axvault 1.9.0 → 1.9.2

package/dist/commands/credential.js

@@ -7,14 +7,16 @@ import { runMigrations } from "../db/migrations.js";
 import { deleteCredential, listCredentials, } from "../db/repositories/credentials.js";
 import { containsControlChars, formatRelativeTime, getErrorMessage, sanitizeForTsv, } from "../lib/format.js";
 import { CREDENTIAL_NAME_FORMAT_DESCRIPTION, isValidCredentialName, } from "../lib/credential-name.js";
-/** Print credentials as TSV table (opaque schema - no type/expires columns) */
+/** Print credentials as TSV table */
 function printCredentialTable(credentials) {
-    console.log("NAME\tCREATED\tUPDATED");
+    console.log("NAME\tAGENT\tPROVIDER\tCREATED\tUPDATED");
     for (const cred of credentials) {
         const name = sanitizeForTsv(cred.name);
+        const agent = cred.agent || "";
+        const provider = cred.provider ?? "";
         const created = formatRelativeTime(cred.createdAt);
         const updated = formatRelativeTime(cred.updatedAt);
-        console.log(`${name}\t${created}\t${updated}`);
+        console.log(`${name}\t${agent}\t${provider}\t${created}\t${updated}`);
     }
 }
 /**
@@ -53,9 +55,10 @@ export function handleCredentialList(options) {
         runMigrations(database);
         const credentials = listCredentials(database);
         if (options.json) {
-            // Opaque schema: type/provider/expiresAt not available without decrypting
             const output = credentials.map((cred) => ({
                 name: cred.name,
+                ...(cred.agent !== "" && { agent: cred.agent }),
+                ...(cred.provider !== undefined && { provider: cred.provider }),
                 createdAt: cred.createdAt.toISOString(),
                 updatedAt: cred.updatedAt.toISOString(),
             }));

package/dist/db/migrations.d.ts

@@ -5,7 +5,7 @@
  * Credentials are identified by name only - the blob contains all metadata.
  */
 import type Database from "better-sqlite3";
-declare const CURRENT_VERSION = 1;
+declare const CURRENT_VERSION = 2;
 /** Run all pending migrations */
 declare function runMigrations(database: Database.Database): void;
 /** Get current schema version */

package/dist/db/migrations.js

@@ -4,7 +4,7 @@
  * Simple schema with opaque credential storage.
  * Credentials are identified by name only - the blob contains all metadata.
  */
-const CURRENT_VERSION = 1;
+const CURRENT_VERSION = 2;
 /** Run all pending migrations */
 function runMigrations(database) {
     let version = getSchemaVersion(database);
@@ -17,6 +17,11 @@ function runMigrations(database) {
             version = 1;
             continue;
         }
+        if (version === 1) {
+            migrateToV2(database);
+            version = 2;
+            continue;
+        }
         throw new Error(`Unsupported database schema version v${version} (expected v${CURRENT_VERSION}). Delete the database file to reinitialize.`);
     }
 }
@@ -88,4 +93,24 @@ function migrateToV1(database) {
         setSchemaVersion(database, 1);
     })();
 }
+/**
+ * Migration to version 2: Add agent and provider columns
+ *
+ * Moves routing metadata (agent, provider) from the encrypted blob to
+ * unencrypted columns. This enables refresh-on-read to pass agent/provider
+ * to axauth without parsing the blob, and allows future filtering by agent.
+ *
+ * Existing rows get empty agent (new PUTs populate the column).
+ */
+function migrateToV2(database) {
+    database.transaction(() => {
+        database.exec(`
+      ALTER TABLE credentials ADD COLUMN agent TEXT NOT NULL DEFAULT ''
+    `);
+        database.exec(`
+      ALTER TABLE credentials ADD COLUMN provider TEXT DEFAULT NULL
+    `);
+        setSchemaVersion(database, 2);
+    })();
+}
 export { CURRENT_VERSION, getSchemaVersion, runMigrations };

package/dist/db/repositories/credentials-queries.d.ts

@@ -1,12 +1,10 @@
 /**
  * SQL queries for credentials repository.
- *
- * Name-only primary key, opaque blob storage.
  */
-export declare const UPSERT_CREDENTIAL = "\n  INSERT INTO credentials (name, encrypted_data, salt, iv, auth_tag, created_at, updated_at)\n  VALUES (?, ?, ?, ?, ?, ?, ?)\n  ON CONFLICT(name) DO UPDATE SET\n    encrypted_data = excluded.encrypted_data, salt = excluded.salt, iv = excluded.iv, auth_tag = excluded.auth_tag,\n    updated_at = excluded.updated_at\n  RETURNING created_at, updated_at";
+export declare const UPSERT_CREDENTIAL = "\n  INSERT INTO credentials (name, agent, provider, encrypted_data, salt, iv, auth_tag, created_at, updated_at)\n  VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)\n  ON CONFLICT(name) DO UPDATE SET\n    agent = excluded.agent, provider = excluded.provider,\n    encrypted_data = excluded.encrypted_data, salt = excluded.salt, iv = excluded.iv, auth_tag = excluded.auth_tag,\n    updated_at = excluded.updated_at\n  RETURNING created_at, updated_at";
 export declare const UPDATE_CREDENTIAL_IF_UPDATED_AT_MATCHES = "\n  UPDATE credentials\n  SET encrypted_data = ?, salt = ?, iv = ?, auth_tag = ?, updated_at = ?\n  WHERE name = ? AND updated_at = ?";
-export declare const SELECT_CREDENTIAL = "\n  SELECT name, encrypted_data, salt, iv, auth_tag, created_at, updated_at\n  FROM credentials WHERE name = ?";
-export declare const SELECT_ALL_METADATA = "\n  SELECT name, created_at, updated_at\n  FROM credentials ORDER BY name";
-export declare const SELECT_METADATA_PAGINATED = "\n  SELECT name, created_at, updated_at\n  FROM credentials\n  WHERE name > ?\n  ORDER BY name\n  LIMIT ?";
-export declare const SELECT_METADATA_FIRST_PAGE = "\n  SELECT name, created_at, updated_at\n  FROM credentials\n  ORDER BY name\n  LIMIT ?";
+export declare const SELECT_CREDENTIAL = "\n  SELECT name, agent, provider, encrypted_data, salt, iv, auth_tag, created_at, updated_at\n  FROM credentials WHERE name = ?";
+export declare const SELECT_ALL_METADATA = "\n  SELECT name, agent, provider, created_at, updated_at\n  FROM credentials ORDER BY name";
+export declare const SELECT_METADATA_PAGINATED = "\n  SELECT name, agent, provider, created_at, updated_at\n  FROM credentials\n  WHERE name > ?\n  ORDER BY name\n  LIMIT ?";
+export declare const SELECT_METADATA_FIRST_PAGE = "\n  SELECT name, agent, provider, created_at, updated_at\n  FROM credentials\n  ORDER BY name\n  LIMIT ?";
 export declare const DELETE_CREDENTIAL = "\n  DELETE FROM credentials WHERE name = ?";

package/dist/db/repositories/credentials-queries.js

@@ -1,12 +1,11 @@
 /**
  * SQL queries for credentials repository.
- *
- * Name-only primary key, opaque blob storage.
  */
 export const UPSERT_CREDENTIAL = `
-  INSERT INTO credentials (name, encrypted_data, salt, iv, auth_tag, created_at, updated_at)
-  VALUES (?, ?, ?, ?, ?, ?, ?)
+  INSERT INTO credentials (name, agent, provider, encrypted_data, salt, iv, auth_tag, created_at, updated_at)
+  VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
   ON CONFLICT(name) DO UPDATE SET
+    agent = excluded.agent, provider = excluded.provider,
     encrypted_data = excluded.encrypted_data, salt = excluded.salt, iv = excluded.iv, auth_tag = excluded.auth_tag,
     updated_at = excluded.updated_at
   RETURNING created_at, updated_at`;
@@ -15,19 +14,19 @@ export const UPDATE_CREDENTIAL_IF_UPDATED_AT_MATCHES = `
   SET encrypted_data = ?, salt = ?, iv = ?, auth_tag = ?, updated_at = ?
   WHERE name = ? AND updated_at = ?`;
 export const SELECT_CREDENTIAL = `
-  SELECT name, encrypted_data, salt, iv, auth_tag, created_at, updated_at
+  SELECT name, agent, provider, encrypted_data, salt, iv, auth_tag, created_at, updated_at
   FROM credentials WHERE name = ?`;
 export const SELECT_ALL_METADATA = `
-  SELECT name, created_at, updated_at
+  SELECT name, agent, provider, created_at, updated_at
   FROM credentials ORDER BY name`;
 export const SELECT_METADATA_PAGINATED = `
-  SELECT name, created_at, updated_at
+  SELECT name, agent, provider, created_at, updated_at
   FROM credentials
   WHERE name > ?
   ORDER BY name
   LIMIT ?`;
 export const SELECT_METADATA_FIRST_PAGE = `
-  SELECT name, created_at, updated_at
+  SELECT name, agent, provider, created_at, updated_at
   FROM credentials
   ORDER BY name
   LIMIT ?`;

package/dist/db/repositories/credentials.d.ts

@@ -14,6 +14,8 @@ interface UpsertTimestamps {
 /** Store or update a credential, returning the resulting timestamps */
 declare function upsertCredential(database: Database.Database, credential: {
     name: string;
+    agent: string;
+    provider: string | undefined;
     encryptedData: Buffer;
     salt: Buffer;
     iv: Buffer;

package/dist/db/repositories/credentials.js

@@ -11,7 +11,7 @@ function upsertCredential(database, credential) {
     const now = Date.now();
     const row = database
         .prepare(SQL.UPSERT_CREDENTIAL)
-        .get(credential.name, credential.encryptedData, credential.salt, credential.iv, credential.authTag, now, now);
+        .get(credential.name, credential.agent, credential.provider ?? undefined, credential.encryptedData, credential.salt, credential.iv, credential.authTag, now, now);
     return {
         createdAt: new Date(row.created_at),
         updatedAt: new Date(row.updated_at),

package/dist/db/repositories/list-credentials-paginated.js

@@ -16,7 +16,7 @@ function buildFilteredQuery(names, cursor, limit) {
     const placeholders = names.map(() => "?").join(", ");
     const cursorClause = cursor ? " AND name > ?" : "";
     const sql = `
-    SELECT name, created_at, updated_at
+    SELECT name, agent, provider, created_at, updated_at
     FROM credentials
     WHERE name IN (${placeholders})${cursorClause}
     ORDER BY name

package/dist/db/repositories/parse-credential-row.d.ts

@@ -7,6 +7,8 @@ import type { CredentialRow, MetadataRow } from "../types.js";
 /** Credential record stored in database */
 interface CredentialRecord {
     name: string;
+    agent: string;
+    provider: string | undefined;
     encryptedData: Buffer;
     salt: Buffer;
     iv: Buffer;
@@ -17,6 +19,8 @@ interface CredentialRecord {
 /** Credential metadata (without encrypted data) */
 interface CredentialMetadata {
     name: string;
+    agent: string;
+    provider: string | undefined;
     createdAt: Date;
     updatedAt: Date;
 }

package/dist/db/repositories/parse-credential-row.js

@@ -7,6 +7,8 @@
 function rowToRecord(row) {
     return {
         name: row.name,
+        agent: row.agent,
+        provider: row.provider ?? undefined,
         encryptedData: row.encrypted_data,
         salt: row.salt,
         iv: row.iv,
@@ -19,6 +21,8 @@ function rowToRecord(row) {
 function rowToMetadata(row) {
     return {
         name: row.name,
+        agent: row.agent,
+        provider: row.provider ?? undefined,
         createdAt: new Date(row.created_at),
         updatedAt: new Date(row.updated_at),
     };

package/dist/db/types.d.ts

@@ -23,9 +23,11 @@ export interface AuditLogRow {
     success: number;
     error_message: string | null;
 }
-/** Raw credential row from database (opaque blob storage) */
+/** Raw credential row from database */
 export interface CredentialRow {
     name: string;
+    agent: string;
+    provider: string | null;
     encrypted_data: Buffer;
     salt: Buffer;
     iv: Buffer;
@@ -36,6 +38,8 @@ export interface CredentialRow {
 /** Raw credential metadata row from database */
 export interface MetadataRow {
     name: string;
+    agent: string;
+    provider: string | null;
     created_at: number;
     updated_at: number;
 }

package/dist/handlers/get-credential.js

@@ -67,6 +67,8 @@ function createGetCredentialHandler(database, config) {
             apiKeyId: apiKey.id,
             name,
             blob,
+            agent: credential.agent,
+            provider: credential.provider,
             expectedUpdatedAt: credential.updatedAt,
             refreshThresholdSeconds: config.refreshThresholdSeconds,
             refreshTimeoutMs: config.refreshTimeoutMs,
@@ -94,9 +96,13 @@ function createGetCredentialHandler(database, config) {
         if (refreshFailed) {
             response.setHeader("X-Axvault-Refresh-Failed", "true");
         }
-        // Return the blob as-is (opaque to axvault)
+        // Return the blob along with routing metadata from columns
         response.json({
             name,
+            ...(credential.agent !== "" && { agent: credential.agent }),
+            ...(credential.provider !== undefined && {
+                provider: credential.provider,
+            }),
             credential: finalBlob,
             updatedAt: finalUpdatedAt.toISOString(),
         });

package/dist/handlers/list-credentials.js

@@ -10,6 +10,16 @@
  */
 import { listCredentialsForApiKey, listCredentialsPaginated, } from "../db/repositories/credentials.js";
 import { logAccess } from "../db/repositories/audit-log.js";
+/** Format credential metadata for API response */
+function formatCredentialMetadata(cred) {
+    return {
+        name: cred.name,
+        ...(cred.agent !== "" && { agent: cred.agent }),
+        ...(cred.provider !== undefined && { provider: cred.provider }),
+        createdAt: cred.createdAt.toISOString(),
+        updatedAt: cred.updatedAt.toISOString(),
+    };
+}
 /** Maximum page size when limit is specified */
 const MAX_LIMIT = 1000;
 /**
@@ -61,11 +71,7 @@ function createListCredentialsHandler(database) {
                 success: true,
             });
             response.json({
-                credentials: credentials.map((cred) => ({
-                    name: cred.name,
-                    createdAt: cred.createdAt.toISOString(),
-                    updatedAt: cred.updatedAt.toISOString(),
-                })),
+                credentials: credentials.map((cred) => formatCredentialMetadata(cred)),
             });
             return;
         }
@@ -92,11 +98,7 @@ function createListCredentialsHandler(database) {
             success: true,
         });
         response.json({
-            credentials: result.credentials.map((cred) => ({
-                name: cred.name,
-                createdAt: cred.createdAt.toISOString(),
-                updatedAt: cred.updatedAt.toISOString(),
-            })),
+            credentials: result.credentials.map((cred) => formatCredentialMetadata(cred)),
             ...(result.nextCursor !== undefined && {
                 nextCursor: result.nextCursor,
             }),

package/dist/handlers/put-credential.js

@@ -48,10 +48,19 @@ function createPutCredentialHandler(database) {
             return;
         }
         try {
-            // Encrypt the blob as-is (opaque storage)
-            const encrypted = encryptCredential(body);
+            // Extract routing metadata from body before encrypting
+            const bodyRecord = body;
+            const agent = typeof bodyRecord.agent === "string" ? bodyRecord.agent : "";
+            const provider = typeof bodyRecord.provider === "string"
+                ? bodyRecord.provider
+                : undefined;
+            // Encrypt the credential blob (agent/provider stored as columns, not in blob)
+            const credentialBlob = Object.fromEntries(Object.entries(bodyRecord).filter(([key]) => key !== "agent" && key !== "provider"));
+            const encrypted = encryptCredential(credentialBlob);
             const timestamps = upsertCredential(database, {
                 name,
+                agent,
+                provider,
                 ...encrypted,
             });
             logAccess(database, {

package/dist/handlers/refresh-credential-on-read.d.ts

@@ -19,6 +19,8 @@ declare function refreshCredentialOnRead(options: {
     apiKeyId: string;
     name: string;
     blob: unknown;
+    agent: string;
+    provider: string | undefined;
     expectedUpdatedAt: Date;
     refreshThresholdSeconds: number;
     refreshTimeoutMs: number;

package/dist/handlers/refresh-credential-on-read.js

@@ -5,17 +5,21 @@
  * stays small enough for static complexity checks (FTA).
  */
 import { isCredentialExpired, isRefreshable, refreshBlob, } from "axauth";
-import { isRefreshableCredentialType, parseCredentials } from "axshared";
+import { isValidAgentCli, isRefreshableCredentialType, parseCredentials, } from "axshared";
 import { getCredential, updateCredentialIfUnchanged, } from "../db/repositories/credentials.js";
 import { logAccess } from "../db/repositories/audit-log.js";
 import { decryptCredential, encryptCredential } from "../lib/encryption.js";
 /** Per-credential mutex to prevent concurrent refreshes */
 const pendingRefreshes = new Map();
-function getRefreshPromise(name, blob, refreshTimeoutMs) {
+function getRefreshPromise(name, blob, agent, provider, refreshTimeoutMs) {
     const existing = pendingRefreshes.get(name);
     if (existing)
         return existing;
-    const promise = refreshBlob(blob, { timeout: refreshTimeoutMs });
+    const promise = refreshBlob(blob, {
+        agent,
+        provider,
+        timeout: refreshTimeoutMs,
+    });
     pendingRefreshes.set(name, promise);
     void promise.finally(() => {
         if (pendingRefreshes.get(name) === promise) {
@@ -34,6 +38,17 @@ async function refreshCredentialOnRead(options) {
             refreshFailed: false,
         };
     }
+    // Refresh requires a valid agent ID (empty means pre-v2 credential)
+    if (!isValidAgentCli(options.agent)) {
+        return {
+            status: "ok",
+            blob: options.blob,
+            updatedAt: options.expectedUpdatedAt,
+            wasRefreshed: false,
+            refreshFailed: false,
+        };
+    }
+    const agent = options.agent;
     const parsedCredentials = parseCredentials(options.blob);
     if (parsedCredentials === undefined ||
         !isRefreshableCredentialType(parsedCredentials.type) ||
@@ -48,7 +63,7 @@ async function refreshCredentialOnRead(options) {
         };
     }
     try {
-        const refreshResult = await getRefreshPromise(options.name, options.blob, options.refreshTimeoutMs);
+        const refreshResult = await getRefreshPromise(options.name, options.blob, agent, options.provider, options.refreshTimeoutMs);
         if (refreshResult.ok) {
             const encrypted = encryptCredential(refreshResult.blob);
             const updateResult = updateCredentialIfUnchanged(options.database, {

package/package.json

@@ -2,7 +2,7 @@
   "name": "axvault",
   "author": "Łukasz Jerciński",
   "license": "MIT",
-  "version": "1.9.0",
+  "version": "1.9.2",
   "description": "Remote credential storage server for axkit",
   "repository": {
     "type": "git",
@@ -49,8 +49,8 @@
   },
   "dependencies": {
     "@commander-js/extra-typings": "^14.0.0",
-    "axauth": "^3.1.1",
-    "axshared": "4.0.0",
+    "axauth": "^3.1.4",
+    "axshared": "5.0.0",
     "better-sqlite3": "^12.6.2",
     "commander": "^14.0.2",
     "express": "^5.2.1"