@spencer-ritual
Refactor: extract BasePolicy + deriver architecture; keep BlockBuilderPolicy upgrade-safe

Summary

This PR refactors BlockBuilderPolicy by extracting reusable policy logic into a new abstract BasePolicy, and introduces a pluggable workload-derivation layer (IWorkloadDeriver) so workload ID derivation can evolve without rewriting policy code. The refactor is designed to preserve upgradeability by maintaining BlockBuilderPolicy’s storage layout.

Previous Discussion

Discussion occurred in #45 (comment)

What changed

  • New shared surface
    • Added src/BasePolicy.sol with common policy logic (addWorkloadToPolicy, removeWorkloadFromPolicy, getWorkloadMetadata, isAllowedPolicy, _cachedIsAllowedPolicy) and hooks for auth/deriver/cache
    • Added src/interfaces/IPolicyCommon.sol for shared WorkloadId type, WorkloadMetadata, and common events/errors
    • Added src/interfaces/IBasePolicy.sol for the shared policy interface
    • Added src/interfaces/IWorkloadDeriver.sol for injected workload derivation (workloadIdForQuote(bytes))
  • Deriver implementation
    • Added src/derivers/TDXWorkloadDeriver.sol containing the current TDX derivation logic behind IWorkloadDeriver
  • Refactored BlockBuilderPolicy
    • BlockBuilderPolicy now inherits BasePolicy and keeps block-builder-specific logic (EIP-712 domain, proof verification, permit nonce handling)
    • Added configurable workloadDeriver and wired it through initialize(...) and setWorkloadDeriver(...)
    • Overrode isAllowedPolicy to derive from registration.parsedReportBody to avoid re-parsing raw quotes on cache misses
      • Added a runtime guard in _setWorkloadDeriver to ensure the configured deriver supports the report-body derivation method assumed by the override
  • Examples
    • Added examples/DualDeriverPolicy.sol (UNAUDITED EXAMPLE) demonstrating a migration approach that tries an “old” and “new” deriver
    • Added examples/TDXTD15WorkloadDeriver.sol showing how a hypothetical future report-body format could be supported by swapping derivers
  • Tests + scripts
    • Added test/UpgradeRegression.t.sol to upgrade a proxy from a legacy policy implementation to the refactored BlockBuilderPolicy and assert state + behavior preservation
    • Added/updated tests for the examples (test/Examples.t.sol) and updated existing tests/scripts for the new initializer/deriver wiring

Why

  • Reuse shared policy logic for other policy types beyond block-building
  • Make workload ID derivation upgradeable/swappable via an injected deriver contract
  • Preserve production upgrade paths by keeping BlockBuilderPolicy storage layout compatible

Storage / upgradeability notes

  • BasePolicy only introduces shared storage in the original order (approvedWorkloads, registry) and uses hooks so derived contracts can own additional state
  • BlockBuilderPolicy keeps its existing slots and introduces workloadDeriver in reserved space; the upgrade regression test validates this end-to-end

Test plan

  • forge test
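Sketch of the injected-deriver pattern and the runtime guard described above, added here as an illustration and not taken from the PR's code. The IReportBodyDeriver interface, workloadIdForReportBody, the ERC-165 probe and the error name are assumptions about how such a guard could be built, not the project's actual identifiers.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added illustration, not the PR's code. Hypothetical names: IReportBodyDeriver,
// workloadIdForReportBody, DeriverLacksReportBodySupport; the ERC-165 probe is one
// way to implement the runtime guard the PR description mentions.
type WorkloadId is bytes32;

interface IWorkloadDeriver {
    function workloadIdForQuote(bytes calldata quote) external view returns (WorkloadId);
}
// Extra entry point an isAllowedPolicy override on parsed report bodies would rely on (hypothetical).
interface IReportBodyDeriver is IWorkloadDeriver {
    function workloadIdForReportBody(bytes calldata body) external view returns (WorkloadId);
}
interface IERC165 {
    function supportsInterface(bytes4 id) external view returns (bool);
}

abstract contract BasePolicy {
    mapping(WorkloadId => bool) internal approvedWorkloads; // original slot order kept first
    address internal registry;
    function _checkAuth() internal view virtual;                           // auth hook
    function _deriver() internal view virtual returns (IWorkloadDeriver);  // deriver hook

    function addWorkloadToPolicy(WorkloadId id) external {
        _checkAuth();
        approvedWorkloads[id] = true;
    }
    // Generic path: derive from the raw quote via the injected deriver.
    function isAllowedPolicy(bytes calldata quote) public view virtual returns (bool) {
        return approvedWorkloads[_deriver().workloadIdForQuote(quote)];
    }
}

contract BlockBuilderPolicySketch is BasePolicy {
    error DeriverLacksReportBodySupport(address deriver);
    address public owner;
    IReportBodyDeriver internal workloadDeriver; // would live in reserved space in a proxy-upgraded contract
    constructor() { owner = msg.sender; }        // a real proxy target would use initialize(...)

    function _checkAuth() internal view override { require(msg.sender == owner, "not owner"); }
    function _deriver() internal view override returns (IWorkloadDeriver) { return workloadDeriver; }

    // Runtime guard: refuse a deriver that cannot serve the report-body path the override needs.
    function _setWorkloadDeriver(address d) internal {
        (bool ok, bytes memory ret) = d.staticcall(
            abi.encodeCall(IERC165.supportsInterface, (type(IReportBodyDeriver).interfaceId)));
        if (!ok || ret.length < 32 || !abi.decode(ret, (bool))) revert DeriverLacksReportBodySupport(d);
        workloadDeriver = IReportBodyDeriver(d);
    }
    function setWorkloadDeriver(address d) external { _checkAuth(); _setWorkloadDeriver(d); }
}
```

A deriver that only implements workloadIdForQuote fails the probe, so a misconfigured upgrade reverts at setWorkloadDeriver time rather than at the first cache miss.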
