@etherisc/gif-next 0.0.2-f30e0eb-805 → 0.0.2-f398177-971

package/contracts/instance/InstanceAccessManager.sol

@@ -9,7 +9,7 @@ import {RoleId, RoleIdLib, ADMIN_ROLE, PUBLIC_ROLE, INSTANCE_SERVICE_ROLE, INSTA
 import {TimestampLib} from "../types/Timestamp.sol";
 import {NftId} from "../types/NftId.sol";
 
-import {AccessManagerUpgradeableInitializeable} from "./AccessManagerUpgradeableInitializeable.sol";
+import {AccessManagerUpgradeableInitializeable} from "../shared/AccessManagerUpgradeableInitializeable.sol";
 
 import {IRegistry} from "../registry/IRegistry.sol";
 
@@ -73,7 +73,7 @@ contract InstanceAccessManager is
         _createRole(ADMIN_ROLE(), ADMIN_ROLE_NAME, IAccess.Type.Core);
         _createRole(PUBLIC_ROLE(), PUBLIC_ROLE_NAME, IAccess.Type.Core);
         _createRole(INSTANCE_ROLE(), INSTANCE_ROLE_NAME, IAccess.Type.Core);
-        _createRole(INSTANCE_OWNER_ROLE(), INSTANCE_OWNER_ROLE_NAME, IAccess.Type.Gif);
+        _createRole(INSTANCE_OWNER_ROLE(), INSTANCE_OWNER_ROLE_NAME, IAccess.Type.Gif);// TODO should be of core type
 
         // assume `this` is already a member of ADMIN_ROLE
         EnumerableSet.add(_roleMembers[ADMIN_ROLE()], address(this));
@@ -105,6 +105,7 @@ contract InstanceAccessManager is
     }
 
     // INSTANCE_OWNER_ROLE
+    // TODO specify how many owners role can have -> many roles MUST have exactly 1 member?
     function createRole(string memory roleName, string memory adminName)
         external
         restricted()
@@ -142,6 +143,7 @@ contract InstanceAccessManager is
         _roleInfo[roleId].admin = admin;      
     }
 
+    // TODO core role can be granted only to 1 member
     function grantRole(RoleId roleId, address member) 
         public
         restrictedToRoleAdmin(roleId) 
@@ -226,7 +228,7 @@ contract InstanceAccessManager is
         return _roleIds[idx];
     }
 
-    // TODO now: for non existent name returns ADMIN_ROLE id
+    // TODO returns ADMIN_ROLE id for non existent name
     function getRoleIdForName(string memory name) external view returns (RoleId roleId) {
         return _roleIdForName[ShortStrings.toShortString(name)];
     }
@@ -250,7 +252,7 @@ contract InstanceAccessManager is
         _createTarget(target, name, IAccess.Type.Core);
     }
     // INSTANCE_SERVICE_ROLE
-    // assume gif target is registered and belongs to the same instance as instance access manager
+    // TODO check for instance mismatch?
     function createGifTarget(address target, string memory name) external restricted() 
     {
         if(!_registry.isRegistered(target)) {
@@ -268,27 +270,23 @@ contract InstanceAccessManager is
     {
         _createTarget(target, name, IAccess.Type.Custom);
     }
-    // INSTANCE_SERVICE_ROLE
-    // IMPORTANT: instance access manager MUST be of Core type -> otherwise will be locked forever
-    function setTargetLocked(string memory targetName, bool locked) 
+
+    // TODO instance owner locks component instead of revoking it access to the instance...
+    function setTargetLockedByService(address target, bool locked)
         external 
-        restricted() 
+        restricted // INSTANCE_SERVICE_ROLE
     {
-        ShortString nameShort = ShortStrings.toShortString(targetName);
-        address target = _targetAddressForName[nameShort];
-        
-        if (target == address(0)) {
-            revert IAccess.ErrorIAccessTargetDoesNotExist(nameShort);
-        }
+        _setTargetLocked(target, locked);
+    }
 
-        if(_targetInfo[target].ttype == IAccess.Type.Core) {
-            revert IAccess.ErrorIAccessTargetTypeInvalid(nameShort, _targetInfo[target].ttype);
-        }
-        // TODO isLocked is redundant but makes getTargetInfo() faster
-        _targetInfo[target].isLocked = locked;
-        _accessManager.setTargetClosed(target, locked);
+    function setTargetLockedByInstance(address target, bool locked)
+        external
+        restricted // INSTANCE_ROLE
+    {
+        _setTargetLocked(target, locked);
     }
 
+
     // allowed combinations of roles and targets:
     //1) set core role for core target 
     //2) set gif role for gif target  
@@ -314,7 +312,7 @@ contract InstanceAccessManager is
 
         // not custom target
         if(_targetInfo[target].ttype == IAccess.Type.Custom) {
-            revert IAccess.ErrorIAccessTargetTypeInvalid(nameShort, IAccess.Type.Custom);
+            revert IAccess.ErrorIAccessTargetTypeInvalid(target, IAccess.Type.Custom);
         }
 
         // not custom role
@@ -345,7 +343,7 @@ contract InstanceAccessManager is
 
         // not core target
         if(_targetInfo[target].ttype == IAccess.Type.Core) {
-            revert IAccess.ErrorIAccessTargetTypeInvalid(nameShort, IAccess.Type.Core);
+            revert IAccess.ErrorIAccessTargetTypeInvalid(target, IAccess.Type.Core);
         }
 
         // not core role
@@ -356,8 +354,13 @@ contract InstanceAccessManager is
         _setTargetFunctionRole(target, nameShort, selectors, roleId);
     }
 
+    function getTargetAddress(string memory targetName) public view returns(address targetAddress) {
+        ShortString nameShort = ShortStrings.toShortString(targetName);
+        return _targetAddressForName[nameShort];
+    }
+
     function isTargetLocked(address target) public view returns (bool locked) {
-        return _accessManager.isTargetClosed(target);
+        return _targetInfo[target].isLocked;
     }
 
     function targetExists(address target) public view returns (bool exists) {
@@ -492,6 +495,22 @@ contract InstanceAccessManager is
         }
     }
 
+    // IMPORTANT: instance access manager MUST be of Core type -> otherwise can be locked forever
+    function _setTargetLocked(address target, bool locked) internal
+    {
+        IAccess.Type targetType = _targetInfo[target].ttype;
+        if(target == address(0) || targetType == IAccess.Type.NotInitialized) {
+            revert IAccess.ErrorIAccessTargetDoesNotExist(target);
+        }
+
+        if(targetType == IAccess.Type.Core) {
+            revert IAccess.ErrorIAccessTargetTypeInvalid(target, targetType);
+        }
+
+        _targetInfo[target].isLocked = locked;
+        _accessManager.setTargetClosed(target, locked);
+    }
+
     function _setTargetFunctionRole(
         address target,
         ShortString name,
@@ -501,7 +520,7 @@ contract InstanceAccessManager is
         internal
     {
         if (target == address(0)) {
-            revert IAccess.ErrorIAccessTargetDoesNotExist(name);
+            revert IAccess.ErrorIAccessTargetDoesNotExist(target);
         }
 
         if (!roleExists(roleId)) {
@@ -519,4 +538,4 @@ contract InstanceAccessManager is
     ) public view virtual returns (bool immediate, uint32 delay) {
         return _accessManager.canCall(caller, target, selector);
     }
-}
+}

package/contracts/instance/InstanceAuthorizationsLib.sol

@@ -0,0 +1,308 @@
+// SPDX-License-Identifier: Apache-2.0
+pragma solidity ^0.8.20;
+
+import {ADMIN_ROLE, INSTANCE_OWNER_ROLE, DISTRIBUTION_OWNER_ROLE, POOL_OWNER_ROLE, PRODUCT_OWNER_ROLE, INSTANCE_SERVICE_ROLE, DISTRIBUTION_SERVICE_ROLE, POOL_SERVICE_ROLE, PRODUCT_SERVICE_ROLE, APPLICATION_SERVICE_ROLE, POLICY_SERVICE_ROLE, CLAIM_SERVICE_ROLE, BUNDLE_SERVICE_ROLE, INSTANCE_ROLE} from "../types/RoleId.sol";
+import {INSTANCE, BUNDLE, APPLICATION, POLICY, CLAIM, PRODUCT, DISTRIBUTION, REGISTRY, POOL} from "../types/ObjectType.sol";
+import {VersionPart} from "../types/Version.sol";
+
+import {IRegistry} from "../registry/IRegistry.sol";
+
+import {Instance} from "./Instance.sol";
+import {InstanceAccessManager} from "./InstanceAccessManager.sol";
+import {InstanceReader} from "./InstanceReader.sol";
+import {BundleManager} from "./BundleManager.sol";
+import {AccessManagerUpgradeableInitializeable} from "../shared/AccessManagerUpgradeableInitializeable.sol";
+import {InstanceStore} from "./InstanceStore.sol";
+
+
+library InstanceAuthorizationsLib
+{
+    function grantInitialAuthorizations(
+        InstanceAccessManager clonedAccessManager,
+        Instance clonedInstance,
+        BundleManager clonedBundleManager,
+        InstanceStore clonedInstanceStore,
+        address instanceOwner,
+        IRegistry registry,
+        VersionPart majorVersion)
+            external
+    {
+        _createCoreAndGifRoles(clonedAccessManager);
+        _createCoreTargets(clonedAccessManager, clonedInstance, clonedBundleManager, clonedInstanceStore);
+        _grantDistributionServiceAuthorizations(clonedAccessManager, clonedInstanceStore, registry, majorVersion);
+        _grantPoolServiceAuthorizations(clonedAccessManager, clonedInstanceStore, registry, majorVersion);
+        _grantProductServiceAuthorizations(clonedAccessManager, clonedInstanceStore, registry, majorVersion);
+        _grantApplicationServiceAuthorizations(clonedAccessManager, clonedInstanceStore, registry, majorVersion);
+        _grantPolicyServiceAuthorizations(clonedAccessManager, clonedInstanceStore, registry, majorVersion);
+        _grantClaimServiceAuthorizations(clonedAccessManager, clonedInstanceStore, registry, majorVersion);
+        _grantBundleServiceAuthorizations(clonedAccessManager, clonedInstanceStore, clonedBundleManager, registry, majorVersion);
+        _grantInstanceServiceAuthorizations(clonedAccessManager, clonedInstance, registry, majorVersion);
+        _grantInstanceAuthorizations(clonedAccessManager, registry, majorVersion);
+        _grantInstanceOwnerAuthorizations(clonedAccessManager, clonedInstance, registry, majorVersion);
+    }
+
+    function _createCoreAndGifRoles(InstanceAccessManager clonedAccessManager) private {
+        // default roles controlled by ADMIN_ROLE -> core roles
+        // all set/granted only once during cloning (the only exception is INSTANCE_OWNER_ROLE, hooked to instance nft)
+        clonedAccessManager.createCoreRole(INSTANCE_SERVICE_ROLE(), "InstanceServiceRole");
+        clonedAccessManager.createCoreRole(DISTRIBUTION_SERVICE_ROLE(), "DistributionServiceRole");
+        clonedAccessManager.createCoreRole(POOL_SERVICE_ROLE(), "PoolServiceRole");
+        clonedAccessManager.createCoreRole(APPLICATION_SERVICE_ROLE(), "ApplicationServiceRole");
+        clonedAccessManager.createCoreRole(PRODUCT_SERVICE_ROLE(), "ProductServiceRole");
+        clonedAccessManager.createCoreRole(CLAIM_SERVICE_ROLE(), "ClaimServiceRole");
+        clonedAccessManager.createCoreRole(POLICY_SERVICE_ROLE(), "PolicyServiceRole");
+        clonedAccessManager.createCoreRole(BUNDLE_SERVICE_ROLE(), "BundleServiceRole");
+        // default roles controlled by INSTANCE_OWNER_ROLE -> gif roles
+        clonedAccessManager.createGifRole(DISTRIBUTION_OWNER_ROLE(), "DistributionOwnerRole", INSTANCE_OWNER_ROLE());
+        clonedAccessManager.createGifRole(POOL_OWNER_ROLE(), "PoolOwnerRole", INSTANCE_OWNER_ROLE());
+        clonedAccessManager.createGifRole(PRODUCT_OWNER_ROLE(), "ProductOwnerRole", INSTANCE_OWNER_ROLE());
+    }
+
+    function _createCoreTargets(
+        InstanceAccessManager clonedAccessManager,
+        Instance clonedInstance,
+        BundleManager clonedBundleManager,
+        InstanceStore clonedInstanceStore)
+        private
+    {
+        clonedAccessManager.createCoreTarget(address(clonedAccessManager), "InstanceAccessManager");// TODO create in instance access manager initializer?
+        clonedAccessManager.createCoreTarget(address(clonedInstance), "Instance");// TODO create in instance access manager initializer?
+        clonedAccessManager.createCoreTarget(address(clonedBundleManager), "BundleManager");
+        clonedAccessManager.createCoreTarget(address(clonedInstanceStore), "InstanceStore");
+    }
+
+    function _grantDistributionServiceAuthorizations(
+        InstanceAccessManager clonedAccessManager,
+        InstanceStore clonedInstanceStore,
+        IRegistry registry,
+        VersionPart majorVersion)
+        private
+    {
+        // configure authorization for distribution service on instance
+        address distributionServiceAddress = registry.getServiceAddress(DISTRIBUTION(), majorVersion);
+        clonedAccessManager.grantRole(DISTRIBUTION_SERVICE_ROLE(), distributionServiceAddress);
+        bytes4[] memory instanceDistributionServiceSelectors = new bytes4[](11);
+        instanceDistributionServiceSelectors[0] = clonedInstanceStore.createDistributionSetup.selector;
+        instanceDistributionServiceSelectors[1] = clonedInstanceStore.updateDistributionSetup.selector;
+        instanceDistributionServiceSelectors[2] = clonedInstanceStore.createDistributorType.selector;
+        instanceDistributionServiceSelectors[3] = clonedInstanceStore.updateDistributorType.selector;
+        instanceDistributionServiceSelectors[4] = clonedInstanceStore.updateDistributorTypeState.selector;
+        instanceDistributionServiceSelectors[5] = clonedInstanceStore.createDistributor.selector;
+        instanceDistributionServiceSelectors[6] = clonedInstanceStore.updateDistributor.selector;
+        instanceDistributionServiceSelectors[7] = clonedInstanceStore.updateDistributorState.selector;
+        instanceDistributionServiceSelectors[8] = clonedInstanceStore.createReferral.selector;
+        instanceDistributionServiceSelectors[9] = clonedInstanceStore.updateReferral.selector;
+        instanceDistributionServiceSelectors[10] = clonedInstanceStore.updateReferralState.selector;
+        clonedAccessManager.setCoreTargetFunctionRole(
+            "InstanceStore",
+            instanceDistributionServiceSelectors,
+            DISTRIBUTION_SERVICE_ROLE());
+    }
+
+    function _grantPoolServiceAuthorizations(
+        InstanceAccessManager clonedAccessManager,
+        InstanceStore clonedInstanceStore,
+        IRegistry registry,
+        VersionPart majorVersion)
+        private
+    {
+        // configure authorization for pool service on instance
+        address poolServiceAddress = registry.getServiceAddress(POOL(), majorVersion);
+        clonedAccessManager.grantRole(POOL_SERVICE_ROLE(), address(poolServiceAddress));
+        bytes4[] memory instancePoolServiceSelectors = new bytes4[](4);
+        instancePoolServiceSelectors[0] = clonedInstanceStore.createPoolSetup.selector;
+        instancePoolServiceSelectors[1] = clonedInstanceStore.updatePoolSetup.selector;
+        clonedAccessManager.setCoreTargetFunctionRole(
+            "InstanceStore",
+            instancePoolServiceSelectors,
+            POOL_SERVICE_ROLE());
+    }
+
+    function _grantProductServiceAuthorizations(
+        InstanceAccessManager clonedAccessManager,
+        InstanceStore clonedInstanceStore,
+        IRegistry registry,
+        VersionPart majorVersion)
+        private
+    {
+        // configure authorization for product service on instance
+        address productServiceAddress = registry.getServiceAddress(PRODUCT(), majorVersion);
+        clonedAccessManager.grantRole(PRODUCT_SERVICE_ROLE(), address(productServiceAddress));
+        bytes4[] memory instanceProductServiceSelectors = new bytes4[](5);
+        instanceProductServiceSelectors[0] = clonedInstanceStore.createProductSetup.selector;
+        instanceProductServiceSelectors[1] = clonedInstanceStore.updateProductSetup.selector;
+        instanceProductServiceSelectors[2] = clonedInstanceStore.createRisk.selector;
+        instanceProductServiceSelectors[3] = clonedInstanceStore.updateRisk.selector;
+        instanceProductServiceSelectors[4] = clonedInstanceStore.updateRiskState.selector;
+        clonedAccessManager.setCoreTargetFunctionRole(
+            "InstanceStore",
+            instanceProductServiceSelectors,
+            PRODUCT_SERVICE_ROLE());
+    }
+
+    function _grantApplicationServiceAuthorizations(
+        InstanceAccessManager clonedAccessManager,
+        InstanceStore clonedInstanceStore,
+        IRegistry registry,
+        VersionPart majorVersion)
+        private
+    {
+        // configure authorization for application services on instance
+        address applicationServiceAddress = registry.getServiceAddress(APPLICATION(), majorVersion);
+        clonedAccessManager.grantRole(APPLICATION_SERVICE_ROLE(), applicationServiceAddress);
+        bytes4[] memory instanceApplicationServiceSelectors = new bytes4[](3);
+        instanceApplicationServiceSelectors[0] = clonedInstanceStore.createApplication.selector;
+        instanceApplicationServiceSelectors[1] = clonedInstanceStore.updateApplication.selector;
+        instanceApplicationServiceSelectors[2] = clonedInstanceStore.updateApplicationState.selector;
+        clonedAccessManager.setCoreTargetFunctionRole(
+            "InstanceStore",
+            instanceApplicationServiceSelectors,
+            APPLICATION_SERVICE_ROLE());
+    }
+
+    function _grantPolicyServiceAuthorizations(
+        InstanceAccessManager clonedAccessManager,
+        InstanceStore clonedInstanceStore,
+        IRegistry registry,
+        VersionPart majorVersion)
+        private
+    {
+        // configure authorization for policy services on instance
+        address policyServiceAddress = registry.getServiceAddress(POLICY(), majorVersion);
+        clonedAccessManager.grantRole(POLICY_SERVICE_ROLE(), policyServiceAddress);
+        bytes4[] memory instancePolicyServiceSelectors = new bytes4[](2);
+        instancePolicyServiceSelectors[0] = clonedInstanceStore.updatePolicy.selector;
+        instancePolicyServiceSelectors[1] = clonedInstanceStore.updatePolicyState.selector;
+        clonedAccessManager.setCoreTargetFunctionRole(
+            "InstanceStore",
+            instancePolicyServiceSelectors,
+            POLICY_SERVICE_ROLE());
+    }
+
+    function _grantClaimServiceAuthorizations(
+        InstanceAccessManager clonedAccessManager,
+        InstanceStore clonedInstanceStore,
+        IRegistry registry,
+        VersionPart majorVersion)
+        private
+    {
+        // configure authorization for claim/payout services on instance
+        address claimServiceAddress = registry.getServiceAddress(CLAIM(), majorVersion);
+        clonedAccessManager.grantRole(CLAIM_SERVICE_ROLE(), claimServiceAddress);
+
+        bytes4[] memory instancePolicyServiceSelectors = new bytes4[](1);
+        instancePolicyServiceSelectors[0] = clonedInstanceStore.updatePolicyClaims.selector;
+        clonedAccessManager.setCoreTargetFunctionRole(
+            "InstanceStore",
+            instancePolicyServiceSelectors, 
+            CLAIM_SERVICE_ROLE());
+
+        bytes4[] memory instanceClaimServiceSelectors = new bytes4[](4);
+        instanceClaimServiceSelectors[0] = clonedInstanceStore.createClaim.selector;
+        instanceClaimServiceSelectors[1] = clonedInstanceStore.updateClaim.selector;
+        instanceClaimServiceSelectors[2] = clonedInstanceStore.createPayout.selector;
+        instanceClaimServiceSelectors[3] = clonedInstanceStore.updatePayout.selector;
+        clonedAccessManager.setCoreTargetFunctionRole(
+            "InstanceStore",
+            instanceClaimServiceSelectors, 
+            CLAIM_SERVICE_ROLE());
+    }
+
+    function _grantBundleServiceAuthorizations(
+        InstanceAccessManager clonedAccessManager,
+        InstanceStore clonedInstanceStore,
+        BundleManager clonedBundleManager,
+        IRegistry registry,
+        VersionPart majorVersion)
+        private
+    {
+        // configure authorization for bundle service on instance
+        address bundleServiceAddress = registry.getServiceAddress(BUNDLE(), majorVersion);
+        clonedAccessManager.grantRole(BUNDLE_SERVICE_ROLE(), address(bundleServiceAddress));
+        bytes4[] memory instanceBundleServiceSelectors = new bytes4[](3);
+        instanceBundleServiceSelectors[0] = clonedInstanceStore.createBundle.selector;
+        instanceBundleServiceSelectors[1] = clonedInstanceStore.updateBundle.selector;
+        instanceBundleServiceSelectors[2] = clonedInstanceStore.updateBundleState.selector;
+        clonedAccessManager.setCoreTargetFunctionRole(
+            "InstanceStore",
+            instanceBundleServiceSelectors,
+            BUNDLE_SERVICE_ROLE());
+
+        // configure authorization for bundle service on bundle manager
+        bytes4[] memory bundleManagerBundleServiceSelectors = new bytes4[](5);
+        bundleManagerBundleServiceSelectors[0] = clonedBundleManager.linkPolicy.selector;
+        bundleManagerBundleServiceSelectors[1] = clonedBundleManager.unlinkPolicy.selector;
+        bundleManagerBundleServiceSelectors[2] = clonedBundleManager.add.selector;
+        bundleManagerBundleServiceSelectors[3] = clonedBundleManager.lock.selector;
+        bundleManagerBundleServiceSelectors[4] = clonedBundleManager.unlock.selector;
+        clonedAccessManager.setCoreTargetFunctionRole(
+            "BundleManager",
+            bundleManagerBundleServiceSelectors,
+            BUNDLE_SERVICE_ROLE());
+    }
+
+    function _grantInstanceServiceAuthorizations(
+        InstanceAccessManager clonedAccessManager,
+        Instance clonedInstance,
+        IRegistry registry,
+        VersionPart majorVersion)
+        private
+    {
+        // configure authorization for instance service on instance
+        address instanceServiceAddress = registry.getServiceAddress(INSTANCE(), majorVersion);
+        clonedAccessManager.grantRole(INSTANCE_SERVICE_ROLE(), instanceServiceAddress);
+        bytes4[] memory instanceInstanceServiceSelectors = new bytes4[](1);
+        instanceInstanceServiceSelectors[0] = clonedInstance.setInstanceReader.selector;
+        clonedAccessManager.setCoreTargetFunctionRole(
+            "Instance",
+            instanceInstanceServiceSelectors,
+            INSTANCE_SERVICE_ROLE());
+
+        // configure authorizations for instance service on instance access manager
+        bytes4[] memory accessManagerInstanceServiceSelectors = new bytes4[](3);
+        accessManagerInstanceServiceSelectors[0] = clonedAccessManager.createGifTarget.selector;
+        accessManagerInstanceServiceSelectors[1] = clonedAccessManager.setTargetLockedByService.selector;
+        accessManagerInstanceServiceSelectors[2] = clonedAccessManager.setCoreTargetFunctionRole.selector;
+        clonedAccessManager.setCoreTargetFunctionRole(
+            "InstanceAccessManager",
+            accessManagerInstanceServiceSelectors,
+            INSTANCE_SERVICE_ROLE());
+    }
+
+    function _grantInstanceAuthorizations(
+        InstanceAccessManager clonedAccessManager,
+        IRegistry registry,
+        VersionPart majorVersion)
+        private
+    {
+        bytes4[] memory accessManagerInstanceSelectors = new bytes4[](4);
+        accessManagerInstanceSelectors[0] = clonedAccessManager.createRole.selector;
+        accessManagerInstanceSelectors[1] = clonedAccessManager.createTarget.selector;
+        accessManagerInstanceSelectors[2] = clonedAccessManager.setTargetFunctionRole.selector;
+        accessManagerInstanceSelectors[3] = clonedAccessManager.setTargetLockedByInstance.selector;
+        clonedAccessManager.setCoreTargetFunctionRole(
+            "InstanceAccessManager",
+            accessManagerInstanceSelectors,
+            INSTANCE_ROLE());
+    }
+
+    function _grantInstanceOwnerAuthorizations(
+        InstanceAccessManager clonedAccessManager,
+        Instance clonedInstance,
+        IRegistry registry,
+        VersionPart majorVersion) 
+        private 
+    {
+        // configure authorization for instance owner on instance access manager
+        // instance owner role is granted/revoked ONLY by INSTANCE_ROLE
+        bytes4[] memory instanceInstanceOwnerSelectors = new bytes4[](4);
+        instanceInstanceOwnerSelectors[0] = clonedInstance.createRole.selector;
+        instanceInstanceOwnerSelectors[1] = clonedInstance.createTarget.selector;
+        instanceInstanceOwnerSelectors[2] = clonedInstance.setTargetFunctionRole.selector;
+        instanceInstanceOwnerSelectors[3] = clonedInstance.setTargetLocked.selector;
+        clonedAccessManager.setCoreTargetFunctionRole(
+            "Instance",
+            instanceInstanceOwnerSelectors,
+            INSTANCE_OWNER_ROLE());
+    }
+}

package/contracts/instance/InstanceReader.sol

@@ -3,11 +3,13 @@ pragma solidity ^0.8.20;
 
 import {IERC20Metadata} from "@openzeppelin/contracts/token/ERC20/extensions/IERC20Metadata.sol";
 
+import {ClaimId} from "../types/ClaimId.sol";
 import {DistributorType} from "../types/DistributorType.sol";
 import {Fee, FeeLib} from "../types/Fee.sol";
 import {Key32} from "../types/Key32.sol";
 import {NftId} from "../types/NftId.sol";
 import {ObjectType, DISTRIBUTOR, DISTRIBUTION, INSTANCE, PRODUCT, POLICY, POOL, TREASURY, BUNDLE} from "../types/ObjectType.sol";
+import {PayoutId} from "../types/PayoutId.sol";
 import {ReferralId, ReferralStatus, ReferralLib, REFERRAL_OK, REFERRAL_ERROR_UNKNOWN, REFERRAL_ERROR_EXPIRED, REFERRAL_ERROR_EXHAUSTED} from "../types/Referral.sol";
 import {Registerable} from "../shared/Registerable.sol";
 import {RiskId} from "../types/RiskId.sol";
@@ -27,22 +29,30 @@ import {ISetup} from "../instance/module/ISetup.sol";
 import {ITreasury} from "../instance/module/ITreasury.sol";
 import {TimestampLib} from "../types/Timestamp.sol";
 
+import {InstanceStore} from "./InstanceStore.sol";
+
 
 contract InstanceReader {
+
+    error ErrorInstanceReaderAlreadyInitialized();
+    error ErrorInstanceReaderInstanceAddressZero();
+
     bool private _initialized;
 
     IInstance internal _instance;
     IKeyValueStore internal _store;
 
     function initialize(address instance) public {
-        require(!_initialized, "ERROR:CRD-000:ALREADY_INITIALIZED");
+        if(_initialized) {
+            revert ErrorInstanceReaderAlreadyInitialized();
+        }
 
-        require(
-            address(instance) != address(0),
-            "ERROR:CRD-001:INSTANCE_ZERO");
+        if(instance == address(0)) {
+            revert ErrorInstanceReaderInstanceAddressZero();
+        }
 
         _instance = IInstance(instance);
-        _store = IKeyValueStore(instance);
+        _store = _instance.getInstanceStore();
 
         _initialized = true;
     }
@@ -66,7 +76,74 @@ contract InstanceReader {
         view
         returns (StateId state)
     {
-        return _instance.getState(toPolicyKey(policyNftId));
+        return _store.getState(toPolicyKey(policyNftId));
+    }
+
+    /// @dev returns true iff policy may be closed
+    /// a policy can be closed all conditions below are met
+    /// - policy exists
+    /// - has been activated
+    /// - is not yet closed
+    /// - has no open claims
+    /// - claim amount matches sum insured amount or is expired
+    function policyIsCloseable(NftId policyNftId)
+        public
+        view
+        returns (bool isCloseable)
+    {
+        IPolicy.PolicyInfo memory info = getPolicyInfo(policyNftId);
+
+        if (info.productNftId.eqz()) { return false; } // not closeable: policy does not exist (or does not belong to this instance)
+        if (info.activatedAt.eqz()) { return false; } // not closeable: not yet activated
+        if (info.closedAt.gtz()) { return false; } // not closeable: already closed
+        if (info.openClaimsCount > 0) { return false; } // not closeable: has open claims
+
+        // closeable: if sum of claims matches sum insured a policy may be closed prior to the expiry date
+        if (info.claimAmount == info.sumInsuredAmount) { return true; }
+
+        // not closeable: not yet expired
+        if (TimestampLib.blockTimestamp() < info.expiredAt) { return false; }
+
+        // all conditionsl to close the policy are met
+        return true; 
+    }
+
+    function getClaimInfo(NftId policyNftId, ClaimId claimId)
+        public
+        view
+        returns (IPolicy.ClaimInfo memory info)
+    {
+        bytes memory data = _store.getData(claimId.toKey32(policyNftId));
+        if (data.length > 0) {
+            return abi.decode(data, (IPolicy.ClaimInfo));
+        }
+    }
+
+    function getClaimState(NftId policyNftId, ClaimId claimId)
+        public
+        view
+        returns (StateId state)
+    {
+        return _store.getState(claimId.toKey32(policyNftId));
+    }
+
+    function getPayoutInfo(NftId policyNftId, PayoutId payoutId)
+        public
+        view
+        returns (IPolicy.PayoutInfo memory info)
+    {
+        bytes memory data = _store.getData(payoutId.toKey32(policyNftId));
+        if (data.length > 0) {
+            return abi.decode(data, (IPolicy.PayoutInfo));
+        }
+    }
+
+    function getPayoutState(NftId policyNftId, PayoutId payoutId)
+        public
+        view
+        returns (StateId state)
+    {
+        return _store.getState(payoutId.toKey32(policyNftId));
     }
 
     function getRiskInfo(RiskId riskId)
@@ -148,6 +225,7 @@ contract InstanceReader {
         }
     }
 
+    // TODO consider to replace by component type specific getXyzInfo
     function getComponentInfo(NftId poolNftId)
         public
         view
@@ -287,4 +365,4 @@ contract InstanceReader {
     function toInt(UFixed value) public pure returns (uint256) {
         return UFixedLib.toInt(value);
     }
-}
+}