@etherisc/gif-next 0.0.2-bf75dbb-287 → 0.0.2-c2a8d66-341

package/contracts/instance/InstanceAccessManager.sol

@@ -1,288 +1,455 @@
 // SPDX-License-Identifier: Apache-2.0
 pragma solidity ^0.8.20;
 
+import {AccessManager} from "@openzeppelin/contracts/access/manager/AccessManager.sol";
+import {AccessManagedUpgradeable} from "@openzeppelin/contracts-upgradeable/access/manager/AccessManagedUpgradeable.sol";
 import {EnumerableSet} from "@openzeppelin/contracts/utils/structs/EnumerableSet.sol";
 import {ShortString, ShortStrings} from "@openzeppelin/contracts/utils/ShortStrings.sol";
-import {AccessManagedUpgradeable} from "@openzeppelin/contracts-upgradeable/access/manager/AccessManagedUpgradeable.sol";
-import {AccessManagerUpgradeable} from "@openzeppelin/contracts-upgradeable/access/manager/AccessManagerUpgradeable.sol";
-
-import {IBundle} from "./module/IBundle.sol";
-import {IPolicy} from "./module/IPolicy.sol";
-import {IRisk} from "./module/IRisk.sol";
-import {ISetup} from "./module/ISetup.sol";
-import {Key32, KeyId, Key32Lib} from "../types/Key32.sol";
-import {KeyValueStore} from "./base/KeyValueStore.sol";
+
+import {RoleId, RoleIdLib, ADMIN_ROLE, PUBLIC_ROLE, INSTANCE_SERVICE_ROLE, INSTANCE_OWNER_ROLE} from "../types/RoleId.sol";
+import {TimestampLib} from "../types/Timestamp.sol";
 import {NftId} from "../types/NftId.sol";
-import {NumberId} from "../types/NumberId.sol";
-import {ObjectType, BUNDLE, DISTRIBUTION, POLICY, POOL, ROLE, PRODUCT, TARGET} from "../types/ObjectType.sol";
-import {RiskId, RiskIdLib} from "../types/RiskId.sol";
-import {RoleId, RoleIdLib} from "../types/RoleId.sol";
-import {StateId, ACTIVE} from "../types/StateId.sol";
-import {Timestamp, TimestampLib} from "../types/Timestamp.sol";
+
+import {IAccess} from "./module/IAccess.sol";
+import {IRegistry} from "../registry/IRegistry.sol";
 
 contract InstanceAccessManager is
     AccessManagedUpgradeable
 {
+    using RoleIdLib for RoleId;
+
     string public constant ADMIN_ROLE_NAME = "AdminRole";
     string public constant PUBLIC_ROLE_NAME = "PublicRole";
 
     uint64 public constant CUSTOM_ROLE_ID_MIN = 10000;
     uint32 public constant EXECUTION_DELAY = 0;
 
-    struct RoleInfo {
-        ShortString name;
-        bool isCustom;
-        bool isLocked;
-        Timestamp createdAt;
-        Timestamp updatedAt;
-    }
-
-    struct TargetInfo {
-        ShortString name;
-        bool isCustom;
-        bool isLocked;
-        Timestamp createdAt;
-        Timestamp updatedAt;
-    }
-
-    error ErrorRoleIdInvalid(RoleId roleId);
-    error ErrorRoleIdTooBig(RoleId roleId);
-    error ErrorRoleIdTooSmall(RoleId roleId);
-    error ErrorRoleIdAlreadyExists(RoleId roleId, ShortString name);
-    error ErrorRoleIdNotActive(RoleId roleId);
-    error ErrorRoleNameEmpty(RoleId roleId);
-    error ErrorRoleNameNotUnique(RoleId roleId, ShortString name);
-    error ErrorRoleInvalidUpdate(RoleId roleId, bool isCustom);
-    error ErrorRoleIsCustomIsImmutable(RoleId roleId, bool isCustom, bool isCustomExisting);
-    error ErrorSetLockedForNonexstentRole(RoleId roleId);
-    error ErrorGrantNonexstentRole(RoleId roleId);
-    error ErrorRevokeNonexstentRole(RoleId roleId);
-    error ErrorRenounceNonexstentRole(RoleId roleId);
-
-    error ErrorTargetAddressZero();
-    error ErrorTargetAlreadyExists(address target, ShortString name);
-    error ErrorTargetNameEmpty(address target);
-    error ErrorTargetNameExists(address target, address existingTarget, ShortString name);
-    error ErrorSetLockedForNonexstentTarget(address target);
-
     // role specific state
-    mapping(RoleId roleId => RoleInfo info) internal _role;
+    mapping(RoleId roleId => IAccess.RoleInfo info) internal _roleInfo;
     mapping(RoleId roleId => EnumerableSet.AddressSet roleMembers) internal _roleMembers; 
-    mapping(ShortString name => RoleId roleId) internal _roleForName;
-    RoleId [] internal _roles;
+    mapping(ShortString name => RoleId roleId) internal _roleIdForName;
+    RoleId [] internal _roleIds;
+    uint64 _idNext;
 
     // target specific state
-    mapping(address target => TargetInfo info) internal _target;
-    mapping(ShortString name => address target) internal _targetForName;
+    mapping(address target => IAccess.TargetInfo info) internal _targetInfo;
+    mapping(ShortString name => address target) internal _targetAddressForName;
     address [] internal _targets;
 
-    AccessManagerUpgradeable internal _accessManager;
+    AccessManager internal _accessManager;
+    IRegistry internal _registry;
 
-    constructor(address accessManager)
+    modifier restrictedToRoleAdmin(RoleId roleId) {
+        RoleId admin = getRoleAdmin(roleId);
+        (bool inRole, uint32 executionDelay) = _accessManager.hasRole(admin.toInt(), _msgSender());
+        assert(executionDelay == 0); // to be sure no delayed execution functionality is used
+        if (!inRole) {
+            revert IAccess.ErrorIAccessCallerIsNotRoleAdmin(_msgSender(), roleId);
+        }
+        _;
+    }
+
+    function initialize(address initialAdmin, address registry) external initializer 
     {
-        _accessManager = AccessManagerUpgradeable(accessManager);
-        __AccessManaged_init(accessManager);
+        require(initialAdmin != address(0));
+        require(registry != address(0));
 
-        _createRole(RoleIdLib.toRoleId(_accessManager.ADMIN_ROLE()), ADMIN_ROLE_NAME, false, false);
-        _createRole(RoleIdLib.toRoleId(_accessManager.PUBLIC_ROLE()), PUBLIC_ROLE_NAME, false, false);
-    }
+        // if size of the contract gets too large, this can be externalized which will reduce the contract size considerably
+        _accessManager = new AccessManager(address(this));
 
-    //--- Role ------------------------------------------------------//
+        __AccessManaged_init(address(_accessManager));
 
-    function createDefaultRole(RoleId roleId, string memory name) external restricted() {
-        _createRole(roleId, name, false, true);
-    }
+        _registry = IRegistry(registry);
+        _idNext = CUSTOM_ROLE_ID_MIN;
 
-    function createRole(RoleId roleId, string memory name) external restricted() {
-        _createRole(roleId, name, true, true);
-    }
+        _createRole(ADMIN_ROLE(), ADMIN_ROLE_NAME, IAccess.Type.Core);
+        _createRole(PUBLIC_ROLE(), PUBLIC_ROLE_NAME, IAccess.Type.Core);
 
-    function setRoleLocked(RoleId roleId, bool locked) external restricted() {
-        if (!roleExists(roleId)) {
-            revert ErrorSetLockedForNonexstentRole(roleId);
-        }
+        // assume initialAdmin is instance service which requires admin rights to access manager during instance cloning
+        _accessManager.grantRole(ADMIN_ROLE().toInt(), initialAdmin, 0);
 
-        _role[roleId].isLocked = locked;
-        _role[roleId].updatedAt = TimestampLib.blockTimestamp();
+        EnumerableSet.add(_roleMembers[ADMIN_ROLE()], address(this));
+        EnumerableSet.add(_roleMembers[ADMIN_ROLE()], initialAdmin);
     }
 
-    function roleExists(RoleId roleId) public view returns (bool exists) {
-        return _role[roleId].createdAt.gtz();
+    //--- Role ------------------------------------------------------//
+    // INSTANCE_SERVICE_ROLE 
+    // assume core roles are never revoked or renounced -> core roles admin is never active after intialization
+    function createCoreRole(RoleId roleId, string memory name, RoleId admin) 
+        external
+        restricted()
+    {
+        _validateRoleParameters(roleId, name, IAccess.Type.Core);// TODO put inside _createRole
+        _createRole(roleId, name, IAccess.Type.Core);
+        setRoleAdmin(roleId, admin);
+    }
+    // INSTANCE_SERVICE_ROLE
+    // assume gif roles can be revoked or renounced
+    function createGifRole(RoleId roleId, string memory name, RoleId admin) 
+        external
+        restricted()
+    {
+        _validateRoleParameters(roleId, name, IAccess.Type.Gif);
+        _createRole(roleId, name, IAccess.Type.Gif);
+        setRoleAdmin(roleId, admin);
     }
 
-    function grantRole(RoleId roleId, address member) external restricted() returns (bool granted) {
-        if (!roleExists(roleId)) {
-            revert ErrorGrantNonexstentRole(roleId);
-        }
+    // INSTANCE_OWNER_ROLE
+    // creates custom roles only
+    // TODO INSTANCE_OWNER_ROLE as default admin
+    function createCustomRole(string memory name, RoleId admin) 
+        external
+        restricted()
+        returns(RoleId roleId)
+    {
+        RoleId roleId = _getNextCustomRoleId();
+        _validateRoleParameters(roleId, name, IAccess.Type.Custom);
+        _createRole(roleId, name, IAccess.Type.Custom);
+        setRoleAdmin(roleId, admin);
+    }
 
-        if (_role[roleId].isLocked) {
-            revert ErrorRoleIdNotActive(roleId);
+    // TODO MUST always be restricted to ADMIN_ROLE? -> use onlyAdminRole or use similar _getAdminRestrictions()
+    function setRoleAdmin(RoleId roleId, RoleId admin) 
+        public 
+        restricted()
+    {
+        if (!roleExists(roleId)) {
+            revert IAccess.ErrorIAccessRoleIdInvalid(roleId);
         }
 
-        if (!EnumerableSet.contains(_roleMembers[roleId], member)) {
-            _accessManager.grantRole(roleId.toInt(), member, EXECUTION_DELAY);
-            EnumerableSet.add(_roleMembers[roleId], member);
-            return true;
-        }
+        if (!roleExists(admin)) {
+            revert IAccess.ErrorIAccessRoleIdInvalid(admin);
+        }        
 
-        return false;
+        _roleInfo[roleId].admin = admin;      
     }
 
-    function revokeRole(RoleId roleId, address member) external restricted() returns (bool revoked) {
+    // TODO notify member?
+    // TODO granting/revoking can be `attached` to nft transfer?
+    function grantRole(RoleId roleId, address member) 
+        external 
+        restrictedToRoleAdmin(roleId) 
+        returns (bool granted) 
+    {
         if (!roleExists(roleId)) {
-            revert ErrorRevokeNonexstentRole(roleId);
+            revert IAccess.ErrorIAccessRoleIdInvalid(roleId);
         }
 
-        if (EnumerableSet.contains(_roleMembers[roleId], member)) {
-            _accessManager.revokeRole(roleId.toInt(), member);
-            EnumerableSet.remove(_roleMembers[roleId], member);
-            return true;
-        }
+        granted = EnumerableSet.add(_roleMembers[roleId], member);
+        if(granted) {
+            _accessManager.grantRole(roleId.toInt(), member, EXECUTION_DELAY);
+        }    
+    }
 
-        return false;
+    function revokeRole(RoleId roleId, address member)
+        external 
+        restrictedToRoleAdmin(roleId) 
+        returns (bool) 
+    {
+        return _revokeRole(roleId, member);
     }
 
     /// @dev not restricted function by intention
-    /// the restriction to role members is already enforced by the call to the access manger
-    function renounceRole(RoleId roleId) external returns (bool revoked) {
+    /// the restriction to role members is already enforced by the call to the access manager
+    function renounceRole(RoleId roleId) 
+        external 
+        returns (bool) 
+    {
         address member = msg.sender;
+        // cannot use accessManger.renounce as it directly checks against msg.sender
+        return _revokeRole(roleId, member);
+    }
 
-        if (!roleExists(roleId)) {
-            revert ErrorRenounceNonexstentRole(roleId);
-        }
+    function roleExists(RoleId roleId) public view returns (bool exists) {
+        return _roleInfo[roleId].createdAt.gtz();
+    }
 
-        if (EnumerableSet.contains(_roleMembers[roleId], member)) {
-            // cannot use accessManger.renounce as it directly checks against msg.sender
-            _accessManager.revokeRole(roleId.toInt(), member);
-            EnumerableSet.remove(_roleMembers[roleId], member);
-            return true;
-        }
+    function getRoleAdmin(RoleId roleId) public view returns(RoleId admin) {
+        return _roleInfo[roleId].admin;
+    }
 
-        return false;
+    function getRoleInfo(RoleId roleId) external view returns (IAccess.RoleInfo memory role) {
+        return _roleInfo[roleId];
     }
 
-    function roles() external view returns (uint256 numberOfRoles) {
-        return _roles.length;
+    function roleMembers(RoleId roleId) external view returns (uint256 numberOfMembers) {
+        return EnumerableSet.length(_roleMembers[roleId]);
     }
 
     function getRoleId(uint256 idx) external view returns (RoleId roleId) {
-        return _roles[idx];
+        return _roleIds[idx];
     }
 
     function getRoleIdForName(string memory name) external view returns (RoleId roleId) {
-        return _roleForName[ShortStrings.toShortString(name)];
+        return _roleIdForName[ShortStrings.toShortString(name)];
     }
 
-    function getRole(RoleId roleId) external view returns (RoleInfo memory role) {
-        return _role[roleId];
+    function roleMember(RoleId roleId, uint256 idx) external view returns (address roleMember) {
+        return EnumerableSet.at(_roleMembers[roleId], idx);
     }
 
     function hasRole(RoleId roleId, address account) external view returns (bool accountHasRole) {
         (accountHasRole, ) = _accessManager.hasRole(roleId.toInt(), account);
     }
 
-    function roleMembers(RoleId roleId) external view returns (uint256 numberOfMembers) {
-        return EnumerableSet.length(_roleMembers[roleId]);
-    }
-
-    function getRoleMember(RoleId roleId, uint256 idx) external view returns (address roleMember) {
-        return EnumerableSet.at(_roleMembers[roleId], idx);
+    function roles() external view returns (uint256 numberOfRoles) {
+        return _roleIds.length;
     }
 
     //--- Target ------------------------------------------------------//
-    function createTarget(address target, string memory name) external restricted() {
-        _createTarget(target, name, true, true);
+    // INSTANCE_SERVICE_ROLE
+    function createCoreTarget(address target, string memory name) external restricted() {
+        _createTarget(target, name, IAccess.Type.Core);
     }
+    // INSTANCE_SERVICE_ROLE
+    function createGifTarget(address target, string memory name) external restricted() {
+        _createTarget(target, name, IAccess.Type.Gif);
+    }
+    // INSTANCE_OWNER_ROLE
+    function createCustomTarget(address target, string memory name) 
+        external 
+        restricted() 
+    {
+        // TODO custom targets can not be registered before this function, but possibly can after...
+        if(_registry.isRegistered(target)) {
+            revert IAccess.ErrorIAccessTargetIsRegistered(target);
+        }
 
-    function setTargetLocked(address target, bool locked) external restricted() {
-        if (!targetExists(target)) {
-            revert ErrorSetLockedForNonexstentTarget(target);
+        _createTarget(target, name, IAccess.Type.Custom);
+    }
+    // INSTANCE_SERVICE_ROLE
+    function setTargetLocked(string memory targetName, bool locked) 
+        external 
+        restricted() 
+    {
+        ShortString nameShort = ShortStrings.toShortString(targetName);
+        address target = _targetAddressForName[nameShort];
+        
+        if (target == address(0)) {
+            revert IAccess.ErrorIAccessTargetDoesNotExist(nameShort);
         }
 
-        _target[target].isLocked = locked;
+        if(_targetInfo[target].ttype == IAccess.Type.Core) {
+            revert IAccess.ErrorIAccessTargetTypeInvalid(nameShort, _targetInfo[target].ttype);
+        }
+        // TODO isLocked is redundant but makes getTargetInfo() faster
+        _targetInfo[target].isLocked = locked;
         _accessManager.setTargetClosed(target, locked);
     }
 
-    function targetExists(address target) public view returns (bool exists) {
-        return _target[target].createdAt.gtz();
+    // allowed combinations of roles and targets:
+    //1) set core role for core target 
+    //2) set gif role for gif target  
+    //3) set custom role for gif target
+    //4) set custom role for custom target
+
+    // ADMIN_ROLE if used only during initialization, works with:
+    //      any roles for any targets
+    // INSTANCE_SERVICE_ROLE if used not only during initilization, works with:
+    //      core roles for core targets
+    //      gif roles for gif targets
+    // TODO taget admin example: 
+    // 1) INSTANCE_OWNER_ROLE is admin role for component target
+    // 2) ADMIN_ROLE is admin role for core targets
+    function setTargetFunctionRole(
+        string memory targetName,
+        bytes4[] calldata selectors,
+        RoleId roleId
+    ) 
+        public 
+        virtual 
+        restricted()
+    {
+        ShortString nameShort = ShortStrings.toShortString(targetName);
+        address target = _targetAddressForName[nameShort];
+
+        // not custom target
+        if(_targetInfo[target].ttype == IAccess.Type.Custom) {
+            revert IAccess.ErrorIAccessTargetTypeInvalid(nameShort, _targetInfo[target].ttype);
+        }
+
+        // not custom role
+        if(_roleInfo[roleId].rtype == IAccess.Type.Custom) {
+            revert IAccess.ErrorIAccessRoleTypeInvalid(roleId, _roleInfo[roleId].rtype);
+        }
+
+        _setTargetFunctionRole(target, nameShort, selectors, roleId);
     }
 
-    //--- internal view/pure functions --------------------------------------//
+    // INSTANCE_OWNER_ROLE
+    // custom role for gif target -> instance owner can mess with gif target (component) -> e.g. set custom role for function intendent to work with gif role
+    // custom role for custom target
+    function setTargetFunctionCustomRole(
+        string memory targetName,
+        bytes4[] calldata selectors,
+        RoleId roleId
+    ) 
+        public 
+        virtual 
+        restricted() 
+    {
+        ShortString nameShort = ShortStrings.toShortString(targetName);
+        address target = _targetAddressForName[nameShort];
+
+        // not core target
+        if(_targetInfo[target].ttype == IAccess.Type.Core) {
+            revert IAccess.ErrorIAccessTargetTypeInvalid(nameShort, _targetInfo[target].ttype);
+        }
 
-    function _createRole(RoleId roleId, string memory name, bool isCustom, bool validateParameters) internal {
-        if (validateParameters) {
-            _validateRoleParameters(roleId, name, isCustom);
+        // target belongs to instance owned by caller
+        // TODO parent may be !instance
+        NftId instanceNftId = _registry.getObjectInfo(target).parentNftId;
+        address instanceAddress = _registry.getObjectInfo(instanceNftId).objectAddress;
+        if(_registry.ownerOf(instanceAddress) != msg.sender) {
+            revert IAccess.ErrorIAccessTargetInstanceMismatch(nameShort, instanceNftId);
         }
 
-        RoleInfo memory role = RoleInfo(
+        // not core role
+        if(_roleInfo[roleId].rtype == IAccess.Type.Core) {
+            revert IAccess.ErrorIAccessRoleTypeInvalid(roleId, _roleInfo[roleId].rtype);
+        }
+
+        _setTargetFunctionRole(target, nameShort, selectors, roleId);
+    }
+
+    function isTargetLocked(address target) public view returns (bool locked) {
+        return _accessManager.isTargetClosed(target);
+    }
+
+    function targetExists(address target) public view returns (bool exists) {
+        return _targetInfo[target].createdAt.gtz();
+    }
+
+    function getTargetInfo(address target) public view returns (IAccess.TargetInfo memory) {
+        return _targetInfo[target];
+    }
+
+    //--- internal view/pure functions --------------------------------------//
+
+    function _createRole(RoleId roleId, string memory name, IAccess.Type rtype) 
+        internal
+    {
+        IAccess.RoleInfo memory role = IAccess.RoleInfo(
             ShortStrings.toShortString(name), 
-            isCustom,
-            false, // role un-locked,
+            rtype,
+            ADMIN_ROLE(),
             TimestampLib.blockTimestamp(),
             TimestampLib.blockTimestamp());
 
-        _role[roleId] = role;
-        _roleForName[role.name] = roleId;
-        _roles.push(roleId);
+        _roleInfo[roleId] = role;
+        _roleIdForName[role.name] = roleId;
+        _roleIds.push(roleId);
     }
 
     function _validateRoleParameters(
         RoleId roleId, 
         string memory name, 
-        bool isCustom
+        IAccess.Type rtype
     )
         internal
         view 
-        returns (RoleInfo memory existingRole)
+        returns (IAccess.RoleInfo memory existingRole)
     {
-        // check role id
-        uint64 roleIdInt = RoleId.unwrap(roleId);
-        if(roleIdInt == _accessManager.ADMIN_ROLE() || roleIdInt == _accessManager.PUBLIC_ROLE()) {
-            revert ErrorRoleIdInvalid(roleId); 
+        if(roleExists(roleId)) {
+            revert IAccess.ErrorIAccessRoleIdAlreadyExists(roleId);
         }
 
-        // prevent changing isCustom for existing roles
-        existingRole = _role[roleId];
-
-        if (existingRole.createdAt.gtz() && isCustom != existingRole.isCustom) {
-            revert ErrorRoleIsCustomIsImmutable(roleId, isCustom, existingRole.isCustom); 
+        uint roleIdInt = roleId.toInt();
+        if(rtype == IAccess.Type.Custom && roleIdInt < CUSTOM_ROLE_ID_MIN) {
+            revert IAccess.ErrorIAccessRoleIdTooSmall(roleId);
         }
 
-        if (isCustom && roleIdInt < CUSTOM_ROLE_ID_MIN) {
-            revert ErrorRoleIdTooSmall(roleId); 
-        } else if (!isCustom && roleIdInt >= CUSTOM_ROLE_ID_MIN) {
-            revert ErrorRoleIdTooBig(roleId); 
+        if(rtype != IAccess.Type.Custom && roleIdInt >= CUSTOM_ROLE_ID_MIN) {
+            revert IAccess.ErrorIAccessRoleIdTooBig(roleId);
         }
 
         // role name checks
         ShortString nameShort = ShortStrings.toShortString(name);
         if (ShortStrings.byteLength(nameShort) == 0) {
-            revert ErrorRoleNameEmpty(roleId);
+            revert IAccess.ErrorIAccessRoleNameEmpty(roleId);
         }
 
-        if (_roleForName[nameShort] != RoleIdLib.zero() && _roleForName[nameShort] != roleId) {
-            revert ErrorRoleNameNotUnique(_roleForName[nameShort], nameShort);
+        if (_roleIdForName[nameShort].gtz()) {
+            revert IAccess.ErrorIAccessRoleNameNotUnique(_roleIdForName[nameShort], nameShort);
         }
     }
 
-    function _createTarget(address target, string memory name, bool isCustom, bool validateParameters) internal {
-        if (validateParameters) {
-            _validateTargetParameters(target, name, isCustom);
+    function _revokeRole(RoleId roleId, address member) 
+        internal
+        returns(bool revoked)
+    {
+        if (!roleExists(roleId)) {
+            revert IAccess.ErrorIAccessRoleIdInvalid(roleId);
         }
 
-        TargetInfo memory info = TargetInfo(
+        revoked = EnumerableSet.remove(_roleMembers[roleId], member);
+        if(revoked) {
+            _accessManager.revokeRole(roleId.toInt(), member);
+        }
+    }
+
+    function _getNextCustomRoleId() internal returns(RoleId) {
+        return RoleIdLib.toRoleId(_idNext++);
+    }
+
+    function _createTarget(address target, string memory name, IAccess.Type ttype) internal {
+        _validateTargetParameters(target, name);
+
+        IAccess.TargetInfo memory info = IAccess.TargetInfo(
             ShortStrings.toShortString(name), 
-            isCustom,
+            ttype,
             _accessManager.isTargetClosed(target), // sync with state in access manager
             TimestampLib.blockTimestamp(),
             TimestampLib.blockTimestamp());
 
-        _target[target] = info;
-        _targetForName[info.name] = target;
+        _targetInfo[target] = info;
+        _targetAddressForName[info.name] = target;
         _targets.push(target);
     }
 
-    function _validateTargetParameters(address target, string memory name, bool isCustom) internal view {
+    function _validateTargetParameters(address target, string memory name) internal view {
+        if (_targetInfo[target].createdAt.gtz()) {
+            revert IAccess.ErrorIAccessTargetAlreadyExists(target, _targetInfo[target].name);
+        }
+
+        ShortString nameShort = ShortStrings.toShortString(name);
+        if (ShortStrings.byteLength(nameShort) == 0) {
+            revert IAccess.ErrorIAccessTargetNameEmpty(target);
+        }
+
+        if (_targetAddressForName[nameShort] != address(0)) {
+            revert IAccess.ErrorIAccessTargetNameExists(
+                target, 
+                _targetAddressForName[nameShort], 
+                nameShort);
+        }
+    }
+
+    function _setTargetFunctionRole(
+        address target,
+        ShortString name,
+        bytes4[] calldata selectors,
+        RoleId roleId
+    ) 
+        internal
+    {
+        if (target == address(0)) {
+            revert IAccess.ErrorIAccessTargetDoesNotExist(name);
+        }
+
+        if (!roleExists(roleId)) {
+            revert IAccess.ErrorIAccessRoleIdInvalid(roleId);
+        }
+
+        uint64 roleIdInt = RoleId.unwrap(roleId);
+        _accessManager.setTargetFunctionRole(target, selectors, roleIdInt);
+    }
 
+    function canCall(
+        address caller,
+        address target,
+        bytes4 selector
+    ) public view virtual returns (bool immediate, uint32 delay) {
+        return _accessManager.canCall(caller, target, selector);
     }
 }

package/contracts/instance/InstanceReader.sol

@@ -31,39 +31,21 @@ contract InstanceReader {
     bool private _initialized;
 
     IRegistry internal _registry;
-    NftId internal _instanceNftId;
     IInstance internal _instance;
     IKeyValueStore internal _store;
 
-    constructor(
-        address registry, 
-        NftId instanceNftId
-    )
-    {
-        initialize(registry, instanceNftId);
-    }
-
-    function initialize(address registry, NftId instanceNftId) public {
+    function initialize(address registry, address instance) public {
         require(!_initialized, "ERROR:CRD-000:ALREADY_INITIALIZED");
 
         require(
             address(registry) != address(0),
             "ERROR:CRD-001:REGISTRY_ZERO");
 
-        require(
-            instanceNftId.gtz(),
-            "ERROR:CRD-002:NFT_ID_ZERO");
 
         _registry = IRegistry(registry);
-        _instanceNftId = instanceNftId;
-        IRegistry.ObjectInfo memory instanceInfo = _registry.getObjectInfo(_instanceNftId);
 
-        require(
-            instanceInfo.objectType == INSTANCE(), 
-            "ERROR:CRD-003:PARENT_NOT_INSTANCE");
-
-        _instance = IInstance(instanceInfo.objectAddress);
-        _store = IKeyValueStore(instanceInfo.objectAddress);
+        _instance = IInstance(instance);
+        _store = IKeyValueStore(instance);
 
         _initialized = true;
     }
@@ -301,10 +283,6 @@ contract InstanceReader {
         return _store;
     }
 
-    function getInstanceNftId() external view returns (NftId nftId) {
-        return _instanceNftId;
-    }
-
     function toUFixed(uint256 value, int8 exp) public pure returns (UFixed) {
         return UFixedLib.toUFixed(value, exp);
     }