@wlfi-agent/cli 1.4.17 → 1.4.18

package/crates/vault-cli-daemon/src/main.rs

@@ -4,6 +4,7 @@ use std::path::{Path, PathBuf};
 use std::sync::Arc;
 
 use anyhow::{anyhow, bail, Context, Result};
+use async_trait::async_trait;
 use clap::{Parser, ValueEnum};
 use vault_daemon::{DaemonConfig, InMemoryDaemon, PersistentStoreConfig};
 use vault_signer::{SecureEnclaveSignerBackend, SoftwareSignerBackend};
@@ -120,13 +121,47 @@ impl Drop for StateFileLock {
     }
 }
 
+#[async_trait]
+trait DaemonRuntime {
+    async fn run_secure_enclave(
+        &self,
+        daemon_socket: PathBuf,
+        allowed_peer_euids: AllowedPeerEuids,
+        vault_password: String,
+        state_file: PathBuf,
+        secure_enclave_label_prefix: String,
+        signer_backend_label: &'static str,
+    ) -> Result<()>;
+
+    async fn run_software(
+        &self,
+        daemon_socket: PathBuf,
+        allowed_peer_euids: AllowedPeerEuids,
+        vault_password: String,
+        state_file: PathBuf,
+        signer_backend_label: &'static str,
+    ) -> Result<()>;
+}
+
+struct RealDaemonRuntime;
+
 #[tokio::main]
 async fn main() -> Result<()> {
     let cli = Cli::parse();
-    validate_signer_backend_runtime(cli.signer_backend)?;
     let mut vault_password = resolve_vault_password(cli.vault_password_stdin, cli.non_interactive)?;
-    let state_file = resolve_state_file_path(cli.state_file)?;
-    let daemon_socket = resolve_socket_path(cli.daemon_socket)?;
+    let runtime = RealDaemonRuntime;
+    let result = run_cli_with_runtime(cli, vault_password.clone(), &runtime).await;
+    vault_password.zeroize();
+    result
+}
+
+async fn run_cli_with_runtime<R>(cli: Cli, vault_password: String, runtime: &R) -> Result<()>
+where
+    R: DaemonRuntime + ?Sized,
+{
+    validate_signer_backend_runtime(cli.signer_backend)?;
+    let state_file = resolve_state_file_path(cli.state_file.clone())?;
+    let daemon_socket = resolve_socket_path(cli.daemon_socket.clone())?;
     let _state_lock = acquire_state_file_lock(&state_file)?;
 
     let allowed_peer_euids = resolve_allowed_peer_euids(
@@ -139,6 +174,71 @@ async fn main() -> Result<()> {
             "==> warning: --allow-client-euid grants both admin and agent access; prefer --allow-admin-euid and --allow-agent-euid"
         );
     }
+
+    dispatch_runtime(
+        cli,
+        vault_password,
+        state_file,
+        daemon_socket,
+        allowed_peer_euids,
+        runtime,
+    )
+    .await
+}
+
+async fn dispatch_runtime<R>(
+    cli: Cli,
+    vault_password: String,
+    state_file: PathBuf,
+    daemon_socket: PathBuf,
+    allowed_peer_euids: AllowedPeerEuids,
+    runtime: &R,
+) -> Result<()>
+where
+    R: DaemonRuntime + ?Sized,
+{
+    let signer_backend_label = relay_signer_backend_label(cli.signer_backend);
+    match cli.signer_backend {
+        SignerBackendKind::SecureEnclave => {
+            runtime
+                .run_secure_enclave(
+                    daemon_socket,
+                    allowed_peer_euids,
+                    vault_password,
+                    state_file,
+                    cli.secure_enclave_label_prefix,
+                    signer_backend_label,
+                )
+                .await
+        }
+        SignerBackendKind::Software => {
+            runtime
+                .run_software(
+                    daemon_socket,
+                    allowed_peer_euids,
+                    vault_password,
+                    state_file,
+                    signer_backend_label,
+                )
+                .await
+        }
+    }
+}
+
+fn print_server_banner(daemon_socket: &Path, allowed_peer_euids: &AllowedPeerEuids) {
+    eprintln!(
+        "==> daemon listening on {} (allowed admin euid(s): {}; allowed agent euid(s): {})",
+        daemon_socket.display(),
+        format_allowed_euids(&allowed_peer_euids.admin),
+        format_allowed_euids(&allowed_peer_euids.agent)
+    );
+    eprintln!("==> press Ctrl+C to stop");
+}
+
+async fn bind_server(
+    daemon_socket: PathBuf,
+    allowed_peer_euids: &AllowedPeerEuids,
+) -> Result<UnixDaemonServer> {
     let server = UnixDaemonServer::bind_with_allowed_peer_euids(
         daemon_socket.clone(),
         allowed_peer_euids.admin.clone(),
@@ -151,62 +251,70 @@ async fn main() -> Result<()> {
             daemon_socket.display()
         )
     })?;
+    print_server_banner(&daemon_socket, allowed_peer_euids);
+    Ok(server)
+}
 
-    eprintln!(
-        "==> daemon listening on {} (allowed admin euid(s): {}; allowed agent euid(s): {})",
-        daemon_socket.display(),
-        format_allowed_euids(&allowed_peer_euids.admin),
-        format_allowed_euids(&allowed_peer_euids.agent)
-    );
-    eprintln!("==> press Ctrl+C to stop");
+async fn run_bound_daemon<B>(
+    server: UnixDaemonServer,
+    daemon: Arc<InMemoryDaemon<B>>,
+    signer_backend_label: &'static str,
+) -> Result<()>
+where
+    B: vault_signer::VaultSignerBackend + Send + Sync + 'static,
+{
+    let relay_task = relay_sync::spawn_relay_sync_task(Arc::clone(&daemon), signer_backend_label);
+    server
+        .run_until_shutdown(daemon, async {
+            let _ = tokio::signal::ctrl_c().await;
+            relay_task.abort();
+        })
+        .await
+        .context("daemon server loop failed")
+}
 
-    let signer_backend_label = relay_signer_backend_label(cli.signer_backend);
-    match cli.signer_backend {
-        SignerBackendKind::SecureEnclave => {
-            let daemon = Arc::new(
-                InMemoryDaemon::new_with_persistent_store(
-                    &vault_password,
-                    SecureEnclaveSignerBackend::new(cli.secure_enclave_label_prefix),
-                    DaemonConfig::default(),
-                    PersistentStoreConfig::new(state_file),
-                )
-                .context("failed to initialize daemon")?,
-            );
-            let relay_task =
-                relay_sync::spawn_relay_sync_task(Arc::clone(&daemon), signer_backend_label);
-            vault_password.zeroize();
-            server
-                .run_until_shutdown(daemon, async {
-                    let _ = tokio::signal::ctrl_c().await;
-                    relay_task.abort();
-                })
-                .await
-                .context("daemon server loop failed")?;
-        }
-        SignerBackendKind::Software => {
-            let daemon = Arc::new(
-                InMemoryDaemon::new_with_persistent_store(
-                    &vault_password,
-                    SoftwareSignerBackend::default(),
-                    DaemonConfig::default(),
-                    PersistentStoreConfig::new(state_file),
-                )
-                .context("failed to initialize daemon")?,
-            );
-            let relay_task =
-                relay_sync::spawn_relay_sync_task(Arc::clone(&daemon), signer_backend_label);
-            vault_password.zeroize();
-            server
-                .run_until_shutdown(daemon, async {
-                    let _ = tokio::signal::ctrl_c().await;
-                    relay_task.abort();
-                })
-                .await
-                .context("daemon server loop failed")?;
-        }
+#[async_trait]
+impl DaemonRuntime for RealDaemonRuntime {
+    async fn run_secure_enclave(
+        &self,
+        daemon_socket: PathBuf,
+        allowed_peer_euids: AllowedPeerEuids,
+        mut vault_password: String,
+        state_file: PathBuf,
+        secure_enclave_label_prefix: String,
+        signer_backend_label: &'static str,
+    ) -> Result<()> {
+        let server = bind_server(daemon_socket, &allowed_peer_euids).await?;
+        let daemon = InMemoryDaemon::new_with_persistent_store(
+            &vault_password,
+            SecureEnclaveSignerBackend::new(secure_enclave_label_prefix),
+            DaemonConfig::default(),
+            PersistentStoreConfig::new(state_file),
+        );
+        vault_password.zeroize();
+        let daemon = Arc::new(daemon.context("failed to initialize daemon")?);
+        run_bound_daemon(server, daemon, signer_backend_label).await
     }
 
-    Ok(())
+    async fn run_software(
+        &self,
+        daemon_socket: PathBuf,
+        allowed_peer_euids: AllowedPeerEuids,
+        mut vault_password: String,
+        state_file: PathBuf,
+        signer_backend_label: &'static str,
+    ) -> Result<()> {
+        let server = bind_server(daemon_socket, &allowed_peer_euids).await?;
+        let daemon = InMemoryDaemon::new_with_persistent_store(
+            &vault_password,
+            SoftwareSignerBackend::default(),
+            DaemonConfig::default(),
+            PersistentStoreConfig::new(state_file),
+        );
+        vault_password.zeroize();
+        let daemon = Arc::new(daemon.context("failed to initialize daemon")?);
+        run_bound_daemon(server, daemon, signer_backend_label).await
+    }
 }
 
 fn relay_signer_backend_label(backend: SignerBackendKind) -> &'static str {
@@ -514,14 +622,148 @@ fn lock_path(path: &Path) -> PathBuf {
 #[cfg(test)]
 mod tests {
     use super::{
-        ensure_file_parent, relay_signer_backend_label, resolve_allowed_peer_euids_with_sudo_uid,
-        resolve_vault_password, validate_password, Cli, SignerBackendKind,
+        acquire_state_file_lock, default_socket_path, default_state_file_path, dispatch_runtime,
+        ensure_file_parent, format_allowed_euids, is_symlink, lock_path, read_secret_from_reader,
+        relay_signer_backend_label, resolve_allowed_peer_euids, resolve_allowed_peer_euids_with_sudo_uid,
+        resolve_socket_path, resolve_state_file_path, resolve_vault_password, run_cli_with_runtime,
+        validate_password, validate_signer_backend_runtime, wlfi_home_dir, AllowedPeerEuids, Cli,
+        DaemonRuntime, SignerBackendKind,
     };
+    use anyhow::{anyhow, Result};
+    use async_trait::async_trait;
     use clap::Parser;
     use std::collections::BTreeSet;
-    use std::path::Path;
+    use std::io::{Cursor, Read};
+    use std::path::{Path, PathBuf};
+    use std::sync::{Mutex, OnceLock};
     use std::time::{SystemTime, UNIX_EPOCH};
 
+    fn env_lock() -> &'static Mutex<()> {
+        static ENV_LOCK: OnceLock<Mutex<()>> = OnceLock::new();
+        ENV_LOCK.get_or_init(|| Mutex::new(()))
+    }
+
+    fn temp_path(prefix: &str) -> PathBuf {
+        std::env::temp_dir().join(format!(
+            "{prefix}-{}-{}",
+            std::process::id(),
+            SystemTime::now()
+                .duration_since(UNIX_EPOCH)
+                .expect("time")
+                .as_nanos()
+        ))
+    }
+
+    struct FailingReader;
+
+    impl Read for FailingReader {
+        fn read(&mut self, _buf: &mut [u8]) -> std::io::Result<usize> {
+            Err(std::io::Error::other("boom"))
+        }
+    }
+
+    #[derive(Debug, Clone, PartialEq, Eq)]
+    enum RuntimeCall {
+        SecureEnclave {
+            daemon_socket: PathBuf,
+            allowed_admin: BTreeSet<u32>,
+            allowed_agent: BTreeSet<u32>,
+            vault_password: String,
+            state_file: PathBuf,
+            secure_enclave_label_prefix: String,
+            signer_backend_label: &'static str,
+        },
+        Software {
+            daemon_socket: PathBuf,
+            allowed_admin: BTreeSet<u32>,
+            allowed_agent: BTreeSet<u32>,
+            vault_password: String,
+            state_file: PathBuf,
+            signer_backend_label: &'static str,
+        },
+    }
+
+    struct FakeRuntime {
+        calls: Mutex<Vec<RuntimeCall>>,
+        fail_message: Option<&'static str>,
+    }
+
+    #[async_trait]
+    impl DaemonRuntime for FakeRuntime {
+        async fn run_secure_enclave(
+            &self,
+            daemon_socket: PathBuf,
+            allowed_peer_euids: AllowedPeerEuids,
+            vault_password: String,
+            state_file: PathBuf,
+            secure_enclave_label_prefix: String,
+            signer_backend_label: &'static str,
+        ) -> Result<()> {
+            self.calls
+                .lock()
+                .expect("lock")
+                .push(RuntimeCall::SecureEnclave {
+                    daemon_socket,
+                    allowed_admin: allowed_peer_euids.admin,
+                    allowed_agent: allowed_peer_euids.agent,
+                    vault_password,
+                    state_file,
+                    secure_enclave_label_prefix,
+                    signer_backend_label,
+                });
+            match self.fail_message {
+                Some(message) => Err(anyhow!(message)),
+                None => Ok(()),
+            }
+        }
+
+        async fn run_software(
+            &self,
+            daemon_socket: PathBuf,
+            allowed_peer_euids: AllowedPeerEuids,
+            vault_password: String,
+            state_file: PathBuf,
+            signer_backend_label: &'static str,
+        ) -> Result<()> {
+            self.calls
+                .lock()
+                .expect("lock")
+                .push(RuntimeCall::Software {
+                    daemon_socket,
+                    allowed_admin: allowed_peer_euids.admin,
+                    allowed_agent: allowed_peer_euids.agent,
+                    vault_password,
+                    state_file,
+                    signer_backend_label,
+                });
+            match self.fail_message {
+                Some(message) => Err(anyhow!(message)),
+                None => Ok(()),
+            }
+        }
+    }
+
+    fn sample_cli(root: &Path, signer_backend: SignerBackendKind) -> Cli {
+        Cli {
+            vault_password_stdin: false,
+            non_interactive: false,
+            state_file: Some(root.join("state").join("daemon-state.enc")),
+            daemon_socket: Some(root.join("socket").join("daemon.sock")),
+            secure_enclave_label_prefix: "com.wlfi.test".to_string(),
+            signer_backend,
+            allow_admin_euid: vec![11],
+            allow_agent_euid: vec![22],
+            allow_client_euid: vec![33],
+        }
+    }
+
+    fn test_runtime() -> tokio::runtime::Runtime {
+        tokio::runtime::Builder::new_current_thread()
+            .enable_all()
+            .build()
+            .expect("runtime")
+    }
+
     #[test]
     fn validate_password_rejects_oversized_non_stdin_secret() {
         let err = validate_password("a".repeat((16 * 1024) + 1), "argument or environment")
@@ -529,6 +771,12 @@ mod tests {
         assert!(err.to_string().contains("must not exceed"));
     }
 
+    #[test]
+    fn validate_password_rejects_whitespace_only() {
+        let err = validate_password(" \n\t ".to_string(), "stdin").expect_err("must fail");
+        assert!(err.to_string().contains("must not be empty or whitespace"));
+    }
+
     #[test]
     fn cli_rejects_inline_vault_password_argument() {
         let err = Cli::try_parse_from([
@@ -547,18 +795,30 @@ mod tests {
         assert!(err.to_string().contains("use --vault-password-stdin"));
     }
 
+    #[test]
+    fn read_secret_from_reader_trims_trailing_newlines() {
+        let secret = read_secret_from_reader(Cursor::new("vault-secret\r\n"), "vault password")
+            .expect("trimmed secret");
+        assert_eq!(secret, "vault-secret");
+    }
+
+    #[test]
+    fn read_secret_from_reader_rejects_blank_after_trimming() {
+        let err = read_secret_from_reader(Cursor::new(" \n"), "vault password")
+            .expect_err("must fail");
+        assert!(err.to_string().contains("must not be empty or whitespace"));
+    }
+
+    #[test]
+    fn read_secret_from_reader_propagates_io_errors() {
+        let err = read_secret_from_reader(FailingReader, "vault password").expect_err("must fail");
+        assert!(err.to_string().contains("failed to read vault password from stdin"));
+    }
+
     #[cfg(unix)]
     #[test]
     fn ensure_file_parent_accepts_current_user_owned_directory() {
-        let unique = SystemTime::now()
-            .duration_since(UNIX_EPOCH)
-            .expect("time")
-            .as_nanos();
-        let parent = std::env::temp_dir().join(format!(
-            "wlfi-daemon-parent-{}-{}",
-            std::process::id(),
-            unique
-        ));
+        let parent = temp_path("wlfi-daemon-parent");
         std::fs::create_dir_all(&parent).expect("create parent");
         let path = parent.join("daemon-state.enc");
         ensure_file_parent(&path, "state").expect("current-user-owned directory should pass");
@@ -616,6 +876,13 @@ mod tests {
         assert_eq!(resolved.agent, BTreeSet::from([0, 22, 33]));
     }
 
+    #[test]
+    fn resolve_allowed_peer_euids_wrapper_matches_internal_helper() {
+        let resolved = resolve_allowed_peer_euids(&[7], &[8], &[9]).expect("allowed peer euids");
+        assert_eq!(resolved.admin, BTreeSet::from([0, 7, 9]));
+        assert_eq!(resolved.agent, BTreeSet::from([0, 8, 9]));
+    }
+
     #[test]
     fn relay_signer_backend_label_matches_runtime_backend() {
         assert_eq!(
@@ -628,6 +895,289 @@ mod tests {
         );
     }
 
+    #[test]
+    fn validate_signer_backend_runtime_accepts_software_everywhere() {
+        validate_signer_backend_runtime(SignerBackendKind::Software).expect("software backend");
+    }
+
+    #[cfg(not(target_os = "macos"))]
+    #[test]
+    fn validate_signer_backend_runtime_rejects_secure_enclave_off_macos() {
+        let err = validate_signer_backend_runtime(SignerBackendKind::SecureEnclave)
+            .expect_err("must fail");
+        assert!(err
+            .to_string()
+            .contains("Secure Enclave daemon mode is supported only on macOS"));
+    }
+
+    #[test]
+    fn format_allowed_euids_renders_sorted_csv() {
+        assert_eq!(format_allowed_euids(&BTreeSet::from([0, 11, 33])), "0,11,33");
+    }
+
+    #[test]
+    fn lock_path_appends_lock_suffix() {
+        assert_eq!(
+            lock_path(Path::new("/tmp/wlfi/daemon-state.enc")),
+            PathBuf::from("/tmp/wlfi/daemon-state.enc.lock")
+        );
+    }
+
+    #[test]
+    fn wlfi_home_dir_prefers_wlfi_home_and_falls_back_to_home() {
+        let _guard = env_lock().lock().expect("env lock");
+        let wlfi_home = temp_path("wlfi-home");
+        let home = temp_path("home-dir");
+
+        std::env::set_var("WLFI_HOME", &wlfi_home);
+        std::env::set_var("HOME", &home);
+        assert_eq!(wlfi_home_dir().expect("wlfi home"), wlfi_home);
+
+        std::env::remove_var("WLFI_HOME");
+        assert_eq!(
+            wlfi_home_dir().expect("home fallback"),
+            home.join(".wlfi_agent")
+        );
+
+        std::env::remove_var("HOME");
+    }
+
+    #[test]
+    fn wlfi_home_dir_rejects_empty_and_missing_env() {
+        let _guard = env_lock().lock().expect("env lock");
+
+        std::env::set_var("WLFI_HOME", "");
+        let err = wlfi_home_dir().expect_err("must reject empty WLFI_HOME");
+        assert!(err.to_string().contains("WLFI_HOME must not be empty"));
+
+        std::env::remove_var("WLFI_HOME");
+        std::env::remove_var("HOME");
+        let err = wlfi_home_dir().expect_err("must reject missing HOME");
+        assert!(err
+            .to_string()
+            .contains("HOME is not set; use WLFI_HOME to choose config directory"));
+    }
+
+    #[test]
+    fn default_paths_and_resolvers_use_wlfi_home() {
+        let _guard = env_lock().lock().expect("env lock");
+        let wlfi_home = temp_path("wlfi-daemon-defaults");
+        std::env::set_var("WLFI_HOME", &wlfi_home);
+
+        assert_eq!(
+            default_state_file_path().expect("default state"),
+            wlfi_home.join("daemon-state.enc")
+        );
+        assert_eq!(
+            default_socket_path().expect("default socket"),
+            wlfi_home.join("daemon.sock")
+        );
+        assert_eq!(
+            resolve_state_file_path(None).expect("resolved state"),
+            wlfi_home.join("daemon-state.enc")
+        );
+        assert_eq!(
+            resolve_socket_path(None).expect("resolved socket"),
+            wlfi_home.join("daemon.sock")
+        );
+
+        std::env::remove_var("WLFI_HOME");
+    }
+
+    #[test]
+    fn dispatch_runtime_routes_to_expected_backend() {
+        let runtime = test_runtime();
+        let root = temp_path("wlfi-daemon-dispatch");
+        let state_file = root.join("state.enc");
+        let daemon_socket = root.join("daemon.sock");
+        let allowed = AllowedPeerEuids {
+            admin: BTreeSet::from([0, 11, 33]),
+            agent: BTreeSet::from([0, 22, 33]),
+        };
+
+        let secure_runtime = FakeRuntime {
+            calls: Mutex::new(Vec::new()),
+            fail_message: None,
+        };
+        runtime
+            .block_on(dispatch_runtime(
+                sample_cli(&root, SignerBackendKind::SecureEnclave),
+                "vault-secret".to_string(),
+                state_file.clone(),
+                daemon_socket.clone(),
+                allowed.clone(),
+                &secure_runtime,
+            ))
+            .expect("secure enclave dispatch");
+        assert_eq!(
+            secure_runtime.calls.lock().expect("lock").as_slice(),
+            &[RuntimeCall::SecureEnclave {
+                daemon_socket: daemon_socket.clone(),
+                allowed_admin: BTreeSet::from([0, 11, 33]),
+                allowed_agent: BTreeSet::from([0, 22, 33]),
+                vault_password: "vault-secret".to_string(),
+                state_file: state_file.clone(),
+                secure_enclave_label_prefix: "com.wlfi.test".to_string(),
+                signer_backend_label: "secure-enclave",
+            }]
+        );
+
+        let software_runtime = FakeRuntime {
+            calls: Mutex::new(Vec::new()),
+            fail_message: None,
+        };
+        runtime
+            .block_on(dispatch_runtime(
+                sample_cli(&root, SignerBackendKind::Software),
+                "vault-secret".to_string(),
+                state_file.clone(),
+                daemon_socket.clone(),
+                allowed,
+                &software_runtime,
+            ))
+            .expect("software dispatch");
+        assert_eq!(
+            software_runtime.calls.lock().expect("lock").as_slice(),
+            &[RuntimeCall::Software {
+                daemon_socket,
+                allowed_admin: BTreeSet::from([0, 11, 33]),
+                allowed_agent: BTreeSet::from([0, 22, 33]),
+                vault_password: "vault-secret".to_string(),
+                state_file,
+                signer_backend_label: "software",
+            }]
+        );
+    }
+
+    #[test]
+    fn run_cli_with_runtime_resolves_paths_and_lock_before_invoking_runtime() {
+        let runtime = test_runtime();
+        let root = temp_path("wlfi-daemon-run-runtime");
+        let cli = sample_cli(&root, SignerBackendKind::Software);
+        let fake_runtime = FakeRuntime {
+            calls: Mutex::new(Vec::new()),
+            fail_message: None,
+        };
+
+        runtime
+            .block_on(run_cli_with_runtime(
+                cli,
+                "vault-secret".to_string(),
+                &fake_runtime,
+            ))
+            .expect("runtime dispatch");
+
+        assert!(root.join("state").exists());
+        assert!(root.join("socket").exists());
+        assert!(root.join("state").join("daemon-state.enc.lock").exists());
+        assert_eq!(fake_runtime.calls.lock().expect("lock").len(), 1);
+
+        std::fs::remove_dir_all(&root).expect("cleanup");
+    }
+
+    #[cfg(not(target_os = "macos"))]
+    #[test]
+    fn run_cli_with_runtime_rejects_secure_enclave_before_runtime_invocation() {
+        let runtime = test_runtime();
+        let root = temp_path("wlfi-daemon-secure-enclave");
+        let fake_runtime = FakeRuntime {
+            calls: Mutex::new(Vec::new()),
+            fail_message: None,
+        };
+
+        let err = runtime
+            .block_on(run_cli_with_runtime(
+                sample_cli(&root, SignerBackendKind::SecureEnclave),
+                "vault-secret".to_string(),
+                &fake_runtime,
+            ))
+            .expect_err("secure enclave must fail");
+        assert!(err
+            .to_string()
+            .contains("Secure Enclave daemon mode is supported only on macOS"));
+        assert!(fake_runtime.calls.lock().expect("lock").is_empty());
+    }
+
+    #[test]
+    fn dispatch_runtime_bubbles_runtime_failures() {
+        let runtime = test_runtime();
+        let root = temp_path("wlfi-daemon-runtime-error");
+        let err_runtime = FakeRuntime {
+            calls: Mutex::new(Vec::new()),
+            fail_message: Some("runtime boom"),
+        };
+
+        let err = runtime
+            .block_on(dispatch_runtime(
+                sample_cli(&root, SignerBackendKind::Software),
+                "vault-secret".to_string(),
+                root.join("daemon-state.enc"),
+                root.join("daemon.sock"),
+                AllowedPeerEuids {
+                    admin: BTreeSet::from([0]),
+                    agent: BTreeSet::from([0]),
+                },
+                &err_runtime,
+            ))
+            .expect_err("runtime failure must bubble");
+        assert!(err.to_string().contains("runtime boom"));
+    }
+
+    #[test]
+    fn explicit_state_and_socket_paths_are_preserved() {
+        let root = temp_path("wlfi-daemon-explicit");
+        let state = root.join("state").join("daemon-state.enc");
+        let socket = root.join("sock").join("daemon.sock");
+
+        let resolved_state = resolve_state_file_path(Some(state.clone())).expect("state path");
+        let resolved_socket = resolve_socket_path(Some(socket.clone())).expect("socket path");
+        assert_eq!(resolved_state, state);
+        assert_eq!(resolved_socket, socket);
+        assert!(root.join("state").exists());
+        assert!(root.join("sock").exists());
+
+        std::fs::remove_dir_all(&root).expect("cleanup");
+    }
+
+    #[cfg(unix)]
+    #[test]
+    fn acquire_state_file_lock_creates_lock_file() {
+        let root = temp_path("wlfi-daemon-lock");
+        let state_path = root.join("daemon-state.enc");
+
+        let lock = acquire_state_file_lock(&state_path).expect("lock file");
+        let lock_file = lock_path(&state_path);
+        assert!(lock_file.exists());
+        drop(lock);
+
+        std::fs::remove_dir_all(&root).expect("cleanup");
+    }
+
+    #[cfg(unix)]
+    #[test]
+    fn ensure_file_parent_rejects_symlink_path_and_is_symlink_reports_it() {
+        use std::os::unix::fs::symlink;
+
+        let root = temp_path("wlfi-daemon-symlink");
+        std::fs::create_dir_all(&root).expect("create root");
+        let target = root.join("real-state.enc");
+        let link = root.join("linked-state.enc");
+        std::fs::write(&target, "seed").expect("seed");
+        symlink(&target, &link).expect("symlink");
+
+        assert!(is_symlink(&link).expect("symlink metadata"));
+        let err = ensure_file_parent(&link, "state").expect_err("must reject symlink file");
+        assert!(err.to_string().contains("must not be a symlink"));
+
+        std::fs::remove_dir_all(&root).expect("cleanup");
+    }
+
+    #[test]
+    fn is_symlink_returns_false_for_missing_path() {
+        let missing = temp_path("wlfi-daemon-missing");
+        assert!(!is_symlink(&missing).expect("missing path is not symlink"));
+    }
+
     #[cfg(unix)]
     #[test]
     fn assert_allowed_directory_owner_rejects_non_root_owner_for_root_runtime() {