npm - @wlfi-agent/cli - Versions diffs - 1.4.12 → 1.4.14 - Mend

@wlfi-agent/cli 1.4.12 → 1.4.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (289) hide show

package/Cargo.lock +3968 -0
package/Cargo.toml +50 -0
package/README.md +426 -6
package/crates/vault-cli-admin/Cargo.toml +26 -0
package/crates/vault-cli-admin/src/io_utils.rs +500 -0
package/crates/vault-cli-admin/src/main.rs +3990 -0
package/crates/vault-cli-admin/src/shared_config.rs +624 -0
package/crates/vault-cli-admin/src/tui/amounts.rs +180 -0
package/crates/vault-cli-admin/src/tui/token_rpc.rs +250 -0
package/crates/vault-cli-admin/src/tui/utils.rs +82 -0
package/crates/vault-cli-admin/src/tui.rs +3410 -0
package/crates/vault-cli-agent/Cargo.toml +24 -0
package/crates/vault-cli-agent/src/io_utils.rs +576 -0
package/crates/vault-cli-agent/src/main.rs +833 -0
package/crates/vault-cli-daemon/Cargo.toml +28 -0
package/crates/vault-cli-daemon/src/bin/wlfi-agent-system-keychain.rs +216 -0
package/crates/vault-cli-daemon/src/main.rs +644 -0
package/crates/vault-cli-daemon/src/relay_sync.rs +894 -0
package/crates/vault-cli-daemon/tests/system_keychain_helper_acl.rs +167 -0
package/crates/vault-daemon/Cargo.toml +32 -0
package/crates/vault-daemon/src/daemon_parts/api_impl_and_utils.rs +1041 -0
package/crates/vault-daemon/src/daemon_parts/core_helpers.rs +1256 -0
package/crates/vault-daemon/src/daemon_parts/types_api_rpc.rs +622 -0
package/crates/vault-daemon/src/lib.rs +54 -0
package/crates/vault-daemon/src/persistence.rs +441 -0
package/crates/vault-daemon/src/tests.rs +237 -0
package/crates/vault-daemon/src/tests_parts/part1.rs +1224 -0
package/crates/vault-daemon/src/tests_parts/part2.rs +1021 -0
package/crates/vault-daemon/src/tests_parts/part3.rs +835 -0
package/crates/vault-daemon/src/tests_parts/part4.rs +604 -0
package/crates/vault-domain/Cargo.toml +20 -0
package/crates/vault-domain/src/action.rs +849 -0
package/crates/vault-domain/src/address.rs +51 -0
package/crates/vault-domain/src/approval.rs +90 -0
package/crates/vault-domain/src/constants.rs +4 -0
package/crates/vault-domain/src/error.rs +54 -0
package/crates/vault-domain/src/keys.rs +71 -0
package/crates/vault-domain/src/lib.rs +42 -0
package/crates/vault-domain/src/nonce.rs +102 -0
package/crates/vault-domain/src/policy.rs +172 -0
package/crates/vault-domain/src/request.rs +53 -0
package/crates/vault-domain/src/scope.rs +24 -0
package/crates/vault-domain/src/session.rs +50 -0
package/crates/vault-domain/src/signature.rs +34 -0
package/crates/vault-domain/src/tests.rs +651 -0
package/crates/vault-domain/src/u128_as_decimal_string.rs +44 -0
package/crates/vault-policy/Cargo.toml +17 -0
package/crates/vault-policy/src/engine.rs +301 -0
package/crates/vault-policy/src/error.rs +81 -0
package/crates/vault-policy/src/lib.rs +17 -0
package/crates/vault-policy/src/report.rs +34 -0
package/crates/vault-policy/src/tests.rs +891 -0
package/crates/vault-policy/src/tests_explain.rs +78 -0
package/crates/vault-sdk-agent/Cargo.toml +21 -0
package/crates/vault-sdk-agent/src/lib.rs +711 -0
package/crates/vault-signer/Cargo.toml +25 -0
package/crates/vault-signer/src/lib.rs +731 -0
package/crates/vault-signer/tests/secure_enclave_acl.rs +54 -0
package/crates/vault-transport-unix/Cargo.toml +24 -0
package/crates/vault-transport-unix/src/lib.rs +1640 -0
package/crates/vault-transport-xpc/Cargo.toml +25 -0
package/crates/vault-transport-xpc/src/client_codec_api.rs +635 -0
package/crates/vault-transport-xpc/src/lib.rs +680 -0
package/crates/vault-transport-xpc/src/tests.rs +818 -0
package/crates/vault-transport-xpc/tests/e2e_flow.rs +773 -0
package/dist/cli.cjs +35088 -0
package/dist/cli.cjs.map +1 -0
package/package.json +49 -43
package/packages/cache/.turbo/turbo-build.log +52 -0
package/packages/cache/dist/chunk-2QFWMUXT.cjs +43 -0
package/packages/cache/dist/chunk-2QFWMUXT.cjs.map +1 -0
package/packages/cache/dist/chunk-4U63TZTQ.js +43 -0
package/packages/cache/dist/chunk-4U63TZTQ.js.map +1 -0
package/packages/cache/dist/chunk-ALQ6H7KG.cjs +404 -0
package/packages/cache/dist/chunk-ALQ6H7KG.cjs.map +1 -0
package/packages/cache/dist/chunk-FGJEEF5N.js +404 -0
package/packages/cache/dist/chunk-FGJEEF5N.js.map +1 -0
package/packages/cache/dist/chunk-UYNEHZHB.cjs +45 -0
package/packages/cache/dist/chunk-UYNEHZHB.cjs.map +1 -0
package/packages/cache/dist/chunk-VXVMPG3W.js +45 -0
package/packages/cache/dist/chunk-VXVMPG3W.js.map +1 -0
package/packages/cache/dist/client/index.cjs +11 -0
package/packages/cache/dist/client/index.cjs.map +1 -0
package/packages/cache/dist/client/index.d.cts +15 -0
package/packages/cache/dist/client/index.d.ts +15 -0
package/packages/cache/dist/client/index.js +11 -0
package/packages/cache/dist/client/index.js.map +1 -0
package/packages/cache/dist/errors/index.cjs +11 -0
package/packages/cache/dist/errors/index.cjs.map +1 -0
package/packages/cache/dist/errors/index.d.cts +26 -0
package/packages/cache/dist/errors/index.d.ts +26 -0
package/packages/cache/dist/errors/index.js +11 -0
package/packages/cache/dist/errors/index.js.map +1 -0
package/packages/cache/dist/index.cjs +29 -0
package/packages/cache/dist/index.cjs.map +1 -0
package/packages/cache/dist/index.d.cts +4 -0
package/packages/cache/dist/index.d.ts +4 -0
package/packages/cache/dist/index.js +29 -0
package/packages/cache/dist/index.js.map +1 -0
package/packages/cache/dist/service/index.cjs +15 -0
package/packages/cache/dist/service/index.cjs.map +1 -0
package/packages/cache/dist/service/index.d.cts +184 -0
package/packages/cache/dist/service/index.d.ts +184 -0
package/packages/cache/dist/service/index.js +15 -0
package/packages/cache/dist/service/index.js.map +1 -0
package/packages/cache/node_modules/.bin/jiti +17 -0
package/packages/cache/node_modules/.bin/tsc +17 -0
package/packages/cache/node_modules/.bin/tsserver +17 -0
package/packages/cache/node_modules/.bin/tsup +17 -0
package/packages/cache/node_modules/.bin/tsup-node +17 -0
package/packages/cache/node_modules/.bin/tsx +17 -0
package/packages/cache/node_modules/.bin/vitest +17 -0
package/packages/cache/package.json +48 -0
package/packages/cache/src/client/index.ts +56 -0
package/packages/cache/src/errors/index.ts +53 -0
package/packages/cache/src/index.ts +3 -0
package/packages/cache/src/service/index.test.ts +263 -0
package/packages/cache/src/service/index.ts +678 -0
package/packages/cache/tsconfig.json +13 -0
package/packages/cache/tsup.config.ts +13 -0
package/packages/cache/vitest.config.ts +16 -0
package/packages/config/.turbo/turbo-build.log +18 -0
package/packages/config/dist/index.cjs +1037 -0
package/packages/config/dist/index.cjs.map +1 -0
package/packages/config/dist/index.d.ts +131 -0
package/packages/config/node_modules/.bin/jiti +17 -0
package/packages/config/node_modules/.bin/tsc +17 -0
package/packages/config/node_modules/.bin/tsserver +17 -0
package/packages/config/node_modules/.bin/tsup +17 -0
package/packages/config/node_modules/.bin/tsup-node +17 -0
package/packages/config/node_modules/.bin/tsx +17 -0
package/packages/config/package.json +21 -0
package/packages/config/src/index.js +1 -0
package/packages/config/src/index.ts +1282 -0
package/packages/config/tsconfig.json +4 -0
package/packages/rpc/.turbo/turbo-build.log +32 -0
package/packages/rpc/dist/_esm-BCLXDO2R.cjs +3660 -0
package/packages/rpc/dist/_esm-BCLXDO2R.cjs.map +1 -0
package/packages/rpc/dist/ccip-OWJLAW55.cjs +16 -0
package/packages/rpc/dist/ccip-OWJLAW55.cjs.map +1 -0
package/packages/rpc/dist/chunk-APQIFZ3B.cjs +6247 -0
package/packages/rpc/dist/chunk-APQIFZ3B.cjs.map +1 -0
package/packages/rpc/dist/chunk-CDO2GWRD.cjs +410 -0
package/packages/rpc/dist/chunk-CDO2GWRD.cjs.map +1 -0
package/packages/rpc/dist/chunk-QGTNTFJ7.cjs +2249 -0
package/packages/rpc/dist/chunk-QGTNTFJ7.cjs.map +1 -0
package/packages/rpc/dist/chunk-TZDTAHWR.cjs +44 -0
package/packages/rpc/dist/chunk-TZDTAHWR.cjs.map +1 -0
package/packages/rpc/dist/index.cjs +7342 -0
package/packages/rpc/dist/index.cjs.map +1 -0
package/packages/rpc/dist/index.d.ts +3857 -0
package/packages/rpc/dist/secp256k1-WCNM675D.cjs +18 -0
package/packages/rpc/dist/secp256k1-WCNM675D.cjs.map +1 -0
package/packages/rpc/node_modules/.bin/jiti +17 -0
package/packages/rpc/node_modules/.bin/tsc +17 -0
package/packages/rpc/node_modules/.bin/tsserver +17 -0
package/packages/rpc/node_modules/.bin/tsup +17 -0
package/packages/rpc/node_modules/.bin/tsup-node +17 -0
package/packages/rpc/node_modules/.bin/tsx +17 -0
package/packages/rpc/package.json +25 -0
package/packages/rpc/src/index.ts +206 -0
package/packages/rpc/tsconfig.json +4 -0
package/packages/typescript/base.json +36 -0
package/packages/typescript/nextjs.json +17 -0
package/packages/typescript/package.json +10 -0
package/packages/ui/.turbo/turbo-build.log +44 -0
package/packages/ui/dist/chunk-MOAFBKSA.js +11 -0
package/packages/ui/dist/chunk-MOAFBKSA.js.map +1 -0
package/packages/ui/dist/components/badge.d.ts +12 -0
package/packages/ui/dist/components/badge.js +31 -0
package/packages/ui/dist/components/badge.js.map +1 -0
package/packages/ui/dist/components/button.d.ts +13 -0
package/packages/ui/dist/components/button.js +40 -0
package/packages/ui/dist/components/button.js.map +1 -0
package/packages/ui/dist/components/card.d.ts +10 -0
package/packages/ui/dist/components/card.js +39 -0
package/packages/ui/dist/components/card.js.map +1 -0
package/packages/ui/dist/components/input.d.ts +5 -0
package/packages/ui/dist/components/input.js +28 -0
package/packages/ui/dist/components/input.js.map +1 -0
package/packages/ui/dist/components/label.d.ts +5 -0
package/packages/ui/dist/components/label.js +13 -0
package/packages/ui/dist/components/label.js.map +1 -0
package/packages/ui/dist/components/separator.d.ts +5 -0
package/packages/ui/dist/components/separator.js +13 -0
package/packages/ui/dist/components/separator.js.map +1 -0
package/packages/ui/dist/components/textarea.d.ts +5 -0
package/packages/ui/dist/components/textarea.js +27 -0
package/packages/ui/dist/components/textarea.js.map +1 -0
package/packages/ui/dist/tailwind.d.ts +56 -0
package/packages/ui/dist/tailwind.js +60 -0
package/packages/ui/dist/tailwind.js.map +1 -0
package/packages/ui/dist/utils/cn.d.ts +5 -0
package/packages/ui/dist/utils/cn.js +7 -0
package/packages/ui/dist/utils/cn.js.map +1 -0
package/packages/ui/node_modules/.bin/jiti +17 -0
package/packages/ui/node_modules/.bin/tsc +17 -0
package/packages/ui/node_modules/.bin/tsserver +17 -0
package/packages/ui/node_modules/.bin/tsup +17 -0
package/packages/ui/node_modules/.bin/tsup-node +17 -0
package/packages/ui/node_modules/.bin/tsx +17 -0
package/packages/ui/package.json +69 -0
package/packages/ui/src/components/badge.tsx +27 -0
package/packages/ui/src/components/button.tsx +40 -0
package/packages/ui/src/components/card.tsx +31 -0
package/packages/ui/src/components/input.tsx +21 -0
package/packages/ui/src/components/label.tsx +6 -0
package/packages/ui/src/components/separator.tsx +6 -0
package/packages/ui/src/components/textarea.tsx +20 -0
package/packages/ui/src/globals.css +70 -0
package/packages/ui/src/tailwind.ts +56 -0
package/packages/ui/src/utils/cn.ts +6 -0
package/packages/ui/tsconfig.json +20 -0
package/packages/ui/tsup.config.ts +20 -0
package/pnpm-workspace.yaml +4 -0
package/scripts/install-rust-binaries.mjs +84 -0
package/scripts/launchd/install-user-daemon.sh +358 -0
package/scripts/launchd/run-vault-daemon.sh +5 -0
package/scripts/launchd/run-wlfi-agent-daemon.sh +73 -0
package/scripts/launchd/uninstall-user-daemon.sh +103 -0
package/src/cli.ts +2121 -0
package/src/lib/admin-guard.js +1 -0
package/src/lib/admin-guard.ts +185 -0
package/src/lib/admin-passthrough.ts +33 -0
package/src/lib/admin-reset.ts +751 -0
package/src/lib/admin-setup.ts +1612 -0
package/src/lib/agent-auth-clear.js +1 -0
package/src/lib/agent-auth-clear.ts +58 -0
package/src/lib/agent-auth-forwarding.js +1 -0
package/src/lib/agent-auth-forwarding.ts +149 -0
package/src/lib/agent-auth-migrate.js +1 -0
package/src/lib/agent-auth-migrate.ts +150 -0
package/src/lib/agent-auth-revoke.ts +103 -0
package/src/lib/agent-auth-rotate.ts +107 -0
package/src/lib/agent-auth-token.js +1 -0
package/src/lib/agent-auth-token.ts +25 -0
package/src/lib/agent-auth.ts +89 -0
package/src/lib/asset-broadcast.js +1 -0
package/src/lib/asset-broadcast.ts +285 -0
package/src/lib/bootstrap-artifacts.js +1 -0
package/src/lib/bootstrap-artifacts.ts +205 -0
package/src/lib/bootstrap-credentials.js +1 -0
package/src/lib/bootstrap-credentials.ts +832 -0
package/src/lib/config-amounts.js +1 -0
package/src/lib/config-amounts.ts +189 -0
package/src/lib/config-mutation.ts +27 -0
package/src/lib/fs-trust.js +1 -0
package/src/lib/fs-trust.ts +537 -0
package/src/lib/keychain.js +1 -0
package/src/lib/keychain.ts +225 -0
package/src/lib/local-admin-access.ts +106 -0
package/src/lib/network-selection.js +1 -0
package/src/lib/network-selection.ts +71 -0
package/src/lib/passthrough-security.js +1 -0
package/src/lib/passthrough-security.ts +114 -0
package/src/lib/rpc-guard.js +1 -0
package/src/lib/rpc-guard.ts +7 -0
package/src/lib/rust-spawn-options.js +1 -0
package/src/lib/rust-spawn-options.ts +98 -0
package/src/lib/rust.js +1 -0
package/src/lib/rust.ts +143 -0
package/src/lib/signed-tx.js +1 -0
package/src/lib/signed-tx.ts +116 -0
package/src/lib/status-repair-cli.ts +116 -0
package/src/lib/sudo.js +1 -0
package/src/lib/sudo.ts +172 -0
package/src/lib/vault-password-forwarding.js +1 -0
package/src/lib/vault-password-forwarding.ts +155 -0
package/src/lib/wallet-profile.js +1 -0
package/src/lib/wallet-profile.ts +332 -0
package/src/lib/wallet-repair.js +1 -0
package/src/lib/wallet-repair.ts +304 -0
package/src/lib/wallet-setup.js +1 -0
package/src/lib/wallet-setup.ts +1466 -0
package/src/lib/wallet-status.js +1 -0
package/src/lib/wallet-status.ts +640 -0
package/tsconfig.base.json +17 -0
package/tsconfig.json +10 -0
package/tsup.config.ts +25 -0
package/turbo.json +41 -0
package/LICENSE.md +0 -1
package/dist/wlfa/index.cjs +0 -250
package/dist/wlfa/index.d.cts +0 -1
package/dist/wlfa/index.d.ts +0 -1
package/dist/wlfa/index.js +0 -250
package/dist/wlfc/index.cjs +0 -1894
package/dist/wlfc/index.d.cts +0 -1
package/dist/wlfc/index.d.ts +0 -1
package/dist/wlfc/index.js +0 -1894

package/src/lib/admin-reset.ts ADDED Viewed

@@ -0,0 +1,751 @@
+import fs from 'node:fs';
+import os from 'node:os';
+import path from 'node:path';
+import readline from 'node:readline';
+import { Command } from 'commander';
+import {
+  deleteConfigKey,
+  readConfig,
+  redactConfig,
+  resolveConfigPath,
+  resolveWlfiHome,
+  type WlfiConfig,
+} from '../../packages/config/src/index.js';
+import {
+  cleanupAutoGeneratedBootstrapArtifacts,
+  type CleanupBootstrapArtifactsResult,
+} from './bootstrap-artifacts.js';
+import {
+  AGENT_AUTH_TOKEN_KEYCHAIN_SERVICE,
+  DAEMON_PASSWORD_KEYCHAIN_SERVICE,
+  deleteAgentAuthTokenFromKeychain,
+} from './keychain.js';
+import { createSudoSession } from './sudo.js';
+const DEFAULT_LAUNCH_DAEMON_LABEL = 'com.wlfi.agent.daemon';
+const DEFAULT_MANAGED_DAEMON_SOCKET = '/Library/WLFI/run/daemon.sock';
+const DEFAULT_MANAGED_STATE_FILE = '/var/db/wlfi-agent/daemon-state.enc';
+const DEFAULT_LAUNCH_DAEMON_PLIST = `/Library/LaunchDaemons/${DEFAULT_LAUNCH_DAEMON_LABEL}.plist`;
+const DEFAULT_MANAGED_ROOT_DIR = '/Library/WLFI';
+const DEFAULT_MANAGED_STATE_DIR = '/var/db/wlfi-agent';
+const DEFAULT_MANAGED_LOG_DIR = '/var/log/wlfi-agent';
+const MAX_SECRET_STDIN_BYTES = 16 * 1024;
+const SPINNER_FRAMES = ['⠋', '⠙', '⠹', '⠸', '⠼', '⠴', '⠦', '⠧', '⠇', '⠏'];
+interface ProgressHandle {
+  succeed(message?: string): void;
+  fail(message?: string): void;
+}
+interface AdminResetOptions {
+  yes?: boolean;
+  nonInteractive?: boolean;
+  deleteConfig?: boolean;
+  json?: boolean;
+}
+interface AdminUninstallOptions {
+  yes?: boolean;
+  nonInteractive?: boolean;
+  json?: boolean;
+}
+export interface CleanupLocalAdminResetStateResult {
+  agentKeyId: string | null;
+  keychain: {
+    removed: boolean;
+    service: string | null;
+  };
+  config: {
+    path: string;
+    existed: boolean;
+    deleted: boolean;
+    clearedAgentKeyId: boolean;
+    clearedLegacyAgentAuthToken: boolean;
+    value: Record<string, unknown> | null;
+  };
+  bootstrapArtifacts: {
+    attempted: boolean;
+    action: 'deleted';
+    fileCount: number;
+    cleanedCount: number;
+    skippedCount: number;
+    error: string | null;
+  };
+}
+interface CleanupLocalAdminResetStateDeps {
+  platform?: NodeJS.Platform;
+  existsSync?: (targetPath: string) => boolean;
+  resolveConfigPath?: () => string;
+  resolveWlfiHome?: () => string;
+  readConfig?: () => WlfiConfig;
+  deleteConfigKey?: (key: keyof WlfiConfig) => WlfiConfig;
+  deleteAgentAuthToken?: (agentKeyId: string) => boolean;
+  unlinkSync?: (targetPath: string) => void;
+  cleanupBootstrapArtifacts?: (action: 'deleted') => CleanupBootstrapArtifactsResult;
+}
+export interface CleanupLocalAdminUninstallStateResult {
+  agentKeyId: string | null;
+  keychain: {
+    removed: boolean;
+    service: string | null;
+  };
+  config: {
+    path: string;
+    existed: boolean;
+    deleted: boolean;
+  };
+  wlfiHome: {
+    path: string;
+    existed: boolean;
+    deleted: boolean;
+  };
+}
+interface CleanupLocalAdminUninstallStateDeps {
+  platform?: NodeJS.Platform;
+  existsSync?: (targetPath: string) => boolean;
+  resolveConfigPath?: () => string;
+  resolveWlfiHome?: () => string;
+  readConfig?: () => WlfiConfig;
+  deleteAgentAuthToken?: (agentKeyId: string) => boolean;
+  rmSync?: (targetPath: string, options: { recursive: boolean; force: boolean }) => void;
+}
+function renderError(error: unknown): string {
+  return error instanceof Error ? error.message : String(error);
+}
+function validateSecret(value: string, label: string): string {
+  if (Buffer.byteLength(value, 'utf8') > MAX_SECRET_STDIN_BYTES) {
+    throw new Error(`${label} must not exceed ${MAX_SECRET_STDIN_BYTES} bytes`);
+  }
+  if (!value.trim()) {
+    throw new Error(`${label} must not be empty or whitespace`);
+  }
+  return value;
+}
+async function promptHidden(query: string, label: string): Promise<string> {
+  if (!process.stdin.isTTY || !process.stdout.isTTY) {
+    throw new Error(`${label} is required; rerun on a local TTY`);
+  }
+  const rl = readline.createInterface({
+    input: process.stdin,
+    output: process.stdout,
+    terminal: true,
+  }) as readline.Interface & { stdoutMuted?: boolean; _writeToOutput?: (value: string) => void };
+  rl.stdoutMuted = true;
+  rl._writeToOutput = (value: string) => {
+    if (value.includes(query)) {
+      (rl as unknown as { output: NodeJS.WritableStream }).output.write(value);
+      return;
+    }
+    if (!rl.stdoutMuted) {
+      (rl as unknown as { output: NodeJS.WritableStream }).output.write(value);
+    }
+  };
+  const answer = await new Promise<string>((resolve) => {
+    rl.question(query, resolve);
+  });
+  rl.close();
+  process.stdout.write('\n');
+  return validateSecret(answer, label);
+}
+async function promptVisible(query: string): Promise<string> {
+  if (!process.stdin.isTTY || !process.stdout.isTTY) {
+    throw new Error('admin reset requires --yes in non-interactive environments');
+  }
+  const rl = readline.createInterface({
+    input: process.stdin,
+    output: process.stdout,
+    terminal: true,
+  });
+  const answer = await new Promise<string>((resolve) => {
+    rl.question(query, resolve);
+  });
+  rl.close();
+  return answer.trim();
+}
+const sudoSession = createSudoSession({
+  promptPassword: async () =>
+    await promptHidden(
+      'Root password (input hidden; required to uninstall the root daemon and delete its state): ',
+      'root password',
+    ),
+});
+function createProgress(message: string, enabled = true): ProgressHandle {
+  if (!enabled) {
+    return {
+      succeed() {},
+      fail() {},
+    };
+  }
+  if (!process.stderr.isTTY) {
+    process.stderr.write(`==> ${message}\n`);
+    return {
+      succeed(finalMessage = message) {
+        process.stderr.write(`✓ ${finalMessage}\n`);
+      },
+      fail(finalMessage = `${message} failed`) {
+        process.stderr.write(`✗ ${finalMessage}\n`);
+      },
+    };
+  }
+  let frameIndex = 0;
+  const render = (prefix: string, currentMessage: string) => {
+    process.stderr.write(`\r\u001b[2K${prefix} ${currentMessage}`);
+  };
+  render(SPINNER_FRAMES[frameIndex], message);
+  const timer = setInterval(() => {
+    frameIndex = (frameIndex + 1) % SPINNER_FRAMES.length;
+    render(SPINNER_FRAMES[frameIndex], message);
+  }, 80);
+  const stop = (prefix: string, finalMessage: string) => {
+    clearInterval(timer);
+    render(prefix, finalMessage);
+    process.stderr.write('\n');
+  };
+  return {
+    succeed(finalMessage = message) {
+      stop('✓', finalMessage);
+    },
+    fail(finalMessage = `${message} failed`) {
+      stop('✗', finalMessage);
+    },
+  };
+}
+function print(payload: unknown, asJson: boolean | undefined): void {
+  if (asJson) {
+    console.log(JSON.stringify(payload, null, 2));
+    return;
+  }
+  if (typeof payload === 'string') {
+    console.log(payload);
+    return;
+  }
+  console.dir(payload, { depth: null, colors: process.stdout.isTTY });
+}
+function printResetSummary(result: {
+  daemon: {
+    label: string;
+    daemonSocket: string;
+    stateFile: string;
+  };
+  local: CleanupLocalAdminResetStateResult;
+}): void {
+  const lines = [
+    'reset complete',
+    `managed daemon removed: ${result.daemon.label}`,
+    `managed state deleted: ${result.daemon.stateFile}`,
+    `managed socket removed: ${result.daemon.daemonSocket}`,
+  ];
+  if (result.local.agentKeyId) {
+    lines.push(`old agent key cleared: ${result.local.agentKeyId}`);
+  } else {
+    lines.push('old agent key cleared: no configured agent key was found');
+  }
+  if (result.local.config.deleted) {
+    lines.push(`config deleted: ${result.local.config.path}`);
+  } else if (result.local.config.existed) {
+    lines.push(`config kept: ${result.local.config.path}`);
+  } else {
+    lines.push(`config not found: ${result.local.config.path}`);
+  }
+  if (result.local.bootstrapArtifacts.error) {
+    lines.push(`bootstrap artifact cleanup warning: ${result.local.bootstrapArtifacts.error}`);
+  } else if (result.local.bootstrapArtifacts.attempted) {
+    lines.push(
+      `bootstrap artifacts deleted: ${result.local.bootstrapArtifacts.cleanedCount}/${result.local.bootstrapArtifacts.fileCount}`,
+    );
+  }
+  lines.push('next: run `wlfi-agent admin setup` to create a new wallet');
+  console.log(lines.join('\n'));
+}
+function resolveLaunchDaemonUninstallScriptPath(): string {
+  const candidates = [
+    path.resolve(__dirname, '../scripts/launchd/uninstall-user-daemon.sh'),
+    path.resolve(__dirname, '../../scripts/launchd/uninstall-user-daemon.sh'),
+    path.resolve(process.cwd(), 'scripts/launchd/uninstall-user-daemon.sh'),
+  ];
+  for (const candidate of candidates) {
+    if (fs.existsSync(candidate)) {
+      return candidate;
+    }
+  }
+  return candidates[0];
+}
+export function cleanupLocalAdminResetState(
+  options: { deleteConfig?: boolean } = {},
+  deps: CleanupLocalAdminResetStateDeps = {},
+): CleanupLocalAdminResetStateResult {
+  const platform = deps.platform ?? process.platform;
+  const existsSync = deps.existsSync ?? fs.existsSync;
+  const resolveConfigPathImpl = deps.resolveConfigPath ?? resolveConfigPath;
+  const resolveWlfiHomeImpl = deps.resolveWlfiHome ?? resolveWlfiHome;
+  const readConfigImpl = deps.readConfig ?? readConfig;
+  const deleteConfigKeyImpl = deps.deleteConfigKey ?? deleteConfigKey;
+  const deleteAgentAuthTokenImpl = deps.deleteAgentAuthToken ?? deleteAgentAuthTokenFromKeychain;
+  const unlinkSyncImpl = deps.unlinkSync ?? fs.unlinkSync;
+  const cleanupBootstrapArtifactsImpl =
+    deps.cleanupBootstrapArtifacts ?? cleanupAutoGeneratedBootstrapArtifacts;
+  const configPath = resolveConfigPathImpl();
+  const wlfiHome = resolveWlfiHomeImpl();
+  const configExists = existsSync(configPath);
+  const currentConfig = configExists ? readConfigImpl() : null;
+  const agentKeyId = currentConfig?.agentKeyId ?? null;
+  const clearedAgentKeyId = currentConfig?.agentKeyId !== undefined;
+  const clearedLegacyAgentAuthToken = currentConfig?.agentAuthToken !== undefined;
+  const keychainRemoved = agentKeyId ? deleteAgentAuthTokenImpl(agentKeyId) : false;
+  let configDeleted = false;
+  let configValue: Record<string, unknown> | null = configExists ? redactConfig(currentConfig ?? {}) : null;
+  if (options.deleteConfig) {
+    if (configExists) {
+      unlinkSyncImpl(configPath);
+      configDeleted = true;
+      configValue = null;
+    }
+  } else if (configExists) {
+    if (clearedAgentKeyId) {
+      deleteConfigKeyImpl('agentKeyId');
+    }
+    if (clearedLegacyAgentAuthToken) {
+      deleteConfigKeyImpl('agentAuthToken');
+    }
+    configValue = redactConfig(readConfigImpl());
+  }
+  let bootstrapArtifacts: CleanupLocalAdminResetStateResult['bootstrapArtifacts'];
+  if (!existsSync(wlfiHome)) {
+    bootstrapArtifacts = {
+      attempted: false,
+      action: 'deleted',
+      fileCount: 0,
+      cleanedCount: 0,
+      skippedCount: 0,
+      error: null,
+    };
+  } else {
+    try {
+      const cleanup = cleanupBootstrapArtifactsImpl('deleted');
+      bootstrapArtifacts = {
+        attempted: true,
+        action: 'deleted',
+        fileCount: cleanup.files.length,
+        cleanedCount: cleanup.files.filter((file) => file.cleanup === 'deleted').length,
+        skippedCount: cleanup.files.filter((file) => file.cleanup === 'skipped').length,
+        error: null,
+      };
+    } catch (error) {
+      bootstrapArtifacts = {
+        attempted: true,
+        action: 'deleted',
+        fileCount: 0,
+        cleanedCount: 0,
+        skippedCount: 0,
+        error: renderError(error),
+      };
+    }
+  }
+  return {
+    agentKeyId,
+    keychain: {
+      removed: keychainRemoved,
+      service: platform === 'darwin' ? AGENT_AUTH_TOKEN_KEYCHAIN_SERVICE : null,
+    },
+    config: {
+      path: configPath,
+      existed: configExists,
+      deleted: configDeleted,
+      clearedAgentKeyId,
+      clearedLegacyAgentAuthToken,
+      value: configValue,
+    },
+    bootstrapArtifacts,
+  };
+}
+function isPathInside(parentPath: string, childPath: string): boolean {
+  const relative = path.relative(path.resolve(parentPath), path.resolve(childPath));
+  return relative === '' || (!relative.startsWith('..') && !path.isAbsolute(relative));
+}
+export function cleanupLocalAdminUninstallState(
+  deps: CleanupLocalAdminUninstallStateDeps = {},
+): CleanupLocalAdminUninstallStateResult {
+  const platform = deps.platform ?? process.platform;
+  const existsSync = deps.existsSync ?? fs.existsSync;
+  const resolveConfigPathImpl = deps.resolveConfigPath ?? resolveConfigPath;
+  const resolveWlfiHomeImpl = deps.resolveWlfiHome ?? resolveWlfiHome;
+  const readConfigImpl = deps.readConfig ?? readConfig;
+  const deleteAgentAuthTokenImpl = deps.deleteAgentAuthToken ?? deleteAgentAuthTokenFromKeychain;
+  const rmSyncImpl = deps.rmSync ?? fs.rmSync;
+  const configPath = resolveConfigPathImpl();
+  const wlfiHome = resolveWlfiHomeImpl();
+  const configExists = existsSync(configPath);
+  const wlfiHomeExists = existsSync(wlfiHome);
+  const currentConfig = configExists ? readConfigImpl() : null;
+  const agentKeyId = currentConfig?.agentKeyId ?? null;
+  const keychainRemoved = agentKeyId ? deleteAgentAuthTokenImpl(agentKeyId) : false;
+  let configDeleted = false;
+  if (configExists && (!wlfiHomeExists || !isPathInside(wlfiHome, configPath))) {
+    rmSyncImpl(configPath, { recursive: true, force: true });
+    configDeleted = true;
+  } else if (configExists && wlfiHomeExists) {
+    configDeleted = true;
+  }
+  let wlfiHomeDeleted = false;
+  if (wlfiHomeExists) {
+    rmSyncImpl(wlfiHome, { recursive: true, force: true });
+    wlfiHomeDeleted = true;
+  }
+  return {
+    agentKeyId,
+    keychain: {
+      removed: keychainRemoved,
+      service: platform === 'darwin' ? AGENT_AUTH_TOKEN_KEYCHAIN_SERVICE : null,
+    },
+    config: {
+      path: configPath,
+      existed: configExists,
+      deleted: configDeleted,
+    },
+    wlfiHome: {
+      path: wlfiHome,
+      existed: wlfiHomeExists,
+      deleted: wlfiHomeDeleted,
+    },
+  };
+}
+async function confirmReset(options: AdminResetOptions): Promise<void> {
+  if (options.yes) {
+    return;
+  }
+  if (options.nonInteractive) {
+    throw new Error('`wlfi-agent admin reset` requires --yes in non-interactive mode');
+  }
+  process.stderr.write(
+    'warning: admin reset permanently deletes the managed daemon state and the current wallet; if you do not have an external backup, the old address is lost forever.\n',
+  );
+  const confirmation = await promptVisible(
+    'Type RESET to delete the managed daemon state and local wallet credentials: ',
+  );
+  if (confirmation !== 'RESET') {
+    throw new Error('admin reset aborted');
+  }
+}
+async function runAdminReset(options: AdminResetOptions): Promise<void> {
+  await confirmReset(options);
+  const showProgress = !options.json;
+  const keychainAccount = os.userInfo().username;
+  if (!options.json && typeof process.geteuid === 'function' && process.geteuid() !== 0) {
+    process.stderr.write(
+      'Root password required: reset must uninstall the root LaunchDaemon and delete the root-managed daemon state.\n',
+    );
+  }
+  await sudoSession.prime();
+  const uninstallProgress = createProgress('Uninstalling managed daemon', showProgress);
+  let uninstallResult;
+  try {
+    uninstallResult = await sudoSession.run([
+      resolveLaunchDaemonUninstallScriptPath(),
+      '--label',
+      DEFAULT_LAUNCH_DAEMON_LABEL,
+      '--keychain-service',
+      DAEMON_PASSWORD_KEYCHAIN_SERVICE,
+      '--keychain-account',
+      keychainAccount,
+      '--delete-keychain-password',
+    ]);
+  } catch (error) {
+    uninstallProgress.fail();
+    throw error;
+  }
+  if (uninstallResult.code !== 0) {
+    uninstallProgress.fail();
+    throw new Error(
+      uninstallResult.stderr.trim()
+        || uninstallResult.stdout.trim()
+        || `failed to uninstall managed daemon (exit code ${uninstallResult.code})`,
+    );
+  }
+  uninstallProgress.succeed('Managed daemon uninstalled');
+  const stateProgress = createProgress('Deleting root-managed daemon state', showProgress);
+  let deleteRootArtifactsResult;
+  try {
+    deleteRootArtifactsResult = await sudoSession.run([
+      '/bin/rm',
+      '-f',
+      DEFAULT_MANAGED_STATE_FILE,
+      DEFAULT_MANAGED_DAEMON_SOCKET,
+    ]);
+  } catch (error) {
+    stateProgress.fail();
+    throw error;
+  }
+  if (deleteRootArtifactsResult.code !== 0) {
+    stateProgress.fail();
+    throw new Error(
+      deleteRootArtifactsResult.stderr.trim()
+        || deleteRootArtifactsResult.stdout.trim()
+        || `failed to delete managed daemon state (exit code ${deleteRootArtifactsResult.code})`,
+    );
+  }
+  stateProgress.succeed('Root-managed daemon state deleted');
+  const localProgress = createProgress('Removing local wallet credentials', showProgress);
+  const local = cleanupLocalAdminResetState({ deleteConfig: options.deleteConfig });
+  localProgress.succeed('Local wallet credentials removed');
+  const result = {
+    command: 'reset',
+    daemon: {
+      autostart: false,
+      label: DEFAULT_LAUNCH_DAEMON_LABEL,
+      launchdDomain: 'system',
+      plist: DEFAULT_LAUNCH_DAEMON_PLIST,
+      daemonSocket: DEFAULT_MANAGED_DAEMON_SOCKET,
+      stateFile: DEFAULT_MANAGED_STATE_FILE,
+      systemKeychainPasswordService: DAEMON_PASSWORD_KEYCHAIN_SERVICE,
+      systemKeychainPasswordAccount: keychainAccount,
+    },
+    local,
+    nextStep: 'Run `wlfi-agent admin setup` to create a new wallet and re-install the managed daemon.',
+  };
+  if (options.json) {
+    print(result, true);
+    return;
+  }
+  printResetSummary({
+    daemon: {
+      label: result.daemon.label,
+      daemonSocket: result.daemon.daemonSocket,
+      stateFile: result.daemon.stateFile,
+    },
+    local,
+  });
+}
+async function confirmUninstall(options: AdminUninstallOptions): Promise<void> {
+  if (options.yes) {
+    return;
+  }
+  if (options.nonInteractive) {
+    throw new Error('`wlfi-agent admin uninstall` requires --yes in non-interactive mode');
+  }
+  process.stderr.write(
+    'warning: admin uninstall permanently removes the managed daemon, root-managed state, local wallet config, local binaries, and logs.\n',
+  );
+  const confirmation = await promptVisible(
+    'Type UNINSTALL to delete all WLFI managed files and local credentials: ',
+  );
+  if (confirmation !== 'UNINSTALL') {
+    throw new Error('admin uninstall aborted');
+  }
+}
+function printUninstallSummary(result: {
+  daemon: {
+    label: string;
+    daemonRoot: string;
+    stateDir: string;
+    logDir: string;
+  };
+  local: CleanupLocalAdminUninstallStateResult;
+}): void {
+  const lines = [
+    'uninstall complete',
+    `managed daemon removed: ${result.daemon.label}`,
+    `managed daemon files removed: ${result.daemon.daemonRoot}`,
+    `managed state directory removed: ${result.daemon.stateDir}`,
+    `managed log directory removed: ${result.daemon.logDir}`,
+    result.local.agentKeyId
+      ? `old agent key cleared: ${result.local.agentKeyId}`
+      : 'old agent key cleared: no configured agent key was found',
+    result.local.wlfiHome.existed
+      ? `local WLFI home removed: ${result.local.wlfiHome.path}`
+      : `local WLFI home not found: ${result.local.wlfiHome.path}`,
+    result.local.config.existed
+      ? `config removed: ${result.local.config.path}`
+      : `config not found: ${result.local.config.path}`,
+    'next: reinstall with `wlfi-agent admin setup` only if you want a fresh managed wallet again',
+  ];
+  console.log(lines.join('\n'));
+}
+async function runAdminUninstall(options: AdminUninstallOptions): Promise<void> {
+  await confirmUninstall(options);
+  const showProgress = !options.json;
+  const keychainAccount = os.userInfo().username;
+  if (!options.json && typeof process.geteuid === 'function' && process.geteuid() !== 0) {
+    process.stderr.write(
+      'Root password required: uninstall must remove the root LaunchDaemon and all managed root-owned files.\n',
+    );
+  }
+  await sudoSession.prime();
+  const uninstallProgress = createProgress('Uninstalling managed daemon', showProgress);
+  let uninstallResult;
+  try {
+    uninstallResult = await sudoSession.run([
+      resolveLaunchDaemonUninstallScriptPath(),
+      '--label',
+      DEFAULT_LAUNCH_DAEMON_LABEL,
+      '--keychain-service',
+      DAEMON_PASSWORD_KEYCHAIN_SERVICE,
+      '--keychain-account',
+      keychainAccount,
+      '--delete-keychain-password',
+    ]);
+  } catch (error) {
+    uninstallProgress.fail();
+    throw error;
+  }
+  if (uninstallResult.code !== 0) {
+    uninstallProgress.fail();
+    throw new Error(
+      uninstallResult.stderr.trim()
+        || uninstallResult.stdout.trim()
+        || `failed to uninstall managed daemon (exit code ${uninstallResult.code})`,
+    );
+  }
+  uninstallProgress.succeed('Managed daemon uninstalled');
+  const rootProgress = createProgress('Removing managed root-owned files', showProgress);
+  let deleteRootArtifactsResult;
+  try {
+    deleteRootArtifactsResult = await sudoSession.run([
+      '/bin/rm',
+      '-rf',
+      DEFAULT_MANAGED_ROOT_DIR,
+      DEFAULT_MANAGED_STATE_DIR,
+      DEFAULT_MANAGED_LOG_DIR,
+    ]);
+  } catch (error) {
+    rootProgress.fail();
+    throw error;
+  }
+  if (deleteRootArtifactsResult.code !== 0) {
+    rootProgress.fail();
+    throw new Error(
+      deleteRootArtifactsResult.stderr.trim()
+        || deleteRootArtifactsResult.stdout.trim()
+        || `failed to delete managed root-owned files (exit code ${deleteRootArtifactsResult.code})`,
+    );
+  }
+  rootProgress.succeed('Managed root-owned files removed');
+  const localProgress = createProgress('Removing local WLFI files and credentials', showProgress);
+  const local = cleanupLocalAdminUninstallState();
+  localProgress.succeed('Local WLFI files and credentials removed');
+  const result = {
+    command: 'uninstall',
+    daemon: {
+      autostart: false,
+      label: DEFAULT_LAUNCH_DAEMON_LABEL,
+      launchdDomain: 'system',
+      plist: DEFAULT_LAUNCH_DAEMON_PLIST,
+      daemonSocket: DEFAULT_MANAGED_DAEMON_SOCKET,
+      stateFile: DEFAULT_MANAGED_STATE_FILE,
+      daemonRoot: DEFAULT_MANAGED_ROOT_DIR,
+      stateDir: DEFAULT_MANAGED_STATE_DIR,
+      logDir: DEFAULT_MANAGED_LOG_DIR,
+      systemKeychainPasswordService: DAEMON_PASSWORD_KEYCHAIN_SERVICE,
+      systemKeychainPasswordAccount: keychainAccount,
+    },
+    local,
+  };
+  if (options.json) {
+    print(result, true);
+    return;
+  }
+  printUninstallSummary({
+    daemon: {
+      label: result.daemon.label,
+      daemonRoot: result.daemon.daemonRoot,
+      stateDir: result.daemon.stateDir,
+      logDir: result.daemon.logDir,
+    },
+    local,
+  });
+}
+export async function runAdminResetCli(argv: string[]): Promise<void> {
+  const program = new Command();
+  program
+    .name('wlfi-agent admin reset')
+    .description(
+      'Delete the root-managed daemon state and local wallet credentials so a fresh wallet can be set up',
+    )
+    .option('-y, --yes', 'Skip the destructive confirmation prompt', false)
+    .option('--non-interactive', 'Disable confirmation prompts; requires --yes', false)
+    .option(
+      '--delete-config',
+      'Delete ~/.wlfi_agent/config.json instead of only clearing wallet-specific credentials',
+      false,
+    )
+    .option('--json', 'Print JSON output', false)
+    .action(runAdminReset);
+  await program.parseAsync(argv, { from: 'user' });
+}
+export async function runAdminUninstallCli(argv: string[]): Promise<void> {
+  const program = new Command();
+  program
+    .name('wlfi-agent admin uninstall')
+    .description(
+      'Fully remove the managed daemon, root-owned state, local wallet config, local binaries, and logs',
+    )
+    .option('-y, --yes', 'Skip the destructive confirmation prompt', false)
+    .option('--non-interactive', 'Disable confirmation prompts; requires --yes', false)
+    .option('--json', 'Print JSON output', false)
+    .action(runAdminUninstall);
+  await program.parseAsync(argv, { from: 'user' });
+}