@chainlink/ace 0.5.0 → 1.0.0

package/getting_started/GETTING_STARTED.md

@@ -436,6 +436,12 @@ You now understand the core ACE integration pattern:
 
 Choose your path based on what you want to build:
 
+#### **Upgrade an existing contract**
+
+Already have a deployed contract that needs ACE compliance? Follow our step-by-step upgrade guide:
+
+- **[Upgrade Guide](../UPGRADE_GUIDE.md)** - Add ACE to existing deployed contracts without disrupting functionality
+
 #### **Learn more about Policy Management**
 
 You've seen one policy (`PausePolicy`) on two functions. Ready to level up?

package/getting_started/MyVault.sol

@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: BUSL-1.1
 pragma solidity 0.8.26;
 
-import {PolicyProtected} from "@chainlink/policy-management/core/PolicyProtected.sol";
+import {PolicyProtectedUpgradeable} from "@chainlink/policy-management/core/PolicyProtectedUpgradeable.sol";
 
 /**
  * @title MyVault
@@ -10,7 +10,7 @@ import {PolicyProtected} from "@chainlink/policy-management/core/PolicyProtected
  * Both the `deposit` and `withdraw` functions are protected with the `runPolicy` modifier.
  * This contract is designed to be deployed behind a proxy for upgradeability.
  */
-contract MyVault is PolicyProtected {
+contract MyVault is PolicyProtectedUpgradeable {
   mapping(address => uint256) public deposits;
 
   function initialize(address initialOwner, address policyEngine) public initializer {

package/getting_started/advanced/SanctionsPolicy.sol

@@ -6,7 +6,9 @@ import {IPolicyEngine} from "../../packages/policy-management/src/interfaces/IPo
 import {SanctionsList} from "./SanctionsList.sol";
 
 contract SanctionsPolicy is Policy {
-  address public sanctionsList;
+    string public constant override typeAndVersion = "SanctionsPolicy 1.0.0";
+
+    address public sanctionsList;
 
   /**
    * @notice Configures the policy with the sanctions list address.
@@ -42,7 +44,9 @@ contract SanctionsPolicy is Policy {
     override
     returns (IPolicyEngine.PolicyResult)
   {
-    require(parameters.length == 1, "SanctionsPolicy: Expected 1 parameter");
+    if (parameters.length != 1) {
+      revert InvalidParameters("SanctionsPolicy: Expected 1 parameter");
+    }
     // This policy expects the "to" address as the first parameter
     address recipient = abi.decode(parameters[0], (address));
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@chainlink/ace",
-  "version": "0.5.0",
+  "version": "1.0.0",
   "description": "Chainlink Automated Compliance Engine (ACE) Contracts",
   "keywords": [
     "chainlink",
@@ -13,7 +13,7 @@
     "url": "https://github.com/smartcontractkit/chainlink-ace.git"
   },
   "license": "BUSL-1.1",
-  "author": "Chainlink Labs",
+  "author": "smartcontractkit",
   "scripts": {
     "build": "forge build --sizes",
     "clean": "rm -rf cache out",
@@ -32,7 +32,7 @@
     "wtf": "which forge"
   },
   "devDependencies": {
-    "@chainlink/contracts": "1.3.0",
+    "@chainlink/contracts": "1.5.0",
     "@openzeppelin/contracts": "^5.0.2",
     "@openzeppelin/contracts-upgradeable": "^5.0.2",
     "forge-std": "github:foundry-rs/forge-std#v1.9.4",

package/packages/cross-chain-identity/docs/API_REFERENCE.md

@@ -58,6 +58,8 @@ struct Credential {
 
 ```solidity
 interface ICredentialRegistry {
+    function typeAndVersion() external pure returns (string memory);
+
     function registerCredential(
         bytes32 ccid,
         bytes32 credentialTypeId,

package/packages/cross-chain-identity/src/CredentialRegistry.sol

@@ -1,22 +1,24 @@
 // SPDX-License-Identifier: BUSL-1.1
-pragma solidity 0.8.26;
+pragma solidity ^0.8.20;
 
 import {ICredentialRegistry} from "./interfaces/ICredentialRegistry.sol";
 import {ICredentialValidator} from "./interfaces/ICredentialValidator.sol";
-import {PolicyProtected} from "@chainlink/policy-management/core/PolicyProtected.sol";
+import {PolicyProtectedUpgradeable} from "@chainlink/policy-management/core/PolicyProtectedUpgradeable.sol";
 
-contract CredentialRegistry is PolicyProtected, ICredentialRegistry {
-  /// @custom:storage-location erc7201:cross-chain-identity.CredentialRegistry
+contract CredentialRegistry is PolicyProtectedUpgradeable, ICredentialRegistry {
+  string public constant override typeAndVersion = "CredentialRegistry 1.0.0";
+
+  /// @custom:storage-location erc7201:chainlink.ace.CredentialRegistry
   struct CredentialRegistryStorage {
     mapping(bytes32 ccid => bytes32[] credentialTypeIds) credentialTypeIdsByCCID;
     mapping(bytes32 ccid => mapping(bytes32 credentialTypeId => Credential credentials)) credentials;
   }
 
-  // keccak256(abi.encode(uint256(keccak256("cross-chain-identity.CredentialRegistry")) - 1)) &
+  // keccak256(abi.encode(uint256(keccak256("chainlink.ace.CredentialRegistry")) - 1)) &
   // ~bytes32(uint256(0xff))
   // solhint-disable-next-line const-name-snakecase
   bytes32 private constant credentialRegistryStorageLocation =
-    0xda878a21d431ff897bdb535b211ae68088a4b0265066b239bc4db2e51d9a8200;
+    0xa402d759ab0c43f5f6ba3a2cdc5bb0f98c15af3daf1f94f873714cacbe789800;
 
   function _credentialRegistryStorage() private pure returns (CredentialRegistryStorage storage $) {
     // solhint-disable-next-line no-inline-assembly
@@ -168,7 +170,7 @@ contract CredentialRegistry is PolicyProtected, ICredentialRegistry {
     view
     returns (Credential[] memory)
   {
-    uint8 length = uint8(credentialTypeIds.length);
+    uint256 length = credentialTypeIds.length;
     Credential[] memory credentials = new Credential[](length);
     for (uint256 i = 0; i < length; i++) {
       credentials[i] = getCredential(ccid, credentialTypeIds[i]);

package/packages/cross-chain-identity/src/CredentialRegistryFactory.sol

@@ -0,0 +1,96 @@
+// SPDX-License-Identifier: BUSL-1.1
+pragma solidity ^0.8.20;
+
+import {CredentialRegistry} from "./CredentialRegistry.sol";
+import {Clones} from "@openzeppelin/contracts/proxy/Clones.sol";
+
+/**
+ * @title CredentialRegistryFactory
+ * @notice Factory contract for creating deterministic minimal proxy clones of credential registry implementations.
+ * @dev Uses OpenZeppelin's Clones library to create deterministic minimal proxies (EIP-1167) of credential
+ *      registry contracts.
+ *      Each registry is deployed with a unique salt derived from the creator's address and a unique registry ID,
+ *      ensuring deterministic addresses and preventing duplicate deployments.
+ */
+contract CredentialRegistryFactory {
+  /// @notice Emitted when a new credential registry is created
+  event CredentialRegistryCreated(address registry);
+
+  /// @notice Emitted when registry initialization fails
+  error RegistryInitializationFailed(bytes reason);
+
+  /// @notice Emitted when implementation address is zero
+  error ImplementationIsZeroAddress();
+
+  /**
+   * @notice Creates a new credential registry contract using deterministic minimal proxy cloning.
+   * @dev If a registry with the same salt already exists, returns the existing address instead of reverting.
+   *      Uses CREATE2 for deterministic deployment addresses. The registry is automatically initialized
+   *      with the provided parameters after deployment.
+   * @param implementation The address of the credential registry implementation contract to clone
+   * @param uniqueRegistryId A unique identifier for this registry (combined with msg.sender to create salt)
+   * @param policyEngine The address of the policy engine that will manage this registry
+   * @param initialOwner The address that will own the newly created registry contract
+   * @return registryAddress The address of the created (or existing) registry contract
+   */
+  function createCredentialRegistry(
+    address implementation,
+    bytes32 uniqueRegistryId,
+    address policyEngine,
+    address initialOwner
+  )
+    public
+    returns (address registryAddress)
+  {
+    if (implementation == address(0)) revert ImplementationIsZeroAddress();
+
+    bytes32 salt = getSalt(msg.sender, uniqueRegistryId);
+    registryAddress = Clones.predictDeterministicAddress(implementation, salt);
+    if (registryAddress.code.length > 0) {
+      return registryAddress;
+    }
+
+    registryAddress = Clones.cloneDeterministic(implementation, salt);
+
+    try CredentialRegistry(registryAddress).initialize(policyEngine, initialOwner) {
+      emit CredentialRegistryCreated(registryAddress);
+    } catch (bytes memory reason) {
+      revert RegistryInitializationFailed(reason);
+    }
+  }
+
+  /**
+   * @notice Predicts the deterministic address where a credential registry would be deployed.
+   * @dev Useful for calculating registry addresses before deployment or checking if a registry already exists.
+   *      Uses the same salt generation as createCredentialRegistry to ensure address consistency.
+   * @param creator The address of the account that would create the registry
+   * @param implementation The address of the credential registry implementation contract
+   * @param uniqueRegistryId The unique identifier for the registry
+   * @return The predicted address where the registry would be deployed
+   */
+  function predictRegistryAddress(
+    address creator,
+    address implementation,
+    bytes32 uniqueRegistryId
+  )
+    public
+    view
+    returns (address)
+  {
+    bytes32 salt = getSalt(creator, uniqueRegistryId);
+    return Clones.predictDeterministicAddress(implementation, salt);
+  }
+
+  /**
+   * @notice Generates a deterministic salt for registry deployment.
+   * @dev Combines the sender address and unique registry ID to create a unique salt.
+   *      This ensures that the same creator cannot deploy multiple registries with the same ID,
+   *      while allowing different creators to use the same registry ID.
+   * @param sender The address of the registry creator
+   * @param uniqueRegistryId The unique identifier for the registry
+   * @return The generated salt for deterministic deployment
+   */
+  function getSalt(address sender, bytes32 uniqueRegistryId) public pure returns (bytes32) {
+    return keccak256(abi.encodePacked(sender, uniqueRegistryId));
+  }
+}

package/packages/cross-chain-identity/src/CredentialRegistryIdentityValidator.sol

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: BUSL-1.1
-pragma solidity 0.8.26;
+pragma solidity ^0.8.20;
 
 import {ICredentialRequirements} from "./interfaces/ICredentialRequirements.sol";
 import {IIdentityValidator} from "./interfaces/IIdentityValidator.sol";
@@ -11,19 +11,20 @@ import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/Own
 contract CredentialRegistryIdentityValidator is OwnableUpgradeable, ICredentialRequirements, IIdentityValidator {
   uint256 private constant MAX_REQUIREMENTS = 8;
   uint256 private constant MAX_REQUIREMENT_SOURCES = 8;
+  uint256 private constant MAX_CREDENTIAL_TYPES_PER_REQUIREMENT = 32;
 
-  /// @custom:storage-location erc7201:cross-chain-identity.CredentialRegistryIdentityValidator
+  /// @custom:storage-location erc7201:chainlink.ace.CredentialRegistryIdentityValidator
   struct CredentialRegistryIdentityValidatorStorage {
     bytes32[] requirements;
     mapping(bytes32 requirementId => CredentialRequirement credentialRequirement) credentialRequirementMap;
     mapping(bytes32 credential => CredentialSource[] sources) credentialSources;
   }
 
-  // keccak256(abi.encode(uint256(keccak256("cross-chain-identity.CredentialRegistryIdentityValidator")) - 1)) &
+  // keccak256(abi.encode(uint256(keccak256("chainlink.ace.CredentialRegistryIdentityValidator")) - 1)) &
   // ~bytes32(uint256(0xff))
   // solhint-disable-next-line const-name-snakecase
   bytes32 private constant credentialRegistryIdentityValidatorStorageLocation =
-    0xc27301a28eb510a5458d7558b8bccbf4cdde3a4546d3bf041997133950e7d200;
+    0xd345ab5a3e8073283824dcc06e7ac0c586290818c864e9d2ee66361ecca47600;
 
   function _credentialRegistryIdentityValidatorStorage()
     private
@@ -36,6 +37,11 @@ contract CredentialRegistryIdentityValidator is OwnableUpgradeable, ICredentialR
     }
   }
 
+  constructor() {
+    // disabling initializers on the implementation contract itself
+    _disableInitializers();
+  }
+
   /**
    * @dev Initializes the credential validator and sets the initial credential sources and requirements.
    * @param credentialSourceInputs The credential sources to add.
@@ -96,6 +102,11 @@ contract CredentialRegistryIdentityValidator is OwnableUpgradeable, ICredentialR
       }
     }
     bytes32[] memory credentialTypeIds = input.credentialTypeIds;
+    uint256 credentialTypesLength = credentialTypeIds.length;
+
+    if (credentialTypesLength == 0 || credentialTypesLength > MAX_CREDENTIAL_TYPES_PER_REQUIREMENT) {
+      revert InvalidRequirementConfiguration("Invalid credential types length");
+    }
     _credentialRegistryIdentityValidatorStorage().requirements.push(requirementId);
     _credentialRegistryIdentityValidatorStorage().credentialRequirementMap[requirementId] =
       CredentialRequirement(credentialTypeIds, minValidations, input.invert);

package/packages/cross-chain-identity/src/CredentialRegistryIdentityValidatorPolicy.sol

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: BUSL-1.1
-pragma solidity 0.8.26;
+pragma solidity ^0.8.20;
 
 import {CredentialRegistryIdentityValidator} from "./CredentialRegistryIdentityValidator.sol";
 import {IPolicyEngine} from "@chainlink/policy-management/interfaces/IPolicyEngine.sol";
@@ -7,6 +7,8 @@ import {Policy} from "@chainlink/policy-management/core/Policy.sol";
 import {ICredentialRequirements} from "@chainlink/cross-chain-identity/interfaces/ICredentialRequirements.sol";
 
 contract CredentialRegistryIdentityValidatorPolicy is Policy, CredentialRegistryIdentityValidator {
+  string public constant override typeAndVersion = "CredentialRegistryIdentityValidatorPolicy 1.0.0";
+
   /**
    * @notice Configures the policy by setting up credential sources and credential requirements.
    * @dev The `parameters` input must be the ABI encoding of two dynamic arrays:
@@ -53,14 +55,15 @@ contract CredentialRegistryIdentityValidatorPolicy is Policy, CredentialRegistry
     override
     returns (IPolicyEngine.PolicyResult)
   {
-    // expected parameters: [account(address)]
-    if (parameters.length != 1) {
-      revert IPolicyEngine.InvalidConfiguration("expected 1 parameter");
+    if (parameters.length < 1) {
+      revert InvalidParameters("expected at least 1 parameter");
     }
-    address account = abi.decode(parameters[0], (address));
 
-    if (!validate(account, context)) {
-      revert IPolicyEngine.PolicyRejected("account identity validation failed");
+    for (uint256 i = 0; i < parameters.length; i++) {
+      address account = abi.decode(parameters[i], (address));
+      if (!validate(account, context)) {
+        revert IPolicyEngine.PolicyRejected("account identity validation failed");
+      }
     }
     return IPolicyEngine.PolicyResult.Continue;
   }

package/packages/cross-chain-identity/src/IdentityRegistry.sol

@@ -1,21 +1,25 @@
 // SPDX-License-Identifier: BUSL-1.1
-pragma solidity 0.8.26;
+pragma solidity ^0.8.20;
 
 import {IIdentityRegistry} from "./interfaces/IIdentityRegistry.sol";
-import {PolicyProtected} from "@chainlink/policy-management/core/PolicyProtected.sol";
+import {PolicyProtectedUpgradeable} from "@chainlink/policy-management/core/PolicyProtectedUpgradeable.sol";
 
-contract IdentityRegistry is PolicyProtected, IIdentityRegistry {
-  /// @custom:storage-location erc7201:cross-chain-identity.IdentityRegistry
+contract IdentityRegistry is PolicyProtectedUpgradeable, IIdentityRegistry {
+  string public constant override typeAndVersion = "IdentityRegistry 1.0.0";
+
+  /// @custom:storage-location erc7201:chainlink.ace.IdentityRegistry
   struct IdentityRegistryStorage {
     mapping(address account => bytes32 ccid) accountToCcid;
     mapping(bytes32 ccid => address[] accounts) ccidToAccounts;
+    // Maps ccid => account => index in ccidToAccounts array (index + 1, 0 means not found)
+    mapping(bytes32 ccid => mapping(address account => uint256 index)) accountIndex;
   }
 
-  // keccak256(abi.encode(uint256(keccak256("cross-chain-identity.IdentityRegistry")) - 1)) &
+  // keccak256(abi.encode(uint256(keccak256("chainlink.ace.IdentityRegistry")) - 1)) &
   // ~bytes32(uint256(0xff))
   // solhint-disable-next-line const-name-snakecase
   bytes32 private constant identityRegistryStorageLocation =
-    0x95c7dd14054992de17881168e75df13bb7ed90a1eacfff26d4643d48ec30de00;
+    0x31dacf4de1329b533dc7ad419a7ae424eacaaf799ae802e5d062dea412180200;
 
   function _identityRegistryStorage() private pure returns (IdentityRegistryStorage storage $) {
     // solhint-disable-next-line no-inline-assembly
@@ -83,6 +87,8 @@ contract IdentityRegistry is PolicyProtected, IIdentityRegistry {
     }
     _identityRegistryStorage().accountToCcid[account] = ccid;
     _identityRegistryStorage().ccidToAccounts[ccid].push(account);
+    // Store index + 1 (so 0 means not found)
+    _identityRegistryStorage().accountIndex[ccid][account] = _identityRegistryStorage().ccidToAccounts[ccid].length;
     emit IdentityRegistered(ccid, account);
   }
 
@@ -97,18 +103,28 @@ contract IdentityRegistry is PolicyProtected, IIdentityRegistry {
     override
     runPolicyWithContext(context)
   {
-    uint256 length = _identityRegistryStorage().ccidToAccounts[ccid].length;
-    for (uint256 i = 0; i < length; i++) {
-      if (_identityRegistryStorage().ccidToAccounts[ccid][i] == account) {
-        _identityRegistryStorage().ccidToAccounts[ccid][i] = _identityRegistryStorage().ccidToAccounts[ccid][length - 1];
-        _identityRegistryStorage().ccidToAccounts[ccid].pop();
-        delete _identityRegistryStorage().accountToCcid[account];
-
-        emit IdentityRemoved(ccid, account);
-        return;
-      }
+    uint256 indexPlusOne = _identityRegistryStorage().accountIndex[ccid][account];
+    if (indexPlusOne == 0) {
+      revert IdentityNotFound(ccid, account);
+    }
+
+    uint256 index = indexPlusOne - 1;
+    uint256 lastIndex = _identityRegistryStorage().ccidToAccounts[ccid].length - 1;
+
+    if (index != lastIndex) {
+      // Move the last element to the position being removed
+      address lastAccount = _identityRegistryStorage().ccidToAccounts[ccid][lastIndex];
+      _identityRegistryStorage().ccidToAccounts[ccid][index] = lastAccount;
+      // Update the moved account's index
+      _identityRegistryStorage().accountIndex[ccid][lastAccount] = indexPlusOne;
     }
-    revert IdentityNotFound(ccid, account);
+
+    // Remove the last element
+    _identityRegistryStorage().ccidToAccounts[ccid].pop();
+    delete _identityRegistryStorage().accountToCcid[account];
+    delete _identityRegistryStorage().accountIndex[ccid][account];
+
+    emit IdentityRemoved(ccid, account);
   }
 
   /// @inheritdoc IIdentityRegistry

package/packages/cross-chain-identity/src/IdentityRegistryFactory.sol

@@ -0,0 +1,96 @@
+// SPDX-License-Identifier: BUSL-1.1
+pragma solidity ^0.8.20;
+
+import {IdentityRegistry} from "./IdentityRegistry.sol";
+import {Clones} from "@openzeppelin/contracts/proxy/Clones.sol";
+
+/**
+ * @title IdentityRegistryFactory
+ * @notice Factory contract for creating deterministic minimal proxy clones of identity registry implementations.
+ * @dev Uses OpenZeppelin's Clones library to create deterministic minimal proxies (EIP-1167) of identity
+ *      registry contracts.
+ *      Each registry is deployed with a unique salt derived from the creator's address and a unique registry ID,
+ *      ensuring deterministic addresses and preventing duplicate deployments.
+ */
+contract IdentityRegistryFactory {
+  /// @notice Emitted when a new identity registry is created
+  event IdentityRegistryCreated(address registry);
+
+  /// @notice Emitted when registry initialization fails
+  error RegistryInitializationFailed(bytes reason);
+
+  /// @notice Emitted when implementation address is zero
+  error ImplementationIsZeroAddress();
+
+  /**
+   * @notice Creates a new identity registry contract using deterministic minimal proxy cloning.
+   * @dev If a registry with the same salt already exists, returns the existing address instead of reverting.
+   *      Uses CREATE2 for deterministic deployment addresses. The registry is automatically initialized
+   *      with the provided parameters after deployment.
+   * @param implementation The address of the identity registry implementation contract to clone
+   * @param uniqueRegistryId A unique identifier for this registry (combined with msg.sender to create salt)
+   * @param policyEngine The address of the policy engine that will manage this registry
+   * @param initialOwner The address that will own the newly created registry contract
+   * @return registryAddress The address of the created (or existing) registry contract
+   */
+  function createIdentityRegistry(
+    address implementation,
+    bytes32 uniqueRegistryId,
+    address policyEngine,
+    address initialOwner
+  )
+    public
+    returns (address registryAddress)
+  {
+    if (implementation == address(0)) revert ImplementationIsZeroAddress();
+
+    bytes32 salt = getSalt(msg.sender, uniqueRegistryId);
+    registryAddress = Clones.predictDeterministicAddress(implementation, salt);
+    if (registryAddress.code.length > 0) {
+      return registryAddress;
+    }
+
+    registryAddress = Clones.cloneDeterministic(implementation, salt);
+
+    try IdentityRegistry(registryAddress).initialize(policyEngine, initialOwner) {
+      emit IdentityRegistryCreated(registryAddress);
+    } catch (bytes memory reason) {
+      revert RegistryInitializationFailed(reason);
+    }
+  }
+
+  /**
+   * @notice Predicts the deterministic address where an identity registry would be deployed.
+   * @dev Useful for calculating registry addresses before deployment or checking if a registry already exists.
+   *      Uses the same salt generation as createIdentityRegistry to ensure address consistency.
+   * @param creator The address of the account that would create the registry
+   * @param implementation The address of the identity registry implementation contract
+   * @param uniqueRegistryId The unique identifier for the registry
+   * @return The predicted address where the registry would be deployed
+   */
+  function predictRegistryAddress(
+    address creator,
+    address implementation,
+    bytes32 uniqueRegistryId
+  )
+    public
+    view
+    returns (address)
+  {
+    bytes32 salt = getSalt(creator, uniqueRegistryId);
+    return Clones.predictDeterministicAddress(implementation, salt);
+  }
+
+  /**
+   * @notice Generates a deterministic salt for registry deployment.
+   * @dev Combines the sender address and unique registry ID to create a unique salt.
+   *      This ensures that the same creator cannot deploy multiple registries with the same ID,
+   *      while allowing different creators to use the same registry ID.
+   * @param sender The address of the registry creator
+   * @param uniqueRegistryId The unique identifier for the registry
+   * @return The generated salt for deterministic deployment
+   */
+  function getSalt(address sender, bytes32 uniqueRegistryId) public pure returns (bytes32) {
+    return keccak256(abi.encodePacked(sender, uniqueRegistryId));
+  }
+}

package/packages/cross-chain-identity/src/TrustedIssuerRegistry.sol

@@ -1,25 +1,27 @@
 // SPDX-License-Identifier: BUSL-1.1
-pragma solidity 0.8.26;
+pragma solidity ^0.8.20;
 
 import {ITrustedIssuerRegistry} from "./interfaces/ITrustedIssuerRegistry.sol";
-import {PolicyProtected} from "@chainlink/policy-management/core/PolicyProtected.sol";
+import {PolicyProtectedUpgradeable} from "@chainlink/policy-management/core/PolicyProtectedUpgradeable.sol";
 
 /**
  * @title TrustedIssuerRegistry
  * @dev Implementation of the ITrustedIssuerRegistry interface using ERC-7201 storage pattern.
  */
-contract TrustedIssuerRegistry is PolicyProtected, ITrustedIssuerRegistry {
-  /// @custom:storage-location erc7201:cross-chain-identity.TrustedIssuerRegistry
+contract TrustedIssuerRegistry is PolicyProtectedUpgradeable, ITrustedIssuerRegistry {
+  string public constant override typeAndVersion = "TrustedIssuerRegistry 1.0.0";
+
+  /// @custom:storage-location erc7201:chainlink.ace.TrustedIssuerRegistry
   struct TrustedIssuerRegistryStorage {
     mapping(bytes32 issuerIdHash => bool isTrusted) trustedIssuers;
     bytes32[] issuerList;
   }
 
-  // keccak256(abi.encode(uint256(keccak256("cross-chain-identity.TrustedIssuerRegistry")) - 1)) &
+  // keccak256(abi.encode(uint256(keccak256("chainlink.ace.TrustedIssuerRegistry")) - 1)) &
   // ~bytes32(uint256(0xff))
   // solhint-disable-next-line const-name-snakecase
   bytes32 private constant trustedIssuerRegistryStorageLocation =
-    0x68705e3417317ecc3ac2b3879fdff408d88085552fb211d60abc5b025809c200;
+    0x24368af76f28f75e0d3c893af5175655a9b97a18e82e58c43f9152ef16421900;
 
   function _trustedIssuerRegistryStorage() private pure returns (TrustedIssuerRegistryStorage storage $) {
     assembly {

package/packages/cross-chain-identity/src/TrustedIssuerRegistryFactory.sol

@@ -0,0 +1,96 @@
+// SPDX-License-Identifier: BUSL-1.1
+pragma solidity ^0.8.20;
+
+import {TrustedIssuerRegistry} from "./TrustedIssuerRegistry.sol";
+import {Clones} from "@openzeppelin/contracts/proxy/Clones.sol";
+
+/**
+ * @title TrustedIssuerRegistryFactory
+ * @notice Factory contract for creating deterministic minimal proxy clones of trusted issuer registry implementations.
+ * @dev Uses OpenZeppelin's Clones library to create deterministic minimal proxies (EIP-1167) of trusted issuer
+ *      registry contracts.
+ *      Each registry is deployed with a unique salt derived from the creator's address and a unique registry ID,
+ *      ensuring deterministic addresses and preventing duplicate deployments.
+ */
+contract TrustedIssuerRegistryFactory {
+  /// @notice Emitted when a new trusted issuer registry is created
+  event TrustedIssuerRegistryCreated(address registry);
+
+  /// @notice Emitted when registry initialization fails
+  error RegistryInitializationFailed(bytes reason);
+
+  /// @notice Emitted when implementation address is zero
+  error ImplementationIsZeroAddress();
+
+  /**
+   * @notice Creates a new trusted issuer registry contract using deterministic minimal proxy cloning.
+   * @dev If a registry with the same salt already exists, returns the existing address instead of reverting.
+   *      Uses CREATE2 for deterministic deployment addresses. The registry is automatically initialized
+   *      with the provided parameters after deployment.
+   * @param implementation The address of the trusted issuer registry implementation contract to clone
+   * @param uniqueRegistryId A unique identifier for this registry (combined with msg.sender to create salt)
+   * @param policyEngine The address of the policy engine that will manage this registry
+   * @param initialOwner The address that will own the newly created registry contract
+   * @return registryAddress The address of the created (or existing) registry contract
+   */
+  function createTrustedIssuerRegistry(
+    address implementation,
+    bytes32 uniqueRegistryId,
+    address policyEngine,
+    address initialOwner
+  )
+    public
+    returns (address registryAddress)
+  {
+    if (implementation == address(0)) revert ImplementationIsZeroAddress();
+
+    bytes32 salt = getSalt(msg.sender, uniqueRegistryId);
+    registryAddress = Clones.predictDeterministicAddress(implementation, salt);
+    if (registryAddress.code.length > 0) {
+      return registryAddress;
+    }
+
+    registryAddress = Clones.cloneDeterministic(implementation, salt);
+
+    try TrustedIssuerRegistry(registryAddress).initialize(policyEngine, initialOwner) {
+      emit TrustedIssuerRegistryCreated(registryAddress);
+    } catch (bytes memory reason) {
+      revert RegistryInitializationFailed(reason);
+    }
+  }
+
+  /**
+   * @notice Predicts the deterministic address where a trusted issuer registry would be deployed.
+   * @dev Useful for calculating registry addresses before deployment or checking if a registry already exists.
+   *      Uses the same salt generation as createTrustedIssuerRegistry to ensure address consistency.
+   * @param creator The address of the account that would create the registry
+   * @param implementation The address of the trusted issuer registry implementation contract
+   * @param uniqueRegistryId The unique identifier for the registry
+   * @return The predicted address where the registry would be deployed
+   */
+  function predictRegistryAddress(
+    address creator,
+    address implementation,
+    bytes32 uniqueRegistryId
+  )
+    public
+    view
+    returns (address)
+  {
+    bytes32 salt = getSalt(creator, uniqueRegistryId);
+    return Clones.predictDeterministicAddress(implementation, salt);
+  }
+
+  /**
+   * @notice Generates a deterministic salt for registry deployment.
+   * @dev Combines the sender address and unique registry ID to create a unique salt.
+   *      This ensures that the same creator cannot deploy multiple registries with the same ID,
+   *      while allowing different creators to use the same registry ID.
+   * @param sender The address of the registry creator
+   * @param uniqueRegistryId The unique identifier for the registry
+   * @return The generated salt for deterministic deployment
+   */
+  function getSalt(address sender, bytes32 uniqueRegistryId) public pure returns (bytes32) {
+    return keccak256(abi.encodePacked(sender, uniqueRegistryId));
+  }
+}

package/packages/cross-chain-identity/src/interfaces/ICredentialRegistry.sol

@@ -55,6 +55,12 @@ interface ICredentialRegistry is ICredentialValidator {
     bytes32 indexed ccid, bytes32 indexed credentialTypeId, uint40 previousExpiresAt, uint40 expiresAt
   );
 
+  /**
+   * @notice Returns the type and version of the credential registry.
+   * @return A string representing the type and version of the credential registry.
+   */
+  function typeAndVersion() external pure returns (string memory);
+
   /**
    * @notice Registers a credential for an account.
    *

package/packages/cross-chain-identity/src/interfaces/ICredentialRequirements.sol

@@ -49,7 +49,8 @@ interface ICredentialRequirements {
    * @param requirementId The identifier of the requirement.
    * @param credentialTypeIds The credential type identifier(s) that satisfy the requirement.
    * @param minValidations The minimum number of validations required for the requirement.
-   * @param invert If the requirement is satisfied by the absence of all of the credential(s).
+   * @param invert If true, the requirement is satisfied when at least minValidations sources confirm the credential is
+   * absent. This is useful for requirements that are satisfied by the absence of a credential on multiple sources.
    */
   struct CredentialRequirementInput {
     bytes32 requirementId;