auramaxx 0.0.1

package/server/routes/dashboard.ts

@@ -0,0 +1,97 @@
+import { Router, Request, Response } from 'express';
+import { prisma } from '../lib/db';
+import { listTokensFromDb } from '../lib/sessions';
+import { getAdminTokenHashes } from '../lib/auth';
+import { getErrorMessage } from '../lib/error';
+import { buildHumanActionSummary } from '../lib/human-action-summary';
+import { getDefaultSync } from '../lib/defaults';
+
+const router = Router();
+
+// GET /dashboard - Combined view of pending/history actions and agent tokens
+router.get('/', async (_req: Request, res: Response) => {
+  try {
+    // Get pending requests + recent resolved history for drawer surfaces.
+    const [pendingActions, historyActions] = await Promise.all([
+      prisma.humanAction.findMany({
+        where: {
+          status: 'pending',
+          NOT: { type: 'strategy:message' },
+        },
+        orderBy: { createdAt: 'desc' },
+      }),
+      prisma.humanAction.findMany({
+        where: {
+          status: { not: 'pending' },
+          NOT: { type: 'strategy:message' },
+        },
+        orderBy: [{ resolvedAt: 'desc' }, { createdAt: 'desc' }],
+        take: 40,
+      }),
+    ]);
+
+    const requests = pendingActions.map((action) => ({
+      ...action,
+      humanSummary: buildHumanActionSummary(action),
+      rawPayload: action.metadata,
+    }));
+    const history = historyActions.map((action) => ({
+      ...action,
+      humanSummary: buildHumanActionSummary(action),
+      rawPayload: action.metadata,
+    }));
+
+    // Get all tokens from DB (with isActive flag from memory check)
+    const allTokens = await listTokensFromDb();
+
+    // Exclude admin tokens from DB list — they're added separately from getAdminTokenHashes()
+    const nonAdminTokens = allTokens.filter(t => t.agentId !== 'admin');
+
+    // Active = in memory + not expired + not revoked + (no fund limit OR has remaining)
+    const agentActiveTokens = nonAdminTokens.filter(t => t.isActive && (t.limit === 0 || t.remaining > 0));
+
+    // Inactive = not in memory (server restarted) OR expired OR revoked OR depleted (has limit but none remaining)
+    const inactiveTokens = nonAdminTokens.filter(t => !t.isActive || (t.limit > 0 && t.remaining <= 0));
+
+    // Get admin token hashes and create admin token entries
+    const adminHashes = getAdminTokenHashes();
+    const adminTokenTtlMs = getDefaultSync<number>('ttl.admin', 2592000) * 1000;
+    const adminTokens = adminHashes.map(hash => ({
+      tokenHash: hash,
+      agentId: 'admin',
+      isAdmin: true,
+      limit: 0,
+      spent: 0,
+      remaining: Infinity,
+      permissions: ['admin:*'],
+      expiresAt: Date.now() + adminTokenTtlMs,
+      isExpired: false,
+      isRevoked: false,
+      isActive: true,
+    }));
+
+    // Combine: admin tokens first, then agent tokens
+    const activeTokens = [...adminTokens, ...agentActiveTokens];
+
+    res.json({
+      success: true,
+      requests,
+      history,
+      tokens: {
+        active: activeTokens,
+        inactive: inactiveTokens
+      },
+      counts: {
+        pendingActions: pendingActions.length,
+        historyActions: historyActions.length,
+        activeTokens: activeTokens.length,
+        inactiveTokens: inactiveTokens.length
+      }
+    });
+  } catch (error) {
+    const message = getErrorMessage(error);
+    res.status(500).json({ error: message });
+  }
+});
+
+export default router;

package/server/routes/defaults.ts

@@ -0,0 +1,124 @@
+/**
+ * System Defaults Routes
+ * ======================
+ * Admin-only endpoints for managing centralized system defaults.
+ *
+ * GET    /defaults        — All defaults grouped by type
+ * PATCH  /defaults/:key   — Update a single default
+ * POST   /defaults/reset  — Reset one or all defaults to seed values
+ */
+
+import { Router, Request, Response } from 'express';
+import { requireWalletAuth } from '../middleware/auth';
+import { requireAdmin } from '../lib/permissions';
+import { getAllDefaults, setDefault, resetDefault, SEED_DEFAULTS, getDefault } from '../lib/defaults';
+import { events } from '../lib/events';
+import { getErrorMessage } from '../lib/error';
+
+const router = Router();
+
+// All defaults routes require admin access
+router.use(requireWalletAuth, requireAdmin);
+
+/**
+ * GET /defaults — List all defaults grouped by type
+ */
+router.get('/', async (_req: Request, res: Response) => {
+  try {
+    const grouped = await getAllDefaults();
+    res.json({ success: true, defaults: grouped });
+  } catch (error) {
+    const message = getErrorMessage(error);
+    res.status(500).json({ success: false, error: message });
+  }
+});
+
+/**
+ * PATCH /defaults/:key — Update a single default value
+ * Body: { value: any }
+ */
+router.patch('/:key', async (req: Request<{ key: string }>, res: Response) => {
+  try {
+    const { key } = req.params;
+    const { value } = req.body;
+
+    if (value === undefined) {
+      res.status(400).json({ success: false, error: 'value is required' });
+      return;
+    }
+
+    // Validate the key exists in seeds (don't allow creating arbitrary keys via PATCH)
+    const seed = SEED_DEFAULTS.find(s => s.key === key);
+    if (!seed) {
+      res.status(404).json({ success: false, error: `Unknown default key: ${key}` });
+      return;
+    }
+
+    // Type-check: ensure value type matches seed type roughly
+    const seedType = typeof seed.value;
+    const valueType = typeof value;
+
+    if (seedType === 'number' && valueType !== 'number') {
+      res.status(400).json({ success: false, error: `Expected number for ${key}, got ${valueType}` });
+      return;
+    }
+
+    if (Array.isArray(seed.value) && !Array.isArray(value)) {
+      res.status(400).json({ success: false, error: `Expected array for ${key}` });
+      return;
+    }
+
+    const previousValue = key === 'trust.localProfile'
+      ? await getDefault<string>('trust.localProfile', 'dev')
+      : null;
+
+    await setDefault(key, value);
+
+    if (key === 'trust.localProfile') {
+      const previousProfile = typeof previousValue === 'string' ? previousValue.trim() : 'dev';
+      const nextProfile = typeof value === 'string' ? value.trim() : '';
+      const dangerousModeChanged = (previousProfile === 'admin') !== (nextProfile === 'admin');
+
+      if (dangerousModeChanged) {
+        events.custom('trust:local_dangerous_mode_changed', {
+          actorType: req.auth?.token?.agentId ? 'agent' : 'admin',
+          actorId: req.auth?.token?.agentId ?? 'admin',
+          tokenHash: req.auth?.tokenHash,
+          key,
+          previousValue: previousProfile,
+          nextValue: nextProfile,
+          timestamp: Date.now(),
+        });
+      }
+    }
+
+    res.json({ success: true, key, value });
+  } catch (error) {
+    const message = getErrorMessage(error);
+    res.status(500).json({ success: false, error: message });
+  }
+});
+
+/**
+ * POST /defaults/reset — Reset one or all defaults to seed values
+ * Body: { key: string } — use "*" to reset all
+ */
+router.post('/reset', async (req: Request, res: Response) => {
+  try {
+    const { key } = req.body;
+
+    if (!key || typeof key !== 'string') {
+      res.status(400).json({ success: false, error: 'key is required (use "*" to reset all)' });
+      return;
+    }
+
+    await resetDefault(key);
+
+    res.json({ success: true, key, reset: true });
+  } catch (error) {
+    const message = getErrorMessage(error);
+    res.status(500).json({ success: false, error: message });
+  }
+});
+
+export default router;

package/server/routes/flags.ts

@@ -0,0 +1,11 @@
+import { Router, Request, Response } from 'express';
+import { readFlags } from '../lib/feature-flags';
+
+const router = Router();
+
+// GET /flags — return current feature flag values (public, read-only)
+router.get('/', (_req: Request, res: Response) => {
+  res.json(readFlags());
+});
+
+export default router;

package/server/routes/fund.ts

@@ -0,0 +1,225 @@
+import { Router, Request, Response } from 'express';
+import { ethers } from 'ethers';
+import { PublicKey } from '@solana/web3.js';
+import { reserveSpend, releaseSpend, getRemainingByType } from '../lib/sessions';
+import { tokenCanAccessWallet, getHotWallet } from '../lib/hot';
+import {
+  isUnlocked, getColdWalletAddress, signWithColdWallet, getSolanaColdKeypair, getSolanaColdAddress,
+  isVaultUnlocked, getVaultAddress, getVaultSolanaAddress, getVaultSolanaKeypair, signWithVault, getPrimaryVaultId
+} from '../lib/cold';
+import { prisma } from '../lib/db';
+import { getRpcUrl, resolveChain } from '../lib/config';
+import { logger } from '../lib/logger';
+import { requireWalletAuth } from '../middleware/auth';
+import { hasAnyPermission, isAdmin, buildPermissionDenied } from '../lib/permissions';
+import { isSolanaChain, normalizeAddress, getNativeAddress, getNativeCurrency } from '../lib/address';
+import { getSolanaConnection } from '../lib/solana/connection';
+import { buildSolTransfer, sendSolanaTransaction } from '../lib/solana/transfer';
+import { getErrorMessage, HttpError } from '../lib/error';
+
+const router = Router();
+
+/**
+ * POST /fund - Agent transfers funds from cold wallet to their hot wallet
+ *
+ * This executes immediately if the cold wallet is unlocked.
+ * The agent's spending limit is checked and deducted.
+ *
+ * Security checks:
+ * 1. Valid bearer token (HMAC signature)
+ * 2. Token not revoked
+ * 3. Token can access the target hot wallet (owns or has walletAccess grant)
+ * 4. Token has fund permission
+ * 5. Amount within remaining spending limit (fund limit)
+ * 6. Cold wallet must be unlocked
+ */
+router.post('/', requireWalletAuth, async (req: Request, res: Response) => {
+  let rollback = () => {};
+  try {
+    const { to, amount, chain } = req.body;
+    const auth = req.auth!;
+
+    // Validate required fields
+    if (!to || typeof to !== 'string') {
+      res.status(400).json({ error: 'to (hot wallet address) is required' });
+      return;
+    }
+
+    if (!amount || (typeof amount !== 'string' && typeof amount !== 'number')) {
+      res.status(400).json({ error: 'amount is required (in wei for EVM or lamports for Solana)' });
+      return;
+    }
+
+    // Amount is in wei (EVM) or lamports (Solana). Parse as BigInt.
+    const amountWei = BigInt(amount);
+    if (amountWei <= 0n) {
+      res.status(400).json({ error: 'amount must be a positive number' });
+      return;
+    }
+
+    // Determine chain first (needed to compute decimal amount for limit checks)
+    const { targetChain } = resolveChain(chain);
+
+    const currency = getNativeAddress(targetChain);
+    const nativeCurrency = getNativeCurrency(targetChain);
+
+    // Convert wei/lamports to decimal for limit checks
+    const amountNum = isSolanaChain(targetChain)
+      ? Number(amountWei) / 1e9    // lamports -> SOL
+      : parseFloat(ethers.formatEther(amountWei));  // wei -> ETH
+
+    // Admin bypasses permission checks
+    if (!isAdmin(auth)) {
+      // Check fund permission
+      if (!hasAnyPermission(auth.token.permissions, ['fund'])) {
+        logger.permissionDenied('fund', auth.token.agentId, '/fund');
+        res.status(403).json(buildPermissionDenied('Token does not have fund permission', ['fund'], auth.token.permissions));
+        return;
+      }
+
+      // Check if token can access the target wallet
+      const canAccess = await tokenCanAccessWallet(auth.tokenHash, auth.token.walletAccess, to);
+      if (!canAccess) {
+        logger.permissionDenied('wallet_access', auth.token.agentId, '/fund');
+        res.status(403).json(buildPermissionDenied('Token does not have access to this wallet', ['wallet:access'], auth.token.permissions));
+        return;
+      }
+
+      // Reserve spending atomically (prevents TOCTOU race between concurrent requests)
+      const reserve = reserveSpend(auth.tokenHash, auth.token, 'fund', amountNum, currency);
+      if (!reserve.ok) {
+        logger.limitExceeded(auth.token.agentId, 'fund', amountNum, reserve.remaining);
+        res.status(403).json({ ...buildPermissionDenied('Amount exceeds remaining spending limit', ['fund'], auth.token.permissions), remaining: reserve.remaining, requested: amountNum });
+        return;
+      }
+    }
+
+    // Set rollback to release reserved spend on early exit or error
+    rollback = () => {
+      if (!isAdmin(auth)) releaseSpend(auth.tokenHash, 'fund', amountNum, currency);
+    };
+
+    // Look up which vault the target hot wallet belongs to
+    const hotWalletInfo = await getHotWallet(to);
+    const vaultId = hotWalletInfo?.coldWalletId || getPrimaryVaultId();
+
+    // The source vault must be unlocked
+    if (vaultId && !isVaultUnlocked(vaultId)) {
+      rollback();
+      logger.authFailed('Vault locked', '/fund');
+      res.status(401).json({ error: `Vault ${vaultId} is locked. Human must unlock it first.` });
+      return;
+    }
+    if (!isUnlocked()) {
+      rollback();
+      logger.authFailed('Vault locked', '/fund');
+      res.status(401).json({ error: 'Cold wallet is locked. Human must unlock it first.' });
+      return;
+    }
+
+    // --- Solana early branch ---
+    if (isSolanaChain(targetChain)) {
+      const coldKeypair = vaultId ? getVaultSolanaKeypair(vaultId) : getSolanaColdKeypair();
+      const coldAddress = vaultId ? getVaultSolanaAddress(vaultId) : getSolanaColdAddress();
+      if (!coldKeypair || !coldAddress) {
+        rollback();
+        res.status(400).json({ error: 'Solana cold wallet not available' });
+        return;
+      }
+
+      const connection = await getSolanaConnection(targetChain);
+      const toPubkey = new PublicKey(to);
+      // Pass lamports directly to buildSolTransfer
+      const tx = await buildSolTransfer(connection, coldKeypair.publicKey, toPubkey, Number(amountWei));
+      const txHash = await sendSolanaTransaction(connection, tx, coldKeypair);
+
+      // Spend already reserved atomically above
+
+      await prisma.log.create({
+        data: {
+          walletAddress: coldAddress,
+          title: 'Agent Fund Transfer',
+          description: `Transferred ${amountNum} ${nativeCurrency} to hot wallet ${to.slice(0, 10)}...`,
+          txHash
+        }
+      });
+
+      const agentId = !isAdmin(auth) ? auth.token.agentId : undefined;
+      logger.fund(to, amountNum.toString(), txHash, agentId);
+
+      const remaining = isAdmin(auth)
+        ? Infinity
+        : getRemainingByType(auth.tokenHash, auth.token, 'fund', currency);
+
+      res.json({
+        success: true,
+        txHash,
+        amount: amountNum.toString(),
+        from: coldAddress,
+        to,
+        chain: targetChain,
+        remaining
+      });
+      return;
+    }
+
+    // --- EVM path ---
+    const coldAddress = vaultId ? getVaultAddress(vaultId) : getColdWalletAddress();
+    if (!coldAddress) {
+      rollback();
+      res.status(400).json({ error: 'Cold wallet not available' });
+      return;
+    }
+
+    // Execute the transfer — amountWei is already in wei, pass directly
+    const provider = new ethers.JsonRpcProvider(await getRpcUrl(targetChain));
+    const txHash = vaultId
+      ? await signWithVault(vaultId, {
+          to: to.toLowerCase(),
+          value: amountWei,
+          from: coldAddress
+        }, provider)
+      : await signWithColdWallet({
+          to: to.toLowerCase(),
+          value: amountWei,
+          from: coldAddress
+        }, provider);
+
+    // Spend already reserved atomically above
+
+    // Log the transaction
+    await prisma.log.create({
+      data: {
+        walletAddress: coldAddress,
+        title: 'Agent Fund Transfer',
+        description: `Transferred ${amountNum} ETH to hot wallet ${to.slice(0, 10)}...`,
+        txHash
+      }
+    });
+
+    // Log fund event
+    const agentId = !isAdmin(auth) ? auth.token.agentId : undefined;
+    logger.fund(to, amountNum.toString(), txHash, agentId);
+
+    // Get remaining for response
+    const remaining = isAdmin(auth)
+      ? Infinity
+      : getRemainingByType(auth.tokenHash, auth.token, 'fund', currency);
+
+    res.json({
+      success: true,
+      txHash,
+      amount: amountNum.toString(),
+      from: coldAddress,
+      to: to.toLowerCase(),
+      chain: targetChain,
+      remaining
+    });
+  } catch (error) {
+    rollback();
+    if (error instanceof HttpError) { res.status(error.status).json({ error: error.message }); return; }
+    res.status(400).json({ error: getErrorMessage(error) });
+  }
+});
+
+export default router;