@openparachute/hub 0.6.3 → 0.6.4-rc.10

package/src/__tests__/api-mint-token.test.ts

@@ -317,6 +317,32 @@ describe("POST /api/auth/mint-token (hub#212 Phase 1)", () => {
     }
   });
 
+  // Item C — case-insensitive non-requestable guard. An uppercase casing of a
+  // host-level scope must NOT bypass the non-requestable membership check (which
+  // was exact-string before). `PARACHUTE:HOST:AUTH` is now correctly rejected.
+  test("400 invalid_scope when minting an uppercase host scope (item C)", async () => {
+    const h = makeHarness();
+    try {
+      const { db, userId } = await bootstrap(h.dir);
+      try {
+        const op = await mintOperatorToken(db, userId, { issuer: ISSUER });
+        for (const variant of ["PARACHUTE:HOST:AUTH", "Parachute:Host:Admin"]) {
+          const resp = await handleApiMintToken(
+            jsonRequest({ scope: variant }, { authorization: `Bearer ${op.token}` }),
+            { db, issuer: ISSUER },
+          );
+          expect(resp.status).toBe(400);
+          const body = (await resp.json()) as { error: string };
+          expect(body.error).toBe("invalid_scope");
+        }
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
   test("400 invalid_scope when multi-scope includes a non-requestable", async () => {
     const h = makeHarness();
     try {
@@ -416,13 +442,13 @@ describe("POST /api/auth/mint-token (hub#212 Phase 1)", () => {
     }
   });
 
-  // A bare `vault:admin` (no vault name) is NOT a per-vault admin scope —
-  // the de-escalation exception only covers `vault:<name>:admin`. It isn't
-  // in the non-requestable set either, so it's treated as an ordinary
-  // (unnamed) scope and mints — but with the `vault` fallback audience, not
-  // a per-vault one. Pinned so a future regex loosening can't silently let
-  // an unnamed admin through the named-vault exemption.
-  test("bare vault:admin (no name) is not caught by the de-escalation exemption", async () => {
+  // Item B / hub#451 — bare `vault:admin` (no vault name) is NOT mintable on
+  // the headless path. The unnamed broad-admin form has no resource pin; the
+  // mint endpoint refuses it with 400 `invalid_scope` (even for a full host:admin
+  // operator). The legitimate path for a vault admin token is a resource-narrowed
+  // `vault:<name>:admin`. The OAuth flow still accepts bare `vault:admin` and
+  // narrows it via the picker — that path is unaffected (see oauth-handlers).
+  test("bare vault:admin (no name) → 400 (non-requestable headlessly, item B / #451)", async () => {
     const h = makeHarness();
     try {
       const { db, userId } = await bootstrap(h.dir);
@@ -432,9 +458,31 @@ describe("POST /api/auth/mint-token (hub#212 Phase 1)", () => {
           jsonRequest({ scope: "vault:admin" }, { authorization: `Bearer ${op.token}` }),
           { db, issuer: ISSUER },
         );
-        // `vault:admin` isn't a per-vault admin scope and isn't in the
-        // non-requestable set, so it mints as an ordinary scope. The point
-        // of this test is that it does NOT get a per-vault audience/pin.
+        expect(resp.status).toBe(400);
+        const body = (await resp.json()) as { error: string; error_description: string };
+        expect(body.error).toBe("invalid_scope");
+        expect(body.error_description).toContain("vault:admin");
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  // Item B does NOT touch unnamed vault:read / vault:write — those carry no
+  // admin authority and remain mintable (regression guard for the narrow scope
+  // of the bare-admin block).
+  test("bare vault:read still mints headlessly (item B is admin-only)", async () => {
+    const h = makeHarness();
+    try {
+      const { db, userId } = await bootstrap(h.dir);
+      try {
+        const op = await mintOperatorToken(db, userId, { issuer: ISSUER });
+        const resp = await handleApiMintToken(
+          jsonRequest({ scope: "vault:read" }, { authorization: `Bearer ${op.token}` }),
+          { db, issuer: ISSUER },
+        );
         expect(resp.status).toBe(200);
         const body = (await resp.json()) as { token: string };
         const validated = await validateAccessToken(db, body.token, ISSUER);
@@ -745,6 +793,122 @@ describe("POST /api/auth/mint-token (hub#212 Phase 1)", () => {
         h.cleanup();
       }
     });
+
+    // Item A (subject-pin) — audit-attribution forgery. A non-operator
+    // (vault-admin-only) bearer may NOT override the minted token's `sub`:
+    // forging a foreign subject would mis-attribute the registry + revocation
+    // rows. It may still mint under its OWN sub (subject omitted / equal).
+    test("subject override by non-operator bearer → 403 (forgery blocked)", async () => {
+      const h = makeHarness();
+      try {
+        const { db, userId } = await bootstrap(h.dir);
+        try {
+          const bearer = await mintVaultAdminBearer(db, userId, "work");
+          const resp = await handleApiMintToken(
+            jsonRequest(
+              { scope: "vault:work:read", subject: "someone-else" },
+              { authorization: `Bearer ${bearer}` },
+            ),
+            { db, issuer: ISSUER },
+          );
+          expect(resp.status).toBe(403);
+          const body = (await resp.json()) as { error: string; error_description: string };
+          expect(body.error).toBe("insufficient_scope");
+          expect(body.error_description).toContain("non-operator");
+        } finally {
+          db.close();
+        }
+      } finally {
+        h.cleanup();
+      }
+    });
+
+    test("subject equal to own sub by non-operator bearer → 200 (no forgery)", async () => {
+      const h = makeHarness();
+      try {
+        const { db, userId } = await bootstrap(h.dir);
+        try {
+          const bearer = await mintVaultAdminBearer(db, userId, "work");
+          const resp = await handleApiMintToken(
+            jsonRequest(
+              { scope: "vault:work:read", subject: userId },
+              { authorization: `Bearer ${bearer}` },
+            ),
+            { db, issuer: ISSUER },
+          );
+          expect(resp.status).toBe(200);
+          const body = (await resp.json()) as { jti: string };
+          const row = db
+            .query<{ subject: string }, [string]>("SELECT subject FROM tokens WHERE jti = ?")
+            .get(body.jti);
+          expect(row?.subject).toBe(userId);
+        } finally {
+          db.close();
+        }
+      } finally {
+        h.cleanup();
+      }
+    });
+  });
+
+  // Item A (subject-pin) — the operator carve-out: a host operator
+  // (parachute:host:auth / parachute:host:admin) MAY override `sub` to stamp a
+  // service-account subject. This is the documented service-account override
+  // that the non-operator pin above must NOT break.
+  describe("subject override — operator carve-out (item A)", () => {
+    test("host:auth operator overrides subject → 200, registry row carries override", async () => {
+      const h = makeHarness();
+      try {
+        const { db, userId } = await bootstrap(h.dir);
+        try {
+          const op = await mintOperatorToken(db, userId, { issuer: ISSUER, scopeSet: "auth" });
+          const resp = await handleApiMintToken(
+            jsonRequest(
+              { scope: "vault:work:read", subject: "svc-account" },
+              { authorization: `Bearer ${op.token}` },
+            ),
+            { db, issuer: ISSUER },
+          );
+          expect(resp.status).toBe(200);
+          const body = (await resp.json()) as { jti: string; token: string };
+          const validated = await validateAccessToken(db, body.token, ISSUER);
+          expect(validated.payload.sub).toBe("svc-account");
+          const row = db
+            .query<{ subject: string }, [string]>("SELECT subject FROM tokens WHERE jti = ?")
+            .get(body.jti);
+          expect(row?.subject).toBe("svc-account");
+        } finally {
+          db.close();
+        }
+      } finally {
+        h.cleanup();
+      }
+    });
+
+    test("host:admin operator overrides subject → 200", async () => {
+      const h = makeHarness();
+      try {
+        const { db, userId } = await bootstrap(h.dir);
+        try {
+          const op = await mintOperatorToken(db, userId, { issuer: ISSUER });
+          const resp = await handleApiMintToken(
+            jsonRequest(
+              { scope: "vault:work:admin", subject: "svc-account" },
+              { authorization: `Bearer ${op.token}` },
+            ),
+            { db, issuer: ISSUER },
+          );
+          expect(resp.status).toBe(200);
+          const body = (await resp.json()) as { token: string };
+          const validated = await validateAccessToken(db, body.token, ISSUER);
+          expect(validated.payload.sub).toBe("svc-account");
+        } finally {
+          db.close();
+        }
+      } finally {
+        h.cleanup();
+      }
+    });
   });
 
   describe("capability attenuation — entry gate + regression", () => {
@@ -1051,6 +1215,91 @@ describe("POST /api/auth/mint-token (hub#212 Phase 1)", () => {
     });
   });
 
+  // Item D / hub#450 — vault-existence check on vault:<name>:admin mints.
+  describe("vault-existence check on vault:<name>:admin (item D / #450)", () => {
+    test("vault:typo:admin for an unknown vault → 400 when knownVaultNames is wired", async () => {
+      const h = makeHarness();
+      try {
+        const { db, userId } = await bootstrap(h.dir);
+        try {
+          const op = await mintOperatorToken(db, userId, { issuer: ISSUER });
+          const resp = await handleApiMintToken(
+            jsonRequest({ scope: "vault:typo:admin" }, { authorization: `Bearer ${op.token}` }),
+            { db, issuer: ISSUER, knownVaultNames: new Set(["work", "default"]) },
+          );
+          expect(resp.status).toBe(400);
+          const body = (await resp.json()) as { error: string; error_description: string };
+          expect(body.error).toBe("invalid_scope");
+          expect(body.error_description).toContain("typo");
+        } finally {
+          db.close();
+        }
+      } finally {
+        h.cleanup();
+      }
+    });
+
+    test("vault:work:admin for a KNOWN vault → 200", async () => {
+      const h = makeHarness();
+      try {
+        const { db, userId } = await bootstrap(h.dir);
+        try {
+          const op = await mintOperatorToken(db, userId, { issuer: ISSUER });
+          const resp = await handleApiMintToken(
+            jsonRequest({ scope: "vault:work:admin" }, { authorization: `Bearer ${op.token}` }),
+            { db, issuer: ISSUER, knownVaultNames: new Set(["work", "default"]) },
+          );
+          expect(resp.status).toBe(200);
+          const body = (await resp.json()) as { scope: string };
+          expect(body.scope).toBe("vault:work:admin");
+        } finally {
+          db.close();
+        }
+      } finally {
+        h.cleanup();
+      }
+    });
+
+    test("read/write for an unknown vault are NOT existence-checked (admin-only gate)", async () => {
+      const h = makeHarness();
+      try {
+        const { db, userId } = await bootstrap(h.dir);
+        try {
+          const op = await mintOperatorToken(db, userId, { issuer: ISSUER });
+          const resp = await handleApiMintToken(
+            jsonRequest({ scope: "vault:typo:read" }, { authorization: `Bearer ${op.token}` }),
+            { db, issuer: ISSUER, knownVaultNames: new Set(["work"]) },
+          );
+          expect(resp.status).toBe(200);
+        } finally {
+          db.close();
+        }
+      } finally {
+        h.cleanup();
+      }
+    });
+
+    test("knownVaultNames omitted → existence check skipped (back-compat)", async () => {
+      const h = makeHarness();
+      try {
+        const { db, userId } = await bootstrap(h.dir);
+        try {
+          const op = await mintOperatorToken(db, userId, { issuer: ISSUER });
+          const resp = await handleApiMintToken(
+            jsonRequest({ scope: "vault:typo:admin" }, { authorization: `Bearer ${op.token}` }),
+            { db, issuer: ISSUER },
+          );
+          // No knownVaultNames → the documented "caller responsible" fallback.
+          expect(resp.status).toBe(200);
+        } finally {
+          db.close();
+        }
+      } finally {
+        h.cleanup();
+      }
+    });
+  });
+
   test("405 on non-POST", async () => {
     const h = makeHarness();
     try {

package/src/__tests__/api-modules-ops.test.ts

@@ -323,6 +323,13 @@ describe("POST /api/modules/:short/install", () => {
     expect(manifest.services.some((s) => s.name === "parachute-vault")).toBe(true);
     // Supervisor was handed the spawn.
     expect(spawns.find((s) => s.short === "vault")?.cmd).toEqual(["parachute-vault", "serve"]);
+    // The install-time spawn path (spawnSupervised) injects the enriched PATH
+    // so a module installed via /admin/modules can find operator tools (scribe's
+    // parakeet-mlx / ffmpeg) — same fix as the serve-boot path, second spawn
+    // site (hub launchd-PATH regression). It must carry the inherited PATH.
+    const vaultEnv = spawns.find((s) => s.short === "vault")?.env;
+    expect(vaultEnv?.PATH).toBeDefined();
+    expect(vaultEnv?.PATH?.length).toBeGreaterThan(0);
   });
 
   test("idempotent: already-installed + running returns succeeded immediately", async () => {
@@ -842,6 +849,31 @@ describe("POST /api/modules/:short/start", () => {
     expect(res.status).toBe(403);
   });
 
+  test("supervisor.start throw → structured 500 module_op_failed, not a naked 500 (hub#536)", async () => {
+    seedVault();
+    // Models the hub#536 wedge: Bun.spawn throwing because the module's
+    // installDir/cwd no longer exists (NOT a missing binary — the preflight
+    // + rethrowIfMissing nets don't catch it, so it propagates out of
+    // supervisor.start). Pre-fix this escaped the handler as a bodyless 500
+    // and the CLI showed an opaque "request failed".
+    const supervisor = new Supervisor({
+      spawnFn: () => {
+        throw new Error("simulated spawn failure: cwd /gone/parachute-app does not exist");
+      },
+    });
+    const bearer = await mintBearer(h, [API_MODULES_OPS_REQUIRED_SCOPE]);
+    const res = await handleStart(
+      postReq("/api/modules/vault/start", { authorization: `Bearer ${bearer}` }),
+      "vault",
+      { db: h.db, issuer: ISSUER, manifestPath: h.manifestPath, configDir: h.dir, supervisor },
+    );
+    expect(res.status).toBe(500);
+    const body = (await res.json()) as { error: string; error_description: string };
+    expect(body.error).toBe("module_op_failed");
+    expect(body.error_description).toContain("vault start failed");
+    expect(body.error_description).toContain("cwd /gone/parachute-app does not exist");
+  });
+
   test("pure supervisor.start of an installed module — NOT install (no bun add)", async () => {
     seedVault();
     const { supervisor, spawns } = makeIdleSupervisor();
@@ -1096,7 +1128,44 @@ describe("POST /api/modules/:short/restart", () => {
   });
   afterEach(() => h.cleanup());
 
-  test("404 not_supervised when module isn't running", async () => {
+  /** Seed a minimal installed vault row (in services.json). */
+  function seedVault(port = 1940): void {
+    writeManifest(h.manifestPath, [
+      {
+        name: "parachute-vault",
+        port,
+        paths: ["/vault/default"],
+        health: "/vault/default/health",
+        version: "0.0.0-linked",
+      },
+    ]);
+  }
+
+  test("400 not_installed when the module isn't in services.json", async () => {
+    // restart rebuilds the spawn req from services.json (hub#532), so a
+    // missing row is a `not_installed` 400 (mirrors `start`) — before the
+    // supervisor is even consulted.
+    const { supervisor } = makeIdleSupervisor();
+    const bearer = await mintBearer(h, [API_MODULES_OPS_REQUIRED_SCOPE]);
+    const res = await handleRestart(
+      postReq("/api/modules/vault/restart", { authorization: `Bearer ${bearer}` }),
+      "vault",
+      {
+        db: h.db,
+        issuer: ISSUER,
+        manifestPath: h.manifestPath,
+        configDir: h.dir,
+        supervisor,
+        run: async () => 0,
+      },
+    );
+    expect(res.status).toBe(400);
+    const body = (await res.json()) as { error: string };
+    expect(body.error).toBe("not_installed");
+  });
+
+  test("404 not_supervised when installed but not currently running", async () => {
+    seedVault();
     const { supervisor } = makeIdleSupervisor();
     const bearer = await mintBearer(h, [API_MODULES_OPS_REQUIRED_SCOPE]);
     const res = await handleRestart(
@@ -1117,6 +1186,7 @@ describe("POST /api/modules/:short/restart", () => {
   });
 
   test("returns new state on success", async () => {
+    seedVault();
     const { supervisor } = makeIdleSupervisor();
     await supervisor.start({ short: "vault", cmd: ["parachute-vault", "serve"] });
 
@@ -1140,6 +1210,122 @@ describe("POST /api/modules/:short/restart", () => {
     // on timing — either is acceptable here as long as it's not crashed/stopped.
     expect(["restarting", "running", "starting"]).toContain(body.state.status);
   });
+
+  test("re-injects the CURRENT hub origin on restart (hub#532)", async () => {
+    // The core hub#532 fix: a module first started under one issuer, then
+    // restarted after the canonical origin changed (e.g. post-expose), must
+    // re-spawn with the NEW PARACHUTE_HUB_ORIGIN — not replay the stale
+    // first-start snapshot. We drive the supervisor directly to control the
+    // first-start env, then restart through the handler with a different
+    // `deps.issuer` and assert the recorded spawn carries the new origin.
+    seedVault(1940);
+    const { supervisor, spawns } = makeIdleSupervisor();
+    // First start with the OLD origin baked in (as boot would have).
+    await supervisor.start({
+      short: "vault",
+      cmd: ["parachute-vault", "serve"],
+      env: { PORT: "1940", PARACHUTE_HUB_ORIGIN: "https://old.example" },
+    });
+    const spawnsBefore = spawns.length;
+
+    const NEW_ORIGIN = "https://new.example";
+    // The bearer was minted at the prior (loopback) ISSUER; the canonical
+    // origin has since moved to NEW_ORIGIN. `knownIssuers` accepts the older
+    // bearer iss while `deps.issuer` is the current canonical origin — exactly
+    // the post-expose scenario hub#532 describes.
+    const bearer = await mintBearer(h, [API_MODULES_OPS_REQUIRED_SCOPE]);
+    const res = await handleRestart(
+      postReq("/api/modules/vault/restart", { authorization: `Bearer ${bearer}` }),
+      "vault",
+      {
+        db: h.db,
+        issuer: NEW_ORIGIN,
+        knownIssuers: [ISSUER, NEW_ORIGIN],
+        manifestPath: h.manifestPath,
+        configDir: h.dir,
+        supervisor,
+        run: async () => 0,
+      },
+    );
+    expect(res.status).toBe(200);
+    // A fresh spawn happened, and it carries the NEW origin (rebuilt from the
+    // live deps.issuer), not the stale one from first start.
+    const reSpawn = spawns[spawnsBefore];
+    expect(reSpawn?.env?.PARACHUTE_HUB_ORIGIN).toBe(NEW_ORIGIN);
+    expect(reSpawn?.env?.PORT).toBe("1940");
+  });
+
+  test("crash-restart after a restart reuses the REFRESHED req (hub#532)", async () => {
+    // The refreshed SpawnRequest must become the supervisor entry's `req` so
+    // a SUBSEQUENT crash-restart (handleExit → spawnAndWatch, which replays
+    // `entry.req`) also carries the current env — not the original snapshot.
+    seedVault(1940);
+    // Controllable supervisor: spawns record env; each fake exposes a `crash()`
+    // resolving `exited` with code 1 (a crash, not an operator stop). `kill()`
+    // (driven by the injected group-aware `killFn`) resolves with 0 so the
+    // handler's restart-stop completes promptly. Distinct codes let us crash a
+    // specific child without tripping the stop path.
+    const spawns: SpawnRequest[] = [];
+    const procs: Array<{ pid: number; crash: () => void; kill: () => void }> = [];
+    let nextPid = 8000;
+    const spawnFn = (req: SpawnRequest): SupervisedProc => {
+      spawns.push(req);
+      const pid = nextPid++;
+      let resolveExit!: (c: number | null) => void;
+      const exited = new Promise<number | null>((r) => {
+        resolveExit = r;
+      });
+      const proc = {
+        pid,
+        exited,
+        stdout: null,
+        stderr: null,
+        kill: () => resolveExit(0),
+      };
+      procs.push({ pid, crash: () => resolveExit(1), kill: proc.kill });
+      return proc;
+    };
+    const killFn = (pid: number): void => {
+      procs.find((p) => p.pid === Math.abs(pid))?.kill();
+    };
+    const supervisor = new Supervisor({ spawnFn, killFn, restartDelayMs: 1, startReadyMs: 0 });
+
+    // First start with the OLD origin.
+    await supervisor.start({
+      short: "vault",
+      cmd: ["parachute-vault", "serve"],
+      env: { PORT: "1940", PARACHUTE_HUB_ORIGIN: "https://old.example" },
+    });
+
+    const NEW_ORIGIN = "https://new.example";
+    const bearer = await mintBearer(h, [API_MODULES_OPS_REQUIRED_SCOPE]);
+    await handleRestart(
+      postReq("/api/modules/vault/restart", { authorization: `Bearer ${bearer}` }),
+      "vault",
+      {
+        db: h.db,
+        issuer: NEW_ORIGIN,
+        knownIssuers: [ISSUER, NEW_ORIGIN],
+        manifestPath: h.manifestPath,
+        configDir: h.dir,
+        supervisor,
+        run: async () => 0,
+      },
+    );
+    // The restart re-spawn is the most recent — confirm the NEW origin landed.
+    const restartSpawnIdx = spawns.length - 1;
+    expect(spawns[restartSpawnIdx]?.env?.PARACHUTE_HUB_ORIGIN).toBe(NEW_ORIGIN);
+
+    // Crash the restart-spawned child → the supervisor's crash-restart replays
+    // entry.req (which `start` stored from the refreshed req).
+    procs[restartSpawnIdx]?.crash();
+    // Wait for the crash watcher's restartDelay + respawn.
+    await new Promise((r) => setTimeout(r, 40));
+    expect(spawns.length).toBeGreaterThan(restartSpawnIdx + 1);
+    const crashRespawn = spawns[spawns.length - 1];
+    // The crash-restart inherited the REFRESHED req → still the new origin.
+    expect(crashRespawn?.env?.PARACHUTE_HUB_ORIGIN).toBe(NEW_ORIGIN);
+  });
 });
 
 describe("POST /api/modules/:short/upgrade", () => {
@@ -1485,13 +1671,19 @@ describe("well-known regen after module ops", () => {
     const vaultRow = manifest.services.find((s) => s.name === "parachute-vault");
     expect(vaultRow?.installDir).toBe(install.installDir);
 
-    // The on-disk well-known doc reflects the new module.
+    // The on-disk well-known doc reflects the new module in `services`...
     const doc = JSON.parse(readFileSync(wkPath, "utf8")) as {
       services: Array<{ name: string; version: string }>;
       vaults: Array<{ name: string }>;
     };
     expect(doc.services.some((s) => s.name === "parachute-vault")).toBe(true);
-    expect(doc.vaults.some((v) => v.name === "default")).toBe(true);
+    // ...but does NOT fabricate a phantom `default` vault row (hub#577). The
+    // install seeds the entry at SEED_VERSION ("module installed, no instance
+    // booted"); vault's own boot registers the real instance later. Until then
+    // the vaults[] list is honestly empty so the management page reads "No
+    // vaults yet" rather than showing a `default` that doesn't exist.
+    expect(doc.vaults.some((v) => v.name === "default")).toBe(false);
+    expect(doc.vaults).toEqual([]);
   });
 
   test("runInstall sets PORT in child env from services.json entry (hub#356)", async () => {

package/src/__tests__/api-modules.test.ts

@@ -317,6 +317,45 @@ describe("GET /api/modules", () => {
     expect(shorts).not.toContain("surface");
   });
 
+  test("non-curated supervised modules appear in `supervised` (not `modules`) — hub#539", async () => {
+    // surface (the UI host) is supervised but not curated. Its run-state must
+    // surface in `supervised` so `parachute status` reads it `active`, while it
+    // stays OUT of the curated `modules` catalog (which drives the install UI).
+    writeManifest(h.manifestPath, [
+      {
+        name: "parachute-vault",
+        port: 1940,
+        paths: ["/vault/default"],
+        health: "/vault/default/health",
+        version: "0.4.5",
+      },
+    ]);
+    const { supervisor } = makeIdleSupervisor();
+    await supervisor.start({ short: "vault", cmd: ["parachute-vault", "serve"] });
+    await supervisor.start({ short: "surface", cmd: ["parachute-surface", "serve"] });
+
+    const bearer = await mintBearer(h, [API_MODULES_REQUIRED_SCOPE]);
+    const res = await handleApiModules(getReq({ authorization: `Bearer ${bearer}` }), {
+      db: h.db,
+      issuer: ISSUER,
+      manifestPath: h.manifestPath,
+      supervisor,
+      fetchLatestVersion: async () => null,
+    });
+    const body = (await res.json()) as {
+      modules: Array<{ short: string }>;
+      supervised: Array<{ short: string; supervisor_status: string | null; pid: number | null }>;
+    };
+    // surface stays out of the curated catalog…
+    expect(body.modules.map((m) => m.short)).not.toContain("surface");
+    // …but its run-state is in `supervised`, marked running with a pid.
+    const surf = body.supervised.find((m) => m.short === "surface");
+    expect(surf?.supervisor_status).toBe("running");
+    expect(typeof surf?.pid).toBe("number");
+    // Curated modules appear in `supervised` too (consumers dedupe by short).
+    expect(body.supervised.find((m) => m.short === "vault")?.supervisor_status).toBe("running");
+  });
+
   test("surfaces installed_version from services.json", async () => {
     writeManifest(h.manifestPath, [
       {
@@ -716,10 +755,7 @@ describe("GET /api/modules", () => {
     // Second back-to-back request must not re-hit the registry. The
     // UI may poll this endpoint; we don't want it to slam npm.
     let calls = 0;
-    const probe = async (
-      _pkg: string,
-      _channel: "latest" | "rc",
-    ): Promise<string | null> => {
+    const probe = async (_pkg: string, _channel: "latest" | "rc"): Promise<string | null> => {
       calls++;
       return "0.5.0";
     };

package/src/__tests__/api-settings-hub-origin.test.ts

@@ -83,6 +83,11 @@ function putReq(body: unknown, headers: Record<string, string> = {}): Request {
   });
 }
 
+// Stub "no exposure recorded" so resolveIssuer / resolveIssuerSource don't
+// pick up the host's real ~/.parachute/expose-state.json (the #531 expose
+// tier would otherwise shadow the request-origin source these tests assert).
+const noExpose = (): string | undefined => undefined;
+
 function deps(
   h: Harness,
   overrides: Partial<Parameters<typeof handleApiSettingsHubOrigin>[1]> = {},
@@ -90,8 +95,8 @@ function deps(
   return {
     db: h.db,
     issuer: ISSUER,
-    resolvedIssuer: resolveIssuer(getReq(), h.db, undefined),
-    resolvedSource: resolveIssuerSource(h.db, undefined),
+    resolvedIssuer: resolveIssuer(getReq(), h.db, undefined, noExpose),
+    resolvedSource: resolveIssuerSource(h.db, undefined, noExpose),
     ...overrides,
   };
 }
@@ -414,8 +419,8 @@ describe("change takes effect on the next request (no restart needed)", () => {
     const g1 = await handleApiSettingsHubOrigin(getReq({ authorization: `Bearer ${bearer}` }), {
       db: h.db,
       issuer: ISSUER,
-      resolvedIssuer: resolveIssuer(getReq(), h.db, undefined),
-      resolvedSource: resolveIssuerSource(h.db, undefined),
+      resolvedIssuer: resolveIssuer(getReq(), h.db, undefined, noExpose),
+      resolvedSource: resolveIssuerSource(h.db, undefined, noExpose),
     });
     const b1 = (await g1.json()) as { source: string; resolved_issuer: string };
     expect(b1.source).toBe("request");
@@ -426,8 +431,8 @@ describe("change takes effect on the next request (no restart needed)", () => {
       {
         db: h.db,
         issuer: ISSUER,
-        resolvedIssuer: resolveIssuer(putReq({}), h.db, undefined),
-        resolvedSource: resolveIssuerSource(h.db, undefined),
+        resolvedIssuer: resolveIssuer(putReq({}), h.db, undefined, noExpose),
+        resolvedSource: resolveIssuerSource(h.db, undefined, noExpose),
       },
     );
     expect(p.status).toBe(200);
@@ -437,8 +442,8 @@ describe("change takes effect on the next request (no restart needed)", () => {
     const g2 = await handleApiSettingsHubOrigin(getReq({ authorization: `Bearer ${bearer}` }), {
       db: h.db,
       issuer: ISSUER,
-      resolvedIssuer: resolveIssuer(getReq(), h.db, undefined),
-      resolvedSource: resolveIssuerSource(h.db, undefined),
+      resolvedIssuer: resolveIssuer(getReq(), h.db, undefined, noExpose),
+      resolvedSource: resolveIssuerSource(h.db, undefined, noExpose),
     });
     const b2 = (await g2.json()) as {
       hub_origin: string | null;