@bloxchain/contracts 1.0.0-alpha.2 → 1.0.0-alpha.20

package/abi/SecureOwnableDefinitions.abi.json

@@ -290,6 +290,11 @@
             "name": "supportedActionsBitmap",
             "type": "uint16"
           },
+          {
+            "internalType": "bool",
+            "name": "enforceHandlerRelations",
+            "type": "bool"
+          },
           {
             "internalType": "bool",
             "name": "isProtected",

package/components/README.md

@@ -0,0 +1,8 @@
+# Bloxchain Components
+
+Official **components** built on top of `core/` that form a component library for building applications. These are maintained by the protocol team and sit outside the minimal engine.
+
+
+## Structure
+
+Subfolders will be added by domain as components are added.

package/core/access/RuntimeRBAC.sol

@@ -1,270 +1,255 @@
-// SPDX-License-Identifier: MPL-2.0
-pragma solidity 0.8.33;
-
-// Contract imports
-import "../base/BaseStateMachine.sol";
-import "../lib/EngineBlox.sol";
-import "../../utils/SharedValidation.sol";
-import "./lib/definitions/RuntimeRBACDefinitions.sol";
-import "../../interfaces/IDefinition.sol";
-import "./interface/IRuntimeRBAC.sol";
-
-/**
- * @title RuntimeRBAC
- * @dev Minimal Runtime Role-Based Access Control system based on EngineBlox
- * 
- * This contract provides essential runtime RBAC functionality:
- * - Creation of non-protected roles
- * - Basic wallet assignment to roles
- * - Function permission management per role
- * - Integration with EngineBlox for secure operations
- * 
- * Key Features:
- * - Only non-protected roles can be created dynamically
- * - Protected roles (OWNER, BROADCASTER, RECOVERY) are managed by SecureOwnable
- * - Minimal interface for core RBAC operations
- * - Essential role management functions only
- */
-abstract contract RuntimeRBAC is BaseStateMachine {
-    using EngineBlox for EngineBlox.SecureOperationState;
-    using SharedValidation for *;
-
-    /**
-     * @dev Action types for batched RBAC configuration (must match IRuntimeRBAC for encoding)
-     */
-    enum RoleConfigActionType {
-        CREATE_ROLE,
-        REMOVE_ROLE,
-        ADD_WALLET,
-        REVOKE_WALLET,
-        ADD_FUNCTION_TO_ROLE,
-        REMOVE_FUNCTION_FROM_ROLE
-    }
-
-    /**
-     * @dev Encodes a single RBAC configuration action in a batch (must match IRuntimeRBAC for encoding)
-     */
-    struct RoleConfigAction {
-        RoleConfigActionType actionType;
-        bytes data;
-    }
-
-    /**
-     * @notice Initializer to initialize RuntimeRBAC
-     * @param initialOwner The initial owner address
-     * @param broadcaster The broadcaster address
-     * @param recovery The recovery address
-     * @param timeLockPeriodSec The timelock period in seconds
-     * @param eventForwarder The event forwarder address 
-     */
-    function initialize(
-        address initialOwner,
-        address broadcaster,
-        address recovery,
-        uint256 timeLockPeriodSec,
-        address eventForwarder
-    ) public virtual onlyInitializing {
-        // Initialize base state machine (only if not already initialized)
-        if (!_secureState.initialized) {
-            _initializeBaseStateMachine(initialOwner, broadcaster, recovery, timeLockPeriodSec, eventForwarder);
-        }
-        
-        // Load RuntimeRBAC-specific definitions
-        IDefinition.RolePermission memory permissions = RuntimeRBACDefinitions.getRolePermissions();
-        _loadDefinitions(
-            RuntimeRBACDefinitions.getFunctionSchemas(),
-            permissions.roleHashes,
-            permissions.functionPermissions,
-            true // Allow protected schemas for factory settings
-        );
-    }
-
-    // ============ INTERFACE SUPPORT ============
-
-    /**
-     * @dev See {IERC165-supportsInterface}.
-     * @notice Adds IRuntimeRBAC interface ID for component detection
-     */
-    function supportsInterface(bytes4 interfaceId) public view virtual override returns (bool) {
-        return interfaceId == type(IRuntimeRBAC).interfaceId || super.supportsInterface(interfaceId);
-    }
-
-    // ============ ROLE CONFIGURATION BATCH INTERFACE ============
-
-    /**
-     * @dev Requests and approves a RBAC configuration batch using a meta-transaction
-     * @param metaTx The meta-transaction
-     * @return The transaction record
-     * @notice OWNER signs, BROADCASTER executes according to RuntimeRBACDefinitions
-     */
-    function roleConfigBatchRequestAndApprove(
-        EngineBlox.MetaTransaction memory metaTx
-    ) public returns (EngineBlox.TxRecord memory) {
-        _validateBroadcaster(msg.sender);
-        return _requestAndApproveTransaction(metaTx);
-    }
-
-    /**
-     * @dev External function that can only be called by the contract itself to execute a RBAC configuration batch
-     * @param actions Encoded role configuration actions
-     */
-    function executeRoleConfigBatch(RoleConfigAction[] calldata actions) external {
-        _validateExecuteBySelf();
-        _executeRoleConfigBatch(actions);
-    }
-
-    // Essential Query Functions Only
-
-    /**
-     * @dev Gets function schema information
-     * @param functionSelector The function selector to get information for
-     * @return functionSignature The function signature or name
-     * @return functionSelectorReturn The function selector
-     * @return operationType The operation type
-     * @return operationName The operation name
-     * @return supportedActions The supported actions
-     * @return isProtected Whether the function schema is protected
-     */
-    function getFunctionSchema(bytes4 functionSelector) external view returns (
-        string memory functionSignature,
-        bytes4 functionSelectorReturn,
-        bytes32 operationType,
-        string memory operationName,
-        EngineBlox.TxAction[] memory supportedActions,
-        bool isProtected
-    ) {
-        EngineBlox.FunctionSchema storage schema = _getSecureState().functions[functionSelector];
-        if (schema.functionSelector != functionSelector) {
-            revert SharedValidation.ResourceNotFound(bytes32(functionSelector));
-        }
-        
-        // Convert bitmap to array
-        supportedActions = _convertBitmapToActions(schema.supportedActionsBitmap);
-        
-        return (
-            schema.functionSignature,
-            schema.functionSelector,
-            schema.operationType,
-            schema.operationName,
-            supportedActions,
-            schema.isProtected
-        );
-    }
-
-
-    // ============ HELPER FUNCTIONS ============
-
-    /**
-     * @dev Reverts if the role is protected (prevents editing OWNER, BROADCASTER, RECOVERY via batch).
-     * @param roleHash The role hash to check
-     */
-    function _requireRoleNotProtected(bytes32 roleHash) internal view {
-        if (_getSecureState().roles[roleHash].isProtected) {
-            revert SharedValidation.CannotModifyProtected(roleHash);
-        }
-    }
-
-    /**
-     * @dev Internal helper to execute a RBAC configuration batch
-     * @param actions Encoded role configuration actions
-     */
-    function _executeRoleConfigBatch(RoleConfigAction[] calldata actions) internal {
-        _validateBatchSize(actions.length);
-
-        for (uint256 i = 0; i < actions.length; i++) {
-            RoleConfigAction calldata action = actions[i];
-
-            if (action.actionType == RoleConfigActionType.CREATE_ROLE) {
-                // Decode CREATE_ROLE action data
-                // Format: (string roleName, uint256 maxWallets, FunctionPermission[] functionPermissions)
-                // FunctionPermission is struct(bytes4 functionSelector, uint16 grantedActionsBitmap, bytes4 handlerForSelector)
-                // When encoding from JavaScript, it's encoded as tuple(bytes4,uint16,bytes4)[]
-                // Solidity can decode tuple[] directly into struct[] if the layout matches
-                (
-                    string memory roleName,
-                    uint256 maxWallets,
-                    EngineBlox.FunctionPermission[] memory functionPermissions
-                ) = abi.decode(action.data, (string, uint256, EngineBlox.FunctionPermission[]));
-
-                bytes32 roleHash = _createNewRole(roleName, maxWallets, functionPermissions);
-
-                _logComponentEvent(_encodeRoleConfigEvent(RoleConfigActionType.CREATE_ROLE, roleHash, bytes4(0)));
-            } else if (action.actionType == RoleConfigActionType.REMOVE_ROLE) {
-                (bytes32 roleHash) = abi.decode(action.data, (bytes32));
-                _removeRole(roleHash);
-
-                _logComponentEvent(_encodeRoleConfigEvent(RoleConfigActionType.REMOVE_ROLE, roleHash, bytes4(0)));
-            } else if (action.actionType == RoleConfigActionType.ADD_WALLET) {
-                (bytes32 roleHash, address wallet) = abi.decode(action.data, (bytes32, address));
-                _requireRoleNotProtected(roleHash);
-                _assignWallet(roleHash, wallet);
-
-                _logComponentEvent(_encodeRoleConfigEvent(RoleConfigActionType.ADD_WALLET, roleHash, bytes4(0)));
-            } else if (action.actionType == RoleConfigActionType.REVOKE_WALLET) {
-                (bytes32 roleHash, address wallet) = abi.decode(action.data, (bytes32, address));
-                _requireRoleNotProtected(roleHash);
-                _revokeWallet(roleHash, wallet);
-
-                _logComponentEvent(_encodeRoleConfigEvent(RoleConfigActionType.REVOKE_WALLET, roleHash, bytes4(0)));
-            } else if (action.actionType == RoleConfigActionType.ADD_FUNCTION_TO_ROLE) {
-                (
-                    bytes32 roleHash,
-                    EngineBlox.FunctionPermission memory functionPermission
-                ) = abi.decode(action.data, (bytes32, EngineBlox.FunctionPermission));
-
-                _addFunctionToRole(roleHash, functionPermission);
-
-                _logComponentEvent(_encodeRoleConfigEvent(RoleConfigActionType.ADD_FUNCTION_TO_ROLE, roleHash, functionPermission.functionSelector));
-            } else if (action.actionType == RoleConfigActionType.REMOVE_FUNCTION_FROM_ROLE) {
-                (bytes32 roleHash, bytes4 functionSelector) = abi.decode(action.data, (bytes32, bytes4));
-                _removeFunctionFromRole(roleHash, functionSelector);
-
-                _logComponentEvent(_encodeRoleConfigEvent(RoleConfigActionType.REMOVE_FUNCTION_FROM_ROLE, roleHash, functionSelector));
-            } else {
-                revert SharedValidation.NotSupported();
-            }
-        }
-    }
-
-    /**
-     * @dev Encodes RBAC config event payload for ComponentEvent. Decode as (RoleConfigActionType, bytes32 roleHash, bytes4 functionSelector).
-     */
-    function _encodeRoleConfigEvent(RoleConfigActionType action, bytes32 roleHash, bytes4 selector) internal pure returns (bytes memory) {
-        return abi.encode(action, roleHash, selector);
-    }
-
-    // ============ INTERNAL ROLE / FUNCTION HELPERS ============
-
-    function _createNewRole(
-        string memory roleName,
-        uint256 maxWallets,
-        EngineBlox.FunctionPermission[] memory functionPermissions
-    ) internal returns (bytes32 roleHash) {
-        SharedValidation.validateRoleNameNotEmpty(roleName);
-        SharedValidation.validateMaxWalletsGreaterThanZero(maxWallets);
-
-        roleHash = keccak256(bytes(roleName));
-
-        // Create the role in the secure state with isProtected = false
-        _createRole(roleName, maxWallets, false);
-
-        // Add all function permissions to the role
-        // NOTE: Function schemas must be registered BEFORE adding permissions to roles
-        // This is the same pattern used in _loadDefinitions: schemas first, then permissions
-        // The function selectors in functionPermissions must exist in supportedFunctionsSet
-        // (they should be registered during initialize() via RuntimeRBACDefinitions)
-        // 
-        // CRITICAL: The order matters - _loadDefinitions loads schemas FIRST, then permissions
-        // In _createNewRole, we assume schemas are already registered (from initialize)
-        // If schemas aren't registered, addFunctionToRole will revert with ResourceNotFound
-        for (uint256 i = 0; i < functionPermissions.length; i++) {
-            // Add function permission to role
-            // addFunctionToRole will check:
-            // 1. Role exists in supportedRolesSet (✅ just created)
-            // 2. Function selector exists in supportedFunctionsSet (must be registered during initialize)
-            // 3. Actions are supported by function schema (via _validateMetaTxPermissions)
-            _addFunctionToRole(roleHash, functionPermissions[i]);
-        }
-    }
-
-}
+// SPDX-License-Identifier: MPL-2.0
+pragma solidity 0.8.34;
+
+// Contract imports
+import "../base/BaseStateMachine.sol";
+import "../lib/EngineBlox.sol";
+import "../lib/utils/SharedValidation.sol";
+import "./lib/definitions/RuntimeRBACDefinitions.sol";
+import "../lib/interfaces/IDefinition.sol";
+import "./interface/IRuntimeRBAC.sol";
+
+/**
+ * @title RuntimeRBAC
+ * @dev Minimal Runtime Role-Based Access Control system based on EngineBlox
+ *
+ * This contract provides essential runtime RBAC functionality:
+ * - Creation of non-protected roles
+ * - Basic wallet assignment to roles
+ * - Function permission management per role
+ * - Integration with EngineBlox for secure operations
+ *
+ * Key Features:
+ * - Only non-protected roles can be created dynamically
+ * - Protected roles (OWNER, BROADCASTER, RECOVERY) are managed by SecureOwnable
+ * - Minimal interface for core RBAC operations
+ * - Essential role management functions only
+ *
+ * @custom:security PROTECTED-ROLE POLICY (defense in layers):
+ * - RuntimeRBAC is **unauthorized** to modify protected roles (wallet add/revoke/remove).
+ * - For ADD_WALLET and REVOKE_WALLET we call _requireRoleNotProtected so batch ops cannot
+ *   change who holds system roles. For REMOVE_ROLE we rely on EngineBlox.removeRole, which
+ *   enforces the same policy at the library layer (cannot remove protected roles).
+ * - Function-permission updates on protected roles are intentionally supported for flexibility,
+ *   but EngineBlox.removeFunctionFromRole still blocks removal of protected function schemas
+ *   (isProtected == true). This prevents bricking core protected operations like ownership flow
+ *   selectors while still allowing policy updates for non-protected selectors.
+ * - The **only** place to modify system wallets (protected roles) is the SecureOwnable
+ *   security component (e.g. transferOwnershipRequest, broadcaster/recovery changes).
+ * - This layering is intentional: RBAC cannot touch protected roles; SecureOwnable is the
+ *   single source of truth for system wallet changes.
+ */
+abstract contract RuntimeRBAC is BaseStateMachine, IRuntimeRBAC {
+    using EngineBlox for EngineBlox.SecureOperationState;
+    using SharedValidation for *;
+
+    /**
+     * @notice Initializer to initialize RuntimeRBAC
+     * @param initialOwner The initial owner address
+     * @param broadcaster The broadcaster address
+     * @param recovery The recovery address
+     * @param timeLockPeriodSec The timelock period in seconds
+     * @param eventForwarder The event forwarder address 
+     */
+    function initialize(
+        address initialOwner,
+        address broadcaster,
+        address recovery,
+        uint256 timeLockPeriodSec,
+        address eventForwarder
+    ) public virtual onlyInitializing {
+        _initializeBaseStateMachine(initialOwner, broadcaster, recovery, timeLockPeriodSec, eventForwarder);
+
+        // Load RuntimeRBAC-specific definitions
+        IDefinition.RolePermission memory permissions = RuntimeRBACDefinitions.getRolePermissions();
+        _loadDefinitions(
+            RuntimeRBACDefinitions.getFunctionSchemas(),
+            permissions.roleHashes,
+            permissions.functionPermissions,
+            true // Enforce all function schemas are protected
+        );
+    }
+
+    // ============ INTERFACE SUPPORT ============
+
+    /**
+     * @dev See {IERC165-supportsInterface}.
+     * @notice Adds IRuntimeRBAC interface ID for component detection
+     */
+    function supportsInterface(bytes4 interfaceId) public view virtual override returns (bool) {
+        return interfaceId == type(IRuntimeRBAC).interfaceId || super.supportsInterface(interfaceId);
+    }
+
+    // ============ ROLE CONFIGURATION BATCH INTERFACE ============
+
+    /**
+     * @dev Requests and approves a RBAC configuration batch using a meta-transaction
+     * @param metaTx The meta-transaction
+     * @return The transaction ID of the applied batch
+     * @notice OWNER signs, BROADCASTER executes according to RuntimeRBACDefinitions
+     */
+    function roleConfigBatchRequestAndApprove(
+        EngineBlox.MetaTransaction memory metaTx
+    ) public returns (uint256) {
+        _validateBroadcaster(msg.sender);
+        SharedValidation.validateEmptyPayment(
+            metaTx.txRecord.payment.recipient,
+            metaTx.txRecord.payment.nativeTokenAmount,
+            metaTx.txRecord.payment.erc20TokenAddress,
+            metaTx.txRecord.payment.erc20TokenAmount
+        );
+        EngineBlox.TxRecord memory txRecord = _requestAndApproveTransaction(metaTx);
+        return txRecord.txId;
+    }
+
+    /**
+     * @dev External function that can only be called by the contract itself to execute a RBAC configuration batch
+     * @param actions Encoded role configuration actions
+     *
+     * ## Role config batch ordering (required to avoid revert and gas waste)
+     *
+     * Actions must be ordered so that dependencies are satisfied:
+     * - **CREATE_ROLE** must appear before **ADD_WALLET** or **ADD_FUNCTION_TO_ROLE** for the same role; otherwise the role does not exist and the add will revert.
+     * - **REMOVE_ROLE** should be used only for an existing role; use **REVOKE_WALLET** first if the role has assigned wallets (optional but recommended for clarity).
+     * - For a given role, typical order: CREATE_ROLE → ADD_WALLET / ADD_FUNCTION_TO_ROLE as needed; to remove: REVOKE_WALLET (and REMOVE_FUNCTION_FROM_ROLE) as needed → REMOVE_ROLE.
+     */
+    function executeRoleConfigBatch(IRuntimeRBAC.RoleConfigAction[] calldata actions) external {
+        _validateExecuteBySelf();
+        _executeRoleConfigBatch(actions);
+    }
+
+    // ============ HELPER FUNCTIONS ============
+
+    /**
+     * @dev Reverts if the role is protected (prevents editing OWNER, BROADCASTER, RECOVERY via batch).
+     *      Used for ADD_WALLET and REVOKE_WALLET so RuntimeRBAC cannot change who holds system roles.
+     *      REMOVE_ROLE is not checked here; EngineBlox.removeRole enforces protected-role policy at
+     *      the library layer. See contract-level @custom:security PROTECTED-ROLE POLICY.
+     * @param roleHash The role hash to check
+     */
+    function _requireRoleNotProtected(bytes32 roleHash) internal view {
+        if (_getSecureState().roles[roleHash].isProtected) {
+            revert SharedValidation.CannotModifyProtected(roleHash);
+        }
+    }
+
+    /**
+     * @dev Internal helper to execute a RBAC configuration batch
+     * @param actions Encoded role configuration actions
+     *
+     * @custom:order Required ordering to avoid revert and gas waste:
+     *   1. CREATE_ROLE before any ADD_WALLET or ADD_FUNCTION_TO_ROLE for that role.
+     *   2. REMOVE_ROLE only for a role that exists; prefer REVOKE_WALLET (and REMOVE_FUNCTION_FROM_ROLE) before REMOVE_ROLE when the role has members.
+     */
+    function _executeRoleConfigBatch(IRuntimeRBAC.RoleConfigAction[] calldata actions) internal {
+        _validateBatchSize(actions.length);
+
+        for (uint256 i = 0; i < actions.length; ++i) {
+            IRuntimeRBAC.RoleConfigAction calldata action = actions[i];
+
+            if (action.actionType == IRuntimeRBAC.RoleConfigActionType.CREATE_ROLE) {
+                _executeCreateRole(action.data);
+            } else if (action.actionType == IRuntimeRBAC.RoleConfigActionType.REMOVE_ROLE) {
+                _executeRemoveRole(action.data);
+            } else if (action.actionType == IRuntimeRBAC.RoleConfigActionType.ADD_WALLET) {
+                _executeAddWallet(action.data);
+            } else if (action.actionType == IRuntimeRBAC.RoleConfigActionType.REVOKE_WALLET) {
+                _executeRevokeWallet(action.data);
+            } else if (action.actionType == IRuntimeRBAC.RoleConfigActionType.ADD_FUNCTION_TO_ROLE) {
+                _executeAddFunctionToRole(action.data);
+            } else if (action.actionType == IRuntimeRBAC.RoleConfigActionType.REMOVE_FUNCTION_FROM_ROLE) {
+                _executeRemoveFunctionFromRole(action.data);
+            } else {
+                revert SharedValidation.NotSupported();
+            }
+        }
+    }
+
+    /**
+     * @dev Executes CREATE_ROLE: creates a new non-protected role
+     * @param data ABI-encoded (string roleName, uint256 maxWallets)
+     */
+    function _executeCreateRole(bytes calldata data) internal {
+        (string memory roleName, uint256 maxWallets) = abi.decode(data, (string, uint256));
+        bytes32 roleHash = _createRole(roleName, maxWallets, false);
+        _logRoleConfigEvent(IRuntimeRBAC.RoleConfigActionType.CREATE_ROLE, roleHash, bytes4(0), address(0));
+    }
+
+    /**
+     * @dev Executes REMOVE_ROLE: removes a role by hash.
+     *      Protected-role check is enforced in EngineBlox.removeRole (library layer); RuntimeRBAC
+     *      does not duplicate it here. SecureOwnable is the only component authorized to change
+     *      system wallets; RBAC is unauthorized to modify protected roles. See @custom:security
+     *      PROTECTED-ROLE POLICY on the contract.
+     * @param data ABI-encoded (bytes32 roleHash)
+     */
+    function _executeRemoveRole(bytes calldata data) internal {
+        (bytes32 roleHash) = abi.decode(data, (bytes32));
+        _removeRole(roleHash);
+        _logRoleConfigEvent(IRuntimeRBAC.RoleConfigActionType.REMOVE_ROLE, roleHash, bytes4(0), address(0));
+    }
+
+    /**
+     * @dev Executes ADD_WALLET: assigns a wallet to a role (role must not be protected)
+     * @param data ABI-encoded (bytes32 roleHash, address wallet)
+     */
+    function _executeAddWallet(bytes calldata data) internal {
+        (bytes32 roleHash, address wallet) = abi.decode(data, (bytes32, address));
+        _requireRoleNotProtected(roleHash);
+        _assignWallet(roleHash, wallet);
+        _logRoleConfigEvent(IRuntimeRBAC.RoleConfigActionType.ADD_WALLET, roleHash, bytes4(0), wallet);
+    }
+
+    /**
+     * @dev Executes REVOKE_WALLET: revokes a wallet from a role (role must not be protected)
+     * @param data ABI-encoded (bytes32 roleHash, address wallet)
+     */
+    function _executeRevokeWallet(bytes calldata data) internal {
+        (bytes32 roleHash, address wallet) = abi.decode(data, (bytes32, address));
+        _requireRoleNotProtected(roleHash);
+        _revokeWallet(roleHash, wallet);
+        _logRoleConfigEvent(IRuntimeRBAC.RoleConfigActionType.REVOKE_WALLET, roleHash, bytes4(0), wallet);
+    }
+
+    /**
+     * @dev Executes ADD_FUNCTION_TO_ROLE: adds a function permission to a role.
+     * @param data ABI-encoded (bytes32 roleHash, FunctionPermission functionPermission)
+     * @custom:security By design we allow adding function permissions to protected roles (OWNER, BROADCASTER, RECOVERY)
+     *                 to retain flexibility to grant new function permissions to system roles; only wallet add/revoke
+     *                 are restricted on protected roles.
+     */
+    function _executeAddFunctionToRole(bytes calldata data) internal {
+        (
+            bytes32 roleHash,
+            EngineBlox.FunctionPermission memory functionPermission
+        ) = abi.decode(data, (bytes32, EngineBlox.FunctionPermission));
+        _addFunctionToRole(roleHash, functionPermission);
+        _logRoleConfigEvent(IRuntimeRBAC.RoleConfigActionType.ADD_FUNCTION_TO_ROLE, roleHash, functionPermission.functionSelector, address(0));
+    }
+
+    /**
+     * @dev Executes REMOVE_FUNCTION_FROM_ROLE: removes a function permission from a role.
+     * @param data ABI-encoded (bytes32 roleHash, bytes4 functionSelector)
+     * @custom:security By design we allow removing function permissions from protected roles (OWNER, BROADCASTER, RECOVERY)
+     *                 to retain flexibility to adjust which functions system roles can call; only wallet add/revoke
+     *                 are restricted on protected roles. EngineBlox.removeFunctionFromRole still blocks
+     *                 removing protected function schemas (isProtected == true), so critical protected
+     *                 selectors cannot be stripped from roles.
+     */
+    function _executeRemoveFunctionFromRole(bytes calldata data) internal {
+        (bytes32 roleHash, bytes4 functionSelector) = abi.decode(data, (bytes32, bytes4));
+        _removeFunctionFromRole(roleHash, functionSelector);
+        _logRoleConfigEvent(IRuntimeRBAC.RoleConfigActionType.REMOVE_FUNCTION_FROM_ROLE, roleHash, functionSelector, address(0));
+    }
+
+    /**
+     * @dev Encodes and logs a role config event via ComponentEvent. Payload decodes as (RoleConfigActionType, bytes32 roleHash, bytes4 functionSelector, address wallet).
+     * @param action The role config action type
+     * @param roleHash The role hash
+     * @param selector The function selector (or zero for N/A)
+     * @param wallet The wallet address (or zero for actions that do not apply to a wallet)
+     */
+    function _logRoleConfigEvent(IRuntimeRBAC.RoleConfigActionType action, bytes32 roleHash, bytes4 selector, address wallet) internal {
+        _logComponentEvent(abi.encode(action, roleHash, selector, wallet));
+    }
+}