
chore: use restricted access keys instead of full access keys for MPC nodes#2773

Open
barakeinav1 wants to merge 3 commits into main from barak/restricted-access-keys

Conversation


@barakeinav1 barakeinav1 commented Apr 9, 2026

Summary

  • Replace grant-full-access with grant-function-call-access in all scripts and docs that add node account keys
  • Restricted keys can only call node-facing methods on the MPC contract:
    respond, respond_ckd, respond_verify_foreign_tx, vote_pk, start_keygen_instance, vote_reshared, vote_foreign_chain_policy, start_reshare_instance, vote_abort_key_event_instance, verify_tee, submit_participant_info, conclude_node_migration
  • Allowance set to 1 NEAR

Files changed

Scripts (4):

  • localnet/tee/scripts/rust-launcher/deploy-tee-localnet.sh
  • localnet/tee/scripts/deploy-tee-localnet.sh
  • deployment/testnet/scripts/scale-testnet-tee.sh
  • scripts/launch-localnet.sh

Docs (3):

  • docs/localnet/localnet.md
  • docs/localnet/tee-localnet.md
  • docs/testnet/setup-guide-for-testnet-with-tee-support.md

The method list was verified against crates/near-mpc-contract-interface/src/method_names.rs and the ChainSendTransactionRequest enum in crates/node/src/indexer/types.rs.

Closes #2543

Test plan

  • Run localnet E2E TEE test with restricted keys
  • Verify nodes can still sign, vote, and submit attestations

…odes

Node account keys should only be able to call node-facing methods on the
MPC contract, not have full access to the account. This updates all
scripts and documentation to use grant-function-call-access with the
specific method list instead of grant-full-access.

Closes #2543
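As an added example (not code from the PR or the project), here is a post-deploy audit that checks the `permission` object returned by the NEAR RPC `view_access_key` query for each node account key against the policy above: a function-call key scoped to the MPC contract, exactly the twelve node-facing methods, and an allowance no larger than 1 NEAR. The response shape is taken from the NEAR RPC as I know it, and the sample key records are constructed.

```python
# Added example (not the PR's or the project's code): audit the `permission`
# object from NEAR RPC `view_access_key` against the restricted-key policy.

ONE_NEAR_YOCTO = 10**24  # allowances are strings of yoctoNEAR

# Node-facing method allowlist as listed in the PR description.
NODE_METHODS = frozenset({
    "respond", "respond_ckd", "respond_verify_foreign_tx", "vote_pk",
    "start_keygen_instance", "vote_reshared", "vote_foreign_chain_policy",
    "start_reshare_instance", "vote_abort_key_event_instance", "verify_tee",
    "submit_participant_info", "conclude_node_migration",
})

def audit_access_key(permission, contract_id):
    """Return a list of policy violations; an empty list means the key is compliant."""
    if permission == "FullAccess":
        return ["full-access key: can transfer funds, add keys and deploy code"]
    fc = permission.get("FunctionCall") if isinstance(permission, dict) else None
    if fc is None:
        return [f"unrecognised permission shape: {permission!r}"]
    findings = []
    if fc.get("receiver_id") != contract_id:
        findings.append(f"scoped to {fc.get('receiver_id')!r}, expected {contract_id!r}")
    methods = set(fc.get("method_names") or [])
    if not methods:  # NEAR semantics: an empty list allows every method on receiver_id
        findings.append("empty method list: any method on the contract is allowed")
    if extra := sorted(methods - NODE_METHODS):
        findings.append(f"unexpected methods: {extra}")
    if methods and (missing := sorted(NODE_METHODS - methods)):
        findings.append(f"missing node-facing methods: {missing}")
    allowance = fc.get("allowance")
    if allowance is None:
        findings.append("unlimited allowance: key can burn the whole balance on gas")
    elif int(allowance) > ONE_NEAR_YOCTO:
        findings.append(f"allowance {allowance} yoctoNEAR exceeds 1 NEAR")
    return findings

def audit_account(keys, contract_id):
    """Map each public key to its findings; a deploy check fails on any non-empty list."""
    return {pk: audit_access_key(perm, contract_id) for pk, perm in keys.items()}

# Constructed records in the shape of `view_access_key` responses (public keys are placeholders).
SAMPLE_KEYS = {
    "ed25519:FULL": "FullAccess",
    "ed25519:GOOD": {"FunctionCall": {"allowance": str(ONE_NEAR_YOCTO),
                     "receiver_id": "mpc-contract.test.near", "method_names": sorted(NODE_METHODS)}},
    "ed25519:WIDE": {"FunctionCall": {"allowance": None,
                     "receiver_id": "mpc-contract.test.near", "method_names": []}},
}
```

Feed it the `permission` field of each key listed for the node account and fail the deployment if any key returns a non-empty finding list.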

claude bot commented Apr 9, 2026

PR title type suggestion: This PR changes only deployment scripts and documentation, so the type prefix should probably be chore: instead of fix:.

Suggested title: chore: use restricted access keys instead of full access keys for MPC nodes


claude bot commented Apr 9, 2026

Code Review

Verified the method list against crates/near-mpc-contract-interface/src/method_names.rs and the ChainSendTransactionRequest enum in crates/node/src/indexer/types.rs — all 12 methods are present and no node-facing methods are missing.

Checked quoting across all scripts: the comma-separated method list contains no whitespace so word-splitting is not a concern, even in launch-localnet.sh where it passes through eval.

Good security improvement — replacing full-access keys with restricted function-call access keys limits blast radius if a node key is compromised.

✅ Approved — clean, consistent change across all scripts and docs.

@barakeinav1 barakeinav1 requested a review from Copilot April 9, 2026 10:55


Copilot AI left a comment


Pull request overview

This PR updates localnet/testnet deployment scripts and documentation to add MPC node public keys as restricted function-call access keys (instead of full-access keys), limiting what node keys can do on the MPC contract and setting a 1 NEAR allowance.

Changes:

  • Replace grant-full-access with grant-function-call-access for adding node signer/responder keys.
  • Restrict allowed contract methods to the node-facing transaction methods (respond/vote/start/TEE/migration-related).
  • Update localnet/testnet docs to reflect the restricted-key CLI commands.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| scripts/launch-localnet.sh | Adds node keys as function-call-only keys scoped to mpc-contract.test.near with 1 NEAR allowance. |
| localnet/tee/scripts/rust-launcher/deploy-tee-localnet.sh | Updates near_add_key_skip_if_exists to create restricted function-call keys for node signer/responder keys. |
| localnet/tee/scripts/deploy-tee-localnet.sh | Same restricted-key change for the non-rust-launcher localnet TEE deploy script. |
| deployment/testnet/scripts/scale-testnet-tee.sh | Same restricted-key change for scaling TEE nodes on testnet. |
| docs/localnet/localnet.md | Updates localnet instructions to add restricted function-call keys (with method allowlist). |
| docs/localnet/tee-localnet.md | Updates TEE localnet instructions to add restricted function-call keys (with method allowlist). |
| docs/testnet/setup-guide-for-testnet-with-tee-support.md | Updates testnet setup instructions to add restricted function-call keys (with method allowlist). |


Comment on lines +248 to +254
```bash
near account add-key $SAM_ACCOUNT grant-full-access \
near account add-key $SAM_ACCOUNT grant-function-call-access \
--allowance '1 NEAR' --contract-account-id $MPC_CONTRACT_ACCOUNT --function-names "$NODE_METHODS" \
use-manually-provided-public-key "$SAM_PUBKEY" network-config testnet sign-with-keychain send

near account add-key $SAM_ACCOUNT grant-full-access \
near account add-key $SAM_ACCOUNT grant-function-call-access \
--allowance '1 NEAR' --contract-account-id $MPC_CONTRACT_ACCOUNT --function-names "$NODE_METHODS" \
```
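Review bot: the two add-key commands quote `$NODE_METHODS` and `$SAM_PUBKEY` but leave `$SAM_ACCOUNT` and `$MPC_CONTRACT_ACCOUNT` unquoted; quote all four the same way (`near account add-key "$SAM_ACCOUNT" grant-function-call-access --allowance '1 NEAR' --contract-account-id "$MPC_CONTRACT_ACCOUNT" ...`) so a copied command cannot word-split or glob on an unexpected value, matching the follow-up commit that quotes expansions in launch-localnet.sh.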

Copilot AI Apr 9, 2026


NODE_METHODS is defined in the previous fenced code block, but the $SAM_ACCOUNT add-key commands are in a separate code block. If a reader copies only the SAM block, $NODE_METHODS will be undefined and near account add-key will fail. Consider either repeating the NODE_METHODS=... line in the second block or merging both Frodo/Sam commands into a single code block.

Contributor Author


fixed

barakeinav1 changed the title from "fix: use restricted access keys instead of full access keys for MPC nodes" to "chore: use restricted access keys instead of full access keys for MPC nodes" on Apr 9, 2026
- Merge Frodo/Sam code blocks so NODE_METHODS is always defined
- Quote variable expansions in launch-localnet.sh


Development

Successfully merging this pull request may close these issues.

update scripts and docs to use restricted access key instead of key full access key.
