auramaxx 1.0.0-alpha.4

package/server/cli/commands/token.ts

@@ -0,0 +1,180 @@
+/**
+ * aurawallet token — Profile-first token tooling
+ *
+ * Usage:
+ *   npx aurawallet token preview --profile dev
+ *   npx aurawallet token preview --profile strict --profile-version v1 --json
+ *   npx aurawallet token preview --profile dev --overrides '{"ttlSeconds":900}'
+ *
+ * Auth:
+ *   Requires admin token in AURA_TOKEN (or --token <token>)
+ */
+
+import { fetchJson } from '../lib/http';
+import { getErrorMessage } from '../../lib/error';
+
+type Json = Record<string, unknown>;
+
+interface PolicyPreviewResponse {
+  version: string;
+  profile: { id: string; version: string; displayName?: string; rationale?: string };
+  request: {
+    profile: string;
+    profileVersion?: string;
+    profileOverrides?: Json;
+  };
+  effectivePolicy: {
+    permissions: string[];
+    credentialAccess: { read: string[]; write: string[] };
+    excludeFields: string[];
+    ttlSeconds: number;
+    maxReads: number | null;
+    rateBudget: {
+      state: 'none' | 'inherited' | 'explicit';
+      requests: number | null;
+      windowSeconds: number | null;
+      source: 'none' | 'profile' | 'override';
+    };
+  };
+  effectivePolicyHash: string;
+  warnings: string[];
+  denyExamples: Array<{ code: string; message: string }>;
+}
+
+export interface TokenCliArgs {
+  subcommand?: string;
+  profile?: string;
+  profileVersion?: string;
+  overridesRaw?: string;
+  token?: string;
+  json: boolean;
+}
+
+export function parseTokenArgs(args: string[]): TokenCliArgs {
+  const getValue = (flag: string): string | undefined => {
+    const idx = args.indexOf(flag);
+    return idx >= 0 ? args[idx + 1] : undefined;
+  };
+
+  return {
+    subcommand: args[0],
+    profile: getValue('--profile'),
+    profileVersion: getValue('--profile-version'),
+    overridesRaw: getValue('--overrides'),
+    token: getValue('--token'),
+    json: args.includes('--json'),
+  };
+}
+
+function parseOverrides(raw?: string): Json | undefined {
+  if (!raw) return undefined;
+  const parsed = JSON.parse(raw) as unknown;
+  if (!parsed || typeof parsed !== 'object' || Array.isArray(parsed)) {
+    throw new Error('--overrides must be a JSON object');
+  }
+  return parsed as Json;
+}
+
+export function formatPolicyPreview(preview: PolicyPreviewResponse): string {
+  const lines: string[] = [];
+  lines.push(`Profile: ${preview.profile.id}@${preview.profile.version}`);
+  lines.push(`Hash: ${preview.effectivePolicyHash}`);
+  lines.push(`Permissions: ${preview.effectivePolicy.permissions.join(', ') || '(none)'}`);
+  lines.push(`Credential read scope: ${preview.effectivePolicy.credentialAccess.read.join(', ') || '(none)'}`);
+  lines.push(`Credential write scope: ${preview.effectivePolicy.credentialAccess.write.join(', ') || '(none)'}`);
+  lines.push(`Excluded fields: ${preview.effectivePolicy.excludeFields.join(', ') || '(none)'}`);
+  lines.push(`TTL seconds: ${preview.effectivePolicy.ttlSeconds}`);
+  lines.push(`Max reads: ${preview.effectivePolicy.maxReads ?? 'unlimited'}`);
+
+  const rb = preview.effectivePolicy.rateBudget;
+  lines.push(`Rate budget: ${rb.state} (${rb.requests ?? 'n/a'} / ${rb.windowSeconds ?? 'n/a'}s, source=${rb.source})`);
+
+  if (preview.warnings.length > 0) {
+    lines.push('Warnings:');
+    for (const warning of preview.warnings) lines.push(`  - ${warning}`);
+  }
+
+  if (preview.denyExamples.length > 0) {
+    lines.push('Expected deny examples:');
+    for (const deny of preview.denyExamples) lines.push(`  - ${deny.code}: ${deny.message}`);
+  }
+
+  return lines.join('\n');
+}
+
+function showHelp(): void {
+  console.log(`
+  aurawallet token — Token policy preview
+
+  Usage:
+    npx aurawallet token preview --profile <id> [--profile-version <v>] [--overrides <json>] [--json]
+
+  Options:
+    --profile <id>          Profile id (required)
+    --profile-version <v>   Profile version (default: v1)
+    --overrides <json>      JSON object for profile overrides (tighten-only)
+    --json                  Print raw PolicyPreviewV1 payload
+    --token <token>         Admin token (falls back to AURA_TOKEN env)
+
+  Examples:
+    npx aurawallet token preview --profile dev
+    npx aurawallet token preview --profile strict --profile-version v1 --json
+    npx aurawallet token preview --profile dev --overrides '{"ttlSeconds":900}'
+`);
+}
+
+async function main(): Promise<void> {
+  const parsed = parseTokenArgs(process.argv.slice(2));
+
+  if (!parsed.subcommand || parsed.subcommand === '--help' || parsed.subcommand === '-h') {
+    showHelp();
+    process.exit(0);
+  }
+
+  if (parsed.subcommand !== 'preview') {
+    console.error(`Unknown token subcommand: ${parsed.subcommand}`);
+    showHelp();
+    process.exit(1);
+  }
+
+  if (!parsed.profile) {
+    console.error('--profile is required');
+    process.exit(1);
+  }
+
+  const token = parsed.token || process.env.AURA_TOKEN;
+  if (!token) {
+    console.error('Admin auth required. Provide --token or set AURA_TOKEN.');
+    process.exit(1);
+  }
+
+  try {
+    const profileOverrides = parseOverrides(parsed.overridesRaw);
+    const preview = await fetchJson<PolicyPreviewResponse>('/actions/token/preview', {
+      method: 'POST',
+      token,
+      body: {
+        profile: parsed.profile,
+        profileVersion: parsed.profileVersion,
+        profileOverrides,
+      },
+    });
+
+    if (parsed.json) {
+      console.log(JSON.stringify(preview, null, 2));
+      return;
+    }
+
+    console.log(formatPolicyPreview(preview));
+  } catch (error) {
+    console.error(`Token preview failed: ${getErrorMessage(error)}`);
+    process.exit(1);
+  }
+}
+
+if (import.meta.url === `file://${process.argv[1]}`) {
+  main().catch((error) => {
+    console.error(`Token preview failed: ${getErrorMessage(error)}`);
+    process.exit(1);
+  });
+}

package/server/cli/commands/unlock.ts

@@ -0,0 +1,49 @@
+/**
+ * aurawallet unlock — Unlock the vault interactively
+ */
+
+import { fetchPublicKey, fetchJson, isServerRunning } from '../lib/http';
+import { promptPassword } from '../lib/prompt';
+import { encryptPassword, generateAgentKeypair } from '../../cli/transport-client';
+import { getErrorMessage } from '../../lib/error';
+
+async function main() {
+  // Check server is running
+  if (!(await isServerRunning())) {
+    console.error('Wallet server is not running.');
+    console.error('Start it with: npx aurawallet start');
+    process.exit(1);
+  }
+
+  // Get public key
+  const publicKey = await fetchPublicKey();
+
+  // Prompt for password
+  const password = await promptPassword('Password');
+
+  // Encrypt and unlock
+  const encrypted = encryptPassword(password, publicKey);
+  const { publicKey: agentPubkey } = generateAgentKeypair();
+
+  try {
+    const result = await fetchJson<{
+      success: boolean;
+      address: string;
+      token: string;
+      error?: string;
+    }>('/unlock', { body: { encrypted, pubkey: agentPubkey } });
+
+    console.log(`\nWallet unlocked.`);
+    console.log(`  Address: ${result.address}`);
+    console.log(`  Token:   ${result.token.substring(0, 20)}...`);
+  } catch (error) {
+    const msg = getErrorMessage(error);
+    console.error(`\nFailed to unlock: ${msg}`);
+    process.exit(1);
+  }
+}
+
+main().catch((error) => {
+  console.error('Error:', getErrorMessage(error));
+  process.exit(1);
+});

package/server/cli/commands/vault.ts

@@ -0,0 +1,417 @@
+/**
+ * aurawallet vault — Retrieve credentials from the vault
+ *
+ * Usage:
+ *   npx aurawallet vault list                     List all credential names
+ *   npx aurawallet vault get <name>               Print all fields as key=value
+ *   npx aurawallet vault get <name> --field <f>   Print single field value (raw, for piping)
+ *   npx aurawallet vault get <name> --json        JSON output
+ *   npx aurawallet vault get <name> --first       Use first match if multiple results
+ */
+
+import {
+  generateEphemeralKeypair,
+  bootstrapViaSocket,
+  decryptWithPrivateKey,
+  createReadToken,
+  EphemeralKeypair,
+} from '../../lib/credential-transport';
+import { serverUrl } from '../lib/http';
+import { getErrorMessage } from '../../lib/error';
+import { evaluateProjectScopeAccess, emitProjectScopeEvent } from '../../lib/project-scope';
+import { printHelp } from '../lib/theme';
+
+// ── Auth: socket or AURA_TOKEN env var ──
+
+async function getAuthToken(keypair: EphemeralKeypair): Promise<string> {
+  try {
+    return await bootstrapViaSocket('cli-vault', keypair);
+  } catch (socketErr) {
+    // Socket bootstrap is preferred; env token is fallback for headless/CI.
+    const envToken = process.env.AURA_TOKEN;
+    if (envToken) return envToken;
+    throw socketErr;
+  }
+}
+
+function decryptCredentialPayload(encrypted: string, keypair: EphemeralKeypair): DecryptedCredential {
+  const plaintext = decryptWithPrivateKey(encrypted, keypair.privateKeyPem);
+  return JSON.parse(plaintext);
+}
+
+async function getReadToken(authToken: string, keypair: EphemeralKeypair): Promise<string> {
+  return createReadToken(serverUrl(), authToken, keypair, 'cli-vault-reader');
+}
+
+// ── API helpers ──
+
+interface CredentialMeta {
+  id: string;
+  name: string;
+  type: string;
+  vaultId: string;
+  meta: Record<string, unknown>;
+}
+
+interface DecryptedCredential {
+  id: string;
+  vaultId: string;
+  type: string;
+  fields: Array<{ key: string; value: string; type?: string; sensitive?: boolean }>;
+  health?: {
+    status: string;
+    flags: { weak: boolean; reused: boolean; breached: boolean; unknown: boolean };
+    lastScannedAt: string | null;
+  };
+}
+
+interface CredentialHealthSummaryResponse {
+  summary: {
+    totalAnalyzed: number;
+    safe: number;
+    weak: number;
+    reused: number;
+    breached: number;
+    unknown: number;
+    lastScanAt: string | null;
+  };
+}
+
+async function listCredentials(token: string, query?: string): Promise<CredentialMeta[]> {
+  const base = serverUrl();
+  const qs = query ? `?q=${encodeURIComponent(query)}` : '';
+  const res = await fetch(`${base}/credentials${qs}`, {
+    headers: { 'Authorization': `Bearer ${token}` },
+    signal: AbortSignal.timeout(5000),
+  });
+  if (!res.ok) throw new Error(`List failed (${res.status})`);
+  const data = await res.json() as { credentials: CredentialMeta[] };
+  return data.credentials || [];
+}
+
+async function readCredential(
+  credentialId: string,
+  readToken: string,
+  keypair: EphemeralKeypair,
+): Promise<DecryptedCredential> {
+  const base = serverUrl();
+  const res = await fetch(`${base}/credentials/${credentialId}/read`, {
+    method: 'POST',
+    headers: { 'Authorization': `Bearer ${readToken}` },
+    signal: AbortSignal.timeout(5000),
+  });
+  if (!res.ok) {
+    const text = await res.text();
+    throw new Error(`Read failed (${res.status}): ${text}`);
+  }
+  const data = await res.json() as { encrypted: string };
+  return decryptCredentialPayload(data.encrypted, keypair);
+}
+
+// ── Search helpers ──
+
+async function searchCredentials(token: string, name: string): Promise<CredentialMeta[]> {
+  const base = serverUrl();
+  for (const param of [`q=${encodeURIComponent(name)}`, `tag=${encodeURIComponent(name)}`]) {
+    const res = await fetch(`${base}/credentials?${param}`, {
+      headers: { 'Authorization': `Bearer ${token}` },
+      signal: AbortSignal.timeout(5000),
+    });
+    if (res.ok) {
+      const data = await res.json() as { credentials: CredentialMeta[] };
+      if (data.credentials && data.credentials.length > 0) {
+        return data.credentials;
+      }
+    }
+  }
+  return [];
+}
+
+async function fetchTotpCode(credentialId: string, token: string): Promise<{ code: string; remaining: number }> {
+  const base = serverUrl();
+  const res = await fetch(`${base}/credentials/${credentialId}/totp`, {
+    method: 'POST',
+    headers: { 'Authorization': `Bearer ${token}` },
+    signal: AbortSignal.timeout(5000),
+  });
+  if (!res.ok) {
+    const data = await res.json().catch(() => ({ error: `HTTP ${res.status}` })) as { error?: string };
+    throw new Error(data.error || `TOTP request failed (${res.status})`);
+  }
+  const data = await res.json() as { code: string; remaining: number };
+  return data;
+}
+
+async function fetchVaultNameMap(): Promise<Map<string, string>> {
+  const base = serverUrl();
+  const res = await fetch(`${base}/setup/vaults`, {
+    signal: AbortSignal.timeout(5000),
+  });
+  if (!res.ok) return new Map();
+  const data = await res.json() as { vaults?: Array<{ id: string; name: string }> };
+  return new Map((data.vaults || []).map((v) => [v.id, v.name]));
+}
+
+async function fetchHealthSummary(token: string): Promise<CredentialHealthSummaryResponse['summary']> {
+  const base = serverUrl();
+  const res = await fetch(`${base}/credentials/health/summary`, {
+    headers: { 'Authorization': `Bearer ${token}` },
+    signal: AbortSignal.timeout(5000),
+  });
+  if (!res.ok) throw new Error(`Health summary failed (${res.status})`);
+  const data = await res.json() as CredentialHealthSummaryResponse;
+  return data.summary;
+}
+
+// ── CLI ──
+
+function showHelp(): void {
+  printHelp('VAULT', 'npx aurawallet vault <subcommand> [options]', [
+    { name: 'list', desc: 'List all credential names' },
+    { name: 'get <name>', desc: 'Print fields as key=value' },
+    { name: 'health', desc: 'Print credential health summary' },
+  ], [
+    'Options:',
+    '  --field <f>    Print single field value (raw)',
+    '  --vault <v>    Restrict lookup to a specific vault name',
+    '  --json         JSON output',
+    '  --first        Use first match if ambiguous',
+    '  --totp         Print current TOTP code only',
+    '',
+    'Auth: Uses Unix socket by default. Set AURA_TOKEN env var for headless/CI.',
+  ]);
+}
+
+/** Parse CLI arguments into structured options */
+export function parseArgs(args: string[]): {
+  subcommand: string | undefined;
+  flagJson: boolean;
+  flagFirst: boolean;
+  flagTotp: boolean;
+  fieldName: string | undefined;
+  vaultName: string | undefined;
+  positional: string[];
+} {
+  const subcommand = args[0];
+  const flagJson = args.includes('--json');
+  const flagFirst = args.includes('--first');
+  const flagTotp = args.includes('--totp');
+  const fieldIdx = args.indexOf('--field');
+  const fieldName = fieldIdx !== -1 ? args[fieldIdx + 1] : undefined;
+  const vaultIdx = args.indexOf('--vault');
+  const vaultName = vaultIdx !== -1 ? args[vaultIdx + 1] : undefined;
+
+  const positional: string[] = [];
+  for (let i = 1; i < args.length; i++) {
+    if (args[i].startsWith('--')) {
+      if (args[i] === '--field' || args[i] === '--vault') i++; // skip flag values
+      continue;
+    }
+    positional.push(args[i]);
+  }
+
+  return { subcommand, flagJson, flagFirst, flagTotp, fieldName, vaultName, positional };
+}
+
+/** Format a decrypted credential for output */
+export function formatCredential(
+  target: { name: string; type: string; id: string },
+  decrypted: DecryptedCredential,
+  opts: { json: boolean; fieldName?: string },
+): { output: string; exitCode: number } {
+  if (opts.json) {
+    return {
+      output: JSON.stringify({
+        name: target.name,
+        type: target.type,
+        id: target.id,
+        fields: decrypted.fields,
+      }, null, 2),
+      exitCode: 0,
+    };
+  }
+
+  if (opts.fieldName) {
+    const field = decrypted.fields.find(f => f.key.toLowerCase() === opts.fieldName!.toLowerCase());
+    if (!field) {
+      return {
+        output: `Field "${opts.fieldName}" not found. Available: ${decrypted.fields.map(f => f.key).join(', ')}`,
+        exitCode: 1,
+      };
+    }
+    return { output: field.value, exitCode: 0 };
+  }
+
+  // Default: key=value format
+  return {
+    output: decrypted.fields.map(f => `${f.key}=${f.value}`).join('\n'),
+    exitCode: 0,
+  };
+}
+
+export async function runVaultCli(args: string[]): Promise<number> {
+  const { subcommand, flagJson, flagFirst, flagTotp, fieldName, vaultName, positional } = parseArgs(args);
+
+  if (!subcommand || subcommand === '--help' || subcommand === '-h') {
+    showHelp();
+    return 0;
+  }
+
+  const keypair = generateEphemeralKeypair();
+
+  try {
+    // Auth via socket or AURA_TOKEN fallback
+    const token = await getAuthToken(keypair);
+
+    if (subcommand === 'list') {
+      const credentials = await listCredentials(token);
+      if (flagJson) {
+        console.log(JSON.stringify(credentials.map(c => ({ name: c.name, type: c.type, id: c.id })), null, 2));
+      } else {
+        if (credentials.length === 0) {
+          console.log('No credentials found.');
+        } else {
+          for (const c of credentials) {
+            console.log(`${c.name}  (${c.type})`);
+          }
+        }
+      }
+      return 0;
+    }
+
+    if (subcommand === 'health') {
+      const summary = await fetchHealthSummary(token);
+      if (flagJson) {
+        console.log(JSON.stringify(summary, null, 2));
+      } else {
+        console.log(`Analyzed: ${summary.totalAnalyzed}`);
+        console.log(`Safe: ${summary.safe}`);
+        console.log(`Weak: ${summary.weak}`);
+        console.log(`Reused: ${summary.reused}`);
+        console.log(`Breached: ${summary.breached}`);
+        console.log(`Unknown: ${summary.unknown}`);
+      }
+      return 0;
+    }
+
+    if (subcommand === 'get') {
+      const name = positional[0];
+      if (!name) {
+        console.error('Usage: npx aurawallet vault get <name>');
+        return 1;
+      }
+
+      // Search
+      const matches = await searchCredentials(token, name);
+      if (matches.length === 0) {
+        console.error(`No credential found matching "${name}"`);
+        return 1;
+      }
+
+      const vaultNames = await fetchVaultNameMap();
+      const scopedDecision = evaluateProjectScopeAccess({
+        surface: 'cli_vault_get',
+        requested: { vaultName: vaultName || null, credentialName: name },
+        candidates: matches.map((m) => ({
+          id: m.id,
+          name: m.name,
+          vaultName: vaultNames.get(m.vaultId) || null,
+        })),
+        actor: 'cli-vault',
+      });
+      emitProjectScopeEvent({
+        actor: 'cli-vault',
+        surface: 'cli_vault_get',
+        requestedCredential: { vaultName: vaultName || null, credentialName: name },
+        decision: scopedDecision,
+      });
+      if (!scopedDecision.allowed) {
+        console.error(`${scopedDecision.code}: ${scopedDecision.remediation}`);
+        return 1;
+      }
+
+      const allowedIds = new Set(scopedDecision.allowedCandidates.map((c) => c.id).filter(Boolean));
+      const scopedMatches = matches.filter((m) => allowedIds.has(m.id));
+      const vaultFiltered = vaultName
+        ? scopedMatches.filter((m) => (vaultNames.get(m.vaultId) || '').toLowerCase() === vaultName.toLowerCase())
+        : scopedMatches;
+
+      if (vaultFiltered.length === 0) {
+        console.error(`PROJECT_SCOPE_DENIED: No allowed credential found for "${name}" in vault "${vaultName}".`);
+        return 1;
+      }
+
+      let target: CredentialMeta;
+      if (vaultFiltered.length > 1 && !flagFirst) {
+        console.error(`Multiple credentials match "${name}":`);
+        for (const m of vaultFiltered) {
+          const resolvedVault = vaultNames.get(m.vaultId) || m.vaultId;
+          console.error(`  - ${m.name}  (${m.type}, vault: ${resolvedVault}, id: ${m.id})`);
+        }
+        console.error('\nUse --first to select the first match, or specify --vault.');
+        return 1;
+      }
+      target = vaultFiltered[0];
+
+      // --totp: just print the TOTP code
+      if (flagTotp) {
+        try {
+          const totp = await fetchTotpCode(target.id, token);
+          process.stdout.write(totp.code);
+          return 0;
+        } catch (err) {
+          console.error(`TOTP error: ${getErrorMessage(err)}`);
+          return 1;
+        }
+      }
+
+      // Get scoped read token and decrypt
+      const readToken = await getReadToken(token, keypair);
+      const decrypted = await readCredential(target.id, readToken, keypair);
+
+      // If credential has TOTP, fetch the current code and append
+      const hasTotpField = decrypted.fields.some(f => f.key === 'totp' || f.key === 'otp');
+      if (hasTotpField) {
+        try {
+          const totp = await fetchTotpCode(target.id, token);
+          decrypted.fields.push({ key: 'totp_code', value: totp.code, type: 'text', sensitive: false });
+        } catch {
+          // TOTP fetch failed — skip silently (may lack permission)
+        }
+      }
+
+      const result = formatCredential(target, decrypted, { json: flagJson, fieldName });
+      if (result.exitCode !== 0) {
+        console.error(result.output);
+        return result.exitCode;
+      }
+
+      if (fieldName) {
+        // Raw value — no newline for piping
+        process.stdout.write(result.output);
+      } else {
+        console.log(result.output);
+      }
+      return 0;
+    }
+
+    console.error(`Unknown vault subcommand: ${subcommand}`);
+    showHelp();
+    return 1;
+  } catch (error) {
+    console.error(`Error: ${getErrorMessage(error)}`);
+    return 1;
+  }
+}
+
+async function main(): Promise<void> {
+  const exitCode = await runVaultCli(process.argv.slice(2));
+  process.exit(exitCode);
+}
+
+if (require.main === module) {
+  main().catch((error) => {
+    console.error(`Error: ${getErrorMessage(error)}`);
+    process.exit(1);
+  });
+}