npm - @etherisc/gif-next - Versions diffs - 0.0.2-e922e07-736 → 0.0.2-e9a637d-547 - Mend

@etherisc/gif-next 0.0.2-e922e07-736 → 0.0.2-e9a637d-547

Files changed (256) hide show

package/contracts/instance/InstanceService.sol CHANGED Viewed

@@ -2,53 +2,66 @@
 pragma solidity ^0.8.20;
 import {Clones} from "@openzeppelin/contracts/proxy/Clones.sol";
+import {ShortString, ShortStrings} from "@openzeppelin/contracts/utils/ShortStrings.sol";
-import {Instance} from "./Instance.sol";
-import {IInstance} from "./IInstance.sol";
-import {InstanceAccessManager} from "./InstanceAccessManager.sol";
-import {IInstanceService} from "./IInstanceService.sol";
-import {InstanceReader} from "./InstanceReader.sol";
-import {BundleManager} from "./BundleManager.sol";
-import {IRegistry} from "../registry/IRegistry.sol";
-import {IRegistryService} from "../registry/IRegistryService.sol";
-import {ChainNft} from "../registry/ChainNft.sol";
-import {Service} from "../../contracts/shared/Service.sol";
-import {IService} from "../shared/IService.sol";
 import {NftId} from "../../contracts/types/NftId.sol";
 import {RoleId} from "../types/RoleId.sol";
-import {ADMIN_ROLE, DISTRIBUTION_OWNER_ROLE, POOL_OWNER_ROLE, PRODUCT_OWNER_ROLE, PUBLIC_ROLE, INSTANCE_SERVICE_ROLE, DISTRIBUTION_SERVICE_ROLE, POOL_SERVICE_ROLE, PRODUCT_SERVICE_ROLE, APPLICATION_SERVICE_ROLE, POLICY_SERVICE_ROLE, CLAIM_SERVICE_ROLE, BUNDLE_SERVICE_ROLE} from "../types/RoleId.sol";
+import {ADMIN_ROLE, INSTANCE_OWNER_ROLE, DISTRIBUTION_OWNER_ROLE, POOL_OWNER_ROLE, PRODUCT_OWNER_ROLE, INSTANCE_SERVICE_ROLE, DISTRIBUTION_SERVICE_ROLE, POOL_SERVICE_ROLE, PRODUCT_SERVICE_ROLE, APPLICATION_SERVICE_ROLE, POLICY_SERVICE_ROLE, CLAIM_SERVICE_ROLE, BUNDLE_SERVICE_ROLE, INSTANCE_ROLE} from "../types/RoleId.sol";
 import {ObjectType, INSTANCE, BUNDLE, APPLICATION, POLICY, CLAIM, PRODUCT, DISTRIBUTION, REGISTRY, POOL} from "../types/ObjectType.sol";
+import {Service} from "../shared/Service.sol";
+import {IService} from "../shared/IService.sol";
 import {IDistributionComponent} from "../components/IDistributionComponent.sol";
 import {IPoolComponent} from "../components/IPoolComponent.sol";
 import {IProductComponent} from "../components/IProductComponent.sol";
+import {IRegistry} from "../registry/IRegistry.sol";
+import {IRegistryService} from "../registry/IRegistryService.sol";
+import {ChainNft} from "../registry/ChainNft.sol";
+import {Instance} from "./Instance.sol";
+import {IInstance} from "./IInstance.sol";
+import {InstanceAccessManager} from "./InstanceAccessManager.sol";
+import {IInstanceService} from "./IInstanceService.sol";
+import {InstanceReader} from "./InstanceReader.sol";
+import {BundleManager} from "./BundleManager.sol";
+import {AccessManagerUpgradeableInitializeable} from "./AccessManagerUpgradeableInitializeable.sol";
+import {InstanceStore} from "./InstanceStore.sol";
 contract InstanceService is
     Service,
     IInstanceService
 {
+    address internal _masterOzAccessManager;
     address internal _masterInstanceAccessManager;
     address internal _masterInstance;
     address internal _masterInstanceReader;
     address internal _masterInstanceBundleManager;
+    address internal _masterInstanceStore;
     // TODO update to real hash when instance is stable
     bytes32 public constant INSTANCE_CREATION_CODE_HASH = bytes32(0);
-    modifier onlyInstanceOwner(NftId instanceNftId) {
-        IRegistry registry = getRegistry();
-        ChainNft chainNft = ChainNft(registry.getChainNftAddress());
-        if( msg.sender != chainNft.ownerOf(instanceNftId.toInt())) {
-            revert ErrorInstanceServiceNotInstanceOwner(msg.sender, instanceNftId);
+    modifier onlyInstanceOwner(NftId instanceNftId) {
+        if(msg.sender != getRegistry().ownerOf(instanceNftId)) {
+            revert ErrorInstanceServiceRequestUnauhorized(msg.sender);
         }
         _;
     }
+    // TODO check service domain?
+    // TODO check release version?
     modifier onlyRegisteredService() {
-        address caller = msg.sender;
-        if (! getRegistry().isRegisteredService(caller)) {
-            revert ErrorInstanceServiceRequestUnauhorized(caller);
+        if (! getRegistry().isRegisteredService(msg.sender)) {
+            revert ErrorInstanceServiceRequestUnauhorized(msg.sender);
+        }
+        _;
+    }
+    // TODO check release version?
+    modifier onlyComponent() {
+        if (! getRegistry().isRegisteredComponent(msg.sender)) {
+            revert ErrorInstanceServiceRequestUnauhorized(msg.sender);
         }
         _;
     }
@@ -56,189 +69,226 @@ contract InstanceService is
     function createInstanceClone()
         external
         returns (
-            InstanceAccessManager clonedAccessManager,
+            AccessManagerUpgradeableInitializeable clonedOzAccessManager,
+            InstanceAccessManager clonedInstanceAccessManager,
             Instance clonedInstance,
             NftId clonedInstanceNftId,
             InstanceReader clonedInstanceReader,
-            BundleManager clonedBundleManager
+            BundleManager clonedBundleManager,
+            InstanceStore clonedInstanceStore
         )
     {
         address instanceOwner = msg.sender;
         IRegistry registry = getRegistry();
-        address registryAddress = address(registry);
-        NftId registryNftId = registry.getNftId(registryAddress);
-        address registryServiceAddress = registry.getServiceAddress(REGISTRY(), getMajorVersion());
-        IRegistryService registryService = IRegistryService(registryServiceAddress);
+        NftId registryNftId = registry.getNftId(address(registry));
+        IRegistryService registryService = IRegistryService(
+            registry.getServiceAddress(REGISTRY(), getVersion().toMajorPart())
+        );
+        clonedOzAccessManager = AccessManagerUpgradeableInitializeable(Clones.clone(_masterOzAccessManager));
-        // initially set the authority of the access managar to this (being the instance service).
-        // This will allow the instance service to bootstrap the authorizations of the instance
-        // and then transfer the ownership of the access manager to the instance owner once everything is setup
-        clonedAccessManager = InstanceAccessManager(Clones.clone(_masterInstanceAccessManager));
-        clonedAccessManager.initialize(address(this));
+        // initially grants ADMIN_ROLE to this (being the instance service).
+        // This will allow the instance service to bootstrap the authorizations of the instance.
+        // Instance service will not use oz access manager directlly but through instance access manager instead
+        // Instance service will renounce ADMIN_ROLE when bootstraping is finished
+        clonedOzAccessManager.initialize(address(this));
         clonedInstance = Instance(Clones.clone(_masterInstance));
-        clonedInstance.initialize(address(clonedAccessManager), registryAddress, registryNftId, msg.sender);
+        clonedInstance.initialize(
+            address(clonedOzAccessManager),
+            address(registry),
+            instanceOwner);
+        // initialize and set before instance reader
+        clonedInstanceStore = InstanceStore(Clones.clone(address(_masterInstanceStore)));
+        clonedInstanceStore.initialize(address(clonedInstance));
+        clonedInstance.setInstanceStore(clonedInstanceStore);
         clonedInstanceReader = InstanceReader(Clones.clone(address(_masterInstanceReader)));
-        clonedInstanceReader.initialize(registryAddress, address(clonedInstance));
+        clonedInstanceReader.initialize(address(clonedInstance));
         clonedInstance.setInstanceReader(clonedInstanceReader);
         clonedBundleManager = BundleManager(Clones.clone(_masterInstanceBundleManager));
-        clonedBundleManager.initialize(address(clonedAccessManager), registryAddress, address(clonedInstance));
+        clonedBundleManager.initialize(address(clonedInstance));
         clonedInstance.setBundleManager(clonedBundleManager);
+        clonedInstanceAccessManager = InstanceAccessManager(Clones.clone(_masterInstanceAccessManager));
+        clonedOzAccessManager.grantRole(ADMIN_ROLE().toInt(), address(clonedInstanceAccessManager), 0);
+        clonedInstanceAccessManager.initialize(address(clonedInstance));
+        clonedInstance.setInstanceAccessManager(clonedInstanceAccessManager);
         // TODO amend setters with instance specific , policy manager ...
-        _grantInitialAuthorizations(clonedAccessManager, clonedInstance, clonedBundleManager);
+        _grantInitialAuthorizations(clonedInstanceAccessManager, clonedInstance, clonedBundleManager, clonedInstanceStore, instanceOwner);
-        // to complete setup switch instance ownership to the instance owner
-        // TODO: use a role less powerful than admin, maybe INSTANCE_ADMIN (does not exist yet)
-        clonedAccessManager.grantRole(ADMIN_ROLE(), instanceOwner);
-        clonedAccessManager.revokeRole(ADMIN_ROLE(), address(this));
+        clonedOzAccessManager.renounceRole(ADMIN_ROLE().toInt(), address(this));
         IRegistry.ObjectInfo memory info = registryService.registerInstance(clonedInstance, instanceOwner);
         clonedInstanceNftId = info.nftId;
-        // clonedInstance.linkToRegisteredNftId();
-        emit LogInstanceCloned(address(clonedAccessManager), address(clonedInstance), address(clonedInstanceReader), clonedInstanceNftId);
+        emit LogInstanceCloned(
+            address(clonedOzAccessManager),
+            address(clonedInstanceAccessManager),
+            address(clonedInstance),
+            address(clonedInstanceStore),
+            address(clonedBundleManager),
+            address(clonedInstanceReader),
+            clonedInstanceNftId);
     }
-    function _grantInitialAuthorizations(InstanceAccessManager clonedAccessManager, Instance clonedInstance, BundleManager clonedBundleManager) internal {
-        _createGifRoles(clonedAccessManager);
-        _createGifTargets(clonedAccessManager, clonedInstance, clonedBundleManager);
-        _grantDistributionServiceAuthorizations(clonedAccessManager, clonedInstance);
-        _grantPoolServiceAuthorizations(clonedAccessManager, clonedInstance);
-        _grantProductServiceAuthorizations(clonedAccessManager, clonedInstance);
-        _grantApplicationServiceAuthorizations(clonedAccessManager, clonedInstance);
-        _grantPolicyServiceAuthorizations(clonedAccessManager, clonedInstance);
-        _grantClaimServiceAuthorizations(clonedAccessManager, clonedInstance);
-        _grantBundleServiceAuthorizations(clonedAccessManager, clonedInstance, clonedBundleManager);
+    function _grantInitialAuthorizations(
+        InstanceAccessManager clonedAccessManager,
+        Instance clonedInstance,
+        BundleManager clonedBundleManager,
+        InstanceStore clonedInstanceStore,
+        address instanceOwner)
+            internal
+    {
+        _createCoreAndGifRoles(clonedAccessManager);
+        _createCoreTargets(clonedAccessManager, clonedInstance, clonedBundleManager, clonedInstanceStore);
+        _grantDistributionServiceAuthorizations(clonedAccessManager, clonedInstanceStore);
+        _grantPoolServiceAuthorizations(clonedAccessManager, clonedInstanceStore);
+        _grantProductServiceAuthorizations(clonedAccessManager, clonedInstanceStore);
+        _grantApplicationServiceAuthorizations(clonedAccessManager, clonedInstanceStore);
+        _grantPolicyServiceAuthorizations(clonedAccessManager, clonedInstanceStore);
+        _grantClaimServiceAuthorizations(clonedAccessManager, clonedInstanceStore);
+        _grantBundleServiceAuthorizations(clonedAccessManager, clonedInstanceStore, clonedBundleManager);
         _grantInstanceServiceAuthorizations(clonedAccessManager, clonedInstance);
+        _grantInstanceAuthorizations(clonedAccessManager);
+        _grantInstanceOwnerAuthorizations(clonedAccessManager, clonedInstance);
     }
-    function _createGifRoles(InstanceAccessManager clonedAccessManager) internal {
-        clonedAccessManager.createGifRole(DISTRIBUTION_OWNER_ROLE(), "DistributionOwnerRole");
-        clonedAccessManager.createGifRole(POOL_OWNER_ROLE(), "PoolOwnerRole");
-        clonedAccessManager.createGifRole(PRODUCT_OWNER_ROLE(), "ProductOwnerRole");
-        clonedAccessManager.createGifRole(DISTRIBUTION_SERVICE_ROLE(), "DistributionServiceRole");
-        clonedAccessManager.createGifRole(POOL_SERVICE_ROLE(), "PoolServiceRole");
-        clonedAccessManager.createGifRole(PRODUCT_SERVICE_ROLE(), "ProductServiceRole");
-        clonedAccessManager.createGifRole(APPLICATION_SERVICE_ROLE(), "ApplicationServiceRole");
-        clonedAccessManager.createGifRole(POLICY_SERVICE_ROLE(), "PolicyServiceRole");
-        clonedAccessManager.createGifRole(CLAIM_SERVICE_ROLE(), "ClaimServiceRole");
-        clonedAccessManager.createGifRole(BUNDLE_SERVICE_ROLE(), "BundleServiceRole");
-        clonedAccessManager.createGifRole(INSTANCE_SERVICE_ROLE(), "InstanceServiceRole");
+    function _createCoreAndGifRoles(InstanceAccessManager clonedAccessManager) internal {
+        // default roles controlled by ADMIN_ROLE -> core roles
+        // all set/granted only once during cloning (the only exception is INSTANCE_OWNER_ROLE, hooked to instance nft)
+        clonedAccessManager.createCoreRole(INSTANCE_SERVICE_ROLE(), "InstanceServiceRole");
+        clonedAccessManager.createCoreRole(DISTRIBUTION_SERVICE_ROLE(), "DistributionServiceRole");
+        clonedAccessManager.createCoreRole(POOL_SERVICE_ROLE(), "PoolServiceRole");
+        clonedAccessManager.createCoreRole(APPLICATION_SERVICE_ROLE(), "ApplicationServiceRole");
+        clonedAccessManager.createCoreRole(PRODUCT_SERVICE_ROLE(), "ProductServiceRole");
+        clonedAccessManager.createCoreRole(CLAIM_SERVICE_ROLE(), "ClaimServiceRole");
+        clonedAccessManager.createCoreRole(POLICY_SERVICE_ROLE(), "PolicyServiceRole");
+        clonedAccessManager.createCoreRole(BUNDLE_SERVICE_ROLE(), "BundleServiceRole");
+        // default roles controlled by INSTANCE_OWNER_ROLE -> gif roles
+        clonedAccessManager.createGifRole(DISTRIBUTION_OWNER_ROLE(), "DistributionOwnerRole", INSTANCE_OWNER_ROLE());
+        clonedAccessManager.createGifRole(POOL_OWNER_ROLE(), "PoolOwnerRole", INSTANCE_OWNER_ROLE());
+        clonedAccessManager.createGifRole(PRODUCT_OWNER_ROLE(), "ProductOwnerRole", INSTANCE_OWNER_ROLE());
     }
-    function _createGifTargets(InstanceAccessManager clonedAccessManager, Instance clonedInstance, BundleManager clonedBundleManager) internal {
-        clonedAccessManager.createGifTarget(address(clonedAccessManager), "InstanceAccessManager");
-        clonedAccessManager.createGifTarget(address(clonedInstance), "Instance");
-        clonedAccessManager.createGifTarget(address(clonedBundleManager), "BundleManager");
-    }
+    function _createCoreTargets(
+        InstanceAccessManager clonedAccessManager,
+        Instance clonedInstance,
+        BundleManager clonedBundleManager,
+        InstanceStore clonedInstanceStore)
+        internal
+    {
+        clonedAccessManager.createCoreTarget(address(clonedAccessManager), "InstanceAccessManager");// TODO create in instance access manager initializer?
+        clonedAccessManager.createCoreTarget(address(clonedInstance), "Instance");// TODO create in instance access manager initializer?
+        clonedAccessManager.createCoreTarget(address(clonedBundleManager), "BundleManager");
+        clonedAccessManager.createCoreTarget(address(clonedInstanceStore), "InstanceStore");
+    }
-    function _grantDistributionServiceAuthorizations(InstanceAccessManager clonedAccessManager, Instance clonedInstance) internal {
+    function _grantDistributionServiceAuthorizations(InstanceAccessManager clonedAccessManager, InstanceStore clonedInstanceStore) internal {
         // configure authorization for distribution service on instance
-        IRegistry registry = getRegistry();
-        address distributionServiceAddress = registry.getServiceAddress(DISTRIBUTION(), getMajorVersion());
+        address distributionServiceAddress = getRegistry().getServiceAddress(DISTRIBUTION(), getVersion().toMajorPart());
         clonedAccessManager.grantRole(DISTRIBUTION_SERVICE_ROLE(), distributionServiceAddress);
         bytes4[] memory instanceDistributionServiceSelectors = new bytes4[](11);
-        instanceDistributionServiceSelectors[0] = clonedInstance.createDistributionSetup.selector;
-        instanceDistributionServiceSelectors[1] = clonedInstance.updateDistributionSetup.selector;
-        instanceDistributionServiceSelectors[2] = clonedInstance.createDistributorType.selector;
-        instanceDistributionServiceSelectors[3] = clonedInstance.updateDistributorType.selector;
-        instanceDistributionServiceSelectors[4] = clonedInstance.updateDistributorTypeState.selector;
-        instanceDistributionServiceSelectors[5] = clonedInstance.createDistributor.selector;
-        instanceDistributionServiceSelectors[6] = clonedInstance.updateDistributor.selector;
-        instanceDistributionServiceSelectors[7] = clonedInstance.updateDistributorState.selector;
-        instanceDistributionServiceSelectors[8] = clonedInstance.createReferral.selector;
-        instanceDistributionServiceSelectors[9] = clonedInstance.updateReferral.selector;
-        instanceDistributionServiceSelectors[10] = clonedInstance.updateReferralState.selector;
-        clonedAccessManager.setTargetFunctionRole(
-            "Instance",
+        instanceDistributionServiceSelectors[0] = clonedInstanceStore.createDistributionSetup.selector;
+        instanceDistributionServiceSelectors[1] = clonedInstanceStore.updateDistributionSetup.selector;
+        instanceDistributionServiceSelectors[2] = clonedInstanceStore.createDistributorType.selector;
+        instanceDistributionServiceSelectors[3] = clonedInstanceStore.updateDistributorType.selector;
+        instanceDistributionServiceSelectors[4] = clonedInstanceStore.updateDistributorTypeState.selector;
+        instanceDistributionServiceSelectors[5] = clonedInstanceStore.createDistributor.selector;
+        instanceDistributionServiceSelectors[6] = clonedInstanceStore.updateDistributor.selector;
+        instanceDistributionServiceSelectors[7] = clonedInstanceStore.updateDistributorState.selector;
+        instanceDistributionServiceSelectors[8] = clonedInstanceStore.createReferral.selector;
+        instanceDistributionServiceSelectors[9] = clonedInstanceStore.updateReferral.selector;
+        instanceDistributionServiceSelectors[10] = clonedInstanceStore.updateReferralState.selector;
+        clonedAccessManager.setCoreTargetFunctionRole(
+            "InstanceStore",
             instanceDistributionServiceSelectors,
             DISTRIBUTION_SERVICE_ROLE());
     }
-    function _grantPoolServiceAuthorizations(InstanceAccessManager clonedAccessManager, Instance clonedInstance) internal {
+    function _grantPoolServiceAuthorizations(InstanceAccessManager clonedAccessManager, InstanceStore clonedInstanceStore) internal {
         // configure authorization for pool service on instance
-        address poolServiceAddress = getRegistry().getServiceAddress(POOL(), getMajorVersion());
+        address poolServiceAddress = getRegistry().getServiceAddress(POOL(), getVersion().toMajorPart());
         clonedAccessManager.grantRole(POOL_SERVICE_ROLE(), address(poolServiceAddress));
         bytes4[] memory instancePoolServiceSelectors = new bytes4[](4);
-        instancePoolServiceSelectors[0] = clonedInstance.createPoolSetup.selector;
-        instancePoolServiceSelectors[1] = clonedInstance.updatePoolSetup.selector;
-        clonedAccessManager.setTargetFunctionRole(
-            "Instance",
+        instancePoolServiceSelectors[0] = clonedInstanceStore.createPoolSetup.selector;
+        instancePoolServiceSelectors[1] = clonedInstanceStore.updatePoolSetup.selector;
+        clonedAccessManager.setCoreTargetFunctionRole(
+            "InstanceStore",
             instancePoolServiceSelectors,
             POOL_SERVICE_ROLE());
     }
-    function _grantProductServiceAuthorizations(InstanceAccessManager clonedAccessManager, Instance clonedInstance) internal {
+    function _grantProductServiceAuthorizations(InstanceAccessManager clonedAccessManager, InstanceStore clonedInstanceStore) internal {
         // configure authorization for product service on instance
-        address productServiceAddress = getRegistry().getServiceAddress(PRODUCT(), getMajorVersion());
+        address productServiceAddress = getRegistry().getServiceAddress(PRODUCT(), getVersion().toMajorPart());
         clonedAccessManager.grantRole(PRODUCT_SERVICE_ROLE(), address(productServiceAddress));
         bytes4[] memory instanceProductServiceSelectors = new bytes4[](5);
-        instanceProductServiceSelectors[0] = clonedInstance.createProductSetup.selector;
-        instanceProductServiceSelectors[1] = clonedInstance.updateProductSetup.selector;
-        instanceProductServiceSelectors[2] = clonedInstance.createRisk.selector;
-        instanceProductServiceSelectors[3] = clonedInstance.updateRisk.selector;
-        instanceProductServiceSelectors[4] = clonedInstance.updateRiskState.selector;
-        clonedAccessManager.setTargetFunctionRole(
-            "Instance",
+        instanceProductServiceSelectors[0] = clonedInstanceStore.createProductSetup.selector;
+        instanceProductServiceSelectors[1] = clonedInstanceStore.updateProductSetup.selector;
+        instanceProductServiceSelectors[2] = clonedInstanceStore.createRisk.selector;
+        instanceProductServiceSelectors[3] = clonedInstanceStore.updateRisk.selector;
+        instanceProductServiceSelectors[4] = clonedInstanceStore.updateRiskState.selector;
+        clonedAccessManager.setCoreTargetFunctionRole(
+            "InstanceStore",
             instanceProductServiceSelectors,
             PRODUCT_SERVICE_ROLE());
     }
-    function _grantApplicationServiceAuthorizations(InstanceAccessManager clonedAccessManager, Instance clonedInstance) internal {
+    function _grantApplicationServiceAuthorizations(InstanceAccessManager clonedAccessManager, InstanceStore clonedInstanceStore) internal {
         // configure authorization for application services on instance
-        address applicationServiceAddress = getRegistry().getServiceAddress(APPLICATION(), getMajorVersion());
+        address applicationServiceAddress = getRegistry().getServiceAddress(APPLICATION(), getVersion().toMajorPart());
         clonedAccessManager.grantRole(APPLICATION_SERVICE_ROLE(), applicationServiceAddress);
         bytes4[] memory instanceApplicationServiceSelectors = new bytes4[](3);
-        instanceApplicationServiceSelectors[0] = clonedInstance.createApplication.selector;
-        instanceApplicationServiceSelectors[1] = clonedInstance.updateApplication.selector;
-        instanceApplicationServiceSelectors[2] = clonedInstance.updateApplicationState.selector;
-        clonedAccessManager.setTargetFunctionRole(
-            "Instance",
+        instanceApplicationServiceSelectors[0] = clonedInstanceStore.createApplication.selector;
+        instanceApplicationServiceSelectors[1] = clonedInstanceStore.updateApplication.selector;
+        instanceApplicationServiceSelectors[2] = clonedInstanceStore.updateApplicationState.selector;
+        clonedAccessManager.setCoreTargetFunctionRole(
+            "InstanceStore",
             instanceApplicationServiceSelectors,
             APPLICATION_SERVICE_ROLE());
     }
-    function _grantPolicyServiceAuthorizations(InstanceAccessManager clonedAccessManager, Instance clonedInstance) internal {
+    function _grantPolicyServiceAuthorizations(InstanceAccessManager clonedAccessManager, InstanceStore clonedInstanceStore) internal {
         // configure authorization for policy services on instance
-        address policyServiceAddress = getRegistry().getServiceAddress(POLICY(), getMajorVersion());
+        address policyServiceAddress = getRegistry().getServiceAddress(POLICY(), getVersion().toMajorPart());
         clonedAccessManager.grantRole(POLICY_SERVICE_ROLE(), policyServiceAddress);
         bytes4[] memory instancePolicyServiceSelectors = new bytes4[](2);
-        instancePolicyServiceSelectors[0] = clonedInstance.updatePolicy.selector;
-        instancePolicyServiceSelectors[1] = clonedInstance.updatePolicyState.selector;
-        clonedAccessManager.setTargetFunctionRole(
-            "Instance",
+        instancePolicyServiceSelectors[0] = clonedInstanceStore.updatePolicy.selector;
+        instancePolicyServiceSelectors[1] = clonedInstanceStore.updatePolicyState.selector;
+        clonedAccessManager.setCoreTargetFunctionRole(
+            "InstanceStore",
             instancePolicyServiceSelectors,
             POLICY_SERVICE_ROLE());
     }
-    function _grantClaimServiceAuthorizations(InstanceAccessManager clonedAccessManager, Instance clonedInstance) internal {
+    function _grantClaimServiceAuthorizations(InstanceAccessManager clonedAccessManager, InstanceStore clonedInstanceStore) internal {
         // configure authorization for claim/payout services on instance
-        address claimServiceAddress = getRegistry().getServiceAddress(CLAIM(), getMajorVersion());
+        address claimServiceAddress = getRegistry().getServiceAddress(CLAIM(), getVersion().toMajorPart());
         clonedAccessManager.grantRole(POLICY_SERVICE_ROLE(), claimServiceAddress);
         // TODO add claims function authz
         bytes4[] memory instanceClaimServiceSelectors = new bytes4[](0);
-        // instanceClaimServiceSelectors[0] = clonedInstance.updatePolicy.selector;
-        // instanceClaimServiceSelectors[1] = clonedInstance.updatePolicyState.selector;
-        clonedAccessManager.setTargetFunctionRole(
-            "Instance",
+        // instanceClaimServiceSelectors[0] = clonedInstanceStore.updatePolicy.selector;
+        // instanceClaimServiceSelectors[1] = clonedInstanceStore.updatePolicyState.selector;
+        clonedAccessManager.setCoreTargetFunctionRole(
+            "InstanceStore",
             instanceClaimServiceSelectors,
             CLAIM_SERVICE_ROLE());
     }
-    function _grantBundleServiceAuthorizations(InstanceAccessManager clonedAccessManager, Instance clonedInstance, BundleManager clonedBundleManager) internal {
+    function _grantBundleServiceAuthorizations(InstanceAccessManager clonedAccessManager, InstanceStore clonedInstanceStore, BundleManager clonedBundleManager) internal {
         // configure authorization for bundle service on instance
-        address bundleServiceAddress = getRegistry().getServiceAddress(BUNDLE(), getMajorVersion());
+        address bundleServiceAddress = getRegistry().getServiceAddress(BUNDLE(), getVersion().toMajorPart());
         clonedAccessManager.grantRole(BUNDLE_SERVICE_ROLE(), address(bundleServiceAddress));
-        bytes4[] memory instanceBundleServiceSelectors = new bytes4[](2);
-        instanceBundleServiceSelectors[0] = clonedInstance.createBundle.selector;
-        instanceBundleServiceSelectors[1] = clonedInstance.updateBundle.selector;
-        clonedAccessManager.setTargetFunctionRole(
-            "Instance",
+        bytes4[] memory instanceBundleServiceSelectors = new bytes4[](3);
+        instanceBundleServiceSelectors[0] = clonedInstanceStore.createBundle.selector;
+        instanceBundleServiceSelectors[1] = clonedInstanceStore.updateBundle.selector;
+        instanceBundleServiceSelectors[2] = clonedInstanceStore.updateBundleState.selector;
+        clonedAccessManager.setCoreTargetFunctionRole(
+            "InstanceStore",
             instanceBundleServiceSelectors,
             BUNDLE_SERVICE_ROLE());
@@ -249,69 +299,107 @@ contract InstanceService is
         bundleManagerBundleServiceSelectors[2] = clonedBundleManager.add.selector;
         bundleManagerBundleServiceSelectors[3] = clonedBundleManager.lock.selector;
         bundleManagerBundleServiceSelectors[4] = clonedBundleManager.unlock.selector;
-        clonedAccessManager.setTargetFunctionRole(
+        clonedAccessManager.setCoreTargetFunctionRole(
             "BundleManager",
             bundleManagerBundleServiceSelectors,
             BUNDLE_SERVICE_ROLE());
     }
     function _grantInstanceServiceAuthorizations(InstanceAccessManager clonedAccessManager, Instance clonedInstance) internal {
-// configure authorization for instance service on instance
-        address instanceServiceAddress = getRegistry().getServiceAddress(INSTANCE(), getMajorVersion());
+        // configure authorization for instance service on instance
+        address instanceServiceAddress = getRegistry().getServiceAddress(INSTANCE(), getVersion().toMajorPart());
         clonedAccessManager.grantRole(INSTANCE_SERVICE_ROLE(), instanceServiceAddress);
         bytes4[] memory instanceInstanceServiceSelectors = new bytes4[](1);
         instanceInstanceServiceSelectors[0] = clonedInstance.setInstanceReader.selector;
-        clonedAccessManager.setTargetFunctionRole(
+        clonedAccessManager.setCoreTargetFunctionRole(
             "Instance",
             instanceInstanceServiceSelectors,
             INSTANCE_SERVICE_ROLE());
-        bytes4[] memory instanceAccessManagerInstanceServiceSelectors = new bytes4[](1);
-        instanceAccessManagerInstanceServiceSelectors[0] = clonedAccessManager.createGifTarget.selector;
-        clonedAccessManager.setTargetFunctionRole(
+        // configure authorizations for instance service on instance access manager
+        bytes4[] memory accessManagerInstanceServiceSelectors = new bytes4[](3);
+        accessManagerInstanceServiceSelectors[0] = clonedAccessManager.createGifTarget.selector;
+        accessManagerInstanceServiceSelectors[1] = clonedAccessManager.setTargetLockedByService.selector;
+        accessManagerInstanceServiceSelectors[2] = clonedAccessManager.setCoreTargetFunctionRole.selector;
+        clonedAccessManager.setCoreTargetFunctionRole(
             "InstanceAccessManager",
-            instanceAccessManagerInstanceServiceSelectors,
+            accessManagerInstanceServiceSelectors,
             INSTANCE_SERVICE_ROLE());
     }
-    function setAndRegisterMasterInstance(address instanceAddress)
+    function _grantInstanceAuthorizations(InstanceAccessManager clonedAccessManager) internal {
+        bytes4[] memory accessManagerInstanceSelectors = new bytes4[](4);
+        accessManagerInstanceSelectors[0] = clonedAccessManager.createRole.selector;
+        accessManagerInstanceSelectors[1] = clonedAccessManager.createTarget.selector;
+        accessManagerInstanceSelectors[2] = clonedAccessManager.setTargetFunctionRole.selector;
+        accessManagerInstanceSelectors[3] = clonedAccessManager.setTargetLockedByInstance.selector;
+        clonedAccessManager.setCoreTargetFunctionRole(
+            "InstanceAccessManager",
+            accessManagerInstanceSelectors,
+            INSTANCE_ROLE());
+    }
+    function _grantInstanceOwnerAuthorizations(InstanceAccessManager clonedAccessManager, Instance clonedInstance) internal {
+        // configure authorization for instance owner on instance access manager
+        // instance owner role is granted/revoked ONLY by INSTANCE_ROLE
+        bytes4[] memory instanceInstanceOwnerSelectors = new bytes4[](4);
+        instanceInstanceOwnerSelectors[0] = clonedInstance.createRole.selector;
+        instanceInstanceOwnerSelectors[1] = clonedInstance.createTarget.selector;
+        instanceInstanceOwnerSelectors[2] = clonedInstance.setTargetFunctionRole.selector;
+        instanceInstanceOwnerSelectors[3] = clonedInstance.setTargetLocked.selector;
+        clonedAccessManager.setCoreTargetFunctionRole(
+            "Instance",
+            instanceInstanceOwnerSelectors,
+            INSTANCE_OWNER_ROLE());
+    }
+    function setAndRegisterMasterInstance(address instanceAddress)
             external
             onlyOwner
             returns(NftId masterInstanceNftId)
     {
         if(_masterInstance != address(0)) { revert ErrorInstanceServiceMasterInstanceAlreadySet(); }
+        if(_masterOzAccessManager != address(0)) { revert ErrorInstanceServiceMasterOzAccessManagerAlreadySet(); }
         if(_masterInstanceAccessManager != address(0)) { revert ErrorInstanceServiceMasterInstanceAccessManagerAlreadySet(); }
         if(_masterInstanceBundleManager != address(0)) { revert ErrorInstanceServiceMasterBundleManagerAlreadySet(); }
         if(instanceAddress == address(0)) { revert ErrorInstanceServiceInstanceAddressZero(); }
         IInstance instance = IInstance(instanceAddress);
-        InstanceAccessManager accessManager = InstanceAccessManager(instance.authority());
-        address accessManagerAddress = address(accessManager);
+        AccessManagerUpgradeableInitializeable ozAccessManager = AccessManagerUpgradeableInitializeable(instance.authority());
+        address ozAccessManagerAddress = address(ozAccessManager);
+        InstanceAccessManager instanceAccessManager = instance.getInstanceAccessManager();
+        address instanceAccessManagerAddress = address(instanceAccessManager);
         InstanceReader instanceReader = instance.getInstanceReader();
         address instanceReaderAddress = address(instanceReader);
         BundleManager bundleManager = instance.getBundleManager();
         address bundleManagerAddress = address(bundleManager);
+        InstanceStore instanceStore = instance.getInstanceStore();
+        address instanceStoreAddress = address(instanceStore);
-        if(accessManagerAddress == address(0)) { revert ErrorInstanceServiceAccessManagerZero(); }
+        if(ozAccessManagerAddress == address(0)) { revert ErrorInstanceServiceOzAccessManagerZero();}
+        if(instanceAccessManagerAddress == address(0)) { revert ErrorInstanceServiceInstanceAccessManagerZero(); }
         if(instanceReaderAddress == address(0)) { revert ErrorInstanceServiceInstanceReaderZero(); }
         if(bundleManagerAddress == address(0)) { revert ErrorInstanceServiceBundleManagerZero(); }
+        if(instanceStoreAddress == address(0)) { revert ErrorInstanceServiceInstanceStoreZero(); }
-        if(instance.authority() != accessManagerAddress) { revert ErrorInstanceServiceInstanceAuthorityMismatch(); }
+        if(instance.authority() != instanceAccessManager.authority()) { revert ErrorInstanceServiceInstanceAuthorityMismatch(); }
+        if(bundleManager.authority() != instanceAccessManager.authority()) { revert ErrorInstanceServiceBundleManagerAuthorityMismatch(); }
+        if(instanceStore.authority() != instanceAccessManager.authority()) { revert ErrorInstanceServiceInstanceStoreAuthorityMismatch(); }
         if(instanceReader.getInstance() != instance) { revert ErrorInstanceServiceInstanceReaderInstanceMismatch2(); }
         if(bundleManager.getInstance() != instance) { revert ErrorInstanceServiceBundleMangerInstanceMismatch(); }
-        _masterInstanceAccessManager = accessManagerAddress;
+        _masterOzAccessManager = ozAccessManagerAddress;
+        _masterInstanceAccessManager = instanceAccessManagerAddress;
         _masterInstance = instanceAddress;
         _masterInstanceReader = instanceReaderAddress;
         _masterInstanceBundleManager = bundleManagerAddress;
+        _masterInstanceStore = instanceStoreAddress;
-        IRegistryService registryService = IRegistryService(getRegistry().getServiceAddress(REGISTRY(), getMajorVersion()));
+        IRegistryService registryService = IRegistryService(getRegistry().getServiceAddress(REGISTRY(), getVersion().toMajorPart()));
         IInstance masterInstance = IInstance(_masterInstance);
         IRegistry.ObjectInfo memory info = registryService.registerInstance(masterInstance, getOwner());
         masterInstanceNftId = info.nftId;
-        // masterInstance.linkToRegisteredNftId();
     }
     function setMasterInstanceReader(address instanceReaderAddress) external onlyOwner {
@@ -325,19 +413,16 @@ contract InstanceService is
         _masterInstanceReader = instanceReaderAddress;
     }
-    // TODO access restriction
-    function upgradeInstanceReader(NftId instanceNftId) external {
+    function upgradeInstanceReader(NftId instanceNftId)
+        external
+        onlyInstanceOwner(instanceNftId)
+    {
         IRegistry registry = getRegistry();
         IRegistry.ObjectInfo memory instanceInfo = registry.getObjectInfo(instanceNftId);
         Instance instance = Instance(instanceInfo.objectAddress);
-        address owner = instance.getOwner();
-        if (msg.sender != owner) {
-            revert ErrorInstanceServiceRequestUnauhorized(msg.sender);
-        }
         InstanceReader upgradedInstanceReaderClone = InstanceReader(Clones.clone(address(_masterInstanceReader)));
-        upgradedInstanceReaderClone.initialize(address(registry), address(instance));
+        upgradedInstanceReaderClone.initialize(address(instance));
         instance.setInstanceReader(upgradedInstanceReaderClone);
     }
@@ -358,7 +443,7 @@ contract InstanceService is
     }
     // From IService
-    function getDomain() public pure override(Service, IService) returns(ObjectType) {
+    function getDomain() public pure override returns(ObjectType) {
         return INSTANCE();
     }
@@ -376,114 +461,70 @@ contract InstanceService is
         (registryAddress, initialOwner) = abi.decode(data, (address, address));
         // TODO while InstanceService is not deployed in InstanceServiceManager constructor
         //      owner is InstanceServiceManager deployer
-        initializeService(registryAddress, owner);
+        initializeService(registryAddress, address(0), owner);
         registerInterface(type(IInstanceService).interfaceId);
     }
-    function hasRole(address account, RoleId role, address instanceAddress) public view returns (bool) {
-        Instance instance = Instance(instanceAddress);
-        InstanceAccessManager accessManager = InstanceAccessManager(instance.authority());
-        return accessManager.hasRole(role, account);
-    }
+    // all gif targets MUST be childs of instanceNftId
+    function createGifTarget(
+        NftId instanceNftId,
+        address targetAddress,
+        string memory targetName,
+        bytes4[][] memory selectors,
+        RoleId[] memory roles
+    )
+        external
+        onlyRegisteredService
+    {
+        (
+            IInstance instance, // or instanceInfo
+            NftId targetNftId  // or targetInfo
+        ) = _validateInstanceAndComponent(instanceNftId, targetAddress);
-    function createGifTarget(NftId instanceNftId, address targetAddress, string memory targetName) external onlyRegisteredService {
-        IRegistry registry = getRegistry();
-        IRegistry.ObjectInfo memory instanceInfo = registry.getObjectInfo(instanceNftId);
-        Instance instance = Instance(instanceInfo.objectAddress);
-        InstanceAccessManager accessManager = InstanceAccessManager(instance.authority());
+        InstanceAccessManager accessManager = instance.getInstanceAccessManager();
         accessManager.createGifTarget(targetAddress, targetName);
-    }
-    function grantDistributionDefaultPermissions(NftId instanceNftId, address distributionAddress, string memory distributionName) external onlyRegisteredService {
-        IRegistry registry = getRegistry();
-        IRegistry.ObjectInfo memory distributionInfo = registry.getObjectInfo(distributionAddress);
-        if (distributionInfo.objectType != DISTRIBUTION()) {
-            revert ErrorInstanceServiceInvalidComponentType(distributionAddress, DISTRIBUTION(), distributionInfo.objectType);
+        // set proposed target config
+        // TODO restriction: gif targets are set only once and only here?
+        //      assume config is a mix of gif and custom roles and no further configuration by INSTANCE_OWNER_ROLE is ever needed?
+        for(uint roleIdx = 0; roleIdx < roles.length; roleIdx++)
+        {
+            accessManager.setCoreTargetFunctionRole(targetName, selectors[roleIdx], roles[roleIdx]);
         }
-        IRegistry.ObjectInfo memory instanceInfo = registry.getObjectInfo(instanceNftId);
-        Instance instance = Instance(instanceInfo.objectAddress);
-        InstanceAccessManager instanceAccessManager = InstanceAccessManager(instance.authority());
-        bytes4[] memory fctSelectors = new bytes4[](1);
-        fctSelectors[0] = IDistributionComponent.setFees.selector;
-        instanceAccessManager.setTargetFunctionRole(distributionName, fctSelectors, DISTRIBUTION_OWNER_ROLE());
-        bytes4[] memory fctSelectors2 = new bytes4[](1);
-        fctSelectors2[0] = IDistributionComponent.processRenewal.selector;
-        instanceAccessManager.setTargetFunctionRole(distributionName, fctSelectors2, PRODUCT_SERVICE_ROLE());
     }
-    function grantPoolDefaultPermissions(NftId instanceNftId, address poolAddress, string memory poolName) external onlyRegisteredService {
+    // TODO called by component, but target can be component helper...so needs target name
+    // TODO check that targetName associated with component...how???
+    function setComponentLocked(bool locked) onlyComponent external {
+        address componentAddress = msg.sender;
         IRegistry registry = getRegistry();
-        IRegistry.ObjectInfo memory poolInfo = registry.getObjectInfo(poolAddress);
+        NftId instanceNftId = registry.getObjectInfo(componentAddress).parentNftId;
-        if (poolInfo.objectType != POOL()) {
-            revert ErrorInstanceServiceInvalidComponentType(poolAddress, POOL(), poolInfo.objectType);
-        }
+        IInstance instance = IInstance(
+            registry.getObjectInfo(
+                instanceNftId).objectAddress);
-        IRegistry.ObjectInfo memory instanceInfo = registry.getObjectInfo(instanceNftId);
-        Instance instance = Instance(instanceInfo.objectAddress);
-        InstanceAccessManager instanceAccessManager = InstanceAccessManager(instance.authority());
-        bytes4[] memory fctSelectors = new bytes4[](1);
-        fctSelectors[0] = IPoolComponent.setFees.selector;
-        instanceAccessManager.setTargetFunctionRole(poolName, fctSelectors, POOL_OWNER_ROLE());
-        bytes4[] memory fctSelectors2 = new bytes4[](1);
-        fctSelectors2[0] = IPoolComponent.verifyApplication.selector;
-        instanceAccessManager.setTargetFunctionRole(poolName, fctSelectors2, POLICY_SERVICE_ROLE());
-        // bundle owner specific functions
-        bytes4[] memory fctSelectors3 = new bytes4[](7);
-        fctSelectors3[0] = IPoolComponent.stake.selector;
-        fctSelectors3[1] = IPoolComponent.unstake.selector;
-        fctSelectors3[2] = IPoolComponent.extend.selector;
-        fctSelectors3[3] = IPoolComponent.lockBundle.selector;
-        fctSelectors3[4] = IPoolComponent.unlockBundle.selector;
-        fctSelectors3[5] = IPoolComponent.close.selector;
-        fctSelectors3[6] = IPoolComponent.setBundleFee.selector;
-        instanceAccessManager.setTargetFunctionRole(
-            poolName,
-            fctSelectors3,
-            IPoolComponent(poolAddress).getBundleOwnerRole());
+        instance.getInstanceAccessManager().setTargetLockedByService(
+            componentAddress,
+            locked);
     }
-    function grantProductDefaultPermissions(NftId instanceNftId, address productAddress, string memory productName) external onlyRegisteredService {
+    function _validateInstanceAndComponent(NftId instanceNftId, address componentAddress)
+        internal
+        view
+        returns (IInstance instance, NftId componentNftId)
+    {
         IRegistry registry = getRegistry();
-        IRegistry.ObjectInfo memory productInfo = registry.getObjectInfo(productAddress);
-        if (productInfo.objectType != PRODUCT()) {
-            revert ErrorInstanceServiceInvalidComponentType(productAddress, PRODUCT(), productInfo.objectType);
-        }
         IRegistry.ObjectInfo memory instanceInfo = registry.getObjectInfo(instanceNftId);
-        Instance instance = Instance(instanceInfo.objectAddress);
-        InstanceAccessManager instanceAccessManager = InstanceAccessManager(instance.authority());
-        bytes4[] memory fctSelectors = new bytes4[](1);
-        fctSelectors[0] = IProductComponent.setFees.selector;
-        instanceAccessManager.setTargetFunctionRole(productName, fctSelectors, PRODUCT_OWNER_ROLE());
-    }
+        if(instanceInfo.objectType != INSTANCE()) {
+            revert ErrorInstanceServiceNotInstance(instanceNftId);
+        }
-    function setTargetLocked(string memory targetName, bool locked) external {
-        address componentAddress = msg.sender;
-        IRegistry registry = getRegistry();
         IRegistry.ObjectInfo memory componentInfo = registry.getObjectInfo(componentAddress);
-        if (componentInfo.nftId.eqz()) {
-            revert ErrorInstanceServiceComponentNotRegistered(componentAddress);
+        if(componentInfo.parentNftId != instanceNftId) {
+            revert ErrorInstanceServiceInstanceComponentMismatch(instanceNftId, componentInfo.nftId);
         }
-        // TODO validate component type
-        address instanceAddress = registry.getObjectInfo(componentInfo.parentNftId).objectAddress;
-        IInstance instance = IInstance(instanceAddress);
-        InstanceAccessManager accessManager = InstanceAccessManager(instance.authority());
-        accessManager.setTargetClosed(targetName, locked);
+        instance = Instance(instanceInfo.objectAddress);
+        componentNftId = componentInfo.nftId;
     }
-}
+}