feat(policy): implement full IPolicyRegistry precompile

[eric-ships]

Motivation

The IPolicyRegistry interface (base-std) defines the singleton that B-20 tokens call for every transfer, mint, and redeem authorization check. This PR delivers the full precompile, replacing the helloWorld stub.

Storage namespacing: We explored both ERC-7201 sequential namespacing and per-field named slots (e.g. keccak256("base.policy_registry.policies")) to allow field reordering across hardforks. Both approaches work with the #[contract] macro. Deferring to a follow-up PR for @refcell to decide the right convention — sequential slots (append-only) are safe for now since the precompile owns its address exclusively.

What changed

• Full IPolicyRegistry implementation in crates/common/precompiles/src/policy/: all 13 ABI functions, SolInterface dispatch, 4-field storage layout (slots 0-3, append-only), and 22 unit tests
• PolicyType enum: ALWAYS_ALLOW=0, ALWAYS_BLOCK=1, ALLOWLIST=2, BLOCKLIST=3; built-in IDs are 0 and 1
• Policy ID encoding: top byte = uint8(PolicyType), low 56 bits = global counter (checked add, 56-bit cap)
• Packed policy word: [167:8] = admin, [7:0] = PolicyType; packed == 0 reliably means never created

[cb-heimdall]

✅ Heimdall Review Status

Requirement	Status	More Info
Reviews	✅ 1/1	Denominator calculation Show calculation 1 if user is bot 0 1 if user is external 0 2 if repo is sensitive 0 From .codeflow.yml 1 Additional review requirements Show calculation Max 0 0 From CODEOWNERS 0 Global minimum 0 Max 1 1 1 if commit is unverified 0 Sum 1

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
base	Ignored	Preview	May 21, 2026 2:07am

[github-actions]

The PolicyRegistry trait bundles 12 admin-mutation methods alongside the single is_authorized read. In practice, B20 tokens only ever need authorization checks — Token::policy() returns &Self::Policy, so mutating methods are inaccessible through that bound anyway. But any new consumer that takes impl PolicyRegistry gets the full mutation surface whether they need it or not.

Consider splitting into two traits:

pub trait PolicyAuthorizer {
    fn is_authorized(&self, policy_id: u64, account: Address) -> Result<bool>;
}

pub trait PolicyAdmin: PolicyAuthorizer {
    fn create_policy(&mut self, admin: Address, policy_type: PolicyType) -> Result<u64>;
    // ... remaining mutation methods
}

Then B20Token<S, P: PolicyAuthorizer> expresses the minimal bound, and PolicyRegistryStorage implements both. This eliminates the need for stub Fatal("not supported in test fake") implementations in InMemoryPolicy for methods that can never be called through the token path.

[github-actions]

Stale error context: still references helloWorld after the function was renamed to policyExists.

Suggested change

	client.call(PolicyRegistryStorage::ADDRESS, IPolicyRegistry::policyExistsCall { policyId: 0 }).await?;
	.wrap_err("Failed to decode policyExists")?;

[github-actions]

The Err(_) arm conflates two distinct failure modes: (1) truly unknown selector, and (2) known selector with malformed ABI arguments. SolInterface::abi_decode returns Err for both. Reporting UnknownFunctionSelector for case 2 is misleading — a caller sending createPolicy(...) with truncated args will get an error saying the function doesn't exist instead of indicating malformed calldata.

Consider attempting a selector-only match first, or at minimum adding a comment documenting that this arm intentionally covers both cases.

[github-actions]

Stale error message: the call now decodes policyExistsCall, not helloWorld.

Suggested change

	.wrap_err("Failed to decode helloWorld")?;
	.wrap_err("Failed to decode policyExists")?;

[github-actions]

Doc comment references PolicyRegistry (the full admin trait), but the generic bound is P: Policy (the minimal read-only trait). This is misleading — readers will think the full PolicyRegistry is required when only Policy::is_authorized is used.

Suggested change

	/// generic `P` provides the [`PolicyRegistry`] implementation consulted on
	/// every transfer and mint. In production,
	/// [`B20Token::with_storage_and_policy`] wires in [`crate::B20TokenStorage`]
	/// and [`Policy`].
	/// and [`PolicyRegistry`].
	/// generic `P` provides the [`Policy`] implementation consulted on
	/// every transfer and mint. In production,
	/// [`B20Token::with_storage_and_policy`] wires in [`crate::B20TokenStorage`]
	/// and [`Policy`].

[github-actions]

next_policy_id reads the counter, then create_policy re-reads and validates counter < (1 << 56). But the value fed into checked_add(1).filter(...) is extracted from policy_id (computed in next_policy_id), not re-read from storage. This works but is subtle — the counter read in next_policy_id and the increment here are not atomic. In the current single-threaded EVM execution model this is fine, but the indirection through next_policy_id (a pub method callers may also invoke) makes it easy to misread the code.

A clearer pattern would be to read the counter directly here rather than extracting it back out of the composed ID:

let counter = self.next_counter.read()?;
let next = counter
    .checked_add(1)
    .filter(|&n| n < (1u64 << 56))
    .ok_or_else(|| BasePrecompileError::revert(IPolicyRegistry::CounterExhausted {}))?;
self.next_counter.write(next)?;
let policy_id = (policy_type_u8 as u64) << 56 | counter;

This avoids the round-trip through next_policy_id and makes the read-increment-write sequence explicit in one place.

Nit-level, not blocking.

[github-actions]

renounce_admin sets the admin to Address::ZERO in the packed word, but after renouncing, require_custom still passes (the packed word is non-zero because the PolicyType byte is still set). However, require_admin will now check decode_admin(packed) != caller against Address::ZERO, meaning no one can pass the admin check — which is the intended behavior.

The subtlety is that encode_packed(Address::ZERO, policy_type) produces a non-zero packed word (the type byte is non-zero for ALLOWLIST=2 / BLOCKLIST=3), so require_custom correctly distinguishes "renounced admin" from "never created". This is correct but worth documenting in the encode_packed doc comment since the invariant "packed == 0 means never created" depends on the type byte always being non-zero for valid custom policies.

[github-actions]

policy_type as u8 is used directly without going through as_discriminant(). This is safe today because create_policy (called on line 127) already validated the type via as_discriminant(), but it means correctness here depends on the caller having validated the type first. If someone later adds another code path that calls create_policy_with_accounts after a different validation, this as u8 cast could silently produce a wrong type byte.

Consider using the already-validated discriminant:

let policy_type_u8 = policy_type.as_discriminant()?;

Or extract the type byte from the already-created policy:

let policy_type_u8 = (policy_id >> 56) as u8;

Either makes the correctness self-contained rather than depending on create_policy's internal validation.

[github-actions]

The doc comment was shortened from a detailed explanation of why G_sha3word is used (and what attack it prevents) to a terse one-liner. The original comment was valuable documentation for reviewers unfamiliar with precompile gas design — it explained why this specific rate was chosen and what happens without it. Consider preserving the rationale.

Suggested change

	/// Returns the EIP-3860-style input cost for calldata of the given length.
	pub const fn input_cost(calldata_len: usize) -> u64 {
	/// Returns the EIP-3860-style input cost for calldata of the given length.
	///
	/// Charges `G_sha3word` (6 gas) per 32-byte word, rounded up — the same rate the EVM uses for
	/// data-processing operations (keccak256). This prevents large calldata from being free to
	/// process in precompiles that define their own input cost.
	pub const fn input_cost(calldata_len: usize) -> u64 {

[github-actions]

The doc comment says "Passing address(0) clears a previously-staged transfer per the interface spec" — but the ABI definition in abi.rs doesn't document this behavior. The Solidity interface just says function stageUpdateAdmin(uint64 policyId, address newAdmin) external; with no mention of zero-address semantics.

If this is part of the spec, it should also be documented in the sol! block (even as a comment) or in the PolicyRegistry trait definition in common/policy.rs. Currently a consumer reading either the ABI or the trait would not know that address(0) has special clear-pending semantics.

Also note: passing address(0) emits a PolicyAdminStaged event with newAdmin = address(0), which indexers and UIs may interpret as "staging a transfer to the zero address" rather than "clearing the pending transfer." Consider whether a separate clearPendingAdmin function or event would be more explicit.

[github-actions]

Review Summary

Thorough review of the full IPolicyRegistry precompile implementation (1562 additions across 14 files). This replaces the helloWorld stub with all 13 ABI functions, storage layout, and 22 unit tests.

Previous-round issues — all addressed

The prior review iteration raised ~15 issues. All have been resolved in this revision:

• Counter overflow — Now uses checked_add with dedicated CounterExhausted error
• Unbounded allocation from calldata — MAX_ACCOUNTS = 64 cap enforced with BatchTooLarge error
• Missing is_static guard — require_write helper added, gates all 7 mutating methods
• pending_policy_admin missing existence check — Now guards built-in IDs and calls require_custom
• Misleading InvalidPolicyType on counter exhaustion — Replaced with CounterExhausted error
• update_allowlist/update_blocklist duplication — Extracted into shared update_membership helper
• next_policy_id accepting invalid types — Now calls as_discriminant which rejects ALWAYS_ALLOW/ALWAYS_BLOCK
• is_authorized implicit fallthrough — Now uses explicit match with error arm
• Event emission in create_policy_with_accounts — Uses match with unreachable for exhaustive coverage

Architecture assessment

The implementation is well-structured:

• Storage packing correctly places admin at [167:8] and type at [7:0], with the invariant that packed == 0 reliably means never created (since ALLOWLIST=2 and BLOCKLIST=3 are non-zero)
• Policy ID encoding cleanly separates type discriminant (top byte) from counter (low 56 bits), with no collision against built-in IDs (0, 1)
• Two-step admin transfer follows the standard pattern with stage/finalize/renounce, properly cleaning up pending state on renounce
• Trait separation (Policy for read-only token checks vs PolicyRegistry for admin mutations) maintains clean dependency boundaries
• PolicyHandle correctly delegates to PolicyRegistryStorage, maintaining the layer separation between token consumers and raw storage

No new issues found

The code is clean. Test coverage is comprehensive, covering built-in IDs, ALLOWLIST/BLOCKLIST membership, batch operations, admin transfers, static call guards, authorization checks, idempotent operations, and trait delegation.

[rayyan224]

LGTM