@openparachute/vault 0.2.0 → 0.2.2

package/CHANGELOG.md

@@ -4,6 +4,22 @@ All notable changes to Parachute Vault are documented here.
 
 This project loosely follows [Keep a Changelog](https://keepachangelog.com) and [Semantic Versioning](https://semver.org).
 
+## [0.2.2] — 2026-04-17
+
+### Fixed
+
+- **`start.sh` daemon wrapper no longer crashes on user shell profiles that reference unbound variables.** The generated wrapper ran `source ~/.zprofile` and `source ~/.zshrc` under `set -u`, so a zsh plugin framework or any conditional profile setup that touched an unset variable would abort the wrapper with exit 1. The `2>/dev/null` redirect swallowed the error, launchd saw repeated exit 1s, and the daemon silently refused to start with an empty `vault.err`. The wrapper now brackets the profile-source lines with `set +u` / `set -u` so -u is only active for code the wrapper owns. Run `parachute vault init` once on 0.2.2 to rewrite `~/.parachute/start.sh` — the rewrite is idempotent.
+
+### Added
+
+- **`parachute --version` / `parachute -v` / `parachute version`** print the installed package version to stdout. Works at the root and with the `vault` prefix (`parachute vault --version`, etc.). Reads from the installed `package.json` at module load, not a hardcoded string.
+
+## [0.2.1] — 2026-04-17
+
+### Fixed
+
+- OAuth discovery now works against Claude Code's MCP SDK (and any other strict RFC 9728 client): 401 responses from the MCP endpoint carry a `WWW-Authenticate: Bearer resource_metadata="…"` header pointing at the scoped or unscoped protected-resource metadata document, matching the URL the client actually hit. Previously, clients with no pointer fell back to probing the root `/.well-known/oauth-protected-resource`, got `resource: <base>/mcp`, and rejected any connection to `/vaults/<name>/mcp` as a resource mismatch.
+
 ## [0.2.0] — 2026-04-17
 
 First tagged public release. Ships the auth, backup, and onboarding surface the project needs for first-wave users.
@@ -77,4 +93,6 @@ First tagged public release. Ships the auth, backup, and onboarding surface the
 - **`core/src/test-preload.ts`** isolates `PARACHUTE_HOME` for tests so `bun test` never touches a user's real `~/.parachute/`.
 - Test suite at release cut: **538 passing / 0 failing / 3 skipped** across 22 files (541 tests total).
 
+[0.2.2]: https://github.com/ParachuteComputer/parachute-vault/releases/tag/v0.2.2
+[0.2.1]: https://github.com/ParachuteComputer/parachute-vault/releases/tag/v0.2.1
 [0.2.0]: https://github.com/ParachuteComputer/parachute-vault/releases/tag/v0.2.0

package/README.md

@@ -172,6 +172,7 @@ parachute vault init                       # one-command setup (idempotent — s
 parachute vault status                     # check what's running
 parachute vault doctor                     # diagnose install/config issues (see Troubleshooting)
 parachute vault url                        # print the local server URL (for scripts)
+parachute --version                        # print the installed version (aliases: -v, version)
 parachute vault uninstall                  # remove daemon + MCP entry; keeps user data
 parachute vault uninstall --wipe           # ...and also remove vaults, .env, config.yaml, logs
 parachute vault uninstall --yes --wipe     # scripted destructive wipe (prints an audit line)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openparachute/vault",
-  "version": "0.2.0",
+  "version": "0.2.2",
   "description": "Agent-native knowledge graph. Notes, tags, links over MCP.",
   "module": "src/cli.ts",
   "type": "module",

package/src/cli.ts

@@ -19,6 +19,10 @@
 import { resolve } from "path";
 import { homedir } from "os";
 import { existsSync, readFileSync, writeFileSync, rmSync, mkdirSync } from "fs";
+// JSON import — resolved at module load, works for both dev runs
+// (`bun src/cli.ts …`) and the published package (`bunx @openparachute/vault`)
+// because package.json ships at the root next to src/.
+import pkg from "../package.json" with { type: "json" };
 import {
   ensureConfigDirSync,
   readVaultConfig,
@@ -180,6 +184,14 @@ switch (command) {
   case "-h":
     usage();
     break;
+  case "version":
+  case "--version":
+  case "-v":
+    // Intentionally minimal — just the version string on stdout. Scripts
+    // (and `parachute vault doctor` in a future check) rely on this being
+    // a bare-number line; anything else belongs in `vault status`.
+    console.log(pkg.version);
+    break;
   default:
     console.error(`Unknown command: ${command}`);
     usage();
@@ -1976,6 +1988,7 @@ Setup:
                                            config.yaml, and daemon logs (vault.log, vault.err).
                                            --yes skips prompts (DANGEROUS with --wipe: no confirmation).
   parachute vault url                      Print the local server URL (for scripts)
+  parachute --version                      Print the installed version (alias: -v, version)
 
 Vaults:
   parachute vault create <name>            Create a new vault

package/src/daemon.ts

@@ -55,8 +55,17 @@ export function generateWrapper(opts: {
 set -u
 
 # Source user shell profile for PATH (needed for parakeet-mlx, ffmpeg, etc.)
+# Temporarily disable -u around these: user rc files routinely reference
+# unbound variables (zsh plugin frameworks, conditional setups), and a bare
+# \`set -u\` source would crash the wrapper with exit 1 and leave vault.err
+# empty because of the 2>/dev/null below — launchd would respawn silently
+# until it gave up. Keep the stderr redirect so expected "command not found"
+# noise from incomplete setups doesn't fill vault.err; to debug silent
+# wrapper failures, run \`bash -x ~/.parachute/start.sh\` by hand.
+set +u
 [ -f "$HOME/.zprofile" ] && source "$HOME/.zprofile" 2>/dev/null
 [ -f "$HOME/.zshrc" ] && source "$HOME/.zshrc" 2>/dev/null
+set -u
 
 if [ -f "${envPath}" ]; then
   set -a

package/src/launchd.test.ts

@@ -78,6 +78,84 @@ describe("generateWrapper", () => {
       rmSync(dir, { recursive: true, force: true });
     }
   });
+
+  // ---------------------------------------------------------------------------
+  // The incident this guards against (0.2.2): sourcing the user's ~/.zshrc or
+  // ~/.zprofile under `set -u` crashes the wrapper if any line in the rc file
+  // references an unbound variable — which is routine in zsh plugin frameworks
+  // and half-configured setups. The 2>/dev/null redirect swallowed the error
+  // so vault.err stayed empty and launchd silently gave up after repeated
+  // exit 1s. The fix brackets the profile-source lines with `set +u` / `set -u`
+  // so strict-unset-vars only applies to code the wrapper itself owns.
+  // ---------------------------------------------------------------------------
+
+  test("brackets profile sourcing with set +u / set -u to survive user rc files", () => {
+    const wrapper = generateWrapper({ bunPath: "/bin/bun" });
+    // Textual shape check — quickest canary.
+    const lines = wrapper.split("\n");
+    const zprofileIdx = lines.findIndex((l) => l.includes(".zprofile"));
+    const zshrcIdx = lines.findIndex((l) => l.includes(".zshrc"));
+    expect(zprofileIdx).toBeGreaterThan(-1);
+    expect(zshrcIdx).toBeGreaterThan(-1);
+    // Both source lines must be sandwiched between a `set +u` and a `set -u`.
+    // Walk back for `set +u` and forward for `set -u` from whichever source
+    // line comes first / last so ordering stays flexible.
+    const firstIdx = Math.min(zprofileIdx, zshrcIdx);
+    const lastIdx = Math.max(zprofileIdx, zshrcIdx);
+    const preceding = lines.slice(0, firstIdx).reverse().find((l) => l.trim().startsWith("set "));
+    const following = lines.slice(lastIdx + 1).find((l) => l.trim().startsWith("set "));
+    expect(preceding?.trim()).toBe("set +u");
+    expect(following?.trim()).toBe("set -u");
+  });
+
+  test("surviving profile source under set -u: running the generated wrapper with a rc file that trips set -u does not abort before reaching the pointer-file logic", async () => {
+    // The integration proof. Build a fake HOME where ~/.zshrc expands an
+    // unbound variable ($UNSET_IN_TEST), point the wrapper at it via HOME,
+    // and expect the wrapper to exit on the "server path not configured"
+    // path (exit 1 from the explicit check) rather than on the zshrc crash
+    // (exit 1 from set -u). The signal we compare on is the stderr message:
+    // the pointer-missing branch prints a specific error; a set-u crash
+    // prints zsh's own "parameter not set" message and no vault-branded
+    // text at all.
+    //
+    // Skipping stderr here would let a regressed wrapper silently exit 1
+    // and still pass the test, so we assert on the presence of the
+    // pointer-missing message.
+    const dir = mkdtempSync(join(tmpdir(), "vault-wrapper-setu-"));
+    try {
+      const fakeHome = join(dir, "home");
+      writeFileSync(join(dir, "mkdir.marker"), ""); // ensure dir exists
+      await $`mkdir -p ${fakeHome}`.quiet();
+      // A ~/.zshrc that blows up under set -u.
+      writeFileSync(join(fakeHome, ".zshrc"), 'echo "$UNSET_IN_TEST"\n');
+      // Wrapper with explicit env/pointer paths that do NOT exist. We do not
+      // pass PARACHUTE_VAULT_SERVER_PATH either. So the wrapper should take
+      // the "no server path configured" branch and exit 1 with the branded
+      // message — but only if it survives the zshrc source.
+      const wrapper = generateWrapper({
+        bunPath: "/bin/echo", // won't be reached; a safe no-op if it is
+        serverPathFile: join(dir, "nonexistent-pointer"),
+        envPath: join(dir, "nonexistent.env"),
+      });
+      const path = join(dir, "start.sh");
+      writeFileSync(path, wrapper);
+      // Override HOME so the wrapper sources our crafted zshrc.
+      // Clear PARACHUTE_VAULT_SERVER_PATH in case the test runner has it set.
+      const result = await $`HOME=${fakeHome} PARACHUTE_VAULT_SERVER_PATH= bash ${path}`
+        .quiet()
+        .nothrow();
+      const stderr = result.stderr.toString();
+      // Positive: we reached the branded pointer-missing branch.
+      expect(stderr).toMatch(/parachute-vault: server path not configured/);
+      // Negative: we did NOT crash in zshrc with a zsh/bash unbound-variable
+      // message. Catches a future regression where someone drops the
+      // `set +u` bracket.
+      expect(stderr).not.toMatch(/UNSET_IN_TEST: unbound variable/);
+      expect(result.exitCode).toBe(1); // the branded branch
+    } finally {
+      rmSync(dir, { recursive: true, force: true });
+    }
+  });
 });
 
 describe("generatePlist", () => {

package/src/oauth.ts

@@ -44,7 +44,15 @@ export interface AuthorizePostOptions {
 // Helpers
 // ---------------------------------------------------------------------------
 
-function getBaseUrl(req: Request): string {
+/**
+ * Public-facing base URL of the server. Honors `x-forwarded-*` headers so a
+ * Cloudflare Tunnel / Tailscale Funnel / reverse-proxied deployment advertises
+ * the right external origin in discovery documents (RFC 8414, RFC 9728).
+ *
+ * Exported so the router can build `WWW-Authenticate` challenge headers that
+ * point at the same origin as the `/.well-known/*` metadata documents.
+ */
+export function getBaseUrl(req: Request): string {
   const forwardedHost = req.headers.get("x-forwarded-host");
   const forwardedProto = req.headers.get("x-forwarded-proto");
   if (forwardedHost) {

package/src/routing.test.ts

@@ -345,3 +345,134 @@ describe("single-vault auto-default", () => {
     expect(res.status).toBe(401); // reached per-vault auth
   });
 });
+
+// ---------------------------------------------------------------------------
+// RFC 9728 WWW-Authenticate challenge on MCP 401.
+//
+// Claude Code's MCP SDK (and any other strict RFC 9728 client) requires the
+// server to emit `WWW-Authenticate: Bearer resource_metadata="..."` on 401
+// so the client knows which protected-resource metadata document applies to
+// the endpoint it just hit. Without it, clients fall back to probing the
+// root `/.well-known/oauth-protected-resource`, get `resource: <base>/mcp`,
+// and reject any connection to `/vaults/<name>/mcp` as a resource mismatch.
+// ---------------------------------------------------------------------------
+
+describe("MCP 401 WWW-Authenticate challenge (RFC 9728)", () => {
+  test("unscoped /mcp 401 carries the root protected-resource pointer", async () => {
+    createVault("journal");
+    const req = new Request("http://localhost:1940/mcp");
+    const res = await route(req, "/mcp");
+    expect(res.status).toBe(401);
+    const header = res.headers.get("WWW-Authenticate");
+    expect(header).toBe(
+      'Bearer resource_metadata="http://localhost:1940/.well-known/oauth-protected-resource"',
+    );
+  });
+
+  test("scoped /vaults/{name}/mcp 401 carries the vault-scoped pointer", async () => {
+    createVault("journal");
+    const req = new Request("http://localhost:1940/vaults/journal/mcp");
+    const res = await route(req, "/vaults/journal/mcp");
+    expect(res.status).toBe(401);
+    const header = res.headers.get("WWW-Authenticate");
+    expect(header).toBe(
+      'Bearer resource_metadata="http://localhost:1940/vaults/journal/.well-known/oauth-protected-resource"',
+    );
+  });
+
+  test("challenge points at the same PRM document the server actually serves", async () => {
+    // Belt-and-braces: whatever we advertise in the header MUST line up with
+    // what `/.well-known/oauth-protected-resource` actually returns. If these
+    // drift, a conforming client will chase the pointer, fetch the PRM, then
+    // reject on resource mismatch anyway. Test both directions.
+    createVault("journal");
+
+    // Scoped: header points at /vaults/journal/.well-known/...
+    const scopedReq = new Request("http://localhost:1940/vaults/journal/mcp");
+    const scopedRes = await route(scopedReq, "/vaults/journal/mcp");
+    const scopedHeader = scopedRes.headers.get("WWW-Authenticate")!;
+    const scopedPrmUrl = scopedHeader.match(/resource_metadata="([^"]+)"/)![1];
+    // Fetch that PRM. Bypass the full URL by extracting the path.
+    const prmPath = new URL(scopedPrmUrl).pathname;
+    const prmRes = await route(new Request(`http://localhost:1940${prmPath}`), prmPath);
+    expect(prmRes.status).toBe(200);
+    const prm = (await prmRes.json()) as { resource: string };
+    expect(prm.resource).toBe("http://localhost:1940/vaults/journal/mcp");
+
+    // Unscoped: header points at root /.well-known/...
+    const unscopedReq = new Request("http://localhost:1940/mcp");
+    const unscopedRes = await route(unscopedReq, "/mcp");
+    const unscopedHeader = unscopedRes.headers.get("WWW-Authenticate")!;
+    const unscopedPrmUrl = unscopedHeader.match(/resource_metadata="([^"]+)"/)![1];
+    const unscopedPrmPath = new URL(unscopedPrmUrl).pathname;
+    const unscopedPrmRes = await route(
+      new Request(`http://localhost:1940${unscopedPrmPath}`),
+      unscopedPrmPath,
+    );
+    expect(unscopedPrmRes.status).toBe(200);
+    const unscopedPrm = (await unscopedPrmRes.json()) as { resource: string };
+    expect(unscopedPrm.resource).toBe("http://localhost:1940/mcp");
+  });
+
+  test("MCP 401 with invalid token still carries the challenge", async () => {
+    // The no-token case is one 401 code path (extractApiKey returns null);
+    // the invalid-token case is another (extractApiKey returns a string but
+    // resolveToken / validateKey all fail). Both must emit the header.
+    createVault("journal");
+    const req = new Request("http://localhost:1940/vaults/journal/mcp", {
+      headers: { Authorization: "Bearer pvt_not-a-real-token" },
+    });
+    const res = await route(req, "/vaults/journal/mcp");
+    expect(res.status).toBe(401);
+    expect(res.headers.get("WWW-Authenticate")).toBe(
+      'Bearer resource_metadata="http://localhost:1940/vaults/journal/.well-known/oauth-protected-resource"',
+    );
+  });
+
+  test("non-MCP 401s do NOT carry the challenge (spec is MCP-only)", async () => {
+    // The RFC 9728 challenge header is specific to the MCP resource; plain
+    // REST endpoints are not OAuth resources in the same sense. A spurious
+    // challenge here could confuse non-MCP clients and makes the /api
+    // surface look OAuth-gated when it is not.
+    createVault("journal");
+
+    // /api/notes (unscoped) — 401, no challenge.
+    const unscopedApi = await route(new Request("http://localhost:1940/api/notes"), "/api/notes");
+    expect(unscopedApi.status).toBe(401);
+    expect(unscopedApi.headers.get("WWW-Authenticate")).toBeNull();
+
+    // /vaults/journal/api/notes (scoped) — 401, no challenge. This is the
+    // code path that shares the auth check with the scoped MCP branch, so
+    // if we leak the header here the isScopedMcp gate has regressed.
+    const scopedApi = await route(
+      new Request("http://localhost:1940/vaults/journal/api/notes"),
+      "/vaults/journal/api/notes",
+    );
+    expect(scopedApi.status).toBe(401);
+    expect(scopedApi.headers.get("WWW-Authenticate")).toBeNull();
+
+    // /vaults (authenticated listing) — 401, no challenge.
+    const vaultsList = await route(new Request("http://localhost:1940/vaults"), "/vaults");
+    expect(vaultsList.status).toBe(401);
+    expect(vaultsList.headers.get("WWW-Authenticate")).toBeNull();
+  });
+
+  test("x-forwarded-host and x-forwarded-proto shape the challenge URL", async () => {
+    // Remote deployments behind Cloudflare Tunnel / Tailscale Funnel / any
+    // reverse proxy need the challenge URL to match the external origin,
+    // not the 127.0.0.1:1940 the server actually binds. Parallels how the
+    // /.well-known/* endpoints already honor these headers.
+    createVault("journal");
+    const req = new Request("http://127.0.0.1:1940/vaults/journal/mcp", {
+      headers: {
+        "x-forwarded-host": "vault.example.com",
+        "x-forwarded-proto": "https",
+      },
+    });
+    const res = await route(req, "/vaults/journal/mcp");
+    expect(res.status).toBe(401);
+    expect(res.headers.get("WWW-Authenticate")).toBe(
+      'Bearer resource_metadata="https://vault.example.com/vaults/journal/.well-known/oauth-protected-resource"',
+    );
+  });
+});

package/src/routing.ts

@@ -49,8 +49,49 @@ import {
   handleAuthorizeGet,
   handleAuthorizePost,
   handleToken,
+  getBaseUrl,
 } from "./oauth.ts";
 
+/**
+ * Decorate a 401 response from the MCP endpoint with the RFC 9728 challenge
+ * header pointing at the matching protected-resource metadata document.
+ *
+ * An MCP-capable OAuth client that receives a plain 401 has no structured way
+ * to discover which authorization server to use, and SDKs that follow RFC 9728
+ * (including Claude Code's) default to probing the *root* `/.well-known/oauth-
+ * protected-resource`. That document advertises `resource: <base>/mcp` — which
+ * then fails the SDK's strict resource-URL match when the client is actually
+ * connecting to `/vaults/{name}/mcp`. The `WWW-Authenticate` header tells the
+ * client exactly which metadata document applies to the endpoint it just hit,
+ * closing the mismatch.
+ *
+ * Scoped calls pass `vaultName`; unscoped omits it. Other 401-emitting
+ * endpoints (`/api/*`, `/vaults`, `/health` when authenticated) are not MCP
+ * resources and intentionally do not carry this header.
+ */
+function mcpWwwAuthenticate(req: Request, vaultName?: string): string {
+  const base = getBaseUrl(req);
+  const prefix = vaultName ? `/vaults/${vaultName}` : "";
+  return `Bearer resource_metadata="${base}${prefix}/.well-known/oauth-protected-resource"`;
+}
+
+/**
+ * Clone a 401 Response and attach the `WWW-Authenticate` challenge header.
+ * The auth module returns a fully-baked `Response`, and headers on a consumed
+ * `Response` can't be mutated in place; cloning is the cheap path.
+ */
+async function withMcpChallenge(
+  res: Response,
+  req: Request,
+  vaultName?: string,
+): Promise<Response> {
+  if (res.status !== 401) return res;
+  const body = await res.text();
+  const headers = new Headers(res.headers);
+  headers.set("WWW-Authenticate", mcpWwwAuthenticate(req, vaultName));
+  return new Response(body, { status: 401, headers });
+}
+
 /**
  * Check if a /view request has a valid API key (header or ?key= query param).
  * Returns true if authenticated, false if not. Never rejects — unauthenticated
@@ -134,7 +175,7 @@ export async function route(
   // Unified MCP (all vaults, global auth)
   if (path === "/mcp" || path.startsWith("/mcp/")) {
     const auth = authenticateGlobalRequest(req);
-    if ("error" in auth) return auth.error;
+    if ("error" in auth) return withMcpChallenge(auth.error, req);
     return handleUnifiedMcp(req, auth);
   }
 
@@ -308,13 +349,20 @@ export async function route(
     return handleAuthorizationServer(req, vaultName);
   }
 
-  // Auth: per-vault key OR global key
+  // Auth: per-vault key OR global key.
+  // The auth check is shared between the scoped MCP branch and the scoped
+  // /api/* branches, so we can't unconditionally attach the MCP-only
+  // WWW-Authenticate challenge here — we pass the challenge back only when
+  // the failing request was actually targeting /vaults/{name}/mcp.
   const store = getVaultStore(vaultName);
   const auth = authenticateVaultRequest(req, vaultConfig, store.db);
-  if ("error" in auth) return auth.error;
+  const isScopedMcp = subpath === "/mcp" || subpath.startsWith("/mcp/");
+  if ("error" in auth) {
+    return isScopedMcp ? withMcpChallenge(auth.error, req, vaultName) : auth.error;
+  }
 
   // Per-vault scoped MCP
-  if (subpath === "/mcp" || subpath.startsWith("/mcp/")) {
+  if (isScopedMcp) {
     return handleScopedMcp(req, vaultName, auth);
   }
 

package/src/version.test.ts

@@ -0,0 +1,65 @@
+/**
+ * Integration tests for `parachute --version` and its aliases.
+ *
+ * Spawns the real CLI as a subprocess so the argv-dispatch path is exercised
+ * end-to-end. Every accepted spelling must produce the exact version string
+ * from package.json on stdout, with exit code 0, and nothing else.
+ */
+
+import { describe, test, expect } from "bun:test";
+import { resolve } from "path";
+import pkg from "../package.json" with { type: "json" };
+
+const CLI = resolve(import.meta.dir, "cli.ts");
+
+function runCli(args: string[]): {
+  exitCode: number;
+  stdout: string;
+  stderr: string;
+} {
+  const proc = Bun.spawnSync({
+    cmd: ["bun", CLI, ...args],
+    stdout: "pipe",
+    stderr: "pipe",
+  });
+  return {
+    exitCode: proc.exitCode ?? -1,
+    stdout: new TextDecoder().decode(proc.stdout),
+    stderr: new TextDecoder().decode(proc.stderr),
+  };
+}
+
+describe("parachute version", () => {
+  // Every spelling must print the package's version and nothing else.
+  // `parachute vault --version` works via the argv parser's existing
+  // `args[0] === "vault"` branch, which shifts "vault" off and treats
+  // `--version` as the command — so the same switch case handles both
+  // root and vault-prefixed invocations.
+  for (const form of [
+    ["--version"],
+    ["-v"],
+    ["version"],
+    ["vault", "--version"],
+    ["vault", "-v"],
+    ["vault", "version"],
+  ]) {
+    test(`parachute ${form.join(" ")} prints the package version`, () => {
+      const { exitCode, stdout, stderr } = runCli(form);
+      expect(exitCode).toBe(0);
+      // Exact match — no banner, no trailing whitespace other than the single
+      // trailing newline from console.log. Scripts will pipe this through
+      // things like `$(parachute --version)`.
+      expect(stdout).toBe(`${pkg.version}\n`);
+      // Stderr must be empty. If the dispatcher drops into the default branch
+      // it would print "Unknown command:" plus the full usage() block to
+      // stderr, which is exactly the regression this test catches.
+      expect(stderr).toBe("");
+    });
+  }
+
+  test("version string looks like semver (sanity check)", () => {
+    // Defense-in-depth: if someone ever replaces the JSON import with a
+    // hardcoded string, a malformed value still won't slip through.
+    expect(pkg.version).toMatch(/^\d+\.\d+\.\d+(-[A-Za-z0-9.-]+)?$/);
+  });
+});