axvault 1.0.0

package/dist/commands/key.js

@@ -0,0 +1,157 @@
+/**
+ * API key management command handlers.
+ */
+import { getServerConfig } from "../config.js";
+import { closeDatabase, getDatabase } from "../db/client.js";
+import { runMigrations } from "../db/migrations.js";
+import { createApiKey, deleteApiKey, listApiKeys, } from "../db/repositories/api-keys.js";
+import { containsControlChars, formatAccessList, formatDateForJson, formatKeyRow, getAccessListErrorMessage, getErrorMessage, isValidKeyId, normalizeAccessList, parseAccessList, sanitizeForTsv, } from "../lib/format.js";
+export function handleKeyCreate(options) {
+    // Validate key name (reject control characters)
+    if (containsControlChars(options.name)) {
+        console.error("Error: Key name contains control characters.");
+        process.exitCode = 2;
+        return;
+    }
+    // Parse and validate access lists
+    const readResult = parseAccessList(options.read);
+    const writeResult = parseAccessList(options.write);
+    if (readResult.error) {
+        console.error(`Error: ${getAccessListErrorMessage(readResult.error)}`);
+        process.exitCode = 2;
+        return;
+    }
+    if (writeResult.error) {
+        console.error(`Error: ${getAccessListErrorMessage(writeResult.error)}`);
+        process.exitCode = 2;
+        return;
+    }
+    // Normalize wildcards (warn if mixed with specific entries)
+    const readNorm = normalizeAccessList(readResult.entries, "read");
+    const writeNorm = normalizeAccessList(writeResult.entries, "write");
+    if (readNorm.warning)
+        console.warn(`Warning: ${readNorm.warning}`);
+    if (writeNorm.warning)
+        console.warn(`Warning: ${writeNorm.warning}`);
+    const readAccess = readNorm.normalized;
+    const writeAccess = writeNorm.normalized;
+    // Validate: at least one access must be specified
+    if (readAccess.length === 0 && writeAccess.length === 0) {
+        console.error("Error: At least one of --read or --write must be specified.");
+        console.error("Try 'axvault key create --help' for more information.");
+        process.exitCode = 2;
+        return;
+    }
+    try {
+        const config = getServerConfig(options);
+        const database = getDatabase(config.databasePath);
+        runMigrations(database);
+        const apiKey = createApiKey(database, {
+            name: options.name,
+            readAccess,
+            writeAccess,
+        });
+        if (options.json) {
+            console.warn("Warning: JSON output contains the secret key. Avoid logging in CI.");
+            console.log(JSON.stringify({
+                id: apiKey.id,
+                name: apiKey.name,
+                key: apiKey.key,
+                readAccess: apiKey.readAccess,
+                writeAccess: apiKey.writeAccess,
+                createdAt: apiKey.createdAt.toISOString(),
+            }, undefined, 2));
+        }
+        else {
+            console.error(`Created API key: ${sanitizeForTsv(apiKey.name)}`);
+            console.error(`ID: ${sanitizeForTsv(apiKey.id)}`);
+            console.error(`Read access: ${sanitizeForTsv(formatAccessList(apiKey.readAccess))}`);
+            console.error(`Write access: ${sanitizeForTsv(formatAccessList(apiKey.writeAccess))}`);
+            console.error("");
+            // Output the secret key to stdout for piping
+            console.log(apiKey.key);
+            console.error("");
+            console.error("Save this key securely - it cannot be retrieved later.");
+        }
+    }
+    catch (error) {
+        console.error(`Error: Failed to create API key: ${getErrorMessage(error)}`);
+        process.exitCode = 1;
+    }
+    finally {
+        closeDatabase();
+    }
+}
+export function handleKeyList(options) {
+    try {
+        const config = getServerConfig(options);
+        const database = getDatabase(config.databasePath);
+        runMigrations(database);
+        const keys = listApiKeys(database);
+        if (options.json) {
+            const output = keys.map((key) => ({
+                id: key.id,
+                name: key.name,
+                readAccess: key.readAccess,
+                writeAccess: key.writeAccess,
+                createdAt: key.createdAt.toISOString(),
+                lastUsedAt: formatDateForJson(key.lastUsedAt),
+            }));
+            console.log(JSON.stringify(output, undefined, 2));
+        }
+        else if (keys.length === 0) {
+            console.error("No API keys found.\nCreate one with: axvault key create --name <name> [--read <access>] [--write <access>]");
+        }
+        else {
+            console.log("ID\tNAME\tREAD ACCESS\tWRITE ACCESS\tLAST USED");
+            for (const key of keys)
+                console.log(formatKeyRow(key));
+        }
+    }
+    catch (error) {
+        console.error(`Error: Failed to list API keys: ${getErrorMessage(error)}`);
+        process.exitCode = 1;
+    }
+    finally {
+        closeDatabase();
+    }
+}
+export function handleKeyRevoke(id, options) {
+    // Reject inputs containing control characters BEFORE trimming
+    // (prevents silent bypass where \n or \t would be removed by trim)
+    if (containsControlChars(id)) {
+        console.error("Error: Invalid API key ID: contains control characters.");
+        console.error("API key IDs have format: k_<12 hex chars> (e.g., k_abc123def456)");
+        process.exitCode = 2;
+        return;
+    }
+    // Trim whitespace from ID (common copy-paste issue)
+    const trimmedId = id.trim();
+    // Validate ID format (k_ + 12 hex chars)
+    if (!isValidKeyId(trimmedId)) {
+        console.error(`Error: Invalid API key ID format: ${trimmedId}`);
+        console.error("API key IDs have format: k_<12 hex chars> (e.g., k_abc123def456)");
+        process.exitCode = 2;
+        return;
+    }
+    try {
+        const config = getServerConfig(options);
+        const database = getDatabase(config.databasePath);
+        runMigrations(database);
+        const deleted = deleteApiKey(database, trimmedId);
+        if (deleted) {
+            console.error(`Revoked API key: ${sanitizeForTsv(trimmedId)}`);
+        }
+        else {
+            console.error(`Error: API key not found: ${sanitizeForTsv(trimmedId)}`);
+            process.exitCode = 1;
+        }
+    }
+    catch (error) {
+        console.error(`Error: Failed to revoke API key: ${getErrorMessage(error)}`);
+        process.exitCode = 1;
+    }
+    finally {
+        closeDatabase();
+    }
+}

package/dist/commands/serve.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Start server command handler.
+ */
+interface ServeOptions {
+    port?: string;
+    host?: string;
+    dbPath?: string;
+    refreshThreshold?: string;
+    refreshTimeout?: string;
+}
+export declare function handleServe(options: ServeOptions): Promise<void>;
+export {};

package/dist/commands/serve.js

@@ -0,0 +1,93 @@
+/**
+ * Start server command handler.
+ */
+import { existsSync, mkdirSync } from "node:fs";
+import path from "node:path";
+import { getServerConfig } from "../config.js";
+import { getDatabase, closeDatabase } from "../db/client.js";
+import { runMigrations } from "../db/migrations.js";
+import { createHealthRouter, createCredentialRouter, } from "../server/routes.js";
+import { createServer } from "../server/server.js";
+export async function handleServe(options) {
+    let config;
+    try {
+        config = getServerConfig({
+            ...options,
+            refreshThresholdSeconds: options.refreshThreshold,
+            refreshTimeoutMs: options.refreshTimeout,
+        });
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        console.error(`Error: ${message}`);
+        // eslint-disable-next-line unicorn/no-process-exit -- CLI config error
+        process.exit(1);
+    }
+    // Check encryption key is set
+    const encryptionKey = process.env["AXVAULT_ENCRYPTION_KEY"];
+    if (!encryptionKey || encryptionKey.length < 32) {
+        console.error("Error: AXVAULT_ENCRYPTION_KEY must be set to at least 32 characters");
+        // eslint-disable-next-line unicorn/no-process-exit -- CLI config error
+        process.exit(1);
+    }
+    // Ensure data directory exists (enables direct execution without init command)
+    const dataDirectory = path.dirname(config.databasePath);
+    if (!existsSync(dataDirectory)) {
+        try {
+            mkdirSync(dataDirectory, { recursive: true });
+            console.error(`Created data directory: ${dataDirectory}`);
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            console.error(`Failed to create data directory '${dataDirectory}': ${message}`);
+            // eslint-disable-next-line unicorn/no-process-exit -- CLI startup failure
+            process.exit(1);
+        }
+    }
+    // Initialize database
+    let database;
+    try {
+        database = getDatabase(config.databasePath);
+        runMigrations(database);
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        console.error(`Failed to initialize database: ${message}`);
+        // eslint-disable-next-line unicorn/no-process-exit -- CLI startup failure
+        process.exit(1);
+    }
+    // Create server with routers
+    const server = createServer(config, [
+        createHealthRouter(),
+        createCredentialRouter(database, {
+            refreshThresholdSeconds: config.refreshThresholdSeconds,
+            refreshTimeoutMs: config.refreshTimeoutMs,
+        }),
+    ]);
+    // Graceful shutdown handler
+    const shutdown = () => {
+        console.error("Shutting down...");
+        server.stop().then(() => {
+            closeDatabase();
+            // eslint-disable-next-line unicorn/no-process-exit -- CLI graceful shutdown
+            process.exit(0);
+        }, (error) => {
+            console.error("Error during shutdown:", error);
+            closeDatabase();
+            // eslint-disable-next-line unicorn/no-process-exit -- CLI graceful shutdown
+            process.exit(1);
+        });
+    };
+    process.once("SIGTERM", shutdown);
+    process.once("SIGINT", shutdown);
+    try {
+        await server.start();
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        console.error(`Failed to start server on http://${config.host}:${config.port}:`, message);
+        closeDatabase();
+        // eslint-disable-next-line unicorn/no-process-exit -- CLI startup failure
+        process.exit(1);
+    }
+}

package/dist/config.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Configuration for axvault server.
+ *
+ * Priority: CLI flags > environment variables > defaults.
+ */
+export interface ServerConfig {
+    port: number;
+    host: string;
+    databasePath: string;
+    refreshThresholdSeconds: number;
+    refreshTimeoutMs: number;
+}
+interface ConfigOverrides {
+    port?: string;
+    host?: string;
+    dbPath?: string;
+    refreshThresholdSeconds?: string;
+    refreshTimeoutMs?: string;
+}
+/** Parse config from environment and CLI overrides */
+export declare function getServerConfig(overrides?: ConfigOverrides): ServerConfig;
+export {};

package/dist/config.js

@@ -0,0 +1,44 @@
+/**
+ * Configuration for axvault server.
+ *
+ * Priority: CLI flags > environment variables > defaults.
+ */
+const DEFAULT_PORT = 3847;
+const DEFAULT_HOST = "127.0.0.1";
+const DEFAULT_DATABASE_PATH = "./data/axvault.db";
+const DEFAULT_REFRESH_THRESHOLD_SECONDS = 3600; // 1 hour
+const DEFAULT_REFRESH_TIMEOUT_MS = 30_000; // 30 seconds
+/** Parse config from environment and CLI overrides */
+export function getServerConfig(overrides = {}) {
+    const port = parsePort(overrides.port ?? process.env.AXVAULT_PORT);
+    const host = overrides.host ?? process.env.AXVAULT_HOST ?? DEFAULT_HOST;
+    const databasePath = overrides.dbPath ?? process.env.AXVAULT_DB_PATH ?? DEFAULT_DATABASE_PATH;
+    const refreshThresholdSeconds = parseNonNegativeInt(overrides.refreshThresholdSeconds ?? process.env.AXVAULT_REFRESH_THRESHOLD, DEFAULT_REFRESH_THRESHOLD_SECONDS, "AXVAULT_REFRESH_THRESHOLD");
+    const refreshTimeoutMs = parseNonNegativeInt(overrides.refreshTimeoutMs ?? process.env.AXVAULT_REFRESH_TIMEOUT_MS, DEFAULT_REFRESH_TIMEOUT_MS, "AXVAULT_REFRESH_TIMEOUT_MS");
+    return {
+        port,
+        host,
+        databasePath,
+        refreshThresholdSeconds,
+        refreshTimeoutMs,
+    };
+}
+function parsePort(value) {
+    if (!value)
+        return DEFAULT_PORT;
+    const port = Number.parseInt(value);
+    if (Number.isNaN(port) || port < 1 || port > 65_535) {
+        throw new Error(`Invalid port: ${value}`);
+    }
+    return port;
+}
+function parseNonNegativeInt(value, defaultValue, name) {
+    if (!value)
+        return defaultValue;
+    const parsed = Number.parseInt(value);
+    if (Number.isNaN(parsed) || parsed < 0) {
+        console.warn(`Invalid ${name} value "${value}", using default ${defaultValue}`);
+        return defaultValue;
+    }
+    return parsed;
+}

package/dist/db/client.d.ts

@@ -0,0 +1,13 @@
+/**
+ * SQLite database client.
+ *
+ * Manages a single database connection with WAL mode for better concurrency.
+ */
+import Database from "better-sqlite3";
+/** Get the database connection, creating it if necessary */
+declare function getDatabase(databasePath: string): Database.Database;
+/** Close the database connection */
+declare function closeDatabase(): void;
+/** Check if database is connected */
+declare function isDatabaseConnected(): boolean;
+export { closeDatabase, getDatabase, isDatabaseConnected };

package/dist/db/client.js

@@ -0,0 +1,38 @@
+/**
+ * SQLite database client.
+ *
+ * Manages a single database connection with WAL mode for better concurrency.
+ */
+import Database from "better-sqlite3";
+let database;
+let currentPath;
+/** Get the database connection, creating it if necessary */
+function getDatabase(databasePath) {
+    if (database) {
+        if (currentPath !== databasePath) {
+            throw new Error(`Database already connected to '${currentPath}'. ` +
+                `Call closeDatabase() before connecting to '${databasePath}'.`);
+        }
+        return database;
+    }
+    database = new Database(databasePath);
+    currentPath = databasePath;
+    // Enable WAL mode for better concurrent read performance
+    database.pragma("journal_mode = WAL");
+    // Enable foreign keys
+    database.pragma("foreign_keys = ON");
+    return database;
+}
+/** Close the database connection */
+function closeDatabase() {
+    if (database) {
+        database.close();
+        database = undefined;
+        currentPath = undefined;
+    }
+}
+/** Check if database is connected */
+function isDatabaseConnected() {
+    return database !== undefined;
+}
+export { closeDatabase, getDatabase, isDatabaseConnected };

package/dist/db/migrations.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Database schema migrations.
+ *
+ * Uses a simple version-based migration system.
+ */
+import type Database from "better-sqlite3";
+declare const CURRENT_VERSION = 2;
+/** Run all pending migrations */
+declare function runMigrations(database: Database.Database): void;
+/** Get current schema version */
+declare function getSchemaVersion(database: Database.Database): number;
+export { CURRENT_VERSION, getSchemaVersion, runMigrations };

package/dist/db/migrations.js

@@ -0,0 +1,96 @@
+/**
+ * Database schema migrations.
+ *
+ * Uses a simple version-based migration system.
+ */
+const CURRENT_VERSION = 2;
+/** Run all pending migrations */
+function runMigrations(database) {
+    const version = getSchemaVersion(database);
+    if (version < 1) {
+        migrateToV1(database);
+    }
+    if (version < 2) {
+        migrateToV2(database);
+    }
+}
+/** Get current schema version */
+function getSchemaVersion(database) {
+    const result = database.pragma("user_version", { simple: true });
+    return typeof result === "number" ? result : 0;
+}
+/** Set schema version */
+function setSchemaVersion(database, version) {
+    database.pragma(`user_version = ${version}`);
+}
+/**
+ * Migration to version 1: Initial schema
+ *
+ * Creates tables for API keys, credentials, and audit log.
+ */
+function migrateToV1(database) {
+    database.transaction(() => {
+        // API keys with credential access lists
+        database.exec(`
+      CREATE TABLE api_keys (
+        id TEXT PRIMARY KEY,
+        name TEXT NOT NULL,
+        key_hash TEXT NOT NULL UNIQUE,
+        read_access TEXT NOT NULL,
+        write_access TEXT NOT NULL,
+        created_at INTEGER NOT NULL,
+        last_used_at INTEGER
+      )
+    `);
+        // Create index for key lookup
+        database.exec(`
+      CREATE INDEX idx_api_keys_key_hash ON api_keys(key_hash)
+    `);
+        // Encrypted credentials
+        database.exec(`
+      CREATE TABLE credentials (
+        agent TEXT NOT NULL,
+        name TEXT NOT NULL,
+        encrypted_data BLOB NOT NULL,
+        iv BLOB NOT NULL,
+        auth_tag BLOB NOT NULL,
+        created_at INTEGER NOT NULL,
+        updated_at INTEGER NOT NULL,
+        expires_at INTEGER,
+        PRIMARY KEY (agent, name)
+      )
+    `);
+        // Audit log - intentionally no FK on api_key_id to preserve logs after key deletion
+        database.exec(`
+      CREATE TABLE audit_log (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        timestamp INTEGER NOT NULL,
+        api_key_id TEXT,
+        action TEXT NOT NULL,
+        agent TEXT,
+        name TEXT,
+        success INTEGER NOT NULL,
+        error_message TEXT
+      )
+    `);
+        // Create index for audit log queries by time
+        database.exec(`
+      CREATE INDEX idx_audit_log_timestamp ON audit_log(timestamp DESC)
+    `);
+        setSchemaVersion(database, 1);
+    })();
+}
+/**
+ * Migration to version 2: Add salt column to credentials
+ *
+ * AES-256-GCM with PBKDF2 requires a salt for key derivation.
+ */
+function migrateToV2(database) {
+    database.transaction(() => {
+        database.exec(`
+      ALTER TABLE credentials ADD COLUMN salt BLOB
+    `);
+        setSchemaVersion(database, 2);
+    })();
+}
+export { CURRENT_VERSION, getSchemaVersion, runMigrations };

package/dist/db/repositories/api-keys.d.ts

@@ -0,0 +1,42 @@
+/**
+ * API key repository.
+ *
+ * Manages API keys with read/write access lists for credentials.
+ */
+import type Database from "better-sqlite3";
+/** API key data stored in database */
+interface ApiKeyRecord {
+    id: string;
+    name: string;
+    keyHash: string;
+    readAccess: string[];
+    writeAccess: string[];
+    createdAt: Date;
+    lastUsedAt: Date | undefined;
+}
+/** API key with the raw key (only returned on creation) */
+interface ApiKeyWithSecret extends ApiKeyRecord {
+    key: string;
+}
+/** Create a new API key */
+declare function createApiKey(database: Database.Database, options: {
+    name: string;
+    readAccess: string[];
+    writeAccess: string[];
+}): ApiKeyWithSecret;
+/** Find API key by raw key value */
+declare function findApiKeyByKey(database: Database.Database, key: string): ApiKeyRecord | undefined;
+/** Find API key by ID */
+declare function findApiKeyById(database: Database.Database, id: string): ApiKeyRecord | undefined;
+/** List all API keys (without revealing the raw key values) */
+declare function listApiKeys(database: Database.Database): ApiKeyRecord[];
+/** Update last used timestamp */
+declare function updateLastUsed(database: Database.Database, id: string): void;
+/** Delete an API key */
+declare function deleteApiKey(database: Database.Database, id: string): boolean;
+/** Check if API key has read access to a credential */
+declare function hasReadAccess(apiKey: ApiKeyRecord, agent: string, name: string): boolean;
+/** Check if API key has write access to a credential */
+declare function hasWriteAccess(apiKey: ApiKeyRecord, agent: string, name: string): boolean;
+export { createApiKey, deleteApiKey, findApiKeyById, findApiKeyByKey, hasReadAccess, hasWriteAccess, listApiKeys, updateLastUsed, };
+export type { ApiKeyRecord, ApiKeyWithSecret };

package/dist/db/repositories/api-keys.js

@@ -0,0 +1,86 @@
+/**
+ * API key repository.
+ *
+ * Manages API keys with read/write access lists for credentials.
+ */
+import { createHash, randomBytes } from "node:crypto";
+/** Convert database row to record */
+function rowToRecord(row) {
+    return {
+        id: row.id,
+        name: row.name,
+        keyHash: row.key_hash,
+        readAccess: JSON.parse(row.read_access),
+        writeAccess: JSON.parse(row.write_access),
+        createdAt: new Date(row.created_at),
+        lastUsedAt: row.last_used_at ? new Date(row.last_used_at) : undefined,
+    };
+}
+/** Hash an API key for storage */
+function hashApiKey(key) {
+    return createHash("sha256").update(key).digest("hex");
+}
+const SELECT_COLUMNS = `id, name, key_hash, read_access, write_access, created_at, last_used_at`;
+/** Create a new API key */
+function createApiKey(database, options) {
+    const id = `k_${randomBytes(6).toString("hex")}`;
+    const key = `axv_sk_${randomBytes(16).toString("hex")}`;
+    const keyHash = hashApiKey(key);
+    const now = Date.now();
+    database
+        .prepare(`INSERT INTO api_keys (id, name, key_hash, read_access, write_access, created_at)
+     VALUES (?, ?, ?, ?, ?, ?)`)
+        .run(id, options.name, keyHash, JSON.stringify(options.readAccess), JSON.stringify(options.writeAccess), now);
+    return {
+        id,
+        name: options.name,
+        key,
+        keyHash,
+        readAccess: options.readAccess,
+        writeAccess: options.writeAccess,
+        createdAt: new Date(now),
+        lastUsedAt: undefined,
+    };
+}
+/** Find API key by raw key value */
+function findApiKeyByKey(database, key) {
+    const row = database
+        .prepare(`SELECT ${SELECT_COLUMNS} FROM api_keys WHERE key_hash = ?`)
+        .get(hashApiKey(key));
+    return row ? rowToRecord(row) : undefined;
+}
+/** Find API key by ID */
+function findApiKeyById(database, id) {
+    const row = database
+        .prepare(`SELECT ${SELECT_COLUMNS} FROM api_keys WHERE id = ?`)
+        .get(id);
+    return row ? rowToRecord(row) : undefined;
+}
+/** List all API keys (without revealing the raw key values) */
+function listApiKeys(database) {
+    const rows = database
+        .prepare(`SELECT ${SELECT_COLUMNS} FROM api_keys ORDER BY created_at DESC`)
+        .all();
+    return rows.map((row) => rowToRecord(row));
+}
+/** Update last used timestamp */
+function updateLastUsed(database, id) {
+    database
+        .prepare(`UPDATE api_keys SET last_used_at = ? WHERE id = ?`)
+        .run(Date.now(), id);
+}
+/** Delete an API key */
+function deleteApiKey(database, id) {
+    return (database.prepare(`DELETE FROM api_keys WHERE id = ?`).run(id).changes > 0);
+}
+/** Check if API key has read access to a credential */
+function hasReadAccess(apiKey, agent, name) {
+    const path = `${agent}/${name}`;
+    return apiKey.readAccess.includes("*") || apiKey.readAccess.includes(path);
+}
+/** Check if API key has write access to a credential */
+function hasWriteAccess(apiKey, agent, name) {
+    const path = `${agent}/${name}`;
+    return apiKey.writeAccess.includes("*") || apiKey.writeAccess.includes(path);
+}
+export { createApiKey, deleteApiKey, findApiKeyById, findApiKeyByKey, hasReadAccess, hasWriteAccess, listApiKeys, updateLastUsed, };

package/dist/db/repositories/audit-log.d.ts

@@ -0,0 +1,37 @@
+/**
+ * Audit log repository.
+ *
+ * Records all credential access for security auditing.
+ */
+import type Database from "better-sqlite3";
+/** Audit log entry */
+interface AuditLogEntry {
+    id: number;
+    timestamp: Date;
+    apiKeyId: string | undefined;
+    action: "auth" | "read" | "write" | "delete" | "refresh" | "list";
+    agent: string | undefined;
+    name: string | undefined;
+    success: boolean;
+    errorMessage: string | undefined;
+}
+/** Log a credential access event */
+declare function logAccess(database: Database.Database, entry: {
+    apiKeyId?: string;
+    action: AuditLogEntry["action"];
+    agent?: string;
+    name?: string;
+    success: boolean;
+    errorMessage?: string;
+}): void;
+/** Get recent audit log entries */
+declare function getRecentLogs(database: Database.Database, options?: {
+    limit?: number;
+    apiKeyId?: string;
+}): AuditLogEntry[];
+/** Get logs for a specific credential */
+declare function getLogsForCredential(database: Database.Database, agent: string, name: string, limit_?: number): AuditLogEntry[];
+/** Prune old audit log entries */
+declare function pruneOldLogs(database: Database.Database, olderThanDays: number): number;
+export { getLogsForCredential, getRecentLogs, logAccess, pruneOldLogs };
+export type { AuditLogEntry };