Full TimelockGuard implementation (#17584)

* feat: implement configureTimelockGuard function

- Add configureTimelockGuard function to allow Safes to set timelock delays
- Validate timelock delay between 1 second and 1 year
- Check that guard is properly enabled on calling Safe using getStorageAt()
- Store configuration per Safe with GuardConfigured event emission
- Add comprehensive test suite covering all spec requirements
- Implement IGuard interface for Safe compatibility

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

* feat: implement clearTimelockGuard function

- Add clearTimelockGuard function to allow Safes to clear timelock configuration
- Validate that guard is disabled before allowing configuration clearing
- Check that Safe was previously configured before clearing
- Delete configuration data and emit GuardCleared event
- Add comprehensive test suite covering all spec requirements
- Add new errors: TimelockGuard_GuardNotConfigured, TimelockGuard_GuardStillEnabled

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

* refactor: extract guard checking logic to internal helper function

- Add internal _getGuard() helper to centralize guard address retrieval
- Update configureTimelockGuard and clearTimelockGuard to use helper
- Reduces code duplication and improves maintainability

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

* feat: implement cancellationThreshold function

- Add cancellationThreshold function to return current threshold for a Safe
- Return 0 if guard not enabled or not configured
- Initialize to 1 when Safe configures guard
- Clear threshold when Safe clears guard configuration
- Add comprehensive test suite covering all spec requirements
- Function never reverts as per spec requirements

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

* feat: add placeholder functions for remaining TimelockGuard functionality

- Add scheduleTransaction placeholder (Function 4)
- Add checkPendingTransactions placeholder (Function 6)
- Add rejectTransaction placeholder (Function 7)
- Add rejectTransactionWithSignature placeholder (Function 8)
- Add cancelTransaction placeholder (Function 9)
- Update checkTransaction placeholder (Function 5)
- All placeholders have proper signatures and documentation

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

* Self review fixes

* Fix warnings on unimplemented functions

* Fix names of test functions

* Satisfy semgrep by removing revert with string

* Remove arg names from unimplemented functions

* Snapshots

* Add interface

* Simplify cancellationThreshold() getter

* Replace _getGuard with isGuardEnabled

* Allow a timelock delay of zero

* TimelockGuard: Add scheduleTransaction()

* Add todo note

* Pseudocode draft of a non-nested timelock

Simpler code

Add cancelTransaction function relying on the Safe's internal logic

undo type change

Add note explaining getScheduledTransactions

* Remove signatures field from ExecTransactionParams

* Refactor tests with improve utils (_getDummyTx, _getSignaturesForTx)

* Test for TransactionCancelled event

* Further improve util functions

* Add approve hash test case

* fix warnings

* Use correct typing for Safe addresses

This is applied to function inputs/outputs as well as mappings and
events

* Add additional scheduleTransaction tests

* Enable specifying which safeInstance in utility functions

* Change cancelTransaction to accept a tx hash

* Add increaseCancellationThreshold to cancelTransaction

* Add configured boolean to guard config

* Fix signature reuse vulnerability in cancelTransaction

Include transaction hash in cancellation signature data to prevent
signatures from being reused across different transactions with the
same nonce. Updates both contract implementation and tests.

* Move signature verification before existence check in scheduleTransaction

* Remove unused console.logs

* Fix increaseCancellationThreshold inputs

* Separate cancellation threshold events from transaction cancellation

Add CancellationThresholdUpdated event and emit it from threshold
modification functions. Remove threshold parameter from TransactionCancelled
event for cleaner separation of concerns.

* Remove unused _txHash argument from resetCancellation function

* Update ITimelockGuard to match implementation

* Use configured flag instead of timelockDelay check in clearTimelockGuard

* Add configuration check to scheduleTransaction and fix test names

* Implement checkTransaction

* Add itest placeholder contract

* Add comment to checkAfterExecution body

* pre-pr checks

* Remove GuardConfig.configured boolean field

We can simply use `timelock > 0` as an indicator of configuration

* Remove clearTimelockGuard

The right way to do this is now just to set timelockDelay to zero.

* Refactor: Add TransactionBuilder library

This library significantly reduces the amount of boilerplace required to
setup a Safe transaction, then schedule, cancel, or execute it.

* Add unreachable AlreadyExecuted error

* Add integration tests

* Add getPendingTransactions function and tests

* Add tests for getScheduledTransaction

* Add _ prefix in front of internal mappings

* Rename viewTimelockGuard to timelockSafeConfigurationper specs

* Add maxCancellationThreshold

* Improve names on getter functions

* Remove @dev tags with invariants

Avoids duplicating logic between specs and implementation

* Update configureTimelockGuard to accept and validate signatures outside of the Safe

* Refactor: use a single struct to store all state for a given Safe

* Do not unnecessarily reset cancellation threshold when config set to 0

* Revert "Update configureTimelockGuard to accept and validate signatures outside of the Safe"

This reverts commit daad53b.

* Move timelockDelay out of unnecessary struct

* Add top level detail natspec, reorder functions by vis and mutability

* Remove test that does not conform to spec

* Add cancelTransactionOnSafe to interface as reverting function

* Add many more comments

* Apply suggestions from code review

Co-authored-by: Alberto Cuesta Cañada <[email protected]>

* Fix ITimelockGuard iface to match impl

* Rename arguments for consistency

* Add/fixup @param on events

* Small fixes

* Fix ITimelockGuard declaration

* Improve names on getter functions

* Move ExecTransactionParams into TimelockGuard.sol

* Address comment nits

* Add TimelockGuard_MaxCancellationThreshold_Test and _deploySafe helper

* Fix up iface and comment typos

* Fix storage lookup in test

* Add enum Transaction state and remove cancelled/executed booleans

* add /// @Custom:field on ScheduledTransaction struct

* add /// @Custom:field on ExecTransactionParams struct

* Add SemverComp to enforce minimum Safe version

* Rename empty function to signCancellationForSafe

* Fix location of external view functions

* Add some more comments where helpful.

* Further expand on the maxCancellationThreshold rationale

* Clarify blocking threshold

* iFace fixes

* Fix iface

* Move update of tx state, event emission and cancellationThreshold into checkAfterExection

* Simplified comment

* remove unclear comments

* fix semgrep sol-style-use-abi-encodecall

* snapshots

* Add course of actions table

* Remove unnecessary address arg from signCancellation

* Fix test names

* Fix test name validation

* Remove enabled guard check from configureTimelockGuard

* Allow <ContractName>_Integration_Test in tests

* Add isExcludedTest in checkContractNameFilePath()

* Update semver-lock

* Fix typo

* fix typo in tests

---------

Co-authored-by: Claude <[email protected]>
Co-authored-by: alcueca <[email protected]>
Co-authored-by: Alberto Cuesta Cañada <[email protected]>

Author: 4 people

packages/contracts-bedrock/interfaces/safe/ITimelockGuard.sol

@@ -0,0 +1,92 @@
+// SPDX-License-Identifier: UNLICENSED
+pragma solidity ^0.8.4;
+
+library Enum {
+    type Operation is uint8;
+}
+
+interface ITimelockGuard {
+    enum TransactionState {
+        NotScheduled,
+        Pending,
+        Cancelled,
+        Executed
+    }
+    struct ScheduledTransaction {
+        uint256 executionTime;
+        TransactionState state;
+        ExecTransactionParams params;
+    }
+
+    struct ExecTransactionParams {
+        address to;
+        uint256 value;
+        bytes data;
+        Enum.Operation operation;
+        uint256 safeTxGas;
+        uint256 baseGas;
+        uint256 gasPrice;
+        address gasToken;
+        address payable refundReceiver;
+    }
+
+    error TimelockGuard_GuardNotConfigured();
+    error TimelockGuard_GuardNotEnabled();
+    error TimelockGuard_GuardStillEnabled();
+    error TimelockGuard_InvalidTimelockDelay();
+    error TimelockGuard_TransactionAlreadyCancelled();
+    error TimelockGuard_TransactionAlreadyScheduled();
+    error TimelockGuard_TransactionNotScheduled();
+    error TimelockGuard_TransactionNotReady();
+    error TimelockGuard_TransactionAlreadyExecuted();
+    error TimelockGuard_InvalidVersion();
+
+    event CancellationThresholdUpdated(address indexed safe, uint256 oldThreshold, uint256 newThreshold);
+    event GuardConfigured(address indexed safe, uint256 timelockDelay);
+    event TransactionCancelled(address indexed safe, bytes32 indexed txHash);
+    event TransactionScheduled(address indexed safe, bytes32 indexed txHash, uint256 executionTime);
+    event TransactionExecuted(address indexed safe, bytes32 txHash);
+    event Message(string message);
+
+    function cancelTransaction(address _safe, bytes32 _txHash, uint256 _nonce, bytes memory _signatures) external;
+    function signCancellation(bytes32 _txHash) external;
+    function cancellationThreshold(address _safe) external view returns (uint256);
+    function checkTransaction(
+        address _to,
+        uint256 _value,
+        bytes memory _data,
+        Enum.Operation _operation,
+        uint256 _safeTxGas,
+        uint256 _baseGas,
+        uint256 _gasPrice,
+        address _gasToken,
+        address payable _refundReceiver,
+        bytes memory _signatures,
+        address _msgSender
+    )
+        external;
+    function checkAfterExecution(bytes32, bool) external;
+    function configureTimelockGuard(uint256 _timelockDelay) external;
+    function scheduledTransaction(
+        address _safe,
+        bytes32 _txHash
+    )
+        external
+        view
+        returns (ScheduledTransaction memory);
+    function safeConfigs(address) external view returns (uint256 timelockDelay);
+    function scheduleTransaction(
+        address _safe,
+        uint256 _nonce,
+        ExecTransactionParams memory _params,
+        bytes memory _signatures
+    )
+        external;
+    function version() external view returns (string memory);
+    function timelockConfiguration(address _safe) external view returns (uint256 timelockDelay);
+    function maxCancellationThreshold(address _safe) external view returns (uint256);
+    function pendingTransactions(address _safe)
+        external
+        view
+        returns (ScheduledTransaction[] memory);
+}

packages/contracts-bedrock/scripts/checks/test-validation/exclusions.toml

@@ -92,5 +92,6 @@ contracts = [
     "OptimismPortal2_MigrateLiquidity_Test",    # Interop tests hosted in the OptimismPortal2 test file
     "OptimismPortal2_MigrateToSuperRoots_Test", # Interop tests hosted in the OptimismPortal2 test file
     "OptimismPortal2_UpgradeInterop_Test",      # Interop tests hosted in the OptimismPortal2 test file
+    "TransactionBuilder",                       # Transaction builder helper library in TimelockGuard test file
     "Constants_Test",                           # Invalid naming pattern - doesn't specify function or Uncategorized
 ]

packages/contracts-bedrock/scripts/checks/test-validation/main.go

@@ -194,9 +194,12 @@ func checkTestStructure(artifact *solc.ForgeArtifact) []error {
 
 func checkTestMethodName(artifact *solc.ForgeArtifact, contractName string, functionName string, _ string) []error {
 	// Check for uncategorized test pattern
-	if functionName == "Uncategorized" {
-		// Pattern: <ContractName>_Uncategorized_Test
-		return nil
+	allowedFunctionNames := []string{"Uncategorized", "Integration"}
+	for _, allowed := range allowedFunctionNames {
+		if functionName == allowed {
+			// Pattern: <ContractName>_Uncategorized_Test or <ContractName>_Integration_Test
+			return nil
+		}
 	}
 	// Pattern: <ContractName>_<FunctionName>_Test - validate function exists
 	if !checkFunctionExists(artifact, functionName) {
@@ -250,6 +253,11 @@ func checkSrcPath(artifact *solc.ForgeArtifact) bool {
 // Validates that contract name matches the file path
 func checkContractNameFilePath(artifact *solc.ForgeArtifact) bool {
 	for filePath, contractName := range artifact.Metadata.Settings.CompilationTarget {
+
+		if isExcludedTest(contractName) {
+			continue
+		}
+
 		// Split contract name to get the base contract name (before first underscore)
 		contractParts := strings.Split(contractName, "_")
 		// Split file path to get individual path components