axvault 1.0.0 → 1.2.0

package/dist/commands/key.js

@@ -1,157 +1,9 @@
 /**
  * API key management command handlers.
+ *
+ * Re-exports handlers from separate modules for better maintainability.
  */
-import { getServerConfig } from "../config.js";
-import { closeDatabase, getDatabase } from "../db/client.js";
-import { runMigrations } from "../db/migrations.js";
-import { createApiKey, deleteApiKey, listApiKeys, } from "../db/repositories/api-keys.js";
-import { containsControlChars, formatAccessList, formatDateForJson, formatKeyRow, getAccessListErrorMessage, getErrorMessage, isValidKeyId, normalizeAccessList, parseAccessList, sanitizeForTsv, } from "../lib/format.js";
-export function handleKeyCreate(options) {
-    // Validate key name (reject control characters)
-    if (containsControlChars(options.name)) {
-        console.error("Error: Key name contains control characters.");
-        process.exitCode = 2;
-        return;
-    }
-    // Parse and validate access lists
-    const readResult = parseAccessList(options.read);
-    const writeResult = parseAccessList(options.write);
-    if (readResult.error) {
-        console.error(`Error: ${getAccessListErrorMessage(readResult.error)}`);
-        process.exitCode = 2;
-        return;
-    }
-    if (writeResult.error) {
-        console.error(`Error: ${getAccessListErrorMessage(writeResult.error)}`);
-        process.exitCode = 2;
-        return;
-    }
-    // Normalize wildcards (warn if mixed with specific entries)
-    const readNorm = normalizeAccessList(readResult.entries, "read");
-    const writeNorm = normalizeAccessList(writeResult.entries, "write");
-    if (readNorm.warning)
-        console.warn(`Warning: ${readNorm.warning}`);
-    if (writeNorm.warning)
-        console.warn(`Warning: ${writeNorm.warning}`);
-    const readAccess = readNorm.normalized;
-    const writeAccess = writeNorm.normalized;
-    // Validate: at least one access must be specified
-    if (readAccess.length === 0 && writeAccess.length === 0) {
-        console.error("Error: At least one of --read or --write must be specified.");
-        console.error("Try 'axvault key create --help' for more information.");
-        process.exitCode = 2;
-        return;
-    }
-    try {
-        const config = getServerConfig(options);
-        const database = getDatabase(config.databasePath);
-        runMigrations(database);
-        const apiKey = createApiKey(database, {
-            name: options.name,
-            readAccess,
-            writeAccess,
-        });
-        if (options.json) {
-            console.warn("Warning: JSON output contains the secret key. Avoid logging in CI.");
-            console.log(JSON.stringify({
-                id: apiKey.id,
-                name: apiKey.name,
-                key: apiKey.key,
-                readAccess: apiKey.readAccess,
-                writeAccess: apiKey.writeAccess,
-                createdAt: apiKey.createdAt.toISOString(),
-            }, undefined, 2));
-        }
-        else {
-            console.error(`Created API key: ${sanitizeForTsv(apiKey.name)}`);
-            console.error(`ID: ${sanitizeForTsv(apiKey.id)}`);
-            console.error(`Read access: ${sanitizeForTsv(formatAccessList(apiKey.readAccess))}`);
-            console.error(`Write access: ${sanitizeForTsv(formatAccessList(apiKey.writeAccess))}`);
-            console.error("");
-            // Output the secret key to stdout for piping
-            console.log(apiKey.key);
-            console.error("");
-            console.error("Save this key securely - it cannot be retrieved later.");
-        }
-    }
-    catch (error) {
-        console.error(`Error: Failed to create API key: ${getErrorMessage(error)}`);
-        process.exitCode = 1;
-    }
-    finally {
-        closeDatabase();
-    }
-}
-export function handleKeyList(options) {
-    try {
-        const config = getServerConfig(options);
-        const database = getDatabase(config.databasePath);
-        runMigrations(database);
-        const keys = listApiKeys(database);
-        if (options.json) {
-            const output = keys.map((key) => ({
-                id: key.id,
-                name: key.name,
-                readAccess: key.readAccess,
-                writeAccess: key.writeAccess,
-                createdAt: key.createdAt.toISOString(),
-                lastUsedAt: formatDateForJson(key.lastUsedAt),
-            }));
-            console.log(JSON.stringify(output, undefined, 2));
-        }
-        else if (keys.length === 0) {
-            console.error("No API keys found.\nCreate one with: axvault key create --name <name> [--read <access>] [--write <access>]");
-        }
-        else {
-            console.log("ID\tNAME\tREAD ACCESS\tWRITE ACCESS\tLAST USED");
-            for (const key of keys)
-                console.log(formatKeyRow(key));
-        }
-    }
-    catch (error) {
-        console.error(`Error: Failed to list API keys: ${getErrorMessage(error)}`);
-        process.exitCode = 1;
-    }
-    finally {
-        closeDatabase();
-    }
-}
-export function handleKeyRevoke(id, options) {
-    // Reject inputs containing control characters BEFORE trimming
-    // (prevents silent bypass where \n or \t would be removed by trim)
-    if (containsControlChars(id)) {
-        console.error("Error: Invalid API key ID: contains control characters.");
-        console.error("API key IDs have format: k_<12 hex chars> (e.g., k_abc123def456)");
-        process.exitCode = 2;
-        return;
-    }
-    // Trim whitespace from ID (common copy-paste issue)
-    const trimmedId = id.trim();
-    // Validate ID format (k_ + 12 hex chars)
-    if (!isValidKeyId(trimmedId)) {
-        console.error(`Error: Invalid API key ID format: ${trimmedId}`);
-        console.error("API key IDs have format: k_<12 hex chars> (e.g., k_abc123def456)");
-        process.exitCode = 2;
-        return;
-    }
-    try {
-        const config = getServerConfig(options);
-        const database = getDatabase(config.databasePath);
-        runMigrations(database);
-        const deleted = deleteApiKey(database, trimmedId);
-        if (deleted) {
-            console.error(`Revoked API key: ${sanitizeForTsv(trimmedId)}`);
-        }
-        else {
-            console.error(`Error: API key not found: ${sanitizeForTsv(trimmedId)}`);
-            process.exitCode = 1;
-        }
-    }
-    catch (error) {
-        console.error(`Error: Failed to revoke API key: ${getErrorMessage(error)}`);
-        process.exitCode = 1;
-    }
-    finally {
-        closeDatabase();
-    }
-}
+export { handleKeyCreate } from "./key-create.js";
+export { handleKeyList } from "./key-list.js";
+export { handleKeyRevoke } from "./key-revoke.js";
+export { handleKeyUpdate } from "./key-update.js";

package/dist/db/migrations.d.ts

@@ -4,7 +4,7 @@
  * Uses a simple version-based migration system.
  */
 import type Database from "better-sqlite3";
-declare const CURRENT_VERSION = 2;
+declare const CURRENT_VERSION = 4;
 /** Run all pending migrations */
 declare function runMigrations(database: Database.Database): void;
 /** Get current schema version */

package/dist/db/migrations.js

@@ -3,7 +3,7 @@
  *
  * Uses a simple version-based migration system.
  */
-const CURRENT_VERSION = 2;
+const CURRENT_VERSION = 4;
 /** Run all pending migrations */
 function runMigrations(database) {
     const version = getSchemaVersion(database);
@@ -13,6 +13,12 @@ function runMigrations(database) {
     if (version < 2) {
         migrateToV2(database);
     }
+    if (version < 3) {
+        migrateToV3(database);
+    }
+    if (version < 4) {
+        migrateToV4(database);
+    }
 }
 /** Get current schema version */
 function getSchemaVersion(database) {
@@ -93,4 +99,32 @@ function migrateToV2(database) {
         setSchemaVersion(database, 2);
     })();
 }
+/**
+ * Migration to version 3: Add type column to credentials
+ *
+ * Explicit credential type ("oauth" or "api-key") instead of inferring from data.
+ * Existing credentials without type must be re-uploaded.
+ */
+function migrateToV3(database) {
+    database.transaction(() => {
+        database.exec(`
+      ALTER TABLE credentials ADD COLUMN type TEXT
+    `);
+        setSchemaVersion(database, 3);
+    })();
+}
+/**
+ * Migration to version 4: Add grant_access column to api_keys
+ *
+ * The grant permission controls which credentials a key can delegate access to.
+ * Existing keys get an empty grant_access array (no delegation rights).
+ */
+function migrateToV4(database) {
+    database.transaction(() => {
+        database.exec(`
+      ALTER TABLE api_keys ADD COLUMN grant_access TEXT NOT NULL DEFAULT '[]'
+    `);
+        setSchemaVersion(database, 4);
+    })();
+}
 export { CURRENT_VERSION, getSchemaVersion, runMigrations };

package/dist/db/repositories/api-keys.d.ts

@@ -11,6 +11,7 @@ interface ApiKeyRecord {
     keyHash: string;
     readAccess: string[];
     writeAccess: string[];
+    grantAccess: string[];
     createdAt: Date;
     lastUsedAt: Date | undefined;
 }
@@ -23,6 +24,7 @@ declare function createApiKey(database: Database.Database, options: {
     name: string;
     readAccess: string[];
     writeAccess: string[];
+    grantAccess: string[];
 }): ApiKeyWithSecret;
 /** Find API key by raw key value */
 declare function findApiKeyByKey(database: Database.Database, key: string): ApiKeyRecord | undefined;
@@ -38,5 +40,13 @@ declare function deleteApiKey(database: Database.Database, id: string): boolean;
 declare function hasReadAccess(apiKey: ApiKeyRecord, agent: string, name: string): boolean;
 /** Check if API key has write access to a credential */
 declare function hasWriteAccess(apiKey: ApiKeyRecord, agent: string, name: string): boolean;
-export { createApiKey, deleteApiKey, findApiKeyById, findApiKeyByKey, hasReadAccess, hasWriteAccess, listApiKeys, updateLastUsed, };
+/** Check if API key has grant access to a credential */
+declare function hasGrantAccess(apiKey: ApiKeyRecord, agent: string, name: string): boolean;
+/** Update an API key's access permissions */
+declare function updateApiKeyAccess(database: Database.Database, id: string, options: {
+    readAccess?: string[];
+    writeAccess?: string[];
+    grantAccess?: string[];
+}): boolean;
+export { createApiKey, deleteApiKey, findApiKeyById, findApiKeyByKey, hasGrantAccess, hasReadAccess, hasWriteAccess, listApiKeys, updateApiKeyAccess, updateLastUsed, };
 export type { ApiKeyRecord, ApiKeyWithSecret };

package/dist/db/repositories/api-keys.js

@@ -12,6 +12,7 @@ function rowToRecord(row) {
         keyHash: row.key_hash,
         readAccess: JSON.parse(row.read_access),
         writeAccess: JSON.parse(row.write_access),
+        grantAccess: JSON.parse(row.grant_access),
         createdAt: new Date(row.created_at),
         lastUsedAt: row.last_used_at ? new Date(row.last_used_at) : undefined,
     };
@@ -20,7 +21,7 @@ function rowToRecord(row) {
 function hashApiKey(key) {
     return createHash("sha256").update(key).digest("hex");
 }
-const SELECT_COLUMNS = `id, name, key_hash, read_access, write_access, created_at, last_used_at`;
+const SELECT_COLUMNS = `id, name, key_hash, read_access, write_access, grant_access, created_at, last_used_at`;
 /** Create a new API key */
 function createApiKey(database, options) {
     const id = `k_${randomBytes(6).toString("hex")}`;
@@ -28,9 +29,9 @@ function createApiKey(database, options) {
     const keyHash = hashApiKey(key);
     const now = Date.now();
     database
-        .prepare(`INSERT INTO api_keys (id, name, key_hash, read_access, write_access, created_at)
-     VALUES (?, ?, ?, ?, ?, ?)`)
-        .run(id, options.name, keyHash, JSON.stringify(options.readAccess), JSON.stringify(options.writeAccess), now);
+        .prepare(`INSERT INTO api_keys (id, name, key_hash, read_access, write_access, grant_access, created_at)
+     VALUES (?, ?, ?, ?, ?, ?, ?)`)
+        .run(id, options.name, keyHash, JSON.stringify(options.readAccess), JSON.stringify(options.writeAccess), JSON.stringify(options.grantAccess), now);
     return {
         id,
         name: options.name,
@@ -38,6 +39,7 @@ function createApiKey(database, options) {
         keyHash,
         readAccess: options.readAccess,
         writeAccess: options.writeAccess,
+        grantAccess: options.grantAccess,
         createdAt: new Date(now),
         lastUsedAt: undefined,
     };
@@ -83,4 +85,31 @@ function hasWriteAccess(apiKey, agent, name) {
     const path = `${agent}/${name}`;
     return apiKey.writeAccess.includes("*") || apiKey.writeAccess.includes(path);
 }
-export { createApiKey, deleteApiKey, findApiKeyById, findApiKeyByKey, hasReadAccess, hasWriteAccess, listApiKeys, updateLastUsed, };
+/** Check if API key has grant access to a credential */
+function hasGrantAccess(apiKey, agent, name) {
+    const path = `${agent}/${name}`;
+    return apiKey.grantAccess.includes("*") || apiKey.grantAccess.includes(path);
+}
+/** Update an API key's access permissions */
+function updateApiKeyAccess(database, id, options) {
+    const updates = [];
+    const values = [];
+    if (options.readAccess !== undefined) {
+        updates.push("read_access = ?");
+        values.push(JSON.stringify(options.readAccess));
+    }
+    if (options.writeAccess !== undefined) {
+        updates.push("write_access = ?");
+        values.push(JSON.stringify(options.writeAccess));
+    }
+    if (options.grantAccess !== undefined) {
+        updates.push("grant_access = ?");
+        values.push(JSON.stringify(options.grantAccess));
+    }
+    if (updates.length === 0)
+        return false;
+    values.push(id);
+    const sql = `UPDATE api_keys SET ${updates.join(", ")} WHERE id = ?`;
+    return database.prepare(sql).run(...values).changes > 0;
+}
+export { createApiKey, deleteApiKey, findApiKeyById, findApiKeyByKey, hasGrantAccess, hasReadAccess, hasWriteAccess, listApiKeys, updateApiKeyAccess, updateLastUsed, };

package/dist/db/repositories/audit-log.d.ts

@@ -9,7 +9,7 @@ interface AuditLogEntry {
     id: number;
     timestamp: Date;
     apiKeyId: string | undefined;
-    action: "auth" | "read" | "write" | "delete" | "refresh" | "list";
+    action: "auth" | "read" | "write" | "delete" | "refresh" | "list" | "grant";
     agent: string | undefined;
     name: string | undefined;
     success: boolean;

package/dist/db/repositories/credentials.d.ts

@@ -4,10 +4,13 @@
  * Manages encrypted credential storage.
  */
 import type Database from "better-sqlite3";
+/** Valid credential types */
+type CredentialType = "oauth" | "api-key";
 /** Credential record stored in database */
 interface CredentialRecord {
     agent: string;
     name: string;
+    type: CredentialType;
     encryptedData: Buffer;
     salt: Buffer;
     iv: Buffer;
@@ -20,6 +23,7 @@ interface CredentialRecord {
 interface CredentialMetadata {
     agent: string;
     name: string;
+    type: CredentialType;
     createdAt: Date;
     updatedAt: Date;
     expiresAt: Date | undefined;
@@ -28,6 +32,7 @@ interface CredentialMetadata {
 declare function upsertCredential(database: Database.Database, credential: {
     agent: string;
     name: string;
+    type: CredentialType;
     encryptedData: Buffer;
     salt: Buffer;
     iv: Buffer;
@@ -45,4 +50,4 @@ declare function deleteCredential(database: Database.Database, agent: string, na
 /** Update expiration time after refresh */
 declare function updateExpiresAt(database: Database.Database, agent: string, name: string, expiresAt: Date | undefined): void;
 export { deleteCredential, getCredential, listCredentials, listCredentialsForApiKey, updateExpiresAt, upsertCredential, };
-export type { CredentialMetadata, CredentialRecord };
+export type { CredentialMetadata, CredentialRecord, CredentialType };

package/dist/db/repositories/credentials.js

@@ -3,14 +3,19 @@
  *
  * Manages encrypted credential storage.
  */
+/** Validate credential type from database */
+function validateType(type) {
+    if (type !== "oauth" && type !== "api-key") {
+        throw new Error(`Invalid credential type: ${type}`);
+    }
+    return type;
+}
 /** Convert database row to record */
 function rowToRecord(row) {
-    if (!row.salt) {
-        throw new Error("Credential missing salt - database may need migration");
-    }
     return {
         agent: row.agent,
         name: row.name,
+        type: validateType(row.type),
         encryptedData: row.encrypted_data,
         salt: row.salt,
         iv: row.iv,
@@ -25,6 +30,7 @@ function rowToMetadata(row) {
     return {
         agent: row.agent,
         name: row.name,
+        type: validateType(row.type),
         createdAt: new Date(row.created_at),
         updatedAt: new Date(row.updated_at),
         expiresAt: row.expires_at ? new Date(row.expires_at) : undefined,
@@ -35,25 +41,25 @@ function upsertCredential(database, credential) {
     const now = Date.now();
     /* eslint-disable unicorn/no-null -- SQLite requires null for NULL values */
     database
-        .prepare(`INSERT INTO credentials (agent, name, encrypted_data, salt, iv, auth_tag, created_at, updated_at, expires_at)
-     VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
+        .prepare(`INSERT INTO credentials (agent, name, type, encrypted_data, salt, iv, auth_tag, created_at, updated_at, expires_at)
+     VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
      ON CONFLICT(agent, name) DO UPDATE SET
-       encrypted_data = excluded.encrypted_data, salt = excluded.salt, iv = excluded.iv, auth_tag = excluded.auth_tag,
+       type = excluded.type, encrypted_data = excluded.encrypted_data, salt = excluded.salt, iv = excluded.iv, auth_tag = excluded.auth_tag,
        updated_at = excluded.updated_at, expires_at = excluded.expires_at`)
-        .run(credential.agent, credential.name, credential.encryptedData, credential.salt, credential.iv, credential.authTag, now, now, credential.expiresAt?.getTime() ?? null);
+        .run(credential.agent, credential.name, credential.type, credential.encryptedData, credential.salt, credential.iv, credential.authTag, now, now, credential.expiresAt?.getTime() ?? null);
     /* eslint-enable unicorn/no-null */
 }
 /** Get a credential by agent and name */
 function getCredential(database, agent, name) {
     const row = database
-        .prepare(`SELECT agent, name, encrypted_data, salt, iv, auth_tag, created_at, updated_at, expires_at FROM credentials WHERE agent = ? AND name = ?`)
+        .prepare(`SELECT agent, name, type, encrypted_data, salt, iv, auth_tag, created_at, updated_at, expires_at FROM credentials WHERE agent = ? AND name = ?`)
         .get(agent, name);
     return row ? rowToRecord(row) : undefined;
 }
 /** List all credentials (metadata only) */
 function listCredentials(database) {
     const rows = database
-        .prepare(`SELECT agent, name, created_at, updated_at, expires_at FROM credentials ORDER BY agent, name`)
+        .prepare(`SELECT agent, name, type, created_at, updated_at, expires_at FROM credentials ORDER BY agent, name`)
         .all();
     return rows.map((row) => rowToMetadata(row));
 }

package/dist/db/types.d.ts

@@ -8,6 +8,7 @@ export interface ApiKeyRow {
     key_hash: string;
     read_access: string;
     write_access: string;
+    grant_access: string;
     created_at: number;
     last_used_at: number | null;
 }
@@ -26,8 +27,9 @@ export interface AuditLogRow {
 export interface CredentialRow {
     agent: string;
     name: string;
+    type: string;
     encrypted_data: Buffer;
-    salt: Buffer | null;
+    salt: Buffer;
     iv: Buffer;
     auth_tag: Buffer;
     created_at: number;
@@ -38,6 +40,7 @@ export interface CredentialRow {
 export interface MetadataRow {
     agent: string;
     name: string;
+    type: string;
     created_at: number;
     updated_at: number;
     expires_at: number | null;

package/dist/handlers/get-credential.js

@@ -30,28 +30,7 @@ function createGetCredentialHandler(database, config) {
             return;
         }
         // Fetch credential from database
-        let credential;
-        try {
-            credential = getCredential(database, agent, name);
-        }
-        catch (error) {
-            // Handle legacy credentials stored without salt (pre-v2 migration)
-            if (error instanceof Error && error.message.includes("missing salt")) {
-                logAccess(database, {
-                    apiKeyId: apiKey.id,
-                    action: "read",
-                    agent,
-                    name,
-                    success: false,
-                    errorMessage: "Legacy credential requires re-upload",
-                });
-                response.status(410).json({
-                    error: "This credential was stored with legacy encryption and must be deleted and re-uploaded",
-                });
-                return;
-            }
-            throw error;
-        }
+        const credential = getCredential(database, agent, name);
         if (!credential) {
             logAccess(database, {
                 apiKeyId: apiKey.id,
@@ -90,10 +69,11 @@ function createGetCredentialHandler(database, config) {
         let wasRefreshed = false;
         let refreshFailed = false;
         if (config.refreshThresholdSeconds > 0 &&
+            credential.type === "oauth" &&
             isRefreshable(data) &&
             needsRefresh(data, config.refreshThresholdSeconds)) {
             try {
-                const refreshResult = await refreshWithMutex(database, agent, name, data, apiKey.id, credential.updatedAt, { timeoutMs: config.refreshTimeoutMs });
+                const refreshResult = await refreshWithMutex(database, agent, name, credential.type, data, apiKey.id, credential.updatedAt, { timeoutMs: config.refreshTimeoutMs });
                 if (refreshResult.ok) {
                     finalData = refreshResult.data;
                     finalExpiresAt = refreshResult.expiresAt;
@@ -101,8 +81,30 @@ function createGetCredentialHandler(database, config) {
                     wasRefreshed = true;
                 }
                 else {
-                    // Refresh failed - will return stale credentials with warning header
-                    // Error details logged by refreshWithMutex to audit log
+                    // Refresh failed - re-fetch to check if credential was deleted/modified
+                    const currentCredential = getCredential(database, agent, name);
+                    if (!currentCredential) {
+                        // Credential was deleted during refresh - don't leak old data
+                        logAccess(database, {
+                            apiKeyId: apiKey.id,
+                            action: "read",
+                            agent,
+                            name,
+                            success: false,
+                            errorMessage: "Credential deleted during refresh",
+                        });
+                        response.status(404).json({ error: "Credential not found" });
+                        return;
+                    }
+                    if (currentCredential.updatedAt.getTime() !==
+                        credential.updatedAt.getTime()) {
+                        // Credential was modified during refresh - return fresh data
+                        const freshData = decryptCredential(currentCredential);
+                        finalData = freshData;
+                        finalExpiresAt = currentCredential.expiresAt;
+                        finalUpdatedAt = currentCredential.updatedAt;
+                    }
+                    // Otherwise credential unchanged, return original with warning
                     refreshFailed = true;
                 }
             }
@@ -134,6 +136,7 @@ function createGetCredentialHandler(database, config) {
         response.json({
             agent,
             name,
+            type: credential.type,
             data: finalData,
             expiresAt: finalExpiresAt?.toISOString(),
             updatedAt: finalUpdatedAt.toISOString(),

package/dist/handlers/list-credentials.js

@@ -20,6 +20,7 @@ function createListCredentialsHandler(database) {
             credentials: credentials.map((cred) => ({
                 agent: cred.agent,
                 name: cred.name,
+                type: cred.type,
                 expiresAt: cred.expiresAt?.toISOString(),
                 updatedAt: cred.updatedAt.toISOString(),
             })),

package/dist/handlers/put-credential.js

@@ -26,7 +26,10 @@ function createPutCredentialHandler(database) {
             return;
         }
         const body = request.body;
-        if (!body || typeof body.data !== "object" || body.data === null) {
+        if (!body ||
+            typeof body.data !== "object" ||
+            body.data === null ||
+            Array.isArray(body.data)) {
             logAccess(database, {
                 apiKeyId: apiKey.id,
                 action: "write",
@@ -40,6 +43,21 @@ function createPutCredentialHandler(database) {
                 .json({ error: "Request body must include 'data' object" });
             return;
         }
+        if (body.type !== "oauth" && body.type !== "api-key") {
+            logAccess(database, {
+                apiKeyId: apiKey.id,
+                action: "write",
+                agent,
+                name,
+                success: false,
+                errorMessage: "Invalid type",
+            });
+            response.status(400).json({
+                error: 'Request body must include \'type\' ("oauth" or "api-key")',
+            });
+            return;
+        }
+        const credentialType = body.type;
         try {
             const encrypted = encryptCredential(body.data);
             let expiresAt;
@@ -61,6 +79,7 @@ function createPutCredentialHandler(database) {
             upsertCredential(database, {
                 agent,
                 name,
+                type: credentialType,
                 ...encrypted,
                 expiresAt,
             });

package/dist/index.d.ts

@@ -1,5 +1,5 @@
 /**
- * axvault - Remote credential storage server for axpoint.
+ * axvault - Remote credential storage server for axkit.
  *
  * This module exports types and functions for programmatic use.
  */

package/dist/index.js

@@ -1,5 +1,5 @@
 /**
- * axvault - Remote credential storage server for axpoint.
+ * axvault - Remote credential storage server for axkit.
  *
  * This module exports types and functions for programmatic use.
  */

package/dist/lib/format.d.ts

@@ -39,6 +39,7 @@ export declare function formatKeyRow(key: {
     name: string;
     readAccess: string[];
     writeAccess: string[];
+    grantAccess: string[];
     lastUsedAt?: Date;
 }): string;
 /**

package/dist/lib/format.js

@@ -74,8 +74,9 @@ export function formatKeyRow(key) {
     const name = sanitizeForTsv(key.name);
     const readAccess = sanitizeForTsv(formatAccessList(key.readAccess));
     const writeAccess = sanitizeForTsv(formatAccessList(key.writeAccess));
+    const grantAccess = sanitizeForTsv(formatAccessList(key.grantAccess));
     const lastUsed = formatRelativeTime(key.lastUsedAt);
-    return `${id}\t${name}\t${readAccess}\t${writeAccess}\t${lastUsed}`;
+    return `${id}\t${name}\t${readAccess}\t${writeAccess}\t${grantAccess}\t${lastUsed}`;
 }
 /**
  * Validate access list entry format.

package/dist/lib/parse-access-options.d.ts

@@ -0,0 +1,37 @@
+/**
+ * Parse and validate access list options from CLI flags.
+ */
+interface ParsedAccessOptions {
+    addRead: string[];
+    addWrite: string[];
+    addGrant: string[];
+    removeRead: string[];
+    removeWrite: string[];
+    removeGrant: string[];
+}
+interface AccessOptions {
+    addRead?: string;
+    addWrite?: string;
+    addGrant?: string;
+    removeRead?: string;
+    removeWrite?: string;
+    removeGrant?: string;
+}
+/**
+ * Parse all access list options and validate them.
+ * Returns parsed entries or logs error and sets exit code.
+ */
+export declare function parseAccessOptions(options: AccessOptions): ParsedAccessOptions | undefined;
+/**
+ * Compute updated access list by adding and removing entries.
+ */
+export declare function computeUpdatedAccess(current: string[], toAdd: string[], toRemove: string[]): string[];
+/**
+ * Normalize all access lists and print warnings.
+ */
+export declare function normalizeAllAccess(readAccess: string[], writeAccess: string[], grantAccess: string[]): {
+    read: string[];
+    write: string[];
+    grant: string[];
+};
+export {};