npm - auramaxx - Versions diffs - 0.0.1 - Mend

auramaxx 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (418) hide show

package/LICENSE +26 -0
package/README.md +77 -0
package/apps/desktop-electron/main.js +428 -0
package/bin/auramaxx.js +1063 -0
package/docs/ADAPTERS.md +466 -0
package/docs/AGENT_SETUP.md +159 -0
package/docs/API.md +127 -0
package/docs/APPS.md +199 -0
package/docs/ARCHITECTURE.md +235 -0
package/docs/AUTH.md +318 -0
package/docs/BEST-PRACTICES.md +82 -0
package/docs/CLI.md +141 -0
package/docs/DESKTOP_ELECTRON.md +26 -0
package/docs/DEVELOPING-APPS.md +453 -0
package/docs/MCP.md +122 -0
package/docs/PACKAGING_POLICY.md +19 -0
package/docs/PERMISSION.md +137 -0
package/docs/PROTOCOL.md +142 -0
package/docs/README.md +50 -0
package/docs/SKILLS.md +132 -0
package/docs/TROUBLESHOOTING.md +376 -0
package/docs/WORKSPACE.md +673 -0
package/docs/agent-auth.md +14 -0
package/docs/api/authentication.md +79 -0
package/docs/api/secrets/api-keys.md +28 -0
package/docs/api/secrets/credentials.md +80 -0
package/docs/api/secrets/sharing.md +48 -0
package/docs/api/system.md +41 -0
package/docs/api/wallets/apps-strategies.md +66 -0
package/docs/api/wallets/core.md +46 -0
package/docs/api/wallets/data-portfolio.md +42 -0
package/docs/aura-file.md +48 -0
package/docs/core-concepts/FEATURES.md +114 -0
package/docs/credentials.md +120 -0
package/docs/external/HOW_TO_AURAMAXX/GETTING_SECRETS.md +33 -0
package/docs/external/HOW_TO_AURAMAXX/README.md +45 -0
package/docs/external/getting-started.md +10 -0
package/docs/external/overview.md +19 -0
package/docs/external/persona-paths.md +7 -0
package/docs/external/share-secret.md +76 -0
package/docs/external/why-aura.md +7 -0
package/docs/security.md +227 -0
package/docs/templates/RELEASE_NOTES_TEMPLATE.md +22 -0
package/docs/wallet/AI.md +508 -0
package/docs/wallet/DEVELOPING-STRATEGIES.md +713 -0
package/docs/wallet/README.md +47 -0
package/docs/wallet/STRATEGY.md +89 -0
package/next.config.ts +28 -0
package/package.json +167 -0
package/postcss.config.mjs +8 -0
package/prisma/migrations/20260214170000_baseline/migration.sql +511 -0
package/prisma/migrations/20260216214537_add_passkey_model/migration.sql +18 -0
package/prisma/migrations/20260217150500_add_credential_access_audit/migration.sql +31 -0
package/prisma/migrations/20260222090000_update_admin_ttl_default/migration.sql +10 -0
package/prisma/migrations/migration_lock.toml +3 -0
package/prisma/schema.prisma +447 -0
package/public/logo.webp +0 -0
package/scripts/add-app.js +245 -0
package/server/abi/SwapHelper.json +438 -0
package/server/cli/approval.ts +447 -0
package/server/cli/commands/actions.ts +474 -0
package/server/cli/commands/api.ts +220 -0
package/server/cli/commands/apikey.ts +277 -0
package/server/cli/commands/app.ts +204 -0
package/server/cli/commands/auth.ts +464 -0
package/server/cli/commands/cron.ts +24 -0
package/server/cli/commands/diary.ts +274 -0
package/server/cli/commands/doctor.ts +1247 -0
package/server/cli/commands/env.ts +476 -0
package/server/cli/commands/experimental.ts +69 -0
package/server/cli/commands/init.ts +798 -0
package/server/cli/commands/lock.ts +157 -0
package/server/cli/commands/mcp.ts +285 -0
package/server/cli/commands/quickhack.ts +86 -0
package/server/cli/commands/release-check.ts +231 -0
package/server/cli/commands/restore.ts +314 -0
package/server/cli/commands/service.ts +320 -0
package/server/cli/commands/shell-hook.ts +512 -0
package/server/cli/commands/skill.ts +216 -0
package/server/cli/commands/start.ts +139 -0
package/server/cli/commands/status.ts +59 -0
package/server/cli/commands/stop.ts +36 -0
package/server/cli/commands/token.ts +180 -0
package/server/cli/commands/unlock.ts +50 -0
package/server/cli/commands/vault.ts +1323 -0
package/server/cli/commands/wallet.ts +209 -0
package/server/cli/index.ts +280 -0
package/server/cli/lib/approval-poll.ts +94 -0
package/server/cli/lib/aura-parser.ts +64 -0
package/server/cli/lib/credential-create.ts +74 -0
package/server/cli/lib/credential-resolve.ts +280 -0
package/server/cli/lib/dotenv-migrate.ts +116 -0
package/server/cli/lib/dotenv-parser.ts +146 -0
package/server/cli/lib/escalation.ts +57 -0
package/server/cli/lib/http.ts +91 -0
package/server/cli/lib/init-steps.ts +76 -0
package/server/cli/lib/local-agent-trust.ts +45 -0
package/server/cli/lib/lock-unlock-helper.ts +71 -0
package/server/cli/lib/process.ts +162 -0
package/server/cli/lib/prompt.ts +294 -0
package/server/cli/lib/theme.ts +240 -0
package/server/cli/socket.ts +579 -0
package/server/cli/transport-client.ts +50 -0
package/server/cron/index.ts +137 -0
package/server/cron/job.ts +31 -0
package/server/cron/jobs/balance-sync.ts +436 -0
package/server/cron/jobs/incoming-scan.ts +506 -0
package/server/cron/jobs/native-price.ts +70 -0
package/server/cron/jobs/orphan-cleanup.ts +40 -0
package/server/cron/jobs/strategy-runner.ts +175 -0
package/server/cron/scheduler.ts +125 -0
package/server/index.ts +420 -0
package/server/lib/adapters/factory.ts +119 -0
package/server/lib/adapters/index.ts +19 -0
package/server/lib/adapters/router.ts +297 -0
package/server/lib/adapters/telegram.ts +645 -0
package/server/lib/adapters/types.ts +89 -0
package/server/lib/adapters/webhook.ts +95 -0
package/server/lib/address.ts +49 -0
package/server/lib/agent-auth/contracts.ts +1194 -0
package/server/lib/agent-profiles.ts +419 -0
package/server/lib/ai.ts +285 -0
package/server/lib/api-registry/contracts.ts +86 -0
package/server/lib/api-registry/validation.ts +172 -0
package/server/lib/apikey-migration.ts +258 -0
package/server/lib/app-installer.ts +505 -0
package/server/lib/app-tokens.ts +247 -0
package/server/lib/approval-link.ts +27 -0
package/server/lib/auth.ts +314 -0
package/server/lib/auto-execute.ts +160 -0
package/server/lib/batch.ts +242 -0
package/server/lib/cold.ts +1048 -0
package/server/lib/config.ts +408 -0
package/server/lib/credential-access-audit.ts +85 -0
package/server/lib/credential-access-policy.ts +111 -0
package/server/lib/credential-health.ts +343 -0
package/server/lib/credential-import.ts +608 -0
package/server/lib/credential-scope.ts +102 -0
package/server/lib/credential-shares.ts +190 -0
package/server/lib/credential-transport.ts +533 -0
package/server/lib/credential-vault.ts +77 -0
package/server/lib/credentials.ts +422 -0
package/server/lib/crypto.ts +8 -0
package/server/lib/db.ts +58 -0
package/server/lib/defaults.ts +386 -0
package/server/lib/dex/index.ts +80 -0
package/server/lib/dex/relay.ts +235 -0
package/server/lib/dex/types.ts +59 -0
package/server/lib/dex/uniswap.ts +370 -0
package/server/lib/diary.ts +34 -0
package/server/lib/dont-ask-again-policy.ts +41 -0
package/server/lib/e2e-agent/artifacts.ts +36 -0
package/server/lib/e2e-agent/contracts.ts +112 -0
package/server/lib/e2e-agent/validation.ts +135 -0
package/server/lib/encrypt.ts +114 -0
package/server/lib/error.ts +20 -0
package/server/lib/events.ts +217 -0
package/server/lib/feature-flags.ts +93 -0
package/server/lib/hot.ts +357 -0
package/server/lib/human-action-summary.ts +80 -0
package/server/lib/key-fingerprint.ts +28 -0
package/server/lib/logger.ts +340 -0
package/server/lib/network.ts +137 -0
package/server/lib/notifications.ts +230 -0
package/server/lib/oauth2-refresh.ts +241 -0
package/server/lib/oursecret.ts +71 -0
package/server/lib/passkey-credential.ts +360 -0
package/server/lib/passkey.ts +68 -0
package/server/lib/permissions.ts +299 -0
package/server/lib/pino.ts +24 -0
package/server/lib/policy-preview.ts +138 -0
package/server/lib/price.ts +338 -0
package/server/lib/prices.ts +34 -0
package/server/lib/project-scope.ts +297 -0
package/server/lib/resolve-action.ts +328 -0
package/server/lib/resolve.ts +36 -0
package/server/lib/secret-gist-share.ts +296 -0
package/server/lib/sessions.ts +634 -0
package/server/lib/socket-path.ts +56 -0
package/server/lib/solana/connection.ts +26 -0
package/server/lib/solana/jupiter.ts +128 -0
package/server/lib/solana/transfer.ts +108 -0
package/server/lib/solana/wallet.ts +136 -0
package/server/lib/strategy/emits.ts +21 -0
package/server/lib/strategy/engine.ts +1305 -0
package/server/lib/strategy/executor.ts +115 -0
package/server/lib/strategy/hook-context.ts +159 -0
package/server/lib/strategy/hooks.ts +990 -0
package/server/lib/strategy/index.ts +28 -0
package/server/lib/strategy/installer.ts +305 -0
package/server/lib/strategy/loader.ts +256 -0
package/server/lib/strategy/message.ts +237 -0
package/server/lib/strategy/repository.ts +218 -0
package/server/lib/strategy/session-logger.ts +693 -0
package/server/lib/strategy/sources.ts +288 -0
package/server/lib/strategy/state.ts +189 -0
package/server/lib/strategy/templates.ts +403 -0
package/server/lib/strategy/tick.ts +404 -0
package/server/lib/strategy/types.ts +230 -0
package/server/lib/swap.ts +3 -0
package/server/lib/temp.ts +86 -0
package/server/lib/token-metadata.ts +86 -0
package/server/lib/token-safety.ts +200 -0
package/server/lib/token-search.ts +444 -0
package/server/lib/totp.ts +194 -0
package/server/lib/transactions.ts +123 -0
package/server/lib/transport.ts +84 -0
package/server/lib/txhistory/decoder.ts +262 -0
package/server/lib/txhistory/enricher.ts +652 -0
package/server/lib/txhistory/index.ts +391 -0
package/server/lib/txhistory/signatures.ts +59 -0
package/server/lib/update-check.ts +35 -0
package/server/lib/verified-summary.ts +414 -0
package/server/lib/view-registry.ts +80 -0
package/server/mcp/profile-policy.ts +30 -0
package/server/mcp/server.ts +1589 -0
package/server/mcp/tools.ts +276 -0
package/server/middleware/auth.ts +119 -0
package/server/middleware/requestLogger.ts +84 -0
package/server/routes/actions.ts +539 -0
package/server/routes/adapters.ts +711 -0
package/server/routes/addressbook.ts +113 -0
package/server/routes/ai.ts +34 -0
package/server/routes/apikeys.ts +343 -0
package/server/routes/apps.ts +601 -0
package/server/routes/auth.ts +406 -0
package/server/routes/backup.ts +404 -0
package/server/routes/batch.ts +270 -0
package/server/routes/bookmarks.ts +162 -0
package/server/routes/credential-shares.ts +380 -0
package/server/routes/credential-vaults.ts +159 -0
package/server/routes/credentials.ts +1782 -0
package/server/routes/dashboard.ts +97 -0
package/server/routes/defaults.ts +124 -0
package/server/routes/flags.ts +11 -0
package/server/routes/fund.ts +225 -0
package/server/routes/heartbeat.ts +375 -0
package/server/routes/import.ts +364 -0
package/server/routes/launch.ts +665 -0
package/server/routes/lock.ts +54 -0
package/server/routes/logs.ts +68 -0
package/server/routes/nuke.ts +111 -0
package/server/routes/passkey-credentials.ts +99 -0
package/server/routes/passkey.ts +366 -0
package/server/routes/portfolio.ts +217 -0
package/server/routes/price.ts +63 -0
package/server/routes/resolve.ts +31 -0
package/server/routes/security.ts +45 -0
package/server/routes/send-evm.ts +241 -0
package/server/routes/send-solana.ts +281 -0
package/server/routes/send.ts +178 -0
package/server/routes/setup.ts +210 -0
package/server/routes/strategy.ts +894 -0
package/server/routes/swap-evm.ts +352 -0
package/server/routes/swap-solana.ts +176 -0
package/server/routes/swap.ts +356 -0
package/server/routes/token.ts +247 -0
package/server/routes/unlock.ts +467 -0
package/server/routes/views.ts +41 -0
package/server/routes/wallet-assets.ts +361 -0
package/server/routes/wallet-transactions.ts +515 -0
package/server/routes/wallet.ts +709 -0
package/server/types.ts +146 -0
package/shared/credential-field-schema.ts +248 -0
package/skills/auramaxx/HEARTBEAT.md +78 -0
package/skills/auramaxx/SKILL.md +745 -0
package/skills/auramaxx/docs/AGENT_SETUP.md +155 -0
package/skills/auramaxx/docs/API.md +127 -0
package/skills/auramaxx/docs/AUTH.md +318 -0
package/skills/auramaxx/docs/CLI.md +130 -0
package/skills/auramaxx/docs/MCP.md +122 -0
package/skills/auramaxx/docs/TROUBLESHOOTING.md +357 -0
package/skills/auramaxx/docs/WORKSPACE.md +673 -0
package/skills/auramaxx/docs/security.md +227 -0
package/skills/task-lifecycle/SKILL.md +378 -0
package/src/app/api/[...doc]/page.tsx +36 -0
package/src/app/api/agent-requests/route.ts +30 -0
package/src/app/api/apps/install/route.ts +132 -0
package/src/app/api/apps/manifests/route.ts +16 -0
package/src/app/api/apps/static/[...path]/route.ts +57 -0
package/src/app/api/docs/plain/route.ts +74 -0
package/src/app/api/events/route.ts +92 -0
package/src/app/api/page.tsx +290 -0
package/src/app/api/workspace/[id]/apps/[wid]/route.ts +119 -0
package/src/app/api/workspace/[id]/apps/route.ts +81 -0
package/src/app/api/workspace/[id]/export/route.ts +67 -0
package/src/app/api/workspace/[id]/route.ts +168 -0
package/src/app/api/workspace/auth.ts +40 -0
package/src/app/api/workspace/config/route.ts +121 -0
package/src/app/api/workspace/import/route.ts +127 -0
package/src/app/api/workspace/route.ts +116 -0
package/src/app/app-legacy-do-not-use/page.tsx +2245 -0
package/src/app/apple-icon.png +0 -0
package/src/app/approve/[actionId]/page.tsx +409 -0
package/src/app/docs/DocsPageContent.tsx +269 -0
package/src/app/docs/[...doc]/page.tsx +41 -0
package/src/app/docs/page.tsx +38 -0
package/src/app/favicon.ico +0 -0
package/src/app/globals.css +819 -0
package/src/app/health/page.tsx +5 -0
package/src/app/hello/page.tsx +102 -0
package/src/app/icon.png +0 -0
package/src/app/layout.tsx +39 -0
package/src/app/page.tsx +1964 -0
package/src/app/privacy/page.tsx +63 -0
package/src/app/providers.tsx +87 -0
package/src/app/share/[token]/page.tsx +295 -0
package/src/app/terms/page.tsx +80 -0
package/src/components/ChainSelector.tsx +44 -0
package/src/components/HumanActionBar.tsx +697 -0
package/src/components/NotificationDrawer.tsx +387 -0
package/src/components/PasskeyEnrollmentPrompt.tsx +235 -0
package/src/components/apps/AgentKeysApp.tsx +490 -0
package/src/components/apps/App.tsx +153 -0
package/src/components/apps/AppGrid.tsx +15 -0
package/src/components/apps/DetailedAddressDrawer.tsx +325 -0
package/src/components/apps/DraggableApp.tsx +562 -0
package/src/components/apps/IFrameApp.tsx +73 -0
package/src/components/apps/LogsApp.tsx +360 -0
package/src/components/apps/SendApp.tsx +394 -0
package/src/components/apps/SetupWizardApp.tsx +1004 -0
package/src/components/apps/SystemDefaultsApp.tsx +845 -0
package/src/components/apps/ThirdPartyApp.tsx +428 -0
package/src/components/apps/TokenApp.tsx +319 -0
package/src/components/apps/TransactionsApp.tsx +438 -0
package/src/components/apps/WalletDetailApp.tsx +1505 -0
package/src/components/apps/index.ts +13 -0
package/src/components/design-system/Button.tsx +88 -0
package/src/components/design-system/ChainIndicator.tsx +65 -0
package/src/components/design-system/ChainSelector.tsx +147 -0
package/src/components/design-system/ConfirmationModal.tsx +107 -0
package/src/components/design-system/ConfirmationPopover.tsx +81 -0
package/src/components/design-system/DownloadButton.tsx +149 -0
package/src/components/design-system/Drawer.tsx +133 -0
package/src/components/design-system/FilterDropdown.tsx +183 -0
package/src/components/design-system/ItemPicker.tsx +157 -0
package/src/components/design-system/Modal.tsx +296 -0
package/src/components/design-system/Popover.tsx +142 -0
package/src/components/design-system/TextInput.tsx +85 -0
package/src/components/design-system/Toggle.tsx +65 -0
package/src/components/design-system/TyvekCollapsibleSection.tsx +55 -0
package/src/components/design-system/index.ts +14 -0
package/src/components/docs/ClientSideMarkdown.tsx +51 -0
package/src/components/docs/DocsSearchBar.tsx +118 -0
package/src/components/docs/DocsThemeToggle.tsx +38 -0
package/src/components/docs/PersistentDocGroup.tsx +91 -0
package/src/components/docs/ShareUrlButton.tsx +33 -0
package/src/components/docs/SidebarScrollMemory.tsx +56 -0
package/src/components/health/CredentialHealthDashboard.tsx +214 -0
package/src/components/icons/ChainIcons.tsx +72 -0
package/src/components/layout/AppStoreDrawer.tsx +369 -0
package/src/components/layout/ContentArea.tsx +21 -0
package/src/components/layout/CreateViewModal.tsx +88 -0
package/src/components/layout/LeftRail.tsx +114 -0
package/src/components/layout/TabBar.tsx +284 -0
package/src/components/layout/WalletSidebar.tsx +1030 -0
package/src/components/layout/index.ts +6 -0
package/src/components/marketing/AuraMaxxSpecOverlay.tsx +653 -0
package/src/components/marketing/DeviceMorphExperience.tsx +216 -0
package/src/components/vault/ApiKeysConsole.tsx +1272 -0
package/src/components/vault/AuditConsole.tsx +600 -0
package/src/components/vault/CredentialDetail.tsx +625 -0
package/src/components/vault/CredentialEmpty.tsx +55 -0
package/src/components/vault/CredentialField.tsx +583 -0
package/src/components/vault/CredentialForm.tsx +1484 -0
package/src/components/vault/CredentialList.tsx +265 -0
package/src/components/vault/CredentialRow.tsx +130 -0
package/src/components/vault/CredentialShareModal.tsx +273 -0
package/src/components/vault/CredentialVault.tsx +1662 -0
package/src/components/vault/CredentialWalletWidget.tsx +103 -0
package/src/components/vault/DocsConsole.tsx +113 -0
package/src/components/vault/ImportCredentialsModal.tsx +578 -0
package/src/components/vault/LargeTypeModal.tsx +88 -0
package/src/components/vault/PasswordGenerator.tsx +232 -0
package/src/components/vault/TOTPDisplay.tsx +108 -0
package/src/components/vault/TotpSetupPanel.tsx +198 -0
package/src/components/vault/VaultSidebar.tsx +881 -0
package/src/components/vault/credentialFormName.ts +91 -0
package/src/components/vault/hooks/useVaultKeyboardShortcuts.ts +69 -0
package/src/components/vault/types.ts +56 -0
package/src/context/AuthContext.tsx +365 -0
package/src/context/PriceContext.tsx +113 -0
package/src/context/ThemeContext.tsx +164 -0
package/src/context/WebSocketContext.tsx +269 -0
package/src/context/WorkspaceContext.tsx +668 -0
package/src/hooks/index.ts +4 -0
package/src/hooks/useAgentActions.ts +552 -0
package/src/hooks/useBalance.ts +103 -0
package/src/hooks/useBalances.ts +129 -0
package/src/hooks/useTheme.ts +156 -0
package/src/instrumentation.ts +12 -0
package/src/lib/api-docs.ts +154 -0
package/src/lib/api.ts +474 -0
package/src/lib/app-loader.ts +148 -0
package/src/lib/app-registry.ts +178 -0
package/src/lib/app-sdk.ts +157 -0
package/src/lib/audit-console-adapter.ts +151 -0
package/src/lib/auth-client.ts +75 -0
package/src/lib/config.ts +74 -0
package/src/lib/credential-field-schema.ts +11 -0
package/src/lib/crypto.ts +112 -0
package/src/lib/db.ts +21 -0
package/src/lib/docs.ts +544 -0
package/src/lib/events.ts +363 -0
package/src/lib/pino.ts +24 -0
package/src/lib/theme-handlers.ts +168 -0
package/src/lib/theme.ts +351 -0
package/src/lib/tokenData.ts +378 -0
package/src/lib/totp-import.ts +57 -0
package/src/lib/vault-crypto.ts +129 -0
package/src/lib/view-registry.ts +57 -0
package/src/lib/websocket-server.ts +302 -0
package/src/lib/websocket-setup.ts +79 -0
package/src/lib/wordlist.ts +2050 -0
package/src/lib/workspace-handlers.ts +285 -0
package/start.sh +170 -0
package/tailwind.config.ts +99 -0
package/tsconfig.json +42 -0

package/server/cli/socket.ts ADDED Viewed

@@ -0,0 +1,579 @@
+/**
+ * Unix Socket IPC Server
+ *
+ * Provides a secure Unix socket for agent connections with:
+ * - Socket at /tmp/aura-cli-{uid}.sock (default 4242) or /tmp/aura-cli-{uid}-{port}.sock for non-default ports
+ *   with mode 0600 (owner only)
+ * - Auto-approve for same-UID processes (socket permission = peer credential)
+ * - Encrypted token delivery (server-issued RSA-OAEP/AES-256-GCM envelope)
+ *
+ * Protocol (JSON over newline-delimited messages):
+ *
+ * Agent -> CLI:
+ *   { "type": "auth", "agentId": "my-agent", "pubkey": "...", "autoApprove": true }
+ *   { "type": "auth", "agentId": "my-agent", "pubkey": "...", "limit": 0.1, "permissions": [...] }
+ *   { "type": "ping" }
+ *
+ * CLI -> Agent:
+ *   { "type": "auth_pending", "requestId": "..." }
+ *   { "type": "auth_approved", "encryptedToken": "...", "agentId": "...", ... }
+ *   { "type": "auth_rejected", "requestId": "..." }
+ *   { "type": "pong" }
+ *   { "type": "error", "message": "..." }
+ */
+import * as net from 'net';
+import * as fs from 'fs';
+import { getDefaultSync } from '../lib/defaults';
+import { getErrorMessage } from '../lib/error';
+import { isValidAgentPubkey, normalizeAgentPubkey, encryptToAgentPubkey } from '../lib/credential-transport';
+import { createToken } from '../lib/auth';
+import { isUnlocked } from '../lib/cold';
+import { AgentProfileError, resolveProfileToEffectivePolicy } from '../lib/agent-profiles';
+import { resolveAuraSocketPath } from '../lib/socket-path';
+import { buildApproveUrl } from '../lib/approval-link';
+interface SocketServerOptions {
+  serverUrl: string;
+  getToken?: () => string | null;
+}
+interface AgentAuthRequest {
+  type: 'auth';
+  agentId: string;
+  autoApprove?: boolean;
+  limit?: number;
+  permissions?: string[];
+  ttl?: number;
+  limits?: { fund?: number; send?: number; swap?: number };
+  walletAccess?: string[];
+  credentialAccess?: { read?: string[]; write?: string[]; excludeFields?: string[]; ttl?: number; maxReads?: number };
+  profile?: string;
+  profileVersion?: string;
+  profileOverrides?: {
+    ttlSeconds?: number;
+    maxReads?: number;
+    readScopes?: string[];
+    writeScopes?: string[];
+    excludeFields?: string[];
+  };
+  pubkey?: string;
+}
+interface PendingAgentAuth {
+  socket: net.Socket;
+  requestId: string;
+  secret: string;
+  agentId: string;
+  pubkey?: string;
+}
+// Rate limiting for auto-approve: track tokens per socket
+const autoApproveRates = new WeakMap<net.Socket, { count: number; resetAt: number }>();
+const AUTO_APPROVE_MAX = 10;
+const AUTO_APPROVE_WINDOW_MS = 60_000;
+function checkAutoApproveRate(socket: net.Socket): boolean {
+  const now = Date.now();
+  let entry = autoApproveRates.get(socket);
+  if (!entry || now > entry.resetAt) {
+    entry = { count: 0, resetAt: now + AUTO_APPROVE_WINDOW_MS };
+    autoApproveRates.set(socket, entry);
+  }
+  if (entry.count >= AUTO_APPROVE_MAX) return false;
+  entry.count++;
+  return true;
+}
+export class SocketServer {
+  private server: net.Server | null = null;
+  private socketPath: string;
+  private options: SocketServerOptions;
+  private pendingAuths: Map<string, PendingAgentAuth> = new Map();
+  private pollIntervals: Map<string, NodeJS.Timeout> = new Map();
+  constructor(options: SocketServerOptions) {
+    this.options = options;
+    const uid = process.getuid?.() ?? 'unknown';
+    this.socketPath = resolveAuraSocketPath({
+      uid,
+      serverUrl: options.serverUrl,
+      serverPort: process.env.WALLET_SERVER_PORT,
+    });
+  }
+  getSocketPath(): string {
+    return this.socketPath;
+  }
+  async start(): Promise<void> {
+    if (fs.existsSync(this.socketPath)) {
+      fs.unlinkSync(this.socketPath);
+    }
+    return new Promise((resolve, reject) => {
+      this.server = net.createServer((socket) => {
+        this.handleConnection(socket);
+      });
+      this.server.on('error', (err) => {
+        console.error('Socket server error:', err.message);
+        reject(err);
+      });
+      this.server.listen(this.socketPath, () => {
+        fs.chmodSync(this.socketPath, 0o600);
+        console.log(`Unix socket listening at ${this.socketPath}`);
+        resolve();
+      });
+    });
+  }
+  async stop(): Promise<void> {
+    this.pollIntervals.forEach((interval) => {
+      clearInterval(interval);
+    });
+    this.pollIntervals.clear();
+    return new Promise((resolve) => {
+      if (this.server) {
+        this.server.close(() => {
+          if (fs.existsSync(this.socketPath)) {
+            try { fs.unlinkSync(this.socketPath); } catch { /* ignore */ }
+          }
+          resolve();
+        });
+      } else {
+        resolve();
+      }
+    });
+  }
+  private handleConnection(socket: net.Socket): void {
+    const MAX_BUFFER_SIZE = 64 * 1024; // 64KB
+    let buffer = '';
+    socket.on('data', (data) => {
+      buffer += data.toString();
+      if (buffer.length > MAX_BUFFER_SIZE) {
+        console.error('[socket] Buffer overflow — disconnecting client');
+        this.send(socket, { type: 'error', message: 'Message too large' });
+        socket.destroy();
+        return;
+      }
+      let newlineIndex;
+      while ((newlineIndex = buffer.indexOf('\n')) !== -1) {
+        const line = buffer.substring(0, newlineIndex);
+        buffer = buffer.substring(newlineIndex + 1);
+        if (line.trim()) {
+          this.handleMessage(socket, line.trim());
+        }
+      }
+    });
+    socket.on('error', (err) => {
+      console.error(`[socket] Connection error: ${err.message} (code=${(err as NodeJS.ErrnoException).code})`);
+    });
+    socket.on('close', () => {
+      const toDelete: string[] = [];
+      this.pendingAuths.forEach((pending, requestId) => {
+        if (pending.socket === socket) {
+          const interval = this.pollIntervals.get(requestId);
+          if (interval) {
+            clearInterval(interval);
+            this.pollIntervals.delete(requestId);
+          }
+          toDelete.push(requestId);
+        }
+      });
+      toDelete.forEach(id => this.pendingAuths.delete(id));
+    });
+  }
+  private handleMessage(socket: net.Socket, message: string): void {
+    try {
+      const msg = JSON.parse(message);
+      switch (msg.type) {
+        case 'ping':
+          this.send(socket, { type: 'pong' });
+          break;
+        case 'auth':
+          this.handleAuthRequest(socket, msg as AgentAuthRequest);
+          break;
+        default:
+          this.send(socket, { type: 'error', message: `Unknown message type: ${msg.type}` });
+      }
+    } catch {
+      this.send(socket, { type: 'error', message: 'Invalid JSON message' });
+    }
+  }
+  /**
+   * Handle auth request — auto-approve path or standard approval flow
+   */
+  private async handleAuthRequest(socket: net.Socket, request: AgentAuthRequest): Promise<void> {
+    try {
+      if (typeof request.pubkey !== 'string' || !request.pubkey.trim()) {
+        this.send(socket, { type: 'error', message: 'pubkey is required for auth requests' });
+        return;
+      }
+      if (!isValidAgentPubkey(request.pubkey)) {
+        this.send(socket, { type: 'error', message: 'Invalid RSA public key' });
+        return;
+      }
+      const normalizedPubkey = normalizeAgentPubkey(request.pubkey);
+      // ── Auto-approve path ──
+      if (request.autoApprove) {
+        const autoApproveEnabled = getDefaultSync<boolean>('trust.localAutoApprove', false);
+        if (!autoApproveEnabled) {
+          this.send(socket, { type: 'error', message: 'Auto-approve is disabled. Use standard approval flow.' });
+          return;
+        }
+        // Rate limit
+        if (!checkAutoApproveRate(socket)) {
+          this.send(socket, { type: 'error', message: 'Rate limit exceeded for auto-approve (max 10/minute)' });
+          return;
+        }
+        // Resolve local auto-approve policy defaults
+        const limits = getDefaultSync<Record<string, number>>('trust.localLimits', { fund: 0, send: 0, swap: 0 });
+        const localProfile = String(getDefaultSync<string>('trust.localProfile', 'dev') || '').trim();
+        const localProfileVersion = String(getDefaultSync<string>('trust.localProfileVersion', 'v1') || '').trim();
+        const localProfileOverrides = getDefaultSync<AgentAuthRequest['profileOverrides'] | null>('trust.localProfileOverrides', null);
+        const agentId = request.agentId || 'local-agent';
+        if (!localProfile) {
+          this.send(socket, { type: 'error', message: 'Local profile is not configured for socket issuance.' });
+          return;
+        }
+        if (localProfile === 'strict') {
+          this.send(socket, { type: 'error', message: 'Strict profile requires manual approval (auto-approve disabled).' });
+          return;
+        }
+        const hasTokenProvider = typeof this.options.getToken === 'function';
+        const adminToken = hasTokenProvider ? this.options.getToken() : null;
+        // CLI daemon mode: require unlocked admin token callback.
+        if (hasTokenProvider && !adminToken) {
+          this.send(socket, { type: 'error', message: 'CLI daemon is locked. Unlock before socket auto-approve.' });
+          return;
+        }
+        // When an admin token callback exists, issue via HTTP route.
+        if (adminToken) {
+          const issueBody: Record<string, unknown> = {
+            agentId,
+            limits,
+            pubkey: normalizedPubkey,
+            profile: localProfile,
+            profileVersion: localProfileVersion || 'v1',
+          };
+          if (localProfileOverrides) {
+            issueBody.profileOverrides = localProfileOverrides;
+          }
+          const issueResponse = await fetch(`${this.options.serverUrl}/actions/token`, {
+            method: 'POST',
+            headers: {
+              'Authorization': `Bearer ${adminToken}`,
+              'Content-Type': 'application/json',
+            },
+            body: JSON.stringify(issueBody),
+          });
+          let issueData: {
+            success?: boolean;
+            error?: string;
+            code?: string;
+            encryptedToken?: string;
+            permissions?: string[];
+            limits?: { fund?: number; send?: number; swap?: number };
+            profile?: { id: string; version: string; displayName?: string; rationale?: string };
+            effectivePolicyHash?: string;
+            overrideDelta?: string[];
+            warnings?: string[];
+            expiresIn?: number;
+          } = {};
+          try {
+            issueData = await issueResponse.json();
+          } catch {
+            issueData = {};
+          }
+          if (!issueResponse.ok || !issueData.success || !issueData.encryptedToken) {
+            const message = issueData.error
+              ? (issueData.code ? `${issueData.error} (${issueData.code})` : issueData.error)
+              : `Auto-approve token issue failed (${issueResponse.status})`;
+            this.send(socket, { type: 'error', message });
+            return;
+          }
+          this.send(socket, {
+            type: 'auth_approved',
+            encryptedToken: issueData.encryptedToken,
+            agentId,
+            permissions: issueData.permissions || [],
+            limits: issueData.limits || limits,
+            ttl: issueData.expiresIn,
+            profile: issueData.profile,
+            effectivePolicyHash: issueData.effectivePolicyHash,
+            overrideDelta: issueData.overrideDelta,
+            warnings: issueData.warnings,
+          });
+          console.log(`[socket][audit] auto-approve issued token agentId=${agentId} ttl=${issueData.expiresIn ?? 0}s profile=${profile.id}@${profile.version}`);
+          return;
+        }
+        // Server-runtime mode: issue token in-process so settings changes apply immediately.
+        if (!isUnlocked()) {
+          this.send(socket, { type: 'error', message: 'Wallet is locked. Unlock first.' });
+          return;
+        }
+        const fundLimit = typeof limits.fund === 'number' ? limits.fund : 0;
+        const defaultSendLimit = getDefaultSync<number>('limits.send', 0.1);
+        const defaultSwapLimit = getDefaultSync<number>('limits.swap', 0.1);
+        const resolvedProfile = resolveProfileToEffectivePolicy({
+          profileId: localProfile,
+          profileVersion: localProfileVersion || 'v1',
+          overrides: localProfileOverrides ?? undefined,
+        });
+        const effectivePermissions = [...resolvedProfile.permissions];
+        const ttlSeconds = resolvedProfile.ttlSeconds;
+        const tokenLimits = {
+          fund: fundLimit,
+          send: defaultSendLimit,
+          swap: defaultSwapLimit,
+          ...limits,
+        };
+        const token = await createToken(agentId, fundLimit, effectivePermissions, ttlSeconds, {
+          limits: tokenLimits,
+          credentialAccess: resolvedProfile.credentialAccess,
+          agentPubkey: normalizedPubkey,
+        });
+        const encryptedToken = encryptToAgentPubkey(token, normalizedPubkey);
+        this.send(socket, {
+          type: 'auth_approved',
+          encryptedToken,
+          agentId,
+          permissions: effectivePermissions,
+          limits: tokenLimits,
+          ttl: ttlSeconds,
+          profile: resolvedProfile.profile,
+          effectivePolicyHash: resolvedProfile.effectivePolicyHash,
+          overrideDelta: resolvedProfile.overrideDelta,
+          warnings: resolvedProfile.warnings,
+        });
+        console.log(`[socket][audit] auto-approve issued token agentId=${agentId} ttl=${ttlSeconds}s profile=${localProfile}@${localProfileVersion} path=in-process`);
+        return;
+      }
+      // ── Standard approval flow (proxy to HTTP) ──
+      if (request.permissions !== undefined || request.ttl !== undefined || request.credentialAccess !== undefined) {
+        this.send(socket, {
+          type: 'error',
+          message: 'Raw permission issuance is disabled. Use profile + optional profileOverrides.',
+        });
+        return;
+      }
+      const requestProfile = (
+        typeof request.profile === 'string' && request.profile.trim().length > 0
+          ? request.profile.trim()
+          : String(getDefaultSync<string>('trust.localProfile', 'dev') || '').trim()
+      );
+      const requestProfileVersion = (
+        typeof request.profileVersion === 'string' && request.profileVersion.trim().length > 0
+          ? request.profileVersion.trim()
+          : String(getDefaultSync<string>('trust.localProfileVersion', 'v1') || '').trim()
+      );
+      if (!requestProfile) {
+        this.send(socket, { type: 'error', message: 'profile is required for auth requests' });
+        return;
+      }
+      const response = await fetch(`${this.options.serverUrl}/auth`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+          agentId: request.agentId,
+          limit: request.limit ?? getDefaultSync<number>('limits.fund', 0),
+          limits: request.limits,
+          walletAccess: request.walletAccess,
+          profile: requestProfile,
+          profileVersion: requestProfileVersion || 'v1',
+          profileOverrides: request.profileOverrides,
+          pubkey: request.pubkey,
+        })
+      });
+      const data = await response.json() as {
+        success?: boolean;
+        requestId?: string;
+        secret?: string;
+        error?: string;
+      };
+      if (!response.ok || !data.success) {
+        this.send(socket, {
+          type: 'error',
+          message: data.error || 'Failed to create auth request'
+        });
+        return;
+      }
+      // Store pending auth info (with pubkey for encrypted delivery)
+      const pending: PendingAgentAuth = {
+        socket,
+        requestId: data.requestId!,
+        secret: data.secret!,
+        agentId: request.agentId,
+        pubkey: normalizedPubkey,
+      };
+      this.pendingAuths.set(data.requestId!, pending);
+      const dashboardBase = `http://localhost:${process.env.DASHBOARD_PORT || '4747'}`;
+      this.send(socket, {
+        type: 'auth_pending',
+        requestId: data.requestId,
+        approveUrl: buildApproveUrl(dashboardBase, data.requestId!),
+        message: 'Action escalated — waiting for human approval'
+      });
+      this.startPolling(data.requestId!, data.secret!);
+    } catch (error) {
+      if (error instanceof AgentProfileError) {
+        const suffix = error.code ? ` (${error.code})` : '';
+        this.send(socket, { type: 'error', message: `${error.message}${suffix}` });
+        return;
+      }
+      const message = getErrorMessage(error);
+      this.send(socket, { type: 'error', message });
+    }
+  }
+  /**
+   * Start polling for request approval
+   */
+  private startPolling(requestId: string, secret: string): void {
+    const MAX_POLL_DURATION_MS = 10 * 60 * 1000; // 10 minutes
+    const pollStart = Date.now();
+    const interval = setInterval(async () => {
+      // Timeout: stop polling after 10 minutes
+      if (Date.now() - pollStart > MAX_POLL_DURATION_MS) {
+        const pending = this.pendingAuths.get(requestId);
+        if (pending) {
+          this.send(pending.socket, { type: 'error', message: 'Auth request timed out (10 minutes)' });
+          this.pendingAuths.delete(requestId);
+        }
+        clearInterval(interval);
+        this.pollIntervals.delete(requestId);
+        console.error(`[socket] Poll timeout for request ${requestId}`);
+        return;
+      }
+      try {
+        const response = await fetch(
+          `${this.options.serverUrl}/auth/${requestId}?secret=${encodeURIComponent(secret)}`
+        );
+        const data = await response.json() as {
+          success?: boolean;
+          status?: string;
+          token?: string;
+          encryptedToken?: string;
+          agentId?: string;
+          limit?: number;
+          limits?: { fund?: number; send?: number; swap?: number };
+          permissions?: string[];
+          walletAccess?: string[];
+          profile?: { id: string; version: string; displayName?: string; rationale?: string };
+          effectivePolicyHash?: string;
+          overrideDelta?: string[];
+          warnings?: string[];
+          error?: string;
+        };
+        if (!response.ok || !data.success) {
+          return; // Keep polling
+        }
+        const pending = this.pendingAuths.get(requestId);
+        if (!pending) {
+          clearInterval(interval);
+          this.pollIntervals.delete(requestId);
+          return;
+        }
+        if (data.status === 'approved') {
+          if (!data.encryptedToken) {
+            this.send(pending.socket, {
+              type: 'error',
+              message: 'Encrypted token unavailable for auth approval',
+            });
+            clearInterval(interval);
+            this.pollIntervals.delete(requestId);
+            this.pendingAuths.delete(requestId);
+            return;
+          }
+          this.send(pending.socket, {
+            type: 'auth_approved',
+            encryptedToken: data.encryptedToken,
+            agentId: data.agentId,
+            limit: data.limit,
+            limits: data.limits,
+            permissions: data.permissions,
+            walletAccess: data.walletAccess,
+            profile: data.profile,
+            effectivePolicyHash: data.effectivePolicyHash,
+            overrideDelta: data.overrideDelta,
+            warnings: data.warnings,
+          });
+          clearInterval(interval);
+          this.pollIntervals.delete(requestId);
+          this.pendingAuths.delete(requestId);
+        } else if (data.status === 'rejected') {
+          this.send(pending.socket, {
+            type: 'auth_rejected',
+            requestId,
+            message: 'Request was rejected'
+          });
+          clearInterval(interval);
+          this.pollIntervals.delete(requestId);
+          this.pendingAuths.delete(requestId);
+        }
+      } catch (err) {
+        console.error(`[socket] Poll error for ${requestId}: ${getErrorMessage(err)}`);
+      }
+    }, 2000);
+    this.pollIntervals.set(requestId, interval);
+  }
+  private send(socket: net.Socket, message: object): void {
+    try {
+      socket.write(JSON.stringify(message) + '\n');
+    } catch {
+      // Socket may be closed
+    }
+  }
+}

package/server/cli/transport-client.ts ADDED Viewed

@@ -0,0 +1,50 @@
+/**
+ * Transport Client - RSA encryption for CLI password transport
+ *
+ * Mirrors the server's transport.ts but provides the encryption side
+ * (server has decryption). Uses RSA-OAEP with SHA-256 for semantic security.
+ */
+import { publicEncrypt, constants, generateKeyPairSync } from 'crypto';
+export interface AgentKeypair {
+  publicKey: string;
+  privateKey: string;
+}
+/**
+ * Encrypt a password using the server's RSA public key
+ * @param password Plaintext password
+ * @param publicKeyPem Server's RSA public key in PEM format
+ * @returns Base64-encoded RSA-OAEP encrypted password
+ */
+export function encryptPassword(password: string, publicKeyPem: string): string {
+  const buffer = Buffer.from(password, 'utf8');
+  const encrypted = publicEncrypt(
+    {
+      key: publicKeyPem,
+      padding: constants.RSA_PKCS1_OAEP_PADDING,
+      oaepHash: 'sha256'
+    },
+    buffer
+  );
+  return encrypted.toString('base64');
+}
+/**
+ * Generate an RSA-OAEP keypair for agent token mint requests.
+ *
+ * The public key is sent as `pubkey` when minting tokens. The private key can
+ * be retained by the caller runtime if credential decryption is needed.
+ */
+export function generateAgentKeypair(): AgentKeypair {
+  const pair = generateKeyPairSync('rsa', {
+    modulusLength: 2048,
+    publicKeyEncoding: { type: 'spki', format: 'pem' },
+    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
+  });
+  return {
+    publicKey: pair.publicKey,
+    privateKey: pair.privateKey,
+  };
+}