Solution: LP-0013 - Token Program Improvements: Authorities

[bristinWild]

Implements LP-0013: mint authority model for the LEZ token program.

What's implemented

• lez-authority/ — standalone agnostic AuthoritySlot library (RFP-001)
• mint_authority: Option<[u8; 32]> field on TokenDefinition::Fungible
• NewFungibleDefinitionWithAuthority instruction
• SetAuthority instruction — atomic rotation and permanent revocation
• Mint updated — authority-gated, deterministic rejection when revoked
• Guest binary wired with all new instructions
• artifacts/token-idl.json regenerated via idl-gen
• 2 E2E integration tests for authority lifecycle
• 119 unit tests passing across all programs
• docs/LP-0013-README.md — architecture, CLI usage, CU costs, program ID
• scripts/demo-full-flow.sh — end-to-end demo with RISC0_DEV_MODE=0
• scripts/examples/ — fixed supply + variable supply examples

##Demo video

Link - https://youtu.be/4E7lBgdNwb4

Original submission

logos-co/lambda-prize#56 (as requested by @fryorcraken)

[bristinWild]

Hi @fryorcraken, workflow approval needed for CI to run on this PR when you get a chance. Thanks!

[Copilot]

Pull request overview

Implements LP-0013 mint-authority support for the token program by extending the fungible token definition with an optional mint_authority, adding creation + authority-management instructions, wiring guest dispatch/IDL, and adding docs/tests/scripts demonstrating the authority lifecycle.

Changes:

• Add mint_authority: Option<[u8; 32]> to TokenDefinition::Fungible, plus NewFungibleDefinitionWithAuthority and SetAuthority instructions.
• Update mint to reject minting when authority is revoked (mint_authority == None) and add unit/integration tests for the authority lifecycle.
• Add the standalone lez-authority crate, regenerate IDL artifacts, and add docs/demo/example scripts for LP-0013.

Reviewed changes

Copilot reviewed 25 out of 26 changed files in this pull request and generated 10 comments.

Show a summary per file

File	Description
token-authority.idl.json	Adds an additional IDL-like JSON file describing the token program + authority instructions.
scripts/examples/variable_supply_token.sh	Example script for authority rotation on a variable-supply token.
scripts/examples/fixed_supply_token.sh	Example script for revoking authority to create a fixed-supply token.
scripts/demo-full-flow.sh	End-to-end demo script using lgs + spel to exercise the authority lifecycle.
programs/token/src/tests.rs	Updates fixtures for new mint_authority field and adds authority unit tests.
programs/token/src/set_authority.rs	New handler for rotating/revoking mint authority.
programs/token/src/new_definition.rs	Initializes mint_authority for existing creation flows and adds new_fungible_definition_with_authority.
programs/token/src/mint.rs	Adds rejection when mint authority is revoked.
programs/token/src/lib.rs	Exposes the new set_authority module.
programs/token/src/burn.rs	Updates fungible match to include mint_authority.
programs/token/methods/guest/src/bin/token.rs	Wires guest entrypoints for new_fungible_definition_with_authority and set_authority.
programs/token/core/src/lib.rs	Extends core instruction enum + token definition with mint_authority.
programs/stablecoin/src/tests.rs	Updates token definition test fixtures to include mint_authority: None.
programs/integration_tests/tests/token.rs	Adds integration tests for “create with authority” and “revoke authority”.
programs/integration_tests/tests/stablecoin.rs	Updates token definition fixtures to include mint_authority: None.
programs/integration_tests/tests/ata.rs	Updates token definition fixtures to include mint_authority: None.
programs/integration_tests/tests/amm.rs	Updates token definition fixtures and a fungible definition matcher to include mint_authority.
programs/ata/src/tests.rs	Updates token definition fixtures to include mint_authority: None.
programs/amm/src/tests.rs	Updates token definition fixtures to include mint_authority: None.
programs/amm/src/new_definition.rs	Updates LP token definition to include mint_authority: None.
lez-authority/src/lib.rs	New program-agnostic AuthoritySlot library + unit tests.
lez-authority/Cargo.toml	Adds crate manifest for lez-authority.
docs/LP-0013-README.md	New design/usage documentation for LP-0013, including CLI + demo instructions.
Cargo.toml	Adds lez-authority to the workspace members.
Cargo.lock	Locks the new workspace crate dependency graph.
artifacts/token-idl.json	Regenerated IDL including the new instruction(s) and mint_authority field.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[bristinWild]

Addressed all Copilot review items and integration test gaps:
High (both fixed):

mint.rs: now validates account_id == mint_authority key before allowing mint - previously only checked is_some(), so anyone controlling the definition account could mint regardless of who the stored authority was
set_authority.rs: now validates caller matches stored key before rotation/revoke - previously only checked is_authorized, so the stored key was metadata only and never enforced

Medium:

Demo script: fixed account new --public flag (was missing --, would produce empty account IDs on a clean machine)
Demo script: removed || true from spel transaction commands so failures surface instead of being silently swallowed
Demo script: updated test count to 60

Integration tests (same root cause as unit tests):

authority_key now derived from Ids::token_definition() (real signer account ID derived from PrivateKey([10; 32])) instead of hardcoded [9; 32] - the old value never matched the actual signer so SetAuthority and Mint would have failed against the live sequencer
All affected asserts updated to reflect correct post-state

Style:

Replaced .unwrap() with .expect() on try_into() calls per clippy -D unwrap_used
Removed trailing newline in set_authority.rs

Results: 60 unit tests + 16 integration tests passing (RISC0_DEV_MODE=1 and RISC0_DEV_MODE=0), fmt and clippy clean.

[3esmit]

I will let Copilot review until it generates no more comments than I will review it

[Copilot]

Pull request overview

Copilot reviewed 25 out of 26 changed files in this pull request and generated 6 comments.

[bristinWild]

Pushed a substantial refactor addressing all Copilot review items (commits 308de62 → 0b8d4c2):

1. Authority model reworked to a proper signer check. mint and set_authority now take an explicit authority_account that must sign, with the check routed through lez-authority's AuthoritySlot::check/set so authorization is against the actual transaction signer, not the definition account's own ID. This also makes the token program genuinely consume lez-authority (RFP-001) rather than reimplementing inline.
2. Reject all-zero mint_authority at creation (RFP-001 reliability).
3. Removed the stale root-level token-authority.idl.json; regenerated artifacts/token-idl.json.
4. Rewrote both example scripts to use the verified spel flow and removed the misleading verification claims.
5. 56 unit + 16 integration tests passed under fmt + clippy clean; IDL check passes locally.

[Copilot]

Pull request overview

Copilot reviewed 25 out of 27 changed files in this pull request and generated 4 comments.

[0x-r4bbit]

Hey @bristinWild !

Thank you for the PR.
Just wanted to let you know that we're reviewing this!

[bristinWild]

Hey @3esmit @0x-r4bbit , thank you for reviewing .

Just pushed some slight refactor addressing all Copilot review points.

Thank you.

[0x-r4bbit]

Okay so I went through this and found a couple of things that are worth looking into.

@gravityblast @3esmit please review these comments as well.

TLDR:

• I think the lez-authority should, if possible and feasible provide types/traits to extend program types and provide they authority functionality
• I don't think we should introduce a new instruction to add authorities, and rather make it mandatory in the normal one
• Currently, this breaks the AMM because it loses authority over its LP minting

[0x-r4bbit]

This looks like a problem.
The AMM creates a fungible token definition and has its mint_authority set to None which translates to minting being "revoked".

But after pool creation, we do need to mint more tokens in the future when liquidty is added to the pool.

The pool definition account (which is a PDA controlled by the AMM), should have authority to mint more tokens.

[0x-r4bbit]

I think we can fold this into NewFungibleDefinition, where we would decide with mint_authority: Option whether there's a fixed supply or not (or if authority has been removed).

[0x-r4bbit]

Nit: let's remove the LP-0013 related comment here

[0x-r4bbit]

Looking at this, it seems like AuthoritySlot isn't actually buying us much.
All we're doing here is wrapping the option so we can call check and rotate_authority etc on it.

I think to properly integrate this authority type, it needs to be used in the TokenDefinition itself.
Something along the lines of:

#[derive(BorshSerialize, BorshDeserialize, Clone, PartialEq, Eq, Debug)]
pub struct Authority(Option<[u8; 32]>);

impl Authority {
    pub fn authority(&self) -> Option<[u8; 32]> { self.0 }
    pub fn check(&self, signer: [u8; 32]) -> Result<(), AuthorityError> { /* … */ }
    pub fn rotate(&mut self, signer: [u8; 32], new: Option<[u8; 32]>) -> Result<(), AuthorityError> { /* … */ }
}

A program "inherits the owner slot" by embedding it:

enum TokenDefinition {
    Fungible { name: String, total_supply: u128, metadata_id: Option<AccountId>, authority: Authority },
    NonFungible { /* … */ },
}

Then maybe, we can have an Ownable trait:

pub trait Ownable {
    fn authority(&self) -> &Authority;
    fn authority_mut(&mut self) -> &mut Authority;

    fn require_owner(&self, signer: [u8; 32]) -> Result<(), AuthorityError> {
        self.authority().require(signer)
    }
    fn transfer_ownership(&mut self, signer: [u8; 32], new: [u8; 32]) -> Result<(), AuthorityError> {
        self.authority_mut().rotate(signer, Some(new))
    }
    fn renounce_ownership(&mut self, signer: [u8; 32]) -> Result<(), AuthorityError> {
        self.authority_mut().rotate(signer, None)
    }
}

Then, maybe we can do something like:

impl Ownable for TokenDefinition {
    fn authority(&self) -> &Authority { /* return the field, panic/NFT-guard as needed */ }
    fn authority_mut(&mut self) -> &mut Authority { /* … */ }
}

[0x-r4bbit]

Let's make this an AccountId

[0x-r4bbit]

This should also be an AccountId

[0x-r4bbit]

Let's remove this comment.

[0x-r4bbit]

In fact, the integration tests uncover some of the issues I've commented about as well.

[bristinWild]

Thanks for the detailed review, @0x-r4bbit

this was the right direction. Pushed a redesign addressing all points:

Authority type + Ownable trait: lez-authority now exposes an Authority(Option<[u8;32]>) newtype (authority() / require() / rotate()) and an Ownable trait with require_owner / transfer_ownership / renounce_ownership, matching your sketch. TokenDefinition::Fungible embeds authority: Authority and TokenDefinition implements Ownable (with an NFT guard). The old AuthoritySlot wrapper is gone.

Folded the instruction: removed NewFungibleDefinitionWithAuthority; NewFungibleDefinition now takes mint_authority: Option , Some = mintable, None = fixed supply.

AMM fix: the pool-definition PDA is now the LP token's mint authority (mint_authority: Some(pool_definition_lp.account_id)), so the AMM can mint LP at creation and when liquidity is added. mint/set_authority no longer take a separate authority account - they authorize against the definition account itself (id must match stored authority + be authorized in the tx), which works for both external owners and program PDAs. All AMM integration tests pass again.

Nits: instruction params use AccountId; removed the LP-0013 doc/code comments.
One interpretation note: I kept lez-authority itself [u8;32]-based (no nssa_core dependency, per the agnostic goal) and convert AccountId ↔ [u8;32] at the token program's instruction boundary. Happy to adjust if you'd prefer the lib depend on AccountId directly.

All suites green (lez-authority, token unit, and token/amm/stablecoin/ata integration under RISC0_DEV_MODE=1); fmt + clippy clean; all four IDLs regenerated.

[bristinWild]

Also pushed 367ae38 , a cargo fmt fix for indentation on two AMM test lines. Unit Tests CI failure is a RISC0 toolchain 504 (GitHub infra flakiness) , a re-run should clear it.