@openparachute/hub 0.6.5-rc.8 → 0.7.1

package/src/__tests__/module-manifest.test.ts

@@ -31,6 +31,104 @@ describe("validateModuleManifest", () => {
     expect(() => validateModuleManifest([1, 2], "where")).toThrow(/root must be an object/);
   });
 
+  test("parses connectionTemplates (boundary D2 — channel's link-to-vault shape)", () => {
+    const m = validateModuleManifest(
+      {
+        ...VALID,
+        connectionTemplates: [
+          {
+            key: "link-to-vault",
+            title: "Link a channel to a vault",
+            description: "Back a channel with a vault.",
+            requestedBy: "channel",
+            source: {
+              module: "vault",
+              event: "note.created",
+              filter: { tags: ["#channel-message/inbound"] },
+            },
+            sink: { module: "channel", action: "message.deliver" },
+            parameters: [
+              { key: "vault", target: "source.vault", title: "Vault" },
+              { key: "channel", target: "sink.params.channel", example: "eng" },
+            ],
+          },
+        ],
+      },
+      "test",
+    );
+    const t = m.connectionTemplates?.[0];
+    expect(t?.key).toBe("link-to-vault");
+    expect(t?.source).toEqual({
+      module: "vault",
+      event: "note.created",
+      filter: { tags: ["#channel-message/inbound"] },
+    });
+    expect(t?.sink).toEqual({ module: "channel", action: "message.deliver" });
+    expect(t?.parameters?.[1]).toEqual({
+      key: "channel",
+      target: "sink.params.channel",
+      example: "eng",
+    });
+  });
+
+  test('accepts a source/sink-less config template (scribe\'s kind: "config" shape)', () => {
+    // Scribe's real module.json ships a `kind: "config"` template with
+    // provider/target instead of source/sink. The validator must NOT reject
+    // it (a strict source/sink requirement would make every read of scribe's
+    // manifest throw — install, catalog, lifecycle).
+    const m = validateModuleManifest(
+      {
+        ...VALID,
+        connectionTemplates: [
+          {
+            key: "link-to-vault",
+            kind: "config",
+            title: "Auto-transcribe a vault's audio",
+            requestedBy: "demo",
+            provider: { module: "demo", action: "transcribe" },
+            target: { module: "vault", setting: "auto_transcribe.enabled" },
+            parameters: [{ key: "vault", target: "target.vault", title: "Vault" }],
+          },
+        ],
+      },
+      "test",
+    );
+    const t = m.connectionTemplates?.[0];
+    expect(t?.kind).toBe("config");
+    expect(t?.source).toBeUndefined();
+    expect(t?.sink).toBeUndefined();
+    expect(t?.parameters?.[0]?.target).toBe("target.vault");
+  });
+
+  test("rejects malformed connectionTemplates", () => {
+    expect(() => validateModuleManifest({ ...VALID, connectionTemplates: "x" }, "t")).toThrow(
+      /connectionTemplates/,
+    );
+    expect(() =>
+      validateModuleManifest(
+        { ...VALID, connectionTemplates: [{ key: "k", title: "T", source: {}, sink: {} }] },
+        "t",
+      ),
+    ).toThrow(/source\.module/);
+    expect(() =>
+      validateModuleManifest(
+        {
+          ...VALID,
+          connectionTemplates: [
+            {
+              key: "k",
+              title: "T",
+              source: { module: "vault", event: "note.created" },
+              sink: { module: "channel", action: "message.deliver" },
+              parameters: [{ key: "p" }],
+            },
+          ],
+        },
+        "t",
+      ),
+    ).toThrow(/parameters\[0\]\.target/);
+  });
+
   test("rejects missing required fields", () => {
     expect(() => validateModuleManifest({ ...VALID, name: undefined }, "x")).toThrow(/name/);
     expect(() => validateModuleManifest({ ...VALID, port: -1 }, "x")).toThrow(/port/);
@@ -127,19 +225,216 @@ describe("validateModuleManifest", () => {
     expect(m.managementUrl).toBe("https://admin.example.com/");
   });
 
-  test("managementUrl rejects empty / non-string / non-url-or-path", () => {
+  test("managementUrl accepts the relative (per-instance) form — B4", () => {
+    // Unified URL semantics (2026-06-09 hub-module-boundary, B4): a relative
+    // path (no leading slash) is the per-instance form resolvers join under
+    // the module's mount. Vault's new manifest declares `"admin/"`.
+    expect(validateModuleManifest({ ...VALID, managementUrl: "admin/" }, "x").managementUrl).toBe(
+      "admin/",
+    );
+    expect(
+      validateModuleManifest({ ...VALID, managementUrl: "deep/admin" }, "x").managementUrl,
+    ).toBe("deep/admin");
+  });
+
+  test("managementUrl rejects empty / non-string / bad-scheme / traversal", () => {
     expect(() => validateModuleManifest({ ...VALID, managementUrl: "" }, "x")).toThrow(
       /managementUrl/,
     );
     expect(() => validateModuleManifest({ ...VALID, managementUrl: 7 }, "x")).toThrow(
       /managementUrl/,
     );
-    expect(() =>
-      validateModuleManifest({ ...VALID, managementUrl: "no-leading-slash" }, "x"),
-    ).toThrow(/path starting with "\/" or a full http\(s\) URL/);
     expect(() =>
       validateModuleManifest({ ...VALID, managementUrl: "ftp://example.com" }, "x"),
     ).toThrow(/http:.*https:/);
+    // Scheme-bearing non-URL strings must not smuggle through as "relative".
+    expect(() =>
+      validateModuleManifest({ ...VALID, managementUrl: "javascript:alert(1)" }, "x"),
+    ).toThrow(/managementUrl/);
+    // The relative form can only deepen its mount — no `..` traversal.
+    expect(() =>
+      validateModuleManifest({ ...VALID, managementUrl: "../other/admin" }, "x"),
+    ).toThrow(/\.\./);
+    // Backslash-traversal closure: WHATWG URL parsing treats `\` as `/` in
+    // http(s) schemes, so `a\..\b` would normalize to `a/../b` post-join and
+    // pop a segment past the `..`-segment check. Any backslash → invalid.
+    expect(() => validateModuleManifest({ ...VALID, managementUrl: "a\\..\\b" }, "x")).toThrow(
+      /backslash/,
+    );
+  });
+
+  test("percent-encoded ..%2f is inert in the relative form (URL base-join doesn't decode)", () => {
+    // The validator ACCEPTS `..%2f...` — it isn't a literal ".." segment and
+    // needs no guard, because `new URL()` does not decode percent-escapes
+    // during base-join: the segment stays the literal "..%2fadmin" and never
+    // traverses. Pin the resolution behavior the safety argument rests on.
+    const m = validateModuleManifest({ ...VALID, managementUrl: "..%2fadmin" }, "x");
+    expect(m.managementUrl).toBe("..%2fadmin");
+    const joined = new URL("/vault/default/..%2fadmin", "https://x.example/");
+    expect(joined.pathname).toBe("/vault/default/..%2fadmin"); // no segment popped
+  });
+
+  // --- 2026-06-09 modular-UI architecture P1 fields: focus / configUiUrl /
+  //     adminCapabilities / events / actions. All optional + additive. ---
+
+  test("focus accepts core / experimental and rejects anything else", () => {
+    expect(validateModuleManifest({ ...VALID, focus: "core" }, "x").focus).toBe("core");
+    expect(validateModuleManifest({ ...VALID, focus: "experimental" }, "x").focus).toBe(
+      "experimental",
+    );
+    // Absent stays absent (hub falls back to its default map downstream).
+    expect(validateModuleManifest(VALID, "x").focus).toBeUndefined();
+    expect(() => validateModuleManifest({ ...VALID, focus: "headline" }, "x")).toThrow(/focus/);
+    expect(() => validateModuleManifest({ ...VALID, focus: 1 }, "x")).toThrow(/focus/);
+  });
+
+  test("configUiUrl follows the path-or-url shape (incl. the B4 relative form)", () => {
+    expect(
+      validateModuleManifest({ ...VALID, configUiUrl: "/scribe/admin" }, "x").configUiUrl,
+    ).toBe("/scribe/admin");
+    expect(
+      validateModuleManifest({ ...VALID, configUiUrl: "https://cfg.example.com/" }, "x")
+        .configUiUrl,
+    ).toBe("https://cfg.example.com/");
+    // Relative = the per-instance mount-joined form (B4) — valid.
+    expect(validateModuleManifest({ ...VALID, configUiUrl: "admin/" }, "x").configUiUrl).toBe(
+      "admin/",
+    );
+    expect(() => validateModuleManifest({ ...VALID, configUiUrl: "//evil.com" }, "x")).toThrow(
+      /configUiUrl/,
+    );
+  });
+
+  test("adminCapabilities accepts a string array, rejects non-arrays", () => {
+    expect(
+      validateModuleManifest({ ...VALID, adminCapabilities: ["config", "logs"] }, "x")
+        .adminCapabilities,
+    ).toEqual(["config", "logs"]);
+    expect(() => validateModuleManifest({ ...VALID, adminCapabilities: "config" }, "x")).toThrow(
+      /adminCapabilities/,
+    );
+    expect(() => validateModuleManifest({ ...VALID, adminCapabilities: [1, 2] }, "x")).toThrow(
+      /adminCapabilities/,
+    );
+  });
+
+  test("events parse key + title (+ optional filterSchema), reject malformed entries", () => {
+    const m = validateModuleManifest(
+      {
+        ...VALID,
+        events: [
+          { key: "note.created", title: "Note created", filterSchema: { type: "object" } },
+          { key: "note.deleted", title: "Note deleted" },
+        ],
+      },
+      "x",
+    );
+    expect(m.events?.map((e) => e.key)).toEqual(["note.created", "note.deleted"]);
+    expect(m.events?.[0]?.filterSchema).toEqual({ type: "object" });
+    expect(m.events?.[1]?.filterSchema).toBeUndefined();
+    expect(() => validateModuleManifest({ ...VALID, events: "nope" }, "x")).toThrow(/events/);
+    expect(() => validateModuleManifest({ ...VALID, events: [{ title: "no key" }] }, "x")).toThrow(
+      /events\[0\]\.key/,
+    );
+  });
+
+  test("actions parse key + title (+ optional inputSchema / provision), reject malformed entries", () => {
+    const m = validateModuleManifest(
+      {
+        ...VALID,
+        actions: [
+          {
+            key: "message.send",
+            title: "Send message",
+            inputSchema: { type: "object" },
+            provision: { kind: "vault-trigger" },
+          },
+        ],
+      },
+      "x",
+    );
+    expect(m.actions?.[0]?.key).toBe("message.send");
+    expect(m.actions?.[0]?.inputSchema).toEqual({ type: "object" });
+    expect(m.actions?.[0]?.provision).toEqual({ kind: "vault-trigger" });
+    expect(() => validateModuleManifest({ ...VALID, actions: [{ key: "x" }] }, "x")).toThrow(
+      /actions\[0\]\.title/,
+    );
+  });
+
+  test("actions parse endpoint + scope (the connection-wiring fields, P5)", () => {
+    // The scope namespace must match the module name (VALID is "demo"), so use
+    // a demo-namespaced scope here; the cross-namespace rejection is exercised
+    // in the namespace-guard test below.
+    const m = validateModuleManifest(
+      {
+        ...VALID,
+        actions: [
+          {
+            key: "message.deliver",
+            title: "Deliver",
+            endpoint: "/api/vault/inbound",
+            scope: "demo:send",
+            provision: { type: "vault-trigger" },
+          },
+        ],
+      },
+      "x",
+    );
+    expect(m.actions?.[0]?.endpoint).toBe("/api/vault/inbound");
+    expect(m.actions?.[0]?.scope).toBe("demo:send");
+    // endpoint must be a leading-slash path.
+    expect(() =>
+      validateModuleManifest(
+        { ...VALID, actions: [{ key: "a", title: "A", endpoint: "no-slash" }] },
+        "x",
+      ),
+    ).toThrow(/actions\[0\]\.endpoint/);
+    // scope must be a non-empty string.
+    expect(() =>
+      validateModuleManifest({ ...VALID, actions: [{ key: "a", title: "A", scope: 7 }] }, "x"),
+    ).toThrow(/actions\[0\]\.scope/);
+  });
+
+  test("action.scope namespace MUST match the declaring module name (privilege-escalation guard)", () => {
+    // A malicious manifest named "widget" declaring an action scoped to ANOTHER
+    // module's namespace (vault:default:admin) would trick the hub into minting a
+    // 90-day cross-module bearer when an operator wires a Connection to it.
+    // Reject it at validation, mirroring the `scopes.defines` namespace rule.
+    expect(() =>
+      validateModuleManifest(
+        {
+          ...VALID,
+          name: "widget",
+          actions: [{ key: "thing.do", title: "Do", scope: "vault:default:admin" }],
+        },
+        "x",
+      ),
+    ).toThrow(/namespace "vault" does not match module name "widget"/);
+    // An un-namespaced scope is rejected too.
+    expect(() =>
+      validateModuleManifest(
+        { ...VALID, name: "widget", actions: [{ key: "a", title: "A", scope: "bare" }] },
+        "x",
+      ),
+    ).toThrow(/must be namespaced as "<name>:<verb>"/);
+    // A matching-namespace scope still validates — the real channel case
+    // (channel.message.deliver → channel:send).
+    const okm = validateModuleManifest(
+      {
+        ...VALID,
+        name: "channel",
+        actions: [
+          {
+            key: "message.deliver",
+            title: "Deliver",
+            endpoint: "/api/vault/inbound",
+            scope: "channel:send",
+          },
+        ],
+      },
+      "x",
+    );
+    expect(okm.actions?.[0]?.scope).toBe("channel:send");
   });
 
   test("uiUrl accepts a leading-slash path (Phase D)", () => {
@@ -152,15 +447,17 @@ describe("validateModuleManifest", () => {
     expect(m.uiUrl).toBe("https://app.example.com/");
   });
 
-  test("uiUrl rejects empty / non-string / non-url-or-path (mirrors managementUrl)", () => {
+  test("uiUrl accepts the relative (per-instance) form — B4 (mirrors managementUrl)", () => {
+    expect(validateModuleManifest({ ...VALID, uiUrl: "admin/" }, "x").uiUrl).toBe("admin/");
+  });
+
+  test("uiUrl rejects empty / non-string / bad-scheme / traversal (mirrors managementUrl)", () => {
     expect(() => validateModuleManifest({ ...VALID, uiUrl: "" }, "x")).toThrow(/uiUrl/);
     expect(() => validateModuleManifest({ ...VALID, uiUrl: 7 }, "x")).toThrow(/uiUrl/);
-    expect(() => validateModuleManifest({ ...VALID, uiUrl: "no-slash" }, "x")).toThrow(
-      /path starting with "\/" or a full http\(s\) URL/,
-    );
     expect(() => validateModuleManifest({ ...VALID, uiUrl: "ftp://example.com" }, "x")).toThrow(
       /http:.*https:/,
     );
+    expect(() => validateModuleManifest({ ...VALID, uiUrl: "../sneaky" }, "x")).toThrow(/\.\./);
   });
 
   test("uiUrl absent stays absent", () => {

package/src/__tests__/serve-boot.test.ts

@@ -2,8 +2,12 @@ import { afterEach, beforeEach, describe, expect, test } from "bun:test";
 import { mkdirSync, mkdtempSync, rmSync, writeFileSync } from "node:fs";
 import { tmpdir } from "node:os";
 import { join } from "node:path";
-import { bootSupervisedModules, buildModuleSpawnRequest } from "../commands/serve-boot.ts";
-import { type ServiceEntry, writeManifest } from "../services-manifest.ts";
+import {
+  bootSupervisedModules,
+  buildModuleSpawnRequest,
+  reconcilePortToCanonical,
+} from "../commands/serve-boot.ts";
+import { type ServiceEntry, readManifestLenient, writeManifest } from "../services-manifest.ts";
 import { type SpawnRequest, type SupervisedProc, Supervisor } from "../supervisor.ts";
 
 interface Harness {
@@ -285,3 +289,130 @@ describe("bootSupervisedModules", () => {
     expect(logs.some((l) => l.includes("no startCmd resolvable"))).toBe(true);
   });
 });
+
+// channel#41 — a transiently-wrong (drifted) services.json port for a
+// fixed-port first-party module self-perpetuates: the supervisor injects PORT /
+// probes / proxies from that row, so the wrong port strands the module forever.
+// The boot path snaps it back to canonical before spawn AND persists the fix so
+// the reverse-proxy (which reads services.json) routes correctly.
+describe("reconcilePortToCanonical (channel#41)", () => {
+  let h: Harness;
+  beforeEach(() => {
+    h = makeHarness();
+  });
+  afterEach(() => h.cleanup());
+
+  // The live-observed signature: channel's row carried 19415 instead of its
+  // canonical 1941.
+  const DRIFTED_CHANNEL: ServiceEntry = {
+    name: "parachute-channel",
+    port: 19415,
+    paths: ["/channel"],
+    health: "/health",
+    version: "0.1.0",
+  };
+
+  test("snaps a drifted fixed-port row back to canonical + persists it", () => {
+    writeManifest({ services: [DRIFTED_CHANNEL] }, h.manifestPath);
+    const logs: string[] = [];
+
+    const reconciled = reconcilePortToCanonical(DRIFTED_CHANNEL, h.manifestPath, (l) =>
+      logs.push(l),
+    );
+
+    // Returned entry carries canonical (channel → 1941).
+    expect(reconciled.port).toBe(1941);
+    // And it's PERSISTED — the proxy reads services.json, so the row itself must
+    // now point at 1941 or `/channel/*` keeps routing to the dead 19415.
+    const onDisk = readManifestLenient(h.manifestPath).services.find(
+      (s) => s.name === "parachute-channel",
+    );
+    expect(onDisk?.port).toBe(1941);
+    expect(
+      logs.some((l) => l.includes("reconciled") && l.includes("19415") && l.includes("1941")),
+    ).toBe(true);
+  });
+
+  test("no-op when the row already sits on its canonical port (vault/scribe/surface common path)", () => {
+    writeManifest({ services: [VAULT_ENTRY] }, h.manifestPath);
+    const out = reconcilePortToCanonical(VAULT_ENTRY, h.manifestPath);
+    expect(out).toBe(VAULT_ENTRY); // identity — untouched
+    expect(out.port).toBe(1940);
+  });
+
+  test("third-party module (no canonical) is never touched", () => {
+    const thirdParty: ServiceEntry = {
+      name: "third-party-thing",
+      port: 7777,
+      paths: ["/thing"],
+      health: "/thing/health",
+      version: "1.0.0",
+    };
+    writeManifest({ services: [thirdParty] }, h.manifestPath);
+    const out = reconcilePortToCanonical(thirdParty, h.manifestPath);
+    expect(out).toBe(thirdParty);
+    expect(out.port).toBe(7777);
+  });
+
+  test("does NOT steal the canonical port when another row already holds it", () => {
+    // Another row legitimately occupies 1941 — reconciling would trip the
+    // write-side duplicate-port guard and isn't channel's to take. Leave the
+    // drift; the supervisor's squatter detection surfaces it.
+    const squatter: ServiceEntry = {
+      name: "parachute-vault",
+      port: 1941, // unusual, but it owns this slot right now
+      paths: ["/vault/default"],
+      health: "/vault/default/health",
+      version: "0.4.5",
+    };
+    writeManifest({ services: [squatter, DRIFTED_CHANNEL] }, h.manifestPath);
+    const logs: string[] = [];
+
+    const out = reconcilePortToCanonical(DRIFTED_CHANNEL, h.manifestPath, (l) => logs.push(l));
+
+    expect(out.port).toBe(19415); // unchanged
+    const onDisk = readManifestLenient(h.manifestPath).services.find(
+      (s) => s.name === "parachute-channel",
+    );
+    expect(onDisk?.port).toBe(19415); // not rewritten
+    expect(logs.some((l) => l.includes("held by another row"))).toBe(true);
+  });
+
+  test("boot path injects PORT=canonical + persists the fix for a drifted channel row", async () => {
+    writeManifest({ services: [DRIFTED_CHANNEL] }, h.manifestPath);
+    const recorder = makeRecorder();
+    const sup = new Supervisor({ spawnFn: recorder.spawn });
+
+    await bootSupervisedModules(sup, {
+      manifestPath: h.manifestPath,
+      configDir: h.dir,
+    });
+
+    // The supervisor child gets PORT=1941 (so it binds + the readiness probe
+    // checks the right port), not the drifted 19415.
+    expect(recorder.calls[0]?.short).toBe("channel");
+    expect(recorder.calls[0]?.env?.PORT).toBe("1941");
+    // services.json row is reconciled → proxy routes /channel/* to 1941.
+    const onDisk = readManifestLenient(h.manifestPath).services.find(
+      (s) => s.name === "parachute-channel",
+    );
+    expect(onDisk?.port).toBe(1941);
+  });
+
+  test("boot path leaves a non-drifted vault row's port untouched", async () => {
+    writeManifest({ services: [VAULT_ENTRY] }, h.manifestPath);
+    const recorder = makeRecorder();
+    const sup = new Supervisor({ spawnFn: recorder.spawn });
+
+    await bootSupervisedModules(sup, {
+      manifestPath: h.manifestPath,
+      configDir: h.dir,
+    });
+
+    expect(recorder.calls[0]?.env?.PORT).toBe("1940");
+    const onDisk = readManifestLenient(h.manifestPath).services.find(
+      (s) => s.name === "parachute-vault",
+    );
+    expect(onDisk?.port).toBe(1940);
+  });
+});

package/src/__tests__/service-spec-discovery.test.ts

@@ -0,0 +1,109 @@
+import { describe, expect, test } from "bun:test";
+import {
+  FIRST_PARTY_FALLBACKS,
+  KNOWN_MODULES,
+  discoverableShorts,
+  findServiceByShort,
+  focusForShort,
+  isKnownModuleShort,
+} from "../service-spec.ts";
+
+// 2026-06-09 modular-UI architecture (P2): discovery is driven by the union of
+// the bootstrap registries + self-registration, NOT a CURATED_MODULES
+// whitelist. These helpers are the seam.
+
+describe("discoverableShorts", () => {
+  test("is the deduped union of FIRST_PARTY_FALLBACKS ∪ KNOWN_MODULES", () => {
+    const shorts = discoverableShorts();
+    const expected = new Set([
+      ...Object.keys(FIRST_PARTY_FALLBACKS),
+      ...Object.keys(KNOWN_MODULES),
+    ]);
+    expect(new Set(shorts)).toEqual(expected);
+    // No duplicates.
+    expect(shorts.length).toBe(new Set(shorts).size);
+  });
+
+  test("includes channel (the module the whitelist used to hide) + the core set", () => {
+    const shorts = discoverableShorts();
+    for (const s of ["vault", "scribe", "surface", "runner", "channel", "notes"]) {
+      expect(shorts).toContain(s);
+    }
+  });
+
+  test("FIRST_PARTY_FALLBACKS shorts lead KNOWN_MODULES shorts (registry order)", () => {
+    const shorts = discoverableShorts();
+    // notes (the remaining FALLBACK — channel moved to KNOWN_MODULES in
+    // boundary D3) appears before vault (KNOWN_MODULES) in the union.
+    expect(shorts.indexOf("notes")).toBeLessThan(shorts.indexOf("vault"));
+    // channel rides in KNOWN_MODULES now but is still discoverable.
+    expect(shorts).toContain("channel");
+  });
+});
+
+describe("focusForShort", () => {
+  test("declared focus wins over the default map", () => {
+    // channel defaults experimental, but a manifest-declared core wins.
+    expect(focusForShort("channel", "core")).toBe("core");
+    // vault defaults core, but a declared experimental wins.
+    expect(focusForShort("vault", "experimental")).toBe("experimental");
+  });
+
+  test("falls back to the default tier map when undeclared", () => {
+    expect(focusForShort("vault")).toBe("core");
+    expect(focusForShort("scribe")).toBe("core");
+    expect(focusForShort("surface")).toBe("core");
+    expect(focusForShort("channel")).toBe("experimental");
+    expect(focusForShort("runner")).toBe("experimental");
+    expect(focusForShort("notes")).toBe("experimental");
+  });
+
+  test("unlisted shorts default to experimental", () => {
+    expect(focusForShort("some-third-party-module")).toBe("experimental");
+  });
+});
+
+describe("isKnownModuleShort", () => {
+  test("true for every known module (the install/config gate)", () => {
+    for (const s of ["vault", "scribe", "surface", "runner", "channel", "notes"]) {
+      expect(isKnownModuleShort(s)).toBe(true);
+    }
+  });
+
+  test("false for the hub itself + genuinely third-party shorts", () => {
+    expect(isKnownModuleShort("hub")).toBe(false);
+    expect(isKnownModuleShort("random")).toBe(false);
+  });
+});
+
+// Regression: services.json rows carry the MANIFEST name (`parachute-channel`),
+// not the bare short (`channel`). The connection/channels wiring used to do
+// `services.find((s) => s.name === "channel")`, which never matched the on-disk
+// row → channelOrigin null → a spurious "channel module is not installed" when
+// linking a vault-backed channel. findServiceByShort resolves through the
+// short↔manifest map so the lookup hits the real row.
+describe("findServiceByShort", () => {
+  const services = [
+    { name: "parachute-vault-default", port: 1940 },
+    { name: "parachute-channel", port: 1941 },
+    { name: "parachute-scribe", port: 1943 },
+  ];
+
+  test("matches a row by its manifest name via the short↔manifest map", () => {
+    const found = findServiceByShort(services, "channel");
+    expect(found?.name).toBe("parachute-channel");
+    expect(found?.port).toBe(1941);
+  });
+
+  test("the naive `name === short` comparison would have missed it (the bug)", () => {
+    // The exact pre-fix predicate: a bare short never matches a manifest-named row.
+    expect(services.find((s) => s.name === "channel")).toBeUndefined();
+    // The fix finds it.
+    expect(findServiceByShort(services, "channel")).toBeDefined();
+  });
+
+  test("resolves scribe too, and returns undefined for an absent module", () => {
+    expect(findServiceByShort(services, "scribe")?.port).toBe(1943);
+    expect(findServiceByShort(services, "runner")).toBeUndefined();
+  });
+});

package/src/__tests__/setup-gate.test.ts

@@ -257,7 +257,7 @@ describe("setup gate (admin exists)", () => {
     }
   });
 
-  test("/ renders the discovery page when admin + vault both exist", async () => {
+  test("/ redirects to the admin shell (NOT the setup funnel) when admin + vault both exist", async () => {
     const db = openHubDb(hubDbPath(h.dir));
     try {
       await createUser(db, "owner", "pw");
@@ -275,14 +275,20 @@ describe("setup gate (admin exists)", () => {
         },
         join(h.dir, "services.json"),
       );
-      const res = await hubFetch(h.dir, {
+      const handler = hubFetch(h.dir, {
         getDb: () => db,
         manifestPath: join(h.dir, "services.json"),
-      })(req("/"));
-      // 200 (the dynamic discovery page) — NOT 302 to /admin/setup. The
-      // wizard's work is done.
-      expect(res.status).toBe(200);
-      expect(res.headers.get("content-type")).toContain("text/html");
+      });
+      // Setup complete: bare `/` lands on the admin shell (302 → /admin), NOT
+      // the wizard funnel (302 → /admin/setup) and NOT the old 200-discovery.
+      // The discovery content moved into the shell's Home overview (R1).
+      const res = await handler(req("/"));
+      expect(res.status).toBe(302);
+      expect(res.headers.get("location")).toBe("/admin");
+      // The discovery page itself still lives at /hub.html.
+      const hubHtmlRes = await handler(req("/hub.html"));
+      expect(hubHtmlRes.status).toBe(200);
+      expect(hubHtmlRes.headers.get("content-type")).toContain("text/html");
     } finally {
       db.close();
     }