Skip to content

refactor(permission-controller)!: Add messenger alternative to restricted method hooks#8551

Merged
rekmarks merged 5 commits intomainfrom
rekm/restricted-method-messengers
Apr 24, 2026
Merged

refactor(permission-controller)!: Add messenger alternative to restricted method hooks#8551
rekmarks merged 5 commits intomainfrom
rekm/restricted-method-messengers

Conversation

@rekmarks
Copy link
Copy Markdown
Member

@rekmarks rekmarks commented Apr 22, 2026
edited
Loading

Explanation

Adds a messenger option to permission specification builders as an alternative to methodHooks, aligning spec builders with the messenger-based method middleware introduced in #8506. Restricted-method specs can now declare the root-messenger actions they need via actionNames and consume a minimally-scoped Messenger.

Incidentally, also removes the factoryHooks and validatorHooks fields from the spec builder surface. Both of these were unused in practice.

References

Checklist

  • I've updated the test suite for new or updated code as appropriate
  • I've updated documentation (JSDoc, Markdown, etc.) for new or updated code as appropriate
  • I've communicated my changes to consumers by updating changelogs for packages I've changed
  • I've introduced breaking changes in this PR and have prepared draft pull requests for clients and consumer packages to resolve them

Note

Medium Risk
Breaking type-surface changes to permission specification builders (removing factoryHooks/validatorHooks and adding optional scoped messenger) may require downstream updates; new messenger delegation logic could impact how restricted-method specs invoke host actions.

Overview
Restricted-method permission specification builders can now receive an optional scoped messenger (constructed from spec-declared actionNames) as an alternative to relying on methodHooks, enabling specs to call only explicitly-delegated host actions.

Introduces createRestrictedMethodMessenger (exported from the package) to create a child Messenger with a minimal delegated action surface, and adds tests covering delegation behavior and the new builder option. BREAKING: removes factoryHooks, validatorHooks, and related export fields from the permission specification builder API surface.

Reviewed by Cursor Bugbot for commit 1e2fe74. Bugbot is set up for automated code reviews on this repo. Configure here.

@rekmarks rekmarks force-pushed the rekm/restricted-method-messengers branch from 79ac65f to 1564307 Compare April 22, 2026 22:31
@rekmarks @claude
feat(permission-controller): add messenger option to spec builders
a44dfea 
Introduce a `messenger` option on permission specification builders and an
`actionNames` field on the builder export, letting restricted-method specs
receive a scoped messenger in place of `methodHooks`. Add
`createRestrictedMethodMessenger`, a utility that builds a minimally-scoped
child messenger with the spec's declared actions delegated from a root
messenger.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@rekmarks rekmarks changed the title refactor!: Remove validator and factory hooks refactor(permission-controller)!: Add messenger alternative to restricted method hooks Apr 22, 2026
@rekmarks
Copy link
Copy Markdown
Member Author

rekmarks commented Apr 22, 2026

@cursor review

cursor[bot]
cursor Bot reviewed Apr 22, 2026
View reviewed changes
Copy link
Copy Markdown

@cursor cursor Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

Reviewed by Cursor Bugbot for commit a44dfea. Configure here.

@rekmarks @claude
refactor(permission-controller): tighten createRestrictedMethodMessen…
6fd37f5 
…ger types

Overload createRestrictedMethodMessenger so callers that pass actionNames
get a non-nullable scoped messenger, require actionNames to be a non-empty
tuple of the root messenger's action types, and thread the namespace
through as a string literal. Tighten the spec builder export constraint's
actionNames to a non-empty tuple and improve related JSDoc and tests.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@rekmarks rekmarks marked this pull request as ready for review April 23, 2026 00:35
@rekmarks rekmarks requested review from a team as code owners April 23, 2026 00:35
FrederikBolding
FrederikBolding reviewed Apr 23, 2026
View reviewed changes
Comment thread packages/permission-controller/CHANGELOG.md Outdated
FrederikBolding
FrederikBolding reviewed Apr 23, 2026
View reviewed changes
Comment thread packages/permission-controller/src/Permission.ts Outdated
FrederikBolding
FrederikBolding reviewed Apr 23, 2026
View reviewed changes
Comment thread packages/permission-controller/src/Permission.ts
Copy link
Copy Markdown
Member

@FrederikBolding FrederikBolding Apr 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

More generally do we still want to keep PermittedHandlerExport or should that be replaced by MethodHandler?

Copy link
Copy Markdown
Member Author

@rekmarks rekmarks Apr 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This would be an improvement but it's orthogonal to this PR. Also not entirely clear to me if now is the time to force these methods onto JsonRpcEngineV2.

Copy link
Copy Markdown
Member

@FrederikBolding FrederikBolding Apr 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it is worth it to decide on this before we roll out this change. It can be done in a follow-up PR though

Copy link
Copy Markdown
Member Author

@rekmarks rekmarks Apr 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should probably just ship a non-breaking /v2 version of these methods if we do it.

FrederikBolding
FrederikBolding reviewed Apr 23, 2026
View reviewed changes
Comment thread packages/permission-controller/src/createRestrictedMethodMessenger.ts Outdated
FrederikBolding
FrederikBolding reviewed Apr 23, 2026
View reviewed changes
Comment thread packages/permission-controller/src/Permission.ts
* delegated to it; {@link createRestrictedMethodMessenger} is the canonical
* way to construct it.
*/
messenger?: SpecMessenger;
Copy link
Copy Markdown
Member

@FrederikBolding FrederikBolding Apr 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be nice if we could infer the messenger ala createMethodMiddleware, but it may be too much work to refactor. WDYT?

Copy link
Copy Markdown
Member Author

@rekmarks rekmarks Apr 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's too much work to refactor. We should just do #4238 instead.

@FrederikBolding
Copy link
Copy Markdown
Member

FrederikBolding commented Apr 24, 2026

@metamaskbot publish-preview

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Apr 24, 2026

Preview builds have been published. Learn how to use preview builds in other projects.

Expand for full list of packages and versions. 
@metamask-previews/account-tree-controller@7.1.0-preview-1e2fe74a0
@metamask-previews/accounts-controller@37.2.0-preview-1e2fe74a0
@metamask-previews/address-book-controller@7.1.1-preview-1e2fe74a0
@metamask-previews/ai-controllers@0.6.3-preview-1e2fe74a0
@metamask-previews/analytics-controller@1.0.1-preview-1e2fe74a0
@metamask-previews/analytics-data-regulation-controller@0.0.0-preview-1e2fe74a0
@metamask-previews/announcement-controller@8.1.0-preview-1e2fe74a0
@metamask-previews/app-metadata-controller@2.0.1-preview-1e2fe74a0
@metamask-previews/approval-controller@9.0.1-preview-1e2fe74a0
@metamask-previews/assets-controller@6.1.0-preview-1e2fe74a0
@metamask-previews/assets-controllers@104.3.0-preview-1e2fe74a0
@metamask-previews/authenticated-user-storage@1.0.0-preview-1e2fe74a0
@metamask-previews/base-controller@9.1.0-preview-1e2fe74a0
@metamask-previews/base-data-service@0.1.1-preview-1e2fe74a0
@metamask-previews/bridge-controller@70.2.0-preview-1e2fe74a0
@metamask-previews/bridge-status-controller@71.0.0-preview-1e2fe74a0
@metamask-previews/build-utils@3.0.4-preview-1e2fe74a0
@metamask-previews/chain-agnostic-permission@1.5.0-preview-1e2fe74a0
@metamask-previews/chomp-api-service@1.0.0-preview-1e2fe74a0
@metamask-previews/claims-controller@0.5.0-preview-1e2fe74a0
@metamask-previews/client-controller@1.0.1-preview-1e2fe74a0
@metamask-previews/compliance-controller@2.0.0-preview-1e2fe74a0
@metamask-previews/composable-controller@12.0.1-preview-1e2fe74a0
@metamask-previews/config-registry-controller@0.2.0-preview-1e2fe74a0
@metamask-previews/connectivity-controller@0.2.0-preview-1e2fe74a0
@metamask-previews/controller-utils@11.20.0-preview-1e2fe74a0
@metamask-previews/core-backend@6.2.1-preview-1e2fe74a0
@metamask-previews/delegation-controller@3.0.0-preview-1e2fe74a0
@metamask-previews/earn-controller@12.0.0-preview-1e2fe74a0
@metamask-previews/eip-5792-middleware@3.0.3-preview-1e2fe74a0
@metamask-previews/eip-7702-internal-rpc-middleware@0.1.0-preview-1e2fe74a0
@metamask-previews/eip1193-permission-middleware@1.0.3-preview-1e2fe74a0
@metamask-previews/ens-controller@19.1.1-preview-1e2fe74a0
@metamask-previews/eth-block-tracker@15.0.1-preview-1e2fe74a0
@metamask-previews/eth-json-rpc-middleware@23.1.2-preview-1e2fe74a0
@metamask-previews/eth-json-rpc-provider@6.0.1-preview-1e2fe74a0
@metamask-previews/foundryup@1.0.1-preview-1e2fe74a0
@metamask-previews/gas-fee-controller@26.1.1-preview-1e2fe74a0
@metamask-previews/gator-permissions-controller@4.0.0-preview-1e2fe74a0
@metamask-previews/geolocation-controller@0.1.2-preview-1e2fe74a0
@metamask-previews/json-rpc-engine@10.2.4-preview-1e2fe74a0
@metamask-previews/json-rpc-middleware-stream@8.0.8-preview-1e2fe74a0
@metamask-previews/keyring-controller@25.2.0-preview-1e2fe74a0
@metamask-previews/logging-controller@8.0.1-preview-1e2fe74a0
@metamask-previews/message-manager@14.1.1-preview-1e2fe74a0
@metamask-previews/messenger@1.1.1-preview-1e2fe74a0
@metamask-previews/messenger-cli@0.2.0-preview-1e2fe74a0
@metamask-previews/money-account-balance-service@0.2.0-preview-1e2fe74a0
@metamask-previews/money-account-controller@0.1.0-preview-1e2fe74a0
@metamask-previews/money-account-upgrade-controller@1.0.0-preview-1e2fe74a0
@metamask-previews/multichain-account-service@8.0.1-preview-1e2fe74a0
@metamask-previews/multichain-api-middleware@2.0.0-preview-1e2fe74a0
@metamask-previews/multichain-network-controller@3.0.6-preview-1e2fe74a0
@metamask-previews/multichain-transactions-controller@7.0.4-preview-1e2fe74a0
@metamask-previews/name-controller@9.1.1-preview-1e2fe74a0
@metamask-previews/network-controller@30.0.1-preview-1e2fe74a0
@metamask-previews/network-enablement-controller@5.0.2-preview-1e2fe74a0
@metamask-previews/notification-services-controller@23.1.0-preview-1e2fe74a0
@metamask-previews/permission-controller@12.3.0-preview-1e2fe74a0
@metamask-previews/permission-log-controller@5.1.0-preview-1e2fe74a0
@metamask-previews/perps-controller@4.0.0-preview-1e2fe74a0
@metamask-previews/phishing-controller@17.1.1-preview-1e2fe74a0
@metamask-previews/polling-controller@16.0.4-preview-1e2fe74a0
@metamask-previews/preferences-controller@23.1.0-preview-1e2fe74a0
@metamask-previews/profile-metrics-controller@3.1.3-preview-1e2fe74a0
@metamask-previews/profile-sync-controller@28.0.2-preview-1e2fe74a0
@metamask-previews/ramps-controller@13.2.0-preview-1e2fe74a0
@metamask-previews/rate-limit-controller@7.0.1-preview-1e2fe74a0
@metamask-previews/react-data-query@0.2.0-preview-1e2fe74a0
@metamask-previews/remote-feature-flag-controller@4.2.0-preview-1e2fe74a0
@metamask-previews/sample-controllers@4.0.4-preview-1e2fe74a0
@metamask-previews/seedless-onboarding-controller@9.1.0-preview-1e2fe74a0
@metamask-previews/selected-network-controller@26.1.0-preview-1e2fe74a0
@metamask-previews/shield-controller@5.1.1-preview-1e2fe74a0
@metamask-previews/signature-controller@39.2.0-preview-1e2fe74a0
@metamask-previews/social-controllers@2.0.0-preview-1e2fe74a0
@metamask-previews/storage-service@1.0.1-preview-1e2fe74a0
@metamask-previews/subscription-controller@6.1.2-preview-1e2fe74a0
@metamask-previews/transaction-controller@64.3.0-preview-1e2fe74a0
@metamask-previews/transaction-pay-controller@19.3.0-preview-1e2fe74a0
@metamask-previews/user-operation-controller@41.2.0-preview-1e2fe74a0

@rekmarks rekmarks mentioned this pull request Apr 24, 2026
Closed
@rekmarks rekmarks added this pull request to the merge queue Apr 24, 2026
Merged via the queue into main with commit bd5249d Apr 24, 2026
358 checks passed
@rekmarks rekmarks deleted the rekm/restricted-method-messengers branch April 24, 2026 19:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

@FrederikBolding FrederikBolding FrederikBolding approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@rekmarks @FrederikBolding