@openparachute/vault 0.4.8 → 0.4.9-rc.11

package/src/storage.test.ts

@@ -8,9 +8,14 @@
  */
 
 import { describe, test, expect, beforeAll, afterAll } from "bun:test";
-import { rmSync, existsSync, mkdirSync } from "fs";
+import { rmSync, existsSync, mkdirSync, writeFileSync } from "fs";
 import { join } from "path";
 import { tmpdir } from "os";
+import { Database } from "bun:sqlite";
+import { SqliteStore } from "../core/src/store.ts";
+import { initSchema } from "../core/src/schema.ts";
+import type { Store } from "../core/src/types.ts";
+import type { TagScopeCtx } from "./routes.ts";
 
 const testDir = join(
   tmpdir(),
@@ -20,6 +25,16 @@ process.env.PARACHUTE_HOME = testDir;
 process.env.ASSETS_DIR = join(testDir, "assets");
 
 const { handleStorage } = await import("./routes.ts");
+const { expandTokenTagScope } = await import("./tag-scope.ts");
+
+// The upload-allowlist tests never touch the store (POST /upload writes to
+// disk only); a fresh in-memory store satisfies the now-required param.
+function freshStore(): SqliteStore {
+  const db = new Database(":memory:");
+  initSchema(db);
+  return new SqliteStore(db);
+}
+const uploadStore = freshStore();
 
 function uploadRequest(filename: string, mimeType: string): Request {
   const form = new FormData();
@@ -33,6 +48,11 @@ function uploadRequest(filename: string, mimeType: string): Request {
   });
 }
 
+/** Build the per-request TagScopeCtx the dispatcher hands handlers. */
+async function tagScopeCtx(store: Store, scopedTags: string[] | null): Promise<TagScopeCtx> {
+  return { allowed: await expandTokenTagScope(store, scopedTags), raw: scopedTags };
+}
+
 beforeAll(() => {
   mkdirSync(testDir, { recursive: true });
   mkdirSync(join(testDir, "assets"), { recursive: true });
@@ -44,7 +64,7 @@ afterAll(() => {
 
 describe("storage upload allowlist", () => {
   test("accepts .pdf — knowledge-vault content (#127)", async () => {
-    const res = await handleStorage(uploadRequest("paper.pdf", "application/pdf"), "/upload", "default");
+    const res = await handleStorage(uploadRequest("paper.pdf", "application/pdf"), "/upload", "default", uploadStore);
     expect(res.status).toBe(201);
     const body = (await res.json()) as { mimeType: string; path: string };
     expect(body.mimeType).toBe("application/pdf");
@@ -52,7 +72,7 @@ describe("storage upload allowlist", () => {
   });
 
   test("accepts .mp4 — mobile capture default (#127)", async () => {
-    const res = await handleStorage(uploadRequest("clip.mp4", "video/mp4"), "/upload", "default");
+    const res = await handleStorage(uploadRequest("clip.mp4", "video/mp4"), "/upload", "default", uploadStore);
     expect(res.status).toBe(201);
     const body = (await res.json()) as { mimeType: string };
     expect(body.mimeType).toBe("video/mp4");
@@ -66,27 +86,132 @@ describe("storage upload allowlist", () => {
       ["photo.jpg", "image/jpeg"],
       ["clip.webm", "audio/webm"],
     ] as const) {
-      const res = await handleStorage(uploadRequest(name, mime), "/upload", "default");
+      const res = await handleStorage(uploadRequest(name, mime), "/upload", "default", uploadStore);
       expect(res.status).toBe(201);
     }
   });
 
   test("rejects .svg — XSS vector via inline <script> (#127)", async () => {
-    const res = await handleStorage(uploadRequest("evil.svg", "image/svg+xml"), "/upload", "default");
+    const res = await handleStorage(uploadRequest("evil.svg", "image/svg+xml"), "/upload", "default", uploadStore);
     expect(res.status).toBe(400);
     const body = (await res.json()) as { error: string };
     expect(body.error).toContain(".svg");
   });
 
   test("rejects .html — same XSS surface as SVG (#127)", async () => {
-    const res = await handleStorage(uploadRequest("evil.html", "text/html"), "/upload", "default");
+    const res = await handleStorage(uploadRequest("evil.html", "text/html"), "/upload", "default", uploadStore);
     expect(res.status).toBe(400);
     const body = (await res.json()) as { error: string };
     expect(body.error).toContain(".html");
   });
 
   test("rejects unknown extensions (default-deny)", async () => {
-    const res = await handleStorage(uploadRequest("payload.exe", "application/octet-stream"), "/upload", "default");
+    const res = await handleStorage(uploadRequest("payload.exe", "application/octet-stream"), "/upload", "default", uploadStore);
     expect(res.status).toBe(400);
   });
 });
+
+// ---------------------------------------------------------------------------
+// GET byte-serve tag-scope enforcement (C0 adversarial-audit finding).
+//
+// The raw `/api/storage/<date>/<file>` endpoint historically served bytes by
+// filesystem path with only a path-traversal guard — bypassing the tag-scope
+// enforcement that gates every note-keyed attachment surface. A tag-scoped
+// token could therefore fetch an out-of-scope note's attachment bytes
+// directly if it learned the (UUID-secret) storage path. These tests pin the
+// fix: in-scope → 200, out-of-scope → 404 (no existence oracle), unscoped →
+// 200 (regression), path-traversal guard intact (regression).
+// ---------------------------------------------------------------------------
+
+describe("storage GET tag-scope enforcement", () => {
+  // Each test builds its own vault assets dir + store so rows and on-disk
+  // files line up. `vault` names the assets subdir; ASSETS_DIR is global to
+  // the test process, so we point it at this vault's dir per test.
+  const VAULT = "scope-vault";
+
+  async function setup(): Promise<{
+    store: SqliteStore;
+    assets: string;
+    inScopePath: string;
+    outScopePath: string;
+  }> {
+    const store = freshStore();
+    const assets = join(testDir, "assets", VAULT, "data");
+    mkdirSync(join(assets, "2026-05-28"), { recursive: true });
+    process.env.ASSETS_DIR = assets;
+
+    // An in-scope (#work) note + attachment, and an out-of-scope (#health)
+    // note + attachment. Both files exist on disk.
+    const workNote = await store.createNote("work note", { tags: ["work"] });
+    const healthNote = await store.createNote("health note", { tags: ["health"] });
+
+    const inScopePath = "2026-05-28/work-asset.pdf";
+    const outScopePath = "2026-05-28/health-asset.pdf";
+    writeFileSync(join(assets, inScopePath), Buffer.from([0x25, 0x50, 0x44, 0x46])); // %PDF
+    writeFileSync(join(assets, outScopePath), Buffer.from([0x25, 0x50, 0x44, 0x46]));
+
+    await store.addAttachment(workNote.id, inScopePath, "application/pdf");
+    await store.addAttachment(healthNote.id, outScopePath, "application/pdf");
+
+    return { store, assets, inScopePath, outScopePath };
+  }
+
+  function getReq(reqPath: string): Request {
+    return new Request(`http://localhost:1940/storage/${reqPath}`, { method: "GET" });
+  }
+
+  test("tag-scoped token (work): GET in-scope attachment → 200 (bytes served)", async () => {
+    const { store, inScopePath } = await setup();
+    const ctx = await tagScopeCtx(store, ["work"]);
+    const res = await handleStorage(getReq(inScopePath), `/${inScopePath}`, VAULT, store, ctx);
+    expect(res.status).toBe(200);
+    expect(res.headers.get("Content-Type")).toBe("application/pdf");
+    expect((await res.arrayBuffer()).byteLength).toBe(4);
+  });
+
+  test("tag-scoped token (work): GET OUT-of-scope attachment → 404 (no existence oracle)", async () => {
+    const { store, outScopePath } = await setup();
+    const ctx = await tagScopeCtx(store, ["work"]);
+    const res = await handleStorage(getReq(outScopePath), `/${outScopePath}`, VAULT, store, ctx);
+    expect(res.status).toBe(404);
+  });
+
+  test("tag-scoped token: GET path with NO owning attachment row → 404", async () => {
+    const { store, assets } = await setup();
+    // A real on-disk file that no attachment row references — must 404 for a
+    // scoped token (would-be existence oracle otherwise).
+    const orphanPath = "2026-05-28/orphan-on-disk.pdf";
+    writeFileSync(join(assets, orphanPath), Buffer.from([0x25, 0x50, 0x44, 0x46]));
+    const ctx = await tagScopeCtx(store, ["work"]);
+    const res = await handleStorage(getReq(orphanPath), `/${orphanPath}`, VAULT, store, ctx);
+    expect(res.status).toBe(404);
+  });
+
+  test("unscoped token: GET any attachment → 200 (regression — no behavior change)", async () => {
+    const { store, outScopePath } = await setup();
+    const ctx = await tagScopeCtx(store, null); // unscoped
+    const res = await handleStorage(getReq(outScopePath), `/${outScopePath}`, VAULT, store, ctx);
+    expect(res.status).toBe(200);
+  });
+
+  test("default ctx (no tagScope arg): unscoped behavior — 200 (regression)", async () => {
+    const { store, outScopePath } = await setup();
+    const res = await handleStorage(getReq(outScopePath), `/${outScopePath}`, VAULT, store);
+    expect(res.status).toBe(200);
+  });
+
+  test("path-traversal guard still blocks ../ escapes (regression)", async () => {
+    const { store } = await setup();
+    const ctx = await tagScopeCtx(store, ["work"]);
+    // `/a/../../../etc/passwd` resolves outside assetsDir → 403 Invalid path.
+    const evil = "/a/../../../../../../etc/passwd";
+    const res = await handleStorage(
+      new Request(`http://localhost:1940/storage${evil}`, { method: "GET" }),
+      evil,
+      VAULT,
+      store,
+      ctx,
+    );
+    expect(res.status).toBe(403);
+  });
+});

package/src/token-store.ts

@@ -63,6 +63,26 @@ export interface Token {
   expires_at: string | null;
   created_at: string;
   last_used_at: string | null;
+  /**
+   * Provenance (v19). 'mcp_mint' = minted via manage-token MCP tool;
+   * NULL = pre-v19 / CLI / REST / YAML-import. Used by manage-token list
+   * to restrict the surface to MCP-session-managed tokens. See vault#376.
+   */
+  created_via: string | null;
+  /**
+   * Session pin (v19). When this token was minted via manage-token, this
+   * is the display id (`t_<prefix>`) of the calling session's token (for
+   * pvt_* MCP sessions) or the hub JWT's jti claim (for hub-issued
+   * sessions). NULL otherwise.
+   */
+  parent_jti: string | null;
+  /**
+   * Soft-revoke timestamp (v19). When set, `resolveToken` returns null
+   * and the row stays in place for audit history. manage-token revoke is
+   * idempotent — calling revoke a second time on the same jti is a no-op
+   * with ok=true. NULL = active.
+   */
+  revoked_at: string | null;
 }
 
 export interface ResolvedToken {
@@ -88,6 +108,12 @@ export interface ResolvedToken {
    * vault. See vault#257.
    */
   vault_name: string | null;
+  /**
+   * Display id (`t_<hashprefix>`) of THIS token. Surfaced so callers that
+   * later mint child tokens (manage-token MCP tool) can stamp parent_jti
+   * without re-derivation. Pre-v19 lookups still compute this on the fly.
+   */
+  jti: string;
 }
 
 /**
@@ -149,6 +175,17 @@ export function createToken(
      */
     vault_name?: string | null;
     expires_at?: string | null;
+    /**
+     * Provenance tag (v19). `'mcp_mint'` for tokens minted via the
+     * manage-token MCP tool; omit/null for CLI / REST / YAML paths.
+     */
+    created_via?: string | null;
+    /**
+     * Session pin (v19). Display id (`t_<prefix>`) or hub JWT `jti` of the
+     * caller that minted this token via manage-token. Used by the
+     * manage-token list/revoke surface to scope itself to one session.
+     */
+    parent_jti?: string | null;
   },
 ): Token {
   const tokenHash = hashKey(fullToken);
@@ -159,10 +196,12 @@ export function createToken(
   const scopedTags = opts.scoped_tags && opts.scoped_tags.length > 0 ? opts.scoped_tags : null;
   const scopedTagsStr = scopedTags ? JSON.stringify(scopedTags) : null;
   const vaultName = opts.vault_name ?? null;
+  const createdVia = opts.created_via ?? null;
+  const parentJti = opts.parent_jti ?? null;
 
   db.prepare(`
-    INSERT INTO tokens (token_hash, label, permission, scopes, scoped_tags, scope_tag, scope_path_prefix, expires_at, created_at, vault_name)
-    VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+    INSERT INTO tokens (token_hash, label, permission, scopes, scoped_tags, scope_tag, scope_path_prefix, expires_at, created_at, vault_name, created_via, parent_jti)
+    VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
   `).run(
     tokenHash,
     opts.label,
@@ -174,6 +213,8 @@ export function createToken(
     opts.expires_at ?? null,
     now,
     vaultName,
+    createdVia,
+    parentJti,
   );
 
   return {
@@ -187,6 +228,9 @@ export function createToken(
     expires_at: opts.expires_at ?? null,
     created_at: now,
     last_used_at: null,
+    created_via: createdVia,
+    parent_jti: parentJti,
+    revoked_at: null,
   };
 }
 
@@ -200,8 +244,15 @@ export function resolveToken(db: Database, providedToken: string): ResolvedToken
   // preimage, which is computationally infeasible regardless of timing leaks.
   const candidateHash = hashKey(providedToken);
 
+  // Defensive SELECT for revoked_at: the column exists post-v19, but a
+  // freshly-opened ResolvedToken-only test fixture might run on a DB the
+  // migration hasn't touched. SQLite returns NULL for missing columns when
+  // the table is queried via prepared statements only after migration; here
+  // initSchema fires on every store-open path, so the column is guaranteed
+  // present in production. Tests instantiating bare DBs against this
+  // module are expected to call initSchema first.
   const row = db.prepare(`
-    SELECT token_hash, permission, scopes, scoped_tags, expires_at, vault_name
+    SELECT token_hash, permission, scopes, scoped_tags, expires_at, vault_name, revoked_at
     FROM tokens WHERE token_hash = ?
   `).get(candidateHash) as {
     token_hash: string;
@@ -210,10 +261,16 @@ export function resolveToken(db: Database, providedToken: string): ResolvedToken
     scoped_tags: string | null;
     expires_at: string | null;
     vault_name: string | null;
+    revoked_at: string | null;
   } | null;
 
   if (!row) return null;
 
+  // Soft-revoked tokens never authenticate (v19). The row stays in place
+  // for audit; resolveToken just treats it as not-found from the caller's
+  // perspective.
+  if (row.revoked_at) return null;
+
   // Check expiry
   if (row.expires_at && new Date(row.expires_at) < new Date()) {
     return null;
@@ -229,8 +286,9 @@ export function resolveToken(db: Database, providedToken: string): ResolvedToken
   const scopes = hasVaultScope ? parsed : legacyPermissionToScopes(permission);
   const legacyDerived = !hasVaultScope;
   const scoped_tags = parseScopedTags(row.scoped_tags);
+  const jti = `t_${row.token_hash.slice(7, 19)}`;
 
-  return { permission, scopes, legacyDerived, scoped_tags, vault_name: row.vault_name };
+  return { permission, scopes, legacyDerived, scoped_tags, vault_name: row.vault_name, jti };
 }
 
 /**
@@ -252,7 +310,8 @@ export function listTokens(
   const params = opts.vaultName ? [opts.vaultName] : [];
   const rows = db.prepare(`
     SELECT token_hash, label, permission, scope_tag, scope_path_prefix,
-           scoped_tags, vault_name, expires_at, created_at, last_used_at
+           scoped_tags, vault_name, expires_at, created_at, last_used_at,
+           created_via, parent_jti, revoked_at
     FROM tokens ${where}
     ORDER BY created_at DESC
   `).all(...params) as (Omit<Token, "scoped_tags"> & { scoped_tags: string | null })[];
@@ -266,6 +325,242 @@ export function listTokens(
   }));
 }
 
+/**
+ * List tokens minted via the manage-token MCP tool by a given session
+ * (parent_jti). Used by `manage-token` action="list" to scope its surface
+ * to its own session's mints — operators with multiple MCP sessions open
+ * don't see each other's tokens, and CLI/REST-minted tokens never appear.
+ *
+ * Returns metadata only (no token-hash exposure beyond the display id);
+ * the display id is what the caller uses to revoke. Includes `revoked_at`
+ * so the UI can render a tombstone for soft-revoked rows.
+ */
+export function listMcpMintedTokens(
+  db: Database,
+  parentJti: string,
+  vaultName: string,
+): Array<{
+  jti: string;
+  label: string;
+  scopes: string[];
+  scoped_tags: string[] | null;
+  created_at: string;
+  expires_at: string | null;
+  revoked_at: string | null;
+}> {
+  const rows = db.prepare(`
+    SELECT token_hash, label, scopes, scoped_tags, created_at, expires_at, revoked_at
+    FROM tokens
+    WHERE created_via = 'mcp_mint'
+      AND parent_jti = ?
+      AND vault_name = ?
+    ORDER BY created_at DESC
+  `).all(parentJti, vaultName) as {
+    token_hash: string;
+    label: string;
+    scopes: string | null;
+    scoped_tags: string | null;
+    created_at: string;
+    expires_at: string | null;
+    revoked_at: string | null;
+  }[];
+  return rows.map((r) => ({
+    jti: `t_${r.token_hash.slice(7, 19)}`,
+    label: r.label,
+    scopes: parseScopes(r.scopes),
+    scoped_tags: parseScopedTags(r.scoped_tags),
+    created_at: r.created_at,
+    expires_at: r.expires_at,
+    revoked_at: r.revoked_at,
+  }));
+}
+
+/**
+ * Soft-revoke a token minted via manage-token, scoped to the session that
+ * minted it. Idempotent: revoking an already-revoked or never-existent jti
+ * returns the same shape; second-call to revoke is intentionally still
+ * ok=true so the AI's revoke step doesn't surface a confusing failure on a
+ * retry after a network blip. The row stays in place for audit trail —
+ * resolveToken treats revoked_at-set rows as not-found.
+ *
+ * `parentJti` + `vaultName` scope the lookup: a token minted by a
+ * different MCP session (or against a different vault) returns ok=false.
+ * Returns { ok: true, already_revoked? } when the operation matched a row.
+ */
+export function softRevokeMcpToken(
+  db: Database,
+  jti: string,
+  parentJti: string,
+  vaultName: string,
+): { ok: true; already_revoked: boolean } | { ok: false; reason: "not_found" } {
+  if (!jti.startsWith("t_")) {
+    return { ok: false, reason: "not_found" };
+  }
+  const hashPrefix = jti.slice(2);
+  const row = db.prepare(`
+    SELECT token_hash, revoked_at FROM tokens
+    WHERE token_hash LIKE ?
+      AND created_via = 'mcp_mint'
+      AND parent_jti = ?
+      AND vault_name = ?
+    LIMIT 1
+  `).get(`sha256:${hashPrefix}%`, parentJti, vaultName) as {
+    token_hash: string;
+    revoked_at: string | null;
+  } | null;
+
+  if (!row) return { ok: false, reason: "not_found" };
+  if (row.revoked_at) {
+    // Second revoke: idempotent — already done, surface true with the flag.
+    return { ok: true, already_revoked: true };
+  }
+  db.prepare("UPDATE tokens SET revoked_at = ? WHERE token_hash = ?")
+    .run(new Date().toISOString(), row.token_hash);
+  return { ok: true, already_revoked: false };
+}
+
+// ---------------------------------------------------------------------------
+// mcp_mint_ledger — session-pinned index of HUB JWTs minted by manage-token
+// (vault#403, MGT). After the auth-unification arc the tool mints hub JWTs,
+// not pvt_* rows, so the session attribution (parent_jti → minted jti) lives
+// here instead of in the `tokens` table. Rows are NOT credentials — only the
+// hub `jti` (the revocation handle) plus display metadata is stored; the
+// signed token never touches the vault DB.
+// ---------------------------------------------------------------------------
+
+/**
+ * Record a hub-minted JWT in the session-pinned ledger. `jti` is hub's
+ * returned jti; `parentJti` is the minting MCP session (the caller's
+ * `caller_jti`).
+ *
+ * Uses INSERT OR IGNORE, NOT OR REPLACE: hub guarantees jti uniqueness, so a
+ * pre-existing row with this jti shouldn't happen. If it does, it's a real bug
+ * (a hub jti collision) — we log a warning and KEEP the existing row rather
+ * than overwriting it, because OR REPLACE would silently reset a previously-set
+ * `revoked_at` and resurrect a revoked token in the list/revoke surface.
+ */
+export function recordMcpMintLedger(
+  db: Database,
+  entry: {
+    jti: string;
+    parentJti: string;
+    vaultName: string;
+    label: string;
+    scopes: string[];
+    scopedTags: string[] | null;
+    expiresAt: string | null;
+  },
+): void {
+  const scopedTags = entry.scopedTags && entry.scopedTags.length > 0 ? entry.scopedTags : null;
+  const result = db.prepare(`
+    INSERT OR IGNORE INTO mcp_mint_ledger
+      (jti, parent_jti, vault_name, label, scopes, scoped_tags, created_at, expires_at, revoked_at)
+    VALUES (?, ?, ?, ?, ?, ?, ?, ?, NULL)
+  `).run(
+    entry.jti,
+    entry.parentJti,
+    entry.vaultName,
+    entry.label,
+    serializeScopes(entry.scopes),
+    scopedTags ? JSON.stringify(scopedTags) : null,
+    new Date().toISOString(),
+    entry.expiresAt,
+  );
+  if (result.changes === 0) {
+    // Row already existed — IGNORE swallowed the conflict. Surface it: a hub
+    // jti collision is a real bug worth investigating (the existing row is
+    // left untouched, including any `revoked_at`).
+    console.warn(
+      `[manage-token] mcp_mint_ledger already has a row for jti '${entry.jti}' — skipped insert (kept existing row). A hub jti collision shouldn't happen; investigate.`,
+    );
+  }
+}
+
+/**
+ * List hub JWTs minted by a given MCP session (parent_jti) against a vault.
+ * Mirrors `listMcpMintedTokens`' shape so the manage-token list surface is
+ * unchanged on the wire. Includes `revoked_at` so callers can render a
+ * tombstone for soft-revoked rows.
+ */
+export function listMcpMintedHubJwts(
+  db: Database,
+  parentJti: string,
+  vaultName: string,
+): Array<{
+  jti: string;
+  label: string;
+  scopes: string[];
+  scoped_tags: string[] | null;
+  created_at: string;
+  expires_at: string | null;
+  revoked_at: string | null;
+}> {
+  const rows = db.prepare(`
+    SELECT jti, label, scopes, scoped_tags, created_at, expires_at, revoked_at
+    FROM mcp_mint_ledger
+    WHERE parent_jti = ? AND vault_name = ?
+    ORDER BY created_at DESC
+  `).all(parentJti, vaultName) as {
+    jti: string;
+    label: string;
+    scopes: string | null;
+    scoped_tags: string | null;
+    created_at: string;
+    expires_at: string | null;
+    revoked_at: string | null;
+  }[];
+  return rows.map((r) => ({
+    jti: r.jti,
+    label: r.label,
+    scopes: parseScopes(r.scopes),
+    scoped_tags: parseScopedTags(r.scoped_tags),
+    created_at: r.created_at,
+    expires_at: r.expires_at,
+    revoked_at: r.revoked_at,
+  }));
+}
+
+/**
+ * Look up a single ledger row by (jti, parent_jti, vault_name) — the
+ * session-pin gate for revoke. Returns null when the jti isn't in THIS
+ * session's ledger (a different session's mint, or a never-minted jti),
+ * which the caller turns into the not_found path. Returns the row (incl.
+ * `revoked_at`) when it belongs to this session.
+ */
+export function findMcpMintLedgerEntry(
+  db: Database,
+  jti: string,
+  parentJti: string,
+  vaultName: string,
+): { jti: string; revoked_at: string | null } | null {
+  const row = db.prepare(`
+    SELECT jti, revoked_at FROM mcp_mint_ledger
+    WHERE jti = ? AND parent_jti = ? AND vault_name = ?
+    LIMIT 1
+  `).get(jti, parentJti, vaultName) as { jti: string; revoked_at: string | null } | null;
+  return row ?? null;
+}
+
+/**
+ * Mark a ledger row revoked (the local attribution-side soft-revoke; the
+ * authoritative revocation happens in hub's registry via the revoke-token
+ * call). Idempotent: a second call on an already-revoked row leaves the
+ * existing timestamp in place. Only flips rows belonging to the given
+ * session — defense-in-depth on top of the caller's `findMcpMintLedgerEntry`
+ * gate.
+ */
+export function markMcpMintLedgerRevoked(
+  db: Database,
+  jti: string,
+  parentJti: string,
+  vaultName: string,
+): void {
+  db.prepare(`
+    UPDATE mcp_mint_ledger SET revoked_at = ?
+    WHERE jti = ? AND parent_jti = ? AND vault_name = ? AND revoked_at IS NULL
+  `).run(new Date().toISOString(), jti, parentJti, vaultName);
+}
+
 /**
  * Find tokens whose `scoped_tags` allowlist references the given root tag.
  * Used by tag-delete and tag-merge to fail-closed (409) when removing a

package/src/transcription-worker.ts

@@ -554,10 +554,15 @@ export function registerTranscriptionHook(
   return registry.onAttachment({
     name: "transcription-kickoff",
     event: "created",
-    when: (att) =>
-      (att.metadata as { transcribe_status?: string } | undefined)
-        ?.transcribe_status === "pending",
-    handler: async (attachment, store) => {
+    when: (att) => {
+      // Only "created" payloads reach this predicate (we don't subscribe
+      // to "deleted"), so `metadata` is populated. The union widening
+      // post-deletion-events just means we narrow here defensively.
+      const meta = (att as Attachment).metadata as { transcribe_status?: string } | undefined;
+      return meta?.transcribe_status === "pending";
+    },
+    handler: async (payload, store) => {
+      const attachment = payload as Attachment;
       const vault = resolveVault(store);
       if (!vault) {
         logger.error(

package/src/triggers.ts

@@ -29,7 +29,7 @@ import { join, normalize } from "path";
 import { mkdirSync, readFileSync, writeFileSync, existsSync } from "fs";
 import crypto from "node:crypto";
 import type { Note, Store, Attachment } from "../core/src/types.ts";
-import type { HookRegistry, HookEvent } from "../core/src/hooks.ts";
+import type { HookRegistry, HookEvent, NoteHookPayload } from "../core/src/hooks.ts";
 import type { TriggerConfig, TriggerWhen } from "./config.ts";
 import { getVaultNameForStore } from "./vault-store.ts";
 import { assetsDir } from "./routes.ts";
@@ -56,6 +56,10 @@ export function buildPredicate(when: TriggerWhen, triggerName: string): (note: N
   const pendingKey = `${triggerName}_pending_at`;
   const renderedKey = `${triggerName}_rendered_at`;
 
+  // Hook dispatcher passes `NoteHookPayload` (Note | DeletedNoteRef). All
+  // triggers default to events `["created", "updated"]` so deleted shapes
+  // never reach this predicate, but we still type the parameter as Note
+  // — narrowing here keeps the rest of the predicate body unchanged.
   return (note: Note) => {
     const meta = note.metadata as Record<string, unknown> | undefined;
 
@@ -310,8 +314,17 @@ export function registerTriggers(
     const unregister = hooks.onNote({
       name: trigger.name,
       event: events,
-      when: predicate,
-      handler: async (note: Note, store: Store, hookEvent?: HookEvent) => {
+      when: (payload: NoteHookPayload) => {
+        // Triggers don't subscribe to "deleted"; if the union ever
+        // widens via config, the predicate sees a partial shape that
+        // simply doesn't match anything tag/metadata-based and returns
+        // false. Safe by construction.
+        return predicate(payload as Note);
+      },
+      handler: async (payload: NoteHookPayload, store: Store, hookEvent?: HookEvent) => {
+        // Same shape contract as the predicate — triggers don't
+        // subscribe to deleted events, so narrow back to Note.
+        const note = payload as Note;
         const existingMeta = (note.metadata as Record<string, unknown> | undefined) ?? {};
 
         // Handler-side re-check (same race-window protection as the old hooks)