npm - auramaxx - Versions diffs - 0.0.12 → 0.0.13 - Mend

auramaxx 0.0.12 → 0.0.13

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (334) hide show

package/src/server/routes/agent-profiles.ts ADDED Viewed

@@ -0,0 +1,82 @@
+import { Request, Response, Router } from 'express';
+import { requireWalletAuth } from '../middleware/auth';
+import { requireAdmin } from '../lib/permissions';
+import { getErrorMessage } from '../lib/error';
+import { normalizeAgentProfileInput } from '../../../shared/agent-profile-schema';
+import {
+  deleteAgentProfile,
+  getAgentProfile,
+  listAgentProfiles,
+  upsertAgentProfile,
+} from '../lib/agent-profile-records';
+const router = Router();
+router.use(requireWalletAuth, requireAdmin);
+function normalizeAgentIdParam(value: string): string {
+  const decoded = decodeURIComponent(String(value || ''));
+  const agentId = decoded.trim();
+  if (!agentId) {
+    throw new Error('agentId path param is required');
+  }
+  return agentId;
+}
+router.get('/', (_req: Request, res: Response) => {
+  try {
+    const profiles = listAgentProfiles();
+    res.json({ success: true, profiles });
+  } catch (error) {
+    res.status(500).json({ success: false, error: getErrorMessage(error) });
+  }
+});
+router.get('/:agentId', (req: Request<{ agentId: string }>, res: Response) => {
+  try {
+    const agentId = normalizeAgentIdParam(req.params.agentId);
+    const profile = getAgentProfile(agentId);
+    if (!profile) {
+      res.status(404).json({ success: false, error: 'Agent profile not found' });
+      return;
+    }
+    res.json({ success: true, profile });
+  } catch (error) {
+    res.status(400).json({ success: false, error: getErrorMessage(error) });
+  }
+});
+router.put('/:agentId', (req: Request<{ agentId: string }>, res: Response) => {
+  try {
+    const agentId = normalizeAgentIdParam(req.params.agentId);
+    const body = req.body && typeof req.body === 'object' && !Array.isArray(req.body)
+      ? req.body as Record<string, unknown>
+      : {};
+    const bodyAgentIdRaw = body.agentId ?? body.agent_id;
+    if (typeof bodyAgentIdRaw === 'string' && bodyAgentIdRaw.trim() && bodyAgentIdRaw.trim() !== agentId) {
+      res.status(400).json({ success: false, error: 'body agentId must match path param' });
+      return;
+    }
+    const normalized = normalizeAgentProfileInput(body, { fallbackAgentId: agentId });
+    const profile = upsertAgentProfile(normalized);
+    res.json({ success: true, profile });
+  } catch (error) {
+    res.status(400).json({ success: false, error: getErrorMessage(error) });
+  }
+});
+router.delete('/:agentId', (req: Request<{ agentId: string }>, res: Response) => {
+  try {
+    const agentId = normalizeAgentIdParam(req.params.agentId);
+    const removed = deleteAgentProfile(agentId);
+    if (!removed) {
+      res.status(404).json({ success: false, error: 'Agent profile not found' });
+      return;
+    }
+    res.json({ success: true, deleted: true, agentId });
+  } catch (error) {
+    res.status(400).json({ success: false, error: getErrorMessage(error) });
+  }
+});
+export default router;

package/src/server/routes/auth.ts CHANGED Viewed

@@ -73,6 +73,34 @@ function buildSessionApprovalContract(input: {
   };
 }
+function materializeRetryCommand(originalCommand: string | undefined, reqId: string): string | undefined {
+  const base = String(originalCommand || '').trim();
+  if (!base) return undefined;
+  let command = base.replace(/<reqId>/g, reqId);
+  command = command
+    .replace(/--req-id\s+\S+/g, `--reqId ${reqId}`)
+    .replace(/--request-id\s+\S+/g, `--reqId ${reqId}`)
+    .replace(/--requestId\s+\S+/g, `--reqId ${reqId}`)
+    .replace(/--reqId\s+\S+/g, `--reqId ${reqId}`);
+  if (!/\s--(?:reqId|req-id|requestId|request-id)(?:\s|=|$)/.test(command)) {
+    command = `${command} --reqId ${reqId}`;
+  }
+  return command;
+}
+function buildRetryInstructions(base: unknown, retryCommand: string | undefined): string[] {
+  const existing = Array.isArray(base)
+    ? base.filter((entry): entry is string => typeof entry === 'string' && entry.trim().length > 0)
+    : [];
+  if (!retryCommand) return existing;
+  return [
+    `Run this exact command now: ${retryCommand}`,
+    ...existing,
+  ];
+}
 function auditApprovalLifecycle(input: {
   requestId: string;
   state:
@@ -481,6 +509,7 @@ router.get('/:requestId', async (req: Request<{ requestId: string }>, res: Respo
       binding?: Record<string, unknown>;
       approveUrl?: string;
       pubkey?: string;
+      originalCommand?: string;
     } = {};
     if (request.metadata) {
       try {
@@ -522,6 +551,8 @@ router.get('/:requestId', async (req: Request<{ requestId: string }>, res: Respo
       secret,
       ...(typeof metadata.approveUrl === 'string' ? { approveUrl: metadata.approveUrl } : {}),
     });
+    const retryCommand = materializeRetryCommand(metadata.originalCommand, requestId);
+    const instructions = buildRetryInstructions(contract.flow.instructions, retryCommand);
     // Return status based on request state
     if (request.status === 'pending') {
@@ -545,7 +576,8 @@ router.get('/:requestId', async (req: Request<{ requestId: string }>, res: Respo
         retryReady: false,
         claimAction: contract.claimAction,
         retryAction: contract.retryAction,
-        instructions: contract.flow.instructions || [],
+        instructions,
+        ...(retryCommand ? { retryCommand } : {}),
         ...((metadata.policyHash || metadata.effectivePolicyHash) ? { policyHash: metadata.policyHash || metadata.effectivePolicyHash } : {}),
         ...((metadata.compilerVersion || metadata.effectivePolicyHash) ? { compilerVersion: metadata.compilerVersion || 'profile.v1' } : {}),
         message: 'Waiting for human approval',
@@ -574,7 +606,8 @@ router.get('/:requestId', async (req: Request<{ requestId: string }>, res: Respo
         retryReady: false,
         claimAction: contract.claimAction,
         retryAction: contract.retryAction,
-        instructions: contract.flow.instructions || [],
+        instructions,
+        ...(retryCommand ? { retryCommand } : {}),
         ...((metadata.policyHash || metadata.effectivePolicyHash) ? { policyHash: metadata.policyHash || metadata.effectivePolicyHash } : {}),
         ...((metadata.compilerVersion || metadata.effectivePolicyHash) ? { compilerVersion: metadata.compilerVersion || 'profile.v1' } : {}),
         message: 'Request was rejected',
@@ -626,7 +659,8 @@ router.get('/:requestId', async (req: Request<{ requestId: string }>, res: Respo
           retryReady: false,
           claimAction: contract.claimAction,
           retryAction: contract.retryAction,
-          instructions: contract.flow.instructions || [],
+          instructions,
+          ...(retryCommand ? { retryCommand } : {}),
           ...(policyHash ? { policyHash } : {}),
           ...(compilerVersion ? { compilerVersion } : {}),
           ...(metadata.requestedPolicySource ? { requestedPolicySource: metadata.requestedPolicySource } : {}),
@@ -672,7 +706,8 @@ router.get('/:requestId', async (req: Request<{ requestId: string }>, res: Respo
         retryReady: true,
         claimAction: contract.claimAction,
         retryAction: contract.retryAction,
-        instructions: contract.flow.instructions || [],
+        instructions,
+        ...(retryCommand ? { retryCommand } : {}),
         ...((metadata.policyHash || metadata.effectivePolicyHash) ? { policyHash: metadata.policyHash || metadata.effectivePolicyHash } : {}),
         ...((metadata.compilerVersion || metadata.effectivePolicyHash) ? { compilerVersion: metadata.compilerVersion || 'profile.v1' } : {}),
         approvalScope: metadata.approvalScope,

package/src/server/routes/credentials.ts CHANGED Viewed

@@ -61,6 +61,7 @@ const router = Router();
 const VALID_CREDENTIAL_TYPES = new Set<CredentialType>([
   'login',
   'card',
+  'sso',
   'note',
   'plain_note',
   'hot_wallet',
@@ -108,6 +109,15 @@ function normalizeName(name: string): string {
   return name.trim().normalize('NFKC');
 }
+function readOriginalCommand(req: Request): string | undefined {
+  const value = req.header('x-aura-original-command');
+  if (typeof value !== 'string') return undefined;
+  const trimmed = value.trim();
+  if (!trimmed) return undefined;
+  // Keep header storage bounded while preserving full command intent.
+  return trimmed.slice(0, 4000);
+}
 function findSensitiveFieldValue(fields: CredentialField[], key: string): string {
   const field = fields.find((entry) => entry.key === key);
   return typeof field?.value === 'string' ? field.value : '';
@@ -572,6 +582,7 @@ function buildCredentialOneShotDenyContext(input: {
   flowSummary: string;
   finalStep: string;
   retryBehavior: string;
+  originalCommand?: string;
   metadata?: Record<string, unknown>;
   eventMetadata?: Record<string, unknown>;
   responseMetadata?: Record<string, unknown>;
@@ -611,6 +622,7 @@ function buildCredentialOneShotDenyContext(input: {
       credentialId: input.credential.id,
       credentialName: input.credential.name,
       credentialAgentId: input.credential.agentId,
+      ...(input.originalCommand ? { originalCommand: input.originalCommand } : {}),
       ...(input.metadata || {}),
     },
     eventMetadata: {
@@ -1611,6 +1623,7 @@ router.post('/purge', (req: Request, res: Response) => {
 router.post('/:id/read', async (req: Request<{ id: string }>, res: Response) => {
   try {
     const auth = req.auth!;
+    const originalCommand = readOriginalCommand(req);
     const requestedLocation = parseCredentialLocation(req.query.location, 'active');
     if (!requestedLocation) {
       res.status(400).json({ success: false, error: 'Invalid location. Expected active, archive, or recently_deleted' });
@@ -1701,6 +1714,7 @@ router.post('/:id/read', async (req: Request<{ id: string }>, res: Response) =>
         flowSummary: 'This approval grants a one-shot scoped read token (maxReads=1, short TTL).',
         finalStep: 'Retry the original secret read/inject call after claim succeeds.',
         retryBehavior: 'Retrying before claim completion will return another approval-required response.',
+        originalCommand,
         metadata: {
           policyContext: {
             readScopes: auth.token.credentialAccess?.read || [],
@@ -1849,6 +1863,7 @@ router.post('/:id/read', async (req: Request<{ id: string }>, res: Response) =>
         flowSummary: 'This approval grants a one-shot scoped read token (maxReads=1, short TTL).',
         finalStep: 'Retry the original secret read/inject call after claim succeeds.',
         retryBehavior: 'Retrying before claim completion will return another approval-required response.',
+        originalCommand,
         metadata: {
           requestedFields: requestedExcludedFields,
           policyContext: {
@@ -2006,6 +2021,7 @@ router.post('/:id/read', async (req: Request<{ id: string }>, res: Response) =>
 router.post('/:id/totp', async (req: Request<{ id: string }>, res: Response) => {
   try {
     const auth = req.auth!;
+    const originalCommand = readOriginalCommand(req);
     const credential = getCredential(req.params.id);
     if (!credential) {
@@ -2079,6 +2095,7 @@ router.post('/:id/totp', async (req: Request<{ id: string }>, res: Response) =>
         flowSummary: 'This approval grants a one-shot scoped TOTP token (maxReads=1, short TTL).',
         finalStep: 'Retry the original TOTP request after claim succeeds.',
         retryBehavior: 'Retrying before claim completion will return another approval-required response.',
+        originalCommand,
         metadata: {
           policyContext: {
             readScopes: auth.token.credentialAccess?.read || [],
@@ -2149,6 +2166,7 @@ router.post('/:id/totp', async (req: Request<{ id: string }>, res: Response) =>
         flowSummary: 'This approval grants a one-shot scoped TOTP token (maxReads=1, short TTL).',
         finalStep: 'Retry the original TOTP request after claim succeeds.',
         retryBehavior: 'Retrying before claim completion will return another approval-required response.',
+        originalCommand,
       });
       await respondPermissionDenied({
         req,

package/src/server/tests/cli/agent-auth.test.ts CHANGED Viewed

@@ -205,7 +205,7 @@ describe('agent CLI auth behavior', () => {
   });
   it('list supports --agent filter by name or id', async () => {
-    mocks.bootstrapViaSocket.mockResolvedValueOnce('socket-token');
+    mocks.bootstrapViaSocket.mockResolvedValue('socket-token');
     vi.spyOn(globalThis, 'fetch').mockImplementation(async (input: RequestInfo | URL, init?: RequestInit) => {
       const url = new URL(typeof input === 'string' ? input : input instanceof URL ? input.toString() : input.url);
@@ -644,6 +644,7 @@ describe('agent CLI auth behavior', () => {
     const claimExit = await runAuthCli(['claim', 'req-admin-cli', '--json']);
     expect(claimExit).toBe(0);
+    process.env.AURA_TOKEN = 'session-admin-token';
     const firstReadExit = await runAgentCli(['get', 'github', '--reqId', 'req-admin-cli']);
     expect(firstReadExit).toBe(0);
@@ -661,6 +662,7 @@ describe('agent CLI auth behavior', () => {
     const reqId = 'req-e2e-cli-claim';
     const secret = 'req-e2e-cli-secret';
     let oneShotReads = 0;
+    let originalCommandHeader = '';
     vi.spyOn(globalThis, 'fetch').mockImplementation(async (input: RequestInfo | URL, init?: RequestInit) => {
       const url = new URL(typeof input === 'string' ? input : input instanceof URL ? input.toString() : input.url);
@@ -694,6 +696,7 @@ describe('agent CLI auth behavior', () => {
       if (url.pathname === '/credentials/cred-github/read' && method === 'POST') {
         const headers = init?.headers as Record<string, string>;
         if (headers.Authorization === 'Bearer read-token') {
+          originalCommandHeader = headers['X-Aura-Original-Command'] || headers['x-aura-original-command'] || '';
           return new Response(JSON.stringify({
             contractVersion: 'v1',
             error: 'Excluded credential fields require human approval',
@@ -733,6 +736,7 @@ describe('agent CLI auth behavior', () => {
           status: 'approved',
           encryptedToken: 'one-shot-token',
           ttl: 60,
+          retryCommand: `npx auramaxx get github --json --reqId ${reqId}`,
         }), { status: 200, headers: { 'Content-Type': 'application/json' } });
       }
@@ -786,6 +790,8 @@ describe('agent CLI auth behavior', () => {
     const claimPayload = readJsonPayload(claimed);
     expect(claimPayload.claimStatus).toBe('approved');
     expect(claimPayload.retryReady).toBe(true);
+    expect(claimPayload.retryCommand).toBe(`npx auramaxx get github --json --reqId ${reqId}`);
+    expect(originalCommandHeader).toBe('npx auramaxx get github --json');
     const retried = await runWithCapture(() => runAgentCli(['get', 'github', '--reqId', reqId, '--json']));
     expect(retried.exitCode).toBe(0);
@@ -1282,8 +1288,9 @@ describe('agent CLI auth behavior', () => {
     expect(payload.retryReady).toBe(false);
   });
-  it('expired one-shot reqId fails deterministically and never falls back to session token', async () => {
+  it('expired one-shot reqId fails deterministically and does not continue to read', async () => {
     process.env.WALLET_DATA_DIR = fs.mkdtempSync(path.join(os.tmpdir(), 'auramaxx-agent-auth-'));
+    process.env.AURA_TOKEN = 'env-token';
     putClaimedToken({
       reqId: 'req-expired-oneshot',
       token: 'claimed-one-shot',
@@ -1292,11 +1299,6 @@ describe('agent CLI auth behavior', () => {
       credentialId: 'cred-github',
       credentialName: 'github',
     });
-    putActiveSessionToken({
-      token: 'session-fallback-token',
-      privateKeyPem: 'mock-private-key',
-      ttlSeconds: 120,
-    });
     const realNow = Date.now();
     const nowSpy = vi.spyOn(Date, 'now').mockReturnValue(realNow + 121_000);
@@ -1305,13 +1307,6 @@ describe('agent CLI auth behavior', () => {
       const url = new URL(typeof input === 'string' ? input : input instanceof URL ? input.toString() : input.url);
       const method = init?.method || 'GET';
-      if (url.pathname === '/auth/validate' && method === 'POST') {
-        return new Response(JSON.stringify({ valid: true }), {
-          status: 200,
-          headers: { 'Content-Type': 'application/json' },
-        });
-      }
       if (url.pathname === '/credentials' && method === 'GET' && url.searchParams.get('q') === 'github') {
         return new Response(JSON.stringify({
           credentials: [{
@@ -1391,28 +1386,23 @@ describe('agent CLI auth behavior', () => {
     expect(logSpy).toHaveBeenCalledWith('No credentials found.');
   });
-  it('uses stored session token when available and valid', async () => {
+  it('ignores stored session token and uses /auth fallback when socket bootstrap fails', async () => {
     process.env.WALLET_DATA_DIR = fs.mkdtempSync(path.join(os.tmpdir(), 'auramaxx-agent-auth-'));
     putActiveSessionToken({
       token: 'stored-session-token',
       privateKeyPem: 'mock-private-key',
       ttlSeconds: 120,
     });
+    mocks.bootstrapViaSocket.mockRejectedValueOnce(new Error('Cannot connect to AuraMaxx: connect ENOENT /tmp/aura-cli.sock'));
+    mocks.bootstrapViaAuthRequest.mockResolvedValueOnce('fallback-token');
     const fetchSpy = vi.spyOn(globalThis, 'fetch').mockImplementation(async (input: RequestInfo | URL, init?: RequestInit) => {
       const url = new URL(typeof input === 'string' ? input : input instanceof URL ? input.toString() : input.url);
       const method = init?.method || 'GET';
-      if (url.pathname === '/auth/validate' && method === 'POST') {
-        return new Response(JSON.stringify({ valid: true }), {
-          status: 200,
-          headers: { 'Content-Type': 'application/json' },
-        });
-      }
       if (url.pathname === '/credentials' && method === 'GET') {
         const headers = init?.headers as Record<string, string>;
-        expect(headers.Authorization).toBe('Bearer stored-session-token');
+        expect(headers.Authorization).toBe('Bearer fallback-token');
         return new Response(JSON.stringify({ credentials: [] }), {
           status: 200,
           headers: { 'Content-Type': 'application/json' },
@@ -1426,18 +1416,15 @@ describe('agent CLI auth behavior', () => {
     const exitCode = await runAgentCli(['list']);
     expect(exitCode).toBe(0);
-    expect(mocks.bootstrapViaSocket).not.toHaveBeenCalled();
-    expect(fetchSpy.mock.calls.some(([input]) => String(input).endsWith('/auth/validate'))).toBe(true);
+    expect(mocks.bootstrapViaSocket).toHaveBeenCalledTimes(1);
+    expect(mocks.bootstrapViaAuthRequest).toHaveBeenCalledTimes(1);
+    expect(fetchSpy.mock.calls.some(([input]) => String(input).includes('/auth/validate'))).toBe(false);
     expect(logSpy).toHaveBeenCalledWith('No credentials found.');
   });
-  it('uses delegated read key for stored-session reads when read token issuance succeeds', async () => {
-    process.env.WALLET_DATA_DIR = fs.mkdtempSync(path.join(os.tmpdir(), 'auramaxx-agent-auth-'));
-    putActiveSessionToken({
-      token: 'stored-session-token',
-      privateKeyPem: 'stored-session-private-key',
-      ttlSeconds: 120,
-    });
+  it('uses delegated read key for /auth fallback tokens when read token issuance succeeds', async () => {
+    mocks.bootstrapViaSocket.mockRejectedValueOnce(new Error('Cannot connect to AuraMaxx: connect ENOENT /tmp/aura-cli.sock'));
+    mocks.bootstrapViaAuthRequest.mockResolvedValueOnce('fallback-auth-token');
     mocks.generateEphemeralKeypair.mockReturnValueOnce({
       publicKeyPem: 'ephemeral-public-key',
       privateKeyPem: 'ephemeral-private-key',
@@ -1453,13 +1440,6 @@ describe('agent CLI auth behavior', () => {
       const url = new URL(typeof input === 'string' ? input : input instanceof URL ? input.toString() : input.url);
       const method = init?.method || 'GET';
-      if (url.pathname === '/auth/validate' && method === 'POST') {
-        return new Response(JSON.stringify({ valid: true }), {
-          status: 200,
-          headers: { 'Content-Type': 'application/json' },
-        });
-      }
       if (url.pathname === '/credentials' && method === 'GET' && url.searchParams.get('q') === 'github') {
         return new Response(JSON.stringify({
           credentials: [{
@@ -1506,6 +1486,7 @@ describe('agent CLI auth behavior', () => {
     expect(exitCode).toBe(0);
     expect(mocks.createReadToken).toHaveBeenCalledTimes(1);
+    expect(mocks.createReadToken.mock.calls[0]?.[1]).toBe('fallback-auth-token');
     expect(logSpy).toHaveBeenCalledWith('enc(gh-secret)');
   });
 });

package/src/server/tests/cli/agent.test.ts CHANGED Viewed

@@ -56,6 +56,24 @@ describe('agent CLI', () => {
       expect(result.positional).toEqual(['aws']);
     });
+    it('parses get with --req-id alias', () => {
+      const result = parseArgs(['get', 'aws', '--req-id', 'req-123']);
+      expect(result.reqId).toBe('req-123');
+      expect(result.positional).toEqual(['aws']);
+    });
+    it('parses get with --requestId alias', () => {
+      const result = parseArgs(['get', 'aws', '--requestId', 'req-123']);
+      expect(result.reqId).toBe('req-123');
+      expect(result.positional).toEqual(['aws']);
+    });
+    it('parses get with --request-id alias', () => {
+      const result = parseArgs(['get', 'aws', '--request-id', 'req-123']);
+      expect(result.reqId).toBe('req-123');
+      expect(result.positional).toEqual(['aws']);
+    });
     it('parses list', () => {
       const result = parseArgs(['list']);
       expect(result.subcommand).toBe('list');

package/src/server/tests/cli/auth-action-flag.test.ts CHANGED Viewed

@@ -94,9 +94,10 @@ describe('CLI auth --action flag parsing', () => {
       expect(parsed.noWait).toBe(true);
     });
-    it('defaults profile to dev when --profile is omitted', () => {
+    it('leaves profile/version unset when omitted (resolved later from defaults)', () => {
       const parsed = parseRequestFlags(['--agent-id', 'test-cli']);
-      expect(parsed.profile).toBe('dev');
+      expect(parsed.profile).toBeUndefined();
+      expect(parsed.profileVersion).toBeUndefined();
     });
     it('supports explicit --wait legacy mode', () => {

package/src/server/tests/cli/bin-entrypoint.test.ts CHANGED Viewed

@@ -23,7 +23,6 @@ describe('bin entrypoint', () => {
           AURA_UPDATE_CHECK_MOCK_LATEST: 'v9.9.9',
           AURA_UPDATE_CHECK_FORCE: '1',
           AURA_AUTO_ALIAS_INSTALL: '0',
-          AURA_AUTO_MCP_INSTALL: '0',
           AURA_FORCE_NODE_TSX: '1',
           AURA_TOKEN: 'test-token',
           WALLET_SERVER_URL: 'http://127.0.0.1:9',
@@ -43,7 +42,6 @@ describe('bin entrypoint', () => {
       env: {
         ...process.env,
         AURA_AUTO_ALIAS_INSTALL: '0',
-        AURA_AUTO_MCP_INSTALL: '0',
         AURA_FORCE_NODE_TSX: '1',
         AURA_TOKEN: 'test-token',
         WALLET_SERVER_URL: 'http://127.0.0.1:9',
@@ -63,7 +61,6 @@ describe('bin entrypoint', () => {
       env: {
         ...process.env,
         AURA_AUTO_ALIAS_INSTALL: '0',
-        AURA_AUTO_MCP_INSTALL: '0',
         AURA_FORCE_NODE_TSX: '1',
         AURA_TOKEN: 'test-token',
         WALLET_SERVER_URL: 'http://127.0.0.1:9',
@@ -83,7 +80,6 @@ describe('bin entrypoint', () => {
       env: {
         ...process.env,
         AURA_AUTO_ALIAS_INSTALL: '0',
-        AURA_AUTO_MCP_INSTALL: '0',
         AURA_FORCE_NODE_TSX: '1',
         AURA_TOKEN: 'test-token',
         WALLET_SERVER_URL: 'http://127.0.0.1:9',
@@ -103,7 +99,6 @@ describe('bin entrypoint', () => {
       env: {
         ...process.env,
         AURA_AUTO_ALIAS_INSTALL: '0',
-        AURA_AUTO_MCP_INSTALL: '0',
         AURA_FORCE_NODE_TSX: '1',
         AURA_TOKEN: 'test-token',
         WALLET_SERVER_URL: 'http://127.0.0.1:9',
@@ -123,7 +118,6 @@ describe('bin entrypoint', () => {
       env: {
         ...process.env,
         AURA_AUTO_ALIAS_INSTALL: '0',
-        AURA_AUTO_MCP_INSTALL: '0',
         AURA_FORCE_NODE_TSX: '1',
         AURA_NO_UPDATE_CHECK: '1',
       },
@@ -150,7 +144,6 @@ describe('bin entrypoint', () => {
           SHELL: '/bin/zsh',
           PATH: tempBin,
           AURA_AUTO_ALIAS_INSTALL_FORCE: '1',
-          AURA_AUTO_MCP_INSTALL: '0',
           AURA_FORCE_NODE_TSX: '1',
           AURA_NO_UPDATE_CHECK: '1',
           WALLET_SERVER_URL: 'http://127.0.0.1:9',
@@ -194,7 +187,6 @@ describe('bin entrypoint', () => {
           SHELL: '/bin/zsh',
           PATH: tempBin,
           AURA_AUTO_ALIAS_INSTALL_FORCE: '1',
-          AURA_AUTO_MCP_INSTALL: '0',
           AURA_FORCE_NODE_TSX: '1',
           AURA_NO_UPDATE_CHECK: '1',
           WALLET_SERVER_URL: 'http://127.0.0.1:9',
@@ -220,7 +212,6 @@ describe('bin entrypoint', () => {
       env: {
         ...process.env,
         AURA_AUTO_ALIAS_INSTALL: '0',
-        AURA_AUTO_MCP_INSTALL: '0',
         AURA_NO_UPDATE_CHECK: '1',
         NO_COLOR: '1',
       },
@@ -263,7 +254,6 @@ describe('bin entrypoint', () => {
       env: {
         ...process.env,
         AURA_AUTO_ALIAS_INSTALL: '0',
-        AURA_AUTO_MCP_INSTALL: '0',
         AURA_NO_UPDATE_CHECK: '1',
         NO_COLOR: '1',
       },
@@ -296,6 +286,38 @@ describe('bin entrypoint', () => {
           ...process.env,
           WALLET_DATA_DIR: tempData,
           AURA_AUTO_ALIAS_INSTALL: '0',
+          AURA_FORCE_NODE_TSX: '1',
+          AURA_NO_UPDATE_CHECK: '1',
+        },
+        encoding: 'utf8',
+      });
+      const combinedOutput = `${result.stdout}\n${result.stderr}`;
+      expect(result.status).toBe(0);
+      expect(combinedOutput).toContain('npx auramaxx start [options]');
+      expect(combinedOutput).not.toContain('Unknown command: --debug');
+    } finally {
+      fs.rmSync(tempData, { recursive: true, force: true });
+    }
+  });
+  it('ignores env toggles and auto-runs skill/mcp setup on explicit start', () => {
+    const tempHome = fs.mkdtempSync(path.join(os.tmpdir(), 'auramaxx-start-autoinstall-'));
+    const tempData = fs.mkdtempSync(path.join(os.tmpdir(), 'auramaxx-start-autoinstall-data-'));
+    try {
+      fs.writeFileSync(path.join(tempData, 'auramaxx.db'), '');
+      fs.writeFileSync(path.join(tempData, 'agent-primary.json'), '{}');
+      const result = spawnSync(process.execPath, [binPath, 'start', '--help'], {
+        cwd: projectRoot,
+        env: {
+          ...process.env,
+          HOME: tempHome,
+          CODEX_HOME: path.join(tempHome, '.codex'),
+          CLAUDE_HOME: path.join(tempHome, '.claude'),
+          OPENCLAW_HOME: path.join(tempHome, '.openclaw'),
+          WALLET_DATA_DIR: tempData,
+          AURA_AUTO_ALIAS_INSTALL: '0',
           AURA_AUTO_SKILL_INSTALL: '0',
           AURA_AUTO_MCP_INSTALL: '0',
           AURA_FORCE_NODE_TSX: '1',
@@ -306,9 +328,11 @@ describe('bin entrypoint', () => {
       const combinedOutput = `${result.stdout}\n${result.stderr}`;
       expect(result.status).toBe(0);
+      expect(combinedOutput).toContain('Skills… ✓');
+      expect(combinedOutput).toContain('MCP… ✓');
       expect(combinedOutput).toContain('npx auramaxx start [options]');
-      expect(combinedOutput).not.toContain('Unknown command: --debug');
     } finally {
+      fs.rmSync(tempHome, { recursive: true, force: true });
       fs.rmSync(tempData, { recursive: true, force: true });
     }
   });

package/src/server/tests/cli/escalation.test.ts CHANGED Viewed

@@ -56,6 +56,8 @@ describe('cli escalation guidance', () => {
       approveUrl: 'http://localhost:4747/approve/req-123',
       approvalScope: 'one_shot_read',
       error: 'Excluded field requires approval',
+    }, {
+      retryCommandTemplate: 'npx auramaxx get OURSECRET',
     });
     expect(handled).toBe(true);
@@ -69,12 +71,12 @@ describe('cli escalation guidance', () => {
     };
     expect(payload.reqId).toBe('req-123');
     expect(payload.claimAction?.command).toBe('npx auramaxx auth claim req-123 --json');
-    expect(payload.retryAction?.command).toBe('<retry_original_command> --reqId req-123');
+    expect(payload.retryAction?.command).toBe('npx auramaxx get OURSECRET --reqId req-123');
     expect(payload.claimStatus).toBe('pending');
     expect(payload.retryReady).toBe(false);
     expect(payload.instructions?.[0]).toContain('approve');
     expect(payload.instructions?.[1]).toContain('Claim');
-    expect(payload.instructions?.[2]).toContain('Retry');
+    expect(payload.instructions?.[2]).toContain('exact command');
     errorSpy.mockRestore();
   });
@@ -119,6 +121,8 @@ describe('cli escalation guidance', () => {
       reqId: 'req-456',
       claimStatus: 'expired',
       retryReady: false,
+    }, {
+      retryCommandTemplate: 'npx auramaxx get OURSECRET --json',
     });
     expect(handled).toBe(true);
@@ -128,7 +132,7 @@ describe('cli escalation guidance', () => {
       instructions?: string[];
     };
     expect(payload.claimAction?.command).toBe('npx auramaxx auth claim req-456 --json');
-    expect(payload.retryAction?.command).toBe('<retry_original_command> --reqId req-456');
+    expect(payload.retryAction?.command).toBe('npx auramaxx get OURSECRET --json --reqId req-456');
     expect(payload.instructions?.length).toBeGreaterThan(0);
     errorSpy.mockRestore();

package/src/server/tests/cli/process.test.ts CHANGED Viewed

@@ -223,7 +223,7 @@ describe('process management (mocked)', () => {
       startServer({ headless: false });
       expect(mockedExecSync).toHaveBeenCalledWith(
-        'npx next build',
+        'npm run build',
         expect.objectContaining({
           cwd: expect.any(String),
           stdio: 'ignore',
@@ -244,7 +244,7 @@ describe('process management (mocked)', () => {
       let buildRecovered = false;
       const buildIdSuffix = `${path.sep}.next${path.sep}BUILD_ID`;
       mockedExecSync.mockImplementation((command: unknown) => {
-        if (String(command) === 'npx next build') {
+        if (String(command) === 'npm run build') {
           buildRecovered = true;
         }
         return Buffer.from('');
@@ -258,7 +258,7 @@ describe('process management (mocked)', () => {
       startServer({ headless: false });
       expect(mockedExecSync).toHaveBeenCalledWith(
-        'npx next build',
+        'npm run build',
         expect.objectContaining({
           cwd: expect.any(String),
           stdio: 'ignore',