npm - @wlfi-agent/cli - Versions diffs - 1.4.17 → 1.4.18 - Mend

@wlfi-agent/cli 1.4.17 → 1.4.18

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (93) hide show

package/Cargo.lock +5 -0
package/README.md +61 -28
package/crates/vault-cli-admin/src/io_utils.rs +149 -1
package/crates/vault-cli-admin/src/main.rs +639 -16
package/crates/vault-cli-admin/src/shared_config.rs +18 -18
package/crates/vault-cli-admin/src/tui/token_rpc.rs +190 -3
package/crates/vault-cli-admin/src/tui/utils.rs +59 -0
package/crates/vault-cli-admin/src/tui.rs +1205 -120
package/crates/vault-cli-agent/Cargo.toml +1 -0
package/crates/vault-cli-agent/src/io_utils.rs +163 -2
package/crates/vault-cli-agent/src/main.rs +648 -32
package/crates/vault-cli-daemon/Cargo.toml +4 -0
package/crates/vault-cli-daemon/src/main.rs +617 -67
package/crates/vault-cli-daemon/src/relay_sync.rs +776 -4
package/crates/vault-cli-daemon/tests/system_keychain_helper_acl.rs +5 -0
package/crates/vault-daemon/src/daemon_parts/api_impl_and_utils.rs +32 -1
package/crates/vault-daemon/src/persistence.rs +637 -100
package/crates/vault-daemon/src/tests.rs +1013 -3
package/crates/vault-daemon/src/tests_parts/part2.rs +99 -0
package/crates/vault-daemon/src/tests_parts/part4.rs +11 -7
package/crates/vault-domain/src/nonce.rs +4 -0
package/crates/vault-domain/src/tests.rs +616 -0
package/crates/vault-policy/src/engine.rs +55 -32
package/crates/vault-policy/src/tests.rs +195 -0
package/crates/vault-sdk-agent/src/lib.rs +415 -22
package/crates/vault-signer/Cargo.toml +3 -0
package/crates/vault-signer/src/lib.rs +266 -40
package/crates/vault-transport-unix/src/lib.rs +653 -5
package/crates/vault-transport-xpc/src/tests.rs +531 -3
package/crates/vault-transport-xpc/tests/e2e_flow.rs +3 -0
package/dist/cli.cjs +663 -190
package/dist/cli.cjs.map +1 -1
package/package.json +5 -2
package/packages/cache/.turbo/turbo-build.log +20 -20
package/packages/cache/coverage/clover.xml +529 -394
package/packages/cache/coverage/coverage-final.json +2 -2
package/packages/cache/coverage/index.html +21 -21
package/packages/cache/coverage/src/client/index.html +1 -1
package/packages/cache/coverage/src/client/index.ts.html +1 -1
package/packages/cache/coverage/src/errors/index.html +1 -1
package/packages/cache/coverage/src/errors/index.ts.html +12 -12
package/packages/cache/coverage/src/index.html +1 -1
package/packages/cache/coverage/src/index.ts.html +1 -1
package/packages/cache/coverage/src/service/index.html +21 -21
package/packages/cache/coverage/src/service/index.ts.html +769 -313
package/packages/cache/dist/{chunk-QNK6GOTI.js → chunk-KC53LH5Z.js} +35 -2
package/packages/cache/dist/chunk-KC53LH5Z.js.map +1 -0
package/packages/cache/dist/{chunk-QF4XKEIA.cjs → chunk-UVU7VFE3.cjs} +35 -2
package/packages/cache/dist/chunk-UVU7VFE3.cjs.map +1 -0
package/packages/cache/dist/index.cjs +2 -2
package/packages/cache/dist/index.js +1 -1
package/packages/cache/dist/service/index.cjs +2 -2
package/packages/cache/dist/service/index.js +1 -1
package/packages/cache/node_modules/.bin/tsc +2 -2
package/packages/cache/node_modules/.bin/tsserver +2 -2
package/packages/cache/node_modules/.bin/tsup +2 -2
package/packages/cache/node_modules/.bin/tsup-node +2 -2
package/packages/cache/node_modules/.bin/vitest +4 -4
package/packages/cache/node_modules/.vite/vitest/da39a3ee5e6b4b0d3255bfef95601890afd80709/results.json +1 -1
package/packages/cache/src/service/index.test.ts +165 -19
package/packages/cache/src/service/index.ts +38 -1
package/packages/config/.turbo/turbo-build.log +4 -4
package/packages/config/dist/index.cjs +0 -17
package/packages/config/dist/index.cjs.map +1 -1
package/packages/config/src/index.ts +0 -17
package/packages/rpc/.turbo/turbo-build.log +11 -11
package/packages/rpc/dist/index.cjs +0 -17
package/packages/rpc/dist/index.cjs.map +1 -1
package/packages/rpc/src/index.js +1 -0
package/packages/ui/node_modules/.bin/tsc +2 -2
package/packages/ui/node_modules/.bin/tsserver +2 -2
package/packages/ui/node_modules/.bin/tsup +2 -2
package/packages/ui/node_modules/.bin/tsup-node +2 -2
package/scripts/install-cli-launcher.mjs +37 -0
package/scripts/install-rust-binaries.mjs +47 -0
package/scripts/run-tests-isolated.mjs +210 -0
package/src/cli.ts +310 -50
package/src/lib/admin-reset.ts +15 -30
package/src/lib/admin-setup.ts +246 -55
package/src/lib/agent-auth-migrate.ts +5 -1
package/src/lib/asset-broadcast.ts +15 -4
package/src/lib/config-amounts.ts +6 -4
package/src/lib/hidden-tty-prompt.js +1 -0
package/src/lib/hidden-tty-prompt.ts +105 -0
package/src/lib/keychain.ts +1 -0
package/src/lib/local-admin-access.ts +4 -29
package/src/lib/rust.ts +129 -33
package/src/lib/signed-tx.ts +1 -0
package/src/lib/sudo.ts +15 -5
package/src/lib/wallet-profile.ts +3 -0
package/src/lib/wallet-setup.ts +52 -0
package/packages/cache/dist/chunk-QF4XKEIA.cjs.map +0 -1
package/packages/cache/dist/chunk-QNK6GOTI.js.map +0 -1

package/packages/cache/src/service/index.test.ts CHANGED Viewed

@@ -1,6 +1,7 @@
 import { createHash } from 'node:crypto';
 import { describe, expect, it } from 'vitest';
-import { CacheError, cacheErrorCodes } from '../errors/index.js';
+import { cacheErrorCodes } from '../errors/index.js';
+import type { CacheError } from '../errors/index.js';
 import { RelayCacheService } from './index.js';
 class InMemoryCacheClient {
@@ -383,6 +384,87 @@ describe('RelayCacheService approval capability guards', () => {
     expect(synced?.metadata?.approvalCapabilityToken).not.toBe(originalToken);
   });
+  it('removes approvals omitted from a later daemon sync snapshot', async () => {
+    const client = new MutableInMemoryCacheClient();
+    const service = new RelayCacheService({
+      client: client as never,
+      namespace: 'test:relay',
+    });
+    const daemonId = '44'.repeat(32);
+    const retainedApprovalId = 'dddddddd-dddd-4ddd-8ddd-dddddddddddd';
+    const removedApprovalId = 'eeeeeeee-eeee-4eee-8eee-eeeeeeeeeeee';
+    const activeApprovalKey = `test:relay:approval:${removedApprovalId}:active-update`;
+    const failureKey = `test:relay:approval:${removedApprovalId}:capability-failures`;
+    await service.syncDaemonRegistration({
+      daemon: {
+        daemonId,
+        daemonPublicKey: '12'.repeat(32),
+        ethereumAddress: '0x1212121212121212121212121212121212121212',
+        lastSeenAt: new Date().toISOString(),
+        registeredAt: new Date().toISOString(),
+        status: 'active',
+        updatedAt: new Date().toISOString(),
+      },
+      approvalRequests: [
+        {
+          approvalRequestId: retainedApprovalId,
+          daemonId,
+          destination: '0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',
+          requestedAt: new Date().toISOString(),
+          status: 'pending',
+          transactionType: 'transfer_native',
+          updatedAt: new Date().toISOString(),
+        },
+        {
+          approvalRequestId: removedApprovalId,
+          daemonId,
+          destination: '0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb',
+          requestedAt: new Date().toISOString(),
+          status: 'pending',
+          transactionType: 'transfer_native',
+          updatedAt: new Date().toISOString(),
+        },
+      ],
+    });
+    await client.forceSet(activeApprovalKey, 'stale-update-id');
+    await service.recordApprovalCapabilityFailure(removedApprovalId);
+    await service.syncDaemonRegistration({
+      daemon: {
+        daemonId,
+        daemonPublicKey: '12'.repeat(32),
+        ethereumAddress: '0x1212121212121212121212121212121212121212',
+        lastSeenAt: new Date().toISOString(),
+        registeredAt: new Date().toISOString(),
+        status: 'active',
+        updatedAt: new Date().toISOString(),
+      },
+      approvalRequests: [
+        {
+          approvalRequestId: retainedApprovalId,
+          daemonId,
+          destination: '0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',
+          requestedAt: new Date().toISOString(),
+          status: 'pending',
+          transactionType: 'transfer_native',
+          updatedAt: new Date().toISOString(),
+        },
+      ],
+    });
+    await expect(service.getApprovalRequest(removedApprovalId)).resolves.toBeNull();
+    await expect(service.listApprovalRequests({ daemonId })).resolves.toMatchObject([
+      {
+        approvalRequestId: retainedApprovalId,
+      },
+    ]);
+    await expect(client.forceGet(activeApprovalKey)).resolves.toBeNull();
+    await expect(client.forceGet(failureKey)).resolves.toBeNull();
+  });
   it('rejects secure approval capability rotation for non-pending approvals', async () => {
     const service = new RelayCacheService({
       client: new InMemoryCacheClient() as never,
@@ -508,11 +590,16 @@ describe('RelayCacheService approval capability guards', () => {
       }),
     ).rejects.toThrow(/already has a queued operator update/);
-    const [claimed] = await service.claimEncryptedUpdates({
-      daemonId,
-      leaseSeconds: 30,
-      limit: 1,
-    });
+    const claimed = (
+      await service.claimEncryptedUpdates({
+        daemonId,
+        leaseSeconds: 30,
+        limit: 1,
+      })
+    )[0];
+    if (!claimed) {
+      throw new Error('expected a claimed update');
+    }
     await expect(
       service.submitUpdateFeedback({
@@ -597,10 +684,10 @@ describe('RelayCacheService approval capability guards', () => {
         targetApprovalRequestId: approvalRequestId,
         type: 'manual_approval_decision',
       }),
-    ).rejects.toMatchObject<Partial<CacheError>>({
+    ).rejects.toMatchObject({
       code: cacheErrorCodes.invalidPayload,
       message: `Approval '${approvalRequestId}' is 'approved' and cannot accept new updates`,
-    });
+    } satisfies Partial<CacheError>);
   });
   it('rejects manual approval updates that target another daemon approval', async () => {
@@ -652,10 +739,10 @@ describe('RelayCacheService approval capability guards', () => {
         targetApprovalRequestId: approvalRequestId,
         type: 'manual_approval_decision',
       }),
-    ).rejects.toMatchObject<Partial<CacheError>>({
+    ).rejects.toMatchObject({
       code: cacheErrorCodes.invalidPayload,
       message: `Approval '${approvalRequestId}' belongs to daemon '${approvalDaemonId}', not '${updateDaemonId}'`,
-    });
+    } satisfies Partial<CacheError>);
   });
   it('keeps the original active slot intact after rejecting a duplicate manual approval update', async () => {
@@ -774,12 +861,10 @@ describe('RelayCacheService approval capability guards', () => {
       type: 'daemon_status',
     });
-    await expect(service.removeEncryptedUpdate('20'.repeat(32), update.updateId)).rejects.toMatchObject<
-      Partial<CacheError>
-    >({
+    await expect(service.removeEncryptedUpdate('20'.repeat(32), update.updateId)).rejects.toMatchObject({
       code: cacheErrorCodes.notFound,
       message: `Unknown update '${update.updateId}' for daemon '${'20'.repeat(32)}'`,
-    });
+    } satisfies Partial<CacheError>);
     await expect(service.getEncryptedUpdate(update.updateId)).resolves.toMatchObject({
       daemonId: '10'.repeat(32),
       updateId: update.updateId,
@@ -813,11 +898,17 @@ describe('RelayCacheService approval capability guards', () => {
       type: 'manual_approval_decision',
     });
-    const [claimed] = await service.claimEncryptedUpdates({
-      daemonId,
-      leaseSeconds: 30,
-      limit: 1,
-    });
+    const claimed = (
+      await service.claimEncryptedUpdates({
+        daemonId,
+        leaseSeconds: 30,
+        limit: 1,
+      })
+    )[0];
+    if (!claimed) {
+      throw new Error('expected a claimed update');
+    }
     const activeApprovalKey = `test:relay:approval:${approvalRequestId}:active-update`;
     await client.forceSet(activeApprovalKey, 'other-update-id');
@@ -835,4 +926,59 @@ describe('RelayCacheService approval capability guards', () => {
     await expect(client.forceGet(activeApprovalKey)).resolves.toBe('other-update-id');
   });
+  it('rejects feedback for an expired claim lease even when the claim token still matches', async () => {
+    const client = new MutableInMemoryCacheClient();
+    const service = new RelayCacheService({
+      client: client as never,
+      namespace: 'test:relay',
+    });
+    const daemonId = '66'.repeat(32);
+    const update = await service.createEncryptedUpdate({
+      daemonId,
+      metadata: {
+        source: 'test-seed',
+      },
+      payload: {
+        algorithm: 'x25519-xchacha20poly1305-v1',
+        ciphertextBase64: 'aa',
+        encapsulatedKeyBase64: 'bb',
+        nonceBase64: 'cc',
+        schemaVersion: 1,
+      },
+      type: 'daemon_status',
+    });
+    const claimed = (
+      await service.claimEncryptedUpdates({
+        daemonId,
+        leaseSeconds: 30,
+        limit: 1,
+      })
+    )[0];
+    if (!claimed) {
+      throw new Error('expected a claimed update');
+    }
+    await client.forceSet(
+      `test:relay:update:${update.updateId}`,
+      JSON.stringify({
+        ...claimed,
+        claimUntil: new Date(Date.now() - 1_000).toISOString(),
+      }),
+    );
+    await expect(
+      service.submitUpdateFeedback({
+        claimToken: claimed.claimToken ?? '',
+        daemonId,
+        status: 'applied',
+        updateId: update.updateId,
+      }),
+    ).rejects.toMatchObject({
+      code: cacheErrorCodes.invalidPayload,
+      message: `Claim for update '${update.updateId}' has expired`,
+    });
+  });
 });

package/packages/cache/src/service/index.ts CHANGED Viewed

@@ -295,6 +295,10 @@ export class RelayCacheService {
       }
       if (input.approvalRequests) {
+        const approvalIndexKey = this.daemonApprovalsKey(profile.daemonId);
+        const existingApprovalIds = new Set(await this.client.zrange(approvalIndexKey, 0, -1));
+        const nextApprovalIds = new Set<string>();
         for (const approvalRequest of input.approvalRequests) {
           const existing = await this.readJson<RelayApprovalRequestRecord>(
             this.approvalKey(approvalRequest.approvalRequestId),
@@ -303,13 +307,26 @@ export class RelayCacheService {
             { ...approvalRequest, daemonId: profile.daemonId },
             existing,
           );
+          nextApprovalIds.add(normalized.approvalRequestId);
           await this.writeJson(this.approvalKey(normalized.approvalRequestId), normalized);
           await this.client.zadd(
-            this.daemonApprovalsKey(profile.daemonId),
+            approvalIndexKey,
             Date.parse(normalized.requestedAt),
             normalized.approvalRequestId,
           );
         }
+        const staleApprovalIds = [...existingApprovalIds].filter(
+          (approvalRequestId) => !nextApprovalIds.has(approvalRequestId),
+        );
+        if (staleApprovalIds.length > 0) {
+          await this.client.zrem(approvalIndexKey, ...staleApprovalIds);
+          for (const approvalRequestId of staleApprovalIds) {
+            await this.client.del(this.approvalKey(approvalRequestId));
+            await this.client.del(this.activeApprovalUpdateKey(approvalRequestId));
+            await this.client.del(this.approvalCapabilityFailuresKey(approvalRequestId));
+          }
+        }
       }
       return {
@@ -734,6 +751,7 @@ export class RelayCacheService {
   ): Promise<RelayEncryptedUpdateRecord> {
     const key = this.updateKey(input.updateId);
     const record = await this.readJson<RelayEncryptedUpdateRecord>(key);
+    const nowMs = Date.now();
     if (!record || record.daemonId !== input.daemonId) {
       throw new CacheError({
@@ -744,6 +762,25 @@ export class RelayCacheService {
       });
     }
+    if (record.status !== 'inflight') {
+      throw new CacheError({
+        code: cacheErrorCodes.invalidPayload,
+        key,
+        message: `Update '${input.updateId}' is '${record.status}' and is not currently claimed`,
+        operation: 'submitUpdateFeedback',
+      });
+    }
+    const claimUntilMs = record.claimUntil ? Date.parse(record.claimUntil) : Number.NaN;
+    if (!Number.isFinite(claimUntilMs) || claimUntilMs <= nowMs) {
+      throw new CacheError({
+        code: cacheErrorCodes.invalidPayload,
+        key,
+        message: `Claim for update '${input.updateId}' has expired`,
+        operation: 'submitUpdateFeedback',
+      });
+    }
     if (!record.claimToken || record.claimToken !== input.claimToken) {
       throw new CacheError({
         code: cacheErrorCodes.invalidPayload,

package/packages/config/.turbo/turbo-build.log CHANGED Viewed

@@ -10,9 +10,9 @@
 [34mCLI[39m Target: node20
 [34mCLI[39m Cleaning output folder
 [34mESM[39m Build start
-[32mESM[39m [1mdist/index.cjs     [22m[32m36.27 KB[39m
-[32mESM[39m [1mdist/index.cjs.map [22m[32m66.36 KB[39m
-[32mESM[39m ⚡️ Build success in 22ms
+[32mESM[39m [1mdist/index.cjs     [22m[32m35.92 KB[39m
+[32mESM[39m [1mdist/index.cjs.map [22m[32m65.75 KB[39m
+[32mESM[39m ⚡️ Build success in 8ms
 DTS Build start
-DTS ⚡️ Build success in 400ms
+DTS ⚡️ Build success in 377ms
 DTS dist/index.d.ts 5.23 KB

package/packages/config/dist/index.cjs CHANGED Viewed

@@ -52,23 +52,6 @@ var BUILTIN_TOKENS = {
       arbitrum: { chainId: 42161, isNative: true, decimals: 18 }
     }
   },
-  usdc: {
-    symbol: "USDC",
-    chains: {
-      ethereum: {
-        chainId: 1,
-        isNative: false,
-        address: "0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48",
-        decimals: 6
-      },
-      base: {
-        chainId: 8453,
-        isNative: false,
-        address: "0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913",
-        decimals: 6
-      }
-    }
-  },
   usd1: {
     name: "USD1",
     symbol: "USD1",