@chainlink/ace 0.5.0

package/packages/cross-chain-identity/src/interfaces/IIdentityRegistry.sol

@@ -0,0 +1,85 @@
+// SPDX-License-Identifier: BUSL-1.1
+pragma solidity ^0.8.20;
+
+/**
+ * @title IIdentityRegistry
+ * @notice The interface for managing identities within a registry. Identities are a bytes32 identifier known as
+ * the Cross-Chain ID (CCID), in which credentials and other information can be associated with. Multiple local
+ * blockchain accounts can be associated with a single CCID, but each account can only be associated with one CCID
+ * within this registry.
+ */
+interface IIdentityRegistry {
+  /// @notice Error emitted when an identity is already registered.
+  error IdentityAlreadyRegistered(bytes32 ccid, address account);
+  /// @notice Error emitted when an identity is not found.
+  error IdentityNotFound(bytes32 ccid, address account);
+  /// @notice Error emitted when an invalid identity configuration was attempted.
+  error InvalidIdentityConfiguration(bytes errorReason);
+
+  /**
+   * @notice Emitted when a new identity is registered.
+   * @param ccid The common cross-chain identifier of the identity.
+   * @param account The address of the account on this chain.
+   */
+  event IdentityRegistered(bytes32 indexed ccid, address indexed account);
+
+  /**
+   * @notice Emitted when an identity is removed.
+   * @param ccid The common cross-chain identifier of the identity.
+   * @param account The address of the account on this chain.
+   */
+  event IdentityRemoved(bytes32 indexed ccid, address indexed account);
+
+  /**
+   * @notice Registers a new local account address for a cross-chain identity.
+   *
+   * - MUST be access controlled to prevent unauthorized identity registration.
+   * - MUST revert with `IdentityAlreadyRegistered` if the ccid/account pair is already registered.
+   * - MUST emit the `IdentityRegistered` event.
+   *
+   * @param ccid The common cross-chain identifier of the identity.
+   * @param account The address of the account on this chain.
+   * @param context Additional information or authorization to perform the operation.
+   */
+  function registerIdentity(bytes32 ccid, address account, bytes calldata context) external;
+
+  /**
+   * @notice Registers a list of new ccid/local account address pairs.
+   *
+   * - MUST be access controlled to prevent unauthorized identity registration.
+   * - MUST revert with `IdentityAlreadyRegistered` if one of the ccid/account pairs is already registered.
+   * - MUST emit the `IdentityRegistered` event for each ccid/account pair.
+   *
+   * @param ccids The list of common cross-chain identifiers for the identities.
+   * @param accounts The list of address for the identities on this chain.
+   * @param context Additional information or authorization to perform the operation.
+   */
+  function registerIdentities(bytes32[] calldata ccids, address[] calldata accounts, bytes calldata context) external;
+
+  /**
+   * @notice Removes an identity.
+   *
+   * - MUST be access controlled to prevent unauthorized identity removal.
+   * - MUST revert with `IdentityNotFound` if the ccid/account pair is not registered.
+   * - MUST emit the `IdentityRemoved` event.
+   *
+   * @param ccid The common cross-chain identifier of the identity.
+   * @param account The address of the account on this chain.
+   * @param context Additional information or authorization to perform the operation.
+   */
+  function removeIdentity(bytes32 ccid, address account, bytes calldata context) external;
+
+  /**
+   * @notice Gets the common cross-chain identifier of an identity.
+   * @param account The address of the account on this chain.
+   * @return the common cross-chain identifier of the identity.
+   */
+  function getIdentity(address account) external view returns (bytes32);
+
+  /**
+   * @notice Gets the addresses of an account on this chain.
+   * @param ccid The common cross-chain identifier of the identity.
+   * @return the addresses of the accounts on this chain.
+   */
+  function getAccounts(bytes32 ccid) external view returns (address[] memory);
+}

package/packages/cross-chain-identity/src/interfaces/IIdentityValidator.sol

@@ -0,0 +1,18 @@
+// SPDX-License-Identifier: BUSL-1.1
+pragma solidity ^0.8.20;
+
+/**
+ * @title IIdentityValidator
+ * @dev Interface for validating the account identity.
+ */
+interface IIdentityValidator {
+  /**
+   * @notice Validates the identity of an account.
+   * @dev This function MUST NOT revert. Use try-catch blocks around external calls and return
+   * false for any validation failures instead of allowing exceptions to propagate.
+   * @param account The account to validate.
+   * @param context Additional information or authorization to perform the operation.
+   * @return True if the account is a valid identity, false otherwise.
+   */
+  function validate(address account, bytes calldata context) external view returns (bool);
+}

package/packages/cross-chain-identity/src/interfaces/ITrustedIssuerRegistry.sol

@@ -0,0 +1,61 @@
+// SPDX-License-Identifier: BUSL-1.1
+pragma solidity ^0.8.20;
+
+/**
+ * @title ITrustedIssuerRegistry
+ * @dev Interface for managing trusted issuers in the system.
+ */
+interface ITrustedIssuerRegistry {
+  // ------------------------------------------------------------------------
+  // Events
+  // ------------------------------------------------------------------------
+
+  /**
+   * @notice Emitted when a new trusted issuer is added.
+   * @param issuerIdHash The keccak256 hash of the issuerId string (indexed for filtering).
+   * @param issuerId The original issuerId string (human-readable, not indexed).
+   */
+  event TrustedIssuerAdded(bytes32 indexed issuerIdHash, string issuerId);
+
+  /**
+   * @notice Emitted when a trusted issuer is removed.
+   * @param issuerIdHash The keccak256 hash of the issuerId string (indexed for filtering).
+   * @param issuerId The original issuerId string (human-readable, not indexed).
+   */
+  event TrustedIssuerRemoved(bytes32 indexed issuerIdHash, string issuerId);
+
+  // ------------------------------------------------------------------------
+  // Logic
+  // ------------------------------------------------------------------------
+
+  /**
+   * @notice Adds a new trusted issuer.
+   * @param issuerId The issuerId string of the issuer.
+   * @param context Additional information or authorization to perform the operation.
+   */
+  function addTrustedIssuer(string memory issuerId, bytes calldata context) external;
+
+  /**
+   * @notice Removes a trusted issuer.
+   * @param issuerId The issuerId string of the issuer to remove.
+   * @param context Additional information or authorization to perform the operation.
+   */
+  function removeTrustedIssuer(string memory issuerId, bytes calldata context) external;
+
+  // ------------------------------------------------------------------------
+  // View
+  // ------------------------------------------------------------------------
+
+  /**
+   * @notice Checks if a issuerId corresponds to a trusted issuer.
+   * @param issuerId The issuerId string to check.
+   * @return True if the issuerId is trusted, false otherwise.
+   */
+  function isTrustedIssuer(string memory issuerId) external view returns (bool);
+
+  /**
+   * @notice Returns the list of all trusted issuer identifiers (hashed).
+   * @return An array of keccak256 hashes of trusted issuerIds.
+   */
+  function getTrustedIssuers() external view returns (bytes32[] memory);
+}

package/packages/cross-chain-identity/test/CredentialRegistry.t.sol

@@ -0,0 +1,220 @@
+// SPDX-License-Identifier: BUSL-1.1
+pragma solidity 0.8.26;
+
+import {IPolicyEngine} from "@chainlink/policy-management/interfaces/IPolicyEngine.sol";
+import {ICredentialRegistry, CredentialRegistry} from "../src/CredentialRegistry.sol";
+import {PolicyEngine} from "@chainlink/policy-management/core/PolicyEngine.sol";
+import {BaseProxyTest} from "./helpers/BaseProxyTest.sol";
+
+contract CredentialRegistryTest is BaseProxyTest {
+  bytes32 public constant CREDENTIAL_KYC = keccak256("common.kyc");
+  bytes32 public constant CREDENTIAL_ACCREDITED = keccak256("common.accredited");
+
+  PolicyEngine internal s_policyEngine;
+  CredentialRegistry internal s_credentialRegistry;
+
+  address internal s_owner;
+
+  function setUp() public {
+    s_owner = makeAddr("owner");
+
+    vm.startPrank(s_owner);
+
+    s_policyEngine = _deployPolicyEngine(true, address(this));
+    s_credentialRegistry = _deployCredentialRegistry(address(s_policyEngine));
+  }
+
+  function test_registerCredential_success() public {
+    bytes32 ccid = keccak256("account1");
+
+    s_credentialRegistry.registerCredential(ccid, CREDENTIAL_KYC, 0, "", "");
+    s_credentialRegistry.registerCredential(ccid, CREDENTIAL_ACCREDITED, 0, "", "");
+
+    bytes32[] memory creds = s_credentialRegistry.getCredentialTypes(ccid);
+    assert(creds.length == 2);
+  }
+
+  function test_registerCredentials_success() public {
+    bytes32 ccid = keccak256("account1");
+
+    bytes32[] memory credentialTypeIds = new bytes32[](2);
+    bytes[] memory credentialDatas = new bytes[](2);
+
+    credentialTypeIds[0] = CREDENTIAL_ACCREDITED;
+    credentialDatas[0] = "ACCREDITED";
+
+    credentialTypeIds[1] = CREDENTIAL_KYC;
+    credentialDatas[1] = "KYC";
+
+    s_credentialRegistry.registerCredentials(ccid, credentialTypeIds, 0, credentialDatas, "");
+
+    bytes32[] memory creds = s_credentialRegistry.getCredentialTypes(ccid);
+    assert(creds.length == 2);
+  }
+
+  function test_registerCredential_expired_revert() public {
+    bytes32 ccid = keccak256("account1");
+
+    vm.expectPartialRevert(ICredentialRegistry.InvalidCredentialConfiguration.selector);
+    s_credentialRegistry.registerCredential(ccid, CREDENTIAL_KYC, 1, "", "");
+  }
+
+  function test_removeCredential_success() public {
+    bytes32 ccid = keccak256("account1");
+
+    bytes32[] memory credentialTypeIds = new bytes32[](2);
+    bytes[] memory credentialDatas = new bytes[](2);
+
+    credentialTypeIds[0] = CREDENTIAL_ACCREDITED;
+    credentialDatas[0] = "ACCREDITED";
+
+    credentialTypeIds[1] = CREDENTIAL_KYC;
+    credentialDatas[1] = "KYC";
+
+    s_credentialRegistry.registerCredentials(ccid, credentialTypeIds, 0, credentialDatas, "");
+
+    bytes32[] memory creds = s_credentialRegistry.getCredentialTypes(ccid);
+    assert(creds.length == 2);
+
+    s_credentialRegistry.removeCredential(ccid, credentialTypeIds[0], "");
+
+    creds = s_credentialRegistry.getCredentialTypes(ccid);
+    assert(creds.length == 1);
+  }
+
+  function test_removeCredential_notFound_failure() public {
+    bytes32 ccid = keccak256("account_not_defined");
+
+    bytes32[] memory creds = s_credentialRegistry.getCredentialTypes(ccid);
+    assert(creds.length == 0);
+
+    vm.expectRevert();
+    s_credentialRegistry.removeCredential(ccid, bytes32(0), "");
+  }
+
+  function test_getCredential_success() public {
+    bytes32 ccid = keccak256("account1");
+    bytes memory expectedData = bytes("data");
+
+    s_credentialRegistry.registerCredential(ccid, CREDENTIAL_KYC, 0, expectedData, "");
+
+    bytes memory cred_data = s_credentialRegistry.getCredential(ccid, CREDENTIAL_KYC).credentialData;
+
+    assert(expectedData.length == cred_data.length);
+    for (uint256 i = 0; i < cred_data.length; i++) {
+      assert(cred_data[i] == expectedData[i]);
+    }
+  }
+
+  function test_getCredential_notFound_failure() public {
+    bytes32 ccid = keccak256("account1");
+    bytes memory credentialData = bytes("data");
+
+    s_credentialRegistry.registerCredential(ccid, CREDENTIAL_KYC, 0, credentialData, "");
+
+    vm.expectPartialRevert(ICredentialRegistry.CredentialNotFound.selector);
+    s_credentialRegistry.getCredential(ccid, CREDENTIAL_ACCREDITED);
+  }
+
+  function test_getCredentials_success() public {
+    bytes32 ccid = keccak256("account1");
+
+    bytes32[] memory credentialTypeIds = new bytes32[](2);
+    bytes[] memory credentialDatas = new bytes[](2);
+
+    credentialTypeIds[0] = CREDENTIAL_ACCREDITED;
+    credentialDatas[0] = "ACCREDITED";
+
+    credentialTypeIds[1] = CREDENTIAL_KYC;
+    credentialDatas[1] = "KYC";
+
+    s_credentialRegistry.registerCredentials(ccid, credentialTypeIds, 0, credentialDatas, "");
+
+    bytes32[] memory creds = s_credentialRegistry.getCredentialTypes(ccid);
+    assert(creds.length == 2);
+
+    ICredentialRegistry.Credential[] memory credentials = s_credentialRegistry.getCredentials(ccid, credentialTypeIds);
+
+    assert(credentials.length == 2);
+    assert(keccak256(credentials[0].credentialData) == keccak256(bytes("ACCREDITED")));
+    assert(keccak256(credentials[1].credentialData) == keccak256(bytes("KYC")));
+  }
+
+  function test_getCredentials_notFound_failure() public {
+    bytes32 ccid = keccak256("account1");
+    bytes memory credentialData = bytes("data");
+
+    s_credentialRegistry.registerCredential(ccid, CREDENTIAL_KYC, 0, credentialData, "");
+
+    bytes32[] memory credentialTypeIds = new bytes32[](2);
+    credentialTypeIds[0] = CREDENTIAL_KYC;
+    credentialTypeIds[1] = CREDENTIAL_ACCREDITED;
+
+    vm.expectPartialRevert(ICredentialRegistry.CredentialNotFound.selector);
+    s_credentialRegistry.getCredentials(ccid, credentialTypeIds);
+  }
+
+  function test_renewCredential_success() public {
+    bytes32 ccid = keccak256("account1");
+
+    s_credentialRegistry.registerCredential(ccid, CREDENTIAL_KYC, uint40(block.timestamp + 1), "", "");
+    vm.warp(block.timestamp + 10);
+
+    bool validateBeforeRenewal = s_credentialRegistry.validate(ccid, CREDENTIAL_KYC, "");
+
+    assert(validateBeforeRenewal == false);
+
+    s_credentialRegistry.renewCredential(ccid, CREDENTIAL_KYC, uint40(block.timestamp + 20), "");
+
+    bool validateAfterRenewal = s_credentialRegistry.validate(ccid, CREDENTIAL_KYC, "");
+    assert(validateAfterRenewal == true);
+  }
+
+  function test_renewCredential_emitsEventWithPreviousExpiry() public {
+    bytes32 ccid = keccak256("account1");
+    uint40 initialExpiry = uint40(block.timestamp + 100);
+    uint40 newExpiry = uint40(block.timestamp + 200);
+
+    s_credentialRegistry.registerCredential(ccid, CREDENTIAL_KYC, initialExpiry, "", "");
+
+    vm.expectEmit();
+    emit ICredentialRegistry.CredentialRenewed(ccid, CREDENTIAL_KYC, initialExpiry, newExpiry);
+
+    s_credentialRegistry.renewCredential(ccid, CREDENTIAL_KYC, newExpiry, "");
+  }
+
+  function test_renewCredential_allowsShorteningCredential() public {
+    bytes32 ccid = keccak256("account1");
+
+    uint40 originalExpiry = uint40(block.timestamp + 100);
+    s_credentialRegistry.registerCredential(ccid, CREDENTIAL_KYC, originalExpiry, "", "");
+
+    uint40 shorterExpiry = uint40(block.timestamp + 50);
+    vm.expectEmit();
+    emit ICredentialRegistry.CredentialRenewed(ccid, CREDENTIAL_KYC, originalExpiry, shorterExpiry);
+    s_credentialRegistry.renewCredential(ccid, CREDENTIAL_KYC, shorterExpiry, "");
+
+    ICredentialRegistry.Credential memory credential = s_credentialRegistry.getCredential(ccid, CREDENTIAL_KYC);
+    assertEq(credential.expiresAt, shorterExpiry);
+
+    s_credentialRegistry.renewCredential(ccid, CREDENTIAL_KYC, shorterExpiry, "");
+  }
+
+  function test_validateAll_success() public {
+    bytes32 ccid = keccak256("account1");
+
+    bytes32[] memory credentialTypeIds = new bytes32[](2);
+    bytes[] memory credentialDatas = new bytes[](2);
+
+    credentialTypeIds[0] = CREDENTIAL_ACCREDITED;
+    credentialDatas[0] = "ACCREDITED";
+
+    credentialTypeIds[1] = CREDENTIAL_KYC;
+    credentialDatas[1] = "KYC";
+
+    s_credentialRegistry.registerCredentials(ccid, credentialTypeIds, 0, credentialDatas, "");
+
+    bool validateAllRes = s_credentialRegistry.validateAll(ccid, credentialTypeIds, "");
+    assert(validateAllRes == true);
+  }
+}