@wlfi-agent/cli 1.4.17 → 1.4.19

package/dist/cli.cjs

@@ -12981,6 +12981,9 @@ var require_commander = __commonJS({
   }
 });
 
+// src/cli.ts
+var import_promises2 = require("timers/promises");
+
 // packages/config/src/index.js
 var src_exports = {};
 __export(src_exports, {
@@ -13069,23 +13072,6 @@ var BUILTIN_TOKENS = {
       arbitrum: { chainId: 42161, isNative: true, decimals: 18 }
     }
   },
-  usdc: {
-    symbol: "USDC",
-    chains: {
-      ethereum: {
-        chainId: 1,
-        isNative: false,
-        address: "0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48",
-        decimals: 6
-      },
-      base: {
-        chainId: 8453,
-        isNative: false,
-        address: "0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913",
-        decimals: 6
-      }
-    }
-  },
   usd1: {
     name: "USD1",
     symbol: "USD1",
@@ -14019,7 +14005,7 @@ function resolveRustBinaryPath(binaryName, config = readConfig()) {
   return import_node_path.default.join(config.rustBinDir ?? defaultRustBinDir(), binaryName + (process.platform === "win32" ? ".exe" : ""));
 }
 
-// packages/rpc/src/index.ts
+// packages/rpc/src/index.js
 var src_exports2 = {};
 __export(src_exports2, {
   TRANSFER_EVENT: () => TRANSFER_EVENT,
@@ -23709,6 +23695,78 @@ function resolveLaunchDaemonHelperScriptPath(scriptName, config) {
   return candidates[0];
 }
 
+// src/lib/hidden-tty-prompt.ts
+async function promptHiddenTty(query, nonInteractiveError, deps = {}) {
+  const input = deps.input ?? process.stdin;
+  const output = deps.output ?? process.stderr;
+  if (!input.isTTY || !output.isTTY || typeof input.setRawMode !== "function") {
+    throw new Error(nonInteractiveError);
+  }
+  output.write("\r\x1B[2K");
+  output.write(query);
+  const wasRaw = Boolean(input.isRaw);
+  if (!wasRaw) {
+    input.setRawMode(true);
+  }
+  input.resume?.();
+  return await new Promise((resolve, reject) => {
+    let answer = "";
+    let settled = false;
+    const cleanup = () => {
+      input.removeListener("data", onData);
+      input.removeListener("error", onError);
+      if (!wasRaw) {
+        input.setRawMode?.(false);
+      }
+      input.pause?.();
+      output.write("\n");
+    };
+    const finish = (callback) => {
+      if (settled) {
+        return;
+      }
+      settled = true;
+      cleanup();
+      callback();
+    };
+    const onError = (error) => {
+      finish(() => reject(error));
+    };
+    const onData = (chunk) => {
+      const text = typeof chunk === "string" ? chunk : chunk.toString("utf8");
+      if (text.includes("\x1B")) {
+        return;
+      }
+      for (const char of text) {
+        if (char === "\r" || char === "\n") {
+          finish(() => resolve(answer));
+          return;
+        }
+        if (char === "") {
+          finish(() => reject(new Error("prompt canceled")));
+          return;
+        }
+        if (char === "\x7F" || char === "\b") {
+          const chars = Array.from(answer);
+          chars.pop();
+          answer = chars.join("");
+          continue;
+        }
+        if (char === "") {
+          answer = "";
+          continue;
+        }
+        if (/[\u0000-\u001f\u007f]/u.test(char)) {
+          continue;
+        }
+        answer += char;
+      }
+    };
+    input.on("data", onData);
+    input.on("error", onError);
+  });
+}
+
 // src/lib/sudo.ts
 var import_node_child_process2 = require("child_process");
 function currentProcessIsRoot() {
@@ -23717,6 +23775,14 @@ function currentProcessIsRoot() {
 function isSudoAuthenticationFailure(output) {
   return /sudo: .*password is required/iu.test(output) || /sudo: .*incorrect password/iu.test(output) || /sudo: no password was provided/iu.test(output) || /sorry, try again\./iu.test(output);
 }
+function formatSudoFailureMessage(result) {
+  const combinedOutput = `${result.stderr}
+${result.stdout}`;
+  if (isSudoAuthenticationFailure(combinedOutput)) {
+    return "sudo authentication failed. Enter your system admin password used for sudo, not the WLFI vault password.";
+  }
+  return result.stderr.trim() || result.stdout.trim() || `sudo credential check failed (exit code ${result.code})`;
+}
 async function runCommand(command, args, options, deps) {
   return await new Promise((resolve, reject) => {
     const spawnOptions = {
@@ -23773,9 +23839,7 @@ function createSudoSession(deps) {
       }
     );
     if (result.code !== 0) {
-      throw new Error(
-        result.stderr.trim() || result.stdout.trim() || `sudo credential check failed (exit code ${result.code})`
-      );
+      throw new Error(formatSudoFailureMessage(result));
     }
     primed = true;
   }
@@ -23853,29 +23917,7 @@ function validateSecret(value, label) {
   return value;
 }
 async function promptHidden(query, label) {
-  if (!process.stdin.isTTY || !process.stdout.isTTY) {
-    throw new Error(`${label} is required; rerun on a local TTY`);
-  }
-  const rl = import_node_readline.default.createInterface({
-    input: process.stdin,
-    output: process.stdout,
-    terminal: true
-  });
-  rl.stdoutMuted = true;
-  rl._writeToOutput = (value) => {
-    if (value.includes(query)) {
-      rl.output.write(value);
-      return;
-    }
-    if (!rl.stdoutMuted) {
-      rl.output.write(value);
-    }
-  };
-  const answer = await new Promise((resolve) => {
-    rl.question(query, resolve);
-  });
-  rl.close();
-  process.stdout.write("\n");
+  const answer = await promptHiddenTty(query, `${label} is required; rerun on a local TTY`);
   return validateSecret(answer, label);
 }
 async function promptVisible(query) {
@@ -23895,10 +23937,21 @@ async function promptVisible(query) {
 }
 var sudoSession = createSudoSession({
   promptPassword: async () => await promptHidden(
-    "Root password (input hidden; required to uninstall the root daemon and delete its state): ",
-    "root password"
+    "macOS admin password for sudo (input hidden; required to uninstall the root daemon and delete its state): ",
+    "macOS admin password for sudo"
   )
 });
+function isSudoWrappedInvocation() {
+  return typeof process.geteuid === "function" && process.geteuid() === 0 && typeof process.env.SUDO_UID === "string" && process.env.SUDO_UID.trim().length > 0;
+}
+function assertNotInvokedViaSudo(commandName) {
+  if (!isSudoWrappedInvocation()) {
+    return;
+  }
+  throw new Error(
+    `run \`wlfi-agent ${commandName}\` as your normal macOS user, not with sudo; the CLI prompts for sudo internally and running it as root can target the wrong local WLFI home`
+  );
+}
 function createProgress(message, enabled = true) {
   if (!enabled) {
     return {
@@ -23956,6 +24009,43 @@ function print(payload, asJson) {
   }
   console.dir(payload, { depth: null, colors: process.stdout.isTTY });
 }
+async function managedPathExists(targetPath) {
+  const result = await sudoSession.run(["/bin/test", "-e", targetPath]);
+  if (result.code === 0) {
+    return true;
+  }
+  if (result.code === 1 && !/password is required|try again|authentication failed|sorry/iu.test(result.stderr)) {
+    return false;
+  }
+  throw new Error(
+    result.stderr.trim() || result.stdout.trim() || `failed to inspect managed path '${targetPath}' (exit code ${result.code})`
+  );
+}
+async function assertManagedUninstallArtifactsRemoved(targetPaths) {
+  const remaining = [];
+  for (const targetPath of targetPaths) {
+    if (await managedPathExists(targetPath)) {
+      remaining.push(targetPath);
+    }
+  }
+  if (remaining.length > 0) {
+    throw new Error(
+      `admin uninstall left managed root-owned files behind: ${remaining.join(", ")}`
+    );
+  }
+}
+function assertLocalUninstallArtifactsRemoved(result) {
+  const remaining = [];
+  if (result.config.existed && import_node_fs6.default.existsSync(result.config.path)) {
+    remaining.push(result.config.path);
+  }
+  if (result.wlfiHome.existed && import_node_fs6.default.existsSync(result.wlfiHome.path)) {
+    remaining.push(result.wlfiHome.path);
+  }
+  if (remaining.length > 0) {
+    throw new Error(`admin uninstall left local WLFI files behind: ${remaining.join(", ")}`);
+  }
+}
 function printResetSummary(result) {
   const lines = [
     "reset complete",
@@ -24150,12 +24240,13 @@ async function confirmReset(options) {
   }
 }
 async function runAdminReset(options) {
+  assertNotInvokedViaSudo("admin reset");
   await confirmReset(options);
   const showProgress = !options.json;
   const keychainAccount = import_node_os2.default.userInfo().username;
   if (!options.json && typeof process.geteuid === "function" && process.geteuid() !== 0) {
     process.stderr.write(
-      "Root password required: reset must uninstall the root LaunchDaemon and delete the root-managed daemon state.\n"
+      "macOS admin password required: reset uses sudo to uninstall the root LaunchDaemon and delete the root-managed daemon state.\n"
     );
   }
   await sudoSession.prime();
@@ -24261,19 +24352,22 @@ function printUninstallSummary(result) {
     `managed state directory removed: ${result.daemon.stateDir}`,
     `managed log directory removed: ${result.daemon.logDir}`,
     result.local.agentKeyId ? `old agent key cleared: ${result.local.agentKeyId}` : "old agent key cleared: no configured agent key was found",
+    /* c8 ignore start -- public uninstall summary only reaches here when a WLFI home existed or config provided the helper paths */
     result.local.wlfiHome.existed ? `local WLFI home removed: ${result.local.wlfiHome.path}` : `local WLFI home not found: ${result.local.wlfiHome.path}`,
+    /* c8 ignore stop */
     result.local.config.existed ? `config removed: ${result.local.config.path}` : `config not found: ${result.local.config.path}`,
     "next: reinstall with `wlfi-agent admin setup` only if you want a fresh managed wallet again"
   ];
   console.log(lines.join("\n"));
 }
 async function runAdminUninstall(options) {
+  assertNotInvokedViaSudo("admin uninstall");
   await confirmUninstall(options);
   const showProgress = !options.json;
   const keychainAccount = import_node_os2.default.userInfo().username;
   if (!options.json && typeof process.geteuid === "function" && process.geteuid() !== 0) {
     process.stderr.write(
-      "Root password required: uninstall must remove the root LaunchDaemon and all managed root-owned files.\n"
+      "macOS admin password required: uninstall uses sudo to remove the root LaunchDaemon and all managed root-owned files.\n"
     );
   }
   await sudoSession.prime();
@@ -24322,10 +24416,28 @@ async function runAdminUninstall(options) {
       deleteRootArtifactsResult.stderr.trim() || deleteRootArtifactsResult.stdout.trim() || `failed to delete managed root-owned files (exit code ${deleteRootArtifactsResult.code})`
     );
   }
-  rootProgress.succeed("Managed root-owned files removed");
+  try {
+    await assertManagedUninstallArtifactsRemoved([
+      DEFAULT_LAUNCH_DAEMON_PLIST,
+      DEFAULT_MANAGED_ROOT_DIR,
+      DEFAULT_MANAGED_STATE_DIR,
+      DEFAULT_MANAGED_LOG_DIR
+    ]);
+    rootProgress.succeed("Managed root-owned files removed");
+  } catch (error) {
+    rootProgress.fail();
+    throw error;
+  }
   const localProgress = createProgress("Removing local WLFI files and credentials", showProgress);
-  const local = cleanupLocalAdminUninstallState();
-  localProgress.succeed("Local WLFI files and credentials removed");
+  let local;
+  try {
+    local = cleanupLocalAdminUninstallState();
+    assertLocalUninstallArtifactsRemoved(local);
+    localProgress.succeed("Local WLFI files and credentials removed");
+  } catch (error) {
+    localProgress.fail();
+    throw error;
+  }
   const result = {
     command: "uninstall",
     daemon: {
@@ -24935,6 +25047,7 @@ async function prepareSpawnOptions(binaryName, args, options) {
 
 // src/lib/rust.ts
 var { readConfig: readConfig2, resolveRustBinaryPath: resolveRustBinaryPath2 } = src_exports;
+var MAX_STDOUT_SNIPPET_CHARS = 200;
 var RustBinaryExitError = class extends Error {
   binaryName;
   code;
@@ -24949,6 +25062,20 @@ var RustBinaryExitError = class extends Error {
     this.stderr = stderr;
   }
 };
+var RustBinaryJsonParseError = class extends Error {
+  binaryName;
+  stdout;
+  cause;
+  constructor(binaryName, stdout, cause) {
+    const snippet = stdout.length > MAX_STDOUT_SNIPPET_CHARS ? `${stdout.slice(0, MAX_STDOUT_SNIPPET_CHARS)}...` : stdout;
+    const message = cause instanceof Error ? `${binaryName} produced invalid JSON: ${cause.message}. stdout: ${snippet}` : `${binaryName} produced invalid JSON. stdout: ${snippet}`;
+    super(message);
+    this.name = "RustBinaryJsonParseError";
+    this.binaryName = binaryName;
+    this.stdout = stdout;
+    this.cause = cause;
+  }
+};
 function ensureBinary(binaryName, config) {
   const resolved = resolveRustBinaryPath2(binaryName, config ?? readConfig2());
   if (!import_node_fs7.default.existsSync(resolved)) {
@@ -24964,6 +25091,37 @@ function forwardedArgsIncludeDaemonSocket(args) {
     (arg, _index) => arg === "--daemon-socket" || arg.startsWith("--daemon-socket=")
   );
 }
+async function writeChildStdin(child, stdin) {
+  const stream = child.stdin;
+  if (!stream) {
+    return;
+  }
+  await new Promise((resolve, reject) => {
+    let settled = false;
+    const finish = () => {
+      if (settled) {
+        return;
+      }
+      settled = true;
+      stream.off("error", handleError);
+      resolve();
+    };
+    const handleError = (error) => {
+      if (settled) {
+        return;
+      }
+      if (error?.code === "EPIPE" || error?.code === "ERR_STREAM_DESTROYED") {
+        finish();
+        return;
+      }
+      settled = true;
+      stream.off("error", handleError);
+      reject(error);
+    };
+    stream.on("error", handleError);
+    stream.end(stdin, finish);
+  });
+}
 async function passthroughRustBinary(binaryName, args, config) {
   const resolvedConfig = config ?? readConfig2();
   const resolvedDaemonSocket = resolveValidatedPassthroughDaemonSocket(
@@ -24974,20 +25132,25 @@ async function passthroughRustBinary(binaryName, args, config) {
   const executable = ensureBinary(binaryName, resolvedConfig);
   const prepared = await prepareSpawnOptions(binaryName, args, {});
   const env = { ...prepared.env };
-  if (resolvedDaemonSocket && !forwardedArgsIncludeDaemonSocket(args) && !env.WLFI_DAEMON_SOCKET?.trim()) {
+  if (resolvedDaemonSocket && !forwardedArgsIncludeDaemonSocket(args) && /* c8 ignore next -- explicit env override is exercised, but c8 misattributes this optional-chain/nullish check */
+  !env.WLFI_DAEMON_SOCKET?.trim()) {
     env.WLFI_DAEMON_SOCKET = resolvedDaemonSocket;
   }
   const child = (0, import_node_child_process3.spawn)(executable, prepared.args, {
-    stdio: [prepared.stdin !== void 0 ? "pipe" : "inherit", "inherit", "inherit"],
+    stdio: [
+      prepared.stdin !== void 0 ? "pipe" : "inherit",
+      "inherit",
+      "inherit"
+    ],
     env
   });
-  if (prepared.stdin !== void 0) {
-    child.stdin?.end(prepared.stdin);
-  }
-  return await new Promise((resolve, reject) => {
+  const codePromise = new Promise((resolve, reject) => {
     child.on("error", reject);
-    child.on("close", (code) => resolve(code ?? 1));
+    child.on("close", (code2) => resolve(code2 ?? 1));
   });
+  const stdinPromise = prepared.stdin !== void 0 ? writeChildStdin(child, prepared.stdin) : Promise.resolve();
+  const [code] = await Promise.all([codePromise, stdinPromise]);
+  return code;
 }
 async function runRustBinary(binaryName, args, config, options = {}) {
   const resolvedConfig = config ?? readConfig2();
@@ -25014,13 +25177,20 @@ async function runRustBinary(binaryName, args, config, options = {}) {
   child.stderr?.on("data", (chunk) => {
     stderr += chunk.toString();
   });
-  if (prepared.stdin !== void 0) {
-    child.stdin?.end(prepared.stdin);
-  }
-  const code = await new Promise((resolve, reject) => {
+  const codePromise = new Promise((resolve, reject) => {
     child.on("error", reject);
-    child.on("close", (value) => resolve(value ?? 1));
+    child.on("close", (code2, signal) => {
+      if (code2 !== null && code2 !== void 0) {
+        resolve(code2);
+      } else {
+        resolve(
+          signal ? 128 + (require("os").constants.errno?.SIGTERM ?? 143) : 1
+        );
+      }
+    });
   });
+  const stdinPromise = prepared.stdin !== void 0 ? writeChildStdin(child, prepared.stdin) : Promise.resolve();
+  const [code] = await Promise.all([codePromise, stdinPromise]);
   if (code !== 0) {
     throw new RustBinaryExitError(binaryName, code, stdout, stderr);
   }
@@ -25028,7 +25198,11 @@ async function runRustBinary(binaryName, args, config, options = {}) {
 }
 async function runRustBinaryJson(binaryName, args, config, options = {}) {
   const { stdout } = await runRustBinary(binaryName, args, config, options);
-  return JSON.parse(stdout);
+  try {
+    return JSON.parse(stdout);
+  } catch (error) {
+    throw new RustBinaryJsonParseError(binaryName, stdout, error);
+  }
 }
 
 // src/lib/wallet-profile.ts
@@ -25126,6 +25300,7 @@ function collectWalletBalanceTargets(config) {
         symbol: tokenProfile.symbol,
         name: tokenProfile.name,
         chainKey,
+        /* c8 ignore next -- resolveChainProfile only yields usable balance targets when a chain name is available */
         chainName: resolvedChain?.name ?? chainKey,
         chainId: chainProfile.chainId,
         rpcUrl,
@@ -25623,6 +25798,22 @@ function resolveValidatedWalletSetupPolicyIds(values) {
     normalizedList(values).map((value) => assertWalletSetupUuid(value, "attachPolicyId"))
   );
 }
+function resolveValidatedExistingVaultReuse(input) {
+  const keyId = presentString4(input.existingVaultKeyId);
+  const publicKey = presentString4(input.existingVaultPublicKey);
+  if (!keyId && !publicKey) {
+    return {};
+  }
+  if (!keyId || !publicKey) {
+    throw new Error(
+      "existingVaultKeyId and existingVaultPublicKey must be provided together to reuse an existing wallet"
+    );
+  }
+  return {
+    keyId: assertWalletSetupUuid(keyId, "existingVaultKeyId"),
+    publicKey
+  };
+}
 function previewBootstrapOutputPath(inputPath) {
   const explicitPath = presentString4(inputPath);
   if (explicitPath) {
@@ -26040,7 +26231,9 @@ function formatBooleanPlanValue(value) {
 }
 function formatWalletSetupScope(plan) {
   return [
+    /* c8 ignore next -- both default-network and explicit-network renderings are exercised, but c8 misattributes this ternary under --experimental-strip-types */
     `- Network: ${plan.policyScope.network === null ? "daemon default" : String(plan.policyScope.network)}`,
+    /* c8 ignore next -- both default and explicit chain-name renderings are exercised, but c8 misattributes this nullish expression */
     `- Chain Name: ${plan.policyScope.chainName ?? "daemon default"}`,
     `- Recipient: ${plan.policyScope.recipient ?? "all recipients"}`,
     `- Asset Mode: ${plan.policyScope.assets.mode}`,
@@ -26066,6 +26259,7 @@ function formatWalletSetupPreflight(plan) {
   return [
     `- Daemon Socket Trusted: ${formatBooleanPlanValue(plan.preflight.daemonSocketTrusted)}`,
     plan.preflight.daemonSocketError ? `  ${plan.preflight.daemonSocketError}` : null,
+    /* c8 ignore next -- both null and boolean RPC preflight states are exercised, but c8 misattributes this ternary */
     `- RPC URL Trusted: ${plan.preflight.rpcUrlTrusted === null ? "not applicable" : formatBooleanPlanValue(plan.preflight.rpcUrlTrusted)}`,
     plan.preflight.rpcUrlError ? `  ${plan.preflight.rpcUrlError}` : null,
     `- Bootstrap Output Ready: ${formatBooleanPlanValue(plan.preflight.bootstrapOutputReady)}`,
@@ -26076,6 +26270,7 @@ function formatWalletSetupPlanText(plan) {
   const bootstrapOutputLabel = `${plan.bootstrapOutput.path} (${plan.bootstrapOutput.autoGenerated ? "auto-generated" : "explicit"}, ${plan.bootstrapOutput.cleanupAction} after import)`;
   const lines = [
     "Wallet Setup Preview",
+    /* c8 ignore next -- allowed and blocked admin access renderings are both exercised, but c8 misattributes this ternary */
     `Admin Access: ${plan.adminAccess.permitted ? "allowed" : "blocked"} (${plan.adminAccess.mode})`,
     `Admin Access Reason: ${plan.adminAccess.reason}`,
     `Daemon Socket: ${plan.daemonSocket}`,
@@ -26098,8 +26293,11 @@ function formatWalletSetupPlanText(plan) {
     "Config After Setup",
     `- Agent Key ID: ${plan.configAfterSetup.agentKeyId}`,
     `- Daemon Socket: ${plan.configAfterSetup.daemonSocket}`,
+    /* c8 ignore next -- unchanged and explicit chain-id renderings are both exercised, but c8 misattributes this ternary */
     `- Chain ID: ${plan.configAfterSetup.chainId === null ? "unchanged" : String(plan.configAfterSetup.chainId)}`,
+    /* c8 ignore next -- unchanged and explicit chain-name renderings are both exercised, but c8 misattributes this nullish expression */
     `- Chain Name: ${plan.configAfterSetup.chainName ?? "unchanged"}`,
+    /* c8 ignore next -- unchanged and explicit RPC URL renderings are both exercised, but c8 misattributes this nullish expression */
     `- RPC URL: ${plan.configAfterSetup.rpcUrl ?? "unchanged"}`,
     "",
     "Preflight",
@@ -26146,6 +26344,7 @@ function buildWalletSetupAdminArgs(input) {
   const tokens = resolveValidatedWalletSetupTokenList(input.token);
   const policyIds = resolveValidatedWalletSetupPolicyIds(input.attachPolicyId);
   const fromSharedConfig = shouldBootstrapFromSharedConfig(input);
+  const existingVaultReuse = resolveValidatedExistingVaultReuse(input);
   if (input.vaultPassword) {
     throw new Error(
       "insecure vaultPassword is disabled; use vaultPasswordStdin or an interactive prompt"
@@ -26164,6 +26363,14 @@ function buildWalletSetupAdminArgs(input) {
   if (fromSharedConfig) {
     args.push("--from-shared-config");
   }
+  if (existingVaultReuse.keyId && existingVaultReuse.publicKey) {
+    args.push(
+      "--existing-vault-key-id",
+      existingVaultReuse.keyId,
+      "--existing-vault-public-key",
+      existingVaultReuse.publicKey
+    );
+  }
   const appendValue = (flag, value) => {
     if (value) {
       args.push(flag, value);
@@ -26244,7 +26451,8 @@ function completeWalletSetup(options, deps = {}) {
     }
     if (options.network !== void 0) {
       nextConfig.chainId = assertPositiveChainId(options.network);
-      nextConfig.chainName = normalizedChainName ?? configuredChainName(nextConfig.chainId, currentConfig) ?? `chain-${nextConfig.chainId}`;
+      nextConfig.chainName = normalizedChainName ?? /* c8 ignore next -- configured-chain and synthetic fallback label paths are exercised, but c8 misattributes this nullish expression */
+      configuredChainName(nextConfig.chainId, currentConfig) ?? `chain-${nextConfig.chainId}`;
       nextConfig.rpcUrl = normalizedRpcUrl ?? configuredRpcUrl(nextConfig.chainId, currentConfig);
     }
     storeAgentAuthToken(credentials.agentKeyId, credentials.agentAuthToken);
@@ -26302,31 +26510,9 @@ async function readTrimmedStdin(label) {
   }
   return validateSecret4(raw.replace(/[\r\n]+$/u, ""), label);
 }
-async function promptHidden2(query) {
-  if (!process.stdin.isTTY || !process.stdout.isTTY) {
-    throw new Error("vault password is required; use --vault-password-stdin or a local TTY prompt");
-  }
-  const rl = import_node_readline2.default.createInterface({
-    input: process.stdin,
-    output: process.stdout,
-    terminal: true
-  });
-  rl.stdoutMuted = true;
-  rl._writeToOutput = (value) => {
-    if (value.includes(query)) {
-      rl.output.write(value);
-      return;
-    }
-    if (!rl.stdoutMuted) {
-      rl.output.write(value);
-    }
-  };
-  const answer = await new Promise((resolve) => {
-    rl.question(query, resolve);
-  });
-  rl.close();
-  process.stdout.write("\n");
-  return validateSecret4(answer, "vault password");
+async function promptHidden2(query, label = "vault password", nonInteractiveError = "vault password is required; use --vault-password-stdin or a local TTY prompt") {
+  const answer = await promptHiddenTty(query, nonInteractiveError);
+  return validateSecret4(answer, label);
 }
 async function promptVisible2(query, nonInteractiveError) {
   if (!process.stdin.isTTY || !process.stdout.isTTY) {
@@ -26369,6 +26555,28 @@ function resolveExistingWalletSetupTarget(config) {
     hasLegacyAgentAuthToken
   };
 }
+function resolveReusableWalletSetupTarget(config) {
+  let walletProfile;
+  try {
+    walletProfile = resolveWalletProfile(config);
+  } catch (error) {
+    throw new Error(
+      `--reuse-existing-wallet requires a local wallet to reuse; ${renderError5(error)}`
+    );
+  }
+  const existingVaultKeyId = walletProfile.vaultKeyId?.trim();
+  const existingVaultPublicKey = walletProfile.vaultPublicKey?.trim();
+  if (!existingVaultKeyId || !existingVaultPublicKey) {
+    throw new Error(
+      "--reuse-existing-wallet requires wallet.vaultKeyId and wallet.vaultPublicKey in the local wallet profile"
+    );
+  }
+  return {
+    address: walletProfile.address?.trim() || deriveWalletAddress2(existingVaultPublicKey),
+    existingVaultKeyId,
+    existingVaultPublicKey
+  };
+}
 async function confirmAdminSetupOverwrite(options, config, deps = {}) {
   const existing = resolveExistingWalletSetupTarget(config);
   if (!existing || options.yes) {
@@ -26376,12 +26584,12 @@ async function confirmAdminSetupOverwrite(options, config, deps = {}) {
   }
   if (options.nonInteractive) {
     throw new Error(
-      "`wlfi-agent admin setup` would overwrite the existing wallet; rerun with --yes in non-interactive mode"
+      options.reuseExistingWallet ? "`wlfi-agent admin setup --reuse-existing-wallet` would refresh the existing local wallet metadata and agent credentials; rerun with --yes in non-interactive mode" : "`wlfi-agent admin setup` would overwrite the existing wallet; rerun with --yes in non-interactive mode"
     );
   }
   const stderr = deps.stderr ?? process.stderr;
   stderr.write(
-    "warning: admin setup will overwrite the current local wallet metadata and agent credentials.\n"
+    options.reuseExistingWallet ? "warning: admin setup will reuse the current vault and refresh the local wallet metadata and agent credentials.\n" : "warning: admin setup will overwrite the current local wallet metadata and agent credentials.\n"
   );
   if (existing.address) {
     stderr.write(`current address: ${existing.address}
@@ -26394,11 +26602,13 @@ async function confirmAdminSetupOverwrite(options, config, deps = {}) {
   if (existing.hasLegacyAgentAuthToken) {
     stderr.write("legacy agent auth token is still present in config.json\n");
   }
+  const confirmationToken = options.reuseExistingWallet ? "REUSE" : "OVERWRITE";
+  const confirmationPrompt = options.reuseExistingWallet ? "Type REUSE to reattach the current local vault: " : "Type OVERWRITE to replace the current local wallet: ";
   const confirmation = await (deps.prompt ?? ((query) => promptVisible2(
     query,
-    "`wlfi-agent admin setup` requires --yes in non-interactive environments when overwriting an existing wallet"
-  )))("Type OVERWRITE to replace the current local wallet: ");
-  if (confirmation !== "OVERWRITE") {
+    options.reuseExistingWallet ? "`wlfi-agent admin setup --reuse-existing-wallet` requires --yes in non-interactive environments when reusing an existing wallet" : "`wlfi-agent admin setup` requires --yes in non-interactive environments when overwriting an existing wallet"
+  )))(confirmationPrompt);
+  if (confirmation !== confirmationToken) {
     throw new Error("admin setup aborted");
   }
 }
@@ -26429,7 +26639,9 @@ async function resolveAdminSetupVaultPassword(options, deps = {}) {
       "vault password is required in non-interactive mode; use --vault-password-stdin"
     );
   }
-  return promptForVaultPassword("Vault password (input hidden; nothing will be echoed): ");
+  return promptForVaultPassword(
+    "Vault password (input hidden; this unlocks the wallet, not sudo): "
+  );
 }
 function resolveDaemonSocket(optionValue) {
   return import_node_path8.default.resolve(optionValue?.trim() || DEFAULT_MANAGED_DAEMON_SOCKET2);
@@ -26437,6 +26649,21 @@ function resolveDaemonSocket(optionValue) {
 function resolveStateFile() {
   return import_node_path8.default.resolve(DEFAULT_MANAGED_STATE_FILE2);
 }
+function resolveDefaultActiveChainForFreshSetup(config) {
+  try {
+    const profile = resolveCliNetworkProfile("bsc", config);
+    return {
+      chainId: profile.chainId,
+      chainName: profile.key?.trim() || profile.name.trim().toLowerCase() || "bsc",
+      ...profile.rpcUrl?.trim() ? { rpcUrl: profile.rpcUrl.trim() } : {}
+    };
+  } catch {
+    return null;
+  }
+}
+function shouldSeedDefaultActiveChain(options, config) {
+  return !options.network && !options.rpcUrl && !options.chainName && config.chainId === void 0 && !config.chainName?.trim() && !config.rpcUrl?.trim();
+}
 function createAdminSetupPlan(options, deps = {}) {
   if (options.rpcUrl && !options.network) {
     throw new Error("--rpc-url requires --network");
@@ -26460,6 +26687,7 @@ function createAdminSetupPlan(options, deps = {}) {
     installError = renderError5(error);
   }
   const existingWallet = resolveExistingWalletSetupTarget(config);
+  const reusableWallet = options.reuseExistingWallet ? resolveReusableWalletSetupTarget(config) : null;
   return {
     command: "setup",
     mode: "plan",
@@ -26502,6 +26730,8 @@ function createAdminSetupPlan(options, deps = {}) {
         recipient: options.recipient,
         attachPolicyId: options.attachPolicyId,
         attachBootstrapPolicies: options.attachBootstrapPolicies,
+        existingVaultKeyId: reusableWallet?.existingVaultKeyId,
+        existingVaultPublicKey: reusableWallet?.existingVaultPublicKey,
         bootstrapOutputPath: options.bootstrapOutput,
         deleteBootstrapOutput: options.deleteBootstrapOutput
       },
@@ -26826,7 +27056,9 @@ ${error.stdout}`;
 }
 var sudoSession2 = createSudoSession({
   promptPassword: async () => await promptHidden2(
-    "Root password (input hidden; required to install or recover the root daemon): "
+    "macOS admin password for sudo (input hidden; required to install or recover the root daemon): ",
+    "macOS admin password for sudo",
+    "macOS admin password for sudo is required; rerun on a local TTY"
   )
 });
 async function managedStateFileExists(stateFile) {
@@ -26841,6 +27073,134 @@ async function managedStateFileExists(stateFile) {
     result.stderr.trim() || result.stdout.trim() || `failed to inspect managed daemon state file '${stateFile}' (exit code ${result.code})`
   );
 }
+async function inspectManagedState(stateFile, showProgress, message = "Inspecting managed daemon state") {
+  await sudoSession2.prime();
+  const stateProbeProgress = createProgress2(message, showProgress);
+  let stateExists;
+  try {
+    stateExists = await managedStateFileExists(stateFile);
+    stateProbeProgress.succeed(
+      stateExists ? "Managed daemon state already exists" : "No managed daemon state found"
+    );
+  } catch (error) {
+    stateProbeProgress.fail();
+    throw error;
+  }
+  return stateExists;
+}
+function createManagedStatePasswordMismatchError(stateFile) {
+  return new Error(
+    `managed daemon state already exists at ${stateFile} and is encrypted with a different vault password. Re-run setup with the original vault password, or remove/reset the managed daemon state before initializing a fresh wallet.`
+  );
+}
+function isManagedStatePasswordMismatch(output) {
+  return /failed to decrypt state|wrong password or tampered file|authentication failed/iu.test(
+    output
+  );
+}
+async function managedStateAcceptsRequestedVaultPassword(config, daemonSocket, stateFile, vaultPassword) {
+  const installPreconditions = assertManagedDaemonInstallPreconditions(
+    config,
+    daemonSocket,
+    stateFile
+  );
+  const tempRoot = import_node_fs9.default.mkdtempSync(import_node_path8.default.join(import_node_os3.default.tmpdir(), "wlfi-managed-state-probe-"));
+  const tempSocket = import_node_path8.default.join(tempRoot, "daemon.sock");
+  const allowedUid = String(process.getuid?.() ?? process.geteuid?.() ?? 0);
+  const probeScript = [
+    "set -euo pipefail",
+    'vault_password="$(cat)"',
+    'daemon_bin="$1"',
+    'state_file="$2"',
+    'daemon_socket="$3"',
+    'admin_uid="$4"',
+    'agent_uid="$5"',
+    'signer_backend="$6"',
+    '"$daemon_bin" \\',
+    "  --non-interactive \\",
+    "  --vault-password-stdin \\",
+    '  --state-file "$state_file" \\',
+    '  --daemon-socket "$daemon_socket" \\',
+    '  --signer-backend "$signer_backend" \\',
+    '  --allow-admin-euid "$admin_uid" \\',
+    '  --allow-agent-euid "$agent_uid" <<<"$vault_password" &',
+    'child="$!"',
+    "for _ in $(seq 1 20); do",
+    '  if ! kill -0 "$child" 2>/dev/null; then',
+    '    wait "$child"',
+    "    exit $?",
+    "  fi",
+    "  sleep 0.25",
+    "done",
+    'kill "$child" >/dev/null 2>&1 || true',
+    'wait "$child" >/dev/null 2>&1 || true',
+    "exit 0"
+  ].join("\n");
+  try {
+    const result = await sudoSession2.run(
+      [
+        "/bin/bash",
+        "-lc",
+        probeScript,
+        "--",
+        installPreconditions.daemonBin,
+        stateFile,
+        tempSocket,
+        allowedUid,
+        allowedUid,
+        DEFAULT_SIGNER_BACKEND
+      ],
+      {
+        stdin: `${vaultPassword}
+`
+      }
+    );
+    if (result.code === 0) {
+      return true;
+    }
+    const combinedOutput = `${result.stderr}
+${result.stdout}`.trim();
+    if (isManagedStatePasswordMismatch(combinedOutput)) {
+      return false;
+    }
+    throw new Error(
+      combinedOutput || `failed to validate the managed daemon state with the requested vault password (exit code ${result.code})`
+    );
+  } finally {
+    import_node_fs9.default.rmSync(tempRoot, { recursive: true, force: true });
+  }
+}
+async function assertManagedStateMatchesRequestedVaultPasswordBeforeInstall(config, daemonSocket, stateFile, vaultPassword, showProgress) {
+  const stateExists = await inspectManagedState(
+    stateFile,
+    showProgress,
+    "Inspecting managed daemon state before install"
+  );
+  if (!stateExists) {
+    return;
+  }
+  const verifyProgress = createProgress2(
+    "Verifying the requested vault password against the managed daemon state",
+    showProgress
+  );
+  let accepted;
+  try {
+    accepted = await managedStateAcceptsRequestedVaultPassword(
+      config,
+      daemonSocket,
+      stateFile,
+      vaultPassword
+    );
+  } catch (error) {
+    verifyProgress.fail();
+    throw error;
+  }
+  if (!accepted) {
+    verifyProgress.fail("Existing daemon password does not unlock the stored daemon state");
+    throw createManagedStatePasswordMismatchError(stateFile);
+  }
+  verifyProgress.succeed("Requested vault password unlocks the existing managed daemon state");
+}
 async function waitForTrustedDaemonSocket(targetPath, timeoutMs = 15e3) {
   async function canConnect(socketPath) {
     return new Promise((resolve) => {
@@ -27019,6 +27379,8 @@ async function runAdminSetup(options) {
   const config = readConfig();
   const daemonSocket = resolveDaemonSocket(options.daemonSocket);
   const stateFile = resolveStateFile();
+  const defaultActiveChain = shouldSeedDefaultActiveChain(options, config) ? resolveDefaultActiveChainForFreshSetup(config) : null;
+  const reusableWallet = options.reuseExistingWallet ? resolveReusableWalletSetupTarget(config) : null;
   assertManagedDaemonInstallPreconditions(config, daemonSocket, stateFile);
   await confirmAdminSetupOverwrite(options, config);
   const vaultPassword = await resolveAdminSetupVaultPassword(options);
@@ -27076,10 +27438,17 @@ async function runAdminSetup(options) {
       }
       if (!options.json && typeof process.geteuid === "function" && process.geteuid() !== 0) {
         process.stderr.write(
-          "Root password required: setup must install or recover the root LaunchDaemon and store the daemon password in System Keychain.\n"
+          "macOS admin password required: setup uses sudo to install or recover the root LaunchDaemon and store the daemon password in System Keychain.\n"
         );
       }
       await sudoSession2.prime();
+      await assertManagedStateMatchesRequestedVaultPasswordBeforeInstall(
+        config,
+        daemonSocket,
+        stateFile,
+        vaultPassword,
+        showProgress
+      );
       const installProgress = createProgress2("Installing and restarting daemon", showProgress);
       try {
         daemon = await installLaunchDaemon(config, daemonSocket, stateFile, vaultPassword);
@@ -27109,34 +27478,20 @@ async function runAdminSetup(options) {
   if (!daemonAcceptedPassword) {
     if (existingDaemonRejectedPassword) {
       authProgress.fail("Existing daemon password does not unlock the stored daemon state");
-      throw new Error(
-        `managed daemon state already exists at ${stateFile} and is encrypted with a different vault password. Re-run setup with the original vault password, or remove/reset the managed daemon state before initializing a fresh wallet.`
-      );
+      throw createManagedStatePasswordMismatchError(stateFile);
     }
     authProgress.info("Daemon rejected the requested vault password; inspecting managed state");
-    const stateProbeProgress = createProgress2("Inspecting managed daemon state", showProgress);
-    let stateExists;
-    try {
-      stateExists = await managedStateFileExists(stateFile);
-      stateProbeProgress.succeed(
-        stateExists ? "Managed daemon state already exists" : "No managed daemon state found"
-      );
-    } catch (error) {
-      stateProbeProgress.fail();
-      throw error;
-    }
+    const stateExists = await inspectManagedState(stateFile, showProgress);
     if (stateExists) {
       authProgress.fail("Existing daemon password does not unlock the stored daemon state");
-      throw new Error(
-        `managed daemon state already exists at ${stateFile} and is encrypted with a different vault password. Re-run setup with the original vault password, or remove/reset the managed daemon state before initializing a fresh wallet.`
-      );
+      throw createManagedStatePasswordMismatchError(stateFile);
     }
     authProgress.fail(
       "Existing daemon password differs; reinstalling with the requested vault password"
     );
     if (!options.json && typeof process.geteuid === "function" && process.geteuid() !== 0) {
       process.stderr.write(
-        "Root password required: setup must reinstall the root LaunchDaemon to rotate the managed daemon password.\n"
+        "macOS admin password required: setup uses sudo to reinstall the root LaunchDaemon and rotate the managed daemon password.\n"
       );
     }
     await sudoSession2.prime();
@@ -27216,6 +27571,8 @@ async function runAdminSetup(options) {
     recipient: options.recipient,
     attachPolicyId: options.attachPolicyId,
     attachBootstrapPolicies: options.attachBootstrapPolicies,
+    existingVaultKeyId: reusableWallet?.existingVaultKeyId,
+    existingVaultPublicKey: reusableWallet?.existingVaultPublicKey,
     bootstrapOutputPath: bootstrapOutput.path
   });
   const bootstrapProgress = createProgress2("Setting up wallet access", showProgress);
@@ -27286,7 +27643,12 @@ async function runAdminSetup(options) {
   }
   const persistedConfig = writeConfig({
     daemonSocket,
-    stateFile
+    stateFile,
+    ...defaultActiveChain ? {
+      chainId: defaultActiveChain.chainId,
+      chainName: defaultActiveChain.chainName,
+      ...defaultActiveChain.rpcUrl ? { rpcUrl: defaultActiveChain.rpcUrl } : {}
+    } : {}
   });
   printCliPayload(
     {
@@ -27338,6 +27700,8 @@ function buildAdminSetupBootstrapInvocation(input) {
       recipient: input.recipient,
       attachPolicyId: input.attachPolicyId,
       attachBootstrapPolicies: input.attachBootstrapPolicies,
+      existingVaultKeyId: input.existingVaultKeyId,
+      existingVaultPublicKey: input.existingVaultPublicKey,
       bootstrapOutputPath: input.bootstrapOutputPath
     }),
     stdin: `${validateSecret4(input.vaultPassword, "vault password")}
@@ -27396,7 +27760,11 @@ async function runAdminSetupCli(argv) {
   const program2 = new Command();
   program2.name("wlfi-agent admin setup").description(
     "Store the vault password, install the root daemon autostart, set up wallet access, and print the wallet address"
-  ).option("--plan", "Print a sanitized setup preview without prompting or mutating state", false).option("--vault-password-stdin", "Read vault password from stdin", false).option("--non-interactive", "Disable password prompts", false).option("-y, --yes", "Skip the overwrite confirmation prompt", false).option("--daemon-socket <path>", "Daemon unix socket path").option("--per-tx-max-wei <wei>", "Per-transaction max spend in wei").option("--daily-max-wei <wei>", "Daily max spend in wei").option("--weekly-max-wei <wei>", "Weekly max spend in wei").option("--max-gas-per-chain-wei <wei>", "Per-chain gas-spend ceiling in wei").option("--daily-max-tx-count <count>", "Optional daily tx-count cap").option("--per-tx-max-fee-per-gas-wei <wei>", "Optional max fee-per-gas cap").option("--per-tx-max-priority-fee-per-gas-wei <wei>", "Optional max priority fee-per-gas cap").option("--per-tx-max-calldata-bytes <bytes>", "Optional calldata size cap").option(
+  ).option("--plan", "Print a sanitized setup preview without prompting or mutating state", false).option("--vault-password-stdin", "Read vault password from stdin", false).option("--non-interactive", "Disable password prompts", false).option("-y, --yes", "Skip the overwrite confirmation prompt", false).option(
+    "--reuse-existing-wallet",
+    "Reuse the current local vault instead of generating a fresh wallet",
+    false
+  ).option("--daemon-socket <path>", "Daemon unix socket path").option("--per-tx-max-wei <wei>", "Per-transaction max spend in wei").option("--daily-max-wei <wei>", "Daily max spend in wei").option("--weekly-max-wei <wei>", "Weekly max spend in wei").option("--max-gas-per-chain-wei <wei>", "Per-chain gas-spend ceiling in wei").option("--daily-max-tx-count <count>", "Optional daily tx-count cap").option("--per-tx-max-fee-per-gas-wei <wei>", "Optional max fee-per-gas cap").option("--per-tx-max-priority-fee-per-gas-wei <wei>", "Optional max priority fee-per-gas cap").option("--per-tx-max-calldata-bytes <bytes>", "Optional calldata size cap").option(
     "--token <address>",
     "Allowed ERC-20 token address",
     (value, acc) => {
@@ -27531,8 +27899,12 @@ function resolveConfiguredAgentKeyId(config, explicitAgentKeyId) {
     if (explicitAgentKeyId) {
       return void 0;
     }
+    const renderedError = error instanceof Error ? error.message : (
+      /* c8 ignore next -- assertValidAgentKeyId throws Error objects */
+      String(error)
+    );
     throw new Error(
-      (error instanceof Error ? error.message : String(error)) + "; pass --agent-key-id to migrate the legacy config secret explicitly"
+      renderedError + "; pass --agent-key-id to migrate the legacy config secret explicitly"
     );
   }
 }
@@ -27818,11 +28190,26 @@ function rewriteAmountPolicyErrorMessage(message, asset) {
     (_match, usedAmountWei, requestedAmountWei, maxAmountWei) => `window usage ${formatAmount(usedAmountWei)} + requested ${formatAmount(requestedAmountWei)} > max ${formatAmount(maxAmountWei)}`
   ).replace(
     /requires manual approval for requested amount (\d+) within range (None|Some\((\d+)\))\.\.=(\d+)/gu,
-    (_match, requestedAmountWei, minAmountLiteral, minAmountWei, maxAmountWei) => `requires manual approval for requested amount ${formatAmount(requestedAmountWei)} within range ${minAmountLiteral === "None" ? "None" : `Some(${formatAmount(minAmountWei ?? "0")})`}..=${formatAmount(maxAmountWei)}`
+    (_match, requestedAmountWei, minAmountLiteral, minAmountWei, maxAmountWei) => {
+      const minAmountDisplay = (
+        /* c8 ignore next -- both None and Some(...) paths are exercised, but c8 misattributes this ternary under --experimental-strip-types */
+        minAmountLiteral === "None" ? "None" : `Some(${formatAmount(minAmountWei ?? "0")})`
+      );
+      return `requires manual approval for requested amount ${formatAmount(requestedAmountWei)} within range ${minAmountDisplay}..=${formatAmount(maxAmountWei)}`;
+    }
   );
 }
 
 // src/lib/asset-broadcast.ts
+function resolveEstimatedPriorityFeePerGasWei(fees) {
+  const resolved = fees.maxPriorityFeePerGas ?? fees.gasPrice;
+  if (resolved === null || resolved <= 0n) {
+    throw new Error(
+      "Could not determine maxPriorityFeePerGas; pass --max-priority-fee-per-gas-wei"
+    );
+  }
+  return resolved;
+}
 function encodeErc20TransferData(recipient, amountWei) {
   return encodeFunctionData({
     abi: erc20Abi,
@@ -27851,10 +28238,10 @@ async function resolveAssetBroadcastPlan(input, deps) {
   const fees = await deps.estimateFees(input.rpcUrl);
   const resolvedFees = fees;
   const maxFeePerGasWei = input.maxFeePerGasWei ?? (resolvedFees.maxFeePerGas ?? resolvedFees.gasPrice);
-  const maxPriorityFeePerGasWei = input.maxPriorityFeePerGasWei ?? (resolvedFees.maxPriorityFeePerGas ?? resolvedFees.gasPrice ?? 0n);
   if (maxFeePerGasWei === null || maxFeePerGasWei <= 0n) {
     throw new Error("Could not determine maxFeePerGas; pass --max-fee-per-gas-wei");
   }
+  const maxPriorityFeePerGasWei = input.maxPriorityFeePerGasWei ?? resolveEstimatedPriorityFeePerGasWei(resolvedFees);
   return {
     rpcUrl: input.rpcUrl,
     chainId: input.chainId,
@@ -27879,7 +28266,7 @@ async function completeAssetBroadcast(plan, signed, deps) {
     to: plan.to,
     chainId: plan.chainId,
     nonce: plan.nonce,
-    allowHigherNonce: true,
+    allowHigherNonce: false,
     value: plan.valueWei,
     data: plan.dataHex,
     gasLimit: plan.gasLimit,
@@ -27986,7 +28373,6 @@ function resolveConfigMutationCommandLabel(command, key) {
 }
 
 // src/lib/local-admin-access.ts
-var import_node_readline3 = __toESM(require("readline"), 1);
 var MAX_SECRET_STDIN_BYTES4 = 16 * 1024;
 function renderError6(error) {
   return error instanceof Error ? error.message : String(error);
@@ -28004,35 +28390,13 @@ function currentProcessIsRoot2() {
   return typeof process.geteuid === "function" && process.geteuid() === 0;
 }
 async function promptHidden3(query, label) {
-  if (!process.stdin.isTTY || !process.stdout.isTTY) {
-    throw new Error(`${label} is required; rerun on a local TTY`);
-  }
-  const rl = import_node_readline3.default.createInterface({
-    input: process.stdin,
-    output: process.stdout,
-    terminal: true
-  });
-  rl.stdoutMuted = true;
-  rl._writeToOutput = (value) => {
-    if (value.includes(query)) {
-      rl.output.write(value);
-      return;
-    }
-    if (!rl.stdoutMuted) {
-      rl.output.write(value);
-    }
-  };
-  const answer = await new Promise((resolve) => {
-    rl.question(query, resolve);
-  });
-  rl.close();
-  process.stdout.write("\n");
+  const answer = await promptHiddenTty(query, `${label} is required; rerun on a local TTY`);
   return validateSecret5(answer, label);
 }
 var sudoSession3 = createSudoSession({
   promptPassword: async () => await promptHidden3(
-    "Root password (input hidden; required to change local admin chain and token configuration): ",
-    "root password"
+    "macOS admin password for sudo (input hidden; required to change local admin chain and token configuration): ",
+    "macOS admin password for sudo"
   )
 });
 async function requireLocalAdminMutationAccess(commandLabel, deps = {}) {
@@ -28915,10 +29279,9 @@ function isManualApprovalRequiredOutput(value) {
   const candidate = value;
   return typeof candidate.command === "string" && typeof candidate.approval_request_id === "string" && typeof candidate.cli_approval_command === "string";
 }
-function printManualApprovalRequired(output, asJson) {
+function renderManualApprovalRequired(output, asJson) {
   if (asJson) {
-    print2(output, true);
-    return;
+    return formatJson(output);
   }
   const lines = [
     `Command: ${output.command}`,
@@ -28931,7 +29294,27 @@ function printManualApprovalRequired(output, asJson) {
     lines.push(`Relay URL: ${output.relay_url}`);
   }
   lines.push(`CLI Approval Command: ${output.cli_approval_command}`);
-  print2(lines.join("\n"), false);
+  return lines.join("\n");
+}
+function printManualApprovalRequired(output, asJson, useStderr = false) {
+  const rendered = renderManualApprovalRequired(output, asJson);
+  if (useStderr) {
+    console.error(rendered);
+    return;
+  }
+  console.log(rendered);
+}
+function printManualApprovalWaiting(output, asJson) {
+  if (asJson) {
+    console.error(
+      formatJson({
+        event: "manualApprovalPending",
+        approvalRequestId: output.approval_request_id
+      })
+    );
+    return;
+  }
+  console.error(`Waiting for manual approval decision: ${output.approval_request_id}`);
 }
 var MAX_SECRET_STDIN_BYTES5 = 16 * 1024;
 var AGENT_KEY_ID_PATTERN2 = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/iu;
@@ -29052,6 +29435,15 @@ function print2(payload, asJson) {
 }
 var ONCHAIN_RECEIPT_TIMEOUT_MS = 3e4;
 var ONCHAIN_RECEIPT_POLL_INTERVAL_MS = 2e3;
+var MANUAL_APPROVAL_POLL_INTERVAL_MS = 2e3;
+var MANUAL_APPROVAL_WAIT_TIMEOUT_MS = (() => {
+  const raw = process.env.WLFI_TEST_MANUAL_APPROVAL_TIMEOUT_MS;
+  if (!raw) {
+    return 5 * 6e4;
+  }
+  const parsed = Number(raw);
+  return Number.isFinite(parsed) && parsed > 0 ? parsed : 5 * 6e4;
+})();
 async function reportOnchainReceiptStatus(input) {
   if (input.asJson) {
     console.error(
@@ -29193,39 +29585,40 @@ async function resolveAgentCommandContext(options, config) {
   warnForAgentAuthTokenSource(agentAuthTokenSource, agentKeyId);
   return { agentKeyId, agentAuthToken, daemonSocket };
 }
-async function runAgentCommandJson(input) {
-  const { agentKeyId, agentAuthToken, daemonSocket } = await resolveAgentCommandContext(
-    input.auth,
-    input.config
-  );
+async function runAgentCommandJsonOnce(input) {
   try {
-    return await runRustBinaryJson(
-      "wlfi-agent-agent",
-      [
-        "--json",
-        "--agent-key-id",
-        agentKeyId,
-        "--agent-auth-token-stdin",
-        "--daemon-socket",
-        daemonSocket,
-        ...input.commandArgs
-      ],
-      input.config,
-      {
-        stdin: `${agentAuthToken}
+    return {
+      type: "success",
+      value: await runRustBinaryJson(
+        "wlfi-agent-agent",
+        [
+          "--json",
+          "--agent-key-id",
+          input.agentKeyId,
+          "--agent-auth-token-stdin",
+          "--daemon-socket",
+          input.daemonSocket,
+          ...input.commandArgs
+        ],
+        input.config,
+        {
+          stdin: `${input.agentAuthToken}
 `,
-        preSuppliedSecretStdin: "agentAuthToken",
-        scrubSensitiveEnv: true
-      }
-    );
+          preSuppliedSecretStdin: "agentAuthToken",
+          scrubSensitiveEnv: true
+        }
+      )
+    };
   } catch (error) {
     if (error instanceof RustBinaryExitError && error.stdout.trim()) {
       try {
         const parsed = JSON.parse(error.stdout);
         if (isManualApprovalRequiredOutput(parsed)) {
-          printManualApprovalRequired(parsed, input.asJson);
-          process.exitCode = error.code;
-          return null;
+          return {
+            type: "manualApproval",
+            output: parsed,
+            exitCode: error.code
+          };
         }
       } catch {
       }
@@ -29233,6 +29626,49 @@ async function runAgentCommandJson(input) {
     throw error;
   }
 }
+async function runAgentCommandJson(input) {
+  const { agentKeyId, agentAuthToken, daemonSocket } = await resolveAgentCommandContext(
+    input.auth,
+    input.config
+  );
+  const runOnce = () => runAgentCommandJsonOnce({
+    commandArgs: input.commandArgs,
+    config: input.config,
+    agentKeyId,
+    agentAuthToken,
+    daemonSocket
+  });
+  const firstAttempt = await runOnce();
+  if (firstAttempt.type === "success") {
+    return firstAttempt.value;
+  }
+  if (!input.waitForManualApproval) {
+    printManualApprovalRequired(firstAttempt.output, input.asJson);
+    process.exitCode = firstAttempt.exitCode;
+    return null;
+  }
+  printManualApprovalRequired(firstAttempt.output, input.asJson, true);
+  printManualApprovalWaiting(firstAttempt.output, input.asJson);
+  const pendingApprovalRequestId = firstAttempt.output.approval_request_id;
+  const startedWaitingAt = Date.now();
+  for (; ; ) {
+    await (0, import_promises2.setTimeout)(MANUAL_APPROVAL_POLL_INTERVAL_MS);
+    const nextAttempt = await runOnce();
+    if (nextAttempt.type === "success") {
+      return nextAttempt.value;
+    }
+    if (nextAttempt.output.approval_request_id !== pendingApprovalRequestId) {
+      throw new Error(
+        `manual approval request changed while waiting for a decision (${pendingApprovalRequestId} -> ${nextAttempt.output.approval_request_id}); stop and rerun the command after checking the approval status.`
+      );
+    }
+    if (Date.now() - startedWaitingAt >= MANUAL_APPROVAL_WAIT_TIMEOUT_MS) {
+      throw new Error(
+        `Timed out after ${Math.ceil(MANUAL_APPROVAL_WAIT_TIMEOUT_MS / 1e3)}s waiting for manual approval decision: ${pendingApprovalRequestId}`
+      );
+    }
+  }
+}
 function legacyAmountToDecimalString(value) {
   if (value === void 0) {
     return void 0;
@@ -29870,7 +30306,8 @@ async function main() {
           ],
           auth: options,
           config,
-          asJson: options.json
+          asJson: options.json,
+          waitForManualApproval: true
         });
         if (!signed) {
           return;
@@ -29926,20 +30363,108 @@ async function main() {
     }
   });
   addAgentCommandAuthOptions(
-    program2.command("transfer-native").description("Submit a native ETH transfer request through policy checks").requiredOption("--network <name>", "Network name").requiredOption("--to <address>", "Recipient address").requiredOption("--amount <amount>", "Transfer amount in configured native token units").addOption(new Option("--amount-wei <wei>").hideHelp())
+    program2.command("transfer-native").description("Submit a native ETH transfer request through policy checks").requiredOption("--network <name>", "Network name").requiredOption("--to <address>", "Recipient address").requiredOption("--amount <amount>", "Transfer amount in configured native token units").option("--broadcast", "Broadcast the signed transaction through RPC", false).option("--rpc-url <url>", "Ethereum RPC URL override used only for broadcast").option(
+      "--from <address>",
+      "Sender address override for broadcast; defaults to configured wallet address"
+    ).option("--nonce <nonce>", "Explicit nonce override for broadcast").option("--gas-limit <gas>", "Gas limit override for broadcast").option("--max-fee-per-gas-wei <wei>", "Max fee per gas override for broadcast").option("--max-priority-fee-per-gas-wei <wei>", "Priority fee per gas override for broadcast").option("--tx-type <type>", "Typed tx value for broadcast", "0x02").option("--no-wait", "Do not wait up to 30s for an on-chain receipt after broadcast").option(
+      "--reveal-raw-tx",
+      "Include the signed raw transaction bytes in broadcast output",
+      false
+    ).option("--reveal-signature", "Include signer r/s/v fields in broadcast output", false).addOption(new Option("--amount-wei <wei>").hideHelp())
   ).action(async (options) => {
     const config = readConfig3();
     const network = resolveCliNetworkProfile(options.network, config).chainId;
     const asset = resolveConfiguredNativeAsset(config, network);
+    const recipient = assertAddress(options.to, "to");
     const amountWei = options.amount ? parseConfiguredAmount(options.amount, asset.decimals, "amount") : parseBigIntString(options.amountWei, "amountWei");
     try {
+      if (options.broadcast) {
+        const plan = await resolveAssetBroadcastPlan(
+          {
+            rpcUrl: resolveCliRpcUrl(options.rpcUrl, options.network, config),
+            chainId: network,
+            from: options.from ? assertAddress(options.from, "from") : resolveWalletAddress(config),
+            to: recipient,
+            valueWei: amountWei,
+            dataHex: "0x",
+            nonce: options.nonce ? parseIntegerString(options.nonce, "nonce") : void 0,
+            gasLimit: options.gasLimit ? parsePositiveBigIntString(options.gasLimit, "gasLimit") : void 0,
+            maxFeePerGasWei: options.maxFeePerGasWei ? parsePositiveBigIntString(options.maxFeePerGasWei, "maxFeePerGasWei") : void 0,
+            maxPriorityFeePerGasWei: options.maxPriorityFeePerGasWei ? parseBigIntString(options.maxPriorityFeePerGasWei, "maxPriorityFeePerGasWei") : void 0,
+            txType: options.txType
+          },
+          {
+            getChainInfo: getChainInfo2,
+            assertRpcChainIdMatches,
+            getNonce: getNonce2,
+            estimateGas: estimateGas3,
+            estimateFees: estimateFees2
+          }
+        );
+        const signed = await runAgentCommandJson({
+          commandArgs: [
+            "broadcast",
+            "--network",
+            String(plan.chainId),
+            "--nonce",
+            String(plan.nonce),
+            "--to",
+            recipient,
+            "--value-wei",
+            amountWei.toString(),
+            "--data-hex",
+            "0x",
+            "--gas-limit",
+            plan.gasLimit.toString(),
+            "--max-fee-per-gas-wei",
+            plan.maxFeePerGasWei.toString(),
+            "--max-priority-fee-per-gas-wei",
+            plan.maxPriorityFeePerGasWei.toString(),
+            "--tx-type",
+            plan.txType
+          ],
+          auth: options,
+          config,
+          asJson: options.json,
+          waitForManualApproval: true
+        });
+        if (!signed) {
+          return;
+        }
+        const completed = await completeAssetBroadcast(plan, signed, {
+          assertSignedBroadcastTransactionMatchesRequest,
+          broadcastRawTransaction: broadcastRawTransaction2
+        });
+        print2(
+          formatBroadcastedAssetOutput({
+            command: "transfer-native",
+            counterparty: recipient,
+            asset,
+            signed,
+            plan,
+            signedNonce: completed.signedNonce,
+            networkTxHash: completed.networkTxHash,
+            revealRawTx: options.revealRawTx,
+            revealSignature: options.revealSignature
+          }),
+          options.json
+        );
+        if (options.wait) {
+          await reportOnchainReceiptStatus({
+            rpcUrl: plan.rpcUrl,
+            txHash: completed.networkTxHash,
+            asJson: options.json
+          });
+        }
+        return;
+      }
       const result = await runAgentCommandJson({
         commandArgs: [
           "transfer-native",
           "--network",
           String(network),
           "--to",
-          assertAddress(options.to, "to"),
+          recipient,
           "--amount-wei",
           amountWei.toString()
         ],
@@ -30018,7 +30543,8 @@ async function main() {
           ],
           auth: options,
           config,
-          asJson: options.json
+          asJson: options.json,
+          waitForManualApproval: true
         });
         if (!signed) {
           return;
@@ -30074,29 +30600,46 @@ async function main() {
     }
   });
   addAgentCommandAuthOptions(
-    program2.command("broadcast").description("Submit a raw transaction broadcast request through policy checks").requiredOption("--network <name>", "Network name").requiredOption("--to <address>", "Recipient or target contract").requiredOption("--gas-limit <gas>", "Gas limit").requiredOption("--max-fee-per-gas-wei <wei>", "Max fee per gas in wei").option("--nonce <nonce>", "Explicit nonce override", "0").option("--value-wei <wei>", "Value in wei", "0").option("--data-hex <hex>", "Calldata hex", "0x").option("--max-priority-fee-per-gas-wei <wei>", "Priority fee per gas in wei", "0").option("--tx-type <type>", "Typed tx value", "2").option("--delegation-enabled", "Forward delegation flag to Rust signing request", false)
+    program2.command("broadcast").description("Submit a raw transaction broadcast request through policy checks").requiredOption("--network <name>", "Network name").requiredOption("--to <address>", "Recipient or target contract").requiredOption("--gas-limit <gas>", "Gas limit").requiredOption("--max-fee-per-gas-wei <wei>", "Max fee per gas in wei").option("--nonce <nonce>", "Explicit nonce override").option("--value-wei <wei>", "Value in wei", "0").option("--data-hex <hex>", "Calldata hex", "0x").option("--max-priority-fee-per-gas-wei <wei>", "Priority fee per gas in wei").option("--tx-type <type>", "Typed tx value", "0x02").option("--delegation-enabled", "Forward delegation flag to Rust signing request", false)
   ).action(async (options) => {
     const config = readConfig3();
     const network = resolveCliNetworkProfile(options.network, config);
-    const result = await runAgentCommandJson({
+    const to = assertAddress(options.to, "to");
+    const valueWei = parseBigIntString(options.valueWei, "valueWei");
+    const dataHex = assertHex(options.dataHex, "dataHex");
+    const gasLimit = parsePositiveBigIntString(options.gasLimit, "gasLimit");
+    const maxFeePerGasWei = parsePositiveBigIntString(options.maxFeePerGasWei, "maxFeePerGasWei");
+    const explicitNonce = options.nonce ? parseIntegerString(options.nonce, "nonce") : void 0;
+    const rpcUrl = resolveCliRpcUrl(void 0, options.network, config);
+    const from14 = resolveWalletAddress(config);
+    const chainInfo = await getChainInfo2(rpcUrl);
+    assertRpcChainIdMatches(network.chainId, chainInfo.chainId);
+    const nonce = explicitNonce ?? await getNonce2(rpcUrl, from14);
+    const fees = options.maxPriorityFeePerGasWei ? null : await estimateFees2(rpcUrl);
+    const maxPriorityFeePerGasWei = options.maxPriorityFeePerGasWei ? parseBigIntString(options.maxPriorityFeePerGasWei, "maxPriorityFeePerGasWei") : resolveEstimatedPriorityFeePerGasWei({
+      gasPrice: fees?.gasPrice ?? null,
+      maxFeePerGas: fees?.maxFeePerGas ?? null,
+      maxPriorityFeePerGas: fees?.maxPriorityFeePerGas ?? null
+    });
+    const signed = await runAgentCommandJson({
       commandArgs: [
         "broadcast",
         "--network",
         String(network.chainId),
         "--nonce",
-        String(parseIntegerString(options.nonce, "nonce")),
+        String(nonce),
         "--to",
-        assertAddress(options.to, "to"),
+        to,
         "--value-wei",
-        parseBigIntString(options.valueWei, "valueWei").toString(),
+        valueWei.toString(),
         "--data-hex",
-        assertHex(options.dataHex, "dataHex"),
+        dataHex,
         "--gas-limit",
-        parsePositiveBigIntString(options.gasLimit, "gasLimit").toString(),
+        gasLimit.toString(),
         "--max-fee-per-gas-wei",
-        parsePositiveBigIntString(options.maxFeePerGasWei, "maxFeePerGasWei").toString(),
+        maxFeePerGasWei.toString(),
         "--max-priority-fee-per-gas-wei",
-        parseBigIntString(options.maxPriorityFeePerGasWei, "maxPriorityFeePerGasWei").toString(),
+        maxPriorityFeePerGasWei.toString(),
         "--tx-type",
         options.txType,
         ...options.delegationEnabled ? ["--delegation-enabled"] : []
@@ -30105,9 +30648,28 @@ async function main() {
       config,
       asJson: options.json
     });
-    if (result) {
-      print2(result, options.json);
+    if (!signed) {
+      return;
+    }
+    if (!signed.raw_tx_hex) {
+      throw new Error("Rust agent did not return raw_tx_hex for broadcast signing");
     }
+    await assertSignedBroadcastTransactionMatchesRequest({
+      rawTxHex: signed.raw_tx_hex,
+      from: from14,
+      to,
+      chainId: network.chainId,
+      nonce,
+      allowHigherNonce: false,
+      value: valueWei,
+      data: dataHex,
+      gasLimit,
+      maxFeePerGas: maxFeePerGasWei,
+      maxPriorityFeePerGas: maxPriorityFeePerGasWei,
+      txType: options.txType
+    });
+    await broadcastRawTransaction2(rpcUrl, signed.raw_tx_hex);
+    print2(signed, options.json);
   });
   const rpc = program2.command("rpc").description("RPC methods implemented in TypeScript");
   rpc.command("chain").option("--rpc-url <url>", "Ethereum RPC URL").option("--json", "Print JSON output", false).action(async (options) => {
@@ -30319,7 +30881,7 @@ async function main() {
       to,
       chainId,
       nonce,
-      allowHigherNonce: true,
+      allowHigherNonce: false,
       value: valueWei,
       data: dataHex,
       gasLimit,