
PolicyEngine

The PolicyEngine is the central contract that stores policy configurations and coordinates rule evaluation. It serves as the registry for all account policies and the dispatcher for rule evaluation.

Overview

contract PolicyEngine {
    // Policy set storage per account
    mapping(address => PolicySet) public policySets;

    // Register or update a policy set
    function setPolicySet(
        bytes32 policyCID,
        address pkpAddress,
        bytes calldata encodedRules,
        uint8 failMode,
        bool requiresAttestation
    ) external;

    // Remove a policy set
    function removePolicySet() external;

    // Evaluate a transaction against the caller's policy
    function evaluate(
        address target,
        uint256 value,
        bytes calldata data,
        bytes calldata attestation
    ) external returns (bool);
}

Policy Set Structure

struct PolicySet {
    bytes32 policyCID;          // IPFS CID of the full policy
    address pkpAddress;         // PKP address for attestation verification
    bytes encodedRules;         // Compact binary-encoded on-chain rules
    FailMode failMode;          // CLOSED or OPEN
    bool requiresAttestation;   // Whether Tier 3 attestation is required
    bool active;                // Whether the policy is active
}

Functions

setPolicySet

Register or update the caller’s policy set.
function setPolicySet(
    bytes32 policyCID,
    address pkpAddress,
    bytes calldata encodedRules,
    uint8 failMode,
    bool requiresAttestation
) external;
| Parameter | Type | Description |
| --- | --- | --- |
| policyCID | bytes32 | IPFS CID (truncated to 32 bytes) |
| pkpAddress | address | Lit Protocol PKP address |
| encodedRules | bytes | Binary-encoded on-chain rules |
| failMode | uint8 | 0 = CLOSED, 1 = OPEN |
| requiresAttestation | bool | Whether off-chain attestation is needed |

removePolicySet

Remove the caller’s policy set and stop enforcement.
function removePolicySet() external;

evaluate

Evaluate a transaction against the caller’s registered policy. Called by PolicyGuard or PolicyKit7579Module.
function evaluate(
    address target,
    uint256 value,
    bytes calldata data,
    bytes calldata attestation
) external returns (bool allowed);
| Parameter | Type | Description |
| --- | --- | --- |
| target | address | Transaction destination |
| value | uint256 | ETH value in wei |
| data | bytes | Transaction calldata |
| attestation | bytes | EIP-712 signed attestation (empty if no Tier 3) |
Returns: bool — Whether the transaction is allowed.

getPolicySet

Read the policy set for an account.
function getPolicySet(address account) external view returns (PolicySet memory);

Events

event PolicySetUpdated(address indexed account, bytes32 policyCID);
event PolicySetRemoved(address indexed account);
event TransactionEvaluated(
    address indexed account,
    address indexed target,
    bool allowed
);

Encoding Format

On-chain rules are encoded using the PolicyCodec library into a compact binary format:
[ruleCount: uint8]
[rule1Type: uint8][rule1DataLength: uint16][rule1Data: bytes]
[rule2Type: uint8][rule2DataLength: uint16][rule2Data: bytes]
...
The SDK’s PolicyEncoder handles encoding and decoding automatically.
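
The layout above can be checked off-chain with a strict decoder when auditing an account's encodedRules. This is an added example, not PolicyCodec or PolicyEncoder code; the function names, the big-endian uint16 length and the sample rule types are assumptions.

```python
import struct
from typing import List, Tuple

Rule = Tuple[int, bytes]  # (ruleType, ruleData); type values are opaque here


class RuleDecodeError(ValueError):
    """The blob does not match the documented encodedRules layout."""


def encode_rules(rules: List[Rule]) -> bytes:
    """Serialize rules as [ruleCount][type][dataLength][data]..."""
    if len(rules) > 0xFF:
        raise ValueError("ruleCount is a uint8: at most 255 rules")
    out = bytearray([len(rules)])
    for rule_type, data in rules:
        if not 0 <= rule_type <= 0xFF or len(data) > 0xFFFF:
            raise ValueError("rule type or data length out of range")
        # ASSUMPTION: uint16 length is big-endian (not stated on the page).
        out += struct.pack(">BH", rule_type, len(data)) + data
    return bytes(out)


def decode_rules(blob: bytes) -> List[Rule]:
    """Strictly parse a blob; any deviation from the layout is an error."""
    if not blob:
        raise RuleDecodeError("empty blob: missing ruleCount")
    count, offset, rules = blob[0], 1, []
    for index in range(count):
        if offset + 3 > len(blob):  # 1-byte type + 2-byte length
            raise RuleDecodeError(f"rule {index}: truncated header")
        rule_type, length = struct.unpack_from(">BH", blob, offset)
        offset += 3
        if offset + length > len(blob):
            raise RuleDecodeError(f"rule {index}: data overruns blob")
        rules.append((rule_type, blob[offset:offset + length]))
        offset += length
    # Trailing bytes would let two distinct blobs decode to the same rules.
    if offset != len(blob):
        raise RuleDecodeError(f"{len(blob) - offset} trailing byte(s)")
    return rules


# Constructed sample: rule types 1 and 2 are placeholders, not values from the page.
SAMPLE = encode_rules([(1, bytes.fromhex("aa" * 20)), (2, (10**18).to_bytes(32, "big"))])

if __name__ == "__main__":
    for rule_type, data in decode_rules(SAMPLE):
        print(rule_type, len(data), data.hex())
```

Rejecting truncated headers, overrunning lengths and trailing bytes keeps the mapping between a blob and its rule list one-to-one, so a reviewer reading the decoded rules sees everything the stored bytes contain.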