npm - auramaxx - Versions diffs - 0.0.1 - Mend

auramaxx 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (418) hide show

package/LICENSE +26 -0
package/README.md +77 -0
package/apps/desktop-electron/main.js +428 -0
package/bin/auramaxx.js +1063 -0
package/docs/ADAPTERS.md +466 -0
package/docs/AGENT_SETUP.md +159 -0
package/docs/API.md +127 -0
package/docs/APPS.md +199 -0
package/docs/ARCHITECTURE.md +235 -0
package/docs/AUTH.md +318 -0
package/docs/BEST-PRACTICES.md +82 -0
package/docs/CLI.md +141 -0
package/docs/DESKTOP_ELECTRON.md +26 -0
package/docs/DEVELOPING-APPS.md +453 -0
package/docs/MCP.md +122 -0
package/docs/PACKAGING_POLICY.md +19 -0
package/docs/PERMISSION.md +137 -0
package/docs/PROTOCOL.md +142 -0
package/docs/README.md +50 -0
package/docs/SKILLS.md +132 -0
package/docs/TROUBLESHOOTING.md +376 -0
package/docs/WORKSPACE.md +673 -0
package/docs/agent-auth.md +14 -0
package/docs/api/authentication.md +79 -0
package/docs/api/secrets/api-keys.md +28 -0
package/docs/api/secrets/credentials.md +80 -0
package/docs/api/secrets/sharing.md +48 -0
package/docs/api/system.md +41 -0
package/docs/api/wallets/apps-strategies.md +66 -0
package/docs/api/wallets/core.md +46 -0
package/docs/api/wallets/data-portfolio.md +42 -0
package/docs/aura-file.md +48 -0
package/docs/core-concepts/FEATURES.md +114 -0
package/docs/credentials.md +120 -0
package/docs/external/HOW_TO_AURAMAXX/GETTING_SECRETS.md +33 -0
package/docs/external/HOW_TO_AURAMAXX/README.md +45 -0
package/docs/external/getting-started.md +10 -0
package/docs/external/overview.md +19 -0
package/docs/external/persona-paths.md +7 -0
package/docs/external/share-secret.md +76 -0
package/docs/external/why-aura.md +7 -0
package/docs/security.md +227 -0
package/docs/templates/RELEASE_NOTES_TEMPLATE.md +22 -0
package/docs/wallet/AI.md +508 -0
package/docs/wallet/DEVELOPING-STRATEGIES.md +713 -0
package/docs/wallet/README.md +47 -0
package/docs/wallet/STRATEGY.md +89 -0
package/next.config.ts +28 -0
package/package.json +167 -0
package/postcss.config.mjs +8 -0
package/prisma/migrations/20260214170000_baseline/migration.sql +511 -0
package/prisma/migrations/20260216214537_add_passkey_model/migration.sql +18 -0
package/prisma/migrations/20260217150500_add_credential_access_audit/migration.sql +31 -0
package/prisma/migrations/20260222090000_update_admin_ttl_default/migration.sql +10 -0
package/prisma/migrations/migration_lock.toml +3 -0
package/prisma/schema.prisma +447 -0
package/public/logo.webp +0 -0
package/scripts/add-app.js +245 -0
package/server/abi/SwapHelper.json +438 -0
package/server/cli/approval.ts +447 -0
package/server/cli/commands/actions.ts +474 -0
package/server/cli/commands/api.ts +220 -0
package/server/cli/commands/apikey.ts +277 -0
package/server/cli/commands/app.ts +204 -0
package/server/cli/commands/auth.ts +464 -0
package/server/cli/commands/cron.ts +24 -0
package/server/cli/commands/diary.ts +274 -0
package/server/cli/commands/doctor.ts +1247 -0
package/server/cli/commands/env.ts +476 -0
package/server/cli/commands/experimental.ts +69 -0
package/server/cli/commands/init.ts +798 -0
package/server/cli/commands/lock.ts +157 -0
package/server/cli/commands/mcp.ts +285 -0
package/server/cli/commands/quickhack.ts +86 -0
package/server/cli/commands/release-check.ts +231 -0
package/server/cli/commands/restore.ts +314 -0
package/server/cli/commands/service.ts +320 -0
package/server/cli/commands/shell-hook.ts +512 -0
package/server/cli/commands/skill.ts +216 -0
package/server/cli/commands/start.ts +139 -0
package/server/cli/commands/status.ts +59 -0
package/server/cli/commands/stop.ts +36 -0
package/server/cli/commands/token.ts +180 -0
package/server/cli/commands/unlock.ts +50 -0
package/server/cli/commands/vault.ts +1323 -0
package/server/cli/commands/wallet.ts +209 -0
package/server/cli/index.ts +280 -0
package/server/cli/lib/approval-poll.ts +94 -0
package/server/cli/lib/aura-parser.ts +64 -0
package/server/cli/lib/credential-create.ts +74 -0
package/server/cli/lib/credential-resolve.ts +280 -0
package/server/cli/lib/dotenv-migrate.ts +116 -0
package/server/cli/lib/dotenv-parser.ts +146 -0
package/server/cli/lib/escalation.ts +57 -0
package/server/cli/lib/http.ts +91 -0
package/server/cli/lib/init-steps.ts +76 -0
package/server/cli/lib/local-agent-trust.ts +45 -0
package/server/cli/lib/lock-unlock-helper.ts +71 -0
package/server/cli/lib/process.ts +162 -0
package/server/cli/lib/prompt.ts +294 -0
package/server/cli/lib/theme.ts +240 -0
package/server/cli/socket.ts +579 -0
package/server/cli/transport-client.ts +50 -0
package/server/cron/index.ts +137 -0
package/server/cron/job.ts +31 -0
package/server/cron/jobs/balance-sync.ts +436 -0
package/server/cron/jobs/incoming-scan.ts +506 -0
package/server/cron/jobs/native-price.ts +70 -0
package/server/cron/jobs/orphan-cleanup.ts +40 -0
package/server/cron/jobs/strategy-runner.ts +175 -0
package/server/cron/scheduler.ts +125 -0
package/server/index.ts +420 -0
package/server/lib/adapters/factory.ts +119 -0
package/server/lib/adapters/index.ts +19 -0
package/server/lib/adapters/router.ts +297 -0
package/server/lib/adapters/telegram.ts +645 -0
package/server/lib/adapters/types.ts +89 -0
package/server/lib/adapters/webhook.ts +95 -0
package/server/lib/address.ts +49 -0
package/server/lib/agent-auth/contracts.ts +1194 -0
package/server/lib/agent-profiles.ts +419 -0
package/server/lib/ai.ts +285 -0
package/server/lib/api-registry/contracts.ts +86 -0
package/server/lib/api-registry/validation.ts +172 -0
package/server/lib/apikey-migration.ts +258 -0
package/server/lib/app-installer.ts +505 -0
package/server/lib/app-tokens.ts +247 -0
package/server/lib/approval-link.ts +27 -0
package/server/lib/auth.ts +314 -0
package/server/lib/auto-execute.ts +160 -0
package/server/lib/batch.ts +242 -0
package/server/lib/cold.ts +1048 -0
package/server/lib/config.ts +408 -0
package/server/lib/credential-access-audit.ts +85 -0
package/server/lib/credential-access-policy.ts +111 -0
package/server/lib/credential-health.ts +343 -0
package/server/lib/credential-import.ts +608 -0
package/server/lib/credential-scope.ts +102 -0
package/server/lib/credential-shares.ts +190 -0
package/server/lib/credential-transport.ts +533 -0
package/server/lib/credential-vault.ts +77 -0
package/server/lib/credentials.ts +422 -0
package/server/lib/crypto.ts +8 -0
package/server/lib/db.ts +58 -0
package/server/lib/defaults.ts +386 -0
package/server/lib/dex/index.ts +80 -0
package/server/lib/dex/relay.ts +235 -0
package/server/lib/dex/types.ts +59 -0
package/server/lib/dex/uniswap.ts +370 -0
package/server/lib/diary.ts +34 -0
package/server/lib/dont-ask-again-policy.ts +41 -0
package/server/lib/e2e-agent/artifacts.ts +36 -0
package/server/lib/e2e-agent/contracts.ts +112 -0
package/server/lib/e2e-agent/validation.ts +135 -0
package/server/lib/encrypt.ts +114 -0
package/server/lib/error.ts +20 -0
package/server/lib/events.ts +217 -0
package/server/lib/feature-flags.ts +93 -0
package/server/lib/hot.ts +357 -0
package/server/lib/human-action-summary.ts +80 -0
package/server/lib/key-fingerprint.ts +28 -0
package/server/lib/logger.ts +340 -0
package/server/lib/network.ts +137 -0
package/server/lib/notifications.ts +230 -0
package/server/lib/oauth2-refresh.ts +241 -0
package/server/lib/oursecret.ts +71 -0
package/server/lib/passkey-credential.ts +360 -0
package/server/lib/passkey.ts +68 -0
package/server/lib/permissions.ts +299 -0
package/server/lib/pino.ts +24 -0
package/server/lib/policy-preview.ts +138 -0
package/server/lib/price.ts +338 -0
package/server/lib/prices.ts +34 -0
package/server/lib/project-scope.ts +297 -0
package/server/lib/resolve-action.ts +328 -0
package/server/lib/resolve.ts +36 -0
package/server/lib/secret-gist-share.ts +296 -0
package/server/lib/sessions.ts +634 -0
package/server/lib/socket-path.ts +56 -0
package/server/lib/solana/connection.ts +26 -0
package/server/lib/solana/jupiter.ts +128 -0
package/server/lib/solana/transfer.ts +108 -0
package/server/lib/solana/wallet.ts +136 -0
package/server/lib/strategy/emits.ts +21 -0
package/server/lib/strategy/engine.ts +1305 -0
package/server/lib/strategy/executor.ts +115 -0
package/server/lib/strategy/hook-context.ts +159 -0
package/server/lib/strategy/hooks.ts +990 -0
package/server/lib/strategy/index.ts +28 -0
package/server/lib/strategy/installer.ts +305 -0
package/server/lib/strategy/loader.ts +256 -0
package/server/lib/strategy/message.ts +237 -0
package/server/lib/strategy/repository.ts +218 -0
package/server/lib/strategy/session-logger.ts +693 -0
package/server/lib/strategy/sources.ts +288 -0
package/server/lib/strategy/state.ts +189 -0
package/server/lib/strategy/templates.ts +403 -0
package/server/lib/strategy/tick.ts +404 -0
package/server/lib/strategy/types.ts +230 -0
package/server/lib/swap.ts +3 -0
package/server/lib/temp.ts +86 -0
package/server/lib/token-metadata.ts +86 -0
package/server/lib/token-safety.ts +200 -0
package/server/lib/token-search.ts +444 -0
package/server/lib/totp.ts +194 -0
package/server/lib/transactions.ts +123 -0
package/server/lib/transport.ts +84 -0
package/server/lib/txhistory/decoder.ts +262 -0
package/server/lib/txhistory/enricher.ts +652 -0
package/server/lib/txhistory/index.ts +391 -0
package/server/lib/txhistory/signatures.ts +59 -0
package/server/lib/update-check.ts +35 -0
package/server/lib/verified-summary.ts +414 -0
package/server/lib/view-registry.ts +80 -0
package/server/mcp/profile-policy.ts +30 -0
package/server/mcp/server.ts +1589 -0
package/server/mcp/tools.ts +276 -0
package/server/middleware/auth.ts +119 -0
package/server/middleware/requestLogger.ts +84 -0
package/server/routes/actions.ts +539 -0
package/server/routes/adapters.ts +711 -0
package/server/routes/addressbook.ts +113 -0
package/server/routes/ai.ts +34 -0
package/server/routes/apikeys.ts +343 -0
package/server/routes/apps.ts +601 -0
package/server/routes/auth.ts +406 -0
package/server/routes/backup.ts +404 -0
package/server/routes/batch.ts +270 -0
package/server/routes/bookmarks.ts +162 -0
package/server/routes/credential-shares.ts +380 -0
package/server/routes/credential-vaults.ts +159 -0
package/server/routes/credentials.ts +1782 -0
package/server/routes/dashboard.ts +97 -0
package/server/routes/defaults.ts +124 -0
package/server/routes/flags.ts +11 -0
package/server/routes/fund.ts +225 -0
package/server/routes/heartbeat.ts +375 -0
package/server/routes/import.ts +364 -0
package/server/routes/launch.ts +665 -0
package/server/routes/lock.ts +54 -0
package/server/routes/logs.ts +68 -0
package/server/routes/nuke.ts +111 -0
package/server/routes/passkey-credentials.ts +99 -0
package/server/routes/passkey.ts +366 -0
package/server/routes/portfolio.ts +217 -0
package/server/routes/price.ts +63 -0
package/server/routes/resolve.ts +31 -0
package/server/routes/security.ts +45 -0
package/server/routes/send-evm.ts +241 -0
package/server/routes/send-solana.ts +281 -0
package/server/routes/send.ts +178 -0
package/server/routes/setup.ts +210 -0
package/server/routes/strategy.ts +894 -0
package/server/routes/swap-evm.ts +352 -0
package/server/routes/swap-solana.ts +176 -0
package/server/routes/swap.ts +356 -0
package/server/routes/token.ts +247 -0
package/server/routes/unlock.ts +467 -0
package/server/routes/views.ts +41 -0
package/server/routes/wallet-assets.ts +361 -0
package/server/routes/wallet-transactions.ts +515 -0
package/server/routes/wallet.ts +709 -0
package/server/types.ts +146 -0
package/shared/credential-field-schema.ts +248 -0
package/skills/auramaxx/HEARTBEAT.md +78 -0
package/skills/auramaxx/SKILL.md +745 -0
package/skills/auramaxx/docs/AGENT_SETUP.md +155 -0
package/skills/auramaxx/docs/API.md +127 -0
package/skills/auramaxx/docs/AUTH.md +318 -0
package/skills/auramaxx/docs/CLI.md +130 -0
package/skills/auramaxx/docs/MCP.md +122 -0
package/skills/auramaxx/docs/TROUBLESHOOTING.md +357 -0
package/skills/auramaxx/docs/WORKSPACE.md +673 -0
package/skills/auramaxx/docs/security.md +227 -0
package/skills/task-lifecycle/SKILL.md +378 -0
package/src/app/api/[...doc]/page.tsx +36 -0
package/src/app/api/agent-requests/route.ts +30 -0
package/src/app/api/apps/install/route.ts +132 -0
package/src/app/api/apps/manifests/route.ts +16 -0
package/src/app/api/apps/static/[...path]/route.ts +57 -0
package/src/app/api/docs/plain/route.ts +74 -0
package/src/app/api/events/route.ts +92 -0
package/src/app/api/page.tsx +290 -0
package/src/app/api/workspace/[id]/apps/[wid]/route.ts +119 -0
package/src/app/api/workspace/[id]/apps/route.ts +81 -0
package/src/app/api/workspace/[id]/export/route.ts +67 -0
package/src/app/api/workspace/[id]/route.ts +168 -0
package/src/app/api/workspace/auth.ts +40 -0
package/src/app/api/workspace/config/route.ts +121 -0
package/src/app/api/workspace/import/route.ts +127 -0
package/src/app/api/workspace/route.ts +116 -0
package/src/app/app-legacy-do-not-use/page.tsx +2245 -0
package/src/app/apple-icon.png +0 -0
package/src/app/approve/[actionId]/page.tsx +409 -0
package/src/app/docs/DocsPageContent.tsx +269 -0
package/src/app/docs/[...doc]/page.tsx +41 -0
package/src/app/docs/page.tsx +38 -0
package/src/app/favicon.ico +0 -0
package/src/app/globals.css +819 -0
package/src/app/health/page.tsx +5 -0
package/src/app/hello/page.tsx +102 -0
package/src/app/icon.png +0 -0
package/src/app/layout.tsx +39 -0
package/src/app/page.tsx +1964 -0
package/src/app/privacy/page.tsx +63 -0
package/src/app/providers.tsx +87 -0
package/src/app/share/[token]/page.tsx +295 -0
package/src/app/terms/page.tsx +80 -0
package/src/components/ChainSelector.tsx +44 -0
package/src/components/HumanActionBar.tsx +697 -0
package/src/components/NotificationDrawer.tsx +387 -0
package/src/components/PasskeyEnrollmentPrompt.tsx +235 -0
package/src/components/apps/AgentKeysApp.tsx +490 -0
package/src/components/apps/App.tsx +153 -0
package/src/components/apps/AppGrid.tsx +15 -0
package/src/components/apps/DetailedAddressDrawer.tsx +325 -0
package/src/components/apps/DraggableApp.tsx +562 -0
package/src/components/apps/IFrameApp.tsx +73 -0
package/src/components/apps/LogsApp.tsx +360 -0
package/src/components/apps/SendApp.tsx +394 -0
package/src/components/apps/SetupWizardApp.tsx +1004 -0
package/src/components/apps/SystemDefaultsApp.tsx +845 -0
package/src/components/apps/ThirdPartyApp.tsx +428 -0
package/src/components/apps/TokenApp.tsx +319 -0
package/src/components/apps/TransactionsApp.tsx +438 -0
package/src/components/apps/WalletDetailApp.tsx +1505 -0
package/src/components/apps/index.ts +13 -0
package/src/components/design-system/Button.tsx +88 -0
package/src/components/design-system/ChainIndicator.tsx +65 -0
package/src/components/design-system/ChainSelector.tsx +147 -0
package/src/components/design-system/ConfirmationModal.tsx +107 -0
package/src/components/design-system/ConfirmationPopover.tsx +81 -0
package/src/components/design-system/DownloadButton.tsx +149 -0
package/src/components/design-system/Drawer.tsx +133 -0
package/src/components/design-system/FilterDropdown.tsx +183 -0
package/src/components/design-system/ItemPicker.tsx +157 -0
package/src/components/design-system/Modal.tsx +296 -0
package/src/components/design-system/Popover.tsx +142 -0
package/src/components/design-system/TextInput.tsx +85 -0
package/src/components/design-system/Toggle.tsx +65 -0
package/src/components/design-system/TyvekCollapsibleSection.tsx +55 -0
package/src/components/design-system/index.ts +14 -0
package/src/components/docs/ClientSideMarkdown.tsx +51 -0
package/src/components/docs/DocsSearchBar.tsx +118 -0
package/src/components/docs/DocsThemeToggle.tsx +38 -0
package/src/components/docs/PersistentDocGroup.tsx +91 -0
package/src/components/docs/ShareUrlButton.tsx +33 -0
package/src/components/docs/SidebarScrollMemory.tsx +56 -0
package/src/components/health/CredentialHealthDashboard.tsx +214 -0
package/src/components/icons/ChainIcons.tsx +72 -0
package/src/components/layout/AppStoreDrawer.tsx +369 -0
package/src/components/layout/ContentArea.tsx +21 -0
package/src/components/layout/CreateViewModal.tsx +88 -0
package/src/components/layout/LeftRail.tsx +114 -0
package/src/components/layout/TabBar.tsx +284 -0
package/src/components/layout/WalletSidebar.tsx +1030 -0
package/src/components/layout/index.ts +6 -0
package/src/components/marketing/AuraMaxxSpecOverlay.tsx +653 -0
package/src/components/marketing/DeviceMorphExperience.tsx +216 -0
package/src/components/vault/ApiKeysConsole.tsx +1272 -0
package/src/components/vault/AuditConsole.tsx +600 -0
package/src/components/vault/CredentialDetail.tsx +625 -0
package/src/components/vault/CredentialEmpty.tsx +55 -0
package/src/components/vault/CredentialField.tsx +583 -0
package/src/components/vault/CredentialForm.tsx +1484 -0
package/src/components/vault/CredentialList.tsx +265 -0
package/src/components/vault/CredentialRow.tsx +130 -0
package/src/components/vault/CredentialShareModal.tsx +273 -0
package/src/components/vault/CredentialVault.tsx +1662 -0
package/src/components/vault/CredentialWalletWidget.tsx +103 -0
package/src/components/vault/DocsConsole.tsx +113 -0
package/src/components/vault/ImportCredentialsModal.tsx +578 -0
package/src/components/vault/LargeTypeModal.tsx +88 -0
package/src/components/vault/PasswordGenerator.tsx +232 -0
package/src/components/vault/TOTPDisplay.tsx +108 -0
package/src/components/vault/TotpSetupPanel.tsx +198 -0
package/src/components/vault/VaultSidebar.tsx +881 -0
package/src/components/vault/credentialFormName.ts +91 -0
package/src/components/vault/hooks/useVaultKeyboardShortcuts.ts +69 -0
package/src/components/vault/types.ts +56 -0
package/src/context/AuthContext.tsx +365 -0
package/src/context/PriceContext.tsx +113 -0
package/src/context/ThemeContext.tsx +164 -0
package/src/context/WebSocketContext.tsx +269 -0
package/src/context/WorkspaceContext.tsx +668 -0
package/src/hooks/index.ts +4 -0
package/src/hooks/useAgentActions.ts +552 -0
package/src/hooks/useBalance.ts +103 -0
package/src/hooks/useBalances.ts +129 -0
package/src/hooks/useTheme.ts +156 -0
package/src/instrumentation.ts +12 -0
package/src/lib/api-docs.ts +154 -0
package/src/lib/api.ts +474 -0
package/src/lib/app-loader.ts +148 -0
package/src/lib/app-registry.ts +178 -0
package/src/lib/app-sdk.ts +157 -0
package/src/lib/audit-console-adapter.ts +151 -0
package/src/lib/auth-client.ts +75 -0
package/src/lib/config.ts +74 -0
package/src/lib/credential-field-schema.ts +11 -0
package/src/lib/crypto.ts +112 -0
package/src/lib/db.ts +21 -0
package/src/lib/docs.ts +544 -0
package/src/lib/events.ts +363 -0
package/src/lib/pino.ts +24 -0
package/src/lib/theme-handlers.ts +168 -0
package/src/lib/theme.ts +351 -0
package/src/lib/tokenData.ts +378 -0
package/src/lib/totp-import.ts +57 -0
package/src/lib/vault-crypto.ts +129 -0
package/src/lib/view-registry.ts +57 -0
package/src/lib/websocket-server.ts +302 -0
package/src/lib/websocket-setup.ts +79 -0
package/src/lib/wordlist.ts +2050 -0
package/src/lib/workspace-handlers.ts +285 -0
package/start.sh +170 -0
package/tailwind.config.ts +99 -0
package/tsconfig.json +42 -0

package/server/cli/commands/release-check.ts ADDED Viewed

@@ -0,0 +1,231 @@
+/**
+ * auramaxx release-check — pre-release guardrail checklist
+ */
+import fs from 'fs';
+import path from 'path';
+import { spawnSync } from 'child_process';
+import { getErrorMessage } from '../../lib/error';
+import { printBanner } from '../lib/theme';
+type ItemStatus = 'PASS' | 'WARN' | 'FAIL';
+interface ChecklistItem {
+  id: string;
+  title: string;
+  status: ItemStatus;
+  details: string[];
+  blocking?: boolean;
+}
+interface ReleaseReport {
+  ok: boolean;
+  baseRef: string;
+  changed: { added: string[]; modified: string[]; deleted: string[] };
+  checklist: ChecklistItem[];
+}
+const ROOT = path.resolve(__dirname, '..', '..', '..');
+function run(command: string, args: string[]): { ok: boolean; stdout: string; stderr: string; code: number } {
+  const r = spawnSync(command, args, { cwd: ROOT, encoding: 'utf8' });
+  return {
+    ok: (r.status ?? 1) === 0,
+    stdout: r.stdout || '',
+    stderr: r.stderr || '',
+    code: r.status ?? 1,
+  };
+}
+function parseArgs(argv: string[]): { json: boolean; base?: string } {
+  const json = argv.includes('--json');
+  const baseIdx = argv.indexOf('--base');
+  const base = baseIdx >= 0 ? argv[baseIdx + 1] : undefined;
+  return { json, base };
+}
+function getLastReleaseRef(explicitBase?: string): string {
+  if (explicitBase) return explicitBase;
+  const tag = run('git', ['describe', '--tags', '--abbrev=0']);
+  if (tag.ok) return tag.stdout.trim();
+  const first = run('git', ['rev-list', '--max-parents=0', 'HEAD']);
+  if (!first.ok) throw new Error('Unable to resolve release base ref');
+  return first.stdout.trim().split('\n')[0];
+}
+function parseChangedFiles(baseRef: string): { added: string[]; modified: string[]; deleted: string[] } {
+  const diff = run('git', ['diff', '--name-status', `${baseRef}..HEAD`]);
+  if (!diff.ok) throw new Error(diff.stderr || 'git diff failed');
+  const added: string[] = [];
+  const modified: string[] = [];
+  const deleted: string[] = [];
+  for (const line of diff.stdout.split('\n')) {
+    if (!line.trim()) continue;
+    const [status, file] = line.split(/\s+/, 2);
+    if (!file) continue;
+    if (status.startsWith('A')) added.push(file);
+    else if (status.startsWith('D')) deleted.push(file);
+    else modified.push(file);
+  }
+  return { added, modified, deleted };
+}
+function runSanityChecks(): ChecklistItem {
+  const checks: Array<{ label: string; command: string; args: string[] }> = [
+    { label: 'protected gate', command: 'npm', args: ['run', 'security:protected-gate'] },
+    { label: 'job docs validation', command: 'node', args: ['scripts/validate-job-docs.mjs'] },
+  ];
+  const details: string[] = [];
+  let failed = false;
+  for (const check of checks) {
+    const r = run(check.command, check.args);
+    details.push(`${check.label}: ${r.ok ? 'ok' : `failed (exit ${r.code})`}`);
+    if (!r.ok) failed = true;
+  }
+  return {
+    id: 'sanity',
+    title: 'Run existing sanity scripts',
+    status: failed ? 'FAIL' : 'PASS',
+    details,
+    blocking: failed,
+  };
+}
+function scanDoxxing(changedFiles: string[]): ChecklistItem {
+  const patterns: Array<{ label: string; re: RegExp }> = [
+    { label: 'private key', re: /-----BEGIN (RSA |EC )?PRIVATE KEY-----/ },
+    { label: 'api key token', re: /(sk-[A-Za-z0-9]{16,}|ghp_[A-Za-z0-9]{20,}|xox[baprs]-[A-Za-z0-9-]{10,})/ },
+    { label: 'jwt-like token', re: /eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9._-]{10,}\.[A-Za-z0-9._-]{10,}/ },
+    { label: 'local absolute path', re: /\/Users\/[A-Za-z0-9._-]+\// },
+    { label: 'email address', re: /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i },
+  ];
+  const findings: string[] = [];
+  for (const file of changedFiles) {
+    const abs = path.join(ROOT, file);
+    if (!fs.existsSync(abs) || fs.statSync(abs).isDirectory()) continue;
+    const content = fs.readFileSync(abs, 'utf8');
+    for (const p of patterns) {
+      if (p.re.test(content)) findings.push(`${file}: matched ${p.label}`);
+    }
+  }
+  return {
+    id: 'doxxing',
+    title: 'Doxxing/privacy leak scan on changed files',
+    status: findings.length ? 'WARN' : 'PASS',
+    details: findings.length ? findings.slice(0, 20) : ['No obvious sensitive-pattern hits'],
+    blocking: false,
+  };
+}
+function globToRegex(glob: string): RegExp {
+  const escaped = glob
+    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
+    .replace(/\*\*/g, '::DOUBLE_STAR::')
+    .replace(/\*/g, '[^/]*')
+    .replace(/::DOUBLE_STAR::/g, '.*');
+  return new RegExp(`^${escaped}$`);
+}
+function verifySecurityRouteCoverage(changedFiles: string[]): ChecklistItem {
+  const protectedFile = path.join(ROOT, 'docs/internal/PROTECTED_FILES.md');
+  const indexFile = path.join(ROOT, 'server/index.ts');
+  const details: string[] = [];
+  if (!fs.existsSync(protectedFile)) {
+    return { id: 'security-routes', title: 'Protected/security route coverage', status: 'FAIL', details: ['Missing docs/internal/PROTECTED_FILES.md'], blocking: true };
+  }
+  const globs = fs.readFileSync(protectedFile, 'utf8')
+    .split('\n')
+    .map((line) => line.trim())
+    .filter((line) => line.startsWith('- `server/routes/'))
+    .map((line) => line.replace(/^- `|`$/g, '').trim());
+  const matchers = globs.map(globToRegex);
+  const changedRoutes = changedFiles.filter((f) => f.startsWith('server/routes/'));
+  const uncoveredChanged = changedRoutes.filter((f) => !matchers.some((re) => re.test(f)) && /(auth|lock|unlock|setup|security|passkey|credential-vaults)/.test(path.basename(f)));
+  if (uncoveredChanged.length) {
+    details.push(`Sensitive route changes not covered by protected list: ${uncoveredChanged.join(', ')}`);
+  } else {
+    details.push('Sensitive route changes are covered by protected file list.');
+  }
+  if (fs.existsSync(indexFile)) {
+    const indexText = fs.readFileSync(indexFile, 'utf8');
+    if (!indexText.includes("import securityRoutes from './routes/security'")) {
+      details.push('server/routes/security.ts is not imported by server/index.ts');
+      return { id: 'security-routes', title: 'Protected/security route coverage', status: 'FAIL', details, blocking: true };
+    }
+  }
+  return {
+    id: 'security-routes',
+    title: 'Protected/security route coverage',
+    status: uncoveredChanged.length ? 'FAIL' : 'PASS',
+    details,
+    blocking: uncoveredChanged.length > 0,
+  };
+}
+function printReport(report: ReleaseReport): void {
+  printBanner('RELEASE CHECK');
+  console.log(`Base ref: ${report.baseRef}`);
+  console.log(`Changed files: +${report.changed.added.length} ~${report.changed.modified.length} -${report.changed.deleted.length}`);
+  if (report.changed.added.length) {
+    console.log(`New files (${report.changed.added.length}):`);
+    for (const file of report.changed.added.slice(0, 20)) console.log(`  + ${file}`);
+  }
+  console.log('\nChecklist:');
+  for (const item of report.checklist) {
+    const marker = item.status === 'PASS' ? '✅' : item.status === 'WARN' ? '⚠️' : '❌';
+    console.log(`- ${marker} ${item.title} [${item.status}]`);
+    for (const line of item.details) console.log(`    - ${line}`);
+    if (item.status !== 'PASS') {
+      console.log(`    - Next step: ${item.blocking ? 'Fix before release.' : 'Review manually before release sign-off.'}`);
+    }
+  }
+}
+async function main() {
+  const args = parseArgs(process.argv.slice(2));
+  const baseRef = getLastReleaseRef(args.base);
+  const changed = parseChangedFiles(baseRef);
+  const changedAll = [...changed.added, ...changed.modified, ...changed.deleted];
+  const checklist: ChecklistItem[] = [
+    {
+      id: 'diff-audit',
+      title: 'Diff audit since last release',
+      status: 'PASS',
+      details: [
+        `Added: ${changed.added.length}`,
+        `Modified: ${changed.modified.length}`,
+        `Deleted: ${changed.deleted.length}`,
+      ],
+    },
+    runSanityChecks(),
+    scanDoxxing([...changed.added, ...changed.modified]),
+    verifySecurityRouteCoverage(changedAll),
+  ];
+  const ok = checklist.every((item) => item.status !== 'FAIL' || !item.blocking);
+  const report: ReleaseReport = { ok, baseRef, changed, checklist };
+  if (args.json) {
+    console.log(JSON.stringify(report, null, 2));
+  } else {
+    printReport(report);
+  }
+  process.exit(ok ? 0 : 1);
+}
+main().catch((error) => {
+  console.error('release-check failed:', getErrorMessage(error));
+  process.exit(1);
+});

package/server/cli/commands/restore.ts ADDED Viewed

@@ -0,0 +1,314 @@
+#!/usr/bin/env tsx
+/**
+ * npx auramaxx restore — Restore from a backup
+ *
+ * Usage:
+ *   npx auramaxx restore --list              # List available backups
+ *   npx auramaxx restore --latest            # Restore most recent backup
+ *   npx auramaxx restore <filename>          # Restore specific backup
+ *   npx auramaxx restore --dry-run <file>    # Preview without modifying
+ *   npx auramaxx restore --dry-run --latest  # Preview latest restore
+ */
+import { readdir, stat, copyFile, unlink, rename } from 'fs/promises';
+import { join } from 'path';
+import { existsSync, mkdirSync } from 'fs';
+import { execSync } from 'child_process';
+import { createServer } from 'net';
+import { getDbPath, getBackupsDir } from '../../lib/config';
+import { ensureBackupsDir, verifyIntegrity } from '../../routes/backup';
+const DATA_DIR = join(getDbPath(), '..');
+const CREDENTIALS_DIR = join(DATA_DIR, 'credentials');
+interface BackupEntry {
+  filename: string;
+  timestamp: string;
+  size: number;
+  date: Date;
+}
+async function listBackups(): Promise<BackupEntry[]> {
+  const backupsDir = getBackupsDir();
+  ensureBackupsDir();
+  const files = await readdir(backupsDir);
+  const backups: BackupEntry[] = [];
+  for (const file of files) {
+    if (file.startsWith('auramaxx.db.') && file.endsWith('.bak')) {
+      const match = file.match(/auramaxx\.db\.(\d{8}_\d{6})\.bak/);
+      if (!match) continue;
+      const filePath = join(backupsDir, file);
+      const fileStat = await stat(filePath);
+      backups.push({
+        filename: file,
+        timestamp: match[1],
+        size: fileStat.size,
+        date: fileStat.mtime,
+      });
+    }
+  }
+  backups.sort((a, b) => b.date.getTime() - a.date.getTime());
+  return backups;
+}
+function formatSize(bytes: number): string {
+  if (bytes < 1024) return `${bytes} B`;
+  if (bytes < 1024 * 1024) return `${(bytes / 1024).toFixed(1)} KB`;
+  return `${(bytes / (1024 * 1024)).toFixed(1)} MB`;
+}
+function formatTimestamp(ts: string): string {
+  // YYYYMMDD_HHMMSS -> YYYY-MM-DD HH:MM:SS
+  return `${ts.slice(0, 4)}-${ts.slice(4, 6)}-${ts.slice(6, 8)} ${ts.slice(9, 11)}:${ts.slice(11, 13)}:${ts.slice(13, 15)}`;
+}
+async function checkServerRunning(): Promise<boolean> {
+  return new Promise((resolve) => {
+    const server = createServer();
+    server.once('error', (error: NodeJS.ErrnoException) => {
+      if (error.code === 'EADDRINUSE') {
+        resolve(true);
+      } else {
+        resolve(false);
+      }
+    });
+    server.once('listening', () => {
+      server.close();
+      resolve(false);
+    });
+    server.listen(4242, '127.0.0.1');
+  });
+}
+async function createPreRestoreBackup(): Promise<string> {
+  const dbFile = getDbPath();
+  if (!existsSync(dbFile)) return '';
+  const backupsDir = getBackupsDir();
+  ensureBackupsDir();
+  const now = new Date();
+  const timestamp = now.toISOString().replace(/[-:]/g, '').replace('T', '_').split('.')[0];
+  const filename = `pre-restore.${timestamp}.bak`;
+  const backupPath = join(backupsDir, filename);
+  await copyFile(dbFile, backupPath);
+  return filename;
+}
+async function restoreCredentials(backupsDir: string, timestamp: string): Promise<number> {
+  const allFiles = await readdir(backupsDir);
+  const credBackups = allFiles.filter(
+    (f) => f.startsWith(`credentials.${timestamp}.cred-`) && f.endsWith('.json')
+  );
+  if (credBackups.length === 0) return 0;
+  if (!existsSync(CREDENTIALS_DIR)) {
+    mkdirSync(CREDENTIALS_DIR, { recursive: true });
+  }
+  // Remove existing credentials
+  if (existsSync(CREDENTIALS_DIR)) {
+    const existing = await readdir(CREDENTIALS_DIR);
+    for (const f of existing) {
+      if (f.startsWith('cred-') && f.endsWith('.json')) {
+        await unlink(join(CREDENTIALS_DIR, f));
+      }
+    }
+  }
+  // Copy from backup
+  for (const f of credBackups) {
+    const destName = f.replace(`credentials.${timestamp}.`, '');
+    await copyFile(join(backupsDir, f), join(CREDENTIALS_DIR, destName));
+  }
+  return credBackups.length;
+}
+async function runMigrations(): Promise<number> {
+  try {
+    const output = execSync('npx prisma migrate deploy', {
+      cwd: join(__dirname, '..', '..', '..'),
+      env: { ...process.env, DATABASE_URL: `file:${getDbPath()}` },
+      encoding: 'utf-8',
+      stdio: ['pipe', 'pipe', 'pipe'],
+    });
+    // Count applied migrations from output
+    const matches = output.match(/(\d+) migration/);
+    return matches ? parseInt(matches[1], 10) : 0;
+  } catch (error: any) {
+    const errMsg = error.stderr || error.message || 'Unknown error';
+    console.error(`\n  ✗ Migration FAILED: ${errMsg}`);
+    console.error('  This is a critical error — the restored DB may have an incompatible schema.');
+    throw new Error(`Migration failed: ${errMsg}`);
+  }
+}
+async function main() {
+  const args = process.argv.slice(2);
+  const listFlag = args.includes('--list');
+  const latestFlag = args.includes('--latest');
+  const dryRun = args.includes('--dry-run');
+  const filename = args.find((a) => !a.startsWith('--'));
+  if (!listFlag && !latestFlag && !filename) {
+    console.log(`
+  auramaxx restore — Restore from a backup
+  Usage:
+    npx auramaxx restore --list              List available backups
+    npx auramaxx restore --latest            Restore most recent backup
+    npx auramaxx restore <filename>          Restore specific backup
+    npx auramaxx restore --dry-run --latest  Preview without modifying
+`);
+    process.exit(0);
+  }
+  // --list: show backups and exit
+  if (listFlag) {
+    const backups = await listBackups();
+    if (backups.length === 0) {
+      console.log('No backups found.');
+      process.exit(0);
+    }
+    console.log(`\n  Available backups (${backups.length}):\n`);
+    for (const b of backups) {
+      console.log(`    ${b.filename}  ${formatTimestamp(b.timestamp)}  ${formatSize(b.size)}`);
+    }
+    console.log();
+    process.exit(0);
+  }
+  // Determine which backup to restore
+  let targetFilename: string;
+  if (latestFlag) {
+    const backups = await listBackups();
+    if (backups.length === 0) {
+      console.error('No backups found.');
+      process.exit(1);
+    }
+    targetFilename = backups[0].filename;
+  } else {
+    targetFilename = filename!;
+  }
+  // Validate filename
+  if (!targetFilename.match(/^auramaxx\.db\.\d{8}_\d{6}\.bak$/)) {
+    console.error(`Invalid backup filename: ${targetFilename}`);
+    process.exit(1);
+  }
+  const backupsDir = getBackupsDir();
+  const backupPath = join(backupsDir, targetFilename);
+  if (!existsSync(backupPath)) {
+    console.error(`Backup not found: ${targetFilename}`);
+    process.exit(1);
+  }
+  const backupStat = await stat(backupPath);
+  const tsMatch = targetFilename.match(/auramaxx\.db\.(\d{8}_\d{6})\.bak/)!;
+  const timestamp = tsMatch[1];
+  // Count matching credential backups
+  const allFiles = await readdir(backupsDir);
+  const credCount = allFiles.filter(
+    (f) => f.startsWith(`credentials.${timestamp}.cred-`) && f.endsWith('.json')
+  ).length;
+  console.log(`\n  Restore target: ${targetFilename}`);
+  console.log(`  Created:        ${formatTimestamp(timestamp)}`);
+  console.log(`  Size:           ${formatSize(backupStat.size)}`);
+  console.log(`  Credentials:    ${credCount} file(s)`);
+  // Verify backup integrity
+  console.log('\n  Verifying backup integrity...');
+  if (!verifyIntegrity(backupPath)) {
+    console.error('  ✗ Backup FAILED integrity check. Aborting.');
+    process.exit(1);
+  }
+  console.log('  ✓ Backup integrity OK');
+  if (dryRun) {
+    console.log('\n  --dry-run: No changes made.\n');
+    process.exit(0);
+  }
+  // Check if server is running
+  const serverRunning = await checkServerRunning();
+  if (serverRunning) {
+    console.log('\n  ⚠️  WARNING: Server appears to be running on port 4242.');
+    console.log('  Stop it first with `npx auramaxx stop` for clean restore.');
+    console.log('  Proceeding anyway...\n');
+  }
+  // Pre-restore safety backup
+  const preRestoreName = await createPreRestoreBackup();
+  if (preRestoreName) {
+    console.log(`  Pre-restore backup: ${preRestoreName}`);
+  }
+  // Restore DB
+  const dbPath = getDbPath();
+  const tempPath = dbPath + '.restore-tmp';
+  await copyFile(backupPath, tempPath);
+  await rename(tempPath, dbPath);
+  console.log('  ✓ Database restored');
+  // Restore credentials
+  const restoredCreds = await restoreCredentials(backupsDir, timestamp);
+  console.log(`  ✓ Credentials restored: ${restoredCreds} file(s)`);
+  // Run migrations
+  console.log('  Running schema migrations...');
+  let migrationsApplied: number;
+  try {
+    migrationsApplied = await runMigrations();
+  } catch {
+    if (preRestoreName) {
+      console.error(`\n  Reverting to pre-restore backup: ${preRestoreName}`);
+      const revertTemp = dbPath + '.revert-tmp';
+      await copyFile(join(backupsDir, preRestoreName), revertTemp);
+      await rename(revertTemp, dbPath);
+      console.error('  ✓ Reverted to pre-restore state.');
+    }
+    process.exit(1);
+  }
+  console.log(`  ✓ Migrations applied: ${migrationsApplied}`);
+  // Final integrity check
+  console.log('  Verifying restored database...');
+  if (!verifyIntegrity(dbPath)) {
+    console.error('  ✗ Restored DB FAILED integrity check!');
+    console.error(`  Safety backup available: ${preRestoreName}`);
+    process.exit(1);
+  }
+  console.log('  ✓ Restored database integrity OK');
+  // Clean up old pre-restore backups (keep last 3)
+  const allBackupFiles = await readdir(backupsDir);
+  const preRestoreFiles = allBackupFiles
+    .filter(f => f.startsWith('pre-restore.') && f.endsWith('.bak'))
+    .sort()
+    .reverse();
+  if (preRestoreFiles.length > 3) {
+    for (let i = 3; i < preRestoreFiles.length; i++) {
+      await unlink(join(backupsDir, preRestoreFiles[i]));
+    }
+    console.log(`  ✓ Cleaned up ${preRestoreFiles.length - 3} old pre-restore backup(s)`);
+  }
+  console.log(`\n  ✅ Restore complete!\n`);
+}
+main().catch((err) => {
+  console.error('Restore failed:', err.message || err);
+  process.exit(1);
+});