@chainlink/ace 0.5.0

package/packages/policy-management/src/policies/VolumeRatePolicy.sol

@@ -0,0 +1,192 @@
+// SPDX-License-Identifier: BUSL-1.1
+pragma solidity 0.8.26;
+
+import {IPolicyEngine} from "@chainlink/policy-management/interfaces/IPolicyEngine.sol";
+import {Policy} from "@chainlink/policy-management/core/Policy.sol";
+
+/**
+ * @title VolumeRatePolicy
+ * @notice A policy for limiting the volume of transfers within a specified time period for each account.
+ * @dev Implements Chainlink's Policy reference implementation and OpenZeppelin's Ownable for access control.
+ * This policy enforces limits on the total amount transferred per account over a configurable time period.
+ */
+contract VolumeRatePolicy is Policy {
+  /// @notice The transfer volume data of an account.
+  struct TransferredAt {
+    /// @notice The time period in which the transfer occurred.
+    /// @dev calculated as block.timestamp / timePeriodDuration.
+    uint256 timePeriod;
+    /// @notice The duration of the time period. This is used to evict the data if the time period duration changes.
+    uint256 timePeriodDuration;
+    /// @notice The total amount transferred in the current time period.
+    uint256 amount;
+  }
+
+  /// @notice Emitted when the maximum transfer amount is set.
+  event MaxAmountSet(uint256 maxAmount);
+  /// @notice Emitted when the time period duration is set.
+  event TimePeriodDurationSet(uint256 timePeriodDuration);
+
+  /// @custom:storage-location erc7201:policy-management.VolumeRatePolicy
+  struct VolumeRatePolicyStorage {
+    /// @notice The duration (in seconds) of the time period for tracking transfers.
+    uint256 timePeriodDuration;
+    /// @notice Tracks the transfer volume and time period for a specific account.
+    mapping(address account => TransferredAt transferredAt) transferredAtByAmount;
+    /// @notice The maximum allowed transfer amount within a single time period
+    uint256 maxAmount;
+  }
+
+  // keccak256(abi.encode(uint256(keccak256("policy-management.VolumeRatePolicy")) - 1)) & ~bytes32(uint256(0xff))
+  bytes32 private constant VolumeRatePolicyStorageLocation =
+    0xcb25215b4838d4e292145a50fb0434197be06c30a5e619d206e7746dc76f7700;
+
+  function _getVolumeRatePolicyStorage() private pure returns (VolumeRatePolicyStorage storage $) {
+    assembly {
+      $.slot := VolumeRatePolicyStorageLocation
+    }
+  }
+
+  /**
+   * @notice Configures the policy by setting the time period duration and the maximum allowed transfer amount.
+   * @param parameters ABI-encoded bytes containing two `uint256` values: the time period duration and the max amount.
+   *      - `timePeriodDuration`: The duration (in seconds) of the time period for tracking transfers.
+   *      - `maxAmount`: The maximum allowed transfer amount within a single time period.
+   */
+  function configure(bytes calldata parameters) internal override {
+    (uint256 timePeriodDuration, uint256 maxAmount) = abi.decode(parameters, (uint256, uint256));
+    require(timePeriodDuration != 0, "Time period duration must be non-zero");
+    VolumeRatePolicyStorage storage $ = _getVolumeRatePolicyStorage(); // Gas optimization: single storage reference
+    $.timePeriodDuration = timePeriodDuration;
+    $.maxAmount = maxAmount;
+  }
+
+  /**
+   * @notice Sets the maximum transfer amount within a single time period.
+   * @dev Reverts if the new maximum amount is the same as the current one.
+   * @param _maxAmount The new maximum transfer amount.
+   */
+  function setMaxAmount(uint256 _maxAmount) public onlyOwner {
+    VolumeRatePolicyStorage storage $ = _getVolumeRatePolicyStorage(); // Gas optimization: single storage reference
+    require($.maxAmount != _maxAmount, "new max amount same as current max amount");
+    $.maxAmount = _maxAmount;
+    emit MaxAmountSet($.maxAmount);
+  }
+
+  /**
+   * @notice Gets the maximum transfer amount within a single time period.
+   * @return maxAmount The maximum transfer amount.
+   */
+  function getMaxAmount() public view returns (uint256) {
+    VolumeRatePolicyStorage storage $ = _getVolumeRatePolicyStorage();
+    return $.maxAmount;
+  }
+
+  /**
+   * @notice Sets the time period duration for tracking transfers.
+   * @dev All volume tracking will reset after time period duration change.
+   * @param _timePeriodDuration The duration (in seconds) of the time period.
+   */
+  function setTimePeriodDuration(uint256 _timePeriodDuration) public onlyOwner {
+    require(_timePeriodDuration != 0, "Time period duration must be non-zero");
+    VolumeRatePolicyStorage storage $ = _getVolumeRatePolicyStorage(); // Gas optimization: single storage reference
+    require($.timePeriodDuration != _timePeriodDuration, "new duration same as current duration");
+    $.timePeriodDuration = _timePeriodDuration;
+    emit TimePeriodDurationSet($.timePeriodDuration);
+  }
+
+  /**
+   * @notice Gets the time period duration for tracking transfers.
+   * @return timePeriodDuration The duration (in seconds) of the time period.
+   */
+  function getTimePeriodDuration() public view returns (uint256) {
+    VolumeRatePolicyStorage storage $ = _getVolumeRatePolicyStorage();
+    return $.timePeriodDuration;
+  }
+
+  /**
+   * @notice Decodes the parameters.
+   * @param parameters [amount(uint256), from(address)] The parameters of the called method.
+   * @return data The transfer amount and the sender address.
+   */
+  function _extractParameters(bytes[] calldata parameters) internal pure returns (uint256, address) {
+    require(parameters.length == 2, "expected 2 parameters");
+
+    uint256 amount = abi.decode(parameters[0], (uint256));
+    address account = abi.decode(parameters[1], (address));
+
+    return (amount, account);
+  }
+
+  /**
+   * @notice Function to be called by the policy engine to check if execution is allowed.
+   * @param parameters [amount(uint256), from(address)] The parameters of the called method.
+   * @return result The result of the policy check.
+   */
+  function run(
+    address, /*caller*/
+    address, /*subject*/
+    bytes4, /*selector*/
+    bytes[] calldata parameters,
+    bytes calldata /*context*/
+  )
+    public
+    view
+    override
+    returns (IPolicyEngine.PolicyResult)
+  {
+    (uint256 amount, address account) = _extractParameters(parameters);
+
+    VolumeRatePolicyStorage storage $ = _getVolumeRatePolicyStorage(); // Gas optimization: single storage reference
+    uint256 timePeriod = block.timestamp / $.timePeriodDuration;
+
+    TransferredAt memory transferredAt = $.transferredAtByAmount[account];
+
+    if (timePeriod == transferredAt.timePeriod && transferredAt.timePeriodDuration == $.timePeriodDuration) {
+      if (transferredAt.amount + amount > $.maxAmount) {
+        revert IPolicyEngine.PolicyRejected("volume rate limit exceeded for time period");
+      } else {
+        return IPolicyEngine.PolicyResult.Continue;
+      }
+    }
+
+    if (amount > $.maxAmount) {
+      revert IPolicyEngine.PolicyRejected("volume rate limit exceeded for time period");
+    }
+
+    return IPolicyEngine.PolicyResult.Continue;
+  }
+
+  /**
+   * @notice Runs after the policy check if the check was successful, and updates the transfer volume tracking for
+   * the account. This function is called by the policy engine after run() succeeds but before the protected
+   * target function executes.
+   * @param parameters [from(address), amount(uint256)] The parameters of the called method.
+   */
+  function postRun(
+    address, /*caller*/
+    address, /*subject*/
+    bytes4, /*selector*/
+    bytes[] calldata parameters,
+    bytes calldata /*context*/
+  )
+    public
+    override
+    onlyPolicyEngine
+  {
+    (uint256 amount, address account) = _extractParameters(parameters);
+
+    VolumeRatePolicyStorage storage $ = _getVolumeRatePolicyStorage(); // Gas optimization: single storage reference
+    uint256 timePeriod = block.timestamp / $.timePeriodDuration;
+
+    TransferredAt storage transferredAt = $.transferredAtByAmount[account];
+
+    if (transferredAt.timePeriod == timePeriod && transferredAt.timePeriodDuration == $.timePeriodDuration) {
+      transferredAt.amount += amount;
+    } else {
+      transferredAt.timePeriod = timePeriod;
+      transferredAt.timePeriodDuration = $.timePeriodDuration;
+      transferredAt.amount = amount;
+    }
+  }
+}

package/packages/policy-management/test/PolicyEngine.t.sol

@@ -0,0 +1,368 @@
+// SPDX-License-Identifier: BUSL-1.1
+pragma solidity 0.8.26;
+
+import {IPolicyEngine} from "../src/interfaces/IPolicyEngine.sol";
+import {IExtractor} from "../src/interfaces/IExtractor.sol";
+import {PolicyEngine} from "../src/core/PolicyEngine.sol";
+import {PolicyAlwaysAllowed, PolicyAlwaysAllowedWithPostRunError} from "./helpers/PolicyAlwaysAllowed.sol";
+import {PolicyAlwaysRejected} from "./helpers/PolicyAlwaysRejected.sol";
+import {PolicyFailingRun} from "./helpers/PolicyFailingRun.sol";
+import {DummyExtractor} from "./helpers/DummyExtractor.sol";
+import {ExpectedParameterPolicy} from "./helpers/ExpectedParameterPolicy.sol";
+import {CustomMapper} from "./helpers/CustomMapper.sol";
+import {BaseProxyTest} from "./helpers/BaseProxyTest.sol";
+import {PolicyAlwaysContinue} from "./helpers/PolicyAlwaysContinue.sol";
+
+contract PolicyEngineTest is BaseProxyTest {
+  PolicyEngine public policyEngine;
+  IExtractor public extractor;
+  bytes4 public constant selector = bytes4(keccak256("someSelector()"));
+  IPolicyEngine.Payload public testPayload;
+  address target;
+
+  PolicyAlwaysAllowed public policyAlwaysAllowedImpl;
+  PolicyAlwaysRejected public policyAlwaysRejectedImpl;
+  PolicyAlwaysContinue public policyAlwaysContinueImpl;
+  PolicyFailingRun public policyFailingRunImpl;
+  PolicyAlwaysAllowedWithPostRunError public policyAllowedWithPostRunErrorImpl;
+  ExpectedParameterPolicy public expectedParameterPolicyImpl;
+
+  function setUp() public {
+    policyEngine = _deployPolicyEngine(false, address(this));
+
+    target = makeAddr("target");
+
+    extractor = new DummyExtractor();
+
+    policyAlwaysAllowedImpl = new PolicyAlwaysAllowed();
+    policyAlwaysRejectedImpl = new PolicyAlwaysRejected();
+    policyAlwaysContinueImpl = new PolicyAlwaysContinue();
+    policyFailingRunImpl = new PolicyFailingRun();
+    policyAllowedWithPostRunErrorImpl = new PolicyAlwaysAllowedWithPostRunError();
+    expectedParameterPolicyImpl = new ExpectedParameterPolicy();
+
+    testPayload = IPolicyEngine.Payload({selector: selector, sender: target, data: new bytes(0), context: new bytes(0)});
+  }
+
+  function test_setExtractor_storesExtractorAndEmitsEvent() public {
+    vm.expectEmit();
+    emit IPolicyEngine.ExtractorSet(selector, address(extractor));
+
+    policyEngine.setExtractor(selector, address(extractor));
+
+    address storedExtractor = policyEngine.getExtractor(selector);
+
+    assertEq(storedExtractor, address(extractor), "Extractor should be set");
+  }
+
+  function test_addPolicy_storesPolicyAndEmitsEvent() public {
+    PolicyAlwaysAllowed policy = PolicyAlwaysAllowed(
+      _deployPolicy(address(policyAlwaysAllowedImpl), address(policyEngine), address(this), abi.encode(1))
+    );
+
+    vm.expectEmit();
+    emit IPolicyEngine.PolicyAdded(target, selector, address(policy));
+
+    policyEngine.addPolicy(target, selector, address(policy), new bytes32[](0));
+
+    address[] memory policies = policyEngine.getPolicies(target, selector);
+
+    assertEq(policies.length, 1, "Policy should be added");
+    assertEq(policies[0], address(policy), "Policy address should match");
+  }
+
+  function test_addPolicy_thatIsDuplicate_thenReverts() public {
+    PolicyAlwaysAllowed policy = PolicyAlwaysAllowed(
+      _deployPolicy(address(policyAlwaysAllowedImpl), address(policyEngine), address(this), abi.encode(1))
+    );
+
+    policyEngine.addPolicy(target, selector, address(policy), new bytes32[](0));
+
+    vm.expectRevert(abi.encodeWithSelector(IPolicyEngine.InvalidConfiguration.selector, "Policy already added"));
+    policyEngine.addPolicy(target, selector, address(policy), new bytes32[](0));
+  }
+
+  function test_run_whenNoPoliciesAddedThenDefaultPolicyIsUsed() public {
+    bytes memory expectedRevert = abi.encodeWithSelector(
+      IPolicyEngine.PolicyRunRejected.selector, 0, address(0), "no policy allowed the action and default is reject"
+    );
+
+    vm.expectRevert(expectedRevert);
+    vm.startPrank(target);
+    policyEngine.run(testPayload);
+  }
+
+  function test_run_whenNoPoliciesDefaultAllowedEmitsCompleteEvent() public {
+    policyEngine.setDefaultPolicyAllow(true);
+
+    vm.startPrank(target);
+
+    vm.expectEmit();
+    emit IPolicyEngine.PolicyRunComplete(testPayload.sender, target, testPayload.selector);
+    policyEngine.run(testPayload);
+  }
+
+  function test_run_whenSingleAllowedPolicyAddedThenPolicyIsUsed() public {
+    PolicyAlwaysAllowed policy = PolicyAlwaysAllowed(
+      _deployPolicy(address(policyAlwaysAllowedImpl), address(policyEngine), address(this), abi.encode(1))
+    );
+
+    policyEngine.addPolicy(target, selector, address(policy), new bytes32[](0));
+
+    bool success;
+
+    vm.expectEmit();
+    emit PolicyAlwaysAllowed.PolicyAllowedExecuted(1);
+
+    vm.startPrank(target);
+
+    vm.expectEmit();
+    emit IPolicyEngine.PolicyRunComplete(testPayload.sender, target, testPayload.selector);
+    policyEngine.run(testPayload);
+  }
+
+  function test_run_whenSingleContinuedPolicyAddedThenPolicyIsUsed() public {
+    policyEngine.setDefaultPolicyAllow(true);
+
+    PolicyAlwaysContinue policy =
+      PolicyAlwaysContinue(_deployPolicy(address(policyAlwaysContinueImpl), address(policyEngine), address(this), ""));
+
+    policyEngine.addPolicy(target, selector, address(policy), new bytes32[](0));
+
+    vm.startPrank(target);
+
+    vm.expectEmit();
+    emit IPolicyEngine.PolicyRunComplete(testPayload.sender, target, testPayload.selector);
+    policyEngine.run(testPayload);
+  }
+
+  function test_run_whenRejectingPolicyPrecedesAllowingPolicyThenRevertsOccurs() public {
+    PolicyAlwaysRejected policyRejected = PolicyAlwaysRejected(
+      _deployPolicy(address(policyAlwaysRejectedImpl), address(policyEngine), address(this), new bytes(0))
+    );
+    PolicyAlwaysAllowed policyAllowed = PolicyAlwaysAllowed(
+      _deployPolicy(address(policyAlwaysAllowedImpl), address(policyEngine), address(this), abi.encode(1))
+    );
+
+    policyEngine.addPolicy(target, selector, address(policyRejected), new bytes32[](0));
+    policyEngine.addPolicy(target, selector, address(policyAllowed), new bytes32[](0));
+
+    vm.startPrank(target);
+    vm.expectRevert(_encodeRejectedRevert(selector, address(policyRejected), "test policy always rejects"));
+
+    policyEngine.run(testPayload);
+  }
+
+  function test_run_whenAllowingPolicyPrecedesRejectingPolicyThenTransactionGoesThrough() public {
+    PolicyAlwaysRejected policyRejected = PolicyAlwaysRejected(
+      _deployPolicy(address(policyAlwaysRejectedImpl), address(policyEngine), address(this), new bytes(0))
+    );
+    PolicyAlwaysAllowed policyAllowed = PolicyAlwaysAllowed(
+      _deployPolicy(address(policyAlwaysAllowedImpl), address(policyEngine), address(this), abi.encode(1))
+    );
+
+    policyEngine.addPolicy(target, selector, address(policyAllowed), new bytes32[](0));
+    policyEngine.addPolicy(target, selector, address(policyRejected), new bytes32[](0));
+
+    bool success;
+
+    vm.expectEmit();
+    emit PolicyAlwaysAllowed.PolicyAllowedExecuted(1);
+    vm.startPrank(target);
+
+    try policyEngine.run(testPayload) {
+      success = true;
+    } catch {
+      success = false;
+    }
+
+    assertTrue(success, "Policy should allow execution");
+  }
+
+  function test_run_whenPolicyRevertsTransactionReverts() public {
+    PolicyFailingRun policyFailingRun =
+      PolicyFailingRun(_deployPolicy(address(policyFailingRunImpl), address(policyEngine), address(this), new bytes(0)));
+    PolicyAlwaysAllowed policyAllowed = PolicyAlwaysAllowed(
+      _deployPolicy(address(policyAlwaysAllowedImpl), address(policyEngine), address(this), abi.encode(1))
+    );
+
+    policyEngine.addPolicy(target, selector, address(policyFailingRun), new bytes32[](0));
+    policyEngine.addPolicy(target, selector, address(policyAllowed), new bytes32[](0));
+
+    vm.startPrank(target);
+
+    vm.expectPartialRevert(IPolicyEngine.PolicyRunError.selector);
+    policyEngine.run(testPayload);
+  }
+
+  function test_run_whenAllowingPolicyRevertsOnPostRunAndActionIndicatesItShouldRevertThenTransactionReverts() public {
+    PolicyAlwaysAllowedWithPostRunError policyAllowedWithPostRunError = PolicyAlwaysAllowedWithPostRunError(
+      _deployPolicy(address(policyAllowedWithPostRunErrorImpl), address(policyEngine), address(this), abi.encode(1))
+    );
+
+    policyEngine.addPolicy(target, selector, address(policyAllowedWithPostRunError), new bytes32[](0));
+
+    vm.startPrank(target);
+
+    vm.expectPartialRevert(IPolicyEngine.PolicyPostRunError.selector);
+    policyEngine.run(testPayload);
+  }
+
+  function test_run_whenAddingAllowingPolicyAtPrecedingIndexThenTransactionDoesNotRevert() public {
+    PolicyAlwaysRejected policyRejected = PolicyAlwaysRejected(
+      _deployPolicy(address(policyAlwaysRejectedImpl), address(policyEngine), address(this), new bytes(0))
+    );
+    PolicyAlwaysAllowed policyAllowed = PolicyAlwaysAllowed(
+      _deployPolicy(address(policyAlwaysAllowedImpl), address(policyEngine), address(this), abi.encode(1))
+    );
+
+    policyEngine.addPolicy(target, selector, address(policyRejected), new bytes32[](0));
+    policyEngine.addPolicyAt(target, selector, address(policyAllowed), new bytes32[](0), 0);
+
+    bool success;
+
+    vm.expectEmit();
+    emit PolicyAlwaysAllowed.PolicyAllowedExecuted(1);
+    vm.startPrank(target);
+    try policyEngine.run(testPayload) {
+      success = true;
+    } catch {
+      success = false;
+    }
+
+    assertTrue(success, "Policy should allow execution");
+  }
+
+  function test_removePolicy_whenRemovingPolicyAtIntermediateIndexOrderIsPreserved() public {
+    PolicyAlwaysAllowed policyAllowed1 = PolicyAlwaysAllowed(
+      _deployPolicy(address(policyAlwaysAllowedImpl), address(policyEngine), address(this), abi.encode(1))
+    );
+    PolicyAlwaysAllowed policyAllowed2 = PolicyAlwaysAllowed(
+      _deployPolicy(address(policyAlwaysAllowedImpl), address(policyEngine), address(this), abi.encode(2))
+    );
+    PolicyAlwaysAllowed policyAllowed3 = PolicyAlwaysAllowed(
+      _deployPolicy(address(policyAlwaysAllowedImpl), address(policyEngine), address(this), abi.encode(3))
+    );
+    PolicyAlwaysAllowed policyAllowed4 = PolicyAlwaysAllowed(
+      _deployPolicy(address(policyAlwaysAllowedImpl), address(policyEngine), address(this), abi.encode(4))
+    );
+
+    policyEngine.addPolicy(target, selector, address(policyAllowed1), new bytes32[](0));
+    policyEngine.addPolicy(target, selector, address(policyAllowed2), new bytes32[](0));
+    policyEngine.addPolicy(target, selector, address(policyAllowed3), new bytes32[](0));
+    policyEngine.addPolicy(target, selector, address(policyAllowed4), new bytes32[](0));
+
+    vm.expectEmit();
+    emit IPolicyEngine.PolicyRemoved(target, selector, address(policyAllowed2));
+
+    policyEngine.removePolicy(target, selector, address(policyAllowed2));
+
+    address[] memory policies = policyEngine.getPolicies(target, selector);
+
+    assertEq(policies.length, 3, "Policy should be removed");
+    assertEq(policies[0], address(policyAllowed1), "Policy address should match");
+    assertEq(policies[1], address(policyAllowed3), "Policy address should match");
+    assertEq(policies[2], address(policyAllowed4), "Policy address should match");
+  }
+
+  function test_removePolicy_then_run_omitsRemovedPolicy() public {
+    PolicyAlwaysRejected policyRejected = PolicyAlwaysRejected(
+      _deployPolicy(address(policyAlwaysRejectedImpl), address(policyEngine), address(this), new bytes(0))
+    );
+    PolicyAlwaysAllowed policyAllowed = PolicyAlwaysAllowed(
+      _deployPolicy(address(policyAlwaysAllowedImpl), address(policyEngine), address(this), abi.encode(1))
+    );
+
+    policyEngine.addPolicy(target, selector, address(policyAllowed), new bytes32[](0));
+    policyEngine.addPolicy(target, selector, address(policyRejected), new bytes32[](0));
+
+    bool success;
+
+    vm.expectEmit();
+    emit PolicyAlwaysAllowed.PolicyAllowedExecuted(1);
+
+    vm.startPrank(target);
+    try policyEngine.run(testPayload) {
+      success = true;
+    } catch {
+      success = false;
+    }
+
+    assertTrue(success, "Policy should allow execution");
+    vm.stopPrank();
+
+    vm.startPrank(address(this));
+    policyEngine.removePolicy(target, selector, address(policyAllowed));
+    vm.stopPrank();
+
+    vm.startPrank(target);
+    vm.expectRevert(_encodeRejectedRevert(selector, address(policyRejected), "test policy always rejects"));
+    policyEngine.run(testPayload);
+  }
+
+  function test_run_CustomMapper() public {
+    bytes[] memory parameters = new bytes[](1);
+    parameters[0] = abi.encode("test_run_CustomMapper");
+
+    CustomMapper mapper = new CustomMapper();
+    mapper.setMappedParameters(parameters);
+
+    ExpectedParameterPolicy policy = ExpectedParameterPolicy(
+      _deployPolicy(address(expectedParameterPolicyImpl), address(policyEngine), address(this), abi.encode(parameters))
+    );
+
+    policyEngine.addPolicy(target, selector, address(policy), new bytes32[](0));
+    policyEngine.setPolicyMapper(address(policy), address(mapper));
+
+    vm.startPrank(target);
+    policyEngine.run(testPayload);
+  }
+
+  function test_run_forDifferentTargets() public {
+    address secondTarget = makeAddr("secondTarget");
+
+    PolicyAlwaysAllowed policy = PolicyAlwaysAllowed(
+      _deployPolicy(address(policyAlwaysAllowedImpl), address(policyEngine), address(this), abi.encode(1))
+    );
+
+    policyEngine.addPolicy(target, selector, address(policy), new bytes32[](0));
+
+    PolicyAlwaysRejected policyRejected = PolicyAlwaysRejected(
+      _deployPolicy(address(policyAlwaysRejectedImpl), address(policyEngine), address(this), new bytes(0))
+    );
+
+    policyEngine.addPolicy(secondTarget, selector, address(policyRejected), new bytes32[](0));
+
+    bool success;
+    vm.startPrank(target);
+    try policyEngine.run(testPayload) {
+      success = true;
+    } catch {
+      success = false;
+    }
+
+    assertTrue(success, "Policy should allow execution");
+    vm.stopPrank();
+
+    vm.startPrank(secondTarget);
+    vm.expectRevert(_encodeRejectedRevert(selector, address(policyRejected), "test policy always rejects"));
+    policyEngine.run(
+      IPolicyEngine.Payload({selector: selector, sender: secondTarget, data: new bytes(0), context: new bytes(0)})
+    );
+  }
+
+  function test_run_targetDefaultPolicyTakesPrecedenceOverGlobalDefaultPolicy() public {
+    policyEngine.setTargetDefaultPolicyAllow(target, true); // true = allow by default
+
+    bool success;
+
+    vm.startPrank(target);
+    try policyEngine.run(testPayload) {
+      success = true;
+    } catch {
+      success = false;
+    }
+
+    assertTrue(success, "Policy should allow execution");
+  }
+}

package/packages/policy-management/test/PolicyFactory.t.sol

@@ -0,0 +1,114 @@
+// SPDX-License-Identifier: BUSL-1.1
+pragma solidity 0.8.26;
+
+import {PolicyEngine} from "../src/core/PolicyEngine.sol";
+import {PolicyFactory} from "../src/core/PolicyFactory.sol";
+import {PolicyAlwaysAllowed} from "./helpers/PolicyAlwaysAllowed.sol";
+import {CredentialRegistryIdentityValidatorPolicy} from
+  "@chainlink/cross-chain-identity/CredentialRegistryIdentityValidatorPolicy.sol";
+import {ICredentialRequirements} from "@chainlink/cross-chain-identity/interfaces/ICredentialRequirements.sol";
+import {Test} from "forge-std/Test.sol";
+
+contract PolicyFactoryTest is Test {
+  PolicyEngine private s_policyEngine;
+  PolicyFactory private s_factory;
+
+  PolicyAlwaysAllowed private s_policyImplementation;
+
+  bytes32 public constant REQUIREMENT_KYC = keccak256("KYC");
+  bytes32 public constant CREDENTIAL_KYC = keccak256("common.kyc");
+
+  function setUp() public {
+    s_policyEngine = new PolicyEngine();
+    s_factory = new PolicyFactory();
+    s_policyImplementation = new PolicyAlwaysAllowed();
+  }
+
+  function test_createPolicy_success() public {
+    bytes32 policyId = keccak256(abi.encodePacked("policy-1"));
+    bytes memory configData = abi.encode(42);
+
+    address expectedPolicyAddress =
+      s_factory.predictPolicyAddress(address(this), address(s_policyImplementation), policyId);
+
+    vm.expectEmit();
+    emit PolicyFactory.PolicyCreated(expectedPolicyAddress);
+
+    address newPolicyAddress = s_factory.createPolicy(
+      address(s_policyImplementation), policyId, address(s_policyEngine), address(this), configData
+    );
+    assertEq(newPolicyAddress, expectedPolicyAddress);
+
+    PolicyAlwaysAllowed newPolicy = PolicyAlwaysAllowed(newPolicyAddress);
+    assertEq(newPolicy.getPolicyNumber(), 42);
+  }
+
+  function test_createPolicy_duplicateCreate_success() public {
+    bytes32 policyId = keccak256(abi.encodePacked("policy-1"));
+    bytes memory configData = abi.encode(42);
+
+    address expectedPolicyAddress =
+      s_factory.predictPolicyAddress(address(this), address(s_policyImplementation), policyId);
+
+    vm.expectEmit();
+    emit PolicyFactory.PolicyCreated(expectedPolicyAddress);
+
+    address newPolicyAddress = s_factory.createPolicy(
+      address(s_policyImplementation), policyId, address(s_policyEngine), address(this), configData
+    );
+    address newPolicyAddress2 = s_factory.createPolicy(
+      address(s_policyImplementation), policyId, address(s_policyEngine), address(this), configData
+    );
+    assertEq(newPolicyAddress, newPolicyAddress2);
+  }
+
+  function test_createPolicy_badconfigData_revert() public {
+    bytes32 policyId = keccak256(abi.encodePacked("policy-1"));
+
+    vm.expectPartialRevert(PolicyFactory.PolicyInitializationFailed.selector);
+    s_factory.createPolicy(address(s_policyImplementation), policyId, address(s_policyEngine), address(this), "0x1234");
+  }
+
+  function test_createCredentialRegistryIdentityValidatorPolicy_success() public {
+    bytes32 policyId = keccak256(abi.encodePacked("policy-1"));
+    address identityRegistry = vm.addr(uint256(keccak256(abi.encodePacked(block.timestamp, "identity"))));
+    address credentialRegistry = vm.addr(uint256(keccak256(abi.encodePacked(block.timestamp, "credential"))));
+    bytes32[] memory credentialsKyc = new bytes32[](1);
+    credentialsKyc[0] = CREDENTIAL_KYC;
+
+    ICredentialRequirements.CredentialRequirementInput[] memory requirementsInput =
+      new ICredentialRequirements.CredentialRequirementInput[](1);
+    requirementsInput[0] = ICredentialRequirements.CredentialRequirementInput(REQUIREMENT_KYC, credentialsKyc, 1, false);
+
+    ICredentialRequirements.CredentialSourceInput[] memory sourceInputs =
+      new ICredentialRequirements.CredentialSourceInput[](1);
+
+    sourceInputs[0] =
+      ICredentialRequirements.CredentialSourceInput(CREDENTIAL_KYC, identityRegistry, credentialRegistry, address(0));
+
+    bytes memory configData = abi.encode(sourceInputs, requirementsInput);
+
+    CredentialRegistryIdentityValidatorPolicy identityValidatorPolicy = new CredentialRegistryIdentityValidatorPolicy();
+
+    address expectedPolicyAddress =
+      s_factory.predictPolicyAddress(address(this), address(identityValidatorPolicy), policyId);
+
+    vm.expectEmit();
+    emit PolicyFactory.PolicyCreated(expectedPolicyAddress);
+
+    address newPolicyAddress = s_factory.createPolicy(
+      address(identityValidatorPolicy), policyId, address(s_policyEngine), address(this), configData
+    );
+    assertEq(newPolicyAddress, expectedPolicyAddress);
+
+    CredentialRegistryIdentityValidatorPolicy deployedPolicy =
+      CredentialRegistryIdentityValidatorPolicy(newPolicyAddress);
+    ICredentialRequirements.CredentialSource[] memory credentialSources =
+      deployedPolicy.getCredentialSources(CREDENTIAL_KYC);
+    assertEq(credentialSources.length, 1);
+    assertEq(credentialSources[0].identityRegistry, identityRegistry);
+    bytes32[] memory credentialRequirementIds = deployedPolicy.getCredentialRequirementIds();
+    assertEq(credentialRequirementIds.length, 1);
+    assertEq(credentialRequirementIds[0], REQUIREMENT_KYC);
+  }
+}