axvault 1.2.0 → 1.4.0

package/README.md

@@ -192,13 +192,17 @@ curl -X PUT https://vault.example.com/api/v1/credentials/claude/prod \
   -H "Authorization: Bearer <api_key>" \
   -H "Content-Type: application/json" \
   -d '{
-    "type": "oauth",
+    "type": "oauth-credentials",
     "data": {"access_token": "...", "refresh_token": "..."},
     "expiresAt": "2025-12-31T23:59:59Z"
   }'
 ```
 
-The `type` field is required and must be either `"oauth"` (for refreshable tokens) or `"api-key"` (for static keys). Only `oauth` credentials are eligible for auto-refresh.
+The `type` field is required and must be one of:
+
+- `"oauth-credentials"` — Full OAuth with refresh_token (eligible for auto-refresh)
+- `"oauth-token"` — Long-lived OAuth token like `CLAUDE_CODE_OAUTH_TOKEN` (static)
+- `"api-key"` — API key (static)
 
 ### Retrieve a Credential
 
@@ -216,7 +220,7 @@ curl -X DELETE https://vault.example.com/api/v1/credentials/claude/prod \
 
 ## Auto-Refresh
 
-axvault automatically refreshes OAuth credentials that are near expiration when they are retrieved. This behavior is controlled by the refresh threshold setting.
+axvault automatically refreshes `oauth-credentials` type credentials that are near expiration when they are retrieved. This behavior is controlled by the refresh threshold setting. Only credentials with a `refresh_token` in their data are eligible for auto-refresh.
 
 ### Access Control Note
 

package/dist/commands/key-list.js

@@ -16,6 +16,8 @@ export function handleKeyList(options) {
             const output = keys.map((key) => ({
                 id: key.id,
                 name: key.name,
+                // eslint-disable-next-line unicorn/no-null -- JSON requires null for missing values
+                keyPrefix: key.keyPrefix ?? null,
                 readAccess: key.readAccess,
                 writeAccess: key.writeAccess,
                 grantAccess: key.grantAccess,
@@ -28,7 +30,7 @@ export function handleKeyList(options) {
             console.error("No API keys found.\nCreate one with: axvault key create --name <name> [--read <access>] [--write <access>] [--grant <access>]");
         }
         else {
-            console.log("ID\tNAME\tREAD ACCESS\tWRITE ACCESS\tGRANT ACCESS\tLAST USED");
+            console.log("ID\tNAME\tKEY\tREAD ACCESS\tWRITE ACCESS\tGRANT ACCESS\tLAST USED");
             for (const key of keys)
                 console.log(formatKeyRow(key));
         }

package/dist/db/migrations.d.ts

@@ -4,7 +4,7 @@
  * Uses a simple version-based migration system.
  */
 import type Database from "better-sqlite3";
-declare const CURRENT_VERSION = 4;
+declare const CURRENT_VERSION = 6;
 /** Run all pending migrations */
 declare function runMigrations(database: Database.Database): void;
 /** Get current schema version */

package/dist/db/migrations.js

@@ -3,7 +3,7 @@
  *
  * Uses a simple version-based migration system.
  */
-const CURRENT_VERSION = 4;
+const CURRENT_VERSION = 6;
 /** Run all pending migrations */
 function runMigrations(database) {
     const version = getSchemaVersion(database);
@@ -19,6 +19,12 @@ function runMigrations(database) {
     if (version < 4) {
         migrateToV4(database);
     }
+    if (version < 5) {
+        migrateToV5(database);
+    }
+    if (version < 6) {
+        migrateToV6(database);
+    }
 }
 /** Get current schema version */
 function getSchemaVersion(database) {
@@ -127,4 +133,36 @@ function migrateToV4(database) {
         setSchemaVersion(database, 4);
     })();
 }
+/**
+ * Migration to version 5: Rename credential type "oauth" to "oauth-credentials"
+ *
+ * Distinguishes refreshable OAuth credentials (oauth-credentials) from
+ * long-lived OAuth tokens like CLAUDE_CODE_OAUTH_TOKEN (oauth-token).
+ *
+ * - `oauth-credentials`: Full OAuth flow with accessToken, refreshToken, expiresAt (refreshable)
+ * - `oauth-token`: Long-lived OAuth token for CI/CD (static, no refresh)
+ * - `api-key`: API key (static)
+ */
+function migrateToV5(database) {
+    database.transaction(() => {
+        database.exec(`
+      UPDATE credentials SET type = 'oauth-credentials' WHERE type = 'oauth'
+    `);
+        setSchemaVersion(database, 5);
+    })();
+}
+/**
+ * Migration to version 6: Add key_prefix column to api_keys
+ *
+ * Stores first 8 characters of the key secret for identification.
+ * Existing keys will have NULL prefix (key value not recoverable).
+ */
+function migrateToV6(database) {
+    database.transaction(() => {
+        database.exec(`
+      ALTER TABLE api_keys ADD COLUMN key_prefix TEXT
+    `);
+        setSchemaVersion(database, 6);
+    })();
+}
 export { CURRENT_VERSION, getSchemaVersion, runMigrations };

package/dist/db/repositories/api-key-utilities.d.ts

@@ -0,0 +1,26 @@
+/**
+ * API key utility functions.
+ *
+ * Pure functions for key generation and hashing.
+ */
+/** Generate a new API key ID */
+declare function generateKeyId(): string;
+/** Generate a new API key secret */
+declare function generateKeySecret(): string;
+/** Hash an API key for storage */
+declare function hashApiKey(key: string): string;
+/** Extract key prefix for display (axv_sk_ + first 8 hex chars of secret) */
+declare function extractKeyPrefix(key: string): string;
+/** Minimal interface for access checking */
+interface AccessLists {
+    readAccess: string[];
+    writeAccess: string[];
+    grantAccess: string[];
+}
+/** Check if API key has read access to a credential */
+declare function hasReadAccess(apiKey: AccessLists, agent: string, name: string): boolean;
+/** Check if API key has write access to a credential */
+declare function hasWriteAccess(apiKey: AccessLists, agent: string, name: string): boolean;
+/** Check if API key has grant access to a credential */
+declare function hasGrantAccess(apiKey: AccessLists, agent: string, name: string): boolean;
+export { extractKeyPrefix, generateKeyId, generateKeySecret, hashApiKey, hasGrantAccess, hasReadAccess, hasWriteAccess, };

package/dist/db/repositories/api-key-utilities.js

@@ -0,0 +1,43 @@
+/**
+ * API key utility functions.
+ *
+ * Pure functions for key generation and hashing.
+ */
+import { createHash, randomBytes } from "node:crypto";
+/** Key prefix for identification (e.g., "axv_sk_01234567") */
+const KEY_PREFIX_LENGTH = 8;
+/** Generate a new API key ID */
+function generateKeyId() {
+    return `k_${randomBytes(6).toString("hex")}`;
+}
+/** Generate a new API key secret */
+function generateKeySecret() {
+    return `axv_sk_${randomBytes(16).toString("hex")}`;
+}
+/** Hash an API key for storage */
+function hashApiKey(key) {
+    return createHash("sha256").update(key).digest("hex");
+}
+/** Extract key prefix for display (axv_sk_ + first 8 hex chars of secret) */
+function extractKeyPrefix(key) {
+    // Key format: axv_sk_ + 32 hex chars
+    return key.slice(0, 7 + KEY_PREFIX_LENGTH); // "axv_sk_" (7) + 8 chars
+}
+/** Check if access list includes the given credential path */
+function hasAccess(accessList, agent, name) {
+    const path = `${agent}/${name}`;
+    return accessList.includes("*") || accessList.includes(path);
+}
+/** Check if API key has read access to a credential */
+function hasReadAccess(apiKey, agent, name) {
+    return hasAccess(apiKey.readAccess, agent, name);
+}
+/** Check if API key has write access to a credential */
+function hasWriteAccess(apiKey, agent, name) {
+    return hasAccess(apiKey.writeAccess, agent, name);
+}
+/** Check if API key has grant access to a credential */
+function hasGrantAccess(apiKey, agent, name) {
+    return hasAccess(apiKey.grantAccess, agent, name);
+}
+export { extractKeyPrefix, generateKeyId, generateKeySecret, hashApiKey, hasGrantAccess, hasReadAccess, hasWriteAccess, };

package/dist/db/repositories/api-keys.d.ts

@@ -9,6 +9,7 @@ interface ApiKeyRecord {
     id: string;
     name: string;
     keyHash: string;
+    keyPrefix: string | undefined;
     readAccess: string[];
     writeAccess: string[];
     grantAccess: string[];
@@ -36,17 +37,12 @@ declare function listApiKeys(database: Database.Database): ApiKeyRecord[];
 declare function updateLastUsed(database: Database.Database, id: string): void;
 /** Delete an API key */
 declare function deleteApiKey(database: Database.Database, id: string): boolean;
-/** Check if API key has read access to a credential */
-declare function hasReadAccess(apiKey: ApiKeyRecord, agent: string, name: string): boolean;
-/** Check if API key has write access to a credential */
-declare function hasWriteAccess(apiKey: ApiKeyRecord, agent: string, name: string): boolean;
-/** Check if API key has grant access to a credential */
-declare function hasGrantAccess(apiKey: ApiKeyRecord, agent: string, name: string): boolean;
 /** Update an API key's access permissions */
 declare function updateApiKeyAccess(database: Database.Database, id: string, options: {
     readAccess?: string[];
     writeAccess?: string[];
     grantAccess?: string[];
 }): boolean;
-export { createApiKey, deleteApiKey, findApiKeyById, findApiKeyByKey, hasGrantAccess, hasReadAccess, hasWriteAccess, listApiKeys, updateApiKeyAccess, updateLastUsed, };
+export { createApiKey, deleteApiKey, findApiKeyById, findApiKeyByKey, listApiKeys, updateApiKeyAccess, updateLastUsed, };
+export { hasGrantAccess, hasReadAccess, hasWriteAccess, } from "./api-key-utilities.js";
 export type { ApiKeyRecord, ApiKeyWithSecret };

package/dist/db/repositories/api-keys.js

@@ -3,13 +3,14 @@
  *
  * Manages API keys with read/write access lists for credentials.
  */
-import { createHash, randomBytes } from "node:crypto";
+import { extractKeyPrefix, generateKeyId, generateKeySecret, hashApiKey, } from "./api-key-utilities.js";
 /** Convert database row to record */
 function rowToRecord(row) {
     return {
         id: row.id,
         name: row.name,
         keyHash: row.key_hash,
+        keyPrefix: row.key_prefix ?? undefined,
         readAccess: JSON.parse(row.read_access),
         writeAccess: JSON.parse(row.write_access),
         grantAccess: JSON.parse(row.grant_access),
@@ -17,26 +18,24 @@ function rowToRecord(row) {
         lastUsedAt: row.last_used_at ? new Date(row.last_used_at) : undefined,
     };
 }
-/** Hash an API key for storage */
-function hashApiKey(key) {
-    return createHash("sha256").update(key).digest("hex");
-}
-const SELECT_COLUMNS = `id, name, key_hash, read_access, write_access, grant_access, created_at, last_used_at`;
+const SELECT_COLUMNS = `id, name, key_hash, key_prefix, read_access, write_access, grant_access, created_at, last_used_at`;
 /** Create a new API key */
 function createApiKey(database, options) {
-    const id = `k_${randomBytes(6).toString("hex")}`;
-    const key = `axv_sk_${randomBytes(16).toString("hex")}`;
+    const id = generateKeyId();
+    const key = generateKeySecret();
     const keyHash = hashApiKey(key);
+    const keyPrefix = extractKeyPrefix(key);
     const now = Date.now();
     database
-        .prepare(`INSERT INTO api_keys (id, name, key_hash, read_access, write_access, grant_access, created_at)
-     VALUES (?, ?, ?, ?, ?, ?, ?)`)
-        .run(id, options.name, keyHash, JSON.stringify(options.readAccess), JSON.stringify(options.writeAccess), JSON.stringify(options.grantAccess), now);
+        .prepare(`INSERT INTO api_keys (id, name, key_hash, key_prefix, read_access, write_access, grant_access, created_at)
+     VALUES (?, ?, ?, ?, ?, ?, ?, ?)`)
+        .run(id, options.name, keyHash, keyPrefix, JSON.stringify(options.readAccess), JSON.stringify(options.writeAccess), JSON.stringify(options.grantAccess), now);
     return {
         id,
         name: options.name,
         key,
         keyHash,
+        keyPrefix,
         readAccess: options.readAccess,
         writeAccess: options.writeAccess,
         grantAccess: options.grantAccess,
@@ -75,21 +74,6 @@ function updateLastUsed(database, id) {
 function deleteApiKey(database, id) {
     return (database.prepare(`DELETE FROM api_keys WHERE id = ?`).run(id).changes > 0);
 }
-/** Check if API key has read access to a credential */
-function hasReadAccess(apiKey, agent, name) {
-    const path = `${agent}/${name}`;
-    return apiKey.readAccess.includes("*") || apiKey.readAccess.includes(path);
-}
-/** Check if API key has write access to a credential */
-function hasWriteAccess(apiKey, agent, name) {
-    const path = `${agent}/${name}`;
-    return apiKey.writeAccess.includes("*") || apiKey.writeAccess.includes(path);
-}
-/** Check if API key has grant access to a credential */
-function hasGrantAccess(apiKey, agent, name) {
-    const path = `${agent}/${name}`;
-    return apiKey.grantAccess.includes("*") || apiKey.grantAccess.includes(path);
-}
 /** Update an API key's access permissions */
 function updateApiKeyAccess(database, id, options) {
     const updates = [];
@@ -112,4 +96,5 @@ function updateApiKeyAccess(database, id, options) {
     const sql = `UPDATE api_keys SET ${updates.join(", ")} WHERE id = ?`;
     return database.prepare(sql).run(...values).changes > 0;
 }
-export { createApiKey, deleteApiKey, findApiKeyById, findApiKeyByKey, hasGrantAccess, hasReadAccess, hasWriteAccess, listApiKeys, updateApiKeyAccess, updateLastUsed, };
+export { createApiKey, deleteApiKey, findApiKeyById, findApiKeyByKey, listApiKeys, updateApiKeyAccess, updateLastUsed, };
+export { hasGrantAccess, hasReadAccess, hasWriteAccess, } from "./api-key-utilities.js";

package/dist/db/repositories/credentials-queries.d.ts

@@ -0,0 +1,8 @@
+/**
+ * SQL queries for credentials repository.
+ */
+export declare const UPSERT_CREDENTIAL = "\n  INSERT INTO credentials (agent, name, type, encrypted_data, salt, iv, auth_tag, created_at, updated_at, expires_at)\n  VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)\n  ON CONFLICT(agent, name) DO UPDATE SET\n    type = excluded.type, encrypted_data = excluded.encrypted_data, salt = excluded.salt, iv = excluded.iv, auth_tag = excluded.auth_tag,\n    updated_at = excluded.updated_at, expires_at = excluded.expires_at";
+export declare const SELECT_CREDENTIAL = "\n  SELECT agent, name, type, encrypted_data, salt, iv, auth_tag, created_at, updated_at, expires_at\n  FROM credentials WHERE agent = ? AND name = ?";
+export declare const SELECT_ALL_METADATA = "\n  SELECT agent, name, type, created_at, updated_at, expires_at\n  FROM credentials ORDER BY agent, name";
+export declare const DELETE_CREDENTIAL = "\n  DELETE FROM credentials WHERE agent = ? AND name = ?";
+export declare const UPDATE_EXPIRES_AT = "\n  UPDATE credentials SET expires_at = ?, updated_at = ? WHERE agent = ? AND name = ?";

package/dist/db/repositories/credentials-queries.js

@@ -0,0 +1,19 @@
+/**
+ * SQL queries for credentials repository.
+ */
+export const UPSERT_CREDENTIAL = `
+  INSERT INTO credentials (agent, name, type, encrypted_data, salt, iv, auth_tag, created_at, updated_at, expires_at)
+  VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+  ON CONFLICT(agent, name) DO UPDATE SET
+    type = excluded.type, encrypted_data = excluded.encrypted_data, salt = excluded.salt, iv = excluded.iv, auth_tag = excluded.auth_tag,
+    updated_at = excluded.updated_at, expires_at = excluded.expires_at`;
+export const SELECT_CREDENTIAL = `
+  SELECT agent, name, type, encrypted_data, salt, iv, auth_tag, created_at, updated_at, expires_at
+  FROM credentials WHERE agent = ? AND name = ?`;
+export const SELECT_ALL_METADATA = `
+  SELECT agent, name, type, created_at, updated_at, expires_at
+  FROM credentials ORDER BY agent, name`;
+export const DELETE_CREDENTIAL = `
+  DELETE FROM credentials WHERE agent = ? AND name = ?`;
+export const UPDATE_EXPIRES_AT = `
+  UPDATE credentials SET expires_at = ?, updated_at = ? WHERE agent = ? AND name = ?`;

package/dist/db/repositories/credentials.d.ts

@@ -4,30 +4,8 @@
  * Manages encrypted credential storage.
  */
 import type Database from "better-sqlite3";
-/** Valid credential types */
-type CredentialType = "oauth" | "api-key";
-/** Credential record stored in database */
-interface CredentialRecord {
-    agent: string;
-    name: string;
-    type: CredentialType;
-    encryptedData: Buffer;
-    salt: Buffer;
-    iv: Buffer;
-    authTag: Buffer;
-    createdAt: Date;
-    updatedAt: Date;
-    expiresAt: Date | undefined;
-}
-/** Credential metadata (without encrypted data) */
-interface CredentialMetadata {
-    agent: string;
-    name: string;
-    type: CredentialType;
-    createdAt: Date;
-    updatedAt: Date;
-    expiresAt: Date | undefined;
-}
+import type { CredentialType } from "axshared";
+import { type CredentialMetadata, type CredentialRecord } from "./parse-credential-row.js";
 /** Store or update a credential */
 declare function upsertCredential(database: Database.Database, credential: {
     agent: string;
@@ -50,4 +28,4 @@ declare function deleteCredential(database: Database.Database, agent: string, na
 /** Update expiration time after refresh */
 declare function updateExpiresAt(database: Database.Database, agent: string, name: string, expiresAt: Date | undefined): void;
 export { deleteCredential, getCredential, listCredentials, listCredentialsForApiKey, updateExpiresAt, upsertCredential, };
-export type { CredentialMetadata, CredentialRecord, CredentialType };
+export type { CredentialMetadata, CredentialRecord, } from "./parse-credential-row.js";

package/dist/db/repositories/credentials.js

@@ -3,64 +3,25 @@
  *
  * Manages encrypted credential storage.
  */
-/** Validate credential type from database */
-function validateType(type) {
-    if (type !== "oauth" && type !== "api-key") {
-        throw new Error(`Invalid credential type: ${type}`);
-    }
-    return type;
-}
-/** Convert database row to record */
-function rowToRecord(row) {
-    return {
-        agent: row.agent,
-        name: row.name,
-        type: validateType(row.type),
-        encryptedData: row.encrypted_data,
-        salt: row.salt,
-        iv: row.iv,
-        authTag: row.auth_tag,
-        createdAt: new Date(row.created_at),
-        updatedAt: new Date(row.updated_at),
-        expiresAt: row.expires_at ? new Date(row.expires_at) : undefined,
-    };
-}
-/** Convert metadata row to metadata */
-function rowToMetadata(row) {
-    return {
-        agent: row.agent,
-        name: row.name,
-        type: validateType(row.type),
-        createdAt: new Date(row.created_at),
-        updatedAt: new Date(row.updated_at),
-        expiresAt: row.expires_at ? new Date(row.expires_at) : undefined,
-    };
-}
+import * as SQL from "./credentials-queries.js";
+import { rowToMetadata, rowToRecord, } from "./parse-credential-row.js";
 /** Store or update a credential */
 function upsertCredential(database, credential) {
     const now = Date.now();
-    /* eslint-disable unicorn/no-null -- SQLite requires null for NULL values */
+    // eslint-disable-next-line unicorn/no-null -- SQLite requires null for NULL values
+    const expiresAt = credential.expiresAt?.getTime() ?? null;
     database
-        .prepare(`INSERT INTO credentials (agent, name, type, encrypted_data, salt, iv, auth_tag, created_at, updated_at, expires_at)
-     VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
-     ON CONFLICT(agent, name) DO UPDATE SET
-       type = excluded.type, encrypted_data = excluded.encrypted_data, salt = excluded.salt, iv = excluded.iv, auth_tag = excluded.auth_tag,
-       updated_at = excluded.updated_at, expires_at = excluded.expires_at`)
-        .run(credential.agent, credential.name, credential.type, credential.encryptedData, credential.salt, credential.iv, credential.authTag, now, now, credential.expiresAt?.getTime() ?? null);
-    /* eslint-enable unicorn/no-null */
+        .prepare(SQL.UPSERT_CREDENTIAL)
+        .run(credential.agent, credential.name, credential.type, credential.encryptedData, credential.salt, credential.iv, credential.authTag, now, now, expiresAt);
 }
 /** Get a credential by agent and name */
 function getCredential(database, agent, name) {
-    const row = database
-        .prepare(`SELECT agent, name, type, encrypted_data, salt, iv, auth_tag, created_at, updated_at, expires_at FROM credentials WHERE agent = ? AND name = ?`)
-        .get(agent, name);
+    const row = database.prepare(SQL.SELECT_CREDENTIAL).get(agent, name);
     return row ? rowToRecord(row) : undefined;
 }
 /** List all credentials (metadata only) */
 function listCredentials(database) {
-    const rows = database
-        .prepare(`SELECT agent, name, type, created_at, updated_at, expires_at FROM credentials ORDER BY agent, name`)
-        .all();
+    const rows = database.prepare(SQL.SELECT_ALL_METADATA).all();
     return rows.map((row) => rowToMetadata(row));
 }
 /** List credentials accessible by an API key's read access list */
@@ -71,15 +32,12 @@ function listCredentialsForApiKey(database, readAccess) {
 }
 /** Delete a credential */
 function deleteCredential(database, agent, name) {
-    return (database
-        .prepare(`DELETE FROM credentials WHERE agent = ? AND name = ?`)
-        .run(agent, name).changes > 0);
+    return database.prepare(SQL.DELETE_CREDENTIAL).run(agent, name).changes > 0;
 }
 /** Update expiration time after refresh */
 function updateExpiresAt(database, agent, name, expiresAt) {
-    database
-        .prepare(`UPDATE credentials SET expires_at = ?, updated_at = ? WHERE agent = ? AND name = ?`)
-        // eslint-disable-next-line unicorn/no-null -- SQLite requires null for NULL values
-        .run(expiresAt?.getTime() ?? null, Date.now(), agent, name);
+    // eslint-disable-next-line unicorn/no-null -- SQLite requires null for NULL values
+    const expires = expiresAt?.getTime() ?? null;
+    database.prepare(SQL.UPDATE_EXPIRES_AT).run(expires, Date.now(), agent, name);
 }
 export { deleteCredential, getCredential, listCredentials, listCredentialsForApiKey, updateExpiresAt, upsertCredential, };

package/dist/db/repositories/parse-credential-row.d.ts

@@ -0,0 +1,33 @@
+/**
+ * Pure functions for parsing credential database rows.
+ */
+import { CredentialType } from "axshared";
+import type { CredentialRow, MetadataRow } from "../types.js";
+/** Credential record stored in database */
+interface CredentialRecord {
+    agent: string;
+    name: string;
+    type: CredentialType;
+    encryptedData: Buffer;
+    salt: Buffer;
+    iv: Buffer;
+    authTag: Buffer;
+    createdAt: Date;
+    updatedAt: Date;
+    expiresAt: Date | undefined;
+}
+/** Credential metadata (without encrypted data) */
+interface CredentialMetadata {
+    agent: string;
+    name: string;
+    type: CredentialType;
+    createdAt: Date;
+    updatedAt: Date;
+    expiresAt: Date | undefined;
+}
+/** Convert database row to record */
+declare function rowToRecord(row: CredentialRow): CredentialRecord;
+/** Convert metadata row to metadata */
+declare function rowToMetadata(row: MetadataRow): CredentialMetadata;
+export { rowToMetadata, rowToRecord };
+export type { CredentialMetadata, CredentialRecord };

package/dist/db/repositories/parse-credential-row.js

@@ -0,0 +1,39 @@
+/**
+ * Pure functions for parsing credential database rows.
+ */
+import { CredentialType } from "axshared";
+/** Parse and validate credential type from database */
+function parseCredentialType(type) {
+    const result = CredentialType.safeParse(type);
+    if (!result.success) {
+        throw new Error(`Invalid credential type: ${type}`);
+    }
+    return result.data;
+}
+/** Convert database row to record */
+function rowToRecord(row) {
+    return {
+        agent: row.agent,
+        name: row.name,
+        type: parseCredentialType(row.type),
+        encryptedData: row.encrypted_data,
+        salt: row.salt,
+        iv: row.iv,
+        authTag: row.auth_tag,
+        createdAt: new Date(row.created_at),
+        updatedAt: new Date(row.updated_at),
+        expiresAt: row.expires_at ? new Date(row.expires_at) : undefined,
+    };
+}
+/** Convert metadata row to metadata */
+function rowToMetadata(row) {
+    return {
+        agent: row.agent,
+        name: row.name,
+        type: parseCredentialType(row.type),
+        createdAt: new Date(row.created_at),
+        updatedAt: new Date(row.updated_at),
+        expiresAt: row.expires_at ? new Date(row.expires_at) : undefined,
+    };
+}
+export { rowToMetadata, rowToRecord };

package/dist/db/types.d.ts

@@ -6,6 +6,7 @@ export interface ApiKeyRow {
     id: string;
     name: string;
     key_hash: string;
+    key_prefix: string | null;
     read_access: string;
     write_access: string;
     grant_access: string;

package/dist/handlers/get-credential.js

@@ -1,6 +1,7 @@
 /**
  * GET /api/v1/credentials/:agent/:name handler.
  */
+import { isRefreshableCredentialType } from "axshared";
 import { hasReadAccess } from "../db/repositories/api-keys.js";
 import { getCredential } from "../db/repositories/credentials.js";
 import { logAccess } from "../db/repositories/audit-log.js";
@@ -69,7 +70,7 @@ function createGetCredentialHandler(database, config) {
         let wasRefreshed = false;
         let refreshFailed = false;
         if (config.refreshThresholdSeconds > 0 &&
-            credential.type === "oauth" &&
+            isRefreshableCredentialType(credential.type) &&
             isRefreshable(data) &&
             needsRefresh(data, config.refreshThresholdSeconds)) {
             try {

package/dist/handlers/put-credential.js

@@ -1,6 +1,7 @@
 /**
  * PUT /api/v1/credentials/:agent/:name handler.
  */
+import { CredentialType, } from "axshared";
 import { hasWriteAccess } from "../db/repositories/api-keys.js";
 import { upsertCredential } from "../db/repositories/credentials.js";
 import { logAccess } from "../db/repositories/audit-log.js";
@@ -43,7 +44,8 @@ function createPutCredentialHandler(database) {
                 .json({ error: "Request body must include 'data' object" });
             return;
         }
-        if (body.type !== "oauth" && body.type !== "api-key") {
+        const typeResult = CredentialType.safeParse(body.type);
+        if (!typeResult.success) {
             logAccess(database, {
                 apiKeyId: apiKey.id,
                 action: "write",
@@ -53,11 +55,11 @@ function createPutCredentialHandler(database) {
                 errorMessage: "Invalid type",
             });
             response.status(400).json({
-                error: 'Request body must include \'type\' ("oauth" or "api-key")',
+                error: `Request body must include 'type' (${CredentialType.options.map((t) => `"${t}"`).join(", ")})`,
             });
             return;
         }
-        const credentialType = body.type;
+        const credentialType = typeResult.data;
         try {
             const encrypted = encryptCredential(body.data);
             let expiresAt;

package/dist/lib/format.d.ts

@@ -37,6 +37,7 @@ export declare function isValidKeyId(id: string): boolean;
 export declare function formatKeyRow(key: {
     id: string;
     name: string;
+    keyPrefix?: string;
     readAccess: string[];
     writeAccess: string[];
     grantAccess: string[];

package/dist/lib/format.js

@@ -66,17 +66,27 @@ const KEY_ID_PATTERN = /^k_[0-9a-f]{12}$/u;
 export function isValidKeyId(id) {
     return KEY_ID_PATTERN.test(id);
 }
+/**
+ * Format key prefix for display with redaction suffix.
+ * Returns "(unavailable)" for keys created before prefix storage.
+ */
+function formatKeyPrefix(prefix) {
+    if (!prefix)
+        return "(unavailable)";
+    return `${prefix}...`;
+}
 /**
  * Format a single API key row for TSV output.
  */
 export function formatKeyRow(key) {
     const id = sanitizeForTsv(key.id);
     const name = sanitizeForTsv(key.name);
+    const keyPrefix = sanitizeForTsv(formatKeyPrefix(key.keyPrefix));
     const readAccess = sanitizeForTsv(formatAccessList(key.readAccess));
     const writeAccess = sanitizeForTsv(formatAccessList(key.writeAccess));
     const grantAccess = sanitizeForTsv(formatAccessList(key.grantAccess));
     const lastUsed = formatRelativeTime(key.lastUsedAt);
-    return `${id}\t${name}\t${readAccess}\t${writeAccess}\t${grantAccess}\t${lastUsed}`;
+    return `${id}\t${name}\t${keyPrefix}\t${readAccess}\t${writeAccess}\t${grantAccess}\t${lastUsed}`;
 }
 /**
  * Validate access list entry format.

package/dist/refresh/check-refresh.js

@@ -50,10 +50,10 @@ function toAxauthCredentials(agent, data) {
     if (!VALID_AGENTS.has(agent)) {
         return undefined;
     }
-    // Only OAuth credentials can be refreshed
+    // Only OAuth credentials with refresh tokens can be refreshed
     return {
         agent: agent,
-        type: "oauth",
+        type: "oauth-credentials",
         data,
     };
 }

package/dist/refresh/refresh-manager.d.ts

@@ -5,7 +5,7 @@
  * with axauth's refresh functionality.
  */
 import type Database from "better-sqlite3";
-import type { CredentialType } from "../db/repositories/credentials.js";
+import type { CredentialType } from "axshared";
 /** Key for credential-specific mutex */
 type CredentialKey = `${string}/${string}`;
 /** Result type for the full refresh operation */

package/package.json

@@ -2,7 +2,7 @@
   "name": "axvault",
   "author": "Łukasz Jerciński",
   "license": "MIT",
-  "version": "1.2.0",
+  "version": "1.4.0",
   "description": "Remote credential storage server for axkit",
   "repository": {
     "type": "git",
@@ -49,9 +49,9 @@
   },
   "dependencies": {
     "@commander-js/extra-typings": "^14.0.0",
-    "axauth": "^1.7.2",
-    "axshared": "^1.8.0",
-    "better-sqlite3": "^12.5.0",
+    "axauth": "^1.9.0",
+    "axshared": "1.9.0",
+    "better-sqlite3": "^12.6.0",
     "commander": "^14.0.2",
     "express": "^5.2.1"
   },
@@ -78,13 +78,13 @@
     "@total-typescript/ts-reset": "^0.6.1",
     "@types/better-sqlite3": "^7.6.13",
     "@types/express": "^5.0.6",
-    "@types/node": "^25.0.3",
+    "@types/node": "^25.0.5",
     "@vitest/coverage-v8": "^4.0.16",
     "eslint": "^9.39.2",
     "eslint-config-axkit": "^1.0.0",
     "fta-check": "^1.5.1",
     "fta-cli": "^3.0.0",
-    "knip": "^5.80.0",
+    "knip": "^5.80.2",
     "prettier": "3.7.4",
     "semantic-release": "^25.0.2",
     "typescript": "^5.9.3",