@agenticprimitives/contracts 0.1.0-alpha.2

package/src/AgentAccountFactory.sol

@@ -0,0 +1,274 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.28;
+
+import "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";
+import "./AgentAccount.sol";
+import {AgentAccountInitParams} from "./IAgentAccount.sol";
+import {CustodyPolicy} from "./custody/CustodyPolicy.sol";
+import "./governance/GovernanceManaged.sol";
+
+/**
+ * @title AgentAccountFactory
+ * @notice Single-entry factory for AgentAccount proxies with
+ *         deterministic CREATE2 addresses. Phase 6f.5 — collapsed
+ *         createPersonAgent + createMultiSigSmartAgent into one
+ *         entry point so every account on chain has the same shape;
+ *         the only axis is `mode` on the init params.
+ *
+ *           - mode == 0 → no CustodyPolicy installed. Single-signer
+ *             "simple" shape (admin changes go through the account's
+ *             onlySelf surface only). Trustees ignored.
+ *           - mode  > 0 → CustodyPolicy module installed at birth;
+ *             trustees are REQUIRED (≥1 for hybrid, ≥2 for threshold,
+ *             ≥3 for org per spec § 8). Cannot ship an un-recoverable
+ *             multi-sig account through this path.
+ *
+ *         All accounts accept any combination of external custodians
+ *         (EOAs / SIWE / third-party smart wallets) plus an optional
+ *         initial passkey. At least one signer must be supplied. The
+ *         AgentAccount initializer enforces the spec 211 § 3 /
+ *         spec 212 § 2.2 invariant: no agenticprimitives AgentAccount
+ *         may appear in another account's custodian set (ERC-165
+ *         marker check).
+ *
+ *         The canonical CustodyPolicy address is wired at construction
+ *         (factory-immutable) — there is no per-call validator
+ *         override. Swapping CustodyPolicy versions means redeploying
+ *         the factory, which is the same blast radius as a CREATE2
+ *         salt bump.
+ *
+ * Phase A (spec 007) capability roles:
+ *   `bundlerSigner` and `sessionIssuer` are factory-level capability
+ *   addresses. They are NEVER custodians of any deployed account; each
+ *   account reads them off this factory on demand. Phase A.5 made both
+ *   mutable under governance — rotation flows through a governance
+ *   proposal + 48h timelock and propagates automatically to every
+ *   existing AgentAccount.
+ */
+contract AgentAccountFactory is GovernanceManaged {
+    AgentAccount public immutable accountImplementation;
+    address public immutable delegationManager;
+    address public immutable custodyPolicy;
+
+    address public bundlerSigner;
+    address public sessionIssuer;
+
+    event AgentAccountCreated(
+        address indexed account,
+        uint8 mode,
+        uint256 nExternalCustodians,
+        bool withPasskey,
+        uint256 salt
+    );
+
+    event BundlerSignerChanged(address indexed oldVal, address indexed newVal);
+    event SessionIssuerChanged(address indexed oldVal, address indexed newVal);
+
+    uint256[50] private __gap;
+
+    // ─── Errors ─────────────────────────────────────────────────────────
+
+    error InvalidMode(uint8 mode);
+    error NoInitialSigner();
+    error InsufficientTrusteesForMode(uint8 mode, uint256 actual, uint256 required);
+    error TrusteesRequiredForRecoverableMode(uint8 mode);
+    error ZeroAddress();
+
+    constructor(
+        IEntryPoint entryPoint_,
+        address delegationManager_,
+        address custodyPolicy_,
+        address bundlerSigner_,
+        address sessionIssuer_,
+        address governance_
+    ) GovernanceManaged(governance_) {
+        if (custodyPolicy_ == address(0)) revert ZeroAddress();
+        accountImplementation = new AgentAccount(entryPoint_);
+        delegationManager = delegationManager_;
+        custodyPolicy = custodyPolicy_;
+        bundlerSigner = bundlerSigner_;
+        sessionIssuer = sessionIssuer_;
+        emit BundlerSignerChanged(address(0), bundlerSigner_);
+        emit SessionIssuerChanged(address(0), sessionIssuer_);
+    }
+
+    // ─── Governance-only setters ─────────────────────────────────────────
+
+    function setBundlerSigner(address newBundler) external onlyGovernance {
+        address old = bundlerSigner;
+        bundlerSigner = newBundler;
+        emit BundlerSignerChanged(old, newBundler);
+    }
+
+    function setSessionIssuer(address newIssuer) external onlyGovernance {
+        address old = sessionIssuer;
+        sessionIssuer = newIssuer;
+        emit SessionIssuerChanged(old, newIssuer);
+    }
+
+    // ─── Factory entry ──────────────────────────────────────────────────
+
+    /**
+     * @notice Deploy an AgentAccount. Mode picks the shape:
+     *           - 0 → simple (no CustodyPolicy)
+     *           - 1 → hybrid (CustodyPolicy, ≥1 trustee required)
+     *           - 2 → threshold (CustodyPolicy, ≥2 trustees required)
+     *           - 3 → org (CustodyPolicy, ≥3 trustees required)
+     *
+     * @param params Init params bundle.
+     * @param timelockOverrides Per-tier timelock override (index 0 unused;
+     *        tier t uses index t for t in 1..6). Where the override is 0,
+     *        the factory default applies: T4=1h, T5=24h, T6=48h. Demo
+     *        deploys can set short overrides; production uses 0s
+     *        everywhere to inherit the spec defaults. Ignored for mode 0.
+     * @param salt CREATE2 deployment salt.
+     */
+    function createAgentAccount(
+        AgentAccountInitParams calldata params,
+        uint32[7] calldata timelockOverrides,
+        uint256 salt
+    ) external whenNotPaused returns (AgentAccount account) {
+        // H7-C.10 / EXT3-010: gated behind the system-wide governance pause.
+        // An incident-mode guardian can freeze new account creation while
+        // an exploit is being investigated; unpause requires the 24h
+        // timelock (see AgenticGovernance).
+        _validateInitParams(params);
+
+        address addr = _getAddressForAgentAccount(params, salt);
+        if (addr.code.length > 0) return AgentAccount(payable(addr));
+
+        ERC1967Proxy proxy = new ERC1967Proxy{salt: bytes32(salt)}(
+            address(accountImplementation),
+            _initData(params)
+        );
+        account = AgentAccount(payable(address(proxy)));
+
+        if (params.mode > 0) {
+            bytes memory validatorInit = _buildValidatorInitData(params, timelockOverrides);
+            account.installModule(2 /* MODULE_TYPE_EXECUTOR */, custodyPolicy, validatorInit);
+        }
+
+        bool hasPasskey = params.initialPasskeyX != 0 && params.initialPasskeyY != 0;
+        emit AgentAccountCreated(
+            address(account),
+            params.mode,
+            params.custodians.length,
+            hasPasskey,
+            salt
+        );
+    }
+
+    /// @notice Counterfactual address for `createAgentAccount`.
+    function getAddressForAgentAccount(
+        AgentAccountInitParams calldata params,
+        uint256 salt
+    ) external view returns (address) {
+        _validateInitParams(params);
+        return _getAddressForAgentAccount(params, salt);
+    }
+
+    // ─── Internals ──────────────────────────────────────────────────────
+
+    /// @dev Build the unified-initializer calldata. Used by both factory
+    ///      entries + counterfactual derivation so the CREATE2 address
+    ///      computation matches the actual deploy bytecode exactly.
+    function _initData(AgentAccountInitParams calldata params) internal view returns (bytes memory) {
+        return abi.encodeCall(
+            AgentAccount.initialize,
+            (
+                params.custodians,
+                params.initialPasskeyCredentialIdDigest,
+                params.initialPasskeyX,
+                params.initialPasskeyY,
+                params.initialPasskeyRpIdHash,
+                delegationManager,
+                address(this)
+            )
+        );
+    }
+
+    function _getAddressForAgentAccount(
+        AgentAccountInitParams calldata params,
+        uint256 salt
+    ) internal view returns (address) {
+        bytes memory initData = _initData(params);
+        return _create2Address(initData, salt);
+    }
+
+    function _create2Address(bytes memory initData, uint256 salt) internal view returns (address) {
+        bytes memory proxyBytecode = abi.encodePacked(
+            type(ERC1967Proxy).creationCode,
+            abi.encode(address(accountImplementation), initData)
+        );
+        bytes32 bytecodeHash = keccak256(proxyBytecode);
+        return address(uint160(uint256(keccak256(
+            abi.encodePacked(bytes1(0xff), address(this), bytes32(salt), bytecodeHash)
+        ))));
+    }
+
+    /// @dev Per-mode validation:
+    ///        - mode ≤ 3
+    ///        - at least one signer (custodian or passkey)
+    ///        - modes 1-3 require trustees ≥ {1, 2, 3}
+    ///
+    ///      The AgentAccount initializer enforces the actual "≥1 signer"
+    ///      check; we duplicate it here so counterfactual `getAddress`
+    ///      consistently reverts on the same invariant.
+    function _validateInitParams(AgentAccountInitParams calldata params) internal pure {
+        if (params.mode > 3) revert InvalidMode(params.mode);
+
+        bool hasPasskey = params.initialPasskeyX != 0 && params.initialPasskeyY != 0;
+        if (params.custodians.length == 0 && !hasPasskey) revert NoInitialSigner();
+
+        if (params.mode == 0) return;
+
+        uint256 nTrustees = params.trustees.length;
+        if (nTrustees == 0) revert TrusteesRequiredForRecoverableMode(params.mode);
+        if (params.mode == 2 && nTrustees < 2) {
+            revert InsufficientTrusteesForMode(params.mode, nTrustees, 2);
+        }
+        if (params.mode == 3 && nTrustees < 3) {
+            revert InsufficientTrusteesForMode(params.mode, nTrustees, 3);
+        }
+    }
+
+    /// @dev Composes the ABI-encoded init blob the validator's `onInstall`
+    ///      expects. Pulls per-tier thresholds from the spec § 5.1
+    ///      matrix; uses caller-supplied timelock overrides where
+    ///      non-zero, otherwise falls back to spec defaults
+    ///      (T4=1h / T5=24h / T6=48h); default T3 ceiling 0.01 ETH;
+    ///      recovery threshold floor(N/2)+1 (trustees are required for
+    ///      modes 1-3 so this is always ≥ 1).
+    ///
+    ///      `N` for the threshold-matrix is the total signer count =
+    ///      external custodians + (1 if initial passkey, else 0).
+    function _buildValidatorInitData(
+        AgentAccountInitParams calldata params,
+        uint32[7] calldata timelockOverrides
+    ) internal view returns (bytes memory) {
+        uint256 nSigners = params.custodians.length;
+        if (params.initialPasskeyX != 0 && params.initialPasskeyY != 0) nSigners++;
+
+        uint8[7] memory thresholds;
+        for (uint8 t = 1; t <= 5; t++) {
+            thresholds[t] = CustodyPolicy(custodyPolicy).defaultApprovals(uint8(nSigners), t);
+        }
+
+        uint32[7] memory timelocks;
+        timelocks[4] = timelockOverrides[4] == 0 ? uint32(1 hours)  : timelockOverrides[4];
+        timelocks[5] = timelockOverrides[5] == 0 ? uint32(24 hours) : timelockOverrides[5];
+        timelocks[6] = timelockOverrides[6] == 0 ? uint32(48 hours) : timelockOverrides[6];
+
+        uint8 recThr = uint8(params.trustees.length / 2 + 1);
+
+        return abi.encode(
+            params.mode,
+            recThr,
+            params.trustees,
+            thresholds,
+            timelocks,
+            uint256(0.01 ether),
+            address(0)
+        );
+    }
+}

package/src/ApprovedHashRegistry.sol

@@ -0,0 +1,57 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.28;
+
+/**
+ * @title ApprovedHashRegistry
+ * @notice On-chain pre-approved hashes — the `v == 1` path of Safe's
+ *         `checkSignatures` packing format, ported into the
+ *         agenticprimitives multi-sig surface so signers that can't
+ *         easily produce off-chain ECDSA over arbitrary EIP-712 payloads
+ *         (passkey-only smart accounts, hardware wallets without typed
+ *         data support, etc.) can pre-approve a hash by transaction
+ *         instead of off-chain signature.
+ *
+ * @dev Mirrors Safe's `Safe.approveHash` semantics exactly:
+ *      `QuorumEnforcer.beforeHook` consults `isApproved(signer, hash)`
+ *      when it parses a 65-byte signature slot with `v = 1`. The signer
+ *      address rides in the slot's `r` field (left-padded); the
+ *      pre-approval gates whether that signer's "signature" counts
+ *      toward the threshold.
+ *
+ *      Anyone may approve their own hashes — the verifier
+ *      (`QuorumEnforcer`) only counts approvals from addresses present
+ *      in the delegation's bound signer set, so spam approvals from
+ *      non-signers are no-ops.
+ *
+ *      Pairs with `MultiSendCallOnly` (atomic batch) so a passkey
+ *      smart account can `approveHash` + perform the delegated action
+ *      in one userOp.
+ */
+contract ApprovedHashRegistry {
+    /// signer => hash => approved
+    mapping(address => mapping(bytes32 => bool)) public approved;
+
+    event HashApproved(address indexed signer, bytes32 indexed hash);
+    event HashRevoked(address indexed signer, bytes32 indexed hash);
+
+    /**
+     * @notice Pre-approve a hash. `msg.sender` is the signer; only
+     *         this address can later be counted by `QuorumEnforcer`
+     *         for this hash.
+     */
+    function approveHash(bytes32 hash) external {
+        approved[msg.sender][hash] = true;
+        emit HashApproved(msg.sender, hash);
+    }
+
+    /// @notice Revoke a previously-approved hash before redemption.
+    function revokeHash(bytes32 hash) external {
+        approved[msg.sender][hash] = false;
+        emit HashRevoked(msg.sender, hash);
+    }
+
+    /// @notice External view used by `QuorumEnforcer`'s `v == 1` path.
+    function isApproved(address signer, bytes32 hash) external view returns (bool) {
+        return approved[signer][hash];
+    }
+}

package/src/IAgentAccount.sol

@@ -0,0 +1,138 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.28;
+
+import "account-abstraction/interfaces/IAccount.sol";
+
+/**
+ * @title IAgenticPrimitivesAgentAccount
+ * @notice ERC-165 marker interface for AgentAccounts deployed by
+ *         agenticprimitives. `AgentAccount.addCustodian` queries this
+ *         (via ERC-165 `supportsInterface`) to enforce the architectural
+ *         invariant from spec 211 § 3 + spec 212 § 2.2: an
+ *         agenticprimitives AgentAccount MUST NEVER appear in another
+ *         AgentAccount's custodian set. Smart-agent ↔ smart-agent
+ *         relationships are stewardship/delegation, not custody —
+ *         custody bottoms out at external signer authority (EOA / SIWE /
+ *         passkey / third-party smart wallet).
+ *
+ *         Third-party smart wallets (Safe, Argent, Privy, …) are
+ *         intentionally permitted as custodians because they wrap
+ *         external human signers and validate via ERC-1271 without
+ *         recursing into our own custody system.
+ */
+interface IAgenticPrimitivesAgentAccount {
+    /// @dev Marker — implementations MUST return true. The selector is
+    ///      the ERC-165 interfaceId via `type(IAgenticPrimitivesAgentAccount).interfaceId`.
+    function isAgenticPrimitivesAgentAccount() external pure returns (bool);
+}
+
+/**
+ * @notice Parameters bundled into one struct so the factory entry point
+ *         + the matching `initializeWithThresholdPolicy` initializer
+ *         share an exact shape. Captures everything the spec 207
+ *         threshold-policy surface needs at account birth — mode,
+ *         owners, guardians, optional initial passkey. The factory
+ *         installs the spec § 5.1 default threshold matrix + default
+ *         T4/T5/T6 timelocks automatically; callers tune them
+ *         post-deploy via T4/T5 admin flows.
+ *
+ * `mode`: 0=single, 1=hybrid, 2=threshold, 3=org. Factory enforces
+ *         per-mode guardian-count minima per spec § 8 (single: 0,
+ *         hybrid: 0+, threshold: ≥ 2, org: ≥ 3).
+ */
+struct AgentAccountInitParams {
+    uint8 mode;
+    address[] custodians;
+    address[] trustees;
+    bytes32 initialPasskeyCredentialIdDigest; // 0x0 to skip the passkey
+    uint256 initialPasskeyX;
+    uint256 initialPasskeyY;
+    // H7-C.1 / CON-WEBAUTHN-001: rpIdHash the initial passkey was registered
+    // against. Required (non-zero) when the passkey is present.
+    bytes32 initialPasskeyRpIdHash;
+}
+
+/**
+ * @notice One passkey to add as part of a T6 recovery. Coupled to
+ *         `AgentAccountRecoveryArgs.addPasskeys` so callers can name
+ *         each entry instead of juggling parallel arrays.
+ *
+ *         H7-C.1 added `rpIdHash` — see `IAgentAccount.addPasskey`.
+ */
+struct AgentAccountRecoveryPasskeyAdd {
+    bytes32 credentialIdDigest;
+    uint256 x;
+    uint256 y;
+    bytes32 rpIdHash;
+}
+
+/**
+ * @notice Payload for `AdminAction.RecoverAccount` (T6). Atomically
+ *         adds + removes owners and passkeys in a single executed
+ *         action so the recovery flow doesn't pass through fragmented
+ *         intermediate states (half-rotated signer set).
+ *
+ *         Spec 207 § 8 describes the flow:
+ *           1. Guardian quorum proposes recovery.
+ *           2. 48h timelock; first 24h is the primary-owner
+ *              cancel window.
+ *           3. Guardian quorum executes; signer set rotates atomically.
+ *
+ *         Removal lists may name signers that don't exist (no-op);
+ *         add lists may include signers already present (no-op). This
+ *         lets callers idempotently re-propose if a recovery race
+ *         partially succeeded.
+ */
+struct AgentAccountRecoveryArgs {
+    address[] addOwners;
+    address[] removeOwners;
+    AgentAccountRecoveryPasskeyAdd[] addPasskeys;
+    bytes32[] removePasskeyCredentialIdDigests;
+}
+
+/**
+ * @title IAgentAccount
+ * @notice Interface for an agent-native ERC-4337 smart account.
+ */
+interface IAgentAccount is IAccount {
+    /// @notice Emitted when an owner is added.
+    event CustodianAdded(address indexed owner);
+
+    /// @notice Emitted when an owner is removed.
+    event CustodianRemoved(address indexed owner);
+
+    /// @notice Returns true if the address is an owner.
+    function isCustodian(address account) external view returns (bool);
+
+    /// @notice Returns the number of owners.
+    function custodianCount() external view returns (uint256);
+
+    /// @notice Add a new owner. Callable only by the account itself (via UserOp).
+    function addCustodian(address owner) external;
+
+    /// @notice Remove an owner. Callable only by the account itself (via UserOp).
+    function removeCustodian(address owner) external;
+
+    /// @notice ERC-1271: validate a signature against account owners.
+    function isValidSignature(bytes32 hash, bytes calldata signature) external view returns (bytes4);
+
+    // ─── Spec 007 Phase A — capability roles ────────────────────────
+
+    /// @notice Bundler signer (resolved through the factory).
+    function bundlerSigner() external view returns (address);
+
+    /// @notice Session-issuer (resolved through the factory).
+    function sessionIssuer() external view returns (address);
+
+    /// @notice True iff the owner has pre-authorized this session
+    ///         delegation hash on chain (Variant B).
+    function hasAcceptedSessionDelegation(bytes32 sessionDelegationHash) external view returns (bool);
+
+    /// @notice Pre-authorize an on-chain session delegation (Variant B).
+    ///         `onlySelf` — must be reached via a userOp the owner signed.
+    function acceptSessionDelegation(bytes32 sessionDelegationHash) external;
+
+    /// @notice Owner-signed UUPS upgrade. Any caller can submit the tx;
+    ///         what matters is whose signature `ownerSig` recovers to.
+    function upgradeToWithAuthorization(address newImpl, bytes calldata ownerSig) external;
+}