Search Apps Documentation Source Content File Folder Download Copy Actions Download

names package

Overview

Package names enforces namespace permissions for package deployment.

Two namespace shapes grant deploy authority when enforcement is enabled:

  1. PA (personal-address) namespaces — gno.land/{r,p}/<addr>/* — the deployer's address string equals the namespace literal. Anyone can deploy under their own address.

  2. Registered-name namespaces — gno.land/{r,p}/<name>/* — r/sys/users has a (name → addr) mapping where the resolved address equals the deployer AND the name is the user's CURRENT name (not a historical alias from a rename chain). This is the bridge that lets r/sys/namereg/v1 (or any other DAO-whitelisted controller) grant deploy authority via name registration.

Authority is unscoped: a registered name owns BOTH r/<name>/* and p/<name>/* paths. There is no sub-prefix isolation (e.g. r/u/<name>/*).

The realm exposes an emergency-halt switch via SetPaused. When paused, the verifier rejects EVERY namespace check — PA included — until unpaused. This is the "true emergency" semantic; the narrow alternative (pause registered-name only, preserve PA) was considered and rejected because the threats most likely to justify pausing this realm (verifier bug, compromised controller, signature-layer incident) do not reliably exempt PA from the same blast radius.

Functions

Enable

func Enable(cur realm)

Enable enables the namespace check for this realm. The namespace check is disabled initially to ease txtar and other testing contexts, but this function is meant to be called in the genesis of a chain.

Command

# WARNING: This command is running in an INSECURE mode.
# It is strongly recommended to use a hardware device for signing
# and avoid trusting any computer connected to the internet,
# as your private keys could be exposed.

gnokey maketx call -pkgpath "gno.land/r/sys/names" -func "Enable" -gas-fee 1000000ugnot -gas-wanted 1_000_000_000 -send "" -chainid "dev" -remote "https://api.gno.berty.io:443" ADDRESSgnokey query -remote "https://api.gno.berty.io:443" auth/accounts/ADDRESS
gnokey maketx call -pkgpath "gno.land/r/sys/names" -func "Enable" -gas-fee 1000000ugnot -gas-wanted 1_000_000_000 -send "" -broadcast=false ADDRESS > call.tx
gnokey sign -tx-path call.tx -chainid "dev" -account-number ACCOUNTNUMBER -account-sequence SEQUENCENUMBER ADDRESS
gnokey broadcast -remote "https://api.gno.berty.io:443" call.tx

IsAuthorizedAddressForNamespace

func IsAuthorizedAddressForNamespace(address_XXX address, namespace string) bool

IsAuthorizedAddressForNamespace checks if the given address can deploy to the given namespace. See package doc for the two authorization paths and the pause semantic.

Pre-Enable, all checks pass (testing/dev convenience).

Params

Command

gnokey query vm/qeval -remote "https://api.gno.berty.io:443" -data "gno.land/r/sys/names.IsAuthorizedAddressForNamespace(,)"

Result

IsEnabled

func IsEnabled() bool

Command

gnokey query vm/qeval -remote "https://api.gno.berty.io:443" -data "gno.land/r/sys/names.IsEnabled()"

Result

IsPaused

func IsPaused() bool

IsPaused reports the current value of the pause flag. Note: when the realm is pre-Enable, IsPaused may return true but the verifier will still pass-through (pre-Enable bypass takes priority).

Command

gnokey query vm/qeval -remote "https://api.gno.berty.io:443" -data "gno.land/r/sys/names.IsPaused()"

Result

ProposeSetPaused

func ProposeSetPaused(v bool) dao.ProposalRequest

ProposeSetPaused returns a GovDAO proposal request that, when voted through and executed, toggles the chain-wide deploy gate. When the realm is paused, the verifier rejects EVERY namespace check — PA (personal-address) included — until a subsequent ProposeSetPaused(false) proposal executes.

This is an emergency halt. A paused state means NO new MsgAddPackage transactions land at any path on the chain. Existing realms continue to receive MsgCall traffic normally — pause is scoped to addpkg, not to all VM operations. Use cases:

  • Bug discovered in this realm or r/sys/users that requires a hotfix before further deploys can be trusted.
  • Wallet/signature-layer incident under investigation.

(A "compromised controller" use case was considered and removed: the controller's RegisterUser path is direct into r/sys/users and does NOT go through this verifier, so pause does not freeze new registrations. To contain a compromised controller, the appropriate flow is ProposeControllerRemoval in r/sys/users, not pause here.)

The narrow alternative (pause registered-name path only, preserve PA) was considered and rejected. See package doc for rationale.

Gated on GovDAO proposal at T1 tier — not the hardcoded admin used by Enable. Pause is consequential enough to warrant a tier-restricted governance vote rather than a single-multisig click. T1 filter prevents lower-tier members from spamming pause proposals to dilute attention. Trade-off is response time: a T1 vote takes hours-to-days; if a faster emergency-halt mechanism is needed, that belongs at a different layer (e.g. an ante-handler-level chain pause), not here.

Pause is orthogonal to the pre-Enable bypass: before Enable, the verifier returns true regardless of paused state. So executing a pause proposal before Enable has no effect on deploys, but the value persists and applies the moment Enable runs. To avoid this staging trap, operators should call Enable BEFORE any pause proposals are voted in.

Idempotency: calling ProposeSetPaused(v) when the realm's current paused state already equals v panics at proposal-creation time so voters never see a proposal whose execution would no-op.

Param

Command

gnokey query vm/qeval -remote "https://api.gno.berty.io:443" -data "gno.land/r/sys/names.ProposeSetPaused()"

Result

Render

func Render(_ string) string

Param

Command

gnokey query vm/qeval -remote "https://api.gno.berty.io:443" -data "gno.land/r/sys/names.Render()"

Result