@openparachute/hub 0.6.3 → 0.6.4-rc.10

package/src/__tests__/grants.test.ts

@@ -8,9 +8,12 @@ import {
   findGrantByClientName,
   isCoveredByGrant,
   isCoveredByGrantForClientName,
+  isFirstPartyBrowserClient,
   listGrantsForUser,
   recordGrant,
   revokeGrant,
+  userHasExternalAiGrant,
+  userHasVaultGrant,
 } from "../grants.ts";
 import { hubDbPath, openHubDb } from "../hub-db.ts";
 import { createUser } from "../users.ts";
@@ -177,7 +180,13 @@ describe("findGrantByClientName / isCoveredByGrantForClientName (hub#409)", () =
         redirectUris: ["https://app.example/cb"],
         clientName: "claude-code",
       });
-      recordGrant(h.db, h.userId, reg1.client.clientId, ["a", "b"], new Date("2026-04-10T00:00:00Z"));
+      recordGrant(
+        h.db,
+        h.userId,
+        reg1.client.clientId,
+        ["a", "b"],
+        new Date("2026-04-10T00:00:00Z"),
+      );
       // Second DCR: same client_name="claude-code", fresh client_id, no grant yet
       const reg2 = registerClient(h.db, {
         redirectUris: ["https://app.example/cb"],
@@ -249,8 +258,20 @@ describe("findGrantByClientName / isCoveredByGrantForClientName (hub#409)", () =
         clientName: "claude-code",
       });
       recordGrant(h.db, h.userId, reg1.client.clientId, ["a"], new Date("2026-04-01T00:00:00Z"));
-      recordGrant(h.db, h.userId, reg3.client.clientId, ["a", "c"], new Date("2026-04-15T00:00:00Z"));
-      recordGrant(h.db, h.userId, reg2.client.clientId, ["a", "b"], new Date("2026-04-10T00:00:00Z"));
+      recordGrant(
+        h.db,
+        h.userId,
+        reg3.client.clientId,
+        ["a", "c"],
+        new Date("2026-04-15T00:00:00Z"),
+      );
+      recordGrant(
+        h.db,
+        h.userId,
+        reg2.client.clientId,
+        ["a", "b"],
+        new Date("2026-04-10T00:00:00Z"),
+      );
       const grant = findGrantByClientName(h.db, h.userId, "claude-code");
       // Most recent = reg3's grant (2026-04-15)
       expect(grant?.clientId).toBe(reg3.client.clientId);
@@ -267,9 +288,19 @@ describe("findGrantByClientName / isCoveredByGrantForClientName (hub#409)", () =
         redirectUris: ["https://app.example/cb"],
         clientName: "claude-code",
       });
-      recordGrant(h.db, h.userId, reg.client.clientId, ["vault:default:read", "vault:default:write"]);
-      expect(isCoveredByGrantForClientName(h.db, h.userId, "claude-code", ["vault:default:read"])).toBe(true);
-      expect(isCoveredByGrantForClientName(h.db, h.userId, "claude-code", ["vault:default:read", "vault:default:write"])).toBe(true);
+      recordGrant(h.db, h.userId, reg.client.clientId, [
+        "vault:default:read",
+        "vault:default:write",
+      ]);
+      expect(
+        isCoveredByGrantForClientName(h.db, h.userId, "claude-code", ["vault:default:read"]),
+      ).toBe(true);
+      expect(
+        isCoveredByGrantForClientName(h.db, h.userId, "claude-code", [
+          "vault:default:read",
+          "vault:default:write",
+        ]),
+      ).toBe(true);
     } finally {
       h.cleanup();
     }
@@ -284,8 +315,15 @@ describe("findGrantByClientName / isCoveredByGrantForClientName (hub#409)", () =
       });
       recordGrant(h.db, h.userId, reg.client.clientId, ["vault:default:read"]);
       // Asking for write — not previously granted
-      expect(isCoveredByGrantForClientName(h.db, h.userId, "claude-code", ["vault:default:write"])).toBe(false);
-      expect(isCoveredByGrantForClientName(h.db, h.userId, "claude-code", ["vault:default:read", "vault:default:write"])).toBe(false);
+      expect(
+        isCoveredByGrantForClientName(h.db, h.userId, "claude-code", ["vault:default:write"]),
+      ).toBe(false);
+      expect(
+        isCoveredByGrantForClientName(h.db, h.userId, "claude-code", [
+          "vault:default:read",
+          "vault:default:write",
+        ]),
+      ).toBe(false);
     } finally {
       h.cleanup();
     }
@@ -304,4 +342,155 @@ describe("findGrantByClientName / isCoveredByGrantForClientName (hub#409)", () =
       h.cleanup();
     }
   });
+
+  // --- userHasVaultGrant (onboarding "has connected an AI?" signal) --------
+
+  test("userHasVaultGrant: false when the user has no grants at all", async () => {
+    const h = await harness();
+    try {
+      expect(userHasVaultGrant(h.db, h.userId, "default")).toBe(false);
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("userHasVaultGrant: true when a grant's scopes touch the vault", async () => {
+    const h = await harness();
+    try {
+      recordGrant(h.db, h.userId, h.clientId, ["vault:default:read", "vault:default:write"]);
+      expect(userHasVaultGrant(h.db, h.userId, "default")).toBe(true);
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("userHasVaultGrant: false when the grant touches a DIFFERENT vault", async () => {
+    const h = await harness();
+    try {
+      recordGrant(h.db, h.userId, h.clientId, ["vault:work:read"]);
+      expect(userHasVaultGrant(h.db, h.userId, "default")).toBe(false);
+      expect(userHasVaultGrant(h.db, h.userId, "work")).toBe(true);
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("userHasVaultGrant: non-vault scopes don't count as a connection", async () => {
+    const h = await harness();
+    try {
+      recordGrant(h.db, h.userId, h.clientId, ["parachute:host:auth", "vault:read"]);
+      // `vault:read` (no name segment) is a generic scope, not vault:<name>:.
+      expect(userHasVaultGrant(h.db, h.userId, "default")).toBe(false);
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("userHasVaultGrant: prefix isn't substring-fooled (vault:default-2 ≠ default)", async () => {
+    const h = await harness();
+    try {
+      recordGrant(h.db, h.userId, h.clientId, ["vault:default-2:read"]);
+      expect(userHasVaultGrant(h.db, h.userId, "default")).toBe(false);
+      expect(userHasVaultGrant(h.db, h.userId, "default-2")).toBe(true);
+    } finally {
+      h.cleanup();
+    }
+  });
+});
+
+describe("userHasExternalAiGrant / isFirstPartyBrowserClient (hub#583)", () => {
+  test("isFirstPartyBrowserClient matches fixed first-party client_ids", () => {
+    expect(isFirstPartyBrowserClient("parachute-hub-spa", null)).toBe(true);
+    expect(isFirstPartyBrowserClient("parachute-account", null)).toBe(true);
+    expect(isFirstPartyBrowserClient("some-random-dcr-id", null)).toBe(false);
+  });
+
+  test("isFirstPartyBrowserClient matches Notes by client_name (case-insensitive)", () => {
+    expect(isFirstPartyBrowserClient("dcr-generated-id", "Notes")).toBe(true);
+    expect(isFirstPartyBrowserClient("dcr-generated-id", "notes")).toBe(true);
+    expect(isFirstPartyBrowserClient("dcr-generated-id", "Claude")).toBe(false);
+    expect(isFirstPartyBrowserClient("dcr-generated-id", null)).toBe(false);
+  });
+
+  test("a first-party browser grant does NOT count as a connected AI", async () => {
+    const h = await harness();
+    try {
+      // Notes signs in via DCR (generated client_id, client_name "Notes") and
+      // writes a vault-scoped grant — the exact false-positive in hub#583.
+      const notes = registerClient(h.db, {
+        redirectUris: ["https://app.example/cb"],
+        clientName: "Notes",
+      });
+      recordGrant(h.db, h.userId, notes.client.clientId, ["vault:default:read"]);
+      // The coarse signal lights up...
+      expect(userHasVaultGrant(h.db, h.userId, "default")).toBe(true);
+      // ...but the AI-connection signal does NOT.
+      expect(userHasExternalAiGrant(h.db, h.userId, "default")).toBe(false);
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("the fixed first-party SPA client_id does NOT count as a connected AI", async () => {
+    const h = await harness();
+    try {
+      registerClient(h.db, {
+        redirectUris: ["https://app.example/cb"],
+        clientId: "parachute-hub-spa",
+      });
+      recordGrant(h.db, h.userId, "parachute-hub-spa", ["vault:default:read"]);
+      expect(userHasExternalAiGrant(h.db, h.userId, "default")).toBe(false);
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("an external AI/MCP client grant DOES count as connected", async () => {
+    const h = await harness();
+    try {
+      // Claude Code: DCR-registered, ordinary client_name, vault scope.
+      const claude = registerClient(h.db, {
+        redirectUris: ["https://claude.ai/cb"],
+        clientName: "Claude",
+      });
+      recordGrant(h.db, h.userId, claude.client.clientId, ["vault:default:read"]);
+      expect(userHasExternalAiGrant(h.db, h.userId, "default")).toBe(true);
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("external grant is scoped to the named vault", async () => {
+    const h = await harness();
+    try {
+      const claude = registerClient(h.db, {
+        redirectUris: ["https://claude.ai/cb"],
+        clientName: "Claude",
+      });
+      recordGrant(h.db, h.userId, claude.client.clientId, ["vault:other:read"]);
+      expect(userHasExternalAiGrant(h.db, h.userId, "default")).toBe(false);
+      expect(userHasExternalAiGrant(h.db, h.userId, "other")).toBe(true);
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("Notes + Claude both granted: still counts (the external one wins)", async () => {
+    const h = await harness();
+    try {
+      const notes = registerClient(h.db, {
+        redirectUris: ["https://app.example/cb"],
+        clientName: "Notes",
+      });
+      const claude = registerClient(h.db, {
+        redirectUris: ["https://claude.ai/cb"],
+        clientName: "Claude",
+      });
+      recordGrant(h.db, h.userId, notes.client.clientId, ["vault:default:read"]);
+      recordGrant(h.db, h.userId, claude.client.clientId, ["vault:default:read"]);
+      expect(userHasExternalAiGrant(h.db, h.userId, "default")).toBe(true);
+    } finally {
+      h.cleanup();
+    }
+  });
 });

package/src/__tests__/hub-origin-resolution.test.ts

@@ -31,9 +31,20 @@ function req(url: string): Request {
   return new Request(url, { method: "GET" });
 }
 
+/**
+ * Stub the expose-state reader to "no exposure recorded" so these
+ * settings/env/request-tier tests are isolated from the host's real
+ * `~/.parachute/expose-state.json`. Without this, the default reader picks
+ * up a live exposure on the dev box and the expose tier shadows the
+ * request-origin fallback these tests assert. (The expose tier itself is
+ * exercised in the dedicated describe blocks below with its own injected
+ * origins.)
+ */
+const noExpose = (): string | undefined => undefined;
+
 describe("resolveIssuer — precedence chain", () => {
   test("falls back to request origin when no settings + no env", () => {
-    const got = resolveIssuer(req("http://127.0.0.1:1939/oauth/token"), db, undefined);
+    const got = resolveIssuer(req("http://127.0.0.1:1939/oauth/token"), db, undefined, noExpose);
     expect(got).toBe("http://127.0.0.1:1939");
   });
 
@@ -42,6 +53,7 @@ describe("resolveIssuer — precedence chain", () => {
       req("http://127.0.0.1:1939/oauth/token"),
       db,
       "https://hub.from-env.example",
+      noExpose,
     );
     expect(got).toBe("https://hub.from-env.example");
   });
@@ -52,13 +64,14 @@ describe("resolveIssuer — precedence chain", () => {
       req("http://127.0.0.1:1939/oauth/token"),
       db,
       "https://hub.from-env.example",
+      noExpose,
     );
     expect(got).toBe("https://hub.from-settings.example");
   });
 
   test("hub_settings wins over request origin (no env)", () => {
     setHubOrigin(db, "https://hub.from-settings.example");
-    const got = resolveIssuer(req("http://127.0.0.1:1939/oauth/token"), db, undefined);
+    const got = resolveIssuer(req("http://127.0.0.1:1939/oauth/token"), db, undefined, noExpose);
     expect(got).toBe("https://hub.from-settings.example");
   });
 
@@ -69,6 +82,7 @@ describe("resolveIssuer — precedence chain", () => {
       req("http://127.0.0.1:1939/oauth/token"),
       db,
       "https://hub.from-env.example",
+      noExpose,
     );
     expect(got).toBe("https://hub.from-env.example");
   });
@@ -76,7 +90,7 @@ describe("resolveIssuer — precedence chain", () => {
   test("clearing hub_settings + no env reverts to request origin", () => {
     setHubOrigin(db, "https://hub.from-settings.example");
     setHubOrigin(db, null);
-    const got = resolveIssuer(req("http://127.0.0.1:1939/oauth/token"), db, undefined);
+    const got = resolveIssuer(req("http://127.0.0.1:1939/oauth/token"), db, undefined, noExpose);
     expect(got).toBe("http://127.0.0.1:1939");
   });
 
@@ -84,13 +98,14 @@ describe("resolveIssuer — precedence chain", () => {
     // The wellknown / discovery surfaces may hit oauthDeps before a DB
     // is wired; resolveIssuer must not throw — just skip the settings
     // layer.
-    const got = resolveIssuer(req("http://127.0.0.1:1939/"), undefined, undefined);
+    const got = resolveIssuer(req("http://127.0.0.1:1939/"), undefined, undefined, noExpose);
     expect(got).toBe("http://127.0.0.1:1939");
 
     const gotEnv = resolveIssuer(
       req("http://127.0.0.1:1939/"),
       undefined,
       "https://hub.from-env.example",
+      noExpose,
     );
     expect(gotEnv).toBe("https://hub.from-env.example");
   });
@@ -103,19 +118,19 @@ describe("resolveIssuer — precedence chain", () => {
     const baseUrl = "http://127.0.0.1:1939/oauth/token";
 
     // Pass 1 — no settings, no env → request origin.
-    expect(resolveIssuer(req(baseUrl), db, undefined)).toBe("http://127.0.0.1:1939");
+    expect(resolveIssuer(req(baseUrl), db, undefined, noExpose)).toBe("http://127.0.0.1:1939");
 
     // Mid-flight write.
     setHubOrigin(db, "https://hub.example.com");
 
     // Pass 2 — settings wins immediately.
-    expect(resolveIssuer(req(baseUrl), db, undefined)).toBe("https://hub.example.com");
+    expect(resolveIssuer(req(baseUrl), db, undefined, noExpose)).toBe("https://hub.example.com");
 
     // Mid-flight clear.
     setHubOrigin(db, null);
 
     // Pass 3 — back to request origin.
-    expect(resolveIssuer(req(baseUrl), db, undefined)).toBe("http://127.0.0.1:1939");
+    expect(resolveIssuer(req(baseUrl), db, undefined, noExpose)).toBe("http://127.0.0.1:1939");
   });
 
   test("X-Forwarded-Proto: https upgrades the request-origin fallback", () => {
@@ -124,11 +139,14 @@ describe("resolveIssuer — precedence chain", () => {
     // `http://...` in OAuth discovery — mixed-content blocked when the
     // page loaded over https://. See hub#355 (the notes app's
     // /oauth/register call surfaced this).
-    const r = new Request("http://parachute-hub.onrender.com/.well-known/oauth-authorization-server", {
-      method: "GET",
-      headers: { "X-Forwarded-Proto": "https" },
-    });
-    expect(resolveIssuer(r, db, undefined)).toBe("https://parachute-hub.onrender.com");
+    const r = new Request(
+      "http://parachute-hub.onrender.com/.well-known/oauth-authorization-server",
+      {
+        method: "GET",
+        headers: { "X-Forwarded-Proto": "https" },
+      },
+    );
+    expect(resolveIssuer(r, db, undefined, noExpose)).toBe("https://parachute-hub.onrender.com");
   });
 
   test("X-Forwarded-Proto with comma-separated values takes the first", () => {
@@ -138,14 +156,14 @@ describe("resolveIssuer — precedence chain", () => {
       method: "GET",
       headers: { "X-Forwarded-Proto": "https, http" },
     });
-    expect(resolveIssuer(r, db, undefined)).toBe("https://hub.internal");
+    expect(resolveIssuer(r, db, undefined, noExpose)).toBe("https://hub.internal");
   });
 
   test("missing X-Forwarded-Proto leaves the URL scheme as-is (localhost dev)", () => {
     // No reverse proxy → no header → keep http for the local-dev shape.
     // Operators on plain HTTP localhost depend on this.
     const r = new Request("http://127.0.0.1:1939/oauth/token", { method: "GET" });
-    expect(resolveIssuer(r, db, undefined)).toBe("http://127.0.0.1:1939");
+    expect(resolveIssuer(r, db, undefined, noExpose)).toBe("http://127.0.0.1:1939");
   });
 
   test("X-Forwarded-Proto is IGNORED when hub_settings or env wins", () => {
@@ -161,26 +179,28 @@ describe("resolveIssuer — precedence chain", () => {
 
     // Env layer wins, even though the header says https — the env value
     // is returned verbatim (preserving whatever scheme the operator set).
-    expect(resolveIssuer(r, db, "http://configured.example")).toBe("http://configured.example");
+    expect(resolveIssuer(r, db, "http://configured.example", noExpose)).toBe(
+      "http://configured.example",
+    );
 
     // Settings layer wins above env, also verbatim.
     setHubOrigin(db, "http://settings.example");
-    expect(resolveIssuer(r, db, "https://env.example")).toBe("http://settings.example");
+    expect(resolveIssuer(r, db, "https://env.example", noExpose)).toBe("http://settings.example");
   });
 });
 
 describe("resolveIssuerSource — attribution for SPA", () => {
   test('"request" when nothing is configured', () => {
-    expect(resolveIssuerSource(db, undefined)).toBe("request");
+    expect(resolveIssuerSource(db, undefined, noExpose)).toBe("request");
   });
 
   test('"env" when configuredIssuer is set + no settings row', () => {
-    expect(resolveIssuerSource(db, "https://hub.from-env.example")).toBe("env");
+    expect(resolveIssuerSource(db, "https://hub.from-env.example", noExpose)).toBe("env");
   });
 
   test('"settings" when hub_settings row is set, even if env is also set', () => {
     setHubOrigin(db, "https://hub.from-settings.example");
-    expect(resolveIssuerSource(db, "https://hub.from-env.example")).toBe("settings");
+    expect(resolveIssuerSource(db, "https://hub.from-env.example", noExpose)).toBe("settings");
   });
 
   test("attribution matches resolved value across the chain", () => {
@@ -189,16 +209,150 @@ describe("resolveIssuerSource — attribution for SPA", () => {
     // settings layer is what got returned.
     setHubOrigin(db, "https://hub.example.com");
     const r1 = req("http://127.0.0.1:1939/oauth/token");
-    expect(resolveIssuer(r1, db, "https://hub.from-env.example")).toBe("https://hub.example.com");
-    expect(resolveIssuerSource(db, "https://hub.from-env.example")).toBe("settings");
+    expect(resolveIssuer(r1, db, "https://hub.from-env.example", noExpose)).toBe(
+      "https://hub.example.com",
+    );
+    expect(resolveIssuerSource(db, "https://hub.from-env.example", noExpose)).toBe("settings");
 
     setHubOrigin(db, null);
-    expect(resolveIssuer(r1, db, "https://hub.from-env.example")).toBe(
+    expect(resolveIssuer(r1, db, "https://hub.from-env.example", noExpose)).toBe(
       "https://hub.from-env.example",
     );
-    expect(resolveIssuerSource(db, "https://hub.from-env.example")).toBe("env");
+    expect(resolveIssuerSource(db, "https://hub.from-env.example", noExpose)).toBe("env");
+
+    expect(resolveIssuer(r1, db, undefined, noExpose)).toBe("http://127.0.0.1:1939");
+    expect(resolveIssuerSource(db, undefined, noExpose)).toBe("request");
+  });
+});
+
+/**
+ * The expose-state tier (#531). On the reboot-persistent owner-operated
+ * path the launchd plist / systemd unit carries no PARACHUTE_HUB_ORIGIN, so
+ * the hub boots with no `configuredIssuer`. Without this tier it would stamp
+ * `iss` from the per-request origin (loopback) and exposed resource servers
+ * (vault) reject the token with `unexpected "iss" claim value`. The exposed
+ * origin recorded in expose-state.json's hubOrigin is consulted between the
+ * env tier and the request-origin fallback. The `readExpose` seam (4th /
+ * 3rd param) drives this without touching the real ~/.parachute.
+ */
+describe("resolveIssuer — expose-state tier (#531)", () => {
+  const EXPOSED = "https://parachute.taildf9ce2.ts.net";
+  // Simulates the reported bug: token minted under loopback, request arrives
+  // at loopback, but the canonical exposed origin lives in expose-state.
+  const loopbackReq = () => req("http://127.0.0.1:1939/oauth/token");
+
+  test("REGRESSION: expose origin used (NOT request origin) when settings+env both absent", () => {
+    const got = resolveIssuer(loopbackReq(), db, undefined, () => EXPOSED);
+    expect(got).toBe(EXPOSED);
+    expect(got).not.toBe("http://127.0.0.1:1939");
+  });
+
+  test("settings wins over expose", () => {
+    setHubOrigin(db, "https://hub.from-settings.example");
+    const got = resolveIssuer(loopbackReq(), db, undefined, () => EXPOSED);
+    expect(got).toBe("https://hub.from-settings.example");
+  });
+
+  test("env wins over expose", () => {
+    const got = resolveIssuer(loopbackReq(), db, "https://hub.from-env.example", () => EXPOSED);
+    expect(got).toBe("https://hub.from-env.example");
+  });
+
+  test("expose wins over request origin", () => {
+    // settings + env both absent → expose beats the per-request loopback origin.
+    const got = resolveIssuer(loopbackReq(), db, undefined, () => EXPOSED);
+    expect(got).toBe(EXPOSED);
+  });
+
+  test("full precedence: settings > env > expose > request", () => {
+    // request-only
+    expect(resolveIssuer(loopbackReq(), db, undefined, () => undefined)).toBe(
+      "http://127.0.0.1:1939",
+    );
+    // expose beats request
+    expect(resolveIssuer(loopbackReq(), db, undefined, () => EXPOSED)).toBe(EXPOSED);
+    // env beats expose
+    expect(resolveIssuer(loopbackReq(), db, "https://env.example", () => EXPOSED)).toBe(
+      "https://env.example",
+    );
+    // settings beats env (and expose)
+    setHubOrigin(db, "https://settings.example");
+    expect(resolveIssuer(loopbackReq(), db, "https://env.example", () => EXPOSED)).toBe(
+      "https://settings.example",
+    );
+  });
+
+  test("malformed expose-state falls through to request without throwing", () => {
+    // A reader that throws simulates a corrupt expose-state.json. The
+    // `exposeIssuerOrigin` wrapper guards the `readExpose()` call itself in
+    // try/catch, so even an injected non-swallowing reader can NEVER
+    // propagate into the request path — resolveIssuer falls through to the
+    // request origin instead of 500ing the hub.
+    const throwing = () => {
+      throw new Error("malformed expose-state.json");
+    };
+    expect(() => resolveIssuer(loopbackReq(), db, undefined, throwing)).not.toThrow();
+    expect(resolveIssuer(loopbackReq(), db, undefined, throwing)).toBe("http://127.0.0.1:1939");
+    // A reader that returns undefined (the default's post-swallow shape) also
+    // yields the request origin.
+    expect(resolveIssuer(loopbackReq(), db, undefined, () => undefined)).toBe(
+      "http://127.0.0.1:1939",
+    );
+  });
+
+  test("loopback expose origin ignored (never re-pin the degraded mode)", () => {
+    expect(resolveIssuer(loopbackReq(), db, undefined, () => "http://127.0.0.1:1939")).toBe(
+      "http://127.0.0.1:1939",
+    );
+    expect(resolveIssuer(loopbackReq(), db, undefined, () => "http://localhost:1939")).toBe(
+      "http://127.0.0.1:1939",
+    );
+    expect(resolveIssuer(loopbackReq(), db, undefined, () => "http://0.0.0.0:1939")).toBe(
+      "http://127.0.0.1:1939",
+    );
+  });
+
+  test("non-http(s) / empty expose origin ignored", () => {
+    expect(resolveIssuer(loopbackReq(), db, undefined, () => "ftp://x.example")).toBe(
+      "http://127.0.0.1:1939",
+    );
+    expect(resolveIssuer(loopbackReq(), db, undefined, () => "")).toBe("http://127.0.0.1:1939");
+    expect(resolveIssuer(loopbackReq(), db, undefined, () => "not-a-url")).toBe(
+      "http://127.0.0.1:1939",
+    );
+  });
+
+  test("undefined db (pre-config gate) still consults expose before request", () => {
+    const got = resolveIssuer(loopbackReq(), undefined, undefined, () => EXPOSED);
+    expect(got).toBe(EXPOSED);
+  });
+});
+
+describe("resolveIssuerSource — expose attribution (#531)", () => {
+  const EXPOSED = "https://parachute.taildf9ce2.ts.net";
+
+  test('"expose" when resolved from expose-state (settings+env absent)', () => {
+    expect(resolveIssuerSource(db, undefined, () => EXPOSED)).toBe("expose");
+  });
+
+  test('"settings" wins over expose', () => {
+    setHubOrigin(db, "https://settings.example");
+    expect(resolveIssuerSource(db, undefined, () => EXPOSED)).toBe("settings");
+  });
+
+  test('"env" wins over expose', () => {
+    expect(resolveIssuerSource(db, "https://env.example", () => EXPOSED)).toBe("env");
+  });
+
+  test('"request" when no settings/env and no (valid) expose origin', () => {
+    expect(resolveIssuerSource(db, undefined, () => undefined)).toBe("request");
+    expect(resolveIssuerSource(db, undefined, () => "http://127.0.0.1:1939")).toBe("request");
+  });
 
-    expect(resolveIssuer(r1, db, undefined)).toBe("http://127.0.0.1:1939");
-    expect(resolveIssuerSource(db, undefined)).toBe("request");
+  test("attribution matches resolved value for the expose tier", () => {
+    // Pair the source label with the resolved value so they can't drift.
+    const r = req("http://127.0.0.1:1939/oauth/token");
+    expect(resolveIssuer(r, db, undefined, () => EXPOSED)).toBe(EXPOSED);
+    expect(resolveIssuerSource(db, undefined, () => EXPOSED)).toBe("expose");
   });
 });