auramaxx 1.0.0-alpha.4

package/server/routes/portfolio.ts

@@ -0,0 +1,217 @@
+/**
+ * Portfolio endpoint — cross-wallet asset aggregation.
+ * Returns native balances by chain + token balances aggregated across wallets.
+ * Supports filtering by token address or symbol for per-wallet breakdown.
+ */
+
+import { Router, Request, Response } from 'express';
+import { optionalWalletAuth } from '../middleware/auth';
+import { isAdmin, hasAnyPermission } from '../lib/permissions';
+import { prisma } from '../lib/db';
+import { listHotWallets } from '../lib/hot';
+import { getEthToUsd, getSolToUsd } from '../lib/prices';
+import { getTokenPrices } from '../lib/price';
+import { getNativeCurrency } from '../lib/address';
+import { getErrorMessage } from '../lib/error';
+
+const router = Router();
+
+// GET /portfolio — aggregated balances across all wallets
+// Requires wallet:list permission for agents (admin always OK, no-auth OK)
+// Query params:
+//   token  — filter by token contract address (returns per-wallet breakdown)
+//   symbol — filter by token symbol, case-insensitive (returns per-wallet breakdown)
+//   chain  — filter by chain name
+router.get('/', optionalWalletAuth, async (req: Request, res: Response) => {
+  try {
+    const auth = req.auth;
+    const isAgent = auth && !isAdmin(auth);
+    const canListAll = isAgent && hasAnyPermission(auth.token.permissions, ['wallet:list']);
+
+    // Agents without wallet:list can only see their own wallets
+    let walletFilter: string[] | undefined;
+    if (isAgent && !canListAll) {
+      const owned = await listHotWallets(auth.tokenHash);
+      walletFilter = owned.map((w) => w.address.toLowerCase());
+      if (walletFilter.length === 0) {
+        res.json({ success: true, byChain: [], byToken: [] });
+        return;
+      }
+    }
+
+    const { token, symbol, chain } = req.query as Record<string, string | undefined>;
+
+    // Native balances by chain
+    const nativeWhere: Record<string, unknown> = {};
+    if (walletFilter) nativeWhere.walletAddress = { in: walletFilter };
+    if (chain) nativeWhere.chain = chain;
+
+    const nativeBalances = await prisma.nativeBalance.findMany({
+      where: nativeWhere,
+    });
+
+    // Group native balances by chain
+    const byChainMap = new Map<string, { chain: string; totalBalance: number; walletCount: number }>();
+    for (const nb of nativeBalances) {
+      const entry = byChainMap.get(nb.chain) || { chain: nb.chain, totalBalance: 0, walletCount: 0 };
+      entry.totalBalance += parseFloat(nb.balance) || 0;
+      entry.walletCount += 1;
+      byChainMap.set(nb.chain, entry);
+    }
+
+    // Token balances — build filter (exclude bookmarks with null walletAddress)
+    const assetWhere: Record<string, unknown> = {};
+    if (walletFilter) {
+      assetWhere.walletAddress = { in: walletFilter };
+    } else {
+      assetWhere.walletAddress = { not: null };
+    }
+    assetWhere.lastBalance = { not: null };
+    if (chain) assetWhere.chain = chain;
+    if (token) assetWhere.tokenAddress = token.toLowerCase();
+    if (symbol) assetWhere.symbol = symbol.toUpperCase();
+
+    const trackedAssets = await prisma.trackedAsset.findMany({
+      where: assetWhere,
+      select: {
+        tokenAddress: true,
+        symbol: true,
+        name: true,
+        decimals: true,
+        lastBalance: true,
+        chain: true,
+        walletAddress: true,
+      },
+    });
+
+    // Batch-lookup TokenMetadata for enrichment
+    const uniqueTokenKeys = [...new Set(trackedAssets.map(a => `${a.tokenAddress}:${a.chain}`))];
+    const tokenMetaList = uniqueTokenKeys.length > 0
+      ? await prisma.tokenMetadata.findMany({
+          where: {
+            OR: uniqueTokenKeys.map(k => {
+              const [addr, ch] = k.split(':');
+              return { tokenAddress: addr, chain: ch };
+            }),
+          },
+        })
+      : [];
+    const metaMap = new Map(tokenMetaList.map(m => [`${m.tokenAddress}:${m.chain}`, m]));
+
+    // Group by tokenAddress+chain
+    const tokenKey = (addr: string, c: string) => `${addr.toLowerCase()}:${c}`;
+    const byTokenMap = new Map<string, {
+      tokenAddress: string;
+      chain: string;
+      symbol: string | null;
+      name: string | null;
+      decimals: number;
+      totalBalance: number;
+      walletCount: number;
+    }>();
+
+    // When filtering by token/symbol, also collect per-wallet breakdown
+    const isFiltered = !!(token || symbol);
+    const walletBreakdown: { walletAddress: string; chain: string; balance: number }[] = [];
+
+    for (const asset of trackedAssets) {
+      const key = tokenKey(asset.tokenAddress, asset.chain);
+      const meta = metaMap.get(`${asset.tokenAddress}:${asset.chain}`);
+      const existing = byTokenMap.get(key);
+      const balance = parseFloat(asset.lastBalance || '0') || 0;
+
+      if (isFiltered && asset.walletAddress) {
+        walletBreakdown.push({
+          walletAddress: asset.walletAddress,
+          chain: asset.chain,
+          balance,
+        });
+      }
+
+      if (existing) {
+        existing.totalBalance += balance;
+        existing.walletCount += 1;
+        if (!existing.symbol && (meta?.symbol || asset.symbol)) existing.symbol = meta?.symbol ?? asset.symbol;
+        if (!existing.name && (meta?.name || asset.name)) existing.name = meta?.name ?? asset.name;
+      } else {
+        byTokenMap.set(key, {
+          tokenAddress: asset.tokenAddress,
+          chain: asset.chain,
+          symbol: meta?.symbol ?? asset.symbol,
+          name: meta?.name ?? asset.name,
+          decimals: meta?.decimals ?? asset.decimals,
+          totalBalance: balance,
+          walletCount: 1,
+        });
+      }
+    }
+
+    // Fetch cached native prices
+    const [ethPrice, solPrice] = await Promise.all([getEthToUsd(), getSolToUsd()]);
+    const nativePrices: Record<string, number | null> = { ETH: ethPrice, SOL: solPrice };
+
+    // Batch-fetch USD prices for all tracked tokens
+    const tokenEntries = Array.from(byTokenMap.values());
+    const priceMap = await getTokenPrices(
+      tokenEntries.map((t) => ({ address: t.tokenAddress, chain: t.chain })),
+    );
+
+    // Enrich tokens with USD values
+    let totalValueUsd = 0;
+    const byToken = tokenEntries.map((t) => {
+      const cacheKey = `${t.chain}:${t.tokenAddress.toLowerCase()}`;
+      const price = priceMap.get(cacheKey);
+      const priceUsd = price ? parseFloat(price.priceUsd) : null;
+      const valueUsd = priceUsd !== null ? t.totalBalance * priceUsd : null;
+      if (valueUsd !== null) totalValueUsd += valueUsd;
+      return {
+        ...t,
+        priceUsd: priceUsd !== null ? priceUsd.toString() : null,
+        valueUsd: valueUsd !== null ? valueUsd.toFixed(2) : null,
+      };
+    }).sort((a, b) => {
+      const aVal = a.valueUsd ? parseFloat(a.valueUsd) : -1;
+      const bVal = b.valueUsd ? parseFloat(b.valueUsd) : -1;
+      return bVal - aVal;
+    });
+
+    // Enrich chains with USD values
+    const byChain = Array.from(byChainMap.values()).map((c) => {
+      const currency = getNativeCurrency(c.chain);
+      const nativePrice = nativePrices[currency];
+      const valueUsd = nativePrice !== null ? c.totalBalance * nativePrice : null;
+      if (valueUsd !== null) totalValueUsd += valueUsd;
+      return {
+        ...c,
+        valueUsd: valueUsd !== null ? valueUsd.toFixed(2) : null,
+      };
+    });
+
+    // Enrich wallet breakdown with USD when filtered
+    let wallets: { walletAddress: string; chain: string; balance: number; valueUsd: string | null }[] | undefined;
+    if (isFiltered && walletBreakdown.length > 0) {
+      // Use first token's price for all wallet entries (same token)
+      const firstPrice = byToken[0]?.priceUsd ? parseFloat(byToken[0].priceUsd) : null;
+      wallets = walletBreakdown.map((w) => ({
+        ...w,
+        valueUsd: firstPrice !== null ? (w.balance * firstPrice).toFixed(2) : null,
+      }));
+    }
+
+    const response: Record<string, unknown> = {
+      success: true,
+      byChain,
+      byToken,
+      prices: { ETH: ethPrice, SOL: solPrice },
+      totalValueUsd: totalValueUsd.toFixed(2),
+    };
+    if (wallets) response.wallets = wallets;
+
+    res.json(response);
+  } catch (error) {
+    const message = getErrorMessage(error);
+    res.status(500).json({ success: false, error: message });
+  }
+});
+
+export default router;

package/server/routes/price.ts

@@ -0,0 +1,63 @@
+import { Router, Request, Response } from 'express';
+import { getTokenPrice } from '../lib/price';
+import { loadConfig } from '../lib/config';
+import { isSolanaChain } from '../lib/address';
+import { getErrorMessage } from '../lib/error';
+
+const router = Router();
+
+// GET /price/:address — Public endpoint (no auth required)
+router.get('/:address', async (req: Request, res: Response) => {
+  try {
+    const { address } = req.params;
+    const config = loadConfig();
+    const chain = (req.query.chain as string) || config.defaultChain;
+
+    // Validate chain
+    if (!config.chains[chain]) {
+      res.status(400).json({ success: false, error: `Unknown chain: ${chain}` });
+      return;
+    }
+
+    // Validate address format (skip for 'native')
+    if (address !== 'native') {
+      if (isSolanaChain(chain)) {
+        // Base58: alphanumeric (no 0, O, I, l), 32-44 chars
+        if (!/^[1-9A-HJ-NP-Za-km-z]{32,44}$/.test(address)) {
+          res.status(400).json({ success: false, error: 'Invalid Solana address format' });
+          return;
+        }
+      } else {
+        // EVM: 0x-prefixed hex, 42 chars
+        if (!/^0x[0-9a-fA-F]{40}$/.test(address)) {
+          res.status(400).json({ success: false, error: 'Invalid EVM address format' });
+          return;
+        }
+      }
+    }
+
+    const result = await getTokenPrice(address, chain);
+
+    if (!result) {
+      res.status(404).json({
+        success: false,
+        error: `No price found for ${address} on ${chain}`,
+      });
+      return;
+    }
+
+    res.json({
+      success: true,
+      token: address,
+      chain,
+      priceUsd: result.priceUsd,
+      source: result.source,
+      cached: result.cached,
+    });
+  } catch (error) {
+    const message = getErrorMessage(error);
+    res.status(500).json({ success: false, error: message });
+  }
+});
+
+export default router;

package/server/routes/resolve.ts

@@ -0,0 +1,31 @@
+import { Router, Request, Response } from 'express';
+import { resolveName } from '../lib/resolve';
+import { getErrorMessage } from '../lib/error';
+
+const router = Router();
+
+// GET /resolve/:name - Resolve ENS name to address
+// Public endpoint (no auth required)
+router.get('/:name', async (req: Request, res: Response) => {
+  try {
+    const { name } = req.params;
+
+    if (!name) {
+      res.status(400).json({ error: 'Name parameter is required' });
+      return;
+    }
+
+    const result = await resolveName(name);
+
+    res.json({
+      success: true,
+      address: result.address,
+      name: result.name,
+    });
+  } catch (error) {
+    const message = getErrorMessage(error);
+    res.status(400).json({ error: message });
+  }
+});
+
+export default router;

package/server/routes/security.ts

@@ -0,0 +1,45 @@
+import { Request, Response, Router } from 'express';
+import { getErrorMessage } from '../lib/error';
+import { requireAdmin, requireWalletAuth } from '../middleware/auth';
+import {
+  listNoisyCredentials,
+  listNoisyCredentialTokens,
+  listRecentCredentialAccess,
+} from '../lib/credential-access-audit';
+
+const router = Router();
+router.use(requireWalletAuth, requireAdmin);
+
+router.get('/credential-access/recent', async (req: Request, res: Response) => {
+  try {
+    const limit = Number.parseInt(String(req.query.limit ?? '50'), 10);
+    const rows = await listRecentCredentialAccess(limit);
+    res.json({ success: true, rows });
+  } catch (error) {
+    res.status(500).json({ success: false, error: getErrorMessage(error) });
+  }
+});
+
+router.get('/credential-access/noisy-credentials', async (req: Request, res: Response) => {
+  try {
+    const windowMs = Number.parseInt(String(req.query.windowMs ?? 3600000), 10);
+    const limit = Number.parseInt(String(req.query.limit ?? '20'), 10);
+    const rows = await listNoisyCredentials(windowMs, limit);
+    res.json({ success: true, windowMs, rows });
+  } catch (error) {
+    res.status(500).json({ success: false, error: getErrorMessage(error) });
+  }
+});
+
+router.get('/credential-access/noisy-tokens', async (req: Request, res: Response) => {
+  try {
+    const windowMs = Number.parseInt(String(req.query.windowMs ?? 3600000), 10);
+    const limit = Number.parseInt(String(req.query.limit ?? '20'), 10);
+    const rows = await listNoisyCredentialTokens(windowMs, limit);
+    res.json({ success: true, windowMs, rows });
+  } catch (error) {
+    res.status(500).json({ success: false, error: getErrorMessage(error) });
+  }
+});
+
+export default router;

package/server/routes/send-evm.ts

@@ -0,0 +1,241 @@
+import { Request, Response } from 'express';
+import { ethers } from 'ethers';
+import { getHotWallet, signWithHotWallet, tokenCanAccessWallet } from '../lib/hot';
+import { getTempWallet, signWithTempWallet } from '../lib/temp';
+import { isUnlocked, getColdWalletAddress, listVaults } from '../lib/cold';
+import { reserveSpend, releaseSpend } from '../lib/sessions';
+import { getRpcUrl } from '../lib/config';
+import { logger } from '../lib/logger';
+import { hasAnyPermission, isAdmin } from '../lib/permissions';
+import { getErrorMessage, HttpError } from '../lib/error';
+import { recordTransaction, autoTrackToken } from '../lib/transactions';
+import type { AuthInfo } from '../middleware/auth';
+import type { ChainConfig } from '../lib/config';
+
+export async function handleEvmSend(
+  req: Request,
+  res: Response,
+  auth: AuthInfo,
+  targetChain: string,
+  chainConfig: ChainConfig
+): Promise<void> {
+  try {
+    const {
+      from,
+      amount,
+      value,
+      data,
+      gasLimit,
+      gasPrice,
+      maxFeePerGas,
+      maxPriorityFeePerGas,
+      nonce,
+      tokenAddress,
+      description: userDescription
+    } = req.body;
+
+    // 'to' may have been resolved by the dispatcher (ENS resolution)
+    const to = req.body.to;
+    const rawValue = amount || value;
+
+    // Parse value
+    let valueWei = BigInt(0);
+    let valueEth = 0;
+    if (rawValue) {
+      if (typeof rawValue === 'string') {
+        valueWei = BigInt(rawValue);
+      } else if (typeof rawValue === 'number') {
+        valueWei = BigInt(rawValue);
+      }
+      valueEth = parseFloat(ethers.formatEther(valueWei));
+    }
+
+    const provider = new ethers.JsonRpcProvider(await getRpcUrl(targetChain));
+
+    // Determine wallet type
+    const hotWallet = await getHotWallet(from);
+    const tempWallet = getTempWallet(from);
+
+    let txHash: string;
+
+    // Build transaction object
+    const tx: ethers.TransactionRequest = {
+      from,
+      value: valueWei
+    };
+
+    if (to) tx.to = to;
+    if (data) tx.data = data;
+    if (gasLimit) tx.gasLimit = BigInt(gasLimit);
+    if (nonce !== undefined) tx.nonce = nonce;
+
+    // Gas price settings (EIP-1559 or legacy)
+    if (maxFeePerGas) {
+      tx.maxFeePerGas = BigInt(maxFeePerGas);
+      if (maxPriorityFeePerGas) {
+        tx.maxPriorityFeePerGas = BigInt(maxPriorityFeePerGas);
+      }
+    } else if (gasPrice) {
+      tx.gasPrice = BigInt(gasPrice);
+    }
+
+    // ERC-20 token send: encode transfer(to, amount) calldata
+    const isTokenSend = !!tokenAddress;
+    if (isTokenSend) {
+      if (!to) {
+        res.status(400).json({ error: 'to address is required for token sends' });
+        return;
+      }
+      const iface = new ethers.Interface(['function transfer(address to, uint256 amount) returns (bool)']);
+      tx.data = iface.encodeFunctionData('transfer', [to, valueWei]);
+      tx.to = tokenAddress;    // send to the token contract
+      tx.value = 0n;           // no native value
+    }
+
+    // Check if this send is going to any vault's EVM address (returning funds to vault bypasses limit)
+    const coldAddress = getColdWalletAddress();
+    let isSendToVault = to && coldAddress && to.toLowerCase() === coldAddress.toLowerCase();
+    if (!isSendToVault && to) {
+      const vaults = listVaults();
+      isSendToVault = vaults.some(v => v.address.toLowerCase() === to.toLowerCase());
+    }
+
+    if (hotWallet) {
+      // Check permission
+      if (!isAdmin(auth) && !hasAnyPermission(auth.token.permissions, ['send:hot'])) {
+        logger.permissionDenied('send:hot', auth.token.agentId, '/send');
+        res.status(403).json({ error: 'Token does not have send:hot permission' });
+        return;
+      }
+
+      // Verify token can access this wallet
+      const canAccess = await tokenCanAccessWallet(auth.tokenHash, auth.token.walletAccess, from);
+      if (!isAdmin(auth) && !canAccess) {
+        logger.permissionDenied('wallet_access', auth.token.agentId, '/send');
+        res.status(403).json({ error: 'Token does not have access to this wallet' });
+        return;
+      }
+
+      // Reserve spending atomically (prevents TOCTOU race between concurrent requests)
+      // Token sends skip native spending limits (spending tokens, not ETH)
+      const needsHotLimit = !isAdmin(auth) && !isSendToVault && !isTokenSend && valueEth > 0;
+      if (needsHotLimit) {
+        const reserve = reserveSpend(auth.tokenHash, auth.token, 'send', valueEth);
+        if (!reserve.ok) {
+          logger.limitExceeded(auth.token.agentId, 'send', valueEth, reserve.remaining);
+          res.status(403).json({ error: 'Amount exceeds remaining send limit', remaining: reserve.remaining, requested: valueEth });
+          return;
+        }
+      }
+
+      if (!isUnlocked()) {
+        if (needsHotLimit) releaseSpend(auth.tokenHash, 'send', valueEth);
+        logger.authFailed('Cold wallet locked', '/send');
+        res.status(401).json({ error: 'Cold wallet must be unlocked to send from hot wallet' });
+        return;
+      }
+
+      try {
+        const result = await signWithHotWallet(from, tx, provider);
+        txHash = result.hash;
+      } catch (err) {
+        if (needsHotLimit) releaseSpend(auth.tokenHash, 'send', valueEth);
+        throw err;
+      }
+    } else if (tempWallet) {
+      // Check permission
+      if (!isAdmin(auth) && !hasAnyPermission(auth.token.permissions, ['send:temp'])) {
+        logger.permissionDenied('send:temp', auth.token.agentId, '/send');
+        res.status(403).json({ error: 'Token does not have send:temp permission' });
+        return;
+      }
+
+      // Reserve spending atomically for temp wallets too
+      // Token sends skip native spending limits (spending tokens, not ETH)
+      const needsTempLimit = !isAdmin(auth) && !isSendToVault && !isTokenSend && valueEth > 0;
+      if (needsTempLimit) {
+        const reserve = reserveSpend(auth.tokenHash, auth.token, 'send', valueEth);
+        if (!reserve.ok) {
+          logger.limitExceeded(auth.token.agentId, 'send', valueEth, reserve.remaining);
+          res.status(403).json({ error: 'Amount exceeds remaining send limit', remaining: reserve.remaining, requested: valueEth });
+          return;
+        }
+      }
+
+      try {
+        txHash = await signWithTempWallet(from, tx, provider);
+      } catch (err) {
+        if (needsTempLimit) releaseSpend(auth.tokenHash, 'send', valueEth);
+        throw err;
+      }
+    } else {
+      res.status(404).json({ error: 'Wallet not found' });
+      return;
+    }
+
+    // Log the transaction
+    const tokenAmountStr = rawValue || '0';
+    const txType = data && !isTokenSend ? 'contract' : 'send';
+    const description = userDescription || (isTokenSend
+      ? `Sent ${tokenAmountStr} tokens of ${tokenAddress} to ${to}`
+      : data
+        ? `Contract call to ${to || 'deploy'} with ${ethers.formatEther(valueWei)} ETH`
+        : `Sent ${ethers.formatEther(valueWei)} ETH to ${to}`);
+
+    await recordTransaction({
+      walletAddress: from,
+      txHash,
+      type: txType,
+      amount: isTokenSend ? undefined : ethers.formatEther(valueWei),
+      tokenAddress: isTokenSend ? tokenAddress : undefined,
+      tokenAmount: isTokenSend ? tokenAmountStr : undefined,
+      from,
+      to,
+      description,
+      chain: targetChain,
+      logTitle: isTokenSend ? 'Token Send' : data ? 'Contract Transaction' : 'Send Transaction',
+    });
+
+    // Auto-track token after successful ERC-20 send
+    if (isTokenSend) {
+      await autoTrackToken({
+        walletAddress: from,
+        tokenAddress,
+        chain: targetChain,
+      });
+    }
+
+    // Log send event (only for simple sends and token sends, not contract calls)
+    if ((!data || isTokenSend) && to) {
+      const agentId = !isAdmin(auth) ? auth.token.agentId : undefined;
+      const amountStr = isTokenSend ? `${tokenAmountStr} tokens` : ethers.formatEther(valueWei);
+      logger.send(from, to, amountStr, txHash, agentId);
+    }
+
+    const response: Record<string, unknown> = {
+      success: true,
+      hash: txHash,
+      from,
+      to: to || null,
+      chain: targetChain
+    };
+
+    if (isTokenSend) {
+      response.tokenAddress = tokenAddress;
+      response.tokenAmount = tokenAmountStr;
+    } else {
+      response.amount = ethers.formatEther(valueWei);
+      response.value = valueWei.toString();
+    }
+
+    if (data && !isTokenSend) {
+      response.type = 'contract';
+      response.data = data.slice(0, 10) + '...'; // Just show selector
+    }
+
+    res.json(response);
+  } catch (error) {
+    if (error instanceof HttpError) { res.status(error.status).json({ error: error.message }); return; }
+    res.status(400).json({ error: getErrorMessage(error) });
+  }
+}