Programmable Calldata Policy Engine

Define type-safe constraints on ABI-encoded data. Enforce them onchain in Solidity, or offchain in TypeScript.

a policy is just canonical byteshover or tap a field

01095ea7b300040102401f0100020000007200490101000007004000000000000000000000000011111111111111111111111111111111111111110000000000000000000000002222222222222222222222222222222222222222002901010001050020000000000000000000000000000000000000000000000000000000e8d4a51000

One spec, two implementations

The policy format is a specification with two independent implementations, a Solidity library and a TypeScript SDK. Reach for whichever your scenario needs: embed the engine in your contracts for dynamic onchain rules, or check payloads in TypeScript before they’re signed. Use one, the other, or both.

Solidity library

Dynamic guardrails in your contracts

// function approve(address spender, uint256 amount)
bytes memory policy = PolicyBuilder
    .create("approve(address,uint256)")
    .add(arg(0).isIn(trustedSpenders))     // spender
    .add(arg(1).lte(uint256(1_000_000e6))) // amount
    .build();

// reverts on a violation
PolicyEnforcer.enforce(policy, msg.data);

TypeScript SDK

Check payloads before signing

// function approve(address spender, uint256 amount)
const policy = PolicyBuilder
    .create("approve(address,uint256)")
    .add(arg(0).isIn(trustedSpenders))       // spender
    .add(arg(1).lte(1_000_000n * 10n ** 6n)) // amount
    .build();

// throws on a violation
PolicyEnforcer.enforce(policy, calldata);

Both implementations also expose check, which returns a result instead of reverting or throwing.

Express any constraint

Scalar arguments, nested struct fields, array elements, transaction context, even raw ABI blobs. Compose them with AND/OR logic. Pick a capability.

Set membership, ranges, and comparisons on scalar arguments.

// function withdraw(address to, uint256 amount)
bytes memory policy = PolicyBuilder
    .create("withdraw(address,uint256)")
    .add(arg(0).isIn(allowed))          // to
    .add(arg(1).lte(uint256(1_000e18))) // amount
    .build();

// function withdraw(address to, uint256 amount)
const policy = PolicyBuilder
    .create("withdraw(address,uint256)")
    .add(arg(0).isIn(allowed))            // to
    .add(arg(1).lte(1_000n * 10n ** 18n)) // amount
    .build();

Target fields deep inside struct arguments by path.

// struct SwapParams { address tokenIn; address tokenOut; uint256 amount; }
// function swap(SwapParams params)
bytes memory policy = PolicyBuilder
    .create("swap((address,address,uint256))")
    .add(arg(0, 0).notIn(denied))  // params.tokenIn
    .add(arg(0, 1).notIn(denied))  // params.tokenOut
    .add(arg(0, 2).gt(uint256(0))) // params.amount
    .build();

// struct SwapParams { address tokenIn; address tokenOut; uint256 amount; }
// function swap(SwapParams params)
const policy = PolicyBuilder
    .create("swap((address,address,uint256))")
    .add(arg(0, 0).notIn(denied)) // params.tokenIn
    .add(arg(0, 1).notIn(denied)) // params.tokenOut
    .add(arg(0, 2).gt(0n))        // params.amount
    .build();

ANY/ALL quantifiers across array elements, with length bounds.

// struct Transfer { address to; uint256 value; }
// function batch(Transfer[] transfers)
bytes memory policy = PolicyBuilder
    .create("batch((address,uint256)[])")
    .add(arg(0).lengthBetween(1, 50))            // transfers.length
    .add(arg(0, Path.ALL, 0).notIn(denied))      // transfers[*].to
    .add(arg(0, Path.ALL, 1).lte(uint256(1e18))) // transfers[*].value
    .build();

// struct Transfer { address to; uint256 value; }
// function batch(Transfer[] transfers)
const policy = PolicyBuilder
    .create("batch((address,uint256)[])")
    .add(arg(0).lengthBetween(1, 50))                    // transfers.length
    .add(arg(0, Quantifier.ALL, 0).notIn(denied))        // transfers[*].to
    .add(arg(0, Quantifier.ALL, 1).lte(1n * 10n ** 18n)) // transfers[*].value
    .build();

Constrain msg.sender, msg.value, block, and chain, not just calldata.

// function transfer(address to, uint256 amount)
bytes memory policy = PolicyBuilder
    .create("transfer(address,uint256)")
    .add(msgSender().isIn(operators)) // msg.sender
    .add(msgValue().eq(uint256(0)))   // msg.value
    .add(arg(1).lte(uint256(100e18))) // amount
    .build();

// function transfer(address to, uint256 amount)
const policy = PolicyBuilder
    .create("transfer(address,uint256)")
    .add(msgSender().isIn(operators))   // msg.sender
    .add(msgValue().eq(0n))             // msg.value
    .add(arg(1).lte(100n * 10n ** 18n)) // amount
    .build();

Compose alternative rule paths. All constraints hold within a group.

// function supply(address asset, uint256 amount)
bytes memory policy = PolicyBuilder
    .create("supply(address,uint256)")
    .add(msgSender().eq(OPERATOR)) // path A
    .or()
    .add(arg(0).isIn(allowed))     // path B
    .build();

// function supply(address asset, uint256 amount)
const policy = PolicyBuilder
    .create("supply(address,uint256)")
    .add(msgSender().eq(OPERATOR)) // path A
    .or()
    .add(arg(0).isIn(allowed))     // path B
    .build();

Apply the same policy to a raw ABI blob with no function selector.

// raw ABI payload: (address recipient, uint256 amount)
bytes memory policy = PolicyBuilder
    .createRaw("address,uint256")
    .add(arg(0).isIn(allowed))          // recipient
    .add(arg(1).lte(uint256(1_000e18))) // amount
    .build();

// raw ABI payload: (address recipient, uint256 amount)
const policy = PolicyBuilder
    .createRaw("address,uint256")
    .add(arg(0).isIn(allowed))            // recipient
    .add(arg(1).lte(1_000n * 10n ** 18n)) // amount
    .build();