Add signer lifecycle manager #80

Merged
punk6529 merged 2 commits into main from codex/add-signer-lifecycle-manager
Jun 10, 2026

punk6529 (Contributor) commented Jun 10, 2026

Summary

  • Separate drop-signing identity from signer-management authority in StreamAdmins.
  • Add owner-managed signer managers, owner-approved signer lifecycle targets, and exact grant helpers for StreamDrops signer lifecycle selectors.
  • Remove the constructor drop signer's implicit global admin/role-management authority while preserving owner/root recovery.
  • Add focused signer lifecycle tests for grant/revoke boundaries, rotation invalidating stale payloads, fresh signer success, cancellation before execution, and unauthorized failures.
  • Refresh ADR, roadmap, status, blocker, test README, autonomous-run, and Slither baseline traceability.

Closes #79

Validation

  • $env:Path="$HOME\.foundry\bin;$env:Path"; forge test --match-contract "Stream(Admins|AdminSelectors|SignerAdmin|DropsEIP712|PauseControls)Test" -vvv passed with 59 tests.
  • $env:Path="$HOME\.foundry\bin;$env:Path"; make check passed with 197 tests.
  • $env:Path="$HOME\.foundry\bin;$env:Path"; powershell -ExecutionPolicy Bypass -File scripts\check.ps1 passed with 197 tests.
  • forge fmt --check ... passed for all touched Solidity/test files.
  • git diff --check and git diff --cached --check passed.
  • Markdown heading scan passed for touched roadmap/docs files.
  • Traceability grep passed for P0-ADMIN-003, signer manager APIs, and StreamSignerAdmin.
  • Slither ran with pinned toolchain and expected non-zero baseline exit: 721 total findings, High 4, Medium 19, Low 92, Informational 595, Optimization 11. High/medium counts remain unchanged; arbitrary-send-eth, reentrancy-eth, encode-packed-collision, weak-prng, and uninitialized-state remain zero current findings.

Review Notes

  • Claude intentionally not requested per maintainer instruction; CodeRabbit is the requested bot reviewer for this PR.

Summary by CodeRabbit

Release Notes

  • New Features

    • Added signer lifecycle management capabilities with owner-approved authorization controls.
    • Enhanced admin registration to enforce stricter authorization requirements.
  • Documentation

    • Updated governance and implementation roadmap documentation.
    • Refreshed baseline test coverage and security analysis records.
  • Tests

    • Expanded test coverage for signer lifecycle management and authorization scenarios.

claude Bot left a comment

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

Tip: disable this comment in your organization's Code Review settings.

Contributor Author

@coderabbitai review

coderabbitai Bot commented Jun 10, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9c3484a4-aec5-452a-878b-16e85f89c0b8

📥 Commits

Reviewing files that changed from the base of the PR and between 785f9eb and d4a13a1.

📒 Files selected for processing (19)
  • docs/adr/0004-admin-governance.md
  • docs/known-blockers.md
  • docs/status.md
  • ops/AUTONOMOUS_RUN.md
  • ops/ROADMAP.md
  • ops/SLITHER_BASELINE.md
  • smart-contracts/StreamAdmins.sol
  • test/README.md
  • test/StreamAdminSelectors.t.sol
  • test/StreamAdmins.t.sol
  • test/StreamCoreAdminCharacterization.t.sol
  • test/StreamCuratorsPool.t.sol
  • test/StreamDropsCharacterization.t.sol
  • test/StreamDropsEIP712.t.sol
  • test/StreamDropsERC1271.t.sol
  • test/StreamEmergencyWithdraw.t.sol
  • test/StreamRandomizerRetry.t.sol
  • test/StreamSignerAdmin.t.sol
  • test/helpers/StreamFixture.sol

📝 Walkthrough

This PR implements P0-ADMIN-003: signer lifecycle manager. StreamAdmins now requires owner-only admin registration, adds explicit signer-manager and signer-lifecycle-target registration, restricts signer-scoped function-admin grants to exact lifecycle selectors, and introduces comprehensive characterization tests validating signer rotation, epoch invalidation, cancellation, and unauthorized access patterns.

Changes

Signer Lifecycle Manager and Access Control Implementation

| Layer | File(s) | Summary |
| --- | --- | --- |
| StreamAdmins core authority model and signer manager registration | smart-contracts/StreamAdmins.sol | StreamAdmins adds DROP_SIGNER_*_SELECTOR constants, signerManagers and signerLifecycleTargets mappings, SignerManagerUpdated and SignerLifecycleTargetUpdated events, and signerManagerOrOwner modifier. Changes registerAdmin, registerFunctionAdmin, and registerBatchFunctionAdmin to onlyOwner (removing authorized() pathway). Adds registerSignerManager, registerSignerLifecycleTarget, registerSignerFunctionAdmin, and registerBatchSignerFunctionAdmin public functions. Internal _setSignerFunctionAdmin and _isSignerLifecycleSelector enforce approved-selector whitelist and registered-target eligibility. |
| Admin authorization and access control tests | test/StreamAdmins.t.sol, test/StreamAdminSelectors.t.sol | StreamAdmins.t.sol replaces prior TDH-signer-grants-admin tests with owner-scoped registration tests; adds new events for signer-manager/lifecycle-target updates; introduces comprehensive signer-manager/lifecycle-target test clusters (register/revoke, selector scoping, target eligibility, revocation enforcement). StreamAdminSelectors.t.sol replaces signer-registrar-bypass test with test verifying drop signer cannot manage roles by default; updates _deployCore() to register test contract as admin. |
| Signer lifecycle characterization test suite | test/StreamSignerAdmin.t.sol | New StreamSignerAdminTest contract validates P0-ADMIN-003 behaviors: signer-manager grants exact three lifecycle selectors; signer rotation via updateTDHsigner and incrementSignerEpoch invalidates old-epoch payloads and accepts new-signer signatures; cancellation prevents minting before consumption but fails after; unauthorized callers cannot rotate/increment/cancel. Includes deployment (_deployDrops) and permission-wiring (_grantSignerLifecycle) helpers and selector-list builder (_signerSelectors). |
| Test deployment function-admin authorization setup | test/StreamCore...t.sol, test/StreamCurators...t.sol, test/StreamDrops...t.sol, test/StreamEmergency...t.sol, test/StreamRandomizer...t.sol, test/helpers/StreamFixture.sol | Twelve test files updated to explicitly register function-admin permissions for test-contract callers via registerFunctionAdmin in deployment helpers, ensuring selector-based access control aligns with test execution paths for createCollection, emergencyWithdraw, updateAuctionContract, signer lifecycle selectors, and retryRandomnessPostProcessing. |
| Architecture and roadmap documentation updates | docs/adr/0004-admin-governance.md, docs/known-blockers.md, docs/status.md, test/README.md, ops/ROADMAP.md | ADR 0004 implementation status expanded to cover P0-ADMIN-003 signer-manager controls; current-behavior bullets clarify owner as root recovery (not operational admin), drop signers no longer default global admins, and signer-managers grant exact lifecycle selectors on approved targets. Known-blockers and status updated to reflect signer-lifecycle separation and remaining deployment/collection-admin gaps. Test README documents new signer-lifecycle characterization suite. Roadmap includes full P0-ADMIN-003 section with problem, intended behavior, code/test/docs changes, and acceptance criteria; test-matrix updated for single-active-signer model. |
| Operational state and Slither baseline updates | ops/AUTONOMOUS_RUN.md, ops/SLITHER_BASELINE.md | AUTONOMOUS_RUN records PR #78 merge, Queue Item 37 (signer lifecycle manager, PR #80) open status, updated branch/timestamp/validation notes, and decision-log entries. SLITHER_BASELINE refreshes timestamp, updates total findings count and Low/Informational impact totals, and documents signer-manager and lifecycle-target allowlist deltas (low/informational increases, high/medium unchanged). |

Sequence Diagrams

sequenceDiagram
  participant Admin as Owner
  participant Admins as StreamAdmins
  participant Manager as Signer Manager
  participant Drops as StreamDrops
  participant Operator as Authorized Operator
  
  Admin->>Admins: registerSignerManager(Manager)
  Admin->>Admins: registerSignerLifecycleTarget(Drops)
  Manager->>Admins: registerSignerFunctionAdmin(Operator, Drops, updateTDHsigner)
  Manager->>Admins: registerSignerFunctionAdmin(Operator, Drops, incrementSignerEpoch)
  Manager->>Admins: registerSignerFunctionAdmin(Operator, Drops, cancelDrop)
  Operator->>Drops: updateTDHsigner(newSigner)
  Operator->>Drops: incrementSignerEpoch()
  Operator->>Drops: cancelDrop(dropId)

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

  • 6529-Collections/6529Stream#63: Upstream PR that implemented scoped function-admin grants; this PR extends that model with signer-manager-specific authorization paths and lifecycle-selector restrictions.
  • 6529-Collections/6529Stream#56: Related PR that introduced EIP-712 authorization and signer-lifecycle selectors (updateTDHsigner, incrementSignerEpoch, cancelDrop) on which this PR's access control layer depends.
  • 6529-Collections/6529Stream#6: Foundational PR that introduced StreamAdmins.t.sol authorization tests; this PR reshapes those test patterns to reflect the new owner-only and signer-manager-gated registration authority model.

Poem

🐰 Signer lifecycle blooms anew,
Root managers guard what signers do,
Drop rotations dance with epoch's grace,
Stale payloads fade without a trace!
Authorization scoped and clean,
The finest admin flow you've seen.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'Add signer lifecycle manager' directly and clearly summarizes the main change in the PR, matching the issue P0-ADMIN-003 objective. |
| Linked Issues check | ✅ Passed | All core code changes in StreamAdmins.sol, StreamAdminSelectors.t.sol, StreamAdmins.t.sol, and StreamSignerAdmin.t.sol directly implement issue #79 requirements: explicit signer-manager registration, owner-managed authority, removal of drop-signer admin privilege, and comprehensive testing of grants, rotation, and cancellation. |
| Out of Scope Changes check | ✅ Passed | All changes are in-scope: core signer-manager implementation and new dedicated tests, function-admin registration additions to align with new access control model, and documentation/roadmap updates reflecting P0-ADMIN-003 completion. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

Comment @coderabbitai help to get the list of available commands and usage tips.
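
The grant rules summarized in the walkthrough above, as an added reference model that is not part of this PR or the project's code. It is a Python sketch rather than Solidity so it can be run offline; the boolean status argument, the error type and the account names are assumptions, and target eligibility is assumed to be checked on every call.

```python
# Added reference model (Python, not the project's Solidity) of the grant rules
# in the walkthrough. Status flag, error type and account names are assumptions.
LIFECYCLE_SELECTORS = frozenset({"updateTDHsigner", "incrementSignerEpoch", "cancelDrop"})

class Unauthorized(Exception):
    pass

class AdminsModel:
    def __init__(self, owner, drop_signer):
        self.owner = owner
        self.drop_signer = drop_signer  # signs drops, holds no admin authority
        self.signer_managers = set()
        self.lifecycle_targets = set()
        self.function_admins = set()    # (operator, target, selector) grants

    def _only_owner(self, caller):
        if caller != self.owner:
            raise Unauthorized("owner only")

    def _toggle(self, bucket, item, status):
        (bucket.add if status else bucket.discard)(item)

    def register_signer_manager(self, caller, manager, status):
        self._only_owner(caller)
        self._toggle(self.signer_managers, manager, status)

    def register_signer_lifecycle_target(self, caller, target, status):
        self._only_owner(caller)
        self._toggle(self.lifecycle_targets, target, status)

    def register_function_admin(self, caller, operator, target, selector, status):
        self._only_owner(caller)        # general grants are owner-only
        self._toggle(self.function_admins, (operator, target, selector), status)

    def register_signer_function_admin(self, caller, operator, target, selector, status):
        if caller != self.owner and caller not in self.signer_managers:
            raise Unauthorized("signer manager or owner only")
        if selector not in LIFECYCLE_SELECTORS:
            raise Unauthorized("not a signer lifecycle selector")
        if target not in self.lifecycle_targets:
            raise Unauthorized("target is not an approved lifecycle target")
        self._toggle(self.function_admins, (operator, target, selector), status)

def denied(call, *args):  # True when the model rejects the call
    try:
        call(*args)
    except Unauthorized:
        return True
    return False
```
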

coderabbitai Bot commented Jun 10, 2026

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

Contributor Author

@coderabbitai review

Please review the latest head after the state-only follow-up commit.

coderabbitai Bot commented Jun 10, 2026

@punk6529 — triggering a review of the latest head now.

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@punk6529 punk6529 merged commit 9c81f71 into main Jun 10, 2026
2 checks passed

Successfully merging this pull request may close these issues.

[P0-ADMIN-003] Implement signer lifecycle manager and tests
