npm - auramaxx - Versions diffs - 1.0.0-alpha.4 - Mend

auramaxx 1.0.0-alpha.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (363) hide show

package/LICENSE +26 -0
package/README.md +112 -0
package/bin/aurawallet.js +121 -0
package/docs/ADAPTERS.md +467 -0
package/docs/API.md +2679 -0
package/docs/APPS.md +198 -0
package/docs/ARCHITECTURE.md +350 -0
package/docs/AUTH.md +698 -0
package/docs/BEST-PRACTICES.md +121 -0
package/docs/CLI.md +61 -0
package/docs/DEVELOPING-APPS.md +452 -0
package/docs/EXTENSION.md +97 -0
package/docs/JOBS.md +33 -0
package/docs/MCP.md +76 -0
package/docs/PROTOCOL.md +142 -0
package/docs/SETUP.md +219 -0
package/docs/WORKSPACE.md +672 -0
package/docs/agent-auth.md +63 -0
package/docs/aura-file.md +48 -0
package/docs/credentials.md +53 -0
package/docs/external/getting-started.md +65 -0
package/docs/external/overview.md +45 -0
package/docs/external/use-cases.md +48 -0
package/docs/external/why-aura.md +35 -0
package/docs/jobs/connect-agent.md +77 -0
package/docs/jobs/migrate-from-dotenv.md +79 -0
package/docs/jobs/recover-from-lockout.md +72 -0
package/docs/jobs/secure-ci.md +63 -0
package/docs/oauth2.md +42 -0
package/docs/passkeys.md +60 -0
package/docs/security.md +540 -0
package/docs/specs/aura-open-protocol.md +61 -0
package/docs/specs/aura-provider-plugin.md +24 -0
package/docs/specs/aura-registry-model.md +31 -0
package/docs/specs/fixtures/invalid-bad-key.aura +1 -0
package/docs/specs/fixtures/invalid-bad-unicode-escape.aura +1 -0
package/docs/specs/fixtures/invalid-duplicate-key.aura +2 -0
package/docs/specs/fixtures/valid-basic.aura +4 -0
package/docs/specs/fixtures/valid-provider-ref.aura +1 -0
package/docs/specs/fixtures/valid-quoted-escapes.aura +2 -0
package/docs/templates/RELEASE_NOTES_TEMPLATE.md +22 -0
package/docs/totp.md +40 -0
package/docs/wallet/AI.md +508 -0
package/docs/wallet/DEVELOPING-STRATEGIES.md +713 -0
package/docs/wallet/README.md +47 -0
package/docs/wallet/STRATEGY.md +89 -0
package/next.config.ts +21 -0
package/package.json +151 -0
package/postcss.config.mjs +8 -0
package/prisma/migrations/20260214170000_baseline/migration.sql +511 -0
package/prisma/migrations/20260216214537_add_passkey_model/migration.sql +18 -0
package/prisma/migrations/20260217150500_add_credential_access_audit/migration.sql +31 -0
package/prisma/migrations/migration_lock.toml +3 -0
package/prisma/schema.prisma +447 -0
package/public/logo-chevron.svg +31 -0
package/public/logo-concentric.svg +31 -0
package/public/logo-crosshatch.svg +39 -0
package/public/logo-dashed.svg +39 -0
package/public/logo-horizontal.svg +31 -0
package/public/logo-m56.svg +64 -0
package/public/logo.webp +0 -0
package/scripts/add-app.js +245 -0
package/scripts/init.sh +57 -0
package/scripts/migrate-apikeys-to-credentials.ts +35 -0
package/scripts/sandbox-agent-flow.sh +235 -0
package/scripts/sandbox.sh +175 -0
package/scripts/validate-job-docs.mjs +125 -0
package/server/abi/SwapHelper.json +438 -0
package/server/cli/approval.ts +447 -0
package/server/cli/commands/app.ts +204 -0
package/server/cli/commands/cron.ts +24 -0
package/server/cli/commands/doctor.ts +1007 -0
package/server/cli/commands/env.ts +456 -0
package/server/cli/commands/init.ts +752 -0
package/server/cli/commands/mcp.ts +125 -0
package/server/cli/commands/restore.ts +314 -0
package/server/cli/commands/shell-hook.ts +468 -0
package/server/cli/commands/start.ts +62 -0
package/server/cli/commands/status.ts +59 -0
package/server/cli/commands/stop.ts +14 -0
package/server/cli/commands/token.ts +180 -0
package/server/cli/commands/unlock.ts +49 -0
package/server/cli/commands/vault.ts +417 -0
package/server/cli/index.ts +328 -0
package/server/cli/lib/aura-parser.ts +64 -0
package/server/cli/lib/credential-create.ts +74 -0
package/server/cli/lib/credential-resolve.ts +254 -0
package/server/cli/lib/dotenv-migrate.ts +116 -0
package/server/cli/lib/dotenv-parser.ts +146 -0
package/server/cli/lib/http.ts +91 -0
package/server/cli/lib/init-steps.ts +76 -0
package/server/cli/lib/local-agent-trust.ts +45 -0
package/server/cli/lib/process.ts +136 -0
package/server/cli/lib/prompt.ts +85 -0
package/server/cli/lib/theme.ts +240 -0
package/server/cli/socket.ts +570 -0
package/server/cli/transport-client.ts +50 -0
package/server/cron/index.ts +137 -0
package/server/cron/job.ts +31 -0
package/server/cron/jobs/balance-sync.ts +436 -0
package/server/cron/jobs/incoming-scan.ts +506 -0
package/server/cron/jobs/native-price.ts +70 -0
package/server/cron/jobs/orphan-cleanup.ts +40 -0
package/server/cron/jobs/strategy-runner.ts +175 -0
package/server/cron/scheduler.ts +125 -0
package/server/index.ts +406 -0
package/server/lib/adapters/factory.ts +110 -0
package/server/lib/adapters/index.ts +19 -0
package/server/lib/adapters/router.ts +297 -0
package/server/lib/adapters/telegram.ts +645 -0
package/server/lib/adapters/types.ts +89 -0
package/server/lib/adapters/webhook.ts +95 -0
package/server/lib/address.ts +49 -0
package/server/lib/agent-auth/contracts.ts +1194 -0
package/server/lib/agent-profiles.ts +328 -0
package/server/lib/ai.ts +285 -0
package/server/lib/api-registry/contracts.ts +86 -0
package/server/lib/api-registry/validation.ts +172 -0
package/server/lib/apikey-migration.ts +189 -0
package/server/lib/app-installer.ts +505 -0
package/server/lib/app-tokens.ts +247 -0
package/server/lib/auth.ts +314 -0
package/server/lib/batch.ts +242 -0
package/server/lib/cold.ts +874 -0
package/server/lib/config.ts +381 -0
package/server/lib/credential-access-audit.ts +85 -0
package/server/lib/credential-access-policy.ts +110 -0
package/server/lib/credential-health.ts +343 -0
package/server/lib/credential-import.ts +487 -0
package/server/lib/credential-scope.ts +87 -0
package/server/lib/credential-shares.ts +190 -0
package/server/lib/credential-transport.ts +342 -0
package/server/lib/credential-vault.ts +77 -0
package/server/lib/credentials.ts +333 -0
package/server/lib/crypto.ts +8 -0
package/server/lib/db.ts +15 -0
package/server/lib/defaults.ts +366 -0
package/server/lib/dex/index.ts +80 -0
package/server/lib/dex/relay.ts +235 -0
package/server/lib/dex/types.ts +59 -0
package/server/lib/dex/uniswap.ts +370 -0
package/server/lib/e2e-agent/artifacts.ts +36 -0
package/server/lib/e2e-agent/contracts.ts +112 -0
package/server/lib/e2e-agent/validation.ts +135 -0
package/server/lib/encrypt.ts +128 -0
package/server/lib/error.ts +20 -0
package/server/lib/events.ts +205 -0
package/server/lib/hot.ts +357 -0
package/server/lib/key-fingerprint.ts +28 -0
package/server/lib/logger.ts +331 -0
package/server/lib/network.ts +137 -0
package/server/lib/notifications.ts +219 -0
package/server/lib/oauth2-refresh.ts +241 -0
package/server/lib/oursecret.ts +54 -0
package/server/lib/passkey-credential.ts +360 -0
package/server/lib/passkey.ts +68 -0
package/server/lib/permissions.ts +248 -0
package/server/lib/pino.ts +24 -0
package/server/lib/policy-preview.ts +138 -0
package/server/lib/price.ts +338 -0
package/server/lib/prices.ts +34 -0
package/server/lib/project-scope.ts +239 -0
package/server/lib/resolve-action.ts +427 -0
package/server/lib/resolve.ts +36 -0
package/server/lib/sessions.ts +632 -0
package/server/lib/solana/connection.ts +26 -0
package/server/lib/solana/jupiter.ts +128 -0
package/server/lib/solana/transfer.ts +108 -0
package/server/lib/solana/wallet.ts +136 -0
package/server/lib/strategy/emits.ts +21 -0
package/server/lib/strategy/engine.ts +1305 -0
package/server/lib/strategy/executor.ts +115 -0
package/server/lib/strategy/hook-context.ts +158 -0
package/server/lib/strategy/hooks.ts +990 -0
package/server/lib/strategy/index.ts +28 -0
package/server/lib/strategy/installer.ts +305 -0
package/server/lib/strategy/loader.ts +256 -0
package/server/lib/strategy/message.ts +235 -0
package/server/lib/strategy/repository.ts +218 -0
package/server/lib/strategy/session-logger.ts +693 -0
package/server/lib/strategy/sources.ts +288 -0
package/server/lib/strategy/state.ts +189 -0
package/server/lib/strategy/templates.ts +403 -0
package/server/lib/strategy/tick.ts +404 -0
package/server/lib/strategy/types.ts +230 -0
package/server/lib/swap.ts +3 -0
package/server/lib/temp.ts +86 -0
package/server/lib/token-metadata.ts +86 -0
package/server/lib/token-safety.ts +200 -0
package/server/lib/token-search.ts +444 -0
package/server/lib/totp.ts +194 -0
package/server/lib/transactions.ts +123 -0
package/server/lib/transport.ts +75 -0
package/server/lib/txhistory/decoder.ts +262 -0
package/server/lib/txhistory/enricher.ts +652 -0
package/server/lib/txhistory/index.ts +391 -0
package/server/lib/txhistory/signatures.ts +59 -0
package/server/lib/verified-summary.ts +421 -0
package/server/mcp/profile-policy.ts +30 -0
package/server/mcp/server.ts +619 -0
package/server/mcp/tools.ts +523 -0
package/server/middleware/auth.ts +119 -0
package/server/middleware/requestLogger.ts +84 -0
package/server/routes/actions.ts +459 -0
package/server/routes/adapters.ts +703 -0
package/server/routes/addressbook.ts +113 -0
package/server/routes/ai.ts +34 -0
package/server/routes/apikeys.ts +295 -0
package/server/routes/apps.ts +601 -0
package/server/routes/auth.ts +457 -0
package/server/routes/backup.ts +340 -0
package/server/routes/batch.ts +270 -0
package/server/routes/bookmarks.ts +162 -0
package/server/routes/credential-shares.ts +198 -0
package/server/routes/credential-vaults.ts +154 -0
package/server/routes/credentials.ts +1290 -0
package/server/routes/dashboard.ts +71 -0
package/server/routes/defaults.ts +124 -0
package/server/routes/fund.ts +229 -0
package/server/routes/import.ts +352 -0
package/server/routes/launch.ts +665 -0
package/server/routes/lock.ts +54 -0
package/server/routes/logs.ts +68 -0
package/server/routes/nuke.ts +111 -0
package/server/routes/passkey-credentials.ts +99 -0
package/server/routes/passkey.ts +346 -0
package/server/routes/portfolio.ts +217 -0
package/server/routes/price.ts +63 -0
package/server/routes/resolve.ts +31 -0
package/server/routes/security.ts +45 -0
package/server/routes/send-evm.ts +241 -0
package/server/routes/send-solana.ts +281 -0
package/server/routes/send.ts +178 -0
package/server/routes/setup.ts +210 -0
package/server/routes/strategy.ts +894 -0
package/server/routes/swap-evm.ts +353 -0
package/server/routes/swap-solana.ts +177 -0
package/server/routes/swap.ts +356 -0
package/server/routes/token.ts +247 -0
package/server/routes/unlock.ts +403 -0
package/server/routes/wallet-assets.ts +361 -0
package/server/routes/wallet-transactions.ts +515 -0
package/server/routes/wallet.ts +710 -0
package/server/types.ts +146 -0
package/skills/aurawallet/SKILL.md +739 -0
package/skills/aurawallet-setup/SKILL.md +74 -0
package/skills/security-review/SKILL.md +148 -0
package/src/app/api/agent-requests/route.ts +30 -0
package/src/app/api/apps/install/route.ts +126 -0
package/src/app/api/apps/manifests/route.ts +16 -0
package/src/app/api/apps/static/[...path]/route.ts +57 -0
package/src/app/api/events/route.ts +92 -0
package/src/app/api/page.tsx +212 -0
package/src/app/api/workspace/[id]/apps/[wid]/route.ts +119 -0
package/src/app/api/workspace/[id]/apps/route.ts +81 -0
package/src/app/api/workspace/[id]/export/route.ts +67 -0
package/src/app/api/workspace/[id]/route.ts +168 -0
package/src/app/api/workspace/auth.ts +34 -0
package/src/app/api/workspace/config/route.ts +106 -0
package/src/app/api/workspace/import/route.ts +127 -0
package/src/app/api/workspace/route.ts +116 -0
package/src/app/app/page.tsx +2122 -0
package/src/app/apple-icon.png +0 -0
package/src/app/docs/page.tsx +178 -0
package/src/app/favicon.ico +0 -0
package/src/app/globals.css +572 -0
package/src/app/health/page.tsx +5 -0
package/src/app/hello/page.tsx +15 -0
package/src/app/icon.png +0 -0
package/src/app/layout.tsx +34 -0
package/src/app/page.tsx +986 -0
package/src/app/providers.tsx +90 -0
package/src/app/share/[token]/page.tsx +295 -0
package/src/components/ChainSelector.tsx +144 -0
package/src/components/HumanActionBar.tsx +695 -0
package/src/components/NotificationDrawer.tsx +129 -0
package/src/components/apps/AgentKeysApp.tsx +490 -0
package/src/components/apps/App.tsx +153 -0
package/src/components/apps/AppGrid.tsx +15 -0
package/src/components/apps/DetailedAddressDrawer.tsx +325 -0
package/src/components/apps/DraggableApp.tsx +562 -0
package/src/components/apps/IFrameApp.tsx +73 -0
package/src/components/apps/LogsApp.tsx +360 -0
package/src/components/apps/SendApp.tsx +394 -0
package/src/components/apps/SetupWizardApp.tsx +1004 -0
package/src/components/apps/SystemDefaultsApp.tsx +845 -0
package/src/components/apps/ThirdPartyApp.tsx +428 -0
package/src/components/apps/TokenApp.tsx +319 -0
package/src/components/apps/TransactionsApp.tsx +438 -0
package/src/components/apps/WalletDetailApp.tsx +1505 -0
package/src/components/apps/index.ts +13 -0
package/src/components/design-system/Button.tsx +53 -0
package/src/components/design-system/ChainIndicator.tsx +65 -0
package/src/components/design-system/ChainSelector.tsx +137 -0
package/src/components/design-system/ConfirmationModal.tsx +106 -0
package/src/components/design-system/ConfirmationPopover.tsx +81 -0
package/src/components/design-system/Drawer.tsx +123 -0
package/src/components/design-system/FilterDropdown.tsx +72 -0
package/src/components/design-system/Modal.tsx +206 -0
package/src/components/design-system/Popover.tsx +142 -0
package/src/components/design-system/TextInput.tsx +85 -0
package/src/components/design-system/Toggle.tsx +58 -0
package/src/components/design-system/index.ts +11 -0
package/src/components/docs/DocsThemeToggle.tsx +49 -0
package/src/components/health/CredentialHealthDashboard.tsx +214 -0
package/src/components/icons/ChainIcons.tsx +72 -0
package/src/components/layout/AppStoreDrawer.tsx +369 -0
package/src/components/layout/ContentArea.tsx +21 -0
package/src/components/layout/TabBar.tsx +278 -0
package/src/components/layout/WalletSidebar.tsx +1033 -0
package/src/components/layout/index.ts +4 -0
package/src/components/marketing/AuraWalletSpecOverlay.tsx +635 -0
package/src/components/marketing/DeviceMorphExperience.tsx +216 -0
package/src/components/vault/ApiKeysConsole.tsx +1080 -0
package/src/components/vault/AuditConsole.tsx +584 -0
package/src/components/vault/CredentialDetail.tsx +455 -0
package/src/components/vault/CredentialEmpty.tsx +55 -0
package/src/components/vault/CredentialField.tsx +361 -0
package/src/components/vault/CredentialForm.tsx +1212 -0
package/src/components/vault/CredentialList.tsx +165 -0
package/src/components/vault/CredentialRow.tsx +97 -0
package/src/components/vault/CredentialShareModal.tsx +178 -0
package/src/components/vault/CredentialVault.tsx +754 -0
package/src/components/vault/CredentialWalletWidget.tsx +103 -0
package/src/components/vault/ImportCredentialsModal.tsx +515 -0
package/src/components/vault/LargeTypeModal.tsx +64 -0
package/src/components/vault/PasswordGenerator.tsx +224 -0
package/src/components/vault/TOTPDisplay.tsx +123 -0
package/src/components/vault/VaultSidebar.tsx +413 -0
package/src/components/vault/types.ts +54 -0
package/src/context/AuthContext.tsx +337 -0
package/src/context/PriceContext.tsx +113 -0
package/src/context/ThemeContext.tsx +164 -0
package/src/context/WebSocketContext.tsx +269 -0
package/src/context/WorkspaceContext.tsx +668 -0
package/src/hooks/index.ts +3 -0
package/src/hooks/useAgentActions.ts +368 -0
package/src/hooks/useBalance.ts +103 -0
package/src/hooks/useBalances.ts +129 -0
package/src/instrumentation.ts +12 -0
package/src/lib/api.ts +449 -0
package/src/lib/app-loader.ts +148 -0
package/src/lib/app-registry.ts +178 -0
package/src/lib/app-sdk.ts +157 -0
package/src/lib/audit-console-adapter.ts +151 -0
package/src/lib/auth-client.ts +75 -0
package/src/lib/config.ts +74 -0
package/src/lib/crypto.ts +112 -0
package/src/lib/db.ts +21 -0
package/src/lib/docs.ts +390 -0
package/src/lib/events.ts +361 -0
package/src/lib/pino.ts +24 -0
package/src/lib/theme-handlers.ts +168 -0
package/src/lib/theme.ts +351 -0
package/src/lib/tokenData.ts +378 -0
package/src/lib/vault-crypto.ts +129 -0
package/src/lib/websocket-server.ts +302 -0
package/src/lib/websocket-setup.ts +79 -0
package/src/lib/wordlist.ts +2050 -0
package/src/lib/workspace-handlers.ts +285 -0
package/start.sh +80 -0
package/tailwind.config.ts +99 -0
package/tsconfig.json +42 -0

package/server/routes/lock.ts ADDED Viewed

@@ -0,0 +1,54 @@
+import { Router, Request, Response } from 'express';
+import { lock, isUnlocked, lockVault, isVaultUnlocked } from '../lib/cold';
+import { requireWalletAuth } from '../middleware/auth';
+import { requireAdmin } from '../lib/permissions';
+import { logger } from '../lib/logger';
+import { revokeAllTokens } from '../lib/sessions';
+import { revokeAdminTokens } from '../lib/auth';
+const router = Router();
+// POST /lock - Lock all vaults (clear memory)
+// Requires admin authentication
+// Also revokes all active sessions so clients must re-authenticate.
+router.post('/', requireWalletAuth, requireAdmin, async (_req: Request, res: Response) => {
+  const wasUnlocked = isUnlocked();
+  // Lock all vaults
+  lock();
+  // Revoke all active admin + agent tokens
+  revokeAdminTokens();
+  await revokeAllTokens();
+  // Log the lock event
+  if (wasUnlocked) {
+    logger.locked();
+  }
+  res.json({
+    success: true,
+    message: wasUnlocked
+      ? 'All vaults locked and active sessions revoked'
+      : 'Vaults were already locked; active sessions revoked'
+  });
+});
+// POST /lock/:vaultId - Lock a specific vault
+router.post('/:vaultId', requireWalletAuth, requireAdmin, (req: Request<{ vaultId: string }>, res: Response) => {
+  const { vaultId } = req.params;
+  const wasUnlocked = isVaultUnlocked(vaultId);
+  lockVault(vaultId);
+  if (wasUnlocked) {
+    logger.locked();
+  }
+  res.json({
+    success: true,
+    message: wasUnlocked ? `Vault ${vaultId} locked` : `Vault ${vaultId} was already locked`
+  });
+});
+export default router;

package/server/routes/logs.ts ADDED Viewed

@@ -0,0 +1,68 @@
+import { Router, Request, Response } from 'express';
+import { prisma } from '../lib/db';
+import { getErrorMessage } from '../lib/error';
+const router = Router();
+// GET /logs - Event logs - fetch historical events from database
+// Supports filtering by: type, category (prefix match), agentId, since/until (timestamps), path
+router.get('/', async (req: Request, res: Response) => {
+  try {
+    const limit = Math.min(parseInt(req.query.limit as string) || 50, 250);
+    const offset = parseInt(req.query.offset as string) || 0;
+    const type = req.query.type as string | undefined;
+    const category = req.query.category as string | undefined;
+    const agentId = req.query.agentId as string | undefined;
+    const since = req.query.since as string | undefined;
+    const until = req.query.until as string | undefined;
+    const where: Record<string, unknown> = {};
+    if (type) {
+      where.type = type;
+    } else if (category) {
+      // Prefix match: category=auth matches auth:unlocked, auth:auth_failed, etc.
+      where.type = { startsWith: `${category}:` };
+    }
+    // Filter by agentId in the JSON data field
+    if (agentId) {
+      where.data = { contains: `"agentId":"${agentId}"` };
+    }
+    // Date range filtering
+    if (since || until) {
+      const timestampFilter: Record<string, Date> = {};
+      if (since) timestampFilter.gte = new Date(parseInt(since) || since);
+      if (until) timestampFilter.lte = new Date(parseInt(until) || until);
+      where.timestamp = timestampFilter;
+    }
+    const [logs, total] = await Promise.all([
+      prisma.event.findMany({
+        where,
+        orderBy: { timestamp: 'desc' },
+        take: limit,
+        skip: offset,
+      }),
+      prisma.event.count({ where }),
+    ]);
+    res.json({
+      success: true,
+      logs,
+      count: logs.length,
+      total,
+      pagination: {
+        limit,
+        offset,
+        hasMore: offset + logs.length < total,
+      },
+    });
+  } catch (error) {
+    const message = getErrorMessage(error);
+    res.status(500).json({ success: false, error: message });
+  }
+});
+export default router;

package/server/routes/nuke.ts ADDED Viewed

@@ -0,0 +1,111 @@
+import { Router, Request, Response } from 'express';
+import fs from 'fs';
+import { deleteColdWallet, importColdWallet, listVaults, deleteVault } from '../lib/cold';
+import { DATA_PATHS } from '../lib/config';
+import { prisma } from '../lib/db';
+import { lockAllCredentialVaults } from '../lib/credential-vault';
+import { requireWalletAuth } from '../middleware/auth';
+import { requireAdmin } from '../lib/permissions';
+import { parseEncryptedPassword } from '../lib/transport';
+import { logger } from '../lib/logger';
+import { getErrorMessage, HttpError } from '../lib/error';
+const router = Router();
+// POST /nuke - Delete all wallet data (requires admin)
+router.post('/', requireWalletAuth, requireAdmin, async (_req: Request, res: Response) => {
+  try {
+    // 1. Delete all vaults (files + memory)
+    try {
+      const vaults = listVaults();
+      for (const vault of vaults) {
+        deleteVault(vault.id);
+      }
+      deleteColdWallet(); // Also handles legacy cold.json
+    } catch (e) {
+      console.log('No cold wallet to delete:', e);
+    }
+    // 2. Delete all hot wallet files
+    const hotDir = DATA_PATHS.hotWallets;
+    if (fs.existsSync(hotDir)) {
+      fs.rmSync(hotDir, { recursive: true, force: true });
+      fs.mkdirSync(hotDir, { recursive: true });
+    }
+    // 3. Delete pending requests directory
+    const pendingDir = DATA_PATHS.pending;
+    if (fs.existsSync(pendingDir)) {
+      fs.rmSync(pendingDir, { recursive: true, force: true });
+      fs.mkdirSync(pendingDir, { recursive: true });
+    }
+    // 4. Delete credential files directory and clear in-memory credential sessions
+    const credentialsDir = DATA_PATHS.credentials;
+    if (fs.existsSync(credentialsDir)) {
+      fs.rmSync(credentialsDir, { recursive: true, force: true });
+    }
+    fs.mkdirSync(credentialsDir, { recursive: true });
+    lockAllCredentialVaults();
+    // 5. Clear database tables
+    try {
+      await prisma.humanAction.deleteMany({});
+      await prisma.agentToken.deleteMany({});
+      await prisma.hotWallet.deleteMany({});
+    } catch (e) {
+      console.log('Error clearing database:', e);
+    }
+    logger.nuke();
+    res.json({
+      success: true,
+      message: 'All data nuked. Ready for fresh setup.'
+    });
+  } catch (error) {
+    console.error('[NUKE ERROR]', error);
+    res.status(500).json({
+      success: false,
+      error: getErrorMessage(error)
+    });
+  }
+});
+// POST /nuke/import - Import wallet from seed phrase (requires admin)
+router.post('/import', requireWalletAuth, requireAdmin, (req: Request, res: Response) => {
+  try {
+    const { mnemonic, password, encrypted } = req.body;
+    if (!mnemonic || typeof mnemonic !== 'string') {
+      res.status(400).json({ error: 'Seed phrase is required' });
+      return;
+    }
+    // Support encrypted password transport (dashboard) or plaintext (CLI)
+    let plainPassword: string;
+    if (encrypted && typeof encrypted === 'string') {
+      plainPassword = parseEncryptedPassword(encrypted);
+    } else if (password && typeof password === 'string') {
+      if (password.length < 8) {
+        throw new HttpError(400, 'Password must be at least 8 characters');
+      }
+      plainPassword = password;
+    } else {
+      throw new HttpError(400, 'Password is required (encrypted or plaintext)');
+    }
+    const result = importColdWallet(mnemonic, plainPassword);
+    res.json({
+      success: true,
+      address: result.address,
+      message: 'Wallet imported successfully'
+    });
+  } catch (error) {
+    if (error instanceof HttpError) { res.status(error.status).json({ error: error.message }); return; }
+    res.status(400).json({ error: getErrorMessage(error) });
+  }
+});
+export default router;

package/server/routes/passkey-credentials.ts ADDED Viewed

@@ -0,0 +1,99 @@
+/**
+ * Passkey Credential Routes — WebAuthn software authenticator endpoints
+ * =====================================================================
+ *
+ * POST /credentials/passkey/register   — Generate keypair, store, return attestation
+ * POST /credentials/passkey/authenticate — Sign challenge, return assertion
+ * GET  /credentials/passkey/match      — Find passkeys matching rpId
+ */
+import { Router, Request, Response } from 'express';
+import { requireWalletAuth } from '../middleware/auth';
+import { registerPasskey, authenticatePasskey, matchPasskeys, PasskeyCredentialValidationError } from '../lib/passkey-credential';
+import { getErrorMessage } from '../lib/error';
+import { log } from '../lib/pino';
+const router = Router();
+router.use(requireWalletAuth);
+// POST /credentials/passkey/register
+router.post('/register', (req: Request, res: Response) => {
+  try {
+    const { vaultId, rpId, rpName, userName, displayName, userHandle, challenge, origin, clientDataJSON } = req.body;
+    if (!vaultId || !rpId || !userHandle || !clientDataJSON) {
+      res.status(400).json({ error: 'vaultId, rpId, userHandle, and clientDataJSON are required' });
+      return;
+    }
+    const result = registerPasskey({
+      vaultId,
+      rpId,
+      rpName,
+      userName,
+      displayName,
+      userHandle,
+      challenge,
+      origin,
+      clientDataJSON,
+    });
+    log.info('Passkey registered', { rpId, credentialId: result.credentialId });
+    res.json(result);
+  } catch (error) {
+    const message = getErrorMessage(error);
+    if (error instanceof PasskeyCredentialValidationError) {
+      res.status(400).json({ error: message });
+      return;
+    }
+    log.error('Passkey register error', { error: message });
+    res.status(500).json({ error: message });
+  }
+});
+// POST /credentials/passkey/authenticate
+router.post('/authenticate', (req: Request, res: Response) => {
+  try {
+    const { auraCredentialId, rpId, challenge, origin, clientDataJSON } = req.body;
+    if (!auraCredentialId || !rpId || !challenge || !clientDataJSON) {
+      res.status(400).json({ error: 'auraCredentialId, rpId, challenge, and clientDataJSON are required' });
+      return;
+    }
+    const result = authenticatePasskey({ auraCredentialId, rpId, challenge, origin, clientDataJSON });
+    log.info('Passkey authenticated', { rpId, credentialId: result.credentialId });
+    res.json(result);
+  } catch (error) {
+    const message = getErrorMessage(error);
+    if (error instanceof PasskeyCredentialValidationError) {
+      res.status(400).json({ error: message });
+      return;
+    }
+    log.error('Passkey authenticate error', { error: message });
+    res.status(500).json({ error: message });
+  }
+});
+// GET /credentials/passkey/match?rpId=xxx
+router.get('/match', (req: Request, res: Response) => {
+  try {
+    const rpId = req.query.rpId as string;
+    const vaultId = req.query.vaultId as string | undefined;
+    if (!rpId) {
+      res.status(400).json({ error: 'rpId query parameter is required' });
+      return;
+    }
+    const matches = matchPasskeys(rpId, vaultId);
+    res.json({ matches });
+  } catch (error) {
+    res.status(500).json({ error: getErrorMessage(error) });
+  }
+});
+export default router;

package/server/routes/passkey.ts ADDED Viewed

@@ -0,0 +1,346 @@
+import { Router, Request, Response } from 'express';
+import {
+  generateRegistrationOptions,
+  verifyRegistrationResponse,
+  generateAuthenticationOptions,
+  verifyAuthenticationResponse,
+} from '@simplewebauthn/server';
+import { prisma } from '../lib/db';
+import { requireWalletAuth } from '../middleware/auth';
+import { requireAdmin } from '../lib/permissions';
+import { isUnlocked } from '../lib/cold';
+import { createAdminToken } from '../lib/auth';
+import { storeChallenge, consumeChallenge, uint8ArrayToBase64url, base64urlToUint8Array } from '../lib/passkey';
+import { isValidAgentPubkey, normalizeAgentPubkey } from '../lib/credential-transport';
+import { log } from '../lib/pino';
+import { getErrorMessage } from '../lib/error';
+const router = Router();
+// Helper: extract rpId from request
+function getRpId(req: Request, bodyRpId?: string): string {
+  return bodyRpId || req.hostname || 'localhost';
+}
+// ─── Status ─────────────────────────────────────────────────────────────────
+// GET /auth/passkey/status — public, returns whether passkeys registered for origin
+router.get('/status', async (req: Request, res: Response) => {
+  try {
+    const rpId = getRpId(req, req.query.rpId as string | undefined);
+    const passkeys = await prisma.passkey.findMany({
+      where: { rpId },
+      select: { credentialId: true, createdAt: true },
+    });
+    res.json({
+      registered: passkeys.length > 0,
+      count: passkeys.length,
+      rpId,
+      credentials: passkeys.map(p => ({ id: p.credentialId, createdAt: p.createdAt })),
+    });
+  } catch (error) {
+    res.status(500).json({ error: getErrorMessage(error) });
+  }
+});
+// ─── Registration ───────────────────────────────────────────────────────────
+// POST /auth/passkey/register/options — requires admin token
+router.post('/register/options', requireWalletAuth, requireAdmin, async (req: Request, res: Response) => {
+  try {
+    if (!isUnlocked()) {
+      res.status(400).json({ error: 'Vault must be unlocked to register passkey' });
+      return;
+    }
+    const rpId = getRpId(req, req.body?.rpId);
+    // Get existing credentials for this rpId to exclude
+    const existing = await prisma.passkey.findMany({
+      where: { rpId },
+      select: { credentialId: true, transports: true },
+    });
+    const excludeCredentials = existing.map((p) => ({
+      id: p.credentialId,
+      transports: JSON.parse(p.transports || '[]'),
+    }));
+    const options = await generateRegistrationOptions({
+      rpName: 'AuraWallet',
+      rpID: rpId,
+      userName: 'owner',
+      userDisplayName: 'Vault Owner',
+      attestationType: 'none',
+      authenticatorSelection: {
+        authenticatorAttachment: 'platform',
+        userVerification: 'required',
+        residentKey: 'preferred',
+      },
+      excludeCredentials,
+      timeout: 60000,
+    });
+    // Store challenge
+    storeChallenge(options.challenge, 'register');
+    res.json(options);
+  } catch (error) {
+    res.status(500).json({ error: getErrorMessage(error) });
+  }
+});
+// POST /auth/passkey/register/verify — requires admin token
+router.post('/register/verify', requireWalletAuth, requireAdmin, async (req: Request, res: Response) => {
+  try {
+    if (!isUnlocked()) {
+      res.status(400).json({ error: 'Vault must be unlocked to register passkey' });
+      return;
+    }
+    const { credential } = req.body;
+    if (!credential) {
+      res.status(400).json({ error: 'credential is required' });
+      return;
+    }
+    const rpId = getRpId(req, req.body?.rpId);
+    const origin = `${req.protocol}://${req.get('host')}`;
+    // Consume challenge
+    const challenge = credential.response?.clientDataJSON
+      ? JSON.parse(Buffer.from(credential.response.clientDataJSON, 'base64url').toString()).challenge
+      : undefined;
+    if (!challenge || !consumeChallenge(challenge, 'register')) {
+      res.status(400).json({ error: 'Invalid or expired challenge' });
+      return;
+    }
+    const verification = await verifyRegistrationResponse({
+      response: credential,
+      expectedChallenge: challenge,
+      expectedOrigin: origin,
+      expectedRPID: rpId,
+      requireUserVerification: true,
+    });
+    if (!verification.verified || !verification.registrationInfo) {
+      res.status(400).json({ error: 'Registration verification failed' });
+      return;
+    }
+    const { credential: cred, credentialBackedUp, aaguid } = verification.registrationInfo;
+    // Store in DB
+    await prisma.passkey.create({
+      data: {
+        credentialId: cred.id,
+        publicKey: Buffer.from(cred.publicKey),
+        counter: cred.counter,
+        transports: JSON.stringify(credential.response.transports || []),
+        rpId,
+        aaguid: aaguid || '',
+      },
+    });
+    res.json({
+      success: true,
+      credentialId: cred.id,
+    });
+  } catch (error) {
+    res.status(500).json({ error: getErrorMessage(error) });
+  }
+});
+// ─── Authentication ─────────────────────────────────────────────────────────
+// POST /auth/passkey/authenticate/options — public (vault must be unlocked server-side)
+router.post('/authenticate/options', async (req: Request, res: Response) => {
+  try {
+    // Specific vault_locked error per audit
+    if (!isUnlocked()) {
+      res.status(400).json({
+        error: 'vault_locked',
+        message: 'Password required after server restart',
+      });
+      return;
+    }
+    const rpId = getRpId(req, req.body?.rpId);
+    // Get credentials for this rpId — reject if none exist (audit item)
+    const passkeys = await prisma.passkey.findMany({
+      where: { rpId },
+      select: { credentialId: true, transports: true },
+    });
+    if (passkeys.length === 0) {
+      res.status(400).json({ error: 'No passkeys registered for this origin' });
+      return;
+    }
+    const allowCredentials = passkeys.map((p) => ({
+      id: p.credentialId,
+      transports: JSON.parse(p.transports || '[]'),
+    }));
+    const options = await generateAuthenticationOptions({
+      rpID: rpId,
+      allowCredentials,
+      userVerification: 'required',
+      timeout: 60000,
+    });
+    storeChallenge(options.challenge, 'authenticate');
+    res.json(options);
+  } catch (error) {
+    res.status(500).json({ error: getErrorMessage(error) });
+  }
+});
+// POST /auth/passkey/authenticate/verify — public (assertion IS the auth)
+router.post('/authenticate/verify', async (req: Request, res: Response) => {
+  try {
+    // Specific vault_locked error per audit
+    if (!isUnlocked()) {
+      res.status(400).json({
+        error: 'vault_locked',
+        message: 'Password required after server restart',
+      });
+      return;
+    }
+    const { credential, pubkey } = req.body;
+    if (!credential) {
+      res.status(400).json({ error: 'credential is required' });
+      return;
+    }
+    if (!pubkey || typeof pubkey !== 'string') {
+      res.status(400).json({ error: 'pubkey is required' });
+      return;
+    }
+    if (!isValidAgentPubkey(pubkey)) {
+      res.status(400).json({ error: 'pubkey must be a valid RSA public key' });
+      return;
+    }
+    const rpId = getRpId(req, req.body?.rpId);
+    const origin = `${req.protocol}://${req.get('host')}`;
+    // Extract and consume challenge
+    const challenge = credential.response?.clientDataJSON
+      ? JSON.parse(Buffer.from(credential.response.clientDataJSON, 'base64url').toString()).challenge
+      : undefined;
+    if (!challenge || !consumeChallenge(challenge, 'authenticate')) {
+      log.warn('Passkey auth: invalid or expired challenge', { ip: req.ip, origin });
+      res.status(401).json({ error: 'Invalid or expired challenge' });
+      return;
+    }
+    // Look up the credential
+    const credentialId = credential.id || credential.rawId;
+    const passkey = await prisma.passkey.findUnique({
+      where: { credentialId },
+    });
+    if (!passkey) {
+      log.warn('Passkey auth: unknown credential', { credentialId, ip: req.ip, origin });
+      res.status(401).json({ error: 'Unknown credential' });
+      return;
+    }
+    let verification;
+    try {
+      verification = await verifyAuthenticationResponse({
+        response: credential,
+        expectedChallenge: challenge,
+        expectedOrigin: origin,
+        expectedRPID: rpId,
+        credential: {
+          id: passkey.credentialId,
+          publicKey: new Uint8Array(passkey.publicKey),
+          counter: passkey.counter,
+          transports: JSON.parse(passkey.transports || '[]'),
+        },
+        requireUserVerification: true,
+      });
+    } catch (err) {
+      // Log failed attempt (audit item)
+      log.warn('Passkey auth: verification failed', {
+        credentialId,
+        ip: req.ip,
+        origin,
+        error: getErrorMessage(err),
+      });
+      res.status(401).json({ error: 'Authentication verification failed' });
+      return;
+    }
+    if (!verification.verified) {
+      log.warn('Passkey auth: assertion not verified', { credentialId, ip: req.ip, origin });
+      res.status(401).json({ error: 'Authentication verification failed' });
+      return;
+    }
+    // Counter validation (clone detection) — @simplewebauthn handles this,
+    // but we double-check per audit
+    const newCounter = verification.authenticationInfo.newCounter;
+    if (newCounter > 0 && newCounter <= passkey.counter) {
+      log.warn('Passkey auth: counter regression (possible clone)', {
+        credentialId,
+        storedCounter: passkey.counter,
+        newCounter,
+        ip: req.ip,
+        origin,
+      });
+      res.status(401).json({ error: 'Credential counter regression detected' });
+      return;
+    }
+    // Update counter and lastUsedAt
+    await prisma.passkey.update({
+      where: { credentialId: passkey.credentialId },
+      data: {
+        counter: newCounter,
+        lastUsedAt: new Date(),
+      },
+    });
+    // Issue admin token (same as rekey flow)
+    const normalizedPubkey = normalizeAgentPubkey(pubkey);
+    const token = await createAdminToken(normalizedPubkey);
+    res.json({
+      success: true,
+      token,
+    });
+  } catch (error) {
+    res.status(500).json({ error: getErrorMessage(error) });
+  }
+});
+// ─── Delete ─────────────────────────────────────────────────────────────────
+// DELETE /auth/passkey/:credentialId — requires admin token
+router.delete('/:credentialId', requireWalletAuth, requireAdmin, async (req: Request<{ credentialId: string }>, res: Response) => {
+  try {
+    const { credentialId } = req.params;
+    const passkey = await prisma.passkey.findUnique({ where: { credentialId } });
+    if (!passkey) {
+      res.status(404).json({ error: 'Passkey not found' });
+      return;
+    }
+    await prisma.passkey.delete({ where: { credentialId } });
+    res.json({ success: true });
+  } catch (error) {
+    res.status(500).json({ error: getErrorMessage(error) });
+  }
+});
+export default router;