Access API Reference

Drop-only typed proof that the transaction sender held Role when the proof was minted with new_auth.

Because new_auth only mints against the singleton registry for Role's home module, consumers can take &Auth<Role> as authorization without repeating role checks.

Key object storing role membership, role-admin relationships, root-role pending state, pending delay changes, and the current root-operation delay.

RootRole is the consuming module's OTW type. It pins the registry identity and is the protected root role for the registry.

Per-role membership and admin-role data.

Pending root-role action. new_admin = some(address) means transfer, while new_admin = none means renounce.

Pending change to default_admin_delay_ms, including the new delay and the timestamp after which it can be applied.

Creates the registry for the consumer module. RootRole must be a genuine OTW, and ctx.sender() becomes the initial root-role holder.

The caller is responsible for sharing, embedding, or otherwise positioning the returned AccessControl<RootRole> registry.

Aborts with ENotOneTimeWitness if otw is not an OTW.

Aborts with EDelayTooLarge if default_admin_delay_ms exceeds max_default_admin_delay_ms().

Returns whether account currently holds Role. Returns false for roles that have never been registered.

Returns the admin role for Role, defaulting to the protected root role when no role data exists yet.

Checks that account holds Role.

Aborts with EUnauthorized if account does not hold Role.

Grants Role to account. Caller must hold the admin role of Role. No-op if account already has the role.

Aborts with EForeignRole if Role is not defined in the same module as RootRole.

Aborts with ECannotManageRootRole if Role is the root role.

Aborts with EUnauthorized if caller does not hold the admin role of Role.

Aborts with EZeroAddress if account is @0x0.

Revokes Role from account. Caller must hold the admin role of Role. No-op if account does not have the role.

Aborts with EForeignRole if Role is not defined in the same module as RootRole.

Aborts with ECannotManageRootRole if Role is the root role.

Aborts with EUnauthorized if caller does not hold the admin role of Role.

Lets the caller renounce their own non-root Role. No-op if caller does not hold Role.

Aborts with ECannotRenounceForOtherAccount if account is not ctx.sender().

Aborts with EForeignRole if Role is not defined in the same module as RootRole.

Aborts with ECannotManageRootRole if Role is the root role. Root renounce must use begin_default_admin_renounce and accept_default_admin_renounce.

Changes the admin role for Role to AdminRole. Caller must hold the current admin role of Role.

Aborts with EForeignRole if either Role or AdminRole is not defined in the same module as RootRole.

Aborts with ECannotManageRootRole if Role is the root role.

Aborts with EUnauthorized if caller lacks the current admin role of Role.

Schedules a root-role transfer to new_admin at clock.timestamp_ms() + default_admin_delay_ms.

Caller must hold the root role. An existing pending transfer or renounce is overwritten.

Aborts with EUnauthorized if caller does not hold the root role.

Aborts with EZeroAddress if new_admin is @0x0. Use begin_default_admin_renounce to permanently lock the registry.

Accepts a pending root-role transfer after the scheduled delay. Caller must be the pending new admin.

The call clears the pending action, revokes the old root holder, and grants the root role to the caller.

Aborts with ENoPendingAdminTransfer if there is no pending transfer or renounce.

Aborts with ENotPendingTransfer if the pending action is a renounce.

Aborts with ENotPendingAdmin if caller is not the scheduled new admin.

Aborts with EDelayNotElapsed if the timelock has not elapsed.

Schedules a root-role renounce at clock.timestamp_ms() + default_admin_delay_ms.

Caller must hold the root role. An existing pending transfer or renounce is overwritten.

Aborts with EUnauthorized if caller does not hold the root role.

Finalizes a pending root-role renounce after the scheduled delay. Caller must still hold the root role.

After this call, no account holds the root role and root administration is permanently unavailable unless another protocol-specific recovery path exists.

Aborts with ENoPendingAdminTransfer if there is no pending transfer or renounce.

Aborts with ENotPendingRenounce if the pending action is a transfer.

Aborts with EUnauthorized if caller does not hold the root role.

Aborts with EDelayNotElapsed if the timelock has not elapsed.

Cancels a pending root-role transfer or pending root-role renounce. Caller must hold the root role.

Aborts with ENoPendingAdminTransfer if there is no pending transfer or renounce.

Aborts with EUnauthorized if caller does not hold the root role.

Schedules a change to default_admin_delay_ms. Caller must hold the root role, and new_delay_ms must not exceed max_default_admin_delay_ms().

Increases wait for min(new_delay_ms, max_delay_increase_wait_ms()); decreases wait for current_delay_ms - new_delay_ms. An existing pending delay change is overwritten.

Aborts with EUnauthorized if caller does not hold the root role.

Aborts with EDelayTooLarge if new_delay_ms exceeds max_default_admin_delay_ms().

Applies a pending delay change after schedule_after_ms.

No authorization is required at accept time; the root holder authorized the change when scheduling it.

Aborts with ENoPendingDelayChange if no delay change is pending.

Aborts with EDelayNotElapsed if schedule_after_ms has not been reached.

Cancels a pending delay change. Caller must hold the root role.

Aborts with ENoPendingDelayChange if no delay change is pending.

Aborts with EUnauthorized if caller does not hold the root role.

Mints a temporary Auth<Role> proof for ctx.sender(). Pass it by reference to gated functions in the same PTB.

Aborts with EForeignRole if Role is not defined in the same module as RootRole.

Aborts with EUnauthorized if sender does not hold Role.

Returns the address that held Role when auth was minted.

Returns the TypeName of the protected root role captured at construction time.

Returns the maximum allowed root-operation delay: 60 days in milliseconds.

Returns the current delay, in milliseconds, for root transfers and root renounces.

Returns whether there is any pending root-role action: either a transfer or a renounce.

Returns whether the pending root-role action is specifically a renounce. Returns false when there is no pending action or when the pending action is a transfer.

Returns some(address) for a pending transfer. Returns none when there is no pending action or when the pending action is a renounce.

Use is_pending_default_admin_renounce to distinguish no pending action from pending renounce.

Returns some(timestamp_ms) with the timestamp after which the pending root-role action can be accepted. Returns none when no root action is pending.

Returns the maximum wait before a scheduled delay increase can take effect: 48 hours in milliseconds.

Returns whether a default-admin delay change is pending.

Returns some(new_delay_ms) with the proposed delay if a change is pending. Returns none otherwise.

Returns some(timestamp_ms) with the timestamp after which a pending delay change can be applied. Returns none otherwise.

Emitted when a role is granted to an account.

Fired by grant_role when account was not already a member, by new for the initial root holder, and by accept_default_admin_transfer for the incoming root holder.

The role field is a TypeName that identifies the defining package address and module of the role struct.

Emitted when a role is removed from an account.

Fired by revoke_role when account held the role, by renounce_role, by accept_default_admin_transfer for the previous root holder, and by accept_default_admin_renounce for the renouncing root holder.

The role field is a TypeName that identifies the defining package address and module of the role struct.

Emitted when a role's admin role is reconfigured by set_role_admin.

The role, previous_admin_role, and new_admin_role fields are TypeNames.

Emitted when a root-role transfer is scheduled by begin_default_admin_transfer.

execute_after_ms is the earliest timestamp at which accept_default_admin_transfer can be called.

Emitted when a root-role renounce is scheduled by begin_default_admin_renounce.

execute_after_ms is the earliest timestamp at which accept_default_admin_renounce can be called.

Emitted by cancel_default_admin_transfer when a pending root-role transfer or renounce is cancelled.

Indexers can correlate this event with the prior DefaultAdminTransferScheduled or DefaultAdminRenounceScheduled event to identify which pending action was cancelled.

Emitted when a default-admin delay change is scheduled by begin_default_admin_delay_change.

new_delay_ms is the proposed new delay. schedule_after_ms is the earliest timestamp at which accept_default_admin_delay_change can apply it.

Emitted by cancel_default_admin_delay_change when a pending default-admin delay change is cancelled.

Raised when the caller or checked account does not hold the required role.

Raised when grant, revoke, renounce, or admin-change logic is used on the root role instead of the delayed root flows.

Raised when accept_default_admin_transfer, accept_default_admin_renounce, or cancel_default_admin_transfer expects a pending root transfer or renounce but none exists.

Raised when a caller other than the scheduled new root holder tries to accept a root transfer.

Raised when accept_default_admin_transfer, accept_default_admin_renounce, or accept_default_admin_delay_change is called before the pending action's timelock has elapsed.

Raised when renounce_role is called for an account other than ctx.sender().

Raised when the initial or scheduled default-admin delay exceeds max_default_admin_delay_ms().

Raised when new receives a value that is not a genuine OTW.

Raised when a write path or new_auth uses a role type from a module other than the root role's home module.

Raised when accept_default_admin_transfer is called while the pending root action is a renounce.

Raised when accept_default_admin_renounce is called while the pending root action is a transfer or there is no pending root action.

Raised when accepting or cancelling a default-admin delay change but no delay change is pending.

Raised when grant_role or begin_default_admin_transfer is called with @0x0 as the target address.

The zero address has no signing key, so a role granted to it can never be exercised and a root transfer scheduled to it can never be accepted.

Dynamic object-field key used to store the wrapped object under the wrapper.

Wrapper object that custody-locks an underlying object and controls transfer flow.

The wrapper intentionally omits store so transfer paths stay constrained to this module's logic.

Shared pending-transfer object storing wrapper identity, current owner (from), and prospective owner (to).

Wrapper custody is held by this request object through transfer-to-object (TTO) until accept/cancel resolution.

Hot-potato guard proving that a value taken via borrow_val is returned to the same wrapper.

Hot-potato guard proving a wrapper borrowed through a pending request is returned to that request.

Wraps obj in a new transfer wrapper. The wrapped object is stored as a dynamic object field so off-chain indexers can still discover the underlying object ID.

Emits a WrapExecuted event.

Returns immutable access to the wrapped object.

Returns mutable access to the wrapped object without changing ownership state.

Temporarily extracts the wrapped object and returns a Borrow guard that must be consumed by return_val.

Returns a previously borrowed object to the wrapper.

Aborts when wrapper/object identity checks fail.

Destroys the wrapper and returns the underlying object directly to the caller.

This bypasses pending-request flow and recovers direct ownership of the wrapped object.

Emits an UnwrapExecuted event.

Starts a transfer by creating a shared request and transferring wrapper custody to that request.

Security note: cancellation authority is tied to the initiating signer recorded as from. Only use this flow when the signer executing initiation is intentionally the logical owner/cancel authority.

Emits a TransferInitiated event.

Completes a pending transfer and sends the wrapper to the designated new owner.

Aborts if caller is not request.to or wrapper identity does not match.

Emits a TransferAccepted event.

Cancels a pending transfer and returns the wrapper to request.from.

Aborts if caller is not request.from or wrapper identity does not match.

Emits a TransferCancelled event.

Receives wrapper custody from a shared request so the recorded owner can operate on the wrapped object during a pending transfer.

Aborts if caller is not request.from or if request/wrapper identity checks fail.

Returns a wrapper borrowed via request_borrow_val back to the pending request.

Aborts if either wrapper or borrow does not match the target request.

Emitted when an object is wrapped.

Emitted when an object is unwrapped.

Emitted when a two-step transfer request is created.

Emitted when a pending transfer is accepted and ownership moves to the new owner.

Emitted when a pending transfer is cancelled.

Raised when request and wrapper identities do not match.

Raised when a Borrow guard is used against a different wrapper.

Raised when returning an object different from the one originally borrowed.

Raised when caller is not authorized as the current owner for the requested operation.

Raised when caller is not the designated prospective owner in accept_transfer.

Dynamic object-field key used to store the wrapped object under the wrapper.

Wrapper object storing min_delay_ms and optional pending schedule state.

Represents a scheduled transfer (recipient = some) or scheduled unwrap (recipient = none).

Hot-potato guard proving a value extracted with borrow_val is returned to the same wrapper.

Wraps obj in a delayed-transfer wrapper, records the minimum execution delay, and transfers initial wrapper custody to recipient.

The wrapped object is stored under a dynamic object field so object ID discovery remains straightforward for indexers.

Emits a WrapExecuted event.

Returns immutable access to the wrapped object.

Returns mutable access to the wrapped object.

Temporarily extracts the wrapped object and returns a guard that must be consumed by return_val.

Returns a previously borrowed object to its wrapper.

Aborts when wrapper/object identity checks fail.

Schedules a transfer to new_owner at clock.timestamp_ms() + min_delay_ms.

Aborts when another action is already scheduled.

Emits a TransferScheduled event.

Schedules delayed self-recovery (unwrap) of the wrapped object.

Aborts when another action is already scheduled.

Emits an UnwrapScheduled event.

Executes a scheduled transfer once delay has elapsed.

Consumes the wrapper.

Aborts when no transfer is scheduled, wrong action type is scheduled, or delay has not elapsed.

Emits an OwnershipTransferred event on success.

Executes a scheduled unwrap once delay has elapsed and returns the wrapped object.

Aborts when no unwrap is scheduled, wrong action type is scheduled, or delay has not elapsed.

Emits an UnwrapExecuted event.

Cancels the currently scheduled transfer or unwrap action.

Aborts when no action is pending.

Emits a PendingTransferCancelled event.

Emitted when an object is wrapped.

Emitted when a delayed transfer is scheduled.

Emitted when delayed unwrap is scheduled.

Emitted when scheduled transfer execution completes.

Emitted when pending schedule is cancelled.

Emitted when delayed unwrap execution completes.

Raised when trying to schedule while another action is already pending.

Raised when execution/cancellation is requested without pending state.

Raised when execution occurs before execute_after_ms.

Raised when calling transfer execution on unwrap state (or vice versa).

Raised when a Borrow guard is used against a different wrapper.

Raised when returning an object different from the one originally borrowed.