@wlfi-agent/cli 1.4.13 → 1.4.15

package/crates/vault-domain/src/tests.rs

@@ -0,0 +1,651 @@
+use std::collections::BTreeSet;
+
+use alloy_primitives::U256;
+use alloy_sol_types::{sol, SolCall};
+use time::OffsetDateTime;
+use uuid::Uuid;
+
+use super::*;
+
+sol! {
+    function approve(address spender, uint256 value);
+    function transfer(address to, uint256 value);
+}
+
+#[test]
+fn address_parser_validates_prefix_and_length() {
+    let valid = "0x1111111111111111111111111111111111111111"
+        .parse::<EvmAddress>()
+        .expect("must parse");
+    assert_eq!(valid.as_str(), "0x1111111111111111111111111111111111111111");
+
+    let missing_prefix = "1111111111111111111111111111111111111111".parse::<EvmAddress>();
+    assert!(missing_prefix.is_err());
+
+    let too_short = "0x1234".parse::<EvmAddress>();
+    assert!(too_short.is_err());
+}
+
+#[test]
+fn manual_approval_capability_token_is_deterministic_per_request() {
+    let approval_request_id =
+        Uuid::parse_str("aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa").expect("uuid");
+    let relay_private_key_hex = "11".repeat(32);
+
+    let first = manual_approval_capability_token(&relay_private_key_hex, approval_request_id)
+        .expect("must derive token");
+    let second = manual_approval_capability_token(&relay_private_key_hex, approval_request_id)
+        .expect("must derive token");
+
+    assert_eq!(first, second);
+    assert_eq!(first.len(), 64);
+
+    let capability_hash = manual_approval_capability_hash(&first).expect("must hash token");
+    assert_eq!(capability_hash.len(), 64);
+    assert_ne!(capability_hash, first);
+}
+
+#[test]
+fn manual_approval_capability_token_rejects_invalid_secret() {
+    let approval_request_id = Uuid::new_v4();
+    let err = manual_approval_capability_token("not-hex", approval_request_id)
+        .expect_err("must reject invalid secret");
+    assert!(matches!(err, DomainError::InvalidRelayCapabilitySecret));
+}
+
+#[test]
+fn address_deserialize_rejects_invalid_values() {
+    let invalid =
+        serde_json::from_str::<EvmAddress>(r#""not-an-address""#).expect_err("must reject");
+    assert!(invalid.to_string().contains("address"));
+}
+
+#[test]
+fn address_deserialize_normalizes_case() {
+    let parsed =
+        serde_json::from_str::<EvmAddress>(r#""0xABCD000000000000000000000000000000000000""#)
+            .expect("must deserialize");
+    assert_eq!(
+        parsed.as_str(),
+        "0xabcd000000000000000000000000000000000000"
+    );
+}
+
+#[test]
+fn all_scope_allows_any_value() {
+    let addr = "0x2222222222222222222222222222222222222222"
+        .parse::<EvmAddress>()
+        .expect("must parse");
+    let scope: EntityScope<EvmAddress> = EntityScope::All;
+
+    assert!(scope.allows(&addr));
+}
+
+#[test]
+fn policy_set_cannot_be_empty() {
+    let empty = BTreeSet::new();
+    let result = PolicyAttachment::policy_set(empty);
+    assert!(matches!(result, Err(DomainError::EmptyPolicySet)));
+}
+
+#[test]
+fn parse_erc20_transfer_call_succeeds() {
+    let to = alloy_primitives::Address::from([0x11; 20]);
+    let amount = U256::from(42_u64);
+    let calldata = transferCall { to, value: amount }.abi_encode();
+
+    let parsed = parse_erc20_call(&calldata).expect("decode");
+    assert_eq!(
+        parsed,
+        Erc20Call::Transfer {
+            to: "0x1111111111111111111111111111111111111111"
+                .parse()
+                .expect("address"),
+            amount_wei: 42,
+        }
+    );
+}
+
+#[test]
+fn parse_erc20_approve_call_succeeds() {
+    let spender = alloy_primitives::Address::from([0x22; 20]);
+    let amount = U256::from(1337_u64);
+    let calldata = approveCall {
+        spender,
+        value: amount,
+    }
+    .abi_encode();
+
+    let action = action_from_erc20_calldata(
+        1,
+        "0x3333333333333333333333333333333333333333"
+            .parse()
+            .expect("token"),
+        &calldata,
+    )
+    .expect("action");
+
+    assert_eq!(
+        action,
+        AgentAction::Approve {
+            chain_id: 1,
+            token: "0x3333333333333333333333333333333333333333"
+                .parse()
+                .expect("token"),
+            spender: "0x2222222222222222222222222222222222222222"
+                .parse()
+                .expect("spender"),
+            amount_wei: 1337,
+        }
+    );
+}
+
+#[test]
+fn parse_erc20_call_rejects_unknown_selector() {
+    let err = parse_erc20_call(&[0xde, 0xad, 0xbe, 0xef, 0x00]).expect_err("must fail");
+    assert!(matches!(err, DomainError::InvalidErc20Calldata(_)));
+}
+
+#[test]
+fn broadcast_tx_rejects_delegation() {
+    let tx = BroadcastTx {
+        chain_id: 1,
+        nonce: 0,
+        to: "0x1234000000000000000000000000000000000000"
+            .parse()
+            .expect("to"),
+        value_wei: 0,
+        data_hex: "0x".to_string(),
+        gas_limit: 21_000,
+        max_fee_per_gas_wei: 1_000_000_000,
+        max_priority_fee_per_gas_wei: 1_000_000_000,
+        tx_type: 0x02,
+        delegation_enabled: true,
+    };
+
+    let err = tx.validate().expect_err("must reject delegation");
+    assert!(matches!(err, DomainError::DelegationNotAllowed));
+}
+
+#[test]
+fn broadcast_tx_rejects_delegation_for_eip7702() {
+    let tx = BroadcastTx {
+        chain_id: 1,
+        nonce: 0,
+        to: "0x1234000000000000000000000000000000000000"
+            .parse()
+            .expect("to"),
+        value_wei: 0,
+        data_hex: "0x".to_string(),
+        gas_limit: 21_000,
+        max_fee_per_gas_wei: 1_000_000_000,
+        max_priority_fee_per_gas_wei: 1_000_000_000,
+        tx_type: EIP7702_TX_TYPE,
+        delegation_enabled: true,
+    };
+
+    let err = tx.validate().expect_err("must reject delegation");
+    assert!(matches!(err, DomainError::DelegationNotAllowed));
+}
+
+#[test]
+fn broadcast_tx_rejects_erc20_call_with_native_value() {
+    let to = alloy_primitives::Address::from([0x11; 20]);
+    let amount = U256::from(7_u64);
+    let calldata = transferCall { to, value: amount }.abi_encode();
+
+    let tx = BroadcastTx {
+        chain_id: 1,
+        nonce: 0,
+        to: "0x1000000000000000000000000000000000000000"
+            .parse()
+            .expect("token"),
+        value_wei: 1,
+        data_hex: format!("0x{}", hex::encode(calldata)),
+        gas_limit: 60_000,
+        max_fee_per_gas_wei: 1_000_000_000,
+        max_priority_fee_per_gas_wei: 1_000_000_000,
+        tx_type: 0x02,
+        delegation_enabled: false,
+    };
+
+    let err = tx.validate().expect_err("must reject mixed erc20/native");
+    assert!(matches!(err, DomainError::Erc20CallWithNativeValue));
+}
+
+#[test]
+fn broadcast_action_derives_erc20_scope_from_calldata() {
+    let to = alloy_primitives::Address::from([0x33; 20]);
+    let calldata = transferCall {
+        to,
+        value: U256::from(77_u64),
+    }
+    .abi_encode();
+    let token: EvmAddress = "0x4444000000000000000000000000000000000000"
+        .parse()
+        .expect("token");
+    let tx = BroadcastTx {
+        chain_id: 1,
+        nonce: 0,
+        to: token.clone(),
+        value_wei: 0,
+        data_hex: format!("0x{}", hex::encode(calldata)),
+        gas_limit: 60_000,
+        max_fee_per_gas_wei: 1_000_000_000,
+        max_priority_fee_per_gas_wei: 1_000_000_000,
+        tx_type: 0x02,
+        delegation_enabled: false,
+    };
+    let action = AgentAction::BroadcastTx { tx };
+
+    assert_eq!(action.asset(), AssetId::Erc20(token));
+    assert_eq!(action.amount_wei(), 77);
+    assert_eq!(
+        action.recipient(),
+        "0x3333333333333333333333333333333333333333"
+            .parse()
+            .expect("recipient")
+    );
+}
+
+#[test]
+fn broadcast_action_unknown_selector_uses_native_fields() {
+    let to: EvmAddress = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+        .parse()
+        .expect("to");
+    let tx = BroadcastTx {
+        chain_id: 1,
+        nonce: 0,
+        to: to.clone(),
+        value_wei: 123,
+        data_hex: "0xdeadbeef".to_string(),
+        gas_limit: 21_000,
+        max_fee_per_gas_wei: 1_000_000_000,
+        max_priority_fee_per_gas_wei: 1_000_000_000,
+        tx_type: 0x02,
+        delegation_enabled: false,
+    };
+    let action = AgentAction::BroadcastTx { tx };
+
+    assert_eq!(action.asset(), AssetId::NativeEth);
+    assert_eq!(action.amount_wei(), 123);
+    assert_eq!(action.recipient(), to);
+}
+
+#[test]
+fn debug_output_redacts_secret_fields() {
+    let lease = Lease {
+        lease_id: Uuid::nil(),
+        issued_at: OffsetDateTime::UNIX_EPOCH,
+        expires_at: OffsetDateTime::UNIX_EPOCH + time::Duration::minutes(5),
+    };
+    let session = AdminSession {
+        vault_password: "vault-password".to_string(),
+        lease: lease.clone(),
+    };
+    let credentials = AgentCredentials {
+        agent_key: AgentKey {
+            id: Uuid::nil(),
+            vault_key_id: Uuid::nil(),
+            policies: PolicyAttachment::AllPolicies,
+            created_at: OffsetDateTime::UNIX_EPOCH,
+        },
+        auth_token: "agent-secret".to_string(),
+    };
+    let request = SignRequest {
+        request_id: Uuid::nil(),
+        agent_key_id: Uuid::nil(),
+        agent_auth_token: "agent-secret".to_string(),
+        payload: vec![1, 2, 3],
+        action: AgentAction::TransferNative {
+            chain_id: 1,
+            to: "0x2222222222222222222222222222222222222222"
+                .parse()
+                .expect("to"),
+            amount_wei: 1,
+        },
+        requested_at: OffsetDateTime::UNIX_EPOCH,
+        expires_at: OffsetDateTime::UNIX_EPOCH + time::Duration::minutes(1),
+    };
+
+    let session_debug = format!("{session:?}");
+    let credentials_debug = format!("{credentials:?}");
+    let request_debug = format!("{request:?}");
+
+    assert!(!session_debug.contains("vault-password"));
+    assert!(session_debug.contains("<redacted>"));
+    assert!(!credentials_debug.contains("agent-secret"));
+    assert!(credentials_debug.contains("<redacted>"));
+    assert!(!request_debug.contains("agent-secret"));
+    assert!(request_debug.contains("<redacted>"));
+}
+
+#[test]
+fn broadcast_action_exposes_gas_and_calldata_metadata() {
+    let action = AgentAction::BroadcastTx {
+        tx: BroadcastTx {
+            chain_id: 1,
+            nonce: 0,
+            to: "0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
+                .parse()
+                .expect("to"),
+            value_wei: 0,
+            data_hex: "0xdeadbeef".to_string(),
+            gas_limit: 21_000,
+            max_fee_per_gas_wei: 2_000_000_000,
+            max_priority_fee_per_gas_wei: 1_000_000_000,
+            tx_type: 0x02,
+            delegation_enabled: false,
+        },
+    };
+
+    assert_eq!(action.max_fee_per_gas_wei(), Some(2_000_000_000));
+    assert_eq!(action.max_priority_fee_per_gas_wei(), Some(1_000_000_000));
+    assert_eq!(action.calldata_len_bytes(), Some(4));
+}
+
+#[test]
+fn eip1559_signing_message_is_typed_and_non_empty() {
+    let tx = BroadcastTx {
+        chain_id: 1,
+        nonce: 0,
+        to: "0xf0109fc8df283027b6285cc889f5aa624eac1f55"
+            .parse()
+            .expect("to"),
+        value_wei: 1_000_000_000,
+        data_hex: "0x".to_string(),
+        gas_limit: 2_000_000,
+        max_fee_per_gas_wei: 21_000_000_000,
+        max_priority_fee_per_gas_wei: 1_000_000_000,
+        tx_type: 0x02,
+        delegation_enabled: false,
+    };
+
+    let signing_message = tx.eip1559_signing_message().expect("signing message");
+    assert_eq!(signing_message.first().copied(), Some(0x02));
+    assert!(!signing_message.is_empty());
+}
+
+#[test]
+fn eip1559_signed_raw_transaction_includes_signature_components() {
+    let tx = BroadcastTx {
+        chain_id: 1,
+        nonce: 0,
+        to: "0xf0109fc8df283027b6285cc889f5aa624eac1f55"
+            .parse()
+            .expect("to"),
+        value_wei: 1_000_000_000,
+        data_hex: "0x".to_string(),
+        gas_limit: 2_000_000,
+        max_fee_per_gas_wei: 21_000_000_000,
+        max_priority_fee_per_gas_wei: 1_000_000_000,
+        tx_type: 0x02,
+        delegation_enabled: false,
+    };
+
+    let r = [0x11u8; 32];
+    let s = [0x22u8; 32];
+    let raw = tx
+        .eip1559_signed_raw_transaction(1, r, s)
+        .expect("signed raw tx");
+    assert_eq!(raw.first().copied(), Some(0x02));
+    assert!(!raw.is_empty());
+}
+
+#[test]
+fn eip1559_helpers_reject_unsupported_tx_type() {
+    let tx = BroadcastTx {
+        chain_id: 1,
+        nonce: 0,
+        to: "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+            .parse()
+            .expect("to"),
+        value_wei: 0,
+        data_hex: "0x".to_string(),
+        gas_limit: 21_000,
+        max_fee_per_gas_wei: 1_000_000_000,
+        max_priority_fee_per_gas_wei: 1_000_000_000,
+        tx_type: EIP7702_TX_TYPE,
+        delegation_enabled: false,
+    };
+    let err = tx
+        .eip1559_signing_message()
+        .expect_err("must reject non-eip-1559 tx type");
+    assert!(matches!(err, DomainError::UnsupportedTransactionType(_)));
+}
+
+sol! {
+    struct PermitDetails {
+        address token;
+        uint160 amount;
+        uint48 expiration;
+        uint48 nonce;
+    }
+
+    struct PermitSingle {
+        PermitDetails details;
+        address spender;
+        uint256 sigDeadline;
+    }
+
+    function permit(address owner, PermitSingle permitSingle, bytes signature);
+    function transferWithAuthorization(address from, address to, uint256 value, uint256 validAfter, uint256 validBefore, bytes32 nonce, bytes signature);
+}
+
+#[test]
+fn broadcast_tx_rejects_permit2_call_with_native_value() {
+    let permit_single = PermitSingle {
+        details: PermitDetails {
+            token: alloy_primitives::Address::from([0x44; 20]),
+            amount: alloy_primitives::U160::from_be_slice(&42u128.to_be_bytes()),
+            expiration: alloy_primitives::aliases::U48::from_be_slice(&100u64.to_be_bytes()[2..]),
+            nonce: alloy_primitives::aliases::U48::from_be_slice(&7u64.to_be_bytes()[2..]),
+        },
+        spender: alloy_primitives::Address::from([0x55; 20]),
+        sigDeadline: U256::from(1234u64),
+    };
+    let calldata = permitCall {
+        owner: alloy_primitives::Address::from([0x66; 20]),
+        permitSingle: permit_single,
+        signature: vec![0x12, 0x34].into(),
+    }
+    .abi_encode();
+
+    let tx = BroadcastTx {
+        chain_id: 1,
+        nonce: 0,
+        to: "0x9999000000000000000000000000000000000000"
+            .parse()
+            .expect("permit2 contract"),
+        value_wei: 1,
+        data_hex: format!("0x{}", hex::encode(calldata)),
+        gas_limit: 60_000,
+        max_fee_per_gas_wei: 1_000_000_000,
+        max_priority_fee_per_gas_wei: 1_000_000_000,
+        tx_type: 0x02,
+        delegation_enabled: false,
+    };
+
+    let err = tx.validate().expect_err("must reject mixed permit2/native");
+    assert!(matches!(err, DomainError::Erc20CallWithNativeValue));
+}
+
+#[test]
+fn broadcast_action_derives_permit2_scope_from_calldata() {
+    let token: EvmAddress = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+        .parse()
+        .expect("token");
+    let spender: EvmAddress = "0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
+        .parse()
+        .expect("spender");
+    let permit2_contract: EvmAddress = "0xcccccccccccccccccccccccccccccccccccccccc"
+        .parse()
+        .expect("permit2 contract");
+    let permit_single = PermitSingle {
+        details: PermitDetails {
+            token: alloy_primitives::Address::from([0xaa; 20]),
+            amount: alloy_primitives::U160::from_be_slice(&77u128.to_be_bytes()),
+            expiration: alloy_primitives::aliases::U48::from_be_slice(&100u64.to_be_bytes()[2..]),
+            nonce: alloy_primitives::aliases::U48::from_be_slice(&5u64.to_be_bytes()[2..]),
+        },
+        spender: alloy_primitives::Address::from([0xbb; 20]),
+        sigDeadline: U256::from(200u64),
+    };
+    let calldata = permitCall {
+        owner: alloy_primitives::Address::from([0xdd; 20]),
+        permitSingle: permit_single,
+        signature: vec![0xab, 0xcd].into(),
+    }
+    .abi_encode();
+    let action = AgentAction::BroadcastTx {
+        tx: BroadcastTx {
+            chain_id: 1,
+            nonce: 0,
+            to: permit2_contract,
+            value_wei: 0,
+            data_hex: format!("0x{}", hex::encode(calldata)),
+            gas_limit: 120_000,
+            max_fee_per_gas_wei: 1_000_000_000,
+            max_priority_fee_per_gas_wei: 1_000_000_000,
+            tx_type: 0x02,
+            delegation_enabled: false,
+        },
+    };
+
+    assert_eq!(action.asset(), AssetId::Erc20(token));
+    assert_eq!(action.recipient(), spender);
+    assert_eq!(action.amount_wei(), 77);
+}
+
+#[test]
+fn broadcast_action_derives_eip3009_scope_from_calldata() {
+    let token: EvmAddress = "0xeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee"
+        .parse()
+        .expect("token");
+    let recipient: EvmAddress = "0xffffffffffffffffffffffffffffffffffffffff"
+        .parse()
+        .expect("recipient");
+    let calldata = transferWithAuthorizationCall {
+        from: alloy_primitives::Address::from([0x11; 20]),
+        to: alloy_primitives::Address::from([0xff; 20]),
+        value: U256::from(91u64),
+        validAfter: U256::from(1u64),
+        validBefore: U256::from(2u64),
+        nonce: [0x55; 32].into(),
+        signature: vec![0xde, 0xad].into(),
+    }
+    .abi_encode();
+    let action = AgentAction::BroadcastTx {
+        tx: BroadcastTx {
+            chain_id: 1,
+            nonce: 0,
+            to: token.clone(),
+            value_wei: 0,
+            data_hex: format!("0x{}", hex::encode(calldata)),
+            gas_limit: 120_000,
+            max_fee_per_gas_wei: 1_000_000_000,
+            max_priority_fee_per_gas_wei: 1_000_000_000,
+            tx_type: 0x02,
+            delegation_enabled: false,
+        },
+    };
+
+    assert_eq!(action.asset(), AssetId::Erc20(token));
+    assert_eq!(action.recipient(), recipient);
+    assert_eq!(action.amount_wei(), 91);
+}
+
+#[test]
+fn permit2_and_eip3009_actions_produce_signing_hashes() {
+    let permit = Permit2Permit {
+        chain_id: 1,
+        permit2_contract: "0x000000000022d473030f116ddee9f6b43ac78ba3"
+            .parse()
+            .expect("permit2"),
+        token: "0x1111111111111111111111111111111111111111"
+            .parse()
+            .expect("token"),
+        spender: "0x2222222222222222222222222222222222222222"
+            .parse()
+            .expect("spender"),
+        amount_wei: 123,
+        expiration: 1_700_000_000,
+        nonce: 7,
+        sig_deadline: 1_700_000_100,
+    };
+    let eip3009 = Eip3009Transfer {
+        chain_id: 1,
+        token: "0x3333333333333333333333333333333333333333"
+            .parse()
+            .expect("token"),
+        token_name: "USD Coin".to_string(),
+        token_version: Some("2".to_string()),
+        from: "0x4444444444444444444444444444444444444444"
+            .parse()
+            .expect("from"),
+        to: "0x5555555555555555555555555555555555555555"
+            .parse()
+            .expect("to"),
+        amount_wei: 456,
+        valid_after: 10,
+        valid_before: 20,
+        nonce_hex: format!("0x{}", hex::encode([0xabu8; 32])),
+    };
+
+    let permit_hash = AgentAction::Permit2Permit {
+        permit: permit.clone(),
+    }
+    .signing_hash()
+    .expect("permit2 hash")
+    .expect("permit2 typed hash");
+    let transfer_hash = AgentAction::Eip3009TransferWithAuthorization {
+        authorization: eip3009.clone(),
+    }
+    .signing_hash()
+    .expect("eip3009 transfer hash")
+    .expect("transfer typed hash");
+    let receive_hash = AgentAction::Eip3009ReceiveWithAuthorization {
+        authorization: eip3009,
+    }
+    .signing_hash()
+    .expect("eip3009 receive hash")
+    .expect("receive typed hash");
+
+    assert_ne!(permit_hash, [0u8; 32]);
+    assert_ne!(transfer_hash, [0u8; 32]);
+    assert_ne!(receive_hash, [0u8; 32]);
+    assert_ne!(transfer_hash, receive_hash);
+}
+
+#[test]
+fn nonce_reservation_request_debug_redacts_agent_auth_token() {
+    let request = NonceReservationRequest {
+        request_id: Uuid::nil(),
+        agent_key_id: Uuid::nil(),
+        agent_auth_token: "super-secret-token".to_string(),
+        chain_id: 1,
+        min_nonce: 7,
+        requested_at: OffsetDateTime::UNIX_EPOCH,
+        expires_at: OffsetDateTime::UNIX_EPOCH + time::Duration::minutes(2),
+    };
+
+    let rendered = format!("{request:?}");
+    assert!(rendered.contains("<redacted>"));
+    assert!(!rendered.contains("super-secret-token"));
+}
+
+#[test]
+fn nonce_release_request_debug_redacts_agent_auth_token() {
+    let request = NonceReleaseRequest {
+        request_id: Uuid::nil(),
+        agent_key_id: Uuid::nil(),
+        agent_auth_token: "super-secret-token".to_string(),
+        reservation_id: Uuid::nil(),
+        requested_at: OffsetDateTime::UNIX_EPOCH,
+        expires_at: OffsetDateTime::UNIX_EPOCH + time::Duration::minutes(2),
+    };
+
+    let rendered = format!("{request:?}");
+    assert!(rendered.contains("<redacted>"));
+    assert!(!rendered.contains("super-secret-token"));
+}

package/crates/vault-domain/src/u128_as_decimal_string.rs

@@ -0,0 +1,44 @@
+use serde::{Deserialize, Deserializer, Serializer};
+
+pub fn serialize<S>(value: &u128, serializer: S) -> Result<S::Ok, S::Error>
+where
+    S: Serializer,
+{
+    serializer.serialize_str(&value.to_string())
+}
+
+pub fn deserialize<'de, D>(deserializer: D) -> Result<u128, D::Error>
+where
+    D: Deserializer<'de>,
+{
+    let value = String::deserialize(deserializer)?;
+    value.parse::<u128>().map_err(serde::de::Error::custom)
+}
+
+pub mod option {
+    use serde::{Deserialize, Deserializer, Serializer};
+
+    pub fn serialize<S>(value: &Option<u128>, serializer: S) -> Result<S::Ok, S::Error>
+    where
+        S: Serializer,
+    {
+        match value {
+            Some(value) => serializer.serialize_some(&value.to_string()),
+            None => serializer.serialize_none(),
+        }
+    }
+
+    pub fn deserialize<'de, D>(deserializer: D) -> Result<Option<u128>, D::Error>
+    where
+        D: Deserializer<'de>,
+    {
+        let value = Option::<String>::deserialize(deserializer)?;
+        match value {
+            Some(value) => value
+                .parse::<u128>()
+                .map(Some)
+                .map_err(serde::de::Error::custom),
+            None => Ok(None),
+        }
+    }
+}

package/crates/vault-policy/Cargo.toml

@@ -0,0 +1,17 @@
+[package]
+name = "vault-policy"
+version.workspace = true
+edition.workspace = true
+license.workspace = true
+authors.workspace = true
+
+[dependencies]
+serde.workspace = true
+thiserror.workspace = true
+time.workspace = true
+uuid.workspace = true
+vault-domain = { path = "../vault-domain" }
+
+[dev-dependencies]
+alloy-primitives.workspace = true
+alloy-sol-types.workspace = true