fix(daemon): #22 v3 — codex P2s on rebased PR — validate + normalize --parent

Two new P2s from codex review of the rebased PR #22:

**P2 — Unknown `--parent` wallets accepted without backend validation**
The v1 `looks_like_raw_wallet` fast path returned `0x` + 40-hex input as a
literal wallet with no existence check. Any syntactically valid address,
even one that doesn't correspond to any account, was accepted — the
daemon then opened a pair request with a `parent_wallet` that no session
could ever match, so the flow hung until timeout instead of failing
immediately. Route raw wallets through `/identity/resolve` with
`identity_type="wallet"`; the backend's post-PR-#21 wallet arm validates
existence via the `accounts` table and 404s unknown values.

**P2 — Mixed-case `--parent` wallets fail approval**
EIP-55 checksummed addresses travel verbatim through the old fast path,
but the mock backend stores wallets in lowercase. `parent_wallet`
equality check at approval time compared the mixed-case input to the
stored lowercase value, so valid checksummed addresses timed out.
Normalize raw wallets to lowercase (`to_ascii_lowercase`) before
sending to `/identity/resolve`; the backend's response comes back in
canonical lowercase, so the stored `parent_wallet` matches what
subsequent approve calls compare against.

The old `looks_like_raw_wallet` helper is kept — it now just selects
between `identity_type="wallet"` (with lowercase normalization) and
`identity_type="alias"` (verbatim). Aliases with reserved characters
still percent-encode via reqwest's `.query()` builder.

Test: cargo test -p agentkeys-daemon --test pair_tests -- --test-threads=1
pair_tests: 15 passed.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: hanwencheng

crates/agentkeys-daemon/src/main.rs

@@ -244,9 +244,18 @@ fn looks_like_raw_wallet(s: &str) -> bool {
 }
 
 /// Resolve `--parent` to a wallet address if set, returning `Ok(None)` when
-/// the flag is absent. Uses reqwest's `.query()` builder so aliases with
-/// reserved characters (`+`, `&`, `%`, spaces) are percent-encoded per
-/// RFC 3986 (codex PR #22 P2 — URL encoding).
+/// the flag is absent.
+///
+/// Uses reqwest's `.query()` builder so aliases with reserved characters
+/// (`+`, `&`, `%`, spaces) are percent-encoded per RFC 3986 (codex PR #22
+/// v1 P2 — URL encoding).
+///
+/// All inputs — raw wallets included — go through `/identity/resolve` so
+/// the backend can validate existence before the daemon opens a pair
+/// request. Raw `0x...` wallets are normalized to lowercase first, which
+/// matches the canonical form the backend stores; mixed-case checksummed
+/// addresses therefore resolve cleanly instead of timing out at approval
+/// (codex PR #22 v2 P2 — unknown wallet accepted + case mismatch).
 async fn resolve_parent_if_set(
     backend_url: &str,
     parent: Option<&str>,
@@ -255,33 +264,37 @@ async fn resolve_parent_if_set(
         return Ok(None);
     };
 
-    // Fast path: strict 0x + 40 hex digits = literal wallet. Skip the HTTP
-    // round-trip to avoid latency on the common case.
-    if looks_like_raw_wallet(raw) {
-        return Ok(Some(WalletAddress(raw.to_string())));
-    }
+    // Pick identity_type based on shape. Raw wallets get lowercased to
+    // match the backend's canonical storage form.
+    let (identity_type, identity_value) = if looks_like_raw_wallet(raw) {
+        ("wallet", raw.to_ascii_lowercase())
+    } else {
+        ("alias", raw.to_string())
+    };
 
-    // Alias / ENS-style / `0x-office`-style value → resolve via backend.
     let http = reqwest::Client::new();
     let resp = http
         .get(format!("{backend_url}/identity/resolve"))
-        .query(&[("identity_type", "alias"), ("identity_value", raw)])
+        .query(&[
+            ("identity_type", identity_type),
+            ("identity_value", identity_value.as_str()),
+        ])
         .send()
         .await
-        .context("resolve parent alias: HTTP request failed")?;
+        .context("resolve --parent: HTTP request failed")?;
     if !resp.status().is_success() {
         anyhow::bail!(
-            "could not resolve --parent '{raw}': status={}",
+            "could not resolve --parent '{raw}' (identity_type={identity_type}): status={}",
             resp.status()
         );
     }
     let body: serde_json::Value = resp
         .json()
         .await
-        .context("resolve parent alias: JSON parse failed")?;
+        .context("resolve --parent: JSON parse failed")?;
     let wallet_str = body["wallet_address"]
         .as_str()
-        .ok_or_else(|| anyhow::anyhow!("resolve parent alias: missing wallet_address in response"))?
+        .ok_or_else(|| anyhow::anyhow!("resolve --parent: missing wallet_address in response"))?
         .to_string();
     Ok(Some(WalletAddress(wallet_str)))
 }