@wlfi-agent/cli 1.4.17 → 1.4.19

package/crates/vault-cli-agent/Cargo.toml

@@ -7,6 +7,7 @@ authors.workspace = true
 
 [dependencies]
 anyhow.workspace = true
+async-trait.workspace = true
 clap.workspace = true
 hex.workspace = true
 libc.workspace = true

package/crates/vault-cli-agent/src/io_utils.rs

@@ -80,13 +80,24 @@ fn read_secret_from_reader(mut reader: impl Read, label: &str) -> Result<String>
 #[cfg(test)]
 mod tests {
     use super::{
-        ensure_output_parent, read_secret_from_reader, validate_secret, write_output_file,
+        emit_output, ensure_output_parent, is_symlink_path, print_agent_output,
+        read_secret_from_reader, resolve_agent_auth_token, resolve_output_target,
+        temporary_output_path, validate_secret, write_output_file,
     };
+    use crate::{AgentCommandOutput, OutputFormat, OutputTarget};
     use std::fs;
-    use std::io::Cursor;
+    use std::io::{Cursor, Read};
     use std::path::PathBuf;
     use std::time::{SystemTime, UNIX_EPOCH};
 
+    struct FailingReader;
+
+    impl Read for FailingReader {
+        fn read(&mut self, _buf: &mut [u8]) -> std::io::Result<usize> {
+            Err(std::io::Error::other("boom"))
+        }
+    }
+
     fn temp_path(prefix: &str) -> PathBuf {
         std::env::temp_dir().join(format!(
             "{prefix}-{}-{}",
@@ -105,6 +116,25 @@ mod tests {
         assert!(err.to_string().contains("must not exceed"));
     }
 
+    #[test]
+    fn read_secret_from_reader_trims_newlines_and_rejects_blank_values() {
+        let trimmed = read_secret_from_reader(Cursor::new("agent-token\r\n"), "agent auth token")
+            .expect("trimmed token");
+        assert_eq!(trimmed, "agent-token");
+
+        let err = read_secret_from_reader(Cursor::new(" \n"), "agent auth token")
+            .expect_err("must fail");
+        assert!(err.to_string().contains("must not be empty or whitespace"));
+    }
+
+    #[test]
+    fn read_secret_from_reader_propagates_io_errors() {
+        let err = read_secret_from_reader(FailingReader, "agent auth token").expect_err("must fail");
+        assert!(err
+            .to_string()
+            .contains("failed to read agent auth token from stdin"));
+    }
+
     #[test]
     fn validate_secret_rejects_oversized_non_stdin_secret() {
         let err = validate_secret("a".repeat((16 * 1024) + 1), "argument or environment")
@@ -112,6 +142,22 @@ mod tests {
         assert!(err.to_string().contains("must not exceed"));
     }
 
+    #[test]
+    fn validate_secret_rejects_whitespace_only() {
+        let err = validate_secret(" \t ".to_string(), "environment").expect_err("must fail");
+        assert!(err.to_string().contains("must not be empty or whitespace"));
+    }
+
+    #[test]
+    fn resolve_agent_auth_token_covers_env_and_non_interactive_paths() {
+        let token = resolve_agent_auth_token(None, Some("secret".to_string()), false, false)
+            .expect("environment token");
+        assert_eq!(token, "secret");
+
+        let err = resolve_agent_auth_token(None, None, false, true).expect_err("must fail");
+        assert!(err.to_string().contains("agent auth token is required in non-interactive mode"));
+    }
+
     #[test]
     #[cfg(unix)]
     fn ensure_output_parent_rejects_symlinked_parent_directory() {
@@ -199,6 +245,36 @@ mod tests {
         fs::remove_dir_all(&root).expect("cleanup temp tree");
     }
 
+    #[test]
+    fn ensure_output_parent_rejects_directory_output_path() {
+        let root = temp_path("vault-cli-agent-output-directory");
+        fs::create_dir_all(&root).expect("create root directory");
+
+        let err = ensure_output_parent(&root).expect_err("must reject directory path");
+        assert!(err.to_string().contains("is a directory; provide a file path"));
+
+        fs::remove_dir_all(&root).expect("cleanup temp tree");
+    }
+
+    #[test]
+    #[cfg(unix)]
+    fn ensure_output_parent_rejects_symlinked_output_path() {
+        use std::os::unix::fs::symlink;
+
+        let root = temp_path("vault-cli-agent-output-path-symlink");
+        fs::create_dir_all(&root).expect("create root directory");
+        let target = root.join("target.json");
+        let link = root.join("link.json");
+        fs::write(&target, "seed\n").expect("seed target");
+        symlink(&target, &link).expect("symlink output path");
+
+        let err = ensure_output_parent(&link).expect_err("must reject symlink path");
+        assert!(err.to_string().contains("must not be a symlink"));
+        assert!(is_symlink_path(&link).expect("symlink metadata"));
+
+        fs::remove_dir_all(&root).expect("cleanup temp tree");
+    }
+
     #[test]
     #[cfg(unix)]
     fn write_output_file_overwrite_replaces_existing_hard_link_instead_of_mutating_shared_inode() {
@@ -229,6 +305,91 @@ mod tests {
 
         fs::remove_dir_all(&root).expect("cleanup temp tree");
     }
+
+    #[test]
+    fn resolve_output_target_preserves_file_paths() {
+        let path = temp_path("vault-cli-agent-output-target");
+        let target = resolve_output_target(Some(path.clone()), true).expect("target");
+        match target {
+            OutputTarget::File { path: actual, overwrite } => {
+                assert_eq!(actual, path);
+                assert!(overwrite);
+            }
+            OutputTarget::Stdout => panic!("expected file target"),
+        }
+    }
+
+    #[test]
+    fn emit_output_and_print_agent_output_write_expected_content() {
+        let output_path = temp_path("vault-cli-agent-emit-output");
+        let agent_output_path = temp_path("vault-cli-agent-render-output");
+
+        emit_output(
+            "hello",
+            &OutputTarget::File {
+                path: output_path.clone(),
+                overwrite: false,
+            },
+        )
+        .expect("emit file output");
+        assert_eq!(fs::read_to_string(&output_path).expect("read output"), "hello\n");
+
+        let output = AgentCommandOutput {
+            command: "broadcast".to_string(),
+            network: "1".to_string(),
+            asset: "native_eth".to_string(),
+            counterparty: "0x2000000000000000000000000000000000000000".to_string(),
+            amount_wei: "7".to_string(),
+            estimated_max_gas_spend_wei: Some("21000".to_string()),
+            tx_type: Some("0x02".to_string()),
+            delegation_enabled: Some(false),
+            signature_hex: "0xdead".to_string(),
+            r_hex: Some("0x01".to_string()),
+            s_hex: Some("0x02".to_string()),
+            v: Some(1),
+            raw_tx_hex: Some("0xbeef".to_string()),
+            tx_hash_hex: Some("0xcafe".to_string()),
+        };
+
+        print_agent_output(
+            &output,
+            OutputFormat::Text,
+            &OutputTarget::File {
+                path: agent_output_path.clone(),
+                overwrite: false,
+            },
+        )
+        .expect("text render");
+        let rendered = fs::read_to_string(&agent_output_path).expect("read rendered");
+        assert!(rendered.contains("Command: broadcast"));
+        assert!(rendered.contains("Estimated Max Gas Spend (wei): 21000"));
+        assert!(rendered.contains("Delegation Enabled: false"));
+        assert!(rendered.contains("Tx Hash: 0xcafe"));
+
+        print_agent_output(
+            &output,
+            OutputFormat::Json,
+            &OutputTarget::File {
+                path: agent_output_path.clone(),
+                overwrite: true,
+            },
+        )
+        .expect("json render");
+        let rendered = fs::read_to_string(&agent_output_path).expect("read rendered");
+        assert!(rendered.contains("\"command\": \"broadcast\""));
+        assert!(rendered.contains("\"tx_hash_hex\": \"0xcafe\""));
+
+        fs::remove_file(&output_path).expect("cleanup output");
+        fs::remove_file(&agent_output_path).expect("cleanup rendered");
+    }
+
+    #[test]
+    fn temporary_output_path_stays_in_parent_directory() {
+        let output = temp_path("vault-cli-agent-temp-output");
+        let temp = temporary_output_path(&output);
+        assert_eq!(temp.parent(), output.parent());
+        assert!(temp.file_name().expect("file name").to_string_lossy().contains(".tmp-"));
+    }
 }
 
 pub(crate) fn resolve_output_format(