npm - axvault - Versions diffs - 1.11.3 → 1.13.0 - Mend

axvault 1.11.3 → 1.13.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (246) hide show

package/README.md +91 -147
package/dist/cli.d.ts +2 -1
package/dist/cli.d.ts.map +1 -1
package/dist/cli.js +6 -105
package/dist/cli.js.map +1 -1
package/dist/commands/serve.d.ts +5 -1
package/dist/commands/serve.d.ts.map +1 -1
package/dist/commands/serve.js +88 -79
package/dist/commands/serve.js.map +1 -1
package/dist/config.d.ts +60 -9
package/dist/config.d.ts.map +1 -1
package/dist/config.js +53 -36
package/dist/config.js.map +1 -1
package/dist/db/bootstrap-api-key.d.ts +14 -0
package/dist/db/bootstrap-api-key.d.ts.map +1 -0
package/dist/db/bootstrap-api-key.js +26 -0
package/dist/db/bootstrap-api-key.js.map +1 -0
package/dist/db/create-pool.d.ts +5 -0
package/dist/db/create-pool.d.ts.map +1 -0
package/dist/db/create-pool.js +13 -0
package/dist/db/create-pool.js.map +1 -0
package/dist/db/migrations/001-initial.sql +41 -0
package/dist/db/repositories/api-keys.d.ts +11 -37
package/dist/db/repositories/api-keys.d.ts.map +1 -1
package/dist/db/repositories/api-keys.js +23 -67
package/dist/db/repositories/api-keys.js.map +1 -1
package/dist/db/repositories/audit-log.d.ts +9 -7
package/dist/db/repositories/audit-log.d.ts.map +1 -1
package/dist/db/repositories/audit-log.js +25 -24
package/dist/db/repositories/audit-log.js.map +1 -1
package/dist/db/repositories/create-api-key.d.ts +30 -0
package/dist/db/repositories/create-api-key.d.ts.map +1 -0
package/dist/db/repositories/create-api-key.js +37 -0
package/dist/db/repositories/create-api-key.js.map +1 -0
package/dist/db/repositories/credentials-queries.d.ts +6 -6
package/dist/db/repositories/credentials-queries.d.ts.map +1 -1
package/dist/db/repositories/credentials-queries.js +8 -8
package/dist/db/repositories/credentials-queries.js.map +1 -1
package/dist/db/repositories/credentials.d.ts +9 -25
package/dist/db/repositories/credentials.d.ts.map +1 -1
package/dist/db/repositories/credentials.js +38 -34
package/dist/db/repositories/credentials.js.map +1 -1
package/dist/db/repositories/list-credentials-paginated.d.ts +2 -2
package/dist/db/repositories/list-credentials-paginated.d.ts.map +1 -1
package/dist/db/repositories/list-credentials-paginated.js +26 -26
package/dist/db/repositories/list-credentials-paginated.js.map +1 -1
package/dist/db/repositories/update-api-key-access.d.ts +12 -0
package/dist/db/repositories/update-api-key-access.d.ts.map +1 -0
package/dist/db/repositories/update-api-key-access.js +29 -0
package/dist/db/repositories/update-api-key-access.js.map +1 -0
package/dist/db/repositories/update-credential-if-unchanged.d.ts +20 -0
package/dist/db/repositories/update-credential-if-unchanged.d.ts.map +1 -0
package/dist/db/repositories/update-credential-if-unchanged.js +22 -0
package/dist/db/repositories/update-credential-if-unchanged.js.map +1 -0
package/dist/db/run-migrations.d.ts +16 -0
package/dist/db/run-migrations.d.ts.map +1 -0
package/dist/db/run-migrations.js +26 -0
package/dist/db/run-migrations.js.map +1 -0
package/dist/db/types.d.ts +6 -2
package/dist/db/types.d.ts.map +1 -1
package/dist/db/types.js +1 -1
package/dist/format-error-message.d.ts +7 -0
package/dist/format-error-message.d.ts.map +1 -0
package/dist/format-error-message.js +19 -0
package/dist/format-error-message.js.map +1 -0
package/dist/handlers/refresh-credential-on-read.d.ts +2 -2
package/dist/handlers/refresh-credential-on-read.d.ts.map +1 -1
package/dist/handlers/refresh-credential-on-read.js +8 -8
package/dist/handlers/refresh-credential-on-read.js.map +1 -1
package/dist/index.d.ts +14 -7
package/dist/index.d.ts.map +1 -1
package/dist/index.js +15 -7
package/dist/index.js.map +1 -1
package/dist/lib/access-list.d.ts +13 -0
package/dist/lib/access-list.d.ts.map +1 -0
package/dist/lib/access-list.js +22 -0
package/dist/lib/access-list.js.map +1 -0
package/dist/lib/credential-name.d.ts +1 -6
package/dist/lib/credential-name.d.ts.map +1 -1
package/dist/lib/credential-name.js +1 -4
package/dist/lib/credential-name.js.map +1 -1
package/dist/schemas/request.d.ts +35 -0
package/dist/schemas/request.d.ts.map +1 -0
package/dist/schemas/request.js +76 -0
package/dist/schemas/request.js.map +1 -0
package/dist/schemas/{api.d.ts → response.d.ts} +6 -32
package/dist/schemas/response.d.ts.map +1 -0
package/dist/schemas/response.js +59 -0
package/dist/schemas/response.js.map +1 -0
package/dist/server/plugins/auth.d.ts +19 -0
package/dist/server/plugins/auth.d.ts.map +1 -0
package/dist/server/plugins/auth.js +51 -0
package/dist/server/plugins/auth.js.map +1 -0
package/dist/server/plugins/config.d.ts +14 -0
package/dist/server/plugins/config.d.ts.map +1 -0
package/dist/server/plugins/config.js +19 -0
package/dist/server/plugins/config.js.map +1 -0
package/dist/server/plugins/database.d.ts +12 -0
package/dist/server/plugins/database.d.ts.map +1 -0
package/dist/server/plugins/database.js +20 -0
package/dist/server/plugins/database.js.map +1 -0
package/dist/server/routes/credentials.d.ts +8 -0
package/dist/server/routes/credentials.d.ts.map +1 -0
package/dist/server/routes/credentials.js +82 -0
package/dist/server/routes/credentials.js.map +1 -0
package/dist/server/routes/handle-create-key.d.ts +10 -0
package/dist/server/routes/handle-create-key.d.ts.map +1 -0
package/dist/server/routes/handle-create-key.js +44 -0
package/dist/server/routes/handle-create-key.js.map +1 -0
package/dist/server/routes/handle-delete-credential.d.ts +10 -0
package/dist/server/routes/handle-delete-credential.d.ts.map +1 -0
package/dist/server/routes/handle-delete-credential.js +47 -0
package/dist/server/routes/handle-delete-credential.js.map +1 -0
package/dist/server/routes/handle-delete-key.d.ts +11 -0
package/dist/server/routes/handle-delete-key.d.ts.map +1 -0
package/dist/server/routes/handle-delete-key.js +40 -0
package/dist/server/routes/handle-delete-key.js.map +1 -0
package/dist/server/routes/handle-get-credential.d.ts +18 -0
package/dist/server/routes/handle-get-credential.d.ts.map +1 -0
package/dist/{handlers/get-credential.js → server/routes/handle-get-credential.js} +23 -40
package/dist/server/routes/handle-get-credential.js.map +1 -0
package/dist/server/routes/handle-list-credentials.d.ts +13 -0
package/dist/server/routes/handle-list-credentials.d.ts.map +1 -0
package/dist/{handlers/list-credentials.js → server/routes/handle-list-credentials.js} +13 -32
package/dist/server/routes/handle-list-credentials.js.map +1 -0
package/dist/server/routes/handle-put-credential.d.ts +14 -0
package/dist/server/routes/handle-put-credential.d.ts.map +1 -0
package/dist/{handlers/put-credential.js → server/routes/handle-put-credential.js} +30 -38
package/dist/server/routes/handle-put-credential.js.map +1 -0
package/dist/server/routes/handle-update-key.d.ts +13 -0
package/dist/server/routes/handle-update-key.d.ts.map +1 -0
package/dist/server/routes/handle-update-key.js +74 -0
package/dist/server/routes/handle-update-key.js.map +1 -0
package/dist/server/routes/health.d.ts +7 -0
package/dist/server/routes/health.d.ts.map +1 -0
package/dist/server/routes/health.js +25 -0
package/dist/server/routes/health.js.map +1 -0
package/dist/server/routes/keys.d.ts +12 -0
package/dist/server/routes/keys.d.ts.map +1 -0
package/dist/server/routes/keys.js +119 -0
package/dist/server/routes/keys.js.map +1 -0
package/dist/server/routes/log-grant-event.d.ts +7 -0
package/dist/server/routes/log-grant-event.d.ts.map +1 -0
package/dist/server/routes/log-grant-event.js +15 -0
package/dist/server/routes/log-grant-event.js.map +1 -0
package/dist/server/send-sensible-error.d.ts +7 -0
package/dist/server/send-sensible-error.d.ts.map +1 -0
package/dist/server/send-sensible-error.js +40 -0
package/dist/server/send-sensible-error.js.map +1 -0
package/dist/server/server.d.ts +6 -17
package/dist/server/server.d.ts.map +1 -1
package/dist/server/server.js +72 -56
package/dist/server/server.js.map +1 -1
package/package.json +11 -4
package/dist/commands/credential.d.ts +0 -17
package/dist/commands/credential.d.ts.map +0 -1
package/dist/commands/credential.js +0 -126
package/dist/commands/credential.js.map +0 -1
package/dist/commands/init.d.ts +0 -10
package/dist/commands/init.d.ts.map +0 -1
package/dist/commands/init.js +0 -56
package/dist/commands/init.js.map +0 -1
package/dist/commands/key-create.d.ts +0 -14
package/dist/commands/key-create.d.ts.map +0 -1
package/dist/commands/key-create.js +0 -100
package/dist/commands/key-create.js.map +0 -1
package/dist/commands/key-list.d.ts +0 -10
package/dist/commands/key-list.d.ts.map +0 -1
package/dist/commands/key-list.js +0 -46
package/dist/commands/key-list.js.map +0 -1
package/dist/commands/key-revoke.d.ts +0 -12
package/dist/commands/key-revoke.d.ts.map +0 -1
package/dist/commands/key-revoke.js +0 -56
package/dist/commands/key-revoke.js.map +0 -1
package/dist/commands/key-update.d.ts +0 -17
package/dist/commands/key-update.d.ts.map +0 -1
package/dist/commands/key-update.js +0 -110
package/dist/commands/key-update.js.map +0 -1
package/dist/commands/key.d.ts +0 -10
package/dist/commands/key.d.ts.map +0 -1
package/dist/commands/key.js +0 -10
package/dist/commands/key.js.map +0 -1
package/dist/db/client.d.ts +0 -14
package/dist/db/client.d.ts.map +0 -1
package/dist/db/client.js +0 -39
package/dist/db/client.js.map +0 -1
package/dist/db/migrations.d.ts +0 -14
package/dist/db/migrations.d.ts.map +0 -1
package/dist/db/migrations.js +0 -141
package/dist/db/migrations.js.map +0 -1
package/dist/handlers/create-key.d.ts +0 -14
package/dist/handlers/create-key.d.ts.map +0 -1
package/dist/handlers/create-key.js +0 -25
package/dist/handlers/create-key.js.map +0 -1
package/dist/handlers/delete-credential.d.ts +0 -15
package/dist/handlers/delete-credential.d.ts.map +0 -1
package/dist/handlers/delete-credential.js +0 -47
package/dist/handlers/delete-credential.js.map +0 -1
package/dist/handlers/delete-key.d.ts +0 -15
package/dist/handlers/delete-key.d.ts.map +0 -1
package/dist/handlers/delete-key.js +0 -26
package/dist/handlers/delete-key.js.map +0 -1
package/dist/handlers/get-credential.d.ts +0 -27
package/dist/handlers/get-credential.d.ts.map +0 -1
package/dist/handlers/get-credential.js.map +0 -1
package/dist/handlers/get-key.d.ts +0 -15
package/dist/handlers/get-key.d.ts.map +0 -1
package/dist/handlers/get-key.js +0 -21
package/dist/handlers/get-key.js.map +0 -1
package/dist/handlers/list-credentials.d.ts +0 -27
package/dist/handlers/list-credentials.d.ts.map +0 -1
package/dist/handlers/list-credentials.js.map +0 -1
package/dist/handlers/list-keys.d.ts +0 -11
package/dist/handlers/list-keys.d.ts.map +0 -1
package/dist/handlers/list-keys.js +0 -16
package/dist/handlers/list-keys.js.map +0 -1
package/dist/handlers/put-credential.d.ts +0 -24
package/dist/handlers/put-credential.d.ts.map +0 -1
package/dist/handlers/put-credential.js.map +0 -1
package/dist/handlers/update-key.d.ts +0 -17
package/dist/handlers/update-key.d.ts.map +0 -1
package/dist/handlers/update-key.js +0 -51
package/dist/handlers/update-key.js.map +0 -1
package/dist/lib/format.d.ts +0 -89
package/dist/lib/format.d.ts.map +0 -1
package/dist/lib/format.js +0 -180
package/dist/lib/format.js.map +0 -1
package/dist/lib/parse-access-options.d.ts +0 -38
package/dist/lib/parse-access-options.d.ts.map +0 -1
package/dist/lib/parse-access-options.js +0 -85
package/dist/lib/parse-access-options.js.map +0 -1
package/dist/middleware/auth.d.ts +0 -22
package/dist/middleware/auth.d.ts.map +0 -1
package/dist/middleware/auth.js +0 -48
package/dist/middleware/auth.js.map +0 -1
package/dist/middleware/require-grant-access.d.ts +0 -10
package/dist/middleware/require-grant-access.d.ts.map +0 -1
package/dist/middleware/require-grant-access.js +0 -14
package/dist/middleware/require-grant-access.js.map +0 -1
package/dist/schemas/api.d.ts.map +0 -1
package/dist/schemas/api.js +0 -119
package/dist/schemas/api.js.map +0 -1
package/dist/server/routes.d.ts +0 -14
package/dist/server/routes.d.ts.map +0 -1
package/dist/server/routes.js +0 -200
package/dist/server/routes.js.map +0 -1

package/dist/commands/serve.js CHANGED Viewed

@@ -1,111 +1,120 @@
 /**
  * Start server command handler.
+ *
+ * Builds the Fastify app, registers plugins in dependency order
+ * (database → auth → routes), runs migrations, creates a bootstrap
+ * API key on first startup, and starts listening.
  */
-import { existsSync, mkdirSync } from "node:fs";
-import path from "node:path";
+import { fileURLToPath } from "node:url";
 import closeWithGrace from "close-with-grace";
-import { getServerConfig } from "../config.js";
-import { getDatabase, closeDatabase } from "../db/client.js";
-import { runMigrations } from "../db/migrations.js";
-import { createHealthPlugin, createCredentialPlugin, createKeyPlugin, } from "../server/routes.js";
-import { createServer } from "../server/server.js";
+import { formatErrorMessage } from "../format-error-message.js";
+import { resolveBuildAppConfig } from "../config.js";
+import { bootstrapApiKey } from "../db/bootstrap-api-key.js";
+import { runMigrations } from "../db/run-migrations.js";
+import configPlugin from "../server/plugins/config.js";
+import databasePlugin from "../server/plugins/database.js";
+import authPlugin from "../server/plugins/auth.js";
+import credentialRoutes from "../server/routes/credentials.js";
+import healthRoutes from "../server/routes/health.js";
+import keyRoutes from "../server/routes/keys.js";
+import { buildApp } from "../server/server.js";
+const migrationsDirectory = fileURLToPath(new URL("../db/migrations", import.meta.url));
 export async function handleServe(options) {
-    let config;
-    const verbose = options.verbose === true;
+    let buildConfig;
     try {
-        config = getServerConfig({
-            port: options.port,
-            host: options.host,
-            dbPath: options.dbPath,
-            refreshThresholdSeconds: options.refreshThreshold,
-            refreshTimeoutMs: options.refreshTimeout,
+        buildConfig = resolveBuildAppConfig({
             logLevel: options.logLevel,
         });
     }
     catch (error) {
-        const message = error instanceof Error ? error.message : String(error);
+        const message = formatErrorMessage(error);
         console.error(`Error: ${message}`);
         // eslint-disable-next-line unicorn/no-process-exit -- CLI config error
         process.exit(1);
     }
-    // Check encryption key is set
-    const encryptionKey = process.env["AXVAULT_ENCRYPTION_KEY"];
-    if (!encryptionKey || encryptionKey.length < 32) {
-        console.error("Error: AXVAULT_ENCRYPTION_KEY must be set to at least 32 characters");
-        // eslint-disable-next-line unicorn/no-process-exit -- CLI config error
+    // Build core app with security middleware and error handling
+    const app = buildApp(buildConfig);
+    try {
+        // Register plugins in dependency order: config → database → auth → routes
+        await app.register(configPlugin, {
+            overrides: {
+                port: options.port,
+                host: options.host,
+                databaseUrl: options.databaseUrl,
+                refreshThresholdSeconds: options.refreshThreshold,
+                refreshTimeoutMs: options.refreshTimeout,
+                logLevel: options.logLevel,
+            },
+        });
+        await app.register(databasePlugin, (parent) => ({
+            connectionString: parent.config.databaseUrl,
+        }));
+        await app.register(authPlugin);
+        await app.register(healthRoutes);
+        await app.register(credentialRoutes, (parent) => ({
+            refreshThresholdSeconds: parent.config.refreshThresholdSeconds,
+            refreshTimeoutMs: parent.config.refreshTimeoutMs,
+        }));
+        await app.register(keyRoutes);
+        // Initialize plugins (creates pool, decorators, validated config)
+        await app.ready();
+    }
+    catch (error) {
+        const message = formatErrorMessage(error);
+        console.error(`Error: ${message}`);
+        await app.close();
+        // eslint-disable-next-line unicorn/no-process-exit -- CLI config/startup error
         process.exit(1);
     }
-    // Ensure data directory exists (enables direct execution without init command)
-    const dataDirectory = path.dirname(config.databasePath);
-    if (!existsSync(dataDirectory)) {
-        try {
-            mkdirSync(dataDirectory, { recursive: true });
-            if (verbose)
-                console.error(`Created data directory: ${dataDirectory}`);
-        }
-        catch (error) {
-            const message = error instanceof Error ? error.message : String(error);
-            console.error(`Failed to create data directory '${dataDirectory}': ${message}`);
-            // eslint-disable-next-line unicorn/no-process-exit -- CLI startup failure
-            process.exit(1);
-        }
+    // Run migrations using the pool created by @fastify/postgres
+    try {
+        await runMigrations(app.pg.pool, migrationsDirectory);
     }
-    // Initialize database
-    let database;
+    catch (error) {
+        const message = formatErrorMessage(error);
+        app.log.error(`Failed to initialize database: ${message}`);
+        await app.close();
+        // eslint-disable-next-line unicorn/no-process-exit -- CLI startup failure
+        process.exit(1);
+    }
+    // Create bootstrap admin key on first startup (no keys exist)
     try {
-        database = getDatabase(config.databasePath);
-        runMigrations(database);
+        const bootstrapKey = await bootstrapApiKey(app.pg);
+        if (bootstrapKey) {
+            app.log.info({ keyId: bootstrapKey.id }, "Created bootstrap admin API key — save this secret, it cannot be retrieved later:");
+            // Print the secret to stderr so it's visible but not mixed with structured logs
+            console.error(`\n  ${bootstrapKey.key}\n`);
+        }
     }
     catch (error) {
-        const message = error instanceof Error ? error.message : String(error);
-        console.error(`Failed to initialize database: ${message}`);
-        console.error(`If this is a schema version mismatch, delete '${config.databasePath}' and restart.`);
+        const message = formatErrorMessage(error);
+        app.log.error(`Failed to create bootstrap key: ${message}`);
+        await app.close();
         // eslint-disable-next-line unicorn/no-process-exit -- CLI startup failure
         process.exit(1);
     }
-    // Create server with plugins
-    const server = createServer(config, [
-        createHealthPlugin(),
-        createCredentialPlugin(database, {
-            refreshThresholdSeconds: config.refreshThresholdSeconds,
-            refreshTimeoutMs: config.refreshTimeoutMs,
-        }),
-        createKeyPlugin(database),
-    ]);
-    // Graceful shutdown with close-with-grace.
-    // The composition root owns both the server and the database, so it is
-    // responsible for closing both in the correct order.
-    closeWithGrace({
-        delay: 5000,
-        logger: false,
-    }, async ({ signal, err }) => {
-        try {
-            if (err) {
-                server.app.log.error({ err, signal }, "Shutting down due to error");
-            }
-            else if (verbose) {
-                server.app.log.info({ signal }, "Shutting down...");
-            }
+    // Graceful shutdown
+    closeWithGrace({ delay: 5000, logger: false }, async ({ signal, err }) => {
+        if (err) {
+            app.log.error({ err, signal }, "Shutting down due to error");
         }
-        catch {
-            // Server not started yet; use console.error as fallback
-            if (err) {
-                console.error("Shutting down due to error:", err);
-            }
-            else if (verbose) {
-                console.error(`Shutting down (signal: ${signal})...`);
-            }
+        else if (options.verbose) {
+            app.log.info({ signal }, "Shutting down...");
         }
-        await server.stop();
-        closeDatabase();
+        await app.close();
     });
+    // Start listening
     try {
-        await server.start();
+        const address = await app.listen({
+            port: app.config.port,
+            host: app.config.host,
+        });
+        app.log.info({ address }, "axvault listening");
     }
     catch (error) {
-        const message = error instanceof Error ? error.message : String(error);
-        console.error(`Failed to start server on http://${config.host}:${config.port}:`, message);
-        closeDatabase();
+        const message = formatErrorMessage(error);
+        console.error(`Failed to start server on http://${app.config.host}:${app.config.port}:`, message);
+        await app.close();
         // eslint-disable-next-line unicorn/no-process-exit -- CLI startup failure
         process.exit(1);
     }

package/dist/commands/serve.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"serve.js","sourceRoot":"","sources":["../../src/commands/serve.ts"],"names":[],"mappings":"AAAA~~;;GAEG~~;AAEH,OAAO,EAAE,~~UAAU~~,EAAE,~~SAAS,EAAE,~~MAAM,~~SAAS~~,CAAC;~~AAChD~~,OAAO,~~IAAI~~,MAAM,~~WAAW~~,CAAC;~~AAE7B~~,OAAO,~~cAAc~~,MAAM,~~kBAAkB~~,CAAC;~~AAE9C~~,OAAO,EAAE,~~eAAe~~,EAAE,MAAM,cAAc,CAAC;~~AAC/C~~,OAAO,EAAE,~~WAAW~~,EAAE,~~aAAa,EAAE,~~MAAM,~~iBAAiB~~,CAAC;AAC7D,OAAO,EAAE,aAAa,EAAE,MAAM,~~qBAAqB~~,CAAC;~~AACpD~~,OAAO,~~EACL~~,~~kBAAkB~~,~~EAClB~~,~~sBAAsB~~,~~EACtB~~,~~eAAe~~,~~GAChB,~~MAAM,~~qBAAqB,~~CAAC;~~AAC7B~~,OAAO,~~EAAE~~,~~YAAY,EAAE,~~MAAM,~~qBAAqB~~,CAAC;~~AAYnD~~,~~MAAM~~,~~CAAC~~,~~KAAK~~,~~UAAU~~,~~WAAW,~~CAAC~~,OAAqB~~;~~IACrD~~,~~IAAI~~,MAAM,CAAC;~~IACX~~,~~MAAM,~~OAAO,~~GAAG~~,~~OAAO~~,CAAC,OAAO,~~KAAK~~,~~IAAI~~,~~CAAC;IACzC~~,~~IAAI~~,CAAC;~~QACH~~,MAAM,GAAG,~~eAAe~~,~~CAAC;YACvB~~,IAAI,EAAE,~~OAAO~~,CAAC,IAAI~~;YAClB~~,~~IAAI~~,~~EAAE~~,~~OAAO~~,CAAC~~,IAAI~~;~~YAClB~~,MAAM,~~EAAE~~,~~OAAO~~,CAAC,~~MAAM~~;~~YACtB~~,~~uBAAuB~~,~~EAAE~~,~~OAAO~~,CAAC~~,gBAAgB~~;~~YACjD~~,~~gBAAgB~~,~~EAAE~~,~~OAAO~~,CAAC~~,cAAc~~;~~YACxC~~,QAAQ,EAAE,OAAO,CAAC,QAAQ;SAC3B,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,OAAO,GAAG,~~KAAK~~,~~YAAY,KAAK,~~CAAC,~~CAAC,CAAC,~~KAAK,CAAC,~~OAAO,~~CAAC~~,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC~~;~~QACvE~~,OAAO,CAAC,KAAK,CAAC,UAAU,OAAO,EAAE,CAAC,CAAC;QACnC,uEAAuE;QACvE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,~~8BAA8B~~;~~IAC9B~~,MAAM,~~aAAa~~,GAAG,~~OAAO~~,CAAC,GAAG,CAAC,~~wBAAwB~~,CAAC,~~CAAC~~;~~IAC5D~~,IAAI,CAAC,~~aAAa~~,IAAI,~~aAAa~~,CAAC,~~MAAM~~,~~GAAG~~,EAAE,~~EAAE~~,CAAC;~~QAChD~~,OAAO,CAAC,~~KAAK~~,~~CACX~~,~~qEAAqE~~,~~CACtE~~,CAAC~~;QACF~~,~~uEAAuE~~;~~QACvE~~,OAAO,CAAC,~~IAAI~~,CAAC,CAAC,CAAC,CAAC~~;IAClB~~,CAAC~~;IAED,+EAA+E;IAC/E~~,MAAM,~~aAAa~~,~~GAAG~~,~~IAAI~~,CAAC,~~OAAO~~,CAAC,MAAM,CAAC,~~YAAY~~,CAAC,CAAC;~~IACxD~~,~~IAAI~~,CAAC,~~UAAU~~,CAAC,~~aAAa~~,CAAC,~~EAAE,~~CAAC;QAC/B,~~IAAI~~,CAAC;~~YACH~~,~~SAAS~~,CAAC,~~aAAa~~,~~EAAE~~,EAAE,~~SAAS~~,EAAE,~~IAAI,~~EAAE,CAAC,CAAC;~~YAC9C~~,~~IAAI~~,~~OAAO;gBAAE~~,~~OAAO~~,CAAC,~~KAAK~~,CAAC,~~2BAA2B~~,~~aAAa~~,EAAE,CAAC,CAAC;~~QACzE~~,CAAC~~;QAAC~~,~~OAAO~~,~~KAAK,EAAE,~~CAAC;~~YACf~~,MAAM,~~OAAO,~~GAAG,~~KAAK~~,~~YAAY~~,~~KAAK~~,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,~~CAAC~~,~~CAAC~~,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;~~YACvE~~,OAAO,CAAC,KAAK,~~CACX~~,~~oCAAoC~~,~~aAAa,MAAM,~~OAAO,EAAE,~~CACjE~~,CAAC;~~YACF~~,~~0EAA0E~~;~~YAC1E~~,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;~~QAClB~~,CAAC;~~IACH,CAAC;~~IAED,~~sBAAsB~~;~~IACtB~~,IAAI,~~QAAQ,~~CAAC;~~IACb,IAAI,CAAC;~~QACH,~~QAAQ~~,~~GAAG~~,~~WAAW,~~CAAC,~~MAAM~~,CAAC,~~YAAY~~,CAAC,~~CAAC;QAC5C~~,~~aAAa~~,~~CAAC~~,~~QAAQ,~~CAAC,CAAC;~~IAC1B~~,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,OAAO,GAAG,~~KAAK~~,~~YAAY~~,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,~~CAAC~~,CAAC,CAAC,MAAM,CAAC,KAAK,~~CAAC~~,CAAC;~~QACvE~~,OAAO,CAAC,~~KAAK~~,CAAC,~~kCAAkC~~,~~OAAO~~,~~EAAE,~~CAAC,CAAC;~~QAC3D~~,~~OAAO~~,CAAC,~~KAAK~~,~~CACX~~,~~iDAAiD~~,MAAM,CAAC,YAAY,~~gBAAgB~~,~~CACrF~~,CAAC;~~QACF~~,~~0EAA0E~~;~~QAC1E~~,OAAO,CAAC,~~IAAI~~,CAAC,CAAC,CAAC,CAAC;~~IAClB~~,CAAC;~~IAED~~,~~6BAA6B~~;~~IAC7B~~,~~MAAM~~,MAAM,GAAG,~~YAAY~~,CAAC,~~MAAM~~,~~EAAE~~;~~QAClC~~,~~kBAAkB~~,~~EAAE;QACpB~~,~~sBAAsB~~,CAAC,~~QAAQ~~,~~EAAE;YAC/B~~,~~uBAAuB~~,EAAE,~~MAAM~~,CAAC~~,uBAAuB~~;~~YACvD~~,~~gBAAgB~~,~~EAAE~~,~~MAAM,~~CAAC,~~gBAAgB;SAC1C~~,CAAC;~~QACF~~,~~eAAe~~,CAAC,~~QAAQ~~,CAAC~~;KAC1B~~,CAAC,CAAC~~;IAEH~~,~~2CAA2C~~;~~IAC3C~~,~~uEAAuE~~;~~IACvE~~,~~qDAAqD~~;~~IACrD~~,cAAc,~~CACZ;QACE~~,KAAK,EAAE,IAAI~~;QACX~~,MAAM,EAAE,KAAK~~;KACd~~,~~EACD~~,KAAK,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,EAAE,EAAE;~~QACxB~~,IAAI,~~CAAC;YACH,IAAI,~~GAAG,EAAE,CAAC;~~gBACR~~,~~MAAM,CAAC,~~GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,GAAG,EAAE,MAAM,EAAE,EAAE,4BAA4B,CAAC,CAAC;~~YACtE~~,CAAC;~~iBAAM~~,IAAI,OAAO,EAAE,CAAC;~~gBACnB~~,~~MAAM,CAAC,~~GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,EAAE,kBAAkB,CAAC,CAAC;~~YACtD~~,CAAC;~~QACH~~,~~CAAC;QAAC,~~MAAM,CAAC~~;YACP~~,~~wDAAwD;YACxD~~,~~IAAI,GAAG,~~EAAE,CAAC;~~gBACR~~,~~OAAO,~~CAAC,~~KAAK,~~CAAC,~~6BAA6B,EAAE,GAAG,~~CAAC,~~CAAC~~;~~YACpD~~,CAAC;~~iBAAM~~,~~IAAI~~,OAAO,~~EAAE~~,~~CAAC;gBACnB~~,~~OAAO~~,CAAC,~~KAAK~~,CAAC,~~0BAA0B~~,~~MAAM~~,~~MAAM~~,CAAC,CAAC~~;YACxD~~,~~CAAC~~;~~QACH~~,CAAC~~;QAED~~,MAAM,~~MAAM,~~CAAC,IAAI,~~EAAE~~,CAAC;~~QACpB~~,~~aAAa~~,~~EAAE,~~CAAC~~;IAClB~~,~~CAAC~~,~~CACF,~~CAAC~~;IAEF~~,IAAI,CAAC~~;QACH~~,~~MAAM~~,~~MAAM~~,~~CAAC~~,~~KAAK,~~EAAE,CAAC;~~IACvB~~,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,OAAO,GAAG,~~KAAK~~,~~YAAY,KAAK,~~CAAC,~~CAAC,CAAC,~~KAAK,CAAC,~~OAAO,~~CAAC~~,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC~~;~~QACvE~~,OAAO,CAAC,KAAK,CACX,oCAAoC,MAAM,CAAC,IAAI,IAAI,MAAM,CAAC,IAAI,GAAG,~~EACjE~~,OAAO,CACR,CAAC;QACF,~~aAAa~~,EAAE,CAAC;~~QAChB~~,0EAA0E;QAC1E,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC"}
1	+ {"version":3,"file":"serve.js","sourceRoot":"","sources":["../../src/commands/serve.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAEzC,OAAO,cAAc,MAAM,kBAAkB,CAAC;AAE9C,OAAO,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC;AAChE,OAAO,EAAE,qBAAqB,EAAE,MAAM,cAAc,CAAC;AACrD,OAAO,EAAE,eAAe,EAAE,MAAM,4BAA4B,CAAC;AAC7D,OAAO,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC;AACxD,OAAO,YAAY,MAAM,6BAA6B,CAAC;AACvD,OAAO,cAAc,MAAM,+BAA+B,CAAC;AAC3D,OAAO,UAAU,MAAM,2BAA2B,CAAC;AACnD,OAAO,gBAAgB,MAAM,iCAAiC,CAAC;AAC/D,OAAO,YAAY,MAAM,4BAA4B,CAAC;AACtD,OAAO,SAAS,MAAM,0BAA0B,CAAC;AACjD,OAAO,EAAE,QAAQ,EAAE,MAAM,qBAAqB,CAAC;AAY/C,MAAM,mBAAmB,GAAG,aAAa,CACvC,IAAI,GAAG,CAAC,kBAAkB,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAC7C,CAAC;AAEF,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,OAAqB;IACrD,IAAI,WAAW,CAAC;IAChB,IAAI,CAAC;QACH,WAAW,GAAG,qBAAqB,CAAC;YAClC,QAAQ,EAAE,OAAO,CAAC,QAAQ;SAC3B,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,OAAO,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;QAC1C,OAAO,CAAC,KAAK,CAAC,UAAU,OAAO,EAAE,CAAC,CAAC;QACnC,uEAAuE;QACvE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,6DAA6D;IAC7D,MAAM,GAAG,GAAG,QAAQ,CAAC,WAAW,CAAC,CAAC;IAElC,IAAI,CAAC;QACH,0EAA0E;QAC1E,MAAM,GAAG,CAAC,QAAQ,CAAC,YAAY,EAAE;YAC/B,SAAS,EAAE;gBACT,IAAI,EAAE,OAAO,CAAC,IAAI;gBAClB,IAAI,EAAE,OAAO,CAAC,IAAI;gBAClB,WAAW,EAAE,OAAO,CAAC,WAAW;gBAChC,uBAAuB,EAAE,OAAO,CAAC,gBAAgB;gBACjD,gBAAgB,EAAE,OAAO,CAAC,cAAc;gBACxC,QAAQ,EAAE,OAAO,CAAC,QAAQ;aAC3B;SACF,CAAC,CAAC;QACH,MAAM,GAAG,CAAC,QAAQ,CAAC,cAAc,EAAE,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;YAC9C,gBAAgB,EAAE,MAAM,CAAC,MAAM,CAAC,WAAW;SAC5C,CAAC,CAAC,CAAC;QACJ,MAAM,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;QAC/B,MAAM,GAAG,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;QACjC,MAAM,GAAG,CAAC,QAAQ,CAAC,gBAAgB,EAAE,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;YAChD,uBAAuB,EAAE,MAAM,CAAC,MAAM,CAAC,uBAAuB;YAC9D,gBAAgB,EAAE,MAAM,CAAC,MAAM,CAAC,gBAAgB;SACjD,CAAC,CAAC,CAAC;QACJ,MAAM,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;QAE9B,kEAAkE;QAClE,MAAM,GAAG,CAAC,KAAK,EAAE,CAAC;IACpB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,OAAO,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;QAC1C,OAAO,CAAC,KAAK,CAAC,UAAU,OAAO,EAAE,CAAC,CAAC;QACnC,MAAM,GAAG,CAAC,KAAK,EAAE,CAAC;QAClB,+EAA+E;QAC/E,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,6DAA6D;IAC7D,IAAI,CAAC;QACH,MAAM,aAAa,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,EAAE,mBAAmB,CAAC,CAAC;IACxD,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,OAAO,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;QAC1C,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,kCAAkC,OAAO,EAAE,CAAC,CAAC;QAC3D,MAAM,GAAG,CAAC,KAAK,EAAE,CAAC;QAClB,0EAA0E;QAC1E,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,8DAA8D;IAC9D,IAAI,CAAC;QACH,MAAM,YAAY,GAAG,MAAM,eAAe,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACnD,IAAI,YAAY,EAAE,CAAC;YACjB,GAAG,CAAC,GAAG,CAAC,IAAI,CACV,EAAE,KAAK,EAAE,YAAY,CAAC,EAAE,EAAE,EAC1B,mFAAmF,CACpF,CAAC;YACF,gFAAgF;YAChF,OAAO,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,GAAG,IAAI,CAAC,CAAC;QAC7C,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,OAAO,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;QAC1C,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,mCAAmC,OAAO,EAAE,CAAC,CAAC;QAC5D,MAAM,GAAG,CAAC,KAAK,EAAE,CAAC;QAClB,0EAA0E;QAC1E,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,oBAAoB;IACpB,cAAc,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,EAAE,KAAK,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,EAAE,EAAE;QACvE,IAAI,GAAG,EAAE,CAAC;YACR,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,GAAG,EAAE,MAAM,EAAE,EAAE,4BAA4B,CAAC,CAAC;QAC/D,CAAC;aAAM,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;YAC3B,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,EAAE,kBAAkB,CAAC,CAAC;QAC/C,CAAC;QAED,MAAM,GAAG,CAAC,KAAK,EAAE,CAAC;IACpB,CAAC,CAAC,CAAC;IAEH,kBAAkB;IAClB,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,MAAM,CAAC;YAC/B,IAAI,EAAE,GAAG,CAAC,MAAM,CAAC,IAAI;YACrB,IAAI,EAAE,GAAG,CAAC,MAAM,CAAC,IAAI;SACtB,CAAC,CAAC;QACH,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,EAAE,mBAAmB,CAAC,CAAC;IACjD,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,OAAO,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;QAC1C,OAAO,CAAC,KAAK,CACX,oCAAoC,GAAG,CAAC,MAAM,CAAC,IAAI,IAAI,GAAG,CAAC,MAAM,CAAC,IAAI,GAAG,EACzE,OAAO,CACR,CAAC;QACF,MAAM,GAAG,CAAC,KAAK,EAAE,CAAC;QAClB,0EAA0E;QAC1E,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC"}

package/dist/config.d.ts CHANGED Viewed

@@ -1,25 +1,76 @@
 /**
- * Configuration for axvault server.
+ * Server configuration schema and helpers.
  *
- * Priority: CLI flags > environment variables > defaults.
+ * Runtime configuration is validated by @fastify/env and exposed as
+ * `fastify.config`. Logger level is resolved separately because the logger is
+ * configured before plugins are registered.
  */
-export interface ServerConfig {
+declare module "fastify" {
+    interface FastifyInstance {
+        config: ServerConfig;
+    }
+}
+type LogLevel = "trace" | "debug" | "info" | "warn" | "error" | "fatal" | "silent";
+interface ServerConfig {
     port: number;
     host: string;
-    databasePath: string;
+    databaseUrl: string;
     refreshThresholdSeconds: number;
     refreshTimeoutMs: number;
-    logLevel: string;
+    logLevel: LogLevel;
+    encryptionKey: string;
 }
 interface ConfigOverrides {
     port?: string;
     host?: string;
-    dbPath?: string;
+    databaseUrl?: string;
     refreshThresholdSeconds?: string;
     refreshTimeoutMs?: string;
     logLevel?: string;
+    encryptionKey?: string;
+}
+interface BuildAppConfig {
+    logLevel: LogLevel;
 }
-/** Parse config from environment and CLI overrides */
-export declare function getServerConfig(overrides?: ConfigOverrides): ServerConfig;
-export {};
+declare const serverConfigSchema: {
+    readonly type: "object";
+    readonly required: readonly ["encryptionKey"];
+    readonly properties: {
+        readonly port: {
+            readonly type: "number";
+            readonly default: 3847;
+        };
+        readonly host: {
+            readonly type: "string";
+            readonly default: "127.0.0.1";
+        };
+        readonly databaseUrl: {
+            readonly type: "string";
+            readonly default: "postgresql://localhost:5432/axvault";
+        };
+        readonly refreshThresholdSeconds: {
+            readonly type: "number";
+            readonly minimum: 0;
+            readonly default: 3600;
+        };
+        readonly refreshTimeoutMs: {
+            readonly type: "number";
+            readonly minimum: 0;
+            readonly default: 30000;
+        };
+        readonly logLevel: {
+            readonly type: "string";
+            readonly enum: readonly ["trace", "debug", "info", "warn", "error", "fatal", "silent"];
+            readonly default: "info";
+        };
+        readonly encryptionKey: {
+            readonly type: "string";
+            readonly minLength: 32;
+        };
+    };
+};
+declare function createConfigData(overrides?: ConfigOverrides): Record<string, unknown>;
+declare function resolveBuildAppConfig(overrides?: Pick<ConfigOverrides, "logLevel">): BuildAppConfig;
+export { createConfigData, resolveBuildAppConfig, serverConfigSchema };
+export type { BuildAppConfig, ConfigOverrides, ServerConfig };
 //# sourceMappingURL=config.d.ts.map

package/dist/config.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA~~;;;;GAIG~~;AAEH,MAAM,~~WAAW~~,YAAY;~~IAC3B~~,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,~~YAAY~~,EAAE,MAAM,CAAC;~~IACrB~~,uBAAuB,EAAE,MAAM,CAAC;IAChC,gBAAgB,EAAE,MAAM,CAAC;IACzB,QAAQ,EAAE,MAAM,CAAC;~~CAClB~~;AAED,UAAU,eAAe;IACvB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,~~MAAM~~,CAAC,EAAE,MAAM,CAAC;~~IAChB~~,uBAAuB,CAAC,EAAE,MAAM,CAAC;IACjC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC;~~CACnB~~;~~AAmBD~~,~~sDAAsD~~;~~AACtD~~,~~wBAAgB~~,~~eAAe~~,CAAC,SAAS,GAAE,eAAoB,~~GAAG~~,YAAY,~~CAkC7E~~"}
1	+ {"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,QAAQ,SAAS,CAAC;IACvB,UAAU,eAAe;QACvB,MAAM,EAAE,YAAY,CAAC;KACtB;CACF;AAED,KAAK,QAAQ,GACT,OAAO,GACP,OAAO,GACP,MAAM,GACN,MAAM,GACN,OAAO,GACP,OAAO,GACP,QAAQ,CAAC;AAEb,UAAU,YAAY;IACpB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,uBAAuB,EAAE,MAAM,CAAC;IAChC,gBAAgB,EAAE,MAAM,CAAC;IACzB,QAAQ,EAAE,QAAQ,CAAC;IACnB,aAAa,EAAE,MAAM,CAAC;CACvB;AAED,UAAU,eAAe;IACvB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,uBAAuB,CAAC,EAAE,MAAM,CAAC;IACjC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED,UAAU,cAAc;IACtB,QAAQ,EAAE,QAAQ,CAAC;CACpB;AAuBD,QAAA,MAAM,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA2Bd,CAAC;AAEX,iBAAS,gBAAgB,CACvB,SAAS,GAAE,eAAoB,GAC9B,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAczB;AAED,iBAAS,qBAAqB,CAC5B,SAAS,GAAE,IAAI,CAAC,eAAe,EAAE,UAAU,CAAM,GAChD,cAAc,CAahB;AAED,OAAO,EAAE,gBAAgB,EAAE,qBAAqB,EAAE,kBAAkB,EAAE,CAAC;AACvE,YAAY,EAAE,cAAc,EAAE,eAAe,EAAE,YAAY,EAAE,CAAC"}

package/dist/config.js CHANGED Viewed

@@ -1,11 +1,13 @@
 /**
- * Configuration for axvault server.
+ * Server configuration schema and helpers.
  *
- * Priority: CLI flags > environment variables > defaults.
+ * Runtime configuration is validated by @fastify/env and exposed as
+ * `fastify.config`. Logger level is resolved separately because the logger is
+ * configured before plugins are registered.
  */
 const DEFAULT_PORT = 3847;
 const DEFAULT_HOST = "127.0.0.1";
-const DEFAULT_DATABASE_PATH = "./data/axvault.db";
+const DEFAULT_DATABASE_URL = "postgresql://localhost:5432/axvault";
 const DEFAULT_REFRESH_THRESHOLD_SECONDS = 3600; // 1 hour
 const DEFAULT_REFRESH_TIMEOUT_MS = 30_000; // 30 seconds
 const DEFAULT_LOG_LEVEL = "info";
@@ -18,43 +20,58 @@ const VALID_LOG_LEVELS = [
     "fatal",
     "silent",
 ];
-/** Parse config from environment and CLI overrides */
-export function getServerConfig(overrides = {}) {
-    const port = parsePort(overrides.port ?? process.env.AXVAULT_PORT);
-    const host = overrides.host ?? process.env.AXVAULT_HOST ?? DEFAULT_HOST;
-    const databasePath = overrides.dbPath ?? process.env.AXVAULT_DB_PATH ?? DEFAULT_DATABASE_PATH;
-    const refreshThresholdSeconds = parseNonNegativeInt(overrides.refreshThresholdSeconds ?? process.env.AXVAULT_REFRESH_THRESHOLD, DEFAULT_REFRESH_THRESHOLD_SECONDS, "AXVAULT_REFRESH_THRESHOLD");
-    const refreshTimeoutMs = parseNonNegativeInt(overrides.refreshTimeoutMs ?? process.env.AXVAULT_REFRESH_TIMEOUT_MS, DEFAULT_REFRESH_TIMEOUT_MS, "AXVAULT_REFRESH_TIMEOUT_MS");
-    const logLevel = overrides.logLevel ?? process.env.AXVAULT_LOG_LEVEL ?? DEFAULT_LOG_LEVEL;
-    if (!VALID_LOG_LEVELS.includes(logLevel)) {
+function isLogLevel(value) {
+    return VALID_LOG_LEVELS.includes(value);
+}
+const serverConfigSchema = {
+    type: "object",
+    required: ["encryptionKey"],
+    properties: {
+        port: { type: "number", default: DEFAULT_PORT },
+        host: { type: "string", default: DEFAULT_HOST },
+        databaseUrl: { type: "string", default: DEFAULT_DATABASE_URL },
+        refreshThresholdSeconds: {
+            type: "number",
+            minimum: 0,
+            default: DEFAULT_REFRESH_THRESHOLD_SECONDS,
+        },
+        refreshTimeoutMs: {
+            type: "number",
+            minimum: 0,
+            default: DEFAULT_REFRESH_TIMEOUT_MS,
+        },
+        logLevel: {
+            type: "string",
+            enum: [...VALID_LOG_LEVELS],
+            default: DEFAULT_LOG_LEVEL,
+        },
+        encryptionKey: {
+            type: "string",
+            minLength: 32,
+        },
+    },
+};
+function createConfigData(overrides = {}) {
+    return {
+        port: overrides.port ?? process.env.AXVAULT_PORT,
+        host: overrides.host ?? process.env.AXVAULT_HOST,
+        databaseUrl: overrides.databaseUrl ?? process.env.AXVAULT_DATABASE_URL,
+        refreshThresholdSeconds: overrides.refreshThresholdSeconds ??
+            process.env.AXVAULT_REFRESH_THRESHOLD,
+        refreshTimeoutMs: overrides.refreshTimeoutMs ?? process.env.AXVAULT_REFRESH_TIMEOUT_MS,
+        logLevel: overrides.logLevel ?? process.env.AXVAULT_LOG_LEVEL,
+        encryptionKey: overrides.encryptionKey ?? process.env.AXVAULT_ENCRYPTION_KEY,
+    };
+}
+function resolveBuildAppConfig(overrides = {}) {
+    const rawLogLevel = overrides.logLevel ?? process.env.AXVAULT_LOG_LEVEL;
+    const logLevel = rawLogLevel ?? DEFAULT_LOG_LEVEL;
+    if (!isLogLevel(logLevel)) {
         throw new Error(`Invalid log level: "${logLevel}". Must be one of: ${VALID_LOG_LEVELS.join(", ")}`);
     }
     return {
-        port,
-        host,
-        databasePath,
-        refreshThresholdSeconds,
-        refreshTimeoutMs,
         logLevel,
     };
 }
-function parsePort(value) {
-    if (!value)
-        return DEFAULT_PORT;
-    const port = Number.parseInt(value, 10);
-    if (Number.isNaN(port) || port < 1 || port > 65_535) {
-        throw new Error(`Invalid port: ${value}`);
-    }
-    return port;
-}
-function parseNonNegativeInt(value, defaultValue, name) {
-    if (!value)
-        return defaultValue;
-    const parsed = Number.parseInt(value, 10);
-    if (Number.isNaN(parsed) || parsed < 0) {
-        console.warn(`Invalid ${name} value "${value}", using default ${defaultValue}`);
-        return defaultValue;
-    }
-    return parsed;
-}
+export { createConfigData, resolveBuildAppConfig, serverConfigSchema };
 //# sourceMappingURL=config.js.map

package/dist/config.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"config.js","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA~~;;;;GAIG~~;~~AAoBH~~,MAAM,YAAY,GAAG,IAAI,CAAC;AAC1B,MAAM,YAAY,GAAG,WAAW,CAAC;AACjC,MAAM,~~qBAAqB~~,GAAG,~~mBAAmB~~,CAAC;~~AAClD~~,MAAM,iCAAiC,GAAG,IAAI,CAAC,CAAC,SAAS;AACzD,MAAM,0BAA0B,GAAG,MAAM,CAAC,CAAC,aAAa;AACxD,MAAM,iBAAiB,~~GAAG~~,MAAM,CAAC;~~AAEjC~~,MAAM,gBAAgB,GAAG;IACvB,OAAO;IACP,OAAO;IACP,MAAM;IACN,MAAM;IACN,OAAO;IACP,OAAO;IACP,QAAQ;CACA,CAAC;AAEX,~~sDAAsD;AACtD~~,~~MAAM,~~UAAU,~~eAAe,~~CAAC,~~YAA6B,EAAE~~;~~IAC7D~~,~~MAAM~~,~~IAAI~~,~~GAAG,SAAS,~~CAAC,~~SAAS~~,CAAC,~~IAAI~~,~~IAAI,OAAO,~~CAAC,~~GAAG,~~CAAC,~~YAAY,~~CAAC~~,CAAC~~;~~IACnE~~,MAAM,~~IAAI~~,GAAG,~~SAAS~~,~~CAAC~~,~~IAAI~~,~~IAAI~~,~~OAAO~~,CAAC,~~GAAG~~,CAAC,~~YAAY~~,IAAI,~~YAAY~~,~~CAAC;IACxE~~,~~MAAM~~,~~YAAY~~,~~GAChB~~,~~SAAS~~,~~CAAC~~,~~MAAM~~,~~IAAI~~,~~OAAO~~,~~CAAC~~,~~GAAG~~,~~CAAC~~,~~eAAe,~~IAAI,~~qBAAqB~~,~~CAAC;IAE3E~~,~~MAAM~~,~~uBAAuB~~,~~GAAG~~,~~mBAAmB~~,~~CACjD~~,~~SAAS~~,~~CAAC~~,~~uBAAuB~~,IAAI,OAAO,~~CAAC~~,~~GAAG~~,~~CAAC~~,~~yBAAyB~~,~~EAC1E~~,~~iCAAiC~~,~~EACjC~~,~~2BAA2B~~,~~CAC5B~~,CAAC;~~IACF~~,~~MAAM~~,~~gBAAgB~~,~~GAAG~~,~~mBAAmB~~,~~CAC1C~~,~~SAAS~~,~~CAAC~~,~~gBAAgB~~,~~IAAI,~~OAAO,~~CAAC~~,~~GAAG,~~CAAC,~~0BAA0B~~,~~EACpE~~,0BAA0B~~,EAC1B,4BAA4B,CAC7B,CAAC~~;~~IAEF~~,~~MAAM,~~QAAQ,~~GACZ~~,~~SAAS~~,~~CAAC~~,QAAQ,IAAI,~~OAAO~~,CAAC,GAAG,CAAC,~~iBAAiB~~,~~IAAI~~,iBAAiB,~~CAAC~~;~~IAE3E~~,IAAI,~~CAAE~~,~~gBAAsC~~,~~CAAC~~,~~QAAQ~~,CAAC,~~QAAQ~~,~~CAAC~~,EAAE,~~CAAC~~;~~QAChE~~,~~MAAM,~~IAAI,~~KAAK~~,~~CACb~~,~~uBAAuB~~,~~QAAQ~~,~~sBAAsB~~,~~gBAAgB~~,CAAC,~~IAAI~~,CAAC,IAAI,~~CAAC,~~EAAE,~~CACnF~~,CAAC~~;IACJ~~,~~CAAC;IAED,OAAO;QACL,~~IAAI~~;QACJ~~,IAAI~~;QACJ~~,~~YAAY;QACZ~~,~~uBAAuB;QACvB~~,~~gBAAgB;QAChB~~,~~QAAQ;KACT,~~CAAC~~;AACJ~~,~~CAAC~~;~~AAED~~,~~SAAS~~,SAAS,CAAC,~~KAAyB;IAC1C~~,IAAI,CAAC,~~KAAK~~;~~QAAE~~,~~OAAO~~,~~YAAY~~,CAAC;~~IAChC~~,~~MAAM~~,~~IAAI~~,GAAG,~~MAAM,~~CAAC,~~QAAQ~~,~~CAAC~~,~~KAAK~~,~~EAAE~~,~~EAAE,~~CAAC,~~CAAC;IACxC~~,IAAI,~~MAAM~~,CAAC,~~KAAK~~,CAAC,~~IAAI~~,~~CAAC~~,~~IAAI~~,~~IAAI~~,~~GAAG,~~CAAC,~~IAAI~~,IAAI,~~GAAG~~,~~MAAM~~,~~EAAE~~,CAAC;~~QACpD~~,~~MAAM~~,~~IAAI~~,~~KAAK~~,CAAC,~~iBAAiB~~,~~KAAK~~,~~EAAE~~,CAAC,CAAC~~;IAC5C~~,~~CAAC~~;~~IACD~~,~~OAAO,IAAI,~~CAAC;~~AACd~~,CAAC;AAED,SAAS,~~mBAAmB~~,~~CAC1B~~,~~KAAyB~~,~~EACzB~~,~~YAAoB~~,~~EACpB~~,~~IAAY;IAEZ~~,~~IAAI~~,CAAC,~~KAAK;QAAE~~,OAAO,~~YAAY~~,CAAC;~~IAChC~~,MAAM,~~MAAM~~,GAAG,~~MAAM~~,~~CAAC~~,~~QAAQ~~,CAAC,~~KAAK~~,~~EAAE~~,~~EAAE~~,CAAC,~~CAAC;IAC1C~~,~~IAAI,MAAM,~~CAAC,~~KAAK~~,CAAC,MAAM,~~CAAC,~~IAAI,~~MAAM~~,~~GAAG~~,~~CAAC~~,~~EAAE~~,~~CAAC;QACvC~~,~~OAAO~~,CAAC,IAAI,~~CACV~~,~~WAAW,~~IAAI,~~WAAW~~,~~KAAK,oBAAoB,YAAY,~~EAAE,~~CAClE~~,CAAC;~~QACF~~,OAAO,~~YAAY~~,CAAC;~~IACtB~~,CAAC;~~IACD~~,OAAO,~~MAAM~~,~~CAAC;AAChB~~,CAAC"}
1	+ {"version":3,"file":"config.js","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAyCH,MAAM,YAAY,GAAG,IAAI,CAAC;AAC1B,MAAM,YAAY,GAAG,WAAW,CAAC;AACjC,MAAM,oBAAoB,GAAG,qCAAqC,CAAC;AACnE,MAAM,iCAAiC,GAAG,IAAI,CAAC,CAAC,SAAS;AACzD,MAAM,0BAA0B,GAAG,MAAM,CAAC,CAAC,aAAa;AACxD,MAAM,iBAAiB,GAAa,MAAM,CAAC;AAE3C,MAAM,gBAAgB,GAAG;IACvB,OAAO;IACP,OAAO;IACP,MAAM;IACN,MAAM;IACN,OAAO;IACP,OAAO;IACP,QAAQ;CACA,CAAC;AAEX,SAAS,UAAU,CAAC,KAAa;IAC/B,OAAQ,gBAAsC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AACjE,CAAC;AAED,MAAM,kBAAkB,GAAG;IACzB,IAAI,EAAE,QAAQ;IACd,QAAQ,EAAE,CAAC,eAAe,CAAC;IAC3B,UAAU,EAAE;QACV,IAAI,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,YAAY,EAAE;QAC/C,IAAI,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,YAAY,EAAE;QAC/C,WAAW,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,oBAAoB,EAAE;QAC9D,uBAAuB,EAAE;YACvB,IAAI,EAAE,QAAQ;YACd,OAAO,EAAE,CAAC;YACV,OAAO,EAAE,iCAAiC;SAC3C;QACD,gBAAgB,EAAE;YAChB,IAAI,EAAE,QAAQ;YACd,OAAO,EAAE,CAAC;YACV,OAAO,EAAE,0BAA0B;SACpC;QACD,QAAQ,EAAE;YACR,IAAI,EAAE,QAAQ;YACd,IAAI,EAAE,CAAC,GAAG,gBAAgB,CAAC;YAC3B,OAAO,EAAE,iBAAiB;SAC3B;QACD,aAAa,EAAE;YACb,IAAI,EAAE,QAAQ;YACd,SAAS,EAAE,EAAE;SACd;KACF;CACO,CAAC;AAEX,SAAS,gBAAgB,CACvB,YAA6B,EAAE;IAE/B,OAAO;QACL,IAAI,EAAE,SAAS,CAAC,IAAI,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY;QAChD,IAAI,EAAE,SAAS,CAAC,IAAI,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY;QAChD,WAAW,EAAE,SAAS,CAAC,WAAW,IAAI,OAAO,CAAC,GAAG,CAAC,oBAAoB;QACtE,uBAAuB,EACrB,SAAS,CAAC,uBAAuB;YACjC,OAAO,CAAC,GAAG,CAAC,yBAAyB;QACvC,gBAAgB,EACd,SAAS,CAAC,gBAAgB,IAAI,OAAO,CAAC,GAAG,CAAC,0BAA0B;QACtE,QAAQ,EAAE,SAAS,CAAC,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB;QAC7D,aAAa,EACX,SAAS,CAAC,aAAa,IAAI,OAAO,CAAC,GAAG,CAAC,sBAAsB;KAChE,CAAC;AACJ,CAAC;AAED,SAAS,qBAAqB,CAC5B,YAA+C,EAAE;IAEjD,MAAM,WAAW,GAAG,SAAS,CAAC,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;IACxE,MAAM,QAAQ,GAAG,WAAW,IAAI,iBAAiB,CAAC;IAElD,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CACb,uBAAuB,QAAQ,sBAAsB,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CACnF,CAAC;IACJ,CAAC;IAED,OAAO;QACL,QAAQ;KACT,CAAC;AACJ,CAAC;AAED,OAAO,EAAE,gBAAgB,EAAE,qBAAqB,EAAE,kBAAkB,EAAE,CAAC"}

package/dist/db/bootstrap-api-key.d.ts ADDED Viewed

@@ -0,0 +1,14 @@
+/**
+ * Bootstrap API key creation for first server startup.
+ *
+ * Serializes the bootstrap check inside a transaction-scoped advisory lock so
+ * concurrent first-time startups cannot mint multiple root keys.
+ */
+import type { PoolClient } from "pg";
+import { type ApiKeyWithSecret } from "./repositories/api-keys.js";
+interface TransactionalDatabase {
+    transact<TResult>(runInTransaction: (client: PoolClient) => Promise<TResult>): Promise<TResult>;
+}
+declare function bootstrapApiKey(database: TransactionalDatabase): Promise<ApiKeyWithSecret | undefined>;
+export { bootstrapApiKey };
+//# sourceMappingURL=bootstrap-api-key.d.ts.map

package/dist/db/bootstrap-api-key.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"bootstrap-api-key.d.ts","sourceRoot":"","sources":["../../src/db/bootstrap-api-key.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,IAAI,CAAC;AACrC,OAAO,EAEL,KAAK,gBAAgB,EACtB,MAAM,4BAA4B,CAAC;AAIpC,UAAU,qBAAqB;IAC7B,QAAQ,CAAC,OAAO,EACd,gBAAgB,EAAE,CAAC,MAAM,EAAE,UAAU,KAAK,OAAO,CAAC,OAAO,CAAC,GACzD,OAAO,CAAC,OAAO,CAAC,CAAC;CACrB;AAED,iBAAe,eAAe,CAC5B,QAAQ,EAAE,qBAAqB,GAC9B,OAAO,CAAC,gBAAgB,GAAG,SAAS,CAAC,CAmBvC;AAED,OAAO,EAAE,eAAe,EAAE,CAAC"}

package/dist/db/bootstrap-api-key.js ADDED Viewed

@@ -0,0 +1,26 @@
+/**
+ * Bootstrap API key creation for first server startup.
+ *
+ * Serializes the bootstrap check inside a transaction-scoped advisory lock so
+ * concurrent first-time startups cannot mint multiple root keys.
+ */
+import { createApiKey, } from "./repositories/api-keys.js";
+const BOOTSTRAP_API_KEY_LOCK_ID = 980_641_073;
+async function bootstrapApiKey(database) {
+    return database.transact(async (client) => {
+        await client.query("SELECT pg_advisory_xact_lock($1)", [
+            BOOTSTRAP_API_KEY_LOCK_ID,
+        ]);
+        const result = await client.query("SELECT EXISTS (SELECT 1 FROM api_keys) AS has_api_keys");
+        if (result.rows[0]?.has_api_keys)
+            return;
+        return createApiKey(client, {
+            name: "Bootstrap Admin",
+            readAccess: ["*"],
+            writeAccess: ["*"],
+            grantAccess: ["*"],
+        });
+    });
+}
+export { bootstrapApiKey };
+//# sourceMappingURL=bootstrap-api-key.js.map

package/dist/db/bootstrap-api-key.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"bootstrap-api-key.js","sourceRoot":"","sources":["../../src/db/bootstrap-api-key.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EACL,YAAY,GAEb,MAAM,4BAA4B,CAAC;AAEpC,MAAM,yBAAyB,GAAG,WAAW,CAAC;AAQ9C,KAAK,UAAU,eAAe,CAC5B,QAA+B;IAE/B,OAAO,QAAQ,CAAC,QAAQ,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QACxC,MAAM,MAAM,CAAC,KAAK,CAAC,kCAAkC,EAAE;YACrD,yBAAyB;SAC1B,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,KAAK,CAC/B,wDAAwD,CACzD,CAAC;QAEF,IAAI,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,YAAY;YAAE,OAAO;QAEzC,OAAO,YAAY,CAAC,MAAM,EAAE;YAC1B,IAAI,EAAE,iBAAiB;YACvB,UAAU,EAAE,CAAC,GAAG,CAAC;YACjB,WAAW,EAAE,CAAC,GAAG,CAAC;YAClB,WAAW,EAAE,CAAC,GAAG,CAAC;SACnB,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED,OAAO,EAAE,eAAe,EAAE,CAAC"}

package/dist/db/create-pool.d.ts ADDED Viewed

@@ -0,0 +1,5 @@
+import pg from "pg";
+declare function createPool(connectionString: string): pg.Pool;
+declare function closePool(pool: pg.Pool): Promise<void>;
+export { closePool, createPool };
+//# sourceMappingURL=create-pool.d.ts.map

package/dist/db/create-pool.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"create-pool.d.ts","sourceRoot":"","sources":["../../src/db/create-pool.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,IAAI,CAAC;AAOpB,iBAAS,UAAU,CAAC,gBAAgB,EAAE,MAAM,GAAG,EAAE,CAAC,IAAI,CAErD;AAED,iBAAe,SAAS,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAErD;AAED,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,CAAC"}

package/dist/db/create-pool.js ADDED Viewed

@@ -0,0 +1,13 @@
+import pg from "pg";
+// Parse BIGINT (OID 20) as JavaScript numbers instead of strings.
+// Safe for timestamps and auto-increment IDs within Number.MAX_SAFE_INTEGER.
+// Global mutation: pg.types is shared across all Pool instances in this process.
+pg.types.setTypeParser(20, (value) => Number.parseInt(value, 10));
+function createPool(connectionString) {
+    return new pg.Pool({ connectionString });
+}
+async function closePool(pool) {
+    await pool.end();
+}
+export { closePool, createPool };
+//# sourceMappingURL=create-pool.js.map

package/dist/db/create-pool.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"create-pool.js","sourceRoot":"","sources":["../../src/db/create-pool.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,IAAI,CAAC;AAEpB,kEAAkE;AAClE,6EAA6E;AAC7E,iFAAiF;AACjF,EAAE,CAAC,KAAK,CAAC,aAAa,CAAC,EAAE,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,CAAC;AAElE,SAAS,UAAU,CAAC,gBAAwB;IAC1C,OAAO,IAAI,EAAE,CAAC,IAAI,CAAC,EAAE,gBAAgB,EAAE,CAAC,CAAC;AAC3C,CAAC;AAED,KAAK,UAAU,SAAS,CAAC,IAAa;IACpC,MAAM,IAAI,CAAC,GAAG,EAAE,CAAC;AACnB,CAAC;AAED,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,CAAC"}

package/dist/db/migrations/001-initial.sql ADDED Viewed

@@ -0,0 +1,41 @@
+-- Initial schema for axvault.
+CREATE TABLE IF NOT EXISTS api_keys (
+  id TEXT PRIMARY KEY,
+  name TEXT NOT NULL,
+  key_hash TEXT NOT NULL UNIQUE,
+  key_prefix TEXT,
+  read_access TEXT NOT NULL,
+  write_access TEXT NOT NULL,
+  grant_access TEXT NOT NULL DEFAULT '[]',
+  created_at BIGINT NOT NULL,
+  last_used_at BIGINT
+);
+CREATE TABLE IF NOT EXISTS credentials (
+  name TEXT PRIMARY KEY,
+  agent TEXT NOT NULL DEFAULT '',
+  provider TEXT DEFAULT NULL,
+  display_name TEXT DEFAULT NULL,
+  notes TEXT DEFAULT NULL,
+  encrypted_data BYTEA NOT NULL,
+  salt BYTEA NOT NULL,
+  iv BYTEA NOT NULL,
+  auth_tag BYTEA NOT NULL,
+  created_at BIGINT NOT NULL,
+  updated_at BIGINT NOT NULL
+);
+CREATE TABLE IF NOT EXISTS audit_log (
+  id INTEGER GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
+  timestamp BIGINT NOT NULL,
+  api_key_id TEXT,
+  action TEXT NOT NULL,
+  credential_name TEXT,
+  success BOOLEAN NOT NULL,
+  error_message TEXT
+);
+ALTER TABLE audit_log ADD COLUMN IF NOT EXISTS detail TEXT;
+CREATE INDEX IF NOT EXISTS idx_audit_log_timestamp ON audit_log(timestamp DESC);

package/dist/db/repositories/api-keys.d.ts CHANGED Viewed

@@ -3,47 +3,21 @@
  *
  * Manages API keys with read/write access lists for credentials.
  */
-import type Database from "better-sqlite3";
-/** API key data stored in database */
-interface ApiKeyRecord {
-    id: string;
-    name: string;
-    keyHash: string;
-    keyPrefix: string | undefined;
-    readAccess: string[];
-    writeAccess: string[];
-    grantAccess: string[];
-    createdAt: Date;
-    lastUsedAt: Date | undefined;
-}
-/** API key with the raw key (only returned on creation) */
-interface ApiKeyWithSecret extends ApiKeyRecord {
-    key: string;
-}
-/** Create a new API key */
-declare function createApiKey(database: Database.Database, options: {
-    name: string;
-    readAccess: string[];
-    writeAccess: string[];
-    grantAccess: string[];
-}): ApiKeyWithSecret;
+import type { Queryable } from "../types.js";
+import type { ApiKeyRecord } from "./create-api-key.js";
 /** Find API key by raw key value */
-declare function findApiKeyByKey(database: Database.Database, key: string): ApiKeyRecord | undefined;
+declare function findApiKeyByKey(database: Queryable, key: string): Promise<ApiKeyRecord | undefined>;
 /** Find API key by ID */
-declare function findApiKeyById(database: Database.Database, id: string): ApiKeyRecord | undefined;
+declare function findApiKeyById(database: Queryable, id: string): Promise<ApiKeyRecord | undefined>;
 /** List all API keys (without revealing the raw key values) */
-declare function listApiKeys(database: Database.Database): ApiKeyRecord[];
+declare function listApiKeys(database: Queryable): Promise<ApiKeyRecord[]>;
 /** Update last used timestamp */
-declare function updateLastUsed(database: Database.Database, id: string): void;
+declare function updateLastUsed(database: Queryable, id: string): Promise<void>;
 /** Delete an API key */
-declare function deleteApiKey(database: Database.Database, id: string): boolean;
-/** Update an API key's access permissions */
-declare function updateApiKeyAccess(database: Database.Database, id: string, options: {
-    readAccess?: string[];
-    writeAccess?: string[];
-    grantAccess?: string[];
-}): boolean;
-export { createApiKey, deleteApiKey, findApiKeyById, findApiKeyByKey, listApiKeys, updateApiKeyAccess, updateLastUsed, };
+declare function deleteApiKey(database: Queryable, id: string): Promise<boolean>;
+export { deleteApiKey, findApiKeyById, findApiKeyByKey, listApiKeys, updateLastUsed, };
+export { createApiKey } from "./create-api-key.js";
 export { hasGrantAccess, hasReadAccess, hasWriteAccess, } from "./api-key-utilities.js";
-export type { ApiKeyRecord, ApiKeyWithSecret };
+export { updateApiKeyAccess } from "./update-api-key-access.js";
+export type { ApiKeyRecord, ApiKeyWithSecret } from "./create-api-key.js";
 //# sourceMappingURL=api-keys.d.ts.map