axvault 1.1.0 → 1.3.0

package/dist/commands/key.js

@@ -1,157 +1,9 @@
 /**
  * API key management command handlers.
+ *
+ * Re-exports handlers from separate modules for better maintainability.
  */
-import { getServerConfig } from "../config.js";
-import { closeDatabase, getDatabase } from "../db/client.js";
-import { runMigrations } from "../db/migrations.js";
-import { createApiKey, deleteApiKey, listApiKeys, } from "../db/repositories/api-keys.js";
-import { containsControlChars, formatAccessList, formatDateForJson, formatKeyRow, getAccessListErrorMessage, getErrorMessage, isValidKeyId, normalizeAccessList, parseAccessList, sanitizeForTsv, } from "../lib/format.js";
-export function handleKeyCreate(options) {
-    // Validate key name (reject control characters)
-    if (containsControlChars(options.name)) {
-        console.error("Error: Key name contains control characters.");
-        process.exitCode = 2;
-        return;
-    }
-    // Parse and validate access lists
-    const readResult = parseAccessList(options.read);
-    const writeResult = parseAccessList(options.write);
-    if (readResult.error) {
-        console.error(`Error: ${getAccessListErrorMessage(readResult.error)}`);
-        process.exitCode = 2;
-        return;
-    }
-    if (writeResult.error) {
-        console.error(`Error: ${getAccessListErrorMessage(writeResult.error)}`);
-        process.exitCode = 2;
-        return;
-    }
-    // Normalize wildcards (warn if mixed with specific entries)
-    const readNorm = normalizeAccessList(readResult.entries, "read");
-    const writeNorm = normalizeAccessList(writeResult.entries, "write");
-    if (readNorm.warning)
-        console.warn(`Warning: ${readNorm.warning}`);
-    if (writeNorm.warning)
-        console.warn(`Warning: ${writeNorm.warning}`);
-    const readAccess = readNorm.normalized;
-    const writeAccess = writeNorm.normalized;
-    // Validate: at least one access must be specified
-    if (readAccess.length === 0 && writeAccess.length === 0) {
-        console.error("Error: At least one of --read or --write must be specified.");
-        console.error("Try 'axvault key create --help' for more information.");
-        process.exitCode = 2;
-        return;
-    }
-    try {
-        const config = getServerConfig(options);
-        const database = getDatabase(config.databasePath);
-        runMigrations(database);
-        const apiKey = createApiKey(database, {
-            name: options.name,
-            readAccess,
-            writeAccess,
-        });
-        if (options.json) {
-            console.warn("Warning: JSON output contains the secret key. Avoid logging in CI.");
-            console.log(JSON.stringify({
-                id: apiKey.id,
-                name: apiKey.name,
-                key: apiKey.key,
-                readAccess: apiKey.readAccess,
-                writeAccess: apiKey.writeAccess,
-                createdAt: apiKey.createdAt.toISOString(),
-            }, undefined, 2));
-        }
-        else {
-            console.error(`Created API key: ${sanitizeForTsv(apiKey.name)}`);
-            console.error(`ID: ${sanitizeForTsv(apiKey.id)}`);
-            console.error(`Read access: ${sanitizeForTsv(formatAccessList(apiKey.readAccess))}`);
-            console.error(`Write access: ${sanitizeForTsv(formatAccessList(apiKey.writeAccess))}`);
-            console.error("");
-            // Output the secret key to stdout for piping
-            console.log(apiKey.key);
-            console.error("");
-            console.error("Save this key securely - it cannot be retrieved later.");
-        }
-    }
-    catch (error) {
-        console.error(`Error: Failed to create API key: ${getErrorMessage(error)}`);
-        process.exitCode = 1;
-    }
-    finally {
-        closeDatabase();
-    }
-}
-export function handleKeyList(options) {
-    try {
-        const config = getServerConfig(options);
-        const database = getDatabase(config.databasePath);
-        runMigrations(database);
-        const keys = listApiKeys(database);
-        if (options.json) {
-            const output = keys.map((key) => ({
-                id: key.id,
-                name: key.name,
-                readAccess: key.readAccess,
-                writeAccess: key.writeAccess,
-                createdAt: key.createdAt.toISOString(),
-                lastUsedAt: formatDateForJson(key.lastUsedAt),
-            }));
-            console.log(JSON.stringify(output, undefined, 2));
-        }
-        else if (keys.length === 0) {
-            console.error("No API keys found.\nCreate one with: axvault key create --name <name> [--read <access>] [--write <access>]");
-        }
-        else {
-            console.log("ID\tNAME\tREAD ACCESS\tWRITE ACCESS\tLAST USED");
-            for (const key of keys)
-                console.log(formatKeyRow(key));
-        }
-    }
-    catch (error) {
-        console.error(`Error: Failed to list API keys: ${getErrorMessage(error)}`);
-        process.exitCode = 1;
-    }
-    finally {
-        closeDatabase();
-    }
-}
-export function handleKeyRevoke(id, options) {
-    // Reject inputs containing control characters BEFORE trimming
-    // (prevents silent bypass where \n or \t would be removed by trim)
-    if (containsControlChars(id)) {
-        console.error("Error: Invalid API key ID: contains control characters.");
-        console.error("API key IDs have format: k_<12 hex chars> (e.g., k_abc123def456)");
-        process.exitCode = 2;
-        return;
-    }
-    // Trim whitespace from ID (common copy-paste issue)
-    const trimmedId = id.trim();
-    // Validate ID format (k_ + 12 hex chars)
-    if (!isValidKeyId(trimmedId)) {
-        console.error(`Error: Invalid API key ID format: ${trimmedId}`);
-        console.error("API key IDs have format: k_<12 hex chars> (e.g., k_abc123def456)");
-        process.exitCode = 2;
-        return;
-    }
-    try {
-        const config = getServerConfig(options);
-        const database = getDatabase(config.databasePath);
-        runMigrations(database);
-        const deleted = deleteApiKey(database, trimmedId);
-        if (deleted) {
-            console.error(`Revoked API key: ${sanitizeForTsv(trimmedId)}`);
-        }
-        else {
-            console.error(`Error: API key not found: ${sanitizeForTsv(trimmedId)}`);
-            process.exitCode = 1;
-        }
-    }
-    catch (error) {
-        console.error(`Error: Failed to revoke API key: ${getErrorMessage(error)}`);
-        process.exitCode = 1;
-    }
-    finally {
-        closeDatabase();
-    }
-}
+export { handleKeyCreate } from "./key-create.js";
+export { handleKeyList } from "./key-list.js";
+export { handleKeyRevoke } from "./key-revoke.js";
+export { handleKeyUpdate } from "./key-update.js";

package/dist/db/migrations.d.ts

@@ -4,7 +4,7 @@
  * Uses a simple version-based migration system.
  */
 import type Database from "better-sqlite3";
-declare const CURRENT_VERSION = 3;
+declare const CURRENT_VERSION = 5;
 /** Run all pending migrations */
 declare function runMigrations(database: Database.Database): void;
 /** Get current schema version */

package/dist/db/migrations.js

@@ -3,7 +3,7 @@
  *
  * Uses a simple version-based migration system.
  */
-const CURRENT_VERSION = 3;
+const CURRENT_VERSION = 5;
 /** Run all pending migrations */
 function runMigrations(database) {
     const version = getSchemaVersion(database);
@@ -16,6 +16,12 @@ function runMigrations(database) {
     if (version < 3) {
         migrateToV3(database);
     }
+    if (version < 4) {
+        migrateToV4(database);
+    }
+    if (version < 5) {
+        migrateToV5(database);
+    }
 }
 /** Get current schema version */
 function getSchemaVersion(database) {
@@ -110,4 +116,36 @@ function migrateToV3(database) {
         setSchemaVersion(database, 3);
     })();
 }
+/**
+ * Migration to version 4: Add grant_access column to api_keys
+ *
+ * The grant permission controls which credentials a key can delegate access to.
+ * Existing keys get an empty grant_access array (no delegation rights).
+ */
+function migrateToV4(database) {
+    database.transaction(() => {
+        database.exec(`
+      ALTER TABLE api_keys ADD COLUMN grant_access TEXT NOT NULL DEFAULT '[]'
+    `);
+        setSchemaVersion(database, 4);
+    })();
+}
+/**
+ * Migration to version 5: Rename credential type "oauth" to "oauth-credentials"
+ *
+ * Distinguishes refreshable OAuth credentials (oauth-credentials) from
+ * long-lived OAuth tokens like CLAUDE_CODE_OAUTH_TOKEN (oauth-token).
+ *
+ * - `oauth-credentials`: Full OAuth flow with accessToken, refreshToken, expiresAt (refreshable)
+ * - `oauth-token`: Long-lived OAuth token for CI/CD (static, no refresh)
+ * - `api-key`: API key (static)
+ */
+function migrateToV5(database) {
+    database.transaction(() => {
+        database.exec(`
+      UPDATE credentials SET type = 'oauth-credentials' WHERE type = 'oauth'
+    `);
+        setSchemaVersion(database, 5);
+    })();
+}
 export { CURRENT_VERSION, getSchemaVersion, runMigrations };

package/dist/db/repositories/api-keys.d.ts

@@ -11,6 +11,7 @@ interface ApiKeyRecord {
     keyHash: string;
     readAccess: string[];
     writeAccess: string[];
+    grantAccess: string[];
     createdAt: Date;
     lastUsedAt: Date | undefined;
 }
@@ -23,6 +24,7 @@ declare function createApiKey(database: Database.Database, options: {
     name: string;
     readAccess: string[];
     writeAccess: string[];
+    grantAccess: string[];
 }): ApiKeyWithSecret;
 /** Find API key by raw key value */
 declare function findApiKeyByKey(database: Database.Database, key: string): ApiKeyRecord | undefined;
@@ -38,5 +40,13 @@ declare function deleteApiKey(database: Database.Database, id: string): boolean;
 declare function hasReadAccess(apiKey: ApiKeyRecord, agent: string, name: string): boolean;
 /** Check if API key has write access to a credential */
 declare function hasWriteAccess(apiKey: ApiKeyRecord, agent: string, name: string): boolean;
-export { createApiKey, deleteApiKey, findApiKeyById, findApiKeyByKey, hasReadAccess, hasWriteAccess, listApiKeys, updateLastUsed, };
+/** Check if API key has grant access to a credential */
+declare function hasGrantAccess(apiKey: ApiKeyRecord, agent: string, name: string): boolean;
+/** Update an API key's access permissions */
+declare function updateApiKeyAccess(database: Database.Database, id: string, options: {
+    readAccess?: string[];
+    writeAccess?: string[];
+    grantAccess?: string[];
+}): boolean;
+export { createApiKey, deleteApiKey, findApiKeyById, findApiKeyByKey, hasGrantAccess, hasReadAccess, hasWriteAccess, listApiKeys, updateApiKeyAccess, updateLastUsed, };
 export type { ApiKeyRecord, ApiKeyWithSecret };

package/dist/db/repositories/api-keys.js

@@ -12,6 +12,7 @@ function rowToRecord(row) {
         keyHash: row.key_hash,
         readAccess: JSON.parse(row.read_access),
         writeAccess: JSON.parse(row.write_access),
+        grantAccess: JSON.parse(row.grant_access),
         createdAt: new Date(row.created_at),
         lastUsedAt: row.last_used_at ? new Date(row.last_used_at) : undefined,
     };
@@ -20,7 +21,7 @@ function rowToRecord(row) {
 function hashApiKey(key) {
     return createHash("sha256").update(key).digest("hex");
 }
-const SELECT_COLUMNS = `id, name, key_hash, read_access, write_access, created_at, last_used_at`;
+const SELECT_COLUMNS = `id, name, key_hash, read_access, write_access, grant_access, created_at, last_used_at`;
 /** Create a new API key */
 function createApiKey(database, options) {
     const id = `k_${randomBytes(6).toString("hex")}`;
@@ -28,9 +29,9 @@ function createApiKey(database, options) {
     const keyHash = hashApiKey(key);
     const now = Date.now();
     database
-        .prepare(`INSERT INTO api_keys (id, name, key_hash, read_access, write_access, created_at)
-     VALUES (?, ?, ?, ?, ?, ?)`)
-        .run(id, options.name, keyHash, JSON.stringify(options.readAccess), JSON.stringify(options.writeAccess), now);
+        .prepare(`INSERT INTO api_keys (id, name, key_hash, read_access, write_access, grant_access, created_at)
+     VALUES (?, ?, ?, ?, ?, ?, ?)`)
+        .run(id, options.name, keyHash, JSON.stringify(options.readAccess), JSON.stringify(options.writeAccess), JSON.stringify(options.grantAccess), now);
     return {
         id,
         name: options.name,
@@ -38,6 +39,7 @@ function createApiKey(database, options) {
         keyHash,
         readAccess: options.readAccess,
         writeAccess: options.writeAccess,
+        grantAccess: options.grantAccess,
         createdAt: new Date(now),
         lastUsedAt: undefined,
     };
@@ -83,4 +85,31 @@ function hasWriteAccess(apiKey, agent, name) {
     const path = `${agent}/${name}`;
     return apiKey.writeAccess.includes("*") || apiKey.writeAccess.includes(path);
 }
-export { createApiKey, deleteApiKey, findApiKeyById, findApiKeyByKey, hasReadAccess, hasWriteAccess, listApiKeys, updateLastUsed, };
+/** Check if API key has grant access to a credential */
+function hasGrantAccess(apiKey, agent, name) {
+    const path = `${agent}/${name}`;
+    return apiKey.grantAccess.includes("*") || apiKey.grantAccess.includes(path);
+}
+/** Update an API key's access permissions */
+function updateApiKeyAccess(database, id, options) {
+    const updates = [];
+    const values = [];
+    if (options.readAccess !== undefined) {
+        updates.push("read_access = ?");
+        values.push(JSON.stringify(options.readAccess));
+    }
+    if (options.writeAccess !== undefined) {
+        updates.push("write_access = ?");
+        values.push(JSON.stringify(options.writeAccess));
+    }
+    if (options.grantAccess !== undefined) {
+        updates.push("grant_access = ?");
+        values.push(JSON.stringify(options.grantAccess));
+    }
+    if (updates.length === 0)
+        return false;
+    values.push(id);
+    const sql = `UPDATE api_keys SET ${updates.join(", ")} WHERE id = ?`;
+    return database.prepare(sql).run(...values).changes > 0;
+}
+export { createApiKey, deleteApiKey, findApiKeyById, findApiKeyByKey, hasGrantAccess, hasReadAccess, hasWriteAccess, listApiKeys, updateApiKeyAccess, updateLastUsed, };

package/dist/db/repositories/audit-log.d.ts

@@ -9,7 +9,7 @@ interface AuditLogEntry {
     id: number;
     timestamp: Date;
     apiKeyId: string | undefined;
-    action: "auth" | "read" | "write" | "delete" | "refresh" | "list";
+    action: "auth" | "read" | "write" | "delete" | "refresh" | "list" | "grant";
     agent: string | undefined;
     name: string | undefined;
     success: boolean;

package/dist/db/repositories/credentials-queries.d.ts

@@ -0,0 +1,8 @@
+/**
+ * SQL queries for credentials repository.
+ */
+export declare const UPSERT_CREDENTIAL = "\n  INSERT INTO credentials (agent, name, type, encrypted_data, salt, iv, auth_tag, created_at, updated_at, expires_at)\n  VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)\n  ON CONFLICT(agent, name) DO UPDATE SET\n    type = excluded.type, encrypted_data = excluded.encrypted_data, salt = excluded.salt, iv = excluded.iv, auth_tag = excluded.auth_tag,\n    updated_at = excluded.updated_at, expires_at = excluded.expires_at";
+export declare const SELECT_CREDENTIAL = "\n  SELECT agent, name, type, encrypted_data, salt, iv, auth_tag, created_at, updated_at, expires_at\n  FROM credentials WHERE agent = ? AND name = ?";
+export declare const SELECT_ALL_METADATA = "\n  SELECT agent, name, type, created_at, updated_at, expires_at\n  FROM credentials ORDER BY agent, name";
+export declare const DELETE_CREDENTIAL = "\n  DELETE FROM credentials WHERE agent = ? AND name = ?";
+export declare const UPDATE_EXPIRES_AT = "\n  UPDATE credentials SET expires_at = ?, updated_at = ? WHERE agent = ? AND name = ?";

package/dist/db/repositories/credentials-queries.js

@@ -0,0 +1,19 @@
+/**
+ * SQL queries for credentials repository.
+ */
+export const UPSERT_CREDENTIAL = `
+  INSERT INTO credentials (agent, name, type, encrypted_data, salt, iv, auth_tag, created_at, updated_at, expires_at)
+  VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+  ON CONFLICT(agent, name) DO UPDATE SET
+    type = excluded.type, encrypted_data = excluded.encrypted_data, salt = excluded.salt, iv = excluded.iv, auth_tag = excluded.auth_tag,
+    updated_at = excluded.updated_at, expires_at = excluded.expires_at`;
+export const SELECT_CREDENTIAL = `
+  SELECT agent, name, type, encrypted_data, salt, iv, auth_tag, created_at, updated_at, expires_at
+  FROM credentials WHERE agent = ? AND name = ?`;
+export const SELECT_ALL_METADATA = `
+  SELECT agent, name, type, created_at, updated_at, expires_at
+  FROM credentials ORDER BY agent, name`;
+export const DELETE_CREDENTIAL = `
+  DELETE FROM credentials WHERE agent = ? AND name = ?`;
+export const UPDATE_EXPIRES_AT = `
+  UPDATE credentials SET expires_at = ?, updated_at = ? WHERE agent = ? AND name = ?`;

package/dist/db/repositories/credentials.d.ts

@@ -4,30 +4,8 @@
  * Manages encrypted credential storage.
  */
 import type Database from "better-sqlite3";
-/** Valid credential types */
-type CredentialType = "oauth" | "api-key";
-/** Credential record stored in database */
-interface CredentialRecord {
-    agent: string;
-    name: string;
-    type: CredentialType;
-    encryptedData: Buffer;
-    salt: Buffer;
-    iv: Buffer;
-    authTag: Buffer;
-    createdAt: Date;
-    updatedAt: Date;
-    expiresAt: Date | undefined;
-}
-/** Credential metadata (without encrypted data) */
-interface CredentialMetadata {
-    agent: string;
-    name: string;
-    type: CredentialType;
-    createdAt: Date;
-    updatedAt: Date;
-    expiresAt: Date | undefined;
-}
+import type { CredentialType } from "axshared";
+import { type CredentialMetadata, type CredentialRecord } from "./parse-credential-row.js";
 /** Store or update a credential */
 declare function upsertCredential(database: Database.Database, credential: {
     agent: string;
@@ -50,4 +28,4 @@ declare function deleteCredential(database: Database.Database, agent: string, na
 /** Update expiration time after refresh */
 declare function updateExpiresAt(database: Database.Database, agent: string, name: string, expiresAt: Date | undefined): void;
 export { deleteCredential, getCredential, listCredentials, listCredentialsForApiKey, updateExpiresAt, upsertCredential, };
-export type { CredentialMetadata, CredentialRecord, CredentialType };
+export type { CredentialMetadata, CredentialRecord, } from "./parse-credential-row.js";

package/dist/db/repositories/credentials.js

@@ -3,64 +3,25 @@
  *
  * Manages encrypted credential storage.
  */
-/** Validate credential type from database */
-function validateType(type) {
-    if (type !== "oauth" && type !== "api-key") {
-        throw new Error(`Invalid credential type: ${type}`);
-    }
-    return type;
-}
-/** Convert database row to record */
-function rowToRecord(row) {
-    return {
-        agent: row.agent,
-        name: row.name,
-        type: validateType(row.type),
-        encryptedData: row.encrypted_data,
-        salt: row.salt,
-        iv: row.iv,
-        authTag: row.auth_tag,
-        createdAt: new Date(row.created_at),
-        updatedAt: new Date(row.updated_at),
-        expiresAt: row.expires_at ? new Date(row.expires_at) : undefined,
-    };
-}
-/** Convert metadata row to metadata */
-function rowToMetadata(row) {
-    return {
-        agent: row.agent,
-        name: row.name,
-        type: validateType(row.type),
-        createdAt: new Date(row.created_at),
-        updatedAt: new Date(row.updated_at),
-        expiresAt: row.expires_at ? new Date(row.expires_at) : undefined,
-    };
-}
+import * as SQL from "./credentials-queries.js";
+import { rowToMetadata, rowToRecord, } from "./parse-credential-row.js";
 /** Store or update a credential */
 function upsertCredential(database, credential) {
     const now = Date.now();
-    /* eslint-disable unicorn/no-null -- SQLite requires null for NULL values */
+    // eslint-disable-next-line unicorn/no-null -- SQLite requires null for NULL values
+    const expiresAt = credential.expiresAt?.getTime() ?? null;
     database
-        .prepare(`INSERT INTO credentials (agent, name, type, encrypted_data, salt, iv, auth_tag, created_at, updated_at, expires_at)
-     VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
-     ON CONFLICT(agent, name) DO UPDATE SET
-       type = excluded.type, encrypted_data = excluded.encrypted_data, salt = excluded.salt, iv = excluded.iv, auth_tag = excluded.auth_tag,
-       updated_at = excluded.updated_at, expires_at = excluded.expires_at`)
-        .run(credential.agent, credential.name, credential.type, credential.encryptedData, credential.salt, credential.iv, credential.authTag, now, now, credential.expiresAt?.getTime() ?? null);
-    /* eslint-enable unicorn/no-null */
+        .prepare(SQL.UPSERT_CREDENTIAL)
+        .run(credential.agent, credential.name, credential.type, credential.encryptedData, credential.salt, credential.iv, credential.authTag, now, now, expiresAt);
 }
 /** Get a credential by agent and name */
 function getCredential(database, agent, name) {
-    const row = database
-        .prepare(`SELECT agent, name, type, encrypted_data, salt, iv, auth_tag, created_at, updated_at, expires_at FROM credentials WHERE agent = ? AND name = ?`)
-        .get(agent, name);
+    const row = database.prepare(SQL.SELECT_CREDENTIAL).get(agent, name);
     return row ? rowToRecord(row) : undefined;
 }
 /** List all credentials (metadata only) */
 function listCredentials(database) {
-    const rows = database
-        .prepare(`SELECT agent, name, type, created_at, updated_at, expires_at FROM credentials ORDER BY agent, name`)
-        .all();
+    const rows = database.prepare(SQL.SELECT_ALL_METADATA).all();
     return rows.map((row) => rowToMetadata(row));
 }
 /** List credentials accessible by an API key's read access list */
@@ -71,15 +32,12 @@ function listCredentialsForApiKey(database, readAccess) {
 }
 /** Delete a credential */
 function deleteCredential(database, agent, name) {
-    return (database
-        .prepare(`DELETE FROM credentials WHERE agent = ? AND name = ?`)
-        .run(agent, name).changes > 0);
+    return database.prepare(SQL.DELETE_CREDENTIAL).run(agent, name).changes > 0;
 }
 /** Update expiration time after refresh */
 function updateExpiresAt(database, agent, name, expiresAt) {
-    database
-        .prepare(`UPDATE credentials SET expires_at = ?, updated_at = ? WHERE agent = ? AND name = ?`)
-        // eslint-disable-next-line unicorn/no-null -- SQLite requires null for NULL values
-        .run(expiresAt?.getTime() ?? null, Date.now(), agent, name);
+    // eslint-disable-next-line unicorn/no-null -- SQLite requires null for NULL values
+    const expires = expiresAt?.getTime() ?? null;
+    database.prepare(SQL.UPDATE_EXPIRES_AT).run(expires, Date.now(), agent, name);
 }
 export { deleteCredential, getCredential, listCredentials, listCredentialsForApiKey, updateExpiresAt, upsertCredential, };

package/dist/db/repositories/parse-credential-row.d.ts

@@ -0,0 +1,33 @@
+/**
+ * Pure functions for parsing credential database rows.
+ */
+import { CredentialType } from "axshared";
+import type { CredentialRow, MetadataRow } from "../types.js";
+/** Credential record stored in database */
+interface CredentialRecord {
+    agent: string;
+    name: string;
+    type: CredentialType;
+    encryptedData: Buffer;
+    salt: Buffer;
+    iv: Buffer;
+    authTag: Buffer;
+    createdAt: Date;
+    updatedAt: Date;
+    expiresAt: Date | undefined;
+}
+/** Credential metadata (without encrypted data) */
+interface CredentialMetadata {
+    agent: string;
+    name: string;
+    type: CredentialType;
+    createdAt: Date;
+    updatedAt: Date;
+    expiresAt: Date | undefined;
+}
+/** Convert database row to record */
+declare function rowToRecord(row: CredentialRow): CredentialRecord;
+/** Convert metadata row to metadata */
+declare function rowToMetadata(row: MetadataRow): CredentialMetadata;
+export { rowToMetadata, rowToRecord };
+export type { CredentialMetadata, CredentialRecord };

package/dist/db/repositories/parse-credential-row.js

@@ -0,0 +1,39 @@
+/**
+ * Pure functions for parsing credential database rows.
+ */
+import { CredentialType } from "axshared";
+/** Parse and validate credential type from database */
+function parseCredentialType(type) {
+    const result = CredentialType.safeParse(type);
+    if (!result.success) {
+        throw new Error(`Invalid credential type: ${type}`);
+    }
+    return result.data;
+}
+/** Convert database row to record */
+function rowToRecord(row) {
+    return {
+        agent: row.agent,
+        name: row.name,
+        type: parseCredentialType(row.type),
+        encryptedData: row.encrypted_data,
+        salt: row.salt,
+        iv: row.iv,
+        authTag: row.auth_tag,
+        createdAt: new Date(row.created_at),
+        updatedAt: new Date(row.updated_at),
+        expiresAt: row.expires_at ? new Date(row.expires_at) : undefined,
+    };
+}
+/** Convert metadata row to metadata */
+function rowToMetadata(row) {
+    return {
+        agent: row.agent,
+        name: row.name,
+        type: parseCredentialType(row.type),
+        createdAt: new Date(row.created_at),
+        updatedAt: new Date(row.updated_at),
+        expiresAt: row.expires_at ? new Date(row.expires_at) : undefined,
+    };
+}
+export { rowToMetadata, rowToRecord };

package/dist/db/types.d.ts

@@ -8,6 +8,7 @@ export interface ApiKeyRow {
     key_hash: string;
     read_access: string;
     write_access: string;
+    grant_access: string;
     created_at: number;
     last_used_at: number | null;
 }

package/dist/handlers/get-credential.js

@@ -1,6 +1,7 @@
 /**
  * GET /api/v1/credentials/:agent/:name handler.
  */
+import { isRefreshableCredentialType } from "axshared";
 import { hasReadAccess } from "../db/repositories/api-keys.js";
 import { getCredential } from "../db/repositories/credentials.js";
 import { logAccess } from "../db/repositories/audit-log.js";
@@ -69,7 +70,7 @@ function createGetCredentialHandler(database, config) {
         let wasRefreshed = false;
         let refreshFailed = false;
         if (config.refreshThresholdSeconds > 0 &&
-            credential.type === "oauth" &&
+            isRefreshableCredentialType(credential.type) &&
             isRefreshable(data) &&
             needsRefresh(data, config.refreshThresholdSeconds)) {
             try {

package/dist/handlers/put-credential.js

@@ -1,6 +1,7 @@
 /**
  * PUT /api/v1/credentials/:agent/:name handler.
  */
+import { CredentialType, } from "axshared";
 import { hasWriteAccess } from "../db/repositories/api-keys.js";
 import { upsertCredential } from "../db/repositories/credentials.js";
 import { logAccess } from "../db/repositories/audit-log.js";
@@ -43,7 +44,8 @@ function createPutCredentialHandler(database) {
                 .json({ error: "Request body must include 'data' object" });
             return;
         }
-        if (body.type !== "oauth" && body.type !== "api-key") {
+        const typeResult = CredentialType.safeParse(body.type);
+        if (!typeResult.success) {
             logAccess(database, {
                 apiKeyId: apiKey.id,
                 action: "write",
@@ -53,11 +55,11 @@ function createPutCredentialHandler(database) {
                 errorMessage: "Invalid type",
             });
             response.status(400).json({
-                error: 'Request body must include \'type\' ("oauth" or "api-key")',
+                error: `Request body must include 'type' (${CredentialType.options.map((t) => `"${t}"`).join(", ")})`,
             });
             return;
         }
-        const credentialType = body.type;
+        const credentialType = typeResult.data;
         try {
             const encrypted = encryptCredential(body.data);
             let expiresAt;

package/dist/lib/format.d.ts

@@ -39,6 +39,7 @@ export declare function formatKeyRow(key: {
     name: string;
     readAccess: string[];
     writeAccess: string[];
+    grantAccess: string[];
     lastUsedAt?: Date;
 }): string;
 /**

package/dist/lib/format.js

@@ -74,8 +74,9 @@ export function formatKeyRow(key) {
     const name = sanitizeForTsv(key.name);
     const readAccess = sanitizeForTsv(formatAccessList(key.readAccess));
     const writeAccess = sanitizeForTsv(formatAccessList(key.writeAccess));
+    const grantAccess = sanitizeForTsv(formatAccessList(key.grantAccess));
     const lastUsed = formatRelativeTime(key.lastUsedAt);
-    return `${id}\t${name}\t${readAccess}\t${writeAccess}\t${lastUsed}`;
+    return `${id}\t${name}\t${readAccess}\t${writeAccess}\t${grantAccess}\t${lastUsed}`;
 }
 /**
  * Validate access list entry format.