malbeclabs
diff --git a/‎CHANGELOG.md‎
Lines changed: 6 additions & 1 deletion b/‎CHANGELOG.md‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎activator/src/process/user.rs‎
Lines changed: 4 additions & 4 deletions b/‎activator/src/process/user.rs‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎smartcontract/programs/doublezero-serviceability/src/instructions.rs‎
Lines changed: 0 additions & 1 deletion b/‎smartcontract/programs/doublezero-serviceability/src/instructions.rs‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎smartcontract/programs/doublezero-serviceability/src/processors/accesspass/close.rs‎
Lines changed: 13 additions & 5 deletions b/‎smartcontract/programs/doublezero-serviceability/src/processors/accesspass/close.rs‎
Lines changed: 13 additions & 5 deletions
diff --git a/‎smartcontract/programs/doublezero-serviceability/src/processors/accesspass/set.rs‎
Lines changed: 10 additions & 12 deletions b/‎smartcontract/programs/doublezero-serviceability/src/processors/accesspass/set.rs‎
Lines changed: 10 additions & 12 deletions
diff --git a/‎smartcontract/programs/doublezero-serviceability/src/processors/multicastgroup/subscribe.rs‎
Lines changed: 76 additions & 99 deletions b/‎smartcontract/programs/doublezero-serviceability/src/processors/multicastgroup/subscribe.rs‎
Lines changed: 76 additions & 99 deletions
diff --git a/‎smartcontract/programs/doublezero-serviceability/src/processors/user/ban.rs‎
Lines changed: 9 additions & 4 deletions b/‎smartcontract/programs/doublezero-serviceability/src/processors/user/ban.rs‎
Lines changed: 9 additions & 4 deletions
@@ -8,6 +8,12 @@ All notable changes to this project will be documented in this file.
 
 ### Changes
 
+- Onchain Programs
+  - Serviceability: add `Permission` account with `CreatePermission`, `UpdatePermission`, `DeletePermission`, `SuspendPermission`, and `ResumePermission` instructions for managing per-keypair permission bitmasks onchain
+- SDK
+  - Split `execute_transaction` into `execute_transaction` (no auth) and `execute_authorized_transaction` (injects Permission PDA) to avoid breaking processors that use `accounts.len()` for optional-account detection
+- CLI
+  - Add `permission get`, `permission list`, and `permission set` commands with table and JSON output; `permission set` supports incremental `--add` / `--remove` flags and creates or updates the account as needed
 - Activator
   - Suppress noisy program log output from race conditions caused by dual event processing (websocket + snapshot poll). The SDK's new `execute_transaction_quiet` returns a `SimulationError` with program logs; the activator verifies suspected races by re-fetching user state before deciding whether to print logs ([#3197](https://github.com/malbeclabs/doublezero/pull/3197))
 - Telemetry
@@ -62,7 +68,6 @@ All notable changes to this project will be documented in this file.
   - Serviceability: DeleteUser instruction supports atomic deallocate+closeaccount when OnchainAllocation feature is enabled
   - Serviceability: CreateLink instruction supports atomic create+allocate+activate when OnchainAllocation feature is enabled
   - Serviceability: DeleteLink instruction supports atomic deallocate+closeaccount when OnchainAllocation feature is enabled
-  - Serviceability: CreateSubscribeUser instruction supports atomic create+allocate+activate when OnchainAllocation feature is enabled
 
 ## [v0.9.0](https://github.com/malbeclabs/doublezero/compare/client/v0.8.11...client/v0.9.0) - 2026-02-27
 
 
@@ -1765,7 +1765,7 @@ mod tests {
             UserStatus::Deleting,
             |user_service, _, seq| {
                 user_service
-                    .expect_execute_transaction_quiet()
+                    .expect_execute_authorized_transaction()
                     .times(1)
                     .in_sequence(seq)
                     .with(
@@ -1789,7 +1789,7 @@ mod tests {
             UserStatus::PendingBan,
             |user_service, _, seq| {
                 user_service
-                    .expect_execute_transaction_quiet()
+                    .expect_execute_authorized_transaction()
                     .times(1)
                     .in_sequence(seq)
                     .with(
@@ -2837,7 +2837,7 @@ mod tests {
 
             // Stateless mode: use_onchain_deallocation=true
             client
-                .expect_execute_transaction_quiet()
+                .expect_execute_authorized_transaction()
                 .times(1)
                 .in_sequence(&mut seq)
                 .with(
@@ -2941,7 +2941,7 @@ mod tests {
                 .returning(move |_| Ok(AccountData::User(user2.clone())));
 
             client
-                .expect_execute_transaction_quiet()
+                .expect_execute_authorized_transaction()
                 .times(1)
                 .in_sequence(&mut seq)
                 .with(
 
@@ -1035,7 +1035,6 @@ mod tests {
                 publisher: false,
                 subscriber: true,
                 tunnel_endpoint: Ipv4Addr::UNSPECIFIED,
-                dz_prefix_count: 0,
             }),
             "CreateSubscribeUser",
         );
 
@@ -1,7 +1,11 @@
 use crate::{
+    authorize::authorize,
     error::DoubleZeroError,
     serializer::try_acc_close,
-    state::{accesspass::AccessPass, accounttype::AccountType, globalstate::GlobalState},
+    state::{
+        accesspass::AccessPass, accounttype::AccountType, globalstate::GlobalState,
+        permission::permission_flags,
+    },
 };
 use borsh::BorshSerialize;
 use borsh_incremental::BorshDeserializeIncremental;
@@ -70,11 +74,15 @@ pub fn process_close_access_pass(
         "Invalid System Program Account Owner"
     );
 
-    // Parse the global state account & check if the payer is in the allowlist
+    // Parse the global state account & check authorization
     let globalstate = GlobalState::try_from(globalstate_account)?;
-    if !globalstate.foundation_allowlist.contains(payer_account.key) {
-        return Err(DoubleZeroError::NotAllowed.into());
-    }
+    authorize(
+        program_id,
+        accounts_iter,
+        payer_account.key,
+        &globalstate,
+        permission_flags::ACCESS_PASS_ADMIN,
+    )?;
 
     if let Ok(data) = accesspass_account.try_borrow_data() {
         let account_type: AccountType = data[0].into();
 
@@ -1,4 +1,5 @@
 use crate::{
+    authorize::authorize,
     error::DoubleZeroError,
     pda::*,
     seeds::{SEED_ACCESS_PASS, SEED_PREFIX},
@@ -7,6 +8,7 @@ use crate::{
         accesspass::{AccessPass, AccessPassStatus, AccessPassType, ALLOW_MULTIPLE_IP, IS_DYNAMIC},
         accounttype::AccountType,
         globalstate::GlobalState,
+        permission::permission_flags,
         tenant::Tenant,
     },
 };
@@ -107,19 +109,15 @@ pub fn process_set_access_pass(
         "Invalid System Program Account Owner"
     );
 
-    // Parse the global state account & check if the payer is in the allowlist
+    // Parse the global state account & check authorization
     let globalstate = GlobalState::try_from(globalstate_account)?;
-    if globalstate.sentinel_authority_pk != *payer_account.key
-        && !globalstate.foundation_allowlist.contains(payer_account.key)
-    {
-        msg!(
-            "sentinel_authority_pk: {} payer: {} foundation_allowlist: {:?}",
-            globalstate.sentinel_authority_pk,
-            payer_account.key,
-            globalstate.foundation_allowlist
-        );
-        return Err(DoubleZeroError::NotAllowed.into());
-    }
+    authorize(
+        program_id,
+        accounts_iter,
+        payer_account.key,
+        &globalstate,
+        permission_flags::ACCESS_PASS_ADMIN,
+    )?;
 
     if let AccessPassType::SolanaValidator(node_id) = value.accesspass_type {
         if node_id == Pubkey::default() {
 
@@ -14,7 +14,6 @@ use solana_program::{
     account_info::{next_account_info, AccountInfo},
     entrypoint::ProgramResult,
     msg,
-    program_error::ProgramError,
     pubkey::Pubkey,
 };
 use std::{fmt, net::Ipv4Addr};
@@ -36,90 +35,6 @@ impl fmt::Debug for MulticastGroupSubscribeArgs {
     }
 }
 
-pub struct SubscribeUserResult {
-    pub mgroup: MulticastGroup,
-    /// True if the publisher list transitioned between empty and non-empty
-    /// (gained first publisher or lost last publisher). Callers that need to
-    /// trigger activator reprocessing should check this flag.
-    pub publisher_list_transitioned: bool,
-}
-
-/// Toggle a user's multicast group subscription.
-///
-/// Handles both create-time subscription (user lists start empty, only adds)
-/// and post-activation subscription changes (add/remove toggle). The caller is
-/// responsible for setting `user.status = Updating` when
-/// `publisher_list_transitioned` is true and the user is already activated.
-pub fn subscribe_user_to_multicastgroup(
-    mgroup_account: &AccountInfo,
-    accesspass: &AccessPass,
-    user: &mut User,
-    publisher: bool,
-    subscriber: bool,
-) -> Result<SubscribeUserResult, ProgramError> {
-    let mut mgroup = MulticastGroup::try_from(mgroup_account)?;
-    if mgroup.status != MulticastGroupStatus::Activated {
-        msg!("MulticastGroupStatus: {:?}", mgroup.status);
-        return Err(DoubleZeroError::InvalidStatus.into());
-    }
-
-    // Check allowlists for additions
-    if publisher && !accesspass.mgroup_pub_allowlist.contains(mgroup_account.key) {
-        msg!("{:?}", accesspass);
-        return Err(DoubleZeroError::NotAllowed.into());
-    }
-    if subscriber && !accesspass.mgroup_sub_allowlist.contains(mgroup_account.key) {
-        msg!("{:?}", accesspass);
-        return Err(DoubleZeroError::NotAllowed.into());
-    }
-
-    let mut publisher_list_transitioned = false;
-
-    // Manage the publisher list
-    match publisher {
-        true => {
-            if !user.publishers.contains(mgroup_account.key) {
-                let was_empty = user.publishers.is_empty();
-                mgroup.publisher_count = mgroup.publisher_count.saturating_add(1);
-                user.publishers.push(*mgroup_account.key);
-                if was_empty {
-                    publisher_list_transitioned = true;
-                }
-            }
-        }
-        false => {
-            if user.publishers.contains(mgroup_account.key) {
-                mgroup.publisher_count = mgroup.publisher_count.saturating_sub(1);
-                user.publishers.retain(|&x| x != *mgroup_account.key);
-                if user.publishers.is_empty() {
-                    publisher_list_transitioned = true;
-                }
-            }
-        }
-    }
-
-    // Manage the subscriber list
-    match subscriber {
-        true => {
-            if !user.subscribers.contains(mgroup_account.key) {
-                mgroup.subscriber_count = mgroup.subscriber_count.saturating_add(1);
-                user.subscribers.push(*mgroup_account.key);
-            }
-        }
-        false => {
-            if user.subscribers.contains(mgroup_account.key) {
-                mgroup.subscriber_count = mgroup.subscriber_count.saturating_sub(1);
-                user.subscribers.retain(|&x| x != *mgroup_account.key);
-            }
-        }
-    }
-
-    Ok(SubscribeUserResult {
-        mgroup,
-        publisher_list_transitioned,
-    })
-}
-
 pub fn process_subscribe_multicastgroup(
     program_id: &Pubkey,
     accounts: &[AccountInfo],
@@ -163,7 +78,15 @@ pub fn process_subscribe_multicastgroup(
     );
     assert!(user_account.is_writable, "user account is not writable");
 
-    // Parse and validate user
+    // Parse accounts
+    let mut mgroup: MulticastGroup = MulticastGroup::try_from(mgroup_account)?;
+    if mgroup.status != MulticastGroupStatus::Activated {
+        #[cfg(test)]
+        msg!("MulticastGroupStatus: {:?}", mgroup.status);
+
+        return Err(DoubleZeroError::InvalidStatus.into());
+    }
+
     let mut user: User = User::try_from(user_account)?;
     if user.status != UserStatus::Activated && user.status != UserStatus::Updating {
         msg!("UserStatus: {:?}", user.status);
@@ -193,22 +116,76 @@ pub fn process_subscribe_multicastgroup(
         return Err(DoubleZeroError::Unauthorized.into());
     }
 
-    let result = subscribe_user_to_multicastgroup(
-        mgroup_account,
-        &accesspass,
-        &mut user,
-        value.publisher,
-        value.subscriber,
-    )?;
-
-    // Trigger activator reprocessing when publisher list transitions
-    // (gaining first publisher requires dz_ip allocation, losing last means it's no longer needed)
-    if result.publisher_list_transitioned {
-        user.status = UserStatus::Updating;
+    // Check if the user is in the allowlist
+    if value.publisher && !accesspass.mgroup_pub_allowlist.contains(mgroup_account.key) {
+        msg!("{:?}", accesspass);
+        return Err(DoubleZeroError::NotAllowed.into());
+    }
+    if value.subscriber && !accesspass.mgroup_sub_allowlist.contains(mgroup_account.key) {
+        msg!("{:?}", accesspass);
+        return Err(DoubleZeroError::NotAllowed.into());
+    }
+
+    // Manage the publisher lists
+    match value.publisher {
+        true => {
+            if !user.publishers.contains(mgroup_account.key) {
+                let was_empty = user.publishers.is_empty();
+                // Increment publisher count
+                mgroup.publisher_count = mgroup.publisher_count.saturating_add(1);
+                // Add multicast group to user's publisher list
+                user.publishers.push(*mgroup_account.key);
+                // Only trigger activator reprocessing when gaining first publisher
+                // (activator needs to allocate dz_ip)
+                if was_empty {
+                    user.status = UserStatus::Updating;
+                }
+            }
+        }
+        false => {
+            if user.publishers.contains(mgroup_account.key) {
+                // Decrement publisher count
+                mgroup.publisher_count = mgroup.publisher_count.saturating_sub(1);
+                // Remove multicast group from user's publisher list
+                user.publishers.retain(|&x| x != *mgroup_account.key);
+                // Trigger activator reprocessing when losing last publisher
+                // (dz_ip no longer needed)
+                if user.publishers.is_empty() {
+                    user.status = UserStatus::Updating;
+                }
+            }
+        }
+    }
+
+    // Manage the subscriber lists
+    match value.subscriber {
+        true => {
+            if !user.subscribers.contains(mgroup_account.key) {
+                // Increment subscriber count
+                mgroup.subscriber_count = mgroup.subscriber_count.saturating_add(1);
+                // Add multicast group to user's subscriber list
+                user.subscribers.push(*mgroup_account.key);
+                // No activator reprocessing needed for subscriber changes
+                // (subscriber groups don't affect tunnel or dz_ip config)
+            }
+        }
+        false => {
+            if user.subscribers.contains(mgroup_account.key) {
+                // Decrement subscriber count
+                mgroup.subscriber_count = mgroup.subscriber_count.saturating_sub(1);
+                // Remove multicast group from user's subscriber list
+                user.subscribers.retain(|&x| x != *mgroup_account.key);
+            }
+        }
     }
 
-    try_acc_write(&result.mgroup, mgroup_account, payer_account, accounts)?;
+    try_acc_write(&mgroup, mgroup_account, payer_account, accounts)?;
     try_acc_write(&user, user_account, payer_account, accounts)?;
 
+    #[cfg(test)]
+    msg!("Updated: {:?}", mgroup);
+    #[cfg(test)]
+    msg!("Updated: {:?}", user_account);
+
     Ok(())
 }
@@ -1,7 +1,8 @@
 use crate::{
+    authorize::authorize,
     error::DoubleZeroError,
     serializer::try_acc_write,
-    state::{globalstate::GlobalState, user::*},
+    state::{globalstate::GlobalState, permission::permission_flags, user::*},
 };
 use borsh::BorshSerialize;
 use borsh_incremental::BorshDeserializeIncremental;
@@ -56,9 +57,13 @@ pub fn process_ban_user(
     assert!(user_account.is_writable, "PDA Account is not writable");
 
     let globalstate = GlobalState::try_from(globalstate_account)?;
-    if globalstate.activator_authority_pk != *payer_account.key {
-        return Err(DoubleZeroError::NotAllowed.into());
-    }
+    authorize(
+        program_id,
+        accounts_iter,
+        payer_account.key,
+        &globalstate,
+        permission_flags::USER_ADMIN,
+    )?;
 
     let mut user: User = User::try_from(user_account)?;
     if user.status != UserStatus::PendingBan {