docs(key-manager): restrict what a controller can do (Allowed Calls guide)

[leo-assistant-chef]

Closes ClickUp task 86c1cf28n

Adds a new How-to guide: Restrict What a Controller Can Do (Key Manager section, sidebar position 3).

4 practical examples with viem + ethers + Solidity tabs:

1. Staking-only controller (Stakingverse bot)
2. LYX transfer to one specific address
3. LSP7 token interactions only
4. LSP8 setDataForTokenId (Marketing manager)

Also covers: two-tier staking/withdrawal controller split, Common Mistakes (SUPER_CALL bypass, encoding gotcha, LYX amount limits, LSP7 selector).

[Copilot]

Pull request overview

Adds a new Key Manager documentation guide explaining how to restrict controller capabilities using LSP6 Allowed Calls, with practical multi-library examples and a “Common Mistakes” section.

Changes:

• Introduces a new how-to guide: “Restrict What a Controller Can Do” (Allowed Calls).
• Provides 4 example scenarios with viem/ethers/Solidity tabs (plus staking controller split + liquid staking).
• Documents common pitfalls (SUPER_CALL bypass, encoding gotchas, LSP7 selector details).

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[emmet-bot]

Good guide overall — the structure, examples, and Common Mistakes section are solid. But there are critical selector errors that would cause every Stakingverse example to silently fail at runtime.

---

🔴 All Stakingverse function selectors are wrong

I verified against the actual Stakingverse vault implementation (0x1711b2e1b64f38ca33e51b717cfd27acd1bd2e2d, proxy at 0x9F49...6F04). The ABI shows:

Function	PR selector	Correct selector
deposit(address)	0xd0e30db0 (deposit())	0xf340fa01
withdraw(uint256,address)	0xfbbdb3ae	0x00f714ce
claim(uint256,address)	0x76657593	0xddd5e1b2
transferStake(address,uint256,bytes)	0x1c892b5a	0xf2f1042f

Root cause: deposit() (no params) has selector 0xd0e30db0, but the actual Stakingverse function is deposit(address) (takes a recipient param) with selector 0xf340fa01. The other 3 selectors also do not match — they appear to be fabricated rather than computed from the actual function signatures.

This affects Examples 1, the two-tier split, and the liquid staking section. All need correcting.

---

🟡 deposit() vs deposit(address) — the function signature is wrong

The Stakingverse vault deposit function takes an address parameter (the recipient of vault shares). The PR shows deposit() with no params, which would revert even if the selector were correct. Update the examples to show the correct signature:

deposit(address recipient)  // selector: 0xf340fa01

---

🟡 Explorer link uses wrong domain

The sLYX token link uses explorer.execution.mainnet.lukso.network — the canonical explorer URL is explorer.lukso.network.

---

🔵 Minor: consider adding a note about testing on testnet

The Encoding gotcha warning at the bottom is good but could be stronger — suggest adding a dedicated tip at the top of the page recommending developers always test Allowed Calls on LUKSO Testnet first.

---

Summary: Fix the 4 Stakingverse selectors (critical — these are currently all wrong and would cause silent failures), correct deposit() to deposit(address), and fix the explorer URL. The rest of the guide is well-structured.

[CJ42]

Added review comments