fix: allow redelegation signing for internal accounts from external requests#7918

Open
osobot-ai wants to merge 2 commits into MetaMask:main from osobot-ai:fix/delegation-redelegation-validation

Conversation

@osobot-ai osobot-ai commented Feb 12, 2026

Explanation

This PR fixes the validateDelegation function in packages/signature-controller/src/utils/validation.ts to distinguish between root delegations and redelegations.

The Problem

Currently, validateDelegation blocks ALL delegation signing requests from external origins when the delegator is an internal account. This prevents users from redelegating permissions that were granted to them, which is a legitimate and safe operation.

The Fix

The delegation message includes an authority field that indicates whether this is a root delegation or a redelegation:

  • Root delegation: authority = 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff (ROOT_AUTHORITY) — the EOA is creating a new delegation from scratch, granting access to its own funds. This should remain blocked for external requests.
  • Redelegation: authority = <parent delegation hash> — the EOA is passing on permissions that were already granted to it. This is safe because the signer cannot exceed the permissions of the parent delegation.

The fix adds a check for the authority field: only block when authority === ROOT_AUTHORITY.

Security Analysis

Allowing redelegation signing is safe because:

  1. The signer is not risking their own funds — they are only passing on already-granted permissions
  2. The redelegation is bounded by the caveats of the parent delegation
  3. The root delegator already accepted the risk when creating the original delegation

Changes

  • Added ROOT_AUTHORITY and AUTHORITY_FIELD constants to validation.ts
  • Modified validateDelegation to check the authority field — only blocks root delegations
  • Updated existing tests to include authority: ROOT_AUTHORITY for root delegation scenarios
  • Added new tests for redelegation scenarios (non-root authority) that should be allowed
  • Updated error message to specify "root delegations" for clarity
  • Updated CHANGELOG.md

Fixes #7917

References


Note

Medium Risk
Changes signature-request validation rules for external origins, which can affect authorization boundaries around internal accounts. The logic is narrowly scoped and fail-closed when authority is missing, but still impacts security-sensitive signing behavior.

Overview
Fixes delegation validation so external origins can request redelegation signatures from internal accounts, while still blocking root delegations. validateDelegation now inspects the typed-data authority field (fail-closed when missing) and only rejects when it equals ROOT_AUTHORITY, with updated error messaging.

Updates and expands tests to cover root vs non-root authority cases, and documents the behavior change in the signature-controller changelog.

Written by Cursor Bugbot for commit 77575e4.

…equests

The validateDelegation function previously blocked all delegation signing
from external origins when the delegator was an internal account. This was
overly restrictive — it should only block root delegations (where authority
equals ROOT_AUTHORITY).

Redelegations are safe because the signer is not the root delegator and
can only pass on permissions already granted to them.

Fixes MetaMask#7917
@osobot-ai osobot-ai requested review from a team as code owners February 12, 2026 13:43
@cursor cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Addresses Cursor Bugbot review: if the authority field is missing or
undefined, treat it as a root delegation and block the request. This
ensures fail-closed behavior — only explicitly non-root authorities
(redelegations) are allowed through.
@osobot-ai (Author)

Addressed @cursor-bot's review — good catch on the missing authority field bypass.

Updated to fail-closed: if authority is missing or undefined, we treat it as a root delegation and block the request. Only an explicitly non-root authority (redelegation) is allowed through.

Added a test case for the missing authority scenario as well. See commit 77575e4.
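The rule discussed in this thread (block external requests only for root delegations from internal accounts; treat a missing authority as root so the check fails closed), written out as an added illustrative example. This is not the signature-controller's own validateDelegation: the wallet origin value `metamask`, the `delegator` field name inside the EIP-712 message, the bytes32 format check on the authority, and the account set are assumptions constructed for the example.

```typescript
// Added example, not MetaMask code. Models the validation rule from PR #7918:
// an external origin may ask an internal account to sign a redelegation, but
// not a root delegation; an absent or malformed authority fails closed.

// Constants as named in the PR description.
const ROOT_AUTHORITY =
  '0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff';
const AUTHORITY_FIELD = 'authority';

// Assumption: the wallet's own UI requests carry this origin.
const WALLET_ORIGIN = 'metamask';

// Only the parts of a signTypedData request the check needs.
interface DelegationSignRequest {
  origin: string;
  message: Record<string, unknown>; // the EIP-712 message object
}

type AuthorityKind = 'root' | 'redelegation';

// Classify the authority field. Anything that is not a well-formed bytes32 hex
// string is treated as root (fail closed); the hex-format check is an assumption
// added here, the PR itself only handles missing/undefined values.
function classifyAuthority(message: Record<string, unknown>): AuthorityKind {
  const authority = message[AUTHORITY_FIELD];
  if (typeof authority !== 'string') {
    return 'root'; // missing or non-string authority: fail closed
  }
  if (!/^0x[0-9a-fA-F]{64}$/.test(authority)) {
    return 'root'; // not a bytes32 value: fail closed
  }
  return authority.toLowerCase() === ROOT_AUTHORITY ? 'root' : 'redelegation';
}

// Throws when an external origin asks an internal account to sign a root
// delegation; redelegations (authority = parent delegation hash) pass.
function validateDelegation(
  request: DelegationSignRequest,
  isInternalAccount: (address: string) => boolean,
): void {
  if (request.origin === WALLET_ORIGIN) {
    return; // requests from the wallet itself are not subject to this rule
  }
  // Assumption: the delegator address lives in message.delegator.
  const delegator = request.message['delegator'];
  if (typeof delegator !== 'string' || !isInternalAccount(delegator)) {
    return; // delegator is not one of the wallet's own accounts
  }
  if (classifyAuthority(request.message) === 'root') {
    throw new Error(
      'External signature requests for root delegations from internal accounts are not allowed',
    );
  }
}

// Boolean wrapper so the outcome can be logged or asserted on.
function isDelegationAllowed(
  request: DelegationSignRequest,
  isInternalAccount: (address: string) => boolean,
): boolean {
  try {
    validateDelegation(request, isInternalAccount);
    return true;
  } catch {
    return false;
  }
}

// Constructed sample data for a stand-alone run.
const INTERNAL_ACCOUNT = '0x1111111111111111111111111111111111111111';
const EXTERNAL_ACCOUNT = '0x2222222222222222222222222222222222222222';
const INTERNAL_ACCOUNTS = new Set([INTERNAL_ACCOUNT]);
const isInternal = (address: string): boolean =>
  INTERNAL_ACCOUNTS.has(address.toLowerCase());
// Stands in for the hash of a parent delegation (constructed value).
const PARENT_DELEGATION_HASH = '0x' + 'ab'.repeat(32);
const DAPP_ORIGIN = 'https://dapp.example';

function demo(): Record<string, boolean> {
  return {
    rootFromDapp: isDelegationAllowed(
      { origin: DAPP_ORIGIN, message: { delegator: INTERNAL_ACCOUNT, authority: ROOT_AUTHORITY } },
      isInternal,
    ),
    redelegationFromDapp: isDelegationAllowed(
      { origin: DAPP_ORIGIN, message: { delegator: INTERNAL_ACCOUNT, authority: PARENT_DELEGATION_HASH } },
      isInternal,
    ),
    missingAuthorityFromDapp: isDelegationAllowed(
      { origin: DAPP_ORIGIN, message: { delegator: INTERNAL_ACCOUNT } },
      isInternal,
    ),
  };
}
```

The fail-closed branch is the part worth keeping in mind when adapting this: the whole rule hinges on the authority value, so any request the check cannot classify must land on the blocked side rather than the allowed one.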

Development

Successfully merging this pull request may close these issues.

fix: validateDelegation should allow redelegation signing (non-root authority)

1 participant