feat: add ExecutionBoundEnforcer — exact execution commitment at redemption #173

Open

terriclaw wants to merge 1 commit into MetaMask:main from terriclaw:feat/execution-bound-enforcer

Conversation


@terriclaw terriclaw commented Apr 11, 2026

What?

  • Add ExecutionBoundEnforcer, a CaveatEnforcer that binds execution to an EIP-712 signed commitment at redemption

Why?

  • Existing caveats enforce policy constraints, not exact execution
  • Offchain calldata construction can drift within allowed bounds
  • Requires exact equality between execution and a signed commitment

How?

  • Inherits CaveatEnforcer
  • terms: unused
  • args: abi.encode(ExecutionIntent intent, address signer, bytes signature)
  • ExecutionIntent: (account, target, value, dataHash, nonce, deadline)
  • dataHash = keccak256(execution.callData)
  • Nonce scoped by (delegationManager, account, nonce)
  • Nonce is consumed before signature verification (CEI)
  • Supports EOA + ERC-1271 signatures via SignatureChecker
  • Restricted to single-call + default execution mode

Closes #172
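A sketch of the mechanism listed under How?, added here as an illustration and not code from this PR or from the delegation-framework repository. It follows the later revision in this thread where the authorized signer lives in terms and args carries only (intent, signature); the function name `_enforce`, its already-decoded (target, value, callData) parameters, the EIP-712 domain name and version, and the check that `intent.account` equals the delegator are assumptions.

```solidity
// Illustrative sketch (not the PR's code); assumes OZ EIP712/SignatureChecker and a simplified hook interface.
pragma solidity ^0.8.20;

import {EIP712} from "@openzeppelin/contracts/utils/cryptography/EIP712.sol";
import {SignatureChecker} from "@openzeppelin/contracts/utils/cryptography/SignatureChecker.sol";

struct ExecutionIntent {
    address account;  // delegator account the intent is bound to (binding assumed)
    address target;   // exact call target
    uint256 value;    // exact call value
    bytes32 dataHash; // keccak256(execution.callData)
    uint256 nonce;    // replay protection, scoped per (delegation manager, account)
    uint256 deadline; // unix time after which the intent is no longer valid
}

contract ExecutionBoundEnforcerSketch is EIP712 {
    bytes32 private constant INTENT_TYPEHASH = keccak256(
        "ExecutionIntent(address account,address target,uint256 value,bytes32 dataHash,uint256 nonce,uint256 deadline)"
    );
    // usedNonces[delegationManager][account][nonce]; msg.sender is the manager, so a direct
    // call to the hook lands in its own scope and cannot burn a manager-scoped nonce.
    mapping(address => mapping(address => mapping(uint256 => bool))) public usedNonces;

    constructor() EIP712("ExecutionBoundEnforcer", "1") {} // domain name/version assumed

    /// @param terms abi.encode(address authorizedSigner), fixed by the delegator at delegation time
    /// @param args  abi.encode(ExecutionIntent intent, bytes signature), supplied at redemption
    function _enforce(
        bytes calldata terms, bytes calldata args,
        address target, uint256 value, bytes calldata callData, address delegator
    ) internal {
        address authorizedSigner = abi.decode(terms, (address));
        (ExecutionIntent memory intent, bytes memory signature) =
            abi.decode(args, (ExecutionIntent, bytes));

        require(block.timestamp <= intent.deadline, "intent expired");
        require(intent.account == delegator, "account mismatch");
        require(intent.target == target && intent.value == value, "target/value mismatch");
        require(intent.dataHash == keccak256(callData), "calldata mismatch"); // exact equality

        // CEI: mark the nonce used before the ERC-1271 external call inside SignatureChecker.
        require(!usedNonces[msg.sender][intent.account][intent.nonce], "nonce already used");
        usedNonces[msg.sender][intent.account][intent.nonce] = true;

        // _hashTypedDataV4 rebuilds the domain separator from the live chainId (OZ EIP712).
        bytes32 digest = _hashTypedDataV4(keccak256(abi.encode(
            INTENT_TYPEHASH, intent.account, intent.target, intent.value,
            intent.dataHash, intent.nonce, intent.deadline
        )));
        require(SignatureChecker.isValidSignatureNow(authorizedSigner, digest, signature), "bad signature");
    }
}
```

The single-call/default-mode restriction from the PR is left to the caller here: this sketch assumes the hook has already decoded one (target, value, callData) triple.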

@terriclaw terriclaw requested a review from a team as a code owner April 11, 2026 00:26
@terriclaw terriclaw force-pushed the feat/execution-bound-enforcer branch from 47cd4ea to b898af3 on April 11, 2026 01:19

@terriclaw terriclaw (Author) commented

Addressed both issues:

  1. authorizedSigner moved to _terms — the delegator now commits to the trusted signer at delegation time. _args carries only (intent, signature).
  2. Nonce scoped by msg.sender (delegation manager) — direct beforeHook calls use a different scope and cannot grief legitimate redemptions. Added test_directCall_cannotGriefNonce to prove this.

10/10 tests passing.

@terriclaw terriclaw force-pushed the feat/execution-bound-enforcer branch from b898af3 to 118ead0 on April 11, 2026 01:30

@terriclaw terriclaw (Author) commented

Good catch — switching to the OZ EIP712 base removes the custom cached domain separator and matches DelegationManager's behavior on chainId changes. _hashTypedDataV4 now handles digest construction dynamically.

@cursor cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Reviewed by Cursor Bugbot for commit 118ead0.

@terriclaw terriclaw force-pushed the feat/execution-bound-enforcer branch from 118ead0 to 8e76363 on April 11, 2026 01:48

@terriclaw terriclaw (Author) commented

Good catch — moved nonce consumption before signature verification to follow CEI. Also removed the incorrect NatDoc justification; the ordering is for CEI compliance, not griefing prevention (a revert rolls back state regardless).

@terriclaw terriclaw force-pushed the feat/execution-bound-enforcer branch from 8e76363 to b20a18f on April 12, 2026 00:08

@terriclaw terriclaw (Author) commented

Tightening pass: fixed a stale NatDoc comment — the nonce is consumed before signature verification (CEI), not after. The previous wording was left over from an earlier iteration and incorrectly described the ordering.
No logic changes. 10/10 tests passing.

Successfully merging this pull request may close these issues.

feat: ExecutionBoundEnforcer — exact execution commitment at redemption