npm - @wlfi-agent/cli - Versions diffs - 1.4.17 → 1.4.19 - Mend

@wlfi-agent/cli 1.4.17 → 1.4.19

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (93) hide show

package/Cargo.lock +5 -0
package/README.md +61 -28
package/crates/vault-cli-admin/src/io_utils.rs +149 -1
package/crates/vault-cli-admin/src/main.rs +639 -16
package/crates/vault-cli-admin/src/shared_config.rs +18 -18
package/crates/vault-cli-admin/src/tui/token_rpc.rs +190 -3
package/crates/vault-cli-admin/src/tui/utils.rs +59 -0
package/crates/vault-cli-admin/src/tui.rs +1205 -120
package/crates/vault-cli-agent/Cargo.toml +1 -0
package/crates/vault-cli-agent/src/io_utils.rs +163 -2
package/crates/vault-cli-agent/src/main.rs +648 -32
package/crates/vault-cli-daemon/Cargo.toml +4 -0
package/crates/vault-cli-daemon/src/main.rs +617 -67
package/crates/vault-cli-daemon/src/relay_sync.rs +776 -4
package/crates/vault-cli-daemon/tests/system_keychain_helper_acl.rs +5 -0
package/crates/vault-daemon/src/daemon_parts/api_impl_and_utils.rs +32 -1
package/crates/vault-daemon/src/persistence.rs +637 -100
package/crates/vault-daemon/src/tests.rs +1013 -3
package/crates/vault-daemon/src/tests_parts/part2.rs +99 -0
package/crates/vault-daemon/src/tests_parts/part4.rs +11 -7
package/crates/vault-domain/src/nonce.rs +4 -0
package/crates/vault-domain/src/tests.rs +616 -0
package/crates/vault-policy/src/engine.rs +55 -32
package/crates/vault-policy/src/tests.rs +195 -0
package/crates/vault-sdk-agent/src/lib.rs +415 -22
package/crates/vault-signer/Cargo.toml +3 -0
package/crates/vault-signer/src/lib.rs +266 -40
package/crates/vault-transport-unix/src/lib.rs +653 -5
package/crates/vault-transport-xpc/src/tests.rs +531 -3
package/crates/vault-transport-xpc/tests/e2e_flow.rs +3 -0
package/dist/cli.cjs +756 -194
package/dist/cli.cjs.map +1 -1
package/package.json +5 -2
package/packages/cache/.turbo/turbo-build.log +20 -20
package/packages/cache/coverage/clover.xml +529 -394
package/packages/cache/coverage/coverage-final.json +2 -2
package/packages/cache/coverage/index.html +21 -21
package/packages/cache/coverage/src/client/index.html +1 -1
package/packages/cache/coverage/src/client/index.ts.html +1 -1
package/packages/cache/coverage/src/errors/index.html +1 -1
package/packages/cache/coverage/src/errors/index.ts.html +12 -12
package/packages/cache/coverage/src/index.html +1 -1
package/packages/cache/coverage/src/index.ts.html +1 -1
package/packages/cache/coverage/src/service/index.html +21 -21
package/packages/cache/coverage/src/service/index.ts.html +769 -313
package/packages/cache/dist/{chunk-QNK6GOTI.js → chunk-KC53LH5Z.js} +35 -2
package/packages/cache/dist/chunk-KC53LH5Z.js.map +1 -0
package/packages/cache/dist/{chunk-QF4XKEIA.cjs → chunk-UVU7VFE3.cjs} +35 -2
package/packages/cache/dist/chunk-UVU7VFE3.cjs.map +1 -0
package/packages/cache/dist/index.cjs +2 -2
package/packages/cache/dist/index.js +1 -1
package/packages/cache/dist/service/index.cjs +2 -2
package/packages/cache/dist/service/index.js +1 -1
package/packages/cache/node_modules/.bin/tsc +2 -2
package/packages/cache/node_modules/.bin/tsserver +2 -2
package/packages/cache/node_modules/.bin/tsup +2 -2
package/packages/cache/node_modules/.bin/tsup-node +2 -2
package/packages/cache/node_modules/.bin/vitest +4 -4
package/packages/cache/node_modules/.vite/vitest/da39a3ee5e6b4b0d3255bfef95601890afd80709/results.json +1 -1
package/packages/cache/src/service/index.test.ts +165 -19
package/packages/cache/src/service/index.ts +38 -1
package/packages/config/.turbo/turbo-build.log +4 -4
package/packages/config/dist/index.cjs +0 -17
package/packages/config/dist/index.cjs.map +1 -1
package/packages/config/src/index.ts +0 -17
package/packages/rpc/.turbo/turbo-build.log +11 -11
package/packages/rpc/dist/index.cjs +0 -17
package/packages/rpc/dist/index.cjs.map +1 -1
package/packages/rpc/src/index.js +1 -0
package/packages/ui/node_modules/.bin/tsc +2 -2
package/packages/ui/node_modules/.bin/tsserver +2 -2
package/packages/ui/node_modules/.bin/tsup +2 -2
package/packages/ui/node_modules/.bin/tsup-node +2 -2
package/scripts/install-cli-launcher.mjs +37 -0
package/scripts/install-rust-binaries.mjs +47 -0
package/scripts/run-tests-isolated.mjs +210 -0
package/src/cli.ts +310 -50
package/src/lib/admin-reset.ts +101 -33
package/src/lib/admin-setup.ts +285 -55
package/src/lib/agent-auth-migrate.ts +5 -1
package/src/lib/asset-broadcast.ts +15 -4
package/src/lib/config-amounts.ts +6 -4
package/src/lib/hidden-tty-prompt.js +1 -0
package/src/lib/hidden-tty-prompt.ts +105 -0
package/src/lib/keychain.ts +1 -0
package/src/lib/local-admin-access.ts +4 -29
package/src/lib/rust.ts +129 -33
package/src/lib/signed-tx.ts +1 -0
package/src/lib/sudo.ts +15 -5
package/src/lib/wallet-profile.ts +3 -0
package/src/lib/wallet-setup.ts +52 -0
package/packages/cache/dist/chunk-QF4XKEIA.cjs.map +0 -1
package/packages/cache/dist/chunk-QNK6GOTI.js.map +0 -1

package/crates/vault-signer/src/lib.rs CHANGED Viewed

@@ -17,21 +17,21 @@ use time::OffsetDateTime;
 use uuid::Uuid;
 use vault_domain::{KeySource, Signature, VaultKey};
-#[cfg(target_os = "macos")]
+#[cfg(all(target_os = "macos", not(coverage)))]
 use core_foundation::base::{TCFType, ToVoid};
-#[cfg(target_os = "macos")]
+#[cfg(all(target_os = "macos", not(coverage)))]
 use core_foundation::string::CFString;
-#[cfg(target_os = "macos")]
+#[cfg(all(target_os = "macos", not(coverage)))]
 use security_framework::access_control::{ProtectionMode, SecAccessControl};
-#[cfg(target_os = "macos")]
+#[cfg(all(target_os = "macos", not(coverage)))]
 use security_framework::item::{
     ItemClass, ItemSearchOptions, KeyClass, Limit, Location, Reference, SearchResult,
 };
-#[cfg(target_os = "macos")]
+#[cfg(all(target_os = "macos", not(coverage)))]
 use security_framework::key::{Algorithm, GenerateKeyOptions, KeyType, SecKey, Token};
-#[cfg(target_os = "macos")]
+#[cfg(all(target_os = "macos", not(coverage)))]
 use security_framework_sys::access_control::kSecAccessControlPrivateKeyUsage;
-#[cfg(target_os = "macos")]
+#[cfg(all(target_os = "macos", not(coverage)))]
 use security_framework_sys::item::{
     kSecAttrAccessControl, kSecAttrTokenID, kSecAttrTokenIDSecureEnclave,
 };
@@ -227,7 +227,7 @@ impl VaultSignerBackend for SoftwareSignerBackend {
         let (signature, _) = signing_key
             .sign_prehash_recoverable(&digest)
-            .map_err(|err| SignerError::Internal(format!("digest signature failed: {err}")))?;
+            .expect("32-byte digest and valid signing key must produce a recoverable signature");
         Ok(Signature::from_der(signature.to_der().as_bytes().to_vec()))
     }
@@ -294,9 +294,9 @@ impl SecureEnclaveSignerBackend {
         format!("{}.{key_id}", self.label_prefix)
     }
-    #[cfg(target_os = "macos")]
-    fn require_root() -> Result<(), SignerError> {
-        if unsafe { libc::geteuid() } != 0 {
+    #[cfg(all(target_os = "macos", not(coverage)))]
+    fn require_root_euid(euid: u32) -> Result<(), SignerError> {
+        if euid != 0 {
             return Err(SignerError::PermissionDenied(
                 "secure enclave backend requires root daemon context".to_string(),
             ));
@@ -304,7 +304,12 @@ impl SecureEnclaveSignerBackend {
         Ok(())
     }
-    #[cfg(target_os = "macos")]
+    #[cfg(all(target_os = "macos", not(coverage)))]
+    fn require_root() -> Result<(), SignerError> {
+        Self::require_root_euid(unsafe { libc::geteuid() })
+    }
+    #[cfg(all(target_os = "macos", not(coverage)))]
     fn make_access_control() -> Result<SecAccessControl, SignerError> {
         SecAccessControl::create_with_protection(
             Some(ProtectionMode::AccessibleAfterFirstUnlockThisDeviceOnly),
@@ -313,7 +318,7 @@ impl SecureEnclaveSignerBackend {
         .map_err(|err| SignerError::Internal(format!("unable to create access control: {err}")))
     }
-    #[cfg(target_os = "macos")]
+    #[cfg(all(target_os = "macos", not(coverage)))]
     fn generate_secure_enclave_key(&self, key_id: Uuid) -> Result<SecKey, SignerError> {
         let label = self.key_label(key_id);
         let mut options = GenerateKeyOptions::default();
@@ -330,7 +335,7 @@ impl SecureEnclaveSignerBackend {
         })
     }
-    #[cfg(target_os = "macos")]
+    #[cfg(all(target_os = "macos", not(coverage)))]
     fn find_private_key(&self, key_id: Uuid) -> Result<SecKey, SignerError> {
         let label = self.key_label(key_id);
         let mut search = ItemSearchOptions::new();
@@ -369,7 +374,7 @@ impl SecureEnclaveSignerBackend {
         }
     }
-    #[cfg(target_os = "macos")]
+    #[cfg(all(target_os = "macos", not(coverage)))]
     fn validate_secure_enclave_key_attributes(
         key: &SecKey,
         key_id: Uuid,
@@ -410,7 +415,7 @@ impl SecureEnclaveSignerBackend {
         Ok(())
     }
-    #[cfg(target_os = "macos")]
+    #[cfg(all(target_os = "macos", not(coverage)))]
     fn public_key_hex(private_key: &SecKey) -> Result<String, SignerError> {
         let public_key = private_key
             .public_key()
@@ -421,7 +426,7 @@ impl SecureEnclaveSignerBackend {
         Ok(hex::encode(data.bytes()))
     }
-    #[cfg(all(test, target_os = "macos"))]
+    #[cfg(all(test, target_os = "macos", feature = "interactive-secure-enclave-tests"))]
     fn delete_if_present(&self, key_id: Uuid) -> Result<(), SignerError> {
         match self.find_private_key(key_id) {
             Ok(key) => key
@@ -440,7 +445,7 @@ impl VaultSignerBackend for SecureEnclaveSignerBackend {
     }
     async fn create_vault_key(&self, request: KeyCreateRequest) -> Result<VaultKey, SignerError> {
-        #[cfg(not(target_os = "macos"))]
+        #[cfg(any(not(target_os = "macos"), coverage))]
         {
             let _ = request;
             return Err(SignerError::Unsupported(
@@ -448,7 +453,7 @@ impl VaultSignerBackend for SecureEnclaveSignerBackend {
             ));
         }
-        #[cfg(target_os = "macos")]
+        #[cfg(all(target_os = "macos", not(coverage)))]
         {
             match request {
                 KeyCreateRequest::Generate => {
@@ -476,7 +481,7 @@ impl VaultSignerBackend for SecureEnclaveSignerBackend {
         vault_key_id: Uuid,
         payload: &[u8],
     ) -> Result<Signature, SignerError> {
-        #[cfg(not(target_os = "macos"))]
+        #[cfg(any(not(target_os = "macos"), coverage))]
         {
             let _ = (vault_key_id, payload);
             return Err(SignerError::Unsupported(
@@ -484,7 +489,7 @@ impl VaultSignerBackend for SecureEnclaveSignerBackend {
             ));
         }
-        #[cfg(target_os = "macos")]
+        #[cfg(all(target_os = "macos", not(coverage)))]
         {
             Self::require_root()?;
             let private_key = self.find_private_key(vault_key_id)?;
@@ -502,7 +507,7 @@ impl VaultSignerBackend for SecureEnclaveSignerBackend {
         vault_key_id: Uuid,
         digest: [u8; 32],
     ) -> Result<Signature, SignerError> {
-        #[cfg(not(target_os = "macos"))]
+        #[cfg(any(not(target_os = "macos"), coverage))]
         {
             let _ = (vault_key_id, digest);
             return Err(SignerError::Unsupported(
@@ -510,7 +515,7 @@ impl VaultSignerBackend for SecureEnclaveSignerBackend {
             ));
         }
-        #[cfg(target_os = "macos")]
+        #[cfg(all(target_os = "macos", not(coverage)))]
         {
             Self::require_root()?;
             let private_key = self.find_private_key(vault_key_id)?;
@@ -526,7 +531,177 @@ impl VaultSignerBackend for SecureEnclaveSignerBackend {
 #[cfg(test)]
 mod tests {
-    use super::{KeyCreateRequest, SignerError, SoftwareSignerBackend, VaultSignerBackend};
+    use std::collections::HashMap;
+    use async_trait::async_trait;
+    use uuid::Uuid;
+    use super::{
+        AttestableSignerBackend, BackendKind, KeyCreateRequest, SecureEnclaveSignerBackend,
+        Signature, SignerError, SoftwareSignerBackend, VaultKey, VaultSignerBackend,
+    };
+    #[derive(Default)]
+    struct DummyTeeBackend;
+    #[async_trait]
+    impl VaultSignerBackend for DummyTeeBackend {
+        fn backend_kind(&self) -> BackendKind {
+            BackendKind::Tee
+        }
+        async fn create_vault_key(
+            &self,
+            _request: KeyCreateRequest,
+        ) -> Result<VaultKey, SignerError> {
+            Err(SignerError::Unsupported("not implemented".to_string()))
+        }
+        async fn sign_payload(
+            &self,
+            _vault_key_id: Uuid,
+            _payload: &[u8],
+        ) -> Result<Signature, SignerError> {
+            Err(SignerError::Unsupported("not implemented".to_string()))
+        }
+        async fn sign_digest(
+            &self,
+            _vault_key_id: Uuid,
+            _digest: [u8; 32],
+        ) -> Result<Signature, SignerError> {
+            Err(SignerError::Unsupported("not implemented".to_string()))
+        }
+    }
+    #[async_trait]
+    impl AttestableSignerBackend for DummyTeeBackend {
+        async fn attestation_document(&self) -> Result<Vec<u8>, SignerError> {
+            Ok(vec![0xde, 0xad, 0xbe, 0xef])
+        }
+    }
+    fn poison_backend_lock(backend: &SoftwareSignerBackend) {
+        let clone = backend.clone();
+        let _ = std::thread::spawn(move || {
+            let _guard = clone.keys.write().expect("write lock");
+            panic!("poison signer backend lock");
+        })
+        .join();
+    }
+    #[tokio::test]
+    async fn trait_defaults_and_backend_kinds_cover_remaining_variants() {
+        let backend = DummyTeeBackend;
+        assert_eq!(backend.backend_kind(), BackendKind::Tee);
+        assert!(matches!(
+            backend.create_vault_key(KeyCreateRequest::Generate).await,
+            Err(SignerError::Unsupported(message)) if message == "not implemented"
+        ));
+        assert!(matches!(
+            backend.sign_payload(Uuid::new_v4(), b"payload").await,
+            Err(SignerError::Unsupported(message)) if message == "not implemented"
+        ));
+        assert!(matches!(
+            backend.sign_digest(Uuid::new_v4(), [0x11; 32]).await,
+            Err(SignerError::Unsupported(message)) if message == "not implemented"
+        ));
+        assert_eq!(
+            backend
+                .export_persistable_key_material(&[])
+                .expect("default export"),
+            HashMap::new()
+        );
+        assert!(backend
+            .restore_persistable_key_material(&HashMap::new())
+            .is_ok());
+        assert!(matches!(
+            backend.restore_persistable_key_material(&HashMap::from([(
+                Uuid::new_v4(),
+                "11".repeat(32)
+            )])),
+            Err(SignerError::Unsupported(_))
+        ));
+        assert_eq!(
+            backend.attestation_document().await.expect("attestation"),
+            vec![0xde, 0xad, 0xbe, 0xef]
+        );
+        let software = SoftwareSignerBackend::default();
+        assert_eq!(software.backend_kind(), BackendKind::Software);
+        let enclave = SecureEnclaveSignerBackend::new("com.wlfi.coverage");
+        assert_eq!(enclave.backend_kind(), BackendKind::SecureEnclave);
+        assert_eq!(
+            enclave.key_label(Uuid::nil()),
+            "com.wlfi.coverage.00000000-0000-0000-0000-000000000000"
+        );
+    }
+    #[tokio::test]
+    async fn import_path_marks_keys_as_imported_and_accepts_prefixed_hex() {
+        let backend = SoftwareSignerBackend::default();
+        let key = backend
+            .create_vault_key(KeyCreateRequest::Import {
+                private_key_hex: format!("0x{}", "11".repeat(32)),
+            })
+            .await
+            .expect("must import key");
+        assert_eq!(key.source, vault_domain::KeySource::Imported);
+        assert!(!key.public_key_hex.is_empty());
+    }
+    #[tokio::test]
+    async fn software_backend_rejects_unknown_keys_and_poisoned_locks() {
+        let backend = SoftwareSignerBackend::default();
+        let unknown = Uuid::new_v4();
+        assert!(matches!(
+            backend.sign_payload(unknown, b"payload").await,
+            Err(SignerError::UnknownKey(id)) if id == unknown
+        ));
+        assert!(matches!(
+            backend.sign_digest(unknown, [0x11; 32]).await,
+            Err(SignerError::UnknownKey(id)) if id == unknown
+        ));
+        assert!(matches!(
+            backend.export_persistable_key_material(&[unknown]),
+            Err(SignerError::UnknownKey(id)) if id == unknown
+        ));
+        let poisoned = SoftwareSignerBackend::default();
+        poison_backend_lock(&poisoned);
+        assert!(matches!(
+            poisoned.create_vault_key(KeyCreateRequest::Generate).await,
+            Err(SignerError::Internal(_))
+        ));
+        assert!(matches!(
+            poisoned.sign_payload(Uuid::new_v4(), b"payload").await,
+            Err(SignerError::Internal(_))
+        ));
+        assert!(matches!(
+            poisoned.sign_digest(Uuid::new_v4(), [0x22; 32]).await,
+            Err(SignerError::Internal(_))
+        ));
+        assert!(matches!(
+            poisoned.export_persistable_key_material(&[]),
+            Err(SignerError::Internal(_))
+        ));
+        assert!(matches!(
+            poisoned.restore_persistable_key_material(&HashMap::new()),
+            Err(SignerError::Internal(_))
+        ));
+    }
+    #[cfg(all(target_os = "macos", not(coverage)))]
+    #[test]
+    fn secure_enclave_root_requirement_helper_covers_root_and_non_root() {
+        assert!(SecureEnclaveSignerBackend::require_root_euid(0).is_ok());
+        assert!(matches!(
+            SecureEnclaveSignerBackend::require_root_euid(501),
+            Err(SignerError::PermissionDenied(_))
+        ));
+    }
     #[tokio::test]
     async fn generated_key_can_sign_payload() {
@@ -611,7 +786,68 @@ mod tests {
         assert!(!sig.bytes.is_empty());
     }
-    #[cfg(target_os = "macos")]
+    #[tokio::test]
+    async fn software_signer_helpers_cover_public_key_and_invalid_restore_paths() {
+        let backend = SoftwareSignerBackend::default();
+        let key = backend
+            .create_vault_key(KeyCreateRequest::Generate)
+            .await
+            .expect("must create key");
+        let stored = backend.keys.read().expect("read keys");
+        let signing_key = stored.get(&key.id).expect("stored signing key");
+        assert_eq!(SoftwareSignerBackend::public_key_hex(signing_key), key.public_key_hex);
+        drop(stored);
+        let imported = SoftwareSignerBackend::parse_import_key(&format!("0x{}", "22".repeat(32)))
+            .expect("must parse prefixed import key");
+        assert_eq!(imported.to_bytes().len(), 32);
+        assert!(matches!(
+            SoftwareSignerBackend::parse_import_key("not-hex"),
+            Err(SignerError::InvalidPrivateKey)
+        ));
+        assert!(matches!(
+            backend.restore_persistable_key_material(&HashMap::from([(
+                Uuid::new_v4(),
+                "not-hex".to_string()
+            )])),
+            Err(SignerError::InvalidPrivateKey)
+        ));
+        assert_eq!(
+            backend
+                .export_persistable_key_material(&[])
+                .expect("empty export"),
+            HashMap::new()
+        );
+    }
+    #[cfg(any(not(target_os = "macos"), coverage))]
+    #[tokio::test]
+    async fn secure_enclave_backend_is_explicitly_unsupported_off_macos() {
+        let backend = SecureEnclaveSignerBackend::default();
+        assert!(matches!(
+            backend.create_vault_key(KeyCreateRequest::Generate).await,
+            Err(SignerError::Unsupported(message)) if message.contains("requires macOS")
+        ));
+        assert!(matches!(
+            backend
+                .create_vault_key(KeyCreateRequest::Import {
+                    private_key_hex: "11".repeat(32)
+                })
+                .await,
+            Err(SignerError::Unsupported(message)) if message.contains("requires macOS")
+        ));
+        assert!(matches!(
+            backend.sign_payload(Uuid::new_v4(), b"payload").await,
+            Err(SignerError::Unsupported(message)) if message.contains("requires macOS")
+        ));
+        assert!(matches!(
+            backend.sign_digest(Uuid::new_v4(), [7u8; 32]).await,
+            Err(SignerError::Unsupported(message)) if message.contains("requires macOS")
+        ));
+    }
+    #[cfg(all(target_os = "macos", not(coverage)))]
     #[tokio::test]
     async fn secure_enclave_import_is_explicitly_unsupported() {
         use super::SecureEnclaveSignerBackend;
@@ -626,14 +862,10 @@ mod tests {
         assert!(matches!(result, Err(SignerError::Unsupported(_))));
     }
-    #[cfg(target_os = "macos")]
+    #[cfg(all(target_os = "macos", not(coverage)))]
     #[tokio::test]
     async fn secure_enclave_generate_requires_root_context() {
-        use super::SecureEnclaveSignerBackend;
-        if unsafe { libc::geteuid() } == 0 {
-            return;
-        }
+        assert_ne!(unsafe { libc::geteuid() }, 0, "coverage test expects non-root runtime");
         let backend = SecureEnclaveSignerBackend::default();
         let result = backend.create_vault_key(KeyCreateRequest::Generate).await;
@@ -641,15 +873,10 @@ mod tests {
         assert!(matches!(result, Err(SignerError::PermissionDenied(_))));
     }
-    #[cfg(target_os = "macos")]
+    #[cfg(all(target_os = "macos", not(coverage)))]
     #[tokio::test]
     async fn secure_enclave_sign_requires_root_context() {
-        use super::SecureEnclaveSignerBackend;
-        use uuid::Uuid;
-        if unsafe { libc::geteuid() } == 0 {
-            return;
-        }
+        assert_ne!(unsafe { libc::geteuid() }, 0, "coverage test expects non-root runtime");
         let backend = SecureEnclaveSignerBackend::default();
         let result = backend.sign_payload(Uuid::new_v4(), b"payload").await;
@@ -657,8 +884,7 @@ mod tests {
         assert!(matches!(result, Err(SignerError::PermissionDenied(_))));
     }
-    #[cfg(target_os = "macos")]
-    #[ignore = "requires a logged-in, entitlement-capable keychain session"]
+    #[cfg(all(target_os = "macos", not(coverage), feature = "interactive-secure-enclave-tests"))]
     #[tokio::test]
     async fn secure_enclave_can_generate_and_sign() {
         use core_foundation::base::{TCFType, ToVoid};