auramaxx 0.0.1

package/server/cli/commands/wallet.ts

@@ -0,0 +1,209 @@
+/**
+ * auramaxx wallet — opinionated wallet API wrappers (incremental parity)
+ */
+
+import {
+  bootstrapViaAuthRequest,
+  bootstrapViaSocket,
+  generateEphemeralKeypair,
+  type ProfileIssuanceSelection,
+} from '../../lib/credential-transport';
+import { getErrorMessage } from '../../lib/error';
+import { serverUrl } from '../lib/http';
+import { printHelp } from '../lib/theme';
+
+type WalletCommand =
+  | 'status'
+  | 'assets'
+  | 'transactions'
+  | 'swap'
+  | 'send'
+  | 'fund'
+  | 'launch';
+
+interface WalletCliArgs {
+  command: WalletCommand;
+  bodyRaw?: string;
+  noAuth: boolean;
+  yes: boolean;
+  profile?: string;
+  profileVersion?: string;
+  profileOverridesRaw?: string;
+}
+
+function showHelp(): void {
+  printHelp('WALLET', 'npx auramaxx wallet <command> [options]', [], [
+    'Commands:',
+    '  status                     GET /wallet',
+    '  assets                     GET /wallet/assets',
+    '  transactions               GET /wallet/transactions',
+    '  swap --body <json>         POST /swap',
+    '  send --body <json>         POST /send',
+    '  fund --body <json>         POST /fund',
+    '  launch --body <json>       POST /launch',
+    '',
+    'Options:',
+    '  --body <json>             JSON request body (required for mutating commands)',
+    '  --no-auth                 Do not attach bearer auth token',
+    '  --yes                     Confirm mutating wallet actions (swap/send/fund/launch)',
+    '  --profile <p>             Profile for /auth fallback when socket auto-approve is blocked',
+    '  --profile-version <v>     Profile version for /auth fallback',
+    '  --profile-overrides <j>   Tighten-only profile override JSON for /auth fallback',
+  ]);
+}
+
+export function parseArgs(argv: string[]): WalletCliArgs | null {
+  const args = [...argv];
+  if (args.length === 0 || args.includes('--help') || args.includes('-h')) return null;
+
+  const command = args.shift() as WalletCommand | undefined;
+  if (!command || !['status', 'assets', 'transactions', 'swap', 'send', 'fund', 'launch'].includes(command)) {
+    return null;
+  }
+
+  const getValue = (flag: string): string | undefined => {
+    const idx = args.indexOf(flag);
+    return idx >= 0 ? args[idx + 1] : undefined;
+  };
+
+  return {
+    command,
+    bodyRaw: getValue('--body'),
+    noAuth: args.includes('--no-auth'),
+    yes: args.includes('--yes'),
+    profile: getValue('--profile'),
+    profileVersion: getValue('--profile-version'),
+    profileOverridesRaw: getValue('--profile-overrides'),
+  };
+}
+
+export function resolveRoute(command: WalletCommand): { method: 'GET' | 'POST'; route: string } {
+  switch (command) {
+    case 'status':
+      return { method: 'GET', route: '/wallet' };
+    case 'assets':
+      return { method: 'GET', route: '/wallet/assets' };
+    case 'transactions':
+      return { method: 'GET', route: '/wallet/transactions' };
+    case 'swap':
+      return { method: 'POST', route: '/swap' };
+    case 'send':
+      return { method: 'POST', route: '/send' };
+    case 'fund':
+      return { method: 'POST', route: '/fund' };
+    case 'launch':
+      return { method: 'POST', route: '/launch' };
+    default:
+      return { method: 'GET', route: '/wallet' };
+  }
+}
+
+function parseProfileOverrides(raw?: string): ProfileIssuanceSelection['profileOverrides'] | undefined {
+  if (!raw) return undefined;
+  const parsed = JSON.parse(raw) as unknown;
+  if (!parsed || typeof parsed !== 'object' || Array.isArray(parsed)) {
+    throw new Error('--profile-overrides must be a JSON object');
+  }
+  return parsed as ProfileIssuanceSelection['profileOverrides'];
+}
+
+function parseBody(raw?: string): unknown | undefined {
+  if (!raw) return undefined;
+  return JSON.parse(raw) as unknown;
+}
+
+async function resolveAuthToken(selection: ProfileIssuanceSelection): Promise<string> {
+  const envToken = process.env.AURA_TOKEN;
+  if (envToken) return envToken;
+
+  const keypair = generateEphemeralKeypair();
+
+  if (selection.profile) {
+    const result = await bootstrapViaAuthRequest(serverUrl(), 'cli-wallet', keypair, {
+      ...selection,
+      noWait: true,
+      onStatus: (message) => console.error(message),
+    });
+    if (result.approveUrl) {
+      console.error(`Approve at: ${result.approveUrl}`);
+    }
+    console.error(`After approval, re-run with: AURA_TOKEN=<token> npx auramaxx wallet ...`);
+    console.error(`Or use: npx auramaxx auth request --profile ${selection.profile} --raw-token`);
+    process.exit(1);
+  }
+
+  try {
+    return await bootstrapViaSocket('cli-wallet', keypair);
+  } catch (socketErr) {
+    return bootstrapViaAuthRequest(serverUrl(), 'cli-wallet', keypair, {
+      ...selection,
+      onStatus: (message) => console.error(message),
+    }).catch((authErr) => {
+      throw new Error(`${getErrorMessage(socketErr)}\n${getErrorMessage(authErr)}`);
+    });
+  }
+}
+
+async function main(): Promise<void> {
+  const parsed = parseArgs(process.argv.slice(2));
+  if (!parsed) {
+    showHelp();
+    process.exit(0);
+  }
+
+  const { method, route } = resolveRoute(parsed.command);
+  const body = parseBody(parsed.bodyRaw);
+  if (method === 'POST' && body === undefined) {
+    throw new Error(`'${parsed.command}' requires --body <json>`);
+  }
+  if (method === 'POST' && !parsed.yes) {
+    throw new Error(`'${parsed.command}' is mutating and requires --yes`);
+  }
+
+  const profileOverrides = parseProfileOverrides(parsed.profileOverridesRaw);
+  const authSelection: ProfileIssuanceSelection = {
+    ...(parsed.profile ? { profile: parsed.profile } : {}),
+    ...(parsed.profileVersion ? { profileVersion: parsed.profileVersion } : {}),
+    ...(profileOverrides ? { profileOverrides } : {}),
+  };
+
+  const token = parsed.noAuth ? null : await resolveAuthToken(authSelection);
+  const headers: Record<string, string> = {};
+  if (body !== undefined) headers['Content-Type'] = 'application/json';
+  if (token) headers['Authorization'] = `Bearer ${token}`;
+
+  const res = await fetch(`${serverUrl()}${route}`, {
+    method,
+    headers,
+    body: body !== undefined ? JSON.stringify(body) : undefined,
+    signal: AbortSignal.timeout(15_000),
+  });
+
+  const text = await res.text();
+  let payload: unknown = text;
+  try {
+    payload = text ? JSON.parse(text) as unknown : {};
+  } catch {
+    payload = text;
+  }
+
+  if (!res.ok) {
+    if (typeof payload === 'string') console.error(`HTTP ${res.status}: ${payload}`);
+    else console.error(`HTTP ${res.status}: ${JSON.stringify(payload, null, 2)}`);
+    process.exit(1);
+  }
+
+  if (typeof payload === 'string') {
+    console.log(payload);
+    return;
+  }
+
+  console.log(JSON.stringify(payload, null, 2));
+}
+
+if (import.meta.url === `file://${process.argv[1]}`) {
+  main().catch((error) => {
+    console.error(`wallet command failed: ${getErrorMessage(error)}`);
+    process.exit(1);
+  });
+}

package/server/cli/index.ts

@@ -0,0 +1,280 @@
+#!/usr/bin/env node
+/**
+ * Aura Wallet CLI - Headless mode for programmatic wallet control
+ *
+ * Security Design:
+ * - Admin token stored in-process memory only (never touches disk)
+ * - Main wallet server hosts Unix socket IPC for local agent connections
+ * - Crash = re-auth required (aligns with server restart security model)
+ *
+ * Usage:
+ *   npx tsx server/cli/index.ts                    # Interactive password prompt
+ *   npx tsx server/cli/index.ts --password-stdin   # Read password from stdin (CI/automation)
+ *   npx tsx server/cli/index.ts --auto-approve     # Auto-approve all requests (DANGEROUS)
+ */
+
+import * as readline from 'readline';
+import { encryptPassword, generateAgentKeypair } from './transport-client';
+import { ApprovalManager } from './approval';
+import * as fs from 'fs';
+import { getErrorMessage } from '../lib/error';
+import { printBanner, printBox, printStatus } from './lib/theme';
+import { resolveAuraSocketPath } from '../lib/socket-path';
+import { promptPassword } from './lib/prompt';
+
+const SERVER_URL = process.env.WALLET_SERVER_URL || 'http://localhost:4242';
+const LOCK_FILE = `/tmp/aura-cli-${process.getuid?.() ?? 'unknown'}.lock`;
+
+// In-process memory only - never persisted
+let adminToken: string | null = null;
+let coldWalletAddress: string | null = null;
+
+// Parse command line arguments
+const args = process.argv.slice(2);
+const passwordStdin = args.includes('--password-stdin');
+const autoApprove = args.includes('--auto-approve');
+
+/**
+ * Check if another CLI instance is running
+ */
+function checkLockFile(): boolean {
+  try {
+    if (fs.existsSync(LOCK_FILE)) {
+      const pid = parseInt(fs.readFileSync(LOCK_FILE, 'utf8'), 10);
+      // Check if process is still running
+      try {
+        process.kill(pid, 0); // Signal 0 tests if process exists
+        return true; // Process exists, lock is valid
+      } catch {
+        // Process doesn't exist, stale lock file
+        fs.unlinkSync(LOCK_FILE);
+        return false;
+      }
+    }
+    return false;
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Create lock file with our PID
+ */
+function createLockFile(): void {
+  fs.writeFileSync(LOCK_FILE, process.pid.toString(), { mode: 0o600 });
+}
+
+/**
+ * Remove lock file on exit
+ */
+function removeLockFile(): void {
+  try {
+    if (fs.existsSync(LOCK_FILE)) {
+      const pid = parseInt(fs.readFileSync(LOCK_FILE, 'utf8'), 10);
+      if (pid === process.pid) {
+        fs.unlinkSync(LOCK_FILE);
+      }
+    }
+  } catch {
+    // Ignore cleanup errors
+  }
+}
+
+/**
+ * Fetch the server's RSA public key for password encryption
+ */
+async function fetchPublicKey(): Promise<string> {
+  const response = await fetch(`${SERVER_URL}/auth/connect`);
+  if (!response.ok) {
+    throw new Error(`Failed to connect to wallet server: ${response.status}`);
+  }
+  const data = await response.json() as { publicKey: string };
+  return data.publicKey;
+}
+
+/**
+ * Unlock the wallet with encrypted password
+ */
+async function unlockWallet(encryptedPassword: string, pubkey: string): Promise<{ token: string; address: string }> {
+  const response = await fetch(`${SERVER_URL}/unlock`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ encrypted: encryptedPassword, pubkey })
+  });
+
+  const data = await response.json() as { success?: boolean; token?: string; address?: string; error?: string };
+
+  if (!response.ok || !data.success) {
+    throw new Error(data.error || 'Failed to unlock wallet');
+  }
+
+  return { token: data.token!, address: data.address! };
+}
+
+/**
+ * Read password from stdin (for automation)
+ */
+async function readPasswordFromStdin(): Promise<string> {
+  return new Promise((resolve, reject) => {
+    let data = '';
+
+    process.stdin.setEncoding('utf8');
+    process.stdin.on('data', (chunk) => {
+      data += chunk;
+    });
+    process.stdin.on('end', () => {
+      const password = data.trim();
+      if (!password) {
+        reject(new Error('No password provided on stdin'));
+      } else {
+        resolve(password);
+      }
+    });
+    process.stdin.on('error', reject);
+
+    // Set a timeout for stdin read
+    setTimeout(() => {
+      if (!data) {
+        reject(new Error('Timeout waiting for password on stdin'));
+      }
+    }, 5000);
+  });
+}
+
+/**
+ * Get the admin token (for use by other modules)
+ */
+export function getAdminToken(): string | null {
+  return adminToken;
+}
+
+/**
+ * Get the cold wallet address
+ */
+export function getColdWalletAddress(): string | null {
+  return coldWalletAddress;
+}
+
+/**
+ * Get the server URL
+ */
+export function getServerUrl(): string {
+  return SERVER_URL;
+}
+
+/**
+ * Main entry point
+ */
+async function main() {
+  printBanner('CLI MODE');
+
+  // Check for existing instance
+  if (checkLockFile()) {
+    console.error('ERROR: Another CLI instance is already running.');
+    console.error('If this is incorrect, remove the lock file:', LOCK_FILE);
+    process.exit(1);
+  }
+
+  // Auto-approve warning
+  if (autoApprove) {
+    console.log('⚠️  WARNING: --auto-approve is enabled!');
+    console.log('   All agent requests will be automatically approved.');
+    console.log('   This is DANGEROUS in production environments.\n');
+  }
+
+  try {
+    // 1. Fetch server's public key
+    console.log('Connecting to wallet server...');
+    const publicKey = await fetchPublicKey();
+    console.log('Connected. Server RSA key received.\n');
+
+    // 2. Get password
+    let password: string;
+    if (passwordStdin) {
+      console.log('Reading password from stdin...');
+      password = await readPasswordFromStdin();
+    } else {
+      password = await promptPassword();
+    }
+
+    // 3. Encrypt and unlock
+    console.log('Unlocking wallet...');
+    const encryptedPassword = encryptPassword(password, publicKey);
+    const { publicKey: agentPubkey } = generateAgentKeypair();
+    const { token, address } = await unlockWallet(encryptedPassword, agentPubkey);
+
+    // Clear password from memory
+    password = '';
+
+    // Store token in memory only
+    adminToken = token;
+    coldWalletAddress = address;
+
+    console.log(`\n✓ Wallet unlocked successfully`);
+    console.log(`  Address: ${address}`);
+    console.log(`  Token: ${token.substring(0, 20)}...`);
+
+    // Create lock file
+    createLockFile();
+
+    // 4. Start approval manager (WebSocket listener)
+    console.log('\nStarting approval listener...');
+    const approvalManager = new ApprovalManager({
+      serverUrl: SERVER_URL,
+      getToken: () => adminToken,
+      autoApprove,
+      headless: passwordStdin // Skip terminal interface when using stdin
+    });
+    await approvalManager.start();
+
+    // 5. Socket broker now runs in the main wallet server process.
+    const socketPath = resolveAuraSocketPath({
+      serverUrl: SERVER_URL,
+      serverPort: process.env.WALLET_SERVER_PORT,
+    });
+
+    console.log('');
+    printBox([
+      'CLI Ready — Listening for agent requests',
+      '',
+      `Socket: ${socketPath}`,
+      'Press Ctrl+C to exit',
+    ]);
+
+    // Handle graceful shutdown
+    const shutdown = async () => {
+      console.log('\n\nShutting down...');
+      approvalManager.stop();
+      removeLockFile();
+
+      // Clear sensitive data
+      adminToken = null;
+      coldWalletAddress = null;
+
+      console.log('Goodbye.');
+      process.exit(0);
+    };
+
+    process.on('SIGINT', shutdown);
+    process.on('SIGTERM', shutdown);
+    process.on('exit', removeLockFile);
+
+    // Keep process alive
+    await new Promise(() => {
+      // Never resolves - keeps CLI running
+    });
+
+  } catch (error) {
+    const message = getErrorMessage(error);
+    console.error(`\nERROR: ${message}`);
+    removeLockFile();
+    process.exit(1);
+  }
+}
+
+// Run main
+main().catch((error) => {
+  console.error('Fatal error:', error);
+  removeLockFile();
+  process.exit(1);
+});

package/server/cli/lib/approval-poll.ts

@@ -0,0 +1,94 @@
+import { getErrorMessage } from '../../lib/error';
+
+export type AuthDecisionStatus = 'pending' | 'approved' | 'rejected';
+
+export interface AuthDecisionResponse {
+  success?: boolean;
+  status?: AuthDecisionStatus;
+  encryptedToken?: string;
+  error?: string;
+  [key: string]: unknown;
+}
+
+export interface AuthDecisionFetchResult {
+  httpStatus: number;
+  payload: AuthDecisionResponse;
+}
+
+export interface AuthDecisionPollOptions {
+  timeoutMs?: number;
+  intervalMs?: number;
+  signal?: AbortSignal;
+  onPending?: (info: { attempt: number; elapsedMs: number }) => void;
+}
+
+async function sleep(ms: number): Promise<void> {
+  await new Promise((resolve) => setTimeout(resolve, ms));
+}
+
+export async function fetchAuthDecisionOnce(
+  baseUrl: string,
+  requestId: string,
+  secret: string,
+): Promise<AuthDecisionFetchResult> {
+  const res = await fetch(
+    `${baseUrl}/auth/${encodeURIComponent(requestId)}?secret=${encodeURIComponent(secret)}`,
+    { signal: AbortSignal.timeout(10_000) },
+  );
+
+  const payload = await res.json().catch(() => ({})) as AuthDecisionResponse;
+  return { httpStatus: res.status, payload };
+}
+
+export async function waitForAuthDecision(
+  baseUrl: string,
+  requestId: string,
+  secret: string,
+  options: AuthDecisionPollOptions = {},
+): Promise<{ response: AuthDecisionResponse; attempts: number; elapsedMs: number }> {
+  const timeoutMs = options.timeoutMs ?? 120_000;
+  const intervalMs = options.intervalMs ?? 3_000;
+  const startedAt = Date.now();
+  let attempts = 0;
+
+  while (Date.now() - startedAt <= timeoutMs) {
+    if (options.signal?.aborted) {
+      throw new Error('Polling aborted');
+    }
+
+    attempts += 1;
+    let result: AuthDecisionFetchResult;
+    try {
+      result = await fetchAuthDecisionOnce(baseUrl, requestId, secret);
+    } catch (error) {
+      const message = getErrorMessage(error);
+      throw new Error(`Auth polling request failed: ${message}`);
+    }
+
+    const { httpStatus, payload } = result;
+
+    if (httpStatus === 200 && payload.success) {
+      if (payload.status === 'approved' || payload.status === 'rejected') {
+        return {
+          response: payload,
+          attempts,
+          elapsedMs: Date.now() - startedAt,
+        };
+      }
+
+      if (payload.status === 'pending') {
+        options.onPending?.({ attempt: attempts, elapsedMs: Date.now() - startedAt });
+      }
+    } else if (httpStatus === 410) {
+      throw new Error('Token already claimed or expired (HTTP 410).');
+    } else if (httpStatus === 403) {
+      throw new Error(payload.error || 'Invalid secret for auth polling (HTTP 403).');
+    } else if (httpStatus >= 400 && httpStatus < 500 && httpStatus !== 404) {
+      throw new Error(payload.error || `Auth polling failed (HTTP ${httpStatus}).`);
+    }
+
+    await sleep(intervalMs);
+  }
+
+  throw new Error(`Timed out waiting for approval after ${Math.round(timeoutMs / 1000)}s.`);
+}

package/server/cli/lib/aura-parser.ts

@@ -0,0 +1,64 @@
+/**
+ * .aura file parser — shared between env.ts and init.ts
+ */
+
+import * as fs from 'fs';
+import {
+  type AuraMapping,
+  validateEnvVarName,
+} from './credential-resolve';
+
+export { type AuraMapping } from './credential-resolve';
+
+/**
+ * Parse a .aura file into an array of env-var → credential mappings.
+ */
+export function parseAuraFile(filePath: string): AuraMapping[] {
+  const content = fs.readFileSync(filePath, 'utf-8');
+  const mappings: AuraMapping[] = [];
+
+  for (const rawLine of content.split('\n')) {
+    const line = rawLine.trim();
+    if (!line || line.startsWith('#')) continue;
+
+    const eqIdx = line.indexOf('=');
+    if (eqIdx === -1) {
+      throw new Error(`Invalid line in .aura (missing '='): ${line}`);
+    }
+
+    const envVar = line.substring(0, eqIdx).trim();
+    const ref = line.substring(eqIdx + 1).trim();
+
+    if (!envVar || !ref) {
+      throw new Error(`Invalid line in .aura: ${line}`);
+    }
+
+    // Validate env var name (audit finding #6)
+    validateEnvVarName(envVar);
+
+    let vault: string | null = null;
+    let credentialName: string;
+    let field: string;
+
+    if (ref.startsWith('@')) {
+      const parts = ref.substring(1).split('/');
+      if (parts.length < 3) {
+        throw new Error(`Invalid vault reference (expected @vault/credential/field): ${ref}`);
+      }
+      vault = parts[0];
+      credentialName = parts[1];
+      field = parts.slice(2).join('/');
+    } else {
+      const parts = ref.split('/');
+      if (parts.length < 2) {
+        throw new Error(`Invalid reference (expected credential/field): ${ref}`);
+      }
+      credentialName = parts[0];
+      field = parts.slice(1).join('/');
+    }
+
+    mappings.push({ envVar, vault, credentialName, field });
+  }
+
+  return mappings;
+}