axvault 1.0.0 → 1.2.0

package/dist/lib/parse-access-options.js

@@ -0,0 +1,84 @@
+/**
+ * Parse and validate access list options from CLI flags.
+ */
+import { getAccessListErrorMessage, normalizeAccessList, parseAccessList, } from "./format.js";
+/**
+ * Parse all access list options and validate them.
+ * Returns parsed entries or logs error and sets exit code.
+ */
+export function parseAccessOptions(options) {
+    const addReadResult = parseAccessList(options.addRead);
+    const addWriteResult = parseAccessList(options.addWrite);
+    const addGrantResult = parseAccessList(options.addGrant);
+    const removeReadResult = parseAccessList(options.removeRead);
+    const removeWriteResult = parseAccessList(options.removeWrite);
+    const removeGrantResult = parseAccessList(options.removeGrant);
+    if (addReadResult.error) {
+        console.error(`Error in --add-read: ${getAccessListErrorMessage(addReadResult.error)}`);
+        process.exitCode = 2;
+        return undefined;
+    }
+    if (addWriteResult.error) {
+        console.error(`Error in --add-write: ${getAccessListErrorMessage(addWriteResult.error)}`);
+        process.exitCode = 2;
+        return undefined;
+    }
+    if (addGrantResult.error) {
+        console.error(`Error in --add-grant: ${getAccessListErrorMessage(addGrantResult.error)}`);
+        process.exitCode = 2;
+        return undefined;
+    }
+    if (removeReadResult.error) {
+        console.error(`Error in --remove-read: ${getAccessListErrorMessage(removeReadResult.error)}`);
+        process.exitCode = 2;
+        return undefined;
+    }
+    if (removeWriteResult.error) {
+        console.error(`Error in --remove-write: ${getAccessListErrorMessage(removeWriteResult.error)}`);
+        process.exitCode = 2;
+        return undefined;
+    }
+    if (removeGrantResult.error) {
+        console.error(`Error in --remove-grant: ${getAccessListErrorMessage(removeGrantResult.error)}`);
+        process.exitCode = 2;
+        return undefined;
+    }
+    return {
+        addRead: addReadResult.entries,
+        addWrite: addWriteResult.entries,
+        addGrant: addGrantResult.entries,
+        removeRead: removeReadResult.entries,
+        removeWrite: removeWriteResult.entries,
+        removeGrant: removeGrantResult.entries,
+    };
+}
+/**
+ * Compute updated access list by adding and removing entries.
+ */
+export function computeUpdatedAccess(current, toAdd, toRemove) {
+    const set = new Set(current);
+    for (const entry of toAdd)
+        set.add(entry);
+    for (const entry of toRemove)
+        set.delete(entry);
+    return [...set];
+}
+/**
+ * Normalize all access lists and print warnings.
+ */
+export function normalizeAllAccess(readAccess, writeAccess, grantAccess) {
+    const readNorm = normalizeAccessList(readAccess, "read");
+    const writeNorm = normalizeAccessList(writeAccess, "write");
+    const grantNorm = normalizeAccessList(grantAccess, "grant");
+    if (readNorm.warning)
+        console.warn(`Warning: ${readNorm.warning}`);
+    if (writeNorm.warning)
+        console.warn(`Warning: ${writeNorm.warning}`);
+    if (grantNorm.warning)
+        console.warn(`Warning: ${grantNorm.warning}`);
+    return {
+        read: readNorm.normalized,
+        write: writeNorm.normalized,
+        grant: grantNorm.normalized,
+    };
+}

package/dist/refresh/refresh-manager.d.ts

@@ -5,6 +5,7 @@
  * with axauth's refresh functionality.
  */
 import type Database from "better-sqlite3";
+import type { CredentialType } from "../db/repositories/credentials.js";
 /** Key for credential-specific mutex */
 type CredentialKey = `${string}/${string}`;
 /** Result type for the full refresh operation */
@@ -40,12 +41,13 @@ declare function buildKey(agent: string, name: string): CredentialKey;
  * @param database - Database connection
  * @param agent - Agent name
  * @param name - Credential name
+ * @param type - Credential type (must be "oauth"; caller must gate on type)
  * @param data - Current decrypted credential data
  * @param apiKeyId - API key ID for audit logging
  * @param originalUpdatedAt - Original updatedAt for optimistic locking
  * @param options - Refresh options
  * @returns Refresh result with new data, expiresAt, updatedAt or error
  */
-declare function refreshWithMutex(database: Database.Database, agent: string, name: string, data: Record<string, unknown>, apiKeyId: string, originalUpdatedAt: Date, options: RefreshManagerOptions): Promise<FullRefreshResult>;
+declare function refreshWithMutex(database: Database.Database, agent: string, name: string, type: CredentialType, data: Record<string, unknown>, apiKeyId: string, originalUpdatedAt: Date, options: RefreshManagerOptions): Promise<FullRefreshResult>;
 export { extractExpiryDate, isRefreshable, needsRefresh, toAxauthCredentials, } from "./check-refresh.js";
 export { buildKey, refreshWithMutex };

package/dist/refresh/refresh-manager.js

@@ -19,7 +19,7 @@ function buildKey(agent, name) {
  * Execute the full refresh operation: call axauth, validate, persist.
  * This is the inner operation that gets stored in the mutex.
  */
-async function executeRefresh(database, agent, name, data, apiKeyId, originalUpdatedAt, refreshStartedAt, options) {
+async function executeRefresh(database, agent, name, type, data, apiKeyId, originalUpdatedAt, refreshStartedAt, options) {
     const logContext = { database, apiKeyId, agent, name };
     // Map to axauth format
     const creds = toAxauthCredentials(agent, data);
@@ -54,6 +54,7 @@ async function executeRefresh(database, agent, name, data, apiKeyId, originalUpd
             upsertCredential(database, {
                 agent,
                 name,
+                type,
                 ...encrypted,
                 expiresAt,
             });
@@ -98,13 +99,14 @@ async function executeRefresh(database, agent, name, data, apiKeyId, originalUpd
  * @param database - Database connection
  * @param agent - Agent name
  * @param name - Credential name
+ * @param type - Credential type (must be "oauth"; caller must gate on type)
  * @param data - Current decrypted credential data
  * @param apiKeyId - API key ID for audit logging
  * @param originalUpdatedAt - Original updatedAt for optimistic locking
  * @param options - Refresh options
  * @returns Refresh result with new data, expiresAt, updatedAt or error
  */
-async function refreshWithMutex(database, agent, name, data, apiKeyId, originalUpdatedAt, options) {
+async function refreshWithMutex(database, agent, name, type, data, apiKeyId, originalUpdatedAt, options) {
     const key = buildKey(agent, name);
     // Check if refresh already in progress
     const existing = pendingRefreshes.get(key);
@@ -115,7 +117,7 @@ async function refreshWithMutex(database, agent, name, data, apiKeyId, originalU
     }
     // Start new refresh - store promise for the FULL operation
     const refreshStartedAt = new Date();
-    const fullOperationPromise = executeRefresh(database, agent, name, data, apiKeyId, originalUpdatedAt, refreshStartedAt, options);
+    const fullOperationPromise = executeRefresh(database, agent, name, type, data, apiKeyId, originalUpdatedAt, refreshStartedAt, options);
     pendingRefreshes.set(key, {
         promise: fullOperationPromise,
         startedAt: refreshStartedAt,

package/package.json

@@ -2,8 +2,8 @@
   "name": "axvault",
   "author": "Łukasz Jerciński",
   "license": "MIT",
-  "version": "1.0.0",
-  "description": "Remote credential storage server for axpoint",
+  "version": "1.2.0",
+  "description": "Remote credential storage server for axkit",
   "repository": {
     "type": "git",
     "url": "git+https://github.com/Jercik/axvault.git"
@@ -81,7 +81,7 @@
     "@types/node": "^25.0.3",
     "@vitest/coverage-v8": "^4.0.16",
     "eslint": "^9.39.2",
-    "eslint-config-axpoint": "^1.0.0",
+    "eslint-config-axkit": "^1.0.0",
     "fta-check": "^1.5.1",
     "fta-cli": "^3.0.0",
     "knip": "^5.80.0",