auramaxx 0.0.1

package/server/cli/commands/init.ts

@@ -0,0 +1,798 @@
+/**
+ * auramaxx init — First-time setup
+ *
+ * 1. Create directories + run migrations + generate Prisma client
+ * 2. Start server headless (Express only)
+ * 3. If vault exists → start dashboard, print "Already initialized", keep running
+ * 4. Prompt: Dashboard or Terminal?
+ *   a. Dashboard → start dashboard + open browser + poll until vault created
+ *   b. Terminal  → interactive vault creation + optional config
+ * 5. Print cold wallet address + funding guidance
+ * 6. Keep servers running
+ */
+
+import * as fs from 'fs';
+import * as path from 'path';
+import * as os from 'os';
+import { exec, spawn, ChildProcess } from 'child_process';
+import { fetchSetupStatus, fetchPublicKey, fetchJson, waitForServer, SetupStatus } from '../lib/http';
+import { startServer, stopServer, findProjectRoot } from '../lib/process';
+import { ensureDirectories, runMigrations, generatePrismaClient } from '../lib/init-steps';
+import { promptPassword, promptInput, promptConfirm, promptSelect } from '../lib/prompt';
+import { encryptPassword, generateAgentKeypair } from '../transport-client';
+import { getErrorMessage } from '../../lib/error';
+import { printBanner, printSection, printSeedPhrase } from '../lib/theme';
+import { migrateDotenv } from '../lib/dotenv-migrate';
+import { parseAuraFile } from '../lib/aura-parser';
+import { bootstrapViaSocket, generateEphemeralKeypair } from '../../lib/credential-transport';
+import { createCredentialViaApi, getPrimaryVaultId } from '../lib/credential-create';
+import { resolveLocalAgentModeChoice, persistLocalAgentTrustDefaults } from '../lib/local-agent-trust';
+import { loadServiceIfNeeded, isServiceInstalled } from './service';
+
+let serverChildren: ChildProcess[] = [];
+
+// SIGINT handler — if launchd is managing the servers, just detach cleanly.
+// Otherwise kill server processes.
+function cleanup() {
+  if (serverChildren.length > 0) {
+    if (isServiceInstalled()) {
+      // Service is registered — load it so servers keep running after we exit.
+      loadServiceIfNeeded();
+      console.log('\n\nServers will continue running in the background.');
+      console.log('Use `auramaxx stop` to stop.');
+    } else {
+      console.log('\n\nShutting down...');
+      stopServer();
+    }
+    serverChildren = [];
+  }
+  process.exit(0);
+}
+
+process.on('SIGINT', cleanup);
+process.on('SIGTERM', cleanup);
+
+function openBrowser(url: string) {
+  const platform = process.platform;
+  const cmd =
+    platform === 'darwin' ? `open "${url}"` :
+    platform === 'win32' ? `start "${url}"` :
+    `xdg-open "${url}"`;
+
+  exec(cmd, (err) => {
+    if (err) {
+      // Don't fail — just tell the user to open manually
+      console.log(`  Could not open browser automatically.`);
+      console.log(`  Open this URL manually: ${url}\n`);
+    }
+  });
+}
+
+const DASHBOARD_PORT = process.env.DASHBOARD_PORT || '4747';
+
+function startDashboard(): ChildProcess {
+  const root = findProjectRoot();
+  const dashboard = spawn('npx', ['next', 'dev', '-p', DASHBOARD_PORT], {
+    cwd: root,
+    env: { ...process.env, BYPASS_RATE_LIMIT: 'true' },
+    stdio: 'ignore',
+    detached: true,
+  });
+  dashboard.unref();
+  return dashboard;
+}
+
+// ─── Mode selection ──────────────────────────────────────────────
+
+async function promptSetupMode(): Promise<'dashboard' | 'terminal'> {
+  printSection('Setup Mode', 'Choose how you would like to set up your vault.');
+
+  const mode = await promptSelect(
+    '  How would you like to set up your vault?',
+    [
+      { value: 'dashboard', label: 'dashboard', aliases: ['1', 'browser'] },
+      { value: 'terminal', label: 'terminal', aliases: ['2', 'cli'] },
+    ],
+    'dashboard',
+  );
+  return mode as 'dashboard' | 'terminal';
+}
+
+// ─── Dashboard flow ──────────────────────────────────────────────
+
+async function dashboardFlow() {
+  printSection('Dashboard Setup', 'Browser-guided vault onboarding.');
+  const dashboard = startDashboard();
+  serverChildren.push(dashboard);
+
+  const dashboardUrl = `http://localhost:${DASHBOARD_PORT}`;
+  console.log('  Waiting for dashboard to start...');
+
+  // Wait for Next.js dev server to be ready before opening browser
+  const dashboardStart = Date.now();
+  while (Date.now() - dashboardStart < 30000) {
+    try {
+      const res = await fetch(dashboardUrl);
+      if (res.ok) break;
+    } catch {
+      // Not ready yet
+    }
+    await new Promise((r) => setTimeout(r, 1000));
+  }
+
+  console.log('  Opening dashboard in browser...');
+  openBrowser(dashboardUrl);
+  console.log(`  Create your vault at ${dashboardUrl}\n`);
+  console.log('  Waiting for vault creation...');
+
+  // Poll until vault is created
+  while (true) {
+    await new Promise((r) => setTimeout(r, 2000));
+    try {
+      const check = await fetchSetupStatus();
+      if (check.hasWallet) {
+        console.log('');
+        console.log('  Vault created!\n');
+        // Vault is ready — activate the launchd service so servers survive Ctrl+C
+        loadServiceIfNeeded();
+        printBanner('TIME TO AURAMAXX');
+        // Password-manager focus for now: hide wallet funding guidance in onboarding output.
+        // console.log(`  Your cold wallet address: ${check.address}`);
+        // console.log('  Send ETH on Base to this address to fund your wallet.\n');
+        console.log(`  Dashboard ready at ${dashboardUrl}`);
+        if (isServiceInstalled()) {
+          console.log('  Servers are running in the background. Use `auramaxx stop` to stop.\n');
+        } else {
+          console.log('  Servers are running. Press Ctrl+C to stop.\n');
+        }
+        break;
+      }
+    } catch {
+      // Server might be briefly unavailable, keep polling
+    }
+  }
+}
+
+// ─── Terminal flow ───────────────────────────────────────────────
+
+async function terminalFlow(): Promise<string> {
+  // Step 1: Password
+  printSection('Terminal Setup', 'Local interactive vault onboarding.');
+  const password = await promptPasswordWithConfirmation();
+
+  // Step 2: Create vault
+  console.log('\n  Creating vault...');
+  const publicKey = await fetchPublicKey();
+  const encrypted = encryptPassword(password, publicKey);
+  const { publicKey: agentPubkey } = generateAgentKeypair();
+
+  const vault = await fetchJson<{
+    success: boolean;
+    address: string;
+    mnemonic: string;
+    token: string;
+  }>('/setup', { body: { encrypted, pubkey: agentPubkey } });
+
+  console.log('  Vault created!\n');
+
+  // Step 3: Display seed phrase
+  printSeedPhrase(vault.mnemonic);
+
+  let confirmed = await promptConfirm('  Have you saved your seed phrase?');
+  while (!confirmed) {
+    console.log('\n  Please save the phrase above, then confirm to continue.');
+    confirmed = await promptConfirm('  Have you saved your seed phrase?');
+  }
+
+  const token = vault.token;
+
+  await configureLocalSocketTrust(token);
+
+  // Optional configuration is intentionally disabled for now.
+  /*
+    ── Optional Configuration ──
+
+    Press Enter to skip any step.
+
+    Anthropic API key (sk-ant-...):
+    Alchemy API key:
+    Telegram bot token:
+  */
+  // await configureApiKey(token, 'anthropic', 'Anthropic API key', 'sk-ant-...');
+  // await configureApiKey(token, 'alchemy', 'Alchemy API key', '');
+  // await configureTelegram(token);
+
+  // Step 4: Summary
+  loadServiceIfNeeded();
+  printBanner('TIME TO AURAMAXX');
+  // Password-manager focus for now: hide wallet funding/config summary in onboarding.
+  // console.log(`  Cold wallet address: ${vault.address}`);
+  // console.log('  Send ETH on Base to this address to fund your wallet.\n');
+  // const status = await fetchSetupStatus();
+  // printConfigSummary(status);
+
+  if (isServiceInstalled()) {
+    console.log('  Servers are running in the background. Use `auramaxx stop` to stop.\n');
+  } else {
+    console.log('  Servers are running. Press Ctrl+C to stop.\n');
+  }
+  return token;
+}
+
+async function promptPasswordWithConfirmation(): Promise<string> {
+  while (true) {
+    const password = await promptPassword('  Enter vault password');
+    if (password.length < 8) {
+      console.log('  Password must be at least 8 characters. Try again.\n');
+      continue;
+    }
+
+    const confirm = await promptPassword('  Confirm password');
+    if (password !== confirm) {
+      console.log('  Passwords do not match. Try again.\n');
+      continue;
+    }
+
+    return password;
+  }
+}
+
+async function configureLocalSocketTrust(token: string): Promise<void> {
+  printSection('Local Agent Trust', 'Choose default local agent mode.');
+
+  const profile = resolveLocalAgentModeChoice(
+    await promptSelect(
+      '  Local agent mode',
+      [
+        { value: 'dev', label: 'dev', aliases: ['1', 'recommended'] },
+        { value: 'strict', label: 'strict', aliases: ['2'] },
+        { value: 'admin', label: 'admin', aliases: ['3', 'dangerous'] },
+      ],
+      'dev',
+    ),
+  );
+  await persistLocalAgentTrustDefaults(token, profile);
+
+  if (profile === 'strict') {
+    console.log('  ✓ Strict mode enabled. Local auto-approve is OFF; agent requests require manual approval.\n');
+    return;
+  }
+  if (profile === 'admin') {
+    console.log('  ✓ Admin mode enabled. WARNING: local agents get broad access.\n');
+    return;
+  }
+  console.log('  ✓ Dev mode enabled. Local auto-approve remains ON with scoped profile.\n');
+}
+
+async function configureApiKey(
+  token: string,
+  service: string,
+  label: string,
+  placeholder: string,
+): Promise<boolean> {
+  const prompt = placeholder ? `  ${label} (${placeholder})` : `  ${label}`;
+  const key = await promptInput(prompt);
+
+  if (!key) return false;
+
+  // Validate
+  try {
+    const result = await fetchJson<{ valid?: boolean; error?: string }>(
+      '/apikeys/validate',
+      { body: { service, key }, token },
+    );
+
+    if (result.valid) {
+      console.log(`  ✓ Valid\n`);
+    } else {
+      console.log(`  ✗ Invalid: ${result.error || 'unknown error'}`);
+      const retry = await promptConfirm('  Try again?');
+      if (retry) return configureApiKey(token, service, label, placeholder);
+      const saveAnyway = await promptConfirm('  Save anyway?');
+      if (!saveAnyway) {
+        console.log('  Skipped.\n');
+        return false;
+      }
+    }
+  } catch (err) {
+    const msg = getErrorMessage(err);
+    console.log(`  ⚠ Could not validate: ${msg}`);
+    const saveAnyway = await promptConfirm('  Save anyway?');
+    if (!saveAnyway) {
+      console.log('  Skipped.\n');
+      return false;
+    }
+  }
+
+  // Save
+  await fetchJson('/apikeys', {
+    body: { service, name: 'default', key },
+    token,
+  });
+  console.log(`  Saved.\n`);
+  return true;
+}
+
+async function configureTelegram(token: string): Promise<boolean> {
+  const botToken = await promptInput('  Telegram bot token');
+  if (!botToken) return false;
+
+  // Validate bot token
+  try {
+    const result = await fetchJson<{ valid?: boolean; error?: string; info?: { botUsername?: string } }>(
+      '/apikeys/validate',
+      { body: { service: 'adapter:telegram', key: botToken }, token },
+    );
+
+    if (result.valid) {
+      const username = result.info?.botUsername || 'unknown';
+      console.log(`  ✓ Bot: @${username}\n`);
+    } else {
+      console.log(`  ✗ Invalid bot token: ${result.error || 'unknown error'}`);
+      const retry = await promptConfirm('  Try again?');
+      if (retry) return configureTelegram(token);
+      console.log('  Skipped.\n');
+      return false;
+    }
+  } catch (err) {
+    const msg = getErrorMessage(err);
+    console.log(`  ⚠ Could not validate bot token: ${msg}`);
+    const skip = await promptConfirm('  Skip Telegram setup?');
+    if (skip) {
+      console.log('  Skipped.\n');
+      return false;
+    }
+  }
+
+  // Auto-detect chat ID via deep link
+  let chatId = '';
+  try {
+    const linkResult = await fetchJson<{ success?: boolean; link?: string; setupToken?: string; botUsername?: string; error?: string }>(
+      '/adapters/telegram/setup-link',
+      { body: { botToken }, token },
+    );
+
+    if (linkResult.success && linkResult.link && linkResult.setupToken) {
+      console.log(`  Open this link and press Start: ${linkResult.link}\n`);
+      process.stdout.write('  Waiting for /start...');
+
+      // Poll detect-chat (up to 2 attempts ~50s)
+      for (let attempt = 0; attempt < 2; attempt++) {
+        try {
+          const detectResult = await fetchJson<{ chatId?: string | null; firstName?: string; username?: string; verified?: boolean; timeout?: boolean }>(
+            '/adapters/telegram/detect-chat',
+            { body: { setupToken: linkResult.setupToken }, token },
+          );
+
+          if (detectResult.chatId) {
+            chatId = detectResult.chatId;
+            const name = detectResult.username ? `@${detectResult.username}` : detectResult.firstName || '';
+            console.log('');
+            console.log(`  ✓ Detected chat ID: ${chatId}${name ? ` (${name})` : ''}\n`);
+            break;
+          }
+          // timeout — try again
+        } catch {
+          break;
+        }
+      }
+
+      if (!chatId) {
+        console.log(' timed out.');
+      }
+    }
+  } catch {
+    // setup-link failed, fall through to manual
+  }
+
+  // Fall back to manual input if auto-detection didn't work
+  if (!chatId) {
+    chatId = await promptInput('  Telegram chat ID');
+    if (!chatId) {
+      console.log('  Skipped (no chat ID).\n');
+      return false;
+    }
+  }
+
+  // Save bot token
+  await fetchJson('/apikeys', {
+    body: { service: 'adapter:telegram', name: 'botToken', key: botToken },
+    token,
+  });
+
+  // Save adapter config
+  await fetchJson('/adapters', {
+    body: { type: 'telegram', enabled: true, config: { chatId } },
+    token,
+  });
+
+  // Restart adapters
+  try {
+    await fetchJson('/adapters/restart', { method: 'POST', token });
+  } catch {
+    // Non-fatal
+  }
+
+  // Test
+  try {
+    const testResult = await fetchJson<{ success?: boolean; error?: string }>(
+      '/adapters/test',
+      { body: { type: 'telegram' }, token },
+    );
+    if (testResult.success) {
+      console.log('  ✓ Test message sent to Telegram.\n');
+    } else {
+      console.log(`  ⚠ Test failed: ${testResult.error || 'unknown'}. Telegram saved but may need configuration.\n`);
+    }
+  } catch {
+    console.log('  ⚠ Could not send test message. Telegram saved but may need configuration.\n');
+  }
+
+  return true;
+}
+
+function printConfigSummary(status: SetupStatus) {
+  const check = (val: boolean | undefined) => val ? '✓' : '–';
+  console.log('  Configuration:');
+  console.log(`    Vault:     ✓`);
+  console.log(`    Anthropic: ${check(status.apiKeys?.anthropic)}`);
+  console.log(`    Alchemy:   ${check(status.apiKeys?.alchemy)}`);
+  console.log(`    Telegram:  ${check(status.adapters?.telegram)}`);
+  console.log('');
+}
+
+function maybeInstallShellHook(): void {
+  if (!process.stdout.isTTY || process.env.CI === 'true') {
+    return;
+  }
+
+  const shell = path.basename(process.env.SHELL || 'bash');
+  let rcFile: string;
+  let hookCmd: string;
+
+  switch (shell) {
+    case 'zsh':
+      rcFile = path.join(os.homedir(), '.zshrc');
+      hookCmd = 'eval "$(aura shell-hook zsh)"';
+      break;
+    case 'bash':
+      rcFile = path.join(os.homedir(), '.bashrc');
+      hookCmd = 'eval "$(aura shell-hook bash)"';
+      break;
+    default:
+      return;
+  }
+
+  try {
+    if (fs.existsSync(rcFile)) {
+      const content = fs.readFileSync(rcFile, 'utf-8');
+      if (content.includes('aura shell-hook')) {
+        return;
+      }
+    }
+
+    fs.appendFileSync(rcFile, `\n# Aura shell hook — auto-load .aura env vars\n${hookCmd}\n`);
+    console.log(`  ✓ Installed shell hook in ${rcFile}`);
+    console.log(`  Restart your shell or run: source ${rcFile}\n`);
+  } catch {
+    // Non-fatal: init should succeed even if shell hook install fails.
+  }
+}
+
+// ─── Post-setup: detect .aura file and offer credential entry ───
+
+async function postSetupAuraDetection(): Promise<void> {
+  const auraPath = path.join(process.cwd(), '.aura');
+  if (!fs.existsSync(auraPath)) return;
+
+  let mappings;
+  try {
+    mappings = parseAuraFile(auraPath);
+  } catch {
+    return; // Invalid .aura file, skip
+  }
+
+  if (mappings.length === 0) return;
+
+  console.log(`\n  Found .aura file with ${mappings.length} credential(s) needed:\n`);
+  for (const m of mappings) {
+    const ref = m.vault ? `@${m.vault}/${m.credentialName}/${m.field}` : `${m.credentialName}/${m.field}`;
+    console.log(`    ${m.envVar} → ${ref}`);
+  }
+  console.log('');
+
+  const answer = await promptInput('  Ask your team for access, or enter values manually? (team/manual) [team]');
+  const choice = answer?.trim().toLowerCase() || 'team';
+
+  if (choice === 'manual') {
+    // Get auth token via socket
+    const kp = generateEphemeralKeypair();
+    const token = await bootstrapViaSocket('cli-init', kp);
+    const vaultId = await getPrimaryVaultId(token);
+
+    // Group by credential name
+    const byCredential = new Map<string, typeof mappings>();
+    for (const m of mappings) {
+      const list = byCredential.get(m.credentialName) || [];
+      list.push(m);
+      byCredential.set(m.credentialName, list);
+    }
+
+    for (const [credName, fields] of byCredential) {
+      const fieldValues: Array<{ key: string; value: string }> = [];
+
+      for (const m of fields) {
+        const value = await promptInput(`  Enter value for ${m.envVar} (→ ${credName}/${m.field})`);
+        if (value) {
+          fieldValues.push({ key: m.field, value });
+        } else {
+          console.log(`  Skipped ${m.envVar}`);
+        }
+      }
+
+      if (fieldValues.length > 0) {
+        const result = await createCredentialViaApi({
+          token,
+          vaultId,
+          name: credName,
+          fields: fieldValues,
+        });
+        if (result.success) {
+          console.log(`  ✓ Created credential: ${credName}`);
+        } else {
+          console.error(`  ✗ Failed to create ${credName}: ${result.error}`);
+        }
+      }
+    }
+    console.log('');
+  } else {
+    console.log('  Ask your team admin to share these credentials.');
+    console.log('  Once they\'re in your vault, run: aura env -- <your-command>\n');
+  }
+}
+
+// ─── Post-setup: --from-dotenv migration ────────────────────────
+
+async function resolveDotenvMigrationToken(existingToken?: string): Promise<string> {
+  if (existingToken) return existingToken;
+
+  const envToken = process.env.AURA_TOKEN?.trim();
+  if (envToken) return envToken;
+
+  const kp = generateEphemeralKeypair();
+  try {
+    return await bootstrapViaSocket('cli-init', kp);
+  } catch (socketErr) {
+    if (!process.stdin.isTTY) {
+      throw new Error(
+        `${getErrorMessage(socketErr)}\n` +
+        'Set AURA_TOKEN or run `aura unlock` in another terminal, then retry `aura init --from-dotenv`.',
+      );
+    }
+
+    console.log('  Socket auth unavailable. Unlocking vault to continue .env migration...');
+    const password = await promptPassword('  Vault password');
+    const publicKey = await fetchPublicKey();
+    const encrypted = encryptPassword(password, publicKey);
+    const { publicKey: agentPubkey } = generateAgentKeypair();
+    const unlock = await fetchJson<{ token: string }>('/unlock', {
+      body: { encrypted, pubkey: agentPubkey },
+    });
+    return unlock.token;
+  }
+}
+
+async function postSetupDotenvMigration(existingToken?: string): Promise<void> {
+  const args = process.argv.slice(2);
+  const fromIdx = args.indexOf('--from');
+  const fromPath = fromIdx >= 0 && fromIdx + 1 < args.length ? args[fromIdx + 1] : undefined;
+  const dryRun = args.includes('--dry-run');
+  const noGroup = args.includes('--no-group');
+
+  const envPath = fromPath || path.join(process.cwd(), '.env');
+
+  const token = await resolveDotenvMigrationToken(existingToken);
+
+  await migrateDotenv({
+    token,
+    envPath,
+    noGroup,
+    dryRun,
+  });
+}
+
+// ─── Headless password flow ─────────────────────────────────────
+
+async function passwordFlow(password: string): Promise<string> {
+  if (password.length < 8) {
+    console.log('  Error: Password must be at least 8 characters.');
+    process.exit(1);
+  }
+
+  console.log('  Creating vault...');
+  const publicKey = await fetchPublicKey();
+  const encrypted = encryptPassword(password, publicKey);
+  const { publicKey: agentPubkey } = generateAgentKeypair();
+
+  const vault = await fetchJson<{
+    success: boolean;
+    address: string;
+    mnemonic: string;
+    token: string;
+  }>('/setup', { body: { encrypted, pubkey: agentPubkey } });
+
+  console.log('  Vault created!\n');
+
+  printSeedPhrase(vault.mnemonic);
+  loadServiceIfNeeded();
+
+  printBanner('TIME TO AURAMAXX');
+  console.log(`  Cold wallet address: ${vault.address}`);
+  console.log(`  Admin token: ${vault.token}\n`);
+  console.log('  IMPORTANT: Save the seed phrase above. It cannot be recovered.\n');
+  if (isServiceInstalled()) {
+    console.log('  Servers are running in the background. Use `auramaxx stop` to stop.\n');
+  } else {
+    console.log('  Servers are running. Press Ctrl+C to stop.\n');
+  }
+  return vault.token;
+}
+
+// ─── Main ────────────────────────────────────────────────────────
+
+async function main() {
+  printBanner('AURAMAXX.SH BOOTING');
+
+  const root = findProjectRoot();
+  const debugMode = process.argv.includes('--debug');
+
+  // Keep boot output concise before runtime startup.
+  ensureDirectories();
+
+  // Step 1: Migrations
+  try {
+    runMigrations(root);
+    if (debugMode) console.log('  Migrating... complete');
+  } catch (error) {
+    const msg = getErrorMessage(error);
+    console.error(`  Migration failed: ${msg}`);
+    console.error('  Try running: npx prisma migrate deploy');
+    process.exit(1);
+  }
+
+  // Step 2: Prisma client
+  try {
+    generatePrismaClient(root);
+    if (debugMode) console.log('  Database... complete');
+  } catch (error) {
+    const msg = getErrorMessage(error);
+    console.error(`  Prisma generate failed: ${msg}`);
+    process.exit(1);
+  }
+
+  // Step 3: Start server headless (dashboard started later if needed)
+  if (debugMode) console.log('  Starting...');
+  stopServer();
+  serverChildren = startServer({ headless: true, debug: debugMode });
+
+  try {
+    await waitForServer(15000);
+    if (debugMode) console.log('  Starting... complete\n');
+  } catch {
+    console.error('  Server failed to start within 15 seconds.');
+    console.error(`  Check for port conflicts on :${process.env.WALLET_SERVER_PORT || '4242'}`);
+    stopServer();
+    process.exit(1);
+  }
+
+  // Step 5: Check if vault already exists
+  const status = await fetchSetupStatus();
+
+  const args = process.argv.slice(2);
+  const fromDotenv = args.includes('--from-dotenv');
+  const backgroundAfterSetup = args.includes('--background') || args.includes('--daemon') || args.includes('-d');
+  let setupToken: string | undefined;
+
+  if (status.hasWallet) {
+    if (fromDotenv) {
+      printSection('Existing Vault', 'Vault already initialized. Running dotenv migration.');
+      // Vault exists, just do the dotenv migration
+      console.log('  Vault already exists. Running .env migration...\n');
+      await postSetupDotenvMigration();
+    } else {
+      printSection('Already Initialized', 'Vault already exists. Starting dashboard.');
+      const dashboard = startDashboard();
+      serverChildren.push(dashboard);
+
+      console.log('  Vault already exists — already initialized.\n');
+      console.log(`  Cold wallet: ${status.address}`);
+      console.log(`  Dashboard:   http://localhost:${DASHBOARD_PORT}\n`);
+
+      // TODO(v2): .env-to-vault migration
+      // const envPath = path.join(process.cwd(), '.env');
+      // if (fs.existsSync(envPath)) {
+      //   console.log('  💡 Found .env file. Run `aura init --from-dotenv` to migrate secrets to the vault.\n');
+      // }
+    }
+
+    if (fromDotenv) {
+      await postSetupAuraDetection();
+    }
+
+    maybeInstallShellHook();
+    // Activate launchd service if plist was written during bootstrap
+    loadServiceIfNeeded();
+    if (backgroundAfterSetup || isServiceInstalled()) {
+      console.log('  Servers are running in the background.');
+      console.log('  Use `auramaxx stop` to stop.\n');
+      return;
+    }
+    console.log('  Servers are running. Press Ctrl+C to stop.\n');
+    // Keep event loop alive (detached children don't keep it running)
+    setInterval(() => {}, 60_000);
+    return;
+  }
+
+  // Step 6: Choose setup mode
+  const dashboardFlag = args.includes('--dashboard');
+  const passwordIdx = args.indexOf('--password');
+  const passwordValue = passwordIdx >= 0 && passwordIdx + 1 < args.length
+    ? args[passwordIdx + 1]
+    : undefined;
+
+  if (passwordValue) {
+    if (fromDotenv) {
+      setupToken = await passwordFlow(passwordValue);
+    } else {
+      await passwordFlow(passwordValue);
+    }
+  } else if (dashboardFlag) {
+    await dashboardFlow();
+  } else {
+    const mode = await promptSetupMode();
+    if (mode === 'dashboard') {
+      await dashboardFlow();
+    } else {
+      if (fromDotenv) {
+        setupToken = await terminalFlow();
+      } else {
+        await terminalFlow();
+      }
+    }
+  }
+
+  // Step 7: Post-setup — handle --from-dotenv or detect .aura
+  if (fromDotenv) {
+    try {
+      await postSetupDotenvMigration(setupToken);
+    } finally {
+      setupToken = undefined;
+    }
+  } else {
+    // Suggest --from-dotenv if .env exists but no .aura
+    // TODO(v2): .env-to-vault migration
+    // const envPath = path.join(process.cwd(), '.env');
+    // const auraPath = path.join(process.cwd(), '.aura');
+    // if (fs.existsSync(envPath) && !fs.existsSync(auraPath)) {
+    //   console.log('  💡 Found .env file. Run `aura init --from-dotenv` to migrate secrets to the vault.\n');
+    // }
+
+    // Detect .aura file and offer credential entry
+    await postSetupAuraDetection();
+  }
+
+  maybeInstallShellHook();
+  if (backgroundAfterSetup) {
+    console.log('  Aura services are running in background mode.');
+    console.log('  Use `npx auramaxx status` to check health and `npx auramaxx stop` to stop.\n');
+    return;
+  }
+  // Keep event loop alive (detached children don't keep it running)
+  setInterval(() => {}, 60_000);
+}
+
+main().catch((error) => {
+  console.error('\nError:', getErrorMessage(error));
+  stopServer();
+  process.exit(1);
+});