npm - @openparachute/vault - Versions diffs - 0.5.0-rc.3 → 0.5.0-rc.4 - Mend

@openparachute/vault 0.5.0-rc.3 → 0.5.0-rc.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/package.json +1 -1
package/src/oauth-discovery.test.ts +55 -0
package/src/oauth-discovery.ts +24 -5

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@openparachute/vault",
-  "version": "0.5.0-rc.3",
+  "version": "0.5.0-rc.4",
   "description": "Agent-native knowledge graph. Notes, tags, links over MCP.",
   "module": "src/cli.ts",
   "type": "module",

package/src/oauth-discovery.test.ts ADDED Viewed

@@ -0,0 +1,55 @@
+import { describe, expect, test } from "bun:test";
+import { handleAuthorizationServer, handleProtectedResource } from "./oauth-discovery.ts";
+/**
+ * Regression: the per-vault discovery documents MUST advertise resource-narrowed
+ * `vault:<name>:<verb>` scopes, never broad `vault:<verb>`. A broad scope makes a
+ * spec-following MCP client (Claude) request `vault:read`, which the hub stamps
+ * `aud=vault`, which the per-vault MCP endpoint rejects ("audience mismatch:
+ * expected vault.<name>, got vault") — the live "Authorization with the MCP
+ * server failed" bug. See oauth-discovery.ts + auth.ts findBroadVaultScopes.
+ */
+describe("oauth-discovery per-vault scopes_supported is resource-narrowed", () => {
+  const req = new Request("https://hub.example.com/vault/default/.well-known/oauth-protected-resource");
+  test("protected-resource metadata advertises vault:<name>:<verb>, never broad", async () => {
+    const body = (await handleProtectedResource(req, "default").json()) as {
+      resource: string;
+      scopes_supported: string[];
+    };
+    expect(body.scopes_supported).toEqual([
+      "vault:default:read",
+      "vault:default:write",
+      "vault:default:admin",
+    ]);
+    // No broad scope leaks through — vault rejects those on audience mismatch.
+    for (const s of body.scopes_supported) {
+      expect(s).not.toBe("vault:read");
+      expect(s).not.toBe("vault:write");
+      expect(s).not.toBe("vault:admin");
+    }
+    expect(body.resource).toContain("/vault/default/mcp");
+  });
+  test("scopes are narrowed to the specific vault name", async () => {
+    const body = (await handleProtectedResource(req, "work-notes").json()) as {
+      scopes_supported: string[];
+    };
+    expect(body.scopes_supported).toEqual([
+      "vault:work-notes:read",
+      "vault:work-notes:write",
+      "vault:work-notes:admin",
+    ]);
+  });
+  test("authorization-server forwarding doc also advertises narrowed scopes", async () => {
+    const body = (await handleAuthorizationServer(req, "default").json()) as {
+      scopes_supported: string[];
+    };
+    expect(body.scopes_supported).toEqual([
+      "vault:default:read",
+      "vault:default:write",
+      "vault:default:admin",
+    ]);
+  });
+});

package/src/oauth-discovery.ts CHANGED Viewed

@@ -28,8 +28,27 @@
 import { getHubOrigin } from "./hub-jwt.ts";
-/** OAuth scopes vault publishes through discovery; see scopes.ts for enforcement. */
-const SCOPES_SUPPORTED = ["vault:read", "vault:write", "vault:admin"];
+/**
+ * OAuth scopes vault publishes through discovery, RESOURCE-NARROWED to the
+ * specific vault instance the metadata document describes.
+ *
+ * This MUST be narrowed (`vault:<name>:<verb>`), not broad (`vault:<verb>`).
+ * Post auth-unification (vault#282/#412), vault is a pure hub resource server
+ * that REJECTS broad `vault:<verb>` tokens (`findBroadVaultScopes` → 401) and
+ * requires `vault:<name>:<verb>` scopes carrying `aud=vault.<name>`. A
+ * spec-following MCP client (e.g. Claude) reads `scopes_supported` from this
+ * PRM and requests exactly those scopes; if we advertise broad `vault:read`
+ * the client gets a token stamped `aud=vault` and the per-vault MCP endpoint
+ * rejects it ("audience mismatch: expected vault.<name>, got vault") — the
+ * "Authorization with the MCP server failed" symptom. Advertising the narrowed
+ * shape makes the client request the scope vault will actually accept. The
+ * hub's RFC 8707 resource-binding narrows too, but only when the client echoes
+ * the `resource` param — advertising narrowed scopes here is the belt that
+ * works regardless. See scopes.ts for enforcement.
+ */
+function scopesSupportedFor(vaultName: string): string[] {
+  return [`vault:${vaultName}:read`, `vault:${vaultName}:write`, `vault:${vaultName}:admin`];
+}
 /**
  * Public-facing base URL of the server. Honors `x-forwarded-*` headers so a
@@ -63,7 +82,7 @@ export function handleProtectedResource(req: Request, vaultName: string): Respon
   return Response.json({
     resource: `${base}${prefix}/mcp`,
     authorization_servers: [getHubOrigin()],
-    scopes_supported: SCOPES_SUPPORTED,
+    scopes_supported: scopesSupportedFor(vaultName),
     bearer_methods_supported: ["header"],
   });
 }
@@ -78,7 +97,7 @@ export function handleProtectedResource(req: Request, vaultName: string): Respon
  * land here and discover the hub's actual endpoints; conformant clients that
  * probe AS metadata directly at the vault path get the same answer.
  */
-export function handleAuthorizationServer(_req: Request, _vaultName: string): Response {
+export function handleAuthorizationServer(_req: Request, vaultName: string): Response {
   const hub = getHubOrigin();
   return Response.json({
     issuer: hub,
@@ -90,6 +109,6 @@ export function handleAuthorizationServer(_req: Request, _vaultName: string): Re
     code_challenge_methods_supported: ["S256"],
     grant_types_supported: ["authorization_code", "refresh_token"],
     token_endpoint_auth_methods_supported: ["none", "client_secret_post"],
-    scopes_supported: SCOPES_SUPPORTED,
+    scopes_supported: scopesSupportedFor(vaultName),
   });
 }