Proxy deny by default

[l0r1s]

Proxy filters: deny-by-default, additive allow-lists

What

Reworks proxy call filtering from denylists (allow everything except…) to
additive allow-lists (deny unless explicitly granted). New extrinsics are
now denied by default until they are classified into a call group.

• call_groups.rs — a flat inventory of call groups. Each pallet is one
  group, split only where a proxy needs a subset. A call_filter_group! macro
  generates both the Contains filter and the CallFilterMetadata view from a
  single declaration, so they cannot drift.
• mod.rs — each ProxyType is an additive union of whole groups; the two
  amount/nested-call proxies (SmallTransfer, SudoUncheckedSetCode) are
  generated with where constraints. Also exposes the runtime-API metadata,
  derived from the same groups.
• Admin-utils calls are split strictly by their dispatch guard:
  owner-settable (ensure_sn_owner_or_root) vs root-only (ensure_root), so
  the Owner proxy no longer carries inert root-only grants.

Behavior

Preserves main's per-proxy permissions, with two intentional changes:

• Tightened denylist leaks: newer calls the old denylists allowed by
  omission are now denied for the broad proxies — reset_coldkey_swap
  (NonTransfer/NonFungible/NonCritical), and root_dissolve_network,
  schedule_swap_coldkey, swap_coldkey (NonCritical).
• SubnetLeaseBeneficiary now grants the full owner-settable subnet-management
  surface (was a narrower hand-picked list).

ProxyType indices and is_superset are unchanged (no storage migration).

Tests

• Coverage oracle: asserts the inventory matches RuntimeCall metadata exactly
  (GetCallMetadata) — fails if any call is unclassified.
• Golden tests: exact allow-list per narrow proxy; broad proxies cross-checked
  subtractively; owner/lease boundaries; tightened-leak guards.
• Conditional predicates: SmallTransfer amount limits and
  SudoUncheckedSetCode nested-call matching, exercised through the filter.

[github-actions]

🛡️ AI Review — Skeptic (security review)

VERDICT: SAFE

BASELINE scrutiny: l0r1s has repo write permission, a 2018 account, substantial prior contribution history, and no Gittensor allowlist hit; branch proxy-deny-by-default -> devnet-ready.

Static review used the prefetched metadata, prior sticky, author signals, and PR diff only. The PR does not modify .github/ai-review/* or .github/copilot-instructions.md. I found no malicious path, trusted-prompt/workflow tampering, supply-chain escalation, runtime-dispatch panic surface, or proxy permission bypass.

Findings

No findings.

Conclusion

The diff moves proxy filtering to additive allow-lists, keeps stable proxy indices and superset behavior, and tightens the broad-proxy coldkey/network-critical leaks without introducing a security finding. Verdict is SAFE.

---

🔍 AI Review — Auditor (domain review)

VERDICT: 👍

Author has write permission and substantial prior Subtensor activity; no trusted gittensor allowlist hit, and no competing open PR appears to implement the same proxy-filter rewrite.

The PR body is substantive and matches the implementation: proxy filtering is rebuilt as additive allow-lists, ProxyType indices remain stable, deprecated proxy types continue to deny all calls, and the runtime API metadata is derived from the same call groups used by InstanceFilter.

Duplicate-work check: overlapping open PRs share common runtime/Cargo files only; none appears to be a competing proxy-filter implementation.

Verification notes: git diff --check passed. I attempted the targeted proxy-filter runtime tests with cargo test -p node-subtensor-runtime proxy_filters --lib; rustup is blocked by the read-only home directory, and pinning the real cargo/rustc binaries then failed because Cargo could not create its git dependency cache under the read-only home. I also attempted the required devnet spec_version RPC check, but DNS resolution for dev.chain.opentensor.ai failed in this runner, so no spec-version auto-fix was applied.

Findings

No findings.

Conclusion

No blocking domain issues found in the proxy deny-by-default rewrite. The remaining risk is environmental: CI still needs to run the targeted runtime tests and the live devnet spec-version comparison.

[github-actions]

🔄 AI review updated — Skeptic: SAFE Auditor: 👍

[github-actions]

🔄 AI review updated — Skeptic: SAFE Auditor: 👍