axvault 1.3.0 → 1.4.0

package/dist/commands/key-list.js

@@ -16,6 +16,8 @@ export function handleKeyList(options) {
             const output = keys.map((key) => ({
                 id: key.id,
                 name: key.name,
+                // eslint-disable-next-line unicorn/no-null -- JSON requires null for missing values
+                keyPrefix: key.keyPrefix ?? null,
                 readAccess: key.readAccess,
                 writeAccess: key.writeAccess,
                 grantAccess: key.grantAccess,
@@ -28,7 +30,7 @@ export function handleKeyList(options) {
             console.error("No API keys found.\nCreate one with: axvault key create --name <name> [--read <access>] [--write <access>] [--grant <access>]");
         }
         else {
-            console.log("ID\tNAME\tREAD ACCESS\tWRITE ACCESS\tGRANT ACCESS\tLAST USED");
+            console.log("ID\tNAME\tKEY\tREAD ACCESS\tWRITE ACCESS\tGRANT ACCESS\tLAST USED");
             for (const key of keys)
                 console.log(formatKeyRow(key));
         }

package/dist/db/migrations.d.ts

@@ -4,7 +4,7 @@
  * Uses a simple version-based migration system.
  */
 import type Database from "better-sqlite3";
-declare const CURRENT_VERSION = 5;
+declare const CURRENT_VERSION = 6;
 /** Run all pending migrations */
 declare function runMigrations(database: Database.Database): void;
 /** Get current schema version */

package/dist/db/migrations.js

@@ -3,7 +3,7 @@
  *
  * Uses a simple version-based migration system.
  */
-const CURRENT_VERSION = 5;
+const CURRENT_VERSION = 6;
 /** Run all pending migrations */
 function runMigrations(database) {
     const version = getSchemaVersion(database);
@@ -22,6 +22,9 @@ function runMigrations(database) {
     if (version < 5) {
         migrateToV5(database);
     }
+    if (version < 6) {
+        migrateToV6(database);
+    }
 }
 /** Get current schema version */
 function getSchemaVersion(database) {
@@ -148,4 +151,18 @@ function migrateToV5(database) {
         setSchemaVersion(database, 5);
     })();
 }
+/**
+ * Migration to version 6: Add key_prefix column to api_keys
+ *
+ * Stores first 8 characters of the key secret for identification.
+ * Existing keys will have NULL prefix (key value not recoverable).
+ */
+function migrateToV6(database) {
+    database.transaction(() => {
+        database.exec(`
+      ALTER TABLE api_keys ADD COLUMN key_prefix TEXT
+    `);
+        setSchemaVersion(database, 6);
+    })();
+}
 export { CURRENT_VERSION, getSchemaVersion, runMigrations };

package/dist/db/repositories/api-key-utilities.d.ts

@@ -0,0 +1,26 @@
+/**
+ * API key utility functions.
+ *
+ * Pure functions for key generation and hashing.
+ */
+/** Generate a new API key ID */
+declare function generateKeyId(): string;
+/** Generate a new API key secret */
+declare function generateKeySecret(): string;
+/** Hash an API key for storage */
+declare function hashApiKey(key: string): string;
+/** Extract key prefix for display (axv_sk_ + first 8 hex chars of secret) */
+declare function extractKeyPrefix(key: string): string;
+/** Minimal interface for access checking */
+interface AccessLists {
+    readAccess: string[];
+    writeAccess: string[];
+    grantAccess: string[];
+}
+/** Check if API key has read access to a credential */
+declare function hasReadAccess(apiKey: AccessLists, agent: string, name: string): boolean;
+/** Check if API key has write access to a credential */
+declare function hasWriteAccess(apiKey: AccessLists, agent: string, name: string): boolean;
+/** Check if API key has grant access to a credential */
+declare function hasGrantAccess(apiKey: AccessLists, agent: string, name: string): boolean;
+export { extractKeyPrefix, generateKeyId, generateKeySecret, hashApiKey, hasGrantAccess, hasReadAccess, hasWriteAccess, };

package/dist/db/repositories/api-key-utilities.js

@@ -0,0 +1,43 @@
+/**
+ * API key utility functions.
+ *
+ * Pure functions for key generation and hashing.
+ */
+import { createHash, randomBytes } from "node:crypto";
+/** Key prefix for identification (e.g., "axv_sk_01234567") */
+const KEY_PREFIX_LENGTH = 8;
+/** Generate a new API key ID */
+function generateKeyId() {
+    return `k_${randomBytes(6).toString("hex")}`;
+}
+/** Generate a new API key secret */
+function generateKeySecret() {
+    return `axv_sk_${randomBytes(16).toString("hex")}`;
+}
+/** Hash an API key for storage */
+function hashApiKey(key) {
+    return createHash("sha256").update(key).digest("hex");
+}
+/** Extract key prefix for display (axv_sk_ + first 8 hex chars of secret) */
+function extractKeyPrefix(key) {
+    // Key format: axv_sk_ + 32 hex chars
+    return key.slice(0, 7 + KEY_PREFIX_LENGTH); // "axv_sk_" (7) + 8 chars
+}
+/** Check if access list includes the given credential path */
+function hasAccess(accessList, agent, name) {
+    const path = `${agent}/${name}`;
+    return accessList.includes("*") || accessList.includes(path);
+}
+/** Check if API key has read access to a credential */
+function hasReadAccess(apiKey, agent, name) {
+    return hasAccess(apiKey.readAccess, agent, name);
+}
+/** Check if API key has write access to a credential */
+function hasWriteAccess(apiKey, agent, name) {
+    return hasAccess(apiKey.writeAccess, agent, name);
+}
+/** Check if API key has grant access to a credential */
+function hasGrantAccess(apiKey, agent, name) {
+    return hasAccess(apiKey.grantAccess, agent, name);
+}
+export { extractKeyPrefix, generateKeyId, generateKeySecret, hashApiKey, hasGrantAccess, hasReadAccess, hasWriteAccess, };

package/dist/db/repositories/api-keys.d.ts

@@ -9,6 +9,7 @@ interface ApiKeyRecord {
     id: string;
     name: string;
     keyHash: string;
+    keyPrefix: string | undefined;
     readAccess: string[];
     writeAccess: string[];
     grantAccess: string[];
@@ -36,17 +37,12 @@ declare function listApiKeys(database: Database.Database): ApiKeyRecord[];
 declare function updateLastUsed(database: Database.Database, id: string): void;
 /** Delete an API key */
 declare function deleteApiKey(database: Database.Database, id: string): boolean;
-/** Check if API key has read access to a credential */
-declare function hasReadAccess(apiKey: ApiKeyRecord, agent: string, name: string): boolean;
-/** Check if API key has write access to a credential */
-declare function hasWriteAccess(apiKey: ApiKeyRecord, agent: string, name: string): boolean;
-/** Check if API key has grant access to a credential */
-declare function hasGrantAccess(apiKey: ApiKeyRecord, agent: string, name: string): boolean;
 /** Update an API key's access permissions */
 declare function updateApiKeyAccess(database: Database.Database, id: string, options: {
     readAccess?: string[];
     writeAccess?: string[];
     grantAccess?: string[];
 }): boolean;
-export { createApiKey, deleteApiKey, findApiKeyById, findApiKeyByKey, hasGrantAccess, hasReadAccess, hasWriteAccess, listApiKeys, updateApiKeyAccess, updateLastUsed, };
+export { createApiKey, deleteApiKey, findApiKeyById, findApiKeyByKey, listApiKeys, updateApiKeyAccess, updateLastUsed, };
+export { hasGrantAccess, hasReadAccess, hasWriteAccess, } from "./api-key-utilities.js";
 export type { ApiKeyRecord, ApiKeyWithSecret };

package/dist/db/repositories/api-keys.js

@@ -3,13 +3,14 @@
  *
  * Manages API keys with read/write access lists for credentials.
  */
-import { createHash, randomBytes } from "node:crypto";
+import { extractKeyPrefix, generateKeyId, generateKeySecret, hashApiKey, } from "./api-key-utilities.js";
 /** Convert database row to record */
 function rowToRecord(row) {
     return {
         id: row.id,
         name: row.name,
         keyHash: row.key_hash,
+        keyPrefix: row.key_prefix ?? undefined,
         readAccess: JSON.parse(row.read_access),
         writeAccess: JSON.parse(row.write_access),
         grantAccess: JSON.parse(row.grant_access),
@@ -17,26 +18,24 @@ function rowToRecord(row) {
         lastUsedAt: row.last_used_at ? new Date(row.last_used_at) : undefined,
     };
 }
-/** Hash an API key for storage */
-function hashApiKey(key) {
-    return createHash("sha256").update(key).digest("hex");
-}
-const SELECT_COLUMNS = `id, name, key_hash, read_access, write_access, grant_access, created_at, last_used_at`;
+const SELECT_COLUMNS = `id, name, key_hash, key_prefix, read_access, write_access, grant_access, created_at, last_used_at`;
 /** Create a new API key */
 function createApiKey(database, options) {
-    const id = `k_${randomBytes(6).toString("hex")}`;
-    const key = `axv_sk_${randomBytes(16).toString("hex")}`;
+    const id = generateKeyId();
+    const key = generateKeySecret();
     const keyHash = hashApiKey(key);
+    const keyPrefix = extractKeyPrefix(key);
     const now = Date.now();
     database
-        .prepare(`INSERT INTO api_keys (id, name, key_hash, read_access, write_access, grant_access, created_at)
-     VALUES (?, ?, ?, ?, ?, ?, ?)`)
-        .run(id, options.name, keyHash, JSON.stringify(options.readAccess), JSON.stringify(options.writeAccess), JSON.stringify(options.grantAccess), now);
+        .prepare(`INSERT INTO api_keys (id, name, key_hash, key_prefix, read_access, write_access, grant_access, created_at)
+     VALUES (?, ?, ?, ?, ?, ?, ?, ?)`)
+        .run(id, options.name, keyHash, keyPrefix, JSON.stringify(options.readAccess), JSON.stringify(options.writeAccess), JSON.stringify(options.grantAccess), now);
     return {
         id,
         name: options.name,
         key,
         keyHash,
+        keyPrefix,
         readAccess: options.readAccess,
         writeAccess: options.writeAccess,
         grantAccess: options.grantAccess,
@@ -75,21 +74,6 @@ function updateLastUsed(database, id) {
 function deleteApiKey(database, id) {
     return (database.prepare(`DELETE FROM api_keys WHERE id = ?`).run(id).changes > 0);
 }
-/** Check if API key has read access to a credential */
-function hasReadAccess(apiKey, agent, name) {
-    const path = `${agent}/${name}`;
-    return apiKey.readAccess.includes("*") || apiKey.readAccess.includes(path);
-}
-/** Check if API key has write access to a credential */
-function hasWriteAccess(apiKey, agent, name) {
-    const path = `${agent}/${name}`;
-    return apiKey.writeAccess.includes("*") || apiKey.writeAccess.includes(path);
-}
-/** Check if API key has grant access to a credential */
-function hasGrantAccess(apiKey, agent, name) {
-    const path = `${agent}/${name}`;
-    return apiKey.grantAccess.includes("*") || apiKey.grantAccess.includes(path);
-}
 /** Update an API key's access permissions */
 function updateApiKeyAccess(database, id, options) {
     const updates = [];
@@ -112,4 +96,5 @@ function updateApiKeyAccess(database, id, options) {
     const sql = `UPDATE api_keys SET ${updates.join(", ")} WHERE id = ?`;
     return database.prepare(sql).run(...values).changes > 0;
 }
-export { createApiKey, deleteApiKey, findApiKeyById, findApiKeyByKey, hasGrantAccess, hasReadAccess, hasWriteAccess, listApiKeys, updateApiKeyAccess, updateLastUsed, };
+export { createApiKey, deleteApiKey, findApiKeyById, findApiKeyByKey, listApiKeys, updateApiKeyAccess, updateLastUsed, };
+export { hasGrantAccess, hasReadAccess, hasWriteAccess, } from "./api-key-utilities.js";

package/dist/db/types.d.ts

@@ -6,6 +6,7 @@ export interface ApiKeyRow {
     id: string;
     name: string;
     key_hash: string;
+    key_prefix: string | null;
     read_access: string;
     write_access: string;
     grant_access: string;

package/dist/lib/format.d.ts

@@ -37,6 +37,7 @@ export declare function isValidKeyId(id: string): boolean;
 export declare function formatKeyRow(key: {
     id: string;
     name: string;
+    keyPrefix?: string;
     readAccess: string[];
     writeAccess: string[];
     grantAccess: string[];

package/dist/lib/format.js

@@ -66,17 +66,27 @@ const KEY_ID_PATTERN = /^k_[0-9a-f]{12}$/u;
 export function isValidKeyId(id) {
     return KEY_ID_PATTERN.test(id);
 }
+/**
+ * Format key prefix for display with redaction suffix.
+ * Returns "(unavailable)" for keys created before prefix storage.
+ */
+function formatKeyPrefix(prefix) {
+    if (!prefix)
+        return "(unavailable)";
+    return `${prefix}...`;
+}
 /**
  * Format a single API key row for TSV output.
  */
 export function formatKeyRow(key) {
     const id = sanitizeForTsv(key.id);
     const name = sanitizeForTsv(key.name);
+    const keyPrefix = sanitizeForTsv(formatKeyPrefix(key.keyPrefix));
     const readAccess = sanitizeForTsv(formatAccessList(key.readAccess));
     const writeAccess = sanitizeForTsv(formatAccessList(key.writeAccess));
     const grantAccess = sanitizeForTsv(formatAccessList(key.grantAccess));
     const lastUsed = formatRelativeTime(key.lastUsedAt);
-    return `${id}\t${name}\t${readAccess}\t${writeAccess}\t${grantAccess}\t${lastUsed}`;
+    return `${id}\t${name}\t${keyPrefix}\t${readAccess}\t${writeAccess}\t${grantAccess}\t${lastUsed}`;
 }
 /**
  * Validate access list entry format.

package/package.json

@@ -2,7 +2,7 @@
   "name": "axvault",
   "author": "Łukasz Jerciński",
   "license": "MIT",
-  "version": "1.3.0",
+  "version": "1.4.0",
   "description": "Remote credential storage server for axkit",
   "repository": {
     "type": "git",