@etherisc/gif-next 0.0.2-e769e2e-077 → 0.0.2-e802d97-713

package/contracts/registry/ReleaseManager.sol

@@ -1,265 +1,370 @@
 // SPDX-License-Identifier: Apache-2.0
 pragma solidity ^0.8.20;
 
+import {Create2} from "@openzeppelin/contracts/utils/Create2.sol";
+import {Clones} from "@openzeppelin/contracts/proxy/Clones.sol";
+import {IAccessManager} from "@openzeppelin/contracts/access/manager/IAccessManager.sol";
+import {Initializable} from "@openzeppelin/contracts/proxy/utils/Initializable.sol";
 import {AccessManaged} from "@openzeppelin/contracts/access/manager/AccessManaged.sol";
+import {Math} from "@openzeppelin/contracts/utils/math/Math.sol";
 
 import {NftId} from "../type/NftId.sol";
-import {RoleId} from "../type/RoleId.sol";
-import {ObjectType, ObjectTypeLib, zeroObjectType, REGISTRY, SERVICE, STAKING} from "../type/ObjectType.sol";
+import {RoleId, ADMIN_ROLE, PUBLIC_ROLE} from "../type/RoleId.sol";
+import {ObjectType, ObjectTypeLib, RELEASE, REGISTRY, SERVICE, STAKING} from "../type/ObjectType.sol";
+import {Version, VersionLib, VersionPart, VersionPartLib} from "../type/Version.sol";
+import {Timestamp, TimestampLib, zeroTimestamp, ltTimestamp} from "../type/Timestamp.sol";
+import {Seconds, SecondsLib} from "../type/Seconds.sol";
+import {StateId, INITIAL, SCHEDULED, DEPLOYING, ACTIVE} from "../type/StateId.sol";
 import {Version, VersionLib, VersionPart, VersionPartLib} from "../type/Version.sol";
-import {Timestamp, TimestampLib} from "../type/Timestamp.sol";
 
+import {IService} from "../shared/IService.sol";
+import {AccessManagerExtendedWithDisableInitializeable} from "../shared/AccessManagerExtendedWithDisableInitializeable.sol";
+import {ILifecycle} from "../shared/ILifecycle.sol";
+import {INftOwnable} from "../shared/INftOwnable.sol";
 import {IRegisterable} from "../shared/IRegisterable.sol";
+
 import {IRegistry} from "./IRegistry.sol";
+import {IRegistryLinked} from "../shared/IRegistryLinked.sol";
 import {IRegistryService} from "./IRegistryService.sol";
-import {IService} from "../shared/IService.sol";
-import {IStaking} from "../staking/IStaking.sol";
-
+import {RegistryAdmin} from "./RegistryAdmin.sol";
 import {Registry} from "./Registry.sol";
-import {RegistryAccessManager} from "./RegistryAccessManager.sol";
-import {ServiceAuthorizationsLib} from "./ServiceAuthorizationsLib.sol";
 import {TokenRegistry} from "./TokenRegistry.sol";
+import {ServiceAuthorizationsLib} from "./ServiceAuthorizationsLib.sol";
 
-contract ReleaseManager is AccessManaged
+
+contract ReleaseManager is 
+    AccessManaged, 
+    ILifecycle, 
+    IRegistryLinked
 {
     using ObjectTypeLib for ObjectType;
 
-    event LogReleaseCreation(VersionPart version); 
+    uint256 public constant INITIAL_GIF_VERSION = 3;
+
+    event LogReleaseCreation(VersionPart version, bytes32 salt, AccessManagerExtendedWithDisableInitializeable accessManager); 
     event LogReleaseActivation(VersionPart version);
 
+    // constructor
+    error ErrorReleaseManagerNotRegistry(Registry registry);
+
     // createNextRelease
-    error NotRegistryService();
-    error UnexpectedServiceAuthority(address expected, address found);
+    error ErrorReleaseManagerReleaseCreationDisallowed(StateId currentStateId);
 
+    // prepareRelease
+    error ErrorReleaseManagerReleasePreparationDisallowed(StateId currentStateId);
+    error ErrorReleaseManagerReleaseAlreadyPrepared(VersionPart version);
+    
     // register staking
-    error ErrorReleaseManagerStakingAlreadySet(address stakingAddress);
+    //error ErrorReleaseManagerStakingAlreadySet(address stakingAddress);
 
     // registerService
-    error NotService();
+    error ErrorReleaseManagerNoServiceRegistrationExpected();
+    error ErrorReleaseManagerServiceRegistrationDisallowed(StateId currentStateId);
+    error ErrorReleaseManagerNotService(IService service);
+    error ErrorReleaseManagerServiceAddressInvalid(IService given, address expected);
 
     // activateNextRelease
-    error ReleaseNotCreated();
-    error ReleaseRegistrationNotFinished();
+    error ErrorReleaseManagerReleaseActivationDisallowed(StateId currentStateId);
+    error ErrorReleaseManagerReleaseNotCreated(VersionPart releaseVersion);
+    error ErrorReleaseManagerReleaseRegistrationNotFinished(VersionPart releaseVersion, uint awaitingRegistration);
+    error ErrorReleaseManagerReleaseAlreadyActivated(VersionPart releaseVersion);
 
-    // _getAndVerifyContractInfo
-    error ErrorReleaseManagerUnexpectedRegisterableAddress(address expected, address actual);
-    error ErrorReleaseManagerIsInterceptorTrue();
-    error UnexpectedRegisterableType(ObjectType expected, ObjectType found);
-    error NotRegisterableOwner(address expectedOwner, address actualOwner);
-    error SelfRegistration();
-    error RegisterableOwnerIsRegistered();
+    // disableRelease
+    error ErrorReleaseManagerReleaseNotActivated(VersionPart releaseVersion);
+    error ErrorReleaseManagerReleaseAlreadyDisabled(VersionPart releaseVersion);
 
     // _verifyService
-    error UnexpectedServiceVersion(VersionPart expected, VersionPart found);
-    error UnexpectedServiceDomain(ObjectType expected, ObjectType found);
-    
-    // _verifyAndStoreConfig
-    error ConfigMissing();
-    error ConfigServiceDomainInvalid(uint configArrayIndex, ObjectType domain);
-    error ConfigSelectorZero(uint configArrayIndex);
-    error SelectorAlreadyExists(VersionPart releaseVersion, ObjectType serviceDomain);
-
-    RegistryAccessManager private immutable _accessManager;
-    Registry private immutable _registry;
-    TokenRegistry private immutable _tokenRegistry;
-    IStaking private _staking;
-
-    VersionPart immutable _initial;// first active major version    
-    VersionPart _latest;// latest active major version
-    VersionPart _next;// major version to create and activate 
+    error ErrorReleaseManagerServiceReleaseAuthorityMismatch(IService service, address serviceAuthority, address releaseAuthority);
+    error ErrorReleaseManagerServiceReleaseVersionMismatch(IService service, VersionPart serviceVersion, VersionPart releaseVersion);
+
+    // _verifyServiceInfo
+    error ErrorReleaseManagerServiceInfoAddressInvalid(IService service, address expected);
+    error ErrorReleaseManagerServiceInfoInterceptorInvalid(IService service, bool isInterceptor);
+    error ErrorReleaseManagerServiceInfoTypeInvalid(IService service, ObjectType expected, ObjectType found);
+    error ErrorReleaseManagerServiceInfoOwnerInvalid(IService service, address expected, address found);
+    error ErrorReleaseManagerServiceSelfRegistration(IService service);
+    error ErrorReleaseManagerServiceOwnerRegistered(IService service, address owner);
+
+    // _verifyReleaseAuthorizations
+    error ErrorReleaseManagerReleaseEmpty();
+    error ErrorReleaseManagerReleaseServiceRoleInvalid(uint serviceIdx, address service, RoleId role);
+
+    Seconds public constant MIN_DISABLE_DELAY = Seconds.wrap(60 * 24 * 365); // 1 year
+
+    RegistryAdmin public immutable _admin;
+    address public immutable _releaseAccessManagerCodeAddress;
+    Registry public immutable _registry;
+    IRegisterable private _staking;
+    address private _stakingOwner;
+
+    mapping(VersionPart version => AccessManagerExtendedWithDisableInitializeable accessManager) internal _releaseAccessManager;
+    mapping(VersionPart version => IRegistry.ReleaseInfo info) internal _releaseInfo;
+    mapping(address registryService => VersionPart version) _releaseVersionByAddress;
+
+    VersionPart immutable internal _initial;// first active version    
+    VersionPart internal _latest; // latest active version
+    VersionPart internal _next; // version to create and activate 
+    StateId internal _state; // current state of release manager
+
+    uint256 internal _awaitingRegistration; // "services left to register" counter
+
+    // deployer of this contract must be gif admin
+    constructor(Registry registry)
+        AccessManaged(msg.sender)
+    {
+        // TODO move this part to RegistryLinked constructor
+        if(!_isRegistry(address(registry))) {
+            revert ErrorReleaseManagerNotRegistry(registry);
+        }
 
-    mapping(VersionPart majorVersion => IRegistry.ReleaseInfo info) _release;
+        _registry = registry;
+        setAuthority(_registry.getAuthority());
+        _admin = RegistryAdmin(_registry.getRegistryAdminAddress());
 
-    // registry service function selector assigned to domain 
-    mapping(VersionPart majorVersion => mapping(ObjectType serviceDomain => bytes4[])) _selectors; 
+        _initial = VersionPartLib.toVersionPart(INITIAL_GIF_VERSION);
+        _next = VersionPartLib.toVersionPart(INITIAL_GIF_VERSION - 1);
+        _state = getInitialState(RELEASE());
+        
+        AccessManagerExtendedWithDisableInitializeable masterReleaseAccessManager = new AccessManagerExtendedWithDisableInitializeable();
+        masterReleaseAccessManager.initialize(_registry.NFT_LOCK_ADDRESS(), VersionLib.toVersionPart(0));
+        //masterReleaseAccessManager.disable();
+        _releaseAccessManagerCodeAddress = address(masterReleaseAccessManager);
+    }
 
-    uint _awaitingRegistration; // "services left to register" counter
+    /// @dev skips previous release if was not activated
+    /// sets release manager into state SCHEDULED
+    function createNextRelease()
+        external
+        restricted() // GIF_ADMIN_ROLE
+        returns(VersionPart)
+    {
+        if (!isValidTransition(RELEASE(), _state, SCHEDULED())) {
+            revert ErrorReleaseManagerReleaseCreationDisallowed(_state);
+        }
 
-    mapping(address registryService => bool isActive) _active;
+        _next = VersionPartLib.toVersionPart(_next.toInt() + 1);
+        _awaitingRegistration = 0;
+        _state = SCHEDULED();
 
-    mapping(VersionPart majorVersion => bool isValid) _valid; // TODO refactor to use _active only
+        return _next;
+    }
 
-    constructor(
-        RegistryAccessManager accessManager, 
-        VersionPart initialVersion
+    // TODO order of events
+    function prepareNextRelease(
+        address[] memory addresses,
+        string[] memory names, 
+        RoleId[][] memory serviceRoles,
+        string[][] memory serviceRoleNames,
+        RoleId[][] memory functionRoles,
+        string[][] memory functionRoleNames,
+        bytes4[][][] memory selectors, 
+        bytes32 salt
     )
-        AccessManaged(accessManager.authority())
+        external
+        restricted() // GIF_MANAGER_ROLE
+        returns(
+            address releaseAccessManagerAddress, 
+            VersionPart version, 
+            bytes32 releaseSalt
+        )
     {
-        require(initialVersion.toInt() > 0, "ReleaseManager: initial version is 0");
+        version = getNextVersion();
 
-        _accessManager = accessManager;
+        // ensures unique salt
+        releaseSalt = keccak256(
+            bytes.concat(
+                bytes32(version.toInt()),
+                salt));
 
-        _initial = initialVersion;
-        _next = initialVersion;
+        releaseAccessManagerAddress = Clones.cloneDeterministic(_releaseAccessManagerCodeAddress, releaseSalt);
+        AccessManagerExtendedWithDisableInitializeable releaseAccessManager = AccessManagerExtendedWithDisableInitializeable(releaseAccessManagerAddress);
+        releaseAccessManager.initialize(address(this), version);
+
+        if (!isValidTransition(RELEASE(), _state, DEPLOYING())) {
+            revert ErrorReleaseManagerReleasePreparationDisallowed(_state);
+        }
 
-        _registry = new Registry();
-        _tokenRegistry = new TokenRegistry(address(_registry));
+        _verifyReleaseAuthorizations(addresses, serviceRoles, functionRoles, selectors);
 
-        _registry.setTokenRegistry(address(_tokenRegistry));
+        if(_awaitingRegistration > 0) {
+            revert ErrorReleaseManagerReleaseAlreadyPrepared(version);
+        }
+        // TODO instead of copying just set ServiceAuthorizationsLib for release and array of domains???
+        _releaseInfo[version].version = version;
+        _releaseInfo[version].salt = releaseSalt;
+        _releaseInfo[version].addresses = addresses;
+        _releaseInfo[version].names = names;
+        _releaseInfo[version].serviceRoles = serviceRoles;
+        _releaseInfo[version].serviceRoleNames = serviceRoleNames;
+        _releaseInfo[version].functionRoles = functionRoles;
+        _releaseInfo[version].functionRoleNames = functionRoleNames;
+        _releaseInfo[version].selectors = selectors;
+        _awaitingRegistration = addresses.length;
+        _state = DEPLOYING();        
+        _releaseAccessManager[version] = releaseAccessManager;
+
+        emit LogReleaseCreation(version, releaseSalt, releaseAccessManager);
     }
 
-    function registerStaking(
-        address stakingAddress,
-        address stakingOwner
-    )
+
+    function registerService(IService service) 
         external
-        restricted // GIF_ADMIN_ROLE
+        restricted // GIF_MANAGER_ROLE
         returns(NftId nftId)
     {
-        // verify staking contract
-        _getAndVerifyContractInfo(stakingAddress, STAKING(), stakingOwner);
-        _staking = IStaking(stakingAddress);
+        if (!isValidTransition(RELEASE(), _state, DEPLOYING())) {
+            revert ErrorReleaseManagerServiceRegistrationDisallowed(_state);
+        }
 
-        nftId = _registry.registerStaking(
-            stakingAddress,
-            stakingOwner);
+        (
+            IRegistry.ObjectInfo memory info,
+            ObjectType domain,
+            VersionPart version
+        ) = _verifyService(service);
 
-        _staking.linkToRegisteredNftId();
-    }
-
-    /// @dev skips previous release if was not activated
-    function createNextRelease()
-        external
-        restricted // GIF_ADMIN_ROLE
-    {
-        // allow to register new registry service for next version
-        // TODO check/test: assignment to _next likely missing ...
-        VersionPartLib.toVersionPart(_next.toInt() + 1);
+        // redundant with state var
+        if (_awaitingRegistration == 0) {
+            revert ErrorReleaseManagerNoServiceRegistrationExpected();
+        }
 
-        // disallow registration of regular services for next version while registry service is not registered 
-        _awaitingRegistration = 0;
+        uint serviceIdx = _awaitingRegistration - 1;
+        address serviceAddress = _releaseInfo[version].addresses[serviceIdx];
+        // TODO temp, while typescript addresses computation is not implemented 
+        /*if(address(service) != serviceAddress) {
+            revert ErrorReleaseManagerServiceAddressInvalid(service, serviceAddress);
+        }*/
+
+        _setServiceAuthorizations(
+            _releaseAccessManager[version],
+            // TODO temp, while typescript addresses computation is not implemented
+            address(service),//serviceAddress, 
+            _releaseInfo[version].names[serviceIdx], 
+            _releaseInfo[version].serviceRoles[serviceIdx],
+            _releaseInfo[version].serviceRoleNames[serviceIdx],
+            _releaseInfo[version].functionRoles[serviceIdx],
+            _releaseInfo[version].functionRoleNames[serviceIdx],
+            _releaseInfo[version].selectors[serviceIdx]);
+
+        // TODO decide for one of the approaches
+        // // service to service authorization
+        // ServiceAuthorizationsLib.ServiceAuthorization memory authz = ServiceAuthorizationsLib.getAuthorizations(domain);
+        // for(uint8 idx = 0; idx < authz.authorizedRole.length; idx++) {
+        //     _accessManager.setTargetFunctionRole(
+        //         address(service), 
+        //         authz.authorizedSelectors[idx], 
+        //         authz.authorizedRole[idx]);
+        // }
+
+        _awaitingRegistration = serviceIdx;
+        // TODO end state depends on (_awaitingRegistration == 0)
+        _state = DEPLOYING();
+
+        // checked in registry
+        _releaseInfo[version].domains.push(domain);
+
+        nftId = _registry.registerService(info, version, domain);
 
-        emit LogReleaseCreation(_next); 
+        service.linkToRegisteredNftId();
     }
 
+
     function activateNextRelease() 
         external 
         restricted // GIF_ADMIN_ROLE
     {
+        if (!isValidTransition(RELEASE(), _state, ACTIVE())) {
+            revert ErrorReleaseManagerReleaseActivationDisallowed(_state);
+        }
+
         VersionPart version = _next;
         address service = _registry.getServiceAddress(REGISTRY(), version);
 
-        // release was created
+        // release exists, registry service is a MUST
+        //if(_releaseAccessManager[version] == address(0)) {
         if(service == address(0)) {
-            revert ReleaseNotCreated();
+            revert ErrorReleaseManagerReleaseNotCreated(version);
         }
 
         // release fully deployed
         if(_awaitingRegistration > 0) {
-            revert ReleaseRegistrationNotFinished();
+            revert ErrorReleaseManagerReleaseRegistrationNotFinished(version, _awaitingRegistration);
         }
 
-        //setTargetClosed(service, false);
+        // release is not activated
+        if(_releaseInfo[version].activatedAt.gtz()) {
+            revert ErrorReleaseManagerReleaseAlreadyActivated(version);
+        }
 
         _latest = version;
+        _state = ACTIVE();
 
-        _active[service] = true;
-        _valid[version] = true;
+        _releaseVersionByAddress[service] = version;
+        _releaseInfo[version].activatedAt = TimestampLib.blockTimestamp();
 
         emit LogReleaseActivation(version);
     }
 
-    // TODO implement reliable way this function can only be called directly after createNextRelease()
-    // IMPORTANT: MUST never be possible to create with access/release manager, token registry
-    // callable once per release after release creation
-    // can not register regular services
-    function registerRegistryService(IRegistryService service)
+    // release becomes disabled after delay expiration (can be reenabled before that)
+    function disableRelease(VersionPart version, Seconds disableDelay)
         external
-        restricted // GIF_MANAGER_ROLE
-        returns(NftId nftId)
+        restricted // GIF_ADMIN_ROLE
     {
-        if(!service.supportsInterface(type(IRegistryService).interfaceId)) {
-            revert NotRegistryService();
+        // release was activated
+        if(_releaseInfo[version].activatedAt.eqz()) {
+            revert ErrorReleaseManagerReleaseNotActivated(version);
         }
 
-        // TODO unreliable! MUST guarantee the same authority -> how?
-        address serviceAuthority = service.authority();
-        if(serviceAuthority != authority()) {
-            revert UnexpectedServiceAuthority(
-                authority(), 
-                serviceAuthority); 
+        // release not disabled already
+        if(_releaseInfo[version].disabledAt.gtz()) {
+            revert ErrorReleaseManagerReleaseAlreadyDisabled(version);
         }
 
-        IRegistry.ObjectInfo memory info = _getAndVerifyContractInfo(address(service), SERVICE(), msg.sender);
+        disableDelay = SecondsLib.toSeconds(Math.max(disableDelay.toInt(), MIN_DISABLE_DELAY.toInt()));
 
-        VersionPart majorVersion = _next;
-        ObjectType domain = REGISTRY();
-        _verifyService(service, majorVersion, domain);
-        _createRelease(service.getFunctionConfigs());
-        
-        nftId = _registry.registerService(info, majorVersion, domain);
+        _releaseAccessManager[version].disable(disableDelay);
 
-        // external call
-        service.linkToRegisteredNftId();
+        _releaseInfo[version].disabledAt = TimestampLib.blockTimestamp().addSeconds(disableDelay);
     }
-
-    // TODO adding service to release -> synchronized with proxy upgrades or simple addServiceToRelease(service, version, selector)?
-    // TODO removing service from release? -> set _active to false forever, but keep all other records?
-    function registerService(IService service) 
+    
+    function enableRelease(VersionPart version)
         external
-        restricted // GIF_MANAGER_ROLE
-        returns(NftId nftId)
+        restricted // GIF_ADMIN_ROLE
     {
-        if(!service.supportsInterface(type(IService).interfaceId)) {
-            revert NotService();
-        }
+        // release was disabled
+        //if(_releaseInfo[version].disabledAt.eqz()) {
+        //    revert ErrorReleaseManagerReleaseAlreadyEnabled(version);
+        //}
 
-        IRegistry.ObjectInfo memory info = _getAndVerifyContractInfo(address(service), SERVICE(), msg.sender);
-        VersionPart majorVersion = getNextVersion();
-        ObjectType domain = _release[majorVersion].domains[_awaitingRegistration];// reversed registration order of services specified in RegistryService config
-        _verifyService(service, majorVersion, domain);
-
-        // setup and grant unique role if service does registrations
-        bytes4[] memory selectors = _selectors[majorVersion][domain];
-        address registryService = _registry.getServiceAddress(REGISTRY(), majorVersion);
-        if(selectors.length > 0) {
-            _accessManager.setAndGrantUniqueRole(
-                address(service), 
-                registryService, 
-                selectors);
-        }
+        // reverts if disable delay expired
+        _releaseAccessManager[version].enable();
         
-        // service to service authorization
-        ServiceAuthorizationsLib.ServiceAuthorization memory authz = ServiceAuthorizationsLib.getAuthorizations(domain);
-        for(uint8 idx = 0; idx < authz.authorizedRole.length; idx++) {
-            _accessManager.setTargetFunctionRole(
-                address(service), 
-                authz.authorizedSelectors[idx], 
-                authz.authorizedRole[idx]);
-        }
-
-        _awaitingRegistration--;
-
-        nftId = _registry.registerService(info, majorVersion, domain);
-
-        // external call
-        service.linkToRegisteredNftId(); 
+        _releaseInfo[version].disabledAt = zeroTimestamp();
     }
 
     //--- view functions ----------------------------------------------------//
 
-    function isActiveRegistryService(address service) external view returns(bool)
-    {
-        return _active[service];
+    function predictDeterministicAddress(
+        address implementation,
+        bytes32 salt,
+        address deployer
+    ) external pure returns (address predicted) {
+        return Clones.predictDeterministicAddress(implementation, salt, deployer);
     }
 
-    function isValidRelease(VersionPart version) external view returns(bool)
-    {
-        return _valid[version];
+    function isActiveRegistryService(address service) external view returns(bool) {
+        VersionPart version = _releaseVersionByAddress[service];
+        return isActiveRelease(version);
     }
 
-    function getRegistryAddress() external view returns(address)
-    {
-        return address(_registry);
+    function isActiveRelease(VersionPart version) public view returns(bool) {
+        return _releaseInfo[version].activatedAt.gtz();
     }
 
-    function getReleaseInfo(VersionPart version) external view returns(IRegistry.ReleaseInfo memory)
-    {
-        return _release[version];
+    function getReleaseInfo(VersionPart version) external view returns(IRegistry.ReleaseInfo memory) {
+        return _releaseInfo[version];
     }
 
-    function getNextVersion() public view returns(VersionPart) 
-    {
+    function getNextVersion() public view returns(VersionPart) {
         return _next;
     }
 
@@ -271,105 +376,225 @@ contract ReleaseManager is AccessManaged
         return _initial;
     }
 
-    //--- private functions ----------------------------------------------------//
+    function getState() external view returns (StateId stateId) {
+        return _state;
+    }
 
-    function _getAndVerifyContractInfo(
-        address registerableAddress,
-        ObjectType expectedType,
-        address expectedOwner // assume always valid, can not be 0
+    function getRemainingServicesToRegister() external view returns (uint256 services) {
+        return _awaitingRegistration;
+    }
+
+    function getReleaseAccessManager(VersionPart version) external view returns(AccessManagerExtendedWithDisableInitializeable) {
+        return _releaseAccessManager[version];
+    }
+    // TODO tokenr registry knows nothing about adfmin, only registry
+    function getRegistryAdmin() external view returns (address) {
+        return address(_admin);
+    }
+
+    //--- IRegistryLinked ------------------------------------------------------//
+
+    function getRegistry() external view returns (IRegistry) {
+        return _registry;
+    }
+
+    //--- ILifecycle -----------------------------------------------------------//
+
+    function hasLifecycle(ObjectType objectType) external pure returns (bool) { return objectType == RELEASE(); }
+
+    function getInitialState(ObjectType objectType) public pure returns (StateId stateId) { 
+        if (objectType == RELEASE()) {
+            stateId = INITIAL();
+        }
+    }
+
+    function isValidTransition(
+        ObjectType objectType,
+        StateId fromId,
+        StateId toId
     )
+        public 
+        pure 
+        returns (bool isValid)
+    {
+        if (objectType != RELEASE()) { return false; }
+
+        if (fromId == INITIAL() && toId == SCHEDULED()) { return true; }
+        if (fromId == SCHEDULED() && toId == DEPLOYING()) { return true; }
+        if (fromId == DEPLOYING() && toId == SCHEDULED()) { return true; }
+        if (fromId == DEPLOYING() && toId == DEPLOYING()) { return true; }
+        if (fromId == DEPLOYING() && toId == ACTIVE()) { return true; }
+        // TODO active -> scheduled missing, add tests to cover this and more scenarios (#358)
+
+        return false;
+    }
+
+    //--- private functions ----------------------------------------------------//
+
+    function _verifyService(IService service)
         internal
-        // view
+        view
         returns(
-            IRegistry.ObjectInfo memory info
+            IRegistry.ObjectInfo memory serviceInfo,
+            ObjectType serviceDomain, 
+            VersionPart serviceVersion
         )
     {
-        info = IRegisterable(registerableAddress).getInitialInfo();
+        if(!service.supportsInterface(type(IService).interfaceId)) {
+            revert ErrorReleaseManagerNotService(service);
+        }
 
-        if(info.objectAddress != registerableAddress) {
-            revert ErrorReleaseManagerUnexpectedRegisterableAddress(registerableAddress, info.objectAddress);
+        address owner = msg.sender;
+        address serviceAuthority = service.authority();
+        serviceVersion = service.getVersion().toMajorPart();
+        serviceDomain = service.getDomain();// checked in registry
+        serviceInfo = service.getInitialInfo();
+
+        _verifyServiceInfo(service, serviceInfo, owner);
+
+        VersionPart releaseVersion = getNextVersion(); // never 0
+        address releaseAuthority = address(_releaseAccessManager[releaseVersion]); // can be zero if registering service when release is not created
+
+        // IMPORTANT: can not guarantee service access is actually controlled by authority
+        if(serviceAuthority != releaseAuthority) {
+            revert ErrorReleaseManagerServiceReleaseAuthorityMismatch(
+                service,
+                serviceAuthority,
+                releaseAuthority);
         }
 
-        if(info.isInterceptor) {
-            revert ErrorReleaseManagerIsInterceptorTrue();
+        if(serviceVersion != releaseVersion) {
+            revert ErrorReleaseManagerServiceReleaseVersionMismatch(
+                service,
+                serviceVersion,
+                releaseVersion);            
         }
+    }
 
-        if(info.objectType != expectedType) {// type is checked in registry anyway...but service logic may depend on expected value
-            revert UnexpectedRegisterableType(expectedType, info.objectType);
+
+    function _verifyServiceInfo(
+        IService service,
+        IRegistry.ObjectInfo memory info,
+        address expectedOwner // assume always valid, can not be 0
+    )
+        internal
+        view
+    {
+        if(info.objectAddress != address(service)) {
+            revert ErrorReleaseManagerServiceInfoAddressInvalid(service, address(service));
+        }
+
+        if(info.isInterceptor != false) { // service is never interceptor
+            revert ErrorReleaseManagerServiceInfoInterceptorInvalid(service, info.isInterceptor);
+        }
+
+        if(info.objectType != SERVICE()) {// type is checked in registry anyway...but service logic may depend on expected value
+            revert ErrorReleaseManagerServiceInfoTypeInvalid(service, SERVICE(), info.objectType);
         }
 
         address owner = info.initialOwner;
 
         if(owner != expectedOwner) { // registerable owner protection
-            revert NotRegisterableOwner(expectedOwner, owner); 
+            revert ErrorReleaseManagerServiceInfoOwnerInvalid(service, expectedOwner, owner); 
         }
 
-        if(owner == address(registerableAddress)) {
-            revert SelfRegistration();
+        if(owner == address(service)) {
+            revert ErrorReleaseManagerServiceSelfRegistration(service);
         }
         
         if(_registry.isRegistered(owner)) { 
-            revert RegisterableOwnerIsRegistered(); 
+            revert ErrorReleaseManagerServiceOwnerRegistered(service, owner);
         }
     }
 
-    function _verifyService(
-        IService service,
-        VersionPart expectedVersion,
-        ObjectType expectedDomain
+
+    function _verifyReleaseAuthorizations(
+        address[] memory serviceAddress,
+        RoleId[][] memory serviceRoles,
+        RoleId[][] memory functionRoles,
+        bytes4[][][] memory selectors
     )
         internal
-        view
-        returns(ObjectType)
+        pure
     {
-        Version version = service.getVersion();
-        VersionPart majorVersion = version.toMajorPart();
-        if(majorVersion != expectedVersion) {
-            revert UnexpectedServiceVersion(expectedVersion, majorVersion);
+        if(serviceAddress.length == 0) {
+            revert ErrorReleaseManagerReleaseEmpty();
         }
 
-        if(service.getDomain() != expectedDomain) {
-            revert UnexpectedServiceDomain(expectedDomain, service.getDomain());
+        for(uint serviceIdx = 0; serviceIdx < serviceAddress.length; serviceIdx++)
+        {
+            for(uint roleIdx = 0; roleIdx < serviceRoles[serviceIdx].length; roleIdx++)
+            {
+                RoleId role = serviceRoles[serviceIdx][roleIdx];
+                if(role == ADMIN_ROLE() || role == PUBLIC_ROLE()) {
+                    revert ErrorReleaseManagerReleaseServiceRoleInvalid(serviceIdx, serviceAddress[serviceIdx], role);
+                }
+            }
         }
 
-        return expectedDomain;
+        // TODO no duplicate service "domain" role per release
+        // TODO no duplicate service roles per service
+        // TODO no duplicate service function roles per service
+        // TODO no duplicate service function selectors per service
     }
 
-    // TODO check if registry supports types specified in the config array
-    function _createRelease(IRegistryService.FunctionConfig[] memory config)
+    function _setServiceAuthorizations(
+        AccessManagerExtendedWithDisableInitializeable accessManager, // release access manager
+        address serviceAddress,
+        string memory serviceName,
+        RoleId[] memory serviceRoles,
+        string[] memory serviceRoleNames,
+        RoleId[] memory functionRoles,
+        string[] memory functionRoleNames,
+        bytes4[][] memory selectors
+    )
         internal
     {
-        VersionPart version = getNextVersion();
+        accessManager.createTarget(serviceAddress, serviceName);
+
+        for(uint idx = 0; idx < functionRoles.length; idx++)
+        {
+            uint64 roleInt = functionRoles[idx].toInt();
+
+            if(!accessManager.isRoleExists(roleInt)) {
+                accessManager.createRole(roleInt, functionRoleNames[idx]);
+            }
 
-        if(config.length == 0) {
-            revert ConfigMissing();
+            accessManager.setTargetFunctionRole(
+                serviceAddress, 
+                selectors[idx],
+                functionRoles[idx].toInt());
         }
-        // always in release
-        _release[version].domains.push(REGISTRY());
-        for(uint idx = 0; idx < config.length; idx++)
+    
+        for(uint idx = 0; idx < serviceRoles.length; idx++)
         {
-            ObjectType domain = config[idx].serviceDomain;
-            // not "registry service" / zero domain
-            if(
-                domain == REGISTRY() ||
-                domain.eqz()
-            ) { revert ConfigServiceDomainInvalid(idx, domain); } 
-
-            bytes4[] memory selectors = config[idx].authorizedSelectors;
-
-            // TODO can be zero -> e.g. duplicate domain, first with zero selector, second with non zero selector -> need to check _release[version].domains.contains(domain) instead
-            // no overwrite
-            if(_selectors[version][domain].length > 0) {
-                revert SelectorAlreadyExists(version, domain); 
+            uint64 roleInt = serviceRoles[idx].toInt();
+
+            if(!accessManager.isRoleExists(roleInt)) {
+                accessManager.createRole(roleInt, serviceRoleNames[idx]);
             }
-            
-            _selectors[version][domain] = selectors;
-            _release[version].domains.push(domain);
+
+            accessManager.grantRole(
+                serviceRoles[idx].toInt(),
+                serviceAddress, 
+                0);
+        }
+    }
+
+    // returns true iff a the address passes some simple proxy tests.
+    function _isRegistry(address registryAddress) internal view returns (bool) {
+
+        // zero address is certainly not registry
+        if (registryAddress == address(0)) {
+            return false;
+        }
+        // TODO try catch and return false in case of revert
+        // a just panic
+        // check if contract returns a zero nft id for its own address
+        if (IRegistry(registryAddress).getNftId(registryAddress).eqz()) {
+            return false;
         }
-        // TODO set when activated?
-        _release[version].createdAt = TimestampLib.blockTimestamp();
-        //_release[version].updatedAt = TimestampLib.blockTimestamp();
 
-        _awaitingRegistration = config.length;
+        return true;
     }
 }