Proxy deny by default

[l0r1s]

Proxy filters: deny-by-default, additive allow-lists

What

Reworks proxy call filtering from denylists (allow everything except…) to
additive allow-lists (deny unless explicitly granted). New extrinsics are
now denied by default until they are classified into a call group.

• call_groups.rs — a flat inventory of call groups. Each pallet is one
  group, split only where a proxy needs a subset. A call_filter_group! macro
  generates both the Contains filter and the CallFilterMetadata view from a
  single declaration, so they cannot drift.
• mod.rs — each ProxyType is an additive union of whole groups; the two
  amount/nested-call proxies (SmallTransfer, SudoUncheckedSetCode) are
  generated with where constraints. Also exposes the runtime-API metadata,
  derived from the same groups.
• Admin-utils calls are split strictly by their dispatch guard:
  owner-settable (ensure_sn_owner_or_root) vs root-only (ensure_root), so
  the Owner proxy no longer carries inert root-only grants.

Behavior

Preserves main's per-proxy permissions, with two intentional changes:

• Tightened denylist leaks: newer calls the old denylists allowed by
  omission are now denied for the broad proxies — reset_coldkey_swap
  (NonTransfer/NonFungible/NonCritical), and root_dissolve_network,
  schedule_swap_coldkey, swap_coldkey (NonCritical).
• SubnetLeaseBeneficiary now grants the full owner-settable subnet-management
  surface (was a narrower hand-picked list).

ProxyType indices and is_superset are unchanged (no storage migration).

Tests

• Coverage oracle: asserts the inventory matches RuntimeCall metadata exactly
  (GetCallMetadata) — fails if any call is unclassified.
• Golden tests: exact allow-list per narrow proxy; broad proxies cross-checked
  subtractively; owner/lease boundaries; tightened-leak guards.
• Conditional predicates: SmallTransfer amount limits and
  SudoUncheckedSetCode nested-call matching, exercised through the filter.

[github-actions]

🛡️ AI Review — Skeptic (security review)

VERDICT: SAFE

BASELINE scrutiny: l0r1s has repo write permission, a 2018 account, substantial contribution history, and no Gittensor allowlist hit; branch proxy-deny-by-default -> devnet-ready.

Static Skeptic review used the prefetched PR metadata, author signals, prior sticky, and full diff. The PR does not modify .github/ai-review/* or .github/copilot-instructions.md. I found no malicious code path, supply-chain escalation, prompt/workflow tampering, runtime panic introduced into dispatch filtering, or proxy permission expansion that creates a reachable privilege bypass.

Findings

No findings.

Conclusion

The diff moves proxy filtering to additive allow-lists and closes the previously-denylist-leaked coldkey/hotkey/owner-key paths without introducing a security finding. Verdict is SAFE.

---

🔍 AI Review — Auditor (domain review)

VERDICT: 👍

Gittensor: LIKELY by recent subtensor-focused PR history; author has write permission and is an established contributor, so review focused on runtime correctness and compatibility.

The PR body is substantive and matches the implementation: ProxyType indices stay stable, the broad proxy types are rebuilt as additive allow-lists, deprecated proxy types continue to deny all calls, and the runtime API now exposes allow-list metadata derived from the same call groups used by the executable filter.

Duplicate-work check: overlapping open PRs only appear to share common runtime/Cargo files; none looks like a competing proxy-filter implementation.

Auto-fix / verification notes: git diff --check passed. I attempted the targeted proxy-filter runtime tests with cargo test -p node-subtensor-runtime proxy_filters --lib, but the runner cannot create rustup temp files under the read-only home directory, so tests did not execute here. The local spec_version is unchanged at 423; I attempted the required devnet RPC check, but DNS resolution for dev.chain.opentensor.ai failed in this environment, so no spec-version auto-fix was applied.

Findings

No findings.

Conclusion

No blocking domain issues found in the proxy deny-by-default rewrite. The remaining risk is environmental: targeted tests and the live devnet spec-version comparison need to run in CI.

[github-actions]

🔄 AI review updated — Skeptic: SAFE Auditor: 👍