@openparachute/vault 0.5.3-rc.3 → 0.6.0

package/src/routing.test.ts

@@ -431,6 +431,70 @@ describe("/vault/<name>/admin/* SPA mount", () => {
     expect(res.status).toBe(401);
   });
 
+  // ---------------------------------------------------------------------
+  // /vault/admin[/*] — DAEMON-LEVEL multi-vault SPA mount (B3, 2026-06-09
+  // hub-module-boundary migration). `admin` is a reserved vault name (B2),
+  // and this branch dispatches BEFORE both the per-vault SPA mount and the
+  // per-vault dispatcher. Detailed serving behavior (the bare-mount 301,
+  // asset strip) is pinned in admin-spa.test.ts with a tmp dist dir.
+  // ---------------------------------------------------------------------
+
+  test("/vault/admin/ fires the SPA layer, never the per-vault 'Vault not found' JSON", async () => {
+    // No vault named "admin" exists (it can't — reserved). Without the
+    // daemon-level branch this path would fall to the per-vault dispatcher
+    // and 404 as JSON.
+    const req = new Request("http://localhost:1940/vault/admin/");
+    const res = await route(req, "/vault/admin/");
+    expect(res.status === 200 || res.status === 503).toBe(true);
+    expect(res.headers.get("content-type") ?? "").not.toContain("application/json");
+  });
+
+  test("/vault/admin/admin does NOT boot per-vault mode for a vault named 'admin'", async () => {
+    // The per-vault regex would capture name="admin" here. The daemon-level
+    // branch must win — the regexes are deliberately not merged.
+    const req = new Request("http://localhost:1940/vault/admin/admin");
+    const res = await route(req, "/vault/admin/admin");
+    expect(res.status === 200 || res.status === 503).toBe(true);
+    expect(res.headers.get("content-type") ?? "").not.toContain("application/json");
+  });
+
+  test("a squatted vault named 'admin' is shadowed — its data plane serves the SPA layer", async () => {
+    // A vault created before the reservation landed. The daemon mount wins
+    // over its entire /vault/admin/* surface (server boot warns with the
+    // recovery procedure — see vault-name.ts:reservedNameSquatWarnings).
+    createVault("admin");
+    const req = new Request("http://localhost:1940/vault/admin/api/notes");
+    const res = await route(req, "/vault/admin/api/notes");
+    // The per-vault API would 401 (auth wall); the SPA layer serves the
+    // static shell (200) or the unbuilt-dist 503 — never the API's JSON.
+    expect(res.status === 200 || res.status === 503).toBe(true);
+    expect(res.headers.get("content-type") ?? "").not.toContain("application/json");
+  });
+
+  test("POST /vault/admin/ returns 405 (daemon mount is GET-only)", async () => {
+    const req = new Request("http://localhost:1940/vault/admin/", { method: "POST" });
+    const res = await route(req, "/vault/admin/");
+    expect(res.status).toBe(405);
+  });
+
+  test("/vault/adminx/* does NOT match the daemon mount — routes per-vault", async () => {
+    // Exact-segment match only: a real vault whose name merely starts with
+    // "admin" keeps its normal per-vault surface (the API auth wall 401s,
+    // proving the per-vault dispatcher handled it).
+    createVault("adminx");
+    const req = new Request("http://localhost:1940/vault/adminx/api/notes");
+    const res = await route(req, "/vault/adminx/api/notes");
+    expect(res.status).toBe(401);
+  });
+
+  test("per-vault /vault/<real>/admin/ is unaffected by the daemon mount", async () => {
+    createVault("work");
+    const req = new Request("http://localhost:1940/vault/work/admin/");
+    const res = await route(req, "/vault/work/admin/");
+    expect(res.status === 200 || res.status === 503).toBe(true);
+    expect(res.headers.get("content-type") ?? "").not.toContain("application/json");
+  });
+
   test("origin-rooted /admin (legacy mount retired) returns 404", async () => {
     // Pre-vault#252 the SPA was at /admin/*. Routing now lets that fall
     // through to the catch-all — hub's directory page should link to

package/src/routing.ts

@@ -15,6 +15,9 @@
  *   /vaults/list                       — public vault-name discovery (can be
  *                                        disabled globally via config)
  *   /vaults                            — authenticated vault metadata list
+ *   /vault/admin[/*]                   — daemon-level multi-vault admin SPA
+ *                                        (B3; `admin` is a reserved vault
+ *                                        name, dispatched BEFORE per-vault)
  *   /vault/<name>/.well-known/oauth-*  — discovery forwarder; metadata names
  *                                        the hub as the authorization server
  *                                        (vault is resource-server only)
@@ -52,7 +55,13 @@ import {
 import { hasScopeForVault, SCOPE_ADMIN, SCOPE_READ, scopeForMethod, verbForMethod } from "./scopes.ts";
 import { getVaultStore } from "./vault-store.ts";
 import { handleScopedMcp } from "./mcp-http.ts";
-import { defaultAdminSpaDistDir, isAdminSpaPath, serveAdminSpa } from "./admin-spa.ts";
+import {
+  defaultAdminSpaDistDir,
+  isAdminSpaPath,
+  isDaemonAdminSpaPath,
+  serveAdminSpa,
+  serveDaemonAdminSpa,
+} from "./admin-spa.ts";
 import {
   handleNotes,
   handleTags,
@@ -63,6 +72,8 @@ import {
   handleViewNote,
   type TagScopeCtx,
 } from "./routes.ts";
+import { handleSubscribe } from "./subscribe.ts";
+import { handleTriggers } from "./triggers-api.ts";
 import { expandTokenTagScope } from "./tag-scope.ts";
 import {
   handleProtectedResource,
@@ -287,6 +298,26 @@ export async function route(
     });
   }
 
+  // Daemon-level multi-vault admin SPA — `/vault/admin[/*]` (B3 of the
+  // 2026-06-09 hub-module-boundary migration). The vault MODULE's own home
+  // surface: list / create / delete vaults, deep-link into each instance's
+  // per-vault admin. Same static bundle as the per-vault mount below —
+  // `web/ui/src/lib/mount.ts` detects the basename at runtime.
+  //
+  // MUST dispatch BEFORE `isAdminSpaPath`: the per-vault regex also matches
+  // `/vault/admin/admin` (capturing name="admin"), which must NOT boot
+  // per-vault mode — `admin` is a reserved vault name (B2) and this mount is
+  // daemon-owned. Hub#637's `/vault/admin` route forwards the FULL path here
+  // (no stripPrefix on vault's services row). A pre-reservation squatter
+  // vault named "admin" is fully shadowed by this branch — server boot
+  // warns with the recovery procedure (see vault-name.ts).
+  if (isDaemonAdminSpaPath(path)) {
+    if (req.method !== "GET") {
+      return Response.json({ error: "Method not allowed" }, { status: 405 });
+    }
+    return serveDaemonAdminSpa(defaultAdminSpaDistDir(), path);
+  }
+
   // Admin SPA — per-vault at `/vault/<name>/admin/*` (vault#252). Static-
   // file serving only (index.html + Vite asset bundle); no auth at this
   // seam since the bundle reveals nothing privileged. The SPA's data
@@ -728,6 +759,18 @@ export async function route(
     return Response.json({ error: "Not found" }, { status: 404 });
   }
 
+  // /api/triggers — runtime trigger-registration API. Dispatched BEFORE the
+  // generic method→verb scope gate below because it's ADMIN-scoped on EVERY
+  // method (a webhook trigger exfiltrates note data; even GET is admin). The
+  // gate lives inside `handleTriggers`. Subpath is everything after
+  // `/api/triggers`. See src/triggers-api.ts.
+  {
+    const triggersPath = apiMatch[1] ?? "";
+    if (triggersPath === "/triggers" || triggersPath.startsWith("/triggers/")) {
+      return handleTriggers(req, store, triggersPath.slice("/triggers".length), vaultName, auth);
+    }
+  }
+
   // REST API — scope gate. GET/HEAD/OPTIONS → vault:read,
   // POST/PATCH/PUT/DELETE → vault:write. Inheritance (admin ⊇ write ⊇ read)
   // and the broad-vs-narrowed shape (`vault:<verb>` from pvt_*, or
@@ -762,6 +805,10 @@ export async function route(
   };
 
   if (apiPath.startsWith("/notes")) return handleNotes(req, store, apiPath.slice(6), vaultName, tagScope);
+  // Live-query SSE subscription (design 2026-06-08). Snapshot + scoped live
+  // upsert/remove events over text/event-stream. Auth + tag-scope already
+  // resolved above and threaded through, mirroring the /notes branch.
+  if (apiPath === "/subscribe") return handleSubscribe(req, store, vaultName, tagScope);
   if (apiPath.startsWith("/tags")) return handleTags(req, store, apiPath.slice(5), tagScope);
   if (apiPath === "/find-path") return handleFindPath(req, store, tagScope);
   if (apiPath === "/vault") {

package/src/server.ts

@@ -15,13 +15,14 @@
  * The request pipeline lives in ./routing.ts (exported for unit testing).
  */
 
-import { readVaultConfig, readGlobalConfig, writeGlobalConfig, writeVaultConfig, listVaults, DEFAULT_PORT, ensureConfigDirSync, loadEnvFile, generateApiKey, hashKey, stopSignalPath } from "./config.ts";
+import { readVaultConfig, readGlobalConfig, writeGlobalConfig, writeVaultConfig, listVaults, DEFAULT_PORT, ensureConfigDirSync, loadEnvFile, generateApiKey, hashKey, stopSignalPath, bootAutoCreateAllowed } from "./config.ts";
 import { existsSync, rmSync } from "fs";
 import { migrateVaultKeys } from "./token-store.ts";
-import { resolveFirstBootVaultName } from "./vault-name.ts";
+import { resolveFirstBootVaultName, reservedNameSquatWarnings } from "./vault-name.ts";
 import { getVaultStore, getVaultNameForStore } from "./vault-store.ts";
 import { defaultHookRegistry } from "../core/src/hooks.ts";
 import { registerTriggers } from "./triggers.ts";
+import { loadVaultTriggers } from "./triggers-api.ts";
 import { route } from "./routing.ts";
 import { startTranscriptionWorker, registerTranscriptionHook, type TranscriptionWorker } from "./transcription-worker.ts";
 import { setTranscriptionWorker } from "./transcription-registry.ts";
@@ -155,9 +156,20 @@ warnLegacyGlobalApiKeys(readGlobalConfig().api_keys);
 // The vault name comes from PARACHUTE_VAULT_NAME when set + valid; otherwise
 // falls back to "default". Hub's first-boot wizard (hub#267) passes through
 // an operator-chosen name via this env var.
+//
+// Gated on the `auto_create: false` marker (2026-06-09 hub-module-boundary
+// migration): `parachute-vault remove` writes it when the operator deletes
+// their LAST vault, so an explicit empty-the-server action isn't silently
+// undone by a resurrection with fresh credentials on the next boot. Fresh
+// installs have no config.yaml — no marker — so Docker first-run still
+// auto-creates.
 if (listVaults().length === 0) {
   const globalConfig = readGlobalConfig();
-  if (!globalConfig.default_vault) {
+  if (!bootAutoCreateAllowed(globalConfig)) {
+    console.log(
+      '[vault first-boot] auto-create disabled (auto_create: false in config.yaml — the last vault was removed deliberately). Create one with: parachute-vault create <name>',
+    );
+  } else if (!globalConfig.default_vault) {
     const firstBoot = resolveFirstBootVaultName(process.env.PARACHUTE_VAULT_NAME);
     if (firstBoot.source === "env") {
       console.log(`[vault first-boot] using PARACHUTE_VAULT_NAME=${firstBoot.name}`);
@@ -204,6 +216,15 @@ if (listVaults().length === 0) {
 // survive — see self-register.ts header for the v0.6 vs v0.7 design note.
 selfRegister({ version: pkg.version });
 
+// Loud boot warning for vaults squatting a shadowed reserved name (B2 of the
+// 2026-06-09 hub-module-boundary migration). A vault named `admin`/`new`/
+// `assets` (created before the names were reserved) has its entire
+// `/vault/<name>/*` data plane shadowed by reserved hub/daemon routes — warn
+// with the recovery procedure rather than silently serving nothing.
+for (const warning of reservedNameSquatWarnings(listVaults())) {
+  console.warn(warning);
+}
+
 // Migrate tag schemas from vault.yaml → DB for each vault.
 // Only inserts schemas that don't already exist in the DB (safe across restarts).
 for (const vaultName of listVaults()) {
@@ -244,6 +265,31 @@ for (const vaultName of listVaults()) {
   }
 }
 
+// Load persisted runtime triggers for each vault and register them
+// vault-scoped on the shared hook registry (frictionless-channel-setup PR 1).
+// Runs alongside the config.yaml trigger registration above; config.yaml
+// triggers stay global, these fire only for their own vault. Survives
+// restart — the `triggers` table is the source of truth. Per-vault failure
+// is isolated so one bad vault can't block the others.
+{
+  let totalTriggers = 0;
+  for (const vaultName of listVaults()) {
+    try {
+      const store = getVaultStore(vaultName);
+      const n = loadVaultTriggers(vaultName, store);
+      totalTriggers += n;
+      if (n > 0) {
+        console.log(`[triggers] loaded ${n} runtime trigger(s) for vault "${vaultName}"`);
+      }
+    } catch (err) {
+      console.error(`[triggers] failed to load runtime triggers for vault "${vaultName}":`, err);
+    }
+  }
+  if (totalTriggers === 0) {
+    console.log("[triggers] no persisted runtime triggers");
+  }
+}
+
 const globalConfig = readGlobalConfig();
 const port = parseInt(process.env.PORT ?? "") || globalConfig.port || DEFAULT_PORT;
 const hostname = resolveBindHostname();