auramaxx 0.0.1

package/server/cli/commands/auth.ts

@@ -0,0 +1,464 @@
+/**
+ * auramaxx auth — Request/poll agent auth approvals from CLI
+ */
+
+import fs from 'fs';
+import {
+  decryptWithPrivateKey,
+  generateEphemeralKeypair,
+  type ProfileIssuanceSelection,
+} from '../../lib/credential-transport';
+import { getErrorMessage } from '../../lib/error';
+import { waitForAuthDecision, fetchAuthDecisionOnce } from '../lib/approval-poll';
+import { serverUrl } from '../lib/http';
+import { printHelp } from '../lib/theme';
+
+type JsonObject = Record<string, unknown>;
+
+interface AuthCreateResponse {
+  success?: boolean;
+  requestId?: string;
+  secret?: string;
+  error?: string;
+  [key: string]: unknown;
+}
+
+interface ParsedCommon {
+  json: boolean;
+  noWait: boolean;
+  rawToken: boolean;
+  timeoutMs: number;
+  intervalMs: number;
+}
+
+interface ParsedRequestFlags extends ParsedCommon {
+  agentId: string;
+  profile: string;
+  profileVersion?: string;
+  profileOverrides?: JsonObject;
+  action?: { endpoint: string; method: string; body?: JsonObject };
+}
+
+function showHelp(): void {
+  printHelp('AUTH', 'npx auramaxx auth <subcommand> [options]', [
+    { name: 'request', desc: 'Request auth token via /auth and optionally poll for approval' },
+    { name: 'poll <requestId>', desc: 'Poll /auth/:requestId with secret' },
+    { name: 'pending', desc: 'List pending auth requests' },
+    { name: 'validate', desc: 'Validate a bearer token' },
+  ], [
+    'Request options:',
+    '  --agent-id <id>              Agent id (default: cli-auth)',
+    '  --profile <id>               Profile id (default: strict)',
+    '  --profile-version <v>        Profile version (default: v1)',
+    '  --profile-overrides <json>   Tighten-only profile override JSON',
+    '  --action <json>              Pre-computed action to auto-execute on approval',
+    '                               JSON: {"endpoint":"/send","method":"POST","body":{...}}',
+    '  --no-wait                    Do not poll after creating request',
+    '  --timeout-ms <ms>            Poll timeout (default: 120000)',
+    '  --interval-ms <ms>           Poll interval (default: 3000)',
+    '  --raw-token                  Print full token when approved',
+    '  --json                       JSON output',
+    '',
+    'Poll options:',
+    '  --secret <secret>            Required request secret',
+    '  --once                       Single poll attempt (no loop)',
+    '  --private-key-file <path>    Optional private key PEM to decrypt approved token',
+    '',
+    'Validate options:',
+    '  --token <token>              Token to validate (default: AURA_TOKEN env)',
+    '',
+    'Examples:',
+    '  npx auramaxx auth request --agent-id codex --profile strict',
+    '  npx auramaxx auth request --profile dev --profile-overrides \'{"ttlSeconds":900}\' --json',
+    '  npx auramaxx auth request --profile strict --action \'{"endpoint":"/send","method":"POST","body":{"to":"0x...","amount":"0.01"}}\'',
+    '  npx auramaxx auth poll <requestId> --secret <secret>',
+    '  npx auramaxx auth validate --token $AURA_TOKEN',
+  ]);
+}
+
+function getFlagValue(args: string[], flag: string): string | undefined {
+  const idx = args.indexOf(flag);
+  return idx >= 0 ? args[idx + 1] : undefined;
+}
+
+function parseIntegerFlag(args: string[], flag: string, fallback: number): number {
+  const raw = getFlagValue(args, flag);
+  if (!raw) return fallback;
+  const parsed = Number(raw);
+  if (!Number.isFinite(parsed) || parsed <= 0) {
+    throw new Error(`${flag} must be a positive number`);
+  }
+  return Math.floor(parsed);
+}
+
+function parseJsonObjectFlag(args: string[], flag: string): JsonObject | undefined {
+  const raw = getFlagValue(args, flag);
+  if (!raw) return undefined;
+  const parsed = JSON.parse(raw) as unknown;
+  if (!parsed || typeof parsed !== 'object' || Array.isArray(parsed)) {
+    throw new Error(`${flag} must be a JSON object`);
+  }
+  return parsed as JsonObject;
+}
+
+function parseCommon(args: string[]): ParsedCommon {
+  return {
+    json: args.includes('--json'),
+    noWait: args.includes('--no-wait'),
+    rawToken: args.includes('--raw-token'),
+    timeoutMs: parseIntegerFlag(args, '--timeout-ms', 120_000),
+    intervalMs: parseIntegerFlag(args, '--interval-ms', 3_000),
+  };
+}
+
+function parseActionFlag(args: string[]): ParsedRequestFlags['action'] {
+  const raw = getFlagValue(args, '--action');
+  if (!raw) return undefined;
+  const parsed = JSON.parse(raw) as unknown;
+  if (!parsed || typeof parsed !== 'object' || Array.isArray(parsed)) {
+    throw new Error('--action must be a JSON object with endpoint and method');
+  }
+  const obj = parsed as Record<string, unknown>;
+  if (typeof obj.endpoint !== 'string' || typeof obj.method !== 'string') {
+    throw new Error('--action requires "endpoint" (string) and "method" (string)');
+  }
+  const action: { endpoint: string; method: string; body?: JsonObject } = {
+    endpoint: obj.endpoint,
+    method: obj.method.toUpperCase(),
+  };
+  if (obj.body && typeof obj.body === 'object' && !Array.isArray(obj.body)) {
+    action.body = obj.body as JsonObject;
+  }
+  return action;
+}
+
+function parseRequestFlags(args: string[]): ParsedRequestFlags {
+  const common = parseCommon(args);
+  return {
+    ...common,
+    agentId: getFlagValue(args, '--agent-id') || 'cli-auth',
+    profile: getFlagValue(args, '--profile') || 'strict',
+    profileVersion: getFlagValue(args, '--profile-version') || 'v1',
+    profileOverrides: parseJsonObjectFlag(args, '--profile-overrides'),
+    action: parseActionFlag(args),
+  };
+}
+
+async function createAuthRequest(payload: JsonObject): Promise<AuthCreateResponse> {
+  let res: Response;
+  try {
+    res = await fetch(`${serverUrl()}/auth`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify(payload),
+      signal: AbortSignal.timeout(10_000),
+    });
+  } catch (error) {
+    throw new Error(`Cannot reach AuraMaxx server at ${serverUrl()}. Run 'npx auramaxx' first. (${getErrorMessage(error)})`);
+  }
+  const data = await res.json().catch(() => ({})) as AuthCreateResponse;
+  if (!res.ok || !data.success || !data.requestId || !data.secret) {
+    throw new Error(data.error || `Failed to create auth request (HTTP ${res.status})`);
+  }
+  return data;
+}
+
+function maskToken(token: string): string {
+  if (token.length <= 24) return token;
+  return `${token.slice(0, 20)}...${token.slice(-4)}`;
+}
+
+async function handleApprovalFlow(
+  createResult: AuthCreateResponse,
+  privateKeyPem: string,
+  options: ParsedCommon,
+): Promise<number> {
+  const requestId = createResult.requestId!;
+  const secret = createResult.secret!;
+
+  const approveUrl = typeof createResult.approveUrl === 'string' ? createResult.approveUrl : undefined;
+
+  if (options.noWait) {
+    if (options.json) {
+      console.log(JSON.stringify({
+        success: true,
+        status: 'pending',
+        requestId,
+        secret,
+        ...(approveUrl ? { approveUrl } : {}),
+        message: 'Request created. Poll /auth/:requestId with secret.',
+      }, null, 2));
+    } else {
+      console.log(`Request created.`);
+      if (approveUrl) console.log(`  approveUrl: ${approveUrl}`);
+      console.log(`  requestId: ${requestId}`);
+      console.log(`  secret: ${secret}`);
+      console.log('Use `npx auramaxx auth poll <requestId> --secret <secret>` to continue.');
+    }
+    return 0;
+  }
+
+  if (approveUrl) {
+    console.log(`Request created (${requestId}). Approve at:\n  ${approveUrl}\nWaiting for approval...`);
+  } else {
+    console.log(`Request created (${requestId}). Waiting for approval...`);
+  }
+
+  const { response, attempts, elapsedMs } = await waitForAuthDecision(
+    serverUrl(),
+    requestId,
+    secret,
+    {
+      timeoutMs: options.timeoutMs,
+      intervalMs: options.intervalMs,
+      onPending: ({ attempt }) => {
+        if (attempt === 1 || attempt % 5 === 0) {
+          console.log('  pending...');
+        }
+      },
+    },
+  );
+
+  if (response.status === 'rejected') {
+    if (options.json) {
+      console.log(JSON.stringify({
+        success: true,
+        status: 'rejected',
+        requestId,
+        attempts,
+        elapsedMs,
+      }, null, 2));
+    } else {
+      console.log('Request was rejected.');
+    }
+    return 1;
+  }
+
+  if (!response.encryptedToken) {
+    throw new Error('Approved response did not include encryptedToken');
+  }
+
+  const token = decryptWithPrivateKey(response.encryptedToken, privateKeyPem);
+
+  if (options.json) {
+    console.log(JSON.stringify({
+      success: true,
+      status: 'approved',
+      requestId,
+      attempts,
+      elapsedMs,
+      token: options.rawToken ? token : undefined,
+      tokenPreview: maskToken(token),
+    }, null, 2));
+  } else {
+    console.log('Approved.');
+    if (options.rawToken) {
+      console.log(`  token: ${token}`);
+    } else {
+      console.log(`  token: ${maskToken(token)}`);
+      console.log('  (use --raw-token to print the full token)');
+    }
+    console.log(`  export AURA_TOKEN='${token}'`);
+  }
+
+  return 0;
+}
+
+async function cmdRequest(args: string[]): Promise<number> {
+  const flags = parseRequestFlags(args);
+  const keypair = generateEphemeralKeypair();
+  const profileSelection: ProfileIssuanceSelection = {
+    profile: flags.profile,
+    profileVersion: flags.profileVersion,
+    ...(flags.profileOverrides ? { profileOverrides: flags.profileOverrides } : {}),
+  };
+
+  const createResult = await createAuthRequest({
+    agentId: flags.agentId,
+    profile: profileSelection.profile,
+    ...(profileSelection.profileVersion ? { profileVersion: profileSelection.profileVersion } : {}),
+    ...(profileSelection.profileOverrides ? { profileOverrides: profileSelection.profileOverrides } : {}),
+    ...(flags.action ? { action: flags.action } : {}),
+    pubkey: keypair.publicKeyPem,
+  });
+
+  return handleApprovalFlow(createResult, keypair.privateKeyPem, flags);
+}
+
+async function cmdPoll(args: string[]): Promise<number> {
+  const requestId = args[0];
+  if (!requestId) {
+    throw new Error('Usage: npx auramaxx auth poll <requestId> --secret <secret>');
+  }
+
+  const secret = getFlagValue(args, '--secret');
+  if (!secret) {
+    throw new Error('--secret is required');
+  }
+
+  const json = args.includes('--json');
+  const once = args.includes('--once');
+  const timeoutMs = parseIntegerFlag(args, '--timeout-ms', 120_000);
+  const intervalMs = parseIntegerFlag(args, '--interval-ms', 3_000);
+  const privateKeyFile = getFlagValue(args, '--private-key-file');
+  const privateKeyPem = privateKeyFile ? fs.readFileSync(privateKeyFile, 'utf8') : undefined;
+
+  if (once) {
+    const result = await fetchAuthDecisionOnce(serverUrl(), requestId, secret);
+    const payload = { httpStatus: result.httpStatus, ...result.payload };
+
+    if (privateKeyPem && result.payload.status === 'approved' && result.payload.encryptedToken) {
+      const token = decryptWithPrivateKey(result.payload.encryptedToken, privateKeyPem);
+      if (json) {
+        console.log(JSON.stringify({ ...payload, token }, null, 2));
+      } else {
+        console.log(JSON.stringify(payload, null, 2));
+        console.log(`token=${token}`);
+      }
+      return 0;
+    }
+
+    console.log(JSON.stringify(payload, null, 2));
+    return result.payload.status === 'rejected' ? 1 : 0;
+  }
+
+  const { response, attempts, elapsedMs } = await waitForAuthDecision(serverUrl(), requestId, secret, {
+    timeoutMs,
+    intervalMs,
+    onPending: ({ attempt }) => {
+      if (attempt === 1 || attempt % 5 === 0) {
+        console.log('  pending...');
+      }
+    },
+  });
+
+  if (json) {
+    const out: Record<string, unknown> = {
+      requestId,
+      status: response.status,
+      attempts,
+      elapsedMs,
+      response,
+    };
+    if (privateKeyPem && response.status === 'approved' && response.encryptedToken) {
+      out.token = decryptWithPrivateKey(response.encryptedToken, privateKeyPem);
+    }
+    console.log(JSON.stringify(out, null, 2));
+  } else {
+    console.log(`status=${response.status}`);
+    if (response.status === 'approved') {
+      if (privateKeyPem && response.encryptedToken) {
+        console.log(`token=${decryptWithPrivateKey(response.encryptedToken, privateKeyPem)}`);
+      } else {
+        console.log('Approved token available (encryptedToken present).');
+      }
+    }
+  }
+
+  return response.status === 'rejected' ? 1 : 0;
+}
+
+async function cmdPending(json: boolean): Promise<number> {
+  const res = await fetch(`${serverUrl()}/auth/pending`, {
+    signal: AbortSignal.timeout(10_000),
+  });
+  const data = await res.json().catch(() => ({})) as Record<string, unknown>;
+  if (!res.ok) {
+    throw new Error(String(data.error || `HTTP ${res.status}`));
+  }
+
+  if (json) {
+    console.log(JSON.stringify(data, null, 2));
+    return 0;
+  }
+
+  const requests = Array.isArray((data as { requests?: unknown[] }).requests)
+    ? (data as { requests: Array<{ id: string; status: string; createdAt: string; metadata?: { agentId?: string } }> }).requests
+    : [];
+
+  if (requests.length === 0) {
+    console.log('No pending auth requests.');
+    return 0;
+  }
+
+  for (const req of requests) {
+    const agentId = typeof req.metadata?.agentId === 'string' ? req.metadata.agentId : 'unknown';
+    console.log(`${req.id}  agent=${agentId}  status=${req.status}  createdAt=${req.createdAt}`);
+  }
+  return 0;
+}
+
+async function cmdValidate(args: string[]): Promise<number> {
+  const json = args.includes('--json');
+  const token = getFlagValue(args, '--token') || args[0] || process.env.AURA_TOKEN;
+  if (!token || token.startsWith('--')) {
+    throw new Error('validate requires --token <token> (or AURA_TOKEN)');
+  }
+
+  const res = await fetch(`${serverUrl()}/auth/validate`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ token }),
+    signal: AbortSignal.timeout(10_000),
+  });
+  const data = await res.json().catch(() => ({})) as Record<string, unknown>;
+
+  if (json) {
+    console.log(JSON.stringify(data, null, 2));
+  } else {
+    console.log(`valid=${String(data.valid ?? false)}`);
+    if (typeof data.error === 'string' && data.error) {
+      console.log(`error=${data.error}`);
+    }
+    if (typeof data.tokenHash === 'string') {
+      console.log(`tokenHash=${data.tokenHash}`);
+    }
+  }
+
+  return data.valid === true ? 0 : 1;
+}
+
+async function main(): Promise<void> {
+  const args = process.argv.slice(2);
+  const subcommand = args[0];
+
+  if (!subcommand || subcommand === '--help' || subcommand === '-h') {
+    showHelp();
+    process.exit(0);
+  }
+
+  try {
+    let code = 0;
+    switch (subcommand) {
+      case 'request':
+        code = await cmdRequest(args.slice(1));
+        break;
+      case 'poll':
+        code = await cmdPoll(args.slice(1));
+        break;
+      case 'pending':
+        code = await cmdPending(args.includes('--json'));
+        break;
+      case 'validate':
+        code = await cmdValidate(args.slice(1));
+        break;
+      default:
+        throw new Error(`Unknown auth subcommand: ${subcommand}`);
+    }
+
+    process.exit(code);
+  } catch (error) {
+    console.error(`Auth command failed: ${getErrorMessage(error)}`);
+    process.exit(1);
+  }
+}
+
+if (import.meta.url === `file://${process.argv[1]}`) {
+  main().catch((error) => {
+    console.error(`Auth command failed: ${getErrorMessage(error)}`);
+    process.exit(1);
+  });
+}
+
+// Exposed for testing only
+export const _testOnly = { parseActionFlag, parseRequestFlags };

package/server/cli/commands/cron.ts

@@ -0,0 +1,24 @@
+/**
+ * auramaxx cron — Run the cron server standalone
+ * Useful for development or running cron separately from the main server.
+ */
+
+import { findProjectRoot } from '../lib/process';
+import { execFileSync } from 'child_process';
+import path from 'path';
+
+const root = findProjectRoot();
+const cronEntry = path.join(root, 'server', 'cron', 'index.ts');
+
+console.log('Starting AuraMaxx Cron Server...\n');
+
+try {
+  execFileSync('npx', ['tsx', cronEntry], {
+    cwd: root,
+    stdio: 'inherit',
+    env: process.env,
+  });
+} catch (error: unknown) {
+  const exitCode = (error as { status?: number }).status || 1;
+  process.exit(exitCode);
+}