fix(permission): exclude disabled ContractType 51 and surface unknown ops in update-permission UI#4
Closed
Federico2014 wants to merge 2 commits into
Closed
Conversation
* feat: stdin credential input * feat: ledger support * feat: address book alias support * fix: harden standard cli ledger and aliases * ops: update version * fix: zero password buffers and rename misleading APDU constant (tronprotocol#932) * fix: ledger app-not-open detection and quiet-flag leak - Split LedgerAddressUtil.getTronAddress into getRawAddressResponse + parseTronAddress so callers can inspect APDU status words before parsing - Add LedgerPorts.AppNotOpenException for APDU 0x6511 (Tron app not open), distinct from a null return (device not found / address mismatch) - NonInteractiveLedgerSigner catches AppNotOpenException and returns APP_NOT_OPEN outcome instead of NOT_CONNECTED - ProductionLedgerPorts uses try-finally to unconditionally reset standardCliQuiet after executeSignListen returns, fixing permanent stdout suppression when device times out without a HID callback - AliasResolutionException overrides fillInStackTrace as a no-op to avoid unnecessary stack capture on control-flow exceptions Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> * fix: correctly detect app-not-open when Ledger HID open() fails On some OS/firmware combinations, HidDevice.open() returns false when the Tron app is not running, causing getLedgerHidDevice() to return null and the signer to report NOT_CONNECTED instead of APP_NOT_OPEN. - Add HidServicesWrapper.hasAnyLedgerAttached() to distinguish "no device" from "device present but not openable" - Throw AppNotOpenException in ProductionLedgerPorts when getHidDevice() returns null but a Ledger is physically attached - Also check the return value of the second device.open() call (B2 path) which was previously ignored, causing the same misclassification - Add test: returnsAppNotOpenWhenFinderThrowsAppNotOpenException Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> * fix: zero password buffers in StdinPasswordReader and rename misleading APDU constant - StdinPasswordReader.readAll wraps the read/parse in try-finally and Arrays.fill the chunk and bytes buffers before returning, matching the defensive pattern already used in StandardCliRunner.authenticate. The returned String still holds the password in its own char[], but the intermediate byte arrays no longer linger on the heap until GC. - Rename APDU_APP_IS_OPEN to APDU_APP_NOT_OPEN. The Javadoc and the error message ("Open the Tron app on your Ledger device") already treat 0x6511 as the "not open" signal; the identifier now matches. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> --------- Co-authored-by: Will <> Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com> * chore: untrack superpowers plans, bump nile USDT alias, expand ledger timeout message - Remove docs/superpowers from git tracking (already in .gitignore, files remain on disk); add .vscode/ to .gitignore alongside. - Update Nile testnet USDT alias to TXYZopYRdj2D9XRtbG411XZZ3kM5VkAeBf. - Expand NonInteractiveLedgerSigner timeout message with device-side recovery guidance, mirroring the REPL mode wording in LedgerSignUtil#requestLedgerSignLogic. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> --------- Co-authored-by: zerodevblock-cyber <zerodevblock@gmail.com> Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com> Co-authored-by: Will <>
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
Federico2014
force-pushed
the
fix/update-permission-shielded-op51
branch
2 times, most recently
from
38d4d9d to
587494d
Compare
Federico2014
changed the title
Federico2014
force-pushed
the
fix/update-permission-shielded-op51
branch
from
587494d to
d9aa970
Compare
Federico2014
force-pushed
the
fix/update-permission-shielded-op51
branch
from
d9aa970 to
a496006
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes two related problems in the interactive
updateaccountpermissionflow, both stemming from how the active-permission operations bitmap is handled.1. Default active permission grants a disabled ContractType (the reported failure)
When an account has no existing active permission, the flow applied a hardcoded default operations bitmap that granted ContractType 51 (ShieldedTransferContract). Shielded transfer is disabled on mainnet and most networks, so the node rejected the whole
AccountPermissionUpdate:This triggered even when the user only edited owner_permission, because the default active permission is auto-applied.
Fix: clear bit 51 in the default bitmap (
UpdateAccountPermissionInteractive.java): byte index 60xfb->0xf3, i.e.7fff1fc0033efb0f...->7fff1fc0033ef30f.... This matches the canonicalALL_OPERATIONS/AVAILABLE_OPERATIONSlists in the same file, which already exclude 51.2. Unknown/disabled ops were silently hidden and undeletable in the UI
Operations absent from
operationsMap(such as the disabled ContractType 51) were filtered out of the preview and the edit/delete menus. As a result a user could neither see nor remove such an op through the interactive UI — making the problem above impossible to self-diagnose or fix manually.Fix: add
opLabel(code)andcontractTypeName(code)helpers and render every operation with a visible placeholder (e.g.Unsupported/Disabled op 51) instead of dropping it. Four sites updated:editActivePermissions(removed the silent.filter(...))printPermissionSummarypreviewprintPermissionDetailfinal previewAn unknown/disabled op is now visible and deletable.
Verification
./gradlew compileJavapasses.Scope
UpdateAccountPermissionInteractive.java.AVAILABLE_OPERATIONS(which excludes 51), so it was left unchanged.Fixes #3