@openparachute/vault 0.3.3 → 0.4.3

package/src/admin-spa.ts

@@ -0,0 +1,161 @@
+/**
+ * Admin SPA mount. Serves `web/ui/dist/` under `/vault/<name>/admin/*`.
+ *
+ * The vault HTTP server hosts an admin SPA (vault#216) co-located in the
+ * source tree at `web/ui/`. Vite produces the bundle in `web/ui/dist/`
+ * (gitignored — built locally before publish, or by a release pipeline).
+ * This module turns the bundle into a static-file response.
+ *
+ * Per-vault mount (vault#252): the SPA lives under `/vault/<name>/admin/*`
+ * rather than the origin-rooted `/admin/*` it shipped with. The hub only
+ * proxies `/vault/<name>/*` paths (per parachute-patterns/module-protocol),
+ * so an origin-rooted SPA is unreachable through the hub. Asset URLs are
+ * relative (Vite `base: "./"`), so the same bundle works at any mount
+ * point — no rebuild per vault.
+ *
+ * Mirrors `parachute-hub/src/hub-server.ts:serveSpa` — the conventions
+ * (strip mount, asset-shape filter, `.html` fallthrough for client routes)
+ * are identical so an operator who knows one knows the other.
+ */
+import { existsSync } from "node:fs";
+import { dirname, join, resolve } from "node:path";
+import { fileURLToPath } from "node:url";
+
+/**
+ * Regex anchoring the per-vault SPA mount. Matches `/vault/<name>/admin`
+ * exactly and any subpath under it. The `<name>` capture is reused by the
+ * prefix-strip below — keep the two in sync if this regex moves.
+ */
+const ADMIN_SPA_MOUNT_RE = /^\/vault\/([^/]+)\/admin(?=\/|$)/;
+
+/**
+ * Resolve the default SPA bundle dir. Anchored to this file's location so
+ * a `bun src/server.ts` from any cwd still finds `<repo>/web/ui/dist/`.
+ * Tests / production override via the `spaDistDir` argument to
+ * `serveAdminSpa`.
+ */
+export function defaultAdminSpaDistDir(): string {
+  // import.meta.dir is the dir holding *this* file (`src/`); the SPA bundle
+  // sits at `<repo>/web/ui/dist/`.
+  const here = dirname(fileURLToPath(import.meta.url));
+  return resolve(here, "..", "web", "ui", "dist");
+}
+
+/**
+ * Pick a content type for static assets the SPA build produces. Vite's
+ * fingerprinted output is the realistic surface — js / css / svg / png /
+ * woff2 / ico. Mismatches show up loud (a `.js` served as `text/html` is
+ * unmistakable) and the list is trivially extensible if a future feature
+ * adds an asset type.
+ */
+function spaContentType(pathname: string): string {
+  const ext = pathname.slice(pathname.lastIndexOf(".") + 1).toLowerCase();
+  switch (ext) {
+    case "html":
+      return "text/html; charset=utf-8";
+    case "js":
+    case "mjs":
+      return "application/javascript; charset=utf-8";
+    case "css":
+      return "text/css; charset=utf-8";
+    case "svg":
+      return "image/svg+xml";
+    case "png":
+      return "image/png";
+    case "ico":
+      return "image/x-icon";
+    case "woff2":
+      return "font/woff2";
+    case "woff":
+      return "font/woff";
+    case "json":
+    case "map":
+      return "application/json";
+    case "txt":
+      return "text/plain; charset=utf-8";
+    default:
+      return "application/octet-stream";
+  }
+}
+
+/**
+ * Serve a single file under the SPA mount, falling back to `index.html`
+ * for client-side-routed paths (anything that doesn't resolve to a real
+ * file under `dist/`). Path-traversal is blocked twice: the asset-shape
+ * filter rejects sub-paths containing "..", and the resolved absolute
+ * path is checked to start with `dist/` before any read.
+ *
+ * No auth is enforced at this seam — the SPA's `index.html` and bundle are
+ * static assets and reveal nothing privileged. The data fetches the SPA
+ * issues land on existing per-vault routes that already enforce
+ * `vault:<name>:read` / `vault:<name>:admin`. This keeps the SPA loadable
+ * even before a token has been minted (so the operator can actually see
+ * the empty / auth-required state we render in `VaultDetail.tsx`).
+ */
+export async function serveAdminSpa(spaDistDir: string, pathname: string): Promise<Response> {
+  if (!existsSync(spaDistDir)) {
+    return new Response(
+      "vault admin SPA bundle not found — run `bun run build` in web/ui/ to produce dist/",
+      { status: 503, headers: { "content-type": "text/plain; charset=utf-8" } },
+    );
+  }
+  // Strip the mount prefix:
+  //   /vault/foo/admin       → ""
+  //   /vault/foo/admin/      → "/"
+  //   /vault/foo/admin/x.js  → "/x.js"
+  const sub = pathname.replace(ADMIN_SPA_MOUNT_RE, "");
+
+  // Canonicalize the bare mount → trailing-slash form. Vite emits
+  // *relative* asset URLs (`./assets/index-abc.js`) since `<name>` isn't
+  // known at build time, and browsers resolve relative URLs against the
+  // **directory** of the current document — not the document itself. So:
+  //   /vault/foo/admin/  → asset resolves to /vault/foo/admin/assets/...  ✓
+  //   /vault/foo/admin   → asset resolves to /vault/foo/assets/...        ✗
+  // Without this redirect, the bare-form URL hub#162 generates (per
+  // `resolveManagementUrl` — strip trailing slash, append `/admin`)
+  // would 404 every asset against the per-vault auth wall, and the SPA
+  // would never boot. Same canonicalization the notes-server `--mount`
+  // path does for the same reason.
+  if (sub === "") {
+    return Response.redirect(`${pathname}/`, 301);
+  }
+  const indexPath = join(spaDistDir, "index.html");
+
+  // Empty / mount-root / any non-asset request → SPA shell. The router
+  // takes it from there. First defense against traversal: bare paths and
+  // anything containing ".." never enter the asset branch — they fall
+  // through to the shell below.
+  const looksLikeAsset = sub.length > 0 && /\.[a-z0-9]+$/i.test(sub) && !sub.includes("..");
+  if (!looksLikeAsset) {
+    return new Response(Bun.file(indexPath), {
+      headers: { "content-type": "text/html; charset=utf-8" },
+    });
+  }
+
+  const filePath = resolve(spaDistDir, `.${sub}`);
+  // Second defense: even if a future tweak loosens looksLikeAsset, refuse
+  // any resolved path that escapes dist/. Belt-and-braces.
+  if (!filePath.startsWith(`${spaDistDir}/`)) {
+    return new Response("not found", { status: 404 });
+  }
+  if (!existsSync(filePath)) {
+    // Asset request that doesn't resolve to a real file → SPA shell.
+    // (e.g. `/admin/vault/foo` with a typo'd extension shouldn't 404 the
+    // page.)
+    return new Response(Bun.file(indexPath), {
+      headers: { "content-type": "text/html; charset=utf-8" },
+    });
+  }
+  return new Response(Bun.file(filePath), {
+    headers: { "content-type": spaContentType(filePath) },
+  });
+}
+
+/**
+ * Match `/vault/<name>/admin` or `/vault/<name>/admin/...`. Bare
+ * `/vault/<name>/admin-foo` and `/vault/<name>` (the metadata endpoint)
+ * must NOT trigger this — only the SPA mount root and its true subpaths.
+ */
+export function isAdminSpaPath(pathname: string): boolean {
+  return ADMIN_SPA_MOUNT_RE.test(pathname);
+}

package/src/auth-hub-jwt.test.ts

@@ -0,0 +1,360 @@
+/**
+ * End-to-end auth tests for the hub-JWT path.
+ *
+ * `hub-jwt.test.ts` covers `validateHubJwt` in isolation. This file exercises
+ * the full request path: a JWT bearer arrives at `authenticateVaultRequest`,
+ * goes through `authenticateHubJwt`, and the result either resolves into an
+ * `AuthResult` or surfaces as a 401 Response. The cases that matter most:
+ *
+ *   - happy path with narrowed scopes
+ *   - broad `vault:<verb>` scope rejected (forced narrowing per #180)
+ *   - `aud=vault.<other>` rejected (audience mismatch)
+ *   - JWT path rejected at the global (cross-vault) entrypoint
+ *   - revoked jti rejected (revocation list integration; client-facing
+ *     message is sanitized so the jti doesn't leak)
+ *   - revocation list unavailable on cold start → fail-closed 401
+ *
+ * Each test owns a fresh `PARACHUTE_HOME` and a fake hub fixture that serves
+ * BOTH `/.well-known/jwks.json` and `/.well-known/parachute-revocation.json`.
+ * scope-guard's own unit suite covers the cache mechanics (TTL refresh,
+ * fail-open with last-good, single-flight); this file pins the vault-side
+ * wiring and the response-shape contract.
+ */
+
+import { describe, test, expect, beforeEach, afterEach, spyOn } from "bun:test";
+import { mkdirSync, rmSync, existsSync } from "fs";
+import { join } from "path";
+import { tmpdir } from "os";
+import { generateKeyPair, exportJWK, SignJWT } from "jose";
+import { writeVaultConfig, readVaultConfig } from "./config.ts";
+import { getVaultStore, clearVaultStoreCache } from "./vault-store.ts";
+import { authenticateVaultRequest, authenticateGlobalRequest } from "./auth.ts";
+import { resetJwksCache, resetRevocationCache } from "./hub-jwt.ts";
+
+interface Keypair {
+  privateKey: CryptoKey;
+  publicJwk: { kty: string; n: string; e: string; kid: string; alg: string; use: string };
+  kid: string;
+}
+
+async function makeKeypair(kid: string): Promise<Keypair> {
+  const { privateKey, publicKey } = await generateKeyPair("RS256", { extractable: true });
+  const jwk = await exportJWK(publicKey);
+  return {
+    privateKey,
+    publicJwk: { kty: "RSA", n: jwk.n!, e: jwk.e!, kid, alg: "RS256", use: "sig" },
+    kid,
+  };
+}
+
+interface HubFixture {
+  origin: string;
+  /** Drive the revocation list contents; cleared by default. */
+  setRevoked(jtis: string[]): void;
+  /** When true, the revocation endpoint returns 503 — exercises fail-closed. */
+  setRevocationFails(fails: boolean): void;
+  stop: () => void;
+}
+
+function startHubFixture(keys: Keypair[]): HubFixture {
+  let revokedJtis: string[] = [];
+  let revocationFails = false;
+  const server = Bun.serve({
+    port: 0,
+    fetch(req) {
+      const url = new URL(req.url);
+      if (url.pathname === "/.well-known/jwks.json") {
+        return Response.json({ keys: keys.map((k) => k.publicJwk) });
+      }
+      if (url.pathname === "/.well-known/parachute-revocation.json") {
+        if (revocationFails) {
+          return new Response("hub down", { status: 503 });
+        }
+        return Response.json({
+          generated_at: new Date().toISOString(),
+          jtis: revokedJtis,
+        });
+      }
+      return new Response("not found", { status: 404 });
+    },
+  });
+  return {
+    origin: `http://127.0.0.1:${server.port}`,
+    setRevoked: (jtis) => {
+      revokedJtis = jtis;
+    },
+    setRevocationFails: (fails) => {
+      revocationFails = fails;
+    },
+    stop: () => server.stop(true),
+  };
+}
+
+interface SignOpts {
+  iss: string;
+  aud: string;
+  scope: string;
+  sub?: string;
+  ttlSeconds?: number;
+  /** Override the random jti — needed when a test wants to revoke this exact token. */
+  jti?: string;
+}
+
+async function signJwt(kp: Keypair, opts: SignOpts): Promise<string> {
+  const iat = Math.floor(Date.now() / 1000);
+  const exp = iat + (opts.ttlSeconds ?? 60);
+  return await new SignJWT({ scope: opts.scope, client_id: "test-client" })
+    .setProtectedHeader({ alg: "RS256", kid: kp.kid })
+    .setIssuer(opts.iss)
+    .setSubject(opts.sub ?? "user-1")
+    .setAudience(opts.aud)
+    .setIssuedAt(iat)
+    .setExpirationTime(exp)
+    .setJti(opts.jti ?? `jti-${Math.random().toString(36).slice(2)}`)
+    .sign(kp.privateKey);
+}
+
+function bearer(token: string): Request {
+  return new Request("https://vault.test/x", {
+    headers: { Authorization: `Bearer ${token}` },
+  });
+}
+
+let tmpHome: string;
+let prevHome: string | undefined;
+let prevHubOrigin: string | undefined;
+let fixture: HubFixture;
+let kp: Keypair;
+
+beforeEach(async () => {
+  tmpHome = join(
+    tmpdir(),
+    `vault-auth-jwt-test-${Date.now()}-${Math.random().toString(36).slice(2)}`,
+  );
+  mkdirSync(join(tmpHome, "vault", "data"), { recursive: true });
+  prevHome = process.env.PARACHUTE_HOME;
+  process.env.PARACHUTE_HOME = tmpHome;
+  clearVaultStoreCache();
+
+  kp = await makeKeypair("k1");
+  fixture = startHubFixture([kp]);
+  prevHubOrigin = process.env.PARACHUTE_HUB_ORIGIN;
+  process.env.PARACHUTE_HUB_ORIGIN = fixture.origin;
+  resetJwksCache();
+  resetRevocationCache();
+});
+
+afterEach(() => {
+  fixture.stop();
+  clearVaultStoreCache();
+  if (prevHome === undefined) delete process.env.PARACHUTE_HOME;
+  else process.env.PARACHUTE_HOME = prevHome;
+  if (prevHubOrigin === undefined) delete process.env.PARACHUTE_HUB_ORIGIN;
+  else process.env.PARACHUTE_HUB_ORIGIN = prevHubOrigin;
+  if (existsSync(tmpHome)) rmSync(tmpHome, { recursive: true, force: true });
+});
+
+function seedVault(name: string): void {
+  writeVaultConfig({ name, api_keys: [], created_at: new Date().toISOString() });
+  // Touch the store so the DB file exists (matches the routing path's expectation).
+  getVaultStore(name);
+}
+
+describe("authenticateVaultRequest — hub JWT integration", () => {
+  test("narrowed scope + matching aud → AuthResult with permission derived from verb", async () => {
+    seedVault("journal");
+    const token = await signJwt(kp, {
+      iss: fixture.origin,
+      aud: "vault.journal",
+      scope: "vault:journal:write",
+    });
+    const config = readVaultConfig("journal")!;
+    const store = getVaultStore("journal");
+
+    const result = await authenticateVaultRequest(bearer(token), config, store.db);
+    expect("error" in result).toBe(false);
+    if (!("error" in result)) {
+      expect(result.permission).toBe("full");
+      expect(result.scopes).toEqual(["vault:journal:write"]);
+      expect(result.legacyDerived).toBe(false);
+    }
+  });
+
+  test("narrowed read scope → permission='read'", async () => {
+    seedVault("journal");
+    const token = await signJwt(kp, {
+      iss: fixture.origin,
+      aud: "vault.journal",
+      scope: "vault:journal:read",
+    });
+    const config = readVaultConfig("journal")!;
+    const store = getVaultStore("journal");
+
+    const result = await authenticateVaultRequest(bearer(token), config, store.db);
+    expect("error" in result).toBe(false);
+    if (!("error" in result)) expect(result.permission).toBe("read");
+  });
+
+  test("broad vault:write scope from a JWT → 401 with explanatory message", async () => {
+    seedVault("journal");
+    const token = await signJwt(kp, {
+      iss: fixture.origin,
+      aud: "vault.journal",
+      scope: "vault:write",
+    });
+    const config = readVaultConfig("journal")!;
+    const store = getVaultStore("journal");
+
+    const result = await authenticateVaultRequest(bearer(token), config, store.db);
+    expect("error" in result).toBe(true);
+    if ("error" in result) {
+      expect(result.error.status).toBe(401);
+      const body = (await result.error.json()) as { error: string; message: string };
+      expect(body.error).toBe("Unauthorized");
+      expect(body.message).toContain("broad vault scope");
+      expect(body.message).toContain("vault:write");
+    }
+  });
+
+  test("aud=vault.work cannot reach /vault/journal/* → 401 audience mismatch", async () => {
+    seedVault("journal");
+    seedVault("work");
+    // Token is correctly stamped for work, but presented at journal's endpoint.
+    const token = await signJwt(kp, {
+      iss: fixture.origin,
+      aud: "vault.work",
+      scope: "vault:work:write",
+    });
+    const journalConfig = readVaultConfig("journal")!;
+    const journalStore = getVaultStore("journal");
+
+    const result = await authenticateVaultRequest(
+      bearer(token),
+      journalConfig,
+      journalStore.db,
+    );
+    expect("error" in result).toBe(true);
+    if ("error" in result) {
+      expect(result.error.status).toBe(401);
+      const body = (await result.error.json()) as { error: string; message: string };
+      expect(body.message).toMatch(/audience mismatch.*vault\.journal.*vault\.work/);
+    }
+  });
+
+  test("hub JWT at the global (cross-vault) entrypoint → 401 with vault-bound hint", async () => {
+    seedVault("journal");
+    const token = await signJwt(kp, {
+      iss: fixture.origin,
+      aud: "vault.journal",
+      scope: "vault:journal:read",
+    });
+    const result = await authenticateGlobalRequest(bearer(token));
+    expect("error" in result).toBe(true);
+    if ("error" in result) {
+      expect(result.error.status).toBe(401);
+      const body = (await result.error.json()) as { error: string; message: string };
+      expect(body.message).toContain("vault-bound");
+      expect(body.message).toContain("/vault/<name>");
+    }
+  });
+
+  test("revoked jti → 401 sanitized; full diagnostic (with jti) routed to console.warn audit log", async () => {
+    seedVault("journal");
+    const revokedJti = "jti-revoked-by-operator";
+    fixture.setRevoked([revokedJti]);
+    const token = await signJwt(kp, {
+      iss: fixture.origin,
+      aud: "vault.journal",
+      scope: "vault:journal:read",
+      jti: revokedJti,
+    });
+    const config = readVaultConfig("journal")!;
+    const store = getVaultStore("journal");
+
+    // Spy + suppress so the assertion is the audit-trail invariant for
+    // this scenario, not a stderr inspection. Pattern carries to scribe/agent.
+    const warnSpy = spyOn(console, "warn").mockImplementation(() => {});
+    try {
+      const result = await authenticateVaultRequest(bearer(token), config, store.db);
+      expect("error" in result).toBe(true);
+      if ("error" in result) {
+        expect(result.error.status).toBe(401);
+        const body = (await result.error.json()) as { error: string; message: string };
+        expect(body.error).toBe("Unauthorized");
+        // Client-facing message must NOT carry the jti — that's a server-side
+        // audit-log concern only. See the `code === "revoked"` branch in
+        // authenticateHubJwt for the sanitization.
+        expect(body.message).toBe("token has been revoked");
+        expect(body.message).not.toContain(revokedJti);
+      }
+      // Audit-log invariant: console.warn fires exactly once with a message
+      // that carries the jti, so an operator chasing a 401 in production logs
+      // can correlate to which token was retired.
+      expect(warnSpy).toHaveBeenCalledTimes(1);
+      const warnArg = warnSpy.mock.calls[0]![0] as string;
+      expect(warnArg).toContain(revokedJti);
+      expect(warnArg).toContain("revoked");
+    } finally {
+      warnSpy.mockRestore();
+    }
+  });
+
+  test("non-revoked jti against populated list → still honored (happy path with active revocations)", async () => {
+    seedVault("journal");
+    fixture.setRevoked(["some-other-revoked-jti"]);
+    const token = await signJwt(kp, {
+      iss: fixture.origin,
+      aud: "vault.journal",
+      scope: "vault:journal:write",
+      jti: "jti-still-good",
+    });
+    const config = readVaultConfig("journal")!;
+    const store = getVaultStore("journal");
+
+    const result = await authenticateVaultRequest(bearer(token), config, store.db);
+    expect("error" in result).toBe(false);
+    if (!("error" in result)) {
+      expect(result.permission).toBe("full");
+      expect(result.scopes).toEqual(["vault:journal:write"]);
+    }
+  });
+
+  test("revocation list unreachable on cold start → fail-closed 401 sanitized; full diagnostic routed to console.warn", async () => {
+    seedVault("journal");
+    // Hub is reachable for JWKS but the revocation endpoint 503s. Cold cache
+    // + first-fetch-fail = "unknown" outcome, surfaced as
+    // HubJwtError(code: "revocation_unavailable"). Client gets a code-shaped
+    // sentence; the implementation-detail phrasing ("no last-good cache")
+    // stays in the server-side audit log.
+    fixture.setRevocationFails(true);
+    const token = await signJwt(kp, {
+      iss: fixture.origin,
+      aud: "vault.journal",
+      scope: "vault:journal:read",
+    });
+    const config = readVaultConfig("journal")!;
+    const store = getVaultStore("journal");
+
+    const warnSpy = spyOn(console, "warn").mockImplementation(() => {});
+    try {
+      const result = await authenticateVaultRequest(bearer(token), config, store.db);
+      expect("error" in result).toBe(true);
+      if ("error" in result) {
+        expect(result.error.status).toBe(401);
+        const body = (await result.error.json()) as { error: string; message: string };
+        // Client message: code-shaped, no internals.
+        expect(body.message).toBe("token cannot be validated: revocation list unavailable");
+        // The internal phrase "no last-good cache" is a scope-guard
+        // implementation detail and must not leak into the public response.
+        expect(body.message).not.toContain("last-good cache");
+      }
+      // Audit-log invariant: full diagnostic routed to console.warn so
+      // operators can distinguish cold-start from sustained outage.
+      expect(warnSpy).toHaveBeenCalledTimes(1);
+      const warnArg = warnSpy.mock.calls[0]![0] as string;
+      expect(warnArg).toContain("no last-good cache");
+    } finally {
+      warnSpy.mockRestore();
+    }
+  });
+});

package/src/auth-status.ts

@@ -0,0 +1,84 @@
+/**
+ * Public auth-state probe — read-only summary that lets a first-contact
+ * client decide which token to mint before doing anything authenticated.
+ *
+ * Mirrors the consumer shape that `parachute-hub/src/vault/auth-status.ts`
+ * already computes by snooping vault's filesystem; this endpoint replaces
+ * that out-of-process coupling with an in-process read.
+ *
+ * What gets exposed:
+ *   - `initialized` — at least one vault exists
+ *   - `auth_modes`  — accepted bearer formats (pvt_*, hub-issued JWT)
+ *   - `vaults`      — list of `{ name, url }` for client-side dispatch
+ *   - `hasOwnerPassword`, `hasTotp` — OAuth consent prerequisites
+ *   - `hasTokens`   — boolean | null. `null` ≈ "we couldn't read all DBs,
+ *     don't trust this answer"; `true`/`false` are honest yes/no signals.
+ *
+ * What is deliberately NOT exposed: token counts, hashes, descriptions,
+ * timestamps, owner-password hash, totp secret, backup codes. The endpoint
+ * is unauthenticated — anything sensitive belongs behind /vaults or
+ * /vault/<name>/.
+ */
+
+import { Database } from "bun:sqlite";
+import { existsSync } from "fs";
+import { listVaults, readGlobalConfig, vaultDbPath } from "./config.ts";
+
+export interface AuthStatusResponse {
+  initialized: boolean;
+  auth_modes: ("pvt_token" | "hub_jwt")[];
+  vaults: { name: string; url: string }[];
+  hasOwnerPassword: boolean;
+  hasTotp: boolean;
+  hasTokens: boolean | null;
+}
+
+/**
+ * Probe a single vault's `tokens` table for *existence* (not count). We open
+ * the DB read-only and `LIMIT 1` so we never block a writer or fight for a
+ * lock. Any failure (missing DB, schema drift, lock contention) is the
+ * caller's signal to degrade `hasTokens` to `null`.
+ */
+function vaultHasTokens(dbPath: string): boolean {
+  const db = new Database(dbPath, { readonly: true });
+  try {
+    const row = db.prepare("SELECT 1 FROM tokens LIMIT 1").get();
+    return row !== null && row !== undefined;
+  } finally {
+    db.close();
+  }
+}
+
+function readTokenPresence(vaultNames: string[]): boolean | null {
+  if (vaultNames.length === 0) return false;
+  let any = false;
+  for (const name of vaultNames) {
+    const dbPath = vaultDbPath(name);
+    if (!existsSync(dbPath)) continue;
+    try {
+      if (vaultHasTokens(dbPath)) {
+        any = true;
+        // Don't early-return — keep probing so a later locked DB still
+        // surfaces as `null` rather than a misleading `true`.
+      }
+    } catch {
+      return null;
+    }
+  }
+  return any;
+}
+
+export function buildAuthStatus(): AuthStatusResponse {
+  const globalConfig = readGlobalConfig();
+  const vaultNames = listVaults();
+  return {
+    initialized: vaultNames.length > 0,
+    auth_modes: ["pvt_token", "hub_jwt"],
+    vaults: vaultNames.map((name) => ({ name, url: `/vault/${name}` })),
+    hasOwnerPassword: typeof globalConfig.owner_password_hash === "string"
+      && globalConfig.owner_password_hash.length > 0,
+    hasTotp: typeof globalConfig.totp_secret === "string"
+      && globalConfig.totp_secret.length > 0,
+    hasTokens: readTokenPresence(vaultNames),
+  };
+}