@openparachute/vault 0.3.3 → 0.4.3

package/src/hub-jwt.test.ts

@@ -0,0 +1,307 @@
+/**
+ * Hub-issued JWT validation — vault as resource server.
+ *
+ * Spins up a fake JWKS endpoint (Bun.serve) with a known RSA keypair, signs
+ * JWTs locally with `jose.SignJWT`, and asserts `validateHubJwt` accepts the
+ * good ones and rejects every failure mode the spec cares about: bad
+ * signature, wrong issuer, expired, missing kid, unknown kid, JWKS
+ * unreachable. Audience permissiveness is exercised — both `aud="operator"`
+ * and `aud="<client_id>"` shapes pass.
+ *
+ * Each test resets the JWKS cache so the origin/keys can change between
+ * cases. The cache is module-scoped; without `resetJwksCache()` we'd reuse
+ * the previous origin's getter and miss test rotations.
+ */
+import { describe, test, expect, beforeAll, afterAll, beforeEach } from "bun:test";
+import { generateKeyPair, exportJWK, SignJWT } from "jose";
+import { resetJwksCache, resetRevocationCache, validateHubJwt, looksLikeJwt } from "./hub-jwt.ts";
+
+interface Keypair {
+  privateKey: CryptoKey;
+  publicJwk: { kty: string; n: string; e: string; kid: string; alg: string; use: string };
+  kid: string;
+}
+
+async function makeKeypair(kid: string): Promise<Keypair> {
+  const { privateKey, publicKey } = await generateKeyPair("RS256", { extractable: true });
+  const jwk = await exportJWK(publicKey);
+  return {
+    privateKey,
+    publicJwk: {
+      kty: "RSA",
+      n: jwk.n!,
+      e: jwk.e!,
+      kid,
+      alg: "RS256",
+      use: "sig",
+    },
+    kid,
+  };
+}
+
+interface JwksFixture {
+  origin: string;
+  stop: () => void;
+  setKeys: (keys: Keypair[]) => void;
+  setUnreachable: (down: boolean) => void;
+}
+
+function startJwksFixture(): JwksFixture {
+  let keys: Keypair[] = [];
+  let down = false;
+  const server = Bun.serve({
+    port: 0,
+    fetch(req) {
+      const url = new URL(req.url);
+      if (down) return new Response("upstream down", { status: 503 });
+      if (url.pathname === "/.well-known/jwks.json") {
+        return Response.json({ keys: keys.map((k) => k.publicJwk) });
+      }
+      // scope-guard 0.2+ consults `/.well-known/parachute-revocation.json` on
+      // every JWT validation (when the token has a jti). Serve an empty list
+      // by default so unrelated tests in this file aren't fail-closed by a
+      // 404 on that endpoint. The integration tests (`auth-hub-jwt.test.ts`)
+      // own the revoked-jti / fail-closed cases separately.
+      if (url.pathname === "/.well-known/parachute-revocation.json") {
+        return Response.json({ generated_at: new Date().toISOString(), jtis: [] });
+      }
+      return new Response("not found", { status: 404 });
+    },
+  });
+  return {
+    origin: `http://127.0.0.1:${server.port}`,
+    stop: () => server.stop(true),
+    setKeys: (next) => { keys = next; },
+    setUnreachable: (v) => { down = v; },
+  };
+}
+
+interface SignOpts {
+  iss?: string;
+  aud?: string | string[];
+  sub?: string;
+  scope?: string;
+  jti?: string;
+  clientId?: string;
+  ttlSeconds?: number;
+  expiresAtSeconds?: number;
+  omitKid?: boolean;
+  kid?: string;
+}
+
+async function signJwt(kp: Keypair, opts: SignOpts): Promise<string> {
+  const iat = Math.floor(Date.now() / 1000);
+  const exp = opts.expiresAtSeconds ?? iat + (opts.ttlSeconds ?? 60);
+  const builder = new SignJWT({
+    scope: opts.scope ?? "vault:read vault:write",
+    client_id: opts.clientId ?? "test-client",
+  })
+    .setProtectedHeader(opts.omitKid ? { alg: "RS256" } : { alg: "RS256", kid: opts.kid ?? kp.kid })
+    .setIssuer(opts.iss ?? "http://issuer.invalid")
+    .setSubject(opts.sub ?? "user-1")
+    .setAudience(opts.aud ?? "operator")
+    .setIssuedAt(iat)
+    .setExpirationTime(exp)
+    .setJti(opts.jti ?? "jti-1");
+  return await builder.sign(kp.privateKey);
+}
+
+let fixture: JwksFixture;
+let kp: Keypair;
+let prevHubOrigin: string | undefined;
+
+beforeAll(async () => {
+  fixture = startJwksFixture();
+  kp = await makeKeypair("k1");
+  fixture.setKeys([kp]);
+});
+
+afterAll(() => {
+  fixture.stop();
+  if (prevHubOrigin === undefined) delete process.env.PARACHUTE_HUB_ORIGIN;
+  else process.env.PARACHUTE_HUB_ORIGIN = prevHubOrigin;
+});
+
+beforeEach(() => {
+  // Each test sets its own origin for clarity.
+  prevHubOrigin = process.env.PARACHUTE_HUB_ORIGIN;
+  process.env.PARACHUTE_HUB_ORIGIN = fixture.origin;
+  fixture.setUnreachable(false);
+  fixture.setKeys([kp]);
+  resetJwksCache();
+  // Drop the per-process revocation cache so each test starts cold against
+  // the fixture (an empty list by default; tests opt into populated lists).
+  resetRevocationCache();
+});
+
+describe("looksLikeJwt", () => {
+  test("`eyJ` prefix → true", () => {
+    expect(looksLikeJwt("eyJhbGciOiJSUzI1NiJ9.x.y")).toBe(true);
+  });
+
+  test("pvt_ token → false", () => {
+    expect(looksLikeJwt("pvt_abcdef0123456789")).toBe(false);
+  });
+
+  test("empty / random → false", () => {
+    expect(looksLikeJwt("")).toBe(false);
+    expect(looksLikeJwt("hello-world")).toBe(false);
+  });
+});
+
+describe("validateHubJwt — happy path", () => {
+  test("valid JWT with correct iss → claims surface", async () => {
+    const token = await signJwt(kp, { iss: fixture.origin, scope: "vault:work:read vault:work:write" });
+    const claims = await validateHubJwt(token);
+    expect(claims.sub).toBe("user-1");
+    expect(claims.scopes).toEqual(["vault:work:read", "vault:work:write"]);
+    expect(claims.aud).toBe("operator");
+    expect(claims.jti).toBe("jti-1");
+    expect(claims.clientId).toBe("test-client");
+  });
+
+  test("aud=operator accepted when expectedAudience not set", async () => {
+    const token = await signJwt(kp, { iss: fixture.origin, aud: "operator" });
+    const claims = await validateHubJwt(token);
+    expect(claims.aud).toBe("operator");
+  });
+
+  test("aud=<client_id> accepted when expectedAudience not set", async () => {
+    const token = await signJwt(kp, {
+      iss: fixture.origin,
+      aud: "did:plc:randomclientid",
+      clientId: "did:plc:randomclientid",
+    });
+    const claims = await validateHubJwt(token);
+    expect(claims.aud).toBe("did:plc:randomclientid");
+  });
+
+  test("empty scope claim → empty scopes array", async () => {
+    const token = await signJwt(kp, { iss: fixture.origin, scope: "" });
+    const claims = await validateHubJwt(token);
+    expect(claims.scopes).toEqual([]);
+  });
+
+  test("audience strict-check passes when expected matches", async () => {
+    const token = await signJwt(kp, { iss: fixture.origin, aud: "vault.work" });
+    const claims = await validateHubJwt(token, { expectedAudience: "vault.work" });
+    expect(claims.aud).toBe("vault.work");
+  });
+});
+
+describe("validateHubJwt — audience strict-check", () => {
+  test("mismatched audience throws with the expected vs got values", async () => {
+    const token = await signJwt(kp, { iss: fixture.origin, aud: "vault.personal" });
+    await expect(
+      validateHubJwt(token, { expectedAudience: "vault.work" }),
+    ).rejects.toThrow(/audience mismatch.*vault\.work.*vault\.personal/);
+  });
+
+  test("missing audience claim throws when expected is set", async () => {
+    // jose's SignJWT requires .setAudience() — provide an unrelated value to
+    // exercise "not the expected one" rather than a literal missing claim.
+    const token = await signJwt(kp, { iss: fixture.origin, aud: "operator" });
+    await expect(
+      validateHubJwt(token, { expectedAudience: "vault.work" }),
+    ).rejects.toThrow(/audience mismatch/);
+  });
+
+  test("expectedAudience: null skips the check (cross-vault path)", async () => {
+    const token = await signJwt(kp, { iss: fixture.origin, aud: "vault.anything" });
+    const claims = await validateHubJwt(token, { expectedAudience: null });
+    expect(claims.aud).toBe("vault.anything");
+  });
+
+  test("array aud: passes when expected is one of the entries", async () => {
+    const token = await signJwt(kp, {
+      iss: fixture.origin,
+      aud: ["vault.work", "vault.personal", "operator"],
+    });
+    const claims = await validateHubJwt(token, { expectedAudience: "vault.personal" });
+    expect(claims.aud).toBe("vault.personal");
+  });
+
+  test("array aud: rejects when expected is not in the entries", async () => {
+    const token = await signJwt(kp, {
+      iss: fixture.origin,
+      aud: ["vault.work", "operator"],
+    });
+    await expect(
+      validateHubJwt(token, { expectedAudience: "vault.personal" }),
+    ).rejects.toThrow(/audience mismatch.*vault\.personal.*vault\.work.*operator/);
+  });
+
+  test("array aud: surfaces the first entry when no expectation is set", async () => {
+    const token = await signJwt(kp, {
+      iss: fixture.origin,
+      aud: ["vault.first", "vault.second"],
+    });
+    const claims = await validateHubJwt(token, { expectedAudience: null });
+    expect(claims.aud).toBe("vault.first");
+  });
+});
+
+describe("validateHubJwt — failure modes", () => {
+  test("wrong issuer → throws", async () => {
+    const token = await signJwt(kp, { iss: "http://attacker.example" });
+    await expect(validateHubJwt(token)).rejects.toThrow(/verification failed/);
+  });
+
+  test("expired token → throws", async () => {
+    const past = Math.floor(Date.now() / 1000) - 10;
+    const token = await signJwt(kp, { iss: fixture.origin, expiresAtSeconds: past });
+    await expect(validateHubJwt(token)).rejects.toThrow(/verification failed/);
+  });
+
+  test("bad signature (token signed by an unpublished key) → throws", async () => {
+    const otherKp = await makeKeypair("k1"); // same kid, different key
+    const token = await signJwt(otherKp, { iss: fixture.origin });
+    await expect(validateHubJwt(token)).rejects.toThrow(/verification failed/);
+  });
+
+  test("unknown kid → throws", async () => {
+    const token = await signJwt(kp, { iss: fixture.origin, kid: "does-not-exist" });
+    await expect(validateHubJwt(token)).rejects.toThrow(/verification failed/);
+  });
+
+  test("missing kid header → throws when JWKS has multiple keys", async () => {
+    // jose's createRemoteJWKSet falls back to the only key when JWKS has just
+    // one — so to exercise the "no kid" failure path we need ≥2 keys.
+    const kp2 = await makeKeypair("k2");
+    fixture.setKeys([kp, kp2]);
+    resetJwksCache();
+    const token = await signJwt(kp, { iss: fixture.origin, omitKid: true });
+    await expect(validateHubJwt(token)).rejects.toThrow(/verification failed/);
+  });
+
+  test("JWKS endpoint unreachable → throws (fail closed)", async () => {
+    fixture.setUnreachable(true);
+    const token = await signJwt(kp, { iss: fixture.origin });
+    await expect(validateHubJwt(token)).rejects.toThrow(/verification failed/);
+  });
+
+  test("missing `sub` claim → throws", async () => {
+    // SignJWT requires .setSubject; build the token manually-ish: pass empty sub.
+    const iat = Math.floor(Date.now() / 1000);
+    const token = await new SignJWT({ scope: "vault:read" })
+      .setProtectedHeader({ alg: "RS256", kid: kp.kid })
+      .setIssuer(fixture.origin)
+      .setAudience("operator")
+      .setIssuedAt(iat)
+      .setExpirationTime(iat + 60)
+      .setJti("jti-no-sub")
+      .sign(kp.privateKey);
+    await expect(validateHubJwt(token)).rejects.toThrow(/missing required `sub`/);
+  });
+});
+
+describe("validateHubJwt — JWKS rotation", () => {
+  test("rotated key (new kid published) verifies after cache reset", async () => {
+    const kp2 = await makeKeypair("k2");
+    fixture.setKeys([kp, kp2]);
+    resetJwksCache();
+    const token = await signJwt(kp2, { iss: fixture.origin });
+    const claims = await validateHubJwt(token);
+    expect(claims.sub).toBe("user-1");
+  });
+});

package/src/hub-jwt.ts

@@ -0,0 +1,88 @@
+/**
+ * Hub-issued JWT validation. Vault as resource server: trusts tokens that the
+ * hub signs against keys we fetch from the hub's `/.well-known/jwks.json`.
+ *
+ * The trust kernel — JWKS fetch + verify, issuer pin, audience strict-check,
+ * RFC 7519 string-or-array `aud` handling — lives in the shared
+ * `@openparachute/scope-guard` library so vault, scribe, and paraclaw can't
+ * silently drift on the worst place to drift. This file is the vault-side
+ * adapter: hub-origin resolution (env-var precedence + loopback fallback),
+ * a process-wide guard instance, and re-exports preserving the public
+ * surface every existing call site already imports.
+ *
+ * Vault#169 / hub-as-issuer Phase B2; vault#TBD / scope-guard adoption.
+ */
+import {
+  createScopeGuard,
+  HubJwtError,
+  type HubJwtClaims,
+  looksLikeJwt,
+  type ValidateHubJwtOptions,
+} from "@openparachute/scope-guard";
+
+const DEFAULT_HUB_LOOPBACK = "http://127.0.0.1:1939";
+
+/**
+ * Resolve the hub origin used to fetch JWKS and validate `iss`. Strips a
+ * trailing slash so we get a single canonical form.
+ *
+ * Order: env var → loopback fallback. We deliberately don't read
+ * `~/.parachute/services.json` — the hub is the dispatcher, not a registered
+ * service in that file. If a deployment exposes the hub on a non-default
+ * origin, the env var is the contract.
+ */
+export function getHubOrigin(): string {
+  const env = process.env.PARACHUTE_HUB_ORIGIN?.replace(/\/$/, "");
+  if (env && env.length > 0) return env;
+  return DEFAULT_HUB_LOOPBACK;
+}
+
+// Process-wide guard. The resolver form lets tests flip
+// `PARACHUTE_HUB_ORIGIN` between cases — the lib re-resolves on every
+// `validateHubJwt` and `resetJwksCache` call so the env-var change picks up
+// without a server restart. JWKS cache (5min/30s defaults) lives inside the
+// guard, shared across requests.
+const guard = createScopeGuard({ hubOrigin: () => getHubOrigin() });
+
+/**
+ * Verify a presented JWT against the hub's JWKS. Throws `HubJwtError` on any
+ * failure (bad signature, wrong issuer, expired, missing kid, JWKS
+ * unreachable, audience mismatch). On success returns the surfaced claims
+ * plus the parsed scope list.
+ *
+ * Trust model:
+ *   - `iss` MUST equal the configured hub origin. Without this, anyone could
+ *     mint a token against any RSA key and pass verification.
+ *   - `aud` is strict-checked against `opts.expectedAudience` when provided
+ *     — the resource-server backstop for per-vault binding.
+ *
+ * Scope-shape policy (e.g. "hub-issued tokens may not carry broad
+ * `vault:<verb>` scopes") is enforced one layer up in `authenticateHubJwt`,
+ * not here — this function stays focused on JWT-level concerns.
+ */
+export async function validateHubJwt(
+  token: string,
+  opts: ValidateHubJwtOptions = {},
+): Promise<HubJwtClaims> {
+  return guard.validateHubJwt(token, opts);
+}
+
+/**
+ * Reset the cached JWKS getter. Tests use this to switch origins between
+ * cases; production callers shouldn't need it (origin is process-stable).
+ */
+export function resetJwksCache(): void {
+  guard.resetJwksCache();
+}
+
+/**
+ * Reset the cached revocation list. Tests use this to start from a clean
+ * fail-closed state between cases; production callers shouldn't need it
+ * (the cache refreshes itself on TTL expiry).
+ */
+export function resetRevocationCache(): void {
+  guard.resetRevocationCache();
+}
+
+export { HubJwtError, looksLikeJwt };
+export type { HubJwtClaims, ValidateHubJwtOptions };

package/src/init.test.ts

@@ -0,0 +1,216 @@
+/**
+ * Integration tests for `parachute-vault init` flag plumbing — the cases
+ * where init exits early without touching the daemon, ~/.claude.json, or
+ * the vault filesystem. The full happy-path of init isn't run here because
+ * it would install a launchd agent on macOS and write into the developer's
+ * real ~/Library/LaunchAgents — out of scope for unit tests. The vault-name
+ * decision logic is fully covered by `vault-name.test.ts`.
+ */
+
+import { describe, test, expect } from "bun:test";
+import { existsSync, mkdtempSync, readFileSync, rmSync, writeFileSync } from "fs";
+import { tmpdir } from "os";
+import { join, resolve } from "path";
+
+const CLI = resolve(import.meta.dir, "cli.ts");
+
+function runCli(args: string[], env: Record<string, string> = {}): {
+  exitCode: number;
+  stdout: string;
+  stderr: string;
+} {
+  const proc = Bun.spawnSync({
+    cmd: ["bun", CLI, ...args],
+    stdout: "pipe",
+    stderr: "pipe",
+    env: { ...process.env, ...env },
+  });
+  return {
+    exitCode: proc.exitCode ?? -1,
+    stdout: new TextDecoder().decode(proc.stdout),
+    stderr: new TextDecoder().decode(proc.stderr),
+  };
+}
+
+describe("vault init — --vault-name validation", () => {
+  test("rejects --vault-name with uppercase + space and exits non-zero", () => {
+    const { exitCode, stderr } = runCli(["init", "--vault-name", "My Vault"]);
+    expect(exitCode).not.toBe(0);
+    expect(stderr).toContain("--vault-name:");
+    expect(stderr).toContain("lowercase alphanumeric");
+  });
+
+  test("rejects --vault-name with a slash and exits non-zero", () => {
+    const { exitCode, stderr } = runCli(["init", "--vault-name", "team/work"]);
+    expect(exitCode).not.toBe(0);
+    expect(stderr).toContain("lowercase alphanumeric");
+  });
+
+  test("rejects --vault-name with no value and exits non-zero", () => {
+    // `--vault-name` is the last arg → no value follows.
+    const { exitCode, stderr } = runCli(["init", "--vault-name"]);
+    expect(exitCode).not.toBe(0);
+    expect(stderr).toContain("requires a value");
+  });
+
+  test("rejects reserved name 'list' and exits non-zero", () => {
+    const { exitCode, stderr } = runCli(["init", "--vault-name", "list"]);
+    expect(exitCode).not.toBe(0);
+    expect(stderr).toContain("reserved");
+  });
+});
+
+describe("vault init — --help mentions --vault-name", () => {
+  test("usage text documents the new flag", () => {
+    const { exitCode, stdout } = runCli(["--help"]);
+    expect(exitCode).toBe(0);
+    expect(stdout).toContain("--vault-name");
+  });
+
+  test("usage text documents --no-autostart (#113)", () => {
+    const { exitCode, stdout } = runCli(["--help"]);
+    expect(exitCode).toBe(0);
+    expect(stdout).toContain("--no-autostart");
+  });
+});
+
+/**
+ * End-to-end init under an isolated $HOME / $PARACHUTE_HOME so we never touch
+ * the developer's real ~/.parachute or ~/Library/LaunchAgents. With
+ * --no-autostart, init must:
+ *   1. Persist `autostart: false` in config.yaml.
+ *   2. NOT write the daemon wrapper (start.sh / server-path).
+ *
+ * --no-mcp / --no-token avoid the ~/.claude.json side effect; HOME=tmpdir
+ * makes the launchd-uninstall-prior-registration call land inside the
+ * sandbox even on macOS (where uninstallAgent operates on
+ * `homedir()/Library/LaunchAgents/...`).
+ */
+describe("vault init — --no-autostart (#113)", () => {
+  test("persists autostart=false and skips the daemon wrapper", () => {
+    const sandbox = mkdtempSync(join(tmpdir(), "vault-init-autostart-"));
+    try {
+      const parachuteHome = join(sandbox, ".parachute");
+      const { exitCode, stdout } = runCli(
+        [
+          "init",
+          "--no-autostart",
+          "--no-mcp",
+          "--no-token",
+          "--vault-name",
+          "autostarttest",
+        ],
+        { HOME: sandbox, PARACHUTE_HOME: parachuteHome },
+      );
+
+      expect(exitCode).toBe(0);
+      expect(stdout).toContain("Autostart disabled");
+
+      const configPath = join(parachuteHome, "vault", "config.yaml");
+      expect(existsSync(configPath)).toBe(true);
+      expect(readFileSync(configPath, "utf-8")).toContain("autostart: false");
+
+      // Daemon wrapper / pointer are written by installAgent /
+      // installSystemdService — neither should run when autostart is off.
+      expect(existsSync(join(parachuteHome, "vault", "start.sh"))).toBe(false);
+      expect(existsSync(join(parachuteHome, "vault", "server-path"))).toBe(false);
+    } finally {
+      rmSync(sandbox, { recursive: true, force: true });
+    }
+  });
+
+  test("re-running init without a flag preserves persisted autostart=false", () => {
+    // We can't drive the --autostart re-run end-to-end here: it calls
+    // installAgent() / installSystemdService() which write to launchd /
+    // systemd state outside the PARACHUTE_HOME sandbox, breaking test
+    // hermeticity. Instead verify the inverse property — that a no-flag
+    // re-run honors the persisted opt-out and does NOT fall back to the
+    // default-on. This is the actual user-facing risk (forgetting to pass
+    // --no-autostart on every re-run shouldn't re-enable the daemon).
+    const sandbox = mkdtempSync(join(tmpdir(), "vault-init-autostart-"));
+    try {
+      const parachuteHome = join(sandbox, ".parachute");
+      const env = { HOME: sandbox, PARACHUTE_HOME: parachuteHome };
+
+      const first = runCli(
+        [
+          "init",
+          "--no-autostart",
+          "--no-mcp",
+          "--no-token",
+          "--vault-name",
+          "autostarttest",
+        ],
+        env,
+      );
+      expect(first.exitCode).toBe(0);
+
+      const configPath = join(parachuteHome, "vault", "config.yaml");
+      expect(readFileSync(configPath, "utf-8")).toContain("autostart: false");
+
+      // No --autostart / --no-autostart on this run; init should read the
+      // persisted false and skip daemon install again.
+      const second = runCli(["init", "--no-mcp", "--no-token"], env);
+      expect(second.exitCode).toBe(0);
+      expect(second.stdout).toContain("Autostart disabled");
+      expect(readFileSync(configPath, "utf-8")).toContain("autostart: false");
+      expect(existsSync(join(parachuteHome, "vault", "start.sh"))).toBe(false);
+    } finally {
+      rmSync(sandbox, { recursive: true, force: true });
+    }
+  });
+});
+
+/**
+ * #210: re-running `parachute-vault init` is the documented recovery path
+ * for installs whose `services.json` is stale (#208 left some vaults out of
+ * the manifest). The recovery is implicit — init re-registers the full
+ * vault list every run via `buildVaultServicePaths` — so this test pins it
+ * down with an explicit fixture: corrupt the manifest to drop one vault,
+ * re-run init, expect the manifest to grow back.
+ */
+describe("vault init — repairs stale services.json (#210)", () => {
+  test("re-running init rewrites services.json to include every vault on disk", () => {
+    const sandbox = mkdtempSync(join(tmpdir(), "vault-init-repair-"));
+    try {
+      const parachuteHome = join(sandbox, ".parachute");
+      const env = { HOME: sandbox, PARACHUTE_HOME: parachuteHome };
+
+      // Use `create` to bootstrap two vaults into a real, healthy state —
+      // this also writes the initial services.json with both vaults so we
+      // have a known-good baseline to corrupt.
+      expect(runCli(["create", "alpha", "--json"], env).exitCode).toBe(0);
+      expect(runCli(["create", "beta", "--json"], env).exitCode).toBe(0);
+
+      const servicesPath = join(parachuteHome, "services.json");
+      const baseline = JSON.parse(readFileSync(servicesPath, "utf-8"));
+      const baselineEntry = baseline.services.find(
+        (s: { name: string }) => s.name === "parachute-vault",
+      );
+      expect(baselineEntry.paths).toEqual(["/vault/alpha", "/vault/beta"]);
+
+      // Corrupt: drop beta from the manifest, mimicking the #208 state where
+      // an older `create` ran without the upsert.
+      baselineEntry.paths = ["/vault/alpha"];
+      writeFileSync(servicesPath, JSON.stringify(baseline, null, 2));
+
+      // Re-run init with no flags that would change vault topology. The
+      // sandbox env keeps launchd / ~/.claude.json side effects out of the
+      // dev environment.
+      const repair = runCli(
+        ["init", "--no-autostart", "--no-mcp", "--no-token"],
+        env,
+      );
+      expect(repair.exitCode).toBe(0);
+
+      const repaired = JSON.parse(readFileSync(servicesPath, "utf-8"));
+      const repairedEntry = repaired.services.find(
+        (s: { name: string }) => s.name === "parachute-vault",
+      );
+      // alpha is still default (created first), so it leads. beta is back.
+      expect(repairedEntry.paths).toEqual(["/vault/alpha", "/vault/beta"]);
+    } finally {
+      rmSync(sandbox, { recursive: true, force: true });
+    }
+  });
+});