@openparachute/vault 0.4.8 → 0.4.9-rc.11

package/src/auto-transcribe.test.ts

@@ -69,11 +69,16 @@ describe("shouldAutoTranscribe", () => {
     })).toBe(false);
   });
 
-  test("skips when enabled is unset (no auto_transcribe block in config)", () => {
+  test("fires when enabled is unset — unset config means ON", () => {
+    // Default behavior (no `auto_transcribe` block in config) is opt-out:
+    // once an operator has scribe reachable, audio attachments transcribe
+    // automatically. Operators wanting it OFF set
+    // `auto_transcribe.enabled: false` explicitly. Previously default-off;
+    // flipped to default-on so installing scribe is the only opt-in signal.
     expect(shouldAutoTranscribe("audio/wav", {
       readGlobalConfigImpl: readGlobalConfig(undefined),
       getCachedScribeUrlImpl: scribePresent,
-    })).toBe(false);
+    })).toBe(true);
   });
 
   test("skips when scribe URL is undefined (no services.json entry, no env)", () => {

package/src/auto-transcribe.ts

@@ -19,7 +19,11 @@ import { getCachedScribeUrl } from "./scribe-discovery.ts";
  *
  * Returns `true` only when ALL three conditions hold:
  *   1. mime-type starts with `audio/` (case-insensitive).
- *   2. `globalConfig.auto_transcribe?.enabled === true`.
+ *   2. `globalConfig.auto_transcribe?.enabled` is not explicitly false.
+ *      Default behavior (when unset) is ON — once an operator has scribe
+ *      reachable, audio attachments transcribe automatically without a
+ *      separate config step. Operators who want it OFF set
+ *      `auto_transcribe.enabled: false` explicitly.
  *   3. Scribe is discoverable (services.json entry OR SCRIBE_URL env).
  *
  * The three conditions are independent guards: a single `false` is sufficient
@@ -40,7 +44,7 @@ export function shouldAutoTranscribe(
   }
   const enabled = opts.enabledOverride
     ?? (opts.readGlobalConfigImpl ?? readGlobalConfig)().auto_transcribe?.enabled
-    ?? false;
+    ?? true;
   if (!enabled) return false;
   const url = (opts.getCachedScribeUrlImpl ?? getCachedScribeUrl)();
   if (!url || !url.trim()) return false;

package/src/cli.ts

@@ -222,6 +222,9 @@ switch (command) {
   case "export":
     await cmdExport(cmdArgs);
     break;
+  case "schema":
+    await cmdSchema(cmdArgs);
+    break;
   case "help":
   case "--help":
   case "-h":
@@ -933,11 +936,10 @@ function takeArgValue(args: string[], name: string): { value?: string; missingVa
  * Targeting:
  *   --scope <verb>        vault:read | vault:write | vault:admin (default: vault:read).
  *                         For --mint, expands to vault:<vault-name>:<verb>.
- *                         vault:admin requires --legacy-pat — hub policy makes
- *                         per-vault admin non-requestable via mint-token (it's
- *                         operator-only, minted only through the session-
- *                         cookie-gated admin SPA endpoint), so --mint + admin
- *                         is rejected pre-flight.
+ *                         vault:admin is mintable via --mint as of hub PR-A
+ *                         (hub#449): hub mints per-vault admin when the operator
+ *                         bearer carries parachute:host:admin (the default
+ *                         operator.token does). Requires a hub running PR-A.
  *   --install-scope <s>   local (default) | user | project. local writes to
  *                         ~/.claude.json under projects[<cwd>].mcpServers
  *                         (private, this directory only — matches Claude
@@ -1307,7 +1309,7 @@ async function executeMcpInstall(opts: ExecuteMcpInstallOpts): Promise<void> {
     console.error(
       "Note: --legacy-pat mints a vault-DB pvt_* token. The hub-issued JWT path (--mint, default) " +
         "is the canonical install going forward; pvt_* support is preserved for self-hosted-without-hub " +
-        "setups, tracked at vault#288, planned removal 0.6.0.",
+        "setups, tracked at vault#282, planned removal 0.6.0.",
     );
     const store = getVaultStore(vaultName);
     const { fullToken } = generateToken();
@@ -1326,28 +1328,13 @@ async function executeMcpInstall(opts: ExecuteMcpInstallOpts): Promise<void> {
     bearer = fullToken;
   } else {
     // mode === "mint"
-    // Pre-flight: hub policy rejects `vault:<name>:admin` via the public
-    // mint-token endpoint. Per-vault admin is operator-only, mintable
-    // only through the session-cookie-gated `/admin/vault-admin-token/:name`
-    // SPA path. Calling hub with admin would surface a 400:
-    //   "Hub mint-token rejected (HTTP 400, invalid_scope):
-    //    scope vault:default:admin is not requestable via mint-token;
-    //    use OAuth flow or operator rotation"
-    // Fail early with the actionable remediation rather than letting
-    // the operator chase the hub's wire-level error. See
-    // `parachute-hub/src/scope-explanations.ts` (VAULT_ADMIN_RE) and
-    // `parachute-hub/src/api-mint-token.ts` (non-requestable guard).
-    if (verb === "admin") {
-      console.error(
-        "Hub policy: vault:<name>:admin is not requestable via mint-token " +
-          "(per-vault admin is operator-only, minted only by the session-cookie-gated " +
-          "admin SPA at <hub>/admin/vaults/" + vaultName + ").\n" +
-          "  Fix: use `--legacy-pat --scope vault:admin` to mint a vault-DB pvt_* with admin scope " +
-          "(the right shape for an MCP entry needing schema management).\n" +
-          "  Or:  drop --scope to default to vault:read (least privilege), or use --scope vault:write.",
-      );
-      process.exit(1);
-    }
+    // `vault:<name>:admin` is mintable via the hub mint-token endpoint as
+    // of hub PR-A (hub#449): the hub mints per-vault admin when the calling
+    // operator bearer carries `parachute:host:admin` (which the default
+    // operator.token does). No admin pre-flight reject — the narrowScope
+    // below produces `vault:<name>:admin` and the hub honors it. This
+    // requires a hub running PR-A; older hubs reject admin with HTTP 400
+    // invalid_scope, surfaced via the api-error branch below.
     const operatorToken = readOperatorToken();
     if (!operatorToken) {
       console.error(
@@ -1391,6 +1378,17 @@ async function executeMcpInstall(opts: ExecuteMcpInstallOpts): Promise<void> {
           console.error(
             `Hub mint-token rejected (HTTP ${result.status}, ${result.error}): ${result.description}`,
           );
+          // Older hubs (pre-hub#449) reject vault:<name>:admin as a
+          // non-requestable scope with HTTP 400 invalid_scope. Surface an
+          // actionable hint so the operator reaches for the upgrade rather
+          // than chasing the wire-level error.
+          if (result.status === 400 && verb === "admin") {
+            console.error(
+              "  Hint: minting vault:admin requires a hub with per-vault admin mint support " +
+                "(hub#449). Your hub may predate it — upgrade the hub, or use --legacy-pat for " +
+                "a vault-DB pvt_* admin token instead.",
+            );
+          }
           break;
       }
       process.exit(1);
@@ -3217,6 +3215,92 @@ async function cmdExport(args: string[]) {
   await new Promise(() => {});
 }
 
+// ---------------------------------------------------------------------------
+// Schema maintenance — `parachute-vault schema <subcommand>`
+// ---------------------------------------------------------------------------
+
+/**
+ * `parachute-vault schema prune` — drop orphaned indexed-field columns +
+ * indexes whose declaring tags no longer exist (the gitcoin orphaned-fields
+ * bug). Dry-run by default; `--apply` (alias `--yes`) executes. A field
+ * co-declared by a still-live tag is never dropped — only the dead declarers
+ * are trimmed. Dropping a generated column loses only the index; the source
+ * values stay in notes.metadata, so the column rebuilds when the field is
+ * declared again.
+ */
+async function cmdSchema(args: string[] = []) {
+  const sub = args[0];
+  if (sub !== "prune") {
+    console.error("Usage: parachute-vault schema prune [--vault <name>] [--dry-run|--apply|--yes]");
+    console.error("\nSubcommands:");
+    console.error("  prune    Drop orphaned indexed-field columns whose declaring tags are gone.");
+    console.error("           Dry-run by default (--dry-run is an explicit alias); pass --apply (or --yes) to execute.");
+    process.exit(1);
+  }
+
+  let vaultName = "default";
+  let apply = false;
+  for (let i = 1; i < args.length; i++) {
+    const arg = args[i]!;
+    if (arg === "--vault") {
+      const v = args[++i];
+      if (!v) {
+        console.error("--vault requires a value.");
+        process.exit(1);
+      }
+      vaultName = v;
+    } else if (arg === "--apply" || arg === "--yes") {
+      apply = true;
+    } else if (arg === "--dry-run") {
+      // Dry-run is the default; accept the flag as an explicit affirmative
+      // for convention + scriptability. --apply wins if both are passed.
+    } else {
+      console.error(`Unknown flag for \`schema prune\`: ${arg}`);
+      process.exit(1);
+    }
+  }
+
+  const config = readVaultConfig(vaultName);
+  if (!config) {
+    console.error(`Vault "${vaultName}" not found.`);
+    process.exit(1);
+  }
+
+  const { getVaultStore } = await import("./vault-store.ts");
+  const store = getVaultStore(vaultName);
+  const plan = await store.pruneIndexedFields({ dryRun: !apply });
+
+  const dropped = plan.filter((p) => p.dropped);
+  const trimmed = plan.filter((p) => !p.dropped);
+
+  if (plan.length === 0) {
+    console.log(`No orphaned indexed fields in vault "${vaultName}". Nothing to prune.`);
+    return;
+  }
+
+  console.log(
+    apply
+      ? `Pruned orphaned indexed fields in vault "${vaultName}":`
+      : `Would prune orphaned indexed fields in vault "${vaultName}" (dry-run):`,
+  );
+  for (const p of dropped) {
+    console.log(
+      `  ${apply ? "DROPPED" : "drop  "} ${p.field}  (dead declarers: ${p.deadDeclarers.join(", ")})`,
+    );
+  }
+  for (const p of trimmed) {
+    console.log(
+      `  ${apply ? "TRIMMED" : "trim  "} ${p.field}  (removed dead declarers: ${p.deadDeclarers.join(", ")}; column kept — still co-declared)`,
+    );
+  }
+  console.log(
+    `\n${apply ? "Dropped" : "Would drop"} ${dropped.length} orphaned field(s); ${apply ? "trimmed" : "would trim"} ${trimmed.length} co-declared field(s).`,
+  );
+  if (!apply) {
+    console.log("Re-run with --apply (or --yes) to execute.");
+  }
+}
+
 // ---------------------------------------------------------------------------
 // Export-watch glue. The git-shell + commit-message logic lives in
 // `./export-watch.ts` for unit-testability; cli.ts just wires it in.
@@ -3408,14 +3492,15 @@ Vaults:
                                             --token <t>: paste an existing bearer
                                             (any shape) instead of minting.
                                             --legacy-pat: mint a vault-DB pvt_*
-                                            token (deprecated; for self-hosted-
-                                            without-hub setups). Also the only
-                                            path for --scope vault:admin — hub
-                                            policy reserves per-vault admin for
-                                            operator-only minting (the admin SPA
-                                            session-cookie path), so --mint
-                                            --scope vault:admin is rejected
-                                            pre-flight.
+                                            token (deprecated, vault#282; removal
+                                            0.6.0; for self-hosted-without-hub
+                                            setups).
+                                            --scope vault:admin IS mintable via
+                                            --mint (hub#449): hub mints
+                                            vault:<name>:admin when the operator
+                                            bearer carries parachute:host:admin
+                                            (the default operator.token does).
+                                            Requires a hub running hub#449.
                                             --install-scope local (default) writes
                                             ~/.claude.json under
                                             projects[<cwd>].mcpServers (this
@@ -3513,6 +3598,16 @@ Import/Export:
                                                        template via --git-message-template;
                                                        --git-push to push after commit)
 
+Schema maintenance:
+  parachute-vault schema prune [--vault <name>]       Drop orphaned indexed-field columns +
+                                                       indexes whose declaring tags no longer
+                                                       exist. Dry-run by default (--dry-run is an
+                                                       explicit alias) — prints the drop plan
+                                                       without changing anything.
+  parachute-vault schema prune --apply                Execute the prune (alias: --yes). Co-declared
+                                                       fields keep their column; a drop loses only
+                                                       the index (data lives in notes.metadata).
+
 ── Advanced / standalone ──────────────────────────────────────────────
 
 Direct daemon controls. For normal use, prefer the Parachute Hub wrappers

package/src/config.ts

@@ -34,8 +34,11 @@ import { existsSync, readFileSync, writeFileSync, mkdirSync, chmodSync, renameSy
 import crypto from "node:crypto";
 
 import {
+  // vault#400: only the PARSE side is used here now — to detect a legacy
+  // server-wide `mirror:` block so the boot migration can relocate it to the
+  // owning vault's per-vault file. `writeGlobalConfig` no longer serializes a
+  // mirror block (per-vault writes live in `mirror-config.ts`).
   parseMirrorConfig as parseMirrorSectionFromYaml,
-  serializeMirrorConfig as serializeMirrorSection,
   type MirrorConfig as MirrorConfigType,
 } from "./mirror-config.ts";
 
@@ -1330,9 +1333,14 @@ export function writeGlobalConfig(config: GlobalConfig): void {
     lines.push(...serializeBackup(config.backup));
   }
 
-  if (config.mirror) {
-    lines.push(...serializeMirrorSection(config.mirror));
-  }
+  // vault#400: mirror config is now PER-VAULT (`data/<vault>/mirror-config.yaml`),
+  // not a server-wide block here. `writeGlobalConfig` deliberately does NOT
+  // re-emit a `mirror:` block — doing so would resurrect the legacy
+  // server-wide config the boot migration just commented out, re-introducing
+  // the "same remote on every vault page" bug. `readGlobalConfig` still parses
+  // a legacy block (below) so the one-time migration can detect + relocate it.
+  // `serializeMirrorSection` remains used by the per-vault writer in
+  // `mirror-config.ts`.
 
   if (config.auto_transcribe) {
     lines.push("auto_transcribe:");

package/src/export-watch.test.ts

@@ -27,6 +27,7 @@ import {
   DEFAULT_COMMIT_TEMPLATE,
   gitAddAll,
   gitCommit,
+  gitPush,
   gitUnstageAll,
   isGitRepo,
   listStagedFiles,
@@ -315,6 +316,79 @@ describe("git-shell helpers", () => {
   });
 });
 
+// ---------------------------------------------------------------------------
+// 2b. gitPush — first-push upstream tracking (Cut 4 of vault#392)
+//
+// A freshly-bootstrapped mirror has commits but no upstream branch.
+// Bare `git push` fails with "fatal: The current branch X has no upstream
+// branch." gitPush now detects the missing-upstream case and falls back
+// to `git push -u origin <branch>`. Subsequent pushes go bare.
+// ---------------------------------------------------------------------------
+
+describe("gitPush — upstream tracking", () => {
+  let workdir: string;
+  let remote: string;
+  beforeEach(() => {
+    workdir = makeTmp("vault-push-work-");
+    remote = makeTmp("vault-push-remote-");
+    // Bare repo as the "remote" — `git push` to it lands like any real remote.
+    Bun.spawnSync(["git", "init", "--bare", "-q", "-b", "main"], { cwd: remote });
+    initGitRepo(workdir);
+    Bun.spawnSync(["git", "remote", "add", "origin", remote], { cwd: workdir });
+    fs.writeFileSync(path.join(workdir, "seed.md"), "# seed\n");
+    Bun.spawnSync(["git", "add", "-A"], { cwd: workdir });
+    Bun.spawnSync(["git", "commit", "-q", "-m", "initial"], { cwd: workdir });
+  });
+  afterEach(() => {
+    fs.rmSync(workdir, { recursive: true, force: true });
+    fs.rmSync(remote, { recursive: true, force: true });
+  });
+
+  test("first push to a fresh remote establishes upstream tracking", async () => {
+    // Pre-Cut-4 this failed with "no upstream branch."
+    const result = await gitPush(workdir);
+    expect(result.ok).toBe(true);
+    // Verify upstream is now set so subsequent pushes can be bare.
+    const upstream = Bun.spawnSync(
+      ["git", "rev-parse", "--abbrev-ref", "--symbolic-full-name", "@{u}"],
+      { cwd: workdir, stdout: "pipe" },
+    );
+    expect(upstream.exitCode).toBe(0);
+    expect(
+      new TextDecoder().decode(upstream.stdout).trim(),
+    ).toBe("origin/main");
+  });
+
+  test("subsequent push (upstream already set) succeeds bare", async () => {
+    // First push wires the upstream.
+    await gitPush(workdir);
+    // Make another commit, push again — should succeed.
+    fs.writeFileSync(path.join(workdir, "n.md"), "# n\n");
+    Bun.spawnSync(["git", "add", "-A"], { cwd: workdir });
+    Bun.spawnSync(["git", "commit", "-q", "-m", "second"], { cwd: workdir });
+    const result = await gitPush(workdir);
+    expect(result.ok).toBe(true);
+  });
+
+  test("push with no remote configured surfaces the error (back-compat)", async () => {
+    // Same shape as the existing "no remote" test in runGitCommitCycle —
+    // the branch probe returns a branch but no upstream, gitPush falls
+    // back to `git push -u origin main`, which fails because there's no
+    // `origin` remote configured.
+    const localOnly = makeTmp("vault-push-noremote-");
+    initGitRepo(localOnly);
+    fs.writeFileSync(path.join(localOnly, "x.md"), "# x\n");
+    Bun.spawnSync(["git", "add", "-A"], { cwd: localOnly });
+    Bun.spawnSync(["git", "commit", "-q", "-m", "x"], { cwd: localOnly });
+    const result = await gitPush(localOnly);
+    expect(result.ok).toBe(false);
+    // Doesn't matter what the exact error is — just that it's non-fatal
+    // (gitPush returns rather than throws).
+    expect(typeof result.stderr).toBe("string");
+    fs.rmSync(localOnly, { recursive: true, force: true });
+  });
+});
+
 // ---------------------------------------------------------------------------
 // 3. runGitCommitCycle — stage → decide → commit → push
 // ---------------------------------------------------------------------------

package/src/export-watch.ts

@@ -121,11 +121,72 @@ export async function gitCommit(
   return { ok: exitCode === 0, stderr: stderr.trim() };
 }
 
-/** Run `git push` in `repoDir`. Returns true on success. */
+/**
+ * Run `git push` in `repoDir`. Returns true on success.
+ *
+ * Handles the first-push case: a freshly-bootstrapped mirror has
+ * commits but no upstream tracking, and a bare `git push` fails with
+ * "fatal: The current branch X has no upstream branch." That's
+ * unrecoverable from the operator's POV — they'd have to drop to a
+ * shell and run `git push -u origin main`. The wiring here detects the
+ * missing-upstream case ahead of time and falls back to `git push -u
+ * origin <branch>` so the first push works and every subsequent push
+ * picks up the now-configured tracking.
+ *
+ * Vault#382 carried bare `git push`; this is the Cut 4 fix in the
+ * credentials-save round-trip work.
+ */
 export async function gitPush(
   repoDir: string,
 ): Promise<{ ok: boolean; stderr: string }> {
-  const proc = Bun.spawn(["git", "push"], {
+  // Resolve the current branch name. `git rev-parse --abbrev-ref HEAD`
+  // returns the branch on a checked-out branch (e.g. "main"); on a
+  // detached HEAD it returns "HEAD" — in that case we bail to bare push
+  // since `-u origin HEAD` doesn't mean anything useful.
+  let branch: string | null = null;
+  try {
+    const branchProc = Bun.spawn(["git", "rev-parse", "--abbrev-ref", "HEAD"], {
+      cwd: repoDir,
+      stdout: "pipe",
+      stderr: "pipe",
+    });
+    const branchCode = await branchProc.exited;
+    if (branchCode === 0) {
+      const out = new TextDecoder()
+        .decode(await new Response(branchProc.stdout).arrayBuffer())
+        .trim();
+      if (out.length > 0 && out !== "HEAD") branch = out;
+    }
+  } catch {
+    // Fall through to bare push.
+  }
+
+  // Probe for an existing upstream. `git rev-parse --abbrev-ref
+  // --symbolic-full-name @{u}` exits non-zero when no upstream is
+  // configured for the current branch. Exit 0 + a value → upstream
+  // exists; bare `git push` is fine.
+  let hasUpstream = false;
+  if (branch !== null) {
+    const upstreamProc = Bun.spawn(
+      ["git", "rev-parse", "--abbrev-ref", "--symbolic-full-name", "@{u}"],
+      {
+        cwd: repoDir,
+        stdout: "pipe",
+        stderr: "pipe",
+      },
+    );
+    const upstreamCode = await upstreamProc.exited;
+    hasUpstream = upstreamCode === 0;
+  }
+
+  // First-push path: `git push -u origin <branch>` to establish
+  // tracking. Subsequent calls take the bare path because hasUpstream
+  // will be true after this lands.
+  const cmd =
+    branch !== null && !hasUpstream
+      ? ["git", "push", "-u", "origin", branch]
+      : ["git", "push"];
+  const proc = Bun.spawn(cmd, {
     cwd: repoDir,
     stdout: "pipe",
     stderr: "pipe",
@@ -190,7 +251,14 @@ export function shouldCommit(stagedFiles: string[], notesChanged: number): {
 
 /**
  * Stage → decide → commit → optionally push. Logs status to stdout/stderr.
- * Returns whether a commit landed.
+ * Returns whether a commit landed and (when push was attempted) the
+ * push outcome — so callers can surface push status in their UIs
+ * without having to grep logs.
+ *
+ * Cut 5: the return shape now includes a `push` field with the outcome
+ * when push was attempted. Tokens are redacted from `push.error` via
+ * the userinfo + `gho_/ghp_/glpat-` regex so log + status surfaces are
+ * safe to display.
  */
 export async function runGitCommitCycle(opts: {
   repoDir: string;
@@ -201,7 +269,11 @@ export async function runGitCommitCycle(opts: {
   push: boolean;
   /** Override for tests — defaults to `new Date().toISOString()`. */
   now?: () => string;
-}): Promise<{ committed: boolean; message?: string }> {
+}): Promise<{
+  committed: boolean;
+  message?: string;
+  push?: { attempted: true; ok: boolean; error?: string };
+}> {
   const now = opts.now ?? (() => new Date().toISOString());
 
   const add = await gitAddAll(opts.repoDir);
@@ -245,11 +317,40 @@ export async function runGitCommitCycle(opts: {
     if (!pushResult.ok) {
       // Non-fatal — a network blip shouldn't kill a watch loop. Warn and
       // move on; the next successful commit's push will catch up history.
-      console.warn(`[git-commit] git push failed (non-fatal): ${pushResult.stderr}`);
-    } else {
-      console.log(`[git-commit] pushed`);
+      const redacted = redactToken(pushResult.stderr);
+      console.warn(`[git-commit] git push failed (non-fatal): ${redacted}`);
+      return {
+        committed: true,
+        message,
+        push: { attempted: true, ok: false, error: redacted },
+      };
     }
+    console.log(`[git-commit] pushed`);
+    return { committed: true, message, push: { attempted: true, ok: true } };
   }
 
   return { committed: true, message };
 }
+
+/**
+ * Redact tokens from a string that came back from `git push` /
+ * `git ls-remote` stderr. Same pattern as `redactRemoteUrl` for full
+ * URLs; also handles bare `gho_*`/`ghp_*`/`glpat-*` tokens that
+ * sometimes show up in git error messages.
+ *
+ * Best-effort — git's error format isn't a stable contract, so we
+ * scrub the obvious patterns and accept that a really unusual
+ * formatting could slip through. The credentials file is the
+ * authoritative store; logs are diagnostic.
+ */
+export function redactToken(text: string): string {
+  return text
+    // userinfo (https://user:token@host/…)
+    .replace(/https?:\/\/[^@\s]+@/g, "https://***@")
+    // bare GitHub OAuth tokens
+    .replace(/gho_[A-Za-z0-9_]{8,}/g, "gho_***")
+    // bare GitHub PATs
+    .replace(/ghp_[A-Za-z0-9_]{8,}/g, "ghp_***")
+    // bare GitLab PATs
+    .replace(/glpat-[A-Za-z0-9_-]{8,}/g, "glpat-***");
+}