axvault 1.0.0 → 1.1.0

package/README.md

@@ -163,11 +163,14 @@ curl -X PUT https://vault.example.com/api/v1/credentials/claude/prod \
   -H "Authorization: Bearer <api_key>" \
   -H "Content-Type: application/json" \
   -d '{
-    "data": {"accessToken": "...", "refreshToken": "..."},
+    "type": "oauth",
+    "data": {"access_token": "...", "refresh_token": "..."},
     "expiresAt": "2025-12-31T23:59:59Z"
   }'
 ```
 
+The `type` field is required and must be either `"oauth"` (for refreshable tokens) or `"api-key"` (for static keys). Only `oauth` credentials are eligible for auto-refresh.
+
 ### Retrieve a Credential
 
 ```bash

package/dist/cli.d.ts

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 /**
- * axvault - Remote credential storage server for axpoint.
+ * axvault - Remote credential storage server for axkit.
  *
  * Stores agent credentials and serves them via API.
  */

package/dist/cli.js

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 /**
- * axvault - Remote credential storage server for axpoint.
+ * axvault - Remote credential storage server for axkit.
  *
  * Stores agent credentials and serves them via API.
  */

package/dist/commands/credential.js

@@ -8,13 +8,14 @@ import { deleteCredential, listCredentials, } from "../db/repositories/credentia
 import { containsControlChars, formatDateForJson, formatExpiresAt, formatRelativeTime, getErrorMessage, sanitizeForTsv, } from "../lib/format.js";
 /** Print credentials as TSV table */
 function printCredentialTable(credentials) {
-    console.log("AGENT\tNAME\tEXPIRES\tUPDATED");
+    console.log("AGENT\tNAME\tTYPE\tEXPIRES\tUPDATED");
     for (const cred of credentials) {
         const agent = sanitizeForTsv(cred.agent);
         const name = sanitizeForTsv(cred.name);
+        const type = sanitizeForTsv(cred.type);
         const expires = formatExpiresAt(cred.expiresAt);
         const updated = formatRelativeTime(cred.updatedAt);
-        console.log(`${agent}\t${name}\t${expires}\t${updated}`);
+        console.log(`${agent}\t${name}\t${type}\t${expires}\t${updated}`);
     }
 }
 /**
@@ -59,6 +60,7 @@ export function handleCredentialList(options) {
             const output = credentials.map((cred) => ({
                 agent: cred.agent,
                 name: cred.name,
+                type: cred.type,
                 createdAt: cred.createdAt.toISOString(),
                 updatedAt: cred.updatedAt.toISOString(),
                 expiresAt: formatDateForJson(cred.expiresAt),

package/dist/db/migrations.d.ts

@@ -4,7 +4,7 @@
  * Uses a simple version-based migration system.
  */
 import type Database from "better-sqlite3";
-declare const CURRENT_VERSION = 2;
+declare const CURRENT_VERSION = 3;
 /** Run all pending migrations */
 declare function runMigrations(database: Database.Database): void;
 /** Get current schema version */

package/dist/db/migrations.js

@@ -3,7 +3,7 @@
  *
  * Uses a simple version-based migration system.
  */
-const CURRENT_VERSION = 2;
+const CURRENT_VERSION = 3;
 /** Run all pending migrations */
 function runMigrations(database) {
     const version = getSchemaVersion(database);
@@ -13,6 +13,9 @@ function runMigrations(database) {
     if (version < 2) {
         migrateToV2(database);
     }
+    if (version < 3) {
+        migrateToV3(database);
+    }
 }
 /** Get current schema version */
 function getSchemaVersion(database) {
@@ -93,4 +96,18 @@ function migrateToV2(database) {
         setSchemaVersion(database, 2);
     })();
 }
+/**
+ * Migration to version 3: Add type column to credentials
+ *
+ * Explicit credential type ("oauth" or "api-key") instead of inferring from data.
+ * Existing credentials without type must be re-uploaded.
+ */
+function migrateToV3(database) {
+    database.transaction(() => {
+        database.exec(`
+      ALTER TABLE credentials ADD COLUMN type TEXT
+    `);
+        setSchemaVersion(database, 3);
+    })();
+}
 export { CURRENT_VERSION, getSchemaVersion, runMigrations };

package/dist/db/repositories/credentials.d.ts

@@ -4,10 +4,13 @@
  * Manages encrypted credential storage.
  */
 import type Database from "better-sqlite3";
+/** Valid credential types */
+type CredentialType = "oauth" | "api-key";
 /** Credential record stored in database */
 interface CredentialRecord {
     agent: string;
     name: string;
+    type: CredentialType;
     encryptedData: Buffer;
     salt: Buffer;
     iv: Buffer;
@@ -20,6 +23,7 @@ interface CredentialRecord {
 interface CredentialMetadata {
     agent: string;
     name: string;
+    type: CredentialType;
     createdAt: Date;
     updatedAt: Date;
     expiresAt: Date | undefined;
@@ -28,6 +32,7 @@ interface CredentialMetadata {
 declare function upsertCredential(database: Database.Database, credential: {
     agent: string;
     name: string;
+    type: CredentialType;
     encryptedData: Buffer;
     salt: Buffer;
     iv: Buffer;
@@ -45,4 +50,4 @@ declare function deleteCredential(database: Database.Database, agent: string, na
 /** Update expiration time after refresh */
 declare function updateExpiresAt(database: Database.Database, agent: string, name: string, expiresAt: Date | undefined): void;
 export { deleteCredential, getCredential, listCredentials, listCredentialsForApiKey, updateExpiresAt, upsertCredential, };
-export type { CredentialMetadata, CredentialRecord };
+export type { CredentialMetadata, CredentialRecord, CredentialType };

package/dist/db/repositories/credentials.js

@@ -3,14 +3,19 @@
  *
  * Manages encrypted credential storage.
  */
+/** Validate credential type from database */
+function validateType(type) {
+    if (type !== "oauth" && type !== "api-key") {
+        throw new Error(`Invalid credential type: ${type}`);
+    }
+    return type;
+}
 /** Convert database row to record */
 function rowToRecord(row) {
-    if (!row.salt) {
-        throw new Error("Credential missing salt - database may need migration");
-    }
     return {
         agent: row.agent,
         name: row.name,
+        type: validateType(row.type),
         encryptedData: row.encrypted_data,
         salt: row.salt,
         iv: row.iv,
@@ -25,6 +30,7 @@ function rowToMetadata(row) {
     return {
         agent: row.agent,
         name: row.name,
+        type: validateType(row.type),
         createdAt: new Date(row.created_at),
         updatedAt: new Date(row.updated_at),
         expiresAt: row.expires_at ? new Date(row.expires_at) : undefined,
@@ -35,25 +41,25 @@ function upsertCredential(database, credential) {
     const now = Date.now();
     /* eslint-disable unicorn/no-null -- SQLite requires null for NULL values */
     database
-        .prepare(`INSERT INTO credentials (agent, name, encrypted_data, salt, iv, auth_tag, created_at, updated_at, expires_at)
-     VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
+        .prepare(`INSERT INTO credentials (agent, name, type, encrypted_data, salt, iv, auth_tag, created_at, updated_at, expires_at)
+     VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
      ON CONFLICT(agent, name) DO UPDATE SET
-       encrypted_data = excluded.encrypted_data, salt = excluded.salt, iv = excluded.iv, auth_tag = excluded.auth_tag,
+       type = excluded.type, encrypted_data = excluded.encrypted_data, salt = excluded.salt, iv = excluded.iv, auth_tag = excluded.auth_tag,
        updated_at = excluded.updated_at, expires_at = excluded.expires_at`)
-        .run(credential.agent, credential.name, credential.encryptedData, credential.salt, credential.iv, credential.authTag, now, now, credential.expiresAt?.getTime() ?? null);
+        .run(credential.agent, credential.name, credential.type, credential.encryptedData, credential.salt, credential.iv, credential.authTag, now, now, credential.expiresAt?.getTime() ?? null);
     /* eslint-enable unicorn/no-null */
 }
 /** Get a credential by agent and name */
 function getCredential(database, agent, name) {
     const row = database
-        .prepare(`SELECT agent, name, encrypted_data, salt, iv, auth_tag, created_at, updated_at, expires_at FROM credentials WHERE agent = ? AND name = ?`)
+        .prepare(`SELECT agent, name, type, encrypted_data, salt, iv, auth_tag, created_at, updated_at, expires_at FROM credentials WHERE agent = ? AND name = ?`)
         .get(agent, name);
     return row ? rowToRecord(row) : undefined;
 }
 /** List all credentials (metadata only) */
 function listCredentials(database) {
     const rows = database
-        .prepare(`SELECT agent, name, created_at, updated_at, expires_at FROM credentials ORDER BY agent, name`)
+        .prepare(`SELECT agent, name, type, created_at, updated_at, expires_at FROM credentials ORDER BY agent, name`)
         .all();
     return rows.map((row) => rowToMetadata(row));
 }

package/dist/db/types.d.ts

@@ -26,8 +26,9 @@ export interface AuditLogRow {
 export interface CredentialRow {
     agent: string;
     name: string;
+    type: string;
     encrypted_data: Buffer;
-    salt: Buffer | null;
+    salt: Buffer;
     iv: Buffer;
     auth_tag: Buffer;
     created_at: number;
@@ -38,6 +39,7 @@ export interface CredentialRow {
 export interface MetadataRow {
     agent: string;
     name: string;
+    type: string;
     created_at: number;
     updated_at: number;
     expires_at: number | null;

package/dist/handlers/get-credential.js

@@ -30,28 +30,7 @@ function createGetCredentialHandler(database, config) {
             return;
         }
         // Fetch credential from database
-        let credential;
-        try {
-            credential = getCredential(database, agent, name);
-        }
-        catch (error) {
-            // Handle legacy credentials stored without salt (pre-v2 migration)
-            if (error instanceof Error && error.message.includes("missing salt")) {
-                logAccess(database, {
-                    apiKeyId: apiKey.id,
-                    action: "read",
-                    agent,
-                    name,
-                    success: false,
-                    errorMessage: "Legacy credential requires re-upload",
-                });
-                response.status(410).json({
-                    error: "This credential was stored with legacy encryption and must be deleted and re-uploaded",
-                });
-                return;
-            }
-            throw error;
-        }
+        const credential = getCredential(database, agent, name);
         if (!credential) {
             logAccess(database, {
                 apiKeyId: apiKey.id,
@@ -90,10 +69,11 @@ function createGetCredentialHandler(database, config) {
         let wasRefreshed = false;
         let refreshFailed = false;
         if (config.refreshThresholdSeconds > 0 &&
+            credential.type === "oauth" &&
             isRefreshable(data) &&
             needsRefresh(data, config.refreshThresholdSeconds)) {
             try {
-                const refreshResult = await refreshWithMutex(database, agent, name, data, apiKey.id, credential.updatedAt, { timeoutMs: config.refreshTimeoutMs });
+                const refreshResult = await refreshWithMutex(database, agent, name, credential.type, data, apiKey.id, credential.updatedAt, { timeoutMs: config.refreshTimeoutMs });
                 if (refreshResult.ok) {
                     finalData = refreshResult.data;
                     finalExpiresAt = refreshResult.expiresAt;
@@ -101,8 +81,30 @@ function createGetCredentialHandler(database, config) {
                     wasRefreshed = true;
                 }
                 else {
-                    // Refresh failed - will return stale credentials with warning header
-                    // Error details logged by refreshWithMutex to audit log
+                    // Refresh failed - re-fetch to check if credential was deleted/modified
+                    const currentCredential = getCredential(database, agent, name);
+                    if (!currentCredential) {
+                        // Credential was deleted during refresh - don't leak old data
+                        logAccess(database, {
+                            apiKeyId: apiKey.id,
+                            action: "read",
+                            agent,
+                            name,
+                            success: false,
+                            errorMessage: "Credential deleted during refresh",
+                        });
+                        response.status(404).json({ error: "Credential not found" });
+                        return;
+                    }
+                    if (currentCredential.updatedAt.getTime() !==
+                        credential.updatedAt.getTime()) {
+                        // Credential was modified during refresh - return fresh data
+                        const freshData = decryptCredential(currentCredential);
+                        finalData = freshData;
+                        finalExpiresAt = currentCredential.expiresAt;
+                        finalUpdatedAt = currentCredential.updatedAt;
+                    }
+                    // Otherwise credential unchanged, return original with warning
                     refreshFailed = true;
                 }
             }
@@ -134,6 +136,7 @@ function createGetCredentialHandler(database, config) {
         response.json({
             agent,
             name,
+            type: credential.type,
             data: finalData,
             expiresAt: finalExpiresAt?.toISOString(),
             updatedAt: finalUpdatedAt.toISOString(),

package/dist/handlers/list-credentials.js

@@ -20,6 +20,7 @@ function createListCredentialsHandler(database) {
             credentials: credentials.map((cred) => ({
                 agent: cred.agent,
                 name: cred.name,
+                type: cred.type,
                 expiresAt: cred.expiresAt?.toISOString(),
                 updatedAt: cred.updatedAt.toISOString(),
             })),

package/dist/handlers/put-credential.js

@@ -26,7 +26,10 @@ function createPutCredentialHandler(database) {
             return;
         }
         const body = request.body;
-        if (!body || typeof body.data !== "object" || body.data === null) {
+        if (!body ||
+            typeof body.data !== "object" ||
+            body.data === null ||
+            Array.isArray(body.data)) {
             logAccess(database, {
                 apiKeyId: apiKey.id,
                 action: "write",
@@ -40,6 +43,21 @@ function createPutCredentialHandler(database) {
                 .json({ error: "Request body must include 'data' object" });
             return;
         }
+        if (body.type !== "oauth" && body.type !== "api-key") {
+            logAccess(database, {
+                apiKeyId: apiKey.id,
+                action: "write",
+                agent,
+                name,
+                success: false,
+                errorMessage: "Invalid type",
+            });
+            response.status(400).json({
+                error: 'Request body must include \'type\' ("oauth" or "api-key")',
+            });
+            return;
+        }
+        const credentialType = body.type;
         try {
             const encrypted = encryptCredential(body.data);
             let expiresAt;
@@ -61,6 +79,7 @@ function createPutCredentialHandler(database) {
             upsertCredential(database, {
                 agent,
                 name,
+                type: credentialType,
                 ...encrypted,
                 expiresAt,
             });

package/dist/index.d.ts

@@ -1,5 +1,5 @@
 /**
- * axvault - Remote credential storage server for axpoint.
+ * axvault - Remote credential storage server for axkit.
  *
  * This module exports types and functions for programmatic use.
  */

package/dist/index.js

@@ -1,5 +1,5 @@
 /**
- * axvault - Remote credential storage server for axpoint.
+ * axvault - Remote credential storage server for axkit.
  *
  * This module exports types and functions for programmatic use.
  */

package/dist/refresh/refresh-manager.d.ts

@@ -5,6 +5,7 @@
  * with axauth's refresh functionality.
  */
 import type Database from "better-sqlite3";
+import type { CredentialType } from "../db/repositories/credentials.js";
 /** Key for credential-specific mutex */
 type CredentialKey = `${string}/${string}`;
 /** Result type for the full refresh operation */
@@ -40,12 +41,13 @@ declare function buildKey(agent: string, name: string): CredentialKey;
  * @param database - Database connection
  * @param agent - Agent name
  * @param name - Credential name
+ * @param type - Credential type (must be "oauth"; caller must gate on type)
  * @param data - Current decrypted credential data
  * @param apiKeyId - API key ID for audit logging
  * @param originalUpdatedAt - Original updatedAt for optimistic locking
  * @param options - Refresh options
  * @returns Refresh result with new data, expiresAt, updatedAt or error
  */
-declare function refreshWithMutex(database: Database.Database, agent: string, name: string, data: Record<string, unknown>, apiKeyId: string, originalUpdatedAt: Date, options: RefreshManagerOptions): Promise<FullRefreshResult>;
+declare function refreshWithMutex(database: Database.Database, agent: string, name: string, type: CredentialType, data: Record<string, unknown>, apiKeyId: string, originalUpdatedAt: Date, options: RefreshManagerOptions): Promise<FullRefreshResult>;
 export { extractExpiryDate, isRefreshable, needsRefresh, toAxauthCredentials, } from "./check-refresh.js";
 export { buildKey, refreshWithMutex };

package/dist/refresh/refresh-manager.js

@@ -19,7 +19,7 @@ function buildKey(agent, name) {
  * Execute the full refresh operation: call axauth, validate, persist.
  * This is the inner operation that gets stored in the mutex.
  */
-async function executeRefresh(database, agent, name, data, apiKeyId, originalUpdatedAt, refreshStartedAt, options) {
+async function executeRefresh(database, agent, name, type, data, apiKeyId, originalUpdatedAt, refreshStartedAt, options) {
     const logContext = { database, apiKeyId, agent, name };
     // Map to axauth format
     const creds = toAxauthCredentials(agent, data);
@@ -54,6 +54,7 @@ async function executeRefresh(database, agent, name, data, apiKeyId, originalUpd
             upsertCredential(database, {
                 agent,
                 name,
+                type,
                 ...encrypted,
                 expiresAt,
             });
@@ -98,13 +99,14 @@ async function executeRefresh(database, agent, name, data, apiKeyId, originalUpd
  * @param database - Database connection
  * @param agent - Agent name
  * @param name - Credential name
+ * @param type - Credential type (must be "oauth"; caller must gate on type)
  * @param data - Current decrypted credential data
  * @param apiKeyId - API key ID for audit logging
  * @param originalUpdatedAt - Original updatedAt for optimistic locking
  * @param options - Refresh options
  * @returns Refresh result with new data, expiresAt, updatedAt or error
  */
-async function refreshWithMutex(database, agent, name, data, apiKeyId, originalUpdatedAt, options) {
+async function refreshWithMutex(database, agent, name, type, data, apiKeyId, originalUpdatedAt, options) {
     const key = buildKey(agent, name);
     // Check if refresh already in progress
     const existing = pendingRefreshes.get(key);
@@ -115,7 +117,7 @@ async function refreshWithMutex(database, agent, name, data, apiKeyId, originalU
     }
     // Start new refresh - store promise for the FULL operation
     const refreshStartedAt = new Date();
-    const fullOperationPromise = executeRefresh(database, agent, name, data, apiKeyId, originalUpdatedAt, refreshStartedAt, options);
+    const fullOperationPromise = executeRefresh(database, agent, name, type, data, apiKeyId, originalUpdatedAt, refreshStartedAt, options);
     pendingRefreshes.set(key, {
         promise: fullOperationPromise,
         startedAt: refreshStartedAt,

package/package.json

@@ -2,8 +2,8 @@
   "name": "axvault",
   "author": "Łukasz Jerciński",
   "license": "MIT",
-  "version": "1.0.0",
-  "description": "Remote credential storage server for axpoint",
+  "version": "1.1.0",
+  "description": "Remote credential storage server for axkit",
   "repository": {
     "type": "git",
     "url": "git+https://github.com/Jercik/axvault.git"
@@ -81,7 +81,7 @@
     "@types/node": "^25.0.3",
     "@vitest/coverage-v8": "^4.0.16",
     "eslint": "^9.39.2",
-    "eslint-config-axpoint": "^1.0.0",
+    "eslint-config-axkit": "^1.0.0",
     "fta-check": "^1.5.1",
     "fta-cli": "^3.0.0",
     "knip": "^5.80.0",