@etherisc/gif-next 0.0.2-da06f3b-803 → 0.0.2-da09ec0-359

package/contracts/instance/InstanceAccessManager.sol

@@ -1,26 +1,35 @@
 // SPDX-License-Identifier: Apache-2.0
 pragma solidity ^0.8.20;
 
-import {AccessManager} from "@openzeppelin/contracts/access/manager/AccessManager.sol";
 import {AccessManagedUpgradeable} from "@openzeppelin/contracts-upgradeable/access/manager/AccessManagedUpgradeable.sol";
 import {EnumerableSet} from "@openzeppelin/contracts/utils/structs/EnumerableSet.sol";
 import {ShortString, ShortStrings} from "@openzeppelin/contracts/utils/ShortStrings.sol";
 
-import {RoleId, RoleIdLib, ADMIN_ROLE, PUBLIC_ROLE, INSTANCE_SERVICE_ROLE, INSTANCE_OWNER_ROLE} from "../types/RoleId.sol";
+import {RoleId, RoleIdLib, ADMIN_ROLE, PUBLIC_ROLE, INSTANCE_SERVICE_ROLE, INSTANCE_OWNER_ROLE, INSTANCE_ROLE} from "../types/RoleId.sol";
 import {TimestampLib} from "../types/Timestamp.sol";
-import {IAccess} from "./module/IAccess.sol";
+import {NftId} from "../types/NftId.sol";
+
+import {AccessManagerUpgradeableInitializeable} from "../shared/AccessManagerUpgradeableInitializeable.sol";
 
 import {IRegistry} from "../registry/IRegistry.sol";
 
+import {IInstance} from "./IInstance.sol";
+import {IAccess} from "./module/IAccess.sol";
+
 contract InstanceAccessManager is
     AccessManagedUpgradeable
 {
+    event LogRoleCreation(RoleId roleId, ShortString name, IAccess.Type rtype);
+    event LogTargetCreation(address target, ShortString name, IAccess.Type ttype, bool isLocked);
+
     using RoleIdLib for RoleId;
 
     string public constant ADMIN_ROLE_NAME = "AdminRole";
     string public constant PUBLIC_ROLE_NAME = "PublicRole";
+    string public constant INSTANCE_ROLE_NAME = "InstanceRole";
+    string public constant INSTANCE_OWNER_ROLE_NAME = "InstanceOwnerRole";
 
-    uint64 public constant CUSTOM_ROLE_ID_MIN = 10000;
+    uint64 public constant CUSTOM_ROLE_ID_MIN = 10000; // MUST be even
     uint32 public constant EXECUTION_DELAY = 0;
 
     // role specific state
@@ -35,7 +44,7 @@ contract InstanceAccessManager is
     mapping(ShortString name => address target) internal _targetAddressForName;
     address [] internal _targets;
 
-    AccessManager internal _accessManager;
+    AccessManagerUpgradeableInitializeable internal _accessManager;
     IRegistry internal _registry;
 
     modifier restrictedToRoleAdmin(RoleId roleId) {
@@ -48,87 +57,105 @@ contract InstanceAccessManager is
         _;
     }
 
-    function initialize(address initialAdmin, address registry) external initializer 
+    // instance owner is granted upon instance nft minting in callback function
+    function initialize(address instanceAddress) external initializer 
     {
-        // if size of the contract gets too large, this can be externalized which will reduce the contract size considerably
-        _accessManager = new AccessManager(address(this));
+        IInstance instance = IInstance(instanceAddress);
+        IRegistry registry = instance.getRegistry();
+        address authority = instance.authority();
 
-        __AccessManaged_init(address(_accessManager));
+        __AccessManaged_init(authority);
 
-        _registry = IRegistry(_registry);
+        _accessManager = AccessManagerUpgradeableInitializeable(authority);
+        _registry = registry;
         _idNext = CUSTOM_ROLE_ID_MIN;
 
-        _createRole(ADMIN_ROLE(), ADMIN_ROLE_NAME, false);
-        _createRole(PUBLIC_ROLE(), PUBLIC_ROLE_NAME, false);
-
-        // assume initialAdmin is instance service which requires admin rights to access manager during instance cloning
-        _accessManager.grantRole(ADMIN_ROLE().toInt(), initialAdmin, 0);
+        _createRole(ADMIN_ROLE(), ADMIN_ROLE_NAME, IAccess.Type.Core);
+        _createRole(PUBLIC_ROLE(), PUBLIC_ROLE_NAME, IAccess.Type.Core);
+        _createRole(INSTANCE_ROLE(), INSTANCE_ROLE_NAME, IAccess.Type.Core);
+        _createRole(INSTANCE_OWNER_ROLE(), INSTANCE_OWNER_ROLE_NAME, IAccess.Type.Gif);// TODO should be of core type
 
+        // assume `this` is already a member of ADMIN_ROLE
         EnumerableSet.add(_roleMembers[ADMIN_ROLE()], address(this));
-        EnumerableSet.add(_roleMembers[ADMIN_ROLE()], initialAdmin);
+
+        grantRole(INSTANCE_ROLE(), instanceAddress);
+        setRoleAdmin(INSTANCE_OWNER_ROLE(), INSTANCE_ROLE());
     }
 
     //--- Role ------------------------------------------------------//
-    // INSTANCE_SERVICE_ROLE 
-    // creates core or gif roles
-    // assume core roles are never revoked or renounced -> core roles admin is never active after intialization
-    // assume gif roles can be revoked or renounced
-    function createRole(RoleId roleId, string memory name, RoleId admin) 
+    // ADMIN_ROLE
+    // assume all core roles are know at deployment time
+    // assume core roles are set and granted only during instance cloning
+    // assume core roles are never revoked -> core roles admin is never active after intialization
+    function createCoreRole(RoleId roleId, string memory name)
+        external
+        restricted()
+    {
+        _createRole(roleId, name, IAccess.Type.Core);
+    }
+    // ADMIN_ROLE
+    // assume gif roles can be revoked
+    // assume admin is INSTANCE_OWNER_ROLE or INSTANCE_ROLE
+    function createGifRole(RoleId roleId, string memory name, RoleId admin) 
         external
         restricted()
     {
-        bool isCustom = false;
-        _validateRoleParameters(roleId, name, isCustom);
-        _createRole(roleId, name, isCustom);
+        _createRole(roleId, name, IAccess.Type.Gif);
         setRoleAdmin(roleId, admin);
     }
 
     // INSTANCE_OWNER_ROLE
-    // creates custom roles only
-    // TODO INSTANCE_OWNER_ROLE as default admin
-    function createCustomRole(string memory name, RoleId admin) 
+    // TODO specify how many owners role can have -> many roles MUST have exactly 1 member?
+    function createRole(string memory roleName, string memory adminName)
         external
         restricted()
-        returns(RoleId roleId)
+        returns(RoleId roleId, RoleId admin)
     {
-        bool isCustom = true;
-        RoleId roleId = _getNextCustomRoleId();
-        _validateRoleParameters(roleId, name, isCustom);
-        _createRole(roleId, name, isCustom);
+        (roleId, admin) = _getNextCustomRoleId();
+
+        _createRole(roleId, roleName, IAccess.Type.Custom);
+        _createRole(admin, adminName, IAccess.Type.Custom);
+
+        // TODO works without this -> why?
         setRoleAdmin(roleId, admin);
+        setRoleAdmin(admin, INSTANCE_OWNER_ROLE());
     }
 
-    // TODO MUST always be restricted to ADMIN_ROLE? -> use onlyAdminRole or use similar _getAdminRestrictions()
+    // ADMIN_ROLE
+    // assume used by instance service only during instance cloning
+    // assume used only by this.createRole(), this.createGifRole() afterwards
     function setRoleAdmin(RoleId roleId, RoleId admin) 
         public 
         restricted()
     {
         if (!roleExists(roleId)) {
-            revert IAccess.ErrorIAccessRoleIdInvalid(roleId);
+            revert IAccess.ErrorIAccessRoleIdDoesNotExist(roleId);
+        }
+
+        if(_roleInfo[roleId].rtype == IAccess.Type.Core) {
+            revert IAccess.ErrorIAccessRoleTypeInvalid(roleId, IAccess.Type.Core);
         }
 
         if (!roleExists(admin)) {
-            revert IAccess.ErrorIAccessRoleIdInvalid(admin);
+            revert IAccess.ErrorIAccessRoleIdDoesNotExist(admin);
         }        
 
         _roleInfo[roleId].admin = admin;      
     }
 
-    // TODO notify member?
-    // TODO granting/revoking can be `attached` to nft transfer?
+    // TODO core role can be granted only to 1 member
     function grantRole(RoleId roleId, address member) 
-        external 
+        public
         restrictedToRoleAdmin(roleId) 
         returns (bool granted) 
     {
         if (!roleExists(roleId)) {
-            revert IAccess.ErrorIAccessRoleIdInvalid(roleId);
+            revert IAccess.ErrorIAccessRoleIdDoesNotExist(roleId);
         }
 
         granted = EnumerableSet.add(_roleMembers[roleId], member);
         if(granted) {
             _accessManager.grantRole(roleId.toInt(), member, EXECUTION_DELAY);
-            
         }    
     }
 
@@ -140,12 +167,42 @@ contract InstanceAccessManager is
         return _revokeRole(roleId, member);
     }
 
+    // INSTANCE_OWNER_ROLE
+    // IMPORTANT: unbounded function, revoke all or revert
+    // Instance owner role decides what to do in case of custom role admin bening revoked, e.g.:
+    // 1) revoke custom role from ALL members
+    // 2) revoke custom role admin from ALL members
+    // 3) 1) + 2)
+    // 4) revoke only 1 member of custom role admin
+    function revokeRoleAllMembers(RoleId roleId) 
+        external
+        restrictedToRoleAdmin(roleId) 
+        returns (bool revoked)
+    {
+        if (!roleExists(roleId)) {
+            revert IAccess.ErrorIAccessRoleIdDoesNotExist(roleId);
+        }
+
+        uint memberCount = EnumerableSet.length(_roleMembers[roleId]);
+        for(uint memberIdx = 0; memberIdx < memberCount; memberIdx++)
+        {
+            address member = EnumerableSet.at(_roleMembers[roleId], memberIdx);
+            EnumerableSet.remove(_roleMembers[roleId], member);
+            _accessManager.revokeRole(roleId.toInt(), member);
+        }  
+    }
+
     /// @dev not restricted function by intention
     /// the restriction to role members is already enforced by the call to the access manager
     function renounceRole(RoleId roleId) 
         external 
         returns (bool) 
     {
+        IAccess.Type rtype = _roleInfo[roleId].rtype;
+        if(rtype == IAccess.Type.Core || rtype == IAccess.Type.Gif) {
+            revert IAccess.ErrorIAccessRoleTypeInvalid(roleId, rtype);
+        }
+
         address member = msg.sender;
         // cannot use accessManger.renounce as it directly checks against msg.sender
         return _revokeRole(roleId, member);
@@ -154,16 +211,16 @@ contract InstanceAccessManager is
     function roleExists(RoleId roleId) public view returns (bool exists) {
         return _roleInfo[roleId].createdAt.gtz();
     }
-
+    // TODO returns ADMIN_ROLE id for non existent roleId
     function getRoleAdmin(RoleId roleId) public view returns(RoleId admin) {
         return _roleInfo[roleId].admin;
     }
 
-    function getRoleInfo(RoleId roleId) external view returns (IAccess.RoleInfo memory role) {
+    function getRoleInfo(RoleId roleId) external view returns (IAccess.RoleInfo memory info) {
         return _roleInfo[roleId];
     }
 
-    function roleMembers(RoleId roleId) external view returns (uint256 numberOfMembers) {
+    function roleMembers(RoleId roleId) public view returns (uint256 numberOfMembers) {
         return EnumerableSet.length(_roleMembers[roleId]);
     }
 
@@ -171,11 +228,12 @@ contract InstanceAccessManager is
         return _roleIds[idx];
     }
 
+    // TODO returns ADMIN_ROLE id for non existent name
     function getRoleIdForName(string memory name) external view returns (RoleId roleId) {
         return _roleIdForName[ShortStrings.toShortString(name)];
     }
 
-    function roleMember(RoleId roleId, uint256 idx) external view returns (address roleMember) {
+    function roleMember(RoleId roleId, uint256 idx) external view returns (address member) {
         return EnumerableSet.at(_roleMembers[roleId], idx);
     }
 
@@ -188,45 +246,47 @@ contract InstanceAccessManager is
     }
 
     //--- Target ------------------------------------------------------//
-    // INSTANCE_SERVICE_ROLE
-    function createTarget(address target, string memory name) external restricted() {
-        bool isCustom = false;
-        _createTarget(target, name, isCustom);
+    // ADMIN_ROLE
+    // assume some core targets are registred (instance) while others are not (instance accesss manager, instance reader, bundle manager)
+    function createCoreTarget(address target, string memory name) external restricted() {
+        _createTarget(target, name, IAccess.Type.Core);
     }
-    // INSTANCE_OWNER_ROLE
-    function createCustomTarget(address target, string memory name) 
-        external 
-        restricted() 
+    // INSTANCE_SERVICE_ROLE
+    // TODO check for instance mismatch?
+    function createGifTarget(address target, string memory name) external restricted() 
     {
-        // TODO custom targets can not be registered before this function, but possibly can after...
-        if(_registry.isRegistered(target)) {
-            revert IAccess.ErrorIAccessTargetIsRegistered(target);
+        if(!_registry.isRegistered(target)) {
+            revert IAccess.ErrorIAccessTargetNotRegistered(target);
         }
 
-        bool isCustom = true;
-        _createTarget(target, name, isCustom);
+        _createTarget(target, name, IAccess.Type.Gif);
     }
-    // INSTANCE_SERVICE_ROLE
-    function setTargetLocked(string memory targetName, bool locked) 
+    // INSTANCE_OWNER_ROLE
+    // assume custom target.authority() is constant -> target MUST not be used with different instance access manager
+    // assume custom target can not be registered as component -> each service which is doing component registration MUST register a gif target
+    // assume custom target can not be registered as instance or service -> why?
+    // TODO check target associated with instance owner or instance or instance components or components helpers
+    function createTarget(address target, string memory name) external restricted() 
+    {
+        _createTarget(target, name, IAccess.Type.Custom);
+    }
+
+    // TODO instance owner locks component instead of revoking it access to the instance...
+    function setTargetLockedByService(address target, bool locked)
         external 
-        restricted() 
+        restricted // INSTANCE_SERVICE_ROLE
     {
-        ShortString nameShort = ShortStrings.toShortString(targetName);
-        address target = _targetAddressForName[nameShort];
-        
-        if (target == address(0)) {
-            revert IAccess.ErrorIAccessTargetDoesNotExist(nameShort);
-        }
+        _setTargetLocked(target, locked);
+    }
 
-        // TODO setLocked() for gif and custom targets but NEVER for core targets
-        /*if(!_targetInfo[target].isCustom) {
-            revert IAccess.ErrorIAccessSetLockedForNoncustomTarget(target);
-        }*/
-        // TODO isLocked is redundant but makes getTargetInfo() faster
-        _targetInfo[target].isLocked = locked;
-        _accessManager.setTargetClosed(target, locked);
+    function setTargetLockedByInstance(address target, bool locked)
+        external
+        restricted // INSTANCE_ROLE
+    {
+        _setTargetLocked(target, locked);
     }
 
+
     // allowed combinations of roles and targets:
     //1) set core role for core target 
     //2) set gif role for gif target  
@@ -238,7 +298,7 @@ contract InstanceAccessManager is
     // INSTANCE_SERVICE_ROLE if used not only during initilization, works with:
     //      core roles for core targets
     //      gif roles for gif targets
-    function setTargetFunctionRole(
+    function setCoreTargetFunctionRole(
         string memory targetName,
         bytes4[] calldata selectors,
         RoleId roleId
@@ -250,51 +310,57 @@ contract InstanceAccessManager is
         ShortString nameShort = ShortStrings.toShortString(targetName);
         address target = _targetAddressForName[nameShort];
 
-        if (target == address(0)) {
-            revert IAccess.ErrorIAccessTargetDoesNotExist(nameShort);
+        // not custom target
+        if(_targetInfo[target].ttype == IAccess.Type.Custom) {
+            revert IAccess.ErrorIAccessTargetTypeInvalid(target, IAccess.Type.Custom);
         }
 
-        if (!roleExists(roleId)) {
-            revert IAccess.ErrorIAccessRoleIdInvalid(roleId);
+        // not custom role
+        if(_roleInfo[roleId].rtype == IAccess.Type.Custom) {
+            revert IAccess.ErrorIAccessRoleTypeInvalid(roleId, IAccess.Type.Custom);
         }
 
-        uint64 roleIdInt = RoleId.unwrap(roleId);
-        _accessManager.setTargetFunctionRole(target, selectors, roleIdInt);
+        _setTargetFunctionRole(target, nameShort, selectors, roleId);
     }
+
     // INSTANCE_OWNER_ROLE
-    // custom role for gif target -> instance owner can mess with gif target (component) -> e.g. set custom role for function intendent to work with gif role
+    // gif role for gif target
+    // gif role for custom target
+    // custom role for gif target
     // custom role for custom target
-    function setTargetFunctionCustomRole(
+    // TODO instance owner can mess with gif target (component) -> e.g. set custom role for function intendent to work with gif role
+    function setTargetFunctionRole(
         string memory targetName,
         bytes4[] calldata selectors,
         RoleId roleId
-    ) public virtual restricted() {
+    ) 
+        public 
+        virtual 
+        restricted() 
+    {
         ShortString nameShort = ShortStrings.toShortString(targetName);
         address target = _targetAddressForName[nameShort];
-        if (target == address(0)) {
-            revert IAccess.ErrorIAccessTargetDoesNotExist(nameShort);
-        }
 
-        // TODO set for gif and custom targets but NEVER for core targets
-        /*if(!_targetInfo[target].isCustom) {
-            revert IAccess.ErrorIAccessSetForNoncustomTarget(target);
-        }*/
+        // not core target
+        if(_targetInfo[target].ttype == IAccess.Type.Core) {
+            revert IAccess.ErrorIAccessTargetTypeInvalid(target, IAccess.Type.Core);
+        }
 
-        if (!roleExists(roleId)) {
-            revert IAccess.ErrorIAccessRoleIdInvalid(roleId);
+        // not core role
+        if(_roleInfo[roleId].rtype == IAccess.Type.Core) {
+            revert IAccess.ErrorIAccessRoleTypeInvalid(roleId, IAccess.Type.Core);
         }
 
-        // TODO set for gif and custom roles
-        /*if(!_roleInfo[roleId].isCustom) {
-            revert IAccess.ErrorIAccessSetNoncustomRole(roleId);
-        }*/
+        _setTargetFunctionRole(target, nameShort, selectors, roleId);
+    }
 
-        uint64 roleIdInt = RoleId.unwrap(roleId);
-        _accessManager.setTargetFunctionRole(target, selectors, roleIdInt);
+    function getTargetAddress(string memory targetName) public view returns(address targetAddress) {
+        ShortString nameShort = ShortStrings.toShortString(targetName);
+        return _targetAddressForName[nameShort];
     }
 
     function isTargetLocked(address target) public view returns (bool locked) {
-        return _accessManager.isTargetClosed(target);
+        return _targetInfo[target].isLocked;
     }
 
     function targetExists(address target) public view returns (bool exists) {
@@ -305,60 +371,63 @@ contract InstanceAccessManager is
         return _targetInfo[target];
     }
 
-    //--- internal view/pure functions --------------------------------------//
-
-    function _createRole(RoleId roleId, string memory name, bool isCustom) 
+    //--- Role internal view/pure functions --------------------------------------//
+    function _createRole(RoleId roleId, string memory roleName, IAccess.Type rtype) 
         internal
     {
-        IAccess.RoleInfo memory role = IAccess.RoleInfo(
-            ShortStrings.toShortString(name), 
-            isCustom,
+        ShortString name = ShortStrings.toShortString(roleName);
+        _validateRole(roleId, name, rtype);
+
+        if(roleExists(roleId)) {
+            revert IAccess.ErrorIAccessRoleIdExists(roleId);
+        }
+
+        if (_roleIdForName[name].gtz()) {
+            revert IAccess.ErrorIAccessRoleNameExists(roleId, _roleIdForName[name], name);
+        }
+
+        _roleInfo[roleId] = IAccess.RoleInfo(
+            name,
+            rtype,
             ADMIN_ROLE(),
             TimestampLib.blockTimestamp(),
-            TimestampLib.blockTimestamp());
-
-        _roleInfo[roleId] = role;
-        _roleIdForName[role.name] = roleId;
+            TimestampLib.blockTimestamp()
+        );
+        _roleIdForName[name] = roleId;
         _roleIds.push(roleId);
+
+        emit LogRoleCreation(roleId, name, rtype);
     }
 
-    function _validateRoleParameters(
-        RoleId roleId, 
-        string memory name, 
-        bool isCustom
-    )
+    function _validateRole(RoleId roleId, ShortString name, IAccess.Type rtype)
         internal
-        view 
-        returns (IAccess.RoleInfo memory existingRole)
+        view
     {
-        if(roleExists(roleId)) {
-            revert IAccess.ErrorIAccessRoleIdAlreadyExists(roleId);
+        uint roleIdInt = roleId.toInt();
+        if(rtype == IAccess.Type.Custom && roleIdInt < CUSTOM_ROLE_ID_MIN) {
+            revert IAccess.ErrorIAccessRoleIdTooSmall(roleId);
         }
 
-        uint roleIdInt = roleId.toInt();
-        if (isCustom && roleIdInt < CUSTOM_ROLE_ID_MIN) {
-            revert IAccess.ErrorIAccessRoleIdTooSmall(roleId); 
-        } else if (!isCustom && roleIdInt >= CUSTOM_ROLE_ID_MIN) {
-            revert IAccess.ErrorIAccessRoleIdTooBig(roleId); 
+        if(
+            rtype != IAccess.Type.Custom && 
+            roleIdInt >= CUSTOM_ROLE_ID_MIN && 
+            roleIdInt != PUBLIC_ROLE().toInt()) 
+        {
+            revert IAccess.ErrorIAccessRoleIdTooBig(roleId);
         }
 
         // role name checks
-        ShortString nameShort = ShortStrings.toShortString(name);
-        if (ShortStrings.byteLength(nameShort) == 0) {
+        if (ShortStrings.byteLength(name) == 0) {
             revert IAccess.ErrorIAccessRoleNameEmpty(roleId);
         }
-
-        if (_roleIdForName[nameShort].gtz()) {
-            revert IAccess.ErrorIAccessRoleNameNotUnique(_roleIdForName[nameShort], nameShort);
-        }
     }
 
-    function _revokeRole(RoleId roleId, address member) 
+    function _revokeRole(RoleId roleId, address member)
         internal
         returns(bool revoked)
     {
         if (!roleExists(roleId)) {
-            revert IAccess.ErrorIAccessRoleIdInvalid(roleId);
+            revert IAccess.ErrorIAccessRoleIdDoesNotExist(roleId);
         }
 
         revoked = EnumerableSet.remove(_roleMembers[roleId], member);
@@ -367,41 +436,99 @@ contract InstanceAccessManager is
         }
     }
 
-    function _getNextCustomRoleId() internal returns(RoleId) {
-        return RoleIdLib.toRoleId(_idNext++);
+    function _getNextCustomRoleId() 
+        internal 
+        returns(RoleId roleId, RoleId admin) 
+    {
+        uint64 roleIdInt = _idNext;
+        uint64 adminInt = roleIdInt + 1;
+
+        _idNext = roleIdInt + 2;
+
+        roleId = RoleIdLib.toRoleId(roleIdInt);
+        admin = RoleIdLib.toRoleId(adminInt);
     }
 
-    function _createTarget(address target, string memory name, bool isCustom) internal {
-        _validateTargetParameters(target, name, isCustom);
+    //--- Target internal view/pure functions --------------------------------------//
+    function _createTarget(address target, string memory targetName, IAccess.Type ttype) 
+        internal 
+    {
+        ShortString name = ShortStrings.toShortString(targetName);
+        _validateTarget(target, name, ttype);
 
-        IAccess.TargetInfo memory info = IAccess.TargetInfo(
-            ShortStrings.toShortString(name), 
-            isCustom,
-            _accessManager.isTargetClosed(target), // sync with state in access manager
-            TimestampLib.blockTimestamp(),
-            TimestampLib.blockTimestamp());
+        if (_targetInfo[target].createdAt.gtz()) {
+            revert IAccess.ErrorIAccessTargetExists(target, _targetInfo[target].name);
+        }
 
-        _targetInfo[target] = info;
-        _targetAddressForName[info.name] = target;
+        if (_targetAddressForName[name] != address(0)) {
+            revert IAccess.ErrorIAccessTargetNameExists(
+                target, 
+                _targetAddressForName[name], 
+                name);
+        }
+
+        bool isLocked = _accessManager.isTargetClosed(target);// sync with state in access manager
+        _targetInfo[target] = IAccess.TargetInfo(
+            name,
+            ttype,
+            isLocked,
+            TimestampLib.blockTimestamp(),
+            TimestampLib.blockTimestamp()
+        );
+        _targetAddressForName[name] = target;
         _targets.push(target);
+
+        emit LogTargetCreation(target, name, ttype, isLocked); 
     }
 
-    function _validateTargetParameters(address target, string memory name, bool isCustom) internal view {
-        if (_targetInfo[target].createdAt.gtz()) {
-            revert IAccess.ErrorIAccessTargetAlreadyExists(target, _targetInfo[target].name);
+    function _validateTarget(address target, ShortString name, IAccess.Type ttype) 
+        internal 
+        view 
+    {
+        address targetAuthority = AccessManagedUpgradeable(target).authority();
+        if(targetAuthority != authority()) {
+            revert IAccess.ErrorIAccessTargetAuthorityInvalid(target, targetAuthority);
         }
 
-        ShortString nameShort = ShortStrings.toShortString(name);
-        if (ShortStrings.byteLength(nameShort) == 0) {
+        if (ShortStrings.byteLength(name) == 0) {
             revert IAccess.ErrorIAccessTargetNameEmpty(target);
         }
+    }
 
-        if (_targetAddressForName[nameShort] != address(0)) {
-            revert IAccess.ErrorIAccessTargetNameExists(
-                target, 
-                _targetAddressForName[nameShort], 
-                nameShort);
+    // IMPORTANT: instance access manager MUST be of Core type -> otherwise can be locked forever
+    function _setTargetLocked(address target, bool locked) internal
+    {
+        IAccess.Type targetType = _targetInfo[target].ttype;
+        if(target == address(0) || targetType == IAccess.Type.NotInitialized) {
+            revert IAccess.ErrorIAccessTargetDoesNotExist(target);
+        }
+
+        if(targetType == IAccess.Type.Core) {
+            revert IAccess.ErrorIAccessTargetTypeInvalid(target, targetType);
         }
+
+        _targetInfo[target].isLocked = locked;
+        _accessManager.setTargetClosed(target, locked);
+    }
+
+    function _setTargetFunctionRole(
+        address target,
+        ShortString name,
+        bytes4[] calldata selectors,
+        RoleId roleId
+    ) 
+        internal
+    {
+        if (target == address(0)) {
+            revert IAccess.ErrorIAccessTargetDoesNotExist(target);
+        }
+
+        if (!roleExists(roleId)) {
+            revert IAccess.ErrorIAccessRoleIdDoesNotExist(roleId);
+        }
+
+        uint64 roleIdInt = RoleId.unwrap(roleId);
+        _accessManager.setTargetFunctionRole(target, selectors, roleIdInt);
     }
 
     function canCall(
@@ -411,4 +538,4 @@ contract InstanceAccessManager is
     ) public view virtual returns (bool immediate, uint32 delay) {
         return _accessManager.canCall(caller, target, selector);
     }
-}
+}