https://github.com/NEARFoundation/near-contract-tools/blob/6a5992033dc4a092a5d45d64b4f205ce9aeb2939/src/owner.rs#L55-L67

Update workspaces version and clean up the tests in workspaces to follow best practices

For smart contracts that manage multiple NEP-141 tokens in a treasury and issue a backed token. Inspired by the Skyward Finance hack. Should work well in conjunction with the existing NEP-141 infrastructure in this package (optional).

• Provides mint and redeem actions. Each action could be exposed / limited / permissioned by the contract author as desired.
• Mint action is backed by something (token, NEAR native, etc.). This would be specified by the contract author, probably via some sort of hook.
• Redeem action would return the backing asset(s) to the redeemer.
• Mechanism for controlled / limited release (e.g. time release, cliff / vest schedule, etc.)

Request for comments

• Design suggestions
• Should the component that would solve the Skyward issue be a "backed token" (i.e. NEP-141 extension of sorts) or a "treasury manager" (contract-agnostic multi-token (NEP-141 only?) manager)
• Is this component in-scope for this project? It is definitely a little bit more "niche" in use-case, but I think if the component is sufficiently generalized, it could be useful for implementing:
  • Arbitrary token lockups (cliff/vest schedule)
  • Backed tokens (single- and multi-asset)
  • DAO treasuries

https://github.com/near/NEPs/blob/master/neps/nep-0141.md#event-interface

Probably should just add a batch modifier to the event macro that makes it a Vec instead.

I think "yes" and "possibly". Smart contract programming is pretty similar to embedded systems programming.

A few ways to implement multisig:

1. Follow a preexisting pattern (e.g. copy/translate from core-contracts/multisig2).
   • Pros: Logic & structures predefined, pattern is somewhat well-known (at least, not new)
   • Cons: Code is not very well-maintained, large, complex (complexity = opportunity for error), not NEP-standardized, and such a standard would likely take a long time due to the complexity
2. Implement our own: state machine (similar logic to core-contracts version)
   • Pros: We can clean up the logic from core-contracts a lot and simplify as necessary
   • Cons: Still relatively complex, and that comes with the same NEP approval difficulties.
3. Implement our own: tx queue/approval. The idea is to accept an arbitrary transaction-like blob and simply sign&send when quorum is reached.
   • Pros: Simpler than state machine model, since we don't have to re-implement every possible action in our own custom data structures. Management actions (e.g. add member) could be implemented as normal #[private] functions which are called via normal, reflexive FUNCTION_CALL proposal blobs. Possibly easier to standardize as NEP since the logic is simpler.
   • Cons: Contract will have to do a little extra legwork (tx blob parsing) if it wants to implement any sort of limits on what sort of actions can be proposed, since this implementation would be written for generically signing opaque transaction blobs. I'm not aware if this pattern has been implemented before (on NEAR), so this would be new technology. Requires more testing, and I'm not even absolutely sure it's possible since I've not written a PoC.
4. Implement our own: transaction signing protocol. Accept a transaction blob and an array of signatures (generated off-chain).
   • Pros: Probably the most straightforward implementation of multisig.
   • Cons: Suffers from the same lack of control as option 3 since it accepts an opaque blob. Requires some sort of off-chain mechanism for generating signatures.

Standards like NEP-141 have a field called reference_hash, described as:

the base64-encoded sha256 hash of the JSON file contained in the reference field.

With compile-time macros, it is possible to automatically download the reference field and calculate the hash. This would be immensely convenient for quickly adding an additional layer of security. Currently, not very many fungible tokens use the reference, and therefore the reference_hash fields, but the ones that do use reference don't seem to use reference_hash. This may be due to projects wanting to keep non-volatile metadata on-chain and volatile metadata off-chain, where it's easier to maintain control of and update.

Regardless, this would be a really cool feature to have.

For example, ownership::Ownership::propose_owner_internal would not call require_owner or emit an OwnershipEvent::Propose event.

For Owner, it might make more sense to just have a non-event-emitting version of update_owner and update_proposed. For Pause, set_is_paused already doesn’t emit events or have any require! calls, so it wouldn’t require updating for this issue. I think the method names could use some work though, i.e. just by looking at the name of the method I should be able to tell whether it emits events & performs, for example, predecessor checks, and also the method that does perform those things should appear to the untrained eye as the “natural” choice. Hence, I had initially thought using names like update_owner_internal would be a good idea, but maybe update_owner_unchecked would be a better choice.

This is essentially the question: Which derive macros expose external methods that are not yet standardized via an NEP?

In order to be merged into SDK, a component's Exposes Interface? column should match its NEP Standard column.

Ref: state machine-like implementation in core contracts

It's not technically unsafe.

Macro that adds an external method that returns the commit hash of the build.

This should be possible because macros run at compile time.

Existing similar NEP: https://github.com/near/NEPs/blob/master/neps/nep-0330.md

Possible Example Usage

trait BuildId {
    fn build_id(&self) -> String;
}

#[derive(BuildId)]
#[derive(BorshSerialize, BorshDeserialize, PanicOnDefault)]
#[near_bindgen]
pub struct MyContract {
    // ...
}

let contract = MyContract::new();
println!("{}", contract.build_id()); // 6a5992033dc4a092a5d45d64b4f205ce9aeb2939

For ease-of-use

rls fails with just the previous version of rustc.

[ERROR rust_analyzer::lsp_utils] failed to run build scripts

error: package `near-jsonrpc-primitives v0.15.0` cannot be built because it requires rustc 1.64.0 or newer, while the currently active rustc version is 1.63.0

The tooling can be informed of hard requirement by adding a rust-toolchain.toml with the following. Then it works properly.

[toolchain]     
channel = "1.64"

Will help to clean up the macro boilerplate

This issue is resolved when all of the below point are resolved or moot:

• Should the name of the package be changed?
• To what should the name of the package be changed?
• All internal references/mentions have been updated, the repository has been moved, the old package has been deprecated on crates.io, and the renamed package has been published to crates.io.

This could mean:

• Changing the current Rbac to support role holder enumeration. This would be a state-breaking change.
• Adding an EnumerableRbac alternative that supports enumeration.

#[event(standard = "x-name-collision", version = "1.0.0")]
enum NameCollision {
    First,
    #[nep297(name = "first")]
    Second,
}

println!("{}", NameCollision::First.to_event_string());
println!("{}", NameCollision::Second.to_event_string());

Output:

EVENT_JSON:{"standard":"x-name-collision","version":"1.0.0","event":"first","data":null}
EVENT_JSON:{"standard":"x-name-collision","version":"1.0.0","event":"first","data":null}

Though this technically has a "valid" use-case (wherein a single event's data can take multiple forms), it is almost always better to use another enum for the metadata type instead of having two events using the same name.

This issue is resolved when the above code produces a compiler error. Obviously it is much more difficult to make separate macro invocations produce a compiler error together, even if they are using the same standard field value.

Specify the path of near-contract-tools. Every crate that is used in a macro should be able to be specified like this (serde, near-sdk, etc.).

A method and macro attribute standard for the pause utility is named paus which looks inconsistent compared to other methods which are named with full pause.

https://github.com/NEARFoundation/near-contract-tools/blob/aad160bb15455eff3bb3b733d0e9da46bb01ceae/macros/src/pause.rs#L46-L49

https://github.com/NEARFoundation/near-contract-tools/blob/aad160bb15455eff3bb3b733d0e9da46bb01ceae/src/pause.rs#L25-L32

It would be very neat to have a standardized way of upgrading a smart contract and migrating its state to mitigate common security vulnerabilities.

• Should provide a callback for calling a migration state
• Can only be executed with a full access key or by the contract owner.
• Possibly support storing the previous state of the contract in case of an immediate rollback

Add event emission to Rbac functions

Like a generic version of Owner. Like Rbac, but there is a 1:0..1 relationship between an identity and an account ID. It will also be possible to retrieve the holder of an identity (enumeration is not possible in the current version of Rbac). Identity transfer (via propose/accept) and renunciation are optionally allowed.

Possible Example

enum Identity {
    Owner,
    Administrator,
    Manager,
}

#[derive(Identities)]
#[identities(identities = "Identity")]
#[near_bindgen]
struct MyContract {}

#[near_bindgen]
impl MyContract {
    #[init]
    fn init() -> Self {
        let mut contract = Self {};

        contract.initialize_identity(&Identity::Owner, env::predecessor_account_id());
        contract.initialize_identity(&Identity::Administrator, env::predecessor_account_id());
        contract.initialize_identity(&Identity::Manager, env::predecessor_account_id());
    }

    fn only_owner(&self, account: AccountId) {
        self.require_identity(&Identity::Owner);
    }

    fn only_administrator(&self, account: AccountId) {
        self.require_identity(&Identity::Administrator);
    }
}

impl IdentityHook<Identity> for MyContract {
    fn on_transfer(identity: &Identity, from: AccountId, to: AccountId) -> Result<(), ?> { }

    fn on_propose(identity: &Identity, account: AccountId) -> Result<(), ?> { }

    fn on_accept(identity: &Identity, account: AccountId) -> Result<(), ?> { }
}

Would expose the following interface to the blockchain:

(Caveat: Identities need a to/from string serialization)

trait IdentityExternal<Identity> {
    fn id_is(&self, account: AccountId, identity: Identity) -> bool;
    fn id_get(&self, identity: Identity) -> Option<AccountId>;
    fn id_renounce(&mut self, identity: Identity);
    fn id_propose(&mut self, identity: Identity, to: AccountId);
    fn id_accept(&mut self, identity: Identity, from: AccountId);
}

We should show examples about how to write a contract that uses this library.

For example, see #39 (comment)

We'll want to instruct how to make error messages human-readable, such as via:

self.approve_request(request_id)
    .map_err(|e| env::panic_str(&e.to_string()))
    .unwrap()

Let's add (in a separate repo if necessary... and this one can link to it) complete examples of projects taking advantage of near-contract-tools.

E.g. https://github.com/NEARFoundation/near-contract-tools/blob/01a64242717af71a27fa49197a96912d1c5aeedb/README.md#fungible-token isn't enough to get me started. Part (most?) of it is that I'm new to Rust, but I'm having trouble knowing where to put these lines, what Cargo.toml needs to contain, how to build the project, etc. So a full working example would be helpful.

I looked at https://github.com/NEAR-Edu/near-certification-tools/blob/938255e1adbecbe0605c2749f9a7ebd9a9df317a/data-contract/src/contract.rs#L5 but couldn't figure it out. (Maybe certain types of macros are different from "derive" macros?

On proposal/request creation, approval (ensure there's something in the approval event that makes it clear when it is fully approved & can be executed), and execution.

Currently, many of the components are composed of traits that contain methods that are primarily (nigh exclusively) for internal use (e.g. many of them have a root() function that returns a Slot). For someone who isn't super familiar with how this library works, these methods may appear to be freely usable, and may unintentionally cause the component to malfunction by their misuse.

There are a few ways we could think about fixing this problem:

1. Just be really clear in the documentation which functions are for general use and which ones are internal.
2. Rename the functions…
   a. …by prefixing with an underscore (e.g. root -> _root).
   b. …by prefixing with a word (e.g. root -> internal_root).
3. We could consider using #[doc(hidden)], but I don't think that's really what that attribute is for.
4. Split the internal functions off into a separate trait.
5. Restructure the entire library such that hidden/private functions are actually hidden/private. Probably quite difficult to do at this point in the library's development, plus it would almost definitely make the derive macros more complicated to correctly implement.

Add prohibit_role function to Rbac module so that roles can also be used for blacklisting.

The top level doc page for the package shows the modules but not the traits it offers.

Since the primary aim of this repo is to capture common patterns as traits. They can be exposed at the top level. This is will also expose those traits in the top level documentation. This can be done by re-exporting them from lib.rs.

Again we can take a cue from serde docs and lib.rs

Proper version specification & optionality.

For all components

https://nomicon.io/Standards/Tokens/FungibleToken/Core

Create a checklist that every new derive macro must accomplish before it can be merged / considered completed.

Replace the on_migrate attribute in the Migrate macro with the hooks pattern like that used in nep141.

Switch to https://github.com/dtolnay/rust-toolchain

See: actions-rs/toolchain#216 (comment)

For consistency with the rest of the crate, they should be refactored to remove the &self argument.

Rust docs makes it easy to hyperlink doc items by name. This makes it easier to navigate the docs because the reader can quickly jump to the definition of an item being referred.

That being said hyperlinking everything everywhere can make the docs look noisy and hinder readability. This is somewhat subjective but some general rules of thumb -

• Only need to hyperlink items in this crate
• If an items is mentioned multiple times in a paragraph or couple of paragraphs, hyperlinking the first time it's mentioned is good enough
• If a many items from a module are enumerated (like in bulleted list) hyperlinking the module is good enough

from discussion in #73

For assistance on the audit, every component should have a list of invariants / assumptions for use and for every function. For example, the Owner component's list would include:

• The root storage key is not used for any other data.
• Only the owner will ever be able to call own_renounce_owner, own_propose_owner.
• Only the account most recently proposed (by the current owner, via own_propose_owner) will be able to call own_accept_owner.
• After own_accept_owner has been called, the formerly "proposed owner" will become the owner, and the former owner will be removed. There will not be a "proposed owner".
• Et cetera.

This list should appear in the module level documentation comments for each component.

It would be nice to eliminate the missing docs clippy issue as well, without having to resort to #![allow(missing_docs)] for every module.

This functionality had been removed for reasons later shown to be invalid. This functionality should be restored.

The Cow stuff is kinda dumb.

We should have a discussion about supporting WebAssembly Interface Types (WIT). This would make near-contract-tools compatible with tools like the RAEN suite, which allows contracts to self-report ABI for use in tools like RAEN Admin.

Relevant links:

• https://github.com/bytecodealliance/wit-bindgen
• https://github.com/bnjjj/witgen

Support multiple, binary state flags.

Inspired by the functionality of the pause component in Aurora's NEAR plugins repo: https://github.com/aurora-is-near/near-plugins#pausable

Discussion Points

• No function decorators if the decorator would be equivalent to a simple function call (see Owner::require_owner). We're trying to stay away from Solidity-style implementations in favor of Rust.
• Flags should be implemented as an enum, similar to how roles are for Rbac.
• It is probably worth investigating whether bit packing (e.g. using bitflags) is as gas-efficient as checking for storage key existence. If flags are not purely binary, then this point is moot (bit packing is impossible). For example, bit packing would be impossible:

  enum MyFlags {
      PausedOne(u8),
      PausedTwo,
  }

Proposed Usage

(derives on MyFlags as of yet undetermined)

enum MyFlags {
    PausedOne,
    PausedTwo,
}

#[derive(Flags)]
#[flags(flags = "MyFlags", storage_key = "StorageKey::Flags")]
struct Contract {
    // ...
}

impl Contract {
    fn one(&self) {
        Self::require_flag_unset(MyFlags::PausedOne);
        // ...
    }

    fn set_one(&self, on: bool) {
        if on {
            Self::set_flag(MyFlags::PausedOne);
        } else {
            Self::unset_flag(MyFlags::PausedOne);
        }
    }

    // similar for MyFlags::PausedTwo
}

For example, "Unauthorized" in https://github.com/NEARFoundation/near-contract-tools/blob/main/src/rbac.rs#L43 could be extracted to a constant called something like REQUIRE_ROLE_FAIL_MESSAGE or something like that.

Alternatively, change the function signature (or add new functions) that accept a fail_message parameter to allow contract authors to customize the messages to their liking.

Use owned values

It's a bit inconvenient to use borrowed values everywhere, but they are technically more memory-efficient. However, since they're pretty volatile (i.e. probably never appear in smart contract storage), maybe it is better to use owned values, since they'd be easier to read and work with.

Remove generic from Event trait

Essentially translating the /tests/macros/ folder into workspaces tests.