auramaxx 1.0.0-alpha.4

package/server/cli/index.ts

@@ -0,0 +1,328 @@
+#!/usr/bin/env node
+/**
+ * Aura Wallet CLI - Headless mode for programmatic wallet control
+ *
+ * Security Design:
+ * - Admin token stored in-process memory only (never touches disk)
+ * - Main wallet server hosts Unix socket IPC for local agent connections
+ * - Crash = re-auth required (aligns with server restart security model)
+ *
+ * Usage:
+ *   npm run cli              # Interactive password prompt
+ *   npm run cli --password-stdin   # Read password from stdin (CI/automation)
+ *   npm run cli --auto-approve     # Auto-approve all requests (DANGEROUS)
+ */
+
+import * as readline from 'readline';
+import { encryptPassword, generateAgentKeypair } from './transport-client';
+import { ApprovalManager } from './approval';
+import * as fs from 'fs';
+import { getErrorMessage } from '../lib/error';
+import { printBanner, printBox, printStatus } from './lib/theme';
+
+const SERVER_URL = process.env.WALLET_SERVER_URL || 'http://localhost:4242';
+const LOCK_FILE = `/tmp/aura-cli-${process.getuid?.() ?? 'unknown'}.lock`;
+
+// In-process memory only - never persisted
+let adminToken: string | null = null;
+let coldWalletAddress: string | null = null;
+
+// Parse command line arguments
+const args = process.argv.slice(2);
+const passwordStdin = args.includes('--password-stdin');
+const autoApprove = args.includes('--auto-approve');
+
+/**
+ * Check if another CLI instance is running
+ */
+function checkLockFile(): boolean {
+  try {
+    if (fs.existsSync(LOCK_FILE)) {
+      const pid = parseInt(fs.readFileSync(LOCK_FILE, 'utf8'), 10);
+      // Check if process is still running
+      try {
+        process.kill(pid, 0); // Signal 0 tests if process exists
+        return true; // Process exists, lock is valid
+      } catch {
+        // Process doesn't exist, stale lock file
+        fs.unlinkSync(LOCK_FILE);
+        return false;
+      }
+    }
+    return false;
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Create lock file with our PID
+ */
+function createLockFile(): void {
+  fs.writeFileSync(LOCK_FILE, process.pid.toString(), { mode: 0o600 });
+}
+
+/**
+ * Remove lock file on exit
+ */
+function removeLockFile(): void {
+  try {
+    if (fs.existsSync(LOCK_FILE)) {
+      const pid = parseInt(fs.readFileSync(LOCK_FILE, 'utf8'), 10);
+      if (pid === process.pid) {
+        fs.unlinkSync(LOCK_FILE);
+      }
+    }
+  } catch {
+    // Ignore cleanup errors
+  }
+}
+
+/**
+ * Fetch the server's RSA public key for password encryption
+ */
+async function fetchPublicKey(): Promise<string> {
+  const response = await fetch(`${SERVER_URL}/auth/connect`);
+  if (!response.ok) {
+    throw new Error(`Failed to connect to wallet server: ${response.status}`);
+  }
+  const data = await response.json() as { publicKey: string };
+  return data.publicKey;
+}
+
+/**
+ * Unlock the wallet with encrypted password
+ */
+async function unlockWallet(encryptedPassword: string, pubkey: string): Promise<{ token: string; address: string }> {
+  const response = await fetch(`${SERVER_URL}/unlock`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ encrypted: encryptedPassword, pubkey })
+  });
+
+  const data = await response.json() as { success?: boolean; token?: string; address?: string; error?: string };
+
+  if (!response.ok || !data.success) {
+    throw new Error(data.error || 'Failed to unlock wallet');
+  }
+
+  return { token: data.token!, address: data.address! };
+}
+
+/**
+ * Prompt for password (hidden input)
+ */
+async function promptPassword(): Promise<string> {
+  return new Promise((resolve) => {
+    const rl = readline.createInterface({
+      input: process.stdin,
+      output: process.stdout
+    });
+
+    // Hide input by writing to stderr and using raw mode
+    process.stdout.write('Password: ');
+
+    // For hidden input, we need to handle it manually
+    const stdin = process.stdin;
+    const wasRaw = stdin.isRaw;
+
+    if (stdin.isTTY) {
+      stdin.setRawMode(true);
+    }
+
+    let password = '';
+
+    const onData = (char: Buffer) => {
+      const c = char.toString();
+
+      if (c === '\n' || c === '\r') {
+        // Enter pressed
+        stdin.removeListener('data', onData);
+        if (stdin.isTTY) {
+          stdin.setRawMode(wasRaw ?? false);
+        }
+        process.stdout.write('\n');
+        rl.close();
+        resolve(password);
+      } else if (c === '\u0003') {
+        // Ctrl+C
+        process.stdout.write('\n');
+        process.exit(1);
+      } else if (c === '\u007f' || c === '\b') {
+        // Backspace
+        if (password.length > 0) {
+          password = password.slice(0, -1);
+        }
+      } else {
+        password += c;
+      }
+    };
+
+    stdin.on('data', onData);
+  });
+}
+
+/**
+ * Read password from stdin (for automation)
+ */
+async function readPasswordFromStdin(): Promise<string> {
+  return new Promise((resolve, reject) => {
+    let data = '';
+
+    process.stdin.setEncoding('utf8');
+    process.stdin.on('data', (chunk) => {
+      data += chunk;
+    });
+    process.stdin.on('end', () => {
+      const password = data.trim();
+      if (!password) {
+        reject(new Error('No password provided on stdin'));
+      } else {
+        resolve(password);
+      }
+    });
+    process.stdin.on('error', reject);
+
+    // Set a timeout for stdin read
+    setTimeout(() => {
+      if (!data) {
+        reject(new Error('Timeout waiting for password on stdin'));
+      }
+    }, 5000);
+  });
+}
+
+/**
+ * Get the admin token (for use by other modules)
+ */
+export function getAdminToken(): string | null {
+  return adminToken;
+}
+
+/**
+ * Get the cold wallet address
+ */
+export function getColdWalletAddress(): string | null {
+  return coldWalletAddress;
+}
+
+/**
+ * Get the server URL
+ */
+export function getServerUrl(): string {
+  return SERVER_URL;
+}
+
+/**
+ * Main entry point
+ */
+async function main() {
+  printBanner('CLI MODE');
+
+  // Check for existing instance
+  if (checkLockFile()) {
+    console.error('ERROR: Another CLI instance is already running.');
+    console.error('If this is incorrect, remove the lock file:', LOCK_FILE);
+    process.exit(1);
+  }
+
+  // Auto-approve warning
+  if (autoApprove) {
+    console.log('⚠️  WARNING: --auto-approve is enabled!');
+    console.log('   All agent requests will be automatically approved.');
+    console.log('   This is DANGEROUS in production environments.\n');
+  }
+
+  try {
+    // 1. Fetch server's public key
+    console.log('Connecting to wallet server...');
+    const publicKey = await fetchPublicKey();
+    console.log('Connected. Server RSA key received.\n');
+
+    // 2. Get password
+    let password: string;
+    if (passwordStdin) {
+      console.log('Reading password from stdin...');
+      password = await readPasswordFromStdin();
+    } else {
+      password = await promptPassword();
+    }
+
+    // 3. Encrypt and unlock
+    console.log('Unlocking wallet...');
+    const encryptedPassword = encryptPassword(password, publicKey);
+    const { publicKey: agentPubkey } = generateAgentKeypair();
+    const { token, address } = await unlockWallet(encryptedPassword, agentPubkey);
+
+    // Clear password from memory
+    password = '';
+
+    // Store token in memory only
+    adminToken = token;
+    coldWalletAddress = address;
+
+    console.log(`\n✓ Wallet unlocked successfully`);
+    console.log(`  Address: ${address}`);
+    console.log(`  Token: ${token.substring(0, 20)}...`);
+
+    // Create lock file
+    createLockFile();
+
+    // 4. Start approval manager (WebSocket listener)
+    console.log('\nStarting approval listener...');
+    const approvalManager = new ApprovalManager({
+      serverUrl: SERVER_URL,
+      getToken: () => adminToken,
+      autoApprove,
+      headless: passwordStdin // Skip terminal interface when using stdin
+    });
+    await approvalManager.start();
+
+    // 5. Socket broker now runs in the main wallet server process.
+    const socketPath = `/tmp/aura-cli-${process.getuid?.() ?? 'unknown'}.sock`;
+
+    console.log('');
+    printBox([
+      'CLI Ready — Listening for agent requests',
+      '',
+      `Socket: ${socketPath}`,
+      'Press Ctrl+C to exit',
+    ]);
+
+    // Handle graceful shutdown
+    const shutdown = async () => {
+      console.log('\n\nShutting down...');
+      approvalManager.stop();
+      removeLockFile();
+
+      // Clear sensitive data
+      adminToken = null;
+      coldWalletAddress = null;
+
+      console.log('Goodbye.');
+      process.exit(0);
+    };
+
+    process.on('SIGINT', shutdown);
+    process.on('SIGTERM', shutdown);
+    process.on('exit', removeLockFile);
+
+    // Keep process alive
+    await new Promise(() => {
+      // Never resolves - keeps CLI running
+    });
+
+  } catch (error) {
+    const message = getErrorMessage(error);
+    console.error(`\nERROR: ${message}`);
+    removeLockFile();
+    process.exit(1);
+  }
+}
+
+// Run main
+main().catch((error) => {
+  console.error('Fatal error:', error);
+  removeLockFile();
+  process.exit(1);
+});

package/server/cli/lib/aura-parser.ts

@@ -0,0 +1,64 @@
+/**
+ * .aura file parser — shared between env.ts and init.ts
+ */
+
+import * as fs from 'fs';
+import {
+  type AuraMapping,
+  validateEnvVarName,
+} from './credential-resolve';
+
+export { type AuraMapping } from './credential-resolve';
+
+/**
+ * Parse a .aura file into an array of env-var → credential mappings.
+ */
+export function parseAuraFile(filePath: string): AuraMapping[] {
+  const content = fs.readFileSync(filePath, 'utf-8');
+  const mappings: AuraMapping[] = [];
+
+  for (const rawLine of content.split('\n')) {
+    const line = rawLine.trim();
+    if (!line || line.startsWith('#')) continue;
+
+    const eqIdx = line.indexOf('=');
+    if (eqIdx === -1) {
+      throw new Error(`Invalid line in .aura (missing '='): ${line}`);
+    }
+
+    const envVar = line.substring(0, eqIdx).trim();
+    const ref = line.substring(eqIdx + 1).trim();
+
+    if (!envVar || !ref) {
+      throw new Error(`Invalid line in .aura: ${line}`);
+    }
+
+    // Validate env var name (audit finding #6)
+    validateEnvVarName(envVar);
+
+    let vault: string | null = null;
+    let credentialName: string;
+    let field: string;
+
+    if (ref.startsWith('@')) {
+      const parts = ref.substring(1).split('/');
+      if (parts.length < 3) {
+        throw new Error(`Invalid vault reference (expected @vault/credential/field): ${ref}`);
+      }
+      vault = parts[0];
+      credentialName = parts[1];
+      field = parts.slice(2).join('/');
+    } else {
+      const parts = ref.split('/');
+      if (parts.length < 2) {
+        throw new Error(`Invalid reference (expected credential/field): ${ref}`);
+      }
+      credentialName = parts[0];
+      field = parts.slice(1).join('/');
+    }
+
+    mappings.push({ envVar, vault, credentialName, field });
+  }
+
+  return mappings;
+}

package/server/cli/lib/credential-create.ts

@@ -0,0 +1,74 @@
+/**
+ * CLI helper for creating credentials via the server API.
+ */
+
+import { serverUrl } from './http';
+
+interface CreateCredentialOpts {
+  token: string;
+  vaultId: string;
+  name: string;
+  type?: string;
+  fields: Array<{ key: string; value: string }>;
+}
+
+interface CreateResult {
+  success: boolean;
+  credential?: { id: string; name: string };
+  error?: string;
+}
+
+/**
+ * Create a credential via POST /credentials.
+ * Fields are sent as sensitiveFields (server encrypts them).
+ */
+export async function createCredentialViaApi(opts: CreateCredentialOpts): Promise<CreateResult> {
+  const base = serverUrl();
+  const body = {
+    vaultId: opts.vaultId,
+    type: opts.type || 'api',
+    name: opts.name,
+    sensitiveFields: opts.fields.map(f => ({
+      key: f.key,
+      value: f.value,
+      sensitive: true,
+    })),
+  };
+
+  const res = await fetch(`${base}/credentials`, {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json',
+      'Authorization': `Bearer ${opts.token}`,
+    },
+    body: JSON.stringify(body),
+    signal: AbortSignal.timeout(10000),
+  });
+
+  const data = await res.json() as CreateResult;
+  if (!res.ok) {
+    return { success: false, error: data.error || `HTTP ${res.status}` };
+  }
+  return data;
+}
+
+/**
+ * Get the primary vault ID.
+ */
+export async function getPrimaryVaultId(token: string): Promise<string> {
+  const base = serverUrl();
+  const res = await fetch(`${base}/vaults/credential`, {
+    headers: { 'Authorization': `Bearer ${token}` },
+    signal: AbortSignal.timeout(5000),
+  });
+
+  if (!res.ok) throw new Error(`Failed to list vaults: HTTP ${res.status}`);
+
+  const data = await res.json() as { vaults: Array<{ id: string; name: string; isPrimary: boolean }> };
+  const primary = data.vaults?.find(v => v.isPrimary);
+  if (!primary) {
+    if (data.vaults?.length > 0) return data.vaults[0].id;
+    throw new Error('No vaults found. Run `aura init` first.');
+  }
+  return primary.id;
+}