auramaxx 0.0.1

package/docs/api/authentication.md

@@ -0,0 +1,79 @@
+# API Authentication
+
+This page is the detailed auth/token reference used by `/api` Getting Started.
+
+## Agent Bootstrap Flow
+
+1. `POST /auth` with `agentId`, profile, and `pubkey`
+2. Human approves request
+3. Agent polls `GET /auth/:requestId?secret=...`
+4. Agent receives approved token payload and uses it as `Authorization: Bearer <token>`
+
+## Core Auth Endpoints
+
+| Endpoint | Method | Auth | Notes |
+|---|---|---|---|
+| `/auth/connect` | GET | Public | Returns server ephemeral RSA public key |
+| `/auth` | POST | Public | Create approval request for agent token |
+| `/auth/:requestId` | GET | Public (with `secret`) | Poll pending/approved/rejected token request |
+| `/auth/pending` | GET | Public | List pending auth requests |
+| `/auth/validate` | POST | Public | Validate token payload/shape |
+
+## Passkey Session Endpoints
+
+Vault-unlock passkeys for session auth (separate from credential passkeys):
+
+| Endpoint | Method | Auth | Notes |
+|---|---|---|---|
+| `/auth/passkey/status` | GET | Public | Passkey auth readiness/status |
+| `/auth/passkey/register/options` | POST | Admin | Generate registration options |
+| `/auth/passkey/register/verify` | POST | Admin | Verify registration response |
+| `/auth/passkey/authenticate/options` | POST | Public | Generate authentication options |
+| `/auth/passkey/authenticate/verify` | POST | Public | Verify assertion and mint token |
+| `/auth/passkey/:credentialId` | DELETE | Admin | Remove registered vault passkey |
+
+For credential passkeys (`/credentials/passkeys/*`), see security and auth references in [`AUTH.md`](/docs/AUTH.md) and [`security.md`](/docs/security.md).
+
+## Human/Admin Session Endpoints
+
+| Endpoint | Method | Auth | Notes |
+|---|---|---|---|
+| `/unlock` | GET | Public | Browser unlock fallback page |
+| `/unlock` | POST | Public | Unlock primary vault; mint admin token |
+| `/unlock/:vaultId` | POST | Public | Unlock specific vault; mint admin token |
+| `/unlock/rekey` | POST | Public | Re-key session with new `pubkey` |
+| `/unlock/recover` | POST | Public | Seed-based recovery path |
+| `/lock` | POST | Admin | Lock all vaults |
+| `/lock/:vaultId` | POST | Admin | Lock one vault |
+
+## Human Action + Token Endpoints
+
+| Endpoint | Method | Auth | Notes |
+|---|---|---|---|
+| `/actions/pending` | GET | `action:read` | List pending actions |
+| `/actions` | POST | `action:create` | Create action request (or notify-only request) |
+| `/actions/:id/resolve` | POST | `action:resolve` | Approve/reject action |
+| `/actions/token` | POST | Admin | Direct token mint (no human approval) |
+| `/actions/token/preview` | POST | Admin | Preview token policy before mint |
+| `/actions/tokens` | GET | Admin | List issued tokens by status |
+| `/actions/tokens/revoke` | POST | Bearer | Revoke token |
+
+## Setup + Vault Auth Lifecycle
+
+| Endpoint | Method | Auth | Notes |
+|---|---|---|---|
+| `/setup` | GET | Public | Setup state (`hasWallet`, `unlocked`) |
+| `/setup` | POST | Public | Create primary vault/cold wallet |
+| `/setup/password` | POST | Admin | Rotate primary vault password |
+| `/setup/vault` | POST | Admin | Create additional vault |
+| `/setup/vault/import` | POST | Admin | Import vault from mnemonic |
+| `/setup/vaults` | GET | Public | List vaults + unlock status |
+
+## Required Mint Input
+
+Token minting paths require a valid RSA `pubkey` (`/auth`, `/unlock`, `/setup`, `/actions/token`, etc.).
+Credential read payloads are encrypted to the token's pubkey.
+
+## Full Permissions Reference
+
+For the complete permission matrix and profile rules, use [AUTH.md](/docs/AUTH.md).

package/docs/api/secrets/api-keys.md

@@ -0,0 +1,28 @@
+# API Keys Endpoints
+
+API keys are stored as credential-vault records (`type: "apikey"`) with compatibility support for legacy rows.
+
+## API Key Endpoints
+
+| Endpoint | Method | Auth | Notes |
+|---|---|---|---|
+| `/apikeys` | GET | `apikey:get` | List API keys |
+| `/apikeys` | POST | `apikey:set` | Create/update API key |
+| `/apikeys/validate` | POST | `apikey:set` | Validate provider key format/connectivity |
+| `/apikeys/:id` | DELETE | `apikey:set` | Delete API key |
+| `/apikeys/revoke-all` | DELETE | `apikey:set` | Revoke/remove all API keys |
+
+## App Access-Key Endpoint
+
+| Endpoint | Method | Auth | Notes |
+|---|---|---|---|
+| `/apps/:appId/apikey/:keyName` | GET | `app:accesskey` | Read app-scoped key material |
+
+## Adapter Secret Pattern
+
+Adapter secrets (Telegram bot token, webhook signing secret, etc.) are commonly stored via `/apikeys` with `service` values like:
+
+- `adapter:telegram`
+- `adapter:webhook`
+
+See [ADAPTERS.md](/docs/ADAPTERS.md) for adapter-specific setup details.

package/docs/api/secrets/credentials.md

@@ -0,0 +1,80 @@
+# Secrets & Credentials API
+
+## MCP Tool Mapping
+
+| MCP Tool | Typical HTTP Path |
+|---|---|
+| `get_secret` | `GET /credentials` -> `POST /credentials/:id/read` |
+| `put_secret` | `POST /credentials` or `PUT /credentials/:id` |
+| `write_diary` | `POST /what_is_happening/diary` |
+
+## Credential Vault Management
+
+| Endpoint | Method | Auth | Notes |
+|---|---|---|---|
+| `/vaults/credential` | GET | Admin | List credential vaults + counts/unlock state |
+| `/vaults/credential` | POST | Admin | Create credential vault (`linked` or `independent`) |
+| `/vaults/credential/:id/lock` | POST | Admin | Lock credential vault |
+| `/vaults/credential/:id` | DELETE | Admin | Delete vault and assigned credentials |
+
+## Credential CRUD + Lifecycle
+
+| Endpoint | Method | Auth | Notes |
+|---|---|---|---|
+| `/credentials` | GET | `secret:read` | List metadata; supports scope filters |
+| `/credentials` | POST | `secret:write` | Create credential |
+| `/credentials/:id` | GET | `secret:read` | Read metadata |
+| `/credentials/:id` | PUT | `secret:write` | Update credential |
+| `/credentials/:id` | DELETE | `secret:write` | Lifecycle delete (active -> archive -> recently deleted -> purge) |
+| `/credentials/:id/restore` | POST | `secret:write` | Restore archived/deleted credential |
+| `/credentials/purge` | POST | `secret:write` | Purge retention-expired deleted credentials |
+| `/credentials/:id/read` | POST | `secret:read` | Read encrypted secret payload (agent pubkey required) |
+| `/credentials/:id/totp` | POST | `totp:read` | Generate current TOTP code |
+| `/credentials/:id/secrets` | GET | Admin | Admin plaintext field read for web UI |
+| `/credentials/:id/reauth` | POST | `secret:write` | OAuth2 re-auth handoff helper |
+
+## Credential Health
+
+| Endpoint | Method | Auth | Notes |
+|---|---|---|---|
+| `/credentials/health/summary` | GET | `secret:read` | Aggregate health summary |
+| `/credentials/health` | GET | `secret:read` | Per-credential health rows |
+| `/credentials/health/rescan` | POST | `secret:read` | Trigger async rescan job |
+| `/credentials/health/rescan/:scanId` | GET | `secret:read` | Poll scan job status |
+
+## Import + Passkey Credential Endpoints
+
+| Endpoint | Method | Auth | Notes |
+|---|---|---|---|
+| `/credentials/import` | POST | Admin | Import credentials (CSV/1PUX, preview/commit behavior) |
+| `/credentials/passkey/register` | POST | Bearer | Register credential-passkey entry |
+| `/credentials/passkey/authenticate` | POST | Bearer | Authenticate using stored credential passkey |
+| `/credentials/passkey/match` | GET | Bearer | Match passkeys for `rpId` |
+
+## Minimal Create/Read Examples
+
+Create:
+
+```http
+POST /credentials
+Authorization: Bearer <token>
+Content-Type: application/json
+
+{
+  "vaultId": "primary",
+  "type": "apikey",
+  "name": "OPENAI_API_KEY",
+  "fields": [
+    { "key": "key", "value": "sk-...", "type": "secret", "sensitive": true }
+  ]
+}
+```
+
+Read:
+
+```http
+POST /credentials/:id/read
+Authorization: Bearer <token>
+```
+
+Response returns encrypted payload (never plaintext secret fields for non-admin agents).

package/docs/api/secrets/sharing.md

@@ -0,0 +1,48 @@
+# Credential Sharing API
+
+These endpoints power secure one-time/expiring credential share links and optional GitHub secret gist publishing.
+
+## Endpoint Summary
+
+| Endpoint | Method | Auth | Notes |
+|---|---|---|---|
+| `/credential-shares/:token` | GET | Public | Read share metadata/state |
+| `/credential-shares/:token/read` | POST | Public | Consume shared credential payload |
+| `/credential-shares` | POST | `secret:read` | Create direct share link |
+| `/credential-shares/gist` | POST | `secret:read` | Create share + publish GitHub secret gist |
+
+## Create Share Request
+
+```json
+{
+  "credentialId": "cred-abc123",
+  "expiresAfter": "24h",
+  "accessMode": "password",
+  "password": "optional-if-password-mode",
+  "oneTimeOnly": true,
+  "shareBaseUrl": "https://your-public-host"
+}
+```
+
+- `expiresAfter`: `15m | 1h | 24h | 7d | 30d`
+- `accessMode`: `anyone | password`
+- `password` required when `accessMode="password"`
+
+## Public Read Flow
+
+1. `GET /credential-shares/:token` checks metadata and status (`expired`, `already_viewed`, etc.)
+2. `POST /credential-shares/:token/read` returns sanitized credential payload (password may be required)
+
+## Gist Share Response (shape)
+
+`POST /credential-shares/gist` returns a regular share payload plus gist metadata, including gist URL and generated title.
+
+## UI Path
+
+Web share page route:
+
+```text
+/share/:token
+```
+
+This page calls `/credential-shares/:token` and `/credential-shares/:token/read`.

package/docs/api/system.md

@@ -0,0 +1,41 @@
+# System & Public Endpoints
+
+## Public/General Endpoints
+
+| Endpoint | Method | Auth | Notes |
+|---|---|---|---|
+| `/health` | GET | Public | Server liveness/health |
+| `/logs` | GET | Public | Event logs with filters/pagination |
+| `/dashboard` | GET | Public | Dashboard summary payload |
+| `/what_is_happening` | GET | Public | Heartbeat snapshot |
+| `/what_is_happening/diary` | POST | Bearer (`secret:write`) | Append `{YYYY-MM-DD}_LOGS` note |
+| `/resolve/:name` | GET | Public | ENS resolution (`.eth`) |
+| `/price/:address` | GET | Public | Token/native USD price lookup |
+| `/token/search` | GET | Public | Token search by ticker/name/address |
+| `/token/safety/:address` | GET | Public | Token safety report |
+| `/token/holders/:address` | GET | Public | Token top holders |
+| `/token/:tokenAddress/balance/:walletAddress` | GET | Public | Token balance lookup |
+| `/batch` | POST | Public endpoint; subrequest auth enforced | Execute wave-based multi-call requests |
+| `/swap/dexes` | GET | Public | List configured DEX adapters |
+
+## System/Admin Endpoints
+
+| Endpoint | Method | Auth | Notes |
+|---|---|---|---|
+| `/defaults` | GET | Admin | List system defaults |
+| `/defaults/:key` | PATCH | Admin | Update one default |
+| `/defaults/reset` | POST | Admin | Reset one/all defaults |
+| `/security/credential-access/recent` | GET | Admin | Recent credential access events |
+| `/security/credential-access/noisy-credentials` | GET | Admin | Credential hot-spot report |
+| `/security/credential-access/noisy-tokens` | GET | Admin | Token hot-spot report |
+| `/ai/status` | GET | Admin | AI provider status |
+| `/backup` | GET | Admin | List backups |
+| `/backup` | POST | Admin | Create backup |
+| `/backup` | PUT | Admin | Restore backup |
+| `/nuke` | POST | Admin | Destructive full reset |
+| `/nuke/import` | POST | Admin | Reinitialize/import from mnemonic |
+
+## Notes
+
+- `/setup` and `/dashboard` are often used as first probes by CLI/UI.
+- `/batch` is useful for reducing round-trips when workflows chain reads and writes.

package/docs/api/wallets/apps-strategies.md

@@ -0,0 +1,66 @@
+# Wallet Apps, Adapters & Strategies
+
+This page groups app/adapter/strategy surfaces under wallet operations.
+
+Action-approval endpoints live in [`docs/api/authentication.md`](/api?doc=api/authentication.md).
+
+## Adapter Endpoints
+
+| Endpoint | Method | Auth | Notes |
+|---|---|---|---|
+| `/adapters` | GET | `adapter:manage` | List adapter config/status |
+| `/adapters` | POST | `adapter:manage` | Create/update adapter config |
+| `/adapters/:type` | DELETE | `adapter:manage` | Delete adapter |
+| `/adapters/test` | POST | `adapter:manage` | Test adapter delivery |
+| `/adapters/chat` | POST | `adapter:manage` | Send adapter chat message |
+| `/adapters/:type/message` | POST | Public route with validation | Adapter inbound message ingestion |
+| `/adapters/telegram/setup-link` | POST | `adapter:manage` | Telegram setup helper |
+| `/adapters/telegram/detect-chat` | POST | `adapter:manage` | Detect Telegram chat/channel |
+| `/adapters/restart` | POST | `adapter:manage` | Reload/restart adapters |
+
+## App Storage + Messaging Endpoints
+
+| Endpoint | Method | Auth | Notes |
+|---|---|---|---|
+| `/apps/:appId/storage` | GET | `app:storage` | List app storage items |
+| `/apps/:appId/storage/:key` | GET | `app:storage` | Read app storage key |
+| `/apps/:appId/storage/:key` | PUT | `app:storage` | Set app storage key |
+| `/apps/:appId/storage/:key` | DELETE | `app:storage` | Delete app storage key |
+| `/apps/:appId/message` | POST | `app:storage` | Send app message |
+| `/apps/:appId/fetch` | POST | `app:storage` | Proxy outbound HTTP fetch with SSRF controls |
+| `/apps/:appId/token` | GET | Bearer | Issue app-scoped token |
+| `/apps/:appId/apikey/:keyName` | GET | `app:accesskey` | Resolve app API key |
+| `/apps/:appId/reload` | POST | Bearer | Reload app runtime |
+| `/apps/:appId/approve` | POST | `strategy:manage` | Approve app |
+| `/apps/:appId/approve` | DELETE | `strategy:manage` | Revoke app approval |
+
+## Strategy Endpoints
+
+| Endpoint | Method | Auth | Notes |
+|---|---|---|---|
+| `/strategies` | GET | `strategy:read` | List installed strategies |
+| `/strategies/templates` | GET | `strategy:read` | List templates |
+| `/strategies` | POST | `strategy:manage` | Create template strategy |
+| `/strategies/install` | POST | `strategy:manage` | Install third-party strategy |
+| `/strategies/health` | GET | `strategy:read` | Runtime health |
+| `/strategies/:id/toggle` | POST | `strategy:manage` | Toggle strategy |
+| `/strategies/:id/enable` | POST | `strategy:manage` | Enable strategy |
+| `/strategies/:id/disable` | POST | `strategy:manage` | Disable strategy |
+| `/strategies/:id/config` | GET | `strategy:read` | Read strategy config |
+| `/strategies/:id/config` | PUT | `strategy:manage` | Update strategy config |
+| `/strategies/:id/approve` | POST | `strategy:manage` | Approve/reject pending intents |
+| `/strategies/:id/state` | GET | `strategy:read` | Strategy debug state |
+| `/strategies/history` | GET | `strategy:read` | Strategy action history |
+| `/strategies/reload` | POST | `strategy:manage` | Reload runtime metadata |
+
+## WebSocket/Event Notes
+
+Common event channels referenced in wallet + app UI flows include:
+
+- `asset:changed`
+- `tx:created`
+- `action:created`
+- `action:resolved`
+- `action:executed`
+
+Use `/logs` and `/dashboard` for HTTP snapshots.

package/docs/api/wallets/core.md

@@ -0,0 +1,46 @@
+# Wallet Core & Trading Endpoints
+
+## Human Vault Lifecycle
+
+| Endpoint | Method | Auth | Notes |
+|---|---|---|---|
+| `/setup` | POST | Public | Create primary vault/cold wallet |
+| `/setup/password` | POST | Admin | Change primary vault password |
+| `/setup/vault` | POST | Admin | Create additional vault |
+| `/setup/vault/import` | POST | Admin | Import additional vault from seed |
+| `/setup/vaults` | GET | Public | List vaults/unlock state |
+| `/wallet/export-seed` | GET/POST | Admin | Export seed phrase (vault must be unlocked) |
+| `/unlock` | POST | Public | Unlock primary vault |
+| `/unlock/:vaultId` | POST | Public | Unlock specific vault |
+| `/unlock/rekey` | POST | Public | Rekey unlock session to a new `pubkey` |
+| `/unlock/recover` | POST | Public | Recovery flow |
+| `/lock` | POST | Admin | Lock all vaults |
+| `/lock/:vaultId` | POST | Admin | Lock one vault |
+
+## Wallet Action Endpoints
+
+| Endpoint | Method | Auth | Notes |
+|---|---|---|---|
+| `/wallets` | GET | Token optional | List wallets + balances |
+| `/wallet/:address` | GET | Token optional | Read one wallet detail by address |
+| `/wallet/create` | POST | Bearer | Create hot/temp wallet |
+| `/wallet/search` | GET | Token optional | Search wallets |
+| `/wallet/rename` | POST | Bearer | Update wallet metadata |
+| `/wallet/:address/export` | POST | Token optional | Export wallet private key |
+| `/send` | POST | Bearer | Send native/token transaction |
+| `/send/estimate` | POST | Public | Estimate EVM gas |
+| `/fund` | POST | Bearer | Transfer cold -> hot wallet |
+| `/swap` | POST | Bearer | Execute swap |
+| `/swap/quote` | POST | Bearer | Quote swap without execution |
+| `/swap/dexes` | GET | Public | List DEX adapters |
+| `/launch` | POST | Bearer | Launch token (Doppler) |
+| `/launch/:tokenAddress/collect-fees` | POST | Bearer | Collect launch fees for one token |
+| `/launch/collect-fees` | POST | Bearer | Collect launch fees for all launched tokens |
+
+## Notes
+
+- Wallet routes support both `/wallet/*` and `/wallets/*` prefixes for compatibility.
+- This doc uses `/wallets` for list reads and `/wallet/*` for item/mutation examples.
+- Amount units are raw base units (`wei`/`lamports`/token base units).
+- Token-based operations enforce permissions + wallet access + optional spend limits.
+- Use `/actions` escalation flow on permission-denied automation cases.

package/docs/api/wallets/data-portfolio.md

@@ -0,0 +1,42 @@
+# Wallet Data, Portfolio, Address Book, Bookmarks
+
+## Transaction Endpoints
+
+| Endpoint | Method | Auth | Notes |
+|---|---|---|---|
+| `/wallets/transactions` | GET | Token optional | Global transaction list |
+| `/wallet/:address/transactions` | GET | Token optional | Wallet transactions (DB path or on-chain fallback) |
+| `/wallet/:address/transactions` | POST | Bearer | Add manual transaction record |
+
+## Asset + Portfolio Endpoints
+
+| Endpoint | Method | Auth | Notes |
+|---|---|---|---|
+| `/wallet/:address/assets` | GET | Token optional | List tracked assets for wallet |
+| `/wallet/:address/asset` | POST | Bearer | Track/add asset |
+| `/wallet/:address/asset/:assetId` | DELETE | Bearer | Remove tracked asset |
+| `/portfolio` | GET | Token optional | Aggregated portfolio (chain/token rollups) |
+
+## Address Book Endpoints
+
+| Endpoint | Method | Auth | Notes |
+|---|---|---|---|
+| `/address-labels` | GET | Token optional | List labels (supports query filter) |
+| `/address-labels` | POST | Bearer | Create/update label |
+| `/address-labels/:id` | DELETE | Bearer | Delete label |
+
+## Bookmark Endpoints
+
+| Endpoint | Method | Auth | Notes |
+|---|---|---|---|
+| `/bookmarks` | GET | Token optional | List token bookmarks |
+| `/bookmarks` | POST | Bearer | Create bookmark |
+| `/bookmarks/:id` | DELETE | Bearer | Delete bookmark |
+
+## Related Public Data Endpoints
+
+For token metadata/intel lookups used in portfolio flows, see:
+
+- [`docs/api/system.md`](/api?doc=api/system.md)
+
+Compatibility note: wallet asset/transaction routes are available under both `/wallet/*` and `/wallets/*` prefixes.

package/docs/aura-file.md

@@ -0,0 +1,48 @@
+# `.aura` File Format
+
+`.aura` maps environment variable names to vault credential fields.
+
+## Syntax
+
+```ini
+# comment
+ENV_NAME=credentialName/field
+OTHER_ENV=@vaultName/credentialName/field
+```
+
+Rules:
+
+- one mapping per line
+- comments start with `#`
+- env var names are validated (must be shell-safe)
+- `@vault/...` form selects a specific vault mapping
+
+## Examples
+
+```ini
+DATABASE_URL=postgres-prod/url
+OPENAI_API_KEY=openai-prod/api_key
+GITHUB_TOKEN=@agent/github/token
+```
+
+## Usage
+
+```bash
+auramaxx env check
+auramaxx env -- npm run dev
+auramaxx env inject
+```
+
+Migration helper:
+
+```bash
+auramaxx env init --from .env
+# or during setup
+auramaxx init --from-dotenv
+```
+
+## Security notes
+
+- `env inject` writes `.env` with mode `0600`
+- `shell-hook` requires explicit allowlist per project
+- avoid committing generated `.env`

package/docs/core-concepts/FEATURES.md

@@ -0,0 +1,114 @@
+# Features
+
+Everything AuraMaxx can do for you — at a glance, then in full.
+
+---
+
+## ✨ Highlights
+
+| | Feature | What it does |
+|---|---------|-------------|
+| 🔐 | **Encrypted Vault** | Store passwords, API keys, and wallet seeds locally — encrypted at rest, never sent to the cloud |
+| 🤖 | **Agent-Ready Auth** | Give AI agents scoped, time-limited access to your secrets with human approval |
+| ⚡ | **One-Command Setup** | `npx auramaxx` — installs, configures, and starts everything in under 60 seconds |
+| 🔌 | **MCP Integration** | Works with Claude, Codex, Cursor, VS Code, and any MCP-compatible client |
+| 💸 | **Wallet Operations** | Send, swap, fund, and launch tokens across Ethereum, Base, and Solana (coming soon) |
+| 🛡️ | **Permission Profiles** | Pre-built security profiles (strict, dev, admin) — no permission guesswork |
+| 📱 | **Telegram Approvals** | Approve agent requests from your phone via Telegram bot |
+| 🧩 | **Installable Skills** | One command installs Aura capabilities into Claude, Codex, and OpenClaw agents |
+
+---
+
+## Full Feature List
+
+### Credentials & Vault
+
+- **Encrypted local vault** — AES-256 encrypted credential storage on your machine
+- **Get / set / list / delete** — Simple CLI for credential management (`aura get`, `aura set`, `aura list`, `aura del`)
+- **Credential types** — API keys, passwords, login credentials, OAuth tokens, wallet seeds
+- **Secret sharing** — Create time-limited GitHub gist share links (`aura share`)
+- **Environment injection** — Inject secrets into env vars and run commands (`aura inject`)
+- **`.aura` file mapping** — Project-level credential mapping for team workflows
+- **Credential health monitoring** — Track expiry, usage, and rotation status
+- **Import** — Bulk import credentials from `.env` files and other formats
+- **Vault tiers** — Cold (human-only), Hot (agent-accessible), Temp (ephemeral)
+
+### CLI
+
+- **Single entry point** — `npx auramaxx` or `aura` for all operations
+- **Interactive setup** — Guided first-run experience with dashboard
+- **Status & diagnostics** — `aura status` and `aura doctor` for health checks
+- **Headless mode** — `aura start --headless` for server-only environments
+- **Feature flags** — `aura experimental` to toggle dev features
+- **Skill installer** — `aura skill` to install agent skills with doctor verification
+- **Lock / unlock** — Vault lock management from CLI
+- **Quiet by default** — Concise output with `--debug` for verbose details
+
+### Authentication & Security
+
+- **Profile-based tokens** — Request tokens by profile name (strict, dev, admin)
+- **Human approval flow** — Every agent token requires human approval
+- **Action requests** — One-time elevated permissions for specific operations
+- **Spending limits** — Per-token budget caps for send, swap, fund, and launch
+- **Token lifecycle** — Memory-only tokens with configurable TTL (auto-expire on restart)
+- **Encrypted transport** — RSA-OAEP encrypted password/token exchange
+- **Credential access controls** — TTL, read-count limits, and scope restrictions per credential
+- **Strict mode** — Disable auto-approve for maximum security
+- **Token revocation** — Revoke active tokens via CLI or API
+
+### MCP Integration
+
+- **Auto-install** — `aura mcp --install` detects and configures all supported IDEs
+- **Supported clients** — Claude Desktop, Claude Code, Cursor, VS Code, Windsurf, OpenClaw, Codex
+- **Stdio server** — Standard MCP stdio transport (`npx auramaxx mcp`)
+- **Socket auth** — Local Unix socket for zero-config authentication
+- **Tool discovery** — Full credential and wallet toolset available to MCP clients
+
+### Dashboard
+
+- **Web UI** — Local dashboard at `http://localhost:4747`
+- **Vault management** — Create, unlock, and manage vaults in the browser
+- **Approval cards** — Approve/reject agent token and action requests visually
+- **Credential browser** — View, search, and manage stored credentials
+- **Wallet overview** — See balances, transactions, and asset tracking
+- **Real-time updates** — WebSocket-powered live state sync
+
+### Wallet & Trading (coming soon)
+
+- **Multi-chain** — Ethereum, Base, and Solana support
+- **Send** — Transfer native currency and tokens
+- **Swap** — Token swaps via Relay (cross-chain), Uniswap (Base), Jupiter (Solana)
+- **Fund** — Transfer from cold wallet to hot wallet with spending limits
+- **Launch** — Deploy tokens via Doppler fair launch
+- **Gas estimation** — Pre-transaction gas cost estimation
+- **Transaction history** — Full history with type, status, and amount tracking
+- **Asset tracking** — Token balance monitoring per wallet
+
+### Adapters & Notifications
+
+- **Telegram bot** — Approve requests and chat with your agent via Telegram
+- **Webhook adapter** — HTTP webhook notifications for events
+- **Agent chat** — AI-powered conversational interface via Telegram
+- **Adapter management** — Enable, configure, and test adapters from CLI or API
+
+### Apps & Extensibility
+
+- **App platform** — Install and run custom apps in the dashboard
+- **App storage** — Per-app isolated key-value storage
+- **Strategy hooks** — Tick-based and event-driven strategy execution
+- **Workspace control** — WebSocket API for dashboard widget management
+
+### Skills & Agent Setup
+
+- **Skill installer** — `npx auramaxx skill` for Claude, Codex, and OpenClaw
+- **Bundled docs** — Skills include portable documentation for agent context
+- **Doctor verification** — `npx auramaxx skill --doctor` checks install status
+- **Fallback guidance** — Clear fallback commands when auto-install fails
+
+---
+
+See also:
+- [Getting Started](../AGENT_SETUP.md)
+- [CLI Reference](../CLI.md)
+- [Auth & Permissions](../AUTH.md)
+- [Troubleshooting](../TROUBLESHOOTING.md)