@openparachute/vault 0.6.0-rc.1 → 0.6.0

package/src/auth.test.ts

@@ -1,7 +1,7 @@
 /**
  * Auth invariants — vault as a pure hub resource-server (vault#282 Stage 2).
  *
- * The `pvt_*` opaque vault-DB token was dropped at 0.6.0: vault no longer
+ * The `pvt_*` opaque vault-DB token was dropped at 0.5.0: vault no longer
  * mints or validates it. The surviving auth surfaces tested here are:
  *   - VAULT_AUTH_TOKEN — the server-wide operator bearer.
  *   - Legacy YAML api_keys (vault.yaml / config.yaml) — hashed keys.
@@ -26,7 +26,8 @@ import {
   hashKey,
 } from "./config.ts";
 import { getVaultStore, clearVaultStoreCache } from "./vault-store.ts";
-import { authenticateVaultRequest, authenticateGlobalRequest } from "./auth.ts";
+import { authenticateVaultRequest, authenticateGlobalRequest, warnLegacyGlobalApiKeys } from "./auth.ts";
+import type { StoredKey } from "./config.ts";
 
 let tmpHome: string;
 let prevHome: string | undefined;
@@ -91,7 +92,7 @@ describe("auth — pvt_* tokens are unvalidatable (fail closed)", () => {
   // API key" a non-pvt_ bad token gets) — the prefix is the user-meaningful
   // signal that the mechanism was dropped, not that the key was mistyped.
   const PVT_MESSAGE =
-    "pvt_* tokens are no longer supported (vault 0.6.0). Re-add this vault via your hub to get an access token.";
+    "pvt_* tokens are no longer supported (vault 0.5.0). Re-add this vault via your hub to get an access token.";
 
   test("a pvt_* bearer is 401-rejected with the dropped-token message on the per-vault surface", async () => {
     seedVault("journal");
@@ -442,3 +443,38 @@ describe("auth — VAULT_AUTH_TOKEN server-wide operator bearer", () => {
     expect("error" in result).toBe(true);
   });
 });
+
+// ---------------------------------------------------------------------------
+// Legacy GLOBAL api_keys boot warning (security review — multi-user
+// hardening). Cross-vault credentials in config.yaml must be surfaced loudly
+// at boot, but never altered. Pure-function unit tests (no server boot).
+// ---------------------------------------------------------------------------
+describe("warnLegacyGlobalApiKeys (legacy cross-vault key boot warning)", () => {
+  function key(id: string): StoredKey {
+    return {
+      id,
+      label: id,
+      key_hash: `sha256:${id}`,
+      scope: "full",
+      created_at: new Date().toISOString(),
+    };
+  }
+
+  test("warns when global api_keys are present", () => {
+    const msgs: string[] = [];
+    const count = warnLegacyGlobalApiKeys([key("a"), key("b")], (m) => msgs.push(m));
+    expect(count).toBe(2);
+    expect(msgs).toHaveLength(1);
+    expect(msgs[0]).toContain("legacy GLOBAL api_key");
+    expect(msgs[0]).toContain("CROSS-VAULT");
+    // Heads-up only — must signal it does NOT alter the keys.
+    expect(msgs[0]).toContain("remain active");
+  });
+
+  test("silent when there are no global api_keys", () => {
+    const msgs: string[] = [];
+    expect(warnLegacyGlobalApiKeys([], (m) => msgs.push(m))).toBe(0);
+    expect(warnLegacyGlobalApiKeys(undefined, (m) => msgs.push(m))).toBe(0);
+    expect(msgs).toHaveLength(0);
+  });
+});

package/src/auth.ts

@@ -1,7 +1,7 @@
 /**
  * Authentication and authorization for the vault server.
  *
- * As of 0.6.0 vault is a PURE HUB RESOURCE-SERVER (vault#282 Stage 2). The
+ * As of 0.5.0 vault is a PURE HUB RESOURCE-SERVER (vault#282 Stage 2). The
  * opaque `pvt_*` vault-DB token was dropped — vault no longer mints or
  * validates it. Three auth paths survive:
  *
@@ -171,6 +171,35 @@ export function warnLegacyOnce(cacheKey: string, context: string): void {
   );
 }
 
+/**
+ * Boot-time warning for legacy GLOBAL `api_keys` in `config.yaml` (security
+ * review — multi-user hardening). Those keys are CROSS-VAULT credentials: a
+ * single key authenticates against EVERY vault on this server (see the global
+ * `api_keys` branch in `authenticate` ~L283). That predates per-vault keys +
+ * tag-scoped hub JWTs and is a confidentiality hazard once a server hosts
+ * multiple users' vaults — one user's global key reads another's vault.
+ *
+ * WARNING ONLY — never touches the keys (the operator owns them). The
+ * verification flagged 6 such keys on the live box; this surfaces them at
+ * boot so they're rotated/removed before multi-user sharing. Returns the
+ * count it warned about (0 = silent) so callers / tests can assert.
+ */
+export function warnLegacyGlobalApiKeys(
+  globalApiKeys: StoredKey[] | undefined,
+  warn: (msg: string) => void = console.warn,
+): number {
+  const count = globalApiKeys?.length ?? 0;
+  if (count === 0) return 0;
+  warn(
+    `[auth] WARNING: ${count} legacy GLOBAL api_key(s) found in config.yaml. ` +
+      "These are CROSS-VAULT credentials (each grants access to every vault on this server) " +
+      "and predate per-vault keys + tag-scoped hub JWTs. Before multi-user sharing, ROTATE or " +
+      "REMOVE them — a global key leaks one user's vault to another. They remain active (the " +
+      "operator owns them); this is a heads-up, not an automatic change.",
+  );
+  return count;
+}
+
 /** Read-only tools (the only tools allowed for "read" permission). */
 const READ_TOOLS = new Set([
   "query-notes",
@@ -310,7 +339,7 @@ function droppedPvtTokenResponse(): Response {
     {
       error: "Unauthorized",
       message:
-        "pvt_* tokens are no longer supported (vault 0.6.0). Re-add this vault via your hub to get an access token.",
+        "pvt_* tokens are no longer supported (vault 0.5.0). Re-add this vault via your hub to get an access token.",
     },
     { status: 401 },
   );

package/src/auto-transcribe.test.ts

@@ -118,4 +118,55 @@ describe("shouldAutoTranscribe", () => {
       enabledOverride: false,
     })).toBe(false);
   });
+
+  describe("per-vault precedence (per-vault → global → true)", () => {
+    test("per-vault true wins even when global is false", () => {
+      expect(shouldAutoTranscribe("audio/wav", {
+        readGlobalConfigImpl: readGlobalConfig(false),
+        getCachedScribeUrlImpl: scribePresent,
+        perVaultEnabled: true,
+      })).toBe(true);
+    });
+
+    test("per-vault false wins even when global is true", () => {
+      // The whole point: linking scribe to vault X (perVault true) elsewhere
+      // must not force-on a vault that set its own false.
+      expect(shouldAutoTranscribe("audio/wav", {
+        readGlobalConfigImpl: readGlobalConfig(true),
+        getCachedScribeUrlImpl: scribePresent,
+        perVaultEnabled: false,
+      })).toBe(false);
+    });
+
+    test("per-vault unset falls back to global", () => {
+      expect(shouldAutoTranscribe("audio/wav", {
+        readGlobalConfigImpl: readGlobalConfig(true),
+        getCachedScribeUrlImpl: scribePresent,
+        perVaultEnabled: undefined,
+      })).toBe(true);
+      expect(shouldAutoTranscribe("audio/wav", {
+        readGlobalConfigImpl: readGlobalConfig(false),
+        getCachedScribeUrlImpl: scribePresent,
+        perVaultEnabled: undefined,
+      })).toBe(false);
+    });
+
+    test("both per-vault and global unset falls back to true (no regression)", () => {
+      expect(shouldAutoTranscribe("audio/wav", {
+        readGlobalConfigImpl: readGlobalConfig(undefined),
+        getCachedScribeUrlImpl: scribePresent,
+        perVaultEnabled: undefined,
+      })).toBe(true);
+    });
+
+    test("enabledOverride still hard-overrides the per-vault value", () => {
+      // The explicit caller-opt-in path beats everything.
+      expect(shouldAutoTranscribe("audio/wav", {
+        readGlobalConfigImpl: readGlobalConfig(true),
+        getCachedScribeUrlImpl: scribePresent,
+        perVaultEnabled: false,
+        enabledOverride: true,
+      })).toBe(true);
+    });
+  });
 });

package/src/auto-transcribe.ts

@@ -19,11 +19,18 @@ import { getCachedScribeUrl } from "./scribe-discovery.ts";
  *
  * Returns `true` only when ALL three conditions hold:
  *   1. mime-type starts with `audio/` (case-insensitive).
- *   2. `globalConfig.auto_transcribe?.enabled` is not explicitly false.
- *      Default behavior (when unset) is ON — once an operator has scribe
- *      reachable, audio attachments transcribe automatically without a
- *      separate config step. Operators who want it OFF set
- *      `auto_transcribe.enabled: false` explicitly.
+ *   2. The resolved auto-transcribe toggle is not `false`. Resolution is
+ *      **per-vault → global → true**:
+ *        - `perVaultEnabled` (the owning vault's own `auto_transcribe.enabled`)
+ *          wins when set — this is what makes scribe's "link to vault X" affect
+ *          only X, not the whole server.
+ *        - else the server-wide `globalConfig.auto_transcribe?.enabled`.
+ *        - else `true` (default ON — once scribe is reachable, audio
+ *          transcribes without a separate config step). Operators who want it
+ *          OFF set `auto_transcribe.enabled: false` explicitly (per-vault or
+ *          globally).
+ *      `enabledOverride`, when present, hard-overrides the whole chain (used
+ *      by the explicit caller-opt-in path).
  *   3. Scribe is discoverable (services.json entry OR SCRIBE_URL env).
  *
  * The three conditions are independent guards: a single `false` is sufficient
@@ -35,7 +42,17 @@ export function shouldAutoTranscribe(
     /** Injection seam for tests — defaults to live globals. */
     readGlobalConfigImpl?: typeof readGlobalConfig;
     getCachedScribeUrlImpl?: () => string | undefined;
-    /** Allow per-call enabled override — used by the explicit-opt-in path. */
+    /**
+     * The owning vault's per-vault `auto_transcribe.enabled` (vault.yaml).
+     * Takes precedence over the global toggle when set, so enabling/disabling
+     * one vault doesn't move the rest. `undefined` (the vault left it unset)
+     * falls through to the global toggle.
+     */
+    perVaultEnabled?: boolean;
+    /**
+     * Hard override of the entire per-vault→global→true chain. Used by the
+     * explicit caller-opt-in path; not part of the normal precedence ladder.
+     */
     enabledOverride?: boolean;
   } = {},
 ): boolean {
@@ -43,6 +60,7 @@ export function shouldAutoTranscribe(
     return false;
   }
   const enabled = opts.enabledOverride
+    ?? opts.perVaultEnabled
     ?? (opts.readGlobalConfigImpl ?? readGlobalConfig)().auto_transcribe?.enabled
     ?? true;
   if (!enabled) return false;

package/src/autostart.test.ts

@@ -0,0 +1,75 @@
+import { describe, test, expect } from "bun:test";
+import { decideAutostart } from "./autostart.ts";
+
+/**
+ * Pure matrix for the autostart decision (ParachuteComputer/parachute-hub#580
+ * item 2). No launchd/systemd is touched — `decideAutostart` is side-effect
+ * free; the CLI consumes its result to register or skip.
+ */
+describe("decideAutostart", () => {
+  test("hub present, no flag, no persisted → default OFF (#580)", () => {
+    const d = decideAutostart({ flagOn: false, flagOff: false, persisted: undefined, hubPresent: true });
+    expect(d.enabled).toBe(false);
+    expect(d.reason).toBe("hub-default-off");
+    // Per-run inference — not persisted, so a later standalone re-run registers.
+    expect(d.persist).toBe(false);
+    expect(d.overrodeHub).toBe(false);
+  });
+
+  test("hub absent, no flag, no persisted → default ON (standalone)", () => {
+    const d = decideAutostart({ flagOn: false, flagOff: false, persisted: undefined, hubPresent: false });
+    expect(d.enabled).toBe(true);
+    expect(d.reason).toBe("default-on");
+    expect(d.persist).toBe(false);
+  });
+
+  test("explicit --autostart forces ON even under a hub (operator override + warn flag)", () => {
+    const d = decideAutostart({ flagOn: true, flagOff: false, persisted: undefined, hubPresent: true });
+    expect(d.enabled).toBe(true);
+    expect(d.reason).toBe("flag-on");
+    expect(d.persist).toBe(true);
+    expect(d.overrodeHub).toBe(true);
+  });
+
+  test("explicit --autostart with no hub does not set overrodeHub", () => {
+    const d = decideAutostart({ flagOn: true, flagOff: false, persisted: undefined, hubPresent: false });
+    expect(d.enabled).toBe(true);
+    expect(d.overrodeHub).toBe(false);
+    expect(d.persist).toBe(true);
+  });
+
+  test("explicit --no-autostart forces OFF and persists (even under a hub)", () => {
+    const d = decideAutostart({ flagOn: false, flagOff: true, persisted: undefined, hubPresent: true });
+    expect(d.enabled).toBe(false);
+    expect(d.reason).toBe("flag-off");
+    expect(d.persist).toBe(true);
+    expect(d.overrodeHub).toBe(false);
+  });
+
+  test("--no-autostart wins over --autostart on the same line (safer default)", () => {
+    const d = decideAutostart({ flagOn: true, flagOff: true, persisted: undefined, hubPresent: false });
+    expect(d.enabled).toBe(false);
+    expect(d.reason).toBe("flag-off");
+  });
+
+  test("persisted=false honored over hub-present default", () => {
+    const d = decideAutostart({ flagOn: false, flagOff: false, persisted: false, hubPresent: true });
+    expect(d.enabled).toBe(false);
+    expect(d.reason).toBe("persisted");
+    expect(d.persist).toBe(false);
+  });
+
+  test("persisted=true honored even when a hub is present (prior explicit choice)", () => {
+    const d = decideAutostart({ flagOn: false, flagOff: false, persisted: true, hubPresent: true });
+    expect(d.enabled).toBe(true);
+    expect(d.reason).toBe("persisted");
+    expect(d.persist).toBe(false);
+  });
+
+  test("flag beats persisted: --no-autostart over persisted=true", () => {
+    const d = decideAutostart({ flagOn: false, flagOff: true, persisted: true, hubPresent: false });
+    expect(d.enabled).toBe(false);
+    expect(d.reason).toBe("flag-off");
+    expect(d.persist).toBe(true);
+  });
+});

package/src/autostart.ts

@@ -0,0 +1,84 @@
+/**
+ * Decide whether `parachute-vault init` should register a boot/restart daemon
+ * (launchd on macOS, systemd on Linux).
+ *
+ * Pure: extracted so the flag × persisted-config × hub-presence matrix can be
+ * unit-tested without spawning the CLI or touching launchd/systemd. The caller
+ * passes in the resolved `hubPresent` signal (from `detectHubPresence`) so this
+ * function stays side-effect-free.
+ *
+ * Why hub-presence flips the default (ParachuteComputer/parachute-hub#580):
+ * under hub-as-supervisor the hub owns the vault lifecycle — it spawns vault as
+ * a supervised child. If init *also* registers a launchd/systemd unit with
+ * `KeepAlive`/`RunAtLoad`, two lifecycles race for :1940: the supervisor's
+ * child and the platform manager's respawn. `parachute stop` kills the
+ * supervised one, launchd resurrects the other (EADDRINUSE crash-loop, pidfile
+ * records the loser, the rogue holds the port with no injected
+ * PARACHUTE_HUB_ORIGIN → iss mismatch). Defaulting autostart OFF when a hub is
+ * present makes the standalone daemon an explicit opt-in.
+ *
+ * Precedence (first match wins):
+ *   1. `--no-autostart` on this run            → off  (persisted; safer-default
+ *                                                 precedence beats --autostart)
+ *   2. `--autostart` on this run               → on   (persisted; operator
+ *                                                 override — caller warns if a
+ *                                                 supervised hub was detected)
+ *   3. Existing `config.autostart` (boolean)   → that value (honor prior choice)
+ *   4. Hub present, no flag, no persisted value → off  (the hub supervisor owns
+ *                                                 the lifecycle — #580)
+ *   5. Default                                 → on   (standalone deploys
+ *                                                 genuinely need a daemon)
+ *
+ * `persist` is true only when the choice came from an explicit flag (cases 1+2)
+ * — matching the prior behavior where a flagless re-run never rewrote the
+ * persisted value. The hub-present default (case 4) is intentionally NOT
+ * persisted: it's a per-run inference, so a later standalone re-run (no hub)
+ * falls back to the register default rather than being stuck off.
+ *
+ * `overrodeHub` is true only for case 2 when a hub was detected — the signal the
+ * caller uses to log the "supervised hub detected, registering anyway" warning.
+ */
+export interface AutostartDecisionInput {
+  /** `--autostart` present on this invocation. */
+  flagOn: boolean;
+  /** `--no-autostart` present on this invocation. */
+  flagOff: boolean;
+  /** Persisted `config.autostart` from a prior run, if a boolean. */
+  persisted?: boolean | undefined;
+  /** Whether a hub supervisor was detected (from `detectHubPresence`). */
+  hubPresent: boolean;
+}
+
+export interface AutostartDecision {
+  /** Final resolved value. */
+  enabled: boolean;
+  /** Whether the caller should write `config.autostart` to disk. */
+  persist: boolean;
+  /** True when `--autostart` forced registration despite a detected hub. */
+  overrodeHub: boolean;
+  /** Which precedence rule decided the outcome (for testing + copy). */
+  reason: "flag-off" | "flag-on" | "persisted" | "hub-default-off" | "default-on";
+}
+
+export function decideAutostart(input: AutostartDecisionInput): AutostartDecision {
+  const { flagOn, flagOff, persisted, hubPresent } = input;
+
+  if (flagOff) {
+    return { enabled: false, persist: true, overrodeHub: false, reason: "flag-off" };
+  }
+  if (flagOn) {
+    return {
+      enabled: true,
+      persist: true,
+      overrodeHub: hubPresent,
+      reason: "flag-on",
+    };
+  }
+  if (typeof persisted === "boolean") {
+    return { enabled: persisted, persist: false, overrodeHub: false, reason: "persisted" };
+  }
+  if (hubPresent) {
+    return { enabled: false, persist: false, overrodeHub: false, reason: "hub-default-off" };
+  }
+  return { enabled: true, persist: false, overrodeHub: false, reason: "default-on" };
+}