axvault 1.9.2 → 1.9.4

package/README.md

@@ -192,7 +192,7 @@ This command requires `--force` or `--yes` to confirm.
 
 ### Container Deployments
 
-Container images are published automatically to `registry.j4k.dev/axvault` on every release (multi-arch: amd64 + arm64). Use `workflow_dispatch` on the `publish-image` workflow to rebuild manually.
+Container images are published automatically to `registry.j4k.dev/axvault` on every release (multi-arch: amd64 + arm64). To rebuild manually, run `workflow_dispatch` on `publish-image` and provide the required `version` input (for example `1.7.0`).
 
 #### Running the Container
 
@@ -392,14 +392,14 @@ When `X-Axvault-Refresh-Failed` is present, the response still returns HTTP 200
 
 ### With axrun (Recommended)
 
-Use the `--vault-credential` flag to fetch credentials directly:
+Use the `--vault-credential` flag to fetch credentials directly. Match the credential name to the agent (for example `ci-claude-oauth-token` for Claude and `ci-codex-oauth-credentials` for Codex):
 
 ```yaml
 - name: Run Claude Review
   env:
     AXVAULT: ${{ secrets.AXVAULT }}
   run: |
-    axrun --agent claude --vault-credential ci-oauth-token \
+    axrun --agent claude --vault-credential ci-claude-oauth-token \
       --prompt "Review this PR"
 ```
 

package/dist/handlers/refresh-credential-on-read.js

@@ -4,11 +4,11 @@
  * Encapsulates refresh decision logic + per-credential mutex so the handler
  * stays small enough for static complexity checks (FTA).
  */
-import { isCredentialExpired, isRefreshable, refreshBlob, } from "axauth";
-import { isValidAgentCli, isRefreshableCredentialType, parseCredentials, } from "axshared";
+import { refreshBlob } from "axauth";
 import { getCredential, updateCredentialIfUnchanged, } from "../db/repositories/credentials.js";
 import { logAccess } from "../db/repositories/audit-log.js";
 import { decryptCredential, encryptCredential } from "../lib/encryption.js";
+import { shouldRefreshCredential } from "./should-refresh-credential.js";
 /** Per-credential mutex to prevent concurrent refreshes */
 const pendingRefreshes = new Map();
 function getRefreshPromise(name, blob, agent, provider, refreshTimeoutMs) {
@@ -29,31 +29,8 @@ function getRefreshPromise(name, blob, agent, provider, refreshTimeoutMs) {
     return promise;
 }
 async function refreshCredentialOnRead(options) {
-    if (options.refreshThresholdSeconds <= 0) {
-        return {
-            status: "ok",
-            blob: options.blob,
-            updatedAt: options.expectedUpdatedAt,
-            wasRefreshed: false,
-            refreshFailed: false,
-        };
-    }
-    // Refresh requires a valid agent ID (empty means pre-v2 credential)
-    if (!isValidAgentCli(options.agent)) {
-        return {
-            status: "ok",
-            blob: options.blob,
-            updatedAt: options.expectedUpdatedAt,
-            wasRefreshed: false,
-            refreshFailed: false,
-        };
-    }
-    const agent = options.agent;
-    const parsedCredentials = parseCredentials(options.blob);
-    if (parsedCredentials === undefined ||
-        !isRefreshableCredentialType(parsedCredentials.type) ||
-        !isRefreshable(parsedCredentials.data) ||
-        isCredentialExpired(parsedCredentials.data, options.refreshThresholdSeconds) !== true) {
+    const decision = shouldRefreshCredential(options.blob, options.agent, options.refreshThresholdSeconds);
+    if (!decision.refresh) {
         return {
             status: "ok",
             blob: options.blob,
@@ -63,7 +40,7 @@ async function refreshCredentialOnRead(options) {
         };
     }
     try {
-        const refreshResult = await getRefreshPromise(options.name, options.blob, agent, options.provider, options.refreshTimeoutMs);
+        const refreshResult = await getRefreshPromise(options.name, options.blob, decision.agent, options.provider, options.refreshTimeoutMs);
         if (refreshResult.ok) {
             const encrypted = encryptCredential(refreshResult.blob);
             const updateResult = updateCredentialIfUnchanged(options.database, {

package/dist/handlers/should-refresh-credential.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Decision logic for whether a credential should be refreshed on read.
+ *
+ * Extracted to keep refresh-credential-on-read.ts under the FTA threshold.
+ */
+import { type AgentCli } from "axshared";
+/** Check whether a credential should be refreshed */
+declare function shouldRefreshCredential(blob: unknown, agent: string, refreshThresholdSeconds: number): {
+    refresh: true;
+    agent: AgentCli;
+} | {
+    refresh: false;
+};
+export { shouldRefreshCredential };

package/dist/handlers/should-refresh-credential.js

@@ -0,0 +1,23 @@
+/**
+ * Decision logic for whether a credential should be refreshed on read.
+ *
+ * Extracted to keep refresh-credential-on-read.ts under the FTA threshold.
+ */
+import { isCredentialExpired, isRefreshable } from "axauth";
+import { isValidAgentCli, isRefreshableCredentialType, parseCredentials, } from "axshared";
+/** Check whether a credential should be refreshed */
+function shouldRefreshCredential(blob, agent, refreshThresholdSeconds) {
+    if (refreshThresholdSeconds <= 0)
+        return { refresh: false };
+    if (!isValidAgentCli(agent))
+        return { refresh: false };
+    const parsed = parseCredentials(blob);
+    if (parsed === undefined ||
+        !isRefreshableCredentialType(parsed.type) ||
+        !isRefreshable(parsed.data) ||
+        isCredentialExpired(parsed.data, refreshThresholdSeconds) !== true) {
+        return { refresh: false };
+    }
+    return { refresh: true, agent };
+}
+export { shouldRefreshCredential };

package/package.json

@@ -2,7 +2,7 @@
   "name": "axvault",
   "author": "Łukasz Jerciński",
   "license": "MIT",
-  "version": "1.9.2",
+  "version": "1.9.4",
   "description": "Remote credential storage server for axkit",
   "repository": {
     "type": "git",