Skip to content

Add AccessManager role-based account handler#248

Open
Amxx wants to merge 4 commits into
masterfrom
feature/access-manager-role-account
Open

Add AccessManager role-based account handler#248
Amxx wants to merge 4 commits into
masterfrom
feature/access-manager-role-account

Conversation

@Amxx

@Amxx Amxx commented Jul 6, 2026

Copy link
Copy Markdown
Collaborator

Summary

Adds AccessManagerRoleAccount.sol, introducing role-based account handlers backed by an AccessManager.

  • RoleAccount: an ERC-4337 Account (with ERC-7739 support) whose signature validation delegates authorization to an AccessManager role. The bound roleId is stored as clone immutable args, and a signature is valid only if the recovered signer holds the account's role in the manager.
  • AccessManagerWithRoleAccounts: an AccessManager extension that deterministically deploys (deployConfidentialHandler) and predicts (getConfidentialHandler) a RoleAccount clone per role, using the role id as salt.

Notes

  • Formatted with prettier and passes solhint via the pre-commit hooks.

Summary by CodeRabbit

  • New Features
    • Added role-based account handlers for more secure signature validation.
    • Enabled deterministic creation and lookup of handler addresses for specific roles.
    • Prevented public-role use when generating role-specific handler addresses.

@Amxx Amxx requested a review from a team as a code owner July 6, 2026 16:14
@coderabbitai

coderabbitai Bot commented Jul 6, 2026

Copy link
Copy Markdown

Review Change Stack

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: cb1eb99f-843e-4c78-b0f0-785766cf2606

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review

Walkthrough

This PR adds a new Solidity file implementing two contracts: RoleAccount, an ERC-4337-style account whose signature validation requires the recovered signer to hold a specific role in an AccessManager, and AccessManagerWithRoleAccounts, which deploys deterministic clones of RoleAccount per role.

Changes

Role Account and Manager Contracts

Layer / File(s) Summary
RoleAccount contract and role-gated signature validation
contracts/access/manager/AccessManagerRoleAccount.sol
Defines RoleAccount with an immutable accessManager, derives roleId() from clone immutable args, and overrides _rawSignatureValidation to require the recovered signer to hold the role before validating the signature.
AccessManagerWithRoleAccounts deterministic deployment
contracts/access/manager/AccessManagerRoleAccount.sol
Defines AccessManagerWithRoleAccounts extending AccessManager, with a deterministic _template clone, getConfidentialHandler/deployConfidentialHandler for deterministic clone addressing/deployment, and _roleToSalt which reverts for PUBLIC_ROLE.

Estimated code review effort: 3 (Moderate) | ~25 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Caller
  participant RoleAccount
  participant AccessManager

  Caller->>RoleAccount: _rawSignatureValidation(hash, signature)
  RoleAccount->>RoleAccount: roleId() via Clones immutable args
  RoleAccount->>AccessManager: check role membership of signer
  AccessManager-->>RoleAccount: membership result
  alt signer holds role
    RoleAccount->>RoleAccount: SignatureChecker.isValidSignatureNow
    RoleAccount-->>Caller: validation result
  else signer lacks role
    RoleAccount-->>Caller: false
  end
Loading
sequenceDiagram
  participant Caller
  participant AccessManagerWithRoleAccounts
  participant Clones

  Caller->>AccessManagerWithRoleAccounts: deployConfidentialHandler(roleId)
  AccessManagerWithRoleAccounts->>AccessManagerWithRoleAccounts: _roleToSalt(roleId)
  AccessManagerWithRoleAccounts-->>Caller: revert if PUBLIC_ROLE
  AccessManagerWithRoleAccounts->>Clones: deploy deterministic clone with immutable args
  Clones-->>AccessManagerWithRoleAccounts: clone address
  AccessManagerWithRoleAccounts-->>Caller: clone address
Loading

Poem

A rabbit hops through roles and keys,
Cloning accounts with practiced ease,
One salt per role, no PUBLIC allowed,
Signatures checked, hops proud and loud,
🐇 Deterministic burrows, dug just right! 🔑

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main change: adding an AccessManager-backed role-based account handler.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feature/access-manager-role-account

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
contracts/access/manager/AccessManagerRoleAccount.sol (1)

52-55: 🔒 Security & Privacy | 🔵 Trivial | 💤 Low value

Consider whether ADMIN_ROLE should also be locked.

_roleToSalt rejects PUBLIC_ROLE but permits ADMIN_ROLE (0), allowing a handler bound to the admin role. Since any admin-role member could then sign on behalf of that account, confirm this is intended or reject ADMIN_ROLE as well.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@contracts/access/manager/AccessManagerRoleAccount.sol` around lines 52 - 55,
The _roleToSalt check currently blocks PUBLIC_ROLE but still allows ADMIN_ROLE,
so review whether admin-bound handlers should be disallowed too. Update
_roleToSalt in AccessManagerRoleAccount to either reject ADMIN_ROLE alongside
PUBLIC_ROLE or clearly keep it permitted only if that is the intended behavior,
using the existing AccessManagerLockedRole guard for the rejected role(s).
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@contracts/access/manager/AccessManagerRoleAccount.sol`:
- Around line 44-50: The confidential handler clone helpers are encoding roleId
with abi.encode, which produces 32 bytes and breaks the expected 8-byte
immutable args read by roleId(). Update both getConfidentialHandler and
deployConfidentialHandler in AccessManagerRoleAccount to use packed encoding for
the role id so fetchCloneArgs() receives the correct 8-byte blob and the clone
can read the uint64 properly.

---

Nitpick comments:
In `@contracts/access/manager/AccessManagerRoleAccount.sol`:
- Around line 52-55: The _roleToSalt check currently blocks PUBLIC_ROLE but
still allows ADMIN_ROLE, so review whether admin-bound handlers should be
disallowed too. Update _roleToSalt in AccessManagerRoleAccount to either reject
ADMIN_ROLE alongside PUBLIC_ROLE or clearly keep it permitted only if that is
the intended behavior, using the existing AccessManagerLockedRole guard for the
rejected role(s).
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: df554d88-fc56-4499-b608-9191ebef4723

📥 Commits

Reviewing files that changed from the base of the PR and between f7e5f08 and 37a545d.

📒 Files selected for processing (1)
  • contracts/access/manager/AccessManagerRoleAccount.sol

Comment thread contracts/access/manager/AccessManagerRoleAccount.sol
@arr00

arr00 commented Jul 8, 2026

Copy link
Copy Markdown
Member

Thoughts on allowing execution from the handler by anyone with the role? Maybe it is overkill but it makes the usecase more generic. Then we don't need to use the phrasing ConfidentialHandler--it would just be a shared account across all role holders.

@Amxx

Amxx commented Jul 8, 2026

Copy link
Copy Markdown
Collaborator Author

Thoughts on allowing execution from the handler by anyone with the role?

The current version supports execution through the ERC-7821 inheritance

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants