@openparachute/vault 0.4.0 → 0.4.4-rc.11

package/src/doctor.test.ts

@@ -156,16 +156,16 @@ describe("vault doctor — extended checks", () => {
     // Isolated HOME with no ~/.claude.json at all — the most common
     // pre-`mcp-install` state for new users.
     const res = runCli(["doctor"], dir, { HOME: dir });
-    expect(res.stdout).toMatch(/! MCP entry in ~\/\.claude\.json/);
-    expect(res.stdout).toMatch(/does not exist|no mcpServers/);
+    expect(res.stdout).toMatch(/! MCP entry in MCP client config/);
+    expect(res.stdout).toMatch(/does not exist|no parachute-vault entry/);
     expect(res.stdout).toMatch(/mcp-install/);
   });
 
   test("warns when ~/.claude.json exists but has no parachute-vault entry", () => {
     writeFileSync(join(dir, ".claude.json"), JSON.stringify({ mcpServers: {} }));
     const res = runCli(["doctor"], dir, { HOME: dir });
-    expect(res.stdout).toMatch(/! MCP entry in ~\/\.claude\.json/);
-    expect(res.stdout).toMatch(/no mcpServers\["parachute-vault"\] entry/);
+    expect(res.stdout).toMatch(/! MCP entry in MCP client config/);
+    expect(res.stdout).toMatch(/no parachute-vault entry/);
   });
 
   test("passes MCP entry + port-match checks when URL points at the configured port", () => {
@@ -174,7 +174,8 @@ describe("vault doctor — extended checks", () => {
     writeFileSync(join(dir, "config.yaml"), "port: 4321\n");
     writeClaudeJson(dir, "http://127.0.0.1:4321/vault/default/mcp");
     const res = runCli(["doctor"], dir, { HOME: dir });
-    expect(res.stdout).toMatch(/✓ MCP entry in ~\/\.claude\.json/);
+    // Doctor now names the source file in the check label.
+    expect(res.stdout).toMatch(/✓ MCP entry in ~\/\.claude\.json \(parachute-vault\)/);
     expect(res.stdout).toMatch(/✓ MCP URL port matches vault\s+\(port 4321\)/);
     // Reachability will warn because nothing is bound to 4321 in the test
     // env — this is the "entry present, port matches, daemon unreachable"
@@ -186,7 +187,7 @@ describe("vault doctor — extended checks", () => {
     writeFileSync(join(dir, "config.yaml"), "port: 4321\n");
     writeClaudeJson(dir, "http://127.0.0.1:9999/vault/default/mcp");
     const res = runCli(["doctor"], dir, { HOME: dir });
-    expect(res.stdout).toMatch(/✓ MCP entry in ~\/\.claude\.json/);
+    expect(res.stdout).toMatch(/✓ MCP entry in ~\/\.claude\.json \(parachute-vault\)/);
     expect(res.stdout).toMatch(/! MCP URL port matches vault/);
     expect(res.stdout).toMatch(/MCP URL port 9999 ≠ vault port 4321/);
   });

package/src/hub-jwt.test.ts

@@ -14,7 +14,7 @@
  */
 import { describe, test, expect, beforeAll, afterAll, beforeEach } from "bun:test";
 import { generateKeyPair, exportJWK, SignJWT } from "jose";
-import { resetJwksCache, validateHubJwt, looksLikeJwt } from "./hub-jwt.ts";
+import { resetJwksCache, resetRevocationCache, validateHubJwt, looksLikeJwt } from "./hub-jwt.ts";
 
 interface Keypair {
   privateKey: CryptoKey;
@@ -53,11 +53,19 @@ function startJwksFixture(): JwksFixture {
     port: 0,
     fetch(req) {
       const url = new URL(req.url);
-      if (url.pathname !== "/.well-known/jwks.json") {
-        return new Response("not found", { status: 404 });
-      }
       if (down) return new Response("upstream down", { status: 503 });
-      return Response.json({ keys: keys.map((k) => k.publicJwk) });
+      if (url.pathname === "/.well-known/jwks.json") {
+        return Response.json({ keys: keys.map((k) => k.publicJwk) });
+      }
+      // scope-guard 0.2+ consults `/.well-known/parachute-revocation.json` on
+      // every JWT validation (when the token has a jti). Serve an empty list
+      // by default so unrelated tests in this file aren't fail-closed by a
+      // 404 on that endpoint. The integration tests (`auth-hub-jwt.test.ts`)
+      // own the revoked-jti / fail-closed cases separately.
+      if (url.pathname === "/.well-known/parachute-revocation.json") {
+        return Response.json({ generated_at: new Date().toISOString(), jtis: [] });
+      }
+      return new Response("not found", { status: 404 });
     },
   });
   return {
@@ -121,6 +129,9 @@ beforeEach(() => {
   fixture.setUnreachable(false);
   fixture.setKeys([kp]);
   resetJwksCache();
+  // Drop the per-process revocation cache so each test starts cold against
+  // the fixture (an empty list by default; tests opt into populated lists).
+  resetRevocationCache();
 });
 
 describe("looksLikeJwt", () => {

package/src/hub-jwt.ts

@@ -75,5 +75,14 @@ export function resetJwksCache(): void {
   guard.resetJwksCache();
 }
 
+/**
+ * Reset the cached revocation list. Tests use this to start from a clean
+ * fail-closed state between cases; production callers shouldn't need it
+ * (the cache refreshes itself on TTL expiry).
+ */
+export function resetRevocationCache(): void {
+  guard.resetRevocationCache();
+}
+
 export { HubJwtError, looksLikeJwt };
 export type { HubJwtClaims, ValidateHubJwtOptions };

package/src/mcp-http.ts

@@ -41,7 +41,6 @@ const TOOL_REQUIRED_VERB: Record<string, VaultVerb> = {
   "query-notes": "read",
   "list-tags": "read",
   "find-path": "read",
-  "synthesize-notes": "read",
   "vault-info": "read",
   "create-note": "write",
   "update-note": "write",
@@ -58,7 +57,10 @@ function requiredVerbForTool(toolName: string): VaultVerb {
 
 /** Handle scoped MCP at /vault/{name}/mcp (single vault). */
 export async function handleScopedMcp(req: Request, vaultName: string, auth: AuthResult): Promise<Response> {
-  const instruction = getServerInstruction(vaultName);
+  // Auth flows through to getServerInstruction so the connect-time
+  // markdown brief is filtered by `scoped_tags` — symmetric with the
+  // JSON `vault-info` wrapper.
+  const instruction = await getServerInstruction(vaultName, auth);
   return handleMcp(req, () => generateScopedMcpTools(vaultName, auth), `parachute-vault/${vaultName}`, vaultName, auth, instruction);
 }