Dev

[JaCoderX]

Summary by CodeRabbit

• New Features

  • Added a new controller operation type for guard-configuration flows and exposed it in the ABI and SDK.
  • Added request-time validation for payment details to reject invalid recipient or ERC20 addresses.

• Improvements

  • Adjusted secure-request handling to allow certain ownership and broadcaster requests to coexist where permitted.
  • Improved interface support reporting for account contracts.

• Tests & Docs

  • Updated tests and documentation to use the new operation type.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds a new operation type CONTROLLER_CONFIG_OPERATION, expands GuardController function schemas (adds executeWithPayment), enforces request-time payment address validation, splits SecureOwnable pending-request state into separate lanes, updates interface checks in Account, and migrates tests to an AccountPatternTest helper.

Changes

Cohort / File(s)	Summary
GuardController definitions & ABIs abi/GuardControllerDefinitions.abi.json, sdk/typescript/abi/GuardControllerDefinitions.abi.json, contracts/core/execution/lib/definitions/GuardControllerDefinitions.sol, sdk/typescript/types/core.execution.index.tsx, docs/core/execution/lib/definitions/GuardControllerDefinitions.md, sdk/typescript/docs/guard-controller.md	Added CONTROLLER_CONFIG_OPERATION constant and ABI entry; expanded getFunctionSchemas() from 8→9 (added executeWithPayment schema and handler); reclassified two guard-config batch functions to use the new operation type; docs and SDK examples updated.
Payment request validation contracts/core/lib/EngineBlox.sol, test/foundry/fuzz/ComprehensivePaymentSecurityFuzz.t.sol	Added request-time validation in txRequestWithPayment and meta-tx requestAndApprove to reject zero recipient or zero erc20TokenAddress when corresponding payment amounts are non-zero; added negative tests.
Secure request concurrency / SecureOwnable contracts/core/security/SecureOwnable.sol, test/foundry/fuzz/SecureOwnableFuzz.t.sol, test/foundry/security/EdgeCases.t.sol	Replaced single _hasOpenRequest with _hasOpenOwnershipRequest and _hasOpenBroadcasterRequest; added typed _requireNoPendingRequest(bytes32) and _clearPendingFlagForOperation(bytes32); updated completion logic; added tests covering overlapping pending requests.
Interface support checks contracts/core/pattern/Account.sol	supportsInterface now explicitly compares against IGuardController, IRuntimeRBAC, and ISecureOwnable interface IDs and otherwise falls back to super.supportsInterface.
RuntimeRBAC micro-optimization contracts/core/access/RuntimeRBAC.sol	Changed loop increment from i++ to ++i in _executeRoleConfigBatch (behavior preserved).
Test harness / pattern contract test/foundry/helpers/AccountPatternTest.sol, test/foundry/CommonBase.sol, many test/foundry/* files	Added AccountPatternTest (Foundry-only), migrated multiple tests from AccountBlox to AccountPatternTest, removed unused imports, and updated fuzz/meta-tx call sites to use CONTROLLER_CONFIG_OPERATION for guard-config flows.
Sanity / SDK test updates scripts/sanity-sdk/guard-controller/base-test.ts, scripts/sanity/guard-controller/base-test.cjs	Switched guard-config meta-tx operation type to CONTROLLER_CONFIG_OPERATION in SDK sanity tests.
Package bumps package.json, package/package.json, sdk/typescript/package.json	Bumped package versions from 1.0.0-alpha.18 → 1.0.0-alpha.19.

Estimated Code Review Effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly Related PRs

• feat: introduce CONTROLLER_CONFIG_OPERATION and enhance GuardControll… #141: Adds the same CONTROLLER_CONFIG_OPERATION constant and reclassifies guard-config functions in GuardControllerDefinitions.
• Work #81: Related changes around adding executeWithPayment selector/schema wiring in GuardControllerDefinitions.
• Work #112: Changes to EngineBlox request/approve/payment validation logic that overlap with request-time payment checks.

Poem

🐰 I hopped a constant into the code so neat,
Guard-configs now march to their own little beat.
Payments checked before the record is made,
Two flags now watch where the requests parade.
A tiny rabbit cheers—tests pass, code complete! 🥕✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'Dev' is vague and generic, providing no meaningful information about the changeset's purpose or primary changes.	Use a descriptive title that conveys the main changes, such as 'Add CONTROLLER_CONFIG_OPERATION type and executeWithPayment function' or 'Introduce config operation type and related schema updates'.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dev

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (4)

contracts/core/security/SecureOwnable.sol (1)

326-348: Prefer custom errors over bare revert() for unknown operation types.

Lines 332 and 346 use bare revert() for unrecognized operation types. Per coding guidelines, custom errors are preferred for gas efficiency and clarity.

♻️ Suggested fix

     function _requireNoPendingRequest(bytes32 requestOperationType) internal view {
         if (requestOperationType == SecureOwnableDefinitions.OWNERSHIP_TRANSFER) {
             if (_hasOpenOwnershipRequest) revert SharedValidation.PendingSecureRequest();
         } else if (requestOperationType == SecureOwnableDefinitions.BROADCASTER_UPDATE) {
             if (_hasOpenBroadcasterRequest) revert SharedValidation.PendingSecureRequest();
         } else {
-            revert();
+            revert SharedValidation.NotSupported();
         }
     }

     function _clearPendingFlagForOperation(bytes32 operationType) private {
         if (operationType == SecureOwnableDefinitions.OWNERSHIP_TRANSFER) {
             _hasOpenOwnershipRequest = false;
         } else if (operationType == SecureOwnableDefinitions.BROADCASTER_UPDATE) {
             _hasOpenBroadcasterRequest = false;
         } else {
-            revert();
+            revert SharedValidation.NotSupported();
         }
     }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@contracts/core/security/SecureOwnable.sol` around lines 326 - 348, Replace
the bare revert() calls in _requireNoPendingRequest and
_clearPendingFlagForOperation with a custom error that includes the unknown
operationType for clarity and gas efficiency; define a new error like
UnknownSecureOperation(bytes32 operationType) (or reuse an existing
SharedValidation error if available) and throw it with the operationType when
neither SecureOwnableDefinitions.OWNERSHIP_TRANSFER nor
SecureOwnableDefinitions.BROADCASTER_UPDATE matches, updating both functions to
revert with that custom error instead of calling revert().

contracts/core/lib/EngineBlox.sol (1)

379-387: Extract duplicated payment request validation into one helper.

The new checks are good, but duplicating them in two paths increases drift risk.

♻️ Suggested DRY refactor

     function txRequestWithPayment(
         SecureOperationState storage self,
@@
-        if (paymentDetails.nativeTokenAmount > 0 || paymentDetails.erc20TokenAmount > 0) {
-            SharedValidation.validateNotZeroAddress(paymentDetails.recipient);
-        }
-        if (paymentDetails.erc20TokenAmount > 0) {
-            SharedValidation.validateNotZeroAddress(paymentDetails.erc20TokenAddress);
-        }
+        _validatePaymentDetailsForRequest(paymentDetails);
@@
     function requestAndApprove(
         SecureOperationState storage self,
         MetaTransaction memory metaTx
     ) public returns (TxRecord memory) {
@@
-        if (metaTx.txRecord.payment.nativeTokenAmount > 0 || metaTx.txRecord.payment.erc20TokenAmount > 0) {
-            SharedValidation.validateNotZeroAddress(metaTx.txRecord.payment.recipient);
-        }
-        if (metaTx.txRecord.payment.erc20TokenAmount > 0) {
-            SharedValidation.validateNotZeroAddress(metaTx.txRecord.payment.erc20TokenAddress);
-        }
+        _validatePaymentDetailsForRequest(metaTx.txRecord.payment);
@@
+    function _validatePaymentDetailsForRequest(PaymentDetails memory payment) private pure {
+        if (payment.nativeTokenAmount > 0 || payment.erc20TokenAmount > 0) {
+            SharedValidation.validateNotZeroAddress(payment.recipient);
+        }
+        if (payment.erc20TokenAmount > 0) {
+            SharedValidation.validateNotZeroAddress(payment.erc20TokenAddress);
+        }
+    }

Also applies to: 587-595

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@contracts/core/lib/EngineBlox.sol` around lines 379 - 387, Extract the
duplicated payment validation into a single helper (e.g., validatePaymentDetails
or validateAttachedPaymentDetails) and call it from both locations where the
current checks appear; move the logic that checks
paymentDetails.nativeTokenAmount, paymentDetails.erc20TokenAmount and calls
SharedValidation.validateNotZeroAddress(paymentDetails.recipient) and
SharedValidation.validateNotZeroAddress(paymentDetails.erc20TokenAddress) into
that helper so the two code paths simply call
validatePaymentDetails(paymentDetails) instead of repeating the conditions and
validateNotZeroAddress calls.

test/foundry/helpers/AccountPatternTest.sol (1)

12-20: Add function-level NatSpec for the initializer override.

Behavior is fine, but this new Solidity 0.8.34 helper should include canonical machine-readable function docs.

📝 Suggested NatSpec addition

 contract AccountPatternTest is Account {
+    /**
+     * `@notice` Initializes the account test fixture.
+     * `@param` initialOwner Owner wallet assigned during initialization.
+     * `@param` broadcaster Broadcaster wallet assigned during initialization.
+     * `@param` recovery Recovery wallet assigned during initialization.
+     * `@param` timeLockPeriodSec Timelock duration in seconds.
+     * `@param` eventForwarder Optional event forwarder contract address.
+     */
     function initialize(
         address initialOwner,
         address broadcaster,
         address recovery,
         uint256 timeLockPeriodSec,
         address eventForwarder
     ) public virtual override initializer {
         Account.initialize(initialOwner, broadcaster, recovery, timeLockPeriodSec, eventForwarder);
     }
 }

As per coding guidelines: In Solidity 0.8.34 contracts, maintain or improve NatSpec documentation as the canonical machine-readable spec.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/foundry/helpers/AccountPatternTest.sol` around lines 12 - 20, Add a
function-level NatSpec block above the initialize(...) override: include a brief
`@dev` describing that this is the test helper initializer which delegates to
Account.initialize, add `@param` tags for initialOwner, broadcaster, recovery,
timeLockPeriodSec, and eventForwarder describing their purpose/expected values,
and include `@inheritdoc` Account.initialize (or an `@notice` if you prefer explicit
docs) so the override is machine-readable and follows the Solidity 0.8.34
canonical NatSpec style.

test/foundry/fuzz/ComprehensivePaymentSecurityFuzz.t.sol (1)

534-534: Unused parameter _timeAdvance.

The parameter was renamed to _timeAdvance (with underscore prefix indicating intentional non-use), but the variable is never used in the function body. The test function description mentions "Payment Update Timing" but the fuzzed time advance value isn't applied anywhere.

Consider either:

1. Using the parameter to vary timing scenarios (e.g., advanceTime(bound(_timeAdvance, timeLockPeriod + 1, timeLockPeriod * 2)))
2. Removing the parameter entirely if timing variation isn't needed for this test

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/foundry/fuzz/ComprehensivePaymentSecurityFuzz.t.sol` at line 534, The
parameter `_timeAdvance` in the fuzz test signature is unused; either remove it
or apply it to vary the timing as intended. If you want timing variation, use
the fuzzed value (e.g., call your test helper to advance block timestamp using a
bounded version of `_timeAdvance` such as bound(_timeAdvance, timeLockPeriod +
1, timeLockPeriod * 2) and then advanceTime/warp before performing the payment
update assertions), or simply delete `_timeAdvance` from the function signature
and test description if timing variation is not required; update references in
the test name/comments accordingly.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@contracts/core/execution/lib/definitions/GuardControllerDefinitions.sol`:
- Line 19: Update the NatSpec comment that currently says "Registers all 7
GuardController public execution functions" to match the actual number of
schemas returned by getFunctionSchemas() (which is 9); locate the
contract/contract comment referencing GuardController and modify the sentence to
read the correct count (e.g., "Registers all 9 GuardController public execution
functions") so the documentation and the getFunctionSchemas() implementation are
consistent.

---

Nitpick comments:
In `@contracts/core/lib/EngineBlox.sol`:
- Around line 379-387: Extract the duplicated payment validation into a single
helper (e.g., validatePaymentDetails or validateAttachedPaymentDetails) and call
it from both locations where the current checks appear; move the logic that
checks paymentDetails.nativeTokenAmount, paymentDetails.erc20TokenAmount and
calls SharedValidation.validateNotZeroAddress(paymentDetails.recipient) and
SharedValidation.validateNotZeroAddress(paymentDetails.erc20TokenAddress) into
that helper so the two code paths simply call
validatePaymentDetails(paymentDetails) instead of repeating the conditions and
validateNotZeroAddress calls.

In `@contracts/core/security/SecureOwnable.sol`:
- Around line 326-348: Replace the bare revert() calls in
_requireNoPendingRequest and _clearPendingFlagForOperation with a custom error
that includes the unknown operationType for clarity and gas efficiency; define a
new error like UnknownSecureOperation(bytes32 operationType) (or reuse an
existing SharedValidation error if available) and throw it with the
operationType when neither SecureOwnableDefinitions.OWNERSHIP_TRANSFER nor
SecureOwnableDefinitions.BROADCASTER_UPDATE matches, updating both functions to
revert with that custom error instead of calling revert().

In `@test/foundry/fuzz/ComprehensivePaymentSecurityFuzz.t.sol`:
- Line 534: The parameter `_timeAdvance` in the fuzz test signature is unused;
either remove it or apply it to vary the timing as intended. If you want timing
variation, use the fuzzed value (e.g., call your test helper to advance block
timestamp using a bounded version of `_timeAdvance` such as bound(_timeAdvance,
timeLockPeriod + 1, timeLockPeriod * 2) and then advanceTime/warp before
performing the payment update assertions), or simply delete `_timeAdvance` from
the function signature and test description if timing variation is not required;
update references in the test name/comments accordingly.

In `@test/foundry/helpers/AccountPatternTest.sol`:
- Around line 12-20: Add a function-level NatSpec block above the
initialize(...) override: include a brief `@dev` describing that this is the test
helper initializer which delegates to Account.initialize, add `@param` tags for
initialOwner, broadcaster, recovery, timeLockPeriodSec, and eventForwarder
describing their purpose/expected values, and include `@inheritdoc`
Account.initialize (or an `@notice` if you prefer explicit docs) so the override
is machine-readable and follows the Solidity 0.8.34 canonical NatSpec style.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 49a3d153-a773-4012-a4c4-e6f12784eece

📥 Commits

Reviewing files that changed from the base of the PR and between dad9c5a and d5a231d.

📒 Files selected for processing (27)

• abi/GuardControllerDefinitions.abi.json
• contracts/core/access/RuntimeRBAC.sol
• contracts/core/execution/lib/definitions/GuardControllerDefinitions.sol
• contracts/core/lib/EngineBlox.sol
• contracts/core/pattern/Account.sol
• contracts/core/security/SecureOwnable.sol
• docs/core/execution/lib/definitions/GuardControllerDefinitions.md
• scripts/sanity-sdk/guard-controller/base-test.ts
• scripts/sanity/guard-controller/base-test.cjs
• sdk/typescript/abi/GuardControllerDefinitions.abi.json
• sdk/typescript/docs/guard-controller.md
• sdk/typescript/types/core.execution.index.tsx
• test/foundry/CommonBase.sol
• test/foundry/fuzz/ComprehensiveCompositeFuzz.t.sol
• test/foundry/fuzz/ComprehensiveDefinitionSecurityFuzz.t.sol
• test/foundry/fuzz/ComprehensiveEventForwardingFuzz.t.sol
• test/foundry/fuzz/ComprehensiveGasExhaustionFuzz.t.sol
• test/foundry/fuzz/ComprehensiveHookSystemFuzz.t.sol
• test/foundry/fuzz/ComprehensiveInitializationFuzz.t.sol
• test/foundry/fuzz/ComprehensivePaymentSecurityFuzz.t.sol
• test/foundry/fuzz/ComprehensiveStateMachineFuzz.t.sol
• test/foundry/fuzz/ComprehensiveWhitelistSchemaFuzz.t.sol
• test/foundry/fuzz/SecureOwnableFuzz.t.sol
• test/foundry/helpers/AccountPatternTest.sol
• test/foundry/security/EdgeCases.t.sol
• test/foundry/unit/BaseStateMachine.t.sol
• test/foundry/unit/SecureOwnable.t.sol

💤 Files with no reviewable changes (2)

• test/foundry/fuzz/ComprehensiveWhitelistSchemaFuzz.t.sol
• test/foundry/fuzz/ComprehensiveHookSystemFuzz.t.sol

[coderabbitai]

🧹 Nitpick comments (1)

contracts/core/execution/lib/definitions/GuardControllerDefinitions.sol (1)

257-269: Schema 8 registered without default OWNER_ROLE permission—verify this is intentional design.

Schema 8 for executeWithPayment is registered and protected, but has no corresponding OWNER_ROLE permission entry in getRolePermissions(). The comment indicates permissions must be added manually to enable this flow. This means the function will be blocked until explicitly granted, making the payment flow opt-in by default.

Clarify in the NatSpec for getRolePermissions() that executeWithPayment requires manual permission setup, or document the rationale for this opt-in design in the schema comment.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@contracts/core/execution/lib/definitions/GuardControllerDefinitions.sol`
around lines 257 - 269, Schema 8 registers executeWithPayment
(EXECUTE_WITH_PAYMENT_SELECTOR) as protected but lacks a default OWNER_ROLE
grant, making the payment flow opt-in; update the NatSpec for
getRolePermissions() to explicitly state that the executeWithPayment schema
requires a manual OWNER_ROLE permission grant (or, if intentional alternative,
document the rationale for leaving it opt-in) and mention the schema identifier
(schemas[8]) and handler mapping (executeWithPaymentHandlerForSelectors) so
callers know to add the OWNER_ROLE entry when enabling this flow.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@contracts/core/execution/lib/definitions/GuardControllerDefinitions.sol`:
- Around line 257-269: Schema 8 registers executeWithPayment
(EXECUTE_WITH_PAYMENT_SELECTOR) as protected but lacks a default OWNER_ROLE
grant, making the payment flow opt-in; update the NatSpec for
getRolePermissions() to explicitly state that the executeWithPayment schema
requires a manual OWNER_ROLE permission grant (or, if intentional alternative,
document the rationale for leaving it opt-in) and mention the schema identifier
(schemas[8]) and handler mapping (executeWithPaymentHandlerForSelectors) so
callers know to add the OWNER_ROLE entry when enabling this flow.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 41bc9d33-f647-464d-bd7e-78202f8b5172

📥 Commits

Reviewing files that changed from the base of the PR and between d5a231d and 5767433.

📒 Files selected for processing (4)

• contracts/core/execution/lib/definitions/GuardControllerDefinitions.sol
• package.json
• package/package.json
• sdk/typescript/package.json

✅ Files skipped from review due to trivial changes (3)

• package.json
• package/package.json
• sdk/typescript/package.json