auramaxx 0.0.11 → 0.0.13

package/src/server/cli/commands/start.ts

@@ -3,7 +3,14 @@
  */
 
 import { isServerRunning, waitForServer } from '../lib/http';
-import { acquireStartLock, startServer, stopServer } from '../lib/process';
+import {
+  acquireStartLock,
+  ensurePrismaClientGenerated,
+  findProjectRoot,
+  getRuntimeLogPaths,
+  startServer,
+  stopServer,
+} from '../lib/process';
 import { getErrorMessage } from '../../lib/error';
 import { printBanner, printStatus, printHelp } from '../lib/theme';
 import {
@@ -14,6 +21,7 @@ import {
   stopServiceProcesses,
   SERVICE_BOOTSTRAP_ENV,
 } from './service';
+import * as fs from 'fs';
 
 export interface StartCliArgs {
   headless: boolean;
@@ -55,6 +63,15 @@ function printRunningStatus(headless: boolean, serviceInstalled: boolean): void
   console.log('');
 }
 
+function hasPrismaClientMissingCrash(logPath: string): boolean {
+  try {
+    const content = fs.readFileSync(logPath, 'utf8');
+    return content.includes("Cannot find module '.prisma/client/default'");
+  } catch {
+    return false;
+  }
+}
+
 export async function runStartCli(argv: string[] = process.argv.slice(2)): Promise<number> {
   const parsed = parseStartArgs(argv);
   if (parsed.help) {
@@ -77,6 +94,22 @@ export async function runStartCli(argv: string[] = process.argv.slice(2)): Promi
     return 0;
   }
 
+  const root = findProjectRoot();
+  const prismaBootstrap = ensurePrismaClientGenerated(root);
+  if (!prismaBootstrap.ok) {
+    console.error('Prisma runtime client is missing and automatic recovery failed.');
+    if (prismaBootstrap.error) {
+      console.error(`Details: ${prismaBootstrap.error}`);
+    }
+    console.error('Run the following, then retry:');
+    console.error(`  cd "${root}"`);
+    console.error('  npx prisma generate --schema prisma/schema.prisma');
+    return 1;
+  }
+  if (prismaBootstrap.generated) {
+    printStatus('Prisma Client', 'regenerated');
+  }
+
   // Canonical start path: install + launch the background service and rely on it.
   // Avoid recursive service bootstrapping when already inside service-launched `start --background`.
   if (prefersServiceStart) {
@@ -169,8 +202,14 @@ export async function runStartCli(argv: string[] = process.argv.slice(2)): Promi
     try {
       await waitForServer(15000);
     } catch {
-      console.error('Server failed to start within 15 seconds.');
-      console.error('Check for port conflicts on :4242');
+      const runtimeLogs = getRuntimeLogPaths(root);
+      if (hasPrismaClientMissingCrash(runtimeLogs.server)) {
+        console.error('Server failed to boot: generated Prisma client is missing.');
+        console.error('Run: npx prisma generate --schema prisma/schema.prisma');
+      } else {
+        console.error('Server failed to start within 15 seconds.');
+        console.error('Check for port conflicts on :4242');
+      }
       if (parsed.dev) {
         stopServer();
       }

package/src/server/cli/commands/token.ts

@@ -3,7 +3,7 @@
  *
  * Usage:
  *   npx auramaxx token preview --profile dev
- *   npx auramaxx token preview --profile strict --profile-version v1 --json
+ *   npx auramaxx token preview --profile dev --profile-version v1 --json
  *   npx auramaxx token preview --profile dev --overrides '{"ttlSeconds":900}'
  *
  * Auth:
@@ -118,7 +118,7 @@ function showHelp(): void {
 
   Examples:
     npx auramaxx token preview --profile dev
-    npx auramaxx token preview --profile strict --profile-version v1 --json
+    npx auramaxx token preview --profile dev --profile-version v1 --json
     npx auramaxx token preview --profile dev --overrides '{"ttlSeconds":900}'
 `);
 }

package/src/server/cli/lib/escalation.ts

@@ -37,6 +37,10 @@ interface DeterministicErrorBody {
   instructions?: string[];
 }
 
+interface PermissionDeniedContext {
+  retryCommandTemplate?: string;
+}
+
 function isEscalationPayload(body: unknown): body is Record<string, unknown> {
   if (!body || typeof body !== 'object' || Array.isArray(body)) return false;
   const obj = body as Record<string, unknown>;
@@ -59,6 +63,83 @@ function isDeterministicErrorBody(body: Record<string, unknown>): boolean {
   return errorCode.length > 0 && DETERMINISTIC_ESCALATION_ERROR_CODES.has(errorCode);
 }
 
+function shellQuote(arg: string): string {
+  if (/^[A-Za-z0-9_./:=+-]+$/.test(arg)) return arg;
+  return `'${arg.replace(/'/g, `'\"'\"'`)}'`;
+}
+
+function deriveRetryCommandTemplateFromArgv(): string | undefined {
+  const scriptPath = process.argv[1] || '';
+  const match = scriptPath.match(/\/([^/]+)\.ts$/);
+  if (!match) return undefined;
+  const commandName = match[1];
+  const args = process.argv.slice(2).map(shellQuote).join(' ').trim();
+  return args.length > 0
+    ? `npx auramaxx ${commandName} ${args}`
+    : `npx auramaxx ${commandName}`;
+}
+
+function materializeRetryCommand(baseCommand: string | undefined, reqId: string): string | undefined {
+  const base = String(baseCommand || '').trim();
+  if (!base) return undefined;
+  let command = base.replace(/<reqId>/g, reqId);
+  command = command
+    .replace(/--req-id\s+\S+/g, `--reqId ${reqId}`)
+    .replace(/--request-id\s+\S+/g, `--reqId ${reqId}`)
+    .replace(/--requestId\s+\S+/g, `--reqId ${reqId}`)
+    .replace(/--reqId\s+\S+/g, `--reqId ${reqId}`);
+  if (!/\s--(?:reqId|req-id|requestId|request-id)(?:\s|=|$)/.test(command)) {
+    command = `${command} --reqId ${reqId}`;
+  }
+  return command;
+}
+
+function isPlaceholderRetryCommand(command: string | undefined): boolean {
+  const value = String(command || '').trim();
+  if (!value) return true;
+  return value.includes('<retry_original_command>') || value.includes('<retry_original_tool>');
+}
+
+function resolveRetryCommand(params: {
+  reqId: string;
+  body: Record<string, unknown>;
+  context?: PermissionDeniedContext;
+}): string {
+  const retryAction = (
+    params.body.retryAction
+    && typeof params.body.retryAction === 'object'
+    && !Array.isArray(params.body.retryAction)
+  ) ? params.body.retryAction as Record<string, unknown> : null;
+
+  const actionCommand = retryAction && typeof retryAction.command === 'string'
+    ? retryAction.command
+    : undefined;
+  const retryCommand = typeof params.body.retryCommand === 'string'
+    ? params.body.retryCommand
+    : undefined;
+  const template = String(params.context?.retryCommandTemplate || '').trim();
+  const derivedTemplate = deriveRetryCommandTemplateFromArgv();
+
+  const candidate = [
+    template,
+    retryCommand,
+    isPlaceholderRetryCommand(actionCommand) ? '' : (actionCommand || ''),
+    derivedTemplate || '',
+  ]
+    .map((entry) => String(entry || '').trim())
+    .find((entry) => entry.length > 0);
+
+  return materializeRetryCommand(candidate || '<retry_original_command>', params.reqId)
+    || `<retry_original_command> --reqId ${params.reqId}`;
+}
+
+function hasPlaceholderInstructions(instructions: unknown): boolean {
+  if (!Array.isArray(instructions)) return false;
+  return instructions.some((entry) =>
+    typeof entry === 'string'
+    && (entry.includes('<retry_original_command>') || entry.includes('<retry_original_tool>')));
+}
+
 function emitUnsupportedContractVersion(status: number, rawVersion: string): void {
   const payload = {
     contractVersion: ESCALATION_CONTRACT_VERSION,
@@ -78,7 +159,11 @@ function emitUnsupportedContractVersion(status: number, rawVersion: string): voi
  * Returns `true` if the error was handled (caller should exit),
  * `false` if this isn't an escalation-shaped permission response.
  */
-export async function handlePermissionDenied(status: number, body: unknown): Promise<boolean> {
+export async function handlePermissionDenied(
+  status: number,
+  body: unknown,
+  context?: PermissionDeniedContext,
+): Promise<boolean> {
   if (status !== 400 && status !== 403) return false;
   if (!isEscalationPayload(body)) return false;
 
@@ -93,24 +178,26 @@ export async function handlePermissionDenied(status: number, body: unknown): Pro
     const reqId = typeof body.reqId === 'string' ? body.reqId.trim() : '';
     const claimCommand = reqId ? `npx auramaxx auth claim ${reqId} --json` : undefined;
     const retryCommand = reqId
-      ? `<retry_original_command> --reqId ${reqId}`
+      ? resolveRetryCommand({ reqId, body: deterministic, context })
       : '<retry_original_command>';
+    const existingInstructions = Array.isArray(deterministic.instructions) ? deterministic.instructions : [];
+    const instructions = reqId && (existingInstructions.length === 0 || hasPlaceholderInstructions(existingInstructions))
+      ? [
+          ...(claimCommand ? [`1) Re-claim token: ${claimCommand}`] : []),
+          `2) Run this exact command now: ${retryCommand}`,
+        ]
+      : deterministic.instructions;
     const guidance = {
       status,
       ...deterministic,
       ...(reqId ? { reqId } : {}),
-      ...(reqId && !deterministic.claimAction ? {
+      ...(reqId ? {
         claimAction: buildCliClaimAction(reqId),
       } : {}),
-      ...(reqId && !deterministic.retryAction ? {
+      ...(reqId ? {
         retryAction: buildCliRetryAction(retryCommand),
       } : {}),
-      ...(reqId && (!Array.isArray(deterministic.instructions) || deterministic.instructions.length === 0) ? {
-        instructions: [
-          ...(claimCommand ? [`1) Re-claim token: ${claimCommand}`] : []),
-          `2) Retry original command: ${retryCommand}`,
-        ],
-      } : {}),
+      ...(instructions ? { instructions } : {}),
     };
     console.error(JSON.stringify(guidance, null, 2));
     return true;
@@ -123,26 +210,24 @@ export async function handlePermissionDenied(status: number, body: unknown): Pro
       ? approval.approveUrl
       : '<approve_url>';
     const claimCommand = `npx auramaxx auth claim ${reqId} --json`;
-    const retryCommand = `<retry_original_command> --reqId ${reqId}`;
+    const retryCommand = resolveRetryCommand({ reqId, body: approval, context });
+    const existingInstructions = Array.isArray(approval.instructions) ? approval.instructions : [];
+    const instructions = existingInstructions.length === 0 || hasPlaceholderInstructions(existingInstructions)
+      ? [
+          `1) Ask a human to approve: ${approveUrl}`,
+          `2) Claim now: ${claimCommand}`,
+          `3) Run this exact command now: ${retryCommand}`,
+        ]
+      : approval.instructions;
     const guidance = {
       status,
       ...approval,
       reqId,
       claimStatus: typeof approval.claimStatus === 'string' ? approval.claimStatus : 'pending',
       retryReady: typeof approval.retryReady === 'boolean' ? approval.retryReady : false,
-      ...(approval.claimAction ? {} : {
-        claimAction: buildCliClaimAction(reqId),
-      }),
-      ...(approval.retryAction ? {} : {
-        retryAction: buildCliRetryAction(retryCommand),
-      }),
-      ...(!Array.isArray(approval.instructions) || approval.instructions.length === 0 ? {
-        instructions: [
-          `1) Ask a human to approve: ${approveUrl}`,
-          `2) Claim now: ${claimCommand}`,
-          `3) Retry now: ${retryCommand}`,
-        ],
-      } : {}),
+      claimAction: buildCliClaimAction(reqId),
+      retryAction: buildCliRetryAction(retryCommand),
+      ...(instructions ? { instructions } : {}),
     };
     console.error(JSON.stringify(guidance, null, 2));
     return true;

package/src/server/cli/lib/process.ts

@@ -8,6 +8,7 @@ import * as path from 'path';
 import * as fs from 'fs';
 import * as os from 'os';
 import { resolveAuraSocketPath } from '../../lib/socket-path';
+import { getErrorMessage } from '../../lib/error';
 
 /**
  * Find the project root by walking up from __dirname to find the package.json.
@@ -48,6 +49,57 @@ export function getRuntimeLogPaths(root: string = findProjectRoot()): RuntimeLog
   };
 }
 
+export interface PrismaBootstrapResult {
+  ok: boolean;
+  generated: boolean;
+  clientPath: string;
+  error?: string;
+}
+
+export function getGeneratedPrismaClientPath(root: string = findProjectRoot()): string {
+  return path.join(root, 'node_modules', '.prisma', 'client', 'default.js');
+}
+
+/**
+ * Ensure generated Prisma runtime client exists for @prisma/client imports.
+ * This can be missing in some global-install/update paths.
+ */
+export function ensurePrismaClientGenerated(
+  root: string = findProjectRoot(),
+  env: NodeJS.ProcessEnv = process.env,
+): PrismaBootstrapResult {
+  const clientPath = getGeneratedPrismaClientPath(root);
+  if (fs.existsSync(clientPath)) {
+    return { ok: true, generated: false, clientPath };
+  }
+
+  try {
+    execSync('npx prisma generate --schema prisma/schema.prisma', {
+      cwd: root,
+      env,
+      stdio: 'pipe',
+    });
+  } catch (error) {
+    return {
+      ok: false,
+      generated: false,
+      clientPath,
+      error: getErrorMessage(error),
+    };
+  }
+
+  if (!fs.existsSync(clientPath)) {
+    return {
+      ok: false,
+      generated: false,
+      clientPath,
+      error: `Prisma client is still missing after generate at: ${clientPath}`,
+    };
+  }
+
+  return { ok: true, generated: true, clientPath };
+}
+
 function getBackgroundLogStdio(logFilePath: string): { stdio: 'ignore' | ['ignore', number, number]; close: () => void } {
   try {
     fs.mkdirSync(path.dirname(logFilePath), { recursive: true });
@@ -324,10 +376,11 @@ export function startDashboardProcess(opts: StartDashboardProcessOptions = {}):
   let hasProductionBuild = fs.existsSync(buildIdPath);
 
   // If build artifacts are missing, recover once by rebuilding in place.
+  // Use the package build script so prebuild cleanup runs and avoids stale chunk graphs.
   if (!opts.dev && !hasProductionBuild) {
     console.warn(`[AuraMaxx] Missing production dashboard build (${buildIdPath}); attempting one-time dashboard build.`);
     try {
-      execSync('npx next build', { cwd: root, env, stdio: buildStdioMode });
+      execSync('npm run build', { cwd: root, env, stdio: buildStdioMode });
     } catch {
       // Fall back to next dev below so local workflows remain usable if build fails.
     }

package/src/server/cli/socket.ts

@@ -237,7 +237,7 @@ export class SocketServer {
 
       // ── Auto-approve path ──
       if (request.autoApprove) {
-        const autoApproveEnabled = getDefaultSync<boolean>('trust.localAutoApprove', false);
+        const autoApproveEnabled = getDefaultSync<boolean>('trust.localAutoApprove', true);
         if (!autoApproveEnabled) {
           this.send(socket, { type: 'error', message: 'Auto-approve is disabled. Use standard approval flow.' });
           return;

package/src/server/index.ts

@@ -29,6 +29,7 @@ import appRoutes from './routes/apps';
 import actionsRoutes from './routes/actions';
 import credentialAgentRoutes from './routes/credential-agents';
 import credentialsRoutes from './routes/credentials';
+import agentProfilesRoutes from './routes/agent-profiles';
 import credentialSharesRoutes from './routes/credential-shares';
 import passkeyCredentialRoutes from './routes/passkey-credentials';
 import importRoutes from './routes/import';
@@ -198,6 +199,7 @@ app.use('/agents/credential', credentialAgentRoutes);
 app.use('/credentials/import', importRoutes);
 app.use('/credentials/passkey', passkeyCredentialRoutes);
 app.use('/credentials', credentialsRoutes);
+app.use('/agent-profiles', agentProfilesRoutes);
 app.use('/credential-shares', credentialSharesRoutes);
 app.use('/adapters', adaptersRoutes);
 app.use('/defaults', defaultsRoutes);

package/src/server/lib/agent-profile-records.ts

@@ -0,0 +1,72 @@
+import fs from 'fs';
+import path from 'path';
+import { DATA_PATHS } from './config';
+import type { AgentProfileInput, AgentProfileRecord } from '../../../shared/agent-profile-schema';
+
+interface AgentProfilesFile {
+  version: 1;
+  profiles: Record<string, AgentProfileRecord>;
+}
+
+const AGENT_PROFILES_FILE = 'agent-profiles.json';
+
+function getAgentProfilesPath(): string {
+  return path.join(DATA_PATHS.wallets, AGENT_PROFILES_FILE);
+}
+
+function defaultStore(): AgentProfilesFile {
+  return { version: 1, profiles: {} };
+}
+
+function readStore(): AgentProfilesFile {
+  const filePath = getAgentProfilesPath();
+  if (!fs.existsSync(filePath)) return defaultStore();
+
+  try {
+    const raw = fs.readFileSync(filePath, 'utf8');
+    const parsed = JSON.parse(raw) as Partial<AgentProfilesFile> | null;
+    if (!parsed || typeof parsed !== 'object') return defaultStore();
+    if (parsed.version !== 1 || !parsed.profiles || typeof parsed.profiles !== 'object') return defaultStore();
+    return {
+      version: 1,
+      profiles: parsed.profiles as Record<string, AgentProfileRecord>,
+    };
+  } catch {
+    return defaultStore();
+  }
+}
+
+function writeStore(store: AgentProfilesFile): void {
+  const filePath = getAgentProfilesPath();
+  fs.writeFileSync(filePath, JSON.stringify(store, null, 2), { mode: 0o600 });
+}
+
+export function listAgentProfiles(): AgentProfileRecord[] {
+  return Object.values(readStore().profiles).sort((a, b) => a.agentId.localeCompare(b.agentId));
+}
+
+export function getAgentProfile(agentId: string): AgentProfileRecord | null {
+  return readStore().profiles[agentId] || null;
+}
+
+export function upsertAgentProfile(input: AgentProfileInput): AgentProfileRecord {
+  const store = readStore();
+  const existing = store.profiles[input.agentId];
+  const now = new Date().toISOString();
+  const next: AgentProfileRecord = {
+    ...input,
+    createdAt: existing?.createdAt || now,
+    updatedAt: now,
+  };
+  store.profiles[input.agentId] = next;
+  writeStore(store);
+  return next;
+}
+
+export function deleteAgentProfile(agentId: string): boolean {
+  const store = readStore();
+  if (!store.profiles[agentId]) return false;
+  delete store.profiles[agentId];
+  writeStore(store);
+  return true;
+}

package/src/server/lib/credential-transport.ts

@@ -11,6 +11,7 @@ import {
 } from 'crypto';
 import * as net from 'net';
 import { buildPollUrl } from './approval-flow';
+import { getDefault, SEED_DEFAULTS } from './defaults';
 import { resolveAuraSocketCandidates } from './socket-path';
 
 interface HybridEnvelope {
@@ -275,6 +276,29 @@ function parseProfileOverridesFromEnv(): ProfileIssuanceOverrides | undefined {
   }
 }
 
+function seedStringDefault(key: string, fallback: string): string {
+  const seed = SEED_DEFAULTS.find((entry) => entry.key === key);
+  if (!seed || typeof seed.value !== 'string') return fallback;
+  const normalized = seed.value.trim();
+  return normalized || fallback;
+}
+
+export async function resolveAuthFallbackProfileConfig(options?: AuthRequestBootstrapOptions): Promise<{
+  profile: string;
+  profileVersion: string;
+}> {
+  const explicitProfile = options?.profile?.trim();
+  const explicitProfileVersion = options?.profileVersion?.trim();
+
+  const defaultProfile = String(await getDefault<string | null>('trust.localProfile', '') || '').trim();
+  const defaultProfileVersion = String(await getDefault<string | null>('trust.localProfileVersion', '') || '').trim();
+
+  return {
+    profile: explicitProfile || defaultProfile || seedStringDefault('trust.localProfile', 'admin'),
+    profileVersion: explicitProfileVersion || defaultProfileVersion || seedStringDefault('trust.localProfileVersion', 'v1'),
+  };
+}
+
 // ── Socket bootstrap (CLI auth via Unix socket) ──
 
 /**
@@ -394,21 +418,13 @@ export async function bootstrapViaAuthRequest(
   keypair: EphemeralKeypair,
   options: AuthRequestBootstrapOptions = {},
 ): Promise<string | AuthRequestCreated> {
-  const profile = (
-    options.profile ||
-    process.env.AURA_AUTH_PROFILE ||
-    process.env.AURA_AGENT_PROFILE ||
-    'strict'
-  ).trim();
+  const resolvedProfile = await resolveAuthFallbackProfileConfig(options);
+  const profile = resolvedProfile.profile;
   if (!profile) {
     throw new Error('No profile configured for /auth fallback');
   }
 
-  const profileVersion = (
-    options.profileVersion ||
-    process.env.AURA_AUTH_PROFILE_VERSION ||
-    'v1'
-  ).trim();
+  const profileVersion = resolvedProfile.profileVersion;
   const profileOverrides = options.profileOverrides || parseProfileOverridesFromEnv();
   const timeoutMs = options.timeoutMs ?? 120_000;
   const pollIntervalMs = options.pollIntervalMs ?? 3_000;

package/src/server/lib/defaults.ts

@@ -36,10 +36,10 @@ export const SEED_DEFAULTS: SeedDefault[] = [
   { key: 'gas.sol_buffer', value: 0.000005, type: 'financial', label: 'Solana Gas Buffer (SOL)', description: 'Reserved SOL buffer for max-send in UI' },
 
   // TTLs
-  { key: 'ttl.agent', value: 3600, type: 'ttl', label: 'Agent Token TTL (seconds)', description: 'Default time-to-live for agent tokens' },
+  { key: 'ttl.agent', value: 604800, type: 'ttl', label: 'Agent Token TTL (seconds)', description: 'Default time-to-live for agent tokens (7 days)' },
   { key: 'ttl.admin', value: 2592000, type: 'ttl', label: 'Admin Token TTL (seconds)', description: 'Time-to-live for admin tokens (30 days)' },
   { key: 'ttl.app', value: 86400, type: 'ttl', label: 'App Token TTL (seconds)', description: 'Time-to-live for app tokens (24h)' },
-  { key: 'ttl.action', value: 600, type: 'ttl', label: 'Action Token TTL (seconds)', description: 'Default time-to-live for action tokens' },
+  { key: 'ttl.action', value: 3600, type: 'ttl', label: 'Action Token TTL (seconds)', description: 'Default time-to-live for action tokens (1 hour)' },
 
   // Strategy runtime (cron-owned)
   { key: 'strategy.cron_enabled', value: true, type: 'strategy', label: 'Enable Cron-Owned Strategy Runtime', description: 'When true, strategy ticks and message hooks are owned by the cron process only' },
@@ -89,7 +89,7 @@ export const SEED_DEFAULTS: SeedDefault[] = [
   { key: 'discovery.max_initial_lookback', value: 302400, type: 'discovery', label: 'Max Initial Lookback (blocks)', description: 'How far back to scan on first run (~7 days on Base)' },
 
   // Trust / auto-approve defaults
-  { key: 'trust.localAutoApprove', value: false, type: 'trust', label: 'Auto-Approve Local Socket Connections', description: 'Auto-approve auth requests from same-UID processes via Unix socket (0600 permission = same user = trusted)' },
+  { key: 'trust.localAutoApprove', value: true, type: 'trust', label: 'Auto-Approve Local Socket Connections', description: 'Auto-approve auth requests from same-UID processes via Unix socket (0600 permission = same user = trusted)' },
   { key: 'trust.localProfile', value: 'admin', type: 'trust', label: 'Local Socket Agent Profile', description: 'Built-in profile used for local socket-issued agent tokens (strict/dev/admin). Default is admin.' },
   { key: 'trust.localProfileVersion', value: 'v1', type: 'trust', label: 'Local Socket Agent Profile Version', description: 'Version for local socket profile resolution' },
   { key: 'trust.localProfileOverrides', value: null, type: 'trust', label: 'Local Socket Agent Profile Overrides', description: 'Optional tighten-only overrides for the local socket profile' },

package/src/server/lib/escalation-responder.ts

@@ -25,7 +25,7 @@ import {
 
 const SESSION_TOKEN_TTL_SECONDS = 7 * 24 * 60 * 60;
 const STRICT_SESSION_TOKEN_TTL_SECONDS = 60 * 60;
-const ESCALATION_PROFILE_ORDER = ['strict', 'dev', 'admin'] as const;
+const ESCALATION_PROFILE_ORDER = ['dev', 'strict', 'admin'] as const;
 
 export interface OneShotEscalationContext {
   routeContractId: string;

package/src/server/lib/resolve-action.ts

@@ -122,7 +122,7 @@ export async function resolveAction(
     const defaultSendLimit = await getDefault<number>('limits.send', 0.1);
     const defaultSwapLimit = await getDefault<number>('limits.swap', 0.1);
     const defaultPermissions = await getDefault<string[]>('permissions.default', ['wallet:create:hot', 'send:hot', 'swap', 'fund', 'action:create']);
-    const defaultTtl = await getDefault<number>('ttl.agent', 3600);
+    const defaultTtl = await getDefault<number>('ttl.agent', 604800);
     const effectivePolicy = parseRequestedPolicy(metadata.effectivePolicy);
     const compiledBinding = parsePolicyOperationBinding(metadata.binding);
     const oneShotBinding = metadata.approvalScope === 'one_shot_read'
@@ -315,7 +315,7 @@ export async function resolveAction(
       return { success: false, statusCode: 400, data: { success: false, error: 'requestedPubkey is required for token issuance' } };
     }
 
-    const ttl = await getDefault<number>('ttl.agent', 3600);
+    const ttl = await getDefault<number>('ttl.agent', 604800);
     const token = await createToken(agentId, newLimits?.fund ?? 0, newPermissions, ttl, {
       limits: newLimits,
       walletAccess: newWalletAccess,

package/src/server/lib/update-check.ts

@@ -31,7 +31,7 @@ export function buildVersionInfo(current: string, latest: string): VersionInfo {
 }
 
 export function buildUpdateCommand(packageName = 'auramaxx'): string {
-  return `npm install -g ${packageName}`;
+  return `npm install -g ${packageName} --foreground-scripts`;
 }
 
 export function buildNpxLatestCommand(packageName = 'auramaxx', args: string[] = []): string {

package/src/server/mcp/server.ts

@@ -1501,6 +1501,7 @@ server.tool(
           'Authorization': `Bearer ${authToken}`,
           'X-Secret-Surface': 'get_secret',
           'X-Credential-Name': credentialName || name,
+          'X-Aura-Original-Command': `mcp get_secret ${JSON.stringify(name)}`,
         },
         signal: AbortSignal.timeout(5000),
       });
@@ -1532,7 +1533,10 @@ server.tool(
         try {
           const totpRes = await fetch(`${base}/credentials/${credentialId}/totp`, {
             method: 'POST',
-            headers: { 'Authorization': `Bearer ${authToken}` },
+            headers: {
+              'Authorization': `Bearer ${authToken}`,
+              'X-Aura-Original-Command': `mcp get_secret ${JSON.stringify(name)}`,
+            },
             signal: AbortSignal.timeout(5000),
           });
           if (totpRes.ok) {
@@ -1993,6 +1997,7 @@ server.tool(
           'X-Secret-Surface': 'inject_secret',
           'X-Secret-EnvVar': resolvedEnvVar,
           'X-Credential-Name': resolved.credentialName || name,
+          'X-Aura-Original-Command': `mcp inject_secret ${JSON.stringify(name)}`,
         },
         signal: AbortSignal.timeout(5000),
       });