@inco/lightning 0.8.0-devnet-4 → 0.8.0-devnet-5

package/src/lightning-parts/primitives/test/SignatureVerifier.t.sol

@@ -357,7 +357,6 @@ contract TestSignatureVerifier is TestUtils, SignatureVerifier {
         // Create 3 signatures: Alice, Bob (both valid), and Dave (invalid)
         // After sorting, Dave's signature will be placed according to his address
         // As long as the first 2 signatures checked are from valid signers, it should pass
-        bytes[] memory signatures = new bytes[](3);
         bytes memory aliceSig = getSignatureForDigest(digest, alicePrivKey);
         bytes memory bobSig = getSignatureForDigest(digest, bobPrivKey);
         bytes memory daveSig = getSignatureForDigest(digest, davePrivKey);
@@ -413,7 +412,6 @@ contract TestSignatureVerifier is TestUtils, SignatureVerifier {
         bytes32 digest = keccak256("test message");
 
         // Create signatures where an invalid signer (Dave) will be in the first threshold
-        bytes[] memory signatures = new bytes[](3);
         bytes memory aliceSig = getSignatureForDigest(digest, alicePrivKey);
         bytes memory bobSig = getSignatureForDigest(digest, bobPrivKey);
         bytes memory daveSig = getSignatureForDigest(digest, davePrivKey);

package/src/periphery/IncoUtils.sol

@@ -4,6 +4,7 @@ pragma solidity ^0.8;
 import {StorageSlot} from "@openzeppelin/contracts/utils/StorageSlot.sol";
 
 // Re-export FEE constant for convenience - consumers can import both IncoUtils and FEE from this file
+// forge-lint: disable-next-line(unused-import)
 import {FEE} from "../lightning-parts/Fee.sol";
 
 contract IncoUtils {

package/src/periphery/SessionVerifier.sol

@@ -12,18 +12,33 @@ import {
 import {Version} from "../version/Version.sol";
 import {ALLOWANCE_GRANTED_MAGIC_VALUE} from "../Types.sol";
 
-/// @notice a Session grants a temporary access to a decrypter to all data held by the sharer
-/// @dev abi encode this struct in the sharerArgData field of the voucher
+/// @notice A Session grants temporary access to a decrypter for all data held by the sharer
+/// @dev ABI encode this struct in the sharerArgData field of the voucher.
+///      The session is valid only if:
+///      1. The current block timestamp is before expiresAt
+///      2. The requesting account matches the authorized decrypter
 struct Session {
+    /// @notice The address authorized to decrypt the sharer's data
     address decrypter;
+    /// @notice Unix timestamp after which the session is no longer valid
     uint256 expiresAt;
 }
 
-/// @notice Inco access sharing verifier mainly meant for browser dapp sessions, grants access to all data held by
-/// the sharer to one decrypter for a limited time.
-/// @dev define the selector of canUseSession in the voucher to use this verifier
+/// @title SessionVerifier
+/// @notice Inco access sharing verifier for browser dApp sessions
+/// @dev Grants access to all encrypted data held by the sharer to one decrypter for a limited time.
+///      This is the recommended pattern for dApps that need to decrypt user data during a browsing session.
+///
+///      Usage:
+///      1. User signs a voucher containing a Session struct with their chosen decrypter and expiration
+///      2. The voucher specifies canUseSession.selector as the callFunction
+///      3. When the decrypter requests access, this contract verifies the session is still valid
+///
+///      To use this verifier, set the voucher's callFunction to SessionVerifier.canUseSession.selector
 contract SessionVerifier is UUPSUpgradeable, OwnableUpgradeable, Version {
 
+    /// @notice Initializes the SessionVerifier with version information
+    /// @param salt Unique salt used for deterministic deployment via CreateX
     constructor(bytes32 salt)
         Version(
             SESSION_VERIFIER_MAJOR_VERSION,
@@ -34,7 +49,13 @@ contract SessionVerifier is UUPSUpgradeable, OwnableUpgradeable, Version {
         )
     {}
 
-    // todo add text mention of what is being signed
+    /// @notice Verifies if an account can use a session to access encrypted data
+    /// @dev This function is called by the ACL system when validating access permissions.
+    ///      The session grants blanket access to all handles owned by the sharer - the handle
+    ///      parameter is intentionally ignored.
+    /// @param account The address requesting access (must match session.decrypter)
+    /// @param sharerArgData ABI-encoded Session struct containing decrypter address and expiration
+    /// @return ALLOWANCE_GRANTED_MAGIC_VALUE if session is valid, bytes32(0) otherwise
     function canUseSession(
         bytes32, /* handle */
         address account,
@@ -54,14 +75,21 @@ contract SessionVerifier is UUPSUpgradeable, OwnableUpgradeable, Version {
         return bytes32(0);
     }
 
+    /// @notice Authorizes contract upgrades (restricted to owner only)
+    /// @dev Required by UUPSUpgradeable. Only the contract owner can upgrade.
     function _authorizeUpgrade(address) internal view override {
         require(msg.sender == owner());
     }
 
+    /// @notice Initializes the contract with an owner address
+    /// @dev Must be called immediately after deployment via proxy. Can only be called once.
+    /// @param owner The address that will own this contract and can authorize upgrades
     function initialize(address owner) public initializer {
         __Ownable_init(owner);
     }
 
-    fallback() external {} // must be included for createX deploy
+    /// @notice Required for CreateX deterministic deployment
+    /// @dev Empty fallback allows the contract to be deployed via CreateX's create2 mechanism
+    fallback() external {}
 
 }

package/src/test/TestFakeInfra.t.sol

@@ -540,19 +540,554 @@ contract TestFakeInfra is IncoTest {
         assertEq(getBoolValue(inputContract.b()), true);
     }
 
-    function testUninitializedHandleIsDisallowed() public {
+    function testUninitializedHandleIsDisallowed_Add() public {
         bytes32 randomHandle = keccak256("random handle");
         euint256 a = e.asEuint256(12);
         vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
         a.add(euint256.wrap(randomHandle));
     }
 
+    function testUninitializedHandleIsDisallowed_Sub() public {
+        bytes32 randomHandle = keccak256("random handle");
+        euint256 a = e.asEuint256(12);
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        a.sub(euint256.wrap(randomHandle));
+    }
+
     function testECastAllowed() public {
         bytes32 invalidHandle = keccak256("invalid handle");
         vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, invalidHandle, address(this)));
         euint256.wrap(invalidHandle).asEbool();
     }
 
+    function testUninitializedHandleIsDisallowed_Add_Lhs() public {
+        bytes32 randomHandle = keccak256("random handle add lhs");
+        euint256 b = e.asEuint256(4);
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        euint256.wrap(randomHandle).add(b);
+    }
+
+    function testUninitializedHandleIsDisallowed_Sub_Lhs() public {
+        bytes32 randomHandle = keccak256("random handle sub lhs");
+        euint256 b = e.asEuint256(4);
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        euint256.wrap(randomHandle).sub(b);
+    }
+
+    function testUninitializedHandleIsDisallowed_Mul_Lhs() public {
+        bytes32 randomHandle = keccak256("random handle mul lhs");
+        euint256 b = e.asEuint256(4);
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        euint256.wrap(randomHandle).mul(b);
+    }
+
+    function testUninitializedHandleIsDisallowed_Mul_Rhs() public {
+        bytes32 randomHandle = keccak256("random handle mul rhs");
+        euint256 a = e.asEuint256(10);
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        a.mul(euint256.wrap(randomHandle));
+    }
+
+    function testUninitializedHandleIsDisallowed_Div_Lhs() public {
+        bytes32 randomHandle = keccak256("random handle div lhs");
+        euint256 b = e.asEuint256(4);
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        euint256.wrap(randomHandle).div(b);
+    }
+
+    function testUninitializedHandleIsDisallowed_Div_Rhs() public {
+        bytes32 randomHandle = keccak256("random handle div rhs");
+        euint256 a = e.asEuint256(10);
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        a.div(euint256.wrap(randomHandle));
+    }
+
+    function testUninitializedHandleIsDisallowed_Rem_Lhs() public {
+        bytes32 randomHandle = keccak256("random handle rem lhs");
+        euint256 b = e.asEuint256(4);
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        euint256.wrap(randomHandle).rem(b);
+    }
+
+    function testUninitializedHandleIsDisallowed_Rem_Rhs() public {
+        bytes32 randomHandle = keccak256("random handle rem rhs");
+        euint256 a = e.asEuint256(10);
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        a.rem(euint256.wrap(randomHandle));
+    }
+
+    function testUninitializedHandleIsDisallowed_And_Lhs() public {
+        bytes32 randomHandle = keccak256("random handle and lhs");
+        euint256 b = e.asEuint256(0xFF);
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        euint256.wrap(randomHandle).and(b);
+    }
+
+    function testUninitializedHandleIsDisallowed_And_Rhs() public {
+        bytes32 randomHandle = keccak256("random handle and rhs");
+        euint256 a = e.asEuint256(0xFF);
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        a.and(euint256.wrap(randomHandle));
+    }
+
+    function testUninitializedHandleIsDisallowed_Or_Lhs() public {
+        // Craft handle with valid Uint256 type byte (8) at bits 8-15
+        bytes32 randomHandle =
+            bytes32((uint256(keccak256("random handle or lhs")) & ~(uint256(0xFF) << 8)) | (uint256(8) << 8));
+        euint256 b = e.asEuint256(0xFF);
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        euint256.wrap(randomHandle).or(b);
+    }
+
+    function testUninitializedHandleIsDisallowed_Or_Rhs() public {
+        // Craft handle with valid Uint256 type byte (8) at bits 8-15
+        bytes32 randomHandle =
+            bytes32((uint256(keccak256("random handle or rhs")) & ~(uint256(0xFF) << 8)) | (uint256(8) << 8));
+        euint256 a = e.asEuint256(0xFF);
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        a.or(euint256.wrap(randomHandle));
+    }
+
+    function testUninitializedHandleIsDisallowed_Xor_Lhs() public {
+        // Craft handle with valid Uint256 type byte (8) at bits 8-15
+        bytes32 randomHandle =
+            bytes32((uint256(keccak256("random handle xor lhs")) & ~(uint256(0xFF) << 8)) | (uint256(8) << 8));
+        euint256 b = e.asEuint256(0xFF);
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        euint256.wrap(randomHandle).xor(b);
+    }
+
+    function testUninitializedHandleIsDisallowed_Xor_Rhs() public {
+        bytes32 randomHandle = keccak256("random handle xor rhs");
+        euint256 a = e.asEuint256(0xFF);
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        a.xor(euint256.wrap(randomHandle));
+    }
+
+    function testUninitializedHandleIsDisallowed_Shl_Lhs() public {
+        bytes32 randomHandle = keccak256("random handle shl lhs");
+        euint256 b = e.asEuint256(2);
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        euint256.wrap(randomHandle).shl(b);
+    }
+
+    function testUninitializedHandleIsDisallowed_Shl_Rhs() public {
+        bytes32 randomHandle = keccak256("random handle shl rhs");
+        euint256 a = e.asEuint256(10);
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        a.shl(euint256.wrap(randomHandle));
+    }
+
+    function testUninitializedHandleIsDisallowed_Shr_Lhs() public {
+        bytes32 randomHandle = keccak256("random handle shr lhs");
+        euint256 b = e.asEuint256(2);
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        euint256.wrap(randomHandle).shr(b);
+    }
+
+    function testUninitializedHandleIsDisallowed_Shr_Rhs() public {
+        bytes32 randomHandle = keccak256("random handle shr rhs");
+        euint256 a = e.asEuint256(10);
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        a.shr(euint256.wrap(randomHandle));
+    }
+
+    function testUninitializedHandleIsDisallowed_Rotl_Lhs() public {
+        bytes32 randomHandle = keccak256("random handle rotl lhs");
+        euint256 b = e.asEuint256(2);
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        euint256.wrap(randomHandle).rotl(b);
+    }
+
+    function testUninitializedHandleIsDisallowed_Rotl_Rhs() public {
+        bytes32 randomHandle = keccak256("random handle rotl rhs");
+        euint256 a = e.asEuint256(10);
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        a.rotl(euint256.wrap(randomHandle));
+    }
+
+    function testUninitializedHandleIsDisallowed_Rotr_Lhs() public {
+        bytes32 randomHandle = keccak256("random handle rotr lhs");
+        euint256 b = e.asEuint256(2);
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        euint256.wrap(randomHandle).rotr(b);
+    }
+
+    function testUninitializedHandleIsDisallowed_Rotr_Rhs() public {
+        bytes32 randomHandle = keccak256("random handle rotr rhs");
+        euint256 a = e.asEuint256(10);
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        a.rotr(euint256.wrap(randomHandle));
+    }
+
+    function testUninitializedHandleIsDisallowed_Eq_Lhs() public {
+        bytes32 randomHandle = keccak256("random handle eq lhs");
+        euint256 b = e.asEuint256(10);
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        euint256.wrap(randomHandle).eq(b);
+    }
+
+    function testUninitializedHandleIsDisallowed_Eq_Rhs() public {
+        bytes32 randomHandle = keccak256("random handle eq rhs");
+        euint256 a = e.asEuint256(10);
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        a.eq(euint256.wrap(randomHandle));
+    }
+
+    function testUninitializedHandleIsDisallowed_Ne_Lhs() public {
+        bytes32 randomHandle = keccak256("random handle ne lhs");
+        euint256 b = e.asEuint256(10);
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        euint256.wrap(randomHandle).ne(b);
+    }
+
+    function testUninitializedHandleIsDisallowed_Ne_Rhs() public {
+        bytes32 randomHandle = keccak256("random handle ne rhs");
+        euint256 a = e.asEuint256(10);
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        a.ne(euint256.wrap(randomHandle));
+    }
+
+    function testUninitializedHandleIsDisallowed_Ge_Lhs() public {
+        bytes32 randomHandle = keccak256("random handle ge lhs");
+        euint256 b = e.asEuint256(10);
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        euint256.wrap(randomHandle).ge(b);
+    }
+
+    function testUninitializedHandleIsDisallowed_Ge_Rhs() public {
+        bytes32 randomHandle = keccak256("random handle ge rhs");
+        euint256 a = e.asEuint256(10);
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        a.ge(euint256.wrap(randomHandle));
+    }
+
+    function testUninitializedHandleIsDisallowed_Gt_Lhs() public {
+        bytes32 randomHandle = keccak256("random handle gt lhs");
+        euint256 b = e.asEuint256(10);
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        euint256.wrap(randomHandle).gt(b);
+    }
+
+    function testUninitializedHandleIsDisallowed_Gt_Rhs() public {
+        bytes32 randomHandle = keccak256("random handle gt rhs");
+        euint256 a = e.asEuint256(10);
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        a.gt(euint256.wrap(randomHandle));
+    }
+
+    function testUninitializedHandleIsDisallowed_Le_Lhs() public {
+        bytes32 randomHandle = keccak256("random handle le lhs");
+        euint256 b = e.asEuint256(10);
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        euint256.wrap(randomHandle).le(b);
+    }
+
+    function testUninitializedHandleIsDisallowed_Le_Rhs() public {
+        bytes32 randomHandle = keccak256("random handle le rhs");
+        euint256 a = e.asEuint256(10);
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        a.le(euint256.wrap(randomHandle));
+    }
+
+    function testUninitializedHandleIsDisallowed_Lt_Lhs() public {
+        bytes32 randomHandle = keccak256("random handle lt lhs");
+        euint256 b = e.asEuint256(10);
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        euint256.wrap(randomHandle).lt(b);
+    }
+
+    function testUninitializedHandleIsDisallowed_Lt_Rhs() public {
+        bytes32 randomHandle = keccak256("random handle lt rhs");
+        euint256 a = e.asEuint256(10);
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        a.lt(euint256.wrap(randomHandle));
+    }
+
+    function testUninitializedHandleIsDisallowed_Min_Lhs() public {
+        bytes32 randomHandle = keccak256("random handle min lhs");
+        euint256 b = e.asEuint256(10);
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        euint256.wrap(randomHandle).min(b);
+    }
+
+    function testUninitializedHandleIsDisallowed_Min_Rhs() public {
+        bytes32 randomHandle = keccak256("random handle min rhs");
+        euint256 a = e.asEuint256(10);
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        a.min(euint256.wrap(randomHandle));
+    }
+
+    function testUninitializedHandleIsDisallowed_Max_Lhs() public {
+        bytes32 randomHandle = keccak256("random handle max lhs");
+        euint256 b = e.asEuint256(10);
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        euint256.wrap(randomHandle).max(b);
+    }
+
+    function testUninitializedHandleIsDisallowed_Max_Rhs() public {
+        bytes32 randomHandle = keccak256("random handle max rhs");
+        euint256 a = e.asEuint256(10);
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        a.max(euint256.wrap(randomHandle));
+    }
+
+    function testUninitializedHandleIsDisallowed_AsEuint256FromEbool() public {
+        bytes32 randomHandle = keccak256("random handle ebool to euint256");
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        ebool.wrap(randomHandle).asEuint256();
+    }
+
+    function testUninitializedHandleIsDisallowed_Not() public {
+        bytes32 randomHandle = keccak256("random handle not");
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        ebool.wrap(randomHandle).not();
+    }
+
+    function testUninitializedHandleIsDisallowed_EboolAnd_Lhs() public {
+        // Craft handle with valid Bool type byte (0) at bits 8-15
+        bytes32 randomHandle = bytes32(uint256(keccak256("random handle ebool and lhs")) & ~(uint256(0xFF) << 8));
+        ebool b = e.asEbool(true);
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        ebool.wrap(randomHandle).and(b);
+    }
+
+    function testUninitializedHandleIsDisallowed_EboolAnd_Rhs() public {
+        // Craft handle with valid Bool type byte (0) at bits 8-15
+        bytes32 randomHandle = bytes32(uint256(keccak256("random handle ebool and rhs")) & ~(uint256(0xFF) << 8));
+        ebool a = e.asEbool(true);
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        a.and(ebool.wrap(randomHandle));
+    }
+
+    function testUninitializedHandleIsDisallowed_EboolOr_Lhs() public {
+        // Craft handle with valid Bool type byte (0) at bits 8-15
+        bytes32 randomHandle = bytes32(uint256(keccak256("random handle ebool or lhs")) & ~(uint256(0xFF) << 8));
+        ebool b = e.asEbool(false);
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        ebool.wrap(randomHandle).or(b);
+    }
+
+    function testUninitializedHandleIsDisallowed_EboolOr_Rhs() public {
+        // Craft handle with valid Bool type byte (0) at bits 8-15
+        bytes32 randomHandle = bytes32(uint256(keccak256("random handle ebool or rhs")) & ~(uint256(0xFF) << 8));
+        ebool a = e.asEbool(false);
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        a.or(ebool.wrap(randomHandle));
+    }
+
+    function testUninitializedHandleIsDisallowed_EboolXor_Lhs() public {
+        // Craft handle with valid Bool type byte (0) at bits 8-15
+        bytes32 randomHandle = bytes32(uint256(keccak256("random handle ebool xor lhs")) & ~(uint256(0xFF) << 8));
+        ebool b = e.asEbool(true);
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        ebool.wrap(randomHandle).xor(b);
+    }
+
+    function testUninitializedHandleIsDisallowed_EboolXor_Rhs() public {
+        // Craft handle with valid Bool type byte (0) at bits 8-15
+        bytes32 randomHandle = bytes32(uint256(keccak256("random handle ebool xor rhs")) & ~(uint256(0xFF) << 8));
+        ebool a = e.asEbool(true);
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        a.xor(ebool.wrap(randomHandle));
+    }
+
+    function testUninitializedHandleIsDisallowed_EaddressEq_Lhs() public {
+        bytes32 randomHandle = keccak256("random handle eaddress eq lhs");
+        eaddress b = e.asEaddress(address(0xdeadbeef));
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        eaddress.wrap(randomHandle).eq(b);
+    }
+
+    function testUninitializedHandleIsDisallowed_EaddressEq_Rhs() public {
+        bytes32 randomHandle = keccak256("random handle eaddress eq rhs");
+        eaddress a = e.asEaddress(address(0xdeadbeef));
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        a.eq(eaddress.wrap(randomHandle));
+    }
+
+    function testUninitializedHandleIsDisallowed_EaddressNe_Lhs() public {
+        bytes32 randomHandle = keccak256("random handle eaddress ne lhs");
+        eaddress b = e.asEaddress(address(0xdeadbeef));
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        eaddress.wrap(randomHandle).ne(b);
+    }
+
+    function testUninitializedHandleIsDisallowed_EaddressNe_Rhs() public {
+        bytes32 randomHandle = keccak256("random handle eaddress ne rhs");
+        eaddress a = e.asEaddress(address(0xdeadbeef));
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        a.ne(eaddress.wrap(randomHandle));
+    }
+
+    function testUninitializedHandleIsDisallowed_SelectEuint256_Control() public {
+        bytes32 randomHandle = keccak256("random handle select euint256 control");
+        euint256 ifTrue = e.asEuint256(10);
+        euint256 ifFalse = e.asEuint256(20);
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        ebool.wrap(randomHandle).select(ifTrue, ifFalse);
+    }
+
+    function testUninitializedHandleIsDisallowed_SelectEuint256_IfTrue() public {
+        // Craft handle with valid Uint256 type byte (8) at bits 8-15
+        bytes32 randomHandle = bytes32(
+            (uint256(keccak256("random handle select euint256 iftrue")) & ~(uint256(0xFF) << 8)) | (uint256(8) << 8)
+        );
+        ebool control = e.asEbool(true);
+        euint256 ifFalse = e.asEuint256(20);
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        control.select(euint256.wrap(randomHandle), ifFalse);
+    }
+
+    function testUninitializedHandleIsDisallowed_SelectEuint256_IfFalse() public {
+        // Craft handle with valid Uint256 type byte (8) at bits 8-15
+        bytes32 randomHandle = bytes32(
+            (uint256(keccak256("random handle select euint256 iffalse")) & ~(uint256(0xFF) << 8)) | (uint256(8) << 8)
+        );
+        ebool control = e.asEbool(false);
+        euint256 ifTrue = e.asEuint256(10);
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        control.select(ifTrue, euint256.wrap(randomHandle));
+    }
+
+    function testUninitializedHandleIsDisallowed_SelectEbool_Control() public {
+        // Craft handle with valid Bool type byte (0) at bits 8-15
+        bytes32 randomHandle = bytes32(uint256(keccak256("random handle select ebool control")) & ~(uint256(0xFF) << 8));
+        ebool ifTrue = e.asEbool(true);
+        ebool ifFalse = e.asEbool(false);
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        ebool.wrap(randomHandle).select(ifTrue, ifFalse);
+    }
+
+    function testUninitializedHandleIsDisallowed_SelectEbool_IfTrue() public {
+        // Craft handle with valid Bool type byte (0) at bits 8-15
+        bytes32 randomHandle = bytes32(uint256(keccak256("random handle select ebool iftrue")) & ~(uint256(0xFF) << 8));
+        ebool control = e.asEbool(true);
+        ebool ifFalse = e.asEbool(false);
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        control.select(ebool.wrap(randomHandle), ifFalse);
+    }
+
+    function testUninitializedHandleIsDisallowed_SelectEbool_IfFalse() public {
+        // Craft handle with valid Bool type byte (0) at bits 8-15
+        bytes32 randomHandle = bytes32(uint256(keccak256("random handle select ebool iffalse")) & ~(uint256(0xFF) << 8));
+        ebool control = e.asEbool(false);
+        ebool ifTrue = e.asEbool(true);
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        control.select(ifTrue, ebool.wrap(randomHandle));
+    }
+
+    function testUninitializedHandleIsDisallowed_SelectEaddress_Control() public {
+        // Craft handle with valid Bool type byte (0) at bits 8-15 for control
+        bytes32 randomHandle =
+            bytes32(uint256(keccak256("random handle select eaddress control")) & ~(uint256(0xFF) << 8));
+        eaddress ifTrue = e.asEaddress(address(0x1));
+        eaddress ifFalse = e.asEaddress(address(0x2));
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        ebool.wrap(randomHandle).select(ifTrue, ifFalse);
+    }
+
+    function testUninitializedHandleIsDisallowed_SelectEaddress_IfTrue() public {
+        // Craft handle with valid AddressOrUint160OrBytes20 type byte (7) at bits 8-15
+        bytes32 randomHandle = bytes32(
+            (uint256(keccak256("random handle select eaddress iftrue")) & ~(uint256(0xFF) << 8)) | (uint256(7) << 8)
+        );
+        ebool control = e.asEbool(true);
+        eaddress ifFalse = e.asEaddress(address(0x2));
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        control.select(eaddress.wrap(randomHandle), ifFalse);
+    }
+
+    function testUninitializedHandleIsDisallowed_SelectEaddress_IfFalse() public {
+        // Craft handle with valid AddressOrUint160OrBytes20 type byte (7) at bits 8-15
+        bytes32 randomHandle = bytes32(
+            (uint256(keccak256("random handle select eaddress iffalse")) & ~(uint256(0xFF) << 8)) | (uint256(7) << 8)
+        );
+        ebool control = e.asEbool(false);
+        eaddress ifTrue = e.asEaddress(address(0x1));
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        control.select(ifTrue, eaddress.wrap(randomHandle));
+    }
+
+    function testUninitializedHandleIsDisallowed_AllowEuint256() public {
+        bytes32 randomHandle = keccak256("random handle allow euint256");
+        address recipient = address(0x1234);
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        euint256.wrap(randomHandle).allow(recipient);
+    }
+
+    function testUninitializedHandleIsDisallowed_AllowEbool() public {
+        bytes32 randomHandle = keccak256("random handle allow ebool");
+        address recipient = address(0x1234);
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        ebool.wrap(randomHandle).allow(recipient);
+    }
+
+    function testUninitializedHandleIsDisallowed_AllowEaddress() public {
+        bytes32 randomHandle = keccak256("random handle allow eaddress");
+        address recipient = address(0x1234);
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        eaddress.wrap(randomHandle).allow(recipient);
+    }
+
+    function testUninitializedHandleIsDisallowed_AllowThisEuint256() public {
+        bytes32 randomHandle = keccak256("random handle allowThis euint256");
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        euint256.wrap(randomHandle).allowThis();
+    }
+
+    function testUninitializedHandleIsDisallowed_AllowThisEbool() public {
+        bytes32 randomHandle = keccak256("random handle allowThis ebool");
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        ebool.wrap(randomHandle).allowThis();
+    }
+
+    function testUninitializedHandleIsDisallowed_AllowThisEaddress() public {
+        bytes32 randomHandle = keccak256("random handle allowThis eaddress");
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        eaddress.wrap(randomHandle).allowThis();
+    }
+
+    function testUninitializedHandleIsDisallowed_RevealEuint256() public {
+        bytes32 randomHandle = keccak256("random handle reveal euint256");
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        euint256.wrap(randomHandle).reveal();
+    }
+
+    function testUninitializedHandleIsDisallowed_RevealEbool() public {
+        bytes32 randomHandle = keccak256("random handle reveal ebool");
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        ebool.wrap(randomHandle).reveal();
+    }
+
+    function testUninitializedHandleIsDisallowed_RevealEaddress() public {
+        bytes32 randomHandle = keccak256("random handle reveal eaddress");
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        eaddress.wrap(randomHandle).reveal();
+    }
+
+    function testUninitializedHandleIsDisallowed_SanitizeEuint256() public {
+        bytes32 randomHandle = keccak256("random handle sanitize euint256");
+        euint256 a = e.asEuint256(10);
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        a.add(euint256.wrap(randomHandle).s());
+    }
+
+    function testUninitializedHandleIsDisallowed_SanitizeEbool() public {
+        // Craft handle with valid Bool type byte (0) at bits 8-15
+        bytes32 randomHandle = bytes32(uint256(keccak256("random handle sanitize ebool")) & ~(uint256(0xFF) << 8));
+        ebool a = e.asEbool(true);
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        a.and(ebool.wrap(randomHandle).s());
+    }
+
+    function testUninitializedHandleIsDisallowed_SanitizeEaddress() public {
+        bytes32 randomHandle = keccak256("random handle sanitize eaddress");
+        eaddress a = e.asEaddress(address(0x1));
+        vm.expectRevert(abi.encodeWithSelector(SenderNotAllowedForHandle.selector, randomHandle, address(this)));
+        a.eq(eaddress.wrap(randomHandle).s());
+    }
+
     function testCreateQuote() public view {
         bytes memory mrtd =
             hex"1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef";