axvault 1.8.0 → 1.8.2

package/dist/refresh/check-refresh.js

@@ -1,51 +0,0 @@
-/**
- * Pure functions for checking if credentials need refresh.
- *
- * Extracted from refresh-manager to reduce complexity.
- */
-import { AGENT_CLIS } from "axshared";
-import { isCredentialExpired, isRefreshable } from "axauth";
-/** Valid agent CLI names - sourced from axshared for consistency */
-const VALID_AGENTS = new Set(AGENT_CLIS);
-/**
- * Check if credential needs refresh based on expiry.
- *
- * Only returns true if:
- * 1. Credential data is an object with refresh token (required for axauth refresh)
- * 2. Credential has expiry info that is within threshold
- *
- * @param data - Decrypted credential data (accepts unknown for safety)
- * @param thresholdSeconds - Refresh if expires within this many seconds
- * @returns true if refresh needed, false otherwise
- */
-function needsRefresh(data, thresholdSeconds) {
-    // Must be an object with refresh token to be refreshable
-    if (!isRefreshable(data))
-        return false;
-    const expired = isCredentialExpired(data, thresholdSeconds);
-    // undefined means no expiry info found - don't refresh
-    return expired === true;
-}
-/**
- * Map vault credential data to axauth Credentials type.
- *
- * @param agent - Agent CLI name
- * @param data - Decrypted credential data from vault (must have refresh token)
- * @param provider - Optional provider for multi-provider agents like OpenCode
- * @returns Credentials object for axauth, or undefined if not mappable
- */
-function toAxauthCredentials(agent, data, provider) {
-    if (!VALID_AGENTS.has(agent)) {
-        return undefined;
-    }
-    // Only OAuth credentials with refresh tokens can be refreshed
-    return {
-        agent: agent,
-        type: "oauth-credentials",
-        ...(provider && { provider }),
-        data,
-    };
-}
-// Re-export from axauth for convenience
-export { extractExpiryDate, isRefreshable } from "axauth";
-export { needsRefresh, toAxauthCredentials };

package/dist/refresh/log-refresh.d.ts

@@ -1,17 +0,0 @@
-/**
- * Logging helpers for refresh operations.
- */
-import type Database from "better-sqlite3";
-interface RefreshLogContext {
-    database: Database.Database;
-    apiKeyId: string;
-    agent: string;
-    name: string;
-}
-/** Log a successful refresh */
-declare function logRefreshSuccess(context: RefreshLogContext): void;
-/** Log a failed refresh (best-effort, ignores logging errors) */
-declare function logRefreshError(context: RefreshLogContext, errorMessage: string): void;
-/** Extract error message from unknown error */
-declare function getErrorMessage(error: unknown): string;
-export { getErrorMessage, logRefreshError, logRefreshSuccess };

package/dist/refresh/log-refresh.js

@@ -1,35 +0,0 @@
-/**
- * Logging helpers for refresh operations.
- */
-import { logAccess } from "../db/repositories/audit-log.js";
-/** Log a successful refresh */
-function logRefreshSuccess(context) {
-    logAccess(context.database, {
-        apiKeyId: context.apiKeyId,
-        action: "refresh",
-        agent: context.agent,
-        name: context.name,
-        success: true,
-    });
-}
-/** Log a failed refresh (best-effort, ignores logging errors) */
-function logRefreshError(context, errorMessage) {
-    try {
-        logAccess(context.database, {
-            apiKeyId: context.apiKeyId,
-            action: "refresh",
-            agent: context.agent,
-            name: context.name,
-            success: false,
-            errorMessage,
-        });
-    }
-    catch {
-        // Ignore logging failures
-    }
-}
-/** Extract error message from unknown error */
-function getErrorMessage(error) {
-    return error instanceof Error ? error.message : String(error);
-}
-export { getErrorMessage, logRefreshError, logRefreshSuccess };

package/dist/refresh/refresh-manager.d.ts

@@ -1,54 +0,0 @@
-/**
- * Refresh manager with per-credential mutex locking.
- *
- * Prevents concurrent refreshes of the same credential and coordinates
- * with axauth's refresh functionality.
- */
-import type Database from "better-sqlite3";
-import type { CredentialType } from "axshared";
-/** Key for credential-specific mutex */
-type CredentialKey = `${string}/${string}`;
-/** Result type for the full refresh operation */
-type FullRefreshResult = {
-    ok: true;
-    data: unknown;
-    expiresAt: Date | undefined;
-    updatedAt: Date;
-} | {
-    ok: false;
-    error: string;
-};
-/** Options for refresh operation */
-interface RefreshManagerOptions {
-    timeoutMs: number;
-}
-/** Build credential key for mutex */
-declare function buildKey(agent: string, name: string): CredentialKey;
-/**
- * Perform refresh with mutex locking.
- *
- * If a refresh is already in progress for this credential, waits for it
- * rather than starting a new one. The mutex covers the FULL operation
- * (refresh + validate + persist), ensuring all callers see the same result.
- *
- * Note: There is a small race window where a request that loaded stale
- * credential data could start a duplicate refresh if it checks the mutex
- * right after the previous refresh completes. This is rare (requires precise
- * timing), harmless (produces correct results), and self-limiting (OAuth
- * providers handle duplicate refreshes). The complexity of cooldown timers
- * or reference counting isn't justified for this edge case.
- *
- * @param database - Database connection
- * @param agent - Agent name
- * @param name - Credential name
- * @param type - Credential type (must be "oauth"; caller must gate on type)
- * @param provider - Optional provider for multi-provider agents like OpenCode
- * @param data - Current decrypted credential data
- * @param apiKeyId - API key ID for audit logging
- * @param originalUpdatedAt - Original updatedAt for optimistic locking
- * @param options - Refresh options
- * @returns Refresh result with new data, expiresAt, updatedAt or error
- */
-declare function refreshWithMutex(database: Database.Database, agent: string, name: string, type: CredentialType, provider: string | undefined, data: Record<string, unknown>, apiKeyId: string, originalUpdatedAt: Date, options: RefreshManagerOptions): Promise<FullRefreshResult>;
-export { extractExpiryDate, isRefreshable, needsRefresh, toAxauthCredentials, } from "./check-refresh.js";
-export { buildKey, refreshWithMutex };

package/dist/refresh/refresh-manager.js

@@ -1,137 +0,0 @@
-/**
- * Refresh manager with per-credential mutex locking.
- *
- * Prevents concurrent refreshes of the same credential and coordinates
- * with axauth's refresh functionality.
- */
-import { refreshCredentials } from "axauth";
-import { getCredential, upsertCredential, } from "../db/repositories/credentials.js";
-import { encryptCredential } from "../lib/encryption.js";
-import { extractExpiryDate, toAxauthCredentials } from "./check-refresh.js";
-import { getErrorMessage, logRefreshError, logRefreshSuccess, } from "./log-refresh.js";
-/** Map of in-progress refreshes to prevent concurrent operations */
-const pendingRefreshes = new Map();
-/** Build credential key for mutex */
-function buildKey(agent, name) {
-    return `${agent}/${name}`;
-}
-/**
- * Execute the full refresh operation: call axauth, validate, persist.
- * This is the inner operation that gets stored in the mutex.
- */
-async function executeRefresh(database, agent, name, type, provider, data, apiKeyId, originalUpdatedAt, refreshStartedAt, options) {
-    const logContext = { database, apiKeyId, agent, name };
-    // Map to axauth format, including provider for multi-provider agents
-    const creds = toAxauthCredentials(agent, data, provider);
-    if (!creds) {
-        return { ok: false, error: `Unknown agent: ${agent}` };
-    }
-    try {
-        const result = await refreshCredentials(creds, {
-            timeout: options.timeoutMs,
-            provider,
-        });
-        if (!result.ok) {
-            logRefreshError(logContext, result.error);
-            return { ok: false, error: result.error };
-        }
-        // Check if credential still exists and wasn't modified during refresh
-        const existingCredential = getCredential(database, agent, name);
-        if (!existingCredential) {
-            logRefreshError(logContext, "Credential was deleted during refresh");
-            return { ok: false, error: "Credential was deleted during refresh" };
-        }
-        // Optimistic locking: abort if credential was modified during refresh
-        if (existingCredential.updatedAt.getTime() !== originalUpdatedAt.getTime()) {
-            logRefreshError(logContext, "Credential was modified during refresh");
-            return { ok: false, error: "Credential was modified during refresh" };
-        }
-        // Persist newly refreshed credentials to database
-        // Merge original data with refreshed data to preserve fields like refresh_token
-        const newData = { ...data, ...result.credentials.data };
-        const encrypted = encryptCredential(newData);
-        const expiresAt = extractExpiryDate(newData);
-        try {
-            upsertCredential(database, {
-                agent,
-                name,
-                type,
-                provider: existingCredential.provider,
-                ...encrypted,
-                expiresAt,
-            });
-            logRefreshSuccess(logContext);
-            return {
-                ok: true,
-                data: newData,
-                expiresAt,
-                updatedAt: refreshStartedAt,
-            };
-        }
-        catch (error) {
-            const message = getErrorMessage(error);
-            logRefreshError(logContext, `Persistence failed: ${message}`);
-            return {
-                ok: false,
-                error: `Failed to persist refreshed credentials: ${message}`,
-            };
-        }
-    }
-    catch (error) {
-        // Handle unexpected errors (e.g., refreshCredentials promise rejection)
-        const message = getErrorMessage(error);
-        logRefreshError(logContext, `Refresh error: ${message}`);
-        return { ok: false, error: `Refresh failed: ${message}` };
-    }
-}
-/**
- * Perform refresh with mutex locking.
- *
- * If a refresh is already in progress for this credential, waits for it
- * rather than starting a new one. The mutex covers the FULL operation
- * (refresh + validate + persist), ensuring all callers see the same result.
- *
- * Note: There is a small race window where a request that loaded stale
- * credential data could start a duplicate refresh if it checks the mutex
- * right after the previous refresh completes. This is rare (requires precise
- * timing), harmless (produces correct results), and self-limiting (OAuth
- * providers handle duplicate refreshes). The complexity of cooldown timers
- * or reference counting isn't justified for this edge case.
- *
- * @param database - Database connection
- * @param agent - Agent name
- * @param name - Credential name
- * @param type - Credential type (must be "oauth"; caller must gate on type)
- * @param provider - Optional provider for multi-provider agents like OpenCode
- * @param data - Current decrypted credential data
- * @param apiKeyId - API key ID for audit logging
- * @param originalUpdatedAt - Original updatedAt for optimistic locking
- * @param options - Refresh options
- * @returns Refresh result with new data, expiresAt, updatedAt or error
- */
-async function refreshWithMutex(database, agent, name, type, provider, data, apiKeyId, originalUpdatedAt, options) {
-    const key = buildKey(agent, name);
-    // Check if refresh already in progress
-    const existing = pendingRefreshes.get(key);
-    if (existing) {
-        // Wait for existing FULL operation to complete
-        // All callers observe the same final success/failure result
-        return existing.promise;
-    }
-    // Start new refresh - store promise for the FULL operation
-    const refreshStartedAt = new Date();
-    const fullOperationPromise = executeRefresh(database, agent, name, type, provider, data, apiKeyId, originalUpdatedAt, refreshStartedAt, options);
-    pendingRefreshes.set(key, {
-        promise: fullOperationPromise,
-        startedAt: refreshStartedAt,
-    });
-    try {
-        return await fullOperationPromise;
-    }
-    finally {
-        // Always clean up mutex
-        pendingRefreshes.delete(key);
-    }
-}
-export { extractExpiryDate, isRefreshable, needsRefresh, toAxauthCredentials, } from "./check-refresh.js";
-export { buildKey, refreshWithMutex };