@bloxchain/contracts 1.0.0-alpha

package/abi/SimpleVaultDefinitions.abi.json

@@ -0,0 +1,250 @@
+[
+  {
+    "inputs": [],
+    "name": "APPROVE_WITHDRAWAL_DELAYED_SELECTOR",
+    "outputs": [
+      {
+        "internalType": "bytes4",
+        "name": "",
+        "type": "bytes4"
+      }
+    ],
+    "stateMutability": "view",
+    "type": "function"
+  },
+  {
+    "inputs": [],
+    "name": "APPROVE_WITHDRAWAL_META_SELECTOR",
+    "outputs": [
+      {
+        "internalType": "bytes4",
+        "name": "",
+        "type": "bytes4"
+      }
+    ],
+    "stateMutability": "view",
+    "type": "function"
+  },
+  {
+    "inputs": [],
+    "name": "CANCEL_WITHDRAWAL_SELECTOR",
+    "outputs": [
+      {
+        "internalType": "bytes4",
+        "name": "",
+        "type": "bytes4"
+      }
+    ],
+    "stateMutability": "view",
+    "type": "function"
+  },
+  {
+    "inputs": [],
+    "name": "GENERIC_APPROVAL",
+    "outputs": [
+      {
+        "internalType": "bytes32",
+        "name": "",
+        "type": "bytes32"
+      }
+    ],
+    "stateMutability": "view",
+    "type": "function"
+  },
+  {
+    "inputs": [],
+    "name": "GENERIC_CANCELLATION",
+    "outputs": [
+      {
+        "internalType": "bytes32",
+        "name": "",
+        "type": "bytes32"
+      }
+    ],
+    "stateMutability": "view",
+    "type": "function"
+  },
+  {
+    "inputs": [],
+    "name": "GENERIC_META_APPROVAL",
+    "outputs": [
+      {
+        "internalType": "bytes32",
+        "name": "",
+        "type": "bytes32"
+      }
+    ],
+    "stateMutability": "view",
+    "type": "function"
+  },
+  {
+    "inputs": [],
+    "name": "WITHDRAW_ETH",
+    "outputs": [
+      {
+        "internalType": "bytes32",
+        "name": "",
+        "type": "bytes32"
+      }
+    ],
+    "stateMutability": "view",
+    "type": "function"
+  },
+  {
+    "inputs": [],
+    "name": "WITHDRAW_ETH_REQUEST_SELECTOR",
+    "outputs": [
+      {
+        "internalType": "bytes4",
+        "name": "",
+        "type": "bytes4"
+      }
+    ],
+    "stateMutability": "view",
+    "type": "function"
+  },
+  {
+    "inputs": [],
+    "name": "WITHDRAW_ETH_SELECTOR",
+    "outputs": [
+      {
+        "internalType": "bytes4",
+        "name": "",
+        "type": "bytes4"
+      }
+    ],
+    "stateMutability": "view",
+    "type": "function"
+  },
+  {
+    "inputs": [],
+    "name": "WITHDRAW_TOKEN",
+    "outputs": [
+      {
+        "internalType": "bytes32",
+        "name": "",
+        "type": "bytes32"
+      }
+    ],
+    "stateMutability": "view",
+    "type": "function"
+  },
+  {
+    "inputs": [],
+    "name": "WITHDRAW_TOKEN_REQUEST_SELECTOR",
+    "outputs": [
+      {
+        "internalType": "bytes4",
+        "name": "",
+        "type": "bytes4"
+      }
+    ],
+    "stateMutability": "view",
+    "type": "function"
+  },
+  {
+    "inputs": [],
+    "name": "WITHDRAW_TOKEN_SELECTOR",
+    "outputs": [
+      {
+        "internalType": "bytes4",
+        "name": "",
+        "type": "bytes4"
+      }
+    ],
+    "stateMutability": "view",
+    "type": "function"
+  },
+  {
+    "inputs": [],
+    "name": "getFunctionSchemas",
+    "outputs": [
+      {
+        "components": [
+          {
+            "internalType": "string",
+            "name": "functionSignature",
+            "type": "string"
+          },
+          {
+            "internalType": "bytes4",
+            "name": "functionSelector",
+            "type": "bytes4"
+          },
+          {
+            "internalType": "bytes32",
+            "name": "operationType",
+            "type": "bytes32"
+          },
+          {
+            "internalType": "string",
+            "name": "operationName",
+            "type": "string"
+          },
+          {
+            "internalType": "uint16",
+            "name": "supportedActionsBitmap",
+            "type": "uint16"
+          },
+          {
+            "internalType": "bool",
+            "name": "isProtected",
+            "type": "bool"
+          },
+          {
+            "internalType": "bytes4[]",
+            "name": "handlerForSelectors",
+            "type": "bytes4[]"
+          }
+        ],
+        "internalType": "struct EngineBlox.FunctionSchema[]",
+        "name": "",
+        "type": "tuple[]"
+      }
+    ],
+    "stateMutability": "pure",
+    "type": "function"
+  },
+  {
+    "inputs": [],
+    "name": "getRolePermissions",
+    "outputs": [
+      {
+        "components": [
+          {
+            "internalType": "bytes32[]",
+            "name": "roleHashes",
+            "type": "bytes32[]"
+          },
+          {
+            "components": [
+              {
+                "internalType": "bytes4",
+                "name": "functionSelector",
+                "type": "bytes4"
+              },
+              {
+                "internalType": "uint16",
+                "name": "grantedActionsBitmap",
+                "type": "uint16"
+              },
+              {
+                "internalType": "bytes4[]",
+                "name": "handlerForSelectors",
+                "type": "bytes4[]"
+              }
+            ],
+            "internalType": "struct EngineBlox.FunctionPermission[]",
+            "name": "functionPermissions",
+            "type": "tuple[]"
+          }
+        ],
+        "internalType": "struct IDefinition.RolePermission",
+        "name": "",
+        "type": "tuple"
+      }
+    ],
+    "stateMutability": "pure",
+    "type": "function"
+  }
+]

package/contracts/core/access/RuntimeRBAC.sol

@@ -0,0 +1,344 @@
+// SPDX-License-Identifier: MPL-2.0
+pragma solidity 0.8.33;
+
+// Contract imports
+import "../base/BaseStateMachine.sol";
+import "../lib/EngineBlox.sol";
+import "../../utils/SharedValidation.sol";
+import "./lib/definitions/RuntimeRBACDefinitions.sol";
+import "../../interfaces/IDefinition.sol";
+import "./interface/IRuntimeRBAC.sol";
+
+/**
+ * @title RuntimeRBAC
+ * @dev Minimal Runtime Role-Based Access Control system based on EngineBlox
+ * 
+ * This contract provides essential runtime RBAC functionality:
+ * - Creation of non-protected roles
+ * - Basic wallet assignment to roles
+ * - Function permission management per role
+ * - Integration with EngineBlox for secure operations
+ * 
+ * Key Features:
+ * - Only non-protected roles can be created dynamically
+ * - Protected roles (OWNER, BROADCASTER, RECOVERY) are managed by SecureOwnable
+ * - Minimal interface for core RBAC operations
+ * - Essential role management functions only
+ */
+abstract contract RuntimeRBAC is BaseStateMachine {
+    using EngineBlox for EngineBlox.SecureOperationState;
+    using SharedValidation for *;
+    
+    /**
+     * @dev Action types for batched RBAC configuration
+     */
+    enum RoleConfigActionType {
+        CREATE_ROLE,
+        REMOVE_ROLE,
+        ADD_WALLET,
+        REVOKE_WALLET,
+        ADD_FUNCTION_TO_ROLE,
+        REMOVE_FUNCTION_FROM_ROLE
+    }
+
+    /**
+     * @dev Encodes a single RBAC configuration action in a batch
+     */
+    struct RoleConfigAction {
+        RoleConfigActionType actionType;
+        bytes data;
+    }
+    
+    /**
+     * @dev Unified event for all RBAC configuration changes applied via batches
+     *
+     * - actionType: the high-level type of configuration action
+     * - roleHash: affected role hash (if applicable, otherwise 0)
+     * - functionSelector: affected function selector (if applicable, otherwise 0)
+     * - data: optional action-specific payload (kept minimal for size; decoded off-chain if needed)
+     */
+    event RoleConfigApplied(
+        RoleConfigActionType indexed actionType,
+        bytes32 indexed roleHash,
+        bytes4 indexed functionSelector,
+        bytes data
+    );
+
+    /**
+     * @notice Initializer to initialize RuntimeRBAC
+     * @param initialOwner The initial owner address
+     * @param broadcaster The broadcaster address
+     * @param recovery The recovery address
+     * @param timeLockPeriodSec The timelock period in seconds
+     * @param eventForwarder The event forwarder address 
+     */
+    function initialize(
+        address initialOwner,
+        address broadcaster,
+        address recovery,
+        uint256 timeLockPeriodSec,
+        address eventForwarder
+    ) public virtual onlyInitializing {
+        // Initialize base state machine (only if not already initialized)
+        if (!_secureState.initialized) {
+            _initializeBaseStateMachine(initialOwner, broadcaster, recovery, timeLockPeriodSec, eventForwarder);
+        }
+        
+        // Load RuntimeRBAC-specific definitions
+        IDefinition.RolePermission memory permissions = RuntimeRBACDefinitions.getRolePermissions();
+        _loadDefinitions(
+            RuntimeRBACDefinitions.getFunctionSchemas(),
+            permissions.roleHashes,
+            permissions.functionPermissions
+        );
+    }
+
+    // ============ INTERFACE SUPPORT ============
+
+    /**
+     * @dev See {IERC165-supportsInterface}.
+     * @notice Adds IRuntimeRBAC interface ID for component detection
+     */
+    function supportsInterface(bytes4 interfaceId) public view virtual override returns (bool) {
+        return interfaceId == type(IRuntimeRBAC).interfaceId || super.supportsInterface(interfaceId);
+    }
+
+    // ============ ROLE CONFIGURATION BATCH INTERFACE ============
+
+    /**
+     * @dev Creates execution params for a RBAC configuration batch
+     * @param actions Encoded role configuration actions
+     * @return The execution params for EngineBlox
+     */
+    function roleConfigBatchExecutionParams(
+        RoleConfigAction[] memory actions
+    ) public pure returns (bytes memory) {
+        return abi.encode(actions);
+    }
+
+    /**
+     * @dev Requests and approves a RBAC configuration batch using a meta-transaction
+     * @param metaTx The meta-transaction
+     * @return The transaction record
+     * @notice OWNER signs, BROADCASTER executes according to RuntimeRBACDefinitions
+     */
+    function roleConfigBatchRequestAndApprove(
+        EngineBlox.MetaTransaction memory metaTx
+    ) public returns (EngineBlox.TxRecord memory) {
+        _validateBroadcaster(msg.sender);
+        return _requestAndApproveTransaction(metaTx);
+    }
+
+    /**
+     * @dev External function that can only be called by the contract itself to execute a RBAC configuration batch
+     * @param actions Encoded role configuration actions
+     */
+    function executeRoleConfigBatch(RoleConfigAction[] calldata actions) external {
+        SharedValidation.validateInternalCall(address(this));
+        _executeRoleConfigBatch(actions);
+    }
+
+    // Essential Query Functions Only
+
+    /**
+     * @dev Gets function schema information
+     * @param functionSelector The function selector to get information for
+     * @return functionSignature The function signature or name
+     * @return functionSelectorReturn The function selector
+     * @return operationType The operation type
+     * @return operationName The operation name
+     * @return supportedActions The supported actions
+     * @return isProtected Whether the function schema is protected
+     */
+    function getFunctionSchema(bytes4 functionSelector) external view returns (
+        string memory functionSignature,
+        bytes4 functionSelectorReturn,
+        bytes32 operationType,
+        string memory operationName,
+        EngineBlox.TxAction[] memory supportedActions,
+        bool isProtected
+    ) {
+        EngineBlox.FunctionSchema storage schema = _getSecureState().functions[functionSelector];
+        if (schema.functionSelector != functionSelector) {
+            revert SharedValidation.ResourceNotFound(bytes32(functionSelector));
+        }
+        
+        // Convert bitmap to array
+        supportedActions = _convertBitmapToActions(schema.supportedActionsBitmap);
+        
+        return (
+            schema.functionSignature,
+            schema.functionSelector,
+            schema.operationType,
+            schema.operationName,
+            supportedActions,
+            schema.isProtected
+        );
+    }
+
+    /**
+     * @dev Gets all authorized wallets for a role
+     * @param roleHash The role hash to get wallets for
+     * @return Array of authorized wallet addresses
+     * @notice Requires caller to have any role (via _validateAnyRole) to limit information visibility
+     */
+    function getWalletsInRole(bytes32 roleHash) public view returns (address[] memory) {
+        _validateAnyRole();
+        _validateRoleExists(roleHash);
+        
+        // Get role info to determine wallet count
+        EngineBlox.Role storage role = _getSecureState().getRole(roleHash);
+        uint256 walletCount = role.walletCount;
+        
+        // Build array by iterating through wallets using _getAuthorizedWalletAt
+        address[] memory wallets = new address[](walletCount);
+        for (uint256 i = 0; i < walletCount; i++) {
+            wallets[i] = _getAuthorizedWalletAt(roleHash, i);
+        }
+        
+        return wallets;
+    }
+
+    // ============ HELPER FUNCTIONS ============
+
+    /**
+     * @dev Internal helper to execute a RBAC configuration batch
+     * @param actions Encoded role configuration actions
+     */
+    function _executeRoleConfigBatch(RoleConfigAction[] calldata actions) internal {
+        // Validate batch size limit
+        SharedValidation.validateBatchSize(
+            actions.length,
+            EngineBlox.MAX_BATCH_SIZE
+        );
+        
+        for (uint256 i = 0; i < actions.length; i++) {
+            RoleConfigAction calldata action = actions[i];
+
+            if (action.actionType == RoleConfigActionType.CREATE_ROLE) {
+                // Decode CREATE_ROLE action data
+                // Format: (string roleName, uint256 maxWallets, FunctionPermission[] functionPermissions)
+                // FunctionPermission is struct(bytes4 functionSelector, uint16 grantedActionsBitmap, bytes4 handlerForSelector)
+                // When encoding from JavaScript, it's encoded as tuple(bytes4,uint16,bytes4)[]
+                // Solidity can decode tuple[] directly into struct[] if the layout matches
+                (
+                    string memory roleName,
+                    uint256 maxWallets,
+                    EngineBlox.FunctionPermission[] memory functionPermissions
+                ) = abi.decode(action.data, (string, uint256, EngineBlox.FunctionPermission[]));
+
+                bytes32 roleHash = _createNewRole(roleName, maxWallets, functionPermissions);
+
+                emit RoleConfigApplied(
+                    RoleConfigActionType.CREATE_ROLE,
+                    roleHash,
+                    bytes4(0),
+                    "" // optional: abi.encode(roleName, maxWallets)
+                );
+            } else if (action.actionType == RoleConfigActionType.REMOVE_ROLE) {
+                (bytes32 roleHash) = abi.decode(action.data, (bytes32));
+                _removeRole(roleHash);
+
+                emit RoleConfigApplied(
+                    RoleConfigActionType.REMOVE_ROLE,
+                    roleHash,
+                    bytes4(0),
+                    ""
+                );
+            } else if (action.actionType == RoleConfigActionType.ADD_WALLET) {
+                (bytes32 roleHash, address wallet) = abi.decode(action.data, (bytes32, address));
+                
+                // Security check: Prevent editing protected roles
+                if (_getSecureState().roles[roleHash].isProtected) {
+                    revert SharedValidation.CannotModifyProtected(roleHash);
+                }
+                
+                _assignWallet(roleHash, wallet);
+
+                emit RoleConfigApplied(
+                    RoleConfigActionType.ADD_WALLET,
+                    roleHash,
+                    bytes4(0),
+                    "" // optional: abi.encode(wallet)
+                );
+            } else if (action.actionType == RoleConfigActionType.REVOKE_WALLET) {
+                (bytes32 roleHash, address wallet) = abi.decode(action.data, (bytes32, address));
+                
+                // Security check: Prevent editing protected roles
+                if (_getSecureState().roles[roleHash].isProtected) {
+                    revert SharedValidation.CannotModifyProtected(roleHash);
+                }
+                
+                _revokeWallet(roleHash, wallet);
+
+                emit RoleConfigApplied(
+                    RoleConfigActionType.REVOKE_WALLET,
+                    roleHash,
+                    bytes4(0),
+                    "" // optional: abi.encode(wallet)
+                );
+            } else if (action.actionType == RoleConfigActionType.ADD_FUNCTION_TO_ROLE) {
+                (
+                    bytes32 roleHash,
+                    EngineBlox.FunctionPermission memory functionPermission
+                ) = abi.decode(action.data, (bytes32, EngineBlox.FunctionPermission));
+
+                _addFunctionToRole(roleHash, functionPermission);
+
+                emit RoleConfigApplied(
+                    RoleConfigActionType.ADD_FUNCTION_TO_ROLE,
+                    roleHash,
+                    functionPermission.functionSelector,
+                    ""
+                );
+            } else if (action.actionType == RoleConfigActionType.REMOVE_FUNCTION_FROM_ROLE) {
+                (bytes32 roleHash, bytes4 functionSelector) = abi.decode(action.data, (bytes32, bytes4));
+                _removeFunctionFromRole(roleHash, functionSelector);
+
+                emit RoleConfigApplied(
+                    RoleConfigActionType.REMOVE_FUNCTION_FROM_ROLE,
+                    roleHash,
+                    functionSelector,
+                    ""
+                );
+            } else {
+                revert SharedValidation.NotSupported();
+            }
+        }
+    }
+
+    // ============ INTERNAL ROLE / FUNCTION HELPERS ============
+
+    function _createNewRole(
+        string memory roleName,
+        uint256 maxWallets,
+        EngineBlox.FunctionPermission[] memory functionPermissions
+    ) internal returns (bytes32 roleHash) {
+        SharedValidation.validateRoleNameNotEmpty(roleName);
+        SharedValidation.validateMaxWalletsGreaterThanZero(maxWallets);
+
+        roleHash = keccak256(bytes(roleName));
+
+        // Create the role in the secure state with isProtected = false
+        _createRole(roleName, maxWallets, false);
+
+        // Add all function permissions to the role
+        // NOTE: Function schemas must be registered BEFORE adding permissions to roles
+        // This is the same pattern used in _loadDefinitions: schemas first, then permissions
+        // The function selectors in functionPermissions must exist in supportedFunctionsSet
+        // (they should be registered during initialize() via RuntimeRBACDefinitions)
+        // 
+        // CRITICAL: The order matters - _loadDefinitions loads schemas FIRST, then permissions
+        // In _createNewRole, we assume schemas are already registered (from initialize)
+        // If schemas aren't registered, addFunctionToRole will revert with ResourceNotFound
+        for (uint256 i = 0; i < functionPermissions.length; i++) {
+            // Add function permission to role
+            // addFunctionToRole will check:
+            // 1. Role exists in supportedRolesSet (✅ just created)
+            // 2. Function selector exists in supportedFunctionsSet (must be registered during initialize)
+            // 3. Actions are supported by function schema (via _validateMetaTxPermissions)
+            _addFunctionToRole(roleHash, functionPermissions[i]);
+        }
+    }
+
+}

package/contracts/core/access/interface/IRuntimeRBAC.sol

@@ -0,0 +1,108 @@
+// SPDX-License-Identifier: MPL-2.0
+pragma solidity 0.8.33;
+
+import "../../lib/EngineBlox.sol";
+
+/**
+ * @title IRuntimeRBAC
+ * @dev Interface for Runtime Role-Based Access Control system
+ * 
+ * This interface defines the functions for managing runtime roles through batch operations.
+ * All role management operations are performed via the batch interface for atomic execution.
+ * 
+ * Key Features:
+ * - Batch-based role configuration (atomic operations)
+ * - Runtime function schema registration
+ * - Integration with EngineBlox for secure operations
+ * - Query functions for role and permission inspection
+ * 
+ * Note: This contract inherits from BaseStateMachine which provides additional query functions
+ * such as getRole(), hasRole(), getActiveRolePermissions(), getSupportedRoles(), etc.
+ */
+interface IRuntimeRBAC {
+    /**
+     * @dev Action types for batched RBAC configuration
+     */
+    enum RoleConfigActionType {
+        CREATE_ROLE,
+        REMOVE_ROLE,
+        ADD_WALLET,
+        REVOKE_WALLET,
+        REGISTER_FUNCTION,
+        UNREGISTER_FUNCTION,
+        ADD_FUNCTION_TO_ROLE,
+        REMOVE_FUNCTION_FROM_ROLE,
+        LOAD_DEFINITIONS
+    }
+
+    /**
+     * @dev Encodes a single RBAC configuration action in a batch
+     */
+    struct RoleConfigAction {
+        RoleConfigActionType actionType;
+        bytes data;
+    }
+
+    /**
+     * @dev Unified event for all RBAC configuration changes applied via batches
+     * @param actionType The type of configuration action
+     * @param roleHash Affected role hash (if applicable, otherwise 0)
+     * @param functionSelector Affected function selector (if applicable, otherwise 0)
+     * @param data Optional action-specific payload
+     */
+    event RoleConfigApplied(
+        RoleConfigActionType indexed actionType,
+        bytes32 indexed roleHash,
+        bytes4 indexed functionSelector,
+        bytes data
+    );
+
+    // ============ ROLE CONFIGURATION BATCH INTERFACE ============
+
+    /**
+     * @dev Creates execution params for a RBAC configuration batch
+     * @param actions Encoded role configuration actions
+     * @return The execution params for EngineBlox
+     */
+    function roleConfigBatchExecutionParams(
+        RoleConfigAction[] memory actions
+    ) external pure returns (bytes memory);
+
+    /**
+     * @dev Requests and approves a RBAC configuration batch using a meta-transaction
+     * @param metaTx The meta-transaction
+     * @return The transaction record
+     */
+    function roleConfigBatchRequestAndApprove(
+        EngineBlox.MetaTransaction memory metaTx
+    ) external returns (EngineBlox.TxRecord memory);
+
+    // ============ QUERY FUNCTIONS ============
+
+    /**
+     * @dev Gets function schema information
+     * @param functionSelector The function selector to get information for
+     * @return functionSignature The function signature or name
+     * @return functionSelectorReturn The function selector
+     * @return operationType The operation type
+     * @return operationName The operation name
+     * @return supportedActions The supported actions
+     * @return isProtected Whether the function schema is protected
+     */
+    function getFunctionSchema(bytes4 functionSelector) external view returns (
+        string memory functionSignature,
+        bytes4 functionSelectorReturn,
+        bytes32 operationType,
+        string memory operationName,
+        EngineBlox.TxAction[] memory supportedActions,
+        bool isProtected
+    );
+
+    /**
+     * @dev Gets all authorized wallets for a role
+     * @param roleHash The role hash to get wallets for
+     * @return Array of authorized wallet addresses
+     * @notice Requires caller to have any role (via _validateAnyRole) for privacy protection
+     */
+    function getWalletsInRole(bytes32 roleHash) external view returns (address[] memory);
+}