@openparachute/vault 0.3.1 → 0.4.0

package/src/routing.test.ts

@@ -18,7 +18,7 @@
  */
 
 import { describe, test, expect, beforeEach, afterAll } from "bun:test";
-import { rmSync, existsSync, mkdirSync } from "fs";
+import { rmSync, existsSync, mkdirSync, writeFileSync } from "fs";
 import { join } from "path";
 import { tmpdir } from "os";
 
@@ -42,6 +42,7 @@ const {
 // even when the DB files are already gone.
 const { clearVaultStoreCache, getVaultStore } = await import("./vault-store.ts");
 const { generateToken, createToken } = await import("./token-store.ts");
+const { vaultDbPath } = await import("./config.ts");
 
 function createVault(name: string, description?: string): void {
   writeVaultConfig({
@@ -216,6 +217,224 @@ describe("GET /vaults/list (public discovery)", () => {
   });
 });
 
+// ---------------------------------------------------------------------------
+// /vault/<name>/admin/* — admin SPA static-file mount. Detailed tests live
+// in admin-spa.test.ts (with a tmp dist dir); these pin the dispatch — i.e.
+// the SPA layer fires *before* the per-vault dispatcher swallows the path.
+// Per-vault mount (vault#252): the SPA used to live at /admin/* but is now
+// scoped under each vault so it's reachable through hub's /vault/<name>/*
+// proxy.
+// ---------------------------------------------------------------------------
+
+describe("/vault/<name>/admin/* SPA mount", () => {
+  test("/vault/<name>/admin/ never returns the per-vault dispatcher's 404 JSON", async () => {
+    // dist may or may not be built in CI; the dispatch check just asserts
+    // that we don't fall through to the catch-all. Both 200 (dist present)
+    // and 503 (dist absent) are valid SPA-layer responses.
+    createVault("work");
+    const req = new Request("http://localhost:1940/vault/work/admin/");
+    const res = await route(req, "/vault/work/admin/");
+    expect(res.status === 200 || res.status === 503).toBe(true);
+    expect(res.headers.get("content-type") ?? "").not.toContain("application/json");
+  });
+
+  test("/vault/<name>/admin/tokens (client-routed path) reaches the SPA layer", async () => {
+    createVault("work");
+    const req = new Request("http://localhost:1940/vault/work/admin/tokens");
+    const res = await route(req, "/vault/work/admin/tokens");
+    expect(res.status === 200 || res.status === 503).toBe(true);
+    expect(res.headers.get("content-type") ?? "").not.toContain("application/json");
+  });
+
+  test("/vault/<name>/admin fires the SPA layer even when the vault doesn't exist", async () => {
+    // Admin-spa dispatch sits *before* the per-vault config check — the SPA
+    // shell is static and surfaces its own auth-required state, so 404'ing
+    // here would just hide the operator's typo behind the SPA layer's own
+    // empty-state. Belt-and-braces: the SPA layer never reads vault config.
+    const req = new Request("http://localhost:1940/vault/ghost/admin/");
+    const res = await route(req, "/vault/ghost/admin/");
+    expect(res.status === 200 || res.status === 503).toBe(true);
+    expect(res.headers.get("content-type") ?? "").not.toContain("application/json");
+  });
+
+  test("POST /vault/<name>/admin/ returns 405 (no admin SPA writes today)", async () => {
+    createVault("work");
+    const req = new Request("http://localhost:1940/vault/work/admin/", { method: "POST" });
+    const res = await route(req, "/vault/work/admin/");
+    expect(res.status).toBe(405);
+  });
+
+  test("/vault/<name>/admin-foo does NOT match the admin mount", async () => {
+    // Falls through to the per-vault dispatcher; the auth wall there 401s
+    // before any route lookup runs, which is exactly the signal that the
+    // SPA layer didn't swallow this path. (Same shape as /api/notes below.)
+    createVault("work");
+    const req = new Request("http://localhost:1940/vault/work/admin-foo");
+    const res = await route(req, "/vault/work/admin-foo");
+    expect(res.status).toBe(401);
+  });
+
+  test("origin-rooted /admin (legacy mount retired) returns 404", async () => {
+    // Pre-vault#252 the SPA was at /admin/*. Routing now lets that fall
+    // through to the catch-all — hub's directory page should link to
+    // /vault/<name>/admin instead.
+    const req = new Request("http://localhost:1940/admin/");
+    const res = await route(req, "/admin/");
+    expect(res.status).toBe(404);
+  });
+
+  test("/vault/<name>/api/notes still reaches the per-vault API (not the SPA)", async () => {
+    // Regression: the SPA mount must not shadow the existing API surface.
+    // No auth here — the per-vault dispatcher 401s, which is exactly the
+    // signal that the request reached the API layer rather than the SPA.
+    createVault("work");
+    const req = new Request("http://localhost:1940/vault/work/api/notes");
+    const res = await route(req, "/vault/work/api/notes");
+    expect(res.status).toBe(401);
+  });
+});
+
+// ---------------------------------------------------------------------------
+// /auth/status — public preflight discovery (issue #163). Tells first-contact
+// clients which bearer format to use and surfaces auth-state bits the hub's
+// post-exposure flow needs without locking us into any auth check.
+// ---------------------------------------------------------------------------
+
+describe("GET /auth/status (public auth preflight)", () => {
+  test("empty server: initialized=false, no vaults, no auth bits", async () => {
+    const res = await route(new Request("http://localhost:1940/auth/status"), "/auth/status");
+    expect(res.status).toBe(200);
+    const body = (await res.json()) as {
+      initialized: boolean;
+      auth_modes: string[];
+      vaults: { name: string; url: string }[];
+      hasOwnerPassword: boolean;
+      hasTotp: boolean;
+      hasTokens: boolean | null;
+    };
+    expect(body.initialized).toBe(false);
+    expect(body.vaults).toEqual([]);
+    expect(body.auth_modes).toEqual(["pvt_token", "hub_jwt"]);
+    expect(body.hasOwnerPassword).toBe(false);
+    expect(body.hasTotp).toBe(false);
+    // No vaults means hasTokens collapses to false (not null), since there's
+    // no DB to fail on.
+    expect(body.hasTokens).toBe(false);
+  });
+
+  test("vault with no tokens: initialized=true, hasTokens=false", async () => {
+    createVault("journal");
+    // getVaultStore opens (and creates) the SQLite file with the tokens
+    // table — without it, the probe falls into the "DB missing" branch and
+    // hasTokens stays false anyway, but we want the table to exist for the
+    // realistic case.
+    getVaultStore("journal");
+    const res = await route(new Request("http://localhost:1940/auth/status"), "/auth/status");
+    expect(res.status).toBe(200);
+    const body = (await res.json()) as {
+      initialized: boolean;
+      vaults: { name: string; url: string }[];
+      hasTokens: boolean | null;
+    };
+    expect(body.initialized).toBe(true);
+    expect(body.vaults).toEqual([{ name: "journal", url: "/vault/journal" }]);
+    expect(body.hasTokens).toBe(false);
+  });
+
+  test("vault with a token: hasTokens=true", async () => {
+    createVault("journal");
+    createAdminToken("journal");
+    const res = await route(new Request("http://localhost:1940/auth/status"), "/auth/status");
+    const body = (await res.json()) as { hasTokens: boolean | null };
+    expect(body.hasTokens).toBe(true);
+  });
+
+  test("multiple vaults are all listed; hasTokens=true if any has tokens", async () => {
+    createVault("journal");
+    createVault("work");
+    getVaultStore("journal");
+    createAdminToken("work");
+    const res = await route(new Request("http://localhost:1940/auth/status"), "/auth/status");
+    const body = (await res.json()) as {
+      vaults: { name: string; url: string }[];
+      hasTokens: boolean | null;
+    };
+    expect(new Set(body.vaults.map((v) => v.name))).toEqual(new Set(["journal", "work"]));
+    expect(body.hasTokens).toBe(true);
+  });
+
+  test("hasTokens degrades to null when one vault has tokens and another DB is unreadable (#192)", async () => {
+    // The probe loop's whole point: a single failed DB read poisons the
+    // overall answer to `null`, even if an earlier vault already proved
+    // tokens exist. Otherwise an operator who locked one DB would see a
+    // misleading `true` and think auth-state is fully observable.
+    createVault("alpha");
+    createAdminToken("alpha");
+    createVault("beta");
+    // Replace beta's DB file with a non-SQLite blob; the readonly Database
+    // open throws at probe time. clearVaultStoreCache so beta's pre-opened
+    // handle (if any) doesn't shadow the on-disk corruption.
+    clearVaultStoreCache();
+    writeFileSync(vaultDbPath("beta"), "not-a-sqlite-file");
+    const res = await route(new Request("http://localhost:1940/auth/status"), "/auth/status");
+    const body = (await res.json()) as { hasTokens: boolean | null };
+    expect(body.hasTokens).toBeNull();
+  });
+
+  test("owner password / TOTP set in global config surface as true", async () => {
+    createVault("journal");
+    writeGlobalConfig({
+      port: 1940,
+      owner_password_hash: "$2b$10$abcdefghijklmnopqrstuv",
+      totp_secret: "JBSWY3DPEHPK3PXP",
+    });
+    const res = await route(new Request("http://localhost:1940/auth/status"), "/auth/status");
+    const body = (await res.json()) as { hasOwnerPassword: boolean; hasTotp: boolean };
+    expect(body.hasOwnerPassword).toBe(true);
+    expect(body.hasTotp).toBe(true);
+  });
+
+  test("response never leaks secrets, hashes, descriptions, or token counts", async () => {
+    createVault("journal", "Private journal — must not appear in /auth/status");
+    createAdminToken("journal");
+    writeGlobalConfig({
+      port: 1940,
+      owner_password_hash: "$2b$10$verysecretpasswordhash",
+      totp_secret: "JBSWY3DPEHPK3PXP",
+      backup_codes: ["$2b$10$backup1", "$2b$10$backup2"],
+    });
+    const res = await route(new Request("http://localhost:1940/auth/status"), "/auth/status");
+    const dump = JSON.stringify(await res.json());
+    expect(dump).not.toContain("Private journal");
+    expect(dump).not.toContain("$2b$10$verysecretpasswordhash");
+    expect(dump).not.toContain("JBSWY3DPEHPK3PXP");
+    expect(dump).not.toContain("backup");
+    // Token-count guard: even with one token created above, no integer count
+    // appears in the dump. `hasTokens` is the only token-derived field.
+    expect(dump).not.toMatch(/"tokenCount"/);
+    expect(dump).not.toMatch(/"token_count"/);
+  });
+
+  test("ignores Authorization header (endpoint is public)", async () => {
+    const req = new Request("http://localhost:1940/auth/status", {
+      headers: { Authorization: "Bearer not-a-real-token" },
+    });
+    const res = await route(req, "/auth/status");
+    expect(res.status).toBe(200);
+  });
+
+  test("rejects non-GET methods (falls through to 404)", async () => {
+    const req = new Request("http://localhost:1940/auth/status", { method: "POST" });
+    const res = await route(req, "/auth/status");
+    expect(res.status).toBe(404);
+  });
+
+  test("response includes CORS allow-origin so first-contact browser clients can read it", async () => {
+    const res = await route(new Request("http://localhost:1940/auth/status"), "/auth/status");
+    expect(res.headers.get("Access-Control-Allow-Origin")).toBe("*");
+  });
+});
+
 // ---------------------------------------------------------------------------
 // Per-vault routing: /vault/<name>/... is the only URL shape for vault
 // resources. Unscoped routes (/mcp, /api/*, /oauth/*) no longer exist.
@@ -1146,6 +1365,252 @@ describe("scope enforcement on /api/*", () => {
     expect(res.status).toBe(401);
   });
 
+  // ----- tag-scoped tokens (patterns/tag-scoped-tokens.md) -----------------
+
+  /**
+   * Mint a tag-scoped token. Mirrors `mintToken` above but threads
+   * `scoped_tags` through to the token row so `resolveToken` returns the
+   * allowlist on the AuthResult and routing.ts feeds it into the per-request
+   * TagScopeCtx that handlers consult.
+   */
+  function mintTagScopedToken(
+    vaultName: string,
+    scopes: string[],
+    scopedTags: string[],
+  ): string {
+    const store = getVaultStore(vaultName);
+    const { fullToken } = generateToken();
+    createToken(store.db, fullToken, {
+      label: `test-tag-scoped`,
+      permission: scopes.includes("vault:write") || scopes.includes("vault:admin") ? "full" : "read",
+      scopes,
+      scoped_tags: scopedTags,
+    });
+    return fullToken;
+  }
+
+  test("tag-scoped read token: GET /api/notes/:id 404s on out-of-scope note (no existence leak)", async () => {
+    createVault("journal");
+    const store = getVaultStore("journal");
+    const inScope = await store.createNote("h", { tags: ["health"] });
+    const outOfScope = await store.createNote("w", { tags: ["work"] });
+    const token = mintTagScopedToken("journal", ["vault:read"], ["health"]);
+
+    const ok = `/vault/journal/api/notes/${inScope.id}`;
+    expect((await route(authed(token, "GET", ok), ok)).status).toBe(200);
+
+    const notFound = `/vault/journal/api/notes/${outOfScope.id}`;
+    expect((await route(authed(token, "GET", notFound), notFound)).status).toBe(404);
+  });
+
+  test("tag-scoped read token: GET /api/notes filters list to in-scope notes only", async () => {
+    createVault("journal");
+    const store = getVaultStore("journal");
+    await store.createNote("h", { tags: ["health"] });
+    await store.createNote("w", { tags: ["work"] });
+    const token = mintTagScopedToken("journal", ["vault:read"], ["health"]);
+
+    const path = "/vault/journal/api/notes";
+    const res = await route(authed(token, "GET", path), path);
+    expect(res.status).toBe(200);
+    const body = (await res.json()) as { notes?: { tags: string[] }[] } | { tags: string[] }[];
+    const list = Array.isArray(body) ? body : (body.notes ?? []);
+    expect(list.every((n) => n.tags.includes("health"))).toBe(true);
+    expect(list.length).toBeGreaterThanOrEqual(1);
+  });
+
+  test("tag-scoped read token: GET /api/tags filters to allowlisted tags", async () => {
+    createVault("journal");
+    const store = getVaultStore("journal");
+    await store.createNote("h", { tags: ["health"] });
+    await store.createNote("w", { tags: ["work"] });
+    const token = mintTagScopedToken("journal", ["vault:read"], ["health"]);
+
+    const path = "/vault/journal/api/tags";
+    const res = await route(authed(token, "GET", path), path);
+    expect(res.status).toBe(200);
+    const body = (await res.json()) as { name: string }[];
+    const names = body.map((t) => t.name);
+    expect(names).toContain("health");
+    expect(names).not.toContain("work");
+  });
+
+  test("tag-scoped write token: POST /api/notes with in-scope tag → 201", async () => {
+    createVault("journal");
+    const store = getVaultStore("journal");
+    await store.createNote("seed", { tags: ["health"] });
+    const token = mintTagScopedToken("journal", ["vault:read", "vault:write"], ["health"]);
+
+    const path = "/vault/journal/api/notes";
+    const res = await route(
+      new Request(`http://localhost:1940${path}`, {
+        method: "POST",
+        headers: { authorization: `Bearer ${token}`, "content-type": "application/json" },
+        body: JSON.stringify({ content: "ok", tags: ["health"] }),
+      }),
+      path,
+    );
+    expect(res.status).toBe(201);
+  });
+
+  test("tag-scoped write token: POST /api/notes outside allowlist → 403 tag_scope_violation", async () => {
+    createVault("journal");
+    const token = mintTagScopedToken("journal", ["vault:read", "vault:write"], ["health"]);
+
+    const path = "/vault/journal/api/notes";
+    const res = await route(
+      new Request(`http://localhost:1940${path}`, {
+        method: "POST",
+        headers: { authorization: `Bearer ${token}`, "content-type": "application/json" },
+        body: JSON.stringify({ content: "denied", tags: ["work"] }),
+      }),
+      path,
+    );
+    expect(res.status).toBe(403);
+    const body = (await res.json()) as { error_type?: string };
+    expect(body.error_type).toBe("tag_scope_violation");
+  });
+
+  test("tag-scoped write token: DELETE on out-of-scope note → 404 (no leak)", async () => {
+    createVault("journal");
+    const store = getVaultStore("journal");
+    const outOfScope = await store.createNote("w", { tags: ["work"] });
+    const token = mintTagScopedToken("journal", ["vault:read", "vault:write"], ["health"]);
+
+    const path = `/vault/journal/api/notes/${outOfScope.id}`;
+    const res = await route(authed(token, "DELETE", path), path);
+    expect(res.status).toBe(404);
+  });
+
+  // ----- Q6: orphan-sub-tag fail-open ------------------------------------
+  // patterns/tag-scoped-tokens.md §Storage: when a sub-tag has no declared
+  // schema, the string-form root authorizes. Token allowlisted for `health`
+  // must see `#health/food` even when no `_tags/health/food` schema exists.
+
+  test("tag-scoped read token: orphan sub-tag is in scope via string-form root", async () => {
+    createVault("journal");
+    const store = getVaultStore("journal");
+    // No `_tags/health/food` schema is created — this is the orphan case.
+    const orphan = await store.createNote("orphan", { tags: ["health/food"] });
+    const token = mintTagScopedToken("journal", ["vault:read"], ["health"]);
+
+    const path = `/vault/journal/api/notes/${orphan.id}`;
+    const res = await route(authed(token, "GET", path), path);
+    expect(res.status).toBe(200);
+  });
+
+  test("tag-scoped write token: orphan sub-tag write succeeds via string-form root", async () => {
+    createVault("journal");
+    const token = mintTagScopedToken("journal", ["vault:read", "vault:write"], ["health"]);
+
+    const path = "/vault/journal/api/notes";
+    const res = await route(
+      new Request(`http://localhost:1940${path}`, {
+        method: "POST",
+        headers: { authorization: `Bearer ${token}`, "content-type": "application/json" },
+        body: JSON.stringify({ content: "ok", tags: ["health/food"] }),
+      }),
+      path,
+    );
+    expect(res.status).toBe(201);
+  });
+
+  // ----- Q5: tag-delete dependency check ---------------------------------
+  // Deleting a tag referenced by any token's scoped_tags would silently
+  // orphan the token's allowlist; fail closed with 409 + referenced_by.
+
+  test("DELETE /api/tags/:name → 409 when a tag-scoped token references it", async () => {
+    createVault("journal");
+    const store = getVaultStore("journal");
+    await store.createNote("h", { tags: ["health"] });
+    // Mint a tag-scoped token that references `health`, then try to delete
+    // `health` with an admin token.
+    mintTagScopedToken("journal", ["vault:read"], ["health"]);
+    const admin = createAdminToken("journal");
+
+    const path = "/vault/journal/api/tags/health";
+    const res = await route(authed(admin, "DELETE", path), path);
+    expect(res.status).toBe(409);
+    const body = (await res.json()) as {
+      error_type?: string;
+      tag?: string;
+      referenced_by?: { id: string; label: string }[];
+    };
+    expect(body.error_type).toBe("tag_in_use_by_tokens");
+    expect(body.tag).toBe("health");
+    expect(body.referenced_by?.length).toBe(1);
+    expect(body.referenced_by?.[0]?.label).toBe("test-tag-scoped");
+  });
+
+  test("DELETE /api/tags/:name → 200 when no tag-scoped token references it", async () => {
+    createVault("journal");
+    const store = getVaultStore("journal");
+    await store.createNote("h", { tags: ["health"] });
+    const admin = createAdminToken("journal");
+
+    const path = "/vault/journal/api/tags/health";
+    const res = await route(authed(admin, "DELETE", path), path);
+    expect(res.status).toBe(200);
+  });
+
+  test("POST /api/tags/:name/rename → 409 when a tag-scoped token references the old name", async () => {
+    createVault("journal");
+    const store = getVaultStore("journal");
+    await store.createNote("h", { tags: ["health"] });
+    mintTagScopedToken("journal", ["vault:read"], ["health"]);
+    const admin = createAdminToken("journal");
+
+    const path = "/vault/journal/api/tags/health/rename";
+    const res = await route(
+      new Request(`http://localhost:1940${path}`, {
+        method: "POST",
+        headers: { authorization: `Bearer ${admin}`, "content-type": "application/json" },
+        body: JSON.stringify({ new_name: "wellness" }),
+      }),
+      path,
+    );
+    expect(res.status).toBe(409);
+    const body = (await res.json()) as {
+      error_type?: string;
+      tag?: string;
+      referenced_by?: { id: string; label: string }[];
+    };
+    expect(body.error_type).toBe("tag_in_use_by_tokens");
+    expect(body.tag).toBe("health");
+    expect(body.referenced_by?.length).toBe(1);
+
+    // Tag was not renamed.
+    expect((await store.listTags()).find((t) => t.name === "health")).toBeTruthy();
+    expect((await store.listTags()).find((t) => t.name === "wellness")).toBeFalsy();
+  });
+
+  test("POST /api/tags/merge → 409 when a tag-scoped token references a source", async () => {
+    createVault("journal");
+    const store = getVaultStore("journal");
+    await store.createNote("a", { tags: ["alpha"] });
+    await store.createNote("b", { tags: ["beta"] });
+    mintTagScopedToken("journal", ["vault:read"], ["alpha"]);
+    const admin = createAdminToken("journal");
+
+    const path = "/vault/journal/api/tags/merge";
+    const res = await route(
+      new Request(`http://localhost:1940${path}`, {
+        method: "POST",
+        headers: { authorization: `Bearer ${admin}`, "content-type": "application/json" },
+        body: JSON.stringify({ sources: ["alpha"], target: "beta" }),
+      }),
+      path,
+    );
+    expect(res.status).toBe(409);
+    const body = (await res.json()) as {
+      error_type?: string;
+      referenced_by?: { source: string; tokens: { id: string; label: string }[] }[];
+    };
+    expect(body.error_type).toBe("tag_in_use_by_tokens");
+    expect(body.referenced_by?.[0]?.source).toBe("alpha");
+    expect(body.referenced_by?.[0]?.tokens?.length).toBe(1);
+  });
+
   test("CLI --read equivalent token (permission='read', scopes=[vault:read]) is read-only at the HTTP boundary", async () => {
     // This pins the end-to-end contract: a token minted the way
     // `parachute-vault tokens create --read` mints them actually refuses