smartcontract: add user ownership transfer and feed authority subscribe bypass #3364

Draft
snormore wants to merge 10 commits into main from snor/transfer-user-ownership
@snormore snormore commented Mar 24, 2026

Summary of Changes

  • Add a new onchain instruction TransferUserOwnership (variant 104) that transfers user ownership between access passes, updating connection counters, status, and merging multicast pub/sub allowlists
  • Authorization: old access pass must belong to the feed authority, OR the payer must be a foundation allowlist member
  • On connect multicast and disconnect multicast, automatically transfer ownership from the feed authority to the client's payer when the client has an access pass for the same IP (required for delete to succeed)
  • Allow the feed authority to update multicast subscriptions without the access pass allowlist check
  • Add a hidden user transfer-ownership admin CLI command for foundation members to manually trigger transfers

Diff Breakdown

| Category | Files | Lines (+/-) | Net |
|---|---|---|---|
| Core logic | 5 | +341 / -15 | +326 |
| Scaffolding | 8 | +32 / -5 | +27 |
| Tests | 2 | +1026 / -0 | +1026 |
| Docs | 1 | +3 / -0 | +3 |

~74% tests, ~24% core logic — well-covered new feature.

Testing Verification

  • 7 onchain integration tests covering: success path, foundation member bypass, old/new AP client_ip mismatch rejection, unauthorized caller rejection, connection counter + status transitions, multicast allowlist merge
  • 2 SDK unit tests with mocked client: success path verifying correct accounts/instruction, and old access pass not found error
  • 11 existing multicast subscribe tests pass with the feed authority changes
  • All existing tests pass (cargo test -p doublezero-serviceability, cargo test -p doublezero_sdk, cargo test -p doublezero)

Add a new instruction (variant 104) that transfers ownership of a user
account from one access pass to another. The instruction validates that
both access passes share the same client_ip as the user, updates
connection counters and status on both access passes, and merges
multicast pub/sub allowlists from the old to the new access pass.

Authorization: the old access pass must have user_payer matching the
feed authority, OR the payer must be a foundation allowlist member.

When connecting multicast and an existing user is found that is owned by
the feed authority, automatically transfer ownership to the client's
payer if they have an access pass for the same IP. This wires up the
TransferUserOwnership instruction through the SDK and CLI.

Add a hidden CLI subcommand `user transfer-ownership` to both the
doublezero and doublezero-admin CLIs, allowing foundation members to
manually transfer user ownership between access passes.

Add instruction-level test for old access pass client_ip mismatch, and
SDK unit tests for the TransferUserOwnershipCommand including the
success path and the old access pass not found error case.

Add get_globalstate mock to test fixture for maybe_transfer_user_ownership,
and fix needless borrow clippy warning.

The delete instruction validates the access pass against user.owner, so
if the user is still owned by the feed authority, a regular client's
delete will fail. Add the same maybe_transfer_user_ownership check
before deleting each user during disconnect.

@snormore snormore force-pushed the snor/transfer-user-ownership branch from 467420a to 659a8b1 Compare March 24, 2026 01:46

The feed authority (from globalstate) can now subscribe/unsubscribe
users to multicast groups without the access pass allowlist check.
This is needed because the feed authority manages users on behalf of
clients before ownership is transferred.

@snormore snormore changed the title from "smartcontract: add TransferUserOwnership instruction" to "smartcontract: add TransferUserOwnership instruction and feed authority subscribe" Mar 24, 2026

@snormore snormore changed the title from "smartcontract: add TransferUserOwnership instruction and feed authority subscribe" to "smartcontract: add user ownership transfer and feed authority subscribe bypass" Mar 24, 2026

…ber allowlist

Remove the restriction that prevented the feed authority from modifying
access passes it doesn't own. The feed authority needs to manage
subscriber allowlists on behalf of users before ownership is transferred.
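
The authorization and state-update rules described in this pull request, as an added Rust example that is not code from the PR or the doublezero repository. Every type, field and function name is a hypothetical stand-in, keys are shortened to `u8`, and two behaviours are assumptions: a pass counts as Connected while its counter is above zero, and a transfer moves exactly one connection from the old pass to the new one.

```rust
use std::net::Ipv4Addr;

// Hypothetical simplified account model (assumption); keys shortened to u8.
type Key = u8;
#[derive(Debug, PartialEq)]
pub enum TransferError { ClientIpMismatch, Unauthorized }
#[derive(Debug, PartialEq, Clone, Copy)]
pub enum Status { Connected, Disconnected }
pub struct GlobalState { pub feed_authority: Key, pub foundation_allowlist: Vec<Key> }
pub struct User { pub owner: Key, pub client_ip: Ipv4Addr }
pub struct AccessPass {
    pub user_payer: Key, pub client_ip: Ipv4Addr, pub connection_count: u16,
    pub status: Status, pub pub_allowlist: Vec<Key>, pub sub_allowlist: Vec<Key>,
}

// Union without duplicates, so repeated transfers cannot grow the list.
fn merge(dst: &mut Vec<Key>, src: &[Key]) {
    for k in src { if !dst.contains(k) { dst.push(*k); } }
}
// Assumed rule: a pass is Connected while it has at least one connection.
fn status_for(count: u16) -> Status {
    if count > 0 { Status::Connected } else { Status::Disconnected }
}

pub fn transfer_user_ownership(
    gs: &GlobalState, payer: Key, user: &mut User,
    old_ap: &mut AccessPass, new_ap: &mut AccessPass,
) -> Result<(), TransferError> {
    // Both access passes must be bound to the same client_ip as the user.
    if old_ap.client_ip != user.client_ip || new_ap.client_ip != user.client_ip {
        return Err(TransferError::ClientIpMismatch);
    }
    // Old pass belongs to the feed authority, OR the payer is a foundation member.
    let old_is_feed = old_ap.user_payer == gs.feed_authority;
    if !old_is_feed && !gs.foundation_allowlist.contains(&payer) {
        return Err(TransferError::Unauthorized);
    }
    // Every check has passed; state is mutated only from here on.
    old_ap.connection_count = old_ap.connection_count.saturating_sub(1);
    new_ap.connection_count = new_ap.connection_count.saturating_add(1);
    old_ap.status = status_for(old_ap.connection_count);
    new_ap.status = status_for(new_ap.connection_count);
    merge(&mut new_ap.pub_allowlist, &old_ap.pub_allowlist);
    merge(&mut new_ap.sub_allowlist, &old_ap.sub_allowlist);
    user.owner = new_ap.user_payer;
    Ok(())
}
```

Because both checks run before any field is written, a rejected call leaves the user and both access passes untouched.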