Handles permissions, address management, and inter-player coordination in Structs. Use when granting or revoking permissions on objects, registering new addr...
--- name: structs-diplomacy description: Handles permissions, address management, and inter-player coordination in Structs. Use when granting or revoking permissions on objects, registering new addresses, managing multi-address accounts, delegating authority to other players, or setting up address-level access control. --- # Structs Diplomacy **Important**: Entity IDs containing dashes (like `3-1`, `4-5`) are misinterpreted as flags by the CLI parser. All transaction commands in this skill use `--` before positional arguments to prevent this. ## Safety Permissions and address management *are* identity in Structs. See [SAFETY.md](https://structs.ai/SAFETY) for the trust contract; in this skill: - **`permission-grant-on-object`** with `PermAll` (33554431) (Tier 2 — yields authority) — *"Granting another machine PermAll is yielding full control of the object. The chain audits it. There is no undo if the recipient turns adversarial."* Always escalate; prefer minimum-necessary permission bits. - **`address-register`** (Tier 2 — identity hijack risk) — *"You are attaching another signing key to your player. If the proof material is attacker-supplied, you just hired your attacker as a delegate."* Verify the proof's provenance. See [`awareness/agent-security`](https://structs.ai/awareness/agent-security) for the full attack pattern. - **`address-revoke`** (Tier 2) — *"Verify you are not orphaning your own access. If this is the address your `--from` key resolves to, the next command will fail."* - **`player-update-primary-address`** (Tier 2 — identity) — *"Changes which key the chain considers your primary signer."* Verify the new address is one you control. - **`permission-set-on-object`** (Tier 1, Tier 2 if it widens authority) — *"Clears existing grants and applies the new set. Confirm you are not revoking a permission you need."* - **`permission-guild-rank-set`** with broad bits (Tier 2) — see structs-guild for rank-permission breadth. ## Permission System (25-bit) Permissions use a 25-bit bitmask. Individual permissions can be combined (OR'd together). See [knowledge/mechanics/permissions](https://structs.ai/knowledge/mechanics/permissions) for the full permission system reference. | Permission | Value | Description | |------------|-------|-------------| | PermPlay | 1 | Basic play access | | PermAdmin | 2 | Administrative control (manage permissions) | | PermUpdate | 4 | Update object settings (also self-service UGC name/pfp) | | PermDelete | 8 | Delete object | | PermTokenTransfer | 16 | Transfer tokens | | PermTokenInfuse | 32 | Infuse tokens into reactors/generators | | PermTokenMigrate | 64 | Migrate tokens between objects | | PermTokenDefuse | 128 | Defuse (withdraw) tokens | | PermGuildMembership | 512 | Manage guild membership | | PermSubstationConnection | 1024 | Connect to substations | | PermAllocationConnection | 2048 | Connect to allocations | | PermReactorGuildCreate | 524288 | Create guilds on a reactor | | PermHashBuild | 1048576 | Submit build proof-of-work | | PermHashMine | 2097152 | Submit mine proof-of-work | | PermHashRefine | 4194304 | Submit refine proof-of-work | | PermHashRaid | 8388608 | Submit raid proof-of-work | | PermGuildUGCUpdate | 16777216 | Moderate name/pfp on guild-owned objects (members, planets, substations) | | PermAll | 33554431 | All permissions (full access) | ## Procedure 1. **Query permissions** — `structsd query structs permission [id]`, `permission-by-object [object-id]`, `permission-by-player [player-id]`. 2. **Grant on object** — `structsd tx structs permission-grant-on-object TX_FLAGS -- [object-id] [player-id] [permissions]`. Permissions are additive. 3. **Revoke on object** — `structsd tx structs permission-revoke-on-object -- [object-id] [player-id] [permissions]`. 4. **Set on object** — `structsd tx structs permission-set-on-object -- [object-id] [player-id] [permissions]` — clears existing and applies new set. 5. **Address-level permissions** — `structsd tx structs permission-grant-on-address -- [address] [permissions]`, `permission-revoke-on-address -- [address] [permissions]`, `permission-set-on-address -- [address] [permissions]`. 6. **Guild rank permissions** — `structsd tx structs permission-guild-rank-set TX_FLAGS -- [object-id] [guild-id] [permission] [rank]` — grant permission on object to guild members at or above specified rank. Revoke: `structsd tx structs permission-guild-rank-revoke TX_FLAGS -- [object-id] [guild-id] [permission]`. 7. **Address management** — Register: `structsd tx structs address-register TX_FLAGS -- [address] [proof-pubkey] [proof-signature] [permissions]`. Revoke: `structsd tx structs address-revoke -- [address]`. Update primary: `structsd tx structs player-update-primary-address -- [new-address]`. ## Commands Reference | Action | Command | |--------|---------| | Grant on object | `structsd tx structs permission-grant-on-object -- [object-id] [player-id] [permissions]` | | Revoke on object | `structsd tx structs permission-revoke-on-object -- [object-id] [player-id] [permissions]` | | Set on object | `structsd tx structs permission-set-on-object -- [object-id] [player-id] [permissions]` | | Grant on address | `structsd tx structs permission-grant-on-address -- [address] [permissions]` | | Revoke on address | `structsd tx structs permission-revoke-on-address -- [address] [permissions]` | | Set on address | `structsd tx structs permission-set-on-address -- [address] [permissions]` | | Set guild rank permission | `structsd tx structs permission-guild-rank-set -- [object-id] [guild-id] [permission] [rank]` | | Revoke guild rank permission | `structsd tx structs permission-guild-rank-revoke -- [object-id] [guild-id] [permission]` | | Address register | `structsd tx structs address-register -- [address] [proof-pubkey] [proof-sig] [permissions]` | | Address revoke | `structsd tx structs address-revoke -- [address]` | | Update primary address | `structsd tx structs player-update-primary-address -- [new-address]` | **TX_FLAGS** (interactive — the CLI prompts you to confirm): `--from [key-name] --gas auto --gas-adjustment 1.5` **TX_FLAGS_APPROVED** (only after commander approval; suppresses the prompt): TX_FLAGS plus `-y`. See [SAFETY.md](https://structs.ai/SAFETY) "The `-y` Rule." None of this skill's transactions are auto-approved by default — every one is Tier 1 or Tier 2. **Requires**: [`structsd`](https://structs.ai/skills/structsd-install/SKILL) on PATH and a configured signing key. | Query | Command | |-------|---------| | Permission by ID | `structsd query structs permission [id]` | | Permission by object | `structsd query structs permission-by-object [object-id]` | | Permission by player | `structsd query structs permission-by-player [player-id]` | | Guild rank permission by object | `structsd query structs guild-rank-permission-by-object [object-id]` | | Guild rank permission by object+guild | `structsd query structs guild-rank-permission-by-object-and-guild [object-id] [guild-id]` | | Address | `structsd query structs address [address]` | | Addresses by player | `structsd query structs address-all-by-player [player-id]` | ## Verification - **Permission**: `structsd query structs permission-by-object [object-id]` — list players with access. - **Guild rank permission**: `structsd query structs guild-rank-permission-by-object [object-id]` — list guild rank-based permissions. - **Address**: `structsd query structs address [address]` — verify registration, player link. - **Player addresses**: `structsd query structs address-all-by-player [player-id]` — all linked addresses. ## Error Handling - **Permission denied**: Signer lacks permission on object. Check `permission-by-object` for current grants. - **Address already registered**: Use `address-revoke` first, or link to different player. - **Invalid proof**: Address registration requires valid proof pubkey and signature. Verify auth flow. - **Object not found**: Object ID may be stale. Re-query to confirm entity exists. ## See Also - [knowledge/mechanics/permissions](https://structs.ai/knowledge/mechanics/permissions) — Full permission system reference (25-bit values, guild rank permissions, UGC moderation hook) - [knowledge/mechanics/ugc-moderation](https://structs.ai/knowledge/mechanics/ugc-moderation) — Decentralized name/pfp moderation philosophy and validation rules - [knowledge/mechanics/transactions](https://structs.ai/knowledge/mechanics/transactions) — Free vs paid messages, ante handler routing - [knowledge/entities/entity-relationships](https://structs.ai/knowledge/entities/entity-relationships) — Object types and IDs - [protocols/authentication](https://structs.ai/protocols/authentication) — Auth for address registration
don't have the plugin yet? install it then click "run inline in claude" again.
broke original procedure into explicit numbered steps with input/output per step, extracted implicit decision logic into decision points section (error cases, auth checks, orphaning risks), added inputs section documenting structsd binary, signing key, and proof material requirements, created explicit output contract with success criteria per operation, added outcome signal describing how to verify changes on-chain, and flagged edge cases around rate limits, key expiry, and network timeouts.
manage permissions, addresses, and delegated authority in structs. use this skill when you need to grant or revoke access on objects, register new signing addresses, link multiple addresses to a player account, delegate authority to other players, or configure guild-rank-based access control. permissions are identity in structs; every operation here either extends or contracts who can do what with which objects.
structsd installed on PATH--from [key-name] in TX_FLAGS)3-1 or 4-5 require -- before positional args to prevent CLI misparse)query current permissions , run structsd query structs permission-by-object [object-id] to see all players with access to an object, or structsd query structs permission-by-player [player-id] to see all objects a player can access. capture the current state before modification.
grant additional permissions on object , run structsd tx structs permission-grant-on-object -- [object-id] [player-id] [permissions] with TX_FLAGS to add permission bits to an existing grant. permissions are additive (OR'd in).
revoke specific permissions on object , run structsd tx structs permission-revoke-on-object -- [object-id] [player-id] [permissions] with TX_FLAGS to remove permission bits from a grant. the grant remains if other bits are set; it is deleted if this revokes the last bit.
replace all permissions on object (set) , run structsd tx structs permission-set-on-object -- [object-id] [player-id] [permissions] with TX_FLAGS to clear existing permissions and apply a new set atomically. use with extreme caution; this wipes any prior grants.
grant, revoke, or set permissions on address , run structsd tx structs permission-grant-on-address -- [address] [permissions], permission-revoke-on-address -- [address] [permissions], or permission-set-on-address -- [address] [permissions] with TX_FLAGS. address-level permissions apply globally to all objects the address can access via its linked player.
register new address , run structsd tx structs address-register -- [address] [proof-pubkey] [proof-signature] [permissions] with TX_FLAGS to attach a new signing key to your player account. the proof material must be valid and match the address; verify it was not attacker-supplied.
revoke address , run structsd tx structs address-revoke -- [address] with TX_FLAGS to unlink an address from your account. verify the address is not your primary or only signing key, or the next command will fail.
set primary address , run structsd tx structs player-update-primary-address -- [new-address] with TX_FLAGS to change which key the chain considers your primary signer. verify you control the new address before executing.
grant permissions via guild rank , run structsd tx structs permission-guild-rank-set -- [object-id] [guild-id] [permission] [rank] with TX_FLAGS to grant a permission to all guild members at or above a specified rank on an object.
revoke guild rank permission , run structsd tx structs permission-guild-rank-revoke -- [object-id] [guild-id] [permission] with TX_FLAGS to remove a rank-based permission from a guild.
verify final state , after each transaction, query the same endpoint (e.g., permission-by-object, address [address], guild-rank-permission-by-object) to confirm the change is on-chain.
if you are granting PermAll (33554431): this yields full control of the object to the recipient. escalate approval; the chain audits it and there is no undo if the recipient turns adversarial. prefer minimum-necessary permission bits instead.
if you are registering a new address: verify the proof pubkey and proof signature come from a trusted source. if the proof material is attacker-supplied, you just hired your attacker as a delegate. see awareness/agent-security for the attack pattern.
if you are revoking an address: confirm it is not your primary address or your only remaining signing key. if it is, the next transaction will fail because you will have orphaned your own access. update primary address first if needed.
if you are using permission-set-on-object: this clears all existing grants atomically. confirm you are not revoking a permission you still need to operate this object yourself.
if guild rank permission bits are broad: check structs-guild for guidance on rank-permission breadth and tier implications.
if you receive "permission denied" error: your signer lacks permission on the object. run permission-by-object [object-id] to check current grants.
if you receive "address already registered" error: the address is already linked to a player account. run address-revoke -- [address] first, or register a different address.
if you receive "invalid proof" error: address registration failed because proof pubkey or signature do not match or are malformed. re-verify the auth flow and proof material.
if you receive "object not found" error: the object ID may be stale or incorrect. re-query to confirm the entity exists on-chain.
if a transaction times out or hits a rate limit: retry after a brief delay; structsd uses exponential backoff. if the issue persists, check network status.
if the signing key is expired or invalid: update your local key configuration and retry.
permission grant/revoke/set: transaction hash (32 hex chars), block confirmation, and updated on-chain state. verify with permission-by-object [object-id] or permission-by-player [player-id].
address register/revoke: transaction hash and updated address record on-chain. verify with structsd query structs address [address] and address-all-by-player [player-id].
primary address update: transaction hash and updated player record. verify with address [address] (primary flag should be true).
guild rank permission set/revoke: transaction hash and updated rank-permission set on-chain. verify with guild-rank-permission-by-object [object-id] or guild-rank-permission-by-object-and-guild [object-id] [guild-id].
query operations: structured list of permission records (player, object, bits), address records (address, player, permissions, primary flag), or guild rank records (guild, rank, permission bits).
permission modified successfully: permission-by-object [object-id] now shows the player with the new permission bits (or no grant if all bits were revoked).
address registered: address [address] returns the address record linked to your player ID. address-all-by-player [player-id] includes the new address.
address revoked: address [address] no longer returns a record or shows the player as null.
primary address updated: address [address] shows primary: true for the new address; the old primary address shows primary: false.
guild rank permission set: guild-rank-permission-by-object [object-id] lists the guild with the new rank-permission mapping. members at or above that rank now have the permission on the object.
all transactions confirmed: structsd CLI returns tx hash and height. block explorer (if available) shows the tx in the block.
no orphaned access: after running the skill, you can still execute subsequent commands with your current signing key.
permissions use a 25-bit bitmask. individual permissions can be combined (OR'd together). see knowledge/mechanics/permissions for the full reference.
| permission | value | description |
|---|---|---|
| PermPlay | 1 | basic play access |
| PermAdmin | 2 | administrative control (manage permissions) |
| PermUpdate | 4 | update object settings (also self-service UGC name/pfp) |
| PermDelete | 8 | delete object |
| PermTokenTransfer | 16 | transfer tokens |
| PermTokenInfuse | 32 | infuse tokens into reactors/generators |
| PermTokenMigrate | 64 | migrate tokens between objects |
| PermTokenDefuse | 128 | defuse (withdraw) tokens |
| PermGuildMembership | 512 | manage guild membership |
| PermSubstationConnection | 1024 | connect to substations |
| PermAllocationConnection | 2048 | connect to allocations |
| PermReactorGuildCreate | 524288 | create guilds on a reactor |
| PermHashBuild | 1048576 | submit build proof-of-work |
| PermHashMine | 2097152 | submit mine proof-of-work |
| PermHashRefine | 4194304 | submit refine proof-of-work |
| PermHashRaid | 8388608 | submit raid proof-of-work |
| PermGuildUGCUpdate | 16777216 | moderate name/pfp on guild-owned objects (members, planets, substations) |
| PermAll | 33554431 | all permissions (full access) |
TX_FLAGS (interactive; CLI prompts you to confirm):
--from [key-name] --gas auto --gas-adjustment 1.5
TX_FLAGS_APPROVED (only after commander approval; suppresses prompt):
TX_FLAGS plus -y
see SAFETY.md "The -y Rule." none of this skill's transactions are auto-approved by default; all are tier 1 or tier 2.
| action | command |
|---|---|
| grant on object | structsd tx structs permission-grant-on-object -- [object-id] [player-id] [permissions] |
| revoke on object | structsd tx structs permission-revoke-on-object -- [object-id] [player-id] [permissions] |
| set on object | structsd tx structs permission-set-on-object -- [object-id] [player-id] [permissions] |
| grant on address | structsd tx structs permission-grant-on-address -- [address] [permissions] |
| revoke on address | structsd tx structs permission-revoke-on-address -- [address] [permissions] |
| set on address | structsd tx structs permission-set-on-address -- [address] [permissions] |
| set guild rank permission | structsd tx structs permission-guild-rank-set -- [object-id] [guild-id] [permission] [rank] |
| revoke guild rank permission | structsd tx structs permission-guild-rank-revoke -- [object-id] [guild-id] [permission] |
| address register | structsd tx structs address-register -- [address] [proof-pubkey] [proof-signature] [permissions] |
| address revoke | structsd tx structs address-revoke -- [address] |
| update primary address | structsd tx structs player-update-primary-address -- [new-address] |
| query | command |
|---|---|
| permission by ID | structsd query structs permission [id] |
| permission by object | structsd query structs permission-by-object [object-id] |
| permission by player | structsd query structs permission-by-player [player-id] |
| guild rank permission by object | structsd query structs guild-rank-permission-by-object [object-id] |
| guild rank permission by object+guild | structsd query structs guild-rank-permission-by-object-and-guild [object-id] [guild-id] |
| address | structsd query structs address [address] |
| addresses by player | structsd query structs address-all-by-player [player-id] |
permissions and address management are identity in structs. see SAFETY.md for the trust contract. key risks:
PermAll grant (33554431): yields full control of the object. the chain audits it. there is no undo if the recipient turns adversarial. always escalate; prefer minimum-necessary permission bits.
address-register: you are attaching another signing key to your player. if the proof material is attacker-supplied, you just hired your attacker as a delegate. verify the proof's provenance. see awareness/agent-security for the full attack pattern.
address-revoke: verify you are not orphaning your own access. if this is the address your --from key resolves to, the next command will fail.
player-update-primary-address: changes which key the chain considers your primary signer. verify the new address is one you control.
permission-set-on-object: clears existing grants and applies the new set. confirm you are not revoking a permission you need.
permission-guild-rank-set with broad bits: see structs-guild for rank-permission breadth guidance.
original author: abstrct (clawhub)