Passport Management
Passports are the core data structure — each one wraps a credential with metadata about scope, authorization, expiry, delegation, and audit history.
CRUD Operations
createPassport(vault, input)
Create a new passport and store it in the vault. Auto-detects credential type if not specified.
vault: Unlocked vault instance.
input: Passport fields: name, credentialValue, credentialType, visaType, issuingAuthority, scope, platforms, humanOwner, and optional fields for validUntil, tags, notes, agentId.
Returns: Promise<Passport>
getPassport(vault, id)
Retrieve a passport by ID. Throws if not found.
listPassports(vault, filters?)
List passports with optional filters by status, visa type, platform, or tags.
updatePassport(vault, id, updates, actor)
Update passport fields. Logs a modified audit entry.
revokePassport(vault, id, reason, actor)
Revoke a passport. Sets status to revoked and records the reason and actor. The credential remains encrypted but is no longer accessible through the normal API.
renewPassport(vault, id, newValidUntil, actor)
Extend a passport’s validity period. Logs a renewed audit entry.
duplicatePassport(vault, id, actor, overrides?)
Clone a passport with a new ID. Useful for rotating credentials — create the new one, then revoke the old.
deletePassport(vault, id, actor)
Permanently remove a passport from the vault. Cannot be undone.
Credential Access
accessCredential(vault, id, actor, platform?, purpose?)
Retrieve the decrypted credential value. Logs an accessed audit entry with the actor, platform, and purpose.
Returns: Promise<string> — The raw credential value.
Status Helpers
calculateStatus(passport)
Determine the current status based on validUntil, revokedAt, and the 14-day expiring threshold.
Returns: PassportStatus — 'active' | 'expiring' | 'expired' | 'revoked' | 'suspended'
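A sketch of how a status could be derived from validUntil, revokedAt and the 14-day threshold, added here as an example and not the library's own code. The function name sketchStatus, the ISO 8601 date format, the precedence order, the inclusive 14-day boundary and the fail-closed handling of unparseable dates are all assumptions; the page names no input that drives 'suspended', so the sketch never returns it.

```typescript
// Added illustration, not the library's implementation. Field names come from
// the page; types, precedence and boundaries are assumptions.
type PassportStatus = 'active' | 'expiring' | 'expired' | 'revoked' | 'suspended';

interface PassportDates {
  validUntil?: string; // assumed: ISO 8601 timestamp (optional per the field list)
  revokedAt?: string;  // assumed: ISO 8601 timestamp set on revocation
}

const EXPIRING_THRESHOLD_MS = 14 * 24 * 60 * 60 * 1000; // 14-day expiring threshold

// Hypothetical helper; `now` is injectable so results are reproducible.
function sketchStatus(p: PassportDates, now: Date = new Date()): PassportStatus {
  // Assumed precedence: revocation overrides every date check.
  if (p.revokedAt !== undefined) return 'revoked';
  // Assumption: a passport without validUntil does not expire.
  if (p.validUntil === undefined) return 'active';
  const remaining = Date.parse(p.validUntil) - now.getTime();
  // Fail closed: an unparseable date gives NaN, and every comparison with NaN
  // is false, so without this check a bad date would fall through to 'active'.
  if (isNaN(remaining) || remaining <= 0) return 'expired';
  return remaining <= EXPIRING_THRESHOLD_MS ? 'expiring' : 'active';
}

// Constructed sample records, evaluated against a fixed clock.
const NOW = new Date('2025-01-15T00:00:00Z');
const SAMPLES: Record<string, PassportDates> = {
  farFuture: { validUntil: '2025-03-01T00:00:00Z' },
  fiveDaysLeft: { validUntil: '2025-01-20T00:00:00Z' },
  exactlyFourteenDays: { validUntil: '2025-01-29T00:00:00Z' },
  alreadyPast: { validUntil: '2025-01-14T00:00:00Z' },
  garbledDate: { validUntil: 'not-a-date' },
  revokedButUnexpired: { validUntil: '2025-03-01T00:00:00Z', revokedAt: '2025-01-10T00:00:00Z' },
  noExpiry: {},
};

// Returns the derived status for every constructed sample.
function sampleStatuses(): Record<string, PassportStatus> {
  const out: Record<string, PassportStatus> = {};
  for (const key of Object.keys(SAMPLES)) {
    out[key] = sketchStatus(SAMPLES[key], NOW);
  }
  return out;
}
```

The garbledDate case is the one worth checking in any real status helper: a date that fails to parse should never leave a credential reported as usable.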