feat(agglayer): RBAC-based access control for bridge roles#3130
Draft
Fumuran wants to merge 2 commits into
Replace the bridge's hard-coded admin / GER-injector / GER-remover account-ID storage slots with the miden-standards access-control stack (Ownable2Step + RoleBasedAccessControl + Authority). The role-gated procedures (register_faucet, store_faucet_metadata_hash, update_ger, remove_ger) now call authority::assert_authorized, which checks the note sender holds the FAUCET_ADMIN / GER_INJECTOR / GER_REMOVER role mapped to that procedure. A governance owner can grant/revoke roles and transfer ownership via Ownable2Step.

- miden-standards: add RoleAssignment + RoleBasedAccessControl::with_roles to seed initial role members at construction; AccessControl::Rbac gains a `members` field.
- bridge MASM: drop the three ID slots / bespoke assert_sender_is_* procs; gate the four privileged procedures via authority::assert_authorized.
- bridge Rust: add BridgeRoleMember, role-symbol + procedure-root accessors, and the fixed procedure->role map; create_bridge_account now takes an owner and a Vec<BridgeRoleMember> instead of three bare account IDs.
- build.rs: include the RBAC stack when computing BRIDGE_CODE_COMMITMENT.
- update SPEC.md, agglayer integration tests, and bench setups.

On-chain role-management notes (grant/revoke role, transfer ownership) are a planned follow-up, so role rotation is not yet exercisable on-chain.

Refs #2706.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Summary

Refactor phase of #2706. Replaces the AggLayer bridge's hard-coded admin / GER-injector / GER-remover account-ID storage slots with the miden-standards access-control stack (`Ownable2Step` + `RoleBasedAccessControl` + `Authority`). Per the discussion on the issue, this uses RBAC rather than `Ownable2Step` alone, with a separate governance owner over three subordinate operational roles. Each role-gated bridge procedure now calls `authority::assert_authorized`, which checks the note sender holds the role mapped to that procedure.

Roles

- Governance owner (`Ownable2Step`): top-level authority; grants/revokes roles, two-step transferable.
- `FAUCET_ADMIN` → `register_faucet`, `store_faucet_metadata_hash`
- `GER_INJECTOR` → `update_ger`
- `GER_REMOVER` → `remove_ger`

Changes

- miden-standards: add `RoleAssignment` + `RoleBasedAccessControl::with_roles(...)` to seed initial role members at construction; `AccessControl::Rbac` gains a `members` field (yields a seeded RBAC instead of `empty()`).
- bridge MASM: drop the three ID slots / bespoke `assert_sender_is_*` procs; gate the four privileged procedures via `authority::assert_authorized`.
- bridge Rust: `AggLayerBridge` is now stateless; add `BridgeRoleMember`, role-symbol + procedure-root accessors, and the fixed procedure→role map. `create_bridge_account` now takes `(seed, owner, Vec<BridgeRoleMember>)`.
- build.rs: include the RBAC stack when computing `BRIDGE_CODE_COMMITMENT`.
- Update `SPEC.md`, agglayer integration tests, and bench setups. Add a `with_roles`-equals-runtime-`grant_role` equivalence test and a procedure→role map pinning test.

Out of scope (follow-up)

On-chain role-management notes (`grant_role` / `revoke_role` / `transfer_ownership` / `accept_ownership`) plus their allowlist entries and Rust builders. Roles are seeded and enforced, but rotation is not yet exercisable on-chain — hence this is the refactor phase (Refs #2706, not Closes).

Testing

- `cargo +nightly fmt --all --check` and `cargo clippy` (affected crates, `--all-targets`): clean.

🤖 Generated with Claude Code
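As an added illustration of the access-control scheme this PR describes, and not code from miden-standards or the bridge itself: a small Rust model of the fixed procedure→role map, owner-only role grants, the Ownable2Step-style two-step ownership transfer, and the sender check each gated procedure performs. The type and function names (`BridgeAccess`, `role_for_procedure`) and the use of plain `u64` account IDs are assumptions made for this example.

```rust
use std::collections::{HashMap, HashSet};
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub enum Role { FaucetAdmin, GerInjector, GerRemover }

/// Fixed procedure -> role map; unlisted procedures are denied for every sender, owner included.
pub fn role_for_procedure(proc_name: &str) -> Option<Role> {
    match proc_name {
        "register_faucet" | "store_faucet_metadata_hash" => Some(Role::FaucetAdmin),
        "update_ger" => Some(Role::GerInjector),
        "remove_ger" => Some(Role::GerRemover),
        _ => None,
    }
}
/// Illustrative model (not the project's type): governance owner plus role members,
/// with ownership changing in two steps (Ownable2Step style).
pub struct BridgeAccess { owner: u64, pending_owner: Option<u64>, members: HashMap<Role, HashSet<u64>> }
impl BridgeAccess {
    /// Seed initial role members at construction (the `with_roles` idea); the owner holds no role.
    pub fn with_roles(owner: u64, seeded: &[(Role, u64)]) -> Self {
        let mut members: HashMap<Role, HashSet<u64>> = HashMap::new();
        for &(role, id) in seeded { members.entry(role).or_default().insert(id); }
        Self { owner, pending_owner: None, members }
    }
    /// Only the owner manages role membership (revoke would mirror this).
    pub fn grant_role(&mut self, caller: u64, role: Role, id: u64) -> Result<(), &'static str> {
        if caller != self.owner { return Err("caller is not the owner"); }
        self.members.entry(role).or_default().insert(id);
        Ok(())
    }
    /// Step 1: owner nominates. A mistyped nominee can never accept, so ownership is not lost.
    pub fn transfer_ownership(&mut self, caller: u64, new_owner: u64) -> Result<(), &'static str> {
        if caller != self.owner { return Err("caller is not the owner"); }
        self.pending_owner = Some(new_owner);
        Ok(())
    }
    /// Step 2: only the nominee can complete the transfer; the old owner stays in control until then.
    pub fn accept_ownership(&mut self, caller: u64) -> Result<(), &'static str> {
        if self.pending_owner != Some(caller) { return Err("caller is not the pending owner"); }
        self.owner = caller;
        self.pending_owner = None;
        Ok(())
    }
    /// The check each role-gated procedure runs against the note sender.
    pub fn assert_authorized(&self, sender: u64, proc_name: &str) -> Result<(), &'static str> {
        let role = role_for_procedure(proc_name).ok_or("procedure is not role-gated")?;
        match self.members.get(&role) {
            Some(set) if set.contains(&sender) => Ok(()),
            _ => Err("sender does not hold the required role"),
        }
    }
}
```

Note that the owner is deliberately not a superset of the operational roles: governance can rotate who holds `GER_INJECTOR`, but cannot itself inject a GER without first granting the role.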