@wlfi-agent/cli 1.4.17 → 1.4.19

package/crates/vault-cli-admin/src/main.rs

@@ -157,6 +157,20 @@ struct BootstrapCommandArgs {
         help = "Deprecated compatibility flag; bootstrap-created policies are always attached"
     )]
     attach_bootstrap_policies: bool,
+    #[arg(
+        long,
+        value_name = "UUID",
+        requires = "existing_vault_public_key",
+        help = "Reuse an existing vault key id instead of generating a fresh wallet"
+    )]
+    existing_vault_key_id: Option<Uuid>,
+    #[arg(
+        long,
+        value_name = "HEX",
+        requires = "existing_vault_key_id",
+        help = "Reuse an existing vault public key instead of generating a fresh wallet"
+    )]
+    existing_vault_public_key: Option<String>,
     #[arg(long, default_value_t = false)]
     print_agent_auth_token: bool,
     #[arg(
@@ -650,6 +664,8 @@ async fn main() -> Result<()> {
                 recipient,
                 attach_policy_id,
                 attach_bootstrap_policies: _attach_bootstrap_policies,
+                existing_vault_key_id,
+                existing_vault_public_key,
                 print_agent_auth_token,
                 print_vault_private_key,
             } = *args;
@@ -661,6 +677,8 @@ async fn main() -> Result<()> {
                     false,
                 )?;
                 params.attach_policy_ids = attach_policy_id;
+                params.existing_vault_key_id = existing_vault_key_id;
+                params.existing_vault_public_key = existing_vault_public_key;
                 params
             } else {
                 BootstrapParams {
@@ -683,8 +701,8 @@ async fn main() -> Result<()> {
                     attach_policy_ids: attach_policy_id,
                     print_agent_auth_token,
                     print_vault_private_key,
-                    existing_vault_key_id: None,
-                    existing_vault_public_key: None,
+                    existing_vault_key_id,
+                    existing_vault_public_key,
                 }
             };
             let output = execute_bootstrap(
@@ -2909,21 +2927,36 @@ fn single_scope<T: Ord>(value: T) -> EntityScope<T> {
 mod tests {
     use super::{
         build_asset_scope, build_network_scope, describe_recipient_scope, ensure_output_parent,
-        execute_bootstrap, execute_revoke_agent_key, execute_rotate_agent_auth_token,
-        resolve_daemon_socket_path, resolve_output_format, resolve_output_target,
-        should_print_status, validate_existing_policy_attachments, validate_password,
-        validate_policy_limits, write_output_file, BootstrapParams, Cli, Commands,
-        DestinationPolicyOverride, OutputFormat, OutputTarget, RevokeAgentKeyParams,
-        RotateAgentAuthTokenParams, TokenDestinationPolicyOverride, TokenPolicyConfig,
+        execute_add_manual_approval_policy, execute_bootstrap,
+        execute_decide_manual_approval_request, execute_get_relay_config,
+        execute_list_manual_approval_requests, execute_revoke_agent_key,
+        execute_rotate_agent_auth_token, execute_set_relay_config, parse_non_negative_u128,
+        parse_positive_u128, parse_positive_u64, print_bootstrap_output,
+        print_manual_approval_policy_output, print_manual_approval_request_output,
+        print_manual_approval_requests_output, print_relay_config_output,
+        print_revoke_agent_key_output, print_rotate_agent_auth_token_output,
+        resolve_bootstrap_policy_attachment, resolve_daemon_socket_path, resolve_output_format,
+        resolve_output_target, should_print_status, validate_existing_policy_attachments,
+        validate_password, validate_policy_limits, write_output_file,
+        AddManualApprovalPolicyParams, BootstrapParams, Cli, Commands,
+        DecideManualApprovalRequestParams, DestinationPolicyOverride, ManualApprovalPolicyOutput,
+        OutputFormat, OutputTarget, RevokeAgentKeyOutput, RevokeAgentKeyParams,
+        RotateAgentAuthTokenOutput, RotateAgentAuthTokenParams, SetRelayConfigParams,
+        TokenDestinationPolicyOverride, TokenPolicyConfig,
     };
     use crate::{shared_config::WlfiConfig, tui};
     use clap::Parser;
     use serde_json::to_vec;
+    use std::fs;
     use std::sync::Arc;
+    use std::path::PathBuf;
     use std::time::{SystemTime, UNIX_EPOCH};
     use uuid::Uuid;
     use vault_daemon::{DaemonError, InMemoryDaemon, KeyManagerDaemonApi};
-    use vault_domain::{AdminSession, AgentAction, AssetId, EntityScope, EvmAddress, SignRequest};
+    use vault_domain::{
+        AdminSession, AgentAction, AssetId, EntityScope, EvmAddress, ManualApprovalDecision,
+        ManualApprovalStatus, PolicyAttachment, RelayConfig, SignRequest, SpendingPolicy,
+    };
     use vault_signer::{KeyCreateRequest, SoftwareSignerBackend};
     use zeroize::Zeroize;
 
@@ -3158,6 +3191,34 @@ mod tests {
         assert_eq!(args.attach_policy_id.len(), 2);
     }
 
+    #[test]
+    fn bootstrap_supports_existing_wallet_reuse_flags() {
+        let cli = Cli::try_parse_from([
+            "wlfi-agent-admin",
+            "--daemon-socket",
+            "/tmp/wlfi.sock",
+            "bootstrap",
+            "--from-shared-config",
+            "--existing-vault-key-id",
+            "00000000-0000-0000-0000-000000000003",
+            "--existing-vault-public-key",
+            "03abcdef",
+        ])
+        .expect("parse");
+
+        let Commands::Bootstrap(args) = cli.command else {
+            panic!("expected bootstrap command");
+        };
+        assert_eq!(
+            args.existing_vault_key_id,
+            Some(
+                Uuid::parse_str("00000000-0000-0000-0000-000000000003")
+                    .expect("valid uuid"),
+            )
+        );
+        assert_eq!(args.existing_vault_public_key.as_deref(), Some("03abcdef"));
+    }
+
     #[test]
     fn bootstrap_command_accepts_explicit_vault_private_key_export_flag() {
         let cli = Cli::try_parse_from([
@@ -3218,12 +3279,12 @@ mod tests {
 
     #[test]
     fn setup_command_is_accepted() {
-        let cli = Cli::try_parse_from(["wlfi-agent-admin", "setup", "--network", "11155111"])
+        let cli = Cli::try_parse_from(["wlfi-agent-admin", "setup", "--network", "56"])
             .expect("parse");
         let Commands::Setup(args) = cli.command else {
             panic!("expected setup command");
         };
-        assert_eq!(args.forwarded_args, vec!["--network", "11155111"]);
+        assert_eq!(args.forwarded_args, vec!["--network", "56"]);
     }
 
     #[test]
@@ -3327,15 +3388,15 @@ mod tests {
                     per_tx_max_calldata_bytes: 0,
                 },
                 TokenPolicyConfig {
-                    token_key: "usdc".to_string(),
-                    symbol: "USDC".to_string(),
+                    token_key: "usd1".to_string(),
+                    symbol: "USD1".to_string(),
                     chain_key: "ethereum".to_string(),
                     chain_id: 1,
                     is_native: false,
                     address: Some(
                         "0x1000000000000000000000000000000000000000"
                             .parse()
-                            .expect("usdc address"),
+                            .expect("usd1 address"),
                     ),
                     per_tx_max_wei: 250,
                     daily_max_wei: 1_000,
@@ -3402,6 +3463,75 @@ mod tests {
         (vault_key.id, vault_key.public_key_hex)
     }
 
+    fn unique_temp_path(label: &str) -> PathBuf {
+        let unique = SystemTime::now()
+            .duration_since(UNIX_EPOCH)
+            .expect("time")
+            .as_nanos();
+        std::env::temp_dir().join(format!("wlfi-admin-{label}-{unique:x}.txt"))
+    }
+
+    fn read_output(path: &PathBuf) -> String {
+        fs::read_to_string(path).expect("read output file")
+    }
+
+    async fn seed_manual_approval_request(
+        daemon: Arc<dyn KeyManagerDaemonApi>,
+    ) -> (Uuid, AdminSession) {
+        let lease = daemon
+            .issue_lease("vault-password")
+            .await
+            .expect("issue lease");
+        let session = AdminSession {
+            vault_password: "vault-password".to_string(),
+            lease,
+        };
+        daemon
+            .add_policy(
+                &session,
+                SpendingPolicy::new_manual_approval(
+                    0,
+                    1,
+                    100,
+                    EntityScope::All,
+                    EntityScope::All,
+                    EntityScope::All,
+                )
+                .expect("manual approval policy"),
+            )
+            .await
+            .expect("add policy");
+        let vault_key = daemon
+            .create_vault_key(&session, KeyCreateRequest::Generate)
+            .await
+            .expect("vault key");
+        let agent_credentials = daemon
+            .create_agent_key(&session, vault_key.id, PolicyAttachment::AllPolicies)
+            .await
+            .expect("agent");
+        let request = build_sign_request(
+            &agent_credentials.agent_key.id.to_string(),
+            &agent_credentials.auth_token,
+            AgentAction::Transfer {
+                chain_id: 1,
+                token: "0x1000000000000000000000000000000000000000"
+                    .parse()
+                    .expect("token"),
+                to: "0x2000000000000000000000000000000000000000"
+                    .parse()
+                    .expect("recipient"),
+                amount_wei: 42,
+            },
+        );
+        let approval_request_id = match daemon.sign_for_agent(request).await {
+            Err(DaemonError::ManualApprovalRequired {
+                approval_request_id, ..
+            }) => approval_request_id,
+            other => panic!("expected manual approval request, got {other:?}"),
+        };
+        (approval_request_id, session)
+    }
+
     #[tokio::test]
     async fn execute_bootstrap_creates_destination_override_policy_sets() {
         let daemon = test_daemon();
@@ -3506,7 +3636,7 @@ mod tests {
                 },
             ))
             .await
-            .expect("erc20 transfer should use the USDC token policy");
+            .expect("erc20 transfer should use the USD1 token policy");
         assert!(!erc20_signature.bytes.is_empty());
     }
 
@@ -3642,7 +3772,7 @@ mod tests {
                 },
             ))
             .await
-            .expect("non-overridden recipient should keep the base ETH limit");
+            .expect("non-overridden recipient should keep the default ETH limit");
         assert!(!allowed_elsewhere.bytes.is_empty());
     }
 
@@ -3971,6 +4101,499 @@ mod tests {
             .contains("bootstrap-created policy id(s)"));
     }
 
+    #[test]
+    fn manual_approval_and_relay_commands_are_accepted() {
+        let list_cli = Cli::try_parse_from([
+            "wlfi-agent-admin",
+            "--daemon-socket",
+            "/tmp/wlfi.sock",
+            "list-manual-approval-requests",
+        ])
+        .expect("parse list");
+        assert!(matches!(
+            list_cli.command,
+            Commands::ListManualApprovalRequests
+        ));
+
+        let approve_cli = Cli::try_parse_from([
+            "wlfi-agent-admin",
+            "--daemon-socket",
+            "/tmp/wlfi.sock",
+            "approve-manual-approval-request",
+            "--approval-request-id",
+            "00000000-0000-0000-0000-000000000123",
+        ])
+        .expect("parse approve");
+        let Commands::ApproveManualApprovalRequest(args) = approve_cli.command else {
+            panic!("expected approve-manual-approval-request");
+        };
+        assert_eq!(
+            args.approval_request_id,
+            Uuid::parse_str("00000000-0000-0000-0000-000000000123").expect("uuid")
+        );
+
+        let reject_cli = Cli::try_parse_from([
+            "wlfi-agent-admin",
+            "--daemon-socket",
+            "/tmp/wlfi.sock",
+            "reject-manual-approval-request",
+            "--approval-request-id",
+            "00000000-0000-0000-0000-000000000124",
+            "--rejection-reason",
+            "too risky",
+        ])
+        .expect("parse reject");
+        let Commands::RejectManualApprovalRequest(args) = reject_cli.command else {
+            panic!("expected reject-manual-approval-request");
+        };
+        assert_eq!(args.rejection_reason.as_deref(), Some("too risky"));
+
+        let add_cli = Cli::try_parse_from([
+            "wlfi-agent-admin",
+            "--daemon-socket",
+            "/tmp/wlfi.sock",
+            "add-manual-approval-policy",
+            "--priority",
+            "7",
+            "--min-amount-wei",
+            "10",
+            "--max-amount-wei",
+            "20",
+            "--allow-native-eth",
+            "--network",
+            "1",
+        ])
+        .expect("parse add manual approval policy");
+        let Commands::AddManualApprovalPolicy(args) = add_cli.command else {
+            panic!("expected add-manual-approval-policy");
+        };
+        assert_eq!(args.priority, 7);
+        assert!(args.allow_native_eth);
+
+        let set_cli = Cli::try_parse_from([
+            "wlfi-agent-admin",
+            "--daemon-socket",
+            "/tmp/wlfi.sock",
+            "set-relay-config",
+            "--relay-url",
+            "https://relay.example",
+            "--frontend-url",
+            "https://frontend.example",
+        ])
+        .expect("parse set relay config");
+        let Commands::SetRelayConfig(args) = set_cli.command else {
+            panic!("expected set-relay-config");
+        };
+        assert_eq!(args.relay_url.as_deref(), Some("https://relay.example"));
+        assert_eq!(args.frontend_url.as_deref(), Some("https://frontend.example"));
+
+        let get_cli = Cli::try_parse_from([
+            "wlfi-agent-admin",
+            "--daemon-socket",
+            "/tmp/wlfi.sock",
+            "get-relay-config",
+        ])
+        .expect("parse get relay config");
+        assert!(matches!(get_cli.command, Commands::GetRelayConfig));
+    }
+
+    #[tokio::test]
+    async fn manual_approval_execute_helpers_roundtrip() {
+        let daemon = test_daemon();
+        let (approval_request_id, mut session) = seed_manual_approval_request(daemon.clone()).await;
+
+        let mut list_statuses = Vec::new();
+        let requests = execute_list_manual_approval_requests(daemon.clone(), "vault-password", |msg| {
+            list_statuses.push(msg.to_string());
+        })
+        .await
+        .expect("list requests");
+        assert!(requests.iter().any(|request| request.id == approval_request_id));
+        assert_eq!(
+            list_statuses,
+            vec![
+                "issuing admin lease".to_string(),
+                "listing manual approval requests".to_string()
+            ]
+        );
+
+        let mut approve_statuses = Vec::new();
+        let approved = execute_decide_manual_approval_request(
+            daemon.clone(),
+            "vault-password",
+            DecideManualApprovalRequestParams {
+                approval_request_id,
+                decision: ManualApprovalDecision::Approve,
+                rejection_reason: None,
+            },
+            |msg| approve_statuses.push(msg.to_string()),
+        )
+        .await
+        .expect("approve request");
+        assert_eq!(approved.id, approval_request_id);
+        assert_eq!(approved.status, ManualApprovalStatus::Approved);
+        assert_eq!(
+            approve_statuses,
+            vec![
+                "issuing admin lease".to_string(),
+                "updating manual approval request".to_string()
+            ]
+        );
+
+        session.vault_password.zeroize();
+    }
+
+    #[tokio::test]
+    async fn add_manual_approval_policy_and_relay_config_helpers_roundtrip() {
+        let daemon = test_daemon();
+
+        let mut policy_statuses = Vec::new();
+        let policy_output = execute_add_manual_approval_policy(
+            daemon.clone(),
+            "vault-password",
+            AddManualApprovalPolicyParams {
+                priority: 7,
+                min_amount_wei: 10,
+                max_amount_wei: 20,
+                tokens: vec![],
+                allow_native_eth: true,
+                network: Some(1),
+                recipient: Some(
+                    "0x2000000000000000000000000000000000000000"
+                        .parse()
+                        .expect("recipient"),
+                ),
+            },
+            |msg| policy_statuses.push(msg.to_string()),
+        )
+        .await
+        .expect("manual approval policy");
+        assert_eq!(policy_output.priority, 7);
+        assert_eq!(policy_output.min_amount_wei, "10");
+        assert_eq!(policy_output.max_amount_wei, "20");
+        assert!(policy_output.asset_scope.contains("native_eth"));
+        assert_eq!(
+            policy_statuses,
+            vec![
+                "issuing admin lease".to_string(),
+                "creating manual approval policy".to_string()
+            ]
+        );
+
+        let lease = daemon
+            .issue_lease("vault-password")
+            .await
+            .expect("issue lease");
+        let mut session = AdminSession {
+            vault_password: "vault-password".to_string(),
+            lease,
+        };
+        daemon
+            .set_relay_config(
+                &session,
+                Some("https://relay.example".to_string()),
+                None,
+            )
+            .await
+            .expect("seed relay config");
+        session.vault_password.zeroize();
+
+        let mut merge_statuses = Vec::new();
+        let merged = execute_set_relay_config(
+            daemon.clone(),
+            "vault-password",
+            SetRelayConfigParams {
+                relay_url: None,
+                frontend_url: Some("https://frontend.example".to_string()),
+                clear: false,
+            },
+            |msg| merge_statuses.push(msg.to_string()),
+        )
+        .await
+        .expect("merge relay config");
+        assert_eq!(merged.relay_url.as_deref(), Some("https://relay.example"));
+        assert_eq!(merged.frontend_url.as_deref(), Some("https://frontend.example"));
+        assert_eq!(
+            merge_statuses,
+            vec![
+                "issuing admin lease".to_string(),
+                "reading existing relay configuration".to_string(),
+                "updating relay configuration".to_string()
+            ]
+        );
+
+        let current = execute_get_relay_config(daemon.clone(), "vault-password", |_| {})
+            .await
+            .expect("get relay config");
+        assert_eq!(current, merged);
+
+        let cleared = execute_set_relay_config(
+            daemon,
+            "vault-password",
+            SetRelayConfigParams {
+                relay_url: Some("https://ignored.example".to_string()),
+                frontend_url: Some("https://ignored-frontend.example".to_string()),
+                clear: true,
+            },
+            |_| {},
+        )
+        .await
+        .expect("clear relay config");
+        assert!(cleared.relay_url.is_none());
+        assert!(cleared.frontend_url.is_none());
+    }
+
+    #[tokio::test]
+    async fn output_renderers_cover_text_sections() {
+        let global_daemon = test_daemon();
+        let mut global_params = test_bootstrap_params(false);
+        global_params.print_vault_private_key = true;
+        global_params
+            .destination_overrides
+            .push(DestinationPolicyOverride {
+                recipient: "0x3000000000000000000000000000000000000003"
+                    .parse()
+                    .expect("recipient"),
+                per_tx_max_wei: 100,
+                daily_max_wei: 200,
+                weekly_max_wei: 300,
+                max_gas_per_chain_wei: 400,
+                daily_max_tx_count: 2,
+                per_tx_max_fee_per_gas_wei: 3,
+                per_tx_max_priority_fee_per_gas_wei: 4,
+                per_tx_max_calldata_bytes: 5,
+            });
+        let global_output = execute_bootstrap(
+            global_daemon.clone(),
+            "vault-password",
+            "daemon_socket:/tmp/wlfi.sock",
+            global_params,
+            |_| {},
+        )
+        .await
+        .expect("global bootstrap");
+        let global_path = unique_temp_path("bootstrap-global");
+        let global_target = OutputTarget::File {
+            path: global_path.clone(),
+            overwrite: true,
+        };
+        print_bootstrap_output(&global_output, OutputFormat::Text, &global_target)
+            .expect("render global bootstrap");
+        let global_text = read_output(&global_path);
+        assert!(global_text.contains("Policies"));
+        assert!(global_text.contains("Vault Private Key:"));
+        assert!(global_text.contains("Destination Overrides"));
+        assert!(global_text.contains("Note: pass --print-agent-auth-token"));
+        fs::remove_file(&global_path).expect("cleanup global output");
+
+        let per_token_daemon = test_daemon();
+        let mut per_token_params = test_per_token_bootstrap_params(true);
+        per_token_params
+            .token_destination_overrides
+            .push(TokenDestinationPolicyOverride {
+                token_key: "eth".to_string(),
+                chain_key: "ethereum".to_string(),
+                recipient: "0x3000000000000000000000000000000000000003"
+                    .parse()
+                    .expect("recipient"),
+                per_tx_max_wei: 50,
+                daily_max_wei: 250,
+                weekly_max_wei: 500,
+                max_gas_per_chain_wei: 1_000_000,
+                daily_max_tx_count: 0,
+                per_tx_max_fee_per_gas_wei: 0,
+                per_tx_max_priority_fee_per_gas_wei: 0,
+                per_tx_max_calldata_bytes: 0,
+            });
+        per_token_params
+            .token_manual_approval_policies
+            .push(super::TokenManualApprovalPolicyConfig {
+                token_key: "eth".to_string(),
+                symbol: "ETH".to_string(),
+                chain_key: "ethereum".to_string(),
+                chain_id: 1,
+                is_native: true,
+                address: None,
+                priority: 9,
+                recipient: Some(
+                    "0x4000000000000000000000000000000000000004"
+                        .parse()
+                        .expect("recipient"),
+                ),
+                min_amount_wei: 10,
+                max_amount_wei: 20,
+            });
+        let per_token_output = execute_bootstrap(
+            per_token_daemon,
+            "vault-password",
+            "daemon_socket:/tmp/wlfi.sock",
+            per_token_params,
+            |_| {},
+        )
+        .await
+        .expect("per-token bootstrap");
+        let per_token_path = unique_temp_path("bootstrap-per-token");
+        let per_token_target = OutputTarget::File {
+            path: per_token_path.clone(),
+            overwrite: true,
+        };
+        print_bootstrap_output(&per_token_output, OutputFormat::Text, &per_token_target)
+            .expect("render per-token bootstrap");
+        let per_token_text = read_output(&per_token_path);
+        assert!(per_token_text.contains("Per-Token Policies"));
+        assert!(per_token_text.contains("Per-Token Destination Overrides"));
+        assert!(per_token_text.contains("Per-Token Manual Approval Policies"));
+        assert!(per_token_text.contains("Attached Policy IDs"));
+        assert!(per_token_text.contains("Warning: keep the agent auth token"));
+        fs::remove_file(&per_token_path).expect("cleanup per-token output");
+    }
+
+    #[tokio::test]
+    async fn output_renderers_cover_manual_approval_and_relay_text() {
+        let daemon = test_daemon();
+        let (approval_request_id, mut session) = seed_manual_approval_request(daemon.clone()).await;
+        let request = daemon
+            .list_manual_approval_requests(&session)
+            .await
+            .expect("list manual approvals")
+            .into_iter()
+            .find(|item| item.id == approval_request_id)
+            .expect("request");
+
+        let requests_path = unique_temp_path("manual-requests");
+        let requests_target = OutputTarget::File {
+            path: requests_path.clone(),
+            overwrite: true,
+        };
+        print_manual_approval_requests_output(&[], OutputFormat::Text, &requests_target)
+            .expect("render empty requests");
+        assert_eq!(read_output(&requests_path).trim_end(), "No manual approval requests");
+
+        print_manual_approval_request_output(&request, OutputFormat::Text, &requests_target)
+            .expect("render single request");
+        let single_text = read_output(&requests_path);
+        assert!(single_text.contains("Request ID:"));
+        assert!(single_text.contains("Triggered By Policies:"));
+
+        print_manual_approval_requests_output(
+            std::slice::from_ref(&request),
+            OutputFormat::Text,
+            &requests_target,
+        )
+        .expect("render request list");
+        let list_text = read_output(&requests_path);
+        assert!(list_text.contains("Status: Pending"));
+        fs::remove_file(&requests_path).expect("cleanup manual approval output");
+
+        let relay_output = RelayConfig {
+            relay_url: Some("https://relay.example".to_string()),
+            frontend_url: None,
+            daemon_id_hex: "daemon-id".to_string(),
+            daemon_public_key_hex: "daemon-pub".to_string(),
+        };
+        let relay_path = unique_temp_path("relay-config");
+        let relay_target = OutputTarget::File {
+            path: relay_path.clone(),
+            overwrite: true,
+        };
+        print_relay_config_output(&relay_output, OutputFormat::Text, &relay_target)
+            .expect("render relay config");
+        let relay_text = read_output(&relay_path);
+        assert!(relay_text.contains("Relay URL: https://relay.example"));
+        assert!(relay_text.contains("Frontend URL: <unset>"));
+        fs::remove_file(&relay_path).expect("cleanup relay output");
+
+        let rotate_path = unique_temp_path("rotate-output");
+        let rotate_target = OutputTarget::File {
+            path: rotate_path.clone(),
+            overwrite: true,
+        };
+        print_rotate_agent_auth_token_output(
+            &RotateAgentAuthTokenOutput {
+                agent_key_id: "agent-key".to_string(),
+                agent_auth_token: "<redacted>".to_string(),
+                agent_auth_token_redacted: true,
+            },
+            OutputFormat::Text,
+            &rotate_target,
+        )
+        .expect("render rotate output");
+        assert!(read_output(&rotate_path).contains("Note: pass --print-agent-auth-token"));
+        fs::remove_file(&rotate_path).expect("cleanup rotate output");
+
+        let revoke_path = unique_temp_path("revoke-output");
+        let revoke_target = OutputTarget::File {
+            path: revoke_path.clone(),
+            overwrite: true,
+        };
+        print_revoke_agent_key_output(
+            &RevokeAgentKeyOutput {
+                agent_key_id: "agent-key".to_string(),
+                revoked: true,
+            },
+            OutputFormat::Text,
+            &revoke_target,
+        )
+        .expect("render revoke output");
+        assert!(read_output(&revoke_path).contains("Revoked: true"));
+        fs::remove_file(&revoke_path).expect("cleanup revoke output");
+
+        let policy_path = unique_temp_path("policy-output");
+        let policy_target = OutputTarget::File {
+            path: policy_path.clone(),
+            overwrite: true,
+        };
+        print_manual_approval_policy_output(
+            &ManualApprovalPolicyOutput {
+                policy_id: "policy-id".to_string(),
+                priority: 7,
+                min_amount_wei: "10".to_string(),
+                max_amount_wei: "20".to_string(),
+                network_scope: "1".to_string(),
+                asset_scope: "native_eth".to_string(),
+                recipient_scope: "all recipients".to_string(),
+            },
+            OutputFormat::Text,
+            &policy_target,
+        )
+        .expect("render manual approval policy");
+        assert!(read_output(&policy_path).contains("Amount Range (wei): 10..=20"));
+        fs::remove_file(&policy_path).expect("cleanup policy output");
+
+        session.vault_password.zeroize();
+    }
+
+    #[test]
+    fn helper_parsers_and_policy_attachment_resolution_cover_remaining_paths() {
+        assert_eq!(parse_positive_u128("10").expect("parse"), 10);
+        assert_eq!(parse_non_negative_u128("0").expect("parse"), 0);
+        assert_eq!(parse_positive_u64("12").expect("parse"), 12);
+        assert!(parse_positive_u128("0").is_err());
+        assert!(parse_positive_u64("0").is_err());
+        assert!(parse_non_negative_u128("nope").is_err());
+
+        let created = Uuid::parse_str("00000000-0000-0000-0000-000000000101").expect("uuid");
+        let explicit = Uuid::parse_str("00000000-0000-0000-0000-000000000202").expect("uuid");
+
+        let created_only =
+            resolve_bootstrap_policy_attachment([created], &[]).expect("created-only attachment");
+        assert_eq!(created_only.1, "policy_set");
+        assert_eq!(created_only.2.len(), 1);
+        assert!(created_only.3.contains("bootstrap-created policy"));
+
+        let explicit_only = resolve_bootstrap_policy_attachment([], &[explicit])
+            .expect("explicit-only attachment");
+        assert_eq!(explicit_only.2, vec![explicit.to_string()]);
+        assert!(explicit_only.3.contains("explicit policy"));
+
+        let mixed = resolve_bootstrap_policy_attachment([created], &[explicit])
+            .expect("mixed attachment");
+        assert_eq!(mixed.2.len(), 2);
+        assert!(mixed.3.contains("bootstrap-created policy id(s) and 1 explicit policy id(s)"));
+
+        assert!(resolve_bootstrap_policy_attachment([], &[]).is_err());
+    }
+
     #[test]
     #[cfg(unix)]
     fn resolve_daemon_socket_path_rejects_non_root_owned_socket() {