Merge pull request #413 from paritytech/feat/builder-identity-gate

feat: gate mod/deploy/decentralize/deploy-all behind a revealed builder identity

Author: UtkarshBhardwaj007

.changeset/builder-identity-gate.md

@@ -0,0 +1,13 @@
+---
+"playground-cli": minor
+---
+
+Gate `mod`, `init`, `deploy`, `decentralize`, and `deploy-all` behind a revealed
+builder identity. These commands now require you to be signed in (`playground
+login`) and to have joined the competition at playground.dot in your desktop
+app — the CLI reads your product account's on-chain identity binding from the
+playground registry (via the keyless read-only origin, no phone tap) and refuses
+to act for anonymous accounts. When you haven't joined yet, the command prints a
+friendly yellow notice explaining how to become a builder and exits without
+error. The check is signer-mode-agnostic: dev and `--suri` runs are gated too,
+but once you've revealed yourself they work as before.

src/commands/decentralize/index.ts

@@ -48,7 +48,8 @@ import {
     type DecentralizeOutcome,
     type DecentralizeSource,
 } from "../../utils/decentralize/run.js";
-import { destroyConnection } from "../../utils/connection.js";
+import { getConnection, destroyConnection } from "../../utils/connection.js";
+import { enforceIdentityGate } from "../shared/gateOrNotice.js";
 import {
     ensureGitInstalled,
     ModdablePreflightError,
@@ -147,6 +148,18 @@ export const decentralizeCommand = new Command("decentralize")
     .action(async (opts: DecentralizeOpts) =>
         runCliCommand("decentralize", { hardExit: true }, async () => {
             const env: Env = resolveLegacyEnv(opts.env);
+
+            // Builder-identity gate (any signer mode): only revealed builders
+            // who joined the competition may decentralize. Blocked is a soft
+            // outcome (yellow box, exit 0); release the shared connection we
+            // primed for the read before returning.
+            const conn = await getConnection();
+            if (await enforceIdentityGate(conn.raw.assetHub)) {
+                destroyConnection();
+                process.exitCode = 0;
+                return;
+            }
+
             if (opts.site || opts.path) {
                 await runHeadless({ env, opts });
             } else {

src/commands/deploy-all/index.ts

@@ -31,6 +31,7 @@ import { Command, Option } from "commander";
 import { captureWarning, errorMessage, withSpan } from "../../telemetry.js";
 import { resolveSigner, SignerNotAvailableError, type ResolvedSigner } from "../../utils/signer.js";
 import { getConnection, destroyConnection } from "../../utils/connection.js";
+import { enforceIdentityGate } from "../shared/gateOrNotice.js";
 import { checkMapping } from "../../utils/account/mapping.js";
 import { readLoginStampMs, staleSessionWarning } from "../../utils/loginStamp.js";
 import { onProcessShutdown } from "../../utils/process-guard.js";
@@ -141,6 +142,16 @@ async function runDeployAll(opts: DeployAllOpts): Promise<void> {
     onProcessShutdown(cleanupOnce);
 
     try {
+        // Builder-identity gate (any signer mode): only revealed builders who
+        // joined the competition may deploy. Runs before signer resolution;
+        // reuses the shared connection. Blocked is a soft outcome (exit 0).
+        const conn = await getConnection();
+        if (await enforceIdentityGate(conn.raw.assetHub)) {
+            cleanupOnce();
+            process.exitCode = 0;
+            return;
+        }
+
         userSigner = await preflightSigner({ env, mode, suri: opts.suri, publishToPlayground });
 
         if (mode === "phone" && userSigner?.source !== "session") {

src/commands/deploy/index.ts

@@ -26,6 +26,7 @@ import { captureWarning, errorMessage, withSpan } from "../../telemetry.js";
 import { readLoginStampMs, staleSessionWarning } from "../../utils/loginStamp.js";
 import { resolveSigner, SignerNotAvailableError, type ResolvedSigner } from "../../utils/signer.js";
 import { getConnection, destroyConnection } from "../../utils/connection.js";
+import { enforceIdentityGate } from "../shared/gateOrNotice.js";
 import { checkMapping } from "../../utils/account/mapping.js";
 import { onProcessShutdown } from "../../utils/process-guard.js";
 import { runCliCommand } from "../../cli-runtime.js";
@@ -157,6 +158,24 @@ export const deployCommand = new Command("deploy")
             })();
             onProcessShutdown(cleanupOnce);
 
+            // Builder-identity gate (any signer mode): only revealed builders
+            // who joined the competition may deploy. Runs before signer
+            // resolution / phone work; reuses the shared connection preflight
+            // will use. Blocked is a soft outcome (yellow box, exit 0).
+            try {
+                const conn = await getConnection();
+                if (await enforceIdentityGate(conn.raw.assetHub)) {
+                    cleanupOnce();
+                    process.exitCode = 0;
+                    return;
+                }
+            } catch (err) {
+                process.stderr.write(`\n✖ ${errorMessage(err)}\n`);
+                cleanupOnce();
+                process.exitCode = 1;
+                throw err;
+            }
+
             // `--yes` fills the fields the TUI would prompt for (signer ⇒ dev,
             // buildDir ⇒ default) and requires --domain. Resolve it BEFORE
             // preflight so the signer-resolution path sees the dev default and a

src/commands/mod/index.ts

@@ -20,6 +20,7 @@ import { existsSync } from "node:fs";
 import { withSpan } from "../../telemetry.js";
 import { getConnection, destroyConnection } from "../../utils/connection.js";
 import { getReadOnlyRegistryContract } from "../../utils/registry.js";
+import { enforceIdentityGate } from "../shared/gateOrNotice.js";
 import { AppBrowser, type AppEntry } from "./AppBrowser.js";
 import { SetupScreen } from "./SetupScreen.js";
 import { QuestPicker } from "./QuestPicker.js";
@@ -59,6 +60,15 @@ export async function runModCommand(rawDomain: string | undefined): Promise<void
             getReadOnlyRegistryContract(client.raw.assetHub),
         );
 
+        // Builder-identity gate: modding is reserved for revealed builders who
+        // joined the competition. This also gates `playground init`, which
+        // delegates here. Reuse the registry we just resolved so the gate
+        // doesn't re-resolve it. Blocked is a soft outcome (yellow box, exit 0).
+        if (await enforceIdentityGate(client.raw.assetHub, registry)) {
+            process.exitCode = 0;
+            return;
+        }
+
         let domain: string;
         let metadata: AppEntry | null = null;
 

src/commands/shared/IdentityGateNotice.tsx

@@ -0,0 +1,65 @@
+// Copyright (C) Parity Technologies (UK) Ltd.
+// SPDX-License-Identifier: Apache-2.0
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import React, { useEffect } from "react";
+import { render, Text } from "ink";
+import { Callout } from "../../utils/ui/theme/index.js";
+import type { BlockedIdentityStatus } from "../../utils/identity/identityGate.js";
+import { identityGateCopy } from "./identityGateCopy.js";
+
+/**
+ * One-shot yellow callout shown when the builder-identity gate blocks a
+ * command. No interaction: it paints once, then signals the host to unmount.
+ */
+export function IdentityGateNotice({
+    status,
+    onDone,
+}: {
+    status: BlockedIdentityStatus;
+    onDone: () => void;
+}) {
+    // Defer the unmount one tick so Ink flushes the frame before teardown.
+    useEffect(() => {
+        const t = setTimeout(onDone, 0);
+        return () => clearTimeout(t);
+    }, [onDone]);
+
+    const copy = identityGateCopy(status);
+    return (
+        <Callout tone="warning" title={copy.title}>
+            {copy.lines.map((line, i) => (
+                // Blank entries are intentional spacers; Ink collapses an empty
+                // string, so render a single space (matches the drip screen).
+                <Text key={i}>{line === "" ? " " : line}</Text>
+            ))}
+        </Callout>
+    );
+}
+
+/**
+ * Render the blocked-gate notice once and resolve after it has been shown and
+ * torn down. Mirrors the `status`/`drip` render/`waitUntilExit` shape.
+ */
+export function renderIdentityGateNotice(status: BlockedIdentityStatus): Promise<void> {
+    return new Promise((resolve) => {
+        const app = render(
+            React.createElement(IdentityGateNotice, {
+                status,
+                onDone: () => app.unmount(),
+            }),
+        );
+        void app.waitUntilExit().then(() => resolve());
+    });
+}

src/commands/shared/gateOrNotice.test.ts

@@ -0,0 +1,81 @@
+// Copyright (C) Parity Technologies (UK) Ltd.
+// SPDX-License-Identifier: Apache-2.0
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { beforeEach, describe, expect, it, vi } from "vitest";
+
+// Mock the gate decision + the Ink render so the test exercises only the
+// mapping contract enforceIdentityGate owns. withSpan is collapsed to a
+// pass-through so the span wrapper doesn't pull in Sentry.
+const { checkIdentityGateMock, renderNoticeMock } = vi.hoisted(() => ({
+    checkIdentityGateMock: vi.fn(),
+    renderNoticeMock: vi.fn().mockResolvedValue(undefined),
+}));
+
+vi.mock("../../utils/identity/identityGate.js", () => ({
+    checkIdentityGate: checkIdentityGateMock,
+}));
+
+vi.mock("./IdentityGateNotice.js", () => ({
+    renderIdentityGateNotice: renderNoticeMock,
+}));
+
+vi.mock("../../telemetry.js", () => ({
+    withSpan: (_op: string, _name: string, fn: () => unknown) => fn(),
+}));
+
+import { enforceIdentityGate } from "./gateOrNotice.js";
+
+const RAW = {} as any;
+const H160 = "0xbeefbeefbeefbeefbeefbeefbeefbeefbeefbeef" as `0x${string}`;
+
+beforeEach(() => {
+    vi.clearAllMocks();
+    renderNoticeMock.mockResolvedValue(undefined);
+});
+
+describe("enforceIdentityGate", () => {
+    it("does not block a revealed builder and prints nothing", async () => {
+        checkIdentityGateMock.mockResolvedValue({ status: "revealed", productH160: H160 });
+
+        const blocked = await enforceIdentityGate(RAW);
+
+        expect(blocked).toBe(false);
+        expect(renderNoticeMock).not.toHaveBeenCalled();
+    });
+
+    it.each(["not-logged-in", "anonymous", "unverifiable"] as const)(
+        "blocks and renders the %s notice",
+        async (status) => {
+            checkIdentityGateMock.mockResolvedValue(
+                status === "unverifiable" ? { status, detail: "x" } : { status, productH160: H160 },
+            );
+
+            const blocked = await enforceIdentityGate(RAW);
+
+            expect(blocked).toBe(true);
+            expect(renderNoticeMock).toHaveBeenCalledTimes(1);
+            expect(renderNoticeMock).toHaveBeenCalledWith(status);
+        },
+    );
+
+    it("forwards a pre-resolved registry to the gate (so mod doesn't re-resolve)", async () => {
+        checkIdentityGateMock.mockResolvedValue({ status: "revealed", productH160: H160 });
+        const registry = { getRootAccount: { query: vi.fn() } };
+
+        await enforceIdentityGate(RAW, registry as any);
+
+        expect(checkIdentityGateMock).toHaveBeenCalledWith(RAW, { registry });
+    });
+});

src/commands/shared/gateOrNotice.ts

@@ -0,0 +1,39 @@
+// Copyright (C) Parity Technologies (UK) Ltd.
+// SPDX-License-Identifier: Apache-2.0
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import type { PolkadotClient } from "polkadot-api";
+import { withSpan } from "../../telemetry.js";
+import { checkIdentityGate, type IdentityRegistry } from "../../utils/identity/identityGate.js";
+import { renderIdentityGateNotice } from "./IdentityGateNotice.js";
+
+/**
+ * Enforce the builder-identity gate for the signed-in session.
+ *
+ * Returns `true` when the user is BLOCKED — the caller should set
+ * `process.exitCode = 0` (a soft, actionable outcome) and return after running
+ * its own cleanup. Returns `false` when the user is a revealed builder and the
+ * command may proceed; nothing is printed on that path (no flash on success).
+ */
+export async function enforceIdentityGate(
+    rawAssetHubClient: PolkadotClient,
+    registry?: IdentityRegistry,
+): Promise<boolean> {
+    const result = await withSpan("cli.identity-gate", "check builder identity", () =>
+        checkIdentityGate(rawAssetHubClient, { registry }),
+    );
+    if (result.status === "revealed") return false;
+    await renderIdentityGateNotice(result.status);
+    return true;
+}

src/commands/shared/identityGateCopy.test.ts

@@ -0,0 +1,50 @@
+// Copyright (C) Parity Technologies (UK) Ltd.
+// SPDX-License-Identifier: Apache-2.0
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { describe, expect, it } from "vitest";
+import { identityGateCopy } from "./identityGateCopy.js";
+import type { BlockedIdentityStatus } from "../../utils/identity/identityGate.js";
+
+const STATUSES: BlockedIdentityStatus[] = ["not-logged-in", "anonymous", "unverifiable"];
+
+describe("identityGateCopy", () => {
+    it("returns a non-empty title and body for every blocked status", () => {
+        for (const status of STATUSES) {
+            const copy = identityGateCopy(status);
+            expect(copy.title.length).toBeGreaterThan(0);
+            const body = copy.lines.filter((l) => l.trim().length > 0);
+            expect(body.length).toBeGreaterThan(0);
+        }
+    });
+
+    it("points not-logged-in at `playground login`", () => {
+        const copy = identityGateCopy("not-logged-in");
+        expect(copy.lines.join(" ")).toContain("playground login");
+        expect(copy.lines.join(" ")).toContain("playground.dot");
+    });
+
+    it("tells anonymous builders to join the competition at playground.dot", () => {
+        const copy = identityGateCopy("anonymous");
+        expect(copy.lines.join(" ").toLowerCase()).toContain("become a builder");
+        expect(copy.lines.join(" ")).toContain("playground.dot");
+    });
+
+    it("tells unverifiable users to confirm they joined, then retry", () => {
+        const copy = identityGateCopy("unverifiable");
+        const body = copy.lines.join(" ");
+        expect(body).toContain("playground.dot");
+        expect(body.toLowerCase()).toContain("try again");
+    });
+});