hypercall_admin/

testnet.rs

//! Testnet-only admin endpoints (feature `test-endpoints`).
//!
//! `POST /monitoring/test/agent-authorization` applies an agent authorization
//! directly through the engine channel, bypassing the EIP-712 signature flow.
//! It refuses to run unless the runtime is in testnet mode.

use axum::extract::State;
use axum::http::StatusCode;
use serde::{Deserialize, Serialize};
use utoipa::ToSchema;

use hypercall_runtime_api::error::ApiError;
use hypercall_runtime_api::sonic_json::SonicJson;
use hypercall_types::api_models::ApiResponse;
use hypercall_types::WalletAddress;

use crate::state::{AdminState, ENGINE_RESPONSE_TIMEOUT};

#[derive(Debug, Deserialize, ToSchema)]
pub struct TestAgentAuthorizationRequest {
    #[schema(value_type = String)]
    pub wallet: WalletAddress,
    #[schema(value_type = String)]
    pub agent: WalletAddress,
    pub approve: bool,
    pub nonce: u64,
}

#[derive(Debug, Serialize, ToSchema)]
pub struct TestAgentAuthorizationResponse {
    #[schema(value_type = String)]
    pub wallet: WalletAddress,
    #[schema(value_type = String)]
    pub agent: WalletAddress,
    pub approved: bool,
}

/// API envelope for testnet agent authorization updates.
#[derive(Debug, Serialize, ToSchema)]
pub struct TestAgentAuthorizationApiResponse {
    /// Whether the request succeeded.
    pub success: bool,
    pub data: Option<TestAgentAuthorizationResponse>,
    /// Error message, present on failure.
    pub error: Option<String>,
}

/// Apply testnet agent authorization.
#[utoipa::path(
    post,
    path = "/monitoring/test/agent-authorization",
    request_body = TestAgentAuthorizationRequest,
    responses(
        (status = 200, description = "Agent authorization applied", body = TestAgentAuthorizationApiResponse),
        (status = 403, description = "Not enabled (production mode)"),
        (status = 503, description = "Engine communication failure"),
        (status = 504, description = "Engine response timeout")
    ),
    tag = "Monitoring",
    security(("admin_key" = []))
)]
pub async fn apply_agent_authorization(
    State(state): State<AdminState>,
    SonicJson(request): SonicJson<TestAgentAuthorizationRequest>,
) -> Result<SonicJson<ApiResponse<TestAgentAuthorizationResponse>>, ApiError> {
    if !state.runtime_config.testnet_mode {
        return Err(ApiError::forbidden(
            "Agent authorization test endpoint requires testnet mode",
        ));
    }

    let (applied_tx, applied_rx) = tokio::sync::oneshot::channel();
    state
        .agent_auth_sender
        .send(hypercall_runtime_api::AgentAuthRequest {
            wallet: request.wallet,
            agent: request.agent,
            approve: request.approve,
            expires_at_ms: None,
            nonce: Some(request.nonce),
            applied_tx,
        })
        .await
        .map_err(|_| {
            ApiError::new(
                StatusCode::SERVICE_UNAVAILABLE,
                "service_unavailable",
                "agent authorization engine path closed",
            )
        })?;

    match tokio::time::timeout(ENGINE_RESPONSE_TIMEOUT, applied_rx).await {
        Ok(Ok(Ok(()))) => {}
        Ok(Ok(Err(error))) => return Ok(SonicJson(ApiResponse::error(error))),
        Ok(Err(_)) => {
            return Err(ApiError::new(
                StatusCode::SERVICE_UNAVAILABLE,
                "service_unavailable",
                "agent authorization apply dropped",
            ))
        }
        Err(_) => {
            return Err(ApiError::gateway_timeout(
                "agent authorization apply timed out",
            ))
        }
    }

    Ok(SonicJson(ApiResponse::success(
        TestAgentAuthorizationResponse {
            wallet: request.wallet,
            agent: request.agent,
            approved: request.approve,
        },
    )))
}