@wlfi-agent/cli 1.4.15 → 1.4.17

package/scripts/install-rust-binaries.mjs

@@ -2,83 +2,254 @@ import fs from 'node:fs';
 import os from 'node:os';
 import path from 'node:path';
 import { spawnSync } from 'node:child_process';
-
-if (process.env.WLFI_SKIP_RUST_INSTALL === '1') {
-  process.exit(0);
-}
+import { pathToFileURL } from 'node:url';
 
 const repoRoot = new URL('..', import.meta.url).pathname;
-const wlfiHome = process.env.WLFI_HOME?.trim() || path.join(os.homedir(), '.wlfi_agent');
-const binDir = path.join(wlfiHome, 'bin');
 const extension = process.platform === 'win32' ? '.exe' : '';
+const MIN_RUST_VERSION = {
+  major: 1,
+  minor: 87,
+  patch: 0,
+};
 const rustBins = [
   'wlfi-agent-daemon',
   'wlfi-agent-admin',
   'wlfi-agent-agent',
-  'wlfi-agent-system-keychain'
+  'wlfi-agent-system-keychain',
 ];
-const helperScripts = [
-  {
-    source: path.join(repoRoot, 'scripts', 'launchd', 'run-wlfi-agent-daemon.sh'),
-    destination: path.join(binDir, 'run-wlfi-agent-daemon.sh')
+const RERUN_INSTRUCTIONS =
+  'After installing prerequisites, rerun `npm install -g @wlfi-agent/cli`.';
+
+function decodeOutput(value) {
+  if (!value) {
+    return '';
   }
-];
+  return value.toString().trim();
+}
 
-fs.mkdirSync(binDir, { recursive: true, mode: 0o700 });
-const cargo = spawnSync('cargo', ['--version'], { cwd: repoRoot, stdio: 'pipe' });
-if (cargo.status !== 0) {
-  console.warn('[wlfi-agent] cargo was not found; skipping Rust binary installation');
-  console.warn('[wlfi-agent] install Rust from https://rustup.rs and rerun `npm run install:rust-binaries`.');
-  process.exit(0);
+function formatMinimumRustVersion() {
+  return `${MIN_RUST_VERSION.major}.${MIN_RUST_VERSION.minor}.${MIN_RUST_VERSION.patch}`;
 }
 
-const build = spawnSync(
-  'cargo',
-  [
-    'build',
-    '--release',
-    '-p',
-    'wlfi-agent-daemon',
-    '-p',
-    'wlfi-agent-admin',
-    '-p',
-    'wlfi-agent-agent'
-  ],
-  { cwd: repoRoot, stdio: 'inherit' }
-);
-if (build.status !== 0) {
-  process.exit(build.status ?? 1);
+function parseRustVersion(output) {
+  const match = output.match(/\b(\d+)\.(\d+)\.(\d+)(?:[-+][^\s]+)?\b/);
+  if (!match) {
+    return null;
+  }
+  return {
+    major: Number(match[1]),
+    minor: Number(match[2]),
+    patch: Number(match[3]),
+  };
 }
 
-for (const binary of rustBins) {
-  const source = path.join(repoRoot, 'target', 'release', binary + extension);
-  const destination = path.join(binDir, binary + extension);
-  fs.copyFileSync(source, destination);
-  if (process.platform !== 'win32') {
-    fs.chmodSync(destination, 0o755);
+function compareVersions(left, right) {
+  if (left.major !== right.major) {
+    return left.major - right.major;
+  }
+  if (left.minor !== right.minor) {
+    return left.minor - right.minor;
   }
+  return left.patch - right.patch;
+}
+
+function runCheck(spawnSyncImpl, command, args, options = {}) {
+  return spawnSyncImpl(command, args, {
+    cwd: repoRoot,
+    stdio: 'pipe',
+    ...options,
+  });
+}
+
+function resolveWlfiPaths(env) {
+  const wlfiHome = env.WLFI_HOME?.trim() || path.join(os.homedir(), '.wlfi_agent');
+  return {
+    wlfiHome,
+    binDir: path.join(wlfiHome, 'bin'),
+  };
+}
+
+function resolveHelperScripts(binDir) {
+  return [
+    {
+      source: path.join(repoRoot, 'scripts', 'launchd', 'run-wlfi-agent-daemon.sh'),
+      destination: path.join(binDir, 'run-wlfi-agent-daemon.sh'),
+    },
+    {
+      source: path.join(repoRoot, 'scripts', 'launchd', 'install-user-daemon.sh'),
+      destination: path.join(binDir, 'install-user-daemon.sh'),
+    },
+    {
+      source: path.join(repoRoot, 'scripts', 'launchd', 'uninstall-user-daemon.sh'),
+      destination: path.join(binDir, 'uninstall-user-daemon.sh'),
+    },
+  ];
 }
 
-for (const script of helperScripts) {
-  fs.copyFileSync(script.source, script.destination);
-  if (process.platform !== 'win32') {
-    fs.chmodSync(script.destination, 0o755);
+function checkCargoAvailable(spawnSyncImpl) {
+  const result = runCheck(spawnSyncImpl, 'cargo', ['--version']);
+  if (result.status === 0) {
+    return;
+  }
+
+  const detail = decodeOutput(result.stderr) || decodeOutput(result.stdout);
+  const lines = [
+    '[wlfi-agent] Rust toolchain was not found on PATH.',
+    '[wlfi-agent] Install Rust from https://rustup.rs.',
+  ];
+  if (detail) {
+    lines.push(`[wlfi-agent] cargo check output: ${detail}`);
+  }
+  lines.push(`[wlfi-agent] ${RERUN_INSTRUCTIONS}`);
+  throw new Error(lines.join('\n'));
+}
+
+function checkRustcVersion(spawnSyncImpl) {
+  const result = runCheck(spawnSyncImpl, 'rustc', ['--version']);
+  if (result.status !== 0) {
+    const detail = decodeOutput(result.stderr) || decodeOutput(result.stdout);
+    const lines = [
+      '[wlfi-agent] Rust compiler was not found on PATH.',
+      `[wlfi-agent] Install Rust ${formatMinimumRustVersion()} or newer from https://rustup.rs.`,
+    ];
+    if (detail) {
+      lines.push(`[wlfi-agent] rustc check output: ${detail}`);
+    }
+    lines.push(`[wlfi-agent] ${RERUN_INSTRUCTIONS}`);
+    throw new Error(lines.join('\n'));
+  }
+
+  const versionOutput = decodeOutput(result.stdout) || decodeOutput(result.stderr);
+  const parsedVersion = parseRustVersion(versionOutput);
+  if (!parsedVersion) {
+    throw new Error(
+      `[wlfi-agent] Unable to determine the installed Rust compiler version from: ${versionOutput || '<empty output>'}`,
+    );
+  }
+
+  if (compareVersions(parsedVersion, MIN_RUST_VERSION) < 0) {
+    throw new Error(
+      `[wlfi-agent] Rust ${formatMinimumRustVersion()} or newer is required; found ${versionOutput}.\n` +
+        `[wlfi-agent] Update Rust with \`rustup update\`.\n` +
+        `[wlfi-agent] ${RERUN_INSTRUCTIONS}`,
+    );
   }
 }
 
-const configPath = path.join(wlfiHome, 'config.json');
-if (!fs.existsSync(configPath)) {
-  fs.writeFileSync(
-    configPath,
-    JSON.stringify(
-      {
-        daemonSocket: path.join(wlfiHome, 'daemon.sock'),
-        stateFile: path.join(wlfiHome, 'daemon-state.enc'),
-        rustBinDir: binDir
-      },
-      null,
-      2
-    ) + '\n',
-    { mode: 0o600 }
+function checkMacOsToolchainAvailable(spawnSyncImpl, platform) {
+  if (platform !== 'darwin') {
+    return;
+  }
+
+  const result = runCheck(spawnSyncImpl, 'xcrun', ['--sdk', 'macosx', '--find', 'clang']);
+  if (result.status === 0) {
+    return;
+  }
+
+  const detail = decodeOutput(result.stderr) || decodeOutput(result.stdout);
+  const lines = [
+    '[wlfi-agent] macOS Command Line Tools were not found or are not configured.',
+    '[wlfi-agent] Install them with `xcode-select --install`.',
+  ];
+  if (detail) {
+    lines.push(`[wlfi-agent] xcrun check output: ${detail}`);
+  }
+  lines.push(`[wlfi-agent] ${RERUN_INSTRUCTIONS}`);
+  throw new Error(lines.join('\n'));
+}
+
+export function verifyRustInstallPrerequisites({
+  spawnSyncImpl = spawnSync,
+  platform = process.platform,
+} = {}) {
+  checkCargoAvailable(spawnSyncImpl);
+  checkRustcVersion(spawnSyncImpl);
+  checkMacOsToolchainAvailable(spawnSyncImpl, platform);
+}
+
+export function installRustBinaries({
+  spawnSyncImpl = spawnSync,
+  env = process.env,
+  platform = process.platform,
+} = {}) {
+  if (env.WLFI_SKIP_RUST_INSTALL === '1') {
+    return 0;
+  }
+
+  verifyRustInstallPrerequisites({ spawnSyncImpl, platform });
+
+  const { wlfiHome, binDir } = resolveWlfiPaths(env);
+  const helperScripts = resolveHelperScripts(binDir);
+
+  fs.mkdirSync(binDir, { recursive: true, mode: 0o700 });
+  const build = spawnSyncImpl(
+    'cargo',
+    [
+      'build',
+      '--locked',
+      '--release',
+      '-p',
+      'wlfi-agent-daemon',
+      '-p',
+      'wlfi-agent-admin',
+      '-p',
+      'wlfi-agent-agent',
+    ],
+    { cwd: repoRoot, stdio: 'inherit' },
+  );
+  if (build.status !== 0) {
+    return build.status ?? 1;
+  }
+
+  for (const binary of rustBins) {
+    const source = path.join(repoRoot, 'target', 'release', binary + extension);
+    const destination = path.join(binDir, binary + extension);
+    fs.copyFileSync(source, destination);
+    if (platform !== 'win32') {
+      fs.chmodSync(destination, 0o755);
+    }
+  }
+
+  for (const script of helperScripts) {
+    fs.copyFileSync(script.source, script.destination);
+    if (platform !== 'win32') {
+      fs.chmodSync(script.destination, 0o755);
+    }
+  }
+
+  const configPath = path.join(wlfiHome, 'config.json');
+  if (!fs.existsSync(configPath)) {
+    fs.writeFileSync(
+      configPath,
+      JSON.stringify(
+        {
+          daemonSocket: path.join(wlfiHome, 'daemon.sock'),
+          stateFile: path.join(wlfiHome, 'daemon-state.enc'),
+          rustBinDir: binDir,
+        },
+        null,
+        2,
+      ) + '\n',
+      { mode: 0o600 },
+    );
+  }
+
+  return 0;
+}
+
+function isDirectExecution() {
+  return (
+    Boolean(process.argv[1]) &&
+    import.meta.url === pathToFileURL(path.resolve(process.argv[1])).href
   );
 }
+
+if (isDirectExecution()) {
+  try {
+    process.exitCode = installRustBinaries();
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    process.stderr.write(`${message}\n`);
+    process.exitCode = 1;
+  }
+}

package/src/cli.ts

@@ -1,41 +1,6 @@
-import {
-  type ChainProfile,
-  defaultDaemonSocketPath,
-  deleteConfigKey,
-  ensureWlfiHome,
-  listBuiltinChains,
-  listBuiltinTokens,
-  listConfiguredChains,
-  listConfiguredTokens,
-  readConfig,
-  redactConfig,
-  removeChainProfile,
-  removeTokenChainProfile,
-  removeTokenProfile,
-  resolveChainProfile,
-  resolveConfigPath,
-  resolveTokenProfile,
-  saveChainProfile,
-  saveTokenChainProfile,
-  switchActiveChain,
-  type TokenChainProfile,
-  type WlfiConfig,
-  writeConfig,
-} from '@wlfi-agent/config';
-import {
-  broadcastRawTransaction,
-  estimateFees,
-  estimateGas,
-  getAccountSnapshot,
-  getChainInfo,
-  getCodeAtAddress,
-  getLatestBlockNumber,
-  getNativeBalance,
-  getNonce,
-  getTokenBalance,
-  getTransactionByHash,
-  getTransactionReceiptByHash,
-} from '@wlfi-agent/rpc';
+import * as configPackage from '../packages/config/src/index.js';
+import * as rpcPackage from '../packages/rpc/src/index.ts';
+import type { ChainProfile, TokenChainProfile, WlfiConfig } from '../packages/config/src/index.js';
 import { Command, Option } from 'commander';
 import { type Address, type Hex, isAddress, isHex } from 'viem';
 import { assertSafeRpcUrl } from '../packages/config/src/index.js';
@@ -118,6 +83,49 @@ import {
   walletProfileFromBootstrapSummary,
 } from './lib/wallet-profile.js';
 
+const configExports = (
+  'default' in configPackage ? configPackage.default : configPackage
+) as typeof import('../packages/config/src/index.js');
+const {
+  defaultDaemonSocketPath,
+  deleteConfigKey,
+  ensureWlfiHome,
+  listBuiltinChains,
+  listBuiltinTokens,
+  listConfiguredChains,
+  listConfiguredTokens,
+  readConfig,
+  redactConfig,
+  removeChainProfile,
+  removeTokenChainProfile,
+  removeTokenProfile,
+  resolveChainProfile,
+  resolveConfigPath,
+  resolveTokenProfile,
+  saveChainProfile,
+  saveTokenChainProfile,
+  switchActiveChain,
+  writeConfig,
+} = configExports;
+
+const rpcExports = ('default' in rpcPackage ? rpcPackage.default : rpcPackage) as typeof import(
+  '../packages/rpc/src/index.ts'
+);
+const {
+  broadcastRawTransaction,
+  estimateFees,
+  estimateGas,
+  getAccountSnapshot,
+  getChainInfo,
+  getCodeAtAddress,
+  getLatestBlockNumber,
+  getNativeBalance,
+  getNonce,
+  getTokenBalance,
+  getTransactionByHash,
+  getTransactionReceiptByHash,
+} = rpcExports;
+
 interface RustBroadcastOutput {
   command: string;
   network: string;
@@ -302,7 +310,11 @@ async function readTrimmedStdin(label: string): Promise<string> {
 }
 
 function formatJson(payload: unknown) {
-  return JSON.stringify(payload, null, 2);
+  return JSON.stringify(
+    payload,
+    (_key, value) => (typeof value === 'bigint' ? value.toString() : value),
+    2,
+  );
 }
 
 function stringifyOptionalValue(value: { toString(): string } | null | undefined): string | null {

package/src/lib/admin-passthrough.js

@@ -0,0 +1 @@
+export * from './admin-passthrough.ts';

package/src/lib/admin-reset.js

@@ -0,0 +1 @@
+export * from './admin-reset.ts';

package/src/lib/admin-reset.ts

@@ -20,6 +20,10 @@ import {
   DAEMON_PASSWORD_KEYCHAIN_SERVICE,
   deleteAgentAuthTokenFromKeychain,
 } from './keychain.js';
+import {
+  LAUNCHD_UNINSTALL_SCRIPT_NAME,
+  resolveLaunchDaemonHelperScriptPath,
+} from './launchd-assets.js';
 import { createSudoSession } from './sudo.js';
 
 const DEFAULT_LAUNCH_DAEMON_LABEL = 'com.wlfi.agent.daemon';
@@ -29,6 +33,7 @@ const DEFAULT_LAUNCH_DAEMON_PLIST = `/Library/LaunchDaemons/${DEFAULT_LAUNCH_DAE
 const DEFAULT_MANAGED_ROOT_DIR = '/Library/WLFI';
 const DEFAULT_MANAGED_STATE_DIR = '/var/db/wlfi-agent';
 const DEFAULT_MANAGED_LOG_DIR = '/var/log/wlfi-agent';
+const DEFAULT_MANAGED_RELAY_DAEMON_TOKEN_FILE = `${DEFAULT_MANAGED_STATE_DIR}/relay-daemon-token`;
 const MAX_SECRET_STDIN_BYTES = 16 * 1024;
 const SPINNER_FRAMES = ['⠋', '⠙', '⠹', '⠸', '⠼', '⠴', '⠦', '⠧', '⠇', '⠏'];
 
@@ -247,6 +252,7 @@ function printResetSummary(result: {
   daemon: {
     label: string;
     daemonSocket: string;
+    relayDaemonTokenFile: string;
     stateFile: string;
   };
   local: CleanupLocalAdminResetStateResult;
@@ -256,6 +262,7 @@ function printResetSummary(result: {
     `managed daemon removed: ${result.daemon.label}`,
     `managed state deleted: ${result.daemon.stateFile}`,
     `managed socket removed: ${result.daemon.daemonSocket}`,
+    `managed relay token removed: ${result.daemon.relayDaemonTokenFile}`,
   ];
 
   if (result.local.agentKeyId) {
@@ -284,20 +291,20 @@ function printResetSummary(result: {
   console.log(lines.join('\n'));
 }
 
-function resolveLaunchDaemonUninstallScriptPath(): string {
-  const candidates = [
-    path.resolve(__dirname, '../scripts/launchd/uninstall-user-daemon.sh'),
-    path.resolve(__dirname, '../../scripts/launchd/uninstall-user-daemon.sh'),
-    path.resolve(process.cwd(), 'scripts/launchd/uninstall-user-daemon.sh'),
-  ];
+function resolveLaunchDaemonUninstallScriptPath(config?: WlfiConfig): string {
+  return resolveLaunchDaemonHelperScriptPath(LAUNCHD_UNINSTALL_SCRIPT_NAME, config);
+}
 
-  for (const candidate of candidates) {
-    if (fs.existsSync(candidate)) {
-      return candidate;
-    }
-  }
+function readConfigIfPresent(): WlfiConfig | undefined {
+  return fs.existsSync(resolveConfigPath()) ? readConfig() : undefined;
+}
 
-  return candidates[0];
+export function managedDaemonResetArtifactPaths(): string[] {
+  return [
+    DEFAULT_MANAGED_STATE_FILE,
+    DEFAULT_MANAGED_DAEMON_SOCKET,
+    DEFAULT_MANAGED_RELAY_DAEMON_TOKEN_FILE,
+  ];
 }
 
 export function cleanupLocalAdminResetState(
@@ -480,12 +487,13 @@ async function runAdminReset(options: AdminResetOptions): Promise<void> {
     );
   }
   await sudoSession.prime();
+  const currentConfig = readConfigIfPresent();
 
   const uninstallProgress = createProgress('Uninstalling managed daemon', showProgress);
   let uninstallResult;
   try {
     uninstallResult = await sudoSession.run([
-      resolveLaunchDaemonUninstallScriptPath(),
+      resolveLaunchDaemonUninstallScriptPath(currentConfig),
       '--label',
       DEFAULT_LAUNCH_DAEMON_LABEL,
       '--keychain-service',
@@ -514,8 +522,7 @@ async function runAdminReset(options: AdminResetOptions): Promise<void> {
     deleteRootArtifactsResult = await sudoSession.run([
       '/bin/rm',
       '-f',
-      DEFAULT_MANAGED_STATE_FILE,
-      DEFAULT_MANAGED_DAEMON_SOCKET,
+      ...managedDaemonResetArtifactPaths(),
     ]);
   } catch (error) {
     stateProgress.fail();
@@ -543,6 +550,7 @@ async function runAdminReset(options: AdminResetOptions): Promise<void> {
       launchdDomain: 'system',
       plist: DEFAULT_LAUNCH_DAEMON_PLIST,
       daemonSocket: DEFAULT_MANAGED_DAEMON_SOCKET,
+      relayDaemonTokenFile: DEFAULT_MANAGED_RELAY_DAEMON_TOKEN_FILE,
       stateFile: DEFAULT_MANAGED_STATE_FILE,
       systemKeychainPasswordService: DAEMON_PASSWORD_KEYCHAIN_SERVICE,
       systemKeychainPasswordAccount: keychainAccount,
@@ -560,6 +568,7 @@ async function runAdminReset(options: AdminResetOptions): Promise<void> {
     daemon: {
       label: result.daemon.label,
       daemonSocket: result.daemon.daemonSocket,
+      relayDaemonTokenFile: result.daemon.relayDaemonTokenFile,
       stateFile: result.daemon.stateFile,
     },
     local,
@@ -625,12 +634,13 @@ async function runAdminUninstall(options: AdminUninstallOptions): Promise<void>
     );
   }
   await sudoSession.prime();
+  const currentConfig = readConfigIfPresent();
 
   const uninstallProgress = createProgress('Uninstalling managed daemon', showProgress);
   let uninstallResult;
   try {
     uninstallResult = await sudoSession.run([
-      resolveLaunchDaemonUninstallScriptPath(),
+      resolveLaunchDaemonUninstallScriptPath(currentConfig),
       '--label',
       DEFAULT_LAUNCH_DAEMON_LABEL,
       '--keychain-service',

package/src/lib/admin-setup.js

@@ -0,0 +1 @@
+export * from './admin-setup.ts';

package/src/lib/admin-setup.ts

@@ -21,6 +21,11 @@ import {
   assertTrustedRootPlannedPrivateFilePath,
 } from './fs-trust.js';
 import { DAEMON_PASSWORD_KEYCHAIN_SERVICE } from './keychain.js';
+import {
+  LAUNCHD_INSTALL_SCRIPT_NAME,
+  LAUNCHD_RUNNER_SCRIPT_NAME,
+  resolveLaunchDaemonHelperScriptPath,
+} from './launchd-assets.js';
 import { resolveCliNetworkProfile } from './network-selection.js';
 import { passthroughRustBinary, RustBinaryExitError, runRustBinary } from './rust.js';
 import { createSudoSession } from './sudo.js';
@@ -639,7 +644,7 @@ function resolveRustBinDir(config: WlfiConfig): string {
 function resolveSourceLaunchDaemonPaths(config: WlfiConfig): LaunchDaemonAssetPaths {
   const rustBinDir = resolveRustBinDir(config);
   return {
-    runnerPath: path.join(rustBinDir, 'run-wlfi-agent-daemon.sh'),
+    runnerPath: path.join(rustBinDir, LAUNCHD_RUNNER_SCRIPT_NAME),
     daemonBin: path.join(
       rustBinDir,
       `wlfi-agent-daemon${process.platform === 'win32' ? '.exe' : ''}`,
@@ -662,20 +667,8 @@ export function resolveManagedLaunchDaemonPaths(): LaunchDaemonAssetPaths {
   };
 }
 
-function resolveLaunchDaemonInstallScriptPath(): string {
-  const candidates = [
-    path.resolve(__dirname, '../scripts/launchd/install-user-daemon.sh'),
-    path.resolve(__dirname, '../../scripts/launchd/install-user-daemon.sh'),
-    path.resolve(process.cwd(), 'scripts/launchd/install-user-daemon.sh'),
-  ];
-
-  for (const candidate of candidates) {
-    if (fs.existsSync(candidate)) {
-      return candidate;
-    }
-  }
-
-  return candidates[0];
+function resolveLaunchDaemonInstallScriptPath(config: WlfiConfig): string {
+  return resolveLaunchDaemonHelperScriptPath(LAUNCHD_INSTALL_SCRIPT_NAME, config);
 }
 
 function filesHaveIdenticalContents(leftPath: string, rightPath: string): boolean {
@@ -718,23 +711,24 @@ export function assertManagedDaemonInstallPreconditions(
     deps.assertTrustedRootPlannedDaemonSocketPath ?? assertTrustedRootPlannedDaemonSocketPath;
   const trustStateFilePath =
     deps.assertTrustedRootPlannedPrivateFilePath ?? assertTrustedRootPlannedPrivateFilePath;
-  const installScript = (deps.resolveInstallScriptPath ?? resolveLaunchDaemonInstallScriptPath)();
+  const installScript =
+    (deps.resolveInstallScriptPath ?? (() => resolveLaunchDaemonInstallScriptPath(config)))();
   const sourcePaths = resolveSourceLaunchDaemonPaths(config);
   const managedPaths = resolveManagedLaunchDaemonPaths();
 
   if (!existsSync(sourcePaths.runnerPath)) {
     throw new Error(
-      `daemon runner is not installed at ${sourcePaths.runnerPath}; rerun npm run install:rust-binaries`,
+      `daemon runner is not installed at ${sourcePaths.runnerPath}; reinstall @wlfi-agent/cli`,
     );
   }
   if (!existsSync(sourcePaths.daemonBin)) {
     throw new Error(
-      `daemon binary is not installed at ${sourcePaths.daemonBin}; rerun npm run install:rust-binaries`,
+      `daemon binary is not installed at ${sourcePaths.daemonBin}; reinstall @wlfi-agent/cli`,
     );
   }
   if (!existsSync(sourcePaths.keychainHelperBin)) {
     throw new Error(
-      `daemon keychain helper is not installed at ${sourcePaths.keychainHelperBin}; rerun npm run install:rust-binaries`,
+      `daemon keychain helper is not installed at ${sourcePaths.keychainHelperBin}; reinstall @wlfi-agent/cli`,
     );
   }
   if (!existsSync(installScript)) {
@@ -927,6 +921,17 @@ function plistContainsValue(plistContents: string, value: string): boolean {
   return plistContents.includes(`<string>${value}</string>`);
 }
 
+export function launchDaemonPlistValue(
+  plistContents: string,
+  key: string,
+): string | null {
+  const escapedKey = key.replace(/[.*+?^${}()|[\]\\]/gu, '\\$&');
+  const match = plistContents.match(
+    new RegExp(`<key>${escapedKey}</key>\\s*<string>([^<]+)</string>`, 'u'),
+  );
+  return match?.[1] ?? null;
+}
+
 function resolveInstalledLaunchDaemonPaths(
   config: WlfiConfig,
   plistContents: string,
@@ -961,6 +966,7 @@ function isManagedDaemonInstallCurrent(
   const sourcePaths = resolveSourceLaunchDaemonPaths(config);
   const keychainAccount = os.userInfo().username;
   const expectedAdminUid = String(process.getuid?.() ?? process.geteuid?.() ?? 0);
+  const expectedAgentUid = String(process.getuid?.() ?? process.geteuid?.() ?? 0);
 
   if (!fs.existsSync(DEFAULT_LAUNCH_DAEMON_PLIST)) {
     return false;
@@ -1003,6 +1009,13 @@ function isManagedDaemonInstallCurrent(
     return false;
   }
 
+  if (
+    launchDaemonPlistValue(plistContents, 'WLFI_ALLOW_ADMIN_EUID') !== expectedAdminUid ||
+    launchDaemonPlistValue(plistContents, 'WLFI_ALLOW_AGENT_EUID') !== expectedAgentUid
+  ) {
+    return false;
+  }
+
   return [
     DEFAULT_LAUNCH_DAEMON_LABEL,
     installedPaths.runnerPath,
@@ -1013,7 +1026,6 @@ function isManagedDaemonInstallCurrent(
     DAEMON_PASSWORD_KEYCHAIN_SERVICE,
     keychainAccount,
     DEFAULT_SIGNER_BACKEND,
-    expectedAdminUid,
   ].every((value) => plistContainsValue(plistContents, value));
 }
 

package/src/lib/agent-auth-revoke.js

@@ -0,0 +1 @@
+export * from './agent-auth-revoke.ts';

package/src/lib/agent-auth-rotate.js

@@ -0,0 +1 @@
+export * from './agent-auth-rotate.ts';

package/src/lib/agent-auth.js

@@ -0,0 +1 @@
+export * from './agent-auth.ts';

package/src/lib/config-mutation.js

@@ -0,0 +1 @@
+export * from './config-mutation.ts';

package/src/lib/launchd-assets.js

@@ -0,0 +1 @@
+export * from './launchd-assets.ts';