auramaxx 1.0.0-alpha.4

package/src/lib/app-registry.ts

@@ -0,0 +1,178 @@
+import { ComponentType, lazy } from 'react';
+import type { AppColor } from '@/components/apps/DraggableApp';
+import type { LucideIcon } from 'lucide-react';
+import {
+  Wallet,
+  Key,
+  ScrollText,
+  Send,
+  Globe,
+  Box,
+  Coins,
+  Sparkles,
+  ArrowUpDown,
+} from 'lucide-react';
+
+export interface AppDefinition {
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  component: ComponentType<any>; // Allow any props since different apps have different needs
+  icon: LucideIcon;
+  color: AppColor;
+  defaultSize: { width: number; height: number };
+  title: string;
+  resizable?: boolean;
+  /** Set to true if this app needs special props from page.tsx instead of just config */
+  requiresSpecialProps?: boolean;
+  /**
+   * Singleton apps can only have one instance per workspace.
+   * Multi-instance apps (singleton: false) can be opened multiple times with different IDs.
+   * Default: true for built-in apps, false for iframe/installed
+   */
+  singleton?: boolean;
+  /** Short description for the app store */
+  description?: string;
+  /** Category for filtering in the app store */
+  category?: string;
+}
+
+// Cache for dynamically-created app definitions (installed:)
+// Without this, each call to getAppDefinition creates a new lazy() component,
+// causing React to remount the app on every render (e.g., during drag).
+const _definitionCache = new Map<string, AppDefinition>();
+
+// Built-in app types
+export const APP_TYPES: Record<string, AppDefinition> = {
+  logs: {
+    component: lazy(() => import('@/components/apps/LogsApp')),
+    icon: ScrollText,
+    color: 'gray',
+    defaultSize: { width: 600, height: 300 },
+    title: 'EVENT LOGS',
+    singleton: true,
+  },
+  send: {
+    component: lazy(() => import('@/components/apps/SendApp')),
+    icon: Send,
+    color: 'teal',
+    defaultSize: { width: 320, height: 280 },
+    title: 'SEND',
+    singleton: true,
+  },
+  agentKeys: {
+    component: lazy(() => import('@/components/apps/AgentKeysApp')),
+    icon: Key,
+    color: 'orange',
+    defaultSize: { width: 340, height: 400 },
+    title: 'AGENT KEYS',
+    singleton: true,
+  },
+  token: {
+    component: lazy(() => import('@/components/apps/TokenApp')),
+    icon: Coins,
+    color: 'lime',
+    defaultSize: { width: 380, height: 480 },
+    title: 'TOKEN',
+    singleton: false,
+    resizable: true,
+    description: 'View token market data and price chart',
+    category: 'info',
+  },
+  setup: {
+    component: lazy(() => import('@/components/apps/SetupWizardApp')),
+    icon: Sparkles,
+    color: 'blue',
+    defaultSize: { width: 420, height: 520 },
+    title: 'GETTING STARTED',
+    singleton: true,
+  },
+  transactions: {
+    component: lazy(() => import('@/components/apps/TransactionsApp')),
+    icon: ArrowUpDown,
+    color: 'teal',
+    defaultSize: { width: 520, height: 400 },
+    title: 'TRANSACTIONS',
+    singleton: true,
+    resizable: true,
+  },
+  // Multi-instance app types (can open multiple with different IDs)
+  walletDetail: {
+    component: lazy(() => import('@/components/apps/WalletDetailApp')),
+    icon: Wallet,
+    color: 'orange',
+    defaultSize: { width: 320, height: 380 },
+    title: 'WALLET',
+    resizable: true,
+    requiresSpecialProps: true,
+    singleton: false, // Can have multiple wallet detail apps open
+  },
+  iframe: {
+    component: lazy(() => import('@/components/apps/IFrameApp')),
+    icon: Globe,
+    color: 'blue',
+    defaultSize: { width: 400, height: 300 },
+    title: 'IFRAME',
+    resizable: true,
+    singleton: false,
+  },
+};
+
+/**
+ * Get app definition by type
+ * Supports:
+ * - Built-in types: 'wallets', 'logs', 'send', etc.
+ * - Installed (third-party) types: 'installed:app-id'
+ */
+export function getAppDefinition(appType: string): AppDefinition | null {
+  // Check if it's a built-in type
+  if (appType in APP_TYPES) {
+    return APP_TYPES[appType];
+  }
+
+  // Check cache for installed: types
+  if (_definitionCache.has(appType)) {
+    return _definitionCache.get(appType)!;
+  }
+
+  // Check if it's an installed (third-party) app
+  if (appType.startsWith('installed:')) {
+    const appId = appType.slice(10); // Remove 'installed:' prefix
+    const def: AppDefinition = {
+      component: lazy(() => import('@/components/apps/ThirdPartyApp')),
+      icon: Box,
+      color: 'gray',
+      defaultSize: { width: 320, height: 280 },
+      title: appId.toUpperCase(),
+      resizable: true,
+      singleton: false,
+      requiresSpecialProps: true,
+      category: 'installed',
+    };
+    _definitionCache.set(appType, def);
+    return def;
+  }
+
+  return null;
+}
+
+/**
+ * Check if a app type is singleton (only one instance per workspace)
+ */
+export function isSingletonApp(appType: string): boolean {
+  const def = getAppDefinition(appType);
+  // Default to true for unknown types (safer)
+  return def?.singleton ?? true;
+}
+
+/**
+ * Get all registered app types
+ */
+export function getRegisteredAppTypes(): string[] {
+  return Object.keys(APP_TYPES);
+}
+
+/**
+ * Check if a app type exists
+ */
+export function isValidAppType(appType: string): boolean {
+  return appType in APP_TYPES || appType.startsWith('installed:');
+}

package/src/lib/app-sdk.ts

@@ -0,0 +1,157 @@
+/**
+ * App SDK source code — injected into third-party app iframes.
+ * Provides the AuraApp API for communication with the host bridge.
+ *
+ * API:
+ *   app.send(message)              → Natural language message to agent (postMessage)
+ *   app.fetch(url, options)        → Proxy external HTTP request via server (direct fetch)
+ *   app.on(channel, callback)      → Subscribe to real-time data channels (postMessage)
+ *   app.storage.get(key)           → Read from persistent storage (direct fetch)
+ *   app.storage.set(key, value)    → Write to persistent storage (direct fetch)
+ *   app.storage.delete(key)        → Delete from persistent storage (direct fetch)
+ *
+ * Globals injected by host before this script runs:
+ *   window.__AURA_TOKEN__      — Bearer token for authenticated API calls
+ *   window.__AURA_API_BASE__   — Base URL for wallet API (e.g. http://127.0.0.1:4242)
+ *   window.__AURA_APP_ID__  — App folder name (used for scoped storage)
+ */
+
+export const APP_SDK_SOURCE = `
+(function() {
+  var _callbacks = {};
+  var _subscriptions = {};
+  var _requestId = 0;
+
+  var TOKEN = window.__AURA_TOKEN__ || '';
+  var API_BASE = window.__AURA_API_BASE__ || 'http://127.0.0.1:4242';
+  var APP_ID = window.__AURA_APP_ID__ || '';
+
+  function generateId() {
+    return 'req_' + (++_requestId) + '_' + Date.now();
+  }
+
+  function postToHost(msg) {
+    window.parent.postMessage(msg, '*');
+  }
+
+  function request(type, payload) {
+    return new Promise(function(resolve, reject) {
+      var id = generateId();
+      _callbacks[id] = { resolve: resolve, reject: reject };
+      postToHost({ type: type, id: id, payload: payload });
+      // Timeout after 30s
+      setTimeout(function() {
+        if (_callbacks[id]) {
+          delete _callbacks[id];
+          reject(new Error('Request timed out'));
+        }
+      }, 30000);
+    });
+  }
+
+  /** Direct fetch to wallet API with Bearer token */
+  function apiFetch(method, path, body) {
+    var opts = {
+      method: method,
+      headers: { 'Content-Type': 'application/json' }
+    };
+    if (TOKEN) {
+      opts.headers['Authorization'] = 'Bearer ' + TOKEN;
+    }
+    if (body !== undefined) {
+      opts.body = JSON.stringify(body);
+    }
+    return fetch(API_BASE + path, opts).then(function(res) {
+      return res.json().then(function(data) {
+        if (!res.ok) throw new Error(data.error || 'API error ' + res.status);
+        return data;
+      });
+    });
+  }
+
+  // Listen for messages from host bridge
+  window.addEventListener('message', function(event) {
+    var msg = event.data;
+    if (!msg || !msg.type) return;
+
+    // Response to a request
+    if (msg.type === 'app:response' && msg.id && _callbacks[msg.id]) {
+      var cb = _callbacks[msg.id];
+      delete _callbacks[msg.id];
+      if (msg.error) {
+        cb.reject(new Error(msg.error));
+      } else {
+        cb.resolve(msg.data);
+      }
+      return;
+    }
+
+    // Data push from subscribed channel
+    if (msg.type === 'app:data' && msg.channel && _subscriptions[msg.channel]) {
+      _subscriptions[msg.channel].forEach(function(fn) {
+        try { fn(msg.data); } catch(e) { console.error('Subscription callback error:', e); }
+      });
+    }
+  });
+
+  window.AuraApp = {
+    send: function(message) {
+      return apiFetch('POST', '/apps/' + APP_ID + '/message', { message: message })
+        .then(function(data) { return data.reply; });
+    },
+
+    on: function(channel, callback) {
+      if (!_subscriptions[channel]) {
+        _subscriptions[channel] = [];
+        postToHost({ type: 'app:subscribe', channel: channel });
+      }
+      _subscriptions[channel].push(callback);
+      // Return unsubscribe function
+      return function() {
+        var subs = _subscriptions[channel];
+        if (subs) {
+          var idx = subs.indexOf(callback);
+          if (idx !== -1) subs.splice(idx, 1);
+        }
+      };
+    },
+
+    fetch: function(url, options) {
+      return apiFetch('POST', '/apps/' + APP_ID + '/fetch', {
+        url: url,
+        method: (options && options.method) || 'GET',
+        headers: options && options.headers,
+        body: options && options.body
+      }).then(function(res) { return res.data; });
+    },
+
+    action: function(params) {
+      return apiFetch('POST', '/actions', params);
+    },
+
+    storage: {
+      get: function(key) {
+        return apiFetch('GET', '/apps/' + APP_ID + '/storage/' + encodeURIComponent(key))
+          .then(function(data) { return data.value; })
+          .catch(function(err) {
+            // 404 = key not found, return null
+            if (err.message && err.message.indexOf('not found') !== -1) return null;
+            throw err;
+          });
+      },
+      set: function(key, value) {
+        return apiFetch('PUT', '/apps/' + APP_ID + '/storage/' + encodeURIComponent(key), { value: value })
+          .then(function(data) { return data.value; });
+      },
+      delete: function(key) {
+        return apiFetch('DELETE', '/apps/' + APP_ID + '/storage/' + encodeURIComponent(key))
+          .then(function() { return true; })
+          .catch(function(err) {
+            if (err.message && err.message.indexOf('not found') !== -1) return false;
+            throw err;
+          });
+      }
+    }
+  };
+})();
+`;

package/src/lib/audit-console-adapter.ts

@@ -0,0 +1,151 @@
+export type UiDecision = 'ALLOW' | 'DENY' | 'RATE_LIMIT' | 'ERROR' | 'UNKNOWN';
+export type UiReasonCode =
+  | 'SCOPE_DENY'
+  | 'TOKEN_REVOKED'
+  | 'TOKEN_EXPIRED'
+  | 'RATE_LIMITED'
+  | 'MISSING_KEY'
+  | 'NOT_FOUND'
+  | 'INTERNAL_ERROR'
+  | 'UNKNOWN';
+
+export type AttributionConfidence = 'HIGH' | 'MEDIUM' | 'LOW';
+
+export interface UiAuditEvent {
+  id: string;
+  timestamp: number;
+  tokenKey: string;
+  tokenHash?: string;
+  agentId?: string;
+  endpoint?: string;
+  credentialKey?: string;
+  sourceVersion: 'legacy-logs-v1' | 'task40-audit-v1';
+  decision: UiDecision;
+  reasonCode: UiReasonCode;
+  rawDecision?: string;
+  rawReasonCode?: string;
+  confidence: AttributionConfidence;
+}
+
+const REASON_MAP: Record<string, UiReasonCode> = {
+  CREDENTIAL_SCOPE_DENIED: 'SCOPE_DENY',
+  TOKEN_PERMISSION_DENIED: 'SCOPE_DENY',
+  TOKEN_REVOKED: 'TOKEN_REVOKED',
+  TOKEN_EXPIRED: 'TOKEN_EXPIRED',
+  RATE_LIMIT: 'RATE_LIMITED',
+  RATE_LIMITED: 'RATE_LIMITED',
+  CREDENTIAL_NOT_FOUND: 'NOT_FOUND',
+  CREDENTIAL_TOTP_NOT_CONFIGURED: 'NOT_FOUND',
+  TOKEN_AGENT_PUBKEY_MISSING: 'MISSING_KEY',
+  INTERNAL_ERROR: 'INTERNAL_ERROR',
+  ALLOW: 'UNKNOWN',
+};
+
+function normalizeDecision(raw?: unknown, allowed?: boolean, httpStatus?: number): UiDecision {
+  const v = typeof raw === 'string' ? raw.trim().toUpperCase() : '';
+  if (v === 'ALLOW') return 'ALLOW';
+  if (v === 'DENY') return 'DENY';
+  if (v === 'RATE_LIMIT') return 'RATE_LIMIT';
+  if (v === 'ERROR') return 'ERROR';
+  if (allowed === true) return 'ALLOW';
+  if (allowed === false && (httpStatus ?? 0) === 429) return 'RATE_LIMIT';
+  if (allowed === false) return 'DENY';
+  if ((httpStatus ?? 0) >= 500) return 'ERROR';
+  return 'UNKNOWN';
+}
+
+function normalizeReasonCode(raw?: unknown): UiReasonCode {
+  const v = typeof raw === 'string' ? raw.trim().toUpperCase() : '';
+  return REASON_MAP[v] ?? 'UNKNOWN';
+}
+
+function confidenceFromRow(input: { tokenHash?: string | null; agentId?: string | null }): AttributionConfidence {
+  if (input.tokenHash) return 'HIGH';
+  if (input.agentId) return 'MEDIUM';
+  return 'LOW';
+}
+
+export function fromTask40Row(row: Record<string, unknown>): UiAuditEvent {
+  const rawDecision = typeof row.decision === 'string' ? row.decision : undefined;
+  const rawReasonCode = typeof row.reasonCode === 'string' ? row.reasonCode : undefined;
+  const tokenHash = typeof row.tokenHash === 'string' ? row.tokenHash : undefined;
+  const agentId = typeof row.agentId === 'string' ? row.agentId : undefined;
+  const timestampValue = row.timestamp;
+  const timestamp = new Date(typeof timestampValue === 'string' || typeof timestampValue === 'number' ? timestampValue : Date.now()).getTime();
+
+  return {
+    id: String(row.id ?? `${timestamp}-${tokenHash ?? agentId ?? 'unknown'}`),
+    timestamp,
+    tokenKey: tokenHash ?? agentId ?? 'unknown',
+    tokenHash,
+    agentId,
+    endpoint: typeof row.action === 'string' ? row.action : undefined,
+    credentialKey: typeof row.credentialId === 'string' ? row.credentialId : undefined,
+    sourceVersion: 'task40-audit-v1',
+    decision: normalizeDecision(rawDecision, row.allowed as boolean | undefined, row.httpStatus as number | undefined),
+    reasonCode: normalizeReasonCode(rawReasonCode),
+    rawDecision,
+    rawReasonCode,
+    confidence: confidenceFromRow({ tokenHash, agentId }),
+  };
+}
+
+export function fromLegacyLog(row: Record<string, unknown>): UiAuditEvent {
+  const data = (typeof row.data === 'object' && row.data !== null ? row.data : {}) as Record<string, unknown>;
+  const metadata = (typeof data.metadata === 'object' && data.metadata !== null ? data.metadata : {}) as Record<string, unknown>;
+  const rawDecision = typeof data.result === 'string' ? data.result : (typeof data.decision === 'string' ? data.decision : undefined);
+  const rawReasonCode = typeof data.reasonCode === 'string' ? data.reasonCode : (typeof data.reason === 'string' ? data.reason : undefined);
+  const tokenHash = typeof data.tokenHash === 'string' ? data.tokenHash : undefined;
+  const agentId = typeof data.agentId === 'string' ? data.agentId : undefined;
+  const timestampValue = row.timestamp;
+  const timestamp = new Date(typeof timestampValue === 'string' || typeof timestampValue === 'number' ? timestampValue : Date.now()).getTime();
+
+  return {
+    id: String(row.id ?? `${timestamp}-${tokenHash ?? agentId ?? 'unknown'}`),
+    timestamp,
+    tokenKey: tokenHash ?? agentId ?? 'unknown',
+    tokenHash,
+    agentId,
+    endpoint: typeof metadata.route === 'string' ? metadata.route : (typeof data.action === 'string' ? data.action : undefined),
+    credentialKey: typeof data.credentialId === 'string' ? data.credentialId : undefined,
+    sourceVersion: 'legacy-logs-v1',
+    decision: normalizeDecision(rawDecision, data.allowed as boolean | undefined, data.httpStatus as number | undefined),
+    reasonCode: normalizeReasonCode(rawReasonCode),
+    rawDecision,
+    rawReasonCode,
+    confidence: confidenceFromRow({ tokenHash, agentId }),
+  };
+}
+
+function dedupeKey(row: UiAuditEvent): string {
+  return `${row.timestamp}|${row.endpoint ?? ''}|${row.tokenKey}|${row.credentialKey ?? ''}|${row.decision}|${row.reasonCode}`;
+}
+
+function confidenceRank(confidence: AttributionConfidence): number {
+  if (confidence === 'HIGH') return 3;
+  if (confidence === 'MEDIUM') return 2;
+  return 1;
+}
+
+export function dedupeAuditEvents(rows: UiAuditEvent[]): UiAuditEvent[] {
+  const byKey = new Map<string, UiAuditEvent>();
+  for (const row of rows) {
+    const key = row.id || dedupeKey(row);
+    const existing = byKey.get(key);
+    if (!existing) {
+      byKey.set(key, row);
+      continue;
+    }
+
+    if (confidenceRank(row.confidence) > confidenceRank(existing.confidence)) {
+      byKey.set(key, row);
+      continue;
+    }
+
+    if (row.sourceVersion === 'task40-audit-v1' && existing.sourceVersion === 'legacy-logs-v1') {
+      byKey.set(key, row);
+    }
+  }
+
+  return Array.from(byKey.values()).sort((a, b) => b.timestamp - a.timestamp);
+}

package/src/lib/auth-client.ts

@@ -0,0 +1,75 @@
+/**
+ * Auth client for validating tokens from Next.js
+ * Calls the Express server's /auth/validate endpoint
+ */
+
+const WALLET_SERVER_URL = process.env.WALLET_SERVER_URL || 'http://localhost:4242';
+
+export interface TokenValidationResult {
+  valid: boolean;
+  isAdmin?: boolean;
+  tokenHash?: string;
+  payload?: {
+    agentId: string;
+    permissions: string[];
+    limits?: { fund?: number; send?: number; swap?: number };
+    walletAccess?: string[];
+    exp?: number;
+  };
+  error?: string;
+}
+
+/**
+ * Validate a token by calling the Express server
+ * @param token - The raw token string to validate
+ * @returns Token validation result with payload if valid
+ */
+export async function validateToken(token: string): Promise<TokenValidationResult> {
+  try {
+    const response = await fetch(`${WALLET_SERVER_URL}/auth/validate`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ token }),
+    });
+
+    if (!response.ok) {
+      return { valid: false, error: `Server error: ${response.status}` };
+    }
+
+    return await response.json();
+  } catch (error) {
+    return {
+      valid: false,
+      error: error instanceof Error ? error.message : 'Failed to validate token'
+    };
+  }
+}
+
+/**
+ * Check if a token has a specific permission
+ */
+export function hasPermission(result: TokenValidationResult, permission: string): boolean {
+  if (!result.valid || !result.payload) return false;
+  if (result.isAdmin) return true;
+  return result.payload.permissions.includes(permission);
+}
+
+/**
+ * Check if a token has any of the required permissions
+ */
+export function hasAnyPermission(result: TokenValidationResult, permissions: string[]): boolean {
+  if (!result.valid || !result.payload) return false;
+  if (result.isAdmin) return true;
+  return permissions.some(p => result.payload!.permissions.includes(p));
+}
+
+/**
+ * Extract token from Authorization header
+ */
+export function extractBearerToken(authHeader: string | null | undefined): string | null {
+  if (!authHeader || !authHeader.startsWith('Bearer ')) {
+    return null;
+  }
+  return authHeader.slice(7);
+}
+

package/src/lib/config.ts

@@ -0,0 +1,74 @@
+import fs from 'fs';
+import path from 'path';
+
+const DATA_DIR = path.join(process.cwd(), 'data');
+const CONFIG_PATH = path.join(DATA_DIR, 'config.json');
+
+export interface ChainConfig {
+  rpc: string;
+  chainId: number;
+  explorer: string;
+  nativeCurrency: string;
+}
+
+export interface WalletConfig {
+  chains: Record<string, ChainConfig>;
+  defaultChain: string;
+  server: {
+    port: number;
+    host: string;
+  };
+}
+
+const DEFAULT_CONFIG: WalletConfig = {
+  chains: {
+    base: {
+      rpc: 'https://mainnet.base.org',
+      chainId: 8453,
+      explorer: 'https://basescan.org',
+      nativeCurrency: 'ETH'
+    },
+    ethereum: {
+      rpc: 'https://eth.llamarpc.com',
+      chainId: 1,
+      explorer: 'https://etherscan.io',
+      nativeCurrency: 'ETH'
+    }
+  },
+  defaultChain: 'base',
+  server: {
+    port: 4747,
+    host: '127.0.0.1'
+  }
+};
+
+export function ensureDataDir(): void {
+  const dirs = [DATA_DIR, path.join(DATA_DIR, 'hot'), path.join(DATA_DIR, 'pending')];
+  dirs.forEach(dir => {
+    if (!fs.existsSync(dir)) {
+      fs.mkdirSync(dir, { recursive: true });
+    }
+  });
+}
+
+export function loadConfig(): WalletConfig {
+  ensureDataDir();
+  if (!fs.existsSync(CONFIG_PATH)) {
+    saveConfig(DEFAULT_CONFIG);
+    return DEFAULT_CONFIG;
+  }
+  const raw = fs.readFileSync(CONFIG_PATH, 'utf-8');
+  return { ...DEFAULT_CONFIG, ...JSON.parse(raw) };
+}
+
+export function saveConfig(config: WalletConfig): void {
+  ensureDataDir();
+  fs.writeFileSync(CONFIG_PATH, JSON.stringify(config, null, 2));
+}
+
+export const DATA_PATHS = {
+  config: CONFIG_PATH,
+  wallets: DATA_DIR,
+  hotWallets: path.join(DATA_DIR, 'hot'),
+  pending: path.join(DATA_DIR, 'pending')
+};