@openparachute/hub 0.5.7 → 0.5.10-rc.10

package/src/__tests__/oauth-handlers.test.ts

@@ -6,7 +6,13 @@ import { join } from "node:path";
 import { getClient, registerClient } from "../clients.ts";
 import { CSRF_COOKIE_NAME } from "../csrf.ts";
 import { hubDbPath, openHubDb } from "../hub-db.ts";
-import { validateAccessToken } from "../jwt-sign.ts";
+import {
+  FIRST_CLIENT_AUTO_APPROVE_WINDOW_MS,
+  getSetting,
+  openFirstClientAutoApproveWindow,
+  setSetting,
+} from "../hub-settings.ts";
+import { findTokenRowByJti, validateAccessToken } from "../jwt-sign.ts";
 import {
   authorizationServerMetadata,
   buildServicesCatalog,
@@ -1034,10 +1040,37 @@ describe("handleToken — full OAuth dance", () => {
 
       // closes #81 — services catalog tells the client where vault lives so
       // notes doesn't have to re-probe /.well-known/parachute.json. A
-      // vault:read token only sees the vault entry.
+      // `vault:default:read` token sees both the collapsed `vault` key
+      // (backwards compat) AND the per-vault `vault:default` key (closes
+      // #247 — pre-#247 only the collapsed key was emitted; consumers on
+      // multi-vault hubs were forced to assume `/vault/default` and
+      // collided).
       expect(tokenBody.services).toEqual({
         vault: { url: `${ISSUER}/vault/default`, version: "0.3.0" },
-      });
+        "vault:default": { url: `${ISSUER}/vault/default`, version: "0.3.0" },
+      });
+
+      // closes #215 reviewer F2 — Phase 1 code-grant access-token registry
+      // exemption pinning. The access token and refresh token share `jti`
+      // by design (signRefreshToken({ jti: access.jti, ... }) at the mint
+      // site), so the `tokens` row keyed by the access-token jti IS the
+      // shared row — refresh_token_hash is non-null, created_via is
+      // 'oauth_refresh'. We deliberately don't write a separate per-jti
+      // access-token row; revocation acts on the shared jti / family,
+      // bounded by the 15-min access TTL.
+      expect(payload.jti).toBeTruthy();
+      const row = findTokenRowByJti(db, payload.jti as string);
+      expect(row).not.toBeNull();
+      expect(row?.createdVia).toBe("oauth_refresh");
+      expect(row?.familyId).toBeTruthy();
+      // Verify the registry has exactly one row for this code-grant
+      // (not two — no separate access-token row).
+      const rowCount = (
+        db
+          .query<{ n: number }, [string]>("SELECT COUNT(*) as n FROM tokens WHERE jti = ?")
+          .get(payload.jti as string) ?? { n: 0 }
+      ).n;
+      expect(rowCount).toBe(1);
     } finally {
       cleanup();
     }
@@ -1523,6 +1556,156 @@ describe("handleToken — full OAuth dance", () => {
       vault: { url: `${ISSUER}/vault/work`, version: "0.3.0" },
     });
   });
+
+  // closes #247 — multi-vault correctness. Pre-#247 every vault collapsed
+  // under the single `vault` key, so Notes' OAuthCallback always wrote
+  // VaultRecord URL = paths[0] of the first vault row regardless of which
+  // vault the token actually granted. Per-vault `vault:<name>` keys let
+  // consumers route each grant to the correct vault URL.
+  describe("services catalog — multi-vault per-vault keys (#247)", () => {
+    // Real shape from a multi-vault hub: one `parachute-vault` row with N
+    // paths, each path naming an instance. Aaron's setup verbatim (4
+    // vaults: default, boulder, gitcoin, techne).
+    const multiVaultManifest: ServicesManifest = {
+      services: [
+        {
+          name: "parachute-vault",
+          port: 1940,
+          paths: ["/vault/default", "/vault/boulder", "/vault/gitcoin", "/vault/techne"],
+          health: "/health",
+          version: "0.4.4",
+        },
+      ],
+    };
+
+    test("single-vault hub with broad scope: only collapsed `vault` key (unchanged)", () => {
+      // Per-vault keys are noise on single-vault hubs — no disambiguation
+      // is needed. Backwards compat for pre-popover clients matters here.
+      expect(buildServicesCatalog(FIXTURE_MANIFEST, ISSUER, ["vault:read"])).toEqual({
+        vault: { url: `${ISSUER}/vault/default`, version: "0.3.0" },
+      });
+    });
+
+    test("single-vault hub with per-vault-narrowed scope: emits per-vault key too", () => {
+      // A `vault:default:read` token is an explicit consumer signal that
+      // the per-vault key matters — emit it even on a single-vault hub so
+      // the consumer's `services["vault:default"]` lookup works uniformly
+      // regardless of how many vaults the hub has.
+      expect(buildServicesCatalog(FIXTURE_MANIFEST, ISSUER, ["vault:default:read"])).toEqual({
+        vault: { url: `${ISSUER}/vault/default`, version: "0.3.0" },
+        "vault:default": { url: `${ISSUER}/vault/default`, version: "0.3.0" },
+      });
+    });
+
+    test("multi-vault hub with broad scope: emits every per-vault key + collapsed `vault`", () => {
+      // Broad `vault:read` admits every vault on the hub. Per-#247
+      // guidance: emit per-vault keys for all admitted vaults so the
+      // consumer (Notes popover) can pick its target by name without
+      // re-probing /.well-known/parachute.json.
+      expect(buildServicesCatalog(multiVaultManifest, ISSUER, ["vault:read"])).toEqual({
+        // Collapsed key still emitted (first admitted path); backwards compat.
+        vault: { url: `${ISSUER}/vault/default`, version: "0.4.4" },
+        "vault:default": { url: `${ISSUER}/vault/default`, version: "0.4.4" },
+        "vault:boulder": { url: `${ISSUER}/vault/boulder`, version: "0.4.4" },
+        "vault:gitcoin": { url: `${ISSUER}/vault/gitcoin`, version: "0.4.4" },
+        "vault:techne": { url: `${ISSUER}/vault/techne`, version: "0.4.4" },
+      });
+    });
+
+    test("multi-vault hub with per-vault scope: only that vault's per-vault key", () => {
+      // Aaron's "Connect boulder" flow: token has `vault:boulder:write`,
+      // scope admits only boulder. Pre-#247 the catalog said `vault.url =
+      // /vault/default` (WRONG), so Notes stored a /vault/default record
+      // with scope `vault:boulder:write` — collision city as more vaults
+      // got connected. Post-#247 the consumer reads
+      // `services["vault:boulder"].url` which correctly says /vault/boulder.
+      expect(buildServicesCatalog(multiVaultManifest, ISSUER, ["vault:boulder:write"])).toEqual({
+        // Collapsed `vault` points at boulder too — the only admitted
+        // vault — so legacy consumers happen to land on the right URL even
+        // though they have no per-vault awareness.
+        vault: { url: `${ISSUER}/vault/boulder`, version: "0.4.4" },
+        "vault:boulder": { url: `${ISSUER}/vault/boulder`, version: "0.4.4" },
+      });
+    });
+
+    test("multi-vault hub with mixed scopes: per-vault keys for each narrowed vault", () => {
+      // A token granting both `vault:boulder:read` and `vault:gitcoin:write`
+      // admits exactly those two vaults; default and techne aren't reachable.
+      expect(
+        buildServicesCatalog(multiVaultManifest, ISSUER, [
+          "vault:boulder:read",
+          "vault:gitcoin:write",
+        ]),
+      ).toEqual({
+        vault: { url: `${ISSUER}/vault/boulder`, version: "0.4.4" },
+        "vault:boulder": { url: `${ISSUER}/vault/boulder`, version: "0.4.4" },
+        "vault:gitcoin": { url: `${ISSUER}/vault/gitcoin`, version: "0.4.4" },
+      });
+    });
+
+    test("multi-vault hub: broad + per-vault scopes coexist; broad opens all vaults", () => {
+      // A token that carries BOTH `vault:read` (broad) AND
+      // `vault:boulder:write` (narrow) should land in the broad bucket
+      // because the broad scope is more permissive — narrowing one verb
+      // can't take away access the unnamed scope already granted.
+      expect(
+        buildServicesCatalog(multiVaultManifest, ISSUER, ["vault:read", "vault:boulder:write"]),
+      ).toEqual({
+        vault: { url: `${ISSUER}/vault/default`, version: "0.4.4" },
+        "vault:default": { url: `${ISSUER}/vault/default`, version: "0.4.4" },
+        "vault:boulder": { url: `${ISSUER}/vault/boulder`, version: "0.4.4" },
+        "vault:gitcoin": { url: `${ISSUER}/vault/gitcoin`, version: "0.4.4" },
+        "vault:techne": { url: `${ISSUER}/vault/techne`, version: "0.4.4" },
+      });
+    });
+
+    test("legacy per-vault rows (parachute-vault-<name>) also produce per-vault keys", () => {
+      // Older multi-vault layout — one row per vault — should produce the
+      // same catalog shape as the single-row-multi-path layout. The
+      // `vaultInstanceNameFor` helper handles both via its
+      // manifest-suffix fallback.
+      const legacyManifest: ServicesManifest = {
+        services: [
+          {
+            name: "parachute-vault",
+            port: 1940,
+            paths: ["/vault/default"],
+            health: "/health",
+            version: "0.4.4",
+          },
+          {
+            name: "parachute-vault-work",
+            port: 1941,
+            paths: ["/vault/work"],
+            health: "/health",
+            version: "0.4.4",
+          },
+        ],
+      };
+      expect(buildServicesCatalog(legacyManifest, ISSUER, ["vault:read"])).toEqual({
+        vault: { url: `${ISSUER}/vault/default`, version: "0.4.4" },
+        "vault:default": { url: `${ISSUER}/vault/default`, version: "0.4.4" },
+        "vault:work": { url: `${ISSUER}/vault/work`, version: "0.4.4" },
+      });
+    });
+
+    test("non-vault services unaffected — only one key per service, no per-instance variant", () => {
+      // The per-vault-key expansion is vault-specific. scribe / notes /
+      // third-party rows still emit one key per service.
+      expect(
+        buildServicesCatalog(FIXTURE_MANIFEST, ISSUER, [
+          "vault:default:read",
+          "scribe:transcribe",
+          "notes:read",
+        ]),
+      ).toEqual({
+        vault: { url: `${ISSUER}/vault/default`, version: "0.3.0" },
+        "vault:default": { url: `${ISSUER}/vault/default`, version: "0.3.0" },
+        scribe: { url: `${ISSUER}/scribe`, version: "0.3.0-rc.1" },
+        notes: { url: `${ISSUER}/notes`, version: "0.3.0" },
+      });
+    });
+  });
 });
 
 // closes #72 — RFC 6749 §3.2.1 + §2.3.1: confidential clients must
@@ -2054,6 +2237,76 @@ describe("DCR approval gate (#74)", () => {
       const html = await res.text();
       expect(html).toContain("App not yet approved");
       expect(html).toContain("approve-client");
+      // No vault hint → no vault row in approve-meta. Single-vault hubs +
+      // pre-vault-popover clients leave the section omitted (#244).
+      expect(html).not.toContain('approve-meta-label">vault');
+    } finally {
+      cleanup();
+    }
+  });
+
+  // closes #244 — vault hint surfaced in approve-pending UI. Notes#115
+  // passes `vault=<name>` on `/oauth/authorize` for per-vault grants; hub's
+  // approve page now displays it alongside the other client metadata so a
+  // multi-vault operator can tell which vault they're approving for.
+  test("authorize: pending client with vault hint → approve UI renders 'vault: <name>'", async () => {
+    const { db, cleanup } = await makeDb();
+    try {
+      const reg = registerClient(db, {
+        redirectUris: ["https://app.example/cb"],
+        status: "pending",
+      });
+      const { challenge } = makePkce();
+      const req = new Request(
+        authorizeUrl({
+          client_id: reg.client.clientId,
+          redirect_uri: "https://app.example/cb",
+          response_type: "code",
+          code_challenge: challenge,
+          code_challenge_method: "S256",
+          scope: "vault:read",
+          vault: "boulder",
+        }),
+      );
+      const res = handleAuthorizeGet(db, req, { issuer: ISSUER });
+      expect(res.status).toBe(403);
+      const html = await res.text();
+      expect(html).toContain("App not yet approved");
+      // The vault hint surfaces as a labeled row in the approve-meta block.
+      expect(html).toContain('approve-meta-label">vault');
+      expect(html).toContain("boulder");
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("authorize: pending client with empty vault param → no vault row", async () => {
+    // Defensive: `vault=` with empty value normalizes to undefined so the
+    // UI doesn't render a blank vault label. Easy to hit if a client builds
+    // the URL via URLSearchParams.set("vault", someMaybeEmptyVar).
+    const { db, cleanup } = await makeDb();
+    try {
+      const reg = registerClient(db, {
+        redirectUris: ["https://app.example/cb"],
+        status: "pending",
+      });
+      const { challenge } = makePkce();
+      const req = new Request(
+        authorizeUrl({
+          client_id: reg.client.clientId,
+          redirect_uri: "https://app.example/cb",
+          response_type: "code",
+          code_challenge: challenge,
+          code_challenge_method: "S256",
+          scope: "vault:read",
+          vault: "",
+        }),
+      );
+      const res = handleAuthorizeGet(db, req, { issuer: ISSUER });
+      expect(res.status).toBe(403);
+      const html = await res.text();
+      expect(html).toContain("App not yet approved");
+      expect(html).not.toContain('approve-meta-label">vault');
     } finally {
       cleanup();
     }
@@ -2103,6 +2356,13 @@ describe("DCR approval gate (#74)", () => {
       const body = (await res.json()) as Record<string, unknown>;
       expect(body.error).toBe("invalid_client");
       expect(body.error_description).toContain("not been approved");
+      // Surface the inline-approval affordances so consumers (Notes, future
+      // cross-origin SPAs) can deep-link the operator to a browser-based
+      // approve flow without dropping to a terminal.
+      expect(body.approve_url).toBe(
+        `${ISSUER}/admin/approve-client/${encodeURIComponent(reg.client.clientId)}`,
+      );
+      expect(body.cli_alternative).toBe(`parachute auth approve-client ${reg.client.clientId}`);
     } finally {
       cleanup();
     }
@@ -2132,6 +2392,13 @@ describe("DCR approval gate (#74)", () => {
       expect(res.status).toBe(401);
       const body = (await res.json()) as Record<string, unknown>;
       expect(body.error).toBe("invalid_client");
+      // Same pending-affordance shape on the refresh path: a long-lived
+      // OAuth client whose row was unapproved between issuance and refresh
+      // hits this branch and surfaces the same approve_url + cli_alternative.
+      expect(body.approve_url).toBe(
+        `${ISSUER}/admin/approve-client/${encodeURIComponent(reg.client.clientId)}`,
+      );
+      expect(body.cli_alternative).toBe(`parachute auth approve-client ${reg.client.clientId}`);
     } finally {
       cleanup();
     }
@@ -2309,7 +2576,7 @@ describe("DCR auto-approve via session cookie (#199)", () => {
     // Sandbox iframes (`<iframe sandbox>` without `allow-same-origin`),
     // `data:`/`file:` documents, and some privacy contexts send the literal
     // string `Origin: null` rather than omitting the header. `new URL("null")`
-    // throws → originMatchesIssuer's try/catch returns false → DCR stays
+    // throws → isSameOriginRequest's try/catch returns false → DCR stays
     // pending. This test pins that invariant: an opaque-origin caller does
     // NOT ride the cookie path even with a valid session, because we can't
     // prove the request came from the issuer's own origin.
@@ -2944,6 +3211,115 @@ describe("refresh-token rotation + /oauth/revoke (#73)", () => {
 // to the auth-code redirect. Strict superset (incremental scope) and
 // revoked grants still show consent.
 describe("handleAuthorizeGet — skip consent when scope already granted (#75)", () => {
+  // hub#236 — pin the full silent-approve flow end-to-end in one test.
+  // The per-branch tests below this one cover individual branches (subset,
+  // superset, revoke, unnamed-vault, re-registered-client); this test
+  // walks the operator-visible state machine in a single body so a
+  // regression at any step surfaces immediately, and the JSDoc on
+  // handleAuthorizeGet's silent-approve flow (1-5) has a single load-
+  // bearing test to point at.
+  test("first-use consent → silent-approve → novel-scope re-prompts (full silent-approve flow, #236)", async () => {
+    const { db, cleanup } = await makeDb();
+    try {
+      const user = await createUser(db, "owner", "pw");
+      const session = createSession(db, { userId: user.id });
+      const reg = registerClient(db, { redirectUris: ["https://app.example/cb"] });
+      const { challenge } = makePkce();
+      const sessionCookie = buildSessionCookie(session.id, 86400);
+
+      // Step 1: first use — no grant exists; consent screen renders.
+      const firstReq = new Request(
+        authorizeUrl({
+          client_id: reg.client.clientId,
+          redirect_uri: "https://app.example/cb",
+          response_type: "code",
+          scope: "vault:default:read",
+          code_challenge: challenge,
+          code_challenge_method: "S256",
+          state: "step1",
+        }),
+        { headers: { cookie: sessionCookie } },
+      );
+      const firstRes = handleAuthorizeGet(db, firstReq, { issuer: ISSUER });
+      expect(firstRes.status).toBe(200);
+      expect(firstRes.headers.get("content-type")).toContain("text/html");
+
+      // Step 1b: user approves via the consent form — grant gets recorded.
+      const consentRes = await handleAuthorizePost(
+        db,
+        new Request(`${ISSUER}/oauth/authorize`, {
+          method: "POST",
+          body: new URLSearchParams({
+            __action: "consent",
+            __csrf: TEST_CSRF,
+            approve: "yes",
+            client_id: reg.client.clientId,
+            redirect_uri: "https://app.example/cb",
+            response_type: "code",
+            scope: "vault:default:read",
+            code_challenge: challenge,
+            code_challenge_method: "S256",
+          }),
+          headers: {
+            "content-type": "application/x-www-form-urlencoded",
+            cookie: `${CSRF_COOKIE}; ${sessionCookie}`,
+          },
+        }),
+        { issuer: ISSUER },
+      );
+      expect(consentRes.status).toBe(302);
+
+      // Step 2: subsequent use, same scopes — silent-approve fires.
+      // Authoritative assertion: 302 redirect with auth code, NOT a 200
+      // HTML consent screen. This is the operator-visible payoff.
+      const secondReq = new Request(
+        authorizeUrl({
+          client_id: reg.client.clientId,
+          redirect_uri: "https://app.example/cb",
+          response_type: "code",
+          scope: "vault:default:read",
+          code_challenge: challenge,
+          code_challenge_method: "S256",
+          state: "step2",
+        }),
+        { headers: { cookie: sessionCookie } },
+      );
+      const secondRes = handleAuthorizeGet(db, secondReq, { issuer: ISSUER });
+      expect(secondRes.status).toBe(302);
+      const secondLoc = new URL(secondRes.headers.get("location") ?? "");
+      expect(secondLoc.origin + secondLoc.pathname).toBe("https://app.example/cb");
+      expect(secondLoc.searchParams.get("code")?.length).toBeGreaterThan(20);
+      expect(secondLoc.searchParams.get("state")).toBe("step2");
+
+      // Step 3: subsequent use, novel scope NOT in the grant — gate must
+      // NOT fire; consent re-renders with the new scope explicit. This is
+      // the load-bearing security property: silent-approve must not
+      // silently approve scopes the user never consented to.
+      const novelReq = new Request(
+        authorizeUrl({
+          client_id: reg.client.clientId,
+          redirect_uri: "https://app.example/cb",
+          response_type: "code",
+          // Adds scribe:transcribe to the original vault:default:read.
+          scope: "vault:default:read scribe:transcribe",
+          code_challenge: challenge,
+          code_challenge_method: "S256",
+          state: "step3",
+        }),
+        { headers: { cookie: sessionCookie } },
+      );
+      const novelRes = handleAuthorizeGet(db, novelReq, { issuer: ISSUER });
+      expect(novelRes.status).toBe(200);
+      expect(novelRes.headers.get("content-type")).toContain("text/html");
+      const novelBody = await novelRes.text();
+      // The new scope appears on the consent page — the user must approve
+      // it explicitly.
+      expect(novelBody).toContain("scribe:transcribe");
+    } finally {
+      cleanup();
+    }
+  });
+
   test("first approval records grant; second flow with same scopes skips consent", async () => {
     const { db, cleanup } = await makeDb();
     try {
@@ -3556,7 +3932,7 @@ describe("inline approve button on pending /oauth/authorize (#208)", () => {
     // Opaque-origin contexts (sandboxed iframes, some `data:` and `file:`
     // pages) send the literal string "null" as the Origin header. The DCR
     // /register path covers this; the inline-approve endpoint must reject it
-    // too. originMatchesIssuer() handles this correctly because new URL("null")
+    // too. isSameOriginRequest() handles this correctly because new URL("null")
     // throws → returns false; this test pins that contract.
     const { db, cleanup } = await makeDb();
     try {
@@ -3846,3 +4222,144 @@ describe("inline approve button on pending /oauth/authorize (#208)", () => {
     }
   });
 });
+
+// DCR first-client auto-approve window (hub#268 Item 3). The wizard's
+// expose-step POST opens a 60-minute window where the very next
+// `/oauth/register` registration is auto-approved + the window cleared.
+// Single-use: client #2 within the same window falls through to the
+// standard pending-approval flow.
+describe("DCR first-client auto-approve window (hub#268 Item 3)", () => {
+  function registerRequest(): Request {
+    return new Request(`${ISSUER}/oauth/register`, {
+      method: "POST",
+      body: JSON.stringify({
+        redirect_uris: ["https://app.example/cb"],
+        client_name: "first-client",
+      }),
+      headers: { "content-type": "application/json" },
+    });
+  }
+
+  test("client registered within the open window → status approved + window cleared", async () => {
+    const { db, cleanup } = await makeDb();
+    try {
+      const t0 = new Date("2026-05-19T00:00:00.000Z");
+      openFirstClientAutoApproveWindow(db, () => t0);
+      const res = await handleRegister(db, registerRequest(), {
+        issuer: ISSUER,
+        now: () => t0,
+      });
+      expect(res.status).toBe(201);
+      const body = (await res.json()) as Record<string, unknown>;
+      expect(body.status).toBe("approved");
+      // Persisted, not just response-shaped.
+      const row = getClient(db, body.client_id as string);
+      expect(row?.status).toBe("approved");
+      // Window cleared on consume (single-use).
+      expect(getSetting(db, "pending_first_client_auto_approve_until")).toBeUndefined();
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("client registered AFTER the window has expired → status pending", async () => {
+    const { db, cleanup } = await makeDb();
+    try {
+      const t0 = new Date("2026-05-19T00:00:00.000Z");
+      openFirstClientAutoApproveWindow(db, () => t0);
+      const past = new Date(t0.getTime() + FIRST_CLIENT_AUTO_APPROVE_WINDOW_MS + 1);
+      const res = await handleRegister(db, registerRequest(), {
+        issuer: ISSUER,
+        now: () => past,
+      });
+      expect(res.status).toBe(201);
+      const body = (await res.json()) as Record<string, unknown>;
+      expect(body.status).toBe("pending");
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("second client within window after first auto-approved → status pending (single-use)", async () => {
+    const { db, cleanup } = await makeDb();
+    try {
+      const t0 = new Date("2026-05-19T00:00:00.000Z");
+      openFirstClientAutoApproveWindow(db, () => t0);
+      // Client #1: approved.
+      const res1 = await handleRegister(db, registerRequest(), {
+        issuer: ISSUER,
+        now: () => t0,
+      });
+      const body1 = (await res1.json()) as Record<string, unknown>;
+      expect(body1.status).toBe("approved");
+      // Client #2 within the (still-not-expired) window: pending.
+      const stillWithinWindow = new Date(t0.getTime() + 30 * 60 * 1000);
+      const res2 = await handleRegister(db, registerRequest(), {
+        issuer: ISSUER,
+        now: () => stillWithinWindow,
+      });
+      const body2 = (await res2.json()) as Record<string, unknown>;
+      expect(body2.status).toBe("pending");
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("no window set → status pending (default public-DCR flow)", async () => {
+    const { db, cleanup } = await makeDb();
+    try {
+      const res = await handleRegister(db, registerRequest(), { issuer: ISSUER });
+      const body = (await res.json()) as Record<string, unknown>;
+      expect(body.status).toBe("pending");
+      // Settings row untouched.
+      expect(getSetting(db, "pending_first_client_auto_approve_until")).toBeUndefined();
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("operator-bearer auto-approve still takes precedence over the window (no double-consume)", async () => {
+    // Bearer-authenticated registration approves directly; the
+    // auto-approve window should NOT be consumed in that case — it's
+    // still available for the first un-authenticated client.
+    const { db, cleanup } = await makeDb();
+    try {
+      const t0 = new Date("2026-05-19T00:00:00.000Z");
+      openFirstClientAutoApproveWindow(db, () => t0);
+      // We can't easily mint an operator bearer in this test layer, so
+      // simulate by using the session-cookie path (issuer-trusted) which
+      // also auto-approves before falling through to the window check.
+      const user = await createUser(db, "owner", "pw");
+      const session = createSession(db, { userId: user.id });
+      const req = new Request(`${ISSUER}/oauth/register`, {
+        method: "POST",
+        body: JSON.stringify({ redirect_uris: ["https://app.example/cb"] }),
+        headers: {
+          "content-type": "application/json",
+          cookie: buildSessionCookie(session.id, Math.floor(SESSION_TTL_MS / 1000)),
+          origin: ISSUER,
+        },
+      });
+      const res = await handleRegister(db, req, { issuer: ISSUER, now: () => t0 });
+      const body = (await res.json()) as Record<string, unknown>;
+      expect(body.status).toBe("approved");
+      // Window NOT consumed — still set, still open. The session-cookie
+      // path approved first, never reaching the window-consume code.
+      expect(getSetting(db, "pending_first_client_auto_approve_until")).toBeDefined();
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("malformed timestamp in the setting → treated as no-window, status pending", async () => {
+    const { db, cleanup } = await makeDb();
+    try {
+      setSetting(db, "pending_first_client_auto_approve_until", "not-a-real-iso-string");
+      const res = await handleRegister(db, registerRequest(), { issuer: ISSUER });
+      const body = (await res.json()) as Record<string, unknown>;
+      expect(body.status).toBe("pending");
+    } finally {
+      cleanup();
+    }
+  });
+});