@wlfi-agent/cli 1.4.17 → 1.4.19

package/crates/vault-domain/src/tests.rs

@@ -2,6 +2,7 @@ use std::collections::BTreeSet;
 
 use alloy_primitives::U256;
 use alloy_sol_types::{sol, SolCall};
+use serde::{Deserialize, Serialize};
 use time::OffsetDateTime;
 use uuid::Uuid;
 
@@ -53,6 +54,22 @@ fn manual_approval_capability_token_rejects_invalid_secret() {
     assert!(matches!(err, DomainError::InvalidRelayCapabilitySecret));
 }
 
+#[test]
+fn manual_approval_capability_helpers_reject_blank_and_short_inputs() {
+    let approval_request_id = Uuid::new_v4();
+    let err = manual_approval_capability_token("  ", approval_request_id)
+        .expect_err("must reject blank secret");
+    assert!(matches!(err, DomainError::InvalidRelayCapabilitySecret));
+
+    let err = manual_approval_capability_token("11", approval_request_id)
+        .expect_err("must reject short secret");
+    assert!(matches!(err, DomainError::InvalidRelayCapabilitySecret));
+
+    let err =
+        manual_approval_capability_hash("   ").expect_err("must reject blank capability token");
+    assert!(matches!(err, DomainError::InvalidRelayCapabilityToken));
+}
+
 #[test]
 fn address_deserialize_rejects_invalid_values() {
     let invalid =
@@ -88,6 +105,110 @@ fn policy_set_cannot_be_empty() {
     assert!(matches!(result, Err(DomainError::EmptyPolicySet)));
 }
 
+#[test]
+fn policy_attachment_applies_to_all_and_selected_ids() {
+    let first = Uuid::new_v4();
+    let second = Uuid::new_v4();
+    let attachment = PolicyAttachment::policy_set(BTreeSet::from([first])).expect("policy set");
+
+    assert!(PolicyAttachment::AllPolicies.applies_to(first));
+    assert!(attachment.applies_to(first));
+    assert!(!attachment.applies_to(second));
+}
+
+#[test]
+fn spending_policy_rejects_invalid_ranges_and_network_sets() {
+    let recipient: EvmAddress = "0x1111111111111111111111111111111111111111"
+        .parse()
+        .expect("recipient");
+    let asset = AssetId::Erc20(
+        "0x2222222222222222222222222222222222222222"
+            .parse()
+            .expect("token"),
+    );
+
+    let err = SpendingPolicy::new(
+        1,
+        PolicyType::PerTxMaxSpending,
+        0,
+        EntityScope::All,
+        EntityScope::All,
+        EntityScope::All,
+    )
+    .expect_err("zero max amount");
+    assert!(matches!(err, DomainError::InvalidAmount));
+
+    let err = SpendingPolicy::new_manual_approval(
+        1,
+        0,
+        10,
+        EntityScope::Set(BTreeSet::from([recipient.clone()])),
+        EntityScope::Set(BTreeSet::from([asset.clone()])),
+        EntityScope::Set(BTreeSet::from([1])),
+    )
+    .expect_err("zero min amount");
+    assert!(matches!(err, DomainError::InvalidAmount));
+
+    let err = SpendingPolicy::new_manual_approval(
+        1,
+        11,
+        10,
+        EntityScope::Set(BTreeSet::from([recipient.clone()])),
+        EntityScope::Set(BTreeSet::from([asset.clone()])),
+        EntityScope::Set(BTreeSet::from([1])),
+    )
+    .expect_err("min greater than max");
+    assert!(matches!(err, DomainError::InvalidAmount));
+
+    let err = SpendingPolicy::new(
+        1,
+        PolicyType::PerTxMaxSpending,
+        10,
+        EntityScope::Set(BTreeSet::from([recipient])),
+        EntityScope::Set(BTreeSet::from([asset])),
+        EntityScope::Set(BTreeSet::from([0])),
+    )
+    .expect_err("zero chain id");
+    assert!(matches!(err, DomainError::InvalidChainId));
+}
+
+#[derive(Debug, Serialize, Deserialize, PartialEq, Eq)]
+struct U128Wrapper {
+    #[serde(with = "super::u128_as_decimal_string")]
+    value: u128,
+}
+
+#[derive(Debug, Serialize, Deserialize, PartialEq, Eq)]
+struct OptionalU128Wrapper {
+    #[serde(with = "super::u128_as_decimal_string::option")]
+    value: Option<u128>,
+}
+
+#[test]
+fn u128_decimal_string_helpers_roundtrip_and_reject_invalid_values() {
+    let encoded = serde_json::to_string(&U128Wrapper { value: 42 }).expect("encode");
+    assert_eq!(encoded, r#"{"value":"42"}"#);
+    let decoded: U128Wrapper = serde_json::from_str(&encoded).expect("decode");
+    assert_eq!(decoded, U128Wrapper { value: 42 });
+
+    let some = serde_json::to_string(&OptionalU128Wrapper { value: Some(7) }).expect("encode");
+    assert_eq!(some, r#"{"value":"7"}"#);
+    let decoded: OptionalU128Wrapper = serde_json::from_str(&some).expect("decode");
+    assert_eq!(decoded, OptionalU128Wrapper { value: Some(7) });
+
+    let none = serde_json::to_string(&OptionalU128Wrapper { value: None }).expect("encode");
+    assert_eq!(none, r#"{"value":null}"#);
+    let decoded: OptionalU128Wrapper = serde_json::from_str(&none).expect("decode");
+    assert_eq!(decoded, OptionalU128Wrapper { value: None });
+
+    let err = serde_json::from_str::<U128Wrapper>(r#"{"value":"nope"}"#).expect_err("invalid u128");
+    assert!(err.to_string().contains("invalid digit"));
+
+    let err =
+        serde_json::from_str::<OptionalU128Wrapper>(r#"{"value":"bad"}"#).expect_err("invalid option u128");
+    assert!(err.to_string().contains("invalid digit"));
+}
+
 #[test]
 fn parse_erc20_transfer_call_succeeds() {
     let to = alloy_primitives::Address::from([0x11; 20]);
@@ -430,6 +551,32 @@ sol! {
 
     function permit(address owner, PermitSingle permitSingle, bytes signature);
     function transferWithAuthorization(address from, address to, uint256 value, uint256 validAfter, uint256 validBefore, bytes32 nonce, bytes signature);
+    function receiveWithAuthorization(address from, address to, uint256 value, uint256 validAfter, uint256 validBefore, bytes32 nonce, bytes signature);
+}
+
+#[test]
+fn asset_id_display_formats_native_and_erc20_variants() {
+    let token: EvmAddress = "0x1234000000000000000000000000000000000000"
+        .parse()
+        .expect("token");
+
+    assert_eq!(AssetId::NativeEth.to_string(), "native_eth");
+    assert_eq!(AssetId::Erc20(token).to_string(), "erc20:0x1234000000000000000000000000000000000000");
+}
+
+#[test]
+fn spending_policy_rejects_empty_network_sets() {
+    let err = SpendingPolicy::new(
+        1,
+        PolicyType::PerTxMaxSpending,
+        10,
+        EntityScope::All,
+        EntityScope::All,
+        EntityScope::Set(BTreeSet::new()),
+    )
+    .expect_err("empty network set must fail");
+
+    assert!(matches!(err, DomainError::InvalidChainId));
 }
 
 #[test]
@@ -617,6 +764,474 @@ fn permit2_and_eip3009_actions_produce_signing_hashes() {
     assert_ne!(transfer_hash, receive_hash);
 }
 
+#[test]
+fn permit2_and_eip3009_validation_reject_invalid_inputs() {
+    let base_permit = Permit2Permit {
+        chain_id: 1,
+        permit2_contract: "0x000000000022d473030f116ddee9f6b43ac78ba3"
+            .parse()
+            .expect("permit2"),
+        token: "0x1111111111111111111111111111111111111111"
+            .parse()
+            .expect("token"),
+        spender: "0x2222222222222222222222222222222222222222"
+            .parse()
+            .expect("spender"),
+        amount_wei: 123,
+        expiration: 100,
+        nonce: 7,
+        sig_deadline: 200,
+    };
+    assert!(matches!(
+        Permit2Permit {
+            chain_id: 0,
+            ..base_permit.clone()
+        }
+        .validate(),
+        Err(DomainError::InvalidChainId)
+    ));
+    assert!(matches!(
+        Permit2Permit {
+            amount_wei: 0,
+            ..base_permit.clone()
+        }
+        .validate(),
+        Err(DomainError::InvalidAmount)
+    ));
+    assert!(matches!(
+        Permit2Permit {
+            expiration: (1u64 << 48),
+            ..base_permit.clone()
+        }
+        .validate(),
+        Err(DomainError::AmountOutOfRange)
+    ));
+    assert!(matches!(
+        Permit2Permit {
+            nonce: (1u64 << 48),
+            ..base_permit
+        }
+        .validate(),
+        Err(DomainError::AmountOutOfRange)
+    ));
+
+    let base_eip3009 = Eip3009Transfer {
+        chain_id: 1,
+        token: "0x3333333333333333333333333333333333333333"
+            .parse()
+            .expect("token"),
+        token_name: "USD Coin".to_string(),
+        token_version: Some(String::new()),
+        from: "0x4444444444444444444444444444444444444444"
+            .parse()
+            .expect("from"),
+        to: "0x5555555555555555555555555555555555555555"
+            .parse()
+            .expect("to"),
+        amount_wei: 456,
+        valid_after: 10,
+        valid_before: 20,
+        nonce_hex: format!("0x{}", hex::encode([0xabu8; 32])),
+    };
+    let _ = base_eip3009
+        .transfer_signing_hash()
+        .expect("empty version should be ignored");
+    assert!(matches!(
+        Eip3009Transfer {
+            chain_id: 0,
+            ..base_eip3009.clone()
+        }
+        .validate(),
+        Err(DomainError::InvalidChainId)
+    ));
+    assert!(matches!(
+        Eip3009Transfer {
+            amount_wei: 0,
+            ..base_eip3009.clone()
+        }
+        .validate(),
+        Err(DomainError::InvalidAmount)
+    ));
+    assert!(matches!(
+        Eip3009Transfer {
+            token_name: "   ".to_string(),
+            ..base_eip3009.clone()
+        }
+        .validate(),
+        Err(DomainError::InvalidTypedDataDomain(_))
+    ));
+    assert!(matches!(
+        Eip3009Transfer {
+            valid_before: 10,
+            ..base_eip3009.clone()
+        }
+        .validate(),
+        Err(DomainError::InvalidAuthorizationWindow)
+    ));
+    assert!(matches!(
+        Eip3009Transfer {
+            nonce_hex: "0x1234".to_string(),
+            ..base_eip3009
+        }
+        .validate(),
+        Err(DomainError::InvalidTypedDataDomain(_))
+    ));
+}
+
+#[test]
+fn broadcast_tx_validation_covers_remaining_error_paths() {
+    let base_tx = BroadcastTx {
+        chain_id: 1,
+        nonce: 0,
+        to: "0xf0109fc8df283027b6285cc889f5aa624eac1f55"
+            .parse()
+            .expect("to"),
+        value_wei: 0,
+        data_hex: "0x".to_string(),
+        gas_limit: 21_000,
+        max_fee_per_gas_wei: 1_000_000_000,
+        max_priority_fee_per_gas_wei: 1_000_000_000,
+        tx_type: 0x02,
+        delegation_enabled: false,
+    };
+
+    assert!(matches!(
+        BroadcastTx {
+            chain_id: 0,
+            ..base_tx.clone()
+        }
+        .validate(),
+        Err(DomainError::InvalidChainId)
+    ));
+    assert!(matches!(
+        BroadcastTx {
+            gas_limit: 0,
+            ..base_tx.clone()
+        }
+        .validate(),
+        Err(DomainError::InvalidGasConfiguration)
+    ));
+    assert!(matches!(
+        BroadcastTx {
+            max_priority_fee_per_gas_wei: 2_000_000_000,
+            ..base_tx.clone()
+        }
+        .validate(),
+        Err(DomainError::InvalidGasConfiguration)
+    ));
+    assert!(matches!(
+        BroadcastTx {
+            gas_limit: u64::MAX,
+            max_fee_per_gas_wei: u128::MAX,
+            ..base_tx.clone()
+        }
+        .validate(),
+        Err(DomainError::AmountOutOfRange)
+    ));
+    assert!(matches!(
+        base_tx
+            .clone()
+            .eip1559_signed_raw_transaction(2, [0u8; 32], [0u8; 32]),
+        Err(DomainError::InvalidSignatureParity)
+    ));
+    assert!(matches!(
+        BroadcastTx {
+            tx_type: EIP7702_TX_TYPE,
+            ..base_tx
+        }
+        .eip1559_signed_raw_transaction(1, [0u8; 32], [0u8; 32]),
+        Err(DomainError::UnsupportedTransactionType(_))
+    ));
+}
+
+#[test]
+fn agent_action_helpers_cover_remaining_variants_and_none_paths() {
+    let approve = AgentAction::Approve {
+        chain_id: 1,
+        token: "0x1111111111111111111111111111111111111111"
+            .parse()
+            .expect("token"),
+        spender: "0x2222222222222222222222222222222222222222"
+            .parse()
+            .expect("spender"),
+        amount_wei: 12,
+    };
+    assert_eq!(
+        approve.recipient(),
+        "0x2222222222222222222222222222222222222222"
+            .parse()
+            .expect("spender")
+    );
+    assert_eq!(approve.max_fee_per_gas_wei(), None);
+    assert_eq!(approve.max_priority_fee_per_gas_wei(), None);
+    assert_eq!(approve.calldata_len_bytes(), None);
+    assert_eq!(approve.signing_hash().expect("non-typed action"), None);
+
+    let receive_authorization = Eip3009Transfer {
+        chain_id: 1,
+        token: "0x3333333333333333333333333333333333333333"
+            .parse()
+            .expect("token"),
+        token_name: "USD Coin".to_string(),
+        token_version: Some("2".to_string()),
+        from: "0x4444444444444444444444444444444444444444"
+            .parse()
+            .expect("from"),
+        to: "0x5555555555555555555555555555555555555555"
+            .parse()
+            .expect("to"),
+        amount_wei: 34,
+        valid_after: 10,
+        valid_before: 20,
+        nonce_hex: format!("0x{}", hex::encode([0xceu8; 32])),
+    };
+    let receive = AgentAction::Eip3009ReceiveWithAuthorization {
+        authorization: receive_authorization,
+    };
+    assert_eq!(
+        receive.asset(),
+        AssetId::Erc20(
+            "0x3333333333333333333333333333333333333333"
+                .parse()
+                .expect("token")
+        )
+    );
+    assert_eq!(
+        receive.recipient(),
+        "0x5555555555555555555555555555555555555555"
+            .parse()
+            .expect("to")
+    );
+
+    assert!(matches!(
+        AgentAction::TransferNative {
+            chain_id: 1,
+            to: "0x6666666666666666666666666666666666666666"
+                .parse()
+                .expect("to"),
+            amount_wei: 0,
+        }
+        .validate(),
+        Err(DomainError::InvalidAmount)
+    ));
+    assert!(matches!(
+        AgentAction::TransferNative {
+            chain_id: 0,
+            to: "0x6666666666666666666666666666666666666666"
+                .parse()
+                .expect("to"),
+            amount_wei: 1,
+        }
+        .validate(),
+        Err(DomainError::InvalidChainId)
+    ));
+}
+
+#[test]
+fn action_from_erc20_calldata_covers_transfer_and_zero_chain_guard() {
+    let to = alloy_primitives::Address::from([0x11; 20]);
+    let calldata = transferCall {
+        to,
+        value: U256::from(42_u64),
+    }
+    .abi_encode();
+    let token: EvmAddress = "0x3333333333333333333333333333333333333333"
+        .parse()
+        .expect("token");
+
+    assert!(matches!(
+        action_from_erc20_calldata(0, token.clone(), &calldata),
+        Err(DomainError::InvalidChainId)
+    ));
+    assert_eq!(
+        action_from_erc20_calldata(1, token.clone(), &calldata).expect("transfer action"),
+        AgentAction::Transfer {
+            chain_id: 1,
+            token,
+            to: "0x1111111111111111111111111111111111111111"
+                .parse()
+                .expect("to"),
+            amount_wei: 42,
+        }
+    );
+}
+
+#[test]
+fn broadcast_action_derives_approve_and_receive_with_authorization_scope() {
+    let approve_calldata = approveCall {
+        spender: alloy_primitives::Address::from([0x77; 20]),
+        value: U256::from(88_u64),
+    }
+    .abi_encode();
+    let approve_action = AgentAction::BroadcastTx {
+        tx: BroadcastTx {
+            chain_id: 1,
+            nonce: 0,
+            to: "0x8888000000000000000000000000000000000000"
+                .parse()
+                .expect("token"),
+            value_wei: 0,
+            data_hex: format!("0x{}", hex::encode(approve_calldata)),
+            gas_limit: 80_000,
+            max_fee_per_gas_wei: 1_000_000_000,
+            max_priority_fee_per_gas_wei: 1_000_000_000,
+            tx_type: 0x02,
+            delegation_enabled: false,
+        },
+    };
+    assert_eq!(
+        approve_action.recipient(),
+        "0x7777777777777777777777777777777777777777"
+            .parse()
+            .expect("spender")
+    );
+    assert_eq!(approve_action.amount_wei(), 88);
+
+    let receive_calldata = receiveWithAuthorizationCall {
+        from: alloy_primitives::Address::from([0x11; 20]),
+        to: alloy_primitives::Address::from([0x22; 20]),
+        value: U256::from(99_u64),
+        validAfter: U256::from(1_u64),
+        validBefore: U256::from(2_u64),
+        nonce: [0x44; 32].into(),
+        signature: vec![0xaa, 0xbb].into(),
+    }
+    .abi_encode();
+    let receive_action = AgentAction::BroadcastTx {
+        tx: BroadcastTx {
+            chain_id: 1,
+            nonce: 0,
+            to: "0x9999000000000000000000000000000000000000"
+                .parse()
+                .expect("token"),
+            value_wei: 0,
+            data_hex: format!("0x{}", hex::encode(receive_calldata)),
+            gas_limit: 90_000,
+            max_fee_per_gas_wei: 1_000_000_000,
+            max_priority_fee_per_gas_wei: 1_000_000_000,
+            tx_type: 0x02,
+            delegation_enabled: false,
+        },
+    };
+    assert_eq!(
+        receive_action.recipient(),
+        "0x2222222222222222222222222222222222222222"
+            .parse()
+            .expect("recipient")
+    );
+    assert_eq!(receive_action.amount_wei(), 99);
+}
+
+#[test]
+fn broadcast_tx_supports_long_rlp_payloads_and_rejects_out_of_range_token_amounts() {
+    let tx = BroadcastTx {
+        chain_id: 1,
+        nonce: 0,
+        to: "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+            .parse()
+            .expect("to"),
+        value_wei: 0,
+        data_hex: format!("0x{}", "11".repeat(64)),
+        gas_limit: 21_000,
+        max_fee_per_gas_wei: 1_000_000_000,
+        max_priority_fee_per_gas_wei: 1_000_000_000,
+        tx_type: 0x02,
+        delegation_enabled: false,
+    };
+    let raw = tx
+        .eip1559_signed_raw_transaction(1, [0x11; 32], [0x22; 32])
+        .expect("long payload should encode");
+    assert_eq!(raw.first().copied(), Some(0x02));
+
+    let oversized_approve = approveCall {
+        spender: alloy_primitives::Address::from([0x33; 20]),
+        value: U256::from(u128::MAX) + U256::from(1u8),
+    }
+    .abi_encode();
+    assert!(matches!(
+        parse_erc20_call(&oversized_approve),
+        Err(DomainError::AmountOutOfRange)
+    ));
+
+    let oversized_permit = permitCall {
+        owner: alloy_primitives::Address::from([0x66; 20]),
+        permitSingle: PermitSingle {
+            details: PermitDetails {
+                token: alloy_primitives::Address::from([0x44; 20]),
+                amount: alloy_primitives::U160::MAX,
+                expiration: alloy_primitives::aliases::U48::from_be_slice(&100u64.to_be_bytes()[2..]),
+                nonce: alloy_primitives::aliases::U48::from_be_slice(&7u64.to_be_bytes()[2..]),
+            },
+            spender: alloy_primitives::Address::from([0x55; 20]),
+            sigDeadline: U256::from(1234u64),
+        },
+        signature: vec![0x12, 0x34].into(),
+    }
+    .abi_encode();
+    let action = AgentAction::BroadcastTx {
+        tx: BroadcastTx {
+            chain_id: 1,
+            nonce: 0,
+            to: "0x9999000000000000000000000000000000000000"
+                .parse()
+                .expect("permit2 contract"),
+            value_wei: 0,
+            data_hex: format!("0x{}", hex::encode(oversized_permit)),
+            gas_limit: 60_000,
+            max_fee_per_gas_wei: 1_000_000_000,
+            max_priority_fee_per_gas_wei: 1_000_000_000,
+            tx_type: 0x02,
+            delegation_enabled: false,
+        },
+    };
+    assert_eq!(action.asset(), AssetId::NativeEth);
+}
+
+#[test]
+fn invalid_hex_payloads_are_rejected_for_transactions_and_typed_nonces() {
+    let tx = BroadcastTx {
+        chain_id: 1,
+        nonce: 0,
+        to: "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+            .parse()
+            .expect("to"),
+        value_wei: 0,
+        data_hex: "0x123".to_string(),
+        gas_limit: 21_000,
+        max_fee_per_gas_wei: 1_000_000_000,
+        max_priority_fee_per_gas_wei: 1_000_000_000,
+        tx_type: 0x02,
+        delegation_enabled: false,
+    };
+    assert!(matches!(
+        tx.validate(),
+        Err(DomainError::InvalidTransactionDataHex)
+    ));
+
+    let authorization = Eip3009Transfer {
+        chain_id: 1,
+        token: "0x3333333333333333333333333333333333333333"
+            .parse()
+            .expect("token"),
+        token_name: "USD Coin".to_string(),
+        token_version: Some("2".to_string()),
+        from: "0x4444444444444444444444444444444444444444"
+            .parse()
+            .expect("from"),
+        to: "0x5555555555555555555555555555555555555555"
+            .parse()
+            .expect("to"),
+        amount_wei: 456,
+        valid_after: 10,
+        valid_before: 20,
+        nonce_hex: "0xzz".to_string(),
+    };
+    assert!(matches!(
+        authorization.validate(),
+        Err(DomainError::InvalidTypedDataDomain(_))
+    ));
+}
+
 #[test]
 fn nonce_reservation_request_debug_redacts_agent_auth_token() {
     let request = NonceReservationRequest {
@@ -625,6 +1240,7 @@ fn nonce_reservation_request_debug_redacts_agent_auth_token() {
         agent_auth_token: "super-secret-token".to_string(),
         chain_id: 1,
         min_nonce: 7,
+        exact_nonce: false,
         requested_at: OffsetDateTime::UNIX_EPOCH,
         expires_at: OffsetDateTime::UNIX_EPOCH + time::Duration::minutes(2),
     };