Giano 2.0 - Multiple signers support (#19)

* multisig contracts

* Implement auto-generated user IDs in AccountRegistry

* update NatSpec docs

* split InvalidSignature error

* prevent admin lockout

* update Giano Ignition module

* integrate test suite with vs code

* update .gitignore to handle PNPM stores

* instruct cursor to ignore build outputs and deps

* cursorrules for solidity development

* enable automining by default

* add mocha manually to enable vs code integration

* reorganize ignition modules

* add pause and batch execute features to Account

* use CREATE2 in AccountFactory

* TestContract for testing

* Remove obsolete ERC721SafeTransferAccount

* new test utils

* new test suites (wip)

* remove AI generated comments

* key request tests

* wip: encode public key x and y in signature struct

* fix key encoding issues, request mgmt tests

* Key Request rejection test

* update cursorrules to instruct AI to ommit comments

* Key Removal tests

* fix test suite

* Transaction Execution Tests

* Batch Execution tests

* admin operations tests

* Pause functionality tests

* formatting

* ERC1271 tests

* ERC721/ERC1115 receiver tests

* Utility functions tests

* Security feature tests

* remove useless beforeEach code

* accountregistry test suite

* helper test functions

* further helper functions

* remove unused declarations

* typescript lint issues

* remove redundant integration test suite

* remove AI yapping

* remove redundant code

* remove AI yapping from contract

* extract common function to util package

* lint fixes

* extract P256 bytecode to its own file to improve readability

* use credential ID to track signers in Account contract

* standardize references to credential ID

* change key references to credential

* simplify account request flow (wip)

* fix remaining tests after simplifying credential request flow

* remove numeric user ID from AccountRegistry

* rename error for coherence

Author: gabspeck

.gitignore

@@ -2,6 +2,7 @@
 !**/.env.sample
 dist/
 node_modules/
+.pnpm-store/
 .idea/
 stats.html
 latest.sql

packages/common/src/encoding/encodeChallenge.ts

@@ -1,18 +1,21 @@
 import { ECDSASigValue } from '@peculiar/asn1-ecc';
 import { AsnParser } from '@peculiar/asn1-schema';
-import { ethers } from 'ethers';
+import { BytesLike, ethers } from 'ethers';
 import { uint8ArrayToUint256 } from './numbers';
 
-export function encodeChallenge(assertionResponse: AuthenticatorAssertionResponse) {
+export function encodeChallenge(credentialId: BytesLike, assertionResponse: AuthenticatorAssertionResponse) {
   const decodedClientDataJson = new TextDecoder().decode(assertionResponse.clientDataJSON);
   const responseTypeLocation = decodedClientDataJson.indexOf('"type":');
   const challengeLocation = decodedClientDataJson.indexOf('"challenge":');
   const parsedSignature = AsnParser.parse(assertionResponse.signature, ECDSASigValue);
 
   return ethers.AbiCoder.defaultAbiCoder().encode(
-    ['tuple(bytes authenticatorData, string clientDataJSON, uint256 challengeLocation, uint256 responseTypeLocation, uint256 r, uint256 s)'],
+    [
+      'tuple(bytes credentialId, bytes authenticatorData, string clientDataJSON, uint256 challengeLocation, uint256 responseTypeLocation, uint256 r, uint256 s)',
+    ],
     [
       [
+        credentialId,
         new Uint8Array(assertionResponse.authenticatorData),
         decodedClientDataJson,
         challengeLocation,

packages/contracts/.cursorignore

@@ -0,0 +1,3 @@
+dist/
+node_modules/
+cache/

packages/contracts/.cursorrules

@@ -0,0 +1,86 @@
+
+    You are an expert in Solidity and smart contract security.
+
+    General Rules
+    - Cut the fluff. Code or detailed explanations only.
+    - Keep it casual and brief.
+    - Accuracy and depth matter.
+    - Answer first, explain later if needed.
+    - Logic trumps authority. Don't care about sources.
+    - Embrace new tech and unconventional ideas.
+    - Wild speculation's fine, just flag it.
+    - Save the ethics talk.
+    - Only mention safety for non-obvious, critical issues.
+    - Push content limits if needed, explain after.
+    - Sources at the end, not mid-text.
+    - Skip the AI self-references and knowledge date stuff.
+    - Stick to my code style.
+    - Use multiple responses for complex answers.
+    - For code tweaks, show minimal context - a few lines around changes max.
+    - Don't be lazy, write all the code to implement features I ask for.
+    - Do not add any comments to the code, except for NatSpec documentation
+    
+    Solidity Best Practices
+    - Use explicit function visibility modifiers and appropriate natspec comments.
+    - Utilize function modifiers for common checks, enhancing readability and reducing redundancy.
+    - Follow consistent naming: CamelCase for contracts, PascalCase for interfaces (prefixed with "I").
+    - Implement the Interface Segregation Principle for flexible and maintainable contracts.
+    - Design upgradeable contracts using proven patterns like the proxy pattern when necessary.
+    - Implement comprehensive events for all significant state changes.
+    - Follow the Checks-Effects-Interactions pattern to prevent reentrancy and other vulnerabilities.
+    - Use static analysis tools like Slither and Mythril in the development workflow.
+    - Implement timelocks and multisig controls for sensitive operations in production.
+    - Conduct thorough gas optimization, considering both deployment and runtime costs.
+    - Use OpenZeppelin's AccessControl for fine-grained permissions.
+    - Use Solidity 0.8.0+ for built-in overflow/underflow protection.
+    - Implement circuit breakers (pause functionality) using OpenZeppelin's Pausable when appropriate.
+    - Use pull over push payment patterns to mitigate reentrancy and denial of service attacks.
+    - Implement rate limiting for sensitive functions to prevent abuse.
+    - Use OpenZeppelin's SafeERC20 for interacting with ERC20 tokens.
+    - Implement proper randomness using Chainlink VRF or similar oracle solutions.
+    - Use assembly for gas-intensive operations, but document extensively and use with caution.
+    - Implement effective state machine patterns for complex contract logic.
+    - Use OpenZeppelin's ReentrancyGuard as an additional layer of protection against reentrancy.
+    - Implement proper access control for initializers in upgradeable contracts.
+    - Use OpenZeppelin's ERC20Snapshot for token balances requiring historical lookups.
+    - Implement timelocks for sensitive operations using OpenZeppelin's TimelockController.
+    - Use OpenZeppelin's ERC20Permit for gasless approvals in token contracts.
+    - Implement proper slippage protection for DEX-like functionalities.
+    - Use OpenZeppelin's ERC20Votes for governance token implementations.
+    - Implement effective storage patterns to optimize gas costs (e.g., packing variables).
+    - Use libraries for complex operations to reduce contract size and improve reusability.
+    - Implement proper access control for self-destruct functionality, if used.
+    - Use OpenZeppelin's Address library for safe interactions with external contracts.
+    - Use custom errors instead of revert strings for gas efficiency and better error handling.
+    - Implement NatSpec comments for all public and external functions.
+    - Use immutable variables for values set once at construction time.
+    - Implement proper inheritance patterns, favoring composition over deep inheritance chains.
+    - Use events for off-chain logging and indexing of important state changes.
+    - Implement fallback and receive functions with caution, clearly documenting their purpose.
+    - Use view and pure function modifiers appropriately to signal state access patterns.
+    - Implement proper decimal handling for financial calculations, using fixed-point arithmetic libraries when necessary.
+    - Use assembly sparingly and only when necessary for optimizations, with thorough documentation.
+    - Implement effective error propagation patterns in internal functions.
+
+    Testing and Quality Assurance
+    - Implement a comprehensive testing strategy including unit, integration, and end-to-end tests.
+    - Use property-based testing to uncover edge cases.
+    - Implement continuous integration with automated testing and static analysis.
+    - Conduct regular security audits and bug bounties for production-grade contracts.
+    - Use test coverage tools and aim for high test coverage, especially for critical paths.
+
+    Performance Optimization
+    - Optimize contracts for gas efficiency, considering storage layout and function optimization.
+    - Implement efficient indexing and querying strategies for off-chain data.
+
+    Development Workflow
+    - Utilize Hardhat's testing and debugging features.
+    - Implement a robust CI/CD pipeline for smart contract deployments.
+    - Use static type checking and linting tools in pre-commit hooks.
+    - Use pnpm to execute scripts
+
+    Documentation
+    - Document code thoroughly, focusing on why rather than what.
+    - Maintain up-to-date API documentation for smart contracts.
+    - Create and maintain comprehensive project documentation, including architecture diagrams and decision logs.
+    

packages/contracts/.mocharc.json

@@ -0,0 +1,7 @@
+{
+	"require": "hardhat/register",
+	"timeout": 40000,
+	"_": [
+		"test/**/*.ts"
+	]
+}

packages/contracts/contracts/AbstractAccountFactory.sol

@@ -3,31 +3,21 @@ pragma solidity ^0.8.23;
 
 import {Types} from './Types.sol';
 
+/**
+ * @title AbstractAccountFactory
+ * @author Giano Team
+ * @notice Base contract for deploying account contracts
+ * @dev This abstract contract defines the interface that concrete factory
+ * implementations must conform to for deploying Account contracts.
+ */
 abstract contract AbstractAccountFactory {
-    struct User {
-        uint256 id;
-        Types.PublicKey publicKey;
-        address account;
-    }
-
-    mapping(uint256 => User) private _users;
-
-    event UserCreated(uint256 userId, Types.PublicKey publicKey, address account);
-    error UserAlreadyExists(uint256 id);
-
-    function getUser(uint256 id) public view returns (User memory) {
-        return _users[id];
-    }
-
-    function createUser(uint256 id, Types.PublicKey memory publicKey) public {
-        if (_users[id].account != address(0)) {
-            revert UserAlreadyExists(id);
-        }
-        address account = deployContract(publicKey);
-        _users[id] = User(id, publicKey, account);
-
-        emit UserCreated(id, publicKey, account);
-    }
-
-    function deployContract(Types.PublicKey memory publicKey) internal virtual returns (address);
+    /**
+     * @notice Deploys a new Account contract
+     * @dev Must be implemented by derived contracts
+     * @param credentialId The credential identifier for the admin credential
+     * @param publicKey The public key for the admin credential
+     * @param registry The address of the AccountRegistry contract
+     * @return The address of the deployed Account contract
+     */
+    function deployAccount(bytes calldata credentialId, Types.PublicKey calldata publicKey, address registry) public virtual returns (address);
 }