@openparachute/vault 0.4.0 → 0.4.4-rc.11

package/src/vault.test.ts

@@ -10,7 +10,7 @@ import { tmpdir } from "os";
 import { BunStore } from "./vault-store.ts";
 import { generateMcpTools } from "../core/src/mcp.ts";
 import { getLinksHydrated } from "../core/src/links.ts";
-import { handleNotes, handleTags, handleNoteSchemas, handleFindPath, handleVault } from "./routes.ts";
+import { handleNotes, handleTags, handleFindPath, handleVault } from "./routes.ts";
 import { extractApiKey } from "./auth.ts";
 
 let db: Database;
@@ -478,7 +478,7 @@ describe("deeper link queries", async () => {
 describe("MCP tools", async () => {
   test("generates the consolidated tool set", () => {
     const tools = generateMcpTools(store);
-    expect(tools.length).toBe(16);
+    expect(tools.length).toBe(9);
 
     const names = tools.map((t) => t.name);
     expect(names).toContain("query-notes");
@@ -488,15 +488,14 @@ describe("MCP tools", async () => {
     expect(names).toContain("list-tags");
     expect(names).toContain("update-tag");
     expect(names).toContain("delete-tag");
-    expect(names).toContain("list-note-schemas");
-    expect(names).toContain("update-note-schema");
-    expect(names).toContain("delete-note-schema");
-    expect(names).toContain("list-schema-mappings");
-    expect(names).toContain("set-schema-mapping");
-    expect(names).toContain("delete-schema-mapping");
     expect(names).toContain("find-path");
-    expect(names).toContain("synthesize-notes");
     expect(names).toContain("vault-info");
+    // Six note-schema MCP tools (list/update/delete-note-schema +
+    // list/set/delete-schema-mapping) retired in v17 — vault#267.
+    expect(names).not.toContain("list-note-schemas");
+    expect(names).not.toContain("set-schema-mapping");
+    // synthesize-notes retired in v17 — vault#268.
+    expect(names).not.toContain("synthesize-notes");
   });
 
   test("query-notes by id works", async () => {
@@ -566,6 +565,355 @@ describe("scoped MCP wrapper", async () => {
     closeAllStores();
   });
 
+  test("vault-info projection includes tags-with-schemas + indexed_fields + query_hints (vault#271)", async () => {
+    const { generateScopedMcpTools } = await import("./mcp-tools.ts");
+    const { writeVaultConfig } = await import("./config.ts");
+    const { getVaultStore, closeAllStores } = await import("./vault-store.ts");
+
+    const vaultName = `proj-${Date.now()}`;
+    writeVaultConfig({
+      name: vaultName,
+      api_keys: [],
+      created_at: new Date().toISOString(),
+      description: "vault for #271",
+    });
+
+    const vaultStore = getVaultStore(vaultName);
+    await vaultStore.upsertTagRecord("_default", {
+      fields: { created_by: { type: "string", description: "Origin" } },
+    });
+
+    // Indexed-field lifecycle is owned by the update-tag MCP tool — go
+    // through the tool, not the store, so indexed_fields gets populated.
+    const tools = generateScopedMcpTools(vaultName);
+    const updateTag = tools.find((t) => t.name === "update-tag")!;
+    await updateTag.execute({
+      tag: "person",
+      description: "A person",
+      fields: { email: { type: "string", indexed: true } },
+    });
+    await updateTag.execute({
+      tag: "employee",
+      description: "Employee",
+      fields: { title: { type: "string" } },
+      parent_names: ["person"],
+    });
+
+    const vaultInfo = tools.find((t) => t.name === "vault-info")!;
+    const result = await vaultInfo.execute({}) as any;
+
+    expect(result.name).toBe(vaultName);
+    expect(result.description).toBe("vault for #271");
+
+    // tags array — only schema-bearing rows, with effective inheritance
+    const byName = Object.fromEntries(
+      (result.tags as any[]).map((t) => [t.name, t]),
+    );
+    expect(byName.person).toBeTruthy();
+    expect(byName.person.effective_parents).toEqual(["_default"]);
+    expect(Object.keys(byName.person.effective_fields).sort()).toEqual([
+      "created_by",
+      "email",
+    ]);
+    expect(byName.employee.effective_parents).toEqual(["person", "_default"]);
+    expect(Object.keys(byName.employee.effective_fields).sort()).toEqual([
+      "created_by",
+      "email",
+      "title",
+    ]);
+
+    // indexed_fields catalog
+    const indexed = result.indexed_fields as any[];
+    const emailEntry = indexed.find((f) => f.name === "email");
+    expect(emailEntry).toBeTruthy();
+    expect(emailEntry.type).toBe("string");
+    expect(emailEntry.tags).toEqual(["person"]);
+
+    // query_hints — static catalog, present even without include_stats
+    expect(Array.isArray(result.query_hints)).toBe(true);
+    expect((result.query_hints as string[]).length).toBeGreaterThan(0);
+
+    // stats omitted unless requested
+    expect(result.stats).toBeUndefined();
+
+    const withStats = await vaultInfo.execute({ include_stats: true }) as any;
+    expect(withStats.stats).toBeTruthy();
+
+    closeAllStores();
+  });
+
+  test("getServerInstruction renders projection markdown for a populated vault (vault#271)", async () => {
+    const { getServerInstruction } = await import("./mcp-tools.ts");
+    const { writeVaultConfig } = await import("./config.ts");
+    const { getVaultStore, closeAllStores } = await import("./vault-store.ts");
+    const { generateScopedMcpTools } = await import("./mcp-tools.ts");
+
+    const vaultName = `instr-${Date.now()}`;
+    writeVaultConfig({
+      name: vaultName,
+      api_keys: [],
+      created_at: new Date().toISOString(),
+      description: "Working notebook for the daily team.",
+    });
+
+    const vaultStore = getVaultStore(vaultName);
+    await vaultStore.createNote("A", { tags: ["person"] });
+
+    const tools = generateScopedMcpTools(vaultName);
+    const updateTag = tools.find((t) => t.name === "update-tag")!;
+    await updateTag.execute({
+      tag: "person",
+      description: "A person",
+      fields: { email: { type: "string", indexed: true } },
+    });
+
+    const md = await getServerInstruction(vaultName);
+
+    expect(md).toContain(`Parachute Vault "${vaultName}"`);
+    expect(md).toContain("Working notebook for the daily team.");
+    // vault#274: stats line distinguishes total tag count (note-usage)
+    // from schema-bearing count. One note tagged `person`, one tag
+    // overall, that one tag has a schema → "1 tag total, 1 with schemas".
+    expect(md).toContain("1 note, 1 tag total, 1 with schemas");
+    expect(md).toContain("1 tag with schemas: person");
+    expect(md).toContain("Indexed metadata fields");
+    expect(md).toContain("email");
+    expect(md).toContain("#person");
+    expect(md).toContain("Querying");
+    expect(md).toContain("vault-info");
+    expect(md).toContain("list-tags { include_schema: true }");
+
+    closeAllStores();
+  });
+
+  test("getServerInstruction degrades gracefully on an empty vault (vault#271)", async () => {
+    const { getServerInstruction } = await import("./mcp-tools.ts");
+    const { writeVaultConfig } = await import("./config.ts");
+    const { closeAllStores } = await import("./vault-store.ts");
+
+    const vaultName = `instr-empty-${Date.now()}`;
+    writeVaultConfig({
+      name: vaultName,
+      api_keys: [],
+      created_at: new Date().toISOString(),
+    });
+
+    const md = await getServerInstruction(vaultName);
+
+    expect(md).toContain(`Parachute Vault "${vaultName}"`);
+    // vault#274: empty vault — no schemas, so the suffix is omitted.
+    // 0 is plural per English convention. The not.toContain guard
+    // pins that "with schemas" doesn't leak through anywhere — when
+    // schemas exist it appears in two places (stats suffix + the
+    // tags-with-schemas list line); on an empty vault both branches
+    // are unreachable, so the phrase shouldn't appear at all.
+    expect(md).toContain("0 notes, 0 tags total");
+    expect(md).not.toContain("with schemas");
+    expect(md).toContain("No tag schemas declared");
+    expect(md).toContain("No indexed metadata fields");
+    // Refresh hints surface both pointers so the agent knows where to look.
+    expect(md).toContain("vault-info");
+    expect(md).toContain("list-tags");
+
+    closeAllStores();
+  });
+
+  test("getServerInstruction stays under ~5K tokens at 50 tags-with-schemas (vault#271)", async () => {
+    const { getServerInstruction } = await import("./mcp-tools.ts");
+    const { writeVaultConfig } = await import("./config.ts");
+    const { getVaultStore, closeAllStores } = await import("./vault-store.ts");
+
+    const vaultName = `instr-big-${Date.now()}`;
+    writeVaultConfig({
+      name: vaultName,
+      api_keys: [],
+      created_at: new Date().toISOString(),
+      description: "Stress-test fixture for the connect-time projection size.",
+    });
+
+    const vaultStore = getVaultStore(vaultName);
+    for (let i = 0; i < 50; i++) {
+      await vaultStore.upsertTagRecord(`schema_tag_${i}`, {
+        description: `Description for tag ${i} — covers a meaningful chunk of the vault's domain.`,
+        fields: {
+          [`field_${i}_a`]: { type: "string" },
+          [`field_${i}_b`]: { type: "integer" },
+        },
+      });
+    }
+
+    const md = await getServerInstruction(vaultName);
+    // Rough token approximation: 1 token ≈ 4 chars. Budget: 5K tokens.
+    const approxTokens = md.length / 4;
+    expect(approxTokens).toBeLessThan(5000);
+
+    closeAllStores();
+  });
+
+  test("getServerInstruction filters projection by tag-scoped allowlist (vault#271 fold 5)", async () => {
+    const { getServerInstruction, generateScopedMcpTools } = await import("./mcp-tools.ts");
+    const { writeVaultConfig } = await import("./config.ts");
+    const { closeAllStores } = await import("./vault-store.ts");
+
+    const vaultName = `instr-scoped-${Date.now()}`;
+    writeVaultConfig({
+      name: vaultName,
+      api_keys: [],
+      created_at: new Date().toISOString(),
+      description: "Scoped session brief.",
+    });
+
+    // Seed three schema-bearing tags. Cross-declarer indexed `status`
+    // exercises the same shape the JSON wrapper test pinned: scoped to
+    // `task`, the brief should mention `status` via `task` but never
+    // surface `project` or `person`.
+    const tools = generateScopedMcpTools(vaultName);
+    const updateTag = tools.find((t) => t.name === "update-tag")!;
+    await updateTag.execute({
+      tag: "task",
+      description: "A task",
+      fields: { status: { type: "string", indexed: true } },
+    });
+    await updateTag.execute({
+      tag: "project",
+      description: "A project",
+      fields: { status: { type: "string", indexed: true } },
+    });
+    await updateTag.execute({
+      tag: "person",
+      description: "A person",
+      fields: { email: { type: "string", indexed: true } },
+    });
+
+    const auth = {
+      permission: "full" as const,
+      scopes: ["vault:read", "vault:write", "vault:admin"],
+      legacyDerived: false,
+      scoped_tags: ["task"],
+    };
+    const md = await getServerInstruction(vaultName, auth as any);
+
+    // Allowlisted tag surfaces; out-of-scope tags do not. Use word-boundary
+    // regex — the static refresh-pointer text mentions "full projection"
+    // which contains the substring "project".
+    expect(md).toMatch(/\btask\b/);
+    expect(md).not.toMatch(/\bproject\b/);
+    expect(md).not.toMatch(/\bperson\b/);
+
+    // Indexed-field catalog: `status` survives (declared by `task`);
+    // `email` (person-only) is filtered out entirely.
+    expect(md).toMatch(/\bstatus\b/);
+    expect(md).not.toMatch(/\bemail\b/);
+
+    // Aggregate stats line still flows through unchanged — counts are
+    // pre-existing leak surface (per the rc.3 design discussion).
+    expect(md).toMatch(/\d+ note/);
+
+    closeAllStores();
+  });
+
+  test("getServerInstruction passes the full projection through for unscoped tokens (vault#271 fold 5)", async () => {
+    const { getServerInstruction, generateScopedMcpTools } = await import("./mcp-tools.ts");
+    const { writeVaultConfig } = await import("./config.ts");
+    const { closeAllStores } = await import("./vault-store.ts");
+
+    const vaultName = `instr-unscoped-${Date.now()}`;
+    writeVaultConfig({ name: vaultName, api_keys: [], created_at: new Date().toISOString() });
+
+    const tools = generateScopedMcpTools(vaultName);
+    const updateTag = tools.find((t) => t.name === "update-tag")!;
+    await updateTag.execute({
+      tag: "task",
+      description: "A task",
+      fields: { status: { type: "string" } },
+    });
+    await updateTag.execute({
+      tag: "project",
+      description: "A project",
+      fields: { priority: { type: "integer" } },
+    });
+
+    // No `auth` arg → no scoping applied, full projection rendered.
+    const md = await getServerInstruction(vaultName);
+    expect(md).toContain("task");
+    expect(md).toContain("project");
+    expect(md).toContain("tags with schemas");
+    // Same for explicit auth with `scoped_tags: null`.
+    const mdNullScoped = await getServerInstruction(vaultName, {
+      permission: "full",
+      scopes: ["vault:read"],
+      legacyDerived: false,
+      scoped_tags: null,
+    } as any);
+    expect(mdNullScoped).toContain("task");
+    expect(mdNullScoped).toContain("project");
+
+    closeAllStores();
+  });
+
+  test("MCP initialize response carries scope-filtered instructions for tag-scoped tokens (vault#271 fold 5)", async () => {
+    const { handleScopedMcp } = await import("./mcp-http.ts");
+    const { generateScopedMcpTools } = await import("./mcp-tools.ts");
+    const { writeVaultConfig } = await import("./config.ts");
+    const { closeAllStores } = await import("./vault-store.ts");
+
+    const vaultName = `init-scoped-${Date.now()}`;
+    writeVaultConfig({ name: vaultName, api_keys: [], created_at: new Date().toISOString() });
+
+    // Same fixture shape as the unit test, but driven through the actual
+    // `handleScopedMcp` initialize path the MCP client invokes at session
+    // start. The reviewer asked for an integration assertion on the
+    // `instructions` field carried in the `initialize` response.
+    const tools = generateScopedMcpTools(vaultName);
+    const updateTag = tools.find((t) => t.name === "update-tag")!;
+    await updateTag.execute({
+      tag: "task",
+      description: "A task",
+      fields: { status: { type: "string" } },
+    });
+    await updateTag.execute({
+      tag: "project",
+      description: "A project",
+      fields: { priority: { type: "integer" } },
+    });
+
+    const req = new Request(`http://localhost:1940/vault/${vaultName}/mcp`, {
+      method: "POST",
+      headers: {
+        "content-type": "application/json",
+        "accept": "application/json, text/event-stream",
+      },
+      body: JSON.stringify({
+        jsonrpc: "2.0",
+        id: 1,
+        method: "initialize",
+        params: {
+          protocolVersion: "2024-11-05",
+          capabilities: {},
+          clientInfo: { name: "test", version: "1.0" },
+        },
+      }),
+    });
+
+    const res = await handleScopedMcp(req, vaultName, {
+      permission: "full",
+      scopes: ["vault:read", "vault:write", "vault:admin"],
+      legacyDerived: false,
+      scoped_tags: ["task"],
+    } as any);
+    expect(res.status).toBe(200);
+
+    const body = await res.json() as any;
+    const instructions: string = body.result.instructions;
+    expect(instructions).toBeTruthy();
+    // Word-boundary match — the static refresh text mentions "full
+    // projection" which would false-trigger a substring check.
+    expect(instructions).toMatch(/\btask\b/);
+    expect(instructions).not.toMatch(/\bproject\b/);
+
+    closeAllStores();
+  });
+
   test("list-tags with schema returns per-tag detail", async () => {
     const { generateScopedMcpTools } = await import("./mcp-tools.ts");
     const { writeVaultConfig } = await import("./config.ts");
@@ -798,6 +1146,93 @@ describe("scoped MCP wrapper", async () => {
     closeAllStores();
   });
 
+  test("scoped vault-info filters projection.tags + indexed_fields to the allowlist (vault#271 fold)", async () => {
+    const { generateScopedMcpTools } = await import("./mcp-tools.ts");
+    const { writeVaultConfig } = await import("./config.ts");
+    const { getVaultStore, closeAllStores } = await import("./vault-store.ts");
+
+    const vaultName = `tagscope-vault-info-${Date.now()}`;
+    writeVaultConfig({ name: vaultName, api_keys: [], created_at: new Date().toISOString() });
+
+    // Seed two schema-bearing tags. `task` and `project` BOTH declare a
+    // shared indexed `status` field — this exercises the cross-declarer
+    // case the reviewer called out: a token scoped to `task` should see
+    // `status` (because task is a declarer) but the entry's `tags` array
+    // must list only `task`, not `project`.
+    const unscopedTools = generateScopedMcpTools(vaultName);
+    const updateTag = unscopedTools.find((t) => t.name === "update-tag")!;
+    await updateTag.execute({
+      tag: "task",
+      description: "A task",
+      fields: { status: { type: "string", indexed: true } },
+    });
+    await updateTag.execute({
+      tag: "project",
+      description: "A project",
+      fields: {
+        status: { type: "string", indexed: true },
+        priority: { type: "integer", indexed: true },
+      },
+    });
+
+    // Now mint scoped tools, scoped to `task` only.
+    const tools = generateScopedMcpTools(vaultName, authForTags(["task"]) as any);
+    const vaultInfo = tools.find((t) => t.name === "vault-info")!;
+    const result = await vaultInfo.execute({}) as any;
+
+    // tags array: only `task`, not `project`.
+    const tagNames = (result.tags as { name: string }[]).map((t) => t.name);
+    expect(tagNames).toContain("task");
+    expect(tagNames).not.toContain("project");
+
+    // indexed_fields: `status` survives (task is a declarer), `priority`
+    // dropped entirely (only project declared it).
+    const indexedNames = (result.indexed_fields as { name: string }[]).map((f) => f.name);
+    expect(indexedNames).toContain("status");
+    expect(indexedNames).not.toContain("priority");
+
+    // Cross-declarer attribution leak: `status` lists declarer tags. The
+    // scoped response must show only `task`, never the out-of-scope
+    // `project`.
+    const status = (result.indexed_fields as { name: string; tags: string[] }[]).find(
+      (f) => f.name === "status",
+    )!;
+    expect(status.tags).toEqual(["task"]);
+
+    // Top-level passthrough sanity: name, description, and query_hints are
+    // not tag-scoped surfaces — they must still flow through.
+    expect(result.name).toBe(vaultName);
+    expect(Array.isArray(result.query_hints)).toBe(true);
+    expect((result.query_hints as string[]).length).toBeGreaterThan(0);
+
+    closeAllStores();
+  });
+
+  test("unscoped vault-info still sees the full projection (vault#271 fold)", async () => {
+    const { generateScopedMcpTools } = await import("./mcp-tools.ts");
+    const { writeVaultConfig } = await import("./config.ts");
+    const { getVaultStore, closeAllStores } = await import("./vault-store.ts");
+
+    const vaultName = `tagscope-vault-info-unscoped-${Date.now()}`;
+    writeVaultConfig({ name: vaultName, api_keys: [], created_at: new Date().toISOString() });
+
+    const tools0 = generateScopedMcpTools(vaultName);
+    const updateTag = tools0.find((t) => t.name === "update-tag")!;
+    await updateTag.execute({ tag: "task", description: "T", fields: { status: { type: "string", indexed: true } } });
+    await updateTag.execute({ tag: "project", description: "P", fields: { status: { type: "string", indexed: true } } });
+
+    // No `auth` and no `scoped_tags` — unscoped path must remain
+    // identical to pre-fold behavior (full projection).
+    const tools = generateScopedMcpTools(vaultName);
+    const result = await tools.find((t) => t.name === "vault-info")!.execute({}) as any;
+    const tagNames = (result.tags as { name: string }[]).map((t) => t.name);
+    expect(tagNames.sort()).toEqual(["project", "task"]);
+    const status = (result.indexed_fields as { name: string; tags: string[] }[]).find((f) => f.name === "status")!;
+    expect(status.tags.sort()).toEqual(["project", "task"]);
+
+    closeAllStores();
+  });
+
   test("scoped create-note rejects a note whose tags fall outside the allowlist", async () => {
     const { generateScopedMcpTools } = await import("./mcp-tools.ts");
     const { writeVaultConfig } = await import("./config.ts");
@@ -1115,6 +1550,31 @@ describe("HTTP /notes", async () => {
     expect(body.map((n) => n.content)).toEqual(["plain"]);
   });
 
+  // ---- updated_at filter via date_field (vault#285 friction point 1.5) ----
+  //
+  // HTTP plumbing routes `date_field=updated_at&date_from=…` straight to
+  // the core `dateFilter` resolver, which now recognizes `updated_at` as
+  // a real column. Smoke-tests the end-to-end HTTP path; the engine-side
+  // semantics are exercised in core.test.ts.
+  test("GET /notes?date_field=updated_at filters by last-write time", async () => {
+    const a = await store.createNote("untouched", { id: "ua", path: "ua" });
+    const b = await store.createNote("modified", { id: "ub", path: "ub" });
+    // Bump b's updated_at into the test window, leave a's at its createdAt.
+    db.prepare("UPDATE notes SET updated_at = ? WHERE id = ?")
+      .run("2026-01-15T00:00:00.000Z", a.id);
+    db.prepare("UPDATE notes SET updated_at = ? WHERE id = ?")
+      .run("2026-04-25T00:00:00.000Z", b.id);
+
+    const res = await handleNotes(
+      mkReq("GET", "/notes?date_field=updated_at&date_from=2026-04-01&include_content=true"),
+      store,
+      "",
+    );
+    expect(res.status).toBe(200);
+    const body = await res.json() as any[];
+    expect(body.map((n) => n.content)).toEqual(["modified"]);
+  });
+
   test("GET /notes?has_links=false returns only orphaned notes", async () => {
     const a = await store.createNote("src", { id: "qa" });
     const b = await store.createNote("tgt", { id: "qb" });
@@ -1567,46 +2027,418 @@ describe("HTTP /notes", async () => {
       expect(body).toHaveLength(500);
     });
   });
-});
 
-describe("HTTP GET /notes?format=graph", async () => {
-  test("returns nodes and edges for linked notes", async () => {
-    const a = await store.createNote("A", { id: "a", path: "People/Alice", tags: ["person"] });
-    const b = await store.createNote("B", { id: "b", path: "People/Bob", tags: ["person"] });
-    const c = await store.createNote("C", { id: "c", path: "Projects/X" });
-    await store.createLink("a", "b", "knows");
-    await store.createLink("a", "c", "works-on");
+  // ---- Bracket-style metadata filter (vault#285 friction point 1.3) ----
+  //
+  // Exposes vault's engine-level metadata-value filtering to HTTP REST
+  // callers (today: only MCP). Uses `meta[field][op]=value` (Stripe /
+  // JSON:API / Strapi convention). The HTTP layer translates to the engine's
+  // existing `metadata` filter; engine semantics + gates are unchanged.
+  // Bridges `created_at` / `updated_at` through `dateFilter`.
+  describe("bracket-style metadata filter", () => {
+    async function declareIndexed() {
+      const { declareField } = await import("../core/src/indexed-fields.ts");
+      declareField(db, "priority", "INTEGER", "project");
+      declareField(db, "status", "TEXT", "project");
+    }
 
-    const res = await handleNotes(
-      mkReq("GET", "/notes?format=graph&include_links=true"),
-      store,
-      "",
-    );
-    const body = await res.json() as any;
-    expect(body.nodes).toHaveLength(3);
-    expect(body.edges).toHaveLength(2);
-    // Nodes have id, path, tags
-    const alice = body.nodes.find((n: any) => n.id === "a");
-    expect(alice.path).toBe("People/Alice");
-    expect(alice.tags).toEqual(["person"]);
-    // Edges have source, target, relationship
-    expect(body.edges).toContainEqual({ source: "a", target: "b", relationship: "knows" });
-    expect(body.edges).toContainEqual({ source: "a", target: "c", relationship: "works-on" });
-  });
+    test("shorthand `?meta[field]=value` does exact equality (JSON scan, no indexed gate)", async () => {
+      // Deliberately NOT calling declareIndexed — shorthand should work on
+      // any field via the json_extract fallback at core/src/notes.ts:504-507.
+      await store.createNote("matches", { metadata: { kind: "draft" } });
+      await store.createNote("other", { metadata: { kind: "final" } });
+      const res = await handleNotes(
+        mkReq("GET", "/notes?meta[kind]=draft&include_content=true"),
+        store,
+        "",
+      );
+      expect(res.status).toBe(200);
+      const body = await res.json() as any[];
+      expect(body.map((n) => n.content)).toEqual(["matches"]);
+    });
 
-  test("returns empty edges when include_links is not set", async () => {
-    await store.createNote("A", { id: "a" });
-    await store.createNote("B", { id: "b" });
-    await store.createLink("a", "b", "ref");
+    test("eq operator on indexed field", async () => {
+      await declareIndexed();
+      await store.createNote("p5", { metadata: { priority: 5 } });
+      await store.createNote("p1", { metadata: { priority: 1 } });
+      const res = await handleNotes(
+        mkReq("GET", "/notes?meta[priority][eq]=5&include_content=true"),
+        store,
+        "",
+      );
+      const body = await res.json() as any[];
+      expect(body.map((n) => n.content)).toEqual(["p5"]);
+    });
 
-    const res = await handleNotes(
-      mkReq("GET", "/notes?format=graph"),
-      store,
-      "",
-    );
-    const body = await res.json() as any;
-    expect(body.nodes).toHaveLength(2);
-    expect(body.edges).toHaveLength(0);
+    test("ne operator returns non-matching rows plus rows without the field", async () => {
+      await declareIndexed();
+      await store.createNote("has-1", { metadata: { priority: 1 } });
+      await store.createNote("has-2", { metadata: { priority: 2 } });
+      await store.createNote("missing");
+      const res = await handleNotes(
+        mkReq("GET", "/notes?meta[priority][ne]=1&include_content=true"),
+        store,
+        "",
+      );
+      const body = await res.json() as any[];
+      expect(body.map((n) => n.content).sort()).toEqual(["has-2", "missing"]);
+    });
+
+    test("gt / gte / lt / lte compose into a range query on one field", async () => {
+      await declareIndexed();
+      for (const p of [1, 2, 3, 4, 5]) {
+        await store.createNote(`p${p}`, { metadata: { priority: p } });
+      }
+      const res = await handleNotes(
+        mkReq("GET", "/notes?meta[priority][gte]=2&meta[priority][lt]=5&include_content=true"),
+        store,
+        "",
+      );
+      const body = await res.json() as any[];
+      expect(body.map((n) => n.content).sort()).toEqual(["p2", "p3", "p4"]);
+    });
+
+    test("in array form: `?meta[field][in][]=v1&meta[field][in][]=v2`", async () => {
+      await declareIndexed();
+      await store.createNote("a", { metadata: { status: "active" } });
+      await store.createNote("b", { metadata: { status: "exploring" } });
+      await store.createNote("c", { metadata: { status: "done" } });
+      const res = await handleNotes(
+        mkReq("GET", "/notes?meta[status][in][]=active&meta[status][in][]=exploring&include_content=true"),
+        store,
+        "",
+      );
+      const body = await res.json() as any[];
+      expect(body.map((n) => n.content).sort()).toEqual(["a", "b"]);
+    });
+
+    test("in comma form: `?meta[field][in]=v1,v2`", async () => {
+      await declareIndexed();
+      await store.createNote("a", { metadata: { status: "active" } });
+      await store.createNote("b", { metadata: { status: "exploring" } });
+      await store.createNote("c", { metadata: { status: "done" } });
+      const res = await handleNotes(
+        mkReq("GET", "/notes?meta[status][in]=active,exploring&include_content=true"),
+        store,
+        "",
+      );
+      const body = await res.json() as any[];
+      expect(body.map((n) => n.content).sort()).toEqual(["a", "b"]);
+    });
+
+    test("not_in via comma form", async () => {
+      await declareIndexed();
+      await store.createNote("a", { metadata: { status: "active" } });
+      await store.createNote("b", { metadata: { status: "done" } });
+      const res = await handleNotes(
+        mkReq("GET", "/notes?meta[status][not_in]=done&include_content=true"),
+        store,
+        "",
+      );
+      const body = await res.json() as any[];
+      expect(body.map((n) => n.content)).toEqual(["a"]);
+    });
+
+    test("exists: true / false distinguishes present vs absent field", async () => {
+      await declareIndexed();
+      await store.createNote("has", { metadata: { priority: 3 } });
+      await store.createNote("missing");
+
+      const hasRes = await handleNotes(
+        mkReq("GET", "/notes?meta[priority][exists]=true&include_content=true"),
+        store,
+        "",
+      );
+      const hasBody = await hasRes.json() as any[];
+      expect(hasBody.map((n) => n.content)).toEqual(["has"]);
+
+      const missingRes = await handleNotes(
+        mkReq("GET", "/notes?meta[priority][exists]=false&include_content=true"),
+        store,
+        "",
+      );
+      const missingBody = await missingRes.json() as any[];
+      expect(missingBody.map((n) => n.content)).toEqual(["missing"]);
+    });
+
+    test("exists with non-boolean value rejects with INVALID_OPERATOR_VALUE", async () => {
+      await declareIndexed();
+      const res = await handleNotes(
+        mkReq("GET", "/notes?meta[priority][exists]=yes"),
+        store,
+        "",
+      );
+      expect(res.status).toBe(400);
+      const body = await res.json() as any;
+      expect(body.code).toBe("INVALID_OPERATOR_VALUE");
+    });
+
+    test("compound filter across two fields ANDs together", async () => {
+      await declareIndexed();
+      await store.createNote("hit", { metadata: { priority: 5, status: "active" } });
+      await store.createNote("priority-only", { metadata: { priority: 5, status: "done" } });
+      await store.createNote("status-only", { metadata: { priority: 1, status: "active" } });
+      const res = await handleNotes(
+        mkReq("GET", "/notes?meta[priority][gte]=4&meta[status][eq]=active&include_content=true"),
+        store,
+        "",
+      );
+      const body = await res.json() as any[];
+      expect(body.map((n) => n.content)).toEqual(["hit"]);
+    });
+
+    test("operator query on a non-indexed field returns 400 with FIELD_NOT_INDEXED", async () => {
+      // Don't declare the field — the engine's indexed-field gate should fire.
+      await store.createNote("x", { metadata: { mood: "great" } });
+      const res = await handleNotes(
+        mkReq("GET", "/notes?meta[mood][eq]=great"),
+        store,
+        "",
+      );
+      expect(res.status).toBe(400);
+      const body = await res.json() as any;
+      expect(body.code).toBe("FIELD_NOT_INDEXED");
+    });
+
+    test("unknown operator returns 400 with UNKNOWN_OPERATOR", async () => {
+      await declareIndexed();
+      const res = await handleNotes(
+        mkReq("GET", "/notes?meta[priority][bogus]=5"),
+        store,
+        "",
+      );
+      expect(res.status).toBe(400);
+      const body = await res.json() as any;
+      expect(body.code).toBe("UNKNOWN_OPERATOR");
+    });
+
+    // ---- Bridge: created_at / updated_at via brackets route to dateFilter ----
+    test("`meta[created_at][gte]=…` routes to dateFilter (same result as flat date_field)", async () => {
+      await store.createNote("old", { created_at: "2026-01-15T00:00:00.000Z" });
+      await store.createNote("new", { created_at: "2026-04-15T00:00:00.000Z" });
+
+      const bracketRes = await handleNotes(
+        mkReq("GET", "/notes?meta[created_at][gte]=2026-04-01&include_content=true"),
+        store,
+        "",
+      );
+      const bracketBody = await bracketRes.json() as any[];
+      const flatRes = await handleNotes(
+        mkReq("GET", "/notes?date_field=created_at&date_from=2026-04-01&include_content=true"),
+        store,
+        "",
+      );
+      const flatBody = await flatRes.json() as any[];
+      expect(bracketBody.map((n) => n.content)).toEqual(["new"]);
+      expect(bracketBody.map((n) => n.content)).toEqual(flatBody.map((n) => n.content));
+    });
+
+    test("`meta[updated_at][gte]=…` routes to dateFilter on n.updated_at", async () => {
+      const a = await store.createNote("untouched");
+      const b = await store.createNote("modified");
+      db.prepare("UPDATE notes SET updated_at = ? WHERE id = ?")
+        .run("2026-01-15T00:00:00.000Z", a.id);
+      db.prepare("UPDATE notes SET updated_at = ? WHERE id = ?")
+        .run("2026-04-25T00:00:00.000Z", b.id);
+      const res = await handleNotes(
+        mkReq("GET", "/notes?meta[updated_at][gte]=2026-04-01&include_content=true"),
+        store,
+        "",
+      );
+      const body = await res.json() as any[];
+      expect(body.map((n) => n.content)).toEqual(["modified"]);
+    });
+
+    test("`meta[created_at][lt]=…` maps to dateFilter's exclusive upper bound", async () => {
+      await store.createNote("inside", { created_at: "2026-04-15T00:00:00.000Z" });
+      await store.createNote("on-boundary", { created_at: "2026-05-01T00:00:00.000Z" });
+      const res = await handleNotes(
+        mkReq("GET", "/notes?meta[created_at][lt]=2026-05-01&include_content=true"),
+        store,
+        "",
+      );
+      const body = await res.json() as any[];
+      // "on-boundary" excluded because `< to` is half-open by design.
+      expect(body.map((n) => n.content)).toEqual(["inside"]);
+    });
+
+    test("unsupported date-column operator (e.g. gt) rejects with a guiding error", async () => {
+      const res = await handleNotes(
+        mkReq("GET", "/notes?meta[created_at][gt]=2026-01-01"),
+        store,
+        "",
+      );
+      expect(res.status).toBe(400);
+      const body = await res.json() as any;
+      expect(body.code).toBe("INVALID_QUERY");
+      // Error must call out the supported ops so callers can self-correct.
+      expect(body.error).toContain("gte");
+      expect(body.error).toContain("lt");
+    });
+
+    test("`meta[created_at]=…` (shorthand, no operator) rejects with a guiding error", async () => {
+      const res = await handleNotes(
+        mkReq("GET", "/notes?meta[created_at]=2026-01-01"),
+        store,
+        "",
+      );
+      expect(res.status).toBe(400);
+      const body = await res.json() as any;
+      expect(body.code).toBe("INVALID_QUERY");
+      expect(body.error).toContain("operator");
+    });
+
+    // ---- Mutually-exclusive shapes that would silently corrupt input ----
+
+    test("bracket-date filter spanning created_at AND updated_at in one request rejects (vault#289 F1)", async () => {
+      // Before this guard, the parser flattened both columns onto a single
+      // `dateBucket.field`, so the second column silently won and the first
+      // column's bound was applied against the wrong column.
+      const res = await handleNotes(
+        mkReq(
+          "GET",
+          "/notes?meta[created_at][gte]=2026-04-01&meta[updated_at][lt]=2026-06-01",
+        ),
+        store,
+        "",
+      );
+      expect(res.status).toBe(400);
+      const body = await res.json() as any;
+      expect(body.code).toBe("INVALID_QUERY");
+      expect(body.error).toContain("cannot span");
+      expect(body.error).toContain("created_at");
+      expect(body.error).toContain("updated_at");
+    });
+
+    test("two bracket-date params on the same column compose into a range (regression)", async () => {
+      // The F1 guard must reject *different* columns only — same-column
+      // gte+lt is the canonical range case and must keep working.
+      await store.createNote("in-window", { created_at: "2026-04-15T00:00:00.000Z" });
+      await store.createNote("after-window", { created_at: "2026-05-15T00:00:00.000Z" });
+      await store.createNote("before-window", { created_at: "2026-03-15T00:00:00.000Z" });
+      const res = await handleNotes(
+        mkReq(
+          "GET",
+          "/notes?meta[created_at][gte]=2026-04-01&meta[created_at][lt]=2026-05-01&include_content=true",
+        ),
+        store,
+        "",
+      );
+      expect(res.status).toBe(200);
+      const body = await res.json() as any[];
+      expect(body.map((n) => n.content)).toEqual(["in-window"]);
+    });
+
+    test("shorthand-then-operator on the same field rejects (vault#289 F2)", async () => {
+      // `URLSearchParams` iteration is insertion-order. Before this guard,
+      // shorthand wrote `metadata[field] = primitive`, then the operator
+      // handler called `metaOpBucket` which overwrote it with a fresh op
+      // object — the shorthand was silently dropped.
+      await declareIndexed();
+      const res = await handleNotes(
+        mkReq("GET", "/notes?meta[priority]=5&meta[priority][gte]=3"),
+        store,
+        "",
+      );
+      expect(res.status).toBe(400);
+      const body = await res.json() as any;
+      expect(body.code).toBe("INVALID_QUERY");
+      expect(body.error).toContain("mix shorthand and operator");
+    });
+
+    test("operator-then-shorthand on the same field rejects (vault#289 F2, reverse order)", async () => {
+      // Reverse insertion order. Before this guard, the operator was set
+      // first, then the shorthand wrote `metadata[field] = primitive` and
+      // clobbered the op bucket — operator silently dropped.
+      await declareIndexed();
+      const res = await handleNotes(
+        mkReq("GET", "/notes?meta[priority][gte]=3&meta[priority]=5"),
+        store,
+        "",
+      );
+      expect(res.status).toBe(400);
+      const body = await res.json() as any;
+      expect(body.code).toBe("INVALID_QUERY");
+      expect(body.error).toContain("mix shorthand and operator");
+    });
+
+    test("`[]` array form on a non-array operator rejects at the parser layer (vault#289 F4)", async () => {
+      // `meta[field][eq][]=value` is a shape error — `eq` takes a scalar.
+      // The engine would also catch this (the value would be an array
+      // SQLite can't bind), but the parser-level error names the issue
+      // more precisely: "use single-value form for `eq`."
+      const res = await handleNotes(
+        mkReq("GET", "/notes?meta[priority][eq][]=5"),
+        store,
+        "",
+      );
+      expect(res.status).toBe(400);
+      const body = await res.json() as any;
+      expect(body.code).toBe("INVALID_OPERATOR_VALUE");
+      expect(body.error).toContain("array form");
+      expect(body.error).toContain("in");
+      expect(body.error).toContain("not_in");
+    });
+
+    // ---- Precedence on overlap ----
+    test("when both flat and bracket date params overlap, bracket wins", async () => {
+      await store.createNote("old", { created_at: "2026-01-15T00:00:00.000Z" });
+      await store.createNote("new", { created_at: "2026-04-15T00:00:00.000Z" });
+      // Bracket says "from 2026-04-01"; flat says "from 2020-01-01". If
+      // flat won, both notes would match. The bracket-wins precedence is
+      // verified by getting back only the post-April note.
+      const res = await handleNotes(
+        mkReq(
+          "GET",
+          "/notes?meta[created_at][gte]=2026-04-01&date_field=created_at&date_from=2020-01-01&include_content=true",
+        ),
+        store,
+        "",
+      );
+      const body = await res.json() as any[];
+      expect(body.map((n) => n.content)).toEqual(["new"]);
+    });
+  });
+});
+
+describe("HTTP GET /notes?format=graph", async () => {
+  test("returns nodes and edges for linked notes", async () => {
+    const a = await store.createNote("A", { id: "a", path: "People/Alice", tags: ["person"] });
+    const b = await store.createNote("B", { id: "b", path: "People/Bob", tags: ["person"] });
+    const c = await store.createNote("C", { id: "c", path: "Projects/X" });
+    await store.createLink("a", "b", "knows");
+    await store.createLink("a", "c", "works-on");
+
+    const res = await handleNotes(
+      mkReq("GET", "/notes?format=graph&include_links=true"),
+      store,
+      "",
+    );
+    const body = await res.json() as any;
+    expect(body.nodes).toHaveLength(3);
+    expect(body.edges).toHaveLength(2);
+    // Nodes have id, path, tags
+    const alice = body.nodes.find((n: any) => n.id === "a");
+    expect(alice.path).toBe("People/Alice");
+    expect(alice.tags).toEqual(["person"]);
+    // Edges have source, target, relationship
+    expect(body.edges).toContainEqual({ source: "a", target: "b", relationship: "knows" });
+    expect(body.edges).toContainEqual({ source: "a", target: "c", relationship: "works-on" });
+  });
+
+  test("returns empty edges when include_links is not set", async () => {
+    await store.createNote("A", { id: "a" });
+    await store.createNote("B", { id: "b" });
+    await store.createLink("a", "b", "ref");
+
+    const res = await handleNotes(
+      mkReq("GET", "/notes?format=graph"),
+      store,
+      "",
+    );
+    const body = await res.json() as any;
+    expect(body.nodes).toHaveLength(2);
+    expect(body.edges).toHaveLength(0);
   });
 
   test("composes with near param for subgraph", async () => {
@@ -1918,6 +2750,180 @@ describe("HTTP PATCH /notes/:idOrPath (update)", async () => {
     // Source note unchanged
     expect((await store.getNote("a"))!.path).toBe("alpha");
   });
+
+  // ---- include_content response-shape opt-out (vault#285 friction point 2.response) ----
+  test("PATCH defaults to returning the full Note (back-compat)", async () => {
+    await store.createNote("body", { id: "x" });
+    const res = await handleNotes(
+      mkReq("PATCH", "/notes/x", { content: "updated", force: true }),
+      store,
+      "/x",
+    );
+    expect(res.status).toBe(200);
+    const body = await res.json() as any;
+    expect(body.content).toBe("updated");
+    expect(body.byteSize).toBeUndefined();
+    expect(body.preview).toBeUndefined();
+  });
+
+  test("PATCH with include_content: false returns the lean NoteIndex shape", async () => {
+    const longBody = "x".repeat(2_000);
+    await store.createNote(longBody, { id: "big", path: "big" });
+    const res = await handleNotes(
+      mkReq("PATCH", "/notes/big", { append: " edit", include_content: false }),
+      store,
+      "/big",
+    );
+    expect(res.status).toBe(200);
+    const body = await res.json() as any;
+    expect(body.content).toBeUndefined();
+    expect(typeof body.byteSize).toBe("number");
+    expect(body.byteSize).toBe(2_000 + 5);
+    expect(typeof body.preview).toBe("string");
+    expect(body.id).toBe("big");
+    expect(body.path).toBe("big");
+  });
+
+  // vault#287 — HTTP must match MCP on validation_status attachment.
+  // Pre-#287 fix: MCP `update-note` attached validation_status; HTTP
+  // PATCH didn't. HTTP consumers using schema-validated vaults had no
+  // way to see schema warnings without re-reading + replaying validation
+  // client-side. These tests pin the symmetry on both response shapes
+  // (`include_content: true` and `false`) and confirm the no-schema
+  // case still returns no validation_status (advisory only — never
+  // forced onto vaults that don't declare fields).
+
+  test("PATCH attaches validation_status with enum_mismatch warning when tag schema is violated", async () => {
+    await store.upsertTagSchema("task287patch", {
+      fields: { priority: { type: "string", enum: ["high", "low"] } },
+    });
+    const note = await store.createNote("body", {
+      id: "p287a",
+      tags: ["task287patch"],
+      metadata: { priority: "high" },
+    });
+    const res = await handleNotes(
+      mkReq("PATCH", "/notes/p287a", {
+        metadata: { priority: "ULTRA" },
+        if_updated_at: note.updatedAt,
+      }),
+      store,
+      "/p287a",
+    );
+    expect(res.status).toBe(200);
+    const body = await res.json() as any;
+    // The write still lands — validation is advisory.
+    expect(body.metadata.priority).toBe("ULTRA");
+    // …but the response carries the warning so the HTTP caller knows.
+    expect(body.validation_status).toBeTruthy();
+    expect(body.validation_status.schemas).toContain("task287patch");
+    expect(body.validation_status.warnings.length).toBeGreaterThan(0);
+    expect(body.validation_status.warnings[0].reason).toBe("enum_mismatch");
+    expect(body.validation_status.warnings[0].field).toBe("priority");
+  });
+
+  test("PATCH preserves validation_status on the lean (include_content: false) response", async () => {
+    await store.upsertTagSchema("task287lean", {
+      fields: { priority: { type: "string", enum: ["high", "low"] } },
+    });
+    const note = await store.createNote("body", {
+      id: "p287b",
+      tags: ["task287lean"],
+      metadata: { priority: "high" },
+    });
+    const res = await handleNotes(
+      mkReq("PATCH", "/notes/p287b", {
+        metadata: { priority: "ULTRA" },
+        include_content: false,
+        if_updated_at: note.updatedAt,
+      }),
+      store,
+      "/p287b",
+    );
+    expect(res.status).toBe(200);
+    const body = await res.json() as any;
+    // Lean shape: no `content`, has `byteSize` + `preview`.
+    expect(body.content).toBeUndefined();
+    expect(typeof body.byteSize).toBe("number");
+    // …and validation_status survives the lean conversion.
+    expect(body.validation_status).toBeTruthy();
+    expect(body.validation_status.warnings[0].reason).toBe("enum_mismatch");
+  });
+
+  test("PATCH omits validation_status when no tag on the note declares fields", async () => {
+    // No tag schemas configured for this note — the response should look
+    // exactly like the pre-#287 shape (no validation_status). The behavior-
+    // unchanged guarantee for callers that don't use tag schemas.
+    await store.createNote("body", { id: "p287c", tags: ["plain"] });
+    const res = await handleNotes(
+      mkReq("PATCH", "/notes/p287c", { content: "updated", force: true }),
+      store,
+      "/p287c",
+    );
+    expect(res.status).toBe(200);
+    const body = await res.json() as any;
+    expect(body.content).toBe("updated");
+    expect(body.validation_status).toBeUndefined();
+  });
+});
+
+describe("HTTP POST /notes — validation_status attachment (vault#287)", async () => {
+  // Mirror of the PATCH cases for create. The MCP create-note path
+  // attaches validation_status; HTTP POST must match (vault#287).
+
+  test("POST attaches validation_status with type_mismatch warning", async () => {
+    await store.upsertTagSchema("task287post", {
+      fields: { done: { type: "boolean" } },
+    });
+    const res = await handleNotes(
+      mkReq("POST", "/notes", {
+        content: "x",
+        tags: ["task287post"],
+        metadata: { done: "yes" }, // wrong type
+      }),
+      store,
+      "",
+    );
+    expect(res.status).toBe(201);
+    const body = await res.json() as any;
+    expect(body.id).toBeTruthy();
+    expect(body.validation_status).toBeTruthy();
+    expect(body.validation_status.warnings[0].reason).toBe("type_mismatch");
+    expect(body.validation_status.warnings[0].field).toBe("done");
+  });
+
+  test("POST batch attaches validation_status per-note", async () => {
+    await store.upsertTagSchema("task287batch", {
+      fields: { priority: { type: "string", enum: ["high", "low"] } },
+    });
+    const res = await handleNotes(
+      mkReq("POST", "/notes", {
+        notes: [
+          { content: "good", tags: ["task287batch"], metadata: { priority: "high" } },
+          { content: "bad", tags: ["task287batch"], metadata: { priority: "ULTRA" } },
+        ],
+      }),
+      store,
+      "",
+    );
+    expect(res.status).toBe(201);
+    const body = await res.json() as any[];
+    expect(body).toHaveLength(2);
+    expect(body[0].validation_status.warnings).toEqual([]);
+    expect(body[1].validation_status.warnings[0].reason).toBe("enum_mismatch");
+  });
+
+  test("POST omits validation_status when no tag declares fields (back-compat)", async () => {
+    const res = await handleNotes(
+      mkReq("POST", "/notes", { content: "no schema here", tags: ["plain287"] }),
+      store,
+      "",
+    );
+    expect(res.status).toBe(201);
+    const body = await res.json() as any;
+    expect(body.id).toBeTruthy();
+    expect(body.validation_status).toBeUndefined();
+  });
 });
 
 describe("HTTP /tags", async () => {
@@ -1986,7 +2992,7 @@ describe("HTTP /tags", async () => {
     );
     expect(res.status).toBe(200);
     const body = await res.json() as any;
-    expect(body).toEqual({ renamed: 2 });
+    expect(body).toMatchObject({ renamed: 2, sub_tags_renamed: 0 });
     expect((await store.getNote(n1.id))!.tags).toEqual(["memo"]);
     expect((await store.getNote(n2.id))!.tags?.sort()).toEqual(["keeper", "memo"]);
   });
@@ -2086,293 +3092,6 @@ describe("HTTP /tags", async () => {
   });
 });
 
-describe("HTTP /note-schemas", async () => {
-  test("PUT /note-schemas/:name creates a schema", async () => {
-    const res = await handleNoteSchemas(
-      mkReq("PUT", "/note-schemas/task", {
-        description: "A task",
-        fields: { priority: { type: "string", enum: ["high", "low"] } },
-        required: ["priority"],
-      }),
-      store,
-      "/task",
-    );
-    expect(res.status).toBe(200);
-    const body = await res.json() as any;
-    expect(body.name).toBe("task");
-    expect(body.description).toBe("A task");
-    expect(body.required).toEqual(["priority"]);
-  });
-
-  test("GET /note-schemas lists all schemas", async () => {
-    await store.upsertNoteSchema("task", { description: "t" });
-    await store.upsertNoteSchema("project", { description: "p" });
-    const res = await handleNoteSchemas(mkReq("GET", "/note-schemas"), store);
-    const body = await res.json() as any[];
-    const names = body.map((s) => s.name).sort();
-    expect(names).toEqual(["project", "task"]);
-  });
-
-  test("GET /note-schemas?include_mappings=true inlines mappings per schema", async () => {
-    await store.upsertNoteSchema("task", {});
-    await store.setSchemaMapping("task", "tag", "task");
-    const res = await handleNoteSchemas(
-      mkReq("GET", "/note-schemas?include_mappings=true"),
-      store,
-    );
-    const body = await res.json() as any[];
-    const task = body.find((s) => s.name === "task");
-    expect(task.mappings).toEqual([{ schema_name: "task", match_kind: "tag", match_value: "task" }]);
-  });
-
-  test("GET /note-schemas/:name returns the schema and its mappings", async () => {
-    await store.upsertNoteSchema("task", { description: "A task" });
-    await store.setSchemaMapping("task", "tag", "task");
-    const res = await handleNoteSchemas(mkReq("GET", "/note-schemas/task"), store, "/task");
-    expect(res.status).toBe(200);
-    const body = await res.json() as any;
-    expect(body.name).toBe("task");
-    expect(body.mappings.length).toBe(1);
-  });
-
-  test("GET /note-schemas/:name returns 404 when missing", async () => {
-    const res = await handleNoteSchemas(mkReq("GET", "/note-schemas/missing"), store, "/missing");
-    expect(res.status).toBe(404);
-  });
-
-  test("PUT /note-schemas/:name with required: [] clears required", async () => {
-    await store.upsertNoteSchema("task", { required: ["a"] });
-    const res = await handleNoteSchemas(
-      mkReq("PUT", "/note-schemas/task", { required: [] }),
-      store,
-      "/task",
-    );
-    const body = await res.json() as any;
-    expect(body.required).toBeNull();
-  });
-
-  test("PUT /note-schemas/:name returns 400 when required isn't an array", async () => {
-    const res = await handleNoteSchemas(
-      mkReq("PUT", "/note-schemas/task", { required: "priority" }),
-      store,
-      "/task",
-    );
-    expect(res.status).toBe(400);
-  });
-
-  test("DELETE /note-schemas/:name removes schema (and cascades mappings)", async () => {
-    await store.upsertNoteSchema("task", {});
-    await store.setSchemaMapping("task", "tag", "task");
-    const res = await handleNoteSchemas(mkReq("DELETE", "/note-schemas/task"), store, "/task");
-    expect(res.status).toBe(200);
-    expect(await store.getNoteSchema("task")).toBeNull();
-    expect(await store.listSchemaMappings({ schema_name: "task" })).toEqual([]);
-  });
-
-  test("POST /note-schemas/:name/mappings adds a mapping", async () => {
-    await store.upsertNoteSchema("task", {});
-    const res = await handleNoteSchemas(
-      mkReq("POST", "/note-schemas/task/mappings", { match_kind: "tag", match_value: "task" }),
-      store,
-      "/task/mappings",
-    );
-    expect(res.status).toBe(201);
-    expect((await store.listSchemaMappings({ schema_name: "task" })).length).toBe(1);
-  });
-
-  test("POST /note-schemas/:name/mappings returns 400 on bad match_kind", async () => {
-    await store.upsertNoteSchema("task", {});
-    const res = await handleNoteSchemas(
-      mkReq("POST", "/note-schemas/task/mappings", { match_kind: "BOGUS", match_value: "x" }),
-      store,
-      "/task/mappings",
-    );
-    expect(res.status).toBe(400);
-    const body = await res.json() as any;
-    expect(body.error_type).toBe("invalid_match_kind");
-  });
-
-  test("POST /note-schemas/:name/mappings returns 404 when schema doesn't exist", async () => {
-    const res = await handleNoteSchemas(
-      mkReq("POST", "/note-schemas/missing/mappings", { match_kind: "tag", match_value: "x" }),
-      store,
-      "/missing/mappings",
-    );
-    expect(res.status).toBe(404);
-  });
-
-  test("GET /note-schemas/:name/mappings lists mappings for a schema", async () => {
-    await store.upsertNoteSchema("task", {});
-    await store.setSchemaMapping("task", "tag", "task");
-    await store.setSchemaMapping("task", "path_prefix", "Tasks/");
-    const res = await handleNoteSchemas(
-      mkReq("GET", "/note-schemas/task/mappings"),
-      store,
-      "/task/mappings",
-    );
-    const body = await res.json() as any[];
-    expect(body.length).toBe(2);
-  });
-
-  test("DELETE /note-schemas/:name/mappings?match_kind=...&match_value=... removes one", async () => {
-    await store.upsertNoteSchema("task", {});
-    await store.setSchemaMapping("task", "tag", "task");
-    await store.setSchemaMapping("task", "path_prefix", "Tasks/");
-    const res = await handleNoteSchemas(
-      mkReq("DELETE", "/note-schemas/task/mappings?match_kind=tag&match_value=task"),
-      store,
-      "/task/mappings",
-    );
-    expect(res.status).toBe(200);
-    const body = await res.json() as any;
-    expect(body.deleted).toBe(true);
-    const remaining = await store.listSchemaMappings({ schema_name: "task" });
-    expect(remaining).toEqual([{ schema_name: "task", match_kind: "path_prefix", match_value: "Tasks/" }]);
-  });
-
-  test("DELETE /note-schemas/:name/mappings handles slash-containing path prefixes via query string", async () => {
-    await store.upsertNoteSchema("journal", {});
-    await store.setSchemaMapping("journal", "path_prefix", "journal/2026/");
-    const res = await handleNoteSchemas(
-      mkReq(
-        "DELETE",
-        `/note-schemas/journal/mappings?match_kind=path_prefix&match_value=${encodeURIComponent("journal/2026/")}`,
-      ),
-      store,
-      "/journal/mappings",
-    );
-    expect(res.status).toBe(200);
-    const body = await res.json() as any;
-    expect(body.deleted).toBe(true);
-  });
-
-  // Tag-scoped tokens enumerate `schema_mappings` through the same handler.
-  // Without these gates, a token allowlisted for `health` can both see and
-  // create `tag` mappings for tags outside its scope (e.g. `finance`). The
-  // path_prefix kind carries no tag-axis info and stays visible/writable.
-  describe("tag-scope", async () => {
-    const healthScope = { allowed: new Set(["health"]), raw: ["health"] };
-
-    test("GET /note-schemas?include_mappings filters out-of-scope tag mappings", async () => {
-      await store.upsertNoteSchema("task", {});
-      await store.setSchemaMapping("task", "tag", "health");
-      await store.setSchemaMapping("task", "tag", "finance");
-      await store.setSchemaMapping("task", "path_prefix", "Tasks/");
-      const res = await handleNoteSchemas(
-        mkReq("GET", "/note-schemas?include_mappings=true"),
-        store,
-        "",
-        healthScope,
-      );
-      const body = await res.json() as any[];
-      const task = body.find((s) => s.name === "task");
-      const kinds = task.mappings.map((m: any) => `${m.match_kind}:${m.match_value}`).sort();
-      expect(kinds).toEqual(["path_prefix:Tasks/", "tag:health"]);
-    });
-
-    test("GET /note-schemas/:name filters out-of-scope tag mappings", async () => {
-      await store.upsertNoteSchema("task", {});
-      await store.setSchemaMapping("task", "tag", "health");
-      await store.setSchemaMapping("task", "tag", "finance");
-      const res = await handleNoteSchemas(
-        mkReq("GET", "/note-schemas/task"),
-        store,
-        "/task",
-        healthScope,
-      );
-      const body = await res.json() as any;
-      expect(body.mappings.map((m: any) => m.match_value)).toEqual(["health"]);
-    });
-
-    test("GET /note-schemas/:name/mappings filters out-of-scope tag mappings", async () => {
-      await store.upsertNoteSchema("task", {});
-      await store.setSchemaMapping("task", "tag", "health");
-      await store.setSchemaMapping("task", "tag", "finance");
-      const res = await handleNoteSchemas(
-        mkReq("GET", "/note-schemas/task/mappings"),
-        store,
-        "/task/mappings",
-        healthScope,
-      );
-      const body = await res.json() as any[];
-      expect(body.map((m) => m.match_value)).toEqual(["health"]);
-    });
-
-    test("POST /:name/mappings rejects out-of-scope tag with 403", async () => {
-      await store.upsertNoteSchema("task", {});
-      const res = await handleNoteSchemas(
-        mkReq("POST", "/note-schemas/task/mappings", { match_kind: "tag", match_value: "finance" }),
-        store,
-        "/task/mappings",
-        healthScope,
-      );
-      expect(res.status).toBe(403);
-      const body = await res.json() as any;
-      expect(body.error_type).toBe("tag_scope_violation");
-      expect(await store.listSchemaMappings({ schema_name: "task" })).toEqual([]);
-    });
-
-    test("POST /:name/mappings accepts in-scope tag and string-form fallback descendant", async () => {
-      await store.upsertNoteSchema("task", {});
-      const inScope = await handleNoteSchemas(
-        mkReq("POST", "/note-schemas/task/mappings", { match_kind: "tag", match_value: "health" }),
-        store,
-        "/task/mappings",
-        healthScope,
-      );
-      expect(inScope.status).toBe(201);
-      // String-form fallback: `health/food` has root `health`, which is in
-      // the raw allowlist, so it's permitted even when no `_tags/health/food`
-      // schema declares the descendant relationship.
-      const descendant = await handleNoteSchemas(
-        mkReq("POST", "/note-schemas/task/mappings", { match_kind: "tag", match_value: "health/food" }),
-        store,
-        "/task/mappings",
-        healthScope,
-      );
-      expect(descendant.status).toBe(201);
-    });
-
-    test("POST /:name/mappings allows path_prefix regardless of tag-scope", async () => {
-      await store.upsertNoteSchema("task", {});
-      const res = await handleNoteSchemas(
-        mkReq("POST", "/note-schemas/task/mappings", { match_kind: "path_prefix", match_value: "Tasks/" }),
-        store,
-        "/task/mappings",
-        healthScope,
-      );
-      expect(res.status).toBe(201);
-    });
-
-    test("DELETE /:name/mappings rejects out-of-scope tag with 403", async () => {
-      await store.upsertNoteSchema("task", {});
-      await store.setSchemaMapping("task", "tag", "finance");
-      const res = await handleNoteSchemas(
-        mkReq("DELETE", "/note-schemas/task/mappings?match_kind=tag&match_value=finance"),
-        store,
-        "/task/mappings",
-        healthScope,
-      );
-      expect(res.status).toBe(403);
-      // Mapping still present — write was denied.
-      expect((await store.listSchemaMappings({ schema_name: "task" })).length).toBe(1);
-    });
-
-    test("unscoped tokens see and write everything (regression of fast-path)", async () => {
-      await store.upsertNoteSchema("task", {});
-      await store.setSchemaMapping("task", "tag", "finance");
-      await store.setSchemaMapping("task", "tag", "health");
-      const res = await handleNoteSchemas(
-        mkReq("GET", "/note-schemas/task/mappings"),
-        store,
-        "/task/mappings",
-        // default tagScope (unscoped) — omitted parameter
-      );
-      const body = await res.json() as any[];
-      expect(body.length).toBe(2);
-    });
-  });
-});
 
 describe("HTTP /find-path", async () => {
   test("finds path between two notes", async () => {