@openparachute/vault 0.6.0 → 0.6.2-rc.1

package/src/init-summary.test.ts

@@ -1,8 +1,14 @@
 /**
  * Tests for `buildInitSummaryLines` — the post-install summary printed at the
- * end of `vault init`. The summary branches on the (addMcp, addToken) decision
- * matrix; these tests cover all four cells plus the token surfacing /
- * Bearer-example rules.
+ * end of `vault init`.
+ *
+ * 2026-06-23 messaging realignment: the site no longer claims "Claude Code is
+ * auto-configured," and init no longer writes ~/.claude.json by default. The
+ * summary now (1) leads with the web setup wizard hand-off and (2) always
+ * surfaces the self-serve connect info — the connector URL plus a
+ * ready-to-paste `claude mcp add` command — so a Claude Code user opts in by
+ * copy-paste rather than via a silent side effect. These tests pin that copy
+ * across the (addMcp, addToken) decision matrix.
  */
 
 import { describe, test, expect } from "bun:test";
@@ -13,6 +19,7 @@ const baseInput = {
   bindHost: "127.0.0.1",
   port: 1940,
   mcpUrl: "http://127.0.0.1:1940/vault/default/mcp",
+  wizardUrl: "http://127.0.0.1:1939/admin/setup",
   vaultName: "default",
 };
 
@@ -21,161 +28,154 @@ function lines(addMcp: boolean, addToken: boolean, apiKey: string | undefined) {
 }
 
 describe("buildInitSummaryLines", () => {
-  describe("MCP=Y + token=Y (most common)", () => {
-    const out = lines(true, true, "pvt_abc123").join("\n");
+  // The wizard hand-off + self-serve connect info are the load-bearing pieces
+  // of the new messaging — they must appear in every branch.
+  describe("always surfaces the wizard + the copy-paste connect info", () => {
+    for (const [addMcp, addToken] of [
+      [true, true],
+      [true, false],
+      [false, true],
+      [false, false],
+    ] as const) {
+      const out = lines(addMcp, addToken, addMcp || addToken ? "pvt_k" : undefined).join("\n");
 
-    test("prints token prominently", () => {
-      expect(out).toContain("Your API token: pvt_abc123");
-    });
+      test(`(addMcp=${addMcp}, addToken=${addToken}) prints the web wizard URL prominently`, () => {
+        expect(out).toContain("Finish setup in your browser:");
+        expect(out).toContain("http://127.0.0.1:1939/admin/setup");
+      });
 
-    test("notes token is baked into ~/.claude.json", () => {
-      expect(out).toContain("Baked into ~/.claude.json for Claude Code");
-    });
+      test(`(addMcp=${addMcp}, addToken=${addToken}) surfaces the connector URL`, () => {
+        expect(out).toContain("http://127.0.0.1:1940/vault/default/mcp");
+      });
 
-    test("includes save-it-now warning", () => {
-      expect(out).toContain("Won't be shown again — save it now.");
+      test(`(addMcp=${addMcp}, addToken=${addToken}) always prints Config: and Server: lines`, () => {
+        expect(out).toContain("Config:   /tmp/parachute");
+        expect(out).toContain("Server:   http://127.0.0.1:1940");
+      });
+    }
+  });
+
+  // The new DEFAULT init path — no MCP write, no token minted (per-user OAuth).
+  // init pointed the operator at the wizard and surfaced the copy-paste connect
+  // info; it did NOT write ~/.claude.json.
+  describe("DEFAULT (addMcp=N, token=N) — wizard hand-off + copy-paste opt-in", () => {
+    const out = lines(false, false, undefined).join("\n");
+
+    test("does NOT claim Claude Code is already wired in", () => {
+      expect(out).not.toContain("already wired in");
+      expect(out).not.toContain("Baked into ~/.claude.json");
     });
 
-    test("includes Bearer curl example", () => {
+    test("offers the ready-to-paste `claude mcp add` opt-in command", () => {
       expect(out).toContain(
-        'curl -H "Authorization: Bearer pvt_abc123" http://localhost:1940/api/notes',
+        "claude mcp add --transport http parachute-vault http://127.0.0.1:1940/vault/default/mcp",
       );
     });
 
-    test("Next steps mentions starting a Claude Code session", () => {
-      expect(out).toContain("Start a new Claude Code session");
-    });
-  });
-
-  describe("MCP=Y + token=N (MCP wired, token not surfaced)", () => {
-    const out = lines(true, false, "pvt_secret").join("\n");
-
-    test("does not print the token prominently", () => {
-      expect(out).not.toContain("pvt_secret");
+    test("points at the guided installer as an alternative", () => {
+      expect(out).toContain("parachute-vault mcp-install");
     });
 
-    test("does not include the 'Baked into' bullet", () => {
-      expect(out).not.toContain("Baked into ~/.claude.json");
+    test("frames OAuth-first connect — no token needed", () => {
+      expect(out).toContain("no token needed, you'll sign in on first use");
     });
 
-    test("includes the mcp-install-later hint", () => {
-      expect(out).toContain("Token in ~/.claude.json");
-      expect(out).toContain("parachute-vault mcp-install");
+    test("offers the scope-narrow opt-in mint for scripts (full vault:<name>:read, never admin)", () => {
+      // Must be the three-segment named-resource form the hub mint-token model
+      // requires — a bare `vault:read` would mint a malformed scope (vault#443).
+      expect(out).toContain("parachute auth mint-token --scope vault:default:read");
+      expect(out).not.toContain("vault:admin");
     });
 
-    test("omits the Bearer curl example", () => {
+    test("does not print any token", () => {
+      expect(out).not.toContain("Your API token:");
+      expect(out).not.toMatch(/pvt_/);
       expect(out).not.toContain("Authorization: Bearer");
     });
 
-    test("still shows the Claude-Code-session next step", () => {
-      expect(out).toContain("Start a new Claude Code session");
+    test("threads a non-default vault name into the mint-token scope + connector URL", () => {
+      const out2 = buildInitSummaryLines({
+        ...baseInput,
+        vaultName: "journal",
+        mcpUrl: "http://127.0.0.1:1940/vault/journal/mcp",
+        addMcp: false,
+        addToken: false,
+        apiKey: undefined,
+      }).join("\n");
+      expect(out2).toContain("parachute auth mint-token --scope vault:journal:read");
+      expect(out2).toContain("http://127.0.0.1:1940/vault/journal/mcp");
     });
   });
 
-  describe("MCP=N + token=Y (token only)", () => {
-    const out = lines(false, true, "pvt_xyz").join("\n");
-
-    test("prints token prominently", () => {
-      expect(out).toContain("Your API token: pvt_xyz");
-    });
-
-    test("omits the 'Baked into' bullet (no claude.json entry written)", () => {
-      expect(out).not.toContain("Baked into ~/.claude.json");
-    });
+  // Opt-in: operator passed --configure-claude-code, so init DID write the entry.
+  describe("opted into MCP write (addMcp=Y, token=N, OAuth)", () => {
+    const out = lines(true, false, undefined).join("\n");
 
-    test("includes Bearer curl example", () => {
-      expect(out).toContain('Authorization: Bearer pvt_xyz');
+    test("tells the user Claude Code is already wired in", () => {
+      expect(out).toContain("Claude Code is already wired in");
     });
 
-    test("Next steps points at any local MCP client", () => {
-      expect(out).toContain("Point any local MCP client");
+    test("still surfaces the connector URL for other clients", () => {
       expect(out).toContain("http://127.0.0.1:1940/vault/default/mcp");
     });
 
-    test("Next steps offers mcp-install as a way back", () => {
-      expect(out).toContain("parachute-vault mcp-install");
+    test("does NOT print or imply any minted token", () => {
+      expect(out).not.toContain("Your API token:");
+      expect(out).not.toContain("Authorization: Bearer");
     });
   });
 
-  // vault#442: the DEFAULT init path — MCP wired, NO token minted (per-user
-  // OAuth). The summary must LEAD with the OAuth connect path, never mint, and
-  // never surface the old "no token issued" failure copy.
-  describe("MCP=Y + no token (vault#442 OAuth default)", () => {
-    const out = lines(true, false, undefined).join("\n");
-
-    test("leads with the OAuth connect message — no token needed", () => {
-      expect(out).toContain("no token needed, you'll sign in on first use");
-    });
-
-    test("tells the user Claude Code is already wired in", () => {
-      expect(out).toContain("Claude Code is already wired in");
-    });
+  describe("opted into MCP write + token minted (addMcp=Y, token=Y)", () => {
+    const out = lines(true, true, "pvt_abc123").join("\n");
 
-    test("shows the OAuth `claude mcp add` command for other clients", () => {
-      expect(out).toContain(
-        "claude mcp add --transport http parachute-vault http://127.0.0.1:1940/vault/default/mcp",
-      );
+    test("prints token prominently", () => {
+      expect(out).toContain("Your API token: pvt_abc123");
     });
 
-    test("offers the scope-narrow opt-in mint for scripts (full vault:<name>:read, never admin)", () => {
-      // Must be the three-segment named-resource form the hub mint-token model
-      // requires — a bare `vault:read` would mint a malformed scope (vault#443).
-      expect(out).toContain("parachute auth mint-token --scope vault:default:read");
-      expect(out).not.toContain("--scope vault:read ");
-      expect(out).not.toMatch(/--scope vault:read$/m);
-      expect(out).not.toContain("vault:admin");
+    test("notes token is baked into ~/.claude.json", () => {
+      expect(out).toContain("Baked into ~/.claude.json for Claude Code");
     });
 
-    test("does NOT print or imply any minted token", () => {
-      expect(out).not.toContain("Your API token:");
-      expect(out).not.toContain("Baked into ~/.claude.json");
-      expect(out).not.toContain("Authorization: Bearer");
+    test("includes save-it-now warning", () => {
+      expect(out).toContain("Won't be shown again — save it now.");
     });
 
-    test("does NOT surface the old no-token-issued failure copy", () => {
-      expect(out).not.toContain("No token issued");
+    test("includes Bearer curl example", () => {
+      expect(out).toContain(
+        'curl -H "Authorization: Bearer pvt_abc123" http://localhost:1940/api/notes',
+      );
     });
 
-    test("threads a non-default vault name into the mint-token scope", () => {
-      const out2 = buildInitSummaryLines({
-        ...baseInput,
-        vaultName: "journal",
-        mcpUrl: "http://127.0.0.1:1940/vault/journal/mcp",
-        addMcp: true,
-        addToken: false,
-        apiKey: undefined,
-      }).join("\n");
-      expect(out2).toContain("parachute auth mint-token --scope vault:journal:read");
-      expect(out2).not.toContain("vault:default:read");
+    test("Next steps mentions starting a Claude Code session", () => {
+      expect(out).toContain("Start a new Claude Code session");
     });
   });
 
-  describe("MCP=N + token=N (OAuth default, Claude Code not wired)", () => {
-    const out = lines(false, false, undefined).join("\n");
+  describe("token only, no MCP write (addMcp=N, token=Y, minted)", () => {
+    const out = lines(false, true, "pvt_xyz").join("\n");
 
-    test("frames skipping the MCP entry as OAuth-first, not 'unreachable'", () => {
-      expect(out).toContain("uses per-user OAuth, no token needed");
-      expect(out).not.toContain("your vault isn't reachable by any client");
+    test("prints token prominently", () => {
+      expect(out).toContain("Your API token: pvt_xyz");
     });
 
-    test("points to mcp-install (no token-minting framing)", () => {
-      expect(out).toContain("parachute-vault mcp-install");
-      expect(out).not.toContain("mints a hub JWT");
+    test("omits the 'Baked into' bullet (no claude.json entry written)", () => {
+      expect(out).not.toContain("Baked into ~/.claude.json");
     });
 
-    test("does not print any token", () => {
-      expect(out).not.toContain("Your API token:");
-      expect(out).not.toMatch(/pvt_/);
+    test("includes Bearer curl example", () => {
+      expect(out).toContain("Authorization: Bearer pvt_xyz");
     });
 
-    test("omits the Bearer curl example", () => {
-      expect(out).not.toContain("Authorization: Bearer");
+    test("surfaces the connector URL + a copy-paste Claude Code opt-in", () => {
+      expect(out).toContain("http://127.0.0.1:1940/vault/default/mcp");
+      expect(out).toContain(
+        "claude mcp add --transport http parachute-vault http://127.0.0.1:1940/vault/default/mcp",
+      );
     });
   });
 
-  // Explicit opt-in but no hub reachable to mint (vault#282 Stage 2 path,
-  // reached only when the operator passes --token without a hub).
-  describe("MCP=N + token=Y but no hub (opt-in mint failed, standalone)", () => {
+  // Explicit opt-in to a token but no hub reachable to mint (vault#282 Stage 2).
+  describe("token opt-in but no hub (standalone, mint failed)", () => {
     const out = buildInitSummaryLines({
       ...baseInput,
       addMcp: false,
@@ -198,12 +198,14 @@ describe("buildInitSummaryLines", () => {
     test("does NOT claim the vault is reachable (no hub present)", () => {
       expect(out).not.toContain("Your vault is still reachable");
     });
+
+    test("still surfaces the connector URL for self-serve connect", () => {
+      expect(out).toContain("http://127.0.0.1:1940/vault/default/mcp");
+    });
   });
 
-  // #445: opted into a token, none minted, but a HUB IS PRESENT. The vault is
-  // reachable via the hub's browser OAuth flow even with no header-auth token,
-  // so the standalone "isn't reachable" framing would be false here.
-  describe("MCP=N + token=Y, no token minted, but hub present (#445)", () => {
+  // #445: opted into a token, none minted, but a HUB IS PRESENT.
+  describe("token opt-in, none minted, hub present (#445)", () => {
     const out = buildInitSummaryLines({
       ...baseInput,
       addMcp: false,
@@ -227,22 +229,20 @@ describe("buildInitSummaryLines", () => {
       expect(out).not.toContain("Once a hub is running");
       expect(out).not.toContain("VAULT_AUTH_TOKEN");
     });
-
-    test("never claims the vault isn't reachable by any client", () => {
-      expect(out).not.toContain("isn't reachable by any client");
-    });
   });
 
-  test("always prints Config: and Server: lines", () => {
-    for (const [addMcp, addToken] of [
-      [true, true],
-      [true, false],
-      [false, true],
-      [false, false],
-    ] as const) {
-      const out = lines(addMcp, addToken, addMcp || addToken ? "pvt_k" : undefined).join("\n");
-      expect(out).toContain("Config:   /tmp/parachute");
-      expect(out).toContain("Server:   http://127.0.0.1:1940");
-    }
+  // Defensive: the summary must still render coherently if no wizard URL is
+  // supplied (e.g. an older caller / a hub-origin resolution failure).
+  test("omits the wizard hand-off cleanly when wizardUrl is absent", () => {
+    const out = buildInitSummaryLines({
+      ...baseInput,
+      wizardUrl: undefined,
+      addMcp: false,
+      addToken: false,
+      apiKey: undefined,
+    }).join("\n");
+    expect(out).not.toContain("Finish setup in your browser:");
+    // The connect info is still surfaced.
+    expect(out).toContain("http://127.0.0.1:1940/vault/default/mcp");
   });
 });

package/src/init-summary.ts

@@ -5,13 +5,32 @@
  */
 
 export type InitSummaryInput = {
+  /**
+   * Whether init WROTE the Claude Code MCP config (~/.claude.json) this run.
+   * As of 2026-06-23 this is opt-in (default false) — init's primary job is to
+   * point the operator at the web setup wizard and surface the self-serve
+   * connect info, not to write a config file as a side effect.
+   */
   addMcp: boolean;
   addToken: boolean;
   apiKey: string | undefined;
   configDir: string;
   bindHost: string;
   port: number;
+  /**
+   * The vault's MCP connector URL — `<hub-origin>/vault/<name>/mcp` (hub-origin
+   * / expose-state aware). Surfaced in the summary for self-serve copy-paste:
+   * a ready-to-run `claude mcp add ...` command is built from it so a Claude
+   * Code user can opt in by pasting one line, AND it's printed plain so any
+   * other MCP client can be pointed at it.
+   */
   mcpUrl: string;
+  /**
+   * The web setup wizard URL — `<hub-origin>/admin/setup`. init's primary job
+   * is to get the operator into this wizard, so it's printed prominently at the
+   * top of the summary.
+   */
+  wizardUrl?: string | undefined;
   /**
    * The default vault's name — used to emit the three-segment
    * `vault:<vaultName>:read` scope in the OAuth-first mint-token suggestion
@@ -22,8 +41,8 @@ export type InitSummaryInput = {
   /**
    * Guidance from the bootstrap-credential step when no token could be issued
    * (standalone install, no hub reachable — vault#282 Stage 2). Surfaced when
-   * the operator wanted a token (`addMcp || addToken`) but `apiKey` is
-   * undefined, so they know why and how to make the vault reachable.
+   * the operator wanted a token (`addToken`) but `apiKey` is undefined, so they
+   * know why and how to make the vault reachable.
    */
   noTokenGuidance?: string | undefined;
   /**
@@ -38,54 +57,66 @@ export type InitSummaryInput = {
 };
 
 /**
- * Build the post-install summary lines for `vault init`, branched on the
- * (addMcp, addToken, apiKey) decision matrix.
+ * Build the post-install summary lines for `vault init`.
+ *
+ * 2026-06-23 messaging realignment: the site no longer claims "Claude Code is
+ * auto-configured," and init no longer writes `~/.claude.json` by default.
+ * init's job is to (1) point the operator at the web setup wizard, and
+ * (2) SURFACE the self-serve connect info — the connector URL + a ready-to-paste
+ * `claude mcp add ...` line — so a Claude Code user opts in by copy-paste rather
+ * than a silent side effect.
  *
- * vault#442: the DEFAULT is per-user OAuth — no token is minted, and the
- * Claude Code MCP entry is written without a baked bearer (browser sign-in on
- * first connect). A token is minted only on explicit opt-in (`addToken`), and
- * then scope-narrow. Branches:
+ * The summary is built in three parts:
+ *   1. Wizard hand-off (always) — "finish setup in your browser: <wizardUrl>".
+ *   2. Connect-your-AI block — the connector URL + copy-paste `claude mcp add`,
+ *      branched on whether init wrote the MCP entry / minted a token.
+ *   3. Config / server / next-steps footer.
  *
- *   addMcp,  !apiKey            → OAuth-first: connect, sign in on first use
- *   addMcp,  addToken,  apiKey  → token baked into claude.json + printed
- *   addMcp,  !addToken, apiKey  → token baked into claude.json, hint
- *   !addMcp, addToken,  apiKey  → token printed prominently
- *   !addMcp, addToken,  !apiKey → opted into a token but no hub reachable
- *   !addMcp, !addToken          → OAuth-first: add Claude Code later
+ * vault#442: per-user OAuth is the default — no token is minted unless the
+ * operator opts in (`addToken`), and then it's scope-narrow.
  */
 export function buildInitSummaryLines(input: InitSummaryInput): string[] {
-  const { addMcp, addToken, apiKey, configDir, bindHost, port, mcpUrl, vaultName, noTokenGuidance, hubPresent } = input;
+  const { addMcp, addToken, apiKey, configDir, bindHost, port, mcpUrl, wizardUrl, vaultName, noTokenGuidance, hubPresent } = input;
   const lines: string[] = [];
   lines.push("");
   lines.push("---");
 
-  if (addMcp && apiKey && addToken) {
+  // 1. Wizard hand-off — the primary purpose of init is to get the operator
+  // into the web setup wizard. Lead with it.
+  if (wizardUrl) {
     lines.push("");
-    lines.push(`Your API token: ${apiKey}`);
-    lines.push(`  - Baked into ~/.claude.json for Claude Code ✓`);
-    lines.push(`  - Paste into your other MCP client's config, or use as Authorization: Bearer <token>`);
-    lines.push(`  - Won't be shown again — save it now.`);
-  } else if (addMcp && apiKey && !addToken) {
-    lines.push("");
-    lines.push(
-      "Token in ~/.claude.json; run `parachute-vault mcp-install` later if you need one for other clients.",
-    );
-  } else if (addMcp && !apiKey) {
-    // vault#442 default: OAuth-first. The MCP entry is wired without a bearer —
-    // Claude Code signs in via browser OAuth on first connect. No token needed.
-    lines.push("");
-    lines.push("Connect your AI — no token needed, you'll sign in on first use:");
-    lines.push(`  Claude Code is already wired in (~/.claude.json) — just start a session.`);
-    lines.push(`  Other clients: claude mcp add --transport http parachute-vault ${mcpUrl}`);
-    lines.push(`  Need a header-auth token for a script? parachute auth mint-token --scope vault:${vaultName}:read`);
-  } else if (!addMcp && addToken && apiKey) {
+    lines.push("Finish setup in your browser:");
+    lines.push(`  ${wizardUrl}`);
+  }
+
+  // The copy-paste opt-in line for Claude Code (and any client that speaks the
+  // `claude mcp add` form). Built from the connector URL so it's the real
+  // endpoint, hub-origin aware.
+  const claudeAddCmd = `claude mcp add --transport http parachute-vault ${mcpUrl}`;
+
+  // 2. Connect-your-AI — surface the self-serve connect info every time.
+  if (addToken && apiKey) {
+    // Operator opted into a header-auth token AND it was minted. Surface it
+    // prominently (won't be shown again), plus the connector URL.
     lines.push("");
     lines.push(`Your API token: ${apiKey}`);
-    lines.push(`  - Paste into your other MCP client's config, or use as Authorization: Bearer <token>`);
+    if (addMcp) {
+      lines.push(`  - Baked into ~/.claude.json for Claude Code ✓`);
+    }
+    lines.push(`  - Paste into another MCP client's config, or use as Authorization: Bearer <token>`);
     lines.push(`  - Won't be shown again — save it now.`);
-  } else if (!addMcp && addToken && !apiKey) {
+    lines.push("");
+    lines.push("Connector URL (point any MCP client here):");
+    lines.push(`  ${mcpUrl}`);
+    if (!addMcp) {
+      lines.push("");
+      lines.push("Add Claude Code by copy-paste:");
+      lines.push(`  ${claudeAddCmd}`);
+    }
+  } else if (addToken && !apiKey) {
     // Explicitly opted into a token but none was minted (vault#282 Stage 2 —
-    // vault no longer mints local pvt_* tokens). Surface why + recovery.
+    // vault no longer mints local pvt_* tokens). Surface why + recovery, then
+    // still print the self-serve connect info.
     lines.push("");
     lines.push(
       noTokenGuidance ??
@@ -113,15 +144,23 @@ export function buildInitSummaryLines(input: InitSummaryInput): string[] {
         "  or set VAULT_AUTH_TOKEN for an operator-channel bearer.",
       );
     }
-  } else if (!addMcp && !addToken) {
-    // OAuth-first, but the operator skipped wiring Claude Code too.
     lines.push("");
-    lines.push(
-      "Skipped the Claude Code MCP entry. Add it anytime — it uses per-user OAuth, no token needed:",
-    );
-    lines.push(
-      "  parachute-vault mcp-install",
-    );
+    lines.push("Connect your AI — no token needed, you'll sign in on first use:");
+    lines.push(`  Connector URL:  ${mcpUrl}`);
+    lines.push(`  Claude Code:    ${claudeAddCmd}`);
+  } else {
+    // Default path (no token). Per-user OAuth — sign in on first connect.
+    lines.push("");
+    lines.push("Connect your AI — no token needed, you'll sign in on first use:");
+    lines.push(`  Connector URL:  ${mcpUrl}`);
+    if (addMcp) {
+      lines.push(`  Claude Code is already wired in (~/.claude.json) — just start a session.`);
+      lines.push(`  Other clients: ${claudeAddCmd}`);
+    } else {
+      lines.push(`  Claude Code:    ${claudeAddCmd}`);
+      lines.push(`  Other clients (Codex, Goose, OpenCode, Cursor, Zed, Cline): point them at the connector URL above.`);
+    }
+    lines.push(`  Need a header-auth token for a script? parachute auth mint-token --scope vault:${vaultName}:read`);
   }
 
   lines.push("");
@@ -137,19 +176,15 @@ export function buildInitSummaryLines(input: InitSummaryInput): string[] {
 
   lines.push("");
   lines.push(`Next steps:`);
+  if (wizardUrl) {
+    lines.push(`  - Finish setup in the web wizard:  ${wizardUrl}`);
+  }
   if (addMcp) {
     lines.push(`  - Start a new Claude Code session — your Vault is already wired in. Try:`);
     lines.push(`      claude "Help me set up my parachute vault"`);
-    lines.push(`  - Or point any other local MCP client (Codex, Goose, OpenCode, Cursor,`);
-    lines.push(`    Zed, Cline, your own agent) at:`);
-    lines.push(`      ${mcpUrl}`);
-  } else if (addToken) {
-    lines.push(`  - Point any local MCP client (Codex, Goose, OpenCode, Cursor, Zed,`);
-    lines.push(`    Cline, your own agent) at:`);
-    lines.push(`      ${mcpUrl}`);
-    lines.push(`  - Or add Claude Code back anytime:  parachute-vault mcp-install`);
   } else {
-    lines.push(`  - Add Claude Code:  parachute-vault mcp-install`);
+    lines.push(`  - Wire Claude Code (copy-paste):    ${claudeAddCmd}`);
+    lines.push(`    or run the guided installer:      parachute-vault mcp-install`);
   }
   lines.push(`  - Check status:     parachute-vault status`);
   lines.push(`  - Edit config:      parachute-vault config`);