@openparachute/hub 0.6.3 → 0.6.4-rc.2

package/src/__tests__/api-account.test.ts

@@ -30,6 +30,7 @@ import {
 } from "../api-account.ts";
 import { CSRF_COOKIE_NAME, CSRF_FIELD_NAME } from "../csrf.ts";
 import { hubDbPath, openHubDb } from "../hub-db.ts";
+import { recordTokenMint } from "../jwt-sign.ts";
 import {
   CHANGE_PASSWORD_MAX_ATTEMPTS,
   CHANGE_PASSWORD_WINDOW_MS,
@@ -257,6 +258,63 @@ describe("POST /account/change-password", () => {
     }
   });
 
+  // Item F / hub#469 — a successful self-service password change revokes the
+  // user's still-active tokens (so a token minted under the admin's temp
+  // password dies with the rotation). Mirrors `resetUserPassword`'s admin-reset
+  // revoke. Tokens belonging to OTHER users are untouched.
+  test("self-change revokes the user's active tokens, leaves other users' tokens (item F)", async () => {
+    const { userId, cookie } = await sessionCookieFor(harness.db, "newbie", "old-default-pw", {
+      passwordChanged: false,
+    });
+    const other = await createUser(harness.db, "other", "other-strong-passphrase", {
+      passwordChanged: true,
+      allowMulti: true,
+    });
+    // Seed one active token for the changing user + one for another user.
+    recordTokenMint(harness.db, {
+      jti: "tok-self-1",
+      createdVia: "cli_mint",
+      subject: userId,
+      userId,
+      clientId: "parachute-account",
+      scopes: ["vault:work:read"],
+      expiresAt: new Date(Date.now() + 86_400_000).toISOString(),
+    });
+    recordTokenMint(harness.db, {
+      jti: "tok-other-1",
+      createdVia: "cli_mint",
+      subject: other.id,
+      userId: other.id,
+      clientId: "parachute-account",
+      scopes: ["vault:work:read"],
+      expiresAt: new Date(Date.now() + 86_400_000).toISOString(),
+    });
+
+    const { body, headers } = formBody({
+      [CSRF_FIELD_NAME]: TEST_CSRF,
+      current_password: "old-default-pw",
+      new_password: "user-chosen-strong-passphrase",
+      new_password_confirm: "user-chosen-strong-passphrase",
+      next: "/account/",
+    });
+    const req = new Request("http://hub.test/account/change-password", {
+      method: "POST",
+      headers: { ...headers, cookie },
+      body,
+    });
+    const res = await handleAccountChangePasswordPost(req, { db: harness.db });
+    expect(res.status).toBe(302);
+
+    const selfTok = harness.db
+      .query<{ revoked_at: string | null }, [string]>("SELECT revoked_at FROM tokens WHERE jti = ?")
+      .get("tok-self-1");
+    const otherTok = harness.db
+      .query<{ revoked_at: string | null }, [string]>("SELECT revoked_at FROM tokens WHERE jti = ?")
+      .get("tok-other-1");
+    expect(selfTok?.revoked_at).not.toBeNull(); // changing user's token revoked
+    expect(otherTok?.revoked_at).toBeNull(); // other user's token untouched
+  });
+
   test("non-admin user with no next defaults to /account/ (no admin-shell flash)", async () => {
     // Without this rewrite, a friend's change-password POST would 302 to
     // /admin/vaults, the SPA would load, the 403 from
@@ -743,7 +801,7 @@ describe("handleAccountHomeGet", () => {
 
   test("302 → /login when no session cookie is present", async () => {
     const req = new Request(`${HUB_ORIGIN}/account/`);
-    const res = handleAccountHomeGet(req, { db: harness.db, hubOrigin: HUB_ORIGIN });
+    const res = await handleAccountHomeGet(req, { db: harness.db, hubOrigin: HUB_ORIGIN });
     expect(res.status).toBe(302);
     const location = res.headers.get("location") ?? "";
     // Round-trip /account/ as the `next` param so post-login lands back.
@@ -762,7 +820,7 @@ describe("handleAccountHomeGet", () => {
     const session = createSession(harness.db, { userId: friend.id });
     const cookie = buildSessionCookie(session.id, Math.floor(SESSION_TTL_MS / 1000));
     const req = new Request(`${HUB_ORIGIN}/account/`, { headers: { cookie } });
-    const res = handleAccountHomeGet(req, { db: harness.db, hubOrigin: HUB_ORIGIN });
+    const res = await handleAccountHomeGet(req, { db: harness.db, hubOrigin: HUB_ORIGIN });
     expect(res.status).toBe(200);
     expect(res.headers.get("content-type")).toContain("text/html");
     const html = await res.text();
@@ -782,7 +840,7 @@ describe("handleAccountHomeGet", () => {
     const session = createSession(harness.db, { userId: admin.id });
     const cookie = buildSessionCookie(session.id, Math.floor(SESSION_TTL_MS / 1000));
     const req = new Request(`${HUB_ORIGIN}/account/`, { headers: { cookie } });
-    const res = handleAccountHomeGet(req, { db: harness.db, hubOrigin: HUB_ORIGIN });
+    const res = await handleAccountHomeGet(req, { db: harness.db, hubOrigin: HUB_ORIGIN });
     expect(res.status).toBe(200);
     const html = await res.text();
     expect(html).toContain("Welcome, admin");
@@ -813,8 +871,71 @@ describe("handleAccountHomeGet", () => {
       harness.db.exec("PRAGMA foreign_keys = ON");
     }
     const req = new Request(`${HUB_ORIGIN}/account/`, { headers: { cookie } });
-    const res = handleAccountHomeGet(req, { db: harness.db, hubOrigin: HUB_ORIGIN });
+    const res = await handleAccountHomeGet(req, { db: harness.db, hubOrigin: HUB_ORIGIN });
     expect(res.status).toBe(302);
     expect(res.headers.get("location")).toBe("/login");
   });
+
+  test("renders the per-vault usage stat when usage resolves", async () => {
+    await createUser(harness.db, "admin", "admin-passphrase", { passwordChanged: true });
+    const friend = await createUser(harness.db, "alice", "alice-passphrase", {
+      allowMulti: true,
+      passwordChanged: true,
+      assignedVaults: ["alice"],
+    });
+    const session = createSession(harness.db, { userId: friend.id });
+    const cookie = buildSessionCookie(session.id, Math.floor(SESSION_TTL_MS / 1000));
+    const req = new Request(`${HUB_ORIGIN}/account/`, { headers: { cookie } });
+    const res = await handleAccountHomeGet(req, {
+      db: harness.db,
+      hubOrigin: HUB_ORIGIN,
+      resolveVaultPort: () => 1940,
+      // Stub the fetch: resolves to a known stat.
+      fetchUsage: async () => ({ notes: 7, totalBytes: 2 * 1024 * 1024 }),
+    });
+    expect(res.status).toBe(200);
+    const html = await res.text();
+    expect(html).toContain('data-testid="vault-usage"');
+    expect(html).toContain("7 notes · 2.0 MB");
+  });
+
+  test("omits the usage stat gracefully when the fetch fails (null)", async () => {
+    await createUser(harness.db, "admin", "admin-passphrase", { passwordChanged: true });
+    const friend = await createUser(harness.db, "alice", "alice-passphrase", {
+      allowMulti: true,
+      passwordChanged: true,
+      assignedVaults: ["alice"],
+    });
+    const session = createSession(harness.db, { userId: friend.id });
+    const cookie = buildSessionCookie(session.id, Math.floor(SESSION_TTL_MS / 1000));
+    const req = new Request(`${HUB_ORIGIN}/account/`, { headers: { cookie } });
+    const res = await handleAccountHomeGet(req, {
+      db: harness.db,
+      hubOrigin: HUB_ORIGIN,
+      resolveVaultPort: () => 1940,
+      fetchUsage: async () => null,
+    });
+    expect(res.status).toBe(200);
+    const html = await res.text();
+    // Tile still renders; just no usage stat.
+    expect(html).toContain("<strong>alice</strong>");
+    expect(html).not.toContain('data-testid="vault-usage"');
+  });
+
+  test("renders the 'Configure / back up this vault ↗' deep-link button for an assigned vault", async () => {
+    await createUser(harness.db, "admin", "admin-passphrase", { passwordChanged: true });
+    const friend = await createUser(harness.db, "alice", "alice-passphrase", {
+      allowMulti: true,
+      passwordChanged: true,
+      assignedVaults: ["alice"],
+    });
+    const session = createSession(harness.db, { userId: friend.id });
+    const cookie = buildSessionCookie(session.id, Math.floor(SESSION_TTL_MS / 1000));
+    const req = new Request(`${HUB_ORIGIN}/account/`, { headers: { cookie } });
+    const res = await handleAccountHomeGet(req, { db: harness.db, hubOrigin: HUB_ORIGIN });
+    expect(res.status).toBe(200);
+    const html = await res.text();
+    expect(html).toContain('data-testid="vault-admin-button"');
+    expect(html).toContain('action="/account/vault-admin-token/alice"');
+  });
 });

package/src/__tests__/api-invites.test.ts

@@ -0,0 +1,217 @@
+/**
+ * Admin API tests for `/api/invites*` (`api-invites.ts`).
+ *
+ *   - host:admin gate (403 without the scope)
+ *   - POST create → 201 with single-emit token + URL; defaults applied
+ *   - GET list → status-annotated, raw token NEVER present
+ *   - DELETE /:id → revoke; 409 when already terminal; 404 unknown
+ */
+import type { Database } from "bun:sqlite";
+import { afterEach, beforeEach, describe, expect, test } from "bun:test";
+import { mkdtempSync, rmSync, writeFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { handleCreateInvite, handleListInvites, handleRevokeInvite } from "../api-invites.ts";
+import { hubDbPath, openHubDb } from "../hub-db.ts";
+import { signAccessToken } from "../jwt-sign.ts";
+import { createUser } from "../users.ts";
+
+const ISSUER = "https://hub.test";
+const HOST_ADMIN_SCOPE = "parachute:host:admin";
+
+interface Harness {
+  db: Database;
+  manifestPath: string;
+  cleanup: () => void;
+}
+
+function makeHarness(): Harness {
+  const dir = mkdtempSync(join(tmpdir(), "phub-api-invites-"));
+  const db = openHubDb(hubDbPath(dir));
+  const manifestPath = join(dir, "services.json");
+  writeFileSync(manifestPath, JSON.stringify({ services: [] }));
+  return {
+    db,
+    manifestPath,
+    cleanup: () => {
+      db.close();
+      rmSync(dir, { recursive: true, force: true });
+    },
+  };
+}
+
+let harness: Harness;
+beforeEach(() => {
+  harness = makeHarness();
+});
+afterEach(() => {
+  harness.cleanup();
+});
+
+async function makeAdminBearer(scopes = [HOST_ADMIN_SCOPE]): Promise<string> {
+  const user = await createUser(harness.db, "operator", "operator-password-1", {
+    allowMulti: true,
+    passwordChanged: true,
+  });
+  const minted = await signAccessToken(harness.db, {
+    sub: user.id,
+    scopes,
+    audience: "hub",
+    clientId: "parachute-hub-spa",
+    issuer: ISSUER,
+    ttlSeconds: 600,
+  });
+  return minted.token;
+}
+
+function deps() {
+  return { db: harness.db, issuer: ISSUER, manifestPath: harness.manifestPath };
+}
+
+function withBearer(path: string, bearer: string, init: RequestInit = {}): Request {
+  const headers = new Headers(init.headers ?? {});
+  headers.set("authorization", `Bearer ${bearer}`);
+  return new Request(`${ISSUER}${path}`, { ...init, headers });
+}
+
+describe("/api/invites auth", () => {
+  test("403 without host:admin scope", async () => {
+    const bearer = await makeAdminBearer(["other:scope"]);
+    const res = await handleListInvites(withBearer("/api/invites", bearer), deps());
+    expect(res.status).toBe(403);
+  });
+});
+
+describe("POST /api/invites", () => {
+  test("201 with single-emit token + URL; defaults (write/provision/7d)", async () => {
+    const bearer = await makeAdminBearer();
+    const res = await handleCreateInvite(
+      withBearer("/api/invites", bearer, {
+        method: "POST",
+        headers: { "content-type": "application/json" },
+        body: JSON.stringify({}),
+      }),
+      deps(),
+    );
+    expect(res.status).toBe(201);
+    const body = (await res.json()) as {
+      invite: { id: string; status: string; role: string; provision_vault: boolean };
+      token: string;
+      url: string;
+    };
+    expect(body.token.length).toBeGreaterThan(40);
+    expect(body.url).toBe(`${ISSUER}/account/setup/${body.token}`);
+    expect(body.invite.role).toBe("write");
+    expect(body.invite.provision_vault).toBe(true);
+    expect(body.invite.status).toBe("pending");
+    // The id is the sha256 hash — never the raw token.
+    expect(body.invite.id).not.toBe(body.token);
+  });
+
+  test("400 on a bad role", async () => {
+    const bearer = await makeAdminBearer();
+    const res = await handleCreateInvite(
+      withBearer("/api/invites", bearer, {
+        method: "POST",
+        headers: { "content-type": "application/json" },
+        body: JSON.stringify({ role: "admin" }),
+      }),
+      deps(),
+    );
+    expect(res.status).toBe(400);
+  });
+
+  test("400 rejects a shared-vault invite (provision_vault=false + vault_name)", async () => {
+    // Defense in depth (FIX-1): assigning a redeemer to a PRE-EXISTING vault
+    // as owner-admin is a cross-tenant breach; shared-vault invites aren't
+    // supported yet, so the create handler refuses this combination outright.
+    const bearer = await makeAdminBearer();
+    const res = await handleCreateInvite(
+      withBearer("/api/invites", bearer, {
+        method: "POST",
+        headers: { "content-type": "application/json" },
+        body: JSON.stringify({ provision_vault: false, vault_name: "someoneelse" }),
+      }),
+      deps(),
+    );
+    expect(res.status).toBe(400);
+    const body = (await res.json()) as { error: string; error_description: string };
+    expect(body.error).toBe("invalid_request");
+    expect(body.error_description).toContain("shared-vault");
+  });
+
+  test("account-only invite (provision_vault=false, NO vault_name) is still allowed", async () => {
+    const bearer = await makeAdminBearer();
+    const res = await handleCreateInvite(
+      withBearer("/api/invites", bearer, {
+        method: "POST",
+        headers: { "content-type": "application/json" },
+        body: JSON.stringify({ provision_vault: false }),
+      }),
+      deps(),
+    );
+    expect(res.status).toBe(201);
+    const body = (await res.json()) as {
+      invite: { provision_vault: boolean; vault_name: string | null };
+    };
+    expect(body.invite.provision_vault).toBe(false);
+    expect(body.invite.vault_name).toBeNull();
+  });
+});
+
+describe("GET /api/invites", () => {
+  test("lists invites; raw token NEVER present in the wire shape", async () => {
+    const bearer = await makeAdminBearer();
+    const created = await handleCreateInvite(
+      withBearer("/api/invites", bearer, {
+        method: "POST",
+        headers: { "content-type": "application/json" },
+        body: JSON.stringify({ vault_name: "maya" }),
+      }),
+      deps(),
+    );
+    const createdBody = (await created.json()) as { token: string };
+    const list = await handleListInvites(withBearer("/api/invites", bearer), deps());
+    const body = (await list.json()) as { invites: { id: string }[] };
+    expect(body.invites.length).toBe(1);
+    // The raw token must not be recoverable from the list.
+    const json = JSON.stringify(body);
+    expect(json).not.toContain(createdBody.token);
+  });
+});
+
+describe("DELETE /api/invites/:id", () => {
+  test("revokes a pending invite; 409 if already revoked; 404 unknown", async () => {
+    const bearer = await makeAdminBearer();
+    const created = await handleCreateInvite(
+      withBearer("/api/invites", bearer, {
+        method: "POST",
+        headers: { "content-type": "application/json" },
+        body: JSON.stringify({}),
+      }),
+      deps(),
+    );
+    const { invite } = (await created.json()) as { invite: { id: string } };
+
+    const ok = await handleRevokeInvite(
+      withBearer(`/api/invites/${invite.id}`, bearer, { method: "DELETE" }),
+      invite.id,
+      deps(),
+    );
+    expect(ok.status).toBe(200);
+
+    const again = await handleRevokeInvite(
+      withBearer(`/api/invites/${invite.id}`, bearer, { method: "DELETE" }),
+      invite.id,
+      deps(),
+    );
+    expect(again.status).toBe(409);
+
+    const unknown = await handleRevokeInvite(
+      withBearer("/api/invites/deadbeef", bearer, { method: "DELETE" }),
+      "deadbeef",
+      deps(),
+    );
+    expect(unknown.status).toBe(404);
+  });
+});

package/src/__tests__/api-mint-token.test.ts

@@ -317,6 +317,32 @@ describe("POST /api/auth/mint-token (hub#212 Phase 1)", () => {
     }
   });
 
+  // Item C — case-insensitive non-requestable guard. An uppercase casing of a
+  // host-level scope must NOT bypass the non-requestable membership check (which
+  // was exact-string before). `PARACHUTE:HOST:AUTH` is now correctly rejected.
+  test("400 invalid_scope when minting an uppercase host scope (item C)", async () => {
+    const h = makeHarness();
+    try {
+      const { db, userId } = await bootstrap(h.dir);
+      try {
+        const op = await mintOperatorToken(db, userId, { issuer: ISSUER });
+        for (const variant of ["PARACHUTE:HOST:AUTH", "Parachute:Host:Admin"]) {
+          const resp = await handleApiMintToken(
+            jsonRequest({ scope: variant }, { authorization: `Bearer ${op.token}` }),
+            { db, issuer: ISSUER },
+          );
+          expect(resp.status).toBe(400);
+          const body = (await resp.json()) as { error: string };
+          expect(body.error).toBe("invalid_scope");
+        }
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
   test("400 invalid_scope when multi-scope includes a non-requestable", async () => {
     const h = makeHarness();
     try {
@@ -416,13 +442,13 @@ describe("POST /api/auth/mint-token (hub#212 Phase 1)", () => {
     }
   });
 
-  // A bare `vault:admin` (no vault name) is NOT a per-vault admin scope —
-  // the de-escalation exception only covers `vault:<name>:admin`. It isn't
-  // in the non-requestable set either, so it's treated as an ordinary
-  // (unnamed) scope and mints — but with the `vault` fallback audience, not
-  // a per-vault one. Pinned so a future regex loosening can't silently let
-  // an unnamed admin through the named-vault exemption.
-  test("bare vault:admin (no name) is not caught by the de-escalation exemption", async () => {
+  // Item B / hub#451 — bare `vault:admin` (no vault name) is NOT mintable on
+  // the headless path. The unnamed broad-admin form has no resource pin; the
+  // mint endpoint refuses it with 400 `invalid_scope` (even for a full host:admin
+  // operator). The legitimate path for a vault admin token is a resource-narrowed
+  // `vault:<name>:admin`. The OAuth flow still accepts bare `vault:admin` and
+  // narrows it via the picker — that path is unaffected (see oauth-handlers).
+  test("bare vault:admin (no name) → 400 (non-requestable headlessly, item B / #451)", async () => {
     const h = makeHarness();
     try {
       const { db, userId } = await bootstrap(h.dir);
@@ -432,9 +458,31 @@ describe("POST /api/auth/mint-token (hub#212 Phase 1)", () => {
           jsonRequest({ scope: "vault:admin" }, { authorization: `Bearer ${op.token}` }),
           { db, issuer: ISSUER },
         );
-        // `vault:admin` isn't a per-vault admin scope and isn't in the
-        // non-requestable set, so it mints as an ordinary scope. The point
-        // of this test is that it does NOT get a per-vault audience/pin.
+        expect(resp.status).toBe(400);
+        const body = (await resp.json()) as { error: string; error_description: string };
+        expect(body.error).toBe("invalid_scope");
+        expect(body.error_description).toContain("vault:admin");
+      } finally {
+        db.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  // Item B does NOT touch unnamed vault:read / vault:write — those carry no
+  // admin authority and remain mintable (regression guard for the narrow scope
+  // of the bare-admin block).
+  test("bare vault:read still mints headlessly (item B is admin-only)", async () => {
+    const h = makeHarness();
+    try {
+      const { db, userId } = await bootstrap(h.dir);
+      try {
+        const op = await mintOperatorToken(db, userId, { issuer: ISSUER });
+        const resp = await handleApiMintToken(
+          jsonRequest({ scope: "vault:read" }, { authorization: `Bearer ${op.token}` }),
+          { db, issuer: ISSUER },
+        );
         expect(resp.status).toBe(200);
         const body = (await resp.json()) as { token: string };
         const validated = await validateAccessToken(db, body.token, ISSUER);
@@ -745,6 +793,122 @@ describe("POST /api/auth/mint-token (hub#212 Phase 1)", () => {
         h.cleanup();
       }
     });
+
+    // Item A (subject-pin) — audit-attribution forgery. A non-operator
+    // (vault-admin-only) bearer may NOT override the minted token's `sub`:
+    // forging a foreign subject would mis-attribute the registry + revocation
+    // rows. It may still mint under its OWN sub (subject omitted / equal).
+    test("subject override by non-operator bearer → 403 (forgery blocked)", async () => {
+      const h = makeHarness();
+      try {
+        const { db, userId } = await bootstrap(h.dir);
+        try {
+          const bearer = await mintVaultAdminBearer(db, userId, "work");
+          const resp = await handleApiMintToken(
+            jsonRequest(
+              { scope: "vault:work:read", subject: "someone-else" },
+              { authorization: `Bearer ${bearer}` },
+            ),
+            { db, issuer: ISSUER },
+          );
+          expect(resp.status).toBe(403);
+          const body = (await resp.json()) as { error: string; error_description: string };
+          expect(body.error).toBe("insufficient_scope");
+          expect(body.error_description).toContain("non-operator");
+        } finally {
+          db.close();
+        }
+      } finally {
+        h.cleanup();
+      }
+    });
+
+    test("subject equal to own sub by non-operator bearer → 200 (no forgery)", async () => {
+      const h = makeHarness();
+      try {
+        const { db, userId } = await bootstrap(h.dir);
+        try {
+          const bearer = await mintVaultAdminBearer(db, userId, "work");
+          const resp = await handleApiMintToken(
+            jsonRequest(
+              { scope: "vault:work:read", subject: userId },
+              { authorization: `Bearer ${bearer}` },
+            ),
+            { db, issuer: ISSUER },
+          );
+          expect(resp.status).toBe(200);
+          const body = (await resp.json()) as { jti: string };
+          const row = db
+            .query<{ subject: string }, [string]>("SELECT subject FROM tokens WHERE jti = ?")
+            .get(body.jti);
+          expect(row?.subject).toBe(userId);
+        } finally {
+          db.close();
+        }
+      } finally {
+        h.cleanup();
+      }
+    });
+  });
+
+  // Item A (subject-pin) — the operator carve-out: a host operator
+  // (parachute:host:auth / parachute:host:admin) MAY override `sub` to stamp a
+  // service-account subject. This is the documented service-account override
+  // that the non-operator pin above must NOT break.
+  describe("subject override — operator carve-out (item A)", () => {
+    test("host:auth operator overrides subject → 200, registry row carries override", async () => {
+      const h = makeHarness();
+      try {
+        const { db, userId } = await bootstrap(h.dir);
+        try {
+          const op = await mintOperatorToken(db, userId, { issuer: ISSUER, scopeSet: "auth" });
+          const resp = await handleApiMintToken(
+            jsonRequest(
+              { scope: "vault:work:read", subject: "svc-account" },
+              { authorization: `Bearer ${op.token}` },
+            ),
+            { db, issuer: ISSUER },
+          );
+          expect(resp.status).toBe(200);
+          const body = (await resp.json()) as { jti: string; token: string };
+          const validated = await validateAccessToken(db, body.token, ISSUER);
+          expect(validated.payload.sub).toBe("svc-account");
+          const row = db
+            .query<{ subject: string }, [string]>("SELECT subject FROM tokens WHERE jti = ?")
+            .get(body.jti);
+          expect(row?.subject).toBe("svc-account");
+        } finally {
+          db.close();
+        }
+      } finally {
+        h.cleanup();
+      }
+    });
+
+    test("host:admin operator overrides subject → 200", async () => {
+      const h = makeHarness();
+      try {
+        const { db, userId } = await bootstrap(h.dir);
+        try {
+          const op = await mintOperatorToken(db, userId, { issuer: ISSUER });
+          const resp = await handleApiMintToken(
+            jsonRequest(
+              { scope: "vault:work:admin", subject: "svc-account" },
+              { authorization: `Bearer ${op.token}` },
+            ),
+            { db, issuer: ISSUER },
+          );
+          expect(resp.status).toBe(200);
+          const body = (await resp.json()) as { token: string };
+          const validated = await validateAccessToken(db, body.token, ISSUER);
+          expect(validated.payload.sub).toBe("svc-account");
+        } finally {
+          db.close();
+        }
+      } finally {
+        h.cleanup();
+      }
+    });
   });
 
   describe("capability attenuation — entry gate + regression", () => {
@@ -1051,6 +1215,91 @@ describe("POST /api/auth/mint-token (hub#212 Phase 1)", () => {
     });
   });
 
+  // Item D / hub#450 — vault-existence check on vault:<name>:admin mints.
+  describe("vault-existence check on vault:<name>:admin (item D / #450)", () => {
+    test("vault:typo:admin for an unknown vault → 400 when knownVaultNames is wired", async () => {
+      const h = makeHarness();
+      try {
+        const { db, userId } = await bootstrap(h.dir);
+        try {
+          const op = await mintOperatorToken(db, userId, { issuer: ISSUER });
+          const resp = await handleApiMintToken(
+            jsonRequest({ scope: "vault:typo:admin" }, { authorization: `Bearer ${op.token}` }),
+            { db, issuer: ISSUER, knownVaultNames: new Set(["work", "default"]) },
+          );
+          expect(resp.status).toBe(400);
+          const body = (await resp.json()) as { error: string; error_description: string };
+          expect(body.error).toBe("invalid_scope");
+          expect(body.error_description).toContain("typo");
+        } finally {
+          db.close();
+        }
+      } finally {
+        h.cleanup();
+      }
+    });
+
+    test("vault:work:admin for a KNOWN vault → 200", async () => {
+      const h = makeHarness();
+      try {
+        const { db, userId } = await bootstrap(h.dir);
+        try {
+          const op = await mintOperatorToken(db, userId, { issuer: ISSUER });
+          const resp = await handleApiMintToken(
+            jsonRequest({ scope: "vault:work:admin" }, { authorization: `Bearer ${op.token}` }),
+            { db, issuer: ISSUER, knownVaultNames: new Set(["work", "default"]) },
+          );
+          expect(resp.status).toBe(200);
+          const body = (await resp.json()) as { scope: string };
+          expect(body.scope).toBe("vault:work:admin");
+        } finally {
+          db.close();
+        }
+      } finally {
+        h.cleanup();
+      }
+    });
+
+    test("read/write for an unknown vault are NOT existence-checked (admin-only gate)", async () => {
+      const h = makeHarness();
+      try {
+        const { db, userId } = await bootstrap(h.dir);
+        try {
+          const op = await mintOperatorToken(db, userId, { issuer: ISSUER });
+          const resp = await handleApiMintToken(
+            jsonRequest({ scope: "vault:typo:read" }, { authorization: `Bearer ${op.token}` }),
+            { db, issuer: ISSUER, knownVaultNames: new Set(["work"]) },
+          );
+          expect(resp.status).toBe(200);
+        } finally {
+          db.close();
+        }
+      } finally {
+        h.cleanup();
+      }
+    });
+
+    test("knownVaultNames omitted → existence check skipped (back-compat)", async () => {
+      const h = makeHarness();
+      try {
+        const { db, userId } = await bootstrap(h.dir);
+        try {
+          const op = await mintOperatorToken(db, userId, { issuer: ISSUER });
+          const resp = await handleApiMintToken(
+            jsonRequest({ scope: "vault:typo:admin" }, { authorization: `Bearer ${op.token}` }),
+            { db, issuer: ISSUER },
+          );
+          // No knownVaultNames → the documented "caller responsible" fallback.
+          expect(resp.status).toBe(200);
+        } finally {
+          db.close();
+        }
+      } finally {
+        h.cleanup();
+      }
+    });
+  });
+
   test("405 on non-POST", async () => {
     const h = makeHarness();
     try {