Feature gate permissioned signer

[runtian-zhou]

Description

Adds support for permissioned signer functionality in the Aptos framework by introducing a new feature flag PERMISSIONED_SIGNER. This change enables controlled access to signer capabilities through permission checks. The implementation includes feature flag assertions in the permissioned signer module to ensure the feature is enabled before use.

How Has This Been Tested?

The feature flag implementation follows established patterns used for other feature flags in the system. Testing is enforced through the existing feature flag testing infrastructure.

Key Areas to Review

• Feature flag integration in permissioned_signer.move
• New permission checks added to signer_from_permissioned_handle and signer_from_storable_permissioned_handle
• Feature flag constant definition and helper functions in features.move

Type of Change

• New feature
• Aptos Framework

Which Components or Systems Does This Change Impact?

• Move/Aptos Virtual Machine
• Aptos Framework

Checklist

• I have read and followed the CONTRIBUTING doc
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation

[trunk-io]

⏱️ 35m total CI duration on this PR

Job	Cumulative Duration	Recent Runs
rust-move-tests	14m	🟩
rust-move-tests	13m	🟩
rust-cargo-deny	3m	🟩 🟩
check-dynamic-deps	2m	🟩 🟩
general-lints	58s	🟩 🟩
semgrep/ci	57s	🟩 🟩
file_change_determinator	32s	🟩 🟩
permission-check	10s	🟩 🟩
permission-check	6s	🟩 🟩
check-branch-prefix	1s	🟩

_{settings ⋅ feedback ⋅ docs ⋅ learn more about trunk.io}

[runtian-zhou]

• Add permission check to account #14535
• Feature gate permissioned signer #15622 👈 (View in Graphite)
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[igor-aptos]

relooking - this is not gated properly:

• nobody should be able to make a native call before feature is enabled. so is_permissioned_signer needs to be gated, and also all places that call permission_address - though those seem to be conditional to is_permissioned_signer as far as I can see
• we should also gate create_permissioned_handle and create_storable_permissioned_handle

[github-actions]

✅ Forge suite compat success on 6593fb81261f25490ffddc2252a861c994234c2a ==> 54d5d9941638c535e0f196c59ece4176ed14097e

Compatibility test results for 6593fb81261f25490ffddc2252a861c994234c2a ==> 54d5d9941638c535e0f196c59ece4176ed14097e (PR)
1. Check liveness of validators at old version: 6593fb81261f25490ffddc2252a861c994234c2a
compatibility::simple-validator-upgrade::liveness-check : committed: 17128.94 txn/s, latency: 2028.38 ms, (p50: 1900 ms, p70: 2100, p90: 2600 ms, p99: 4500 ms), latency samples: 571880
2. Upgrading first Validator to new version: 54d5d9941638c535e0f196c59ece4176ed14097e
compatibility::simple-validator-upgrade::single-validator-upgrading : committed: 4667.84 txn/s, latency: 6600.03 ms, (p50: 7400 ms, p70: 7800, p90: 8100 ms, p99: 8200 ms), latency samples: 96140
compatibility::simple-validator-upgrade::single-validator-upgrade : committed: 4931.70 txn/s, latency: 7005.23 ms, (p50: 7600 ms, p70: 7700, p90: 7900 ms, p99: 8100 ms), latency samples: 174300
3. Upgrading rest of first batch to new version: 54d5d9941638c535e0f196c59ece4176ed14097e
compatibility::simple-validator-upgrade::half-validator-upgrading : committed: 4504.26 txn/s, latency: 6836.74 ms, (p50: 7600 ms, p70: 8200, p90: 8500 ms, p99: 8600 ms), latency samples: 93380
compatibility::simple-validator-upgrade::half-validator-upgrade : committed: 4439.37 txn/s, latency: 7647.87 ms, (p50: 8600 ms, p70: 8600, p90: 8900 ms, p99: 9100 ms), latency samples: 156200
4. upgrading second batch to new version: 54d5d9941638c535e0f196c59ece4176ed14097e
compatibility::simple-validator-upgrade::rest-validator-upgrading : committed: 7829.86 txn/s, latency: 3828.79 ms, (p50: 4000 ms, p70: 4400, p90: 5400 ms, p99: 5900 ms), latency samples: 145220
compatibility::simple-validator-upgrade::rest-validator-upgrade : committed: 8298.59 txn/s, latency: 4069.05 ms, (p50: 4100 ms, p70: 4700, p90: 4900 ms, p99: 5200 ms), latency samples: 279060
5. check swarm health
Compatibility test for 6593fb81261f25490ffddc2252a861c994234c2a ==> 54d5d9941638c535e0f196c59ece4176ed14097e passed
Test Ok

• Grafana dashboard
• Humio Logs
• Axiom Logs
• Validator CPU Profile
• Fullnode CPU Profile
• Test runner output
• Test run is land-blocking

[github-actions]

✅ Forge suite realistic_env_max_load success on 54d5d9941638c535e0f196c59ece4176ed14097e

two traffics test: inner traffic : committed: 14923.65 txn/s, latency: 2660.68 ms, (p50: 2700 ms, p70: 2700, p90: 2800 ms, p99: 3000 ms), latency samples: 5674300
two traffics test : committed: 100.00 txn/s, latency: 1362.61 ms, (p50: 1300 ms, p70: 1400, p90: 1500 ms, p99: 1700 ms), latency samples: 1740
Latency breakdown for phase 0: ["MempoolToBlockCreation: max: 1.550, avg: 1.522", "ConsensusProposalToOrdered: max: 0.291, avg: 0.286", "ConsensusOrderedToCommit: max: 0.308, avg: 0.298", "ConsensusProposalToCommit: max: 0.594, avg: 0.585"]
Max non-epoch-change gap was: 0 rounds at version 0 (avg 0.00) [limit 4], 0.53s no progress at version 26396 (avg 0.19s) [limit 15].
Max epoch-change gap was: 0 rounds at version 0 (avg 0.00) [limit 4], 0.57s no progress at version 2684275 (avg 0.57s) [limit 16].
Test Ok

• Grafana dashboard
• Humio Logs
• Axiom Logs
• Validator CPU Profile
• Fullnode CPU Profile
• Test runner output
• Test run is land-blocking