@openparachute/vault 0.5.1 → 0.5.2-rc.2

package/src/init-summary.test.ts

@@ -13,6 +13,7 @@ const baseInput = {
   bindHost: "127.0.0.1",
   port: 1940,
   mcpUrl: "http://127.0.0.1:1940/vault/default/mcp",
+  vaultName: "default",
 };
 
 function lines(addMcp: boolean, addToken: boolean, apiKey: string | undefined) {
@@ -96,16 +97,70 @@ describe("buildInitSummaryLines", () => {
     });
   });
 
-  describe("MCP=N + token=N (unreachable)", () => {
+  // vault#442: the DEFAULT init path — MCP wired, NO token minted (per-user
+  // OAuth). The summary must LEAD with the OAuth connect path, never mint, and
+  // never surface the old "no token issued" failure copy.
+  describe("MCP=Y + no token (vault#442 OAuth default)", () => {
+    const out = lines(true, false, undefined).join("\n");
+
+    test("leads with the OAuth connect message — no token needed", () => {
+      expect(out).toContain("no token needed, you'll sign in on first use");
+    });
+
+    test("tells the user Claude Code is already wired in", () => {
+      expect(out).toContain("Claude Code is already wired in");
+    });
+
+    test("shows the OAuth `claude mcp add` command for other clients", () => {
+      expect(out).toContain(
+        "claude mcp add --transport http parachute-vault http://127.0.0.1:1940/vault/default/mcp",
+      );
+    });
+
+    test("offers the scope-narrow opt-in mint for scripts (full vault:<name>:read, never admin)", () => {
+      // Must be the three-segment named-resource form the hub mint-token model
+      // requires — a bare `vault:read` would mint a malformed scope (vault#443).
+      expect(out).toContain("parachute auth mint-token --scope vault:default:read");
+      expect(out).not.toContain("--scope vault:read ");
+      expect(out).not.toMatch(/--scope vault:read$/m);
+      expect(out).not.toContain("vault:admin");
+    });
+
+    test("does NOT print or imply any minted token", () => {
+      expect(out).not.toContain("Your API token:");
+      expect(out).not.toContain("Baked into ~/.claude.json");
+      expect(out).not.toContain("Authorization: Bearer");
+    });
+
+    test("does NOT surface the old no-token-issued failure copy", () => {
+      expect(out).not.toContain("No token issued");
+    });
+
+    test("threads a non-default vault name into the mint-token scope", () => {
+      const out2 = buildInitSummaryLines({
+        ...baseInput,
+        vaultName: "journal",
+        mcpUrl: "http://127.0.0.1:1940/vault/journal/mcp",
+        addMcp: true,
+        addToken: false,
+        apiKey: undefined,
+      }).join("\n");
+      expect(out2).toContain("parachute auth mint-token --scope vault:journal:read");
+      expect(out2).not.toContain("vault:default:read");
+    });
+  });
+
+  describe("MCP=N + token=N (OAuth default, Claude Code not wired)", () => {
     const out = lines(false, false, undefined).join("\n");
 
-    test("warns the vault is unreachable", () => {
-      expect(out).toContain("your vault isn't reachable by any client");
+    test("frames skipping the MCP entry as OAuth-first, not 'unreachable'", () => {
+      expect(out).toContain("uses per-user OAuth, no token needed");
+      expect(out).not.toContain("your vault isn't reachable by any client");
     });
 
-    test("points to the mcp-install recovery path (hub JWT)", () => {
+    test("points to mcp-install (no token-minting framing)", () => {
       expect(out).toContain("parachute-vault mcp-install");
-      expect(out).toContain("mints a hub JWT");
+      expect(out).not.toContain("mints a hub JWT");
     });
 
     test("does not print any token", () => {
@@ -118,6 +173,23 @@ describe("buildInitSummaryLines", () => {
     });
   });
 
+  // Explicit opt-in but no hub reachable to mint (vault#282 Stage 2 path,
+  // reached only when the operator passes --token without a hub).
+  describe("MCP=N + token=Y but no hub (opt-in mint failed)", () => {
+    const out = buildInitSummaryLines({
+      ...baseInput,
+      addMcp: false,
+      addToken: true,
+      apiKey: undefined,
+      noTokenGuidance: "No token issued — hub unreachable.",
+    }).join("\n");
+
+    test("surfaces the no-token-issued guidance + recovery", () => {
+      expect(out).toContain("No token issued");
+      expect(out).toContain("parachute-vault mcp-install");
+    });
+  });
+
   test("always prints Config: and Server: lines", () => {
     for (const [addMcp, addToken] of [
       [true, true],

package/src/init-summary.ts

@@ -12,6 +12,13 @@ export type InitSummaryInput = {
   bindHost: string;
   port: number;
   mcpUrl: string;
+  /**
+   * The default vault's name — used to emit the three-segment
+   * `vault:<vaultName>:read` scope in the OAuth-first mint-token suggestion
+   * (the hub mint-token model requires the named-resource form;
+   * a bare `vault:read` would mint a malformed scope). vault#442/#443.
+   */
+  vaultName: string;
   /**
    * Guidance from the bootstrap-credential step when no token could be issued
    * (standalone install, no hub reachable — vault#282 Stage 2). Surfaced when
@@ -23,44 +30,54 @@ export type InitSummaryInput = {
 
 /**
  * Build the post-install summary lines for `vault init`, branched on the
- * (addMcp, addToken, apiKey) decision matrix. Post-0.5.0 the token is a
- * hub-issued JWT minted via operator.token; when no hub is reachable `apiKey`
- * is undefined even though the operator opted in (`addToken`/`addMcp`):
+ * (addMcp, addToken, apiKey) decision matrix.
+ *
+ * vault#442: the DEFAULT is per-user OAuth — no token is minted, and the
+ * Claude Code MCP entry is written without a baked bearer (browser sign-in on
+ * first connect). A token is minted only on explicit opt-in (`addToken`), and
+ * then scope-narrow. Branches:
  *
- *   addMcp,  addToken,  apiKey → token baked into claude.json + printed
- *   addMcp,  !addToken, apiKey → token baked into claude.json, hint
- *   !addMcp, addToken,  apiKey → token printed prominently
- *   wanted-token-but-no-hub    → guidance: no token issued, recovery paths
- *   !addMcp, !addToken         → warning: vault unreachable; recovery paths
+ *   addMcp,  !apiKey            → OAuth-first: connect, sign in on first use
+ *   addMcp,  addToken,  apiKey  → token baked into claude.json + printed
+ *   addMcp,  !addToken, apiKey  → token baked into claude.json, hint
+ *   !addMcp, addToken,  apiKey  → token printed prominently
+ *   !addMcp, addToken,  !apiKey → opted into a token but no hub reachable
+ *   !addMcp, !addToken          → OAuth-first: add Claude Code later
  */
 export function buildInitSummaryLines(input: InitSummaryInput): string[] {
-  const { addMcp, addToken, apiKey, configDir, bindHost, port, mcpUrl, noTokenGuidance } = input;
+  const { addMcp, addToken, apiKey, configDir, bindHost, port, mcpUrl, vaultName, noTokenGuidance } = input;
   const lines: string[] = [];
   lines.push("");
   lines.push("---");
 
-  const wantedToken = addMcp || addToken;
-
-  if (addMcp && addToken && apiKey) {
+  if (addMcp && apiKey && addToken) {
     lines.push("");
     lines.push(`Your API token: ${apiKey}`);
     lines.push(`  - Baked into ~/.claude.json for Claude Code ✓`);
     lines.push(`  - Paste into your other MCP client's config, or use as Authorization: Bearer <token>`);
     lines.push(`  - Won't be shown again — save it now.`);
-  } else if (addMcp && !addToken && apiKey) {
+  } else if (addMcp && apiKey && !addToken) {
     lines.push("");
     lines.push(
       "Token in ~/.claude.json; run `parachute-vault mcp-install` later if you need one for other clients.",
     );
+  } else if (addMcp && !apiKey) {
+    // vault#442 default: OAuth-first. The MCP entry is wired without a bearer —
+    // Claude Code signs in via browser OAuth on first connect. No token needed.
+    lines.push("");
+    lines.push("Connect your AI — no token needed, you'll sign in on first use:");
+    lines.push(`  Claude Code is already wired in (~/.claude.json) — just start a session.`);
+    lines.push(`  Other clients: claude mcp add --transport http parachute-vault ${mcpUrl}`);
+    lines.push(`  Need a header-auth token for a script? parachute auth mint-token --scope vault:${vaultName}:read`);
   } else if (!addMcp && addToken && apiKey) {
     lines.push("");
     lines.push(`Your API token: ${apiKey}`);
     lines.push(`  - Paste into your other MCP client's config, or use as Authorization: Bearer <token>`);
     lines.push(`  - Won't be shown again — save it now.`);
-  } else if (wantedToken && !apiKey) {
-    // Opted into a token but no hub was reachable to mint one (vault#282
-    // Stage 2 — vault no longer mints local pvt_* tokens). Surface why and
-    // the recovery paths.
+  } else if (!addMcp && addToken && !apiKey) {
+    // Explicitly opted into a token but no hub was reachable to mint one
+    // (vault#282 Stage 2 — vault no longer mints local pvt_* tokens). Surface
+    // why and the recovery paths.
     lines.push("");
     lines.push(
       noTokenGuidance ??
@@ -73,12 +90,13 @@ export function buildInitSummaryLines(input: InitSummaryInput): string[] {
       "  or set VAULT_AUTH_TOKEN for an operator-channel bearer.",
     );
   } else if (!addMcp && !addToken) {
+    // OAuth-first, but the operator skipped wiring Claude Code too.
     lines.push("");
     lines.push(
-      "You've skipped both MCP install and token generation — your vault isn't reachable by any client.",
+      "Skipped the Claude Code MCP entry. Add it anytime — it uses per-user OAuth, no token needed:",
     );
     lines.push(
-      "  Add Claude Code later with `parachute-vault mcp-install`, which mints a hub JWT (needs a hub running).",
+      "  parachute-vault mcp-install",
     );
   }
 

package/src/mcp-tools.ts

@@ -7,6 +7,7 @@
 
 import { generateMcpTools } from "../core/src/mcp.ts";
 import type { McpToolDef } from "../core/src/mcp.ts";
+import type { Note } from "../core/src/types.ts";
 import {
   buildVaultProjection,
   projectionToMarkdown,
@@ -18,6 +19,7 @@ import { hasScopeForVault, parseScopes, validateMintedScopes } from "./scopes.ts
 import type { AuthResult } from "./auth.ts";
 import {
   expandTokenTagScope,
+  filterHydratedLinksByTagScope,
   noteWithinTagScope,
   tagsWithinScope,
 } from "./tag-scope.ts";
@@ -117,11 +119,30 @@ export function generateScopedMcpTools(
   callerBearer?: string | null,
 ): McpToolDef[] {
   const store = getVaultStore(vaultName);
-  const tools = generateMcpTools(store);
+
+  // Tag-scope confidentiality (security review): when the session is
+  // tag-scoped, build an expand-visibility predicate so `query-notes`'s
+  // `expand_links` inlining can't embed out-of-scope note content. The
+  // predicate reads from a SHARED holder that `applyTagScopeWrappers`
+  // populates with the resolved allowlist before core's execute runs the
+  // (synchronous) expansion — so by the time core calls `isVisible(note)`
+  // the allowlist is ready. Core stays scope-unaware: it only receives the
+  // plain closure. Unscoped sessions pass no predicate (unchanged path).
+  const scoped = Boolean(auth?.scoped_tags && auth.scoped_tags.length > 0);
+  const allowedHolder: { value: Set<string> | null } = { value: null };
+  const rawTags = scoped ? auth!.scoped_tags : null;
+  const expandVisibility = scoped
+    ? (note: Note) => noteWithinTagScope(note, allowedHolder.value, rawTags)
+    : undefined;
+
+  const tools = generateMcpTools(
+    store,
+    expandVisibility ? { expandVisibility } : undefined,
+  );
 
   overrideVaultInfo(tools, vaultName, auth);
   applyTagDependencyGuards(tools, vaultName);
-  applyTagScopeWrappers(tools, vaultName, auth);
+  applyTagScopeWrappers(tools, vaultName, auth, allowedHolder);
 
   // manage-token is server-only (needs token-store + auth context), so it
   // lives here rather than in core. Always appended to the surface; the
@@ -181,6 +202,7 @@ function applyTagScopeWrappers(
   tools: McpToolDef[],
   vaultName: string,
   auth: AuthResult | undefined,
+  allowedHolder?: { value: Set<string> | null },
 ): void {
   if (!auth || !auth.scoped_tags || auth.scoped_tags.length === 0) return;
   const store = getVaultStore(vaultName);
@@ -188,12 +210,40 @@ function applyTagScopeWrappers(
   let allowedPromise: Promise<Set<string> | null> | null = null;
   const getAllowed = (): Promise<Set<string> | null> => {
     if (!allowedPromise) {
-      allowedPromise = expandTokenTagScope(store, auth.scoped_tags);
+      allowedPromise = expandTokenTagScope(store, auth.scoped_tags).then((a) => {
+        // Publish the resolved allowlist into the shared holder so the
+        // expand-visibility predicate (wired in generateScopedMcpTools and
+        // baked into the query-notes expand context) sees the same set.
+        // The query-notes wrapper awaits getAllowed() before calling the
+        // core execute that runs expansion, so the holder is populated in
+        // time. Security review: closes the expand_links content leak.
+        if (allowedHolder) allowedHolder.value = a;
+        return a;
+      });
     }
     return allowedPromise;
   };
   const rawTags = auth.scoped_tags;
 
+  // Scrub a returned note's hydrated `links` array (present when the caller
+  // set `include_links`) so out-of-scope NEIGHBOR summaries (id/path/tags)
+  // don't leak — symmetric with the REST `include_links` fix. Mutates in
+  // place and returns the note for chaining. No-op when `links` is absent.
+  //
+  // Ordering invariant: reading `allowedHolder.value` here is safe ONLY
+  // because every wrapper that calls scrubNoteLinks first does
+  // `await getAllowed()` (which populates the holder) before `orig(params)`
+  // and before this scrub runs. So by the time we read `holder.value` it is
+  // the resolved allowlist, never the initial `null`. The `?? null` fallback
+  // is the unscoped/holder-absent path; `filterHydratedLinksByTagScope` then
+  // keys off `rawTags` (non-null here) for the actual scope check.
+  const scrubNoteLinks = (n: any): any => {
+    if (n && Array.isArray(n.links)) {
+      n.links = filterHydratedLinksByTagScope(n.links, allowedHolder?.value ?? null, rawTags);
+    }
+    return n;
+  };
+
   wrapReadTool(tools, "query-notes", async (orig, params) => {
     const allowed = await getAllowed();
     const result = await orig(params);
@@ -203,7 +253,9 @@ function applyTagScopeWrappers(
     //   - `{notes, next_cursor}` (cursor mode, vault#313)
     //   - `{...note}` with `id`+`tags` (single-note by id)
     if (Array.isArray(result)) {
-      return result.filter((n: any) => noteWithinTagScope(n, allowed, rawTags));
+      return result
+        .filter((n: any) => noteWithinTagScope(n, allowed, rawTags))
+        .map(scrubNoteLinks);
     }
     if (
       result &&
@@ -214,13 +266,15 @@ function applyTagScopeWrappers(
     ) {
       const r = result as { notes: any[]; next_cursor: string | null };
       return {
-        notes: r.notes.filter((n: any) => noteWithinTagScope(n, allowed, rawTags)),
+        notes: r.notes
+          .filter((n: any) => noteWithinTagScope(n, allowed, rawTags))
+          .map(scrubNoteLinks),
         next_cursor: r.next_cursor,
       };
     }
     if (result && typeof result === "object" && "id" in result && "tags" in result) {
       return noteWithinTagScope(result as any, allowed, rawTags)
-        ? result
+        ? scrubNoteLinks(result)
         : { error: "Note not found", id: (result as any).id };
     }
     return result;