axvault 1.9.4 → 1.10.0

package/README.md

@@ -308,6 +308,13 @@ The `type` field is required and must be one of:
 
 The `provider` field is optional for single-provider agents. For OpenCode (multi-provider), `provider` is required (e.g., `"anthropic"`, `"openai"`, `"gemini"`).
 
+Optional metadata fields:
+
+- `"displayName"` — Human-readable label (e.g., `"Claude (Work)"`)
+- `"notes"` — Free-form notes about the credential
+
+These fields are stored as plaintext metadata (not encrypted) and returned in list and get responses.
+
 ### List Credentials
 
 ```bash
@@ -339,13 +346,20 @@ Response includes `nextCursor` when `limit` is set and more results are availabl
 ```json
 {
   "credentials": [
-    { "name": "claude.staging", "createdAt": "...", "updatedAt": "..." },
+    {
+      "name": "claude.staging",
+      "displayName": "Claude (Staging)",
+      "createdAt": "...",
+      "updatedAt": "..."
+    },
     { "name": "gemini.ci", "createdAt": "...", "updatedAt": "..." }
   ],
   "nextCursor": "gemini.ci"
 }
 ```
 
+Optional fields (`agent`, `provider`, `displayName`, `notes`) are included in responses only when set.
+
 ### Retrieve a Credential
 
 ```bash

package/dist/commands/credential.js

@@ -9,14 +9,15 @@ import { containsControlChars, formatRelativeTime, getErrorMessage, sanitizeForT
 import { CREDENTIAL_NAME_FORMAT_DESCRIPTION, isValidCredentialName, } from "../lib/credential-name.js";
 /** Print credentials as TSV table */
 function printCredentialTable(credentials) {
-    console.log("NAME\tAGENT\tPROVIDER\tCREATED\tUPDATED");
+    console.log("NAME\tAGENT\tPROVIDER\tDISPLAY_NAME\tCREATED\tUPDATED");
     for (const cred of credentials) {
         const name = sanitizeForTsv(cred.name);
-        const agent = cred.agent || "";
-        const provider = cred.provider ?? "";
+        const agent = sanitizeForTsv(cred.agent || "");
+        const provider = sanitizeForTsv(cred.provider ?? "");
+        const displayName = sanitizeForTsv(cred.displayName ?? "");
         const created = formatRelativeTime(cred.createdAt);
         const updated = formatRelativeTime(cred.updatedAt);
-        console.log(`${name}\t${agent}\t${provider}\t${created}\t${updated}`);
+        console.log(`${name}\t${agent}\t${provider}\t${displayName}\t${created}\t${updated}`);
     }
 }
 /**
@@ -59,6 +60,10 @@ export function handleCredentialList(options) {
                 name: cred.name,
                 ...(cred.agent !== "" && { agent: cred.agent }),
                 ...(cred.provider !== undefined && { provider: cred.provider }),
+                ...(cred.displayName !== undefined && {
+                    displayName: cred.displayName,
+                }),
+                ...(cred.notes !== undefined && { notes: cred.notes }),
                 createdAt: cred.createdAt.toISOString(),
                 updatedAt: cred.updatedAt.toISOString(),
             }));

package/dist/config.js

@@ -26,7 +26,7 @@ export function getServerConfig(overrides = {}) {
 function parsePort(value) {
     if (!value)
         return DEFAULT_PORT;
-    const port = Number.parseInt(value);
+    const port = Number.parseInt(value, 10);
     if (Number.isNaN(port) || port < 1 || port > 65_535) {
         throw new Error(`Invalid port: ${value}`);
     }
@@ -35,7 +35,7 @@ function parsePort(value) {
 function parseNonNegativeInt(value, defaultValue, name) {
     if (!value)
         return defaultValue;
-    const parsed = Number.parseInt(value);
+    const parsed = Number.parseInt(value, 10);
     if (Number.isNaN(parsed) || parsed < 0) {
         console.warn(`Invalid ${name} value "${value}", using default ${defaultValue}`);
         return defaultValue;

package/dist/db/migrations.d.ts

@@ -5,7 +5,7 @@
  * Credentials are identified by name only - the blob contains all metadata.
  */
 import type Database from "better-sqlite3";
-declare const CURRENT_VERSION = 2;
+declare const CURRENT_VERSION = 3;
 /** Run all pending migrations */
 declare function runMigrations(database: Database.Database): void;
 /** Get current schema version */

package/dist/db/migrations.js

@@ -4,7 +4,7 @@
  * Simple schema with opaque credential storage.
  * Credentials are identified by name only - the blob contains all metadata.
  */
-const CURRENT_VERSION = 2;
+const CURRENT_VERSION = 3;
 /** Run all pending migrations */
 function runMigrations(database) {
     let version = getSchemaVersion(database);
@@ -22,6 +22,11 @@ function runMigrations(database) {
             version = 2;
             continue;
         }
+        if (version === 2) {
+            migrateToV3(database);
+            version = 3;
+            continue;
+        }
         throw new Error(`Unsupported database schema version v${version} (expected v${CURRENT_VERSION}). Delete the database file to reinitialize.`);
     }
 }
@@ -113,4 +118,23 @@ function migrateToV2(database) {
         setSchemaVersion(database, 2);
     })();
 }
+/**
+ * Migration to version 3: Add display_name and notes columns
+ *
+ * Optional metadata for credential identification. display_name provides
+ * a human-readable label (e.g., "Claude (Work)") and notes provides
+ * additional context. Both flow through axauth to axusage for
+ * multi-instance identification.
+ */
+function migrateToV3(database) {
+    database.transaction(() => {
+        database.exec(`
+      ALTER TABLE credentials ADD COLUMN display_name TEXT DEFAULT NULL
+    `);
+        database.exec(`
+      ALTER TABLE credentials ADD COLUMN notes TEXT DEFAULT NULL
+    `);
+        setSchemaVersion(database, 3);
+    })();
+}
 export { CURRENT_VERSION, getSchemaVersion, runMigrations };

package/dist/db/repositories/credentials-queries.d.ts

@@ -1,10 +1,10 @@
 /**
  * SQL queries for credentials repository.
  */
-export declare const UPSERT_CREDENTIAL = "\n  INSERT INTO credentials (name, agent, provider, encrypted_data, salt, iv, auth_tag, created_at, updated_at)\n  VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)\n  ON CONFLICT(name) DO UPDATE SET\n    agent = excluded.agent, provider = excluded.provider,\n    encrypted_data = excluded.encrypted_data, salt = excluded.salt, iv = excluded.iv, auth_tag = excluded.auth_tag,\n    updated_at = excluded.updated_at\n  RETURNING created_at, updated_at";
+export declare const UPSERT_CREDENTIAL = "\n  INSERT INTO credentials (name, agent, provider, display_name, notes, encrypted_data, salt, iv, auth_tag, created_at, updated_at)\n  VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)\n  ON CONFLICT(name) DO UPDATE SET\n    agent = excluded.agent, provider = excluded.provider,\n    display_name = excluded.display_name, notes = excluded.notes,\n    encrypted_data = excluded.encrypted_data, salt = excluded.salt, iv = excluded.iv, auth_tag = excluded.auth_tag,\n    updated_at = excluded.updated_at\n  RETURNING created_at, updated_at";
 export declare const UPDATE_CREDENTIAL_IF_UPDATED_AT_MATCHES = "\n  UPDATE credentials\n  SET encrypted_data = ?, salt = ?, iv = ?, auth_tag = ?, updated_at = ?\n  WHERE name = ? AND updated_at = ?";
-export declare const SELECT_CREDENTIAL = "\n  SELECT name, agent, provider, encrypted_data, salt, iv, auth_tag, created_at, updated_at\n  FROM credentials WHERE name = ?";
-export declare const SELECT_ALL_METADATA = "\n  SELECT name, agent, provider, created_at, updated_at\n  FROM credentials ORDER BY name";
-export declare const SELECT_METADATA_PAGINATED = "\n  SELECT name, agent, provider, created_at, updated_at\n  FROM credentials\n  WHERE name > ?\n  ORDER BY name\n  LIMIT ?";
-export declare const SELECT_METADATA_FIRST_PAGE = "\n  SELECT name, agent, provider, created_at, updated_at\n  FROM credentials\n  ORDER BY name\n  LIMIT ?";
+export declare const SELECT_CREDENTIAL = "\n  SELECT name, agent, provider, display_name, notes, encrypted_data, salt, iv, auth_tag, created_at, updated_at\n  FROM credentials WHERE name = ?";
+export declare const SELECT_ALL_METADATA = "\n  SELECT name, agent, provider, display_name, notes, created_at, updated_at\n  FROM credentials ORDER BY name";
+export declare const SELECT_METADATA_PAGINATED = "\n  SELECT name, agent, provider, display_name, notes, created_at, updated_at\n  FROM credentials\n  WHERE name > ?\n  ORDER BY name\n  LIMIT ?";
+export declare const SELECT_METADATA_FIRST_PAGE = "\n  SELECT name, agent, provider, display_name, notes, created_at, updated_at\n  FROM credentials\n  ORDER BY name\n  LIMIT ?";
 export declare const DELETE_CREDENTIAL = "\n  DELETE FROM credentials WHERE name = ?";

package/dist/db/repositories/credentials-queries.js

@@ -2,10 +2,11 @@
  * SQL queries for credentials repository.
  */
 export const UPSERT_CREDENTIAL = `
-  INSERT INTO credentials (name, agent, provider, encrypted_data, salt, iv, auth_tag, created_at, updated_at)
-  VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
+  INSERT INTO credentials (name, agent, provider, display_name, notes, encrypted_data, salt, iv, auth_tag, created_at, updated_at)
+  VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
   ON CONFLICT(name) DO UPDATE SET
     agent = excluded.agent, provider = excluded.provider,
+    display_name = excluded.display_name, notes = excluded.notes,
     encrypted_data = excluded.encrypted_data, salt = excluded.salt, iv = excluded.iv, auth_tag = excluded.auth_tag,
     updated_at = excluded.updated_at
   RETURNING created_at, updated_at`;
@@ -14,19 +15,19 @@ export const UPDATE_CREDENTIAL_IF_UPDATED_AT_MATCHES = `
   SET encrypted_data = ?, salt = ?, iv = ?, auth_tag = ?, updated_at = ?
   WHERE name = ? AND updated_at = ?`;
 export const SELECT_CREDENTIAL = `
-  SELECT name, agent, provider, encrypted_data, salt, iv, auth_tag, created_at, updated_at
+  SELECT name, agent, provider, display_name, notes, encrypted_data, salt, iv, auth_tag, created_at, updated_at
   FROM credentials WHERE name = ?`;
 export const SELECT_ALL_METADATA = `
-  SELECT name, agent, provider, created_at, updated_at
+  SELECT name, agent, provider, display_name, notes, created_at, updated_at
   FROM credentials ORDER BY name`;
 export const SELECT_METADATA_PAGINATED = `
-  SELECT name, agent, provider, created_at, updated_at
+  SELECT name, agent, provider, display_name, notes, created_at, updated_at
   FROM credentials
   WHERE name > ?
   ORDER BY name
   LIMIT ?`;
 export const SELECT_METADATA_FIRST_PAGE = `
-  SELECT name, agent, provider, created_at, updated_at
+  SELECT name, agent, provider, display_name, notes, created_at, updated_at
   FROM credentials
   ORDER BY name
   LIMIT ?`;

package/dist/db/repositories/credentials.d.ts

@@ -16,6 +16,8 @@ declare function upsertCredential(database: Database.Database, credential: {
     name: string;
     agent: string;
     provider: string | undefined;
+    displayName: string | undefined;
+    notes: string | undefined;
     encryptedData: Buffer;
     salt: Buffer;
     iv: Buffer;

package/dist/db/repositories/credentials.js

@@ -11,7 +11,7 @@ function upsertCredential(database, credential) {
     const now = Date.now();
     const row = database
         .prepare(SQL.UPSERT_CREDENTIAL)
-        .get(credential.name, credential.agent, credential.provider ?? undefined, credential.encryptedData, credential.salt, credential.iv, credential.authTag, now, now);
+        .get(credential.name, credential.agent, credential.provider ?? undefined, credential.displayName ?? undefined, credential.notes ?? undefined, credential.encryptedData, credential.salt, credential.iv, credential.authTag, now, now);
     return {
         createdAt: new Date(row.created_at),
         updatedAt: new Date(row.updated_at),
@@ -48,7 +48,7 @@ function listCredentialsForApiKey(database, readAccess) {
         return [];
     const placeholders = readAccess.map(() => "?").join(", ");
     const sql = `
-    SELECT name, created_at, updated_at
+    SELECT name, agent, provider, display_name, notes, created_at, updated_at
     FROM credentials
     WHERE name IN (${placeholders})
     ORDER BY name`;

package/dist/db/repositories/list-credentials-paginated.js

@@ -16,7 +16,7 @@ function buildFilteredQuery(names, cursor, limit) {
     const placeholders = names.map(() => "?").join(", ");
     const cursorClause = cursor ? " AND name > ?" : "";
     const sql = `
-    SELECT name, agent, provider, created_at, updated_at
+    SELECT name, agent, provider, display_name, notes, created_at, updated_at
     FROM credentials
     WHERE name IN (${placeholders})${cursorClause}
     ORDER BY name

package/dist/db/repositories/parse-credential-row.d.ts

@@ -9,6 +9,8 @@ interface CredentialRecord {
     name: string;
     agent: string;
     provider: string | undefined;
+    displayName: string | undefined;
+    notes: string | undefined;
     encryptedData: Buffer;
     salt: Buffer;
     iv: Buffer;
@@ -21,6 +23,8 @@ interface CredentialMetadata {
     name: string;
     agent: string;
     provider: string | undefined;
+    displayName: string | undefined;
+    notes: string | undefined;
     createdAt: Date;
     updatedAt: Date;
 }

package/dist/db/repositories/parse-credential-row.js

@@ -9,6 +9,8 @@ function rowToRecord(row) {
         name: row.name,
         agent: row.agent,
         provider: row.provider ?? undefined,
+        displayName: row.display_name ?? undefined,
+        notes: row.notes ?? undefined,
         encryptedData: row.encrypted_data,
         salt: row.salt,
         iv: row.iv,
@@ -23,6 +25,8 @@ function rowToMetadata(row) {
         name: row.name,
         agent: row.agent,
         provider: row.provider ?? undefined,
+        displayName: row.display_name ?? undefined,
+        notes: row.notes ?? undefined,
         createdAt: new Date(row.created_at),
         updatedAt: new Date(row.updated_at),
     };

package/dist/db/types.d.ts

@@ -28,6 +28,8 @@ export interface CredentialRow {
     name: string;
     agent: string;
     provider: string | null;
+    display_name: string | null;
+    notes: string | null;
     encrypted_data: Buffer;
     salt: Buffer;
     iv: Buffer;
@@ -40,6 +42,8 @@ export interface MetadataRow {
     name: string;
     agent: string;
     provider: string | null;
+    display_name: string | null;
+    notes: string | null;
     created_at: number;
     updated_at: number;
 }

package/dist/handlers/get-credential.js

@@ -103,6 +103,10 @@ function createGetCredentialHandler(database, config) {
             ...(credential.provider !== undefined && {
                 provider: credential.provider,
             }),
+            ...(credential.displayName !== undefined && {
+                displayName: credential.displayName,
+            }),
+            ...(credential.notes !== undefined && { notes: credential.notes }),
             credential: finalBlob,
             updatedAt: finalUpdatedAt.toISOString(),
         });

package/dist/handlers/list-credentials.js

@@ -16,6 +16,8 @@ function formatCredentialMetadata(cred) {
         name: cred.name,
         ...(cred.agent !== "" && { agent: cred.agent }),
         ...(cred.provider !== undefined && { provider: cred.provider }),
+        ...(cred.displayName !== undefined && { displayName: cred.displayName }),
+        ...(cred.notes !== undefined && { notes: cred.notes }),
         createdAt: cred.createdAt.toISOString(),
         updatedAt: cred.updatedAt.toISOString(),
     };

package/dist/handlers/put-credential.js

@@ -54,13 +54,25 @@ function createPutCredentialHandler(database) {
             const provider = typeof bodyRecord.provider === "string"
                 ? bodyRecord.provider
                 : undefined;
-            // Encrypt the credential blob (agent/provider stored as columns, not in blob)
-            const credentialBlob = Object.fromEntries(Object.entries(bodyRecord).filter(([key]) => key !== "agent" && key !== "provider"));
+            const displayName = typeof bodyRecord.displayName === "string"
+                ? bodyRecord.displayName
+                : undefined;
+            const notes = typeof bodyRecord.notes === "string" ? bodyRecord.notes : undefined;
+            // Encrypt the credential blob (metadata stored as columns, not in blob)
+            const metadataKeys = new Set([
+                "agent",
+                "provider",
+                "displayName",
+                "notes",
+            ]);
+            const credentialBlob = Object.fromEntries(Object.entries(bodyRecord).filter(([key]) => !metadataKeys.has(key)));
             const encrypted = encryptCredential(credentialBlob);
             const timestamps = upsertCredential(database, {
                 name,
                 agent,
                 provider,
+                displayName,
+                notes,
                 ...encrypted,
             });
             logAccess(database, {

package/package.json

@@ -2,7 +2,7 @@
   "name": "axvault",
   "author": "Łukasz Jerciński",
   "license": "MIT",
-  "version": "1.9.4",
+  "version": "1.10.0",
   "description": "Remote credential storage server for axkit",
   "repository": {
     "type": "git",
@@ -49,10 +49,10 @@
   },
   "dependencies": {
     "@commander-js/extra-typings": "^14.0.0",
-    "axauth": "^3.1.4",
+    "axauth": "^3.1.6",
     "axshared": "5.0.0",
     "better-sqlite3": "^12.6.2",
-    "commander": "^14.0.2",
+    "commander": "^14.0.3",
     "express": "^5.2.1"
   },
   "keywords": [
@@ -70,7 +70,7 @@
     "automation",
     "coding-assistant"
   ],
-  "packageManager": "pnpm@10.28.1",
+  "packageManager": "pnpm@10.30.1",
   "engines": {
     "node": ">=22.14.0"
   },
@@ -78,15 +78,15 @@
     "@total-typescript/ts-reset": "^0.6.1",
     "@types/better-sqlite3": "^7.6.13",
     "@types/express": "^5.0.6",
-    "@types/node": "^25.0.10",
+    "@types/node": "^25.3.0",
     "@vitest/coverage-v8": "^4.0.18",
-    "eslint": "^9.39.2",
-    "eslint-config-axkit": "^1.1.0",
+    "eslint": "^10.0.1",
+    "eslint-config-axkit": "^1.3.0",
     "fta-check": "^1.5.1",
     "fta-cli": "^3.0.0",
-    "knip": "^5.82.1",
+    "knip": "^5.85.0",
     "prettier": "3.8.1",
-    "semantic-release": "^25.0.2",
+    "semantic-release": "^25.0.3",
     "typescript": "^5.9.3",
     "vitest": "^4.0.18"
   }