axvault 1.0.0

package/dist/lib/encryption.js

@@ -0,0 +1,38 @@
+/**
+ * Encryption utilities for credential storage.
+ *
+ * Wraps axshared encryption functions with vault-specific configuration.
+ */
+import { decrypt, encrypt } from "axshared";
+/** Validate encryption key is configured */
+function getEncryptionKey() {
+    const key = process.env["AXVAULT_ENCRYPTION_KEY"];
+    if (!key || key.length < 32) {
+        throw new Error("AXVAULT_ENCRYPTION_KEY must be set to at least 32 characters");
+    }
+    return key;
+}
+/** Encrypt credential data for storage */
+function encryptCredential(data) {
+    const encryptionKey = getEncryptionKey();
+    const plaintext = JSON.stringify(data);
+    const encrypted = encrypt(plaintext, encryptionKey);
+    return {
+        encryptedData: encrypted.ciphertext,
+        salt: encrypted.salt,
+        iv: encrypted.iv,
+        authTag: encrypted.tag,
+    };
+}
+/** Decrypt credential data from storage */
+function decryptCredential(credential) {
+    const encryptionKey = getEncryptionKey();
+    const decrypted = decrypt({
+        ciphertext: credential.encryptedData,
+        salt: credential.salt,
+        iv: credential.iv,
+        tag: credential.authTag,
+    }, encryptionKey);
+    return JSON.parse(decrypted);
+}
+export { decryptCredential, encryptCredential };

package/dist/lib/format.d.ts

@@ -0,0 +1,92 @@
+/**
+ * Shared formatting utilities for CLI output.
+ */
+/**
+ * Strip control characters and ANSI escape sequences to prevent terminal
+ * injection and preserve TSV structure.
+ *
+ * Removes:
+ * - 7-bit ANSI/CSI escape sequences (ESC [ ... final-byte)
+ * - 8-bit C1 CSI sequences (0x9B ... final-byte)
+ * - C0 controls (0x00-0x1F) including ESC, tab, newline
+ * - DEL (0x7F)
+ * - C1 controls (0x80-0x9F)
+ */
+export declare function sanitizeForTsv(value: string): string;
+/**
+ * Format relative time from a Date.
+ * Returns human-readable strings like "just now", "5m ago", "2h ago".
+ *
+ * This helper is intended for past events (e.g., "last updated"), so future
+ * dates are treated as unexpected and return the generic string "in the future"
+ * instead of using granular units. For precise future-oriented formatting
+ * (e.g., "in 2h", "in 3d"), use {@link formatExpiresAt}.
+ */
+export declare function formatRelativeTime(date: Date | undefined): string;
+/**
+ * Check if a string contains control characters (would be changed by sanitization).
+ */
+export declare function containsControlChars(value: string): boolean;
+/**
+ * Validate API key ID format (k_ + 12 hex chars).
+ */
+export declare function isValidKeyId(id: string): boolean;
+/**
+ * Format a single API key row for TSV output.
+ */
+export declare function formatKeyRow(key: {
+    id: string;
+    name: string;
+    readAccess: string[];
+    writeAccess: string[];
+    lastUsedAt?: Date;
+}): string;
+/**
+ * Parse comma-separated access list into array of entries.
+ *
+ * Returns object with:
+ * - `entries`: parsed entries if valid, undefined if invalid
+ * - `error`: error type if invalid ('control-chars' or 'invalid-format')
+ *
+ * Control characters are checked BEFORE trimming to prevent silent bypass
+ * (e.g., "\n*" would otherwise become "*" after trim).
+ */
+export declare function parseAccessList(value: string | undefined): {
+    entries: string[];
+    error?: never;
+} | {
+    entries?: never;
+    error: "control-chars" | "invalid-format";
+};
+/**
+ * Get error message for access list parsing error.
+ */
+export declare function getAccessListErrorMessage(error: "control-chars" | "invalid-format"): string;
+/**
+ * Normalize access list by collapsing to ['*'] if wildcard is present with other entries.
+ * Returns the normalized list and an optional warning message.
+ */
+export declare function normalizeAccessList(access: string[], optionName?: string): {
+    normalized: string[];
+    warning: string | undefined;
+};
+/**
+ * Format access list for display.
+ * Returns "(none)" for empty, "*" if wildcard present, otherwise comma-joined.
+ */
+export declare function formatAccessList(access: string[]): string;
+/**
+ * Format optional date for JSON output.
+ * Returns ISO string or null for consistent JSON schema.
+ */
+export declare function formatDateForJson(date: Date | undefined): string | null;
+/**
+ * Extract error message from unknown error value.
+ * Returns the error's message if it's an Error, otherwise stringifies it.
+ */
+export declare function getErrorMessage(error: unknown): string;
+/**
+ * Format expiration time relative to now.
+ * Returns "(never)" for no expiration, or relative time like "in 2h", "expired 5m ago".
+ */
+export declare function formatExpiresAt(date: Date | undefined): string;

package/dist/lib/format.js

@@ -0,0 +1,216 @@
+/**
+ * Shared formatting utilities for CLI output.
+ */
+/**
+ * Strip control characters and ANSI escape sequences to prevent terminal
+ * injection and preserve TSV structure.
+ *
+ * Removes:
+ * - 7-bit ANSI/CSI escape sequences (ESC [ ... final-byte)
+ * - 8-bit C1 CSI sequences (0x9B ... final-byte)
+ * - C0 controls (0x00-0x1F) including ESC, tab, newline
+ * - DEL (0x7F)
+ * - C1 controls (0x80-0x9F)
+ */
+export function sanitizeForTsv(value) {
+    /* eslint-disable no-control-regex */
+    return (value
+        // Strip 7-bit ANSI CSI sequences: ESC [ <params> <intermediate> <final>
+        // Parameters: 0x30-0x3F, Intermediate: 0x20-0x2F, Final: 0x40-0x7E
+        .replaceAll(/\u001B\[[0-?]*[ -/]*[@-~]/gu, "")
+        // Strip 8-bit C1 CSI sequences: 0x9B <params> <intermediate> <final>
+        .replaceAll(/\u009B[0-?]*[ -/]*[@-~]/gu, "")
+        // Strip C0 controls (0x00-0x1F), DEL (0x7F), and C1 controls (0x80-0x9F)
+        .replaceAll(/[\u0000-\u001F\u007F-\u009F]/gu, ""));
+    /* eslint-enable no-control-regex */
+}
+/**
+ * Format relative time from a Date.
+ * Returns human-readable strings like "just now", "5m ago", "2h ago".
+ *
+ * This helper is intended for past events (e.g., "last updated"), so future
+ * dates are treated as unexpected and return the generic string "in the future"
+ * instead of using granular units. For precise future-oriented formatting
+ * (e.g., "in 2h", "in 3d"), use {@link formatExpiresAt}.
+ */
+export function formatRelativeTime(date) {
+    if (!date)
+        return "never";
+    const now = Date.now();
+    const diff = now - date.getTime();
+    if (diff < 0)
+        return "in the future";
+    const seconds = Math.floor(diff / 1000);
+    if (seconds < 60)
+        return "just now";
+    const minutes = Math.floor(seconds / 60);
+    if (minutes < 60)
+        return `${minutes}m ago`;
+    const hours = Math.floor(minutes / 60);
+    if (hours < 24)
+        return `${hours}h ago`;
+    const days = Math.floor(hours / 24);
+    return `${days}d ago`;
+}
+/**
+ * Check if a string contains control characters (would be changed by sanitization).
+ */
+export function containsControlChars(value) {
+    return sanitizeForTsv(value) !== value;
+}
+/** API key ID format: k_ followed by 12 hex characters */
+const KEY_ID_PATTERN = /^k_[0-9a-f]{12}$/u;
+/**
+ * Validate API key ID format (k_ + 12 hex chars).
+ */
+export function isValidKeyId(id) {
+    return KEY_ID_PATTERN.test(id);
+}
+/**
+ * Format a single API key row for TSV output.
+ */
+export function formatKeyRow(key) {
+    const id = sanitizeForTsv(key.id);
+    const name = sanitizeForTsv(key.name);
+    const readAccess = sanitizeForTsv(formatAccessList(key.readAccess));
+    const writeAccess = sanitizeForTsv(formatAccessList(key.writeAccess));
+    const lastUsed = formatRelativeTime(key.lastUsedAt);
+    return `${id}\t${name}\t${readAccess}\t${writeAccess}\t${lastUsed}`;
+}
+/**
+ * Validate access list entry format.
+ * Valid formats:
+ * - "*" (full wildcard granting access to all credentials)
+ * - "agent/name" (exactly one slash, both parts non-empty, no wildcards)
+ *
+ * Partial wildcards like "claude/*" are rejected because the authorization
+ * logic uses exact matching, not pattern matching.
+ */
+function isValidAccessEntry(entry) {
+    if (entry === "*")
+        return true;
+    const parts = entry.split("/");
+    const agent = parts[0];
+    const name = parts[1];
+    return (parts.length === 2 &&
+        agent !== undefined &&
+        agent.length > 0 &&
+        !agent.includes("*") &&
+        name !== undefined &&
+        name.length > 0 &&
+        !name.includes("*"));
+}
+/**
+ * Parse comma-separated access list into array of entries.
+ *
+ * Returns object with:
+ * - `entries`: parsed entries if valid, undefined if invalid
+ * - `error`: error type if invalid ('control-chars' or 'invalid-format')
+ *
+ * Control characters are checked BEFORE trimming to prevent silent bypass
+ * (e.g., "\n*" would otherwise become "*" after trim).
+ */
+export function parseAccessList(value) {
+    if (!value)
+        return { entries: [] };
+    const rawEntries = value.split(",");
+    // Check for control characters in raw entries before trimming
+    if (rawEntries.some((entry) => containsControlChars(entry))) {
+        return { error: "control-chars" };
+    }
+    const entries = rawEntries
+        .map((item) => item.trim())
+        .filter((item) => item.length > 0);
+    // Validate entry format: must be "*" or "agent/name"
+    if (!entries.every((entry) => isValidAccessEntry(entry))) {
+        return { error: "invalid-format" };
+    }
+    return { entries };
+}
+/**
+ * Get error message for access list parsing error.
+ */
+export function getAccessListErrorMessage(error) {
+    if (error === "control-chars") {
+        return "Access list contains control characters.";
+    }
+    return 'Invalid access list entry format. Entries must be "*" or "agent/name" (e.g., claude/work).';
+}
+/**
+ * Normalize access list by collapsing to ['*'] if wildcard is present with other entries.
+ * Returns the normalized list and an optional warning message.
+ */
+export function normalizeAccessList(access, optionName) {
+    if (access.includes("*") && access.length > 1) {
+        const warning = optionName
+            ? `--${optionName} '*' grants full access; ignoring other entries`
+            : "'*' grants full access; ignoring other entries";
+        return { normalized: ["*"], warning };
+    }
+    return { normalized: access, warning: undefined };
+}
+/**
+ * Format access list for display.
+ * Returns "(none)" for empty, "*" if wildcard present, otherwise comma-joined.
+ */
+export function formatAccessList(access) {
+    if (access.length === 0)
+        return "(none)";
+    if (access.includes("*"))
+        return "*";
+    return access.join(", ");
+}
+/**
+ * Format optional date for JSON output.
+ * Returns ISO string or null for consistent JSON schema.
+ */
+export function formatDateForJson(date) {
+    // eslint-disable-next-line unicorn/no-null
+    return date?.toISOString() ?? null;
+}
+/**
+ * Extract error message from unknown error value.
+ * Returns the error's message if it's an Error, otherwise stringifies it.
+ */
+export function getErrorMessage(error) {
+    return error instanceof Error ? error.message : String(error);
+}
+/**
+ * Format expiration time relative to now.
+ * Returns "(never)" for no expiration, or relative time like "in 2h", "expired 5m ago".
+ */
+export function formatExpiresAt(date) {
+    if (!date)
+        return "(never)";
+    const now = Date.now();
+    const diff = date.getTime() - now;
+    // Already expired
+    if (diff < 0) {
+        const elapsed = Math.abs(diff);
+        const seconds = Math.floor(elapsed / 1000);
+        if (seconds < 60)
+            return "expired just now";
+        const minutes = Math.floor(seconds / 60);
+        if (minutes < 60)
+            return `expired ${minutes}m ago`;
+        const hours = Math.floor(minutes / 60);
+        if (hours < 24)
+            return `expired ${hours}h ago`;
+        const days = Math.floor(hours / 24);
+        return `expired ${days}d ago`;
+    }
+    // Future expiration
+    const seconds = Math.floor(diff / 1000);
+    if (seconds === 0)
+        return "expires soon";
+    if (seconds < 60)
+        return `in ${seconds}s`;
+    const minutes = Math.floor(seconds / 60);
+    if (minutes < 60)
+        return `in ${minutes}m`;
+    const hours = Math.floor(minutes / 60);
+    if (hours < 24)
+        return `in ${hours}h`;
+    const days = Math.floor(hours / 24);
+    return `in ${days}d`;
+}

package/dist/middleware/auth.d.ts

@@ -0,0 +1,21 @@
+/**
+ * API key authentication middleware.
+ *
+ * Validates Bearer token and attaches API key record to request.
+ */
+import type { NextFunction, Request, Response } from "express";
+import type Database from "better-sqlite3";
+import { type ApiKeyRecord } from "../db/repositories/api-keys.js";
+/** Extended request with API key */
+interface AuthenticatedRequest extends Request {
+    apiKey: ApiKeyRecord;
+}
+/**
+ * Create authentication middleware.
+ *
+ * Validates API key from Authorization header and attaches to request.
+ * Returns 401 for missing/invalid key.
+ */
+declare function createAuthMiddleware(database: Database.Database): (request: Request, response: Response, next: NextFunction) => void;
+export { createAuthMiddleware };
+export type { AuthenticatedRequest };

package/dist/middleware/auth.js

@@ -0,0 +1,50 @@
+/**
+ * API key authentication middleware.
+ *
+ * Validates Bearer token and attaches API key record to request.
+ */
+import { findApiKeyByKey, updateLastUsed, } from "../db/repositories/api-keys.js";
+import { logAccess } from "../db/repositories/audit-log.js";
+/** Extract Bearer token from Authorization header */
+function extractBearerToken(authorizationHeader) {
+    if (!authorizationHeader)
+        return undefined;
+    const match = /^Bearer\s+(\S+)$/iu.exec(authorizationHeader);
+    return match?.[1];
+}
+/**
+ * Create authentication middleware.
+ *
+ * Validates API key from Authorization header and attaches to request.
+ * Returns 401 for missing/invalid key.
+ */
+function createAuthMiddleware(database) {
+    return (request, response, next) => {
+        const token = extractBearerToken(request.headers.authorization);
+        if (!token) {
+            logAccess(database, {
+                action: "auth",
+                success: false,
+                errorMessage: "Missing authorization header",
+            });
+            response.status(401).json({ error: "Missing authorization header" });
+            return;
+        }
+        const apiKey = findApiKeyByKey(database, token);
+        if (!apiKey) {
+            logAccess(database, {
+                action: "auth",
+                success: false,
+                errorMessage: "Invalid API key",
+            });
+            response.status(401).json({ error: "Invalid API key" });
+            return;
+        }
+        // Update last used timestamp
+        updateLastUsed(database, apiKey.id);
+        // Attach API key to request
+        request.apiKey = apiKey;
+        next();
+    };
+}
+export { createAuthMiddleware };

package/dist/middleware/validate-parameters.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Path parameter validation middleware.
+ *
+ * Validates agent and name parameters to prevent injection attacks
+ * and ensure consistent credential naming.
+ */
+import type { NextFunction, Request, Response } from "express";
+/** Validate agent and name path parameters */
+declare function validateParameters(request: Request, response: Response, next: NextFunction): void;
+export { validateParameters };

package/dist/middleware/validate-parameters.js

@@ -0,0 +1,26 @@
+/**
+ * Path parameter validation middleware.
+ *
+ * Validates agent and name parameters to prevent injection attacks
+ * and ensure consistent credential naming.
+ */
+/** Valid pattern for agent and name path segments */
+const VALID_PATH_SEGMENT = /^[\w.-]{1,64}$/u;
+/** Validate agent and name path parameters */
+function validateParameters(request, response, next) {
+    const { agent, name } = request.params;
+    if (agent !== undefined && !VALID_PATH_SEGMENT.test(agent)) {
+        response.status(400).json({
+            error: "Invalid agent format. Must be 1-64 characters: letters, numbers, dots, hyphens, underscores.",
+        });
+        return;
+    }
+    if (name !== undefined && !VALID_PATH_SEGMENT.test(name)) {
+        response.status(400).json({
+            error: "Invalid name format. Must be 1-64 characters: letters, numbers, dots, hyphens, underscores.",
+        });
+        return;
+    }
+    next();
+}
+export { validateParameters };

package/dist/refresh/check-refresh.d.ts

@@ -0,0 +1,40 @@
+/**
+ * Pure functions for checking if credentials need refresh.
+ *
+ * Extracted from refresh-manager to reduce complexity.
+ */
+import { type Credentials } from "axauth";
+/**
+ * Check if credential is refreshable (has refresh_token).
+ *
+ * axauth's refreshCredentials requires a refresh_token to work.
+ * API keys and tokens without refresh_token cannot be refreshed.
+ * Returns false for non-object data to avoid TypeError from `in` operator.
+ */
+declare function isRefreshable(data: unknown): data is Record<string, unknown>;
+/**
+ * Check if credential needs refresh based on expiry.
+ *
+ * Only returns true if:
+ * 1. Credential data is an object with refresh_token (required for axauth refresh)
+ * 2. Credential has expiry info that is within threshold
+ *
+ * @param data - Decrypted credential data (accepts unknown for safety)
+ * @param thresholdSeconds - Refresh if expires within this many seconds
+ * @returns true if refresh needed, false otherwise
+ */
+declare function needsRefresh(data: unknown, thresholdSeconds: number): boolean;
+/**
+ * Map vault credential data to axauth Credentials type.
+ *
+ * @param agent - Agent CLI name
+ * @param data - Decrypted credential data from vault (must have refresh_token)
+ * @returns Credentials object for axauth, or undefined if not mappable
+ */
+declare function toAxauthCredentials(agent: string, data: Record<string, unknown>): Credentials | undefined;
+/**
+ * Extract expiry date from refreshed credentials.
+ * Looks for common expiry fields (expires_at, expiry_date).
+ */
+declare function extractExpiryDate(data: Record<string, unknown>): Date | undefined;
+export { extractExpiryDate, isRefreshable, needsRefresh, toAxauthCredentials };

package/dist/refresh/check-refresh.js

@@ -0,0 +1,83 @@
+/**
+ * Pure functions for checking if credentials need refresh.
+ *
+ * Extracted from refresh-manager to reduce complexity.
+ */
+import { AGENT_CLIS } from "axshared";
+import { isCredentialExpired } from "axauth";
+/** Valid agent CLI names - sourced from axshared for consistency */
+const VALID_AGENTS = new Set(AGENT_CLIS);
+/**
+ * Check if credential is refreshable (has refresh_token).
+ *
+ * axauth's refreshCredentials requires a refresh_token to work.
+ * API keys and tokens without refresh_token cannot be refreshed.
+ * Returns false for non-object data to avoid TypeError from `in` operator.
+ */
+function isRefreshable(data) {
+    return (typeof data === "object" &&
+        data !== null &&
+        "refresh_token" in data &&
+        typeof data.refresh_token === "string");
+}
+/**
+ * Check if credential needs refresh based on expiry.
+ *
+ * Only returns true if:
+ * 1. Credential data is an object with refresh_token (required for axauth refresh)
+ * 2. Credential has expiry info that is within threshold
+ *
+ * @param data - Decrypted credential data (accepts unknown for safety)
+ * @param thresholdSeconds - Refresh if expires within this many seconds
+ * @returns true if refresh needed, false otherwise
+ */
+function needsRefresh(data, thresholdSeconds) {
+    // Must be an object with refresh_token to be refreshable
+    if (!isRefreshable(data))
+        return false;
+    const expired = isCredentialExpired(data, thresholdSeconds);
+    // undefined means no expiry info found - don't refresh
+    return expired === true;
+}
+/**
+ * Map vault credential data to axauth Credentials type.
+ *
+ * @param agent - Agent CLI name
+ * @param data - Decrypted credential data from vault (must have refresh_token)
+ * @returns Credentials object for axauth, or undefined if not mappable
+ */
+function toAxauthCredentials(agent, data) {
+    if (!VALID_AGENTS.has(agent)) {
+        return undefined;
+    }
+    // Only OAuth credentials can be refreshed
+    return {
+        agent: agent,
+        type: "oauth",
+        data,
+    };
+}
+/**
+ * Timestamp threshold to distinguish seconds from milliseconds.
+ * Values below this are assumed to be Unix timestamps in seconds.
+ */
+const SECONDS_THRESHOLD = 10_000_000_000;
+/**
+ * Extract expiry date from refreshed credentials.
+ * Looks for common expiry fields (expires_at, expiry_date).
+ */
+function extractExpiryDate(data) {
+    // Google OAuth uses expiry_date (milliseconds)
+    if (typeof data.expiry_date === "number") {
+        return new Date(data.expiry_date);
+    }
+    // Generic OAuth uses expires_at (seconds or milliseconds)
+    if (typeof data.expires_at === "number") {
+        const ts = data.expires_at < SECONDS_THRESHOLD
+            ? data.expires_at * 1000
+            : data.expires_at;
+        return new Date(ts);
+    }
+    return undefined;
+}
+export { extractExpiryDate, isRefreshable, needsRefresh, toAxauthCredentials };

package/dist/refresh/log-refresh.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Logging helpers for refresh operations.
+ */
+import type Database from "better-sqlite3";
+interface RefreshLogContext {
+    database: Database.Database;
+    apiKeyId: string;
+    agent: string;
+    name: string;
+}
+/** Log a successful refresh */
+declare function logRefreshSuccess(context: RefreshLogContext): void;
+/** Log a failed refresh (best-effort, ignores logging errors) */
+declare function logRefreshError(context: RefreshLogContext, errorMessage: string): void;
+/** Extract error message from unknown error */
+declare function getErrorMessage(error: unknown): string;
+export { getErrorMessage, logRefreshError, logRefreshSuccess };

package/dist/refresh/log-refresh.js

@@ -0,0 +1,35 @@
+/**
+ * Logging helpers for refresh operations.
+ */
+import { logAccess } from "../db/repositories/audit-log.js";
+/** Log a successful refresh */
+function logRefreshSuccess(context) {
+    logAccess(context.database, {
+        apiKeyId: context.apiKeyId,
+        action: "refresh",
+        agent: context.agent,
+        name: context.name,
+        success: true,
+    });
+}
+/** Log a failed refresh (best-effort, ignores logging errors) */
+function logRefreshError(context, errorMessage) {
+    try {
+        logAccess(context.database, {
+            apiKeyId: context.apiKeyId,
+            action: "refresh",
+            agent: context.agent,
+            name: context.name,
+            success: false,
+            errorMessage,
+        });
+    }
+    catch {
+        // Ignore logging failures
+    }
+}
+/** Extract error message from unknown error */
+function getErrorMessage(error) {
+    return error instanceof Error ? error.message : String(error);
+}
+export { getErrorMessage, logRefreshError, logRefreshSuccess };

package/dist/refresh/refresh-manager.d.ts

@@ -0,0 +1,51 @@
+/**
+ * Refresh manager with per-credential mutex locking.
+ *
+ * Prevents concurrent refreshes of the same credential and coordinates
+ * with axauth's refresh functionality.
+ */
+import type Database from "better-sqlite3";
+/** Key for credential-specific mutex */
+type CredentialKey = `${string}/${string}`;
+/** Result type for the full refresh operation */
+type FullRefreshResult = {
+    ok: true;
+    data: unknown;
+    expiresAt: Date | undefined;
+    updatedAt: Date;
+} | {
+    ok: false;
+    error: string;
+};
+/** Options for refresh operation */
+interface RefreshManagerOptions {
+    timeoutMs: number;
+}
+/** Build credential key for mutex */
+declare function buildKey(agent: string, name: string): CredentialKey;
+/**
+ * Perform refresh with mutex locking.
+ *
+ * If a refresh is already in progress for this credential, waits for it
+ * rather than starting a new one. The mutex covers the FULL operation
+ * (refresh + validate + persist), ensuring all callers see the same result.
+ *
+ * Note: There is a small race window where a request that loaded stale
+ * credential data could start a duplicate refresh if it checks the mutex
+ * right after the previous refresh completes. This is rare (requires precise
+ * timing), harmless (produces correct results), and self-limiting (OAuth
+ * providers handle duplicate refreshes). The complexity of cooldown timers
+ * or reference counting isn't justified for this edge case.
+ *
+ * @param database - Database connection
+ * @param agent - Agent name
+ * @param name - Credential name
+ * @param data - Current decrypted credential data
+ * @param apiKeyId - API key ID for audit logging
+ * @param originalUpdatedAt - Original updatedAt for optimistic locking
+ * @param options - Refresh options
+ * @returns Refresh result with new data, expiresAt, updatedAt or error
+ */
+declare function refreshWithMutex(database: Database.Database, agent: string, name: string, data: Record<string, unknown>, apiKeyId: string, originalUpdatedAt: Date, options: RefreshManagerOptions): Promise<FullRefreshResult>;
+export { extractExpiryDate, isRefreshable, needsRefresh, toAxauthCredentials, } from "./check-refresh.js";
+export { buildKey, refreshWithMutex };