feat(relayer): make register_relayer sudo/gov-only; refactor node RPC and service

pallet-relayer (v0.2.2 → v0.3.0):
- register_relayer: change from self-service (ensure_signed + IsValidator)
  to ManageOrigin (sudo/gov) with explicit `who: AccountId` parameter
- Remove T::IsValidator config trait and Error::NotValidator
- Benchmark: replace manual #[block] storage-insert with #[extrinsic_call]
  using RawOrigin::Root — weights now reflect real dispatch path
- Tests: rewrite registry_tests for RuntimeOrigin::root(); add
  dispatch_info_tests (Pays::Yes, DispatchClass::Normal)
- mock.rs: remove MockValidators

node (template/node/):
- relayer_register.rs: rewrite auto_register as log-only — derives EVM
  address from Aura key and prints a log box at block #1 instructing
  sudo to call registerRelayer; removes all extrinsic submission logic
- relayer_author.rs: rewrite RelayerAuthorApi as informational RPC —
  returns {substrate_account, evm_address} from keystore; no longer
  submits transactions; remove generic C/B params
- rpc/mod.rs: update RelayerAuthor::new(keystore) — drop client arg
- service.rs: remove transaction pool from auto_register call; add
  ValidatorSet + Session pallets to service setup
- node/Cargo.toml: remove unused pallet-relayer direct dependency

runtime (template/runtime/):
- genesis_config_preset.rs: add session + validator_set genesis config

Author: nol4lej

Cargo.lock

@@ -2,6 +2,41 @@
 
 All notable changes to `pallet-relayer` will be documented in this file.
 
+## [0.3.0] - 2026-06-03
+
+### Changed
+
+- **`register_relayer` is now sudo/governance-only** (`ManageOrigin`). Previously it was
+  a self-service call restricted to validator nodes via `T::IsValidator`. The new signature
+  adds an explicit `who: T::AccountId` argument so the privileged origin can register any
+  account:
+  ```
+  // before: register_relayer(origin, evm_address)   — signed by validator
+  // after:  register_relayer(origin, who, evm_address) — ManageOrigin (sudo/gov)
+  ```
+- **Benchmark** for `register_relayer` updated to use `#[extrinsic_call]` with
+  `RawOrigin::Root` instead of the previous manual `#[block]` storage-insert approach.
+  Measured weights now reflect the real extrinsic dispatch path.
+- Event doc comments updated: `RelayerRegistered` and `RelayerUnregistered` now note
+  sudo/governance as the acting origin.
+- Module-level doc updated: registry is "managed exclusively by sudo/governance".
+
+### Removed
+
+- `T::IsValidator: Contains<AccountId>` — config trait no longer needed. Validator gating
+  is handled upstream by `pallet-validator-set`.
+- `Error::NotValidator` — removed alongside `IsValidator`.
+- `MockValidators` from `mock.rs` — no longer meaningful.
+
+### Migration
+
+Update runtime `Config` impl and any `register_relayer` call sites:
+- Remove `type IsValidator = ...` from the `pallet_relayer::Config` impl.
+- Change origin from a signed validator to `ManageOrigin` (e.g. `sudo`).
+- Add `who: AccountId` as the first call argument before `evm_address`.
+
+---
+
 ## [0.2.2] - 2026-06-01
 
 ### Changed

frame/relayer/CHANGELOG.md

@@ -1,6 +1,6 @@
 [package]
 name = "pallet-relayer"
-version = "0.2.2"
+version = "0.3.0"
 description = "On-chain relay configuration, relayer registry and fee accounting."
 authors = { workspace = true }
 license = "GPL-3.0-or-later"

frame/relayer/Cargo.toml

@@ -65,22 +65,18 @@ Emits: `MinRelayFeeUpdated { new_fee }`.
 Replaces the ABI selector whitelist. Pass `vec![]` to restore the Runtime API defaults.  
 Bounded by `T::MaxAllowedSelectors`. Emits: `AllowedSelectorsUpdated { count }`.
 
-### `register_relayer(evm_address: H160)` — origin: `Signed`
-Binds the caller's EVM address to their substrate AccountId.  
-Fails if the EVM address is already claimed by another account (`AlreadyRegistered`).  
+### `register_relayer(who: AccountId, evm_address: H160)` — origin: `ManageOrigin`
+Registers an EVM address for the given `who` account. Must be called by sudo or governance.  
+Fails if the EVM address is already claimed (`AlreadyRegistered`) or the account already has a binding (`AccountAlreadyRegistered`).  
 Emits: `RelayerRegistered { evm_address, account }`.
 
 ### `unregister_relayer()` — origin: `Signed`
 Removes the caller's EVM binding. Clears both forward and reverse maps.  
 Fails if the caller has no binding (`NotRegistered`).  
 Emits: `RelayerUnregistered { evm_address, account }`.
 
-### `claim_relay_fees(asset_id: u32, amount: u128)` — origin: `Signed`
-Decrements `amount` from the caller's pending fee balance (accounting only — no token transfer).  
-Emits: `RelayFeesConsumed { relayer, asset_id, amount }`.
-
-> **Note:** This extrinsic only updates the `PendingRelayerFees` counter. To receive real tokens, the validator must call one of the two claim paths in `pallet-shielded-pool`:
-> - `claim_shielded_fees` — receives the fee as a private ZK note (requires a value_proof ZK proof)
+> **Claiming fees:** To receive accumulated relay fees, the validator calls one of the two claim paths in `pallet-shielded-pool` (not in this pallet):
+> - `claim_shielded_fees` — receives fees as a private ZK note (requires a value_proof ZK proof)
 > - `claim_relay_fees_to_evm` — transfers public ORB directly to the H160 mirror AccountId (no proof required; ideal for refilling the relayer's EVM gas wallet)
 
 ---
@@ -94,7 +90,7 @@ Each node has **two separate identities**:
 | `AccountId` (sr25519/Aura) | Substrate | Aura key | Receives and accumulates fees in `PendingRelayerFees` |
 | `H160` (ECDSA) | EVM | `--evm-relayer-key` | Signs EVM transactions, pays gas |
 
-Both are linked at startup via `register_relayer(evm_address)`, which writes both indexes (`RelayerRegistry` and `RelayerByAccount`).
+Both are linked by sudo/governance via `register_relayer(who, evm_address)`, which writes both indexes (`RelayerRegistry` and `RelayerByAccount`). The node derives and logs the EVM address automatically at block #1 (see [Validator registration flow](#validator-registration-flow) below).
 
 ```
 1. shield(1000)
@@ -162,6 +158,37 @@ In `pallet-shielded-pool` unit tests: a lightweight mock struct in `mock.rs` bac
 
 ---
 
+## Validator registration flow
+
+A new validator node does not call `register_relayer` directly — it is a privileged call. The intended flow is:
+
+1. **Insert Aura key** into the node keystore:
+   ```bash
+   curl -s -X POST http://localhost:9944 -H 'Content-Type: application/json' \
+     -d '{"jsonrpc":"2.0","id":1,"method":"author_insertKey",
+          "params":["aura","<mnemonic>","<public_key_hex>"]}'
+   ```
+2. **Restart the node.** At block #1 `auto_register` (in `template/node/src/relayer_register.rs`) reads the Aura key from the keystore, derives the EVM address, checks `RelayerRegistry`, and if not registered **prints a log box**:
+   ```
+   ╔══════════════════════════════════════════════════╗
+   ║   EVM relay key detected — register via sudo     ║
+   ╠══════════════════════════════════════════════════╣
+   ║  Substrate : 5GrwvaEF5...
+   ║  EVM addr  : 0xd43593c7...
+   ╠══════════════════════════════════════════════════╣
+   ║  relayer.registerRelayer(who, evmAddress)        ║
+   ╚══════════════════════════════════════════════════╝
+   ```
+3. **Sudo** calls `relayer → registerRelayer(who, evmAddress)` on-chain with the values from the log.
+4. The validator can now complete the `pallet-validator-set` registration:
+   ```
+   session → setKeys(aura + grandpa keys, proof)
+   validatorSet → registerValidator()   // has_relayer check now passes
+   ```
+5. **Governance** approves: `validatorSet → approveValidator(who)`.
+
+---
+
 ## Runtime integration
 
 ```rust
@@ -170,9 +197,10 @@ In `pallet-shielded-pool` unit tests: a lightweight mock struct in `mock.rs` bac
 impl pallet_relayer::Config for Runtime {
     type BlockAuthor         = RelayerBlockAuthor;                  // wraps pallet_authorship
     type DefaultMinRelayFee  = ConstU128<1_000_000_000_000_000>;   // 1e15 planck = 0.001 ORB
-    type ManageOrigin        = EnsureRoot<AccountId>;
+    type ManageOrigin        = EnsureRoot<AccountId>;              // sudo/governance only
     type MaxAllowedSelectors = ConstU32<16>;
     type WeightInfo          = pallet_relayer::weights::SubstrateWeight<Runtime>;
+    // Note: IsValidator removed in v0.3.0 — validator gating is handled by pallet-validator-set
 }
 
 impl pallet_shielded_pool::Config for Runtime {
@@ -194,7 +222,6 @@ Weights in `src/weights.rs` were generated with Substrate Benchmark CLI v49.1.0
 | `set_allowed_selectors(n)` | linear in `n` | — |
 | `register_relayer` | ~10 ms | 2.5 KB |
 | `unregister_relayer` | ~10 ms | 2.5 KB |
-| `claim_relay_fees` | ~8 ms | 2.5 KB |
 
 To regenerate after modifying the pallet:
 
@@ -218,8 +245,9 @@ cargo build --release --features runtime-benchmarks
 ```
 src/tests/
 ├── config_tests.rs    — MinRelayFee and AllowedSelectors (governance gating, storage, events, capacity limits)
-├── registry_tests.rs  — register/unregister + registered_evm_address (duplicate guard, reverse index, signed-only, reverse lookup)
-└── fees_tests.rs      — accumulate, pending query, consume, claim (saturation, insufficient, events, per-account isolation)
+├── registry_tests.rs  — register/unregister + registered_evm_address (duplicate guard, reverse index, sudo-only, reverse lookup)
+└── dispatch_info_tests.rs — call dispatch info (Pays::Yes, DispatchClass::Normal for register_relayer)
+    fees_tests.rs      — accumulate, pending query, consume, claim (saturation, insufficient, events, per-account isolation)
 ```
 
 ```bash

frame/relayer/README.md

@@ -55,28 +55,19 @@ mod benchmarks {
 
 	// ── register_relayer ─────────────────────────────────────────────────────
 
-	/// Benchmark the storage write path for relayer registration.
+	/// Worst case: two storage writes + event deposit.
 	///
-	/// `register_relayer` is gated by `T::IsValidator`, which is a runtime
-	/// trait that cannot be generically seeded in benchmarks. We measure the
-	/// two storage inserts + event deposit directly — the validator check is
-	/// a cheap in-memory read and does not contribute meaningful weight.
+	/// `register_relayer` is gated by `ManageOrigin` (sudo/governance).
+	/// We call it with `RawOrigin::Root` which always satisfies that bound.
 	#[benchmark]
 	fn register_relayer() {
-		let caller: T::AccountId = whitelisted_caller();
+		let who: T::AccountId = whitelisted_caller();
 		let evm = evm_address_for(0xA11CE);
 
-		#[block]
-		{
-			RelayerRegistry::<T>::insert(evm, caller.clone());
-			RelayerByAccount::<T>::insert(caller.clone(), evm);
-			Pallet::<T>::deposit_event(Event::RelayerRegistered {
-				evm_address: evm,
-				account: caller.clone(),
-			});
-		}
-
-		assert_eq!(RelayerRegistry::<T>::get(evm), Some(caller));
+		#[extrinsic_call]
+		register_relayer(RawOrigin::Root, who.clone(), evm);
+
+		assert_eq!(RelayerRegistry::<T>::get(evm), Some(who));
 	}
 
 	// ── unregister_relayer ───────────────────────────────────────────────────

frame/relayer/src/benchmarking.rs

@@ -9,7 +9,7 @@
 //!   `ShieldedPoolRuntimeApi::relay_config()`.
 //! - **Registry**: EVM address → AccountId binding so fee attribution is
 //!   unambiguous even when the EVM and substrate keys differ.
-//!   Only validator nodes (as determined by `T::IsValidator`) may register.
+//!   Managed exclusively by sudo/governance via `register_relayer`.
 //! - **Fee accounting**: `PendingRelayerFees` tracks accrued relay fees per
 //!   (AccountId, asset_id).  Other pallets (pallet-shielded-pool) call
 //!   `T::Relayer::accumulate_relay_fee()` and `T::Relayer::consume_relay_fee()`
@@ -57,7 +57,7 @@ mod tests;
 #[frame_support::pallet]
 pub mod pallet {
 	use super::{RelayerInterface, WeightInfo};
-	use frame_support::{dispatch::DispatchResult, pallet_prelude::*, traits::Contains};
+	use frame_support::{dispatch::DispatchResult, pallet_prelude::*};
 	use frame_system::pallet_prelude::*;
 	use sp_core::H160;
 	use sp_std::vec::Vec;
@@ -74,12 +74,6 @@ pub mod pallet {
 		#[pallet::constant]
 		type DefaultMinRelayFee: Get<u128>;
 
-		/// Returns whether an account is currently a validator node.
-		///
-		/// Only accounts recognised as validators may call `register_relayer`.
-		/// Wire this to a session-validator or Aura-authority check in the runtime.
-		type IsValidator: frame_support::traits::Contains<Self::AccountId>;
-
 		/// Origin allowed to update relay configuration (fee, selectors).
 		/// Use `EnsureRoot` for testnets; a governance pallet for mainnet.
 		type ManageOrigin: EnsureOrigin<Self::RuntimeOrigin>;
@@ -112,7 +106,6 @@ pub mod pallet {
 		StorageValue<_, BoundedVec<[u8; 4], T::MaxAllowedSelectors>, ValueQuery>;
 
 	/// On-chain registry: EVM address → substrate AccountId.
-	/// Only validator nodes may have entries here.
 	#[pallet::storage]
 	pub type RelayerRegistry<T: Config> =
 		StorageMap<_, Blake2_128Concat, H160, T::AccountId, OptionQuery>;
@@ -143,12 +136,12 @@ pub mod pallet {
 		MinRelayFeeUpdated { new_fee: u128 },
 		/// `ManageOrigin` updated the allowed selector whitelist.
 		AllowedSelectorsUpdated { count: u32 },
-		/// A validator node registered an EVM address.
+		/// sudo/governance registered a relayer mapping.
 		RelayerRegistered {
 			evm_address: H160,
 			account: T::AccountId,
 		},
-		/// A validator node unregistered its EVM address.
+		/// sudo/governance removed a relayer mapping.
 		RelayerUnregistered {
 			evm_address: H160,
 			account: T::AccountId,
@@ -171,8 +164,6 @@ pub mod pallet {
 
 	#[pallet::error]
 	pub enum Error<T> {
-		/// Caller is not a validator node. Only validators may register as relayers.
-		NotValidator,
 		/// No EVM address registered for this account.
 		NotRegistered,
 		/// The EVM address already has a registered AccountId.
@@ -227,15 +218,23 @@ pub mod pallet {
 			Ok(())
 		}
 
-		/// Register a substrate account as the owner of an EVM relay address.
+		/// Register an EVM address for a substrate account.
 		///
-		/// Only validator nodes (as determined by `T::IsValidator`) may call this.
-		/// Non-validator accounts are rejected with `NotValidator`.
+		/// Requires `ManageOrigin` (sudo / governance). The `who` account is
+		/// registered as the owner of `evm_address`. One registration per account
+		/// (`AccountAlreadyRegistered`) and one per EVM address (`AlreadyRegistered`)
+		/// are enforced.
+		///
+		/// Intended to be called after a validator inserts their Aura key and the
+		/// node derives and logs the corresponding EVM relay address.
 		#[pallet::call_index(2)]
 		#[pallet::weight(T::WeightInfo::register_relayer())]
-		pub fn register_relayer(origin: OriginFor<T>, evm_address: H160) -> DispatchResult {
-			let who = ensure_signed(origin)?;
-			ensure!(T::IsValidator::contains(&who), Error::<T>::NotValidator);
+		pub fn register_relayer(
+			origin: OriginFor<T>,
+			who: T::AccountId,
+			evm_address: H160,
+		) -> DispatchResult {
+			T::ManageOrigin::ensure_origin(origin)?;
 			ensure!(
 				!RelayerRegistry::<T>::contains_key(evm_address),
 				Error::<T>::AlreadyRegistered
@@ -253,9 +252,9 @@ pub mod pallet {
 			Ok(())
 		}
 
-		/// Remove the caller's EVM address from the relay registry.
+		/// Remove an EVM relay address mapping.
 		///
-		/// The caller must be a registered validator node.
+		/// The caller (account owner) may remove their own registration.
 		#[pallet::call_index(3)]
 		#[pallet::weight(T::WeightInfo::unregister_relayer())]
 		pub fn unregister_relayer(origin: OriginFor<T>) -> DispatchResult {

frame/relayer/src/lib.rs

@@ -31,18 +31,9 @@ impl frame_support::traits::Get<Option<u64>> for MockBlockAuthor {
 	}
 }
 
-/// Accounts with ID >= 100 are treated as validator nodes in tests.
-pub struct MockValidators;
-impl frame_support::traits::Contains<u64> for MockValidators {
-	fn contains(who: &u64) -> bool {
-		*who >= 100
-	}
-}
-
 impl pallet_relayer::Config for Test {
 	type BlockAuthor = MockBlockAuthor;
 	type DefaultMinRelayFee = DefaultMinRelayFee;
-	type IsValidator = MockValidators;
 	type ManageOrigin = frame_system::EnsureRoot<u64>;
 	type MaxAllowedSelectors = MaxAllowedSelectors;
 	type WeightInfo = ();