@openparachute/vault 0.6.1 → 0.6.2-rc.1

package/README.md

@@ -22,7 +22,7 @@ bun install
 bun src/cli.ts vault init
 ```
 
-`vault init` creates a vault, generates an API key, starts a background daemon (launchd on Mac, systemd on Linux), and configures Claude Code's MCP — all in one command. Start a new Claude Code session and your vault's tools show up. For other local MCP clients (Codex, Goose, OpenCode, Cursor, Zed, Cline, your own agent), point them at `http://127.0.0.1:1940/vault/default/mcp` — the API key is printed once at init; save it for anything that isn't Claude Code.
+`vault init` creates a vault, starts a background daemon (launchd on Mac, systemd on Linux), and prints how to connect your AI — the web setup wizard URL, your vault's connector URL (`http://127.0.0.1:1940/vault/default/mcp`), and a ready-to-paste `claude mcp add` command. It does **not** write any client config for you by default. Pass `--configure-claude-code` if you want init to add the Claude Code MCP entry; pass `--token` if you also need a header-auth API token for non-OAuth clients (Codex, Goose, OpenCode, Cursor, Zed, Cline, scripts, `curl`). OAuth-capable clients just need the connector URL and sign in on first connect.
 
 For remote access from Claude Desktop or mobile apps, see [Deployment](#deployment) below.
 
@@ -93,11 +93,11 @@ The daemon binds `0.0.0.0:1940` (or whatever you set in `PORT`) and serves REST,
 
 ### `~/.claude.json`
 
-`vault init` adds one entry — `mcpServers["parachute-vault"]` — pointing at `http://127.0.0.1:<port>/vault/<default-vault>/mcp` with a baked-in `Authorization: Bearer <hub-jwt>` header (a hub-minted JWT — vault#282 Stage 2). Next Claude Code session picks it up; there's no further wiring. See [Connecting a client](#connecting-a-client) for rotating that token or pointing it elsewhere.
+When you opt in (`--configure-claude-code`), `vault init` adds one entry — `mcpServers["parachute-vault"]` — pointing at `http://127.0.0.1:<port>/vault/<default-vault>/mcp`. By default that entry uses OAuth (browser sign-in on first connect); add `--token` and init bakes a scope-narrow `Authorization: Bearer <hub-jwt>` header instead (a hub-minted JWT — vault#282 Stage 2). Next Claude Code session picks it up. See [Connecting a client](#connecting-a-client) for rotating that token or pointing it elsewhere.
 
 ### Your API token
 
-`vault init` asks two explicit questions: (1) install vault as an MCP server in `~/.claude.json`? (2) also surface the access token so you can paste it into other MCP clients (Codex, Goose, OpenCode, Cursor, Zed, Cline), scripts, or `curl`? Both default yes. Pass `--mcp` / `--no-mcp` and `--token` / `--no-token` for non-interactive installs.
+`vault init` asks two explicit questions: (1) write the Claude Code MCP entry in `~/.claude.json`? (2) also mint + surface a header-auth API token so you can paste it into non-OAuth MCP clients (Codex, Goose, OpenCode, Cursor, Zed, Cline), scripts, or `curl`? **Both default no** — init's job is to get you to the web wizard and print the connector URL + a paste-ready `claude mcp add` command, not to write client config behind your back. Opt in with `--configure-claude-code` (alias `--mcp`) and/or `--token`; `--no-mcp` / `--no-token` are the explicit opt-outs for non-interactive installs.
 
 If you said yes to (2), the hub-issued JWT is printed prominently at the end — it's the same token baked into `~/.claude.json` (if you also said yes to (1)). It's not stored anywhere retrievable — save it if you need it for `curl`, cron, or any other script. Lost it? Mint a fresh one with `parachute auth mint-token --scope vault:<name>:<verb>` (or rewire an MCP client with `parachute-vault mcp-install`, or use the admin SPA Tokens page). As of vault 0.5.0 (vault#282 Stage 2) vault no longer mints its own `pvt_*` tokens — minting is the hub's job.
 
@@ -126,7 +126,7 @@ As of 0.5.0 (vault#282 Stage 2) vault is a **pure hub resource-server**: both pa
 
 ### Claude Code
 
-`vault init` fully auto-configures `~/.claude.json` — there's nothing else to do. The entry it writes bakes in a hub-minted JWT rather than running the interactive OAuth browser flow:
+`vault init` does **not** touch `~/.claude.json` by default — connecting is self-serve (paste the `claude mcp add` command init prints, or add the connector in your client). To have init write the entry for you, pass `--configure-claude-code`. The entry it writes uses OAuth by default (browser sign-in on first connect); add `--token` and it bakes a scope-narrow hub-minted JWT instead:
 
 ```json
 {
@@ -140,9 +140,9 @@ As of 0.5.0 (vault#282 Stage 2) vault is a **pure hub resource-server**: both pa
 }
 ```
 
-Where `{name}` is `default` on a fresh install, or whatever vault you pointed `vault init` at. **First MCP call after `vault init` requires no browser handoff — Claude Code uses the baked-in token and the vault's tools show up in your next session.** This is intentional: for an owner connecting their own machine's vault to their own Claude Code, the token is already there and the OAuth browser handshake would add friction.
+Where `{name}` is `default` on a fresh install, or whatever vault you pointed `vault init` at. **With `--configure-claude-code --token`, the first MCP call needs no browser handoff** — Claude Code uses the baked-in token and the vault's tools show up in your next session. Without `--token`, the opted-in entry uses OAuth and Claude Code does a one-time browser sign-in on first connect. This is a deliberate trade: OAuth-first by default (no long-lived token sitting in a dotfile), with the baked-token path one flag away for an owner wiring their own machine.
 
-To re-point Claude Code at a different vault, change `default_vault` in `~/.parachute/vault/config.yaml` and re-run `parachute-vault init` — which re-mints an API token and re-writes the `~/.claude.json` entry end-to-end. To rotate the token only, run `parachute-vault mcp-install` (defaults to `--mint`, which mints a fresh scope-narrow hub JWT via `~/.parachute/operator.token` and writes it into `~/.claude.json` with an `Authorization: Bearer …` header). See the [cookbook](#install-vault-mcp-into-a-client-config) section below for the full flag surface — token paste, scope narrowing, project-level install, multi-vault.
+To re-point Claude Code at a different vault, change `default_vault` in `~/.parachute/vault/config.yaml` and re-run `parachute-vault init --configure-claude-code` (add `--token` to bake a fresh token). To rotate the token only, run `parachute-vault mcp-install` (defaults to `--mint`, which mints a fresh scope-narrow hub JWT via `~/.parachute/operator.token` and writes it into `~/.claude.json` with an `Authorization: Bearer …` header). See the [cookbook](#install-vault-mcp-into-a-client-config) section below for the full flag surface — token paste, scope narrowing, project-level install, multi-vault.
 
 ### Claude Desktop (OAuth)
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openparachute/vault",
-  "version": "0.6.1",
+  "version": "0.6.2-rc.1",
   "description": "Agent-native knowledge graph. Notes, tags, links over MCP.",
   "module": "src/cli.ts",
   "type": "module",

package/src/cli.ts

@@ -57,6 +57,7 @@ import {
   buildMcpEntryPlan,
   chooseHubOrigin,
   chooseMcpUrl,
+  DEFAULT_HUB_LOOPBACK_PORT,
   detectHubPresence,
   detectInstallContext,
   mintHubJwt,
@@ -258,21 +259,60 @@ switch (command) {
 // Command implementations
 // ---------------------------------------------------------------------------
 
+/**
+ * Resolve the origin to use for the web setup wizard link (`<origin>/admin/setup`).
+ *
+ * The wizard is served by the HUB, not by vault, so the loopback fallback must
+ * target the hub's fixed loopback port (1939 / $PARACHUTE_HUB_PORT) — NOT
+ * vault's listen port. `chooseHubOrigin` returns vault's loopback as its
+ * fallback, so we only reuse it when a real (env / expose-state) hub origin is
+ * configured; otherwise we synthesize the hub's loopback URL.
+ *
+ * `vaultPort` is vault's listen port — passed only so `chooseHubOrigin`'s
+ * loopback branch is well-formed; we discard that loopback URL in favor of the
+ * hub-port one.
+ */
+function resolveHubOriginForWizard(vaultPort: number): string {
+  const { url, source } = chooseHubOrigin(vaultPort);
+  if (source === "loopback") {
+    // Guard against a non-numeric PARACHUTE_HUB_PORT producing
+    // `http://127.0.0.1:NaN` — mirror detectHubPresence's Number.isFinite guard.
+    const envPort = process.env.PARACHUTE_HUB_PORT
+      ? Number(process.env.PARACHUTE_HUB_PORT)
+      : undefined;
+    const hubPort = Number.isFinite(envPort) ? (envPort as number) : DEFAULT_HUB_LOOPBACK_PORT;
+    return `http://127.0.0.1:${hubPort}`;
+  }
+  return url;
+}
+
 async function cmdInit(args: string[] = []) {
   ensureConfigDirSync();
 
-  // Flags: --mcp installs MCP in ~/.claude.json without prompting;
-  // --no-mcp skips it without prompting. If both passed, --no-mcp wins
-  // (safer default). Neither → prompt in a TTY, default-yes in a
-  // non-TTY for back-compat with existing piped install scripts.
+  // Writing the Claude Code MCP config (~/.claude.json) is now OPT-IN
+  // (2026-06-23). init's primary job is to get the operator to the hub's
+  // web setup wizard and SURFACE the self-serve connection info (connector
+  // URL + a ready-to-paste `claude mcp add` command), NOT to silently write
+  // a config file as a side effect of setup. The site no longer claims
+  // "Claude Code is auto-configured," so the install code stops doing it by
+  // default.
+  //
+  // Opt in with --configure-claude-code (aliases --mcp-install, --mcp) to
+  // have init write the entry for you. --no-mcp is retained as the explicit
+  // "definitely don't" form (and wins if both are passed — safer default).
+  // The standalone `parachute-vault mcp-install` command is unchanged — it
+  // remains the canonical explicit opt-in path.
   //
-  // --token / --no-token follow the same pattern for whether the API
-  // token is surfaced to the user at the end of init (for pasting into
-  // other MCP clients, scripts, or curl).
+  // --token / --no-token control whether init ALSO mints + surfaces a
+  // header-auth API token (for pasting into non-OAuth MCP clients, scripts,
+  // or curl). Default stays off.
   //
   // --vault-name <name> skips the name prompt for non-interactive installs
   // (validated up front; exits non-zero on invalid input).
-  const flagMcpOn = args.includes("--mcp");
+  const flagMcpOn =
+    args.includes("--configure-claude-code") ||
+    args.includes("--mcp-install") ||
+    args.includes("--mcp");
   const flagMcpOff = args.includes("--no-mcp");
   const flagTokenOn = args.includes("--token");
   const flagTokenOff = args.includes("--no-token");
@@ -507,19 +547,28 @@ async function cmdInit(args: string[] = []) {
   const bindHost = resolveBindHostname(process.env);
   console.log(`  Listening on http://${bindHost}:${globalConfig.port || DEFAULT_PORT}`);
 
-  // 7. Install MCP for Claude Code (with token for auth) — user confirms
-  // unless --mcp / --no-mcp explicitly passed. Writing to ~/.claude.json
-  // is a side effect some users don't want; default-yes in a TTY since
-  // most users installing vault want Claude Code to see it, but ask.
+  // 7. Optionally write the Claude Code MCP config (~/.claude.json). This is
+  // OPT-IN as of 2026-06-23 (see the flag-parsing note above). init's job is
+  // to point the operator at the web wizard + surface the self-serve connect
+  // info; it does NOT write ~/.claude.json by default. Resolution:
+  //   --no-mcp                          → false (explicit "don't")
+  //   --configure-claude-code / --mcp   → true  (explicit opt-in)
+  //   TTY, no flag                      → ask (default NO — opt-in, not -out)
+  //   non-TTY, no flag                  → false (no silent side effect in
+  //                                       piped installs; the connect info is
+  //                                       printed for copy-paste instead)
   let addMcp: boolean;
   if (flagMcpOff) {
     addMcp = false;
   } else if (flagMcpOn) {
     addMcp = true;
   } else if (process.stdin.isTTY) {
-    addMcp = await confirm("Install Vault as an MCP server in Claude Code (~/.claude.json)?", true);
+    addMcp = await confirm(
+      "Also write the Claude Code MCP config now (~/.claude.json)? (you can always copy-paste the command below later)",
+      false,
+    );
   } else {
-    addMcp = true; // non-interactive: preserve the installable-via-pipe default
+    addMcp = false; // non-interactive: no silent ~/.claude.json write
   }
 
   // 7b. Mint an API token for the header-auth / script use case? (Codex,
@@ -583,14 +632,22 @@ async function cmdInit(args: string[] = []) {
     if (!apiKey) {
       console.log(`  No token baked in — you'll sign in via OAuth on first connect.`);
     }
-  } else {
-    console.log("  Skipped adding MCP to ~/.claude.json.");
-    console.log("  Run `parachute-vault mcp-install` later if you want it.");
   }
+  // No else: when the operator didn't opt in, the init summary below surfaces
+  // the connector URL + a copy-paste `claude mcp add` command instead of a
+  // "skipped" line — that's the self-serve path.
 
   // 8. Summary
   const port = globalConfig.port || DEFAULT_PORT;
-  const mcpUrl = `http://127.0.0.1:${port}/vault/${defaultVault}/mcp`;
+  // Connector URL surfaced for self-serve copy-paste. Hub-origin / expose-state
+  // aware (chooseMcpUrl), so it's the URL a remote Claude Code / other client
+  // actually reaches, not a bare loopback. The init-summary prints a
+  // ready-to-paste `claude mcp add ...` built from this.
+  const { url: connectorUrl } = chooseMcpUrl(defaultVault, port);
+  // Web setup wizard lives on the hub at <hub-origin>/admin/setup. Resolve the
+  // hub origin the same way (env / expose-state / loopback); the loopback form
+  // points at the co-located hub's fixed port (1939), not vault's listen port.
+  const wizardUrl = `${resolveHubOriginForWizard(port)}/admin/setup`;
   // Probe whether a hub is present so the summary's "opted into a token but
   // none minted" copy reflects reality: under a hub the vault is reachable via
   // browser OAuth even with no header-auth token (#445). Only matters for the
@@ -603,7 +660,8 @@ async function cmdInit(args: string[] = []) {
     configDir: CONFIG_DIR,
     bindHost,
     port,
-    mcpUrl,
+    mcpUrl: connectorUrl,
+    wizardUrl,
     vaultName: defaultVault,
     noTokenGuidance: credentialGuidance,
     hubPresent,
@@ -3714,12 +3772,19 @@ data, and debugging.
 ── Standard use ───────────────────────────────────────────────────────
 
 Setup:
-  parachute-vault init [--mcp|--no-mcp] [--token|--no-token] [--vault-name <name>]
-                       [--autostart|--no-autostart]
-                                           Set up everything (one command, idempotent).
-                                           --mcp/--no-mcp controls the Claude Code MCP entry (written
-                                           for per-user OAuth by default — no baked token; sign in on
-                                           first connect). --token opts into ALSO minting a scope-narrow
+  parachute-vault init [--configure-claude-code|--no-mcp] [--token|--no-token]
+                       [--vault-name <name>] [--autostart|--no-autostart]
+                                           Set up everything (one command, idempotent). init's
+                                           job is to get you to the web setup wizard and surface
+                                           your connector URL + a ready-to-paste \`claude mcp add\`
+                                           command — it does NOT write the Claude Code MCP config
+                                           (~/.claude.json) by default. Pass --configure-claude-code
+                                           (alias --mcp-install / --mcp) to opt in and have init
+                                           write that entry for you (per-user OAuth — no baked token;
+                                           sign in on first connect); --no-mcp is the explicit "don't".
+                                           The standalone \`parachute-vault mcp-install\` command remains
+                                           the canonical way to wire Claude Code anytime.
+                                           --token opts into ALSO minting a scope-narrow
                                            header-auth token (vault:<name>:read) for non-OAuth clients /
                                            scripts; --no-token (the default) skips minting entirely.
                                            --vault-name skips the prompt and names the vault

package/src/init-summary.test.ts

@@ -1,8 +1,14 @@
 /**
  * Tests for `buildInitSummaryLines` — the post-install summary printed at the
- * end of `vault init`. The summary branches on the (addMcp, addToken) decision
- * matrix; these tests cover all four cells plus the token surfacing /
- * Bearer-example rules.
+ * end of `vault init`.
+ *
+ * 2026-06-23 messaging realignment: the site no longer claims "Claude Code is
+ * auto-configured," and init no longer writes ~/.claude.json by default. The
+ * summary now (1) leads with the web setup wizard hand-off and (2) always
+ * surfaces the self-serve connect info — the connector URL plus a
+ * ready-to-paste `claude mcp add` command — so a Claude Code user opts in by
+ * copy-paste rather than via a silent side effect. These tests pin that copy
+ * across the (addMcp, addToken) decision matrix.
  */
 
 import { describe, test, expect } from "bun:test";
@@ -13,6 +19,7 @@ const baseInput = {
   bindHost: "127.0.0.1",
   port: 1940,
   mcpUrl: "http://127.0.0.1:1940/vault/default/mcp",
+  wizardUrl: "http://127.0.0.1:1939/admin/setup",
   vaultName: "default",
 };
 
@@ -21,161 +28,154 @@ function lines(addMcp: boolean, addToken: boolean, apiKey: string | undefined) {
 }
 
 describe("buildInitSummaryLines", () => {
-  describe("MCP=Y + token=Y (most common)", () => {
-    const out = lines(true, true, "pvt_abc123").join("\n");
+  // The wizard hand-off + self-serve connect info are the load-bearing pieces
+  // of the new messaging — they must appear in every branch.
+  describe("always surfaces the wizard + the copy-paste connect info", () => {
+    for (const [addMcp, addToken] of [
+      [true, true],
+      [true, false],
+      [false, true],
+      [false, false],
+    ] as const) {
+      const out = lines(addMcp, addToken, addMcp || addToken ? "pvt_k" : undefined).join("\n");
 
-    test("prints token prominently", () => {
-      expect(out).toContain("Your API token: pvt_abc123");
-    });
+      test(`(addMcp=${addMcp}, addToken=${addToken}) prints the web wizard URL prominently`, () => {
+        expect(out).toContain("Finish setup in your browser:");
+        expect(out).toContain("http://127.0.0.1:1939/admin/setup");
+      });
 
-    test("notes token is baked into ~/.claude.json", () => {
-      expect(out).toContain("Baked into ~/.claude.json for Claude Code");
-    });
+      test(`(addMcp=${addMcp}, addToken=${addToken}) surfaces the connector URL`, () => {
+        expect(out).toContain("http://127.0.0.1:1940/vault/default/mcp");
+      });
 
-    test("includes save-it-now warning", () => {
-      expect(out).toContain("Won't be shown again — save it now.");
+      test(`(addMcp=${addMcp}, addToken=${addToken}) always prints Config: and Server: lines`, () => {
+        expect(out).toContain("Config:   /tmp/parachute");
+        expect(out).toContain("Server:   http://127.0.0.1:1940");
+      });
+    }
+  });
+
+  // The new DEFAULT init path — no MCP write, no token minted (per-user OAuth).
+  // init pointed the operator at the wizard and surfaced the copy-paste connect
+  // info; it did NOT write ~/.claude.json.
+  describe("DEFAULT (addMcp=N, token=N) — wizard hand-off + copy-paste opt-in", () => {
+    const out = lines(false, false, undefined).join("\n");
+
+    test("does NOT claim Claude Code is already wired in", () => {
+      expect(out).not.toContain("already wired in");
+      expect(out).not.toContain("Baked into ~/.claude.json");
     });
 
-    test("includes Bearer curl example", () => {
+    test("offers the ready-to-paste `claude mcp add` opt-in command", () => {
       expect(out).toContain(
-        'curl -H "Authorization: Bearer pvt_abc123" http://localhost:1940/api/notes',
+        "claude mcp add --transport http parachute-vault http://127.0.0.1:1940/vault/default/mcp",
       );
     });
 
-    test("Next steps mentions starting a Claude Code session", () => {
-      expect(out).toContain("Start a new Claude Code session");
-    });
-  });
-
-  describe("MCP=Y + token=N (MCP wired, token not surfaced)", () => {
-    const out = lines(true, false, "pvt_secret").join("\n");
-
-    test("does not print the token prominently", () => {
-      expect(out).not.toContain("pvt_secret");
+    test("points at the guided installer as an alternative", () => {
+      expect(out).toContain("parachute-vault mcp-install");
     });
 
-    test("does not include the 'Baked into' bullet", () => {
-      expect(out).not.toContain("Baked into ~/.claude.json");
+    test("frames OAuth-first connect — no token needed", () => {
+      expect(out).toContain("no token needed, you'll sign in on first use");
     });
 
-    test("includes the mcp-install-later hint", () => {
-      expect(out).toContain("Token in ~/.claude.json");
-      expect(out).toContain("parachute-vault mcp-install");
+    test("offers the scope-narrow opt-in mint for scripts (full vault:<name>:read, never admin)", () => {
+      // Must be the three-segment named-resource form the hub mint-token model
+      // requires — a bare `vault:read` would mint a malformed scope (vault#443).
+      expect(out).toContain("parachute auth mint-token --scope vault:default:read");
+      expect(out).not.toContain("vault:admin");
     });
 
-    test("omits the Bearer curl example", () => {
+    test("does not print any token", () => {
+      expect(out).not.toContain("Your API token:");
+      expect(out).not.toMatch(/pvt_/);
       expect(out).not.toContain("Authorization: Bearer");
     });
 
-    test("still shows the Claude-Code-session next step", () => {
-      expect(out).toContain("Start a new Claude Code session");
+    test("threads a non-default vault name into the mint-token scope + connector URL", () => {
+      const out2 = buildInitSummaryLines({
+        ...baseInput,
+        vaultName: "journal",
+        mcpUrl: "http://127.0.0.1:1940/vault/journal/mcp",
+        addMcp: false,
+        addToken: false,
+        apiKey: undefined,
+      }).join("\n");
+      expect(out2).toContain("parachute auth mint-token --scope vault:journal:read");
+      expect(out2).toContain("http://127.0.0.1:1940/vault/journal/mcp");
     });
   });
 
-  describe("MCP=N + token=Y (token only)", () => {
-    const out = lines(false, true, "pvt_xyz").join("\n");
-
-    test("prints token prominently", () => {
-      expect(out).toContain("Your API token: pvt_xyz");
-    });
-
-    test("omits the 'Baked into' bullet (no claude.json entry written)", () => {
-      expect(out).not.toContain("Baked into ~/.claude.json");
-    });
+  // Opt-in: operator passed --configure-claude-code, so init DID write the entry.
+  describe("opted into MCP write (addMcp=Y, token=N, OAuth)", () => {
+    const out = lines(true, false, undefined).join("\n");
 
-    test("includes Bearer curl example", () => {
-      expect(out).toContain('Authorization: Bearer pvt_xyz');
+    test("tells the user Claude Code is already wired in", () => {
+      expect(out).toContain("Claude Code is already wired in");
     });
 
-    test("Next steps points at any local MCP client", () => {
-      expect(out).toContain("Point any local MCP client");
+    test("still surfaces the connector URL for other clients", () => {
       expect(out).toContain("http://127.0.0.1:1940/vault/default/mcp");
     });
 
-    test("Next steps offers mcp-install as a way back", () => {
-      expect(out).toContain("parachute-vault mcp-install");
+    test("does NOT print or imply any minted token", () => {
+      expect(out).not.toContain("Your API token:");
+      expect(out).not.toContain("Authorization: Bearer");
     });
   });
 
-  // vault#442: the DEFAULT init path — MCP wired, NO token minted (per-user
-  // OAuth). The summary must LEAD with the OAuth connect path, never mint, and
-  // never surface the old "no token issued" failure copy.
-  describe("MCP=Y + no token (vault#442 OAuth default)", () => {
-    const out = lines(true, false, undefined).join("\n");
-
-    test("leads with the OAuth connect message — no token needed", () => {
-      expect(out).toContain("no token needed, you'll sign in on first use");
-    });
-
-    test("tells the user Claude Code is already wired in", () => {
-      expect(out).toContain("Claude Code is already wired in");
-    });
+  describe("opted into MCP write + token minted (addMcp=Y, token=Y)", () => {
+    const out = lines(true, true, "pvt_abc123").join("\n");
 
-    test("shows the OAuth `claude mcp add` command for other clients", () => {
-      expect(out).toContain(
-        "claude mcp add --transport http parachute-vault http://127.0.0.1:1940/vault/default/mcp",
-      );
+    test("prints token prominently", () => {
+      expect(out).toContain("Your API token: pvt_abc123");
     });
 
-    test("offers the scope-narrow opt-in mint for scripts (full vault:<name>:read, never admin)", () => {
-      // Must be the three-segment named-resource form the hub mint-token model
-      // requires — a bare `vault:read` would mint a malformed scope (vault#443).
-      expect(out).toContain("parachute auth mint-token --scope vault:default:read");
-      expect(out).not.toContain("--scope vault:read ");
-      expect(out).not.toMatch(/--scope vault:read$/m);
-      expect(out).not.toContain("vault:admin");
+    test("notes token is baked into ~/.claude.json", () => {
+      expect(out).toContain("Baked into ~/.claude.json for Claude Code");
     });
 
-    test("does NOT print or imply any minted token", () => {
-      expect(out).not.toContain("Your API token:");
-      expect(out).not.toContain("Baked into ~/.claude.json");
-      expect(out).not.toContain("Authorization: Bearer");
+    test("includes save-it-now warning", () => {
+      expect(out).toContain("Won't be shown again — save it now.");
     });
 
-    test("does NOT surface the old no-token-issued failure copy", () => {
-      expect(out).not.toContain("No token issued");
+    test("includes Bearer curl example", () => {
+      expect(out).toContain(
+        'curl -H "Authorization: Bearer pvt_abc123" http://localhost:1940/api/notes',
+      );
     });
 
-    test("threads a non-default vault name into the mint-token scope", () => {
-      const out2 = buildInitSummaryLines({
-        ...baseInput,
-        vaultName: "journal",
-        mcpUrl: "http://127.0.0.1:1940/vault/journal/mcp",
-        addMcp: true,
-        addToken: false,
-        apiKey: undefined,
-      }).join("\n");
-      expect(out2).toContain("parachute auth mint-token --scope vault:journal:read");
-      expect(out2).not.toContain("vault:default:read");
+    test("Next steps mentions starting a Claude Code session", () => {
+      expect(out).toContain("Start a new Claude Code session");
     });
   });
 
-  describe("MCP=N + token=N (OAuth default, Claude Code not wired)", () => {
-    const out = lines(false, false, undefined).join("\n");
+  describe("token only, no MCP write (addMcp=N, token=Y, minted)", () => {
+    const out = lines(false, true, "pvt_xyz").join("\n");
 
-    test("frames skipping the MCP entry as OAuth-first, not 'unreachable'", () => {
-      expect(out).toContain("uses per-user OAuth, no token needed");
-      expect(out).not.toContain("your vault isn't reachable by any client");
+    test("prints token prominently", () => {
+      expect(out).toContain("Your API token: pvt_xyz");
     });
 
-    test("points to mcp-install (no token-minting framing)", () => {
-      expect(out).toContain("parachute-vault mcp-install");
-      expect(out).not.toContain("mints a hub JWT");
+    test("omits the 'Baked into' bullet (no claude.json entry written)", () => {
+      expect(out).not.toContain("Baked into ~/.claude.json");
     });
 
-    test("does not print any token", () => {
-      expect(out).not.toContain("Your API token:");
-      expect(out).not.toMatch(/pvt_/);
+    test("includes Bearer curl example", () => {
+      expect(out).toContain("Authorization: Bearer pvt_xyz");
     });
 
-    test("omits the Bearer curl example", () => {
-      expect(out).not.toContain("Authorization: Bearer");
+    test("surfaces the connector URL + a copy-paste Claude Code opt-in", () => {
+      expect(out).toContain("http://127.0.0.1:1940/vault/default/mcp");
+      expect(out).toContain(
+        "claude mcp add --transport http parachute-vault http://127.0.0.1:1940/vault/default/mcp",
+      );
     });
   });
 
-  // Explicit opt-in but no hub reachable to mint (vault#282 Stage 2 path,
-  // reached only when the operator passes --token without a hub).
-  describe("MCP=N + token=Y but no hub (opt-in mint failed, standalone)", () => {
+  // Explicit opt-in to a token but no hub reachable to mint (vault#282 Stage 2).
+  describe("token opt-in but no hub (standalone, mint failed)", () => {
     const out = buildInitSummaryLines({
       ...baseInput,
       addMcp: false,
@@ -198,12 +198,14 @@ describe("buildInitSummaryLines", () => {
     test("does NOT claim the vault is reachable (no hub present)", () => {
       expect(out).not.toContain("Your vault is still reachable");
     });
+
+    test("still surfaces the connector URL for self-serve connect", () => {
+      expect(out).toContain("http://127.0.0.1:1940/vault/default/mcp");
+    });
   });
 
-  // #445: opted into a token, none minted, but a HUB IS PRESENT. The vault is
-  // reachable via the hub's browser OAuth flow even with no header-auth token,
-  // so the standalone "isn't reachable" framing would be false here.
-  describe("MCP=N + token=Y, no token minted, but hub present (#445)", () => {
+  // #445: opted into a token, none minted, but a HUB IS PRESENT.
+  describe("token opt-in, none minted, hub present (#445)", () => {
     const out = buildInitSummaryLines({
       ...baseInput,
       addMcp: false,
@@ -227,22 +229,20 @@ describe("buildInitSummaryLines", () => {
       expect(out).not.toContain("Once a hub is running");
       expect(out).not.toContain("VAULT_AUTH_TOKEN");
     });
-
-    test("never claims the vault isn't reachable by any client", () => {
-      expect(out).not.toContain("isn't reachable by any client");
-    });
   });
 
-  test("always prints Config: and Server: lines", () => {
-    for (const [addMcp, addToken] of [
-      [true, true],
-      [true, false],
-      [false, true],
-      [false, false],
-    ] as const) {
-      const out = lines(addMcp, addToken, addMcp || addToken ? "pvt_k" : undefined).join("\n");
-      expect(out).toContain("Config:   /tmp/parachute");
-      expect(out).toContain("Server:   http://127.0.0.1:1940");
-    }
+  // Defensive: the summary must still render coherently if no wizard URL is
+  // supplied (e.g. an older caller / a hub-origin resolution failure).
+  test("omits the wizard hand-off cleanly when wizardUrl is absent", () => {
+    const out = buildInitSummaryLines({
+      ...baseInput,
+      wizardUrl: undefined,
+      addMcp: false,
+      addToken: false,
+      apiKey: undefined,
+    }).join("\n");
+    expect(out).not.toContain("Finish setup in your browser:");
+    // The connect info is still surfaced.
+    expect(out).toContain("http://127.0.0.1:1940/vault/default/mcp");
   });
 });