Description
Background
Hot keys that market makers add through add_public_key automatically obtain full control over the Verifier account. Any leaked or compromised key can execute ft_withdraw, native_withdraw, token_diff, add/remove keys, etc. Operators would like to scope different keys to different responsibilities (e.g. quoting vs. treasury) to reduce the blast radius of a compromise and to meet operational/compliance requirements.
User Story
As a market maker running multiple automated services, I need to mark certain public keys as "quote-only" and others as "withdrawal-enabled" so that leaking one hot key cannot drain all assets and so that my operational policies.
Acceptance Criteria
- Proposal describing how to store per-key permission metadata and ABI changes required.
- Ability to specify allowed intent types when adding a public key (default = current “all intents”).
- Execution path rejects any signed payload whose intents are not allowed for the signing key.
- View method (or equivalent) exposing the permissions for each key.
- Migration path for existing keys (they keep full access unless explicitly updated).
- Tests covering at least: successful execution with allowed intents, rejection when an intent is not permitted, permission updates, and backward compatibility.
- Documentation updated (intent-types docs, security guidance) explaining how to use the feature.
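The following is an added sketch of the permission model the acceptance criteria describe; it is not code from the defuse/intents repository, and the names `IntentKind`, `KeyPermissions`, `Account`, `authorize`, `key_permissions` and the sample key strings are hypothetical stand-ins for whatever the real proposal settles on. It shows per-key metadata with "all intents" as the default (so existing keys keep full access), an all-or-nothing check on a signed payload before any intent executes, a view method exposing the permissions, and why a quote-only key must not be able to add or remove keys (otherwise it could grant itself withdrawal rights):

```rust
use std::collections::HashMap;

/// Hypothetical intent kinds, named after the intents the issue mentions.
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub enum IntentKind {
    TokenDiff,
    FtWithdraw,
    NativeWithdraw,
    AddPublicKey,
    RemovePublicKey,
}

/// Per-key permission metadata stored next to each public key.
#[derive(Clone, Debug, PartialEq, Eq)]
pub enum KeyPermissions {
    /// Legacy keys, and keys added without an explicit scope, keep full access.
    All,
    /// Only the listed intent kinds may be executed with this key.
    Only(Vec<IntentKind>),
}

impl KeyPermissions {
    pub fn allows(&self, kind: IntentKind) -> bool {
        match self {
            KeyPermissions::All => true,
            KeyPermissions::Only(kinds) => kinds.contains(&kind),
        }
    }
}

#[derive(Debug, PartialEq, Eq)]
pub enum ExecError {
    UnknownKey,
    IntentNotPermitted { key: String, intent: IntentKind },
}

/// Hypothetical per-account key registry (constructed for this example).
#[derive(Default)]
pub struct Account {
    keys: HashMap<String, KeyPermissions>,
}

impl Account {
    /// `None` reproduces today's behaviour: the key gets every intent.
    pub fn add_public_key(&mut self, key: &str, perms: Option<KeyPermissions>) {
        self.keys
            .insert(key.to_string(), perms.unwrap_or(KeyPermissions::All));
    }

    /// Permission update for an already-registered key.
    pub fn set_permissions(&mut self, key: &str, perms: KeyPermissions) -> Result<(), ExecError> {
        match self.keys.get_mut(key) {
            Some(slot) => {
                *slot = perms;
                Ok(())
            }
            None => Err(ExecError::UnknownKey),
        }
    }

    /// View method: what is this key allowed to do?
    pub fn key_permissions(&self, key: &str) -> Option<&KeyPermissions> {
        self.keys.get(key)
    }

    /// Gate for the execution path: every intent in the signed payload must be
    /// permitted for the signing key, otherwise the whole payload is rejected
    /// before anything is applied.
    pub fn authorize(&self, signing_key: &str, intents: &[IntentKind]) -> Result<(), ExecError> {
        let perms = self.keys.get(signing_key).ok_or(ExecError::UnknownKey)?;
        for &intent in intents {
            if !perms.allows(intent) {
                return Err(ExecError::IntentNotPermitted {
                    key: signing_key.to_string(),
                    intent,
                });
            }
        }
        Ok(())
    }
}

fn main() {
    let mut acct = Account::default();
    // Quoting service: may only post token_diff intents. Note that AddPublicKey
    // is deliberately absent, so this key cannot escalate its own privileges.
    acct.add_public_key("ed25519:QUOTER", Some(KeyPermissions::Only(vec![IntentKind::TokenDiff])));
    // Treasury service: no scope given, so it keeps full access (migration default).
    acct.add_public_key("ed25519:TREASURY", None);

    println!("{:?}", acct.authorize("ed25519:QUOTER", &[IntentKind::TokenDiff]));
    println!("{:?}", acct.authorize("ed25519:QUOTER", &[IntentKind::TokenDiff, IntentKind::FtWithdraw]));
    println!("{:?}", acct.authorize("ed25519:QUOTER", &[IntentKind::AddPublicKey]));
    println!("{:?}", acct.authorize("ed25519:TREASURY", &[IntentKind::NativeWithdraw]));
    println!("{:?}", acct.key_permissions("ed25519:QUOTER"));
}
```

The check is all-or-nothing on purpose: rejecting a mixed payload as a whole keeps a compromised quote-only key from smuggling a withdrawal in alongside legitimate quotes, and it keeps the audit trail simple (one rejection reason per payload).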
Resources & Additional Notes
- Current intent enum: intents/core/src/intents/mod.rs.
- Public key management: intents/core/src/intents/account.rs and defuse/src/accounts.rs.
- Execution pipeline (execute_signed_intent and verify_intent_nonce): intents/core/src/engine/mod.rs.