@chainlink/ace 0.5.0

package/packages/cross-chain-identity/src/IdentityRegistry.sol

@@ -0,0 +1,123 @@
+// SPDX-License-Identifier: BUSL-1.1
+pragma solidity 0.8.26;
+
+import {IIdentityRegistry} from "./interfaces/IIdentityRegistry.sol";
+import {PolicyProtected} from "@chainlink/policy-management/core/PolicyProtected.sol";
+
+contract IdentityRegistry is PolicyProtected, IIdentityRegistry {
+  /// @custom:storage-location erc7201:cross-chain-identity.IdentityRegistry
+  struct IdentityRegistryStorage {
+    mapping(address account => bytes32 ccid) accountToCcid;
+    mapping(bytes32 ccid => address[] accounts) ccidToAccounts;
+  }
+
+  // keccak256(abi.encode(uint256(keccak256("cross-chain-identity.IdentityRegistry")) - 1)) &
+  // ~bytes32(uint256(0xff))
+  // solhint-disable-next-line const-name-snakecase
+  bytes32 private constant identityRegistryStorageLocation =
+    0x95c7dd14054992de17881168e75df13bb7ed90a1eacfff26d4643d48ec30de00;
+
+  function _identityRegistryStorage() private pure returns (IdentityRegistryStorage storage $) {
+    // solhint-disable-next-line no-inline-assembly
+    assembly {
+      $.slot := identityRegistryStorageLocation
+    }
+  }
+
+  /**
+   * @dev Initializes the identity registry and sets the policy engine.
+   * @param policyEngine The address of the policy engine contract.
+   * @param initialOwner The address that will own the newly created registry contract.
+   */
+  function initialize(address policyEngine, address initialOwner) public virtual initializer {
+    __IdentityRegistry_init(policyEngine, initialOwner);
+  }
+
+  function __IdentityRegistry_init(address policyEngine, address initialOwner) internal onlyInitializing {
+    __IdentityRegistry_init_unchained();
+    __PolicyProtected_init(initialOwner, policyEngine);
+  }
+
+  // solhint-disable-next-line no-empty-blocks
+  function __IdentityRegistry_init_unchained() internal onlyInitializing {}
+
+  /// @inheritdoc IIdentityRegistry
+  function registerIdentity(
+    bytes32 ccid,
+    address account,
+    bytes calldata context
+  )
+    public
+    virtual
+    override
+    runPolicyWithContext(context)
+  {
+    _registerIdentity(ccid, account, context);
+  }
+
+  /// @inheritdoc IIdentityRegistry
+  function registerIdentities(
+    bytes32[] calldata ccids,
+    address[] calldata accounts,
+    bytes calldata context
+  )
+    public
+    virtual
+    override
+    runPolicyWithContext(context)
+  {
+    if (ccids.length == 0 || ccids.length != accounts.length) {
+      revert InvalidIdentityConfiguration("Invalid input length");
+    }
+    for (uint256 i = 0; i < ccids.length; i++) {
+      _registerIdentity(ccids[i], accounts[i], context);
+    }
+  }
+
+  function _registerIdentity(bytes32 ccid, address account, bytes calldata /*context*/ ) internal {
+    if (ccid == bytes32(0)) {
+      revert InvalidIdentityConfiguration("CCID cannot be empty");
+    }
+    if (_identityRegistryStorage().accountToCcid[account] != bytes32(0)) {
+      revert IdentityAlreadyRegistered(ccid, account);
+    }
+    _identityRegistryStorage().accountToCcid[account] = ccid;
+    _identityRegistryStorage().ccidToAccounts[ccid].push(account);
+    emit IdentityRegistered(ccid, account);
+  }
+
+  /// @inheritdoc IIdentityRegistry
+  function removeIdentity(
+    bytes32 ccid,
+    address account,
+    bytes calldata context
+  )
+    public
+    virtual
+    override
+    runPolicyWithContext(context)
+  {
+    uint256 length = _identityRegistryStorage().ccidToAccounts[ccid].length;
+    for (uint256 i = 0; i < length; i++) {
+      if (_identityRegistryStorage().ccidToAccounts[ccid][i] == account) {
+        _identityRegistryStorage().ccidToAccounts[ccid][i] = _identityRegistryStorage().ccidToAccounts[ccid][length - 1];
+        _identityRegistryStorage().ccidToAccounts[ccid].pop();
+        delete _identityRegistryStorage().accountToCcid[account];
+
+        emit IdentityRemoved(ccid, account);
+        return;
+      }
+    }
+    revert IdentityNotFound(ccid, account);
+  }
+
+  /// @inheritdoc IIdentityRegistry
+  function getIdentity(address account) public view virtual override returns (bytes32) {
+    return _identityRegistryStorage().accountToCcid[account];
+  }
+
+  /// @inheritdoc IIdentityRegistry
+  function getAccounts(bytes32 ccid) public view virtual override returns (address[] memory) {
+    return _identityRegistryStorage().ccidToAccounts[ccid];
+  }
+}

package/packages/cross-chain-identity/src/TrustedIssuerRegistry.sol

@@ -0,0 +1,140 @@
+// SPDX-License-Identifier: BUSL-1.1
+pragma solidity 0.8.26;
+
+import {ITrustedIssuerRegistry} from "./interfaces/ITrustedIssuerRegistry.sol";
+import {PolicyProtected} from "@chainlink/policy-management/core/PolicyProtected.sol";
+
+/**
+ * @title TrustedIssuerRegistry
+ * @dev Implementation of the ITrustedIssuerRegistry interface using ERC-7201 storage pattern.
+ */
+contract TrustedIssuerRegistry is PolicyProtected, ITrustedIssuerRegistry {
+  /// @custom:storage-location erc7201:cross-chain-identity.TrustedIssuerRegistry
+  struct TrustedIssuerRegistryStorage {
+    mapping(bytes32 issuerIdHash => bool isTrusted) trustedIssuers;
+    bytes32[] issuerList;
+  }
+
+  // keccak256(abi.encode(uint256(keccak256("cross-chain-identity.TrustedIssuerRegistry")) - 1)) &
+  // ~bytes32(uint256(0xff))
+  // solhint-disable-next-line const-name-snakecase
+  bytes32 private constant trustedIssuerRegistryStorageLocation =
+    0x68705e3417317ecc3ac2b3879fdff408d88085552fb211d60abc5b025809c200;
+
+  function _trustedIssuerRegistryStorage() private pure returns (TrustedIssuerRegistryStorage storage $) {
+    assembly {
+      $.slot := trustedIssuerRegistryStorageLocation
+    }
+  }
+
+  constructor() {
+    _disableInitializers();
+  }
+
+  /**
+   * @dev Initializes the trusted issuer registry and sets the policy engine.
+   * @param policyEngine The address of the policy engine contract.
+   * @param initialOwner The address that will own the newly created registry contract.
+   */
+  function initialize(address policyEngine, address initialOwner) public virtual initializer {
+    __TrustedIssuerRegistry_init(policyEngine, initialOwner);
+  }
+
+  function __TrustedIssuerRegistry_init(address policyEngine, address initialOwner) internal onlyInitializing {
+    __TrustedIssuerRegistry_init_unchained();
+    __PolicyProtected_init(initialOwner, policyEngine);
+  }
+
+  function __TrustedIssuerRegistry_init_unchained() internal onlyInitializing {}
+
+  // ------------------------------------------------------------------------
+  // Externals
+  // ------------------------------------------------------------------------
+
+  function addTrustedIssuer(
+    string memory issuerId,
+    bytes calldata context
+  )
+    external
+    override
+    runPolicyWithContext(context)
+  {
+    _addTrustedIssuer(issuerId, context);
+  }
+
+  function removeTrustedIssuer(
+    string memory issuerId,
+    bytes calldata context
+  )
+    external
+    override
+    runPolicyWithContext(context)
+  {
+    _removeTrustedIssuer(issuerId, context);
+  }
+
+  // ------------------------------------------------------------------------
+  // internals
+  // ------------------------------------------------------------------------
+
+  function _addTrustedIssuer(string memory issuerId, bytes calldata context) internal {
+    if (bytes(issuerId).length == 0) {
+      revert("issuerId cannot be empty");
+    }
+
+    bytes32 issuerIdHash = keccak256(abi.encodePacked(issuerId));
+
+    TrustedIssuerRegistryStorage storage $ = _trustedIssuerRegistryStorage();
+    if ($.trustedIssuers[issuerIdHash]) {
+      revert("Issuer already trusted");
+    }
+
+    $.trustedIssuers[issuerIdHash] = true;
+    $.issuerList.push(issuerIdHash);
+
+    emit TrustedIssuerAdded(issuerIdHash, issuerId);
+  }
+
+  function _removeTrustedIssuer(string memory issuerId, bytes calldata context) internal {
+    if (bytes(issuerId).length == 0) {
+      revert("issuerId cannot be empty");
+    }
+
+    bytes32 issuerIdHash = keccak256(abi.encodePacked(issuerId));
+
+    TrustedIssuerRegistryStorage storage $ = _trustedIssuerRegistryStorage();
+    if (!$.trustedIssuers[issuerIdHash]) {
+      revert("Issuer not trusted");
+    }
+
+    $.trustedIssuers[issuerIdHash] = false;
+
+    uint256 length = $.issuerList.length;
+    for (uint256 i = 0; i < length; i++) {
+      if ($.issuerList[i] == issuerIdHash) {
+        $.issuerList[i] = $.issuerList[length - 1];
+        $.issuerList.pop();
+        break;
+      }
+    }
+
+    emit TrustedIssuerRemoved(issuerIdHash, issuerId);
+  }
+
+  function _isTrustedIssuer(bytes32 issuerIdHash) internal view returns (bool) {
+    return _trustedIssuerRegistryStorage().trustedIssuers[issuerIdHash];
+  }
+
+  // ------------------------------------------------------------------------
+  // View
+  // ------------------------------------------------------------------------
+
+  function getTrustedIssuers() public view virtual override returns (bytes32[] memory) {
+    return _trustedIssuerRegistryStorage().issuerList;
+  }
+
+  function isTrustedIssuer(string memory issuerId) external view override returns (bool) {
+    bytes32 issuerIdHash = keccak256(abi.encodePacked(issuerId));
+    return _isTrustedIssuer(issuerIdHash);
+  }
+}

package/packages/cross-chain-identity/src/interfaces/ICredentialDataValidator.sol

@@ -0,0 +1,30 @@
+// SPDX-License-Identifier: BUSL-1.1
+pragma solidity ^0.8.20;
+
+/**
+ * @title ICredentialDataValidator
+ * @dev Interface for validating the data associated with a credential.
+ */
+interface ICredentialDataValidator {
+  /**
+   * @notice Validates the data associated with a credential assignment.
+   * @dev This function MUST NOT revert. Handle all validation failures gracefully and return
+   * false instead of allowing exceptions to propagate.
+   * @param ccid The cross-chain identity of the account.
+   * @param account The account to validate.
+   * @param credentialTypeId The credential type identifier to validate.
+   * @param credentialData The data associated with the credential.
+   * @param context Additional information or authorization to perform the operation.
+   * @return True if the credential is valid, false otherwise.
+   */
+  function validateCredentialData(
+    bytes32 ccid,
+    address account,
+    bytes32 credentialTypeId,
+    bytes calldata credentialData,
+    bytes calldata context
+  )
+    external
+    view
+    returns (bool);
+}

package/packages/cross-chain-identity/src/interfaces/ICredentialRegistry.sol

@@ -0,0 +1,170 @@
+// SPDX-License-Identifier: BUSL-1.1
+pragma solidity ^0.8.20;
+
+import {ICredentialValidator} from "./ICredentialValidator.sol";
+
+/**
+ * @title ICredentialRegistry
+ * @dev Interface for managing the credential registry.
+ */
+interface ICredentialRegistry is ICredentialValidator {
+  /// @notice Error emitted when a credential type identifier is already registered to the ccid.
+  error CredentialAlreadyRegistered(bytes32 ccid, bytes32 credentialTypeId);
+  /// @notice Error emitted when a credential type identifier is not found to be associated to the ccid.
+  error CredentialNotFound(bytes32 ccid, bytes32 credentialTypeId);
+  /// @notice Error emitted when an invalid credential configuration was attempted.
+  error InvalidCredentialConfiguration(string errorReason);
+
+  /**
+   * @dev The struct for a credential. A credential is a piece of arbitrary data that is associated with a credential
+   * type identifier, and optionally has an expiration time. The data can be anything that is relevant to the credential
+   * type.
+   * The ICredentialRegistry maps a cross-chain identifier (CCID) to one or more credentials, managing their lifecycle.
+   */
+  struct Credential {
+    uint40 expiresAt;
+    bytes credentialData;
+  }
+
+  /**
+   * @notice Emitted when a credential is registered.
+   * @param ccid The cross-chain identity of the account.
+   * @param credentialTypeId The credential type identifier that was registered.
+   * @param expiresAt The expiration time of the credential.
+   * @param credentialData The data associated with the credential.
+   */
+  event CredentialRegistered(
+    bytes32 indexed ccid, bytes32 indexed credentialTypeId, uint40 expiresAt, bytes credentialData
+  );
+
+  /**
+   * @notice Emitted when a credential is removed.
+   * @param ccid The cross-chain identity of the account.
+   * @param credentialTypeId The credential type identifier that was removed.
+   */
+  event CredentialRemoved(bytes32 indexed ccid, bytes32 indexed credentialTypeId);
+
+  /**
+   * @notice Emitted when a credential is renewed.
+   * @param ccid The cross-chain identity of the account.
+   * @param credentialTypeId The credential type identifier that was renewed.
+   * @param previousExpiresAt The previous expiration time of the credential.
+   * @param expiresAt The new expiration time of the credential.
+   */
+  event CredentialRenewed(
+    bytes32 indexed ccid, bytes32 indexed credentialTypeId, uint40 previousExpiresAt, uint40 expiresAt
+  );
+
+  /**
+   * @notice Registers a credential for an account.
+   *
+   * - MUST revert with `CredentialAlreadyRegistered` if the credential is already registered.
+   * - MUST emit the `CredentialRegistered` event.
+   *
+   * @param ccid The cross-chain identity of the account.
+   * @param credentialTypeId The credential type identifier to associate with the account.
+   * @param expiresAt The expiration time (MUST be a future timestamp) of the credential, 0 for no expiration.
+   * @param credentialData The data associated with the credential.
+   * @param context Additional information or authorization to perform the operation.
+   */
+  function registerCredential(
+    bytes32 ccid,
+    bytes32 credentialTypeId,
+    uint40 expiresAt,
+    bytes calldata credentialData,
+    bytes calldata context
+  )
+    external;
+
+  /**
+   * @notice Registers a list of credentials for an account.
+   *
+   * - MUST revert with `CredentialAlreadyRegistered` if one of the credentials is already registered.
+   * - MUST emit the `CredentialRegistered` event for each credential.
+   *
+   * @param ccid The cross-chain identity of the account.
+   * @param credentialTypeIds The credential type identifiers to associate with the account.
+   * @param expiresAt The expiration time (MUST be a future timestamp) of the credential, 0 for no expiration.
+   * @param credentialDatas The list of data associated with each credential.
+   * @param context Additional information or authorization to perform the operation.
+   */
+  function registerCredentials(
+    bytes32 ccid,
+    bytes32[] calldata credentialTypeIds,
+    uint40 expiresAt,
+    bytes[] calldata credentialDatas,
+    bytes calldata context
+  )
+    external;
+
+  /**
+   * @notice Removes a credential from an account.
+   *
+   * - MUST revert with `CredentialNotFound` if the credential is not found.
+   * - MUST emit the `CredentialRemoved` event.
+   *
+   * @param ccid The cross-chain identity of the account.
+   * @param credentialTypeId The credential type identifier to remove from the account.
+   * @param context Additional information or authorization to perform the operation.
+   */
+  function removeCredential(bytes32 ccid, bytes32 credentialTypeId, bytes calldata context) external;
+
+  /**
+   * @notice Renews the expiration time of a credential.
+   *
+   * - MUST revert with `CredentialNotFound` if the credential is not found.
+   * - MUST emit the `CredentialRenewed` event.
+   *
+   * @param ccid The cross-chain identity of the account.
+   * @param credentialTypeId The credential type identifier to renew.
+   * @param expiresAt The updated expiration time (MUST be a future timestamp) of the credential, 0 for no expiration.
+   * @param context Additional information or authorization to perform the operation.
+   */
+  function renewCredential(bytes32 ccid, bytes32 credentialTypeId, uint40 expiresAt, bytes calldata context) external;
+
+  /**
+   * @notice Checks if a credential is expired.
+   * @param ccid The cross-chain identity of the account.
+   * @param credentialTypeId The credential type identifier.
+   * @return True if the credential is expired, false otherwise.
+   */
+  function isCredentialExpired(bytes32 ccid, bytes32 credentialTypeId) external view returns (bool);
+
+  /**
+   * @notice Gets all of the credential types associated with an account, expired or not.
+   * @param ccid The cross-chain identity of the account.
+   * @return The credential type identifiers associated with the account.
+   */
+  function getCredentialTypes(bytes32 ccid) external view returns (bytes32[] memory);
+
+  /**
+   * @notice Retrieves a credential associated with a given account and credential type.
+   * - MUST revert with `CredentialNotFound` if the credential does not exist for the given `ccid` and
+   * `credentialTypeId`.
+   *
+   * @param ccid The cross-chain identity of the account.
+   * @param credentialTypeId The credential type identifier to fetch.
+   * @return A `Credential` struct containing:
+   *         - `expiresAt`: The expiration time of the credential (0 if no expiration).
+   *         - `credentialData`: The arbitrary data associated with the credential.
+   */
+  function getCredential(bytes32 ccid, bytes32 credentialTypeId) external view returns (Credential memory);
+
+  /**
+   * @notice Retrieves multiple credentials associated with a given account and a list of credential types.
+   * - MUST revert with `CredentialNotFound` if any of the requested credentials do not exist for the given `ccid`.
+   *
+   * @param ccid The cross-chain identity of the account.
+   * @param credentialTypeIds The list of credential type identifiers to fetch.
+   * @return An array of `Credential` structs, each containing:
+   *         - `expiresAt`: The expiration time of the credential (0 if no expiration).
+   *         - `credentialData`: The arbitrary data associated with the credential.
+   */
+  function getCredentials(
+    bytes32 ccid,
+    bytes32[] calldata credentialTypeIds
+  )
+    external
+    view
+    returns (Credential[] memory);
+}

package/packages/cross-chain-identity/src/interfaces/ICredentialRequirements.sol

@@ -0,0 +1,192 @@
+// SPDX-License-Identifier: BUSL-1.1
+pragma solidity ^0.8.20;
+
+/**
+ * @title ICredentialRequirements
+ * @dev The interface for specifying the required credentials of an application/token.
+ */
+interface ICredentialRequirements {
+  /// @notice Error emitted when a requirement already exists.
+  error RequirementExists(bytes32 requirementId);
+  /// @notice Error emitted when a requirement is not found.
+  error RequirementNotFound(bytes32 requirementId);
+  /// @notice Error emitted when a source has already been added.
+  error SourceExists(bytes32 credentialTypeId, address identityRegistry, address credentialRegistry);
+  /// @notice Error emitted when a credential source is not found.
+  error CredentialSourceNotFound(bytes32 credentialTypeId, address identityRegistry, address credentialRegistry);
+  /// @notice Error emitted when an invalid requirement configuration was attempted.
+  error InvalidRequirementConfiguration(string errorReason);
+
+  /**
+   * @dev The struct for a credential requirement. A requirement is a common identifier that encompasses a list of
+   * credentials that satisfies the requirement, how many validations are required of the credential.
+   * A credential requirement could be 'invert'. This means that the requirement is satisfied if the credential
+   * is not validated in the credential registry. This is useful for requirements that are satisfied by the absence of
+   * a credential.
+   */
+  struct CredentialRequirement {
+    bytes32[] credentialTypeIds;
+    uint256 minValidations;
+    bool invert;
+  }
+
+  /**
+   * @dev The struct for a credential source. A `source` is an identity registry and credential registry pair. The
+   * IIdentityRegistry maps local addresses to the common cross-chain identifier (CCID). The ICredentialRegistry
+   * maps a CCID with one or more credentials, and each credential mapping can optionally have additional data.
+   * A data validator contract can optionally be provided, and if present, is used to validate the data associated
+   * with the credential.
+   */
+  struct CredentialSource {
+    address identityRegistry;
+    address credentialRegistry;
+    address dataValidator;
+  }
+
+  /**
+   * @dev The input struct used to add a new credential requirement.
+   *
+   * @param requirementId The identifier of the requirement.
+   * @param credentialTypeIds The credential type identifier(s) that satisfy the requirement.
+   * @param minValidations The minimum number of validations required for the requirement.
+   * @param invert If the requirement is satisfied by the absence of all of the credential(s).
+   */
+  struct CredentialRequirementInput {
+    bytes32 requirementId;
+    bytes32[] credentialTypeIds;
+    uint256 minValidations;
+    bool invert;
+  }
+
+  /**
+   * @dev The input struct used to add a new credential source.
+   *
+   * @param credentialTypeId The credential type identifier.
+   * @param identityRegistry The address of the identity registry.
+   * @param credentialRegistry The address of the credential registry.
+   * @param dataValidator The address of the data validator contract.
+   */
+  struct CredentialSourceInput {
+    bytes32 credentialTypeId;
+    address identityRegistry;
+    address credentialRegistry;
+    address dataValidator;
+  }
+
+  /**
+   * @notice Emitted when a new credential requirement is added.
+   * @param requirementId The identifier of the requirement.
+   * @param credentialTypeIds The credential type identifiers that satisfy the requirement.
+   * @param minValidations The minimum number of validations required for the requirement.
+   * @param invert Whether the requirement is satisfied by the absence of all of the credential(s).
+   */
+  event CredentialRequirementAdded(
+    bytes32 indexed requirementId, bytes32[] credentialTypeIds, uint256 minValidations, bool invert
+  );
+
+  /**
+   * @notice Emitted when a credential requirement is removed.
+   * @param requirementId The identifier of the requirement.
+   * @param credentialTypeIds The list of credential type identifiers that satisfy the requirement.
+   * @param minValidations The minimum number of validations required for the requirement.
+   * @param invert Whether the requirement was satisfied by the absence of all of the credential(s).
+   */
+  event CredentialRequirementRemoved(
+    bytes32 indexed requirementId, bytes32[] credentialTypeIds, uint256 minValidations, bool invert
+  );
+
+  /**
+   * @notice Emitted when a new credential source is added.
+   * @param credentialTypeId The credential type identifier.
+   * @param identityRegistry The address of the identity registry.
+   * @param credentialRegistry The address of the credential registry.
+   * @param dataValidator The address of the data validator contract.
+   */
+  event CredentialSourceAdded(
+    bytes32 indexed credentialTypeId,
+    address indexed identityRegistry,
+    address indexed credentialRegistry,
+    address dataValidator
+  );
+
+  /**
+   * @notice Emitted when a credential source is removed.
+   * @param credentialTypeId The credential type identifier.
+   * @param identityRegistry The address of the identity registry.
+   * @param credentialRegistry The address of the credential registry.
+   * @param dataValidator The address of the data validator contract.
+   */
+  event CredentialSourceRemoved(
+    bytes32 indexed credentialTypeId,
+    address indexed identityRegistry,
+    address indexed credentialRegistry,
+    address dataValidator
+  );
+
+  /**
+   * @notice Adds a new credential requirement.
+   *
+   * - MUST revert with `RequirementExists` if the requirement already exists.
+   * - MUST emit the `CredentialRequirementAdded` event.
+   *
+   * @param CredentialRequirementInput The input struct used to add a new credential requirement.
+   */
+  function addCredentialRequirement(CredentialRequirementInput memory CredentialRequirementInput) external;
+
+  /**
+   * @notice Removes a credential requirement.
+   *
+   * - MUST revert with `RequirementNotFound` if the requirement does not exist.
+   * - MUST emit the `CredentialRequirementRemoved` event.
+   *
+   * @param requirementId The identifier of the requirement.
+   */
+  function removeCredentialRequirement(bytes32 requirementId) external;
+
+  /**
+   * @notice Gets a credential requirement.
+   * @param requirementId The identifier of the requirement.
+   * @return The credential requirement.
+   */
+  function getCredentialRequirement(bytes32 requirementId) external view returns (CredentialRequirement memory);
+
+  /**
+   * @notice Get all of the credential requirement identifiers.
+   * @return The credential requirement identifiers.
+   */
+  function getCredentialRequirementIds() external view returns (bytes32[] memory);
+
+  /**
+   * @notice Adds a new credential source.
+   *
+   * - MUST revert with `SourceExists` if the source already exists.
+   * - MUST emit the `CredentialSourceAdded` event.
+   *
+   * @param CredentialSourceInput The input struct used to add a new credential source.
+   */
+  function addCredentialSource(CredentialSourceInput memory CredentialSourceInput) external;
+
+  /**
+   * @notice Removes a credential source.
+   *
+   * - MUST revert with `CredentialSourceNotFound` if the source does not exist.
+   * - MUST emit the `CredentialSourceRemoved` event.
+   *
+   * @param credentialTypeId The credential type identifier.
+   * @param identityRegistry The address of the identity registry.
+   * @param credentialRegistry The address of the credential registry.
+   */
+  function removeCredentialSource(
+    bytes32 credentialTypeId,
+    address identityRegistry,
+    address credentialRegistry
+  )
+    external;
+
+  /**
+   * @notice Gets all credential sources.
+   * @param credentialTypeId The credential type identifier.
+   * @return The credential sources.
+   */
+  function getCredentialSources(bytes32 credentialTypeId) external view returns (CredentialSource[] memory);
+}

package/packages/cross-chain-identity/src/interfaces/ICredentialValidator.sol

@@ -0,0 +1,37 @@
+// SPDX-License-Identifier: BUSL-1.1
+pragma solidity ^0.8.20;
+
+/**
+ * @title ICredentialValidator
+ * @dev Interface for validating a ccid has a credential.
+ */
+interface ICredentialValidator {
+  /**
+   * @notice Checks if a credential is valid for the specified cross-chain identity.
+   * @dev This function MUST NOT revert. Handle all validation failures gracefully and return
+   * false instead of allowing exceptions to propagate.
+   * @param ccid The cross-chain identity of the account.
+   * @param credentialTypeId The credential type identifier.
+   * @param context Additional information or authorization to perform the operation.
+   * @return True if the credential is valid, otherwise false.
+   */
+  function validate(bytes32 ccid, bytes32 credentialTypeId, bytes calldata context) external view returns (bool);
+
+  /**
+   * @notice Checks if all of the credentials are valid for the specified cross-chain identity.
+   * @dev This function MUST NOT revert. Handle all validation failures gracefully and return
+   * false instead of allowing exceptions to propagate.
+   * @param ccid The cross-chain identity of the account.
+   * @param credentialTypeIds The credential type identifiers.
+   * @param context Additional information or authorization to perform the operation.
+   * @return True if the credential is valid, otherwise false.
+   */
+  function validateAll(
+    bytes32 ccid,
+    bytes32[] calldata credentialTypeIds,
+    bytes calldata context
+  )
+    external
+    view
+    returns (bool);
+}