@wlfi-agent/cli 1.4.17 → 1.4.19

package/crates/vault-cli-agent/src/main.rs

@@ -14,6 +14,12 @@ mod io_utils;
 
 use io_utils::*;
 
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+enum CommandRunOutcome {
+    Completed,
+    ManualApprovalRequired,
+}
+
 #[derive(Debug, Parser)]
 #[command(name = "wlfi-agent-agent")]
 #[command(about = "Agent CLI for sending signing requests through daemon policy checks")]
@@ -224,7 +230,35 @@ async fn main() -> Result<()> {
 
     let sdk = AgentSdk::new_with_key_id_and_token(daemon, cli.agent_key_id, agent_auth_token);
 
-    match cli.command {
+    match run_command(
+        cli.command,
+        cli.quiet,
+        &daemon_socket,
+        output_format,
+        &output_target,
+        &sdk,
+    )
+    .await?
+    {
+        CommandRunOutcome::Completed => {}
+        CommandRunOutcome::ManualApprovalRequired => std::process::exit(2),
+    }
+
+    Ok(())
+}
+
+async fn run_command<A>(
+    command: Commands,
+    quiet: bool,
+    daemon_socket: &Path,
+    output_format: OutputFormat,
+    output_target: &OutputTarget,
+    sdk: &A,
+) -> Result<CommandRunOutcome>
+where
+    A: AgentOperations + ?Sized,
+{
+    match command {
         Commands::Transfer {
             network,
             token,
@@ -233,18 +267,18 @@ async fn main() -> Result<()> {
         } => {
             let token_str = token.to_string();
             let to_str = to.to_string();
-            print_status("submitting transfer request", output_format, cli.quiet);
+            print_status("submitting transfer request", output_format, quiet);
             let signature = match await_signature_or_handle_manual_approval(
                 "transfer",
-                &daemon_socket,
+                daemon_socket,
                 output_format,
-                &output_target,
+                output_target,
                 sdk.transfer(network, token, to, amount_wei),
             )
             .await?
             {
                 Some(signature) => signature,
-                None => std::process::exit(2),
+                None => return Ok(CommandRunOutcome::ManualApprovalRequired),
             };
             let output = AgentCommandOutput {
                 command: "transfer".to_string(),
@@ -262,8 +296,8 @@ async fn main() -> Result<()> {
                 raw_tx_hex: None,
                 tx_hash_hex: None,
             };
-            print_status("transfer request signed", output_format, cli.quiet);
-            print_agent_output(&output, output_format, &output_target)?;
+            print_status("transfer request signed", output_format, quiet);
+            print_agent_output(&output, output_format, output_target)?;
         }
         Commands::TransferNative {
             network,
@@ -274,19 +308,19 @@ async fn main() -> Result<()> {
             print_status(
                 "submitting native transfer request",
                 output_format,
-                cli.quiet,
+                quiet,
             );
             let signature = match await_signature_or_handle_manual_approval(
                 "transfer-native",
-                &daemon_socket,
+                daemon_socket,
                 output_format,
-                &output_target,
+                output_target,
                 sdk.transfer_native(network, to, amount_wei),
             )
             .await?
             {
                 Some(signature) => signature,
-                None => std::process::exit(2),
+                None => return Ok(CommandRunOutcome::ManualApprovalRequired),
             };
             let output = AgentCommandOutput {
                 command: "transfer-native".to_string(),
@@ -304,8 +338,8 @@ async fn main() -> Result<()> {
                 raw_tx_hex: None,
                 tx_hash_hex: None,
             };
-            print_status("native transfer request signed", output_format, cli.quiet);
-            print_agent_output(&output, output_format, &output_target)?;
+            print_status("native transfer request signed", output_format, quiet);
+            print_agent_output(&output, output_format, output_target)?;
         }
         Commands::Approve {
             network,
@@ -315,18 +349,18 @@ async fn main() -> Result<()> {
         } => {
             let token_str = token.to_string();
             let spender_str = spender.to_string();
-            print_status("submitting approve request", output_format, cli.quiet);
+            print_status("submitting approve request", output_format, quiet);
             let signature = match await_signature_or_handle_manual_approval(
                 "approve",
-                &daemon_socket,
+                daemon_socket,
                 output_format,
-                &output_target,
+                output_target,
                 sdk.approve(network, token, spender, amount_wei),
             )
             .await?
             {
                 Some(signature) => signature,
-                None => std::process::exit(2),
+                None => return Ok(CommandRunOutcome::ManualApprovalRequired),
             };
             let output = AgentCommandOutput {
                 command: "approve".to_string(),
@@ -344,8 +378,8 @@ async fn main() -> Result<()> {
                 raw_tx_hex: None,
                 tx_hash_hex: None,
             };
-            print_status("approve request signed", output_format, cli.quiet);
-            print_agent_output(&output, output_format, &output_target)?;
+            print_status("approve request signed", output_format, quiet);
+            print_agent_output(&output, output_format, output_target)?;
         }
         Commands::Broadcast {
             network,
@@ -379,18 +413,18 @@ async fn main() -> Result<()> {
             let asset = action.asset();
             let counterparty = action.recipient();
 
-            print_status("submitting broadcast request", output_format, cli.quiet);
+            print_status("submitting broadcast request", output_format, quiet);
             let signature = match await_signature_or_handle_manual_approval(
                 "broadcast",
-                &daemon_socket,
+                daemon_socket,
                 output_format,
-                &output_target,
+                output_target,
                 sdk.broadcast_tx(tx),
             )
             .await?
             {
                 Some(signature) => signature,
-                None => std::process::exit(2),
+                None => return Ok(CommandRunOutcome::ManualApprovalRequired),
             };
             let output = AgentCommandOutput {
                 command: "broadcast".to_string(),
@@ -408,12 +442,12 @@ async fn main() -> Result<()> {
                 raw_tx_hex: signature.raw_tx_hex,
                 tx_hash_hex: signature.tx_hash_hex,
             };
-            print_status("broadcast request signed", output_format, cli.quiet);
-            print_agent_output(&output, output_format, &output_target)?;
+            print_status("broadcast request signed", output_format, quiet);
+            print_agent_output(&output, output_format, output_target)?;
         }
     }
 
-    Ok(())
+    Ok(CommandRunOutcome::Completed)
 }
 
 async fn await_signature_or_handle_manual_approval(
@@ -436,9 +470,9 @@ async fn await_signature_or_handle_manual_approval(
                 relay_url,
                 frontend_url,
                 cli_approval_command: format!(
-                    "wlfi-agent admin approve-manual-approval-request --approval-request-id {} --daemon-socket {}",
-                    approval_request_id,
-                    daemon_socket.display()
+                    "wlfi-agent admin --daemon-socket {} approve-manual-approval-request --approval-request-id {}",
+                    daemon_socket.display(),
+                    approval_request_id
                 ),
             };
             print_manual_approval_required_output(&output, format, target)?;
@@ -555,16 +589,223 @@ fn parse_non_negative_u64(input: &str) -> Result<u64, String> {
 #[cfg(test)]
 mod tests {
     use super::{
-        ensure_output_parent, resolve_agent_auth_token, resolve_output_format,
-        resolve_output_target, should_print_status, write_output_file, Cli, Commands, OutputFormat,
-        OutputTarget,
+        await_signature_or_handle_manual_approval, ensure_output_parent,
+        print_manual_approval_required_output, resolve_agent_auth_token, resolve_output_format,
+        resolve_output_target, run_command, should_print_status, write_output_file, Cli,
+        CommandRunOutcome, Commands, ManualApprovalRequiredOutput, OutputFormat, OutputTarget,
     };
+    use async_trait::async_trait;
     use clap::Parser;
+    use std::path::{Path, PathBuf};
+    use std::sync::Mutex;
     use std::fs;
     use std::time::{SystemTime, UNIX_EPOCH};
+    use tokio::runtime::Builder;
+    use uuid::Uuid;
+    use vault_daemon::DaemonError;
+    use vault_domain::{BroadcastTx, EvmAddress, Signature};
+    use vault_sdk_agent::{AgentOperations, AgentSdkError};
 
     const TEST_AGENT_KEY_ID: &str = "11111111-1111-1111-1111-111111111111";
 
+    #[derive(Debug, Clone, PartialEq, Eq)]
+    enum FakeCall {
+        Transfer {
+            chain_id: u64,
+            token: EvmAddress,
+            to: EvmAddress,
+            amount_wei: u128,
+        },
+        TransferNative {
+            chain_id: u64,
+            to: EvmAddress,
+            amount_wei: u128,
+        },
+        Approve {
+            chain_id: u64,
+            token: EvmAddress,
+            spender: EvmAddress,
+            amount_wei: u128,
+        },
+        Broadcast(BroadcastTx),
+    }
+
+    #[derive(Clone)]
+    enum FakeOutcome {
+        Signature(Signature),
+        ManualApprovalRequired {
+            approval_request_id: Uuid,
+            relay_url: Option<String>,
+            frontend_url: Option<String>,
+        },
+        Serialization(String),
+    }
+
+    struct FakeAgentOps {
+        calls: Mutex<Vec<FakeCall>>,
+        outcome: FakeOutcome,
+    }
+
+    impl FakeAgentOps {
+        fn result(&self) -> Result<Signature, AgentSdkError> {
+            match &self.outcome {
+                FakeOutcome::Signature(signature) => Ok(signature.clone()),
+                FakeOutcome::ManualApprovalRequired {
+                    approval_request_id,
+                    relay_url,
+                    frontend_url,
+                } => Err(AgentSdkError::Daemon(DaemonError::ManualApprovalRequired {
+                    approval_request_id: *approval_request_id,
+                    relay_url: relay_url.clone(),
+                    frontend_url: frontend_url.clone(),
+                })),
+                FakeOutcome::Serialization(err) => {
+                    Err(AgentSdkError::Serialization(err.clone()))
+                }
+            }
+        }
+    }
+
+    #[async_trait]
+    impl AgentOperations for FakeAgentOps {
+        async fn approve(
+            &self,
+            chain_id: u64,
+            token: EvmAddress,
+            spender: EvmAddress,
+            amount_wei: u128,
+        ) -> Result<Signature, AgentSdkError> {
+            self.calls.lock().expect("lock").push(FakeCall::Approve {
+                chain_id,
+                token,
+                spender,
+                amount_wei,
+            });
+            self.result()
+        }
+
+        async fn transfer(
+            &self,
+            chain_id: u64,
+            token: EvmAddress,
+            to: EvmAddress,
+            amount_wei: u128,
+        ) -> Result<Signature, AgentSdkError> {
+            self.calls.lock().expect("lock").push(FakeCall::Transfer {
+                chain_id,
+                token,
+                to,
+                amount_wei,
+            });
+            self.result()
+        }
+
+        async fn transfer_native(
+            &self,
+            chain_id: u64,
+            to: EvmAddress,
+            amount_wei: u128,
+        ) -> Result<Signature, AgentSdkError> {
+            self.calls
+                .lock()
+                .expect("lock")
+                .push(FakeCall::TransferNative {
+                    chain_id,
+                    to,
+                    amount_wei,
+                });
+            self.result()
+        }
+
+        async fn permit2_permit(
+            &self,
+            _permit: vault_domain::Permit2Permit,
+        ) -> Result<Signature, AgentSdkError> {
+            panic!("unused in test");
+        }
+
+        async fn eip3009_transfer_with_authorization(
+            &self,
+            _authorization: vault_domain::Eip3009Transfer,
+        ) -> Result<Signature, AgentSdkError> {
+            panic!("unused in test");
+        }
+
+        async fn eip3009_receive_with_authorization(
+            &self,
+            _authorization: vault_domain::Eip3009Transfer,
+        ) -> Result<Signature, AgentSdkError> {
+            panic!("unused in test");
+        }
+
+        async fn sign_erc20_calldata(
+            &self,
+            _chain_id: u64,
+            _token: EvmAddress,
+            _calldata: Vec<u8>,
+        ) -> Result<Signature, AgentSdkError> {
+            panic!("unused in test");
+        }
+
+        async fn broadcast_tx(&self, tx: BroadcastTx) -> Result<Signature, AgentSdkError> {
+            self.calls.lock().expect("lock").push(FakeCall::Broadcast(tx));
+            self.result()
+        }
+
+        async fn reserve_broadcast_nonce(
+            &self,
+            _chain_id: u64,
+            _min_nonce: u64,
+        ) -> Result<vault_domain::NonceReservation, AgentSdkError> {
+            panic!("unused in test");
+        }
+
+        async fn release_broadcast_nonce(
+            &self,
+            _reservation_id: Uuid,
+        ) -> Result<(), AgentSdkError> {
+            panic!("unused in test");
+        }
+    }
+
+    fn test_runtime() -> tokio::runtime::Runtime {
+        Builder::new_current_thread()
+            .enable_all()
+            .build()
+            .expect("runtime")
+    }
+
+    fn sample_signature() -> Signature {
+        Signature {
+            bytes: vec![0xaa, 0xbb, 0xcc],
+            r_hex: Some("0x01".to_string()),
+            s_hex: Some("0x02".to_string()),
+            v: Some(1),
+            raw_tx_hex: Some("0x1234".to_string()),
+            tx_hash_hex: Some("0xabcd".to_string()),
+        }
+    }
+
+    fn temp_path(prefix: &str, ext: &str) -> PathBuf {
+        std::env::temp_dir().join(format!(
+            "{prefix}-{}-{}.{}",
+            std::process::id(),
+            SystemTime::now()
+                .duration_since(UNIX_EPOCH)
+                .expect("time")
+                .as_nanos(),
+            ext
+        ))
+    }
+
+    fn socket_path() -> PathBuf {
+        temp_path("wlfi-agent-cli-socket", "sock")
+    }
+
+    fn read_file(path: &Path) -> String {
+        fs::read_to_string(path).expect("read output")
+    }
+
     #[test]
     fn resolve_output_format_defaults_to_text() {
         let format = resolve_output_format(None, false).expect("format");
@@ -830,4 +1071,379 @@ mod tests {
         assert!(rendered.contains("--agent-auth-token"));
         assert!(rendered.contains("--agent-auth-token-stdin"));
     }
+
+    #[test]
+    fn manual_approval_output_renders_text_and_json() {
+        let text_path = temp_path("manual-approval-output", "txt");
+        let json_path = temp_path("manual-approval-output", "json");
+        let output = ManualApprovalRequiredOutput {
+            command: "transfer".to_string(),
+            approval_request_id: Uuid::nil().to_string(),
+            relay_url: Some("https://relay.example".to_string()),
+            frontend_url: Some("https://frontend.example/approvals/1".to_string()),
+            cli_approval_command: "wlfi-agent admin approve".to_string(),
+        };
+
+        print_manual_approval_required_output(
+            &output,
+            OutputFormat::Text,
+            &OutputTarget::File {
+                path: text_path.clone(),
+                overwrite: false,
+            },
+        )
+        .expect("text output");
+        let text = read_file(&text_path);
+        assert!(text.contains("Command: transfer"));
+        assert!(text.contains("Approval Request ID: 00000000-0000-0000-0000-000000000000"));
+        assert!(text.contains("Frontend Approval URL: https://frontend.example/approvals/1"));
+        assert!(text.contains("Relay URL: https://relay.example"));
+
+        print_manual_approval_required_output(
+            &output,
+            OutputFormat::Json,
+            &OutputTarget::File {
+                path: json_path.clone(),
+                overwrite: false,
+            },
+        )
+        .expect("json output");
+        let json = read_file(&json_path);
+        assert!(json.contains("\"command\": \"transfer\""));
+        assert!(json.contains("\"relay_url\": \"https://relay.example\""));
+
+        fs::remove_file(&text_path).expect("cleanup text");
+        fs::remove_file(&json_path).expect("cleanup json");
+    }
+
+    #[test]
+    fn await_signature_handles_success_manual_approval_and_error_paths() {
+        let runtime = test_runtime();
+        let output_path = temp_path("manual-approval-await", "json");
+        let output_target = OutputTarget::File {
+            path: output_path.clone(),
+            overwrite: false,
+        };
+        let daemon_socket = socket_path();
+
+        let signature = runtime
+            .block_on(await_signature_or_handle_manual_approval(
+                "transfer",
+                &daemon_socket,
+                OutputFormat::Json,
+                &output_target,
+                std::future::ready(Ok(sample_signature())),
+            ))
+            .expect("success path");
+        assert_eq!(signature, Some(sample_signature()));
+        assert!(!output_path.exists());
+
+        let manual = runtime
+            .block_on(await_signature_or_handle_manual_approval(
+                "approve",
+                &daemon_socket,
+                OutputFormat::Json,
+                &output_target,
+                std::future::ready(Err(AgentSdkError::Daemon(
+                    DaemonError::ManualApprovalRequired {
+                        approval_request_id: Uuid::nil(),
+                        relay_url: Some("https://relay.example".to_string()),
+                        frontend_url: None,
+                    },
+                ))),
+            ))
+            .expect("manual approval path");
+        assert_eq!(manual, None);
+        let rendered = read_file(&output_path);
+        assert!(rendered.contains("\"approval_request_id\": \"00000000-0000-0000-0000-000000000000\""));
+        assert!(rendered.contains(&format!(
+            "wlfi-agent admin --daemon-socket {} approve-manual-approval-request --approval-request-id 00000000-0000-0000-0000-000000000000",
+            daemon_socket.display()
+        )));
+
+        let err = runtime
+            .block_on(await_signature_or_handle_manual_approval(
+                "approve",
+                &daemon_socket,
+                OutputFormat::Json,
+                &output_target,
+                std::future::ready(Err(AgentSdkError::Daemon(DaemonError::Transport(
+                    "boom".to_string(),
+                )))),
+            ))
+            .expect_err("transport error must bubble");
+        assert!(err.to_string().contains("daemon call failed"));
+
+        fs::remove_file(&output_path).expect("cleanup");
+    }
+
+    #[test]
+    fn run_command_covers_success_and_manual_approval_flows() {
+        let runtime = test_runtime();
+        let daemon_socket = socket_path();
+        let token: EvmAddress = "0x1000000000000000000000000000000000000000"
+            .parse()
+            .expect("token");
+        let to: EvmAddress = "0x2000000000000000000000000000000000000000"
+            .parse()
+            .expect("recipient");
+        let spender: EvmAddress = "0x3000000000000000000000000000000000000000"
+            .parse()
+            .expect("spender");
+
+        let transfer_output = temp_path("transfer-output", "json");
+        let transfer_ops = FakeAgentOps {
+            calls: Mutex::new(Vec::new()),
+            outcome: FakeOutcome::Signature(sample_signature()),
+        };
+        let outcome = runtime
+            .block_on(run_command(
+                Commands::Transfer {
+                    network: 1,
+                    token: token.clone(),
+                    to: to.clone(),
+                    amount_wei: 7,
+                },
+                true,
+                &daemon_socket,
+                OutputFormat::Json,
+                &OutputTarget::File {
+                    path: transfer_output.clone(),
+                    overwrite: false,
+                },
+                &transfer_ops,
+            ))
+            .expect("transfer run");
+        assert_eq!(outcome, CommandRunOutcome::Completed);
+        assert_eq!(
+            transfer_ops.calls.lock().expect("lock").as_slice(),
+            &[FakeCall::Transfer {
+                chain_id: 1,
+                token: token.clone(),
+                to: to.clone(),
+                amount_wei: 7,
+            }]
+        );
+        let transfer_json = read_file(&transfer_output);
+        assert!(transfer_json.contains("\"command\": \"transfer\""));
+        assert!(transfer_json.contains("\"asset\": \"erc20:0x1000000000000000000000000000000000000000\""));
+        fs::remove_file(&transfer_output).expect("cleanup transfer");
+
+        let native_output = temp_path("native-output", "json");
+        let native_ops = FakeAgentOps {
+            calls: Mutex::new(Vec::new()),
+            outcome: FakeOutcome::Signature(sample_signature()),
+        };
+        let outcome = runtime
+            .block_on(run_command(
+                Commands::TransferNative {
+                    network: 10,
+                    to: to.clone(),
+                    amount_wei: 9,
+                },
+                true,
+                &daemon_socket,
+                OutputFormat::Json,
+                &OutputTarget::File {
+                    path: native_output.clone(),
+                    overwrite: false,
+                },
+                &native_ops,
+            ))
+            .expect("native run");
+        assert_eq!(outcome, CommandRunOutcome::Completed);
+        assert_eq!(
+            native_ops.calls.lock().expect("lock").as_slice(),
+            &[FakeCall::TransferNative {
+                chain_id: 10,
+                to: to.clone(),
+                amount_wei: 9,
+            }]
+        );
+        let native_json = read_file(&native_output);
+        assert!(native_json.contains("\"command\": \"transfer-native\""));
+        assert!(native_json.contains("\"asset\": \"native_eth\""));
+        fs::remove_file(&native_output).expect("cleanup native");
+
+        let approve_output = temp_path("approve-output", "json");
+        let approve_ops = FakeAgentOps {
+            calls: Mutex::new(Vec::new()),
+            outcome: FakeOutcome::Signature(sample_signature()),
+        };
+        let outcome = runtime
+            .block_on(run_command(
+                Commands::Approve {
+                    network: 137,
+                    token: token.clone(),
+                    spender: spender.clone(),
+                    amount_wei: 11,
+                },
+                true,
+                &daemon_socket,
+                OutputFormat::Json,
+                &OutputTarget::File {
+                    path: approve_output.clone(),
+                    overwrite: false,
+                },
+                &approve_ops,
+            ))
+            .expect("approve run");
+        assert_eq!(outcome, CommandRunOutcome::Completed);
+        assert_eq!(
+            approve_ops.calls.lock().expect("lock").as_slice(),
+            &[FakeCall::Approve {
+                chain_id: 137,
+                token: token.clone(),
+                spender: spender.clone(),
+                amount_wei: 11,
+            }]
+        );
+        let approve_json = read_file(&approve_output);
+        assert!(approve_json.contains("\"command\": \"approve\""));
+        assert!(approve_json.contains("\"counterparty\": \"0x3000000000000000000000000000000000000000\""));
+        fs::remove_file(&approve_output).expect("cleanup approve");
+
+        let broadcast_output = temp_path("broadcast-output", "json");
+        let broadcast_ops = FakeAgentOps {
+            calls: Mutex::new(Vec::new()),
+            outcome: FakeOutcome::Signature(sample_signature()),
+        };
+        let broadcast_command = Commands::Broadcast {
+            network: 8453,
+            nonce: 2,
+            to: to.clone(),
+            value_wei: 13,
+            data_hex: "0xdeadbeef".to_string(),
+            gas_limit: 21000,
+            max_fee_per_gas_wei: 100,
+            max_priority_fee_per_gas_wei: 3,
+            tx_type: 0x02,
+            delegation_enabled: false,
+        };
+        let outcome = runtime
+            .block_on(run_command(
+                broadcast_command,
+                true,
+                &daemon_socket,
+                OutputFormat::Json,
+                &OutputTarget::File {
+                    path: broadcast_output.clone(),
+                    overwrite: false,
+                },
+                &broadcast_ops,
+            ))
+            .expect("broadcast run");
+        assert_eq!(outcome, CommandRunOutcome::Completed);
+        assert_eq!(
+            broadcast_ops.calls.lock().expect("lock").len(),
+            1
+        );
+        let broadcast_json = read_file(&broadcast_output);
+        assert!(broadcast_json.contains("\"command\": \"broadcast\""));
+        assert!(broadcast_json.contains("\"estimated_max_gas_spend_wei\":"));
+        assert!(broadcast_json.contains("\"delegation_enabled\": false"));
+        fs::remove_file(&broadcast_output).expect("cleanup broadcast");
+
+        let manual_output = temp_path("manual-output", "json");
+        let manual_ops = FakeAgentOps {
+            calls: Mutex::new(Vec::new()),
+            outcome: FakeOutcome::ManualApprovalRequired {
+                approval_request_id: Uuid::nil(),
+                relay_url: Some("https://relay.example".to_string()),
+                frontend_url: Some("https://frontend.example/approval".to_string()),
+            },
+        };
+        let outcome = runtime
+            .block_on(run_command(
+                Commands::Transfer {
+                    network: 1,
+                    token: token.clone(),
+                    to: to.clone(),
+                    amount_wei: 1,
+                },
+                true,
+                &daemon_socket,
+                OutputFormat::Json,
+                &OutputTarget::File {
+                    path: manual_output.clone(),
+                    overwrite: false,
+                },
+                &manual_ops,
+            ))
+            .expect("manual approval run");
+        assert_eq!(outcome, CommandRunOutcome::ManualApprovalRequired);
+        let manual_json = read_file(&manual_output);
+        assert!(manual_json.contains("\"relay_url\": \"https://relay.example\""));
+        fs::remove_file(&manual_output).expect("cleanup manual");
+    }
+
+    #[test]
+    fn run_command_bubbles_sdk_errors() {
+        let runtime = test_runtime();
+        let output_path = temp_path("agent-run-error", "json");
+        let ops = FakeAgentOps {
+            calls: Mutex::new(Vec::new()),
+            outcome: FakeOutcome::Serialization("bad payload".to_string()),
+        };
+
+        let err = runtime
+            .block_on(run_command(
+                Commands::TransferNative {
+                    network: 1,
+                    to: "0x2000000000000000000000000000000000000000"
+                        .parse()
+                        .expect("to"),
+                    amount_wei: 3,
+                },
+                true,
+                Path::new("/tmp/wlfi.sock"),
+                OutputFormat::Json,
+                &OutputTarget::File {
+                    path: output_path,
+                    overwrite: false,
+                },
+                &ops,
+            ))
+            .expect_err("sdk error must bubble");
+        assert!(err.to_string().contains("failed to serialize action payload"));
+    }
+
+    #[test]
+    fn run_command_rejects_invalid_broadcast_payloads_before_sdk_call() {
+        let runtime = test_runtime();
+        let output_path = temp_path("agent-run-invalid-broadcast", "json");
+        let ops = FakeAgentOps {
+            calls: Mutex::new(Vec::new()),
+            outcome: FakeOutcome::Signature(sample_signature()),
+        };
+
+        let err = runtime
+            .block_on(run_command(
+                Commands::Broadcast {
+                    network: 1,
+                    nonce: 0,
+                    to: "0x2000000000000000000000000000000000000000"
+                        .parse()
+                        .expect("to"),
+                    value_wei: 0,
+                    data_hex: "0x".to_string(),
+                    gas_limit: 21_000,
+                    max_fee_per_gas_wei: 1,
+                    max_priority_fee_per_gas_wei: 0,
+                    tx_type: 0x02,
+                    delegation_enabled: true,
+                },
+                true,
+                Path::new("/tmp/wlfi.sock"),
+                OutputFormat::Json,
+                &OutputTarget::File {
+                    path: output_path,
+                    overwrite: false,
+                },
+                &ops,
+            ))
+            .expect_err("invalid broadcast must fail before sdk call");
+        assert!(err.to_string().contains("invalid broadcast transaction payload"));
+        assert!(ops.calls.lock().expect("lock").is_empty());
+    }
 }