npm - auramaxx - Versions diffs - 0.0.1 - Mend

auramaxx 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (418) hide show

package/LICENSE +26 -0
package/README.md +77 -0
package/apps/desktop-electron/main.js +428 -0
package/bin/auramaxx.js +1063 -0
package/docs/ADAPTERS.md +466 -0
package/docs/AGENT_SETUP.md +159 -0
package/docs/API.md +127 -0
package/docs/APPS.md +199 -0
package/docs/ARCHITECTURE.md +235 -0
package/docs/AUTH.md +318 -0
package/docs/BEST-PRACTICES.md +82 -0
package/docs/CLI.md +141 -0
package/docs/DESKTOP_ELECTRON.md +26 -0
package/docs/DEVELOPING-APPS.md +453 -0
package/docs/MCP.md +122 -0
package/docs/PACKAGING_POLICY.md +19 -0
package/docs/PERMISSION.md +137 -0
package/docs/PROTOCOL.md +142 -0
package/docs/README.md +50 -0
package/docs/SKILLS.md +132 -0
package/docs/TROUBLESHOOTING.md +376 -0
package/docs/WORKSPACE.md +673 -0
package/docs/agent-auth.md +14 -0
package/docs/api/authentication.md +79 -0
package/docs/api/secrets/api-keys.md +28 -0
package/docs/api/secrets/credentials.md +80 -0
package/docs/api/secrets/sharing.md +48 -0
package/docs/api/system.md +41 -0
package/docs/api/wallets/apps-strategies.md +66 -0
package/docs/api/wallets/core.md +46 -0
package/docs/api/wallets/data-portfolio.md +42 -0
package/docs/aura-file.md +48 -0
package/docs/core-concepts/FEATURES.md +114 -0
package/docs/credentials.md +120 -0
package/docs/external/HOW_TO_AURAMAXX/GETTING_SECRETS.md +33 -0
package/docs/external/HOW_TO_AURAMAXX/README.md +45 -0
package/docs/external/getting-started.md +10 -0
package/docs/external/overview.md +19 -0
package/docs/external/persona-paths.md +7 -0
package/docs/external/share-secret.md +76 -0
package/docs/external/why-aura.md +7 -0
package/docs/security.md +227 -0
package/docs/templates/RELEASE_NOTES_TEMPLATE.md +22 -0
package/docs/wallet/AI.md +508 -0
package/docs/wallet/DEVELOPING-STRATEGIES.md +713 -0
package/docs/wallet/README.md +47 -0
package/docs/wallet/STRATEGY.md +89 -0
package/next.config.ts +28 -0
package/package.json +167 -0
package/postcss.config.mjs +8 -0
package/prisma/migrations/20260214170000_baseline/migration.sql +511 -0
package/prisma/migrations/20260216214537_add_passkey_model/migration.sql +18 -0
package/prisma/migrations/20260217150500_add_credential_access_audit/migration.sql +31 -0
package/prisma/migrations/20260222090000_update_admin_ttl_default/migration.sql +10 -0
package/prisma/migrations/migration_lock.toml +3 -0
package/prisma/schema.prisma +447 -0
package/public/logo.webp +0 -0
package/scripts/add-app.js +245 -0
package/server/abi/SwapHelper.json +438 -0
package/server/cli/approval.ts +447 -0
package/server/cli/commands/actions.ts +474 -0
package/server/cli/commands/api.ts +220 -0
package/server/cli/commands/apikey.ts +277 -0
package/server/cli/commands/app.ts +204 -0
package/server/cli/commands/auth.ts +464 -0
package/server/cli/commands/cron.ts +24 -0
package/server/cli/commands/diary.ts +274 -0
package/server/cli/commands/doctor.ts +1247 -0
package/server/cli/commands/env.ts +476 -0
package/server/cli/commands/experimental.ts +69 -0
package/server/cli/commands/init.ts +798 -0
package/server/cli/commands/lock.ts +157 -0
package/server/cli/commands/mcp.ts +285 -0
package/server/cli/commands/quickhack.ts +86 -0
package/server/cli/commands/release-check.ts +231 -0
package/server/cli/commands/restore.ts +314 -0
package/server/cli/commands/service.ts +320 -0
package/server/cli/commands/shell-hook.ts +512 -0
package/server/cli/commands/skill.ts +216 -0
package/server/cli/commands/start.ts +139 -0
package/server/cli/commands/status.ts +59 -0
package/server/cli/commands/stop.ts +36 -0
package/server/cli/commands/token.ts +180 -0
package/server/cli/commands/unlock.ts +50 -0
package/server/cli/commands/vault.ts +1323 -0
package/server/cli/commands/wallet.ts +209 -0
package/server/cli/index.ts +280 -0
package/server/cli/lib/approval-poll.ts +94 -0
package/server/cli/lib/aura-parser.ts +64 -0
package/server/cli/lib/credential-create.ts +74 -0
package/server/cli/lib/credential-resolve.ts +280 -0
package/server/cli/lib/dotenv-migrate.ts +116 -0
package/server/cli/lib/dotenv-parser.ts +146 -0
package/server/cli/lib/escalation.ts +57 -0
package/server/cli/lib/http.ts +91 -0
package/server/cli/lib/init-steps.ts +76 -0
package/server/cli/lib/local-agent-trust.ts +45 -0
package/server/cli/lib/lock-unlock-helper.ts +71 -0
package/server/cli/lib/process.ts +162 -0
package/server/cli/lib/prompt.ts +294 -0
package/server/cli/lib/theme.ts +240 -0
package/server/cli/socket.ts +579 -0
package/server/cli/transport-client.ts +50 -0
package/server/cron/index.ts +137 -0
package/server/cron/job.ts +31 -0
package/server/cron/jobs/balance-sync.ts +436 -0
package/server/cron/jobs/incoming-scan.ts +506 -0
package/server/cron/jobs/native-price.ts +70 -0
package/server/cron/jobs/orphan-cleanup.ts +40 -0
package/server/cron/jobs/strategy-runner.ts +175 -0
package/server/cron/scheduler.ts +125 -0
package/server/index.ts +420 -0
package/server/lib/adapters/factory.ts +119 -0
package/server/lib/adapters/index.ts +19 -0
package/server/lib/adapters/router.ts +297 -0
package/server/lib/adapters/telegram.ts +645 -0
package/server/lib/adapters/types.ts +89 -0
package/server/lib/adapters/webhook.ts +95 -0
package/server/lib/address.ts +49 -0
package/server/lib/agent-auth/contracts.ts +1194 -0
package/server/lib/agent-profiles.ts +419 -0
package/server/lib/ai.ts +285 -0
package/server/lib/api-registry/contracts.ts +86 -0
package/server/lib/api-registry/validation.ts +172 -0
package/server/lib/apikey-migration.ts +258 -0
package/server/lib/app-installer.ts +505 -0
package/server/lib/app-tokens.ts +247 -0
package/server/lib/approval-link.ts +27 -0
package/server/lib/auth.ts +314 -0
package/server/lib/auto-execute.ts +160 -0
package/server/lib/batch.ts +242 -0
package/server/lib/cold.ts +1048 -0
package/server/lib/config.ts +408 -0
package/server/lib/credential-access-audit.ts +85 -0
package/server/lib/credential-access-policy.ts +111 -0
package/server/lib/credential-health.ts +343 -0
package/server/lib/credential-import.ts +608 -0
package/server/lib/credential-scope.ts +102 -0
package/server/lib/credential-shares.ts +190 -0
package/server/lib/credential-transport.ts +533 -0
package/server/lib/credential-vault.ts +77 -0
package/server/lib/credentials.ts +422 -0
package/server/lib/crypto.ts +8 -0
package/server/lib/db.ts +58 -0
package/server/lib/defaults.ts +386 -0
package/server/lib/dex/index.ts +80 -0
package/server/lib/dex/relay.ts +235 -0
package/server/lib/dex/types.ts +59 -0
package/server/lib/dex/uniswap.ts +370 -0
package/server/lib/diary.ts +34 -0
package/server/lib/dont-ask-again-policy.ts +41 -0
package/server/lib/e2e-agent/artifacts.ts +36 -0
package/server/lib/e2e-agent/contracts.ts +112 -0
package/server/lib/e2e-agent/validation.ts +135 -0
package/server/lib/encrypt.ts +114 -0
package/server/lib/error.ts +20 -0
package/server/lib/events.ts +217 -0
package/server/lib/feature-flags.ts +93 -0
package/server/lib/hot.ts +357 -0
package/server/lib/human-action-summary.ts +80 -0
package/server/lib/key-fingerprint.ts +28 -0
package/server/lib/logger.ts +340 -0
package/server/lib/network.ts +137 -0
package/server/lib/notifications.ts +230 -0
package/server/lib/oauth2-refresh.ts +241 -0
package/server/lib/oursecret.ts +71 -0
package/server/lib/passkey-credential.ts +360 -0
package/server/lib/passkey.ts +68 -0
package/server/lib/permissions.ts +299 -0
package/server/lib/pino.ts +24 -0
package/server/lib/policy-preview.ts +138 -0
package/server/lib/price.ts +338 -0
package/server/lib/prices.ts +34 -0
package/server/lib/project-scope.ts +297 -0
package/server/lib/resolve-action.ts +328 -0
package/server/lib/resolve.ts +36 -0
package/server/lib/secret-gist-share.ts +296 -0
package/server/lib/sessions.ts +634 -0
package/server/lib/socket-path.ts +56 -0
package/server/lib/solana/connection.ts +26 -0
package/server/lib/solana/jupiter.ts +128 -0
package/server/lib/solana/transfer.ts +108 -0
package/server/lib/solana/wallet.ts +136 -0
package/server/lib/strategy/emits.ts +21 -0
package/server/lib/strategy/engine.ts +1305 -0
package/server/lib/strategy/executor.ts +115 -0
package/server/lib/strategy/hook-context.ts +159 -0
package/server/lib/strategy/hooks.ts +990 -0
package/server/lib/strategy/index.ts +28 -0
package/server/lib/strategy/installer.ts +305 -0
package/server/lib/strategy/loader.ts +256 -0
package/server/lib/strategy/message.ts +237 -0
package/server/lib/strategy/repository.ts +218 -0
package/server/lib/strategy/session-logger.ts +693 -0
package/server/lib/strategy/sources.ts +288 -0
package/server/lib/strategy/state.ts +189 -0
package/server/lib/strategy/templates.ts +403 -0
package/server/lib/strategy/tick.ts +404 -0
package/server/lib/strategy/types.ts +230 -0
package/server/lib/swap.ts +3 -0
package/server/lib/temp.ts +86 -0
package/server/lib/token-metadata.ts +86 -0
package/server/lib/token-safety.ts +200 -0
package/server/lib/token-search.ts +444 -0
package/server/lib/totp.ts +194 -0
package/server/lib/transactions.ts +123 -0
package/server/lib/transport.ts +84 -0
package/server/lib/txhistory/decoder.ts +262 -0
package/server/lib/txhistory/enricher.ts +652 -0
package/server/lib/txhistory/index.ts +391 -0
package/server/lib/txhistory/signatures.ts +59 -0
package/server/lib/update-check.ts +35 -0
package/server/lib/verified-summary.ts +414 -0
package/server/lib/view-registry.ts +80 -0
package/server/mcp/profile-policy.ts +30 -0
package/server/mcp/server.ts +1589 -0
package/server/mcp/tools.ts +276 -0
package/server/middleware/auth.ts +119 -0
package/server/middleware/requestLogger.ts +84 -0
package/server/routes/actions.ts +539 -0
package/server/routes/adapters.ts +711 -0
package/server/routes/addressbook.ts +113 -0
package/server/routes/ai.ts +34 -0
package/server/routes/apikeys.ts +343 -0
package/server/routes/apps.ts +601 -0
package/server/routes/auth.ts +406 -0
package/server/routes/backup.ts +404 -0
package/server/routes/batch.ts +270 -0
package/server/routes/bookmarks.ts +162 -0
package/server/routes/credential-shares.ts +380 -0
package/server/routes/credential-vaults.ts +159 -0
package/server/routes/credentials.ts +1782 -0
package/server/routes/dashboard.ts +97 -0
package/server/routes/defaults.ts +124 -0
package/server/routes/flags.ts +11 -0
package/server/routes/fund.ts +225 -0
package/server/routes/heartbeat.ts +375 -0
package/server/routes/import.ts +364 -0
package/server/routes/launch.ts +665 -0
package/server/routes/lock.ts +54 -0
package/server/routes/logs.ts +68 -0
package/server/routes/nuke.ts +111 -0
package/server/routes/passkey-credentials.ts +99 -0
package/server/routes/passkey.ts +366 -0
package/server/routes/portfolio.ts +217 -0
package/server/routes/price.ts +63 -0
package/server/routes/resolve.ts +31 -0
package/server/routes/security.ts +45 -0
package/server/routes/send-evm.ts +241 -0
package/server/routes/send-solana.ts +281 -0
package/server/routes/send.ts +178 -0
package/server/routes/setup.ts +210 -0
package/server/routes/strategy.ts +894 -0
package/server/routes/swap-evm.ts +352 -0
package/server/routes/swap-solana.ts +176 -0
package/server/routes/swap.ts +356 -0
package/server/routes/token.ts +247 -0
package/server/routes/unlock.ts +467 -0
package/server/routes/views.ts +41 -0
package/server/routes/wallet-assets.ts +361 -0
package/server/routes/wallet-transactions.ts +515 -0
package/server/routes/wallet.ts +709 -0
package/server/types.ts +146 -0
package/shared/credential-field-schema.ts +248 -0
package/skills/auramaxx/HEARTBEAT.md +78 -0
package/skills/auramaxx/SKILL.md +745 -0
package/skills/auramaxx/docs/AGENT_SETUP.md +155 -0
package/skills/auramaxx/docs/API.md +127 -0
package/skills/auramaxx/docs/AUTH.md +318 -0
package/skills/auramaxx/docs/CLI.md +130 -0
package/skills/auramaxx/docs/MCP.md +122 -0
package/skills/auramaxx/docs/TROUBLESHOOTING.md +357 -0
package/skills/auramaxx/docs/WORKSPACE.md +673 -0
package/skills/auramaxx/docs/security.md +227 -0
package/skills/task-lifecycle/SKILL.md +378 -0
package/src/app/api/[...doc]/page.tsx +36 -0
package/src/app/api/agent-requests/route.ts +30 -0
package/src/app/api/apps/install/route.ts +132 -0
package/src/app/api/apps/manifests/route.ts +16 -0
package/src/app/api/apps/static/[...path]/route.ts +57 -0
package/src/app/api/docs/plain/route.ts +74 -0
package/src/app/api/events/route.ts +92 -0
package/src/app/api/page.tsx +290 -0
package/src/app/api/workspace/[id]/apps/[wid]/route.ts +119 -0
package/src/app/api/workspace/[id]/apps/route.ts +81 -0
package/src/app/api/workspace/[id]/export/route.ts +67 -0
package/src/app/api/workspace/[id]/route.ts +168 -0
package/src/app/api/workspace/auth.ts +40 -0
package/src/app/api/workspace/config/route.ts +121 -0
package/src/app/api/workspace/import/route.ts +127 -0
package/src/app/api/workspace/route.ts +116 -0
package/src/app/app-legacy-do-not-use/page.tsx +2245 -0
package/src/app/apple-icon.png +0 -0
package/src/app/approve/[actionId]/page.tsx +409 -0
package/src/app/docs/DocsPageContent.tsx +269 -0
package/src/app/docs/[...doc]/page.tsx +41 -0
package/src/app/docs/page.tsx +38 -0
package/src/app/favicon.ico +0 -0
package/src/app/globals.css +819 -0
package/src/app/health/page.tsx +5 -0
package/src/app/hello/page.tsx +102 -0
package/src/app/icon.png +0 -0
package/src/app/layout.tsx +39 -0
package/src/app/page.tsx +1964 -0
package/src/app/privacy/page.tsx +63 -0
package/src/app/providers.tsx +87 -0
package/src/app/share/[token]/page.tsx +295 -0
package/src/app/terms/page.tsx +80 -0
package/src/components/ChainSelector.tsx +44 -0
package/src/components/HumanActionBar.tsx +697 -0
package/src/components/NotificationDrawer.tsx +387 -0
package/src/components/PasskeyEnrollmentPrompt.tsx +235 -0
package/src/components/apps/AgentKeysApp.tsx +490 -0
package/src/components/apps/App.tsx +153 -0
package/src/components/apps/AppGrid.tsx +15 -0
package/src/components/apps/DetailedAddressDrawer.tsx +325 -0
package/src/components/apps/DraggableApp.tsx +562 -0
package/src/components/apps/IFrameApp.tsx +73 -0
package/src/components/apps/LogsApp.tsx +360 -0
package/src/components/apps/SendApp.tsx +394 -0
package/src/components/apps/SetupWizardApp.tsx +1004 -0
package/src/components/apps/SystemDefaultsApp.tsx +845 -0
package/src/components/apps/ThirdPartyApp.tsx +428 -0
package/src/components/apps/TokenApp.tsx +319 -0
package/src/components/apps/TransactionsApp.tsx +438 -0
package/src/components/apps/WalletDetailApp.tsx +1505 -0
package/src/components/apps/index.ts +13 -0
package/src/components/design-system/Button.tsx +88 -0
package/src/components/design-system/ChainIndicator.tsx +65 -0
package/src/components/design-system/ChainSelector.tsx +147 -0
package/src/components/design-system/ConfirmationModal.tsx +107 -0
package/src/components/design-system/ConfirmationPopover.tsx +81 -0
package/src/components/design-system/DownloadButton.tsx +149 -0
package/src/components/design-system/Drawer.tsx +133 -0
package/src/components/design-system/FilterDropdown.tsx +183 -0
package/src/components/design-system/ItemPicker.tsx +157 -0
package/src/components/design-system/Modal.tsx +296 -0
package/src/components/design-system/Popover.tsx +142 -0
package/src/components/design-system/TextInput.tsx +85 -0
package/src/components/design-system/Toggle.tsx +65 -0
package/src/components/design-system/TyvekCollapsibleSection.tsx +55 -0
package/src/components/design-system/index.ts +14 -0
package/src/components/docs/ClientSideMarkdown.tsx +51 -0
package/src/components/docs/DocsSearchBar.tsx +118 -0
package/src/components/docs/DocsThemeToggle.tsx +38 -0
package/src/components/docs/PersistentDocGroup.tsx +91 -0
package/src/components/docs/ShareUrlButton.tsx +33 -0
package/src/components/docs/SidebarScrollMemory.tsx +56 -0
package/src/components/health/CredentialHealthDashboard.tsx +214 -0
package/src/components/icons/ChainIcons.tsx +72 -0
package/src/components/layout/AppStoreDrawer.tsx +369 -0
package/src/components/layout/ContentArea.tsx +21 -0
package/src/components/layout/CreateViewModal.tsx +88 -0
package/src/components/layout/LeftRail.tsx +114 -0
package/src/components/layout/TabBar.tsx +284 -0
package/src/components/layout/WalletSidebar.tsx +1030 -0
package/src/components/layout/index.ts +6 -0
package/src/components/marketing/AuraMaxxSpecOverlay.tsx +653 -0
package/src/components/marketing/DeviceMorphExperience.tsx +216 -0
package/src/components/vault/ApiKeysConsole.tsx +1272 -0
package/src/components/vault/AuditConsole.tsx +600 -0
package/src/components/vault/CredentialDetail.tsx +625 -0
package/src/components/vault/CredentialEmpty.tsx +55 -0
package/src/components/vault/CredentialField.tsx +583 -0
package/src/components/vault/CredentialForm.tsx +1484 -0
package/src/components/vault/CredentialList.tsx +265 -0
package/src/components/vault/CredentialRow.tsx +130 -0
package/src/components/vault/CredentialShareModal.tsx +273 -0
package/src/components/vault/CredentialVault.tsx +1662 -0
package/src/components/vault/CredentialWalletWidget.tsx +103 -0
package/src/components/vault/DocsConsole.tsx +113 -0
package/src/components/vault/ImportCredentialsModal.tsx +578 -0
package/src/components/vault/LargeTypeModal.tsx +88 -0
package/src/components/vault/PasswordGenerator.tsx +232 -0
package/src/components/vault/TOTPDisplay.tsx +108 -0
package/src/components/vault/TotpSetupPanel.tsx +198 -0
package/src/components/vault/VaultSidebar.tsx +881 -0
package/src/components/vault/credentialFormName.ts +91 -0
package/src/components/vault/hooks/useVaultKeyboardShortcuts.ts +69 -0
package/src/components/vault/types.ts +56 -0
package/src/context/AuthContext.tsx +365 -0
package/src/context/PriceContext.tsx +113 -0
package/src/context/ThemeContext.tsx +164 -0
package/src/context/WebSocketContext.tsx +269 -0
package/src/context/WorkspaceContext.tsx +668 -0
package/src/hooks/index.ts +4 -0
package/src/hooks/useAgentActions.ts +552 -0
package/src/hooks/useBalance.ts +103 -0
package/src/hooks/useBalances.ts +129 -0
package/src/hooks/useTheme.ts +156 -0
package/src/instrumentation.ts +12 -0
package/src/lib/api-docs.ts +154 -0
package/src/lib/api.ts +474 -0
package/src/lib/app-loader.ts +148 -0
package/src/lib/app-registry.ts +178 -0
package/src/lib/app-sdk.ts +157 -0
package/src/lib/audit-console-adapter.ts +151 -0
package/src/lib/auth-client.ts +75 -0
package/src/lib/config.ts +74 -0
package/src/lib/credential-field-schema.ts +11 -0
package/src/lib/crypto.ts +112 -0
package/src/lib/db.ts +21 -0
package/src/lib/docs.ts +544 -0
package/src/lib/events.ts +363 -0
package/src/lib/pino.ts +24 -0
package/src/lib/theme-handlers.ts +168 -0
package/src/lib/theme.ts +351 -0
package/src/lib/tokenData.ts +378 -0
package/src/lib/totp-import.ts +57 -0
package/src/lib/vault-crypto.ts +129 -0
package/src/lib/view-registry.ts +57 -0
package/src/lib/websocket-server.ts +302 -0
package/src/lib/websocket-setup.ts +79 -0
package/src/lib/wordlist.ts +2050 -0
package/src/lib/workspace-handlers.ts +285 -0
package/start.sh +170 -0
package/tailwind.config.ts +99 -0
package/tsconfig.json +42 -0

package/server/cli/commands/shell-hook.ts ADDED Viewed

@@ -0,0 +1,512 @@
+/**
+ * auramaxx shell-hook — Auto-load .aura env vars on cd (like direnv)
+ *
+ * Usage:
+ *   aura shell-hook bash       Output bash hook script
+ *   aura shell-hook zsh        Output zsh hook script
+ *   aura shell-hook install    Auto-detect shell, add to rc file
+ *   aura shell-hook allow      Whitelist current directory
+ *   aura shell-hook deny       Remove directory from whitelist
+ *   aura shell-hook status     Show whitelist + active dir
+ *   aura shell-hook resolve    Internal: resolve .aura and output export statements
+ */
+import * as fs from 'fs';
+import * as path from 'path';
+import * as crypto from 'crypto';
+import * as os from 'os';
+import { getErrorMessage } from '../../lib/error';
+import {
+  escapeForShell,
+  searchCredential,
+  readCredential,
+  validateEnvVarName,
+} from '../lib/credential-resolve';
+// ── Paths ──
+const AURA_DIR = process.env.WALLET_DATA_DIR || path.join(os.homedir(), '.auramaxx');
+const ALLOWED_FILE = path.join(AURA_DIR, 'shell-allowed.json');
+const CACHE_DIR = path.join(AURA_DIR, 'shell-cache');
+const CACHE_SECRET_FILE = path.join(AURA_DIR, 'shell-cache.secret');
+// ── Whitelist ──
+interface AllowedEntry {
+  allowedAt: string;
+  hash: string;
+}
+function loadAllowed(): Record<string, AllowedEntry> {
+  try {
+    return JSON.parse(fs.readFileSync(ALLOWED_FILE, 'utf-8'));
+  } catch {
+    return {};
+  }
+}
+function saveAllowed(allowed: Record<string, AllowedEntry>): void {
+  fs.mkdirSync(path.dirname(ALLOWED_FILE), { recursive: true, mode: 0o700 });
+  const fd = fs.openSync(ALLOWED_FILE, 'w', 0o600);
+  fs.writeSync(fd, JSON.stringify(allowed, null, 2) + '\n');
+  fs.closeSync(fd);
+  fs.chmodSync(ALLOWED_FILE, 0o600);
+}
+function hashFile(filePath: string): string {
+  const content = fs.readFileSync(filePath);
+  return crypto.createHash('sha256').update(content).digest('hex').slice(0, 16);
+}
+// ── Cache ──
+function getOrCreateCacheSecret(): string {
+  try {
+    const existing = fs.readFileSync(CACHE_SECRET_FILE, 'utf-8').trim();
+    if (existing) {
+      try { fs.chmodSync(CACHE_SECRET_FILE, 0o600); } catch {}
+      return existing;
+    }
+  } catch {
+    // fall through and recreate
+  }
+  const secret = crypto.randomBytes(32).toString('base64url');
+  fs.mkdirSync(path.dirname(CACHE_SECRET_FILE), { recursive: true, mode: 0o700 });
+  const fd = fs.openSync(CACHE_SECRET_FILE, 'w', 0o600);
+  fs.writeSync(fd, secret);
+  fs.closeSync(fd);
+  fs.chmodSync(CACHE_SECRET_FILE, 0o600);
+  return secret;
+}
+interface CacheEntry {
+  vars: Record<string, string>;
+  expiresAt: number;
+  auraHash: string;
+}
+const CACHE_TTL_MS = 5 * 60 * 1000; // 5 minutes
+function getCacheKey(dir: string): string {
+  // Key cache filenames with install-local secret material so paths are not
+  // deterministically hashable from directory names alone.
+  const secret = getOrCreateCacheSecret();
+  return crypto.createHmac('sha256', secret).update(dir).digest('hex').slice(0, 16);
+}
+function getLegacyCacheKey(dir: string): string {
+  return crypto.createHash('sha256').update(dir).digest('hex').slice(0, 16);
+}
+function getCache(dir: string, auraHash: string): Record<string, string> | null {
+  const cacheFile = path.join(CACHE_DIR, `${getCacheKey(dir)}.json`);
+  const legacyCacheFile = path.join(CACHE_DIR, `${getLegacyCacheKey(dir)}.json`);
+  // Intentional invalidation of legacy deterministic cache filenames.
+  try { fs.unlinkSync(legacyCacheFile); } catch {}
+  try {
+    const raw = fs.readFileSync(cacheFile, 'utf-8');
+    const trimmed = raw.trimStart();
+    // Try encrypted format first, fall back to legacy plaintext
+    let entry: CacheEntry;
+    if (trimmed.startsWith('{')) {
+      // Legacy plaintext — delete it (audit finding #2)
+      fs.unlinkSync(cacheFile);
+      return null;
+    }
+    entry = JSON.parse(decryptCacheEntry(raw));
+    if (!entry || typeof entry !== 'object' || typeof entry.expiresAt !== 'number' || typeof entry.auraHash !== 'string' || typeof entry.vars !== 'object' || entry.vars === null) {
+      throw new Error('invalid cache entry payload');
+    }
+    if (entry.expiresAt > Date.now() && entry.auraHash === auraHash) {
+      return entry.vars;
+    }
+  } catch {
+    // Cache miss or decryption failure — best-effort cleanup of corrupt entries
+    try { fs.unlinkSync(cacheFile); } catch {}
+  }
+  return null;
+}
+/**
+ * Derive a machine- and install-local encryption key for cache at rest.
+ * Includes a per-install secret stored under ~/.auramaxx to avoid
+ * deterministic, host/user-only key derivation.
+ */
+function getCacheEncryptionKey(): Buffer {
+  const material = `auramaxx-cache:${AURA_DIR}:${getOrCreateCacheSecret()}`;
+  return crypto.createHash('sha256').update(material).digest();
+}
+function encryptCacheEntry(data: string): string {
+  const key = getCacheEncryptionKey();
+  const iv = crypto.randomBytes(12);
+  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
+  const encrypted = Buffer.concat([cipher.update(data, 'utf-8'), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  // Format: iv:tag:ciphertext (all base64)
+  return `${iv.toString('base64')}:${tag.toString('base64')}:${encrypted.toString('base64')}`;
+}
+function decryptCacheEntry(blob: string): string {
+  const key = getCacheEncryptionKey();
+  const parts = blob.split(':');
+  if (parts.length !== 3) {
+    throw new Error('invalid cache entry format');
+  }
+  const [ivB64, tagB64, ctB64] = parts;
+  const iv = Buffer.from(ivB64, 'base64');
+  const tag = Buffer.from(tagB64, 'base64');
+  const ct = Buffer.from(ctB64, 'base64');
+  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
+  decipher.setAuthTag(tag);
+  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf-8');
+}
+function setCache(dir: string, vars: Record<string, string>, auraHash: string): void {
+  fs.mkdirSync(CACHE_DIR, { recursive: true, mode: 0o700 });
+  try { fs.chmodSync(CACHE_DIR, 0o700); } catch {}
+  const cacheFile = path.join(CACHE_DIR, `${getCacheKey(dir)}.json`);
+  const legacyCacheFile = path.join(CACHE_DIR, `${getLegacyCacheKey(dir)}.json`);
+  try { fs.unlinkSync(legacyCacheFile); } catch {}
+  const entry: CacheEntry = {
+    vars,
+    expiresAt: Date.now() + CACHE_TTL_MS,
+    auraHash,
+  };
+  const encrypted = encryptCacheEntry(JSON.stringify(entry));
+  const fd = fs.openSync(cacheFile, 'w', 0o600);
+  fs.writeSync(fd, encrypted);
+  fs.closeSync(fd);
+  fs.chmodSync(cacheFile, 0o600);
+}
+// ── Shell hooks ──
+function bashHook(): string {
+  return `# Aura shell hook — auto-load .aura env vars
+_aura_hook() {
+  local prev_aura_dir="\${_AURA_DIR:-}"
+  local aura_file=""
+  local check_dir="$PWD"
+  while [ "$check_dir" != "/" ]; do
+    if [ -f "$check_dir/.aura" ]; then
+      aura_file="$check_dir/.aura"
+      break
+    fi
+    check_dir="$(dirname "$check_dir")"
+  done
+  if [ -n "$aura_file" ]; then
+    local aura_dir="$(dirname "$aura_file")"
+    if [ "$aura_dir" != "$prev_aura_dir" ]; then
+      if [ -n "$prev_aura_dir" ] && [ -n "\${_AURA_VARS:-}" ]; then
+        for var in $_AURA_VARS; do unset "$var"; done
+      fi
+      local output
+      output="$(aura shell-hook resolve 2>/dev/null)"
+      if [ $? -eq 0 ] && [ -n "$output" ]; then
+        eval "$output"
+        export _AURA_DIR="$aura_dir"
+      fi
+    fi
+  elif [ -n "$prev_aura_dir" ]; then
+    if [ -n "\${_AURA_VARS:-}" ]; then
+      for var in $_AURA_VARS; do unset "$var"; done
+    fi
+    unset _AURA_DIR _AURA_VARS
+  fi
+}
+if [[ ";\${PROMPT_COMMAND:-};" != *";_aura_hook;"* ]]; then
+  PROMPT_COMMAND="_aura_hook;\${PROMPT_COMMAND:-}"
+fi
+`;
+}
+function zshHook(): string {
+  return `# Aura shell hook — auto-load .aura env vars
+_aura_hook() {
+  local prev_aura_dir="\${_AURA_DIR:-}"
+  local aura_file=""
+  local check_dir="$PWD"
+  while [[ "$check_dir" != "/" ]]; do
+    if [[ -f "$check_dir/.aura" ]]; then
+      aura_file="$check_dir/.aura"
+      break
+    fi
+    check_dir="$(dirname "$check_dir")"
+  done
+  if [[ -n "$aura_file" ]]; then
+    local aura_dir="$(dirname "$aura_file")"
+    if [[ "$aura_dir" != "$prev_aura_dir" ]]; then
+      if [[ -n "$prev_aura_dir" ]] && [[ -n "\${_AURA_VARS:-}" ]]; then
+        for var in \${(z)_AURA_VARS}; do unset "$var"; done
+      fi
+      local output
+      output="$(aura shell-hook resolve 2>/dev/null)"
+      if [[ $? -eq 0 ]] && [[ -n "$output" ]]; then
+        eval "$output"
+        export _AURA_DIR="$aura_dir"
+      fi
+    fi
+  elif [[ -n "$prev_aura_dir" ]]; then
+    if [[ -n "\${_AURA_VARS:-}" ]]; then
+      for var in \${(z)_AURA_VARS}; do unset "$var"; done
+    fi
+    unset _AURA_DIR _AURA_VARS
+  fi
+}
+autoload -U add-zsh-hook
+add-zsh-hook chpwd _aura_hook
+_aura_hook
+`;
+}
+// ── Resolve (internal) ──
+async function cmdResolve(): Promise<void> {
+  let dir = process.cwd();
+  let auraFile: string | null = null;
+  while (true) {
+    const candidate = path.join(dir, '.aura');
+    if (fs.existsSync(candidate)) { auraFile = candidate; break; }
+    const parent = path.dirname(dir);
+    if (parent === dir) break;
+    dir = parent;
+  }
+  if (!auraFile) process.exit(1);
+  const auraDir = path.dirname(auraFile);
+  const auraHash = hashFile(auraFile);
+  // Check whitelist
+  const allowed = loadAllowed();
+  const entry = allowed[auraDir];
+  if (!entry) {
+    console.error(`aura: ${auraDir} is not allowed. Run: aura shell-hook allow`);
+    process.exit(1);
+  }
+  if (entry.hash !== auraHash) {
+    console.error(`aura: .aura file changed in ${auraDir}. Run: aura shell-hook allow`);
+    process.exit(1);
+  }
+  // Check cache
+  const cached = getCache(auraDir, auraHash);
+  if (cached) {
+    outputExports(cached);
+    return;
+  }
+  // Resolve from vault using shared module (audit finding #3)
+  const { parseAuraFile } = await import('./env');
+  const {
+    generateEphemeralKeypair,
+    bootstrapViaSocket,
+    bootstrapViaAuthRequest,
+    decryptWithPrivateKey,
+    createReadToken,
+  } = await import('../../lib/credential-transport');
+  const { serverUrl } = await import('../lib/http');
+  const { resolveMappings } = await import('../lib/credential-resolve');
+  const keypair = generateEphemeralKeypair();
+  const envToken = process.env.AURA_TOKEN;
+  const token = envToken || await (async () => {
+    try {
+      return await bootstrapViaSocket('shell-hook', keypair);
+    } catch (socketErr) {
+      return bootstrapViaAuthRequest(serverUrl(), 'shell-hook', keypair, {
+        onStatus: (message) => console.error(message),
+      }).catch((authErr) => {
+        throw new Error(`${getErrorMessage(socketErr)}\n${getErrorMessage(authErr)}`);
+      });
+    }
+  })();
+  const base = serverUrl();
+  const readToken = await createReadToken(base, token, keypair, 'shell-hook-reader');
+  const mappings = parseAuraFile(auraFile);
+  const decryptFn = (encrypted: string) => decryptWithPrivateKey(encrypted, keypair.privateKeyPem);
+  const { resolved } = await resolveMappings(mappings, base, token, readToken, decryptFn);
+  const vars: Record<string, string> = Object.fromEntries(resolved);
+  setCache(auraDir, vars, auraHash);
+  outputExports(vars);
+}
+function outputExports(vars: Record<string, string>): void {
+  const varNames: string[] = [];
+  for (const [key, value] of Object.entries(vars)) {
+    // Validate env var name to prevent injection via key (audit finding #6)
+    validateEnvVarName(key);
+    // Use ANSI-C $'...' quoting for safe shell escaping (audit finding #1)
+    console.log(`export ${key}=${escapeForShell(value)}`);
+    varNames.push(key);
+  }
+  if (varNames.length > 0) {
+    console.log(`export _AURA_VARS=${escapeForShell(varNames.join(' '))}`);
+  }
+}
+// ── Install ──
+function cmdInstall(): void {
+  const shell = path.basename(process.env.SHELL || 'bash');
+  let rcFile: string;
+  let hookCmd: string;
+  switch (shell) {
+    case 'zsh':
+      rcFile = path.join(os.homedir(), '.zshrc');
+      hookCmd = 'eval "$(aura shell-hook zsh)"';
+      break;
+    case 'bash':
+      rcFile = path.join(os.homedir(), '.bashrc');
+      hookCmd = 'eval "$(aura shell-hook bash)"';
+      break;
+    default:
+      console.error(`Unsupported shell: ${shell}. Manually add the hook to your rc file.`);
+      process.exit(1);
+      return;
+  }
+  if (fs.existsSync(rcFile)) {
+    const content = fs.readFileSync(rcFile, 'utf-8');
+    if (content.includes('aura shell-hook')) {
+      console.log(`Aura shell hook already installed in ${rcFile}`);
+      return;
+    }
+  }
+  fs.appendFileSync(rcFile, `\n# Aura shell hook — auto-load .aura env vars\n${hookCmd}\n`);
+  console.log(`✓ Added shell hook to ${rcFile}`);
+  console.log(`  Restart your shell or run: source ${rcFile}`);
+}
+// ── Allow / Deny / Status ──
+function cmdAllow(dir?: string): void {
+  const targetDir = dir ? path.resolve(dir) : process.cwd();
+  const auraFile = path.join(targetDir, '.aura');
+  if (!fs.existsSync(auraFile)) {
+    console.error(`No .aura file found in ${targetDir}`);
+    process.exit(1);
+  }
+  const allowed = loadAllowed();
+  allowed[targetDir] = {
+    allowedAt: new Date().toISOString(),
+    hash: hashFile(auraFile),
+  };
+  saveAllowed(allowed);
+  console.log(`✓ Allowed ${targetDir}`);
+}
+function cmdDeny(dir?: string): void {
+  const targetDir = dir ? path.resolve(dir) : process.cwd();
+  const allowed = loadAllowed();
+  if (allowed[targetDir]) {
+    delete allowed[targetDir];
+    saveAllowed(allowed);
+    console.log(`✓ Denied ${targetDir}`);
+  } else {
+    console.log(`${targetDir} was not in the whitelist.`);
+  }
+}
+function cmdStatus(): void {
+  const allowed = loadAllowed();
+  const entries = Object.entries(allowed);
+  if (entries.length === 0) {
+    console.log('No directories whitelisted.');
+    console.log('Run `aura shell-hook allow` in a directory with a .aura file.');
+    return;
+  }
+  console.log('Whitelisted directories:\n');
+  for (const [dir, entry] of entries) {
+    const auraExists = fs.existsSync(path.join(dir, '.aura'));
+    let status = auraExists ? '✓' : '✗ .aura missing';
+    if (auraExists) {
+      const currentHash = hashFile(path.join(dir, '.aura'));
+      if (currentHash !== entry.hash) {
+        status = '⚠ .aura changed (run allow again)';
+      }
+    }
+    console.log(`  ${status} ${dir}`);
+    console.log(`    Allowed: ${entry.allowedAt}`);
+  }
+}
+// ── Help ──
+function showHelp(): void {
+  console.log(`
+  auramaxx shell-hook — Auto-load .aura env vars on cd
+  Usage:
+    aura shell-hook bash       Output bash hook script
+    aura shell-hook zsh        Output zsh hook script
+    aura shell-hook install    Auto-detect shell, add to rc file
+    aura shell-hook allow      Whitelist current directory
+    aura shell-hook deny       Remove from whitelist
+    aura shell-hook status     Show whitelist
+  Quick start:
+    aura shell-hook install    # One-time setup
+    cd my-project              # Has .aura file
+    aura shell-hook allow      # Whitelist this project
+    cd ../ && cd my-project    # Env vars auto-loaded!
+`);
+}
+// ── Main ──
+async function main(): Promise<void> {
+  const args = process.argv.slice(2);
+  const subcommand = args[0];
+  if (!subcommand || subcommand === '--help' || subcommand === '-h') {
+    showHelp();
+    process.exit(0);
+  }
+  switch (subcommand) {
+    case 'bash':
+      process.stdout.write(bashHook());
+      return;
+    case 'zsh':
+      process.stdout.write(zshHook());
+      return;
+    case 'install':
+      return cmdInstall();
+    case 'allow':
+      return cmdAllow(args[1]);
+    case 'deny':
+      return cmdDeny(args[1]);
+    case 'status':
+      return cmdStatus();
+    case 'resolve':
+      return cmdResolve();
+    default:
+      console.error(`Unknown subcommand: ${subcommand}`);
+      showHelp();
+      process.exit(1);
+  }
+}
+main().catch((err) => {
+  console.error(`Error: ${getErrorMessage(err)}`);
+  process.exit(1);
+});