auramaxx 1.0.0-alpha.4

package/server/routes/bookmarks.ts

@@ -0,0 +1,162 @@
+import { Router, Request, Response } from 'express';
+import { prisma } from '../lib/db';
+import { upsertTokenMetadata } from '../lib/token-metadata';
+import { safeJsonParse } from '../lib/token-search';
+import { requireWalletAuth, optionalWalletAuth } from '../middleware/auth';
+import { isAdmin } from '../lib/permissions';
+import { getErrorMessage } from '../lib/error';
+
+const router = Router();
+
+// GET /bookmarks - List all bookmarked tokens (TrackedAsset where walletAddress is null)
+router.get('/', optionalWalletAuth, async (req: Request, res: Response) => {
+  try {
+    const chain = req.query.chain as string | undefined;
+    const q = req.query.q as string | undefined;
+
+    const where: Record<string, unknown> = {
+      walletAddress: null,
+    };
+
+    if (chain) where.chain = chain;
+
+    if (q) {
+      where.OR = [
+        { symbol: { contains: q.toUpperCase() } },
+        { name: { contains: q.toLowerCase() } },
+        { tokenAddress: { contains: q.toLowerCase() } },
+      ];
+    }
+
+    const bookmarks = await prisma.trackedAsset.findMany({
+      where,
+      orderBy: { updatedAt: 'desc' },
+    });
+
+    // Enrich with TokenMetadata if available
+    const tokenKeys = bookmarks.map(b => ({ tokenAddress: b.tokenAddress, chain: b.chain }));
+    const metadata = tokenKeys.length > 0
+      ? await prisma.tokenMetadata.findMany({
+          where: {
+            OR: tokenKeys.map(k => ({
+              tokenAddress: k.tokenAddress,
+              chain: k.chain,
+            })),
+          },
+        })
+      : [];
+
+    const metaMap = new Map(metadata.map(m => [`${m.tokenAddress}:${m.chain}`, m]));
+
+    const enriched = bookmarks.map(b => {
+      const meta = metaMap.get(`${b.tokenAddress}:${b.chain}`);
+      return {
+        ...b,
+        symbol: meta?.symbol ?? b.symbol,
+        name: meta?.name ?? b.name,
+        decimals: meta?.decimals ?? b.decimals,
+        icon: meta?.icon ?? b.icon,
+        priceUsd: meta?.priceUsd ?? null,
+        marketCap: meta?.marketCap ?? null,
+        fdv: meta?.fdv ?? null,
+        liquidity: meta?.liquidity ?? null,
+        volume24h: meta?.volume24h ?? null,
+        dexId: meta?.dexId ?? null,
+        pairAddress: meta?.pairAddress ?? null,
+        websites: meta?.websites ? safeJsonParse(meta.websites, []) : [],
+        socials: meta?.socials ? safeJsonParse(meta.socials, []) : [],
+      };
+    });
+
+    res.json({ success: true, bookmarks: enriched });
+  } catch (error) {
+    const message = getErrorMessage(error);
+    res.status(400).json({ error: message });
+  }
+});
+
+// POST /bookmarks - Create a token bookmark
+router.post('/', requireWalletAuth, async (req: Request, res: Response) => {
+  try {
+    const auth = req.auth!;
+
+    // Check permission
+    if (!isAdmin(auth)) {
+      const perms = auth.token.permissions;
+      if (!perms.includes('bookmark:write') && !perms.includes('admin:*')) {
+        res.status(403).json({ error: 'Token does not have bookmark:write permission' });
+        return;
+      }
+    }
+
+    const { tokenAddress, chain = 'base' } = req.body;
+
+    if (!tokenAddress) {
+      res.status(400).json({ error: 'tokenAddress is required' });
+      return;
+    }
+
+    const normalizedToken = tokenAddress.toLowerCase();
+
+    // Find-or-create bookmark (Prisma can't upsert on compound unique with NULL)
+    let bookmark = await prisma.trackedAsset.findFirst({
+      where: { walletAddress: null, tokenAddress: normalizedToken, chain },
+    });
+
+    if (bookmark) {
+      bookmark = await prisma.trackedAsset.update({
+        where: { id: bookmark.id },
+        data: { updatedAt: new Date() },
+      });
+    } else {
+      bookmark = await prisma.trackedAsset.create({
+        data: {
+          walletAddress: null,
+          tokenAddress: normalizedToken,
+          chain,
+        },
+      });
+    }
+
+    // Seed TokenMetadata if not cached
+    upsertTokenMetadata(normalizedToken, chain);
+
+    res.json({ success: true, bookmark });
+  } catch (error) {
+    const message = getErrorMessage(error);
+    res.status(400).json({ error: message });
+  }
+});
+
+// DELETE /bookmarks/:id - Delete a bookmark
+router.delete('/:id', requireWalletAuth, async (req: Request<{ id: string }>, res: Response) => {
+  try {
+    const auth = req.auth!;
+
+    // Check permission
+    if (!isAdmin(auth)) {
+      const perms = auth.token.permissions;
+      if (!perms.includes('bookmark:write') && !perms.includes('admin:*')) {
+        res.status(403).json({ error: 'Token does not have bookmark:write permission' });
+        return;
+      }
+    }
+
+    const { id } = req.params;
+
+    const existing = await prisma.trackedAsset.findUnique({ where: { id } });
+    if (!existing || existing.walletAddress !== null) {
+      res.status(404).json({ error: 'Bookmark not found' });
+      return;
+    }
+
+    await prisma.trackedAsset.delete({ where: { id } });
+
+    res.json({ success: true });
+  } catch (error) {
+    const message = getErrorMessage(error);
+    res.status(400).json({ error: message });
+  }
+});
+
+export default router;

package/server/routes/credential-shares.ts

@@ -0,0 +1,198 @@
+import { Request, Response, Router } from 'express';
+import {
+  createCredentialShare,
+  consumeCredentialShare,
+  getCredentialShare,
+  getCredentialShareStatus,
+  ShareAccessMode,
+  ShareExpiresAfter,
+} from '../lib/credential-shares';
+import { getCredential, readCredentialSecrets } from '../lib/credentials';
+import { hasAnyPermission, isAdmin } from '../lib/permissions';
+import { matchesScope } from '../lib/credential-scope';
+import { CredentialFile } from '../types';
+import { requireWalletAuth } from '../middleware/auth';
+import { getErrorMessage } from '../lib/error';
+
+const router = Router();
+
+const SHARE_EXPIRY_OPTIONS = new Set<ShareExpiresAfter>(['15m', '1h', '24h', '7d', '30d']);
+
+function canReadCredential(req: Request, credential: CredentialFile): boolean {
+  const auth = req.auth!;
+  if (isAdmin(auth)) return true;
+  if (!hasAnyPermission(auth.token.permissions, ['secret:read'])) return false;
+  const scopes = auth.token.credentialAccess?.read || [];
+  return matchesScope(credential, scopes);
+}
+
+// GET /credential-shares/:token - public share metadata
+router.get('/:token', (req: Request<{ token: string }>, res: Response) => {
+  const share = getCredentialShare(req.params.token);
+  if (!share) {
+    res.status(404).json({ success: false, error: 'Share link not found' });
+    return;
+  }
+
+  const credential = getCredential(share.credentialId);
+  if (!credential) {
+    res.status(410).json({ success: false, error: 'Shared credential no longer exists', reason: 'credential_missing' });
+    return;
+  }
+
+  const status = getCredentialShareStatus(share);
+  if (status.isExpired) {
+    res.status(410).json({ success: false, error: 'Share link expired', reason: 'expired' });
+    return;
+  }
+  if (status.isAlreadyViewed) {
+    res.status(410).json({ success: false, error: 'Share link already used', reason: 'already_viewed' });
+    return;
+  }
+
+  res.json({
+    success: true,
+    share: {
+      token: share.token,
+      credentialId: share.credentialId,
+      credentialName: credential.name,
+      credentialType: credential.type,
+      expiresAt: share.expiresAt,
+      accessMode: share.accessMode,
+      passwordRequired: share.accessMode === 'password',
+      oneTimeOnly: share.oneTimeOnly,
+      viewCount: share.viewCount,
+      maxViews: share.oneTimeOnly ? 1 : null,
+    },
+  });
+});
+
+// POST /credential-shares/:token/read - public shared credential read
+router.post('/:token/read', (req: Request<{ token: string }>, res: Response) => {
+  const password = typeof req.body?.password === 'string' ? req.body.password : undefined;
+  const result = consumeCredentialShare(req.params.token, password);
+
+  if (!result.ok) {
+    if (result.reason === 'not_found') {
+      res.status(404).json({ success: false, error: 'Share link not found', reason: 'not_found' });
+      return;
+    }
+    if (result.reason === 'expired') {
+      res.status(410).json({ success: false, error: 'Share link expired', reason: 'expired' });
+      return;
+    }
+    if (result.reason === 'already_viewed') {
+      res.status(410).json({ success: false, error: 'Share link already used', reason: 'already_viewed' });
+      return;
+    }
+    if (result.reason === 'password_required') {
+      res.status(401).json({ success: false, error: 'Share password required', reason: 'password_required' });
+      return;
+    }
+    res.status(401).json({ success: false, error: 'Invalid share password', reason: 'invalid_password' });
+    return;
+  }
+
+  const credential = getCredential(result.share.credentialId);
+  if (!credential) {
+    res.status(410).json({ success: false, error: 'Shared credential no longer exists', reason: 'credential_missing' });
+    return;
+  }
+
+  try {
+    const fields = readCredentialSecrets(credential.id);
+    res.json({
+      success: true,
+      credential: {
+        id: credential.id,
+        name: credential.name,
+        type: credential.type,
+        meta: credential.meta,
+        fields,
+        createdAt: credential.createdAt,
+        updatedAt: credential.updatedAt,
+      },
+    });
+  } catch (error) {
+    const message = getErrorMessage(error);
+    if (message.toLowerCase().includes('locked')) {
+      res.status(423).json({ success: false, error: 'Vault is locked', reason: 'vault_locked' });
+      return;
+    }
+    res.status(500).json({ success: false, error: message });
+  }
+});
+
+router.use(requireWalletAuth);
+
+// POST /credential-shares - create a share link
+router.post('/', (req: Request, res: Response) => {
+  try {
+    const auth = req.auth!;
+    if (!isAdmin(auth) && !hasAnyPermission(auth.token.permissions, ['secret:read'])) {
+      res.status(403).json({ success: false, error: 'secret:read permission required' });
+      return;
+    }
+
+    const credentialId = typeof req.body?.credentialId === 'string' ? req.body.credentialId.trim() : '';
+    if (!credentialId) {
+      res.status(400).json({ success: false, error: 'credentialId is required' });
+      return;
+    }
+
+    const credential = getCredential(credentialId);
+    if (!credential) {
+      res.status(404).json({ success: false, error: 'Credential not found' });
+      return;
+    }
+    if (!canReadCredential(req, credential)) {
+      res.status(403).json({ success: false, error: 'Credential read scope denied' });
+      return;
+    }
+
+    const expiresAfterRaw = typeof req.body?.expiresAfter === 'string' ? req.body.expiresAfter : '24h';
+    const expiresAfter = expiresAfterRaw as ShareExpiresAfter;
+    if (!SHARE_EXPIRY_OPTIONS.has(expiresAfter)) {
+      res.status(400).json({ success: false, error: 'expiresAfter must be one of: 15m, 1h, 24h, 7d, 30d' });
+      return;
+    }
+
+    const accessModeRaw = typeof req.body?.accessMode === 'string' ? req.body.accessMode : 'anyone';
+    const accessMode = accessModeRaw as ShareAccessMode;
+    if (accessMode !== 'anyone' && accessMode !== 'password') {
+      res.status(400).json({ success: false, error: 'accessMode must be either "anyone" or "password"' });
+      return;
+    }
+
+    const oneTimeOnly = req.body?.oneTimeOnly === true;
+    const password = typeof req.body?.password === 'string' ? req.body.password : undefined;
+    if (accessMode === 'password' && (!password || password.length === 0)) {
+      res.status(400).json({ success: false, error: 'password is required when accessMode is "password"' });
+      return;
+    }
+
+    const share = createCredentialShare({
+      credentialId,
+      createdBy: isAdmin(auth) ? 'admin' : auth.token.agentId,
+      expiresAfter,
+      accessMode,
+      password,
+      oneTimeOnly,
+    });
+
+    res.json({
+      success: true,
+      share: {
+        token: share.token,
+        credentialId: share.credentialId,
+        expiresAt: share.expiresAt,
+        accessMode: share.accessMode,
+        oneTimeOnly: share.oneTimeOnly,
+      },
+    });
+  } catch (error) {
+    res.status(400).json({ success: false, error: getErrorMessage(error) });
+  }
+});
+
+export default router;

package/server/routes/credential-vaults.ts

@@ -0,0 +1,154 @@
+import { Request, Response, Router } from 'express';
+import { createVault, deleteVault, getPrimaryVaultId, getPrimaryVaultPassword, listVaults, lockVault, type VaultMode } from '../lib/cold';
+import { deleteCredential, listCredentials } from '../lib/credentials';
+import { requireAdmin } from '../lib/permissions';
+import { requireWalletAuth } from '../middleware/auth';
+import { parseEncryptedPassword } from '../lib/transport';
+import { HttpError, getErrorMessage } from '../lib/error';
+
+const router = Router();
+
+function resolvePassword(body: Record<string, unknown>): string {
+  const encrypted = body.encrypted;
+  const password = body.password;
+
+  if (typeof encrypted === 'string') {
+    return parseEncryptedPassword(encrypted);
+  }
+
+  if (typeof password === 'string') {
+    if (password.length < 8) {
+      throw new HttpError(400, 'Password must be at least 8 characters');
+    }
+    return password;
+  }
+
+  throw new HttpError(400, 'Password is required (encrypted or plaintext)');
+}
+
+function resolveVaultMode(body: Record<string, unknown>): Exclude<VaultMode, 'primary'> {
+  const mode = body.mode;
+  if (mode === undefined) return 'linked';
+  if (mode === 'linked' || mode === 'independent') return mode;
+  throw new HttpError(400, 'mode must be either "linked" or "independent"');
+}
+
+function resolveLinkedTarget(body: Record<string, unknown>): string | undefined {
+  const linkedTo = body.linkedTo;
+  if (linkedTo === undefined || linkedTo === null || linkedTo === '') return undefined;
+  if (typeof linkedTo === 'string') return linkedTo.trim();
+  throw new HttpError(400, 'linkedTo must be a string when provided');
+}
+
+// POST /vaults/credential — create credential vault (admin)
+router.post('/', requireWalletAuth, requireAdmin, (req: Request, res: Response) => {
+  try {
+    const body = req.body as Record<string, unknown>;
+    const mode = resolveVaultMode(body);
+    const name = typeof req.body?.name === 'string' ? req.body.name.trim() : undefined;
+    const linkedTo = resolveLinkedTarget(body);
+
+    let password: string;
+    if (mode === 'linked') {
+      const primaryPassword = getPrimaryVaultPassword();
+      if (!primaryPassword) {
+        throw new HttpError(401, 'Primary vault must be unlocked to create linked vaults');
+      }
+      password = primaryPassword;
+    } else {
+      password = resolvePassword(body);
+    }
+
+    const created = createVault(password, name, { mode, linkedTo });
+
+    res.json({
+      success: true,
+      vault: {
+        id: created.id,
+        name: created.name,
+        address: created.address,
+        solanaAddress: created.solanaAddress,
+        mode: created.mode,
+        linkedTo: created.linkedTo,
+        isPrimary: false,
+        isUnlocked: true,
+      },
+    });
+  } catch (error) {
+    if (error instanceof HttpError) {
+      res.status(error.status).json({ success: false, error: error.message });
+      return;
+    }
+    res.status(400).json({ success: false, error: getErrorMessage(error) });
+  }
+});
+
+// GET /vaults/credential — list vaults + unlock status (admin)
+router.get('/', requireWalletAuth, requireAdmin, (_req: Request, res: Response) => {
+  try {
+    const vaults = listVaults();
+    const counts = new Map<string, number>();
+    for (const cred of listCredentials()) {
+      counts.set(cred.vaultId, (counts.get(cred.vaultId) || 0) + 1);
+    }
+
+    res.json({
+      success: true,
+      vaults: vaults.map(vault => ({
+        ...vault,
+        credentialCount: counts.get(vault.id) || 0,
+      })),
+    });
+  } catch (error) {
+    res.status(500).json({ success: false, error: getErrorMessage(error) });
+  }
+});
+
+// POST /vaults/credential/:id/lock — lock vault (admin)
+router.post('/:id/lock', requireWalletAuth, requireAdmin, (req: Request<{ id: string }>, res: Response) => {
+  try {
+    const { id } = req.params;
+    const exists = listVaults().some(vault => vault.id === id);
+    if (!exists) {
+      res.status(404).json({ success: false, error: 'Vault not found' });
+      return;
+    }
+
+    lockVault(id);
+    res.json({ success: true, message: `Vault ${id} locked` });
+  } catch (error) {
+    res.status(500).json({ success: false, error: getErrorMessage(error) });
+  }
+});
+
+// DELETE /vaults/credential/:id — delete vault + credentials (admin)
+router.delete('/:id', requireWalletAuth, requireAdmin, (req: Request<{ id: string }>, res: Response) => {
+  try {
+    const { id } = req.params;
+    const exists = listVaults().some(vault => vault.id === id);
+    if (!exists) {
+      res.status(404).json({ success: false, error: 'Vault not found' });
+      return;
+    }
+    if (id === getPrimaryVaultId()) {
+      res.status(400).json({ success: false, error: 'Cannot delete primary vault from this endpoint' });
+      return;
+    }
+
+    const credentials = listCredentials({ vaultId: id });
+    for (const credential of credentials) {
+      deleteCredential(credential.id);
+    }
+    deleteVault(id);
+
+    res.json({
+      success: true,
+      message: `Vault ${id} deleted`,
+      deletedCredentials: credentials.length,
+    });
+  } catch (error) {
+    res.status(500).json({ success: false, error: getErrorMessage(error) });
+  }
+});
+
+export default router;