@openparachute/vault 0.4.8 → 0.4.9-rc.11

package/src/vault.test.ts

@@ -10,6 +10,7 @@ import { tmpdir } from "os";
 import { BunStore } from "./vault-store.ts";
 import { generateMcpTools } from "../core/src/mcp.ts";
 import { getLinksHydrated } from "../core/src/links.ts";
+import { buildVaultProjection } from "../core/src/vault-projection.ts";
 import { handleNotes, handleTags, handleFindPath, handleVault } from "./routes.ts";
 import { extractApiKey } from "./auth.ts";
 
@@ -478,7 +479,7 @@ describe("deeper link queries", async () => {
 describe("MCP tools", async () => {
   test("generates the consolidated tool set", () => {
     const tools = generateMcpTools(store);
-    expect(tools.length).toBe(9);
+    expect(tools.length).toBe(10);
 
     const names = tools.map((t) => t.name);
     expect(names).toContain("query-notes");
@@ -490,6 +491,8 @@ describe("MCP tools", async () => {
     expect(names).toContain("delete-tag");
     expect(names).toContain("find-path");
     expect(names).toContain("vault-info");
+    // prune-schema (admin) — drops orphaned indexed-field columns.
+    expect(names).toContain("prune-schema");
     // Six note-schema MCP tools (list/update/delete-note-schema +
     // list/set/delete-schema-mapping) retired in v17 — vault#267.
     expect(names).not.toContain("list-note-schemas");
@@ -3622,6 +3625,78 @@ describe("HTTP /tags", async () => {
     expect(body.description).toBe("A person");
   });
 
+  // P1 regression (vault#398 review) — the REST PUT path calls
+  // store.upsertTagRecord directly. Before the lifecycle was centralized in
+  // the store, PUT {fields:null} or an indexed:false toggle left the
+  // generated column orphaned (the MCP path released, REST didn't). Assert
+  // via the same PRAGMA table_xinfo / buildVaultProjection introspection the
+  // core lifecycle tests use.
+  function notesMetaCols(): string[] {
+    return (db.prepare("PRAGMA table_xinfo(notes)").all() as { name: string }[])
+      .map((r) => r.name)
+      .filter((n) => n.startsWith("meta_"));
+  }
+
+  test("PUT /tags/:name {fields:null} drops the orphaned generated column", async () => {
+    // Declare an indexed field via REST PUT — column materializes.
+    await handleTags(
+      mkReq("PUT", "/tags/project", { fields: { status: { type: "string", indexed: true } } }),
+      store,
+      "/project",
+    );
+    expect(notesMetaCols()).toContain("meta_status");
+    expect(buildVaultProjection(db).indexed_fields.map((f) => f.name)).toContain("status");
+
+    // Clear all fields via REST PUT {fields:null} — column must drop.
+    const res = await handleTags(
+      mkReq("PUT", "/tags/project", { fields: null }),
+      store,
+      "/project",
+    );
+    expect(res.status).toBe(200);
+    expect(notesMetaCols()).not.toContain("meta_status");
+    const idxs = (db.prepare("SELECT name FROM sqlite_master WHERE type='index' AND tbl_name='notes'").all() as { name: string }[]).map((r) => r.name);
+    expect(idxs).not.toContain("idx_meta_status");
+    expect(buildVaultProjection(db).indexed_fields.map((f) => f.name)).not.toContain("status");
+  });
+
+  test("PUT /tags/:name indexed:false toggle drops the generated column", async () => {
+    await handleTags(
+      mkReq("PUT", "/tags/project", { fields: { status: { type: "string", indexed: true } } }),
+      store,
+      "/project",
+    );
+    expect(notesMetaCols()).toContain("meta_status");
+
+    // Re-PUT the same field with indexed:false — REST merges, so the field
+    // stays in the schema but loses its index → column drops.
+    const res = await handleTags(
+      mkReq("PUT", "/tags/project", { fields: { status: { type: "string", indexed: false } } }),
+      store,
+      "/project",
+    );
+    expect(res.status).toBe(200);
+    expect(notesMetaCols()).not.toContain("meta_status");
+    expect(buildVaultProjection(db).indexed_fields.map((f) => f.name)).not.toContain("status");
+  });
+
+  test("PUT /tags/:name respects the co-declaration guard (keeps column for a live co-declarer)", async () => {
+    await handleTags(
+      mkReq("PUT", "/tags/asset", { fields: { aspect_ratio: { type: "string", indexed: true } } }),
+      store,
+      "/asset",
+    );
+    await handleTags(
+      mkReq("PUT", "/tags/storyboard", { fields: { aspect_ratio: { type: "string", indexed: true } } }),
+      store,
+      "/storyboard",
+    );
+    // Clear asset's fields — storyboard still declares aspect_ratio → keep.
+    await handleTags(mkReq("PUT", "/tags/asset", { fields: null }), store, "/asset");
+    expect(notesMetaCols()).toContain("meta_aspect_ratio");
+    expect(buildVaultProjection(db).indexed_fields.map((f) => f.name)).toContain("aspect_ratio");
+  });
+
   test("PUT /tags/:name returns 400 with error_type: invalid_relationships on bad shape", async () => {
     const res = await handleTags(
       mkReq("PUT", "/tags/person", {
@@ -3941,6 +4016,10 @@ describe("stateless MCP transport", async () => {
     expect(toolNames).not.toContain("delete-note");
     expect(toolNames).not.toContain("update-tag");
     expect(toolNames).not.toContain("delete-tag");
+    // Admin tools (vault#376) are hidden too
+    expect(toolNames).not.toContain("manage-token");
+    // Read tier is exactly 4 tools.
+    expect(toolNames.length).toBe(4);
 
     closeAllStores();
   });
@@ -4077,7 +4156,13 @@ describe("stateless MCP transport", async () => {
     expect(res.status).toBe(200); // JSON-RPC envelope is 200 even for tool errors
     const body = await res.json() as any;
     expect(body.result.isError).toBe(true);
-    expect(body.result.content[0].text).toContain("vault:write");
+    // Post-vault#376: hidden tools surface as "Unknown tool" rather than
+    // a verb-specific Forbidden — see mcp-http.ts dispatch-against-
+    // visibleTools rationale. The contract is: tools not in tools/list
+    // also can't be called explicitly. (Differential errors would leak
+    // the existence of admin-only tools to write-scope sessions.)
+    expect(body.result.content[0].text).toContain("Unknown tool");
+    expect(body.result.content[0].text).toContain("create-note");
 
     closeAllStores();
   });
@@ -4129,6 +4214,600 @@ describe("stateless MCP transport", async () => {
   });
 });
 
+// ===========================================================================
+// vault#376 — Change 1: scope-filtered tool listing across all three tiers
+// ===========================================================================
+
+describe("MCP tools/list scope tiers (vault#376)", () => {
+  async function listToolNames(scopes: string[], scopedTags: string[] | null = null, vaultPrefix = "scope-tier") {
+    const { handleScopedMcp } = await import("./mcp-http.ts");
+    const { writeVaultConfig } = await import("./config.ts");
+    const { closeAllStores } = await import("./vault-store.ts");
+
+    const vaultName = `${vaultPrefix}-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+    writeVaultConfig({
+      name: vaultName,
+      api_keys: [],
+      created_at: new Date().toISOString(),
+    });
+
+    const req = new Request(`http://localhost:1940/vault/${vaultName}/mcp`, {
+      method: "POST",
+      headers: {
+        "content-type": "application/json",
+        "accept": "application/json, text/event-stream",
+      },
+      body: JSON.stringify({ jsonrpc: "2.0", id: 1, method: "tools/list", params: {} }),
+    });
+
+    const res = await handleScopedMcp(req, vaultName, {
+      permission: scopes.includes("vault:write") || scopes.includes("vault:admin") ? "full" : "read",
+      scopes,
+      legacyDerived: false,
+      scoped_tags: scopedTags,
+    } as any);
+    const body = await res.json() as any;
+    const names: string[] = body.result.tools.map((t: any) => t.name);
+    closeAllStores();
+    return names;
+  }
+
+  test("vault:read sees exactly the 4 read tools", async () => {
+    const names = await listToolNames(["vault:read"]);
+    expect(new Set(names)).toEqual(
+      new Set(["query-notes", "list-tags", "find-path", "vault-info"]),
+    );
+    expect(names.length).toBe(4);
+  });
+
+  test("vault:read + vault:write sees the 9 read+write tools", async () => {
+    const names = await listToolNames(["vault:read", "vault:write"]);
+    expect(new Set(names)).toEqual(
+      new Set([
+        "query-notes",
+        "list-tags",
+        "find-path",
+        "vault-info",
+        "create-note",
+        "update-note",
+        "delete-note",
+        "update-tag",
+        "delete-tag",
+      ]),
+    );
+    expect(names.length).toBe(9);
+    expect(names).not.toContain("manage-token");
+    // Aaron 2026-05-27: delete-* are write-tier (same destructive verb as
+    // update). Only manage-token is admin-gated.
+    expect(names).toContain("delete-note");
+    expect(names).toContain("delete-tag");
+  });
+
+  test("vault:admin sees all 11 tools including manage-token + prune-schema", async () => {
+    const names = await listToolNames(["vault:read", "vault:write", "vault:admin"]);
+    expect(names).toContain("manage-token");
+    expect(names).toContain("prune-schema");
+    expect(names.length).toBe(11);
+  });
+
+  test("legacy-derived full token sees all 11 tools (back-compat)", async () => {
+    const { handleScopedMcp } = await import("./mcp-http.ts");
+    const { writeVaultConfig } = await import("./config.ts");
+    const { closeAllStores } = await import("./vault-store.ts");
+
+    const vaultName = `legacy-token-${Date.now()}`;
+    writeVaultConfig({
+      name: vaultName,
+      api_keys: [],
+      created_at: new Date().toISOString(),
+    });
+
+    const req = new Request(`http://localhost:1940/vault/${vaultName}/mcp`, {
+      method: "POST",
+      headers: {
+        "content-type": "application/json",
+        "accept": "application/json, text/event-stream",
+      },
+      body: JSON.stringify({ jsonrpc: "2.0", id: 1, method: "tools/list", params: {} }),
+    });
+
+    // Legacy permission-derived token: legacyDerived=true, scopes carry the
+    // full admin set per `legacyPermissionToScopes("full")`. Compat shim
+    // means the operator's existing pvt_* tokens minted pre-scope-column
+    // see the full admin surface (including manage-token + prune-schema).
+    const res = await handleScopedMcp(req, vaultName, {
+      permission: "full",
+      scopes: ["vault:read", "vault:write", "vault:admin"],
+      legacyDerived: true,
+      scoped_tags: null,
+    } as any);
+    const body = await res.json() as any;
+    const names: string[] = body.result.tools.map((t: any) => t.name);
+    expect(names.length).toBe(11);
+    expect(names).toContain("manage-token");
+    expect(names).toContain("prune-schema");
+    closeAllStores();
+  });
+
+  test("excluded tools surface as 'Unknown tool' if called explicitly", async () => {
+    const { handleScopedMcp } = await import("./mcp-http.ts");
+    const { writeVaultConfig } = await import("./config.ts");
+    const { closeAllStores } = await import("./vault-store.ts");
+
+    const vaultName = `hidden-call-${Date.now()}`;
+    writeVaultConfig({
+      name: vaultName,
+      api_keys: [],
+      created_at: new Date().toISOString(),
+    });
+
+    // Write-scope session calling manage-token (admin-only): should look
+    // like the tool doesn't exist, not "Forbidden: requires vault:admin".
+    // Differential messages would leak the admin tool's existence.
+    const req = new Request(`http://localhost:1940/vault/${vaultName}/mcp`, {
+      method: "POST",
+      headers: {
+        "content-type": "application/json",
+        "accept": "application/json, text/event-stream",
+      },
+      body: JSON.stringify({
+        jsonrpc: "2.0",
+        id: 1,
+        method: "tools/call",
+        params: { name: "manage-token", arguments: { action: "list" } },
+      }),
+    });
+
+    const res = await handleScopedMcp(req, vaultName, {
+      permission: "full",
+      scopes: ["vault:read", "vault:write"],
+      legacyDerived: false,
+      scoped_tags: null,
+    } as any);
+    const body = await res.json() as any;
+    expect(body.result.isError).toBe(true);
+    expect(body.result.content[0].text).toContain("Unknown tool");
+    expect(body.result.content[0].text).toContain("manage-token");
+    expect(body.result.content[0].text).not.toContain("vault:admin");
+    closeAllStores();
+  });
+});
+
+// ===========================================================================
+// vault#376 — Change 2: manage-token mint/revoke/list
+// ===========================================================================
+
+describe("manage-token MCP tool (vault#403, MGT — hub-JWT attenuation proxy)", () => {
+  // A JWT-shaped bearer the session presents; the manage-token mint path only
+  // forwards JWT-shaped credentials, so tests must thread one through.
+  const JWT_BEARER = "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1In0.sig";
+
+  // --- Hub fetch stub --------------------------------------------------------
+  // mintAction/revokeAction call mintHubJwt/revokeHubJwt, which use global
+  // fetch (no fetchImpl seam on that path). Each test installs a stub that
+  // records the requests and returns a canned hub response. We capture every
+  // call so assertions can inspect the URL / Authorization header / body.
+  let realFetch: typeof globalThis.fetch;
+  let hubCalls: Array<{ url: string; init: RequestInit | undefined; body: any }>;
+  let mintSeq: number;
+
+  beforeEach(() => {
+    realFetch = globalThis.fetch;
+    hubCalls = [];
+    mintSeq = 0;
+  });
+  afterEach(() => {
+    globalThis.fetch = realFetch;
+  });
+
+  /** Install a hub stub that mints a fresh jti per mint + idempotent revoke. */
+  function installHubStub(opts?: { revokeFails?: "network" | "api-error" }) {
+    globalThis.fetch = (async (input: any, init?: RequestInit) => {
+      const url = String(input);
+      let body: any = undefined;
+      try { body = init?.body ? JSON.parse(String(init.body)) : undefined; } catch {}
+      hubCalls.push({ url, init, body });
+      if (url.endsWith("/api/auth/mint-token")) {
+        const jti = `hub_jti_${++mintSeq}`;
+        const ttl = typeof body?.expires_in === "number" ? body.expires_in : 900;
+        return new Response(
+          JSON.stringify({
+            jti,
+            token: `eyJ.minted.${jti}`,
+            expires_at: new Date(Date.now() + ttl * 1000).toISOString(),
+            scope: body?.scope ?? "",
+            ...(body?.permissions ? { permissions: body.permissions } : {}),
+          }),
+          { status: 200, headers: { "Content-Type": "application/json" } },
+        );
+      }
+      if (url.endsWith("/api/auth/revoke-token")) {
+        if (opts?.revokeFails === "network") throw new Error("connection refused");
+        if (opts?.revokeFails === "api-error") {
+          return new Response(
+            JSON.stringify({ error: "insufficient_scope", error_description: "bearer lacks parachute:host:auth" }),
+            { status: 403, headers: { "Content-Type": "application/json" } },
+          );
+        }
+        return new Response(
+          JSON.stringify({ jti: body?.jti, revoked_at: new Date().toISOString() }),
+          { status: 200, headers: { "Content-Type": "application/json" } },
+        );
+      }
+      throw new Error(`unexpected fetch in test: ${url}`);
+    }) as typeof globalThis.fetch;
+  }
+
+  async function callTool(
+    vaultName: string,
+    auth: any,
+    toolName: string,
+    args: Record<string, unknown>,
+    callerBearer: string | null = JWT_BEARER,
+  ) {
+    const { handleScopedMcp } = await import("./mcp-http.ts");
+    const req = new Request(`http://localhost:1940/vault/${vaultName}/mcp`, {
+      method: "POST",
+      headers: {
+        "content-type": "application/json",
+        "accept": "application/json, text/event-stream",
+        ...(callerBearer ? { authorization: `Bearer ${callerBearer}` } : {}),
+      },
+      body: JSON.stringify({
+        jsonrpc: "2.0",
+        id: 1,
+        method: "tools/call",
+        params: { name: toolName, arguments: args },
+      }),
+    });
+    const res = await handleScopedMcp(req, vaultName, auth, callerBearer);
+    const body = await res.json() as any;
+    if (body.result?.content?.[0]?.text) {
+      try {
+        return { isError: !!body.result.isError, parsed: JSON.parse(body.result.content[0].text), raw: body };
+      } catch {
+        return { isError: !!body.result.isError, parsed: null, raw: body, text: body.result.content[0].text };
+      }
+    }
+    return { isError: false, parsed: null, raw: body };
+  }
+
+  async function setupAdminSession(prefix: string, scopedTags: string[] | null = null) {
+    const { writeVaultConfig } = await import("./config.ts");
+    const vaultName = `${prefix}-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+    writeVaultConfig({
+      name: vaultName,
+      api_keys: [],
+      created_at: new Date().toISOString(),
+    });
+    // Stable caller_jti so the session-pinned ledger can attribute mints.
+    // Scopes carry the resource-narrowed admin scope so validateMintedScopes +
+    // the visibility filter pass for THIS vault.
+    const auth: any = {
+      permission: "full",
+      scopes: [`vault:${vaultName}:read`, `vault:${vaultName}:write`, `vault:${vaultName}:admin`],
+      legacyDerived: false,
+      scoped_tags: scopedTags,
+      vault_name: vaultName,
+      caller_jti: `t_session${Math.random().toString(36).slice(2, 12)}`,
+    };
+    return { vaultName, auth };
+  }
+
+  test("mint proxies to hub mint-token with caller bearer + narrowed scope + ttl", async () => {
+    installHubStub();
+    const { vaultName, auth } = await setupAdminSession("mint-proxy");
+    const { closeAllStores } = await import("./vault-store.ts");
+    const { parsed } = await callTool(vaultName, auth, "manage-token", {
+      action: "mint",
+      scope: "vault:read",
+    });
+    expect(parsed.action).toBe("mint");
+    // Token is now a hub JWT (not pvt_*); jti is hub's returned jti.
+    expect(parsed.token).toMatch(/^eyJ\.minted\./);
+    expect(parsed.jti).toBe("hub_jti_1");
+    expect(parsed.scopes).toEqual([`vault:${vaultName}:read`]);
+    expect(parsed.vault_name).toBe(vaultName);
+    // One hub mint-token call carrying the caller bearer + narrowed scope.
+    const mint = hubCalls.find((c) => c.url.endsWith("/api/auth/mint-token"));
+    expect(mint).toBeDefined();
+    const headers = new Headers(mint!.init?.headers);
+    expect(headers.get("authorization")).toBe(`Bearer ${JWT_BEARER}`);
+    expect(mint!.body.scope).toBe(`vault:${vaultName}:read`);
+    expect(mint!.body.expires_in).toBe(900);
+    expect(mint!.body.permissions).toBeUndefined(); // unscoped caller
+    closeAllStores();
+  });
+
+  test("mint with custom TTL=3600 forwards expires_in=3600", async () => {
+    installHubStub();
+    const { vaultName, auth } = await setupAdminSession("mint-max");
+    const { closeAllStores } = await import("./vault-store.ts");
+    await callTool(vaultName, auth, "manage-token", { action: "mint", scope: "vault:read", ttl_seconds: 3600 });
+    const mint = hubCalls.find((c) => c.url.endsWith("/api/auth/mint-token"));
+    expect(mint!.body.expires_in).toBe(3600);
+    closeAllStores();
+  });
+
+  test("tag-scoped caller's mint includes permissions.scoped_tags", async () => {
+    installHubStub();
+    const { vaultName, auth } = await setupAdminSession("mint-scoped", ["task", "project"]);
+    const { closeAllStores } = await import("./vault-store.ts");
+    const { parsed } = await callTool(vaultName, auth, "manage-token", { action: "mint", scope: "vault:read" });
+    expect(parsed.scoped_tags).toEqual(["task", "project"]);
+    const mint = hubCalls.find((c) => c.url.endsWith("/api/auth/mint-token"));
+    expect(mint!.body.permissions).toEqual({ scoped_tags: ["task", "project"] });
+    closeAllStores();
+  });
+
+  test("mint with TTL=0 is rejected locally (no hub call)", async () => {
+    installHubStub();
+    const { vaultName, auth } = await setupAdminSession("mint-zero");
+    const { closeAllStores } = await import("./vault-store.ts");
+    const { parsed } = await callTool(vaultName, auth, "manage-token", { action: "mint", scope: "vault:read", ttl_seconds: 0 });
+    expect(parsed.error).toBe("invalid_request");
+    expect(hubCalls.length).toBe(0);
+    closeAllStores();
+  });
+
+  test("mint with TTL=3601 is rejected locally (over the 3600 cap)", async () => {
+    installHubStub();
+    const { vaultName, auth } = await setupAdminSession("mint-over");
+    const { closeAllStores } = await import("./vault-store.ts");
+    const { parsed } = await callTool(vaultName, auth, "manage-token", { action: "mint", scope: "vault:read", ttl_seconds: 3601 });
+    expect(parsed.error).toBe("invalid_request");
+    expect(hubCalls.length).toBe(0);
+    closeAllStores();
+  });
+
+  test("cross-vault / over-scope request is rejected locally (no hub call)", async () => {
+    installHubStub();
+    const { vaultName, auth } = await setupAdminSession("mint-subset");
+    const { closeAllStores } = await import("./vault-store.ts");
+    const { parsed } = await callTool(vaultName, auth, "manage-token", {
+      action: "mint",
+      scope: "vault:other-vault:write",
+    });
+    expect(parsed.error).toBe("forbidden");
+    expect(parsed.rejected).toBeDefined();
+    expect(hubCalls.length).toBe(0);
+    closeAllStores();
+  });
+
+  test("non-forwardable session (no JWT bearer) → clear mint error, no hub call", async () => {
+    installHubStub();
+    const { vaultName, auth } = await setupAdminSession("mint-nonfwd");
+    const { closeAllStores } = await import("./vault-store.ts");
+    // Env-var operator path: caller_jti present but the presented credential
+    // is a non-JWT secret → mint must refuse with a hub-JWT-required message.
+    const { parsed } = await callTool(vaultName, auth, "manage-token", { action: "mint", scope: "vault:read" }, "operator-env-secret");
+    expect(parsed.error).toBe("forbidden");
+    expect(parsed.message).toContain("hub-JWT session");
+    expect(hubCalls.length).toBe(0);
+    closeAllStores();
+  });
+
+  test("revoke own minted jti posts to hub revoke-token + idempotent second revoke", async () => {
+    installHubStub();
+    const { vaultName, auth } = await setupAdminSession("revoke-idem");
+    const { closeAllStores } = await import("./vault-store.ts");
+    const mint = await callTool(vaultName, auth, "manage-token", { action: "mint", scope: "vault:read" });
+    const jti = mint.parsed.jti;
+    const first = await callTool(vaultName, auth, "manage-token", { action: "revoke", jti });
+    expect(first.parsed.ok).toBe(true);
+    expect(first.parsed.already_revoked).toBe(false);
+    // First revoke posted to hub revoke-token with the caller bearer + jti.
+    const revoke = hubCalls.find((c) => c.url.endsWith("/api/auth/revoke-token"));
+    expect(revoke).toBeDefined();
+    expect(revoke!.body.jti).toBe(jti);
+    expect(new Headers(revoke!.init?.headers).get("authorization")).toBe(`Bearer ${JWT_BEARER}`);
+    // Second revoke is idempotent and does NOT re-hit hub (already revoked locally).
+    const revokeCallsBefore = hubCalls.filter((c) => c.url.endsWith("/api/auth/revoke-token")).length;
+    const second = await callTool(vaultName, auth, "manage-token", { action: "revoke", jti });
+    expect(second.parsed.ok).toBe(true);
+    expect(second.parsed.already_revoked).toBe(true);
+    const revokeCallsAfter = hubCalls.filter((c) => c.url.endsWith("/api/auth/revoke-token")).length;
+    expect(revokeCallsAfter).toBe(revokeCallsBefore);
+    closeAllStores();
+  });
+
+  test("cannot revoke another session's jti (session-pinned)", async () => {
+    installHubStub();
+    const { vaultName, auth } = await setupAdminSession("revoke-other");
+    const { closeAllStores, getVaultStore } = await import("./vault-store.ts");
+    const { recordMcpMintLedger } = await import("./token-store.ts");
+    // Seed a ledger row attributed to a DIFFERENT session.
+    const store = getVaultStore(vaultName);
+    recordMcpMintLedger(store.db, {
+      jti: "hub_jti_other",
+      parentJti: "t_othersession",
+      vaultName,
+      label: "other",
+      scopes: [`vault:${vaultName}:read`],
+      scopedTags: null,
+      expiresAt: new Date(Date.now() + 900_000).toISOString(),
+    });
+    const { parsed } = await callTool(vaultName, auth, "manage-token", { action: "revoke", jti: "hub_jti_other" });
+    // Not in THIS session's ledger → idempotent ok=true, but NO hub revoke call.
+    expect(parsed.ok).toBe(true);
+    expect(hubCalls.filter((c) => c.url.endsWith("/api/auth/revoke-token")).length).toBe(0);
+    closeAllStores();
+  });
+
+  test("list returns this session's hub-JWT mints, not other sessions'", async () => {
+    installHubStub();
+    const { vaultName, auth } = await setupAdminSession("list-session");
+    const { closeAllStores, getVaultStore } = await import("./vault-store.ts");
+    const { recordMcpMintLedger } = await import("./token-store.ts");
+
+    const m1 = await callTool(vaultName, auth, "manage-token", { action: "mint", scope: "vault:read", description: "alpha" });
+    const m2 = await callTool(vaultName, auth, "manage-token", { action: "mint", scope: "vault:read", description: "beta" });
+
+    // Seed another session's ledger row — must NOT appear in this list.
+    const store = getVaultStore(vaultName);
+    recordMcpMintLedger(store.db, {
+      jti: "hub_jti_foreign",
+      parentJti: "t_othersession",
+      vaultName,
+      label: "other-session-mint",
+      scopes: [`vault:${vaultName}:read`],
+      scopedTags: null,
+      expiresAt: null,
+    });
+
+    const { parsed } = await callTool(vaultName, auth, "manage-token", { action: "list" });
+    expect(parsed.action).toBe("list");
+    const jtis = parsed.tokens.map((t: any) => t.jti);
+    expect(jtis).toContain(m1.parsed.jti);
+    expect(jtis).toContain(m2.parsed.jti);
+    expect(jtis).not.toContain("hub_jti_foreign");
+    expect(parsed.tokens.length).toBe(2);
+    closeAllStores();
+  });
+
+  test("ledger row records parent_jti + hub jti for the minting session", async () => {
+    installHubStub();
+    const { vaultName, auth } = await setupAdminSession("ledger");
+    const { closeAllStores, getVaultStore } = await import("./vault-store.ts");
+    const { parsed } = await callTool(vaultName, auth, "manage-token", { action: "mint", scope: "vault:read" });
+    const store = getVaultStore(vaultName);
+    const row = store.db.prepare(
+      "SELECT jti, parent_jti, vault_name FROM mcp_mint_ledger WHERE jti = ?",
+    ).get(parsed.jti) as { jti: string; parent_jti: string; vault_name: string };
+    expect(row.jti).toBe(parsed.jti);
+    expect(row.parent_jti).toBe(auth.caller_jti);
+    expect(row.vault_name).toBe(vaultName);
+    closeAllStores();
+  });
+
+  // hub#454 made `vault:<N>:admin` sufficient to revoke an in-authority jti
+  // (capability attenuation, symmetric to mint), so the hub round-trip is now
+  // the expected-SUCCESS path. This asserts the success contract end-to-end:
+  // the caller's `vault:<N>:admin` bearer is forwarded, hub returns 200, and
+  // the local ledger row is flipped to revoked.
+  test("revoke success path: caller's vault:admin bearer revokes at hub + marks ledger (hub#454)", async () => {
+    installHubStub();
+    const { vaultName, auth } = await setupAdminSession("revoke-success");
+    const { closeAllStores, getVaultStore } = await import("./vault-store.ts");
+    const mint = await callTool(vaultName, auth, "manage-token", { action: "mint", scope: "vault:admin" });
+    const jti = mint.parsed.jti;
+
+    const res = await callTool(vaultName, auth, "manage-token", { action: "revoke", jti });
+    expect(res.parsed.ok).toBe(true);
+    expect(res.parsed.already_revoked).toBe(false);
+    expect(res.parsed.error).toBeUndefined();
+
+    // Hub revoke-token was called with the caller's vault:admin bearer + jti.
+    const revoke = hubCalls.find((c) => c.url.endsWith("/api/auth/revoke-token"));
+    expect(revoke).toBeDefined();
+    expect(revoke!.body.jti).toBe(jti);
+    expect(new Headers(revoke!.init?.headers).get("authorization")).toBe(`Bearer ${JWT_BEARER}`);
+
+    // Local ledger row is now marked revoked.
+    const store = getVaultStore(vaultName);
+    const row = store.db.prepare(
+      "SELECT revoked_at FROM mcp_mint_ledger WHERE jti = ?",
+    ).get(jti) as { revoked_at: string | null };
+    expect(row.revoked_at).not.toBeNull();
+    closeAllStores();
+  });
+
+  test("caller_jti: null session → list returns empty", async () => {
+    installHubStub();
+    const { vaultName, auth } = await setupAdminSession("null-list");
+    const { closeAllStores } = await import("./vault-store.ts");
+    // Env-var operator / legacy session: no stable session id.
+    auth.caller_jti = null;
+    const { parsed } = await callTool(vaultName, auth, "manage-token", { action: "list" });
+    expect(parsed.action).toBe("list");
+    expect(parsed.tokens).toEqual([]);
+    closeAllStores();
+  });
+
+  test("caller_jti: null session → revoke returns not_found, no hub call", async () => {
+    installHubStub();
+    const { vaultName, auth } = await setupAdminSession("null-revoke");
+    const { closeAllStores } = await import("./vault-store.ts");
+    auth.caller_jti = null;
+    const { parsed } = await callTool(vaultName, auth, "manage-token", { action: "revoke", jti: "hub_jti_anything" });
+    expect(parsed.ok).toBe(false);
+    expect(parsed.error).toBe("not_found");
+    expect(hubCalls.filter((c) => c.url.endsWith("/api/auth/revoke-token")).length).toBe(0);
+    closeAllStores();
+  });
+
+  test("list isolation across vaults: vault-A session never sees a vault-B ledger row", async () => {
+    installHubStub();
+    const { vaultName, auth } = await setupAdminSession("list-vault-iso");
+    const { closeAllStores, getVaultStore } = await import("./vault-store.ts");
+    const { recordMcpMintLedger } = await import("./token-store.ts");
+
+    // Mint one in THIS (vault-A) session.
+    const m1 = await callTool(vaultName, auth, "manage-token", { action: "mint", scope: "vault:read" });
+
+    // Seed a ledger row attributed to the SAME parent_jti but a DIFFERENT
+    // vault — the list query scopes on (parent_jti, vault_name), so this
+    // foreign-vault row must not leak into vault-A's list.
+    const store = getVaultStore(vaultName);
+    recordMcpMintLedger(store.db, {
+      jti: "hub_jti_vaultB",
+      parentJti: auth.caller_jti, // same session id, different vault
+      vaultName: `${vaultName}-OTHER`,
+      label: "vault-B mint",
+      scopes: [`vault:${vaultName}-OTHER:read`],
+      scopedTags: null,
+      expiresAt: null,
+    });
+
+    const { parsed } = await callTool(vaultName, auth, "manage-token", { action: "list" });
+    const jtis = parsed.tokens.map((t: any) => t.jti);
+    expect(jtis).toContain(m1.parsed.jti);
+    expect(jtis).not.toContain("hub_jti_vaultB");
+    expect(parsed.tokens.length).toBe(1);
+    closeAllStores();
+  });
+
+  // INSERT OR IGNORE (not OR REPLACE): a duplicate jti record (a hub jti
+  // collision — shouldn't happen) must NOT overwrite the existing row, because
+  // that would silently reset a previously-set revoked_at and resurrect a
+  // revoked token.
+  test("recordMcpMintLedger duplicate jti preserves the existing row's revoked_at", async () => {
+    const { vaultName, auth } = await setupAdminSession("ledger-dup");
+    const { closeAllStores, getVaultStore } = await import("./vault-store.ts");
+    const { recordMcpMintLedger, markMcpMintLedgerRevoked, findMcpMintLedgerEntry } =
+      await import("./token-store.ts");
+    const store = getVaultStore(vaultName);
+
+    recordMcpMintLedger(store.db, {
+      jti: "hub_jti_dup",
+      parentJti: auth.caller_jti,
+      vaultName,
+      label: "first",
+      scopes: [`vault:${vaultName}:read`],
+      scopedTags: null,
+      expiresAt: null,
+    });
+    // Revoke it (sets revoked_at).
+    markMcpMintLedgerRevoked(store.db, "hub_jti_dup", auth.caller_jti, vaultName);
+    const before = findMcpMintLedgerEntry(store.db, "hub_jti_dup", auth.caller_jti, vaultName);
+    expect(before!.revoked_at).not.toBeNull();
+
+    // A second record with the same jti must be IGNORED — revoked_at survives.
+    recordMcpMintLedger(store.db, {
+      jti: "hub_jti_dup",
+      parentJti: auth.caller_jti,
+      vaultName,
+      label: "second (collision)",
+      scopes: [`vault:${vaultName}:read`],
+      scopedTags: null,
+      expiresAt: null,
+    });
+    const after = findMcpMintLedgerEntry(store.db, "hub_jti_dup", auth.caller_jti, vaultName);
+    expect(after!.revoked_at).toBe(before!.revoked_at); // unchanged, not reset to NULL
+    closeAllStores();
+  });
+});
+
 describe("extractApiKey", () => {
   test("extracts from Authorization: Bearer header", () => {
     const req = new Request("http://localhost/api/notes", {