auramaxx 0.0.1

package/server/types.ts

@@ -0,0 +1,146 @@
+export type WalletTier = 'cold' | 'hot' | 'temp';
+
+export interface WalletInfo {
+  address: string;
+  tier: WalletTier;
+  chain: string;
+  createdAt: string;
+  name?: string;
+  color?: string;
+  description?: string;
+  emoji?: string;
+  tokenHash?: string;
+  balance?: string;
+}
+
+export interface EncryptedData {
+  ciphertext: string;
+  iv: string;
+  salt: string;
+  mac: string; // AEAD auth tag (legacy key name kept for envelope compatibility)
+}
+
+/** Limit value: plain number (single-currency, backward compat) or address-keyed (multi-currency) */
+export type LimitValue = number | Record<string, number>;
+
+/**
+ * Agent token payload - issued to AI agents with specific permissions and limits
+ */
+export interface AgentTokenPayload {
+  agentId: string;
+  permissions: string[];      // Route permissions (e.g., 'wallet:list', 'send:hot')
+  exp: number;                // Expiry timestamp (ms)
+
+  // Per-permission limits (optional, in native currency units)
+  // Plain number = legacy single-currency limit
+  // Record<string, number> = address-keyed multi-currency limit
+  //   e.g. { "0x0000...0000": 1.0, "So111...112": 10.0 }
+  limits?: {
+    fund?: LimitValue;
+    send?: LimitValue;
+    swap?: LimitValue;
+    launch?: LimitValue;
+  };
+
+  // Wallet access grants (access existing wallets not created by this token)
+  walletAccess?: string[];    // Array of wallet addresses
+
+  // Token issued-at timestamp (ms) — used for credential TTL calculations
+  iat?: number;
+
+  // Credential vault access grants
+  credentialAccess?: {
+    read?: string[];           // Scopes for reading credentials (e.g., ["*"], ["tag:api"], ["cred-abc123"])
+    write?: string[];          // Scopes for writing credentials
+    excludeFields?: string[];  // Fields to exclude from reads (e.g., ["password", "cvv"])
+    ttl?: number;              // Max seconds from iat this token can read credentials
+    maxReads?: number;         // Max number of credential read operations
+  };
+
+  // Agent's public key (for future E2E encryption)
+  agentPubkey?: string;
+
+  // Legacy compatibility
+  limit?: number;             // Legacy: Max spend in ETH (maps to limits.fund)
+}
+
+/**
+ * Token payload type (admin tokens are just AgentTokenPayload with admin:* permission)
+ */
+export type TokenPayload = AgentTokenPayload;
+
+/** Spent value: plain number (single-currency) or address-keyed (multi-currency) */
+export type SpentValue = number | Record<string, number>;
+
+export interface TokenSession {
+  token: AgentTokenPayload;
+  spent: number;
+  // Per-permission spending tracking
+  // Plain number = legacy single-currency tracking
+  // Record<string, number> = address-keyed multi-currency tracking
+  spentByType?: {
+    fund?: SpentValue;
+    send?: SpentValue;
+    swap?: SpentValue;
+    launch?: SpentValue;
+  };
+  // Credential vault access tracking
+  credentialReads?: number;
+  tokenIssuedAt?: number;
+}
+
+export interface HumanAction {
+  id: string;
+  type: 'fund' | 'send' | 'agent_access' | 'auth' | 'permission_update' | 'action' | 'notify';
+  fromTier: WalletTier | 'system';
+  toAddress?: string;
+  amount?: string;
+  chain: string;
+  status: 'pending' | 'approved' | 'rejected' | 'acknowledged';
+  createdAt: string;
+  resolvedAt?: string;
+  metadata?: Record<string, unknown>;
+}
+
+export interface SendRequest {
+  from: string;
+  to: string;
+  amount: string;
+  chain?: string;
+}
+
+export interface CreateWalletRequest {
+  tier: 'hot' | 'temp';
+  chain?: string;
+  label?: string;
+}
+
+export interface FundRequest {
+  toHotAddress: string;
+  amount: string;
+  chain?: string;
+}
+
+// ─── Credential Vault Types ──────────────────────────────────────────
+
+export type CredentialType = 'login' | 'card' | 'note' | 'plain_note' | 'hot_wallet' | 'api' | 'apikey' | 'custom' | 'passkey' | 'oauth2' | 'ssh' | 'gpg';
+
+export interface CredentialField {
+  key: string;
+  value: string;
+  type: 'text' | 'secret' | 'url' | 'email' | 'number';
+  sensitive: boolean;
+}
+
+export interface CredentialFile {
+  id: string;
+  vaultId: string;
+  type: CredentialType;
+  name: string;
+  meta: Record<string, unknown>;
+  encrypted: EncryptedData;
+  createdAt: string;
+  updatedAt: string;
+  archivedAt?: string;
+  deletedAt?: string;
+}

package/shared/credential-field-schema.ts

@@ -0,0 +1,248 @@
+export type CredentialFieldType = 'text' | 'secret' | 'url' | 'email' | 'number';
+
+export type CredentialType =
+  | 'login'
+  | 'card'
+  | 'note'
+  | 'plain_note'
+  | 'hot_wallet'
+  | 'api'
+  | 'apikey'
+  | 'custom'
+  | 'passkey'
+  | 'oauth2'
+  | 'ssh'
+  | 'gpg';
+
+export interface CredentialFieldSpec {
+  key: string;
+  label: string;
+  type: CredentialFieldType;
+  sensitive: boolean;
+  requiredOnCreate?: boolean;
+  aliases?: string[];
+}
+
+type FieldSchemaMap = Record<CredentialType, CredentialFieldSpec[]>;
+
+export const CREDENTIAL_FIELD_KEYS = {
+  login: {
+    url: 'url',
+    username: 'username',
+    password: 'password',
+    notes: 'notes',
+    totp: 'totp',
+  },
+  card: {
+    cardholder: 'cardholder',
+    brand: 'brand',
+    billingZip: 'billing_zip',
+    last4: 'last4',
+    number: 'number',
+    cvv: 'cvv',
+    expiry: 'expiry',
+    notes: 'notes',
+  },
+  note: {
+    content: 'content',
+  },
+  plain_note: {
+    content: 'content',
+  },
+  hot_wallet: {
+    address: 'address',
+    privateKey: 'private_key',
+    chain: 'chain',
+  },
+  apikey: {
+    key: 'key',
+    value: 'value',
+  },
+  oauth2: {
+    accessToken: 'access_token',
+    refreshToken: 'refresh_token',
+    clientId: 'client_id',
+    clientSecret: 'client_secret',
+    tokenEndpoint: 'token_endpoint',
+    scopes: 'scopes',
+    authMethod: 'auth_method',
+    expiresAt: 'expires_at',
+  },
+  ssh: {
+    privateKey: 'private_key',
+    passphrase: 'passphrase',
+    publicKey: 'public_key',
+    fingerprint: 'fingerprint',
+    keyType: 'key_type',
+    hosts: 'hosts',
+  },
+  gpg: {
+    privateKey: 'private_key',
+    publicKey: 'public_key',
+    fingerprint: 'fingerprint',
+    keyId: 'key_id',
+    uidEmail: 'uid_email',
+    expiresAt: 'expires_at',
+  },
+  custom: {
+    value: 'value',
+  },
+} as const;
+
+export const CREDENTIAL_FIELD_SCHEMA: FieldSchemaMap = {
+  login: [
+    { key: CREDENTIAL_FIELD_KEYS.login.url, label: 'URL', type: 'text', sensitive: false },
+    { key: CREDENTIAL_FIELD_KEYS.login.username, label: 'Username', type: 'text', sensitive: false, requiredOnCreate: true },
+    { key: CREDENTIAL_FIELD_KEYS.login.password, label: 'Password', type: 'secret', sensitive: true, requiredOnCreate: true },
+    { key: CREDENTIAL_FIELD_KEYS.login.notes, label: 'Notes', type: 'text', sensitive: true },
+    { key: CREDENTIAL_FIELD_KEYS.login.totp, label: 'TOTP', type: 'secret', sensitive: true, aliases: ['otp'] },
+  ],
+  card: [
+    { key: CREDENTIAL_FIELD_KEYS.card.cardholder, label: 'Cardholder', type: 'text', sensitive: false, requiredOnCreate: true },
+    { key: CREDENTIAL_FIELD_KEYS.card.brand, label: 'Brand', type: 'text', sensitive: false },
+    { key: CREDENTIAL_FIELD_KEYS.card.billingZip, label: 'Billing ZIP', type: 'text', sensitive: false },
+    { key: CREDENTIAL_FIELD_KEYS.card.last4, label: 'Last 4', type: 'text', sensitive: false },
+    { key: CREDENTIAL_FIELD_KEYS.card.number, label: 'Number', type: 'text', sensitive: true, requiredOnCreate: true },
+    { key: CREDENTIAL_FIELD_KEYS.card.cvv, label: 'CVV', type: 'secret', sensitive: true, requiredOnCreate: true },
+    { key: CREDENTIAL_FIELD_KEYS.card.expiry, label: 'Expiry', type: 'text', sensitive: true, requiredOnCreate: true },
+    { key: CREDENTIAL_FIELD_KEYS.card.notes, label: 'Notes', type: 'text', sensitive: true },
+  ],
+  note: [
+    { key: CREDENTIAL_FIELD_KEYS.note.content, label: 'Content', type: 'text', sensitive: true, requiredOnCreate: true, aliases: ['value'] },
+  ],
+  plain_note: [
+    { key: CREDENTIAL_FIELD_KEYS.plain_note.content, label: 'Content', type: 'text', sensitive: false, requiredOnCreate: true, aliases: ['value'] },
+  ],
+  hot_wallet: [
+    { key: CREDENTIAL_FIELD_KEYS.hot_wallet.address, label: 'Address', type: 'text', sensitive: false, requiredOnCreate: true },
+    { key: CREDENTIAL_FIELD_KEYS.hot_wallet.chain, label: 'Chain', type: 'text', sensitive: false, requiredOnCreate: true },
+    { key: CREDENTIAL_FIELD_KEYS.hot_wallet.privateKey, label: 'Private Key', type: 'secret', sensitive: true, requiredOnCreate: true },
+  ],
+  api: [],
+  apikey: [
+    { key: CREDENTIAL_FIELD_KEYS.apikey.key, label: 'Key', type: 'text', sensitive: false, requiredOnCreate: true },
+    { key: CREDENTIAL_FIELD_KEYS.apikey.value, label: 'Value', type: 'secret', sensitive: true, requiredOnCreate: true },
+  ],
+  custom: [],
+  passkey: [],
+  oauth2: [
+    { key: CREDENTIAL_FIELD_KEYS.oauth2.tokenEndpoint, label: 'Token Endpoint', type: 'url', sensitive: false, requiredOnCreate: true },
+    { key: CREDENTIAL_FIELD_KEYS.oauth2.scopes, label: 'Scopes', type: 'text', sensitive: false },
+    { key: CREDENTIAL_FIELD_KEYS.oauth2.authMethod, label: 'Auth Method', type: 'text', sensitive: false },
+    { key: CREDENTIAL_FIELD_KEYS.oauth2.expiresAt, label: 'Expires At', type: 'number', sensitive: false, requiredOnCreate: true },
+    { key: CREDENTIAL_FIELD_KEYS.oauth2.accessToken, label: 'Access Token', type: 'secret', sensitive: true, requiredOnCreate: true },
+    { key: CREDENTIAL_FIELD_KEYS.oauth2.refreshToken, label: 'Refresh Token', type: 'secret', sensitive: true, requiredOnCreate: true },
+    { key: CREDENTIAL_FIELD_KEYS.oauth2.clientId, label: 'Client ID', type: 'secret', sensitive: true, requiredOnCreate: true },
+    { key: CREDENTIAL_FIELD_KEYS.oauth2.clientSecret, label: 'Client Secret', type: 'secret', sensitive: true, requiredOnCreate: true },
+  ],
+  ssh: [
+    { key: CREDENTIAL_FIELD_KEYS.ssh.fingerprint, label: 'Fingerprint', type: 'text', sensitive: false },
+    { key: CREDENTIAL_FIELD_KEYS.ssh.keyType, label: 'Key Type', type: 'text', sensitive: false },
+    { key: CREDENTIAL_FIELD_KEYS.ssh.hosts, label: 'Hosts', type: 'text', sensitive: false },
+    { key: CREDENTIAL_FIELD_KEYS.ssh.privateKey, label: 'Private Key', type: 'secret', sensitive: true, requiredOnCreate: true },
+    { key: CREDENTIAL_FIELD_KEYS.ssh.passphrase, label: 'Passphrase', type: 'secret', sensitive: true },
+    { key: CREDENTIAL_FIELD_KEYS.ssh.publicKey, label: 'Public Key', type: 'text', sensitive: false },
+  ],
+  gpg: [
+    { key: CREDENTIAL_FIELD_KEYS.gpg.fingerprint, label: 'Fingerprint', type: 'text', sensitive: false },
+    { key: CREDENTIAL_FIELD_KEYS.gpg.keyId, label: 'Key ID', type: 'text', sensitive: false },
+    { key: CREDENTIAL_FIELD_KEYS.gpg.uidEmail, label: 'UID Email', type: 'email', sensitive: false },
+    { key: CREDENTIAL_FIELD_KEYS.gpg.expiresAt, label: 'Expires At', type: 'text', sensitive: false },
+    { key: CREDENTIAL_FIELD_KEYS.gpg.privateKey, label: 'Private Key', type: 'secret', sensitive: true, requiredOnCreate: true },
+    { key: CREDENTIAL_FIELD_KEYS.gpg.publicKey, label: 'Public Key', type: 'text', sensitive: false },
+  ],
+};
+
+export const NOTE_CONTENT_KEY = CREDENTIAL_FIELD_KEYS.note.content;
+
+export const CREDENTIAL_PRIMARY_FIELD_KEY: Record<CredentialType, string> = {
+  login: CREDENTIAL_FIELD_KEYS.login.password,
+  card: CREDENTIAL_FIELD_KEYS.card.number,
+  note: CREDENTIAL_FIELD_KEYS.note.content,
+  plain_note: CREDENTIAL_FIELD_KEYS.plain_note.content,
+  hot_wallet: CREDENTIAL_FIELD_KEYS.hot_wallet.privateKey,
+  api: CREDENTIAL_FIELD_KEYS.apikey.value,
+  apikey: CREDENTIAL_FIELD_KEYS.apikey.value,
+  custom: CREDENTIAL_FIELD_KEYS.custom.value,
+  passkey: CREDENTIAL_FIELD_KEYS.ssh.privateKey,
+  oauth2: CREDENTIAL_FIELD_KEYS.oauth2.accessToken,
+  ssh: CREDENTIAL_FIELD_KEYS.ssh.privateKey,
+  gpg: CREDENTIAL_FIELD_KEYS.gpg.privateKey,
+};
+
+export function getCredentialPrimaryFieldKey(type: string): string {
+  if (!isCredentialType(type)) return 'value';
+  return CREDENTIAL_PRIMARY_FIELD_KEY[type] || 'value';
+}
+
+export function getCredentialPrimaryFieldSpec(type: string): CredentialFieldSpec | undefined {
+  if (!isCredentialType(type)) return undefined;
+  const primaryKey = getCredentialPrimaryFieldKey(type);
+  return CREDENTIAL_FIELD_SCHEMA[type].find((field) => field.key === primaryKey);
+}
+
+type CredentialFieldLike = { key: string };
+
+const SCHEMA_KEY_LOOKUP = Object.fromEntries(
+  (Object.entries(CREDENTIAL_FIELD_SCHEMA) as Array<[CredentialType, CredentialFieldSpec[]]>).map(([type, fields]) => {
+    const lookup = new Map<string, string>();
+    for (const field of fields) {
+      lookup.set(field.key.toLowerCase(), field.key);
+      for (const alias of field.aliases || []) {
+        lookup.set(alias.toLowerCase(), field.key);
+      }
+    }
+    return [type, lookup];
+  }),
+) as Record<CredentialType, Map<string, string>>;
+
+function isCredentialType(value: string): value is CredentialType {
+  return Object.prototype.hasOwnProperty.call(CREDENTIAL_FIELD_SCHEMA, value);
+}
+
+export function canonicalizeCredentialFieldKey(type: string, key: string): string {
+  const trimmed = key.trim();
+  if (!trimmed) return trimmed;
+  if (!isCredentialType(type)) return trimmed;
+
+  const canonical = SCHEMA_KEY_LOOKUP[type].get(trimmed.toLowerCase());
+  return canonical || trimmed;
+}
+
+export function normalizeCredentialFieldsForType<T extends CredentialFieldLike>(
+  type: string,
+  fields: readonly T[],
+): T[] {
+  if (!Array.isArray(fields) || fields.length === 0) return [];
+
+  const normalized: T[] = [];
+  const indexByKey = new Map<string, number>();
+
+  for (const field of fields) {
+    const canonicalKey = canonicalizeCredentialFieldKey(type, field.key);
+    const normalizedField = canonicalKey === field.key
+      ? field
+      : ({ ...field, key: canonicalKey } as T);
+    const existingIndex = indexByKey.get(canonicalKey);
+
+    if (existingIndex === undefined) {
+      indexByKey.set(canonicalKey, normalized.length);
+      normalized.push(normalizedField);
+      continue;
+    }
+
+    normalized[existingIndex] = normalizedField;
+  }
+
+  return normalized;
+}
+
+export function getCredentialFieldValue(
+  type: string,
+  fields: Array<{ key: string; value: string }>,
+  key: string,
+): string | undefined {
+  const normalized = normalizeCredentialFieldsForType(type, fields);
+  const canonicalKey = canonicalizeCredentialFieldKey(type, key);
+  return normalized.find((field) => field.key === canonicalKey)?.value;
+}

package/skills/auramaxx/HEARTBEAT.md

@@ -0,0 +1,78 @@
+# AuraMaxx Heartbeat
+
+This runs periodically, but you can check in anytime you want.
+
+## Heartbeat Routine
+
+1. Check what changed:
+   - MCP: `api { method: "GET", endpoint: "/what_is_happening" }`
+   - CLI: `curl http://localhost:4242/what_is_happening`
+   - Strategy engine: `wallet_api { method: "GET", endpoint: "/what_is_happening" }`
+   - Optional query params: `?since=<last_check_timestamp_ms>` and/or `&agentId=<your_agent_id>`
+
+2. Review response in this order:
+   - `highlights`
+   - `humanActions`
+   - `recentEvents`
+   - `syncHealth`
+
+3. Decide if human attention is needed:
+   - Pending approvals that block work
+   - Rejections that need a plan change
+   - Sync errors that keep repeating
+   - Security-sensitive credential activity that looks wrong
+
+4. Write a diary entry:
+   - Preferred: call `write_diary` with a compact summary of what you observed and what you did.
+   - CLI fallback: `npx auramaxx diary write --entry "..." [--date YYYY-MM-DD]`.
+   - Do not call raw unauthenticated `POST /what_is_happening/diary`.
+   - If diary write fails with auth/approval issues, ask the human to open the approval link and approve, then retry once.
+   - Diary note naming is `{YYYY-MM-DD}_LOGS` (UTC day).
+   - Use plain facts. Include counts and IDs when possible.
+
+5. Save your next cursor:
+   - Store current timestamp as your next `since` bookmark.
+
+## Ask Yourself
+
+- Did anything urgent appear?
+- Is there a blocked request waiting for a human?
+- Were any secrets accessed or changed? Which ones, by whom?
+- If no secrets were touched — has it been 12+ hours since you last told your human?
+- Is sync healthy across chains?
+
+## When To Tell Your Human
+
+**Always update your human.** Even if nothing happened, they should know you're watching.
+
+Tell your human immediately when:
+- Action is blocked on approval
+- A sync status is failing or degraded
+- A rejection changes your plan
+- Sensitive credential access/change looks unexpected
+- Any credential was read or modified since last check
+
+Tell your human every ~12 hours even if nothing happened:
+- No secrets were accessed, no actions pending, sync healthy
+- Keep it short and brainrot — you're busy auramaxxing and didn't need any secrets
+- Example: "been auramaxxing all day, vault is chilling, zero secrets touched, sync green across the board"
+
+## Response Format
+
+<response_format>
+If everything is fine and no follow-up is needed:
+HEARTBEAT_OK: [what you checked] [secrets accessed or "no secrets touched"] [sync status] [diary entry written]
+
+If follow-up is needed:
+FOLLOWUP_NEEDED: [short issue] [why it matters] [exact human action needed]
+
+If nothing happened and it's been ~12h since last human update:
+HEARTBEAT_VIBES: [brainrot status update] [vault status] [diary entry written]
+</response_format>
+
+## Examples
+
+- `HEARTBEAT_OK: checked /what_is_happening since last run; agent xyz read 'deploy-key' at 14:30 UTC; 1 pending, sync healthy; diary entry written for 2026-02-18`
+- `HEARTBEAT_OK: checked /what_is_happening; no secrets touched, 0 pending, sync green; diary entry written for 2026-02-18`
+- `FOLLOWUP_NEEDED: 2 pending fund approvals >30m old; execution is blocked; please approve/reject requests in dashboard`
+- `HEARTBEAT_VIBES: been auramaxxing all day no cap, vault is untouched, zero secrets needed, all chains synced and vibing; diary entry written for 2026-02-18`