axvault 1.2.0 → 1.3.0

package/README.md

@@ -192,13 +192,17 @@ curl -X PUT https://vault.example.com/api/v1/credentials/claude/prod \
   -H "Authorization: Bearer <api_key>" \
   -H "Content-Type: application/json" \
   -d '{
-    "type": "oauth",
+    "type": "oauth-credentials",
     "data": {"access_token": "...", "refresh_token": "..."},
     "expiresAt": "2025-12-31T23:59:59Z"
   }'
 ```
 
-The `type` field is required and must be either `"oauth"` (for refreshable tokens) or `"api-key"` (for static keys). Only `oauth` credentials are eligible for auto-refresh.
+The `type` field is required and must be one of:
+
+- `"oauth-credentials"` — Full OAuth with refresh_token (eligible for auto-refresh)
+- `"oauth-token"` — Long-lived OAuth token like `CLAUDE_CODE_OAUTH_TOKEN` (static)
+- `"api-key"` — API key (static)
 
 ### Retrieve a Credential
 
@@ -216,7 +220,7 @@ curl -X DELETE https://vault.example.com/api/v1/credentials/claude/prod \
 
 ## Auto-Refresh
 
-axvault automatically refreshes OAuth credentials that are near expiration when they are retrieved. This behavior is controlled by the refresh threshold setting.
+axvault automatically refreshes `oauth-credentials` type credentials that are near expiration when they are retrieved. This behavior is controlled by the refresh threshold setting. Only credentials with a `refresh_token` in their data are eligible for auto-refresh.
 
 ### Access Control Note
 

package/dist/db/migrations.d.ts

@@ -4,7 +4,7 @@
  * Uses a simple version-based migration system.
  */
 import type Database from "better-sqlite3";
-declare const CURRENT_VERSION = 4;
+declare const CURRENT_VERSION = 5;
 /** Run all pending migrations */
 declare function runMigrations(database: Database.Database): void;
 /** Get current schema version */

package/dist/db/migrations.js

@@ -3,7 +3,7 @@
  *
  * Uses a simple version-based migration system.
  */
-const CURRENT_VERSION = 4;
+const CURRENT_VERSION = 5;
 /** Run all pending migrations */
 function runMigrations(database) {
     const version = getSchemaVersion(database);
@@ -19,6 +19,9 @@ function runMigrations(database) {
     if (version < 4) {
         migrateToV4(database);
     }
+    if (version < 5) {
+        migrateToV5(database);
+    }
 }
 /** Get current schema version */
 function getSchemaVersion(database) {
@@ -127,4 +130,22 @@ function migrateToV4(database) {
         setSchemaVersion(database, 4);
     })();
 }
+/**
+ * Migration to version 5: Rename credential type "oauth" to "oauth-credentials"
+ *
+ * Distinguishes refreshable OAuth credentials (oauth-credentials) from
+ * long-lived OAuth tokens like CLAUDE_CODE_OAUTH_TOKEN (oauth-token).
+ *
+ * - `oauth-credentials`: Full OAuth flow with accessToken, refreshToken, expiresAt (refreshable)
+ * - `oauth-token`: Long-lived OAuth token for CI/CD (static, no refresh)
+ * - `api-key`: API key (static)
+ */
+function migrateToV5(database) {
+    database.transaction(() => {
+        database.exec(`
+      UPDATE credentials SET type = 'oauth-credentials' WHERE type = 'oauth'
+    `);
+        setSchemaVersion(database, 5);
+    })();
+}
 export { CURRENT_VERSION, getSchemaVersion, runMigrations };

package/dist/db/repositories/credentials-queries.d.ts

@@ -0,0 +1,8 @@
+/**
+ * SQL queries for credentials repository.
+ */
+export declare const UPSERT_CREDENTIAL = "\n  INSERT INTO credentials (agent, name, type, encrypted_data, salt, iv, auth_tag, created_at, updated_at, expires_at)\n  VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)\n  ON CONFLICT(agent, name) DO UPDATE SET\n    type = excluded.type, encrypted_data = excluded.encrypted_data, salt = excluded.salt, iv = excluded.iv, auth_tag = excluded.auth_tag,\n    updated_at = excluded.updated_at, expires_at = excluded.expires_at";
+export declare const SELECT_CREDENTIAL = "\n  SELECT agent, name, type, encrypted_data, salt, iv, auth_tag, created_at, updated_at, expires_at\n  FROM credentials WHERE agent = ? AND name = ?";
+export declare const SELECT_ALL_METADATA = "\n  SELECT agent, name, type, created_at, updated_at, expires_at\n  FROM credentials ORDER BY agent, name";
+export declare const DELETE_CREDENTIAL = "\n  DELETE FROM credentials WHERE agent = ? AND name = ?";
+export declare const UPDATE_EXPIRES_AT = "\n  UPDATE credentials SET expires_at = ?, updated_at = ? WHERE agent = ? AND name = ?";

package/dist/db/repositories/credentials-queries.js

@@ -0,0 +1,19 @@
+/**
+ * SQL queries for credentials repository.
+ */
+export const UPSERT_CREDENTIAL = `
+  INSERT INTO credentials (agent, name, type, encrypted_data, salt, iv, auth_tag, created_at, updated_at, expires_at)
+  VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+  ON CONFLICT(agent, name) DO UPDATE SET
+    type = excluded.type, encrypted_data = excluded.encrypted_data, salt = excluded.salt, iv = excluded.iv, auth_tag = excluded.auth_tag,
+    updated_at = excluded.updated_at, expires_at = excluded.expires_at`;
+export const SELECT_CREDENTIAL = `
+  SELECT agent, name, type, encrypted_data, salt, iv, auth_tag, created_at, updated_at, expires_at
+  FROM credentials WHERE agent = ? AND name = ?`;
+export const SELECT_ALL_METADATA = `
+  SELECT agent, name, type, created_at, updated_at, expires_at
+  FROM credentials ORDER BY agent, name`;
+export const DELETE_CREDENTIAL = `
+  DELETE FROM credentials WHERE agent = ? AND name = ?`;
+export const UPDATE_EXPIRES_AT = `
+  UPDATE credentials SET expires_at = ?, updated_at = ? WHERE agent = ? AND name = ?`;

package/dist/db/repositories/credentials.d.ts

@@ -4,30 +4,8 @@
  * Manages encrypted credential storage.
  */
 import type Database from "better-sqlite3";
-/** Valid credential types */
-type CredentialType = "oauth" | "api-key";
-/** Credential record stored in database */
-interface CredentialRecord {
-    agent: string;
-    name: string;
-    type: CredentialType;
-    encryptedData: Buffer;
-    salt: Buffer;
-    iv: Buffer;
-    authTag: Buffer;
-    createdAt: Date;
-    updatedAt: Date;
-    expiresAt: Date | undefined;
-}
-/** Credential metadata (without encrypted data) */
-interface CredentialMetadata {
-    agent: string;
-    name: string;
-    type: CredentialType;
-    createdAt: Date;
-    updatedAt: Date;
-    expiresAt: Date | undefined;
-}
+import type { CredentialType } from "axshared";
+import { type CredentialMetadata, type CredentialRecord } from "./parse-credential-row.js";
 /** Store or update a credential */
 declare function upsertCredential(database: Database.Database, credential: {
     agent: string;
@@ -50,4 +28,4 @@ declare function deleteCredential(database: Database.Database, agent: string, na
 /** Update expiration time after refresh */
 declare function updateExpiresAt(database: Database.Database, agent: string, name: string, expiresAt: Date | undefined): void;
 export { deleteCredential, getCredential, listCredentials, listCredentialsForApiKey, updateExpiresAt, upsertCredential, };
-export type { CredentialMetadata, CredentialRecord, CredentialType };
+export type { CredentialMetadata, CredentialRecord, } from "./parse-credential-row.js";

package/dist/db/repositories/credentials.js

@@ -3,64 +3,25 @@
  *
  * Manages encrypted credential storage.
  */
-/** Validate credential type from database */
-function validateType(type) {
-    if (type !== "oauth" && type !== "api-key") {
-        throw new Error(`Invalid credential type: ${type}`);
-    }
-    return type;
-}
-/** Convert database row to record */
-function rowToRecord(row) {
-    return {
-        agent: row.agent,
-        name: row.name,
-        type: validateType(row.type),
-        encryptedData: row.encrypted_data,
-        salt: row.salt,
-        iv: row.iv,
-        authTag: row.auth_tag,
-        createdAt: new Date(row.created_at),
-        updatedAt: new Date(row.updated_at),
-        expiresAt: row.expires_at ? new Date(row.expires_at) : undefined,
-    };
-}
-/** Convert metadata row to metadata */
-function rowToMetadata(row) {
-    return {
-        agent: row.agent,
-        name: row.name,
-        type: validateType(row.type),
-        createdAt: new Date(row.created_at),
-        updatedAt: new Date(row.updated_at),
-        expiresAt: row.expires_at ? new Date(row.expires_at) : undefined,
-    };
-}
+import * as SQL from "./credentials-queries.js";
+import { rowToMetadata, rowToRecord, } from "./parse-credential-row.js";
 /** Store or update a credential */
 function upsertCredential(database, credential) {
     const now = Date.now();
-    /* eslint-disable unicorn/no-null -- SQLite requires null for NULL values */
+    // eslint-disable-next-line unicorn/no-null -- SQLite requires null for NULL values
+    const expiresAt = credential.expiresAt?.getTime() ?? null;
     database
-        .prepare(`INSERT INTO credentials (agent, name, type, encrypted_data, salt, iv, auth_tag, created_at, updated_at, expires_at)
-     VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
-     ON CONFLICT(agent, name) DO UPDATE SET
-       type = excluded.type, encrypted_data = excluded.encrypted_data, salt = excluded.salt, iv = excluded.iv, auth_tag = excluded.auth_tag,
-       updated_at = excluded.updated_at, expires_at = excluded.expires_at`)
-        .run(credential.agent, credential.name, credential.type, credential.encryptedData, credential.salt, credential.iv, credential.authTag, now, now, credential.expiresAt?.getTime() ?? null);
-    /* eslint-enable unicorn/no-null */
+        .prepare(SQL.UPSERT_CREDENTIAL)
+        .run(credential.agent, credential.name, credential.type, credential.encryptedData, credential.salt, credential.iv, credential.authTag, now, now, expiresAt);
 }
 /** Get a credential by agent and name */
 function getCredential(database, agent, name) {
-    const row = database
-        .prepare(`SELECT agent, name, type, encrypted_data, salt, iv, auth_tag, created_at, updated_at, expires_at FROM credentials WHERE agent = ? AND name = ?`)
-        .get(agent, name);
+    const row = database.prepare(SQL.SELECT_CREDENTIAL).get(agent, name);
     return row ? rowToRecord(row) : undefined;
 }
 /** List all credentials (metadata only) */
 function listCredentials(database) {
-    const rows = database
-        .prepare(`SELECT agent, name, type, created_at, updated_at, expires_at FROM credentials ORDER BY agent, name`)
-        .all();
+    const rows = database.prepare(SQL.SELECT_ALL_METADATA).all();
     return rows.map((row) => rowToMetadata(row));
 }
 /** List credentials accessible by an API key's read access list */
@@ -71,15 +32,12 @@ function listCredentialsForApiKey(database, readAccess) {
 }
 /** Delete a credential */
 function deleteCredential(database, agent, name) {
-    return (database
-        .prepare(`DELETE FROM credentials WHERE agent = ? AND name = ?`)
-        .run(agent, name).changes > 0);
+    return database.prepare(SQL.DELETE_CREDENTIAL).run(agent, name).changes > 0;
 }
 /** Update expiration time after refresh */
 function updateExpiresAt(database, agent, name, expiresAt) {
-    database
-        .prepare(`UPDATE credentials SET expires_at = ?, updated_at = ? WHERE agent = ? AND name = ?`)
-        // eslint-disable-next-line unicorn/no-null -- SQLite requires null for NULL values
-        .run(expiresAt?.getTime() ?? null, Date.now(), agent, name);
+    // eslint-disable-next-line unicorn/no-null -- SQLite requires null for NULL values
+    const expires = expiresAt?.getTime() ?? null;
+    database.prepare(SQL.UPDATE_EXPIRES_AT).run(expires, Date.now(), agent, name);
 }
 export { deleteCredential, getCredential, listCredentials, listCredentialsForApiKey, updateExpiresAt, upsertCredential, };

package/dist/db/repositories/parse-credential-row.d.ts

@@ -0,0 +1,33 @@
+/**
+ * Pure functions for parsing credential database rows.
+ */
+import { CredentialType } from "axshared";
+import type { CredentialRow, MetadataRow } from "../types.js";
+/** Credential record stored in database */
+interface CredentialRecord {
+    agent: string;
+    name: string;
+    type: CredentialType;
+    encryptedData: Buffer;
+    salt: Buffer;
+    iv: Buffer;
+    authTag: Buffer;
+    createdAt: Date;
+    updatedAt: Date;
+    expiresAt: Date | undefined;
+}
+/** Credential metadata (without encrypted data) */
+interface CredentialMetadata {
+    agent: string;
+    name: string;
+    type: CredentialType;
+    createdAt: Date;
+    updatedAt: Date;
+    expiresAt: Date | undefined;
+}
+/** Convert database row to record */
+declare function rowToRecord(row: CredentialRow): CredentialRecord;
+/** Convert metadata row to metadata */
+declare function rowToMetadata(row: MetadataRow): CredentialMetadata;
+export { rowToMetadata, rowToRecord };
+export type { CredentialMetadata, CredentialRecord };

package/dist/db/repositories/parse-credential-row.js

@@ -0,0 +1,39 @@
+/**
+ * Pure functions for parsing credential database rows.
+ */
+import { CredentialType } from "axshared";
+/** Parse and validate credential type from database */
+function parseCredentialType(type) {
+    const result = CredentialType.safeParse(type);
+    if (!result.success) {
+        throw new Error(`Invalid credential type: ${type}`);
+    }
+    return result.data;
+}
+/** Convert database row to record */
+function rowToRecord(row) {
+    return {
+        agent: row.agent,
+        name: row.name,
+        type: parseCredentialType(row.type),
+        encryptedData: row.encrypted_data,
+        salt: row.salt,
+        iv: row.iv,
+        authTag: row.auth_tag,
+        createdAt: new Date(row.created_at),
+        updatedAt: new Date(row.updated_at),
+        expiresAt: row.expires_at ? new Date(row.expires_at) : undefined,
+    };
+}
+/** Convert metadata row to metadata */
+function rowToMetadata(row) {
+    return {
+        agent: row.agent,
+        name: row.name,
+        type: parseCredentialType(row.type),
+        createdAt: new Date(row.created_at),
+        updatedAt: new Date(row.updated_at),
+        expiresAt: row.expires_at ? new Date(row.expires_at) : undefined,
+    };
+}
+export { rowToMetadata, rowToRecord };

package/dist/handlers/get-credential.js

@@ -1,6 +1,7 @@
 /**
  * GET /api/v1/credentials/:agent/:name handler.
  */
+import { isRefreshableCredentialType } from "axshared";
 import { hasReadAccess } from "../db/repositories/api-keys.js";
 import { getCredential } from "../db/repositories/credentials.js";
 import { logAccess } from "../db/repositories/audit-log.js";
@@ -69,7 +70,7 @@ function createGetCredentialHandler(database, config) {
         let wasRefreshed = false;
         let refreshFailed = false;
         if (config.refreshThresholdSeconds > 0 &&
-            credential.type === "oauth" &&
+            isRefreshableCredentialType(credential.type) &&
             isRefreshable(data) &&
             needsRefresh(data, config.refreshThresholdSeconds)) {
             try {

package/dist/handlers/put-credential.js

@@ -1,6 +1,7 @@
 /**
  * PUT /api/v1/credentials/:agent/:name handler.
  */
+import { CredentialType, } from "axshared";
 import { hasWriteAccess } from "../db/repositories/api-keys.js";
 import { upsertCredential } from "../db/repositories/credentials.js";
 import { logAccess } from "../db/repositories/audit-log.js";
@@ -43,7 +44,8 @@ function createPutCredentialHandler(database) {
                 .json({ error: "Request body must include 'data' object" });
             return;
         }
-        if (body.type !== "oauth" && body.type !== "api-key") {
+        const typeResult = CredentialType.safeParse(body.type);
+        if (!typeResult.success) {
             logAccess(database, {
                 apiKeyId: apiKey.id,
                 action: "write",
@@ -53,11 +55,11 @@ function createPutCredentialHandler(database) {
                 errorMessage: "Invalid type",
             });
             response.status(400).json({
-                error: 'Request body must include \'type\' ("oauth" or "api-key")',
+                error: `Request body must include 'type' (${CredentialType.options.map((t) => `"${t}"`).join(", ")})`,
             });
             return;
         }
-        const credentialType = body.type;
+        const credentialType = typeResult.data;
         try {
             const encrypted = encryptCredential(body.data);
             let expiresAt;

package/dist/refresh/check-refresh.js

@@ -50,10 +50,10 @@ function toAxauthCredentials(agent, data) {
     if (!VALID_AGENTS.has(agent)) {
         return undefined;
     }
-    // Only OAuth credentials can be refreshed
+    // Only OAuth credentials with refresh tokens can be refreshed
     return {
         agent: agent,
-        type: "oauth",
+        type: "oauth-credentials",
         data,
     };
 }

package/dist/refresh/refresh-manager.d.ts

@@ -5,7 +5,7 @@
  * with axauth's refresh functionality.
  */
 import type Database from "better-sqlite3";
-import type { CredentialType } from "../db/repositories/credentials.js";
+import type { CredentialType } from "axshared";
 /** Key for credential-specific mutex */
 type CredentialKey = `${string}/${string}`;
 /** Result type for the full refresh operation */

package/package.json

@@ -2,7 +2,7 @@
   "name": "axvault",
   "author": "Łukasz Jerciński",
   "license": "MIT",
-  "version": "1.2.0",
+  "version": "1.3.0",
   "description": "Remote credential storage server for axkit",
   "repository": {
     "type": "git",
@@ -49,9 +49,9 @@
   },
   "dependencies": {
     "@commander-js/extra-typings": "^14.0.0",
-    "axauth": "^1.7.2",
-    "axshared": "^1.8.0",
-    "better-sqlite3": "^12.5.0",
+    "axauth": "^1.9.0",
+    "axshared": "1.9.0",
+    "better-sqlite3": "^12.6.0",
     "commander": "^14.0.2",
     "express": "^5.2.1"
   },
@@ -78,13 +78,13 @@
     "@total-typescript/ts-reset": "^0.6.1",
     "@types/better-sqlite3": "^7.6.13",
     "@types/express": "^5.0.6",
-    "@types/node": "^25.0.3",
+    "@types/node": "^25.0.5",
     "@vitest/coverage-v8": "^4.0.16",
     "eslint": "^9.39.2",
     "eslint-config-axkit": "^1.0.0",
     "fta-check": "^1.5.1",
     "fta-cli": "^3.0.0",
-    "knip": "^5.80.0",
+    "knip": "^5.80.2",
     "prettier": "3.7.4",
     "semantic-release": "^25.0.2",
     "typescript": "^5.9.3",