@openparachute/vault 0.4.8-rc.8 → 0.4.8

package/src/self-register.test.ts

@@ -117,6 +117,39 @@ describe("self-register", () => {
     });
   });
 
+  test("health path follows the primary vault name (closes vault#369)", () => {
+    // Regression: pre-fix self-register used `manifest.health` verbatim
+    // (which is `/vault/default/health`) regardless of the actual vault
+    // name. A hub-bundled wizard that lets the operator name their vault
+    // `notes` produced a services.json entry with `paths: ["/vault/notes"]`
+    // but `health: "/vault/default/health"`, so hub's per-module health
+    // probe hit a 404 even on a healthy vault. The fix derives health from
+    // paths[0]. Caught in the wild on a Render rebuild walkthrough.
+    withParachuteHome((home) => {
+      const { log, warn } = captureLogs();
+      selfRegister({
+        version: "0.4.8-rc.3",
+        log,
+        warn,
+        readManifest: () => TEST_MANIFEST,
+        resolvePackageRoot: () => "/fake/install/dir",
+        // Vault named something other than "default" — the manifest fallback
+        // path `/vault/default` should NOT leak into the health URL.
+        listVaults: () => ["notes"],
+        readGlobalConfig: () => ({ port: 1940, default_vault: "notes" }),
+      });
+      const parsed = JSON.parse(readFileSync(join(home, "services.json"), "utf8")) as {
+        services: { paths: string[]; health: string }[];
+      };
+      const row = parsed.services[0];
+      expect(row.paths).toEqual(["/vault/notes"]);
+      expect(row.health).toBe("/vault/notes/health");
+      // Sanity: health should never be the literal manifest template
+      // when a real vault exists with a different name.
+      expect(row.health).not.toBe("/vault/default/health");
+    });
+  });
+
   test("idempotent — re-running reports no changes", () => {
     withParachuteHome(() => {
       const { log, warn } = captureLogs();

package/src/self-register.ts

@@ -163,6 +163,19 @@ export function selfRegister(deps: SelfRegisterDeps): SelfRegisterResult {
   const paths = buildVaultServicePaths(globalConfig.default_vault, vaults, manifest.paths);
   const port = globalConfig.port ?? DEFAULT_PORT;
 
+  // Derive the health path from the primary path (paths[0]) rather than
+  // using `manifest.health` verbatim. The manifest's `health` is
+  // `/vault/default/health` — a template literal where `default` is the
+  // placeholder vault name. When the operator named their vault something
+  // other than `default` (e.g. `notes`, `journal`, or — caught in the wild
+  // on a Render rebuild — just `vault`), the manifest's `default` doesn't
+  // get rewritten and the hub's per-module health probe ends up hitting
+  // `/vault/default/health` against a vault that lives at `/vault/<other>/`,
+  // returning 404 even when the vault is healthy. Build health off paths[0]
+  // so the path follows the primary vault by construction. Closes vault#369.
+  const primaryPath = paths[0] ?? "/vault/default";
+  const health = `${primaryPath}/health`;
+
   // Build the entry with manifest-sourced metadata (displayName, tagline,
   // stripPrefix) layered on top of the operationally-determined fields
   // (port from config, paths from current vault list, version from
@@ -178,7 +191,7 @@ export function selfRegister(deps: SelfRegisterDeps): SelfRegisterResult {
     name: manifest.manifestName,
     port,
     paths,
-    health: manifest.health,
+    health,
     version: deps.version,
     installDir,
   };
@@ -212,7 +225,7 @@ export function selfRegister(deps: SelfRegisterDeps): SelfRegisterResult {
     priorRow.version !== deps.version ||
     priorRow.port !== port ||
     JSON.stringify(priorRow.paths) !== JSON.stringify(paths) ||
-    priorRow.health !== manifest.health ||
+    priorRow.health !== health ||
     (priorRow as { displayName?: string }).displayName !== manifest.displayName ||
     (priorRow as { tagline?: string }).tagline !== manifest.tagline ||
     (priorRow as { stripPrefix?: boolean }).stripPrefix !== manifest.stripPrefix;

package/src/server.ts

@@ -293,20 +293,9 @@ const server = Bun.serve({
       return new Response(null, { status: 204, headers: corsHeaders });
     }
 
-    // Derive client IP. Default: socket IP only (safe for direct-internet
-    // deployments). If TRUST_PROXY=1 is set, honor X-Forwarded-For — use
-    // this only when a reverse proxy (Cloudflare Tunnel, nginx, etc.) is
-    // terminating the connection, otherwise attackers can spoof the header
-    // to evade per-IP rate limiting.
-    const trustProxy = process.env.TRUST_PROXY === "1" || process.env.TRUST_PROXY === "true";
-    const forwardedFor = trustProxy ? req.headers.get("x-forwarded-for") : null;
-    const clientIp = forwardedFor
-      ? forwardedFor.split(",")[0]!.trim()
-      : server.requestIP(req)?.address;
-
     try {
       const start = Date.now();
-      const response = await route(req, path, clientIp);
+      const response = await route(req, path);
       const ms = Date.now() - start;
       console.log(`${req.method} ${path} ${response.status} ${ms}ms`);
       for (const [k, v] of Object.entries(corsHeaders)) {

package/src/vault-name.ts

@@ -2,8 +2,9 @@
  * Validation for vault names.
  *
  * Vault names appear in URLs (`/vault/<name>/mcp`, `/vault/<name>/api/*`),
- * the SQLite filename, and the OAuth consent page — anything that breaks
- * URL routing or filesystem assumptions has to be rejected up front.
+ * the SQLite filename, and the JWT audience claim (`aud: vault.<name>`) —
+ * anything that breaks URL routing or filesystem assumptions has to be
+ * rejected up front.
  *
  * Rule: lowercase alphanumeric + hyphens or underscores, 2–32 chars, with
  * `list` reserved. Used by the `init` prompt, the `--vault-name` flag, and