@arkhera30/cli 0.1.16 → 0.2.0

package/compose/docker-compose.yml

@@ -1,5 +1,6 @@
+# NOTE: This file is superseded by dynamic compose generation in cli/src/lib/compose.ts
 # ─────────────────────────────────────────────────────────────────────────────
-# Horus — Production Docker Compose
+# Horus — Production Docker Compose (DEPRECATED static template)
 # Managed by @arkhera30/cli. Do not edit manually.
 #
 # This file uses pre-built images from ghcr.io. Once CI pipelines are set up,

package/dist/index.js

@@ -10,7 +10,7 @@ import chalk2 from "chalk";
 import ora2 from "ora";
 import { execSync } from "child_process";
 import { existsSync as existsSync5, mkdirSync as mkdirSync3 } from "fs";
-import { join as join4 } from "path";
+import { join as join3 } from "path";
 import { input, confirm, number, select, password } from "@inquirer/prompts";
 
 // src/lib/config.ts
@@ -38,26 +38,26 @@ function findPackageJson() {
 }
 var pkg = JSON.parse(readFileSync(findPackageJson(), "utf-8"));
 var CLI_VERSION = pkg.version;
-var HORUS_DIR = join(homedir(), ".horus");
+var HORUS_DIR = join(homedir(), "Horus");
+var LEGACY_HORUS_DIR = join(homedir(), ".horus");
 var CONFIG_PATH = join(HORUS_DIR, "config.yaml");
 var ENV_PATH = join(HORUS_DIR, ".env");
 var COMPOSE_PATH = join(HORUS_DIR, "docker-compose.yml");
 var DEFAULT_PORTS = {
   anvil: 8100,
   vault_rest: 8e3,
+  // keep for individual vault instances
   vault_mcp: 8300,
+  vault_router: 8400,
+  // new
   forge: 8200
 };
-var DEFAULT_REPOS = {
-  anvil_notes: "",
-  vault_knowledge: "",
-  forge_registry: ""
-};
-var DEFAULT_DATA_DIR = join(homedir(), ".horus", "data");
+var DEFAULT_DATA_DIR = join(homedir(), "Horus", "data");
 var SERVICES = [
   "qmd-daemon",
   "anvil",
-  "vault",
+  "vault-router",
+  // replaces 'vault'
   "vault-mcp",
   "forge"
 ];
@@ -70,11 +70,14 @@ function defaultConfig() {
     data_dir: DEFAULT_DATA_DIR,
     runtime: "docker",
     ports: { ...DEFAULT_PORTS },
-    git_host: "github.com",
-    repos: { ...DEFAULT_REPOS },
+    repos: {
+      anvil_notes: "",
+      forge_registry: ""
+    },
+    vaults: {},
+    github_hosts: {},
     host_repos_path: "",
-    host_repos_extra_scan_dirs: [],
-    github_token: ""
+    host_repos_extra_scan_dirs: []
   };
 }
 function ensureHorusDir() {
@@ -85,30 +88,52 @@ function configExists() {
 }
 function loadConfig() {
   if (!existsSync2(CONFIG_PATH)) {
+    const legacyConfigPath = pathJoin(LEGACY_HORUS_DIR, "config.yaml");
+    if (existsSync2(legacyConfigPath)) {
+      console.warn(
+        `
+Warning: Horus config found at ~/.horus/config.yaml (legacy location).
+The new default is ~/Horus. Run \`horus setup\` to migrate.
+`
+      );
+      const raw2 = readFileSync2(legacyConfigPath, "utf-8");
+      const parsed2 = parseYaml(raw2);
+      return buildConfigFromParsed(parsed2);
+    }
     return defaultConfig();
   }
   const raw = readFileSync2(CONFIG_PATH, "utf-8");
   const parsed = parseYaml(raw);
+  return buildConfigFromParsed(parsed);
+}
+function buildConfigFromParsed(parsed) {
+  const repos = parsed.repos;
+  if (repos && "vault_knowledge" in repos) {
+    throw new Error(
+      "config.yaml uses the old single-vault format (repos.vault_knowledge). This version requires the new multi-vault format. Please delete ~/Horus/config.yaml and run `horus setup` to reconfigure."
+    );
+  }
   const defaults = defaultConfig();
+  const parsedPorts = parsed.ports;
   return {
     version: parsed.version ?? defaults.version,
     data_dir: parsed.data_dir ?? defaults.data_dir,
     runtime: parsed.runtime ?? defaults.runtime,
     ports: {
-      anvil: parsed.ports?.anvil ?? defaults.ports.anvil,
-      vault_rest: parsed.ports?.vault_rest ?? defaults.ports.vault_rest,
-      vault_mcp: parsed.ports?.vault_mcp ?? defaults.ports.vault_mcp,
-      forge: parsed.ports?.forge ?? defaults.ports.forge
+      anvil: parsedPorts?.anvil ?? defaults.ports.anvil,
+      vault_rest: parsedPorts?.vault_rest ?? defaults.ports.vault_rest,
+      vault_mcp: parsedPorts?.vault_mcp ?? defaults.ports.vault_mcp,
+      vault_router: parsedPorts?.vault_router ?? defaults.ports.vault_router,
+      forge: parsedPorts?.forge ?? defaults.ports.forge
     },
-    git_host: parsed.git_host ?? defaults.git_host,
     repos: {
-      anvil_notes: parsed.repos?.anvil_notes ?? defaults.repos.anvil_notes,
-      vault_knowledge: parsed.repos?.vault_knowledge ?? defaults.repos.vault_knowledge,
-      forge_registry: parsed.repos?.forge_registry ?? defaults.repos.forge_registry
+      anvil_notes: repos?.anvil_notes ?? defaults.repos.anvil_notes,
+      forge_registry: repos?.forge_registry ?? defaults.repos.forge_registry
     },
+    vaults: parsed.vaults ?? defaults.vaults,
+    github_hosts: parsed.github_hosts ?? defaults.github_hosts,
     host_repos_path: parsed.host_repos_path ?? defaults.host_repos_path,
-    host_repos_extra_scan_dirs: parsed.host_repos_extra_scan_dirs ?? defaults.host_repos_extra_scan_dirs,
-    github_token: parsed.github_token ?? defaults.github_token
+    host_repos_extra_scan_dirs: parsed.host_repos_extra_scan_dirs ?? defaults.host_repos_extra_scan_dirs
   };
 }
 function saveConfig(config) {
@@ -116,6 +141,14 @@ function saveConfig(config) {
   const yaml = stringifyYaml(config, { lineWidth: 0 });
   writeFileSync(CONFIG_PATH, yaml, "utf-8");
 }
+function resolveGitHubHost(repoUrl, github_hosts) {
+  try {
+    const hostname = new URL(repoUrl).hostname;
+    return Object.values(github_hosts).find((h) => h.host === hostname);
+  } catch {
+    return void 0;
+  }
+}
 function resolvePath(p) {
   if (p.startsWith("~")) {
     return resolve(homedir2(), p.slice(2));
@@ -185,15 +218,12 @@ function generateEnv(config) {
     `ANVIL_PORT=${config.ports.anvil}`,
     `VAULT_PORT=${config.ports.vault_rest}`,
     `VAULT_MCP_PORT=${config.ports.vault_mcp}`,
+    `VAULT_ROUTER_PORT=${config.ports.vault_router}`,
     `FORGE_PORT=${config.ports.forge}`,
     "",
     "# Repository URLs (must be HTTPS \u2014 container services do not have SSH keys)",
     `ANVIL_REPO_URL=${config.repos.anvil_notes}`,
-    `VAULT_KNOWLEDGE_REPO_URL=${config.repos.vault_knowledge}`,
     `FORGE_REGISTRY_REPO_URL=${config.repos.forge_registry}`,
-    "",
-    "# Authentication",
-    `GITHUB_TOKEN=${config.github_token}`,
     ""
   ];
   return lines.join("\n");
@@ -211,11 +241,9 @@ var CONFIG_KEYS = [
   "port.anvil",
   "port.vault-rest",
   "port.vault-mcp",
+  "port.vault-router",
   "port.forge",
-  "github-token",
-  "git-host",
   "repo.anvil-notes",
-  "repo.vault-knowledge",
   "repo.forge-registry"
 ];
 function getConfigValue(config, key) {
@@ -234,16 +262,12 @@ function getConfigValue(config, key) {
       return String(config.ports.vault_rest);
     case "port.vault-mcp":
       return String(config.ports.vault_mcp);
+    case "port.vault-router":
+      return String(config.ports.vault_router);
     case "port.forge":
       return String(config.ports.forge);
-    case "github-token":
-      return config.github_token;
-    case "git-host":
-      return config.git_host;
     case "repo.anvil-notes":
       return config.repos.anvil_notes;
-    case "repo.vault-knowledge":
-      return config.repos.vault_knowledge;
     case "repo.forge-registry":
       return config.repos.forge_registry;
   }
@@ -275,21 +299,15 @@ function setConfigValue(config, key, value) {
     case "port.vault-mcp":
       updated.ports = { ...updated.ports, vault_mcp: parseInt(value, 10) };
       break;
+    case "port.vault-router":
+      updated.ports = { ...updated.ports, vault_router: parseInt(value, 10) };
+      break;
     case "port.forge":
       updated.ports = { ...updated.ports, forge: parseInt(value, 10) };
       break;
-    case "github-token":
-      updated.github_token = value;
-      break;
-    case "git-host":
-      updated.git_host = value;
-      break;
     case "repo.anvil-notes":
       updated.repos = { ...updated.repos, anvil_notes: value };
       break;
-    case "repo.vault-knowledge":
-      updated.repos = { ...updated.repos, vault_knowledge: value };
-      break;
     case "repo.forge-registry":
       updated.repos = { ...updated.repos, forge_registry: value };
       break;
@@ -502,7 +520,7 @@ async function pollUntilHealthy(runtime, onUpdate, timeoutMs = 3e5, intervalMs =
       const unhealthyServices = states.filter((s) => s.status === "unhealthy").map((s) => s.name).join(", ");
       throw new Error(
         `Services failed health check: ${unhealthyServices}
-Run '${runtime.name} compose logs <service>' from ~/.horus/ to investigate.`
+Run '${runtime.name} compose logs <service>' from ~/Horus/ to investigate.`
       );
     }
     const elapsed = Date.now() - startTime;
@@ -510,7 +528,7 @@ Run '${runtime.name} compose logs <service>' from ~/.horus/ to investigate.`
       const notReady = states.filter((s) => s.status !== "healthy").map((s) => `${s.name} (${s.status})`).join(", ");
       throw new Error(
         `Timed out after ${Math.round(timeoutMs / 1e3)}s waiting for services: ${notReady}
-Run '${runtime.name} compose logs' from ~/.horus/ to investigate.`
+Run '${runtime.name} compose logs' from ~/Horus/ to investigate.`
       );
     }
     await new Promise((resolve2) => setTimeout(resolve2, intervalMs));
@@ -519,41 +537,280 @@ Run '${runtime.name} compose logs' from ~/.horus/ to investigate.`
 
 // src/lib/compose.ts
 import { readFileSync as readFileSync3, writeFileSync as writeFileSync2, existsSync as existsSync3 } from "fs";
-import { join as join2, dirname as dirname2 } from "path";
-import { fileURLToPath as fileURLToPath2 } from "url";
-var __filename = fileURLToPath2(import.meta.url);
-var __dirname = dirname2(__filename);
-function getBundledComposePath() {
-  const candidates = [
-    join2(__dirname, "..", "..", "compose", "docker-compose.yml"),
-    join2(__dirname, "..", "compose", "docker-compose.yml")
-  ];
-  for (const candidate of candidates) {
-    if (existsSync3(candidate)) {
-      return candidate;
-    }
-  }
-  throw new Error(
-    `Bundled docker-compose.yml not found. The CLI package may be corrupted.
-Searched: ${candidates.join(", ")}`
-  );
-}
 function applyPodmanUserOverride(compose) {
   return compose.replace(
     /^(    image: .+)$/gm,
     '$1\n    user: "0:0"'
   );
 }
+var QMD_DAEMON_SERVICE = `  # \u2500\u2500 QMD Daemon \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+  # Shared QMD MCP HTTP server. Keeps GGUF models warm in memory so Anvil and
+  # Vault pay the model-load cost only once.
+  qmd-daemon:
+    image: ghcr.io/arjunkhera/horus/qmd-daemon:latest
+    environment:
+      - QMD_DAEMON_PORT=8181
+      - HORUS_RUNTIME=\${HORUS_RUNTIME:-docker}
+    volumes:
+      - qmd-daemon-data:/home/qmd/.cache/qmd
+    networks:
+      - horus-net
+    restart: unless-stopped
+    stop_grace_period: 15s
+    deploy:
+      resources:
+        limits:
+          memory: 4g
+        reservations:
+          memory: 512m
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:8181/health"]
+      interval: 30s
+      timeout: 10s
+      start_period: 600s
+      retries: 3`;
+var ANVIL_SERVICE = `  # \u2500\u2500 Anvil \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+  # Notes system and MCP server. Indexes markdown files from the Notes repo.
+  anvil:
+    image: ghcr.io/arjunkhera/horus/anvil:latest
+    ports:
+      - "\${ANVIL_PORT:-8100}:8100"
+    volumes:
+      - \${HORUS_DATA_PATH}/notes:/data/notes:rw
+      - qmd-daemon-data:/home/anvil/.cache/qmd
+    environment:
+      - HORUS_RUNTIME=\${HORUS_RUNTIME:-docker}
+      - ANVIL_TRANSPORT=http
+      - ANVIL_PORT=8100
+      - ANVIL_HOST=0.0.0.0
+      - ANVIL_NOTES_PATH=/data/notes
+      - ANVIL_REPO_URL=\${ANVIL_REPO_URL:-}
+      - ANVIL_QMD_COLLECTION=\${ANVIL_QMD_COLLECTION:-anvil}
+      - ANVIL_SYNC_INTERVAL=\${ANVIL_SYNC_INTERVAL:-300}
+      - ANVIL_DEBOUNCE_SECONDS=\${ANVIL_DEBOUNCE_SECONDS:-5}
+      - GITHUB_TOKEN=\${GITHUB_TOKEN:-}
+      - QMD_DAEMON_URL=http://qmd-daemon:8181
+    depends_on:
+      qmd-daemon:
+        condition: service_healthy
+    networks:
+      - horus-net
+    restart: unless-stopped
+    stop_grace_period: 15s
+    deploy:
+      resources:
+        limits:
+          memory: 512m
+        reservations:
+          memory: 256m
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:8100/health"]
+      interval: 30s
+      timeout: 5s
+      start_period: 600s
+      retries: 3`;
+var FORGE_SERVICE = `  # \u2500\u2500 Forge \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+  # Workspace manager and package registry MCP server.
+  forge:
+    image: ghcr.io/arjunkhera/horus/forge:latest
+    ports:
+      - "\${FORGE_PORT:-8200}:8200"
+    volumes:
+      - \${HORUS_DATA_PATH}/registry:/data/registry:rw
+      - \${HORUS_DATA_PATH}/workspaces:/data/workspaces:rw
+      - \${HOST_REPOS_PATH}:/data/repos:ro
+    environment:
+      - HORUS_RUNTIME=\${HORUS_RUNTIME:-docker}
+      - FORGE_PORT=8200
+      - FORGE_HOST=0.0.0.0
+      - FORGE_REGISTRY_PATH=/data/registry
+      - FORGE_WORKSPACES_PATH=/data/workspaces
+      - FORGE_REGISTRY_REPO_URL=\${FORGE_REGISTRY_REPO_URL:-}
+      - FORGE_SYNC_INTERVAL=\${FORGE_SYNC_INTERVAL:-300}
+      - FORGE_ANVIL_URL=http://anvil:8100
+      - FORGE_VAULT_URL=http://vault-mcp:8300
+      - FORGE_HOST_WORKSPACES_PATH=\${HORUS_DATA_PATH}/workspaces
+      - FORGE_HOST_REPOS_PATH=\${HOST_REPOS_PATH}
+      - FORGE_HOST_ANVIL_URL=http://localhost:\${ANVIL_PORT:-8100}
+      - FORGE_HOST_VAULT_URL=http://localhost:\${VAULT_MCP_PORT:-8300}
+      - FORGE_HOST_FORGE_URL=http://localhost:\${FORGE_PORT:-8200}
+      - FORGE_SCAN_PATHS=\${FORGE_SCAN_PATHS:-/data/repos}
+      - GITHUB_TOKEN=\${GITHUB_TOKEN:-}
+    depends_on:
+      anvil:
+        condition: service_healthy
+      vault-router:
+        condition: service_healthy
+    networks:
+      - horus-net
+    restart: unless-stopped
+    stop_grace_period: 15s
+    deploy:
+      resources:
+        limits:
+          memory: 512m
+        reservations:
+          memory: 128m
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:8200/health"]
+      interval: 30s
+      timeout: 5s
+      start_period: 60s
+      retries: 3`;
+function generateComposeFile(config, runtime) {
+  const vaultEntries = Object.entries(config.vaults).sort(([a], [b]) => a.localeCompare(b));
+  const vaultServices = vaultEntries.map(([name, vault], index) => {
+    const hostPort = `800${index + 1}`;
+    const envVarName = `VAULT_REST_PORT_${name.toUpperCase().replace(/-/g, "_")}`;
+    const githubHost = resolveGitHubHost(vault.repo, config.github_hosts);
+    const token = githubHost?.token ?? "";
+    const apiHost = githubHost?.host ?? "github.com";
+    return `  # \u2500\u2500 Vault: ${name} \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+  vault-${name}:
+    image: ghcr.io/arjunkhera/horus/vault:latest
+    ports:
+      - "\${${envVarName}:-${hostPort}}:8000"
+    volumes:
+      - \${HORUS_DATA_PATH}/vaults/${name}:/data/knowledge-repo:rw
+      - vault-${name}-workspace:/data/workspace
+      - qmd-daemon-data:/home/appuser/.cache/qmd
+    environment:
+      - HORUS_RUNTIME=\${HORUS_RUNTIME:-docker}
+      - KNOWLEDGE_REPO_PATH=/data/knowledge-repo
+      - WORKSPACE_PATH=/data/workspace
+      - VAULT_KNOWLEDGE_REPO_URL=${vault.repo}
+      - QMD_INDEX_NAME=vault-${name}
+      - SYNC_INTERVAL=\${VAULT_SYNC_INTERVAL:-300}
+      - VAULT_SYNC_INTERVAL=\${VAULT_SYNC_INTERVAL:-300}
+      - LOG_LEVEL=\${LOG_LEVEL:-info}
+      - HOST=0.0.0.0
+      - PORT=8000
+      - GITHUB_TOKEN=${token}
+      - GITHUB_API_HOST=${apiHost}
+      - QMD_DAEMON_URL=http://qmd-daemon:8181
+    depends_on:
+      qmd-daemon:
+        condition: service_healthy
+    networks:
+      - horus-net
+    restart: unless-stopped
+    deploy:
+      resources:
+        limits:
+          memory: 512m
+        reservations:
+          memory: 256m
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:8000/health"]
+      interval: 30s
+      timeout: 10s
+      start_period: 600s
+      retries: 3`;
+  });
+  const defaultVaultEntry = vaultEntries.find(([, v]) => v.default);
+  const defaultVaultName = defaultVaultEntry ? defaultVaultEntry[0] : vaultEntries[0]?.[0] ?? "";
+  const vaultEndpoints = vaultEntries.map(([name]) => `${name}=http://vault-${name}:8000`).join(",");
+  const vaultRouterDependsOn = vaultEntries.map(([name]) => `      vault-${name}:
+        condition: service_healthy`).join("\n");
+  const vaultRouterService = `  # \u2500\u2500 Vault Router \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+  # Routes requests to the appropriate vault instance by name.
+  vault-router:
+    image: ghcr.io/arjunkhera/horus/vault-router:latest
+    ports:
+      - "\${VAULT_ROUTER_PORT:-8400}:8400"
+    environment:
+      - VAULT_ENDPOINTS=${vaultEndpoints}
+      - VAULT_DEFAULT=${defaultVaultName}
+    depends_on:
+${vaultRouterDependsOn}
+    networks:
+      - horus-net
+    restart: unless-stopped
+    deploy:
+      resources:
+        limits:
+          memory: 256m
+        reservations:
+          memory: 64m
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:8400/health"]
+      interval: 30s
+      timeout: 10s
+      start_period: 30s
+      retries: 3`;
+  const vaultMcpService = `  # \u2500\u2500 Vault MCP \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+  # Thin MCP adapter that translates MCP tool calls to Vault REST API calls.
+  vault-mcp:
+    image: ghcr.io/arjunkhera/horus/vault-mcp:latest
+    ports:
+      - "\${VAULT_MCP_PORT:-8300}:8300"
+    environment:
+      - VAULT_MCP_HTTP=true
+      - VAULT_MCP_PORT=8300
+      - VAULT_MCP_HOST=0.0.0.0
+      - KNOWLEDGE_SERVICE_URL=http://vault-router:8400
+    depends_on:
+      vault-router:
+        condition: service_healthy
+    networks:
+      - horus-net
+    restart: unless-stopped
+    stop_grace_period: 15s
+    deploy:
+      resources:
+        limits:
+          memory: 256m
+        reservations:
+          memory: 64m
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:8300/health"]
+      interval: 30s
+      timeout: 5s
+      start_period: 30s
+      retries: 3`;
+  const vaultVolumeEntries = vaultEntries.map(([name]) => `  vault-${name}-workspace:`).join("\n");
+  const sections = [
+    "# \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500",
+    "# Horus \u2014 Generated Docker Compose",
+    "# Managed by @arkhera30/cli. Do not edit manually.",
+    "# Generated dynamically from ~/Horus/config.yaml by `horus setup`.",
+    "# \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500",
+    "",
+    "services:",
+    "",
+    QMD_DAEMON_SERVICE,
+    "",
+    ANVIL_SERVICE,
+    "",
+    ...vaultServices.map((s) => s + "\n"),
+    vaultRouterService,
+    "",
+    vaultMcpService,
+    "",
+    FORGE_SERVICE,
+    "",
+    "# \u2500\u2500 Networks \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500",
+    "networks:",
+    "  horus-net:",
+    "    driver: bridge",
+    "",
+    "# \u2500\u2500 Volumes \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500",
+    "volumes:",
+    "  qmd-daemon-data:",
+    vaultVolumeEntries
+  ];
+  let content = sections.join("\n");
+  if (runtime === "podman") {
+    content = applyPodmanUserOverride(content);
+  }
+  return content;
+}
 function composeFileExists() {
   return existsSync3(COMPOSE_PATH);
 }
-function installComposeFile(runtime) {
+function installComposeFile(config, runtime) {
   ensureHorusDir();
-  const bundledPath = getBundledComposePath();
-  let content = readFileSync3(bundledPath, "utf-8");
-  if (runtime === "podman") {
-    content = applyPodmanUserOverride(content);
-  }
+  const content = generateComposeFile(config, runtime);
   writeFileSync2(COMPOSE_PATH, content, "utf-8");
 }
 
@@ -563,22 +820,22 @@ import chalk from "chalk";
 import ora from "ora";
 import { checkbox } from "@inquirer/prompts";
 import { readFileSync as readFileSync4, writeFileSync as writeFileSync3, mkdirSync as mkdirSync2, existsSync as existsSync4 } from "fs";
-import { join as join3 } from "path";
+import { join as join2 } from "path";
 import { homedir as homedir3 } from "os";
 import { execa as execa2 } from "execa";
 function detectInstalledClients() {
   const detected = [];
   const home = homedir3();
-  const claudeDesktopDir = join3(home, "Library", "Application Support", "Claude");
+  const claudeDesktopDir = join2(home, "Library", "Application Support", "Claude");
   if (existsSync4(claudeDesktopDir)) {
     detected.push("claude-desktop");
   }
-  const claudeCodeDir = join3(home, ".claude");
+  const claudeCodeDir = join2(home, ".claude");
   if (existsSync4(claudeCodeDir)) {
     detected.push("claude-code");
   }
-  const cursorDir = join3(home, ".cursor");
-  const cursorAppDir = join3(home, "Library", "Application Support", "Cursor");
+  const cursorDir = join2(home, ".cursor");
+  const cursorAppDir = join2(home, "Library", "Application Support", "Cursor");
   if (existsSync4(cursorDir) || existsSync4(cursorAppDir)) {
     detected.push("cursor");
   }
@@ -588,11 +845,11 @@ function getConfigPath(target) {
   const home = homedir3();
   switch (target) {
     case "claude-desktop":
-      return join3(home, "Library", "Application Support", "Claude", "claude_desktop_config.json");
+      return join2(home, "Library", "Application Support", "Claude", "claude_desktop_config.json");
     case "claude-code":
-      return join3(home, ".claude", "settings.json");
+      return join2(home, ".claude", "settings.json");
     case "cursor":
-      return join3(home, ".cursor", "mcp.json");
+      return join2(home, ".cursor", "mcp.json");
   }
 }
 function mergeAndWriteConfig(configPath, mcpServers) {
@@ -612,13 +869,13 @@ function mergeAndWriteConfig(configPath, mcpServers) {
   writeFileSync3(configPath, JSON.stringify(existing, null, 2) + "\n", "utf-8");
 }
 function getMcpRemoteWrapperPath() {
-  return join3(homedir3(), ".forge", "bin", "mcp-remote-wrapper");
+  return join2(homedir3(), ".forge", "bin", "mcp-remote-wrapper");
 }
 function buildStdioServers(config, wrapperPath, host) {
   return {
-    anvil: { command: wrapperPath, args: [`http://${host}:${config.ports.anvil}/mcp`] },
-    vault: { command: wrapperPath, args: [`http://${host}:${config.ports.vault_mcp}/mcp`] },
-    forge: { command: wrapperPath, args: [`http://${host}:${config.ports.forge}/mcp`] }
+    anvil: { command: wrapperPath, args: [`http://${host}:${config.ports.anvil}/mcp`, "--transport", "http-only"] },
+    vault: { command: wrapperPath, args: [`http://${host}:${config.ports.vault_mcp}/mcp`, "--transport", "http-only"] },
+    forge: { command: wrapperPath, args: [`http://${host}:${config.ports.forge}/mcp`, "--transport", "http-only"] }
   };
 }
 async function isClaudeCliAvailable() {
@@ -650,14 +907,14 @@ async function registerWithClaudeCode(mcpServers) {
 }
 async function syncSkills(runtime) {
   const home = homedir3();
-  const skillsBase = join3(home, ".claude", "skills");
+  const skillsBase = join2(home, ".claude", "skills");
   const skills = ["horus-anvil", "horus-vault", "horus-forge"];
   const forgeContainer = "horus-forge-1";
   for (const skill of skills) {
-    const destDir = join3(skillsBase, skill);
+    const destDir = join2(skillsBase, skill);
     mkdirSync2(destDir, { recursive: true });
     const src = `/home/forge/.claude/skills/${skill}/SKILL.md`;
-    const dest = join3(destDir, "SKILL.md");
+    const dest = join2(destDir, "SKILL.md");
     const result = await runtime.exec(forgeContainer, "cat", src);
     if (result.exitCode === 0 && result.stdout.trim()) {
       writeFileSync3(dest, result.stdout, "utf-8");
@@ -666,8 +923,8 @@ async function syncSkills(runtime) {
 }
 async function syncSkillsForCursor(runtime) {
   const home = homedir3();
-  const rulesDir = join3(home, ".cursor", "rules");
-  const skillsBase = join3(home, ".cursor", "skills-cursor");
+  const rulesDir = join2(home, ".cursor", "rules");
+  const skillsBase = join2(home, ".cursor", "skills-cursor");
   const skills = ["horus-anvil", "horus-vault", "horus-forge"];
   const forgeContainer = "horus-forge-1";
   mkdirSync2(rulesDir, { recursive: true });
@@ -675,7 +932,7 @@ async function syncSkillsForCursor(runtime) {
     const src = `/home/forge/.claude/skills/${skill}/SKILL.md`;
     const result = await runtime.exec(forgeContainer, "cat", src);
     if (result.exitCode === 0 && result.stdout.trim()) {
-      const ruleDest = join3(rulesDir, `${skill}.mdc`);
+      const ruleDest = join2(rulesDir, `${skill}.mdc`);
       const frontmatter = `---
 description: Horus ${skill} reference
 alwaysApply: true
@@ -683,9 +940,9 @@ alwaysApply: true
 
 `;
       writeFileSync3(ruleDest, frontmatter + result.stdout, "utf-8");
-      const skillDir = join3(skillsBase, skill);
+      const skillDir = join2(skillsBase, skill);
       mkdirSync2(skillDir, { recursive: true });
-      writeFileSync3(join3(skillDir, "SKILL.md"), result.stdout, "utf-8");
+      writeFileSync3(join2(skillDir, "SKILL.md"), result.stdout, "utf-8");
     }
   }
 }
@@ -873,7 +1130,14 @@ function injectToken(url, token) {
     return url;
   }
 }
-var setupCommand = new Command2("setup").description("Interactive first-run setup for Horus").option("-y, --yes", "Non-interactive mode (use defaults + env vars)").option("--runtime <runtime>", "Container runtime to use: docker or podman (non-interactive only)").option("--data-dir <path>", "Data directory path").option("--repos-path <path>", "Host repos path for Forge scanning").option("--git-host <host>", "Git server hostname (e.g., github.com, gitlab.corp.com)").option("--anvil-repo <url>", "Anvil notes repository URL").option("--vault-repo <url>", "Vault knowledge-base repository URL").option("--forge-repo <url>", "Forge registry repository URL").option("--github-token <token>", "GitHub personal access token for private repos").action(async (opts) => {
+function extractHostname(url) {
+  try {
+    return new URL(url).hostname;
+  } catch {
+    return "github.com";
+  }
+}
+var setupCommand = new Command2("setup").description("Interactive first-run setup for Horus").option("-y, --yes", "Non-interactive mode (use defaults + env vars)").option("--runtime <runtime>", "Container runtime to use: docker or podman (non-interactive only)").option("--data-dir <path>", "Data directory path").option("--repos-path <path>", "Host repos path for Forge scanning").option("--anvil-repo <url>", "Anvil notes repository URL").option("--vault-name <name>", "Vault name (can be specified multiple times)").option("--vault-repo <url>", "Vault knowledge-base repository URL (matches positionally with --vault-name)").option("--forge-repo <url>", "Forge registry repository URL").option("--github-token <token>", "GitHub personal access token for private repos (primary host)").action(async (opts) => {
   console.log("");
   console.log(chalk2.bold("Horus Setup"));
   console.log(chalk2.dim("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
@@ -935,18 +1199,47 @@ var setupCommand = new Command2("setup").description("Interactive first-run setu
   let config;
   if (opts.yes) {
     const defaults = defaultConfig();
+    const vaultNames = opts.vaultName ? Array.isArray(opts.vaultName) ? opts.vaultName : [opts.vaultName] : ["default"];
+    const vaultRepos = opts.vaultRepo ? Array.isArray(opts.vaultRepo) ? opts.vaultRepo : [opts.vaultRepo] : [process.env.VAULT_KNOWLEDGE_REPO_URL ?? ""];
+    const vaults = {};
+    vaultNames.forEach((name, i) => {
+      vaults[name] = {
+        repo: vaultRepos[i] ?? vaultRepos[0] ?? "",
+        default: i === 0
+      };
+    });
+    const primaryToken = opts.githubToken || process.env.GITHUB_TOKEN || "";
+    const anvilRepo = opts.anvilRepo || process.env.ANVIL_REPO_URL || defaults.repos.anvil_notes;
+    const allRepoUrls = [anvilRepo, ...Object.values(vaults).map((v) => v.repo)].filter(Boolean);
+    const seenHosts = /* @__PURE__ */ new Set();
+    const github_hosts = {};
+    let hostIndex = 0;
+    for (const url of allRepoUrls) {
+      const hostname = extractHostname(url);
+      if (!seenHosts.has(hostname)) {
+        seenHosts.add(hostname);
+        const hostKey = hostIndex === 0 ? "default" : hostname;
+        github_hosts[hostKey] = {
+          host: hostname,
+          token: primaryToken
+        };
+        hostIndex++;
+      }
+    }
+    if (Object.keys(github_hosts).length === 0) {
+      github_hosts["default"] = { host: "github.com", token: primaryToken };
+    }
     config = {
       ...defaults,
       runtime: runtime.name,
       data_dir: opts.dataDir || DEFAULT_DATA_DIR,
       host_repos_path: opts.reposPath || "",
-      git_host: opts.gitHost || defaults.git_host,
       repos: {
-        anvil_notes: opts.anvilRepo || process.env.ANVIL_REPO_URL || defaults.repos.anvil_notes,
-        vault_knowledge: opts.vaultRepo || process.env.VAULT_KNOWLEDGE_REPO_URL || defaults.repos.vault_knowledge,
+        anvil_notes: anvilRepo,
         forge_registry: opts.forgeRepo || process.env.FORGE_REGISTRY_REPO_URL || defaults.repos.forge_registry
       },
-      github_token: opts.githubToken || process.env.GITHUB_TOKEN || ""
+      vaults,
+      github_hosts
     };
   } else {
     const data_dir = await input({
@@ -969,13 +1262,17 @@ var setupCommand = new Command2("setup").description("Interactive first-run setu
         default: DEFAULT_PORTS.anvil
       });
       const vault_rest = await number({
-        message: "Vault REST port:",
+        message: "Vault REST port (per-vault instances):",
         default: DEFAULT_PORTS.vault_rest
       });
       const vault_mcp = await number({
         message: "Vault MCP port:",
         default: DEFAULT_PORTS.vault_mcp
       });
+      const vault_router = await number({
+        message: "Vault Router port:",
+        default: DEFAULT_PORTS.vault_router
+      });
       const forge = await number({
         message: "Forge port:",
         default: DEFAULT_PORTS.forge
@@ -984,6 +1281,7 @@ var setupCommand = new Command2("setup").description("Interactive first-run setu
         anvil: anvil ?? DEFAULT_PORTS.anvil,
         vault_rest: vault_rest ?? DEFAULT_PORTS.vault_rest,
         vault_mcp: vault_mcp ?? DEFAULT_PORTS.vault_mcp,
+        vault_router: vault_router ?? DEFAULT_PORTS.vault_router,
         forge: forge ?? DEFAULT_PORTS.forge
       };
     }
@@ -995,12 +1293,11 @@ var setupCommand = new Command2("setup").description("Interactive first-run setu
     console.log(chalk2.yellow("  Use HTTPS URLs \u2014 container services do not have SSH keys."));
     console.log(chalk2.dim("  SSH URLs (git@github.com:...) will fail at runtime inside Docker/Podman."));
     console.log("");
-    const git_host = await input({
-      message: "Git server hostname:",
+    const primaryHost = await input({
+      message: "Primary Git server hostname:",
       default: "github.com"
     });
-    const host = git_host.trim();
-    const example = (repo) => chalk2.dim(`  e.g., https://${host}/<owner>/${repo}`);
+    const example = (repo) => chalk2.dim(`  e.g., https://${primaryHost}/<owner>/${repo}`);
     console.log("");
     const anvil_notes = await input({
       message: `Anvil notes repo URL:
@@ -1008,12 +1305,6 @@ ${example("horus-notes")}
 `,
       validate: (v) => v.trim().length > 0 || "Anvil needs a notes repo to store your data."
     });
-    const vault_knowledge = await input({
-      message: `Vault knowledge-base repo URL:
-${example("knowledge-base")}
-`,
-      validate: (v) => v.trim().length > 0 || "Vault needs a knowledge-base repo."
-    });
     const forge_registry = await input({
       message: `Forge registry repo URL:
 ${example("forge-registry")}
@@ -1021,13 +1312,75 @@ ${example("forge-registry")}
       validate: (v) => v.trim().length > 0 || "Forge needs a registry repo."
     });
     console.log("");
+    console.log(chalk2.bold("Vault Configuration"));
+    console.log(chalk2.dim("Add one or more knowledge-base vaults. Each vault is a separate Git repo."));
+    console.log("");
+    const vaults = {};
+    let addingVaults = true;
+    let isFirstVault = true;
+    while (addingVaults) {
+      const vaultName = await input({
+        message: "Add vault name (e.g., personal):",
+        validate: (v) => {
+          const trimmed = v.trim();
+          if (!trimmed) return "Vault name cannot be empty.";
+          if (!/^[a-z0-9-]+$/.test(trimmed)) return "Vault name must be lowercase alphanumeric with hyphens only.";
+          if (trimmed in vaults) return `Vault "${trimmed}" already added.`;
+          return true;
+        }
+      });
+      const vaultRepo = await input({
+        message: `Vault repo URL:
+${example(`${vaultName.trim()}-knowledge`)}
+`,
+        validate: (v) => v.trim().length > 0 || "Vault repo URL cannot be empty."
+      });
+      let isDefault = isFirstVault;
+      if (!isFirstVault) {
+        isDefault = await confirm({
+          message: `Is "${vaultName.trim()}" the default vault?`,
+          default: false
+        });
+      }
+      if (isDefault) {
+        for (const v of Object.values(vaults)) {
+          v.default = false;
+        }
+      }
+      vaults[vaultName.trim()] = {
+        repo: vaultRepo.trim(),
+        default: isDefault || isFirstVault
+      };
+      isFirstVault = false;
+      addingVaults = await confirm({
+        message: "Add another vault?",
+        default: false
+      });
+    }
+    const defaultCount = Object.values(vaults).filter((v) => v.default).length;
+    if (defaultCount === 0 && Object.keys(vaults).length > 0) {
+      const firstKey = Object.keys(vaults)[0];
+      vaults[firstKey].default = true;
+    }
+    console.log("");
     console.log(chalk2.bold("Authentication"));
-    console.log(chalk2.dim("A personal access token is required for private repositories."));
+    console.log(chalk2.dim("A personal access token is required per Git server for private repositories."));
     console.log("");
-    const github_token = await password({
-      message: "GitHub personal access token (leave empty to skip):",
-      mask: "*"
-    });
+    const allRepoUrls = [anvil_notes.trim(), ...Object.values(vaults).map((v) => v.repo)].filter(Boolean);
+    const uniqueHostnames = [...new Set(allRepoUrls.map(extractHostname))];
+    const github_hosts = {};
+    for (let i = 0; i < uniqueHostnames.length; i++) {
+      const hostname = uniqueHostnames[i];
+      const token = await password({
+        message: `GitHub token for ${chalk2.cyan(hostname)} (leave empty to skip):`,
+        mask: "*"
+      });
+      const hostKey = i === 0 ? "default" : hostname;
+      github_hosts[hostKey] = {
+        host: hostname,
+        token: token.trim()
+      };
+    }
     config = {
       ...defaultConfig(),
       data_dir,
@@ -1035,19 +1388,18 @@ ${example("forge-registry")}
       host_repos_extra_scan_dirs,
       runtime: runtime.name,
       ports,
-      git_host: git_host.trim(),
       repos: {
         anvil_notes: anvil_notes.trim(),
-        vault_knowledge: vault_knowledge.trim(),
         forge_registry: forge_registry.trim()
       },
-      github_token: github_token.trim()
+      vaults,
+      github_hosts
     };
   }
   const configSpinner = ora2("Saving configuration...").start();
   try {
     saveConfig(config);
-    configSpinner.succeed("Configuration saved to ~/.horus/config.yaml");
+    configSpinner.succeed("Configuration saved to ~/Horus/config.yaml");
   } catch (error) {
     configSpinner.fail("Failed to save configuration");
     console.error(error.message);
@@ -1056,7 +1408,7 @@ ${example("forge-registry")}
   const envSpinner = ora2("Generating .env file...").start();
   try {
     writeEnvFile(config);
-    envSpinner.succeed("Environment file written to ~/.horus/.env");
+    envSpinner.succeed("Environment file written to ~/Horus/.env");
   } catch (error) {
     envSpinner.fail("Failed to generate .env");
     console.error(error.message);
@@ -1064,32 +1416,54 @@ ${example("forge-registry")}
   }
   const composeSpinner = ora2("Installing docker-compose.yml...").start();
   try {
-    installComposeFile(runtime.name);
-    composeSpinner.succeed("Compose file installed to ~/.horus/docker-compose.yml");
+    installComposeFile(config, runtime.name);
+    composeSpinner.succeed("Compose file installed to ~/Horus/docker-compose.yml");
   } catch (error) {
     composeSpinner.fail("Failed to install compose file");
     console.error(error.message);
     process.exit(1);
   }
   const dataDir = resolvePath(config.data_dir);
+  const anvilToken = resolveGitHubHost(config.repos.anvil_notes, config.github_hosts)?.token ?? "";
+  const forgeToken = resolveGitHubHost(config.repos.forge_registry, config.github_hosts)?.token ?? "";
   const reposToClone = [
-    { url: config.repos.anvil_notes, dest: join4(dataDir, "notes"), label: "Anvil notes" },
-    { url: config.repos.vault_knowledge, dest: join4(dataDir, "knowledge-base"), label: "Vault knowledge-base" },
-    { url: config.repos.forge_registry, dest: join4(dataDir, "registry"), label: "Forge registry" }
+    {
+      url: config.repos.anvil_notes,
+      dest: join3(dataDir, "notes"),
+      label: "Anvil notes",
+      token: anvilToken
+    },
+    {
+      url: config.repos.forge_registry,
+      dest: join3(dataDir, "registry"),
+      label: "Forge registry",
+      token: forgeToken
+    }
   ].filter((r) => r.url);
+  for (const [name, vault] of Object.entries(config.vaults)) {
+    if (vault.repo) {
+      const vaultToken = resolveGitHubHost(vault.repo, config.github_hosts)?.token ?? "";
+      reposToClone.push({
+        url: vault.repo,
+        dest: join3(dataDir, "vaults", name),
+        label: `Vault: ${name}`,
+        token: vaultToken
+      });
+    }
+  }
   if (reposToClone.length > 0) {
     console.log("");
     console.log(chalk2.bold("Cloning repositories..."));
     mkdirSync3(dataDir, { recursive: true });
     for (const repo of reposToClone) {
       const spinner = ora2(`Cloning ${repo.label}...`).start();
-      if (existsSync5(join4(repo.dest, ".git"))) {
+      if (existsSync5(join3(repo.dest, ".git"))) {
         spinner.succeed(`${repo.label} already cloned`);
         continue;
       }
       try {
         mkdirSync3(repo.dest, { recursive: true });
-        const cloneUrl = injectToken(repo.url, config.github_token);
+        const cloneUrl = injectToken(repo.url, repo.token);
         execSync(`git clone "${cloneUrl}" "${repo.dest}"`, {
           stdio: "pipe",
           timeout: 6e4
@@ -1104,7 +1478,7 @@ ${example("forge-registry")}
           console.log(chalk2.dim(`  ${msg.split("\n")[0]}`));
         }
         console.log(chalk2.dim(`  URL: ${repo.url}`));
-        if (!config.github_token) {
+        if (!repo.token) {
           console.log(chalk2.dim("  Tip: Re-run setup and provide a GitHub token if the repo is private."));
         }
         process.exit(1);
@@ -1151,7 +1525,7 @@ ${example("forge-registry")}
     healthSpinner.fail("Some services did not become healthy");
     console.log(chalk2.dim(error.message));
     console.log("");
-    console.log(chalk2.dim("Tip: Check logs with `docker compose logs` from ~/.horus/"));
+    console.log(chalk2.dim("Tip: Check logs with `docker compose logs` from ~/Horus/"));
     process.exit(1);
   }
   console.log("");
@@ -1172,15 +1546,23 @@ ${example("forge-registry")}
   console.log(chalk2.dim("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
   console.log("");
   console.log(`  ${chalk2.bold("Runtime:")}    ${runtime.name}`);
-  console.log(`  ${chalk2.bold("Config:")}     ~/.horus/config.yaml`);
+  console.log(`  ${chalk2.bold("Config:")}     ~/Horus/config.yaml`);
   console.log(`  ${chalk2.bold("Data:")}       ${config.data_dir}`);
   console.log("");
   console.log(chalk2.bold("  Service URLs:"));
-  console.log(`    Anvil:      http://localhost:${config.ports.anvil}`);
-  console.log(`    Vault REST: http://localhost:${config.ports.vault_rest}`);
-  console.log(`    Vault MCP:  http://localhost:${config.ports.vault_mcp}`);
-  console.log(`    Forge:      http://localhost:${config.ports.forge}`);
+  console.log(`    Anvil:        http://localhost:${config.ports.anvil}`);
+  console.log(`    Vault Router: http://localhost:${config.ports.vault_router}`);
+  console.log(`    Vault MCP:    http://localhost:${config.ports.vault_mcp}`);
+  console.log(`    Forge:        http://localhost:${config.ports.forge}`);
   console.log("");
+  console.log(chalk2.bold("  Vault instances:"));
+  Object.entries(config.vaults).sort(([a], [b]) => a.localeCompare(b)).forEach(([name, vault], index) => {
+    const port = `800${index + 1}`;
+    const defaultLabel = vault.default ? chalk2.dim(" (default)") : "";
+    console.log(`    ${name}${defaultLabel}:  http://localhost:${port}`);
+  });
+  console.log("");
+  void lastStates;
 });
 
 // src/commands/up.ts
@@ -1314,7 +1696,7 @@ var statusCommand = new Command5("status").description("Show status of Horus ser
   console.log(chalk5.dim("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
   console.log(`  ${chalk5.bold("Version:")}  ${CLI_VERSION}`);
   console.log(`  ${chalk5.bold("Runtime:")}  ${runtime.name}`);
-  console.log(`  ${chalk5.bold("Config:")}   ~/.horus/config.yaml`);
+  console.log(`  ${chalk5.bold("Config:")}   ~/Horus/config.yaml`);
   console.log("");
   if (containers.length === 0) {
     console.log(chalk5.yellow("  No services are running."));
@@ -1385,21 +1767,38 @@ var configCommand = new Command6("config").description("View or modify Horus con
   console.log(`  ${chalk6.bold("host-repos-path:")}             ${config.host_repos_path || chalk6.dim("(not set)")}`);
   const extraDirs = (config.host_repos_extra_scan_dirs ?? []).join(", ");
   console.log(`  ${chalk6.bold("host-repos-extra-scan-dirs:")}  ${extraDirs || chalk6.dim("(not set)")}`);
-  console.log(`  ${chalk6.bold("git-host:")}                    ${config.git_host || chalk6.dim("(not set)")}`);
-  console.log(`  ${chalk6.bold("github-token:")}     ${config.github_token ? maskApiKey(config.github_token) : chalk6.dim("(not set)")}`);
   console.log("");
   console.log(chalk6.bold("  Ports:"));
-  console.log(`    ${chalk6.bold("anvil:")}       ${config.ports.anvil}`);
-  console.log(`    ${chalk6.bold("vault-rest:")}  ${config.ports.vault_rest}`);
-  console.log(`    ${chalk6.bold("vault-mcp:")}   ${config.ports.vault_mcp}`);
-  console.log(`    ${chalk6.bold("forge:")}       ${config.ports.forge}`);
+  console.log(`    ${chalk6.bold("anvil:")}         ${config.ports.anvil}`);
+  console.log(`    ${chalk6.bold("vault-rest:")}    ${config.ports.vault_rest}`);
+  console.log(`    ${chalk6.bold("vault-mcp:")}     ${config.ports.vault_mcp}`);
+  console.log(`    ${chalk6.bold("vault-router:")}  ${config.ports.vault_router}`);
+  console.log(`    ${chalk6.bold("forge:")}         ${config.ports.forge}`);
   console.log("");
   console.log(chalk6.bold("  Repos:"));
-  console.log(`    ${chalk6.bold("anvil-notes:")}      ${config.repos.anvil_notes || chalk6.dim("(not set)")}`);
-  console.log(`    ${chalk6.bold("vault-knowledge:")}  ${config.repos.vault_knowledge || chalk6.dim("(not set)")}`);
-  console.log(`    ${chalk6.bold("forge-registry:")}   ${config.repos.forge_registry || chalk6.dim("(not set)")}`);
+  console.log(`    ${chalk6.bold("anvil-notes:")}    ${config.repos.anvil_notes || chalk6.dim("(not set)")}`);
+  console.log(`    ${chalk6.bold("forge-registry:")} ${config.repos.forge_registry || chalk6.dim("(not set)")}`);
+  console.log("");
+  console.log(chalk6.bold("  Vaults:"));
+  if (Object.keys(config.vaults ?? {}).length === 0) {
+    console.log(chalk6.dim("    (none configured)"));
+  } else {
+    for (const [name, vault] of Object.entries(config.vaults)) {
+      const defaultLabel = vault.default ? chalk6.dim(" (default)") : "";
+      console.log(`    ${chalk6.bold(name)}${defaultLabel}: ${vault.repo || chalk6.dim("(no repo)")}`);
+    }
+  }
+  console.log("");
+  console.log(chalk6.bold("  GitHub Hosts:"));
+  if (Object.keys(config.github_hosts ?? {}).length === 0) {
+    console.log(chalk6.dim("    (none configured)"));
+  } else {
+    for (const [key, gh] of Object.entries(config.github_hosts)) {
+      console.log(`    ${chalk6.bold(key)}: ${gh.host}  token: ${gh.token ? maskApiKey(gh.token) : chalk6.dim("(not set)")}`);
+    }
+  }
   console.log("");
-  console.log(chalk6.dim(`  Config file: ~/.horus/config.yaml`));
+  console.log(chalk6.dim(`  Config file: ~/Horus/config.yaml`));
   console.log(chalk6.dim(`  Use 'horus config get <key>' or 'horus config set <key> <value>'`));
   console.log("");
 });
@@ -1416,11 +1815,7 @@ configCommand.command("get <key>").description("Get a configuration value").acti
   }
   const config = loadConfig();
   const value = getConfigValue(config, key);
-  if (key === "github-token") {
-    console.log(maskApiKey(value));
-  } else {
-    console.log(value || "");
-  }
+  console.log(value || "");
 });
 configCommand.command("set <key> <value>").description("Set a configuration value").action(async (key, value) => {
   if (!configExists()) {
@@ -1451,6 +1846,7 @@ configCommand.command("set <key> <value>").description("Set a configuration valu
     "port.anvil",
     "port.vault-rest",
     "port.vault-mcp",
+    "port.vault-router",
     "port.forge"
   ];
   if (needsRestart.includes(key)) {
@@ -1478,10 +1874,10 @@ import chalk7 from "chalk";
 import ora6 from "ora";
 import { select as select2, confirm as confirm3 } from "@inquirer/prompts";
 import { readFileSync as readFileSync5, writeFileSync as writeFileSync4, mkdirSync as mkdirSync4, readdirSync as readdirSync2, existsSync as existsSync6 } from "fs";
-import { join as join5 } from "path";
+import { join as join4 } from "path";
 import { createHash } from "crypto";
 import { stringify as stringifyYaml2, parse as parseYaml2 } from "yaml";
-var SNAPSHOTS_DIR = join5(HORUS_DIR, "snapshots");
+var SNAPSHOTS_DIR = join4(HORUS_DIR, "snapshots");
 function ensureSnapshotsDir() {
   mkdirSync4(SNAPSHOTS_DIR, { recursive: true });
 }
@@ -1516,14 +1912,14 @@ function saveSnapshot(images) {
     images,
     compose_hash: composeFileHash()
   };
-  const filePath = join5(SNAPSHOTS_DIR, `${timestamp}.yaml`);
+  const filePath = join4(SNAPSHOTS_DIR, `${timestamp}.yaml`);
   writeFileSync4(filePath, stringifyYaml2(snapshot, { lineWidth: 0 }), "utf-8");
   return filePath;
 }
 function listSnapshots() {
   if (!existsSync6(SNAPSHOTS_DIR)) return [];
   return readdirSync2(SNAPSHOTS_DIR).filter((f) => f.endsWith(".yaml")).sort().reverse().map((f) => {
-    const file = join5(SNAPSHOTS_DIR, f);
+    const file = join4(SNAPSHOTS_DIR, f);
     const snapshot = parseYaml2(readFileSync5(file, "utf-8"));
     return { file, snapshot };
   });
@@ -1734,7 +2130,7 @@ import { Command as Command8 } from "commander";
 import chalk8 from "chalk";
 import { execSync as execSync2 } from "child_process";
 import { existsSync as existsSync7, accessSync, statfsSync, constants } from "fs";
-import { join as join6 } from "path";
+import { join as join5 } from "path";
 function symbol(status) {
   switch (status) {
     case "pass":
@@ -1790,23 +2186,23 @@ async function checkCompose(preferred) {
 }
 function checkConfig() {
   if (configExists()) {
-    return { status: "pass", label: "Config", message: "Configuration file exists (~/.horus/config.yaml)" };
+    return { status: "pass", label: "Config", message: "Configuration file exists (~/Horus/config.yaml)" };
   }
   return {
     status: "fail",
     label: "Config",
-    message: "Configuration file missing (~/.horus/config.yaml)",
+    message: "Configuration file missing (~/Horus/config.yaml)",
     hint: "Run `horus setup` to create the configuration"
   };
 }
 function checkComposeFile() {
   if (existsSync7(COMPOSE_PATH)) {
-    return { status: "pass", label: "Compose file", message: "Compose file installed (~/.horus/docker-compose.yml)" };
+    return { status: "pass", label: "Compose file", message: "Compose file installed (~/Horus/docker-compose.yml)" };
   }
   return {
     status: "fail",
     label: "Compose file",
-    message: "Compose file missing (~/.horus/docker-compose.yml)",
+    message: "Compose file missing (~/Horus/docker-compose.yml)",
     hint: "Run `horus setup` to install the compose file"
   };
 }
@@ -1862,7 +2258,7 @@ function checkDataDir(dataDir) {
   }
 }
 function checkDiskSpace(dataDir) {
-  const checkDir = existsSync7(dataDir) ? dataDir : join6(dataDir, "..");
+  const checkDir = existsSync7(dataDir) ? dataDir : join5(dataDir, "..");
   try {
     const stats = statfsSync(checkDir);
     const freeBytes = stats.bfree * stats.bsize;
@@ -1939,7 +2335,7 @@ var doctorCommand = new Command8("doctor").description("Diagnose common Horus is
   allResults.push(checkConfig());
   allResults.push(checkComposeFile());
   const ports = config?.ports ?? DEFAULT_PORTS;
-  const dataDir = config?.data_dir ?? join6(process.env.HOME ?? "~", ".horus", "data");
+  const dataDir = config?.data_dir ?? DEFAULT_DATA_DIR;
   allResults.push(checkPort(ports.anvil, "Anvil"));
   allResults.push(checkPort(ports.vault_rest, "Vault"));
   allResults.push(checkPort(ports.vault_mcp, "Vault MCP"));
@@ -1995,10 +2391,10 @@ import chalk9 from "chalk";
 import ora7 from "ora";
 import { confirm as confirm4 } from "@inquirer/prompts";
 import { mkdirSync as mkdirSync5, statSync as statSync2, existsSync as existsSync8, writeFileSync as writeFileSync5 } from "fs";
-import { join as join7, basename } from "path";
+import { join as join6, basename } from "path";
 import { execSync as execSync3 } from "child_process";
 import { stringify as stringifyYaml3 } from "yaml";
-var BACKUPS_DIR = join7(HORUS_DIR, "backups");
+var BACKUPS_DIR = join6(HORUS_DIR, "backups");
 function ensureBackupsDir() {
   mkdirSync5(BACKUPS_DIR, { recursive: true });
 }
@@ -2045,8 +2441,8 @@ async function createBackup(yes) {
   }
   ensureBackupsDir();
   const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
-  const tarFile = join7(BACKUPS_DIR, `${timestamp}.tar.gz`);
-  const metaFile = join7(BACKUPS_DIR, `${timestamp}.meta.yaml`);
+  const tarFile = join6(BACKUPS_DIR, `${timestamp}.tar.gz`);
+  const metaFile = join6(BACKUPS_DIR, `${timestamp}.meta.yaml`);
   const backupSpinner = ora7("Creating backup archive...").start();
   try {
     execSync3(`tar -czf "${tarFile}" -C "${HORUS_DIR}" data/`, {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@arkhera30/cli",
-  "version": "0.1.16",
+  "version": "0.2.0",
   "description": "CLI for managing the Horus AI development stack",
   "type": "module",
   "bin": {