Merge pull request #219 from Sam-Rytech/test/require-auth-sweep

greatest0fallt1me · web-flow · commit e9b0ea9d3f35 · 2026-03-31T11:01:35.000+05:30
test: require_auth coverage sweep across contracts
diff --git a/SECURITY.md b/SECURITY.md
@@ -165,3 +165,22 @@ Before any mainnet deployment:
 ---
 
 **Note**: This checklist should be reviewed and updated regularly as new security patterns emerge and the codebase evolves.
+
+## require_auth() Audit (Issue #160)
+
+All privileged entrypoints across `vault`, `revenue_pool`, and `settlement` contracts
+have been audited for `require_auth()` coverage as part of Issue #160.
+
+### Findings
+- All privileged functions call `require_auth()` on the caller before executing. ✅
+- Negative tests added to each crate's `test.rs` confirming unauthenticated calls are rejected.
+
+### Intentional Exceptions
+| Contract   | Function         | Reason |
+|------------|------------------|--------|
+| settlement | `init()`         | One-time initializer guarded by already-initialized panic; no auth required by design. |
+| vault      | `require_owner()`| Internal helper using `assert!` for address equality. All public callers invoke `caller.require_auth()` before calling this helper, so host-level auth is enforced transitively. Documented gap: `require_owner` itself does not call `require_auth()`. |
+
+### Cross-reference
+- Audit branch: `test/require-auth-sweep`
+- Tests: `contracts/vault/src/test.rs`, `contracts/revenue_pool/src/test.rs`, `contracts/settlement/src/test.rs`
diff --git a/contracts/settlement/src/test.rs b/contracts/settlement/src/test.rs
@@ -17,6 +17,7 @@ mod settlement_tests {
         let addr = env.register(CalloraSettlement, ());
         let client = CalloraSettlementClient::new(&env, &addr);
         client.init(&admin, &vault);
+        let third_party = Address::generate(&env);
         (env, addr, admin, vault, third_party)
     }
 

Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,7 @@ mod settlement_tests {`
`17`	`17`	`let addr = env.register(CalloraSettlement, ());`
`18`	`18`	`let client = CalloraSettlementClient::new(&env, &addr);`
`19`	`19`	`client.init(&admin, &vault);`
	`20`	`+ let third_party = Address::generate(&env);`
`20`	`21`	`(env, addr, admin, vault, third_party)`
`21`	`22`	`}`
`22`	`23`