Merge pull request #6 from Synaps3Protocol/attestment/signglobal/policy

Attestment/signglobal/policy

.env.vault

@@ -4,20 +4,20 @@
 #/--------------------------------------------------/
 
 # development
-DOTENV_VAULT_DEVELOPMENT="w+rE/VlqvK/4OCCxpL3HXqA0FZNUnyUeWgUspZZLl0Rnv6SiNWzqPRHiYvEW6eTNGzQj9Zbuh6TH2XtllQSGNJWp0P3FXS5GOMZW4bEALZld/QYQm/6dg5Gs1KrXjFVqEwv5wOzlv5o6t2X8VI2isvWU84KgL9yA6H2F7hqMuWe6aHv4v0veT8xCvMtJkDOvUcohW9qs/tsuKYrarq+v3m7BBpFvajEBSDALKes6CVEufLTyV+eack+WJfRCYNKdtk8UdF3jNC+iIW3JXQNvLc0KmBHathIkEzNTHKN2SF413ybo9Nr/6RpH5ymnV6iWjoNsvyaSGvo596H6CIlUc0+85dehWQpuYqzQxuFnzyd9k3vLAKcUW3PQo6/PVT9hiLYkkM5I9diSy3Y/0SGfq7NEMK5leGy2XuKOddT1RFLgq3A0C0Isyuao08p/Z9wdKi1g5uk87j0DdA=="
-DOTENV_VAULT_DEVELOPMENT_VERSION=2
+DOTENV_VAULT_DEVELOPMENT="HeswKUHQZ6V3JFcr3HseUApYQfkppT9FsW6OxOmSSn4Cgo33fEz4JfaY347xzbh4o4bhvZqL54EdLnP5+pBAvsnBqigpIJqHHH9D77Nxg7CocMwIXgVA787vJc+ZB0CUj4AgjgsXyUwXOrHOzQPW5ZlzDyS4W8lI2957TExfYoVxHZDkjXEwPBRL4/o7iKpuRVlpyKXpClf8DcJj5qt4opJ4HwHWqEkSed/4oUoAlRJydFXhHSPfz14DsMKIQiHoADM6kNlyZvG2fUbJv5Km52y254lu/1TKUBgfjVtyh4ZkNci2ABWTfhg1llwWSR4HuIhVZbkB+C36VIl2Ea2COQAfhLgAgjMo2oSuS8JwylNItSzB9ciBcd2yxEeMWk7Ae2H2l1hRZ9TaqK386zKU88mMol8VRLCzSYJXLrROQgTI1WCzSJ6zXRTuXBOQo7x4scty7dkkeifFlxxY6I86SHvnypa4BNrC+Y03Xsr/"
+DOTENV_VAULT_DEVELOPMENT_VERSION=3
 
 # ci
-DOTENV_VAULT_CI="UVGl9xnLTE43mmz6fdpKwRloo7CLoMXvFFEcVTCIY+VKQ/UP"
-DOTENV_VAULT_CI_VERSION=1
+DOTENV_VAULT_CI="YWh+MD58ktYnoFAO2ztru4XOPky3R9ch6HIp8huOLEvXgd5mOXJ6jB5VtJQHWcpdw2gzsFeaVJCVVZl8a428/9udnvxsVGmMooH49/Hg0MUISCfs+FLvy9opaxI1xILMfFKlqOWrFMM/2wSQkbIcBe14EyX1+w=="
+DOTENV_VAULT_CI_VERSION=2
 
 # staging
-DOTENV_VAULT_STAGING="z2K26nMprsq8kffcrle6dyN7tzKez7OhKEO8I+cnqFHYbAGy"
-DOTENV_VAULT_STAGING_VERSION=1
+DOTENV_VAULT_STAGING="DbZGU/4SMi8vp5FJozFZPF5CqizRkB1cKVjlkkzGiOsLyk5fOEAL2MAYlPbjp2iZZwsQ3EduZrEIDEZ+kHLmYWHyjiodKKYMM7S0TKGR1wyT+Gb8oCuZvsRH9rTEp8IJ12geLFwIb9Y9akzSXBcJoNBKD5JEdA=="
+DOTENV_VAULT_STAGING_VERSION=2
 
 # production
-DOTENV_VAULT_PRODUCTION="kWMxCM42JLyW6JYRTYvnUZ4owagPQV0xEwvQQxw7Z9QbL+pC"
-DOTENV_VAULT_PRODUCTION_VERSION=1
+DOTENV_VAULT_PRODUCTION="OgCYr+2TDmNB/wCWLwVeQEiJpRM/h05tO+j9VBDBIV3p6sBvn3VegSuD7YOK3aU4i/Qr42lSS2QTuSDZpJHBChWoJwhWdrzQcI6ZvStAQYykdb0HHhSu1PUe3VDwF3f5w9Km0EkoLuMuq6rRN8ndIPm1uN3PqQ=="
+DOTENV_VAULT_PRODUCTION_VERSION=2
 
 #/----------------settings/metadata-----------------/
 DOTENV_VAULT="vlt_c13402acfe780a1795cccf0f6ba62b7a1680026d5c398b258cb9787607bf9c21"

.gitignore

@@ -25,4 +25,6 @@ ignition/deployments/chain-31337
 .env
 .env.me
 .flaskenv*
-!.env.project
+!.env.project
+.env*
+!.env.vault

.gitmodules

@@ -4,9 +4,6 @@
 [submodule "lib/openzeppelin-foundry-upgrades"]
 	path = lib/openzeppelin-foundry-upgrades
 	url = https://github.com/OpenZeppelin/openzeppelin-foundry-upgrades
-[submodule "lib/openzeppelin-contracts"]
-	path = lib/openzeppelin-contracts
-	url = https://github.com/OpenZeppelin/openzeppelin-contracts
 [submodule "lib/openzeppelin-contracts-upgradeable"]
 	path = lib/openzeppelin-contracts-upgradeable
 	url = https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable

Makefile

@@ -20,12 +20,18 @@ clean:
 	@rm -rf artifacts
 	@rm -rf node_modules
 	@rm -rf cache_forge
+	@npm cache clean --force
 	@forge clean
 
 .PHONY: forge-clean ## clean forge
 forge-clean:
 	rm -rf .gitmodules && rm -rf .git/modules/* && rm -rf lib && touch .gitmodules && git add . && git commit -m "modules"
 
+.PHONY: forge-update ## upgrade forge
+forge-update:
+	@foundryup
+	@forge update
+
 .PHONY: compile ## compile contracts
 compile:
 	@forge build
@@ -34,10 +40,9 @@ compile:
 force-compile:
 	@forge clean && forge build
 
-# https://jestjs.io/docs/cli#--coverageboolean
 .PHONY: test ## run tests
 test:
-	@forge test --via-ir --gas-report --show-progress -vvv  --force
+	@forge test --show-progress --gas-report -vvv 
 
 .PHONY: coverage ## run tests coverage report
 coverage:
@@ -87,7 +92,6 @@ deploy:
 verify: 
 	@forge verify-contract $(address) $(contract) --api-key $(network) --chain $(network)
 
-
 rebuild: clean
 all: test lint
 

README.md

@@ -30,11 +30,4 @@ Note: Run `make help` to see additional capabilities.
 
 - Code Maturity: https://github.com/crytic/building-secure-contracts/blob/master/development-guidelines/code_maturity.md
 
-- Style Guide: https://docs.soliditylang.org/en/latest/style-guide.html
-
-
-
-
-
-
-
+- Style Guide: https://docs.soliditylang.org/en/latest/style-guide.html

contracts/assets/ContentReferendum.sol

@@ -27,28 +27,47 @@ contract ContentReferendum is
     IContentReferendum
 {
     using EnumerableSet for EnumerableSet.UintSet;
+
+    /// @dev Mapping that tracks content submissions for each address.
+    /// Each address maps to a set of content IDs (UintSet) that have been submitted by that address.
     mapping(address => EnumerableSet.UintSet) private submissions;
-    // This role is granted to any representant trusted account. eg: Verified Accounts, etc.
-    bytes32 private constant VERIFIED_ROLE = keccak256("VERIFIED_ROLE");
+
     /// @dev Event emitted when a content is submitted for referendum.
-    /// @param contentId The ID of the content submitted.
+    /// @param contentId The ID of the content that has been submitted.
     /// @param initiator The address of the initiator who submitted the content.
-    event Submitted(address initiator, uint256 indexed contentId);
+    /// @param timestamp The timestamp indicating when the content was submitted.
+    event Submitted(address indexed initiator, uint256 timestamp, uint256 contentId);
+
     /// @dev Event emitted when a content is approved.
-    /// @param contentId The ID of the content approved.
-    event Approved(uint256 indexed contentId);
+    /// @param contentId The ID of the content that has been approved.
+    /// @param timestamp The timestamp indicating when the content was approved.
+    event Approved(uint256 contentId, uint256 timestamp);
+
     /// @dev Event emitted when a content is revoked.
-    /// @param contentId The ID of the content revoked.
-    event Revoked(uint256 indexed contentId);
-    /// @notice Emitted when the verified role is granted to an account.
+    /// @param contentId The ID of the content that has been revoked.
+    /// @param timestamp The timestamp indicating when the content was revoked.
+    event Revoked(uint256 contentId, uint256 timestamp);
+
+    /// @dev Event emitted when a content is rejected.
+    /// @param contentId The ID of the content that has been rejected.
+    /// @param timestamp The timestamp indicating when the content was revoked.
+    event Rejected(uint256 contentId, uint256 timestamp);
+
+    /// @notice Event emitted when the verified role is granted to an account.
     /// @param account The address of the account that has been granted the verified role.
     event VerifiedRoleGranted(address indexed account);
 
-    /// @notice Emitted when the verified role is revoked from an account.
-    /// @param account The address of the account from which the verified role has been revoked.
+    /// @notice Event emitted when the verified role is revoked from an account.
+    /// @param account The address of the account that has lost the verified role.
     event VerifiedRoleRevoked(address indexed account);
-    // Error to be thrown when the submission initiator is invalid.
+
+    /// @dev Error thrown when the content submission is invalid (e.g., incorrect or missing data).
+    error InvalidSubmissionContent();
+
+    /// @dev Error thrown when the signature of the content submission is invalid.
     error InvalidSubmissionSignature();
+
+    /// @dev Error thrown when the initiator of the submission is invalid (e.g., not authorized to submit content).
     error InvalidSubmissionInitiator();
 
     /// @dev Constructor that disables initializers to prevent the implementation contract from being initialized.
@@ -72,15 +91,15 @@ contract ContentReferendum is
     /// @param account The address of the account to verify.
     /// @dev Only governance is allowed to grant the role.
     function grantVerifiedRole(address account) external onlyGov {
-        _grantRole(VERIFIED_ROLE, account);
+        _grantRole(C.VERIFIED_ROLE, account);
         emit VerifiedRoleGranted(account);
     }
 
     /// @notice Revoke the verified role to a specific account.
     /// @param account The address of the account to revoke.
     /// @dev Only governance is allowed to revoke the role.
     function revokeVerifiedRole(address account) external onlyGov {
-        _revokeRole(VERIFIED_ROLE, account);
+        _revokeRole(C.VERIFIED_ROLE, account);
         emit VerifiedRoleRevoked(account);
     }
 
@@ -120,23 +139,30 @@ contract ContentReferendum is
     function isApproved(address initiator, uint256 contentId) public view returns (bool) {
         bool approved = isActive(contentId);
         bool validAccount = submissions[initiator].contains(contentId);
-        bool verifiedRole = hasRole(VERIFIED_ROLE, initiator);
+        bool verifiedRole = hasRole(C.VERIFIED_ROLE, initiator);
         // is approved with a valid submission account or is verified account..
         return (approved && validAccount) || verifiedRole;
     }
 
-    /// @notice Reject a content proposition.
+    /// @notice Revoke an approved content.
     /// @param contentId The ID of the content to be revoked.
+    function revoke(uint256 contentId) public onlyGov {
+        _revoke(contentId); // bundled check-effects-interaction
+        emit Revoked(contentId, block.timestamp);
+    }
+
+    /// @notice Reject a content proposition.
+    /// @param contentId The ID of the content to be rejected.
     function reject(uint256 contentId) public onlyGov {
-        _revoke(contentId);
-        emit Revoked(contentId);
+        _block(contentId); // bundled check-effects-interaction
+        emit Rejected(contentId, block.timestamp);
     }
 
     /// @notice Approves a content proposition.
     /// @param contentId The ID of the content to be approved.
     function approve(uint256 contentId) public onlyGov {
-        _approve(contentId);
-        emit Approved(contentId);
+        _approve(contentId); // bundled check-effects-interaction
+        emit Approved(contentId, block.timestamp);
     }
 
     /// @notice Function that should revert when msg.sender is not authorized to upgrade the contract.
@@ -149,8 +175,8 @@ contract ContentReferendum is
     /// @param contentId The unique identifier of the content being submitted.
     /// @param initiator The address of the entity initiating the content submission.
     function _submit(uint256 contentId, address initiator) private {
-        _register(contentId);
+        _register(contentId); // bundled check-effects-interaction
         submissions[initiator].add(contentId);
-        emit Submitted(initiator, contentId);
+        emit Submitted(initiator, block.timestamp, contentId);
     }
 }

contracts/assets/ContentVault.sol

@@ -8,14 +8,16 @@ import { GovernableUpgradeable } from "contracts/base/upgradeable/GovernableUpgr
 import { IContentOwnership } from "contracts/interfaces/assets/IContentOwnership.sol";
 import { IContentVault } from "contracts/interfaces/assets/IContentVault.sol";
 
-/// @title ContentVault
-/// @notice This contract stores encrypted content and ensures only the rightful
-/// content holder can access or modify the content.
+import { T } from "contracts/libraries/Types.sol";
+
+/// @notice This contract is designed as a secure and decentralized area to exchange complementary data related to
+/// content access, such as encrypted keys, license keys, or metadata. It does not store the actual content itself,
+/// but manages the complementary data necessary to access that content.
 contract ContentVault is Initializable, UUPSUpgradeable, GovernableUpgradeable, IContentVault {
     /// Preventing accidental/malicious changes during contract reinitializations.
     IContentOwnership public immutable CONTENT_OWNSERSHIP;
     /// @dev Mapping to store encrypted content, identified by content ID.
-    mapping(uint256 => bytes) private secured;
+    mapping(uint256 => mapping(T.VaultType => bytes)) private secured;
     /// @notice Error thrown when a non-owner tries to modify or access the content.
     error InvalidContentHolder();
 
@@ -46,27 +48,19 @@ contract ContentVault is Initializable, UUPSUpgradeable, GovernableUpgradeable,
 
     /// @notice Retrieves the encrypted content for a given content ID.
     /// @param contentId The identifier of the content.
-    /// @dev This function is used to access encrypted data stored in the vault,
-    /// which can include various types of encrypted information such as LIT chain data or shared key-encrypted data.
-    function getContent(uint256 contentId) public view returns (bytes memory) {
-        // In common scenarios, only custodians are allowed to access the secured content.
-        // However, this does not prevent access since all data on a smart contract is publicly readable.
-        return secured[contentId];
+    /// @param vault The vault type used to retrieve the content (e.g., LIT, RSA, EC).
+    function getContent(uint256 contentId, T.VaultType vault) public view returns (bytes memory) {
+        return secured[contentId][vault];
     }
 
     /// @notice Stores encrypted content in the vault under a specific content ID.
     /// @param contentId The identifier of the content.
-    /// @param encryptedContent The encrypted content to store, represented as bytes.
-    /// @dev Only the rightful content holder can set or modify the content.
-    /// This allows for dynamic secure storage, handling encrypted data like public key encrypted content or
-    /// hash-encrypted data.
-    function setContent(uint256 contentId, bytes memory encryptedContent) public onlyHolder(contentId) {
-        secured[contentId] = encryptedContent;
+    /// @param vault The vault type to associate with the encrypted content (e.g., LIT, RSA, EC).
+    /// @param data The secure content to store, represented as bytes.
+    function setContent(uint256 contentId, T.VaultType vault, bytes memory data) public onlyHolder(contentId) {
+        secured[contentId][vault] = data;
     }
 
-    // TODO tests
-    // TODO dejar directo LIT? permitir multiples alg? establecer por un enum los tipos?
-
     /// @notice Function that authorizes the contract upgrade. It ensures that only the admin
     /// can authorize a contract upgrade to a new implementation.
     /// @param newImplementation The address of the new contract implementation.

contracts/base/Governable.sol

@@ -0,0 +1,67 @@
+// SPDX-License-Identifier: MIT
+// NatSpec format convention - https://docs.soliditylang.org/en/v0.5.10/natspec-format.html
+pragma solidity 0.8.26;
+
+import { AccessControl } from "@openzeppelin/contracts/access/AccessControl.sol";
+import { IGovernable } from "contracts/interfaces/IGovernable.sol";
+import { C } from "contracts/libraries/Constants.sol";
+
+/// @title GovernableU
+/// @dev Abstract contract that provides governance functionality to contracts.
+/// @notice This contract manages roles for governance, moderators, and admin permissions.
+abstract contract Governable is AccessControl, IGovernable {
+    /// @notice Address of the current governor.
+    address public governor;
+
+    /// @dev Modifier that checks if the caller has the GOB_ROLE (Governor Role).
+    modifier onlyGov() {
+        _checkRole(C.GOV_ROLE);
+        _;
+    }
+
+    /// @dev Modifier that checks if the caller has the MOD_ROLE (Moderator Role).
+    modifier onlyMod() {
+        _checkRole(C.MOD_ROLE);
+        _;
+    }
+
+    /// @dev Modifier that checks if the caller has the DEFAULT_ADMIN_ROLE (Admin Role).
+    modifier onlyAdmin() {
+        _checkRole(DEFAULT_ADMIN_ROLE);
+        _;
+    }
+
+    /// @notice Constructor to set the initial admin of the contract.
+    /// @param initialAdmin The address to be granted the DEFAULT_ADMIN_ROLE.
+    constructor(address initialAdmin) {
+        _grantRole(DEFAULT_ADMIN_ROLE, initialAdmin);
+    }
+
+    /// @notice Sets the governance address (Governor Role).
+    /// @dev Only callable by the address with DEFAULT_ADMIN_ROLE.
+    /// @param newGovernance The address to set as the new governor.
+    function setGovernance(address newGovernance) external onlyAdmin {
+        _grantRole(C.GOV_ROLE, newGovernance);
+        governor = newGovernance;
+    }
+
+    /// @notice Sets the emergency admin address (Admin Role).
+    /// @dev Only callable by the address with the GOB_ROLE.
+    /// @param newEmergencyAdmin The address to set as the new emergency admin.
+    function setEmergencyAdmin(address newEmergencyAdmin) external onlyGov {
+        _grantRole(DEFAULT_ADMIN_ROLE, newEmergencyAdmin);
+    }
+
+    /// @notice Revokes the emergency admin role from a specified address.
+    /// @dev Only callable by the address with the GOB_ROLE.
+    /// @param revokedAddress The address from which the emergency admin role will be revoked.
+    function revokeEmergencyAdmin(address revokedAddress) external onlyGov {
+        _revokeRole(DEFAULT_ADMIN_ROLE, revokedAddress);
+    }
+
+    /// @notice Returns the current governor address.
+    /// @return The address of the current governor.
+    function getGovernance() external view returns (address) {
+        return governor;
+    }
+}

contracts/base/Ledger.sol

@@ -2,16 +2,15 @@
 // NatSpec format convention - https://docs.soliditylang.org/en/v0.8.24/natspec-format.html
 pragma solidity 0.8.26;
 
-import { ILedger } from "contracts/interfaces/ILedger.sol";
+import { ILedgerVerifiable } from "contracts/interfaces/ILedgerVerifiable.sol";
 
 /// @title Ledger
 /// @notice Abstract contract to manage and store ledger entries for different accounts and currencies.
 /// @dev This contract defines internal functions to manipulate ledger balances and retrieve account data.
-abstract contract Ledger is ILedger {
+abstract contract Ledger is ILedgerVerifiable {
     // Mapping to store balances per account and currency.
     mapping(address => mapping(address => uint256)) private ledger;
 
-    /// @inheritdoc ILedger
     /// @notice Retrieves the registered currency balance for the specified account.
     /// @param account The address of the account to retrieve the balance for.
     /// @param currency The address of the currency to retrieve the balance for.