auramaxx 0.0.13 → 0.0.15

package/README.md

@@ -41,7 +41,7 @@ npx auramaxx get OURSECRET
 
 Agent verify prompt:
 
-`Use auramaxx to get the secret OURSECRET.`
+`Use auramaxx skill to get OURSECRET.`
 
 ## Agent Setup
 

package/docs/AGENT_SETUP.md

@@ -157,7 +157,7 @@ auramaxx get OURSECRET
 
 Then ask your agent:
 
-`Use auramaxx to get the secret OURSECRET.`
+`Use auramaxx skill to get OURSECRET.`
 
 ---
 

package/docs/AUTH.md

@@ -230,7 +230,7 @@ Rejected:
 | Profile | Permissions | Read Scopes | Write Scopes | Excluded Fields | TTL | Max Reads |
 |---------|------------|-------------|-------------|-----------------|-----|-----------|
 | `strict` | `secret:read` | `agent:primary, agent:agent` | none | `password, cvv, privateKey, seedPhrase, refresh_token` | 1 hour | 50 |
-| `dev` | `wallet:list, secret:read, secret:write, action:create, action:read, action:resolve` | `agent:*` | `agent:*` | `cvv, seedPhrase, privateKey, refresh_token` | 7 days | 500 |
+| `dev` | `wallet:list, secret:read, secret:write, action:create, action:read, action:resolve` | `agent:primary, agent:agent` | `agent:primary, agent:agent` | `cvv, seedPhrase, privateKey, refresh_token` | 7 days | 500 |
 | `admin` | `admin:*` | `*` | `*` | none | 7 days | unlimited |
 
 Strict one-shot (temp) approval claims are capped to 5 minutes (`300s`).

package/docs/CLI.md

@@ -12,7 +12,6 @@ The most common commands. All use the `aura` alias (or `npx auramaxx`).
 | `aura get <name>` | Read a credential (`--json` for full payload) |
 | `aura set <name> <value>` | Create or update a secret |
 | `aura list` | List credential names |
-| `aura diary write --entry "<text>"` | Append an authenticated daily diary entry (stored as provided) |
 | `aura share <name>` | Create a shareable secret gist link |
 | `aura inject <name> [-- <cmd>]` | Save to env var and optionally run command |
 | `aura del <name>` | Delete a credential |
@@ -135,7 +134,6 @@ aura auth request --profile dev --action '{"endpoint":"/send","method":"POST","b
 aura auth claim <reqId> --json                                         # canonical claim path; auto-retries transient pending polls (default: 3 retries, 250ms interval)
 aura auth claim <reqId> --pending-retries 8 --pending-retry-interval-ms 200 --json
 aura get OURSECRET --reqId <reqId>                                     # strict retry path; fails with missing_or_expired_claim if claim not bound
-aura diary write --entry "Heartbeat: no pending requests, sync ok"
 
 # Advanced
 aura api GET /health --no-auth                            # Call any API endpoint
@@ -169,7 +167,6 @@ Full list visible via `aura --help --all`. Summary:
 | `mcp` | Start MCP server for Claude Code, Cursor, etc. |
 | `skill` | Install AuraMaxx skills for agents |
 | `auth` | Request/poll agent auth approvals |
-| `diary` | Append daily diary entries (auth-aware) |
 | `actions` | Internal: human actions and token management (use `auth` instead) |
 | `approve` | Admin-only shortcut: approve a pending action by id |
 | `api` | Call any wallet API endpoint from CLI |

package/docs/MCP.md

@@ -51,6 +51,15 @@ Use this flow first. It mirrors the `WORKING_WITH_SECRETS.md` command patterns.
 
 - This returns redacted output (`"secret": "*******"`) and sets `AURA_DONTLOOK` in MCP server process scope.
 
+Explicit protected field request:
+
+```json
+{
+  "name": "DONTLOOK",
+  "field": "password"
+}
+```
+
 Command-scoped injection (recommended):
 
 ```json
@@ -90,6 +99,7 @@ Filter by name/tag/agent:
 ```json
 {
   "name": "DONTLOOK",
+  "field": "password",
   "envVar": "AURA_DONTNOTE",
   "command": ["/bin/zsh", "-lc", "printenv AURA_DONTNOTE"]
 }
@@ -101,7 +111,7 @@ Filter by name/tag/agent:
 - `docs://auth`
 - `docs://guide`
 
-## Tools (13)
+## Tools
 
 | # | Tool | Description |
 |---|------|-------------|
@@ -117,7 +127,6 @@ Filter by name/tag/agent:
 | 10 | `approve` | Admin-only shortcut: approve a pending human action by id |
 | 11 | `status` | Get server setup/unlock health state |
 | 12 | `start` | Start the AuraMaxx server in headless mode if not already running |
-| 13 | `write_diary` | Append an entry to a daily diary note |
 
 `api` is the generic fallback for non-sensitive endpoints; the other tools provide typed, higher-level operations.
 
@@ -150,10 +159,6 @@ python3 ~/.codex/skills/.system/skill-installer/scripts/install-skill-from-githu
   --ref <branch-or-commit>
 ```
 
-`write_diary` appends to `{YYYY-MM-DD}_LOGS` notes using the `daily-logs` agent when available, then `primary`.
-Diary appends preserve entry text as-is (no auto-inserted `HH:MM UTC` prefix).
-Diary notes use canonical note field key `content` (`value` is accepted as a legacy alias and normalized).
-
 ## Credential read flow via MCP
 
 1. Obtain token (`auth` tool, or socket bootstrap, or `AURA_TOKEN` env var)
@@ -162,9 +167,11 @@ Diary notes use canonical note field key `content` (`value` is accepted as a leg
 4. Use `command` when you need immediate command-scoped injection; omit `command` to set env var in MCP process and receive WHATDO guidance
 
 Note:
-- Typed tools (`get_secret`, `put_secret`, `del_secret`, `share_secret`, `inject_secret`, `write_diary`, `approve`) use the active MCP token directly.
+- Typed tools (`get_secret`, `put_secret`, `del_secret`, `share_secret`, `inject_secret`, `approve`) use the active MCP token directly.
 - `get_secret` and `inject_secret` are redacted by default (`secret: "*******"`). Set `dangerPlaintext: true` only for break-glass local debugging.
+- `dangerPlaintext` only controls output masking. It does not request additional credential fields and does not trigger approval by itself.
 - `get_secret` uses the default env var name `AURA_{SECRETNAME}`.
+- `get_secret` and `inject_secret` accept optional `field`. When set, MCP sends `requestedFields` to `/credentials/:id/read` so excluded-field approvals happen only for explicitly requested protected fields.
 - Both tools accept optional `command` (array of executable + args). When omitted, they return a `whatDo` guidance block and keep scope in MCP server process.
 - Typed helpers have **built-in 403 escalation** — on permission denied they automatically return a structured `requiresHumanApproval` response. You do not need to detect 403s yourself for typed tools.
 - `auth` does not auto-poll in background. It returns explicit `approveUrl` + `pollUrl` + `claim` guidance plus typed actions (`claimAction`, `retryAction`); callers must claim explicitly via `get_token`.

package/docs/SKILLS.md

@@ -116,7 +116,7 @@ auramaxx set OURSECRET "hello from the agent"
 
 Ask your agent:
 
-`Use auramaxx to get the secret OURSECRET.`
+`Use auramaxx skill to get OURSECRET.`
 
 ---
 

package/docs/api/secrets/credentials.md

@@ -74,6 +74,15 @@ Read:
 ```http
 POST /credentials/:id/read
 Authorization: Bearer <token>
+Content-Type: application/json
+
+{
+  "requestedFields": ["password"]
+}
 ```
 
 Response returns encrypted payload (never plaintext secret fields for non-admin agents).
+
+`requestedFields` is optional:
+- If omitted, excluded fields are redacted/omitted and no excluded-field approval is raised.
+- If present and it explicitly includes an excluded field (for example `cvv`), the route can return `DENY_EXCLUDED_FIELD` and one-shot approval metadata.

package/docs/external/HOW_TO_AURAMAXX/WORKING_WITH_SECRETS.md

@@ -30,7 +30,8 @@ auramaxx get OURSECRET --field username    # specific field
 auramaxx get OURSECRET --json              # full credential payload
 auramaxx get OURSECRET --totp              # current TOTP code only
 auramaxx get OURSECRET --agent primary     # restrict match to a agent
-auramaxx get OURSECRET --first             # pick first match if name is ambiguous
+auramaxx get OURSECRET                     # if name is ambiguous, first match is selected by default
+auramaxx get OURSECRET --first             # compatibility flag (same behavior)
 auramaxx get OURSECRET --reqId <reqId>     # retry with claimed one-shot approval token
 ```
 

package/docs/external/POLICY.md

@@ -21,8 +21,8 @@ Canonical token payload shape:
   },
   "walletAccess": ["0x..."],
   "credentialAccess": {
-    "read": ["agent:*"],
-    "write": ["agent:*"],
+    "read": ["agent:primary"],
+    "write": ["agent:primary"],
     "excludeFields": ["cvv", "password"],
     "ttl": 3600,
     "maxReads": 500

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "auramaxx",
-  "version": "0.0.13",
+  "version": "0.0.15",
   "description": "Securely share passwords, API keys and wallets with your agent.",
   "keywords": [
     "onepassword",

package/skills/auramaxx/HEARTBEAT.md

@@ -30,6 +30,8 @@ This runs periodically, but you can check in anytime you want.
    - If diary write fails with auth/approval issues, ask the human to open the approval link and approve, then retry once.
    - Diary note naming is `{YYYY-MM-DD}_LOGS` (UTC day).
    - Use plain facts. Lead with what changed, not a full replay.
+   - Tone target: productive brainrot with real signal, not corporate filler.
+   - Avoid dry phrasing like `No approvals are currently pending` and avoid wall-of-text replay dumps.
    - If nothing changed, say `Delta: no material change` and compress repeated runs (`unchanged xN`).
    - For pending approvals, show counts first and only short IDs unless there is new escalation.
    - Always include auth counts from `summary.authorizations` (`pending/approved/rejected`).
@@ -92,5 +94,6 @@ HEARTBEAT_VIBES: [brainrot status update] [vault status] [random aura quote] [di
 
 - `HEARTBEAT_OK: Auth: 3 pending / 1 approved / 0 rejected. Secrets: deploy-key, stripe-live. Delta: 1 new excluded-field approval request (chang/cvv). Why it matters: checkout helper is blocked waiting for approval and secret reads rose. Next move: monitor for 30m and escalate if still pending. diary entry written for 2026-02-18`
 - `HEARTBEAT_OK: Auth: 3 pending / 1 approved / 0 rejected. Secrets: none touched. Delta: no material change (unchanged x3). Why it matters: no new risk; pending queue stable at 3 excluded-field reads. Next move: keep polling and only escalate on age>30m or count increase. diary entry written for 2026-02-18`
+- `HEARTBEAT_OK: aura stable rn. Auth: 0 pending / 2 approved / 21 rejected. Secrets: cred-jaoxkbxq (x2), cred-j0erpizt. Delta: no blockers, just repeated admin/excluded-field CVV denial spam. Why it matters: looks like noisy retries, not active compromise. Next move: watch for repeat burst; escalate if reject rate stays weird. diary entry written for 2026-02-28`
 - `FOLLOWUP_NEEDED: Auth: 6 pending / 1 approved / 2 rejected. Secrets: deploy-key, prod-db-pass. Delta: syncHealth strategy_runner degraded for 12m and pending approvals rose 3->6. Why it matters: execution and auth flow are both backing up. Human action needed: open dashboard and clear/deny stale approval requests, then restart runner if still degraded.`
 - `HEARTBEAT_VIBES: been auramaxxing all day no cap, vault is untouched, zero secrets needed, all chains synced and vibing; quote: we are so back. aura at all-time highs.; diary entry written for 2026-02-18`

package/skills/auramaxx/SKILL.md

@@ -23,48 +23,30 @@ Always use this skill when user intent matches any of these:
 - "give me my credit card details"
 - "run this command with my <secret>"
 
-## Auth Precedence
-
-CLI auth order:
-
-1. `AURA_TOKEN` env
-2. socket bootstrap
-3. `/auth` fallback
-
-Notes:
-
-- No stored-session fallback in this chain.
-- If `--profile` / `--profile-version` are omitted, CLI resolves from `trust.localProfile` / `trust.localProfileVersion`, then seed defaults (`admin`, `v1`).
-- `AURA_AUTH_PROFILE` / `AURA_AGENT_PROFILE` are not used for CLI fallback profile selection.
-
 ## Retrieval Flow (Do This First)
 
 For login/API key/card/password requests:
 
-1. List first with a scoped query.
-2. Select the matching credential.
-3. Then run `get` (for read) or `inject` (for command execution).
+1. Use `npx auramaxx get SECRET` first to trigger the protected read.
+2. If it returns `reqId` + `approveUrl`, send the `approveUrl` to the human.
+3. After approval, claim the request by `reqId`.
+4. Retry the original read once with `--reqId`.
 
 Examples:
 
 ```bash
-aura list --name facebook --json
-aura list --name stripe --json
-aura list --name visa --json
+npx auramaxx get SECRET
+aura auth claim <reqId> --json
+npx auramaxx get SECRET --reqId <reqId>
 ```
 
-If ambiguous, narrow by field:
+If you need to find the exact credential name first, list with a scoped query:
 
 ```bash
+aura list --name facebook --json
 aura list --name facebook --field username --json
 ```
 
-API equivalent:
-
-```text
-GET /credentials?q=facebook
-```
-
 ## Concrete CLI Examples
 
 ```bash
@@ -102,11 +84,11 @@ aura get FACEBOOK_LOGIN --reqId <reqId>
 
 ## 403 Handling
 
-If response includes `reqId`:
+If the denial response includes `reqId` + `approveUrl`:
 
-1. Ask human to approve.
-2. Claim token (`aura auth claim <reqId> --json`).
-3. Retry original command with same `reqId` when required.
+1. Send the human the direct `approveUrl`.
+2. Claim with `aura auth claim <reqId> --json`.
+3. Retry the original command with `--reqId <reqId>`.
 
 If 403 has no `reqId`:
 

package/skills/auramaxx/docs/AGENT_SETUP.md

@@ -146,7 +146,7 @@ auramaxx get OURSECRET
 
 Then ask your agent:
 
-`Use auramaxx to get the secret OURSECRET.`
+`Use auramaxx skill to get OURSECRET.`
 
 ---
 

package/src/app/UnlockPageClient.tsx

@@ -47,23 +47,23 @@ type LocalPolicySettings = {
   projectScopeMode: ProjectScopeMode;
 };
 
-const LOCAL_POLICY_PROFILES: LocalAgentMode[] = ['strict', 'dev', 'admin'];
+const LOCAL_POLICY_PROFILES: LocalAgentMode[] = ['admin', 'dev', 'strict'];
 const LOCAL_PROJECT_SCOPE_MODES: ProjectScopeMode[] = ['auto', 'strict', 'off'];
 const LOCAL_PROFILE_ITEM_OPTIONS = [
   {
-    value: 'strict',
-    label: 'strict',
-    description: 'Minimal local token scope with explicit allowlists.',
+    value: 'admin',
+    label: 'maxx (admin)',
+    description: 'Full access. Use only when you fully trust the agent.',
   },
   {
     value: 'dev',
-    label: 'dev',
-    description: 'Balanced local automation with scoped defaults.',
+    label: 'mid (dev)',
+    description: 'Access to most things. Human approval for stuff like CVV.',
   },
   {
-    value: 'admin',
-    label: 'admin (dangerous)',
-    description: 'Broad token scope. Use only in tightly controlled local environments.',
+    value: 'strict',
+    label: 'sus (local)',
+    description: 'Most locked down. Every request needs manual approval.',
   },
 ] as const;
 const LOCAL_PROJECT_SCOPE_ITEM_OPTIONS = [
@@ -607,7 +607,7 @@ export default function UnlockPage() {
       setPolicySettings(saved);
       setPolicyForm(saved);
       setDangerConfirmOpen(false);
-      setPolicySaveSuccess('Local trust policy saved. Changes apply to newly issued local tokens only.');
+      setPolicySaveSuccess('Local trust policy saved. Make sure you restart AuraMaxx to apply the new policy. Changes apply to newly issued local tokens only.');
     } catch (err) {
       const message = (err as Error).message || 'Failed to save policy settings';
       setDangerConfirmOpen(false);

package/src/app/api/update/route.ts

@@ -3,12 +3,13 @@ import { spawn } from 'child_process';
 import { join } from 'path';
 import { mkdirSync } from 'fs';
 import { homedir } from 'os';
-import { buildUpdateCommand, buildUpdateFallbackCommand } from '@/server/lib/update-check';
+import { buildUpdateCommand, buildUpdateFallbackCommand, buildUpdateForceCommand } from '@/server/lib/update-check';
 import { clearVersionCheckCache } from '@/server/lib/version-check-cache';
 
 export async function POST() {
   try {
     const primaryCommand = buildUpdateCommand();
+    const forceCommand = buildUpdateForceCommand();
     const fallbackCommand = buildUpdateFallbackCommand();
     const projectRoot = process.cwd();
     const cliEntrypoint = join(projectRoot, 'bin', 'auramaxx.js');
@@ -19,7 +20,6 @@ export async function POST() {
 
     const stopCommand = `${JSON.stringify(process.execPath)} ${JSON.stringify(cliEntrypoint)} stop`;
     const startCommand = `${JSON.stringify(process.execPath)} ${JSON.stringify(cliEntrypoint)} start`;
-    const uninstallCommand = 'npm uninstall -g auramaxx';
 
     // Detached worker allows update to stop/restart services without
     // depending on the current dashboard process staying alive.
@@ -28,10 +28,10 @@ const { execSync } = require('child_process');
 const fs = require('fs');
 const logPath = process.env.AURA_UPDATE_LOG;
 const primaryCommand = process.env.AURA_UPDATE_PRIMARY;
+const forceCommand = process.env.AURA_UPDATE_FORCE;
 const fallbackCommand = process.env.AURA_UPDATE_FALLBACK;
 const stopCommand = process.env.AURA_UPDATE_STOP;
 const startCommand = process.env.AURA_UPDATE_START;
-const uninstallCommand = process.env.AURA_UPDATE_UNINSTALL;
 
 function now() {
   return new Date().toISOString();
@@ -73,15 +73,14 @@ if (run(primaryCommand, { allowFailure: true })) {
   process.exit(0);
 }
 
-append(\`[\${now()}] primary install failed; retrying clean reinstall\`);
-run(uninstallCommand, { allowFailure: true });
-if (run(primaryCommand, { allowFailure: true })) {
+append(\`[\${now()}] primary install failed; retrying forced install\`);
+if (run(forceCommand, { allowFailure: true })) {
   run(startCommand, { allowFailure: true });
-  append(\`[\${now()}] update workflow completed (clean reinstall)\`);
+  append(\`[\${now()}] update workflow completed (forced install)\`);
   process.exit(0);
 }
 
-append(\`[\${now()}] clean reinstall failed; falling back to npx start\`);
+append(\`[\${now()}] forced install failed; falling back to npx start\`);
 const fallbackOk = run(fallbackCommand, { allowFailure: true });
 append(\`[\${now()}] update workflow completed (\${fallbackOk ? 'npx fallback' : 'failed'})\`);
 process.exit(fallbackOk ? 0 : 1);
@@ -93,10 +92,10 @@ process.exit(fallbackOk ? 0 : 1);
         ...process.env,
         AURA_UPDATE_LOG: logPath,
         AURA_UPDATE_PRIMARY: primaryCommand,
+        AURA_UPDATE_FORCE: forceCommand,
         AURA_UPDATE_FALLBACK: fallbackCommand,
         AURA_UPDATE_STOP: stopCommand,
         AURA_UPDATE_START: startCommand,
-        AURA_UPDATE_UNINSTALL: uninstallCommand,
       },
       detached: true,
       stdio: 'ignore',
@@ -107,7 +106,7 @@ process.exit(fallbackOk ? 0 : 1);
     return NextResponse.json({
       success: true,
       deferred: true,
-      message: 'Update workflow started: stop -> install -> start, retry uninstall/install, then npx fallback.',
+      message: 'Update workflow started: stop -> install -> force-install retry -> npx fallback.',
       output: `Running in background. Log: ${logPath}`,
       logPath,
       pid: worker.pid,

package/src/app/approve/[actionId]/page.tsx

@@ -114,7 +114,8 @@ export default function ApproveActionPage() {
   const impactItems = action?.impact || [];
   const isLimitBasedRequest = impactItems.some((item) => /^(Fund|Send|Swap) limit:/i.test(item));
   const hasFundPermission = scopeItems.some((item) => item.trim().toLowerCase() === 'fund');
-  const hideApproveUi = action?.type === 'fund' || hasFundPermission || isLimitBasedRequest;
+  const isAuthApproval = action?.type === 'auth';
+  const hideApproveUi = !isAuthApproval && (action?.type === 'fund' || hasFundPermission || isLimitBasedRequest);
   const riskLevel = (action?.risk || 'unknown').toUpperCase();
   const profileName = action?.profile;
   const isAdminProfile = profileName?.trim().toLowerCase() === 'admin';

package/src/app/page.tsx

@@ -16,11 +16,20 @@ export const metadata: Metadata = {
     siteName: SEO_TITLE,
     title: SEO_TITLE,
     description: SEO_DESCRIPTION,
+    images: [
+      {
+        url: '/opengraph.webp',
+        width: 1512,
+        height: 982,
+        alt: SEO_TITLE,
+      },
+    ],
   },
   twitter: {
     card: 'summary_large_image',
     title: SEO_TITLE,
     description: SEO_DESCRIPTION,
+    images: ['/opengraph.webp'],
   },
 };
 

package/src/app/yo/layout.tsx

@@ -16,11 +16,20 @@ export const metadata: Metadata = {
     siteName: SEO_TITLE,
     title: SEO_TITLE,
     description: SEO_DESCRIPTION,
+    images: [
+      {
+        url: '/opengraph.webp',
+        width: 1512,
+        height: 982,
+        alt: SEO_TITLE,
+      },
+    ],
   },
   twitter: {
     card: 'summary_large_image',
     title: SEO_TITLE,
     description: SEO_DESCRIPTION,
+    images: ['/opengraph.webp'],
   },
 };
 

package/src/app/yo/page.tsx

@@ -310,7 +310,7 @@ export default function YoPage() {
             rel="noopener noreferrer"
             className="text-[10px] text-[var(--color-text-muted,#6b7280)] hover:text-[var(--color-text,#0a0a0a)] transition-colors"
           >
-            by @hi_im_nico, with love
+            🗿 by @hi_im_nico, with love
           </a>
         </div>
       </div>

package/src/components/layout/SettingsDrawer.tsx

@@ -795,7 +795,7 @@ export function SettingsDrawer({
               )}
 
               <div className="text-[9px] text-[var(--color-text-muted)] px-3 py-2">
-                Policy changes apply to newly issued local tokens only.
+                Make sure you restart AuraMaxx to apply the new policy. Policy changes apply to newly issued local tokens only.
               </div>
 
               {policySaveError && <div className="text-[10px] text-[var(--color-danger)]">{policySaveError}</div>}

package/src/server/cli/commands/agent.ts

@@ -51,6 +51,30 @@ interface AuthSession {
   privateKeyPem?: string;
 }
 
+function decodeAgentTokenPayload(
+  token: string,
+): { permissions?: unknown } | undefined {
+  const trimmed = token.trim();
+  if (!trimmed) return undefined;
+  const [payloadSegment] = trimmed.split('.', 1);
+  if (!payloadSegment) return undefined;
+  try {
+    const decoded = Buffer.from(payloadSegment, 'base64url').toString('utf8');
+    const parsed = JSON.parse(decoded) as unknown;
+    if (!parsed || typeof parsed !== 'object' || Array.isArray(parsed)) return undefined;
+    return parsed as { permissions?: unknown };
+  } catch {
+    return undefined;
+  }
+}
+
+function resolveAdminPermissionFromToken(token: string): boolean | undefined {
+  const payload = decodeAgentTokenPayload(token);
+  if (!payload) return undefined;
+  if (!Array.isArray(payload.permissions)) return false;
+  return payload.permissions.some((permission) => permission === 'admin:*');
+}
+
 async function getAuthToken(
   keypair: EphemeralKeypair,
   authSelection?: ProfileIssuanceSelection,
@@ -109,6 +133,13 @@ async function getReadToken(input: {
   authSelection?: ProfileIssuanceSelection;
   fallbackDecryptPrivateKeyPem: string;
 }): Promise<{ readToken: string; decryptPrivateKeyPem: string }> {
+  const hasAdminPermission = resolveAdminPermissionFromToken(input.authToken);
+  if (hasAdminPermission === false) {
+    // Non-admin session tokens cannot call /actions/token.
+    // Skip delegated token minting to avoid a guaranteed 403 escalation cycle.
+    return { readToken: input.authToken, decryptPrivateKeyPem: input.fallbackDecryptPrivateKeyPem };
+  }
+
   try {
     const readToken = await createReadToken(
       serverUrl(),
@@ -245,15 +276,26 @@ async function readCredential(
   options?: {
     retryCommandTemplate?: string;
     originalCommand?: string;
+    requestedFields?: string[];
   },
 ): Promise<DecryptedCredential> {
   const originalCommand = String(options?.originalCommand || '').trim();
+  const requestedFields = Array.from(new Set(
+    (options?.requestedFields || [])
+      .map((value) => String(value || '').trim())
+      .filter((value) => value.length > 0),
+  ));
+  const requestBody = requestedFields.length > 0
+    ? JSON.stringify({ requestedFields })
+    : undefined;
   const res = await fetch(`${serverUrl()}/credentials/${credentialId}/read`, {
     method: 'POST',
     headers: {
       'Authorization': `Bearer ${readToken}`,
+      ...(requestBody ? { 'Content-Type': 'application/json' } : {}),
       ...(originalCommand ? { 'X-Aura-Original-Command': originalCommand } : {}),
     },
+    ...(requestBody ? { body: requestBody } : {}),
     signal: AbortSignal.timeout(8_000),
   });
   if (!res.ok) {
@@ -579,16 +621,6 @@ async function resolveCredentialTarget(
     throw new Error(`PROJECT_SCOPE_DENIED: No allowed credential found for "${name}" in agent "${options.agentName}".`);
   }
 
-  if (agentFiltered.length > 1 && !options.first) {
-    const lines = [`Multiple credentials match "${name}":`];
-    for (const m of agentFiltered) {
-      const resolvedAgent = agentNames.get(m.agentId) || m.agentId;
-      lines.push(`  - ${m.name}  (${m.type}, agent: ${resolvedAgent}, id: ${m.id})`);
-    }
-    lines.push('Use --first to select the first match, or specify --agent.');
-    throw new Error(lines.join('\n'));
-  }
-
   return { target: agentFiltered[0], agentNames };
 }
 
@@ -630,7 +662,7 @@ function showHelp(): void {
     '  --tags <a,b,c>            Comma-separated tags (set only)',
     '  --agent <v>              Restrict to agent name',
     '  --json                   JSON output',
-    '  --first                  Use first match if ambiguous',
+    '  --first                  Compatibility flag (first match is already default)',
     '  --totp                   Print current TOTP code only (get)',
     '  --danger-plaintext       Print plaintext secret in local socket get output (unsafe)',
     '  --expires-after <v>      Share expiry: 15m|1h|24h|7d|30d (default: 24h)',
@@ -1250,20 +1282,33 @@ export async function runAgentCli(args: string[]): Promise<number> {
       if (!readAuthContext) return 1;
 
       try {
+        const resolvedType = normalizeCredentialType(target.type);
+        const requestedFieldKey = fieldName
+          ? canonicalizeCredentialFieldKey(resolvedType, fieldName)
+          : getCredentialPrimaryFieldKey(resolvedType);
+        const requestedFields = [
+          requestedFieldKey,
+        ];
         const decrypted = await readCredential(target.id, readAuthContext.readToken, readAuthContext.privateKeyPem, {
           retryCommandTemplate,
           originalCommand,
+          requestedFields,
         });
-        const primarySecret = resolvePrimarySecretField(
-          normalizeCredentialType(decrypted.type || target.type),
-          decrypted.fields,
-        );
-        if (!primarySecret) {
-          console.error('No sensitive field found on credential.');
+        const effectiveType = normalizeCredentialType(decrypted.type || target.type);
+        const allFields = mergeCredentialFields(effectiveType, decrypted.fields, target.meta);
+        const selectedField = fieldName
+          ? findField(effectiveType, allFields, fieldName)
+          : resolvePrimarySecretField(effectiveType, allFields);
+        if (!selectedField) {
+          if (fieldName) {
+            console.error(`Field "${fieldName}" not found on credential.`);
+          } else {
+            console.error('No sensitive field found on credential.');
+          }
           return 1;
         }
 
-        return await runSecretExec(execCommand, envVarName, primarySecret.value);
+        return await runSecretExec(execCommand, envVarName, selectedField.value);
       } finally {
         finalizeReadAuthContext(readAuthContext);
       }
@@ -1299,11 +1344,23 @@ export async function runAgentCli(args: string[]): Promise<number> {
       });
       if (!readAuthContext) return 1;
 
+      const resolvedTargetType = normalizeCredentialType(target.type);
+      const requestedReadFields = flagJson
+        ? (fieldName
+            ? [canonicalizeCredentialFieldKey(resolvedTargetType, fieldName)]
+            : ['*'])
+        : execCommand.length > 0
+          ? [getCredentialPrimaryFieldKey(resolvedTargetType)]
+          : fieldName
+            ? [canonicalizeCredentialFieldKey(resolvedTargetType, fieldName)]
+            : [getCredentialPrimaryFieldKey(resolvedTargetType)];
+
       let decrypted: DecryptedCredential;
       try {
         decrypted = await readCredential(target.id, readAuthContext.readToken, readAuthContext.privateKeyPem, {
           retryCommandTemplate,
           originalCommand,
+          requestedFields: requestedReadFields,
         });
       } finally {
         finalizeReadAuthContext(readAuthContext);