@openparachute/vault 0.4.9-rc.9 → 0.5.0-rc.2

package/src/routing.ts

@@ -64,7 +64,6 @@ import {
   type TagScopeCtx,
 } from "./routes.ts";
 import { expandTokenTagScope } from "./tag-scope.ts";
-import { handleTokens } from "./tokens-routes.ts";
 import {
   handleProtectedResource,
   handleAuthorizationServer,
@@ -127,12 +126,11 @@ async function withMcpChallenge(
 async function isViewAuthenticated(
   req: Request,
   vaultConfig: VaultConfig | null,
-  vaultDb?: import("bun:sqlite").Database,
 ): Promise<boolean> {
   if (!vaultConfig) return false;
   const key = extractApiKey(req);
   if (!key) return false;
-  const auth = await authenticateVaultRequest(req, vaultConfig, vaultDb);
+  const auth = await authenticateVaultRequest(req, vaultConfig);
   return !("error" in auth);
 }
 
@@ -334,7 +332,7 @@ export async function route(
   const vaultViewMatch = subpath.match(/^\/view\/(.+)$/);
   if (vaultViewMatch && req.method === "GET") {
     const store = getVaultStore(vaultName);
-    const authenticated = await isViewAuthenticated(req, vaultConfig, store.db);
+    const authenticated = await isViewAuthenticated(req, vaultConfig);
     return handleViewNote(store, decodeURIComponent(vaultViewMatch[1]!), {
       authenticated,
       publishedTag: vaultConfig.published_tag,
@@ -395,7 +393,7 @@ export async function route(
     // (worker intervals, TTLs, retention policy) but are still configuration
     // an attacker could use to map the deployment. `vault:admin` keeps the
     // hub's loopback workflow intact while locking out read-only tokens.
-    const configAuth = await authenticateVaultRequest(req, vaultConfig, getVaultStore(vaultName).db);
+    const configAuth = await authenticateVaultRequest(req, vaultConfig);
     if ("error" in configAuth) return configAuth.error;
     if (!hasScopeForVault(configAuth.scopes, vaultName, "admin")) {
       return Response.json(
@@ -430,7 +428,7 @@ export async function route(
   // ---------------------------------------------------------------------
 
   const store = getVaultStore(vaultName);
-  const auth = await authenticateVaultRequest(req, vaultConfig, store.db);
+  const auth = await authenticateVaultRequest(req, vaultConfig);
   const isScopedMcp = subpath === "/mcp" || subpath.startsWith("/mcp/");
   if ("error" in auth) {
     return isScopedMcp ? withMcpChallenge(auth.error, req, vaultName) : auth.error;
@@ -438,7 +436,15 @@ export async function route(
 
   // MCP (per-vault, single-vault session).
   if (isScopedMcp) {
-    return handleScopedMcp(req, vaultName, auth);
+    // Thread the RAW caller bearer (the exact credential the session
+    // presented) into the MCP layer so the manage-token tool can forward it
+    // to hub's mint-token attenuation proxy (vault#403, MGT). Only the raw
+    // validated bearer — never a fabricated one. extractApiKey returns the
+    // same value `authenticateVaultRequest` validated above; non-forwardable
+    // credentials (env-var secret, legacy pvt_*) are handled by manage-token
+    // itself (it only forwards JWT-shaped bearers).
+    const callerBearer = extractApiKey(req);
+    return handleScopedMcp(req, vaultName, auth, callerBearer);
   }
 
   // Bare `/vault/<name>` — single-vault root. Returns name, description,
@@ -456,40 +462,18 @@ export async function route(
     });
   }
 
-  // /tokens — admin-gated REST surface for minting/listing/revoking pvt_*
-  // tokens. Admin gate applies to every method (POST/GET/DELETE) since both
-  // the plaintext mint and the metadata listing are sensitive — knowing
-  // labels and scopes of issued tokens leaks the deployment's auth shape.
-  // The handler's POST path applies a strict subset check on requested
-  // scopes via `validateMintedScopes` (defense-in-depth: cross-vault and
-  // privilege-escalation rejections survive even if this gate is later
-  // relaxed).
-  const tokensMatch = subpath.match(/^\/tokens(\/.*)?$/);
-  if (tokensMatch) {
-    if (!hasScopeForVault(auth.scopes, vaultName, "admin")) {
-      return Response.json(
-        {
-          error: "Forbidden",
-          error_type: "insufficient_scope",
-          message: `This endpoint requires the '${SCOPE_ADMIN}' scope (or '${SCOPE_ADMIN.replace("vault:", `vault:${vaultName}:`)}').`,
-          required_scope: SCOPE_ADMIN,
-          granted_scopes: auth.scopes,
-        },
-        { status: 403 },
-      );
-    }
-    return handleTokens(req, store, vaultName, auth.scopes, auth.scoped_tags, tokensMatch[1] ?? "");
-  }
-
-  // /.parachute/mirror — vault-sync Phase A1. Admin-gated read+write of
-  // the persistent mirror config + runtime status. Lives under
-  // `.parachute/` (alongside info/icon/config) rather than `admin/`
-  // because `/vault/<name>/admin/*` is reserved for the admin SPA's
-  // static-file mount; the API surface goes under `.parachute/` by the
-  // module-protocol convention. Per the design doc, the hub admin SPA
-  // (Phase A2 — future PR) is the eventual primary consumer; for Phase
-  // A1 these endpoints unblock direct API callers and the by-hand
-  // config workflow.
+  // The per-vault `/tokens` REST surface (pvt_* mint/list/revoke) was removed
+  // at 0.5.0 (vault#282 Stage 2 — vault is a pure hub resource-server). Hub
+  // JWTs are minted via hub's registry (`/api/auth/mint-token`); a `/tokens`
+  // request now falls through to the catch-all 404 below.
+
+  // /.parachute/mirror — Admin-gated read+write of THIS vault's persistent
+  // mirror config + runtime status. Per-vault (vault#400): the manager is
+  // resolved by the URL's vault name, so each vault's mirror page reflects
+  // its own config + git remote. Lives under `.parachute/` (alongside
+  // info/icon/config) rather than `admin/` because `/vault/<name>/admin/*`
+  // is reserved for the admin SPA's static-file mount; the API surface goes
+  // under `.parachute/` by the module-protocol convention.
   if (subpath === "/.parachute/mirror") {
     if (!hasScopeForVault(auth.scopes, vaultName, "admin")) {
       return Response.json(
@@ -503,19 +487,22 @@ export async function route(
         { status: 403 },
       );
     }
-    const manager = getMirrorManager();
+    // vault#400: resolve the manager for THIS vault (from the URL). The
+    // registry lazily builds one (via the boot-installed factory) for any
+    // existing vault — including a non-default vault or one configured at
+    // runtime — so the handler operates on the right vault's config + status
+    // + git remote, never the default vault's.
+    const manager = getMirrorManager(vaultName);
     if (!manager) {
-      // The boot path constructs a manager when at least one vault
-      // exists; a missing manager here means either a startup error or
-      // a brand-new deploy that hasn't finished first-boot. Surface a
-      // clear 503 rather than a JSON null so the operator + the hub
-      // SPA know it's a service-state issue, not a misconfig on their
-      // end.
+      // Null only when boot hasn't installed the factory yet (startup race
+      // or boot failure). Surface a clear 503 rather than a JSON null so the
+      // operator + the hub SPA know it's a service-state issue, not a
+      // misconfig on their end.
       return Response.json(
         {
           error: "Mirror manager not initialized",
           message:
-            "The vault server hasn't wired a mirror manager yet (no vaults exist, or boot failed). Check logs for [mirror] entries.",
+            "The vault server hasn't wired the mirror manager registry yet (boot hasn't finished, or it failed). Check logs for [mirror] entries.",
         },
         { status: 503 },
       );
@@ -543,13 +530,13 @@ export async function route(
         { status: 403 },
       );
     }
-    const manager = getMirrorManager();
+    const manager = getMirrorManager(vaultName);
     if (!manager) {
       return Response.json(
         {
           error: "Mirror manager not initialized",
           message:
-            "The vault server hasn't wired a mirror manager yet (no vaults exist, or boot failed). Check logs for [mirror] entries.",
+            "The vault server hasn't wired the mirror manager registry yet (boot hasn't finished, or it failed). Check logs for [mirror] entries.",
         },
         { status: 503 },
       );
@@ -575,13 +562,13 @@ export async function route(
         { status: 403 },
       );
     }
-    const manager = getMirrorManager();
+    const manager = getMirrorManager(vaultName);
     if (!manager) {
       return Response.json(
         {
           error: "Mirror manager not initialized",
           message:
-            "The vault server hasn't wired a mirror manager yet (no vaults exist, or boot failed). Check logs for [mirror] entries.",
+            "The vault server hasn't wired the mirror manager registry yet (boot hasn't finished, or it failed). Check logs for [mirror] entries.",
         },
         { status: 503 },
       );
@@ -631,20 +618,20 @@ export async function route(
         { status: 403 },
       );
     }
-    const manager = getMirrorManager();
+    const manager = getMirrorManager(vaultName);
     if (!manager) {
       return Response.json(
         {
           error: "Mirror manager not initialized",
           message:
-            "The vault server hasn't wired a mirror manager yet (no vaults exist, or boot failed). Check logs for [mirror] entries.",
+            "The vault server hasn't wired the mirror manager registry yet (boot hasn't finished, or it failed). Check logs for [mirror] entries.",
         },
         { status: 503 },
       );
     }
 
     if (subpath === "/.parachute/mirror/auth") {
-      if (req.method === "GET") return handleAuthGet();
+      if (req.method === "GET") return handleAuthGet(manager);
       if (req.method === "DELETE") return handleAuthDelete(manager);
       return Response.json({ error: "Method not allowed" }, { status: 405 });
     }
@@ -657,11 +644,11 @@ export async function route(
       return Response.json({ error: "Method not allowed" }, { status: 405 });
     }
     if (subpath === "/.parachute/mirror/auth/github/repos") {
-      if (req.method === "GET") return handleAuthGithubRepos();
+      if (req.method === "GET") return handleAuthGithubRepos(manager);
       return Response.json({ error: "Method not allowed" }, { status: 405 });
     }
     if (subpath === "/.parachute/mirror/auth/github/create-repo") {
-      if (req.method === "POST") return handleAuthGithubCreateRepo(req);
+      if (req.method === "POST") return handleAuthGithubCreateRepo(req, manager);
       return Response.json({ error: "Method not allowed" }, { status: 405 });
     }
     if (subpath === "/.parachute/mirror/auth/github/select-repo") {
@@ -722,7 +709,7 @@ export async function route(
     });
   }
   if (apiPath === "/unresolved-wikilinks") return handleUnresolvedWikilinks(req, store);
-  if (apiPath.startsWith("/storage")) return handleStorage(req, apiPath.slice(8), vaultName);
+  if (apiPath.startsWith("/storage")) return handleStorage(req, apiPath.slice(8), vaultName, store, tagScope);
   if (apiPath === "/health") return Response.json({ status: "ok", vault: vaultName });
 
   return Response.json({ error: "Not found" }, { status: 404 });

package/src/scopes.test.ts

@@ -11,7 +11,6 @@ import {
   SCOPE_ADMIN,
   parseScopes,
   parseScopeFlags,
-  resolveCreateTokenFlags,
   hasScope,
   hasScopeForVault,
   findBroadVaultScopes,
@@ -254,91 +253,6 @@ describe("parseScopeFlags", () => {
   });
 });
 
-describe("resolveCreateTokenFlags", () => {
-  test("no flags → full scope, full permission (historical default)", () => {
-    expect(resolveCreateTokenFlags([]))
-      .toEqual({ scopes: undefined, permission: "full", error: null });
-  });
-
-  test("--read alone → [vault:read], read permission", () => {
-    expect(resolveCreateTokenFlags(["--read"]))
-      .toEqual({ scopes: [SCOPE_READ], permission: "read", error: null });
-  });
-
-  test("--scope vault:read alone → read permission", () => {
-    expect(resolveCreateTokenFlags(["--scope", "vault:read"]))
-      .toEqual({ scopes: [SCOPE_READ], permission: "read", error: null });
-  });
-
-  test("--scope vault:write,vault:read → full permission (any write surface → full)", () => {
-    expect(resolveCreateTokenFlags(["--scope", "vault:write,vault:read"]))
-      .toEqual({ scopes: [SCOPE_WRITE, SCOPE_READ], permission: "full", error: null });
-  });
-
-  test("--scope vault:admin alone → full permission", () => {
-    expect(resolveCreateTokenFlags(["--scope", "vault:admin"]))
-      .toEqual({ scopes: [SCOPE_ADMIN], permission: "full", error: null });
-  });
-
-  test("--permission read → no scopes (token-store default), read permission", () => {
-    expect(resolveCreateTokenFlags(["--permission", "read"]))
-      .toEqual({ scopes: undefined, permission: "read", error: null });
-  });
-
-  test("--permission full → no scopes, full permission", () => {
-    expect(resolveCreateTokenFlags(["--permission", "full"]))
-      .toEqual({ scopes: undefined, permission: "full", error: null });
-  });
-
-  test("--scope + --read errors and mentions both flags", () => {
-    const result = resolveCreateTokenFlags(["--scope", "vault:write", "--read"]);
-    expect(result.scopes).toBeUndefined();
-    expect(result.error).toContain("--scope");
-    expect(result.error).toContain("--read");
-    expect(result.error).toContain("cannot be combined");
-  });
-
-  test("--scope + --permission errors", () => {
-    const result = resolveCreateTokenFlags(["--scope", "vault:read", "--permission", "full"]);
-    expect(result.scopes).toBeUndefined();
-    expect(result.error).toContain("--scope");
-    expect(result.error).toContain("--permission");
-    expect(result.error).toContain("cannot be combined");
-  });
-
-  test("--read + --permission errors", () => {
-    const result = resolveCreateTokenFlags(["--read", "--permission", "full"]);
-    expect(result.scopes).toBeUndefined();
-    expect(result.error).toContain("--read");
-    expect(result.error).toContain("--permission");
-    expect(result.error).toContain("cannot be combined");
-  });
-
-  test("invalid --permission value errors with prefer-scope hint", () => {
-    const result = resolveCreateTokenFlags(["--permission", "admin"]);
-    expect(result.scopes).toBeUndefined();
-    expect(result.error).toContain("admin");
-    expect(result.error).toContain("full");
-    expect(result.error).toContain("read");
-    expect(result.error).toContain("--scope");
-  });
-
-  test("--permission with no value errors", () => {
-    expect(resolveCreateTokenFlags(["--permission"]).error).toContain("requires a value");
-    expect(resolveCreateTokenFlags(["--permission", "--label", "x"]).error).toContain("requires a value");
-  });
-
-  test("surfaces parseScopeFlags errors unchanged", () => {
-    const result = resolveCreateTokenFlags(["--scope", "vault:frob"]);
-    expect(result.error).toContain("Unknown scope");
-  });
-
-  test("ignores unrelated flags", () => {
-    const result = resolveCreateTokenFlags(["--vault", "journal", "--label", "r", "--read"]);
-    expect(result).toEqual({ scopes: [SCOPE_READ], permission: "read", error: null });
-  });
-});
-
 describe("serializeScopes — round-trips with parseScopes", () => {
   test("joins with spaces", () => {
     expect(serializeScopes([SCOPE_READ, SCOPE_WRITE])).toBe("vault:read vault:write");

package/src/scopes.ts

@@ -3,9 +3,11 @@
  *
  * Tokens carry OAuth-standard whitespace-separated scopes. Two shapes coexist:
  *
- *   - **Broad** `vault:<verb>` — used by `pvt_*` tokens, which are vault-pinned
- *     by storage (each vault has its own tokens DB; a token only resolves
- *     against the vault that minted it).
+ *   - **Broad** `vault:<verb>` — used by legacy YAML api_keys and the
+ *     VAULT_AUTH_TOKEN operator bearer, which are vault-pinned by context
+ *     (the YAML key lives under a specific vault; the operator bearer is
+ *     server-wide full-admin). (The `pvt_*` vault-DB token that also used
+ *     this shape was dropped at 0.5.0 — vault#282 Stage 2.)
  *   - **Narrowed** `vault:<name>:<verb>` — used by hub-issued JWTs, which are
  *     not pinned by storage and so MUST name the resource they grant access
  *     to. Hub JWTs carrying broad `vault:<verb>` are rejected at validation
@@ -113,9 +115,10 @@ export function hasScope(granted: string[], required: string): boolean {
  *
  * Match rules:
  *   - Broad `vault:<verb>` in granted satisfies any vault (the broad scope
- *     has no resource constraint; the caller pins the vault upstream — pvt_*
- *     resolves only against its issuing vault's DB, hub JWTs reject broad
- *     scopes at validation).
+ *     has no resource constraint; the caller pins the vault upstream — a
+ *     legacy YAML key lives under a specific vault, the VAULT_AUTH_TOKEN
+ *     bearer is server-wide full-admin, and hub JWTs reject broad scopes at
+ *     validation).
  *   - Narrowed `vault:<name>:<verb>` satisfies only the matching `vaultName`.
  *   - Verb inheritance `admin ⊇ write ⊇ read` applies in both forms.
  */
@@ -286,94 +289,3 @@ export function parseScopeFlags(
   }
   return { scopes: deduped, error: null };
 }
-
-/**
- * Resolve `parachute vault tokens create` argv into a concrete scope set +
- * legacy `permission` column value, or an actionable error.
- *
- * Precedence is **exclusive**: `--scope`, `--read`, and `--permission` all
- * narrow the token, but combining them is always an error — a user who
- * writes `--scope vault:write --read` almost certainly expects one of the
- * two to win, and silently picking would mint the opposite of what at
- * least one reading intended. Fail loud for anything token-minting.
- *
- * With no narrowing flag, falls back to a full-scope token for back-compat.
- */
-export function resolveCreateTokenFlags(args: string[]): {
-  scopes: string[] | undefined;
-  permission: "full" | "read";
-  error: string | null;
-} {
-  const scopeResult = parseScopeFlags(args);
-  if (scopeResult.error) {
-    return { scopes: undefined, permission: "full", error: scopeResult.error };
-  }
-  const hasScopeFlag = scopeResult.scopes !== null;
-  const hasReadFlag = args.includes("--read");
-  const permIdx = args.indexOf("--permission");
-  const hasPermFlag = permIdx !== -1;
-
-  if (hasScopeFlag && hasReadFlag) {
-    return {
-      scopes: undefined,
-      permission: "full",
-      error:
-        "--scope and --read cannot be combined. Pick one:\n" +
-        "  --read                     # shorthand for --scope vault:read\n" +
-        "  --scope vault:read         # equivalent, explicit\n" +
-        "  --scope vault:write        # write scope",
-    };
-  }
-  if (hasScopeFlag && hasPermFlag) {
-    return {
-      scopes: undefined,
-      permission: "full",
-      error:
-        "--scope and --permission cannot be combined. --scope is the canonical way to narrow a token; --permission is legacy.",
-    };
-  }
-  if (hasReadFlag && hasPermFlag) {
-    return {
-      scopes: undefined,
-      permission: "full",
-      error: "--read and --permission cannot be combined. --read is a shorthand for --permission read.",
-    };
-  }
-
-  if (hasPermFlag) {
-    const rawPerm = args[permIdx + 1];
-    if (!rawPerm || rawPerm.startsWith("--")) {
-      return {
-        scopes: undefined,
-        permission: "full",
-        error: `--permission requires a value ("full" or "read"). Prefer --scope for new scripts.`,
-      };
-    }
-    if (!["full", "read"].includes(rawPerm)) {
-      return {
-        scopes: undefined,
-        permission: "full",
-        error: `Invalid --permission: ${rawPerm}. Must be "full" or "read". Prefer --scope for new scripts.`,
-      };
-    }
-  }
-
-  if (scopeResult.scopes) {
-    const scopes = scopeResult.scopes;
-    const permission: "full" | "read" =
-      scopes.includes(SCOPE_WRITE) || scopes.includes(SCOPE_ADMIN) ? "full" : "read";
-    return { scopes, permission, error: null };
-  }
-  if (hasReadFlag) {
-    return { scopes: [SCOPE_READ], permission: "read", error: null };
-  }
-  if (hasPermFlag) {
-    const rawPerm = args[permIdx + 1];
-    return {
-      scopes: undefined,
-      permission: rawPerm === "read" ? "read" : "full",
-      error: null,
-    };
-  }
-  return { scopes: undefined, permission: "full", error: null };
-}

package/src/server.ts

@@ -31,8 +31,19 @@ import { getCachedScribeUrl } from "./scribe-discovery.ts";
 import { readEnvFile, setEnvVar } from "./config.ts";
 import { resolveBindHostname } from "./bind.ts";
 import { MirrorManager } from "./mirror-manager.ts";
-import { setMirrorManager } from "./mirror-registry.ts";
+import {
+  setMirrorManager,
+  setMirrorManagerFactory,
+  listMirrorManagers,
+} from "./mirror-registry.ts";
 import { buildMirrorDeps, resolveMirrorVaultName } from "./mirror-deps.ts";
+import { migrateLegacyServerWideCredentials } from "./mirror-credentials.ts";
+import {
+  commentOutLegacyMirrorBlockFile,
+  migrateLegacyServerWideConfig,
+  readMirrorConfigForVault,
+} from "./mirror-config.ts";
+import { GLOBAL_CONFIG_PATH } from "./config.ts";
 import { selfRegister } from "./self-register.ts";
 import pkg from "../package.json" with { type: "json" };
 
@@ -231,47 +242,96 @@ const port = parseInt(process.env.PORT ?? "") || globalConfig.port || DEFAULT_PO
 const hostname = resolveBindHostname();
 
 // ---------------------------------------------------------------------------
-// Mirror lifecycle (vault-sync Phase A1).
+// Mirror lifecycle — per-vault (vault#400).
 //
-// Boot-time bootstrap of the persistent mirror manager. Only stands up an
-// active mirror when global config carries `mirror.enabled: true`; otherwise
-// the manager construct + status reflects "disabled" but no filesystem work
-// happens. The HTTP `/admin/mirror` routes can still flip it on at runtime
-// without a vault restart — see routing.ts + mirror-routes.ts.
+// Before vault#400 the server stood up a SINGLE mirror manager bound to the
+// mirror-owning vault (default/first), and every mirror route resolved to it
+// — so every vault's mirror page showed the default vault's config + git
+// remote. Now each vault gets its OWN config (`data/<vault>/mirror-config.yaml`)
+// + its OWN manager. Boot:
 //
-// Failure here is logged and ignored; vault keeps serving. The operator
-// sees the error via `GET /admin/mirror` + the log line.
+//   1. Migrate the legacy SERVER-WIDE credentials file (vault#399) + the
+//      legacy server-wide `mirror:` config block (vault#400) to the
+//      mirror-owning vault (default/first). Other vaults start unconfigured.
+//   2. Install the lazy-build factory so routes can stand up a manager for
+//      any vault on first request (handles a vault configured at runtime
+//      without a restart).
+//   3. Iterate ALL vaults; for each whose per-vault config has
+//      `enabled: true`, build + register + start its manager. Per-vault
+//      failure is logged + isolated — one vault's mirror error never breaks
+//      another vault's mirror or the vault server's serving path.
 // ---------------------------------------------------------------------------
-let mirrorManager: MirrorManager | null = null;
 {
-  // Canonicalized in `mirror-deps.ts:resolveMirrorVaultName` so the
-  // binding rule (default_vault → first listed vault → null) lives in
-  // exactly one place; multi-vault-mirror work (design-doc open
-  // question 2) only has to touch one site.
+  // Canonicalized in `mirror-deps.ts:resolveMirrorVaultName` — the binding
+  // rule (default_vault → first listed vault → null) lives in exactly one
+  // place. Post-vault#400 it's only used for migration attribution.
   const mirrorVaultName = resolveMirrorVaultName(listVaults);
-  if (mirrorVaultName) {
+
+  // vault#399: migrate the legacy SERVER-WIDE credentials file to the
+  // per-vault layout, attributed to the mirror-owning vault. Idempotent +
+  // safe (no-op when no legacy file / already migrated; legacy file renamed
+  // `.bak`, never deleted). Runs even with no vaults (no-op).
+  try {
+    migrateLegacyServerWideCredentials(mirrorVaultName);
+  } catch (err) {
+    console.warn(
+      `[mirror] legacy credential migration failed (non-fatal): ${(err as Error).message ?? err}`,
+    );
+  }
+
+  // vault#400: migrate the legacy server-wide `mirror:` CONFIG block from
+  // config.yaml to the mirror-owning vault's per-vault config file. The
+  // legacy block is commented out in place (preserved for reference), never
+  // silently dropped. Idempotent: no-op when no block / target already
+  // configured. (#399 already moved credentials — we do NOT re-migrate them.)
+  try {
+    migrateLegacyServerWideConfig(
+      readGlobalConfig().mirror,
+      mirrorVaultName,
+      () => commentOutLegacyMirrorBlockFile(GLOBAL_CONFIG_PATH),
+    );
+  } catch (err) {
+    console.warn(
+      `[mirror] legacy config migration failed (non-fatal): ${(err as Error).message ?? err}`,
+    );
+  }
+
+  // Install the lazy-build factory so routes can stand up a per-vault manager
+  // on demand (a vault configured at runtime works without a restart).
+  setMirrorManagerFactory((name) => new MirrorManager(buildMirrorDeps(name)));
+
+  // Stand up every vault whose per-vault config is enabled. Don't block
+  // server startup on slow initial exports — kick each off in the background.
+  const vaults = listVaults();
+  if (vaults.length === 0) {
+    console.log("[mirror] no vaults yet — managers stand up on next restart after a vault exists");
+  }
+  for (const name of vaults) {
+    let cfg;
     try {
-      mirrorManager = new MirrorManager(buildMirrorDeps(mirrorVaultName));
-      setMirrorManager(mirrorManager);
-      // Don't block server startup on a slow initial export — kick it off
-      // in the background, log the outcome. The HTTP server comes up
-      // immediately so OAuth + REST aren't blocked behind a multi-second
-      // export pass.
-      void mirrorManager
+      cfg = readMirrorConfigForVault(name);
+    } catch (err) {
+      console.warn(`[mirror] could not read config for vault "${name}" (skipping): ${(err as Error).message ?? err}`);
+      continue;
+    }
+    if (!cfg?.enabled) continue; // unconfigured / disabled → no manager work
+    try {
+      const mgr = new MirrorManager(buildMirrorDeps(name));
+      setMirrorManager(name, mgr);
+      void mgr
         .start()
         .then((status) => {
           if (!status.enabled && status.last_error) {
-            console.warn(`[mirror] startup error: ${status.last_error}`);
+            console.warn(`[mirror] vault "${name}" startup error: ${status.last_error}`);
           }
         })
         .catch((err) => {
-          console.warn(`[mirror] startup threw: ${(err as Error).message ?? err}`);
+          console.warn(`[mirror] vault "${name}" startup threw: ${(err as Error).message ?? err}`);
         });
     } catch (err) {
-      console.warn(`[mirror] manager construction failed: ${(err as Error).message ?? err}`);
+      // Isolated per-vault: one vault's failure never touches others.
+      console.warn(`[mirror] vault "${name}" manager construction failed: ${(err as Error).message ?? err}`);
     }
-  } else {
-    console.log("[mirror] no vaults yet — manager will be initialized on next restart after a vault exists");
   }
 }
 
@@ -317,10 +377,11 @@ console.log(`Parachute Vault server listening on http://${hostname}:${server.por
 // Graceful shutdown — best-effort drain of in-flight note-mutation hooks.
 //
 // Order matters under the event-driven mirror shape (vault#382):
-//   1. MirrorManager.stop() runs FIRST so it can unsubscribe from hooks
-//      cleanly + cancel its debounce timer. Otherwise the registry drain
-//      below would wait on the manager's hook handler that just queued
-//      itself after a final mutation.
+//   1. Every MirrorManager.stop() runs FIRST (vault#400: drain ALL per-vault
+//      managers, not just one) so they unsubscribe from hooks cleanly +
+//      cancel their debounce timers. Otherwise the registry drain below
+//      would wait on a manager's hook handler that just queued itself after
+//      a final mutation.
 //   2. Then drain hooks + stop the transcription worker in parallel —
 //      neither depends on the other.
 //
@@ -331,9 +392,16 @@ async function shutdown(signal: string): Promise<void> {
   try {
     await Promise.race([
       (async () => {
-        // Mirror stop first — unsubscribes + cancels its debounce. Its
-        // internal soft-settle timeout (250ms) bounds the wait.
-        await (mirrorManager?.stop() ?? Promise.resolve());
+        // Mirror stop first — unsubscribes + cancels each debounce. Each
+        // manager's internal soft-settle timeout (250ms) bounds the wait;
+        // drain them in parallel so total shutdown stays bounded.
+        await Promise.all(
+          listMirrorManagers().map((m) =>
+            m.stop().catch((err) =>
+              console.warn(`[mirror] stop threw during shutdown (non-fatal): ${(err as Error).message ?? err}`),
+            ),
+          ),
+        );
         // Then drain hooks + stop the transcription worker in parallel.
         await Promise.all([
           defaultHookRegistry.drain(),