A comprehensive, registry-based access control system for Sui Move.
"Monban" (門番) is Japanese for "gatekeeper". This library provides a standard way to restrict access to your Move functions based on the package ID of the caller, enabling dynamic, composable allow-lists without hardcoding addresses or relying on public(friend).
In the Sui ecosystem, you often need to protect sensitive functions (e.g., minting tokens, updating configs, withdrawing funds). Standard Move access control patterns have limitations:
public: Accessible by anyone, including malicious contracts.public(package): Only accessible within your own package. Too restrictive for composability.public(friend): Only accessible by modules explicitly declared as friends. This creates a circular dependency or requires you to know all your consumers at compile time.Capabilities(Objects): Powerful, but passing objects around can be cumbersome for inter-package calls, and managing capability distribution is complex.
What if you want to let a specific external package call your function, but you want to decide which package at runtime?
Monban solves this by introducing a dynamic Access Registry.
- Registry: You create an
AccessRegistry(shared object) for your package. - Whitelisting: You (the admin) add the Package IDs of allowed callers to this registry.
- Witness: The caller creates a
Witness—proof of their identity—using a One-Time Witness (OTW) or any dropped struct from their package. - Verification: Your protected function checks the
Witnessagainst theAccessRegistry.
Because Move structs can only be created by the module that defines them, a Witness created from a struct P::M::MyStruct irrevocably proves the call originated from package P.
Option A: Git Dependency
Add monban to your Move.toml:
[dependencies]
monban = { git = "https://github.com/blockchainBard101/monban.git", rev = "testnet/v2" }Option B: Using MVR (Recommended) Using MVR (Recommended)
mvr add @pkg/monbanInitialize the registry in your module's init function:
module my_package::my_package;
use monban::monban::{Self, Witness};
public struct MY_PACKAGE has drop {}
public struct Marker has drop, store {}
fun init(otw: MY_PACKAGE, ctx: &mut TxContext) {
// Create registry and send AdminCap to deployer
monban::create_and_claim(otw, Marker {}, ctx);
}
Require an AccessRegistry and a Witness in your public functions:
public fun protected_action(
registry: &monban::AccessRegistry<Marker>,
witness: Witness
) {
// Verify allowed access (aborts if unauthorized)
monban::verify_access(registry, witness);
// ... Your sensitive logic here ...
}Use the AdminCap to whitelist a package (e.g., created via a script or CLI):
# Get the Package ID of the caller you want to allow (e.g., 0xabc...def)
sui client call \
--package $MONBAN_PACKAGE_ID \
--module monban \
--function whitelist_package \
--args $REGISTRY_ID $ADMIN_CAP_ID "0xabc...def" \
--type-args "$MONBAN_PACKAGE_ID::my_package::Marker" \
--gas-budget 10000000The allowed package simply needs to pass any of its own structs to prove its identity:
module allowed_package::caller {
use my_package::my_package::{Self, Marker};
use monban::monban::{Self, AccessRegistry};
// A throwaway struct just for the witness
public struct MyWitness has drop {}
public fun execute_call(registry: &AccessRegistry<Marker>) {
// 1. Create a witness from the passed struct
let witness = monban::create_witness(MyWitness {});
// Pass our own struct. Monban extracts our Package ID from this.
my_package::protected_action(registry, witness);
}
}Creates a new shared AccessRegistry and returns an AdminCap. Must be called with a One-Time Witness.
Adds a package ID (string, e.g., "0x123...abc") to the allowed list.
Removes a package ID from the allowed list.
Converts any drop struct W into a Witness object containing W's package ID.
Checks if the Witness's package ID is in the AccessRegistry. Aborts with EUnauthorized if not.
For full working examples, see: