@openparachute/hub 0.6.0 → 0.6.1-rc.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openparachute/hub",
-  "version": "0.6.0",
+  "version": "0.6.1-rc.2",
   "description": "parachute \u2014 the local hub for the Parachute ecosystem (discovery, ports, lifecycle, soon OAuth).",
   "license": "AGPL-3.0",
   "publishConfig": {

package/src/__tests__/auth.test.ts

@@ -1696,7 +1696,76 @@ describe("parachute auth mint-token", () => {
       expect(stdout.trim().split(".").length).toBe(3);
       expect(stderr).toContain("--ttl is deprecated");
       expect(stderr).toContain("--expires-in");
-      expect(stderr).toContain("0.6.0");
+      expect(stderr).toContain("future release");
+    } finally {
+      tmp.cleanup();
+    }
+  });
+
+  test("--ephemeral mints a short-lived (1h) token", async () => {
+    const tmp = makeTmp();
+    try {
+      const deps: AuthDeps = {
+        dbPath: tmp.dbPath,
+        configDir: tmp.dir,
+        isInteractive: () => false,
+      };
+      await captureOutput(() => auth(["set-password", "--password", "pw"], deps));
+      const { code, stdout } = await captureOutput(() =>
+        auth(["mint-token", "--scope", "vault:default:read", "--ephemeral"], deps),
+      );
+      expect(code).toBe(0);
+      const token = stdout.trim();
+      const db = openHubDb(tmp.dbPath);
+      try {
+        const validated = await validateAccessToken(db, token);
+        const exp = validated.payload.exp as number;
+        const iat = validated.payload.iat as number;
+        expect(exp - iat).toBe(60 * 60);
+      } finally {
+        db.close();
+      }
+    } finally {
+      tmp.cleanup();
+    }
+  });
+
+  test("--ephemeral is mutually exclusive with --expires-in", async () => {
+    const tmp = makeTmp();
+    try {
+      const deps: AuthDeps = {
+        dbPath: tmp.dbPath,
+        configDir: tmp.dir,
+        isInteractive: () => false,
+      };
+      await captureOutput(() => auth(["set-password", "--password", "pw"], deps));
+      const { code, stdout, stderr } = await captureOutput(() =>
+        auth(["mint-token", "--scope", "vault:read", "--ephemeral", "--expires-in", "3600"], deps),
+      );
+      expect(code).toBe(1);
+      expect(stderr).toContain("--ephemeral");
+      // No token leaked to stdout on the conflict error.
+      expect(stdout).toBe("");
+    } finally {
+      tmp.cleanup();
+    }
+  });
+
+  test("--ephemeral is mutually exclusive with the deprecated --ttl too", async () => {
+    const tmp = makeTmp();
+    try {
+      const deps: AuthDeps = {
+        dbPath: tmp.dbPath,
+        configDir: tmp.dir,
+        isInteractive: () => false,
+      };
+      await captureOutput(() => auth(["set-password", "--password", "pw"], deps));
+      const { code, stdout, stderr } = await captureOutput(() =>
+        auth(["mint-token", "--scope", "vault:read", "--ephemeral", "--ttl", "1h"], deps),
+      );
+      expect(code).toBe(1);
+      expect(stderr).toContain("--ephemeral");
+      expect(stdout).toBe("");
     } finally {
       tmp.cleanup();
     }

package/src/__tests__/oauth-handlers.test.ts

@@ -609,6 +609,207 @@ describe("handleAuthorizeGet — vault picker", () => {
   });
 });
 
+describe("handleAuthorizeGet — RFC 8707 resource binding drops foreign scopes (scary-consent fix)", () => {
+  // claude.ai connecting to ONE vault reads the hub's whole-hub AS-metadata
+  // `scopes_supported` and over-requests the full catalog. Bound to the vault
+  // resource (`aud=vault.<name>`), scribe/channel/hub scopes are unusable, so
+  // they must be DROPPED before consent — Aaron hit them as "a fuck ton of
+  // privileges that don't make sense" (scribe isn't even installed here).
+  const FOREIGN_AND_VAULT =
+    "vault:read vault:write scribe:transcribe scribe:admin channel:send hub:admin";
+
+  test("session consent for a vault MCP resource drops scribe/channel/hub scopes", async () => {
+    const { db, cleanup } = await makeDb();
+    try {
+      const user = await createUser(db, "owner", "pw");
+      const session = createSession(db, { userId: user.id });
+      const reg = registerClient(db, {
+        redirectUris: ["https://app.example/cb"],
+        clientName: "Claude",
+      });
+      const { challenge } = makePkce();
+      const req = new Request(
+        authorizeUrl({
+          client_id: reg.client.clientId,
+          redirect_uri: "https://app.example/cb",
+          response_type: "code",
+          code_challenge: challenge,
+          code_challenge_method: "S256",
+          scope: FOREIGN_AND_VAULT,
+          resource: `${ISSUER}/vault/default/mcp`,
+        }),
+        {
+          headers: {
+            cookie: `${CSRF_COOKIE}; ${buildSessionCookie(session.id, Math.floor(SESSION_TTL_MS / 1000))}`,
+          },
+        },
+      );
+      const res = handleAuthorizeGet(db, req, {
+        issuer: ISSUER,
+        loadServicesManifest: fixtureLoadServicesManifest,
+      });
+      // Renders consent (200) — NOT a 302 invalid_scope. Pre-fix the
+      // pass-through left non-requestable `hub:admin` + `scribe:admin` in the
+      // request, which the gate would reject; dropping them clears the gate.
+      expect(res.status).toBe(200);
+      const html = await res.text();
+      // Vault scopes survive, narrowed to the bound vault → picker is gone.
+      expect(html).not.toContain("Pick a vault");
+      expect(html).toContain("Create, edit, and delete notes, tags, and attachments."); // vault:write
+      // The foreign scopes are gone.
+      expect(html).not.toContain("Send audio to Scribe for transcription."); // scribe:transcribe
+      expect(html).not.toContain("Manage Scribe configuration"); // scribe:admin
+      expect(html).not.toContain("Post messages to your Channel."); // channel:send
+      expect(html).not.toContain("Manage hub identity"); // hub:admin
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("session-less 'App not yet approved' page also drops foreign scopes", async () => {
+    const { db, cleanup } = await makeDb();
+    try {
+      const reg = registerClient(db, {
+        redirectUris: ["https://app.example/cb"],
+        clientName: "Claude",
+        status: "pending",
+      });
+      const { challenge } = makePkce();
+      const req = new Request(
+        authorizeUrl({
+          client_id: reg.client.clientId,
+          redirect_uri: "https://app.example/cb",
+          response_type: "code",
+          code_challenge: challenge,
+          code_challenge_method: "S256",
+          scope: "vault:read scribe:transcribe channel:send",
+          resource: `${ISSUER}/vault/default/mcp`,
+        }),
+        // No session cookie → the unauth pending page renders.
+      );
+      const res = handleAuthorizeGet(db, req, {
+        issuer: ISSUER,
+        loadServicesManifest: fixtureLoadServicesManifest,
+      });
+      expect(res.status).toBe(403);
+      const html = await res.text();
+      expect(html).toContain("App not yet approved");
+      // Foreign scopes absent from the rendered rows...
+      expect(html).not.toContain("Send audio to Scribe for transcription.");
+      expect(html).not.toContain("Post messages to your Channel.");
+      // ...and from the login round-trip URL embedded in the page (the
+      // narrowed scope was written back onto `url` before this render).
+      expect(html).not.toContain("scribe:transcribe");
+      expect(html).not.toContain("channel:send");
+      expect(html).not.toContain("scribe%3Atranscribe");
+      expect(html).not.toContain("channel%3Asend");
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("a vault-bound request of ONLY non-vault scopes narrows to empty (consent, not invalid_scope)", async () => {
+    // Edge: a client over-asks but names zero vault scopes against a vault
+    // resource. Narrowing drops everything → empty scope. We render consent
+    // (zero scope rows) rather than a 302 invalid_scope; an empty grant is
+    // harmless and the operator can simply deny.
+    const { db, cleanup } = await makeDb();
+    try {
+      const user = await createUser(db, "owner", "pw");
+      const session = createSession(db, { userId: user.id });
+      const reg = registerClient(db, {
+        redirectUris: ["https://app.example/cb"],
+        clientName: "Claude",
+      });
+      const { challenge } = makePkce();
+      const req = new Request(
+        authorizeUrl({
+          client_id: reg.client.clientId,
+          redirect_uri: "https://app.example/cb",
+          response_type: "code",
+          code_challenge: challenge,
+          code_challenge_method: "S256",
+          scope: "scribe:transcribe channel:send",
+          resource: `${ISSUER}/vault/default/mcp`,
+        }),
+        {
+          headers: {
+            cookie: `${CSRF_COOKIE}; ${buildSessionCookie(session.id, Math.floor(SESSION_TTL_MS / 1000))}`,
+          },
+        },
+      );
+      const res = handleAuthorizeGet(db, req, {
+        issuer: ISSUER,
+        loadServicesManifest: fixtureLoadServicesManifest,
+      });
+      expect(res.status).toBe(200);
+      const html = await res.text();
+      expect(html).not.toContain("Send audio to Scribe for transcription.");
+      expect(html).not.toContain("Post messages to your Channel.");
+    } finally {
+      cleanup();
+    }
+  });
+
+  test("trust-by-client_name no longer re-prompts when the request over-asks the whole-hub catalog", async () => {
+    // Before the narrowing was moved ahead of the status branch, the
+    // trust-by-client_name coverage check compared the RAW request
+    // (`vault:read scribe:transcribe channel:send`) against a vault-only prior
+    // grant — never matched — re-prompting consent every session for a client
+    // the operator had already approved. Narrowing first makes the comparison
+    // vault-only-vs-vault-only, so the silent re-link fires.
+    const { db, cleanup } = await makeDb();
+    try {
+      const user = await createUser(db, "owner", "pw");
+      const session = createSession(db, { userId: user.id });
+      // Prior approval under client_name "Claude" (an earlier DCR client_id).
+      const oldReg = registerClient(db, {
+        redirectUris: ["https://app.example/cb"],
+        clientName: "Claude",
+      });
+      const { recordGrant } = await import("../grants.ts");
+      recordGrant(db, user.id, oldReg.client.clientId, ["vault:default:read"]);
+      // Fresh per-session DCR: new client_id, same name, pending.
+      const newReg = registerClient(db, {
+        redirectUris: ["https://app.example/cb"],
+        clientName: "Claude",
+        status: "pending",
+      });
+      expect(newReg.client.clientId).not.toBe(oldReg.client.clientId);
+      const { challenge } = makePkce();
+      const req = new Request(
+        authorizeUrl({
+          client_id: newReg.client.clientId,
+          redirect_uri: "https://app.example/cb",
+          response_type: "code",
+          code_challenge: challenge,
+          code_challenge_method: "S256",
+          scope: "vault:read scribe:transcribe channel:send",
+          resource: `${ISSUER}/vault/default/mcp`,
+        }),
+        {
+          headers: {
+            // Same-origin → the trust-by-client_name carry-over is allowed.
+            origin: ISSUER,
+            cookie: `${CSRF_COOKIE}; ${buildSessionCookie(session.id, Math.floor(SESSION_TTL_MS / 1000))}`,
+          },
+        },
+      );
+      const res = handleAuthorizeGet(db, req, {
+        issuer: ISSUER,
+        loadServicesManifest: fixtureLoadServicesManifest,
+      });
+      // Silent re-link: 302 back to the client with a code — NOT a 200 re-prompt.
+      expect(res.status).toBe(302);
+      const loc = res.headers.get("location") ?? "";
+      expect(loc).toContain("https://app.example/cb");
+      expect(loc).toContain("code=");
+    } finally {
+      cleanup();
+    }
+  });
+});
+
 describe("handleAuthorizePost — vault picker", () => {
   test("approve with vault_pick narrows vault:read → vault:<picked>:read in the issued JWT", async () => {
     const { db, cleanup } = await makeDb();

package/src/__tests__/resource-binding.test.ts

@@ -77,16 +77,42 @@ describe("narrowResourceVaultScopes", () => {
     expect(narrowResourceVaultScopes(["vault:other:read"], "jon")).toEqual(["vault:other:read"]);
   });
 
-  test("passes non-vault scopes through unchanged", () => {
-    expect(narrowResourceVaultScopes(["scribe:transcribe", "vault:read"], "jon")).toEqual([
-      "scribe:transcribe",
-      "vault:jon:read",
-    ]);
-  });
-
-  test("narrows the admin verb too (gate happens downstream)", () => {
-    // narrowResourceVaultScopes only rewrites shape; the non-requestable gate
-    // (`vault:<name>:admin`) blocks it afterward.
+  test("drops non-vault scopes — unusable in a vault-audience token", () => {
+    // A vault-bound flow mints `aud=vault.jon`; scribe/channel/hub scopes
+    // inside that token are dead weight, so they're removed rather than shown
+    // on the consent screen.
+    expect(
+      narrowResourceVaultScopes(
+        ["scribe:transcribe", "channel:send", "hub:admin", "vault:read"],
+        "jon",
+      ),
+    ).toEqual(["vault:jon:read"]);
+  });
+
+  test("a one-vault connection drops the whole-hub catalog claude.ai over-requests", () => {
+    // claude.ai reads the hub AS-metadata `scopes_supported` (the full
+    // catalog) and requests all of it. Bound to one vault, only that vault's
+    // verbs survive — no scribe (uninstalled) or channel:send on the consent.
+    // Regression lock for the "scary consent" bug.
+    expect(
+      narrowResourceVaultScopes(
+        [
+          "vault:read",
+          "vault:write",
+          "vault:admin",
+          "scribe:admin",
+          "scribe:transcribe",
+          "channel:send",
+          "hub:admin",
+        ],
+        "default",
+      ),
+    ).toEqual(["vault:default:read", "vault:default:write", "vault:default:admin"]);
+  });
+
+  test("narrows the admin verb too (requestable-scope gate decides downstream)", () => {
+    // narrowResourceVaultScopes only rewrites shape; `vault:<name>:admin` is
+    // requestable post-#484, so this named form survives the downstream gate.
     expect(narrowResourceVaultScopes(["vault:admin"], "jon")).toEqual(["vault:jon:admin"]);
   });
 

package/src/commands/auth.ts

@@ -120,10 +120,13 @@ Usage:
                                        Mint a fresh ~/.parachute/operator.token
                                        (set = install|start|expose|auth|vault|admin,
                                        default admin)
-  parachute auth mint-token --scope <scope> [--aud <aud>] [--expires-in <seconds>]
+  parachute auth mint-token --scope <scope> [--aud <aud>]
+                                            [--ephemeral | --expires-in <seconds>]
                                             [--sub <sub>] [--permissions <json>]
                                        Mint a scope-narrow JWT against the
                                        operator's identity (stdout = JWT).
+                                       --ephemeral = short-lived (1h), ideal for
+                                       scripting; default lifetime is 90d.
                                        --ttl <duration> is the deprecated
                                        alias (use --expires-in seconds).
   parachute auth revoke-token <jti>    Mark a registry-row token revoked
@@ -194,6 +197,12 @@ audience defaults via the same inference rule the OAuth flow uses
 colon-prefixed scope's namespace, fallback \`hub\`). Lifetime defaults
 to 90d, caps at 365d.
 
+--ephemeral mints a short-lived (1h) token — the right default for
+scripting, where the credential only needs to outlive the script run.
+Prefer it over a long-lived token for one-off automation:
+\`parachute auth mint-token --scope vault:default:read --ephemeral\`.
+Mutually exclusive with --expires-in / --ttl.
+
 --scope accepts space-separated multi-scope (e.g.
 \`--scope "vault:default:read agent:wovenboulder:invoke"\`).
 
@@ -201,7 +210,7 @@ to 90d, caps at 365d.
 \`--expires-in 86400\` for 1 day). The legacy \`--ttl\` flag accepts a
 duration suffix (\`90d\` / \`24h\` / \`30m\` / \`60s\`) and is supported as
 a deprecated alias; passing it emits a one-line stderr deprecation
-notice. \`--ttl\` will be removed in 0.6.0.
+notice. \`--ttl\` will be removed in a future release.
 
 --permissions accepts a JSON object encoding fine-grained constraints
 beyond OAuth scope (e.g.
@@ -748,6 +757,8 @@ interface MintTokenFlags {
   permissions?: string;
   /** True when --ttl was used (deprecated alias). Triggers a one-line stderr warning. */
   ttlDeprecationSeen?: boolean;
+  /** --ephemeral: short-lived token (EPHEMERAL_TTL_SECONDS), the scripting default. */
+  ephemeral?: boolean;
   error?: string;
 }
 
@@ -759,6 +770,7 @@ function parseMintTokenFlags(args: readonly string[]): MintTokenFlags {
   let sub: string | undefined;
   let permissions: string | undefined;
   let ttlDeprecationSeen = false;
+  let ephemeral = false;
   for (let i = 0; i < args.length; i++) {
     const a = args[i];
     if (a === "--scope") {
@@ -805,6 +817,8 @@ function parseMintTokenFlags(args: readonly string[]): MintTokenFlags {
     } else if (a?.startsWith("--permissions=")) {
       permissions = a.slice("--permissions=".length);
       if (!permissions) return { error: "--permissions requires a value" };
+    } else if (a === "--ephemeral") {
+      ephemeral = true;
     } else {
       return { error: `unknown flag "${a}"` };
     }
@@ -812,11 +826,21 @@ function parseMintTokenFlags(args: readonly string[]): MintTokenFlags {
   if (ttl !== undefined && expiresIn !== undefined) {
     return { error: "pass --expires-in OR --ttl, not both (--ttl is the deprecated alias)" };
   }
-  return { scope, aud, ttl, expiresIn, sub, permissions, ttlDeprecationSeen };
+  if (ephemeral && (ttl !== undefined || expiresIn !== undefined)) {
+    return {
+      error: "pass --ephemeral OR an explicit lifetime (--expires-in/--ttl), not both",
+    };
+  }
+  return { scope, aud, ttl, expiresIn, sub, permissions, ttlDeprecationSeen, ephemeral };
 }
 
 const MINT_TOKEN_TTL_DEFAULT_SECONDS = 90 * 24 * 60 * 60;
 const MINT_TOKEN_TTL_MAX_SECONDS = 365 * 24 * 60 * 60;
+// --ephemeral: short-lived token for scripting, where the credential only needs
+// to outlive the script run. 1h is long enough to mint → iterate → run, short
+// enough that a leaked scripting token isn't a standing liability like the 90d
+// default would be.
+const EPHEMERAL_TTL_SECONDS = 60 * 60;
 
 /**
  * Parse a Go-ish duration string: integer + one of d/h/m/s. Caps at 365d.
@@ -870,7 +894,7 @@ async function runMintToken(args: readonly string[], deps: AuthDeps): Promise<nu
   if (!flags.scope) {
     console.error("parachute auth mint-token: --scope is required");
     console.error(
-      "usage: parachute auth mint-token --scope <scope> [--aud <aud>] [--expires-in <seconds>] [--sub <sub>] [--permissions <json>]",
+      "usage: parachute auth mint-token --scope <scope> [--aud <aud>] [--ephemeral | --expires-in <seconds>] [--sub <sub>] [--permissions <json>]",
     );
     return 1;
   }
@@ -918,7 +942,11 @@ async function runMintToken(args: readonly string[], deps: AuthDeps): Promise<nu
   }
 
   let ttlSeconds = MINT_TOKEN_TTL_DEFAULT_SECONDS;
-  if (flags.expiresIn) {
+  if (flags.ephemeral) {
+    // Short-lived scripting default — takes precedence (the parse layer already
+    // rejected --ephemeral alongside an explicit --expires-in/--ttl).
+    ttlSeconds = EPHEMERAL_TTL_SECONDS;
+  } else if (flags.expiresIn) {
     const parsed = parseExpiresIn(flags.expiresIn);
     if ("error" in parsed) {
       console.error(`parachute auth mint-token: ${parsed.error}`);
@@ -935,7 +963,7 @@ async function runMintToken(args: readonly string[], deps: AuthDeps): Promise<nu
   }
   if (flags.ttlDeprecationSeen) {
     console.error(
-      "parachute auth mint-token: --ttl is deprecated; use --expires-in <seconds> instead (will be removed in 0.6.0)",
+      "parachute auth mint-token: --ttl is deprecated; use --expires-in <seconds> instead (will be removed in a future release)",
     );
   }
 

package/src/oauth-handlers.ts

@@ -844,6 +844,47 @@ export function handleAuthorizeGet(db: Database, req: Request, deps: OAuthDeps):
     // localStorage, the recovery is "clear that key and reload the SPA").
     return unknownClientResponse(parsed.clientId, parsed.redirectUri, deps);
   }
+
+  // RFC 8707 resource binding. When the client named a per-vault MCP resource
+  // (`<origin>/vault/<name>/mcp` or its PRM URL), narrow the requested scopes
+  // to that vault BEFORE the pending/consent branches below, so EVERY
+  // downstream consumer sees the narrowed set:
+  //
+  //   1. The consent screen — and the session-less "App not yet approved"
+  //      page (`pendingClientResponse`) — shows ONLY that vault's scopes
+  //      instead of the whole-hub catalog. Narrowing DROPS non-vault scopes
+  //      (`scribe:*`, `channel:send`, `hub:admin`) outright: the token this
+  //      flow mints is stamped `aud=vault.<name>`, so they're unusable inside
+  //      it and only inflate the consent surface — the exact "scary consent"
+  //      a friend hit connecting Claude to ONE vault (scribe isn't even
+  //      installed; `channel:send` is meaningless to them).
+  //   2. The minted token carries the named scope, so `inferAudience` stamps
+  //      `aud=vault.<name>` and a current-line vault accepts it (an unnamed
+  //      `vault:read` token is rejected by `findBroadVaultScopes`).
+  //   3. The trust-by-client_name coverage checks (the auto-approve branch
+  //      below + the one inside `pendingClientResponse`) compare the narrowed
+  //      request against the narrowed prior grant. Before this ran early they
+  //      compared the RAW whole-hub request against a vault-only grant, never
+  //      matched, and re-prompted consent every session for a client the
+  //      operator had already approved.
+  //
+  // We rewrite both `parsed.scope` (consent/grant/mint read it) AND the `url`
+  // scope param (`pendingClientResponse` + its login round-trip read it off
+  // the URL) so the two never diverge. Re-entry after login re-narrows
+  // idempotently (no foreign scopes left to drop).
+  //
+  // No resource, or one that isn't a per-vault MCP resource (off-origin,
+  // malformed, non-vault path) → `boundVault` is null and the flow is
+  // byte-for-byte the pre-#461 behavior (manual picker, etc.).
+  const boundVault = resolveResourceVault(parsed.resource, resolveBoundOrigins(deps));
+  if (boundVault) {
+    parsed.scope = narrowResourceVaultScopes(
+      parsed.scope.split(" ").filter((s) => s.length > 0),
+      boundVault,
+    ).join(" ");
+    url.searchParams.set("scope", parsed.scope);
+  }
+
   if (client.status !== "approved") {
     // Single-consent change (2026-05-29): the separate operator "approve this
     // client" gate is retired — the user's OAuth consent IS the authorization.
@@ -921,41 +962,6 @@ export function handleAuthorizeGet(db: Database, req: Request, deps: OAuthDeps):
     );
   }
 
-  // RFC 8707 resource binding. When the client named a per-vault MCP
-  // resource (`<origin>/vault/<name>/mcp` or its PRM URL), narrow the
-  // requested vault verbs to the named `vault:<name>:<verb>` form BEFORE any
-  // downstream processing. Two effects:
-  //
-  //   1. The consent screen shows ONLY that vault's scopes (the picker locks
-  //      to <name>) instead of the whole-hub catalog — a friend connecting to
-  //      one vault no longer sees `hub:admin`, `scribe:admin`, or every other
-  //      vault's verbs.
-  //   2. The minted token carries the named scope, so `inferAudience` stamps
-  //      `aud=vault.<name>` and a current-line vault accepts it (an unnamed
-  //      `vault:read` token is rejected by `findBroadVaultScopes`).
-  //
-  // Narrowing happens before the non-requestable gate (below) on purpose: if
-  // a resource-bound client somehow asked for `vault:admin`, narrowing makes
-  // it `vault:<name>:admin`, which IS non-requestable — so the gate correctly
-  // blocks it. Read/write narrow to the requestable named form. Non-vault
-  // scopes and already-named scopes for other vaults pass through unchanged.
-  //
-  // No resource, or a resource that isn't one of our per-vault MCP resources
-  // (off-origin, malformed, non-vault path) → `boundVault` is null and the
-  // flow is byte-for-byte the pre-#461 behavior (manual picker, etc.).
-  const boundVault = resolveResourceVault(parsed.resource, resolveBoundOrigins(deps));
-  if (boundVault) {
-    const narrowed = narrowResourceVaultScopes(
-      parsed.scope.split(" ").filter((s) => s.length > 0),
-      boundVault,
-    );
-    // Rewrite `parsed.scope` so the narrowed named scopes flow through every
-    // downstream consumer: the login-redirect query round-trip, the consent
-    // props + hidden inputs, the skip-consent grant lookup, and the
-    // auth-code mint.
-    parsed.scope = narrowed.join(" ");
-  }
-
   // Operator-only scope gate (#96). Reject any request that names a scope
   // we'll never mint via this flow — `parachute:host:admin` and friends.
   // Per RFC 6749 §4.1.2.1, errors that aren't redirect-uri-related are

package/src/resource-binding.ts

@@ -109,26 +109,41 @@ function decodeVaultName(segment: string): string | null {
 }
 
 /**
- * Rewrite the requested scope list for a resource-bound vault flow.
+ * Rewrite the requested scope list for a resource-bound vault flow, returning
+ * ONLY scopes usable in the resulting vault-audience token:
  *
  *   - unnamed `vault:<verb>`        → `vault:<name>:<verb>` (the narrow,
  *     audience-correct shape vault accepts);
  *   - already-named `vault:<other>:<verb>` is LEFT UNTOUCHED — a client that
  *     explicitly named a different vault is not silently re-pointed; the
  *     downstream picker / assignment defenses decide whether that's allowed.
- *   - non-vault scopes (`scribe:transcribe`, `hub:admin`, …) pass through
- *     unchanged — resource-binding only narrows the vault verbs.
+ *   - non-vault scopes (`scribe:*`, `channel:send`, `hub:admin`, …) are
+ *     DROPPED. This flow mints a token stamped `aud=vault.<name>` (RFC 8707),
+ *     so a scribe/channel/hub scope inside it is unusable — keeping it only
+ *     inflates the consent surface a friend sees when connecting ONE vault.
+ *     That "scary consent" is the failure mode this module exists to kill
+ *     (see the header docstring): the verb-narrowing alone left the foreign
+ *     scopes riding through, so a client that over-requests the whole-hub
+ *     catalog (claude.ai reads it from the AS-metadata `scopes_supported`)
+ *     still surfaced `scribe:admin` + `channel:send` on the consent screen.
+ *     A client that genuinely wants a scribe token runs a separate flow
+ *     naming the scribe resource.
  *
- * Idempotent: a scope already shaped `vault:<name>:<verb>` for THIS name is
- * returned as-is, so re-running over a narrowed list is a no-op.
+ * Idempotent: an already-narrowed list contains only `vault:` scopes, so a
+ * second pass has nothing left to drop and `vault:<name>:<verb>` for THIS name
+ * is returned as-is.
  */
 export function narrowResourceVaultScopes(scopes: readonly string[], vaultName: string): string[] {
-  return scopes.map((s) => {
+  const out: string[] = [];
+  for (const s of scopes) {
     const parts = s.split(":");
+    if (parts[0] !== "vault") continue; // drop scribe:/channel:/hub:/… — foreign to a vault-audience token
     const verb = parts[1];
-    if (parts.length === 2 && parts[0] === "vault" && verb && VAULT_VERBS.has(verb)) {
-      return `vault:${vaultName}:${verb}`;
+    if (parts.length === 2 && verb && VAULT_VERBS.has(verb)) {
+      out.push(`vault:${vaultName}:${verb}`);
+    } else {
+      out.push(s); // already-named (incl. other vaults) or malformed vault scope — downstream defenses decide
     }
-    return s;
-  });
+  }
+  return out;
 }