auramaxx 1.0.0-alpha.4

package/server/cli/lib/credential-resolve.ts

@@ -0,0 +1,254 @@
+/**
+ * Shared credential resolution logic for env.ts and shell-hook.ts
+ *
+ * Consolidates search → read → decrypt flow to prevent drift between
+ * the two consumers (audit finding #3).
+ */
+
+import { getErrorMessage } from '../../lib/error';
+import { evaluateProjectScopeAccess, emitProjectScopeEvent } from '../../lib/project-scope';
+
+// ── Types ──
+
+export interface CredentialMeta {
+  id: string;
+  name: string;
+  type: string;
+  vaultId: string;
+}
+
+export interface DecryptedCredential {
+  id: string;
+  vaultId: string;
+  type: string;
+  fields: Array<{ key: string; value: string }>;
+}
+
+export interface AuraMapping {
+  envVar: string;
+  vault: string | null;
+  credentialName: string;
+  field: string;
+}
+
+export interface ResolveResult {
+  resolved: Map<string, string>;
+  errors: string[];
+  missing: AuraMapping[];
+}
+
+// ── Env var name validation (audit finding #6) ──
+
+const ENV_VAR_NAME_RE = /^[A-Za-z_][A-Za-z0-9_]*$/;
+
+export function isValidEnvVarName(name: string): boolean {
+  return ENV_VAR_NAME_RE.test(name);
+}
+
+export function validateEnvVarName(name: string): void {
+  if (!isValidEnvVarName(name)) {
+    throw new Error(
+      `Invalid env var name '${name}': must match [A-Za-z_][A-Za-z0-9_]*`
+    );
+  }
+}
+
+// ── Shell escaping (audit finding #1) ──
+
+/**
+ * Escape a value for safe use in shell export statements.
+ * Uses ANSI-C quoting ($'...') to safely handle newlines, tabs,
+ * single quotes, backslashes, and other control characters.
+ */
+export function escapeForShell(value: string): string {
+  // Use ANSI-C $'...' quoting which handles all special chars
+  const escaped = value
+    .replace(/\\/g, '\\\\')
+    .replace(/'/g, "\\'")
+    .replace(/\n/g, '\\n')
+    .replace(/\r/g, '\\r')
+    .replace(/\t/g, '\\t')
+    .replace(/\0/g, '\\0')
+    // Escape any other control characters
+    .replace(/[\x01-\x08\x0b\x0c\x0e-\x1f\x7f]/g, (ch) => {
+      return '\\x' + ch.charCodeAt(0).toString(16).padStart(2, '0');
+    });
+  return `$'${escaped}'`;
+}
+
+// ── Credential search with exact-match preference (audit finding #4) ──
+
+export async function searchCredential(
+  baseUrl: string,
+  token: string,
+  name: string,
+): Promise<CredentialMeta | null> {
+  for (const param of [
+    `q=${encodeURIComponent(name)}`,
+    `tag=${encodeURIComponent(name)}`,
+  ]) {
+    const res = await fetch(`${baseUrl}/credentials?${param}`, {
+      headers: { Authorization: `Bearer ${token}` },
+      signal: AbortSignal.timeout(5000),
+    });
+    if (!res.ok) continue;
+
+    const data = (await res.json()) as { credentials: CredentialMeta[] };
+    const creds = data.credentials;
+    if (!creds || creds.length === 0) continue;
+
+    // Prefer exact name match (audit finding #4: ambiguous matching)
+    const exact = creds.find(
+      (c) => c.name.toLowerCase() === name.toLowerCase(),
+    );
+    if (exact) return exact;
+
+    // Warn if multiple non-exact matches
+    if (creds.length > 1) {
+      console.error(
+        `aura: warning: '${name}' matched ${creds.length} credentials, using first. ` +
+          `Matches: ${creds.map((c) => c.name).join(', ')}`,
+      );
+    }
+    return creds[0];
+  }
+  return null;
+}
+
+// ── Credential read + decrypt ──
+
+export async function readCredential(
+  baseUrl: string,
+  readToken: string,
+  credentialId: string,
+  decryptFn: (encrypted: string) => string,
+): Promise<DecryptedCredential> {
+  const res = await fetch(`${baseUrl}/credentials/${credentialId}/read`, {
+    method: 'POST',
+    headers: { Authorization: `Bearer ${readToken}` },
+    signal: AbortSignal.timeout(5000),
+  });
+  if (!res.ok) {
+    const text = await res.text();
+    throw new Error(`Read failed (${res.status}): ${text}`);
+  }
+  const data = (await res.json()) as { encrypted: string };
+  const plaintext = decryptFn(data.encrypted);
+  return JSON.parse(plaintext);
+}
+
+// ── Resolve mappings to env vars ──
+
+export async function resolveMappings(
+  mappings: AuraMapping[],
+  baseUrl: string,
+  token: string,
+  readToken: string,
+  decryptFn: (encrypted: string) => string,
+): Promise<ResolveResult> {
+  const resolved = new Map<string, string>();
+  const errors: string[] = [];
+  const missing: AuraMapping[] = [];
+
+  const credentialCache = new Map<string, DecryptedCredential | null>();
+  const CONCURRENCY = 5;
+
+  let vaultNameById = new Map<string, string>();
+  try {
+    const vaultRes = await fetch(`${baseUrl}/setup/vaults`, { signal: AbortSignal.timeout(5000) });
+    if (vaultRes.ok) {
+      const vaultData = await vaultRes.json() as { vaults?: Array<{ id: string; name: string }> };
+      vaultNameById = new Map((vaultData.vaults || []).map((v) => [v.id, v.name]));
+    }
+  } catch {
+    // best effort only
+  }
+
+  const uniqueTargets = new Map<string, AuraMapping>();
+  for (const mapping of mappings) {
+    const key = `${(mapping.vault || '').toLowerCase()}::${mapping.credentialName.toLowerCase()}`;
+    if (!uniqueTargets.has(key)) uniqueTargets.set(key, mapping);
+  }
+
+  const targetList = [...uniqueTargets.values()];
+
+  for (let i = 0; i < targetList.length; i += CONCURRENCY) {
+    const batch = targetList.slice(i, i + CONCURRENCY);
+    await Promise.all(
+      batch.map(async (mapping) => {
+        const cacheKey = `${(mapping.vault || '').toLowerCase()}::${mapping.credentialName.toLowerCase()}`;
+        const meta = await searchCredential(baseUrl, token, mapping.credentialName);
+        if (!meta) {
+          credentialCache.set(cacheKey, null);
+          return;
+        }
+
+        const decision = evaluateProjectScopeAccess({
+          surface: 'cli_env',
+          requested: { vaultName: mapping.vault, credentialName: mapping.credentialName },
+          candidates: [{ id: meta.id, name: meta.name, vaultName: vaultNameById.get(meta.vaultId) || null }],
+          actor: 'cli-env',
+        });
+        emitProjectScopeEvent({
+          actor: 'cli-env',
+          surface: 'cli_env',
+          requestedCredential: { vaultName: mapping.vault, credentialName: mapping.credentialName },
+          decision,
+        });
+        if (!decision.allowed) {
+          credentialCache.set(cacheKey, null);
+          errors.push(`credential '${mapping.credentialName}': ${decision.code}: ${decision.remediation}`);
+          return;
+        }
+
+        try {
+          const decrypted = await readCredential(
+            baseUrl,
+            readToken,
+            meta.id,
+            decryptFn,
+          );
+          credentialCache.set(cacheKey, decrypted);
+        } catch (err) {
+          credentialCache.set(cacheKey, null);
+          errors.push(`credential '${mapping.credentialName}': ${getErrorMessage(err)}`);
+        }
+      }),
+    );
+  }
+
+  for (const mapping of mappings) {
+    const cacheKey = `${(mapping.vault || '').toLowerCase()}::${mapping.credentialName.toLowerCase()}`;
+    const cred = credentialCache.get(cacheKey);
+    if (!cred) {
+      if (
+        !errors.some((e) =>
+          e.startsWith(`credential '${mapping.credentialName}'`),
+        )
+      ) {
+        errors.push(
+          `${mapping.envVar}: credential '${mapping.credentialName}' not found`,
+        );
+      } else {
+        errors.push(
+          `${mapping.envVar}: credential '${mapping.credentialName}' failed to resolve`,
+        );
+      }
+      missing.push(mapping);
+      continue;
+    }
+    const field = cred.fields.find(
+      (f) => f.key.toLowerCase() === mapping.field.toLowerCase(),
+    );
+    if (!field) {
+      const available = cred.fields.map((f) => f.key).join(', ');
+      errors.push(
+        `${mapping.envVar}: field '${mapping.field}' not found in '${mapping.credentialName}' (available: ${available})`,
+      );
+      continue;
+    }
+    resolved.set(mapping.envVar, field.value);
+  }
+
+  return { resolved, errors, missing };
+}

package/server/cli/lib/dotenv-migrate.ts

@@ -0,0 +1,116 @@
+/**
+ * Shared dotenv → vault migration logic.
+ * Used by both `aura init --from-dotenv` and `aura env init`.
+ */
+
+import * as fs from 'fs';
+import * as path from 'path';
+import { parseDotenv, groupByPrefix, noGrouping, generateAuraFile, type CredentialGroup } from './dotenv-parser';
+import { createCredentialViaApi, getPrimaryVaultId } from './credential-create';
+
+export interface MigrateOptions {
+  token: string;
+  envPath: string;
+  noGroup?: boolean;
+  dryRun?: boolean;
+}
+
+export interface MigrateResult {
+  groups: CredentialGroup[];
+  created: number;
+  failed: number;
+  auraPath: string;
+}
+
+/**
+ * Migrate a .env file into the vault and generate a .aura file.
+ * Returns summary of what was done.
+ */
+export async function migrateDotenv(opts: MigrateOptions): Promise<MigrateResult> {
+  const { token, envPath, noGroup, dryRun } = opts;
+
+  if (!fs.existsSync(envPath)) {
+    throw new Error(`No .env file found at ${envPath}`);
+  }
+
+  const auraPath = path.join(path.dirname(envPath), '.aura');
+  const shouldWriteAura = !fs.existsSync(auraPath);
+
+  if (!shouldWriteAura && !dryRun) {
+    console.log(`\n  Note: existing .aura file found at ${auraPath} — skipping overwrite.`);
+  }
+
+  const envContent = fs.readFileSync(envPath, 'utf-8');
+  const vars = parseDotenv(envContent);
+
+  if (vars.size === 0) {
+    throw new Error('No variables found in .env file.');
+  }
+
+  const groups = noGroup ? noGrouping(vars) : groupByPrefix(vars);
+
+  if (dryRun) {
+    console.log(`\n  .env → .aura migration plan (${vars.size} variables → ${groups.length} credentials)\n`);
+    for (const group of groups) {
+      console.log(`  📦 ${group.name} (${group.fields.length} field${group.fields.length > 1 ? 's' : ''})`);
+      for (const field of group.fields) {
+        const preview = field.value.length > 20 ? field.value.substring(0, 20) + '...' : field.value;
+        console.log(`     ${field.envVar} → ${group.name}/${field.key}  (${preview})`);
+      }
+    }
+    console.log(`\n  Run without --dry-run to execute.\n`);
+    return { groups, created: 0, failed: 0, auraPath };
+  }
+
+  const vaultId = await getPrimaryVaultId(token);
+
+  console.log(`\n  Migrating ${vars.size} variables → ${groups.length} credentials\n`);
+
+  let created = 0;
+  let failed = 0;
+
+  for (const group of groups) {
+    const result = await createCredentialViaApi({
+      token,
+      vaultId,
+      name: group.name,
+      fields: group.fields.map(f => ({ key: f.key, value: f.value })),
+    });
+
+    if (result.success) {
+      console.log(`  ✓ Created credential: ${group.name} (${group.fields.length} field${group.fields.length > 1 ? 's' : ''})`);
+      created++;
+    } else if (result.error?.includes('already exists') || result.error?.includes('duplicate')) {
+      console.log(`  ⚠ Skipped credential: ${group.name} (already exists)`);
+    } else {
+      console.error(`  ✗ Failed to create ${group.name}: ${result.error}`);
+      failed++;
+    }
+  }
+
+  // Generate .aura file when needed
+  if (shouldWriteAura) {
+    const auraContent = generateAuraFile(groups);
+    fs.writeFileSync(auraPath, auraContent, 'utf-8');
+    console.log(`\n  ✓ Generated .aura file (${groups.length} credential${groups.length > 1 ? 's' : ''})`);
+  }
+
+  // Add .env to .gitignore
+  const gitignorePath = path.join(path.dirname(envPath), '.gitignore');
+  if (fs.existsSync(gitignorePath)) {
+    const gitignore = fs.readFileSync(gitignorePath, 'utf-8');
+    if (!gitignore.includes('.env')) {
+      fs.appendFileSync(gitignorePath, '\n.env\n');
+      console.log('  ✓ Added .env to .gitignore');
+    }
+  }
+
+  console.log(`\n  Summary: ${created} created, ${failed} failed`);
+  if (created > 0) {
+    console.log('  Your .env variables are now in the vault.');
+    console.log('  Use `aura env -- <cmd>` to run commands with vault-injected env vars.');
+    console.log('  You can safely delete your .env file.\n');
+  }
+
+  return { groups, created, failed, auraPath };
+}

package/server/cli/lib/dotenv-parser.ts

@@ -0,0 +1,146 @@
+/**
+ * .env file parser and credential grouping for `aura env init`
+ */
+
+import { isValidEnvVarName } from './credential-resolve';
+
+export interface CredentialGroup {
+  name: string;
+  fields: Array<{ key: string; value: string; envVar: string }>;
+}
+
+/**
+ * Parse a .env file into key-value pairs.
+ * Handles: comments, blank lines, `export` prefix, single/double quotes, escaped chars.
+ * Does NOT handle: multiline values, variable expansion.
+ */
+export function parseDotenv(content: string): Map<string, string> {
+  const result = new Map<string, string>();
+
+  for (const rawLine of content.split('\n')) {
+    const line = rawLine.trim();
+
+    // Skip empty lines and comments
+    if (!line || line.startsWith('#')) continue;
+
+    // Strip optional `export ` prefix
+    const stripped = line.startsWith('export ') ? line.slice(7).trim() : line;
+
+    const eqIdx = stripped.indexOf('=');
+    if (eqIdx === -1) continue;
+
+    const key = stripped.substring(0, eqIdx).trim();
+    if (!key) continue;
+
+    // Validate env var name (audit finding #6)
+    if (!isValidEnvVarName(key)) {
+      console.error(`warning: skipping invalid env var name '${key}'`);
+      continue;
+    }
+
+    let value = stripped.substring(eqIdx + 1).trim();
+
+    // Handle quoted values
+    if ((value.startsWith('"') && value.endsWith('"')) ||
+        (value.startsWith("'") && value.endsWith("'"))) {
+      const quote = value[0];
+      value = value.slice(1, -1);
+      if (quote === '"') {
+        // Unescape double-quoted values
+        value = value
+          .replace(/\\n/g, '\n')
+          .replace(/\\r/g, '\r')
+          .replace(/\\t/g, '\t')
+          .replace(/\\"/g, '"')
+          .replace(/\\\\/g, '\\');
+      }
+      // Single-quoted: literal, no escaping
+    } else {
+      // Unquoted: strip inline comment
+      const commentIdx = value.indexOf(' #');
+      if (commentIdx !== -1) {
+        value = value.substring(0, commentIdx).trim();
+      }
+    }
+
+    result.set(key, value);
+  }
+
+  return result;
+}
+
+/**
+ * Group env vars by common prefix for credential creation.
+ *
+ * Rules:
+ * - Split var name by `_`, use first segment as group prefix
+ * - Groups with 1 member: credential name = full lowercased var name, field = "value"
+ * - Groups with 2+ members: credential name = prefix, field = rest lowercased
+ */
+export function groupByPrefix(vars: Map<string, string>): CredentialGroup[] {
+  const prefixGroups = new Map<string, Array<{ key: string; value: string; envVar: string }>>();
+
+  for (const [envVar, value] of vars) {
+    const underscoreIdx = envVar.indexOf('_');
+    const prefix = underscoreIdx === -1
+      ? envVar.toLowerCase()
+      : envVar.substring(0, underscoreIdx).toLowerCase();
+
+    if (!prefixGroups.has(prefix)) {
+      prefixGroups.set(prefix, []);
+    }
+
+    const fieldName = underscoreIdx === -1
+      ? 'value'
+      : envVar.substring(underscoreIdx + 1).toLowerCase();
+
+    prefixGroups.get(prefix)!.push({ key: fieldName, value, envVar });
+  }
+
+  const groups: CredentialGroup[] = [];
+
+  for (const [prefix, fields] of prefixGroups) {
+    if (fields.length === 1 && fields[0].key !== 'value') {
+      groups.push({
+        name: fields[0].envVar.toLowerCase(),
+        fields: [{ key: 'value', value: fields[0].value, envVar: fields[0].envVar }],
+      });
+    } else {
+      groups.push({ name: prefix, fields });
+    }
+  }
+
+  return groups;
+}
+
+/**
+ * No grouping — one credential per env var, field always "value".
+ */
+export function noGrouping(vars: Map<string, string>): CredentialGroup[] {
+  const groups: CredentialGroup[] = [];
+  for (const [envVar, value] of vars) {
+    groups.push({
+      name: envVar.toLowerCase(),
+      fields: [{ key: 'value', value, envVar }],
+    });
+  }
+  return groups;
+}
+
+/**
+ * Generate .aura file content from credential groups.
+ */
+export function generateAuraFile(groups: CredentialGroup[]): string {
+  const lines = ['# Generated by aura env init'];
+
+  for (const group of groups) {
+    for (const field of group.fields) {
+      const ref = field.key === 'value'
+        ? `${group.name}/value`
+        : `${group.name}/${field.key}`;
+      lines.push(`${field.envVar}=${ref}`);
+    }
+  }
+
+  return lines.join('\n') + '\n';
+}

package/server/cli/lib/http.ts

@@ -0,0 +1,91 @@
+/**
+ * HTTP helpers for CLI commands
+ */
+
+const DEFAULT_SERVER_URL = 'http://localhost:4242';
+
+/**
+ * Get the wallet server URL from env or default
+ */
+export function serverUrl(): string {
+  return process.env.WALLET_SERVER_URL || DEFAULT_SERVER_URL;
+}
+
+/**
+ * Fetch JSON from the wallet server
+ */
+export async function fetchJson<T = unknown>(
+  path: string,
+  opts: { method?: string; body?: unknown; token?: string } = {}
+): Promise<T> {
+  const url = `${serverUrl()}${path}`;
+  const headers: Record<string, string> = { 'Content-Type': 'application/json' };
+  if (opts.token) {
+    headers['Authorization'] = `Bearer ${opts.token}`;
+  }
+
+  const response = await fetch(url, {
+    method: opts.method || (opts.body ? 'POST' : 'GET'),
+    headers,
+    body: opts.body ? JSON.stringify(opts.body) : undefined,
+  });
+
+  const data = await response.json() as T & { error?: string };
+
+  if (!response.ok) {
+    throw new Error((data as { error?: string }).error || `HTTP ${response.status}`);
+  }
+
+  return data;
+}
+
+/**
+ * Fetch the server's RSA public key for password encryption
+ */
+export async function fetchPublicKey(): Promise<string> {
+  const data = await fetchJson<{ publicKey: string }>('/auth/connect');
+  return data.publicKey;
+}
+
+/**
+ * Check if the wallet server is running
+ */
+export async function isServerRunning(): Promise<boolean> {
+  try {
+    await fetchJson('/health');
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Poll /health until the server is up, or timeout
+ */
+export async function waitForServer(timeoutMs: number = 15000): Promise<void> {
+  const start = Date.now();
+  while (Date.now() - start < timeoutMs) {
+    if (await isServerRunning()) return;
+    await new Promise((r) => setTimeout(r, 500));
+  }
+  throw new Error(`Server did not start within ${timeoutMs / 1000}s`);
+}
+
+/**
+ * Setup status from GET /setup
+ */
+export interface SetupStatus {
+  hasWallet: boolean;
+  unlocked: boolean;
+  address: string | null;
+  adapters?: { telegram: boolean; webhook: boolean };
+  apiKeys?: { alchemy: boolean; anthropic: boolean };
+  defaultChain?: string;
+}
+
+/**
+ * Fetch setup status from the wallet server
+ */
+export async function fetchSetupStatus(): Promise<SetupStatus> {
+  return fetchJson<SetupStatus>('/setup');
+}

package/server/cli/lib/init-steps.ts

@@ -0,0 +1,76 @@
+/**
+ * Filesystem + Prisma setup steps for init command
+ */
+
+import * as path from 'path';
+import * as fs from 'fs';
+import * as os from 'os';
+import { execSync } from 'child_process';
+import { findProjectRoot } from './process';
+
+function getDataDir(): string {
+  return process.env.WALLET_DATA_DIR || path.join(os.homedir(), '.aurawallet');
+}
+
+/**
+ * Create the ~/.aurawallet/ directory structure
+ */
+export function ensureDirectories(): void {
+  const dataDir = getDataDir();
+  const dirs = [
+    dataDir,
+    path.join(dataDir, 'hot'),
+    path.join(dataDir, 'pending'),
+  ];
+
+  for (const dir of dirs) {
+    if (!fs.existsSync(dir)) {
+      fs.mkdirSync(dir, { recursive: true });
+    }
+  }
+
+  // Root-level tmp/backups directories are no longer created here.
+}
+
+/**
+ * Run Prisma migrations against ~/.aurawallet/aurawallet.db
+ */
+export function runMigrations(root?: string): void {
+  const projectRoot = root || findProjectRoot();
+  const dbUrl = process.env.DATABASE_URL || `file:${getDataDir()}/aurawallet.db`;
+  const env = { ...process.env, DATABASE_URL: dbUrl };
+
+  try {
+    // Try deploy first (production-style, no prompts)
+    execSync('npx prisma migrate deploy', {
+      cwd: projectRoot,
+      env,
+      stdio: 'pipe',
+    });
+  } catch {
+    // Fallback to dev migration (creates migration if needed)
+    execSync('npx prisma migrate dev --name init', {
+      cwd: projectRoot,
+      env,
+      stdio: 'pipe',
+    });
+  }
+}
+
+/**
+ * Generate the Prisma client
+ */
+export function generatePrismaClient(root?: string): void {
+  const projectRoot = root || findProjectRoot();
+  execSync('npx prisma generate', {
+    cwd: projectRoot,
+    stdio: 'pipe',
+  });
+}
+
+/**
+ * Check if a primary vault file already exists
+ */
+export function hasVault(): boolean {
+  return fs.existsSync(path.join(getDataDir(), 'vault-primary.json'));
+}