@openparachute/hub 0.6.1-rc.3 → 0.6.1

package/src/__tests__/oauth-handlers.test.ts

@@ -8542,12 +8542,12 @@ describe("single OAuth consent + grantable vault admin + delegate-only cap (2026
   // Test 9 — privesc: read/write assigned (non-owner) user requests
   // vault:work:admin + vault:work:write → admin DROPPED, token has write only,
   // recorded grant lacks admin.
-  test("[9] non-owner read/write user requests admin+write → admin DROPPED (write only), grant lacks admin", async () => {
+  test("[9] non-owner ASSIGNED to the vault requests admin+write → BOTH granted (assigned users hold admin)", async () => {
     const { db, cleanup } = await makeDb();
     try {
       await createUser(db, "owner", "pw"); // first user = owner; consumes the admin slot.
       const friend = await createUser(db, "friend", "pw", { allowMulti: true });
-      setUserVaults(db, friend.id, ["work"]); // role=write → verbs [read, write]
+      setUserVaults(db, friend.id, ["work"]); // role=write → verbs [read, write, admin]
       const session = createSession(db, { userId: friend.id });
       const reg = registerClient(db, {
         redirectUris: ["https://app.example/cb"],
@@ -8564,20 +8564,20 @@ describe("single OAuth consent + grantable vault admin + delegate-only cap (2026
       expect(consentRes.status).toBe(302);
       const code = new URL(consentRes.headers.get("location") ?? "").searchParams.get("code");
       const { scope, aud } = await redeemToScopeAud(db, code ?? "", reg.client.clientId, verifier);
-      // admin dropped; write kept.
-      expect(scope.split(" ").sort()).toEqual(["vault:work:write"]);
+      // Assigned user holds admin on their own vault → BOTH kept (2026-05-30 policy).
+      expect(scope.split(" ").sort()).toEqual(["vault:work:admin", "vault:work:write"]);
       expect(aud).toBe("vault.work");
-      // Recorded grant lacks admin.
+      // Recorded grant includes admin.
       const grant = findGrant(db, friend.id, reg.client.clientId);
       expect(grant?.scopes).toContain("vault:work:write");
-      expect(grant?.scopes).not.toContain("vault:work:admin");
+      expect(grant?.scopes).toContain("vault:work:admin");
     } finally {
       cleanup();
     }
   });
 
   // Test 10 — non-owner admin-ONLY request → REFUSED (clear error), no token.
-  test("[10] non-owner admin-only request → REFUSED with invalid_scope, no token minted", async () => {
+  test("[10] non-owner assigned, admin-only request → GRANTED (holds admin on their vault)", async () => {
     const { db, cleanup } = await makeDb();
     try {
       await createUser(db, "owner", "pw");
@@ -8588,7 +8588,7 @@ describe("single OAuth consent + grantable vault admin + delegate-only cap (2026
         redirectUris: ["https://app.example/cb"],
         status: "approved",
       });
-      const { challenge } = makePkce();
+      const { verifier, challenge } = makePkce();
       const consentRes = await submitConsent(
         db,
         session.id,
@@ -8596,14 +8596,17 @@ describe("single OAuth consent + grantable vault admin + delegate-only cap (2026
         "vault:work:admin",
         challenge,
       );
-      // Capping leaves an EMPTY scope set → refuse (no zero-scope token).
+      // Assigned user holds admin on their vault → minted, not refused.
       expect(consentRes.status).toBe(302);
       const loc = new URL(consentRes.headers.get("location") ?? "");
       expect(loc.origin + loc.pathname).toBe("https://app.example/cb");
-      expect(loc.searchParams.get("error")).toBe("invalid_scope");
-      expect(loc.searchParams.get("code")).toBeNull();
-      // No grant recorded.
-      expect(findGrant(db, friend.id, reg.client.clientId)).toBeNull();
+      const code = loc.searchParams.get("code");
+      expect(code).toBeTruthy();
+      const { scope, aud } = await redeemToScopeAud(db, code ?? "", reg.client.clientId, verifier);
+      expect(scope.split(" ")).toEqual(["vault:work:admin"]);
+      expect(aud).toBe("vault.work");
+      const grant = findGrant(db, friend.id, reg.client.clientId);
+      expect(grant?.scopes).toContain("vault:work:admin");
     } finally {
       cleanup();
     }
@@ -8611,7 +8614,7 @@ describe("single OAuth consent + grantable vault admin + delegate-only cap (2026
 
   // Test 11 — non-owner unnamed vault:admin + picks assigned vault → after
   // narrowing, admin dropped (cap runs post-narrow).
-  test("[11] non-owner unnamed vault:admin + picks assigned vault → admin dropped post-narrow", async () => {
+  test("[11] non-owner unnamed vault:admin + picks assigned vault → admin KEPT post-narrow", async () => {
     const { db, cleanup } = await makeDb();
     try {
       await createUser(db, "owner", "pw");
@@ -8632,16 +8635,16 @@ describe("single OAuth consent + grantable vault admin + delegate-only cap (2026
         challenge,
         { vault_pick: "work" },
       );
-      // narrowVaultScopes → vault:work:admin + vault:work:write; cap drops
-      // admin (non-owner doesn't hold it), keeps write → mints write only.
+      // narrowVaultScopes → vault:work:admin + vault:work:write; cap KEEPS
+      // both (assigned user holds admin on their picked vault) → mints both.
       expect(consentRes.status).toBe(302);
       const code = new URL(consentRes.headers.get("location") ?? "").searchParams.get("code");
       expect(code).toBeTruthy();
       const { scope } = await redeemToScopeAud(db, code ?? "", reg.client.clientId, verifier);
-      expect(scope.split(" ").sort()).toEqual(["vault:work:write"]);
+      expect(scope.split(" ").sort()).toEqual(["vault:work:admin", "vault:work:write"]);
       const grant = findGrant(db, friend.id, reg.client.clientId);
       expect(grant?.scopes).toContain("vault:work:write");
-      expect(grant?.scopes).not.toContain("vault:work:admin");
+      expect(grant?.scopes).toContain("vault:work:admin");
     } finally {
       cleanup();
     }
@@ -8770,35 +8773,41 @@ describe("single OAuth consent + grantable vault admin + delegate-only cap (2026
   // issueAuthCodeRedirect with an admin scope via ANY path (skip-consent /
   // same-hub / consent). Assert no grants row ever contains an un-held admin
   // verb across each path.
-  test("[15] bypass-proof: no mint path ever records an un-held admin verb for a non-owner", async () => {
+  test("[15] bypass-proof: no mint path grants admin on a vault the user is NOT assigned", async () => {
     const { db, cleanup } = await makeDb();
     try {
       await createUser(db, "owner", "pw");
       const friend = await createUser(db, "friend", "pw", { allowMulti: true });
-      setUserVaults(db, friend.id, ["work"]); // verbs [read, write] only
+      // Assigned to "work" only → holds work:read/write/admin, but NOT "other"
+      // (which exists in CAP_MANIFEST). "other" is the un-held boundary.
+      setUserVaults(db, friend.id, ["work"]);
       const session = createSession(db, { userId: friend.id });
 
-      // Path A — consent-submit with admin+write → admin dropped, recorded grant
-      // lacks admin.
+      // Path A — consent-submit admin on the UNASSIGNED "other" → the cap
+      // empties the set (friend doesn't hold it) → invalid_scope refusal, no
+      // grant. (Granting admin on the user's OWN assigned vault is exercised by
+      // [9]/[10]; here we isolate the un-held boundary.)
       const regConsent = registerClient(db, {
         redirectUris: ["https://app.example/cb"],
         status: "approved",
       });
       {
         const { challenge } = makePkce();
-        await submitConsent(
+        const res = await submitConsent(
           db,
           session.id,
           regConsent.client.clientId,
-          "vault:work:admin vault:work:write",
+          "vault:other:admin",
           challenge,
         );
-        const g = findGrant(db, friend.id, regConsent.client.clientId);
-        expect(g?.scopes ?? []).not.toContain("vault:work:admin");
+        // The consent-submit assignment gate rejects a request naming a vault
+        // the user isn't assigned (400) — refused before any mint, no grant.
+        expect(res.status).toBe(400);
+        expect(findGrant(db, friend.id, regConsent.client.clientId)).toBeNull();
       }
 
-      // Path B — same-hub client requesting admin → consent renders (admin gate
-      // blocks the silent path); no grant recorded with admin.
+      // Path B — same-hub client requesting admin on the UNASSIGNED "other" →
+      // consent renders (admin gate blocks the silent path); no grant with it.
       const regSameHub = registerClient(db, {
         redirectUris: ["https://app.example/cb"],
         status: "approved",
@@ -8815,7 +8824,7 @@ describe("single OAuth consent + grantable vault admin + delegate-only cap (2026
               response_type: "code",
               code_challenge: challenge,
               code_challenge_method: "S256",
-              scope: "vault:work:admin",
+              scope: "vault:other:admin",
             }),
             { headers: { cookie: `${CSRF_COOKIE}; ${buildSessionCookie(session.id, TTL_S)}` } },
           ),
@@ -8823,22 +8832,23 @@ describe("single OAuth consent + grantable vault admin + delegate-only cap (2026
         );
         expect(res.status).toBe(200); // consent, not silent-mint
         const g = findGrant(db, friend.id, regSameHub.client.clientId);
-        expect(g?.scopes ?? []).not.toContain("vault:work:admin");
+        expect(g?.scopes ?? []).not.toContain("vault:other:admin");
       }
 
-      // Path C — skip-consent: even if a grant row were somehow seeded with an
-      // admin verb, the cap at issueAuthCodeRedirect drops it before minting AND
-      // re-records the capped set. Seed a poisoned grant, drive skip-consent,
-      // and assert the minted token + the (re-recorded) grant carry no admin.
+      // Path C — skip-consent: a grant row seeded with an UNASSIGNED-vault admin
+      // verb. The cap at issueAuthCodeRedirect is the authority, not the grant
+      // row — request only the held write scope (skip-consent fires) and the
+      // minted token carries no other:admin (the un-held verb never rides along).
       const regSkip = registerClient(db, {
         redirectUris: ["https://app.example/cb"],
         status: "approved",
       });
-      recordGrant(db, friend.id, regSkip.client.clientId, ["vault:work:write", "vault:work:admin"]);
+      recordGrant(db, friend.id, regSkip.client.clientId, [
+        "vault:work:write",
+        "vault:other:admin",
+      ]);
       {
         const { verifier, challenge } = makePkce();
-        // Request only the held write scope so skip-consent fires (covered by
-        // the seeded grant) and routes through issueAuthCodeRedirect.
         const res = handleAuthorizeGet(
           db,
           new Request(
@@ -8857,37 +8867,36 @@ describe("single OAuth consent + grantable vault admin + delegate-only cap (2026
         expect(res.status).toBe(302); // skip-consent silent mint of the held scope
         const code = new URL(res.headers.get("location") ?? "").searchParams.get("code");
         const { scope } = await redeemToScopeAud(db, code ?? "", regSkip.client.clientId, verifier);
-        expect(scope.split(" ")).not.toContain("vault:work:admin");
+        expect(scope.split(" ")).not.toContain("vault:other:admin");
       }
     } finally {
       cleanup();
     }
   });
 
-  // Reviewer fold (security-relevant): test 15 path C only requested `write`
-  // against the poisoned client, which proves the cap doesn't *re-record* an
-  // un-held verb. This case requests `vault:work:admin` DIRECTLY against a
-  // client whose grant row ALREADY lists `vault:work:admin` (poisoned). The
-  // skip-consent gate fires (the requested admin scope IS covered by the
-  // poisoned grant) and routes through issueAuthCodeRedirect — where the CAP,
-  // not the grant lookup, drops the admin verb. Admin-only request → caps to
-  // EMPTY → invalid_scope refusal, no code, no token. This pins that the
-  // cap-before-issueAuthCode invariant holds even when a stale admin grant
-  // would otherwise satisfy the coverage check.
-  test("[15b] non-owner requests admin DIRECTLY against a POISONED-grant client → cap refuses, no admin token", async () => {
+  // Reviewer fold (security-relevant): test 15 path C only requested the held
+  // `write` scope, proving the cap doesn't re-record an un-held verb. This case
+  // requests admin on the UNASSIGNED "other" vault DIRECTLY against a client
+  // whose grant row already lists `vault:other:admin` (poisoned). The
+  // skip-consent gate fires (the requested scope IS covered by the poisoned
+  // grant) and routes through issueAuthCodeRedirect — where the CAP, not the
+  // grant lookup, drops the un-held verb. Admin-only request → caps to EMPTY →
+  // invalid_scope refusal, no code, no token. Pins that the cap-before-
+  // issueAuthCode invariant holds even when a stale grant satisfies coverage.
+  test("[15b] non-owner requests admin on an UNASSIGNED vault against a POISONED-grant client → cap refuses", async () => {
     const { db, cleanup } = await makeDb();
     try {
       await createUser(db, "owner", "pw");
       const friend = await createUser(db, "friend", "pw", { allowMulti: true });
-      setUserVaults(db, friend.id, ["work"]); // verbs [read, write] only — never admin
+      setUserVaults(db, friend.id, ["work"]); // holds work:* (incl. admin) — NOT "other"
       const session = createSession(db, { userId: friend.id });
       const reg = registerClient(db, {
         redirectUris: ["https://app.example/cb"],
         status: "approved",
       });
-      // Poisoned grant: already lists vault:work:admin (so the skip-consent
-      // coverage check would pass for a direct admin request).
-      recordGrant(db, friend.id, reg.client.clientId, ["vault:work:write", "vault:work:admin"]);
+      // Poisoned grant: already lists vault:other:admin (so the skip-consent
+      // coverage check would pass for a direct other:admin request).
+      recordGrant(db, friend.id, reg.client.clientId, ["vault:work:write", "vault:other:admin"]);
 
       const { challenge } = makePkce();
       const res = handleAuthorizeGet(
@@ -8899,14 +8908,14 @@ describe("single OAuth consent + grantable vault admin + delegate-only cap (2026
             response_type: "code",
             code_challenge: challenge,
             code_challenge_method: "S256",
-            scope: "vault:work:admin",
+            scope: "vault:other:admin",
             state: "poisoned-direct",
           }),
           { headers: { cookie: `${CSRF_COOKIE}; ${buildSessionCookie(session.id, TTL_S)}` } },
         ),
         capDeps,
       );
-      // The cap leaves an EMPTY set (non-owner doesn't hold admin) → refuse.
+      // The cap leaves an EMPTY set (friend isn't assigned "other") → refuse.
       // 302 to redirect_uri with invalid_scope and NO code — no token minted.
       expect(res.status).toBe(302);
       const loc = new URL(res.headers.get("location") ?? "");

package/src/__tests__/users.test.ts

@@ -740,10 +740,13 @@ describe("getFirstAdminId / isFirstAdmin", () => {
 
 describe("vaultVerbsForRole / vaultVerbsForUserVault (friend token-mint cap)", () => {
   test("vaultVerbsForRole maps roles to verbs, fails closed on unknown", () => {
-    expect(vaultVerbsForRole("write")).toEqual(["read", "write"]);
+    // Assigned users (role=write, today's default) hold FULL vault authority
+    // incl. admin (2026-05-30 policy: any assigned user gets admin). A
+    // deliberate read-only assignment stays read-only. Unknown role strings
+    // (including the literal "admin") map to [] — only the recognised roles
+    // grant verbs; never silently default to write.
+    expect(vaultVerbsForRole("write")).toEqual(["read", "write", "admin"]);
     expect(vaultVerbsForRole("read")).toEqual(["read"]);
-    // Unknown / future roles grant NO mintable verb — never silently
-    // default to write. `admin` is explicitly NOT a mintable role here.
     expect(vaultVerbsForRole("admin")).toEqual([]);
     expect(vaultVerbsForRole("owner")).toEqual([]);
     expect(vaultVerbsForRole("")).toEqual([]);
@@ -757,8 +760,9 @@ describe("vaultVerbsForRole / vaultVerbsForUserVault (friend token-mint cap)", (
         allowMulti: true,
         assignedVaults: ["work"],
       });
-      // createUser/setUserVaults insert role='write' today → read+write.
-      expect(vaultVerbsForUserVault(db, friend.id, "work")).toEqual(["read", "write"]);
+      // createUser/setUserVaults insert role='write' today → read+write+admin
+      // (assigned users hold full vault authority, 2026-05-30 policy).
+      expect(vaultVerbsForUserVault(db, friend.id, "work")).toEqual(["read", "write", "admin"]);
     } finally {
       cleanup();
     }

package/src/account-home-ui.ts

@@ -384,7 +384,12 @@ function renderTokenMintBlock(
   const radios = verbs
     .map((verb, i) => {
       const checked = i === 0 ? " checked" : "";
-      const label = verb === "read" ? "Read-only" : "Read + write";
+      const label =
+        verb === "read"
+          ? "Read-only"
+          : verb === "admin"
+            ? "Full (read, write, rotate tokens + config)"
+            : "Read + write";
       return `
               <label class="mint-verb-option">
                 <input type="radio" name="verb" value="${verb}"${checked}

package/src/account-vault-token.ts

@@ -21,12 +21,10 @@
  *      `vaultVerbsForUserVault` (which returns `null` for an unassigned
  *      vault), NOT from the verb-blind `assignedVaults` array.
  *   3. **Scope cap.** The requested verb MUST be one the user's assignment
- *      role permits, and may only ever be `read` or `write` — NEVER `admin`,
- *      never a broader scope than the user holds. `vaultVerbsForUserVault`
- *      returns the role's verb set (today always `["read", "write"]` since
- *      every assignment is `role = 'write'`); a verb outside that set → 403.
- *      `admin` is not in the form's vocabulary at all and is rejected at the
- *      parse step as an invalid verb.
+ *      role permits. As of 2026-05-30 an assigned user holds the full set
+ *      `["read", "write", "admin"]` on their vault (`vaultVerbsForUserVault`),
+ *      so this surface mints admin tokens too — consistent with the OAuth
+ *      flow. A verb outside the held set, or for an unassigned vault, → 403.
  *
  * The first admin (unrestricted, empty `assignedVaults`) has no `user_vaults`
  * rows, so gate 2 returns `null` for every vault and the admin gets a 403
@@ -81,7 +79,7 @@ import { type VaultVerb, getUserById, isFirstAdmin, vaultVerbsForUserVault } fro
 /** Matches the manifest vault-name validator + `/admin/vault-admin-token`. */
 const VAULT_NAME_RE = /^[a-zA-Z0-9_-]+$/;
 /** Verbs this surface will ever mint. `admin` is deliberately absent. */
-const ALLOWED_VERBS: readonly VaultVerb[] = ["read", "write"];
+const ALLOWED_VERBS: readonly VaultVerb[] = ["read", "write", "admin"];
 /** client_id stamped on the minted JWT + registry row. */
 const ACCOUNT_VAULT_TOKEN_CLIENT_ID = "parachute-account";
 
@@ -199,14 +197,15 @@ export async function handleAccountVaultTokenPost(
     return renderHome(400, { mintError: `"${vaultName}" is not a valid vault name.` });
   }
 
-  // Verb parse — must be exactly one of read/write. `admin` (or anything
-  // else) is not in this surface's vocabulary and is rejected here, well
-  // before authority is even consulted.
+  // Verb parse — must be one of read/write/admin (this surface's vocabulary).
+  // Anything else is rejected here, well before authority is even consulted;
+  // the per-vault authority cap (gate 3 below) then drops verbs the user
+  // doesn't actually hold.
   const verbRaw = form.get("verb");
   const verb = typeof verbRaw === "string" ? verbRaw : "";
   if (!ALLOWED_VERBS.includes(verb as VaultVerb)) {
     return renderHome(400, {
-      mintError: "Pick an access level (read or write).",
+      mintError: "Pick an access level (read, write, or admin).",
     });
   }
   const requestedVerb = verb as VaultVerb;
@@ -217,9 +216,11 @@ export async function handleAccountVaultTokenPost(
   //             (fail-closed for an unknown role): 403.
   //   - [...] → the verbs the assignment role permits. The requested verb
   //             must be in this set (gate 3): else 403.
-  // This is the cap to the user's actual authority — it blocks minting for
-  // an unassigned vault, a broader verb than the role grants, and (since the
-  // set never contains `admin`) any admin escalation.
+  // This is the cap to the user's actual authority — it blocks minting for an
+  // unassigned vault or a verb the role doesn't grant. Assigned users hold
+  // read/write/admin on their vault (2026-05-30), so admin mints for an
+  // assigned vault; the cap still refuses admin (and everything else) for a
+  // vault the user isn't assigned (`allowedForUser === null`).
   const allowedForUser = vaultVerbsForUserVault(deps.db, user.id, vaultName);
   if (allowedForUser === null) {
     return renderHome(403, {

package/src/cli.ts

@@ -159,7 +159,8 @@ function extractNamedFlag(
  *                                       fall through to today's Tailscale
  *                                       default (CI escape hatch, #29)
  *   --domain=<host>           hostname for the Cloudflare path
- *   --tunnel-name=<name>      named tunnel override (#32)
+ *   --tunnel-name=<name>      named tunnel override (#32); defaults to a
+ *                                       per-hostname dedicated name (#491)
  *
  * Returns the stripped argv so the layer/action parser sees `[layer, action?]`
  * regardless of flag placement. `--tailnet` + `--cloudflare` together is

package/src/cloudflare/config.ts

@@ -2,18 +2,84 @@ import { mkdirSync, writeFileSync } from "node:fs";
 import { dirname, join } from "node:path";
 import { CONFIG_DIR } from "../config.ts";
 
+/**
+ * The legacy shared tunnel name. Pre-#491, every machine defaulted its
+ * Cloudflare tunnel to this single constant — but Cloudflare tunnels are
+ * account-wide, so a second machine exposing a *different* hostname found and
+ * reused the SAME tunnel, both connectors registered on one UUID, and the edge
+ * load-balanced requests across them → a request for host B could land on host
+ * A's connector (whose config.yml only routes host A) → ~50% cross-host 404s.
+ *
+ * The default is now a per-hostname derived name (`deriveTunnelName`). This
+ * constant's role narrows to "the legacy shared name we migrate away from":
+ *   - the up-path legacy-sweep kills a stale `"parachute"` connector on the box
+ *     so running deploys self-heal on the next expose, and
+ *   - the off-path reuse-hint compares against it (records no longer equal it,
+ *     so the hint always includes `--tunnel-name`, which is now correct).
+ */
 export const DEFAULT_TUNNEL_NAME = "parachute";
 
+/**
+ * Derive a dedicated, per-hostname tunnel name from a hostname. Cloudflare
+ * tunnels are account-wide, so each machine/hostname needs its OWN tunnel —
+ * sharing one name across boxes collides their connectors (#491). The name is
+ * deterministic (same hostname → same name) so re-exposing the same hostname
+ * is idempotent: it finds and reuses the tunnel it created last time.
+ *
+ * Sanitization: lowercase, dots → hyphens, drop anything outside `[a-z0-9_-]`,
+ * then prefix `parachute-`. Examples:
+ *   `our.parachute.computer` → `parachute-our-parachute-computer`
+ *   `vault.example.com`      → `parachute-vault-example-com`
+ *
+ * Length: tunnel names must satisfy `isValidTunnelName` (≤64 chars). When the
+ * derived name would exceed 64, truncate the sanitized body and append a short
+ * stable suffix (`-<8-hex>`) computed deterministically from the FULL hostname
+ * so two long hostnames sharing a 64-char prefix can't collide on the same
+ * tunnel. The hash is a non-crypto FNV-1a-style fold — deterministic, no
+ * Math.random / Date dependency (those would break idempotent re-expose).
+ */
+const TUNNEL_NAME_PREFIX = "parachute-";
+const MAX_TUNNEL_NAME = 64;
+
+function shortStableHash(input: string): string {
+  // FNV-1a 32-bit. Deterministic, dependency-free, good enough to disambiguate
+  // two hostnames that sanitize to the same truncated prefix. >>> 0 keeps it
+  // unsigned so the hex is stable across runtimes.
+  let h = 0x811c9dc5;
+  for (let i = 0; i < input.length; i++) {
+    h ^= input.charCodeAt(i);
+    h = Math.imul(h, 0x01000193);
+  }
+  return (h >>> 0).toString(16).padStart(8, "0");
+}
+
+export function deriveTunnelName(hostname: string): string {
+  const body = hostname
+    .toLowerCase()
+    .replace(/\./g, "-")
+    .replace(/[^a-z0-9_-]/g, "");
+  const full = `${TUNNEL_NAME_PREFIX}${body}`;
+  if (full.length <= MAX_TUNNEL_NAME) return full;
+  // Too long — truncate the body and append a stable 8-hex suffix derived from
+  // the full hostname. Reserve room for the prefix + "-" + 8 hex chars.
+  const suffix = `-${shortStableHash(hostname)}`;
+  const room = MAX_TUNNEL_NAME - TUNNEL_NAME_PREFIX.length - suffix.length;
+  // Strip any trailing hyphen the truncation left behind (e.g. a slice that
+  // lands on a dot-turned-hyphen) so the body doesn't abut the suffix as `--`.
+  const truncated = body.slice(0, room).replace(/-+$/, "");
+  return `${TUNNEL_NAME_PREFIX}${truncated}${suffix}`;
+}
+
 /**
  * Per-tunnel config + log file paths. Each tunnel gets its own subdirectory
  * under `~/.parachute/cloudflared/<tunnelName>/` so multiple tunnels on one
  * box don't trample each other's config.yml or interleave log lines.
  *
- * The default tunnel ("parachute") lives at
- * `~/.parachute/cloudflared/parachute/{config.yml,cloudflared.log}` — a
- * location change from pre-#32 (`~/.parachute/cloudflared/config.yml`).
+ * The per-hostname tunnel (`deriveTunnelName(host)`, e.g.
+ * `parachute-our-parachute-computer`) lives at
+ * `~/.parachute/cloudflared/<tunnelName>/{config.yml,cloudflared.log}`.
  * Re-running `parachute expose public --cloudflare` regenerates the file
- * at the new path; the legacy file is left in place but unused.
+ * at that path; any legacy `parachute/` file is left in place but unused.
  *
  * `configDir` overrides the base (`~/.parachute` by default). Tests pass a
  * tmp dir so per-tunnel-derived paths never resolve against the operator's