axvault 1.8.0 → 1.8.2

package/dist/db/migrations.js

@@ -1,32 +1,23 @@
 /**
  * Database schema migrations.
  *
- * Uses a simple version-based migration system.
+ * Simple schema with opaque credential storage.
+ * Credentials are identified by name only - the blob contains all metadata.
  */
-const CURRENT_VERSION = 7;
+const CURRENT_VERSION = 1;
 /** Run all pending migrations */
 function runMigrations(database) {
-    const version = getSchemaVersion(database);
-    if (version < 1) {
-        migrateToV1(database);
+    let version = getSchemaVersion(database);
+    if (version > CURRENT_VERSION) {
+        throw new Error(`Unsupported database schema version v${version} (expected v${CURRENT_VERSION}). Delete the database file to reinitialize.`);
     }
-    if (version < 2) {
-        migrateToV2(database);
-    }
-    if (version < 3) {
-        migrateToV3(database);
-    }
-    if (version < 4) {
-        migrateToV4(database);
-    }
-    if (version < 5) {
-        migrateToV5(database);
-    }
-    if (version < 6) {
-        migrateToV6(database);
-    }
-    if (version < 7) {
-        migrateToV7(database);
+    while (version < CURRENT_VERSION) {
+        if (version === 0) {
+            migrateToV1(database);
+            version = 1;
+            continue;
+        }
+        throw new Error(`Unsupported database schema version v${version} (expected v${CURRENT_VERSION}). Delete the database file to reinitialize.`);
     }
 }
 /** Get current schema version */
@@ -41,7 +32,10 @@ function setSchemaVersion(database, version) {
 /**
  * Migration to version 1: Initial schema
  *
- * Creates tables for API keys, credentials, and audit log.
+ * Simple opaque credential storage:
+ * - Credentials identified by name only
+ * - All credential metadata (agent, type, provider, data) in encrypted blob
+ * - API keys with name-based access patterns
  */
 function migrateToV1(database) {
     database.transaction(() => {
@@ -51,8 +45,10 @@ function migrateToV1(database) {
         id TEXT PRIMARY KEY,
         name TEXT NOT NULL,
         key_hash TEXT NOT NULL UNIQUE,
+        key_prefix TEXT,
         read_access TEXT NOT NULL,
         write_access TEXT NOT NULL,
+        grant_access TEXT NOT NULL DEFAULT '[]',
         created_at INTEGER NOT NULL,
         last_used_at INTEGER
       )
@@ -61,29 +57,26 @@ function migrateToV1(database) {
         database.exec(`
       CREATE INDEX idx_api_keys_key_hash ON api_keys(key_hash)
     `);
-        // Encrypted credentials
+        // Encrypted credentials (opaque blob storage)
         database.exec(`
       CREATE TABLE credentials (
-        agent TEXT NOT NULL,
-        name TEXT NOT NULL,
+        name TEXT PRIMARY KEY,
         encrypted_data BLOB NOT NULL,
+        salt BLOB NOT NULL,
         iv BLOB NOT NULL,
         auth_tag BLOB NOT NULL,
         created_at INTEGER NOT NULL,
-        updated_at INTEGER NOT NULL,
-        expires_at INTEGER,
-        PRIMARY KEY (agent, name)
+        updated_at INTEGER NOT NULL
       )
     `);
-        // Audit log - intentionally no FK on api_key_id to preserve logs after key deletion
+        // Audit log
         database.exec(`
       CREATE TABLE audit_log (
         id INTEGER PRIMARY KEY AUTOINCREMENT,
         timestamp INTEGER NOT NULL,
         api_key_id TEXT,
         action TEXT NOT NULL,
-        agent TEXT,
-        name TEXT,
+        credential_name TEXT,
         success INTEGER NOT NULL,
         error_message TEXT
       )
@@ -95,92 +88,4 @@ function migrateToV1(database) {
         setSchemaVersion(database, 1);
     })();
 }
-/**
- * Migration to version 2: Add salt column to credentials
- *
- * AES-256-GCM with PBKDF2 requires a salt for key derivation.
- */
-function migrateToV2(database) {
-    database.transaction(() => {
-        database.exec(`
-      ALTER TABLE credentials ADD COLUMN salt BLOB
-    `);
-        setSchemaVersion(database, 2);
-    })();
-}
-/**
- * Migration to version 3: Add type column to credentials
- *
- * Explicit credential type ("oauth" or "api-key") instead of inferring from data.
- * Existing credentials without type must be re-uploaded.
- */
-function migrateToV3(database) {
-    database.transaction(() => {
-        database.exec(`
-      ALTER TABLE credentials ADD COLUMN type TEXT
-    `);
-        setSchemaVersion(database, 3);
-    })();
-}
-/**
- * Migration to version 4: Add grant_access column to api_keys
- *
- * The grant permission controls which credentials a key can delegate access to.
- * Existing keys get an empty grant_access array (no delegation rights).
- */
-function migrateToV4(database) {
-    database.transaction(() => {
-        database.exec(`
-      ALTER TABLE api_keys ADD COLUMN grant_access TEXT NOT NULL DEFAULT '[]'
-    `);
-        setSchemaVersion(database, 4);
-    })();
-}
-/**
- * Migration to version 5: Rename credential type "oauth" to "oauth-credentials"
- *
- * Distinguishes refreshable OAuth credentials (oauth-credentials) from
- * long-lived OAuth tokens like CLAUDE_CODE_OAUTH_TOKEN (oauth-token).
- *
- * - `oauth-credentials`: Full OAuth flow with accessToken, refreshToken, expiresAt (refreshable)
- * - `oauth-token`: Long-lived OAuth token for CI/CD (static, no refresh)
- * - `api-key`: API key (static)
- */
-function migrateToV5(database) {
-    database.transaction(() => {
-        database.exec(`
-      UPDATE credentials SET type = 'oauth-credentials' WHERE type = 'oauth'
-    `);
-        setSchemaVersion(database, 5);
-    })();
-}
-/**
- * Migration to version 6: Add key_prefix column to api_keys
- *
- * Stores first 8 characters of the key secret for identification.
- * Existing keys will have NULL prefix (key value not recoverable).
- */
-function migrateToV6(database) {
-    database.transaction(() => {
-        database.exec(`
-      ALTER TABLE api_keys ADD COLUMN key_prefix TEXT
-    `);
-        setSchemaVersion(database, 6);
-    })();
-}
-/**
- * Migration to version 7: Add provider column to credentials
- *
- * Stores the provider name for multi-provider agents like OpenCode.
- * For example, OpenCode credentials can have provider = "anthropic", "openai",
- * "gemini", or "opencode" (the OpenCode Zen service).
- */
-function migrateToV7(database) {
-    database.transaction(() => {
-        database.exec(`
-      ALTER TABLE credentials ADD COLUMN provider TEXT
-    `);
-        setSchemaVersion(database, 7);
-    })();
-}
 export { CURRENT_VERSION, getSchemaVersion, runMigrations };

package/dist/db/repositories/api-key-utilities.d.ts

@@ -18,9 +18,9 @@ interface AccessLists {
     grantAccess: string[];
 }
 /** Check if API key has read access to a credential */
-declare function hasReadAccess(apiKey: AccessLists, agent: string, name: string): boolean;
+declare function hasReadAccess(apiKey: AccessLists, name: string): boolean;
 /** Check if API key has write access to a credential */
-declare function hasWriteAccess(apiKey: AccessLists, agent: string, name: string): boolean;
+declare function hasWriteAccess(apiKey: AccessLists, name: string): boolean;
 /** Check if API key has grant access to a credential */
-declare function hasGrantAccess(apiKey: AccessLists, agent: string, name: string): boolean;
+declare function hasGrantAccess(apiKey: AccessLists, name: string): boolean;
 export { extractKeyPrefix, generateKeyId, generateKeySecret, hashApiKey, hasGrantAccess, hasReadAccess, hasWriteAccess, };

package/dist/db/repositories/api-key-utilities.js

@@ -23,21 +23,20 @@ function extractKeyPrefix(key) {
     // Key format: axv_sk_ + 32 hex chars
     return key.slice(0, 7 + KEY_PREFIX_LENGTH); // "axv_sk_" (7) + 8 chars
 }
-/** Check if access list includes the given credential path */
-function hasAccess(accessList, agent, name) {
-    const path = `${agent}/${name}`;
-    return accessList.includes("*") || accessList.includes(path);
+/** Check if access list includes the given credential name */
+function hasAccess(accessList, name) {
+    return accessList.includes("*") || accessList.includes(name);
 }
 /** Check if API key has read access to a credential */
-function hasReadAccess(apiKey, agent, name) {
-    return hasAccess(apiKey.readAccess, agent, name);
+function hasReadAccess(apiKey, name) {
+    return hasAccess(apiKey.readAccess, name);
 }
 /** Check if API key has write access to a credential */
-function hasWriteAccess(apiKey, agent, name) {
-    return hasAccess(apiKey.writeAccess, agent, name);
+function hasWriteAccess(apiKey, name) {
+    return hasAccess(apiKey.writeAccess, name);
 }
 /** Check if API key has grant access to a credential */
-function hasGrantAccess(apiKey, agent, name) {
-    return hasAccess(apiKey.grantAccess, agent, name);
+function hasGrantAccess(apiKey, name) {
+    return hasAccess(apiKey.grantAccess, name);
 }
 export { extractKeyPrefix, generateKeyId, generateKeySecret, hashApiKey, hasGrantAccess, hasReadAccess, hasWriteAccess, };

package/dist/db/repositories/audit-log.d.ts

@@ -10,8 +10,7 @@ interface AuditLogEntry {
     timestamp: Date;
     apiKeyId: string | undefined;
     action: "auth" | "read" | "write" | "delete" | "refresh" | "list" | "grant";
-    agent: string | undefined;
-    name: string | undefined;
+    credentialName: string | undefined;
     success: boolean;
     errorMessage: string | undefined;
 }
@@ -19,8 +18,7 @@ interface AuditLogEntry {
 declare function logAccess(database: Database.Database, entry: {
     apiKeyId?: string;
     action: AuditLogEntry["action"];
-    agent?: string;
-    name?: string;
+    credentialName?: string;
     success: boolean;
     errorMessage?: string;
 }): void;
@@ -30,7 +28,7 @@ declare function getRecentLogs(database: Database.Database, options?: {
     apiKeyId?: string;
 }): AuditLogEntry[];
 /** Get logs for a specific credential */
-declare function getLogsForCredential(database: Database.Database, agent: string, name: string, limit_?: number): AuditLogEntry[];
+declare function getLogsForCredential(database: Database.Database, credentialName: string, limit_?: number): AuditLogEntry[];
 /** Prune old audit log entries */
 declare function pruneOldLogs(database: Database.Database, olderThanDays: number): number;
 export { getLogsForCredential, getRecentLogs, logAccess, pruneOldLogs };

package/dist/db/repositories/audit-log.js

@@ -10,19 +10,18 @@ function rowToEntry(row) {
         timestamp: new Date(row.timestamp),
         apiKeyId: row.api_key_id ?? undefined,
         action: row.action,
-        agent: row.agent ?? undefined,
-        name: row.name ?? undefined,
+        credentialName: row.credential_name ?? undefined,
         success: row.success === 1,
         errorMessage: row.error_message ?? undefined,
     };
 }
-const SELECT_COLUMNS = `id, timestamp, api_key_id, action, agent, name, success, error_message`;
+const SELECT_COLUMNS = `id, timestamp, api_key_id, action, credential_name, success, error_message`;
 /** Log a credential access event */
 function logAccess(database, entry) {
     /* eslint-disable unicorn/no-null -- SQLite requires null for NULL values */
     database
-        .prepare(`INSERT INTO audit_log (timestamp, api_key_id, action, agent, name, success, error_message) VALUES (?, ?, ?, ?, ?, ?, ?)`)
-        .run(Date.now(), entry.apiKeyId ?? null, entry.action, entry.agent ?? null, entry.name ?? null, entry.success ? 1 : 0, entry.errorMessage ?? null);
+        .prepare(`INSERT INTO audit_log (timestamp, api_key_id, action, credential_name, success, error_message) VALUES (?, ?, ?, ?, ?, ?)`)
+        .run(Date.now(), entry.apiKeyId ?? null, entry.action, entry.credentialName ?? null, entry.success ? 1 : 0, entry.errorMessage ?? null);
     /* eslint-enable unicorn/no-null */
 }
 /** Get recent audit log entries */
@@ -39,11 +38,11 @@ function getRecentLogs(database, options) {
     return database.prepare(query).all(...parameters).map((row) => rowToEntry(row));
 }
 /** Get logs for a specific credential */
-function getLogsForCredential(database, agent, name, limit_ = 50) {
+function getLogsForCredential(database, credentialName, limit_ = 50) {
     const limit = Math.max(1, Math.min(limit_, 1000));
     const rows = database
-        .prepare(`SELECT ${SELECT_COLUMNS} FROM audit_log WHERE agent = ? AND name = ? ORDER BY timestamp DESC LIMIT ?`)
-        .all(agent, name, limit);
+        .prepare(`SELECT ${SELECT_COLUMNS} FROM audit_log WHERE credential_name = ? ORDER BY timestamp DESC LIMIT ?`)
+        .all(credentialName, limit);
     return rows.map((row) => rowToEntry(row));
 }
 /** Prune old audit log entries */

package/dist/db/repositories/credentials-queries.d.ts

@@ -1,8 +1,12 @@
 /**
  * SQL queries for credentials repository.
+ *
+ * Name-only primary key, opaque blob storage.
  */
-export declare const UPSERT_CREDENTIAL = "\n  INSERT INTO credentials (agent, name, type, provider, encrypted_data, salt, iv, auth_tag, created_at, updated_at, expires_at)\n  VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)\n  ON CONFLICT(agent, name) DO UPDATE SET\n    type = excluded.type, provider = excluded.provider, encrypted_data = excluded.encrypted_data, salt = excluded.salt, iv = excluded.iv, auth_tag = excluded.auth_tag,\n    updated_at = excluded.updated_at, expires_at = excluded.expires_at";
-export declare const SELECT_CREDENTIAL = "\n  SELECT agent, name, type, provider, encrypted_data, salt, iv, auth_tag, created_at, updated_at, expires_at\n  FROM credentials WHERE agent = ? AND name = ?";
-export declare const SELECT_ALL_METADATA = "\n  SELECT agent, name, type, provider, created_at, updated_at, expires_at\n  FROM credentials ORDER BY agent, name";
-export declare const DELETE_CREDENTIAL = "\n  DELETE FROM credentials WHERE agent = ? AND name = ?";
-export declare const UPDATE_EXPIRES_AT = "\n  UPDATE credentials SET expires_at = ?, updated_at = ? WHERE agent = ? AND name = ?";
+export declare const UPSERT_CREDENTIAL = "\n  INSERT INTO credentials (name, encrypted_data, salt, iv, auth_tag, created_at, updated_at)\n  VALUES (?, ?, ?, ?, ?, ?, ?)\n  ON CONFLICT(name) DO UPDATE SET\n    encrypted_data = excluded.encrypted_data, salt = excluded.salt, iv = excluded.iv, auth_tag = excluded.auth_tag,\n    updated_at = excluded.updated_at\n  RETURNING created_at, updated_at";
+export declare const UPDATE_CREDENTIAL_IF_UPDATED_AT_MATCHES = "\n  UPDATE credentials\n  SET encrypted_data = ?, salt = ?, iv = ?, auth_tag = ?, updated_at = ?\n  WHERE name = ? AND updated_at = ?";
+export declare const SELECT_CREDENTIAL = "\n  SELECT name, encrypted_data, salt, iv, auth_tag, created_at, updated_at\n  FROM credentials WHERE name = ?";
+export declare const SELECT_ALL_METADATA = "\n  SELECT name, created_at, updated_at\n  FROM credentials ORDER BY name";
+export declare const SELECT_METADATA_PAGINATED = "\n  SELECT name, created_at, updated_at\n  FROM credentials\n  WHERE name > ?\n  ORDER BY name\n  LIMIT ?";
+export declare const SELECT_METADATA_FIRST_PAGE = "\n  SELECT name, created_at, updated_at\n  FROM credentials\n  ORDER BY name\n  LIMIT ?";
+export declare const DELETE_CREDENTIAL = "\n  DELETE FROM credentials WHERE name = ?";

package/dist/db/repositories/credentials-queries.js

@@ -1,19 +1,35 @@
 /**
  * SQL queries for credentials repository.
+ *
+ * Name-only primary key, opaque blob storage.
  */
 export const UPSERT_CREDENTIAL = `
-  INSERT INTO credentials (agent, name, type, provider, encrypted_data, salt, iv, auth_tag, created_at, updated_at, expires_at)
-  VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
-  ON CONFLICT(agent, name) DO UPDATE SET
-    type = excluded.type, provider = excluded.provider, encrypted_data = excluded.encrypted_data, salt = excluded.salt, iv = excluded.iv, auth_tag = excluded.auth_tag,
-    updated_at = excluded.updated_at, expires_at = excluded.expires_at`;
+  INSERT INTO credentials (name, encrypted_data, salt, iv, auth_tag, created_at, updated_at)
+  VALUES (?, ?, ?, ?, ?, ?, ?)
+  ON CONFLICT(name) DO UPDATE SET
+    encrypted_data = excluded.encrypted_data, salt = excluded.salt, iv = excluded.iv, auth_tag = excluded.auth_tag,
+    updated_at = excluded.updated_at
+  RETURNING created_at, updated_at`;
+export const UPDATE_CREDENTIAL_IF_UPDATED_AT_MATCHES = `
+  UPDATE credentials
+  SET encrypted_data = ?, salt = ?, iv = ?, auth_tag = ?, updated_at = ?
+  WHERE name = ? AND updated_at = ?`;
 export const SELECT_CREDENTIAL = `
-  SELECT agent, name, type, provider, encrypted_data, salt, iv, auth_tag, created_at, updated_at, expires_at
-  FROM credentials WHERE agent = ? AND name = ?`;
+  SELECT name, encrypted_data, salt, iv, auth_tag, created_at, updated_at
+  FROM credentials WHERE name = ?`;
 export const SELECT_ALL_METADATA = `
-  SELECT agent, name, type, provider, created_at, updated_at, expires_at
-  FROM credentials ORDER BY agent, name`;
+  SELECT name, created_at, updated_at
+  FROM credentials ORDER BY name`;
+export const SELECT_METADATA_PAGINATED = `
+  SELECT name, created_at, updated_at
+  FROM credentials
+  WHERE name > ?
+  ORDER BY name
+  LIMIT ?`;
+export const SELECT_METADATA_FIRST_PAGE = `
+  SELECT name, created_at, updated_at
+  FROM credentials
+  ORDER BY name
+  LIMIT ?`;
 export const DELETE_CREDENTIAL = `
-  DELETE FROM credentials WHERE agent = ? AND name = ?`;
-export const UPDATE_EXPIRES_AT = `
-  UPDATE credentials SET expires_at = ?, updated_at = ? WHERE agent = ? AND name = ?`;
+  DELETE FROM credentials WHERE name = ?`;

package/dist/db/repositories/credentials.d.ts

@@ -1,32 +1,49 @@
 /**
  * Credentials repository.
  *
- * Manages encrypted credential storage.
+ * Manages encrypted credential storage with name-only keys.
+ * Credentials are fully opaque blobs.
  */
 import type Database from "better-sqlite3";
-import type { CredentialType } from "axshared";
 import { type CredentialMetadata, type CredentialRecord } from "./parse-credential-row.js";
-/** Store or update a credential */
+/** Timestamps returned after storing a credential */
+interface UpsertTimestamps {
+    createdAt: Date;
+    updatedAt: Date;
+}
+/** Store or update a credential, returning the resulting timestamps */
 declare function upsertCredential(database: Database.Database, credential: {
-    agent: string;
     name: string;
-    type: CredentialType;
-    provider?: string;
     encryptedData: Buffer;
     salt: Buffer;
     iv: Buffer;
     authTag: Buffer;
-    expiresAt?: Date;
-}): void;
-/** Get a credential by agent and name */
-declare function getCredential(database: Database.Database, agent: string, name: string): CredentialRecord | undefined;
+}): UpsertTimestamps;
+/**
+ * Update a credential only if its updated_at matches the expected value.
+ *
+ * Used to avoid overwriting concurrent PUT/DELETE changes when performing
+ * background refreshes during GET.
+ */
+declare function updateCredentialIfUnchanged(database: Database.Database, credential: {
+    name: string;
+    encryptedData: Buffer;
+    salt: Buffer;
+    iv: Buffer;
+    authTag: Buffer;
+    expectedUpdatedAt: Date;
+}): {
+    updated: boolean;
+    updatedAt: Date;
+};
+/** Get a credential by name */
+declare function getCredential(database: Database.Database, name: string): CredentialRecord | undefined;
 /** List all credentials (metadata only) */
 declare function listCredentials(database: Database.Database): CredentialMetadata[];
 /** List credentials accessible by an API key's read access list */
 declare function listCredentialsForApiKey(database: Database.Database, readAccess: string[]): CredentialMetadata[];
 /** Delete a credential */
-declare function deleteCredential(database: Database.Database, agent: string, name: string): boolean;
-/** Update expiration time after refresh */
-declare function updateExpiresAt(database: Database.Database, agent: string, name: string, expiresAt: Date | undefined): void;
-export { deleteCredential, getCredential, listCredentials, listCredentialsForApiKey, updateExpiresAt, upsertCredential, };
+declare function deleteCredential(database: Database.Database, name: string): boolean;
+export { deleteCredential, getCredential, listCredentials, listCredentialsForApiKey, updateCredentialIfUnchanged, upsertCredential, };
+export { listCredentialsPaginated } from "./list-credentials-paginated.js";
 export type { CredentialMetadata, CredentialRecord, } from "./parse-credential-row.js";

package/dist/db/repositories/credentials.js

@@ -1,24 +1,38 @@
 /**
  * Credentials repository.
  *
- * Manages encrypted credential storage.
+ * Manages encrypted credential storage with name-only keys.
+ * Credentials are fully opaque blobs.
  */
 import * as SQL from "./credentials-queries.js";
 import { rowToMetadata, rowToRecord, } from "./parse-credential-row.js";
-/** Store or update a credential */
+/** Store or update a credential, returning the resulting timestamps */
 function upsertCredential(database, credential) {
     const now = Date.now();
-    // eslint-disable-next-line unicorn/no-null -- SQLite requires null for NULL values
-    const expiresAt = credential.expiresAt?.getTime() ?? null;
-    // eslint-disable-next-line unicorn/no-null -- SQLite requires null for NULL values
-    const provider = credential.provider ?? null;
-    database
+    const row = database
         .prepare(SQL.UPSERT_CREDENTIAL)
-        .run(credential.agent, credential.name, credential.type, provider, credential.encryptedData, credential.salt, credential.iv, credential.authTag, now, now, expiresAt);
+        .get(credential.name, credential.encryptedData, credential.salt, credential.iv, credential.authTag, now, now);
+    return {
+        createdAt: new Date(row.created_at),
+        updatedAt: new Date(row.updated_at),
+    };
 }
-/** Get a credential by agent and name */
-function getCredential(database, agent, name) {
-    const row = database.prepare(SQL.SELECT_CREDENTIAL).get(agent, name);
+/**
+ * Update a credential only if its updated_at matches the expected value.
+ *
+ * Used to avoid overwriting concurrent PUT/DELETE changes when performing
+ * background refreshes during GET.
+ */
+function updateCredentialIfUnchanged(database, credential) {
+    const now = Date.now();
+    const changes = database
+        .prepare(SQL.UPDATE_CREDENTIAL_IF_UPDATED_AT_MATCHES)
+        .run(credential.encryptedData, credential.salt, credential.iv, credential.authTag, now, credential.name, credential.expectedUpdatedAt.getTime()).changes;
+    return { updated: changes > 0, updatedAt: new Date(now) };
+}
+/** Get a credential by name */
+function getCredential(database, name) {
+    const row = database.prepare(SQL.SELECT_CREDENTIAL).get(name);
     return row ? rowToRecord(row) : undefined;
 }
 /** List all credentials (metadata only) */
@@ -30,16 +44,20 @@ function listCredentials(database) {
 function listCredentialsForApiKey(database, readAccess) {
     if (readAccess.includes("*"))
         return listCredentials(database);
-    return listCredentials(database).filter((cred) => readAccess.includes(`${cred.agent}/${cred.name}`));
+    if (readAccess.length === 0)
+        return [];
+    const placeholders = readAccess.map(() => "?").join(", ");
+    const sql = `
+    SELECT name, created_at, updated_at
+    FROM credentials
+    WHERE name IN (${placeholders})
+    ORDER BY name`;
+    const rows = database.prepare(sql).all(...readAccess);
+    return rows.map((row) => rowToMetadata(row));
 }
 /** Delete a credential */
-function deleteCredential(database, agent, name) {
-    return database.prepare(SQL.DELETE_CREDENTIAL).run(agent, name).changes > 0;
-}
-/** Update expiration time after refresh */
-function updateExpiresAt(database, agent, name, expiresAt) {
-    // eslint-disable-next-line unicorn/no-null -- SQLite requires null for NULL values
-    const expires = expiresAt?.getTime() ?? null;
-    database.prepare(SQL.UPDATE_EXPIRES_AT).run(expires, Date.now(), agent, name);
+function deleteCredential(database, name) {
+    return database.prepare(SQL.DELETE_CREDENTIAL).run(name).changes > 0;
 }
-export { deleteCredential, getCredential, listCredentials, listCredentialsForApiKey, updateExpiresAt, upsertCredential, };
+export { deleteCredential, getCredential, listCredentials, listCredentialsForApiKey, updateCredentialIfUnchanged, upsertCredential, };
+export { listCredentialsPaginated } from "./list-credentials-paginated.js";

package/dist/db/repositories/list-credentials-paginated.d.ts

@@ -0,0 +1,26 @@
+/**
+ * Paginated credential listing with SQL-level filtering.
+ *
+ * Both wildcard and specific access lists use SQL-level pagination,
+ * avoiding full table scans of the credentials table.
+ */
+import type Database from "better-sqlite3";
+import { type CredentialMetadata } from "./parse-credential-row.js";
+/** Pagination options for listing credentials */
+interface PaginationOptions {
+    cursor: string | undefined;
+    limit: number;
+}
+/** Paginated result with optional next cursor */
+interface PaginatedResult {
+    credentials: CredentialMetadata[];
+    nextCursor: string | undefined;
+}
+/**
+ * List credentials with cursor-based pagination.
+ *
+ * Fetches limit+1 rows to detect whether more results exist.
+ * Both wildcard and specific access lists use SQL-level pagination.
+ */
+declare function listCredentialsPaginated(database: Database.Database, readAccess: string[], options: PaginationOptions): PaginatedResult;
+export { listCredentialsPaginated };

package/dist/db/repositories/list-credentials-paginated.js

@@ -0,0 +1,69 @@
+/**
+ * Paginated credential listing with SQL-level filtering.
+ *
+ * Both wildcard and specific access lists use SQL-level pagination,
+ * avoiding full table scans of the credentials table.
+ */
+import * as SQL from "./credentials-queries.js";
+import { rowToMetadata, } from "./parse-credential-row.js";
+/**
+ * Build a parameterized query for fetching metadata filtered by an IN clause.
+ *
+ * Generates `WHERE name IN (?, ?, ...)` with optional cursor and limit.
+ * All filtering and pagination happen in SQL — no full table scan needed.
+ */
+function buildFilteredQuery(names, cursor, limit) {
+    const placeholders = names.map(() => "?").join(", ");
+    const cursorClause = cursor ? " AND name > ?" : "";
+    const sql = `
+    SELECT name, created_at, updated_at
+    FROM credentials
+    WHERE name IN (${placeholders})${cursorClause}
+    ORDER BY name
+    LIMIT ?`;
+    const parameters = [...names];
+    if (cursor)
+        parameters.push(cursor);
+    parameters.push(limit);
+    return { sql, parameters };
+}
+/** Extract pagination result from a limit+1 fetch */
+function paginateResults(rows, limit) {
+    if (rows.length > limit) {
+        const credentials = rows.slice(0, limit);
+        const lastCredential = credentials.at(-1);
+        return {
+            credentials,
+            nextCursor: lastCredential?.name,
+        };
+    }
+    return { credentials: rows, nextCursor: undefined };
+}
+/**
+ * List credentials with cursor-based pagination.
+ *
+ * Fetches limit+1 rows to detect whether more results exist.
+ * Both wildcard and specific access lists use SQL-level pagination.
+ */
+function listCredentialsPaginated(database, readAccess, options) {
+    const fetchLimit = options.limit + 1;
+    if (readAccess.includes("*")) {
+        const rows = options.cursor
+            ? database
+                .prepare(SQL.SELECT_METADATA_PAGINATED)
+                .all(options.cursor, fetchLimit)
+            : database
+                .prepare(SQL.SELECT_METADATA_FIRST_PAGE)
+                .all(fetchLimit);
+        const credentials = rows.map((row) => rowToMetadata(row));
+        return paginateResults(credentials, options.limit);
+    }
+    if (readAccess.length === 0) {
+        return { credentials: [], nextCursor: undefined };
+    }
+    const { sql, parameters } = buildFilteredQuery(readAccess, options.cursor, fetchLimit);
+    const rows = database.prepare(sql).all(...parameters);
+    const credentials = rows.map((row) => rowToMetadata(row));
+    return paginateResults(credentials, options.limit);
+}
+export { listCredentialsPaginated };

package/dist/db/repositories/parse-credential-row.d.ts

@@ -1,31 +1,24 @@
 /**
  * Pure functions for parsing credential database rows.
+ *
+ * Credentials are fully opaque blobs - we don't inspect their structure.
  */
-import { CredentialType } from "axshared";
 import type { CredentialRow, MetadataRow } from "../types.js";
 /** Credential record stored in database */
 interface CredentialRecord {
-    agent: string;
     name: string;
-    type: CredentialType;
-    provider: string | undefined;
     encryptedData: Buffer;
     salt: Buffer;
     iv: Buffer;
     authTag: Buffer;
     createdAt: Date;
     updatedAt: Date;
-    expiresAt: Date | undefined;
 }
 /** Credential metadata (without encrypted data) */
 interface CredentialMetadata {
-    agent: string;
     name: string;
-    type: CredentialType;
-    provider: string | undefined;
     createdAt: Date;
     updatedAt: Date;
-    expiresAt: Date | undefined;
 }
 /** Convert database row to record */
 declare function rowToRecord(row: CredentialRow): CredentialRecord;