npm - auramaxx - Versions diffs - 0.0.1 - Mend

auramaxx 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (418) hide show

package/LICENSE +26 -0
package/README.md +77 -0
package/apps/desktop-electron/main.js +428 -0
package/bin/auramaxx.js +1063 -0
package/docs/ADAPTERS.md +466 -0
package/docs/AGENT_SETUP.md +159 -0
package/docs/API.md +127 -0
package/docs/APPS.md +199 -0
package/docs/ARCHITECTURE.md +235 -0
package/docs/AUTH.md +318 -0
package/docs/BEST-PRACTICES.md +82 -0
package/docs/CLI.md +141 -0
package/docs/DESKTOP_ELECTRON.md +26 -0
package/docs/DEVELOPING-APPS.md +453 -0
package/docs/MCP.md +122 -0
package/docs/PACKAGING_POLICY.md +19 -0
package/docs/PERMISSION.md +137 -0
package/docs/PROTOCOL.md +142 -0
package/docs/README.md +50 -0
package/docs/SKILLS.md +132 -0
package/docs/TROUBLESHOOTING.md +376 -0
package/docs/WORKSPACE.md +673 -0
package/docs/agent-auth.md +14 -0
package/docs/api/authentication.md +79 -0
package/docs/api/secrets/api-keys.md +28 -0
package/docs/api/secrets/credentials.md +80 -0
package/docs/api/secrets/sharing.md +48 -0
package/docs/api/system.md +41 -0
package/docs/api/wallets/apps-strategies.md +66 -0
package/docs/api/wallets/core.md +46 -0
package/docs/api/wallets/data-portfolio.md +42 -0
package/docs/aura-file.md +48 -0
package/docs/core-concepts/FEATURES.md +114 -0
package/docs/credentials.md +120 -0
package/docs/external/HOW_TO_AURAMAXX/GETTING_SECRETS.md +33 -0
package/docs/external/HOW_TO_AURAMAXX/README.md +45 -0
package/docs/external/getting-started.md +10 -0
package/docs/external/overview.md +19 -0
package/docs/external/persona-paths.md +7 -0
package/docs/external/share-secret.md +76 -0
package/docs/external/why-aura.md +7 -0
package/docs/security.md +227 -0
package/docs/templates/RELEASE_NOTES_TEMPLATE.md +22 -0
package/docs/wallet/AI.md +508 -0
package/docs/wallet/DEVELOPING-STRATEGIES.md +713 -0
package/docs/wallet/README.md +47 -0
package/docs/wallet/STRATEGY.md +89 -0
package/next.config.ts +28 -0
package/package.json +167 -0
package/postcss.config.mjs +8 -0
package/prisma/migrations/20260214170000_baseline/migration.sql +511 -0
package/prisma/migrations/20260216214537_add_passkey_model/migration.sql +18 -0
package/prisma/migrations/20260217150500_add_credential_access_audit/migration.sql +31 -0
package/prisma/migrations/20260222090000_update_admin_ttl_default/migration.sql +10 -0
package/prisma/migrations/migration_lock.toml +3 -0
package/prisma/schema.prisma +447 -0
package/public/logo.webp +0 -0
package/scripts/add-app.js +245 -0
package/server/abi/SwapHelper.json +438 -0
package/server/cli/approval.ts +447 -0
package/server/cli/commands/actions.ts +474 -0
package/server/cli/commands/api.ts +220 -0
package/server/cli/commands/apikey.ts +277 -0
package/server/cli/commands/app.ts +204 -0
package/server/cli/commands/auth.ts +464 -0
package/server/cli/commands/cron.ts +24 -0
package/server/cli/commands/diary.ts +274 -0
package/server/cli/commands/doctor.ts +1247 -0
package/server/cli/commands/env.ts +476 -0
package/server/cli/commands/experimental.ts +69 -0
package/server/cli/commands/init.ts +798 -0
package/server/cli/commands/lock.ts +157 -0
package/server/cli/commands/mcp.ts +285 -0
package/server/cli/commands/quickhack.ts +86 -0
package/server/cli/commands/release-check.ts +231 -0
package/server/cli/commands/restore.ts +314 -0
package/server/cli/commands/service.ts +320 -0
package/server/cli/commands/shell-hook.ts +512 -0
package/server/cli/commands/skill.ts +216 -0
package/server/cli/commands/start.ts +139 -0
package/server/cli/commands/status.ts +59 -0
package/server/cli/commands/stop.ts +36 -0
package/server/cli/commands/token.ts +180 -0
package/server/cli/commands/unlock.ts +50 -0
package/server/cli/commands/vault.ts +1323 -0
package/server/cli/commands/wallet.ts +209 -0
package/server/cli/index.ts +280 -0
package/server/cli/lib/approval-poll.ts +94 -0
package/server/cli/lib/aura-parser.ts +64 -0
package/server/cli/lib/credential-create.ts +74 -0
package/server/cli/lib/credential-resolve.ts +280 -0
package/server/cli/lib/dotenv-migrate.ts +116 -0
package/server/cli/lib/dotenv-parser.ts +146 -0
package/server/cli/lib/escalation.ts +57 -0
package/server/cli/lib/http.ts +91 -0
package/server/cli/lib/init-steps.ts +76 -0
package/server/cli/lib/local-agent-trust.ts +45 -0
package/server/cli/lib/lock-unlock-helper.ts +71 -0
package/server/cli/lib/process.ts +162 -0
package/server/cli/lib/prompt.ts +294 -0
package/server/cli/lib/theme.ts +240 -0
package/server/cli/socket.ts +579 -0
package/server/cli/transport-client.ts +50 -0
package/server/cron/index.ts +137 -0
package/server/cron/job.ts +31 -0
package/server/cron/jobs/balance-sync.ts +436 -0
package/server/cron/jobs/incoming-scan.ts +506 -0
package/server/cron/jobs/native-price.ts +70 -0
package/server/cron/jobs/orphan-cleanup.ts +40 -0
package/server/cron/jobs/strategy-runner.ts +175 -0
package/server/cron/scheduler.ts +125 -0
package/server/index.ts +420 -0
package/server/lib/adapters/factory.ts +119 -0
package/server/lib/adapters/index.ts +19 -0
package/server/lib/adapters/router.ts +297 -0
package/server/lib/adapters/telegram.ts +645 -0
package/server/lib/adapters/types.ts +89 -0
package/server/lib/adapters/webhook.ts +95 -0
package/server/lib/address.ts +49 -0
package/server/lib/agent-auth/contracts.ts +1194 -0
package/server/lib/agent-profiles.ts +419 -0
package/server/lib/ai.ts +285 -0
package/server/lib/api-registry/contracts.ts +86 -0
package/server/lib/api-registry/validation.ts +172 -0
package/server/lib/apikey-migration.ts +258 -0
package/server/lib/app-installer.ts +505 -0
package/server/lib/app-tokens.ts +247 -0
package/server/lib/approval-link.ts +27 -0
package/server/lib/auth.ts +314 -0
package/server/lib/auto-execute.ts +160 -0
package/server/lib/batch.ts +242 -0
package/server/lib/cold.ts +1048 -0
package/server/lib/config.ts +408 -0
package/server/lib/credential-access-audit.ts +85 -0
package/server/lib/credential-access-policy.ts +111 -0
package/server/lib/credential-health.ts +343 -0
package/server/lib/credential-import.ts +608 -0
package/server/lib/credential-scope.ts +102 -0
package/server/lib/credential-shares.ts +190 -0
package/server/lib/credential-transport.ts +533 -0
package/server/lib/credential-vault.ts +77 -0
package/server/lib/credentials.ts +422 -0
package/server/lib/crypto.ts +8 -0
package/server/lib/db.ts +58 -0
package/server/lib/defaults.ts +386 -0
package/server/lib/dex/index.ts +80 -0
package/server/lib/dex/relay.ts +235 -0
package/server/lib/dex/types.ts +59 -0
package/server/lib/dex/uniswap.ts +370 -0
package/server/lib/diary.ts +34 -0
package/server/lib/dont-ask-again-policy.ts +41 -0
package/server/lib/e2e-agent/artifacts.ts +36 -0
package/server/lib/e2e-agent/contracts.ts +112 -0
package/server/lib/e2e-agent/validation.ts +135 -0
package/server/lib/encrypt.ts +114 -0
package/server/lib/error.ts +20 -0
package/server/lib/events.ts +217 -0
package/server/lib/feature-flags.ts +93 -0
package/server/lib/hot.ts +357 -0
package/server/lib/human-action-summary.ts +80 -0
package/server/lib/key-fingerprint.ts +28 -0
package/server/lib/logger.ts +340 -0
package/server/lib/network.ts +137 -0
package/server/lib/notifications.ts +230 -0
package/server/lib/oauth2-refresh.ts +241 -0
package/server/lib/oursecret.ts +71 -0
package/server/lib/passkey-credential.ts +360 -0
package/server/lib/passkey.ts +68 -0
package/server/lib/permissions.ts +299 -0
package/server/lib/pino.ts +24 -0
package/server/lib/policy-preview.ts +138 -0
package/server/lib/price.ts +338 -0
package/server/lib/prices.ts +34 -0
package/server/lib/project-scope.ts +297 -0
package/server/lib/resolve-action.ts +328 -0
package/server/lib/resolve.ts +36 -0
package/server/lib/secret-gist-share.ts +296 -0
package/server/lib/sessions.ts +634 -0
package/server/lib/socket-path.ts +56 -0
package/server/lib/solana/connection.ts +26 -0
package/server/lib/solana/jupiter.ts +128 -0
package/server/lib/solana/transfer.ts +108 -0
package/server/lib/solana/wallet.ts +136 -0
package/server/lib/strategy/emits.ts +21 -0
package/server/lib/strategy/engine.ts +1305 -0
package/server/lib/strategy/executor.ts +115 -0
package/server/lib/strategy/hook-context.ts +159 -0
package/server/lib/strategy/hooks.ts +990 -0
package/server/lib/strategy/index.ts +28 -0
package/server/lib/strategy/installer.ts +305 -0
package/server/lib/strategy/loader.ts +256 -0
package/server/lib/strategy/message.ts +237 -0
package/server/lib/strategy/repository.ts +218 -0
package/server/lib/strategy/session-logger.ts +693 -0
package/server/lib/strategy/sources.ts +288 -0
package/server/lib/strategy/state.ts +189 -0
package/server/lib/strategy/templates.ts +403 -0
package/server/lib/strategy/tick.ts +404 -0
package/server/lib/strategy/types.ts +230 -0
package/server/lib/swap.ts +3 -0
package/server/lib/temp.ts +86 -0
package/server/lib/token-metadata.ts +86 -0
package/server/lib/token-safety.ts +200 -0
package/server/lib/token-search.ts +444 -0
package/server/lib/totp.ts +194 -0
package/server/lib/transactions.ts +123 -0
package/server/lib/transport.ts +84 -0
package/server/lib/txhistory/decoder.ts +262 -0
package/server/lib/txhistory/enricher.ts +652 -0
package/server/lib/txhistory/index.ts +391 -0
package/server/lib/txhistory/signatures.ts +59 -0
package/server/lib/update-check.ts +35 -0
package/server/lib/verified-summary.ts +414 -0
package/server/lib/view-registry.ts +80 -0
package/server/mcp/profile-policy.ts +30 -0
package/server/mcp/server.ts +1589 -0
package/server/mcp/tools.ts +276 -0
package/server/middleware/auth.ts +119 -0
package/server/middleware/requestLogger.ts +84 -0
package/server/routes/actions.ts +539 -0
package/server/routes/adapters.ts +711 -0
package/server/routes/addressbook.ts +113 -0
package/server/routes/ai.ts +34 -0
package/server/routes/apikeys.ts +343 -0
package/server/routes/apps.ts +601 -0
package/server/routes/auth.ts +406 -0
package/server/routes/backup.ts +404 -0
package/server/routes/batch.ts +270 -0
package/server/routes/bookmarks.ts +162 -0
package/server/routes/credential-shares.ts +380 -0
package/server/routes/credential-vaults.ts +159 -0
package/server/routes/credentials.ts +1782 -0
package/server/routes/dashboard.ts +97 -0
package/server/routes/defaults.ts +124 -0
package/server/routes/flags.ts +11 -0
package/server/routes/fund.ts +225 -0
package/server/routes/heartbeat.ts +375 -0
package/server/routes/import.ts +364 -0
package/server/routes/launch.ts +665 -0
package/server/routes/lock.ts +54 -0
package/server/routes/logs.ts +68 -0
package/server/routes/nuke.ts +111 -0
package/server/routes/passkey-credentials.ts +99 -0
package/server/routes/passkey.ts +366 -0
package/server/routes/portfolio.ts +217 -0
package/server/routes/price.ts +63 -0
package/server/routes/resolve.ts +31 -0
package/server/routes/security.ts +45 -0
package/server/routes/send-evm.ts +241 -0
package/server/routes/send-solana.ts +281 -0
package/server/routes/send.ts +178 -0
package/server/routes/setup.ts +210 -0
package/server/routes/strategy.ts +894 -0
package/server/routes/swap-evm.ts +352 -0
package/server/routes/swap-solana.ts +176 -0
package/server/routes/swap.ts +356 -0
package/server/routes/token.ts +247 -0
package/server/routes/unlock.ts +467 -0
package/server/routes/views.ts +41 -0
package/server/routes/wallet-assets.ts +361 -0
package/server/routes/wallet-transactions.ts +515 -0
package/server/routes/wallet.ts +709 -0
package/server/types.ts +146 -0
package/shared/credential-field-schema.ts +248 -0
package/skills/auramaxx/HEARTBEAT.md +78 -0
package/skills/auramaxx/SKILL.md +745 -0
package/skills/auramaxx/docs/AGENT_SETUP.md +155 -0
package/skills/auramaxx/docs/API.md +127 -0
package/skills/auramaxx/docs/AUTH.md +318 -0
package/skills/auramaxx/docs/CLI.md +130 -0
package/skills/auramaxx/docs/MCP.md +122 -0
package/skills/auramaxx/docs/TROUBLESHOOTING.md +357 -0
package/skills/auramaxx/docs/WORKSPACE.md +673 -0
package/skills/auramaxx/docs/security.md +227 -0
package/skills/task-lifecycle/SKILL.md +378 -0
package/src/app/api/[...doc]/page.tsx +36 -0
package/src/app/api/agent-requests/route.ts +30 -0
package/src/app/api/apps/install/route.ts +132 -0
package/src/app/api/apps/manifests/route.ts +16 -0
package/src/app/api/apps/static/[...path]/route.ts +57 -0
package/src/app/api/docs/plain/route.ts +74 -0
package/src/app/api/events/route.ts +92 -0
package/src/app/api/page.tsx +290 -0
package/src/app/api/workspace/[id]/apps/[wid]/route.ts +119 -0
package/src/app/api/workspace/[id]/apps/route.ts +81 -0
package/src/app/api/workspace/[id]/export/route.ts +67 -0
package/src/app/api/workspace/[id]/route.ts +168 -0
package/src/app/api/workspace/auth.ts +40 -0
package/src/app/api/workspace/config/route.ts +121 -0
package/src/app/api/workspace/import/route.ts +127 -0
package/src/app/api/workspace/route.ts +116 -0
package/src/app/app-legacy-do-not-use/page.tsx +2245 -0
package/src/app/apple-icon.png +0 -0
package/src/app/approve/[actionId]/page.tsx +409 -0
package/src/app/docs/DocsPageContent.tsx +269 -0
package/src/app/docs/[...doc]/page.tsx +41 -0
package/src/app/docs/page.tsx +38 -0
package/src/app/favicon.ico +0 -0
package/src/app/globals.css +819 -0
package/src/app/health/page.tsx +5 -0
package/src/app/hello/page.tsx +102 -0
package/src/app/icon.png +0 -0
package/src/app/layout.tsx +39 -0
package/src/app/page.tsx +1964 -0
package/src/app/privacy/page.tsx +63 -0
package/src/app/providers.tsx +87 -0
package/src/app/share/[token]/page.tsx +295 -0
package/src/app/terms/page.tsx +80 -0
package/src/components/ChainSelector.tsx +44 -0
package/src/components/HumanActionBar.tsx +697 -0
package/src/components/NotificationDrawer.tsx +387 -0
package/src/components/PasskeyEnrollmentPrompt.tsx +235 -0
package/src/components/apps/AgentKeysApp.tsx +490 -0
package/src/components/apps/App.tsx +153 -0
package/src/components/apps/AppGrid.tsx +15 -0
package/src/components/apps/DetailedAddressDrawer.tsx +325 -0
package/src/components/apps/DraggableApp.tsx +562 -0
package/src/components/apps/IFrameApp.tsx +73 -0
package/src/components/apps/LogsApp.tsx +360 -0
package/src/components/apps/SendApp.tsx +394 -0
package/src/components/apps/SetupWizardApp.tsx +1004 -0
package/src/components/apps/SystemDefaultsApp.tsx +845 -0
package/src/components/apps/ThirdPartyApp.tsx +428 -0
package/src/components/apps/TokenApp.tsx +319 -0
package/src/components/apps/TransactionsApp.tsx +438 -0
package/src/components/apps/WalletDetailApp.tsx +1505 -0
package/src/components/apps/index.ts +13 -0
package/src/components/design-system/Button.tsx +88 -0
package/src/components/design-system/ChainIndicator.tsx +65 -0
package/src/components/design-system/ChainSelector.tsx +147 -0
package/src/components/design-system/ConfirmationModal.tsx +107 -0
package/src/components/design-system/ConfirmationPopover.tsx +81 -0
package/src/components/design-system/DownloadButton.tsx +149 -0
package/src/components/design-system/Drawer.tsx +133 -0
package/src/components/design-system/FilterDropdown.tsx +183 -0
package/src/components/design-system/ItemPicker.tsx +157 -0
package/src/components/design-system/Modal.tsx +296 -0
package/src/components/design-system/Popover.tsx +142 -0
package/src/components/design-system/TextInput.tsx +85 -0
package/src/components/design-system/Toggle.tsx +65 -0
package/src/components/design-system/TyvekCollapsibleSection.tsx +55 -0
package/src/components/design-system/index.ts +14 -0
package/src/components/docs/ClientSideMarkdown.tsx +51 -0
package/src/components/docs/DocsSearchBar.tsx +118 -0
package/src/components/docs/DocsThemeToggle.tsx +38 -0
package/src/components/docs/PersistentDocGroup.tsx +91 -0
package/src/components/docs/ShareUrlButton.tsx +33 -0
package/src/components/docs/SidebarScrollMemory.tsx +56 -0
package/src/components/health/CredentialHealthDashboard.tsx +214 -0
package/src/components/icons/ChainIcons.tsx +72 -0
package/src/components/layout/AppStoreDrawer.tsx +369 -0
package/src/components/layout/ContentArea.tsx +21 -0
package/src/components/layout/CreateViewModal.tsx +88 -0
package/src/components/layout/LeftRail.tsx +114 -0
package/src/components/layout/TabBar.tsx +284 -0
package/src/components/layout/WalletSidebar.tsx +1030 -0
package/src/components/layout/index.ts +6 -0
package/src/components/marketing/AuraMaxxSpecOverlay.tsx +653 -0
package/src/components/marketing/DeviceMorphExperience.tsx +216 -0
package/src/components/vault/ApiKeysConsole.tsx +1272 -0
package/src/components/vault/AuditConsole.tsx +600 -0
package/src/components/vault/CredentialDetail.tsx +625 -0
package/src/components/vault/CredentialEmpty.tsx +55 -0
package/src/components/vault/CredentialField.tsx +583 -0
package/src/components/vault/CredentialForm.tsx +1484 -0
package/src/components/vault/CredentialList.tsx +265 -0
package/src/components/vault/CredentialRow.tsx +130 -0
package/src/components/vault/CredentialShareModal.tsx +273 -0
package/src/components/vault/CredentialVault.tsx +1662 -0
package/src/components/vault/CredentialWalletWidget.tsx +103 -0
package/src/components/vault/DocsConsole.tsx +113 -0
package/src/components/vault/ImportCredentialsModal.tsx +578 -0
package/src/components/vault/LargeTypeModal.tsx +88 -0
package/src/components/vault/PasswordGenerator.tsx +232 -0
package/src/components/vault/TOTPDisplay.tsx +108 -0
package/src/components/vault/TotpSetupPanel.tsx +198 -0
package/src/components/vault/VaultSidebar.tsx +881 -0
package/src/components/vault/credentialFormName.ts +91 -0
package/src/components/vault/hooks/useVaultKeyboardShortcuts.ts +69 -0
package/src/components/vault/types.ts +56 -0
package/src/context/AuthContext.tsx +365 -0
package/src/context/PriceContext.tsx +113 -0
package/src/context/ThemeContext.tsx +164 -0
package/src/context/WebSocketContext.tsx +269 -0
package/src/context/WorkspaceContext.tsx +668 -0
package/src/hooks/index.ts +4 -0
package/src/hooks/useAgentActions.ts +552 -0
package/src/hooks/useBalance.ts +103 -0
package/src/hooks/useBalances.ts +129 -0
package/src/hooks/useTheme.ts +156 -0
package/src/instrumentation.ts +12 -0
package/src/lib/api-docs.ts +154 -0
package/src/lib/api.ts +474 -0
package/src/lib/app-loader.ts +148 -0
package/src/lib/app-registry.ts +178 -0
package/src/lib/app-sdk.ts +157 -0
package/src/lib/audit-console-adapter.ts +151 -0
package/src/lib/auth-client.ts +75 -0
package/src/lib/config.ts +74 -0
package/src/lib/credential-field-schema.ts +11 -0
package/src/lib/crypto.ts +112 -0
package/src/lib/db.ts +21 -0
package/src/lib/docs.ts +544 -0
package/src/lib/events.ts +363 -0
package/src/lib/pino.ts +24 -0
package/src/lib/theme-handlers.ts +168 -0
package/src/lib/theme.ts +351 -0
package/src/lib/tokenData.ts +378 -0
package/src/lib/totp-import.ts +57 -0
package/src/lib/vault-crypto.ts +129 -0
package/src/lib/view-registry.ts +57 -0
package/src/lib/websocket-server.ts +302 -0
package/src/lib/websocket-setup.ts +79 -0
package/src/lib/wordlist.ts +2050 -0
package/src/lib/workspace-handlers.ts +285 -0
package/start.sh +170 -0
package/tailwind.config.ts +99 -0
package/tsconfig.json +42 -0

package/server/routes/auth.ts ADDED Viewed

@@ -0,0 +1,406 @@
+import { Router, Request, Response } from 'express';
+import { randomBytes, timingSafeEqual } from 'crypto';
+import { prisma } from '../lib/db';
+import { createHumanActionNotification } from '../lib/notifications';
+import { events } from '../lib/events';
+import { getPublicKey } from '../lib/transport';
+import { claimEscrowedToken } from '../lib/auth';
+import { isValidAgentPubkey, normalizeAgentPubkey, encryptToAgentPubkey } from '../lib/credential-transport';
+import { hashSecret } from '../lib/crypto';
+import { getDefault } from '../lib/defaults';
+import { logger } from '../lib/logger';
+import { getErrorMessage } from '../lib/error';
+import { AgentProfileError, resolveProfileToEffectivePolicy } from '../lib/agent-profiles';
+import { buildApproveUrl } from '../lib/approval-link';
+const router = Router();
+// GET /auth/connect - Get server's public key for encrypting passwords
+// This is a public endpoint - no authentication required
+router.get('/connect', (_req: Request, res: Response) => {
+  res.json({ publicKey: getPublicKey() });
+});
+// POST /auth - Agent requests access token (queued for human approval)
+// Returns a requestId and secret that can be used to retrieve the token later
+router.post('/', async (req: Request, res: Response) => {
+  try {
+    const {
+      agentId,
+      limit,
+      permissions,
+      ttl,
+      limits,
+      walletAccess,
+      pubkey,
+      credentialAccess,
+      profile,
+      profileVersion,
+      profileOverrides,
+      action,
+    } = req.body;
+    if (!agentId || typeof agentId !== 'string') {
+      res.status(400).json({ error: 'agentId is required' });
+      return;
+    }
+    if (typeof profile !== 'string' || profile.trim().length === 0) {
+      res.status(400).json({
+        error: 'profile is required for agent issuance',
+        code: 'AGENT_PROFILE_REQUIRED',
+      });
+      return;
+    }
+    const hasRawIssuancePayload = (
+      permissions !== undefined ||
+      ttl !== undefined ||
+      credentialAccess !== undefined
+    );
+    if (hasRawIssuancePayload) {
+      res.status(400).json({
+        error: 'Raw permission issuance is disabled on /auth. Use profile + optional profileOverrides.',
+        code: 'AGENT_PROFILE_ONLY',
+      });
+      return;
+    }
+    const defaultFundLimit = await getDefault<number>('limits.fund', 0);
+    const providedLimits = limits && typeof limits === 'object' && !Array.isArray(limits)
+      ? limits as { fund?: number; send?: number; swap?: number }
+      : undefined;
+    const requestedFundFromLimits = typeof providedLimits?.fund === 'number' ? providedLimits.fund : undefined;
+    const requestedLimitExplicit = typeof limit === 'number' || typeof requestedFundFromLimits === 'number';
+    const requestedLimit = requestedFundFromLimits ?? (typeof limit === 'number' ? limit : defaultFundLimit);
+    const resolvedProfile = resolveProfileToEffectivePolicy({
+      profileId: profile,
+      profileVersion: typeof profileVersion === 'string' ? profileVersion : undefined,
+      overrides: profileOverrides,
+    });
+    const requestedPermissions = [...resolvedProfile.permissions];
+    const requestedTtl = resolvedProfile.ttlSeconds;
+    const requestedLimits = providedLimits
+      ? { ...providedLimits, fund: requestedLimit }
+      : { fund: requestedLimit };
+    const approvalSummary = requestedLimitExplicit
+      ? `${agentId} requesting ${requestedLimit} ETH access`
+      : `${agentId} requesting access`;
+    const requestedWalletAccess = Array.isArray(walletAccess)
+      ? walletAccess.map((addr: string) => addr.toLowerCase())
+      : undefined;
+    const requestedCredentialAccess = resolvedProfile.credentialAccess;
+    if (typeof pubkey !== 'string' || !pubkey.trim()) {
+      res.status(400).json({ error: 'pubkey is required' });
+      return;
+    }
+    if (!isValidAgentPubkey(pubkey)) {
+      res.status(400).json({ error: 'pubkey must be a valid RSA public key (PEM or base64)' });
+      return;
+    }
+    const normalizedPubkey = normalizeAgentPubkey(pubkey);
+    // Validate optional pre-computed action for auto-execute on approval
+    let validatedAction: { endpoint: string; method: string; body?: Record<string, unknown> } | undefined;
+    if (action && typeof action === 'object' && !Array.isArray(action)) {
+      const { endpoint, method, body } = action as Record<string, unknown>;
+      if (typeof endpoint === 'string' && typeof method === 'string') {
+        validatedAction = {
+          endpoint,
+          method: method.toUpperCase(),
+          ...(body && typeof body === 'object' && !Array.isArray(body) ? { body: body as Record<string, unknown> } : {}),
+        };
+      }
+    }
+    // Generate a secret for retrieving the token later
+    const secret = randomBytes(32).toString('hex');
+    const secretHash = hashSecret(secret);
+    // Create pending request with secretHash in metadata
+    const request = await prisma.humanAction.create({
+      data: {
+        type: 'auth',
+        fromTier: 'system',
+        toAddress: null,
+        amount: null,
+        chain: 'base',
+        status: 'pending',
+        metadata: JSON.stringify({
+          agentId,
+          limit: requestedLimit,
+          requestedLimitExplicit,
+          defaultFundLimit,
+          permissions: requestedPermissions,
+          ttl: requestedTtl,
+          limits: requestedLimits,
+          walletAccess: requestedWalletAccess,
+          credentialAccess: requestedCredentialAccess,
+          profile: resolvedProfile.profile,
+          effectivePolicyHash: resolvedProfile.effectivePolicyHash,
+          overrideDelta: resolvedProfile.overrideDelta,
+          warnings: resolvedProfile.warnings,
+          summary: approvalSummary,
+          pubkey: normalizedPubkey,
+          secretHash,
+          ...(validatedAction ? { action: validatedAction } : {}),
+          // tokenHash will be added here when approved (raw token stays in memory escrow)
+        })
+      }
+    });
+    // Create notification for human approval
+    await createHumanActionNotification(request);
+    // Emit WebSocket event
+    events.actionCreated({
+      id: request.id,
+      type: 'agent_access',
+      source: `agent:${agentId}`,
+      summary: approvalSummary,
+      expiresAt: null,
+      metadata: {
+        agentId,
+        limit: requestedLimit,
+        limits: requestedLimits,
+        requestedLimitExplicit,
+        defaultFundLimit,
+        permissions: requestedPermissions,
+        summary: approvalSummary,
+        profile: resolvedProfile.profile,
+        effectivePolicyHash: resolvedProfile.effectivePolicyHash,
+      },
+    });
+    logger.agentRequested(agentId, request.id, requestedLimit);
+    const dashboardBase = `http://localhost:${process.env.DASHBOARD_PORT || '4747'}`;
+    res.json({
+      success: true,
+      requestId: request.id,
+      secret, // Only returned once - agent must store this!
+      approveUrl: buildApproveUrl(dashboardBase, request.id),
+      message: 'Action escalated — waiting for human approval',
+      agentId,
+      limit: requestedLimit,
+      permissions: requestedPermissions,
+      limits: requestedLimits,
+      credentialAccess: requestedCredentialAccess,
+      profile: resolvedProfile.profile,
+      effectivePolicyHash: resolvedProfile.effectivePolicyHash,
+      overrideDelta: resolvedProfile.overrideDelta,
+      warnings: resolvedProfile.warnings,
+      ttl: requestedTtl,
+      requestedLimitExplicit,
+      defaultFundLimit,
+    });
+  } catch (error) {
+    if (error instanceof AgentProfileError) {
+      res.status(400).json({ error: error.message, code: error.code });
+      return;
+    }
+    const message = getErrorMessage(error);
+    res.status(400).json({ error: message });
+  }
+});
+// GET /auth/pending - List pending auth requests (public, shows sanitized info)
+router.get('/pending', async (_req: Request, res: Response) => {
+  try {
+    const requests = await prisma.humanAction.findMany({
+      where: {
+        type: 'auth',
+        status: 'pending'
+      },
+      orderBy: { createdAt: 'desc' }
+    });
+    res.json({
+      success: true,
+      requests: requests.map(r => {
+        const metadata = r.metadata ? JSON.parse(r.metadata) : {};
+        // Don't expose secretHash
+        const safeMetadata = { ...metadata };
+        delete safeMetadata.secretHash;
+        return {
+          ...r,
+          metadata: safeMetadata
+        };
+      })
+    });
+  } catch (error) {
+    const message = getErrorMessage(error);
+    res.status(400).json({ error: message });
+  }
+});
+// POST /auth/validate - Validate a token and return its info
+// Used by Next.js WebSocket server to authenticate connections
+router.post('/validate', async (req: Request, res: Response) => {
+  try {
+    const { token } = req.body;
+    if (!token || typeof token !== 'string') {
+      res.status(400).json({ valid: false, error: 'token is required' });
+      return;
+    }
+    // Import validation functions
+    const { validateToken, getTokenHash } = await import('../lib/auth');
+    const { isRevoked } = await import('../lib/sessions');
+    // Validate token (admin tokens are just tokens with admin:* permission)
+    const payload = validateToken(token);
+    if (!payload) {
+      res.json({ valid: false, error: 'Invalid or expired token' });
+      return;
+    }
+    const tokenHash = getTokenHash(token);
+    // Check if revoked
+    if (isRevoked(tokenHash)) {
+      res.json({ valid: false, error: 'Token has been revoked' });
+      return;
+    }
+    logger.tokenValidated(payload.agentId, tokenHash);
+    res.json({
+      valid: true,
+      isAdmin: payload.permissions.includes('admin:*'),
+      tokenHash,
+      payload: {
+        agentId: payload.agentId,
+        permissions: payload.permissions,
+        limits: payload.limits,
+        walletAccess: payload.walletAccess,
+        exp: payload.exp
+      }
+    });
+  } catch (error) {
+    const message = getErrorMessage(error);
+    res.status(400).json({ valid: false, error: message });
+  }
+});
+// GET /auth/:requestId - Agent polls for token (requires secret)
+router.get('/:requestId', async (req: Request<{ requestId: string }>, res: Response) => {
+  try {
+    const { requestId } = req.params;
+    const { secret } = req.query;
+    if (!secret || typeof secret !== 'string') {
+      res.status(400).json({ error: 'secret query parameter is required' });
+      return;
+    }
+    const request = await prisma.humanAction.findUnique({
+      where: { id: requestId }
+    });
+    if (!request) {
+      res.status(404).json({ error: 'Request not found' });
+      return;
+    }
+    // Parse metadata
+    let metadata: {
+      agentId?: string;
+      limit?: number;
+      requestedLimitExplicit?: boolean;
+      defaultFundLimit?: number;
+      permissions?: string[];
+      ttl?: number;
+      secretHash?: string;
+      tokenHash?: string;
+      limits?: { fund?: number; send?: number; swap?: number };
+      walletAccess?: string[];
+      profile?: { id: string; version: string; displayName?: string; rationale?: string };
+      effectivePolicyHash?: string;
+      overrideDelta?: string[];
+      warnings?: string[];
+    } = {};
+    if (request.metadata) {
+      try {
+        metadata = JSON.parse(request.metadata);
+      } catch {
+        // ignore parse errors
+      }
+    }
+    // Verify secret (timing-safe comparison)
+    const providedHash = hashSecret(secret);
+    if (!metadata.secretHash) {
+      res.status(403).json({ error: 'Invalid secret' });
+      return;
+    }
+    const providedBuf = Buffer.from(providedHash, 'hex');
+    const expectedBuf = Buffer.from(metadata.secretHash, 'hex');
+    if (providedBuf.length !== expectedBuf.length || !timingSafeEqual(providedBuf, expectedBuf)) {
+      res.status(403).json({ error: 'Invalid secret' });
+      return;
+    }
+    // Return status based on request state
+    if (request.status === 'pending') {
+      const dashboardBase = `http://localhost:${process.env.DASHBOARD_PORT || '4747'}`;
+      res.json({
+        success: true,
+        status: 'pending',
+        approveUrl: buildApproveUrl(dashboardBase, request.id),
+        message: 'Waiting for human approval'
+      });
+      return;
+    }
+    if (request.status === 'rejected') {
+      res.json({
+        success: true,
+        status: 'rejected',
+        message: 'Request was rejected'
+      });
+      return;
+    }
+    if (request.status === 'approved') {
+      const tokenToReturn = claimEscrowedToken(requestId);
+      if (!tokenToReturn) {
+        res.status(410).json({ error: 'Token already claimed or expired', status: 'approved' });
+        return;
+      }
+      // Encrypt token to agent pubkey for transport (plaintext is no longer supported)
+      const pubkey = (metadata as { pubkey?: string }).pubkey;
+      if (!pubkey) {
+        res.status(500).json({ error: 'No pubkey available to return encrypted token' });
+        return;
+      }
+      res.json({
+        success: true,
+        status: 'approved',
+        encryptedToken: encryptToAgentPubkey(tokenToReturn, pubkey),
+        agentId: metadata.agentId,
+        limit: metadata.limit,
+        limits: metadata.limits,
+        permissions: metadata.permissions,
+        walletAccess: metadata.walletAccess,
+        profile: metadata.profile,
+        effectivePolicyHash: metadata.effectivePolicyHash,
+        overrideDelta: metadata.overrideDelta,
+        warnings: metadata.warnings,
+      });
+      return;
+    }
+    res.status(400).json({ error: `Unknown status: ${request.status}` });
+  } catch (error) {
+    const message = getErrorMessage(error);
+    res.status(400).json({ error: message });
+  }
+});
+export default router;