Apply code quality, documentation, and architecture improvements

Author: rya-sge

AGENTS.md

@@ -55,11 +55,13 @@ All three share their core logic through `RuleEngineBase` directly or via `RuleE
 ```
 RuleEngineBase (abstract)
 ├── VersionModule                         → version() returns "3.0.0"
-├── RulesManagementModule                 → add/remove/set/clear rules
+├── RulesManagementModule                 → add/remove/set/clear rules, maxRules cap
 │   ├── AccessControl (OZ)
 │   └── RulesManagementModuleInvariantStorage  → errors, events, roles
-├── ERC3643ComplianceModule               → bind/unbind tokens
-│   └── IERC3643Compliance
+├── ERC3643ComplianceExtendedModule       → bind/unbind tokens (extended API)
+│   └── ERC3643ComplianceModule           → core ERC-3643 compliance
+│       ├── IERC3643Compliance
+│       └── ERC3643ComplianceModuleInvariantStorage  → errors
 ├── RuleEngineInvariantStorage            → errors
 └── IRuleEngineERC1404                    → CMTAT interface
 
@@ -87,16 +89,19 @@ Modules define **virtual internal hooks** for access control. Concrete contracts
 ```solidity
 // In RulesManagementModule (abstract):
 function _onlyRulesManager() internal virtual;
+function _onlyRulesLimitManager() internal virtual;  // guards setMaxRules
 
 // In ERC3643ComplianceModule (abstract):
 function _onlyComplianceManager() internal virtual;
 
 // RuleEngine overrides with RBAC:
 function _onlyRulesManager() internal virtual override onlyRole(RULES_MANAGEMENT_ROLE) {}
+function _onlyRulesLimitManager() internal virtual override onlyRole(DEFAULT_ADMIN_ROLE) {}
 function _onlyComplianceManager() internal virtual override onlyRole(COMPLIANCE_MANAGER_ROLE) {}
 
 // RuleEngineOwnable overrides with Ownable:
 function _onlyRulesManager() internal virtual override onlyOwner {}
+function _onlyRulesLimitManager() internal virtual override onlyOwner {}
 function _onlyComplianceManager() internal virtual override onlyOwner {}
 ```
 
@@ -127,7 +132,7 @@ function _checkRule(address rule_) internal view virtual override {
 ### Rule Execution Flow
 
 ```
-Token operation → RuleEngine.transferred(spender, from, to, value)   ← used by CMTAT v3.3.0+ for all operations
+Token operation → RuleEngine.transferred(spender, from, to, value)   ← CMTAT v3.3.0+ primary path
                    ├── onlyBoundToken modifier (caller must be bound)
                    └── for each rule in _rules:
                          rule.transferred(spender, from, to, value)  // reverts if disallowed
@@ -136,10 +141,20 @@ Token operation → RuleEngine.transferred(spender, from, to, value)   ← used
                    ├── onlyBoundToken modifier
                    └── for each rule in _rules:
                          rule.transferred(from, to, value)
+
+                  RuleEngine.created(to, value)                      ← ERC-3643 mint entry point
+                   ├── onlyBoundToken modifier
+                   └── calls _transferred(address(0), to, value)
+
+                  RuleEngine.destroyed(from, value)                  ← ERC-3643 burn entry point
+                   ├── onlyBoundToken modifier
+                   └── calls _transferred(from, address(0), value)
 ```
 
 Since CMTAT v3.3.0, mint (`from == address(0)`) and burn (`to == address(0)`) also go through the 4-argument overload with the operator as `spender`. Rules that check `spender` must skip or adapt that check for mint/burn to avoid blocking those operations unintentionally.
 
+`created` and `destroyed` use the 3-argument `_transferred` path (no spender), consistent with the ERC-3643 spec which does not carry a spender for mint/burn.
+
 View path: `detectTransferRestriction()` iterates rules, returns first non-zero code.
 
 ### Storage: EnumerableSet

CLAUDE.md

@@ -55,11 +55,13 @@ All three share their core logic through `RuleEngineBase` directly or via `RuleE
 ```
 RuleEngineBase (abstract)
 ├── VersionModule                         → version() returns "3.0.0"
-├── RulesManagementModule                 → add/remove/set/clear rules
+├── RulesManagementModule                 → add/remove/set/clear rules, maxRules cap
 │   ├── AccessControl (OZ)
 │   └── RulesManagementModuleInvariantStorage  → errors, events, roles
-├── ERC3643ComplianceModule               → bind/unbind tokens
-│   └── IERC3643Compliance
+├── ERC3643ComplianceExtendedModule       → bind/unbind tokens (extended API)
+│   └── ERC3643ComplianceModule           → core ERC-3643 compliance
+│       ├── IERC3643Compliance
+│       └── ERC3643ComplianceModuleInvariantStorage  → errors
 ├── RuleEngineInvariantStorage            → errors
 └── IRuleEngineERC1404                    → CMTAT interface
 
@@ -87,16 +89,19 @@ Modules define **virtual internal hooks** for access control. Concrete contracts
 ```solidity
 // In RulesManagementModule (abstract):
 function _onlyRulesManager() internal virtual;
+function _onlyRulesLimitManager() internal virtual;  // guards setMaxRules
 
 // In ERC3643ComplianceModule (abstract):
 function _onlyComplianceManager() internal virtual;
 
 // RuleEngine overrides with RBAC:
 function _onlyRulesManager() internal virtual override onlyRole(RULES_MANAGEMENT_ROLE) {}
+function _onlyRulesLimitManager() internal virtual override onlyRole(DEFAULT_ADMIN_ROLE) {}
 function _onlyComplianceManager() internal virtual override onlyRole(COMPLIANCE_MANAGER_ROLE) {}
 
 // RuleEngineOwnable overrides with Ownable:
 function _onlyRulesManager() internal virtual override onlyOwner {}
+function _onlyRulesLimitManager() internal virtual override onlyOwner {}
 function _onlyComplianceManager() internal virtual override onlyOwner {}
 ```
 
@@ -127,7 +132,7 @@ function _checkRule(address rule_) internal view virtual override {
 ### Rule Execution Flow
 
 ```
-Token operation → RuleEngine.transferred(spender, from, to, value)   ← used by CMTAT v3.3.0+ for all operations
+Token operation → RuleEngine.transferred(spender, from, to, value)   ← CMTAT v3.3.0+ primary path
                    ├── onlyBoundToken modifier (caller must be bound)
                    └── for each rule in _rules:
                          rule.transferred(spender, from, to, value)  // reverts if disallowed
@@ -136,10 +141,20 @@ Token operation → RuleEngine.transferred(spender, from, to, value)   ← used
                    ├── onlyBoundToken modifier
                    └── for each rule in _rules:
                          rule.transferred(from, to, value)
+
+                  RuleEngine.created(to, value)                      ← ERC-3643 mint entry point
+                   ├── onlyBoundToken modifier
+                   └── calls _transferred(address(0), to, value)
+
+                  RuleEngine.destroyed(from, value)                  ← ERC-3643 burn entry point
+                   ├── onlyBoundToken modifier
+                   └── calls _transferred(from, address(0), value)
 ```
 
 Since CMTAT v3.3.0, mint (`from == address(0)`) and burn (`to == address(0)`) also go through the 4-argument overload with the operator as `spender`. Rules that check `spender` must skip or adapt that check for mint/burn to avoid blocking those operations unintentionally.
 
+`created` and `destroyed` use the 3-argument `_transferred` path (no spender), consistent with the ERC-3643 spec which does not carry a spender for mint/burn.
+
 View path: `detectTransferRestriction()` iterates rules, returns first non-zero code.
 
 ### Storage: EnumerableSet

README.md

@@ -279,7 +279,7 @@ The toolchain includes the following components, where the versions are the late
 - Foundry (forge-std) [v1.14.0](https://github.com/foundry-rs/forge-std/releases/tag/v1.14.0)
 - Solidity [0.8.34](https://docs.soliditylang.org/en/v0.8.34/)
 - OpenZeppelin Contracts (submodule) [v5.6.1](https://github.com/OpenZeppelin/openzeppelin-contracts/releases/tag/v5.6.1)
-- CMTAT [v3.2.0](https://github.com/CMTA/CMTAT/releases/tag/v3.2.0)
+- CMTAT [v3.3.0](https://github.com/CMTA/CMTAT/releases/tag/v3.3.0)
 
 ### Access Control
 
@@ -377,8 +377,8 @@ For function signatures, struct arguments are represented with their correspondi
 |                         | `addRule(address rule_)`                                     | public | `IRule rule_` |-|RULES_MANAGEMENT_ROLE|
 |                         | `removeRule(address rule_)`                                  | public | `IRule rule_` |-|RULES_MANAGEMENT_ROLE|
 | ERC3643ComplianceModule |  |                              |                                      |                                      |               |
-|  | `bindToken(address token)` | public | `address token` | - | COMPLIANCE_MANAGER_ROLE |
-|  | `unbindToken(address token)` | public | `address token` | - | COMPLIANCE_MANAGER_ROLE |
+|  | `bindToken(address token)` | public | `address token` | - | COMPLIANCE_MANAGER_ROLE or approved token self-call |
+|  | `unbindToken(address token)` | public | `address token` | - | COMPLIANCE_MANAGER_ROLE or approved token self-call |
 | ERC3643ComplianceExtendedModule |  |                              |                                      |                                      |               |
 |  | `bindTokens(address[] tokens)` | public | `address[] tokens` | - | COMPLIANCE_MANAGER_ROLE |
 |  | `unbindTokens(address[] tokens)` | public | `address[] tokens` | - | COMPLIANCE_MANAGER_ROLE |

src/deployment/RuleEngine.sol

@@ -39,7 +39,11 @@ contract RuleEngine is ERC2771ModuleStandalone, RuleEngineBase, AccessControlEnu
     /* ============ ACCESS CONTROL ============ */
     /**
      * @notice Grants `role` to `account`.
-     * @dev Prevents granting any role to accounts already configured as rules.
+     * @dev Prevents granting any role to accounts currently configured as rules.
+     * Note: this check is intentionally one-directional. {addRule} does not verify
+     * whether the rule address already holds a privileged role, and this function does
+     * not prevent adding a privileged address as a rule afterwards. Operators are
+     * responsible for keeping rule contracts and privileged accounts disjoint.
      */
     function grantRole(bytes32 role, address account) public virtual override(AccessControl, IAccessControl) {
         if (_rules.contains(account)) {

src/deployment/RuleEngineOwnable2Step.sol

@@ -14,9 +14,10 @@ import {Ownable2StepInterfaceId} from "../modules/library/Ownable2StepInterfaceI
  */
 contract RuleEngineOwnable2Step is RuleEngineOwnableShared, Ownable2Step {
     /**
-     * @param owner_ Address of the contract owner (ERC-173)
-     * @param forwarderIrrevocable Address of the forwarder, required for the gasless support
-     * @param tokenContract Address of the token contract to bind (can be zero address)
+     * @notice Deploys a RuleEngine with ERC-173 two-step ownership transfer.
+     * @param owner_ Address of the initial contract owner (ERC-173).
+     * @param forwarderIrrevocable Address of the ERC-2771 trusted forwarder (use zero address to disable gasless).
+     * @param tokenContract Address of the token contract to bind at deployment (use zero address to skip).
      */
     constructor(address owner_, address forwarderIrrevocable, address tokenContract)
         RuleEngineOwnableShared(forwarderIrrevocable, tokenContract)

src/interfaces/IRulesManagementModule.sol

@@ -14,6 +14,8 @@ interface IRulesManagementModule {
     /**
      * @notice Updates the maximum number of rules allowed in the engine.
      * @dev Access control is implementation specific (admin/owner).
+     * Setting a very high cap re-exposes unbounded gas cost for administrative operations
+     * such as {clearRules} even though normal per-transfer cost remains bounded.
      * @param maxRules_ New maximum number of rules.
      */
     function setMaxRules(uint256 maxRules_) external;
@@ -60,9 +62,9 @@ interface IRulesManagementModule {
     /**
      * @notice Removes all configured rules.
      * @dev After calling this function, no rules will remain set.
-     * Developers should keep in mind that this function has an unbounded cost
-     * and using it may render the function uncallable if the set grows to the point
-     * where clearing it consumes too much gas to fit in a block.
+     * Cost is O(n) in the number of configured rules. With the default cap of 10 this is
+     * negligible, but a high {maxRules} setting re-exposes unbounded cost here even though
+     * per-transfer cost remains bounded.
      */
     function clearRules() external;
 
@@ -88,5 +90,5 @@ interface IRulesManagementModule {
      * @dev Complexity: O(1).
      * @return exists True if the rule is present, false otherwise.
      */
-    function containsRule(IRule rule_) external returns (bool exists);
+    function containsRule(IRule rule_) external view returns (bool exists);
 }

src/mocks/rules/operation/RuleMintAllowance.sol

@@ -53,7 +53,7 @@ contract RuleMintAllowance is AccessControl, RuleMintAllowanceInvariantStorage,
      * @notice Called for transfers where no spender context is available.
      *         Mint allowance cannot be enforced without a spender; passes through.
      */
-    function transferred(address from, address to, uint256 value) public view {
+    function transferred(address from, address to, uint256 value) public {
         // no-op: spender unknown, enforcement requires transferred(spender,...)
     }
 

src/mocks/rules/validation/RuleWhitelist.sol

@@ -2,10 +2,8 @@
 
 pragma solidity ^0.8.20;
 
-// forge-lint: disable-next-line(unaliased-plain-import)
-import "./abstract/RuleAddressList/RuleAddressList.sol";
-// forge-lint: disable-next-line(unaliased-plain-import)
-import "./abstract/RuleWhitelistCommon.sol";
+import {RuleAddressList} from "./abstract/RuleAddressList/RuleAddressList.sol";
+import {RuleWhitelistCommon} from "./abstract/RuleWhitelistCommon.sol";
 import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";
 import {IERC165} from "@openzeppelin/contracts/utils/introspection/IERC165.sol";
 import {RuleInterfaceId} from "../../../modules/library/RuleInterfaceId.sol";
@@ -92,12 +90,12 @@ contract RuleWhitelist is RuleAddressList, RuleWhitelistCommon {
         }
     }
 
-    function transferred(address from, address to, uint256 value) public view {
+    function transferred(address from, address to, uint256 value) public {
         uint8 code = detectTransferRestriction(from, to, value);
         require(code == uint8(REJECTED_CODE_BASE.TRANSFER_OK), RuleWhitelist_InvalidTransfer(from, to, value, code));
     }
 
-    function transferred(address spender, address from, address to, uint256 value) public view {
+    function transferred(address spender, address from, address to, uint256 value) public {
         uint8 code = detectTransferRestrictionFrom(spender, from, to, value);
         require(code == uint8(REJECTED_CODE_BASE.TRANSFER_OK), RuleWhitelist_InvalidTransfer(from, to, value, code));
     }

src/modules/ERC3643ComplianceExtendedModule.sol

@@ -12,7 +12,12 @@ abstract contract ERC3643ComplianceExtendedModule is ERC3643ComplianceModule, IE
 
     mapping(address token => bool approved) private _tokenSelfBindingApproval;
 
-    /// @inheritdoc IERC3643ComplianceExtended
+    /**
+     * @inheritdoc IERC3643ComplianceExtended
+     * @custom:security-note See {bindToken} for multi-tenant accounting risks. All tokens bound
+     * in this batch share the same rule state. Only bind tokens that are equally trusted and
+     * governed together.
+     */
     function bindTokens(address[] calldata tokens) public virtual override onlyComplianceManager {
         for (uint256 i = 0; i < tokens.length; ++i) {
             _bindToken(tokens[i]);

src/modules/ERC3643ComplianceModule.sol

@@ -7,23 +7,20 @@ import {EnumerableSet} from "@openzeppelin/contracts/utils/structs/EnumerableSet
 import {Context} from "@openzeppelin/contracts/utils/Context.sol";
 /* ==== Interface and other library === */
 import {IERC3643Compliance} from "../interfaces/IERC3643Compliance.sol";
-
-abstract contract ERC3643ComplianceModule is Context, IERC3643Compliance {
+import {ERC3643ComplianceModuleInvariantStorage} from "./library/ERC3643ComplianceModuleInvariantStorage.sol";
+import {ERC3643ComplianceRolesStorage} from "./library/ERC3643ComplianceRolesStorage.sol";
+
+abstract contract ERC3643ComplianceModule is
+    Context,
+    IERC3643Compliance,
+    ERC3643ComplianceModuleInvariantStorage,
+    ERC3643ComplianceRolesStorage
+{
     /* ==== Type declaration === */
     using EnumerableSet for EnumerableSet.AddressSet;
     /* ==== State Variables === */
     // Token binding tracking
     EnumerableSet.AddressSet internal _boundTokens;
-    // Access Control
-    // Will not be present in the final bytecode if not used
-    bytes32 public constant COMPLIANCE_MANAGER_ROLE = keccak256("COMPLIANCE_MANAGER_ROLE");
-
-    /* ==== Errors === */
-    error RuleEngine_ERC3643Compliance_InvalidTokenAddress();
-    error RuleEngine_ERC3643Compliance_TokenAlreadyBound();
-    error RuleEngine_ERC3643Compliance_TokenNotBound();
-    error RuleEngine_ERC3643Compliance_UnauthorizedCaller();
-    error RuleEngine_ERC3643Compliance_OperationNotSuccessful();
 
     /* ==== Modifier === */
     modifier onlyBoundToken() {
@@ -46,6 +43,10 @@ abstract contract ERC3643ComplianceModule is Context, IERC3643Compliance {
      * @dev Operator warning: "multi-tenant" means one RuleEngine is shared by
      * multiple token contracts. In that setup, bind only tokens that are equally
      * trusted and governed together.
+     * @custom:security-note Operation rules (stateful rules such as `RuleConditionalTransferLight`
+     * or `RuleMintAllowance`) maintain per-address accounting that is shared across all bound tokens.
+     * Binding tokens from different issuers to the same engine will silently cross-contaminate
+     * their accounting. Only bind tokens that are equally trusted and governed together.
      */
     function bindToken(address token) public virtual override {
         _authorizeComplianceBindingChange(token);