@openparachute/vault 0.1.0 → 0.2.1

package/src/server.ts

@@ -6,21 +6,19 @@
  *   GET  /health                           — health check
  *   *    /mcp                              — unified MCP (all vaults, vault param)
  *   *    /vaults/{name}/mcp                — scoped MCP (single vault, no vault param)
- *   GET  /vaults                           — list vaults
+ *   GET  /vaults                           — list vaults with metadata (authenticated)
+ *   GET  /vaults/list                      — list vault names (public; disable via config.discovery)
  *   *    /vaults/{name}/api/...            — per-vault REST API
+ *
+ * The request pipeline lives in ./routing.ts (exported for unit testing).
  */
 
 import { readVaultConfig, readGlobalConfig, writeGlobalConfig, writeVaultConfig, listVaults, DEFAULT_PORT, ensureConfigDirSync, loadEnvFile, generateApiKey, hashKey } from "./config.ts";
-import { authenticateVaultRequest, authenticateGlobalRequest, isMethodAllowed, extractApiKey } from "./auth.ts";
-import type { AuthResult } from "./auth.ts";
-import type { VaultConfig } from "./config.ts";
 import { migrateVaultKeys } from "./token-store.ts";
 import { getVaultStore } from "./vault-store.ts";
-import { handleUnifiedMcp, handleScopedMcp } from "./mcp-http.ts";
-import { handleNotes, handleTags, handleFindPath, handleVault, handleUnresolvedWikilinks, handleStorage, handleViewNote } from "./routes.ts";
 import { defaultHookRegistry } from "../core/src/hooks.ts";
 import { registerTriggers } from "./triggers.ts";
-import { handleProtectedResource, handleAuthorizationServer, handleRegister, handleAuthorizeGet, handleAuthorizePost, handleToken } from "./oauth.ts";
+import { route } from "./routing.ts";
 
 // Register webhook triggers from global config. Replaces the old hardcoded
 // tts-hook and transcription-hook with config-driven webhooks.
@@ -76,11 +74,11 @@ for (const vaultName of listVaults()) {
   const vaultConfig = readVaultConfig(vaultName);
   if (vaultConfig?.tag_schemas && Object.keys(vaultConfig.tag_schemas).length > 0) {
     const store = getVaultStore(vaultName);
-    const existingTags = new Set(store.listTagSchemas().map((s) => s.tag));
+    const existingTags = new Set((await store.listTagSchemas()).map((s) => s.tag));
     let migrated = 0;
     for (const [tag, schema] of Object.entries(vaultConfig.tag_schemas)) {
       if (!existingTags.has(tag)) {
-        store.upsertTagSchema(tag, schema);
+        await store.upsertTagSchema(tag, schema);
         migrated++;
       }
     }
@@ -179,272 +177,3 @@ async function shutdown(signal: string): Promise<void> {
 process.on("SIGINT", () => void shutdown("SIGINT"));
 process.on("SIGTERM", () => void shutdown("SIGTERM"));
 
-/**
- * Check if a /view request has a valid API key (header or ?key= query param).
- * Returns true if authenticated, false if not. Never rejects — unauthenticated
- * requests still get public notes.
- */
-function isViewAuthenticated(req: Request, vaultConfig: VaultConfig | null, vaultDb?: import("bun:sqlite").Database): boolean {
-  if (!vaultConfig) return false;
-  // extractApiKey now checks headers AND ?key= query param
-  const key = extractApiKey(req);
-  if (!key) return false;
-  const auth = authenticateVaultRequest(req, vaultConfig, vaultDb);
-  return !("error" in auth);
-}
-
-async function route(req: Request, path: string, clientIp?: string): Promise<Response> {
-  // OAuth discovery endpoints (no auth required)
-  if (path === "/.well-known/oauth-protected-resource") {
-    return handleProtectedResource(req);
-  }
-  if (path === "/.well-known/oauth-authorization-server") {
-    return handleAuthorizationServer(req);
-  }
-
-  // OAuth flow endpoints (no auth — these ARE the auth)
-  if (path === "/oauth/register" || path === "/oauth/authorize" || path === "/oauth/token") {
-    const defaultVault = readGlobalConfig().default_vault ?? "default";
-    const vaultConfig = readVaultConfig(defaultVault);
-    if (!vaultConfig) {
-      return Response.json({ error: "server_error", error_description: "Default vault not configured" }, { status: 500 });
-    }
-    const store = getVaultStore(defaultVault);
-
-    if (path === "/oauth/register") {
-      return handleRegister(req, store.db);
-    }
-    if (path === "/oauth/authorize") {
-      const gc = readGlobalConfig();
-      const ownerPasswordHash = gc.owner_password_hash ?? null;
-      const totpSecret = gc.totp_secret ?? null;
-      const totpEnrolled = typeof totpSecret === "string" && totpSecret.length > 0;
-      if (req.method === "GET") {
-        return handleAuthorizeGet(req, store.db, vaultConfig.name, ownerPasswordHash, totpEnrolled);
-      }
-      if (req.method === "POST") {
-        return handleAuthorizePost(req, store.db, {
-          vaultName: vaultConfig.name,
-          clientIp,
-          ownerPasswordHash,
-          totpSecret,
-        });
-      }
-      return Response.json({ error: "method_not_allowed" }, { status: 405 });
-    }
-    if (path === "/oauth/token") {
-      return handleToken(req, store.db);
-    }
-  }
-
-  // Health check — vault names only for authenticated requests
-  if (path === "/health") {
-    const auth = authenticateGlobalRequest(req);
-    if ("error" in auth) {
-      return Response.json({ status: "ok" });
-    }
-    return Response.json({ status: "ok", vaults: listVaults() });
-  }
-
-  // Unified MCP (all vaults, global auth)
-  if (path === "/mcp" || path.startsWith("/mcp/")) {
-    const auth = authenticateGlobalRequest(req);
-    if ("error" in auth) return auth.error;
-    return handleUnifiedMcp(req, auth);
-  }
-
-  // View endpoint — serves notes as HTML (auth-aware, supports ID or path)
-  const viewMatch = path.match(/^\/view\/(.+)$/);
-  if (viewMatch && req.method === "GET") {
-    const defaultVault = readGlobalConfig().default_vault ?? "default";
-    const vaultConfig = readVaultConfig(defaultVault);
-    if (!vaultConfig) {
-      return Response.json({ error: "Default vault not found" }, { status: 404 });
-    }
-    const store = getVaultStore(defaultVault);
-    const authenticated = isViewAuthenticated(req, vaultConfig, store.db);
-    return handleViewNote(store, decodeURIComponent(viewMatch[1]), {
-      authenticated,
-      publishedTag: vaultConfig.published_tag,
-    });
-  }
-
-  // Backward compat: /public/:noteId → /view/:noteId (preserving query params)
-  const publicMatch = path.match(/^\/public\/([^/]+)$/);
-  if (publicMatch && req.method === "GET") {
-    const dest = new URL(`/view/${publicMatch[1]}`, req.url);
-    dest.search = new URL(req.url).search;
-    return Response.redirect(dest.toString(), 301);
-  }
-
-
-  // List vaults — requires auth
-  if (path === "/vaults" && req.method === "GET") {
-    const auth = authenticateGlobalRequest(req);
-    if ("error" in auth) return auth.error;
-    const names = listVaults();
-    const vaults = names.map((name) => {
-      const config = readVaultConfig(name);
-      return {
-        name,
-        description: config?.description,
-        created_at: config?.created_at,
-      };
-    });
-    return Response.json({ vaults });
-  }
-
-  // Backward-compatible: /api/* routes to default vault
-  if (path.startsWith("/api/")) {
-    const defaultVault = readGlobalConfig().default_vault ?? "default";
-    const vaultConfig = readVaultConfig(defaultVault);
-    if (!vaultConfig) {
-      return Response.json({ error: "Default vault not found" }, { status: 404 });
-    }
-    const store = getVaultStore(defaultVault);
-    const auth = authenticateVaultRequest(req, vaultConfig, store.db);
-    if ("error" in auth) return auth.error;
-    if (!isMethodAllowed(req.method, auth.permission)) {
-      return Response.json({ error: "Forbidden", message: "Insufficient permissions" }, { status: 403 });
-    }
-    const apiPath = path.slice(4); // strip "/api"
-    if (apiPath.startsWith("/notes")) return handleNotes(req, store, apiPath.slice(6));
-    if (apiPath.startsWith("/tags")) return handleTags(req, store, apiPath.slice(5));
-    if (apiPath === "/find-path") return handleFindPath(req, store);
-    if (apiPath === "/vault") return handleVault(req, store, vaultConfig, (desc) => {
-      vaultConfig.description = desc;
-      writeVaultConfig(vaultConfig);
-    });
-    if (apiPath === "/unresolved-wikilinks") return handleUnresolvedWikilinks(req, store);
-    if (apiPath.startsWith("/storage")) return handleStorage(req, apiPath.slice(8), defaultVault);
-    if (apiPath === "/health") return Response.json({ status: "ok", vault: defaultVault });
-  }
-
-  // Vault-scoped routes: /vaults/{name}/...
-  const vaultMatch = path.match(/^\/vaults\/([^/]+)(\/.*)?$/);
-  if (!vaultMatch) {
-    return Response.json({ error: "Not found" }, { status: 404 });
-  }
-
-  const vaultName = vaultMatch[1];
-  const subpath = vaultMatch[2] ?? "";
-
-  const vaultConfig = readVaultConfig(vaultName);
-  if (!vaultConfig) {
-    return Response.json(
-      { error: "Vault not found", vault: vaultName },
-      { status: 404 },
-    );
-  }
-
-  // Backward compat: /vaults/{name}/public/:noteId → /view/:noteId
-  const vaultPublicMatch = subpath.match(/^\/public\/([^/]+)$/);
-  if (vaultPublicMatch && req.method === "GET") {
-    const dest = new URL(`/vaults/${vaultName}/view/${vaultPublicMatch[1]}`, req.url);
-    dest.search = new URL(req.url).search;
-    return Response.redirect(dest.toString(), 301);
-  }
-
-  // View endpoint — serves notes as HTML (auth-aware, vault-scoped, supports ID or path)
-  const vaultViewMatch = subpath.match(/^\/view\/(.+)$/);
-  if (vaultViewMatch && req.method === "GET") {
-    const store = getVaultStore(vaultName);
-    const authenticated = isViewAuthenticated(req, vaultConfig, store.db);
-    return handleViewNote(store, decodeURIComponent(vaultViewMatch[1]), {
-      authenticated,
-      publishedTag: vaultConfig.published_tag,
-    });
-  }
-
-  // Vault-scoped OAuth endpoints (no auth — these ARE the auth)
-  if (subpath === "/oauth/register" || subpath === "/oauth/authorize" || subpath === "/oauth/token") {
-    const store = getVaultStore(vaultName);
-    if (subpath === "/oauth/register") return handleRegister(req, store.db);
-    if (subpath === "/oauth/authorize") {
-      const gc = readGlobalConfig();
-      const ownerPasswordHash = gc.owner_password_hash ?? null;
-      const totpSecret = gc.totp_secret ?? null;
-      const totpEnrolled = typeof totpSecret === "string" && totpSecret.length > 0;
-      if (req.method === "GET") return handleAuthorizeGet(req, store.db, vaultConfig.name, ownerPasswordHash, totpEnrolled);
-      if (req.method === "POST") return handleAuthorizePost(req, store.db, {
-        vaultName: vaultConfig.name,
-        clientIp,
-        ownerPasswordHash,
-        totpSecret,
-      });
-      return Response.json({ error: "method_not_allowed" }, { status: 405 });
-    }
-    if (subpath === "/oauth/token") return handleToken(req, store.db);
-  }
-
-  // Vault-scoped discovery endpoints
-  if (subpath === "/.well-known/oauth-protected-resource") return handleProtectedResource(req, `/vaults/${vaultName}/mcp`);
-  if (subpath === "/.well-known/oauth-authorization-server") return handleAuthorizationServer(req);
-
-  // Auth: per-vault key OR global key
-  const store = getVaultStore(vaultName);
-  const auth = authenticateVaultRequest(req, vaultConfig, store.db);
-  if ("error" in auth) return auth.error;
-
-  // Per-vault scoped MCP
-  if (subpath === "/mcp" || subpath.startsWith("/mcp/")) {
-    return handleScopedMcp(req, vaultName, auth);
-  }
-
-  // Bare /vaults/{name} — single-vault root. Returns name, description,
-  // createdAt, and stats. One round trip for a viz landing page.
-  if (subpath === "" || subpath === "/") {
-    if (req.method !== "GET") {
-      return Response.json({ error: "Method not allowed" }, { status: 405 });
-    }
-    const stats = store.getVaultStats();
-    return Response.json({
-      name: vaultName,
-      description: vaultConfig.description,
-      createdAt: vaultConfig.created_at,
-      stats,
-    });
-  }
-
-  // REST API — enforce permission level
-  if (!isMethodAllowed(req.method, auth.permission)) {
-    return Response.json(
-      { error: "Forbidden", message: "Insufficient permissions" },
-      { status: 403 },
-    );
-  }
-
-  const apiMatch = subpath.match(/^\/api(\/.*)?$/);
-  if (!apiMatch) {
-    return Response.json({ error: "Not found" }, { status: 404 });
-  }
-
-  const apiPath = apiMatch[1] ?? "";
-
-  if (apiPath.startsWith("/notes")) {
-    return handleNotes(req, store, apiPath.slice(6));
-  }
-  if (apiPath.startsWith("/tags")) {
-    return handleTags(req, store, apiPath.slice(5));
-  }
-  if (apiPath === "/find-path") {
-    return handleFindPath(req, store);
-  }
-  if (apiPath === "/vault") {
-    return handleVault(req, store, vaultConfig, (desc) => {
-      vaultConfig.description = desc;
-      writeVaultConfig(vaultConfig);
-    });
-  }
-  if (apiPath === "/unresolved-wikilinks") {
-    return handleUnresolvedWikilinks(req, store);
-  }
-  if (apiPath.startsWith("/storage")) {
-    return handleStorage(req, apiPath.slice(8), vaultName);
-  }
-  if (apiPath === "/health") {
-    return Response.json({ status: "ok", vault: vaultName });
-  }
-
-  return Response.json({ error: "Not found" }, { status: 404 });
-}

package/src/systemd.test.ts

@@ -0,0 +1,15 @@
+import { describe, test, expect } from "bun:test";
+import { generateUnit } from "./systemd.ts";
+import { WRAPPER_PATH } from "./daemon.ts";
+
+describe("generateUnit", () => {
+  test("invokes the shared wrapper rather than hardcoding server.ts", () => {
+    const unit = generateUnit();
+    // Same incident on Linux: the old unit hardcoded the absolute path to
+    // server.ts inside ExecStart. Now ExecStart points at the wrapper, and
+    // the wrapper resolves the path from a pointer file at boot.
+    expect(unit).toContain(`ExecStart=/bin/bash ${WRAPPER_PATH}`);
+    expect(unit).not.toMatch(/server\.ts/);
+    expect(unit).toContain("Restart=on-failure");
+  });
+});

package/src/systemd.ts

@@ -6,28 +6,33 @@
  */
 
 import { homedir } from "os";
-import { join, resolve } from "path";
+import { join } from "path";
 import { writeFile, mkdir, unlink } from "fs/promises";
 import { existsSync } from "fs";
 import { $ } from "bun";
-import { CONFIG_DIR, ENV_PATH, LOG_PATH, ERR_PATH } from "./config.ts";
+import { CONFIG_DIR, LOG_PATH, ERR_PATH } from "./config.ts";
+import { WRAPPER_PATH, writeDaemonWrapper } from "./daemon.ts";
 
 const SERVICE_NAME = "parachute-vault";
 const SERVICE_DIR = join(homedir(), ".config", "systemd", "user");
 const SERVICE_PATH = join(SERVICE_DIR, `${SERVICE_NAME}.service`);
 
-function generateUnit(serverPath: string, bunPath: string): string {
+/**
+ * systemd unit invokes the shared start.sh wrapper. Env + server path
+ * resolution lives in the wrapper (see daemon.ts) — keeping systemd and
+ * launchd aligned on a single source of truth.
+ */
+export function generateUnit(): string {
   return `[Unit]
 Description=Parachute Vault
 After=network.target
 
 [Service]
 Type=simple
-WorkingDirectory=${resolve(serverPath, "..")}
-ExecStart=${bunPath} ${serverPath}
+WorkingDirectory=${CONFIG_DIR}
+ExecStart=/bin/bash ${WRAPPER_PATH}
 Restart=on-failure
 RestartSec=5
-EnvironmentFile=${ENV_PATH}
 StandardOutput=append:${LOG_PATH}
 StandardError=append:${ERR_PATH}
 
@@ -36,12 +41,11 @@ WantedBy=default.target
 `;
 }
 
-export async function installSystemdService(): Promise<void> {
-  const serverPath = resolve(import.meta.dir, "server.ts");
-  const bunPath = (await $`which bun`.text()).trim();
+export async function installSystemdService(): Promise<{ serverPath: string }> {
+  const { serverPath } = await writeDaemonWrapper();
 
   await mkdir(SERVICE_DIR, { recursive: true });
-  await writeFile(SERVICE_PATH, generateUnit(serverPath, bunPath));
+  await writeFile(SERVICE_PATH, generateUnit());
 
   // Enable lingering so user services run without login session
   try {
@@ -52,7 +56,10 @@ export async function installSystemdService(): Promise<void> {
 
   await $`systemctl --user daemon-reload`.quiet();
   await $`systemctl --user enable ${SERVICE_NAME}`.quiet();
-  await $`systemctl --user start ${SERVICE_NAME}`.quiet();
+  // Idempotent: `restart` works whether or not the service was running.
+  await $`systemctl --user restart ${SERVICE_NAME}`.quiet();
+
+  return { serverPath };
 }
 
 export async function uninstallSystemdService(): Promise<void> {

package/src/triggers.test.ts

@@ -97,13 +97,13 @@ describe("buildPredicate", () => {
   });
 });
 
-describe("registerTriggers — dispatch modes", () => {
+describe("registerTriggers — dispatch modes", async () => {
   let webhookServer: ReturnType<typeof Bun.serve>;
   let webhookPort: number;
   let lastRequest: { method: string; url: string; headers: Headers; body: unknown; formData?: FormData } | null = null;
   let webhookHandler: (req: Request) => Response | Promise<Response>;
 
-  beforeAll(() => {
+  beforeAll(async () => {
     webhookHandler = () => Response.json({});
     webhookServer = Bun.serve({
       hostname: "127.0.0.1",
@@ -224,7 +224,7 @@ describe("registerTriggers — dispatch modes", () => {
     expect((file as File).name).toBe("recording.wav");
 
     // Verify note content was updated
-    const updated = store.getNote("n2");
+    const updated = await store.getNote("n2");
     expect(updated?.content).toBe("transcribed content");
 
     // Cleanup
@@ -272,12 +272,12 @@ describe("registerTriggers — dispatch modes", () => {
     expect(body.input).toBe("Hello world");
 
     // Verify attachment was created
-    const attachments = store.getAttachments("n3");
+    const attachments = await store.getAttachments("n3");
     expect(attachments.length).toBe(1);
     expect(attachments[0].mimeType).toBe("audio/ogg");
 
     // Verify metadata includes provider info
-    const updated = store.getNote("n3");
+    const updated = await store.getNote("n3");
     const meta = updated?.metadata as Record<string, unknown>;
     expect(meta.tts_provider).toBe("kokoro");
     expect(meta.tts_voice).toBe("af_heart");
@@ -307,7 +307,7 @@ describe("registerTriggers — dispatch modes", () => {
     await hooks.dispatch("created", note, store);
     await new Promise(r => setTimeout(r, 50));
 
-    const updated = store.getNote("n4");
+    const updated = await store.getNote("n4");
     const meta = updated?.metadata as Record<string, unknown>;
     expect(meta.skip_test_skipped_reason).toBe("no audio attachment found");
   });
@@ -330,7 +330,7 @@ describe("registerTriggers — dispatch modes", () => {
     await hooks.dispatch("created", note, store);
     await new Promise(r => setTimeout(r, 50));
 
-    const updated = store.getNote("n5");
+    const updated = await store.getNote("n5");
     const meta = updated?.metadata as Record<string, unknown>;
     expect(meta.empty_test_skipped_reason).toBe("note has no content to synthesize");
   });

package/src/triggers.ts

@@ -313,7 +313,7 @@ export function registerTriggers(
 
         // Phase 1: claim
         try {
-          store.updateNote(note.id, {
+          await store.updateNote(note.id, {
             metadata: { ...existingMeta, [pendingKey]: pendingAt },
             skipUpdatedAt: true,
           });
@@ -324,7 +324,7 @@ export function registerTriggers(
 
         // Fire the webhook using the configured send mode
         let webhookResult: WebhookResponse;
-        const attachments = store.getAttachments(note.id);
+        const attachments = await store.getAttachments(note.id);
         const controller = new AbortController();
         const timer = setTimeout(() => controller.abort(), timeout);
         try {
@@ -358,7 +358,7 @@ export function registerTriggers(
         // trigger an infinite webhook loop on every update.
         if (webhookResult.skipped_reason) {
           try {
-            store.updateNote(note.id, {
+            await store.updateNote(note.id, {
               metadata: {
                 ...existingMeta,
                 [pendingKey]: undefined,
@@ -378,16 +378,16 @@ export function registerTriggers(
           // Add attachments first
           if (webhookResult.attachments?.length) {
             for (const att of webhookResult.attachments) {
-              store.addAttachment(note.id, att.path, att.mimeType, att.meta);
+              await store.addAttachment(note.id, att.path, att.mimeType, att.meta);
             }
           }
 
           // Read fresh metadata to avoid clobbering concurrent edits
-          const fresh = store.getNote(note.id);
+          const fresh = await store.getNote(note.id);
           const freshMeta = (fresh?.metadata as Record<string, unknown> | undefined) ?? existingMeta;
           const { [pendingKey]: _drop, ...restMeta } = freshMeta;
 
-          store.updateNote(note.id, {
+          await store.updateNote(note.id, {
             ...(webhookResult.content !== undefined ? { content: webhookResult.content } : {}),
             metadata: {
               ...restMeta,

package/src/vault-store.ts

@@ -38,10 +38,27 @@ export function getVaultNameForStore(store: SqliteStore): string | undefined {
   return storeToVault.get(store);
 }
 
-/** Close all open stores. */
-export function closeAllStores(): void {
+/**
+ * Close all open stores. When `silent` is true, swallow errors from
+ * `db.close()` — used by test cleanup where the underlying DB files may
+ * already be gone.
+ */
+export function closeAllStores(silent = false): void {
   for (const [, store] of stores) {
-    store.db.close();
+    if (silent) {
+      try { store.db.close(); } catch {}
+    } else {
+      store.db.close();
+    }
   }
   stores.clear();
 }
+
+/**
+ * Test-only: close and clear all cached stores. Used between tests that
+ * swap `PARACHUTE_HOME` out from under the cache, which would otherwise
+ * hold handles to DBs whose files no longer exist.
+ */
+export function clearVaultStoreCache(): void {
+  closeAllStores(true);
+}