npm - auramaxx - Versions diffs - 1.0.0-alpha.4 - Mend

auramaxx 1.0.0-alpha.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (363) hide show

package/LICENSE +26 -0
package/README.md +112 -0
package/bin/aurawallet.js +121 -0
package/docs/ADAPTERS.md +467 -0
package/docs/API.md +2679 -0
package/docs/APPS.md +198 -0
package/docs/ARCHITECTURE.md +350 -0
package/docs/AUTH.md +698 -0
package/docs/BEST-PRACTICES.md +121 -0
package/docs/CLI.md +61 -0
package/docs/DEVELOPING-APPS.md +452 -0
package/docs/EXTENSION.md +97 -0
package/docs/JOBS.md +33 -0
package/docs/MCP.md +76 -0
package/docs/PROTOCOL.md +142 -0
package/docs/SETUP.md +219 -0
package/docs/WORKSPACE.md +672 -0
package/docs/agent-auth.md +63 -0
package/docs/aura-file.md +48 -0
package/docs/credentials.md +53 -0
package/docs/external/getting-started.md +65 -0
package/docs/external/overview.md +45 -0
package/docs/external/use-cases.md +48 -0
package/docs/external/why-aura.md +35 -0
package/docs/jobs/connect-agent.md +77 -0
package/docs/jobs/migrate-from-dotenv.md +79 -0
package/docs/jobs/recover-from-lockout.md +72 -0
package/docs/jobs/secure-ci.md +63 -0
package/docs/oauth2.md +42 -0
package/docs/passkeys.md +60 -0
package/docs/security.md +540 -0
package/docs/specs/aura-open-protocol.md +61 -0
package/docs/specs/aura-provider-plugin.md +24 -0
package/docs/specs/aura-registry-model.md +31 -0
package/docs/specs/fixtures/invalid-bad-key.aura +1 -0
package/docs/specs/fixtures/invalid-bad-unicode-escape.aura +1 -0
package/docs/specs/fixtures/invalid-duplicate-key.aura +2 -0
package/docs/specs/fixtures/valid-basic.aura +4 -0
package/docs/specs/fixtures/valid-provider-ref.aura +1 -0
package/docs/specs/fixtures/valid-quoted-escapes.aura +2 -0
package/docs/templates/RELEASE_NOTES_TEMPLATE.md +22 -0
package/docs/totp.md +40 -0
package/docs/wallet/AI.md +508 -0
package/docs/wallet/DEVELOPING-STRATEGIES.md +713 -0
package/docs/wallet/README.md +47 -0
package/docs/wallet/STRATEGY.md +89 -0
package/next.config.ts +21 -0
package/package.json +151 -0
package/postcss.config.mjs +8 -0
package/prisma/migrations/20260214170000_baseline/migration.sql +511 -0
package/prisma/migrations/20260216214537_add_passkey_model/migration.sql +18 -0
package/prisma/migrations/20260217150500_add_credential_access_audit/migration.sql +31 -0
package/prisma/migrations/migration_lock.toml +3 -0
package/prisma/schema.prisma +447 -0
package/public/logo-chevron.svg +31 -0
package/public/logo-concentric.svg +31 -0
package/public/logo-crosshatch.svg +39 -0
package/public/logo-dashed.svg +39 -0
package/public/logo-horizontal.svg +31 -0
package/public/logo-m56.svg +64 -0
package/public/logo.webp +0 -0
package/scripts/add-app.js +245 -0
package/scripts/init.sh +57 -0
package/scripts/migrate-apikeys-to-credentials.ts +35 -0
package/scripts/sandbox-agent-flow.sh +235 -0
package/scripts/sandbox.sh +175 -0
package/scripts/validate-job-docs.mjs +125 -0
package/server/abi/SwapHelper.json +438 -0
package/server/cli/approval.ts +447 -0
package/server/cli/commands/app.ts +204 -0
package/server/cli/commands/cron.ts +24 -0
package/server/cli/commands/doctor.ts +1007 -0
package/server/cli/commands/env.ts +456 -0
package/server/cli/commands/init.ts +752 -0
package/server/cli/commands/mcp.ts +125 -0
package/server/cli/commands/restore.ts +314 -0
package/server/cli/commands/shell-hook.ts +468 -0
package/server/cli/commands/start.ts +62 -0
package/server/cli/commands/status.ts +59 -0
package/server/cli/commands/stop.ts +14 -0
package/server/cli/commands/token.ts +180 -0
package/server/cli/commands/unlock.ts +49 -0
package/server/cli/commands/vault.ts +417 -0
package/server/cli/index.ts +328 -0
package/server/cli/lib/aura-parser.ts +64 -0
package/server/cli/lib/credential-create.ts +74 -0
package/server/cli/lib/credential-resolve.ts +254 -0
package/server/cli/lib/dotenv-migrate.ts +116 -0
package/server/cli/lib/dotenv-parser.ts +146 -0
package/server/cli/lib/http.ts +91 -0
package/server/cli/lib/init-steps.ts +76 -0
package/server/cli/lib/local-agent-trust.ts +45 -0
package/server/cli/lib/process.ts +136 -0
package/server/cli/lib/prompt.ts +85 -0
package/server/cli/lib/theme.ts +240 -0
package/server/cli/socket.ts +570 -0
package/server/cli/transport-client.ts +50 -0
package/server/cron/index.ts +137 -0
package/server/cron/job.ts +31 -0
package/server/cron/jobs/balance-sync.ts +436 -0
package/server/cron/jobs/incoming-scan.ts +506 -0
package/server/cron/jobs/native-price.ts +70 -0
package/server/cron/jobs/orphan-cleanup.ts +40 -0
package/server/cron/jobs/strategy-runner.ts +175 -0
package/server/cron/scheduler.ts +125 -0
package/server/index.ts +406 -0
package/server/lib/adapters/factory.ts +110 -0
package/server/lib/adapters/index.ts +19 -0
package/server/lib/adapters/router.ts +297 -0
package/server/lib/adapters/telegram.ts +645 -0
package/server/lib/adapters/types.ts +89 -0
package/server/lib/adapters/webhook.ts +95 -0
package/server/lib/address.ts +49 -0
package/server/lib/agent-auth/contracts.ts +1194 -0
package/server/lib/agent-profiles.ts +328 -0
package/server/lib/ai.ts +285 -0
package/server/lib/api-registry/contracts.ts +86 -0
package/server/lib/api-registry/validation.ts +172 -0
package/server/lib/apikey-migration.ts +189 -0
package/server/lib/app-installer.ts +505 -0
package/server/lib/app-tokens.ts +247 -0
package/server/lib/auth.ts +314 -0
package/server/lib/batch.ts +242 -0
package/server/lib/cold.ts +874 -0
package/server/lib/config.ts +381 -0
package/server/lib/credential-access-audit.ts +85 -0
package/server/lib/credential-access-policy.ts +110 -0
package/server/lib/credential-health.ts +343 -0
package/server/lib/credential-import.ts +487 -0
package/server/lib/credential-scope.ts +87 -0
package/server/lib/credential-shares.ts +190 -0
package/server/lib/credential-transport.ts +342 -0
package/server/lib/credential-vault.ts +77 -0
package/server/lib/credentials.ts +333 -0
package/server/lib/crypto.ts +8 -0
package/server/lib/db.ts +15 -0
package/server/lib/defaults.ts +366 -0
package/server/lib/dex/index.ts +80 -0
package/server/lib/dex/relay.ts +235 -0
package/server/lib/dex/types.ts +59 -0
package/server/lib/dex/uniswap.ts +370 -0
package/server/lib/e2e-agent/artifacts.ts +36 -0
package/server/lib/e2e-agent/contracts.ts +112 -0
package/server/lib/e2e-agent/validation.ts +135 -0
package/server/lib/encrypt.ts +128 -0
package/server/lib/error.ts +20 -0
package/server/lib/events.ts +205 -0
package/server/lib/hot.ts +357 -0
package/server/lib/key-fingerprint.ts +28 -0
package/server/lib/logger.ts +331 -0
package/server/lib/network.ts +137 -0
package/server/lib/notifications.ts +219 -0
package/server/lib/oauth2-refresh.ts +241 -0
package/server/lib/oursecret.ts +54 -0
package/server/lib/passkey-credential.ts +360 -0
package/server/lib/passkey.ts +68 -0
package/server/lib/permissions.ts +248 -0
package/server/lib/pino.ts +24 -0
package/server/lib/policy-preview.ts +138 -0
package/server/lib/price.ts +338 -0
package/server/lib/prices.ts +34 -0
package/server/lib/project-scope.ts +239 -0
package/server/lib/resolve-action.ts +427 -0
package/server/lib/resolve.ts +36 -0
package/server/lib/sessions.ts +632 -0
package/server/lib/solana/connection.ts +26 -0
package/server/lib/solana/jupiter.ts +128 -0
package/server/lib/solana/transfer.ts +108 -0
package/server/lib/solana/wallet.ts +136 -0
package/server/lib/strategy/emits.ts +21 -0
package/server/lib/strategy/engine.ts +1305 -0
package/server/lib/strategy/executor.ts +115 -0
package/server/lib/strategy/hook-context.ts +158 -0
package/server/lib/strategy/hooks.ts +990 -0
package/server/lib/strategy/index.ts +28 -0
package/server/lib/strategy/installer.ts +305 -0
package/server/lib/strategy/loader.ts +256 -0
package/server/lib/strategy/message.ts +235 -0
package/server/lib/strategy/repository.ts +218 -0
package/server/lib/strategy/session-logger.ts +693 -0
package/server/lib/strategy/sources.ts +288 -0
package/server/lib/strategy/state.ts +189 -0
package/server/lib/strategy/templates.ts +403 -0
package/server/lib/strategy/tick.ts +404 -0
package/server/lib/strategy/types.ts +230 -0
package/server/lib/swap.ts +3 -0
package/server/lib/temp.ts +86 -0
package/server/lib/token-metadata.ts +86 -0
package/server/lib/token-safety.ts +200 -0
package/server/lib/token-search.ts +444 -0
package/server/lib/totp.ts +194 -0
package/server/lib/transactions.ts +123 -0
package/server/lib/transport.ts +75 -0
package/server/lib/txhistory/decoder.ts +262 -0
package/server/lib/txhistory/enricher.ts +652 -0
package/server/lib/txhistory/index.ts +391 -0
package/server/lib/txhistory/signatures.ts +59 -0
package/server/lib/verified-summary.ts +421 -0
package/server/mcp/profile-policy.ts +30 -0
package/server/mcp/server.ts +619 -0
package/server/mcp/tools.ts +523 -0
package/server/middleware/auth.ts +119 -0
package/server/middleware/requestLogger.ts +84 -0
package/server/routes/actions.ts +459 -0
package/server/routes/adapters.ts +703 -0
package/server/routes/addressbook.ts +113 -0
package/server/routes/ai.ts +34 -0
package/server/routes/apikeys.ts +295 -0
package/server/routes/apps.ts +601 -0
package/server/routes/auth.ts +457 -0
package/server/routes/backup.ts +340 -0
package/server/routes/batch.ts +270 -0
package/server/routes/bookmarks.ts +162 -0
package/server/routes/credential-shares.ts +198 -0
package/server/routes/credential-vaults.ts +154 -0
package/server/routes/credentials.ts +1290 -0
package/server/routes/dashboard.ts +71 -0
package/server/routes/defaults.ts +124 -0
package/server/routes/fund.ts +229 -0
package/server/routes/import.ts +352 -0
package/server/routes/launch.ts +665 -0
package/server/routes/lock.ts +54 -0
package/server/routes/logs.ts +68 -0
package/server/routes/nuke.ts +111 -0
package/server/routes/passkey-credentials.ts +99 -0
package/server/routes/passkey.ts +346 -0
package/server/routes/portfolio.ts +217 -0
package/server/routes/price.ts +63 -0
package/server/routes/resolve.ts +31 -0
package/server/routes/security.ts +45 -0
package/server/routes/send-evm.ts +241 -0
package/server/routes/send-solana.ts +281 -0
package/server/routes/send.ts +178 -0
package/server/routes/setup.ts +210 -0
package/server/routes/strategy.ts +894 -0
package/server/routes/swap-evm.ts +353 -0
package/server/routes/swap-solana.ts +177 -0
package/server/routes/swap.ts +356 -0
package/server/routes/token.ts +247 -0
package/server/routes/unlock.ts +403 -0
package/server/routes/wallet-assets.ts +361 -0
package/server/routes/wallet-transactions.ts +515 -0
package/server/routes/wallet.ts +710 -0
package/server/types.ts +146 -0
package/skills/aurawallet/SKILL.md +739 -0
package/skills/aurawallet-setup/SKILL.md +74 -0
package/skills/security-review/SKILL.md +148 -0
package/src/app/api/agent-requests/route.ts +30 -0
package/src/app/api/apps/install/route.ts +126 -0
package/src/app/api/apps/manifests/route.ts +16 -0
package/src/app/api/apps/static/[...path]/route.ts +57 -0
package/src/app/api/events/route.ts +92 -0
package/src/app/api/page.tsx +212 -0
package/src/app/api/workspace/[id]/apps/[wid]/route.ts +119 -0
package/src/app/api/workspace/[id]/apps/route.ts +81 -0
package/src/app/api/workspace/[id]/export/route.ts +67 -0
package/src/app/api/workspace/[id]/route.ts +168 -0
package/src/app/api/workspace/auth.ts +34 -0
package/src/app/api/workspace/config/route.ts +106 -0
package/src/app/api/workspace/import/route.ts +127 -0
package/src/app/api/workspace/route.ts +116 -0
package/src/app/app/page.tsx +2122 -0
package/src/app/apple-icon.png +0 -0
package/src/app/docs/page.tsx +178 -0
package/src/app/favicon.ico +0 -0
package/src/app/globals.css +572 -0
package/src/app/health/page.tsx +5 -0
package/src/app/hello/page.tsx +15 -0
package/src/app/icon.png +0 -0
package/src/app/layout.tsx +34 -0
package/src/app/page.tsx +986 -0
package/src/app/providers.tsx +90 -0
package/src/app/share/[token]/page.tsx +295 -0
package/src/components/ChainSelector.tsx +144 -0
package/src/components/HumanActionBar.tsx +695 -0
package/src/components/NotificationDrawer.tsx +129 -0
package/src/components/apps/AgentKeysApp.tsx +490 -0
package/src/components/apps/App.tsx +153 -0
package/src/components/apps/AppGrid.tsx +15 -0
package/src/components/apps/DetailedAddressDrawer.tsx +325 -0
package/src/components/apps/DraggableApp.tsx +562 -0
package/src/components/apps/IFrameApp.tsx +73 -0
package/src/components/apps/LogsApp.tsx +360 -0
package/src/components/apps/SendApp.tsx +394 -0
package/src/components/apps/SetupWizardApp.tsx +1004 -0
package/src/components/apps/SystemDefaultsApp.tsx +845 -0
package/src/components/apps/ThirdPartyApp.tsx +428 -0
package/src/components/apps/TokenApp.tsx +319 -0
package/src/components/apps/TransactionsApp.tsx +438 -0
package/src/components/apps/WalletDetailApp.tsx +1505 -0
package/src/components/apps/index.ts +13 -0
package/src/components/design-system/Button.tsx +53 -0
package/src/components/design-system/ChainIndicator.tsx +65 -0
package/src/components/design-system/ChainSelector.tsx +137 -0
package/src/components/design-system/ConfirmationModal.tsx +106 -0
package/src/components/design-system/ConfirmationPopover.tsx +81 -0
package/src/components/design-system/Drawer.tsx +123 -0
package/src/components/design-system/FilterDropdown.tsx +72 -0
package/src/components/design-system/Modal.tsx +206 -0
package/src/components/design-system/Popover.tsx +142 -0
package/src/components/design-system/TextInput.tsx +85 -0
package/src/components/design-system/Toggle.tsx +58 -0
package/src/components/design-system/index.ts +11 -0
package/src/components/docs/DocsThemeToggle.tsx +49 -0
package/src/components/health/CredentialHealthDashboard.tsx +214 -0
package/src/components/icons/ChainIcons.tsx +72 -0
package/src/components/layout/AppStoreDrawer.tsx +369 -0
package/src/components/layout/ContentArea.tsx +21 -0
package/src/components/layout/TabBar.tsx +278 -0
package/src/components/layout/WalletSidebar.tsx +1033 -0
package/src/components/layout/index.ts +4 -0
package/src/components/marketing/AuraWalletSpecOverlay.tsx +635 -0
package/src/components/marketing/DeviceMorphExperience.tsx +216 -0
package/src/components/vault/ApiKeysConsole.tsx +1080 -0
package/src/components/vault/AuditConsole.tsx +584 -0
package/src/components/vault/CredentialDetail.tsx +455 -0
package/src/components/vault/CredentialEmpty.tsx +55 -0
package/src/components/vault/CredentialField.tsx +361 -0
package/src/components/vault/CredentialForm.tsx +1212 -0
package/src/components/vault/CredentialList.tsx +165 -0
package/src/components/vault/CredentialRow.tsx +97 -0
package/src/components/vault/CredentialShareModal.tsx +178 -0
package/src/components/vault/CredentialVault.tsx +754 -0
package/src/components/vault/CredentialWalletWidget.tsx +103 -0
package/src/components/vault/ImportCredentialsModal.tsx +515 -0
package/src/components/vault/LargeTypeModal.tsx +64 -0
package/src/components/vault/PasswordGenerator.tsx +224 -0
package/src/components/vault/TOTPDisplay.tsx +123 -0
package/src/components/vault/VaultSidebar.tsx +413 -0
package/src/components/vault/types.ts +54 -0
package/src/context/AuthContext.tsx +337 -0
package/src/context/PriceContext.tsx +113 -0
package/src/context/ThemeContext.tsx +164 -0
package/src/context/WebSocketContext.tsx +269 -0
package/src/context/WorkspaceContext.tsx +668 -0
package/src/hooks/index.ts +3 -0
package/src/hooks/useAgentActions.ts +368 -0
package/src/hooks/useBalance.ts +103 -0
package/src/hooks/useBalances.ts +129 -0
package/src/instrumentation.ts +12 -0
package/src/lib/api.ts +449 -0
package/src/lib/app-loader.ts +148 -0
package/src/lib/app-registry.ts +178 -0
package/src/lib/app-sdk.ts +157 -0
package/src/lib/audit-console-adapter.ts +151 -0
package/src/lib/auth-client.ts +75 -0
package/src/lib/config.ts +74 -0
package/src/lib/crypto.ts +112 -0
package/src/lib/db.ts +21 -0
package/src/lib/docs.ts +390 -0
package/src/lib/events.ts +361 -0
package/src/lib/pino.ts +24 -0
package/src/lib/theme-handlers.ts +168 -0
package/src/lib/theme.ts +351 -0
package/src/lib/tokenData.ts +378 -0
package/src/lib/vault-crypto.ts +129 -0
package/src/lib/websocket-server.ts +302 -0
package/src/lib/websocket-setup.ts +79 -0
package/src/lib/wordlist.ts +2050 -0
package/src/lib/workspace-handlers.ts +285 -0
package/start.sh +80 -0
package/tailwind.config.ts +99 -0
package/tsconfig.json +42 -0

package/server/lib/credential-health.ts ADDED Viewed

@@ -0,0 +1,343 @@
+import { createHash, createHmac } from 'crypto';
+import { CredentialField, CredentialFile, CredentialType } from '../types';
+export type CredentialHealthStatus =
+  | 'unknown'
+  | 'weak_reused_breached'
+  | 'reused_breached'
+  | 'weak_breached'
+  | 'weak_reused'
+  | 'breached'
+  | 'reused'
+  | 'weak'
+  | 'safe';
+export interface CredentialHealthFlags {
+  weak: boolean;
+  reused: boolean;
+  breached: boolean;
+  unknown: boolean;
+}
+export interface CredentialHealthSummary {
+  total: number;
+  safe: number;
+  weak: number;
+  reused: number;
+  breached: number;
+  unknown: number;
+}
+export interface CredentialHealthEnvelope {
+  status: CredentialHealthStatus;
+  flags: CredentialHealthFlags;
+  evidence: {
+    reuseCount: number;
+    breachCount: number | null;
+    weakReasons: Array<'short_length' | 'low_charset_diversity' | 'low_entropy_estimate'>;
+  };
+  lastScannedAt: string | null;
+  engineVersion: string;
+}
+export interface CredentialHealthRow {
+  id: string;
+  name: string;
+  type: CredentialType;
+  vaultId: string;
+  health: CredentialHealthEnvelope;
+}
+const DEFAULT_CUSTOM_SENSITIVE_KEYS = new Set(['password', 'passwd', 'passphrase']);
+const EXPANDED_CUSTOM_SENSITIVE_KEYS = new Set(['secret', 'token']);
+const HEALTH_ENGINE_VERSION = '1';
+const DEFAULT_TIMEOUT_MS = 4_000;
+const HIBP_MAX_RETRIES = 2;
+export function deriveCredentialHealthStatus(
+  flags: CredentialHealthFlags,
+  opts?: { allDimensionsUnavailable?: boolean },
+): CredentialHealthStatus {
+  if (opts?.allDimensionsUnavailable) return 'unknown';
+  const { weak, reused, breached } = flags;
+  if (weak && reused && breached) return 'weak_reused_breached';
+  if (!weak && reused && breached) return 'reused_breached';
+  if (weak && !reused && breached) return 'weak_breached';
+  if (weak && reused && !breached) return 'weak_reused';
+  if (breached) return 'breached';
+  if (reused) return 'reused';
+  if (weak) return 'weak';
+  return 'safe';
+}
+export function summarizeCredentialHealthFlags(flagsList: CredentialHealthFlags[]): CredentialHealthSummary {
+  const summary: CredentialHealthSummary = {
+    total: flagsList.length,
+    safe: 0,
+    weak: 0,
+    reused: 0,
+    breached: 0,
+    unknown: 0,
+  };
+  for (const flags of flagsList) {
+    if (flags.weak) summary.weak += 1;
+    if (flags.reused) summary.reused += 1;
+    if (flags.breached) summary.breached += 1;
+    if (flags.unknown) summary.unknown += 1;
+    if (!flags.weak && !flags.reused && !flags.breached && !flags.unknown) {
+      summary.safe += 1;
+    }
+  }
+  return summary;
+}
+export function shouldScanSensitiveField(
+  credentialType: CredentialType,
+  key: string,
+  opts?: { expandedCustomSensitiveKeys?: boolean },
+): boolean {
+  const normalizedKey = key.toLowerCase();
+  if (credentialType === 'login') return normalizedKey === 'password';
+  if (credentialType === 'card') return normalizedKey === 'pin';
+  if (credentialType === 'api') return normalizedKey === 'passphrase';
+  if (credentialType !== 'custom') return false;
+  if (DEFAULT_CUSTOM_SENSITIVE_KEYS.has(normalizedKey)) return true;
+  return !!opts?.expandedCustomSensitiveKeys && EXPANDED_CUSTOM_SENSITIVE_KEYS.has(normalizedKey);
+}
+function countByteFrequencies(bytes: Buffer): Map<number, number> {
+  const counts = new Map<number, number>();
+  for (const b of bytes) {
+    counts.set(b, (counts.get(b) || 0) + 1);
+  }
+  return counts;
+}
+function getCategoryCount(secret: string): number {
+  let lower = false;
+  let upper = false;
+  let digit = false;
+  let symbol = false;
+  for (const ch of secret) {
+    if (/[a-z]/.test(ch)) {
+      lower = true;
+    } else if (/[A-Z]/.test(ch)) {
+      upper = true;
+    } else if (/[0-9]/.test(ch)) {
+      digit = true;
+    } else {
+      symbol = true;
+    }
+  }
+  return Number(lower) + Number(upper) + Number(digit) + Number(symbol);
+}
+export interface WeaknessAnalysis {
+  weak: boolean;
+  reasons: Array<'short_length' | 'low_charset_diversity' | 'low_entropy_estimate'>;
+  codePointLength: number;
+  entropyBits: number;
+  entropyBitsRounded: number;
+  categoryCount: number;
+}
+export function analyzeSecretWeakness(secret: string, minEntropy = 50): WeaknessAnalysis {
+  const codePointLength = [...secret].length;
+  const categoryCount = getCategoryCount(secret);
+  const bytes = Buffer.from(secret, 'utf8');
+  let entropyPerByte = 0;
+  if (bytes.length > 0) {
+    const counts = countByteFrequencies(bytes);
+    for (const count of counts.values()) {
+      const p = count / bytes.length;
+      entropyPerByte -= p * Math.log2(p);
+    }
+  }
+  const entropyBits = entropyPerByte * bytes.length;
+  const reasons: WeaknessAnalysis['reasons'] = [];
+  if (codePointLength < 12) reasons.push('short_length');
+  if (categoryCount < 3) reasons.push('low_charset_diversity');
+  if (entropyBits < minEntropy) reasons.push('low_entropy_estimate');
+  return {
+    weak: reasons.length > 0,
+    reasons,
+    codePointLength,
+    entropyBits,
+    entropyBitsRounded: Math.round(entropyBits * 100) / 100,
+    categoryCount,
+  };
+}
+export type HealthLogPhase = 'normalize' | 'reuse' | 'weak' | 'hibp_fetch' | 'hibp_match' | 'persist';
+export type HealthLogErrorClass = 'timeout' | 'network' | 'rate_limit' | 'parse' | 'internal';
+const HEALTH_LOG_ALLOWLIST = new Set([
+  'credentialId',
+  'vaultId',
+  'scanId',
+  'phase',
+  'errorClass',
+  'processed',
+  'total',
+  'durationMs',
+]);
+export function redactHealthLogMetadata(metadata: Record<string, unknown>): Record<string, unknown> {
+  const redacted: Record<string, unknown> = {};
+  for (const [key, value] of Object.entries(metadata)) {
+    if (HEALTH_LOG_ALLOWLIST.has(key)) {
+      redacted[key] = value;
+    }
+  }
+  return redacted;
+}
+function firstEligibleSecret(credential: CredentialFile, fields: CredentialField[]): string | null {
+  const expanded = process.env.HEALTH_SCAN_CUSTOM_SENSITIVE_KEYS === 'true';
+  const field = fields.find((f) => shouldScanSensitiveField(credential.type, f.key, { expandedCustomSensitiveKeys: expanded }));
+  return field?.value ?? null;
+}
+function secretReuseDigest(secret: string): string {
+  const pepper = process.env.HEALTH_SECRET_PEPPER || 'aurawallet-health-pepper-dev';
+  return createHmac('sha256', pepper).update(secret, 'utf8').digest('hex');
+}
+function sha1Hex(secret: string): string {
+  return createHash('sha1').update(secret, 'utf8').digest('hex').toUpperCase();
+}
+const hibpCache = new Map<string, { expiresAt: number; lines: string[] }>();
+async function hibpRangeLookup(prefix: string, fetchImpl: typeof fetch): Promise<string[]> {
+  const cached = hibpCache.get(prefix);
+  const now = Date.now();
+  if (cached && cached.expiresAt > now) return cached.lines;
+  const controller = new AbortController();
+  const timeout = setTimeout(() => controller.abort(), DEFAULT_TIMEOUT_MS);
+  try {
+    const response = await fetchImpl(`https://api.pwnedpasswords.com/range/${prefix}`, {
+      method: 'GET',
+      signal: controller.signal,
+      headers: {
+        'Add-Padding': 'true',
+      },
+    });
+    if (!response.ok) {
+      throw new Error(`HIBP range lookup failed (${response.status})`);
+    }
+    const body = await response.text();
+    const lines = body.split('\n').map((line) => line.trim()).filter(Boolean);
+    hibpCache.set(prefix, { expiresAt: now + 24 * 60 * 60 * 1000, lines });
+    return lines;
+  } finally {
+    clearTimeout(timeout);
+  }
+}
+async function resolveBreachCount(secret: string, fetchImpl: typeof fetch): Promise<number | null> {
+  const full = sha1Hex(secret);
+  const prefix = full.slice(0, 5);
+  const suffix = full.slice(5);
+  for (let attempt = 0; attempt <= HIBP_MAX_RETRIES; attempt++) {
+    try {
+      const lines = await hibpRangeLookup(prefix, fetchImpl);
+      for (const line of lines) {
+        const idx = line.indexOf(':');
+        if (idx <= 0) continue;
+        const lineSuffix = line.slice(0, idx).trim();
+        if (lineSuffix.toUpperCase() !== suffix) continue;
+        const count = Number.parseInt(line.slice(idx + 1).trim(), 10);
+        return Number.isFinite(count) ? count : 0;
+      }
+      return 0;
+    } catch {
+      if (attempt === HIBP_MAX_RETRIES) return null;
+      await new Promise((resolve) => setTimeout(resolve, attempt === 0 ? 250 : 750));
+    }
+  }
+  return null;
+}
+export async function buildCredentialHealthRows(
+  credentials: CredentialFile[],
+  readSecrets: (credentialId: string) => CredentialField[],
+  opts?: { fetchImpl?: typeof fetch; minEntropy?: number },
+): Promise<CredentialHealthRow[]> {
+  const fetchImpl = opts?.fetchImpl || fetch;
+  const minEntropy = opts?.minEntropy ?? Number(process.env.HEALTH_MIN_ENTROPY || 50);
+  const usable: Array<{ credential: CredentialFile; secret: string }> = [];
+  for (const credential of credentials) {
+    try {
+      const secrets = readSecrets(credential.id);
+      const secret = firstEligibleSecret(credential, secrets);
+      if (!secret) continue;
+      usable.push({ credential, secret });
+    } catch {
+      // Skip locked/inaccessible credential.
+    }
+  }
+  const reuseClusters = new Map<string, number>();
+  for (const entry of usable) {
+    const digest = secretReuseDigest(entry.secret);
+    reuseClusters.set(digest, (reuseClusters.get(digest) || 0) + 1);
+  }
+  const rows: CredentialHealthRow[] = [];
+  for (const entry of usable) {
+    const weakness = analyzeSecretWeakness(entry.secret, minEntropy);
+    const reuseCount = reuseClusters.get(secretReuseDigest(entry.secret)) || 1;
+    const breachChecksEnabled = process.env.HEALTH_BREACH_CHECK === 'true';
+    const breachCount = breachChecksEnabled ? await resolveBreachCount(entry.secret, fetchImpl) : null;
+    const flags: CredentialHealthFlags = {
+      weak: weakness.weak,
+      reused: reuseCount >= 2,
+      breached: typeof breachCount === 'number' && breachCount > 0,
+      unknown: breachCount === null,
+    };
+    const allDimensionsUnavailable = breachCount === null && !flags.weak && !flags.reused;
+    rows.push({
+      id: entry.credential.id,
+      name: entry.credential.name,
+      type: entry.credential.type,
+      vaultId: entry.credential.vaultId,
+      health: {
+        status: deriveCredentialHealthStatus(flags, { allDimensionsUnavailable }),
+        flags,
+        evidence: {
+          reuseCount,
+          breachCount,
+          weakReasons: weakness.reasons,
+        },
+        lastScannedAt: new Date().toISOString(),
+        engineVersion: HEALTH_ENGINE_VERSION,
+      },
+    });
+  }
+  return rows;
+}