@openparachute/vault 0.1.0

package/src/db.ts

@@ -0,0 +1,14 @@
+/**
+ * Vault database — opens bun:sqlite databases for vaults.
+ */
+
+import { Database } from "bun:sqlite";
+import { vaultDbPath, vaultDir } from "./config.ts";
+import { mkdirSync } from "fs";
+
+/** Open (or create) a vault's SQLite database. */
+export function openVaultDb(name: string): Database {
+  const dir = vaultDir(name);
+  mkdirSync(dir, { recursive: true });
+  return new Database(vaultDbPath(name));
+}

package/src/launchd.ts

@@ -0,0 +1,109 @@
+/**
+ * macOS launchd agent management for the vault daemon.
+ *
+ * The plist runs a wrapper script that sources ~/.parachute/.env
+ * before starting the server, so env vars (API keys, providers)
+ * are available to the daemon.
+ */
+
+import { homedir } from "os";
+import { join, resolve, dirname } from "path";
+import { writeFile, unlink } from "fs/promises";
+import { $ } from "bun";
+import { CONFIG_DIR, ENV_PATH, LOG_PATH, ERR_PATH } from "./config.ts";
+
+const LABEL = "computer.parachute.vault";
+const PLIST_PATH = join(homedir(), "Library", "LaunchAgents", `${LABEL}.plist`);
+const WRAPPER_PATH = join(CONFIG_DIR, "start.sh");
+
+/**
+ * Generate a shell wrapper that loads .env before starting the server.
+ */
+function generateWrapper(serverPath: string, bunPath: string): string {
+  return `#!/bin/bash
+# Auto-generated by parachute vault init
+# Loads user PATH + ~/.parachute/.env then starts the vault server
+
+# Source user shell profile for PATH (needed for parakeet-mlx, ffmpeg, etc.)
+[ -f "$HOME/.zprofile" ] && source "$HOME/.zprofile" 2>/dev/null
+[ -f "$HOME/.zshrc" ] && source "$HOME/.zshrc" 2>/dev/null
+
+if [ -f "${ENV_PATH}" ]; then
+  set -a
+  source "${ENV_PATH}"
+  set +a
+fi
+
+exec "${bunPath}" "${serverPath}"
+`;
+}
+
+export function generatePlist(): string {
+  return `<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>Label</key>
+  <string>${LABEL}</string>
+  <key>ProgramArguments</key>
+  <array>
+    <string>/bin/bash</string>
+    <string>${WRAPPER_PATH}</string>
+  </array>
+  <key>KeepAlive</key>
+  <true/>
+  <key>RunAtLoad</key>
+  <true/>
+  <key>StandardOutPath</key>
+  <string>${LOG_PATH}</string>
+  <key>StandardErrorPath</key>
+  <string>${ERR_PATH}</string>
+  <key>WorkingDirectory</key>
+  <string>${CONFIG_DIR}</string>
+</dict>
+</plist>`;
+}
+
+export async function installAgent(): Promise<void> {
+  if (process.platform !== "darwin") {
+    throw new Error("launchd is only available on macOS. Use systemd on Linux.");
+  }
+  const serverPath = resolve(dirname(import.meta.path), "server.ts");
+  const bunPath = Bun.which("bun") || join(homedir(), ".bun", "bin", "bun");
+
+  // Write the wrapper script
+  await writeFile(WRAPPER_PATH, generateWrapper(serverPath, bunPath), { mode: 0o755 });
+
+  // Write and load the plist
+  const plist = generatePlist();
+  await writeFile(PLIST_PATH, plist);
+  await $`launchctl load ${PLIST_PATH}`.quiet();
+}
+
+export async function uninstallAgent(): Promise<void> {
+  try {
+    await $`launchctl unload ${PLIST_PATH}`.quiet();
+  } catch {}
+  try {
+    await unlink(PLIST_PATH);
+  } catch {}
+  try {
+    await unlink(WRAPPER_PATH);
+  } catch {}
+}
+
+export async function isAgentLoaded(): Promise<boolean> {
+  try {
+    const result = await $`launchctl list ${LABEL}`.quiet();
+    return result.exitCode === 0;
+  } catch {
+    return false;
+  }
+}
+
+export async function restartAgent(): Promise<void> {
+  try {
+    await $`launchctl unload ${PLIST_PATH}`.quiet();
+  } catch {}
+  await $`launchctl load ${PLIST_PATH}`.quiet();
+}

package/src/mcp-http.ts

@@ -0,0 +1,113 @@
+/**
+ * Streamable HTTP MCP transport — stateless mode.
+ *
+ * Each request gets a fresh transport+server pair with no session ID
+ * generator. The SDK skips session validation when sessionIdGenerator
+ * is undefined, so clients can send `tools/call` or `tools/list`
+ * directly without a prior `initialize` handshake.
+ *
+ * This means server restarts never break existing MCP clients — the
+ * root cause of vault#56. The `initialize` method still works if a
+ * client sends it (the Server class handles it natively).
+ *
+ * Two modes:
+ *   /mcp              — unified, all vaults via `vault` param + list-vaults
+ *   /vaults/{name}/mcp — scoped to one vault, no vault param
+ *
+ * Vault description is sent as the MCP server instruction.
+ * Read-only keys see fewer tools.
+ */
+
+import { Server } from "@modelcontextprotocol/sdk/server/index.js";
+import { WebStandardStreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/webStandardStreamableHttp.js";
+import {
+  ListToolsRequestSchema,
+  CallToolRequestSchema,
+} from "@modelcontextprotocol/sdk/types.js";
+import { generateUnifiedMcpTools, generateScopedMcpTools, getServerInstruction } from "./mcp-tools.ts";
+import { isToolAllowed } from "./auth.ts";
+import type { AuthResult } from "./auth.ts";
+import type { McpToolDef } from "../core/src/mcp.ts";
+
+/** Handle unified MCP at /mcp (all vaults). */
+export async function handleUnifiedMcp(req: Request, auth: AuthResult): Promise<Response> {
+  const instruction = getServerInstruction();
+  return handleMcp(req, () => generateUnifiedMcpTools(), "parachute-vault", auth, instruction);
+}
+
+/** Handle scoped MCP at /vaults/{name}/mcp (single vault). */
+export async function handleScopedMcp(req: Request, vaultName: string, auth: AuthResult): Promise<Response> {
+  const instruction = getServerInstruction(vaultName);
+  return handleMcp(req, () => generateScopedMcpTools(vaultName), `parachute-vault/${vaultName}`, auth, instruction);
+}
+
+async function handleMcp(
+  req: Request,
+  getTools: () => McpToolDef[],
+  serverName: string,
+  auth: AuthResult,
+  instruction: string,
+): Promise<Response> {
+  const { permission } = auth;
+  const transport = new WebStandardStreamableHTTPServerTransport({
+    sessionIdGenerator: undefined,
+    enableJsonResponse: true,
+  });
+
+  const server = new Server(
+    { name: serverName, version: "0.1.0" },
+    {
+      capabilities: { tools: {} },
+      instructions: instruction,
+    },
+  );
+
+  const mcpTools = getTools();
+
+  // For read-only keys, only list readable tools
+  const visibleTools = permission === "read"
+    ? mcpTools.filter((t) => isToolAllowed(t.name, "read"))
+    : mcpTools;
+
+  server.setRequestHandler(ListToolsRequestSchema, async () => ({
+    tools: visibleTools.map((t) => ({
+      name: t.name,
+      description: t.description,
+      inputSchema: t.inputSchema,
+    })),
+  }));
+
+  server.setRequestHandler(CallToolRequestSchema, async (request) => {
+    const { name, arguments: args } = request.params;
+
+    if (!isToolAllowed(name, permission)) {
+      return {
+        content: [{ type: "text" as const, text: `Forbidden: insufficient permissions to call ${name}` }],
+        isError: true,
+      };
+    }
+
+    const tool = mcpTools.find((t) => t.name === name);
+    if (!tool) {
+      return {
+        content: [{ type: "text" as const, text: `Unknown tool: ${name}` }],
+        isError: true,
+      };
+    }
+    try {
+      const result = tool.execute((args ?? {}) as Record<string, unknown>);
+      return {
+        content: [{ type: "text" as const, text: JSON.stringify(result, null, 2) }],
+      };
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "Unknown error";
+      return {
+        content: [{ type: "text" as const, text: `Error: ${message}` }],
+        isError: true,
+      };
+    }
+  });
+
+  await server.connect(transport);
+  return transport.handleRequest(req);
+}

package/src/mcp-tools.ts

@@ -0,0 +1,155 @@
+/**
+ * MCP tool generation for multi-vault.
+ *
+ * Wraps core tools with vault resolution (optional `vault` param) and
+ * overrides vault-info with actual vault config access.
+ */
+
+import { generateMcpTools } from "../core/src/mcp.ts";
+import type { McpToolDef } from "../core/src/mcp.ts";
+import { readVaultConfig, writeVaultConfig, readGlobalConfig, listVaults as getVaultNames } from "./config.ts";
+import { getVaultStore } from "./vault-store.ts";
+
+/**
+ * Get the MCP server instruction for a vault (or the default vault).
+ * Sent once at session init — not per tool.
+ */
+export function getServerInstruction(vaultName?: string): string {
+  const globalConfig = readGlobalConfig();
+  const name = vaultName ?? globalConfig.default_vault ?? "default";
+  const config = readVaultConfig(name);
+
+  const parts: string[] = [
+    `You are connected to Parachute Vault "${name}".`,
+  ];
+
+  if (config?.description) {
+    parts.push("", config.description);
+  }
+
+  return parts.join("\n");
+}
+
+/**
+ * Generate the unified MCP tool set.
+ * Each tool has an optional `vault` param that defaults to the default vault.
+ */
+export function generateUnifiedMcpTools(): McpToolDef[] {
+  const globalConfig = readGlobalConfig();
+  const defaultVault = globalConfig.default_vault ?? "default";
+  const vaultNames = getVaultNames();
+  const multiVault = vaultNames.length > 1;
+
+  // Get tool definitions from core (using default vault for schema)
+  const defaultStore = getVaultStore(defaultVault);
+  const coreTools = generateMcpTools(defaultStore);
+
+  // Wrap each core tool with vault resolution
+  const tools: McpToolDef[] = coreTools.map((coreTool) => {
+    let description = coreTool.description;
+    if (multiVault) {
+      description += `\n\nMulti-vault: pass 'vault' to target a specific vault. Default: "${defaultVault}". Available: ${vaultNames.join(", ")}`;
+    }
+
+    const inputSchema = {
+      ...coreTool.inputSchema,
+      properties: {
+        vault: {
+          type: "string",
+          description: `Vault name (default: "${defaultVault}")`,
+        },
+        ...(coreTool.inputSchema as any).properties,
+      },
+    };
+
+    return {
+      name: coreTool.name,
+      description,
+      inputSchema,
+      execute: (params) => {
+        const vaultName = (params.vault as string) ?? defaultVault;
+        const config = readVaultConfig(vaultName);
+        if (!config) {
+          throw new Error(`Vault "${vaultName}" not found. Available: ${getVaultNames().join(", ")}`);
+        }
+        const store = getVaultStore(vaultName);
+        const vaultTools = generateMcpTools(store);
+        const tool = vaultTools.find((t) => t.name === coreTool.name)!;
+        const { vault: _, ...rest } = params;
+        return tool.execute(rest);
+      },
+    };
+  });
+
+  // Override vault-info with actual vault config access
+  overrideVaultInfo(tools, defaultVault);
+
+  // Add list-vaults (multi-vault only, not in core)
+  if (multiVault) {
+    tools.push({
+      name: "list-vaults",
+      description: "List all available vaults with their descriptions.",
+      inputSchema: { type: "object", properties: {} },
+      execute: () => {
+        const names = getVaultNames();
+        return names.map((name) => {
+          const config = readVaultConfig(name);
+          return {
+            name,
+            description: config?.description,
+            created_at: config?.created_at,
+            is_default: name === defaultVault,
+          };
+        });
+      },
+    });
+  }
+
+  return tools;
+}
+
+/**
+ * Generate MCP tools scoped to a single vault.
+ * No vault param — tools operate on that vault only.
+ */
+export function generateScopedMcpTools(vaultName: string): McpToolDef[] {
+  const store = getVaultStore(vaultName);
+  const tools = generateMcpTools(store);
+
+  // Override vault-info with actual vault config access
+  overrideVaultInfo(tools, vaultName);
+
+  return tools;
+}
+
+/**
+ * Override vault-info's placeholder execute with real vault config access.
+ */
+function overrideVaultInfo(tools: McpToolDef[], defaultVault: string): void {
+  const vaultInfo = tools.find((t) => t.name === "vault-info");
+  if (!vaultInfo) return;
+
+  vaultInfo.execute = (params) => {
+    const vaultName = (params.vault as string) ?? defaultVault;
+    const config = readVaultConfig(vaultName);
+    if (!config) throw new Error(`Vault "${vaultName}" not found`);
+
+    // Update description if provided
+    if (params.description !== undefined) {
+      config.description = params.description as string;
+      writeVaultConfig(config);
+    }
+
+    const result: any = {
+      name: config.name,
+      description: config.description ?? null,
+    };
+
+    if (params.include_stats) {
+      const store = getVaultStore(vaultName);
+      result.stats = store.getVaultStats();
+    }
+
+    return result;
+  };
+}