npm - @etherisc/gif-next - Versions diffs - 0.0.2-9d3eab3-323 → 0.0.2-9dd1984-016 - Mend

@etherisc/gif-next 0.0.2-9d3eab3-323 → 0.0.2-9dd1984-016

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (222) hide show

package/contracts/instance/InstanceAccessManager.sol CHANGED Viewed

@@ -4,92 +4,52 @@ pragma solidity ^0.8.20;
 import {EnumerableSet} from "@openzeppelin/contracts/utils/structs/EnumerableSet.sol";
 import {ShortString, ShortStrings} from "@openzeppelin/contracts/utils/ShortStrings.sol";
 import {AccessManagedUpgradeable} from "@openzeppelin/contracts-upgradeable/access/manager/AccessManagedUpgradeable.sol";
-import {AccessManagerUpgradeable} from "@openzeppelin/contracts-upgradeable/access/manager/AccessManagerUpgradeable.sol";
-import {IBundle} from "./module/IBundle.sol";
-import {IPolicy} from "./module/IPolicy.sol";
-import {IRisk} from "./module/IRisk.sol";
-import {ISetup} from "./module/ISetup.sol";
-import {Key32, KeyId, Key32Lib} from "../types/Key32.sol";
-import {KeyValueStore} from "./base/KeyValueStore.sol";
-import {NftId} from "../types/NftId.sol";
-import {NumberId} from "../types/NumberId.sol";
-import {ObjectType, BUNDLE, DISTRIBUTION, POLICY, POOL, ROLE, PRODUCT, TARGET} from "../types/ObjectType.sol";
-import {RiskId, RiskIdLib} from "../types/RiskId.sol";
-import {RoleId, RoleIdLib} from "../types/RoleId.sol";
-import {StateId, ACTIVE} from "../types/StateId.sol";
-import {Timestamp, TimestampLib} from "../types/Timestamp.sol";
+import {AccessManagerUpgradeableInitializeable} from "../../contracts/instance/AccessManagerUpgradeableInitializeable.sol";
+import {RoleId, RoleIdLib } from "../types/RoleId.sol";
+import {TimestampLib} from "../types/Timestamp.sol";
+import {IAccess} from "./module/IAccess.sol";
 contract InstanceAccessManager is
     AccessManagedUpgradeable
 {
+    using RoleIdLib for RoleId;
     string public constant ADMIN_ROLE_NAME = "AdminRole";
     string public constant PUBLIC_ROLE_NAME = "PublicRole";
     uint64 public constant CUSTOM_ROLE_ID_MIN = 10000;
     uint32 public constant EXECUTION_DELAY = 0;
-    struct RoleInfo {
-        ShortString name;
-        bool isCustom;
-        bool isLocked;
-        Timestamp createdAt;
-        Timestamp updatedAt;
-    }
-    struct TargetInfo {
-        ShortString name;
-        bool isCustom;
-        bool isLocked;
-        Timestamp createdAt;
-        Timestamp updatedAt;
-    }
-    error ErrorRoleIdInvalid(RoleId roleId);
-    error ErrorRoleIdTooBig(RoleId roleId);
-    error ErrorRoleIdTooSmall(RoleId roleId);
-    error ErrorRoleIdAlreadyExists(RoleId roleId, ShortString name);
-    error ErrorRoleIdNotActive(RoleId roleId);
-    error ErrorRoleNameEmpty(RoleId roleId);
-    error ErrorRoleNameNotUnique(RoleId roleId, ShortString name);
-    error ErrorRoleInvalidUpdate(RoleId roleId, bool isCustom);
-    error ErrorRoleIsCustomIsImmutable(RoleId roleId, bool isCustom, bool isCustomExisting);
-    error ErrorSetLockedForNonexstentRole(RoleId roleId);
-    error ErrorGrantNonexstentRole(RoleId roleId);
-    error ErrorRevokeNonexstentRole(RoleId roleId);
-    error ErrorRenounceNonexstentRole(RoleId roleId);
-    error ErrorTargetAddressZero();
-    error ErrorTargetAlreadyExists(address target, ShortString name);
-    error ErrorTargetNameEmpty(address target);
-    error ErrorTargetNameExists(address target, address existingTarget, ShortString name);
-    error ErrorSetLockedForNonexstentTarget(address target);
     // role specific state
-    mapping(RoleId roleId => RoleInfo info) internal _role;
+    mapping(RoleId roleId => IAccess.RoleInfo info) internal _role;
     mapping(RoleId roleId => EnumerableSet.AddressSet roleMembers) internal _roleMembers;
     mapping(ShortString name => RoleId roleId) internal _roleForName;
     RoleId [] internal _roles;
     // target specific state
-    mapping(address target => TargetInfo info) internal _target;
+    mapping(address target => IAccess.TargetInfo info) internal _target;
     mapping(ShortString name => address target) internal _targetForName;
     address [] internal _targets;
-    AccessManagerUpgradeable internal _accessManager;
+    AccessManagerUpgradeableInitializeable internal _accessManager;
-    constructor(address accessManager)
+    function __InstanceAccessManager_initialize(address initialAdmin) external initializer
     {
-        _accessManager = AccessManagerUpgradeable(accessManager);
-        __AccessManaged_init(accessManager);
+        // if size of the contract gets too large, this can be externalized which will reduce the contract size considerably
+        _accessManager = new AccessManagerUpgradeableInitializeable();
+        // this service required adin rights to access manager to be able to grant/revoke roles
+        _accessManager.__AccessManagerUpgradeableInitializeable_init(address(this));
+        _accessManager.grantRole(_accessManager.ADMIN_ROLE(), initialAdmin, 0);
+        __AccessManaged_init(address(_accessManager));
         _createRole(RoleIdLib.toRoleId(_accessManager.ADMIN_ROLE()), ADMIN_ROLE_NAME, false, false);
         _createRole(RoleIdLib.toRoleId(_accessManager.PUBLIC_ROLE()), PUBLIC_ROLE_NAME, false, false);
     }
     //--- Role ------------------------------------------------------//
-    function createDefaultRole(RoleId roleId, string memory name) external restricted() {
+    function createGifRole(RoleId roleId, string memory name) external restricted() {
         _createRole(roleId, name, false, true);
     }
@@ -99,7 +59,7 @@ contract InstanceAccessManager is
     function setRoleLocked(RoleId roleId, bool locked) external restricted() {
         if (!roleExists(roleId)) {
-            revert ErrorSetLockedForNonexstentRole(roleId);
+            revert IAccess.ErrorIAccessSetLockedForNonexstentRole(roleId);
         }
         _role[roleId].isLocked = locked;
@@ -112,11 +72,11 @@ contract InstanceAccessManager is
     function grantRole(RoleId roleId, address member) external restricted() returns (bool granted) {
         if (!roleExists(roleId)) {
-            revert ErrorGrantNonexstentRole(roleId);
+            revert IAccess.ErrorIAccessGrantNonexstentRole(roleId);
         }
         if (_role[roleId].isLocked) {
-            revert ErrorRoleIdNotActive(roleId);
+            revert IAccess.ErrorIAccessRoleIdNotActive(roleId);
         }
         if (!EnumerableSet.contains(_roleMembers[roleId], member)) {
@@ -130,7 +90,7 @@ contract InstanceAccessManager is
     function revokeRole(RoleId roleId, address member) external restricted() returns (bool revoked) {
         if (!roleExists(roleId)) {
-            revert ErrorRevokeNonexstentRole(roleId);
+            revert IAccess.ErrorIAccessRevokeNonexstentRole(roleId);
         }
         if (EnumerableSet.contains(_roleMembers[roleId], member)) {
@@ -148,7 +108,7 @@ contract InstanceAccessManager is
         address member = msg.sender;
         if (!roleExists(roleId)) {
-            revert ErrorRenounceNonexstentRole(roleId);
+            revert IAccess.ErrorIAccessRenounceNonexstentRole(roleId);
         }
         if (EnumerableSet.contains(_roleMembers[roleId], member)) {
@@ -173,7 +133,7 @@ contract InstanceAccessManager is
         return _roleForName[ShortStrings.toShortString(name)];
     }
-    function getRole(RoleId roleId) external view returns (RoleInfo memory role) {
+    function getRole(RoleId roleId) external view returns (IAccess.RoleInfo memory role) {
         return _role[roleId];
     }
@@ -190,13 +150,19 @@ contract InstanceAccessManager is
     }
     //--- Target ------------------------------------------------------//
+    function createGifTarget(address target, string memory name) external restricted() {
+        _createTarget(target, name, false, true);
+    }
     function createTarget(address target, string memory name) external restricted() {
         _createTarget(target, name, true, true);
     }
-    function setTargetLocked(address target, bool locked) external restricted() {
-        if (!targetExists(target)) {
-            revert ErrorSetLockedForNonexstentTarget(target);
+    function setTargetLocked(string memory targetName, bool locked) external restricted() {
+        address target = _targetForName[ShortStrings.toShortString(targetName)];
+        if (target == address(0)) {
+            revert IAccess.ErrorIAccessSetLockedForNonexstentTarget(target);
         }
         _target[target].isLocked = locked;
@@ -214,7 +180,7 @@ contract InstanceAccessManager is
             _validateRoleParameters(roleId, name, isCustom);
         }
-        RoleInfo memory role = RoleInfo(
+        IAccess.RoleInfo memory role = IAccess.RoleInfo(
             ShortStrings.toShortString(name),
             isCustom,
             false, // role un-locked,
@@ -233,35 +199,35 @@ contract InstanceAccessManager is
     )
         internal
         view
-        returns (RoleInfo memory existingRole)
+        returns (IAccess.RoleInfo memory existingRole)
     {
         // check role id
         uint64 roleIdInt = RoleId.unwrap(roleId);
         if(roleIdInt == _accessManager.ADMIN_ROLE() || roleIdInt == _accessManager.PUBLIC_ROLE()) {
-            revert ErrorRoleIdInvalid(roleId);
+            revert IAccess.ErrorIAccessRoleIdInvalid(roleId);
         }
         // prevent changing isCustom for existing roles
         existingRole = _role[roleId];
         if (existingRole.createdAt.gtz() && isCustom != existingRole.isCustom) {
-            revert ErrorRoleIsCustomIsImmutable(roleId, isCustom, existingRole.isCustom);
+            revert IAccess.ErrorIAccessRoleIsCustomIsImmutable(roleId, isCustom, existingRole.isCustom);
         }
         if (isCustom && roleIdInt < CUSTOM_ROLE_ID_MIN) {
-            revert ErrorRoleIdTooSmall(roleId);
+            revert IAccess.ErrorIAccessRoleIdTooSmall(roleId);
         } else if (!isCustom && roleIdInt >= CUSTOM_ROLE_ID_MIN) {
-            revert ErrorRoleIdTooBig(roleId);
+            revert IAccess.ErrorIAccessRoleIdTooBig(roleId);
         }
         // role name checks
         ShortString nameShort = ShortStrings.toShortString(name);
         if (ShortStrings.byteLength(nameShort) == 0) {
-            revert ErrorRoleNameEmpty(roleId);
+            revert IAccess.ErrorIAccessRoleNameEmpty(roleId);
         }
         if (_roleForName[nameShort] != RoleIdLib.zero() && _roleForName[nameShort] != roleId) {
-            revert ErrorRoleNameNotUnique(_roleForName[nameShort], nameShort);
+            revert IAccess.ErrorIAccessRoleNameNotUnique(_roleForName[nameShort], nameShort);
         }
     }
@@ -270,7 +236,14 @@ contract InstanceAccessManager is
             _validateTargetParameters(target, name, isCustom);
         }
-        TargetInfo memory info = TargetInfo(
+        if (_target[target].createdAt.gtz()) {
+            revert IAccess.ErrorIAccessTargetAlreadyExists(target, _target[target].name);
+        }
+        if (_targetForName[ShortStrings.toShortString(name)] != address(0)) {
+            revert IAccess.ErrorIAccessTargetNameExists(target, _targetForName[ShortStrings.toShortString(name)], ShortStrings.toShortString(name));
+        }
+        IAccess.TargetInfo memory info = IAccess.TargetInfo(
             ShortStrings.toShortString(name),
             isCustom,
             _accessManager.isTargetClosed(target), // sync with state in access manager
@@ -283,6 +256,48 @@ contract InstanceAccessManager is
     }
     function _validateTargetParameters(address target, string memory name, bool isCustom) internal view {
+        // TODO: implement
+    }
+    function setTargetFunctionRole(
+        address target,
+        bytes4[] calldata selectors,
+        uint64 roleId
+    ) public virtual restricted() {
+        _accessManager.setTargetFunctionRole(target, selectors, roleId);
+    }
+    function setTargetFunctionRole(
+        string memory targetName,
+        bytes4[] calldata selectors,
+        RoleId roleId
+    ) public virtual restricted() {
+        address target = _targetForName[ShortStrings.toShortString(targetName)];
+        uint64 roleIdInt = RoleId.unwrap(roleId);
+        _accessManager.setTargetFunctionRole(target, selectors, roleIdInt);
+    }
+    function getAccessManager() public restricted() returns (AccessManagerUpgradeableInitializeable) {
+        return _accessManager;
+    }
+    function setTargetClosed(string memory targetName, bool closed) public restricted() {
+        address target = _targetForName[ShortStrings.toShortString(targetName)];
+        if (target == address(0)) {
+            revert IAccess.ErrorIAccessTargetAddressZero();
+        }
+        _accessManager.setTargetClosed(target, closed);
+    }
+    function isTargetLocked(address target) public view returns (bool locked) {
+        return _accessManager.isTargetClosed(target);
+    }
+    function canCall(
+        address caller,
+        address target,
+        bytes4 selector
+    ) public view virtual returns (bool immediate, uint32 delay) {
+        return _accessManager.canCall(caller, target, selector);
     }
 }

package/contracts/instance/InstanceBase.sol CHANGED Viewed

@@ -22,8 +22,6 @@ import {RoleId, RoleIdLib} from "../types/RoleId.sol";
 import {StateId, ACTIVE} from "../types/StateId.sol";
 import {ERC165} from "../shared/ERC165.sol";
 import {Registerable} from "../shared/Registerable.sol";
-import {ComponentOwnerService} from "./service/ComponentOwnerService.sol";
-import {IComponentOwnerService} from "./service/IComponentOwnerService.sol";
 import {IDistributionService} from "./service/IDistributionService.sol";
 import {IPoolService} from "./service/IPoolService.sol";
 import {IProductService} from "./service/IProductService.sol";

package/contracts/instance/InstanceService.sol CHANGED Viewed

@@ -2,22 +2,22 @@
 pragma solidity ^0.8.20;
 import {Clones} from "@openzeppelin/contracts/proxy/Clones.sol";
-import {AccessManagerUpgradeable} from "@openzeppelin/contracts-upgradeable/access/manager/AccessManagerUpgradeable.sol";
-import {AccessManagerUpgradeableInitializeable} from "./AccessManagerUpgradeableInitializeable.sol";
 import {Instance} from "./Instance.sol";
+import {IInstance} from "./IInstance.sol";
+import {InstanceAccessManager} from "./InstanceAccessManager.sol";
 import {IInstanceService} from "./IInstanceService.sol";
 import {InstanceReader} from "./InstanceReader.sol";
 import {BundleManager} from "./BundleManager.sol";
 import {IRegistry} from "../registry/IRegistry.sol";
 import {RegistryService} from "../registry/RegistryService.sol";
+import {ChainNft} from "../registry/ChainNft.sol";
 import {Service} from "../../contracts/shared/Service.sol";
 import {IService} from "../shared/IService.sol";
 import {NftId} from "../../contracts/types/NftId.sol";
 import {RoleId} from "../types/RoleId.sol";
-import {VersionLib} from "../types/Version.sol";
-import {ADMIN_ROLE, INSTANCE_SERVICE_ROLE, DISTRIBUTION_SERVICE_ROLE, POOL_SERVICE_ROLE, PRODUCT_SERVICE_ROLE, POLICY_SERVICE_ROLE, BUNDLE_SERVICE_ROLE} from "../types/RoleId.sol";
-import {ObjectType, INSTANCE, SERVICE, PRODUCT, POOL, DISTRIBUTION, POLICY, BUNDLE} from "../types/ObjectType.sol";
+import {ADMIN_ROLE, DISTRIBUTION_OWNER_ROLE, POOL_OWNER_ROLE, PRODUCT_OWNER_ROLE, INSTANCE_SERVICE_ROLE, DISTRIBUTION_SERVICE_ROLE, POOL_SERVICE_ROLE, PRODUCT_SERVICE_ROLE, POLICY_SERVICE_ROLE, BUNDLE_SERVICE_ROLE} from "../types/RoleId.sol";
+import {ObjectType, INSTANCE, BUNDLE, POLICY, PRODUCT, DISTRIBUTION, REGISTRY, POOL} from "../types/ObjectType.sol";
 contract InstanceService is Service, IInstanceService {
@@ -28,11 +28,30 @@ contract InstanceService is Service, IInstanceService {
     // TODO update to real hash when instance is stable
     bytes32 public constant INSTANCE_CREATION_CODE_HASH = bytes32(0);
+    string public constant NAME = "InstanceService";
+    modifier onlyInstanceOwner(NftId instanceNftId) {
+        IRegistry registry = getRegistry();
+        ChainNft chainNft = registry.getChainNft();
+        if( msg.sender != chainNft.ownerOf(instanceNftId.toInt())) {
+            revert ErrorInstanceServiceNotInstanceOwner(msg.sender, instanceNftId);
+        }
+        _;
+    }
+    modifier onlyRegisteredService() {
+        address caller = msg.sender;
+        if (! getRegistry().isRegisteredService(caller)) {
+            revert ErrorInstanceServiceRequestUnauhorized(caller);
+        }
+        _;
+    }
     function createInstanceClone()
         external
         returns (
-            AccessManagerUpgradeableInitializeable clonedAccessManager,
+            InstanceAccessManager clonedAccessManager,
             Instance clonedInstance,
             NftId clonedInstanceNftId,
             InstanceReader clonedInstanceReader,
@@ -43,14 +62,14 @@ contract InstanceService is Service, IInstanceService {
         IRegistry registry = getRegistry();
         address registryAddress = address(registry);
         NftId registryNftId = registry.getNftId(registryAddress);
-        address registryServiceAddress = registry.getServiceAddress(SERVICE(), VersionLib.toVersion(3, 0, 0).toMajorPart());
+        address registryServiceAddress = registry.getServiceAddress(REGISTRY(), getMajorVersion());
         RegistryService registryService = RegistryService(registryServiceAddress);
         // initially set the authority of the access managar to this (being the instance service).
         // This will allow the instance service to bootstrap the authorizations of the instance
         // and then transfer the ownership of the access manager to the instance owner once everything is setup
-        clonedAccessManager = AccessManagerUpgradeableInitializeable(Clones.clone(_masterInstanceAccessManager));
-        clonedAccessManager.__AccessManagerUpgradeableInitializeable_init(address(this));
+        clonedAccessManager = InstanceAccessManager(Clones.clone(_masterInstanceAccessManager));
+        clonedAccessManager.__InstanceAccessManager_initialize(address(this));
         clonedInstance = Instance(Clones.clone(_masterInstance));
         clonedInstance.initialize(address(clonedAccessManager), registryAddress, registryNftId, msg.sender);
@@ -71,14 +90,16 @@ contract InstanceService is Service, IInstanceService {
         // to complete setup switch instance ownership to the instance owner
         // TODO: use a role less powerful than admin, maybe INSTANCE_ADMIN (does not exist yet)
-        clonedAccessManager.grantRole(ADMIN_ROLE().toInt(), instanceOwner, 0);
-        clonedAccessManager.revokeRole(ADMIN_ROLE().toInt(), address(this));
+        clonedAccessManager.grantRole(ADMIN_ROLE(), instanceOwner);
+        clonedAccessManager.revokeRole(ADMIN_ROLE(), address(this));
         emit LogInstanceCloned(address(clonedAccessManager), address(clonedInstance), address(clonedInstanceReader), clonedInstanceNftId);
     }
-    function _grantInitialAuthorizations(AccessManagerUpgradeable clonedAccessManager, Instance clonedInstance, BundleManager clonedBundleManager) internal {
-        _grantRegistryServiceAuthorizations(clonedAccessManager, clonedInstance);
+    function _grantInitialAuthorizations(InstanceAccessManager clonedAccessManager, Instance clonedInstance, BundleManager clonedBundleManager) internal {
+        _createGifRoles(clonedAccessManager);
+        _createGifTargets(clonedAccessManager, clonedInstance, clonedBundleManager);
+        _grantDistributionServiceAuthorizations(clonedAccessManager, clonedInstance);
         _grantPoolServiceAuthorizations(clonedAccessManager, clonedInstance);
         _grantProductServiceAuthorizations(clonedAccessManager, clonedInstance);
         _grantPolicyServiceAuthorizations(clonedAccessManager, clonedInstance);
@@ -86,37 +107,55 @@ contract InstanceService is Service, IInstanceService {
         _grantInstanceServiceAuthorizations(clonedAccessManager, clonedInstance);
     }
-    function _grantRegistryServiceAuthorizations(AccessManagerUpgradeable clonedAccessManager, Instance clonedInstance) internal {
+    function _createGifRoles(InstanceAccessManager clonedAccessManager) internal {
+        clonedAccessManager.createGifRole(DISTRIBUTION_OWNER_ROLE(), "DistributionOwnerRole");
+        clonedAccessManager.createGifRole(POOL_OWNER_ROLE(), "PoolOwnerRole");
+        clonedAccessManager.createGifRole(PRODUCT_OWNER_ROLE(), "ProductOwnerRole");
+        clonedAccessManager.createGifRole(DISTRIBUTION_SERVICE_ROLE(), "DistributionServiceRole");
+        clonedAccessManager.createGifRole(POOL_SERVICE_ROLE(), "PoolServiceRole");
+        clonedAccessManager.createGifRole(PRODUCT_SERVICE_ROLE(), "ProductServiceRole");
+        clonedAccessManager.createGifRole(POLICY_SERVICE_ROLE(), "PolicyServiceRole");
+        clonedAccessManager.createGifRole(BUNDLE_SERVICE_ROLE(), "BundleServiceRole");
+        clonedAccessManager.createGifRole(INSTANCE_SERVICE_ROLE(), "InstanceServiceRole");
+    }
+    function _createGifTargets(InstanceAccessManager clonedAccessManager, Instance clonedInstance, BundleManager clonedBundleManager) internal {
+        clonedAccessManager.createGifTarget(address(clonedInstance), "Instance");
+        clonedAccessManager.createGifTarget(address(clonedBundleManager), "BundleManager");
+    }
+    function _grantDistributionServiceAuthorizations(InstanceAccessManager clonedAccessManager, Instance clonedInstance) internal {
         // configure authorization for distribution service on instance
         IRegistry registry = getRegistry();
-        address distributionServiceAddress = registry.getServiceAddress(DISTRIBUTION(), VersionLib.toVersion(3, 0, 0).toMajorPart());
-        clonedAccessManager.grantRole(DISTRIBUTION_SERVICE_ROLE().toInt(), distributionServiceAddress, 0);
+        address distributionServiceAddress = registry.getServiceAddress(DISTRIBUTION(), getMajorVersion());
+        clonedAccessManager.grantRole(DISTRIBUTION_SERVICE_ROLE(), distributionServiceAddress);
         bytes4[] memory instanceDistributionServiceSelectors = new bytes4[](2);
         instanceDistributionServiceSelectors[0] = clonedInstance.createDistributionSetup.selector;
         instanceDistributionServiceSelectors[1] = clonedInstance.updateDistributionSetup.selector;
         clonedAccessManager.setTargetFunctionRole(
-            address(clonedInstance),
+            "Instance",
             instanceDistributionServiceSelectors,
-            DISTRIBUTION_SERVICE_ROLE().toInt());
+            DISTRIBUTION_SERVICE_ROLE());
     }
-    function _grantPoolServiceAuthorizations(AccessManagerUpgradeable clonedAccessManager, Instance clonedInstance) internal {
+    function _grantPoolServiceAuthorizations(InstanceAccessManager clonedAccessManager, Instance clonedInstance) internal {
         // configure authorization for pool service on instance
-        address poolServiceAddress = _registry.getServiceAddress(POOL(), VersionLib.toVersion(3, 0, 0).toMajorPart());
-        clonedAccessManager.grantRole(POOL_SERVICE_ROLE().toInt(), address(poolServiceAddress), 0);
+        address poolServiceAddress = _registry.getServiceAddress(POOL(), getMajorVersion());
+        clonedAccessManager.grantRole(POOL_SERVICE_ROLE(), address(poolServiceAddress));
         bytes4[] memory instancePoolServiceSelectors = new bytes4[](4);
         instancePoolServiceSelectors[0] = clonedInstance.createPoolSetup.selector;
         instancePoolServiceSelectors[1] = clonedInstance.updatePoolSetup.selector;
         clonedAccessManager.setTargetFunctionRole(
-            address(clonedInstance),
+            "Instance",
             instancePoolServiceSelectors,
-            POOL_SERVICE_ROLE().toInt());
+            POOL_SERVICE_ROLE());
     }
-    function _grantProductServiceAuthorizations(AccessManagerUpgradeable clonedAccessManager, Instance clonedInstance) internal {
+    function _grantProductServiceAuthorizations(InstanceAccessManager clonedAccessManager, Instance clonedInstance) internal {
         // configure authorization for product service on instance
-        address productServiceAddress = _registry.getServiceAddress(PRODUCT(), VersionLib.toVersion(3, 0, 0).toMajorPart());
-        clonedAccessManager.grantRole(PRODUCT_SERVICE_ROLE().toInt(), address(productServiceAddress), 0);
+        address productServiceAddress = _registry.getServiceAddress(PRODUCT(), getMajorVersion());
+        clonedAccessManager.grantRole(PRODUCT_SERVICE_ROLE(), address(productServiceAddress));
         bytes4[] memory instanceProductServiceSelectors = new bytes4[](5);
         instanceProductServiceSelectors[0] = clonedInstance.createProductSetup.selector;
         instanceProductServiceSelectors[1] = clonedInstance.updateProductSetup.selector;
@@ -124,36 +163,36 @@ contract InstanceService is Service, IInstanceService {
         instanceProductServiceSelectors[3] = clonedInstance.updateRisk.selector;
         instanceProductServiceSelectors[4] = clonedInstance.updateRiskState.selector;
         clonedAccessManager.setTargetFunctionRole(
-            address(clonedInstance),
+            "Instance",
             instanceProductServiceSelectors,
-            PRODUCT_SERVICE_ROLE().toInt());
+            PRODUCT_SERVICE_ROLE());
     }
-    function _grantPolicyServiceAuthorizations(AccessManagerUpgradeable clonedAccessManager, Instance clonedInstance) internal {
+    function _grantPolicyServiceAuthorizations(InstanceAccessManager clonedAccessManager, Instance clonedInstance) internal {
         // configure authorization for policy service on instance
-        address policyServiceAddress = _registry.getServiceAddress(POLICY(), VersionLib.toVersion(3, 0, 0).toMajorPart());
-        clonedAccessManager.grantRole(POLICY_SERVICE_ROLE().toInt(), address(policyServiceAddress), 0);
+        address policyServiceAddress = _registry.getServiceAddress(POLICY(), getMajorVersion());
+        clonedAccessManager.grantRole(POLICY_SERVICE_ROLE(), address(policyServiceAddress));
         bytes4[] memory instancePolicyServiceSelectors = new bytes4[](3);
         instancePolicyServiceSelectors[0] = clonedInstance.createPolicy.selector;
         instancePolicyServiceSelectors[1] = clonedInstance.updatePolicy.selector;
         instancePolicyServiceSelectors[2] = clonedInstance.updatePolicyState.selector;
         clonedAccessManager.setTargetFunctionRole(
-            address(clonedInstance),
+            "Instance",
             instancePolicyServiceSelectors,
-            POLICY_SERVICE_ROLE().toInt());
+            POLICY_SERVICE_ROLE());
     }
-    function _grantBundleServiceAuthorizations(AccessManagerUpgradeable clonedAccessManager, Instance clonedInstance, BundleManager clonedBundleManager) internal {
+    function _grantBundleServiceAuthorizations(InstanceAccessManager clonedAccessManager, Instance clonedInstance, BundleManager clonedBundleManager) internal {
         // configure authorization for bundle service on instance
-        address bundleServiceAddress = _registry.getServiceAddress(BUNDLE(), VersionLib.toVersion(3, 0, 0).toMajorPart());
-        clonedAccessManager.grantRole(BUNDLE_SERVICE_ROLE().toInt(), address(bundleServiceAddress), 0);
+        address bundleServiceAddress = _registry.getServiceAddress(BUNDLE(), getMajorVersion());
+        clonedAccessManager.grantRole(BUNDLE_SERVICE_ROLE(), address(bundleServiceAddress));
         bytes4[] memory instanceBundleServiceSelectors = new bytes4[](2);
         instanceBundleServiceSelectors[0] = clonedInstance.createBundle.selector;
         instanceBundleServiceSelectors[1] = clonedInstance.updateBundle.selector;
         clonedAccessManager.setTargetFunctionRole(
-            address(clonedInstance),
+            "Instance",
             instanceBundleServiceSelectors,
-            BUNDLE_SERVICE_ROLE().toInt());
+            BUNDLE_SERVICE_ROLE());
         // configure authorization for bundle service on bundle manager
         bytes4[] memory bundleManagerBundleServiceSelectors = new bytes4[](5);
@@ -163,21 +202,21 @@ contract InstanceService is Service, IInstanceService {
         bundleManagerBundleServiceSelectors[3] = clonedBundleManager.lock.selector;
         bundleManagerBundleServiceSelectors[4] = clonedBundleManager.unlock.selector;
         clonedAccessManager.setTargetFunctionRole(
-            address(clonedBundleManager),
+            "BundleManager",
             bundleManagerBundleServiceSelectors,
-            BUNDLE_SERVICE_ROLE().toInt());
+            BUNDLE_SERVICE_ROLE());
     }
-    function _grantInstanceServiceAuthorizations(AccessManagerUpgradeable clonedAccessManager, Instance clonedInstance) internal {
+    function _grantInstanceServiceAuthorizations(InstanceAccessManager clonedAccessManager, Instance clonedInstance) internal {
 // configure authorization for instance service on instance
-        address instanceServiceAddress = _registry.getServiceAddress(INSTANCE(), VersionLib.toVersion(3, 0, 0).toMajorPart());
-        clonedAccessManager.grantRole(INSTANCE_SERVICE_ROLE().toInt(), instanceServiceAddress, 0);
+        address instanceServiceAddress = _registry.getServiceAddress(INSTANCE(), getMajorVersion());
+        clonedAccessManager.grantRole(INSTANCE_SERVICE_ROLE(), instanceServiceAddress);
         bytes4[] memory instanceInstanceServiceSelectors = new bytes4[](1);
         instanceInstanceServiceSelectors[0] = clonedInstance.setInstanceReader.selector;
         clonedAccessManager.setTargetFunctionRole(
-            address(clonedInstance),
+            "Instance",
             instanceInstanceServiceSelectors,
-            INSTANCE_SERVICE_ROLE().toInt());
+            INSTANCE_SERVICE_ROLE());
     }
     function setMasterInstance(address accessManagerAddress, address instanceAddress, address instanceReaderAddress, address bundleManagerAddress) external onlyOwner {
@@ -252,10 +291,6 @@ contract InstanceService is Service, IInstanceService {
     }
     /// @dev top level initializer
-    // 1) registry is non upgradeable -> don't need a proxy and uses constructor !
-    // 2) deploy registry service first -> from its initialization func it is easier to deploy registry then vice versa
-    // 3) deploy registry -> pass registry service address as constructor argument
-    // registry is getting instantiated and locked to registry service address forever
     function _initialize(
         address owner,
         bytes memory data
@@ -264,36 +299,47 @@ contract InstanceService is Service, IInstanceService {
         initializer
         virtual override
     {
-        address initialOwner = address(0);
-        address registryAddress = address(0);
+        address initialOwner;
+        address registryAddress;
         (registryAddress, initialOwner) = abi.decode(data, (address, address));
         // TODO while InstanceService is not deployed in InstanceServiceManager constructor
         //      owner is InstanceServiceManager deployer
         _initializeService(registryAddress, owner);
-        _registerInterface(type(IService).interfaceId);
         _registerInterface(type(IInstanceService).interfaceId);
     }
-    // TODO use instanceAddress instead of nft
-    /*function hasRole(address account, RoleId role, NftId instanceNftId) external view returns (bool) {
-        IRegistry.ObjectInfo memory instanceObjectInfo = getRegistry().getObjectInfo(instanceNftId);
-        address instanceAddress = instanceObjectInfo.objectAddress;
-        Instance instance = Instance(instanceAddress);
-        AccessManagerUpgradeable accessManager = AccessManagerUpgradeable(instance.authority());
-        (bool isMember, uint32 executionDelay) = accessManager.hasRole(role.toInt(), account);
-        if (executionDelay > 0) {
-            return false;
-        }
-        return isMember;
-    }*/
-    function hasRole(address account, RoleId role, address instanceAddress) external view returns (bool) {
+    function hasRole(address account, RoleId role, address instanceAddress) public view returns (bool) {
         Instance instance = Instance(instanceAddress);
-        AccessManagerUpgradeable accessManager = AccessManagerUpgradeable(instance.authority());
-        (bool isMember, uint32 executionDelay) = accessManager.hasRole(role.toInt(), account);
-        if (executionDelay > 0) {
-            return false;
-        }
-        return isMember;
+        InstanceAccessManager accessManager = InstanceAccessManager(instance.authority());
+        return accessManager.hasRole(role, account);
     }
+    function createTarget(NftId instanceNftId, address targetAddress, string memory targetName) external onlyRegisteredService {
+        IRegistry registry = getRegistry();
+        IRegistry.ObjectInfo memory instanceInfo = registry.getObjectInfo(instanceNftId);
+        Instance instance = Instance(instanceInfo.objectAddress);
+        InstanceAccessManager accessManager = InstanceAccessManager(instance.authority());
+        accessManager.createTarget(targetAddress, targetName);
+    }
+    function setTargetLocked(string memory targetName, bool locked) external {
+        address componentAddress = msg.sender;
+        IRegistry registry = getRegistry();
+        IRegistry.ObjectInfo memory componentInfo = registry.getObjectInfo(componentAddress);
+        if (componentInfo.nftId.eqz()) {
+            revert ErrorInstanceServiceComponentNotRegistered(componentAddress);
+        }
+        // TODO validate component type
+        address instanceAddress = registry.getObjectInfo(componentInfo.parentNftId).objectAddress;
+        IInstance instance = IInstance(instanceAddress);
+        InstanceAccessManager accessManager = InstanceAccessManager(instance.authority());
+        accessManager.setTargetClosed(targetName, locked);
+    }
 }