npm - @wlfi-agent/cli - Versions diffs - 1.4.12 → 1.4.14 - Mend

@wlfi-agent/cli 1.4.12 → 1.4.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (289) hide show

package/Cargo.lock +3968 -0
package/Cargo.toml +50 -0
package/README.md +426 -6
package/crates/vault-cli-admin/Cargo.toml +26 -0
package/crates/vault-cli-admin/src/io_utils.rs +500 -0
package/crates/vault-cli-admin/src/main.rs +3990 -0
package/crates/vault-cli-admin/src/shared_config.rs +624 -0
package/crates/vault-cli-admin/src/tui/amounts.rs +180 -0
package/crates/vault-cli-admin/src/tui/token_rpc.rs +250 -0
package/crates/vault-cli-admin/src/tui/utils.rs +82 -0
package/crates/vault-cli-admin/src/tui.rs +3410 -0
package/crates/vault-cli-agent/Cargo.toml +24 -0
package/crates/vault-cli-agent/src/io_utils.rs +576 -0
package/crates/vault-cli-agent/src/main.rs +833 -0
package/crates/vault-cli-daemon/Cargo.toml +28 -0
package/crates/vault-cli-daemon/src/bin/wlfi-agent-system-keychain.rs +216 -0
package/crates/vault-cli-daemon/src/main.rs +644 -0
package/crates/vault-cli-daemon/src/relay_sync.rs +894 -0
package/crates/vault-cli-daemon/tests/system_keychain_helper_acl.rs +167 -0
package/crates/vault-daemon/Cargo.toml +32 -0
package/crates/vault-daemon/src/daemon_parts/api_impl_and_utils.rs +1041 -0
package/crates/vault-daemon/src/daemon_parts/core_helpers.rs +1256 -0
package/crates/vault-daemon/src/daemon_parts/types_api_rpc.rs +622 -0
package/crates/vault-daemon/src/lib.rs +54 -0
package/crates/vault-daemon/src/persistence.rs +441 -0
package/crates/vault-daemon/src/tests.rs +237 -0
package/crates/vault-daemon/src/tests_parts/part1.rs +1224 -0
package/crates/vault-daemon/src/tests_parts/part2.rs +1021 -0
package/crates/vault-daemon/src/tests_parts/part3.rs +835 -0
package/crates/vault-daemon/src/tests_parts/part4.rs +604 -0
package/crates/vault-domain/Cargo.toml +20 -0
package/crates/vault-domain/src/action.rs +849 -0
package/crates/vault-domain/src/address.rs +51 -0
package/crates/vault-domain/src/approval.rs +90 -0
package/crates/vault-domain/src/constants.rs +4 -0
package/crates/vault-domain/src/error.rs +54 -0
package/crates/vault-domain/src/keys.rs +71 -0
package/crates/vault-domain/src/lib.rs +42 -0
package/crates/vault-domain/src/nonce.rs +102 -0
package/crates/vault-domain/src/policy.rs +172 -0
package/crates/vault-domain/src/request.rs +53 -0
package/crates/vault-domain/src/scope.rs +24 -0
package/crates/vault-domain/src/session.rs +50 -0
package/crates/vault-domain/src/signature.rs +34 -0
package/crates/vault-domain/src/tests.rs +651 -0
package/crates/vault-domain/src/u128_as_decimal_string.rs +44 -0
package/crates/vault-policy/Cargo.toml +17 -0
package/crates/vault-policy/src/engine.rs +301 -0
package/crates/vault-policy/src/error.rs +81 -0
package/crates/vault-policy/src/lib.rs +17 -0
package/crates/vault-policy/src/report.rs +34 -0
package/crates/vault-policy/src/tests.rs +891 -0
package/crates/vault-policy/src/tests_explain.rs +78 -0
package/crates/vault-sdk-agent/Cargo.toml +21 -0
package/crates/vault-sdk-agent/src/lib.rs +711 -0
package/crates/vault-signer/Cargo.toml +25 -0
package/crates/vault-signer/src/lib.rs +731 -0
package/crates/vault-signer/tests/secure_enclave_acl.rs +54 -0
package/crates/vault-transport-unix/Cargo.toml +24 -0
package/crates/vault-transport-unix/src/lib.rs +1640 -0
package/crates/vault-transport-xpc/Cargo.toml +25 -0
package/crates/vault-transport-xpc/src/client_codec_api.rs +635 -0
package/crates/vault-transport-xpc/src/lib.rs +680 -0
package/crates/vault-transport-xpc/src/tests.rs +818 -0
package/crates/vault-transport-xpc/tests/e2e_flow.rs +773 -0
package/dist/cli.cjs +35088 -0
package/dist/cli.cjs.map +1 -0
package/package.json +49 -43
package/packages/cache/.turbo/turbo-build.log +52 -0
package/packages/cache/dist/chunk-2QFWMUXT.cjs +43 -0
package/packages/cache/dist/chunk-2QFWMUXT.cjs.map +1 -0
package/packages/cache/dist/chunk-4U63TZTQ.js +43 -0
package/packages/cache/dist/chunk-4U63TZTQ.js.map +1 -0
package/packages/cache/dist/chunk-ALQ6H7KG.cjs +404 -0
package/packages/cache/dist/chunk-ALQ6H7KG.cjs.map +1 -0
package/packages/cache/dist/chunk-FGJEEF5N.js +404 -0
package/packages/cache/dist/chunk-FGJEEF5N.js.map +1 -0
package/packages/cache/dist/chunk-UYNEHZHB.cjs +45 -0
package/packages/cache/dist/chunk-UYNEHZHB.cjs.map +1 -0
package/packages/cache/dist/chunk-VXVMPG3W.js +45 -0
package/packages/cache/dist/chunk-VXVMPG3W.js.map +1 -0
package/packages/cache/dist/client/index.cjs +11 -0
package/packages/cache/dist/client/index.cjs.map +1 -0
package/packages/cache/dist/client/index.d.cts +15 -0
package/packages/cache/dist/client/index.d.ts +15 -0
package/packages/cache/dist/client/index.js +11 -0
package/packages/cache/dist/client/index.js.map +1 -0
package/packages/cache/dist/errors/index.cjs +11 -0
package/packages/cache/dist/errors/index.cjs.map +1 -0
package/packages/cache/dist/errors/index.d.cts +26 -0
package/packages/cache/dist/errors/index.d.ts +26 -0
package/packages/cache/dist/errors/index.js +11 -0
package/packages/cache/dist/errors/index.js.map +1 -0
package/packages/cache/dist/index.cjs +29 -0
package/packages/cache/dist/index.cjs.map +1 -0
package/packages/cache/dist/index.d.cts +4 -0
package/packages/cache/dist/index.d.ts +4 -0
package/packages/cache/dist/index.js +29 -0
package/packages/cache/dist/index.js.map +1 -0
package/packages/cache/dist/service/index.cjs +15 -0
package/packages/cache/dist/service/index.cjs.map +1 -0
package/packages/cache/dist/service/index.d.cts +184 -0
package/packages/cache/dist/service/index.d.ts +184 -0
package/packages/cache/dist/service/index.js +15 -0
package/packages/cache/dist/service/index.js.map +1 -0
package/packages/cache/node_modules/.bin/jiti +17 -0
package/packages/cache/node_modules/.bin/tsc +17 -0
package/packages/cache/node_modules/.bin/tsserver +17 -0
package/packages/cache/node_modules/.bin/tsup +17 -0
package/packages/cache/node_modules/.bin/tsup-node +17 -0
package/packages/cache/node_modules/.bin/tsx +17 -0
package/packages/cache/node_modules/.bin/vitest +17 -0
package/packages/cache/package.json +48 -0
package/packages/cache/src/client/index.ts +56 -0
package/packages/cache/src/errors/index.ts +53 -0
package/packages/cache/src/index.ts +3 -0
package/packages/cache/src/service/index.test.ts +263 -0
package/packages/cache/src/service/index.ts +678 -0
package/packages/cache/tsconfig.json +13 -0
package/packages/cache/tsup.config.ts +13 -0
package/packages/cache/vitest.config.ts +16 -0
package/packages/config/.turbo/turbo-build.log +18 -0
package/packages/config/dist/index.cjs +1037 -0
package/packages/config/dist/index.cjs.map +1 -0
package/packages/config/dist/index.d.ts +131 -0
package/packages/config/node_modules/.bin/jiti +17 -0
package/packages/config/node_modules/.bin/tsc +17 -0
package/packages/config/node_modules/.bin/tsserver +17 -0
package/packages/config/node_modules/.bin/tsup +17 -0
package/packages/config/node_modules/.bin/tsup-node +17 -0
package/packages/config/node_modules/.bin/tsx +17 -0
package/packages/config/package.json +21 -0
package/packages/config/src/index.js +1 -0
package/packages/config/src/index.ts +1282 -0
package/packages/config/tsconfig.json +4 -0
package/packages/rpc/.turbo/turbo-build.log +32 -0
package/packages/rpc/dist/_esm-BCLXDO2R.cjs +3660 -0
package/packages/rpc/dist/_esm-BCLXDO2R.cjs.map +1 -0
package/packages/rpc/dist/ccip-OWJLAW55.cjs +16 -0
package/packages/rpc/dist/ccip-OWJLAW55.cjs.map +1 -0
package/packages/rpc/dist/chunk-APQIFZ3B.cjs +6247 -0
package/packages/rpc/dist/chunk-APQIFZ3B.cjs.map +1 -0
package/packages/rpc/dist/chunk-CDO2GWRD.cjs +410 -0
package/packages/rpc/dist/chunk-CDO2GWRD.cjs.map +1 -0
package/packages/rpc/dist/chunk-QGTNTFJ7.cjs +2249 -0
package/packages/rpc/dist/chunk-QGTNTFJ7.cjs.map +1 -0
package/packages/rpc/dist/chunk-TZDTAHWR.cjs +44 -0
package/packages/rpc/dist/chunk-TZDTAHWR.cjs.map +1 -0
package/packages/rpc/dist/index.cjs +7342 -0
package/packages/rpc/dist/index.cjs.map +1 -0
package/packages/rpc/dist/index.d.ts +3857 -0
package/packages/rpc/dist/secp256k1-WCNM675D.cjs +18 -0
package/packages/rpc/dist/secp256k1-WCNM675D.cjs.map +1 -0
package/packages/rpc/node_modules/.bin/jiti +17 -0
package/packages/rpc/node_modules/.bin/tsc +17 -0
package/packages/rpc/node_modules/.bin/tsserver +17 -0
package/packages/rpc/node_modules/.bin/tsup +17 -0
package/packages/rpc/node_modules/.bin/tsup-node +17 -0
package/packages/rpc/node_modules/.bin/tsx +17 -0
package/packages/rpc/package.json +25 -0
package/packages/rpc/src/index.ts +206 -0
package/packages/rpc/tsconfig.json +4 -0
package/packages/typescript/base.json +36 -0
package/packages/typescript/nextjs.json +17 -0
package/packages/typescript/package.json +10 -0
package/packages/ui/.turbo/turbo-build.log +44 -0
package/packages/ui/dist/chunk-MOAFBKSA.js +11 -0
package/packages/ui/dist/chunk-MOAFBKSA.js.map +1 -0
package/packages/ui/dist/components/badge.d.ts +12 -0
package/packages/ui/dist/components/badge.js +31 -0
package/packages/ui/dist/components/badge.js.map +1 -0
package/packages/ui/dist/components/button.d.ts +13 -0
package/packages/ui/dist/components/button.js +40 -0
package/packages/ui/dist/components/button.js.map +1 -0
package/packages/ui/dist/components/card.d.ts +10 -0
package/packages/ui/dist/components/card.js +39 -0
package/packages/ui/dist/components/card.js.map +1 -0
package/packages/ui/dist/components/input.d.ts +5 -0
package/packages/ui/dist/components/input.js +28 -0
package/packages/ui/dist/components/input.js.map +1 -0
package/packages/ui/dist/components/label.d.ts +5 -0
package/packages/ui/dist/components/label.js +13 -0
package/packages/ui/dist/components/label.js.map +1 -0
package/packages/ui/dist/components/separator.d.ts +5 -0
package/packages/ui/dist/components/separator.js +13 -0
package/packages/ui/dist/components/separator.js.map +1 -0
package/packages/ui/dist/components/textarea.d.ts +5 -0
package/packages/ui/dist/components/textarea.js +27 -0
package/packages/ui/dist/components/textarea.js.map +1 -0
package/packages/ui/dist/tailwind.d.ts +56 -0
package/packages/ui/dist/tailwind.js +60 -0
package/packages/ui/dist/tailwind.js.map +1 -0
package/packages/ui/dist/utils/cn.d.ts +5 -0
package/packages/ui/dist/utils/cn.js +7 -0
package/packages/ui/dist/utils/cn.js.map +1 -0
package/packages/ui/node_modules/.bin/jiti +17 -0
package/packages/ui/node_modules/.bin/tsc +17 -0
package/packages/ui/node_modules/.bin/tsserver +17 -0
package/packages/ui/node_modules/.bin/tsup +17 -0
package/packages/ui/node_modules/.bin/tsup-node +17 -0
package/packages/ui/node_modules/.bin/tsx +17 -0
package/packages/ui/package.json +69 -0
package/packages/ui/src/components/badge.tsx +27 -0
package/packages/ui/src/components/button.tsx +40 -0
package/packages/ui/src/components/card.tsx +31 -0
package/packages/ui/src/components/input.tsx +21 -0
package/packages/ui/src/components/label.tsx +6 -0
package/packages/ui/src/components/separator.tsx +6 -0
package/packages/ui/src/components/textarea.tsx +20 -0
package/packages/ui/src/globals.css +70 -0
package/packages/ui/src/tailwind.ts +56 -0
package/packages/ui/src/utils/cn.ts +6 -0
package/packages/ui/tsconfig.json +20 -0
package/packages/ui/tsup.config.ts +20 -0
package/pnpm-workspace.yaml +4 -0
package/scripts/install-rust-binaries.mjs +84 -0
package/scripts/launchd/install-user-daemon.sh +358 -0
package/scripts/launchd/run-vault-daemon.sh +5 -0
package/scripts/launchd/run-wlfi-agent-daemon.sh +73 -0
package/scripts/launchd/uninstall-user-daemon.sh +103 -0
package/src/cli.ts +2121 -0
package/src/lib/admin-guard.js +1 -0
package/src/lib/admin-guard.ts +185 -0
package/src/lib/admin-passthrough.ts +33 -0
package/src/lib/admin-reset.ts +751 -0
package/src/lib/admin-setup.ts +1612 -0
package/src/lib/agent-auth-clear.js +1 -0
package/src/lib/agent-auth-clear.ts +58 -0
package/src/lib/agent-auth-forwarding.js +1 -0
package/src/lib/agent-auth-forwarding.ts +149 -0
package/src/lib/agent-auth-migrate.js +1 -0
package/src/lib/agent-auth-migrate.ts +150 -0
package/src/lib/agent-auth-revoke.ts +103 -0
package/src/lib/agent-auth-rotate.ts +107 -0
package/src/lib/agent-auth-token.js +1 -0
package/src/lib/agent-auth-token.ts +25 -0
package/src/lib/agent-auth.ts +89 -0
package/src/lib/asset-broadcast.js +1 -0
package/src/lib/asset-broadcast.ts +285 -0
package/src/lib/bootstrap-artifacts.js +1 -0
package/src/lib/bootstrap-artifacts.ts +205 -0
package/src/lib/bootstrap-credentials.js +1 -0
package/src/lib/bootstrap-credentials.ts +832 -0
package/src/lib/config-amounts.js +1 -0
package/src/lib/config-amounts.ts +189 -0
package/src/lib/config-mutation.ts +27 -0
package/src/lib/fs-trust.js +1 -0
package/src/lib/fs-trust.ts +537 -0
package/src/lib/keychain.js +1 -0
package/src/lib/keychain.ts +225 -0
package/src/lib/local-admin-access.ts +106 -0
package/src/lib/network-selection.js +1 -0
package/src/lib/network-selection.ts +71 -0
package/src/lib/passthrough-security.js +1 -0
package/src/lib/passthrough-security.ts +114 -0
package/src/lib/rpc-guard.js +1 -0
package/src/lib/rpc-guard.ts +7 -0
package/src/lib/rust-spawn-options.js +1 -0
package/src/lib/rust-spawn-options.ts +98 -0
package/src/lib/rust.js +1 -0
package/src/lib/rust.ts +143 -0
package/src/lib/signed-tx.js +1 -0
package/src/lib/signed-tx.ts +116 -0
package/src/lib/status-repair-cli.ts +116 -0
package/src/lib/sudo.js +1 -0
package/src/lib/sudo.ts +172 -0
package/src/lib/vault-password-forwarding.js +1 -0
package/src/lib/vault-password-forwarding.ts +155 -0
package/src/lib/wallet-profile.js +1 -0
package/src/lib/wallet-profile.ts +332 -0
package/src/lib/wallet-repair.js +1 -0
package/src/lib/wallet-repair.ts +304 -0
package/src/lib/wallet-setup.js +1 -0
package/src/lib/wallet-setup.ts +1466 -0
package/src/lib/wallet-status.js +1 -0
package/src/lib/wallet-status.ts +640 -0
package/tsconfig.base.json +17 -0
package/tsconfig.json +10 -0
package/tsup.config.ts +25 -0
package/turbo.json +41 -0
package/LICENSE.md +0 -1
package/dist/wlfa/index.cjs +0 -250
package/dist/wlfa/index.d.cts +0 -1
package/dist/wlfa/index.d.ts +0 -1
package/dist/wlfa/index.js +0 -250
package/dist/wlfc/index.cjs +0 -1894
package/dist/wlfc/index.d.cts +0 -1
package/dist/wlfc/index.d.ts +0 -1
package/dist/wlfc/index.js +0 -1894

package/crates/vault-transport-xpc/src/lib.rs ADDED Viewed

@@ -0,0 +1,680 @@
+//! XPC transport adapter for daemon RPC calls.
+//!
+//! This crate uses Apple XPC primitives to exchange typed daemon RPC messages
+//! between a server and a client.
+use std::collections::HashMap;
+use std::ffi::{CStr, CString};
+use std::fmt;
+use std::os::raw::{c_char, c_void};
+use std::ptr;
+use std::sync::mpsc::{self, Receiver};
+use std::sync::{Arc, Mutex};
+use std::time::Duration;
+use async_trait::async_trait;
+use serde::{Deserialize, Serialize};
+use thiserror::Error;
+use tokio::runtime::Handle;
+use uuid::Uuid;
+use vault_daemon::{
+    DaemonError, DaemonRpcRequest, DaemonRpcResponse, InMemoryDaemon, KeyManagerDaemonApi,
+};
+use vault_domain::{
+    AdminSession, AgentCredentials, Lease, ManualApprovalDecision, ManualApprovalRequest,
+    NonceReleaseRequest, NonceReservation, NonceReservationRequest, PolicyAttachment, RelayConfig,
+    SignRequest, Signature, SpendingPolicy, VaultKey,
+};
+use vault_policy::{PolicyError, PolicyEvaluation, PolicyExplanation};
+use vault_signer::{KeyCreateRequest, SignerError, VaultSignerBackend};
+use zeroize::Zeroize;
+#[cfg(target_os = "macos")]
+use block::{Block, ConcreteBlock, RcBlock};
+#[cfg(target_os = "macos")]
+use security_framework::os::macos::code_signing::{
+    Flags as CodeSignFlags, GuestAttributes, SecCode, SecRequirement,
+};
+#[cfg(target_os = "macos")]
+type XpcObject = *mut c_void;
+#[cfg(target_os = "macos")]
+type XpcConnection = *mut c_void;
+#[cfg(target_os = "macos")]
+type DispatchQueue = *mut c_void;
+#[cfg(target_os = "macos")]
+type XpcType = *const c_void;
+#[cfg(target_os = "macos")]
+type PeerBlocks = Arc<Mutex<HashMap<usize, SendablePeerBlock>>>;
+#[cfg(target_os = "macos")]
+const DISPATCH_QUEUE_PRIORITY_DEFAULT: isize = 0;
+/// Wrapper for copied peer callback blocks stored by the server.
+///
+/// The underlying copied Objective-C block is heap-managed by Apple runtime and
+/// can be retained/released across threads. Access to the map is synchronized by
+/// a mutex, and blocks are only invoked by XPC runtime callbacks.
+#[cfg(target_os = "macos")]
+struct SendablePeerBlock {
+    _block: RcBlock<(XpcObject,), ()>,
+}
+// SAFETY: copied Objective-C blocks are reference-counted runtime objects that
+// are designed for cross-thread ownership transfer.
+#[cfg(target_os = "macos")]
+unsafe impl Send for SendablePeerBlock {}
+// SAFETY: all shared access is mediated by synchronization on the block map.
+#[cfg(target_os = "macos")]
+unsafe impl Sync for SendablePeerBlock {}
+#[cfg(target_os = "macos")]
+unsafe extern "C" {
+    fn xpc_connection_create(name: *const c_char, target_queue: DispatchQueue) -> XpcConnection;
+    fn xpc_connection_create_from_endpoint(endpoint: XpcObject) -> XpcConnection;
+    fn xpc_endpoint_create(connection: XpcConnection) -> XpcObject;
+    fn xpc_connection_set_event_handler(connection: XpcConnection, handler: *mut c_void);
+    fn xpc_connection_resume(connection: XpcConnection);
+    fn xpc_connection_cancel(connection: XpcConnection);
+    fn xpc_connection_send_message(connection: XpcConnection, message: XpcObject);
+    fn xpc_connection_get_euid(connection: XpcConnection) -> libc::uid_t;
+    fn xpc_connection_get_pid(connection: XpcConnection) -> libc::pid_t;
+    fn xpc_dictionary_create(
+        keys: *const *const c_char,
+        values: *const XpcObject,
+        count: usize,
+    ) -> XpcObject;
+    fn xpc_dictionary_set_string(dict: XpcObject, key: *const c_char, value: *const c_char);
+    fn xpc_dictionary_set_bool(dict: XpcObject, key: *const c_char, value: bool);
+    fn xpc_dictionary_get_string(dict: XpcObject, key: *const c_char) -> *const c_char;
+    fn xpc_dictionary_get_bool(dict: XpcObject, key: *const c_char) -> bool;
+    fn xpc_get_type(object: XpcObject) -> XpcType;
+    fn xpc_retain(object: XpcObject) -> XpcObject;
+    fn xpc_release(object: XpcObject);
+    static _xpc_type_dictionary: c_void;
+    static _xpc_type_connection: c_void;
+}
+#[cfg(target_os = "macos")]
+#[link(name = "System", kind = "dylib")]
+unsafe extern "C" {
+    fn dispatch_get_global_queue(identifier: isize, flags: usize) -> DispatchQueue;
+}
+/// Errors returned by XPC transport.
+#[derive(Debug, Error)]
+pub enum XpcTransportError {
+    /// XPC is unavailable on this platform.
+    #[error("xpc transport is supported only on macOS")]
+    UnsupportedPlatform,
+    /// Message serialization or deserialization failed.
+    #[error("serialization error: {0}")]
+    Serialization(String),
+    /// Protocol-level violation.
+    #[error("protocol error: {0}")]
+    Protocol(String),
+    /// Underlying daemon returned an error.
+    #[error("daemon error: {0}")]
+    Daemon(#[from] DaemonError),
+    /// Timed out waiting for response.
+    #[error("timed out waiting for xpc response")]
+    Timeout,
+    /// Daemon server must run as root for hardened local-access boundary.
+    #[error("xpc daemon server must run as root (euid 0)")]
+    RequiresRoot,
+    /// Code-signing policy was invalid or client failed requirement checks.
+    #[error("code-signing authorization error: {0}")]
+    CodeSigning(String),
+    /// Other transport failures.
+    #[error("transport internal error: {0}")]
+    Internal(String),
+}
+#[derive(Debug, Clone, Serialize, Deserialize)]
+struct WireRequest {
+    request_id: String,
+    body_json: String,
+}
+#[derive(Debug, Clone, Serialize, Deserialize)]
+struct WireResponse {
+    request_id: String,
+    ok: bool,
+    body_json: String,
+}
+#[cfg(target_os = "macos")]
+#[derive(Debug)]
+enum IncomingWireMessage {
+    Response(WireResponse),
+    DecodeError(XpcTransportError),
+}
+const MAX_WIRE_BODY_BYTES: usize = 256 * 1024;
+const MAX_WIRE_REQUEST_ID_BYTES: usize = 128;
+#[derive(Debug, Clone, Serialize, Deserialize)]
+#[serde(tag = "kind", content = "data")]
+enum WireDaemonError {
+    AuthenticationFailed,
+    UnknownLease,
+    InvalidLease,
+    TooManyActiveLeases,
+    UnknownVaultKey(Uuid),
+    UnknownAgentKey(Uuid),
+    UnknownPolicy(Uuid),
+    UnknownManualApprovalRequest(Uuid),
+    AgentAuthenticationFailed,
+    PayloadActionMismatch,
+    PayloadTooLarge {
+        max_bytes: usize,
+    },
+    InvalidRequestTimestamps,
+    RequestExpired,
+    RequestReplayDetected,
+    InvalidPolicyAttachment(String),
+    InvalidNonceReservation(String),
+    UnknownNonceReservation(Uuid),
+    MissingNonceReservation {
+        chain_id: u64,
+        nonce: u64,
+    },
+    InvalidPolicy(String),
+    InvalidRelayConfig(String),
+    ManualApprovalRequired {
+        approval_request_id: Uuid,
+        relay_url: Option<String>,
+        frontend_url: Option<String>,
+    },
+    ManualApprovalRejected {
+        approval_request_id: Uuid,
+    },
+    Policy(PolicyError),
+    Signer(SignerError),
+    PasswordHash(String),
+    InvalidConfig(String),
+    LockPoisoned,
+    Transport(String),
+    Persistence(String),
+}
+impl From<DaemonError> for WireDaemonError {
+    fn from(value: DaemonError) -> Self {
+        match value {
+            DaemonError::AuthenticationFailed => Self::AuthenticationFailed,
+            DaemonError::UnknownLease => Self::UnknownLease,
+            DaemonError::InvalidLease => Self::InvalidLease,
+            DaemonError::TooManyActiveLeases => Self::TooManyActiveLeases,
+            DaemonError::UnknownVaultKey(id) => Self::UnknownVaultKey(id),
+            DaemonError::UnknownAgentKey(id) => Self::UnknownAgentKey(id),
+            DaemonError::UnknownPolicy(id) => Self::UnknownPolicy(id),
+            DaemonError::UnknownManualApprovalRequest(id) => Self::UnknownManualApprovalRequest(id),
+            DaemonError::AgentAuthenticationFailed => Self::AgentAuthenticationFailed,
+            DaemonError::PayloadActionMismatch => Self::PayloadActionMismatch,
+            DaemonError::PayloadTooLarge { max_bytes } => Self::PayloadTooLarge { max_bytes },
+            DaemonError::InvalidRequestTimestamps => Self::InvalidRequestTimestamps,
+            DaemonError::RequestExpired => Self::RequestExpired,
+            DaemonError::RequestReplayDetected => Self::RequestReplayDetected,
+            DaemonError::InvalidPolicyAttachment(msg) => Self::InvalidPolicyAttachment(msg),
+            DaemonError::InvalidNonceReservation(msg) => Self::InvalidNonceReservation(msg),
+            DaemonError::UnknownNonceReservation(id) => Self::UnknownNonceReservation(id),
+            DaemonError::MissingNonceReservation { chain_id, nonce } => {
+                Self::MissingNonceReservation { chain_id, nonce }
+            }
+            DaemonError::InvalidPolicy(msg) => Self::InvalidPolicy(msg),
+            DaemonError::InvalidRelayConfig(msg) => Self::InvalidRelayConfig(msg),
+            DaemonError::ManualApprovalRequired {
+                approval_request_id,
+                relay_url,
+                frontend_url,
+            } => Self::ManualApprovalRequired {
+                approval_request_id,
+                relay_url,
+                frontend_url,
+            },
+            DaemonError::ManualApprovalRejected {
+                approval_request_id,
+            } => Self::ManualApprovalRejected {
+                approval_request_id,
+            },
+            DaemonError::Policy(err) => Self::Policy(err),
+            DaemonError::Signer(err) => Self::Signer(err),
+            DaemonError::PasswordHash(msg) => Self::PasswordHash(msg),
+            DaemonError::InvalidConfig(msg) => Self::InvalidConfig(msg),
+            DaemonError::LockPoisoned => Self::LockPoisoned,
+            DaemonError::Transport(msg) => Self::Transport(msg),
+            DaemonError::Persistence(msg) => Self::Persistence(msg),
+        }
+    }
+}
+impl WireDaemonError {
+    fn into_daemon_error(self) -> DaemonError {
+        match self {
+            WireDaemonError::AuthenticationFailed => DaemonError::AuthenticationFailed,
+            WireDaemonError::UnknownLease => DaemonError::UnknownLease,
+            WireDaemonError::InvalidLease => DaemonError::InvalidLease,
+            WireDaemonError::TooManyActiveLeases => DaemonError::TooManyActiveLeases,
+            WireDaemonError::UnknownVaultKey(id) => DaemonError::UnknownVaultKey(id),
+            WireDaemonError::UnknownAgentKey(id) => DaemonError::UnknownAgentKey(id),
+            WireDaemonError::UnknownPolicy(id) => DaemonError::UnknownPolicy(id),
+            WireDaemonError::UnknownManualApprovalRequest(id) => {
+                DaemonError::UnknownManualApprovalRequest(id)
+            }
+            WireDaemonError::AgentAuthenticationFailed => DaemonError::AgentAuthenticationFailed,
+            WireDaemonError::PayloadActionMismatch => DaemonError::PayloadActionMismatch,
+            WireDaemonError::PayloadTooLarge { max_bytes } => {
+                DaemonError::PayloadTooLarge { max_bytes }
+            }
+            WireDaemonError::InvalidRequestTimestamps => DaemonError::InvalidRequestTimestamps,
+            WireDaemonError::RequestExpired => DaemonError::RequestExpired,
+            WireDaemonError::RequestReplayDetected => DaemonError::RequestReplayDetected,
+            WireDaemonError::InvalidPolicyAttachment(msg) => {
+                DaemonError::InvalidPolicyAttachment(msg)
+            }
+            WireDaemonError::InvalidNonceReservation(msg) => {
+                DaemonError::InvalidNonceReservation(msg)
+            }
+            WireDaemonError::UnknownNonceReservation(id) => {
+                DaemonError::UnknownNonceReservation(id)
+            }
+            WireDaemonError::MissingNonceReservation { chain_id, nonce } => {
+                DaemonError::MissingNonceReservation { chain_id, nonce }
+            }
+            WireDaemonError::InvalidPolicy(msg) => DaemonError::InvalidPolicy(msg),
+            WireDaemonError::InvalidRelayConfig(msg) => DaemonError::InvalidRelayConfig(msg),
+            WireDaemonError::ManualApprovalRequired {
+                approval_request_id,
+                relay_url,
+                frontend_url,
+            } => DaemonError::ManualApprovalRequired {
+                approval_request_id,
+                relay_url,
+                frontend_url,
+            },
+            WireDaemonError::ManualApprovalRejected {
+                approval_request_id,
+            } => DaemonError::ManualApprovalRejected {
+                approval_request_id,
+            },
+            WireDaemonError::Policy(err) => DaemonError::Policy(err),
+            WireDaemonError::Signer(err) => DaemonError::Signer(err),
+            WireDaemonError::PasswordHash(msg) => DaemonError::PasswordHash(msg),
+            WireDaemonError::InvalidConfig(msg) => DaemonError::InvalidConfig(msg),
+            WireDaemonError::LockPoisoned => DaemonError::LockPoisoned,
+            WireDaemonError::Transport(msg) => DaemonError::Transport(msg),
+            WireDaemonError::Persistence(msg) => DaemonError::Persistence(msg),
+        }
+    }
+}
+/// Opaque endpoint handle used to connect XPC clients.
+#[cfg(target_os = "macos")]
+pub struct XpcEndpoint {
+    raw: XpcObject,
+}
+#[cfg(target_os = "macos")]
+impl Clone for XpcEndpoint {
+    fn clone(&self) -> Self {
+        // SAFETY: balanced retain/release lifecycle.
+        unsafe {
+            xpc_retain(self.raw);
+        }
+        Self { raw: self.raw }
+    }
+}
+#[cfg(target_os = "macos")]
+impl Drop for XpcEndpoint {
+    fn drop(&mut self) {
+        // SAFETY: balanced retain/release lifecycle.
+        unsafe {
+            xpc_release(self.raw);
+        }
+    }
+}
+#[cfg(target_os = "macos")]
+impl fmt::Debug for XpcEndpoint {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        f.debug_struct("XpcEndpoint").finish_non_exhaustive()
+    }
+}
+/// XPC server bound to an in-memory daemon instance.
+#[cfg(target_os = "macos")]
+pub struct XpcDaemonServer {
+    listener: XpcConnection,
+    endpoint: XpcEndpoint,
+    _listener_block: RcBlock<(XpcObject,), ()>,
+    _peer_blocks: PeerBlocks,
+}
+#[cfg(target_os = "macos")]
+impl Drop for XpcDaemonServer {
+    fn drop(&mut self) {
+        // SAFETY: listener is owned by this instance.
+        unsafe {
+            xpc_release(self.listener);
+        }
+    }
+}
+#[cfg(target_os = "macos")]
+impl XpcDaemonServer {
+    /// Starts an anonymous XPC listener and binds it to daemon RPC handler.
+    pub fn start_inmemory<B>(
+        daemon: Arc<InMemoryDaemon<B>>,
+        runtime_handle: Handle,
+    ) -> Result<Self, XpcTransportError>
+    where
+        B: VaultSignerBackend + 'static,
+    {
+        let current_euid = unsafe { libc::geteuid() };
+        if current_euid != 0 {
+            return Err(XpcTransportError::RequiresRoot);
+        }
+        Self::start_inmemory_impl(daemon, runtime_handle, 0, None)
+    }
+    /// Starts an anonymous XPC listener and enforces a code-sign requirement
+    /// string on each connecting client process.
+    ///
+    /// The requirement string uses Apple's requirement language (same syntax as
+    /// `codesign -r`).
+    pub fn start_inmemory_with_code_sign_requirement<B>(
+        daemon: Arc<InMemoryDaemon<B>>,
+        runtime_handle: Handle,
+        required_client_code_signing_requirement: impl Into<String>,
+    ) -> Result<Self, XpcTransportError>
+    where
+        B: VaultSignerBackend + 'static,
+    {
+        let current_euid = unsafe { libc::geteuid() };
+        if current_euid != 0 {
+            return Err(XpcTransportError::RequiresRoot);
+        }
+        Self::start_inmemory_impl(
+            daemon,
+            runtime_handle,
+            0,
+            Some(required_client_code_signing_requirement.into()),
+        )
+    }
+    /// Starts an anonymous XPC listener and restricts clients to `allowed_euid`.
+    ///
+    /// This is intended for controlled test/dev environments and is only
+    /// available in debug builds. Production should use [`Self::start_inmemory`]
+    /// so non-root startup is rejected.
+    #[cfg(debug_assertions)]
+    pub fn start_inmemory_with_allowed_euid<B>(
+        daemon: Arc<InMemoryDaemon<B>>,
+        runtime_handle: Handle,
+        allowed_euid: libc::uid_t,
+    ) -> Result<Self, XpcTransportError>
+    where
+        B: VaultSignerBackend + 'static,
+    {
+        Self::start_inmemory_impl(daemon, runtime_handle, allowed_euid, None)
+    }
+    /// Starts an anonymous XPC listener, restricting clients to `allowed_euid`
+    /// and a code-sign requirement.
+    #[cfg(debug_assertions)]
+    pub fn start_inmemory_with_allowed_euid_and_code_sign_requirement<B>(
+        daemon: Arc<InMemoryDaemon<B>>,
+        runtime_handle: Handle,
+        allowed_euid: libc::uid_t,
+        required_client_code_signing_requirement: impl Into<String>,
+    ) -> Result<Self, XpcTransportError>
+    where
+        B: VaultSignerBackend + 'static,
+    {
+        Self::start_inmemory_impl(
+            daemon,
+            runtime_handle,
+            allowed_euid,
+            Some(required_client_code_signing_requirement.into()),
+        )
+    }
+    fn start_inmemory_impl<B>(
+        daemon: Arc<InMemoryDaemon<B>>,
+        runtime_handle: Handle,
+        allowed_euid: libc::uid_t,
+        required_client_code_signing_requirement: Option<String>,
+    ) -> Result<Self, XpcTransportError>
+    where
+        B: VaultSignerBackend + 'static,
+    {
+        let current_euid = unsafe { libc::geteuid() };
+        if allowed_euid != current_euid {
+            return Err(XpcTransportError::Internal(format!(
+                "allowed_euid mismatch: requested {allowed_euid}, current daemon euid is {current_euid}"
+            )));
+        }
+        if let Some(requirement) = required_client_code_signing_requirement.as_deref() {
+            parse_code_sign_requirement(requirement)?;
+        }
+        // SAFETY: XPC/libdispatch APIs are FFI and require raw pointers.
+        unsafe {
+            let queue = dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0);
+            if queue.is_null() {
+                return Err(XpcTransportError::Internal(
+                    "dispatch_get_global_queue returned null".to_string(),
+                ));
+            }
+            let listener = xpc_connection_create(ptr::null(), queue);
+            if listener.is_null() {
+                return Err(XpcTransportError::Internal(
+                    "xpc_connection_create returned null".to_string(),
+                ));
+            }
+            let daemon_outer = daemon.clone();
+            let handle_outer = runtime_handle.clone();
+            let required_client_code_signing_requirement_outer =
+                required_client_code_signing_requirement.clone();
+            let peer_blocks: PeerBlocks = Arc::new(Mutex::new(HashMap::new()));
+            let peer_blocks_for_listener = peer_blocks.clone();
+            let listener_block = ConcreteBlock::new(move |event: XpcObject| {
+                // Listener callback receives peer connections.
+                if !ptr::eq(xpc_get_type(event), &_xpc_type_connection) {
+                    return;
+                }
+                let peer = event;
+                let peer_euid = xpc_connection_get_euid(peer);
+                if peer_euid != allowed_euid {
+                    xpc_connection_cancel(peer);
+                    return;
+                }
+                if let Some(requirement) = required_client_code_signing_requirement_outer.as_deref()
+                {
+                    if verify_peer_code_signing_requirement(peer, requirement).is_err() {
+                        xpc_connection_cancel(peer);
+                        return;
+                    }
+                }
+                let daemon_inner = daemon_outer.clone();
+                let handle_inner = handle_outer.clone();
+                let peer_blocks_for_callback = peer_blocks_for_listener.clone();
+                let peer_blocks_for_insert = peer_blocks_for_listener.clone();
+                let peer_key = peer as usize;
+                let peer_block = ConcreteBlock::new(move |message: XpcObject| {
+                    if !ptr::eq(xpc_get_type(message), &_xpc_type_dictionary) {
+                        if let Ok(mut blocks) = peer_blocks_for_callback.lock() {
+                            blocks.remove(&peer_key);
+                        }
+                        return;
+                    }
+                    let response = match decode_wire_request(message) {
+                        Ok(request) => {
+                            let mut request = request;
+                            let daemon_request: Result<DaemonRpcRequest, XpcTransportError> =
+                                serde_json::from_str(&request.body_json).map_err(|err| {
+                                    XpcTransportError::Serialization(err.to_string())
+                                });
+                            request.body_json.zeroize();
+                            match daemon_request {
+                                Ok(req) => {
+                                    match handle_inner.block_on(daemon_inner.handle_rpc(req)) {
+                                        Ok(resp) => {
+                                            let mut resp = resp;
+                                            match serde_json::to_string(&resp) {
+                                                Ok(body_json) => {
+                                                    resp.zeroize_secrets();
+                                                    WireResponse {
+                                                        request_id: request.request_id,
+                                                        ok: true,
+                                                        body_json,
+                                                    }
+                                                }
+                                                Err(err) => {
+                                                    resp.zeroize_secrets();
+                                                    WireResponse {
+                                                        request_id: request.request_id,
+                                                        ok: false,
+                                                        body_json: format!(
+                                                        "failed to serialize daemon response: {err}"
+                                                    ),
+                                                    }
+                                                }
+                                            }
+                                        }
+                                        Err(err) => WireResponse {
+                                            request_id: request.request_id,
+                                            ok: false,
+                                            body_json: serialize_wire_daemon_error(err),
+                                        },
+                                    }
+                                }
+                                Err(err) => WireResponse {
+                                    request_id: request.request_id,
+                                    ok: false,
+                                    body_json: err.to_string(),
+                                },
+                            }
+                        }
+                        Err(err) => WireResponse {
+                            request_id: extract_safe_request_id(message),
+                            ok: false,
+                            body_json: err.to_string(),
+                        },
+                    };
+                    let mut response = enforce_wire_response_limits(response);
+                    let encoded = encode_wire_response(&response);
+                    response.body_json.zeroize();
+                    if let Ok(xpc_resp) = encoded {
+                        xpc_connection_send_message(peer, xpc_resp);
+                        xpc_release(xpc_resp);
+                    }
+                })
+                .copy();
+                xpc_connection_set_event_handler(
+                    peer,
+                    &*peer_block as *const Block<_, _> as *mut c_void,
+                );
+                xpc_connection_resume(peer);
+                if let Ok(mut blocks) = peer_blocks_for_insert.lock() {
+                    blocks.insert(peer_key, SendablePeerBlock { _block: peer_block });
+                };
+            })
+            .copy();
+            xpc_connection_set_event_handler(
+                listener,
+                &*listener_block as *const Block<_, _> as *mut c_void,
+            );
+            xpc_connection_resume(listener);
+            let endpoint_raw = xpc_endpoint_create(listener);
+            if endpoint_raw.is_null() {
+                return Err(XpcTransportError::Internal(
+                    "xpc_endpoint_create returned null".to_string(),
+                ));
+            }
+            xpc_retain(listener);
+            xpc_retain(endpoint_raw);
+            Ok(Self {
+                listener,
+                endpoint: XpcEndpoint { raw: endpoint_raw },
+                _listener_block: listener_block,
+                _peer_blocks: peer_blocks,
+            })
+        }
+    }
+    /// Returns endpoint handle for clients.
+    #[must_use]
+    pub fn endpoint(&self) -> XpcEndpoint {
+        self.endpoint.clone()
+    }
+}
+#[cfg(target_os = "macos")]
+fn parse_code_sign_requirement(requirement: &str) -> Result<SecRequirement, XpcTransportError> {
+    requirement
+        .parse::<SecRequirement>()
+        .map_err(|err| XpcTransportError::CodeSigning(format!("invalid requirement string: {err}")))
+}
+#[cfg(target_os = "macos")]
+fn verify_peer_code_signing_requirement(
+    peer: XpcConnection,
+    requirement: &str,
+) -> Result<(), XpcTransportError> {
+    let pid = unsafe { xpc_connection_get_pid(peer) };
+    if pid <= 0 {
+        return Err(XpcTransportError::CodeSigning(
+            "peer pid is unavailable".to_string(),
+        ));
+    }
+    let mut attributes = GuestAttributes::new();
+    attributes.set_pid(pid);
+    let peer_code = SecCode::copy_guest_with_attribues(None, &attributes, CodeSignFlags::default())
+        .map_err(|err| {
+            XpcTransportError::CodeSigning(format!(
+                "failed to resolve peer code object for pid {pid}: {err}"
+            ))
+        })?;
+    let requirement = parse_code_sign_requirement(requirement)?;
+    peer_code
+        .check_validity(
+            CodeSignFlags::STRICT_VALIDATE | CodeSignFlags::CHECK_TRUSTED_ANCHORS,
+            &requirement,
+        )
+        .map_err(|err| {
+            XpcTransportError::CodeSigning(format!(
+                "peer code signature does not satisfy required policy for pid {pid}: {err}"
+            ))
+        })
+}
+#[cfg(target_os = "macos")]
+include!("client_codec_api.rs");
+#[cfg(all(test, target_os = "macos"))]
+mod tests;