@agenticprimitives/contracts 0.1.0-alpha.2

package/src/custody/IERC7579Module.sol

@@ -0,0 +1,60 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.28;
+
+/**
+ * @title IERC7579Module
+ * @notice Minimal marker interface from ERC-7579 so external tooling can
+ *         introspect our modules without requiring a full 7579 account port.
+ *
+ *   Our AgentAccount is not a full ERC-7579 account — it keeps the
+ *   MetaMask-DeleGator-style execution model. But our module contracts
+ *   (validators, enforcers) can declare themselves as 7579-shaped so
+ *   compatible wallets and explorers identify them correctly.
+ *
+ *   Module type ids (from the ERC-7579 spec):
+ *     1  Validator           — validates signatures / UserOps
+ *     2  Executor            — executes on behalf of the account
+ *     3  Fallback            — receives arbitrary calls
+ *     4  Hook                — pre/post execution hooks
+ *     5  Policy              — Kernel-style policy attachment (not in base spec)
+ *
+ *   We use TYPE_VALIDATOR for PasskeyValidator and a custom
+ *   TYPE_CAVEAT_ENFORCER (id=100, outside the 7579 reserved range) for our
+ *   delegation caveat enforcers, so standard tooling doesn't mis-type them
+ *   while still picking up the 7579 introspection shape.
+ */
+interface IERC7579Module {
+    /**
+     * @notice Returns true iff this module implements the given module type.
+     * @dev Callers pass one of the canonical type ids listed above.
+     */
+    function isModuleType(uint256 moduleTypeId) external view returns (bool);
+
+    /// @notice Stable identifier for this module implementation.
+    ///         Format is implementation-defined; most deployments use
+    ///         `{vendor}-{kind}-{version}` e.g. "smart-agent-rate-limit-1".
+    function moduleId() external view returns (string memory);
+}
+
+/**
+ * @title IERC7579ModuleLifecycle
+ * @notice Optional extension to IERC7579Module — adds the install/uninstall
+ *         lifecycle hooks. Phase 3 modules that participate in
+ *         AgentAccount.installModule must implement this. The base interface
+ *         (`IERC7579Module`) is left lifecycle-free so existing introspect-only
+ *         modules (e.g. caveat enforcers) keep their shape unchanged.
+ */
+interface IERC7579ModuleLifecycle is IERC7579Module {
+    function onInstall(bytes calldata data) external;
+    function onUninstall(bytes calldata data) external;
+}
+
+library SmartAgentModuleTypes {
+    uint256 internal constant TYPE_VALIDATOR = 1;
+    uint256 internal constant TYPE_EXECUTOR  = 2;
+    uint256 internal constant TYPE_FALLBACK  = 3;
+    uint256 internal constant TYPE_HOOK      = 4;
+    // Smart-Agent-specific — outside the ERC-7579 reserved range to avoid
+    // accidental cross-classification by ecosystem tools.
+    uint256 internal constant TYPE_CAVEAT_ENFORCER = 100;
+}

package/src/enforcers/AllowedMethodsEnforcer.AUDIT.md

@@ -0,0 +1,51 @@
+# `AllowedMethodsEnforcer` — Security & Architecture Audit
+
+**Status:** shipped
+**Last refreshed:** 2026-05-21
+**Owners:** delegation package CODEOWNERS
+**Registry entry:** [`docs/architecture/enforcer-registry/enforcers.json`](../../../../docs/architecture/enforcer-registry/enforcers.json) (entry: `AllowedMethodsEnforcer`)
+**Live address (Base Sepolia):** `0xdE873dEa2EdC4288FEB32Ade7fDdA798983289c0`
+
+## 1. Charter
+
+Constrains the redemption to a function-selector allowlist (`bytes4`). The selector is the first 4 bytes of the redemption's `data` parameter (calldata). The redeemer cannot escape — the enforcer reverts if the selector is not in the list.
+
+Does NOT do: target-address scoping (`AllowedTargetsEnforcer`), per-argument scoping (`ArgumentRuleEnforcer`, phase 6c.6).
+
+## 2. Security invariants
+
+- The allowlist is fixed in `terms` at delegation creation.
+- Selectors are 4 bytes; the enforcer reads `data[0:4]` exactly. Calldata shorter than 4 bytes is rejected.
+- Empty allowlist is rejected at validation time.
+- The enforcer DOES NOT check that the selector corresponds to a real function on the target. A delegator allowlisting selector `0xdeadbeef` for target `T` would grant that call regardless of whether `T` implements anything at that selector — `T` would simply revert at call time. This is correct behavior; the enforcer's job is bounding, not validating.
+
+## 3. Threat model
+
+| Threat | Likelihood | Impact | Mitigation | Status |
+| --- | --- | --- | --- | --- |
+| Selector collision (two different ABIs share a selector) | Medium | Medium | Selectors are 4-byte truncations of keccak; collisions are possible. Spec 208 doc recommends pairing with `ArgumentRuleEnforcer` for value-moving calls so the FULL signature is bound. | Documented |
+| Allowlist-bypass via fallback functions | Medium | High | Selector check is on calldata, not on what the target's fallback does. Pair with `AllowedTargetsEnforcer` so the target is a known contract. | Documented |
+| Gas DoS from large allowlist | Low | Low | SDK lint warns above 16 entries. | **Open: AM-1** |
+
+## 4. DTK / smart-agent parity
+
+**DTK:** `AllowedMethodsEnforcer` — byte-identical shape.
+
+**smart-agent:** `AllowedMethodsEnforcer.sol` — same.
+
+## 5. Test posture
+
+Forge tests: `packages/contracts/test/Enforcers.t.sol` covers single-selector / multi / empty / short-calldata cases (4 tests).
+
+## 6. Open findings
+
+| ID | Severity | Finding | Status |
+| --- | --- | --- | --- |
+| AM-1 | P3 | Add SDK lint warning above 16 selectors. | Open |
+| AM-2 | P2 | Document the "pair with `AllowedTargetsEnforcer`" pattern as a hard recommendation; consider linting against AllowedMethodsEnforcer used alone. | Open |
+
+## 7. Cross-references
+
+- [Registry entry](../../../../docs/architecture/enforcer-registry/enforcers.json)
+- Companion: [`AllowedTargetsEnforcer.AUDIT.md`](./AllowedTargetsEnforcer.AUDIT.md)
+- Subsumes-in-future: [`specs/208-argument-level-caveats.md`](../../../../specs/208-argument-level-caveats.md) — ArgumentRuleEnforcer's per-rule `selector` field overlaps with this enforcer's allowlist. Both stay shipped; ArgumentRule is for cases needing per-arg gates.

package/src/enforcers/AllowedMethodsEnforcer.sol

@@ -0,0 +1,48 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.28;
+
+import "../agency/ICaveatEnforcer.sol";
+
+/**
+ * @title AllowedMethodsEnforcer
+ * @notice Restricts delegated calls to specific function selectors.
+ * @dev terms = abi.encode(bytes4[] allowedSelectors)
+ *      Follows ERC-7710 / MetaMask DeleGator beforeHook/afterHook pattern.
+ */
+contract AllowedMethodsEnforcer is ICaveatEnforcer {
+    error MethodNotAllowed();
+    error CalldataTooShort();
+
+    function beforeHook(
+        bytes calldata terms,
+        bytes calldata,
+        bytes32,
+        address,
+        address,
+        address,
+        uint256,
+        bytes calldata callData
+    ) external pure override {
+        if (callData.length < 4) revert CalldataTooShort();
+
+        bytes4 selector = bytes4(callData[:4]);
+        bytes4[] memory allowed = abi.decode(terms, (bytes4[]));
+        for (uint256 i = 0; i < allowed.length; i++) {
+            if (allowed[i] == selector) return;
+        }
+        revert MethodNotAllowed();
+    }
+
+    function afterHook(
+        bytes calldata,
+        bytes calldata,
+        bytes32,
+        address,
+        address,
+        address,
+        uint256,
+        bytes calldata
+    ) external pure override {
+        // No post-execution check needed
+    }
+}

package/src/enforcers/AllowedTargetsEnforcer.AUDIT.md

@@ -0,0 +1,49 @@
+# `AllowedTargetsEnforcer` — Security & Architecture Audit
+
+**Status:** shipped
+**Last refreshed:** 2026-05-21
+**Owners:** delegation package CODEOWNERS
+**Registry entry:** [`docs/architecture/enforcer-registry/enforcers.json`](../../../../docs/architecture/enforcer-registry/enforcers.json) (entry: `AllowedTargetsEnforcer`)
+**Live address (Base Sepolia):** `0x4D00295D51962a9E81Dada0b90FeA49567863dC5`
+
+## 1. Charter
+
+Constrains the redemption `target` address to an allowlist set at delegation creation. The redeemer cannot escape — the enforcer reverts if `target` is not in the list.
+
+Does NOT do: per-method scoping (use `AllowedMethodsEnforcer` for that), per-arg scoping (phase 6c.6 ships `ArgumentRuleEnforcer` for argument-level checks).
+
+## 2. Security invariants
+
+- The allowlist is encoded in `terms` at delegation creation. Redeemer cannot widen it via `args`.
+- The check is an exact `==` per entry. No CREATE2 prediction, no factory pattern, no proxy unwrap — the deployed address at redeem time IS the address checked.
+- Empty allowlist is rejected at validation time (would be a useless delegation).
+- The allowlist is a `bytes` blob decoded as `address[]`; on-chain we walk it linearly.
+
+## 3. Threat model
+
+| Threat | Likelihood | Impact | Mitigation | Status |
+| --- | --- | --- | --- | --- |
+| Allowlist-bypass via proxy or fallback to forwarder | Medium | High | Out-of-scope here — the redemption target is a STATIC address; if the target itself is a proxy, the delegator must understand what they're allowlisting | By design (documented) |
+| Allowlist size DoS (gas exhaustion) | Low | Low | Linear scan; SDK lint warns above 32 entries; on-chain enforces no hard cap (gas naturally limits it) | **Open: AT-1** — formal cap recommendation pending |
+| Address checksum mistakes in terms | Low (caught off-chain) | High (wrong allowlist) | viem auto-checksums; SDK validates each entry as a valid 20-byte address | Covered |
+
+## 4. DTK / smart-agent parity
+
+**DTK:** `AllowedTargetsEnforcer` — byte-identical shape. Independent port.
+
+**smart-agent:** `AllowedTargetsEnforcer.sol` — same.
+
+## 5. Test posture
+
+Forge tests: `packages/contracts/test/Enforcers.t.sol` — single-target / multi-target / empty / mismatch cases (4 tests).
+
+## 6. Open findings
+
+| ID | Severity | Finding | Status |
+| --- | --- | --- | --- |
+| AT-1 | P3 | Add a soft cap (32 entries) + lint warning at the SDK layer; on-chain enforces no hard cap. | Open |
+
+## 7. Cross-references
+
+- [Registry entry](../../../../docs/architecture/enforcer-registry/enforcers.json)
+- Companion enforcer: [`AllowedMethodsEnforcer.AUDIT.md`](./AllowedMethodsEnforcer.AUDIT.md) — typical pairing for "target T, method M only."

package/src/enforcers/AllowedTargetsEnforcer.sol

@@ -0,0 +1,44 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.28;
+
+import "../agency/ICaveatEnforcer.sol";
+
+/**
+ * @title AllowedTargetsEnforcer
+ * @notice Restricts delegated calls to a specific set of target contracts.
+ * @dev terms = abi.encode(address[] allowedTargets)
+ *      Follows ERC-7710 / MetaMask DeleGator beforeHook/afterHook pattern.
+ */
+contract AllowedTargetsEnforcer is ICaveatEnforcer {
+    error TargetNotAllowed();
+
+    function beforeHook(
+        bytes calldata terms,
+        bytes calldata,
+        bytes32,
+        address,
+        address,
+        address target,
+        uint256,
+        bytes calldata
+    ) external pure override {
+        address[] memory allowed = abi.decode(terms, (address[]));
+        for (uint256 i = 0; i < allowed.length; i++) {
+            if (allowed[i] == target) return;
+        }
+        revert TargetNotAllowed();
+    }
+
+    function afterHook(
+        bytes calldata,
+        bytes calldata,
+        bytes32,
+        address,
+        address,
+        address,
+        uint256,
+        bytes calldata
+    ) external pure override {
+        // No post-execution check needed
+    }
+}

package/src/enforcers/CaveatEnforcerBase.sol

@@ -0,0 +1,19 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.28;
+
+import "../agency/ICaveatEnforcer.sol";
+import "../custody/IERC7579Module.sol";
+
+/**
+ * @title CaveatEnforcerBase
+ * @notice Shared base for caveat enforcers that want to expose the
+ *         ERC-7579 introspection shape. Each enforcer only has to
+ *         override `moduleId()`.
+ */
+abstract contract CaveatEnforcerBase is ICaveatEnforcer, IERC7579Module {
+    function isModuleType(uint256 moduleTypeId) external pure virtual override returns (bool) {
+        return moduleTypeId == SmartAgentModuleTypes.TYPE_CAVEAT_ENFORCER;
+    }
+
+    function moduleId() external pure virtual override returns (string memory);
+}

package/src/enforcers/QuorumEnforcer.AUDIT.md

@@ -0,0 +1,71 @@
+# `QuorumEnforcer` — Security & Architecture Audit
+
+**Status:** shipped
+**Last refreshed:** 2026-05-21
+**Owners:** delegation package CODEOWNERS + agent-account CODEOWNERS
+**Registry entry:** [`docs/architecture/enforcer-registry/enforcers.json`](../../../../docs/architecture/enforcer-registry/enforcers.json) (entry: `QuorumEnforcer`)
+**Live address (Base Sepolia):** `0x3418A5297C75989000985802B8ab01229CDDDD24`
+**Spec:** [`specs/207-smart-account-threshold-policy.md`](../../../../specs/207-smart-account-threshold-policy.md)
+
+## 1. Charter
+
+n-of-m Safe-compatible signature aggregation as a caveat. The delegation's `args` carries packed sorted-ascending owner signatures; the enforcer verifies `threshold` of them recover to addresses in the bound `signers` set, then permits the redemption.
+
+This is the **agenticprimitives-only** enforcer — DTK does not have an equivalent because DTK frames multi-sig as account-shaped. We make it caveat-shaped (see [doctrine](../../../../specs/207-smart-account-threshold-policy.md) § 12) so threshold-policy threads through delegations.
+
+## 2. Security invariants
+
+- Signatures are sorted-ascending by recovered address (anti-duplicate scheme; matches Safe convention).
+- Recovery uses `SignatureSlotRecovery` library — shared with the `ThresholdValidator` admin path so signature shapes are uniform.
+- Four signature paths supported:
+  - v=27/28 → ECDSA over the payload hash directly
+  - v>30 → eth_sign EIP-191 wrapped (v - 4 = recovery)
+  - v=1 → pre-approved hash via `ApprovedHashRegistry` (passkey-only or hardware-wallet signers participating in quorum without producing ECDSA)
+  - v=0 → ERC-1271 contract sig (signer is a smart account)
+- Bound `signers` set is set at delegation creation; redeemer cannot widen.
+- `threshold ≤ signers.length` (caveat-builder enforces; redundant on-chain check).
+- `threshold ≤ 255` (uint8 packing).
+
+## 3. Threat model
+
+| Threat | Likelihood | Impact | Mitigation | Status |
+| --- | --- | --- | --- | --- |
+| Duplicate signer (sig replay within quorum) | High by design | High | Sorted-ascending invariant; `signer <= prev` reverts | Covered |
+| Signer not in bound set | Medium | High | `_inSet` per-signer check | Covered |
+| Stale ApprovedHashRegistry approval | Medium | Medium | Per-signer + per-hash approval; spam-resistant by construction (only approvals from signers in the bound set count) | Covered |
+| ERC-1271 sig from compromised smart-account signer | Low | High | Outside the enforcer's scope — the signer contract's own auth gate is the trust root | Documented |
+| Signature malleability | Low | Low | ECDSA uses canonical s-value (ecrecover handles); v variants don't change recovered address | Covered |
+
+## 4. DTK / smart-agent parity
+
+**DTK:** NONE. Multi-sig in DTK is account-shape (gnosis-safe-style), not caveat-shape. This is a deliberate divergence — see [dtk-alignment-audit.md § 5.4](../../../../docs/architecture/dtk-alignment-audit.md). DTK's `ExecuteByMultipleEnforcer` provides multi-redeemer support but is not equivalent.
+
+**smart-agent:** `QuorumEnforcer.sol` — same shape; agenticprimitives ports the contract + SignatureSlotRecovery helper.
+
+## 5. Test posture
+
+Forge tests: `packages/contracts/test/QuorumEnforcer.t.sol` covers:
+- single-sig (threshold=1)
+- multi-sig threshold=2 of 3
+- unsorted sig rejection
+- duplicate signer rejection
+- non-member signer rejection
+- v=1 approved-hash path (with ApprovedHashRegistry)
+- v=0 ERC-1271 path
+- 8 tests total. Counts toward the 172 workspace total.
+
+Property tests: none yet. Phase 7 should add fuzz over signer permutations.
+
+## 6. Open findings
+
+| ID | Severity | Finding | Status |
+| --- | --- | --- | --- |
+| QE-1 | P2 | Add property fuzz over signer permutations to catch off-by-one in sorted-asc invariant. | Open (phase 7) |
+| QE-2 | P3 | SDK helper to compute the canonical payload hash for off-chain signing isn't yet documented for the v=0 ERC-1271 case (smart-account signers). | Open |
+
+## 7. Cross-references
+
+- [Registry entry](../../../../docs/architecture/enforcer-registry/enforcers.json)
+- [`specs/207-smart-account-threshold-policy.md`](../../../../specs/207-smart-account-threshold-policy.md) — the doctrine motivating this enforcer's existence.
+- Shared library: `packages/contracts/src/libraries/SignatureSlotRecovery.sol` — used by both this enforcer AND `ThresholdValidator`'s admin-action `_verifyQuorum`. Audit changes here affect both.
+- Companion contract: [`ApprovedHashRegistry`](../ApprovedHashRegistry.sol) — required for the v=1 path.

package/src/enforcers/QuorumEnforcer.sol

@@ -0,0 +1,191 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.28;
+
+import "../agency/ICaveatEnforcer.sol";
+import "../libraries/SignatureSlotRecovery.sol";
+
+/**
+ * @title QuorumEnforcer
+ * @notice N-of-M signature aggregation over a payload hash. Adopts
+ *         Safe's `checkSignatures` packing format verbatim so:
+ *           (a) the agenticprimitives multi-sig SDK can interoperate
+ *               with Safe-shaped signature blobs from external tooling,
+ *           (b) we inherit Safe's battle-tested anti-duplicate scheme
+ *               (sorted-ascending signer ordering) without inventing
+ *               our own, and
+ *           (c) `v` values for the four signature types (ECDSA,
+ *               eth_sign, pre-approved hash, ERC-1271) match Safe's
+ *               disambiguation so a single quorum verifier supports
+ *               every signer category we care about.
+ *
+ * @dev terms = abi.encode(
+ *        address[] signerSet,            // signers bound at delegation-mint time
+ *        uint8 threshold,                // minimum valid sigs required
+ *        address approvedHashRegistry    // companion contract for v=1 path
+ *      )
+ *
+ *      args = abi.encode(
+ *        bytes32 payloadHash,            // what the signers signed (typically the
+ *                                        // EIP-712 typed-data hash of the action)
+ *        bytes signatures                // packed sig blob, sorted-ascending by signer
+ *      )
+ *
+ *      Sig blob layout per entry (65 bytes per slot in the sorted region):
+ *        {32 r/data}{32 s/data}{1 v/type}
+ *
+ *      v-byte type discrimination:
+ *         v == 27 || v == 28  → ECDSA over `payloadHash`
+ *         v >  30             → eth_sign ECDSA: signer pre-wrapped payloadHash with
+ *                               "\x19Ethereum Signed Message:\n32"; v is passed as
+ *                               {31, 32} (subtract 4 to recover).
+ *         v == 1              → pre-approved hash; r holds the signer address
+ *                               (left-padded); signer must have called
+ *                               ApprovedHashRegistry.approveHash(payloadHash).
+ *         v == 0              → ERC-1271 contract signature; r holds signer address
+ *                               (left-padded), s holds the byte offset into the
+ *                               `signatures` blob where the length-prefixed
+ *                               dynamic sig tail starts.
+ *
+ *      v == 2 (RIP-7212 secp256r1 / passkey) is reserved but not
+ *      implemented here — passkey-only signers can use the `v == 1`
+ *      approveHash escape hatch (call `ApprovedHashRegistry.approveHash`
+ *      from the passkey-owned account in the same userOp as the
+ *      delegation redemption, batched via `MultiSendCallOnly`).
+ *
+ *      Sorted-ascending signer ordering is the anti-duplicate
+ *      mechanism: every pair of adjacent recovered signers must
+ *      satisfy `prev < curr`. This eliminates the need for a separate
+ *      "seen" mapping and ensures a malicious caller can't submit the
+ *      same signer's signature twice to inflate the threshold count.
+ *
+ *      Each recovered signer must be in `signerSet`. Membership is the
+ *      only authorization check this enforcer does — runtime
+ *      eligibility (e.g. "is this signer still an active owner of the
+ *      smart account?") is intentionally out of scope so the enforcer
+ *      stays composable with whatever upstream authority model the
+ *      delegation chain enforces.
+ *
+ *      Only the first `threshold` slots are checked. Excess entries
+ *      beyond the threshold are ignored — callers SHOULD NOT pad blobs
+ *      unnecessarily as calldata cost scales linearly.
+ */
+contract QuorumEnforcer is ICaveatEnforcer {
+    error InsufficientQuorum(uint256 supplied, uint8 threshold);
+    error UnauthorizedSigner(address signer);
+    error DuplicateOrUnsortedSigner(address signer);
+    error PayloadHashMismatch(bytes32 expected, bytes32 supplied);
+
+    /// @notice Typehash for the quorum-action binding (contract audit C-4).
+    /// @dev Bound to (chainId, enforcer, delegationHash, delegator, redeemer,
+    ///      target, value, keccak256(callData)) so quorum signatures cannot
+    ///      be replayed across executions, accounts, or chains.
+    bytes32 public constant QUORUM_ACTION_TYPEHASH = keccak256(
+        "QuorumAction(uint256 chainId,address enforcer,bytes32 delegationHash,address delegator,address redeemer,address target,uint256 value,bytes32 callDataHash)"
+    );
+
+    /**
+     * @notice Compute the canonical payload hash quorum signers MUST sign.
+     * @dev Public so the off-chain signing path can mirror it byte-for-byte
+     *      via TS helpers. Equivalent to the inline computation in
+     *      `beforeHook` — exposing it as a view function keeps the
+     *      two implementations in lockstep.
+     */
+    function computeQuorumPayloadHash(
+        bytes32 delegationHash,
+        address delegator,
+        address redeemer,
+        address target,
+        uint256 value,
+        bytes calldata callData
+    ) public view returns (bytes32) {
+        return keccak256(
+            abi.encode(
+                QUORUM_ACTION_TYPEHASH,
+                block.chainid,
+                address(this),
+                delegationHash,
+                delegator,
+                redeemer,
+                target,
+                value,
+                keccak256(callData)
+            )
+        );
+    }
+
+    function beforeHook(
+        bytes calldata terms,
+        bytes calldata args,
+        bytes32 delegationHash,
+        address delegator,
+        address redeemer,
+        address target,
+        uint256 value,
+        bytes calldata callData
+    ) external view override {
+        (address[] memory signerSet, uint8 threshold, address approvedHashRegistry) =
+            abi.decode(terms, (address[], uint8, address));
+        (bytes32 suppliedPayloadHash, bytes memory signatures) = abi.decode(args, (bytes32, bytes));
+
+        // Contract audit C-4: bind the signed payload to the actual
+        // execution context. Previously the redeemer chose payloadHash
+        // freely, so a quorum signed off-chain to "approve a transfer
+        // to alice" could be replayed against "approve a transfer to
+        // attacker" with no on-chain check. Reject any mismatch.
+        bytes32 expectedPayloadHash = keccak256(
+            abi.encode(
+                QUORUM_ACTION_TYPEHASH,
+                block.chainid,
+                address(this),
+                delegationHash,
+                delegator,
+                redeemer,
+                target,
+                value,
+                keccak256(callData)
+            )
+        );
+        if (suppliedPayloadHash != expectedPayloadHash) {
+            revert PayloadHashMismatch(expectedPayloadHash, suppliedPayloadHash);
+        }
+
+        if (signatures.length < uint256(threshold) * 65) {
+            revert InsufficientQuorum(signatures.length / 65, threshold);
+        }
+
+        address prev;
+        for (uint256 i; i < threshold; i++) {
+            address signer = SignatureSlotRecovery.recoverFromSlot(
+                expectedPayloadHash,
+                signatures,
+                i,
+                approvedHashRegistry
+            );
+
+            // Sorted-ascending check (also rejects duplicates).
+            if (signer <= prev) revert DuplicateOrUnsortedSigner(signer);
+            prev = signer;
+
+            // Membership in the signer set bound at delegation time.
+            if (!_inSet(signer, signerSet)) revert UnauthorizedSigner(signer);
+        }
+    }
+
+    function afterHook(
+        bytes calldata,
+        bytes calldata,
+        bytes32,
+        address,
+        address,
+        address,
+        uint256,
+        bytes calldata
+    ) external pure override {}
+
+    function _inSet(address signer, address[] memory set) internal pure returns (bool) {
+        for (uint256 i; i < set.length; i++) {
+            if (set[i] == signer) return true;
+        }
+        return false;
+    }
+}

package/src/enforcers/TimestampEnforcer.AUDIT.md

@@ -0,0 +1,50 @@
+# `TimestampEnforcer` — Security & Architecture Audit
+
+**Status:** shipped
+**Last refreshed:** 2026-05-21
+**Owners:** delegation package CODEOWNERS
+**Registry entry:** [`docs/architecture/enforcer-registry/enforcers.json`](../../../../docs/architecture/enforcer-registry/enforcers.json) (entry: `TimestampEnforcer`)
+**Live address (Base Sepolia):** `0x81AB5167ccEfD6a2cD7C95baFE27a120A94F37f0`
+
+## 1. Charter
+
+`TimestampEnforcer` constrains a delegation to a `[validAfter, validUntil]` window using `block.timestamp` at the redemption call. Both bounds are inclusive; either can be `0` (meaning "no bound on this side"). A delegation with both bounds 0 has no time constraint.
+
+Does NOT do: block-number windows (DTK has a separate `BlockNumberEnforcer`; we don't), wall-clock reasoning, time-of-day patterns. All time questions resolve to "what does `block.timestamp` say at redeem time."
+
+## 2. Security invariants
+
+- The redeemer cannot widen the window. `terms` is set at delegation creation; `args` is ignored.
+- `block.timestamp` clock skew across nodes is bounded to ~15s on most L1/L2; the enforcer applies no slack — callers should NOT issue delegations with tightly-bounded windows < 1 minute apart.
+- `validAfter == 0` is permitted (the delegation is valid immediately on creation).
+- `validUntil == 0` is permitted (the delegation has no expiry — useful for never-expiring roles, dangerous if accidental).
+
+## 3. Threat model
+
+| Threat | Likelihood | Impact | Mitigation | Status |
+| --- | --- | --- | --- | --- |
+| Block timestamp manipulation by miner | Low (L2 sequencer-controlled) | Low (~1-15s drift) | Spec doc warns against sub-minute windows | Documented |
+| Delegation issued with `validUntil = 0` by accident | Medium | High (never-expires) | SDK lint should warn on `0` validUntil | **Open: TE-1** — lint not yet implemented |
+| Multi-redemption inside the window | High by design | None (this is the design) | The TimestampEnforcer alone doesn't limit count; pair with a usage-counting enforcer if needed | By design |
+
+## 4. DTK / smart-agent parity
+
+**DTK:** `TimestampEnforcer` — same name, same semantics. Independent port of the ERC-7710 spec, not the DTK source. Wire-format compatible — a DTK-tooled delegation with this caveat verifies against our enforcer at our deployed address.
+
+**smart-agent:** `TimestampEnforcer.sol` — same. agenticprimitives ports the contract directly.
+
+## 5. Test posture
+
+Forge tests: `packages/contracts/test/Enforcers.t.sol` covers the validAfter / validUntil / 0-bound / equal-bound cases (4 tests). No property tests yet.
+
+## 6. Open findings
+
+| ID | Severity | Finding | Status |
+| --- | --- | --- | --- |
+| TE-1 | P3 | SDK lint should warn on `validUntil = 0` (never-expires) when not paired with a revocable-by-owner flag. | Open |
+
+## 7. Cross-references
+
+- [Registry entry](../../../../docs/architecture/enforcer-registry/enforcers.json) (search: `TimestampEnforcer`)
+- [`packages/delegation/AUDIT.md`](../../../../packages/delegation/AUDIT.md) — consumer of this enforcer.
+- [`docs/architecture/dtk-alignment-audit.md`](../../../../docs/architecture/dtk-alignment-audit.md) § 3 — parity verdict.

package/src/enforcers/TimestampEnforcer.sol

@@ -0,0 +1,43 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.28;
+
+import "../agency/ICaveatEnforcer.sol";
+
+/**
+ * @title TimestampEnforcer
+ * @notice Enforces a time window — delegation is only valid between two timestamps.
+ * @dev terms = abi.encode(uint256 validAfter, uint256 validUntil)
+ *      Follows ERC-7710 / MetaMask DeleGator beforeHook/afterHook pattern.
+ */
+contract TimestampEnforcer is ICaveatEnforcer {
+    error TimestampNotYetValid();
+    error TimestampExpired();
+
+    function beforeHook(
+        bytes calldata terms,
+        bytes calldata,
+        bytes32,
+        address,
+        address,
+        address,
+        uint256,
+        bytes calldata
+    ) external view override {
+        (uint256 validAfter, uint256 validUntil) = abi.decode(terms, (uint256, uint256));
+        if (block.timestamp < validAfter) revert TimestampNotYetValid();
+        if (block.timestamp > validUntil) revert TimestampExpired();
+    }
+
+    function afterHook(
+        bytes calldata,
+        bytes calldata,
+        bytes32,
+        address,
+        address,
+        address,
+        uint256,
+        bytes calldata
+    ) external pure override {
+        // No post-execution check needed for timestamps
+    }
+}