dojo-world
$
npx mdskill add dojoengine/book/dojo-worldConfigure world permissions and manage access control hierarchies.
- Enables agents to grant owner or writer permissions to resources.
- Integrates with Dojo world APIs for namespace and resource management.
- Executes commands via Bash, Grep, Read, and Write tools.
- Delivers results by listing permissions and executing grant commands.
SKILL.md
.github/skills/dojo-worldView on GitHub ↗
---
name: dojo-world
description: Manage world permissions, namespaces, resource registration, and access control. Use when configuring world ownership, setting up authorization policies, or managing resource permissions.
allowed-tools: Read, Write, Bash, Grep
---
# Dojo World Management
Manage your Dojo world's permissions, namespaces, resource registration, and access control policies.
## When to Use This Skill
- "Configure world permissions"
- "Set up namespace access"
- "Grant writer permissions"
- "Manage resource ownership"
## What This Skill Does
Handles world management:
- Namespace configuration
- Writer permissions (can write data)
- Owner permissions (can write data + manage permissions)
- Permission hierarchy management
## Quick Start
**Configure permissions:**
```
"Grant writer permission to my system"
```
**Check permissions:**
```
"List permissions for my world"
```
## Permission Concepts
### Permission Types
**Owner Permission:**
- Write data to the resource
- Grant and revoke permissions to others
- Upgrade the resource
- Set resource metadata
**Writer Permission:**
- Write data to the resource
- Cannot grant permissions to others
- Cannot upgrade the resource
**Reading is always permissionless.**
### Permission Hierarchy
```
World Owner (highest)
└── Namespace Owner
└── Resource Owner / Writer (lowest)
```
- **World Owner**: Can do anything in the world
- **Namespace Owner**: Can manage all resources in their namespace
- **Resource Owner**: Can manage a specific resource (model/contract/event)
- **Writer**: Can only write data to a resource
## Configuration-Based Permissions
Set permissions during deployment in `dojo_<profile>.toml`:
```toml
[writers]
# Namespace-level: actions can write to all resources in my_game
"my_game" = ["my_game-actions"]
# Resource-specific: movement can only write to Position
"my_game-Position" = ["my_game-movement"]
[owners]
# Namespace ownership
"my_game" = ["my_game-admin"]
```
**Format:** `"<TARGET_TAG>" = ["<GRANTEE_TAG>"]`
## CLI Permission Management
### Grant Permissions
```bash
# Grant writer permission
sozo auth grant writer my_game-Position,my_game-actions
# Grant owner permission
sozo auth grant owner my_game,my_game-admin
```
### Revoke Permissions
```bash
# Revoke writer permission
sozo auth revoke writer my_game-Position,my_game-actions
# Revoke owner permission
sozo auth revoke owner my_game,my_game-admin
```
### List Permissions
```bash
# List all permissions
sozo auth list
```
## Runtime Permission Management (Cairo)
### Grant Permissions
```cairo
use dojo::world::WorldStorage;
// Grant writer permission to a contract
world.grant_writer(
selector_from_tag!("my_game-Position"),
movement_system_address
);
// Grant owner permission
world.grant_owner(
selector_from_tag!("my_game-GameState"),
new_owner_address
);
```
### Revoke Permissions
```cairo
// Revoke writer permission
world.revoke_writer(
selector_from_tag!("my_game-Position"),
old_system_address
);
// Revoke owner permission
world.revoke_owner(
selector_from_tag!("my_game-GameState"),
old_owner_address
);
```
### Check Permissions
```cairo
// Check if address is owner
let is_owner = world.is_owner(resource_selector, address);
// Check if address is writer
let can_write = world.is_writer(resource_selector, address);
```
## Permission Patterns
### Principle of Least Privilege
```cairo
// Good: Specific permissions for specific functions
world.grant_writer(selector_from_tag!("my_game-Position"), movement_contract);
world.grant_writer(selector_from_tag!("my_game-Health"), combat_contract);
// Bad: Overly broad permissions
world.grant_owner(selector_from_tag!("my_game"), movement_contract);
```
### Multi-System Architecture
```cairo
// Different systems handle different aspects
world.grant_writer(selector_from_tag!("my_game-Position"), movement_system);
world.grant_writer(selector_from_tag!("my_game-Health"), combat_system);
world.grant_writer(selector_from_tag!("my_game-Inventory"), inventory_system);
// Trading system needs access to Inventory too
world.grant_writer(selector_from_tag!("my_game-Inventory"), trading_system);
```
### Namespace-Level Permissions
Grant access to all resources in a namespace:
```cairo
// This system can write to ANY resource in "my_game" namespace
world.grant_writer(
selector_from_tag!("my_game"),
system_contract
);
```
### Admin System
```cairo
// Admin has owner permission on namespace
world.grant_owner(selector_from_tag!("my_game"), game_admin);
// Admin has owner permission on critical resources
world.grant_owner(selector_from_tag!("my_game-GameConfig"), game_admin);
```
## Authorization in Systems
### Public Functions
Anyone can call:
```cairo
fn spawn(ref self: ContractState) {
let mut world = self.world_default();
let player = get_caller_address();
// No permission check - anyone can spawn
world.write_model(@Position { player, vec: Vec2 { x: 0, y: 0 } });
}
```
### Checking Permissions
```cairo
fn admin_function(ref self: ContractState) {
let mut world = self.world_default();
let caller = get_caller_address();
// Check caller is owner of the namespace
assert(
world.is_owner(selector_from_tag!("my_game"), caller),
'not authorized'
);
// Proceed with admin logic
}
```
## Permission Events
The World contract emits events when permissions change:
```cairo
#[derive(Drop, starknet::Event)]
pub struct OwnerUpdated {
#[key]
pub resource: felt252,
#[key]
pub contract: ContractAddress,
pub value: bool,
}
#[derive(Drop, starknet::Event)]
pub struct WriterUpdated {
#[key]
pub resource: felt252,
#[key]
pub contract: ContractAddress,
pub value: bool,
}
```
## Common Scenarios
### Initial Setup (via config)
```toml
# dojo_dev.toml
[namespace]
default = "my_game"
[writers]
# All resources in my_game can be written by actions
"my_game" = ["my_game-actions"]
[owners]
# Admin system owns the namespace
"my_game" = ["my_game-admin"]
```
### Adding New System (runtime)
```cairo
fn add_new_system(ref self: ContractState, new_system_address: ContractAddress) {
let mut world = self.world_default();
// Must be namespace owner to grant permissions
world.grant_writer(
selector_from_tag!("my_game-Position"),
new_system_address
);
}
```
### Transfer Namespace Ownership
```cairo
fn transfer_ownership(ref self: ContractState, new_owner: ContractAddress) {
let mut world = self.world_default();
// Grant owner to new address
world.grant_owner(selector_from_tag!("my_game"), new_owner);
// Revoke from current owner
world.revoke_owner(selector_from_tag!("my_game"), get_caller_address());
}
```
## Troubleshooting
### "Not authorized" errors
- Check writer permissions are granted
- Verify the system address is correct
- Check if permission is at namespace or resource level
### "Permission denied"
- Check you have owner permission to grant/revoke
- Verify you're calling from the correct account
### Debugging Permissions
```cairo
fn debug_permissions(world: @WorldStorage, resource: felt252, address: ContractAddress) {
let is_owner = world.is_owner(resource, address);
let is_writer = world.is_writer(resource, address);
// Log or print these values for debugging
}
```
## Next Steps
After permission setup:
1. Test all permission checks work correctly
2. Document the permission structure
3. Set up monitoring for permission changes
4. Consider using a multi-sig for production owner accounts
## Related Skills
- **dojo-deploy**: Deploy world first
- **dojo-system**: Add authorization to systems
- **dojo-config**: Configure permissions in profile
- **dojo-review**: Audit permission setup