@wlfi-agent/cli 1.4.13 → 1.4.15

package/crates/vault-transport-xpc/src/tests.rs

@@ -0,0 +1,818 @@
+use super::{
+    parse_code_sign_requirement, recv_matching_response, validate_wire_lengths,
+    IncomingWireMessage, XpcDaemonClient, XpcDaemonServer, XpcTransportError, MAX_WIRE_BODY_BYTES,
+    MAX_WIRE_REQUEST_ID_BYTES,
+};
+use std::collections::BTreeSet;
+use std::sync::Arc;
+use std::time::Duration;
+use vault_daemon::{DaemonConfig, DaemonError, InMemoryDaemon, KeyManagerDaemonApi};
+use vault_signer::{KeyCreateRequest, SignerError, SoftwareSignerBackend};
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn xpc_round_trip_for_issue_lease() {
+    #[cfg(not(debug_assertions))]
+    if unsafe { libc::geteuid() } != 0 {
+        return;
+    }
+
+    let daemon = Arc::new(
+        InMemoryDaemon::new(
+            "vault-password",
+            SoftwareSignerBackend::default(),
+            DaemonConfig::default(),
+        )
+        .expect("daemon"),
+    );
+
+    #[cfg(debug_assertions)]
+    let server = XpcDaemonServer::start_inmemory_with_allowed_euid(
+        daemon,
+        tokio::runtime::Handle::current(),
+        unsafe { libc::geteuid() },
+    )
+    .expect("server");
+    #[cfg(not(debug_assertions))]
+    let server =
+        XpcDaemonServer::start_inmemory(daemon, tokio::runtime::Handle::current()).expect("server");
+    let client =
+        XpcDaemonClient::connect(&server.endpoint(), Duration::from_secs(5)).expect("client");
+
+    let lease = client
+        .issue_lease("vault-password")
+        .await
+        .expect("issue_lease");
+    assert!(lease.expires_at > lease.issued_at);
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn start_inmemory_is_root_only_by_default() {
+    if unsafe { libc::geteuid() } == 0 {
+        return;
+    }
+
+    let daemon = Arc::new(
+        InMemoryDaemon::new(
+            "vault-password",
+            SoftwareSignerBackend::default(),
+            DaemonConfig::default(),
+        )
+        .expect("daemon"),
+    );
+
+    let result = XpcDaemonServer::start_inmemory(daemon, tokio::runtime::Handle::current());
+    assert!(matches!(result, Err(XpcTransportError::RequiresRoot)));
+}
+
+#[test]
+fn code_sign_requirement_parser_rejects_invalid_syntax() {
+    let err = match parse_code_sign_requirement("not valid requirement expression") {
+        Ok(_) => panic!("invalid requirement expression must fail"),
+        Err(err) => err,
+    };
+    assert!(matches!(err, XpcTransportError::CodeSigning(_)));
+}
+
+#[test]
+fn code_sign_requirement_parser_accepts_valid_syntax() {
+    parse_code_sign_requirement("anchor apple")
+        .expect("well-formed requirement expression should parse");
+}
+
+#[cfg(debug_assertions)]
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn start_inmemory_rejects_invalid_code_sign_requirement() {
+    let daemon = Arc::new(
+        InMemoryDaemon::new(
+            "vault-password",
+            SoftwareSignerBackend::default(),
+            DaemonConfig::default(),
+        )
+        .expect("daemon"),
+    );
+
+    let result = XpcDaemonServer::start_inmemory_with_allowed_euid_and_code_sign_requirement(
+        daemon,
+        tokio::runtime::Handle::current(),
+        unsafe { libc::geteuid() },
+        "this is not a valid requirement expression",
+    );
+    assert!(matches!(result, Err(XpcTransportError::CodeSigning(_))));
+}
+
+#[cfg(debug_assertions)]
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn start_inmemory_rejects_mismatched_allowed_euid() {
+    let daemon = Arc::new(
+        InMemoryDaemon::new(
+            "vault-password",
+            SoftwareSignerBackend::default(),
+            DaemonConfig::default(),
+        )
+        .expect("daemon"),
+    );
+
+    let current_euid = unsafe { libc::geteuid() };
+    let mismatched_euid = if current_euid == 0 { 1 } else { 0 };
+
+    let result = XpcDaemonServer::start_inmemory_with_allowed_euid(
+        daemon,
+        tokio::runtime::Handle::current(),
+        mismatched_euid,
+    );
+    assert!(matches!(result, Err(XpcTransportError::Internal(_))));
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn concurrent_client_calls_do_not_cross_responses() {
+    #[cfg(not(debug_assertions))]
+    if unsafe { libc::geteuid() } != 0 {
+        return;
+    }
+
+    let daemon = Arc::new(
+        InMemoryDaemon::new(
+            "vault-password",
+            SoftwareSignerBackend::default(),
+            DaemonConfig::default(),
+        )
+        .expect("daemon"),
+    );
+
+    #[cfg(debug_assertions)]
+    let server = XpcDaemonServer::start_inmemory_with_allowed_euid(
+        daemon,
+        tokio::runtime::Handle::current(),
+        unsafe { libc::geteuid() },
+    )
+    .expect("server");
+    #[cfg(not(debug_assertions))]
+    let server =
+        XpcDaemonServer::start_inmemory(daemon, tokio::runtime::Handle::current()).expect("server");
+    let client = Arc::new(
+        XpcDaemonClient::connect(&server.endpoint(), Duration::from_secs(5)).expect("client"),
+    );
+
+    let c1 = client.clone();
+    let c2 = client.clone();
+    let (r1, r2) = tokio::join!(
+        c1.issue_lease("vault-password"),
+        c2.issue_lease("vault-password")
+    );
+
+    let lease1 = r1.expect("lease 1");
+    let lease2 = r2.expect("lease 2");
+    assert_ne!(lease1.lease_id, lease2.lease_id);
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn daemon_error_variants_roundtrip_over_xpc() {
+    #[cfg(not(debug_assertions))]
+    if unsafe { libc::geteuid() } != 0 {
+        return;
+    }
+
+    let daemon = Arc::new(
+        InMemoryDaemon::new(
+            "vault-password",
+            SoftwareSignerBackend::default(),
+            DaemonConfig::default(),
+        )
+        .expect("daemon"),
+    );
+
+    #[cfg(debug_assertions)]
+    let server = XpcDaemonServer::start_inmemory_with_allowed_euid(
+        daemon,
+        tokio::runtime::Handle::current(),
+        unsafe { libc::geteuid() },
+    )
+    .expect("server");
+    #[cfg(not(debug_assertions))]
+    let server =
+        XpcDaemonServer::start_inmemory(daemon, tokio::runtime::Handle::current()).expect("server");
+    let client =
+        XpcDaemonClient::connect(&server.endpoint(), Duration::from_secs(5)).expect("client");
+
+    let lease = client.issue_lease("vault-password").await.expect("lease");
+    let bad_session = vault_domain::AdminSession {
+        vault_password: "wrong-password".to_string(),
+        lease,
+    };
+
+    let err = client
+        .list_policies(&bad_session)
+        .await
+        .expect_err("must return auth failure");
+    assert!(matches!(err, DaemonError::AuthenticationFailed));
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn invalid_policy_attachment_roundtrips_over_xpc() {
+    #[cfg(not(debug_assertions))]
+    if unsafe { libc::geteuid() } != 0 {
+        return;
+    }
+
+    let daemon = Arc::new(
+        InMemoryDaemon::new(
+            "vault-password",
+            SoftwareSignerBackend::default(),
+            DaemonConfig::default(),
+        )
+        .expect("daemon"),
+    );
+
+    #[cfg(debug_assertions)]
+    let server = XpcDaemonServer::start_inmemory_with_allowed_euid(
+        daemon,
+        tokio::runtime::Handle::current(),
+        unsafe { libc::geteuid() },
+    )
+    .expect("server");
+    #[cfg(not(debug_assertions))]
+    let server =
+        XpcDaemonServer::start_inmemory(daemon, tokio::runtime::Handle::current()).expect("server");
+    let client =
+        XpcDaemonClient::connect(&server.endpoint(), Duration::from_secs(5)).expect("client");
+
+    let lease = client.issue_lease("vault-password").await.expect("lease");
+    let admin = vault_domain::AdminSession {
+        vault_password: "vault-password".to_string(),
+        lease,
+    };
+
+    let vault_key = client
+        .create_vault_key(&admin, KeyCreateRequest::Generate)
+        .await
+        .expect("vault key");
+
+    let err = client
+        .create_agent_key(
+            &admin,
+            vault_key.id,
+            vault_domain::PolicyAttachment::PolicySet(BTreeSet::new()),
+        )
+        .await
+        .expect_err("empty attachment must fail");
+    assert!(matches!(err, DaemonError::InvalidPolicyAttachment(_)));
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn invalid_policy_error_roundtrips_over_xpc() {
+    #[cfg(not(debug_assertions))]
+    if unsafe { libc::geteuid() } != 0 {
+        return;
+    }
+
+    let daemon = Arc::new(
+        InMemoryDaemon::new(
+            "vault-password",
+            SoftwareSignerBackend::default(),
+            DaemonConfig::default(),
+        )
+        .expect("daemon"),
+    );
+
+    #[cfg(debug_assertions)]
+    let server = XpcDaemonServer::start_inmemory_with_allowed_euid(
+        daemon,
+        tokio::runtime::Handle::current(),
+        unsafe { libc::geteuid() },
+    )
+    .expect("server");
+    #[cfg(not(debug_assertions))]
+    let server =
+        XpcDaemonServer::start_inmemory(daemon, tokio::runtime::Handle::current()).expect("server");
+    let client =
+        XpcDaemonClient::connect(&server.endpoint(), Duration::from_secs(5)).expect("client");
+
+    let lease = client.issue_lease("vault-password").await.expect("lease");
+    let admin = vault_domain::AdminSession {
+        vault_password: "vault-password".to_string(),
+        lease,
+    };
+
+    let invalid_policy = vault_domain::SpendingPolicy {
+        id: uuid::Uuid::new_v4(),
+        priority: 0,
+        policy_type: vault_domain::PolicyType::PerTxMaxSpending,
+        min_amount_wei: None,
+        max_amount_wei: 0,
+        recipients: vault_domain::EntityScope::All,
+        assets: vault_domain::EntityScope::All,
+        networks: vault_domain::EntityScope::All,
+        enabled: true,
+    };
+
+    let err = client
+        .add_policy(&admin, invalid_policy)
+        .await
+        .expect_err("invalid policy must fail");
+    assert!(matches!(err, DaemonError::InvalidPolicy(_)));
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn signer_error_variants_roundtrip_over_xpc() {
+    #[cfg(not(debug_assertions))]
+    if unsafe { libc::geteuid() } != 0 {
+        return;
+    }
+
+    let daemon = Arc::new(
+        InMemoryDaemon::new(
+            "vault-password",
+            SoftwareSignerBackend::default(),
+            DaemonConfig::default(),
+        )
+        .expect("daemon"),
+    );
+
+    #[cfg(debug_assertions)]
+    let server = XpcDaemonServer::start_inmemory_with_allowed_euid(
+        daemon,
+        tokio::runtime::Handle::current(),
+        unsafe { libc::geteuid() },
+    )
+    .expect("server");
+    #[cfg(not(debug_assertions))]
+    let server =
+        XpcDaemonServer::start_inmemory(daemon, tokio::runtime::Handle::current()).expect("server");
+    let client =
+        XpcDaemonClient::connect(&server.endpoint(), Duration::from_secs(5)).expect("client");
+
+    let lease = client.issue_lease("vault-password").await.expect("lease");
+    let admin = vault_domain::AdminSession {
+        vault_password: "vault-password".to_string(),
+        lease,
+    };
+
+    let err = client
+        .create_vault_key(
+            &admin,
+            KeyCreateRequest::Import {
+                private_key_hex: "0x1234".to_string(),
+            },
+        )
+        .await
+        .expect_err("invalid import key must fail");
+    assert!(matches!(
+        err,
+        DaemonError::Signer(SignerError::InvalidPrivateKey)
+    ));
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn invalid_config_error_roundtrips_over_xpc() {
+    #[cfg(not(debug_assertions))]
+    if unsafe { libc::geteuid() } != 0 {
+        return;
+    }
+
+    let config = DaemonConfig {
+        lease_ttl: time::Duration::MAX,
+        ..DaemonConfig::default()
+    };
+    let daemon = Arc::new(
+        InMemoryDaemon::new("vault-password", SoftwareSignerBackend::default(), config)
+            .expect("daemon"),
+    );
+
+    #[cfg(debug_assertions)]
+    let server = XpcDaemonServer::start_inmemory_with_allowed_euid(
+        daemon,
+        tokio::runtime::Handle::current(),
+        unsafe { libc::geteuid() },
+    )
+    .expect("server");
+    #[cfg(not(debug_assertions))]
+    let server =
+        XpcDaemonServer::start_inmemory(daemon, tokio::runtime::Handle::current()).expect("server");
+    let client =
+        XpcDaemonClient::connect(&server.endpoint(), Duration::from_secs(5)).expect("client");
+
+    let err = client
+        .issue_lease("vault-password")
+        .await
+        .expect_err("overflowing ttl must roundtrip as invalid config");
+    assert!(matches!(err, DaemonError::InvalidConfig(_)));
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn unknown_agent_key_is_not_disclosed_over_xpc() {
+    use serde_json::to_vec;
+    use time::OffsetDateTime;
+    use uuid::Uuid;
+    use vault_domain::{AgentAction, SignRequest};
+
+    #[cfg(not(debug_assertions))]
+    if unsafe { libc::geteuid() } != 0 {
+        return;
+    }
+
+    let daemon = Arc::new(
+        InMemoryDaemon::new(
+            "vault-password",
+            SoftwareSignerBackend::default(),
+            DaemonConfig::default(),
+        )
+        .expect("daemon"),
+    );
+
+    #[cfg(debug_assertions)]
+    let server = XpcDaemonServer::start_inmemory_with_allowed_euid(
+        daemon,
+        tokio::runtime::Handle::current(),
+        unsafe { libc::geteuid() },
+    )
+    .expect("server");
+    #[cfg(not(debug_assertions))]
+    let server =
+        XpcDaemonServer::start_inmemory(daemon, tokio::runtime::Handle::current()).expect("server");
+    let client =
+        XpcDaemonClient::connect(&server.endpoint(), Duration::from_secs(5)).expect("client");
+
+    let token: vault_domain::EvmAddress = "0x7200000000000000000000000000000000000000"
+        .parse()
+        .expect("token");
+    let recipient: vault_domain::EvmAddress = "0x8200000000000000000000000000000000000000"
+        .parse()
+        .expect("recipient");
+    let action = AgentAction::Transfer {
+        chain_id: 1,
+        token: token.clone(),
+        to: recipient.clone(),
+        amount_wei: 1,
+    };
+    let request = SignRequest {
+        request_id: Uuid::new_v4(),
+        agent_key_id: Uuid::new_v4(),
+        agent_auth_token: "random-token".to_string(),
+        payload: to_vec(&action).expect("payload"),
+        action,
+        requested_at: OffsetDateTime::now_utc(),
+        expires_at: OffsetDateTime::now_utc() + time::Duration::minutes(2),
+    };
+
+    let err = client
+        .sign_for_agent(request)
+        .await
+        .expect_err("unknown key must not leak key existence");
+    assert!(matches!(err, DaemonError::AgentAuthenticationFailed));
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn lifecycle_and_evaluation_roundtrip_over_xpc() {
+    use serde_json::to_vec;
+    use time::OffsetDateTime;
+    use uuid::Uuid;
+    use vault_domain::{AgentAction, EntityScope, PolicyType, SignRequest, SpendingPolicy};
+
+    #[cfg(not(debug_assertions))]
+    if unsafe { libc::geteuid() } != 0 {
+        return;
+    }
+
+    let daemon = Arc::new(
+        InMemoryDaemon::new(
+            "vault-password",
+            SoftwareSignerBackend::default(),
+            DaemonConfig::default(),
+        )
+        .expect("daemon"),
+    );
+
+    #[cfg(debug_assertions)]
+    let server = XpcDaemonServer::start_inmemory_with_allowed_euid(
+        daemon,
+        tokio::runtime::Handle::current(),
+        unsafe { libc::geteuid() },
+    )
+    .expect("server");
+    #[cfg(not(debug_assertions))]
+    let server =
+        XpcDaemonServer::start_inmemory(daemon, tokio::runtime::Handle::current()).expect("server");
+    let client =
+        XpcDaemonClient::connect(&server.endpoint(), Duration::from_secs(5)).expect("client");
+
+    let lease = client.issue_lease("vault-password").await.expect("lease");
+    let admin = vault_domain::AdminSession {
+        vault_password: "vault-password".to_string(),
+        lease,
+    };
+
+    let per_tx_policy = SpendingPolicy::new(
+        0,
+        PolicyType::PerTxMaxSpending,
+        10,
+        EntityScope::All,
+        EntityScope::All,
+        EntityScope::All,
+    )
+    .expect("policy");
+    client
+        .add_policy(&admin, per_tx_policy.clone())
+        .await
+        .expect("add policy");
+
+    let vault_key = client
+        .create_vault_key(&admin, KeyCreateRequest::Generate)
+        .await
+        .expect("vault key");
+    let agent_credentials = client
+        .create_agent_key(
+            &admin,
+            vault_key.id,
+            vault_domain::PolicyAttachment::AllPolicies,
+        )
+        .await
+        .expect("agent key");
+
+    let token: vault_domain::EvmAddress = "0x7400000000000000000000000000000000000000"
+        .parse()
+        .expect("token");
+    let recipient: vault_domain::EvmAddress = "0x8400000000000000000000000000000000000000"
+        .parse()
+        .expect("recipient");
+    let action = AgentAction::Transfer {
+        chain_id: 1,
+        token,
+        to: recipient,
+        amount_wei: 5,
+    };
+    let request = SignRequest {
+        request_id: Uuid::new_v4(),
+        agent_key_id: agent_credentials.agent_key.id,
+        agent_auth_token: agent_credentials.auth_token.clone(),
+        payload: to_vec(&action).expect("payload"),
+        action,
+        requested_at: OffsetDateTime::now_utc(),
+        expires_at: OffsetDateTime::now_utc() + time::Duration::minutes(2),
+    };
+
+    let evaluation = client
+        .evaluate_for_agent(request.clone())
+        .await
+        .expect("evaluate_for_agent must succeed");
+    assert_eq!(
+        evaluation.evaluated_policy_ids,
+        vec![per_tx_policy.id],
+        "evaluation should report matched policy ids"
+    );
+
+    let rotated_auth_token = client
+        .rotate_agent_auth_token(&admin, agent_credentials.agent_key.id)
+        .await
+        .expect("rotate token");
+    assert_ne!(
+        rotated_auth_token, agent_credentials.auth_token,
+        "rotation must issue a fresh token"
+    );
+
+    let old_token_err = client
+        .evaluate_for_agent(request.clone())
+        .await
+        .expect_err("old token must fail after rotation");
+    assert!(matches!(
+        old_token_err,
+        DaemonError::AgentAuthenticationFailed
+    ));
+
+    let mut rotated_request = request.clone();
+    rotated_request.agent_auth_token = rotated_auth_token;
+    client
+        .evaluate_for_agent(rotated_request.clone())
+        .await
+        .expect("rotated token should evaluate");
+
+    client
+        .revoke_agent_key(&admin, agent_credentials.agent_key.id)
+        .await
+        .expect("revoke key");
+
+    let revoked_err = client
+        .sign_for_agent(rotated_request)
+        .await
+        .expect_err("revoked key must not sign");
+    assert!(matches!(
+        revoked_err,
+        DaemonError::AgentAuthenticationFailed
+    ));
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn oversized_wire_request_body_is_rejected() {
+    use serde_json::to_vec;
+    use time::OffsetDateTime;
+    use uuid::Uuid;
+    use vault_domain::{AgentAction, SignRequest};
+
+    #[cfg(not(debug_assertions))]
+    if unsafe { libc::geteuid() } != 0 {
+        return;
+    }
+
+    let daemon = Arc::new(
+        InMemoryDaemon::new(
+            "vault-password",
+            SoftwareSignerBackend::default(),
+            DaemonConfig::default(),
+        )
+        .expect("daemon"),
+    );
+
+    #[cfg(debug_assertions)]
+    let server = XpcDaemonServer::start_inmemory_with_allowed_euid(
+        daemon,
+        tokio::runtime::Handle::current(),
+        unsafe { libc::geteuid() },
+    )
+    .expect("server");
+    #[cfg(not(debug_assertions))]
+    let server =
+        XpcDaemonServer::start_inmemory(daemon, tokio::runtime::Handle::current()).expect("server");
+    let client =
+        XpcDaemonClient::connect(&server.endpoint(), Duration::from_secs(5)).expect("client");
+
+    let token: vault_domain::EvmAddress = "0x7300000000000000000000000000000000000000"
+        .parse()
+        .expect("token");
+    let recipient: vault_domain::EvmAddress = "0x8300000000000000000000000000000000000000"
+        .parse()
+        .expect("recipient");
+    let action = AgentAction::Transfer {
+        chain_id: 1,
+        token: token.clone(),
+        to: recipient.clone(),
+        amount_wei: 1,
+    };
+    let request = SignRequest {
+        request_id: Uuid::new_v4(),
+        agent_key_id: Uuid::new_v4(),
+        // Force the serialized wire-body above transport cap.
+        agent_auth_token: "a".repeat(MAX_WIRE_BODY_BYTES + 1),
+        payload: to_vec(&action).expect("payload"),
+        action,
+        requested_at: OffsetDateTime::now_utc(),
+        expires_at: OffsetDateTime::now_utc() + time::Duration::minutes(2),
+    };
+
+    let err = client
+        .sign_for_agent(request)
+        .await
+        .expect_err("oversized wire body must fail");
+    match err {
+        DaemonError::Transport(msg) => {
+            assert!(msg.contains("wire body exceeds max bytes"));
+        }
+        other => panic!("unexpected error variant: {other}"),
+    }
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn oversized_wire_response_body_is_rejected_without_timeout() {
+    use vault_domain::{EntityScope, PolicyType, SpendingPolicy};
+
+    #[cfg(not(debug_assertions))]
+    if unsafe { libc::geteuid() } != 0 {
+        return;
+    }
+
+    let daemon = Arc::new(
+        InMemoryDaemon::new(
+            "vault-password",
+            SoftwareSignerBackend::default(),
+            DaemonConfig::default(),
+        )
+        .expect("daemon"),
+    );
+
+    let lease = daemon
+        .issue_lease("vault-password")
+        .await
+        .expect("issue lease");
+    let admin = vault_domain::AdminSession {
+        vault_password: "vault-password".to_string(),
+        lease,
+    };
+
+    // Build one oversized policy so list_policies response exceeds the
+    // transport body cap and must be downgraded to a bounded error.
+    let mut recipients = std::collections::BTreeSet::new();
+    for i in 0..8_000_u32 {
+        let address = format!("0x{i:040x}").parse().expect("valid address");
+        recipients.insert(address);
+    }
+    let policy = SpendingPolicy::new(
+        0,
+        PolicyType::PerTxMaxSpending,
+        1,
+        EntityScope::Set(recipients),
+        EntityScope::All,
+        EntityScope::All,
+    )
+    .expect("policy");
+    daemon.add_policy(&admin, policy).await.expect("add policy");
+
+    #[cfg(debug_assertions)]
+    let server = XpcDaemonServer::start_inmemory_with_allowed_euid(
+        daemon,
+        tokio::runtime::Handle::current(),
+        unsafe { libc::geteuid() },
+    )
+    .expect("server");
+    #[cfg(not(debug_assertions))]
+    let server =
+        XpcDaemonServer::start_inmemory(daemon, tokio::runtime::Handle::current()).expect("server");
+    let client =
+        XpcDaemonClient::connect(&server.endpoint(), Duration::from_secs(5)).expect("client");
+
+    let err = client
+        .list_policies(&admin)
+        .await
+        .expect_err("oversized wire response must fail without timeout");
+    match err {
+        DaemonError::Transport(msg) => {
+            assert!(msg.contains("wire body exceeds max bytes"));
+        }
+        other => panic!("unexpected error variant: {other}"),
+    }
+}
+
+#[test]
+fn wire_length_validation_rejects_long_request_id() {
+    let request_id = "r".repeat(MAX_WIRE_REQUEST_ID_BYTES + 1);
+    let err = validate_wire_lengths(&request_id, "{}").expect_err("must reject");
+    assert!(matches!(err, XpcTransportError::Protocol(_)));
+}
+
+#[test]
+fn wire_length_validation_rejects_large_body() {
+    let body = "x".repeat(MAX_WIRE_BODY_BYTES + 1);
+    let err = validate_wire_lengths("ok-id", &body).expect_err("must reject");
+    assert!(matches!(err, XpcTransportError::Protocol(_)));
+}
+
+#[test]
+fn receive_loop_fails_fast_on_decode_errors() {
+    let (tx, rx) = std::sync::mpsc::channel::<IncomingWireMessage>();
+    tx.send(IncomingWireMessage::DecodeError(
+        XpcTransportError::Protocol("bad response".to_string()),
+    ))
+    .expect("send");
+
+    let err = recv_matching_response(
+        &rx,
+        "request-id",
+        std::time::Instant::now() + Duration::from_secs(1),
+    )
+    .expect_err("decode errors must fail fast");
+
+    assert!(matches!(err, XpcTransportError::Protocol(_)));
+}
+
+#[test]
+fn receive_loop_ignores_stale_mismatched_response_then_accepts_matching() {
+    let (tx, rx) = std::sync::mpsc::channel::<IncomingWireMessage>();
+    tx.send(IncomingWireMessage::Response(super::WireResponse {
+        request_id: "different-id".to_string(),
+        ok: true,
+        body_json: "{}".to_string(),
+    }))
+    .expect("send");
+    tx.send(IncomingWireMessage::Response(super::WireResponse {
+        request_id: "expected-id".to_string(),
+        ok: true,
+        body_json: "{}".to_string(),
+    }))
+    .expect("send");
+
+    let response = recv_matching_response(
+        &rx,
+        "expected-id",
+        std::time::Instant::now() + Duration::from_secs(1),
+    )
+    .expect("stale mismatched responses should be tolerated");
+    assert_eq!(response.request_id, "expected-id");
+}
+
+#[test]
+fn receive_loop_times_out_when_only_mismatched_responses_arrive() {
+    let (tx, rx) = std::sync::mpsc::channel::<IncomingWireMessage>();
+    for i in 0..32 {
+        tx.send(IncomingWireMessage::Response(super::WireResponse {
+            request_id: format!("wrong-{i}"),
+            ok: true,
+            body_json: "{}".to_string(),
+        }))
+        .expect("send");
+    }
+
+    let err = recv_matching_response(
+        &rx,
+        "expected-id",
+        std::time::Instant::now() + Duration::from_secs(1),
+    )
+    .expect_err("mismatched responses must eventually timeout");
+    assert!(matches!(err, XpcTransportError::Timeout));
+}