axvault 1.13.1 → 1.14.0

package/README.md

@@ -2,6 +2,9 @@
 
 Remote credential storage server for a╳kit.
 
+Uses the standard a╳kit stateful server lifecycle: `init` for migrations and
+admin bootstrap, `serve` for the long-running server.
+
 ## Prerequisites
 
 - Node.js 22.19+
@@ -29,26 +32,39 @@ set -a
 . ./.env
 set +a
 
-# Start server (runs migrations and creates bootstrap admin key on first startup)
+# Initialize database and create the first admin key
+npx -y axvault init --create-admin-key
+
+# Or, instead of generating one, provision a deterministic admin key for deployment
+export AXVAULT_ADMIN_KEY='axv_sk_0123456789abcdef0123456789abcdef'
+npx -y axvault init --create-admin-key \
+  --admin-key-env AXVAULT_ADMIN_KEY
+
+# Start server
 npx -y axvault serve
 ```
 
-On first startup, axvault runs database migrations and creates a bootstrap admin API key with full access. The secret is printed to stderr — **save it immediately**, it cannot be retrieved later.
+Generated and provisioned admin keys use the same format: `axv_sk_` followed by
+32 lowercase hexadecimal characters.
 
 Keep the `.env` file and reuse the same encryption key between restarts to avoid losing access to existing credentials.
 
 ## Architecture
 
-axvault is a server-only tool. The CLI has a single command (`serve`) that starts the HTTP server. All key and credential management is done through the HTTP API.
+axvault is a server-only tool with an explicit `init` / `serve` lifecycle.
+Initialization and long-running serving are separate operations.
 
-On startup, the server:
+The CLI provides:
 
-1. Runs database migrations (idempotent, so they are safe to re-run on every startup)
-2. Creates a bootstrap admin API key if no keys exist (serialized with an advisory lock, prints secret to stderr)
-3. Starts listening for HTTP requests
+1. `axvault init` for database migrations and first admin key bootstrap
+2. `axvault serve` for starting the HTTP server
+
+`axvault init --create-admin-key` is idempotent with respect to bootstrap: it
+uses an advisory lock and creates the first bootstrap-capable key only when no
+existing key has `grantAccess: ["*"]`.
 
 Migration files must remain replay-safe because axvault re-runs them on every
-startup instead of tracking applied versions. Use guarded SQL such as
+`init` instead of tracking applied versions. Use guarded SQL such as
 `CREATE ... IF NOT EXISTS` or `ALTER ... ADD COLUMN IF NOT EXISTS`. If a future
 schema change cannot be written safely that way, switch back to tracked
 migrations rather than adding a one-shot file to this runner.
@@ -62,9 +78,9 @@ Add to your `CLAUDE.md` or `AGENTS.md`:
 
 Run `npx -y axvault --help` to learn available options.
 
-Use `axvault serve` to start the credential vault server. All key and credential
-management is done via the HTTP API. On first startup, a bootstrap admin API key
-is created and printed to stderr.
+Use `axvault init` for migrations and admin bootstrap, then `axvault serve` to
+start the credential vault server. Ongoing key and credential management is done
+via the HTTP API.
 ```
 
 ## Configuration
@@ -83,9 +99,14 @@ is created and printed to stderr.
 
 ### CLI Flags
 
-The `serve` command accepts flags that override environment variables:
+The `init` and `serve` commands accept `--database-url`. The `serve` command
+also accepts runtime flags that override environment variables:
 
 ```bash
+npx -y axvault init \
+  --database-url postgresql://localhost:5432/axvault \
+  --create-admin-key
+
 npx -y axvault serve \
   --port 8080 \
   --host 0.0.0.0 \
@@ -107,7 +128,13 @@ API keys control access to the credential API. Each key has configurable permiss
 
 ### Bootstrap Key
 
-On first startup (when no keys exist), axvault creates a "Bootstrap Admin" key with full access (`*` for read, write, and grant). The secret is printed to stderr.
+`axvault init --create-admin-key` creates a "Bootstrap Admin" key with full
+access (`*` for read, write, and grant) only when no full-admin key exists yet.
+Omit `--admin-key`, `--admin-key-env`, and `--admin-key-file` to generate a
+one-time secret. For production, prefer `--admin-key-env` or
+`--admin-key-file` over raw `--admin-key`: command-line arguments are visible
+in process listings. Generated secrets are printed once to stdout; provided
+secrets are used without being echoed back.
 
 ### Managing Keys via API
 
@@ -183,19 +210,84 @@ podman run -d \
 
 **Note:** `AXVAULT_DATABASE_URL` must point to an accessible PostgreSQL instance. The Containerfile default (`postgresql://localhost:5432/axvault`) refers to the container itself, so standalone `docker run` users must provide this variable. For a batteries-included setup, use `docker-compose.yml` which includes a PostgreSQL service.
 
-The bootstrap admin key is created on first startup and printed to the container logs. Retrieve it with `docker logs axvault` or `podman logs axvault`.
+Initialize the database and first admin key with a one-shot container before
+starting the long-running service:
+
+```bash
+# Docker
+docker run --rm \
+  -u 1000:1000 \
+  -e AXVAULT_ENCRYPTION_KEY="your-secret-key-minimum-32-chars!" \
+  -e AXVAULT_DATABASE_URL="postgresql://user:pass@db-host:5432/axvault" \
+  registry.j4k.dev/axvault:latest init --create-admin-key
+
+# Podman
+podman run --rm \
+  --user 1000:1000 \
+  -e AXVAULT_ENCRYPTION_KEY="your-secret-key-minimum-32-chars!" \
+  -e AXVAULT_DATABASE_URL="postgresql://user:pass@db-host:5432/axvault" \
+  registry.j4k.dev/axvault:latest init --create-admin-key
+```
+
+When using `docker-compose.yml` or `podman-compose`, initialize against the
+bundled PostgreSQL service, then start the long-running server:
+
+```bash
+# Docker Compose
+docker compose up -d db
+docker compose run --rm axvault init --create-admin-key
+docker compose up -d axvault
+
+# Podman Compose
+podman-compose up -d db
+podman-compose run --rm axvault init --create-admin-key
+podman-compose up -d axvault
+```
+
+For production, prefer provisioning a deterministic admin key rather than
+capturing a one-time generated secret from logs:
+
+```bash
+docker compose run --rm \
+  -e AXVAULT_ADMIN_KEY='axv_sk_0123456789abcdef0123456789abcdef' \
+  axvault init --create-admin-key \
+  --admin-key-env AXVAULT_ADMIN_KEY
+```
 
 #### Quadlet (systemd)
 
 This example references `axvault-db.service`, which is a PostgreSQL container you must provide separately as a companion Quadlet (`axvault-db.container`). Alternatively, point `AXVAULT_DATABASE_URL` at an existing PostgreSQL instance and remove the `Requires`/`After` lines.
 
+Create `/etc/containers/systemd/axvault-init.container`:
+
+```ini
+[Unit]
+Description=axvault bootstrap initialization
+Requires=axvault-db.service
+After=axvault-db.service
+
+[Container]
+Image=registry.j4k.dev/axvault:latest
+User=1000
+Group=1000
+Environment=AXVAULT_ENCRYPTION_KEY=your-secret-key-minimum-32-chars!
+Environment=AXVAULT_DATABASE_URL=postgresql://axvault:axvault@axvault-db:5432/axvault
+Exec=init --create-admin-key
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+```
+
 Create `/etc/containers/systemd/axvault.container`:
 
 ```ini
 [Unit]
 Description=axvault credential server
 Requires=axvault-db.service
+Requires=axvault-init.service
 After=axvault-db.service
+After=axvault-init.service
 
 [Container]
 Image=registry.j4k.dev/axvault:latest
@@ -216,6 +308,7 @@ Then reload and start:
 
 ```bash
 sudo systemctl daemon-reload
+sudo systemctl start axvault-init
 sudo systemctl start axvault
 ```
 

package/dist/cli.d.ts

@@ -2,8 +2,8 @@
 /**
  * axvault - Remote credential storage server for axkit.
  *
- * Starts the vault server. All key and credential management is done
- * via the HTTP API once the server is running.
+ * Initializes and starts the vault server. Key and credential management is
+ * done via explicit bootstrap plus the HTTP API once the server is running.
  */
 export {};
 //# sourceMappingURL=cli.d.ts.map

package/dist/cli.js

@@ -2,11 +2,12 @@
 /**
  * axvault - Remote credential storage server for axkit.
  *
- * Starts the vault server. All key and credential management is done
- * via the HTTP API once the server is running.
+ * Initializes and starts the vault server. Key and credential management is
+ * done via explicit bootstrap plus the HTTP API once the server is running.
  */
 import { Command } from "@commander-js/extra-typings";
 import packageJson from "../package.json" with { type: "json" };
+import { handleInit } from "./commands/init.js";
 import { handleServe } from "./commands/serve.js";
 const program = new Command()
     .name(packageJson.name)
@@ -17,7 +18,14 @@ const program = new Command()
     .helpCommand(false)
     .addHelpText("after", String.raw `
 Examples:
-  # Start server (runs migrations and creates bootstrap key on first run)
+  # Initialize database and create the first admin key
+  axvault init --create-admin-key
+
+  # Initialize database and provision a deterministic admin key from an env var
+  AXVAULT_ADMIN_KEY=axv_sk_0123456789abcdef0123456789abcdef \
+    axvault init --create-admin-key --admin-key-env AXVAULT_ADMIN_KEY
+
+  # Start server
   axvault serve
 
   # Start server on custom port
@@ -25,6 +33,16 @@ Examples:
 
   # Start with debug logging
   axvault serve --log-level debug`);
+program
+    .command("init")
+    .description("Initialize database")
+    .option("--database-url <url>", "PostgreSQL connection URL")
+    .option("--create-admin-key", "Create an admin key with full access")
+    .option("--admin-key <key>", "Provision a specific admin API key (requires --create-admin-key; exposes the secret in the process list)")
+    .option("--admin-key-env <name>", "Read the admin API key from an environment variable (requires --create-admin-key)")
+    .option("--admin-key-file <path>", "Read the admin API key from a file (requires --create-admin-key)")
+    .option("-v, --verbose", "Enable verbose output")
+    .action(handleInit);
 program
     .command("serve")
     .description("Start the vault server")

package/dist/cli.js.map

@@ -1 +1 @@
-{"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AACA;;;;;GAKG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,6BAA6B,CAAC;AAEtD,OAAO,WAAW,MAAM,iBAAiB,CAAC,OAAO,IAAI,EAAE,MAAM,EAAE,CAAC;AAChE,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAElD,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE;KAC1B,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC;KACtB,WAAW,CAAC,WAAW,CAAC,WAAW,CAAC;KACpC,OAAO,CAAC,WAAW,CAAC,OAAO,EAAE,eAAe,CAAC;KAC7C,kBAAkB,CAAC,yCAAyC,CAAC;KAC7D,wBAAwB,EAAE;KAC1B,WAAW,CAAC,KAAK,CAAC;KAClB,WAAW,CACV,OAAO,EACP,MAAM,CAAC,GAAG,CAAA;;;;;;;;;kCASoB,CAC/B,CAAC;AAEJ,OAAO;KACJ,OAAO,CAAC,OAAO,CAAC;KAChB,WAAW,CAAC,wBAAwB,CAAC;KACrC,MAAM,CAAC,mBAAmB,EAAE,mBAAmB,CAAC;KAChD,MAAM,CAAC,mBAAmB,EAAE,iBAAiB,CAAC;KAC9C,MAAM,CAAC,sBAAsB,EAAE,2BAA2B,CAAC;KAC3D,MAAM,CACL,+BAA+B,EAC/B,sEAAsE,CACvE;KACA,MAAM,CACL,wBAAwB,EACxB,gDAAgD,CACjD;KACA,MAAM,CACL,qBAAqB,EACrB,4DAA4D,CAC7D;KACA,MAAM,CAAC,eAAe,EAAE,uBAAuB,CAAC;KAChD,MAAM,CAAC,WAAW,CAAC,CAAC;AAEvB,MAAM,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC"}
+{"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AACA;;;;;GAKG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,6BAA6B,CAAC;AAEtD,OAAO,WAAW,MAAM,iBAAiB,CAAC,OAAO,IAAI,EAAE,MAAM,EAAE,CAAC;AAChE,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAChD,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAElD,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE;KAC1B,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC;KACtB,WAAW,CAAC,WAAW,CAAC,WAAW,CAAC;KACpC,OAAO,CAAC,WAAW,CAAC,OAAO,EAAE,eAAe,CAAC;KAC7C,kBAAkB,CAAC,yCAAyC,CAAC;KAC7D,wBAAwB,EAAE;KAC1B,WAAW,CAAC,KAAK,CAAC;KAClB,WAAW,CACV,OAAO,EACP,MAAM,CAAC,GAAG,CAAA;;;;;;;;;;;;;;;;kCAgBoB,CAC/B,CAAC;AAEJ,OAAO;KACJ,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,qBAAqB,CAAC;KAClC,MAAM,CAAC,sBAAsB,EAAE,2BAA2B,CAAC;KAC3D,MAAM,CAAC,oBAAoB,EAAE,sCAAsC,CAAC;KACpE,MAAM,CACL,mBAAmB,EACnB,0GAA0G,CAC3G;KACA,MAAM,CACL,wBAAwB,EACxB,mFAAmF,CACpF;KACA,MAAM,CACL,yBAAyB,EACzB,kEAAkE,CACnE;KACA,MAAM,CAAC,eAAe,EAAE,uBAAuB,CAAC;KAChD,MAAM,CAAC,UAAU,CAAC,CAAC;AAEtB,OAAO;KACJ,OAAO,CAAC,OAAO,CAAC;KAChB,WAAW,CAAC,wBAAwB,CAAC;KACrC,MAAM,CAAC,mBAAmB,EAAE,mBAAmB,CAAC;KAChD,MAAM,CAAC,mBAAmB,EAAE,iBAAiB,CAAC;KAC9C,MAAM,CAAC,sBAAsB,EAAE,2BAA2B,CAAC;KAC3D,MAAM,CACL,+BAA+B,EAC/B,sEAAsE,CACvE;KACA,MAAM,CACL,wBAAwB,EACxB,gDAAgD,CACjD;KACA,MAAM,CACL,qBAAqB,EACrB,4DAA4D,CAC7D;KACA,MAAM,CAAC,eAAe,EAAE,uBAAuB,CAAC;KAChD,MAAM,CAAC,WAAW,CAAC,CAAC;AAEvB,MAAM,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC"}

package/dist/commands/init.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Initialize database command handler.
+ */
+interface InitOptions {
+    databaseUrl?: string;
+    createAdminKey?: boolean;
+    adminKey?: string;
+    adminKeyEnv?: string;
+    adminKeyFile?: string;
+    verbose?: boolean;
+}
+export declare function handleInit(options: InitOptions): Promise<void>;
+export {};
+//# sourceMappingURL=init.d.ts.map

package/dist/commands/init.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"init.d.ts","sourceRoot":"","sources":["../../src/commands/init.ts"],"names":[],"mappings":"AAAA;;GAEG;AAgBH,UAAU,WAAW;IACnB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED,wBAAsB,UAAU,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CAmFpE"}

package/dist/commands/init.js

@@ -0,0 +1,88 @@
+/**
+ * Initialize database command handler.
+ */
+import { fileURLToPath } from "node:url";
+import { formatErrorMessage } from "../format-error-message.js";
+import { bootstrapApiKey } from "../db/bootstrap-api-key.js";
+import { closePool, createPool } from "../db/create-pool.js";
+import { resolveApiKeySecret } from "../db/repositories/api-keys.js";
+import { runMigrations } from "../db/run-migrations.js";
+import { resolveSecretSource } from "../resolve-secret-source.js";
+import { resolveDatabaseUrl } from "../resolve-database-url.js";
+const migrationsDirectory = fileURLToPath(new URL("../db/migrations", import.meta.url));
+export async function handleInit(options) {
+    const verbose = options.verbose === true;
+    if ((options.adminKey || options.adminKeyEnv || options.adminKeyFile) &&
+        options.createAdminKey !== true) {
+        console.error("Invalid option: --admin-key, --admin-key-env, and --admin-key-file require --create-admin-key.");
+        process.exitCode = 2;
+        return;
+    }
+    let adminKey;
+    try {
+        adminKey = await resolveSecretSource({
+            directValue: options.adminKey,
+            envName: options.adminKeyEnv,
+            filePath: options.adminKeyFile,
+            directOption: "--admin-key",
+            envOption: "--admin-key-env",
+            fileOption: "--admin-key-file",
+        });
+        adminKey =
+            adminKey === undefined ? undefined : resolveApiKeySecret(adminKey);
+    }
+    catch (error) {
+        const message = formatErrorMessage(error);
+        console.error(message);
+        process.exitCode = 1;
+        return;
+    }
+    let pool;
+    try {
+        const databaseUrl = resolveDatabaseUrl(options.databaseUrl);
+        const initializedPool = createPool(databaseUrl);
+        pool = initializedPool;
+        await runMigrations(initializedPool, migrationsDirectory);
+        if (verbose) {
+            try {
+                const sanitizedUrl = new URL(databaseUrl);
+                if (sanitizedUrl.password) {
+                    sanitizedUrl.password = "***";
+                }
+                console.error(`Database initialized at: ${sanitizedUrl.toString()}`);
+            }
+            catch {
+                console.error("Database initialized.");
+            }
+        }
+        if (options.createAdminKey === true) {
+            const key = await bootstrapApiKey(initializedPool, {
+                key: adminKey,
+            });
+            if (!key) {
+                console.error("Admin API key already exists; bootstrap skipped.");
+                return;
+            }
+            console.error("");
+            console.error(`Created admin API key: ${key.name}`);
+            console.error(`ID: ${key.id}`);
+            console.error("");
+            if (adminKey === undefined) {
+                console.error("Save this key securely - it cannot be retrieved later.");
+                console.error("");
+                console.log(key.key);
+            }
+        }
+    }
+    catch (error) {
+        const message = formatErrorMessage(error);
+        console.error(`Failed to initialize database: ${message}`);
+        process.exitCode = 1;
+    }
+    finally {
+        if (pool) {
+            await closePool(pool);
+        }
+    }
+}
+//# sourceMappingURL=init.js.map

package/dist/commands/init.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"init.js","sourceRoot":"","sources":["../../src/commands/init.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAEzC,OAAO,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC;AAChE,OAAO,EAAE,eAAe,EAAE,MAAM,4BAA4B,CAAC;AAC7D,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAC;AAC7D,OAAO,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AACrE,OAAO,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC;AACxD,OAAO,EAAE,mBAAmB,EAAE,MAAM,6BAA6B,CAAC;AAClE,OAAO,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC;AAEhE,MAAM,mBAAmB,GAAG,aAAa,CACvC,IAAI,GAAG,CAAC,kBAAkB,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAC7C,CAAC;AAWF,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,OAAoB;IACnD,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,KAAK,IAAI,CAAC;IAEzC,IACE,CAAC,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,WAAW,IAAI,OAAO,CAAC,YAAY,CAAC;QACjE,OAAO,CAAC,cAAc,KAAK,IAAI,EAC/B,CAAC;QACD,OAAO,CAAC,KAAK,CACX,gGAAgG,CACjG,CAAC;QACF,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrB,OAAO;IACT,CAAC;IAED,IAAI,QAA4B,CAAC;IACjC,IAAI,CAAC;QACH,QAAQ,GAAG,MAAM,mBAAmB,CAAC;YACnC,WAAW,EAAE,OAAO,CAAC,QAAQ;YAC7B,OAAO,EAAE,OAAO,CAAC,WAAW;YAC5B,QAAQ,EAAE,OAAO,CAAC,YAAY;YAC9B,YAAY,EAAE,aAAa;YAC3B,SAAS,EAAE,iBAAiB;YAC5B,UAAU,EAAE,kBAAkB;SAC/B,CAAC,CAAC;QACH,QAAQ;YACN,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,mBAAmB,CAAC,QAAQ,CAAC,CAAC;IACvE,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,OAAO,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;QAC1C,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACvB,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrB,OAAO;IACT,CAAC;IAED,IAAI,IAA+C,CAAC;IAEpD,IAAI,CAAC;QACH,MAAM,WAAW,GAAG,kBAAkB,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;QAC5D,MAAM,eAAe,GAAG,UAAU,CAAC,WAAW,CAAC,CAAC;QAChD,IAAI,GAAG,eAAe,CAAC;QAEvB,MAAM,aAAa,CAAC,eAAe,EAAE,mBAAmB,CAAC,CAAC;QAE1D,IAAI,OAAO,EAAE,CAAC;YACZ,IAAI,CAAC;gBACH,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,CAAC;gBAC1C,IAAI,YAAY,CAAC,QAAQ,EAAE,CAAC;oBAC1B,YAAY,CAAC,QAAQ,GAAG,KAAK,CAAC;gBAChC,CAAC;gBACD,OAAO,CAAC,KAAK,CAAC,4BAA4B,YAAY,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;YACvE,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAAC;YACzC,CAAC;QACH,CAAC;QAED,IAAI,OAAO,CAAC,cAAc,KAAK,IAAI,EAAE,CAAC;YACpC,MAAM,GAAG,GAAG,MAAM,eAAe,CAAC,eAAe,EAAE;gBACjD,GAAG,EAAE,QAAQ;aACd,CAAC,CAAC;YAEH,IAAI,CAAC,GAAG,EAAE,CAAC;gBACT,OAAO,CAAC,KAAK,CAAC,kDAAkD,CAAC,CAAC;gBAClE,OAAO;YACT,CAAC;YAED,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;YAClB,OAAO,CAAC,KAAK,CAAC,0BAA0B,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;YACpD,OAAO,CAAC,KAAK,CAAC,OAAO,GAAG,CAAC,EAAE,EAAE,CAAC,CAAC;YAC/B,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;YAClB,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;gBAC3B,OAAO,CAAC,KAAK,CAAC,wDAAwD,CAAC,CAAC;gBACxE,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;gBAClB,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YACvB,CAAC;QACH,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,OAAO,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;QAC1C,OAAO,CAAC,KAAK,CAAC,kCAAkC,OAAO,EAAE,CAAC,CAAC;QAC3D,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;IACvB,CAAC;YAAS,CAAC;QACT,IAAI,IAAI,EAAE,CAAC;YACT,MAAM,SAAS,CAAC,IAAI,CAAC,CAAC;QACxB,CAAC;IACH,CAAC;AACH,CAAC"}

package/dist/commands/serve.d.ts

@@ -2,8 +2,7 @@
  * Start server command handler.
  *
  * Builds the Fastify app, registers plugins in dependency order
- * (database → auth → routes), runs migrations, creates a bootstrap
- * API key on first startup, and starts listening.
+ * (database → auth → routes), verifies initialization, and starts listening.
  */
 interface ServeOptions {
     port?: string;

package/dist/commands/serve.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"serve.d.ts","sourceRoot":"","sources":["../../src/commands/serve.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAkBH,UAAU,YAAY;IACpB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAMD,wBAAsB,WAAW,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CA2GtE"}
+{"version":3,"file":"serve.d.ts","sourceRoot":"","sources":["../../src/commands/serve.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAgBH,UAAU,YAAY;IACpB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED,wBAAsB,WAAW,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CAyGtE"}

package/dist/commands/serve.js

@@ -2,15 +2,13 @@
  * Start server command handler.
  *
  * Builds the Fastify app, registers plugins in dependency order
- * (database → auth → routes), runs migrations, creates a bootstrap
- * API key on first startup, and starts listening.
+ * (database → auth → routes), verifies initialization, and starts listening.
  */
-import { fileURLToPath } from "node:url";
 import closeWithGrace from "close-with-grace";
 import { formatErrorMessage } from "../format-error-message.js";
 import { resolveBuildAppConfig } from "../config.js";
-import { bootstrapApiKey } from "../db/bootstrap-api-key.js";
-import { runMigrations } from "../db/run-migrations.js";
+import { countApiKeys } from "../db/repositories/api-keys.js";
+import { verifyDatabaseInitialization } from "../db/verify-database-initialization.js";
 import configPlugin from "../server/plugins/config.js";
 import databasePlugin from "../server/plugins/database.js";
 import authPlugin from "../server/plugins/auth.js";
@@ -18,7 +16,6 @@ import credentialRoutes from "../server/routes/credentials.js";
 import healthRoutes from "../server/routes/health.js";
 import keyRoutes from "../server/routes/keys.js";
 import { buildApp } from "../server/server.js";
-const migrationsDirectory = fileURLToPath(new URL("../db/migrations", import.meta.url));
 export async function handleServe(options) {
     let buildConfig;
     try {
@@ -66,32 +63,28 @@ export async function handleServe(options) {
         // eslint-disable-next-line unicorn/no-process-exit -- CLI config/startup error
         process.exit(1);
     }
-    // Run migrations using the pool created by @fastify/postgres
+    // `serve` assumes `init` already prepared the database schema.
     try {
-        await runMigrations(app.pg.pool, migrationsDirectory);
+        await verifyDatabaseInitialization(app.pg);
     }
     catch (error) {
         const message = formatErrorMessage(error);
-        app.log.error(`Failed to initialize database: ${message}`);
+        app.log.error(`Failed to verify database initialization: ${message}`);
+        console.error("Database is not initialized or the schema is outdated. Run `axvault init` first.");
         await app.close();
         // eslint-disable-next-line unicorn/no-process-exit -- CLI startup failure
         process.exit(1);
     }
-    // Create bootstrap admin key on first startup (no keys exist)
+    let apiKeyCount;
     try {
-        const bootstrapKey = await bootstrapApiKey(app.pg);
-        if (bootstrapKey) {
-            app.log.info({ keyId: bootstrapKey.id }, "Created bootstrap admin API key — save this secret, it cannot be retrieved later:");
-            // Print the secret to stderr so it's visible but not mixed with structured logs
-            console.error(`\n  ${bootstrapKey.key}\n`);
-        }
+        apiKeyCount = await countApiKeys(app.pg);
     }
     catch (error) {
         const message = formatErrorMessage(error);
-        app.log.error(`Failed to create bootstrap key: ${message}`);
-        await app.close();
-        // eslint-disable-next-line unicorn/no-process-exit -- CLI startup failure
-        process.exit(1);
+        app.log.warn(`Failed to check API key count: ${message}`);
+    }
+    if (apiKeyCount === 0) {
+        app.log.warn("No API keys configured. Run `axvault init --create-admin-key` before relying on the server.");
     }
     // Graceful shutdown
     closeWithGrace({ delay: 5000, logger: false }, async ({ signal, err }) => {

package/dist/commands/serve.js.map

@@ -1 +1 @@
-{"version":3,"file":"serve.js","sourceRoot":"","sources":["../../src/commands/serve.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAEzC,OAAO,cAAc,MAAM,kBAAkB,CAAC;AAE9C,OAAO,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC;AAChE,OAAO,EAAE,qBAAqB,EAAE,MAAM,cAAc,CAAC;AACrD,OAAO,EAAE,eAAe,EAAE,MAAM,4BAA4B,CAAC;AAC7D,OAAO,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC;AACxD,OAAO,YAAY,MAAM,6BAA6B,CAAC;AACvD,OAAO,cAAc,MAAM,+BAA+B,CAAC;AAC3D,OAAO,UAAU,MAAM,2BAA2B,CAAC;AACnD,OAAO,gBAAgB,MAAM,iCAAiC,CAAC;AAC/D,OAAO,YAAY,MAAM,4BAA4B,CAAC;AACtD,OAAO,SAAS,MAAM,0BAA0B,CAAC;AACjD,OAAO,EAAE,QAAQ,EAAE,MAAM,qBAAqB,CAAC;AAY/C,MAAM,mBAAmB,GAAG,aAAa,CACvC,IAAI,GAAG,CAAC,kBAAkB,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAC7C,CAAC;AAEF,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,OAAqB;IACrD,IAAI,WAAW,CAAC;IAChB,IAAI,CAAC;QACH,WAAW,GAAG,qBAAqB,CAAC;YAClC,QAAQ,EAAE,OAAO,CAAC,QAAQ;SAC3B,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,OAAO,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;QAC1C,OAAO,CAAC,KAAK,CAAC,UAAU,OAAO,EAAE,CAAC,CAAC;QACnC,uEAAuE;QACvE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,6DAA6D;IAC7D,MAAM,GAAG,GAAG,QAAQ,CAAC,WAAW,CAAC,CAAC;IAElC,IAAI,CAAC;QACH,0EAA0E;QAC1E,MAAM,GAAG,CAAC,QAAQ,CAAC,YAAY,EAAE;YAC/B,SAAS,EAAE;gBACT,IAAI,EAAE,OAAO,CAAC,IAAI;gBAClB,IAAI,EAAE,OAAO,CAAC,IAAI;gBAClB,WAAW,EAAE,OAAO,CAAC,WAAW;gBAChC,uBAAuB,EAAE,OAAO,CAAC,gBAAgB;gBACjD,gBAAgB,EAAE,OAAO,CAAC,cAAc;gBACxC,QAAQ,EAAE,OAAO,CAAC,QAAQ;aAC3B;SACF,CAAC,CAAC;QACH,MAAM,GAAG,CAAC,QAAQ,CAAC,cAAc,EAAE,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;YAC9C,gBAAgB,EAAE,MAAM,CAAC,MAAM,CAAC,WAAW;SAC5C,CAAC,CAAC,CAAC;QACJ,MAAM,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;QAC/B,MAAM,GAAG,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;QACjC,MAAM,GAAG,CAAC,QAAQ,CAAC,gBAAgB,EAAE,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;YAChD,uBAAuB,EAAE,MAAM,CAAC,MAAM,CAAC,uBAAuB;YAC9D,gBAAgB,EAAE,MAAM,CAAC,MAAM,CAAC,gBAAgB;SACjD,CAAC,CAAC,CAAC;QACJ,MAAM,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;QAE9B,kEAAkE;QAClE,MAAM,GAAG,CAAC,KAAK,EAAE,CAAC;IACpB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,OAAO,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;QAC1C,OAAO,CAAC,KAAK,CAAC,UAAU,OAAO,EAAE,CAAC,CAAC;QACnC,MAAM,GAAG,CAAC,KAAK,EAAE,CAAC;QAClB,+EAA+E;QAC/E,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,6DAA6D;IAC7D,IAAI,CAAC;QACH,MAAM,aAAa,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,EAAE,mBAAmB,CAAC,CAAC;IACxD,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,OAAO,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;QAC1C,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,kCAAkC,OAAO,EAAE,CAAC,CAAC;QAC3D,MAAM,GAAG,CAAC,KAAK,EAAE,CAAC;QAClB,0EAA0E;QAC1E,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,8DAA8D;IAC9D,IAAI,CAAC;QACH,MAAM,YAAY,GAAG,MAAM,eAAe,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACnD,IAAI,YAAY,EAAE,CAAC;YACjB,GAAG,CAAC,GAAG,CAAC,IAAI,CACV,EAAE,KAAK,EAAE,YAAY,CAAC,EAAE,EAAE,EAC1B,mFAAmF,CACpF,CAAC;YACF,gFAAgF;YAChF,OAAO,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,GAAG,IAAI,CAAC,CAAC;QAC7C,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,OAAO,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;QAC1C,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,mCAAmC,OAAO,EAAE,CAAC,CAAC;QAC5D,MAAM,GAAG,CAAC,KAAK,EAAE,CAAC;QAClB,0EAA0E;QAC1E,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,oBAAoB;IACpB,cAAc,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,EAAE,KAAK,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,EAAE,EAAE;QACvE,IAAI,GAAG,EAAE,CAAC;YACR,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,GAAG,EAAE,MAAM,EAAE,EAAE,4BAA4B,CAAC,CAAC;QAC/D,CAAC;aAAM,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;YAC3B,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,EAAE,kBAAkB,CAAC,CAAC;QAC/C,CAAC;QAED,MAAM,GAAG,CAAC,KAAK,EAAE,CAAC;IACpB,CAAC,CAAC,CAAC;IAEH,kBAAkB;IAClB,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,MAAM,CAAC;YAC/B,IAAI,EAAE,GAAG,CAAC,MAAM,CAAC,IAAI;YACrB,IAAI,EAAE,GAAG,CAAC,MAAM,CAAC,IAAI;SACtB,CAAC,CAAC;QACH,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,EAAE,mBAAmB,CAAC,CAAC;IACjD,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,OAAO,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;QAC1C,OAAO,CAAC,KAAK,CACX,oCAAoC,GAAG,CAAC,MAAM,CAAC,IAAI,IAAI,GAAG,CAAC,MAAM,CAAC,IAAI,GAAG,EACzE,OAAO,CACR,CAAC;QACF,MAAM,GAAG,CAAC,KAAK,EAAE,CAAC;QAClB,0EAA0E;QAC1E,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC"}
+{"version":3,"file":"serve.js","sourceRoot":"","sources":["../../src/commands/serve.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,cAAc,MAAM,kBAAkB,CAAC;AAE9C,OAAO,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC;AAChE,OAAO,EAAE,qBAAqB,EAAE,MAAM,cAAc,CAAC;AACrD,OAAO,EAAE,YAAY,EAAE,MAAM,gCAAgC,CAAC;AAC9D,OAAO,EAAE,4BAA4B,EAAE,MAAM,yCAAyC,CAAC;AACvF,OAAO,YAAY,MAAM,6BAA6B,CAAC;AACvD,OAAO,cAAc,MAAM,+BAA+B,CAAC;AAC3D,OAAO,UAAU,MAAM,2BAA2B,CAAC;AACnD,OAAO,gBAAgB,MAAM,iCAAiC,CAAC;AAC/D,OAAO,YAAY,MAAM,4BAA4B,CAAC;AACtD,OAAO,SAAS,MAAM,0BAA0B,CAAC;AACjD,OAAO,EAAE,QAAQ,EAAE,MAAM,qBAAqB,CAAC;AAY/C,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,OAAqB;IACrD,IAAI,WAAW,CAAC;IAChB,IAAI,CAAC;QACH,WAAW,GAAG,qBAAqB,CAAC;YAClC,QAAQ,EAAE,OAAO,CAAC,QAAQ;SAC3B,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,OAAO,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;QAC1C,OAAO,CAAC,KAAK,CAAC,UAAU,OAAO,EAAE,CAAC,CAAC;QACnC,uEAAuE;QACvE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,6DAA6D;IAC7D,MAAM,GAAG,GAAG,QAAQ,CAAC,WAAW,CAAC,CAAC;IAElC,IAAI,CAAC;QACH,0EAA0E;QAC1E,MAAM,GAAG,CAAC,QAAQ,CAAC,YAAY,EAAE;YAC/B,SAAS,EAAE;gBACT,IAAI,EAAE,OAAO,CAAC,IAAI;gBAClB,IAAI,EAAE,OAAO,CAAC,IAAI;gBAClB,WAAW,EAAE,OAAO,CAAC,WAAW;gBAChC,uBAAuB,EAAE,OAAO,CAAC,gBAAgB;gBACjD,gBAAgB,EAAE,OAAO,CAAC,cAAc;gBACxC,QAAQ,EAAE,OAAO,CAAC,QAAQ;aAC3B;SACF,CAAC,CAAC;QACH,MAAM,GAAG,CAAC,QAAQ,CAAC,cAAc,EAAE,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;YAC9C,gBAAgB,EAAE,MAAM,CAAC,MAAM,CAAC,WAAW;SAC5C,CAAC,CAAC,CAAC;QACJ,MAAM,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;QAC/B,MAAM,GAAG,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;QACjC,MAAM,GAAG,CAAC,QAAQ,CAAC,gBAAgB,EAAE,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;YAChD,uBAAuB,EAAE,MAAM,CAAC,MAAM,CAAC,uBAAuB;YAC9D,gBAAgB,EAAE,MAAM,CAAC,MAAM,CAAC,gBAAgB;SACjD,CAAC,CAAC,CAAC;QACJ,MAAM,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;QAE9B,kEAAkE;QAClE,MAAM,GAAG,CAAC,KAAK,EAAE,CAAC;IACpB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,OAAO,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;QAC1C,OAAO,CAAC,KAAK,CAAC,UAAU,OAAO,EAAE,CAAC,CAAC;QACnC,MAAM,GAAG,CAAC,KAAK,EAAE,CAAC;QAClB,+EAA+E;QAC/E,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,+DAA+D;IAC/D,IAAI,CAAC;QACH,MAAM,4BAA4B,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAC7C,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,OAAO,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;QAC1C,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,6CAA6C,OAAO,EAAE,CAAC,CAAC;QACtE,OAAO,CAAC,KAAK,CACX,kFAAkF,CACnF,CAAC;QACF,MAAM,GAAG,CAAC,KAAK,EAAE,CAAC;QAClB,0EAA0E;QAC1E,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,IAAI,WAA+B,CAAC;IACpC,IAAI,CAAC;QACH,WAAW,GAAG,MAAM,YAAY,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAC3C,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,OAAO,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;QAC1C,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,kCAAkC,OAAO,EAAE,CAAC,CAAC;IAC5D,CAAC;IAED,IAAI,WAAW,KAAK,CAAC,EAAE,CAAC;QACtB,GAAG,CAAC,GAAG,CAAC,IAAI,CACV,6FAA6F,CAC9F,CAAC;IACJ,CAAC;IAED,oBAAoB;IACpB,cAAc,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,EAAE,KAAK,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,EAAE,EAAE;QACvE,IAAI,GAAG,EAAE,CAAC;YACR,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,GAAG,EAAE,MAAM,EAAE,EAAE,4BAA4B,CAAC,CAAC;QAC/D,CAAC;aAAM,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;YAC3B,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,EAAE,kBAAkB,CAAC,CAAC;QAC/C,CAAC;QAED,MAAM,GAAG,CAAC,KAAK,EAAE,CAAC;IACpB,CAAC,CAAC,CAAC;IAEH,kBAAkB;IAClB,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,MAAM,CAAC;YAC/B,IAAI,EAAE,GAAG,CAAC,MAAM,CAAC,IAAI;YACrB,IAAI,EAAE,GAAG,CAAC,MAAM,CAAC,IAAI;SACtB,CAAC,CAAC;QACH,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,EAAE,mBAAmB,CAAC,CAAC;IACjD,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,OAAO,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;QAC1C,OAAO,CAAC,KAAK,CACX,oCAAoC,GAAG,CAAC,MAAM,CAAC,IAAI,IAAI,GAAG,CAAC,MAAM,CAAC,IAAI,GAAG,EACzE,OAAO,CACR,CAAC;QACF,MAAM,GAAG,CAAC,KAAK,EAAE,CAAC;QAClB,0EAA0E;QAC1E,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC"}

package/dist/config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,QAAQ,SAAS,CAAC;IACvB,UAAU,eAAe;QACvB,MAAM,EAAE,YAAY,CAAC;KACtB;CACF;AAED,KAAK,QAAQ,GACT,OAAO,GACP,OAAO,GACP,MAAM,GACN,MAAM,GACN,OAAO,GACP,OAAO,GACP,QAAQ,CAAC;AAEb,UAAU,YAAY;IACpB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,uBAAuB,EAAE,MAAM,CAAC;IAChC,gBAAgB,EAAE,MAAM,CAAC;IACzB,QAAQ,EAAE,QAAQ,CAAC;IACnB,aAAa,EAAE,MAAM,CAAC;CACvB;AAED,UAAU,eAAe;IACvB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,uBAAuB,CAAC,EAAE,MAAM,CAAC;IACjC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED,UAAU,cAAc;IACtB,QAAQ,EAAE,QAAQ,CAAC;CACpB;AAuBD,QAAA,MAAM,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA2Bd,CAAC;AAEX,iBAAS,gBAAgB,CACvB,SAAS,GAAE,eAAoB,GAC9B,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAczB;AAED,iBAAS,qBAAqB,CAC5B,SAAS,GAAE,IAAI,CAAC,eAAe,EAAE,UAAU,CAAM,GAChD,cAAc,CAahB;AAED,OAAO,EAAE,gBAAgB,EAAE,qBAAqB,EAAE,kBAAkB,EAAE,CAAC;AACvE,YAAY,EAAE,cAAc,EAAE,eAAe,EAAE,YAAY,EAAE,CAAC"}
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,OAAO,QAAQ,SAAS,CAAC;IACvB,UAAU,eAAe;QACvB,MAAM,EAAE,YAAY,CAAC;KACtB;CACF;AAED,KAAK,QAAQ,GACT,OAAO,GACP,OAAO,GACP,MAAM,GACN,MAAM,GACN,OAAO,GACP,OAAO,GACP,QAAQ,CAAC;AAEb,UAAU,YAAY;IACpB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,uBAAuB,EAAE,MAAM,CAAC;IAChC,gBAAgB,EAAE,MAAM,CAAC;IACzB,QAAQ,EAAE,QAAQ,CAAC;IACnB,aAAa,EAAE,MAAM,CAAC;CACvB;AAED,UAAU,eAAe;IACvB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,uBAAuB,CAAC,EAAE,MAAM,CAAC;IACjC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED,UAAU,cAAc;IACtB,QAAQ,EAAE,QAAQ,CAAC;CACpB;AAsBD,QAAA,MAAM,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA2Bd,CAAC;AAEX,iBAAS,gBAAgB,CACvB,SAAS,GAAE,eAAoB,GAC9B,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAczB;AAED,iBAAS,qBAAqB,CAC5B,SAAS,GAAE,IAAI,CAAC,eAAe,EAAE,UAAU,CAAM,GAChD,cAAc,CAahB;AAED,OAAO,EAAE,gBAAgB,EAAE,qBAAqB,EAAE,kBAAkB,EAAE,CAAC;AACvE,YAAY,EAAE,cAAc,EAAE,eAAe,EAAE,YAAY,EAAE,CAAC"}

package/dist/config.js

@@ -5,9 +5,9 @@
  * `fastify.config`. Logger level is resolved separately because the logger is
  * configured before plugins are registered.
  */
+import { DEFAULT_DATABASE_URL } from "./resolve-database-url.js";
 const DEFAULT_PORT = 3847;
 const DEFAULT_HOST = "127.0.0.1";
-const DEFAULT_DATABASE_URL = "postgresql://localhost:5432/axvault";
 const DEFAULT_REFRESH_THRESHOLD_SECONDS = 3600; // 1 hour
 const DEFAULT_REFRESH_TIMEOUT_MS = 30_000; // 30 seconds
 const DEFAULT_LOG_LEVEL = "info";

package/dist/config.js.map

@@ -1 +1 @@
-{"version":3,"file":"config.js","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAyCH,MAAM,YAAY,GAAG,IAAI,CAAC;AAC1B,MAAM,YAAY,GAAG,WAAW,CAAC;AACjC,MAAM,oBAAoB,GAAG,qCAAqC,CAAC;AACnE,MAAM,iCAAiC,GAAG,IAAI,CAAC,CAAC,SAAS;AACzD,MAAM,0BAA0B,GAAG,MAAM,CAAC,CAAC,aAAa;AACxD,MAAM,iBAAiB,GAAa,MAAM,CAAC;AAE3C,MAAM,gBAAgB,GAAG;IACvB,OAAO;IACP,OAAO;IACP,MAAM;IACN,MAAM;IACN,OAAO;IACP,OAAO;IACP,QAAQ;CACA,CAAC;AAEX,SAAS,UAAU,CAAC,KAAa;IAC/B,OAAQ,gBAAsC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AACjE,CAAC;AAED,MAAM,kBAAkB,GAAG;IACzB,IAAI,EAAE,QAAQ;IACd,QAAQ,EAAE,CAAC,eAAe,CAAC;IAC3B,UAAU,EAAE;QACV,IAAI,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,YAAY,EAAE;QAC/C,IAAI,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,YAAY,EAAE;QAC/C,WAAW,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,oBAAoB,EAAE;QAC9D,uBAAuB,EAAE;YACvB,IAAI,EAAE,QAAQ;YACd,OAAO,EAAE,CAAC;YACV,OAAO,EAAE,iCAAiC;SAC3C;QACD,gBAAgB,EAAE;YAChB,IAAI,EAAE,QAAQ;YACd,OAAO,EAAE,CAAC;YACV,OAAO,EAAE,0BAA0B;SACpC;QACD,QAAQ,EAAE;YACR,IAAI,EAAE,QAAQ;YACd,IAAI,EAAE,CAAC,GAAG,gBAAgB,CAAC;YAC3B,OAAO,EAAE,iBAAiB;SAC3B;QACD,aAAa,EAAE;YACb,IAAI,EAAE,QAAQ;YACd,SAAS,EAAE,EAAE;SACd;KACF;CACO,CAAC;AAEX,SAAS,gBAAgB,CACvB,YAA6B,EAAE;IAE/B,OAAO;QACL,IAAI,EAAE,SAAS,CAAC,IAAI,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY;QAChD,IAAI,EAAE,SAAS,CAAC,IAAI,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY;QAChD,WAAW,EAAE,SAAS,CAAC,WAAW,IAAI,OAAO,CAAC,GAAG,CAAC,oBAAoB;QACtE,uBAAuB,EACrB,SAAS,CAAC,uBAAuB;YACjC,OAAO,CAAC,GAAG,CAAC,yBAAyB;QACvC,gBAAgB,EACd,SAAS,CAAC,gBAAgB,IAAI,OAAO,CAAC,GAAG,CAAC,0BAA0B;QACtE,QAAQ,EAAE,SAAS,CAAC,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB;QAC7D,aAAa,EACX,SAAS,CAAC,aAAa,IAAI,OAAO,CAAC,GAAG,CAAC,sBAAsB;KAChE,CAAC;AACJ,CAAC;AAED,SAAS,qBAAqB,CAC5B,YAA+C,EAAE;IAEjD,MAAM,WAAW,GAAG,SAAS,CAAC,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;IACxE,MAAM,QAAQ,GAAG,WAAW,IAAI,iBAAiB,CAAC;IAElD,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CACb,uBAAuB,QAAQ,sBAAsB,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CACnF,CAAC;IACJ,CAAC;IAED,OAAO;QACL,QAAQ;KACT,CAAC;AACJ,CAAC;AAED,OAAO,EAAE,gBAAgB,EAAE,qBAAqB,EAAE,kBAAkB,EAAE,CAAC"}
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,oBAAoB,EAAE,MAAM,2BAA2B,CAAC;AAyCjE,MAAM,YAAY,GAAG,IAAI,CAAC;AAC1B,MAAM,YAAY,GAAG,WAAW,CAAC;AACjC,MAAM,iCAAiC,GAAG,IAAI,CAAC,CAAC,SAAS;AACzD,MAAM,0BAA0B,GAAG,MAAM,CAAC,CAAC,aAAa;AACxD,MAAM,iBAAiB,GAAa,MAAM,CAAC;AAE3C,MAAM,gBAAgB,GAAG;IACvB,OAAO;IACP,OAAO;IACP,MAAM;IACN,MAAM;IACN,OAAO;IACP,OAAO;IACP,QAAQ;CACA,CAAC;AAEX,SAAS,UAAU,CAAC,KAAa;IAC/B,OAAQ,gBAAsC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AACjE,CAAC;AAED,MAAM,kBAAkB,GAAG;IACzB,IAAI,EAAE,QAAQ;IACd,QAAQ,EAAE,CAAC,eAAe,CAAC;IAC3B,UAAU,EAAE;QACV,IAAI,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,YAAY,EAAE;QAC/C,IAAI,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,YAAY,EAAE;QAC/C,WAAW,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,oBAAoB,EAAE;QAC9D,uBAAuB,EAAE;YACvB,IAAI,EAAE,QAAQ;YACd,OAAO,EAAE,CAAC;YACV,OAAO,EAAE,iCAAiC;SAC3C;QACD,gBAAgB,EAAE;YAChB,IAAI,EAAE,QAAQ;YACd,OAAO,EAAE,CAAC;YACV,OAAO,EAAE,0BAA0B;SACpC;QACD,QAAQ,EAAE;YACR,IAAI,EAAE,QAAQ;YACd,IAAI,EAAE,CAAC,GAAG,gBAAgB,CAAC;YAC3B,OAAO,EAAE,iBAAiB;SAC3B;QACD,aAAa,EAAE;YACb,IAAI,EAAE,QAAQ;YACd,SAAS,EAAE,EAAE;SACd;KACF;CACO,CAAC;AAEX,SAAS,gBAAgB,CACvB,YAA6B,EAAE;IAE/B,OAAO;QACL,IAAI,EAAE,SAAS,CAAC,IAAI,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY;QAChD,IAAI,EAAE,SAAS,CAAC,IAAI,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY;QAChD,WAAW,EAAE,SAAS,CAAC,WAAW,IAAI,OAAO,CAAC,GAAG,CAAC,oBAAoB;QACtE,uBAAuB,EACrB,SAAS,CAAC,uBAAuB;YACjC,OAAO,CAAC,GAAG,CAAC,yBAAyB;QACvC,gBAAgB,EACd,SAAS,CAAC,gBAAgB,IAAI,OAAO,CAAC,GAAG,CAAC,0BAA0B;QACtE,QAAQ,EAAE,SAAS,CAAC,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB;QAC7D,aAAa,EACX,SAAS,CAAC,aAAa,IAAI,OAAO,CAAC,GAAG,CAAC,sBAAsB;KAChE,CAAC;AACJ,CAAC;AAED,SAAS,qBAAqB,CAC5B,YAA+C,EAAE;IAEjD,MAAM,WAAW,GAAG,SAAS,CAAC,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;IACxE,MAAM,QAAQ,GAAG,WAAW,IAAI,iBAAiB,CAAC;IAElD,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CACb,uBAAuB,QAAQ,sBAAsB,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CACnF,CAAC;IACJ,CAAC;IAED,OAAO;QACL,QAAQ;KACT,CAAC;AACJ,CAAC;AAED,OAAO,EAAE,gBAAgB,EAAE,qBAAqB,EAAE,kBAAkB,EAAE,CAAC"}

package/dist/db/bootstrap-api-key.d.ts

@@ -4,11 +4,11 @@
  * Serializes the bootstrap check inside a transaction-scoped advisory lock so
  * concurrent first-time startups cannot mint multiple root keys.
  */
-import type { PoolClient } from "pg";
+import type { Pool } from "pg";
 import { type ApiKeyWithSecret } from "./repositories/api-keys.js";
-interface TransactionalDatabase {
-    transact<TResult>(runInTransaction: (client: PoolClient) => Promise<TResult>): Promise<TResult>;
+interface BootstrapApiKeyOptions {
+    key?: string;
 }
-declare function bootstrapApiKey(database: TransactionalDatabase): Promise<ApiKeyWithSecret | undefined>;
+declare function bootstrapApiKey(pool: Pool, options?: BootstrapApiKeyOptions): Promise<ApiKeyWithSecret | undefined>;
 export { bootstrapApiKey };
 //# sourceMappingURL=bootstrap-api-key.d.ts.map

package/dist/db/bootstrap-api-key.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"bootstrap-api-key.d.ts","sourceRoot":"","sources":["../../src/db/bootstrap-api-key.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,IAAI,CAAC;AACrC,OAAO,EAEL,KAAK,gBAAgB,EACtB,MAAM,4BAA4B,CAAC;AAIpC,UAAU,qBAAqB;IAC7B,QAAQ,CAAC,OAAO,EACd,gBAAgB,EAAE,CAAC,MAAM,EAAE,UAAU,KAAK,OAAO,CAAC,OAAO,CAAC,GACzD,OAAO,CAAC,OAAO,CAAC,CAAC;CACrB;AAED,iBAAe,eAAe,CAC5B,QAAQ,EAAE,qBAAqB,GAC9B,OAAO,CAAC,gBAAgB,GAAG,SAAS,CAAC,CAmBvC;AAED,OAAO,EAAE,eAAe,EAAE,CAAC"}
+{"version":3,"file":"bootstrap-api-key.d.ts","sourceRoot":"","sources":["../../src/db/bootstrap-api-key.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,IAAI,CAAC;AAC/B,OAAO,EAEL,KAAK,gBAAgB,EACtB,MAAM,4BAA4B,CAAC;AASpC,UAAU,sBAAsB;IAC9B,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,iBAAe,eAAe,CAC5B,IAAI,EAAE,IAAI,EACV,OAAO,GAAE,sBAA2B,GACnC,OAAO,CAAC,gBAAgB,GAAG,SAAS,CAAC,CAsDvC;AAED,OAAO,EAAE,eAAe,EAAE,CAAC"}

package/dist/db/bootstrap-api-key.js

@@ -5,22 +5,55 @@
  * concurrent first-time startups cannot mint multiple root keys.
  */
 import { createApiKey, } from "./repositories/api-keys.js";
+import { findApiKeyByKey, hasGrantAccess, listApiKeys, } from "./repositories/api-keys.js";
 const BOOTSTRAP_API_KEY_LOCK_ID = 980_641_073;
-async function bootstrapApiKey(database) {
-    return database.transact(async (client) => {
+async function bootstrapApiKey(pool, options = {}) {
+    const client = await pool.connect();
+    try {
+        await client.query("BEGIN");
         await client.query("SELECT pg_advisory_xact_lock($1)", [
             BOOTSTRAP_API_KEY_LOCK_ID,
         ]);
-        const result = await client.query("SELECT EXISTS (SELECT 1 FROM api_keys) AS has_api_keys");
-        if (result.rows[0]?.has_api_keys)
+        if (options.key !== undefined) {
+            const existingBootstrapKey = await findApiKeyByKey(client, options.key);
+            if (existingBootstrapKey) {
+                if (hasGrantAccess(existingBootstrapKey, "*")) {
+                    await client.query("COMMIT");
+                    return;
+                }
+                throw new Error("The requested bootstrap admin key does not match the existing database state.");
+            }
+        }
+        const existingKeys = await listApiKeys(client);
+        if (existingKeys.some((key) => hasGrantAccess(key, "*"))) {
+            if (options.key !== undefined) {
+                throw new Error("The requested bootstrap admin key does not match the existing database state.");
+            }
+            await client.query("COMMIT");
             return;
-        return createApiKey(client, {
+        }
+        const createdKey = await createApiKey(client, {
             name: "Bootstrap Admin",
             readAccess: ["*"],
             writeAccess: ["*"],
             grantAccess: ["*"],
+            key: options.key,
         });
-    });
+        await client.query("COMMIT");
+        return createdKey;
+    }
+    catch (error) {
+        try {
+            await client.query("ROLLBACK");
+        }
+        catch {
+            // PostgreSQL automatically rolls back on disconnect; preserve the cause.
+        }
+        throw error;
+    }
+    finally {
+        client.release();
+    }
 }
 export { bootstrapApiKey };
 //# sourceMappingURL=bootstrap-api-key.js.map

package/dist/db/bootstrap-api-key.js.map

@@ -1 +1 @@
-{"version":3,"file":"bootstrap-api-key.js","sourceRoot":"","sources":["../../src/db/bootstrap-api-key.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EACL,YAAY,GAEb,MAAM,4BAA4B,CAAC;AAEpC,MAAM,yBAAyB,GAAG,WAAW,CAAC;AAQ9C,KAAK,UAAU,eAAe,CAC5B,QAA+B;IAE/B,OAAO,QAAQ,CAAC,QAAQ,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QACxC,MAAM,MAAM,CAAC,KAAK,CAAC,kCAAkC,EAAE;YACrD,yBAAyB;SAC1B,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,KAAK,CAC/B,wDAAwD,CACzD,CAAC;QAEF,IAAI,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,YAAY;YAAE,OAAO;QAEzC,OAAO,YAAY,CAAC,MAAM,EAAE;YAC1B,IAAI,EAAE,iBAAiB;YACvB,UAAU,EAAE,CAAC,GAAG,CAAC;YACjB,WAAW,EAAE,CAAC,GAAG,CAAC;YAClB,WAAW,EAAE,CAAC,GAAG,CAAC;SACnB,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED,OAAO,EAAE,eAAe,EAAE,CAAC"}
+{"version":3,"file":"bootstrap-api-key.js","sourceRoot":"","sources":["../../src/db/bootstrap-api-key.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EACL,YAAY,GAEb,MAAM,4BAA4B,CAAC;AACpC,OAAO,EACL,eAAe,EACf,cAAc,EACd,WAAW,GACZ,MAAM,4BAA4B,CAAC;AAEpC,MAAM,yBAAyB,GAAG,WAAW,CAAC;AAM9C,KAAK,UAAU,eAAe,CAC5B,IAAU,EACV,UAAkC,EAAE;IAEpC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;IAEpC,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAC5B,MAAM,MAAM,CAAC,KAAK,CAAC,kCAAkC,EAAE;YACrD,yBAAyB;SAC1B,CAAC,CAAC;QAEH,IAAI,OAAO,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;YAC9B,MAAM,oBAAoB,GAAG,MAAM,eAAe,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC;YACxE,IAAI,oBAAoB,EAAE,CAAC;gBACzB,IAAI,cAAc,CAAC,oBAAoB,EAAE,GAAG,CAAC,EAAE,CAAC;oBAC9C,MAAM,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;oBAC7B,OAAO;gBACT,CAAC;gBAED,MAAM,IAAI,KAAK,CACb,+EAA+E,CAChF,CAAC;YACJ,CAAC;QACH,CAAC;QAED,MAAM,YAAY,GAAG,MAAM,WAAW,CAAC,MAAM,CAAC,CAAC;QAC/C,IAAI,YAAY,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,cAAc,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,EAAE,CAAC;YACzD,IAAI,OAAO,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;gBAC9B,MAAM,IAAI,KAAK,CACb,+EAA+E,CAChF,CAAC;YACJ,CAAC;YACD,MAAM,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;YAC7B,OAAO;QACT,CAAC;QAED,MAAM,UAAU,GAAG,MAAM,YAAY,CAAC,MAAM,EAAE;YAC5C,IAAI,EAAE,iBAAiB;YACvB,UAAU,EAAE,CAAC,GAAG,CAAC;YACjB,WAAW,EAAE,CAAC,GAAG,CAAC;YAClB,WAAW,EAAE,CAAC,GAAG,CAAC;YAClB,GAAG,EAAE,OAAO,CAAC,GAAG;SACjB,CAAC,CAAC;QAEH,MAAM,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;QAC7B,OAAO,UAAU,CAAC;IACpB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,CAAC;YACH,MAAM,MAAM,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;QACjC,CAAC;QAAC,MAAM,CAAC;YACP,yEAAyE;QAC3E,CAAC;QACD,MAAM,KAAK,CAAC;IACd,CAAC;YAAS,CAAC;QACT,MAAM,CAAC,OAAO,EAAE,CAAC;IACnB,CAAC;AACH,CAAC;AAED,OAAO,EAAE,eAAe,EAAE,CAAC"}

package/dist/db/repositories/api-key-utilities.d.ts

@@ -5,8 +5,8 @@
  */
 /** Generate a new API key ID */
 declare function generateKeyId(): string;
-/** Generate a new API key secret */
-declare function generateKeySecret(): string;
+/** Generate or validate an API key secret for deterministic provisioning. */
+declare function resolveApiKeySecret(key?: string): string;
 /** Hash an API key for storage */
 declare function hashApiKey(key: string): string;
 /** Extract key prefix for display (axv_sk_ + first 8 hex chars of secret) */
@@ -23,5 +23,5 @@ declare function hasReadAccess(apiKey: AccessLists, name: string): boolean;
 declare function hasWriteAccess(apiKey: AccessLists, name: string): boolean;
 /** Check if API key has grant access to a credential */
 declare function hasGrantAccess(apiKey: AccessLists, name: string): boolean;
-export { extractKeyPrefix, generateKeyId, generateKeySecret, hashApiKey, hasGrantAccess, hasReadAccess, hasWriteAccess, };
+export { extractKeyPrefix, generateKeyId, hashApiKey, hasGrantAccess, hasReadAccess, hasWriteAccess, resolveApiKeySecret, };
 //# sourceMappingURL=api-key-utilities.d.ts.map

package/dist/db/repositories/api-key-utilities.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"api-key-utilities.d.ts","sourceRoot":"","sources":["../../../src/db/repositories/api-key-utilities.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAOH,gCAAgC;AAChC,iBAAS,aAAa,IAAI,MAAM,CAE/B;AAED,oCAAoC;AACpC,iBAAS,iBAAiB,IAAI,MAAM,CAEnC;AAED,kCAAkC;AAClC,iBAAS,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAEvC;AAED,6EAA6E;AAC7E,iBAAS,gBAAgB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAG7C;AAED,4CAA4C;AAC5C,UAAU,WAAW;IACnB,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,WAAW,EAAE,MAAM,EAAE,CAAC;CACvB;AAOD,uDAAuD;AACvD,iBAAS,aAAa,CAAC,MAAM,EAAE,WAAW,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAEjE;AAED,wDAAwD;AACxD,iBAAS,cAAc,CAAC,MAAM,EAAE,WAAW,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAElE;AAED,wDAAwD;AACxD,iBAAS,cAAc,CAAC,MAAM,EAAE,WAAW,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAElE;AAED,OAAO,EACL,gBAAgB,EAChB,aAAa,EACb,iBAAiB,EACjB,UAAU,EACV,cAAc,EACd,aAAa,EACb,cAAc,GACf,CAAC"}
+{"version":3,"file":"api-key-utilities.d.ts","sourceRoot":"","sources":["../../../src/db/repositories/api-key-utilities.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAQH,gCAAgC;AAChC,iBAAS,aAAa,IAAI,MAAM,CAE/B;AAOD,6EAA6E;AAC7E,iBAAS,mBAAmB,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,MAAM,CAYjD;AAED,kCAAkC;AAClC,iBAAS,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAEvC;AAED,6EAA6E;AAC7E,iBAAS,gBAAgB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAG7C;AAED,4CAA4C;AAC5C,UAAU,WAAW;IACnB,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,WAAW,EAAE,MAAM,EAAE,CAAC;CACvB;AAOD,uDAAuD;AACvD,iBAAS,aAAa,CAAC,MAAM,EAAE,WAAW,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAEjE;AAED,wDAAwD;AACxD,iBAAS,cAAc,CAAC,MAAM,EAAE,WAAW,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAElE;AAED,wDAAwD;AACxD,iBAAS,cAAc,CAAC,MAAM,EAAE,WAAW,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAElE;AAED,OAAO,EACL,gBAAgB,EAChB,aAAa,EACb,UAAU,EACV,cAAc,EACd,aAAa,EACb,cAAc,EACd,mBAAmB,GACpB,CAAC"}

package/dist/db/repositories/api-key-utilities.js

@@ -6,6 +6,7 @@
 import { createHash, randomBytes } from "node:crypto";
 /** Key prefix for identification (e.g., "axv_sk_01234567") */
 const KEY_PREFIX_LENGTH = 8;
+const API_KEY_SECRET_PATTERN = /^axv_sk_[0-9a-f]{32}$/u;
 /** Generate a new API key ID */
 function generateKeyId() {
     return `k_${randomBytes(6).toString("hex")}`;
@@ -14,6 +15,16 @@ function generateKeyId() {
 function generateKeySecret() {
     return `axv_sk_${randomBytes(16).toString("hex")}`;
 }
+/** Generate or validate an API key secret for deterministic provisioning. */
+function resolveApiKeySecret(key) {
+    if (key === undefined) {
+        return generateKeySecret();
+    }
+    if (!API_KEY_SECRET_PATTERN.test(key)) {
+        throw new Error("Invalid API key secret: expected axv_sk_ followed by 32 lowercase hexadecimal characters.");
+    }
+    return key;
+}
 /** Hash an API key for storage */
 function hashApiKey(key) {
     return createHash("sha256").update(key).digest("hex");
@@ -39,5 +50,5 @@ function hasWriteAccess(apiKey, name) {
 function hasGrantAccess(apiKey, name) {
     return hasAccess(apiKey.grantAccess, name);
 }
-export { extractKeyPrefix, generateKeyId, generateKeySecret, hashApiKey, hasGrantAccess, hasReadAccess, hasWriteAccess, };
+export { extractKeyPrefix, generateKeyId, hashApiKey, hasGrantAccess, hasReadAccess, hasWriteAccess, resolveApiKeySecret, };
 //# sourceMappingURL=api-key-utilities.js.map

package/dist/db/repositories/api-key-utilities.js.map

@@ -1 +1 @@
-{"version":3,"file":"api-key-utilities.js","sourceRoot":"","sources":["../../../src/db/repositories/api-key-utilities.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAEtD,8DAA8D;AAC9D,MAAM,iBAAiB,GAAG,CAAC,CAAC;AAE5B,gCAAgC;AAChC,SAAS,aAAa;IACpB,OAAO,KAAK,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;AAC/C,CAAC;AAED,oCAAoC;AACpC,SAAS,iBAAiB;IACxB,OAAO,UAAU,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;AACrD,CAAC;AAED,kCAAkC;AAClC,SAAS,UAAU,CAAC,GAAW;IAC7B,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACxD,CAAC;AAED,6EAA6E;AAC7E,SAAS,gBAAgB,CAAC,GAAW;IACnC,qCAAqC;IACrC,OAAO,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,GAAG,iBAAiB,CAAC,CAAC,CAAC,0BAA0B;AACxE,CAAC;AASD,8DAA8D;AAC9D,SAAS,SAAS,CAAC,UAAoB,EAAE,IAAY;IACnD,OAAO,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;AAC/D,CAAC;AAED,uDAAuD;AACvD,SAAS,aAAa,CAAC,MAAmB,EAAE,IAAY;IACtD,OAAO,SAAS,CAAC,MAAM,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC;AAC5C,CAAC;AAED,wDAAwD;AACxD,SAAS,cAAc,CAAC,MAAmB,EAAE,IAAY;IACvD,OAAO,SAAS,CAAC,MAAM,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC;AAC7C,CAAC;AAED,wDAAwD;AACxD,SAAS,cAAc,CAAC,MAAmB,EAAE,IAAY;IACvD,OAAO,SAAS,CAAC,MAAM,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC;AAC7C,CAAC;AAED,OAAO,EACL,gBAAgB,EAChB,aAAa,EACb,iBAAiB,EACjB,UAAU,EACV,cAAc,EACd,aAAa,EACb,cAAc,GACf,CAAC"}
+{"version":3,"file":"api-key-utilities.js","sourceRoot":"","sources":["../../../src/db/repositories/api-key-utilities.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAEtD,8DAA8D;AAC9D,MAAM,iBAAiB,GAAG,CAAC,CAAC;AAC5B,MAAM,sBAAsB,GAAG,wBAAwB,CAAC;AAExD,gCAAgC;AAChC,SAAS,aAAa;IACpB,OAAO,KAAK,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;AAC/C,CAAC;AAED,oCAAoC;AACpC,SAAS,iBAAiB;IACxB,OAAO,UAAU,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;AACrD,CAAC;AAED,6EAA6E;AAC7E,SAAS,mBAAmB,CAAC,GAAY;IACvC,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;QACtB,OAAO,iBAAiB,EAAE,CAAC;IAC7B,CAAC;IAED,IAAI,CAAC,sBAAsB,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QACtC,MAAM,IAAI,KAAK,CACb,2FAA2F,CAC5F,CAAC;IACJ,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC;AAED,kCAAkC;AAClC,SAAS,UAAU,CAAC,GAAW;IAC7B,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACxD,CAAC;AAED,6EAA6E;AAC7E,SAAS,gBAAgB,CAAC,GAAW;IACnC,qCAAqC;IACrC,OAAO,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,GAAG,iBAAiB,CAAC,CAAC,CAAC,0BAA0B;AACxE,CAAC;AASD,8DAA8D;AAC9D,SAAS,SAAS,CAAC,UAAoB,EAAE,IAAY;IACnD,OAAO,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;AAC/D,CAAC;AAED,uDAAuD;AACvD,SAAS,aAAa,CAAC,MAAmB,EAAE,IAAY;IACtD,OAAO,SAAS,CAAC,MAAM,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC;AAC5C,CAAC;AAED,wDAAwD;AACxD,SAAS,cAAc,CAAC,MAAmB,EAAE,IAAY;IACvD,OAAO,SAAS,CAAC,MAAM,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC;AAC7C,CAAC;AAED,wDAAwD;AACxD,SAAS,cAAc,CAAC,MAAmB,EAAE,IAAY;IACvD,OAAO,SAAS,CAAC,MAAM,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC;AAC7C,CAAC;AAED,OAAO,EACL,gBAAgB,EAChB,aAAa,EACb,UAAU,EACV,cAAc,EACd,aAAa,EACb,cAAc,EACd,mBAAmB,GACpB,CAAC"}

package/dist/db/repositories/api-keys.d.ts

@@ -11,13 +11,15 @@ declare function findApiKeyByKey(database: Queryable, key: string): Promise<ApiK
 declare function findApiKeyById(database: Queryable, id: string): Promise<ApiKeyRecord | undefined>;
 /** List all API keys (without revealing the raw key values) */
 declare function listApiKeys(database: Queryable): Promise<ApiKeyRecord[]>;
+/** Count API keys without loading full records. */
+declare function countApiKeys(database: Queryable): Promise<number>;
 /** Update last used timestamp */
 declare function updateLastUsed(database: Queryable, id: string): Promise<void>;
 /** Delete an API key */
 declare function deleteApiKey(database: Queryable, id: string): Promise<boolean>;
-export { deleteApiKey, findApiKeyById, findApiKeyByKey, listApiKeys, updateLastUsed, };
+export { countApiKeys, deleteApiKey, findApiKeyById, findApiKeyByKey, listApiKeys, updateLastUsed, };
 export { createApiKey } from "./create-api-key.js";
-export { hasGrantAccess, hasReadAccess, hasWriteAccess, } from "./api-key-utilities.js";
+export { hasGrantAccess, hasReadAccess, hasWriteAccess, resolveApiKeySecret, } from "./api-key-utilities.js";
 export { updateApiKeyAccess } from "./update-api-key-access.js";
 export type { ApiKeyRecord, ApiKeyWithSecret } from "./create-api-key.js";
 //# sourceMappingURL=api-keys.d.ts.map

package/dist/db/repositories/api-keys.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"api-keys.d.ts","sourceRoot":"","sources":["../../../src/db/repositories/api-keys.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAa,SAAS,EAAE,MAAM,aAAa,CAAC;AAExD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAmBxD,oCAAoC;AACpC,iBAAe,eAAe,CAC5B,QAAQ,EAAE,SAAS,EACnB,GAAG,EAAE,MAAM,GACV,OAAO,CAAC,YAAY,GAAG,SAAS,CAAC,CAOnC;AAED,yBAAyB;AACzB,iBAAe,cAAc,CAC3B,QAAQ,EAAE,SAAS,EACnB,EAAE,EAAE,MAAM,GACT,OAAO,CAAC,YAAY,GAAG,SAAS,CAAC,CAOnC;AAED,+DAA+D;AAC/D,iBAAe,WAAW,CAAC,QAAQ,EAAE,SAAS,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC,CAKvE;AAED,iCAAiC;AACjC,iBAAe,cAAc,CAAC,QAAQ,EAAE,SAAS,EAAE,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAK5E;AAED,wBAAwB;AACxB,iBAAe,YAAY,CAAC,QAAQ,EAAE,SAAS,EAAE,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAK7E;AAED,OAAO,EACL,YAAY,EACZ,cAAc,EACd,eAAe,EACf,WAAW,EACX,cAAc,GACf,CAAC;AACF,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EACL,cAAc,EACd,aAAa,EACb,cAAc,GACf,MAAM,wBAAwB,CAAC;AAChC,OAAO,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC;AAChE,YAAY,EAAE,YAAY,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC"}
+{"version":3,"file":"api-keys.d.ts","sourceRoot":"","sources":["../../../src/db/repositories/api-keys.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAa,SAAS,EAAE,MAAM,aAAa,CAAC;AAExD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAmBxD,oCAAoC;AACpC,iBAAe,eAAe,CAC5B,QAAQ,EAAE,SAAS,EACnB,GAAG,EAAE,MAAM,GACV,OAAO,CAAC,YAAY,GAAG,SAAS,CAAC,CAOnC;AAED,yBAAyB;AACzB,iBAAe,cAAc,CAC3B,QAAQ,EAAE,SAAS,EACnB,EAAE,EAAE,MAAM,GACT,OAAO,CAAC,YAAY,GAAG,SAAS,CAAC,CAOnC;AAED,+DAA+D;AAC/D,iBAAe,WAAW,CAAC,QAAQ,EAAE,SAAS,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC,CAKvE;AAED,mDAAmD;AACnD,iBAAe,YAAY,CAAC,QAAQ,EAAE,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,CAKhE;AAED,iCAAiC;AACjC,iBAAe,cAAc,CAAC,QAAQ,EAAE,SAAS,EAAE,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAK5E;AAED,wBAAwB;AACxB,iBAAe,YAAY,CAAC,QAAQ,EAAE,SAAS,EAAE,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAK7E;AAED,OAAO,EACL,YAAY,EACZ,YAAY,EACZ,cAAc,EACd,eAAe,EACf,WAAW,EACX,cAAc,GACf,CAAC;AACF,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EACL,cAAc,EACd,aAAa,EACb,cAAc,EACd,mBAAmB,GACpB,MAAM,wBAAwB,CAAC;AAChC,OAAO,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC;AAChE,YAAY,EAAE,YAAY,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC"}

package/dist/db/repositories/api-keys.js

@@ -36,6 +36,11 @@ async function listApiKeys(database) {
     const result = await database.query(`SELECT ${SELECT_COLUMNS} FROM api_keys ORDER BY created_at DESC`);
     return result.rows.map((row) => rowToRecord(row));
 }
+/** Count API keys without loading full records. */
+async function countApiKeys(database) {
+    const result = await database.query("SELECT COUNT(*)::int AS count FROM api_keys");
+    return result.rows[0]?.count ?? 0;
+}
 /** Update last used timestamp */
 async function updateLastUsed(database, id) {
     await database.query(`UPDATE api_keys SET last_used_at = $1 WHERE id = $2`, [
@@ -50,8 +55,8 @@ async function deleteApiKey(database, id) {
     ]);
     return (result.rowCount ?? 0) > 0;
 }
-export { deleteApiKey, findApiKeyById, findApiKeyByKey, listApiKeys, updateLastUsed, };
+export { countApiKeys, deleteApiKey, findApiKeyById, findApiKeyByKey, listApiKeys, updateLastUsed, };
 export { createApiKey } from "./create-api-key.js";
-export { hasGrantAccess, hasReadAccess, hasWriteAccess, } from "./api-key-utilities.js";
+export { hasGrantAccess, hasReadAccess, hasWriteAccess, resolveApiKeySecret, } from "./api-key-utilities.js";
 export { updateApiKeyAccess } from "./update-api-key-access.js";
 //# sourceMappingURL=api-keys.js.map

package/dist/db/repositories/api-keys.js.map

@@ -1 +1 @@
-{"version":3,"file":"api-keys.js","sourceRoot":"","sources":["../../../src/db/repositories/api-keys.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AAGpD,qCAAqC;AACrC,SAAS,WAAW,CAAC,GAAc;IACjC,OAAO;QACL,EAAE,EAAE,GAAG,CAAC,EAAE;QACV,IAAI,EAAE,GAAG,CAAC,IAAI;QACd,OAAO,EAAE,GAAG,CAAC,QAAQ;QACrB,SAAS,EAAE,GAAG,CAAC,UAAU,IAAI,SAAS;QACtC,UAAU,EAAE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,WAAW,CAAa;QACnD,WAAW,EAAE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,YAAY,CAAa;QACrD,WAAW,EAAE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,YAAY,CAAa;QACrD,SAAS,EAAE,IAAI,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC;QACnC,UAAU,EAAE,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,SAAS;KACtE,CAAC;AACJ,CAAC;AAED,MAAM,cAAc,GAAG,mGAAmG,CAAC;AAE3H,oCAAoC;AACpC,KAAK,UAAU,eAAe,CAC5B,QAAmB,EACnB,GAAW;IAEX,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,KAAK,CACjC,UAAU,cAAc,oCAAoC,EAC5D,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAClB,CAAC;IACF,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC3B,OAAO,GAAG,CAAC,CAAC,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;AAC5C,CAAC;AAED,yBAAyB;AACzB,KAAK,UAAU,cAAc,CAC3B,QAAmB,EACnB,EAAU;IAEV,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,KAAK,CACjC,UAAU,cAAc,8BAA8B,EACtD,CAAC,EAAE,CAAC,CACL,CAAC;IACF,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC3B,OAAO,GAAG,CAAC,CAAC,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;AAC5C,CAAC;AAED,+DAA+D;AAC/D,KAAK,UAAU,WAAW,CAAC,QAAmB;IAC5C,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,KAAK,CACjC,UAAU,cAAc,yCAAyC,CAClE,CAAC;IACF,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC;AACpD,CAAC;AAED,iCAAiC;AACjC,KAAK,UAAU,cAAc,CAAC,QAAmB,EAAE,EAAU;IAC3D,MAAM,QAAQ,CAAC,KAAK,CAAC,qDAAqD,EAAE;QAC1E,IAAI,CAAC,GAAG,EAAE;QACV,EAAE;KACH,CAAC,CAAC;AACL,CAAC;AAED,wBAAwB;AACxB,KAAK,UAAU,YAAY,CAAC,QAAmB,EAAE,EAAU;IACzD,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,KAAK,CAAC,oCAAoC,EAAE;QACxE,EAAE;KACH,CAAC,CAAC;IACH,OAAO,CAAC,MAAM,CAAC,QAAQ,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;AACpC,CAAC;AAED,OAAO,EACL,YAAY,EACZ,cAAc,EACd,eAAe,EACf,WAAW,EACX,cAAc,GACf,CAAC;AACF,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EACL,cAAc,EACd,aAAa,EACb,cAAc,GACf,MAAM,wBAAwB,CAAC;AAChC,OAAO,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC"}
+{"version":3,"file":"api-keys.js","sourceRoot":"","sources":["../../../src/db/repositories/api-keys.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AAGpD,qCAAqC;AACrC,SAAS,WAAW,CAAC,GAAc;IACjC,OAAO;QACL,EAAE,EAAE,GAAG,CAAC,EAAE;QACV,IAAI,EAAE,GAAG,CAAC,IAAI;QACd,OAAO,EAAE,GAAG,CAAC,QAAQ;QACrB,SAAS,EAAE,GAAG,CAAC,UAAU,IAAI,SAAS;QACtC,UAAU,EAAE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,WAAW,CAAa;QACnD,WAAW,EAAE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,YAAY,CAAa;QACrD,WAAW,EAAE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,YAAY,CAAa;QACrD,SAAS,EAAE,IAAI,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC;QACnC,UAAU,EAAE,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,SAAS;KACtE,CAAC;AACJ,CAAC;AAED,MAAM,cAAc,GAAG,mGAAmG,CAAC;AAE3H,oCAAoC;AACpC,KAAK,UAAU,eAAe,CAC5B,QAAmB,EACnB,GAAW;IAEX,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,KAAK,CACjC,UAAU,cAAc,oCAAoC,EAC5D,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAClB,CAAC;IACF,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC3B,OAAO,GAAG,CAAC,CAAC,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;AAC5C,CAAC;AAED,yBAAyB;AACzB,KAAK,UAAU,cAAc,CAC3B,QAAmB,EACnB,EAAU;IAEV,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,KAAK,CACjC,UAAU,cAAc,8BAA8B,EACtD,CAAC,EAAE,CAAC,CACL,CAAC;IACF,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC3B,OAAO,GAAG,CAAC,CAAC,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;AAC5C,CAAC;AAED,+DAA+D;AAC/D,KAAK,UAAU,WAAW,CAAC,QAAmB;IAC5C,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,KAAK,CACjC,UAAU,cAAc,yCAAyC,CAClE,CAAC;IACF,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC;AACpD,CAAC;AAED,mDAAmD;AACnD,KAAK,UAAU,YAAY,CAAC,QAAmB;IAC7C,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,KAAK,CACjC,6CAA6C,CAC9C,CAAC;IACF,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,KAAK,IAAI,CAAC,CAAC;AACpC,CAAC;AAED,iCAAiC;AACjC,KAAK,UAAU,cAAc,CAAC,QAAmB,EAAE,EAAU;IAC3D,MAAM,QAAQ,CAAC,KAAK,CAAC,qDAAqD,EAAE;QAC1E,IAAI,CAAC,GAAG,EAAE;QACV,EAAE;KACH,CAAC,CAAC;AACL,CAAC;AAED,wBAAwB;AACxB,KAAK,UAAU,YAAY,CAAC,QAAmB,EAAE,EAAU;IACzD,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,KAAK,CAAC,oCAAoC,EAAE;QACxE,EAAE;KACH,CAAC,CAAC;IACH,OAAO,CAAC,MAAM,CAAC,QAAQ,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;AACpC,CAAC;AAED,OAAO,EACL,YAAY,EACZ,YAAY,EACZ,cAAc,EACd,eAAe,EACf,WAAW,EACX,cAAc,GACf,CAAC;AACF,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EACL,cAAc,EACd,aAAa,EACb,cAAc,EACd,mBAAmB,GACpB,MAAM,wBAAwB,CAAC;AAChC,OAAO,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC"}

package/dist/db/repositories/create-api-key.d.ts

@@ -24,6 +24,7 @@ declare function createApiKey(database: Queryable, options: {
     readAccess: string[];
     writeAccess: string[];
     grantAccess: string[];
+    key?: string;
 }): Promise<ApiKeyWithSecret>;
 export { createApiKey };
 export type { ApiKeyRecord, ApiKeyWithSecret };

package/dist/db/repositories/create-api-key.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"create-api-key.d.ts","sourceRoot":"","sources":["../../../src/db/repositories/create-api-key.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAQ7C,sCAAsC;AACtC,UAAU,YAAY;IACpB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,GAAG,SAAS,CAAC;IAC9B,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,SAAS,EAAE,IAAI,CAAC;IAChB,UAAU,EAAE,IAAI,GAAG,SAAS,CAAC;CAC9B;AAED,2DAA2D;AAC3D,UAAU,gBAAiB,SAAQ,YAAY;IAC7C,GAAG,EAAE,MAAM,CAAC;CACb;AAED,2BAA2B;AAC3B,iBAAe,YAAY,CACzB,QAAQ,EAAE,SAAS,EACnB,OAAO,EAAE;IACP,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,WAAW,EAAE,MAAM,EAAE,CAAC;CACvB,GACA,OAAO,CAAC,gBAAgB,CAAC,CAkC3B;AAED,OAAO,EAAE,YAAY,EAAE,CAAC;AACxB,YAAY,EAAE,YAAY,EAAE,gBAAgB,EAAE,CAAC"}
+{"version":3,"file":"create-api-key.d.ts","sourceRoot":"","sources":["../../../src/db/repositories/create-api-key.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAQ7C,sCAAsC;AACtC,UAAU,YAAY;IACpB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,GAAG,SAAS,CAAC;IAC9B,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,SAAS,EAAE,IAAI,CAAC;IAChB,UAAU,EAAE,IAAI,GAAG,SAAS,CAAC;CAC9B;AAED,2DAA2D;AAC3D,UAAU,gBAAiB,SAAQ,YAAY;IAC7C,GAAG,EAAE,MAAM,CAAC;CACb;AAED,2BAA2B;AAC3B,iBAAe,YAAY,CACzB,QAAQ,EAAE,SAAS,EACnB,OAAO,EAAE;IACP,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,GAAG,CAAC,EAAE,MAAM,CAAC;CACd,GACA,OAAO,CAAC,gBAAgB,CAAC,CAkC3B;AAED,OAAO,EAAE,YAAY,EAAE,CAAC;AACxB,YAAY,EAAE,YAAY,EAAE,gBAAgB,EAAE,CAAC"}

package/dist/db/repositories/create-api-key.js

@@ -1,11 +1,11 @@
 /**
  * Create a new API key.
  */
-import { extractKeyPrefix, generateKeyId, generateKeySecret, hashApiKey, } from "./api-key-utilities.js";
+import { extractKeyPrefix, generateKeyId, hashApiKey, resolveApiKeySecret, } from "./api-key-utilities.js";
 /** Create a new API key */
 async function createApiKey(database, options) {
     const id = generateKeyId();
-    const key = generateKeySecret();
+    const key = resolveApiKeySecret(options.key);
     const keyHash = hashApiKey(key);
     const keyPrefix = extractKeyPrefix(key);
     const now = Date.now();

package/dist/db/repositories/create-api-key.js.map

@@ -1 +1 @@
-{"version":3,"file":"create-api-key.js","sourceRoot":"","sources":["../../../src/db/repositories/create-api-key.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,EACL,gBAAgB,EAChB,aAAa,EACb,iBAAiB,EACjB,UAAU,GACX,MAAM,wBAAwB,CAAC;AAoBhC,2BAA2B;AAC3B,KAAK,UAAU,YAAY,CACzB,QAAmB,EACnB,OAKC;IAED,MAAM,EAAE,GAAG,aAAa,EAAE,CAAC;IAC3B,MAAM,GAAG,GAAG,iBAAiB,EAAE,CAAC;IAChC,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC;IAChC,MAAM,SAAS,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAC;IACxC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAEvB,MAAM,QAAQ,CAAC,KAAK,CAClB;6CACyC,EACzC;QACE,EAAE;QACF,OAAO,CAAC,IAAI;QACZ,OAAO;QACP,SAAS;QACT,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,UAAU,CAAC;QAClC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,WAAW,CAAC;QACnC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,WAAW,CAAC;QACnC,GAAG;KACJ,CACF,CAAC;IAEF,OAAO;QACL,EAAE;QACF,IAAI,EAAE,OAAO,CAAC,IAAI;QAClB,GAAG;QACH,OAAO;QACP,SAAS;QACT,UAAU,EAAE,OAAO,CAAC,UAAU;QAC9B,WAAW,EAAE,OAAO,CAAC,WAAW;QAChC,WAAW,EAAE,OAAO,CAAC,WAAW;QAChC,SAAS,EAAE,IAAI,IAAI,CAAC,GAAG,CAAC;QACxB,UAAU,EAAE,SAAS;KACtB,CAAC;AACJ,CAAC;AAED,OAAO,EAAE,YAAY,EAAE,CAAC"}
+{"version":3,"file":"create-api-key.js","sourceRoot":"","sources":["../../../src/db/repositories/create-api-key.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,EACL,gBAAgB,EAChB,aAAa,EACb,UAAU,EACV,mBAAmB,GACpB,MAAM,wBAAwB,CAAC;AAoBhC,2BAA2B;AAC3B,KAAK,UAAU,YAAY,CACzB,QAAmB,EACnB,OAMC;IAED,MAAM,EAAE,GAAG,aAAa,EAAE,CAAC;IAC3B,MAAM,GAAG,GAAG,mBAAmB,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAC7C,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC;IAChC,MAAM,SAAS,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAC;IACxC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAEvB,MAAM,QAAQ,CAAC,KAAK,CAClB;6CACyC,EACzC;QACE,EAAE;QACF,OAAO,CAAC,IAAI;QACZ,OAAO;QACP,SAAS;QACT,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,UAAU,CAAC;QAClC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,WAAW,CAAC;QACnC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,WAAW,CAAC;QACnC,GAAG;KACJ,CACF,CAAC;IAEF,OAAO;QACL,EAAE;QACF,IAAI,EAAE,OAAO,CAAC,IAAI;QAClB,GAAG;QACH,OAAO;QACP,SAAS;QACT,UAAU,EAAE,OAAO,CAAC,UAAU;QAC9B,WAAW,EAAE,OAAO,CAAC,WAAW;QAChC,WAAW,EAAE,OAAO,CAAC,WAAW;QAChC,SAAS,EAAE,IAAI,IAAI,CAAC,GAAG,CAAC;QACxB,UAAU,EAAE,SAAS;KACtB,CAAC;AACJ,CAAC;AAED,OAAO,EAAE,YAAY,EAAE,CAAC"}

package/dist/db/verify-database-initialization.d.ts

@@ -0,0 +1,4 @@
+import type { Queryable } from "./types.js";
+declare function verifyDatabaseInitialization(database: Queryable): Promise<void>;
+export { verifyDatabaseInitialization };
+//# sourceMappingURL=verify-database-initialization.d.ts.map

package/dist/db/verify-database-initialization.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify-database-initialization.d.ts","sourceRoot":"","sources":["../../src/db/verify-database-initialization.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAwB5C,iBAAe,4BAA4B,CACzC,QAAQ,EAAE,SAAS,GAClB,OAAO,CAAC,IAAI,CAAC,CAsDf;AAED,OAAO,EAAE,4BAA4B,EAAE,CAAC"}

package/dist/db/verify-database-initialization.js

@@ -0,0 +1,66 @@
+const REQUIRED_CREDENTIAL_COLUMNS = [
+    "name",
+    "agent",
+    "provider",
+    "display_name",
+    "notes",
+    "encrypted_data",
+    "salt",
+    "iv",
+    "auth_tag",
+    "created_at",
+    "updated_at",
+];
+async function verifyDatabaseInitialization(database) {
+    const result = await database.query(`
+    SELECT
+      to_regclass('api_keys') IS NOT NULL AS has_api_keys,
+      to_regclass('credentials') IS NOT NULL AS has_credentials,
+      to_regclass('audit_log') IS NOT NULL AS has_audit_log,
+      EXISTS (
+        SELECT 1
+        FROM information_schema.columns
+        WHERE table_schema = current_schema()
+          AND table_name = 'audit_log'
+          AND column_name = 'detail'
+      ) AS has_audit_log_detail,
+      COALESCE(
+        ARRAY(
+          SELECT column_name
+          FROM information_schema.columns
+          WHERE table_schema = current_schema()
+            AND table_name = 'credentials'
+        ),
+        ARRAY[]::text[]
+      ) AS credential_columns
+  `);
+    const status = result.rows[0];
+    if (!status) {
+        throw new Error("Failed to inspect database schema.");
+    }
+    const missingParts = [];
+    if (!status.has_api_keys) {
+        missingParts.push("table api_keys");
+    }
+    if (status.has_credentials) {
+        for (const column of REQUIRED_CREDENTIAL_COLUMNS) {
+            if (!status.credential_columns.includes(column)) {
+                missingParts.push(`column credentials.${column}`);
+            }
+        }
+    }
+    else {
+        missingParts.push("table credentials");
+    }
+    if (!status.has_audit_log) {
+        missingParts.push("table audit_log");
+    }
+    else if (!status.has_audit_log_detail) {
+        missingParts.push("column audit_log.detail");
+    }
+    if (missingParts.length > 0) {
+        throw new Error(`Database schema is missing ${missingParts.join(", ")}.`);
+    }
+}
+export { verifyDatabaseInitialization };
+//# sourceMappingURL=verify-database-initialization.js.map

package/dist/db/verify-database-initialization.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify-database-initialization.js","sourceRoot":"","sources":["../../src/db/verify-database-initialization.ts"],"names":[],"mappings":"AAUA,MAAM,2BAA2B,GAAG;IAClC,MAAM;IACN,OAAO;IACP,UAAU;IACV,cAAc;IACd,OAAO;IACP,gBAAgB;IAChB,MAAM;IACN,IAAI;IACJ,UAAU;IACV,YAAY;IACZ,YAAY;CACJ,CAAC;AAEX,KAAK,UAAU,4BAA4B,CACzC,QAAmB;IAEnB,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,KAAK,CAA0B;;;;;;;;;;;;;;;;;;;;;GAqB5D,CAAC,CAAC;IAEH,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC9B,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;IACxD,CAAC;IAED,MAAM,YAAY,GAAa,EAAE,CAAC;IAElC,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;QACzB,YAAY,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;IACtC,CAAC;IAED,IAAI,MAAM,CAAC,eAAe,EAAE,CAAC;QAC3B,KAAK,MAAM,MAAM,IAAI,2BAA2B,EAAE,CAAC;YACjD,IAAI,CAAC,MAAM,CAAC,kBAAkB,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;gBAChD,YAAY,CAAC,IAAI,CAAC,sBAAsB,MAAM,EAAE,CAAC,CAAC;YACpD,CAAC;QACH,CAAC;IACH,CAAC;SAAM,CAAC;QACN,YAAY,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;IACzC,CAAC;IAED,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE,CAAC;QAC1B,YAAY,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;IACvC,CAAC;SAAM,IAAI,CAAC,MAAM,CAAC,oBAAoB,EAAE,CAAC;QACxC,YAAY,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC;IAC/C,CAAC;IAED,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,8BAA8B,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC5E,CAAC;AACH,CAAC;AAED,OAAO,EAAE,4BAA4B,EAAE,CAAC"}

package/dist/index.d.ts

@@ -7,6 +7,8 @@
  */
 export type { ServerConfig } from "./config.js";
 export type { BuildAppConfig } from "./config.js";
+export { createConfigData, resolveBuildAppConfig, serverConfigSchema, } from "./config.js";
+export { resolveDatabaseUrl } from "./resolve-database-url.js";
 export { buildApp } from "./server/server.js";
 export { default as configPlugin } from "./server/plugins/config.js";
 export { default as databasePlugin } from "./server/plugins/database.js";
@@ -15,10 +17,10 @@ export { default as healthRoutes } from "./server/routes/health.js";
 export { default as credentialRoutes } from "./server/routes/credentials.js";
 export { default as keyRoutes } from "./server/routes/keys.js";
 export { runMigrations } from "./db/run-migrations.js";
-export { bootstrapApiKey } from "./db/bootstrap-api-key.js";
+export { closePool, createPool } from "./db/create-pool.js";
 export type { Queryable } from "./db/types.js";
 export type { ApiKeyRecord, ApiKeyWithSecret, } from "./db/repositories/api-keys.js";
-export { createApiKey, deleteApiKey, findApiKeyById, findApiKeyByKey, hasGrantAccess, hasReadAccess, hasWriteAccess, listApiKeys, updateApiKeyAccess, updateLastUsed, } from "./db/repositories/api-keys.js";
+export { countApiKeys, createApiKey, deleteApiKey, findApiKeyById, findApiKeyByKey, hasGrantAccess, hasReadAccess, hasWriteAccess, listApiKeys, resolveApiKeySecret, updateApiKeyAccess, updateLastUsed, } from "./db/repositories/api-keys.js";
 export type { AuditLogEntry } from "./db/repositories/audit-log.js";
 export { getLogsForCredential, getRecentLogs, logAccess, pruneOldLogs, } from "./db/repositories/audit-log.js";
 export type { CredentialMetadata, CredentialRecord, } from "./db/repositories/credentials.js";

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,YAAY,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAChD,YAAY,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAClD,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAG9C,OAAO,EAAE,OAAO,IAAI,YAAY,EAAE,MAAM,4BAA4B,CAAC;AACrE,OAAO,EAAE,OAAO,IAAI,cAAc,EAAE,MAAM,8BAA8B,CAAC;AACzE,OAAO,EAAE,OAAO,IAAI,UAAU,EAAE,MAAM,0BAA0B,CAAC;AAGjE,OAAO,EAAE,OAAO,IAAI,YAAY,EAAE,MAAM,2BAA2B,CAAC;AACpE,OAAO,EAAE,OAAO,IAAI,gBAAgB,EAAE,MAAM,gCAAgC,CAAC;AAC7E,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,yBAAyB,CAAC;AAG/D,OAAO,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AACvD,OAAO,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAC5D,YAAY,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAG/C,YAAY,EACV,YAAY,EACZ,gBAAgB,GACjB,MAAM,+BAA+B,CAAC;AACvC,OAAO,EACL,YAAY,EACZ,YAAY,EACZ,cAAc,EACd,eAAe,EACf,cAAc,EACd,aAAa,EACb,cAAc,EACd,WAAW,EACX,kBAAkB,EAClB,cAAc,GACf,MAAM,+BAA+B,CAAC;AACvC,YAAY,EAAE,aAAa,EAAE,MAAM,gCAAgC,CAAC;AACpE,OAAO,EACL,oBAAoB,EACpB,aAAa,EACb,SAAS,EACT,YAAY,GACb,MAAM,gCAAgC,CAAC;AACxC,YAAY,EACV,kBAAkB,EAClB,gBAAgB,GACjB,MAAM,kCAAkC,CAAC;AAC1C,OAAO,EACL,gBAAgB,EAChB,aAAa,EACb,eAAe,EACf,wBAAwB,EACxB,wBAAwB,EACxB,gBAAgB,GACjB,MAAM,kCAAkC,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,YAAY,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAChD,YAAY,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAClD,OAAO,EACL,gBAAgB,EAChB,qBAAqB,EACrB,kBAAkB,GACnB,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAC/D,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAG9C,OAAO,EAAE,OAAO,IAAI,YAAY,EAAE,MAAM,4BAA4B,CAAC;AACrE,OAAO,EAAE,OAAO,IAAI,cAAc,EAAE,MAAM,8BAA8B,CAAC;AACzE,OAAO,EAAE,OAAO,IAAI,UAAU,EAAE,MAAM,0BAA0B,CAAC;AAGjE,OAAO,EAAE,OAAO,IAAI,YAAY,EAAE,MAAM,2BAA2B,CAAC;AACpE,OAAO,EAAE,OAAO,IAAI,gBAAgB,EAAE,MAAM,gCAAgC,CAAC;AAC7E,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,yBAAyB,CAAC;AAG/D,OAAO,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AACvD,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAC5D,YAAY,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAG/C,YAAY,EACV,YAAY,EACZ,gBAAgB,GACjB,MAAM,+BAA+B,CAAC;AACvC,OAAO,EACL,YAAY,EACZ,YAAY,EACZ,YAAY,EACZ,cAAc,EACd,eAAe,EACf,cAAc,EACd,aAAa,EACb,cAAc,EACd,WAAW,EACX,mBAAmB,EACnB,kBAAkB,EAClB,cAAc,GACf,MAAM,+BAA+B,CAAC;AACvC,YAAY,EAAE,aAAa,EAAE,MAAM,gCAAgC,CAAC;AACpE,OAAO,EACL,oBAAoB,EACpB,aAAa,EACb,SAAS,EACT,YAAY,GACb,MAAM,gCAAgC,CAAC;AACxC,YAAY,EACV,kBAAkB,EAClB,gBAAgB,GACjB,MAAM,kCAAkC,CAAC;AAC1C,OAAO,EACL,gBAAgB,EAChB,aAAa,EACb,eAAe,EACf,wBAAwB,EACxB,wBAAwB,EACxB,gBAAgB,GACjB,MAAM,kCAAkC,CAAC"}

package/dist/index.js

@@ -5,6 +5,8 @@
  * The legacy createServer/createPool surface was intentionally removed; build
  * the app with `buildApp()` plus the exported Fastify plugins instead.
  */
+export { createConfigData, resolveBuildAppConfig, serverConfigSchema, } from "./config.js";
+export { resolveDatabaseUrl } from "./resolve-database-url.js";
 export { buildApp } from "./server/server.js";
 // Plugins
 export { default as configPlugin } from "./server/plugins/config.js";
@@ -16,8 +18,8 @@ export { default as credentialRoutes } from "./server/routes/credentials.js";
 export { default as keyRoutes } from "./server/routes/keys.js";
 // Database
 export { runMigrations } from "./db/run-migrations.js";
-export { bootstrapApiKey } from "./db/bootstrap-api-key.js";
-export { createApiKey, deleteApiKey, findApiKeyById, findApiKeyByKey, hasGrantAccess, hasReadAccess, hasWriteAccess, listApiKeys, updateApiKeyAccess, updateLastUsed, } from "./db/repositories/api-keys.js";
+export { closePool, createPool } from "./db/create-pool.js";
+export { countApiKeys, createApiKey, deleteApiKey, findApiKeyById, findApiKeyByKey, hasGrantAccess, hasReadAccess, hasWriteAccess, listApiKeys, resolveApiKeySecret, updateApiKeyAccess, updateLastUsed, } from "./db/repositories/api-keys.js";
 export { getLogsForCredential, getRecentLogs, logAccess, pruneOldLogs, } from "./db/repositories/audit-log.js";
 export { deleteCredential, getCredential, listCredentials, listCredentialsForApiKey, listCredentialsPaginated, upsertCredential, } from "./db/repositories/credentials.js";
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAE9C,UAAU;AACV,OAAO,EAAE,OAAO,IAAI,YAAY,EAAE,MAAM,4BAA4B,CAAC;AACrE,OAAO,EAAE,OAAO,IAAI,cAAc,EAAE,MAAM,8BAA8B,CAAC;AACzE,OAAO,EAAE,OAAO,IAAI,UAAU,EAAE,MAAM,0BAA0B,CAAC;AAEjE,gBAAgB;AAChB,OAAO,EAAE,OAAO,IAAI,YAAY,EAAE,MAAM,2BAA2B,CAAC;AACpE,OAAO,EAAE,OAAO,IAAI,gBAAgB,EAAE,MAAM,gCAAgC,CAAC;AAC7E,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,yBAAyB,CAAC;AAE/D,WAAW;AACX,OAAO,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AACvD,OAAO,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAQ5D,OAAO,EACL,YAAY,EACZ,YAAY,EACZ,cAAc,EACd,eAAe,EACf,cAAc,EACd,aAAa,EACb,cAAc,EACd,WAAW,EACX,kBAAkB,EAClB,cAAc,GACf,MAAM,+BAA+B,CAAC;AAEvC,OAAO,EACL,oBAAoB,EACpB,aAAa,EACb,SAAS,EACT,YAAY,GACb,MAAM,gCAAgC,CAAC;AAKxC,OAAO,EACL,gBAAgB,EAChB,aAAa,EACb,eAAe,EACf,wBAAwB,EACxB,wBAAwB,EACxB,gBAAgB,GACjB,MAAM,kCAAkC,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,OAAO,EACL,gBAAgB,EAChB,qBAAqB,EACrB,kBAAkB,GACnB,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAC/D,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAE9C,UAAU;AACV,OAAO,EAAE,OAAO,IAAI,YAAY,EAAE,MAAM,4BAA4B,CAAC;AACrE,OAAO,EAAE,OAAO,IAAI,cAAc,EAAE,MAAM,8BAA8B,CAAC;AACzE,OAAO,EAAE,OAAO,IAAI,UAAU,EAAE,MAAM,0BAA0B,CAAC;AAEjE,gBAAgB;AAChB,OAAO,EAAE,OAAO,IAAI,YAAY,EAAE,MAAM,2BAA2B,CAAC;AACpE,OAAO,EAAE,OAAO,IAAI,gBAAgB,EAAE,MAAM,gCAAgC,CAAC;AAC7E,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,yBAAyB,CAAC;AAE/D,WAAW;AACX,OAAO,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AACvD,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAQ5D,OAAO,EACL,YAAY,EACZ,YAAY,EACZ,YAAY,EACZ,cAAc,EACd,eAAe,EACf,cAAc,EACd,aAAa,EACb,cAAc,EACd,WAAW,EACX,mBAAmB,EACnB,kBAAkB,EAClB,cAAc,GACf,MAAM,+BAA+B,CAAC;AAEvC,OAAO,EACL,oBAAoB,EACpB,aAAa,EACb,SAAS,EACT,YAAY,GACb,MAAM,gCAAgC,CAAC;AAKxC,OAAO,EACL,gBAAgB,EAChB,aAAa,EACb,eAAe,EACf,wBAAwB,EACxB,wBAAwB,EACxB,gBAAgB,GACjB,MAAM,kCAAkC,CAAC"}

package/dist/resolve-database-url.d.ts

@@ -0,0 +1,4 @@
+declare const DEFAULT_DATABASE_URL = "postgresql://localhost:5432/axvault";
+declare function resolveDatabaseUrl(databaseUrl?: string): string;
+export { DEFAULT_DATABASE_URL, resolveDatabaseUrl };
+//# sourceMappingURL=resolve-database-url.d.ts.map

package/dist/resolve-database-url.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolve-database-url.d.ts","sourceRoot":"","sources":["../src/resolve-database-url.ts"],"names":[],"mappings":"AAAA,QAAA,MAAM,oBAAoB,wCAAwC,CAAC;AAEnE,iBAAS,kBAAkB,CAAC,WAAW,CAAC,EAAE,MAAM,GAAG,MAAM,CAUxD;AAED,OAAO,EAAE,oBAAoB,EAAE,kBAAkB,EAAE,CAAC"}

package/dist/resolve-database-url.js

@@ -0,0 +1,11 @@
+const DEFAULT_DATABASE_URL = "postgresql://localhost:5432/axvault";
+function resolveDatabaseUrl(databaseUrl) {
+    const value = databaseUrl ?? process.env.AXVAULT_DATABASE_URL ?? DEFAULT_DATABASE_URL;
+    const trimmedValue = value.trim();
+    if (trimmedValue.length === 0) {
+        throw new Error("Database URL must not be empty.");
+    }
+    return trimmedValue;
+}
+export { DEFAULT_DATABASE_URL, resolveDatabaseUrl };
+//# sourceMappingURL=resolve-database-url.js.map

package/dist/resolve-database-url.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolve-database-url.js","sourceRoot":"","sources":["../src/resolve-database-url.ts"],"names":[],"mappings":"AAAA,MAAM,oBAAoB,GAAG,qCAAqC,CAAC;AAEnE,SAAS,kBAAkB,CAAC,WAAoB;IAC9C,MAAM,KAAK,GACT,WAAW,IAAI,OAAO,CAAC,GAAG,CAAC,oBAAoB,IAAI,oBAAoB,CAAC;IAC1E,MAAM,YAAY,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;IAElC,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;IACrD,CAAC;IAED,OAAO,YAAY,CAAC;AACtB,CAAC;AAED,OAAO,EAAE,oBAAoB,EAAE,kBAAkB,EAAE,CAAC"}

package/dist/resolve-secret-source.d.ts

@@ -0,0 +1,11 @@
+interface SecretSourceOptions {
+    directValue?: string;
+    envName?: string;
+    filePath?: string;
+    directOption: string;
+    envOption: string;
+    fileOption: string;
+}
+export declare function resolveSecretSource(options: SecretSourceOptions): Promise<string | undefined>;
+export {};
+//# sourceMappingURL=resolve-secret-source.d.ts.map

package/dist/resolve-secret-source.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolve-secret-source.d.ts","sourceRoot":"","sources":["../src/resolve-secret-source.ts"],"names":[],"mappings":"AAEA,UAAU,mBAAmB;IAC3B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,wBAAsB,mBAAmB,CACvC,OAAO,EAAE,mBAAmB,GAC3B,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CA2C7B"}

package/dist/resolve-secret-source.js

@@ -0,0 +1,36 @@
+import { readFile } from "node:fs/promises";
+export async function resolveSecretSource(options) {
+    const configuredSources = [];
+    if (typeof options.directValue === "string") {
+        configuredSources.push(options.directOption);
+    }
+    if (typeof options.envName === "string") {
+        configuredSources.push(options.envOption);
+    }
+    if (typeof options.filePath === "string") {
+        configuredSources.push(options.fileOption);
+    }
+    if (configuredSources.length > 1) {
+        throw new Error(`Choose only one of ${configuredSources.join(", ")}.`);
+    }
+    if (typeof options.directValue === "string") {
+        return options.directValue;
+    }
+    if (typeof options.envName === "string") {
+        const value = process.env[options.envName]?.trim();
+        if (!value) {
+            throw new Error(`Environment variable ${options.envName} is not set or is empty.`);
+        }
+        return value;
+    }
+    if (typeof options.filePath === "string") {
+        const fileContents = await readFile(options.filePath, "utf8");
+        const value = fileContents.trim();
+        if (!value) {
+            throw new Error(`Secret file ${options.filePath} is empty.`);
+        }
+        return value;
+    }
+    return undefined;
+}
+//# sourceMappingURL=resolve-secret-source.js.map

package/dist/resolve-secret-source.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolve-secret-source.js","sourceRoot":"","sources":["../src/resolve-secret-source.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAW5C,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,OAA4B;IAE5B,MAAM,iBAAiB,GAAa,EAAE,CAAC;IAEvC,IAAI,OAAO,OAAO,CAAC,WAAW,KAAK,QAAQ,EAAE,CAAC;QAC5C,iBAAiB,CAAC,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;IAC/C,CAAC;IAED,IAAI,OAAO,OAAO,CAAC,OAAO,KAAK,QAAQ,EAAE,CAAC;QACxC,iBAAiB,CAAC,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAC5C,CAAC;IAED,IAAI,OAAO,OAAO,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QACzC,iBAAiB,CAAC,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IAC7C,CAAC;IAED,IAAI,iBAAiB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CAAC,sBAAsB,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACzE,CAAC;IAED,IAAI,OAAO,OAAO,CAAC,WAAW,KAAK,QAAQ,EAAE,CAAC;QAC5C,OAAO,OAAO,CAAC,WAAW,CAAC;IAC7B,CAAC;IAED,IAAI,OAAO,OAAO,CAAC,OAAO,KAAK,QAAQ,EAAE,CAAC;QACxC,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,CAAC;QACnD,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,KAAK,CACb,wBAAwB,OAAO,CAAC,OAAO,0BAA0B,CAClE,CAAC;QACJ,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IAAI,OAAO,OAAO,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QACzC,MAAM,YAAY,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QAC9D,MAAM,KAAK,GAAG,YAAY,CAAC,IAAI,EAAE,CAAC;QAClC,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,KAAK,CAAC,eAAe,OAAO,CAAC,QAAQ,YAAY,CAAC,CAAC;QAC/D,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC"}

package/dist/server/plugins/auth.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../../src/server/plugins/auth.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAKH,OAAO,EAIL,KAAK,YAAY,EAClB,MAAM,mCAAmC,CAAC;AAG3C,OAAO,QAAQ,SAAS,CAAC;IACvB,UAAU,cAAc;QACtB,MAAM,EAAE,YAAY,CAAC;KACtB;IAED,UAAU,eAAe;QACvB,YAAY,EAAE,CACZ,OAAO,EAAE,cAAc,EACvB,KAAK,EAAE,YAAY,KAChB,OAAO,CAAC,IAAI,CAAC,CAAC;QACnB,kBAAkB,EAAE,CAClB,OAAO,EAAE,cAAc,EACvB,KAAK,EAAE,YAAY,KAChB,OAAO,CAAC,IAAI,CAAC,CAAC;KACpB;CACF;;AAWD,wBA+CE"}
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../../src/server/plugins/auth.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAKH,OAAO,EAIL,KAAK,YAAY,EAClB,MAAM,mCAAmC,CAAC;AAG3C,OAAO,QAAQ,SAAS,CAAC;IACvB,UAAU,cAAc;QACtB,MAAM,EAAE,YAAY,CAAC;KACtB;IAED,UAAU,eAAe;QACvB,YAAY,EAAE,CACZ,OAAO,EAAE,cAAc,EACvB,KAAK,EAAE,YAAY,KAChB,OAAO,CAAC,IAAI,CAAC,CAAC;QACnB,kBAAkB,EAAE,CAClB,OAAO,EAAE,cAAc,EACvB,KAAK,EAAE,YAAY,KAChB,OAAO,CAAC,IAAI,CAAC,CAAC;KACpB;CACF;;AAWD,wBA8CE"}

package/dist/server/plugins/auth.js

@@ -14,9 +14,7 @@ function extractBearerToken(authorizationHeader) {
     const match = /^Bearer\s+(\S+)$/iu.exec(authorizationHeader);
     return match?.[1];
 }
-export default fp(
-// eslint-disable-next-line @typescript-eslint/require-await -- Fastify plugin signature requires async
-async function authPlugin(fastify) {
+export default fp(async function authPlugin(fastify) {
     // eslint-disable-next-line unicorn/no-null -- Fastify decorator requires an initial value
     fastify.decorateRequest("apiKey", null);
     fastify.decorate("authenticate", async (request, reply) => {

package/dist/server/plugins/auth.js.map

@@ -1 +1 @@
-{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../../src/server/plugins/auth.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EAAE,MAAM,gBAAgB,CAAC;AAEhC,OAAO,EACL,eAAe,EACf,cAAc,EACd,cAAc,GAEf,MAAM,mCAAmC,CAAC;AAC3C,OAAO,EAAE,SAAS,EAAE,MAAM,oCAAoC,CAAC;AAmB/D,qDAAqD;AACrD,SAAS,kBAAkB,CACzB,mBAAuC;IAEvC,IAAI,CAAC,mBAAmB;QAAE,OAAO,SAAS,CAAC;IAC3C,MAAM,KAAK,GAAG,oBAAoB,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;IAC7D,OAAO,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC;AACpB,CAAC;AAED,eAAe,EAAE;AACf,uGAAuG;AACvG,KAAK,UAAU,UAAU,CAAC,OAAO;IAC/B,0FAA0F;IAC1F,OAAO,CAAC,eAAe,CAAC,QAAQ,EAAE,IAAa,CAAC,CAAC;IAEjD,OAAO,CAAC,QAAQ,CACd,cAAc,EACd,KAAK,EAAE,OAAuB,EAAE,KAAmB,EAAiB,EAAE;QACpE,MAAM,KAAK,GAAG,kBAAkB,CAAC,OAAO,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;QAEhE,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,SAAS,CAAC,OAAO,CAAC,EAAE,EAAE;gBAC1B,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,KAAK;gBACd,YAAY,EAAE,8BAA8B;aAC7C,CAAC,CAAC;YACH,OAAO,KAAK,CAAC,YAAY,CAAC,8BAA8B,CAAC,CAAC;QAC5D,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,OAAO,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;QAExD,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,SAAS,CAAC,OAAO,CAAC,EAAE,EAAE;gBAC1B,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,KAAK;gBACd,YAAY,EAAE,iBAAiB;aAChC,CAAC,CAAC;YACH,OAAO,KAAK,CAAC,YAAY,CAAC,iBAAiB,CAAC,CAAC;QAC/C,CAAC;QAED,MAAM,cAAc,CAAC,OAAO,CAAC,EAAE,EAAE,MAAM,CAAC,EAAE,CAAC,CAAC;QAC5C,sGAAsG;QACtG,OAAO,CAAC,MAAM,GAAG,MAAM,CAAC;IAC1B,CAAC,CACF,CAAC;IAEF,OAAO,CAAC,QAAQ,CACd,oBAAoB,EACpB,KAAK,EAAE,OAAuB,EAAE,KAAmB,EAAiB,EAAE;QACpE,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,CAAC;YACzC,OAAO,KAAK,CAAC,SAAS,CAAC,uBAAuB,CAAC,CAAC;QAClD,CAAC;IACH,CAAC,CACF,CAAC;AACJ,CAAC,EACD,EAAE,IAAI,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC,UAAU,CAAC,EAAE,CAC7C,CAAC"}
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../../src/server/plugins/auth.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EAAE,MAAM,gBAAgB,CAAC;AAEhC,OAAO,EACL,eAAe,EACf,cAAc,EACd,cAAc,GAEf,MAAM,mCAAmC,CAAC;AAC3C,OAAO,EAAE,SAAS,EAAE,MAAM,oCAAoC,CAAC;AAmB/D,qDAAqD;AACrD,SAAS,kBAAkB,CACzB,mBAAuC;IAEvC,IAAI,CAAC,mBAAmB;QAAE,OAAO,SAAS,CAAC;IAC3C,MAAM,KAAK,GAAG,oBAAoB,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;IAC7D,OAAO,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC;AACpB,CAAC;AAED,eAAe,EAAE,CACf,KAAK,UAAU,UAAU,CAAC,OAAO;IAC/B,0FAA0F;IAC1F,OAAO,CAAC,eAAe,CAAC,QAAQ,EAAE,IAAa,CAAC,CAAC;IAEjD,OAAO,CAAC,QAAQ,CACd,cAAc,EACd,KAAK,EAAE,OAAuB,EAAE,KAAmB,EAAiB,EAAE;QACpE,MAAM,KAAK,GAAG,kBAAkB,CAAC,OAAO,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;QAEhE,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,SAAS,CAAC,OAAO,CAAC,EAAE,EAAE;gBAC1B,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,KAAK;gBACd,YAAY,EAAE,8BAA8B;aAC7C,CAAC,CAAC;YACH,OAAO,KAAK,CAAC,YAAY,CAAC,8BAA8B,CAAC,CAAC;QAC5D,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,OAAO,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;QAExD,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,SAAS,CAAC,OAAO,CAAC,EAAE,EAAE;gBAC1B,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,KAAK;gBACd,YAAY,EAAE,iBAAiB;aAChC,CAAC,CAAC;YACH,OAAO,KAAK,CAAC,YAAY,CAAC,iBAAiB,CAAC,CAAC;QAC/C,CAAC;QAED,MAAM,cAAc,CAAC,OAAO,CAAC,EAAE,EAAE,MAAM,CAAC,EAAE,CAAC,CAAC;QAC5C,sGAAsG;QACtG,OAAO,CAAC,MAAM,GAAG,MAAM,CAAC;IAC1B,CAAC,CACF,CAAC;IAEF,OAAO,CAAC,QAAQ,CACd,oBAAoB,EACpB,KAAK,EAAE,OAAuB,EAAE,KAAmB,EAAiB,EAAE;QACpE,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,CAAC;YACzC,OAAO,KAAK,CAAC,SAAS,CAAC,uBAAuB,CAAC,CAAC;QAClD,CAAC;IACH,CAAC,CACF,CAAC;AACJ,CAAC,EACD,EAAE,IAAI,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC,UAAU,CAAC,EAAE,CAC7C,CAAC"}

package/package.json

@@ -19,7 +19,7 @@
   "name": "axvault",
   "author": "Łukasz Jerciński",
   "license": "MIT",
-  "version": "1.13.1",
+  "version": "1.14.0",
   "description": "Remote credential storage server for axkit",
   "repository": {
     "type": "git",