only allow script inputs from the effect and governor

agora/Agora/Effect/GovernorMutation.hs

@@ -62,6 +62,7 @@ import Agora.Governor.Scripts (
   governorSTAssetClassFromGovernor,
  )
 import Agora.Utils (
+  isScriptAddress,
   mustBePDJust,
   mustBePJust,
   passert,
@@ -148,8 +149,19 @@ mutateGovernorValidator gov = makeEffect (authorityTokenSymbolFromGovernor gov)
     passert "Nothing should be minted/burnt other than GAT" $
       plength # mint #== 1
 
-    passert "Only self and governor inputs are allowed" $
-      plength # pfromData txInfo.inputs #== 2
+    passert "Only self and governor script inputs are allowed" $
+      pfoldr
+        # phoistAcyclic
+          ( plam $ \inInfo count ->
+              let address = pfield @"address" #$ pfield @"resolved" # inInfo
+               in pif
+                    (isScriptAddress # address)
+                    (count + 1)
+                    count
+          )
+        # (0 :: Term _ PInteger)
+        # pfromData txInfo.inputs
+        #== 2
 
     let inputWithGST =
           mustBePJust # "Governor input not found" #$ pfind

agora/Agora/Utils.hs

@@ -59,6 +59,7 @@ module Agora.Utils (
   validatorHashToAddress,
   pmergeBy,
   phalve,
+  isScriptAddress
 ) where
 
 --------------------------------------------------------------------------------
@@ -619,6 +620,12 @@ scriptHashFromAddress = phoistAcyclic $
       PScriptCredential ((pfield @"_0" #) -> h) -> pcon $ PJust h
       _ -> pcon PNothing
 
+isScriptAddress :: Term s (PAddress :--> PBool)
+isScriptAddress = phoistAcyclic $ plam $ \addr ->
+  pmatch (pfromData $ pfield @"credential" # addr) $ \case
+      PScriptCredential _ -> pconstant True
+      _ -> pconstant False
+
 -- | Find all TxOuts sent to an Address
 findOutputsToAddress :: Term s (PBuiltinList (PAsData PTxOut) :--> PAddress :--> PBuiltinList (PAsData PTxOut))
 findOutputsToAddress = phoistAcyclic $