npm - axvault - Versions diffs - 1.9.3 → 1.10.0 - Mend

axvault 1.9.3 → 1.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

package/README.md +18 -4
package/dist/commands/credential.js +9 -4
package/dist/config.js +2 -2
package/dist/db/migrations.d.ts +1 -1
package/dist/db/migrations.js +25 -1
package/dist/db/repositories/credentials-queries.d.ts +5 -5
package/dist/db/repositories/credentials-queries.js +7 -6
package/dist/db/repositories/credentials.d.ts +2 -0
package/dist/db/repositories/credentials.js +2 -2
package/dist/db/repositories/list-credentials-paginated.js +1 -1
package/dist/db/repositories/parse-credential-row.d.ts +4 -0
package/dist/db/repositories/parse-credential-row.js +4 -0
package/dist/db/types.d.ts +4 -0
package/dist/handlers/get-credential.js +4 -0
package/dist/handlers/list-credentials.js +2 -0
package/dist/handlers/put-credential.js +14 -2
package/package.json +9 -9

package/README.md CHANGED Viewed

@@ -192,7 +192,7 @@ This command requires `--force` or `--yes` to confirm.
 ### Container Deployments
-Container images are published automatically to `registry.j4k.dev/axvault` on every release (multi-arch: amd64 + arm64). Use `workflow_dispatch` on the `publish-image` workflow to rebuild manually.
+Container images are published automatically to `registry.j4k.dev/axvault` on every release (multi-arch: amd64 + arm64). To rebuild manually, run `workflow_dispatch` on `publish-image` and provide the required `version` input (for example `1.7.0`).
 #### Running the Container
@@ -308,6 +308,13 @@ The `type` field is required and must be one of:
 The `provider` field is optional for single-provider agents. For OpenCode (multi-provider), `provider` is required (e.g., `"anthropic"`, `"openai"`, `"gemini"`).
+Optional metadata fields:
+- `"displayName"` — Human-readable label (e.g., `"Claude (Work)"`)
+- `"notes"` — Free-form notes about the credential
+These fields are stored as plaintext metadata (not encrypted) and returned in list and get responses.
 ### List Credentials
 ```bash
@@ -339,13 +346,20 @@ Response includes `nextCursor` when `limit` is set and more results are availabl
 ```json
 {
   "credentials": [
-    { "name": "claude.staging", "createdAt": "...", "updatedAt": "..." },
+    {
+      "name": "claude.staging",
+      "displayName": "Claude (Staging)",
+      "createdAt": "...",
+      "updatedAt": "..."
+    },
     { "name": "gemini.ci", "createdAt": "...", "updatedAt": "..." }
   ],
   "nextCursor": "gemini.ci"
 }
 ```
+Optional fields (`agent`, `provider`, `displayName`, `notes`) are included in responses only when set.
 ### Retrieve a Credential
 ```bash
@@ -392,14 +406,14 @@ When `X-Axvault-Refresh-Failed` is present, the response still returns HTTP 200
 ### With axrun (Recommended)
-Use the `--vault-credential` flag to fetch credentials directly:
+Use the `--vault-credential` flag to fetch credentials directly. Match the credential name to the agent (for example `ci-claude-oauth-token` for Claude and `ci-codex-oauth-credentials` for Codex):
 ```yaml
 - name: Run Claude Review
   env:
     AXVAULT: ${{ secrets.AXVAULT }}
   run: |
-    axrun --agent claude --vault-credential ci-oauth-token \
+    axrun --agent claude --vault-credential ci-claude-oauth-token \
       --prompt "Review this PR"
 ```

package/dist/commands/credential.js CHANGED Viewed

@@ -9,14 +9,15 @@ import { containsControlChars, formatRelativeTime, getErrorMessage, sanitizeForT
 import { CREDENTIAL_NAME_FORMAT_DESCRIPTION, isValidCredentialName, } from "../lib/credential-name.js";
 /** Print credentials as TSV table */
 function printCredentialTable(credentials) {
-    console.log("NAME\tAGENT\tPROVIDER\tCREATED\tUPDATED");
+    console.log("NAME\tAGENT\tPROVIDER\tDISPLAY_NAME\tCREATED\tUPDATED");
     for (const cred of credentials) {
         const name = sanitizeForTsv(cred.name);
-        const agent = cred.agent || "";
-        const provider = cred.provider ?? "";
+        const agent = sanitizeForTsv(cred.agent || "");
+        const provider = sanitizeForTsv(cred.provider ?? "");
+        const displayName = sanitizeForTsv(cred.displayName ?? "");
         const created = formatRelativeTime(cred.createdAt);
         const updated = formatRelativeTime(cred.updatedAt);
-        console.log(`${name}\t${agent}\t${provider}\t${created}\t${updated}`);
+        console.log(`${name}\t${agent}\t${provider}\t${displayName}\t${created}\t${updated}`);
     }
 }
 /**
@@ -59,6 +60,10 @@ export function handleCredentialList(options) {
                 name: cred.name,
                 ...(cred.agent !== "" && { agent: cred.agent }),
                 ...(cred.provider !== undefined && { provider: cred.provider }),
+                ...(cred.displayName !== undefined && {
+                    displayName: cred.displayName,
+                }),
+                ...(cred.notes !== undefined && { notes: cred.notes }),
                 createdAt: cred.createdAt.toISOString(),
                 updatedAt: cred.updatedAt.toISOString(),
             }));

package/dist/config.js CHANGED Viewed

@@ -26,7 +26,7 @@ export function getServerConfig(overrides = {}) {
 function parsePort(value) {
     if (!value)
         return DEFAULT_PORT;
-    const port = Number.parseInt(value);
+    const port = Number.parseInt(value, 10);
     if (Number.isNaN(port) || port < 1 || port > 65_535) {
         throw new Error(`Invalid port: ${value}`);
     }
@@ -35,7 +35,7 @@ function parsePort(value) {
 function parseNonNegativeInt(value, defaultValue, name) {
     if (!value)
         return defaultValue;
-    const parsed = Number.parseInt(value);
+    const parsed = Number.parseInt(value, 10);
     if (Number.isNaN(parsed) || parsed < 0) {
         console.warn(`Invalid ${name} value "${value}", using default ${defaultValue}`);
         return defaultValue;

package/dist/db/migrations.d.ts CHANGED Viewed

@@ -5,7 +5,7 @@
  * Credentials are identified by name only - the blob contains all metadata.
  */
 import type Database from "better-sqlite3";
-declare const CURRENT_VERSION = 2;
+declare const CURRENT_VERSION = 3;
 /** Run all pending migrations */
 declare function runMigrations(database: Database.Database): void;
 /** Get current schema version */

package/dist/db/migrations.js CHANGED Viewed

@@ -4,7 +4,7 @@
  * Simple schema with opaque credential storage.
  * Credentials are identified by name only - the blob contains all metadata.
  */
-const CURRENT_VERSION = 2;
+const CURRENT_VERSION = 3;
 /** Run all pending migrations */
 function runMigrations(database) {
     let version = getSchemaVersion(database);
@@ -22,6 +22,11 @@ function runMigrations(database) {
             version = 2;
             continue;
         }
+        if (version === 2) {
+            migrateToV3(database);
+            version = 3;
+            continue;
+        }
         throw new Error(`Unsupported database schema version v${version} (expected v${CURRENT_VERSION}). Delete the database file to reinitialize.`);
     }
 }
@@ -113,4 +118,23 @@ function migrateToV2(database) {
         setSchemaVersion(database, 2);
     })();
 }
+/**
+ * Migration to version 3: Add display_name and notes columns
+ *
+ * Optional metadata for credential identification. display_name provides
+ * a human-readable label (e.g., "Claude (Work)") and notes provides
+ * additional context. Both flow through axauth to axusage for
+ * multi-instance identification.
+ */
+function migrateToV3(database) {
+    database.transaction(() => {
+        database.exec(`
+      ALTER TABLE credentials ADD COLUMN display_name TEXT DEFAULT NULL
+    `);
+        database.exec(`
+      ALTER TABLE credentials ADD COLUMN notes TEXT DEFAULT NULL
+    `);
+        setSchemaVersion(database, 3);
+    })();
+}
 export { CURRENT_VERSION, getSchemaVersion, runMigrations };

package/dist/db/repositories/credentials-queries.d.ts CHANGED Viewed

@@ -1,10 +1,10 @@
 /**
  * SQL queries for credentials repository.
  */
-export declare const UPSERT_CREDENTIAL = "\n  INSERT INTO credentials (name, agent, provider, encrypted_data, salt, iv, auth_tag, created_at, updated_at)\n  VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)\n  ON CONFLICT(name) DO UPDATE SET\n    agent = excluded.agent, provider = excluded.provider,\n    encrypted_data = excluded.encrypted_data, salt = excluded.salt, iv = excluded.iv, auth_tag = excluded.auth_tag,\n    updated_at = excluded.updated_at\n  RETURNING created_at, updated_at";
+export declare const UPSERT_CREDENTIAL = "\n  INSERT INTO credentials (name, agent, provider, display_name, notes, encrypted_data, salt, iv, auth_tag, created_at, updated_at)\n  VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)\n  ON CONFLICT(name) DO UPDATE SET\n    agent = excluded.agent, provider = excluded.provider,\n    display_name = excluded.display_name, notes = excluded.notes,\n    encrypted_data = excluded.encrypted_data, salt = excluded.salt, iv = excluded.iv, auth_tag = excluded.auth_tag,\n    updated_at = excluded.updated_at\n  RETURNING created_at, updated_at";
 export declare const UPDATE_CREDENTIAL_IF_UPDATED_AT_MATCHES = "\n  UPDATE credentials\n  SET encrypted_data = ?, salt = ?, iv = ?, auth_tag = ?, updated_at = ?\n  WHERE name = ? AND updated_at = ?";
-export declare const SELECT_CREDENTIAL = "\n  SELECT name, agent, provider, encrypted_data, salt, iv, auth_tag, created_at, updated_at\n  FROM credentials WHERE name = ?";
-export declare const SELECT_ALL_METADATA = "\n  SELECT name, agent, provider, created_at, updated_at\n  FROM credentials ORDER BY name";
-export declare const SELECT_METADATA_PAGINATED = "\n  SELECT name, agent, provider, created_at, updated_at\n  FROM credentials\n  WHERE name > ?\n  ORDER BY name\n  LIMIT ?";
-export declare const SELECT_METADATA_FIRST_PAGE = "\n  SELECT name, agent, provider, created_at, updated_at\n  FROM credentials\n  ORDER BY name\n  LIMIT ?";
+export declare const SELECT_CREDENTIAL = "\n  SELECT name, agent, provider, display_name, notes, encrypted_data, salt, iv, auth_tag, created_at, updated_at\n  FROM credentials WHERE name = ?";
+export declare const SELECT_ALL_METADATA = "\n  SELECT name, agent, provider, display_name, notes, created_at, updated_at\n  FROM credentials ORDER BY name";
+export declare const SELECT_METADATA_PAGINATED = "\n  SELECT name, agent, provider, display_name, notes, created_at, updated_at\n  FROM credentials\n  WHERE name > ?\n  ORDER BY name\n  LIMIT ?";
+export declare const SELECT_METADATA_FIRST_PAGE = "\n  SELECT name, agent, provider, display_name, notes, created_at, updated_at\n  FROM credentials\n  ORDER BY name\n  LIMIT ?";
 export declare const DELETE_CREDENTIAL = "\n  DELETE FROM credentials WHERE name = ?";

package/dist/db/repositories/credentials-queries.js CHANGED Viewed

@@ -2,10 +2,11 @@
  * SQL queries for credentials repository.
  */
 export const UPSERT_CREDENTIAL = `
-  INSERT INTO credentials (name, agent, provider, encrypted_data, salt, iv, auth_tag, created_at, updated_at)
-  VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
+  INSERT INTO credentials (name, agent, provider, display_name, notes, encrypted_data, salt, iv, auth_tag, created_at, updated_at)
+  VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
   ON CONFLICT(name) DO UPDATE SET
     agent = excluded.agent, provider = excluded.provider,
+    display_name = excluded.display_name, notes = excluded.notes,
     encrypted_data = excluded.encrypted_data, salt = excluded.salt, iv = excluded.iv, auth_tag = excluded.auth_tag,
     updated_at = excluded.updated_at
   RETURNING created_at, updated_at`;
@@ -14,19 +15,19 @@ export const UPDATE_CREDENTIAL_IF_UPDATED_AT_MATCHES = `
   SET encrypted_data = ?, salt = ?, iv = ?, auth_tag = ?, updated_at = ?
   WHERE name = ? AND updated_at = ?`;
 export const SELECT_CREDENTIAL = `
-  SELECT name, agent, provider, encrypted_data, salt, iv, auth_tag, created_at, updated_at
+  SELECT name, agent, provider, display_name, notes, encrypted_data, salt, iv, auth_tag, created_at, updated_at
   FROM credentials WHERE name = ?`;
 export const SELECT_ALL_METADATA = `
-  SELECT name, agent, provider, created_at, updated_at
+  SELECT name, agent, provider, display_name, notes, created_at, updated_at
   FROM credentials ORDER BY name`;
 export const SELECT_METADATA_PAGINATED = `
-  SELECT name, agent, provider, created_at, updated_at
+  SELECT name, agent, provider, display_name, notes, created_at, updated_at
   FROM credentials
   WHERE name > ?
   ORDER BY name
   LIMIT ?`;
 export const SELECT_METADATA_FIRST_PAGE = `
-  SELECT name, agent, provider, created_at, updated_at
+  SELECT name, agent, provider, display_name, notes, created_at, updated_at
   FROM credentials
   ORDER BY name
   LIMIT ?`;

package/dist/db/repositories/credentials.d.ts CHANGED Viewed

@@ -16,6 +16,8 @@ declare function upsertCredential(database: Database.Database, credential: {
     name: string;
     agent: string;
     provider: string | undefined;
+    displayName: string | undefined;
+    notes: string | undefined;
     encryptedData: Buffer;
     salt: Buffer;
     iv: Buffer;

package/dist/db/repositories/credentials.js CHANGED Viewed

@@ -11,7 +11,7 @@ function upsertCredential(database, credential) {
     const now = Date.now();
     const row = database
         .prepare(SQL.UPSERT_CREDENTIAL)
-        .get(credential.name, credential.agent, credential.provider ?? undefined, credential.encryptedData, credential.salt, credential.iv, credential.authTag, now, now);
+        .get(credential.name, credential.agent, credential.provider ?? undefined, credential.displayName ?? undefined, credential.notes ?? undefined, credential.encryptedData, credential.salt, credential.iv, credential.authTag, now, now);
     return {
         createdAt: new Date(row.created_at),
         updatedAt: new Date(row.updated_at),
@@ -48,7 +48,7 @@ function listCredentialsForApiKey(database, readAccess) {
         return [];
     const placeholders = readAccess.map(() => "?").join(", ");
     const sql = `
-    SELECT name, created_at, updated_at
+    SELECT name, agent, provider, display_name, notes, created_at, updated_at
     FROM credentials
     WHERE name IN (${placeholders})
     ORDER BY name`;

package/dist/db/repositories/list-credentials-paginated.js CHANGED Viewed

@@ -16,7 +16,7 @@ function buildFilteredQuery(names, cursor, limit) {
     const placeholders = names.map(() => "?").join(", ");
     const cursorClause = cursor ? " AND name > ?" : "";
     const sql = `
-    SELECT name, agent, provider, created_at, updated_at
+    SELECT name, agent, provider, display_name, notes, created_at, updated_at
     FROM credentials
     WHERE name IN (${placeholders})${cursorClause}
     ORDER BY name

package/dist/db/repositories/parse-credential-row.d.ts CHANGED Viewed

@@ -9,6 +9,8 @@ interface CredentialRecord {
     name: string;
     agent: string;
     provider: string | undefined;
+    displayName: string | undefined;
+    notes: string | undefined;
     encryptedData: Buffer;
     salt: Buffer;
     iv: Buffer;
@@ -21,6 +23,8 @@ interface CredentialMetadata {
     name: string;
     agent: string;
     provider: string | undefined;
+    displayName: string | undefined;
+    notes: string | undefined;
     createdAt: Date;
     updatedAt: Date;
 }

package/dist/db/repositories/parse-credential-row.js CHANGED Viewed

@@ -9,6 +9,8 @@ function rowToRecord(row) {
         name: row.name,
         agent: row.agent,
         provider: row.provider ?? undefined,
+        displayName: row.display_name ?? undefined,
+        notes: row.notes ?? undefined,
         encryptedData: row.encrypted_data,
         salt: row.salt,
         iv: row.iv,
@@ -23,6 +25,8 @@ function rowToMetadata(row) {
         name: row.name,
         agent: row.agent,
         provider: row.provider ?? undefined,
+        displayName: row.display_name ?? undefined,
+        notes: row.notes ?? undefined,
         createdAt: new Date(row.created_at),
         updatedAt: new Date(row.updated_at),
     };

package/dist/db/types.d.ts CHANGED Viewed

@@ -28,6 +28,8 @@ export interface CredentialRow {
     name: string;
     agent: string;
     provider: string | null;
+    display_name: string | null;
+    notes: string | null;
     encrypted_data: Buffer;
     salt: Buffer;
     iv: Buffer;
@@ -40,6 +42,8 @@ export interface MetadataRow {
     name: string;
     agent: string;
     provider: string | null;
+    display_name: string | null;
+    notes: string | null;
     created_at: number;
     updated_at: number;
 }

package/dist/handlers/get-credential.js CHANGED Viewed

@@ -103,6 +103,10 @@ function createGetCredentialHandler(database, config) {
             ...(credential.provider !== undefined && {
                 provider: credential.provider,
             }),
+            ...(credential.displayName !== undefined && {
+                displayName: credential.displayName,
+            }),
+            ...(credential.notes !== undefined && { notes: credential.notes }),
             credential: finalBlob,
             updatedAt: finalUpdatedAt.toISOString(),
         });

package/dist/handlers/list-credentials.js CHANGED Viewed

@@ -16,6 +16,8 @@ function formatCredentialMetadata(cred) {
         name: cred.name,
         ...(cred.agent !== "" && { agent: cred.agent }),
         ...(cred.provider !== undefined && { provider: cred.provider }),
+        ...(cred.displayName !== undefined && { displayName: cred.displayName }),
+        ...(cred.notes !== undefined && { notes: cred.notes }),
         createdAt: cred.createdAt.toISOString(),
         updatedAt: cred.updatedAt.toISOString(),
     };

package/dist/handlers/put-credential.js CHANGED Viewed

@@ -54,13 +54,25 @@ function createPutCredentialHandler(database) {
             const provider = typeof bodyRecord.provider === "string"
                 ? bodyRecord.provider
                 : undefined;
-            // Encrypt the credential blob (agent/provider stored as columns, not in blob)
-            const credentialBlob = Object.fromEntries(Object.entries(bodyRecord).filter(([key]) => key !== "agent" && key !== "provider"));
+            const displayName = typeof bodyRecord.displayName === "string"
+                ? bodyRecord.displayName
+                : undefined;
+            const notes = typeof bodyRecord.notes === "string" ? bodyRecord.notes : undefined;
+            // Encrypt the credential blob (metadata stored as columns, not in blob)
+            const metadataKeys = new Set([
+                "agent",
+                "provider",
+                "displayName",
+                "notes",
+            ]);
+            const credentialBlob = Object.fromEntries(Object.entries(bodyRecord).filter(([key]) => !metadataKeys.has(key)));
             const encrypted = encryptCredential(credentialBlob);
             const timestamps = upsertCredential(database, {
                 name,
                 agent,
                 provider,
+                displayName,
+                notes,
                 ...encrypted,
             });
             logAccess(database, {

package/package.json CHANGED Viewed

@@ -2,7 +2,7 @@
   "name": "axvault",
   "author": "Łukasz Jerciński",
   "license": "MIT",
-  "version": "1.9.3",
+  "version": "1.10.0",
   "description": "Remote credential storage server for axkit",
   "repository": {
     "type": "git",
@@ -49,10 +49,10 @@
   },
   "dependencies": {
     "@commander-js/extra-typings": "^14.0.0",
-    "axauth": "^3.1.4",
+    "axauth": "^3.1.6",
     "axshared": "5.0.0",
     "better-sqlite3": "^12.6.2",
-    "commander": "^14.0.2",
+    "commander": "^14.0.3",
     "express": "^5.2.1"
   },
   "keywords": [
@@ -70,7 +70,7 @@
     "automation",
     "coding-assistant"
   ],
-  "packageManager": "pnpm@10.28.1",
+  "packageManager": "pnpm@10.30.1",
   "engines": {
     "node": ">=22.14.0"
   },
@@ -78,15 +78,15 @@
     "@total-typescript/ts-reset": "^0.6.1",
     "@types/better-sqlite3": "^7.6.13",
     "@types/express": "^5.0.6",
-    "@types/node": "^25.0.10",
+    "@types/node": "^25.3.0",
     "@vitest/coverage-v8": "^4.0.18",
-    "eslint": "^9.39.2",
-    "eslint-config-axkit": "^1.1.0",
+    "eslint": "^10.0.1",
+    "eslint-config-axkit": "^1.3.0",
     "fta-check": "^1.5.1",
     "fta-cli": "^3.0.0",
-    "knip": "^5.82.1",
+    "knip": "^5.85.0",
     "prettier": "3.8.1",
-    "semantic-release": "^25.0.2",
+    "semantic-release": "^25.0.3",
     "typescript": "^5.9.3",
     "vitest": "^4.0.18"
   }