@openparachute/vault 0.5.0 → 0.5.1-rc.2

package/core/src/core.test.ts

@@ -5609,6 +5609,13 @@ describe("vault projection (vault#271)", async () => {
     expect(md).toContain("#person");
     expect(md).toContain("vault-info");
     expect(md).toContain("list-tags { include_schema: true }");
+    // Scripting pointer (closes the "points nowhere" gap): the brief routes an
+    // agent to the HTTP API + the public guide, with the vault name baked into
+    // the copy-paste mint command.
+    expect(md).toContain("## Scripting & automation (beyond this session)");
+    expect(md).toContain("https://parachute.computer/scripting/");
+    expect(md).toContain("parachute auth mint-token --scope vault:test:read --ephemeral");
+    expect(md).toContain("vault/test/api");
   });
 
   it("markdown brief degrades gracefully when no schemas declared", async () => {

package/core/src/vault-projection.ts

@@ -305,5 +305,25 @@ export function projectionToMarkdown(args: {
   lines.push("");
   lines.push("If schema or tags change during this session, call `vault-info` to refresh the full projection. Call `list-tags { include_schema: true }` for tag-only details.");
 
+  // Scripting pointer block: the connect-time brief used to dead-end on
+  // querying — an agent had no path to "how do I script/automate against this
+  // vault." Point at the guide rather than inlining it, to keep this brief
+  // lean (token-budget note above). Uses the concrete vault name so the mint
+  // command is copy-paste ready.
+  lines.push("");
+  lines.push("## Scripting & automation (beyond this session)");
+  lines.push("");
+  lines.push(
+    "This vault is also a plain HTTP API — reach for it when the user wants a script, cron job, or CI step rather than an interactive session:",
+  );
+  lines.push(
+    `- Mint a scoped credential: \`parachute auth mint-token --scope vault:${vaultName}:read --ephemeral\` (\`--ephemeral\` = short-lived, ideal for scripts; use \`:write\` to create/edit).`,
+  );
+  lines.push(`- Call the REST API at \`<hub-origin>/vault/${vaultName}/api/...\`.`);
+  lines.push(
+    "- Full guide — copy-paste bash/Python/JS examples, plus how to design tags vs paths vs schemas: https://parachute.computer/scripting/",
+  );
+  lines.push("- For a prompt on a schedule with no code, see Parachute Runner.");
+
   return lines.join("\n");
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openparachute/vault",
-  "version": "0.5.0",
+  "version": "0.5.1-rc.2",
   "description": "Agent-native knowledge graph. Notes, tags, links over MCP.",
   "module": "src/cli.ts",
   "type": "module",

package/src/server.ts

@@ -347,6 +347,15 @@ const server = Bun.serve({
       "Access-Control-Allow-Origin": "*",
       "Access-Control-Allow-Methods": "GET, POST, PUT, PATCH, DELETE, OPTIONS",
       "Access-Control-Allow-Headers": "Content-Type, Authorization, X-API-Key, Mcp-Session-Id",
+      // Expose response headers a BROWSER-based MCP client (e.g. claude.ai) must
+      // read cross-origin: `WWW-Authenticate` carries the RFC 9728 auth challenge
+      // (the `resource_metadata` PRM URL) the client follows to discover the auth
+      // server — without exposing it, the browser's fetch() can't see it and the
+      // OAuth flow never starts ("Couldn't register with the sign-in service").
+      // `Mcp-Session-Id` is the streamable-HTTP MCP session the client echoes
+      // back. (Claude Code is a CLI → no CORS → unaffected. The hub already
+      // exposes WWW-Authenticate; this matches it on the resource server.)
+      "Access-Control-Expose-Headers": "WWW-Authenticate, Mcp-Session-Id",
     };
 
     if (req.method === "OPTIONS") {