Merge pull request #5 from base/amie/push-authorization-into-policies

Prototype updates

Author: amiecorso

README.md

@@ -1,96 +1,43 @@
-## Foundry
+### account-permissions
 
-**Foundry is a blazing fast, portable and modular toolkit for Ethereum application development written in Rust.**
+A modular system for allowing smart contract users the ability to authorize third parties to take specific, well-defined, onchain actions via their account.
 
-Foundry consists of:
+### How it works (high level)
 
-- **Forge**: Ethereum testing framework (like Truffle, Hardhat and DappTools).
-- **Cast**: Swiss army knife for interacting with EVM smart contracts, sending transactions and getting chain data.
-- **Anvil**: Local Ethereum node, akin to Ganache, Hardhat Network.
-- **Chisel**: Fast, utilitarian, and verbose solidity REPL.
+- **`src/PolicyManager.sol`**: installs policy instances authorized by the account and executes policy-prepared calldata on the account.
+- **`src/PolicyTypes.sol`**: shared type definitions (notably `PolicyTypes.Install`) used by the manager and policies.
+- **`src/policies/`**: example policies (each policy defines its own authorization semantics via `authorize(...)` and constructs wallet calldata via `onExecute(...)`).
 
-## Documentation
+### Setup
 
-https://book.getfoundry.sh/
-
-## Usage
-
-### Getting started (submodules)
-
-This repo uses git submodules for Foundry dependencies (in `lib/`).
+This repo uses git submodules for dependencies (in `lib/`).
 
 Clone with submodules:
 
 ```shell
-$ git clone --recurse-submodules <repo>
+git clone --recurse-submodules <repo>
 ```
 
 If you already cloned without submodules:
 
 ```shell
-$ git submodule update --init --recursive
-```
-
-Then build / test as usual:
-
-```shell
-$ forge build
-$ forge test
-```
-
-To update dependencies later:
-
-```shell
-$ forge install
-$ git submodule update --init --recursive
+git submodule update --init --recursive
 ```
 
 ### Build
 
 ```shell
-$ forge build
+forge build
 ```
 
 ### Test
 
 ```shell
-$ forge test
+forge test --offline
 ```
 
 ### Format
 
 ```shell
-$ forge fmt
-```
-
-### Gas Snapshots
-
-```shell
-$ forge snapshot
-```
-
-### Anvil
-
-```shell
-$ anvil
-```
-
-### Deploy
-
-```shell
-$ forge script script/Counter.s.sol:CounterScript --rpc-url <your_rpc_url> --private-key <your_private_key>
-```
-
-### Cast
-
-```shell
-$ cast <subcommand>
-```
-
-### Help
-
-```shell
-$ forge --help
-$ anvil --help
-$ cast --help
+forge fmt
 ```

src/PermissionManager.sol src/PolicyManager.solsrc/PermissionManager.sol renamed to src/PolicyManager.sol

@@ -5,13 +5,13 @@ import {ReentrancyGuard} from "openzeppelin-contracts/contracts/utils/Reentrancy
 import {EIP712} from "solady/utils/EIP712.sol";
 
 import {PublicERC6492Validator} from "./PublicERC6492Validator.sol";
-import {PermissionTypes} from "./PermissionTypes.sol";
+import {PolicyTypes} from "./PolicyTypes.sol";
 import {Policy} from "./policies/Policy.sol";
 
-/// @title PermissionManager
+/// @title PolicyManager
 /// @notice Wallet-agnostic module that installs policies authorized by the account and executes policy-prepared
-///         calldata on the account using an authority signature or direct call.
-contract PermissionManager is EIP712, ReentrancyGuard {
+///         calldata on the account.
+contract PolicyManager is EIP712, ReentrancyGuard {
     /// @notice Separated contract for validating signatures and executing ERC-6492 side effects.
     PublicERC6492Validator public immutable PUBLIC_ERC6492_VALIDATOR;
 
@@ -72,7 +72,7 @@ contract PermissionManager is EIP712, ReentrancyGuard {
     /// @notice Install a policy via a signature from the account.
     /// @dev Compatible with ERC-6492 signatures including side effects.
     function installPolicyWithSignature(
-        PermissionTypes.Install calldata install,
+        PolicyTypes.Install calldata install,
         bytes calldata policyConfig,
         bytes calldata userSig
     ) external nonReentrant returns (bytes32 policyId) {
@@ -96,7 +96,7 @@ contract PermissionManager is EIP712, ReentrancyGuard {
     }
 
     /// @notice Install a policy via a direct call from the account.
-    function installPolicy(PermissionTypes.Install calldata install, bytes calldata policyConfig)
+    function installPolicy(PolicyTypes.Install calldata install, bytes calldata policyConfig)
         external
         nonReentrant
         requireSender(install.account)
@@ -119,7 +119,7 @@ contract PermissionManager is EIP712, ReentrancyGuard {
     /// @notice Revoke a policy via a signature from the account.
     /// @dev Compatible with ERC-6492 signatures including side effects.
     function revokePolicyWithSignature(
-        PermissionTypes.Install calldata install,
+        PolicyTypes.Install calldata install,
         bytes calldata policyConfig,
         bytes calldata userSig
     ) external nonReentrant returns (bytes32 policyId) {
@@ -143,7 +143,7 @@ contract PermissionManager is EIP712, ReentrancyGuard {
     }
 
     /// @notice Revoke a policy via a direct call from the account.
-    function revokePolicy(PermissionTypes.Install calldata install, bytes calldata policyConfig)
+    function revokePolicy(PolicyTypes.Install calldata install, bytes calldata policyConfig)
         external
         nonReentrant
         requireSender(install.account)
@@ -162,15 +162,15 @@ contract PermissionManager is EIP712, ReentrancyGuard {
         emit PolicyRevoked(policyId, install.account, install.policy);
     }
 
-    /// @notice Execute an action authorized by an authority for an installed policy instance.
-    /// @dev Policy defines authority semantics and returns wallet-specific calldata for the account.
+    /// @notice Execute an action for an installed policy instance.
+    /// @dev Policy defines authorization semantics and returns wallet-specific calldata for the account.
     function execute(
-        PermissionTypes.Install calldata install,
+        PolicyTypes.Install calldata install,
         bytes calldata policyConfig,
         bytes calldata policyData,
         uint256 execNonce,
         uint48 deadline,
-        bytes calldata authoritySig
+        bytes calldata authorizationData
     ) external nonReentrant {
         _checkPolicyConfigHash(install.policyConfigHash, policyConfig);
         _checkInstallWindow(install.validAfter, install.validUntil);
@@ -179,17 +179,12 @@ contract PermissionManager is EIP712, ReentrancyGuard {
         bytes32 policyId = getInstallStructHash(install);
         _getActivePolicyState(policyId);
 
-        address authority = _policyAuthority(install.policy, policyConfig);
         bytes32 execDigest = _getExecutionDigest(policyId, install, keccak256(policyData), execNonce, deadline);
 
         if (_usedExecutionDigest[execDigest]) revert InvalidSignature();
         _usedExecutionDigest[execDigest] = true;
 
-        if (msg.sender != authority) {
-            if (!PUBLIC_ERC6492_VALIDATOR.isValidSignatureNowAllowSideEffects(authority, execDigest, authoritySig)) {
-                revert InvalidSignature();
-            }
-        }
+        Policy(install.policy).authorize(install, execNonce, policyConfig, policyData, execDigest, msg.sender, authorizationData);
 
         (bytes memory accountCallData, bytes memory postCallData) =
             _policyOnExecute(install.policy, install, execNonce, policyConfig, policyData);
@@ -199,7 +194,7 @@ contract PermissionManager is EIP712, ReentrancyGuard {
         emit Executed(policyId, install.account, install.policy, execNonce);
     }
 
-    function getInstallStructHash(PermissionTypes.Install calldata install) public pure returns (bytes32) {
+    function getInstallStructHash(PolicyTypes.Install calldata install) public pure returns (bytes32) {
         return keccak256(
             abi.encode(
                 INSTALL_TYPEHASH,
@@ -241,7 +236,7 @@ contract PermissionManager is EIP712, ReentrancyGuard {
 
     function _getExecutionDigest(
         bytes32 policyId,
-        PermissionTypes.Install calldata install,
+        PolicyTypes.Install calldata install,
         bytes32 policyDataHash,
         uint256 nonce,
         uint48 deadline
@@ -267,13 +262,9 @@ contract PermissionManager is EIP712, ReentrancyGuard {
         if (!success) revert AccountCallFailed(account, returnData);
     }
 
-    function _policyAuthority(address policy, bytes calldata policyConfig) internal view returns (address) {
-        return Policy(policy).authority(policyConfig);
-    }
-
     function _policyOnExecute(
         address policy,
-        PermissionTypes.Install calldata install,
+        PolicyTypes.Install calldata install,
         uint256 execNonce,
         bytes calldata policyConfig,
         bytes calldata policyData
@@ -290,7 +281,7 @@ contract PermissionManager is EIP712, ReentrancyGuard {
     }
 
     function _domainNameAndVersion() internal pure override returns (string memory name, string memory version) {
-        name = "Permission Manager";
+        name = "Policy Manager";
         version = "1";
     }
 }

src/PermissionTypes.sol src/PolicyTypes.solsrc/PermissionTypes.sol renamed to src/PolicyTypes.sol

@@ -1,8 +1,8 @@
 // SPDX-License-Identifier: MIT
 pragma solidity ^0.8.23;
 
-/// @notice Shared types for PermissionManager and policies to avoid circular imports.
-library PermissionTypes {
+/// @notice Shared types for PolicyManager and policies to avoid circular imports.
+library PolicyTypes {
     /// @notice Policy installation parameters authorized by the account.
     struct Install {
         address account;
@@ -14,4 +14,3 @@ library PermissionTypes {
     }
 }
 
-