sec gov

remollemo · remollemo · commit 57d5fa3fe852 · 2025-11-06T17:11:21.000+02:00
diff --git a/packages/utils/src/components/roles/interface.cairo b/packages/utils/src/components/roles/interface.cairo
@@ -12,6 +12,7 @@ pub type RoleId = felt252;
 // TOKEN_ADMIN         |   APP_ROLE_ADMIN
 // SECURITY_ADMIN      |   SECURITY_ADMIN
 // SECURITY_AGENT      |   SECURITY_ADMIN.
+// SECURITY_GOVERNOR   |   SECURITY_ADMIN.
 
 // int.from_bytes(Web3.keccak(text="ROLE_APP_GOVERNOR"), "big") & MASK_250 .
 pub const APP_GOVERNOR: RoleId = 0xd2ead78c620e94b02d0a996e99298c59ddccfa1d8a0149080ac3a20de06068;
@@ -45,6 +46,10 @@ pub const SECURITY_ADMIN: RoleId =
 pub const SECURITY_AGENT: RoleId =
     0x37693ba312785932d430dccf0f56ffedd0aa7c0f8b6da2cc4530c2717689b96;
 
+// int.from_bytes(Web3.keccak(text="ROLE_SECURITY_GOVERNOR"), "big") & MASK_250 .
+pub const SECURITY_GOVERNOR: RoleId =
+    0xa5a83e9807e87f281d865ab54b7b0ed2f7f4bbfef73888810ca16e95e734eb;
+
 #[starknet::interface]
 pub trait IRoles<TContractState> {
     fn is_app_governor(self: @TContractState, account: ContractAddress) -> bool;
@@ -56,6 +61,7 @@ pub trait IRoles<TContractState> {
     fn is_upgrade_governor(self: @TContractState, account: ContractAddress) -> bool;
     fn is_security_admin(self: @TContractState, account: ContractAddress) -> bool;
     fn is_security_agent(self: @TContractState, account: ContractAddress) -> bool;
+    fn is_security_governor(self: @TContractState, account: ContractAddress) -> bool;
     fn register_app_governor(ref self: TContractState, account: ContractAddress);
     fn remove_app_governor(ref self: TContractState, account: ContractAddress);
     fn register_app_role_admin(ref self: TContractState, account: ContractAddress);
@@ -75,6 +81,8 @@ pub trait IRoles<TContractState> {
     fn remove_security_admin(ref self: TContractState, account: ContractAddress);
     fn register_security_agent(ref self: TContractState, account: ContractAddress);
     fn remove_security_agent(ref self: TContractState, account: ContractAddress);
+    fn register_security_governor(ref self: TContractState, account: ContractAddress);
+    fn remove_security_governor(ref self: TContractState, account: ContractAddress);
     fn has_legacy_role(self: @TContractState, account: ContractAddress, role: RoleId) -> bool;
     fn reclaim_legacy_roles(ref self: TContractState);
 }
@@ -146,6 +154,18 @@ pub(crate) struct SecurityAgentRemoved {
     pub removed_by: ContractAddress,
 }
 
+#[derive(Copy, Drop, PartialEq, starknet::Event)]
+pub(crate) struct SecurityGovernorAdded {
+    pub added_account: ContractAddress,
+    pub added_by: ContractAddress,
+}
+
+#[derive(Copy, Drop, PartialEq, starknet::Event)]
+pub(crate) struct SecurityGovernorRemoved {
+    pub removed_account: ContractAddress,
+    pub removed_by: ContractAddress,
+}
+
 #[derive(Copy, Drop, PartialEq, starknet::Event)]
 pub(crate) struct SecurityAdminAdded {
     pub added_account: ContractAddress,
diff --git a/packages/utils/src/components/roles/roles.cairo b/packages/utils/src/components/roles/roles.cairo
@@ -4,9 +4,10 @@ pub(crate) mod RolesComponent {
         APP_GOVERNOR, APP_ROLE_ADMIN, AppGovernorAdded, AppGovernorRemoved, AppRoleAdminAdded,
         AppRoleAdminRemoved, GOVERNANCE_ADMIN, GovernanceAdminAdded, GovernanceAdminRemoved, IRoles,
         OPERATOR, OperatorAdded, OperatorRemoved, RoleId, SECURITY_ADMIN, SECURITY_AGENT,
-        SecurityAdminAdded, SecurityAdminRemoved, SecurityAgentAdded, SecurityAgentRemoved,
-        TOKEN_ADMIN, TokenAdminAdded, TokenAdminRemoved, UPGRADE_AGENT, UPGRADE_GOVERNOR,
-        UpgradeAgentAdded, UpgradeAgentRemoved, UpgradeGovernorAdded, UpgradeGovernorRemoved,
+        SECURITY_GOVERNOR, SecurityAdminAdded, SecurityAdminRemoved, SecurityAgentAdded,
+        SecurityAgentRemoved, SecurityGovernorAdded, SecurityGovernorRemoved, TOKEN_ADMIN,
+        TokenAdminAdded, TokenAdminRemoved, UPGRADE_AGENT, UPGRADE_GOVERNOR, UpgradeAgentAdded,
+        UpgradeAgentRemoved, UpgradeGovernorAdded, UpgradeGovernorRemoved,
     };
     use core::num::traits::Zero;
     use starknet::storage::StorageMapReadAccess;
@@ -36,6 +37,8 @@ pub(crate) mod RolesComponent {
         SecurityAdminRemoved: SecurityAdminRemoved,
         SecurityAgentAdded: SecurityAgentAdded,
         SecurityAgentRemoved: SecurityAgentRemoved,
+        SecurityGovernorAdded: SecurityGovernorAdded,
+        SecurityGovernorRemoved: SecurityGovernorRemoved,
         TokenAdminAdded: TokenAdminAdded,
         TokenAdminRemoved: TokenAdminRemoved,
         UpgradeGovernorAdded: UpgradeGovernorAdded,
@@ -97,6 +100,13 @@ pub(crate) mod RolesComponent {
             access_comp.has_role(role: SECURITY_AGENT, :account)
         }
 
+        fn is_security_governor(
+            self: @ComponentState<TContractState>, account: ContractAddress,
+        ) -> bool {
+            let access_comp = get_dep_component!(self, Access);
+            access_comp.has_role(role: SECURITY_GOVERNOR, :account)
+        }
+
         fn is_token_admin(self: @ComponentState<TContractState>, account: ContractAddress) -> bool {
             let access_comp = get_dep_component!(self, Access);
             access_comp.has_role(role: TOKEN_ADMIN, :account)
@@ -186,6 +196,25 @@ pub(crate) mod RolesComponent {
             self._revoke_role_and_emit(role: SECURITY_AGENT, :account, :event);
         }
 
+        fn register_security_governor(
+            ref self: ComponentState<TContractState>, account: ContractAddress,
+        ) {
+            let event = Event::SecurityGovernorAdded(
+                SecurityGovernorAdded { added_account: account, added_by: get_caller_address() },
+            );
+            self._grant_role_and_emit(role: SECURITY_GOVERNOR, :account, :event);
+        }
+
+        fn remove_security_governor(
+            ref self: ComponentState<TContractState>, account: ContractAddress,
+        ) {
+            let event = Event::SecurityGovernorRemoved(
+                SecurityGovernorRemoved {
+                    removed_account: account, removed_by: get_caller_address(),
+                },
+            );
+            self._revoke_role_and_emit(role: SECURITY_GOVERNOR, :account, :event);
+        }
 
         fn register_governance_admin(
             ref self: ComponentState<TContractState>, account: ContractAddress,
@@ -382,6 +411,7 @@ pub(crate) mod RolesComponent {
             access_comp._grant_role(role: SECURITY_ADMIN, account: governance_admin);
             access_comp.set_role_admin(role: SECURITY_ADMIN, admin_role: SECURITY_ADMIN);
             access_comp.set_role_admin(role: SECURITY_AGENT, admin_role: SECURITY_ADMIN);
+            access_comp.set_role_admin(role: SECURITY_GOVERNOR, admin_role: SECURITY_ADMIN);
         }
 
         fn only_app_governor(self: @ComponentState<TContractState>) {
@@ -432,5 +462,13 @@ pub(crate) mod RolesComponent {
                 AccessErrors::ONLY_SECURITY_AGENT,
             );
         }
+
+        fn only_security_governor(self: @ComponentState<TContractState>) {
+            assert!(
+                self.is_security_governor(get_caller_address()),
+                "{}",
+                AccessErrors::ONLY_SECURITY_GOVERNOR,
+            );
+        }
     }
 }
