@chainlink/ace 0.5.0

package/packages/vendor/onchain-id/interface/IERC735.sol

@@ -0,0 +1,105 @@
+// SPDX-License-Identifier: GPL-3.0
+pragma solidity ^0.8.23;
+
+/**
+ * @dev interface of the ERC735 (Claim Holder) standard as defined in the EIP.
+ */
+interface IERC735 {
+  /**
+   * @dev Emitted when a claim was added.
+   *
+   * Specification: MUST be triggered when a claim was successfully added.
+   */
+  event ClaimAdded(
+    bytes32 indexed claimId,
+    uint256 indexed topicId,
+    uint256 scheme,
+    address indexed issuer,
+    bytes signature,
+    bytes data,
+    string uri
+  );
+
+  /**
+   * @dev Emitted when a claim was removed.
+   *
+   * Specification: MUST be triggered when removeClaim was successfully called.
+   */
+  event ClaimRemoved(
+    bytes32 indexed claimId,
+    uint256 indexed topicId,
+    uint256 scheme,
+    address indexed issuer,
+    bytes signature,
+    bytes data,
+    string uri
+  );
+
+  /**
+   * @dev Emitted when a claim was changed.
+   *
+   * Specification: MUST be triggered when addClaim was successfully called on an existing claimId.
+   */
+  event ClaimChanged(
+    bytes32 indexed claimId,
+    uint256 indexed topicId,
+    uint256 scheme,
+    address indexed issuer,
+    bytes signature,
+    bytes data,
+    string uri
+  );
+
+  /**
+   * @dev Add or update a claim.
+   *
+   * Triggers Event: `ClaimAdded`, `ClaimChanged`
+   *
+   * Specification: Add or update a claim from an issuer.
+   *
+   * _signature is a signed message of the following structure:
+   * `keccak256(abi.encode(address identityHolder_address, uint256 topic, bytes data))`.
+   * Claim IDs are generated using `keccak256(abi.encode(address issuer_address + uint256 topic))`.
+   */
+  function addClaim(
+    uint256 _topic,
+    uint256 _scheme,
+    address issuer,
+    bytes calldata _signature,
+    bytes calldata _data,
+    string calldata _uri
+  )
+    external
+    returns (bytes32 claimRequestId);
+
+  /**
+   * @dev Removes a claim.
+   *
+   * Triggers Event: `ClaimRemoved`
+   *
+   * Claim IDs are generated using `keccak256(abi.encode(address issuer_address, uint256 topic))`.
+   */
+  function removeClaim(bytes32 _claimId) external returns (bool success);
+
+  /**
+   * @dev Get a claim by its ID.
+   *
+   * Claim IDs are generated using `keccak256(abi.encode(address issuer_address, uint256 topic))`.
+   */
+  function getClaim(bytes32 _claimId)
+    external
+    view
+    returns (
+      uint256 topic,
+      uint256 scheme,
+      address issuer,
+      bytes memory signature,
+      bytes memory data,
+      string memory uri
+    );
+
+  /**
+   * @dev Returns an array of claim IDs by topic.
+   */
+  function getClaimIdsByTopic(uint256 _topic) external view returns (bytes32[] memory claimIds);
+}

package/packages/vendor/onchain-id/interface/IIdentity.sol

@@ -0,0 +1,26 @@
+// SPDX-License-Identifier: GPL-3.0
+pragma solidity ^0.8.23;
+
+import "./IERC734.sol";
+import "./IERC735.sol";
+
+// solhint-disable-next-line no-empty-blocks
+interface IIdentity is IERC734, IERC735 {
+  /**
+   * @dev Checks if a claim is valid.
+   * @param _identity the identity contract related to the claim
+   * @param claimTopic the claim topic of the claim
+   * @param sig the signature of the claim
+   * @param data the data field of the claim
+   * @return claimValid true if the claim is valid, false otherwise
+   */
+  function isClaimValid(
+    IIdentity _identity,
+    uint256 claimTopic,
+    bytes calldata sig,
+    bytes calldata data
+  )
+    external
+    view
+    returns (bool);
+}

package/packages/vendor/onchain-id/interface/IImplementationAuthority.sol

@@ -0,0 +1,21 @@
+// SPDX-License-Identifier: GPL-3.0
+
+pragma solidity ^0.8.23;
+
+interface IImplementationAuthority {
+  // event emitted when the implementation contract is updated
+  event UpdatedImplementation(address newAddress);
+
+  /**
+   * @dev updates the address used as implementation by the proxies linked
+   * to this ImplementationAuthority contract
+   * @param _newImplementation the address of the new implementation contract
+   * only Owner can call
+   */
+  function updateImplementation(address _newImplementation) external;
+
+  /**
+   * @dev returns the address of the implementation
+   */
+  function getImplementation() external view returns (address);
+}

package/remappings.txt

@@ -0,0 +1,6 @@
+@openzeppelin/contracts/=node_modules/@openzeppelin/contracts/
+@openzeppelin/contracts-upgradeable/=node_modules/@openzeppelin/contracts-upgradeable/
+@chainlink/policy-management/=packages/policy-management/src/
+@chainlink/cross-chain-identity/=packages/cross-chain-identity/src/
+forge-std/=node_modules/forge-std/src/
+@chainlink/contracts/=node_modules/@chainlink/contracts

package/script/DeployComplianceTokenERC20.s.sol

@@ -0,0 +1,191 @@
+// SPDX-License-Identifier: BUSL-1.1
+pragma solidity 0.8.26;
+
+import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";
+import {IPolicyEngine} from "@chainlink/policy-management/interfaces/IPolicyEngine.sol";
+import {ComplianceTokenERC20} from "../packages/tokens/erc-20/src/ComplianceTokenERC20.sol";
+import {PolicyEngine} from "@chainlink/policy-management/core/PolicyEngine.sol";
+import {Policy} from "@chainlink/policy-management/core/Policy.sol";
+import {OnlyOwnerPolicy} from "@chainlink/policy-management/policies/OnlyOwnerPolicy.sol";
+import {IdentityRegistry} from "@chainlink/cross-chain-identity/IdentityRegistry.sol";
+import {CredentialRegistry} from "@chainlink/cross-chain-identity/CredentialRegistry.sol";
+import {CredentialRegistryIdentityValidatorPolicy} from
+  "@chainlink/cross-chain-identity/CredentialRegistryIdentityValidatorPolicy.sol";
+import {ICredentialRequirements} from "@chainlink/cross-chain-identity/interfaces/ICredentialRequirements.sol";
+
+import {ERC20TransferExtractor} from "@chainlink/policy-management/extractors/ERC20TransferExtractor.sol";
+import {Script} from "forge-std/Script.sol";
+import {console} from "forge-std/console.sol";
+
+contract DeployComplianceTokenERC20 is Script {
+  function run() external {
+    uint256 tokenOwnerPK = vm.envUint("PRIVATE_KEY");
+    address tokenOwner = vm.addr(tokenOwnerPK);
+
+    vm.startBroadcast(tokenOwnerPK);
+
+    // Deploy a PolicyEngine through proxy for identity registries and attach OnlyOwnerPolicy to administrative methods
+    PolicyEngine policyEngineImpl = new PolicyEngine();
+    bytes memory policyEngineData =
+      abi.encodeWithSelector(PolicyEngine.initialize.selector, IPolicyEngine.PolicyResult.Allowed);
+    ERC1967Proxy policyEngineProxy = new ERC1967Proxy(address(policyEngineImpl), policyEngineData);
+    PolicyEngine policyEngine = PolicyEngine(address(policyEngineProxy));
+
+    // Deploy IdentityRegistry/CredentialRegistry through proxies for use by the
+    // CredentialRegistryIdentityValidatorPolicy
+    IdentityRegistry identityRegistryImpl = new IdentityRegistry();
+    bytes memory identityRegistryData =
+      abi.encodeWithSelector(IdentityRegistry.initialize.selector, address(policyEngine));
+    ERC1967Proxy identityRegistryProxy = new ERC1967Proxy(address(identityRegistryImpl), identityRegistryData);
+    IdentityRegistry identityRegistry = IdentityRegistry(address(identityRegistryProxy));
+
+    CredentialRegistry credentialRegistryImpl = new CredentialRegistry();
+    bytes memory credentialRegistryData =
+      abi.encodeWithSelector(CredentialRegistry.initialize.selector, address(policyEngine));
+    ERC1967Proxy credentialRegistryProxy = new ERC1967Proxy(address(credentialRegistryImpl), credentialRegistryData);
+    CredentialRegistry credentialRegistry = CredentialRegistry(address(credentialRegistryProxy));
+
+    bytes32 CREDENTIAL_KYC = keccak256("common.KYC");
+    bytes32[] memory requiredCredentials = new bytes32[](1);
+    requiredCredentials[0] = CREDENTIAL_KYC;
+
+    ICredentialRequirements.CredentialRequirementInput[] memory credentialRequirementInputs =
+      new ICredentialRequirements.CredentialRequirementInput[](1);
+    credentialRequirementInputs[0] =
+      ICredentialRequirements.CredentialRequirementInput(keccak256("requirement.KYC"), requiredCredentials, 1, false);
+
+    ICredentialRequirements.CredentialSourceInput[] memory credentialSourceInputs =
+      new ICredentialRequirements.CredentialSourceInput[](1);
+    credentialSourceInputs[0] = ICredentialRequirements.CredentialSourceInput(
+      CREDENTIAL_KYC, address(identityRegistry), address(credentialRegistry), address(0)
+    );
+
+    OnlyOwnerPolicy identityOnlyOwnerPolicyImpl = new OnlyOwnerPolicy();
+    bytes memory onlyOwnerPolicyData =
+      abi.encodeWithSelector(Policy.initialize.selector, address(policyEngine), tokenOwner, new bytes(0));
+    ERC1967Proxy identityOnlyOwnerPolicyProxy =
+      new ERC1967Proxy(address(identityOnlyOwnerPolicyImpl), onlyOwnerPolicyData);
+    OnlyOwnerPolicy identityOnlyOwnerPolicy = OnlyOwnerPolicy(address(identityOnlyOwnerPolicyProxy));
+    policyEngine.addPolicy(
+      address(identityRegistry),
+      IdentityRegistry.registerIdentity.selector,
+      address(identityOnlyOwnerPolicy),
+      new bytes32[](0)
+    );
+    policyEngine.addPolicy(
+      address(identityRegistry),
+      IdentityRegistry.registerIdentities.selector,
+      address(identityOnlyOwnerPolicy),
+      new bytes32[](0)
+    );
+    policyEngine.addPolicy(
+      address(identityRegistry),
+      IdentityRegistry.removeIdentity.selector,
+      address(identityOnlyOwnerPolicy),
+      new bytes32[](0)
+    );
+    policyEngine.addPolicy(
+      address(credentialRegistry),
+      CredentialRegistry.registerCredential.selector,
+      address(identityOnlyOwnerPolicy),
+      new bytes32[](0)
+    );
+    policyEngine.addPolicy(
+      address(credentialRegistry),
+      CredentialRegistry.registerCredentials.selector,
+      address(identityOnlyOwnerPolicy),
+      new bytes32[](0)
+    );
+    policyEngine.addPolicy(
+      address(credentialRegistry),
+      CredentialRegistry.removeCredential.selector,
+      address(identityOnlyOwnerPolicy),
+      new bytes32[](0)
+    );
+    policyEngine.addPolicy(
+      address(credentialRegistry),
+      CredentialRegistry.renewCredential.selector,
+      address(identityOnlyOwnerPolicy),
+      new bytes32[](0)
+    );
+
+    // Deploy the ComplianceTokenERC20 through proxy
+    ComplianceTokenERC20 tokenImpl = new ComplianceTokenERC20();
+    bytes memory tokenData = abi.encodeWithSelector(
+      ComplianceTokenERC20.initialize.selector,
+      vm.envOr("TOKEN_NAME", string("Token")),
+      vm.envOr("TOKEN_SYMBOL", string("TOKEN")),
+      18,
+      address(policyEngine)
+    );
+    ERC1967Proxy tokenProxy = new ERC1967Proxy(address(tokenImpl), tokenData);
+    ComplianceTokenERC20 token = ComplianceTokenERC20(address(tokenProxy));
+
+    OnlyOwnerPolicy tokenOnlyOwnerPolicyImpl = new OnlyOwnerPolicy();
+    bytes memory tokenOnlyOwnerPolicyData =
+      abi.encodeWithSelector(Policy.initialize.selector, address(policyEngine), tokenOwner, new bytes(0));
+    ERC1967Proxy tokenOnlyOwnerPolicyProxy =
+      new ERC1967Proxy(address(tokenOnlyOwnerPolicyImpl), tokenOnlyOwnerPolicyData);
+    OnlyOwnerPolicy tokenOnlyOwnerPolicy = OnlyOwnerPolicy(address(tokenOnlyOwnerPolicyProxy));
+    policyEngine.addPolicy(
+      address(token), ComplianceTokenERC20.mint.selector, address(tokenOnlyOwnerPolicy), new bytes32[](0)
+    );
+    policyEngine.addPolicy(
+      address(token), ComplianceTokenERC20.burnFrom.selector, address(tokenOnlyOwnerPolicy), new bytes32[](0)
+    );
+    policyEngine.addPolicy(
+      address(token), ComplianceTokenERC20.forceTransfer.selector, address(tokenOnlyOwnerPolicy), new bytes32[](0)
+    );
+    policyEngine.addPolicy(
+      address(token), ComplianceTokenERC20.freeze.selector, address(tokenOnlyOwnerPolicy), new bytes32[](0)
+    );
+    policyEngine.addPolicy(
+      address(token), ComplianceTokenERC20.unfreeze.selector, address(tokenOnlyOwnerPolicy), new bytes32[](0)
+    );
+
+    // Attach an CredentialRegistryIdentityValidatorPolicy to validate the 'to' address of ERC20 transfers
+    ERC20TransferExtractor erc20TransferExtractor = new ERC20TransferExtractor();
+    policyEngine.setExtractor(ComplianceTokenERC20.transfer.selector, address(erc20TransferExtractor));
+    policyEngine.setExtractor(ComplianceTokenERC20.transferFrom.selector, address(erc20TransferExtractor));
+
+    CredentialRegistryIdentityValidatorPolicy identityValidatorPolicyImpl =
+      new CredentialRegistryIdentityValidatorPolicy();
+    bytes memory identityValidatorPolicyData = abi.encodeWithSelector(
+      Policy.initialize.selector,
+      address(policyEngine),
+      address(tokenOwner),
+      abi.encode(credentialSourceInputs, credentialRequirementInputs)
+    );
+    ERC1967Proxy identityValidatorPolicyProxy =
+      new ERC1967Proxy(address(identityValidatorPolicyImpl), identityValidatorPolicyData);
+    CredentialRegistryIdentityValidatorPolicy identityValidatorPolicy =
+      CredentialRegistryIdentityValidatorPolicy(address(identityValidatorPolicyProxy));
+    bytes32[] memory identityValidatorPolicyParameters = new bytes32[](1);
+    identityValidatorPolicyParameters[0] = erc20TransferExtractor.PARAM_TO();
+    // Attach the CredentialRegistryIdentityValidatorPolicy to the transfer methods, using the IdentityValidator for
+    // validations
+    policyEngine.addPolicy(
+      address(token),
+      ComplianceTokenERC20.transfer.selector,
+      address(identityValidatorPolicy),
+      identityValidatorPolicyParameters
+    );
+    policyEngine.addPolicy(
+      address(token),
+      ComplianceTokenERC20.transferFrom.selector,
+      address(identityValidatorPolicy),
+      identityValidatorPolicyParameters
+    );
+
+    vm.stopBroadcast();
+
+    console.log("Deployed ComplianceTokenERC20 at:", address(token));
+    console.log("Deployed PolicyEngine at:", address(policyEngine));
+    console.log("Deployed IdentityRegistry at:", address(identityRegistry));
+    console.log("Deployed CredentialRegistry at:", address(credentialRegistry));
+    console.log("Deployed Identity OnlyOwnerPolicy at:", address(identityOnlyOwnerPolicy));
+    console.log("Deployed Token OnlyOwnerPolicy at:", address(tokenOnlyOwnerPolicy));
+    console.log("Deployed ERC20TransferExtractor at:", address(erc20TransferExtractor));
+    console.log("Deployed CredentialRegistryIdentityValidatorPolicy at:", address(identityValidatorPolicy));
+  }
+}

package/script/DeployComplianceTokenERC3643.s.sol

@@ -0,0 +1,208 @@
+// SPDX-License-Identifier: BUSL-1.1
+pragma solidity 0.8.26;
+
+import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";
+import {IPolicyEngine} from "@chainlink/policy-management/interfaces/IPolicyEngine.sol";
+import {ComplianceTokenERC3643} from "../packages/tokens/erc-3643/src/ComplianceTokenERC3643.sol";
+import {PolicyEngine} from "@chainlink/policy-management/core/PolicyEngine.sol";
+import {Policy} from "@chainlink/policy-management/core/Policy.sol";
+import {OnlyOwnerPolicy} from "@chainlink/policy-management/policies/OnlyOwnerPolicy.sol";
+import {IdentityRegistry} from "@chainlink/cross-chain-identity/IdentityRegistry.sol";
+import {CredentialRegistry} from "@chainlink/cross-chain-identity/CredentialRegistry.sol";
+import {CredentialRegistryIdentityValidatorPolicy} from
+  "@chainlink/cross-chain-identity/CredentialRegistryIdentityValidatorPolicy.sol";
+import {ICredentialRequirements} from "@chainlink/cross-chain-identity/interfaces/ICredentialRequirements.sol";
+
+import {ERC20TransferExtractor} from "@chainlink/policy-management/extractors/ERC20TransferExtractor.sol";
+import {Script} from "forge-std/Script.sol";
+import {console} from "forge-std/console.sol";
+
+contract DeployComplianceTokenERC3643 is Script {
+  function run() external {
+    uint256 tokenOwnerPK = vm.envUint("PRIVATE_KEY");
+    address tokenOwner = vm.addr(tokenOwnerPK);
+
+    vm.startBroadcast(tokenOwnerPK);
+
+    // Deploy a PolicyEngine through proxy for identity registries and attach OnlyOwnerPolicy to administrative methods
+    PolicyEngine policyEngineImpl = new PolicyEngine();
+    bytes memory policyEngineData =
+      abi.encodeWithSelector(PolicyEngine.initialize.selector, IPolicyEngine.PolicyResult.Allowed);
+    ERC1967Proxy policyEngineProxy = new ERC1967Proxy(address(policyEngineImpl), policyEngineData);
+    PolicyEngine policyEngine = PolicyEngine(address(policyEngineProxy));
+
+    // Deploy IdentityRegistry/CredentialRegistry through proxies and an IdentityValidator for use by the
+    // CredentialRegistryIdentityValidatorPolicy
+    IdentityRegistry identityRegistryImpl = new IdentityRegistry();
+    bytes memory identityRegistryData =
+      abi.encodeWithSelector(IdentityRegistry.initialize.selector, address(policyEngine));
+    ERC1967Proxy identityRegistryProxy = new ERC1967Proxy(address(identityRegistryImpl), identityRegistryData);
+    IdentityRegistry identityRegistry = IdentityRegistry(address(identityRegistryProxy));
+
+    CredentialRegistry credentialRegistryImpl = new CredentialRegistry();
+    bytes memory credentialRegistryData =
+      abi.encodeWithSelector(CredentialRegistry.initialize.selector, address(policyEngine));
+    ERC1967Proxy credentialRegistryProxy = new ERC1967Proxy(address(credentialRegistryImpl), credentialRegistryData);
+    CredentialRegistry credentialRegistry = CredentialRegistry(address(credentialRegistryProxy));
+    bytes32 CREDENTIAL_KYC = keccak256("common.KYC");
+    bytes32[] memory requiredCredentials = new bytes32[](1);
+    requiredCredentials[0] = CREDENTIAL_KYC;
+
+    ICredentialRequirements.CredentialRequirementInput[] memory credentialRequirementInputs =
+      new ICredentialRequirements.CredentialRequirementInput[](1);
+    credentialRequirementInputs[0] =
+      ICredentialRequirements.CredentialRequirementInput(keccak256("requirement.KYC"), requiredCredentials, 1, false);
+
+    ICredentialRequirements.CredentialSourceInput[] memory credentialSourceInputs =
+      new ICredentialRequirements.CredentialSourceInput[](1);
+    credentialSourceInputs[0] = ICredentialRequirements.CredentialSourceInput(
+      CREDENTIAL_KYC, address(identityRegistry), address(credentialRegistry), address(0)
+    );
+
+    OnlyOwnerPolicy identityOnlyOwnerPolicyImpl = new OnlyOwnerPolicy();
+    bytes memory onlyOwnerPolicyData =
+      abi.encodeWithSelector(Policy.initialize.selector, address(policyEngine), tokenOwner, new bytes(0));
+    ERC1967Proxy identityOnlyOwnerPolicyProxy =
+      new ERC1967Proxy(address(identityOnlyOwnerPolicyImpl), onlyOwnerPolicyData);
+    OnlyOwnerPolicy identityOnlyOwnerPolicy = OnlyOwnerPolicy(address(identityOnlyOwnerPolicyProxy));
+    policyEngine.addPolicy(
+      address(identityRegistry),
+      IdentityRegistry.registerIdentity.selector,
+      address(identityOnlyOwnerPolicy),
+      new bytes32[](0)
+    );
+    policyEngine.addPolicy(
+      address(identityRegistry),
+      IdentityRegistry.registerIdentities.selector,
+      address(identityOnlyOwnerPolicy),
+      new bytes32[](0)
+    );
+    policyEngine.addPolicy(
+      address(identityRegistry),
+      IdentityRegistry.removeIdentity.selector,
+      address(identityOnlyOwnerPolicy),
+      new bytes32[](0)
+    );
+    policyEngine.addPolicy(
+      address(credentialRegistry),
+      CredentialRegistry.registerCredential.selector,
+      address(identityOnlyOwnerPolicy),
+      new bytes32[](0)
+    );
+    policyEngine.addPolicy(
+      address(credentialRegistry),
+      CredentialRegistry.registerCredentials.selector,
+      address(identityOnlyOwnerPolicy),
+      new bytes32[](0)
+    );
+    policyEngine.addPolicy(
+      address(credentialRegistry),
+      CredentialRegistry.removeCredential.selector,
+      address(identityOnlyOwnerPolicy),
+      new bytes32[](0)
+    );
+    policyEngine.addPolicy(
+      address(credentialRegistry),
+      CredentialRegistry.renewCredential.selector,
+      address(identityOnlyOwnerPolicy),
+      new bytes32[](0)
+    );
+
+    // Deploy the ComplianceTokenERC3643 through proxy
+    ComplianceTokenERC3643 tokenImpl = new ComplianceTokenERC3643();
+    bytes memory tokenData = abi.encodeWithSelector(
+      ComplianceTokenERC3643.initialize.selector,
+      vm.envOr("TOKEN_NAME", string("Token")),
+      vm.envOr("TOKEN_SYMBOL", string("TOKEN")),
+      18,
+      address(policyEngine)
+    );
+    ERC1967Proxy tokenProxy = new ERC1967Proxy(address(tokenImpl), tokenData);
+    ComplianceTokenERC3643 token = ComplianceTokenERC3643(address(tokenProxy));
+
+    OnlyOwnerPolicy tokenOnlyOwnerPolicyImpl = new OnlyOwnerPolicy();
+    bytes memory tokenOnlyOwnerPolicyData =
+      abi.encodeWithSelector(Policy.initialize.selector, address(policyEngine), tokenOwner, new bytes(0));
+    ERC1967Proxy tokenOnlyOwnerPolicyProxy =
+      new ERC1967Proxy(address(tokenOnlyOwnerPolicyImpl), tokenOnlyOwnerPolicyData);
+    OnlyOwnerPolicy tokenOnlyOwnerPolicy = OnlyOwnerPolicy(address(tokenOnlyOwnerPolicyProxy));
+    policyEngine.addPolicy(
+      address(token), ComplianceTokenERC3643.mint.selector, address(tokenOnlyOwnerPolicy), new bytes32[](0)
+    );
+    policyEngine.addPolicy(
+      address(token), ComplianceTokenERC3643.pause.selector, address(tokenOnlyOwnerPolicy), new bytes32[](0)
+    );
+    policyEngine.addPolicy(
+      address(token), ComplianceTokenERC3643.unpause.selector, address(tokenOnlyOwnerPolicy), new bytes32[](0)
+    );
+    policyEngine.addPolicy(
+      address(token), ComplianceTokenERC3643.setAddressFrozen.selector, address(tokenOnlyOwnerPolicy), new bytes32[](0)
+    );
+    policyEngine.addPolicy(
+      address(token), ComplianceTokenERC3643.forcedTransfer.selector, address(tokenOnlyOwnerPolicy), new bytes32[](0)
+    );
+    policyEngine.addPolicy(
+      address(token),
+      ComplianceTokenERC3643.freezePartialTokens.selector,
+      address(tokenOnlyOwnerPolicy),
+      new bytes32[](0)
+    );
+    policyEngine.addPolicy(
+      address(token),
+      ComplianceTokenERC3643.unfreezePartialTokens.selector,
+      address(tokenOnlyOwnerPolicy),
+      new bytes32[](0)
+    );
+    policyEngine.addPolicy(
+      address(token), ComplianceTokenERC3643.setName.selector, address(tokenOnlyOwnerPolicy), new bytes32[](0)
+    );
+    policyEngine.addPolicy(
+      address(token), ComplianceTokenERC3643.setSymbol.selector, address(tokenOnlyOwnerPolicy), new bytes32[](0)
+    );
+
+    // Attach an CredentialRegistryIdentityValidatorPolicy to validate the 'to' address of ERC20 transfers
+    ERC20TransferExtractor erc20TransferExtractor = new ERC20TransferExtractor();
+    policyEngine.setExtractor(ComplianceTokenERC3643.transfer.selector, address(erc20TransferExtractor));
+    policyEngine.setExtractor(ComplianceTokenERC3643.transferFrom.selector, address(erc20TransferExtractor));
+
+    CredentialRegistryIdentityValidatorPolicy identityValidatorPolicyImpl =
+      new CredentialRegistryIdentityValidatorPolicy();
+    bytes memory identityValidatorPolicyData = abi.encodeWithSelector(
+      Policy.initialize.selector,
+      address(policyEngine),
+      address(tokenOwner),
+      abi.encode(credentialSourceInputs, credentialRequirementInputs)
+    );
+    ERC1967Proxy identityValidatorPolicyProxy =
+      new ERC1967Proxy(address(identityValidatorPolicyImpl), identityValidatorPolicyData);
+    CredentialRegistryIdentityValidatorPolicy identityValidatorPolicy =
+      CredentialRegistryIdentityValidatorPolicy(address(identityValidatorPolicyProxy));
+    bytes32[] memory identityValidatorPolicyParameters = new bytes32[](1);
+    identityValidatorPolicyParameters[0] = erc20TransferExtractor.PARAM_TO();
+    // Attach the CredentialRegistryIdentityValidatorPolicy to the transfer methods, using the IdentityValidator for
+    // validations
+    policyEngine.addPolicy(
+      address(token),
+      ComplianceTokenERC3643.transfer.selector,
+      address(identityValidatorPolicy),
+      identityValidatorPolicyParameters
+    );
+    policyEngine.addPolicy(
+      address(token),
+      ComplianceTokenERC3643.transferFrom.selector,
+      address(identityValidatorPolicy),
+      identityValidatorPolicyParameters
+    );
+
+    vm.stopBroadcast();
+
+    console.log("Deployed ComplianceTokenERC3643 at:", address(token));
+    console.log("Deployed PolicyEngine at:", address(policyEngine));
+    console.log("Deployed IdentityRegistry at:", address(identityRegistry));
+    console.log("Deployed CredentialRegistry at:", address(credentialRegistry));
+    console.log("Deployed Identity OnlyOwnerPolicy at:", address(identityOnlyOwnerPolicy));
+    console.log("Deployed Token OnlyOwnerPolicy at:", address(tokenOnlyOwnerPolicy));
+    console.log("Deployed ERC20TransferExtractor at:", address(erc20TransferExtractor));
+    console.log("Deployed CredentialRegistryIdentityValidatorPolicy at:", address(identityValidatorPolicy));
+  }
+}

package/script/DeploySimpleComplianceToken.s.sol

@@ -0,0 +1,38 @@
+// SPDX-License-Identifier: BUSL-1.1
+pragma solidity 0.8.26;
+
+import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";
+import {ComplianceTokenERC3643} from "../packages/tokens/erc-3643/src/ComplianceTokenERC3643.sol";
+import {Script} from "forge-std/Script.sol";
+import {console} from "forge-std/console.sol";
+
+contract DeploySimpleComplianceToken is Script {
+  function run() external {
+    uint256 tokenOwnerPK = vm.envUint("PRIVATE_KEY");
+    address tokenOwner = vm.addr(tokenOwnerPK);
+
+    vm.startBroadcast(tokenOwnerPK);
+
+    // Deploy the ComplianceToken through proxy
+    ComplianceTokenERC3643 tokenImpl = new ComplianceTokenERC3643();
+    bytes memory tokenData = abi.encodeWithSelector(
+      ComplianceTokenERC3643.initialize.selector,
+      vm.envOr("TOKEN_NAME", string("Token")),
+      vm.envOr("TOKEN_SYMBOL", string("TOKEN")),
+      18,
+      vm.envAddress("POLICY_ENGINE")
+    );
+    ERC1967Proxy tokenProxy = new ERC1967Proxy(address(tokenImpl), tokenData);
+    ComplianceTokenERC3643 token = ComplianceTokenERC3643(address(tokenProxy));
+
+    uint256 initialSupply = vm.envOr("INITIAL_SUPPLY", uint256(1000000));
+    address initialHolder = vm.envOr("INITIAL_HOLDER", address(0));
+    if (initialHolder != address(0)) {
+      token.mint(initialHolder, initialSupply * 10 ** token.decimals());
+    }
+
+    vm.stopBroadcast();
+
+    console.log("ComplianceToken deployed at:", address(token));
+  }
+}

package/script/getting_started/DeployGettingStarted.s.sol

@@ -0,0 +1,74 @@
+// SPDX-License-Identifier: BUSL-1.1
+pragma solidity 0.8.26;
+
+import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";
+import {Script} from "forge-std/Script.sol";
+import {console} from "forge-std/console.sol";
+import {MyVault} from "../../getting_started/MyVault.sol";
+import {PolicyEngine} from "@chainlink/policy-management/core/PolicyEngine.sol";
+import {Policy} from "@chainlink/policy-management/core/Policy.sol";
+import {PausePolicy} from "@chainlink/policy-management/policies/PausePolicy.sol";
+import {IPolicyEngine} from "@chainlink/policy-management/interfaces/IPolicyEngine.sol";
+
+/**
+ * @title DeployGettingStarted
+ * @notice Deployment script for the Getting Started guide example.
+ * @dev This script demonstrates the complete setup process:
+ * 1. Deploy and initialize a PolicyEngine through a proxy
+ * 2. Deploy the vault contract (connected to PolicyEngine via constructor)
+ * 3. Deploy and configure a PausePolicy
+ * 4. Attach the policy to the vault's deposit and withdraw functions
+ */
+contract DeployGettingStarted is Script {
+  function run() external {
+    uint256 deployerPK = vm.envUint("PRIVATE_KEY");
+    address deployer = vm.addr(deployerPK);
+
+    vm.startBroadcast(deployerPK);
+
+    // 1. Deploy the PolicyEngine through a proxy
+    PolicyEngine policyEngineImpl = new PolicyEngine();
+    bytes memory policyEngineData = abi.encodeWithSelector(PolicyEngine.initialize.selector, true, deployer);
+    ERC1967Proxy policyEngineProxy = new ERC1967Proxy(address(policyEngineImpl), policyEngineData);
+    PolicyEngine policyEngine = PolicyEngine(address(policyEngineProxy));
+
+    // 2. Deploy your vault through a proxy
+    MyVault vaultImpl = new MyVault();
+    bytes memory vaultData = abi.encodeWithSelector(MyVault.initialize.selector, deployer, address(policyEngine));
+    ERC1967Proxy vaultProxy = new ERC1967Proxy(address(vaultImpl), vaultData);
+    MyVault vault = MyVault(address(vaultProxy));
+
+    // 3. Deploy the PausePolicy through a proxy
+    PausePolicy pausePolicyImpl = new PausePolicy();
+    bytes memory pausePolicyConfig = abi.encode(false); // Not paused by default
+    bytes memory pausePolicyData =
+      abi.encodeWithSelector(Policy.initialize.selector, address(policyEngine), deployer, pausePolicyConfig);
+    ERC1967Proxy pausePolicyProxy = new ERC1967Proxy(address(pausePolicyImpl), pausePolicyData);
+    PausePolicy pausePolicy = PausePolicy(address(pausePolicyProxy));
+
+    // 4. Add the PausePolicy to the vault's deposit function
+    policyEngine.addPolicy(
+      address(vault),
+      vault.deposit.selector,
+      address(pausePolicy),
+      new bytes32[](0) // No parameters needed for
+        // PausePolicy
+    );
+
+    // 5. Add the PausePolicy to the vault's withdraw function
+    policyEngine.addPolicy(
+      address(vault),
+      vault.withdraw.selector,
+      address(pausePolicy),
+      new bytes32[](0) // No parameters needed for
+        // PausePolicy
+    );
+
+    vm.stopBroadcast();
+
+    console.log("--- Deployed Contracts ---");
+    console.log("MyVault deployed at:", address(vault));
+    console.log("PolicyEngine deployed at:", address(policyEngine));
+    console.log("PausePolicy deployed at:", address(pausePolicy));
+  }
+}