@openparachute/hub 0.6.3-rc.2 → 0.6.3-rc.3

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openparachute/hub",
-  "version": "0.6.3-rc.2",
+  "version": "0.6.3-rc.3",
   "description": "parachute — the local hub for the Parachute ecosystem (discovery, ports, lifecycle, soon OAuth).",
   "license": "AGPL-3.0",
   "publishConfig": {

package/src/__tests__/api-modules-ops.test.ts

@@ -70,6 +70,36 @@ async function mintBearer(h: Harness, scopes: string[]): Promise<string> {
   return signed.token;
 }
 
+/**
+ * Mint a host-admin bearer at a chosen `iss` (hub#516). The CLI presents the
+ * operator token on loopback; after `expose` its `iss` is the public origin
+ * while the loopback request resolves the loopback issuer.
+ */
+async function mintBearerAtIssuer(h: Harness, scopes: string[], iss: string): Promise<string> {
+  const signed = await signAccessToken(h.db, {
+    sub: h.userId,
+    scopes,
+    audience: "operator",
+    clientId: "parachute-hub",
+    issuer: iss,
+    ttlSeconds: 3600,
+  });
+  recordTokenMint(h.db, {
+    jti: signed.jti,
+    createdVia: "operator_mint",
+    subject: "operator",
+    clientId: "parachute-hub",
+    scopes,
+    expiresAt: signed.expiresAt,
+  });
+  return signed.token;
+}
+
+/** The hub's public origin after `expose` — what the operator token's `iss` becomes. */
+const PUBLIC_ORIGIN = "https://parachute.taildf9ce2.ts.net";
+/** A foreign origin the hub never answers on. */
+const FOREIGN_ORIGIN = "https://evil.example.com";
+
 function postReq(path: string, headers: Record<string, string>): Request {
   return new Request(`http://localhost${path}`, { method: "POST", headers });
 }
@@ -967,6 +997,97 @@ describe("POST /api/modules/:short/stop", () => {
   });
 });
 
+/**
+ * hub#516 — the module-ops `authorize` accepts the operator token's `iss`
+ * against the SET of origins the hub answers on (knownIssuers), not just the
+ * single per-request issuer. Exercised through `handleStop` (the simplest sync
+ * op that goes through `authorize`). The per-request `issuer` here is loopback
+ * (mirroring a loopback CLI request); `knownIssuers` carries loopback + the
+ * public expose-state origin.
+ */
+describe("operator-token iss validation against knownIssuers (hub#516)", () => {
+  let h: Harness;
+  beforeEach(async () => {
+    h = await makeHarness();
+    _resetOperationsRegistryForTests();
+  });
+  afterEach(() => h.cleanup());
+
+  // The live repro: operator token's iss = PUBLIC origin, loopback request
+  // (per-request issuer = loopback), knownIssuers includes the public origin
+  // → ACCEPTED. Was rejected (`unexpected "iss" claim value`) pre-fix.
+  test("live repro: public-iss operator token on a loopback request → ACCEPTED", async () => {
+    const { supervisor } = makeIdleSupervisor();
+    const bearer = await mintBearerAtIssuer(h, [API_MODULES_OPS_REQUIRED_SCOPE], PUBLIC_ORIGIN);
+    const res = await handleStop(
+      postReq("/api/modules/vault/stop", { authorization: `Bearer ${bearer}` }),
+      "vault",
+      {
+        db: h.db,
+        issuer: ISSUER, // loopback per-request issuer
+        knownIssuers: [ISSUER, "http://localhost:1939", PUBLIC_ORIGIN],
+        manifestPath: h.manifestPath,
+        configDir: h.dir,
+        supervisor,
+      },
+    );
+    // Not a 401 — authorize passed. (stopped:false because nothing's running.)
+    expect(res.status).toBe(200);
+  });
+
+  test("loopback-iss operator token, loopback knownIssuers → accepted (unchanged)", async () => {
+    const { supervisor } = makeIdleSupervisor();
+    const bearer = await mintBearerAtIssuer(h, [API_MODULES_OPS_REQUIRED_SCOPE], ISSUER);
+    const res = await handleStop(
+      postReq("/api/modules/vault/stop", { authorization: `Bearer ${bearer}` }),
+      "vault",
+      {
+        db: h.db,
+        issuer: ISSUER,
+        knownIssuers: [ISSUER, "http://localhost:1939"],
+        manifestPath: h.manifestPath,
+        configDir: h.dir,
+        supervisor,
+      },
+    );
+    expect(res.status).toBe(200);
+  });
+
+  test("FOREIGN-iss operator token → 401 (no widening to arbitrary issuers)", async () => {
+    const { supervisor } = makeIdleSupervisor();
+    const bearer = await mintBearerAtIssuer(h, [API_MODULES_OPS_REQUIRED_SCOPE], FOREIGN_ORIGIN);
+    const res = await handleStop(
+      postReq("/api/modules/vault/stop", { authorization: `Bearer ${bearer}` }),
+      "vault",
+      {
+        db: h.db,
+        issuer: ISSUER,
+        knownIssuers: [ISSUER, "http://localhost:1939", PUBLIC_ORIGIN],
+        manifestPath: h.manifestPath,
+        configDir: h.dir,
+        supervisor,
+      },
+    );
+    expect(res.status).toBe(401);
+    const body = (await res.json()) as { error_description: string };
+    expect(body.error_description).toMatch(/unexpected "iss" claim value/);
+  });
+
+  test("knownIssuers absent → falls back to strict per-request issuer (back-compat)", async () => {
+    const { supervisor } = makeIdleSupervisor();
+    // Public-iss token, loopback per-request issuer, NO knownIssuers wired →
+    // the strict single-issuer fallback rejects (the pre-fix behavior the
+    // non-HTTP install path relies on).
+    const bearer = await mintBearerAtIssuer(h, [API_MODULES_OPS_REQUIRED_SCOPE], PUBLIC_ORIGIN);
+    const res = await handleStop(
+      postReq("/api/modules/vault/stop", { authorization: `Bearer ${bearer}` }),
+      "vault",
+      { db: h.db, issuer: ISSUER, manifestPath: h.manifestPath, configDir: h.dir, supervisor },
+    );
+    expect(res.status).toBe(401);
+  });
+});
+
 describe("POST /api/modules/:short/restart", () => {
   let h: Harness;
   beforeEach(async () => {

package/src/__tests__/api-modules.test.ts

@@ -63,6 +63,32 @@ async function mintBearer(h: Harness, scopes: string[]): Promise<string> {
   return signed.token;
 }
 
+/** The hub's public origin after `expose` — what the operator token's `iss` becomes (hub#516). */
+const PUBLIC_ORIGIN = "https://parachute.taildf9ce2.ts.net";
+/** A foreign origin the hub never answers on (hub#516). */
+const FOREIGN_ORIGIN = "https://evil.example.com";
+
+/** Mint a host-admin (operator-shaped) bearer at a chosen `iss` (hub#516). */
+async function mintBearerAtIssuer(h: Harness, scopes: string[], iss: string): Promise<string> {
+  const signed = await signAccessToken(h.db, {
+    sub: h.userId,
+    scopes,
+    audience: "operator",
+    clientId: "parachute-hub",
+    issuer: iss,
+    ttlSeconds: 3600,
+  });
+  recordTokenMint(h.db, {
+    jti: signed.jti,
+    createdVia: "operator_mint",
+    subject: "operator",
+    clientId: "parachute-hub",
+    scopes,
+    expiresAt: signed.expiresAt,
+  });
+  return signed.token;
+}
+
 function writeManifest(path: string, services: unknown[]): void {
   writeFileSync(path, JSON.stringify({ services }));
 }
@@ -147,6 +173,47 @@ describe("GET /api/modules", () => {
     expect(body.error).toBe("insufficient_scope");
   });
 
+  // hub#516: `parachute status` reads /api/modules on loopback presenting the
+  // operator token, whose `iss` is the PUBLIC origin after `expose`. The
+  // host-admin bearer's iss is validated against `knownIssuers` (loopback ∪
+  // expose-state public ∪ env), not the single per-request loopback issuer.
+  test("live repro: public-iss operator token on a loopback request → 200 (hub#516)", async () => {
+    const bearer = await mintBearerAtIssuer(h, [API_MODULES_REQUIRED_SCOPE], PUBLIC_ORIGIN);
+    const res = await handleApiModules(getReq({ authorization: `Bearer ${bearer}` }), {
+      db: h.db,
+      issuer: ISSUER, // loopback per-request issuer
+      knownIssuers: [ISSUER, "http://localhost:1939", PUBLIC_ORIGIN],
+      manifestPath: h.manifestPath,
+      fetchLatestVersion: async () => null,
+    });
+    expect(res.status).toBe(200);
+  });
+
+  test("FOREIGN-iss operator token → 401 (no widening) (hub#516)", async () => {
+    const bearer = await mintBearerAtIssuer(h, [API_MODULES_REQUIRED_SCOPE], FOREIGN_ORIGIN);
+    const res = await handleApiModules(getReq({ authorization: `Bearer ${bearer}` }), {
+      db: h.db,
+      issuer: ISSUER,
+      knownIssuers: [ISSUER, "http://localhost:1939", PUBLIC_ORIGIN],
+      manifestPath: h.manifestPath,
+      fetchLatestVersion: async () => null,
+    });
+    expect(res.status).toBe(401);
+    const body = (await res.json()) as { error_description: string };
+    expect(body.error_description).toMatch(/unexpected "iss" claim value/);
+  });
+
+  test("knownIssuers absent → strict per-request issuer fallback rejects public-iss (hub#516)", async () => {
+    const bearer = await mintBearerAtIssuer(h, [API_MODULES_REQUIRED_SCOPE], PUBLIC_ORIGIN);
+    const res = await handleApiModules(getReq({ authorization: `Bearer ${bearer}` }), {
+      db: h.db,
+      issuer: ISSUER, // no knownIssuers → falls back to [issuer]
+      manifestPath: h.manifestPath,
+      fetchLatestVersion: async () => null,
+    });
+    expect(res.status).toBe(401);
+  });
+
   test("200 + curated list on fresh container (empty services.json)", async () => {
     // The v0.6 hot path: brand-new Render container, no services.json
     // yet. UI must render "install vault / scribe" cards even though

package/src/__tests__/host-admin-token-validation.test.ts

@@ -0,0 +1,218 @@
+/**
+ * hub#516 — `validateHostAdminToken` accepts the operator / SPA host-admin
+ * token's `iss` against the SET of origins the hub answers on (loopback ∪
+ * expose-state public ∪ env/platform), not the single per-request issuer, so
+ * the loopback CLI works on an exposed box. OAuth-token validation
+ * (`validateAccessToken` with a pinned `expectedIssuer`) is NOT touched — see
+ * the strict-iss regression at the bottom of this file.
+ */
+import { describe, expect, test } from "bun:test";
+import { mkdtempSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { validateHostAdminToken } from "../host-admin-token-validation.ts";
+import { hubDbPath, openHubDb } from "../hub-db.ts";
+import { recordTokenMint, signAccessToken, validateAccessToken } from "../jwt-sign.ts";
+import { rotateSigningKey } from "../signing-keys.ts";
+import { createUser } from "../users.ts";
+
+const LOOPBACK = "http://127.0.0.1:1939";
+const PUBLIC_TS = "https://parachute.taildf9ce2.ts.net";
+const FOREIGN = "https://evil.example.com";
+
+interface H {
+  db: ReturnType<typeof openHubDb>;
+  userId: string;
+  cleanup: () => void;
+}
+
+async function makeH(): Promise<H> {
+  const dir = mkdtempSync(join(tmpdir(), "phub-host-admin-tok-"));
+  const db = openHubDb(hubDbPath(dir));
+  rotateSigningKey(db);
+  const user = await createUser(db, "owner", "pw");
+  return {
+    db,
+    userId: user.id,
+    cleanup: () => {
+      db.close();
+      rmSync(dir, { recursive: true, force: true });
+    },
+  };
+}
+
+/** Mint an operator-shaped token (aud: "operator", host:admin) at `iss`. */
+async function mintOperatorAt(h: H, iss: string): Promise<string> {
+  const signed = await signAccessToken(h.db, {
+    sub: h.userId,
+    scopes: ["parachute:host:admin", "parachute:host:auth"],
+    audience: "operator",
+    clientId: "parachute-hub",
+    issuer: iss,
+    ttlSeconds: 3600,
+  });
+  recordTokenMint(h.db, {
+    jti: signed.jti,
+    createdVia: "operator_mint",
+    subject: "operator",
+    clientId: "parachute-hub",
+    scopes: ["parachute:host:admin", "parachute:host:auth"],
+    expiresAt: signed.expiresAt,
+  });
+  return signed.token;
+}
+
+describe("validateHostAdminToken (hub#516)", () => {
+  // The live repro: operator token minted with the PUBLIC origin as `iss`,
+  // presented on a LOOPBACK request (known-origins set built from the loopback
+  // per-request issuer + the expose-state public origin) → ACCEPTED.
+  test("live repro: public-iss operator token accepted when public origin is in the known set", async () => {
+    const h = await makeH();
+    try {
+      const token = await mintOperatorAt(h, PUBLIC_TS);
+      const knownIssuers = [LOOPBACK, "http://localhost:1939", PUBLIC_TS];
+      const { payload } = await validateHostAdminToken(h.db, token, knownIssuers);
+      expect(payload.iss).toBe(PUBLIC_TS);
+      expect(payload.sub).toBe(h.userId);
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("loopback-iss operator token, loopback known set → accepted (unchanged)", async () => {
+    const h = await makeH();
+    try {
+      const token = await mintOperatorAt(h, LOOPBACK);
+      const { payload } = await validateHostAdminToken(h.db, token, [
+        LOOPBACK,
+        "http://localhost:1939",
+      ]);
+      expect(payload.iss).toBe(LOOPBACK);
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("FOREIGN iss → REJECTED (no widening to arbitrary issuers)", async () => {
+    const h = await makeH();
+    try {
+      // A token the hub itself signed but whose iss is NOT one of its known
+      // origins. The signature verifies, but the belt-and-suspenders iss ∈
+      // known-origins check must still reject it.
+      const token = await mintOperatorAt(h, FOREIGN);
+      const knownIssuers = [LOOPBACK, "http://localhost:1939", PUBLIC_TS];
+      await expect(validateHostAdminToken(h.db, token, knownIssuers)).rejects.toThrow(
+        /unexpected "iss" claim value/,
+      );
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("empty known-origins set rejects every token (fails closed)", async () => {
+    const h = await makeH();
+    try {
+      const token = await mintOperatorAt(h, LOOPBACK);
+      await expect(validateHostAdminToken(h.db, token, [])).rejects.toThrow(
+        /unexpected "iss" claim value/,
+      );
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("expose-state absent (loopback-only set): public-iss token rejected; loopback-iss accepted", async () => {
+    const h = await makeH();
+    try {
+      // Before `expose`, the known set is loopback-only — a public-iss token
+      // shouldn't exist yet, and if presented, it's not in the set → reject.
+      const publicTok = await mintOperatorAt(h, PUBLIC_TS);
+      const loopbackOnly = [LOOPBACK, "http://localhost:1939"];
+      await expect(validateHostAdminToken(h.db, publicTok, loopbackOnly)).rejects.toThrow(
+        /unexpected "iss" claim value/,
+      );
+
+      const loopbackTok = await mintOperatorAt(h, LOOPBACK);
+      const { payload } = await validateHostAdminToken(h.db, loopbackTok, loopbackOnly);
+      expect(payload.iss).toBe(LOOPBACK);
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("signature still enforced: a token signed by an unknown key is rejected", async () => {
+    const h = await makeH();
+    try {
+      // Mint against a SECOND hub's key, then try to validate against the
+      // first hub's JWKS. The known-origins set includes the iss, but the
+      // signature check (step 1) must reject it before iss is even considered.
+      const other = await makeH();
+      try {
+        const foreignSigned = await mintOperatorAt(other, PUBLIC_TS);
+        await expect(validateHostAdminToken(h.db, foreignSigned, [PUBLIC_TS])).rejects.toThrow();
+      } finally {
+        other.cleanup();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  // Host-injection defense, made explicit. Simulate an attacker who got their
+  // own issuer into the known-issuers set via a forged Host header (the set is
+  // built from the per-request Host-derived issuer, so `iss ∈ knownIssuers`
+  // holds). They present a token signed by a DIFFERENT hub's key whose `iss`
+  // is exactly that injected origin. It is STILL REJECTED — the signature /
+  // JWKS check (step 1) fails before the `iss ∈ knownIssuers` check (step 2)
+  // is ever reached. This pins that known-issuers acceptance can never bypass
+  // the signature gate: membership in the set is necessary but not sufficient.
+  test("Host-injection: foreign-signed token with iss IN knownIssuers is STILL rejected (signature gate is first)", async () => {
+    const h = await makeH();
+    try {
+      const other = await makeH();
+      try {
+        // Token minted + signed by the OTHER hub at PUBLIC_TS.
+        const foreignSigned = await mintOperatorAt(other, PUBLIC_TS);
+        // The attacker's iss IS in our known set (e.g. injected via Host), yet
+        // validation against OUR JWKS must reject it on the signature check.
+        const knownIssuers = [LOOPBACK, "http://localhost:1939", PUBLIC_TS];
+        expect(knownIssuers).toContain(PUBLIC_TS); // precondition: iss ∈ knownIssuers
+        await expect(validateHostAdminToken(h.db, foreignSigned, knownIssuers)).rejects.toThrow();
+      } finally {
+        other.cleanup();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  // Pin the invariant: OAuth/access-token validation stays STRICT per-request
+  // issuer. The relaxation lives only in validateHostAdminToken; the core
+  // primitive validateAccessToken(db, token, expectedIssuer) still rejects a
+  // mismatched iss. (Mirrors jwt-sign.test.ts's defense-in-depth test; kept
+  // here so the hub#516 guard travels with the relaxation.)
+  test("OAuth-token validation UNCHANGED: validateAccessToken pins iss strictly", async () => {
+    const h = await makeH();
+    try {
+      // A vault-aud OAuth-shaped token minted at the public origin.
+      const signed = await signAccessToken(h.db, {
+        sub: h.userId,
+        scopes: ["vault:read"],
+        audience: "vault.default",
+        clientId: "some-mcp-client",
+        issuer: PUBLIC_TS,
+        ttlSeconds: 3600,
+      });
+      // Strict per-request validation against a DIFFERENT (loopback) issuer
+      // still rejects — the relaxation must NOT leak to this path.
+      await expect(validateAccessToken(h.db, signed.token, LOOPBACK)).rejects.toThrow(
+        /unexpected "iss" claim value/,
+      );
+      // And it accepts when the issuer matches (sanity).
+      const { payload } = await validateAccessToken(h.db, signed.token, PUBLIC_TS);
+      expect(payload.aud).toBe("vault.default");
+    } finally {
+      h.cleanup();
+    }
+  });
+});

package/src/__tests__/migrate.test.ts

@@ -296,6 +296,7 @@ describe("migrate — interactive + flag behavior", () => {
           throw new Error("prompt must not be called");
         },
         isTty: true,
+        hubUnitState: () => ({ state: "inactive" }),
       });
       expect(code).toBe(0);
       expect(logs.join("\n")).toMatch(/nothing to archive/i);
@@ -325,6 +326,7 @@ describe("migrate — interactive + flag behavior", () => {
         },
         list: true,
         isTty: true,
+        hubUnitState: () => ({ state: "inactive" }),
       });
       expect(code).toBe(0);
       expect(logs.join("\n")).toMatch(/--list — no changes made/);
@@ -351,6 +353,7 @@ describe("migrate — interactive + flag behavior", () => {
         },
         dryRun: true,
         isTty: true,
+        hubUnitState: () => ({ state: "inactive" }),
       });
       expect(code).toBe(0);
       expect(logs.join("\n")).toMatch(/dry-run/);
@@ -383,6 +386,7 @@ describe("migrate — interactive + flag behavior", () => {
         },
         yes: true,
         isTty: false,
+        hubUnitState: () => ({ state: "inactive" }),
       });
       expect(code).toBe(0);
       const archive = join(h.configDir, ".archive-2026-04-19");
@@ -510,6 +514,7 @@ describe("migrate — interactive + flag behavior", () => {
           throw new Error("prompt must not be called");
         },
         isTty: false,
+        hubUnitState: () => ({ state: "inactive" }),
       });
       expect(code).toBe(1);
       expect(logs.join("\n")).toMatch(/refusing to sweep without a TTY/i);
@@ -533,6 +538,7 @@ describe("migrate — interactive + flag behavior", () => {
         log: () => {},
         prompt: async () => answers.shift() ?? "n",
         isTty: true,
+        hubUnitState: () => ({ state: "inactive" }),
       });
       expect(code).toBe(1);
       // Aborted before any rename — daily.db still there.
@@ -557,6 +563,7 @@ describe("migrate — interactive + flag behavior", () => {
         log: () => {},
         prompt: async () => answers.shift() ?? "y",
         isTty: true,
+        hubUnitState: () => ({ state: "inactive" }),
       });
       expect(code).toBe(0);
       const archive = join(h.configDir, ".archive-2026-04-19");
@@ -588,6 +595,7 @@ describe("migrate — interactive + flag behavior", () => {
         },
         yes: true,
         isTty: false,
+        hubUnitState: () => ({ state: "inactive" }),
       });
       expect(code).toBe(0);
       const archivedLink = join(h.configDir, ".archive-2026-04-19", "logs");
@@ -621,6 +629,7 @@ describe("migrate — interactive + flag behavior", () => {
         },
         yes: true,
         isTty: false,
+        hubUnitState: () => ({ state: "inactive" }),
       });
       expect(code).toBe(0);
       // The "nothing recognized" exit branch — no archive directory created.
@@ -647,6 +656,7 @@ describe("migrate — interactive + flag behavior", () => {
         log: (l) => logs.push(l),
         prompt: async () => "n",
         isTty: true,
+        hubUnitState: () => ({ state: "inactive" }),
       });
       expect(code).toBe(1);
       expect(logs.join("\n")).toMatch(/aborted/i);
@@ -668,6 +678,7 @@ describe("migrate — interactive + flag behavior", () => {
         log: () => {},
         prompt: async () => "y",
         isTty: true,
+        hubUnitState: () => ({ state: "inactive" }),
       });
       expect(code).toBe(0);
       expect(existsSync(join(h.configDir, ".archive-2026-04-19", "server.yaml"))).toBe(true);
@@ -687,6 +698,7 @@ describe("migrate — interactive + flag behavior", () => {
         log: () => {},
         yes: true,
         isTty: false,
+        hubUnitState: () => ({ state: "inactive" }),
       });
       // Add more cruft and sweep again the same day
       touch(join(h.configDir, "channel.log"), "2");
@@ -696,6 +708,7 @@ describe("migrate — interactive + flag behavior", () => {
         log: () => {},
         yes: true,
         isTty: false,
+        hubUnitState: () => ({ state: "inactive" }),
       });
       const archive = join(h.configDir, ".archive-2026-04-19");
       expect(existsSync(join(archive, "server.yaml"))).toBe(true);
@@ -719,6 +732,7 @@ describe("migrate — interactive + flag behavior", () => {
         log: () => {},
         yes: true,
         isTty: false,
+        hubUnitState: () => ({ state: "inactive" }),
       });
       touch(join(h.configDir, "channel.log"), "2");
       await migrate({
@@ -727,6 +741,7 @@ describe("migrate — interactive + flag behavior", () => {
         log: () => {},
         yes: true,
         isTty: false,
+        hubUnitState: () => ({ state: "inactive" }),
       });
       expect(existsSync(join(h.configDir, ".archive-2026-04-19", "server.yaml"))).toBe(true);
       expect(existsSync(join(h.configDir, ".archive-2026-04-20", "channel.log"))).toBe(true);
@@ -749,6 +764,7 @@ describe("migrate — interactive + flag behavior", () => {
         log: () => {},
         yes: true,
         isTty: false,
+        hubUnitState: () => ({ state: "inactive" }),
       });
       const archive = join(h.configDir, ".archive-2026-04-19");
       const contents = readdirSync(archive);

package/src/__tests__/operator-token.test.ts

@@ -3,6 +3,8 @@ import { chmodSync, mkdtempSync, rmSync, statSync } from "node:fs";
 import { readFile } from "node:fs/promises";
 import { tmpdir } from "node:os";
 import { join } from "node:path";
+import type { ExposeState } from "../expose-state.ts";
+import { writeExposeState } from "../expose-state.ts";
 import { hubDbPath, openHubDb } from "../hub-db.ts";
 import { signAccessToken, validateAccessToken } from "../jwt-sign.ts";
 import {
@@ -14,6 +16,7 @@ import {
   OPERATOR_TOKEN_SCOPE_SETS,
   OPERATOR_TOKEN_SCOPE_SET_CLAIM,
   OPERATOR_TOKEN_TTL_SECONDS,
+  buildKnownIssuersForOperatorToken,
   issueOperatorToken,
   mintOperatorToken,
   operatorTokenPath,
@@ -478,6 +481,280 @@ describe("useOperatorTokenWithAutoRotate (#213)", () => {
   });
 });
 
+// hub#516 — the operator token's `iss` is the hub's PUBLIC origin after
+// `parachute expose`, but callers resolve `issuer` inconsistently (status →
+// loopback, lifecycle → public). The client-side validation now accepts the
+// token if its `iss` is ANY of the hub's known origins (loopback aliases ∪
+// expose-state public origin ∪ env), gated FIRST on the JWKS signature. These
+// tests pin the four-corner matrix: public-iss accepted with loopback config
+// (the status bug), loopback-iss accepted, foreign-iss rejected, and
+// foreign-SIGNATURE rejected even when its iss is in the known set.
+const PUBLIC_ISSUER = "https://parachute.taildf9ce2.ts.net";
+
+/** Minimal valid expose-state advertising `hubOrigin` (the public origin). */
+function exposeStateForOrigin(hubOrigin: string): ExposeState {
+  return {
+    version: 1,
+    layer: "tailnet",
+    mode: "path",
+    canonicalFqdn: new URL(hubOrigin).host,
+    port: 1939,
+    funnel: false,
+    entries: [],
+    hubOrigin,
+  };
+}
+
+describe("useOperatorTokenWithAutoRotate known-issuer set (hub#516)", () => {
+  // The PARACHUTE_HUB_ORIGIN / RENDER_EXTERNAL_URL / FLY_APP_NAME env vars feed
+  // the platform-origin seed of the known-issuer set. Tests that assert a
+  // public-iss is REJECTED when expose-state is absent must not have a stray
+  // env public origin leaking the iss back in — clear them around each test.
+  function withCleanPlatformEnv<T>(fn: () => T): T {
+    const saved = {
+      hub: process.env.PARACHUTE_HUB_ORIGIN,
+      render: process.env.RENDER_EXTERNAL_URL,
+      fly: process.env.FLY_APP_NAME,
+    };
+    // Computed-key delete (not `delete process.env.FOO`) so biome's noDelete
+    // doesn't fire — matches spawn-env-propagation.test.ts. A `= undefined`
+    // assignment would coerce to the string "undefined" and leak a bogus
+    // origin into the known-issuer set, so a real delete is required here.
+    for (const k of ["PARACHUTE_HUB_ORIGIN", "RENDER_EXTERNAL_URL", "FLY_APP_NAME"]) {
+      delete process.env[k];
+    }
+    try {
+      return fn();
+    } finally {
+      if (saved.hub !== undefined) process.env.PARACHUTE_HUB_ORIGIN = saved.hub;
+      if (saved.render !== undefined) process.env.RENDER_EXTERNAL_URL = saved.render;
+      if (saved.fly !== undefined) process.env.FLY_APP_NAME = saved.fly;
+    }
+  }
+
+  test("accepts a PUBLIC-iss operator token when config resolves loopback (the status bug)", async () => {
+    await withCleanPlatformEnv(async () => {
+      const h = makeHarness();
+      try {
+        const db = openHubDb(hubDbPath(h.dir));
+        try {
+          rotateSigningKey(db);
+          // Mint the operator token under the hub's PUBLIC origin — what
+          // happens on an exposed box (selfHealOperatorTokenIssuer re-mints to
+          // the public iss).
+          const issued = await issueOperatorToken(db, "user-abc", {
+            dir: h.dir,
+            issuer: PUBLIC_ISSUER,
+          });
+          // Expose-state advertises the public origin (so it lands in the
+          // known set). The CALLER resolves loopback (status's hardcoded path).
+          writeExposeState(exposeStateForOrigin(PUBLIC_ISSUER), join(h.dir, "expose-state.json"));
+
+          const used = await useOperatorTokenWithAutoRotate(db, {
+            configDir: h.dir,
+            issuer: TEST_ISSUER, // loopback — the status scenario
+          });
+          expect(used).not.toBeNull();
+          expect(used?.status.kind).toBe("fresh");
+          expect(used?.token).toBe(issued.token);
+          expect(used?.payload.iss).toBe(PUBLIC_ISSUER);
+        } finally {
+          db.close();
+        }
+      } finally {
+        h.cleanup();
+      }
+    });
+  });
+
+  test("accepts a loopback-iss operator token with loopback config", async () => {
+    await withCleanPlatformEnv(async () => {
+      const h = makeHarness();
+      try {
+        const db = openHubDb(hubDbPath(h.dir));
+        try {
+          rotateSigningKey(db);
+          const issued = await issueOperatorToken(db, "user-abc", {
+            dir: h.dir,
+            issuer: TEST_ISSUER,
+          });
+          // No expose-state — known set is loopback aliases only.
+          const used = await useOperatorTokenWithAutoRotate(db, {
+            configDir: h.dir,
+            issuer: TEST_ISSUER,
+          });
+          expect(used).not.toBeNull();
+          expect(used?.status.kind).toBe("fresh");
+          expect(used?.token).toBe(issued.token);
+        } finally {
+          db.close();
+        }
+      } finally {
+        h.cleanup();
+      }
+    });
+  });
+
+  test("rejects a token whose iss is FOREIGN to the known set", async () => {
+    await withCleanPlatformEnv(async () => {
+      const h = makeHarness();
+      try {
+        const db = openHubDb(hubDbPath(h.dir));
+        try {
+          rotateSigningKey(db);
+          // Hub-SIGNED (so the signature gate passes) but stamped with an iss
+          // that's neither loopback nor in expose-state nor env. Must reject.
+          const issued = await issueOperatorToken(db, "user-abc", {
+            dir: h.dir,
+            issuer: "https://evil.example.com",
+          });
+          expect(issued.token.length).toBeGreaterThan(0);
+          // expose-state advertises the PUBLIC origin (not the evil one), so
+          // the foreign iss is not in the known set.
+          writeExposeState(exposeStateForOrigin(PUBLIC_ISSUER), join(h.dir, "expose-state.json"));
+
+          await expect(
+            useOperatorTokenWithAutoRotate(db, { configDir: h.dir, issuer: TEST_ISSUER }),
+          ).rejects.toThrow(/unexpected "iss" claim value/);
+        } finally {
+          db.close();
+        }
+      } finally {
+        h.cleanup();
+      }
+    });
+  });
+
+  test("rejects a FOREIGN-SIGNED token even when its iss is in the known set (signature gate first)", async () => {
+    await withCleanPlatformEnv(async () => {
+      const h = makeHarness();
+      const foreign = makeHarness();
+      try {
+        const db = openHubDb(hubDbPath(h.dir));
+        // A DIFFERENT hub (different signing key) mints a token stamped with an
+        // iss that IS in our known set. The signature won't verify against our
+        // JWKS, so it must be rejected at the signature gate regardless of iss.
+        const foreignDb = openHubDb(hubDbPath(foreign.dir));
+        try {
+          rotateSigningKey(db);
+          rotateSigningKey(foreignDb);
+          const foreignToken = await mintOperatorToken(foreignDb, "user-abc", {
+            issuer: PUBLIC_ISSUER,
+          });
+          await writeOperatorTokenFile(foreignToken.token, h.dir);
+          // Our expose-state advertises PUBLIC_ISSUER — so the iss WOULD pass
+          // the belt-and-suspenders check. The signature gate must still reject.
+          writeExposeState(exposeStateForOrigin(PUBLIC_ISSUER), join(h.dir, "expose-state.json"));
+
+          await expect(
+            useOperatorTokenWithAutoRotate(db, { configDir: h.dir, issuer: TEST_ISSUER }),
+          ).rejects.toThrow();
+        } finally {
+          db.close();
+          foreignDb.close();
+        }
+      } finally {
+        h.cleanup();
+        foreign.cleanup();
+      }
+    });
+  });
+
+  test("expose-state absent: loopback-iss accepted, public-iss rejected (no public origin known)", async () => {
+    await withCleanPlatformEnv(async () => {
+      const h = makeHarness();
+      try {
+        const db = openHubDb(hubDbPath(h.dir));
+        try {
+          rotateSigningKey(db);
+          // A loopback-iss token is accepted (loopback alias is always in the set).
+          const loopbackTok = await issueOperatorToken(db, "user-abc", {
+            dir: h.dir,
+            issuer: TEST_ISSUER,
+          });
+          const usedLoopback = await useOperatorTokenWithAutoRotate(db, {
+            configDir: h.dir,
+            issuer: TEST_ISSUER,
+          });
+          expect(usedLoopback?.token).toBe(loopbackTok.token);
+
+          // Overwrite with a public-iss token. No expose-state, no env public
+          // origin → the public iss is NOT known → reject. (Correct: with no
+          // exposure configured, the hub doesn't legitimately answer on it.)
+          const publicTok = await issueOperatorToken(db, "user-abc", {
+            dir: h.dir,
+            issuer: PUBLIC_ISSUER,
+          });
+          expect(publicTok.token.length).toBeGreaterThan(0);
+          await expect(
+            useOperatorTokenWithAutoRotate(db, { configDir: h.dir, issuer: TEST_ISSUER }),
+          ).rejects.toThrow(/unexpected "iss" claim value/);
+        } finally {
+          db.close();
+        }
+      } finally {
+        h.cleanup();
+      }
+    });
+  });
+
+  test("auto-rotate still fires for a near-expiry token validated via the known set", async () => {
+    await withCleanPlatformEnv(async () => {
+      const h = makeHarness();
+      try {
+        const db = openHubDb(hubDbPath(h.dir));
+        try {
+          rotateSigningKey(db);
+          // Public-iss + 1-day TTL (below the 7d threshold). Validates via the
+          // known set (expose-state public origin), then auto-rotates.
+          const original = await issueOperatorToken(db, "user-abc", {
+            dir: h.dir,
+            issuer: PUBLIC_ISSUER,
+            scopeSet: "start",
+            ttlSeconds: 24 * 60 * 60,
+          });
+          writeExposeState(exposeStateForOrigin(PUBLIC_ISSUER), join(h.dir, "expose-state.json"));
+
+          const used = await useOperatorTokenWithAutoRotate(db, {
+            configDir: h.dir,
+            issuer: PUBLIC_ISSUER, // lifecycle's public-origin scenario
+          });
+          expect(used).not.toBeNull();
+          expect(used?.status.kind).toBe("rotated");
+          expect(used?.rotated?.scopeSet).toBe("start");
+          expect(used?.token).not.toBe(original.token);
+          // Re-mint stamps opts.issuer as the new iss; still validates.
+          const validated = await validateAccessToken(db, used!.token, PUBLIC_ISSUER);
+          expect(validated.payload.iss).toBe(PUBLIC_ISSUER);
+        } finally {
+          db.close();
+        }
+      } finally {
+        h.cleanup();
+      }
+    });
+  });
+
+  test("buildKnownIssuersForOperatorToken includes loopback aliases + expose-state public origin", async () => {
+    await withCleanPlatformEnv(() => {
+      const h = makeHarness();
+      try {
+        writeExposeState(exposeStateForOrigin(PUBLIC_ISSUER), join(h.dir, "expose-state.json"));
+        const set = buildKnownIssuersForOperatorToken(h.dir, TEST_ISSUER);
+        expect(set).toContain("http://127.0.0.1:1939");
+        expect(set).toContain("http://localhost:1939");
+        expect(set).toContain(PUBLIC_ISSUER);
+        // The seed issuer is included too.
+        expect(set).toContain(TEST_ISSUER);
+        // A foreign origin is NOT present.
+        expect(set).not.toContain("https://evil.example.com");
+      } finally {
+        h.cleanup();
+      }
+    });
+  });
+});
+
 // closes #212 Phase 1 — operator-mint paths write to the unified token
 // registry so they show up in the revocation list and admin UI alongside
 // OAuth refresh tokens and CLI mints.

package/src/api-modules-ops.ts

@@ -40,8 +40,8 @@ import { CURATED_MODULES, type CuratedModuleShort } from "./api-modules.ts";
 import { isLinked as defaultIsLinked } from "./bun-link.ts";
 import { PARACHUTE_INSTALL_CHANNEL_ENV } from "./commands/install.ts";
 import { buildModuleSpawnRequest } from "./commands/serve-boot.ts";
+import { validateHostAdminToken } from "./host-admin-token-validation.ts";
 import { getModuleInstallChannel } from "./hub-settings.ts";
-import { validateAccessToken } from "./jwt-sign.ts";
 import { readModuleManifest } from "./module-manifest.ts";
 import { refreshWellKnown, stampInstallDirOnRow } from "./post-install.ts";
 import {
@@ -180,6 +180,21 @@ export interface RunOpts {
 export interface ApiModulesOpsDeps {
   db: Database;
   issuer: string;
+  /**
+   * The SET of origins the hub legitimately answers on — loopback aliases ∪
+   * expose-state public origin ∪ platform/env origin ∪ the per-request
+   * `issuer`. The host-admin bearer's `iss` is validated against THIS set, not
+   * the single per-request `issuer` (hub#516): the CLI drives these endpoints
+   * on loopback presenting the operator token, whose `iss` is the hub's public
+   * origin after `expose`. Built via `buildHubBoundOrigins` at the call site.
+   *
+   * Optional for back-compat with callers that don't construct it (the
+   * first-boot wizard's `runInstall`, tests). When absent, `authorize` falls
+   * back to the single-element `[issuer]` set — i.e. the prior strict
+   * per-request behavior — so the relaxation is opt-in at the HTTP call site
+   * and the non-HTTP install path is unaffected.
+   */
+  knownIssuers?: readonly string[];
   manifestPath: string;
   configDir: string;
   supervisor: Supervisor;
@@ -280,7 +295,18 @@ async function authorize(req: Request, deps: ApiModulesOpsDeps): Promise<Respons
   const bearer = auth.slice("Bearer ".length).trim();
   if (!bearer) return jsonError(401, "unauthenticated", "empty bearer token");
   try {
-    const validated = await validateAccessToken(deps.db, bearer, deps.issuer);
+    // Host-admin (operator / SPA) token validation: accept the `iss` against
+    // the SET of origins the hub answers on, not the single per-request issuer
+    // (hub#516). This surface only ever accepts the hub's own self-issued
+    // host-admin credentials (the `parachute:host:admin` scope below is
+    // non-requestable via OAuth), so the relaxation cannot reach an OAuth
+    // token's validation. Falls back to the strict single-issuer set when
+    // `knownIssuers` isn't wired (non-HTTP install path / tests).
+    const validated = await validateHostAdminToken(
+      deps.db,
+      bearer,
+      deps.knownIssuers ?? [deps.issuer],
+    );
     if (typeof validated.payload.sub !== "string" || validated.payload.sub.length === 0) {
       return jsonError(401, "unauthenticated", "bearer token has no sub claim");
     }

package/src/api-modules.ts

@@ -25,6 +25,7 @@
  */
 
 import type { Database } from "bun:sqlite";
+import { validateHostAdminToken } from "./host-admin-token-validation.ts";
 import {
   type ModuleInstallChannel,
   getModuleInstallChannel,
@@ -116,6 +117,18 @@ export type CuratedModuleShort = (typeof CURATED_MODULES)[number];
 export interface ApiModulesDeps {
   db: Database;
   issuer: string;
+  /**
+   * The SET of origins the hub legitimately answers on — loopback aliases ∪
+   * expose-state public origin ∪ platform/env origin ∪ the per-request
+   * `issuer`. The host-admin bearer's `iss` is validated against THIS set, not
+   * the single per-request `issuer` (hub#516): `parachute status` reads this
+   * endpoint on loopback presenting the operator token, whose `iss` is the
+   * hub's public origin after `expose`. Built via `buildHubBoundOrigins` at the
+   * call site. When absent, falls back to the single-element `[issuer]` set
+   * (the prior strict per-request behavior) so non-HTTP callers / tests are
+   * unaffected.
+   */
+  knownIssuers?: readonly string[];
   manifestPath: string;
   supervisor?: Supervisor;
   /**
@@ -312,10 +325,20 @@ export async function handleApiModules(req: Request, deps: ApiModulesDeps): Prom
     return jsonError(401, "unauthenticated", "empty bearer token");
   }
 
-  // Bearer validation.
+  // Bearer validation. Host-admin (operator / SPA) token: accept the `iss`
+  // against the SET of origins the hub answers on, not the single per-request
+  // issuer (hub#516) — `parachute status` reads this on loopback presenting the
+  // operator token, whose `iss` is the hub's public origin after `expose`. This
+  // surface gates on the non-requestable `parachute:host:auth` scope below, so
+  // the relaxation only ever touches the hub's own self-issued host-admin
+  // credentials and cannot reach an OAuth token's validation.
   let bearerScopes: string[];
   try {
-    const validated = await validateAccessToken(deps.db, bearer, deps.issuer);
+    const validated = await validateHostAdminToken(
+      deps.db,
+      bearer,
+      deps.knownIssuers ?? [deps.issuer],
+    );
     if (typeof validated.payload.sub !== "string" || validated.payload.sub.length === 0) {
       return jsonError(401, "unauthenticated", "bearer token has no sub claim");
     }

package/src/host-admin-token-validation.ts

@@ -0,0 +1,96 @@
+/**
+ * Issuer validation for the hub's OWN host-admin credentials (the operator
+ * token + the SPA host-admin token) on the loopback module-ops surfaces.
+ *
+ * ## Why this is its own helper (hub#516)
+ *
+ * The on-box CLI drives the hub on loopback (`127.0.0.1:1939`) presenting
+ * `~/.parachute/operator.token` — a hub-SELF-issued JWT (`aud: "operator"`,
+ * scope-set carries `parachute:host:admin`). After `parachute expose`, the
+ * operator token's `iss` is the hub's PUBLIC origin (e.g.
+ * `https://parachute.taildf9ce2.ts.net`), because §3.1 self-heals it there so
+ * on-box services validating public-origin bearers accept it.
+ *
+ * But the hub resolves its issuer PER-REQUEST from the Host header
+ * (`resolveIssuer` in hub-server.ts, "closes #245") — so a LOOPBACK request
+ * resolves the issuer to `http://127.0.0.1:1939`. The strict per-request
+ * `validateAccessToken(db, token, <loopback-issuer>)` then rejects the
+ * operator token's PUBLIC `iss` as `unexpected "iss" claim value`. Net:
+ * `parachute status` / `start|stop|restart <svc>` fail on ANY exposed box
+ * (tailnet or Cloudflare), even though the credential is the hub's own,
+ * presented on the hub's own loopback.
+ *
+ * ## The scoped relaxation
+ *
+ * The operator token (and the SPA host-admin token) are SELF-issued — the hub
+ * signs them with its own key, and {@link validateAccessToken} verifies that
+ * signature against the hub's JWKS. The signature already proves provenance:
+ * the only tokens that can verify are ones THIS hub minted. So for these
+ * host-admin credentials, the `iss` claim should be accepted if it matches ANY
+ * origin the hub legitimately answers on — loopback ∪ expose-state public
+ * origin ∪ platform/env origin — not just the single per-request one.
+ *
+ * We deliberately do NOT drop the `iss` check entirely (belt-and-suspenders):
+ * a token whose `iss` is none of the hub's known origins is still rejected,
+ * so a hypothetical hub-signed token minted for a DIFFERENT origin can't be
+ * replayed here.
+ *
+ * ## What this does NOT touch
+ *
+ * OAuth / access-token validation (vault / MCP tokens, `aud: "vault.<name>"`)
+ * stays STRICT per-request-issuer and lives on entirely separate code paths
+ * (the resource servers' own validators, hub's `/api/auth/*`, etc.). This
+ * helper is invoked ONLY from the two loopback host-admin module surfaces
+ * (`/api/modules` GET — the `status` read; `/api/modules/:short/*` POST — the
+ * lifecycle ops), both of which already gate on the non-requestable
+ * `parachute:host:admin` / `parachute:host:auth` scopes that no OAuth token
+ * can carry. The relaxation cannot reach an OAuth token's validation.
+ */
+import type { Database } from "bun:sqlite";
+import { type ValidatedAccessToken, validateAccessToken } from "./jwt-sign.ts";
+
+/**
+ * Validate a host-admin bearer (operator token / SPA host-admin token)
+ * presented on a loopback module surface, accepting its `iss` against the SET
+ * of origins the hub legitimately answers on rather than the single
+ * per-request issuer.
+ *
+ * Verification order:
+ *   1. Signature + `exp` + revocation, via {@link validateAccessToken} WITHOUT
+ *      an `expectedIssuer` — the signature proves the hub minted it (only this
+ *      hub's key can produce a JWS that verifies against its JWKS). A throw
+ *      here (bad/unknown/expired kid, jose `exp`, revoked jti) propagates
+ *      unchanged.
+ *   2. `iss` ∈ `knownIssuers` — belt-and-suspenders. Even though the signature
+ *      proves provenance, we still require the issuer to be one of the hub's
+ *      own origins. A foreign/garbage `iss` throws (matching the per-request
+ *      strict check's message shape so callers' error rendering is unchanged).
+ *
+ * `knownIssuers` is the hub's own valid origin set — typically built from
+ * `buildHubBoundOrigins` (per-request issuer ∪ loopback aliases ∪
+ * expose-state public origin ∪ platform/env origin). Empty/garbage entries are
+ * the caller's responsibility to filter; an empty set rejects every token
+ * (fails closed).
+ *
+ * @throws Error when the signature/exp/revocation check fails, or when `iss`
+ *   is absent / not a string / not in `knownIssuers`.
+ */
+export async function validateHostAdminToken(
+  db: Database,
+  token: string,
+  knownIssuers: readonly string[],
+): Promise<ValidatedAccessToken> {
+  // Step 1: signature + exp + revocation, NOT pinning iss. Provenance is
+  // proved by the signature verifying against the hub's own JWKS.
+  const validated = await validateAccessToken(db, token);
+
+  // Step 2: belt-and-suspenders iss ∈ known-origins. Never widen to arbitrary
+  // issuers — the token's iss must be one of the hub's own legitimate origins.
+  const iss = validated.payload.iss;
+  if (typeof iss !== "string" || !knownIssuers.includes(iss)) {
+    // Mirror jose's wording so the CLI's bearer-invalid error path renders the
+    // same way it did for the strict per-request check.
+    throw new Error('unexpected "iss" claim value');
+  }
+  return validated;
+}

package/src/hub-server.ts

@@ -1783,9 +1783,16 @@ export function hubFetch(
 
     if (pathname === "/api/modules") {
       if (!getDb) return dbNotConfigured();
+      const od = oauthDeps(req);
       const modulesDeps: Parameters<typeof handleApiModules>[1] = {
         db: getDb(),
-        issuer: oauthDeps(req).issuer,
+        issuer: od.issuer,
+        // hub#516: validate the host-admin bearer's `iss` against the SET of
+        // origins the hub answers on (loopback ∪ expose-state ∪ env/platform ∪
+        // per-request issuer), so `parachute status` works on an exposed box
+        // where the operator token carries the public origin but the loopback
+        // request resolves the loopback issuer.
+        knownIssuers: od.hubBoundOrigins(),
         manifestPath: deps?.manifestPath ?? SERVICES_MANIFEST_PATH,
       };
       if (deps?.supervisor !== undefined) modulesDeps.supervisor = deps.supervisor;
@@ -1841,9 +1848,13 @@ export function hubFetch(
       }
       const opId = decodeURIComponent(pathname.slice("/api/modules/operations/".length));
       if (!opId || opId.includes("/")) return new Response("not found", { status: 404 });
+      const od = oauthDeps(req);
       return handleOperationGet(req, opId, {
         db: getDb(),
-        issuer: oauthDeps(req).issuer,
+        issuer: od.issuer,
+        // hub#516: see the `/api/modules` deps note — the CLI polls async ops
+        // on loopback with the operator token (public `iss`).
+        knownIssuers: od.hubBoundOrigins(),
         manifestPath: deps?.manifestPath ?? SERVICES_MANIFEST_PATH,
         configDir: CONFIG_DIR,
         supervisor: deps.supervisor,
@@ -1888,9 +1899,14 @@ export function hubFetch(
       }
       const match = parseModulesPath(pathname);
       if (!match) return new Response("not found", { status: 404 });
+      const od = oauthDeps(req);
       const opsDeps = {
         db: getDb(),
-        issuer: oauthDeps(req).issuer,
+        issuer: od.issuer,
+        // hub#516: the CLI drives start/stop/restart/install/upgrade/uninstall
+        // on loopback with the operator token, whose `iss` is the hub's public
+        // origin after `expose`. Validate against the hub's known-origin set.
+        knownIssuers: od.hubBoundOrigins(),
         manifestPath: deps?.manifestPath ?? SERVICES_MANIFEST_PATH,
         configDir: CONFIG_DIR,
         supervisor: deps.supervisor,

package/src/operator-token.ts

@@ -30,7 +30,12 @@ import type { Database } from "bun:sqlite";
 import { promises as fs } from "node:fs";
 import { join } from "node:path";
 import { configDir } from "./config.ts";
+import { EXPOSE_STATE_PATH, readExposeState } from "./expose-state.ts";
+import { validateHostAdminToken } from "./host-admin-token-validation.ts";
+import { readHubPort } from "./hub-control.ts";
+import { HUB_UNIT_DEFAULT_PORT } from "./hub-unit.ts";
 import { recordTokenMint, signAccessToken, validateAccessToken } from "./jwt-sign.ts";
+import { buildHubBoundOrigins } from "./origin-check.ts";
 import { isLoopbackOrigin } from "./vault-hub-origin-env.ts";
 
 export const OPERATOR_TOKEN_FILENAME = "operator.token";
@@ -279,7 +284,14 @@ export class OperatorTokenExpiredError extends Error {
 }
 
 export interface UseOperatorTokenOpts {
-  /** Hub origin used as `iss` validator. Required. */
+  /**
+   * Hub origin the caller resolved. Required. As of hub#516 this is a SEED of
+   * the known-issuer SET the token's `iss` is validated against
+   * ({@link buildKnownIssuersForOperatorToken}), not the sole `iss` validator —
+   * so a caller that resolves loopback (`status`) still accepts a public-`iss`
+   * operator token from `expose-state.json`, and vice versa. It also remains
+   * the `iss` stamped on an auto-rotated re-mint.
+   */
   issuer: string;
   /** configDir override (where operator.token lives). Defaults to `configDir()`. */
   configDir?: string;
@@ -345,9 +357,78 @@ export interface UsedOperatorToken {
   status: RotationStatus;
 }
 
+/**
+ * Compose the Fly.io default public origin from `FLY_APP_NAME`, mirroring the
+ * server-side `flyDefaultOrigin` (hub-server.ts) so the client-side
+ * known-issuer set matches the origin the hub stamps tokens with on Fly. Kept
+ * local (a one-liner) rather than imported to avoid pulling hub-server.ts /
+ * serve.ts into the CLI auth path. Fly slugs never contain `/`; anything with
+ * one is spoofed or malformed.
+ */
+function flyDefaultOrigin(env: NodeJS.ProcessEnv): string | undefined {
+  const app = env.FLY_APP_NAME;
+  if (typeof app !== "string" || app.length === 0 || app.includes("/")) return undefined;
+  return `https://${app}.fly.dev`;
+}
+
+/**
+ * Assemble the SET of origins this hub legitimately answers on, from on-disk
+ * client state — the client-side mirror of hub-server.ts's per-request
+ * `buildHubBoundOrigins` call (hub#516). The operator token's `iss` is
+ * validated against this set rather than a single issuer, so a token whose
+ * `iss` is the hub's PUBLIC origin (stamped after `parachute expose`) is
+ * accepted even when the CLI command resolved a loopback `issuer` (the
+ * `status` case) — and vice versa.
+ *
+ * The set is:
+ *   - `seedIssuer` — the issuer the caller resolved (loopback for `status`,
+ *     `r.hubOrigin` / public for lifecycle). Kept as a seed so callers that
+ *     pass a value still contribute it; never the sole gate.
+ *   - loopback aliases — `http://127.0.0.1:<port>` AND `http://localhost:<port>`
+ *     for the hub's port (`readHubPort(configDir) ?? HUB_UNIT_DEFAULT_PORT`),
+ *     matching the hub's own loopback alias set (`buildHubBoundOrigins`).
+ *   - the expose-state public origin — `expose-state.json`'s `hubOrigin`, the
+ *     public URL the hub stamps on tokens once exposed.
+ *   - the platform/env public origin — `PARACHUTE_HUB_ORIGIN` ∪
+ *     `RENDER_EXTERNAL_URL` ∪ the composed Fly default — for container deploys
+ *     where the public origin comes from the platform, not expose-state.
+ *
+ * Provenance is NOT established here: `validateHostAdminToken` runs the JWKS
+ * signature check FIRST and unconditionally. This set is the belt-and-suspenders
+ * `iss` allowlist layered on top — a foreign `iss` (not loopback / expose /
+ * env) is rejected, and an empty set fails closed.
+ */
+export function buildKnownIssuersForOperatorToken(
+  configDirOverride: string | undefined,
+  seedIssuer: string,
+): readonly string[] {
+  const dir = configDirOverride ?? configDir();
+  const loopbackPort = readHubPort(dir) ?? HUB_UNIT_DEFAULT_PORT;
+  let exposeHubOrigin: string | undefined;
+  try {
+    exposeHubOrigin = readExposeState(join(dir, "expose-state.json"))?.hubOrigin;
+  } catch {
+    // A malformed expose-state.json must never lock the operator out of the
+    // CLI — the seed issuer + loopback aliases already cover legitimate
+    // loopback access; treat it as "no public origin known."
+    exposeHubOrigin = undefined;
+  }
+  const platformOrigin =
+    process.env.PARACHUTE_HUB_ORIGIN ??
+    process.env.RENDER_EXTERNAL_URL ??
+    flyDefaultOrigin(process.env);
+  return buildHubBoundOrigins({
+    issuer: seedIssuer,
+    loopbackPort,
+    ...(exposeHubOrigin !== undefined ? { exposeHubOrigin } : {}),
+    ...(platformOrigin !== undefined ? { platformOrigin } : {}),
+  });
+}
+
 /**
  * The canonical "use the operator token in a CLI flow" helper. Reads
- * `~/.parachute/operator.token`, validates against `db` + `issuer`, and:
+ * `~/.parachute/operator.token`, validates against `db` + the hub's
+ * known-issuer SET, and:
  *
  *   - If the token has fully expired: throws `OperatorTokenExpiredError`
  *     with an actionable message. Does NOT auto-rotate from a dead token —
@@ -397,9 +478,19 @@ export async function useOperatorTokenWithAutoRotate(
   if (!token) return null;
   const now = opts.now ?? (() => new Date());
 
-  // Validation failures (signature mismatch, wrong issuer, missing kid,
-  // expired-by-jose) bubble out for the caller to render the right message.
-  const validated = await validateAccessToken(db, token, opts.issuer);
+  // Validate against the hub's KNOWN-ISSUER SET, not a single `opts.issuer`
+  // (hub#516). The operator token is the hub's OWN self-issued credential; its
+  // `iss` is the hub's loopback origin before `expose` and its PUBLIC origin
+  // after. Callers resolve `opts.issuer` inconsistently — `status` hardcodes
+  // loopback, lifecycle uses `r.hubOrigin` (public when exposed) — so a single
+  // per-issuer check rejected the public-`iss` operator token on `status` even
+  // though `restart` worked. `validateHostAdminToken` (the #517 helper) gates
+  // on the JWKS SIGNATURE first+unconditionally (provenance), then accepts the
+  // `iss` if it's ANY origin the hub legitimately answers on. Validation
+  // failures (signature mismatch, missing kid, expired-by-jose, revoked, or an
+  // `iss` foreign to the whole set) bubble out for the caller to render.
+  const knownIssuers = buildKnownIssuersForOperatorToken(opts.configDir, opts.issuer);
+  const validated = await validateHostAdminToken(db, token, knownIssuers);
   const { payload } = validated;
 
   const exp = typeof payload.exp === "number" ? payload.exp : 0;

package/src/origin-check.ts

@@ -74,6 +74,16 @@ export function buildHubBoundOrigins(opts: {
       // Malformed URL — skip.
     }
   };
+  // `opts.issuer` is the PER-REQUEST issuer, which `resolveIssuer` derives
+  // from the request's Host header (hub-server.ts, "closes #245"). Including a
+  // Host-derived value in the known-issuers set is SAFE — it is NOT a
+  // forged-`iss` bypass. Token provenance is signature-gated: the JWKS verify
+  // in `validateAccessToken` / `validateHostAdminToken` runs UNCONDITIONALLY
+  // FIRST, before `iss` is ever checked against this set. So a token whose
+  // `iss` matches an attacker-injected Host (and thus lands in this set) but
+  // which isn't signed by THIS hub's key is still rejected at the signature
+  // step. The known-issuers membership check is belt-and-suspenders layered on
+  // top of the signature gate, never a substitute for it.
   add(opts.issuer);
   add(opts.exposeHubOrigin);
   add(opts.platformOrigin);