auramaxx 0.0.1

package/server/routes/bookmarks.ts

@@ -0,0 +1,162 @@
+import { Router, Request, Response } from 'express';
+import { prisma } from '../lib/db';
+import { upsertTokenMetadata } from '../lib/token-metadata';
+import { safeJsonParse } from '../lib/token-search';
+import { requireWalletAuth, optionalWalletAuth } from '../middleware/auth';
+import { isAdmin, buildPermissionDenied } from '../lib/permissions';
+import { getErrorMessage } from '../lib/error';
+
+const router = Router();
+
+// GET /bookmarks - List all bookmarked tokens (TrackedAsset where walletAddress is null)
+router.get('/', optionalWalletAuth, async (req: Request, res: Response) => {
+  try {
+    const chain = req.query.chain as string | undefined;
+    const q = req.query.q as string | undefined;
+
+    const where: Record<string, unknown> = {
+      walletAddress: null,
+    };
+
+    if (chain) where.chain = chain;
+
+    if (q) {
+      where.OR = [
+        { symbol: { contains: q.toUpperCase() } },
+        { name: { contains: q.toLowerCase() } },
+        { tokenAddress: { contains: q.toLowerCase() } },
+      ];
+    }
+
+    const bookmarks = await prisma.trackedAsset.findMany({
+      where,
+      orderBy: { updatedAt: 'desc' },
+    });
+
+    // Enrich with TokenMetadata if available
+    const tokenKeys = bookmarks.map(b => ({ tokenAddress: b.tokenAddress, chain: b.chain }));
+    const metadata = tokenKeys.length > 0
+      ? await prisma.tokenMetadata.findMany({
+          where: {
+            OR: tokenKeys.map(k => ({
+              tokenAddress: k.tokenAddress,
+              chain: k.chain,
+            })),
+          },
+        })
+      : [];
+
+    const metaMap = new Map(metadata.map(m => [`${m.tokenAddress}:${m.chain}`, m]));
+
+    const enriched = bookmarks.map(b => {
+      const meta = metaMap.get(`${b.tokenAddress}:${b.chain}`);
+      return {
+        ...b,
+        symbol: meta?.symbol ?? b.symbol,
+        name: meta?.name ?? b.name,
+        decimals: meta?.decimals ?? b.decimals,
+        icon: meta?.icon ?? b.icon,
+        priceUsd: meta?.priceUsd ?? null,
+        marketCap: meta?.marketCap ?? null,
+        fdv: meta?.fdv ?? null,
+        liquidity: meta?.liquidity ?? null,
+        volume24h: meta?.volume24h ?? null,
+        dexId: meta?.dexId ?? null,
+        pairAddress: meta?.pairAddress ?? null,
+        websites: meta?.websites ? safeJsonParse(meta.websites, []) : [],
+        socials: meta?.socials ? safeJsonParse(meta.socials, []) : [],
+      };
+    });
+
+    res.json({ success: true, bookmarks: enriched });
+  } catch (error) {
+    const message = getErrorMessage(error);
+    res.status(400).json({ error: message });
+  }
+});
+
+// POST /bookmarks - Create a token bookmark
+router.post('/', requireWalletAuth, async (req: Request, res: Response) => {
+  try {
+    const auth = req.auth!;
+
+    // Check permission
+    if (!isAdmin(auth)) {
+      const perms = auth.token.permissions;
+      if (!perms.includes('bookmark:write') && !perms.includes('admin:*')) {
+        res.status(403).json(buildPermissionDenied('Token does not have bookmark:write permission', ['bookmark:write'], auth.token.permissions));
+        return;
+      }
+    }
+
+    const { tokenAddress, chain = 'base' } = req.body;
+
+    if (!tokenAddress) {
+      res.status(400).json({ error: 'tokenAddress is required' });
+      return;
+    }
+
+    const normalizedToken = tokenAddress.toLowerCase();
+
+    // Find-or-create bookmark (Prisma can't upsert on compound unique with NULL)
+    let bookmark = await prisma.trackedAsset.findFirst({
+      where: { walletAddress: null, tokenAddress: normalizedToken, chain },
+    });
+
+    if (bookmark) {
+      bookmark = await prisma.trackedAsset.update({
+        where: { id: bookmark.id },
+        data: { updatedAt: new Date() },
+      });
+    } else {
+      bookmark = await prisma.trackedAsset.create({
+        data: {
+          walletAddress: null,
+          tokenAddress: normalizedToken,
+          chain,
+        },
+      });
+    }
+
+    // Seed TokenMetadata if not cached
+    upsertTokenMetadata(normalizedToken, chain);
+
+    res.json({ success: true, bookmark });
+  } catch (error) {
+    const message = getErrorMessage(error);
+    res.status(400).json({ error: message });
+  }
+});
+
+// DELETE /bookmarks/:id - Delete a bookmark
+router.delete('/:id', requireWalletAuth, async (req: Request<{ id: string }>, res: Response) => {
+  try {
+    const auth = req.auth!;
+
+    // Check permission
+    if (!isAdmin(auth)) {
+      const perms = auth.token.permissions;
+      if (!perms.includes('bookmark:write') && !perms.includes('admin:*')) {
+        res.status(403).json(buildPermissionDenied('Token does not have bookmark:write permission', ['bookmark:write'], auth.token.permissions));
+        return;
+      }
+    }
+
+    const { id } = req.params;
+
+    const existing = await prisma.trackedAsset.findUnique({ where: { id } });
+    if (!existing || existing.walletAddress !== null) {
+      res.status(404).json({ error: 'Bookmark not found' });
+      return;
+    }
+
+    await prisma.trackedAsset.delete({ where: { id } });
+
+    res.json({ success: true });
+  } catch (error) {
+    const message = getErrorMessage(error);
+    res.status(400).json({ error: message });
+  }
+});
+
+export default router;

package/server/routes/credential-shares.ts

@@ -0,0 +1,380 @@
+import { Request, Response, Router } from 'express';
+import {
+  createCredentialShare,
+  consumeCredentialShare,
+  getCredentialShare,
+  getCredentialShareStatus,
+  ShareAccessMode,
+  ShareExpiresAfter,
+} from '../lib/credential-shares';
+import { getCredential, isValidCredentialId, readCredentialSecrets } from '../lib/credentials';
+import { hasAnyPermission, isAdmin } from '../lib/permissions';
+import { matchesScope } from '../lib/credential-scope';
+import { CredentialFile } from '../types';
+import { requireWalletAuth } from '../middleware/auth';
+import { getErrorMessage } from '../lib/error';
+import { createSecretGist, SecretGistError } from '../lib/secret-gist-share';
+
+const router = Router();
+
+const SHARE_EXPIRY_OPTIONS = new Set<ShareExpiresAfter>(['15m', '1h', '24h', '7d', '30d']);
+
+class ShareRequestError extends Error {
+  status: number;
+
+  constructor(status: number, message: string) {
+    super(message);
+    this.name = 'ShareRequestError';
+    this.status = status;
+  }
+}
+
+function canReadCredential(req: Request, credential: CredentialFile): boolean {
+  const auth = req.auth!;
+  if (isAdmin(auth)) return true;
+  if (!hasAnyPermission(auth.token.permissions, ['secret:read'])) return false;
+  const scopes = auth.token.credentialAccess?.read || [];
+  return matchesScope(credential, scopes);
+}
+
+function parseShareBaseUrl(raw: unknown): string | null {
+  if (typeof raw !== 'string') return null;
+  const trimmed = raw.trim();
+  if (!trimmed) return null;
+  try {
+    const parsed = new URL(trimmed);
+    if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return null;
+    return trimmed.replace(/\/+$/, '');
+  } catch {
+    return null;
+  }
+}
+
+function resolveFallbackShareUrl(req: Request, shareToken: string): string {
+  const forwardedProto = req.headers['x-forwarded-proto'];
+  const protocol = typeof forwardedProto === 'string'
+    ? forwardedProto.split(',')[0].trim()
+    : req.protocol || 'http';
+
+  const forwardedHost = req.headers['x-forwarded-host'];
+  const host = typeof forwardedHost === 'string'
+    ? forwardedHost.split(',')[0].trim()
+    : req.get('host');
+
+  if (!host) return `/credential-shares/${shareToken}`;
+  return `${protocol}://${host}/credential-shares/${shareToken}`;
+}
+
+function resolveShareUrl(req: Request, shareToken: string, shareBaseUrl: unknown): string {
+  const base = parseShareBaseUrl(shareBaseUrl);
+  if (base) {
+    return `${base}/share/${shareToken}`;
+  }
+  return resolveFallbackShareUrl(req, shareToken);
+}
+
+function toMetaFieldValue(raw: unknown): string | null {
+  if (raw === null || raw === undefined) return null;
+  if (typeof raw === 'string') return raw;
+  if (typeof raw === 'number' || typeof raw === 'boolean') return String(raw);
+  if (Array.isArray(raw)) {
+    const parts = raw
+      .map((item) => {
+        if (item === null || item === undefined) return '';
+        if (typeof item === 'string' || typeof item === 'number' || typeof item === 'boolean') return String(item);
+        try {
+          return JSON.stringify(item);
+        } catch {
+          return '';
+        }
+      })
+      .map((value) => value.trim())
+      .filter(Boolean);
+    return parts.join(',');
+  }
+  try {
+    return JSON.stringify(raw);
+  } catch {
+    return null;
+  }
+}
+
+function buildPlaintextGistFields(
+  credential: CredentialFile,
+): Array<{ key: string; value: string; sensitive?: boolean }> {
+  const fields: Array<{ key: string; value: string; sensitive?: boolean }> = [];
+  const seenKeys = new Set<string>();
+
+  for (const field of readCredentialSecrets(credential.id)) {
+    const key = String(field.key || '').trim();
+    const value = String(field.value || '').trim();
+    if (!key || !value) continue;
+    const normalized = key.toLowerCase();
+    if (seenKeys.has(normalized)) continue;
+    seenKeys.add(normalized);
+    fields.push({ key, value, sensitive: field.sensitive !== false });
+  }
+
+  for (const [key, value] of Object.entries(credential.meta || {})) {
+    const normalized = key.toLowerCase();
+    if (seenKeys.has(normalized)) continue;
+    const serialized = toMetaFieldValue(value);
+    if (!serialized || serialized.trim().length === 0) continue;
+    seenKeys.add(normalized);
+    fields.push({ key, value: serialized, sensitive: false });
+  }
+
+  return fields;
+}
+
+function parseShareRequest(req: Request): {
+  credential: CredentialFile;
+  credentialId: string;
+  expiresAfter: ShareExpiresAfter;
+  accessMode: ShareAccessMode;
+  oneTimeOnly: boolean;
+  password?: string;
+  createdBy: string;
+} {
+  const auth = req.auth!;
+  if (!isAdmin(auth) && !hasAnyPermission(auth.token.permissions, ['secret:read'])) {
+    throw new ShareRequestError(403, 'secret:read permission required');
+  }
+
+  const credentialId = typeof req.body?.credentialId === 'string' ? req.body.credentialId.trim() : '';
+  if (!credentialId) {
+    throw new ShareRequestError(400, 'credentialId is required');
+  }
+  if (!isValidCredentialId(credentialId)) {
+    throw new ShareRequestError(400, 'credentialId format is invalid');
+  }
+
+  const credential = getCredential(credentialId);
+  if (!credential) {
+    throw new ShareRequestError(404, 'Credential not found');
+  }
+  if (!canReadCredential(req, credential)) {
+    throw new ShareRequestError(403, 'Credential read scope denied');
+  }
+
+  const expiresAfterRaw = typeof req.body?.expiresAfter === 'string' ? req.body.expiresAfter : '24h';
+  const expiresAfter = expiresAfterRaw as ShareExpiresAfter;
+  if (!SHARE_EXPIRY_OPTIONS.has(expiresAfter)) {
+    throw new ShareRequestError(400, 'expiresAfter must be one of: 15m, 1h, 24h, 7d, 30d');
+  }
+
+  const accessModeRaw = typeof req.body?.accessMode === 'string' ? req.body.accessMode : 'anyone';
+  const accessMode = accessModeRaw as ShareAccessMode;
+  if (accessMode !== 'anyone' && accessMode !== 'password') {
+    throw new ShareRequestError(400, 'accessMode must be either "anyone" or "password"');
+  }
+
+  const oneTimeOnly = req.body?.oneTimeOnly === true;
+  const password = typeof req.body?.password === 'string' ? req.body.password : undefined;
+  if (accessMode === 'password' && (!password || password.length === 0)) {
+    throw new ShareRequestError(400, 'password is required when accessMode is "password"');
+  }
+
+  return {
+    credential,
+    credentialId,
+    expiresAfter,
+    accessMode,
+    oneTimeOnly,
+    password,
+    createdBy: isAdmin(auth) ? 'admin' : auth.token.agentId,
+  };
+}
+
+function toShareResponse(share: ReturnType<typeof createCredentialShare>) {
+  return {
+    token: share.token,
+    credentialId: share.credentialId,
+    expiresAt: share.expiresAt,
+    accessMode: share.accessMode,
+    oneTimeOnly: share.oneTimeOnly,
+  };
+}
+
+// GET /credential-shares/:token - public share metadata
+router.get('/:token', (req: Request<{ token: string }>, res: Response) => {
+  const share = getCredentialShare(req.params.token);
+  if (!share) {
+    res.status(404).json({ success: false, error: 'Share link not found' });
+    return;
+  }
+
+  const credential = getCredential(share.credentialId);
+  if (!credential) {
+    res.status(410).json({ success: false, error: 'Shared credential no longer exists', reason: 'credential_missing' });
+    return;
+  }
+
+  const status = getCredentialShareStatus(share);
+  if (status.isExpired) {
+    res.status(410).json({ success: false, error: 'Share link expired', reason: 'expired' });
+    return;
+  }
+  if (status.isAlreadyViewed) {
+    res.status(410).json({ success: false, error: 'Share link already used', reason: 'already_viewed' });
+    return;
+  }
+
+  res.json({
+    success: true,
+    share: {
+      token: share.token,
+      credentialId: share.credentialId,
+      credentialName: credential.name,
+      credentialType: credential.type,
+      expiresAt: share.expiresAt,
+      accessMode: share.accessMode,
+      passwordRequired: share.accessMode === 'password',
+      oneTimeOnly: share.oneTimeOnly,
+      viewCount: share.viewCount,
+      maxViews: share.oneTimeOnly ? 1 : null,
+    },
+  });
+});
+
+// POST /credential-shares/:token/read - public shared credential read
+router.post('/:token/read', (req: Request<{ token: string }>, res: Response) => {
+  const password = typeof req.body?.password === 'string' ? req.body.password : undefined;
+  const result = consumeCredentialShare(req.params.token, password);
+
+  if (!result.ok) {
+    if (result.reason === 'not_found') {
+      res.status(404).json({ success: false, error: 'Share link not found', reason: 'not_found' });
+      return;
+    }
+    if (result.reason === 'expired') {
+      res.status(410).json({ success: false, error: 'Share link expired', reason: 'expired' });
+      return;
+    }
+    if (result.reason === 'already_viewed') {
+      res.status(410).json({ success: false, error: 'Share link already used', reason: 'already_viewed' });
+      return;
+    }
+    if (result.reason === 'password_required') {
+      res.status(401).json({ success: false, error: 'Share password required', reason: 'password_required' });
+      return;
+    }
+    res.status(401).json({ success: false, error: 'Invalid share password', reason: 'invalid_password' });
+    return;
+  }
+
+  const credential = getCredential(result.share.credentialId);
+  if (!credential) {
+    res.status(410).json({ success: false, error: 'Shared credential no longer exists', reason: 'credential_missing' });
+    return;
+  }
+
+  try {
+    const fields = readCredentialSecrets(credential.id);
+    res.json({
+      success: true,
+      credential: {
+        id: credential.id,
+        name: credential.name,
+        type: credential.type,
+        meta: credential.meta,
+        fields,
+        createdAt: credential.createdAt,
+        updatedAt: credential.updatedAt,
+      },
+    });
+  } catch (error) {
+    const message = getErrorMessage(error);
+    if (message.toLowerCase().includes('locked')) {
+      res.status(423).json({ success: false, error: 'Vault is locked', reason: 'vault_locked' });
+      return;
+    }
+    res.status(500).json({ success: false, error: message });
+  }
+});
+
+router.use(requireWalletAuth);
+
+// POST /credential-shares/gist - create share + publish secret gist
+router.post('/gist', async (req: Request, res: Response) => {
+  try {
+    const parsed = parseShareRequest(req);
+    const share = createCredentialShare({
+      credentialId: parsed.credentialId,
+      createdBy: parsed.createdBy,
+      expiresAfter: parsed.expiresAfter,
+      accessMode: parsed.accessMode,
+      password: parsed.password,
+      oneTimeOnly: parsed.oneTimeOnly,
+    });
+
+    const link = resolveShareUrl(req, share.token, req.body?.shareBaseUrl);
+    const fields = buildPlaintextGistFields(parsed.credential);
+    const gist = await createSecretGist({
+      credentialId: parsed.credential.id,
+      credentialName: parsed.credential.name,
+      credentialType: parsed.credential.type,
+      shareUrl: link,
+      accessMode: share.accessMode,
+      oneTimeOnly: share.oneTimeOnly,
+      expiresAfter: parsed.expiresAfter,
+      fields,
+    });
+
+    res.json({
+      success: true,
+      gist: {
+        url: gist.url,
+        marker: gist.marker,
+        identifier: gist.identifier,
+        title: gist.title,
+      },
+      share: toShareResponse(share),
+      link,
+    });
+  } catch (error) {
+    if (error instanceof ShareRequestError) {
+      res.status(error.status).json({ success: false, error: error.message });
+      return;
+    }
+    if (error instanceof SecretGistError) {
+      res.status(400).json({
+        success: false,
+        error: error.message,
+        code: error.code,
+        remediation: error.remediation,
+        detail: error.detail,
+      });
+      return;
+    }
+    res.status(400).json({ success: false, error: getErrorMessage(error) });
+  }
+});
+
+// POST /credential-shares - create a share link
+router.post('/', (req: Request, res: Response) => {
+  try {
+    const parsed = parseShareRequest(req);
+    const share = createCredentialShare({
+      credentialId: parsed.credentialId,
+      createdBy: parsed.createdBy,
+      expiresAfter: parsed.expiresAfter,
+      accessMode: parsed.accessMode,
+      password: parsed.password,
+      oneTimeOnly: parsed.oneTimeOnly,
+    });
+
+    res.json({
+      success: true,
+      share: toShareResponse(share),
+    });
+  } catch (error) {
+    if (error instanceof ShareRequestError) {
+      res.status(error.status).json({ success: false, error: error.message });
+      return;
+    }
+    res.status(400).json({ success: false, error: getErrorMessage(error) });
+  }
+});
+
+export default router;

package/server/routes/credential-vaults.ts

@@ -0,0 +1,159 @@
+import { Request, Response, Router } from 'express';
+import { createVault, deleteVault, getPrimaryVaultId, getPrimaryVaultPassword, listVaults, lockVault, type VaultMode } from '../lib/cold';
+import { deleteCredential, listCredentials } from '../lib/credentials';
+import { requireAdmin } from '../lib/permissions';
+import { requireWalletAuth } from '../middleware/auth';
+import { parseEncryptedPassword } from '../lib/transport';
+import { HttpError, getErrorMessage } from '../lib/error';
+
+const router = Router();
+
+function resolvePassword(body: Record<string, unknown>): string {
+  const encrypted = body.encrypted;
+
+  if (typeof encrypted === 'string') {
+    return parseEncryptedPassword(encrypted);
+  }
+
+  throw new HttpError(400, 'Encrypted password is required');
+}
+
+function resolveVaultMode(body: Record<string, unknown>): Exclude<VaultMode, 'primary'> {
+  const mode = body.mode;
+  if (mode === undefined) return 'linked';
+  if (mode === 'linked' || mode === 'independent') return mode;
+  throw new HttpError(400, 'mode must be either "linked" or "independent"');
+}
+
+function resolveParentTarget(body: Record<string, unknown>): string | undefined {
+  const parentVaultId = body.parentVaultId;
+  if (typeof parentVaultId === 'string') {
+    const trimmed = parentVaultId.trim();
+    if (trimmed) return trimmed;
+  } else if (parentVaultId !== undefined && parentVaultId !== null && parentVaultId !== '') {
+    throw new HttpError(400, 'parentVaultId must be a string when provided');
+  }
+
+  // Backward compatibility: accept legacy linkedTo input.
+  const linkedTo = body.linkedTo;
+  if (linkedTo === undefined || linkedTo === null || linkedTo === '') return undefined;
+  if (typeof linkedTo === 'string') return linkedTo.trim();
+  throw new HttpError(400, 'linkedTo must be a string when provided');
+}
+
+// POST /vaults/credential — create credential vault (admin)
+router.post('/', requireWalletAuth, requireAdmin, (req: Request, res: Response) => {
+  try {
+    const body = req.body as Record<string, unknown>;
+    const mode = resolveVaultMode(body);
+    const name = typeof req.body?.name === 'string' ? req.body.name.trim() : undefined;
+    const parentVaultId = resolveParentTarget(body);
+    if (mode === 'independent' && parentVaultId) {
+      throw new HttpError(400, 'independent vaults cannot set parentVaultId/linkedTo');
+    }
+
+    let password: string;
+    if (mode === 'linked') {
+      const primaryPassword = getPrimaryVaultPassword();
+      if (!primaryPassword) {
+        throw new HttpError(401, 'Primary vault must be unlocked to create linked vaults');
+      }
+      password = primaryPassword;
+    } else {
+      password = resolvePassword(body);
+    }
+
+    const created = createVault(password, name, { mode, parentVaultId });
+
+    res.json({
+      success: true,
+      vault: {
+        id: created.id,
+        name: created.name,
+        address: created.address,
+        solanaAddress: created.solanaAddress,
+        mode: created.mode,
+        parentVaultId: created.parentVaultId,
+        linkedTo: created.linkedTo,
+        isPrimary: false,
+        isUnlocked: true,
+      },
+    });
+  } catch (error) {
+    if (error instanceof HttpError) {
+      res.status(error.status).json({ success: false, error: error.message });
+      return;
+    }
+    res.status(400).json({ success: false, error: getErrorMessage(error) });
+  }
+});
+
+// GET /vaults/credential — list vaults + unlock status (admin)
+router.get('/', requireWalletAuth, requireAdmin, (_req: Request, res: Response) => {
+  try {
+    const vaults = listVaults();
+    const counts = new Map<string, number>();
+    for (const cred of listCredentials()) {
+      counts.set(cred.vaultId, (counts.get(cred.vaultId) || 0) + 1);
+    }
+
+    res.json({
+      success: true,
+      vaults: vaults.map(vault => ({
+        ...vault,
+        credentialCount: counts.get(vault.id) || 0,
+      })),
+    });
+  } catch (error) {
+    res.status(500).json({ success: false, error: getErrorMessage(error) });
+  }
+});
+
+// POST /vaults/credential/:id/lock — lock vault (admin)
+router.post('/:id/lock', requireWalletAuth, requireAdmin, (req: Request<{ id: string }>, res: Response) => {
+  try {
+    const { id } = req.params;
+    const exists = listVaults().some(vault => vault.id === id);
+    if (!exists) {
+      res.status(404).json({ success: false, error: 'Vault not found' });
+      return;
+    }
+
+    lockVault(id);
+    res.json({ success: true, message: `Vault ${id} locked` });
+  } catch (error) {
+    res.status(500).json({ success: false, error: getErrorMessage(error) });
+  }
+});
+
+// DELETE /vaults/credential/:id — delete vault + credentials (admin)
+router.delete('/:id', requireWalletAuth, requireAdmin, (req: Request<{ id: string }>, res: Response) => {
+  try {
+    const { id } = req.params;
+    const exists = listVaults().some(vault => vault.id === id);
+    if (!exists) {
+      res.status(404).json({ success: false, error: 'Vault not found' });
+      return;
+    }
+    if (id === getPrimaryVaultId()) {
+      res.status(400).json({ success: false, error: 'Cannot delete primary vault from this endpoint' });
+      return;
+    }
+
+    const credentials = listCredentials({ vaultId: id });
+    for (const credential of credentials) {
+      deleteCredential(credential.id);
+    }
+    deleteVault(id);
+
+    res.json({
+      success: true,
+      message: `Vault ${id} deleted`,
+      deletedCredentials: credentials.length,
+    });
+  } catch (error) {
+    res.status(500).json({ success: false, error: getErrorMessage(error) });
+  }
+});
+
+export default router;