axvault 1.1.0 → 1.2.0

package/README.md

@@ -32,17 +32,27 @@ Setting `--refresh-threshold 0` disables automatic credential refresh.
 
 ## API Keys
 
-API keys control access to the credential API. Each key has configurable read and write permissions.
+API keys control access to the credential API. Each key has configurable permissions:
+
+- **Read**: retrieve credentials
+- **Write**: store and delete credentials
+- **Grant**: delegate access to other keys (enforcement coming in future release)
 
 ### Create an API Key
 
 ```bash
-# Full access
+# Full access (read, write, and grant)
+axvault key create --name "Admin" --read "*" --write "*" --grant "*"
+
+# Read/write access only
 axvault key create --name "CI Pipeline" --read "*" --write "*"
 
 # Restricted access
-axvault key create --name "Claude Reader" --read "claude/*"
+axvault key create --name "Claude Reader" --read "claude/work,claude/ci"
 axvault key create --name "Deploy Script" --write "claude/prod,codex/prod"
+
+# Grant-only key (for delegation, does not allow direct read/write)
+axvault key create --name "Issuer" --grant "claude/work,claude/ci"
 ```
 
 The command outputs metadata to stderr and the secret key to stdout for easy piping:
@@ -53,6 +63,7 @@ Created API key: CI Pipeline
 ID: k_a1b2c3d4e5f6
 Read access: *
 Write access: *
+Grant access: (none)
 
 Save this key securely - it cannot be retrieved later.
 
@@ -68,6 +79,24 @@ To copy directly to clipboard: `axvault key create --name "My Key" --read "*" |
 axvault key list
 ```
 
+### Update a Key
+
+Modify an existing key's permissions:
+
+```bash
+# Add read access for new credentials
+axvault key update k_a1b2c3d4e5f6 --add-read "gemini/prod"
+
+# Remove write access
+axvault key update k_a1b2c3d4e5f6 --remove-write "claude/test"
+
+# Add grant permissions
+axvault key update k_a1b2c3d4e5f6 --add-grant "claude/work"
+
+# Multiple changes at once
+axvault key update k_a1b2c3d4e5f6 --add-read "codex/ci" --remove-write "claude/dev"
+```
+
 ### Revoke a Key
 
 ```bash
@@ -148,10 +177,10 @@ Exec into the container to manage API keys:
 
 ```bash
 # Podman
-sudo podman exec axvault /nodejs/bin/node node_modules/axvault/bin/axvault key create --name "My Key" --write "*"
+sudo podman exec axvault /nodejs/bin/node node_modules/axvault/bin/axvault key create --name "My Key" --read "*" --write "*"
 
 # Docker
-docker exec axvault /nodejs/bin/node node_modules/axvault/bin/axvault key create --name "My Key" --write "*"
+docker exec axvault /nodejs/bin/node node_modules/axvault/bin/axvault key create --name "My Key" --read "*" --write "*"
 ```
 
 ## Credentials API

package/dist/cli.js

@@ -8,7 +8,7 @@ import { Command } from "@commander-js/extra-typings";
 import packageJson from "../package.json" with { type: "json" };
 import { handleCredentialDelete, handleCredentialList, } from "./commands/credential.js";
 import { handleInit } from "./commands/init.js";
-import { handleKeyCreate, handleKeyList, handleKeyRevoke, } from "./commands/key.js";
+import { handleKeyCreate, handleKeyList, handleKeyRevoke, handleKeyUpdate, } from "./commands/key.js";
 import { handleServe } from "./commands/serve.js";
 const program = new Command()
     .name(packageJson.name)
@@ -35,11 +35,14 @@ Examples:
   axvault key create --name "Uploader" --write "claude/backups"
 
   # Create an admin API key with full access
-  axvault key create --name "Admin" --read "*" --write "*"
+  axvault key create --name "Admin" --read "*" --write "*" --grant "*"
 
   # List all API keys
   axvault key list
 
+  # Update an API key's permissions
+  axvault key update k_abc123def456 --add-read "claude/new"
+
   # Revoke an API key
   axvault key revoke k_abc123def456
 
@@ -73,6 +76,7 @@ keyCommand
     .requiredOption("-n, --name <name>", "Name for the API key")
     .option("-r, --read <access>", "Comma-separated read access list (e.g., 'claude/work,codex/ci' or '*')")
     .option("-w, --write <access>", "Comma-separated write access list (e.g., 'claude/ci' or '*')")
+    .option("-g, --grant <access>", "Comma-separated grant access list (can delegate these to other keys)")
     .option("--json", "Output as JSON")
     .option("--db-path <path>", "Database file path")
     .action(handleKeyCreate);
@@ -88,6 +92,19 @@ keyCommand
     .argument("<id>", "API key ID (e.g., k_abc123def456)")
     .option("--db-path <path>", "Database file path")
     .action(handleKeyRevoke);
+keyCommand
+    .command("update")
+    .description("Update an API key's permissions")
+    .argument("<id>", "API key ID (e.g., k_abc123def456)")
+    .option("--add-read <access>", "Add read access entries")
+    .option("--add-write <access>", "Add write access entries")
+    .option("--add-grant <access>", "Add grant access entries")
+    .option("--remove-read <access>", "Remove read access entries")
+    .option("--remove-write <access>", "Remove write access entries")
+    .option("--remove-grant <access>", "Remove grant access entries")
+    .option("--json", "Output as JSON")
+    .option("--db-path <path>", "Database file path")
+    .action(handleKeyUpdate);
 // Credential management commands
 const credentialCommand = program
     .command("credential")

package/dist/commands/key-create.d.ts

@@ -0,0 +1,13 @@
+/**
+ * API key create command handler.
+ */
+interface KeyCreateOptions {
+    dbPath?: string;
+    name: string;
+    read?: string;
+    write?: string;
+    grant?: string;
+    json?: boolean;
+}
+export declare function handleKeyCreate(options: KeyCreateOptions): void;
+export {};

package/dist/commands/key-create.js

@@ -0,0 +1,99 @@
+/**
+ * API key create command handler.
+ */
+import { getServerConfig } from "../config.js";
+import { closeDatabase, getDatabase } from "../db/client.js";
+import { runMigrations } from "../db/migrations.js";
+import { createApiKey } from "../db/repositories/api-keys.js";
+import { containsControlChars, formatAccessList, getAccessListErrorMessage, getErrorMessage, normalizeAccessList, parseAccessList, sanitizeForTsv, } from "../lib/format.js";
+export function handleKeyCreate(options) {
+    // Validate key name (reject control characters)
+    if (containsControlChars(options.name)) {
+        console.error("Error: Key name contains control characters.");
+        process.exitCode = 2;
+        return;
+    }
+    // Parse and validate access lists
+    const readResult = parseAccessList(options.read);
+    const writeResult = parseAccessList(options.write);
+    const grantResult = parseAccessList(options.grant);
+    if (readResult.error) {
+        console.error(`Error: ${getAccessListErrorMessage(readResult.error)}`);
+        process.exitCode = 2;
+        return;
+    }
+    if (writeResult.error) {
+        console.error(`Error: ${getAccessListErrorMessage(writeResult.error)}`);
+        process.exitCode = 2;
+        return;
+    }
+    if (grantResult.error) {
+        console.error(`Error: ${getAccessListErrorMessage(grantResult.error)}`);
+        process.exitCode = 2;
+        return;
+    }
+    // Normalize wildcards (warn if mixed with specific entries)
+    const readNorm = normalizeAccessList(readResult.entries, "read");
+    const writeNorm = normalizeAccessList(writeResult.entries, "write");
+    const grantNorm = normalizeAccessList(grantResult.entries, "grant");
+    if (readNorm.warning)
+        console.warn(`Warning: ${readNorm.warning}`);
+    if (writeNorm.warning)
+        console.warn(`Warning: ${writeNorm.warning}`);
+    if (grantNorm.warning)
+        console.warn(`Warning: ${grantNorm.warning}`);
+    const readAccess = readNorm.normalized;
+    const writeAccess = writeNorm.normalized;
+    const grantAccess = grantNorm.normalized;
+    // Validate: at least one access must be specified
+    if (readAccess.length === 0 &&
+        writeAccess.length === 0 &&
+        grantAccess.length === 0) {
+        console.error("Error: At least one of --read, --write, or --grant must be specified.");
+        console.error("Try 'axvault key create --help' for more information.");
+        process.exitCode = 2;
+        return;
+    }
+    try {
+        const config = getServerConfig(options);
+        const database = getDatabase(config.databasePath);
+        runMigrations(database);
+        const apiKey = createApiKey(database, {
+            name: options.name,
+            readAccess,
+            writeAccess,
+            grantAccess,
+        });
+        if (options.json) {
+            console.warn("Warning: JSON output contains the secret key. Avoid logging in CI.");
+            console.log(JSON.stringify({
+                id: apiKey.id,
+                name: apiKey.name,
+                key: apiKey.key,
+                readAccess: apiKey.readAccess,
+                writeAccess: apiKey.writeAccess,
+                grantAccess: apiKey.grantAccess,
+                createdAt: apiKey.createdAt.toISOString(),
+            }, undefined, 2));
+        }
+        else {
+            console.error(`Created API key: ${sanitizeForTsv(apiKey.name)}`);
+            console.error(`ID: ${sanitizeForTsv(apiKey.id)}`);
+            console.error(`Read access: ${sanitizeForTsv(formatAccessList(apiKey.readAccess))}`);
+            console.error(`Write access: ${sanitizeForTsv(formatAccessList(apiKey.writeAccess))}`);
+            console.error(`Grant access: ${sanitizeForTsv(formatAccessList(apiKey.grantAccess))}`);
+            console.error("");
+            // Output the secret key to stdout for piping
+            console.log(apiKey.key);
+            console.error("");
+            console.error("Save this key securely - it cannot be retrieved later.");
+        }
+    }
+    catch (error) {
+        console.error(`Error: Failed to create API key: ${getErrorMessage(error)}`);
+        process.exitCode = 1;
+    }
+    finally {
+        closeDatabase();
+    }
+}

package/dist/commands/key-list.d.ts

@@ -0,0 +1,9 @@
+/**
+ * API key list command handler.
+ */
+interface KeyListOptions {
+    dbPath?: string;
+    json?: boolean;
+}
+export declare function handleKeyList(options: KeyListOptions): void;
+export {};

package/dist/commands/key-list.js

@@ -0,0 +1,43 @@
+/**
+ * API key list command handler.
+ */
+import { getServerConfig } from "../config.js";
+import { closeDatabase, getDatabase } from "../db/client.js";
+import { runMigrations } from "../db/migrations.js";
+import { listApiKeys } from "../db/repositories/api-keys.js";
+import { formatDateForJson, formatKeyRow, getErrorMessage, } from "../lib/format.js";
+export function handleKeyList(options) {
+    try {
+        const config = getServerConfig(options);
+        const database = getDatabase(config.databasePath);
+        runMigrations(database);
+        const keys = listApiKeys(database);
+        if (options.json) {
+            const output = keys.map((key) => ({
+                id: key.id,
+                name: key.name,
+                readAccess: key.readAccess,
+                writeAccess: key.writeAccess,
+                grantAccess: key.grantAccess,
+                createdAt: key.createdAt.toISOString(),
+                lastUsedAt: formatDateForJson(key.lastUsedAt),
+            }));
+            console.log(JSON.stringify(output, undefined, 2));
+        }
+        else if (keys.length === 0) {
+            console.error("No API keys found.\nCreate one with: axvault key create --name <name> [--read <access>] [--write <access>] [--grant <access>]");
+        }
+        else {
+            console.log("ID\tNAME\tREAD ACCESS\tWRITE ACCESS\tGRANT ACCESS\tLAST USED");
+            for (const key of keys)
+                console.log(formatKeyRow(key));
+        }
+    }
+    catch (error) {
+        console.error(`Error: Failed to list API keys: ${getErrorMessage(error)}`);
+        process.exitCode = 1;
+    }
+    finally {
+        closeDatabase();
+    }
+}

package/dist/commands/key-revoke.d.ts

@@ -0,0 +1,8 @@
+/**
+ * API key revoke command handler.
+ */
+interface KeyRevokeOptions {
+    dbPath?: string;
+}
+export declare function handleKeyRevoke(id: string, options: KeyRevokeOptions): void;
+export {};

package/dist/commands/key-revoke.js

@@ -0,0 +1,47 @@
+/**
+ * API key revoke command handler.
+ */
+import { getServerConfig } from "../config.js";
+import { closeDatabase, getDatabase } from "../db/client.js";
+import { runMigrations } from "../db/migrations.js";
+import { deleteApiKey } from "../db/repositories/api-keys.js";
+import { containsControlChars, getErrorMessage, isValidKeyId, sanitizeForTsv, } from "../lib/format.js";
+export function handleKeyRevoke(id, options) {
+    // Reject inputs containing control characters BEFORE trimming
+    // (prevents silent bypass where \n or \t would be removed by trim)
+    if (containsControlChars(id)) {
+        console.error("Error: Invalid API key ID: contains control characters.");
+        console.error("API key IDs have format: k_<12 hex chars> (e.g., k_abc123def456)");
+        process.exitCode = 2;
+        return;
+    }
+    // Trim whitespace from ID (common copy-paste issue)
+    const trimmedId = id.trim();
+    // Validate ID format (k_ + 12 hex chars)
+    if (!isValidKeyId(trimmedId)) {
+        console.error(`Error: Invalid API key ID format: ${trimmedId}`);
+        console.error("API key IDs have format: k_<12 hex chars> (e.g., k_abc123def456)");
+        process.exitCode = 2;
+        return;
+    }
+    try {
+        const config = getServerConfig(options);
+        const database = getDatabase(config.databasePath);
+        runMigrations(database);
+        const deleted = deleteApiKey(database, trimmedId);
+        if (deleted) {
+            console.error(`Revoked API key: ${sanitizeForTsv(trimmedId)}`);
+        }
+        else {
+            console.error(`Error: API key not found: ${sanitizeForTsv(trimmedId)}`);
+            process.exitCode = 1;
+        }
+    }
+    catch (error) {
+        console.error(`Error: Failed to revoke API key: ${getErrorMessage(error)}`);
+        process.exitCode = 1;
+    }
+    finally {
+        closeDatabase();
+    }
+}

package/dist/commands/key-update.d.ts

@@ -0,0 +1,15 @@
+/**
+ * API key update command handler.
+ */
+interface KeyUpdateOptions {
+    dbPath?: string;
+    addRead?: string;
+    addWrite?: string;
+    addGrant?: string;
+    removeRead?: string;
+    removeWrite?: string;
+    removeGrant?: string;
+    json?: boolean;
+}
+export declare function handleKeyUpdate(id: string, options: KeyUpdateOptions): void;
+export {};

package/dist/commands/key-update.js

@@ -0,0 +1,109 @@
+/**
+ * API key update command handler.
+ */
+import { getServerConfig } from "../config.js";
+import { closeDatabase, getDatabase } from "../db/client.js";
+import { runMigrations } from "../db/migrations.js";
+import { findApiKeyById, updateApiKeyAccess, } from "../db/repositories/api-keys.js";
+import { containsControlChars, formatAccessList, formatDateForJson, getErrorMessage, isValidKeyId, sanitizeForTsv, } from "../lib/format.js";
+import { computeUpdatedAccess, normalizeAllAccess, parseAccessOptions, } from "../lib/parse-access-options.js";
+export function handleKeyUpdate(id, options) {
+    // Validate key ID
+    if (containsControlChars(id)) {
+        console.error("Error: Invalid API key ID: contains control characters.");
+        console.error("API key IDs have format: k_<12 hex chars> (e.g., k_abc123def456)");
+        process.exitCode = 2;
+        return;
+    }
+    const trimmedId = id.trim();
+    if (!isValidKeyId(trimmedId)) {
+        console.error(`Error: Invalid API key ID format: ${trimmedId}`);
+        console.error("API key IDs have format: k_<12 hex chars> (e.g., k_abc123def456)");
+        process.exitCode = 2;
+        return;
+    }
+    // Parse and validate access options
+    const parsed = parseAccessOptions(options);
+    if (!parsed)
+        return; // Error already logged
+    // Check if any updates were requested
+    const hasUpdates = parsed.addRead.length > 0 ||
+        parsed.addWrite.length > 0 ||
+        parsed.addGrant.length > 0 ||
+        parsed.removeRead.length > 0 ||
+        parsed.removeWrite.length > 0 ||
+        parsed.removeGrant.length > 0;
+    if (!hasUpdates) {
+        console.error("Error: No updates specified.");
+        console.error("Try 'axvault key update --help' for more information.");
+        process.exitCode = 2;
+        return;
+    }
+    try {
+        const config = getServerConfig(options);
+        const database = getDatabase(config.databasePath);
+        runMigrations(database);
+        // Find existing key
+        const existingKey = findApiKeyById(database, trimmedId);
+        if (!existingKey) {
+            console.error(`Error: API key not found: ${sanitizeForTsv(trimmedId)}`);
+            process.exitCode = 1;
+            return;
+        }
+        // Compute new access lists
+        const newReadAccess = computeUpdatedAccess(existingKey.readAccess, parsed.addRead, parsed.removeRead);
+        const newWriteAccess = computeUpdatedAccess(existingKey.writeAccess, parsed.addWrite, parsed.removeWrite);
+        const newGrantAccess = computeUpdatedAccess(existingKey.grantAccess, parsed.addGrant, parsed.removeGrant);
+        // Normalize and update
+        const normalized = normalizeAllAccess(newReadAccess, newWriteAccess, newGrantAccess);
+        // Validate: at least one access must remain after update
+        if (normalized.read.length === 0 &&
+            normalized.write.length === 0 &&
+            normalized.grant.length === 0) {
+            console.error("Error: Update would leave the key with no permissions. At least one of read, write, or grant access must remain.");
+            process.exitCode = 2;
+            return;
+        }
+        updateApiKeyAccess(database, trimmedId, {
+            readAccess: normalized.read,
+            writeAccess: normalized.write,
+            grantAccess: normalized.grant,
+        });
+        // Fetch updated key for output
+        const updatedKey = findApiKeyById(database, trimmedId);
+        if (!updatedKey) {
+            console.error("Error: Failed to fetch updated key.");
+            process.exitCode = 1;
+            return;
+        }
+        outputKeyDetails(updatedKey, options.json ?? false);
+    }
+    catch (error) {
+        console.error(`Error: Failed to update API key: ${getErrorMessage(error)}`);
+        process.exitCode = 1;
+    }
+    finally {
+        closeDatabase();
+    }
+}
+/** Output key details in JSON or human-readable format */
+function outputKeyDetails(key, json) {
+    if (json) {
+        console.log(JSON.stringify({
+            id: key.id,
+            name: key.name,
+            readAccess: key.readAccess,
+            writeAccess: key.writeAccess,
+            grantAccess: key.grantAccess,
+            createdAt: key.createdAt.toISOString(),
+            lastUsedAt: formatDateForJson(key.lastUsedAt),
+        }, undefined, 2));
+    }
+    else {
+        console.error(`Updated API key: ${sanitizeForTsv(key.name)}`);
+        console.error(`ID: ${sanitizeForTsv(key.id)}`);
+        console.error(`Read access: ${sanitizeForTsv(formatAccessList(key.readAccess))}`);
+        console.error(`Write access: ${sanitizeForTsv(formatAccessList(key.writeAccess))}`);
+        console.error(`Grant access: ${sanitizeForTsv(formatAccessList(key.grantAccess))}`);
+    }
+}

package/dist/commands/key.d.ts

@@ -1,21 +1,9 @@
 /**
  * API key management command handlers.
+ *
+ * Re-exports handlers from separate modules for better maintainability.
  */
-interface KeyCreateOptions {
-    dbPath?: string;
-    name: string;
-    read?: string;
-    write?: string;
-    json?: boolean;
-}
-interface KeyListOptions {
-    dbPath?: string;
-    json?: boolean;
-}
-interface KeyRevokeOptions {
-    dbPath?: string;
-}
-export declare function handleKeyCreate(options: KeyCreateOptions): void;
-export declare function handleKeyList(options: KeyListOptions): void;
-export declare function handleKeyRevoke(id: string, options: KeyRevokeOptions): void;
-export {};
+export { handleKeyCreate } from "./key-create.js";
+export { handleKeyList } from "./key-list.js";
+export { handleKeyRevoke } from "./key-revoke.js";
+export { handleKeyUpdate } from "./key-update.js";

package/dist/commands/key.js

@@ -1,157 +1,9 @@
 /**
  * API key management command handlers.
+ *
+ * Re-exports handlers from separate modules for better maintainability.
  */
-import { getServerConfig } from "../config.js";
-import { closeDatabase, getDatabase } from "../db/client.js";
-import { runMigrations } from "../db/migrations.js";
-import { createApiKey, deleteApiKey, listApiKeys, } from "../db/repositories/api-keys.js";
-import { containsControlChars, formatAccessList, formatDateForJson, formatKeyRow, getAccessListErrorMessage, getErrorMessage, isValidKeyId, normalizeAccessList, parseAccessList, sanitizeForTsv, } from "../lib/format.js";
-export function handleKeyCreate(options) {
-    // Validate key name (reject control characters)
-    if (containsControlChars(options.name)) {
-        console.error("Error: Key name contains control characters.");
-        process.exitCode = 2;
-        return;
-    }
-    // Parse and validate access lists
-    const readResult = parseAccessList(options.read);
-    const writeResult = parseAccessList(options.write);
-    if (readResult.error) {
-        console.error(`Error: ${getAccessListErrorMessage(readResult.error)}`);
-        process.exitCode = 2;
-        return;
-    }
-    if (writeResult.error) {
-        console.error(`Error: ${getAccessListErrorMessage(writeResult.error)}`);
-        process.exitCode = 2;
-        return;
-    }
-    // Normalize wildcards (warn if mixed with specific entries)
-    const readNorm = normalizeAccessList(readResult.entries, "read");
-    const writeNorm = normalizeAccessList(writeResult.entries, "write");
-    if (readNorm.warning)
-        console.warn(`Warning: ${readNorm.warning}`);
-    if (writeNorm.warning)
-        console.warn(`Warning: ${writeNorm.warning}`);
-    const readAccess = readNorm.normalized;
-    const writeAccess = writeNorm.normalized;
-    // Validate: at least one access must be specified
-    if (readAccess.length === 0 && writeAccess.length === 0) {
-        console.error("Error: At least one of --read or --write must be specified.");
-        console.error("Try 'axvault key create --help' for more information.");
-        process.exitCode = 2;
-        return;
-    }
-    try {
-        const config = getServerConfig(options);
-        const database = getDatabase(config.databasePath);
-        runMigrations(database);
-        const apiKey = createApiKey(database, {
-            name: options.name,
-            readAccess,
-            writeAccess,
-        });
-        if (options.json) {
-            console.warn("Warning: JSON output contains the secret key. Avoid logging in CI.");
-            console.log(JSON.stringify({
-                id: apiKey.id,
-                name: apiKey.name,
-                key: apiKey.key,
-                readAccess: apiKey.readAccess,
-                writeAccess: apiKey.writeAccess,
-                createdAt: apiKey.createdAt.toISOString(),
-            }, undefined, 2));
-        }
-        else {
-            console.error(`Created API key: ${sanitizeForTsv(apiKey.name)}`);
-            console.error(`ID: ${sanitizeForTsv(apiKey.id)}`);
-            console.error(`Read access: ${sanitizeForTsv(formatAccessList(apiKey.readAccess))}`);
-            console.error(`Write access: ${sanitizeForTsv(formatAccessList(apiKey.writeAccess))}`);
-            console.error("");
-            // Output the secret key to stdout for piping
-            console.log(apiKey.key);
-            console.error("");
-            console.error("Save this key securely - it cannot be retrieved later.");
-        }
-    }
-    catch (error) {
-        console.error(`Error: Failed to create API key: ${getErrorMessage(error)}`);
-        process.exitCode = 1;
-    }
-    finally {
-        closeDatabase();
-    }
-}
-export function handleKeyList(options) {
-    try {
-        const config = getServerConfig(options);
-        const database = getDatabase(config.databasePath);
-        runMigrations(database);
-        const keys = listApiKeys(database);
-        if (options.json) {
-            const output = keys.map((key) => ({
-                id: key.id,
-                name: key.name,
-                readAccess: key.readAccess,
-                writeAccess: key.writeAccess,
-                createdAt: key.createdAt.toISOString(),
-                lastUsedAt: formatDateForJson(key.lastUsedAt),
-            }));
-            console.log(JSON.stringify(output, undefined, 2));
-        }
-        else if (keys.length === 0) {
-            console.error("No API keys found.\nCreate one with: axvault key create --name <name> [--read <access>] [--write <access>]");
-        }
-        else {
-            console.log("ID\tNAME\tREAD ACCESS\tWRITE ACCESS\tLAST USED");
-            for (const key of keys)
-                console.log(formatKeyRow(key));
-        }
-    }
-    catch (error) {
-        console.error(`Error: Failed to list API keys: ${getErrorMessage(error)}`);
-        process.exitCode = 1;
-    }
-    finally {
-        closeDatabase();
-    }
-}
-export function handleKeyRevoke(id, options) {
-    // Reject inputs containing control characters BEFORE trimming
-    // (prevents silent bypass where \n or \t would be removed by trim)
-    if (containsControlChars(id)) {
-        console.error("Error: Invalid API key ID: contains control characters.");
-        console.error("API key IDs have format: k_<12 hex chars> (e.g., k_abc123def456)");
-        process.exitCode = 2;
-        return;
-    }
-    // Trim whitespace from ID (common copy-paste issue)
-    const trimmedId = id.trim();
-    // Validate ID format (k_ + 12 hex chars)
-    if (!isValidKeyId(trimmedId)) {
-        console.error(`Error: Invalid API key ID format: ${trimmedId}`);
-        console.error("API key IDs have format: k_<12 hex chars> (e.g., k_abc123def456)");
-        process.exitCode = 2;
-        return;
-    }
-    try {
-        const config = getServerConfig(options);
-        const database = getDatabase(config.databasePath);
-        runMigrations(database);
-        const deleted = deleteApiKey(database, trimmedId);
-        if (deleted) {
-            console.error(`Revoked API key: ${sanitizeForTsv(trimmedId)}`);
-        }
-        else {
-            console.error(`Error: API key not found: ${sanitizeForTsv(trimmedId)}`);
-            process.exitCode = 1;
-        }
-    }
-    catch (error) {
-        console.error(`Error: Failed to revoke API key: ${getErrorMessage(error)}`);
-        process.exitCode = 1;
-    }
-    finally {
-        closeDatabase();
-    }
-}
+export { handleKeyCreate } from "./key-create.js";
+export { handleKeyList } from "./key-list.js";
+export { handleKeyRevoke } from "./key-revoke.js";
+export { handleKeyUpdate } from "./key-update.js";

package/dist/db/migrations.d.ts

@@ -4,7 +4,7 @@
  * Uses a simple version-based migration system.
  */
 import type Database from "better-sqlite3";
-declare const CURRENT_VERSION = 3;
+declare const CURRENT_VERSION = 4;
 /** Run all pending migrations */
 declare function runMigrations(database: Database.Database): void;
 /** Get current schema version */

package/dist/db/migrations.js

@@ -3,7 +3,7 @@
  *
  * Uses a simple version-based migration system.
  */
-const CURRENT_VERSION = 3;
+const CURRENT_VERSION = 4;
 /** Run all pending migrations */
 function runMigrations(database) {
     const version = getSchemaVersion(database);
@@ -16,6 +16,9 @@ function runMigrations(database) {
     if (version < 3) {
         migrateToV3(database);
     }
+    if (version < 4) {
+        migrateToV4(database);
+    }
 }
 /** Get current schema version */
 function getSchemaVersion(database) {
@@ -110,4 +113,18 @@ function migrateToV3(database) {
         setSchemaVersion(database, 3);
     })();
 }
+/**
+ * Migration to version 4: Add grant_access column to api_keys
+ *
+ * The grant permission controls which credentials a key can delegate access to.
+ * Existing keys get an empty grant_access array (no delegation rights).
+ */
+function migrateToV4(database) {
+    database.transaction(() => {
+        database.exec(`
+      ALTER TABLE api_keys ADD COLUMN grant_access TEXT NOT NULL DEFAULT '[]'
+    `);
+        setSchemaVersion(database, 4);
+    })();
+}
 export { CURRENT_VERSION, getSchemaVersion, runMigrations };

package/dist/db/repositories/api-keys.d.ts

@@ -11,6 +11,7 @@ interface ApiKeyRecord {
     keyHash: string;
     readAccess: string[];
     writeAccess: string[];
+    grantAccess: string[];
     createdAt: Date;
     lastUsedAt: Date | undefined;
 }
@@ -23,6 +24,7 @@ declare function createApiKey(database: Database.Database, options: {
     name: string;
     readAccess: string[];
     writeAccess: string[];
+    grantAccess: string[];
 }): ApiKeyWithSecret;
 /** Find API key by raw key value */
 declare function findApiKeyByKey(database: Database.Database, key: string): ApiKeyRecord | undefined;
@@ -38,5 +40,13 @@ declare function deleteApiKey(database: Database.Database, id: string): boolean;
 declare function hasReadAccess(apiKey: ApiKeyRecord, agent: string, name: string): boolean;
 /** Check if API key has write access to a credential */
 declare function hasWriteAccess(apiKey: ApiKeyRecord, agent: string, name: string): boolean;
-export { createApiKey, deleteApiKey, findApiKeyById, findApiKeyByKey, hasReadAccess, hasWriteAccess, listApiKeys, updateLastUsed, };
+/** Check if API key has grant access to a credential */
+declare function hasGrantAccess(apiKey: ApiKeyRecord, agent: string, name: string): boolean;
+/** Update an API key's access permissions */
+declare function updateApiKeyAccess(database: Database.Database, id: string, options: {
+    readAccess?: string[];
+    writeAccess?: string[];
+    grantAccess?: string[];
+}): boolean;
+export { createApiKey, deleteApiKey, findApiKeyById, findApiKeyByKey, hasGrantAccess, hasReadAccess, hasWriteAccess, listApiKeys, updateApiKeyAccess, updateLastUsed, };
 export type { ApiKeyRecord, ApiKeyWithSecret };

package/dist/db/repositories/api-keys.js

@@ -12,6 +12,7 @@ function rowToRecord(row) {
         keyHash: row.key_hash,
         readAccess: JSON.parse(row.read_access),
         writeAccess: JSON.parse(row.write_access),
+        grantAccess: JSON.parse(row.grant_access),
         createdAt: new Date(row.created_at),
         lastUsedAt: row.last_used_at ? new Date(row.last_used_at) : undefined,
     };
@@ -20,7 +21,7 @@ function rowToRecord(row) {
 function hashApiKey(key) {
     return createHash("sha256").update(key).digest("hex");
 }
-const SELECT_COLUMNS = `id, name, key_hash, read_access, write_access, created_at, last_used_at`;
+const SELECT_COLUMNS = `id, name, key_hash, read_access, write_access, grant_access, created_at, last_used_at`;
 /** Create a new API key */
 function createApiKey(database, options) {
     const id = `k_${randomBytes(6).toString("hex")}`;
@@ -28,9 +29,9 @@ function createApiKey(database, options) {
     const keyHash = hashApiKey(key);
     const now = Date.now();
     database
-        .prepare(`INSERT INTO api_keys (id, name, key_hash, read_access, write_access, created_at)
-     VALUES (?, ?, ?, ?, ?, ?)`)
-        .run(id, options.name, keyHash, JSON.stringify(options.readAccess), JSON.stringify(options.writeAccess), now);
+        .prepare(`INSERT INTO api_keys (id, name, key_hash, read_access, write_access, grant_access, created_at)
+     VALUES (?, ?, ?, ?, ?, ?, ?)`)
+        .run(id, options.name, keyHash, JSON.stringify(options.readAccess), JSON.stringify(options.writeAccess), JSON.stringify(options.grantAccess), now);
     return {
         id,
         name: options.name,
@@ -38,6 +39,7 @@ function createApiKey(database, options) {
         keyHash,
         readAccess: options.readAccess,
         writeAccess: options.writeAccess,
+        grantAccess: options.grantAccess,
         createdAt: new Date(now),
         lastUsedAt: undefined,
     };
@@ -83,4 +85,31 @@ function hasWriteAccess(apiKey, agent, name) {
     const path = `${agent}/${name}`;
     return apiKey.writeAccess.includes("*") || apiKey.writeAccess.includes(path);
 }
-export { createApiKey, deleteApiKey, findApiKeyById, findApiKeyByKey, hasReadAccess, hasWriteAccess, listApiKeys, updateLastUsed, };
+/** Check if API key has grant access to a credential */
+function hasGrantAccess(apiKey, agent, name) {
+    const path = `${agent}/${name}`;
+    return apiKey.grantAccess.includes("*") || apiKey.grantAccess.includes(path);
+}
+/** Update an API key's access permissions */
+function updateApiKeyAccess(database, id, options) {
+    const updates = [];
+    const values = [];
+    if (options.readAccess !== undefined) {
+        updates.push("read_access = ?");
+        values.push(JSON.stringify(options.readAccess));
+    }
+    if (options.writeAccess !== undefined) {
+        updates.push("write_access = ?");
+        values.push(JSON.stringify(options.writeAccess));
+    }
+    if (options.grantAccess !== undefined) {
+        updates.push("grant_access = ?");
+        values.push(JSON.stringify(options.grantAccess));
+    }
+    if (updates.length === 0)
+        return false;
+    values.push(id);
+    const sql = `UPDATE api_keys SET ${updates.join(", ")} WHERE id = ?`;
+    return database.prepare(sql).run(...values).changes > 0;
+}
+export { createApiKey, deleteApiKey, findApiKeyById, findApiKeyByKey, hasGrantAccess, hasReadAccess, hasWriteAccess, listApiKeys, updateApiKeyAccess, updateLastUsed, };

package/dist/db/repositories/audit-log.d.ts

@@ -9,7 +9,7 @@ interface AuditLogEntry {
     id: number;
     timestamp: Date;
     apiKeyId: string | undefined;
-    action: "auth" | "read" | "write" | "delete" | "refresh" | "list";
+    action: "auth" | "read" | "write" | "delete" | "refresh" | "list" | "grant";
     agent: string | undefined;
     name: string | undefined;
     success: boolean;

package/dist/db/types.d.ts

@@ -8,6 +8,7 @@ export interface ApiKeyRow {
     key_hash: string;
     read_access: string;
     write_access: string;
+    grant_access: string;
     created_at: number;
     last_used_at: number | null;
 }

package/dist/lib/format.d.ts

@@ -39,6 +39,7 @@ export declare function formatKeyRow(key: {
     name: string;
     readAccess: string[];
     writeAccess: string[];
+    grantAccess: string[];
     lastUsedAt?: Date;
 }): string;
 /**

package/dist/lib/format.js

@@ -74,8 +74,9 @@ export function formatKeyRow(key) {
     const name = sanitizeForTsv(key.name);
     const readAccess = sanitizeForTsv(formatAccessList(key.readAccess));
     const writeAccess = sanitizeForTsv(formatAccessList(key.writeAccess));
+    const grantAccess = sanitizeForTsv(formatAccessList(key.grantAccess));
     const lastUsed = formatRelativeTime(key.lastUsedAt);
-    return `${id}\t${name}\t${readAccess}\t${writeAccess}\t${lastUsed}`;
+    return `${id}\t${name}\t${readAccess}\t${writeAccess}\t${grantAccess}\t${lastUsed}`;
 }
 /**
  * Validate access list entry format.

package/dist/lib/parse-access-options.d.ts

@@ -0,0 +1,37 @@
+/**
+ * Parse and validate access list options from CLI flags.
+ */
+interface ParsedAccessOptions {
+    addRead: string[];
+    addWrite: string[];
+    addGrant: string[];
+    removeRead: string[];
+    removeWrite: string[];
+    removeGrant: string[];
+}
+interface AccessOptions {
+    addRead?: string;
+    addWrite?: string;
+    addGrant?: string;
+    removeRead?: string;
+    removeWrite?: string;
+    removeGrant?: string;
+}
+/**
+ * Parse all access list options and validate them.
+ * Returns parsed entries or logs error and sets exit code.
+ */
+export declare function parseAccessOptions(options: AccessOptions): ParsedAccessOptions | undefined;
+/**
+ * Compute updated access list by adding and removing entries.
+ */
+export declare function computeUpdatedAccess(current: string[], toAdd: string[], toRemove: string[]): string[];
+/**
+ * Normalize all access lists and print warnings.
+ */
+export declare function normalizeAllAccess(readAccess: string[], writeAccess: string[], grantAccess: string[]): {
+    read: string[];
+    write: string[];
+    grant: string[];
+};
+export {};

package/dist/lib/parse-access-options.js

@@ -0,0 +1,84 @@
+/**
+ * Parse and validate access list options from CLI flags.
+ */
+import { getAccessListErrorMessage, normalizeAccessList, parseAccessList, } from "./format.js";
+/**
+ * Parse all access list options and validate them.
+ * Returns parsed entries or logs error and sets exit code.
+ */
+export function parseAccessOptions(options) {
+    const addReadResult = parseAccessList(options.addRead);
+    const addWriteResult = parseAccessList(options.addWrite);
+    const addGrantResult = parseAccessList(options.addGrant);
+    const removeReadResult = parseAccessList(options.removeRead);
+    const removeWriteResult = parseAccessList(options.removeWrite);
+    const removeGrantResult = parseAccessList(options.removeGrant);
+    if (addReadResult.error) {
+        console.error(`Error in --add-read: ${getAccessListErrorMessage(addReadResult.error)}`);
+        process.exitCode = 2;
+        return undefined;
+    }
+    if (addWriteResult.error) {
+        console.error(`Error in --add-write: ${getAccessListErrorMessage(addWriteResult.error)}`);
+        process.exitCode = 2;
+        return undefined;
+    }
+    if (addGrantResult.error) {
+        console.error(`Error in --add-grant: ${getAccessListErrorMessage(addGrantResult.error)}`);
+        process.exitCode = 2;
+        return undefined;
+    }
+    if (removeReadResult.error) {
+        console.error(`Error in --remove-read: ${getAccessListErrorMessage(removeReadResult.error)}`);
+        process.exitCode = 2;
+        return undefined;
+    }
+    if (removeWriteResult.error) {
+        console.error(`Error in --remove-write: ${getAccessListErrorMessage(removeWriteResult.error)}`);
+        process.exitCode = 2;
+        return undefined;
+    }
+    if (removeGrantResult.error) {
+        console.error(`Error in --remove-grant: ${getAccessListErrorMessage(removeGrantResult.error)}`);
+        process.exitCode = 2;
+        return undefined;
+    }
+    return {
+        addRead: addReadResult.entries,
+        addWrite: addWriteResult.entries,
+        addGrant: addGrantResult.entries,
+        removeRead: removeReadResult.entries,
+        removeWrite: removeWriteResult.entries,
+        removeGrant: removeGrantResult.entries,
+    };
+}
+/**
+ * Compute updated access list by adding and removing entries.
+ */
+export function computeUpdatedAccess(current, toAdd, toRemove) {
+    const set = new Set(current);
+    for (const entry of toAdd)
+        set.add(entry);
+    for (const entry of toRemove)
+        set.delete(entry);
+    return [...set];
+}
+/**
+ * Normalize all access lists and print warnings.
+ */
+export function normalizeAllAccess(readAccess, writeAccess, grantAccess) {
+    const readNorm = normalizeAccessList(readAccess, "read");
+    const writeNorm = normalizeAccessList(writeAccess, "write");
+    const grantNorm = normalizeAccessList(grantAccess, "grant");
+    if (readNorm.warning)
+        console.warn(`Warning: ${readNorm.warning}`);
+    if (writeNorm.warning)
+        console.warn(`Warning: ${writeNorm.warning}`);
+    if (grantNorm.warning)
+        console.warn(`Warning: ${grantNorm.warning}`);
+    return {
+        read: readNorm.normalized,
+        write: writeNorm.normalized,
+        grant: grantNorm.normalized,
+    };
+}

package/package.json

@@ -2,7 +2,7 @@
   "name": "axvault",
   "author": "Łukasz Jerciński",
   "license": "MIT",
-  "version": "1.1.0",
+  "version": "1.2.0",
   "description": "Remote credential storage server for axkit",
   "repository": {
     "type": "git",