@inco/lightning 0.11.0-testnet-3 → 1.0.0-devnet-2

package/src/lightning-parts/AccessControl/AdvancedAccessControl.sol

@@ -1,7 +1,11 @@
 // SPDX-License-Identifier: No License
 pragma solidity ^0.8;
 
-import {AllowanceVoucher, AllowanceProof} from "./AdvancedAccessControl.types.sol";
+import {
+    AllowanceVoucher,
+    AllowanceProof,
+    REQUIRED_ALLOWANCE_VOUCHER_WARNING_HASH
+} from "./AdvancedAccessControl.types.sol";
 import {ALLOWANCE_GRANTED_MAGIC_VALUE} from "../../Types.sol";
 import {EIP712Upgradeable} from "@openzeppelin/contracts-upgradeable/utils/cryptography/EIP712Upgradeable.sol";
 import {IAdvancedAccessControl, IVoucherEip712Checker} from "./interfaces/IAdvancedAccessControl.sol";
@@ -9,6 +13,8 @@ import {SharerNotAllowedForHandle} from "../../Types.sol";
 import {SignatureChecker} from "@openzeppelin/contracts/utils/cryptography/SignatureChecker.sol";
 import {IBaseAccessControlList} from "./interfaces/IBaseAccessControlList.sol";
 import {LightningAddressGetter} from "../primitives/LightningAddressGetter.sol";
+import {PausableUpgradeable} from "@openzeppelin/contracts-upgradeable/utils/PausableUpgradeable.sol";
+import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
 
 /// @title AdvancedAccessControlStorage
 /// @notice Diamond storage pattern for advanced ACL session nonce tracking
@@ -47,7 +53,7 @@ abstract contract VoucherEip712Checker is IVoucherEip712Checker, EIP712Upgradeab
     /// @notice EIP-712 type hash for the AllowanceVoucher struct
     /// @dev Computed once at compile time for gas efficiency
     bytes32 constant ALLOWANCE_VOUCHER_STRUCT_HASH = keccak256(
-        "AllowanceVoucher(bytes32 sessionNonce,address verifyingContract,bytes4 callFunction,bytes sharerArgData)"
+        "AllowanceVoucher(string warning,bytes32 sessionNonce,address verifyingContract,bytes4 callFunction,bytes sharerArgData)"
     );
 
     /// @notice Computes the EIP-712 digest for an allowance voucher
@@ -60,6 +66,7 @@ abstract contract VoucherEip712Checker is IVoucherEip712Checker, EIP712Upgradeab
             keccak256(
                 abi.encode(
                     ALLOWANCE_VOUCHER_STRUCT_HASH,
+                    keccak256(bytes(voucher.warning)),
                     voucher.sessionNonce,
                     voucher.verifyingContract,
                     voucher.callFunction,
@@ -86,15 +93,22 @@ abstract contract VoucherEip712Checker is IVoucherEip712Checker, EIP712Upgradeab
 ///      - Session nonces allow sharers to invalidate all previous vouchers
 ///      - EIP-712 typed data ensures vouchers are human-readable when signing
 ///      - Supports both EOA and smart contract signatures (ERC-1271)
+/// @dev `OwnableUpgradeable` is only here to align Context ordering with DecryptionAttester
+///      for IncoVerifier's C3 linearization.
 abstract contract AdvancedAccessControl is
     IAdvancedAccessControl,
     AdvancedAccessControlStorage,
+    OwnableUpgradeable,
     VoucherEip712Checker,
-    LightningAddressGetter
+    LightningAddressGetter,
+    PausableUpgradeable
 {
 
     using SignatureChecker for address;
 
+    /// @notice Thrown when a voucher's warning field does not match the required warning text
+    error InvalidVoucherWarning();
+
     /// @notice Thrown when a voucher signature is invalid for the claimed signer
     /// @param signer The address that allegedly signed the voucher
     /// @param digest The EIP-712 digest that should have been signed
@@ -111,6 +125,7 @@ abstract contract AdvancedAccessControl is
 
     /// @notice Checks if an account is allowed to access a handle using a signed voucher proof
     /// @dev Intended for simulation/off-chain calls. Not a view function as it calls external contracts.
+    ///      Returns false unconditionally when this contract is paused, before any input validation.
     ///      Verification steps:
     ///      1. Verify the sharer has access to the handle
     ///      2. Verify the voucher signature is valid
@@ -120,7 +135,17 @@ abstract contract AdvancedAccessControl is
     /// @param account The account requesting access
     /// @param proof The allowance proof containing voucher, signature, and requester data
     /// @return True if access is allowed, false or reverts otherwise
-    function isAllowedWithProof(bytes32 handle, address account, AllowanceProof memory proof) public returns (bool) {
+    function isAllowedWithProof(bytes32 handle, address account, AllowanceProof memory proof)
+        public
+        virtual
+        returns (bool)
+    {
+        if (paused()) {
+            return false;
+        }
+        require(
+            keccak256(bytes(proof.voucher.warning)) == REQUIRED_ALLOWANCE_VOUCHER_WARNING_HASH, InvalidVoucherWarning()
+        );
         require(proof.voucher.verifyingContract != address(0), InvalidVerifyingContract());
         require(
             IBaseAccessControlList(incoLightningAddress).isAllowed(handle, proof.sharer),

package/src/lightning-parts/AccessControl/AdvancedAccessControl.types.sol

@@ -1,9 +1,21 @@
 // SPDX-License-Identifier: No License
 pragma solidity ^0.8;
 
+// Required warning that must be present in every AllowanceVoucher.
+// Must match SESSION_KEY_WARNING in js/src/advancedacl/session-key.ts.
+string constant REQUIRED_ALLOWANCE_VOUCHER_WARNING =
+    "Inco Warning: signing this message may leak your private data, including from unrelated apps. Sign only if you fully trust this app.";
+
+// Precomputed hash of REQUIRED_ALLOWANCE_VOUCHER_WARNING for cheap runtime comparison.
+// Evaluated at compile time — no storage slot used, no runtime keccak256 of the full string.
+bytes32 constant REQUIRED_ALLOWANCE_VOUCHER_WARNING_HASH = keccak256(bytes(REQUIRED_ALLOWANCE_VOUCHER_WARNING));
+
 // can be for arbitrary handles to arbitrary accounts
 // signed by the account sharing its read access
 struct AllowanceVoucher {
+    // Human-readable warning displayed by wallets at signing time.
+    // Must be first so wallets show it before the opaque byte fields below.
+    string warning;
     bytes32 sessionNonce;
     address verifyingContract;
     bytes4 callFunction;

package/src/lightning-parts/AccessControl/BaseAccessControlList.sol

@@ -162,17 +162,25 @@ abstract contract BaseAccessControlList is
 
     /// @notice Checks if an account has access to an encrypted handle.
     /// @dev Returns true if any of: transient access, persistent access, or handle is revealed.
+    ///      Returns false unconditionally when the contract is paused.
     /// @param handle The encrypted handle to check.
     /// @param account The account to check access for.
     /// @return True if the account has access to the handle.
     function isAllowed(bytes32 handle, address account) public view returns (bool) {
+        if (paused()) {
+            return false;
+        }
         return allowedTransient(handle, account) || persistAllowed(handle, account) || isRevealed(handle);
     }
 
     /// @notice Checks if a handle has been revealed for public access.
+    /// @dev Returns false unconditionally when the contract is paused.
     /// @param handle The encrypted handle to check.
     /// @return True if the handle has been revealed.
     function isRevealed(bytes32 handle) public view returns (bool) {
+        if (paused()) {
+            return false;
+        }
         AclStorage storage $ = getAclStorage();
         return $.persistedAllowedForDecryption[handle];
     }

package/src/lightning-parts/AccessControl/test/TestAdvancedAccessControl.t.sol

@@ -4,6 +4,7 @@ pragma solidity ^0.8;
 import {IncoTest} from "../../../test/IncoTest.sol";
 import {SessionVerifier, Session} from "../../../periphery/SessionVerifier.sol";
 import {AllowanceVoucher, AllowanceProof} from "../AdvancedAccessControl.sol";
+import {REQUIRED_ALLOWANCE_VOUCHER_WARNING} from "../AdvancedAccessControl.types.sol";
 import {euint256, SharerNotAllowedForHandle} from "../../../Types.sol";
 import {e, inco} from "../../../Lib.sol";
 import {AdvancedAccessControl} from "../AdvancedAccessControl.sol";
@@ -93,7 +94,8 @@ contract TestAdvancedAccessControl is IncoTest {
             sessionNonce: bytes32(0),
             verifyingContract: address(0),
             callFunction: SessionVerifier.canUseSession.selector,
-            sharerArgData: abi.encode(Session({decrypter: bob, expiresAt: block.timestamp + 1 days}))
+            sharerArgData: abi.encode(Session({decrypter: bob, expiresAt: block.timestamp + 1 days})),
+            warning: REQUIRED_ALLOWANCE_VOUCHER_WARNING
         });
         AllowanceProof memory bobsProof = getBobsProof(invalidSessionVoucher);
         vm.expectRevert(abi.encodeWithSelector(AdvancedAccessControl.InvalidVerifyingContract.selector));
@@ -111,7 +113,8 @@ contract TestAdvancedAccessControl is IncoTest {
             sessionNonce: bytes32(0),
             verifyingContract: address(sessionVerifier),
             callFunction: SessionVerifier.canUseSession.selector,
-            sharerArgData: abi.encode(Session({decrypter: bob, expiresAt: block.timestamp + 1 days}))
+            sharerArgData: abi.encode(Session({decrypter: bob, expiresAt: block.timestamp + 1 days})),
+            warning: REQUIRED_ALLOWANCE_VOUCHER_WARNING
         });
         AllowanceProof memory bobsProof = getBobsProof(aliceSessionVoucherForBob);
         assertTrue(
@@ -128,7 +131,8 @@ contract TestAdvancedAccessControl is IncoTest {
             sessionNonce: bytes32(0),
             verifyingContract: address(verifier),
             callFunction: verifier.someCheck.selector,
-            sharerArgData: ""
+            sharerArgData: "",
+            warning: REQUIRED_ALLOWANCE_VOUCHER_WARNING
         });
         AllowanceProof memory bobsFirstProof = getBobsProof(voucher);
         assertTrue(
@@ -140,7 +144,8 @@ contract TestAdvancedAccessControl is IncoTest {
             sessionNonce: madeUpNonce,
             verifyingContract: address(verifier),
             callFunction: verifier.someCheck.selector,
-            sharerArgData: ""
+            sharerArgData: "",
+            warning: REQUIRED_ALLOWANCE_VOUCHER_WARNING
         });
         AllowanceProof memory invalidBobProof = getBobsProof(voucher);
         // the session nonce should be checked by inco
@@ -164,7 +169,8 @@ contract TestAdvancedAccessControl is IncoTest {
             sessionNonce: alicesNewNonce,
             verifyingContract: address(verifier),
             callFunction: verifier.someCheck.selector,
-            sharerArgData: ""
+            sharerArgData: "",
+            warning: REQUIRED_ALLOWANCE_VOUCHER_WARNING
         });
         AllowanceProof memory bobsSecondProof = getBobsProof(voucher);
         assertTrue(
@@ -179,7 +185,8 @@ contract TestAdvancedAccessControl is IncoTest {
             sessionNonce: bytes32(0),
             verifyingContract: address(verifier),
             callFunction: verifier.someCheck.selector,
-            sharerArgData: abi.encode(SomeVerifier.SharerArg({handleShared: secretHandle, allowedAccount: bob}))
+            sharerArgData: abi.encode(SomeVerifier.SharerArg({handleShared: secretHandle, allowedAccount: bob})),
+            warning: REQUIRED_ALLOWANCE_VOUCHER_WARNING
         });
         AllowanceProof memory bobsProof = AllowanceProof({
             sharer: alice,
@@ -217,7 +224,8 @@ contract TestAdvancedAccessControl is IncoTest {
             sessionNonce: bytes32(0),
             verifyingContract: address(verifier),
             callFunction: verifier.someCheck.selector,
-            sharerArgData: ""
+            sharerArgData: "",
+            warning: REQUIRED_ALLOWANCE_VOUCHER_WARNING
         });
         // Use bob as sharer, but bob is NOT allowed on the secret (only alice is)
         AllowanceProof memory proof = AllowanceProof({
@@ -237,7 +245,8 @@ contract TestAdvancedAccessControl is IncoTest {
             sessionNonce: bytes32(0),
             verifyingContract: address(verifier),
             callFunction: verifier.someCheck.selector,
-            sharerArgData: ""
+            sharerArgData: "",
+            warning: REQUIRED_ALLOWANCE_VOUCHER_WARNING
         });
         // Alice is the sharer (and is allowed), but we sign with Bob's key
         bytes memory wrongSignature = getSignatureForDigest(incoVerifier.allowanceVoucherDigest(voucher), bobPrivKey);
@@ -252,6 +261,23 @@ contract TestAdvancedAccessControl is IncoTest {
         incoVerifier.isAllowedWithProof(secretHandle, bob, proof);
     }
 
+    /// @notice Test InvalidVoucherWarning error when voucher warning does not match required text
+    function testIsAllowedWithProofInvalidVoucherWarning() public {
+        DoesNotVerifyAnything verifier = new DoesNotVerifyAnything();
+        AllowanceVoucher memory voucher = AllowanceVoucher({
+            sessionNonce: bytes32(0),
+            verifyingContract: address(verifier),
+            callFunction: verifier.someCheck.selector,
+            sharerArgData: "",
+            warning: "wrong warning"
+        });
+        AllowanceProof memory proof = AllowanceProof({
+            sharer: alice, voucher: voucher, voucherSignature: getAliceSig(voucher), requesterArgData: ""
+        });
+        vm.expectRevert(abi.encodeWithSelector(AdvancedAccessControl.InvalidVoucherWarning.selector));
+        incoVerifier.isAllowedWithProof(secretHandle, bob, proof);
+    }
+
     /// @notice Test claimHandle fails when proof verification fails (line 107)
     function testClaimHandleProofVerificationFailed() public {
         SomeVerifier verifier = new SomeVerifier();
@@ -261,7 +287,8 @@ contract TestAdvancedAccessControl is IncoTest {
             sessionNonce: bytes32(0),
             verifyingContract: address(verifier),
             callFunction: verifier.someCheck.selector,
-            sharerArgData: abi.encode(SomeVerifier.SharerArg({handleShared: secretHandle, allowedAccount: bob}))
+            sharerArgData: abi.encode(SomeVerifier.SharerArg({handleShared: secretHandle, allowedAccount: bob})),
+            warning: REQUIRED_ALLOWANCE_VOUCHER_WARNING
         });
         AllowanceProof memory proof = AllowanceProof({
             sharer: alice, // alice IS allowed on the secret

package/src/lightning-parts/DecryptionAttester.sol

@@ -10,6 +10,7 @@ import {EIP712Upgradeable} from "@openzeppelin/contracts-upgradeable/utils/crypt
 import {ECDSA} from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
 import {SignatureVerifier} from "./primitives/SignatureVerifier.sol";
 import {IDecryptionAttester} from "./interfaces/IDecryptionAttester.sol";
+import {PausableUpgradeable} from "@openzeppelin/contracts-upgradeable/utils/PausableUpgradeable.sol";
 
 /// @title DecryptionAttester
 /// @notice Verifies decryption attestations signed by covalidators.
@@ -17,7 +18,7 @@ import {IDecryptionAttester} from "./interfaces/IDecryptionAttester.sol";
 /// the value and signs an attestation. This contract verifies that attestation using EIP-712
 /// typed data signatures. The attestation binds a handle to its decrypted value, allowing
 /// on-chain verification that a decryption was performed correctly by authorized covalidators.
-abstract contract DecryptionAttester is IDecryptionAttester, SignatureVerifier, EIP712Upgradeable {
+abstract contract DecryptionAttester is IDecryptionAttester, SignatureVerifier, EIP712Upgradeable, PausableUpgradeable {
 
     using ECDSA for bytes32;
 
@@ -61,14 +62,19 @@ abstract contract DecryptionAttester is IDecryptionAttester, SignatureVerifier,
 
     /// @notice Validates a decryption attestation against covalidator signatures.
     /// @dev Verifies that the attestation was signed by the required threshold of covalidators.
+    ///      Returns false unconditionally when this contract is paused.
     /// @param decryption The decryption attestation to validate.
     /// @param signatures Array of signatures from covalidators.
     /// @return True if the attestation has valid signatures from the required covalidators.
     function isValidDecryptionAttestation(DecryptionAttestation memory decryption, bytes[] calldata signatures)
         public
         view
+        virtual
         returns (bool)
     {
+        if (paused()) {
+            return false;
+        }
         return isValidSignature(decryptionAttestationDigest(decryption), signatures);
     }
 
@@ -85,7 +91,10 @@ abstract contract DecryptionAttester is IDecryptionAttester, SignatureVerifier,
         ElementAttestationWithProof[] calldata proofElements,
         bytes32 proof,
         bytes[] calldata signatures
-    ) public view override returns (bool) {
+    ) public view virtual override returns (bool) {
+        if (paused()) {
+            return false;
+        }
         DecryptionAttestation memory attestation = DecryptionAttestation({handle: elistHandle, value: proof});
 
         // Verify the provided proof by reconstructing it from the provided value-commitment pairs and/or hashes.
@@ -118,7 +127,10 @@ abstract contract DecryptionAttester is IDecryptionAttester, SignatureVerifier,
     function isValidReencryptionAttestation(
         ReencryptionAttestation[] calldata attestations,
         bytes[] calldata signatures
-    ) public view returns (bool) {
+    ) public view virtual returns (bool) {
+        if (paused()) {
+            return false;
+        }
         if (attestations.length != signatures.length) {
             revert AttestationsSignaturesLengthMismatch(attestations.length, signatures.length);
         }

package/src/lightning-parts/primitives/EventCounter.sol

@@ -2,6 +2,7 @@
 pragma solidity ^0.8;
 
 import {IEventCounter} from "./interfaces/IEventCounter.sol";
+import {PausableUpgradeable} from "@openzeppelin/contracts-upgradeable/utils/PausableUpgradeable.sol";
 
 /// @title EventCounterStorage
 /// @notice Diamond storage pattern for the event counter state
@@ -40,7 +41,7 @@ contract EventCounterStorage {
 ///
 ///      The event ID is incorporated into handle generation to ensure uniqueness even when
 ///      the same operation is performed multiple times in the same transaction.
-contract EventCounter is IEventCounter, EventCounterStorage {
+contract EventCounter is IEventCounter, EventCounterStorage, PausableUpgradeable {
 
     /// @notice Generates and returns a new unique event ID
     /// @dev Post-increments the counter, so the returned value is the ID before incrementing.
@@ -52,9 +53,12 @@ contract EventCounter is IEventCounter, EventCounterStorage {
 
     /// @notice Sets the event counter to a digest value for batch operation tracking
     /// @dev Used when processing batched operations where a serialization hash
-    ///      provides better uniqueness than sequential IDs
+    ///      provides better uniqueness than sequential IDs. Reverts when the contract
+    ///      is paused, which transitively blocks every event-emitting operation that
+    ///      finalizes by calling this function (encrypted ops, list ops, trivial encryption,
+    ///      input registration, allow/reveal).
     /// @param serialization The serialized batch data to hash
-    function setDigest(bytes memory serialization) internal {
+    function setDigest(bytes memory serialization) internal whenNotPaused {
         getEventCounterStorage().eventCounter = uint256(keccak256(serialization));
     }
 

package/src/periphery/SessionVerifier.sol

@@ -26,18 +26,21 @@ struct Session {
 
 /// @title SessionVerifier
 /// @notice Inco access sharing verifier for browser dApp sessions
-/// @dev Grants access to all encrypted data held by the sharer to one decrypter for a limited time.
-///      This is the recommended pattern for dApps that need to decrypt user data during a browsing session.
+/// @dev Grants a single decrypter address temporary access to all of the sharer's
+///      encrypted handles. The session is valid as long as block.timestamp < expiresAt
+///      and the requesting account matches the authorized decrypter.
 ///
 ///      Usage:
-///      1. User signs a voucher containing a Session struct with their chosen decrypter and expiration
-///      2. The voucher specifies canUseSession.selector as the callFunction
-///      3. When the decrypter requests access, this contract verifies the session is still valid
+///      1. User signs a voucher containing a Session struct with their chosen decrypter
+///         and expiration time.
+///      2. The voucher specifies canUseSession.selector as the callFunction.
+///      3. When the decrypter requests access, this contract verifies the session is still
+///         valid and the caller matches the authorized decrypter.
 ///
 ///      To use this verifier, set the voucher's callFunction to SessionVerifier.canUseSession.selector
 contract SessionVerifier is UUPSUpgradeable, OwnableUpgradeable, Version {
 
-    /// @notice Initializes the SessionVerifier with version information
+    /// @notice Initializes the SessionVerifier with version information.
     /// @param _salt Unique salt used for deterministic deployment via CreateX
     constructor(bytes32 _salt)
         Version(
@@ -49,29 +52,28 @@ contract SessionVerifier is UUPSUpgradeable, OwnableUpgradeable, Version {
         )
     {}
 
-    /// @notice Verifies if an account can use a session to access encrypted data
+    /// @notice Verifies if an account can use a session to access an encrypted handle.
     /// @dev This function is called by the ACL system when validating access permissions.
-    ///      The session grants blanket access to all handles owned by the sharer - the handle
-    ///      parameter is intentionally ignored.
+    ///      Access is granted if the session has not expired and the caller is the authorized decrypter.
     /// @param account The address requesting access (must match session.decrypter)
-    /// @param sharerArgData ABI-encoded Session struct containing decrypter address and expiration
-    /// @return ALLOWANCE_GRANTED_MAGIC_VALUE if session is valid, bytes32(0) otherwise
+    /// @param sharerArgData ABI-encoded Session struct containing decrypter and expiration
+    /// @return ALLOWANCE_GRANTED_MAGIC_VALUE if access is granted, bytes32(0) otherwise
     function canUseSession(
         bytes32, /* handle */
         address account,
         bytes memory sharerArgData,
-        bytes memory requesterArgData
+        bytes memory /* requesterArgData */
     )
         external
         view
         returns (bytes32)
     {
-        // unused variable just here to bypass linter
-        (requesterArgData);
         Session memory session = abi.decode(sharerArgData, (Session));
+
         if (session.expiresAt >= block.timestamp && session.decrypter == account) {
             return ALLOWANCE_GRANTED_MAGIC_VALUE;
         }
+
         return bytes32(0);
     }
 

package/src/test/IncoTest.sol

@@ -12,6 +12,7 @@ import {FakeQuoteVerifier} from "./FakeIncoInfra/FakeQuoteVerifier.sol";
 import {IOwnable} from "../../src/shared/IOwnable.sol";
 import {MockRemoteAttestation} from "./FakeIncoInfra/MockRemoteAttestation.sol";
 import {BootstrapResult} from "../lightning-parts/TEELifecycle.types.sol";
+import {AllowanceProof, AllowanceVoucher} from "../lightning-parts/AccessControl/AdvancedAccessControl.sol";
 import {Safe} from "safe-smart-account/Safe.sol";
 import {SafeProxyFactory} from "safe-smart-account/proxies/SafeProxyFactory.sol";
 
@@ -61,7 +62,7 @@ contract IncoTest is MockOpHandler, DeployUtils, FakeDecryptionAttester, MockRem
             deployer: testDeployer,
             owner: owner,
             // The highest precedent deployment pepper
-            pepper: "testnet",
+            pepper: "devnet",
             quoteVerifier: new FakeQuoteVerifier()
         });
         vm.stopPrank();
@@ -82,4 +83,20 @@ contract IncoTest is MockOpHandler, DeployUtils, FakeDecryptionAttester, MockRem
         vm.recordLogs();
     }
 
+    /// @dev Creates an empty AllowanceProof (no proof required when sharer is address(0))
+    function _emptyAllowanceProof() internal pure returns (AllowanceProof memory) {
+        return AllowanceProof({
+            sharer: address(0),
+            voucher: AllowanceVoucher({
+                sessionNonce: bytes32(0),
+                verifyingContract: address(0),
+                callFunction: bytes4(0),
+                sharerArgData: "",
+                warning: ""
+            }),
+            voucherSignature: "",
+            requesterArgData: ""
+        });
+    }
+
 }

package/src/test/TestLib.t.sol

@@ -18,7 +18,6 @@ import {
 } from "../Types.sol";
 import {EncryptedOperations} from "../lightning-parts/EncryptedOperations.sol";
 import {DecryptionAttestation, ElementAttestationWithProof} from "../lightning-parts/DecryptionAttester.types.sol";
-import {AllowanceProof, AllowanceVoucher} from "../lightning-parts/AccessControl/AdvancedAccessControl.sol";
 
 /// @notice Wrapper to expose internal requireEqual as an external call so vm.expectRevert works
 contract RequireEqualCaller {
@@ -958,18 +957,6 @@ contract TestLib is IncoTest {
         assertFalse(isValid, "Invalid bool value should return false");
     }
 
-    /// @dev Creates an empty AllowanceProof (no proof required when sharer is address(0))
-    function _emptyAllowanceProof() internal pure returns (AllowanceProof memory) {
-        return AllowanceProof({
-            sharer: address(0),
-            voucher: AllowanceVoucher({
-                sessionNonce: bytes32(0), verifyingContract: address(0), callFunction: bytes4(0), sharerArgData: ""
-            }),
-            voucherSignature: "",
-            requesterArgData: ""
-        });
-    }
-
     // ============ REQUIRE EQUAL TESTS ============
 
     function testRequireEqual_Ebool_ValidAttestation_True() public {

package/src/test/TestPause.t.sol

@@ -0,0 +1,152 @@
+// SPDX-License-Identifier: No License
+pragma solidity ^0.8;
+
+import {inco} from "../Lib.sol";
+import {euint256, ebool, ETypes, elist, typeBitSize, SenderNotAllowedForHandle} from "../Types.sol";
+import {IncoTest} from "./IncoTest.sol";
+import {IEncryptedOperations} from "../lightning-parts/interfaces/IEncryptedOperations.sol";
+import {ITrivialEncryption} from "../lightning-parts/interfaces/ITrivialEncryption.sol";
+import {IBaseAccessControlList} from "../lightning-parts/AccessControl/interfaces/IBaseAccessControlList.sol";
+import {IEList} from "../lightning-parts/interfaces/IEList.sol";
+import {PausableUpgradeable} from "@openzeppelin/contracts-upgradeable/utils/PausableUpgradeable.sol";
+import {BIT_FEE, FEE} from "../lightning-parts/Fee.sol";
+
+contract TestPause is IncoTest {
+
+    /// @dev A single op spec: calldata, msg.value, and the exact selector the op must
+    /// revert with when the contract is paused. Annotating each op keeps payable and
+    /// non-payable ops in one loop while still asserting the specific expected error.
+    struct Op {
+        bytes data;
+        uint256 value;
+        bytes4 expectedPauseError;
+    }
+
+    function testPausedOpsRevertAndUnpausedOpsSucceed() public {
+        // Fund this contract for the payable ops below.
+        vm.deal(address(this), 100 ether);
+
+        // Create encrypted operands. Trivial-encryption grants transient ACL access to
+        // this contract for the lifetime of this transaction, so subsequent ops can
+        // call back into `inco` as msg.sender.
+        euint256 a = inco.asEuint256(10);
+        euint256 b = inco.asEuint256(5);
+        ebool t = inco.asEbool(true);
+        bytes32 aH = euint256.unwrap(a);
+        bytes32 bH = euint256.unwrap(b);
+
+        // Build a 3-element euint256 elist to feed into list ops.
+        uint256 listFee = uint256(3) * typeBitSize(ETypes.Uint256) * BIT_FEE;
+        elist list = inco.listRange{value: listFee}(0, 3, ETypes.Uint256);
+        // Pull a valid encrypted index/value out of the list (transient ACL access).
+        bytes32 idxH = inco.listGet(list, 0);
+        uint256 listBits = uint256(3) * typeBitSize(ETypes.Uint256);
+        uint256 listAppendFee = listBits + typeBitSize(ETypes.Uint256);
+
+        // Selector each op is expected to revert with under pause:
+        // - aclErr: ops that take input handles. `isAllowed(...)` returns false when
+        //   paused, so `checkInput` reverts before the op reaches `setDigest`.
+        // - pauseErr: ops without input handle checks. They reach `setDigest`, which
+        //   has the `whenNotPaused` modifier.
+        bytes4 aclErr = SenderNotAllowedForHandle.selector;
+        bytes4 pauseErr = PausableUpgradeable.EnforcedPause.selector;
+
+        // Build the op list. Each op MUST revert with `expectedPauseError` when paused
+        // and succeed when unpaused.
+        Op[] memory ops = new Op[](41);
+        uint256 i;
+        // ----- EncryptedOperations: all check input handles -----
+        ops[i++] = Op(abi.encodeCall(IEncryptedOperations.eAdd, (a, b)), 0, aclErr);
+        ops[i++] = Op(abi.encodeCall(IEncryptedOperations.eSub, (a, b)), 0, aclErr);
+        ops[i++] = Op(abi.encodeCall(IEncryptedOperations.eMul, (a, b)), 0, aclErr);
+        ops[i++] = Op(abi.encodeCall(IEncryptedOperations.eDiv, (a, b)), 0, aclErr);
+        ops[i++] = Op(abi.encodeCall(IEncryptedOperations.eRem, (a, b)), 0, aclErr);
+        ops[i++] = Op(abi.encodeCall(IEncryptedOperations.eShl, (a, b)), 0, aclErr);
+        ops[i++] = Op(abi.encodeCall(IEncryptedOperations.eShr, (a, b)), 0, aclErr);
+        ops[i++] = Op(abi.encodeCall(IEncryptedOperations.eRotl, (a, b)), 0, aclErr);
+        ops[i++] = Op(abi.encodeCall(IEncryptedOperations.eRotr, (a, b)), 0, aclErr);
+        ops[i++] = Op(abi.encodeCall(IEncryptedOperations.eBitAnd, (aH, bH)), 0, aclErr);
+        ops[i++] = Op(abi.encodeCall(IEncryptedOperations.eBitOr, (aH, bH)), 0, aclErr);
+        ops[i++] = Op(abi.encodeCall(IEncryptedOperations.eBitXor, (aH, bH)), 0, aclErr);
+        ops[i++] = Op(abi.encodeCall(IEncryptedOperations.eEq, (aH, bH)), 0, aclErr);
+        ops[i++] = Op(abi.encodeCall(IEncryptedOperations.eNe, (aH, bH)), 0, aclErr);
+        ops[i++] = Op(abi.encodeCall(IEncryptedOperations.eGe, (a, b)), 0, aclErr);
+        ops[i++] = Op(abi.encodeCall(IEncryptedOperations.eGt, (a, b)), 0, aclErr);
+        ops[i++] = Op(abi.encodeCall(IEncryptedOperations.eLe, (a, b)), 0, aclErr);
+        ops[i++] = Op(abi.encodeCall(IEncryptedOperations.eLt, (a, b)), 0, aclErr);
+        ops[i++] = Op(abi.encodeCall(IEncryptedOperations.eMin, (a, b)), 0, aclErr);
+        ops[i++] = Op(abi.encodeCall(IEncryptedOperations.eMax, (a, b)), 0, aclErr);
+        ops[i++] = Op(abi.encodeCall(IEncryptedOperations.eNot, (t)), 0, aclErr);
+        ops[i++] = Op(abi.encodeCall(IEncryptedOperations.eCast, (aH, ETypes.AddressOrUint160OrBytes20)), 0, aclErr);
+        ops[i++] = Op(abi.encodeCall(IEncryptedOperations.eIfThenElse, (t, aH, bH)), 0, aclErr);
+        ops[i++] = Op(abi.encodeCall(IEncryptedOperations.eRandBounded, (aH, ETypes.Uint256)), FEE, aclErr);
+        // ----- TrivialEncryption: plaintext inputs, no ACL check -----
+        ops[i++] = Op(abi.encodeCall(ITrivialEncryption.asEuint256, (uint256(7))), 0, pauseErr);
+        ops[i++] = Op(abi.encodeCall(ITrivialEncryption.asEbool, (false)), 0, pauseErr);
+        ops[i++] = Op(abi.encodeCall(ITrivialEncryption.asEaddress, (bob)), 0, pauseErr);
+        // ----- ACL grant: gated on `isAllowed(handle, msg.sender)` -----
+        ops[i++] = Op(abi.encodeCall(IBaseAccessControlList.allow, (aH, bob)), 0, aclErr);
+        ops[i++] = Op(abi.encodeCall(IBaseAccessControlList.reveal, (bH)), 0, aclErr);
+        // ----- EList -----
+        // listRange takes only plain integers; reaches setDigest directly.
+        ops[i++] = Op(
+            abi.encodeCall(IEList.listRange, (0, 2, ETypes.Uint256)),
+            2 * typeBitSize(ETypes.Uint256) * BIT_FEE,
+            pauseErr
+        );
+        // The rest take a list handle (and often value/index handles).
+        ops[i++] = Op(abi.encodeCall(IEList.listAppend, (list, idxH)), listAppendFee * BIT_FEE, aclErr);
+        ops[i++] = Op(abi.encodeCall(IEList.listGet, (list, uint16(0))), 0, aclErr);
+        ops[i++] = Op(abi.encodeCall(IEList.listGetOr, (list, idxH, idxH)), 0, aclErr);
+        ops[i++] = Op(abi.encodeCall(IEList.listSet, (list, idxH, idxH)), listBits * BIT_FEE, aclErr);
+        ops[i++] = Op(abi.encodeCall(IEList.listInsert, (list, idxH, idxH)), listAppendFee * BIT_FEE, aclErr);
+        ops[i++] = Op(abi.encodeCall(IEList.listConcat, (list, list)), (listBits + listBits) * BIT_FEE, aclErr);
+        ops[i++] = Op(
+            abi.encodeCall(IEList.listSlice, (list, idxH, uint16(2), idxH)),
+            2 * typeBitSize(ETypes.Uint256) * BIT_FEE,
+            aclErr
+        );
+        ops[i++] = Op(abi.encodeCall(IEList.listShuffle, (list)), listBits * BIT_FEE, aclErr);
+        ops[i++] = Op(abi.encodeCall(IEList.listReverse, (list)), listBits * BIT_FEE, aclErr);
+        // newEList overloads — overloaded, so resolve by signature.
+        // Empty arrays are valid inputs and skip the inner loops, isolating the pause
+        // gate (the `setDigest` call) as the only thing that can revert.
+        bytes32[] memory emptyHandles = new bytes32[](0);
+        bytes[] memory emptyInputs = new bytes[](0);
+        ops[i++] = Op(abi.encodeWithSignature("newEList(bytes32[],uint8)", emptyHandles, ETypes.Uint256), 0, pauseErr);
+        ops[i++] = Op(
+            abi.encodeWithSignature("newEList(bytes[],uint8,address)", emptyInputs, ETypes.Uint256, address(this)),
+            0,
+            pauseErr
+        );
+        assertEq(i, ops.length, "ops list length mismatch");
+
+        // ---- Pause: every op must revert with its expected selector ----
+        vm.prank(owner);
+        inco.pause();
+
+        for (uint256 j = 0; j < ops.length; j++) {
+            (bool ok, bytes memory ret) = address(inco).call{value: ops[j].value}(ops[j].data);
+            assertFalse(ok, string.concat("expected revert when paused, op #", vm.toString(j)));
+            assertGe(ret.length, 4, "revert payload too short");
+            // Read the first 4 bytes of revert data (the error selector).
+            bytes4 sel;
+            assembly {
+                sel := mload(add(ret, 0x20))
+            }
+            assertTrue(
+                sel == ops[j].expectedPauseError, string.concat("unexpected revert selector, op #", vm.toString(j))
+            );
+        }
+
+        // ---- Unpause: every op must succeed ----
+        vm.prank(owner);
+        inco.unpause();
+
+        for (uint256 j = 0; j < ops.length; j++) {
+            (bool ok,) = address(inco).call{value: ops[j].value}(ops[j].data);
+            assertTrue(ok, string.concat("expected success when unpaused, op #", vm.toString(j)));
+        }
+    }
+
+}

package/src/test/TestUpgrade.t.sol

@@ -277,7 +277,7 @@ contract TestUpgrade is IncoTest {
 
     // Helpers
     function _deploySessionVerifierProxy(address proxyOwner) private returns (SessionVerifier) {
-        SessionVerifier impl = new SessionVerifier("");
+        SessionVerifier impl = new SessionVerifier(bytes32(0));
         ERC1967Proxy proxy = new ERC1967Proxy(address(impl), abi.encodeCall(SessionVerifier.initialize, (proxyOwner)));
         return SessionVerifier(address(proxy));
     }