fix(validation): enforce fee payer policy for ALT instructions

[dev-jodee]

Summary

• add explicit ALT parsing and typed ALT instruction classification
• enforce validation.fee_payer_policy.alt flags for create, extend, freeze, deactivate, and close when fee payer is authority or payer
• add ALT policy warnings in config validation and expand validator/parser tests
• expose ALT policy in getConfig responses and update shipped TOML configs with explicit ALT defaults

Test Plan (if applicable)

• just fmt
• just check
• cargo test -p kora-lib test_parse_alt_instructions -- --nocapture
• cargo test -p kora-lib test_fee_payer_policy_alt_ -- --nocapture
• cargo test -p kora-lib test_validate_with_result_fee_payer_policy_warnings -- --nocapture
• cargo test -p kora-lib test_get_config_success -- --nocapture

Breaking Changes (if applicable)

• none

---

📊 Unit Test Coverage

Unit Test Coverage: 84.8%

View Detailed Coverage Report

[github-actions]

📊 TypeScript Coverage Report

Coverage: 33.9%

View detailed report

Coverage artifacts have been uploaded to this workflow run.
View Artifacts

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 6 additional findings.

[greptile-apps]

Greptile Summary

This PR enforces fee-payer policy for Address Lookup Table instructions by adding a new AltInstructionPolicy (5 flags: create, extend, freeze, deactivate, close), all defaulting to false (deny), with parsing logic in instruction_util.rs, enforcement in transaction_validator.rs, config-validator warnings, and updated shipped TOML configs.

Existing deployments without an explicit [validation.fee_payer_policy.alt] section will have ALT fee-payer operations blocked by default after upgrading — worth treating as a behavioral change in release notes even if real-world operator impact is limited.

Confidence Score: 5/5

Safe to merge; implementation is logically correct and secure-by-default ALT policy is appropriate

All findings are P2 (style and testing gaps). Parsing logic, account-index constants, and per-instruction enforcement conditions are correct. The false default for all ALT flags is consistent with every other policy field in the codebase.

crates/lib/src/config.rs (add #[serde(default)] to AltInstructionPolicy) and crates/lib/src/validator/transaction_validator.rs (add validator tests for Extend, Deactivate, and Close policy enforcement)

Important Files Changed

Filename	Overview
crates/lib/src/transaction/instruction_util.rs	Adds parse_alt_instructions; ExtendLookupTable account-count guard (reject count==3, accept 2 or >=4) is correct per Solana ALT spec; parse tests exist for Freeze and Extend but validator-level policy tests for Extend/Deactivate/Close are absent
crates/lib/src/validator/transaction_validator.rs	Enforces ALT fee-payer policy for all 5 instruction types; optional-payer handled correctly with is_some_and; validator tests only cover Freeze and Create
crates/lib/src/config.rs	Adds AltInstructionPolicy with 5 bool flags defaulting to false; missing #[serde(default)] unlike SystemInstructionPolicy
crates/lib/src/validator/config_validator.rs	Adds ALT policy security warnings to validate_fee_payer_policy macro, consistent with existing System/SPL/Token2022 patterns
crates/lib/src/transaction/versioned_transaction.rs	Adds parsed_alt_instructions cache field and get_or_parse_alt_instructions() following the established lazy-parse pattern
crates/lib/src/constant.rs	Adds ALT instruction account index constants for all 5 operations with correct account counts
crates/lib/src/rpc_server/method/get_config.rs	Test assertions added for all 5 ALT policy defaults (all false)
crates/lib/src/tests/config_mock.rs	FeePayerPolicyBuilder updated with explicit AltInstructionPolicy field initialization
kora.toml	Ships with explicit [validation.fee_payer_policy.alt] section, all flags false by default with inline comments

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Transaction submitted] --> B[get_or_parse_alt_instructions]
    B --> C{ALT program instructions found?}
    C -- No --> D[Skip ALT validation]
    C -- Yes --> E{Instruction type}
    E -- CreateLookupTable --> F{authority == fee_payer OR payer == fee_payer?}
    E -- ExtendLookupTable --> G{authority == fee_payer OR optional payer == fee_payer?}
    E -- FreezeLookupTable --> H{authority == fee_payer?}
    E -- DeactivateLookupTable --> I{authority == fee_payer?}
    E -- CloseLookupTable --> J{authority == fee_payer?}
    F -- Yes --> K{allow_create?}
    G -- Yes --> L{allow_extend?}
    H -- Yes --> M{allow_freeze?}
    I -- Yes --> N{allow_deactivate?}
    J -- Yes --> O{allow_close?}
    K -- No --> P[Error: fee payer not allowed]
    L -- No --> P
    M -- No --> P
    N -- No --> P
    O -- No --> P
    K -- Yes --> Q[OK]
    L -- Yes --> Q
    M -- Yes --> Q
    N -- Yes --> Q
    O -- Yes --> Q
    F -- No --> Q
    G -- No --> Q
    H -- No --> Q
    I -- No --> Q
    J -- No --> Q

Loading

_{Reviews (1): Last reviewed commit: "fix(validation): enforce fee payer polic..." | Re-trigger Greptile}