default":{"write_tags":["health"]}}}';
+      const { code, stdout } = await captureOutput(() =>
+        auth(["mint-token", "--scope", "vault:default:write", "--permissions", permissions], deps),
+      );
+      expect(code).toBe(0);
+      const token = stdout.trim();
+      const db = openHubDb(tmp.dbPath);
+      try {
+        const validated = await validateAccessToken(db, token);
+        expect(validated.payload.permissions).toEqual({
+          vault: { default: { write_tags: ["health"] } },
+        });
+        const jti = validated.payload.jti as string;
+        const row = db
+          .query<{ permissions: string }, [string]>("SELECT permissions FROM tokens WHERE jti = ?")
+          .get(jti);
+        expect(JSON.parse(row!.permissions)).toEqual({
+          vault: { default: { write_tags: ["health"] } },
+        });
+      } finally {
+        db.close();
+      }
+    } finally {
+      tmp.cleanup();
+    }
+  });
+
+  test("--permissions with malformed JSON is rejected", async () => {
+    const tmp = makeTmp();
+    try {
+      const deps: AuthDeps = {
+        dbPath: tmp.dbPath,
+        configDir: tmp.dir,
+        isInteractive: () => false,
+      };
+      await captureOutput(() => auth(["set-password", "--password", "pw"], deps));
+      const { code, stderr } = await captureOutput(() =>
+        auth(["mint-token", "--scope", "vault:read", "--permissions", "{not-json}"], deps),
+      );
+      expect(code).toBe(1);
+      expect(stderr).toContain("not valid JSON");
+    } finally {
+      tmp.cleanup();
+    }
+  });
+
+  test("--permissions with non-object JSON (array) is rejected", async () => {
+    const tmp = makeTmp();
+    try {
+      const deps: AuthDeps = {
+        dbPath: tmp.dbPath,
+        configDir: tmp.dir,
+        isInteractive: () => false,
+      };
+      await captureOutput(() => auth(["set-password", "--password", "pw"], deps));
+      const { code, stderr } = await captureOutput(() =>
+        auth(["mint-token", "--scope", "vault:read", "--permissions", "[1,2,3]"], deps),
+      );
+      expect(code).toBe(1);
+      expect(stderr).toContain("must be a JSON object");
+    } finally {
+      tmp.cleanup();
+    }
+  });
+
+  test("--expires-in (canonical) sets the JWT TTL in seconds", async () => {
+    const tmp = makeTmp();
+    try {
+      const deps: AuthDeps = {
+        dbPath: tmp.dbPath,
+        configDir: tmp.dir,
+        isInteractive: () => false,
+      };
+      await captureOutput(() => auth(["set-password", "--password", "pw"], deps));
+      const { code, stdout } = await captureOutput(() =>
+        auth(["mint-token", "--scope", "scribe:transcribe", "--expires-in", "7200"], deps),
+      );
+      expect(code).toBe(0);
+      const token = stdout.trim();
+      const db = openHubDb(tmp.dbPath);
+      try {
+        const validated = await validateAccessToken(db, token);
+        const exp = validated.payload.exp as number;
+        const iat = validated.payload.iat as number;
+        expect(exp - iat).toBe(7200);
+      } finally {
+        db.close();
+      }
+    } finally {
+      tmp.cleanup();
+    }
+  });
+
+  test("--expires-in with non-integer value rejected", async () => {
+    const tmp = makeTmp();
+    try {
+      const deps: AuthDeps = {
+        dbPath: tmp.dbPath,
+        configDir: tmp.dir,
+        isInteractive: () => false,
+      };
+      await captureOutput(() => auth(["set-password", "--password", "pw"], deps));
+      const { code, stderr } = await captureOutput(() =>
+        auth(["mint-token", "--scope", "vault:read", "--expires-in", "1d"], deps),
+      );
+      expect(code).toBe(1);
+      expect(stderr).toContain("integer seconds count");
+    } finally {
+      tmp.cleanup();
+    }
+  });
+
+  test("--expires-in over 365d cap rejected", async () => {
+    const tmp = makeTmp();
+    try {
+      const deps: AuthDeps = {
+        dbPath: tmp.dbPath,
+        configDir: tmp.dir,
+        isInteractive: () => false,
+      };
+      await captureOutput(() => auth(["set-password", "--password", "pw"], deps));
+      const { code, stderr } = await captureOutput(() =>
+        auth(["mint-token", "--scope", "vault:read", "--expires-in", String(366 * 86400)], deps),
+      );
+      expect(code).toBe(1);
+      expect(stderr).toContain("365d cap");
+    } finally {
+      tmp.cleanup();
+    }
+  });
+
+  test("--ttl emits deprecation notice on stderr but still works", async () => {
+    const tmp = makeTmp();
+    try {
+      const deps: AuthDeps = {
+        dbPath: tmp.dbPath,
+        configDir: tmp.dir,
+        isInteractive: () => false,
+      };
+      await captureOutput(() => auth(["set-password", "--password", "pw"], deps));
+      const { code, stdout, stderr } = await captureOutput(() =>
+        auth(["mint-token", "--scope", "scribe:transcribe", "--ttl", "1h"], deps),
+      );
+      expect(code).toBe(0);
+      expect(stdout.trim().split(".").length).toBe(3);
+      expect(stderr).toContain("--ttl is deprecated");
+      expect(stderr).toContain("--expires-in");
+      expect(stderr).toContain("0.6.0");
+    } finally {
+      tmp.cleanup();
+    }
+  });
+
+  // closes #215 reviewer F1 — privilege-diffusion guard on the CLI mint path.
+  test("CLI mint-token rejects parachute:host:auth (non-requestable scope)", async () => {
+    const tmp = makeTmp();
+    try {
+      const deps: AuthDeps = {
+        dbPath: tmp.dbPath,
+        configDir: tmp.dir,
+        isInteractive: () => false,
+      };
+      await captureOutput(() => auth(["set-password", "--password", "pw"], deps));
+      const { code, stdout, stderr } = await captureOutput(() =>
+        auth(["mint-token", "--scope", "parachute:host:auth"], deps),
+      );
+      expect(code).toBe(1);
+      expect(stderr).toContain("not requestable");
+      expect(stderr).toContain("parachute:host:auth");
+      // No token leaked to stdout.
+      expect(stdout).toBe("");
+    } finally {
+      tmp.cleanup();
+    }
+  });
+
+  test("passing both --ttl and --expires-in is an error", async () => {
+    const tmp = makeTmp();
+    try {
+      const deps: AuthDeps = {
+        dbPath: tmp.dbPath,
+        configDir: tmp.dir,
+        isInteractive: () => false,
+      };
+      await captureOutput(() => auth(["set-password", "--password", "pw"], deps));
+      const { code, stderr } = await captureOutput(() =>
+        auth(["mint-token", "--scope", "vault:read", "--ttl", "1h", "--expires-in", "3600"], deps),
+      );
+      expect(code).toBe(1);
+      expect(stderr).toContain("--ttl");
+      expect(stderr).toContain("--expires-in");
+    } finally {
+      tmp.cleanup();
+    }
+  });
+});
+
+describe("parachute auth revoke-token", () => {
+  // Each test mints a fresh token via mint-token and then revokes it. Going
+  // through the public mint surface (rather than calling signAccessToken +
+  // recordTokenMint directly) keeps these tests honest about the contract:
+  // mint writes a registry row, revoke-token flips its bit, and a future
+  // round-trip through validateAccessToken would reject it. The Phase 4
+  // RS-side enforcement is exercised in scope-guard's own integration suite.
+
+  async function mintAJti(deps: AuthDeps): Promise<string> {
+    const { stdout } = await captureOutput(() =>
+      auth(["mint-token", "--scope", "scribe:transcribe"], deps),
+    );
+    const token = stdout.trim();
+    // Decode the unverified payload to recover the jti — every mint stamps one.
+    const [, payloadB64] = token.split(".");
+    const payload = JSON.parse(Buffer.from(payloadB64!, "base64url").toString("utf8")) as {
+      jti: string;
+    };
+    return payload.jti;
+  }
+
+  test("missing jti positional is a usage error", async () => {
+    const tmp = makeTmp();
+    try {
+      const { code, stderr } = await captureOutput(() =>
+        auth(["revoke-token"], { dbPath: tmp.dbPath, configDir: tmp.dir }),
+      );
+      expect(code).toBe(1);
+      expect(stderr).toContain("missing jti argument");
+    } finally {
+      tmp.cleanup();
+    }
+  });
+
+  test("unexpected flag is a usage error", async () => {
+    const tmp = makeTmp();
+    try {
+      const { code, stderr } = await captureOutput(() =>
+        auth(["revoke-token", "--reason", "compromise", "abc123"], {
+          dbPath: tmp.dbPath,
+          configDir: tmp.dir,
+        }),
+      );
+      expect(code).toBe(1);
+      expect(stderr).toContain("unexpected flag");
+      expect(stderr).toContain("--reason");
+    } finally {
+      tmp.cleanup();
+    }
+  });
+
+  test("revokes a fresh token and prints subject + scope", async () => {
+    const tmp = makeTmp();
+    try {
+      const deps: AuthDeps = {
+        dbPath: tmp.dbPath,
+        configDir: tmp.dir,
+        isInteractive: () => false,
+      };
+      await captureOutput(() => auth(["set-password", "--password", "pw"], deps));
+      const jti = await mintAJti(deps);
+      const { code, stdout, stderr } = await captureOutput(() => auth(["revoke-token", jti], deps));
+      expect(code).toBe(0);
+      expect(stderr).toBe("");
+      expect(stdout).toContain(`revoked: jti=${jti}`);
+      expect(stdout).toContain("identity=");
+      expect(stdout).toContain("scope=scribe:transcribe");
+
+      // Registry row really has revoked_at set now.
+      const db = openHubDb(tmp.dbPath);
+      try {
+        const { findTokenRowByJti } = await import("../jwt-sign.ts");
+        const row = findTokenRowByJti(db, jti);
+        expect(row?.revokedAt).not.toBeNull();
+      } finally {
+        db.close();
+      }
+    } finally {
+      tmp.cleanup();
+    }
+  });
+
+  test("re-revoke is idempotent: exit 0, prints existing revoked_at", async () => {
+    const tmp = makeTmp();
+    try {
+      const deps: AuthDeps = {
+        dbPath: tmp.dbPath,
+        configDir: tmp.dir,
+        isInteractive: () => false,
+      };
+      await captureOutput(() => auth(["set-password", "--password", "pw"], deps));
+      const jti = await mintAJti(deps);
+      const first = await captureOutput(() => auth(["revoke-token", jti], deps));
+      expect(first.code).toBe(0);
+
+      // Capture the timestamp from the first revoke for cross-check.
+      const db = openHubDb(tmp.dbPath);
+      let firstRevokedAt: string | null;
+      try {
+        const { findTokenRowByJti } = await import("../jwt-sign.ts");
+        firstRevokedAt = findTokenRowByJti(db, jti)?.revokedAt ?? null;
+      } finally {
+        db.close();
+      }
+      expect(firstRevokedAt).not.toBeNull();
+
+      const second = await captureOutput(() => auth(["revoke-token", jti], deps));
+      expect(second.code).toBe(0);
+      expect(second.stdout).toContain("already revoked at");
+      expect(second.stdout).toContain(firstRevokedAt!);
+    } finally {
+      tmp.cleanup();
+    }
+  });
+
+  test("unknown jti exits 1 with not-found error", async () => {
+    const tmp = makeTmp();
+    try {
+      const deps: AuthDeps = {
+        dbPath: tmp.dbPath,
+        configDir: tmp.dir,
+        isInteractive: () => false,
+      };
+      await captureOutput(() => auth(["set-password", "--password", "pw"], deps));
+      const { code, stderr } = await captureOutput(() =>
+        auth(["revoke-token", "this-jti-does-not-exist"], deps),
+      );
+      expect(code).toBe(1);
+      expect(stderr).toContain("no token with jti this-jti-does-not-exist found in registry");
+    } finally {
+      tmp.cleanup();
+    }
+  });
+
+  test("operator token without parachute:host:auth is rejected", async () => {
+    const tmp = makeTmp();
+    try {
+      const deps: AuthDeps = {
+        dbPath: tmp.dbPath,
+        configDir: tmp.dir,
+        isInteractive: () => false,
+      };
+      await captureOutput(() => auth(["set-password", "--password", "pw"], deps));
+      // Replace operator.token with a narrow JWT that lacks parachute:host:auth.
+      const db = openHubDb(tmp.dbPath);
+      let narrow: string;
+      try {
+        const owner = listUsers(db)[0]!;
+        const signed = await signAccessToken(db, {
+          sub: owner.id,
+          scopes: ["scribe:transcribe"],
+          audience: "scribe",
+          clientId: OPERATOR_TOKEN_CLIENT_ID,
+          issuer: "http://127.0.0.1:1939",
+          ttlSeconds: 3600,
+        });
+        narrow = signed.token;
+      } finally {
+        db.close();
+      }
+      await writeOperatorTokenFile(narrow, tmp.dir);
+
+      const { code, stderr } = await captureOutput(() => auth(["revoke-token", "any-jti"], deps));
+      expect(code).toBe(1);
+      expect(stderr).toContain("lacks parachute:host:auth scope");
+      expect(stderr).toContain("rotate-operator");
+    } finally {
+      tmp.cleanup();
+    }
+  });
+
+  test("missing operator.token is an actionable error", async () => {
+    const tmp = makeTmp();
+    try {
+      const { code, stderr } = await captureOutput(() =>
+        auth(["revoke-token", "any-jti"], { dbPath: tmp.dbPath, configDir: tmp.dir }),
+      );
+      expect(code).toBe(1);
+      expect(stderr).toContain("operator.token");
+      expect(stderr).toContain("rotate-operator");
+    } finally {
+      tmp.cleanup();
+    }
+  });
+
+  test("authHelp lists revoke-token alongside mint-token", () => {
+    expect(authHelp()).toContain("revoke-token");
+    expect(authHelp()).toContain("revoke-token <jti>");
+  });
 });