@openparachute/hub 0.5.2 → 0.5.9-rc.6

package/src/__tests__/hub-server.test.ts

@@ -5,7 +5,7 @@ import { join } from "node:path";
 import { fileURLToPath } from "node:url";
 import { HUB_SVC, hubPortPath } from "../hub-control.ts";
 import { hubDbPath, openHubDb } from "../hub-db.ts";
-import { findServiceUpstream, findVaultUpstream, hubFetch } from "../hub-server.ts";
+import { findServiceUpstream, findVaultUpstream, hubFetch, layerOf } from "../hub-server.ts";
 import { pidPath } from "../process-state.ts";
 import { type ServiceEntry, writeManifest } from "../services-manifest.ts";
 import { rotateSigningKey } from "../signing-keys.ts";
@@ -57,7 +57,7 @@ describe("hubFetch routing", () => {
     }
   });
 
-  test("/hub.html serves the same file as /", async () => {
+  test("/hub.html serves the same file as / (no DB → static fallback)", async () => {
     const h = makeHarness();
     try {
       writeFileSync(join(h.dir, "hub.html"), "<html>x</html>");
@@ -69,6 +69,58 @@ describe("hubFetch routing", () => {
     }
   });
 
+  test("/ renders the signed-out indicator dynamically when DB is configured but no session cookie (rc.13)", async () => {
+    // The dynamic path takes over from the static disk file the moment a
+    // DB is configured. With no session cookie, we still render — just
+    // with the "Sign in" affordance.
+    const h = makeHarness();
+    try {
+      const db = openHubDb(hubDbPath(h.dir));
+      try {
+        const res = await hubFetch(h.dir, { getDb: () => db })(req("/"));
+        expect(res.status).toBe(200);
+        expect(res.headers.get("content-type")).toBe("text/html; charset=utf-8");
+        const body = await res.text();
+        expect(body).toContain('class="auth-indicator"');
+        expect(body).toContain("Sign in");
+        expect(body).not.toContain("Signed in as");
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("/ renders 'Signed in as <name>' + sign-out form when session cookie is active (rc.13)", async () => {
+    const h = makeHarness();
+    try {
+      const db = openHubDb(hubDbPath(h.dir));
+      try {
+        const { createUser } = await import("../users.ts");
+        const { createSession, buildSessionCookie, SESSION_TTL_MS } = await import(
+          "../sessions.ts"
+        );
+        const user = await createUser(db, "aaron", "pw");
+        const session = createSession(db, { userId: user.id });
+        const cookie = buildSessionCookie(session.id, Math.floor(SESSION_TTL_MS / 1000));
+        const res = await hubFetch(h.dir, { getDb: () => db })(req("/", { headers: { cookie } }));
+        expect(res.status).toBe(200);
+        const body = await res.text();
+        expect(body).toContain("Signed in as");
+        expect(body).toContain("aaron");
+        expect(body).toContain('action="/logout"');
+        expect(body).toContain('name="__csrf"');
+        // CSRF cookie was minted on the response (no prior cookie present).
+        expect(res.headers.get("set-cookie") ?? "").toContain("parachute_hub_csrf=");
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
   test("/.well-known/parachute.json builds the doc dynamically from services.json", async () => {
     const h = makeHarness();
     try {
@@ -194,6 +246,105 @@ describe("hubFetch routing", () => {
     }
   });
 
+  // Phase D consumer-side: each non-vault service entry's
+  // module.json:uiUrl + displayName ride through to doc.services. The
+  // discovery page (`/`) reads them to render data-driven Service tiles.
+  test("/.well-known/parachute.json surfaces uiUrl + displayName from non-vault module manifests", async () => {
+    const h = makeHarness();
+    try {
+      const notesEntry: ServiceEntry = {
+        name: "parachute-notes",
+        port: 5173,
+        paths: ["/notes"],
+        health: "/health",
+        version: "0.0.1",
+        installDir: "/fake/notes",
+      };
+      writeManifest({ services: [notesEntry] }, h.manifestPath);
+      const res = await hubFetch(h.dir, {
+        manifestPath: h.manifestPath,
+        readModuleManifest: async () => ({
+          name: "notes",
+          manifestName: "parachute-notes",
+          kind: "frontend",
+          port: 5173,
+          paths: ["/notes"],
+          health: "/health",
+          uiUrl: "/notes",
+          displayName: "Notes",
+        }),
+      })(req("/.well-known/parachute.json"));
+      expect(res.status).toBe(200);
+      const body = (await res.json()) as {
+        services: Array<{ name: string; uiUrl?: string; displayName?: string }>;
+      };
+      const svc = body.services.find((s) => s.name === "parachute-notes");
+      expect(svc?.uiUrl).toMatch(/\/notes$/);
+      expect(svc?.displayName).toBe("Notes");
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("/.well-known/parachute.json omits uiUrl when the non-vault manifest has none", async () => {
+    const h = makeHarness();
+    try {
+      const notesEntry: ServiceEntry = {
+        name: "parachute-notes",
+        port: 5173,
+        paths: ["/notes"],
+        health: "/health",
+        version: "0.0.1",
+        installDir: "/fake/notes",
+      };
+      writeManifest({ services: [notesEntry] }, h.manifestPath);
+      const res = await hubFetch(h.dir, {
+        manifestPath: h.manifestPath,
+        readModuleManifest: async () => ({
+          name: "notes",
+          manifestName: "parachute-notes",
+          kind: "frontend",
+          port: 5173,
+          paths: ["/notes"],
+          health: "/health",
+          // no uiUrl declared — discovery page will skip the tile.
+        }),
+      })(req("/.well-known/parachute.json"));
+      const body = (await res.json()) as { services: Array<{ uiUrl?: string }> };
+      expect(body.services[0]).not.toHaveProperty("uiUrl");
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("/.well-known/parachute.json: uiUrl resolver is skipped for vault entries (loadManagementUrls handles vault)", async () => {
+    const h = makeHarness();
+    try {
+      const vaultWithDir: ServiceEntry = { ...vaultEntry("default"), installDir: "/fake/vault" };
+      writeManifest({ services: [vaultWithDir] }, h.manifestPath);
+      // The fake module.json declares uiUrl, but vault is supposed to be
+      // skipped by loadServiceUiMetadata (it has its own managementUrl
+      // path). So doc.services[vault] should NOT carry uiUrl.
+      const res = await hubFetch(h.dir, {
+        manifestPath: h.manifestPath,
+        readModuleManifest: async () => ({
+          name: "vault",
+          manifestName: "parachute-vault",
+          kind: "api",
+          port: 1940,
+          paths: ["/vault/default"],
+          health: "/health",
+          uiUrl: "/should-be-ignored",
+        }),
+      })(req("/.well-known/parachute.json"));
+      const body = (await res.json()) as { services: Array<{ name: string; uiUrl?: string }> };
+      const vaultSvc = body.services.find((s) => s.name === "parachute-vault");
+      expect(vaultSvc).not.toHaveProperty("uiUrl");
+    } finally {
+      h.cleanup();
+    }
+  });
+
   // The bug this PR fixes: `parachute vault create techne` updates
   // services.json but the old code only re-derived parachute.json on
   // `parachute expose`. With the dynamic build, the second GET reflects
@@ -398,15 +549,12 @@ describe("hubFetch routing", () => {
     }
   });
 
-  // SPA mounts after hub#168-realignment:
-  //   /vault — primary (vault list, NewVault, etc.)
-  //   /hub   — back-compat (only /hub/permissions; /hub/vaults* is 301'd
-  //            below, /hub/ root falls through to the SPA's 404 route)
-  //
-  // Same bundle at both mounts. Build base is /vault/, so asset URLs are
-  // origin-absolute and resolve regardless of which mount served the HTML.
+  // SPA mount after hub#231: single `/admin/*` mount serves vault
+  // provisioning + permissions + tokens. Pre-rename `/vault` and `/hub/*`
+  // SPA URLs are 301-redirected; the per-vault content proxy at
+  // `/vault/<name>/*` stays where it is.
 
-  test("/vault serves index.html when the SPA bundle exists", async () => {
+  test("/admin/vaults serves the SPA shell when the bundle exists", async () => {
     const h = makeHarness();
     try {
       const dist = join(h.dir, "dist");
@@ -414,7 +562,7 @@ describe("hubFetch routing", () => {
       writeFileSync(join(dist, "index.html"), "<!doctype html><div id=root></div>");
       writeManifest({ services: [] }, h.manifestPath);
       const res = await hubFetch(h.dir, { spaDistDir: dist, manifestPath: h.manifestPath })(
-        req("/vault"),
+        req("/admin/vaults"),
       );
       expect(res.status).toBe(200);
       expect(res.headers.get("content-type")).toBe("text/html; charset=utf-8");
@@ -424,10 +572,7 @@ describe("hubFetch routing", () => {
     }
   });
 
-  test("/vault/new (client-side route, no matching vault) falls back to index.html", async () => {
-    // Routing-order check: `new` isn't a known vault, so proxyToVault
-    // returns undefined and we fall through to the SPA shell. The router
-    // takes over client-side and renders the NewVault form.
+  test("/admin/vaults/new serves the SPA shell (client-side route)", async () => {
     const h = makeHarness();
     try {
       const dist = join(h.dir, "dist");
@@ -435,7 +580,7 @@ describe("hubFetch routing", () => {
       writeFileSync(join(dist, "index.html"), "<!doctype html><div id=root></div>");
       writeManifest({ services: [] }, h.manifestPath);
       const res = await hubFetch(h.dir, { spaDistDir: dist, manifestPath: h.manifestPath })(
-        req("/vault/new"),
+        req("/admin/vaults/new"),
       );
       expect(res.status).toBe(200);
       expect(res.headers.get("content-type")).toBe("text/html; charset=utf-8");
@@ -445,7 +590,34 @@ describe("hubFetch routing", () => {
     }
   });
 
-  test("/vault/assets/*.js is served with the matching content-type", async () => {
+  test("/admin/permissions serves the SPA shell", async () => {
+    const h = makeHarness();
+    try {
+      const dist = join(h.dir, "dist");
+      mkdirIfMissing(dist);
+      writeFileSync(join(dist, "index.html"), "<!doctype html><div id=root></div>");
+      const res = await hubFetch(h.dir, { spaDistDir: dist })(req("/admin/permissions"));
+      expect(res.status).toBe(200);
+      expect(res.headers.get("content-type")).toBe("text/html; charset=utf-8");
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("/admin/tokens serves the SPA shell", async () => {
+    const h = makeHarness();
+    try {
+      const dist = join(h.dir, "dist");
+      mkdirIfMissing(dist);
+      writeFileSync(join(dist, "index.html"), "<!doctype html><div id=root></div>");
+      const res = await hubFetch(h.dir, { spaDistDir: dist })(req("/admin/tokens"));
+      expect(res.status).toBe(200);
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("/admin/assets/*.js is served with the matching content-type", async () => {
     const h = makeHarness();
     try {
       const dist = join(h.dir, "dist");
@@ -456,7 +628,7 @@ describe("hubFetch routing", () => {
       writeFileSync(join(assets, "main.js"), "console.log('hi');");
       writeManifest({ services: [] }, h.manifestPath);
       const res = await hubFetch(h.dir, { spaDistDir: dist, manifestPath: h.manifestPath })(
-        req("/vault/assets/main.js"),
+        req("/admin/assets/main.js"),
       );
       expect(res.status).toBe(200);
       expect(res.headers.get("content-type")).toBe("application/javascript; charset=utf-8");
@@ -466,14 +638,14 @@ describe("hubFetch routing", () => {
     }
   });
 
-  test("/vault/* returns 503 with build hint when dist is missing", async () => {
+  test("/admin/* returns 503 with build hint when dist is missing", async () => {
     const h = makeHarness();
     try {
       writeManifest({ services: [] }, h.manifestPath);
       const res = await hubFetch(h.dir, {
         spaDistDir: join(h.dir, "missing"),
         manifestPath: h.manifestPath,
-      })(req("/vault"));
+      })(req("/admin/vaults"));
       expect(res.status).toBe(503);
       expect(await res.text()).toContain("bun run build");
     } finally {
@@ -481,92 +653,194 @@ describe("hubFetch routing", () => {
     }
   });
 
-  test("/vault rejects non-GET methods with 405", async () => {
+  test("/admin/vaults rejects non-GET methods with 405", async () => {
     const h = makeHarness();
     try {
       const dist = join(h.dir, "dist");
       mkdirIfMissing(dist);
       writeFileSync(join(dist, "index.html"), "<!doctype html>");
-      const res = await hubFetch(h.dir, { spaDistDir: dist })(req("/vault", { method: "POST" }));
+      const res = await hubFetch(h.dir, { spaDistDir: dist })(
+        req("/admin/vaults", { method: "POST" }),
+      );
       expect(res.status).toBe(405);
     } finally {
       h.cleanup();
     }
   });
 
-  test("/hub/permissions serves the SPA shell (back-compat mount)", async () => {
+  // 301 back-compat redirects (closes hub#231): pre-rename SPA URLs
+  // 301-redirect to the new /admin/* mount. Tests cover every entry in the
+  // dispatch — operator bookmarks landing on any of these still work.
+
+  test("301: /vault → /admin/vaults", async () => {
     const h = makeHarness();
     try {
-      const dist = join(h.dir, "dist");
-      mkdirIfMissing(dist);
-      writeFileSync(join(dist, "index.html"), "<!doctype html><div id=root></div>");
-      const res = await hubFetch(h.dir, { spaDistDir: dist })(req("/hub/permissions"));
-      expect(res.status).toBe(200);
-      expect(res.headers.get("content-type")).toBe("text/html; charset=utf-8");
-      expect(await res.text()).toContain("<div id=root>");
+      const res = await hubFetch(h.dir)(req("/vault"));
+      expect(res.status).toBe(301);
+      expect(res.headers.get("location")).toBe("/admin/vaults");
     } finally {
       h.cleanup();
     }
   });
 
-  test("/hub/* returns 503 with build hint when dist is missing", async () => {
+  test("301: /vault/new → /admin/vaults/new", async () => {
     const h = makeHarness();
     try {
-      const res = await hubFetch(h.dir, { spaDistDir: join(h.dir, "missing") })(
-        req("/hub/permissions"),
-      );
-      expect(res.status).toBe(503);
-      expect(await res.text()).toContain("bun run build");
+      const res = await hubFetch(h.dir)(req("/vault/new"));
+      expect(res.status).toBe(301);
+      expect(res.headers.get("location")).toBe("/admin/vaults/new");
     } finally {
       h.cleanup();
     }
   });
 
-  test("/hub rejects non-GET methods with 405", async () => {
+  test("301: /vault preserves query string", async () => {
     const h = makeHarness();
     try {
-      const dist = join(h.dir, "dist");
-      mkdirIfMissing(dist);
-      writeFileSync(join(dist, "index.html"), "<!doctype html>");
-      const res = await hubFetch(h.dir, { spaDistDir: dist })(
-        req("/hub/permissions", { method: "POST" }),
-      );
-      expect(res.status).toBe(405);
+      const res = await hubFetch(h.dir)(req("/vault?next=foo"));
+      expect(res.status).toBe(301);
+      expect(res.headers.get("location")).toBe("/admin/vaults?next=foo");
     } finally {
       h.cleanup();
     }
   });
 
-  test("/hub/vaults issues a 301 redirect to /vault", async () => {
-    // Back-compat for bookmarks. The exact mount path used to be /hub/vaults
-    // before the realignment; permanent redirect keeps stale URLs working.
+  test("301: /hub/vaults → /admin/vaults (chain through the rename)", async () => {
+    // The /hub/vaults redirect predates #231 — it used to land at /vault.
+    // Now it lands at the final /admin/vaults so old bookmarks don't bounce
+    // through two redirects.
     const h = makeHarness();
     try {
       const res = await hubFetch(h.dir)(req("/hub/vaults"));
       expect(res.status).toBe(301);
-      expect(res.headers.get("location")).toBe("/vault");
+      expect(res.headers.get("location")).toBe("/admin/vaults");
     } finally {
       h.cleanup();
     }
   });
 
-  test("/hub/vaults/new redirects to /vault/new", async () => {
+  test("301: /hub/vaults/new → /admin/vaults/new", async () => {
     const h = makeHarness();
     try {
       const res = await hubFetch(h.dir)(req("/hub/vaults/new"));
       expect(res.status).toBe(301);
-      expect(res.headers.get("location")).toBe("/vault/new");
+      expect(res.headers.get("location")).toBe("/admin/vaults/new");
     } finally {
       h.cleanup();
     }
   });
 
-  test("/hub/vaults/* preserves the query string in the redirect", async () => {
+  test("301: /hub/vaults/* preserves the query string", async () => {
     const h = makeHarness();
     try {
       const res = await hubFetch(h.dir)(req("/hub/vaults/foo?bar=1&baz=2"));
       expect(res.status).toBe(301);
-      expect(res.headers.get("location")).toBe("/vault/foo?bar=1&baz=2");
+      expect(res.headers.get("location")).toBe("/admin/vaults/foo?bar=1&baz=2");
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("301: /hub/permissions → /admin/permissions", async () => {
+    const h = makeHarness();
+    try {
+      const res = await hubFetch(h.dir)(req("/hub/permissions"));
+      expect(res.status).toBe(301);
+      expect(res.headers.get("location")).toBe("/admin/permissions");
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("301: /hub/tokens → /admin/tokens", async () => {
+    const h = makeHarness();
+    try {
+      const res = await hubFetch(h.dir)(req("/hub/tokens"));
+      expect(res.status).toBe(301);
+      expect(res.headers.get("location")).toBe("/admin/tokens");
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("301: /hub bare → /admin/vaults", async () => {
+    const h = makeHarness();
+    try {
+      const res = await hubFetch(h.dir)(req("/hub"));
+      expect(res.status).toBe(301);
+      expect(res.headers.get("location")).toBe("/admin/vaults");
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  // Login surface rename redirects (auth-UX cleanup): /admin/login and
+  // /admin/logout 301 to /login and /logout. Path-only test — the
+  // handlers themselves are exercised through the existing
+  // handleAdminLoginGet/Post + handleAdminLogoutPost test files.
+  test("301: /admin/login → /login", async () => {
+    const h = makeHarness();
+    try {
+      const res = await hubFetch(h.dir)(req("/admin/login"));
+      expect(res.status).toBe(301);
+      expect(res.headers.get("location")).toBe("/login");
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("301: /admin/login preserves the next= query param", async () => {
+    const h = makeHarness();
+    try {
+      const res = await hubFetch(h.dir)(req("/admin/login?next=/admin/permissions"));
+      expect(res.status).toBe(301);
+      expect(res.headers.get("location")).toBe("/login?next=/admin/permissions");
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("301: /admin/config → /admin/vaults (legacy server-rendered portal retired)", async () => {
+    const h = makeHarness();
+    try {
+      const res = await hubFetch(h.dir)(req("/admin/config"));
+      expect(res.status).toBe(301);
+      expect(res.headers.get("location")).toBe("/admin/vaults");
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("301: /admin/config/<name> → /admin/vaults", async () => {
+    const h = makeHarness();
+    try {
+      const res = await hubFetch(h.dir)(req("/admin/config/vault"));
+      expect(res.status).toBe(301);
+      expect(res.headers.get("location")).toBe("/admin/vaults");
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("301: /admin/logout → /logout", async () => {
+    const h = makeHarness();
+    try {
+      const res = await hubFetch(h.dir)(req("/admin/logout"));
+      expect(res.status).toBe(301);
+      expect(res.headers.get("location")).toBe("/logout");
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("/hub/<unknown> (no SPA mount anymore) → 404", async () => {
+    const h = makeHarness();
+    try {
+      writeManifest({ services: [] }, h.manifestPath);
+      const res = await hubFetch(h.dir, { manifestPath: h.manifestPath })(
+        req("/hub/unknown-thing"),
+      );
+      expect(res.status).toBe(404);
     } finally {
       h.cleanup();
     }
@@ -591,10 +865,11 @@ describe("hubFetch routing", () => {
         ["/oauth/register", { method: "POST" }],
         ["/oauth/revoke", { method: "POST" }],
         ["/vaults", { method: "POST" }],
-        ["/admin/login", { method: "POST" }],
-        ["/admin/logout", { method: "POST" }],
-        ["/admin/config", { method: "GET" }],
-        ["/admin/config/example", { method: "POST" }],
+        // /login + /logout — canonical names since the auth-UX rename;
+        // /admin/login + /admin/logout 301-redirect to here (separate
+        // tests pin the redirects themselves).
+        ["/login", { method: "POST" }],
+        ["/logout", { method: "POST" }],
         ["/admin/host-admin-token", { method: "GET" }],
       ];
       for (const [path, init] of cases) {
@@ -746,6 +1021,31 @@ describe("findVaultUpstream (#144)", () => {
     expect(m?.mount).toBe("/vault/inner");
     expect(m?.port).toBe(1941);
   });
+
+  // #197: a services.json entry written with a trailing slash on the mount
+  // path (e.g. `paths: ["/vault/default/"]`) used to only match the exact
+  // pathname `/vault/default/` and silently drop every sub-path because
+  // `pathname.startsWith("/vault/default//")` is always false. Normalize
+  // trailing slashes before comparison so sub-paths route correctly.
+  test("trailing-slash mount path matches sub-paths (#197)", () => {
+    const trailing: ServiceEntry = {
+      name: "parachute-vault",
+      port: 1940,
+      paths: ["/vault/default/"],
+      health: "/vault/default/health",
+      version: "0.4.0",
+    };
+    const exact = findVaultUpstream([trailing], "/vault/default");
+    expect(exact?.port).toBe(1940);
+    // mount is reported normalized (trailing slash stripped) so callers
+    // computing `pathname.slice(match.mount.length)` get the same answer
+    // regardless of how the entry was written on disk.
+    expect(exact?.mount).toBe("/vault/default");
+
+    const sub = findVaultUpstream([trailing], "/vault/default/notes/abc");
+    expect(sub?.port).toBe(1940);
+    expect(sub?.mount).toBe("/vault/default");
+  });
 });
 
 describe("hubFetch /vault/<name>/* dynamic proxy (#144)", () => {
@@ -999,15 +1299,15 @@ describe("hubFetch /vault/<name>/* dynamic proxy (#144)", () => {
     }
   });
 
-  test("single-segment /vault/<name> picks proxy when registered, SPA shell when not", async () => {
+  test("single-segment /vault/<name> picks proxy when registered, 404 when not", async () => {
     // Two cases share one fixture so the contrast is explicit:
     //   - `/vault/default` is registered → proxy answers (200, JSON tag).
-    //   - `/vault/nonexistent` has no match → falls through to the SPA
-    //     shell (200, text/html). The SPA's :name route renders client-side
-    //     and shows a 404 in-app, but at the wire it's the shell.
+    //   - `/vault/nonexistent` has no match → 404 directly (no SPA-shell
+    //     fallback under /vault since hub#231 moved the admin SPA to
+    //     /admin/*; the /vault/<name>/* slot is now exclusively the
+    //     per-vault content proxy).
     // This is the routing-order seam #173 introduced — proxy is consulted
-    // before the SPA fallback, and the fallback only triggers when no
-    // vault claims the path.
+    // before the 404; the SPA fallback that used to live here is gone.
     const h = makeHarness();
     const upstream = startUpstream("default-vault");
     try {
@@ -1040,10 +1340,8 @@ describe("hubFetch /vault/<name>/* dynamic proxy (#144)", () => {
       expect(body.tag).toBe("default-vault");
       expect(body.pathname).toBe("/vault/default");
 
-      const shelled = await fetcher(req("/vault/nonexistent"));
-      expect(shelled.status).toBe(200);
-      expect(shelled.headers.get("content-type")).toBe("text/html; charset=utf-8");
-      expect(await shelled.text()).toContain("<div id=root>");
+      const notFound = await fetcher(req("/vault/nonexistent"));
+      expect(notFound.status).toBe(404);
     } finally {
       upstream.stop();
       h.cleanup();
@@ -1144,6 +1442,62 @@ describe("findServiceUpstream (#182)", () => {
     expect(findServiceUpstream(services, "/scribe-admin")).toBeUndefined();
     expect(findServiceUpstream(services, "/scribe-admin/foo")).toBeUndefined();
   });
+
+  // #197: a services.json entry written with a trailing slash on the mount
+  // path (e.g. `paths: ["/notes/"]`) used to only match the exact pathname
+  // `/notes/` and silently drop every sub-path because
+  // `pathname.startsWith("/notes//")` is always false. Notes blank-screen
+  // on Aaron's box (2026-05-08) was the operator-visible symptom: the SPA
+  // shell loaded but every `/notes/assets/*.js` 404'd. Normalize trailing
+  // slashes before comparison.
+  test("trailing-slash mount path matches sub-paths (#197)", () => {
+    const services: ServiceEntry[] = [
+      {
+        name: "parachute-notes",
+        port: 1942,
+        paths: ["/notes/"],
+        health: "/notes/health",
+        version: "0.1.0",
+      },
+    ];
+    const exact = findServiceUpstream(services, "/notes");
+    expect(exact?.port).toBe(1942);
+    // mount is reported normalized (trailing slash stripped) so callers
+    // computing `pathname.slice(match.mount.length)` (the stripPrefix path)
+    // get the same answer regardless of how the entry was written on disk.
+    expect(exact?.mount).toBe("/notes");
+
+    const asset = findServiceUpstream(services, "/notes/assets/index-XXX.js");
+    expect(asset?.port).toBe(1942);
+    expect(asset?.mount).toBe("/notes");
+    expect(asset?.entry.name).toBe("parachute-notes");
+  });
+
+  test('mount path "/" survives normalization without collapsing to empty string (#197)', () => {
+    // Edge case: `"/".replace(/\/+$/, "")` yields the empty string; the
+    // `|| "/"` branch keeps it stable so an exact-`/` request still matches.
+    // Pre-fix this branch wasn't reachable (legacy `paths: ["/"]` entries
+    // are already remapped to `/<shortname>` in-memory by services-manifest;
+    // the test pins the lookup-level behavior so a future regression in the
+    // remap layer doesn't silently 404 every catchall request).
+    //
+    // Sub-path matching for `/`-mounted entries is intentionally not asserted
+    // here — that would change the existing "exact match only" behavior
+    // captured in `pathname === path || pathname.startsWith(path + '/')`,
+    // which never matched `/anything` when `path === "/"` (since `"//"` is
+    // not a real URL prefix).
+    const services: ServiceEntry[] = [
+      {
+        name: "catchall",
+        port: 1950,
+        paths: ["/"],
+        health: "/health",
+        version: "0.1.0",
+      },
+    ];
+    expect(findServiceUpstream(services, "/")?.port).toBe(1950);
+    expect(findServiceUpstream(services, "/")?.mount).toBe("/");
+  });
 });
 
 describe("hubFetch /<svc>/* generic proxy dispatch (#182)", () => {
@@ -1628,6 +1982,572 @@ describe("hubFetch /<svc>/* generic proxy dispatch (#182)", () => {
       h.cleanup();
     }
   });
+
+  test("trailing-slash entry routes sub-paths end-to-end (#197)", async () => {
+    // Operator-symptom regression: notes blank-screen on Aaron's box
+    // (2026-05-08). services.json had `paths: ["/notes/"]` (trailing slash),
+    // which used to make the matcher return undefined for every sub-path
+    // because `pathname.startsWith("/notes//")` is always false. Hub
+    // returned 404 for `/notes/assets/*.js` even though the SPA shell
+    // loaded fine, breaking the page silently.
+    const h = makeHarness();
+    const upstream = startUpstream("notes");
+    try {
+      writeManifest(
+        {
+          services: [
+            {
+              name: "parachute-notes",
+              port: upstream.port,
+              paths: ["/notes/"],
+              health: "/notes/health",
+              version: "0.1.0",
+            },
+          ],
+        },
+        h.manifestPath,
+      );
+      const fetcher = hubFetch(h.dir, { manifestPath: h.manifestPath });
+      const res = await fetcher(req("/notes/assets/index-XXX.js"));
+      expect(res.status).toBe(200);
+      const body = (await res.json()) as { tag: string; pathname: string };
+      expect(body.tag).toBe("notes");
+      // Path is forwarded verbatim — no stripPrefix on the notes entry, so
+      // backend sees the full mount-prefixed path.
+      expect(body.pathname).toBe("/notes/assets/index-XXX.js");
+    } finally {
+      upstream.stop();
+      h.cleanup();
+    }
+  });
+
+  test("FIRST_PARTY_FALLBACKS supplies stripPrefix when entry omits it (#196)", async () => {
+    // Operator-symptom regression: scribe `/scribe/health` 404 on Aaron's
+    // box (2026-05-08). Scribe v0.4.0 doesn't write `stripPrefix: true` to
+    // its services.json entry; the declaration only lives in hub's
+    // SCRIBE_FALLBACK manifest. Pre-#187 this didn't matter because the
+    // per-service `tailscale serve` plan baked the path into the target
+    // URL; post-#187 routing went through hub which wasn't consulting the
+    // fallback registry. Result: hub forwarded `/scribe/health` verbatim
+    // to scribe at :1943, scribe served bare paths and 404'd. Fix: hub-
+    // side fallback merge in `stripPrefixFor`.
+    //
+    // Use a `parachute-scribe` manifestName so `shortNameForManifest`
+    // resolves to "scribe" → SCRIBE_FALLBACK (which declares
+    // `stripPrefix: true`). The entry itself omits stripPrefix to mirror
+    // what scribe v0.4.0 actually writes today.
+    const h = makeHarness();
+    const upstream = startUpstream("scribe");
+    try {
+      writeManifest(
+        {
+          services: [
+            {
+              name: "parachute-scribe",
+              port: upstream.port,
+              paths: ["/scribe"],
+              health: "/scribe/health",
+              version: "0.4.0",
+              // stripPrefix intentionally omitted — must be derived from
+              // FIRST_PARTY_FALLBACKS.scribe.manifest.stripPrefix.
+            },
+          ],
+        },
+        h.manifestPath,
+      );
+      const fetcher = hubFetch(h.dir, { manifestPath: h.manifestPath });
+      const res = await fetcher(req("/scribe/health"));
+      expect(res.status).toBe(200);
+      const body = (await res.json()) as { tag: string; pathname: string };
+      expect(body.tag).toBe("scribe");
+      // The mount prefix is stripped — backend sees the bare `/health`
+      // route that scribe v0.4.0 actually serves.
+      expect(body.pathname).toBe("/health");
+    } finally {
+      upstream.stop();
+      h.cleanup();
+    }
+  });
+
+  test("explicit stripPrefix:false on entry overrides FIRST_PARTY_FALLBACKS (#196)", async () => {
+    // Explicit-on-entry must win, even when the fallback would default to
+    // stripping. Documents the precedence ordering: explicit > fallback >
+    // false. Without this, an operator who deliberately writes
+    // `"stripPrefix": false` couldn't opt out of the fallback's strip.
+    const h = makeHarness();
+    const upstream = startUpstream("scribe");
+    try {
+      writeManifest(
+        {
+          services: [
+            {
+              name: "parachute-scribe",
+              port: upstream.port,
+              paths: ["/scribe"],
+              health: "/scribe/health",
+              version: "0.4.0",
+              stripPrefix: false,
+            },
+          ],
+        },
+        h.manifestPath,
+      );
+      const fetcher = hubFetch(h.dir, { manifestPath: h.manifestPath });
+      const res = await fetcher(req("/scribe/health"));
+      expect(res.status).toBe(200);
+      const body = (await res.json()) as { pathname: string };
+      // Explicit false wins — full path forwarded.
+      expect(body.pathname).toBe("/scribe/health");
+    } finally {
+      upstream.stop();
+      h.cleanup();
+    }
+  });
+
+  test("third-party service without fallback does not strip (#196)", async () => {
+    // Default behavior contract: a service whose manifestName isn't in
+    // FIRST_PARTY_FALLBACKS and whose entry omits stripPrefix gets the
+    // pre-#196 keep-prefix behavior. No accidental strip on third-party
+    // installs.
+    const h = makeHarness();
+    const upstream = startUpstream("third-party");
+    try {
+      writeManifest(
+        {
+          services: [
+            {
+              name: "third-party-service",
+              port: upstream.port,
+              paths: ["/third"],
+              health: "/third/health",
+              version: "0.1.0",
+            },
+          ],
+        },
+        h.manifestPath,
+      );
+      const fetcher = hubFetch(h.dir, { manifestPath: h.manifestPath });
+      const res = await fetcher(req("/third/health"));
+      expect(res.status).toBe(200);
+      const body = (await res.json()) as { pathname: string };
+      expect(body.pathname).toBe("/third/health");
+    } finally {
+      upstream.stop();
+      h.cleanup();
+    }
+  });
+});
+
+describe("layerOf — classify trust layer from proxy headers", () => {
+  // Hub binds 127.0.0.1:1939; only trusted forwarders (cloudflared,
+  // tailscaled-serve, tailscaled-funnel) reach the listener. Spoofing isn't
+  // a concern. layerOf inspects the headers each forwarder injects.
+
+  test("no proxy headers → loopback (direct localhost call)", () => {
+    expect(layerOf(req("/"))).toBe("loopback");
+  });
+
+  test("Tailscale-User-Login → tailnet (authed via tailscale serve)", () => {
+    // Set verbatim per Tailscale docs / serve.go addTailscaleIdentityHeaders.
+    const r = req("/", { headers: { "Tailscale-User-Login": "alice@example.com" } });
+    expect(layerOf(r)).toBe("tailnet");
+  });
+
+  test("Tailscale-Funnel-Request: ?1 → public (Tailscale Funnel)", () => {
+    // Tailscale Funnel sets this header on every funneled connection per
+    // serve.go; mutually exclusive with Tailscale-User-Login.
+    const r = req("/", { headers: { "Tailscale-Funnel-Request": "?1" } });
+    expect(layerOf(r)).toBe("public");
+  });
+
+  test("CF-Ray → public (Cloudflare tunnel)", () => {
+    const r = req("/", { headers: { "CF-Ray": "abc123-DEN" } });
+    expect(layerOf(r)).toBe("public");
+  });
+
+  test("CF-Connecting-IP → public (Cloudflare tunnel — alt header shape)", () => {
+    const r = req("/", { headers: { "CF-Connecting-IP": "203.0.113.42" } });
+    expect(layerOf(r)).toBe("public");
+  });
+
+  test("Cloudflare wins over tailscale headers (cloudflared-then-serve hop, defensive)", () => {
+    // If a node ran both forwarders chained, the outer-most public layer
+    // wins. Defensive — not a recommended deployment shape.
+    const r = req("/", {
+      headers: { "CF-Ray": "abc", "Tailscale-User-Login": "alice@example.com" },
+    });
+    expect(layerOf(r)).toBe("public");
+  });
+
+  test("Tailscale-Funnel-Request wins over Tailscale-User-Login (defensive)", () => {
+    // serve.go can't actually set both — funnel returns early. Defensive.
+    const r = req("/", {
+      headers: {
+        "Tailscale-Funnel-Request": "?1",
+        "Tailscale-User-Login": "alice@example.com",
+      },
+    });
+    expect(layerOf(r)).toBe("public");
+  });
+});
+
+describe("hubFetch publicExposure layer-gate (proxyToService)", () => {
+  // The hub's only layer-gate. effectivePublicExposure(entry) === "loopback"
+  // → 404 on tailnet/public; pass through on loopback. "allowed" /
+  // "auth-required" reach all layers (service does its own auth gate).
+
+  function startUpstream(replyTag: string): { port: number; stop: () => void } {
+    const server = Bun.serve({
+      port: 0,
+      hostname: "127.0.0.1",
+      fetch: () =>
+        new Response(JSON.stringify({ tag: replyTag }), {
+          status: 200,
+          headers: { "content-type": "application/json" },
+        }),
+    });
+    return { port: server.port as number, stop: () => server.stop(true) };
+  }
+
+  test("publicExposure: loopback + tailnet header → 404 (gate hides the route)", async () => {
+    const h = makeHarness();
+    const upstream = startUpstream("loopback-only");
+    try {
+      writeManifest(
+        {
+          services: [
+            {
+              name: "loopback-only",
+              port: upstream.port,
+              paths: ["/loopback-only"],
+              health: "/loopback-only/health",
+              version: "0.1.0",
+              publicExposure: "loopback",
+            },
+          ],
+        },
+        h.manifestPath,
+      );
+      const fetcher = hubFetch(h.dir, { manifestPath: h.manifestPath });
+      const r = req("/loopback-only/anything", {
+        headers: { "Tailscale-User-Login": "alice@example.com" },
+      });
+      const res = await fetcher(r);
+      expect(res.status).toBe(404);
+    } finally {
+      upstream.stop();
+      h.cleanup();
+    }
+  });
+
+  test("publicExposure: loopback + public header → 404 (gate hides the route)", async () => {
+    const h = makeHarness();
+    const upstream = startUpstream("loopback-only");
+    try {
+      writeManifest(
+        {
+          services: [
+            {
+              name: "loopback-only",
+              port: upstream.port,
+              paths: ["/loopback-only"],
+              health: "/loopback-only/health",
+              version: "0.1.0",
+              publicExposure: "loopback",
+            },
+          ],
+        },
+        h.manifestPath,
+      );
+      const fetcher = hubFetch(h.dir, { manifestPath: h.manifestPath });
+      const r = req("/loopback-only/anything", { headers: { "CF-Ray": "abc123" } });
+      const res = await fetcher(r);
+      expect(res.status).toBe(404);
+    } finally {
+      upstream.stop();
+      h.cleanup();
+    }
+  });
+
+  test("publicExposure: loopback + no headers → reaches upstream (loopback layer)", async () => {
+    const h = makeHarness();
+    const upstream = startUpstream("loopback-only");
+    try {
+      writeManifest(
+        {
+          services: [
+            {
+              name: "loopback-only",
+              port: upstream.port,
+              paths: ["/loopback-only"],
+              health: "/loopback-only/health",
+              version: "0.1.0",
+              publicExposure: "loopback",
+            },
+          ],
+        },
+        h.manifestPath,
+      );
+      const fetcher = hubFetch(h.dir, { manifestPath: h.manifestPath });
+      const res = await fetcher(req("/loopback-only/health"));
+      expect(res.status).toBe(200);
+      const body = (await res.json()) as { tag: string };
+      expect(body.tag).toBe("loopback-only");
+    } finally {
+      upstream.stop();
+      h.cleanup();
+    }
+  });
+
+  test("publicExposure: allowed + tailnet header → reaches upstream (no gate)", async () => {
+    const h = makeHarness();
+    const upstream = startUpstream("allowed");
+    try {
+      writeManifest(
+        {
+          services: [
+            {
+              name: "allowed",
+              port: upstream.port,
+              paths: ["/allowed"],
+              health: "/allowed/health",
+              version: "0.1.0",
+              publicExposure: "allowed",
+            },
+          ],
+        },
+        h.manifestPath,
+      );
+      const fetcher = hubFetch(h.dir, { manifestPath: h.manifestPath });
+      const r = req("/allowed/health", {
+        headers: { "Tailscale-User-Login": "alice@example.com" },
+      });
+      const res = await fetcher(r);
+      expect(res.status).toBe(200);
+      const body = (await res.json()) as { tag: string };
+      expect(body.tag).toBe("allowed");
+    } finally {
+      upstream.stop();
+      h.cleanup();
+    }
+  });
+
+  test("publicExposure: auth-required + public header → reaches upstream (service self-gates)", async () => {
+    // The service does its own auth check; the hub passes through.
+    const h = makeHarness();
+    const upstream = startUpstream("auth-required");
+    try {
+      writeManifest(
+        {
+          services: [
+            {
+              name: "auth-required",
+              port: upstream.port,
+              paths: ["/auth-required"],
+              health: "/auth-required/health",
+              version: "0.1.0",
+              publicExposure: "auth-required",
+            },
+          ],
+        },
+        h.manifestPath,
+      );
+      const fetcher = hubFetch(h.dir, { manifestPath: h.manifestPath });
+      const r = req("/auth-required/health", { headers: { "CF-Ray": "abc123" } });
+      const res = await fetcher(r);
+      expect(res.status).toBe(200);
+    } finally {
+      upstream.stop();
+      h.cleanup();
+    }
+  });
+
+  test("scribe (kind=api, hasAuth=false default) → loopback gate fires from public layer", async () => {
+    // Spec-derived default for scribe is "auth-required" (NOT loopback —
+    // see effectivePublicExposure in service-spec.ts). So the hub passes
+    // through; this test confirms the spec-default isn't accidentally
+    // loopback-gating well-known services.
+    const h = makeHarness();
+    const upstream = startUpstream("scribe");
+    try {
+      writeManifest(
+        {
+          services: [
+            {
+              name: "parachute-scribe",
+              port: upstream.port,
+              paths: ["/scribe"],
+              health: "/scribe/health",
+              version: "0.1.0",
+              // publicExposure absent — exercises spec-derived default
+            },
+          ],
+        },
+        h.manifestPath,
+      );
+      const fetcher = hubFetch(h.dir, { manifestPath: h.manifestPath });
+      const r = req("/scribe/health", { headers: { "CF-Ray": "abc123" } });
+      const res = await fetcher(r);
+      // auth-required → pass through; service does its own gate.
+      expect(res.status).toBe(200);
+    } finally {
+      upstream.stop();
+      h.cleanup();
+    }
+  });
+
+  test("unknown third-party service (no SERVICE_SPECS row, no publicExposure) → defaults to allowed, reaches public layer", async () => {
+    // Third-party modules installed via `module.json` aren't in
+    // FIRST_PARTY_FALLBACKS, so effectivePublicExposure has no spec to
+    // derive from. The contract documented on effectivePublicExposure is
+    // "default to 'allowed'", which means the gate must NOT fire from the
+    // public layer for an unknown service that didn't opt into a stricter
+    // exposure. Regression-guards anyone tightening the default to
+    // "loopback" without realizing it would silently 404 every
+    // third-party module on tailnet/public.
+    const h = makeHarness();
+    const upstream = startUpstream("unknown-thirdparty");
+    try {
+      writeManifest(
+        {
+          services: [
+            {
+              name: "parachute-unknown-thirdparty",
+              port: upstream.port,
+              paths: ["/parachute-unknown-thirdparty"],
+              health: "/parachute-unknown-thirdparty/health",
+              version: "0.1.0",
+              // publicExposure absent — exercises the unknown-spec default path
+              // kind absent — no SERVICE_SPECS / FIRST_PARTY_FALLBACKS row matches
+            },
+          ],
+        },
+        h.manifestPath,
+      );
+      const fetcher = hubFetch(h.dir, { manifestPath: h.manifestPath });
+      const r = req("/parachute-unknown-thirdparty/health", {
+        headers: { "CF-Ray": "abc123" },
+      });
+      const res = await fetcher(r);
+      // Default "allowed" → no gate. Forwarded to upstream.
+      expect(res.status).toBe(200);
+      const body = (await res.json()) as { tag: string };
+      expect(body.tag).toBe("unknown-thirdparty");
+    } finally {
+      upstream.stop();
+      h.cleanup();
+    }
+  });
+});
+
+describe("hubFetch publicExposure layer-gate (proxyToVault)", () => {
+  // Same gate, applied to /vault/<name>/* dispatch. A vault entry that
+  // declares publicExposure: "loopback" is hidden from non-loopback callers.
+
+  function startVaultUpstream(replyTag: string): { port: number; stop: () => void } {
+    const server = Bun.serve({
+      port: 0,
+      hostname: "127.0.0.1",
+      fetch: () =>
+        new Response(JSON.stringify({ tag: replyTag }), {
+          status: 200,
+          headers: { "content-type": "application/json" },
+        }),
+    });
+    return { port: server.port as number, stop: () => server.stop(true) };
+  }
+
+  test("vault publicExposure: loopback + tailnet header → 404", async () => {
+    const h = makeHarness();
+    const upstream = startVaultUpstream("vault-private");
+    try {
+      writeManifest(
+        {
+          services: [
+            {
+              name: "parachute-vault-private",
+              port: upstream.port,
+              paths: ["/vault/private"],
+              health: "/vault/private/health",
+              version: "0.4.0",
+              publicExposure: "loopback",
+            },
+          ],
+        },
+        h.manifestPath,
+      );
+      const fetcher = hubFetch(h.dir, { manifestPath: h.manifestPath });
+      const r = req("/vault/private/health", {
+        headers: { "Tailscale-User-Login": "alice@example.com" },
+      });
+      const res = await fetcher(r);
+      expect(res.status).toBe(404);
+    } finally {
+      upstream.stop();
+      h.cleanup();
+    }
+  });
+
+  test("vault publicExposure: loopback + no headers → reaches vault backend", async () => {
+    const h = makeHarness();
+    const upstream = startVaultUpstream("vault-private");
+    try {
+      writeManifest(
+        {
+          services: [
+            {
+              name: "parachute-vault-private",
+              port: upstream.port,
+              paths: ["/vault/private"],
+              health: "/vault/private/health",
+              version: "0.4.0",
+              publicExposure: "loopback",
+            },
+          ],
+        },
+        h.manifestPath,
+      );
+      const fetcher = hubFetch(h.dir, { manifestPath: h.manifestPath });
+      const res = await fetcher(req("/vault/private/health"));
+      expect(res.status).toBe(200);
+      const body = (await res.json()) as { tag: string };
+      expect(body.tag).toBe("vault-private");
+    } finally {
+      upstream.stop();
+      h.cleanup();
+    }
+  });
+
+  test("vault publicExposure: allowed + tailnet header → reaches backend", async () => {
+    const h = makeHarness();
+    const upstream = startVaultUpstream("vault-public");
+    try {
+      writeManifest(
+        {
+          services: [
+            {
+              name: "parachute-vault",
+              port: upstream.port,
+              paths: ["/vault/default"],
+              health: "/vault/default/health",
+              version: "0.4.0",
+              publicExposure: "allowed",
+            },
+          ],
+        },
+        h.manifestPath,
+      );
+      const fetcher = hubFetch(h.dir, { manifestPath: h.manifestPath });
+      const r = req("/vault/default/health", {
+        headers: { "Tailscale-User-Login": "alice@example.com" },
+      });
+      const res = await fetcher(r);
+      expect(res.status).toBe(200);
+    } finally {
+      upstream.stop();
+      h.cleanup();
+    }
+  });
 });
 
 /** Find a port that no one is listening on by binding briefly and releasing. */