@openparachute/vault 0.6.0 → 0.6.2-rc.1

package/src/init.test.ts

@@ -72,6 +72,134 @@ describe("vault init — --help mentions --vault-name", () => {
     expect(exitCode).toBe(0);
     expect(stdout).toContain("--no-autostart");
   });
+
+  test("usage text documents the opt-in --configure-claude-code flag (2026-06-23)", () => {
+    const { exitCode, stdout } = runCli(["--help"]);
+    expect(exitCode).toBe(0);
+    expect(stdout).toContain("--configure-claude-code");
+  });
+});
+
+/**
+ * 2026-06-23 messaging realignment: writing the Claude Code MCP config
+ * (~/.claude.json) is now OPT-IN. init's default no longer writes it — it
+ * surfaces the connector URL + a copy-paste `claude mcp add` command and points
+ * at the web wizard instead. These run init end-to-end under an isolated HOME /
+ * PARACHUTE_HOME (with --no-autostart --no-token to keep daemon + token side
+ * effects out) and assert the ~/.claude.json side effect on the default vs the
+ * opt-in path. Non-interactive (piped) is the mode these spawned subprocesses
+ * run in, which is exactly the back-compat-sensitive path.
+ */
+describe("vault init — Claude Code MCP config is opt-in (2026-06-23)", () => {
+  test("default (no --mcp flag) does NOT write ~/.claude.json, and surfaces copy-paste connect info", () => {
+    const sandbox = mkdtempSync(join(tmpdir(), "vault-init-mcp-optin-"));
+    try {
+      const parachuteHome = join(sandbox, ".parachute");
+      const claudeJson = join(sandbox, ".claude.json");
+      const { exitCode, stdout } = runCli(
+        [
+          "init",
+          "--no-autostart",
+          "--no-token",
+          "--vault-name",
+          "mcpoptin",
+        ],
+        { HOME: sandbox, PARACHUTE_HOME: parachuteHome },
+      );
+
+      expect(exitCode).toBe(0);
+      // The headline behavior: no silent ~/.claude.json write.
+      expect(existsSync(claudeJson)).toBe(false);
+      expect(stdout).not.toContain("MCP server added to ~/.claude.json");
+      // But the self-serve connect info IS surfaced for copy-paste.
+      expect(stdout).toContain("claude mcp add --transport http");
+      expect(stdout).toContain("/vault/mcpoptin/mcp");
+      // And the web wizard hand-off is present.
+      expect(stdout).toContain("Finish setup in your browser:");
+    } finally {
+      rmSync(sandbox, { recursive: true, force: true });
+    }
+  });
+
+  test("--configure-claude-code opts in and writes ~/.claude.json", () => {
+    const sandbox = mkdtempSync(join(tmpdir(), "vault-init-mcp-optin-"));
+    try {
+      const parachuteHome = join(sandbox, ".parachute");
+      const claudeJson = join(sandbox, ".claude.json");
+      const { exitCode, stdout } = runCli(
+        [
+          "init",
+          "--no-autostart",
+          "--no-token",
+          "--configure-claude-code",
+          "--vault-name",
+          "mcpoptin",
+        ],
+        { HOME: sandbox, PARACHUTE_HOME: parachuteHome },
+      );
+
+      expect(exitCode).toBe(0);
+      expect(existsSync(claudeJson)).toBe(true);
+      const claudeConfig = JSON.parse(readFileSync(claudeJson, "utf-8"));
+      // The user-scope entry is keyed `parachute-vault` under top-level mcpServers.
+      expect(claudeConfig.mcpServers?.["parachute-vault"]?.url).toContain(
+        "/vault/mcpoptin/mcp",
+      );
+      expect(stdout).toContain("MCP server added to ~/.claude.json");
+    } finally {
+      rmSync(sandbox, { recursive: true, force: true });
+    }
+  });
+
+  for (const alias of ["--mcp", "--mcp-install"]) {
+    test(`the ${alias} alias still opts in`, () => {
+      const sandbox = mkdtempSync(join(tmpdir(), "vault-init-mcp-optin-"));
+      try {
+        const parachuteHome = join(sandbox, ".parachute");
+        const claudeJson = join(sandbox, ".claude.json");
+        const { exitCode } = runCli(
+          [
+            "init",
+            "--no-autostart",
+            "--no-token",
+            alias,
+            "--vault-name",
+            "mcpoptin",
+          ],
+          { HOME: sandbox, PARACHUTE_HOME: parachuteHome },
+        );
+        expect(exitCode).toBe(0);
+        expect(existsSync(claudeJson)).toBe(true);
+      } finally {
+        rmSync(sandbox, { recursive: true, force: true });
+      }
+    });
+  }
+
+  test("--no-mcp wins over an opt-in alias on the same command line", () => {
+    const sandbox = mkdtempSync(join(tmpdir(), "vault-init-mcp-optin-"));
+    try {
+      const parachuteHome = join(sandbox, ".parachute");
+      const claudeJson = join(sandbox, ".claude.json");
+      const { exitCode } = runCli(
+        [
+          "init",
+          "--no-autostart",
+          "--no-token",
+          "--configure-claude-code",
+          "--no-mcp",
+          "--vault-name",
+          "mcpoptin",
+        ],
+        { HOME: sandbox, PARACHUTE_HOME: parachuteHome },
+      );
+      expect(exitCode).toBe(0);
+      // --no-mcp is the safer default and must win — no file written.
+      expect(existsSync(claudeJson)).toBe(false);
+    } finally {
+      rmSync(sandbox, { recursive: true, force: true });
+    }
+  });
 });
 
 /**

package/src/mirror-credentials.test.ts

@@ -104,6 +104,26 @@ describe("serialize + parse round-trip", () => {
     expect(out).toEqual(creds);
   });
 
+  test("github_oauth with empty scope round-trips (GitHub App tokens)", () => {
+    // Tokens from the shared Parachute GitHub App carry scope: "" (GitHub
+    // Apps use fine-grained permissions, not scopes). The empty string must
+    // survive serialize → parse and still pass the section-validity guard.
+    const creds: MirrorCredentials = {
+      active_method: "github_oauth",
+      github_oauth: {
+        access_token: "ghu_abc123def456ghi789",
+        scope: "",
+        authorized_at: "2026-06-10T18:00:00.000Z",
+        user_login: "aaron",
+        user_id: 12345,
+      },
+      pat: null,
+    };
+    const out = parseCredentials(serializeCredentials(creds));
+    expect(out).toEqual(creds);
+    expect(out.github_oauth?.scope).toBe("");
+  });
+
   test("pat credentials round-trip", () => {
     const creds: MirrorCredentials = {
       active_method: "pat",

package/src/mirror-credentials.ts

@@ -209,8 +209,8 @@ export function emptyCredentials(): MirrorCredentials {
  *
  *   active_method: github_oauth
  *   github_oauth:
- *     access_token: gho_...
- *     scope: repo
+ *     access_token: ghu_...
+ *     scope: ""
  *     authorized_at: 2026-05-28T03:14:15.000Z
  *     user_login: aaron
  *     user_id: 12345
@@ -218,6 +218,10 @@ export function emptyCredentials(): MirrorCredentials {
  *     token: ghp_...
  *     remote_url: https://github.com/aaron/my-vault.git
  *     label: "GitHub PAT"
+ *
+ * `scope` is always `""` for tokens from the shared Parachute GitHub App
+ * (GitHub Apps use fine-grained permissions, not scopes). Credentials from
+ * the classic-OAuth era may still carry `scope: repo` — both parse fine.
  */
 export function serializeCredentials(creds: MirrorCredentials): string {
   const lines: string[] = [];

package/src/mirror-remote-guard.test.ts

@@ -0,0 +1,269 @@
+/**
+ * Tests for the cross-vault remote-clobber guard (vault#482).
+ *
+ * Two layers:
+ *   - Pure normalization / equivalence (`normalizeRemoteIdentity`,
+ *     `sameRemoteIdentity`) — https vs ssh vs scp-shorthand vs .git-suffix.
+ *   - `findConflictingVault` against real on-disk vault state under a temp
+ *     PARACHUTE_HOME (no network, no live manager).
+ */
+
+import { describe, test, expect, afterEach } from "bun:test";
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+
+import {
+  normalizeRemoteIdentity,
+  sameRemoteIdentity,
+  claimedRemoteOf,
+  findConflictingVault,
+} from "./mirror-remote-guard.ts";
+import { writeMirrorConfigForVault, defaultMirrorConfig } from "./mirror-config.ts";
+import { writeCredentials } from "./mirror-credentials.ts";
+
+const ORIG_PARACHUTE_HOME = process.env.PARACHUTE_HOME;
+const ORIG_HOME = process.env.HOME;
+afterEach(() => {
+  if (ORIG_PARACHUTE_HOME === undefined) delete process.env.PARACHUTE_HOME;
+  else process.env.PARACHUTE_HOME = ORIG_PARACHUTE_HOME;
+  if (ORIG_HOME === undefined) delete process.env.HOME;
+  else process.env.HOME = ORIG_HOME;
+});
+
+function tmp(prefix: string): string {
+  return fs.mkdtempSync(path.join(os.tmpdir(), prefix));
+}
+
+/**
+ * Stand up a vault on disk under the active PARACHUTE_HOME so `listVaults()`
+ * sees it: create `data/<name>/vault.yaml`. Optionally seed an enabled
+ * internal mirror config + a mirror-dir `origin` and/or a PAT credential.
+ */
+function seedVault(
+  name: string,
+  opts: {
+    origin?: string;
+    pat?: string;
+    enabledMirror?: boolean;
+  } = {},
+): void {
+  const home = process.env.PARACHUTE_HOME!;
+  const vaultDataDir = path.join(home, "vault", "data", name);
+  fs.mkdirSync(vaultDataDir, { recursive: true });
+  // Minimal vault.yaml so listVaults() recognizes it.
+  fs.writeFileSync(path.join(vaultDataDir, "vault.yaml"), `name: ${name}\n`);
+
+  if (opts.enabledMirror !== false && (opts.origin || opts.pat)) {
+    writeMirrorConfigForVault(name, {
+      ...defaultMirrorConfig(),
+      enabled: true,
+      location: "internal",
+    });
+  }
+
+  if (opts.origin) {
+    // Write the mirror dir's git config origin straight to disk — no git
+    // spawn needed; the guard reads `.git/config` directly.
+    const mirrorGitDir = path.join(vaultDataDir, "mirror", ".git");
+    fs.mkdirSync(mirrorGitDir, { recursive: true });
+    fs.writeFileSync(
+      path.join(mirrorGitDir, "config"),
+      `[core]\n\trepositoryformatversion = 0\n[remote "origin"]\n\turl = ${opts.origin}\n\tfetch = +refs/heads/*:refs/remotes/origin/*\n`,
+    );
+  }
+
+  if (opts.pat) {
+    writeCredentials(name, {
+      active_method: "pat",
+      github_oauth: null,
+      pat: { token: "ghp_seedtoken1234567890", remote_url: opts.pat, label: "seed" },
+    });
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Normalization / equivalence
+// ---------------------------------------------------------------------------
+
+describe("normalizeRemoteIdentity", () => {
+  test("https with and without .git normalize equal", () => {
+    expect(normalizeRemoteIdentity("https://github.com/x/y")).toBe("github.com/x/y");
+    expect(normalizeRemoteIdentity("https://github.com/x/y.git")).toBe("github.com/x/y");
+  });
+
+  test("trailing slash is stripped", () => {
+    expect(normalizeRemoteIdentity("https://github.com/x/y/")).toBe("github.com/x/y");
+    expect(normalizeRemoteIdentity("https://github.com/x/y.git/")).toBe("github.com/x/y");
+  });
+
+  test("host is lower-cased", () => {
+    expect(normalizeRemoteIdentity("https://GitHub.com/x/y")).toBe("github.com/x/y");
+  });
+
+  test("owner/repo is lower-cased too (GitHub is case-insensitive) — the clobber guard", () => {
+    // Aaron/Vault and aaron/vault are the SAME GitHub repo; both must normalize
+    // equal so two vaults with different-case configs are caught, not clobbered.
+    expect(normalizeRemoteIdentity("https://github.com/Aaron/Vault.git")).toBe("github.com/aaron/vault");
+    expect(normalizeRemoteIdentity("git@github.com:Aaron/Vault.git")).toBe("github.com/aaron/vault");
+  });
+
+  test("embedded userinfo (token) is stripped", () => {
+    expect(
+      normalizeRemoteIdentity("https://x-access-token:ghp_secret@github.com/x/y.git"),
+    ).toBe("github.com/x/y");
+  });
+
+  test("scp-style SSH shorthand normalizes to host/path", () => {
+    expect(normalizeRemoteIdentity("git@github.com:x/y.git")).toBe("github.com/x/y");
+  });
+
+  test("ssh:// URL normalizes to host/path", () => {
+    expect(normalizeRemoteIdentity("ssh://git@github.com/x/y.git")).toBe("github.com/x/y");
+  });
+
+  test("empty / whitespace → null", () => {
+    expect(normalizeRemoteIdentity("")).toBeNull();
+    expect(normalizeRemoteIdentity("   ")).toBeNull();
+  });
+});
+
+describe("sameRemoteIdentity — the equivalence the guard keys off", () => {
+  test("https ≡ ssh ≡ scp-shorthand ≡ .git-suffix for the same repo", () => {
+    const variants = [
+      "https://github.com/aaron/my-vault.git",
+      "https://github.com/aaron/my-vault",
+      "git@github.com:aaron/my-vault.git",
+      "ssh://git@github.com/aaron/my-vault",
+      "https://x-access-token:ghp_tok@github.com/aaron/my-vault.git",
+    ];
+    for (const a of variants) {
+      for (const b of variants) {
+        expect(sameRemoteIdentity(a, b)).toBe(true);
+      }
+    }
+  });
+
+  test("case-insensitive owner/repo: Aaron/Vault ≡ aaron/vault (the data-loss gap)", () => {
+    expect(
+      sameRemoteIdentity("https://github.com/Aaron/Vault.git", "https://github.com/aaron/vault"),
+    ).toBe(true);
+  });
+
+  test("different repos are NOT equal", () => {
+    expect(
+      sameRemoteIdentity(
+        "https://github.com/aaron/my-vault.git",
+        "https://github.com/aaron/other-vault.git",
+      ),
+    ).toBe(false);
+  });
+
+  test("different owners are NOT equal (the family-box case)", () => {
+    expect(
+      sameRemoteIdentity(
+        "https://github.com/alice/backup.git",
+        "https://github.com/bob/backup.git",
+      ),
+    ).toBe(false);
+  });
+});
+
+// ---------------------------------------------------------------------------
+// claimedRemoteOf — reads both origin + PAT sources
+// ---------------------------------------------------------------------------
+
+describe("claimedRemoteOf", () => {
+  let home: string;
+  afterEach(() => {
+    if (home) fs.rmSync(home, { recursive: true, force: true });
+  });
+
+  test("reads the mirror dir origin (covers OAuth-selected repos)", () => {
+    home = tmp("guard-claimed-origin-");
+    process.env.PARACHUTE_HOME = home;
+    seedVault("a", { origin: "https://github.com/aaron/my-vault.git" });
+    expect(claimedRemoteOf("a")).toBe("github.com/aaron/my-vault");
+  });
+
+  test("reads the stored PAT remote_url when no origin on disk", () => {
+    home = tmp("guard-claimed-pat-");
+    process.env.PARACHUTE_HOME = home;
+    seedVault("a", {
+      pat: "https://x-access-token:ghp_x@github.com/aaron/pat-vault.git",
+    });
+    expect(claimedRemoteOf("a")).toBe("github.com/aaron/pat-vault");
+  });
+
+  test("returns null for a vault with no mirror remote", () => {
+    home = tmp("guard-claimed-none-");
+    process.env.PARACHUTE_HOME = home;
+    seedVault("a", {});
+    expect(claimedRemoteOf("a")).toBeNull();
+  });
+});
+
+// ---------------------------------------------------------------------------
+// findConflictingVault — the cross-vault scan
+// ---------------------------------------------------------------------------
+
+describe("findConflictingVault", () => {
+  let home: string;
+  afterEach(() => {
+    if (home) fs.rmSync(home, { recursive: true, force: true });
+  });
+
+  test("detects a sibling vault targeting the same repo (origin source)", () => {
+    home = tmp("guard-conflict-origin-");
+    process.env.PARACHUTE_HOME = home;
+    // Vault "a" already backs up to aaron/shared via its mirror origin.
+    seedVault("a", { origin: "https://github.com/aaron/shared.git" });
+    seedVault("b", {});
+    // Vault "b" tries to bind the SAME repo via a different URL shape.
+    const conflict = findConflictingVault("b", "git@github.com:aaron/shared.git");
+    expect(conflict).not.toBeNull();
+    expect(conflict!.conflictingVault).toBe("a");
+    expect(conflict!.remoteIdentity).toBe("github.com/aaron/shared");
+  });
+
+  test("detects a sibling vault targeting the same repo (PAT source)", () => {
+    home = tmp("guard-conflict-pat-");
+    process.env.PARACHUTE_HOME = home;
+    seedVault("a", {
+      pat: "https://x-access-token:ghp_a@github.com/aaron/shared.git",
+    });
+    seedVault("b", {});
+    const conflict = findConflictingVault(
+      "b",
+      "https://github.com/aaron/shared",
+    );
+    expect(conflict).not.toBeNull();
+    expect(conflict!.conflictingVault).toBe("a");
+  });
+
+  test("excludes the current vault — re-pointing to its OWN remote is allowed", () => {
+    home = tmp("guard-conflict-self-");
+    process.env.PARACHUTE_HOME = home;
+    seedVault("a", { origin: "https://github.com/aaron/shared.git" });
+    // Vault "a" re-binds its OWN repo (token rotation / re-pick) → no conflict.
+    const conflict = findConflictingVault("a", "https://github.com/aaron/shared.git");
+    expect(conflict).toBeNull();
+  });
+
+  test("no false positive when no sibling targets the repo", () => {
+    home = tmp("guard-conflict-clear-");
+    process.env.PARACHUTE_HOME = home;
+    seedVault("a", { origin: "https://github.com/aaron/vault-a.git" });
+    seedVault("b", {});
+    const conflict = findConflictingVault("b", "https://github.com/aaron/vault-b.git");
+    expect(conflict).toBeNull();
+  });
+
+  test("an empty / unparseable candidate never conflicts", () => {
+    home = tmp("guard-conflict-empty-");
+    process.env.PARACHUTE_HOME = home;
+    seedVault("a", { origin: "https://github.com/aaron/shared.git" });
+    expect(findConflictingVault("b", "")).toBeNull();
+    expect(findConflictingVault("b", "   ")).toBeNull();
+  });
+});