npm - @wlfi-agent/cli - Versions diffs - 1.4.17 → 1.4.19 - Mend

@wlfi-agent/cli 1.4.17 → 1.4.19

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (93) hide show

package/Cargo.lock +5 -0
package/README.md +61 -28
package/crates/vault-cli-admin/src/io_utils.rs +149 -1
package/crates/vault-cli-admin/src/main.rs +639 -16
package/crates/vault-cli-admin/src/shared_config.rs +18 -18
package/crates/vault-cli-admin/src/tui/token_rpc.rs +190 -3
package/crates/vault-cli-admin/src/tui/utils.rs +59 -0
package/crates/vault-cli-admin/src/tui.rs +1205 -120
package/crates/vault-cli-agent/Cargo.toml +1 -0
package/crates/vault-cli-agent/src/io_utils.rs +163 -2
package/crates/vault-cli-agent/src/main.rs +648 -32
package/crates/vault-cli-daemon/Cargo.toml +4 -0
package/crates/vault-cli-daemon/src/main.rs +617 -67
package/crates/vault-cli-daemon/src/relay_sync.rs +776 -4
package/crates/vault-cli-daemon/tests/system_keychain_helper_acl.rs +5 -0
package/crates/vault-daemon/src/daemon_parts/api_impl_and_utils.rs +32 -1
package/crates/vault-daemon/src/persistence.rs +637 -100
package/crates/vault-daemon/src/tests.rs +1013 -3
package/crates/vault-daemon/src/tests_parts/part2.rs +99 -0
package/crates/vault-daemon/src/tests_parts/part4.rs +11 -7
package/crates/vault-domain/src/nonce.rs +4 -0
package/crates/vault-domain/src/tests.rs +616 -0
package/crates/vault-policy/src/engine.rs +55 -32
package/crates/vault-policy/src/tests.rs +195 -0
package/crates/vault-sdk-agent/src/lib.rs +415 -22
package/crates/vault-signer/Cargo.toml +3 -0
package/crates/vault-signer/src/lib.rs +266 -40
package/crates/vault-transport-unix/src/lib.rs +653 -5
package/crates/vault-transport-xpc/src/tests.rs +531 -3
package/crates/vault-transport-xpc/tests/e2e_flow.rs +3 -0
package/dist/cli.cjs +756 -194
package/dist/cli.cjs.map +1 -1
package/package.json +5 -2
package/packages/cache/.turbo/turbo-build.log +20 -20
package/packages/cache/coverage/clover.xml +529 -394
package/packages/cache/coverage/coverage-final.json +2 -2
package/packages/cache/coverage/index.html +21 -21
package/packages/cache/coverage/src/client/index.html +1 -1
package/packages/cache/coverage/src/client/index.ts.html +1 -1
package/packages/cache/coverage/src/errors/index.html +1 -1
package/packages/cache/coverage/src/errors/index.ts.html +12 -12
package/packages/cache/coverage/src/index.html +1 -1
package/packages/cache/coverage/src/index.ts.html +1 -1
package/packages/cache/coverage/src/service/index.html +21 -21
package/packages/cache/coverage/src/service/index.ts.html +769 -313
package/packages/cache/dist/{chunk-QNK6GOTI.js → chunk-KC53LH5Z.js} +35 -2
package/packages/cache/dist/chunk-KC53LH5Z.js.map +1 -0
package/packages/cache/dist/{chunk-QF4XKEIA.cjs → chunk-UVU7VFE3.cjs} +35 -2
package/packages/cache/dist/chunk-UVU7VFE3.cjs.map +1 -0
package/packages/cache/dist/index.cjs +2 -2
package/packages/cache/dist/index.js +1 -1
package/packages/cache/dist/service/index.cjs +2 -2
package/packages/cache/dist/service/index.js +1 -1
package/packages/cache/node_modules/.bin/tsc +2 -2
package/packages/cache/node_modules/.bin/tsserver +2 -2
package/packages/cache/node_modules/.bin/tsup +2 -2
package/packages/cache/node_modules/.bin/tsup-node +2 -2
package/packages/cache/node_modules/.bin/vitest +4 -4
package/packages/cache/node_modules/.vite/vitest/da39a3ee5e6b4b0d3255bfef95601890afd80709/results.json +1 -1
package/packages/cache/src/service/index.test.ts +165 -19
package/packages/cache/src/service/index.ts +38 -1
package/packages/config/.turbo/turbo-build.log +4 -4
package/packages/config/dist/index.cjs +0 -17
package/packages/config/dist/index.cjs.map +1 -1
package/packages/config/src/index.ts +0 -17
package/packages/rpc/.turbo/turbo-build.log +11 -11
package/packages/rpc/dist/index.cjs +0 -17
package/packages/rpc/dist/index.cjs.map +1 -1
package/packages/rpc/src/index.js +1 -0
package/packages/ui/node_modules/.bin/tsc +2 -2
package/packages/ui/node_modules/.bin/tsserver +2 -2
package/packages/ui/node_modules/.bin/tsup +2 -2
package/packages/ui/node_modules/.bin/tsup-node +2 -2
package/scripts/install-cli-launcher.mjs +37 -0
package/scripts/install-rust-binaries.mjs +47 -0
package/scripts/run-tests-isolated.mjs +210 -0
package/src/cli.ts +310 -50
package/src/lib/admin-reset.ts +101 -33
package/src/lib/admin-setup.ts +285 -55
package/src/lib/agent-auth-migrate.ts +5 -1
package/src/lib/asset-broadcast.ts +15 -4
package/src/lib/config-amounts.ts +6 -4
package/src/lib/hidden-tty-prompt.js +1 -0
package/src/lib/hidden-tty-prompt.ts +105 -0
package/src/lib/keychain.ts +1 -0
package/src/lib/local-admin-access.ts +4 -29
package/src/lib/rust.ts +129 -33
package/src/lib/signed-tx.ts +1 -0
package/src/lib/sudo.ts +15 -5
package/src/lib/wallet-profile.ts +3 -0
package/src/lib/wallet-setup.ts +52 -0
package/packages/cache/dist/chunk-QF4XKEIA.cjs.map +0 -1
package/packages/cache/dist/chunk-QNK6GOTI.js.map +0 -1

package/crates/vault-daemon/src/tests_parts/part2.rs CHANGED Viewed

@@ -97,6 +97,7 @@ async fn reserve_nonce_is_monotonic_for_same_agent_and_chain() {
             agent_auth_token: agent_credentials.auth_token.clone(),
             chain_id: 1,
             min_nonce: 7,
+            exact_nonce: false,
             requested_at: now,
             expires_at: now + time::Duration::minutes(2),
         })
@@ -109,6 +110,7 @@ async fn reserve_nonce_is_monotonic_for_same_agent_and_chain() {
             agent_auth_token: agent_credentials.auth_token,
             chain_id: 1,
             min_nonce: 7,
+            exact_nonce: false,
             requested_at: now,
             expires_at: now + time::Duration::minutes(2),
         })
@@ -152,6 +154,7 @@ async fn reserve_nonce_replayed_request_id_is_rejected() {
         agent_auth_token: agent_credentials.auth_token,
         chain_id: 1,
         min_nonce: 0,
+        exact_nonce: false,
         requested_at: now,
         expires_at: now + time::Duration::minutes(2),
     };
@@ -203,6 +206,7 @@ async fn release_nonce_reclaims_latest_unused_nonce() {
             agent_auth_token: agent_credentials.auth_token.clone(),
             chain_id: 56,
             min_nonce: 0,
+            exact_nonce: false,
             requested_at: now,
             expires_at: now + time::Duration::minutes(2),
         })
@@ -229,6 +233,7 @@ async fn release_nonce_reclaims_latest_unused_nonce() {
             agent_auth_token: agent_credentials.auth_token,
             chain_id: 56,
             min_nonce: 0,
+            exact_nonce: false,
             requested_at: now,
             expires_at: now + time::Duration::minutes(2),
         })
@@ -237,6 +242,94 @@ async fn release_nonce_reclaims_latest_unused_nonce() {
     assert_eq!(next.nonce, 0);
 }
+#[tokio::test]
+async fn exact_nonce_can_reuse_chain_nonce_after_signed_request_advances_head() {
+    let daemon = InMemoryDaemon::new(
+        "vault-password",
+        SoftwareSignerBackend::default(),
+        DaemonConfig::default(),
+    )
+    .expect("daemon");
+    let lease = daemon.issue_lease("vault-password").await.expect("lease");
+    let session = AdminSession {
+        vault_password: "vault-password".to_string(),
+        lease,
+    };
+    daemon
+        .add_policy(&session, policy_all_per_tx(1_000_000_000_000_000_000))
+        .await
+        .expect("add per-tx policy");
+    daemon
+        .add_policy(&session, policy_per_chain_gas(1, 1_000_000_000_000_000))
+        .await
+        .expect("add gas policy");
+    let key = daemon
+        .create_vault_key(&session, KeyCreateRequest::Generate)
+        .await
+        .expect("key");
+    let agent_credentials = daemon
+        .create_agent_key(&session, key.id, PolicyAttachment::AllPolicies)
+        .await
+        .expect("agent");
+    reserve_nonce_for_agent(&daemon, &agent_credentials, 1, 0).await;
+    daemon
+        .sign_for_agent(sign_request(
+            &agent_credentials,
+            AgentAction::BroadcastTx {
+                tx: BroadcastTx {
+                    chain_id: 1,
+                    nonce: 0,
+                    to: "0x9300000000000000000000000000000000000000"
+                        .parse()
+                        .expect("to"),
+                    value_wei: 0,
+                    data_hex: "0x".to_string(),
+                    gas_limit: 21_000,
+                    max_fee_per_gas_wei: 1_000_000_000,
+                    max_priority_fee_per_gas_wei: 1_000_000_000,
+                    tx_type: 0x02,
+                    delegation_enabled: false,
+                },
+            },
+        ))
+        .await
+        .expect("consume first reservation");
+    let now = time::OffsetDateTime::now_utc();
+    let exact = daemon
+        .reserve_nonce(NonceReservationRequest {
+            request_id: Uuid::new_v4(),
+            agent_key_id: agent_credentials.agent_key.id,
+            agent_auth_token: agent_credentials.auth_token.clone(),
+            chain_id: 1,
+            min_nonce: 0,
+            exact_nonce: true,
+            requested_at: now,
+            expires_at: now + time::Duration::minutes(2),
+        })
+        .await
+        .expect("exact reserve");
+    assert_eq!(exact.nonce, 0);
+    let next = daemon
+        .reserve_nonce(NonceReservationRequest {
+            request_id: Uuid::new_v4(),
+            agent_key_id: agent_credentials.agent_key.id,
+            agent_auth_token: agent_credentials.auth_token,
+            chain_id: 1,
+            min_nonce: 0,
+            exact_nonce: false,
+            requested_at: now,
+            expires_at: now + time::Duration::minutes(2),
+        })
+        .await
+        .expect("next reserve");
+    assert_eq!(next.nonce, 1);
+}
 #[tokio::test]
 async fn expired_nonce_reservation_is_reclaimed_before_next_reserve() {
     let daemon = InMemoryDaemon::new(
@@ -275,6 +368,7 @@ async fn expired_nonce_reservation_is_reclaimed_before_next_reserve() {
             agent_auth_token: agent_credentials.auth_token.clone(),
             chain_id: 56,
             min_nonce: 0,
+            exact_nonce: false,
             requested_at: now,
             expires_at: now + time::Duration::minutes(2),
         })
@@ -291,6 +385,7 @@ async fn expired_nonce_reservation_is_reclaimed_before_next_reserve() {
             agent_auth_token: agent_credentials.auth_token,
             chain_id: 56,
             min_nonce: 0,
+            exact_nonce: false,
             requested_at: time::OffsetDateTime::now_utc(),
             expires_at: time::OffsetDateTime::now_utc() + time::Duration::minutes(2),
         })
@@ -334,6 +429,7 @@ async fn reserve_nonce_rejects_zero_chain_id() {
             agent_auth_token: agent_credentials.auth_token,
             chain_id: 0,
             min_nonce: 0,
+            exact_nonce: false,
             requested_at: now,
             expires_at: now + time::Duration::minutes(2),
         })
@@ -382,6 +478,7 @@ async fn release_nonce_replayed_request_id_is_rejected() {
             agent_auth_token: agent_credentials.auth_token.clone(),
             chain_id: 1,
             min_nonce: 0,
+            exact_nonce: false,
             requested_at: now,
             expires_at: now + time::Duration::minutes(2),
         })
@@ -449,6 +546,7 @@ async fn release_nonce_rejects_non_owner_agent() {
             agent_auth_token: owner_credentials.auth_token.clone(),
             chain_id: 1,
             min_nonce: 0,
+            exact_nonce: false,
             requested_at: now,
             expires_at: now + time::Duration::minutes(2),
         })
@@ -614,6 +712,7 @@ async fn release_nonce_removes_reservation_from_snapshot() {
             agent_auth_token: agent_credentials.auth_token.clone(),
             chain_id: 1,
             min_nonce: 0,
+            exact_nonce: false,
             requested_at: now,
             expires_at: now + time::Duration::minutes(2),
         })

package/crates/vault-daemon/src/tests_parts/part4.rs CHANGED Viewed

@@ -365,6 +365,7 @@ async fn daily_spend_limit_counts_in_scope_history_across_assets_and_chains() {
     ));
 }
+#[cfg(not(coverage))]
 #[tokio::test]
 async fn persistent_store_restores_policies_and_agent_auth_state() {
     let state_path = unique_state_path("restore");
@@ -374,7 +375,7 @@ async fn persistent_store_restores_policies_and_agent_auth_state() {
         "vault-password",
         SoftwareSignerBackend::default(),
         config.clone(),
-        PersistentStoreConfig::new(state_path.clone()),
+        PersistentStoreConfig::new_test(state_path.clone()),
     )
     .expect("daemon");
@@ -420,7 +421,7 @@ async fn persistent_store_restores_policies_and_agent_auth_state() {
         "vault-password",
         SoftwareSignerBackend::default(),
         config,
-        PersistentStoreConfig::new(state_path.clone()),
+        PersistentStoreConfig::new_test(state_path.clone()),
     )
     .expect("restarted daemon");
     let lease = restarted
@@ -463,6 +464,7 @@ async fn persistent_store_restores_policies_and_agent_auth_state() {
     std::fs::remove_file(&state_path).expect("cleanup");
 }
+#[cfg(not(coverage))]
 #[tokio::test]
 async fn persistent_store_rejects_wrong_password() {
     let state_path = unique_state_path("wrong-password");
@@ -472,7 +474,7 @@ async fn persistent_store_rejects_wrong_password() {
         "vault-password",
         SoftwareSignerBackend::default(),
         config.clone(),
-        PersistentStoreConfig::new(state_path.clone()),
+        PersistentStoreConfig::new_test(state_path.clone()),
     )
     .expect("daemon");
     let lease = daemon.issue_lease("vault-password").await.expect("lease");
@@ -490,7 +492,7 @@ async fn persistent_store_rejects_wrong_password() {
         "wrong-password",
         SoftwareSignerBackend::default(),
         config,
-        PersistentStoreConfig::new(state_path.clone()),
+        PersistentStoreConfig::new_test(state_path.clone()),
     ) {
         Ok(_) => panic!("wrong password must fail state load"),
         Err(err) => err,
@@ -519,6 +521,7 @@ fn validate_loaded_state_rejects_insecure_remote_http_relay_url() {
 }
 #[cfg(unix)]
+#[cfg(not(coverage))]
 #[tokio::test]
 async fn persistent_store_rejects_group_writable_ancestor_directory() {
     use std::os::unix::fs::PermissionsExt;
@@ -542,7 +545,7 @@ async fn persistent_store_rejects_group_writable_ancestor_directory() {
         "vault-password",
         SoftwareSignerBackend::default(),
         DaemonConfig::default(),
-        PersistentStoreConfig::new(leaf.join("daemon-state.enc")),
+        PersistentStoreConfig::new_test(leaf.join("daemon-state.enc")),
     ) {
         Ok(_) => panic!("group-writable ancestor must be rejected"),
         Err(err) => err,
@@ -557,6 +560,7 @@ async fn persistent_store_rejects_group_writable_ancestor_directory() {
 }
 #[cfg(unix)]
+#[cfg(not(coverage))]
 #[tokio::test]
 async fn persistent_store_rejects_group_readable_state_file() {
     use std::os::unix::fs::PermissionsExt;
@@ -568,7 +572,7 @@ async fn persistent_store_rejects_group_readable_state_file() {
         "vault-password",
         SoftwareSignerBackend::default(),
         config.clone(),
-        PersistentStoreConfig::new(state_path.clone()),
+        PersistentStoreConfig::new_test(state_path.clone()),
     )
     .expect("daemon");
     let lease = daemon.issue_lease("vault-password").await.expect("lease");
@@ -589,7 +593,7 @@ async fn persistent_store_rejects_group_readable_state_file() {
         "vault-password",
         SoftwareSignerBackend::default(),
         config,
-        PersistentStoreConfig::new(state_path.clone()),
+        PersistentStoreConfig::new_test(state_path.clone()),
     ) {
         Ok(_) => panic!("group-readable state file must be rejected"),
         Err(err) => err,

package/crates/vault-domain/src/nonce.rs CHANGED Viewed

@@ -18,6 +18,9 @@ pub struct NonceReservationRequest {
     pub chain_id: u64,
     /// Minimum nonce the caller is willing to reserve.
     pub min_nonce: u64,
+    /// When true, reserve exactly `min_nonce` instead of allowing a higher nonce head.
+    #[serde(default)]
+    pub exact_nonce: bool,
     /// Request timestamp.
     pub requested_at: OffsetDateTime,
     /// Request expiry timestamp.
@@ -33,6 +36,7 @@ impl fmt::Debug for NonceReservationRequest {
             .field("agent_auth_token", &"<redacted>")
             .field("chain_id", &self.chain_id)
             .field("min_nonce", &self.min_nonce)
+            .field("exact_nonce", &self.exact_nonce)
             .field("requested_at", &self.requested_at)
             .field("expires_at", &self.expires_at)
             .finish()