npm - axvault - Versions diffs - 1.8.0 → 1.8.2 - Mend

axvault 1.8.0 → 1.8.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (48) hide show

package/README.md +120 -36
package/dist/cli.js +7 -7
package/dist/commands/credential.d.ts +1 -1
package/dist/commands/credential.js +26 -32
package/dist/commands/init.js +12 -11
package/dist/commands/serve.js +1 -0
package/dist/db/migrations.d.ts +3 -2
package/dist/db/migrations.js +25 -120
package/dist/db/repositories/api-key-utilities.d.ts +3 -3
package/dist/db/repositories/api-key-utilities.js +9 -10
package/dist/db/repositories/audit-log.d.ts +3 -5
package/dist/db/repositories/audit-log.js +7 -8
package/dist/db/repositories/credentials-queries.d.ts +9 -5
package/dist/db/repositories/credentials-queries.js +28 -12
package/dist/db/repositories/credentials.d.ts +31 -14
package/dist/db/repositories/credentials.js +39 -21
package/dist/db/repositories/list-credentials-paginated.d.ts +26 -0
package/dist/db/repositories/list-credentials-paginated.js +69 -0
package/dist/db/repositories/parse-credential-row.d.ts +2 -9
package/dist/db/repositories/parse-credential-row.js +2 -17
package/dist/db/types.d.ts +3 -12
package/dist/db/types.js +1 -1
package/dist/handlers/delete-credential.d.ts +2 -3
package/dist/handlers/delete-credential.js +8 -11
package/dist/handlers/get-credential.d.ts +6 -3
package/dist/handlers/get-credential.js +35 -78
package/dist/handlers/list-credentials.d.ts +19 -3
package/dist/handlers/list-credentials.js +83 -8
package/dist/handlers/put-credential.d.ts +10 -3
package/dist/handlers/put-credential.js +25 -78
package/dist/handlers/refresh-credential-on-read.d.ts +26 -0
package/dist/handlers/refresh-credential-on-read.js +145 -0
package/dist/index.d.ts +1 -1
package/dist/index.js +1 -1
package/dist/lib/credential-name.d.ts +10 -0
package/dist/lib/credential-name.js +12 -0
package/dist/lib/format.d.ts +1 -7
package/dist/lib/format.js +7 -55
package/dist/middleware/validate-parameters.d.ts +3 -3
package/dist/middleware/validate-parameters.js +7 -14
package/dist/server/routes.js +3 -3
package/package.json +9 -9
package/dist/refresh/check-refresh.d.ts +0 -29
package/dist/refresh/check-refresh.js +0 -51
package/dist/refresh/log-refresh.d.ts +0 -17
package/dist/refresh/log-refresh.js +0 -35
package/dist/refresh/refresh-manager.d.ts +0 -54
package/dist/refresh/refresh-manager.js +0 -137

package/dist/handlers/put-credential.js CHANGED Viewed

@@ -1,25 +1,31 @@
 /**
- * PUT /api/v1/credentials/:agent/:name handler.
+ * PUT /api/v1/credentials/:name handler.
+ *
+ * Fully opaque: The request body is treated as an opaque blob. axvault does not
+ * validate or inspect its structure - that responsibility belongs to axauth.
+ * The blob is encrypted and stored as-is.
  */
-import { CredentialType, } from "axshared";
 import { hasWriteAccess } from "../db/repositories/api-keys.js";
 import { upsertCredential } from "../db/repositories/credentials.js";
 import { logAccess } from "../db/repositories/audit-log.js";
 import { encryptCredential } from "../lib/encryption.js";
 /**
  * Store or update a credential.
+ *
+ * Request body is treated as an opaque blob. axvault does not validate its
+ * structure - the client (via axauth) is responsible for providing a valid
+ * Credentials object. The blob is encrypted and stored as-is.
  */
 function createPutCredentialHandler(database) {
     return (request, response) => {
         const authenticatedRequest = request;
-        const { agent, name } = request.params;
+        const { name } = request.params;
         const { apiKey } = authenticatedRequest;
-        if (!hasWriteAccess(apiKey, agent, name)) {
+        if (!hasWriteAccess(apiKey, name)) {
             logAccess(database, {
                 apiKeyId: apiKey.id,
                 action: "write",
-                agent,
-                name,
+                credentialName: name,
                 success: false,
                 errorMessage: "Access denied",
             });
@@ -27,95 +33,37 @@ function createPutCredentialHandler(database) {
             return;
         }
         const body = request.body;
-        if (!body ||
-            typeof body.data !== "object" ||
-            body.data === null ||
-            Array.isArray(body.data)) {
+        // Minimal validation: body must be a non-null object (the blob)
+        if (typeof body !== "object" || body === null || Array.isArray(body)) {
             logAccess(database, {
                 apiKeyId: apiKey.id,
                 action: "write",
-                agent,
-                name,
+                credentialName: name,
                 success: false,
                 errorMessage: "Invalid request body",
             });
             response
                 .status(400)
-                .json({ error: "Request body must include 'data' object" });
-            return;
-        }
-        const typeResult = CredentialType.safeParse(body.type);
-        if (!typeResult.success) {
-            logAccess(database, {
-                apiKeyId: apiKey.id,
-                action: "write",
-                agent,
-                name,
-                success: false,
-                errorMessage: "Invalid type",
-            });
-            response.status(400).json({
-                error: `Request body must include 'type' (${CredentialType.options.map((t) => `"${t}"`).join(", ")})`,
-            });
+                .json({ error: "Request body must be a JSON object" });
             return;
         }
-        const credentialType = typeResult.data;
-        // Validate provider if present (must be non-empty string)
-        let provider;
-        if (body.provider !== undefined) {
-            if (typeof body.provider !== "string" || body.provider.trim() === "") {
-                logAccess(database, {
-                    apiKeyId: apiKey.id,
-                    action: "write",
-                    agent,
-                    name,
-                    success: false,
-                    errorMessage: "Invalid provider",
-                });
-                response
-                    .status(400)
-                    .json({ error: "Provider must be a non-empty string" });
-                return;
-            }
-            provider = body.provider.trim();
-        }
         try {
-            const encrypted = encryptCredential(body.data);
-            let expiresAt;
-            if (body.expiresAt) {
-                expiresAt = new Date(body.expiresAt);
-                if (Number.isNaN(expiresAt.getTime())) {
-                    logAccess(database, {
-                        apiKeyId: apiKey.id,
-                        action: "write",
-                        agent,
-                        name,
-                        success: false,
-                        errorMessage: "Invalid expiresAt date",
-                    });
-                    response.status(400).json({ error: "Invalid expiresAt date" });
-                    return;
-                }
-            }
-            upsertCredential(database, {
-                agent,
+            // Encrypt the blob as-is (opaque storage)
+            const encrypted = encryptCredential(body);
+            const timestamps = upsertCredential(database, {
                 name,
-                type: credentialType,
-                provider,
                 ...encrypted,
-                expiresAt,
             });
             logAccess(database, {
                 apiKeyId: apiKey.id,
                 action: "write",
-                agent,
-                name,
+                credentialName: name,
                 success: true,
             });
             response.status(201).json({
-                message: "Credential stored",
-                agent,
                 name,
+                createdAt: timestamps.createdAt.toISOString(),
+                updatedAt: timestamps.updatedAt.toISOString(),
             });
         }
         catch (error) {
@@ -123,12 +71,11 @@ function createPutCredentialHandler(database) {
             logAccess(database, {
                 apiKeyId: apiKey.id,
                 action: "write",
-                agent,
-                name,
+                credentialName: name,
                 success: false,
-                errorMessage: `Encryption failed: ${message}`,
+                errorMessage: `Storage failed: ${message}`,
             });
-            response.status(500).json({ error: "Failed to encrypt credential" });
+            response.status(500).json({ error: "Failed to store credential" });
         }
     };
 }

package/dist/handlers/refresh-credential-on-read.d.ts ADDED Viewed

@@ -0,0 +1,26 @@
+/**
+ * Refresh-on-read helper for GET /api/v1/credentials/:name.
+ *
+ * Encapsulates refresh decision logic + per-credential mutex so the handler
+ * stays small enough for static complexity checks (FTA).
+ */
+import type Database from "better-sqlite3";
+type RefreshCredentialOnReadResult = {
+    status: "not-found";
+} | {
+    status: "ok";
+    blob: unknown;
+    updatedAt: Date;
+    wasRefreshed: boolean;
+    refreshFailed: boolean;
+};
+declare function refreshCredentialOnRead(options: {
+    database: Database.Database;
+    apiKeyId: string;
+    name: string;
+    blob: unknown;
+    expectedUpdatedAt: Date;
+    refreshThresholdSeconds: number;
+    refreshTimeoutMs: number;
+}): Promise<RefreshCredentialOnReadResult>;
+export { refreshCredentialOnRead };

package/dist/handlers/refresh-credential-on-read.js ADDED Viewed

@@ -0,0 +1,145 @@
+/**
+ * Refresh-on-read helper for GET /api/v1/credentials/:name.
+ *
+ * Encapsulates refresh decision logic + per-credential mutex so the handler
+ * stays small enough for static complexity checks (FTA).
+ */
+import { isCredentialExpired, isRefreshable, refreshBlob, } from "axauth";
+import { isRefreshableCredentialType, parseCredentials } from "axshared";
+import { getCredential, updateCredentialIfUnchanged, } from "../db/repositories/credentials.js";
+import { logAccess } from "../db/repositories/audit-log.js";
+import { decryptCredential, encryptCredential } from "../lib/encryption.js";
+/** Per-credential mutex to prevent concurrent refreshes */
+const pendingRefreshes = new Map();
+function getRefreshPromise(name, blob, refreshTimeoutMs) {
+    const existing = pendingRefreshes.get(name);
+    if (existing)
+        return existing;
+    const promise = refreshBlob(blob, { timeout: refreshTimeoutMs });
+    pendingRefreshes.set(name, promise);
+    void promise.finally(() => {
+        if (pendingRefreshes.get(name) === promise) {
+            pendingRefreshes.delete(name);
+        }
+    });
+    return promise;
+}
+async function refreshCredentialOnRead(options) {
+    if (options.refreshThresholdSeconds <= 0) {
+        return {
+            status: "ok",
+            blob: options.blob,
+            updatedAt: options.expectedUpdatedAt,
+            wasRefreshed: false,
+            refreshFailed: false,
+        };
+    }
+    const parsedCredentials = parseCredentials(options.blob);
+    if (parsedCredentials === undefined ||
+        !isRefreshableCredentialType(parsedCredentials.type) ||
+        !isRefreshable(parsedCredentials.data) ||
+        isCredentialExpired(parsedCredentials.data, options.refreshThresholdSeconds) !== true) {
+        return {
+            status: "ok",
+            blob: options.blob,
+            updatedAt: options.expectedUpdatedAt,
+            wasRefreshed: false,
+            refreshFailed: false,
+        };
+    }
+    try {
+        const refreshResult = await getRefreshPromise(options.name, options.blob, options.refreshTimeoutMs);
+        if (refreshResult.ok) {
+            const encrypted = encryptCredential(refreshResult.blob);
+            const updateResult = updateCredentialIfUnchanged(options.database, {
+                name: options.name,
+                ...encrypted,
+                expectedUpdatedAt: options.expectedUpdatedAt,
+            });
+            if (updateResult.updated) {
+                logAccess(options.database, {
+                    apiKeyId: options.apiKeyId,
+                    action: "refresh",
+                    credentialName: options.name,
+                    success: true,
+                });
+                return {
+                    status: "ok",
+                    blob: refreshResult.blob,
+                    updatedAt: updateResult.updatedAt,
+                    wasRefreshed: true,
+                    refreshFailed: false,
+                };
+            }
+            const currentCredential = getCredential(options.database, options.name);
+            if (!currentCredential) {
+                logAccess(options.database, {
+                    apiKeyId: options.apiKeyId,
+                    action: "read",
+                    credentialName: options.name,
+                    success: false,
+                    errorMessage: "Credential deleted during refresh",
+                });
+                return { status: "not-found" };
+            }
+            logAccess(options.database, {
+                apiKeyId: options.apiKeyId,
+                action: "refresh",
+                credentialName: options.name,
+                success: false,
+                errorMessage: "Credential changed during refresh; skipped persist",
+            });
+            return {
+                status: "ok",
+                blob: decryptCredential(currentCredential),
+                updatedAt: currentCredential.updatedAt,
+                wasRefreshed: false,
+                refreshFailed: false,
+            };
+        }
+        const currentCredential = getCredential(options.database, options.name);
+        if (!currentCredential) {
+            logAccess(options.database, {
+                apiKeyId: options.apiKeyId,
+                action: "read",
+                credentialName: options.name,
+                success: false,
+                errorMessage: "Credential deleted during refresh",
+            });
+            return { status: "not-found" };
+        }
+        let finalBlob = options.blob;
+        let finalUpdatedAt = options.expectedUpdatedAt;
+        if (currentCredential.updatedAt.getTime() !==
+            options.expectedUpdatedAt.getTime()) {
+            finalBlob = decryptCredential(currentCredential);
+            finalUpdatedAt = currentCredential.updatedAt;
+        }
+        logAccess(options.database, {
+            apiKeyId: options.apiKeyId,
+            action: "refresh",
+            credentialName: options.name,
+            success: false,
+            errorMessage: refreshResult.error,
+        });
+        return {
+            status: "ok",
+            blob: finalBlob,
+            updatedAt: finalUpdatedAt,
+            wasRefreshed: false,
+            refreshFailed: true,
+        };
+    }
+    catch (error) {
+        pendingRefreshes.delete(options.name);
+        console.error(`Unexpected refresh error for ${options.name}:`, error instanceof Error ? error.message : error);
+        return {
+            status: "ok",
+            blob: options.blob,
+            updatedAt: options.expectedUpdatedAt,
+            wasRefreshed: false,
+            refreshFailed: true,
+        };
+    }
+}
+export { refreshCredentialOnRead };

package/dist/index.d.ts CHANGED Viewed

@@ -15,4 +15,4 @@ export { createApiKey, deleteApiKey, findApiKeyById, findApiKeyByKey, hasReadAcc
 export type { AuditLogEntry } from "./db/repositories/audit-log.js";
 export { getLogsForCredential, getRecentLogs, logAccess, pruneOldLogs, } from "./db/repositories/audit-log.js";
 export type { CredentialMetadata, CredentialRecord, } from "./db/repositories/credentials.js";
-export { deleteCredential, getCredential, listCredentials, listCredentialsForApiKey, updateExpiresAt, upsertCredential, } from "./db/repositories/credentials.js";
+export { deleteCredential, getCredential, listCredentials, listCredentialsForApiKey, listCredentialsPaginated, upsertCredential, } from "./db/repositories/credentials.js";

package/dist/index.js CHANGED Viewed

@@ -11,4 +11,4 @@ export { closeDatabase, getDatabase, isDatabaseConnected, } from "./db/client.js
 export { CURRENT_VERSION, getSchemaVersion, runMigrations, } from "./db/migrations.js";
 export { createApiKey, deleteApiKey, findApiKeyById, findApiKeyByKey, hasReadAccess, hasWriteAccess, listApiKeys, updateLastUsed, } from "./db/repositories/api-keys.js";
 export { getLogsForCredential, getRecentLogs, logAccess, pruneOldLogs, } from "./db/repositories/audit-log.js";
-export { deleteCredential, getCredential, listCredentials, listCredentialsForApiKey, updateExpiresAt, upsertCredential, } from "./db/repositories/credentials.js";
+export { deleteCredential, getCredential, listCredentials, listCredentialsForApiKey, listCredentialsPaginated, upsertCredential, } from "./db/repositories/credentials.js";

package/dist/lib/credential-name.d.ts ADDED Viewed

@@ -0,0 +1,10 @@
+/**
+ * Shared credential name validation.
+ *
+ * Used by both HTTP routes and CLI utilities to keep rules consistent.
+ */
+/** Valid pattern for credential names (and access list entries). */
+declare const CREDENTIAL_NAME_PATTERN: RegExp;
+declare const CREDENTIAL_NAME_FORMAT_DESCRIPTION = "1-128 characters: letters, numbers, dots, hyphens, underscores";
+declare function isValidCredentialName(name: string): boolean;
+export { CREDENTIAL_NAME_FORMAT_DESCRIPTION, CREDENTIAL_NAME_PATTERN, isValidCredentialName, };

package/dist/lib/credential-name.js ADDED Viewed

@@ -0,0 +1,12 @@
+/**
+ * Shared credential name validation.
+ *
+ * Used by both HTTP routes and CLI utilities to keep rules consistent.
+ */
+/** Valid pattern for credential names (and access list entries). */
+const CREDENTIAL_NAME_PATTERN = /^[\w.-]{1,128}$/u;
+const CREDENTIAL_NAME_FORMAT_DESCRIPTION = "1-128 characters: letters, numbers, dots, hyphens, underscores";
+function isValidCredentialName(name) {
+    return CREDENTIAL_NAME_PATTERN.test(name);
+}
+export { CREDENTIAL_NAME_FORMAT_DESCRIPTION, CREDENTIAL_NAME_PATTERN, isValidCredentialName, };

package/dist/lib/format.d.ts CHANGED Viewed

@@ -19,8 +19,7 @@ export declare function sanitizeForTsv(value: string): string;
  *
  * This helper is intended for past events (e.g., "last updated"), so future
  * dates are treated as unexpected and return the generic string "in the future"
- * instead of using granular units. For precise future-oriented formatting
- * (e.g., "in 2h", "in 3d"), use {@link formatExpiresAt}.
+ * instead of using granular units.
  */
 export declare function formatRelativeTime(date: Date | undefined): string;
 /**
@@ -87,8 +86,3 @@ export declare function formatDateForJson(date: Date | undefined): string | null
  * Returns the error's message if it's an Error, otherwise stringifies it.
  */
 export declare function getErrorMessage(error: unknown): string;
-/**
- * Format expiration time relative to now.
- * Returns "(never)" for no expiration, or relative time like "in 2h", "expired 5m ago".
- */
-export declare function formatExpiresAt(date: Date | undefined): string;

package/dist/lib/format.js CHANGED Viewed

@@ -1,6 +1,7 @@
 /**
  * Shared formatting utilities for CLI output.
  */
+import { CREDENTIAL_NAME_FORMAT_DESCRIPTION, CREDENTIAL_NAME_PATTERN, } from "./credential-name.js";
 /**
  * Strip control characters and ANSI escape sequences to prevent terminal
  * injection and preserve TSV structure.
@@ -30,8 +31,7 @@ export function sanitizeForTsv(value) {
  *
  * This helper is intended for past events (e.g., "last updated"), so future
  * dates are treated as unexpected and return the generic string "in the future"
- * instead of using granular units. For precise future-oriented formatting
- * (e.g., "in 2h", "in 3d"), use {@link formatExpiresAt}.
+ * instead of using granular units.
  */
 export function formatRelativeTime(date) {
     if (!date)
@@ -92,24 +92,15 @@ export function formatKeyRow(key) {
  * Validate access list entry format.
  * Valid formats:
  * - "*" (full wildcard granting access to all credentials)
- * - "agent/name" (exactly one slash, both parts non-empty, no wildcards)
+ * - "name" (1-128 characters: letters, numbers, dots, hyphens, underscores)
  *
- * Partial wildcards like "claude/*" are rejected because the authorization
+ * Partial wildcards like "claude.*" are rejected because the authorization
  * logic uses exact matching, not pattern matching.
  */
 function isValidAccessEntry(entry) {
     if (entry === "*")
         return true;
-    const parts = entry.split("/");
-    const agent = parts[0];
-    const name = parts[1];
-    return (parts.length === 2 &&
-        agent !== undefined &&
-        agent.length > 0 &&
-        !agent.includes("*") &&
-        name !== undefined &&
-        name.length > 0 &&
-        !name.includes("*"));
+    return CREDENTIAL_NAME_PATTERN.test(entry);
 }
 /**
  * Parse comma-separated access list into array of entries.
@@ -132,7 +123,7 @@ export function parseAccessList(value) {
     const entries = rawEntries
         .map((item) => item.trim())
         .filter((item) => item.length > 0);
-    // Validate entry format: must be "*" or "agent/name"
+    // Validate entry format: must be "*" or "name"
     if (!entries.every((entry) => isValidAccessEntry(entry))) {
         return { error: "invalid-format" };
     }
@@ -145,7 +136,7 @@ export function getAccessListErrorMessage(error) {
     if (error === "control-chars") {
         return "Access list contains control characters.";
     }
-    return 'Invalid access list entry format. Entries must be "*" or "agent/name" (e.g., claude/work).';
+    return `Invalid access list entry format. Entries must be "*" or a credential name (${CREDENTIAL_NAME_FORMAT_DESCRIPTION}).`;
 }
 /**
  * Normalize access list by collapsing to ['*'] if wildcard is present with other entries.
@@ -186,42 +177,3 @@ export function formatDateForJson(date) {
 export function getErrorMessage(error) {
     return error instanceof Error ? error.message : String(error);
 }
-/**
- * Format expiration time relative to now.
- * Returns "(never)" for no expiration, or relative time like "in 2h", "expired 5m ago".
- */
-export function formatExpiresAt(date) {
-    if (!date)
-        return "(never)";
-    const now = Date.now();
-    const diff = date.getTime() - now;
-    // Already expired
-    if (diff < 0) {
-        const elapsed = Math.abs(diff);
-        const seconds = Math.floor(elapsed / 1000);
-        if (seconds < 60)
-            return "expired just now";
-        const minutes = Math.floor(seconds / 60);
-        if (minutes < 60)
-            return `expired ${minutes}m ago`;
-        const hours = Math.floor(minutes / 60);
-        if (hours < 24)
-            return `expired ${hours}h ago`;
-        const days = Math.floor(hours / 24);
-        return `expired ${days}d ago`;
-    }
-    // Future expiration
-    const seconds = Math.floor(diff / 1000);
-    if (seconds === 0)
-        return "expires soon";
-    if (seconds < 60)
-        return `in ${seconds}s`;
-    const minutes = Math.floor(seconds / 60);
-    if (minutes < 60)
-        return `in ${minutes}m`;
-    const hours = Math.floor(minutes / 60);
-    if (hours < 24)
-        return `in ${hours}h`;
-    const days = Math.floor(hours / 24);
-    return `in ${days}d`;
-}

package/dist/middleware/validate-parameters.d.ts CHANGED Viewed

@@ -1,10 +1,10 @@
 /**
  * Path parameter validation middleware.
  *
- * Validates agent and name parameters to prevent injection attacks
- * and ensure consistent credential naming.
+ * Validates credential name parameter to prevent injection attacks
+ * and ensure consistent naming.
  */
 import type { NextFunction, Request, Response } from "express";
-/** Validate agent and name path parameters */
+/** Validate credential name path parameter */
 declare function validateParameters(request: Request, response: Response, next: NextFunction): void;
 export { validateParameters };

package/dist/middleware/validate-parameters.js CHANGED Viewed

@@ -1,23 +1,16 @@
 /**
  * Path parameter validation middleware.
  *
- * Validates agent and name parameters to prevent injection attacks
- * and ensure consistent credential naming.
+ * Validates credential name parameter to prevent injection attacks
+ * and ensure consistent naming.
  */
-/** Valid pattern for agent and name path segments */
-const VALID_PATH_SEGMENT = /^[\w.-]{1,64}$/u;
-/** Validate agent and name path parameters */
+import { CREDENTIAL_NAME_FORMAT_DESCRIPTION, isValidCredentialName, } from "../lib/credential-name.js";
+/** Validate credential name path parameter */
 function validateParameters(request, response, next) {
-    const { agent, name } = request.params;
-    if (agent !== undefined && !VALID_PATH_SEGMENT.test(agent)) {
+    const { name } = request.params;
+    if (name !== undefined && !isValidCredentialName(name)) {
         response.status(400).json({
-            error: "Invalid agent format. Must be 1-64 characters: letters, numbers, dots, hyphens, underscores.",
-        });
-        return;
-    }
-    if (name !== undefined && !VALID_PATH_SEGMENT.test(name)) {
-        response.status(400).json({
-            error: "Invalid name format. Must be 1-64 characters: letters, numbers, dots, hyphens, underscores.",
+            error: `Invalid name format. Must be ${CREDENTIAL_NAME_FORMAT_DESCRIPTION}.`,
         });
         return;
     }

package/dist/server/routes.js CHANGED Viewed

@@ -29,11 +29,11 @@ export function createCredentialRouter(database, config) {
     // List all accessible credentials
     router.get("/api/v1/credentials", createListCredentialsHandler(database));
     // Get a specific credential (with automatic refresh)
-    router.get("/api/v1/credentials/:agent/:name", validateParameters, createGetCredentialHandler(database, config));
+    router.get("/api/v1/credentials/:name", validateParameters, createGetCredentialHandler(database, config));
     // Store/update a credential
-    router.put("/api/v1/credentials/:agent/:name", validateParameters, createPutCredentialHandler(database));
+    router.put("/api/v1/credentials/:name", validateParameters, createPutCredentialHandler(database));
     // Delete a credential
-    router.delete("/api/v1/credentials/:agent/:name", validateParameters, createDeleteCredentialHandler(database));
+    router.delete("/api/v1/credentials/:name", validateParameters, createDeleteCredentialHandler(database));
     return router;
 }
 /** Create all API routers (legacy compatibility) */

package/package.json CHANGED Viewed

@@ -2,7 +2,7 @@
   "name": "axvault",
   "author": "Łukasz Jerciński",
   "license": "MIT",
-  "version": "1.8.0",
+  "version": "1.8.2",
   "description": "Remote credential storage server for axkit",
   "repository": {
     "type": "git",
@@ -49,8 +49,8 @@
   },
   "dependencies": {
     "@commander-js/extra-typings": "^14.0.0",
-    "axauth": "^2.1.0",
-    "axshared": "2.0.0",
+    "axauth": "^3.1.1",
+    "axshared": "4.0.0",
     "better-sqlite3": "^12.6.2",
     "commander": "^14.0.2",
     "express": "^5.2.1"
@@ -70,7 +70,7 @@
     "automation",
     "coding-assistant"
   ],
-  "packageManager": "pnpm@10.27.0",
+  "packageManager": "pnpm@10.28.1",
   "engines": {
     "node": ">=22.14.0"
   },
@@ -78,16 +78,16 @@
     "@total-typescript/ts-reset": "^0.6.1",
     "@types/better-sqlite3": "^7.6.13",
     "@types/express": "^5.0.6",
-    "@types/node": "^25.0.9",
-    "@vitest/coverage-v8": "^4.0.17",
+    "@types/node": "^25.0.10",
+    "@vitest/coverage-v8": "^4.0.18",
     "eslint": "^9.39.2",
     "eslint-config-axkit": "^1.1.0",
     "fta-check": "^1.5.1",
     "fta-cli": "^3.0.0",
-    "knip": "^5.81.0",
-    "prettier": "3.8.0",
+    "knip": "^5.82.1",
+    "prettier": "3.8.1",
     "semantic-release": "^25.0.2",
     "typescript": "^5.9.3",
-    "vitest": "^4.0.17"
+    "vitest": "^4.0.18"
   }
 }

package/dist/refresh/check-refresh.d.ts DELETED Viewed

@@ -1,29 +0,0 @@
-/**
- * Pure functions for checking if credentials need refresh.
- *
- * Extracted from refresh-manager to reduce complexity.
- */
-import { type Credentials } from "axauth";
-/**
- * Check if credential needs refresh based on expiry.
- *
- * Only returns true if:
- * 1. Credential data is an object with refresh token (required for axauth refresh)
- * 2. Credential has expiry info that is within threshold
- *
- * @param data - Decrypted credential data (accepts unknown for safety)
- * @param thresholdSeconds - Refresh if expires within this many seconds
- * @returns true if refresh needed, false otherwise
- */
-declare function needsRefresh(data: unknown, thresholdSeconds: number): boolean;
-/**
- * Map vault credential data to axauth Credentials type.
- *
- * @param agent - Agent CLI name
- * @param data - Decrypted credential data from vault (must have refresh token)
- * @param provider - Optional provider for multi-provider agents like OpenCode
- * @returns Credentials object for axauth, or undefined if not mappable
- */
-declare function toAxauthCredentials(agent: string, data: Record<string, unknown>, provider?: string): Credentials | undefined;
-export { extractExpiryDate, isRefreshable } from "axauth";
-export { needsRefresh, toAxauthCredentials };