npm - @wlfi-agent/cli - Versions diffs - 1.4.13 → 1.4.15 - Mend

@wlfi-agent/cli 1.4.13 → 1.4.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (289) hide show

package/Cargo.lock +3968 -0
package/Cargo.toml +50 -0
package/README.md +426 -6
package/crates/vault-cli-admin/Cargo.toml +26 -0
package/crates/vault-cli-admin/src/io_utils.rs +500 -0
package/crates/vault-cli-admin/src/main.rs +3990 -0
package/crates/vault-cli-admin/src/shared_config.rs +624 -0
package/crates/vault-cli-admin/src/tui/amounts.rs +180 -0
package/crates/vault-cli-admin/src/tui/token_rpc.rs +250 -0
package/crates/vault-cli-admin/src/tui/utils.rs +82 -0
package/crates/vault-cli-admin/src/tui.rs +3410 -0
package/crates/vault-cli-agent/Cargo.toml +24 -0
package/crates/vault-cli-agent/src/io_utils.rs +576 -0
package/crates/vault-cli-agent/src/main.rs +833 -0
package/crates/vault-cli-daemon/Cargo.toml +28 -0
package/crates/vault-cli-daemon/src/bin/wlfi-agent-system-keychain.rs +216 -0
package/crates/vault-cli-daemon/src/main.rs +644 -0
package/crates/vault-cli-daemon/src/relay_sync.rs +894 -0
package/crates/vault-cli-daemon/tests/system_keychain_helper_acl.rs +167 -0
package/crates/vault-daemon/Cargo.toml +32 -0
package/crates/vault-daemon/src/daemon_parts/api_impl_and_utils.rs +1041 -0
package/crates/vault-daemon/src/daemon_parts/core_helpers.rs +1256 -0
package/crates/vault-daemon/src/daemon_parts/types_api_rpc.rs +622 -0
package/crates/vault-daemon/src/lib.rs +54 -0
package/crates/vault-daemon/src/persistence.rs +441 -0
package/crates/vault-daemon/src/tests.rs +237 -0
package/crates/vault-daemon/src/tests_parts/part1.rs +1224 -0
package/crates/vault-daemon/src/tests_parts/part2.rs +1021 -0
package/crates/vault-daemon/src/tests_parts/part3.rs +835 -0
package/crates/vault-daemon/src/tests_parts/part4.rs +604 -0
package/crates/vault-domain/Cargo.toml +20 -0
package/crates/vault-domain/src/action.rs +849 -0
package/crates/vault-domain/src/address.rs +51 -0
package/crates/vault-domain/src/approval.rs +90 -0
package/crates/vault-domain/src/constants.rs +4 -0
package/crates/vault-domain/src/error.rs +54 -0
package/crates/vault-domain/src/keys.rs +71 -0
package/crates/vault-domain/src/lib.rs +42 -0
package/crates/vault-domain/src/nonce.rs +102 -0
package/crates/vault-domain/src/policy.rs +172 -0
package/crates/vault-domain/src/request.rs +53 -0
package/crates/vault-domain/src/scope.rs +24 -0
package/crates/vault-domain/src/session.rs +50 -0
package/crates/vault-domain/src/signature.rs +34 -0
package/crates/vault-domain/src/tests.rs +651 -0
package/crates/vault-domain/src/u128_as_decimal_string.rs +44 -0
package/crates/vault-policy/Cargo.toml +17 -0
package/crates/vault-policy/src/engine.rs +301 -0
package/crates/vault-policy/src/error.rs +81 -0
package/crates/vault-policy/src/lib.rs +17 -0
package/crates/vault-policy/src/report.rs +34 -0
package/crates/vault-policy/src/tests.rs +891 -0
package/crates/vault-policy/src/tests_explain.rs +78 -0
package/crates/vault-sdk-agent/Cargo.toml +21 -0
package/crates/vault-sdk-agent/src/lib.rs +711 -0
package/crates/vault-signer/Cargo.toml +25 -0
package/crates/vault-signer/src/lib.rs +731 -0
package/crates/vault-signer/tests/secure_enclave_acl.rs +54 -0
package/crates/vault-transport-unix/Cargo.toml +24 -0
package/crates/vault-transport-unix/src/lib.rs +1640 -0
package/crates/vault-transport-xpc/Cargo.toml +25 -0
package/crates/vault-transport-xpc/src/client_codec_api.rs +635 -0
package/crates/vault-transport-xpc/src/lib.rs +680 -0
package/crates/vault-transport-xpc/src/tests.rs +818 -0
package/crates/vault-transport-xpc/tests/e2e_flow.rs +773 -0
package/dist/cli.cjs +35088 -0
package/dist/cli.cjs.map +1 -0
package/package.json +45 -41
package/packages/cache/.turbo/turbo-build.log +52 -0
package/packages/cache/dist/chunk-2QFWMUXT.cjs +43 -0
package/packages/cache/dist/chunk-2QFWMUXT.cjs.map +1 -0
package/packages/cache/dist/chunk-4U63TZTQ.js +43 -0
package/packages/cache/dist/chunk-4U63TZTQ.js.map +1 -0
package/packages/cache/dist/chunk-ALQ6H7KG.cjs +404 -0
package/packages/cache/dist/chunk-ALQ6H7KG.cjs.map +1 -0
package/packages/cache/dist/chunk-FGJEEF5N.js +404 -0
package/packages/cache/dist/chunk-FGJEEF5N.js.map +1 -0
package/packages/cache/dist/chunk-UYNEHZHB.cjs +45 -0
package/packages/cache/dist/chunk-UYNEHZHB.cjs.map +1 -0
package/packages/cache/dist/chunk-VXVMPG3W.js +45 -0
package/packages/cache/dist/chunk-VXVMPG3W.js.map +1 -0
package/packages/cache/dist/client/index.cjs +11 -0
package/packages/cache/dist/client/index.cjs.map +1 -0
package/packages/cache/dist/client/index.d.cts +15 -0
package/packages/cache/dist/client/index.d.ts +15 -0
package/packages/cache/dist/client/index.js +11 -0
package/packages/cache/dist/client/index.js.map +1 -0
package/packages/cache/dist/errors/index.cjs +11 -0
package/packages/cache/dist/errors/index.cjs.map +1 -0
package/packages/cache/dist/errors/index.d.cts +26 -0
package/packages/cache/dist/errors/index.d.ts +26 -0
package/packages/cache/dist/errors/index.js +11 -0
package/packages/cache/dist/errors/index.js.map +1 -0
package/packages/cache/dist/index.cjs +29 -0
package/packages/cache/dist/index.cjs.map +1 -0
package/packages/cache/dist/index.d.cts +4 -0
package/packages/cache/dist/index.d.ts +4 -0
package/packages/cache/dist/index.js +29 -0
package/packages/cache/dist/index.js.map +1 -0
package/packages/cache/dist/service/index.cjs +15 -0
package/packages/cache/dist/service/index.cjs.map +1 -0
package/packages/cache/dist/service/index.d.cts +184 -0
package/packages/cache/dist/service/index.d.ts +184 -0
package/packages/cache/dist/service/index.js +15 -0
package/packages/cache/dist/service/index.js.map +1 -0
package/packages/cache/node_modules/.bin/jiti +17 -0
package/packages/cache/node_modules/.bin/tsc +17 -0
package/packages/cache/node_modules/.bin/tsserver +17 -0
package/packages/cache/node_modules/.bin/tsup +17 -0
package/packages/cache/node_modules/.bin/tsup-node +17 -0
package/packages/cache/node_modules/.bin/tsx +17 -0
package/packages/cache/node_modules/.bin/vitest +17 -0
package/packages/cache/package.json +48 -0
package/packages/cache/src/client/index.ts +56 -0
package/packages/cache/src/errors/index.ts +53 -0
package/packages/cache/src/index.ts +3 -0
package/packages/cache/src/service/index.test.ts +263 -0
package/packages/cache/src/service/index.ts +678 -0
package/packages/cache/tsconfig.json +13 -0
package/packages/cache/tsup.config.ts +13 -0
package/packages/cache/vitest.config.ts +16 -0
package/packages/config/.turbo/turbo-build.log +18 -0
package/packages/config/dist/index.cjs +1037 -0
package/packages/config/dist/index.cjs.map +1 -0
package/packages/config/dist/index.d.ts +131 -0
package/packages/config/node_modules/.bin/jiti +17 -0
package/packages/config/node_modules/.bin/tsc +17 -0
package/packages/config/node_modules/.bin/tsserver +17 -0
package/packages/config/node_modules/.bin/tsup +17 -0
package/packages/config/node_modules/.bin/tsup-node +17 -0
package/packages/config/node_modules/.bin/tsx +17 -0
package/packages/config/package.json +21 -0
package/packages/config/src/index.js +1 -0
package/packages/config/src/index.ts +1282 -0
package/packages/config/tsconfig.json +4 -0
package/packages/rpc/.turbo/turbo-build.log +32 -0
package/packages/rpc/dist/_esm-BCLXDO2R.cjs +3660 -0
package/packages/rpc/dist/_esm-BCLXDO2R.cjs.map +1 -0
package/packages/rpc/dist/ccip-OWJLAW55.cjs +16 -0
package/packages/rpc/dist/ccip-OWJLAW55.cjs.map +1 -0
package/packages/rpc/dist/chunk-APQIFZ3B.cjs +6247 -0
package/packages/rpc/dist/chunk-APQIFZ3B.cjs.map +1 -0
package/packages/rpc/dist/chunk-CDO2GWRD.cjs +410 -0
package/packages/rpc/dist/chunk-CDO2GWRD.cjs.map +1 -0
package/packages/rpc/dist/chunk-QGTNTFJ7.cjs +2249 -0
package/packages/rpc/dist/chunk-QGTNTFJ7.cjs.map +1 -0
package/packages/rpc/dist/chunk-TZDTAHWR.cjs +44 -0
package/packages/rpc/dist/chunk-TZDTAHWR.cjs.map +1 -0
package/packages/rpc/dist/index.cjs +7342 -0
package/packages/rpc/dist/index.cjs.map +1 -0
package/packages/rpc/dist/index.d.ts +3857 -0
package/packages/rpc/dist/secp256k1-WCNM675D.cjs +18 -0
package/packages/rpc/dist/secp256k1-WCNM675D.cjs.map +1 -0
package/packages/rpc/node_modules/.bin/jiti +17 -0
package/packages/rpc/node_modules/.bin/tsc +17 -0
package/packages/rpc/node_modules/.bin/tsserver +17 -0
package/packages/rpc/node_modules/.bin/tsup +17 -0
package/packages/rpc/node_modules/.bin/tsup-node +17 -0
package/packages/rpc/node_modules/.bin/tsx +17 -0
package/packages/rpc/package.json +25 -0
package/packages/rpc/src/index.ts +206 -0
package/packages/rpc/tsconfig.json +4 -0
package/packages/typescript/base.json +36 -0
package/packages/typescript/nextjs.json +17 -0
package/packages/typescript/package.json +10 -0
package/packages/ui/.turbo/turbo-build.log +44 -0
package/packages/ui/dist/chunk-MOAFBKSA.js +11 -0
package/packages/ui/dist/chunk-MOAFBKSA.js.map +1 -0
package/packages/ui/dist/components/badge.d.ts +12 -0
package/packages/ui/dist/components/badge.js +31 -0
package/packages/ui/dist/components/badge.js.map +1 -0
package/packages/ui/dist/components/button.d.ts +13 -0
package/packages/ui/dist/components/button.js +40 -0
package/packages/ui/dist/components/button.js.map +1 -0
package/packages/ui/dist/components/card.d.ts +10 -0
package/packages/ui/dist/components/card.js +39 -0
package/packages/ui/dist/components/card.js.map +1 -0
package/packages/ui/dist/components/input.d.ts +5 -0
package/packages/ui/dist/components/input.js +28 -0
package/packages/ui/dist/components/input.js.map +1 -0
package/packages/ui/dist/components/label.d.ts +5 -0
package/packages/ui/dist/components/label.js +13 -0
package/packages/ui/dist/components/label.js.map +1 -0
package/packages/ui/dist/components/separator.d.ts +5 -0
package/packages/ui/dist/components/separator.js +13 -0
package/packages/ui/dist/components/separator.js.map +1 -0
package/packages/ui/dist/components/textarea.d.ts +5 -0
package/packages/ui/dist/components/textarea.js +27 -0
package/packages/ui/dist/components/textarea.js.map +1 -0
package/packages/ui/dist/tailwind.d.ts +56 -0
package/packages/ui/dist/tailwind.js +60 -0
package/packages/ui/dist/tailwind.js.map +1 -0
package/packages/ui/dist/utils/cn.d.ts +5 -0
package/packages/ui/dist/utils/cn.js +7 -0
package/packages/ui/dist/utils/cn.js.map +1 -0
package/packages/ui/node_modules/.bin/jiti +17 -0
package/packages/ui/node_modules/.bin/tsc +17 -0
package/packages/ui/node_modules/.bin/tsserver +17 -0
package/packages/ui/node_modules/.bin/tsup +17 -0
package/packages/ui/node_modules/.bin/tsup-node +17 -0
package/packages/ui/node_modules/.bin/tsx +17 -0
package/packages/ui/package.json +69 -0
package/packages/ui/src/components/badge.tsx +27 -0
package/packages/ui/src/components/button.tsx +40 -0
package/packages/ui/src/components/card.tsx +31 -0
package/packages/ui/src/components/input.tsx +21 -0
package/packages/ui/src/components/label.tsx +6 -0
package/packages/ui/src/components/separator.tsx +6 -0
package/packages/ui/src/components/textarea.tsx +20 -0
package/packages/ui/src/globals.css +70 -0
package/packages/ui/src/tailwind.ts +56 -0
package/packages/ui/src/utils/cn.ts +6 -0
package/packages/ui/tsconfig.json +20 -0
package/packages/ui/tsup.config.ts +20 -0
package/pnpm-workspace.yaml +4 -0
package/scripts/install-rust-binaries.mjs +84 -0
package/scripts/launchd/install-user-daemon.sh +358 -0
package/scripts/launchd/run-vault-daemon.sh +5 -0
package/scripts/launchd/run-wlfi-agent-daemon.sh +73 -0
package/scripts/launchd/uninstall-user-daemon.sh +103 -0
package/src/cli.ts +2121 -0
package/src/lib/admin-guard.js +1 -0
package/src/lib/admin-guard.ts +185 -0
package/src/lib/admin-passthrough.ts +33 -0
package/src/lib/admin-reset.ts +751 -0
package/src/lib/admin-setup.ts +1612 -0
package/src/lib/agent-auth-clear.js +1 -0
package/src/lib/agent-auth-clear.ts +58 -0
package/src/lib/agent-auth-forwarding.js +1 -0
package/src/lib/agent-auth-forwarding.ts +149 -0
package/src/lib/agent-auth-migrate.js +1 -0
package/src/lib/agent-auth-migrate.ts +150 -0
package/src/lib/agent-auth-revoke.ts +103 -0
package/src/lib/agent-auth-rotate.ts +107 -0
package/src/lib/agent-auth-token.js +1 -0
package/src/lib/agent-auth-token.ts +25 -0
package/src/lib/agent-auth.ts +89 -0
package/src/lib/asset-broadcast.js +1 -0
package/src/lib/asset-broadcast.ts +285 -0
package/src/lib/bootstrap-artifacts.js +1 -0
package/src/lib/bootstrap-artifacts.ts +205 -0
package/src/lib/bootstrap-credentials.js +1 -0
package/src/lib/bootstrap-credentials.ts +832 -0
package/src/lib/config-amounts.js +1 -0
package/src/lib/config-amounts.ts +189 -0
package/src/lib/config-mutation.ts +27 -0
package/src/lib/fs-trust.js +1 -0
package/src/lib/fs-trust.ts +537 -0
package/src/lib/keychain.js +1 -0
package/src/lib/keychain.ts +225 -0
package/src/lib/local-admin-access.ts +106 -0
package/src/lib/network-selection.js +1 -0
package/src/lib/network-selection.ts +71 -0
package/src/lib/passthrough-security.js +1 -0
package/src/lib/passthrough-security.ts +114 -0
package/src/lib/rpc-guard.js +1 -0
package/src/lib/rpc-guard.ts +7 -0
package/src/lib/rust-spawn-options.js +1 -0
package/src/lib/rust-spawn-options.ts +98 -0
package/src/lib/rust.js +1 -0
package/src/lib/rust.ts +143 -0
package/src/lib/signed-tx.js +1 -0
package/src/lib/signed-tx.ts +116 -0
package/src/lib/status-repair-cli.ts +116 -0
package/src/lib/sudo.js +1 -0
package/src/lib/sudo.ts +172 -0
package/src/lib/vault-password-forwarding.js +1 -0
package/src/lib/vault-password-forwarding.ts +155 -0
package/src/lib/wallet-profile.js +1 -0
package/src/lib/wallet-profile.ts +332 -0
package/src/lib/wallet-repair.js +1 -0
package/src/lib/wallet-repair.ts +304 -0
package/src/lib/wallet-setup.js +1 -0
package/src/lib/wallet-setup.ts +1466 -0
package/src/lib/wallet-status.js +1 -0
package/src/lib/wallet-status.ts +640 -0
package/tsconfig.base.json +17 -0
package/tsconfig.json +10 -0
package/tsup.config.ts +25 -0
package/turbo.json +41 -0
package/LICENSE.md +0 -1
package/dist/wlfa/index.cjs +0 -250
package/dist/wlfa/index.d.cts +0 -1
package/dist/wlfa/index.d.ts +0 -1
package/dist/wlfa/index.js +0 -250
package/dist/wlfc/index.cjs +0 -1839
package/dist/wlfc/index.d.cts +0 -1
package/dist/wlfc/index.d.ts +0 -1
package/dist/wlfc/index.js +0 -1839

package/src/lib/admin-guard.js ADDED Viewed

	@@ -0,0 +1 @@
1	+ export * from './admin-guard.ts';

package/src/lib/admin-guard.ts ADDED Viewed

@@ -0,0 +1,185 @@
+import type { RustBinaryName } from './rust.js';
+const HELP_FLAGS = new Set(['-h', '--help', '-V', '--version']);
+export type AdminAccessMode =
+  | 'not-required'
+  | 'vault-password-stdin'
+  | 'interactive-prompt'
+  | 'blocked';
+export interface AdminAccessGuardDeps {
+  env?: NodeJS.ProcessEnv;
+  getEffectiveUid?: () => number | null;
+  stdinIsTty?: boolean;
+  stderrIsTty?: boolean;
+}
+export interface AdminAccessResolution {
+  permitted: boolean;
+  mode: AdminAccessMode;
+  reason: string;
+  runningAsRoot: boolean;
+  hasVaultPasswordSource: boolean;
+  canPromptSecurely: boolean;
+  nonInteractive: boolean;
+}
+function defaultGetEffectiveUid(): number | null {
+  if (typeof process.geteuid === 'function') {
+    return process.geteuid();
+  }
+  if (typeof process.getuid === 'function') {
+    return process.getuid();
+  }
+  return null;
+}
+function forwardedArgsPrefix(args: string[]): string[] {
+  const terminatorIndex = args.indexOf('--');
+  return terminatorIndex >= 0 ? args.slice(0, terminatorIndex) : args;
+}
+function findForwardedOptionValue(args: string[], optionName: string): string | null {
+  const forwarded = forwardedArgsPrefix(args);
+  for (let index = 0; index < forwarded.length; index += 1) {
+    const current = forwarded[index];
+    if (current === optionName) {
+      const next = forwarded[index + 1];
+      if (next === undefined || next === '--' || next.startsWith('-')) {
+        throw new Error(
+          `${optionName} requires a value; use ${optionName}=<value> if the value starts with -`
+        );
+      }
+      return next;
+    }
+    if (current.startsWith(`${optionName}=`)) {
+      return current.slice(optionName.length + 1);
+    }
+  }
+  return null;
+}
+function hasVaultPasswordInlineArg(args: string[]): boolean {
+  const value = findForwardedOptionValue(args, '--vault-password');
+  return value !== null && value.trim().length > 0;
+}
+function hasVaultPasswordStdinFlag(args: string[]): boolean {
+  return forwardedArgsPrefix(args).includes('--vault-password-stdin');
+}
+function hasNonInteractiveFlag(args: string[]): boolean {
+  return forwardedArgsPrefix(args).includes('--non-interactive');
+}
+export function forwardedArgsSkipAdminAccessGuard(args: string[]): boolean {
+  return args[0] === 'help' || forwardedArgsPrefix(args).some((arg) => HELP_FLAGS.has(arg));
+}
+export function resolveAdminAccess(
+  binaryName: RustBinaryName,
+  args: string[],
+  deps: AdminAccessGuardDeps = {}
+): AdminAccessResolution {
+  if (binaryName !== 'wlfi-agent-admin' || forwardedArgsSkipAdminAccessGuard(args)) {
+    return {
+      permitted: true,
+      mode: 'not-required',
+      reason: 'admin access guard is not required for this invocation',
+      runningAsRoot: false,
+      hasVaultPasswordSource: false,
+      canPromptSecurely: false,
+      nonInteractive: hasNonInteractiveFlag(args)
+    };
+  }
+  const env = deps.env ?? process.env;
+  const getEffectiveUid = deps.getEffectiveUid ?? defaultGetEffectiveUid;
+  const stdinIsTty = deps.stdinIsTty ?? Boolean(process.stdin.isTTY);
+  const stderrIsTty = deps.stderrIsTty ?? Boolean(process.stderr.isTTY);
+  const runningAsRoot = getEffectiveUid() === 0;
+  const inlineVaultPassword = hasVaultPasswordInlineArg(args);
+  const stdinVaultPassword = hasVaultPasswordStdinFlag(args);
+  const envVaultPassword = Boolean(env.WLFI_VAULT_PASSWORD?.trim());
+  const nonInteractive = hasNonInteractiveFlag(args);
+  const hasVaultPasswordSource = inlineVaultPassword || stdinVaultPassword || envVaultPassword;
+  const canPromptSecurely = !nonInteractive && stdinIsTty && stderrIsTty;
+  if (inlineVaultPassword) {
+    return {
+      permitted: false,
+      mode: 'blocked',
+      reason:
+        'insecure --vault-password is disabled; use --vault-password-stdin or a local TTY prompt',
+      runningAsRoot,
+      hasVaultPasswordSource,
+      canPromptSecurely,
+      nonInteractive
+    };
+  }
+  if (stdinVaultPassword) {
+    return {
+      permitted: true,
+      mode: 'vault-password-stdin',
+      reason: 'vault password will be read from stdin',
+      runningAsRoot,
+      hasVaultPasswordSource,
+      canPromptSecurely,
+      nonInteractive
+    };
+  }
+  if (envVaultPassword) {
+    return {
+      permitted: false,
+      mode: 'blocked',
+      reason:
+        'WLFI_VAULT_PASSWORD is disabled for security; use --vault-password-stdin or a local TTY prompt',
+      runningAsRoot,
+      hasVaultPasswordSource,
+      canPromptSecurely,
+      nonInteractive
+    };
+  }
+  if (canPromptSecurely) {
+    return {
+      permitted: true,
+      mode: 'interactive-prompt',
+      reason: 'a local tty is available for secure password entry',
+      runningAsRoot,
+      hasVaultPasswordSource,
+      canPromptSecurely,
+      nonInteractive
+    };
+  }
+  return {
+    permitted: false,
+    mode: 'blocked',
+    reason: nonInteractive
+      ? 'vault password is required in non-interactive mode; use --vault-password-stdin'
+      : 'wlfi-agent admin commands require --vault-password-stdin or a local TTY so a human can enter the vault password securely',
+    runningAsRoot,
+    hasVaultPasswordSource,
+    canPromptSecurely,
+    nonInteractive
+  };
+}
+export function assertAdminAccessPreconditions(
+  binaryName: RustBinaryName,
+  args: string[],
+  deps: AdminAccessGuardDeps = {}
+): void {
+  const access = resolveAdminAccess(binaryName, args, deps);
+  if (access.permitted) {
+    return;
+  }
+  throw new Error(access.reason);
+}

package/src/lib/admin-passthrough.ts ADDED Viewed

@@ -0,0 +1,33 @@
+export function rewriteAdminHelpText(value: string): string {
+  return value
+    .replaceAll('wlfi-agent-admin', 'wlfi-agent admin')
+    .replace(/^\s*bootstrap\s+.*\n/gmu, '')
+    .replace(/^\s*rotate-agent-auth-token\s+.*\n/gmu, '')
+    .replace(/^\s*revoke-agent-key\s+.*\n/gmu, '')
+    .replace(
+      'Admin CLI for configuring vault policies and agent keys',
+      'Admin CLI for configuring daemon setup, policies, chains, tokens, and agent keys',
+    )
+    .replace(
+      'Launch interactive terminal UI for bootstrap configuration',
+      'Launch interactive terminal UI for wallet setup and policy configuration',
+    )
+    .replace(
+      '  reset                            Remove the managed daemon state and local wallet credentials\n  help                             Print this message or the help of the given subcommand(s)',
+      '  chain                            Manage active chain selection and chain profiles\n  token                            Manage shared token definitions and default policies\n  daemon                           Daemon launch is managed by admin setup\n  reset                            Remove the managed daemon state and local wallet credentials\n  uninstall                        Fully remove the managed daemon, local files, and logs\n  help                             Print this message or the help of the given subcommand(s)',
+    )
+    .replace(
+      '  help                             Print this message or the help of the given subcommand(s)',
+      '  chain                            Manage active chain selection and chain profiles\n  token                            Manage shared token definitions and default policies\n  daemon                           Daemon launch is managed by admin setup\n  uninstall                        Fully remove the managed daemon, local files, and logs\n  help                             Print this message or the help of the given subcommand(s)',
+    );
+}
+export function blockedRawAdminPassthroughMessage(command: string | undefined): string | null {
+  if (command === 'rotate-agent-auth-token') {
+    return '`wlfi-agent admin rotate-agent-auth-token` is disabled; use `wlfi-agent config agent-auth rotate` so the rotated token is stored in macOS Keychain.';
+  }
+  if (command === 'revoke-agent-key') {
+    return '`wlfi-agent admin revoke-agent-key` is disabled; use `wlfi-agent config agent-auth revoke` so local credentials are removed safely.';
+  }
+  return null;
+}