@openparachute/hub 0.6.5-rc.7 → 0.7.0

package/src/hub-server.ts

@@ -15,7 +15,8 @@
  *
  *   # Pre-rename 301 back-compat (hub#231 — first so they preempt any
  *   # remaining handlers under /vault or /hub).
- *   /vault, /vault/, /vault/new                → 301 → /admin/vaults[/new]
+ *   /vault, /vault/, /vault/new                → 301 → /vault/admin/ (B5:
+ *                                                vault's daemon-level admin)
  *   /hub/vaults*                               → 301 → /admin/vaults*
  *   /hub/permissions                           → 301 → /admin/permissions
  *   /hub/tokens                                → 301 → /admin/tokens
@@ -43,8 +44,22 @@
  *
  *   # Admin API + bearer-mint surfaces (must precede /admin/* SPA mount).
  *   /vaults                       (POST)       → create vault
+ *   /vaults/<name>                (DELETE)     → destroy vault + identity cascade
+ *                                                 (B1: confirm body, host:admin,
+ *                                                 tokens/grants/user_vaults/invites/
+ *                                                 connections sweep, CLI remove,
+ *                                                 supervisor restart)
  *   /admin/host-admin-token       (GET)        → SPA bearer mint (cookie-gated)
  *   /admin/vault-admin-token/<n>  (GET)        → per-vault bearer mint (cookie-gated)
+ *   /admin/channel-token          (GET)        → channel UI bearer mint (cookie-gated)
+ *   /admin/module-token/<short>   (GET)        → generic module config-UI bearer mint <short>:admin (cookie-gated)
+ *   /api/connections/catalog      (GET)        → events/actions across installed modules (cookie-gated)
+ *   /admin/connections            (POST/GET)   → connection provision/list (cookie-gated; POST CSRF-belted)
+ *   /admin/connections/<id>       (DELETE)     → connection teardown (cookie-gated; CSRF-belted)
+ *
+ *   # "CSRF-belted" = strict same-origin Origin check on cookie-authed
+ *   # mutations (hub#632, boundary C1) — origin-check.ts
+ *   # `assertSameOriginForCookieMutation` carries the canonical enumeration.
  *   /api/me                       (GET)        → who-am-I (session+CSRF or hasSession:false)
  *   /api/hub                      (GET)        → hub version + uptime + install-source (host:admin)
  *   /api/hub/upgrade              (POST)       → SPA-driven hub self-upgrade → 202 + detached helper (host:admin, §5.3/D4)
@@ -94,6 +109,11 @@
  *   /admin/config*                             → 301 → /admin/vaults (legacy
  *                                                portal retired post-SPA-rework)
  *
+ *   # Vault MODULE daemon-level admin surface (B-route, 2026-06-09
+ *   # hub-module-boundary). Runs BEFORE the per-vault proxy; "admin" is a
+ *   # reserved vault name so no instance can claim the mount.
+ *   /vault/admin, /vault/admin/*               → proxy to the vault module's daemon
+ *
  *   # Per-vault content proxy (user-facing vault data: Notes PWA, MCP, etc.).
  *   /vault/<name>/*                            → proxy to the vault backend
  *
@@ -130,7 +150,13 @@ import pkg from "../package.json" with { type: "json" };
 import { handleAccountSetupGet, handleAccountSetupPost } from "./account-setup.ts";
 import { handleAccountVaultAdminTokenPost } from "./account-vault-admin-token.ts";
 import { handleAccountVaultTokenPost } from "./account-vault-token.ts";
+import { handleChannelToken } from "./admin-channel-token.ts";
 import { handleApproveClient, handleGetClient } from "./admin-clients.ts";
+import {
+  type ConnectionsDeps,
+  handleConnections,
+  handleConnectionsCatalog,
+} from "./admin-connections.ts";
 import { handleListGrants, handleRevokeGrant } from "./admin-grants.ts";
 import {
   handleAdminLoginGet,
@@ -139,8 +165,9 @@ import {
   handleAdminLogoutPost,
 } from "./admin-handlers.ts";
 import { handleHostAdminToken } from "./admin-host-admin-token.ts";
+import { handleModuleToken } from "./admin-module-token.ts";
 import { handleVaultAdminToken } from "./admin-vault-admin-token.ts";
-import { handleCreateVault } from "./admin-vaults.ts";
+import { handleCreateVault, handleDeleteVault } from "./admin-vaults.ts";
 import {
   handleAccountChangePasswordGet,
   handleAccountChangePasswordPost,
@@ -151,7 +178,6 @@ import { handleApiHub } from "./api-hub.ts";
 import { handleCreateInvite, handleListInvites, handleRevokeInvite } from "./api-invites.ts";
 import { handleApiMe } from "./api-me.ts";
 import { handleApiMintToken } from "./api-mint-token.ts";
-import { handleApiModulesConfig, parseModulesConfigPath } from "./api-modules-config.ts";
 import {
   getDefaultOperationsRegistry,
   handleInstall,
@@ -211,7 +237,7 @@ import {
   protectedResourceMetadata,
 } from "./oauth-handlers.ts";
 import { renderNotFoundPage } from "./oauth-ui.ts";
-import { buildHubBoundOrigins } from "./origin-check.ts";
+import { assertSameOriginForCookieMutation, buildHubBoundOrigins } from "./origin-check.ts";
 import { clearPid, writePid } from "./process-state.ts";
 import { toResponse as proxyErrorToResponse, renderProxyError } from "./proxy-error-ui.ts";
 import { classifyUpstream } from "./proxy-state.ts";
@@ -220,6 +246,7 @@ import {
   FIRST_PARTY_FALLBACKS,
   KNOWN_MODULES,
   effectivePublicExposure,
+  findServiceByShort,
   shortNameForManifest,
 } from "./service-spec.ts";
 import { type ServiceEntry, readManifest, readManifestLenient } from "./services-manifest.ts";
@@ -412,6 +439,45 @@ function hasVaultInstalled(manifestPath: string): boolean {
   }
 }
 
+/**
+ * Snapshot of every installed module's `.parachute/module.json` + its
+ * user-facing mount path, for the Connections engine (2026-06-09 modular-UI
+ * architecture, P5). Read at request time so a freshly-installed module's
+ * declared events/actions surface without a hub restart. A malformed manifest
+ * on one module is skipped (logged), never 500s the whole catalog — same
+ * posture as `/api/modules`.
+ *
+ * `mount` is the first non-`.parachute` services.json path (the proxied
+ * user-facing prefix, e.g. `/channel`), which the engine joins with a sink
+ * action's `endpoint` to build the hub-proxied webhook.
+ */
+async function collectInstalledModules(
+  manifestPath: string,
+  readManifestFn: (installDir: string) => Promise<ModuleManifest | null>,
+): Promise<import("./admin-connections.ts").InstalledModuleInfo[]> {
+  // Lenient — see hub#406.
+  const services = readManifestLenient(manifestPath).services;
+  const out: import("./admin-connections.ts").InstalledModuleInfo[] = [];
+  await Promise.all(
+    services.map(async (entry) => {
+      if (!entry.installDir) return;
+      const short = shortNameForManifest(entry.name) ?? entry.name;
+      const userPath = (entry.paths ?? []).find(
+        (p) => p !== "/.parachute" && !p.startsWith("/.parachute/"),
+      );
+      try {
+        const manifest = await readManifestFn(entry.installDir);
+        if (!manifest) return;
+        out.push({ short, manifest, mount: userPath ?? null });
+      } catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        console.warn(`connections: skipping module ${short}: ${msg}`);
+      }
+    }),
+  );
+  return out;
+}
+
 /**
  * The trust layer a request arrived through. Hub binds `127.0.0.1:1939`, so
  * every request reaches it via one of three trusted forwarders (or directly
@@ -698,6 +764,50 @@ async function proxyToVault(
   return proxyRequest(req, match.port, "vault", "vault", supervisor, targetPath);
 }
 
+/**
+ * Reverse-proxy `/vault/admin` + `/vault/admin/*` to the vault MODULE's
+ * daemon — the daemon-level multi-vault admin surface (B-route, 2026-06-09
+ * hub-module-boundary migration), NOT a per-instance path.
+ *
+ * Resolution is via `findServiceByShort(services, "vault")` (the canonical
+ * self-registered `parachute-vault` row — same shape as the channelEntry
+ * lookup in the Connections deps), deliberately NOT `findVaultUpstream`:
+ * vault must NOT self-register `/vault/admin` in `paths[]`, because every
+ * consumer that derives instance names from paths (`vaultInstanceNameFor`,
+ * the well-known vaults[] fan-out, `findExistingVault`, the mint
+ * allowlists, the users vault-picker) would fabricate a phantom vault named
+ * "admin". The mount is hub-owned and gated on the B2h `admin` name
+ * reservation, so no real instance can ever claim it.
+ *
+ * Applies the SAME `publicExposure: "loopback"` 404-cloak as `proxyToVault`
+ * (the per-vault proxy's only layer-gate; "allowed"/"auth-required" pass
+ * through and the daemon self-gates). Vault's row declares no `stripPrefix`
+ * — the FULL path forwards, so the daemon's own `/vault/admin` routing
+ * branch (vault wave, B3) serves it.
+ *
+ * Returns `undefined` when no vault module is installed (caller 404s).
+ * NOTE: legacy per-instance rows named `parachute-vault-<name>` don't
+ * resolve through `findServiceByShort` (it only knows the canonical
+ * manifest name) — on such an install this surface 404s until vault's boot
+ * selfRegister rewrites the canonical row, which is the documented
+ * old-install degradation, not a routing hole.
+ */
+async function proxyToVaultAdmin(
+  req: Request,
+  manifestPath: string,
+  supervisor: Supervisor | undefined,
+  peerAddr: string | null,
+): Promise<Response | undefined> {
+  // Lenient — see hub#406 (same posture as proxyToVault).
+  const services = readManifestLenient(manifestPath).services;
+  const entry = findServiceByShort(services, "vault");
+  if (!entry) return undefined;
+  if (effectivePublicExposure(entry) === "loopback" && layerOf(req, peerAddr) !== "loopback") {
+    return new Response("not found", { status: 404 });
+  }
+  return proxyRequest(req, entry.port, "vault", "vault", supervisor);
+}
+
 /**
  * Resolve which (non-vault) ServiceEntry should handle a given request.
  * Generic longest-prefix match across every service's `paths[]`. Vault
@@ -784,15 +894,15 @@ async function proxyToService(
   ) {
     return new Response("not found", { status: 404 });
   }
-  // Consult FIRST_PARTY_FALLBACKS as a fallback for `stripPrefix` (#196).
-  // Pre-hub#310, scribe's `stripPrefix: true` lived only in hub's vendored
-  // fallback; post-#310 scribe self-registers with `stripPrefix: true` on
-  // its row, so the entry-based path is authoritative for scribe. The
-  // fallback consultation now matters only for notes / channel
-  // (FIRST_PARTY_FALLBACKS shorts that haven't yet self-registered with
-  // the canonical declaration). Explicit-on-entry still wins; absent →
-  // fallback → false (preserving the keep-prefix default for unknown
-  // services).
+  // Consult FIRST_PARTY_FALLBACKS / KNOWN_MODULES as a fallback for
+  // `stripPrefix` (#196). Pre-hub#310, scribe's `stripPrefix: true` lived
+  // only in hub's vendored fallback; post-#310 scribe (and post-D3 channel)
+  // self-register with `stripPrefix: true` on their rows, so the entry-based
+  // path is authoritative. The registry consultation now matters only for
+  // notes (the remaining FALLBACK short) and legacy rows written before the
+  // module emitted the field (KNOWN_MODULES canonicalStripPrefix).
+  // Explicit-on-entry still wins; absent → fallback → false (preserving the
+  // keep-prefix default for unknown services).
   const stripPrefix = stripPrefixFor(match.entry);
   const targetPath = stripPrefix ? url.pathname.slice(match.mount.length) || "/" : undefined;
   // Resolve canonical short for classification — falls back to the
@@ -807,14 +917,15 @@ async function proxyToService(
 /**
  * Resolve effective `stripPrefix` for a service entry. Explicit on-entry
  * wins; otherwise consult `FIRST_PARTY_FALLBACKS` keyed by short name (for
- * notes / channel — vault/scribe/runner retired their FALLBACK entries in
- * hub#310 and self-register with the canonical `stripPrefix` declaration on
- * their services.json row). `KNOWN_MODULES[short]?.canonicalStripPrefix`
- * is the next fallback — covers the edge case where a self-registering
- * module wrote its row before the `stripPrefix` field was being emitted
- * (e.g. pre-scribe#50 services.json rows). Defaults to `false` — keep the
- * prefix — matching the pre-#196 dispatch behavior for unknown / third-
- * party services.
+ * notes — vault/scribe/runner retired their FALLBACK entries in hub#310,
+ * channel in boundary D3; all self-register with the canonical `stripPrefix`
+ * declaration on their services.json row).
+ * `KNOWN_MODULES[short]?.canonicalStripPrefix` is the next fallback — covers
+ * the edge case where a self-registering module wrote its row before the
+ * `stripPrefix` field was being emitted (e.g. pre-scribe#50 or pre-D3
+ * channel services.json rows). Defaults to `false` — keep the prefix —
+ * matching the pre-#196 dispatch behavior for unknown / third-party
+ * services.
  *
  * For a self-registering KNOWN_MODULES short whose row is missing entirely
  * (uninstalled, never booted), the request never reaches this code path —
@@ -873,6 +984,11 @@ export interface HubFetchDeps {
    * the doc reflect `parachute vault create` etc. without re-running expose.
    */
   manifestPath?: string;
+  /**
+   * Path to `connections.json` (the Connections store, P5). Tests point this
+   * at a tmpdir; production defaults to `<CONFIG_DIR>/connections.json`.
+   */
+  connectionsStorePath?: string;
   /**
    * Directory containing the built SPA bundle (`index.html` + `assets/`). When
    * absent, the hub auto-resolves to `<repo>/web/ui/dist/` — handy for the
@@ -1024,8 +1140,9 @@ function defaultSpaDistDir(): string {
  * The admin SPA serves at a single mount: `/admin/*` (since hub#231).
  *
  * Routes:
- *   - `/admin/vaults`       → vault list (the SPA's home)
- *   - `/admin/vaults/new`   → vault create form
+ *   - `/admin/`             → Home (the admin-shell overview)
+ *   - `/admin/vaults`       → legacy vault list; feature-detects a new-manifest
+ *                             vault and forwards to `/vault/admin/` (B5)
  *   - `/admin/permissions`  → OAuth consent grant management
  *   - `/admin/tokens`       → token registry: mint / list / revoke
  *
@@ -1497,11 +1614,17 @@ export function hubFetch(
     async function dispatch(): Promise<Response> {
       // 301 back-compat for the pre-hub#231 admin-SPA mounts:
       //
-      //   `/vault`            → `/admin/vaults`
-      //   `/vault/new`        → `/admin/vaults/new`
+      //   `/vault`, `/vault/new` → `/vault/admin/` (vault's own daemon-level
+      //                        admin surface — B5, 2026-06-09 hub-module-
+      //                        boundary migration. These pointed at
+      //                        `/admin/vaults[/new]` until B5; with the
+      //                        list+create UX module-owned, pointing DIRECTLY
+      //                        at the target avoids a redirect → SPA-load →
+      //                        client-side-forward chain)
       //   `/hub/vaults*`      → `/admin/vaults*` (this redirect predates #231;
-      //                        it now retargets at the new admin mount instead
-      //                        of the interim `/vault` mount)
+      //                        /admin/vaults survives as the feature-detected
+      //                        legacy list, so the target stays valid on both
+      //                        old-vault and new-vault boxes)
       //   `/hub/permissions`  → `/admin/permissions`
       //   `/hub/tokens`       → `/admin/tokens`
       //   `/hub` (bare)       → `/admin/vaults`
@@ -1513,12 +1636,13 @@ export function hubFetch(
       // POST endpoint to protect.
       //
       // `/vault/<name>/*` is INTENTIONALLY excluded — that's the per-vault
-      // content proxy (Notes PWA, etc.), not the admin SPA. Stays where it is.
+      // content proxy (Notes PWA, etc.), not the admin SPA. The exact-match
+      // condition here also never touches `/vault/admin*` — the daemon-level
+      // mount dispatched further down.
       if (pathname === "/vault" || pathname === "/vault/" || pathname === "/vault/new") {
-        const sub = pathname === "/vault/new" ? "/new" : "";
         return new Response("", {
           status: 301,
-          headers: { location: `/admin/vaults${sub}${url.search}` },
+          headers: { location: `/vault/admin/${url.search}` },
         });
       }
       if (pathname === "/hub/vaults" || pathname.startsWith("/hub/vaults/")) {
@@ -1627,8 +1751,11 @@ export function hubFetch(
             // succeeding, so `probeDbLiveness` alone would report `db:"ok"` on a
             // database that's gone from disk (the /health lie the issue calls
             // out). `probeDbPath` stat()s the path + compares inodes; on a
-            // gone/replaced verdict it ALSO self-heals (reopen-or-exit) and we
-            // surface the fault so the #591 adoption probe + monitoring see it.
+            // "replaced" verdict it self-heals in-place (reopen-or-exit, adopt
+            // the new inode); on a "gone" verdict it exits the process directly
+            // (#621 — a full wipe needs a clean platform-manager restart, not an
+            // empty-db reopen). Either way we surface the fault so the #591
+            // adoption probe + monitoring see it.
             const pathVerdict = deps?.probeDbPath?.();
             if (pathVerdict === "gone" || pathVerdict === "replaced") {
               // One-request anomaly on "replaced": probeDbPath already healed the
@@ -1792,7 +1919,35 @@ export function hubFetch(
         );
       }
 
-      if (pathname === "/" || pathname === "/hub.html") {
+      // Bare `/` → `/admin` (admin-shell IA, R1). The home page and the admin
+      // SPA used to be two disconnected surfaces; `/` now funnels straight into
+      // the single coherent admin shell, whose Home/Overview carries the
+      // discovery content (hub-native sections, modules, user surfaces) that
+      // used to live here.
+      //
+      // Ordering matters: this sits AFTER the fresh-hub wizard funnel above
+      // (so a brand-new operator still lands on `/admin/setup`, not a 404 inside
+      // the shell) and AFTER the pre-admin lockout (so an admin-less hub still
+      // 503s API callers correctly). 302 (not 301) — `/` is reclaimed for
+      // future use, but a permanent redirect would get cached and we may want
+      // `/` back later.
+      //
+      // The signed-out path is preserved: a signed-out visitor lands on
+      // `/admin`, where the SPA's AuthIndicator shows a "Sign in" link that
+      // round-trips through `/login?next=/admin/...` and back. We don't pin the
+      // redirect on session state — the shell handles both auth states itself.
+      //
+      // `/hub.html` is INTENTIONALLY excluded: it still renders the discovery
+      // page (used by the static `parachute expose --set-path=/` disk file and
+      // any bookmark to the explicit `.html`). Only the bare `/` redirects.
+      if (pathname === "/") {
+        return new Response(null, {
+          status: 302,
+          headers: { location: "/admin" },
+        });
+      }
+
+      if (pathname === "/hub.html") {
         // When a DB is configured, render the discovery page dynamically so
         // the header carries a "Signed in as <name>" affordance for the
         // active session. Without a DB, fall back to the static disk file
@@ -2060,6 +2215,46 @@ export function hubFetch(
         });
       }
 
+      // DELETE /vaults/<name> — destroy a vault with the full identity
+      // cascade (B1, 2026-06-09 hub-module-boundary: lifecycle symmetry).
+      // Bearer parachute:host:admin + {"confirm": "<name>"} body. See
+      // admin-vaults.handleDeleteVault for the enumerated cascade.
+      if (pathname.startsWith("/vaults/")) {
+        if (!getDb) return dbNotConfigured();
+        const name = decodeURIComponent(pathname.slice("/vaults/".length));
+        const services = readManifestLenient(manifestPath).services;
+        // Channel's row carries its MANIFEST name — resolve via
+        // findServiceByShort (see the /admin/connections note below).
+        const channelEntry = findServiceByShort(services, "channel");
+        const channelOrigin = channelEntry ? `http://127.0.0.1:${channelEntry.port}` : null;
+        const resolveVaultOrigin = (vaultName: string): string | null => {
+          const match = findVaultUpstream(
+            readManifestLenient(manifestPath).services,
+            `/vault/${vaultName}`,
+          );
+          return match ? `http://127.0.0.1:${match.port}` : null;
+        };
+        const supervisor = deps?.supervisor;
+        return handleDeleteVault(req, name, {
+          db: getDb(),
+          issuer: oauthDeps(req).issuer,
+          manifestPath,
+          connectionsStorePath: deps?.connectionsStorePath ?? join(CONFIG_DIR, "connections.json"),
+          channelOrigin,
+          resolveVaultOrigin,
+          // Daemon eviction — the same in-process supervisor the lifecycle
+          // verbs drive (module-ops API); restarting vault evicts the open
+          // store handle + re-runs selfRegister (services.json path rebuild).
+          ...(supervisor
+            ? {
+                restartVaultModule: async () => {
+                  await supervisor.restart("vault");
+                },
+              }
+            : {}),
+        });
+      }
+
       // Note: the old `/hub/*` SPA mount has been retired. Known prefixes
       // (`/hub`, `/hub/vaults*`, `/hub/permissions`, `/hub/tokens`) are
       // 301-redirected at the top of dispatch. Any other `/hub/*` path falls
@@ -2073,6 +2268,97 @@ export function hubFetch(
         });
       }
 
+      if (pathname === "/admin/channel-token") {
+        if (!getDb) return dbNotConfigured();
+        return handleChannelToken(req, {
+          db: getDb(),
+          issuer: oauthDeps(req).issuer,
+        });
+      }
+
+      // Generic per-module config-UI bearer mint (2026-06-09 modular-UI
+      // architecture, P3). `<short>:admin` for any single-audience module —
+      // the admin scope each module-owned config UI needs to call its own
+      // endpoints. Cookie-gated to the first-admin operator, exactly like
+      // /admin/channel-token + /admin/vault-admin-token. Gated on
+      // self-registration (services.json row + readable module.json) with the
+      // bootstrap registries as a fallback (boundary C5) — a genuinely
+      // third-party module mints here with zero hub code changes. Vault is
+      // per-instance and routed to /admin/vault-admin-token/<name> instead.
+      if (pathname.startsWith("/admin/module-token/")) {
+        if (!getDb) return dbNotConfigured();
+        const short = decodeURIComponent(pathname.slice("/admin/module-token/".length));
+        return handleModuleToken(req, short, {
+          db: getDb(),
+          issuer: oauthDeps(req).issuer,
+          // Lenient + per-request — a module that self-registered since hub
+          // boot is mintable without a restart (see hub#406 for lenient).
+          readServices: () => readManifestLenient(manifestPath).services,
+          ...(deps?.readModuleManifest ? { readModuleManifest: deps.readModuleManifest } : {}),
+        });
+      }
+
+      // Note: the legacy `/admin/channels` bespoke vault-channel orchestration
+      // endpoint (pre-Connections, hub#624 era) was retired in boundary D1 —
+      // superseded by the general engine below. Channel's own admin page
+      // drives `/admin/connections` + `/admin/channel-token`.
+
+      // Connections — the GENERAL module event→action engine (2026-06-09
+      // modular-UI architecture, P5). `/api/connections/catalog` (GET) returns
+      // the available events/actions read from each installed module's
+      // `module.json`; `/admin/connections` (GET/POST) lists + provisions;
+      // `/admin/connections/:id` (DELETE) tears down. Cookie-gated to the
+      // first-admin operator. The provisioning engine derives the vault
+      // trigger's webhook + scope from the SINK action's declaration —
+      // nothing is channel-hardcoded.
+      if (
+        pathname === "/api/connections/catalog" ||
+        pathname === "/admin/connections" ||
+        pathname.startsWith("/admin/connections/")
+      ) {
+        if (!getDb) return dbNotConfigured();
+        const services = readManifestLenient(manifestPath).services;
+        // Channel's services.json row carries its MANIFEST name
+        // (`parachute-channel`), not the bare short `channel` — resolve via
+        // findServiceByShort so the lookup matches the on-disk row. (A bare
+        // `s.name === "channel"` never matched, leaving channelOrigin null →
+        // "channel not installed".)
+        const channelEntry = findServiceByShort(services, "channel");
+        const channelOrigin = channelEntry ? `http://127.0.0.1:${channelEntry.port}` : null;
+        const resolveVaultOrigin = (vaultName: string): string | null => {
+          const match = findVaultUpstream(
+            readManifestLenient(manifestPath).services,
+            `/vault/${vaultName}`,
+          );
+          return match ? `http://127.0.0.1:${match.port}` : null;
+        };
+        const readManifestFn = deps?.readModuleManifest ?? defaultReadModuleManifest;
+        const modules = await collectInstalledModules(manifestPath, readManifestFn);
+        const connectionsDeps: ConnectionsDeps = {
+          db: getDb(),
+          hubOrigin: oauthDeps(req).issuer,
+          modules,
+          resolveVaultOrigin,
+          channelOrigin,
+          storePath: deps?.connectionsStorePath ?? join(CONFIG_DIR, "connections.json"),
+        };
+        if (pathname === "/api/connections/catalog") {
+          return handleConnectionsCatalog(req, connectionsDeps);
+        }
+        // CSRF belt (hub#632, boundary C1): cookie-authed POST/DELETE must
+        // carry a matching Origin. The seam's canonical consumer — channel's
+        // admin page POSTing link-vault with `credentials: "include"` — is a
+        // same-origin fetch() and passes; see origin-check.ts
+        // `assertSameOriginForCookieMutation` for the belted-endpoint
+        // enumeration.
+        {
+          const rejected = assertSameOriginForCookieMutation(req, oauthDeps(req).hubBoundOrigins());
+          if (rejected) return rejected;
+        }
+        const subPath = pathname.slice("/admin/connections".length);
+        return handleConnections(req, subPath, connectionsDeps);
+      }
+
       if (pathname.startsWith("/admin/vault-admin-token/")) {
         if (!getDb) return dbNotConfigured();
         const vaultName = decodeURIComponent(pathname.slice("/admin/vault-admin-token/".length));
@@ -2215,28 +2501,12 @@ export function hubFetch(
         });
       }
 
-      // Per-module config surface (hub#260) — schema + values GET, values PUT.
-      // Sits ahead of the install/restart/upgrade/uninstall switch below so
-      // `/api/modules/<short>/config[/schema]` doesn't fall into the default-
-      // branch 404 (`parseModulesPath` only matches the action-suffix shape,
-      // not the `config` / `config/schema` shape).
-      //
-      // Diverges from the action endpoints in two ways: doesn't require a
-      // supervisor (we just proxy to the running module's HTTP surface, not
-      // spawn a child), and mints a `<short>:admin` token at proxy time so
-      // the upstream auth gate is satisfied without forcing the SPA bearer
-      // to carry per-module scopes.
-      {
-        const configMatch = parseModulesConfigPath(pathname);
-        if (configMatch) {
-          if (!getDb) return dbNotConfigured();
-          return handleApiModulesConfig(req, configMatch, {
-            db: getDb(),
-            issuer: oauthDeps(req).issuer,
-            manifestPath: deps?.manifestPath ?? SERVICES_MANIFEST_PATH,
-          });
-        }
-      }
+      // NOTE: the hub-hosted generic per-module config proxy
+      // (`/api/modules/<short>/config[/schema]`) + its SPA form were RETIRED in
+      // the 2026-06-09 modular-UI architecture P3. Config is module-owned +
+      // hub-framed now: the Modules page "Configure" action opens the module's
+      // OWN config UI (`configUiUrl`), which mints its admin Bearer from the
+      // cookie-gated `/admin/module-token/<short>` (or `/admin/channel-token`).
 
       // Per-module action endpoints: /api/modules/:short/{install,restart,upgrade,uninstall}.
       if (pathname.startsWith("/api/modules/")) {
@@ -2666,8 +2936,10 @@ export function hubFetch(
       }
 
       // Legacy `/admin/config` (server-rendered module-config portal, #46)
-      // retired post-SPA-rework. 301 → the SPA home so any bookmark or stale
-      // post-login redirect lands somewhere useful. The route stays here in
+      // retired post-SPA-rework. 301 → /admin/vaults so any bookmark or stale
+      // post-login redirect lands somewhere useful (post-B5 that's the
+      // feature-detected vaults surface — legacy list on an old-vault box,
+      // forward to /vault/admin/ on a new one). The route stays here in
       // dispatch order (above the /admin/* SPA catch-all) so the redirect
       // wins over a SPA shell render.
       if (pathname === "/admin/config" || pathname.startsWith("/admin/config/")) {
@@ -2677,10 +2949,31 @@ export function hubFetch(
         });
       }
 
+      // /vault/admin + /vault/admin/* — the vault MODULE's daemon-level
+      // admin surface (B-route, 2026-06-09 hub-module-boundary). MUST run
+      // BEFORE the per-vault proxy dispatch below: this is a module-level
+      // mount, not an instance path. "admin" is a reserved vault name (B2h)
+      // so no instance can claim it, and `findVaultUpstream` never sees it —
+      // no consumer fabricates a phantom vault named "admin". Exact-segment
+      // match only: a vault instance named e.g. "adminx" still routes
+      // per-instance through the branch below.
+      if (pathname === "/vault/admin" || pathname.startsWith("/vault/admin/")) {
+        // Same per-request force-change-password gate as the per-vault proxy
+        // (P0-1 / hub#469) — a pre-rotation signed-in user can't reach the
+        // multi-vault admin surface on an un-rotated temp password either.
+        if (getDb) {
+          const gate = forceChangePasswordGate(getDb(), req);
+          if (gate) return gate;
+        }
+        const proxied = await proxyToVaultAdmin(req, manifestPath, deps?.supervisor, peerAddr);
+        if (proxied) return decorateWithChrome(proxied, req, pathname, getDb);
+        return new Response("not found", { status: 404 });
+      }
+
       // /vault/<name>/* — per-vault content proxy. Stays as user-facing
       // surface (the Notes PWA loads through here, etc.). The bare `/vault`
       // and `/vault/new` paths were SPA routes pre-#231; they 301-redirect at
-      // the top of dispatch now. Multi-segment requests like
+      // the top of dispatch now (to `/vault/admin/` since B5). Multi-segment requests like
       // `/vault/<unknown>/health` are vault-API shapes targeting a
       // non-existent vault and 404 directly — there's no SPA-shell fallback
       // here anymore (the SPA moved to /admin), so we can't accidentally
@@ -2710,9 +3003,9 @@ export function hubFetch(
       // SPA's own router renders the page and handles 404 client-side for
       // unknown sub-paths.
       if (pathname === "/admin" || pathname === "/admin/") {
-        // Unprefixed /admin → SPA shell pointed at the vault list (its home).
-        // The SPA's basename is /admin, so the router will land on / and
-        // render VaultsList.
+        // Unprefixed /admin → SPA shell at its index route. The SPA's
+        // basename is /admin, so the router lands on / and renders Home
+        // (the admin-shell overview).
         if (req.method !== "GET") return new Response("method not allowed", { status: 405 });
         return serveSpa(spaDistDir, pathname, "/admin");
       }

package/src/invites.ts

@@ -289,3 +289,25 @@ export function revokeInvite(db: Database, tokenHash: string, now: Date = new Da
     .run(now.toISOString(), tokenHash);
   return res.changes > 0;
 }
+
+/**
+ * Vault-delete cascade step (B1, 2026-06-09 hub-module-boundary): invalidate
+ * every UNREDEEMED invite pinned to the deleted vault. An un-revoked pending
+ * invite carrying `vault_name = <deleted>` would re-provision (resurrect)
+ * the name on redemption — the cascade must close that door. Used/already-
+ * revoked invites are untouched (terminal states). `vault_name` is an exact
+ * `=` comparison — no pattern matching. Returns the number of invites
+ * newly revoked.
+ */
+export function revokeInvitesForVault(
+  db: Database,
+  vaultName: string,
+  now: Date = new Date(),
+): number {
+  const res = db
+    .prepare(
+      "UPDATE invites SET revoked_at = ? WHERE vault_name = ? AND used_at IS NULL AND revoked_at IS NULL",
+    )
+    .run(now.toISOString(), vaultName);
+  return Number(res.changes);
+}