Context
SidecarRegistry.revokeAgentDevice enforces msg.sender == operatorMasterWallet[device.operatorOmni]. For a web-onboarded (P256Account) master, NO EOA can sign that revoke — it reverts NotAuthorized(caller, master) (selector 0xc55ddc97). The per-agent web unpair migrated to the Touch-ID master-account UserOp (/v1/revoke/{build,submit}, PR #256), but the #243 master-reset fleet teardown in the daemon still shells heima-device-revoke.sh per agent (EOA-signed).
Repro steps
- Onboard a master through the web passkey flow (P256Account operatorMasterWallet).
- Pair at least one agent.
- Hit reset master in parent-control.
- The owner-gated resetMaster (master unbind) succeeds, but every per-agent revokeAgentDevice from the script reverts NotAuthorized and lands in the reset response's failures[] — the agents stay bound on chain.
Expected behavior
The teardown's agent revokes succeed for account-master operators — driven through the same master-account UserOp path as the web unpair. Since reset implies the master is being abandoned, options: (a) ONE executeBatch over all revokeAgentDevice calls signed by a single K11 ceremony BEFORE the master unbind, or (b) keep them in failures[] but have the reset UI walk the operator through per-agent Touch-ID unpairs first. The current honest-but-failed failures[] reporting stays the floor.
Effort
~M.
References
PR #256 (Touch-ID unpair /v1/revoke/{build,submit} + the NotAuthorized diagnosis), #243 (fleet teardown), scripts/heima-device-revoke.sh header (auth constraint documented).
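An added diagnostic example (not code from this issue or the project): it decodes revert data carrying the NotAuthorized selector 0xc55ddc97 so teardown failures can be triaged by cause. It assumes both error arguments are ABI `address` values; the function names, the `(agent_label, revert_hex)` input shape and the sample bytes are constructed for illustration.

```python
# Added example: triage revert data from failed revokeAgentDevice calls.
# Assumption: NotAuthorized(caller, master) takes two ABI `address` arguments.
NOT_AUTHORIZED_SELECTOR = bytes.fromhex("c55ddc97")  # selector quoted in the issue


def _decode_address(word: bytes) -> str:
    """Decode one 32-byte ABI word holding a left-padded 20-byte address."""
    if len(word) != 32 or any(word[:12]):
        raise ValueError("not a canonical ABI-encoded address word")
    return "0x" + word[12:].hex()


def classify_revert(revert_hex: str) -> dict:
    """Return a structured verdict for one revert payload (hex string)."""
    raw = revert_hex[2:] if revert_hex.startswith("0x") else revert_hex
    try:
        data = bytes.fromhex(raw)
    except ValueError:
        return {"kind": "malformed", "reason": "not hex"}
    if len(data) < 4:
        return {"kind": "unknown", "reason": "no selector"}
    selector, args = data[:4], data[4:]
    if selector != NOT_AUTHORIZED_SELECTOR:
        return {"kind": "other", "selector": "0x" + selector.hex()}
    if len(args) != 64:
        return {"kind": "malformed", "reason": "expected two 32-byte words"}
    try:
        caller = _decode_address(args[:32])
        master = _decode_address(args[32:])
    except ValueError as exc:
        return {"kind": "malformed", "reason": str(exc)}
    return {"kind": "not_authorized", "caller": caller, "master": master}


def needs_userop_path(failures):
    """From (agent_label, revert_hex) pairs, list the agents whose revoke
    failed the msg.sender check and so cannot be fixed by an EOA retry."""
    return [agent for agent, revert_hex in failures
            if classify_revert(revert_hex)["kind"] == "not_authorized"]


# Constructed sample: caller 0x11..11 rejected for master 0x22..22.
SAMPLE = "0xc55ddc97" + "00" * 12 + "11" * 20 + "00" * 12 + "22" * 20

if __name__ == "__main__":
    print(classify_revert(SAMPLE))
    print(needs_userop_path([("agent-a", SAMPLE), ("agent-b", "0x08c379a0")]))
```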