Skip to content

SOLVER_PERMISSION_LEVELS.md

Latest commit

 

History

History
86 lines (54 loc) · 2.74 KB

SOLVER_PERMISSION_LEVELS.md

File metadata and controls

86 lines (54 loc) · 2.74 KB

Solver Permission Levels

This document specifies solver permission levels for dispute resolution.

Summary

Mostro supports two solver permission levels:

  • read: solver can take a dispute, receive dispute context, and communicate with users
  • read-write: solver can do everything above and can also execute admin-settle and admin-cancel

This split is intended to support automated dispute assistants, including AI-based agents, without giving them authority to move funds.

Goals

  • allow non-human dispute assistants to participate safely
  • enforce authorization at the daemon level, not in prompts or UI
  • preserve backward compatibility for existing solver registration flows

Data Model

The users.category field is used to represent solver permissions:

  • 0: regular user / no solver permissions
  • 1: solver with read permission only
  • 2: solver with read-write permission

The legacy is_solver flag still indicates whether the user is a solver at all.

Authorization Rules

admin-take-dispute

Allowed for:

  • Mostro daemon admin key while dispute status is initiated or in-progress
  • solvers with is_solver = true while dispute status is initiated

Both read and read-write solvers may take a dispute.

admin-settle

Allowed only when:

  • the caller is the solver assigned to the dispute
  • and the assigned solver has category = 2

If the caller is assigned but only has read permission, Mostro returns:

  • CantDoReason::NotAuthorized

admin-cancel

Allowed only when:

  • the caller is the solver assigned to the dispute
  • and the assigned solver has category = 2

If the caller is assigned but only has read permission, Mostro returns:

  • CantDoReason::NotAuthorized

AdminAddSolver payload

admin-add-solver continues using Payload::TextMessage, but now supports an optional permission suffix.

Formats:

  • npub1... → defaults to read-write
  • npub1...:read → registers solver as read-only
  • npub1...:read-write → registers solver as read-write
  • npub1...:write → alias for read-write

Invalid suffixes must be rejected with CantDoReason::InvalidParameters.

RPC impact

The current RPC AddSolverRequest still only exposes solver_pubkey.

That means RPC registration remains backward compatible and defaults to read-write until the protobuf/API is extended.

Dependency

This feature requires mostro-core >= 0.8.4 because it uses CantDoReason::NotAuthorized.

Security rationale

The key security property is that read-only solvers can never execute dispute-closing actions, even if:

  • a UI exposes the wrong button
  • an operator misconfigures an agent prompt
  • a remote tool attempts to call admin-settle or admin-cancel directly

The daemon enforces the permission boundary.