auramaxx 0.0.1

package/server/lib/resolve-action.ts

@@ -0,0 +1,328 @@
+/**
+ * Extracted resolve logic from `POST /actions/:id/resolve`.
+ *
+ * Called by both the HTTP route handler and the ApprovalRouter (direct in-process).
+ */
+
+import { prisma } from './db';
+import { events, emitWalletEvent } from './events';
+import { createToken, getTokenHash, escrowToken, type AgentTokenPayload } from './auth';
+import { isValidAgentPubkey, normalizeAgentPubkey } from './credential-transport';
+import { isUnlocked, getColdWalletAddress } from './cold';
+import { normalizeAddress } from './address';
+import { getDefault } from './defaults';
+import { logger } from './logger';
+import { getErrorMessage } from './error';
+import { autoExecuteAction } from './auto-execute';
+
+export interface ResolveActionOptions {
+  walletAccess?: string[];
+  limits?: Record<string, number>;
+}
+
+export interface ResolveActionResult {
+  success: boolean;
+  statusCode: 200 | 400 | 401 | 404;
+  data: Record<string, unknown>;
+}
+
+export async function resolveAction(
+  actionId: string,
+  approved: boolean,
+  opts?: ResolveActionOptions,
+): Promise<ResolveActionResult> {
+  const id = actionId;
+  const walletAccess = opts?.walletAccess;
+  const overrideLimits = opts?.limits;
+
+  if (typeof approved !== 'boolean') {
+    return { success: false, statusCode: 400, data: { success: false, error: 'approved (boolean) is required' } };
+  }
+
+  const request = await prisma.humanAction.findUnique({ where: { id } });
+  if (!request || request.status !== 'pending') {
+    return { success: false, statusCode: 404, data: { success: false, error: 'Action not found or already resolved' } };
+  }
+
+  if (request.type === 'strategy:message') {
+    return { success: false, statusCode: 400, data: { success: false, error: 'Internal message jobs are not manually resolvable' } };
+  }
+
+  // Handle rejection for all types
+  if (!approved) {
+    await prisma.humanAction.update({
+      where: { id },
+      data: { status: 'rejected', resolvedAt: new Date() },
+    });
+
+    events.actionResolved({ id, type: request.type, approved: false, resolvedBy: 'dashboard' });
+    logger.actionResolved(id, request.type, false, 'dashboard');
+
+    // Notify app of rejection via app:emit
+    if (request.type === 'action') {
+      let meta: { agentId?: string } = {};
+      try { meta = JSON.parse(request.metadata || '{}'); } catch {}
+      emitWalletEvent('app:emit', {
+        strategyId: (meta.agentId || '').replace(/^app:/, ''),
+        channel: 'action:resolved',
+        data: { requestId: id, approved: false },
+      });
+    }
+
+    return { success: true, statusCode: 200, data: { success: true, approved: false } };
+  }
+
+  // === APPROVAL ===
+
+  // Strategy approvals
+  if (request.type === 'strategy:approve') {
+    await prisma.humanAction.update({
+      where: { id },
+      data: { status: 'approved', resolvedAt: new Date() },
+    });
+
+    events.actionResolved({ id, type: request.type, approved: true, resolvedBy: 'dashboard' });
+    return { success: true, statusCode: 200, data: { success: true, approved: true } };
+  }
+
+  // Auth / agent_access / action approvals — generate token
+  if (request.type === 'auth' || request.type === 'agent_access' || request.type === 'action') {
+    if (!isUnlocked()) {
+      return { success: false, statusCode: 401, data: { success: false, error: 'Wallet is locked. Unlock first.' } };
+    }
+
+    let metadata: {
+      agentId?: string;
+      limit?: number;
+      permissions?: string[];
+      ttl?: number;
+      secretHash?: string;
+      limits?: { fund?: number; send?: number; swap?: number };
+      walletAccess?: string[];
+      credentialAccess?: AgentTokenPayload['credentialAccess'];
+      pubkey?: string;
+      strategyId?: string;
+      summary?: string;
+      action?: { endpoint?: string; method?: string; body?: Record<string, unknown> };
+    } = {};
+    if (request.metadata) {
+      try { metadata = JSON.parse(request.metadata); } catch { /* ignore */ }
+    }
+
+    const agentId = metadata.agentId || `agent-${id.slice(0, 8)}`;
+    const defaultFundLimit = await getDefault<number>('limits.fund', 0);
+    const defaultSendLimit = await getDefault<number>('limits.send', 0.1);
+    const defaultSwapLimit = await getDefault<number>('limits.swap', 0.1);
+    const defaultPermissions = await getDefault<string[]>('permissions.default', ['wallet:create:hot', 'send:hot', 'swap', 'fund', 'action:create']);
+    const defaultTtl = await getDefault<number>('ttl.agent', 3600);
+    const limit = overrideLimits?.fund ?? metadata.limit ?? defaultFundLimit;
+    const permissions = metadata.permissions || defaultPermissions;
+    const ttl = metadata.ttl || defaultTtl;
+    let normalizedPubkey = metadata.pubkey;
+    if (normalizedPubkey) {
+      if (!isValidAgentPubkey(normalizedPubkey)) {
+        return { success: false, statusCode: 400, data: { success: false, error: 'Stored pubkey is invalid for token issuance' } };
+      }
+      normalizedPubkey = normalizeAgentPubkey(normalizedPubkey);
+    }
+    if (!normalizedPubkey) {
+      return { success: false, statusCode: 400, data: { success: false, error: 'pubkey is required when approving token issuance' } };
+    }
+
+    const finalWalletAccess = walletAccess
+      ? walletAccess.map((addr: string) => normalizeAddress(addr))
+      : metadata.walletAccess;
+
+    // Build limits: per-token overrides > request metadata > system defaults
+    const baseLimits = { fund: limit, send: defaultSendLimit, swap: defaultSwapLimit };
+    const finalLimits = overrideLimits
+      ? { ...baseLimits, ...overrideLimits }
+      : metadata.limits
+        ? { ...baseLimits, ...metadata.limits }
+        : baseLimits;
+
+    const token = await createToken(agentId, limit, permissions, ttl, {
+      limits: finalLimits,
+      walletAccess: finalWalletAccess,
+      credentialAccess: metadata.credentialAccess,
+      agentPubkey: normalizedPubkey,
+    });
+
+    // Escrow the raw token in memory — never store it in the DB
+    escrowToken(id, token);
+
+    // Update request status with tokenHash (not raw token) for audit/display
+    await prisma.humanAction.update({
+      where: { id },
+      data: {
+        status: 'approved',
+        resolvedAt: new Date(),
+        metadata: JSON.stringify({
+          ...metadata,
+          tokenHash: getTokenHash(token),
+          limits: finalLimits,
+          walletAccess: finalWalletAccess,
+          pubkey: normalizedPubkey,
+          credentialAccess: metadata.credentialAccess,
+        }),
+      },
+    });
+
+    // Log the approval
+    await prisma.log.create({
+      data: {
+        walletAddress: getColdWalletAddress() || 'system',
+        title: 'Agent Access Approved',
+        description: `Generated token for ${agentId} with ${limit} ETH limit`,
+      },
+    });
+
+    events.tokenCreated({
+      tokenHash: getTokenHash(token),
+      agentId,
+      limit,
+      permissions,
+      expiresAt: Date.now() + ttl * 1000,
+    });
+    events.actionResolved({ id, type: request.type, approved: true, resolvedBy: 'dashboard' });
+    logger.actionResolved(id, request.type, true, 'dashboard');
+
+    // Notify app of approval via app:emit (always, even with auto-execute)
+    if (request.type === 'action') {
+      emitWalletEvent('app:emit', {
+        strategyId: (metadata.agentId || '').replace(/^app:/, ''),
+        channel: 'action:resolved',
+        data: { requestId: id, approved: true },
+      });
+    }
+
+    // Auto-execute pre-computed action if present in metadata
+    if (metadata.action && (request.type === 'action' || request.type === 'auth')) {
+      const action = metadata.action as { endpoint?: string; method?: string; body?: Record<string, unknown> };
+      if (action.endpoint && action.method) {
+        await autoExecuteAction(
+          { endpoint: action.endpoint, method: action.method, body: action.body },
+          { requestId: id, agentId: metadata.agentId || '', summary: metadata.summary, token },
+        );
+      }
+    }
+
+    return {
+      success: true,
+      statusCode: 200,
+      data: {
+        success: true,
+        token,
+        agentId,
+        limit,
+        limits: finalLimits,
+        permissions,
+        walletAccess: finalWalletAccess,
+        expiresIn: ttl,
+      },
+    };
+  }
+
+  // Permission update approvals — generate token with updated permissions
+  if (request.type === 'permission_update') {
+    if (!isUnlocked()) {
+      return { success: false, statusCode: 401, data: { success: false, error: 'Wallet is locked. Unlock first.' } };
+    }
+
+    let metadata: {
+      agentId?: string;
+      tokenHash?: string;
+      requestedPermissions?: string[];
+      requestedWalletAccess?: string[];
+      requestedLimits?: { fund?: number; send?: number; swap?: number };
+      requestedPubkey?: string;
+      secretHash?: string;
+    } = {};
+    if (request.metadata) {
+      try { metadata = JSON.parse(request.metadata); } catch { /* ignore */ }
+    }
+
+    const agentId = metadata.agentId || `agent-${id.slice(0, 8)}`;
+    const newPermissions = overrideLimits?.permissions ?? metadata.requestedPermissions ?? [];
+    const newWalletAccess = walletAccess
+      ? walletAccess.map((addr: string) => normalizeAddress(addr))
+      : metadata.requestedWalletAccess;
+    const newLimits = overrideLimits || metadata.requestedLimits;
+    let normalizedPubkey = metadata.requestedPubkey;
+    if (normalizedPubkey) {
+      if (!isValidAgentPubkey(normalizedPubkey)) {
+        return { success: false, statusCode: 400, data: { success: false, error: 'requestedPubkey is invalid' } };
+      }
+      normalizedPubkey = normalizeAgentPubkey(normalizedPubkey);
+    }
+    if (!normalizedPubkey) {
+      return { success: false, statusCode: 400, data: { success: false, error: 'requestedPubkey is required for token issuance' } };
+    }
+
+    const ttl = await getDefault<number>('ttl.agent', 3600);
+    const token = await createToken(agentId, newLimits?.fund ?? 0, newPermissions, ttl, {
+      limits: newLimits,
+      walletAccess: newWalletAccess,
+      agentPubkey: normalizedPubkey,
+    });
+
+    // Escrow the raw token in memory — never store it in the DB
+    escrowToken(id, token);
+
+    await prisma.humanAction.update({
+      where: { id },
+      data: {
+        status: 'approved',
+        resolvedAt: new Date(),
+        metadata: JSON.stringify({
+          ...metadata,
+          tokenHash: getTokenHash(token),
+          approvedPermissions: newPermissions,
+          approvedWalletAccess: newWalletAccess,
+          approvedLimits: newLimits,
+          requestedPubkey: normalizedPubkey,
+        }),
+      },
+    });
+
+    await prisma.log.create({
+      data: {
+        walletAddress: getColdWalletAddress() || 'system',
+        title: 'Permission Update Approved',
+        description: `Updated permissions for ${agentId}`,
+      },
+    });
+
+    events.tokenCreated({
+      tokenHash: getTokenHash(token),
+      agentId,
+      limit: newLimits?.fund ?? 0,
+      permissions: newPermissions,
+      expiresAt: Date.now() + ttl * 1000,
+    });
+    events.actionResolved({ id, type: request.type, approved: true, resolvedBy: 'dashboard' });
+
+    return {
+      success: true,
+      statusCode: 200,
+      data: {
+        success: true,
+        token,
+        agentId,
+        permissions: newPermissions,
+        walletAccess: newWalletAccess,
+        limits: newLimits,
+      },
+    };
+  }
+
+  // For other types (fund_transfer, etc.), update DB and emit event
+  await prisma.humanAction.update({
+    where: { id },
+    data: { status: approved ? 'approved' : 'rejected', resolvedAt: new Date() },
+  });
+
+  events.actionResolved({ id, type: request.type, approved, resolvedBy: 'dashboard' });
+
+  return { success: true, statusCode: 200, data: { success: true, approved } };
+}

package/server/lib/resolve.ts

@@ -0,0 +1,36 @@
+import { ethers } from 'ethers';
+import { getRpcUrl } from './config';
+
+/**
+ * Resolve an ENS name (.eth) to an Ethereum address.
+ * Uses ethers built-in provider.resolveName() which handles ENS natively.
+ * ENS resolution always uses Ethereum mainnet (ENS is deployed on L1).
+ */
+export async function resolveName(name: string): Promise<{ address: string; name: string }> {
+  if (!name || typeof name !== 'string') {
+    throw new Error('Name is required');
+  }
+
+  // Only support .eth names for now (.sol is out of scope)
+  if (!name.endsWith('.eth')) {
+    throw new Error(`Unsupported name format: ${name}. Only .eth names are supported.`);
+  }
+
+  // ENS lives on Ethereum mainnet — always resolve against L1
+  const rpcUrl = await getRpcUrl('ethereum');
+  const provider = new ethers.JsonRpcProvider(rpcUrl);
+
+  const address = await provider.resolveName(name);
+  if (!address) {
+    throw new Error(`Could not resolve: ${name}`);
+  }
+
+  return { address, name };
+}
+
+/**
+ * Check if a string looks like an ENS name (contains a dot).
+ */
+export function looksLikeName(value: string): boolean {
+  return value.includes('.') && !value.startsWith('0x') && !value.match(/^[1-9A-HJ-NP-Za-km-z]{32,44}$/);
+}

package/server/lib/secret-gist-share.ts

@@ -0,0 +1,296 @@
+import { spawn } from 'child_process';
+import {
+  canonicalizeCredentialFieldKey,
+  getCredentialPrimaryFieldKey,
+} from '../../shared/credential-field-schema';
+
+export type SecretGistAccessMode = 'anyone' | 'password';
+export type SecretGistErrorCode = 'GH_MISSING' | 'GH_AUTH_REQUIRED' | 'GH_CREATE_FAILED';
+
+export interface SecretGistField {
+  key: string;
+  value: string;
+  sensitive?: boolean;
+}
+
+export class SecretGistError extends Error {
+  code: SecretGistErrorCode;
+  remediation: string;
+  detail?: string;
+
+  constructor(
+    code: SecretGistErrorCode,
+    message: string,
+    remediation: string,
+    detail?: string,
+  ) {
+    super(message);
+    this.name = 'SecretGistError';
+    this.code = code;
+    this.remediation = remediation;
+    this.detail = detail;
+  }
+}
+
+export interface SecretGistInput {
+  credentialId: string;
+  credentialName: string;
+  credentialType?: string;
+  shareUrl: string;
+  accessMode: SecretGistAccessMode;
+  oneTimeOnly: boolean;
+  expiresAfter: string;
+  fields?: SecretGistField[];
+}
+
+export interface SecretGistDraft {
+  title: string;
+  filename: string;
+  marker: string;
+  identifier: string;
+  content: string;
+}
+
+export interface SecretGistResult extends SecretGistDraft {
+  url: string;
+}
+
+interface GhCommandResult {
+  code: number;
+  stdout: string;
+  stderr: string;
+  spawnError: NodeJS.ErrnoException | null;
+}
+
+function normalizeInlineText(raw: string): string {
+  return raw.replace(/\s+/g, ' ').trim();
+}
+
+function normalizeFieldValue(raw: string): string {
+  return raw.replace(/\r?\n/g, '\\n').trim();
+}
+
+function normalizeLookupKey(type: string | undefined, key: string): string {
+  const trimmed = key.trim();
+  if (!trimmed) return '';
+  if (!type) return trimmed.toLowerCase();
+  return canonicalizeCredentialFieldKey(type, trimmed).toLowerCase();
+}
+
+function formatFieldLabel(raw: string): string {
+  const trimmed = normalizeInlineText(raw);
+  if (!trimmed) return 'FIELD';
+  return trimmed.replace(/\s+/g, '_').toUpperCase();
+}
+
+function resolvePrimaryField(fields: SecretGistField[], type?: string): { index: number; value: string } {
+  if (fields.length === 0) return { index: -1, value: '(none)' };
+
+  if (type) {
+    const mappedKey = normalizeLookupKey(type, getCredentialPrimaryFieldKey(type));
+    if (mappedKey) {
+      const mappedSensitiveIndex = fields.findIndex((field) =>
+        normalizeLookupKey(type, field.key) === mappedKey && field.sensitive !== false);
+      if (mappedSensitiveIndex >= 0) {
+        return { index: mappedSensitiveIndex, value: fields[mappedSensitiveIndex].value };
+      }
+      const mappedIndex = fields.findIndex((field) => normalizeLookupKey(type, field.key) === mappedKey);
+      if (mappedIndex >= 0) {
+        return { index: mappedIndex, value: fields[mappedIndex].value };
+      }
+    }
+  }
+
+  const valueKeyIndex = fields.findIndex((field) => normalizeLookupKey(type, field.key) === 'value');
+  if (valueKeyIndex >= 0) {
+    return { index: valueKeyIndex, value: fields[valueKeyIndex].value };
+  }
+
+  const firstSensitiveIndex = fields.findIndex((field) => field.sensitive !== false);
+  if (firstSensitiveIndex >= 0) {
+    return { index: firstSensitiveIndex, value: fields[firstSensitiveIndex].value };
+  }
+
+  return { index: 0, value: fields[0].value };
+}
+
+function sanitizeFilenameSlug(raw: string): string {
+  return raw
+    .toLowerCase()
+    .replace(/[^a-z0-9]+/g, '-')
+    .replace(/^-+|-+$/g, '')
+    .slice(0, 48);
+}
+
+function extractFirstUrl(raw: string): string | null {
+  const match = raw.match(/https?:\/\/[^\s]+/i);
+  if (!match) return null;
+  return match[0].replace(/[)\],.]+$/, '');
+}
+
+function looksLikeAuthFailure(raw: string): boolean {
+  const lower = raw.toLowerCase();
+  return lower.includes('gh auth login')
+    || lower.includes('not logged in')
+    || lower.includes('authenticate')
+    || lower.includes('authentication');
+}
+
+function missingGhError(): SecretGistError {
+  return new SecretGistError(
+    'GH_MISSING',
+    'GitHub CLI (`gh`) is not installed. Secret gist sharing requires `gh`.',
+    'Install GitHub CLI from https://cli.github.com/ and run `gh auth login`, then retry.',
+  );
+}
+
+function unauthenticatedGhError(detail?: string): SecretGistError {
+  return new SecretGistError(
+    'GH_AUTH_REQUIRED',
+    'GitHub CLI is not authenticated for gist creation.',
+    'Run `gh auth login` (or `gh auth status`) and retry the share command.',
+    detail,
+  );
+}
+
+function gistCreateError(detail?: string): SecretGistError {
+  return new SecretGistError(
+    'GH_CREATE_FAILED',
+    'Failed to create secret gist via GitHub CLI.',
+    'Verify `gh auth status` succeeds and retry `gh gist create` (without `--public`).',
+    detail,
+  );
+}
+
+function runGh(args: string[], stdinText?: string): Promise<GhCommandResult> {
+  return new Promise((resolve) => {
+    let stdout = '';
+    let stderr = '';
+    let settled = false;
+
+    const finish = (result: GhCommandResult) => {
+      if (settled) return;
+      settled = true;
+      resolve(result);
+    };
+
+    const child = spawn('gh', args, {
+      stdio: ['pipe', 'pipe', 'pipe'],
+    });
+
+    child.stdout.on('data', (chunk: Buffer | string) => {
+      stdout += chunk.toString();
+    });
+    child.stderr.on('data', (chunk: Buffer | string) => {
+      stderr += chunk.toString();
+    });
+
+    child.on('error', (error: NodeJS.ErrnoException) => {
+      finish({
+        code: 127,
+        stdout,
+        stderr,
+        spawnError: error,
+      });
+    });
+
+    child.on('close', (code) => {
+      finish({
+        code: typeof code === 'number' ? code : 1,
+        stdout,
+        stderr,
+        spawnError: null,
+      });
+    });
+
+    if (stdinText) {
+      child.stdin.write(stdinText);
+    }
+    child.stdin.end();
+  });
+}
+
+function isMissingGh(result: GhCommandResult): boolean {
+  return result.spawnError?.code === 'ENOENT';
+}
+
+export function buildSecretGistDraft(input: SecretGistInput): SecretGistDraft {
+  const normalizedName = normalizeInlineText(input.credentialName) || 'credential';
+  const filenameSlug = sanitizeFilenameSlug(normalizedName) || 'credential';
+  const title = 'AURAMAXX.SH';
+  const filename = `auramaxx-sh-${filenameSlug}.txt`;
+  const marker = '';
+  const identifier = '';
+
+  const normalizedFields = (input.fields || [])
+    .map((field) => ({
+      key: normalizeInlineText(field.key || 'field'),
+      value: normalizeFieldValue(String(field.value || '')),
+      sensitive: field.sensitive,
+    }))
+    .filter((field) => field.key.length > 0 && field.value.length > 0);
+
+  const primary = resolvePrimaryField(normalizedFields, input.credentialType);
+  const otherFields = normalizedFields.filter((_, index) => index !== primary.index);
+
+  const lines = [
+    '------------------------------',
+    'AURAMAXX.SH',
+    '------------------------------',
+    `NAME: ${normalizedName}`,
+    `VALUE: ${normalizeFieldValue(primary.value) || '(none)'}`,
+    '',
+  ];
+
+  for (const field of otherFields) {
+    lines.push(`${formatFieldLabel(field.key)}: ${field.value}`);
+  }
+
+  return {
+    title,
+    filename,
+    marker,
+    identifier,
+    content: `${lines.join('\n')}\n`,
+  };
+}
+
+export async function createSecretGist(input: SecretGistInput): Promise<SecretGistResult> {
+  const authCheck = await runGh(['auth', 'status']);
+  if (isMissingGh(authCheck)) {
+    throw missingGhError();
+  }
+  if (authCheck.code !== 0) {
+    const detail = normalizeInlineText(`${authCheck.stderr}\n${authCheck.stdout}`.trim());
+    throw unauthenticatedGhError(detail || undefined);
+  }
+
+  const draft = buildSecretGistDraft(input);
+  const createResult = await runGh(
+    // `gh gist create` defaults to secret/private. Newer gh versions do not support `--private`.
+    ['gist', 'create', '--filename', draft.filename, '--desc', draft.title, '-'],
+    draft.content,
+  );
+
+  if (isMissingGh(createResult)) {
+    throw missingGhError();
+  }
+  if (createResult.code !== 0) {
+    const detail = normalizeInlineText(`${createResult.stderr}\n${createResult.stdout}`.trim());
+    if (looksLikeAuthFailure(detail)) {
+      throw unauthenticatedGhError(detail || undefined);
+    }
+    throw gistCreateError(detail || undefined);
+  }
+
+  const combinedOutput = `${createResult.stdout}\n${createResult.stderr}`;
+  const url = extractFirstUrl(combinedOutput);
+  if (!url) {
+    throw gistCreateError('gh gist create succeeded but no gist URL was returned.');
+  }
+
+  return {
+    ...draft,
+    url,
+  };
+}