Account flags to control locked alpha transfers#2763

Open. gztensor wants to merge 5 commits into main from feat/account-flags

@gztensor gztensor commented Jun 17, 2026

Description

Add a new map AccountFlags to the subtensor pallet that stores a u128 bitmap of account flags. The bit0 flag controls whether the account can receive locked alpha. The new extrinsic set_reject_locked_alpha allows the coldkey to set its own reject locked alpha flag.

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Other (please describe):

Checklist

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have run ./scripts/fix_rust.sh to ensure my code is formatted and linted correctly
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged and published in downstream modules

@gztensor gztensor self-assigned this Jun 17, 2026
@gztensor gztensor added the skip-cargo-audit This PR fails cargo audit but needs to be merged anyway label Jun 17, 2026
@github-actions


🚨🚨🚨 HOTFIX DETECTED 🚨🚨🚨

It looks like you are trying to merge a hotfix PR into main. If this isn't what you wanted to do, and you just wanted to make a regular PR, please close this PR, base your changes off the devnet-ready branch and open a new PR into devnet ready.

If you are trying to merge a hotfix PR, please complete the following essential steps:

  1. go ahead and get this PR into main merged, so we can get the change in as quickly as possible!
  2. merge main into testnet, bumping spec_version
  3. deploy testnet
  4. merge testnet into devnet, bumping spec_version
  5. deploy devnet
  6. merge devnet into devnet-ready

If you do not complete these steps, your hotfix may be inadvertently removed in the future when branches are promoted to main, so it is essential that you do so.

@github-actions github-actions Bot added the hotfix This PR needs to be merged very quickly and will likely skip testing on devnet and testnet label Jun 17, 2026

@github-actions github-actions Bot left a comment


AI review — see the sticky summary comment for the verdict and the inline comments below for specific findings.

Comment thread pallets/subtensor/src/swap/swap_coldkey.rs Outdated

github-actions Bot commented Jun 17, 2026


🛡️ AI Review — Skeptic (security review)

VERDICT: VULNERABLE

BASELINE scrutiny: author has write permission and substantial prior subtensor history; branch feat/account-flags targets main with a hotfix label but no body justification.

No .github/ai-review/*, .github/copilot-instructions.md, dependency, lockfile, or build-script changes are present. The runtime AccountFlags cleanup from the earlier review remains addressed: clearing the flag removes the storage entry when the resulting bitmap is zero.

Findings

| Sev | File | Finding |
| --- | --- | --- |
| HIGH | PR body | Direct-to-main hotfix path is not justified (off-diff) |

Other findings

  • [HIGH] Direct-to-main hotfix path is not justified (PR body) — This PR targets main from feat/account-flags, not from testnet. The trusted branch policy allows direct-to-main only for hotfixes or deployment flow, and the PR description must justify that explicitly. The body describes a new feature and has a hotfix label, but it does not explain why this must skip the normal devnet-ready path. Add an explicit hotfix justification or retarget the PR to the normal integration branch.

Prior-comment reconciliation

  • d58b2b4c: not addressed — The PR body still describes a new feature and does not explain why this branch must target main directly.

Conclusion

The runtime diff did not show malicious code or a new security vulnerability in the changed account-flag logic, but the direct-to-main hotfix path remains unjustified under the trusted branch policy.


📜 Previous run (superseded)
| Sev | File | Finding | Status |
| --- | --- | --- | --- |
| HIGH | PR body | Direct-to-main hotfix path is not justified | ➡️ Carried forward to current findings |

The PR body still describes a new feature and does not explain why this branch must target main directly.

# 🔍 AI Review — Auditor (domain review) has not yet run on this PR.
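
The flag storage described in the PR description and in the review above, modeled as an added example that is not code from this PR or from the subtensor pallet. `AccountFlags` and `set_reject_locked_alpha` are names from the page; the `HashMap` stand-in for pallet storage, the `u64` account ids, the constant `REJECT_LOCKED_ALPHA`, the helpers `can_receive_locked_alpha` and `transfer_locked_alpha`, and the reading "bit 0 set means reject" are assumptions.

```rust
use std::collections::HashMap;

// Hypothetical stand-ins: u64 account ids and a HashMap instead of a pallet storage map.
type AccountId = u64;

/// Bit 0 of the bitmap; assumed here to mean "reject locked alpha" when set.
const REJECT_LOCKED_ALPHA: u128 = 1 << 0;

#[derive(Default)]
struct AccountFlags {
    map: HashMap<AccountId, u128>,
}

impl AccountFlags {
    /// Model of `set_reject_locked_alpha`: the coldkey changes only its own entry,
    /// and only bit 0 of it; every other bit in the bitmap is preserved.
    fn set_reject_locked_alpha(&mut self, coldkey: AccountId, reject: bool) {
        let old = self.map.get(&coldkey).copied().unwrap_or(0);
        let new = if reject { old | REJECT_LOCKED_ALPHA } else { old & !REJECT_LOCKED_ALPHA };
        if new == 0 {
            // Drop all-zero bitmaps so a cleared flag leaves no storage entry behind.
            self.map.remove(&coldkey);
        } else {
            self.map.insert(coldkey, new);
        }
    }

    /// Accounts without an entry default to accepting locked alpha.
    fn can_receive_locked_alpha(&self, who: AccountId) -> bool {
        (self.map.get(&who).copied().unwrap_or(0) & REJECT_LOCKED_ALPHA) == 0
    }

    /// Hypothetical transfer guard: consult the recipient's flag before moving anything.
    fn transfer_locked_alpha(&self, to: AccountId, amount: u64) -> Result<u64, &'static str> {
        if !self.can_receive_locked_alpha(to) {
            return Err("recipient rejects locked alpha");
        }
        Ok(amount)
    }
}

fn main() {
    let mut flags = AccountFlags::default();
    flags.set_reject_locked_alpha(1, true);
    println!("{:?}", flags.transfer_locked_alpha(1, 100));
    flags.set_reject_locked_alpha(1, false);
    println!("{:?} entries={}", flags.transfer_locked_alpha(1, 100), flags.map.len());
}
```
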

@github-actions


🔄 AI review updated — Skeptic: VULNERABLE

@github-actions github-actions Bot left a comment


AI review — see the sticky summary comment for the verdict and the inline comments below for specific findings.

Comment thread pallets/subtensor/src/staking/lock.rs
@github-actions


🔄 AI review updated — Skeptic: VULNERABLE

@github-actions github-actions Bot left a comment


AI review — see the sticky summary comment for the verdict and the inline comments below for specific findings.

Comment thread pallets/subtensor/src/macros/dispatches.rs Outdated
@github-actions


🔄 AI review updated — Skeptic: VULNERABLE

@github-actions


🔄 AI review updated — Skeptic: VULNERABLE

@github-actions


🔄 AI review updated — Skeptic: VULNERABLE
