npm - @wlfi-agent/cli - Versions diffs - 1.4.13 → 1.4.14 - Mend

@wlfi-agent/cli 1.4.13 → 1.4.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (289) hide show

package/Cargo.lock +3968 -0
package/Cargo.toml +50 -0
package/README.md +426 -6
package/crates/vault-cli-admin/Cargo.toml +26 -0
package/crates/vault-cli-admin/src/io_utils.rs +500 -0
package/crates/vault-cli-admin/src/main.rs +3990 -0
package/crates/vault-cli-admin/src/shared_config.rs +624 -0
package/crates/vault-cli-admin/src/tui/amounts.rs +180 -0
package/crates/vault-cli-admin/src/tui/token_rpc.rs +250 -0
package/crates/vault-cli-admin/src/tui/utils.rs +82 -0
package/crates/vault-cli-admin/src/tui.rs +3410 -0
package/crates/vault-cli-agent/Cargo.toml +24 -0
package/crates/vault-cli-agent/src/io_utils.rs +576 -0
package/crates/vault-cli-agent/src/main.rs +833 -0
package/crates/vault-cli-daemon/Cargo.toml +28 -0
package/crates/vault-cli-daemon/src/bin/wlfi-agent-system-keychain.rs +216 -0
package/crates/vault-cli-daemon/src/main.rs +644 -0
package/crates/vault-cli-daemon/src/relay_sync.rs +894 -0
package/crates/vault-cli-daemon/tests/system_keychain_helper_acl.rs +167 -0
package/crates/vault-daemon/Cargo.toml +32 -0
package/crates/vault-daemon/src/daemon_parts/api_impl_and_utils.rs +1041 -0
package/crates/vault-daemon/src/daemon_parts/core_helpers.rs +1256 -0
package/crates/vault-daemon/src/daemon_parts/types_api_rpc.rs +622 -0
package/crates/vault-daemon/src/lib.rs +54 -0
package/crates/vault-daemon/src/persistence.rs +441 -0
package/crates/vault-daemon/src/tests.rs +237 -0
package/crates/vault-daemon/src/tests_parts/part1.rs +1224 -0
package/crates/vault-daemon/src/tests_parts/part2.rs +1021 -0
package/crates/vault-daemon/src/tests_parts/part3.rs +835 -0
package/crates/vault-daemon/src/tests_parts/part4.rs +604 -0
package/crates/vault-domain/Cargo.toml +20 -0
package/crates/vault-domain/src/action.rs +849 -0
package/crates/vault-domain/src/address.rs +51 -0
package/crates/vault-domain/src/approval.rs +90 -0
package/crates/vault-domain/src/constants.rs +4 -0
package/crates/vault-domain/src/error.rs +54 -0
package/crates/vault-domain/src/keys.rs +71 -0
package/crates/vault-domain/src/lib.rs +42 -0
package/crates/vault-domain/src/nonce.rs +102 -0
package/crates/vault-domain/src/policy.rs +172 -0
package/crates/vault-domain/src/request.rs +53 -0
package/crates/vault-domain/src/scope.rs +24 -0
package/crates/vault-domain/src/session.rs +50 -0
package/crates/vault-domain/src/signature.rs +34 -0
package/crates/vault-domain/src/tests.rs +651 -0
package/crates/vault-domain/src/u128_as_decimal_string.rs +44 -0
package/crates/vault-policy/Cargo.toml +17 -0
package/crates/vault-policy/src/engine.rs +301 -0
package/crates/vault-policy/src/error.rs +81 -0
package/crates/vault-policy/src/lib.rs +17 -0
package/crates/vault-policy/src/report.rs +34 -0
package/crates/vault-policy/src/tests.rs +891 -0
package/crates/vault-policy/src/tests_explain.rs +78 -0
package/crates/vault-sdk-agent/Cargo.toml +21 -0
package/crates/vault-sdk-agent/src/lib.rs +711 -0
package/crates/vault-signer/Cargo.toml +25 -0
package/crates/vault-signer/src/lib.rs +731 -0
package/crates/vault-signer/tests/secure_enclave_acl.rs +54 -0
package/crates/vault-transport-unix/Cargo.toml +24 -0
package/crates/vault-transport-unix/src/lib.rs +1640 -0
package/crates/vault-transport-xpc/Cargo.toml +25 -0
package/crates/vault-transport-xpc/src/client_codec_api.rs +635 -0
package/crates/vault-transport-xpc/src/lib.rs +680 -0
package/crates/vault-transport-xpc/src/tests.rs +818 -0
package/crates/vault-transport-xpc/tests/e2e_flow.rs +773 -0
package/dist/cli.cjs +35088 -0
package/dist/cli.cjs.map +1 -0
package/package.json +49 -43
package/packages/cache/.turbo/turbo-build.log +52 -0
package/packages/cache/dist/chunk-2QFWMUXT.cjs +43 -0
package/packages/cache/dist/chunk-2QFWMUXT.cjs.map +1 -0
package/packages/cache/dist/chunk-4U63TZTQ.js +43 -0
package/packages/cache/dist/chunk-4U63TZTQ.js.map +1 -0
package/packages/cache/dist/chunk-ALQ6H7KG.cjs +404 -0
package/packages/cache/dist/chunk-ALQ6H7KG.cjs.map +1 -0
package/packages/cache/dist/chunk-FGJEEF5N.js +404 -0
package/packages/cache/dist/chunk-FGJEEF5N.js.map +1 -0
package/packages/cache/dist/chunk-UYNEHZHB.cjs +45 -0
package/packages/cache/dist/chunk-UYNEHZHB.cjs.map +1 -0
package/packages/cache/dist/chunk-VXVMPG3W.js +45 -0
package/packages/cache/dist/chunk-VXVMPG3W.js.map +1 -0
package/packages/cache/dist/client/index.cjs +11 -0
package/packages/cache/dist/client/index.cjs.map +1 -0
package/packages/cache/dist/client/index.d.cts +15 -0
package/packages/cache/dist/client/index.d.ts +15 -0
package/packages/cache/dist/client/index.js +11 -0
package/packages/cache/dist/client/index.js.map +1 -0
package/packages/cache/dist/errors/index.cjs +11 -0
package/packages/cache/dist/errors/index.cjs.map +1 -0
package/packages/cache/dist/errors/index.d.cts +26 -0
package/packages/cache/dist/errors/index.d.ts +26 -0
package/packages/cache/dist/errors/index.js +11 -0
package/packages/cache/dist/errors/index.js.map +1 -0
package/packages/cache/dist/index.cjs +29 -0
package/packages/cache/dist/index.cjs.map +1 -0
package/packages/cache/dist/index.d.cts +4 -0
package/packages/cache/dist/index.d.ts +4 -0
package/packages/cache/dist/index.js +29 -0
package/packages/cache/dist/index.js.map +1 -0
package/packages/cache/dist/service/index.cjs +15 -0
package/packages/cache/dist/service/index.cjs.map +1 -0
package/packages/cache/dist/service/index.d.cts +184 -0
package/packages/cache/dist/service/index.d.ts +184 -0
package/packages/cache/dist/service/index.js +15 -0
package/packages/cache/dist/service/index.js.map +1 -0
package/packages/cache/node_modules/.bin/jiti +17 -0
package/packages/cache/node_modules/.bin/tsc +17 -0
package/packages/cache/node_modules/.bin/tsserver +17 -0
package/packages/cache/node_modules/.bin/tsup +17 -0
package/packages/cache/node_modules/.bin/tsup-node +17 -0
package/packages/cache/node_modules/.bin/tsx +17 -0
package/packages/cache/node_modules/.bin/vitest +17 -0
package/packages/cache/package.json +48 -0
package/packages/cache/src/client/index.ts +56 -0
package/packages/cache/src/errors/index.ts +53 -0
package/packages/cache/src/index.ts +3 -0
package/packages/cache/src/service/index.test.ts +263 -0
package/packages/cache/src/service/index.ts +678 -0
package/packages/cache/tsconfig.json +13 -0
package/packages/cache/tsup.config.ts +13 -0
package/packages/cache/vitest.config.ts +16 -0
package/packages/config/.turbo/turbo-build.log +18 -0
package/packages/config/dist/index.cjs +1037 -0
package/packages/config/dist/index.cjs.map +1 -0
package/packages/config/dist/index.d.ts +131 -0
package/packages/config/node_modules/.bin/jiti +17 -0
package/packages/config/node_modules/.bin/tsc +17 -0
package/packages/config/node_modules/.bin/tsserver +17 -0
package/packages/config/node_modules/.bin/tsup +17 -0
package/packages/config/node_modules/.bin/tsup-node +17 -0
package/packages/config/node_modules/.bin/tsx +17 -0
package/packages/config/package.json +21 -0
package/packages/config/src/index.js +1 -0
package/packages/config/src/index.ts +1282 -0
package/packages/config/tsconfig.json +4 -0
package/packages/rpc/.turbo/turbo-build.log +32 -0
package/packages/rpc/dist/_esm-BCLXDO2R.cjs +3660 -0
package/packages/rpc/dist/_esm-BCLXDO2R.cjs.map +1 -0
package/packages/rpc/dist/ccip-OWJLAW55.cjs +16 -0
package/packages/rpc/dist/ccip-OWJLAW55.cjs.map +1 -0
package/packages/rpc/dist/chunk-APQIFZ3B.cjs +6247 -0
package/packages/rpc/dist/chunk-APQIFZ3B.cjs.map +1 -0
package/packages/rpc/dist/chunk-CDO2GWRD.cjs +410 -0
package/packages/rpc/dist/chunk-CDO2GWRD.cjs.map +1 -0
package/packages/rpc/dist/chunk-QGTNTFJ7.cjs +2249 -0
package/packages/rpc/dist/chunk-QGTNTFJ7.cjs.map +1 -0
package/packages/rpc/dist/chunk-TZDTAHWR.cjs +44 -0
package/packages/rpc/dist/chunk-TZDTAHWR.cjs.map +1 -0
package/packages/rpc/dist/index.cjs +7342 -0
package/packages/rpc/dist/index.cjs.map +1 -0
package/packages/rpc/dist/index.d.ts +3857 -0
package/packages/rpc/dist/secp256k1-WCNM675D.cjs +18 -0
package/packages/rpc/dist/secp256k1-WCNM675D.cjs.map +1 -0
package/packages/rpc/node_modules/.bin/jiti +17 -0
package/packages/rpc/node_modules/.bin/tsc +17 -0
package/packages/rpc/node_modules/.bin/tsserver +17 -0
package/packages/rpc/node_modules/.bin/tsup +17 -0
package/packages/rpc/node_modules/.bin/tsup-node +17 -0
package/packages/rpc/node_modules/.bin/tsx +17 -0
package/packages/rpc/package.json +25 -0
package/packages/rpc/src/index.ts +206 -0
package/packages/rpc/tsconfig.json +4 -0
package/packages/typescript/base.json +36 -0
package/packages/typescript/nextjs.json +17 -0
package/packages/typescript/package.json +10 -0
package/packages/ui/.turbo/turbo-build.log +44 -0
package/packages/ui/dist/chunk-MOAFBKSA.js +11 -0
package/packages/ui/dist/chunk-MOAFBKSA.js.map +1 -0
package/packages/ui/dist/components/badge.d.ts +12 -0
package/packages/ui/dist/components/badge.js +31 -0
package/packages/ui/dist/components/badge.js.map +1 -0
package/packages/ui/dist/components/button.d.ts +13 -0
package/packages/ui/dist/components/button.js +40 -0
package/packages/ui/dist/components/button.js.map +1 -0
package/packages/ui/dist/components/card.d.ts +10 -0
package/packages/ui/dist/components/card.js +39 -0
package/packages/ui/dist/components/card.js.map +1 -0
package/packages/ui/dist/components/input.d.ts +5 -0
package/packages/ui/dist/components/input.js +28 -0
package/packages/ui/dist/components/input.js.map +1 -0
package/packages/ui/dist/components/label.d.ts +5 -0
package/packages/ui/dist/components/label.js +13 -0
package/packages/ui/dist/components/label.js.map +1 -0
package/packages/ui/dist/components/separator.d.ts +5 -0
package/packages/ui/dist/components/separator.js +13 -0
package/packages/ui/dist/components/separator.js.map +1 -0
package/packages/ui/dist/components/textarea.d.ts +5 -0
package/packages/ui/dist/components/textarea.js +27 -0
package/packages/ui/dist/components/textarea.js.map +1 -0
package/packages/ui/dist/tailwind.d.ts +56 -0
package/packages/ui/dist/tailwind.js +60 -0
package/packages/ui/dist/tailwind.js.map +1 -0
package/packages/ui/dist/utils/cn.d.ts +5 -0
package/packages/ui/dist/utils/cn.js +7 -0
package/packages/ui/dist/utils/cn.js.map +1 -0
package/packages/ui/node_modules/.bin/jiti +17 -0
package/packages/ui/node_modules/.bin/tsc +17 -0
package/packages/ui/node_modules/.bin/tsserver +17 -0
package/packages/ui/node_modules/.bin/tsup +17 -0
package/packages/ui/node_modules/.bin/tsup-node +17 -0
package/packages/ui/node_modules/.bin/tsx +17 -0
package/packages/ui/package.json +69 -0
package/packages/ui/src/components/badge.tsx +27 -0
package/packages/ui/src/components/button.tsx +40 -0
package/packages/ui/src/components/card.tsx +31 -0
package/packages/ui/src/components/input.tsx +21 -0
package/packages/ui/src/components/label.tsx +6 -0
package/packages/ui/src/components/separator.tsx +6 -0
package/packages/ui/src/components/textarea.tsx +20 -0
package/packages/ui/src/globals.css +70 -0
package/packages/ui/src/tailwind.ts +56 -0
package/packages/ui/src/utils/cn.ts +6 -0
package/packages/ui/tsconfig.json +20 -0
package/packages/ui/tsup.config.ts +20 -0
package/pnpm-workspace.yaml +4 -0
package/scripts/install-rust-binaries.mjs +84 -0
package/scripts/launchd/install-user-daemon.sh +358 -0
package/scripts/launchd/run-vault-daemon.sh +5 -0
package/scripts/launchd/run-wlfi-agent-daemon.sh +73 -0
package/scripts/launchd/uninstall-user-daemon.sh +103 -0
package/src/cli.ts +2121 -0
package/src/lib/admin-guard.js +1 -0
package/src/lib/admin-guard.ts +185 -0
package/src/lib/admin-passthrough.ts +33 -0
package/src/lib/admin-reset.ts +751 -0
package/src/lib/admin-setup.ts +1612 -0
package/src/lib/agent-auth-clear.js +1 -0
package/src/lib/agent-auth-clear.ts +58 -0
package/src/lib/agent-auth-forwarding.js +1 -0
package/src/lib/agent-auth-forwarding.ts +149 -0
package/src/lib/agent-auth-migrate.js +1 -0
package/src/lib/agent-auth-migrate.ts +150 -0
package/src/lib/agent-auth-revoke.ts +103 -0
package/src/lib/agent-auth-rotate.ts +107 -0
package/src/lib/agent-auth-token.js +1 -0
package/src/lib/agent-auth-token.ts +25 -0
package/src/lib/agent-auth.ts +89 -0
package/src/lib/asset-broadcast.js +1 -0
package/src/lib/asset-broadcast.ts +285 -0
package/src/lib/bootstrap-artifacts.js +1 -0
package/src/lib/bootstrap-artifacts.ts +205 -0
package/src/lib/bootstrap-credentials.js +1 -0
package/src/lib/bootstrap-credentials.ts +832 -0
package/src/lib/config-amounts.js +1 -0
package/src/lib/config-amounts.ts +189 -0
package/src/lib/config-mutation.ts +27 -0
package/src/lib/fs-trust.js +1 -0
package/src/lib/fs-trust.ts +537 -0
package/src/lib/keychain.js +1 -0
package/src/lib/keychain.ts +225 -0
package/src/lib/local-admin-access.ts +106 -0
package/src/lib/network-selection.js +1 -0
package/src/lib/network-selection.ts +71 -0
package/src/lib/passthrough-security.js +1 -0
package/src/lib/passthrough-security.ts +114 -0
package/src/lib/rpc-guard.js +1 -0
package/src/lib/rpc-guard.ts +7 -0
package/src/lib/rust-spawn-options.js +1 -0
package/src/lib/rust-spawn-options.ts +98 -0
package/src/lib/rust.js +1 -0
package/src/lib/rust.ts +143 -0
package/src/lib/signed-tx.js +1 -0
package/src/lib/signed-tx.ts +116 -0
package/src/lib/status-repair-cli.ts +116 -0
package/src/lib/sudo.js +1 -0
package/src/lib/sudo.ts +172 -0
package/src/lib/vault-password-forwarding.js +1 -0
package/src/lib/vault-password-forwarding.ts +155 -0
package/src/lib/wallet-profile.js +1 -0
package/src/lib/wallet-profile.ts +332 -0
package/src/lib/wallet-repair.js +1 -0
package/src/lib/wallet-repair.ts +304 -0
package/src/lib/wallet-setup.js +1 -0
package/src/lib/wallet-setup.ts +1466 -0
package/src/lib/wallet-status.js +1 -0
package/src/lib/wallet-status.ts +640 -0
package/tsconfig.base.json +17 -0
package/tsconfig.json +10 -0
package/tsup.config.ts +25 -0
package/turbo.json +41 -0
package/LICENSE.md +0 -1
package/dist/wlfa/index.cjs +0 -250
package/dist/wlfa/index.d.cts +0 -1
package/dist/wlfa/index.d.ts +0 -1
package/dist/wlfa/index.js +0 -250
package/dist/wlfc/index.cjs +0 -1839
package/dist/wlfc/index.d.cts +0 -1
package/dist/wlfc/index.d.ts +0 -1
package/dist/wlfc/index.js +0 -1839

package/crates/vault-cli-admin/src/shared_config.rs ADDED Viewed

@@ -0,0 +1,624 @@
+use std::collections::BTreeMap;
+use std::fs::{self, OpenOptions};
+use std::io::Write;
+use std::path::{Path, PathBuf};
+use anyhow::{bail, Context, Result};
+use serde::{Deserialize, Serialize};
+use serde_json::Value;
+#[cfg(unix)]
+use std::os::unix::fs::{OpenOptionsExt, PermissionsExt};
+const CONFIG_FILENAME: &str = "config.json";
+#[cfg(unix)]
+const PRIVATE_DIR_MODE: u32 = 0o700;
+#[cfg(unix)]
+const PRIVATE_FILE_MODE: u32 = 0o600;
+const DEFAULT_ETH_RPC_URL: &str = "https://eth.llamarpc.com";
+const DEFAULT_BSC_RPC_URL: &str = "https://bsc.drpc.org";
+const DEFAULT_USD1_ADDRESS: &str = "0xc83DE66ebA6a91B6F3d167f2ee9F0C42aD70B611";
+#[derive(Debug, Clone, PartialEq, Serialize, Deserialize)]
+#[serde(default, rename_all = "camelCase")]
+pub(crate) struct WlfiConfig {
+    pub(crate) rpc_url: Option<String>,
+    pub(crate) chain_id: Option<u64>,
+    pub(crate) chain_name: Option<String>,
+    pub(crate) daemon_socket: Option<String>,
+    pub(crate) state_file: Option<String>,
+    pub(crate) rust_bin_dir: Option<String>,
+    pub(crate) agent_key_id: Option<String>,
+    pub(crate) agent_auth_token: Option<String>,
+    pub(crate) wallet: Option<WalletProfile>,
+    pub(crate) chains: BTreeMap<String, ChainProfile>,
+    pub(crate) tokens: BTreeMap<String, TokenProfile>,
+    #[serde(flatten)]
+    pub(crate) extra: BTreeMap<String, Value>,
+}
+impl Default for WlfiConfig {
+    fn default() -> Self {
+        Self {
+            rpc_url: None,
+            chain_id: None,
+            chain_name: None,
+            daemon_socket: None,
+            state_file: None,
+            rust_bin_dir: None,
+            agent_key_id: None,
+            agent_auth_token: None,
+            wallet: None,
+            chains: default_chain_profiles(),
+            tokens: default_token_profiles(),
+            extra: BTreeMap::new(),
+        }
+    }
+}
+#[derive(Debug, Clone, Default, PartialEq, Serialize, Deserialize)]
+#[serde(default, rename_all = "camelCase")]
+pub(crate) struct WalletProfile {
+    pub(crate) vault_key_id: Option<String>,
+    pub(crate) vault_public_key: String,
+    pub(crate) address: Option<String>,
+    pub(crate) agent_key_id: Option<String>,
+    pub(crate) policy_attachment: String,
+    pub(crate) attached_policy_ids: Vec<String>,
+    pub(crate) policy_note: Option<String>,
+    pub(crate) network_scope: Option<String>,
+    pub(crate) asset_scope: Option<String>,
+    pub(crate) recipient_scope: Option<String>,
+    #[serde(flatten)]
+    pub(crate) extra: BTreeMap<String, Value>,
+}
+#[derive(Debug, Clone, Default, PartialEq, Serialize, Deserialize)]
+#[serde(default, rename_all = "camelCase")]
+pub(crate) struct ChainProfile {
+    pub(crate) chain_id: u64,
+    pub(crate) name: String,
+    pub(crate) rpc_url: Option<String>,
+    #[serde(flatten)]
+    pub(crate) extra: BTreeMap<String, Value>,
+}
+#[derive(Debug, Clone, Default, PartialEq, Serialize, Deserialize)]
+#[serde(default, rename_all = "camelCase")]
+pub(crate) struct TokenPolicyProfile {
+    pub(crate) per_tx_amount: Option<f64>,
+    pub(crate) daily_amount: Option<f64>,
+    pub(crate) weekly_amount: Option<f64>,
+    pub(crate) per_tx_amount_decimal: Option<String>,
+    pub(crate) daily_amount_decimal: Option<String>,
+    pub(crate) weekly_amount_decimal: Option<String>,
+    pub(crate) per_tx_limit: Option<String>,
+    pub(crate) daily_limit: Option<String>,
+    pub(crate) weekly_limit: Option<String>,
+    pub(crate) max_gas_per_chain_wei: Option<String>,
+    pub(crate) daily_max_tx_count: Option<String>,
+    pub(crate) per_tx_max_fee_per_gas_gwei: Option<String>,
+    pub(crate) per_tx_max_fee_per_gas_wei: Option<String>,
+    pub(crate) per_tx_max_priority_fee_per_gas_wei: Option<String>,
+    pub(crate) per_tx_max_calldata_bytes: Option<String>,
+    #[serde(flatten)]
+    pub(crate) extra: BTreeMap<String, Value>,
+}
+#[derive(Debug, Clone, Default, PartialEq, Serialize, Deserialize)]
+#[serde(default, rename_all = "camelCase")]
+pub(crate) struct TokenDestinationOverrideProfile {
+    pub(crate) recipient: String,
+    #[serde(flatten)]
+    pub(crate) limits: TokenPolicyProfile,
+}
+#[derive(Debug, Clone, Default, PartialEq, Serialize, Deserialize)]
+#[serde(default, rename_all = "camelCase")]
+pub(crate) struct TokenManualApprovalProfile {
+    pub(crate) priority: u32,
+    pub(crate) recipient: Option<String>,
+    pub(crate) min_amount: Option<f64>,
+    pub(crate) max_amount: Option<f64>,
+    pub(crate) min_amount_decimal: Option<String>,
+    pub(crate) max_amount_decimal: Option<String>,
+    pub(crate) min_amount_wei: Option<String>,
+    pub(crate) max_amount_wei: Option<String>,
+    #[serde(flatten)]
+    pub(crate) extra: BTreeMap<String, Value>,
+}
+#[derive(Debug, Clone, Default, PartialEq, Serialize, Deserialize)]
+#[serde(default, rename_all = "camelCase")]
+pub(crate) struct TokenChainProfile {
+    pub(crate) chain_id: u64,
+    pub(crate) is_native: bool,
+    pub(crate) address: Option<String>,
+    pub(crate) decimals: u8,
+    pub(crate) default_policy: Option<TokenPolicyProfile>,
+    #[serde(flatten)]
+    pub(crate) extra: BTreeMap<String, Value>,
+}
+#[derive(Debug, Clone, Default, PartialEq, Serialize, Deserialize)]
+#[serde(default, rename_all = "camelCase")]
+pub(crate) struct TokenProfile {
+    pub(crate) name: Option<String>,
+    pub(crate) symbol: String,
+    pub(crate) default_policy: Option<TokenPolicyProfile>,
+    pub(crate) destination_overrides: Vec<TokenDestinationOverrideProfile>,
+    pub(crate) manual_approval_policies: Vec<TokenManualApprovalProfile>,
+    pub(crate) chains: BTreeMap<String, TokenChainProfile>,
+    #[serde(flatten)]
+    pub(crate) extra: BTreeMap<String, Value>,
+}
+fn default_chain_profiles() -> BTreeMap<String, ChainProfile> {
+    BTreeMap::from([
+        (
+            "bsc".to_string(),
+            ChainProfile {
+                chain_id: 56,
+                name: "BSC".to_string(),
+                rpc_url: Some(DEFAULT_BSC_RPC_URL.to_string()),
+                extra: BTreeMap::new(),
+            },
+        ),
+        (
+            "eth".to_string(),
+            ChainProfile {
+                chain_id: 1,
+                name: "ETH".to_string(),
+                rpc_url: Some(DEFAULT_ETH_RPC_URL.to_string()),
+                extra: BTreeMap::new(),
+            },
+        ),
+    ])
+}
+fn default_token_profiles() -> BTreeMap<String, TokenProfile> {
+    let usd1_policy = default_token_policy("10", "100", "700");
+    let bnb_policy = default_token_policy("0.01", "0.2", "1.4");
+    BTreeMap::from([
+        (
+            "bnb".to_string(),
+            TokenProfile {
+                name: Some("BNB".to_string()),
+                symbol: "BNB".to_string(),
+                default_policy: Some(bnb_policy.clone()),
+                destination_overrides: Vec::new(),
+                manual_approval_policies: Vec::new(),
+                chains: BTreeMap::from([(
+                    "bsc".to_string(),
+                    TokenChainProfile {
+                        chain_id: 56,
+                        is_native: true,
+                        address: None,
+                        decimals: 18,
+                        default_policy: Some(bnb_policy),
+                        extra: BTreeMap::new(),
+                    },
+                )]),
+                extra: BTreeMap::new(),
+            },
+        ),
+        (
+            "usd1".to_string(),
+            TokenProfile {
+                name: Some("USD1".to_string()),
+                symbol: "USD1".to_string(),
+                default_policy: Some(usd1_policy.clone()),
+                destination_overrides: Vec::new(),
+                manual_approval_policies: Vec::new(),
+                chains: BTreeMap::from([
+                    (
+                        "bsc".to_string(),
+                        TokenChainProfile {
+                            chain_id: 56,
+                            is_native: false,
+                            address: Some(DEFAULT_USD1_ADDRESS.to_string()),
+                            decimals: 18,
+                            default_policy: Some(usd1_policy.clone()),
+                            extra: BTreeMap::new(),
+                        },
+                    ),
+                    (
+                        "eth".to_string(),
+                        TokenChainProfile {
+                            chain_id: 1,
+                            is_native: false,
+                            address: Some(DEFAULT_USD1_ADDRESS.to_string()),
+                            decimals: 18,
+                            default_policy: Some(usd1_policy),
+                            extra: BTreeMap::new(),
+                        },
+                    ),
+                ]),
+                extra: BTreeMap::new(),
+            },
+        ),
+    ])
+}
+fn default_token_policy(per_tx: &str, daily: &str, weekly: &str) -> TokenPolicyProfile {
+    TokenPolicyProfile {
+        per_tx_amount: None,
+        daily_amount: None,
+        weekly_amount: None,
+        per_tx_amount_decimal: Some(per_tx.to_string()),
+        daily_amount_decimal: Some(daily.to_string()),
+        weekly_amount_decimal: Some(weekly.to_string()),
+        per_tx_limit: None,
+        daily_limit: None,
+        weekly_limit: None,
+        max_gas_per_chain_wei: None,
+        daily_max_tx_count: None,
+        per_tx_max_fee_per_gas_gwei: None,
+        per_tx_max_fee_per_gas_wei: None,
+        per_tx_max_priority_fee_per_gas_wei: None,
+        per_tx_max_calldata_bytes: None,
+        extra: BTreeMap::new(),
+    }
+}
+#[derive(Debug, Clone, PartialEq)]
+pub(crate) struct LoadedConfig {
+    pub(crate) path: PathBuf,
+    pub(crate) config: WlfiConfig,
+}
+impl LoadedConfig {
+    pub(crate) fn load_default() -> Result<Self> {
+        let path = default_config_path()?;
+        let config = WlfiConfig::read_from_path(&path)?;
+        Ok(Self { path, config })
+    }
+    pub(crate) fn save(&self) -> Result<()> {
+        self.config.write_to_path(&self.path)
+    }
+}
+impl WlfiConfig {
+    fn apply_seed_defaults_if_legacy_empty(mut self) -> Self {
+        if self.chains.is_empty() && self.tokens.is_empty() {
+            self.chains = default_chain_profiles();
+            self.tokens = default_token_profiles();
+        }
+        self
+    }
+    pub(crate) fn read_from_path(path: &Path) -> Result<Self> {
+        match fs::read_to_string(path) {
+            Ok(raw) => serde_json::from_str::<Self>(&raw)
+                .map(Self::apply_seed_defaults_if_legacy_empty)
+                .with_context(|| format!("failed to parse config file '{}'", path.display())),
+            Err(error) if error.kind() == std::io::ErrorKind::NotFound => Ok(Self::default()),
+            Err(error) => Err(error)
+                .with_context(|| format!("failed to read config file '{}'", path.display())),
+        }
+    }
+    pub(crate) fn write_to_path(&self, path: &Path) -> Result<()> {
+        if let Some(parent) = path.parent() {
+            fs::create_dir_all(parent).with_context(|| {
+                format!("failed to create config directory '{}'", parent.display())
+            })?;
+            #[cfg(unix)]
+            {
+                fs::set_permissions(parent, fs::Permissions::from_mode(PRIVATE_DIR_MODE))
+                    .with_context(|| {
+                        format!("failed to secure config directory '{}'", parent.display())
+                    })?;
+            }
+        }
+        let rendered = serde_json::to_string_pretty(self).context("failed to serialize config")?;
+        let mut options = OpenOptions::new();
+        options.create(true).truncate(true).write(true);
+        #[cfg(unix)]
+        options.mode(PRIVATE_FILE_MODE);
+        let mut file = options
+            .open(path)
+            .with_context(|| format!("failed to open config file '{}'", path.display()))?;
+        file.write_all(rendered.as_bytes())
+            .with_context(|| format!("failed to write config file '{}'", path.display()))?;
+        file.write_all(b"\n")
+            .with_context(|| format!("failed to finalize config file '{}'", path.display()))?;
+        #[cfg(unix)]
+        fs::set_permissions(path, fs::Permissions::from_mode(PRIVATE_FILE_MODE))
+            .with_context(|| format!("failed to secure config file '{}'", path.display()))?;
+        Ok(())
+    }
+}
+pub(crate) fn default_config_path() -> Result<PathBuf> {
+    Ok(wlfi_home_dir()?.join(CONFIG_FILENAME))
+}
+fn wlfi_home_dir() -> Result<PathBuf> {
+    if let Some(path) = std::env::var_os("WLFI_HOME") {
+        let candidate = PathBuf::from(path);
+        if candidate.as_os_str().is_empty() {
+            bail!("WLFI_HOME must not be empty");
+        }
+        return Ok(candidate);
+    }
+    let Some(home) = std::env::var_os("HOME") else {
+        bail!("HOME is not set; use WLFI_HOME to choose config directory");
+    };
+    Ok(PathBuf::from(home).join(".wlfi_agent"))
+}
+#[cfg(test)]
+mod tests {
+    use super::{
+        default_config_path, LoadedConfig, TokenChainProfile, TokenDestinationOverrideProfile,
+        TokenManualApprovalProfile, TokenPolicyProfile, TokenProfile, WlfiConfig,
+    };
+    use std::collections::BTreeMap;
+    use std::fs;
+    use std::path::PathBuf;
+    fn temp_root(label: &str) -> PathBuf {
+        let unique = format!(
+            "wlfi-agent-admin-shared-config-{label}-{}-{}",
+            std::process::id(),
+            std::time::SystemTime::now()
+                .duration_since(std::time::UNIX_EPOCH)
+                .expect("unix time")
+                .as_nanos()
+        );
+        std::env::temp_dir().join(unique)
+    }
+    #[test]
+    fn read_from_missing_path_returns_default_config() {
+        let root = temp_root("missing");
+        let path = root.join("config.json");
+        let config = WlfiConfig::read_from_path(&path).expect("missing path should default");
+        assert_eq!(config, WlfiConfig::default());
+    }
+    #[test]
+    fn read_from_legacy_empty_config_reseeds_defaults() {
+        let root = temp_root("legacy-empty");
+        fs::create_dir_all(&root).expect("create root");
+        let path = root.join("config.json");
+        fs::write(
+            &path,
+            r#"{
+  "chains": {},
+  "tokens": {},
+  "chainId": 11155111,
+  "chainName": "sepolia",
+  "rpcUrl": "https://rpc.sepolia.example"
+}
+"#,
+        )
+        .expect("write legacy config");
+        let config = WlfiConfig::read_from_path(&path).expect("read config");
+        assert!(config.chains.contains_key("eth"));
+        assert!(config.chains.contains_key("bsc"));
+        assert!(config.tokens.contains_key("usd1"));
+        assert!(config.tokens.contains_key("bnb"));
+        assert_eq!(config.chain_id, Some(11155111));
+        assert_eq!(config.chain_name.as_deref(), Some("sepolia"));
+        assert_eq!(
+            config.rpc_url.as_deref(),
+            Some("https://rpc.sepolia.example")
+        );
+        fs::remove_dir_all(&root).expect("cleanup temp root");
+    }
+    #[test]
+    fn default_config_seeds_eth_bsc_usd1_and_bnb() {
+        let config = WlfiConfig::default();
+        assert_eq!(config.chains["eth"].chain_id, 1);
+        assert_eq!(
+            config.chains["eth"].rpc_url.as_deref(),
+            Some("https://eth.llamarpc.com")
+        );
+        assert_eq!(config.chains["bsc"].chain_id, 56);
+        assert_eq!(
+            config.chains["bsc"].rpc_url.as_deref(),
+            Some("https://bsc.drpc.org")
+        );
+        let usd1 = config.tokens.get("usd1").expect("usd1 default");
+        assert_eq!(usd1.symbol, "USD1");
+        assert_eq!(
+            usd1.default_policy
+                .as_ref()
+                .and_then(|policy| policy.per_tx_amount_decimal.as_deref()),
+            Some("10")
+        );
+        assert_eq!(
+            usd1.default_policy
+                .as_ref()
+                .and_then(|policy| policy.daily_amount_decimal.as_deref()),
+            Some("100")
+        );
+        assert_eq!(
+            usd1.default_policy
+                .as_ref()
+                .and_then(|policy| policy.weekly_amount_decimal.as_deref()),
+            Some("700")
+        );
+        assert_eq!(
+            usd1.chains["eth"].address.as_deref(),
+            Some("0xc83DE66ebA6a91B6F3d167f2ee9F0C42aD70B611")
+        );
+        assert_eq!(
+            usd1.chains["bsc"].address.as_deref(),
+            Some("0xc83DE66ebA6a91B6F3d167f2ee9F0C42aD70B611")
+        );
+        let bnb = config.tokens.get("bnb").expect("bnb default");
+        assert_eq!(bnb.symbol, "BNB");
+        assert!(bnb.chains["bsc"].is_native);
+        assert_eq!(
+            bnb.default_policy
+                .as_ref()
+                .and_then(|policy| policy.per_tx_amount_decimal.as_deref()),
+            Some("0.01")
+        );
+        assert_eq!(
+            bnb.default_policy
+                .as_ref()
+                .and_then(|policy| policy.daily_amount_decimal.as_deref()),
+            Some("0.2")
+        );
+        assert_eq!(
+            bnb.default_policy
+                .as_ref()
+                .and_then(|policy| policy.weekly_amount_decimal.as_deref()),
+            Some("1.4")
+        );
+    }
+    #[test]
+    fn write_and_read_round_trip_preserves_chain_and_token_profiles() {
+        let root = temp_root("roundtrip");
+        fs::create_dir_all(&root).expect("create root");
+        let path = root.join("config.json");
+        let mut config = WlfiConfig {
+            chain_id: Some(11155111),
+            chain_name: Some("sepolia".to_string()),
+            rpc_url: Some("https://rpc.sepolia.example".to_string()),
+            ..WlfiConfig::default()
+        };
+        config.chains.insert(
+            "sepolia".to_string(),
+            super::ChainProfile {
+                chain_id: 11155111,
+                name: "sepolia".to_string(),
+                rpc_url: Some("https://rpc.sepolia.example".to_string()),
+                extra: BTreeMap::new(),
+            },
+        );
+        config.tokens.insert(
+            "usdc".to_string(),
+            TokenProfile {
+                name: Some("USD Coin".to_string()),
+                symbol: "USDC".to_string(),
+                default_policy: Some(TokenPolicyProfile {
+                    per_tx_amount: Some(25.0),
+                    daily_amount: Some(100.0),
+                    weekly_amount: Some(500.0),
+                    per_tx_amount_decimal: Some("25".to_string()),
+                    daily_amount_decimal: Some("100".to_string()),
+                    weekly_amount_decimal: Some("500".to_string()),
+                    per_tx_limit: None,
+                    daily_limit: None,
+                    weekly_limit: None,
+                    max_gas_per_chain_wei: Some("1000000000000000".to_string()),
+                    daily_max_tx_count: Some("0".to_string()),
+                    per_tx_max_fee_per_gas_gwei: Some("25".to_string()),
+                    per_tx_max_fee_per_gas_wei: Some("25000000000".to_string()),
+                    per_tx_max_priority_fee_per_gas_wei: Some("0".to_string()),
+                    per_tx_max_calldata_bytes: Some("0".to_string()),
+                    extra: BTreeMap::new(),
+                }),
+                destination_overrides: vec![TokenDestinationOverrideProfile {
+                    recipient: "0x1000000000000000000000000000000000000001".to_string(),
+                    limits: TokenPolicyProfile {
+                        per_tx_amount: None,
+                        daily_amount: None,
+                        weekly_amount: None,
+                        per_tx_amount_decimal: Some("10".to_string()),
+                        daily_amount_decimal: Some("50".to_string()),
+                        weekly_amount_decimal: Some("200".to_string()),
+                        per_tx_limit: None,
+                        daily_limit: None,
+                        weekly_limit: None,
+                        max_gas_per_chain_wei: Some("100000000000000".to_string()),
+                        daily_max_tx_count: Some("0".to_string()),
+                        per_tx_max_fee_per_gas_gwei: Some("15".to_string()),
+                        per_tx_max_fee_per_gas_wei: Some("15000000000".to_string()),
+                        per_tx_max_priority_fee_per_gas_wei: Some("0".to_string()),
+                        per_tx_max_calldata_bytes: Some("0".to_string()),
+                        extra: BTreeMap::new(),
+                    },
+                }],
+                manual_approval_policies: vec![TokenManualApprovalProfile {
+                    priority: 100,
+                    recipient: None,
+                    min_amount: Some(250.0),
+                    max_amount: Some(500.0),
+                    min_amount_decimal: Some("250".to_string()),
+                    max_amount_decimal: Some("500".to_string()),
+                    min_amount_wei: None,
+                    max_amount_wei: None,
+                    extra: BTreeMap::new(),
+                }],
+                chains: BTreeMap::from([(
+                    "sepolia".to_string(),
+                    TokenChainProfile {
+                        chain_id: 11155111,
+                        is_native: false,
+                        address: Some("0x1000000000000000000000000000000000000000".to_string()),
+                        decimals: 6,
+                        default_policy: Some(TokenPolicyProfile {
+                            per_tx_amount: Some(25.0),
+                            daily_amount: Some(100.0),
+                            weekly_amount: Some(500.0),
+                            per_tx_amount_decimal: Some("25".to_string()),
+                            daily_amount_decimal: Some("100".to_string()),
+                            weekly_amount_decimal: Some("500".to_string()),
+                            per_tx_limit: Some("25".to_string()),
+                            daily_limit: Some("100".to_string()),
+                            weekly_limit: Some("500".to_string()),
+                            max_gas_per_chain_wei: Some("1000000000000000".to_string()),
+                            daily_max_tx_count: Some("0".to_string()),
+                            per_tx_max_fee_per_gas_gwei: Some("25".to_string()),
+                            per_tx_max_fee_per_gas_wei: Some("0".to_string()),
+                            per_tx_max_priority_fee_per_gas_wei: Some("0".to_string()),
+                            per_tx_max_calldata_bytes: Some("0".to_string()),
+                            extra: BTreeMap::new(),
+                        }),
+                        extra: BTreeMap::new(),
+                    },
+                )]),
+                extra: BTreeMap::new(),
+            },
+        );
+        config.write_to_path(&path).expect("write config");
+        let loaded = WlfiConfig::read_from_path(&path).expect("read config");
+        assert_eq!(loaded, config);
+        let loaded_document = LoadedConfig {
+            path: path.clone(),
+            config,
+        };
+        loaded_document.save().expect("save loaded document");
+        assert!(path.exists());
+        fs::remove_dir_all(&root).expect("cleanup temp root");
+    }
+    #[test]
+    fn default_config_path_uses_wlfi_home_when_present() {
+        let root = temp_root("wlfi-home");
+        fs::create_dir_all(&root).expect("create root");
+        let previous = std::env::var_os("WLFI_HOME");
+        std::env::set_var("WLFI_HOME", &root);
+        let path = default_config_path().expect("resolve default config path");
+        assert_eq!(path, root.join("config.json"));
+        if let Some(value) = previous {
+            std::env::set_var("WLFI_HOME", value);
+        } else {
+            std::env::remove_var("WLFI_HOME");
+        }
+        fs::remove_dir_all(&root).expect("cleanup temp root");
+    }
+}