@openparachute/hub 0.7.4-rc.2 → 0.7.4-rc.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (75) hide show
  1. package/package.json +4 -11
  2. package/src/__tests__/admin-auth.test.ts +128 -0
  3. package/src/__tests__/admin-clients.test.ts +103 -1
  4. package/src/__tests__/admin-lock.test.ts +7 -1
  5. package/src/__tests__/admin-vaults.test.ts +216 -10
  6. package/src/__tests__/api-account-2fa.test.ts +453 -0
  7. package/src/__tests__/api-hub-upgrade.test.ts +59 -3
  8. package/src/__tests__/api-mint-token.test.ts +75 -0
  9. package/src/__tests__/api-modules.test.ts +143 -0
  10. package/src/__tests__/api-settings-root-redirect.test.ts +302 -0
  11. package/src/__tests__/auth.test.ts +336 -0
  12. package/src/__tests__/clients.test.ts +326 -8
  13. package/src/__tests__/cloudflare-connector-service.test.ts +3 -1
  14. package/src/__tests__/cors.test.ts +138 -1
  15. package/src/__tests__/doctor.test.ts +755 -0
  16. package/src/__tests__/hub-command.test.ts +69 -2
  17. package/src/__tests__/hub-server.test.ts +127 -5
  18. package/src/__tests__/hub-settings.test.ts +188 -0
  19. package/src/__tests__/init.test.ts +153 -0
  20. package/src/__tests__/jwt-sign.test.ts +27 -0
  21. package/src/__tests__/managed-unit.test.ts +62 -0
  22. package/src/__tests__/oauth-handlers.test.ts +626 -0
  23. package/src/__tests__/oauth-ui.test.ts +107 -1
  24. package/src/__tests__/scope-explanations.test.ts +19 -0
  25. package/src/__tests__/setup-gate.test.ts +111 -3
  26. package/src/__tests__/setup-wizard.test.ts +124 -7
  27. package/src/__tests__/supervisor.test.ts +25 -0
  28. package/src/__tests__/vault-names.test.ts +32 -3
  29. package/src/__tests__/vault-remove.test.ts +40 -19
  30. package/src/__tests__/well-known.test.ts +37 -2
  31. package/src/admin-agent-grants.ts +16 -1
  32. package/src/admin-auth.ts +13 -4
  33. package/src/admin-clients.ts +66 -5
  34. package/src/admin-grants.ts +11 -2
  35. package/src/admin-vaults.ts +77 -27
  36. package/src/api-account-2fa.ts +395 -0
  37. package/src/api-admin-lock.ts +7 -0
  38. package/src/api-hub-upgrade.ts +52 -4
  39. package/src/api-hub.ts +10 -1
  40. package/src/api-invites.ts +18 -3
  41. package/src/api-me.ts +11 -2
  42. package/src/api-mint-token.ts +16 -1
  43. package/src/api-modules.ts +119 -1
  44. package/src/api-revoke-token.ts +14 -1
  45. package/src/api-settings-hub-origin.ts +14 -1
  46. package/src/api-settings-root-redirect.ts +201 -0
  47. package/src/api-tokens.ts +14 -1
  48. package/src/api-users.ts +15 -6
  49. package/src/api-vault-caps.ts +11 -2
  50. package/src/cli.ts +56 -5
  51. package/src/clients.ts +178 -0
  52. package/src/commands/auth.ts +263 -1
  53. package/src/commands/doctor.ts +1250 -0
  54. package/src/commands/hub.ts +102 -1
  55. package/src/commands/init.ts +108 -0
  56. package/src/commands/vault-remove.ts +16 -24
  57. package/src/cors.ts +7 -3
  58. package/src/help.ts +65 -1
  59. package/src/hub-db.ts +14 -0
  60. package/src/hub-server.ts +173 -25
  61. package/src/hub-settings.ts +163 -1
  62. package/src/jwt-sign.ts +25 -6
  63. package/src/managed-unit.ts +30 -1
  64. package/src/oauth-handlers.ts +110 -7
  65. package/src/oauth-ui.ts +174 -0
  66. package/src/rate-limit.ts +28 -0
  67. package/src/scope-explanations.ts +2 -1
  68. package/src/setup-wizard.ts +40 -21
  69. package/src/supervisor.ts +46 -2
  70. package/src/vault-names.ts +15 -4
  71. package/src/well-known.ts +10 -1
  72. package/web/ui/dist/assets/{index--728BX3j.css → index-BcC4U5gM.css} +1 -1
  73. package/web/ui/dist/assets/index-CVqK1cV5.js +61 -0
  74. package/web/ui/dist/index.html +2 -2
  75. package/web/ui/dist/assets/index-DZzX_Enf.js +0 -61
@@ -454,6 +454,25 @@ function installLaunchdUnit(opts: InstallManagedUnitOpts): ManagedUnitInstallRes
454
454
  };
455
455
  }
456
456
 
457
+ /**
458
+ * #528: is `loginctl` linger already enabled for `userName`? Best-effort probe:
459
+ * `loginctl show-user <user> --property=Linger` prints `Linger=yes` / `Linger=no`.
460
+ * Returns true ONLY on a clear `Linger=yes`; ANY ambiguity (non-zero exit, a
461
+ * throw, or unparseable output) returns false so the caller falls through to the
462
+ * enable attempt — we never SKIP enabling on a guess, only when linger is
463
+ * provably already on. (`show-user` of a user with no session can itself exit
464
+ * non-zero; treat that as "unknown → try to enable".)
465
+ */
466
+ function lingerAlreadyOn(deps: ManagedUnitDeps, userName: string): boolean {
467
+ try {
468
+ const probe = deps.run(["loginctl", "show-user", userName, "--property=Linger"]);
469
+ if (probe.code !== 0) return false;
470
+ return /(^|\n)\s*Linger=yes\s*(\n|$)/i.test(probe.stdout);
471
+ } catch {
472
+ return false;
473
+ }
474
+ }
475
+
457
476
  function installSystemdUnit(opts: InstallManagedUnitOpts): ManagedUnitInstallResult {
458
477
  const { unit, deps, messages } = opts;
459
478
  const start = opts.start ?? true;
@@ -490,10 +509,20 @@ function installSystemdUnit(opts: InstallManagedUnitOpts): ManagedUnitInstallRes
490
509
  // systemctl but not loginctl would propagate the spawn error out and hard-fail
491
510
  // the calling command. (Run on both start + install-without-start: linger is a
492
511
  // boot-survival nicety independent of whether we start the unit now.)
512
+ //
513
+ // #528: pre-check the CURRENT linger state before trying to enable it. When
514
+ // linger is ALREADY on (the common re-install / re-migrate case on a box
515
+ // whose owner already enabled it), `enable-linger` is a no-op we don't need —
516
+ // and on some systemd builds it can return non-zero even though linger is
517
+ // genuinely on, raising a scary "couldn't enable lingering, your hub won't
518
+ // survive reboot" warning that is a FALSE ALARM. So: probe first; if linger
519
+ // is on, skip both the enable AND the warning. Only when linger is genuinely
520
+ // OFF and the enable attempt then fails do we warn. This is the single-owner
521
+ // self-host reboot-survival happy path — keep it quiet when it's already good.
493
522
  if (!root && userName) {
494
523
  if (deps.which("loginctl") === null) {
495
524
  outMessages.push(messages.lingerWarning);
496
- } else {
525
+ } else if (!lingerAlreadyOn(deps, userName)) {
497
526
  try {
498
527
  const linger = deps.run(["loginctl", "enable-linger", userName]);
499
528
  if (linger.code !== 0) outMessages.push(messages.lingerWarning);
@@ -294,8 +294,11 @@ export function buildServicesCatalog(
294
294
  if (audiences.has("vault")) {
295
295
  for (const entry of manifest.services) {
296
296
  if (!isVaultEntry(entry)) continue;
297
- const paths = entry.paths.length > 0 ? entry.paths : ["/"];
298
- for (const path of paths) {
297
+ // #478: an empty-paths vault row is "installed but no servable instance"
298
+ // — skip it so it never counts toward (or, below, fabricates) a phantom
299
+ // vault. Mirrors the continue in well-known.ts / admin-vaults.ts.
300
+ if (entry.paths.length === 0) continue;
301
+ for (const path of entry.paths) {
299
302
  const instance = vaultInstanceNameFor(entry.name, path);
300
303
  if (broadVaultScope || namedVaults.has(instance)) admittedVaultPathCount++;
301
304
  }
@@ -308,12 +311,16 @@ export function buildServicesCatalog(
308
311
  for (const entry of manifest.services) {
309
312
  if (isVaultEntry(entry)) {
310
313
  if (!audiences.has("vault")) continue;
314
+ // #478: an empty-paths vault row is "installed but no servable instance"
315
+ // — skip it so the catalog never offers a phantom `vault` / `vault:default`
316
+ // entry pointing at root before any vault exists. Mirrors well-known.ts /
317
+ // admin-vaults.ts / vault-names.ts.
318
+ if (entry.paths.length === 0) continue;
311
319
  // Walk every path the row exposes. Real multi-vault on the hub is a
312
320
  // single `parachute-vault` row with N paths (one per vault instance);
313
321
  // legacy per-vault rows (`parachute-vault-<name>`) are handled by the
314
322
  // same loop because each contributes one path.
315
- const paths = entry.paths.length > 0 ? entry.paths : ["/"];
316
- for (const path of paths) {
323
+ for (const path of entry.paths) {
317
324
  const instance = vaultInstanceNameFor(entry.name, path);
318
325
  const admit = broadVaultScope || namedVaults.has(instance);
319
326
  if (!admit) continue;
@@ -1209,9 +1216,31 @@ export function handleAuthorizeGet(db: Database, req: Request, deps: OAuthDeps):
1209
1216
  return issueAuthCodeRedirect(db, parsed, requestedScopes, session.userId, deps);
1210
1217
  }
1211
1218
 
1219
+ // hub#689 — does the user hold ADMIN on every vault they could pick? Admin
1220
+ // (isFirstAdmin) owns the whole hub. A non-admin owns a vault only if their
1221
+ // `user_vaults` role grants admin there (today role=write does; a role=read
1222
+ // assignment would NOT). Re-derived from the DB so the owner-verb-selector
1223
+ // is offered only to a genuine owner — the submit path re-checks the PICKED
1224
+ // vault and the cap is the backstop, but rendering it precisely avoids
1225
+ // promising an admin upgrade the cap would silently demote.
1226
+ const userHoldsAdminOnPickable =
1227
+ userIsAdmin ||
1228
+ (assignedVaults.length > 0 &&
1229
+ assignedVaults.every((v) =>
1230
+ (vaultVerbsForUserVault(db, session.userId, v) ?? []).includes("admin"),
1231
+ ));
1232
+
1212
1233
  return htmlResponse(
1213
1234
  renderConsent(
1214
- consentProps(client, parsed, vaultNames, csrf.token, assignedVaults, userIsAdmin),
1235
+ consentProps(
1236
+ client,
1237
+ parsed,
1238
+ vaultNames,
1239
+ csrf.token,
1240
+ assignedVaults,
1241
+ userIsAdmin,
1242
+ userHoldsAdminOnPickable,
1243
+ ),
1215
1244
  ),
1216
1245
  200,
1217
1246
  extra,
@@ -1270,7 +1299,8 @@ function capScopesToUserAuthority(
1270
1299
  if (name === undefined || verb === undefined || !VAULT_VERBS.has(verb)) return true;
1271
1300
  // Named vault verb requested by a non-owner: admit only if the user holds
1272
1301
  // it. `vaultVerbsForUserVault` returns null for an unassigned vault (drop)
1273
- // or the held verb list (today read/write only never admin).
1302
+ // or the held verb list a `write` role holds [read, write, admin], a
1303
+ // `read` role holds [read] (see `vaultVerbsForRole`).
1274
1304
  const held = vaultVerbsForUserVault(db, userId, name);
1275
1305
  return held !== null && (held as readonly string[]).includes(verb);
1276
1306
  });
@@ -1682,6 +1712,44 @@ async function handleConsentSubmit(
1682
1712
  400,
1683
1713
  );
1684
1714
  }
1715
+ // hub#689 — owner-on-own-vault verb widening. The consent screen offers
1716
+ // owners a read/write/admin selector (pre-selected to admin) for an
1717
+ // unnamed `vault:read`/`vault:write` request, so an owner whose AI client
1718
+ // asked for read-only can grant the level it actually needs in-flow. The
1719
+ // submitted `verb_select` is an UNTRUSTED hint — we re-derive ownership of
1720
+ // the PICKED vault server-side here, and `capScopesToUserAuthority` (inside
1721
+ // issueAuthCodeRedirect) is the backstop that drops any verb the user
1722
+ // doesn't actually hold. This only ever rewrites the unnamed read/write
1723
+ // verb(s) to the selected level on the picked vault; named scopes and every
1724
+ // other scope are untouched. A forged `verb_select=admin` from a user who
1725
+ // doesn't own the picked vault gets capped back to what they hold (or, for
1726
+ // a vault outside a pinned user's assignment, never reaches here — the
1727
+ // mismatch checks above already 400'd it).
1728
+ const selectedVerb = String(form.get("verb_select") ?? "").trim();
1729
+ if (selectedVerb === "read" || selectedVerb === "write" || selectedVerb === "admin") {
1730
+ // Re-derive, server-side, whether THIS user owns (holds admin on) the
1731
+ // PICKED vault. Owner === first admin (holds admin everywhere) OR an
1732
+ // assigned user whose role grants admin on this vault. Never trust the
1733
+ // client-submitted selector to establish authority.
1734
+ const heldOnPicked = vaultVerbsForUserVault(db, session.userId, pickedVault);
1735
+ const ownsPicked = userIsAdmin || (heldOnPicked?.includes("admin") ?? false);
1736
+ if (ownsPicked) {
1737
+ scopes = scopes.map((s) => {
1738
+ const parts = s.split(":");
1739
+ // Only widen the unnamed read/write verbs the selector was offered
1740
+ // for — leave an unnamed `vault:admin`, named scopes, and non-vault
1741
+ // scopes exactly as requested.
1742
+ if (
1743
+ parts.length === 2 &&
1744
+ parts[0] === "vault" &&
1745
+ (parts[1] === "read" || parts[1] === "write")
1746
+ ) {
1747
+ return `vault:${selectedVerb}`;
1748
+ }
1749
+ return s;
1750
+ });
1751
+ }
1752
+ }
1685
1753
  scopes = narrowVaultScopes(scopes, pickedVault);
1686
1754
  }
1687
1755
 
@@ -2638,7 +2706,13 @@ export async function handleRegister(
2638
2706
  let sameHub = false;
2639
2707
  if (req.headers.get("authorization")) {
2640
2708
  try {
2641
- await requireScope(db, req, "hub:admin", deps.issuer);
2709
+ // Validate the operator bearer's `iss` against the SET of origins the
2710
+ // hub answers on (`deps.hubBoundOrigins` — loopback ∪ expose-state ∪
2711
+ // platform ∪ per-request issuer), not just the single per-request
2712
+ // `issuer`, so a host-admin credential minted under a still-valid prior
2713
+ // origin keeps auto-approving across an origin switch (hub#516 parity).
2714
+ // Falls back to `[deps.issuer]` when no set getter is wired (tests).
2715
+ await requireScope(db, req, "hub:admin", deps.hubBoundOrigins?.() ?? deps.issuer);
2642
2716
  status = "approved";
2643
2717
  sameHub = true;
2644
2718
  } catch (err) {
@@ -2746,6 +2820,10 @@ function consentProps(
2746
2820
  csrfToken: string,
2747
2821
  assignedVaults: readonly string[],
2748
2822
  userIsAdmin: boolean,
2823
+ // hub#689 — true when the user holds admin on every vault they could pick
2824
+ // (admin owns the hub; an assigned non-admin only if their role grants admin
2825
+ // on each assigned vault). Gates whether the owner-verb-selector renders.
2826
+ userHoldsAdminOnPickable = userIsAdmin,
2749
2827
  ) {
2750
2828
  const scopes = params.scope.split(" ").filter((s) => s.length > 0);
2751
2829
  const unnamedVerbs = unnamedVaultVerbs(scopes);
@@ -2875,6 +2953,25 @@ function consentProps(
2875
2953
  const only = vaultNames[0];
2876
2954
  if (only) displayVault = only;
2877
2955
  }
2956
+ // hub#689 — owner-on-own-vault verb selector. The client requested an
2957
+ // unnamed `vault:read`/`vault:write` verb, and the consenting user owns
2958
+ // (holds admin on) every vault they could pick — first admin owns the whole
2959
+ // hub; an assigned non-admin holds admin on each of their assigned vaults
2960
+ // (vaultVerbsForRole('write') → [read,write,admin]). Offer the selector so
2961
+ // they can grant the level their client actually needs (or downgrade), with
2962
+ // admin pre-selected. Suppressed when the request can't be authorized (zero-
2963
+ // vault non-admin) or the assignment is stale (no valid vault to own).
2964
+ //
2965
+ // SECURITY: this only DECIDES WHETHER TO RENDER. The actual widening is
2966
+ // re-derived server-side in `handleConsentSubmit` against the *picked* vault
2967
+ // and capped by `capScopesToUserAuthority`. The selector value is a hint.
2968
+ const upgradeableUnnamedVerbs = unnamedVerbs.filter((v) => v === "read" || v === "write");
2969
+ const userOwnsEveryPickableVault =
2970
+ !hasStaleAssignment && userCanAuthorizeRequest && userHoldsAdminOnPickable;
2971
+ const ownerVerbSelector =
2972
+ upgradeableUnnamedVerbs.length > 0 && userOwnsEveryPickableVault
2973
+ ? { requestedVerbs: upgradeableUnnamedVerbs }
2974
+ : undefined;
2878
2975
  return {
2879
2976
  params,
2880
2977
  clientId: client.clientId,
@@ -2883,6 +2980,7 @@ function consentProps(
2883
2980
  csrfToken,
2884
2981
  vaultPicker,
2885
2982
  displayVault,
2983
+ ownerVerbSelector,
2886
2984
  staleAssignedVault,
2887
2985
  // Approve stays enabled for non-vault scopes even when assigned_vault
2888
2986
  // is stale — the user can still consent to e.g. `scribe:transcribe`
@@ -2892,6 +2990,11 @@ function consentProps(
2892
2990
  blockApproveForStaleAssignment:
2893
2991
  staleAssignedVault !== undefined && (unnamedVerbs.length > 0 || hasNamedStaleVaultScope),
2894
2992
  userCanAuthorizeRequest,
2993
+ // hub#314 — surface the client's provenance (same-hub first-party vs
2994
+ // external third-party DCR) so the operator sees the trust level on the
2995
+ // consent screen. Clean DB-backed signal: the `same_hub` column written
2996
+ // at DCR time (bearer hub:admin / same-origin session → true).
2997
+ sameHub: client.sameHub,
2895
2998
  };
2896
2999
  }
2897
3000
 
package/src/oauth-ui.ts CHANGED
@@ -147,6 +147,46 @@ export interface ConsentViewProps {
147
147
  * the user on an error page. Defaults to authorizable when omitted.
148
148
  */
149
149
  userCanAuthorizeRequest?: boolean;
150
+ /**
151
+ * hub#689 — owner-on-own-vault verb selector. Set when the consenting user
152
+ * OWNS (holds admin on) every vault they could pick AND the client requested
153
+ * an unnamed `vault:read`/`vault:write` verb. Renders a read/write/admin
154
+ * radio group, pre-selected to admin, so the owner can grant the level their
155
+ * AI client actually needs in-flow (the requested-scope shape was the
156
+ * blocker, not the user's authority) — or transparently downgrade.
157
+ *
158
+ * The submitted `verb_select` is an UNTRUSTED hint: the consent-submit
159
+ * handler re-derives, server-side, whether the user actually owns the picked
160
+ * vault before widening, and `capScopesToUserAuthority` remains the backstop
161
+ * that drops any verb the user doesn't hold. The selector only ever WIDENS
162
+ * the unnamed verb(s) on the picked vault; it never touches any other scope.
163
+ */
164
+ ownerVerbSelector?: OwnerVerbSelector;
165
+ /**
166
+ * hub#314 — same-hub vs external trust marker. True when the requesting
167
+ * client was registered through this hub's own flow / first-party install
168
+ * (`OAuthClient.sameHub` — bearer `hub:admin` OR session-cookie +
169
+ * same-origin DCR). False for a third-party Dynamic Client Registration
170
+ * (an external app, e.g. Claude.ai, that self-registered). Drives a small
171
+ * trust badge in the consent card header so the operator knows the trust
172
+ * level of the app they're approving before they click Approve.
173
+ *
174
+ * Omitted / undefined → no badge (provenance unknown; only the GET-handler
175
+ * call site, which always has the client row, populates it). Provenance is
176
+ * a clean DB-backed signal — see the `same_hub` column on `clients` and the
177
+ * `consentProps` call site in `oauth-handlers.ts`.
178
+ */
179
+ sameHub?: boolean;
180
+ }
181
+
182
+ export interface OwnerVerbSelector {
183
+ /**
184
+ * The unnamed read/write verb(s) the client requested. Only `read`/`write`
185
+ * are upgradeable here — an unnamed `vault:admin` request already renders
186
+ * with the admin badge and needs no selector. Used to word the selector
187
+ * help text ("the app asked for write access").
188
+ */
189
+ requestedVerbs: string[];
150
190
  }
151
191
 
152
192
  export interface VaultPicker {
@@ -328,6 +368,8 @@ export function renderConsent(props: ConsentViewProps): string {
328
368
  staleAssignedVault,
329
369
  blockApproveForStaleAssignment,
330
370
  userCanAuthorizeRequest,
371
+ ownerVerbSelector,
372
+ sameHub,
331
373
  } = props;
332
374
  // Substitute unnamed `vault:<verb>` rows with the resolved named form so
333
375
  // the operator sees the scope shape that will appear in the token. Raw
@@ -339,6 +381,7 @@ export function renderConsent(props: ConsentViewProps): string {
339
381
  ? `<li class="scope scope-empty">No scopes requested — the app gets a session token only.</li>`
340
382
  : displayedScopes.map(renderScopeRow).join("\n");
341
383
  const pickerSection = vaultPicker ? renderVaultPicker(vaultPicker) : "";
384
+ const verbSelectorSection = ownerVerbSelector ? renderOwnerVerbSelector(ownerVerbSelector) : "";
342
385
  // Approve is disabled when the picker can't yield a valid vault. The
343
386
  // empty-vault branch (no vaults registered) is the original case. A
344
387
  // locked-vault picker (multi-user Phase 1) always has a valid value via
@@ -391,6 +434,24 @@ export function renderConsent(props: ConsentViewProps): string {
391
434
  before authorizing vault access.
392
435
  </p>`
393
436
  : "";
437
+ // hub#314 — same-hub vs external trust marker. `sameHub === true` means the
438
+ // client was registered through this hub's own flow (first-party / operator-
439
+ // authenticated DCR); `false` means a third-party app self-registered via
440
+ // public Dynamic Client Registration. `undefined` → no badge (provenance
441
+ // unknown to the caller). The badge sits in the header so the operator sees
442
+ // the trust level before reading the scope list.
443
+ const trustMarker =
444
+ sameHub === undefined
445
+ ? ""
446
+ : sameHub
447
+ ? `<p class="trust-marker trust-marker-same-hub">
448
+ <span class="badge badge-trust-same-hub">First-party</span>
449
+ <span class="trust-marker-text">Registered through this hub.</span>
450
+ </p>`
451
+ : `<p class="trust-marker trust-marker-external">
452
+ <span class="badge badge-trust-external">External</span>
453
+ <span class="trust-marker-text">A third-party app that registered itself. Approve only if you recognise it.</span>
454
+ </p>`;
394
455
  const body = `
395
456
  <div class="card">
396
457
  <div class="card-header">
@@ -402,6 +463,7 @@ export function renderConsent(props: ConsentViewProps): string {
402
463
  <p class="subtitle">
403
464
  This app is requesting access to your Parachute account.
404
465
  </p>
466
+ ${trustMarker}
405
467
  <p class="client-meta">
406
468
  <span class="client-meta-label">client_id</span>
407
469
  <code>${escapeHtml(clientId)}</code>
@@ -418,6 +480,7 @@ export function renderConsent(props: ConsentViewProps): string {
418
480
  ${renderCsrfHiddenInput(csrfToken)}
419
481
  ${renderHiddenInputs(params)}
420
482
  ${pickerSection}
483
+ ${verbSelectorSection}
421
484
  <div class="button-row">
422
485
  <button type="submit" name="approve" value="yes" class="btn btn-primary"${approveDisabled}>Approve</button>
423
486
  <button type="submit" name="approve" value="no" class="btn btn-secondary">Deny</button>
@@ -492,6 +555,60 @@ function renderVaultPicker(picker: VaultPicker): string {
492
555
  </section>`;
493
556
  }
494
557
 
558
+ /**
559
+ * hub#689 — owner-on-own-vault verb selector. Rendered only when the
560
+ * consenting user owns (holds admin on) every vault they could pick and the
561
+ * client requested an unnamed `vault:read`/`vault:write` verb. Three radios
562
+ * (read / write / admin), pre-selected to **admin** so the common case (the
563
+ * owner's own AI client that needs full access) is one click — but the owner
564
+ * sees and submits the choice, and can downgrade.
565
+ *
566
+ * The `admin` option keeps the `.scope-admin` red border + admin badge so an
567
+ * admin grant stays visibly flagged even when pre-selected. The submitted
568
+ * `verb_select` is an untrusted hint re-checked server-side (ownership
569
+ * re-derivation in `handleConsentSubmit` + `capScopesToUserAuthority` backstop);
570
+ * this template only renders the choice.
571
+ */
572
+ function renderOwnerVerbSelector(selector: OwnerVerbSelector): string {
573
+ const requested = selector.requestedVerbs.map((v) => `<code>vault:${escapeHtml(v)}</code>`);
574
+ const requestedList =
575
+ requested.length === 1
576
+ ? requested[0]
577
+ : `${requested.slice(0, -1).join(", ")} and ${requested.at(-1)}`;
578
+ const option = (
579
+ verb: "read" | "write" | "admin",
580
+ title: string,
581
+ desc: string,
582
+ checked: boolean,
583
+ ): string => {
584
+ const isAdmin = verb === "admin";
585
+ const cls = `verb-option${isAdmin ? " verb-option-admin scope-admin" : ""}`;
586
+ const badge = isAdmin ? `<span class="badge badge-admin">admin</span>` : "";
587
+ return `
588
+ <label class="${cls}">
589
+ <input type="radio" name="verb_select" value="${verb}"${checked ? " checked" : ""} />
590
+ <span class="verb-option-body">
591
+ <span class="verb-option-head">
592
+ <span class="verb-option-title">${escapeHtml(title)}</span>
593
+ ${badge}
594
+ </span>
595
+ <span class="verb-option-desc">${escapeHtml(desc)}</span>
596
+ </span>
597
+ </label>`;
598
+ };
599
+ return `
600
+ <section class="verb-selector">
601
+ <h2 class="scopes-title">Access level</h2>
602
+ <p class="picker-help">
603
+ This app asked for ${requestedList} access to your vault. Because you own
604
+ this vault, you can grant a different level — admin is selected so your app
605
+ can do everything it might need; lower it if you'd rather not.
606
+ </p>
607
+ <div class="verb-options">${option("read", "Read only", "View notes, tags, attachments, and config.", false)}${option("write", "Read & write", "Create, edit, and delete notes, tags, and attachments.", false)}${option("admin", "Admin", "Full access plus config, triggers/automation, GitHub backup, and minting tokens.", true)}
608
+ </div>
609
+ </section>`;
610
+ }
611
+
495
612
  /**
496
613
  * "App not yet approved" page (#74). Two branches:
497
614
  *
@@ -1282,6 +1399,47 @@ const STYLES = `
1282
1399
  font-size: 0.88rem;
1283
1400
  color: ${PALETTE.fg};
1284
1401
  }
1402
+ /* hub#689 — owner-on-own-vault verb selector. Same card shell as the
1403
+ vault picker; the admin option carries the .scope-admin red border so an
1404
+ admin grant stays visibly flagged even when pre-selected. */
1405
+ .verb-selector {
1406
+ margin: 0 0 1.25rem;
1407
+ padding: 0.75rem 0.85rem;
1408
+ border: 1px solid ${PALETTE.borderLight};
1409
+ border-radius: 6px;
1410
+ background: ${PALETTE.bgSoft};
1411
+ }
1412
+ .verb-selector .scopes-title { margin-bottom: 0.4rem; }
1413
+ .verb-options {
1414
+ display: flex;
1415
+ flex-direction: column;
1416
+ gap: 0.4rem;
1417
+ }
1418
+ .verb-option {
1419
+ display: flex;
1420
+ align-items: flex-start;
1421
+ gap: 0.5rem;
1422
+ padding: 0.5rem 0.65rem;
1423
+ border: 1px solid ${PALETTE.border};
1424
+ border-radius: 6px;
1425
+ background: ${PALETTE.cardBg};
1426
+ cursor: pointer;
1427
+ transition: border-color 0.15s ease, background 0.15s ease;
1428
+ }
1429
+ .verb-option:hover { border-color: ${PALETTE.accent}; }
1430
+ .verb-option input[type=radio] { margin-top: 0.25rem; }
1431
+ .verb-option input[type=radio]:focus { outline: 2px solid ${PALETTE.accent}; outline-offset: 2px; }
1432
+ .verb-option-body { display: flex; flex-direction: column; gap: 0.1rem; }
1433
+ .verb-option-head {
1434
+ display: flex;
1435
+ align-items: center;
1436
+ gap: 0.4rem;
1437
+ flex-wrap: wrap;
1438
+ }
1439
+ .verb-option-title { font-weight: 500; color: ${PALETTE.fg}; font-size: 0.9rem; }
1440
+ .verb-option-desc { font-size: 0.82rem; color: ${PALETTE.fgMuted}; }
1441
+ .verb-option-admin .verb-option-title { color: ${PALETTE.danger}; }
1442
+
1285
1443
  .vault-picker-empty .picker-help { color: ${PALETTE.danger}; }
1286
1444
  .vault-picker-empty .picker-help code { color: ${PALETTE.fg}; }
1287
1445
  .vault-picker-locked .picker-help { color: ${PALETTE.fgMuted}; }
@@ -1456,6 +1614,22 @@ const STYLES = `
1456
1614
  .badge-send { background: ${PALETTE.accentSoft}; color: ${PALETTE.accent}; }
1457
1615
  .badge-admin { background: ${PALETTE.danger}; color: ${PALETTE.cardBg}; }
1458
1616
 
1617
+ /* hub#314 — same-hub vs external trust marker on the consent header. The
1618
+ first-party badge uses the accent (calm/trusted); external uses the danger
1619
+ tint so a third-party DCR client stands out without being alarmist. */
1620
+ .trust-marker {
1621
+ display: flex;
1622
+ align-items: baseline;
1623
+ gap: 0.45rem;
1624
+ flex-wrap: wrap;
1625
+ margin: 0.75rem 0 0;
1626
+ font-size: 0.85rem;
1627
+ color: ${PALETTE.fgMuted};
1628
+ }
1629
+ .trust-marker-text { flex: 1; min-width: 12rem; }
1630
+ .badge-trust-same-hub { background: ${PALETTE.accentSoft}; color: ${PALETTE.accent}; }
1631
+ .badge-trust-external { background: ${PALETTE.dangerSoft}; color: ${PALETTE.danger}; }
1632
+
1459
1633
  @media (max-width: 480px) {
1460
1634
  main { padding: 0.75rem; }
1461
1635
  .card { padding: 1.5rem 1.25rem; border-radius: 10px; }
package/src/rate-limit.ts CHANGED
@@ -87,6 +87,21 @@ export const CHANGE_PASSWORD_WINDOW_MS = 5 * 60 * 1000;
87
87
  * cookie attacker shouldn't get a 5-shot grind window.
88
88
  */
89
89
  export const CHANGE_PASSWORD_MAX_ATTEMPTS = 3;
90
+ /**
91
+ * `/api/account/2fa/confirm` (TOTP enrollment seal) window: 15 minutes. This is
92
+ * the SELF-only, already-session-authenticated enrollment step — the operator is
93
+ * typing the first live code off their own authenticator while it drifts into
94
+ * sync, so legitimate mistypes are common and must not be punished. The threat
95
+ * is only a hijacked session grinding the (client-held, not-yet-persisted)
96
+ * in-flight secret, which the 10^6 code space + replay cache already make
97
+ * effectively non-exploitable — so this is defense-in-depth, deliberately MORE
98
+ * generous than the 3/5-min change-password bucket. NOT the `/login/2fa` bucket:
99
+ * that one is the strict, pre-auth brute-force door (5/15-min); enrollment is a
100
+ * different, lower-risk surface and gets its own lenient bucket.
101
+ */
102
+ export const TOTP_ENROLL_CONFIRM_WINDOW_MS = 15 * 60 * 1000;
103
+ /** `/api/account/2fa/confirm` attempts allowed per window. 11th is denied. */
104
+ export const TOTP_ENROLL_CONFIRM_MAX_ATTEMPTS = 10;
90
105
  /**
91
106
  * `/login/2fa` window length: 15 minutes — same as `/login`. The second-
92
107
  * factor step (hub#473) sits behind a verified password + a short-lived
@@ -289,6 +304,18 @@ export const changePasswordRateLimiter = new RateLimiter(
289
304
  */
290
305
  export const totpRateLimiter = new RateLimiter(TOTP_MAX_ATTEMPTS, TOTP_WINDOW_MS);
291
306
 
307
+ /**
308
+ * `/api/account/2fa/confirm` enrollment-seal bucket. Lenient (10 / 15 min),
309
+ * keyed by `user.id` (the session already establishes identity). Separate from
310
+ * `totpRateLimiter` so an enrollment mistype and a `/login/2fa` failure never
311
+ * share a window — different surfaces, different threat models (see the const
312
+ * docs above).
313
+ */
314
+ export const totpEnrollConfirmRateLimiter = new RateLimiter(
315
+ TOTP_ENROLL_CONFIRM_MAX_ATTEMPTS,
316
+ TOTP_ENROLL_CONFIRM_WINDOW_MS,
317
+ );
318
+
292
319
  /**
293
320
  * Coarse per-IP CEILING rate limiter — 60 attempts / 15 min, keyed by client
294
321
  * IP ONLY. Shared by all interactive auth doors (`/login`, the
@@ -342,6 +369,7 @@ export function __resetForTests(): void {
342
369
  loginRateLimiter.reset();
343
370
  changePasswordRateLimiter.reset();
344
371
  totpRateLimiter.reset();
372
+ totpEnrollConfirmRateLimiter.reset();
345
373
  vaultTokenMintRateLimiter.reset();
346
374
  signupRateLimiter.reset();
347
375
  authIpCeilingRateLimiter.reset();
@@ -42,7 +42,8 @@ export const SCOPE_EXPLANATIONS: Record<string, ScopeExplanation> = {
42
42
  level: "write",
43
43
  },
44
44
  "vault:admin": {
45
- label: "Full vault access plus configuration changes (rotate tokens, change settings).",
45
+ label:
46
+ "Read and write everything, plus admin: config & settings, triggers & automation, GitHub backup, and minting access tokens.",
46
47
  level: "admin",
47
48
  },
48
49
  // Optional-module scopes (scribe / agent). These are in FIRST_PARTY_SCOPES
@@ -1592,14 +1592,33 @@ export function handleSetupGet(req: Request, deps: SetupWizardDeps): Response {
1592
1592
  // poll on the auth the wizard already carries.
1593
1593
  const opId = url.searchParams.get("op");
1594
1594
  if (opId) {
1595
- const op = deps.registry?.get(opId);
1596
- if (op) {
1597
- envelope.operation = {
1598
- id: op.id,
1599
- status: op.status,
1600
- log: op.log,
1601
- ...(op.error !== undefined ? { error: op.error } : {}),
1602
- };
1595
+ // hub#618: post-setup this JSON `?op=` surface is unauth-reachable —
1596
+ // `/admin/setup` is always lockout-exempt (the dispatcher's
1597
+ // `shouldGateForSetup` lets it through so a stale bookmark resolves), and
1598
+ // the snapshot is read BEFORE any session check. The leak is small (an
1599
+ // in-memory op's status + install-progress log lines, behind an
1600
+ // unguessable UUID), but it's still a post-setup admin surface, so gate
1601
+ // it once setup is COMPLETE. During setup (no admin yet) the surface
1602
+ // stays OPEN: the unauth CLI wizard (`parachute init`) AND the brand-new-
1603
+ // operator browser both poll this `?op=` snapshot mid-setup before any
1604
+ // session exists — gating then would break first-boot vault
1605
+ // provisioning. Loopback always passes (same on-box trust as the
1606
+ // `bootstrapToken` branch below); a valid session also passes.
1607
+ const setupComplete = state.hasAdmin && state.hasVault && state.hasExposeMode;
1608
+ const opSnapshotAllowed =
1609
+ !setupComplete ||
1610
+ deps.requestIsLoopback === true ||
1611
+ findActiveSession(deps.db, req) !== null;
1612
+ if (opSnapshotAllowed) {
1613
+ const op = deps.registry?.get(opId);
1614
+ if (op) {
1615
+ envelope.operation = {
1616
+ id: op.id,
1617
+ status: op.status,
1618
+ log: op.log,
1619
+ ...(op.error !== undefined ? { error: op.error } : {}),
1620
+ };
1621
+ }
1603
1622
  }
1604
1623
  }
1605
1624
  // hub#576: hand the actual token to a LOOPBACK caller only. The on-box
@@ -2325,19 +2344,19 @@ export async function handleSetupVaultPost(req: Request, deps: SetupWizardDeps):
2325
2344
  if (registry) {
2326
2345
  // hub#267: thread the typed name through `PARACHUTE_VAULT_NAME` so
2327
2346
  // vault's first-boot path (vault#342) names the created vault
2328
- // accordingly. Skip the env override when the operator left the
2329
- // field blank — vault's `resolveFirstBootVaultName` defaults to
2330
- // `default` on absent env vars, so this preserves the prior
2331
- // behaviour for the empty-input case.
2347
+ // accordingly.
2332
2348
  //
2333
- // If the operator typed "default" explicitly, treat the same as
2334
- // blank vault's first-boot defaults to "default" anyway, so
2335
- // skipping the env override is correct (the comparison below
2336
- // catches both blank-trimmed-to-DEFAULT and typed-"default").
2337
- const spawnEnv: Record<string, string> = {};
2338
- if (vaultName !== DEFAULT_VAULT_NAME) {
2339
- spawnEnv.PARACHUTE_VAULT_NAME = vaultName;
2340
- }
2349
+ // #478 Part 2: ALWAYS set `PARACHUTE_VAULT_NAME`, even when the name
2350
+ // is "default". Once vault removes its silent auto-create-on-missing-env
2351
+ // behavior, vault's first-boot will require the env var to know which
2352
+ // vault to create — a missing `PARACHUTE_VAULT_NAME` will mean "no vault
2353
+ // to create" rather than "create one named default". Passing it
2354
+ // explicitly for every path (including the default) is correct and safe:
2355
+ // vault's `resolveFirstBootVaultName` accepts "default" as a valid name
2356
+ // and behaves identically to the prior implicit default.
2357
+ const spawnEnv: Record<string, string> = {
2358
+ PARACHUTE_VAULT_NAME: vaultName,
2359
+ };
2341
2360
  // Capture importParams + deps in the runInstall promise chain — when
2342
2361
  // mode === "import", run the vault-side `/.parachute/mirror/import`
2343
2362
  // POST as a follow-up step once the supervised vault has come up
@@ -2358,7 +2377,7 @@ export async function handleSetupVaultPost(req: Request, deps: SetupWizardDeps):
2358
2377
  registry,
2359
2378
  ...(deps.run ? { run: deps.run } : {}),
2360
2379
  ...(deps.isLinked ? { isLinked: deps.isLinked } : {}),
2361
- ...(Object.keys(spawnEnv).length > 0 ? { spawnEnv } : {}),
2380
+ spawnEnv,
2362
2381
  })
2363
2382
  .then(async () => {
2364
2383
  if (!importToRun) return;