@wlfi-agent/cli 1.4.13 → 1.4.15

package/packages/config/dist/index.cjs

@@ -0,0 +1,1037 @@
+#!/usr/bin/env node
+
+// src/index.ts
+import fs from "fs";
+import os from "os";
+import path from "path";
+var WLFI_DIRNAME = ".wlfi_agent";
+var CONFIG_FILENAME = "config.json";
+var PRIVATE_DIR_MODE = 448;
+var PRIVATE_FILE_MODE = 384;
+var GROUP_OTHER_WRITE_MODE_MASK = 18;
+var PRIVATE_FILE_MODE_MASK = 63;
+var STICKY_BIT_MODE = 512;
+var MAX_CONFIG_FILE_BYTES = 256 * 1024;
+var DEFAULT_ETH_RPC_URL = "https://eth.llamarpc.com";
+var DEFAULT_BSC_RPC_URL = "https://bsc.drpc.org";
+var DEFAULT_USD1_ADDRESS = "0xc83DE66ebA6a91B6F3d167f2ee9F0C42aD70B611";
+var BUILTIN_CHAINS = {
+  eth: { chainId: 1, name: "eth", rpcUrl: DEFAULT_ETH_RPC_URL },
+  ethereum: { chainId: 1, name: "ethereum", rpcUrl: DEFAULT_ETH_RPC_URL },
+  mainnet: { chainId: 1, name: "mainnet", rpcUrl: DEFAULT_ETH_RPC_URL },
+  sepolia: { chainId: 11155111, name: "sepolia" },
+  base: { chainId: 8453, name: "base" },
+  "base-sepolia": { chainId: 84532, name: "base-sepolia" },
+  optimism: { chainId: 10, name: "optimism" },
+  arbitrum: { chainId: 42161, name: "arbitrum" },
+  polygon: { chainId: 137, name: "polygon" },
+  bsc: { chainId: 56, name: "bsc", rpcUrl: DEFAULT_BSC_RPC_URL }
+};
+var BUILTIN_TOKENS = {
+  bnb: {
+    name: "BNB",
+    symbol: "BNB",
+    defaultPolicy: defaultTokenPolicy("0.01", "0.2", "1.4"),
+    chains: {
+      bsc: {
+        chainId: 56,
+        isNative: true,
+        decimals: 18,
+        defaultPolicy: defaultTokenPolicy("0.01", "0.2", "1.4")
+      }
+    }
+  },
+  eth: {
+    symbol: "ETH",
+    chains: {
+      ethereum: { chainId: 1, isNative: true, decimals: 18 },
+      sepolia: { chainId: 11155111, isNative: true, decimals: 18 },
+      base: { chainId: 8453, isNative: true, decimals: 18 },
+      "base-sepolia": { chainId: 84532, isNative: true, decimals: 18 },
+      optimism: { chainId: 10, isNative: true, decimals: 18 },
+      arbitrum: { chainId: 42161, isNative: true, decimals: 18 }
+    }
+  },
+  usdc: {
+    symbol: "USDC",
+    chains: {
+      ethereum: {
+        chainId: 1,
+        isNative: false,
+        address: "0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48",
+        decimals: 6
+      },
+      base: {
+        chainId: 8453,
+        isNative: false,
+        address: "0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913",
+        decimals: 6
+      }
+    }
+  },
+  usd1: {
+    name: "USD1",
+    symbol: "USD1",
+    defaultPolicy: defaultTokenPolicy("10", "100", "700"),
+    chains: {
+      eth: {
+        chainId: 1,
+        isNative: false,
+        address: DEFAULT_USD1_ADDRESS,
+        decimals: 18,
+        defaultPolicy: defaultTokenPolicy("10", "100", "700")
+      },
+      bsc: {
+        chainId: 56,
+        isNative: false,
+        address: DEFAULT_USD1_ADDRESS,
+        decimals: 18,
+        defaultPolicy: defaultTokenPolicy("10", "100", "700")
+      }
+    }
+  }
+};
+function defaultTokenPolicy(perTxAmountDecimal, dailyAmountDecimal, weeklyAmountDecimal) {
+  return {
+    perTxAmountDecimal,
+    dailyAmountDecimal,
+    weeklyAmountDecimal
+  };
+}
+function defaultChainProfiles() {
+  return {
+    eth: {
+      chainId: 1,
+      name: "ETH",
+      rpcUrl: DEFAULT_ETH_RPC_URL
+    },
+    bsc: {
+      chainId: 56,
+      name: "BSC",
+      rpcUrl: DEFAULT_BSC_RPC_URL
+    }
+  };
+}
+function defaultTokenProfiles() {
+  return {
+    usd1: {
+      name: "USD1",
+      symbol: "USD1",
+      defaultPolicy: defaultTokenPolicy("10", "100", "700"),
+      destinationOverrides: [],
+      manualApprovalPolicies: [],
+      chains: {
+        eth: {
+          chainId: 1,
+          isNative: false,
+          address: DEFAULT_USD1_ADDRESS,
+          decimals: 18,
+          defaultPolicy: defaultTokenPolicy("10", "100", "700")
+        },
+        bsc: {
+          chainId: 56,
+          isNative: false,
+          address: DEFAULT_USD1_ADDRESS,
+          decimals: 18,
+          defaultPolicy: defaultTokenPolicy("10", "100", "700")
+        }
+      }
+    },
+    bnb: {
+      name: "BNB",
+      symbol: "BNB",
+      defaultPolicy: defaultTokenPolicy("0.01", "0.2", "1.4"),
+      destinationOverrides: [],
+      manualApprovalPolicies: [],
+      chains: {
+        bsc: {
+          chainId: 56,
+          isNative: true,
+          decimals: 18,
+          defaultPolicy: defaultTokenPolicy("0.01", "0.2", "1.4")
+        }
+      }
+    }
+  };
+}
+function normalizeLoopbackHostname(hostname) {
+  if (hostname.startsWith("[") && hostname.endsWith("]")) {
+    return hostname.slice(1, -1).toLowerCase();
+  }
+  return hostname.toLowerCase();
+}
+function isIpv4Loopback(hostname) {
+  const parts = hostname.split(".");
+  if (parts.length !== 4 || parts.some((part) => !/^\d+$/u.test(part))) {
+    return false;
+  }
+  const octets = parts.map((part) => Number(part));
+  if (octets.some((octet) => octet < 0 || octet > 255)) {
+    return false;
+  }
+  return octets[0] === 127;
+}
+function isLoopbackHostname(hostname) {
+  const normalized = normalizeLoopbackHostname(hostname);
+  return normalized === "localhost" || normalized.endsWith(".localhost") || normalized === "::1" || isIpv4Loopback(normalized);
+}
+function assertSafeRpcUrl(value, label = "rpcUrl") {
+  const normalized = value.trim();
+  if (!normalized) {
+    throw new Error(`${label} is required`);
+  }
+  let parsed;
+  try {
+    parsed = new URL(normalized);
+  } catch {
+    throw new Error(`${label} must be a valid http(s) URL`);
+  }
+  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") {
+    throw new Error(`${label} must use https or localhost http`);
+  }
+  if (parsed.username || parsed.password) {
+    throw new Error(`${label} must not include embedded credentials`);
+  }
+  if (!parsed.hostname) {
+    throw new Error(`${label} must include a hostname`);
+  }
+  if (parsed.protocol === "http:" && !isLoopbackHostname(parsed.hostname)) {
+    throw new Error(`${label} must use https unless it targets localhost or a loopback address`);
+  }
+  return normalized;
+}
+var ADDRESS_PATTERN = /^0x[a-f0-9]{40}$/iu;
+function assertValidEvmAddress(value, label) {
+  const normalized = value.trim();
+  if (!ADDRESS_PATTERN.test(normalized)) {
+    throw new Error(`${label} must be a valid EVM address`);
+  }
+  return normalized;
+}
+function assertPositiveSafeInteger(value, label) {
+  if (!Number.isSafeInteger(value) || value <= 0) {
+    throw new Error(`${label} must be a positive safe integer`);
+  }
+  return value;
+}
+function assertTokenDecimals(value, label) {
+  if (!Number.isInteger(value) || value < 0 || value > 255) {
+    throw new Error(`${label} must be an integer between 0 and 255`);
+  }
+  return value;
+}
+function assertOptionalTokenAmount(value, label) {
+  if (value == null) {
+    return void 0;
+  }
+  if (typeof value !== "number" || !Number.isFinite(value) || value <= 0) {
+    throw new Error(`${label} must be a positive finite number`);
+  }
+  return value;
+}
+function assertOptionalTrimmedString(value, label) {
+  if (value == null) {
+    return void 0;
+  }
+  const normalized = value.trim();
+  if (!normalized) {
+    return void 0;
+  }
+  return normalized;
+}
+function assertRequiredTrimmedString(value, label) {
+  const normalized = assertOptionalTrimmedString(value, label);
+  if (!normalized) {
+    throw new Error(`${label} is required`);
+  }
+  return normalized;
+}
+function assertOptionalStringArray(value, label) {
+  if (value == null) {
+    return void 0;
+  }
+  if (!Array.isArray(value) || value.some((entry) => typeof entry !== "string")) {
+    throw new Error(`${label} must be an array of strings`);
+  }
+  const normalized = value.map((entry) => entry.trim()).filter((entry) => entry.length > 0);
+  return normalized.length > 0 ? normalized : void 0;
+}
+function normalizeWalletProfile(profile) {
+  if (profile == null) {
+    return void 0;
+  }
+  return {
+    vaultKeyId: assertOptionalTrimmedString(profile.vaultKeyId, "wallet.vaultKeyId"),
+    vaultPublicKey: assertRequiredTrimmedString(profile.vaultPublicKey, "wallet.vaultPublicKey"),
+    address: profile.address ? assertValidEvmAddress(profile.address, "wallet.address") : void 0,
+    agentKeyId: assertOptionalTrimmedString(profile.agentKeyId, "wallet.agentKeyId"),
+    policyAttachment: assertRequiredTrimmedString(profile.policyAttachment, "wallet.policyAttachment"),
+    attachedPolicyIds: assertOptionalStringArray(profile.attachedPolicyIds, "wallet.attachedPolicyIds"),
+    policyNote: assertOptionalTrimmedString(profile.policyNote, "wallet.policyNote"),
+    networkScope: assertOptionalTrimmedString(profile.networkScope, "wallet.networkScope"),
+    assetScope: assertOptionalTrimmedString(profile.assetScope, "wallet.assetScope"),
+    recipientScope: assertOptionalTrimmedString(profile.recipientScope, "wallet.recipientScope")
+  };
+}
+function normalizeTokenPolicyProfile(tokenKey, chainKey, policy) {
+  if (!policy) {
+    return void 0;
+  }
+  return {
+    perTxAmount: assertOptionalTokenAmount(policy.perTxAmount, `token '${tokenKey}' chain '${chainKey}' perTxAmount`),
+    dailyAmount: assertOptionalTokenAmount(policy.dailyAmount, `token '${tokenKey}' chain '${chainKey}' dailyAmount`),
+    weeklyAmount: assertOptionalTokenAmount(policy.weeklyAmount, `token '${tokenKey}' chain '${chainKey}' weeklyAmount`),
+    perTxAmountDecimal: assertOptionalTrimmedString(policy.perTxAmountDecimal, `token '${tokenKey}' chain '${chainKey}' perTxAmountDecimal`),
+    dailyAmountDecimal: assertOptionalTrimmedString(policy.dailyAmountDecimal, `token '${tokenKey}' chain '${chainKey}' dailyAmountDecimal`),
+    weeklyAmountDecimal: assertOptionalTrimmedString(policy.weeklyAmountDecimal, `token '${tokenKey}' chain '${chainKey}' weeklyAmountDecimal`),
+    perTxLimit: assertOptionalTrimmedString(policy.perTxLimit, `token '${tokenKey}' chain '${chainKey}' perTxLimit`),
+    dailyLimit: assertOptionalTrimmedString(policy.dailyLimit, `token '${tokenKey}' chain '${chainKey}' dailyLimit`),
+    weeklyLimit: assertOptionalTrimmedString(policy.weeklyLimit, `token '${tokenKey}' chain '${chainKey}' weeklyLimit`),
+    maxGasPerChainWei: assertOptionalTrimmedString(policy.maxGasPerChainWei, `token '${tokenKey}' chain '${chainKey}' maxGasPerChainWei`),
+    dailyMaxTxCount: assertOptionalTrimmedString(policy.dailyMaxTxCount, `token '${tokenKey}' chain '${chainKey}' dailyMaxTxCount`),
+    perTxMaxFeePerGasGwei: assertOptionalTrimmedString(policy.perTxMaxFeePerGasGwei, `token '${tokenKey}' chain '${chainKey}' perTxMaxFeePerGasGwei`),
+    perTxMaxFeePerGasWei: assertOptionalTrimmedString(policy.perTxMaxFeePerGasWei, `token '${tokenKey}' chain '${chainKey}' perTxMaxFeePerGasWei`),
+    perTxMaxPriorityFeePerGasWei: assertOptionalTrimmedString(policy.perTxMaxPriorityFeePerGasWei, `token '${tokenKey}' chain '${chainKey}' perTxMaxPriorityFeePerGasWei`),
+    perTxMaxCalldataBytes: assertOptionalTrimmedString(policy.perTxMaxCalldataBytes, `token '${tokenKey}' chain '${chainKey}' perTxMaxCalldataBytes`)
+  };
+}
+function normalizeTokenDestinationOverrideProfile(tokenKey, profile) {
+  const recipient = assertValidEvmAddress(profile.recipient, `token '${tokenKey}' destination override recipient`);
+  return {
+    recipient,
+    limits: normalizeTokenPolicyProfile(tokenKey, "override", profile.limits) ?? {}
+  };
+}
+function normalizeTokenManualApprovalProfile(tokenKey, profile) {
+  return {
+    priority: profile.priority === void 0 ? void 0 : assertPositiveSafeInteger(profile.priority, `token '${tokenKey}' manual approval priority`),
+    recipient: profile.recipient ? assertValidEvmAddress(profile.recipient, `token '${tokenKey}' manual approval recipient`) : void 0,
+    minAmount: assertOptionalTokenAmount(profile.minAmount, `token '${tokenKey}' manual approval minAmount`),
+    maxAmount: assertOptionalTokenAmount(profile.maxAmount, `token '${tokenKey}' manual approval maxAmount`),
+    minAmountDecimal: assertOptionalTrimmedString(profile.minAmountDecimal, `token '${tokenKey}' manual approval minAmountDecimal`),
+    maxAmountDecimal: assertOptionalTrimmedString(profile.maxAmountDecimal, `token '${tokenKey}' manual approval maxAmountDecimal`),
+    minAmountWei: assertOptionalTrimmedString(profile.minAmountWei, `token '${tokenKey}' manual approval minAmountWei`),
+    maxAmountWei: assertOptionalTrimmedString(profile.maxAmountWei, `token '${tokenKey}' manual approval maxAmountWei`)
+  };
+}
+function normalizeTokenChainProfile(tokenKey, chainKey, profile) {
+  const normalizedChainKey = chainKey.trim().toLowerCase();
+  if (!normalizedChainKey) {
+    throw new Error(`token '${tokenKey}' chain key is required`);
+  }
+  const normalized = {
+    chainId: assertPositiveSafeInteger(profile.chainId, `token '${tokenKey}' chain '${normalizedChainKey}' chainId`),
+    isNative: Boolean(profile.isNative),
+    decimals: assertTokenDecimals(profile.decimals, `token '${tokenKey}' chain '${normalizedChainKey}' decimals`),
+    defaultPolicy: normalizeTokenPolicyProfile(tokenKey, normalizedChainKey, profile.defaultPolicy)
+  };
+  if (normalized.isNative) {
+    if (profile.address?.trim()) {
+      throw new Error(`token '${tokenKey}' chain '${normalizedChainKey}' must not set address when isNative=true`);
+    }
+  } else {
+    normalized.address = assertValidEvmAddress(
+      profile.address ?? "",
+      `token '${tokenKey}' chain '${normalizedChainKey}' address`
+    );
+  }
+  return normalized;
+}
+function normalizeTokenProfile(key, profile) {
+  const normalizedKey = key.trim().toLowerCase();
+  if (!normalizedKey) {
+    throw new Error("token profile key is required");
+  }
+  const symbol = profile.symbol?.trim();
+  if (!symbol) {
+    throw new Error(`token profile '${normalizedKey}' symbol is required`);
+  }
+  const name = assertOptionalTrimmedString(profile.name, `token profile '${normalizedKey}' name`);
+  const normalizedChains = {};
+  for (const [chainKey, chainProfile] of Object.entries(profile.chains ?? {})) {
+    const normalizedChainKey = chainKey.trim().toLowerCase();
+    if (!normalizedChainKey) {
+      throw new Error(`token profile '${normalizedKey}' contains an empty chain key`);
+    }
+    normalizedChains[normalizedChainKey] = normalizeTokenChainProfile(normalizedKey, normalizedChainKey, chainProfile);
+  }
+  return {
+    name,
+    symbol,
+    defaultPolicy: normalizeTokenPolicyProfile(normalizedKey, "default", profile.defaultPolicy),
+    destinationOverrides: (profile.destinationOverrides ?? []).map(
+      (item) => normalizeTokenDestinationOverrideProfile(normalizedKey, item)
+    ),
+    manualApprovalPolicies: (profile.manualApprovalPolicies ?? []).map(
+      (item) => normalizeTokenManualApprovalProfile(normalizedKey, item)
+    ),
+    chains: normalizedChains
+  };
+}
+function normalizeChainProfileEntry(key, profile) {
+  const normalizedKey = key.trim().toLowerCase();
+  if (!normalizedKey) {
+    throw new Error("chain profile key is required");
+  }
+  const name = profile.name?.trim() || normalizedKey;
+  return {
+    chainId: assertPositiveSafeInteger(profile.chainId, `chain profile '${normalizedKey}' chainId`),
+    name,
+    rpcUrl: profile.rpcUrl ? assertSafeRpcUrl(profile.rpcUrl, `chain profile '${normalizedKey}' rpcUrl`) : void 0
+  };
+}
+function normalizeChainProfiles(profiles) {
+  const normalized = {};
+  for (const [key, profile] of Object.entries(profiles ?? {})) {
+    const normalizedKey = key.trim().toLowerCase();
+    if (!normalizedKey) {
+      throw new Error("chain profile key is required");
+    }
+    normalized[normalizedKey] = normalizeChainProfileEntry(normalizedKey, profile);
+  }
+  return normalized;
+}
+function normalizeTokenProfiles(profiles) {
+  const normalized = {};
+  for (const [key, profile] of Object.entries(profiles ?? {})) {
+    const normalizedKey = key.trim().toLowerCase();
+    if (!normalizedKey) {
+      throw new Error("token profile key is required");
+    }
+    normalized[normalizedKey] = normalizeTokenProfile(normalizedKey, profile);
+  }
+  return normalized;
+}
+function normalizePath(targetPath) {
+  return path.resolve(targetPath);
+}
+function requirePathValue(targetPath, label) {
+  const normalized = targetPath.trim();
+  if (!normalized) {
+    throw new Error(`${label} is required`);
+  }
+  return normalizePath(normalized);
+}
+function readLstat(targetPath) {
+  try {
+    return fs.lstatSync(targetPath);
+  } catch (error) {
+    if (error.code === "ENOENT") {
+      return null;
+    }
+    throw error;
+  }
+}
+function readLstatAllowInaccessible(targetPath) {
+  try {
+    return fs.lstatSync(targetPath);
+  } catch (error) {
+    const code = error.code;
+    if (code === "ENOENT") {
+      return null;
+    }
+    if (code === "EACCES" || code === "EPERM") {
+      return "inaccessible";
+    }
+    throw error;
+  }
+}
+function isStableRootOwnedSymlink(stats, targetPath) {
+  if (process.platform === "win32" || typeof stats.uid !== "number" || stats.uid !== 0) {
+    return false;
+  }
+  const parentPath = path.dirname(targetPath);
+  const parentStats = readLstat(parentPath);
+  return Boolean(
+    parentStats && parentStats.isDirectory() && typeof parentStats.uid === "number" && parentStats.uid === 0 && (parentStats.mode & GROUP_OTHER_WRITE_MODE_MASK) === 0
+  );
+}
+function assertNoSymlinkAncestorDirectories(targetPath, label) {
+  const normalized = normalizePath(targetPath);
+  const parent = path.dirname(normalized);
+  if (parent === normalized) {
+    return;
+  }
+  const { root } = path.parse(parent);
+  const relativeParent = parent.slice(root.length);
+  if (!relativeParent) {
+    return;
+  }
+  let currentPath = root;
+  for (const segment of relativeParent.split(path.sep).filter(Boolean)) {
+    currentPath = path.join(currentPath, segment);
+    const stats = readLstat(currentPath);
+    if (!stats) {
+      break;
+    }
+    if (stats.isSymbolicLink()) {
+      if (isStableRootOwnedSymlink(stats, currentPath)) {
+        continue;
+      }
+      throw new Error(`${label} '${normalized}' must not traverse symlinked ancestor directories`);
+    }
+  }
+}
+function findNearestExistingPath(targetPath) {
+  let currentPath = normalizePath(targetPath);
+  while (true) {
+    const stats = readLstat(currentPath);
+    if (stats) {
+      return {
+        path: currentPath,
+        stats
+      };
+    }
+    const parentPath = path.dirname(currentPath);
+    if (parentPath === currentPath) {
+      throw new Error(`No existing ancestor directory found for '${targetPath}'`);
+    }
+    currentPath = parentPath;
+  }
+}
+function allowedOwnerUids() {
+  const allowed = /* @__PURE__ */ new Set();
+  const effectiveUid = typeof process.geteuid === "function" ? process.geteuid() : null;
+  if (effectiveUid !== null) {
+    allowed.add(effectiveUid);
+  }
+  const sudoUid = process.env.SUDO_UID?.trim();
+  if (effectiveUid === 0 && sudoUid && /^\d+$/u.test(sudoUid)) {
+    allowed.add(Number(sudoUid));
+  }
+  return allowed;
+}
+function assertTrustedOwner(stats, targetPath, label) {
+  if (process.platform === "win32" || typeof stats.uid !== "number") {
+    return;
+  }
+  if (stats.uid === 0) {
+    return;
+  }
+  const allowed = allowedOwnerUids();
+  if (!allowed.has(stats.uid)) {
+    throw new Error(
+      `${label} '${targetPath}' must be owned by the current user, sudo caller, or root`
+    );
+  }
+}
+function assertSecureDirectory(stats, targetPath, label) {
+  assertTrustedOwner(stats, targetPath, label);
+  if (process.platform === "win32") {
+    return;
+  }
+  if ((stats.mode & GROUP_OTHER_WRITE_MODE_MASK) !== 0) {
+    throw new Error(`${label} '${targetPath}' must not be writable by group/other`);
+  }
+}
+function isStickyDirectory(stats) {
+  return process.platform !== "win32" && (stats.mode & STICKY_BIT_MODE) !== 0;
+}
+function assertSecureDirectoryPath(targetPath, label) {
+  const normalized = normalizePath(targetPath);
+  assertNoSymlinkAncestorDirectories(normalized, label);
+  const targetStats = fs.lstatSync(normalized);
+  if (targetStats.isSymbolicLink()) {
+    throw new Error(`${label} '${normalized}' must not be a symlink`);
+  }
+  if (!targetStats.isDirectory()) {
+    throw new Error(`${label} '${normalized}' must be a directory`);
+  }
+  assertSecureDirectory(targetStats, normalized, label);
+  const ancestors = [];
+  let currentPath = fs.realpathSync.native(normalized);
+  while (true) {
+    ancestors.push(currentPath);
+    const parentPath = path.dirname(currentPath);
+    if (parentPath === currentPath) {
+      break;
+    }
+    currentPath = parentPath;
+  }
+  for (const [index, currentDirectory] of ancestors.entries()) {
+    if (index === 0) {
+      continue;
+    }
+    const stats = fs.lstatSync(currentDirectory);
+    if (!stats.isDirectory()) {
+      throw new Error(`${label} '${currentDirectory}' must be a directory`);
+    }
+    assertTrustedOwner(stats, currentDirectory, label);
+    if (process.platform !== "win32" && (stats.mode & GROUP_OTHER_WRITE_MODE_MASK) !== 0) {
+      const allowStickyAncestor = index > 0 && isStickyDirectory(stats);
+      if (!allowStickyAncestor) {
+        throw new Error(`${label} '${currentDirectory}' must not be writable by group/other`);
+      }
+    }
+  }
+}
+function assertSecureFile(stats, targetPath, label) {
+  assertTrustedOwner(stats, targetPath, label);
+  if (process.platform === "win32") {
+    return;
+  }
+  if ((stats.mode & PRIVATE_FILE_MODE_MASK) !== 0) {
+    throw new Error(`${label} '${targetPath}' must not grant group/other permissions`);
+  }
+}
+function assertNotSymlink(targetPath, label) {
+  const stats = readLstat(targetPath);
+  if (stats?.isSymbolicLink()) {
+    throw new Error(`${label} '${targetPath}' must not be a symlink`);
+  }
+  return stats;
+}
+function tightenPermissions(targetPath, mode) {
+  try {
+    fs.chmodSync(targetPath, mode);
+  } catch {
+  }
+}
+function ensurePrivateDirectory(targetPath, label) {
+  const normalized = normalizePath(targetPath);
+  assertNoSymlinkAncestorDirectories(normalized, label);
+  const stats = assertNotSymlink(normalized, label);
+  if (stats && !stats.isDirectory()) {
+    throw new Error(`${label} '${normalized}' must be a directory`);
+  }
+  if (!stats) {
+    fs.mkdirSync(normalized, { recursive: true, mode: PRIVATE_DIR_MODE });
+  }
+  tightenPermissions(normalized, PRIVATE_DIR_MODE);
+  assertSecureDirectoryPath(normalized, label);
+  return normalized;
+}
+function readUtf8FileSecure(targetPath, label, maxBytes) {
+  const normalized = normalizePath(targetPath);
+  assertSecureDirectoryPath(path.dirname(normalized), `${label} parent directory`);
+  const openFlags = process.platform === "win32" ? fs.constants.O_RDONLY : fs.constants.O_RDONLY | fs.constants.O_NOFOLLOW;
+  const fd = fs.openSync(normalized, openFlags);
+  try {
+    const stats = fs.fstatSync(fd);
+    if (!stats.isFile()) {
+      throw new Error(`${label} '${normalized}' must be a regular file`);
+    }
+    assertSecureFile(stats, normalized, label);
+    if (maxBytes !== void 0 && stats.size > maxBytes) {
+      throw new Error(`${label} '${normalized}' must not exceed ${maxBytes} bytes`);
+    }
+    return fs.readFileSync(fd, "utf8");
+  } finally {
+    fs.closeSync(fd);
+  }
+}
+function readPrivateJsonFile(targetPath, label) {
+  const normalized = normalizePath(targetPath);
+  const stats = assertNotSymlink(normalized, label);
+  if (!stats) {
+    return null;
+  }
+  if (!stats.isFile()) {
+    throw new Error(`${label} '${normalized}' must be a regular file`);
+  }
+  tightenPermissions(normalized, PRIVATE_FILE_MODE);
+  return JSON.parse(readUtf8FileSecure(normalized, label, MAX_CONFIG_FILE_BYTES));
+}
+function assertSecurePlannedDirectoryPath(targetPath, label) {
+  const normalized = requirePathValue(targetPath, label);
+  assertNoSymlinkAncestorDirectories(normalized, label);
+  const stats = readLstat(normalized);
+  if (stats) {
+    if (stats.isSymbolicLink()) {
+      throw new Error(`${label} '${normalized}' must not be a symlink`);
+    }
+    if (!stats.isDirectory()) {
+      throw new Error(`${label} '${normalized}' must be a directory`);
+    }
+    assertSecureDirectoryPath(normalized, label);
+    return normalized;
+  }
+  const nearestExistingPath = findNearestExistingPath(normalized);
+  if (nearestExistingPath.stats.isSymbolicLink()) {
+    throw new Error(`${label} '${nearestExistingPath.path}' must not be a symlink`);
+  }
+  if (!nearestExistingPath.stats.isDirectory()) {
+    throw new Error(`${label} '${nearestExistingPath.path}' must be a directory`);
+  }
+  assertSecureDirectoryPath(nearestExistingPath.path, label);
+  return normalized;
+}
+function assertSecurePlannedDaemonSocketPath(targetPath, label) {
+  const normalized = requirePathValue(targetPath, label);
+  assertSecurePlannedDirectoryPath(path.dirname(normalized), `${label} directory`);
+  const stats = readLstat(normalized);
+  if (!stats) {
+    return normalized;
+  }
+  if (stats.isSymbolicLink()) {
+    throw new Error(`${label} '${normalized}' must not be a symlink`);
+  }
+  if (process.platform !== "win32" && !stats.isSocket()) {
+    throw new Error(`${label} '${normalized}' must be a unix socket`);
+  }
+  assertTrustedOwner(stats, normalized, label);
+  return normalized;
+}
+function assertSecurePlannedPrivateFilePath(targetPath, label) {
+  const normalized = requirePathValue(targetPath, label);
+  assertSecurePlannedDirectoryPath(path.dirname(normalized), `${label} directory`);
+  const stats = readLstatAllowInaccessible(normalized);
+  if (!stats || stats === "inaccessible") {
+    return normalized;
+  }
+  if (stats.isSymbolicLink()) {
+    throw new Error(`${label} '${normalized}' must not be a symlink`);
+  }
+  if (!stats.isFile()) {
+    throw new Error(`${label} '${normalized}' must be a regular file`);
+  }
+  assertSecureFile(stats, normalized, label);
+  return normalized;
+}
+function writePrivateFile(targetPath, contents, label) {
+  const normalized = normalizePath(targetPath);
+  const parent = ensurePrivateDirectory(path.dirname(normalized), `${label} parent`);
+  assertNotSymlink(normalized, label);
+  const tempPath = path.join(
+    parent,
+    `.${path.basename(normalized)}.tmp-${process.pid}-${Date.now()}`
+  );
+  try {
+    fs.writeFileSync(tempPath, contents, {
+      encoding: "utf8",
+      mode: PRIVATE_FILE_MODE,
+      flag: "wx"
+    });
+    tightenPermissions(tempPath, PRIVATE_FILE_MODE);
+    fs.renameSync(tempPath, normalized);
+    tightenPermissions(normalized, PRIVATE_FILE_MODE);
+  } finally {
+    try {
+      if (fs.existsSync(tempPath)) {
+        fs.rmSync(tempPath);
+      }
+    } catch {
+    }
+  }
+}
+function normalizedDefaultConfig() {
+  return {
+    daemonSocket: defaultDaemonSocketPath(),
+    stateFile: defaultStateFilePath(),
+    rustBinDir: defaultRustBinDir(),
+    chains: defaultChainProfiles(),
+    tokens: defaultTokenProfiles()
+  };
+}
+function applySeedDefaultsIfLegacyEmpty(config) {
+  const chainCount = Object.keys(config.chains ?? {}).length;
+  const tokenCount = Object.keys(config.tokens ?? {}).length;
+  if (chainCount === 0 && tokenCount === 0) {
+    return {
+      ...config,
+      chains: defaultChainProfiles(),
+      tokens: defaultTokenProfiles()
+    };
+  }
+  return config;
+}
+function resolveWlfiHome() {
+  const explicit = process.env.WLFI_HOME?.trim();
+  if (explicit) {
+    return normalizePath(explicit);
+  }
+  return path.join(os.homedir(), WLFI_DIRNAME);
+}
+function resolveConfigPath() {
+  return path.join(resolveWlfiHome(), CONFIG_FILENAME);
+}
+function defaultDaemonSocketPath() {
+  return path.join(resolveWlfiHome(), "daemon.sock");
+}
+function defaultStateFilePath() {
+  return path.join(resolveWlfiHome(), "daemon-state.enc");
+}
+function defaultRustBinDir() {
+  return path.join(resolveWlfiHome(), "bin");
+}
+function defaultConfig() {
+  return normalizedDefaultConfig();
+}
+function ensureWlfiHome() {
+  return ensurePrivateDirectory(resolveWlfiHome(), "WLFI home");
+}
+function readConfig() {
+  ensureWlfiHome();
+  const parsed = readPrivateJsonFile(resolveConfigPath(), "config file");
+  const merged = applySeedDefaultsIfLegacyEmpty({
+    ...normalizedDefaultConfig(),
+    ...parsed ?? {}
+  });
+  return {
+    ...merged,
+    wallet: normalizeWalletProfile(merged.wallet),
+    chains: normalizeChainProfiles(merged.chains),
+    tokens: normalizeTokenProfiles(merged.tokens)
+  };
+}
+function writeConfig(nextConfig) {
+  ensureWlfiHome();
+  const merged = {
+    ...normalizedDefaultConfig(),
+    ...readConfig(),
+    ...nextConfig
+  };
+  if (Object.prototype.hasOwnProperty.call(nextConfig, "rpcUrl") && merged.rpcUrl !== void 0) {
+    merged.rpcUrl = assertSafeRpcUrl(merged.rpcUrl, "rpcUrl");
+  }
+  if (Object.prototype.hasOwnProperty.call(nextConfig, "daemonSocket") && merged.daemonSocket !== void 0) {
+    merged.daemonSocket = assertSecurePlannedDaemonSocketPath(merged.daemonSocket, "daemonSocket");
+  }
+  if (Object.prototype.hasOwnProperty.call(nextConfig, "stateFile") && merged.stateFile !== void 0) {
+    merged.stateFile = assertSecurePlannedPrivateFilePath(merged.stateFile, "stateFile");
+  }
+  if (Object.prototype.hasOwnProperty.call(nextConfig, "rustBinDir") && merged.rustBinDir !== void 0) {
+    merged.rustBinDir = assertSecurePlannedDirectoryPath(merged.rustBinDir, "rustBinDir");
+  }
+  merged.wallet = normalizeWalletProfile(merged.wallet);
+  merged.chains = normalizeChainProfiles(merged.chains);
+  merged.tokens = normalizeTokenProfiles(merged.tokens);
+  writePrivateFile(resolveConfigPath(), JSON.stringify(merged, null, 2) + "\n", "config file");
+  return merged;
+}
+function deleteConfigKey(key) {
+  ensureWlfiHome();
+  const current = {
+    ...normalizedDefaultConfig(),
+    ...readConfig()
+  };
+  delete current[key];
+  const normalized = {
+    ...normalizedDefaultConfig(),
+    ...current,
+    chains: current.chains ?? {},
+    tokens: current.tokens ?? {}
+  };
+  writePrivateFile(resolveConfigPath(), JSON.stringify(normalized, null, 2) + "\n", "config file");
+  return normalized;
+}
+function listBuiltinChains() {
+  return Object.entries(BUILTIN_CHAINS).map(([key, value]) => ({ ...value, name: key })).sort((left, right) => left.chainId - right.chainId || left.name.localeCompare(right.name));
+}
+function listBuiltinTokens() {
+  return Object.entries(BUILTIN_TOKENS).map(([key, value]) => ({
+    key,
+    name: value.name,
+    symbol: value.symbol,
+    chains: Object.entries(value.chains ?? {}).map(([chainKey, chainValue]) => ({ key: chainKey, ...chainValue })).sort((left, right) => left.chainId - right.chainId || left.key.localeCompare(right.key))
+  })).sort((left, right) => left.key.localeCompare(right.key));
+}
+function listConfiguredTokens(config = readConfig()) {
+  return Object.entries(config.tokens ?? {}).map(([key, value]) => ({
+    key,
+    name: value.name,
+    symbol: value.symbol,
+    chains: Object.entries(value.chains ?? {}).map(([chainKey, chainValue]) => ({ key: chainKey, ...chainValue })).sort((left, right) => left.chainId - right.chainId || left.key.localeCompare(right.key))
+  })).sort((left, right) => left.key.localeCompare(right.key));
+}
+function resolveTokenProfile(selector, config = readConfig()) {
+  const normalized = selector.trim().toLowerCase();
+  if (!normalized) {
+    return null;
+  }
+  for (const [key, value] of Object.entries(config.tokens ?? {})) {
+    if (key.toLowerCase() === normalized || value.symbol.toLowerCase() === normalized) {
+      return { key, source: "configured", ...value };
+    }
+  }
+  for (const [key, value] of Object.entries(BUILTIN_TOKENS)) {
+    if (key.toLowerCase() === normalized || value.symbol.toLowerCase() === normalized) {
+      return { key, source: "builtin", ...value };
+    }
+  }
+  return null;
+}
+function listConfiguredChains(config = readConfig()) {
+  return Object.entries(config.chains ?? {}).map(([key, value]) => ({ key, ...value })).sort((left, right) => left.chainId - right.chainId || left.key.localeCompare(right.key));
+}
+function resolveChainProfile(selector, config = readConfig()) {
+  const normalized = selector.trim().toLowerCase();
+  if (!normalized) {
+    return null;
+  }
+  for (const [key, value] of Object.entries(config.chains ?? {})) {
+    if (key.toLowerCase() === normalized || value.name.toLowerCase() === normalized || String(value.chainId) === selector) {
+      return { ...value, key, source: "configured" };
+    }
+  }
+  if (BUILTIN_CHAINS[normalized]) {
+    return { ...BUILTIN_CHAINS[normalized], key: normalized, source: "builtin" };
+  }
+  if (config.chainId !== void 0 && String(config.chainId) === selector) {
+    return {
+      chainId: config.chainId,
+      name: config.chainName ?? normalized,
+      rpcUrl: config.rpcUrl,
+      source: "active"
+    };
+  }
+  return null;
+}
+function saveChainProfile(key, profile) {
+  const normalizedKey = key.trim().toLowerCase();
+  if (!normalizedKey) {
+    throw new Error("chain profile key is required");
+  }
+  const normalizedProfile = normalizeChainProfileEntry(normalizedKey, profile);
+  return writeConfig({
+    chains: {
+      ...readConfig().chains ?? {},
+      [normalizedKey]: normalizedProfile
+    }
+  });
+}
+function removeChainProfile(key) {
+  const normalizedKey = key.trim().toLowerCase();
+  const nextChains = { ...readConfig().chains ?? {} };
+  delete nextChains[normalizedKey];
+  return writeConfig({ chains: nextChains });
+}
+function saveTokenProfile(key, profile) {
+  const normalizedKey = key.trim().toLowerCase();
+  return writeConfig({
+    tokens: {
+      ...readConfig().tokens ?? {},
+      [normalizedKey]: normalizeTokenProfile(normalizedKey, profile)
+    }
+  });
+}
+function saveTokenChainProfile(tokenKey, chainKey, profile, options = {}) {
+  const normalizedTokenKey = tokenKey.trim().toLowerCase();
+  const normalizedChainKey = chainKey.trim().toLowerCase();
+  const current = readConfig();
+  const existing = current.tokens?.[normalizedTokenKey];
+  const symbol = options.symbol?.trim() || existing?.symbol;
+  if (!symbol) {
+    throw new Error(`token '${normalizedTokenKey}' symbol is required`);
+  }
+  return writeConfig({
+    tokens: {
+      ...current.tokens ?? {},
+      [normalizedTokenKey]: normalizeTokenProfile(normalizedTokenKey, {
+        name: existing?.name,
+        symbol,
+        defaultPolicy: existing?.defaultPolicy,
+        destinationOverrides: existing?.destinationOverrides,
+        manualApprovalPolicies: existing?.manualApprovalPolicies,
+        chains: {
+          ...existing?.chains ?? {},
+          [normalizedChainKey]: normalizeTokenChainProfile(normalizedTokenKey, normalizedChainKey, profile)
+        }
+      })
+    }
+  });
+}
+function removeTokenProfile(key) {
+  const normalizedKey = key.trim().toLowerCase();
+  const nextTokens = { ...readConfig().tokens ?? {} };
+  delete nextTokens[normalizedKey];
+  return writeConfig({ tokens: nextTokens });
+}
+function removeTokenChainProfile(tokenKey, chainKey) {
+  const normalizedTokenKey = tokenKey.trim().toLowerCase();
+  const normalizedChainKey = chainKey.trim().toLowerCase();
+  const current = readConfig();
+  const token = current.tokens?.[normalizedTokenKey];
+  if (!token) {
+    return current;
+  }
+  const nextChains = { ...token.chains ?? {} };
+  delete nextChains[normalizedChainKey];
+  const nextTokens = { ...current.tokens ?? {} };
+  if (Object.keys(nextChains).length === 0) {
+    delete nextTokens[normalizedTokenKey];
+  } else {
+    nextTokens[normalizedTokenKey] = normalizeTokenProfile(normalizedTokenKey, {
+      name: token.name,
+      symbol: token.symbol,
+      defaultPolicy: token.defaultPolicy,
+      destinationOverrides: token.destinationOverrides,
+      manualApprovalPolicies: token.manualApprovalPolicies,
+      chains: nextChains
+    });
+  }
+  return writeConfig({ tokens: nextTokens });
+}
+function switchActiveChain(selector, options = {}) {
+  const config = readConfig();
+  const profile = resolveChainProfile(selector, config);
+  if (!profile) {
+    throw new Error(`Unknown chain selector: ${selector}`);
+  }
+  const nextRpcUrl = options.rpcUrl ?? profile.rpcUrl;
+  const normalizedRpcUrl = nextRpcUrl ? assertSafeRpcUrl(nextRpcUrl, "rpcUrl") : void 0;
+  let next = writeConfig({
+    chainId: profile.chainId,
+    chainName: profile.name,
+    rpcUrl: normalizedRpcUrl,
+    chains: config.chains ?? {}
+  });
+  if (options.persistProfile) {
+    next = saveChainProfile(profile.key ?? profile.name, {
+      chainId: profile.chainId,
+      name: profile.name,
+      rpcUrl: normalizedRpcUrl
+    });
+  }
+  return next;
+}
+function redactConfig(config) {
+  return {
+    ...config,
+    agentAuthToken: config.agentAuthToken ? "<redacted>" : void 0,
+    paths: {
+      wlfiHome: resolveWlfiHome(),
+      configPath: resolveConfigPath(),
+      daemonSocket: config.daemonSocket ?? defaultDaemonSocketPath(),
+      stateFile: config.stateFile ?? defaultStateFilePath(),
+      rustBinDir: config.rustBinDir ?? defaultRustBinDir()
+    }
+  };
+}
+function resolveRustBinaryPath(binaryName, config = readConfig()) {
+  return path.join(config.rustBinDir ?? defaultRustBinDir(), binaryName + (process.platform === "win32" ? ".exe" : ""));
+}
+export {
+  BUILTIN_CHAINS,
+  BUILTIN_TOKENS,
+  CONFIG_FILENAME,
+  WLFI_DIRNAME,
+  allowedOwnerUids,
+  assertSafeRpcUrl,
+  defaultConfig,
+  defaultDaemonSocketPath,
+  defaultRustBinDir,
+  defaultStateFilePath,
+  deleteConfigKey,
+  ensureWlfiHome,
+  listBuiltinChains,
+  listBuiltinTokens,
+  listConfiguredChains,
+  listConfiguredTokens,
+  readConfig,
+  redactConfig,
+  removeChainProfile,
+  removeTokenChainProfile,
+  removeTokenProfile,
+  resolveChainProfile,
+  resolveConfigPath,
+  resolveRustBinaryPath,
+  resolveTokenProfile,
+  resolveWlfiHome,
+  saveChainProfile,
+  saveTokenChainProfile,
+  saveTokenProfile,
+  switchActiveChain,
+  writeConfig
+};
+//# sourceMappingURL=index.cjs.map