@openparachute/vault 0.3.3 → 0.4.3

package/src/config.test.ts

@@ -180,6 +180,50 @@ describe("config", () => {
     writeGlobalConfig({ port: 1940, discovery: "disabled" });
     expect(readGlobalConfig().discovery).toBe("disabled");
   });
+
+  test("global api_keys round-trip scope: read|write and default missing scope to write", () => {
+    // Regression for the silent privilege-escalation bug: the global YAML
+    // parser used to drop the `scope` field, leaving `globalKey.scope`
+    // undefined. Auth then resolved any non-"read" value to "full", so a
+    // user-authored `scope: read` global key would silently get full access.
+    writeGlobalConfig({
+      port: 1940,
+      api_keys: [
+        { id: "k_r", label: "reader", scope: "read", key_hash: "sha256:r", created_at: "2026-01-01T00:00:00.000Z" },
+        { id: "k_w", label: "writer", scope: "write", key_hash: "sha256:w", created_at: "2026-01-01T00:00:00.000Z" },
+      ],
+    });
+    const loaded = readGlobalConfig();
+    expect(loaded.api_keys?.find((k) => k.id === "k_r")?.scope).toBe("read");
+    expect(loaded.api_keys?.find((k) => k.id === "k_w")?.scope).toBe("write");
+
+    // Missing-scope branch: a hand-edited config.yaml entry without a
+    // `scope:` line must default to "write" (matches vault-level parser
+    // and the historical behavior the writer round-trips).
+    const fs = require("fs");
+    const path = `${process.env.PARACHUTE_HOME}/vault/config.yaml`;
+    fs.writeFileSync(
+      path,
+      `port: 1940\napi_keys:\n  - id: k_legacy\n    label: legacy\n    key_hash: sha256:legacy\n    created_at: "2026-01-01T00:00:00.000Z"\n`,
+    );
+    const reloaded = readGlobalConfig();
+    expect(reloaded.api_keys?.find((k) => k.id === "k_legacy")?.scope).toBe("write");
+  });
+
+  test("round-trips autostart: true|false (#113)", () => {
+    // Default: absent means autostart-on (init registers the daemon).
+    writeGlobalConfig({ port: 1940 });
+    expect(readGlobalConfig().autostart).toBeUndefined();
+
+    // Explicit true (e.g., user re-enabled after disabling).
+    writeGlobalConfig({ port: 1940, autostart: true });
+    expect(readGlobalConfig().autostart).toBe(true);
+
+    // Explicit false — the opt-out signal init writes when --no-autostart is
+    // passed. Daemon registration is then skipped on this and future inits.
+    writeGlobalConfig({ port: 1940, autostart: false });
+    expect(readGlobalConfig().autostart).toBe(false);
+  });
 });
 
 // ---------------------------------------------------------------------------

package/src/config.ts

@@ -86,6 +86,14 @@ export const ERR_PATH = join(LOGS_DIR, "vault.err");
 export const DEFAULT_PORT = 1940;
 export const ASSETS_DIR = join(VAULT_HOME, "assets");
 
+// Filesystem sentinel for graceful shutdown. `parachute-vault stop` writes
+// this file; the running server polls for it and exits cleanly when it
+// appears. Resolved per-call so PARACHUTE_HOME overrides (tests, Docker)
+// match between writer and reader.
+export function stopSignalPath(): string {
+  return join(vaultHomePath(), "stop.signal");
+}
+
 export function vaultDir(name: string): string {
   return join(dataDirPath(), name);
 }
@@ -243,6 +251,16 @@ export interface GlobalConfig {
    *   callers.
    */
   discovery?: "enabled" | "disabled";
+  /**
+   * Whether `parachute-vault init` registers the daemon with launchd / systemd
+   * (which then auto-starts on boot AND auto-restarts on crash). Defaults to
+   * `true` (preserve historical behavior). When `false`, init skips daemon
+   * registration AND removes any prior registration — for CI, dev sandboxes,
+   * Docker/K8s setups, or environments where another supervisor manages the
+   * process. The user is expected to run `parachute-vault serve` manually or
+   * point their own supervisor at it.
+   */
+  autostart?: boolean;
   /** Backup configuration: schedule, retention, destinations. */
   backup?: BackupConfig;
 }
@@ -403,13 +421,13 @@ function parseVaultConfig(yaml: string, name: string): VaultConfig {
   };
 
   const nameMatch = yaml.match(/^name:\s*(.+)/m);
-  if (nameMatch) config.name = nameMatch[1].trim();
+  if (nameMatch) config.name = nameMatch[1]!.trim();
 
   const createdMatch = yaml.match(/^created_at:\s*"?([^"\n]+)"?/m);
-  if (createdMatch) config.created_at = createdMatch[1];
+  if (createdMatch) config.created_at = createdMatch[1]!;
 
   const pubTagMatch = yaml.match(/^published_tag:\s*(\S+)/m);
-  if (pubTagMatch) config.published_tag = pubTagMatch[1];
+  if (pubTagMatch) config.published_tag = pubTagMatch[1]!;
 
   const retentionMatch = yaml.match(/^audio_retention:\s*(\S+)/m);
   if (retentionMatch) {
@@ -420,14 +438,14 @@ function parseVaultConfig(yaml: string, name: string): VaultConfig {
   // Parse description (block scalar)
   const descMatch = yaml.match(/^description:\s*\|\s*\n((?:\s{2}.+\n?)+)/m);
   if (descMatch) {
-    config.description = descMatch[1]
+    config.description = descMatch[1]!
       .split("\n")
       .map((l) => l.replace(/^\s{2}/, ""))
       .join("\n")
       .trim();
   } else {
     const descSimple = yaml.match(/^description:\s*(.+)/m);
-    if (descSimple) config.description = descSimple[1].trim().replace(/^"(.*)"$/, "$1");
+    if (descSimple) config.description = descSimple[1]!.trim().replace(/^"(.*)"$/, "$1");
   }
 
   // Parse api_keys
@@ -442,10 +460,10 @@ function parseVaultConfig(yaml: string, name: string): VaultConfig {
 
     if (idMatch && hashMatch) {
       config.api_keys.push({
-        id: idMatch[1],
+        id: idMatch[1]!,
         label: (labelMatch?.[1] ?? "default").trim(),
         scope: (scopeMatch?.[1] as KeyScope) ?? "write",
-        key_hash: hashMatch[1],
+        key_hash: hashMatch[1]!,
         created_at: createdAtMatch?.[1] ?? new Date().toISOString(),
         last_used_at: lastUsedMatch?.[1],
       });
@@ -499,12 +517,12 @@ function parseTranscriptionContext(yaml: string): TriggerIncludeContext[] | unde
     if (itemStart) {
       pushCurrent();
       current = { tag: "" };
-      applyContextField(current, itemStart[1], itemStart[2]);
+      applyContextField(current, itemStart[1]!, itemStart[2]!);
       continue;
     }
     const fieldMatch = trimmed.match(/^(\w+):\s*(.*)$/);
     if (fieldMatch && current) {
-      applyContextField(current, fieldMatch[1], fieldMatch[2]);
+      applyContextField(current, fieldMatch[1]!, fieldMatch[2]!);
       continue;
     }
   }
@@ -533,50 +551,52 @@ function parseTagSchemas(yaml: string): Record<string, TagSchema> | undefined {
     if (line.match(/^\S/) && line.trim().length > 0) break;
     if (line.trim().length === 0) continue;
 
-    const indent = line.match(/^(\s*)/)?.[1].length ?? 0;
+    const indent = line.match(/^(\s*)/)?.[1]?.length ?? 0;
 
     if (indent === 2) {
       // Tag name (e.g., "  person:")
       const tagMatch = line.match(/^\s{2}(\S+):\s*$/);
       if (tagMatch) {
-        currentTag = tagMatch[1];
+        currentTag = tagMatch[1]!;
         currentField = null;
         schemas[currentTag] = {};
       }
     } else if (indent === 4 && currentTag) {
       // Tag-level property (description, fields:)
+      const schema = schemas[currentTag]!;
       const descMatch = line.match(/^\s{4}description:\s*"?([^"]*)"?\s*$/);
       if (descMatch) {
-        schemas[currentTag].description = descMatch[1];
+        schema.description = descMatch[1]!;
         continue;
       }
       const fieldsMatch = line.match(/^\s{4}fields:\s*$/);
       if (fieldsMatch) {
-        schemas[currentTag].fields = schemas[currentTag].fields ?? {};
+        schema.fields = schema.fields ?? {};
         currentField = null;
       }
-    } else if (indent === 6 && currentTag && schemas[currentTag].fields !== undefined) {
+    } else if (indent === 6 && currentTag && schemas[currentTag]?.fields !== undefined) {
       // Field name (e.g., "      first_appeared:")
       const fieldMatch = line.match(/^\s{6}(\S+):\s*$/);
       if (fieldMatch) {
-        currentField = fieldMatch[1];
-        schemas[currentTag].fields![currentField] = { type: "string" };
+        currentField = fieldMatch[1]!;
+        schemas[currentTag]!.fields![currentField] = { type: "string" };
       }
-    } else if (indent === 8 && currentTag && currentField && schemas[currentTag].fields) {
+    } else if (indent === 8 && currentTag && currentField && schemas[currentTag]?.fields) {
       // Field property (type, description, enum)
+      const field = schemas[currentTag]!.fields![currentField]!;
       const typeMatch = line.match(/^\s{8}type:\s*(\S+)/);
       if (typeMatch) {
-        schemas[currentTag].fields![currentField].type = typeMatch[1];
+        field.type = typeMatch[1]!;
         continue;
       }
       const fdescMatch = line.match(/^\s{8}description:\s*"?([^"]*)"?\s*$/);
       if (fdescMatch) {
-        schemas[currentTag].fields![currentField].description = fdescMatch[1];
+        field.description = fdescMatch[1]!;
         continue;
       }
       const enumMatch = line.match(/^\s{8}enum:\s*\[([^\]]*)\]/);
       if (enumMatch) {
-        schemas[currentTag].fields![currentField].enum = enumMatch[1]
+        field.enum = enumMatch[1]!
           .split(",")
           .map((s) => s.trim().replace(/^"(.*)"$/, "$1"));
       }
@@ -610,7 +630,7 @@ function applyContextField(
   if (key === "exclude_tag") { item.exclude_tag = value.replace(/^"(.*)"$/, "$1"); return; }
   if (key === "include_metadata") {
     const listMatch = value.match(/^\[([^\]]*)\]/);
-    if (listMatch) item.include_metadata = parseYamlList(listMatch[1]);
+    if (listMatch) item.include_metadata = parseYamlList(listMatch[1]!);
     return;
   }
 }
@@ -655,7 +675,7 @@ function parseTriggers(yaml: string): TriggerConfig[] | undefined {
           console.warn(`[config] trigger "${current.name}" has no webhook URL — skipping`);
         }
       }
-      current = { name: nameMatch[1].trim(), when: {}, action: undefined as unknown as TriggerAction };
+      current = { name: nameMatch[1]!.trim(), when: {}, action: undefined as unknown as TriggerAction };
       section = "top";
       continue;
     }
@@ -677,37 +697,37 @@ function parseTriggers(yaml: string): TriggerConfig[] | undefined {
     // Top-level trigger field
     const eventsMatch = trimmed.match(/^events:\s*\[([^\]]*)\]/);
     if (eventsMatch) {
-      current.events = parseYamlList(eventsMatch[1]) as Array<"created" | "updated">;
+      current.events = parseYamlList(eventsMatch[1]!) as Array<"created" | "updated">;
       continue;
     }
 
     // When fields
     if (section === "when") {
       const tagsMatch = trimmed.match(/^tags:\s*\[([^\]]*)\]/);
-      if (tagsMatch) { current.when!.tags = parseYamlList(tagsMatch[1]); continue; }
+      if (tagsMatch) { current.when!.tags = parseYamlList(tagsMatch[1]!); continue; }
       const hasContentMatch = trimmed.match(/^has_content:\s*(true|false)/);
       if (hasContentMatch) { current.when!.has_content = hasContentMatch[1] === "true"; continue; }
       const missingMetaMatch = trimmed.match(/^missing_metadata:\s*\[([^\]]*)\]/);
-      if (missingMetaMatch) { current.when!.missing_metadata = parseYamlList(missingMetaMatch[1]); continue; }
+      if (missingMetaMatch) { current.when!.missing_metadata = parseYamlList(missingMetaMatch[1]!); continue; }
       const hasMetaMatch = trimmed.match(/^has_metadata:\s*\[([^\]]*)\]/);
-      if (hasMetaMatch) { current.when!.has_metadata = parseYamlList(hasMetaMatch[1]); continue; }
+      if (hasMetaMatch) { current.when!.has_metadata = parseYamlList(hasMetaMatch[1]!); continue; }
     }
 
     // Action fields
     if (section === "action") {
       const webhookMatch = trimmed.match(/^webhook:\s*(.+)/);
       if (webhookMatch) {
-        current.action = { ...(current.action ?? {}), webhook: webhookMatch[1].trim() } as TriggerAction;
+        current.action = { ...(current.action ?? {}), webhook: webhookMatch[1]!.trim() } as TriggerAction;
         continue;
       }
       const timeoutMatch = trimmed.match(/^timeout:\s*(\d+)/);
       if (timeoutMatch && current.action) {
-        current.action.timeout = parseInt(timeoutMatch[1], 10);
+        current.action.timeout = parseInt(timeoutMatch[1]!, 10);
         continue;
       }
       const sendMatch = trimmed.match(/^send:\s*(\S+)/);
       if (sendMatch && current.action) {
-        current.action.send = sendMatch[1] as TriggerAction["send"];
+        current.action.send = sendMatch[1]! as TriggerAction["send"];
         continue;
       }
     }
@@ -719,12 +739,12 @@ function parseTriggers(yaml: string): TriggerConfig[] | undefined {
       if (itemStart) {
         pushContextItem();
         currentContext = { tag: "" };
-        applyContextField(currentContext, itemStart[1], itemStart[2]);
+        applyContextField(currentContext, itemStart[1]!, itemStart[2]!);
         continue;
       }
       const fieldMatch = trimmed.match(/^(\w+):\s*(.*)$/);
       if (fieldMatch && currentContext) {
-        applyContextField(currentContext, fieldMatch[1], fieldMatch[2]);
+        applyContextField(currentContext, fieldMatch[1]!, fieldMatch[2]!);
         continue;
       }
     }
@@ -843,7 +863,7 @@ function parseBackup(yaml: string): BackupConfig | undefined {
       const tierMatch = trimmed.match(/^(daily|weekly|monthly|yearly):\s*(\S+)/);
       if (tierMatch) {
         const tier = tierMatch[1] as keyof RetentionPolicy;
-        const raw = tierMatch[2].trim();
+        const raw = tierMatch[2]!.trim();
         // "null" / "~" / "unbounded" all mean "keep every year" for the
         // yearly tier. For the other tiers they'd be meaningless; we
         // silently treat them as disabled (0) rather than erroring.
@@ -867,13 +887,13 @@ function parseBackup(yaml: string): BackupConfig | undefined {
         pushDest();
         hasDest = true;
         currentDest = {};
-        (currentDest as Record<string, string>)[itemMatch[1]] = itemMatch[2].trim();
+        (currentDest as Record<string, string>)[itemMatch[1]!] = itemMatch[2]!.trim();
         continue;
       }
       // Continuation line inside the current list item.
       const fieldMatch = trimmed.match(/^(\w+):\s*(.*)$/);
       if (fieldMatch && hasDest) {
-        (currentDest as Record<string, string>)[fieldMatch[1]] = fieldMatch[2].trim();
+        (currentDest as Record<string, string>)[fieldMatch[1]!] = fieldMatch[2]!.trim();
         continue;
       }
     }
@@ -1106,14 +1126,18 @@ export function readGlobalConfig(): GlobalConfig {
       const passwordHashMatch = yaml.match(/^owner_password_hash:\s*"([^"]+)"/m);
       const totpSecretMatch = yaml.match(/^totp_secret:\s*"([^"]+)"/m);
       const discoveryMatch = yaml.match(/^discovery:\s*(enabled|disabled)/m);
+      const autostartMatch = yaml.match(/^autostart:\s*(true|false)/m);
       const config: GlobalConfig = {
-        port: portMatch ? parseInt(portMatch[1], 10) : DEFAULT_PORT,
+        port: portMatch ? parseInt(portMatch[1]!, 10) : DEFAULT_PORT,
         default_vault: defaultVaultMatch?.[1],
         owner_password_hash: passwordHashMatch?.[1],
         totp_secret: totpSecretMatch?.[1],
       };
       if (discoveryMatch) {
-        config.discovery = discoveryMatch[1] as "enabled" | "disabled";
+        config.discovery = discoveryMatch[1]! as "enabled" | "disabled";
+      }
+      if (autostartMatch) {
+        config.autostart = autostartMatch[1]! === "true";
       }
 
       // Parse backup_codes: a YAML list of quoted bcrypt hashes under
@@ -1128,7 +1152,7 @@ export function readGlobalConfig(): GlobalConfig {
         for (const line of lines) {
           if (line.match(/^\S/) && line.trim().length > 0) break; // next top-level key
           const m = line.match(/^\s+-\s+"([^"]+)"/);
-          if (m) codes.push(m[1]);
+          if (m) codes.push(m[1]!);
         }
         if (codes.length > 0) config.backup_codes = codes;
       }
@@ -1140,14 +1164,16 @@ export function readGlobalConfig(): GlobalConfig {
         for (const block of keyBlocks) {
           const idMatch = block.match(/^(\S+)/);
           const labelMatch = block.match(/label:\s*(.+)/);
+          const scopeMatch = block.match(/scope:\s*(\S+)/);
           const hashMatch = block.match(/key_hash:\s*(\S+)/);
           const createdAtMatch = block.match(/created_at:\s*"?([^"\n]+)"?/);
           const lastUsedMatch = block.match(/last_used_at:\s*"?([^"\n]+)"?/);
           if (idMatch && hashMatch) {
             config.api_keys.push({
-              id: idMatch[1],
+              id: idMatch[1]!,
               label: (labelMatch?.[1] ?? "default").trim(),
-              key_hash: hashMatch[1],
+              scope: (scopeMatch?.[1] as KeyScope) ?? "write",
+              key_hash: hashMatch[1]!,
               created_at: createdAtMatch?.[1] ?? new Date().toISOString(),
               last_used_at: lastUsedMatch?.[1],
             });
@@ -1172,6 +1198,7 @@ export function writeGlobalConfig(config: GlobalConfig): void {
   const lines = [`port: ${config.port}`];
   if (config.default_vault) lines.push(`default_vault: ${config.default_vault}`);
   if (config.discovery) lines.push(`discovery: ${config.discovery}`);
+  if (config.autostart !== undefined) lines.push(`autostart: ${config.autostart}`);
   if (config.owner_password_hash) {
     lines.push(`owner_password_hash: "${config.owner_password_hash}"`);
   }
@@ -1190,6 +1217,7 @@ export function writeGlobalConfig(config: GlobalConfig): void {
     for (const key of config.api_keys) {
       lines.push(`  - id: ${key.id}`);
       lines.push(`    label: ${key.label}`);
+      lines.push(`    scope: ${key.scope ?? "write"}`);
       lines.push(`    key_hash: ${key.key_hash}`);
       lines.push(`    created_at: "${key.created_at}"`);
       if (key.last_used_at) {
@@ -1420,7 +1448,7 @@ export function resolveDefaultVault(): string | null {
     return globalConfig.default_vault;
   }
   if (vaults.length === 1) {
-    return vaults[0];
+    return vaults[0]!;
   }
   return null;
 }