@wlfi-agent/cli 1.4.17 → 1.4.19

package/crates/vault-transport-unix/src/lib.rs

@@ -1232,21 +1232,33 @@ impl KeyManagerDaemonApi for UnixDaemonClient {
 #[cfg(test)]
 mod tests {
     use super::{
-        assert_root_owned_daemon_socket_path, combined_allowed_peer_euids, ensure_socket_parent,
-        handle_connection, read_frame, rpc_access_level, socket_mode_for_allowed_peer_euids,
+        assert_root_owned_daemon_socket_path, assert_trusted_daemon_socket_path,
+        combined_allowed_peer_euids, ensure_socket_parent, handle_connection, read_frame,
+        remove_existing_socket_file, rpc_access_level, socket_mode_for_allowed_peer_euids,
         write_frame, RpcAccessLevel, UnixDaemonClient, UnixDaemonServer, UnixTransportError,
-        WireRequest, WireResponse,
+        WireDaemonError, WireRequest, WireResponse, MAX_WIRE_BODY_BYTES,
     };
+    use serde_json::to_vec;
     use std::collections::BTreeSet;
     use std::path::Path;
     use std::sync::Arc;
     use std::time::Duration;
     use time::OffsetDateTime;
+    use tokio::io::AsyncWriteExt;
     use tokio::net::UnixStream;
     use uuid::Uuid;
-    use vault_daemon::{DaemonConfig, InMemoryDaemon, KeyManagerDaemonApi};
-    use vault_domain::{AgentAction, SignRequest};
+    use vault_daemon::{
+        DaemonConfig, DaemonError, DaemonRpcRequest, DaemonRpcResponse, KeyManagerDaemonApi,
+        InMemoryDaemon,
+    };
+    use vault_domain::{
+        AdminSession, AgentAction, AgentCredentials, EntityScope, ManualApprovalStatus,
+        NonceReleaseRequest, NonceReservationRequest, PolicyAttachment, PolicyType, RelayConfig,
+        SignRequest, SpendingPolicy,
+    };
+    use vault_policy::{PolicyDecision, PolicyError};
     use vault_signer::SoftwareSignerBackend;
+    use vault_signer::{KeyCreateRequest, SignerError};
 
     fn unique_socket_path(label: &str) -> std::path::PathBuf {
         std::env::temp_dir().join(format!(
@@ -1257,6 +1269,19 @@ mod tests {
         ))
     }
 
+    fn short_test_root(label: &str) -> std::path::PathBuf {
+        let base = if Path::new("/private/tmp").is_dir() {
+            Path::new("/private/tmp")
+        } else {
+            Path::new("/tmp")
+        };
+        base.join(format!(
+            "w-{}-{}",
+            label,
+            &uuid::Uuid::new_v4().simple().to_string()[..6]
+        ))
+    }
+
     fn singleton_allowed_set(euid: u32) -> BTreeSet<u32> {
         let mut set = BTreeSet::new();
         set.insert(euid);
@@ -1281,6 +1306,97 @@ mod tests {
         }
     }
 
+    fn policy_all_per_tx(max_amount_wei: u128) -> SpendingPolicy {
+        SpendingPolicy::new(
+            0,
+            PolicyType::PerTxMaxSpending,
+            max_amount_wei,
+            EntityScope::All,
+            EntityScope::All,
+            EntityScope::All,
+        )
+        .expect("policy")
+    }
+
+    fn admin_session(lease: vault_domain::Lease) -> AdminSession {
+        AdminSession {
+            vault_password: "vault-password".to_string(),
+            lease,
+        }
+    }
+
+    fn sign_request(credentials: &AgentCredentials, amount_wei: u128) -> SignRequest {
+        let action = AgentAction::TransferNative {
+            chain_id: 1,
+            to: "0x2222222222222222222222222222222222222222"
+                .parse()
+                .expect("recipient"),
+            amount_wei,
+        };
+        let now = OffsetDateTime::now_utc();
+        SignRequest {
+            request_id: Uuid::new_v4(),
+            agent_key_id: credentials.agent_key.id,
+            agent_auth_token: credentials.auth_token.clone(),
+            payload: to_vec(&action).expect("serialize action"),
+            action,
+            requested_at: now,
+            expires_at: now + time::Duration::minutes(2),
+        }
+    }
+
+    fn nonce_reservation_request(
+        credentials: &AgentCredentials,
+        min_nonce: u64,
+    ) -> NonceReservationRequest {
+        let now = OffsetDateTime::now_utc();
+        NonceReservationRequest {
+            request_id: Uuid::new_v4(),
+            agent_key_id: credentials.agent_key.id,
+            agent_auth_token: credentials.auth_token.clone(),
+            chain_id: 1,
+            min_nonce,
+            exact_nonce: false,
+            requested_at: now,
+            expires_at: now + time::Duration::minutes(2),
+        }
+    }
+
+    fn nonce_release_request(
+        credentials: &AgentCredentials,
+        reservation_id: Uuid,
+    ) -> NonceReleaseRequest {
+        let now = OffsetDateTime::now_utc();
+        NonceReleaseRequest {
+            request_id: Uuid::new_v4(),
+            agent_key_id: credentials.agent_key.id,
+            agent_auth_token: credentials.auth_token.clone(),
+            reservation_id,
+            requested_at: now,
+            expires_at: now + time::Duration::minutes(2),
+        }
+    }
+
+    async fn spawn_one_shot_server(
+        socket_path: std::path::PathBuf,
+        response: WireResponse,
+    ) -> tokio::task::JoinHandle<()> {
+        if let Some(parent) = socket_path.parent() {
+            std::fs::create_dir_all(parent).expect("create server parent");
+        }
+        let _ = std::fs::remove_file(&socket_path);
+        let listener = tokio::net::UnixListener::bind(&socket_path).expect("bind fake server");
+        tokio::spawn(async move {
+            let (mut stream, _) = listener.accept().await.expect("accept");
+            let _: WireRequest = read_frame(&mut stream, Duration::from_secs(2))
+                .await
+                .expect("read request");
+            write_frame(&mut stream, &response, Duration::from_secs(2))
+                .await
+                .expect("write response");
+        })
+    }
+
     #[cfg(unix)]
     fn socket_mode(path: &Path) -> u32 {
         use std::os::unix::fs::PermissionsExt;
@@ -1361,6 +1477,114 @@ mod tests {
         std::fs::remove_dir_all(&root).expect("cleanup");
     }
 
+    #[test]
+    #[cfg(unix)]
+    fn assert_trusted_daemon_socket_path_accepts_current_user_socket_and_rejects_bad_parents() {
+        use std::os::unix::fs::symlink;
+        use std::os::unix::net::UnixListener as StdUnixListener;
+
+        let err = assert_trusted_daemon_socket_path(Path::new(""))
+            .expect_err("empty path must be rejected");
+        assert!(err.contains("must not be empty"));
+
+        let err = assert_trusted_daemon_socket_path(Path::new("daemon.sock")).expect_err("must reject");
+        assert!(err.contains("must have a parent directory"));
+
+        let root = short_test_root("trusted");
+        let real_dir = root.join("real");
+        std::fs::create_dir_all(&real_dir).expect("create real dir");
+        let socket_path = real_dir.join("daemon.sock");
+        let _listener = StdUnixListener::bind(&socket_path).expect("bind socket");
+        assert_eq!(
+            assert_trusted_daemon_socket_path(&socket_path).expect("trusted socket"),
+            socket_path
+        );
+
+        let linked_dir = root.join("linked");
+        symlink(&real_dir, &linked_dir).expect("symlink dir");
+        let err = assert_trusted_daemon_socket_path(&linked_dir.join("daemon.sock"))
+            .expect_err("symlink parent must fail");
+        assert!(err.contains("socket directory"));
+        assert!(err.contains("must not be a symlink"));
+
+        std::fs::remove_file(root.join("linked")).expect("remove symlink");
+        std::fs::remove_file(socket_path).expect("remove socket");
+        std::fs::remove_dir_all(root).expect("cleanup");
+    }
+
+    #[tokio::test(flavor = "current_thread")]
+    async fn write_and_read_frame_cover_protocol_and_serialization_errors() {
+        let (mut writer, mut reader) = UnixStream::pair().expect("stream pair");
+        let message = WireRequest {
+            body_json: "{\"ok\":true}".to_string(),
+        };
+        write_frame(&mut writer, &message, Duration::from_secs(2))
+            .await
+            .expect("write frame");
+        let decoded: WireRequest = read_frame(&mut reader, Duration::from_secs(2))
+            .await
+            .expect("read frame");
+        assert_eq!(decoded.body_json, message.body_json);
+
+        let oversized = WireRequest {
+            body_json: "x".repeat(MAX_WIRE_BODY_BYTES + 1),
+        };
+        let err = write_frame(&mut writer, &oversized, Duration::from_secs(2))
+            .await
+            .expect_err("oversized write");
+        assert!(matches!(err, UnixTransportError::Protocol(message) if message.contains("wire body exceeds max bytes")));
+
+        let (mut invalid_writer, mut invalid_reader) = UnixStream::pair().expect("stream pair");
+        invalid_writer
+            .write_all(&((MAX_WIRE_BODY_BYTES as u32) + 1).to_be_bytes())
+            .await
+            .expect("write length");
+        let err = read_frame::<WireRequest>(&mut invalid_reader, Duration::from_secs(2))
+            .await
+            .expect_err("oversized read");
+        assert!(matches!(err, UnixTransportError::Protocol(message) if message.contains("wire frame exceeds max bytes")));
+
+        let (mut malformed_writer, mut malformed_reader) = UnixStream::pair().expect("stream pair");
+        malformed_writer
+            .write_all(&(4u32).to_be_bytes())
+            .await
+            .expect("write length");
+        malformed_writer
+            .write_all(b"nope")
+            .await
+            .expect("write body");
+        let err = read_frame::<WireRequest>(&mut malformed_reader, Duration::from_secs(2))
+            .await
+            .expect_err("malformed read");
+        assert!(matches!(err, UnixTransportError::Serialization(_)));
+    }
+
+    #[test]
+    #[cfg(unix)]
+    fn remove_existing_socket_file_covers_missing_socket_and_non_socket_paths() {
+        use std::os::unix::net::UnixListener as StdUnixListener;
+
+        let root = short_test_root("rm");
+        std::fs::create_dir_all(&root).expect("create root");
+
+        let missing = root.join("missing.sock");
+        remove_existing_socket_file(&missing).expect("missing is a noop");
+
+        let file = root.join("file.sock");
+        std::fs::write(&file, "not a socket").expect("write file");
+        let err = remove_existing_socket_file(&file).expect_err("non-socket path");
+        assert!(err.contains("is not a unix socket"));
+        std::fs::remove_file(&file).expect("remove file");
+
+        let socket = root.join("daemon.sock");
+        let _listener = StdUnixListener::bind(&socket).expect("bind socket");
+        drop(_listener);
+        remove_existing_socket_file(&socket).expect("remove socket");
+        assert!(!socket.exists());
+
+        std::fs::remove_dir_all(root).expect("cleanup");
+    }
+
     #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
     async fn unix_round_trip_for_issue_lease() {
         let socket_path = unique_socket_path("lease");
@@ -1398,6 +1622,154 @@ mod tests {
         let _ = server_task.await;
     }
 
+    #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+    async fn unix_round_trip_for_full_key_manager_api_surface() {
+        let socket_path = unique_socket_path("full-surface");
+        let daemon = Arc::new(
+            InMemoryDaemon::new(
+                "vault-password",
+                SoftwareSignerBackend::default(),
+                DaemonConfig::default(),
+            )
+            .expect("daemon"),
+        );
+        let server = UnixDaemonServer::bind(
+            socket_path.clone(),
+            singleton_allowed_set(nix::unistd::geteuid().as_raw()),
+        )
+        .await
+        .expect("server");
+        let server_task = tokio::spawn({
+            let daemon = daemon.clone();
+            async move {
+                server
+                    .run_until_shutdown(daemon, async {
+                        std::future::pending::<()>().await;
+                    })
+                    .await
+            }
+        });
+
+        tokio::time::sleep(Duration::from_millis(50)).await;
+        let client = UnixDaemonClient::new(socket_path.clone(), Duration::from_secs(2));
+
+        let lease = client.issue_lease("vault-password").await.expect("lease");
+        let session = admin_session(lease);
+
+        let policy = policy_all_per_tx(100);
+        client
+            .add_policy(&session, policy.clone())
+            .await
+            .expect("add policy");
+
+        let policies = client.list_policies(&session).await.expect("list policies");
+        assert_eq!(policies.len(), 1);
+        assert!(policies[0].enabled);
+
+        let vault_key = client
+            .create_vault_key(&session, KeyCreateRequest::Generate)
+            .await
+            .expect("create vault key");
+        let exported = client
+            .export_vault_private_key(&session, vault_key.id)
+            .await
+            .expect("export key");
+        assert!(exported.is_some());
+
+        let mut credentials = client
+            .create_agent_key(&session, vault_key.id, PolicyAttachment::AllPolicies)
+            .await
+            .expect("create agent key");
+
+        let evaluation = client
+            .evaluate_for_agent(sign_request(&credentials, 1))
+            .await
+            .expect("evaluate");
+        assert_eq!(evaluation.evaluated_policy_ids, vec![policy.id]);
+
+        let explanation = client
+            .explain_for_agent(sign_request(&credentials, 1))
+            .await
+            .expect("explain");
+        assert!(matches!(explanation.decision, PolicyDecision::Allow));
+
+        let signature = client
+            .sign_for_agent(sign_request(&credentials, 1))
+            .await
+            .expect("sign");
+        assert!(!signature.bytes.is_empty());
+
+        let reservation = client
+            .reserve_nonce(nonce_reservation_request(&credentials, 7))
+            .await
+            .expect("reserve nonce");
+        assert_eq!(reservation.nonce, 7);
+        client
+            .release_nonce(nonce_release_request(&credentials, reservation.reservation_id))
+            .await
+            .expect("release nonce");
+
+        let rotated_token = client
+            .rotate_agent_auth_token(&session, credentials.agent_key.id)
+            .await
+            .expect("rotate token");
+        credentials.auth_token = rotated_token;
+
+        let approvals = client
+            .list_manual_approval_requests(&session)
+            .await
+            .expect("list approvals");
+        assert!(approvals.is_empty());
+
+        let relay_config = client
+            .set_relay_config(
+                &session,
+                Some("http://127.0.0.1:8787".to_string()),
+                Some("https://relay.example".to_string()),
+            )
+            .await
+            .expect("set relay config");
+        assert_eq!(
+            relay_config,
+            RelayConfig {
+                relay_url: Some("http://127.0.0.1:8787".to_string()),
+                frontend_url: Some("https://relay.example".to_string()),
+                daemon_id_hex: relay_config.daemon_id_hex.clone(),
+                daemon_public_key_hex: relay_config.daemon_public_key_hex.clone(),
+            }
+        );
+        let current_relay_config = client
+            .get_relay_config(&session)
+            .await
+            .expect("get relay config");
+        assert_eq!(current_relay_config.relay_url, relay_config.relay_url);
+        assert_eq!(current_relay_config.frontend_url, relay_config.frontend_url);
+
+        client
+            .disable_policy(&session, policy.id)
+            .await
+            .expect("disable policy");
+        let disabled = client.list_policies(&session).await.expect("list disabled");
+        assert_eq!(disabled.len(), 1);
+        assert!(!disabled[0].enabled);
+
+        client
+            .revoke_agent_key(&session, credentials.agent_key.id)
+            .await
+            .expect("revoke agent");
+        let err = client
+            .sign_for_agent(sign_request(&credentials, 1))
+            .await
+            .expect_err("revoked agent must fail");
+        assert!(matches!(
+            err,
+            DaemonError::UnknownAgentKey(id) if id == credentials.agent_key.id
+        ) || matches!(err, DaemonError::AgentAuthenticationFailed));
+
+        server_task.abort();
+        let _ = server_task.await;
+    }
+
     #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
     async fn client_rejects_unexpected_daemon_euid() {
         let socket_path = unique_socket_path("peer-euid");
@@ -1445,6 +1817,74 @@ mod tests {
         let _ = server_task.await;
     }
 
+    #[tokio::test(flavor = "current_thread")]
+    async fn call_rpc_surfaces_wire_daemon_errors_and_transport_fallbacks() {
+        let socket_path = unique_socket_path("wire-error");
+        let client = UnixDaemonClient::new(socket_path.clone(), Duration::from_secs(2));
+
+        let daemon_task = spawn_one_shot_server(
+            socket_path.clone(),
+            WireResponse {
+                ok: false,
+                body_json: serde_json::to_string(&WireDaemonError::UnknownLease)
+                    .expect("serialize daemon error"),
+            },
+        )
+        .await;
+        let err = client
+            .call_rpc(DaemonRpcRequest::IssueLease {
+                vault_password: "vault-password".to_string(),
+            })
+            .await
+            .expect_err("daemon error");
+        assert!(matches!(err, UnixTransportError::Daemon(DaemonError::UnknownLease)));
+        daemon_task.await.expect("daemon task");
+
+        let transport_task = spawn_one_shot_server(
+            socket_path,
+            WireResponse {
+                ok: false,
+                body_json: "plain transport failure".to_string(),
+            },
+        )
+        .await;
+        let err = client
+            .call_rpc(DaemonRpcRequest::IssueLease {
+                vault_password: "vault-password".to_string(),
+            })
+            .await
+            .expect_err("transport fallback");
+        assert!(matches!(
+            err,
+            UnixTransportError::Daemon(DaemonError::Transport(message))
+                if message == "plain transport failure"
+        ));
+        transport_task.await.expect("transport task");
+    }
+
+    #[tokio::test(flavor = "current_thread")]
+    async fn issue_lease_rejects_unexpected_response_types() {
+        let socket_path = unique_socket_path("unexpected-response");
+        let client = UnixDaemonClient::new(socket_path.clone(), Duration::from_secs(2));
+        let response_task = spawn_one_shot_server(
+            socket_path,
+            WireResponse {
+                ok: true,
+                body_json: serde_json::to_string(&DaemonRpcResponse::Unit)
+                    .expect("serialize response"),
+            },
+        )
+        .await;
+
+        let err = client
+            .issue_lease("vault-password")
+            .await
+            .expect_err("wrong response type");
+        assert!(matches!(err, DaemonError::Transport(message) if message == "unexpected response type"));
+
+        response_task.await.expect("response task");
+    }
+
     #[test]
     fn rpc_access_level_classifies_admin_and_agent_requests() {
         let admin_request = vault_daemon::DaemonRpcRequest::IssueLease {
@@ -1493,6 +1933,214 @@ mod tests {
         );
     }
 
+    #[tokio::test(flavor = "current_thread")]
+    async fn bind_rejects_empty_admin_and_agent_allowlists() {
+        let socket_path = unique_socket_path("empty-allowlists");
+        let err = match UnixDaemonServer::bind_with_allowed_peer_euids(
+            socket_path.clone(),
+            BTreeSet::new(),
+            singleton_allowed_set(nix::unistd::geteuid().as_raw()),
+        )
+        .await
+        {
+            Ok(_) => panic!("empty admin allowlist must fail"),
+            Err(err) => err,
+        };
+        assert!(matches!(err, UnixTransportError::Protocol(message) if message.contains("allowed admin peer euid set must not be empty")));
+
+        let err = match UnixDaemonServer::bind_with_allowed_peer_euids(
+            socket_path,
+            singleton_allowed_set(nix::unistd::geteuid().as_raw()),
+            BTreeSet::new(),
+        )
+        .await
+        {
+            Ok(_) => panic!("empty agent allowlist must fail"),
+            Err(err) => err,
+        };
+        assert!(matches!(err, UnixTransportError::Protocol(message) if message.contains("allowed agent peer euid set must not be empty")));
+    }
+
+    #[tokio::test(flavor = "current_thread")]
+    async fn run_until_shutdown_honors_ready_shutdown_and_exposes_socket_path() {
+        let socket_path = unique_socket_path("ready-shutdown");
+        let server = UnixDaemonServer::bind(
+            socket_path.clone(),
+            singleton_allowed_set(nix::unistd::geteuid().as_raw()),
+        )
+        .await
+        .expect("server");
+        assert_eq!(server.socket_path(), socket_path.as_path());
+
+        let daemon = Arc::new(
+            InMemoryDaemon::new(
+                "vault-password",
+                SoftwareSignerBackend::default(),
+                DaemonConfig::default(),
+            )
+            .expect("daemon"),
+        );
+        server
+            .run_until_shutdown(daemon, async {})
+            .await
+            .expect("shutdown must succeed");
+    }
+
+    #[test]
+    fn wire_daemon_error_roundtrip_covers_all_variants() {
+        let manual_approval_id = Uuid::new_v4();
+        let unknown_vault_key = Uuid::new_v4();
+        let unknown_agent_key = Uuid::new_v4();
+        let unknown_policy = Uuid::new_v4();
+        let unknown_approval = Uuid::new_v4();
+        let unknown_reservation = Uuid::new_v4();
+
+        let cases = vec![
+            (
+                DaemonError::AuthenticationFailed,
+                DaemonError::AuthenticationFailed.to_string(),
+            ),
+            (DaemonError::UnknownLease, DaemonError::UnknownLease.to_string()),
+            (DaemonError::InvalidLease, DaemonError::InvalidLease.to_string()),
+            (
+                DaemonError::TooManyActiveLeases,
+                DaemonError::TooManyActiveLeases.to_string(),
+            ),
+            (
+                DaemonError::UnknownVaultKey(unknown_vault_key),
+                DaemonError::UnknownVaultKey(unknown_vault_key).to_string(),
+            ),
+            (
+                DaemonError::UnknownAgentKey(unknown_agent_key),
+                DaemonError::UnknownAgentKey(unknown_agent_key).to_string(),
+            ),
+            (
+                DaemonError::UnknownPolicy(unknown_policy),
+                DaemonError::UnknownPolicy(unknown_policy).to_string(),
+            ),
+            (
+                DaemonError::UnknownManualApprovalRequest(unknown_approval),
+                DaemonError::UnknownManualApprovalRequest(unknown_approval).to_string(),
+            ),
+            (
+                DaemonError::AgentAuthenticationFailed,
+                DaemonError::AgentAuthenticationFailed.to_string(),
+            ),
+            (
+                DaemonError::PayloadActionMismatch,
+                DaemonError::PayloadActionMismatch.to_string(),
+            ),
+            (
+                DaemonError::PayloadTooLarge { max_bytes: 1024 },
+                DaemonError::PayloadTooLarge { max_bytes: 1024 }.to_string(),
+            ),
+            (
+                DaemonError::InvalidRequestTimestamps,
+                DaemonError::InvalidRequestTimestamps.to_string(),
+            ),
+            (DaemonError::RequestExpired, DaemonError::RequestExpired.to_string()),
+            (
+                DaemonError::RequestReplayDetected,
+                DaemonError::RequestReplayDetected.to_string(),
+            ),
+            (
+                DaemonError::InvalidPolicyAttachment("attachment".to_string()),
+                DaemonError::InvalidPolicyAttachment("attachment".to_string()).to_string(),
+            ),
+            (
+                DaemonError::InvalidNonceReservation("nonce".to_string()),
+                DaemonError::InvalidNonceReservation("nonce".to_string()).to_string(),
+            ),
+            (
+                DaemonError::UnknownNonceReservation(unknown_reservation),
+                DaemonError::UnknownNonceReservation(unknown_reservation).to_string(),
+            ),
+            (
+                DaemonError::MissingNonceReservation {
+                    chain_id: 1,
+                    nonce: 7,
+                },
+                DaemonError::MissingNonceReservation {
+                    chain_id: 1,
+                    nonce: 7,
+                }
+                .to_string(),
+            ),
+            (
+                DaemonError::InvalidPolicy("policy".to_string()),
+                DaemonError::InvalidPolicy("policy".to_string()).to_string(),
+            ),
+            (
+                DaemonError::InvalidRelayConfig("relay".to_string()),
+                DaemonError::InvalidRelayConfig("relay".to_string()).to_string(),
+            ),
+            (
+                DaemonError::ManualApprovalRequired {
+                    approval_request_id: manual_approval_id,
+                    relay_url: Some("https://relay.example".to_string()),
+                    frontend_url: Some("https://frontend.example".to_string()),
+                },
+                DaemonError::ManualApprovalRequired {
+                    approval_request_id: manual_approval_id,
+                    relay_url: Some("https://relay.example".to_string()),
+                    frontend_url: Some("https://frontend.example".to_string()),
+                }
+                .to_string(),
+            ),
+            (
+                DaemonError::ManualApprovalRejected {
+                    approval_request_id: manual_approval_id,
+                },
+                DaemonError::ManualApprovalRejected {
+                    approval_request_id: manual_approval_id,
+                }
+                .to_string(),
+            ),
+            (
+                DaemonError::ManualApprovalRequestNotPending {
+                    approval_request_id: manual_approval_id,
+                    status: ManualApprovalStatus::Approved,
+                },
+                DaemonError::ManualApprovalRequestNotPending {
+                    approval_request_id: manual_approval_id,
+                    status: ManualApprovalStatus::Approved,
+                }
+                .to_string(),
+            ),
+            (
+                DaemonError::Policy(PolicyError::NoAttachedPolicies),
+                DaemonError::Policy(PolicyError::NoAttachedPolicies).to_string(),
+            ),
+            (
+                DaemonError::Signer(SignerError::InvalidPrivateKey),
+                DaemonError::Signer(SignerError::InvalidPrivateKey).to_string(),
+            ),
+            (
+                DaemonError::PasswordHash("hash".to_string()),
+                DaemonError::PasswordHash("hash".to_string()).to_string(),
+            ),
+            (
+                DaemonError::InvalidConfig("config".to_string()),
+                DaemonError::InvalidConfig("config".to_string()).to_string(),
+            ),
+            (
+                DaemonError::Transport("transport".to_string()),
+                DaemonError::Transport("transport".to_string()).to_string(),
+            ),
+            (
+                DaemonError::Persistence("persistence".to_string()),
+                DaemonError::Persistence("persistence".to_string()).to_string(),
+            ),
+            (DaemonError::LockPoisoned, DaemonError::LockPoisoned.to_string()),
+        ];
+
+        for (original, expected_message) in cases {
+            let wire = WireDaemonError::from(original);
+            let recovered = wire.into_daemon_error();
+            assert_eq!(recovered.to_string(), expected_message);
+        }
+    }
+
     #[tokio::test(flavor = "current_thread")]
     async fn handle_connection_rejects_admin_requests_from_agent_only_peers() {
         let daemon = Arc::new(