@openparachute/vault 0.4.0 → 0.4.4-rc.11

package/src/routes.ts

@@ -4,10 +4,8 @@
  * Mirrors the MCP tools:
  *   /api/notes          — query-notes, create-note, update-note, delete-note
  *   /api/tags           — list-tags, update-tag, delete-tag
- *   /api/note-schemas   — list/upsert/delete note_schemas + nested mappings
  *   /api/find-path      — find-path
  *   /api/vault          — vault-info
- * (synthesize-notes is MCP-only; agents call it through the MCP transport.)
  *
  * Each handler receives a Store instance (already resolved for the vault)
  * and the Request, and returns a Response.
@@ -16,9 +14,9 @@
 import type { Store, Note } from "../core/src/types.ts";
 import { listUnresolvedWikilinks } from "../core/src/wikilinks.ts";
 import { toNoteIndex, filterMetadata, MAX_BATCH_SIZE } from "../core/src/notes.ts";
+import { attachValidationStatus } from "../core/src/mcp.ts";
 import * as linkOps from "../core/src/links.ts";
 import * as tagSchemaOps from "../core/src/tag-schemas.ts";
-import { MAPPING_KINDS, type SchemaMappingKind, type NoteSchemaField } from "../core/src/note-schemas.ts";
 import {
   filterNotesByTagScope,
   noteWithinTagScope,
@@ -83,6 +81,258 @@ function parseInt10(val: string | null): number | undefined {
   return isNaN(n) ? undefined : n;
 }
 
+/**
+ * Parse bracket-style metadata filters (vault#285 friction point 1.3).
+ *
+ * Maps `?meta[field][op]=value` (Stripe / JSON:API / Strapi convention) to
+ * the engine `metadata` filter shape at `core/src/notes.ts:494-509`. Recognised
+ * forms:
+ *
+ *   - `?meta[field]=value`                 — shorthand equality (JSON-scan;
+ *                                            no indexed-field declaration
+ *                                            required)
+ *   - `?meta[field][op]=value`             — operator query (routes through
+ *                                            the indexed generated column;
+ *                                            engine raises FIELD_NOT_INDEXED
+ *                                            if the field isn't declared)
+ *   - `?meta[field][in][]=v1&[in][]=v2`    — array form for in/not_in
+ *   - `?meta[field][in]=v1,v2`             — comma-separated form for in/not_in
+ *
+ * Supported operators mirror the engine: `eq`, `ne`, `gt`, `gte`, `lt`,
+ * `lte`, `in`, `not_in`, `exists`. `exists` requires `"true"` or `"false"`;
+ * other values reject with INVALID_OPERATOR_VALUE.
+ *
+ * Compound filters AND together: multiple `meta[a][gte]=1&meta[a][lt]=5`
+ * on the same field merge into one operator object; filters on different
+ * fields stack as independent AND clauses (engine semantics).
+ *
+ * **Bridge for the real `n.created_at` / `n.updated_at` columns** — these
+ * route through `dateFilter` (the existing engine path that exempts them
+ * from the indexed-field gate), not through the metadata-filter path. Only
+ * `gte` (→ inclusive `from`) and `lt` (→ exclusive `to`) are accepted on
+ * these fields, matching the dateFilter contract exactly. Other operators
+ * reject with INVALID_QUERY so callers don't think `meta[created_at][eq]=…`
+ * works.
+ *
+ * Returns `{ metadata?, dateFilter?, error? }`. When `error` is set the
+ * caller should return it directly (already shaped as a 400 with
+ * `error` + `code`).
+ */
+function parseMetaBrackets(url: URL): {
+  metadata?: Record<string, unknown>;
+  dateFilter?: { field: string; from?: string; to?: string };
+  error?: Response;
+} {
+  // Real columns on `notes` — exempt from the indexed-field gate, routed
+  // through `dateFilter` instead of `metadata`.
+  const REAL_DATE_COLUMNS = new Set(["created_at", "updated_at"]);
+  // Operators that take an array value. Used for parser-level rejection of
+  // `[]`-array syntax on the wrong operator (e.g. `meta[field][eq][]=value`).
+  const ARRAY_OPS = new Set(["in", "not_in"]);
+  // `meta[FIELD]` or `meta[FIELD][OP]` or `meta[FIELD][OP][]`. Field names are
+  // bounded by `FIELD_NAME_RE` at the engine layer; the parser is liberal here
+  // and lets the engine raise the loud error on bad names.
+  const META_RE = /^meta\[([^\]]+)\](?:\[([^\]]+)\](\[\])?)?$/;
+
+  // `metadata[field]` is either a primitive (shorthand `eq` via json_extract)
+  // or a sub-object of operator clauses. The two are *mutually exclusive per
+  // field per request*: mixing them is a silent-data-loss footgun (op set,
+  // then shorthand stomps; or shorthand set, then op stomps) so we reject
+  // loudly. Track each field's chosen form here.
+  const metadata: Record<string, unknown> = {};
+  const shorthandFields = new Set<string>();
+  const opBucketsByField = new Map<string, Map<string, string[]>>(); // field → op → values (array form)
+  const opObjectByField = new Map<string, Record<string, unknown>>(); // field → built op object (single-value ops)
+
+  // dateFilter accumulates `from` (gte) and `to` (lt) bounds on a single
+  // column. Spanning both `created_at` AND `updated_at` in one request is
+  // not expressible (the engine takes one `field`), so we reject early
+  // rather than silently corrupting one bound. See vault#289 review F1.
+  let dateField: "created_at" | "updated_at" | null = null;
+  let dateFrom: string | undefined;
+  let dateTo: string | undefined;
+
+  function rejectMixedForms(field: string): Response {
+    return json(
+      {
+        error: `bracket-meta filter: cannot mix shorthand and operator forms for the same field — \`meta[${field}]=…\` and \`meta[${field}][<op>]=…\` are mutually exclusive in one request. Pick one form.`,
+        code: "INVALID_QUERY",
+      },
+      400,
+    );
+  }
+
+  function getOpObject(field: string): Record<string, unknown> {
+    let bucket = opObjectByField.get(field);
+    if (!bucket) {
+      bucket = {};
+      opObjectByField.set(field, bucket);
+    }
+    return bucket;
+  }
+
+  for (const [key, value] of url.searchParams.entries()) {
+    const m = META_RE.exec(key);
+    if (!m) continue;
+    const field = m[1]!;
+    const op = m[2];
+    const isArray = m[3] === "[]";
+
+    // Bridge: real date columns route to dateFilter, not metadata.
+    if (REAL_DATE_COLUMNS.has(field)) {
+      if (!op) {
+        return {
+          error: json(
+            {
+              error: `bracket-date filter on \`${field}\` requires an operator: meta[${field}][gte]=… (lower bound) or meta[${field}][lt]=… (upper bound, exclusive).`,
+              code: "INVALID_QUERY",
+            },
+            400,
+          ),
+        };
+      }
+      if (op !== "gte" && op !== "lt") {
+        return {
+          error: json(
+            {
+              error: `bracket-date filter on \`${field}\` supports only \`gte\` (inclusive lower bound) and \`lt\` (exclusive upper bound). Got: \`${op}\`. The dateFilter contract uses these two ops because the equivalent flat shape (\`date_field=${field}&date_from=…&date_to=…\`) is half-open by design.`,
+              code: "INVALID_QUERY",
+            },
+            400,
+          ),
+        };
+      }
+      // F1: dateFilter takes a single column. Reject the cross-column
+      // case before assigning — otherwise the second column's
+      // assignment would silently override the first.
+      if (dateField !== null && dateField !== field) {
+        return {
+          error: json(
+            {
+              error: `bracket-date filter cannot span both \`created_at\` and \`updated_at\` in one request — issue two queries or use one column per request.`,
+              code: "INVALID_QUERY",
+            },
+            400,
+          ),
+        };
+      }
+      dateField = field as "created_at" | "updated_at";
+      if (op === "gte") dateFrom = value;
+      else dateTo = value;
+      continue;
+    }
+
+    // Regular metadata field.
+    if (!op) {
+      // Shorthand: `?meta[field]=value` → primitive (engine routes through
+      // json_extract; no indexed declaration required).
+      // F2: reject if any operator form already wrote a bucket for this
+      // field — the two shapes don't compose and the silent stomp would
+      // drop one form's intent. Mirror check for the reverse order below.
+      if (opObjectByField.has(field) || opBucketsByField.has(field)) {
+        return { error: rejectMixedForms(field) };
+      }
+      shorthandFields.add(field);
+      metadata[field] = value;
+      continue;
+    }
+    // F2: reject if shorthand already wrote a primitive for this field.
+    if (shorthandFields.has(field)) {
+      return { error: rejectMixedForms(field) };
+    }
+    // F4: `[]`-array syntax only makes sense for `in` / `not_in`. Other ops
+    // (eq, gt, exists, …) take a scalar; `meta[field][eq][]=v` is a
+    // shape error — surface it at the parser layer with a clear message
+    // instead of letting the engine raise a generic INVALID_OPERATOR_VALUE
+    // downstream.
+    if (isArray && !ARRAY_OPS.has(op)) {
+      return {
+        error: json(
+          {
+            error: `bracket-meta filter: array form \`meta[${field}][${op}][]=…\` is only valid for \`in\` and \`not_in\`. \`${op}\` takes a single value — use \`meta[${field}][${op}]=value\` instead.`,
+            code: "INVALID_OPERATOR_VALUE",
+          },
+          400,
+        ),
+      };
+    }
+    if (isArray) {
+      // `meta[field][in][]=v1&meta[field][in][]=v2`. Nested map keeps
+      // field and op as separate dimensions — no string-concat ambiguity
+      // for field names that contain (or might one day be allowed to
+      // contain) the delimiter character. See vault#289 review F5.
+      let fieldBucket = opBucketsByField.get(field);
+      if (!fieldBucket) {
+        fieldBucket = new Map<string, string[]>();
+        opBucketsByField.set(field, fieldBucket);
+      }
+      let values = fieldBucket.get(op);
+      if (!values) {
+        values = [];
+        fieldBucket.set(op, values);
+      }
+      values.push(value);
+      continue;
+    }
+    if (op === "in" || op === "not_in") {
+      // Comma form: `meta[field][in]=v1,v2`. Mutually exclusive with the
+      // `[]` array form per field+op — last write wins if both are
+      // supplied; we don't reject because the resulting array is well-
+      // defined regardless of which form a caller picked.
+      const arr = value.includes(",")
+        ? value.split(",").map((s) => s.trim()).filter((s) => s.length > 0)
+        : [value];
+      getOpObject(field)[op] = arr;
+    } else if (op === "exists") {
+      const bool = value === "true" ? true : value === "false" ? false : null;
+      if (bool === null) {
+        return {
+          error: json(
+            {
+              error: `bracket-meta filter: \`exists\` on \`${field}\` requires "true" or "false", got "${value}"`,
+              code: "INVALID_OPERATOR_VALUE",
+            },
+            400,
+          ),
+        };
+      }
+      getOpObject(field)[op] = bool;
+    } else {
+      // eq / ne / gt / gte / lt / lte — all primitive, single value. Type
+      // coercion is left to SQLite affinity rules: indexed columns are
+      // declared TEXT or INTEGER, and SQLite will compare a string-shaped
+      // numeric correctly against an INTEGER column. The engine raises
+      // UNKNOWN_OPERATOR if `op` isn't in SUPPORTED_OPS.
+      getOpObject(field)[op] = value;
+    }
+  }
+
+  // Roll up `[]`-array buckets onto their op-objects. Done after the main
+  // loop so `in`/`not_in` array-form and comma-form on the same field
+  // collapse into one merged op-object cleanly.
+  for (const [field, opMap] of opBucketsByField) {
+    for (const [op, values] of opMap) {
+      getOpObject(field)[op] = values;
+    }
+  }
+  // Roll up op-objects onto the metadata payload.
+  for (const [field, opObj] of opObjectByField) {
+    metadata[field] = opObj;
+  }
+
+  const result: {
+    metadata?: Record<string, unknown>;
+    dateFilter?: { field: string; from?: string; to?: string };
+  } = {};
+  if (Object.keys(metadata).length > 0) result.metadata = metadata;
+  if (dateField) {
+    result.dateFilter = { field: dateField };
+    if (dateFrom !== undefined) result.dateFilter.from = dateFrom;
+    if (dateTo !== undefined) result.dateFilter.to = dateTo;
+  }
+  return result;
+}
+
 /**
  * Parse include_metadata query param.
  * - absent/null → undefined (all metadata, default)
@@ -222,13 +472,32 @@ export async function handleNotes(
 
       // Structured query
       //
-      // Surface asymmetry: REST uses three flat query params
-      // (`date_field`, `date_from`, `date_to`) while MCP takes a nested
-      // `date_filter: { field, from, to }` object. Both lower to the same
-      // store-level `dateFilter` shape — the difference is just that query
-      // strings are flat by nature. This mirrors the broader REST/MCP
-      // pattern across the API and is intentional, not a fix-it-up TODO.
+      // Two filter syntaxes coexist on this endpoint:
+      //
+      //   - **Bracket-style** (canonical, vault#285 friction point 1.3):
+      //     `?meta[field][op]=value` / `?meta[created_at][gte]=…`. Exposes
+      //     the full engine `metadata` filter (eq/ne/gt/gte/lt/lte/in/
+      //     not_in/exists) and the dateFilter bridge through one consistent
+      //     shape. See `parseMetaBrackets` for the grammar.
+      //
+      //   - **Flat date params** (DEPRECATED): `?date_field=created_at&
+      //     date_from=…&date_to=…` and the legacy `?date_from=…&date_to=…`.
+      //     Still functional through 0.5.x; planned removal in 0.6.0
+      //     (vault#288). New consumers should use bracket-style.
+      //
+      // Precedence on overlap: bracket-style wins. If a caller passes both
+      // `meta[created_at][gte]=X` and `date_field=created_at&date_from=Y`,
+      // the bracket form is the dateFilter the engine sees; the flat
+      // params are silently dropped. We don't error — the bracket form is
+      // documented as canonical, and rejecting the overlap would block a
+      // realistic migration path where a caller half-converted their code.
+      //
+      // Surface asymmetry: REST flattens to a query string; MCP takes a
+      // nested `date_filter: { field, from, to }` object directly. Both
+      // lower to the same store-level `dateFilter` shape.
       const tags = parseQueryList(url, "tag");
+      const bracket = parseMetaBrackets(url);
+      if (bracket.error) return bracket.error;
       let results: Note[];
       try {
         results = await store.queryNotes({
@@ -239,23 +508,28 @@ export async function handleNotes(
           hasLinks: parseBoolOrUndef(parseQuery(url, "has_links")),
           path: parseQuery(url, "path") ?? undefined,
           pathPrefix: parseQuery(url, "path_prefix") ?? undefined,
-          metadata: undefined, // metadata filter not practical in query params
-          // `date_field=<name>&date_from=...&date_to=...` activates the
-          // generalized filter (filters on the named indexed field). Without
-          // `date_field`, `date_from`/`date_to` keep their legacy meaning of
-          // filtering on `created_at` (vault ingestion time).
-          ...(parseQuery(url, "date_field")
-            ? {
-                dateFilter: {
-                  field: parseQuery(url, "date_field")!,
-                  from: parseQuery(url, "date_from") ?? undefined,
-                  to: parseQuery(url, "date_to") ?? undefined,
-                },
-              }
-            : {
-                dateFrom: parseQuery(url, "date_from") ?? undefined,
-                dateTo: parseQuery(url, "date_to") ?? undefined,
-              }),
+          metadata: bracket.metadata,
+          // Date-range precedence chain (highest to lowest):
+          //   1. Bracket-style `meta[created_at][gte]=…` (canonical).
+          //   2. Flat `date_field=…&date_from=…&date_to=…` (deprecated).
+          //   3. Legacy `date_from=…&date_to=…` (no date_field, deprecated)
+          //      — filters on `n.created_at` by definition.
+          // The engine rejects combinations of `dateFilter` with the legacy
+          // `dateFrom`/`dateTo`, so we never set both shapes simultaneously.
+          ...(bracket.dateFilter
+            ? { dateFilter: bracket.dateFilter }
+            : parseQuery(url, "date_field")
+              ? {
+                  dateFilter: {
+                    field: parseQuery(url, "date_field")!,
+                    from: parseQuery(url, "date_from") ?? undefined,
+                    to: parseQuery(url, "date_to") ?? undefined,
+                  },
+                }
+              : {
+                  dateFrom: parseQuery(url, "date_from") ?? undefined,
+                  dateTo: parseQuery(url, "date_to") ?? undefined,
+                }),
           sort: (parseQuery(url, "sort") as "asc" | "desc") ?? undefined,
           orderBy: parseQuery(url, "order_by") ?? undefined,
           limit: parseInt10(parseQuery(url, "limit")) ?? 50,
@@ -460,7 +734,13 @@ export async function handleNotes(
         }
       }
 
-      return json(body.notes ? created : created[0], 201);
+      // Attach `validation_status` so HTTP create-note matches the MCP
+      // surface (vault#287). Mirrors the MCP create-note attach site at
+      // `core/src/mcp.ts:451`. `attachValidationStatus` returns the note
+      // unchanged when no tag declares fields, so vaults without any tag
+      // schemas see no behavior change.
+      const final = created.map((n) => attachValidationStatus(store, db, n));
+      return json(body.notes ? final : final[0], 201);
     }
 
     return json({ error: "Method not allowed" }, 405);
@@ -743,7 +1023,23 @@ export async function handleNotes(
         }
       }
 
-      return json(await store.getNote(note.id));
+      // Response shape: full Note (back-compat default) or lean NoteIndex
+      // (vault#285 friction point 2.response — opt-out for callers making
+      // frequent small edits to large notes). Mirror the MCP `update-note`
+      // `include_content` knob exactly, *and* `validation_status` attachment
+      // (vault#287) so HTTP and MCP consumers see the same schema-validation
+      // signal. Recipe matches `core/src/mcp.ts:751` — attach to the full
+      // Note first, then carry the field across the lean conversion (since
+      // `toNoteIndex` drops unknown fields).
+      const updatedNote = await store.getNote(note.id);
+      if (updatedNote === null) return json({ error: "Note disappeared" }, 404);
+      const validated = attachValidationStatus(store, db, updatedNote);
+      const includeContentResp = body.include_content !== false;
+      if (includeContentResp) return json(validated);
+      const lean: any = toNoteIndex(validated);
+      const vs = (validated as any).validation_status;
+      if (vs !== undefined) lean.validation_status = vs;
+      return json(lean);
     } catch (e: any) {
       if (e instanceof NotFoundError) return json({ error: e.message }, 404);
       // Duck-type on `code` rather than `instanceof ConflictError`: this
@@ -936,24 +1232,10 @@ export async function handleTags(
     if (tagScope.allowed && (!tagScope.allowed.has(oldName) || !tagScope.allowed.has(newName))) {
       return tagScopeForbidden(tagScope.raw ?? []);
     }
-    // Same dependency check as DELETE / merge — until vault#240 ships the
-    // rename→token cascade, fail-closed on referenced names so the rename
-    // can't silently orphan a token's allowlist (the JSON-stored old name
-    // would no longer match anything). When the cascade lands this becomes
-    // an unconditional cascade + audit log entry per patterns#26 §Lifecycle.
-    const referenced_by = findTokensReferencingTag((store as any).db, oldName);
-    if (referenced_by.length > 0) {
-      return json(
-        {
-          error: "TagInUseByTokens",
-          error_type: "tag_in_use_by_tokens",
-          message: `Tag "${oldName}" is referenced by ${referenced_by.length} tag-scoped token(s); revoke or re-mint them before renaming. (vault#240 will replace this with an automatic cascade.)`,
-          tag: oldName,
-          referenced_by,
-        },
-        409,
-      );
-    }
+    // Vault#240: rename now cascades to tokens.scoped_tags (and every
+    // other surface). The old fail-closed token-reference check has been
+    // removed; the cascade rewrites the JSON allowlist atomically. See
+    // notes.ts:renameTag for the surfaces touched.
     const result = await store.renameTag(oldName, newName);
     if ("error" in result) {
       if (result.error === "not_found") return json({ error: "not_found", tag: oldName }, 404);
@@ -962,7 +1244,8 @@ export async function handleTags(
           {
             error: "target_exists",
             target: newName,
-            message: "Target tag already exists; use POST /api/tags/merge to combine them.",
+            conflicting: result.conflicting,
+            message: "Target tag (or one of its sub-tags) already exists; use POST /api/tags/merge to combine them.",
           },
           409,
         );
@@ -1096,166 +1379,6 @@ export async function handleTags(
   return json({ error: "Method not allowed" }, 405);
 }
 
-// ---------------------------------------------------------------------------
-// Note schemas — GET/PUT/DELETE /api/note-schemas[/:name],
-//                GET/POST/DELETE /api/note-schemas/:name/mappings
-// ---------------------------------------------------------------------------
-
-export async function handleNoteSchemas(
-  req: Request,
-  store: Store,
-  subpath = "",
-  tagScope: TagScopeCtx = NO_TAG_SCOPE,
-): Promise<Response> {
-  const url = new URL(req.url);
-
-  // Tag-scope filter for `tag`-kind mappings. `path_prefix` mappings carry no
-  // tag-axis information so they're always visible/writable. The single-tag
-  // check delegates to `tagsWithinScope` so the string-form fallback in
-  // patterns/tag-scoped-tokens.md §Storage details is honored end-to-end.
-  const mappingInScope = (m: { match_kind: SchemaMappingKind; match_value: string }): boolean => {
-    if (m.match_kind !== "tag") return true;
-    return tagsWithinScope([m.match_value], tagScope.allowed, tagScope.raw);
-  };
-
-  // GET /note-schemas — list all
-  if (req.method === "GET" && subpath === "") {
-    const schemas = await store.listNoteSchemas();
-    if (parseBool(parseQuery(url, "include_mappings"), false)) {
-      const allMappings = (await store.listSchemaMappings()).filter(mappingInScope);
-      const byName = new Map<string, typeof allMappings>();
-      for (const m of allMappings) {
-        const list = byName.get(m.schema_name) ?? [];
-        list.push(m);
-        byName.set(m.schema_name, list);
-      }
-      return json(schemas.map((s) => ({ ...s, mappings: byName.get(s.name) ?? [] })));
-    }
-    return json(schemas);
-  }
-
-  // /note-schemas/:name(/mappings)
-  const mappingsMatch = subpath.match(/^\/([^/]+)\/mappings$/);
-  if (mappingsMatch) {
-    const schemaName = decodeURIComponent(mappingsMatch[1]!);
-
-    // GET /note-schemas/:name/mappings
-    if (req.method === "GET") {
-      const mappings = (await store.listSchemaMappings({ schema_name: schemaName })).filter(mappingInScope);
-      return json(mappings);
-    }
-
-    // POST /note-schemas/:name/mappings — body: { match_kind, match_value }
-    if (req.method === "POST") {
-      const body = (await req.json().catch(() => null)) as
-        | { match_kind?: unknown; match_value?: unknown }
-        | null;
-      if (!body) return json({ error: "Invalid JSON body" }, 400);
-      const match_kind = body.match_kind;
-      const match_value = body.match_value;
-      if (typeof match_kind !== "string" || !MAPPING_KINDS.includes(match_kind as SchemaMappingKind)) {
-        return json(
-          { error: `match_kind must be one of: ${MAPPING_KINDS.join(", ")}`, error_type: "invalid_match_kind" },
-          400,
-        );
-      }
-      if (typeof match_value !== "string" || match_value.length === 0) {
-        return json({ error: "match_value must be a non-empty string" }, 400);
-      }
-      // Tag-scope write gate: a tag mapping for an out-of-scope tag would let
-      // a tag-scoped token bind a schema to a tag it can't see. Mirrors the
-      // vault#241 write-gate shape (403 + tag_scope_violation envelope).
-      if (!mappingInScope({ match_kind: match_kind as SchemaMappingKind, match_value })) {
-        return tagScopeForbidden(tagScope.raw ?? []);
-      }
-      // Validate FK explicitly so a bad schema_name surfaces as 404 (not a
-      // raw SQLITE_CONSTRAINT 500).
-      if (!(await store.getNoteSchema(schemaName))) {
-        return json({ error: "Schema not found", schema_name: schemaName }, 404);
-      }
-      await store.setSchemaMapping(schemaName, match_kind as SchemaMappingKind, match_value);
-      return json({ ok: true, schema_name: schemaName, match_kind, match_value }, 201);
-    }
-
-    // DELETE /note-schemas/:name/mappings?match_kind=...&match_value=...
-    // Query params (not URL segments) because match_value can contain slashes
-    // for path-prefix mappings.
-    if (req.method === "DELETE") {
-      const match_kind = parseQuery(url, "match_kind");
-      const match_value = parseQuery(url, "match_value");
-      if (!match_kind || !MAPPING_KINDS.includes(match_kind as SchemaMappingKind)) {
-        return json(
-          { error: `match_kind must be one of: ${MAPPING_KINDS.join(", ")}`, error_type: "invalid_match_kind" },
-          400,
-        );
-      }
-      if (!match_value) {
-        return json({ error: "match_value query parameter is required" }, 400);
-      }
-      if (!mappingInScope({ match_kind: match_kind as SchemaMappingKind, match_value })) {
-        return tagScopeForbidden(tagScope.raw ?? []);
-      }
-      const deleted = await store.deleteSchemaMapping(
-        schemaName,
-        match_kind as SchemaMappingKind,
-        match_value,
-      );
-      return json({ deleted, schema_name: schemaName, match_kind, match_value });
-    }
-
-    return json({ error: "Method not allowed" }, 405);
-  }
-
-  // /note-schemas/:name (no nested segment)
-  const nameMatch = subpath.match(/^\/([^/]+)$/);
-  if (!nameMatch) return json({ error: "Not found" }, 404);
-  const name = decodeURIComponent(nameMatch[1]!);
-
-  // GET /note-schemas/:name — single (with mappings)
-  if (req.method === "GET") {
-    const schema = await store.getNoteSchema(name);
-    if (!schema) return json({ error: "Schema not found", name }, 404);
-    const mappings = (await store.listSchemaMappings({ schema_name: name })).filter(mappingInScope);
-    return json({ ...schema, mappings });
-  }
-
-  // PUT /note-schemas/:name — partial-upsert (mirrors update-tag shape)
-  if (req.method === "PUT") {
-    const body = (await req.json().catch(() => null)) as {
-      description?: string | null;
-      fields?: Record<string, unknown> | null;
-      required?: unknown;
-    } | null;
-    if (!body) return json({ error: "Invalid JSON body" }, 400);
-
-    const patch: { description?: string | null; fields?: Record<string, NoteSchemaField> | null; required?: string[] | null } = {};
-    if (body.description === null) patch.description = null;
-    else if (body.description !== undefined) patch.description = body.description;
-    if (body.fields === null) patch.fields = null;
-    else if (body.fields !== undefined) patch.fields = body.fields as Record<string, NoteSchemaField>;
-    if (body.required === null) patch.required = null;
-    else if (body.required !== undefined) {
-      if (!Array.isArray(body.required)) {
-        return json({ error: "required must be an array of field names" }, 400);
-      }
-      patch.required = (body.required as unknown[]).filter(
-        (x): x is string => typeof x === "string",
-      );
-    }
-
-    const result = await store.upsertNoteSchema(name, patch);
-    return json(result);
-  }
-
-  // DELETE /note-schemas/:name — drop schema; FK CASCADE drops its mappings.
-  if (req.method === "DELETE") {
-    const deleted = await store.deleteNoteSchema(name);
-    return json({ deleted, name });
-  }
-
-  return json({ error: "Method not allowed" }, 405);
-}
-
 // ---------------------------------------------------------------------------
 // Find-path — GET /api/find-path?source=...&target=...
 // ---------------------------------------------------------------------------

package/src/routing.test.ts

@@ -1553,7 +1553,7 @@ describe("scope enforcement on /api/*", () => {
     expect(res.status).toBe(200);
   });
 
-  test("POST /api/tags/:name/rename → 409 when a tag-scoped token references the old name", async () => {
+  test("POST /api/tags/:name/rename → 200 cascades token allowlists (vault#240)", async () => {
     createVault("journal");
     const store = getVaultStore("journal");
     await store.createNote("h", { tags: ["health"] });
@@ -1569,19 +1569,19 @@ describe("scope enforcement on /api/*", () => {
       }),
       path,
     );
-    expect(res.status).toBe(409);
+    expect(res.status).toBe(200);
     const body = (await res.json()) as {
-      error_type?: string;
-      tag?: string;
-      referenced_by?: { id: string; label: string }[];
+      renamed?: number;
+      tokens_updated?: number;
     };
-    expect(body.error_type).toBe("tag_in_use_by_tokens");
-    expect(body.tag).toBe("health");
-    expect(body.referenced_by?.length).toBe(1);
-
-    // Tag was not renamed.
-    expect((await store.listTags()).find((t) => t.name === "health")).toBeTruthy();
-    expect((await store.listTags()).find((t) => t.name === "wellness")).toBeFalsy();
+    // The cascade reports per-surface counts so callers can see what shifted.
+    expect(body.renamed).toBe(1);
+    expect(body.tokens_updated).toBe(1);
+
+    // Tag is renamed; the previously-409-blocking token's scoped_tags
+    // rewrites alongside.
+    expect((await store.listTags()).find((t) => t.name === "health")).toBeFalsy();
+    expect((await store.listTags()).find((t) => t.name === "wellness")).toBeTruthy();
   });
 
   test("POST /api/tags/merge → 409 when a tag-scoped token references a source", async () => {

package/src/routing.ts

@@ -48,7 +48,6 @@ import { defaultAdminSpaDistDir, isAdminSpaPath, serveAdminSpa } from "./admin-s
 import {
   handleNotes,
   handleTags,
-  handleNoteSchemas,
   handleFindPath,
   handleVault,
   handleUnresolvedWikilinks,
@@ -520,7 +519,6 @@ export async function route(
 
   if (apiPath.startsWith("/notes")) return handleNotes(req, store, apiPath.slice(6), vaultName, tagScope);
   if (apiPath.startsWith("/tags")) return handleTags(req, store, apiPath.slice(5), tagScope);
-  if (apiPath.startsWith("/note-schemas")) return handleNoteSchemas(req, store, apiPath.slice(13), tagScope);
   if (apiPath === "/find-path") return handleFindPath(req, store, tagScope);
   if (apiPath === "/vault") {
     return handleVault(req, store, vaultConfig, () => {