feat(cast): KeyAuthorization signing via non-EOA wallets#14743
Merged
Conversation
Add 'cast keychain sign-authorization' (alias 'sign-auth') for signing a Tempo KeyAuthorization with the connected browser/passkey wallet. - Converts CLI flags (--limit, --scope/--scopes, --expiry, --chain-id, key type) into tempo-primitives types - Drives BrowserSigner::sign_key_authorization via the local wallet bridge - Prints the RLP-encoded SignedKeyAuthorization as 0x-prefixed hex (or JSON) Enforce policy completeness at clap arg-parsing time: - 'spending_policy' group: --limit | --deny-all-spending (mutually exclusive, required) - 'call_policy' group: --scope | --scopes | --deny-all-calls (mutually exclusive, required) Cargo.toml: temporary local path override for foundry-wallets while the companion foundry-core branch lands. Co-authored-by: Amp <amp@ampcode.com>
eychain` command
mablr
changed the title
keychain sign-authorization subcommand
mablr
changed the title
mablr
requested review from
0xrusowsky,
DaniPopes,
figtracer,
grandizzy,
mattsse and
stevencartavia
as code owners
Member
|
One remaining pre-merge blocker: Once foundry-core#67 lands, please switch this to the merged/released dependency, or at least a fixed |
Contributor
|
cast keychain authorize --limit now parses TOKEN:AMOUNT[:PERIOD] into TokenLimit.period at crates/cast/src/cmd/keychain.rs:515, but the pre-T3 legacy path later converts those limits into LegacyTokenLimit by copying only token and amount at crates/cast/src/cmd/keychain.rs:2695. This means a user can request a periodic limit, have the command succeed, and silently receive a non-periodic legacy authorization. The legacy branch should reject any limit.period != 0 with a clear error that periodic limits require a T3- Suggested as following : |
Contributor
|
Tempo validation rejects admin authorizations carrying expiry, limits, or allowed call scopes, so Should reject these flag combinations upfront . |
Remove the not-yet-supported T5 KeyAuthorization fields from the cast key-authorization encode/sign surface. This drops witness, account binding, and admin-key flags from the CLI parser, artifact construction, and JSON output so cast no longer emits artifacts that rely on fields we are not ready to support. Keep the lower-level witness inspection and burn/check RPC commands intact; those operate on already-existing stored authorizations or explicit AccountKeychain RPC state and do not expose witness creation through the key-authorization artifact helper. Also reject periodic spending limits on the legacy pre-T3 authorizeKey path before building calldata. Previously TOKEN:AMOUNT:PERIOD parsed successfully but the legacy calldata conversion silently discarded the period. Update the focused tests for the reduced key-authorization argument shape and keep stored authorization witness decoding covered directly. Refresh Cargo.lock so foundry-wallets resolves to the foundry-core branch head that restores the browser wallet assets to the master version.
Member
Author
grandizzy
reviewed
Jun 11, 2026
figtracer
reviewed
Jun 11, 2026
Use a key-authorization-specific root signer check for cast key-authorization sign so --from mismatches report that an artifact signature must come from the expected root account, not that an AccountKeychain transaction signer is wrong. Pin foundry-wallets to the fixed foundry-core revision 521a152b306bc21605d55d436097fde44327c2b6 and update Cargo.lock from the moving branch source to the matching rev source. Add a focused unit test for the new key authorization signer mismatch error text.
Update foundry-wallets to foundry-core rev 4042c61abd24f065ce8387caf7ec0a35c24ed7ce, which rejects unsupported T5 KeyAuthorization fields before enqueueing browser signing requests. Keep Cargo.lock pinned to the same fixed rev source so the dependency remains reproducible.
Restore --witness for cast key-authorization encode/sign so TIP-1053 witnesses can be included in the KeyAuthorization signing hash again. Keep account/admin T5 fields out of scope; browser signing now safely rejects witness-bearing requests in foundry-wallets before enqueueing a browser prompt. Add coverage for CLI witness parsing and for preserving an explicit zero witness as distinct from an omitted witness.
figtracer
reviewed
Jun 11, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Depends on foundry-rs/foundry-core#67 and foundry-rs/foundry-browser-wallet#67 foundry-rs/foundry-browser-wallet#75.
Motivation
Close OSS-168
This PR wires the Foundry side of browser/passkey-backed
KeyAuthorizationsigning intocast.Changes
--browser/passkey-backed root signers.cast key-authorizationkeepscast key-authas the short alias.CLI example
Sign an authorization with the browser wallet:
Manual browser-wallet signing was also tested against
foundry-browser-walletrunning locally withnpm run dev.