chore: refactor permission rules and add additional validation

[jeffsmale90]

Explanation

It's critical that the GatorPermissionController's Permission decoding logic is strict, and will not decode EIP-712 payload to a permission unless the payload exactly meets the expectations of that permission.

This PR refactors the permission rules to be more self contained, and self describing. This allows each permission type's decoding rules to be more thoroughly tested in isolation. Validation and decoding logic is combined, as decoding is an implicit part of the validation step.

This PR also adds explicit validation of the "implicit" caveats for each permission type (valueLte for ERC20 permissions, exactCalldata for native token permissions), where previously we were ensuring that they caveats exist, but not validating their terms.

References

Checklist

• I've updated the test suite for new or updated code as appropriate
• I've updated documentation (JSDoc, Markdown, etc.) for new or updated code as appropriate
• I've communicated my changes to consumers by updating changelogs for packages I've changed
• I've introduced breaking changes in this PR and have prepared draft pull requests for clients and consumer packages to resolve them

---

Note

Medium Risk
Refactors core permission decoding/matching logic and adds stricter term validation, which may cause previously-accepted permission contexts to be rejected if they are even slightly malformed. The change is well-covered by new rule-focused and adversarial tests but touches a security-sensitive boundary (EIP-712 permission decoding).

Overview
Refactors permission decoding to be rule-driven: GatorPermissionsController.decodePermissionFromPermissionContextForOrigin now builds permission rules per chain, finds the single matching rule by caveat/enforcer addresses, and uses the rule to validate and decode caveat terms in one step (replacing the older identifyPermissionByEnforcers + getPermissionDataAndExpiry flow).

Adds a new decodePermission/rules layer with per-permission validateAndDecodePermission implementations and shared utilities, tightening validation of caveat terms (e.g., ExactCalldataEnforcer must be 0x, ValueLteEnforcer must be 32-byte zero, term byte-length checks, positive periodAmount/durations/start times, and hex tokenAddress for ERC20 types). Extensive new tests cover each rule plus adversarial edge cases, and the changelog is updated accordingly.

^{Written by Cursor Bugbot for commit c7ba989. This will update automatically on new commits. Configure here.}

[mj-kiwi]

I think the valid 20-byte addresses should be 40 hex chars.

Suggested change

	const tokenAddress = '0xdddddddddddddddddddddddddddddddddddddddd' as Hex;
	const tokenAddress = '0xdddddddddddddddddddddddddddddddddddddd' as Hex;

[jeffsmale90]

I think it is 40 hex chars:

> "0xdddddddddddddddddddddddddddddddddddddddd".length
42

"0x" followed by 40 "d"s is 42 chars

[mj-kiwi]

Suggested change

	const tokenAddress = '0xdddddddddddddddddddddddddddddddddddddddd' as Hex;
	const tokenAddress = '0xdddddddddddddddddddddddddddddddddddddd' as Hex;

[jeffsmale90]

Lol, I counted those ds very carefully!

[jeffsmale90]

Actually, the existing string if 42 chars, which is 20 bytes, which is correct.

I added validation to the erc20 permission decoders to ensure that the token addresses are the correct length.

[jeffsmale90]

Actually, I didn't, because we can't validate individual component lengths (the bytes are concatenated), but we do have terms length validation for each permission type.

[mj-kiwi]

should we add periodAmount > 0 check here?

[jeffsmale90]

yes!

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

[cursor]

Token address has 42 hex chars (21 bytes) instead of 40

Medium Severity

The tokenAddress '0xdddddddddddddddddddddddddddddddddddddddd' contains 42 d characters (21 bytes) instead of the required 40 (20 bytes). When these tests manually construct terms via `0x${tokenAddress.slice(2)}...`, the resulting byte length is 1 byte too long. This causes the byte-length validation to reject the terms before reaching the intended validation (e.g., startTime must be a positive number or amountPerSecond must be a positive number), so these tests pass for the wrong reason and don't actually cover the validation they intend to test.

Additional Locations (2)

• packages/gator-permissions-controller/src/decodePermission/rules/erc20TokenStream.test.ts#L252-L253
• packages/gator-permissions-controller/src/decodePermission/rules/erc20TokenStream.test.ts#L278-L279

 

[MoMannn]

isSubset is now dead code and can be removed

[MoMannn]

These can check only if === 0n. There are no negative numbers in solidity so its not possible for them to be less then 0.

[MoMannn]

This check is redundant. The next if is validating valueLteTerms !== ZERO_32_BYTES which also validates the length.

[MoMannn]

I believe these functions got removed now?