auramaxx 1.0.0-alpha.4

package/server/routes/send-solana.ts

@@ -0,0 +1,281 @@
+import { Request, Response } from 'express';
+import { PublicKey, VersionedTransaction } from '@solana/web3.js';
+import { getMint } from '@solana/spl-token';
+import { getHotWallet, tokenCanAccessWallet } from '../lib/hot';
+import { getTempSolanaKeypair, hasTempWallet } from '../lib/temp';
+import { isUnlocked, getSolanaColdAddress, listVaults } from '../lib/cold';
+import { reserveSpend, releaseSpend } from '../lib/sessions';
+import { logger } from '../lib/logger';
+import { hasAnyPermission, isAdmin } from '../lib/permissions';
+import { getNativeAddress, getNativeCurrency } from '../lib/address';
+import { getSolanaConnection } from '../lib/solana/connection';
+import { getSolanaKeypair } from '../lib/solana/wallet';
+import { buildSolTransfer, buildSplTransfer, sendSolanaTransaction } from '../lib/solana/transfer';
+import { getErrorMessage, HttpError } from '../lib/error';
+import { recordTransaction, autoTrackToken } from '../lib/transactions';
+import type { AuthInfo } from '../middleware/auth';
+import type { ChainConfig } from '../lib/config';
+
+export async function handleSolanaSend(
+  req: Request,
+  res: Response,
+  auth: AuthInfo,
+  targetChain: string,
+  chainConfig: ChainConfig
+): Promise<void> {
+  try {
+    const {
+      from,
+      amount,
+      value,
+      data,
+      chain,
+      tokenAddress,
+      transaction: rawTransaction,
+      description: userDescription
+    } = req.body;
+
+    // 'to' may have been resolved by the dispatcher (ENS resolution)
+    const to = req.body.to;
+    const rawValue = amount || value;
+
+    // Parse value for limit checks
+    let valueWei = BigInt(0);
+    if (rawValue) {
+      valueWei = BigInt(rawValue);
+    }
+
+    // 'to' is required for simple sends, but not for raw VersionedTransaction
+    if (!rawTransaction && !to) {
+      res.status(400).json({ error: 'to address is required for Solana sends' });
+      return;
+    }
+
+    const currency = getNativeAddress(targetChain);
+    const nativeCurrency = getNativeCurrency(targetChain);
+
+    // Determine wallet type
+    const hotWallet = await getHotWallet(from);
+    const isTempWallet = hasTempWallet(from);
+
+    if (!hotWallet && !isTempWallet) {
+      res.status(404).json({ error: 'Wallet not found' });
+      return;
+    }
+
+    // Permission checks
+    if (hotWallet) {
+      if (!isAdmin(auth) && !hasAnyPermission(auth.token.permissions, ['send:hot'])) {
+        logger.permissionDenied('send:hot', auth.token.agentId, '/send');
+        res.status(403).json({ error: 'Token does not have send:hot permission' });
+        return;
+      }
+      const canAccess = await tokenCanAccessWallet(auth.tokenHash, auth.token.walletAccess, from, targetChain);
+      if (!isAdmin(auth) && !canAccess) {
+        logger.permissionDenied('wallet_access', auth.token.agentId, '/send');
+        res.status(403).json({ error: 'Token does not have access to this wallet' });
+        return;
+      }
+    } else if (isTempWallet) {
+      if (!isAdmin(auth) && !hasAnyPermission(auth.token.permissions, ['send:temp'])) {
+        logger.permissionDenied('send:temp', auth.token.agentId, '/send');
+        res.status(403).json({ error: 'Token does not have send:temp permission' });
+        return;
+      }
+    }
+
+    if (!isUnlocked()) {
+      logger.authFailed('Cold wallet locked', '/send');
+      res.status(401).json({ error: 'Cold wallet must be unlocked to send from hot wallet' });
+      return;
+    }
+
+    // Get signer keypair (shared by both raw tx and simple transfer paths)
+    let signerKeypair;
+    if (hotWallet) {
+      signerKeypair = await getSolanaKeypair(from);
+    } else {
+      signerKeypair = getTempSolanaKeypair(from);
+      if (!signerKeypair) {
+        res.status(404).json({ error: 'Temp Solana wallet not found' });
+        return;
+      }
+    }
+
+    // --- Raw VersionedTransaction path ---
+    if (rawTransaction) {
+      if (typeof rawTransaction !== 'string') {
+        res.status(400).json({ error: 'transaction must be a base64-encoded string' });
+        return;
+      }
+
+      let tx: VersionedTransaction;
+      try {
+        tx = VersionedTransaction.deserialize(Buffer.from(rawTransaction, 'base64'));
+      } catch (err) {
+        res.status(400).json({ error: 'Invalid transaction: failed to deserialize VersionedTransaction' });
+        return;
+      }
+
+      const connection = await getSolanaConnection(targetChain);
+
+      // Sign and submit
+      tx.sign([signerKeypair]);
+      const signature = await connection.sendRawTransaction(tx.serialize(), {
+        skipPreflight: false,
+        maxRetries: 2,
+      });
+      await connection.confirmTransaction(signature, 'confirmed');
+
+      // Log
+      const description = userDescription || `Program transaction from ${from}`;
+      await recordTransaction({
+        walletAddress: from,
+        txHash: signature,
+        type: 'contract',
+        amount: '0',
+        from,
+        to: to || undefined,
+        description,
+        chain: targetChain,
+        logTitle: 'Program Transaction',
+      });
+
+      res.json({
+        success: true,
+        hash: signature,
+        from,
+        chain: targetChain,
+        type: 'program'
+      });
+      return;
+    }
+
+    // --- SPL Token transfer path ---
+    if (tokenAddress) {
+      const connection = await getSolanaConnection(targetChain);
+      const fromPubkey = new PublicKey(from);
+      const toPubkey = new PublicKey(to!);
+      const mint = new PublicKey(tokenAddress);
+
+      // Resolve decimals from on-chain mint account
+      const mintInfo = await getMint(connection, mint);
+      const decimals = mintInfo.decimals;
+
+      // Token sends skip native spending limits (spending tokens, not SOL)
+      let txHash: string;
+      try {
+        const tx = await buildSplTransfer(connection, fromPubkey, toPubkey, mint, BigInt(rawValue || '0'), decimals);
+        txHash = await sendSolanaTransaction(connection, tx, signerKeypair);
+      } catch (err) {
+        throw err;
+      }
+
+      // Log
+      const tokenAmountStr = rawValue || '0';
+      const description = userDescription || `Sent ${tokenAmountStr} tokens of ${tokenAddress} to ${to}`;
+      await recordTransaction({
+        walletAddress: from,
+        txHash,
+        type: 'send',
+        tokenAddress,
+        tokenAmount: tokenAmountStr,
+        from,
+        to: to!,
+        description,
+        chain: targetChain,
+        logTitle: 'Token Send',
+      });
+
+      await autoTrackToken({
+        walletAddress: from,
+        tokenAddress,
+        chain: targetChain,
+      });
+
+      const agentId = !isAdmin(auth) ? auth.token.agentId : undefined;
+      logger.send(from, to!, `${tokenAmountStr} tokens`, txHash, agentId);
+
+      res.json({
+        success: true,
+        hash: txHash,
+        from,
+        to,
+        tokenAddress,
+        tokenAmount: tokenAmountStr,
+        chain: targetChain
+      });
+      return;
+    }
+
+    // --- Simple SOL transfer path ---
+
+    // Check if send is going to any vault's Solana address (vault bypass)
+    const solColdAddress = getSolanaColdAddress();
+    let isSendToVault = solColdAddress && to === solColdAddress;
+    if (!isSendToVault) {
+      const vaults = listVaults();
+      isSendToVault = vaults.some(v => v.solanaAddress === to);
+    }
+
+    // For Solana, convert lamports to SOL for limit checks (9 decimals, not 18)
+    const valueSol = Number(valueWei) / 1e9;
+
+    // Reserve spending atomically (prevents TOCTOU race between concurrent requests)
+    const needsLimit = !isAdmin(auth) && !isSendToVault && valueSol > 0;
+    if (needsLimit) {
+      const reserve = reserveSpend(auth.tokenHash, auth.token, 'send', valueSol, currency);
+      if (!reserve.ok) {
+        logger.limitExceeded(auth.token.agentId, 'send', valueSol, reserve.remaining);
+        res.status(403).json({ error: 'Amount exceeds remaining send limit', remaining: reserve.remaining, requested: valueSol });
+        return;
+      }
+    }
+
+    let txHash: string;
+    try {
+      const connection = await getSolanaConnection(targetChain);
+      const fromPubkey = new PublicKey(from);
+      const toPubkey = new PublicKey(to!);
+
+      // Build SOL transfer -- pass lamports directly
+      const tx = await buildSolTransfer(connection, fromPubkey, toPubkey, Number(valueWei));
+
+      txHash = await sendSolanaTransaction(connection, tx, signerKeypair);
+    } catch (err) {
+      if (needsLimit) releaseSpend(auth.tokenHash, 'send', valueSol, currency);
+      throw err;
+    }
+
+    // Log
+    const description = userDescription || `Sent ${valueSol} ${nativeCurrency} to ${to}`;
+    await recordTransaction({
+      walletAddress: from,
+      txHash,
+      type: 'send',
+      amount: valueSol.toString(),
+      from,
+      to: to!,
+      description,
+      chain: targetChain,
+      logTitle: 'Send Transaction',
+    });
+
+    if (!data) {
+      const agentId = !isAdmin(auth) ? auth.token.agentId : undefined;
+      logger.send(from, to!, valueSol.toString(), txHash, agentId);
+    }
+
+    res.json({
+      success: true,
+      hash: txHash,
+      from,
+      to,
+      amount: valueSol.toString(),
+      chain: targetChain
+    });
+  } catch (error) {
+    if (error instanceof HttpError) { res.status(error.status).json({ error: error.message }); return; }
+    res.status(400).json({ error: getErrorMessage(error) });
+  }
+}

package/server/routes/send.ts

@@ -0,0 +1,178 @@
+import { Router, Request, Response } from 'express';
+import { ethers } from 'ethers';
+import { resolveChain, getRpcUrl } from '../lib/config';
+import { requireWalletAuth } from '../middleware/auth';
+import { isSolanaChain } from '../lib/address';
+import { resolveName, looksLikeName } from '../lib/resolve';
+import { getErrorMessage, HttpError } from '../lib/error';
+import { handleSolanaSend } from './send-solana';
+import { handleEvmSend } from './send-evm';
+
+const router = Router();
+
+// POST /send - Generic transaction endpoint
+// Supports simple ETH sends and complex contract calls
+//
+// Simple send: { from, to, amount: "100000000000000000", chain }  // amount in wei or lamports
+// Contract call: { from, to, value, data, gasLimit, ... }
+//
+// Requires Bearer token authentication
+//
+// Spending limit enforced for agent tokens (send limit).
+// Sends to the cold wallet address bypass the limit (returning funds to vault).
+// Admin tokens bypass all limits.
+router.post('/', requireWalletAuth, async (req: Request, res: Response) => {
+  try {
+    const {
+      from,
+      to: rawTo,
+      amount,  // Amount in wei (EVM) or lamports (Solana)
+      value,   // Advanced mode: wei (alias for amount)
+      data,
+      tokenAddress,                  // Optional: ERC-20/SPL token contract address
+      transaction: rawTransaction,   // Solana: base64-encoded VersionedTransaction
+    } = req.body;
+
+    const auth = req.auth!;
+
+    if (!from || typeof from !== 'string') {
+      res.status(400).json({ error: 'from address is required' });
+      return;
+    }
+
+    // Token sends require 'to'
+    if (tokenAddress && !rawTo) {
+      res.status(400).json({ error: 'to address is required for token sends' });
+      return;
+    }
+
+    // Resolve ENS names (e.g. "vitalik.eth" -> "0x...")
+    let to = rawTo;
+    if (to && typeof to === 'string' && looksLikeName(to)) {
+      try {
+        const resolved = await resolveName(to);
+        to = resolved.address;
+      } catch (err) {
+        const msg = getErrorMessage(err);
+        res.status(400).json({ error: msg });
+        return;
+      }
+    }
+
+    // 'to' is optional for contract deployment
+    if (to && typeof to !== 'string') {
+      res.status(400).json({ error: 'to must be a valid address' });
+      return;
+    }
+
+    // For simple sends, 'to' is required (raw Solana transactions don't need 'to')
+    if (!data && !rawTransaction && !to) {
+      res.status(400).json({ error: 'to address is required for simple sends' });
+      return;
+    }
+
+    // Parse value - amount must be in wei (EVM) or lamports (Solana).
+    // Callers must convert before calling.
+    let valueWei = BigInt(0);
+    let valueEth = 0;
+    const rawValue = amount || value;
+
+    if (rawValue) {
+      if (typeof rawValue === 'string') {
+        valueWei = BigInt(rawValue);
+      } else if (typeof rawValue === 'number') {
+        valueWei = BigInt(rawValue);
+      }
+      valueEth = parseFloat(ethers.formatEther(valueWei));  // for limits only
+    }
+
+    // For simple native sends without data, require some value (raw Solana transactions carry value in instructions)
+    // Token sends use amount as token units, not native currency, so skip this check
+    if (!data && !rawTransaction && !tokenAddress && valueEth <= 0) {
+      res.status(400).json({ error: 'amount is required for simple sends' });
+      return;
+    }
+
+    // For token sends, require amount
+    if (tokenAddress && (!rawValue || BigInt(rawValue) <= 0n)) {
+      res.status(400).json({ error: 'amount is required for token sends' });
+      return;
+    }
+
+    // Validate data if provided
+    if (data && typeof data === 'string' && !data.startsWith('0x')) {
+      res.status(400).json({ error: 'data must be hex-encoded (start with 0x)' });
+      return;
+    }
+
+    const { targetChain, chainConfig } = resolveChain(req.body.chain);
+
+    // Mutate req.body.to so handlers see the resolved address
+    req.body.to = to;
+
+    // Dispatch to chain-specific handler
+    if (isSolanaChain(targetChain)) {
+      return handleSolanaSend(req, res, auth, targetChain, chainConfig);
+    }
+    return handleEvmSend(req, res, auth, targetChain, chainConfig);
+  } catch (error) {
+    if (error instanceof HttpError) { res.status(error.status).json({ error: error.message }); return; }
+    res.status(400).json({ error: getErrorMessage(error) });
+  }
+});
+
+// POST /send/estimate - Estimate gas for a transaction
+router.post('/estimate', async (req: Request, res: Response) => {
+  try {
+    const { from, to, amount, value, data, chain } = req.body;
+
+    if (!from || typeof from !== 'string') {
+      res.status(400).json({ error: 'from address is required' });
+      return;
+    }
+
+    const { targetChain } = resolveChain(chain);
+
+    const provider = new ethers.JsonRpcProvider(await getRpcUrl(targetChain));
+
+    // Build transaction for estimation
+    const tx: ethers.TransactionRequest = { from };
+    if (to) tx.to = to;
+
+    const rawValue = amount || value;
+    if (rawValue) {
+      tx.value = BigInt(rawValue);
+    }
+    if (data) tx.data = data;
+
+    // Estimate gas
+    const gasEstimate = await provider.estimateGas(tx);
+    const feeData = await provider.getFeeData();
+
+    const response: Record<string, unknown> = {
+      success: true,
+      gasLimit: gasEstimate.toString(),
+      gasPrice: feeData.gasPrice?.toString() || null,
+      maxFeePerGas: feeData.maxFeePerGas?.toString() || null,
+      maxPriorityFeePerGas: feeData.maxPriorityFeePerGas?.toString() || null
+    };
+
+    // Calculate estimated cost
+    if (feeData.maxFeePerGas) {
+      const estimatedCost = gasEstimate * feeData.maxFeePerGas;
+      response.estimatedCostWei = estimatedCost.toString();
+      response.estimatedCostEth = ethers.formatEther(estimatedCost);
+    } else if (feeData.gasPrice) {
+      const estimatedCost = gasEstimate * feeData.gasPrice;
+      response.estimatedCostWei = estimatedCost.toString();
+      response.estimatedCostEth = ethers.formatEther(estimatedCost);
+    }
+
+    res.json(response);
+  } catch (error) {
+    if (error instanceof HttpError) { res.status(error.status).json({ error: error.message }); return; }
+    res.status(400).json({ error: getErrorMessage(error) });
+  }
+});
+
+export default router;

package/server/routes/setup.ts

@@ -0,0 +1,210 @@
+import { Router, Request, Response } from 'express';
+import {
+  createColdWallet,
+  hasColdWallet,
+  isUnlocked,
+  getColdWalletAddress,
+  createVault,
+  importVault,
+  listVaults,
+  rotatePrimaryVaultPassword,
+} from '../lib/cold';
+import { createAdminToken } from '../lib/auth';
+import { parseEncryptedPassword } from '../lib/transport';
+import { prisma } from '../lib/db';
+import { loadConfig } from '../lib/config';
+import { logger } from '../lib/logger';
+import { requireWalletAuth } from '../middleware/auth';
+import { requireAdmin } from '../lib/permissions';
+import { isValidAgentPubkey, normalizeAgentPubkey } from '../lib/credential-transport';
+import { getErrorMessage, HttpError } from '../lib/error';
+
+const router = Router();
+
+// POST /setup - Create cold wallet with encrypted password
+router.post('/', async (req: Request, res: Response) => {
+  try {
+    const pubkey = typeof req.body?.pubkey === 'string' ? req.body.pubkey : '';
+    if (!pubkey.trim()) {
+      res.status(400).json({ error: 'pubkey is required' });
+      return;
+    }
+    if (!isValidAgentPubkey(pubkey)) {
+      res.status(400).json({ error: 'pubkey must be a valid RSA public key (PEM or base64)' });
+      return;
+    }
+    const normalizedPubkey = normalizeAgentPubkey(pubkey);
+    const password = parseEncryptedPassword(req.body.encrypted);
+
+    const result = createColdWallet(password);
+
+    // Log the setup event
+    logger.setup(result.address);
+
+    // Create admin token (vault is auto-unlocked after creation)
+    const token = await createAdminToken(normalizedPubkey);
+
+    res.json({
+      success: true,
+      address: result.address,
+      mnemonic: result.mnemonic,
+      token,
+      message: 'Cold wallet created. SAVE YOUR MNEMONIC SECURELY. It will not be shown again.'
+    });
+  } catch (error) {
+    if (error instanceof HttpError) { res.status(error.status).json({ error: error.message }); return; }
+    res.status(400).json({ error: getErrorMessage(error) });
+  }
+});
+
+// GET /setup - Check setup status (includes adapter/key status for agents)
+router.get('/', async (_req: Request, res: Response) => {
+  try {
+    const hasWallet = hasColdWallet();
+    const unlocked = isUnlocked();
+    const address = getColdWalletAddress();
+    const config = loadConfig();
+
+    // Check which API keys are configured
+    const apiKeys = await prisma.apiKey.findMany({
+      where: { isActive: true },
+      select: { service: true },
+    });
+    const apiKeyServices = new Set(apiKeys.map((k) => k.service));
+
+    // Check adapter config
+    let telegramEnabled = false;
+    let webhookEnabled = false;
+    try {
+      const appConfig = await prisma.appConfig.findUnique({ where: { id: 'global' } });
+      if (appConfig?.adapterConfig) {
+        const parsed = JSON.parse(appConfig.adapterConfig);
+        const adapters: Array<{ type: string; enabled: boolean }> = parsed.adapters || [];
+        telegramEnabled = adapters.some((a) => a.type === 'telegram' && a.enabled);
+        webhookEnabled = adapters.some((a) => a.type === 'webhook' && a.enabled);
+      }
+    } catch {
+      // Ignore parse errors
+    }
+
+    res.json({
+      hasWallet,
+      unlocked,
+      address,
+      adapters: {
+        telegram: telegramEnabled,
+        webhook: webhookEnabled,
+      },
+      apiKeys: {
+        alchemy: apiKeyServices.has('alchemy'),
+        anthropic: apiKeyServices.has('anthropic'),
+      },
+      defaultChain: config.defaultChain,
+    });
+  } catch (error) {
+    res.status(500).json({ error: getErrorMessage(error) });
+  }
+});
+
+// POST /setup/vault - Create additional vault (requires admin + unlocked primary)
+router.post('/vault', requireWalletAuth, requireAdmin, (req: Request, res: Response) => {
+  try {
+    const { name } = req.body;
+    const password = parseEncryptedPassword(req.body.encrypted);
+
+    if (!isUnlocked()) {
+      res.status(401).json({ error: 'Primary vault must be unlocked to create additional vaults' });
+      return;
+    }
+
+    const result = createVault(password, name);
+
+    logger.setup(result.address);
+
+    res.json({
+      success: true,
+      id: result.id,
+      address: result.address,
+      solanaAddress: result.solanaAddress,
+      mnemonic: result.mnemonic,
+      name: result.name,
+      message: 'Vault created. SAVE YOUR MNEMONIC SECURELY. It will not be shown again.'
+    });
+  } catch (error) {
+    if (error instanceof HttpError) { res.status(error.status).json({ error: error.message }); return; }
+    res.status(400).json({ error: getErrorMessage(error) });
+  }
+});
+
+// POST /setup/vault/import - Import vault from seed (requires admin + unlocked primary)
+router.post('/vault/import', requireWalletAuth, requireAdmin, (req: Request, res: Response) => {
+  try {
+    const { mnemonic, name } = req.body;
+
+    if (!mnemonic || typeof mnemonic !== 'string') {
+      res.status(400).json({ error: 'Seed phrase (mnemonic) is required' });
+      return;
+    }
+
+    const password = parseEncryptedPassword(req.body.encrypted);
+
+    if (!isUnlocked()) {
+      res.status(401).json({ error: 'Primary vault must be unlocked to import additional vaults' });
+      return;
+    }
+
+    const result = importVault(mnemonic, password, name);
+
+    logger.setup(result.address);
+
+    res.json({
+      success: true,
+      id: result.id,
+      address: result.address,
+      solanaAddress: result.solanaAddress,
+      name: result.name,
+      message: 'Vault imported successfully'
+    });
+  } catch (error) {
+    if (error instanceof HttpError) { res.status(error.status).json({ error: error.message }); return; }
+    res.status(400).json({ error: getErrorMessage(error) });
+  }
+});
+
+// GET /setup/vaults - List all vaults
+router.get('/vaults', (_req: Request, res: Response) => {
+  const vaults = listVaults();
+  res.json({ vaults });
+});
+
+// POST /setup/password - Rotate primary vault password (admin)
+router.post('/password', requireWalletAuth, requireAdmin, (req: Request, res: Response) => {
+  try {
+    const currentPassword = parseEncryptedPassword(req.body.currentEncrypted);
+    const newPassword = parseEncryptedPassword(req.body.newEncrypted);
+
+    if (newPassword.length < 8) {
+      res.status(400).json({ error: 'Password must be at least 8 characters' });
+      return;
+    }
+
+    const changed = rotatePrimaryVaultPassword(currentPassword, newPassword);
+    if (!changed) {
+      res.status(401).json({ error: 'Invalid current password' });
+      return;
+    }
+
+    res.json({
+      success: true,
+      message: 'Primary vault password updated',
+    });
+  } catch (error) {
+    if (error instanceof HttpError) {
+      res.status(error.status).json({ error: error.message });
+      return;
+    }
+    res.status(400).json({ error: getErrorMessage(error) });
+  }
+});
+
+export default router;