axvault 1.11.3 → 1.13.0

package/README.md

@@ -5,68 +5,53 @@ Remote credential storage server for a╳kit.
 ## Prerequisites
 
 - Node.js 22.19+
+- PostgreSQL 14+ (local install or via Docker: `docker run -p 5432:5432 -e POSTGRES_PASSWORD=postgres postgres:17-alpine`)
 - `pnpm` (for `pnpm dlx axvault`) or `npx` (for `npx -y axvault`)
-- `jq` for scripting against `--json` output
+- `jq` for scripting against JSON API responses
 
 If `axvault` is not installed globally, prefix commands with `npx -y axvault` (or `pnpm dlx axvault`).
 
 ## Quick start
 
 ```bash
+# Start PostgreSQL (if not already running)
+docker run -d --name axvault-db -p 5432:5432 \
+  -e POSTGRES_PASSWORD=postgres -e POSTGRES_DB=axvault \
+  postgres:17-alpine
+
+# Generate encryption key
 umask 077
 printf 'AXVAULT_ENCRYPTION_KEY=' > .env
 openssl rand -base64 32 >> .env
+printf '\nAXVAULT_DATABASE_URL=postgresql://postgres:postgres@localhost:5432/axvault\n' >> .env
 chmod 600 .env
 set -a
 . ./.env
 set +a
-mkdir -p ./data
-npx -y axvault init
-npx -y axvault serve
-```
-
-Keep the `.env` file and reuse the same key between restarts to avoid losing access to existing credentials.
-
-In a new shell, you must re-export the variables from `.env` before running `axvault` commands (the server does not load `.env` automatically).
-
-In another shell, create an API key:
-
-```bash
-npx -y axvault key create --name "Admin" --read "*" --write "*" --grant "*"
-```
-
-Add `--verbose` to commands like `init`, `serve`, `key revoke`, `key update`, and
-`credential delete` to see status output.
-
-## Output formats
 
-List commands output TSV by default. Use `--json` on `key create`, `key list`,
-`key update`, and `credential list` for structured output (note: `key create
---json` includes the secret key).
-
-```bash
-npx -y axvault key list --json | jq -r '.[].id'
+# Start server (runs migrations and creates bootstrap admin key on first startup)
+npx -y axvault serve
 ```
 
-## Pipeline examples
+On first startup, axvault runs database migrations and creates a bootstrap admin API key with full access. The secret is printed to stderr — **save it immediately**, it cannot be retrieved later.
 
-### Extract key IDs
+Keep the `.env` file and reuse the same encryption key between restarts to avoid losing access to existing credentials.
 
-```bash
-npx -y axvault key list | tail -n +2 | cut -f1
-```
+## Architecture
 
-### Count credentials by creation date
+axvault is a server-only tool. The CLI has a single command (`serve`) that starts the HTTP server. All key and credential management is done through the HTTP API.
 
-```bash
-npx -y axvault credential list --json | jq -r '.[].createdAt | split("T")[0]' | sort | uniq -c | sort -rn
-```
+On startup, the server:
 
-### List credential names in the `claude` namespace
+1. Runs database migrations (idempotent, so they are safe to re-run on every startup)
+2. Creates a bootstrap admin API key if no keys exist (serialized with an advisory lock, prints secret to stderr)
+3. Starts listening for HTTP requests
 
-```bash
-npx -y axvault credential list | tail -n +2 | awk -F'\t' '$1 ~ /^claude\./ {print $1}'
-```
+Migration files must remain replay-safe because axvault re-runs them on every
+startup instead of tracking applied versions. Use guarded SQL such as
+`CREATE ... IF NOT EXISTS` or `ALTER ... ADD COLUMN IF NOT EXISTS`. If a future
+schema change cannot be written safely that way, switch back to tracked
+migrations rather than adding a one-shot file to this runner.
 
 ## Agent Rule
 
@@ -77,24 +62,24 @@ Add to your `CLAUDE.md` or `AGENTS.md`:
 
 Run `npx -y axvault --help` to learn available options.
 
-Use `axvault` when you need to initialize the vault database, manage API keys,
-or list/delete stored credentials. List commands output TSV by default; add
-`--json` for structured output you can pipe into `jq`.
+Use `axvault serve` to start the credential vault server. All key and credential
+management is done via the HTTP API. On first startup, a bootstrap admin API key
+is created and printed to stderr.
 ```
 
 ## Configuration
 
 ### Environment Variables
 
-| Variable                     | Description                                                          | Default             |
-| ---------------------------- | -------------------------------------------------------------------- | ------------------- |
-| `AXVAULT_PORT`               | Port to listen on                                                    | `3847`              |
-| `AXVAULT_HOST`               | Host to bind to                                                      | `127.0.0.1`         |
-| `AXVAULT_DB_PATH`            | Database file path                                                   | `./data/axvault.db` |
-| `AXVAULT_ENCRYPTION_KEY`     | Encryption key (min 32 chars, required)                              | —                   |
-| `AXVAULT_REFRESH_THRESHOLD`  | Refresh credentials expiring within this many seconds (0 to disable) | `3600`              |
-| `AXVAULT_REFRESH_TIMEOUT_MS` | Timeout for refresh operations in milliseconds                       | `30000`             |
-| `AXVAULT_LOG_LEVEL`          | Log level (trace, debug, info, warn, error, fatal, silent)           | `info`              |
+| Variable                     | Description                                                          | Default                               |
+| ---------------------------- | -------------------------------------------------------------------- | ------------------------------------- |
+| `AXVAULT_PORT`               | Port to listen on                                                    | `3847`                                |
+| `AXVAULT_HOST`               | Host to bind to                                                      | `127.0.0.1`                           |
+| `AXVAULT_DATABASE_URL`       | PostgreSQL connection URL                                            | `postgresql://localhost:5432/axvault` |
+| `AXVAULT_ENCRYPTION_KEY`     | Encryption key (min 32 chars, required)                              | —                                     |
+| `AXVAULT_REFRESH_THRESHOLD`  | Refresh credentials expiring within this many seconds (0 to disable) | `3600`                                |
+| `AXVAULT_REFRESH_TIMEOUT_MS` | Timeout for refresh operations in milliseconds                       | `30000`                               |
+| `AXVAULT_LOG_LEVEL`          | Log level (trace, debug, info, warn, error, fatal, silent)           | `info`                                |
 
 ### CLI Flags
 
@@ -104,7 +89,7 @@ The `serve` command accepts flags that override environment variables:
 npx -y axvault serve \
   --port 8080 \
   --host 0.0.0.0 \
-  --db-path /data/vault.db \
+  --database-url postgresql://localhost:5432/axvault \
   --refresh-threshold 7200 \
   --refresh-timeout 60000 \
   --log-level debug
@@ -112,86 +97,60 @@ npx -y axvault serve \
 
 Setting `--refresh-threshold 0` disables automatic credential refresh.
 
-## Confirmation flags
-
-Destructive commands require confirmation: `axvault key revoke` and `axvault
-credential delete` require `--force` (alias `--yes`).
-
 ## API Keys
 
 API keys control access to the credential API. Each key has configurable permissions:
 
 - **Read**: retrieve credentials
 - **Write**: store and delete credentials
-- **Grant**: delegate access to other keys (enforcement coming in future release)
-
-### Create an API Key
+- **Grant**: manage other API keys
 
-```bash
-# Full access (read, write, and grant)
-npx -y axvault key create --name "Admin" --read "*" --write "*" --grant "*"
+### Bootstrap Key
 
-# Read/write access only
-npx -y axvault key create --name "CI Pipeline" --read "*" --write "*"
+On first startup (when no keys exist), axvault creates a "Bootstrap Admin" key with full access (`*` for read, write, and grant). The secret is printed to stderr.
 
-# Restricted access
-npx -y axvault key create --name "Claude Reader" --read "claude.work,claude.ci"
-npx -y axvault key create --name "Deploy Script" --write "claude.prod,codex.prod"
+### Managing Keys via API
 
-# Grant-only key (for delegation, does not allow direct read/write)
-npx -y axvault key create --name "Issuer" --grant "claude.work,claude.ci"
-```
-
-The command outputs metadata to stderr and the secret key to stdout for easy piping:
-
-```
-# stderr (visible in terminal):
-Created API key: CI Pipeline
-ID: k_a1b2c3d4e5f6
-Read access: *
-Write access: *
-Grant access: (none)
+All key management is done through the HTTP API:
 
-Save this key securely - it cannot be retrieved later.
-
-# stdout (can be piped):
-axv_sk_0123456789abcdef0123456789abcdef
-```
-
-To copy directly to clipboard: `npx -y axvault key create --name "My Key" --read "*" | pbcopy`
-
-### List Keys
-
-```bash
-npx -y axvault key list
-```
-
-### Update a Key
-
-Modify an existing key's permissions:
+- `POST /api/v1/keys` accepts either a bootstrap/admin key or a scoped grant
+  key, as long as every requested read/write/grant entry stays within the
+  caller's `grantAccess` list.
+- `PATCH /api/v1/keys/:id` only works when the target key's current and resulting
+  permissions both stay within the caller's `grantAccess` list. In practice,
+  scoped grant keys can only update keys that are already fully inside their
+  scope.
+- `GET /api/v1/keys`, `GET /api/v1/keys/:id`, and `DELETE /api/v1/keys/:id`
+  require full grant access (`grantAccess: ["*"]`).
 
 ```bash
-# Add read access for new credentials
-npx -y axvault key update k_a1b2c3d4e5f6 --add-read "gemini.prod"
+API_KEY="axv_sk_..."  # Bootstrap/admin key with grantAccess ["*"]
 
-# Remove write access
-npx -y axvault key update k_a1b2c3d4e5f6 --remove-write "claude.test"
+# Create a new key
+curl -X POST https://vault.example.com/api/v1/keys \
+  -H "Authorization: Bearer $API_KEY" \
+  -H "Content-Type: application/json" \
+  -d '{"name": "CI Pipeline", "readAccess": ["*"], "writeAccess": ["*"], "grantAccess": []}'
 
-# Add grant permissions
-npx -y axvault key update k_a1b2c3d4e5f6 --add-grant "claude.work"
+# List all keys
+curl https://vault.example.com/api/v1/keys \
+  -H "Authorization: Bearer $API_KEY"
 
-# Multiple changes at once
-npx -y axvault key update k_a1b2c3d4e5f6 --add-read "codex.ci" --remove-write "claude.dev"
-```
+# Get a single key
+curl https://vault.example.com/api/v1/keys/k_a1b2c3d4e5f6 \
+  -H "Authorization: Bearer $API_KEY"
 
-### Revoke a Key
+# Update key permissions
+curl -X PATCH https://vault.example.com/api/v1/keys/k_a1b2c3d4e5f6 \
+  -H "Authorization: Bearer $API_KEY" \
+  -H "Content-Type: application/json" \
+  -d '{"readAccess": ["claude.work", "codex.ci"]}'
 
-```bash
-npx -y axvault key revoke k_a1b2c3d4e5f6 --force
+# Revoke a key
+curl -X DELETE https://vault.example.com/api/v1/keys/k_a1b2c3d4e5f6 \
+  -H "Authorization: Bearer $API_KEY"
 ```
 
-This command requires `--force` or `--yes` to confirm.
-
 ### Container Deployments
 
 Container images are published automatically to `registry.j4k.dev/axvault` on every release (multi-arch: amd64 + arm64). To rebuild manually, run `workflow_dispatch` on `publish-image` and provide the required `version` input (for example `1.7.0`).
@@ -203,13 +162,13 @@ The image uses an external UID pattern—no user is baked into the image. **Alwa
 > **Security note:** Without `-u`/`--user`, the container runs as root. For Kubernetes, set `runAsUser: 1000` and `runAsNonRoot: true` in your SecurityContext.
 
 ```bash
-# Docker
+# Docker (requires a PostgreSQL instance accessible from the container)
 docker run -d \
   --name axvault \
   -p 3847:3847 \
   -u 1000:1000 \
   -e AXVAULT_ENCRYPTION_KEY="your-secret-key-minimum-32-chars!" \
-  -v /srv/axvault/data:/data \
+  -e AXVAULT_DATABASE_URL="postgresql://user:pass@db-host:5432/axvault" \
   registry.j4k.dev/axvault:latest
 
 # Podman
@@ -218,29 +177,25 @@ podman run -d \
   -p 3847:3847 \
   --user 1000:1000 \
   -e AXVAULT_ENCRYPTION_KEY="your-secret-key-minimum-32-chars!" \
-  -v /srv/axvault/data:/data:Z \
+  -e AXVAULT_DATABASE_URL="postgresql://user:pass@db-host:5432/axvault" \
   registry.j4k.dev/axvault:latest
 ```
 
-#### Volume Ownership
+**Note:** `AXVAULT_DATABASE_URL` must point to an accessible PostgreSQL instance. The Containerfile default (`postgresql://localhost:5432/axvault`) refers to the container itself, so standalone `docker run` users must provide this variable. For a batteries-included setup, use `docker-compose.yml` which includes a PostgreSQL service.
 
-The data volume must be owned by the UID/GID the container runs as:
-
-```bash
-# Create directory and set ownership before first run
-sudo mkdir -p /srv/axvault/data
-sudo chown 1000:1000 /srv/axvault/data
-```
-
-For rootless Podman, use your user's UID or let Podman handle mapping automatically.
+The bootstrap admin key is created on first startup and printed to the container logs. Retrieve it with `docker logs axvault` or `podman logs axvault`.
 
 #### Quadlet (systemd)
 
+This example references `axvault-db.service`, which is a PostgreSQL container you must provide separately as a companion Quadlet (`axvault-db.container`). Alternatively, point `AXVAULT_DATABASE_URL` at an existing PostgreSQL instance and remove the `Requires`/`After` lines.
+
 Create `/etc/containers/systemd/axvault.container`:
 
 ```ini
 [Unit]
 Description=axvault credential server
+Requires=axvault-db.service
+After=axvault-db.service
 
 [Container]
 Image=registry.j4k.dev/axvault:latest
@@ -248,7 +203,7 @@ PublishPort=3847:3847
 User=1000
 Group=1000
 Environment=AXVAULT_ENCRYPTION_KEY=your-secret-key-minimum-32-chars!
-Volume=/srv/axvault/data:/data:Z
+Environment=AXVAULT_DATABASE_URL=postgresql://axvault:axvault@axvault-db:5432/axvault
 
 [Service]
 Restart=always
@@ -264,18 +219,6 @@ sudo systemctl daemon-reload
 sudo systemctl start axvault
 ```
 
-#### Managing Keys in Containers
-
-Exec into the container to manage API keys:
-
-```bash
-# Podman
-sudo podman exec axvault node /app/node_modules/axvault/bin/axvault key create --name "My Key" --read "*" --write "*"
-
-# Docker
-docker exec axvault node /app/node_modules/axvault/bin/axvault key create --name "My Key" --read "*" --write "*"
-```
-
 ## Credentials API
 
 ### Store a Credential
@@ -454,13 +397,13 @@ Alternatively, use separate environment variables:
 
 ### Common Errors
 
-| Error            | Cause                                      | Solution                                                                                |
-| ---------------- | ------------------------------------------ | --------------------------------------------------------------------------------------- |
-| `not-configured` | Missing `AXVAULT_URL` or `AXVAULT_API_KEY` | Set both environment variables or use `AXVAULT` JSON                                    |
-| `unauthorized`   | Invalid API key                            | Verify key with `npx -y axvault key list`, create new if needed                         |
-| `forbidden`      | No access to credential                    | Add credential to key's read access: `npx -y axvault key update <id> --add-read <path>` |
-| `not-found`      | Credential doesn't exist                   | Store credential first: `axauth vault push --agent <agent> --name <name>`               |
-| `unreachable`    | Network issue or server down               | Check vault URL, verify server is running                                               |
+| Error            | Cause                                      | Solution                                                                  |
+| ---------------- | ------------------------------------------ | ------------------------------------------------------------------------- |
+| `not-configured` | Missing `AXVAULT_URL` or `AXVAULT_API_KEY` | Set both environment variables or use `AXVAULT` JSON                      |
+| `unauthorized`   | Invalid API key                            | Check the key via the keys API, create a new one if needed                |
+| `forbidden`      | No access to credential                    | Update key permissions via `PATCH /api/v1/keys/:id`                       |
+| `not-found`      | Credential doesn't exist                   | Store credential first: `axauth vault push --agent <agent> --name <name>` |
+| `unreachable`    | Network issue or server down               | Check vault URL, verify server is running                                 |
 
 ### Debugging
 
@@ -470,10 +413,11 @@ Alternatively, use separate environment variables:
    curl -I $AXVAULT_URL/api/v1/health
    ```
 
-2. Verify API key permissions:
+2. List API keys (requires grant access):
 
    ```bash
-   npx -y axvault key list  # on server
+   curl -H "Authorization: Bearer $AXVAULT_API_KEY" \
+     $AXVAULT_URL/api/v1/keys
    ```
 
 3. Check credential exists:

package/dist/cli.d.ts

@@ -2,7 +2,8 @@
 /**
  * axvault - Remote credential storage server for axkit.
  *
- * Stores agent credentials and serves them via API.
+ * Starts the vault server. All key and credential management is done
+ * via the HTTP API once the server is running.
  */
 export {};
 //# sourceMappingURL=cli.d.ts.map

package/dist/cli.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AACA;;;;GAIG"}
+{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AACA;;;;;GAKG"}

package/dist/cli.js

@@ -2,13 +2,11 @@
 /**
  * axvault - Remote credential storage server for axkit.
  *
- * Stores agent credentials and serves them via API.
+ * Starts the vault server. All key and credential management is done
+ * via the HTTP API once the server is running.
  */
 import { Command } from "@commander-js/extra-typings";
 import packageJson from "../package.json" with { type: "json" };
-import { handleCredentialDelete, handleCredentialList, } from "./commands/credential.js";
-import { handleInit } from "./commands/init.js";
-import { handleKeyCreate, handleKeyList, handleKeyRevoke, handleKeyUpdate, } from "./commands/key.js";
 import { handleServe } from "./commands/serve.js";
 const program = new Command()
     .name(packageJson.name)
@@ -19,121 +17,24 @@ const program = new Command()
     .helpCommand(false)
     .addHelpText("after", String.raw `
 Examples:
-  # Initialize database
-  axvault init
-
-  # Start server
+  # Start server (runs migrations and creates bootstrap key on first run)
   axvault serve
 
   # Start server on custom port
   axvault serve --port 8080
 
-  # Create an API key with read access (at least one of --read/--write required)
-  axvault key create --name "CI Pipeline" --read "claude.work,codex.ci"
-
-  # Create a write-only API key
-  axvault key create --name "Uploader" --write "claude.backups"
-
-  # Create an admin API key with full access
-  axvault key create --name "Admin" --read "*" --write "*" --grant "*"
-
-  # List all API keys
-  axvault key list
-
-  # Extract key IDs for scripting (pipeline example)
-  axvault key list | tail -n +2 | cut -f1
-
-  # Update an API key's permissions
-  axvault key update k_abc123def456 --add-read "claude.new"
-
-  # Revoke an API key
-  axvault key revoke k_abc123def456 --force
-
-  # List all stored credentials
-  axvault credential list
-
-  # Delete a credential
-  axvault credential delete claude.work --force`);
-program
-    .command("init")
-    .description("Initialize database and configuration")
-    .option("--db-path <path>", "Database file path")
-    .option("-v, --verbose", "Enable verbose output")
-    .action(handleInit);
+  # Start with debug logging
+  axvault serve --log-level debug`);
 program
     .command("serve")
     .description("Start the vault server")
     .option("-p, --port <port>", "Port to listen on")
     .option("-H, --host <host>", "Host to bind to")
-    .option("--db-path <path>", "Database file path")
+    .option("--database-url <url>", "PostgreSQL connection URL")
     .option("--refresh-threshold <seconds>", "Refresh credentials expiring within this many seconds (0 to disable)")
     .option("--refresh-timeout <ms>", "Timeout for refresh operations in milliseconds")
     .option("--log-level <level>", "Log level (trace, debug, info, warn, error, fatal, silent)")
     .option("-v, --verbose", "Enable verbose output")
     .action(handleServe);
-// API key management commands
-const keyCommand = program
-    .command("key")
-    .description("Manage API keys")
-    .helpCommand(false);
-keyCommand
-    .command("create")
-    .description("Create a new API key")
-    .requiredOption("-n, --name <name>", "Name for the API key")
-    .option("-r, --read <access>", "Comma-separated read access list (e.g., 'claude.work,codex.ci' or '*')")
-    .option("-w, --write <access>", "Comma-separated write access list (e.g., 'claude.ci' or '*')")
-    .option("-g, --grant <access>", "Comma-separated grant access list (can delegate these to other keys)")
-    .option("--json", "Output as JSON")
-    .option("--db-path <path>", "Database file path")
-    .action(handleKeyCreate);
-keyCommand
-    .command("list")
-    .description("List all API keys")
-    .option("--json", "Output as JSON")
-    .option("--db-path <path>", "Database file path")
-    .action(handleKeyList);
-keyCommand
-    .command("revoke")
-    .description("Revoke an API key")
-    .argument("<id>", "API key ID (e.g., k_abc123def456)")
-    .option("-f, --force", "Confirm destructive action")
-    .option("-y, --yes", "Alias for --force")
-    .option("-v, --verbose", "Enable verbose output")
-    .option("--db-path <path>", "Database file path")
-    .action(handleKeyRevoke);
-keyCommand
-    .command("update")
-    .description("Update an API key's permissions")
-    .argument("<id>", "API key ID (e.g., k_abc123def456)")
-    .option("--add-read <access>", "Add read access entries")
-    .option("--add-write <access>", "Add write access entries")
-    .option("--add-grant <access>", "Add grant access entries")
-    .option("--remove-read <access>", "Remove read access entries")
-    .option("--remove-write <access>", "Remove write access entries")
-    .option("--remove-grant <access>", "Remove grant access entries")
-    .option("--json", "Output as JSON")
-    .option("-v, --verbose", "Enable verbose output")
-    .option("--db-path <path>", "Database file path")
-    .action(handleKeyUpdate);
-// Credential management commands
-const credentialCommand = program
-    .command("credential")
-    .description("Manage stored credentials")
-    .helpCommand(false);
-credentialCommand
-    .command("list")
-    .description("List all stored credentials")
-    .option("--json", "Output as JSON")
-    .option("--db-path <path>", "Database file path")
-    .action(handleCredentialList);
-credentialCommand
-    .command("delete")
-    .description("Delete a credential")
-    .argument("<name>", "Credential name (e.g., claude.work)")
-    .option("-f, --force", "Confirm destructive action")
-    .option("-y, --yes", "Alias for --force")
-    .option("-v, --verbose", "Enable verbose output")
-    .option("--db-path <path>", "Database file path")
-    .action(handleCredentialDelete);
 await program.parseAsync(process.argv);
 //# sourceMappingURL=cli.js.map

package/dist/cli.js.map

@@ -1 +1 @@
-{"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AACA;;;;GAIG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,6BAA6B,CAAC;AAEtD,OAAO,WAAW,MAAM,iBAAiB,CAAC,OAAO,IAAI,EAAE,MAAM,EAAE,CAAC;AAChE,OAAO,EACL,sBAAsB,EACtB,oBAAoB,GACrB,MAAM,0BAA0B,CAAC;AAClC,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAChD,OAAO,EACL,eAAe,EACf,aAAa,EACb,eAAe,EACf,eAAe,GAChB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAElD,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE;KAC1B,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC;KACtB,WAAW,CAAC,WAAW,CAAC,WAAW,CAAC;KACpC,OAAO,CAAC,WAAW,CAAC,OAAO,EAAE,eAAe,CAAC;KAC7C,kBAAkB,CAAC,yCAAyC,CAAC;KAC7D,wBAAwB,EAAE;KAC1B,WAAW,CAAC,KAAK,CAAC;KAClB,WAAW,CACV,OAAO,EACP,MAAM,CAAC,GAAG,CAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;gDAoCkC,CAC7C,CAAC;AAEJ,OAAO;KACJ,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,uCAAuC,CAAC;KACpD,MAAM,CAAC,kBAAkB,EAAE,oBAAoB,CAAC;KAChD,MAAM,CAAC,eAAe,EAAE,uBAAuB,CAAC;KAChD,MAAM,CAAC,UAAU,CAAC,CAAC;AAEtB,OAAO;KACJ,OAAO,CAAC,OAAO,CAAC;KAChB,WAAW,CAAC,wBAAwB,CAAC;KACrC,MAAM,CAAC,mBAAmB,EAAE,mBAAmB,CAAC;KAChD,MAAM,CAAC,mBAAmB,EAAE,iBAAiB,CAAC;KAC9C,MAAM,CAAC,kBAAkB,EAAE,oBAAoB,CAAC;KAChD,MAAM,CACL,+BAA+B,EAC/B,sEAAsE,CACvE;KACA,MAAM,CACL,wBAAwB,EACxB,gDAAgD,CACjD;KACA,MAAM,CACL,qBAAqB,EACrB,4DAA4D,CAC7D;KACA,MAAM,CAAC,eAAe,EAAE,uBAAuB,CAAC;KAChD,MAAM,CAAC,WAAW,CAAC,CAAC;AAEvB,8BAA8B;AAC9B,MAAM,UAAU,GAAG,OAAO;KACvB,OAAO,CAAC,KAAK,CAAC;KACd,WAAW,CAAC,iBAAiB,CAAC;KAC9B,WAAW,CAAC,KAAK,CAAC,CAAC;AAEtB,UAAU;KACP,OAAO,CAAC,QAAQ,CAAC;KACjB,WAAW,CAAC,sBAAsB,CAAC;KACnC,cAAc,CAAC,mBAAmB,EAAE,sBAAsB,CAAC;KAC3D,MAAM,CACL,qBAAqB,EACrB,wEAAwE,CACzE;KACA,MAAM,CACL,sBAAsB,EACtB,8DAA8D,CAC/D;KACA,MAAM,CACL,sBAAsB,EACtB,sEAAsE,CACvE;KACA,MAAM,CAAC,QAAQ,EAAE,gBAAgB,CAAC;KAClC,MAAM,CAAC,kBAAkB,EAAE,oBAAoB,CAAC;KAChD,MAAM,CAAC,eAAe,CAAC,CAAC;AAE3B,UAAU;KACP,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,mBAAmB,CAAC;KAChC,MAAM,CAAC,QAAQ,EAAE,gBAAgB,CAAC;KAClC,MAAM,CAAC,kBAAkB,EAAE,oBAAoB,CAAC;KAChD,MAAM,CAAC,aAAa,CAAC,CAAC;AAEzB,UAAU;KACP,OAAO,CAAC,QAAQ,CAAC;KACjB,WAAW,CAAC,mBAAmB,CAAC;KAChC,QAAQ,CAAC,MAAM,EAAE,mCAAmC,CAAC;KACrD,MAAM,CAAC,aAAa,EAAE,4BAA4B,CAAC;KACnD,MAAM,CAAC,WAAW,EAAE,mBAAmB,CAAC;KACxC,MAAM,CAAC,eAAe,EAAE,uBAAuB,CAAC;KAChD,MAAM,CAAC,kBAAkB,EAAE,oBAAoB,CAAC;KAChD,MAAM,CAAC,eAAe,CAAC,CAAC;AAE3B,UAAU;KACP,OAAO,CAAC,QAAQ,CAAC;KACjB,WAAW,CAAC,iCAAiC,CAAC;KAC9C,QAAQ,CAAC,MAAM,EAAE,mCAAmC,CAAC;KACrD,MAAM,CAAC,qBAAqB,EAAE,yBAAyB,CAAC;KACxD,MAAM,CAAC,sBAAsB,EAAE,0BAA0B,CAAC;KAC1D,MAAM,CAAC,sBAAsB,EAAE,0BAA0B,CAAC;KAC1D,MAAM,CAAC,wBAAwB,EAAE,4BAA4B,CAAC;KAC9D,MAAM,CAAC,yBAAyB,EAAE,6BAA6B,CAAC;KAChE,MAAM,CAAC,yBAAyB,EAAE,6BAA6B,CAAC;KAChE,MAAM,CAAC,QAAQ,EAAE,gBAAgB,CAAC;KAClC,MAAM,CAAC,eAAe,EAAE,uBAAuB,CAAC;KAChD,MAAM,CAAC,kBAAkB,EAAE,oBAAoB,CAAC;KAChD,MAAM,CAAC,eAAe,CAAC,CAAC;AAE3B,iCAAiC;AACjC,MAAM,iBAAiB,GAAG,OAAO;KAC9B,OAAO,CAAC,YAAY,CAAC;KACrB,WAAW,CAAC,2BAA2B,CAAC;KACxC,WAAW,CAAC,KAAK,CAAC,CAAC;AAEtB,iBAAiB;KACd,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,6BAA6B,CAAC;KAC1C,MAAM,CAAC,QAAQ,EAAE,gBAAgB,CAAC;KAClC,MAAM,CAAC,kBAAkB,EAAE,oBAAoB,CAAC;KAChD,MAAM,CAAC,oBAAoB,CAAC,CAAC;AAEhC,iBAAiB;KACd,OAAO,CAAC,QAAQ,CAAC;KACjB,WAAW,CAAC,qBAAqB,CAAC;KAClC,QAAQ,CAAC,QAAQ,EAAE,qCAAqC,CAAC;KACzD,MAAM,CAAC,aAAa,EAAE,4BAA4B,CAAC;KACnD,MAAM,CAAC,WAAW,EAAE,mBAAmB,CAAC;KACxC,MAAM,CAAC,eAAe,EAAE,uBAAuB,CAAC;KAChD,MAAM,CAAC,kBAAkB,EAAE,oBAAoB,CAAC;KAChD,MAAM,CAAC,sBAAsB,CAAC,CAAC;AAElC,MAAM,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC"}
+{"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AACA;;;;;GAKG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,6BAA6B,CAAC;AAEtD,OAAO,WAAW,MAAM,iBAAiB,CAAC,OAAO,IAAI,EAAE,MAAM,EAAE,CAAC;AAChE,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAElD,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE;KAC1B,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC;KACtB,WAAW,CAAC,WAAW,CAAC,WAAW,CAAC;KACpC,OAAO,CAAC,WAAW,CAAC,OAAO,EAAE,eAAe,CAAC;KAC7C,kBAAkB,CAAC,yCAAyC,CAAC;KAC7D,wBAAwB,EAAE;KAC1B,WAAW,CAAC,KAAK,CAAC;KAClB,WAAW,CACV,OAAO,EACP,MAAM,CAAC,GAAG,CAAA;;;;;;;;;kCASoB,CAC/B,CAAC;AAEJ,OAAO;KACJ,OAAO,CAAC,OAAO,CAAC;KAChB,WAAW,CAAC,wBAAwB,CAAC;KACrC,MAAM,CAAC,mBAAmB,EAAE,mBAAmB,CAAC;KAChD,MAAM,CAAC,mBAAmB,EAAE,iBAAiB,CAAC;KAC9C,MAAM,CAAC,sBAAsB,EAAE,2BAA2B,CAAC;KAC3D,MAAM,CACL,+BAA+B,EAC/B,sEAAsE,CACvE;KACA,MAAM,CACL,wBAAwB,EACxB,gDAAgD,CACjD;KACA,MAAM,CACL,qBAAqB,EACrB,4DAA4D,CAC7D;KACA,MAAM,CAAC,eAAe,EAAE,uBAAuB,CAAC;KAChD,MAAM,CAAC,WAAW,CAAC,CAAC;AAEvB,MAAM,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC"}

package/dist/commands/serve.d.ts

@@ -1,10 +1,14 @@
 /**
  * Start server command handler.
+ *
+ * Builds the Fastify app, registers plugins in dependency order
+ * (database → auth → routes), runs migrations, creates a bootstrap
+ * API key on first startup, and starts listening.
  */
 interface ServeOptions {
     port?: string;
     host?: string;
-    dbPath?: string;
+    databaseUrl?: string;
     refreshThreshold?: string;
     refreshTimeout?: string;
     logLevel?: string;

package/dist/commands/serve.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"serve.d.ts","sourceRoot":"","sources":["../../src/commands/serve.ts"],"names":[],"mappings":"AAAA;;GAEG;AAiBH,UAAU,YAAY;IACpB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED,wBAAsB,WAAW,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CA+GtE"}
+{"version":3,"file":"serve.d.ts","sourceRoot":"","sources":["../../src/commands/serve.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAkBH,UAAU,YAAY;IACpB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAMD,wBAAsB,WAAW,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CA2GtE"}