@openparachute/hub 0.6.3 → 0.6.4-rc.10

package/src/supervisor.ts

@@ -34,14 +34,55 @@
  * child state to disk (transient — re-derived from services.json on every boot).
  */
 
+import { spawnSync } from "node:child_process";
 import {
   MissingDependencyError,
   type MissingDependencyWire,
   ensureExecutable,
   rethrowIfMissing,
 } from "@openparachute/depcheck";
+import { defaultPidOnPort } from "./hub-control.ts";
 import { type PortListeningFn, defaultPortListening } from "./port-probe.ts";
 
+/**
+ * Which pid (if any) holds a TCP LISTEN on `port`. Production wires
+ * `hub-control.ts:defaultPidOnPort` (an `lsof -ti :<port> -sTCP:LISTEN`
+ * shell-out, macOS + Linux); a box without `lsof` / on an unsupported platform
+ * returns undefined → the squatter check degrades gracefully (falls back to the
+ * existing started-but-unbound error). Injectable so tests stay deterministic.
+ */
+export type PidOnPortFn = (port: number) => number | undefined;
+
+/**
+ * Best-effort command line of a pid (the squatter-surfacing detail). Returns
+ * undefined when it can't be read; the message then omits the cmdline.
+ */
+export type OwnerProbeFn = (pid: number) => string | undefined;
+
+/**
+ * Production `ownerOfPid`: `ps -o command= -p <pid>` → the process's full argv
+ * (one line). Mirrors `migrate-cutover.ts:defaultOwnerOfPid` (inlined rather
+ * than imported to keep the supervisor off the heavy command-module graph).
+ * Any failure (no `ps`, pid gone, permission, garbage) → undefined, so the
+ * squatter message degrades to "command line unavailable".
+ */
+export const defaultOwnerOfPid: OwnerProbeFn = (pid) => {
+  try {
+    const result = spawnSync("ps", ["-o", "command=", "-p", String(pid)], {
+      encoding: "utf8",
+      timeout: 2000,
+    });
+    if (result.status !== 0) return undefined;
+    const line = result.stdout
+      .split("\n")
+      .map((s) => s.trim())
+      .find((s) => s.length > 0);
+    return line === undefined || line.length === 0 ? undefined : line;
+  } catch {
+    return undefined;
+  }
+};
+
 export type ModuleStatus = "starting" | "running" | "stopped" | "crashed" | "restarting";
 
 /**
@@ -196,6 +237,19 @@ export interface SupervisorOpts {
   readonly startReadyMs?: number;
   /** Poll interval while waiting for the port to bind, in ms. Default 200. */
   readonly startReadyPollMs?: number;
+  /**
+   * How long the background late-bind watch keeps re-probing AFTER the
+   * readiness window elapsed with the port unbound, in ms. Heavy modules
+   * (vault — SQLite + git mirror + well-known init) can legitimately take
+   * longer than `startReadyMs` to bind; without a re-probe the recorded
+   * `started_but_unbound` note sticks for the module's whole lifetime and
+   * `parachute status` shows a perpetual "failed to start" on a healthy
+   * module. The watch clears the note once the port binds. Default 60s;
+   * `0` disables the watch (the note then behaves as before).
+   */
+  readonly lateBindWatchMs?: number;
+  /** Poll interval for the late-bind watch, in ms. Default 1000. */
+  readonly lateBindPollMs?: number;
   /**
    * PATH-resolution seam for the pre-spawn `ensureExecutable` preflight
    * (`@openparachute/depcheck`). Production uses the real `Bun.which`; a
@@ -208,6 +262,29 @@ export interface SupervisorOpts {
    * Tests exercising the missing-binary branch inject `which: () => null`.
    */
   readonly which?: (cmd: string) => string | null;
+  /**
+   * Pre-spawn port-squatter detection (#580 item 4). Returns the pid holding a
+   * TCP LISTEN on the module's port, or undefined when the port is free /
+   * undetectable. Before spawning a module, the supervisor checks whether the
+   * declared port is already held by a pid it does NOT own (not one of its live
+   * children). If so it records a structured `port_squatter` start-error with
+   * an actionable message and DOES NOT spawn — so a rogue process holding the
+   * port (the #580 field signature: a bare `vault/src/server.ts` outside the
+   * supervisor on :1940) surfaces in `status` instead of the supervised child
+   * EADDRINUSE-crash-looping into a bare `supervisor: crashed`.
+   *
+   * Detection ONLY — never auto-kills (that's an operator's unrelated process).
+   * Defaults to `hub-control.ts:defaultPidOnPort` on the production path; the
+   * stub-spawner test path defaults to "no squatter" (returns undefined) so
+   * existing fake-proc tests are unaffected unless they inject this explicitly.
+   */
+  readonly pidOnPort?: PidOnPortFn;
+  /**
+   * Best-effort cmdline probe for the squatter pid (the actionable message
+   * detail). Defaults to {@link defaultOwnerOfPid} on the production path; the
+   * stub-spawner test path defaults to "unknown" (returns undefined).
+   */
+  readonly ownerOfPid?: OwnerProbeFn;
 }
 
 /**
@@ -242,6 +319,8 @@ const DEFAULT_KILL_TIMEOUT_MS = 5_000;
 const DEFAULT_LOG_BUFFER_BYTES = 64 * 1024;
 const DEFAULT_START_READY_MS = 4_000;
 const DEFAULT_START_READY_POLL_MS = 200;
+const DEFAULT_LATE_BIND_WATCH_MS = 60_000;
+const DEFAULT_LATE_BIND_POLL_MS = 1_000;
 
 /**
  * Bounded, line-oriented ring buffer (§6.5). Holds the most-recent lines of a
@@ -318,7 +397,15 @@ export class Supervisor {
       startReadyMs:
         opts.startReadyMs ?? (isProductionPath || readinessOptedIn ? DEFAULT_START_READY_MS : 0),
       startReadyPollMs: opts.startReadyPollMs ?? DEFAULT_START_READY_POLL_MS,
+      lateBindWatchMs: opts.lateBindWatchMs ?? DEFAULT_LATE_BIND_WATCH_MS,
+      lateBindPollMs: opts.lateBindPollMs ?? DEFAULT_LATE_BIND_POLL_MS,
       which: opts.which ?? (isProductionPath ? Bun.which : () => "/stub/bin/preflight-skipped"),
+      // Squatter detection (#580 item 4): real probes on the production path;
+      // the stub-spawner test path defaults to "no squatter / unknown owner" so
+      // fake-proc tests (which never hold a real port) aren't tripped. Tests
+      // opt in by injecting `pidOnPort` / `ownerOfPid`.
+      pidOnPort: opts.pidOnPort ?? (isProductionPath ? defaultPidOnPort : () => undefined),
+      ownerOfPid: opts.ownerOfPid ?? (isProductionPath ? defaultOwnerOfPid : () => undefined),
     };
   }
 
@@ -372,6 +459,25 @@ export class Supervisor {
       }
     }
 
+    // Pre-spawn port-squatter detection (#580 item 4). If the module's declared
+    // port is already held by a process the supervisor does NOT own (not one of
+    // its live children), spawning would EADDRINUSE-crash-loop the child into a
+    // bare `supervisor: crashed` with no clue why. Detect the foreign holder and
+    // record a structured, actionable `port_squatter` start-error INSTEAD of
+    // spawning — the operator sees the offending pid + cmdline + a copy-paste
+    // recovery in `status` / the SPA. Detection only: we never kill someone
+    // else's process (it may be the operator's unrelated dev server).
+    const squatter = this.detectPortSquatter(entry);
+    if (squatter) {
+      entry.state = {
+        ...entry.state,
+        status: "crashed",
+        pid: undefined,
+        startError: squatter,
+      };
+      return entry.state;
+    }
+
     // Belt-and-suspenders for a spawn that slips past the preflight (binary
     // removed between check + spawn, or a path that didn't preflight): a
     // not-found spawn throw becomes the same structured MissingDependencyError
@@ -411,6 +517,65 @@ export class Supervisor {
     return entry.state;
   }
 
+  /**
+   * The set of pids the supervisor currently owns AND that are still alive — its
+   * live children's pids. Used by the squatter check to decide whether a process
+   * holding a module's port is "ours" (a re-probe of our own just-spawned child,
+   * or a sibling) vs a foreign rogue.
+   *
+   * Liveness guard (N1): `entry.proc` is NEVER cleared on exit (`handleExit`
+   * only updates `entry.state`), so a recycled OS pid could otherwise be
+   * misclassified as "our own child" and wrongly excused from the squatter
+   * check. We therefore only count an entry whose child is actually running —
+   * `state.status` is `running` or `starting`. A `crashed` / `restarting` /
+   * `stopped` module's recorded pid is stale (the process is gone or being
+   * replaced) and must not vouch for whoever now holds the port. An entry with
+   * no `proc` (never spawned) contributes no pid either.
+   */
+  private supervisedPids(): Set<number> {
+    const pids = new Set<number>();
+    for (const entry of this.modules.values()) {
+      if (entry.state.status !== "running" && entry.state.status !== "starting") continue;
+      const pid = entry.proc?.pid;
+      if (typeof pid === "number" && pid > 0) pids.add(pid);
+    }
+    return pids;
+  }
+
+  /**
+   * Pre-spawn port-squatter check (#580 item 4). Returns a structured
+   * `port_squatter` start-error when the module's declared port is held by a
+   * process the supervisor does NOT own; undefined when the port is free, the
+   * holder is one of our own children, or detection isn't available on this
+   * platform (no `lsof` → `pidOnPort` returns undefined → we degrade to the
+   * existing started-but-unbound path post-spawn).
+   *
+   * Ownership precedent mirrors `migrate-cutover.ts:sweepOrphanOnPort`'s "is
+   * this mine?" check — here the discriminant is "is the holder one of my live
+   * children's pids?". We deliberately do NOT kill the holder (detection only):
+   * a foreign pid on a module port may be the operator's unrelated process.
+   */
+  private detectPortSquatter(entry: ModuleEntry): ModuleStartError | undefined {
+    const portStr = entry.req.env?.PORT;
+    const port = portStr ? Number(portStr) : Number.NaN;
+    if (!Number.isFinite(port) || port <= 0) return undefined; // No declared port.
+
+    const holder = this.opts.pidOnPort(port);
+    if (holder === undefined) return undefined; // Port free, or detection unavailable.
+    if (this.supervisedPids().has(holder)) return undefined; // Our own child.
+
+    const cmdline = this.opts.ownerOfPid(holder);
+    const who = cmdline ? `pid ${holder} (${cmdline})` : `pid ${holder}`;
+    const short = entry.req.short;
+    return {
+      error_type: "port_squatter",
+      error_description:
+        `port ${port} is held by ${who} outside the supervisor — ` +
+        `kill it and retry: kill ${holder} && parachute start ${short}`,
+      at: new Date(this.opts.now()).toISOString(),
+    };
+  }
+
   /**
    * Poll the module's port until it binds or `startReadyMs` elapses (§6.5).
    * Skipped when the gate is disabled (stub-spawner test path) or the request
@@ -453,6 +618,44 @@ export class Supervisor {
           at: new Date(this.opts.now()).toISOString(),
         },
       };
+      // Keep watching in the background: heavy modules (vault) routinely bind
+      // a moment after the window. Without the re-probe the note above would
+      // stick for the module's whole lifetime — `parachute status` then shows
+      // a perpetual "failed to start" on a healthy module. Fire-and-forget so
+      // `start()`'s latency stays bounded by `startReadyMs`.
+      if (this.opts.lateBindWatchMs > 0) {
+        void this.lateBindWatch(entry, port).catch(() => {});
+      }
+    }
+  }
+
+  /**
+   * Background re-probe after `awaitPortReadiness` recorded a
+   * `started_but_unbound` note: poll (slower cadence, bounded window) and
+   * clear the note once the port binds. Exits early when the module stops,
+   * crashes, or the note is replaced by a different startError (a later
+   * crash-restart's missing-dependency note must not be wiped).
+   *
+   * Restart safety: a crash-auto-restart reuses the same `entry` object and
+   * clears `startError` on respawn — this watch's `error_type` guard then sees
+   * `undefined` and exits, so a stale watch from spawn-1 never clobbers
+   * spawn-2's state. If spawn-2 also misses its window, its own gate records a
+   * fresh note and launches its own watch; two live watches clearing the same
+   * note is idempotent. `stop()`/teardown set `stopRequested` before any entry
+   * removal, so a watch holding a stale entry ref exits cleanly.
+   */
+  private async lateBindWatch(entry: ModuleEntry, port: number): Promise<void> {
+    const deadline = this.opts.now() + this.opts.lateBindWatchMs;
+    while (this.opts.now() < deadline) {
+      await this.opts.sleep(this.opts.lateBindPollMs);
+      if (entry.stopRequested || entry.state.status !== "running") return;
+      // Only OUR note is clearable — anything else was recorded after us.
+      if (entry.state.startError?.error_type !== "started_but_unbound") return;
+      if (await this.opts.portListening(port)) {
+        const { startError: _drop, ...rest } = entry.state;
+        entry.state = rest;
+        return;
+      }
     }
   }
 
@@ -540,21 +743,43 @@ export class Supervisor {
   }
 
   /**
-   * Restart a supervised module: stop, wait for exit, start with the
-   * same SpawnRequest. Used by the `/api/modules/:name/restart`
-   * handler. The on-box `parachute restart <svc>` path stays on
-   * `commands/lifecycle.ts` — different surface, different ownership.
+   * Restart a supervised module: stop, wait for exit, start again. Used by
+   * the `/api/modules/:name/restart` handler. The on-box
+   * `parachute restart <svc>` path stays on `commands/lifecycle.ts` —
+   * different surface, different ownership.
+   *
+   * `nextReq` (hub#532): when the caller supplies a freshly-rebuilt
+   * SpawnRequest (current `PARACHUTE_HUB_ORIGIN` / enriched PATH /
+   * re-resolved cwd), the re-spawn uses it AND it becomes the entry's new
+   * `req` — so subsequent CRASH-restarts (`handleExit` → `spawnAndWatch`,
+   * which reuse `entry.req`) also carry the refreshed env, not the original
+   * first-start snapshot. When omitted, the prior `entry.req` is replayed
+   * (legacy behavior, e.g. an internal restart with no state change).
+   *
+   * `nextReq.short` MUST match `short`: `start(req)` keys the supervisor map
+   * on `req.short`, so a mismatch would silently register the restarted
+   * module under the WRONG key (orphaning the original entry + breaking every
+   * subsequent `get`/`stop`/`restart` lookup). Throws on mismatch rather than
+   * trusting the caller — a one-line invariant that turns a silent
+   * state-corruption bug into a loud one.
    */
-  async restart(short: string): Promise<ModuleState | undefined> {
+  async restart(short: string, nextReq?: SpawnRequest): Promise<ModuleState | undefined> {
+    if (nextReq && nextReq.short !== short) {
+      throw new Error(
+        `restart(${short}): nextReq.short is "${nextReq.short}" — it must match the restarted short or the module re-registers under the wrong key`,
+      );
+    }
     const entry = this.modules.get(short);
     if (!entry) return undefined;
-    const req = entry.req;
+    const req = nextReq ?? entry.req;
     entry.state = { ...entry.state, status: "restarting" };
     // stop() now awaits the prior process's exit (with SIGKILL
     // escalation) before returning, so the fresh spawn below doesn't
     // race on EADDRINUSE — no separate await needed here.
     await this.stop(short);
-    // Drop the entry so `start` treats this as a clean spawn.
+    // Drop the entry so `start` treats this as a clean spawn. `start` stores
+    // `req` as the new entry's `req`, so a refreshed `nextReq` propagates to
+    // the crash-restart path too.
     this.modules.delete(short);
     return this.start(req);
   }

package/src/users.ts

@@ -232,6 +232,26 @@ export interface CreateUserOpts {
    * each name against `services.json` before passing through.
    */
   assignedVaults?: string[];
+  /**
+   * The `user_vaults.role` to write for every entry in `assignedVaults`.
+   * Default `'write'` (= owner; `vaultVerbsForRole('write')` grants the
+   * full read/write/admin triple). The invite-redeem path passes the
+   * invite's baked-in role so a future shared-into-existing-vault invite
+   * can land a narrower `'read'` role without a second migration. All
+   * existing call sites omit it and keep the historical `'write'` default.
+   */
+  role?: string;
+  /**
+   * Optional hook run INSIDE the same transaction as the user + user_vaults
+   * inserts, after them, with the new user's id. Throwing from it rolls the
+   * whole insert back (no orphan user row). The invite-redeem path uses this
+   * to atomically re-check + consume a single-use invite together with the
+   * account creation — so two concurrent redeems of one invite can't both
+   * create an account (the loser throws here and its user insert rolls back),
+   * while a failure still leaves the invite re-usable (nothing committed).
+   * Must be synchronous — bun:sqlite transactions can't await.
+   */
+  withinTx?: (userId: string) => void;
 }
 
 export async function createUser(
@@ -268,14 +288,18 @@ export async function createUser(
          VALUES (?, ?, ?, ?, ?, ?)`,
       ).run(id, username, passwordHash, stamp, stamp, passwordChanged);
       if (assignedVaults.length > 0) {
+        const role = opts.role ?? "write";
         const insertVault = db.prepare(
           `INSERT INTO user_vaults (user_id, vault_name, role, created_at)
-           VALUES (?, ?, 'write', ?)`,
+           VALUES (?, ?, ?, ?)`,
         );
         for (const vaultName of assignedVaults) {
-          insertVault.run(id, vaultName, stamp);
+          insertVault.run(id, vaultName, role, stamp);
         }
       }
+      // In-transaction hook (e.g. consume a single-use invite). Throwing here
+      // rolls back the user + user_vaults inserts above — no orphan row.
+      opts.withinTx?.(id);
     })();
   } catch (err) {
     const msg = err instanceof Error ? err.message : String(err);
@@ -468,7 +492,7 @@ export async function setPassword(
  * only Phase-1 recovery was delete+recreate, which is destructive-feeling
  * even though it's safe (vaults are independent of accounts).
  *
- * Three writes inside one transaction:
+ * Four writes inside one transaction:
  *
  *   1. Rotate `password_hash` to the new argon2id hash and flip
  *      `password_changed` back to 0 so the user is force-redirected
@@ -482,7 +506,15 @@ export async function setPassword(
  *      would defeat the purpose. We keep the rows (don't NULL `user_id`
  *      like `deleteUser` does) because the audit trail naturally re-
  *      anchors to the still-existing user row.
- *   3. Bump `updated_at` so the SPA's row reflects the rotation.
+ *   3. Delete every active SESSION for the user (item G). Revoking tokens
+ *      alone left a live session cookie valid — an attacker who already had
+ *      a session (the very "old password / stolen device" shape this reset
+ *      recovers from) kept browsing post-reset until the session aged out.
+ *      Killing sessions in the same transaction makes the reset a true cut:
+ *      the user (and any attacker) must re-authenticate with the new
+ *      password. Sessions carry no audit value (unlike tokens), so we hard-
+ *      delete — same shape as `deleteUser`'s `DELETE FROM sessions`.
+ *   4. Bump `updated_at` so the SPA's row reflects the rotation.
  *
  * Hash OUTSIDE the transaction — argon2id is async and `db.transaction()`
  * on bun:sqlite is sync; doing it inside silently breaks atomicity (same
@@ -547,6 +579,12 @@ export async function resetUserPassword(
       stamp,
       userId,
     );
+    // Item G — also kill active sessions in the same transaction. A token
+    // revoke alone left a live session cookie valid; an admin reset must
+    // force re-auth with the new password (the "old password leaked / stolen
+    // device" recovery shape). Sessions carry no audit value, so hard-delete
+    // (same shape as deleteUser).
+    db.prepare("DELETE FROM sessions WHERE user_id = ?").run(userId);
   })();
   return updated;
 }
@@ -563,8 +601,10 @@ export async function resetUserPassword(
  *     parent users row. The audit trail survives via the `subject`
  *     column we backfill from the username plus the existing
  *     `created_at`, `scopes`, `client_id`, `revoked_at` fields.
- *   - `sessions.user_id` and `grants.user_id` are NOT NULL with a
- *     non-cascading FK. Both are deleted before the users row drops.
+ *   - `sessions.user_id`, `grants.user_id`, and `auth_codes.user_id` are
+ *     NOT NULL with a non-cascading (RESTRICT) FK. All three are deleted
+ *     before the users row drops — auth_codes are ephemeral OAuth codes
+ *     (60s TTL, no audit value), so a hard-delete is correct (hub#559).
  *   - `user_vaults.user_id` has `ON DELETE CASCADE` (migration v10), so
  *     vault assignments are dropped automatically when the parent row
  *     goes. No explicit cleanup needed.
@@ -592,10 +632,16 @@ export function deleteUser(db: Database, userId: string): boolean {
     db.prepare(
       "UPDATE tokens SET subject = COALESCE(subject, ?), user_id = NULL WHERE user_id = ?",
     ).run(row.username, userId);
-    // 2. Drop sessions + grants. Both have non-cascading FKs on user_id;
-    //    leaving rows behind would RESTRICT the users delete below.
+    // 2. Drop sessions + grants + auth_codes. All have NOT-NULL, non-cascading
+    //    (RESTRICT) FKs on user_id; leaving rows behind blocks the users delete
+    //    below with SQLITE_CONSTRAINT_FOREIGNKEY. auth_codes are short-lived
+    //    (60s TTL) OAuth authorization codes with no audit value — hard-delete,
+    //    same as sessions. (Omitting this 500'd a real delete of a user who had
+    //    completed an OAuth authorize: the code row outlived its TTL but still
+    //    pinned the FK. hub#559.)
     db.prepare("DELETE FROM sessions WHERE user_id = ?").run(userId);
     db.prepare("DELETE FROM grants WHERE user_id = ?").run(userId);
+    db.prepare("DELETE FROM auth_codes WHERE user_id = ?").run(userId);
     // 3. Drop the user row itself.
     db.prepare("DELETE FROM users WHERE id = ?").run(userId);
   })();

package/src/vault-hub-origin-env.ts

@@ -59,6 +59,34 @@ export function isLoopbackOrigin(origin: string): boolean {
   }
 }
 
+/**
+ * Canonicalize a candidate public origin for use as the hub's OAuth issuer:
+ * strip trailing slashes, then accept it only when it parses as an absolute
+ * `http(s)` URL that is NOT loopback. Returns the canonical origin or
+ * undefined when it fails any check.
+ *
+ * Shared by the two expose-state issuer fallbacks (`resolveStartupIssuer` in
+ * commands/serve.ts and `exposeIssuerOrigin` in hub-server.ts) so the guard
+ * — never let a non-http(s) or loopback value pin the issuer — stays
+ * identical on both origin-resolution chokepoints (#531). The loopback
+ * rejection is defensive: expose-state.hubOrigin should always be the public
+ * origin, but a stray loopback value would re-pin the degraded
+ * request-origin mode the fix exists to escape.
+ */
+export function sanitizePublicOrigin(raw: string | undefined): string | undefined {
+  const trimmed = raw?.replace(/\/+$/, "");
+  if (!trimmed) return undefined;
+  let proto: string;
+  try {
+    proto = new URL(trimmed).protocol;
+  } catch {
+    return undefined;
+  }
+  if (proto !== "http:" && proto !== "https:") return undefined;
+  if (isLoopbackOrigin(trimmed)) return undefined;
+  return trimmed;
+}
+
 function vaultEnvPath(configDir: string): string {
   return join(configDir, "vault", ".env");
 }

package/src/vault-name.ts

@@ -25,7 +25,19 @@
  * `/vault/list` endpoint.
  */
 
-const VAULT_NAME_RE = /^[a-z0-9_-]+$/;
+/**
+ * Canonical vault-name charset: lowercase alphanumerics + hyphen/underscore.
+ * Exported as the single source of truth for the hub edge sites that mint /
+ * create vaults (item I) — `admin-vaults.ts`, `account-vault-token.ts`,
+ * `admin-vault-admin-token.ts` historically accepted `[a-zA-Z0-9_-]`, a
+ * superset of what vault's init enforces. The case drift was a real bug class:
+ * a hub-side `Work` would never match vault's URL-derived `work`, so the minted
+ * token's audience (`vault.Work`) wouldn't validate, and a created vault name
+ * could diverge from what vault persisted. Pinning every hub edge to THIS
+ * lowercase-only regex closes the drift.
+ */
+export const VAULT_NAME_CHARSET_RE = /^[a-z0-9_-]+$/;
+const VAULT_NAME_RE = VAULT_NAME_CHARSET_RE;
 const VAULT_NAME_MIN_LEN = 2;
 const VAULT_NAME_MAX_LEN = 32;
 

package/src/well-known.ts

@@ -2,6 +2,7 @@ import { existsSync, mkdirSync, renameSync, writeFileSync } from "node:fs";
 import { dirname, join } from "node:path";
 import { CONFIG_DIR } from "./config.ts";
 import { type ModuleManifest, readModuleManifest } from "./module-manifest.ts";
+import { SEED_VERSION } from "./service-spec.ts";
 import {
   type ServiceEntry,
   type UiSubUnit,
@@ -315,6 +316,18 @@ export function buildWellKnown(opts: BuildWellKnownOpts): WellKnownDocument {
       }
       doc.services.push(entry);
       if (isVault) {
+        // hub#577: don't fabricate a phantom vault row from a SEED placeholder.
+        // `parachute init` installs the vault MODULE without creating an
+        // instance (hub#168 Cut 1: `noCreate`), seeding a services.json entry
+        // at SEED_VERSION with the canonical `/vault/default` mount. Vault's
+        // own boot overwrites that entry with the real instance path(s) once a
+        // vault is actually created. Until then, emitting a `vaults[]` row here
+        // makes the management page show a `default` vault that doesn't exist —
+        // it vanishes the moment a real vault registers. Keep the `services`
+        // entry (so the SPA knows the module IS installed and offers "New
+        // vault" rather than "Install module"), but suppress the vault row so
+        // the list honestly reads "No vaults yet."
+        if (s.version === SEED_VERSION) continue;
         const managementUrl = opts.managementUrlFor?.(s);
         const entry: WellKnownVaultEntry = {
           name: vaultInstanceNameFor(s.name, path),

package/web/ui/dist/assets/{index-mz8XcVPP.css → index-BYYUeLGA.css}

@@ -1 +1 @@
-:root{--bg: #faf8f4;--bg-soft: #f3f0ea;--fg: #2c2a26;--fg-muted: #6b6860;--fg-dim: #9a9690;--accent: #4a7c59;--accent-soft: rgba(74, 124, 89, .08);--accent-hover: #3d6849;--border: #e4e0d8;--border-light: #ece9e2;--card-bg: #ffffff;--error: #a3392b;--error-soft: rgba(163, 57, 43, .08);--warn: #b08023;--warn-soft: rgba(176, 128, 35, .08);--success: #3d6849;--success-soft: rgba(61, 104, 73, .08);--font-serif: Georgia, "Times New Roman", serif;--font-sans: -apple-system, BlinkMacSystemFont, "Segoe UI", system-ui, sans-serif;--font-mono: ui-monospace, "SF Mono", Menlo, Monaco, "Cascadia Mono", monospace;font-family:var(--font-sans)}*{box-sizing:border-box}html,body{margin:0;padding:0;background:var(--bg);color:var(--fg)}a{color:var(--accent);text-decoration:none}a:hover{text-decoration:underline}button{font:inherit;background:var(--accent);color:#fff;border:0;border-radius:6px;padding:.55rem 1.1rem;cursor:pointer;transition:background .15s ease}button:hover{background:var(--accent-hover)}button:disabled{opacity:.5;cursor:not-allowed}button.secondary{background:#fff;color:var(--fg);border:1px solid var(--border)}button.secondary:hover{background:var(--bg-soft)}input,select,textarea{font:inherit;background:#fff;border:1px solid var(--border);border-radius:6px;padding:.55rem .75rem;color:var(--fg)}input:focus,select:focus,textarea:focus{outline:none;border-color:var(--accent)}code{font-family:var(--font-mono);font-size:.85em;background:var(--bg-soft);padding:.1em .3em;border-radius:3px}.page{max-width:880px;margin:0 auto;padding:1.5rem 1.5rem 6rem}.nav{display:flex;flex-wrap:wrap;gap:.6rem 1rem;align-items:center;padding-bottom:1rem;border-bottom:1px solid var(--border);margin-bottom:2rem}.nav .brand{font-weight:600;font-family:var(--font-serif);font-size:1.15rem;margin-right:auto;display:inline-flex;align-items:center;gap:.45rem;color:var(--accent);text-decoration:none}.nav .brand:hover{color:var(--accent-hover);text-decoration:none}.nav .brand-mark-icon{flex-shrink:0;line-height:0}.nav .brand-wordmark{color:var(--fg);letter-spacing:-.005em}.nav .brand .sub{color:var(--fg-dim);font-size:.78rem;font-weight:400;margin-left:.4rem;font-family:var(--font-sans)}.nav a{color:var(--fg-muted);font-size:.95rem}.nav a:hover{text-decoration:none;color:var(--fg)}.nav a.nav-link-active{color:var(--accent);font-weight:500;text-decoration:underline;text-underline-offset:.3em;text-decoration-thickness:2px}.nav .nav-divider{display:inline-block;width:1px;height:1.1em;background:var(--border);align-self:center}.nav .nav-dropdown{position:relative}.nav .nav-dropdown-summary{list-style:none;cursor:pointer;color:var(--fg-muted);font-size:.95rem;-webkit-user-select:none;user-select:none}.nav .nav-dropdown-summary::-webkit-details-marker{display:none}.nav .nav-dropdown-summary:hover{color:var(--fg)}.nav .nav-dropdown[open]>.nav-dropdown-summary{color:var(--fg)}.nav .nav-dropdown-summary:after{content:" ▾";font-size:.7em;color:var(--fg-dim)}.nav .nav-dropdown-panel{position:absolute;top:calc(100% + .4rem);left:0;z-index:10;min-width:12rem;background:var(--card-bg);border:1px solid var(--border);border-radius:8px;box-shadow:0 4px 12px #00000014;padding:.4rem 0;display:flex;flex-direction:column}.nav .nav-dropdown-item{padding:.4rem .85rem;color:var(--fg);font-size:.9rem;text-decoration:none}.nav .nav-dropdown-item:hover{background:var(--bg-soft);color:var(--fg);text-decoration:none}.nav .nav-dropdown-item-disabled{color:var(--fg-dim);cursor:not-allowed}.nav .nav-dropdown-item-disabled:hover{background:transparent;color:var(--fg-dim)}.nav .auth-spa{font-size:.85rem;color:var(--fg-muted)}.nav .auth-spa strong{font-weight:600;color:var(--fg)}.nav .auth-spa-signout{background:none;border:none;padding:0;color:var(--accent);font:inherit;cursor:pointer;text-decoration:underline;text-decoration-thickness:1px;text-underline-offset:2px}.nav .auth-spa-signout:hover:not(:disabled){color:var(--accent-hover)}.nav .auth-spa-signout:disabled{color:var(--fg-dim);cursor:not-allowed}h1{margin:0 0 .5rem;font-family:var(--font-serif);font-size:1.85rem;font-weight:400;letter-spacing:-.01em;line-height:1.2;color:var(--fg)}h2{margin:0 0 1rem;font-size:1.4rem;font-weight:500}.muted{color:var(--fg-muted);font-size:.92rem}.dim{color:var(--fg-dim);font-size:.85rem}.error-banner{background:var(--error-soft);border:1px solid var(--error);color:var(--error);padding:.75rem 1rem;border-radius:8px;margin-bottom:1rem;font-size:.9rem}.warn-banner{background:var(--warn-soft);border:1px solid var(--warn);color:var(--warn);padding:.75rem 1rem;border-radius:8px;margin-bottom:1rem;font-size:.9rem}.empty{padding:3rem 1.5rem;text-align:center;color:var(--fg-muted);background:var(--bg-soft);border-radius:10px}@keyframes pc-loading-pulse{0%,to{opacity:.55}50%{opacity:1}}[data-loading=true]{animation:pc-loading-pulse 1.4s ease-in-out infinite}.user-table tbody tr,.tokens-table tbody tr{transition:background-color .12s ease}.user-table tbody tr:hover,.tokens-table tbody tr:hover{background:var(--bg-soft)}@keyframes pc-route-fade-up{0%{opacity:0;transform:translateY(6px)}to{opacity:1;transform:translateY(0)}}[data-route-content]{animation:pc-route-fade-up .32s ease forwards}@media(prefers-reduced-motion:reduce){[data-loading=true],[data-route-content]{animation:none}}.table-scroll{overflow-x:auto;-webkit-overflow-scrolling:touch;background:linear-gradient(to right,var(--card-bg),var(--card-bg)) left center / 20px 100% no-repeat,linear-gradient(to right,#2c2a2614,#2c2a2600) left center / 8px 100% no-repeat,linear-gradient(to left,var(--card-bg),var(--card-bg)) right center / 20px 100% no-repeat,linear-gradient(to left,#2c2a2614,#2c2a2600) right center / 8px 100% no-repeat;background-attachment:local,scroll,local,scroll}.table-scroll>table{min-width:100%}.empty-rich{text-align:left;padding:2rem 1.75rem;background:#fff;border:1px solid var(--border)}.empty-rich .empty-headline{font-size:1.05rem;color:var(--fg);margin:0 0 .5rem;font-weight:500}.list-header{display:flex;align-items:baseline;justify-content:space-between;gap:1rem;margin-bottom:1rem}.list-header h1,.list-header h2{margin:0}.tag{display:inline-block;padding:.1em .55em;background:var(--accent-soft);color:var(--accent);border-radius:4px;font-size:.78rem;font-weight:500}.tag.muted{background:var(--bg-soft);color:var(--fg-muted)}.tag.source-oauth{background:#4a7cc61f;color:#3b6aa6}.tag.source-operator{background:#c6984a24;color:#8a5e1f}.tag.source-cli{background:#4a7c5924;color:#2f5a3f}.tag.source-unknown{background:var(--bg-soft);color:var(--fg-muted)}@media(prefers-color-scheme:dark){.tag.source-oauth{background:#7a9cdc24;color:#9bb6d8}.tag.source-operator{background:#dcb46e24;color:#d4b27a}.tag.source-cli{background:#7ab08a24;color:#8fc49e}.tag.source-unknown{background:#e8e4dc0f;color:#a8a49a}}.vault-row{display:flex;align-items:center;gap:1rem;padding:.85rem 1rem;background:#fff;border:1px solid var(--border);border-radius:8px;margin-bottom:.5rem;text-decoration:none;color:inherit;transition:border-color .15s ease}.vault-row:hover{border-color:var(--accent);text-decoration:none}.vault-row .body{flex:1;min-width:0}.vault-row .name{display:flex;align-items:center;gap:.5rem;flex-wrap:wrap}.vault-row .name code{font-size:.95em}.vault-row .url{margin-top:.25rem;word-break:break-all}.vault-row .chev{color:var(--fg-dim);font-size:1.2rem}.vault-row-group{margin-bottom:.5rem}.vault-row-group .vault-row{margin-bottom:0}.vault-row-actions{display:flex;gap:.5rem;align-items:center;flex-shrink:0}.mcp-connect-card{background:var(--bg-soft);border:1px solid var(--border);border-radius:8px;padding:1.1rem 1.25rem;margin:0 0 .5rem}.mcp-connect-card-embedded{background:#fff;margin-bottom:0}.mcp-connect-card h3{margin:0 0 .4rem;font-size:1rem}.mcp-connect-card>p{margin-top:0}.mcp-connect-card .token-box{display:flex;align-items:center;gap:.5rem;margin:.35rem 0 .25rem}.mcp-connect-card .token-box code{flex:1;font-size:.85rem;padding:.55rem .7rem;background:#fff;border:1px solid var(--border);border-radius:6px;word-break:break-all;-webkit-user-select:all;user-select:all}.mcp-field{margin-top:.9rem}.mcp-field-label{display:block;font-size:.82rem;font-weight:600;color:var(--fg-muted)}.mcp-field .dim{margin:.3rem 0 0}.mcp-token-path{margin-top:1rem;border-top:1px solid var(--border);padding-top:.75rem}.mcp-token-path>summary{cursor:pointer;font-size:.9rem;color:var(--fg-muted)}.mcp-token-path>summary:hover{color:var(--accent)}.mcp-token-path .mint-banner{margin-top:.75rem;margin-bottom:0}.mcp-docs-link{margin:.9rem 0 0}form .row{margin-bottom:1rem}form label{display:block;font-size:.9rem;color:var(--fg-muted);margin-bottom:.3rem;font-weight:500}form input[type=text]{width:100%}form .actions{display:flex;gap:.6rem;align-items:center;margin-top:1rem}form .field-hint{margin-top:.35rem;font-size:.82rem;color:var(--fg-dim)}form .field-error{margin-top:.35rem;font-size:.85rem;color:var(--error)}.section{background:#fff;border:1px solid var(--border);border-radius:10px;padding:1.25rem 1.5rem;margin-bottom:1.5rem}.mint-banner{background:var(--success-soft);border:1px solid var(--success);border-radius:10px;padding:1.25rem 1.5rem;margin-bottom:1.5rem}.mint-banner h3{margin:0 0 .5rem;font-size:1rem;color:var(--success)}.mint-banner .token-box{display:flex;align-items:center;gap:.5rem;margin:.85rem 0 .5rem}.mint-banner code{flex:1;font-size:.9rem;padding:.6rem .75rem;background:#fff;border:1px solid var(--border);word-break:break-all;-webkit-user-select:all;user-select:all}.mint-banner .warn{margin:.75rem 0 0;font-size:.85rem;color:var(--warn)}.mint-banner .actions{margin-top:1rem;display:flex;gap:.5rem}.kv{display:grid;grid-template-columns:8.5rem 1fr;gap:.5rem 1rem;font-size:.92rem}.kv>div:nth-child(odd){color:var(--fg-muted)}.kv code{word-break:break-all}.channel-toggle{margin:1.25rem 0 1.5rem;padding:.75rem 1rem;border:1px solid var(--border, #ddd);border-radius:6px;background:var(--bg-soft, #fafafa)}.channel-toggle legend{padding:0 .25rem;font-weight:600;font-size:.95rem}.channel-toggle label{display:inline-flex;align-items:center;gap:.4rem;margin-right:1.5rem;cursor:pointer;font-size:.95rem}.channel-toggle label input[type=radio]:disabled+*{opacity:.5}.channel-toggle code{font-size:.85em}.channel-toggle p.muted{margin:.4rem 0 0;font-size:.85rem}.module-config{display:flex;flex-direction:column;gap:1.25rem}.module-config-header h1{margin-bottom:.35rem}.module-config-form fieldset{border:0;padding:0;margin:0;display:flex;flex-direction:column;gap:1rem}.module-config-form .field{display:flex;flex-direction:column;gap:.25rem}.module-config-form .field input,.module-config-form .field select,.module-config-form .field textarea{width:100%}.module-config-form .field-inline{flex-direction:row;align-items:center;flex-wrap:wrap;gap:.5rem}.module-config-form .field-inline label{display:inline-flex;align-items:center;gap:.5rem}.module-config-form .field-inline .field-hint{flex-basis:100%;margin-left:1.6rem}.module-config-form .field-invalid input,.module-config-form .field-invalid select,.module-config-form .field-invalid textarea{border-color:var(--error)}.module-config-form .actions{display:flex;gap:.6rem;align-items:center;margin-top:.5rem}.module-config-form .actions button.destructive{background:#fff;color:var(--fg);border:1px solid var(--border)}.module-config-form .actions button.destructive:hover{background:var(--bg-soft)}.module-config-form .banner{margin:0;padding:.75rem 1rem;border-radius:6px;border:1px solid transparent;font-size:.9rem}.module-config-form .banner-success{background:var(--success-soft);border-color:var(--success);color:var(--success)}.module-config-form .banner-success p,.module-config-form .banner-success ul{margin:.4rem 0 0}.module-config-form .banner-error{background:var(--error-soft, rgba(163, 57, 43, .08));border-color:var(--error);color:var(--error)}.modules-installed,.modules-installable{margin-top:1.75rem}.modules-installed>h2,.modules-installable>h2{font-size:1.15rem;font-weight:600;margin:0 0 .75rem;color:var(--fg)}.modules-installed>p.muted,.modules-installable>p.muted{margin:0 0 .5rem}.install-list{list-style:none;padding:0;margin:0;display:flex;flex-direction:column;gap:.6rem}.install-card{display:flex;flex-direction:row;align-items:center;gap:1rem;flex-wrap:wrap;padding:.85rem 1rem;background:#fff;border:1px solid var(--border);border-radius:8px;transition:border-color .15s ease}.install-card:hover{border-color:var(--accent)}.install-card-body{flex:1 1 0;min-width:0}.install-card-body h3{margin:0 0 .2rem;font-size:1rem;font-weight:600;color:var(--fg)}.install-card-body .tagline{margin:0 0 .35rem;color:var(--fg-muted);font-size:.92rem}.install-card-meta{margin:0;font-size:.82rem}.install-card-actions{flex:0 0 auto}.install-card .error{flex-basis:100%;margin-top:.5rem;color:var(--error);font-size:.85rem}.hub-upgrade-card{border-left:3px solid var(--accent);margin-top:1.25rem}.hub-upgrade-card .warn-banner,.hub-upgrade-card .error-banner{flex-basis:100%;margin:.5rem 0 0;font-size:.85rem}.module-row .actions .btn,a.btn{display:inline-block;font:inherit;background:var(--accent);color:#fff;border:0;border-radius:6px;padding:.55rem 1.1rem;cursor:pointer;transition:background .15s ease;text-decoration:none}.module-row .actions .btn:hover,a.btn:hover{background:var(--accent-hover);text-decoration:none}.module-uis{margin:.5rem 0 0;padding:.5rem 0 0;border-top:1px solid var(--border-light)}.module-uis>summary{cursor:pointer;font-size:.88rem;color:var(--fg-muted);font-weight:500;padding:.15rem 0;list-style:revert}.module-uis>summary:hover{color:var(--fg)}.ui-sub-units{list-style:none;padding:0;margin:.5rem 0 0 1.1rem;display:flex;flex-direction:column;gap:.35rem}.ui-sub-unit{display:flex;flex-direction:row;align-items:center;gap:.65rem;padding:.5rem .75rem;background:var(--bg-soft);border:1px solid var(--border-light);border-radius:6px;transition:border-color .15s ease,background .15s ease}.ui-sub-unit:hover{border-color:var(--accent);background:#fff}.ui-icon{flex:0 0 auto;width:20px;height:20px;border-radius:4px;object-fit:contain}.ui-sub-unit-body{flex:1 1 0;min-width:0}.ui-sub-unit-link{color:var(--fg);font-size:.95rem;text-decoration:none}.ui-sub-unit-link:hover{color:var(--accent);text-decoration:underline}.ui-sub-unit-link strong{font-weight:600}.ui-sub-unit .tagline{margin:.2rem 0 0;font-size:.82rem;color:var(--fg-muted)}.status{flex:0 0 auto;display:inline-block;padding:.1em .55em;background:var(--bg-soft);color:var(--fg-muted);border-radius:4px;font-size:.78rem;font-weight:500;white-space:nowrap}.status-active{background:var(--success-soft);color:var(--success)}.status-pending{background:var(--warn-soft);color:var(--warn)}.status-inactive{background:var(--bg-soft);color:var(--fg-dim)}.status-failing{background:var(--error-soft);color:var(--error)}.status-absent{background:var(--bg-soft);color:var(--fg-dim)}.status-pending-oauth{background:var(--warn-soft);color:var(--warn)}.status-disabled{background:var(--bg-soft);color:var(--fg-dim)}.sr-only{position:absolute;width:1px;height:1px;padding:0;margin:-1px;overflow:hidden;clip:rect(0,0,0,0);white-space:nowrap;border:0}.hub-version-badge{margin-top:3rem;padding-top:1rem;border-top:1px solid var(--border-light);display:flex;flex-direction:column;align-items:flex-start;gap:.75rem;color:var(--fg-muted);font-size:.8rem}.hub-version-badge-summary{background:transparent;border:0;padding:0;margin:0;color:var(--fg-muted);font:inherit;cursor:pointer;text-align:left;border-radius:4px}.hub-version-badge-summary:hover{color:var(--fg);background:transparent}.hub-version-badge-summary strong{color:var(--fg);font-weight:600}.hub-version-badge-source{font-variant:small-caps;letter-spacing:.04em}.hub-version-badge-panel{background:var(--card-bg);border:1px solid var(--border);border-radius:8px;padding:.85rem 1rem;font-size:.85rem;color:var(--fg);width:100%;max-width:28rem}.hub-version-badge-panel dl{margin:0 0 .75rem;display:grid;grid-template-columns:max-content 1fr;gap:.3rem .85rem}.hub-version-badge-panel dt{color:var(--fg-muted);font-size:.78rem;text-transform:uppercase;letter-spacing:.06em;padding-top:.1rem}.hub-version-badge-panel dd{margin:0;color:var(--fg);word-break:break-all}.hub-version-badge-refresh{font-size:.8rem;padding:.35rem .85rem}.depcard-wrap{margin-top:.6rem}.depcard{border:1px solid var(--warn);background:var(--warn-soft);border-radius:8px;padding:.9rem 1rem}.depcard-heading{margin:0 0 .25rem;font-size:1rem}.depcard-why{margin:0 0 .75rem;font-size:.9rem}.depcard-installs-label{margin:0 0 .4rem;font-size:.85rem;font-weight:600}.depcard-install{margin-bottom:.55rem}.depcard-install.preferred .depcard-os{color:var(--accent);font-weight:600}.depcard-os{display:block;font-size:.78rem;text-transform:uppercase;letter-spacing:.05em;color:var(--fg-muted);margin-bottom:.2rem}.depcard-cmd{display:flex;align-items:stretch;gap:.4rem}.depcard-cmd-text{flex:1;margin:0;padding:.45rem .6rem;background:var(--card-bg, #fff);border:1px solid var(--border);border-radius:6px;font-size:.82rem;white-space:pre-wrap;overflow-x:auto}.depcard-copy{flex:0 0 auto;font-size:.8rem;padding:.35rem .7rem;align-self:flex-start}.depcard-docs{margin:.5rem 0 .4rem;font-size:.88rem}.depcard-hint{margin:0;font-size:.82rem}.depcard-fallback{color:var(--error);font-size:.9rem}
+:root{--bg: #faf8f4;--bg-soft: #f3f0ea;--fg: #2c2a26;--fg-muted: #6b6860;--fg-dim: #9a9690;--accent: #4a7c59;--accent-soft: rgba(74, 124, 89, .08);--accent-hover: #3d6849;--border: #e4e0d8;--border-light: #ece9e2;--card-bg: #ffffff;--error: #a3392b;--error-soft: rgba(163, 57, 43, .08);--warn: #b08023;--warn-soft: rgba(176, 128, 35, .08);--success: #3d6849;--success-soft: rgba(61, 104, 73, .08);--font-serif: Georgia, "Times New Roman", serif;--font-sans: -apple-system, BlinkMacSystemFont, "Segoe UI", system-ui, sans-serif;--font-mono: ui-monospace, "SF Mono", Menlo, Monaco, "Cascadia Mono", monospace;font-family:var(--font-sans)}*{box-sizing:border-box}html,body{margin:0;padding:0;background:var(--bg);color:var(--fg)}a{color:var(--accent);text-decoration:none}a:hover{text-decoration:underline}button{font:inherit;background:var(--accent);color:#fff;border:0;border-radius:6px;padding:.55rem 1.1rem;cursor:pointer;transition:background .15s ease}button:hover{background:var(--accent-hover)}button:disabled{opacity:.5;cursor:not-allowed}button.secondary{background:#fff;color:var(--fg);border:1px solid var(--border)}button.secondary:hover{background:var(--bg-soft)}input,select,textarea{font:inherit;background:#fff;border:1px solid var(--border);border-radius:6px;padding:.55rem .75rem;color:var(--fg)}input:focus,select:focus,textarea:focus{outline:none;border-color:var(--accent)}code{font-family:var(--font-mono);font-size:.85em;background:var(--bg-soft);padding:.1em .3em;border-radius:3px}.page{max-width:880px;margin:0 auto;padding:1.5rem 1.5rem 6rem}.nav{display:flex;flex-wrap:wrap;gap:.6rem 1rem;align-items:center;padding-bottom:1rem;border-bottom:1px solid var(--border);margin-bottom:2rem}.nav .brand{font-weight:600;font-family:var(--font-serif);font-size:1.15rem;margin-right:auto;display:inline-flex;align-items:center;gap:.45rem;color:var(--accent);text-decoration:none}.nav .brand:hover{color:var(--accent-hover);text-decoration:none}.nav .brand-mark-icon{flex-shrink:0;line-height:0}.nav .brand-wordmark{color:var(--fg);letter-spacing:-.005em}.nav .brand .sub{color:var(--fg-dim);font-size:.78rem;font-weight:400;margin-left:.4rem;font-family:var(--font-sans)}.nav a{color:var(--fg-muted);font-size:.95rem}.nav a:hover{text-decoration:none;color:var(--fg)}.nav a.nav-link-active{color:var(--accent);font-weight:500;text-decoration:underline;text-underline-offset:.3em;text-decoration-thickness:2px}.nav .nav-divider{display:inline-block;width:1px;height:1.1em;background:var(--border);align-self:center}.nav .nav-dropdown{position:relative}.nav .nav-dropdown-summary{list-style:none;cursor:pointer;color:var(--fg-muted);font-size:.95rem;-webkit-user-select:none;user-select:none}.nav .nav-dropdown-summary::-webkit-details-marker{display:none}.nav .nav-dropdown-summary:hover{color:var(--fg)}.nav .nav-dropdown[open]>.nav-dropdown-summary{color:var(--fg)}.nav .nav-dropdown-summary:after{content:" ▾";font-size:.7em;color:var(--fg-dim)}.nav .nav-dropdown-panel{position:absolute;top:calc(100% + .4rem);left:0;z-index:10;min-width:12rem;background:var(--card-bg);border:1px solid var(--border);border-radius:8px;box-shadow:0 4px 12px #00000014;padding:.4rem 0;display:flex;flex-direction:column}.nav .nav-dropdown-item{padding:.4rem .85rem;color:var(--fg);font-size:.9rem;text-decoration:none}.nav .nav-dropdown-item:hover{background:var(--bg-soft);color:var(--fg);text-decoration:none}.nav .nav-dropdown-item-disabled{color:var(--fg-dim);cursor:not-allowed}.nav .nav-dropdown-item-disabled:hover{background:transparent;color:var(--fg-dim)}.nav .auth-spa{font-size:.85rem;color:var(--fg-muted)}.nav .auth-spa strong{font-weight:600;color:var(--fg)}.nav .auth-spa-signout{background:none;border:none;padding:0;color:var(--accent);font:inherit;cursor:pointer;text-decoration:underline;text-decoration-thickness:1px;text-underline-offset:2px}.nav .auth-spa-signout:hover:not(:disabled){color:var(--accent-hover)}.nav .auth-spa-signout:disabled{color:var(--fg-dim);cursor:not-allowed}h1{margin:0 0 .5rem;font-family:var(--font-serif);font-size:1.85rem;font-weight:400;letter-spacing:-.01em;line-height:1.2;color:var(--fg)}h2{margin:0 0 1rem;font-size:1.4rem;font-weight:500}.muted{color:var(--fg-muted);font-size:.92rem}.dim{color:var(--fg-dim);font-size:.85rem}.error-banner{background:var(--error-soft);border:1px solid var(--error);color:var(--error);padding:.75rem 1rem;border-radius:8px;margin-bottom:1rem;font-size:.9rem}.warn-banner{background:var(--warn-soft);border:1px solid var(--warn);color:var(--warn);padding:.75rem 1rem;border-radius:8px;margin-bottom:1rem;font-size:.9rem}.empty{padding:3rem 1.5rem;text-align:center;color:var(--fg-muted);background:var(--bg-soft);border-radius:10px}@keyframes pc-loading-pulse{0%,to{opacity:.55}50%{opacity:1}}[data-loading=true]{animation:pc-loading-pulse 1.4s ease-in-out infinite}.user-table tbody tr,.tokens-table tbody tr{transition:background-color .12s ease}.user-table tbody tr:hover,.tokens-table tbody tr:hover{background:var(--bg-soft)}@keyframes pc-route-fade-up{0%{opacity:0;transform:translateY(6px)}to{opacity:1;transform:translateY(0)}}[data-route-content]{animation:pc-route-fade-up .32s ease forwards}@media(prefers-reduced-motion:reduce){[data-loading=true],[data-route-content]{animation:none}}.table-scroll{overflow-x:auto;-webkit-overflow-scrolling:touch;background:linear-gradient(to right,var(--card-bg),var(--card-bg)) left center / 20px 100% no-repeat,linear-gradient(to right,#2c2a2614,#2c2a2600) left center / 8px 100% no-repeat,linear-gradient(to left,var(--card-bg),var(--card-bg)) right center / 20px 100% no-repeat,linear-gradient(to left,#2c2a2614,#2c2a2600) right center / 8px 100% no-repeat;background-attachment:local,scroll,local,scroll}.table-scroll>table{min-width:100%}.empty-rich{text-align:left;padding:2rem 1.75rem;background:#fff;border:1px solid var(--border)}.empty-rich .empty-headline{font-size:1.05rem;color:var(--fg);margin:0 0 .5rem;font-weight:500}.list-header{display:flex;align-items:baseline;justify-content:space-between;gap:1rem;margin-bottom:1rem}.list-header h1,.list-header h2{margin:0}.tag{display:inline-block;padding:.1em .55em;background:var(--accent-soft);color:var(--accent);border-radius:4px;font-size:.78rem;font-weight:500}.tag.muted{background:var(--bg-soft);color:var(--fg-muted)}.tag.source-oauth{background:#4a7cc61f;color:#3b6aa6}.tag.source-operator{background:#c6984a24;color:#8a5e1f}.tag.source-cli{background:#4a7c5924;color:#2f5a3f}.tag.source-unknown{background:var(--bg-soft);color:var(--fg-muted)}@media(prefers-color-scheme:dark){.tag.source-oauth{background:#7a9cdc24;color:#9bb6d8}.tag.source-operator{background:#dcb46e24;color:#d4b27a}.tag.source-cli{background:#7ab08a24;color:#8fc49e}.tag.source-unknown{background:#e8e4dc0f;color:#a8a49a}}.vault-row{display:flex;align-items:center;gap:1rem;padding:.85rem 1rem;background:#fff;border:1px solid var(--border);border-radius:8px;margin-bottom:.5rem;text-decoration:none;color:inherit;transition:border-color .15s ease}.vault-row:hover{border-color:var(--accent);text-decoration:none}.vault-row .body{flex:1;min-width:0}.vault-row .name{display:flex;align-items:center;gap:.5rem;flex-wrap:wrap}.vault-row .name code{font-size:.95em}.vault-row .url{margin-top:.25rem;word-break:break-all}.vault-row .chev{color:var(--fg-dim);font-size:1.2rem}.vault-row-group{margin-bottom:.5rem}.vault-row-group .vault-row{margin-bottom:0}.vault-row-actions{display:flex;gap:.5rem;align-items:center;flex-shrink:0}.mcp-connect-card{background:var(--bg-soft);border:1px solid var(--border);border-radius:8px;padding:1.1rem 1.25rem;margin:0 0 .5rem}.mcp-connect-card-embedded{background:#fff;margin-bottom:0}.mcp-connect-card h3{margin:0 0 .4rem;font-size:1rem}.mcp-connect-card>p{margin-top:0}.mcp-connect-card .token-box{display:flex;align-items:center;gap:.5rem;margin:.35rem 0 .25rem}.mcp-connect-card .token-box code{flex:1;font-size:.85rem;padding:.55rem .7rem;background:#fff;border:1px solid var(--border);border-radius:6px;word-break:break-all;-webkit-user-select:all;user-select:all}.mcp-field{margin-top:.9rem}.mcp-field-label{display:block;font-size:.82rem;font-weight:600;color:var(--fg-muted)}.mcp-field .dim{margin:.3rem 0 0}.mcp-token-path{margin-top:1rem;border-top:1px solid var(--border);padding-top:.75rem}.mcp-token-path>summary{cursor:pointer;font-size:.9rem;color:var(--fg-muted)}.mcp-token-path>summary:hover{color:var(--accent)}.mcp-token-path .mint-banner{margin-top:.75rem;margin-bottom:0}.mcp-docs-link{margin:.9rem 0 0}form .row{margin-bottom:1rem}form label{display:block;font-size:.9rem;color:var(--fg-muted);margin-bottom:.3rem;font-weight:500}form input[type=text]{width:100%}form .actions{display:flex;gap:.6rem;align-items:center;margin-top:1rem}form .field-hint{margin-top:.35rem;font-size:.82rem;color:var(--fg-dim)}form .field-error{margin-top:.35rem;font-size:.85rem;color:var(--error)}.section{background:#fff;border:1px solid var(--border);border-radius:10px;padding:1.25rem 1.5rem;margin-bottom:1.5rem}.mint-banner{background:var(--success-soft);border:1px solid var(--success);border-radius:10px;padding:1.25rem 1.5rem;margin-bottom:1.5rem}.mint-banner h3{margin:0 0 .5rem;font-size:1rem;color:var(--success)}.mint-banner .token-box{display:flex;align-items:center;gap:.5rem;margin:.85rem 0 .5rem}.mint-banner code{flex:1;font-size:.9rem;padding:.6rem .75rem;background:#fff;border:1px solid var(--border);word-break:break-all;-webkit-user-select:all;user-select:all}.mint-banner .warn{margin:.75rem 0 0;font-size:.85rem;color:var(--warn)}.mint-banner .actions{margin-top:1rem;display:flex;gap:.5rem}.kv{display:grid;grid-template-columns:8.5rem 1fr;gap:.5rem 1rem;font-size:.92rem}.kv>div:nth-child(odd){color:var(--fg-muted)}.kv code{word-break:break-all}.channel-toggle{margin:1.25rem 0 1.5rem;padding:.75rem 1rem;border:1px solid var(--border, #ddd);border-radius:6px;background:var(--bg-soft, #fafafa)}.channel-toggle legend{padding:0 .25rem;font-weight:600;font-size:.95rem}.channel-toggle label{display:inline-flex;align-items:center;gap:.4rem;margin-right:1.5rem;cursor:pointer;font-size:.95rem}.channel-toggle label input[type=radio]:disabled+*{opacity:.5}.channel-toggle code{font-size:.85em}.channel-toggle p.muted{margin:.4rem 0 0;font-size:.85rem}.module-config{display:flex;flex-direction:column;gap:1.25rem}.module-config-header h1{margin-bottom:.35rem}.module-config-form fieldset{border:0;padding:0;margin:0;display:flex;flex-direction:column;gap:1rem}.module-config-form .field{display:flex;flex-direction:column;gap:.25rem}.module-config-form .field input,.module-config-form .field select,.module-config-form .field textarea{width:100%}.module-config-form .field-inline{flex-direction:row;align-items:center;flex-wrap:wrap;gap:.5rem}.module-config-form .field-inline label{display:inline-flex;align-items:center;gap:.5rem}.module-config-form .field-inline .field-hint{flex-basis:100%;margin-left:1.6rem}.module-config-form .field-invalid input,.module-config-form .field-invalid select,.module-config-form .field-invalid textarea{border-color:var(--error)}.module-config-form .actions{display:flex;gap:.6rem;align-items:center;margin-top:.5rem}.module-config-form .actions button.destructive{background:#fff;color:var(--fg);border:1px solid var(--border)}.module-config-form .actions button.destructive:hover{background:var(--bg-soft)}.module-config-form .banner{margin:0;padding:.75rem 1rem;border-radius:6px;border:1px solid transparent;font-size:.9rem}.module-config-form .banner-success{background:var(--success-soft);border-color:var(--success);color:var(--success)}.module-config-form .banner-success p,.module-config-form .banner-success ul{margin:.4rem 0 0}.module-config-form .banner-error{background:var(--error-soft, rgba(163, 57, 43, .08));border-color:var(--error);color:var(--error)}.modules-installed,.modules-installable{margin-top:1.75rem}.modules-installed>h2,.modules-installable>h2{font-size:1.15rem;font-weight:600;margin:0 0 .75rem;color:var(--fg)}.modules-installed>p.muted,.modules-installable>p.muted{margin:0 0 .5rem}.install-list{list-style:none;padding:0;margin:0;display:flex;flex-direction:column;gap:.6rem}.install-card{display:flex;flex-direction:row;align-items:center;gap:1rem;flex-wrap:wrap;padding:.85rem 1rem;background:#fff;border:1px solid var(--border);border-radius:8px;transition:border-color .15s ease}.install-card:hover{border-color:var(--accent)}.install-card-body{flex:1 1 0;min-width:0}.install-card-body h3{margin:0 0 .2rem;font-size:1rem;font-weight:600;color:var(--fg)}.install-card-body .tagline{margin:0 0 .35rem;color:var(--fg-muted);font-size:.92rem}.install-card-meta{margin:0;font-size:.82rem}.install-card-actions{flex:0 0 auto}.install-card .error{flex-basis:100%;margin-top:.5rem;color:var(--error);font-size:.85rem}.hub-upgrade-card{border-left:3px solid var(--accent);margin-top:1.25rem}.hub-upgrade-card .warn-banner,.hub-upgrade-card .error-banner{flex-basis:100%;margin:.5rem 0 0;font-size:.85rem}.module-row .actions .btn,a.btn{display:inline-block;font:inherit;background:var(--accent);color:#fff;border:0;border-radius:6px;padding:.55rem 1.1rem;cursor:pointer;transition:background .15s ease;text-decoration:none}.module-row .actions .btn:hover,a.btn:hover{background:var(--accent-hover);text-decoration:none}.module-uis{margin:.5rem 0 0;padding:.5rem 0 0;border-top:1px solid var(--border-light)}.module-uis>summary{cursor:pointer;font-size:.88rem;color:var(--fg-muted);font-weight:500;padding:.15rem 0;list-style:revert}.module-uis>summary:hover{color:var(--fg)}.ui-sub-units{list-style:none;padding:0;margin:.5rem 0 0 1.1rem;display:flex;flex-direction:column;gap:.35rem}.ui-sub-unit{display:flex;flex-direction:row;align-items:center;gap:.65rem;padding:.5rem .75rem;background:var(--bg-soft);border:1px solid var(--border-light);border-radius:6px;transition:border-color .15s ease,background .15s ease}.ui-sub-unit:hover{border-color:var(--accent);background:#fff}.ui-icon{flex:0 0 auto;width:20px;height:20px;border-radius:4px;object-fit:contain}.ui-sub-unit-body{flex:1 1 0;min-width:0}.ui-sub-unit-link{color:var(--fg);font-size:.95rem;text-decoration:none}.ui-sub-unit-link:hover{color:var(--accent);text-decoration:underline}.ui-sub-unit-link strong{font-weight:600}.ui-sub-unit .tagline{margin:.2rem 0 0;font-size:.82rem;color:var(--fg-muted)}.status{flex:0 0 auto;display:inline-block;padding:.1em .55em;background:var(--bg-soft);color:var(--fg-muted);border-radius:4px;font-size:.78rem;font-weight:500;white-space:nowrap}.status-active{background:var(--success-soft);color:var(--success)}.status-pending{background:var(--warn-soft);color:var(--warn)}.status-inactive{background:var(--bg-soft);color:var(--fg-dim)}.status-failing{background:var(--error-soft);color:var(--error)}.status-absent{background:var(--bg-soft);color:var(--fg-dim)}.status-redeemed{background:var(--success-soft);color:var(--success)}.status-expired,.status-revoked{background:var(--bg-soft);color:var(--fg-dim)}.status-pending-oauth{background:var(--warn-soft);color:var(--warn)}.status-disabled{background:var(--bg-soft);color:var(--fg-dim)}.sr-only{position:absolute;width:1px;height:1px;padding:0;margin:-1px;overflow:hidden;clip:rect(0,0,0,0);white-space:nowrap;border:0}.hub-version-badge{margin-top:3rem;padding-top:1rem;border-top:1px solid var(--border-light);display:flex;flex-direction:column;align-items:flex-start;gap:.75rem;color:var(--fg-muted);font-size:.8rem}.hub-version-badge-summary{background:transparent;border:0;padding:0;margin:0;color:var(--fg-muted);font:inherit;cursor:pointer;text-align:left;border-radius:4px}.hub-version-badge-summary:hover{color:var(--fg);background:transparent}.hub-version-badge-summary strong{color:var(--fg);font-weight:600}.hub-version-badge-source{font-variant:small-caps;letter-spacing:.04em}.hub-version-badge-panel{background:var(--card-bg);border:1px solid var(--border);border-radius:8px;padding:.85rem 1rem;font-size:.85rem;color:var(--fg);width:100%;max-width:28rem}.hub-version-badge-panel dl{margin:0 0 .75rem;display:grid;grid-template-columns:max-content 1fr;gap:.3rem .85rem}.hub-version-badge-panel dt{color:var(--fg-muted);font-size:.78rem;text-transform:uppercase;letter-spacing:.06em;padding-top:.1rem}.hub-version-badge-panel dd{margin:0;color:var(--fg);word-break:break-all}.hub-version-badge-refresh{font-size:.8rem;padding:.35rem .85rem}.depcard-wrap{margin-top:.6rem}.depcard{border:1px solid var(--warn);background:var(--warn-soft);border-radius:8px;padding:.9rem 1rem}.depcard-heading{margin:0 0 .25rem;font-size:1rem}.depcard-why{margin:0 0 .75rem;font-size:.9rem}.depcard-installs-label{margin:0 0 .4rem;font-size:.85rem;font-weight:600}.depcard-install{margin-bottom:.55rem}.depcard-install.preferred .depcard-os{color:var(--accent);font-weight:600}.depcard-os{display:block;font-size:.78rem;text-transform:uppercase;letter-spacing:.05em;color:var(--fg-muted);margin-bottom:.2rem}.depcard-cmd{display:flex;align-items:stretch;gap:.4rem}.depcard-cmd-text{flex:1;margin:0;padding:.45rem .6rem;background:var(--card-bg, #fff);border:1px solid var(--border);border-radius:6px;font-size:.82rem;white-space:pre-wrap;overflow-x:auto}.depcard-copy{flex:0 0 auto;font-size:.8rem;padding:.35rem .7rem;align-self:flex-start}.depcard-docs{margin:.5rem 0 .4rem;font-size:.88rem}.depcard-hint{margin:0;font-size:.82rem}.depcard-fallback{color:var(--error);font-size:.9rem}