@wlfi-agent/cli 1.4.13 → 1.4.15

package/src/lib/rust.ts

@@ -0,0 +1,143 @@
+import { spawn } from 'node:child_process';
+import fs from 'node:fs';
+import type { WlfiConfig } from '../../packages/config/src/index.js';
+import * as configModule from '../../packages/config/src/index.js';
+import { assertTrustedExecutablePath } from './fs-trust.js';
+import { resolveValidatedPassthroughDaemonSocket } from './passthrough-security.js';
+import { prepareSpawnOptions, type RunRustBinaryOptions } from './rust-spawn-options.js';
+
+const { readConfig, resolveRustBinaryPath } =
+  configModule as typeof import('../../packages/config/src/index.js');
+
+export type RustBinaryName = 'wlfi-agent-daemon' | 'wlfi-agent-admin' | 'wlfi-agent-agent';
+
+export class RustBinaryExitError extends Error {
+  readonly binaryName: RustBinaryName;
+  readonly code: number;
+  readonly stdout: string;
+  readonly stderr: string;
+
+  constructor(binaryName: RustBinaryName, code: number, stdout: string, stderr: string) {
+    super(stderr.trim() || `${binaryName} exited with code ${code}`);
+    this.name = 'RustBinaryExitError';
+    this.binaryName = binaryName;
+    this.code = code;
+    this.stdout = stdout;
+    this.stderr = stderr;
+  }
+}
+
+function ensureBinary(binaryName: RustBinaryName, config?: WlfiConfig): string {
+  const resolved = resolveRustBinaryPath(binaryName, config ?? readConfig());
+  if (!fs.existsSync(resolved)) {
+    throw new Error(
+      `${binaryName} is not installed at ${resolved}. Re-run npm install -g @wlfi-agent/cli or npm run install:rust-binaries.`,
+    );
+  }
+  assertTrustedExecutablePath(resolved);
+  return resolved;
+}
+
+function forwardedArgsIncludeDaemonSocket(args: string[]): boolean {
+  return args.some(
+    (arg, _index) => arg === '--daemon-socket' || arg.startsWith('--daemon-socket='),
+  );
+}
+
+export async function passthroughRustBinary(
+  binaryName: RustBinaryName,
+  args: string[],
+  config?: WlfiConfig,
+): Promise<number> {
+  const resolvedConfig = config ?? readConfig();
+  const resolvedDaemonSocket = resolveValidatedPassthroughDaemonSocket(
+    binaryName,
+    args,
+    resolvedConfig,
+  );
+  const executable = ensureBinary(binaryName, resolvedConfig);
+  const prepared = await prepareSpawnOptions(binaryName, args, {});
+  const env = { ...prepared.env };
+  if (
+    resolvedDaemonSocket &&
+    !forwardedArgsIncludeDaemonSocket(args) &&
+    !env.WLFI_DAEMON_SOCKET?.trim()
+  ) {
+    env.WLFI_DAEMON_SOCKET = resolvedDaemonSocket;
+  }
+  const child = spawn(executable, prepared.args, {
+    stdio: [prepared.stdin !== undefined ? 'pipe' : 'inherit', 'inherit', 'inherit'],
+    env,
+  });
+
+  if (prepared.stdin !== undefined) {
+    child.stdin?.end(prepared.stdin);
+  }
+
+  return await new Promise((resolve, reject) => {
+    child.on('error', reject);
+    child.on('close', (code) => resolve(code ?? 1));
+  });
+}
+
+export async function runRustBinary(
+  binaryName: RustBinaryName,
+  args: string[],
+  config?: WlfiConfig,
+  options: RunRustBinaryOptions = {},
+): Promise<{ stdout: string; stderr: string; code: number }> {
+  const resolvedConfig = config ?? readConfig();
+  const resolvedDaemonSocket = resolveValidatedPassthroughDaemonSocket(
+    binaryName,
+    args,
+    resolvedConfig,
+  );
+  const executable = ensureBinary(binaryName, resolvedConfig);
+  const prepared = await prepareSpawnOptions(binaryName, args, options);
+  const env = { ...prepared.env };
+  if (
+    resolvedDaemonSocket &&
+    !forwardedArgsIncludeDaemonSocket(args) &&
+    !env.WLFI_DAEMON_SOCKET?.trim()
+  ) {
+    env.WLFI_DAEMON_SOCKET = resolvedDaemonSocket;
+  }
+  const child = spawn(executable, prepared.args, {
+    stdio: [prepared.stdin !== undefined ? 'pipe' : 'ignore', 'pipe', 'pipe'],
+    env,
+  });
+
+  let stdout = '';
+  let stderr = '';
+  child.stdout?.on('data', (chunk) => {
+    stdout += chunk.toString();
+  });
+  child.stderr?.on('data', (chunk) => {
+    stderr += chunk.toString();
+  });
+
+  if (prepared.stdin !== undefined) {
+    child.stdin?.end(prepared.stdin);
+  }
+
+  const code = await new Promise<number>((resolve, reject) => {
+    child.on('error', reject);
+    child.on('close', (value) => resolve(value ?? 1));
+  });
+
+  if (code !== 0) {
+    throw new RustBinaryExitError(binaryName, code, stdout, stderr);
+  }
+
+  return { stdout, stderr, code };
+}
+
+export async function runRustBinaryJson<T>(
+  binaryName: RustBinaryName,
+  args: string[],
+  config?: WlfiConfig,
+  options: RunRustBinaryOptions = {},
+): Promise<T> {
+  const { stdout } = await runRustBinary(binaryName, args, config, options);
+  return JSON.parse(stdout) as T;
+}

package/src/lib/signed-tx.js

@@ -0,0 +1 @@
+export * from './signed-tx.ts';

package/src/lib/signed-tx.ts

@@ -0,0 +1,116 @@
+import {
+  isAddressEqual,
+  parseTransaction,
+  recoverTransactionAddress,
+  type Address,
+  type Hex
+} from 'viem';
+
+export interface ExpectedSignedBroadcastTransaction {
+  rawTxHex: Hex;
+  from: Address;
+  to: Address;
+  chainId: number;
+  nonce: number;
+  allowHigherNonce?: boolean;
+  value: bigint;
+  data: Hex;
+  gasLimit: bigint;
+  maxFeePerGas: bigint;
+  maxPriorityFeePerGas: bigint;
+  txType: string;
+}
+
+export interface SignedBroadcastInspection {
+  nonce: number;
+}
+
+function normalizeHex(value: Hex): string {
+  return value.toLowerCase();
+}
+
+function normalizeTxType(value: string): string {
+  const normalized = value.trim().toLowerCase();
+  if (!normalized) {
+    throw new Error('txType is required');
+  }
+
+  let parsed: bigint;
+  try {
+    parsed = normalized.startsWith('0x') ? BigInt(normalized) : BigInt(normalized);
+  } catch {
+    throw new Error(`Unsupported txType '${value}'`);
+  }
+
+  switch (parsed) {
+    case 0n:
+      return 'legacy';
+    case 1n:
+      return 'eip2930';
+    case 2n:
+      return 'eip1559';
+    case 3n:
+      return 'eip4844';
+    case 4n:
+      return 'eip7702';
+    default:
+      throw new Error(`Unsupported txType '${value}'`);
+  }
+}
+
+function assertEqual<T>(actual: T, expected: T, label: string): void {
+  if (actual !== expected) {
+    throw new Error(`signed raw transaction ${label} mismatch: expected ${expected}, received ${actual}`);
+  }
+}
+
+export async function assertSignedBroadcastTransactionMatchesRequest(
+  expected: ExpectedSignedBroadcastTransaction
+): Promise<SignedBroadcastInspection> {
+  const parsed = parseTransaction(expected.rawTxHex);
+  const recoveredFrom = await recoverTransactionAddress({
+    serializedTransaction:
+      expected.rawTxHex as Parameters<typeof recoverTransactionAddress>[0]['serializedTransaction']
+  });
+
+  if (!isAddressEqual(recoveredFrom, expected.from)) {
+    throw new Error(
+      `signed raw transaction from mismatch: expected ${expected.from}, received ${recoveredFrom}`
+    );
+  }
+
+  const parsedTo = parsed.to;
+  if (!parsedTo || !isAddressEqual(parsedTo, expected.to)) {
+    throw new Error(`signed raw transaction to mismatch: expected ${expected.to}, received ${parsedTo ?? 'null'}`);
+  }
+
+  if (parsed.nonce === undefined) {
+    throw new Error('signed raw transaction nonce is missing');
+  }
+
+  assertEqual(parsed.chainId, expected.chainId, 'chainId');
+  if (expected.allowHigherNonce) {
+    if (parsed.nonce < expected.nonce) {
+      throw new Error(
+        `signed raw transaction nonce mismatch: expected at least ${expected.nonce}, received ${parsed.nonce}`
+      );
+    }
+  } else {
+    assertEqual(parsed.nonce, expected.nonce, 'nonce');
+  }
+  assertEqual(parsed.value ?? 0n, expected.value, 'value');
+  assertEqual(parsed.gas, expected.gasLimit, 'gasLimit');
+  assertEqual(parsed.maxFeePerGas, expected.maxFeePerGas, 'maxFeePerGas');
+  assertEqual(parsed.maxPriorityFeePerGas, expected.maxPriorityFeePerGas, 'maxPriorityFeePerGas');
+  assertEqual(parsed.type, normalizeTxType(expected.txType), 'txType');
+
+  const parsedData = normalizeHex((parsed.data ?? '0x') as Hex);
+  const expectedData = normalizeHex(expected.data);
+  if (parsedData !== expectedData) {
+    throw new Error(`signed raw transaction data mismatch: expected ${expectedData}, received ${parsedData}`);
+  }
+
+  return {
+    nonce: parsed.nonce,
+  };
+}

package/src/lib/status-repair-cli.ts

@@ -0,0 +1,116 @@
+import type { Command } from 'commander';
+import {
+  formatWalletRepairText,
+  repairWalletState,
+  type WalletRepairResult,
+} from './wallet-repair.js';
+import {
+  formatWalletStatusText,
+  getWalletStatus,
+  resolveWalletStatusExitCode,
+  type WalletStatusExitOptions,
+  type WalletStatusResult,
+} from './wallet-status.js';
+
+interface CliOutputOptions {
+  asJson: boolean;
+}
+
+export interface StatusCommandDeps {
+  getWalletStatus?: () => WalletStatusResult;
+  print?: (payload: unknown, options: CliOutputOptions) => void;
+  setExitCode?: (code: number) => void;
+  resolveWalletStatusExitCode?: (
+    result: WalletStatusResult,
+    options?: WalletStatusExitOptions,
+  ) => number;
+}
+
+export interface RepairCommandDeps {
+  repairWalletState?: (input?: {
+    agentKeyId?: string;
+    overwriteKeychain?: boolean;
+    redactBootstrap?: boolean;
+  }) => WalletRepairResult;
+  print?: (payload: unknown, options: CliOutputOptions) => void;
+  setExitCode?: (code: number) => void;
+  resolveWalletStatusExitCode?: (
+    result: WalletStatusResult,
+    options?: WalletStatusExitOptions,
+  ) => number;
+}
+
+function defaultPrint(payload: unknown, options: CliOutputOptions): void {
+  if (options.asJson) {
+    process.stdout.write(`${JSON.stringify(payload, null, 2)}\n`);
+    return;
+  }
+  process.stdout.write(`${String(payload)}\n`);
+}
+
+function defaultSetExitCode(code: number): void {
+  process.exitCode = code;
+}
+
+export function registerStatusCommand(program: Command, deps: StatusCommandDeps = {}): Command {
+  const loadStatus = deps.getWalletStatus ?? getWalletStatus;
+  const print = deps.print ?? defaultPrint;
+  const setExitCode = deps.setExitCode ?? defaultSetExitCode;
+  const resolveExitCode = deps.resolveWalletStatusExitCode ?? resolveWalletStatusExitCode;
+
+  return program
+    .command('status')
+    .description('Inspect local wallet security, daemon, and credential health')
+    .option('--strict', 'Exit with status 1 when warnings are present', false)
+    .option('--json', 'Print JSON output', false)
+    .action((options) => {
+      const result = loadStatus();
+      print(options.json ? result : formatWalletStatusText(result), {
+        asJson: options.json,
+      });
+      setExitCode(
+        resolveExitCode(result, {
+          strict: options.strict,
+        }),
+      );
+    });
+}
+
+export function registerRepairCommand(program: Command, deps: RepairCommandDeps = {}): Command {
+  const runRepair = deps.repairWalletState ?? repairWalletState;
+  const print = deps.print ?? defaultPrint;
+  const setExitCode = deps.setExitCode ?? defaultSetExitCode;
+  const resolveExitCode = deps.resolveWalletStatusExitCode ?? resolveWalletStatusExitCode;
+
+  return program
+    .command('repair')
+    .description('Repair non-privileged local wallet issues and clean plaintext artifacts')
+    .option('--agent-key-id <uuid>', 'Agent key id override for legacy token migration')
+    .option(
+      '--overwrite-keychain',
+      'Replace a different existing Keychain token for this agent when migrating plaintext config storage',
+      false,
+    )
+    .option(
+      '--redact-bootstrap',
+      'Redact auto-generated bootstrap files instead of deleting them',
+      false,
+    )
+    .option('--strict', 'Exit with status 1 when warnings remain after repair', false)
+    .option('--json', 'Print JSON output', false)
+    .action((options) => {
+      const result = runRepair({
+        agentKeyId: options.agentKeyId,
+        overwriteKeychain: options.overwriteKeychain,
+        redactBootstrap: options.redactBootstrap,
+      });
+      print(options.json ? result : formatWalletRepairText(result), {
+        asJson: options.json,
+      });
+      setExitCode(
+        resolveExitCode(result.after, {
+          strict: options.strict,
+        }),
+      );
+    });
+}

package/src/lib/sudo.js

@@ -0,0 +1 @@
+export * from './sudo.ts';

package/src/lib/sudo.ts

@@ -0,0 +1,172 @@
+import { spawn, type SpawnOptions } from 'node:child_process';
+
+export interface SudoCommandResult {
+  code: number;
+  stdout: string;
+  stderr: string;
+}
+
+export interface RunSudoCommandOptions {
+  stdin?: string;
+  inheritOutput?: boolean;
+}
+
+interface CreateSudoSessionDeps {
+  promptPassword: () => Promise<string>;
+  isRoot?: () => boolean;
+  spawnCommand?: typeof spawn;
+  stdout?: Pick<NodeJS.WriteStream, 'write'>;
+  stderr?: Pick<NodeJS.WriteStream, 'write'>;
+}
+
+function currentProcessIsRoot(): boolean {
+  return typeof process.geteuid === 'function' && process.geteuid() === 0;
+}
+
+function isSudoAuthenticationFailure(output: string): boolean {
+  return (
+    /sudo: .*password is required/iu.test(output) ||
+    /sudo: .*incorrect password/iu.test(output) ||
+    /sudo: no password was provided/iu.test(output) ||
+    /sorry, try again\./iu.test(output)
+  );
+}
+
+async function runCommand(
+  command: string,
+  args: string[],
+  options: RunSudoCommandOptions,
+  deps: {
+    spawnCommand: typeof spawn;
+    stdout: Pick<NodeJS.WriteStream, 'write'>;
+    stderr: Pick<NodeJS.WriteStream, 'write'>;
+  },
+): Promise<SudoCommandResult> {
+  return await new Promise((resolve, reject) => {
+    const spawnOptions: SpawnOptions = {
+      stdio: ['pipe', 'pipe', 'pipe'],
+    };
+    const child = deps.spawnCommand(command, args, spawnOptions);
+
+    let stdout = '';
+    let stderr = '';
+
+    child.stdout?.on('data', (chunk: Buffer | string) => {
+      const text = chunk.toString();
+      stdout += text;
+      if (options.inheritOutput) {
+        deps.stdout.write(text);
+      }
+    });
+    child.stderr?.on('data', (chunk: Buffer | string) => {
+      const text = chunk.toString();
+      stderr += text;
+      if (options.inheritOutput) {
+        deps.stderr.write(text);
+      }
+    });
+
+    child.on('error', reject);
+    child.on('close', (code) => resolve({ code: code ?? 1, stdout, stderr }));
+    child.stdin?.end(options.stdin ?? '');
+  });
+}
+
+export function createSudoSession(deps: CreateSudoSessionDeps) {
+  const spawnCommand = deps.spawnCommand ?? spawn;
+  const isRoot = deps.isRoot ?? currentProcessIsRoot;
+  const stdout = deps.stdout ?? process.stdout;
+  const stderr = deps.stderr ?? process.stderr;
+  let primed = false;
+
+  async function prime(): Promise<void> {
+    if (isRoot()) {
+      primed = true;
+      return;
+    }
+    if (primed) {
+      return;
+    }
+
+    const password = await deps.promptPassword();
+    const result = await runCommand(
+      'sudo',
+      ['-S', '-p', '', '-v'],
+      {
+        stdin: `${password}\n`,
+      },
+      {
+        spawnCommand,
+        stdout,
+        stderr,
+      },
+    );
+
+    if (result.code !== 0) {
+      throw new Error(
+        result.stderr.trim() ||
+          result.stdout.trim() ||
+          `sudo credential check failed (exit code ${result.code})`,
+      );
+    }
+
+    primed = true;
+  }
+
+  async function run(
+    args: string[],
+    options: RunSudoCommandOptions = {},
+  ): Promise<SudoCommandResult> {
+    if (args.length === 0) {
+      throw new Error('sudo command arguments are required');
+    }
+
+    if (isRoot()) {
+      return await runCommand(args[0], args.slice(1), options, {
+        spawnCommand,
+        stdout,
+        stderr,
+      });
+    }
+
+    await prime();
+    let result = await runCommand(
+      'sudo',
+      ['-n', ...args],
+      options,
+      {
+        spawnCommand,
+        stdout,
+        stderr,
+      },
+    );
+
+    if (result.code === 0) {
+      return result;
+    }
+
+    const combinedOutput = `${result.stderr}\n${result.stdout}`;
+    if (!isSudoAuthenticationFailure(combinedOutput)) {
+      return result;
+    }
+
+    primed = false;
+    await prime();
+    result = await runCommand(
+      'sudo',
+      ['-n', ...args],
+      options,
+      {
+        spawnCommand,
+        stdout,
+        stderr,
+      },
+    );
+    return result;
+  }
+
+  return {
+    prime,
+    run,
+  };
+}

package/src/lib/vault-password-forwarding.js

@@ -0,0 +1 @@
+export * from './vault-password-forwarding.ts';

package/src/lib/vault-password-forwarding.ts

@@ -0,0 +1,155 @@
+const MAX_SECRET_STDIN_BYTES = 16 * 1024
+
+export interface VaultPasswordRelayOptions {
+  env?: NodeJS.ProcessEnv
+  readFromStdin?: (label: string) => Promise<string>
+}
+
+export interface PreparedVaultPasswordRelay {
+  args: string[]
+  stdin?: string
+  scrubSensitiveEnv: boolean
+}
+
+const HELP_FLAGS = new Set(['-h', '--help', '-V', '--version'])
+
+function forwardedArgsPrefix(args: string[]): string[] {
+  const terminatorIndex = args.indexOf('--')
+  return terminatorIndex >= 0 ? args.slice(0, terminatorIndex) : args
+}
+
+function skipEnvRelayForArgs(args: string[]): boolean {
+  const forwarded = forwardedArgsPrefix(args)
+  return forwarded[0] === 'help' || forwarded.some((arg) => HELP_FLAGS.has(arg))
+}
+
+function resolveInlineVaultPasswordArg(args: string[]): {
+  index: number
+  value: string
+} | null {
+  let match: { index: number; value: string } | null = null
+
+  for (let index = 0; index < forwardedArgsPrefix(args).length; index += 1) {
+    const current = args[index]
+    let nextMatch: { index: number; value: string } | null = null
+    if (current === '--vault-password') {
+      const value = args[index + 1]
+      if (value === undefined || value === '--' || value.startsWith('-')) {
+        throw new Error(
+          '--vault-password requires a value; use --vault-password=<value> if the value starts with -'
+        )
+      }
+      nextMatch = { index, value }
+      index += 1
+    } else if (current.startsWith('--vault-password=')) {
+      nextMatch = {
+        index,
+        value: current.slice('--vault-password='.length)
+      }
+    }
+
+    if (nextMatch) {
+      if (match) {
+        throw new Error('--vault-password may only be provided once')
+      }
+      match = nextMatch
+    }
+  }
+
+  return match
+}
+
+function countVaultPasswordStdinFlags(args: string[]): number {
+  let matches = 0
+
+  for (const current of forwardedArgsPrefix(args)) {
+    if (current === '--vault-password-stdin') {
+      matches += 1
+    }
+  }
+
+  return matches
+}
+
+function withTrailingNewline(secret: string): string {
+  return `${secret}\n`
+}
+
+function validateSecret(secret: string, label: string): string {
+  if (Buffer.byteLength(secret, 'utf8') > MAX_SECRET_STDIN_BYTES) {
+    throw new Error(`${label} must not exceed ${MAX_SECRET_STDIN_BYTES} bytes`)
+  }
+
+  const trimmed = secret.replace(/[\r\n]+$/u, '')
+  if (!trimmed.trim()) {
+    throw new Error(`${label} is required`)
+  }
+
+  return trimmed
+}
+
+async function readTrimmedSecretFromProcessStdin(label: string): Promise<string> {
+  process.stdin.setEncoding('utf8')
+  let raw = ''
+  for await (const chunk of process.stdin) {
+    raw += chunk
+    if (Buffer.byteLength(raw, 'utf8') > MAX_SECRET_STDIN_BYTES) {
+      throw new Error(`${label} must not exceed ${MAX_SECRET_STDIN_BYTES} bytes`)
+    }
+  }
+
+  return validateSecret(raw, label)
+}
+
+export async function prepareVaultPasswordRelay(
+  args: string[],
+  options: VaultPasswordRelayOptions = {}
+): Promise<PreparedVaultPasswordRelay> {
+  const env = options.env ?? process.env
+  const readFromStdin = options.readFromStdin ?? readTrimmedSecretFromProcessStdin
+  const inlineArg = resolveInlineVaultPasswordArg(args)
+  const stdinFlagCount = countVaultPasswordStdinFlags(args)
+  const usesStdinFlag = stdinFlagCount > 0
+
+  if (stdinFlagCount > 1) {
+    throw new Error('--vault-password-stdin may only be provided once')
+  }
+
+  if (inlineArg && usesStdinFlag) {
+    throw new Error('--vault-password conflicts with --vault-password-stdin')
+  }
+
+  if (inlineArg) {
+    validateSecret(inlineArg.value, 'vaultPassword')
+    throw new Error(
+      'insecure --vault-password is disabled; use --vault-password-stdin or a local TTY prompt'
+    )
+  }
+
+  if (usesStdinFlag) {
+    return {
+      args: [...args],
+      stdin: withTrailingNewline(await readFromStdin('vaultPassword')),
+      scrubSensitiveEnv: true
+    }
+  }
+
+  if (Object.prototype.hasOwnProperty.call(env, 'WLFI_VAULT_PASSWORD')) {
+    if (skipEnvRelayForArgs(args)) {
+      return {
+        args: [...args],
+        scrubSensitiveEnv: true
+      }
+    }
+
+    validateSecret(env.WLFI_VAULT_PASSWORD ?? '', 'vaultPassword')
+    throw new Error(
+      'WLFI_VAULT_PASSWORD is disabled for security; use --vault-password-stdin or a local TTY prompt'
+    )
+  }
+
+  return {
+    args: [...args],
+    scrubSensitiveEnv: true
+  }
+}