axvault 1.12.0 → 1.13.0

package/dist/commands/serve.js.map

@@ -1 +1 @@
-{"version":3,"file":"serve.js","sourceRoot":"","sources":["../../src/commands/serve.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAEzC,OAAO,cAAc,MAAM,kBAAkB,CAAC;AAE9C,OAAO,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAC/C,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAC;AAC7D,OAAO,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC;AACxD,OAAO,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC;AAChE,OAAO,EACL,kBAAkB,EAClB,sBAAsB,EACtB,eAAe,GAChB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAYnD,MAAM,mBAAmB,GAAG,aAAa,CACvC,IAAI,GAAG,CAAC,kBAAkB,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAC7C,CAAC;AAEF,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,OAAqB;IACrD,IAAI,MAAM,CAAC;IACX,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,KAAK,IAAI,CAAC;IACzC,IAAI,CAAC;QACH,MAAM,GAAG,eAAe,CAAC;YACvB,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,uBAAuB,EAAE,OAAO,CAAC,gBAAgB;YACjD,gBAAgB,EAAE,OAAO,CAAC,cAAc;YACxC,QAAQ,EAAE,OAAO,CAAC,QAAQ;SAC3B,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,OAAO,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;QAC1C,OAAO,CAAC,KAAK,CAAC,UAAU,OAAO,EAAE,CAAC,CAAC;QACnC,uEAAuE;QACvE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,8BAA8B;IAC9B,MAAM,aAAa,GAAG,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC,CAAC;IAC5D,IAAI,CAAC,aAAa,IAAI,aAAa,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QAChD,OAAO,CAAC,KAAK,CACX,qEAAqE,CACtE,CAAC;QACF,uEAAuE;QACvE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,iCAAiC;IACjC,MAAM,IAAI,GAAG,UAAU,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IAC5C,IAAI,CAAC;QACH,MAAM,aAAa,CAAC,IAAI,EAAE,mBAAmB,CAAC,CAAC;IACjD,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,OAAO,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;QAC1C,OAAO,CAAC,KAAK,CAAC,kCAAkC,OAAO,EAAE,CAAC,CAAC;QAC3D,MAAM,SAAS,CAAC,IAAI,CAAC,CAAC;QACtB,0EAA0E;QAC1E,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,0DAA0D;IAC1D,MAAM,MAAM,GAAG,YAAY,CAAC,MAAM,EAAE;QAClC,kBAAkB,EAAE;QACpB,sBAAsB,CAAC,IAAI,EAAE;YAC3B,uBAAuB,EAAE,MAAM,CAAC,uBAAuB;YACvD,gBAAgB,EAAE,MAAM,CAAC,gBAAgB;SAC1C,CAAC;QACF,eAAe,CAAC,IAAI,CAAC;KACtB,CAAC,CAAC;IAEH,2CAA2C;IAC3C,mEAAmE;IACnE,qDAAqD;IACrD,cAAc,CACZ;QACE,KAAK,EAAE,IAAI;QACX,MAAM,EAAE,KAAK;KACd,EACD,KAAK,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,EAAE,EAAE;QACxB,IAAI,CAAC;YACH,IAAI,GAAG,EAAE,CAAC;gBACR,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,GAAG,EAAE,MAAM,EAAE,EAAE,4BAA4B,CAAC,CAAC;YACtE,CAAC;iBAAM,IAAI,OAAO,EAAE,CAAC;gBACnB,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,EAAE,kBAAkB,CAAC,CAAC;YACtD,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,wDAAwD;YACxD,IAAI,GAAG,EAAE,CAAC;gBACR,OAAO,CAAC,KAAK,CAAC,6BAA6B,EAAE,GAAG,CAAC,CAAC;YACpD,CAAC;iBAAM,IAAI,OAAO,EAAE,CAAC;gBACnB,OAAO,CAAC,KAAK,CAAC,0BAA0B,MAAM,MAAM,CAAC,CAAC;YACxD,CAAC;QACH,CAAC;QAED,IAAI,CAAC;YACH,MAAM,MAAM,CAAC,IAAI,EAAE,CAAC;QACtB,CAAC;gBAAS,CAAC;YACT,MAAM,SAAS,CAAC,IAAI,CAAC,CAAC;QACxB,CAAC;IACH,CAAC,CACF,CAAC;IAEF,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,KAAK,EAAE,CAAC;IACvB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,OAAO,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;QAC1C,OAAO,CAAC,KAAK,CACX,oCAAoC,MAAM,CAAC,IAAI,IAAI,MAAM,CAAC,IAAI,GAAG,EACjE,OAAO,CACR,CAAC;QACF,MAAM,SAAS,CAAC,IAAI,CAAC,CAAC;QACtB,0EAA0E;QAC1E,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC"}
+{"version":3,"file":"serve.js","sourceRoot":"","sources":["../../src/commands/serve.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAEzC,OAAO,cAAc,MAAM,kBAAkB,CAAC;AAE9C,OAAO,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC;AAChE,OAAO,EAAE,qBAAqB,EAAE,MAAM,cAAc,CAAC;AACrD,OAAO,EAAE,eAAe,EAAE,MAAM,4BAA4B,CAAC;AAC7D,OAAO,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC;AACxD,OAAO,YAAY,MAAM,6BAA6B,CAAC;AACvD,OAAO,cAAc,MAAM,+BAA+B,CAAC;AAC3D,OAAO,UAAU,MAAM,2BAA2B,CAAC;AACnD,OAAO,gBAAgB,MAAM,iCAAiC,CAAC;AAC/D,OAAO,YAAY,MAAM,4BAA4B,CAAC;AACtD,OAAO,SAAS,MAAM,0BAA0B,CAAC;AACjD,OAAO,EAAE,QAAQ,EAAE,MAAM,qBAAqB,CAAC;AAY/C,MAAM,mBAAmB,GAAG,aAAa,CACvC,IAAI,GAAG,CAAC,kBAAkB,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAC7C,CAAC;AAEF,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,OAAqB;IACrD,IAAI,WAAW,CAAC;IAChB,IAAI,CAAC;QACH,WAAW,GAAG,qBAAqB,CAAC;YAClC,QAAQ,EAAE,OAAO,CAAC,QAAQ;SAC3B,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,OAAO,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;QAC1C,OAAO,CAAC,KAAK,CAAC,UAAU,OAAO,EAAE,CAAC,CAAC;QACnC,uEAAuE;QACvE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,6DAA6D;IAC7D,MAAM,GAAG,GAAG,QAAQ,CAAC,WAAW,CAAC,CAAC;IAElC,IAAI,CAAC;QACH,0EAA0E;QAC1E,MAAM,GAAG,CAAC,QAAQ,CAAC,YAAY,EAAE;YAC/B,SAAS,EAAE;gBACT,IAAI,EAAE,OAAO,CAAC,IAAI;gBAClB,IAAI,EAAE,OAAO,CAAC,IAAI;gBAClB,WAAW,EAAE,OAAO,CAAC,WAAW;gBAChC,uBAAuB,EAAE,OAAO,CAAC,gBAAgB;gBACjD,gBAAgB,EAAE,OAAO,CAAC,cAAc;gBACxC,QAAQ,EAAE,OAAO,CAAC,QAAQ;aAC3B;SACF,CAAC,CAAC;QACH,MAAM,GAAG,CAAC,QAAQ,CAAC,cAAc,EAAE,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;YAC9C,gBAAgB,EAAE,MAAM,CAAC,MAAM,CAAC,WAAW;SAC5C,CAAC,CAAC,CAAC;QACJ,MAAM,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;QAC/B,MAAM,GAAG,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;QACjC,MAAM,GAAG,CAAC,QAAQ,CAAC,gBAAgB,EAAE,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;YAChD,uBAAuB,EAAE,MAAM,CAAC,MAAM,CAAC,uBAAuB;YAC9D,gBAAgB,EAAE,MAAM,CAAC,MAAM,CAAC,gBAAgB;SACjD,CAAC,CAAC,CAAC;QACJ,MAAM,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;QAE9B,kEAAkE;QAClE,MAAM,GAAG,CAAC,KAAK,EAAE,CAAC;IACpB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,OAAO,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;QAC1C,OAAO,CAAC,KAAK,CAAC,UAAU,OAAO,EAAE,CAAC,CAAC;QACnC,MAAM,GAAG,CAAC,KAAK,EAAE,CAAC;QAClB,+EAA+E;QAC/E,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,6DAA6D;IAC7D,IAAI,CAAC;QACH,MAAM,aAAa,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,EAAE,mBAAmB,CAAC,CAAC;IACxD,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,OAAO,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;QAC1C,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,kCAAkC,OAAO,EAAE,CAAC,CAAC;QAC3D,MAAM,GAAG,CAAC,KAAK,EAAE,CAAC;QAClB,0EAA0E;QAC1E,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,8DAA8D;IAC9D,IAAI,CAAC;QACH,MAAM,YAAY,GAAG,MAAM,eAAe,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACnD,IAAI,YAAY,EAAE,CAAC;YACjB,GAAG,CAAC,GAAG,CAAC,IAAI,CACV,EAAE,KAAK,EAAE,YAAY,CAAC,EAAE,EAAE,EAC1B,mFAAmF,CACpF,CAAC;YACF,gFAAgF;YAChF,OAAO,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,GAAG,IAAI,CAAC,CAAC;QAC7C,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,OAAO,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;QAC1C,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,mCAAmC,OAAO,EAAE,CAAC,CAAC;QAC5D,MAAM,GAAG,CAAC,KAAK,EAAE,CAAC;QAClB,0EAA0E;QAC1E,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,oBAAoB;IACpB,cAAc,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,EAAE,KAAK,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,EAAE,EAAE;QACvE,IAAI,GAAG,EAAE,CAAC;YACR,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,GAAG,EAAE,MAAM,EAAE,EAAE,4BAA4B,CAAC,CAAC;QAC/D,CAAC;aAAM,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;YAC3B,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,EAAE,kBAAkB,CAAC,CAAC;QAC/C,CAAC;QAED,MAAM,GAAG,CAAC,KAAK,EAAE,CAAC;IACpB,CAAC,CAAC,CAAC;IAEH,kBAAkB;IAClB,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,MAAM,CAAC;YAC/B,IAAI,EAAE,GAAG,CAAC,MAAM,CAAC,IAAI;YACrB,IAAI,EAAE,GAAG,CAAC,MAAM,CAAC,IAAI;SACtB,CAAC,CAAC;QACH,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,EAAE,mBAAmB,CAAC,CAAC;IACjD,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,OAAO,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;QAC1C,OAAO,CAAC,KAAK,CACX,oCAAoC,GAAG,CAAC,MAAM,CAAC,IAAI,IAAI,GAAG,CAAC,MAAM,CAAC,IAAI,GAAG,EACzE,OAAO,CACR,CAAC;QACF,MAAM,GAAG,CAAC,KAAK,EAAE,CAAC;QAClB,0EAA0E;QAC1E,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC"}

package/dist/config.d.ts

@@ -1,15 +1,24 @@
 /**
- * Configuration for axvault server.
+ * Server configuration schema and helpers.
  *
- * Priority: CLI flags > environment variables > defaults.
+ * Runtime configuration is validated by @fastify/env and exposed as
+ * `fastify.config`. Logger level is resolved separately because the logger is
+ * configured before plugins are registered.
  */
-export interface ServerConfig {
+declare module "fastify" {
+    interface FastifyInstance {
+        config: ServerConfig;
+    }
+}
+type LogLevel = "trace" | "debug" | "info" | "warn" | "error" | "fatal" | "silent";
+interface ServerConfig {
     port: number;
     host: string;
     databaseUrl: string;
     refreshThresholdSeconds: number;
     refreshTimeoutMs: number;
-    logLevel: string;
+    logLevel: LogLevel;
+    encryptionKey: string;
 }
 interface ConfigOverrides {
     port?: string;
@@ -18,8 +27,50 @@ interface ConfigOverrides {
     refreshThresholdSeconds?: string;
     refreshTimeoutMs?: string;
     logLevel?: string;
+    encryptionKey?: string;
+}
+interface BuildAppConfig {
+    logLevel: LogLevel;
 }
-/** Parse config from environment and CLI overrides */
-export declare function getServerConfig(overrides?: ConfigOverrides): ServerConfig;
-export {};
+declare const serverConfigSchema: {
+    readonly type: "object";
+    readonly required: readonly ["encryptionKey"];
+    readonly properties: {
+        readonly port: {
+            readonly type: "number";
+            readonly default: 3847;
+        };
+        readonly host: {
+            readonly type: "string";
+            readonly default: "127.0.0.1";
+        };
+        readonly databaseUrl: {
+            readonly type: "string";
+            readonly default: "postgresql://localhost:5432/axvault";
+        };
+        readonly refreshThresholdSeconds: {
+            readonly type: "number";
+            readonly minimum: 0;
+            readonly default: 3600;
+        };
+        readonly refreshTimeoutMs: {
+            readonly type: "number";
+            readonly minimum: 0;
+            readonly default: 30000;
+        };
+        readonly logLevel: {
+            readonly type: "string";
+            readonly enum: readonly ["trace", "debug", "info", "warn", "error", "fatal", "silent"];
+            readonly default: "info";
+        };
+        readonly encryptionKey: {
+            readonly type: "string";
+            readonly minLength: 32;
+        };
+    };
+};
+declare function createConfigData(overrides?: ConfigOverrides): Record<string, unknown>;
+declare function resolveBuildAppConfig(overrides?: Pick<ConfigOverrides, "logLevel">): BuildAppConfig;
+export { createConfigData, resolveBuildAppConfig, serverConfigSchema };
+export type { BuildAppConfig, ConfigOverrides, ServerConfig };
 //# sourceMappingURL=config.d.ts.map

package/dist/config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,uBAAuB,EAAE,MAAM,CAAC;IAChC,gBAAgB,EAAE,MAAM,CAAC;IACzB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,UAAU,eAAe;IACvB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,uBAAuB,CAAC,EAAE,MAAM,CAAC;IACjC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAmBD,sDAAsD;AACtD,wBAAgB,eAAe,CAAC,SAAS,GAAE,eAAoB,GAAG,YAAY,CAoC7E"}
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,QAAQ,SAAS,CAAC;IACvB,UAAU,eAAe;QACvB,MAAM,EAAE,YAAY,CAAC;KACtB;CACF;AAED,KAAK,QAAQ,GACT,OAAO,GACP,OAAO,GACP,MAAM,GACN,MAAM,GACN,OAAO,GACP,OAAO,GACP,QAAQ,CAAC;AAEb,UAAU,YAAY;IACpB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,uBAAuB,EAAE,MAAM,CAAC;IAChC,gBAAgB,EAAE,MAAM,CAAC;IACzB,QAAQ,EAAE,QAAQ,CAAC;IACnB,aAAa,EAAE,MAAM,CAAC;CACvB;AAED,UAAU,eAAe;IACvB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,uBAAuB,CAAC,EAAE,MAAM,CAAC;IACjC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED,UAAU,cAAc;IACtB,QAAQ,EAAE,QAAQ,CAAC;CACpB;AAuBD,QAAA,MAAM,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA2Bd,CAAC;AAEX,iBAAS,gBAAgB,CACvB,SAAS,GAAE,eAAoB,GAC9B,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAczB;AAED,iBAAS,qBAAqB,CAC5B,SAAS,GAAE,IAAI,CAAC,eAAe,EAAE,UAAU,CAAM,GAChD,cAAc,CAahB;AAED,OAAO,EAAE,gBAAgB,EAAE,qBAAqB,EAAE,kBAAkB,EAAE,CAAC;AACvE,YAAY,EAAE,cAAc,EAAE,eAAe,EAAE,YAAY,EAAE,CAAC"}

package/dist/config.js

@@ -1,7 +1,9 @@
 /**
- * Configuration for axvault server.
+ * Server configuration schema and helpers.
  *
- * Priority: CLI flags > environment variables > defaults.
+ * Runtime configuration is validated by @fastify/env and exposed as
+ * `fastify.config`. Logger level is resolved separately because the logger is
+ * configured before plugins are registered.
  */
 const DEFAULT_PORT = 3847;
 const DEFAULT_HOST = "127.0.0.1";
@@ -18,45 +20,58 @@ const VALID_LOG_LEVELS = [
     "fatal",
     "silent",
 ];
-/** Parse config from environment and CLI overrides */
-export function getServerConfig(overrides = {}) {
-    const port = parsePort(overrides.port ?? process.env.AXVAULT_PORT);
-    const host = overrides.host ?? process.env.AXVAULT_HOST ?? DEFAULT_HOST;
-    const databaseUrl = overrides.databaseUrl ??
-        process.env.AXVAULT_DATABASE_URL ??
-        DEFAULT_DATABASE_URL;
-    const refreshThresholdSeconds = parseNonNegativeInt(overrides.refreshThresholdSeconds ?? process.env.AXVAULT_REFRESH_THRESHOLD, DEFAULT_REFRESH_THRESHOLD_SECONDS, "AXVAULT_REFRESH_THRESHOLD");
-    const refreshTimeoutMs = parseNonNegativeInt(overrides.refreshTimeoutMs ?? process.env.AXVAULT_REFRESH_TIMEOUT_MS, DEFAULT_REFRESH_TIMEOUT_MS, "AXVAULT_REFRESH_TIMEOUT_MS");
-    const logLevel = overrides.logLevel ?? process.env.AXVAULT_LOG_LEVEL ?? DEFAULT_LOG_LEVEL;
-    if (!VALID_LOG_LEVELS.includes(logLevel)) {
+function isLogLevel(value) {
+    return VALID_LOG_LEVELS.includes(value);
+}
+const serverConfigSchema = {
+    type: "object",
+    required: ["encryptionKey"],
+    properties: {
+        port: { type: "number", default: DEFAULT_PORT },
+        host: { type: "string", default: DEFAULT_HOST },
+        databaseUrl: { type: "string", default: DEFAULT_DATABASE_URL },
+        refreshThresholdSeconds: {
+            type: "number",
+            minimum: 0,
+            default: DEFAULT_REFRESH_THRESHOLD_SECONDS,
+        },
+        refreshTimeoutMs: {
+            type: "number",
+            minimum: 0,
+            default: DEFAULT_REFRESH_TIMEOUT_MS,
+        },
+        logLevel: {
+            type: "string",
+            enum: [...VALID_LOG_LEVELS],
+            default: DEFAULT_LOG_LEVEL,
+        },
+        encryptionKey: {
+            type: "string",
+            minLength: 32,
+        },
+    },
+};
+function createConfigData(overrides = {}) {
+    return {
+        port: overrides.port ?? process.env.AXVAULT_PORT,
+        host: overrides.host ?? process.env.AXVAULT_HOST,
+        databaseUrl: overrides.databaseUrl ?? process.env.AXVAULT_DATABASE_URL,
+        refreshThresholdSeconds: overrides.refreshThresholdSeconds ??
+            process.env.AXVAULT_REFRESH_THRESHOLD,
+        refreshTimeoutMs: overrides.refreshTimeoutMs ?? process.env.AXVAULT_REFRESH_TIMEOUT_MS,
+        logLevel: overrides.logLevel ?? process.env.AXVAULT_LOG_LEVEL,
+        encryptionKey: overrides.encryptionKey ?? process.env.AXVAULT_ENCRYPTION_KEY,
+    };
+}
+function resolveBuildAppConfig(overrides = {}) {
+    const rawLogLevel = overrides.logLevel ?? process.env.AXVAULT_LOG_LEVEL;
+    const logLevel = rawLogLevel ?? DEFAULT_LOG_LEVEL;
+    if (!isLogLevel(logLevel)) {
         throw new Error(`Invalid log level: "${logLevel}". Must be one of: ${VALID_LOG_LEVELS.join(", ")}`);
     }
     return {
-        port,
-        host,
-        databaseUrl,
-        refreshThresholdSeconds,
-        refreshTimeoutMs,
         logLevel,
     };
 }
-function parsePort(value) {
-    if (!value)
-        return DEFAULT_PORT;
-    const port = Number.parseInt(value, 10);
-    if (Number.isNaN(port) || port < 1 || port > 65_535) {
-        throw new Error(`Invalid port: ${value}`);
-    }
-    return port;
-}
-function parseNonNegativeInt(value, defaultValue, name) {
-    if (!value)
-        return defaultValue;
-    const parsed = Number.parseInt(value, 10);
-    if (Number.isNaN(parsed) || parsed < 0) {
-        console.warn(`Invalid ${name} value "${value}", using default ${defaultValue}`);
-        return defaultValue;
-    }
-    return parsed;
-}
+export { createConfigData, resolveBuildAppConfig, serverConfigSchema };
 //# sourceMappingURL=config.js.map

package/dist/config.js.map

@@ -1 +1 @@
-{"version":3,"file":"config.js","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAoBH,MAAM,YAAY,GAAG,IAAI,CAAC;AAC1B,MAAM,YAAY,GAAG,WAAW,CAAC;AACjC,MAAM,oBAAoB,GAAG,qCAAqC,CAAC;AACnE,MAAM,iCAAiC,GAAG,IAAI,CAAC,CAAC,SAAS;AACzD,MAAM,0BAA0B,GAAG,MAAM,CAAC,CAAC,aAAa;AACxD,MAAM,iBAAiB,GAAG,MAAM,CAAC;AAEjC,MAAM,gBAAgB,GAAG;IACvB,OAAO;IACP,OAAO;IACP,MAAM;IACN,MAAM;IACN,OAAO;IACP,OAAO;IACP,QAAQ;CACA,CAAC;AAEX,sDAAsD;AACtD,MAAM,UAAU,eAAe,CAAC,YAA6B,EAAE;IAC7D,MAAM,IAAI,GAAG,SAAS,CAAC,SAAS,CAAC,IAAI,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;IACnE,MAAM,IAAI,GAAG,SAAS,CAAC,IAAI,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,YAAY,CAAC;IACxE,MAAM,WAAW,GACf,SAAS,CAAC,WAAW;QACrB,OAAO,CAAC,GAAG,CAAC,oBAAoB;QAChC,oBAAoB,CAAC;IAEvB,MAAM,uBAAuB,GAAG,mBAAmB,CACjD,SAAS,CAAC,uBAAuB,IAAI,OAAO,CAAC,GAAG,CAAC,yBAAyB,EAC1E,iCAAiC,EACjC,2BAA2B,CAC5B,CAAC;IACF,MAAM,gBAAgB,GAAG,mBAAmB,CAC1C,SAAS,CAAC,gBAAgB,IAAI,OAAO,CAAC,GAAG,CAAC,0BAA0B,EACpE,0BAA0B,EAC1B,4BAA4B,CAC7B,CAAC;IAEF,MAAM,QAAQ,GACZ,SAAS,CAAC,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB,IAAI,iBAAiB,CAAC;IAE3E,IAAI,CAAE,gBAAsC,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;QAChE,MAAM,IAAI,KAAK,CACb,uBAAuB,QAAQ,sBAAsB,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CACnF,CAAC;IACJ,CAAC;IAED,OAAO;QACL,IAAI;QACJ,IAAI;QACJ,WAAW;QACX,uBAAuB;QACvB,gBAAgB;QAChB,QAAQ;KACT,CAAC;AACJ,CAAC;AAED,SAAS,SAAS,CAAC,KAAyB;IAC1C,IAAI,CAAC,KAAK;QAAE,OAAO,YAAY,CAAC;IAChC,MAAM,IAAI,GAAG,MAAM,CAAC,QAAQ,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IACxC,IAAI,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,IAAI,GAAG,CAAC,IAAI,IAAI,GAAG,MAAM,EAAE,CAAC;QACpD,MAAM,IAAI,KAAK,CAAC,iBAAiB,KAAK,EAAE,CAAC,CAAC;IAC5C,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,mBAAmB,CAC1B,KAAyB,EACzB,YAAoB,EACpB,IAAY;IAEZ,IAAI,CAAC,KAAK;QAAE,OAAO,YAAY,CAAC;IAChC,MAAM,MAAM,GAAG,MAAM,CAAC,QAAQ,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IAC1C,IAAI,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,MAAM,GAAG,CAAC,EAAE,CAAC;QACvC,OAAO,CAAC,IAAI,CACV,WAAW,IAAI,WAAW,KAAK,oBAAoB,YAAY,EAAE,CAClE,CAAC;QACF,OAAO,YAAY,CAAC;IACtB,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC"}
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAyCH,MAAM,YAAY,GAAG,IAAI,CAAC;AAC1B,MAAM,YAAY,GAAG,WAAW,CAAC;AACjC,MAAM,oBAAoB,GAAG,qCAAqC,CAAC;AACnE,MAAM,iCAAiC,GAAG,IAAI,CAAC,CAAC,SAAS;AACzD,MAAM,0BAA0B,GAAG,MAAM,CAAC,CAAC,aAAa;AACxD,MAAM,iBAAiB,GAAa,MAAM,CAAC;AAE3C,MAAM,gBAAgB,GAAG;IACvB,OAAO;IACP,OAAO;IACP,MAAM;IACN,MAAM;IACN,OAAO;IACP,OAAO;IACP,QAAQ;CACA,CAAC;AAEX,SAAS,UAAU,CAAC,KAAa;IAC/B,OAAQ,gBAAsC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AACjE,CAAC;AAED,MAAM,kBAAkB,GAAG;IACzB,IAAI,EAAE,QAAQ;IACd,QAAQ,EAAE,CAAC,eAAe,CAAC;IAC3B,UAAU,EAAE;QACV,IAAI,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,YAAY,EAAE;QAC/C,IAAI,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,YAAY,EAAE;QAC/C,WAAW,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,oBAAoB,EAAE;QAC9D,uBAAuB,EAAE;YACvB,IAAI,EAAE,QAAQ;YACd,OAAO,EAAE,CAAC;YACV,OAAO,EAAE,iCAAiC;SAC3C;QACD,gBAAgB,EAAE;YAChB,IAAI,EAAE,QAAQ;YACd,OAAO,EAAE,CAAC;YACV,OAAO,EAAE,0BAA0B;SACpC;QACD,QAAQ,EAAE;YACR,IAAI,EAAE,QAAQ;YACd,IAAI,EAAE,CAAC,GAAG,gBAAgB,CAAC;YAC3B,OAAO,EAAE,iBAAiB;SAC3B;QACD,aAAa,EAAE;YACb,IAAI,EAAE,QAAQ;YACd,SAAS,EAAE,EAAE;SACd;KACF;CACO,CAAC;AAEX,SAAS,gBAAgB,CACvB,YAA6B,EAAE;IAE/B,OAAO;QACL,IAAI,EAAE,SAAS,CAAC,IAAI,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY;QAChD,IAAI,EAAE,SAAS,CAAC,IAAI,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY;QAChD,WAAW,EAAE,SAAS,CAAC,WAAW,IAAI,OAAO,CAAC,GAAG,CAAC,oBAAoB;QACtE,uBAAuB,EACrB,SAAS,CAAC,uBAAuB;YACjC,OAAO,CAAC,GAAG,CAAC,yBAAyB;QACvC,gBAAgB,EACd,SAAS,CAAC,gBAAgB,IAAI,OAAO,CAAC,GAAG,CAAC,0BAA0B;QACtE,QAAQ,EAAE,SAAS,CAAC,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB;QAC7D,aAAa,EACX,SAAS,CAAC,aAAa,IAAI,OAAO,CAAC,GAAG,CAAC,sBAAsB;KAChE,CAAC;AACJ,CAAC;AAED,SAAS,qBAAqB,CAC5B,YAA+C,EAAE;IAEjD,MAAM,WAAW,GAAG,SAAS,CAAC,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;IACxE,MAAM,QAAQ,GAAG,WAAW,IAAI,iBAAiB,CAAC;IAElD,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CACb,uBAAuB,QAAQ,sBAAsB,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CACnF,CAAC;IACJ,CAAC;IAED,OAAO;QACL,QAAQ;KACT,CAAC;AACJ,CAAC;AAED,OAAO,EAAE,gBAAgB,EAAE,qBAAqB,EAAE,kBAAkB,EAAE,CAAC"}

package/dist/db/bootstrap-api-key.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Bootstrap API key creation for first server startup.
+ *
+ * Serializes the bootstrap check inside a transaction-scoped advisory lock so
+ * concurrent first-time startups cannot mint multiple root keys.
+ */
+import type { PoolClient } from "pg";
+import { type ApiKeyWithSecret } from "./repositories/api-keys.js";
+interface TransactionalDatabase {
+    transact<TResult>(runInTransaction: (client: PoolClient) => Promise<TResult>): Promise<TResult>;
+}
+declare function bootstrapApiKey(database: TransactionalDatabase): Promise<ApiKeyWithSecret | undefined>;
+export { bootstrapApiKey };
+//# sourceMappingURL=bootstrap-api-key.d.ts.map

package/dist/db/bootstrap-api-key.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bootstrap-api-key.d.ts","sourceRoot":"","sources":["../../src/db/bootstrap-api-key.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,IAAI,CAAC;AACrC,OAAO,EAEL,KAAK,gBAAgB,EACtB,MAAM,4BAA4B,CAAC;AAIpC,UAAU,qBAAqB;IAC7B,QAAQ,CAAC,OAAO,EACd,gBAAgB,EAAE,CAAC,MAAM,EAAE,UAAU,KAAK,OAAO,CAAC,OAAO,CAAC,GACzD,OAAO,CAAC,OAAO,CAAC,CAAC;CACrB;AAED,iBAAe,eAAe,CAC5B,QAAQ,EAAE,qBAAqB,GAC9B,OAAO,CAAC,gBAAgB,GAAG,SAAS,CAAC,CAmBvC;AAED,OAAO,EAAE,eAAe,EAAE,CAAC"}

package/dist/db/bootstrap-api-key.js

@@ -0,0 +1,26 @@
+/**
+ * Bootstrap API key creation for first server startup.
+ *
+ * Serializes the bootstrap check inside a transaction-scoped advisory lock so
+ * concurrent first-time startups cannot mint multiple root keys.
+ */
+import { createApiKey, } from "./repositories/api-keys.js";
+const BOOTSTRAP_API_KEY_LOCK_ID = 980_641_073;
+async function bootstrapApiKey(database) {
+    return database.transact(async (client) => {
+        await client.query("SELECT pg_advisory_xact_lock($1)", [
+            BOOTSTRAP_API_KEY_LOCK_ID,
+        ]);
+        const result = await client.query("SELECT EXISTS (SELECT 1 FROM api_keys) AS has_api_keys");
+        if (result.rows[0]?.has_api_keys)
+            return;
+        return createApiKey(client, {
+            name: "Bootstrap Admin",
+            readAccess: ["*"],
+            writeAccess: ["*"],
+            grantAccess: ["*"],
+        });
+    });
+}
+export { bootstrapApiKey };
+//# sourceMappingURL=bootstrap-api-key.js.map

package/dist/db/bootstrap-api-key.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bootstrap-api-key.js","sourceRoot":"","sources":["../../src/db/bootstrap-api-key.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EACL,YAAY,GAEb,MAAM,4BAA4B,CAAC;AAEpC,MAAM,yBAAyB,GAAG,WAAW,CAAC;AAQ9C,KAAK,UAAU,eAAe,CAC5B,QAA+B;IAE/B,OAAO,QAAQ,CAAC,QAAQ,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QACxC,MAAM,MAAM,CAAC,KAAK,CAAC,kCAAkC,EAAE;YACrD,yBAAyB;SAC1B,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,KAAK,CAC/B,wDAAwD,CACzD,CAAC;QAEF,IAAI,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,YAAY;YAAE,OAAO;QAEzC,OAAO,YAAY,CAAC,MAAM,EAAE;YAC1B,IAAI,EAAE,iBAAiB;YACvB,UAAU,EAAE,CAAC,GAAG,CAAC;YACjB,WAAW,EAAE,CAAC,GAAG,CAAC;YAClB,WAAW,EAAE,CAAC,GAAG,CAAC;SACnB,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED,OAAO,EAAE,eAAe,EAAE,CAAC"}

package/dist/db/migrations/001-initial.sql

@@ -1,7 +1,6 @@
 -- Initial schema for axvault.
--- Combines SQLite v1-v3 into a single PostgreSQL migration.
 
-CREATE TABLE api_keys (
+CREATE TABLE IF NOT EXISTS api_keys (
   id TEXT PRIMARY KEY,
   name TEXT NOT NULL,
   key_hash TEXT NOT NULL UNIQUE,
@@ -13,7 +12,7 @@ CREATE TABLE api_keys (
   last_used_at BIGINT
 );
 
-CREATE TABLE credentials (
+CREATE TABLE IF NOT EXISTS credentials (
   name TEXT PRIMARY KEY,
   agent TEXT NOT NULL DEFAULT '',
   provider TEXT DEFAULT NULL,
@@ -27,7 +26,7 @@ CREATE TABLE credentials (
   updated_at BIGINT NOT NULL
 );
 
-CREATE TABLE audit_log (
+CREATE TABLE IF NOT EXISTS audit_log (
   id INTEGER GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
   timestamp BIGINT NOT NULL,
   api_key_id TEXT,
@@ -37,4 +36,6 @@ CREATE TABLE audit_log (
   error_message TEXT
 );
 
-CREATE INDEX idx_audit_log_timestamp ON audit_log(timestamp DESC);
+ALTER TABLE audit_log ADD COLUMN IF NOT EXISTS detail TEXT;
+
+CREATE INDEX IF NOT EXISTS idx_audit_log_timestamp ON audit_log(timestamp DESC);

package/dist/db/repositories/audit-log.d.ts

@@ -13,6 +13,7 @@ interface AuditLogEntry {
     credentialName: string | undefined;
     success: boolean;
     errorMessage: string | undefined;
+    detail: string | undefined;
 }
 /** Log a credential access event */
 declare function logAccess(database: Queryable, entry: {
@@ -21,6 +22,7 @@ declare function logAccess(database: Queryable, entry: {
     credentialName?: string;
     success: boolean;
     errorMessage?: string;
+    detail?: string;
 }): Promise<void>;
 /** Get recent audit log entries */
 declare function getRecentLogs(database: Queryable, options?: {

package/dist/db/repositories/audit-log.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"audit-log.d.ts","sourceRoot":"","sources":["../../../src/db/repositories/audit-log.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAe,SAAS,EAAE,MAAM,aAAa,CAAC;AAE1D,sBAAsB;AACtB,UAAU,aAAa;IACrB,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,IAAI,CAAC;IAChB,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAC;IAC7B,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,GAAG,QAAQ,GAAG,SAAS,GAAG,MAAM,GAAG,OAAO,CAAC;IAC5E,cAAc,EAAE,MAAM,GAAG,SAAS,CAAC;IACnC,OAAO,EAAE,OAAO,CAAC;IACjB,YAAY,EAAE,MAAM,GAAG,SAAS,CAAC;CAClC;AAiBD,oCAAoC;AACpC,iBAAe,SAAS,CACtB,QAAQ,EAAE,SAAS,EACnB,KAAK,EAAE;IACL,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,aAAa,CAAC,QAAQ,CAAC,CAAC;IAChC,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,OAAO,EAAE,OAAO,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB,GACA,OAAO,CAAC,IAAI,CAAC,CAcf;AAED,mCAAmC;AACnC,iBAAe,aAAa,CAC1B,QAAQ,EAAE,SAAS,EACnB,OAAO,CAAC,EAAE;IAAE,KAAK,CAAC,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;CAAE,GAC9C,OAAO,CAAC,aAAa,EAAE,CAAC,CAgB1B;AAED,yCAAyC;AACzC,iBAAe,oBAAoB,CACjC,QAAQ,EAAE,SAAS,EACnB,cAAc,EAAE,MAAM,EACtB,MAAM,SAAK,GACV,OAAO,CAAC,aAAa,EAAE,CAAC,CAO1B;AAED,kCAAkC;AAClC,iBAAe,YAAY,CACzB,QAAQ,EAAE,SAAS,EACnB,aAAa,EAAE,MAAM,GACpB,OAAO,CAAC,MAAM,CAAC,CAQjB;AAED,OAAO,EAAE,oBAAoB,EAAE,aAAa,EAAE,SAAS,EAAE,YAAY,EAAE,CAAC;AACxE,YAAY,EAAE,aAAa,EAAE,CAAC"}
+{"version":3,"file":"audit-log.d.ts","sourceRoot":"","sources":["../../../src/db/repositories/audit-log.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAe,SAAS,EAAE,MAAM,aAAa,CAAC;AAE1D,sBAAsB;AACtB,UAAU,aAAa;IACrB,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,IAAI,CAAC;IAChB,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAC;IAC7B,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,GAAG,QAAQ,GAAG,SAAS,GAAG,MAAM,GAAG,OAAO,CAAC;IAC5E,cAAc,EAAE,MAAM,GAAG,SAAS,CAAC;IACnC,OAAO,EAAE,OAAO,CAAC;IACjB,YAAY,EAAE,MAAM,GAAG,SAAS,CAAC;IACjC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC;CAC5B;AAkBD,oCAAoC;AACpC,iBAAe,SAAS,CACtB,QAAQ,EAAE,SAAS,EACnB,KAAK,EAAE;IACL,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,aAAa,CAAC,QAAQ,CAAC,CAAC;IAChC,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,OAAO,EAAE,OAAO,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB,GACA,OAAO,CAAC,IAAI,CAAC,CAef;AAED,mCAAmC;AACnC,iBAAe,aAAa,CAC1B,QAAQ,EAAE,SAAS,EACnB,OAAO,CAAC,EAAE;IAAE,KAAK,CAAC,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;CAAE,GAC9C,OAAO,CAAC,aAAa,EAAE,CAAC,CAgB1B;AAED,yCAAyC;AACzC,iBAAe,oBAAoB,CACjC,QAAQ,EAAE,SAAS,EACnB,cAAc,EAAE,MAAM,EACtB,MAAM,SAAK,GACV,OAAO,CAAC,aAAa,EAAE,CAAC,CAO1B;AAED,kCAAkC;AAClC,iBAAe,YAAY,CACzB,QAAQ,EAAE,SAAS,EACnB,aAAa,EAAE,MAAM,GACpB,OAAO,CAAC,MAAM,CAAC,CAQjB;AAED,OAAO,EAAE,oBAAoB,EAAE,aAAa,EAAE,SAAS,EAAE,YAAY,EAAE,CAAC;AACxE,YAAY,EAAE,aAAa,EAAE,CAAC"}

package/dist/db/repositories/audit-log.js

@@ -13,19 +13,21 @@ function rowToEntry(row) {
         credentialName: row.credential_name ?? undefined,
         success: row.success,
         errorMessage: row.error_message ?? undefined,
+        detail: row.detail ?? undefined,
     };
 }
-const SELECT_COLUMNS = `id, timestamp, api_key_id, action, credential_name, success, error_message`;
+const SELECT_COLUMNS = `id, timestamp, api_key_id, action, credential_name, success, error_message, detail`;
 /** Log a credential access event */
 async function logAccess(database, entry) {
     /* eslint-disable unicorn/no-null -- PostgreSQL requires null for NULL values */
-    await database.query(`INSERT INTO audit_log (timestamp, api_key_id, action, credential_name, success, error_message) VALUES ($1, $2, $3, $4, $5, $6)`, [
+    await database.query(`INSERT INTO audit_log (timestamp, api_key_id, action, credential_name, success, error_message, detail) VALUES ($1, $2, $3, $4, $5, $6, $7)`, [
         Date.now(),
         entry.apiKeyId ?? null,
         entry.action,
         entry.credentialName ?? null,
         entry.success,
         entry.errorMessage ?? null,
+        entry.detail ?? null,
     ]);
     /* eslint-enable unicorn/no-null */
 }

package/dist/db/repositories/audit-log.js.map

@@ -1 +1 @@
-{"version":3,"file":"audit-log.js","sourceRoot":"","sources":["../../../src/db/repositories/audit-log.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAeH,oCAAoC;AACpC,SAAS,UAAU,CAAC,GAAgB;IAClC,OAAO;QACL,EAAE,EAAE,GAAG,CAAC,EAAE;QACV,SAAS,EAAE,IAAI,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC;QAClC,QAAQ,EAAE,GAAG,CAAC,UAAU,IAAI,SAAS;QACrC,MAAM,EAAE,GAAG,CAAC,MAAiC;QAC7C,cAAc,EAAE,GAAG,CAAC,eAAe,IAAI,SAAS;QAChD,OAAO,EAAE,GAAG,CAAC,OAAO;QACpB,YAAY,EAAE,GAAG,CAAC,aAAa,IAAI,SAAS;KAC7C,CAAC;AACJ,CAAC;AAED,MAAM,cAAc,GAAG,4EAA4E,CAAC;AAEpG,oCAAoC;AACpC,KAAK,UAAU,SAAS,CACtB,QAAmB,EACnB,KAMC;IAED,gFAAgF;IAChF,MAAM,QAAQ,CAAC,KAAK,CAClB,gIAAgI,EAChI;QACE,IAAI,CAAC,GAAG,EAAE;QACV,KAAK,CAAC,QAAQ,IAAI,IAAI;QACtB,KAAK,CAAC,MAAM;QACZ,KAAK,CAAC,cAAc,IAAI,IAAI;QAC5B,KAAK,CAAC,OAAO;QACb,KAAK,CAAC,YAAY,IAAI,IAAI;KAC3B,CACF,CAAC;IACF,mCAAmC;AACrC,CAAC;AAED,mCAAmC;AACnC,KAAK,UAAU,aAAa,CAC1B,QAAmB,EACnB,OAA+C;IAE/C,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,IAAI,GAAG,EAAE,IAAI,CAAC,CAAC,CAAC;IAEjE,IAAI,OAAO,EAAE,QAAQ,EAAE,CAAC;QACtB,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,KAAK,CACjC,UAAU,cAAc,wEAAwE,EAChG,CAAC,OAAO,CAAC,QAAQ,EAAE,KAAK,CAAC,CAC1B,CAAC;QACF,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC;IACnD,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,KAAK,CACjC,UAAU,cAAc,kDAAkD,EAC1E,CAAC,KAAK,CAAC,CACR,CAAC;IACF,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC;AACnD,CAAC;AAED,yCAAyC;AACzC,KAAK,UAAU,oBAAoB,CACjC,QAAmB,EACnB,cAAsB,EACtB,MAAM,GAAG,EAAE;IAEX,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC;IAClD,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,KAAK,CACjC,UAAU,cAAc,6EAA6E,EACrG,CAAC,cAAc,EAAE,KAAK,CAAC,CACxB,CAAC;IACF,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC;AACnD,CAAC;AAED,kCAAkC;AAClC,KAAK,UAAU,YAAY,CACzB,QAAmB,EACnB,aAAqB;IAErB,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,aAAa,CAAC,IAAI,aAAa,IAAI,CAAC;QAAE,OAAO,CAAC,CAAC;IACpE,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,aAAa,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;IAChE,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,KAAK,CACjC,4CAA4C,EAC5C,CAAC,MAAM,CAAC,CACT,CAAC;IACF,OAAO,MAAM,CAAC,QAAQ,IAAI,CAAC,CAAC;AAC9B,CAAC;AAED,OAAO,EAAE,oBAAoB,EAAE,aAAa,EAAE,SAAS,EAAE,YAAY,EAAE,CAAC"}
+{"version":3,"file":"audit-log.js","sourceRoot":"","sources":["../../../src/db/repositories/audit-log.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAgBH,oCAAoC;AACpC,SAAS,UAAU,CAAC,GAAgB;IAClC,OAAO;QACL,EAAE,EAAE,GAAG,CAAC,EAAE;QACV,SAAS,EAAE,IAAI,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC;QAClC,QAAQ,EAAE,GAAG,CAAC,UAAU,IAAI,SAAS;QACrC,MAAM,EAAE,GAAG,CAAC,MAAiC;QAC7C,cAAc,EAAE,GAAG,CAAC,eAAe,IAAI,SAAS;QAChD,OAAO,EAAE,GAAG,CAAC,OAAO;QACpB,YAAY,EAAE,GAAG,CAAC,aAAa,IAAI,SAAS;QAC5C,MAAM,EAAE,GAAG,CAAC,MAAM,IAAI,SAAS;KAChC,CAAC;AACJ,CAAC;AAED,MAAM,cAAc,GAAG,oFAAoF,CAAC;AAE5G,oCAAoC;AACpC,KAAK,UAAU,SAAS,CACtB,QAAmB,EACnB,KAOC;IAED,gFAAgF;IAChF,MAAM,QAAQ,CAAC,KAAK,CAClB,4IAA4I,EAC5I;QACE,IAAI,CAAC,GAAG,EAAE;QACV,KAAK,CAAC,QAAQ,IAAI,IAAI;QACtB,KAAK,CAAC,MAAM;QACZ,KAAK,CAAC,cAAc,IAAI,IAAI;QAC5B,KAAK,CAAC,OAAO;QACb,KAAK,CAAC,YAAY,IAAI,IAAI;QAC1B,KAAK,CAAC,MAAM,IAAI,IAAI;KACrB,CACF,CAAC;IACF,mCAAmC;AACrC,CAAC;AAED,mCAAmC;AACnC,KAAK,UAAU,aAAa,CAC1B,QAAmB,EACnB,OAA+C;IAE/C,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,IAAI,GAAG,EAAE,IAAI,CAAC,CAAC,CAAC;IAEjE,IAAI,OAAO,EAAE,QAAQ,EAAE,CAAC;QACtB,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,KAAK,CACjC,UAAU,cAAc,wEAAwE,EAChG,CAAC,OAAO,CAAC,QAAQ,EAAE,KAAK,CAAC,CAC1B,CAAC;QACF,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC;IACnD,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,KAAK,CACjC,UAAU,cAAc,kDAAkD,EAC1E,CAAC,KAAK,CAAC,CACR,CAAC;IACF,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC;AACnD,CAAC;AAED,yCAAyC;AACzC,KAAK,UAAU,oBAAoB,CACjC,QAAmB,EACnB,cAAsB,EACtB,MAAM,GAAG,EAAE;IAEX,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC;IAClD,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,KAAK,CACjC,UAAU,cAAc,6EAA6E,EACrG,CAAC,cAAc,EAAE,KAAK,CAAC,CACxB,CAAC;IACF,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC;AACnD,CAAC;AAED,kCAAkC;AAClC,KAAK,UAAU,YAAY,CACzB,QAAmB,EACnB,aAAqB;IAErB,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,aAAa,CAAC,IAAI,aAAa,IAAI,CAAC;QAAE,OAAO,CAAC,CAAC;IACpE,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,aAAa,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;IAChE,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,KAAK,CACjC,4CAA4C,EAC5C,CAAC,MAAM,CAAC,CACT,CAAC;IACF,OAAO,MAAM,CAAC,QAAQ,IAAI,CAAC,CAAC;AAC9B,CAAC;AAED,OAAO,EAAE,oBAAoB,EAAE,aAAa,EAAE,SAAS,EAAE,YAAY,EAAE,CAAC"}

package/dist/db/run-migrations.d.ts

@@ -1,4 +1,16 @@
 import type pg from "pg";
+/**
+ * Run all SQL migration files in order.
+ *
+ * Migration files must be replay-safe because this runner executes every SQL
+ * file on every startup without tracking state.
+ *
+ * That means each migration must be written so running it repeatedly is safe:
+ * `CREATE ... IF NOT EXISTS`, `ALTER ... ADD COLUMN IF NOT EXISTS`, or other
+ * guarded statements. If a future schema change cannot be expressed safely that
+ * way, replace this strategy with tracked migrations instead of adding a
+ * one-shot migration here.
+ */
 declare function runMigrations(pool: pg.Pool, migrationsDirectory: string): Promise<void>;
 export { runMigrations };
 //# sourceMappingURL=run-migrations.d.ts.map

package/dist/db/run-migrations.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"run-migrations.d.ts","sourceRoot":"","sources":["../../src/db/run-migrations.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AAEzB,iBAAe,aAAa,CAC1B,IAAI,EAAE,EAAE,CAAC,IAAI,EACb,mBAAmB,EAAE,MAAM,GAC1B,OAAO,CAAC,IAAI,CAAC,CAqDf;AAED,OAAO,EAAE,aAAa,EAAE,CAAC"}
+{"version":3,"file":"run-migrations.d.ts","sourceRoot":"","sources":["../../src/db/run-migrations.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AAEzB;;;;;;;;;;;GAWG;AACH,iBAAe,aAAa,CAC1B,IAAI,EAAE,EAAE,CAAC,IAAI,EACb,mBAAmB,EAAE,MAAM,GAC1B,OAAO,CAAC,IAAI,CAAC,CAUf;AAED,OAAO,EAAE,aAAa,EAAE,CAAC"}

package/dist/db/run-migrations.js

@@ -1,50 +1,25 @@
 import { readdir, readFile } from "node:fs/promises";
 import path from "node:path";
+/**
+ * Run all SQL migration files in order.
+ *
+ * Migration files must be replay-safe because this runner executes every SQL
+ * file on every startup without tracking state.
+ *
+ * That means each migration must be written so running it repeatedly is safe:
+ * `CREATE ... IF NOT EXISTS`, `ALTER ... ADD COLUMN IF NOT EXISTS`, or other
+ * guarded statements. If a future schema change cannot be expressed safely that
+ * way, replace this strategy with tracked migrations instead of adding a
+ * one-shot migration here.
+ */
 async function runMigrations(pool, migrationsDirectory) {
-    const client = await pool.connect();
-    try {
-        await client.query("SELECT pg_advisory_lock(1)");
-        await client.query(`
-      CREATE TABLE IF NOT EXISTS schema_migrations (
-        version INTEGER PRIMARY KEY,
-        name TEXT NOT NULL,
-        applied_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
-      )
-    `);
-        const { rows: applied } = await client.query("SELECT version FROM schema_migrations ORDER BY version");
-        const appliedVersions = new Set(applied.map((r) => r.version));
-        const files = await readdir(migrationsDirectory);
-        const sqlFiles = files
-            .filter((f) => f.endsWith(".sql"))
-            // eslint-disable-next-line unicorn/no-array-sort -- toSorted requires es2023 lib
-            .sort((a, b) => a.localeCompare(b, undefined, { numeric: true }));
-        for (const file of sqlFiles) {
-            const match = file.match(/^(\d+)-(.+)\.sql$/u);
-            if (!match?.[1])
-                continue;
-            const version = Number.parseInt(match[1], 10);
-            if (appliedVersions.has(version))
-                continue;
-            const sql = await readFile(path.join(migrationsDirectory, file), "utf8");
-            await client.query("BEGIN");
-            try {
-                await client.query(sql);
-                await client.query("INSERT INTO schema_migrations (version, name) VALUES ($1, $2)", [version, file]);
-                await client.query("COMMIT");
-            }
-            catch (error) {
-                await client.query("ROLLBACK");
-                throw error;
-            }
-        }
-    }
-    finally {
-        try {
-            await client.query("SELECT pg_advisory_unlock(1)");
-        }
-        finally {
-            client.release();
-        }
+    const files = await readdir(migrationsDirectory);
+    const sqlFiles = files
+        .filter((f) => f.endsWith(".sql"))
+        .toSorted((a, b) => a.localeCompare(b, undefined, { numeric: true }));
+    for (const file of sqlFiles) {
+        const sql = await readFile(path.join(migrationsDirectory, file), "utf8");
+        await pool.query(sql);
     }
 }
 export { runMigrations };

package/dist/db/run-migrations.js.map

@@ -1 +1 @@
-{"version":3,"file":"run-migrations.js","sourceRoot":"","sources":["../../src/db/run-migrations.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,IAAI,MAAM,WAAW,CAAC;AAI7B,KAAK,UAAU,aAAa,CAC1B,IAAa,EACb,mBAA2B;IAE3B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;IACpC,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,KAAK,CAAC,4BAA4B,CAAC,CAAC;QAEjD,MAAM,MAAM,CAAC,KAAK,CAAC;;;;;;KAMlB,CAAC,CAAC;QAEH,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,MAAM,MAAM,CAAC,KAAK,CAC1C,wDAAwD,CACzD,CAAC;QACF,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;QAE/D,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,mBAAmB,CAAC,CAAC;QACjD,MAAM,QAAQ,GAAG,KAAK;aACnB,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;YAClC,iFAAiF;aAChF,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,EAAE,SAAS,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;QAEpE,KAAK,MAAM,IAAI,IAAI,QAAQ,EAAE,CAAC;YAC5B,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC;YAC/C,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;gBAAE,SAAS;YAE1B,MAAM,OAAO,GAAG,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YAC9C,IAAI,eAAe,CAAC,GAAG,CAAC,OAAO,CAAC;gBAAE,SAAS;YAE3C,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,mBAAmB,EAAE,IAAI,CAAC,EAAE,MAAM,CAAC,CAAC;YAEzE,MAAM,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YAC5B,IAAI,CAAC;gBACH,MAAM,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;gBACxB,MAAM,MAAM,CAAC,KAAK,CAChB,+DAA+D,EAC/D,CAAC,OAAO,EAAE,IAAI,CAAC,CAChB,CAAC;gBACF,MAAM,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;YAC/B,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,MAAM,MAAM,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;gBAC/B,MAAM,KAAK,CAAC;YACd,CAAC;QACH,CAAC;IACH,CAAC;YAAS,CAAC;QACT,IAAI,CAAC;YACH,MAAM,MAAM,CAAC,KAAK,CAAC,8BAA8B,CAAC,CAAC;QACrD,CAAC;gBAAS,CAAC;YACT,MAAM,CAAC,OAAO,EAAE,CAAC;QACnB,CAAC;IACH,CAAC;AACH,CAAC;AAED,OAAO,EAAE,aAAa,EAAE,CAAC"}
+{"version":3,"file":"run-migrations.js","sourceRoot":"","sources":["../../src/db/run-migrations.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,IAAI,MAAM,WAAW,CAAC;AAI7B;;;;;;;;;;;GAWG;AACH,KAAK,UAAU,aAAa,CAC1B,IAAa,EACb,mBAA2B;IAE3B,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,mBAAmB,CAAC,CAAC;IACjD,MAAM,QAAQ,GAAG,KAAK;SACnB,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;SACjC,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,EAAE,SAAS,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;IAExE,KAAK,MAAM,IAAI,IAAI,QAAQ,EAAE,CAAC;QAC5B,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,mBAAmB,EAAE,IAAI,CAAC,EAAE,MAAM,CAAC,CAAC;QACzE,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACxB,CAAC;AACH,CAAC;AAED,OAAO,EAAE,aAAa,EAAE,CAAC"}

package/dist/db/types.d.ts

@@ -25,6 +25,7 @@ export interface AuditLogRow {
     credential_name: string | null;
     success: boolean;
     error_message: string | null;
+    detail: string | null;
 }
 /** Raw credential row from database */
 export interface CredentialRow {

package/dist/db/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/db/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,IAAI,CAAC;AAE3C,8EAA8E;AAC9E,MAAM,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,GAAG,UAAU,EAAE,OAAO,CAAC,CAAC;AAEzD,oCAAoC;AACpC,MAAM,WAAW,SAAS;IACxB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;CAC7B;AAED,sCAAsC;AACtC,MAAM,WAAW,WAAW;IAC1B,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,OAAO,EAAE,OAAO,CAAC;IACjB,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;CAC9B;AAED,uCAAuC;AACvC,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,cAAc,EAAE,MAAM,CAAC;IACvB,IAAI,EAAE,MAAM,CAAC;IACb,EAAE,EAAE,MAAM,CAAC;IACX,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,gDAAgD;AAChD,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;CACpB"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/db/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,IAAI,CAAC;AAE3C,8EAA8E;AAC9E,MAAM,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,GAAG,UAAU,EAAE,OAAO,CAAC,CAAC;AAEzD,oCAAoC;AACpC,MAAM,WAAW,SAAS;IACxB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;CAC7B;AAED,sCAAsC;AACtC,MAAM,WAAW,WAAW;IAC1B,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,OAAO,EAAE,OAAO,CAAC;IACjB,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;CACvB;AAED,uCAAuC;AACvC,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,cAAc,EAAE,MAAM,CAAC;IACvB,IAAI,EAAE,MAAM,CAAC;IACb,EAAE,EAAE,MAAM,CAAC;IACX,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,gDAAgD;AAChD,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;CACpB"}

package/dist/index.d.ts

@@ -1,15 +1,21 @@
 /**
  * axvault - Remote credential storage server for axkit.
  *
- * This module exports types and functions for programmatic use.
+ * This module exports server-composition primitives and repository helpers.
+ * The legacy createServer/createPool surface was intentionally removed; build
+ * the app with `buildApp()` plus the exported Fastify plugins instead.
  */
 export type { ServerConfig } from "./config.js";
-export { getServerConfig } from "./config.js";
-export type { AxvaultServer } from "./server/server.js";
-export { createServer } from "./server/server.js";
-export { createHealthPlugin, createCredentialPlugin, createKeyPlugin, } from "./server/routes.js";
-export { closePool, createPool } from "./db/create-pool.js";
+export type { BuildAppConfig } from "./config.js";
+export { buildApp } from "./server/server.js";
+export { default as configPlugin } from "./server/plugins/config.js";
+export { default as databasePlugin } from "./server/plugins/database.js";
+export { default as authPlugin } from "./server/plugins/auth.js";
+export { default as healthRoutes } from "./server/routes/health.js";
+export { default as credentialRoutes } from "./server/routes/credentials.js";
+export { default as keyRoutes } from "./server/routes/keys.js";
 export { runMigrations } from "./db/run-migrations.js";
+export { bootstrapApiKey } from "./db/bootstrap-api-key.js";
 export type { Queryable } from "./db/types.js";
 export type { ApiKeyRecord, ApiKeyWithSecret, } from "./db/repositories/api-keys.js";
 export { createApiKey, deleteApiKey, findApiKeyById, findApiKeyByKey, hasGrantAccess, hasReadAccess, hasWriteAccess, listApiKeys, updateApiKeyAccess, updateLastUsed, } from "./db/repositories/api-keys.js";

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,YAAY,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAChD,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAC9C,YAAY,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACxD,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EACL,kBAAkB,EAClB,sBAAsB,EACtB,eAAe,GAChB,MAAM,oBAAoB,CAAC;AAG5B,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAC5D,OAAO,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AACvD,YAAY,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAG/C,YAAY,EACV,YAAY,EACZ,gBAAgB,GACjB,MAAM,+BAA+B,CAAC;AACvC,OAAO,EACL,YAAY,EACZ,YAAY,EACZ,cAAc,EACd,eAAe,EACf,cAAc,EACd,aAAa,EACb,cAAc,EACd,WAAW,EACX,kBAAkB,EAClB,cAAc,GACf,MAAM,+BAA+B,CAAC;AACvC,YAAY,EAAE,aAAa,EAAE,MAAM,gCAAgC,CAAC;AACpE,OAAO,EACL,oBAAoB,EACpB,aAAa,EACb,SAAS,EACT,YAAY,GACb,MAAM,gCAAgC,CAAC;AACxC,YAAY,EACV,kBAAkB,EAClB,gBAAgB,GACjB,MAAM,kCAAkC,CAAC;AAC1C,OAAO,EACL,gBAAgB,EAChB,aAAa,EACb,eAAe,EACf,wBAAwB,EACxB,wBAAwB,EACxB,gBAAgB,GACjB,MAAM,kCAAkC,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,YAAY,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAChD,YAAY,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAClD,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAG9C,OAAO,EAAE,OAAO,IAAI,YAAY,EAAE,MAAM,4BAA4B,CAAC;AACrE,OAAO,EAAE,OAAO,IAAI,cAAc,EAAE,MAAM,8BAA8B,CAAC;AACzE,OAAO,EAAE,OAAO,IAAI,UAAU,EAAE,MAAM,0BAA0B,CAAC;AAGjE,OAAO,EAAE,OAAO,IAAI,YAAY,EAAE,MAAM,2BAA2B,CAAC;AACpE,OAAO,EAAE,OAAO,IAAI,gBAAgB,EAAE,MAAM,gCAAgC,CAAC;AAC7E,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,yBAAyB,CAAC;AAG/D,OAAO,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AACvD,OAAO,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAC5D,YAAY,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAG/C,YAAY,EACV,YAAY,EACZ,gBAAgB,GACjB,MAAM,+BAA+B,CAAC;AACvC,OAAO,EACL,YAAY,EACZ,YAAY,EACZ,cAAc,EACd,eAAe,EACf,cAAc,EACd,aAAa,EACb,cAAc,EACd,WAAW,EACX,kBAAkB,EAClB,cAAc,GACf,MAAM,+BAA+B,CAAC;AACvC,YAAY,EAAE,aAAa,EAAE,MAAM,gCAAgC,CAAC;AACpE,OAAO,EACL,oBAAoB,EACpB,aAAa,EACb,SAAS,EACT,YAAY,GACb,MAAM,gCAAgC,CAAC;AACxC,YAAY,EACV,kBAAkB,EAClB,gBAAgB,GACjB,MAAM,kCAAkC,CAAC;AAC1C,OAAO,EACL,gBAAgB,EAChB,aAAa,EACb,eAAe,EACf,wBAAwB,EACxB,wBAAwB,EACxB,gBAAgB,GACjB,MAAM,kCAAkC,CAAC"}

package/dist/index.js

@@ -1,14 +1,22 @@
 /**
  * axvault - Remote credential storage server for axkit.
  *
- * This module exports types and functions for programmatic use.
+ * This module exports server-composition primitives and repository helpers.
+ * The legacy createServer/createPool surface was intentionally removed; build
+ * the app with `buildApp()` plus the exported Fastify plugins instead.
  */
-export { getServerConfig } from "./config.js";
-export { createServer } from "./server/server.js";
-export { createHealthPlugin, createCredentialPlugin, createKeyPlugin, } from "./server/routes.js";
-// Database client
-export { closePool, createPool } from "./db/create-pool.js";
+export { buildApp } from "./server/server.js";
+// Plugins
+export { default as configPlugin } from "./server/plugins/config.js";
+export { default as databasePlugin } from "./server/plugins/database.js";
+export { default as authPlugin } from "./server/plugins/auth.js";
+// Route plugins
+export { default as healthRoutes } from "./server/routes/health.js";
+export { default as credentialRoutes } from "./server/routes/credentials.js";
+export { default as keyRoutes } from "./server/routes/keys.js";
+// Database
 export { runMigrations } from "./db/run-migrations.js";
+export { bootstrapApiKey } from "./db/bootstrap-api-key.js";
 export { createApiKey, deleteApiKey, findApiKeyById, findApiKeyByKey, hasGrantAccess, hasReadAccess, hasWriteAccess, listApiKeys, updateApiKeyAccess, updateLastUsed, } from "./db/repositories/api-keys.js";
 export { getLogsForCredential, getRecentLogs, logAccess, pruneOldLogs, } from "./db/repositories/audit-log.js";
 export { deleteCredential, getCredential, listCredentials, listCredentialsForApiKey, listCredentialsPaginated, upsertCredential, } from "./db/repositories/credentials.js";

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAE9C,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EACL,kBAAkB,EAClB,sBAAsB,EACtB,eAAe,GAChB,MAAM,oBAAoB,CAAC;AAE5B,kBAAkB;AAClB,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAC5D,OAAO,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AAQvD,OAAO,EACL,YAAY,EACZ,YAAY,EACZ,cAAc,EACd,eAAe,EACf,cAAc,EACd,aAAa,EACb,cAAc,EACd,WAAW,EACX,kBAAkB,EAClB,cAAc,GACf,MAAM,+BAA+B,CAAC;AAEvC,OAAO,EACL,oBAAoB,EACpB,aAAa,EACb,SAAS,EACT,YAAY,GACb,MAAM,gCAAgC,CAAC;AAKxC,OAAO,EACL,gBAAgB,EAChB,aAAa,EACb,eAAe,EACf,wBAAwB,EACxB,wBAAwB,EACxB,gBAAgB,GACjB,MAAM,kCAAkC,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAE9C,UAAU;AACV,OAAO,EAAE,OAAO,IAAI,YAAY,EAAE,MAAM,4BAA4B,CAAC;AACrE,OAAO,EAAE,OAAO,IAAI,cAAc,EAAE,MAAM,8BAA8B,CAAC;AACzE,OAAO,EAAE,OAAO,IAAI,UAAU,EAAE,MAAM,0BAA0B,CAAC;AAEjE,gBAAgB;AAChB,OAAO,EAAE,OAAO,IAAI,YAAY,EAAE,MAAM,2BAA2B,CAAC;AACpE,OAAO,EAAE,OAAO,IAAI,gBAAgB,EAAE,MAAM,gCAAgC,CAAC;AAC7E,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,yBAAyB,CAAC;AAE/D,WAAW;AACX,OAAO,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AACvD,OAAO,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAQ5D,OAAO,EACL,YAAY,EACZ,YAAY,EACZ,cAAc,EACd,eAAe,EACf,cAAc,EACd,aAAa,EACb,cAAc,EACd,WAAW,EACX,kBAAkB,EAClB,cAAc,GACf,MAAM,+BAA+B,CAAC;AAEvC,OAAO,EACL,oBAAoB,EACpB,aAAa,EACb,SAAS,EACT,YAAY,GACb,MAAM,gCAAgC,CAAC;AAKxC,OAAO,EACL,gBAAgB,EAChB,aAAa,EACb,eAAe,EACf,wBAAwB,EACxB,wBAAwB,EACxB,gBAAgB,GACjB,MAAM,kCAAkC,CAAC"}

package/dist/lib/access-list.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Shared access-list helpers for API key permissions.
+ */
+interface AccessLists {
+    readAccess: string[];
+    writeAccess: string[];
+    grantAccess: string[];
+}
+declare function normalizeAccessList(accessList: string[]): string[];
+declare function canDelegateKeyAccess(callerGrantAccess: string[], requestedAccess: AccessLists): boolean;
+declare function canMutateKeyAccess(callerGrantAccess: string[], currentAccess: AccessLists, nextAccess: AccessLists): boolean;
+export { canDelegateKeyAccess, canMutateKeyAccess, normalizeAccessList };
+//# sourceMappingURL=access-list.d.ts.map

package/dist/lib/access-list.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"access-list.d.ts","sourceRoot":"","sources":["../../src/lib/access-list.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,UAAU,WAAW;IACnB,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,WAAW,EAAE,MAAM,EAAE,CAAC;CACvB;AAED,iBAAS,mBAAmB,CAAC,UAAU,EAAE,MAAM,EAAE,GAAG,MAAM,EAAE,CAE3D;AAUD,iBAAS,oBAAoB,CAC3B,iBAAiB,EAAE,MAAM,EAAE,EAC3B,eAAe,EAAE,WAAW,GAC3B,OAAO,CAMT;AAED,iBAAS,kBAAkB,CACzB,iBAAiB,EAAE,MAAM,EAAE,EAC3B,aAAa,EAAE,WAAW,EAC1B,UAAU,EAAE,WAAW,GACtB,OAAO,CAKT;AAED,OAAO,EAAE,oBAAoB,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,CAAC"}