feat(privacy-proxy): add JSON-RPC proxy with role-based access control#302
Draft
AnshuJalan wants to merge 3 commits into
Conversation
A new Rust package that sits between users and the upstream execution client. Wallets target it like a normal Ethereum JSON-RPC endpoint (adding an Authorization: Bearer <token> header); the proxy gates contract calls and address-parameterized reads against an admin-managed access registry.

- Wallet sign-in flow (EIP-191 challenge/verify) issues opaque bearer tokens bound to the signer's EOA. SQLite-backed.
- Access registry keyed by (contract_address, function_selector), with allow/deny rules and per-role entries. Optional named in-build lambda predicates over caller_info and function arguments. Contracts or selectors not in the registry are freely callable.
- For call-bearing methods (eth_call, eth_sendRawTransaction, eth_estimateGas, eth_createAccessList) the proxy issues debug_traceCall and validates every CALL frame, top-level and internal. Any forbidden frame rejects the whole request.
- Address-parameterized reads (eth_getBalance, eth_getProof, eth_getTransactionCount, eth_getCode, eth_getStorageAt) are gated via synthetic 4-byte selectors over the same registry. Default policy: an EOA can only query its own state; contracts are free unless an admin installs a rule.
- /admin/* REST surface (18 capabilities) for rules, entries, roles, users, and lambda listing. Seed admins from the ADMIN_EOAS env var, reconciled on every boot.
- Docs live under packages/privacy-proxy/docs/ (system-design, wallet-integration, admin-api, operator-guide); package README is the external front-door.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Caller attributes are now typed per role instead of a generic
caller_info JSON blob. Roles are code-declared in src/roles.rs and
reconciled to the DB at boot; the previous role-mutation endpoints are
gone. Lambdas are organized by role under src/acl/lambdas/<role>/ and
receive the role's typed attribute struct directly.
- Schema: top-level identity table renamed users -> members (admins and
users both live here). Per-user-role state moves to user_attributes
(kyc, blacklisted). caller_info_json column dropped.
- Self-registration: /auth/verify seeds a members row with default
kyc=false, blacklisted=false; admin-only thereafter.
- Lambda base in src/acl/lambdas/mod.rs is generic over the role's
attribute type C. user-role lambdas (require_kyc, erc20_self_only)
live under src/acl/lambdas/user/ and read UserCallerInfo directly.
- Admin API: routes moved to /admin/members; PUT takes
{ role, attributes? } typed by role; capability index renumbered to
a clean 1-16 sequence with no gaps.
- Docs: system-design.md gains a Roles section with an explicit
"Adding a role" procedure; admin-api.md rewritten as fresh spec.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…tors `LambdaSpec.expected_selector: Option<[u8;4]>` becomes `expected_selectors: &'static [[u8;4]]` — empty means selector-agnostic. `erc20_self_only` now correctly lists the two selectors it actually handles (balanceOf 0x70a08231 and allowance 0xdd62ed3e); admins authoring rules can see at a glance which selectors a lambda is built for.

- `GET /admin/registry/lambdas` returns `expected_selectors: string[]`.
- Docs updated (admin-api §9, system-design §5).
- Adds a package-local .gitignore for the runtime sqlite DB.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary

New Rust package packages/privacy-proxy/ — an EVM JSON-RPC proxy that sits between users and the upstream execution client and enforces role-based access control on contract calls and address-parameterized reads.

What it does

- Wallets target it like a normal Ethereum JSON-RPC endpoint (eth_ namespace). Drop-in replacement for the chain's RPC URL; the only addition is an Authorization: Bearer <token> header.
- Access registry keyed by (contract_address, function_selector). Rules are allow or deny with per-role entries and optional named in-build lambda predicates over caller context and function arguments. Contracts or selectors not in the registry are freely callable.
- For call-bearing methods (eth_call, eth_sendRawTransaction, eth_estimateGas, eth_createAccessList) the proxy issues debug_traceCall and applies the registry to every CALL frame — top-level and internal. Any forbidden frame rejects the whole request before it reaches the chain.
- Address-parameterized reads (eth_getBalance, eth_getProof, eth_getTransactionCount, eth_getCode, eth_getStorageAt) are gated via synthetic 4-byte selectors over the same registry. Default policy: an EOA can only query its own state; contracts are free unless an admin installs a rule.
- /admin/* REST surface (18 capabilities) for managing rules, entries, roles, users, and listing in-build lambdas. Seed admins come from the ADMIN_EOAS env var and are reconciled on every boot.

Docs

All under packages/privacy-proxy/docs/:

- system-design.md — architecture, request flow, schema, modules
- wallet-integration.md — for wallet developers integrating the sign-in flow
- admin-api.md — full admin endpoint reference for the future operator UI
- operator-guide.md — deploying, ADMIN_EOAS, key rotation, restart semantics

The package README is the external front-door.
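As an added illustration (not code from this PR or the package), here is the frame-walking check the description outlines: every CALL frame of a debug_traceCall callTracer result is looked up in a registry keyed by (contract_address, function_selector), unlisted pairs pass, and a single forbidden frame, top-level or internal, rejects the whole request. The Allow/Deny-with-listed-roles semantics, the struct and function names, and the sample addresses are assumptions; only the balanceOf selector 0x70a08231 comes from the third commit message.

```rust
use std::collections::HashMap;
use std::convert::TryInto;

/// One frame of a debug_traceCall callTracer result. Constructed inline here;
/// the real proxy would decode it from the upstream client's JSON response.
pub struct CallFrame {
    pub to: [u8; 20],
    pub input: Vec<u8>,
    pub calls: Vec<CallFrame>, // internal CALL frames made by this frame
}

#[derive(Clone, Copy, PartialEq)]
pub enum Kind { Allow, Deny }

/// Assumed rule semantics: Allow admits only the listed roles, Deny blocks only them.
pub struct Rule { pub kind: Kind, pub roles: Vec<&'static str> }

/// Registry keyed by (contract_address, function_selector), as the PR describes.
pub type Registry = HashMap<([u8; 20], [u8; 4]), Rule>;

fn frame_allowed(frame: &CallFrame, role: &str, reg: &Registry) -> bool {
    // Frames without a 4-byte selector (plain value transfers) carry nothing to gate.
    let sel: [u8; 4] = match frame.input.get(..4) {
        Some(s) => s.try_into().unwrap(),
        None => return true,
    };
    match reg.get(&(frame.to, sel)) {
        None => true, // contract/selector not in the registry: freely callable
        Some(r) => (r.kind == Kind::Allow) == r.roles.iter().any(|x| *x == role),
    }
}

/// Validate every CALL frame, top-level and internal. Err names the first
/// forbidden (address, selector) so the caller can reject the whole request.
pub fn check_trace(frame: &CallFrame, role: &str, reg: &Registry) -> Result<(), String> {
    if !frame_allowed(frame, role, reg) {
        return Err(format!("forbidden frame: to=0x{} selector=0x{}",
                           hex(&frame.to), hex(&frame.input[..4])));
    }
    frame.calls.iter().try_for_each(|c| check_trace(c, role, reg))
}

fn hex(b: &[u8]) -> String { b.iter().map(|x| format!("{:02x}", x)).collect() }

/// Constructed sample: a router (0x01..) internally calls balanceOf on a token
/// (0x02..) whose balanceOf is allow-listed for the admin role only.
pub fn sample() -> (Registry, CallFrame) {
    let (router, token) = ([0x01u8; 20], [0x02u8; 20]);
    let balance_of: [u8; 4] = [0x70, 0xa0, 0x82, 0x31]; // balanceOf(address)
    let mut reg = Registry::new();
    reg.insert((token, balance_of), Rule { kind: Kind::Allow, roles: vec!["admin"] });
    let inner = CallFrame { to: token, input: [balance_of.to_vec(), vec![0u8; 32]].concat(), calls: vec![] };
    let top = CallFrame { to: router, input: vec![0xaa, 0xbb, 0xcc, 0xdd], calls: vec![inner] };
    (reg, top)
}
```

The top-level frame hits an unregistered router selector and passes; it is the internal balanceOf frame that fails for a caller in the user role, which is exactly why the proxy traces rather than inspecting only the outer call.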