npm - @chainlink/ace - Versions diffs - 0.5.0 - Mend

@chainlink/ace 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (150) hide show

package/packages/policy-management/src/core/PolicyEngine.sol ADDED Viewed

@@ -0,0 +1,382 @@
+// SPDX-License-Identifier: BUSL-1.1
+pragma solidity 0.8.26;
+import {IExtractor} from "../interfaces/IExtractor.sol";
+import {IMapper} from "../interfaces/IMapper.sol";
+import {IPolicy} from "../interfaces/IPolicy.sol";
+import {IPolicyEngine} from "../interfaces/IPolicyEngine.sol";
+import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
+import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
+contract PolicyEngine is Initializable, OwnableUpgradeable, IPolicyEngine {
+  uint256 private constant MAX_POLICIES = 8;
+  /// @custom:storage-location erc7201:policy-management.PolicyEngine
+  struct PolicyEngineStorage {
+    bool defaultPolicyAllow;
+    mapping(bytes4 selector => address extractor) extractorBySelector;
+    mapping(address policy => address mapper) policyMappers;
+    mapping(address target => bool attached) targetAttached;
+    mapping(address target => mapping(bytes4 selector => address[] policies)) targetPolicies;
+    mapping(address target => mapping(bytes4 selector => mapping(address policy => bytes32[] policyParameterNames)))
+      targetPolicyParameters;
+    mapping(address target => bool hasTargetDefault) targetHasDefault;
+    mapping(address target => bool targetDefaultPolicyAllow) targetDefaultPolicyAllow;
+  }
+  // keccak256(abi.encode(uint256(keccak256("policy-management.PolicyEngine")) - 1)) &
+  // ~bytes32(uint256(0xff))
+  // solhint-disable-next-line const-name-snakecase
+  bytes32 private constant policyEngineStorageLocation =
+    0xa1f0e32dde2a220dbeed9998863e2afeb333bc7b502562572bef1aa4cf5bf300;
+  function _policyEngineStorage() private pure returns (PolicyEngineStorage storage $) {
+    // solhint-disable-next-line no-inline-assembly
+    assembly {
+      $.slot := policyEngineStorageLocation
+    }
+  }
+  constructor() {
+    _disableInitializers();
+  }
+  /**
+   * @dev Initializes the policy engine.
+   * @param defaultAllow The default policy result. True to allow, false to reject.
+   */
+  function initialize(bool defaultAllow, address initialOwner) public virtual initializer {
+    __PolicyEngine_init(defaultAllow, initialOwner);
+  }
+  function __PolicyEngine_init(bool defaultAllow, address initialOwner) internal onlyInitializing {
+    __PolicyEngine_init_unchained(defaultAllow);
+    __Ownable_init(initialOwner);
+  }
+  function __PolicyEngine_init_unchained(bool defaultAllow) internal onlyInitializing {
+    _policyEngineStorage().defaultPolicyAllow = defaultAllow;
+  }
+  /// @inheritdoc IPolicyEngine
+  // TODO: need to review the permissioing of this function
+  function attach() public {
+    _attachTarget(msg.sender);
+  }
+  function _attachTarget(address target) internal {
+    if (_policyEngineStorage().targetAttached[target]) {
+      revert IPolicyEngine.TargetAlreadyAttached(target);
+    }
+    _policyEngineStorage().targetAttached[target] = true;
+    emit TargetAttached(target);
+  }
+  /// @inheritdoc IPolicyEngine
+  // TODO: need to review the permissioing of this function
+  function detach() public {
+    if (!_policyEngineStorage().targetAttached[msg.sender]) {
+      revert IPolicyEngine.TargetNotAttached(msg.sender);
+    }
+    _policyEngineStorage().targetAttached[msg.sender] = false;
+    emit TargetDetached(msg.sender);
+  }
+  /// @inheritdoc IPolicyEngine
+  function setDefaultPolicyAllow(bool defaultAllow) public onlyOwner {
+    _policyEngineStorage().defaultPolicyAllow = defaultAllow;
+    emit DefaultPolicyAllowSet(defaultAllow);
+  }
+  /// @inheritdoc IPolicyEngine
+  function setTargetDefaultPolicyAllow(address target, bool defaultAllow) public onlyOwner {
+    PolicyEngineStorage storage $ = _policyEngineStorage();
+    $.targetHasDefault[target] = true;
+    $.targetDefaultPolicyAllow[target] = defaultAllow;
+    emit TargetDefaultPolicyAllowSet(target, defaultAllow);
+  }
+  /// @inheritdoc IPolicyEngine
+  function setPolicyMapper(address policy, address mapper) public onlyOwner {
+    _policyEngineStorage().policyMappers[policy] = mapper;
+  }
+  /// @inheritdoc IPolicyEngine
+  function getPolicyMapper(address policy) external view returns (address) {
+    return _policyEngineStorage().policyMappers[policy];
+  }
+  /// @inheritdoc IPolicyEngine
+  function check(IPolicyEngine.Payload calldata payload) public view virtual override {
+    address[] memory policies = _policyEngineStorage().targetPolicies[msg.sender][payload.selector];
+    if (policies.length == 0) {
+      _checkDefaultPolicyAllowRevert(msg.sender, payload.selector);
+      return;
+    }
+    IPolicyEngine.Parameter[] memory extractedParameters = _extractParameters(payload);
+    for (uint256 i = 0; i < policies.length; i++) {
+      address policy = policies[i];
+      bytes[] memory policyParameterValues = _policyParameterValues(
+        policy, _policyEngineStorage().targetPolicyParameters[msg.sender][payload.selector][policy], extractedParameters
+      );
+      try IPolicy(policy).run(payload.sender, msg.sender, payload.selector, policyParameterValues, payload.context)
+      returns (IPolicyEngine.PolicyResult policyResult) {
+        if (policyResult == IPolicyEngine.PolicyResult.Allowed) {
+          return;
+        } // else continue to next policy
+      } catch (bytes memory err) {
+        _handlePolicyError(payload, policy, err);
+      }
+    }
+    _checkDefaultPolicyAllowRevert(msg.sender, payload.selector);
+  }
+  /// @inheritdoc IPolicyEngine
+  function run(IPolicyEngine.Payload calldata payload) public virtual override {
+    address[] memory policies = _policyEngineStorage().targetPolicies[msg.sender][payload.selector];
+    if (policies.length == 0) {
+      _checkDefaultPolicyAllowRevert(msg.sender, payload.selector);
+      emit PolicyRunComplete(payload.sender, msg.sender, payload.selector);
+      return;
+    }
+    IPolicyEngine.Parameter[] memory extractedParameters = _extractParameters(payload);
+    for (uint256 i = 0; i < policies.length; i++) {
+      address policy = policies[i];
+      bytes[] memory policyParameterValues = _policyParameterValues(
+        policy, _policyEngineStorage().targetPolicyParameters[msg.sender][payload.selector][policy], extractedParameters
+      );
+      try IPolicy(policy).run(payload.sender, msg.sender, payload.selector, policyParameterValues, payload.context)
+      returns (IPolicyEngine.PolicyResult policyResult) {
+        // solhint-disable-next-line no-empty-blocks
+        try IPolicy(policy).postRun(
+          payload.sender, msg.sender, payload.selector, policyParameterValues, payload.context
+        ) {} catch (bytes memory err) {
+          revert IPolicyEngine.PolicyPostRunError(payload.selector, policy, err);
+        }
+        if (policyResult == IPolicyEngine.PolicyResult.Allowed) {
+          emit PolicyRunComplete(payload.sender, msg.sender, payload.selector);
+          return;
+        }
+      } catch (bytes memory err) {
+        _handlePolicyError(payload, policy, err);
+      }
+    }
+    _checkDefaultPolicyAllowRevert(msg.sender, payload.selector);
+    emit PolicyRunComplete(payload.sender, msg.sender, payload.selector);
+  }
+  /// @inheritdoc IPolicyEngine
+  function setExtractor(bytes4 selector, address extractor) public virtual override onlyOwner {
+    _policyEngineStorage().extractorBySelector[selector] = extractor;
+    emit ExtractorSet(selector, extractor);
+  }
+  /// @inheritdoc IPolicyEngine
+  function setExtractors(bytes4[] calldata selectors, address extractor) public virtual override onlyOwner {
+    for (uint256 i = 0; i < selectors.length; i++) {
+      setExtractor(selectors[i], extractor);
+    }
+  }
+  /// @inheritdoc IPolicyEngine
+  function getExtractor(bytes4 selector) public view virtual override returns (address) {
+    return _policyEngineStorage().extractorBySelector[selector];
+  }
+  /// @inheritdoc IPolicyEngine
+  function addPolicy(
+    address target,
+    bytes4 selector,
+    address policy,
+    bytes32[] calldata policyParameterNames
+  )
+    public
+    virtual
+    override
+    onlyOwner
+  {
+    _checkPolicyConfiguration(target, selector, policy);
+    IPolicy(policy).onInstall(selector);
+    _policyEngineStorage().targetPolicies[target][selector].push(policy);
+    _policyEngineStorage().targetPolicyParameters[target][selector][policy] = policyParameterNames;
+    emit PolicyAdded(target, selector, policy);
+  }
+  /// @inheritdoc IPolicyEngine
+  function addPolicyAt(
+    address target,
+    bytes4 selector,
+    address policy,
+    bytes32[] calldata policyParameterNames,
+    uint256 position
+  )
+    public
+    virtual
+    override
+    onlyOwner
+  {
+    address[] storage policies = _policyEngineStorage().targetPolicies[target][selector];
+    if (position > policies.length) {
+      revert IPolicyEngine.InvalidConfiguration("Position is greater than the number of policies");
+    }
+    _checkPolicyConfiguration(target, selector, policy);
+    IPolicy(policy).onInstall(selector);
+    policies.push();
+    for (uint256 i = policies.length - 1; i > position; i--) {
+      policies[i] = policies[i - 1];
+    }
+    policies[position] = policy;
+    _policyEngineStorage().targetPolicyParameters[target][selector][policy] = policyParameterNames;
+    emit PolicyAdded(target, selector, policy);
+  }
+  /// @inheritdoc IPolicyEngine
+  function removePolicy(address target, bytes4 selector, address policy) public virtual override onlyOwner {
+    address[] storage policies = _policyEngineStorage().targetPolicies[target][selector];
+    for (uint256 i = 0; i < policies.length; i++) {
+      if (policies[i] == policy) {
+        IPolicy(policy).onUninstall(selector);
+        for (uint256 j = i; j < policies.length - 1; j++) {
+          policies[j] = policies[j + 1];
+        }
+        policies.pop();
+        emit PolicyRemoved(target, selector, policy);
+        return;
+      }
+    }
+  }
+  /// @inheritdoc IPolicyEngine
+  function getPolicies(
+    address target,
+    bytes4 selector
+  )
+    public
+    view
+    virtual
+    override
+    returns (address[] memory policies)
+  {
+    return _policyEngineStorage().targetPolicies[target][selector];
+  }
+  function _handlePolicyError(Payload memory payload, address policy, bytes memory err) internal pure {
+    (bytes4 errorSelector, bytes memory errorData) = _decodeError(err);
+    if (errorSelector == IPolicyEngine.PolicyRejected.selector) {
+      revert IPolicyEngine.PolicyRunRejected(payload.selector, policy, abi.decode(errorData, (string)));
+    } else {
+      revert IPolicyEngine.PolicyRunError(payload.selector, policy, err);
+    }
+  }
+  function _checkDefaultPolicyAllowRevert(address target, bytes4 selector) private view {
+    PolicyEngineStorage storage $ = _policyEngineStorage();
+    bool defaultAllow = $.defaultPolicyAllow;
+    if ($.targetHasDefault[target]) {
+      defaultAllow = $.targetDefaultPolicyAllow[target];
+    }
+    if (!defaultAllow) {
+      revert IPolicyEngine.PolicyRunRejected(0, address(0), "no policy allowed the action and default is reject");
+    }
+  }
+  function _checkPolicyConfiguration(address target, bytes4 selector, address policy) private view {
+    if (policy == address(0)) {
+      revert IPolicyEngine.InvalidConfiguration("Policy address cannot be zero");
+    }
+    if (_policyEngineStorage().targetPolicies[target][selector].length >= MAX_POLICIES) {
+      revert IPolicyEngine.InvalidConfiguration("Maximum policies reached");
+    }
+    address[] memory policies = _policyEngineStorage().targetPolicies[target][selector];
+    for (uint256 i = 0; i < policies.length; i++) {
+      if (policies[i] == policy) {
+        revert IPolicyEngine.InvalidConfiguration("Policy already added");
+      }
+    }
+  }
+  function _extractParameters(IPolicyEngine.Payload memory payload)
+    private
+    view
+    returns (IPolicyEngine.Parameter[] memory)
+  {
+    IExtractor extractor = IExtractor(_policyEngineStorage().extractorBySelector[payload.selector]);
+    IPolicyEngine.Parameter[] memory extractedParameters;
+    if (address(extractor) == address(0)) {
+      return extractedParameters;
+    }
+    try extractor.extract(payload) returns (IPolicyEngine.Parameter[] memory _extractedParameters) {
+      extractedParameters = _extractedParameters;
+    } catch (bytes memory err) {
+      revert IPolicyEngine.ExtractorError(payload.selector, address(extractor), err);
+    }
+    return extractedParameters;
+  }
+  function _policyParameterValues(
+    address policy,
+    bytes32[] memory policyParameterNames,
+    IPolicyEngine.Parameter[] memory extractedParameters
+  )
+    private
+    view
+    returns (bytes[] memory)
+  {
+    address mapper = _policyEngineStorage().policyMappers[policy];
+    // use custom mapper if set
+    if (mapper != address(0)) {
+      try IMapper(mapper).map(extractedParameters) returns (bytes[] memory mappedParameters) {
+        return mappedParameters;
+      } catch (bytes memory err) {
+        revert IPolicyEngine.PolicyMapperError(policy, err);
+      }
+    }
+    bytes[] memory policyParameterValues = new bytes[](policyParameterNames.length);
+    uint256 parameterCount = policyParameterNames.length;
+    if (parameterCount == 0) {
+      return policyParameterValues;
+    }
+    uint256 mappedParameterCount = 0;
+    for (uint256 i = 0; i < extractedParameters.length; i++) {
+      for (uint256 j = 0; j < parameterCount; j++) {
+        if (extractedParameters[i].name == policyParameterNames[j]) {
+          policyParameterValues[j] = extractedParameters[i].value;
+          mappedParameterCount++;
+          break;
+        }
+      }
+      if (mappedParameterCount == parameterCount) {
+        return policyParameterValues;
+      }
+    }
+    revert IPolicyEngine.InvalidConfiguration("Missing policy parameters");
+  }
+  function _decodeError(bytes memory err) internal pure returns (bytes4, bytes memory) {
+    // If the error length is less than 4, it is not a valid error
+    if (err.length < 4) {
+      return (0, err);
+    }
+    bytes4 selector = bytes4(err);
+    bytes memory errorData = new bytes(err.length - 4);
+    for (uint256 i = 0; i < err.length - 4; i++) {
+      errorData[i] = err[i + 4];
+    }
+    return (selector, errorData);
+  }
+}

package/packages/policy-management/src/core/PolicyFactory.sol ADDED Viewed

@@ -0,0 +1,92 @@
+// SPDX-License-Identifier: BUSL-1.1
+pragma solidity 0.8.26;
+import {Policy} from "./Policy.sol";
+import {Clones} from "@openzeppelin/contracts/proxy/Clones.sol";
+/**
+ * @title PolicyFactory
+ * @notice Factory contract for creating deterministic minimal proxy clones of policy implementations.
+ * @dev Uses OpenZeppelin's Clones library to create deterministic minimal proxies (EIP-1167) of policy contracts.
+ *      Each policy is deployed with a unique salt derived from the creator's address and a unique policy ID,
+ *      ensuring deterministic addresses and preventing duplicate deployments.
+ */
+contract PolicyFactory {
+  /// @notice Emitted when a new policy is created
+  event PolicyCreated(address policy);
+  /// @notice Emitted when policy initialization fails
+  error PolicyInitializationFailed(bytes reason);
+  /**
+   * @notice Creates a new policy contract using deterministic minimal proxy cloning.
+   * @dev If a policy with the same salt already exists, returns the existing address instead of reverting.
+   *      Uses CREATE2 for deterministic deployment addresses. The policy is automatically initialized
+   *      with the provided parameters after deployment.
+   * @param implementation The address of the policy implementation contract to clone
+   * @param uniquePolicyId A unique identifier for this policy (combined with msg.sender to create salt)
+   * @param policyEngine The address of the policy engine that will manage this policy
+   * @param initialOwner The address that will own the newly created policy contract
+   * @param configData ABI-encoded configuration data specific to the policy implementation
+   * @return policyAddress The address of the created (or existing) policy contract
+   */
+  function createPolicy(
+    address implementation,
+    bytes32 uniquePolicyId,
+    address policyEngine,
+    address initialOwner,
+    bytes calldata configData
+  )
+    public
+    returns (address policyAddress)
+  {
+    bytes32 salt = getSalt(msg.sender, uniquePolicyId);
+    policyAddress = Clones.predictDeterministicAddress(implementation, salt);
+    if (policyAddress.code.length > 0) {
+      return policyAddress;
+    }
+    policyAddress = Clones.cloneDeterministic(implementation, salt);
+    try Policy(policyAddress).initialize(policyEngine, initialOwner, configData) {
+      emit PolicyCreated(policyAddress);
+    } catch (bytes memory reason) {
+      revert PolicyInitializationFailed(reason);
+    }
+  }
+  /**
+   * @notice Predicts the deterministic address where a policy would be deployed.
+   * @dev Useful for calculating policy addresses before deployment or checking if a policy already exists.
+   *      Uses the same salt generation as createPolicy to ensure address consistency.
+   * @param creator The address of the account that would create the policy
+   * @param implementation The address of the policy implementation contract
+   * @param uniquePolicyId The unique identifier for the policy
+   * @return The predicted address where the policy would be deployed
+   */
+  function predictPolicyAddress(
+    address creator,
+    address implementation,
+    bytes32 uniquePolicyId
+  )
+    public
+    view
+    returns (address)
+  {
+    bytes32 salt = getSalt(creator, uniquePolicyId);
+    return Clones.predictDeterministicAddress(implementation, salt);
+  }
+  /**
+   * @notice Generates a deterministic salt for policy deployment.
+   * @dev Combines the sender address and unique policy ID to create a unique salt.
+   *      This ensures that the same creator cannot deploy multiple policies with the same ID,
+   *      while allowing different creators to use the same policy ID.
+   * @param sender The address of the policy creator
+   * @param uniquePolicyId The unique identifier for the policy
+   * @return The generated salt for deterministic deployment
+   */
+  function getSalt(address sender, bytes32 uniquePolicyId) public pure returns (bytes32) {
+    return keccak256(abi.encodePacked(sender, uniquePolicyId));
+  }
+}

package/packages/policy-management/src/core/PolicyProtected.sol ADDED Viewed

@@ -0,0 +1,126 @@
+// SPDX-License-Identifier: BUSL-1.1
+pragma solidity ^0.8.20;
+import {IPolicyEngine} from "../interfaces/IPolicyEngine.sol";
+import {IPolicyProtected} from "../interfaces/IPolicyProtected.sol";
+import {IERC165} from "@openzeppelin/contracts/utils/introspection/IERC165.sol";
+import {ERC165Upgradeable} from "@openzeppelin/contracts-upgradeable/utils/introspection/ERC165Upgradeable.sol";
+import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
+import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
+/**
+ * @title PolicyProtected.sol
+ * @dev Base implementation for attaching a policy engine to a smart contract. Uses ERC-7201 storage
+ *      to not conflict with other storage slots of extending contracts. Provides modifiers to be attached to methods
+ *      of the extending contract to run the policy engine before executing the method.
+ */
+abstract contract PolicyProtected is Initializable, OwnableUpgradeable, ERC165Upgradeable, IPolicyProtected {
+  /// @custom:storage-location erc7201:policy-management.PolicyProtected
+  struct PolicyProtectedStorage {
+    IPolicyEngine policyEngine;
+    mapping(address sender => bytes context) senderContext; // use transient storage eventually
+  }
+  // keccak256(abi.encode(uint256(keccak256("policy-management.PolicyProtected")) - 1)) &
+  // ~bytes32(uint256(0xff))
+  // solhint-disable-next-line const-name-snakecase
+  bytes32 private constant policyProtectedStorageLocation =
+    0x381e6510830aa5d1f847c166134370760011d6c9becccc73371e64e18c3c4f00;
+  function _policyProtectedStorage() private pure returns (PolicyProtectedStorage storage $) {
+    // solhint-disable-next-line no-inline-assembly
+    assembly {
+      $.slot := policyProtectedStorageLocation
+    }
+  }
+  constructor() {
+    _disableInitializers();
+  }
+  function __PolicyProtected_init(address initialOwner, address policyEngine) internal onlyInitializing {
+    __Ownable_init(initialOwner);
+    __ERC165_init();
+    __PolicyProtected_init_unchained(policyEngine);
+  }
+  function __PolicyProtected_init_unchained(address policyEngine) internal onlyInitializing {
+    _attachPolicyEngine(policyEngine);
+  }
+  /**
+   * @dev Modifier to run the policy engine on the current method.
+   * @notice After the function execution completes, any context that was set will be automatically cleared.
+   */
+  modifier runPolicy() {
+    if (address(_policyProtectedStorage().policyEngine) == address(0)) {
+      revert IPolicyEngine.PolicyEngineUndefined();
+    }
+    bytes memory context = getContext();
+    _policyProtectedStorage().policyEngine.run(
+      IPolicyEngine.Payload({selector: msg.sig, sender: msg.sender, data: msg.data[4:], context: context})
+    );
+    _;
+    if (context.length > 0) {
+      clearContext();
+    }
+  }
+  /**
+   * @dev Modifier to run the policy engine on the current method with the provided context.
+   * @param context Additional information or authorization to perform the operation.
+   */
+  modifier runPolicyWithContext(bytes calldata context) {
+    if (address(_policyProtectedStorage().policyEngine) == address(0)) {
+      revert IPolicyEngine.PolicyEngineUndefined();
+    }
+    _policyProtectedStorage().policyEngine.run(
+      IPolicyEngine.Payload({selector: msg.sig, sender: msg.sender, data: msg.data[4:], context: context})
+    );
+    _;
+  }
+  /// @inheritdoc IPolicyProtected
+  function attachPolicyEngine(address policyEngine) external virtual override onlyOwner {
+    _attachPolicyEngine(policyEngine);
+  }
+  function _attachPolicyEngine(address policyEngine) internal {
+    _policyProtectedStorage().policyEngine = IPolicyEngine(policyEngine);
+    IPolicyEngine(policyEngine).attach();
+    emit PolicyEngineAttached(policyEngine);
+  }
+  /// @inheritdoc IPolicyProtected
+  function getPolicyEngine() public view virtual override returns (address) {
+    return address(_policyProtectedStorage().policyEngine);
+  }
+  /// @inheritdoc IPolicyProtected
+  function setContext(bytes calldata context) public override {
+    _policyProtectedStorage().senderContext[msg.sender] = context;
+  }
+  /// @inheritdoc IPolicyProtected
+  function getContext() public view override returns (bytes memory) {
+    return _policyProtectedStorage().senderContext[msg.sender];
+  }
+  /// @inheritdoc IPolicyProtected
+  function clearContext() public override {
+    delete _policyProtectedStorage().senderContext[msg.sender];
+  }
+  /**
+   * @dev See {IERC165-supportsInterface}.
+   */
+  function supportsInterface(bytes4 interfaceId)
+    public
+    view
+    virtual
+    override(ERC165Upgradeable, IERC165)
+    returns (bool)
+  {
+    return interfaceId == type(IPolicyProtected).interfaceId || super.supportsInterface(interfaceId);
+  }
+}

package/packages/policy-management/src/extractors/ComplianceTokenForceTransferExtractor.sol ADDED Viewed

@@ -0,0 +1,57 @@
+// SPDX-License-Identifier: BUSL-1.1
+pragma solidity 0.8.26;
+import {IExtractor} from "@chainlink/policy-management/interfaces/IExtractor.sol";
+import {IPolicyEngine} from "@chainlink/policy-management/interfaces/IPolicyEngine.sol";
+import {ComplianceTokenERC20} from "../../../tokens/erc-20/src/ComplianceTokenERC20.sol";
+/**
+ * @title ComplianceTokenForceTransferExtractor
+ * @notice Extracts parameters from Compliance Token ERC20 forced transfer function calls.
+ * @dev This extractor supports the forceTransfer() function selector from the ComplianceTokenERC20 contract
+ *      and extracts the from address, to address, and amount parameters. Force transfers allow
+ *      authorized agents to move tokens between addresses without approval for compliance purposes.
+ */
+contract ComplianceTokenForceTransferExtractor is IExtractor {
+  /// @notice Parameter key for the sender/from address in forced transfer operations
+  bytes32 public constant PARAM_FROM = keccak256("from");
+  /// @notice Parameter key for the recipient/to address in forced transfer operations
+  bytes32 public constant PARAM_TO = keccak256("to");
+  /// @notice Parameter key for the amount being forcefully transferred
+  bytes32 public constant PARAM_AMOUNT = keccak256("amount");
+  /**
+   * @inheritdoc IExtractor
+   * @dev Extracts parameters from ComplianceTokenERC20 forceTransfer(address from, address to, uint256 amount)
+   *      function calls.
+   * @param payload The policy engine payload containing the function selector and calldata
+   * @return An array of three parameters: PARAM_FROM, PARAM_TO, and PARAM_AMOUNT
+   */
+  function extract(IPolicyEngine.Payload calldata payload)
+    public
+    pure
+    virtual
+    returns (IPolicyEngine.Parameter[] memory)
+  {
+    address from = address(0);
+    address to = address(0);
+    uint256 amount = 0;
+    // Handle forceTransfer(address from, address to, uint256 amount)
+    if (payload.selector == ComplianceTokenERC20.forceTransfer.selector) {
+      (from, to, amount) = abi.decode(payload.data, (address, address, uint256));
+    } else {
+      revert IPolicyEngine.UnsupportedSelector(payload.selector);
+    }
+    // Build the parameter array with extracted values
+    IPolicyEngine.Parameter[] memory result = new IPolicyEngine.Parameter[](3);
+    result[0] = IPolicyEngine.Parameter(PARAM_FROM, abi.encode(from));
+    result[1] = IPolicyEngine.Parameter(PARAM_TO, abi.encode(to));
+    result[2] = IPolicyEngine.Parameter(PARAM_AMOUNT, abi.encode(amount));
+    return result;
+  }
+}