@etherisc/gif-next 0.0.2-fb8d07b-779 → 0.0.2-fbe22f0-239

package/contracts/instance/Instance.sol

@@ -1,42 +1,50 @@
 // SPDX-License-Identifier: Apache-2.0
 pragma solidity ^0.8.20;
 
-import {EnumerableSet} from "@openzeppelin/contracts/utils/structs/EnumerableSet.sol";
-import {ShortString, ShortStrings} from "@openzeppelin/contracts/utils/ShortStrings.sol";
+import {AccessManagedUpgradeable} from "@openzeppelin/contracts-upgradeable/access/manager/AccessManagedUpgradeable.sol";
 
-import {AccessManagedSimple} from "./AccessManagedSimple.sol";
-import {AccessManagerSimple} from "./AccessManagerSimple.sol";
-import {IAccess} from "./module/IAccess.sol";
-import {IBundle} from "./module/IBundle.sol";
-import {IPolicy} from "./module/IPolicy.sol";
-import {IRisk} from "./module/IRisk.sol";
-import {ISetup} from "./module/ISetup.sol";
 import {Key32, KeyId, Key32Lib} from "../types/Key32.sol";
-import {KeyValueStore} from "./base/KeyValueStore.sol";
-import {IInstance} from "./IInstance.sol";
-import {InstanceReader} from "./InstanceReader.sol";
 import {NftId} from "../types/NftId.sol";
 import {NumberId} from "../types/NumberId.sol";
-import {ObjectType, BUNDLE, DISTRIBUTION, INSTANCE, POLICY, POOL, ROLE, PRODUCT, TARGET} from "../types/ObjectType.sol";
+import {ObjectType, BUNDLE, DISTRIBUTION, INSTANCE, POLICY, POOL, ROLE, PRODUCT, TARGET, COMPONENT} from "../types/ObjectType.sol";
 import {RiskId, RiskIdLib} from "../types/RiskId.sol";
 import {RoleId, RoleIdLib} from "../types/RoleId.sol";
 import {StateId, ACTIVE} from "../types/StateId.sol";
+import {TimestampLib} from "../types/Timestamp.sol";
+import {VersionPart} from "../types/Version.sol";
+
 import {ERC165} from "../shared/ERC165.sol";
 import {Registerable} from "../shared/Registerable.sol";
-import {ComponentOwnerService} from "./service/ComponentOwnerService.sol";
-import {IComponentOwnerService} from "./service/IComponentOwnerService.sol";
+
+import {IInstance} from "./IInstance.sol";
+import {InstanceReader} from "./InstanceReader.sol";
+import {InstanceAccessManager} from "./InstanceAccessManager.sol";
+import {BundleManager} from "./BundleManager.sol";
+
+import {KeyValueStore} from "./base/KeyValueStore.sol";
+
+import {IAccess} from "./module/IAccess.sol";
+import {IBundle} from "./module/IBundle.sol";
+import {IPolicy} from "./module/IPolicy.sol";
+import {IRisk} from "./module/IRisk.sol";
+import {ISetup} from "./module/ISetup.sol";
+
 import {IDistributionService} from "./service/IDistributionService.sol";
 import {IPoolService} from "./service/IPoolService.sol";
-import {VersionPart} from "../types/Version.sol";
+import {IProductService} from "./service/IProductService.sol";
+import {IPolicyService} from "./service/IPolicyService.sol";
+import {IBundleService} from "./service/IBundleService.sol";
+import {VersionPart, VersionPartLib} from "../types/Version.sol";
 
 contract Instance is
-    AccessManagedSimple,
-    KeyValueStore,
     IInstance,
-    ERC165,
-    Registerable
+    AccessManagedUpgradeable,
+    Registerable,
+    KeyValueStore
 {
 
+    uint256 public constant GIF_MAJOR_VERSION = 3;
+
     uint64 public constant ADMIN_ROLE = type(uint64).min;
     uint64 public constant PUBLIC_ROLE = type(uint64).max;
     uint64 public constant CUSTOM_ROLE_ID_MIN = 10000;
@@ -45,153 +53,18 @@ contract Instance is
 
     bool private _initialized;
 
-    mapping(ShortString name => RoleId roleId) internal _role;
-    mapping(RoleId roleId => EnumerableSet.AddressSet roleMembers) internal _roleMembers; 
-    RoleId [] internal _roles;
-
-    mapping(ShortString name => address target) internal _target;
-
-    AccessManagerSimple internal _accessManager;
+    InstanceAccessManager internal _accessManager;
     InstanceReader internal _instanceReader;
+    BundleManager internal _bundleManager;
 
-    constructor(address accessManagerAddress, address registryAddress, NftId registryNftId)
+    function initialize(address accessManagerAddress, address registryAddress, NftId registryNftId, address initialOwner) 
+        public 
+        initializer()
     {
-        initialize(accessManagerAddress, registryAddress, registryNftId, msg.sender);
-    }
-
-    function initialize(address accessManagerAddress, address registryAddress, NftId registryNftId, address initialOwner) public {
-        require(!_initialized, "Contract instance has already been initialized");
-
-        initializeAccessManagedSimple(accessManagerAddress);
-                
-        _accessManager = AccessManagerSimple(accessManagerAddress);
-        _createRole(RoleIdLib.toRoleId(ADMIN_ROLE), "AdminRole", false, false);
-        _createRole(RoleIdLib.toRoleId(PUBLIC_ROLE), "PublicRole", false, false);
-
-        _initializeRegisterable(registryAddress, registryNftId, INSTANCE(), false, initialOwner, "");
-
-        _registerInterface(type(IInstance).interfaceId);    
-        _initialized = true;
-    }
-
-    //--- Role ------------------------------------------------------//
-    function createStandardRole(RoleId roleId, string memory name) external restricted() {
-        _createRole(roleId, name, false, true);
-    }
-
-    function createCustomRole(RoleId roleId, string memory name) external restricted() {
-        _createRole(roleId, name, true, true);
-    }
-
-    function updateRole(RoleId roleId, string memory name, StateId newState) external restricted() {
-        (bool isCustom,) = _validateRoleParameters(roleId, name, false);
-        IAccess.RoleInfo memory role = _toRole(roleId, name, isCustom);
-        update(toRoleKey32(roleId), abi.encode(role), newState);
-    }
-
-    function updateRoleState(RoleId roleId, StateId newState) external restricted() {
-        updateState(toRoleKey32(roleId), newState);
-    }
-
-    function grantRole(RoleId roleId, address member) external restricted() returns (bool granted) {
-        Key32 roleKey = toRoleKey32(roleId);
-
-        if (!exists(roleKey)) {
-            revert IAccess.ErrorGrantNonexstentRole(roleId);
-        }
-
-        if (getState(roleKey) != ACTIVE()) {
-            revert IAccess.ErrorRoleIdNotActive(roleId);
-        }
-
-        if (!EnumerableSet.contains(_roleMembers[roleId], member)) {
-            _accessManager.grantRole(roleId.toInt(), member, EXECUTION_DELAY);
-            EnumerableSet.add(_roleMembers[roleId], member);
-            return true;
-        }
-
-        return false;
-    }
-
-    function revokeRole(RoleId roleId, address member) external restricted() returns (bool revoked) {
-        Key32 roleKey = toRoleKey32(roleId);
-
-        if (!exists(roleKey)) {
-            revert IAccess.ErrorRevokeNonexstentRole(roleId);
-        }
-
-        if (EnumerableSet.contains(_roleMembers[roleId], member)) {
-            _accessManager.revokeRole(roleId.toInt(), member);
-            EnumerableSet.remove(_roleMembers[roleId], member);
-            return true;
-        }
-
-        return false;
-    }
-
-    /// @dev not restricted function by intention
-    /// the restriction to role members is already enforced by the call to the access manger
-    function renounceRole(RoleId roleId) external returns (bool revoked) {
-        address member = msg.sender;
-        Key32 roleKey = toRoleKey32(roleId);
-
-        if (!exists(roleKey)) {
-            revert IAccess.ErrorRenounceNonexstentRole(roleId);
-        }
-
-        if (EnumerableSet.contains(_roleMembers[roleId], member)) {
-            _accessManager.renounceRole(roleId.toInt(), member);
-            EnumerableSet.remove(_roleMembers[roleId], member);
-            return true;
-        }
-
-        return false;
-    }
-
-    function roles() external view returns (uint256 numberOfRoles) {
-        return _roles.length;
-    }
-
-    function getRoleId(uint256 idx) external view returns (RoleId roleId) {
-        return _roles[idx];
-    }
-
-    function getRole(RoleId roleId) external view returns (IAccess.RoleInfo memory role) {
-        return abi.decode(getData(roleId.toKey32()), (IAccess.RoleInfo));
-    }
-
-    function roleMembers(RoleId roleId) external view returns (uint256 numberOfMembers) {
-        return EnumerableSet.length(_roleMembers[roleId]);
-    }
-
-    function getRoleMember(RoleId roleId, uint256 idx) external view returns (address roleMember) {
-        return EnumerableSet.at(_roleMembers[roleId], idx);
-    }
-
-    function _createRole(RoleId roleId, string memory name, bool isCustom, bool validateParameters) internal {
-        if (validateParameters) {
-            _validateRoleParameters(roleId, name, isCustom);
-        }
-
-        IAccess.RoleInfo memory role = _toRole(roleId, name, isCustom);
-        _role[role.name] = roleId;
-        _roles.push(roleId);
-
-        create(toRoleKey32(roleId), abi.encode(role));
-    }
-
-    //--- Target ------------------------------------------------------//
-    function createTarget(address target, IAccess.TargetInfo memory targetInfo) external restricted() {
-        _validateTargetParameters(target, targetInfo);
-        create(toTargetKey32(target), abi.encode(targetInfo));
-    }
-
-    function setTargetClosed(address target, bool closed) external restricted() {
-        if (!exists(toTargetKey32(target))) {
-            revert IAccess.ErrorTargetDoesNotExist(target);
-        }
-
-        _accessManager.setTargetClosed(target, closed);
+        __AccessManaged_init(accessManagerAddress);
+        
+        initializeRegisterable(registryAddress, registryNftId, INSTANCE(), false, initialOwner, "");
+        registerInterface(type(IInstance).interfaceId);    
     }
 
     //--- ProductSetup ------------------------------------------------------//
@@ -338,71 +211,6 @@ contract Instance is
     }
 
     //--- internal view/pure functions --------------------------------------//
-    function _toRole(RoleId roleId, string memory name, bool isCustom)
-        internal
-        pure
-        returns (IAccess.RoleInfo memory role)
-    {
-        return IAccess.RoleInfo(
-            ShortStrings.toShortString(name), 
-            isCustom);
-    }
-
-    function _validateRoleParameters(
-        RoleId roleId, 
-        string memory name, 
-        bool isCustom
-    )
-        internal
-        view 
-        returns (
-            bool roleExists,
-            bool roleIsCustom
-        )
-    {
-        Key32 roleKey = toRoleKey32(roleId);
-        roleExists = exists(roleKey);
-        if (roleExists) {
-            roleIsCustom = abi.decode(getData(roleKey), (IAccess.RoleInfo)).isCustom;
-        } else {
-            roleIsCustom = isCustom;
-        }
-
-        // check role id
-        uint64 roleIdInt = RoleId.unwrap(roleId);
-        if(roleIdInt == ADMIN_ROLE || roleIdInt == PUBLIC_ROLE) {
-            revert IAccess.ErrorRoleIdInvalid(roleId); 
-        }
-
-        if (roleIsCustom && roleIdInt < CUSTOM_ROLE_ID_MIN) {
-            revert IAccess.ErrorRoleIdTooSmall(roleId); 
-        } else if (roleIsCustom && roleIdInt >= CUSTOM_ROLE_ID_MIN) {
-            revert IAccess.ErrorRoleIdTooBig(roleId); 
-        }
-
-        // role name checks
-        ShortString nameShort = ShortStrings.toShortString(name);
-        if (ShortStrings.byteLength(nameShort) == 0) {
-            revert IAccess.ErrorRoleNameEmpty(roleId);
-        }
-
-        if (_role[nameShort] != RoleIdLib.zero() && _role[nameShort] != roleId) {
-            revert IAccess.ErrorRoleNameNotUnique(_role[nameShort], nameShort);
-        }
-    }
-
-    function _validateTargetParameters(address target, IAccess.TargetInfo memory targetInfo) internal view {
-
-    }
-
-    function toRoleKey32(RoleId roleId) public pure returns (Key32) {
-        return roleId.toKey32();
-    }
-
-    function toTargetKey32(address target) public pure returns (Key32) {
-        return Key32Lib.toKey32(TARGET(), KeyId.wrap(bytes20(target)));
-    }
-
     function _toNftKey32(NftId nftId, ObjectType objectType) internal pure returns (Key32) {
         return nftId.toKey32(objectType);
     }
@@ -415,29 +223,46 @@ contract Instance is
         return policyNftId.toKey32(POLICY());
     }
 
-    function getComponentOwnerService() external view returns (IComponentOwnerService) {
-        return ComponentOwnerService(_registry.getServiceAddress("ComponentOwnerService", VersionPart.wrap(3)));
-    }
-
     function getDistributionService() external view returns (IDistributionService) {
-        return IDistributionService(_registry.getServiceAddress("DistributionService", VersionPart.wrap(3)));
+        return IDistributionService(getRegistry().getServiceAddress(DISTRIBUTION(), VersionPart.wrap(3)));
     }
 
-    // TODO reactivate when services are available
-    // function getProductService() external view returns (IProductService) {
-    //     return ProductService(_registry.getServiceAddress("ProductService", VersionPart.wrap(3)));
-    // }
+    function getProductService() external view returns (IProductService) {
+        return IProductService(getRegistry().getServiceAddress(PRODUCT(), VersionPart.wrap(3)));
+    }
 
     function getPoolService() external view returns (IPoolService) {
-        return IPoolService(_registry.getServiceAddress("PoolService", VersionPart.wrap(3)));
+        return IPoolService(getRegistry().getServiceAddress(POOL(), VersionPart.wrap(3)));
+    }
+
+    function getPolicyService() external view returns (IPolicyService) {
+        return IPolicyService(getRegistry().getServiceAddress(POLICY(), VersionPart.wrap(3)));
+    }
+
+    function getBundleService() external view returns (IBundleService) {
+        return IBundleService(getRegistry().getServiceAddress(BUNDLE(), VersionPart.wrap(3)));
     }
 
     function setInstanceReader(InstanceReader instanceReader) external restricted() {
-        require(address(_instanceReader) == address(0), "InstanceReader is set");
+        require(instanceReader.getInstance() == Instance(this), "InstanceReader instance mismatch");
         _instanceReader = instanceReader;
     }
 
+    function getMajorVersion() external pure returns (VersionPart majorVersion) {
+        return VersionPartLib.toVersionPart(GIF_MAJOR_VERSION);
+    }
+
     function getInstanceReader() external view returns (InstanceReader) {
         return _instanceReader;
     }
+    
+    function setBundleManager(BundleManager bundleManager) external restricted() {
+        require(address(_bundleManager) == address(0), "BundleManager is set");
+        require(bundleManager.getInstance() == Instance(this), "BundleManager instance mismatch");
+        _bundleManager = bundleManager;
+    }
+
+    function getBundleManager() external view returns (BundleManager) {
+        return _bundleManager;
+    }
 }

package/contracts/instance/InstanceAccessManager.sol

@@ -1,95 +1,54 @@
 // SPDX-License-Identifier: Apache-2.0
 pragma solidity ^0.8.20;
 
+import {AccessManager} from "@openzeppelin/contracts/access/manager/AccessManager.sol";
+import {AccessManagedUpgradeable} from "@openzeppelin/contracts-upgradeable/access/manager/AccessManagedUpgradeable.sol";
 import {EnumerableSet} from "@openzeppelin/contracts/utils/structs/EnumerableSet.sol";
 import {ShortString, ShortStrings} from "@openzeppelin/contracts/utils/ShortStrings.sol";
 
-import {AccessManagedSimple} from "./AccessManagedSimple.sol";
-import {AccessManagerSimple} from "./AccessManagerSimple.sol";
-import {IBundle} from "./module/IBundle.sol";
-import {IPolicy} from "./module/IPolicy.sol";
-import {IRisk} from "./module/IRisk.sol";
-import {ISetup} from "./module/ISetup.sol";
-import {Key32, KeyId, Key32Lib} from "../types/Key32.sol";
-import {KeyValueStore} from "./base/KeyValueStore.sol";
-import {NftId} from "../types/NftId.sol";
-import {NumberId} from "../types/NumberId.sol";
-import {ObjectType, BUNDLE, DISTRIBUTION, POLICY, POOL, ROLE, PRODUCT, TARGET} from "../types/ObjectType.sol";
-import {RiskId, RiskIdLib} from "../types/RiskId.sol";
-import {RoleId, RoleIdLib} from "../types/RoleId.sol";
-import {StateId, ACTIVE} from "../types/StateId.sol";
-import {Timestamp, TimestampLib} from "../types/Timestamp.sol";
+import {RoleId, RoleIdLib } from "../types/RoleId.sol";
+import {TimestampLib} from "../types/Timestamp.sol";
+import {IAccess} from "./module/IAccess.sol";
 
 contract InstanceAccessManager is
-    AccessManagedSimple
+    AccessManagedUpgradeable
 {
+    using RoleIdLib for RoleId;
+
     string public constant ADMIN_ROLE_NAME = "AdminRole";
     string public constant PUBLIC_ROLE_NAME = "PublicRole";
 
     uint64 public constant CUSTOM_ROLE_ID_MIN = 10000;
     uint32 public constant EXECUTION_DELAY = 0;
 
-    struct RoleInfo {
-        ShortString name;
-        bool isCustom;
-        bool isLocked;
-        Timestamp createdAt;
-        Timestamp updatedAt;
-    }
-
-    struct TargetInfo {
-        ShortString name;
-        bool isCustom;
-        bool isLocked;
-        Timestamp createdAt;
-        Timestamp updatedAt;
-    }
-
-    error ErrorRoleIdInvalid(RoleId roleId);
-    error ErrorRoleIdTooBig(RoleId roleId);
-    error ErrorRoleIdTooSmall(RoleId roleId);
-    error ErrorRoleIdAlreadyExists(RoleId roleId, ShortString name);
-    error ErrorRoleIdNotActive(RoleId roleId);
-    error ErrorRoleNameEmpty(RoleId roleId);
-    error ErrorRoleNameNotUnique(RoleId roleId, ShortString name);
-    error ErrorRoleInvalidUpdate(RoleId roleId, bool isCustom);
-    error ErrorRoleIsCustomIsImmutable(RoleId roleId, bool isCustom, bool isCustomExisting);
-    error ErrorSetLockedForNonexstentRole(RoleId roleId);
-    error ErrorGrantNonexstentRole(RoleId roleId);
-    error ErrorRevokeNonexstentRole(RoleId roleId);
-    error ErrorRenounceNonexstentRole(RoleId roleId);
-
-    error ErrorTargetAddressZero();
-    error ErrorTargetAlreadyExists(address target, ShortString name);
-    error ErrorTargetNameEmpty(address target);
-    error ErrorTargetNameExists(address target, address existingTarget, ShortString name);
-    error ErrorSetLockedForNonexstentTarget(address target);
-
     // role specific state
-    mapping(RoleId roleId => RoleInfo info) internal _role;
+    mapping(RoleId roleId => IAccess.RoleInfo info) internal _role;
     mapping(RoleId roleId => EnumerableSet.AddressSet roleMembers) internal _roleMembers; 
     mapping(ShortString name => RoleId roleId) internal _roleForName;
     RoleId [] internal _roles;
 
     // target specific state
-    mapping(address target => TargetInfo info) internal _target;
+    mapping(address target => IAccess.TargetInfo info) internal _target;
     mapping(ShortString name => address target) internal _targetForName;
     address [] internal _targets;
 
-    AccessManagerSimple internal _accessManager;
+    AccessManager internal _accessManager;
 
-    constructor(address accessManager)
+    function initialize(address initialAdmin) external initializer
     {
-        _accessManager = AccessManagerSimple(accessManager);
-        initializeAccessManagedSimple(accessManager);
+        // if size of the contract gets too large, this can be externalized which will reduce the contract size considerably
+        _accessManager = new AccessManager(address(this));
+        // this service required admin rights to access manager to be able to grant/revoke roles
+        _accessManager.grantRole(_accessManager.ADMIN_ROLE(), initialAdmin, 0);
+
+        __AccessManaged_init(address(_accessManager));
 
         _createRole(RoleIdLib.toRoleId(_accessManager.ADMIN_ROLE()), ADMIN_ROLE_NAME, false, false);
         _createRole(RoleIdLib.toRoleId(_accessManager.PUBLIC_ROLE()), PUBLIC_ROLE_NAME, false, false);
     }
 
     //--- Role ------------------------------------------------------//
-
-    function createDefaultRole(RoleId roleId, string memory name) external restricted() {
+    function createGifRole(RoleId roleId, string memory name) external restricted() {
         _createRole(roleId, name, false, true);
     }
 
@@ -99,7 +58,7 @@ contract InstanceAccessManager is
 
     function setRoleLocked(RoleId roleId, bool locked) external restricted() {
         if (!roleExists(roleId)) {
-            revert ErrorSetLockedForNonexstentRole(roleId);
+            revert IAccess.ErrorIAccessRoleIdInvalid(roleId);
         }
 
         _role[roleId].isLocked = locked;
@@ -112,11 +71,11 @@ contract InstanceAccessManager is
 
     function grantRole(RoleId roleId, address member) external restricted() returns (bool granted) {
         if (!roleExists(roleId)) {
-            revert ErrorGrantNonexstentRole(roleId);
+            revert IAccess.ErrorIAccessRoleIdInvalid(roleId);
         }
 
         if (_role[roleId].isLocked) {
-            revert ErrorRoleIdNotActive(roleId);
+            revert IAccess.ErrorIAccessRoleIdNotActive(roleId);
         }
 
         if (!EnumerableSet.contains(_roleMembers[roleId], member)) {
@@ -130,7 +89,7 @@ contract InstanceAccessManager is
 
     function revokeRole(RoleId roleId, address member) external restricted() returns (bool revoked) {
         if (!roleExists(roleId)) {
-            revert ErrorRevokeNonexstentRole(roleId);
+            revert IAccess.ErrorIAccessRevokeNonexstentRole(roleId);
         }
 
         if (EnumerableSet.contains(_roleMembers[roleId], member)) {
@@ -148,7 +107,7 @@ contract InstanceAccessManager is
         address member = msg.sender;
 
         if (!roleExists(roleId)) {
-            revert ErrorRenounceNonexstentRole(roleId);
+            revert IAccess.ErrorIAccessRenounceNonexstentRole(roleId);
         }
 
         if (EnumerableSet.contains(_roleMembers[roleId], member)) {
@@ -173,7 +132,7 @@ contract InstanceAccessManager is
         return _roleForName[ShortStrings.toShortString(name)];
     }
 
-    function getRole(RoleId roleId) external view returns (RoleInfo memory role) {
+    function getRole(RoleId roleId) external view returns (IAccess.RoleInfo memory role) {
         return _role[roleId];
     }
 
@@ -190,13 +149,19 @@ contract InstanceAccessManager is
     }
 
     //--- Target ------------------------------------------------------//
+    function createGifTarget(address target, string memory name) external restricted() {
+        _createTarget(target, name, false, true);
+    }
+
     function createTarget(address target, string memory name) external restricted() {
         _createTarget(target, name, true, true);
     }
 
-    function setTargetLocked(address target, bool locked) external restricted() {
-        if (!targetExists(target)) {
-            revert ErrorSetLockedForNonexstentTarget(target);
+    function setTargetLocked(string memory targetName, bool locked) external restricted() {
+        address target = _targetForName[ShortStrings.toShortString(targetName)];
+        
+        if (target == address(0)) {
+            revert IAccess.ErrorIAccessTargetDoesNotExist(ShortStrings.toShortString(targetName));
         }
 
         _target[target].isLocked = locked;
@@ -214,7 +179,7 @@ contract InstanceAccessManager is
             _validateRoleParameters(roleId, name, isCustom);
         }
 
-        RoleInfo memory role = RoleInfo(
+        IAccess.RoleInfo memory role = IAccess.RoleInfo(
             ShortStrings.toShortString(name), 
             isCustom,
             false, // role un-locked,
@@ -233,35 +198,35 @@ contract InstanceAccessManager is
     )
         internal
         view 
-        returns (RoleInfo memory existingRole)
+        returns (IAccess.RoleInfo memory existingRole)
     {
         // check role id
         uint64 roleIdInt = RoleId.unwrap(roleId);
         if(roleIdInt == _accessManager.ADMIN_ROLE() || roleIdInt == _accessManager.PUBLIC_ROLE()) {
-            revert ErrorRoleIdInvalid(roleId); 
+            revert IAccess.ErrorIAccessRoleIdInvalid(roleId); 
         }
 
         // prevent changing isCustom for existing roles
         existingRole = _role[roleId];
 
         if (existingRole.createdAt.gtz() && isCustom != existingRole.isCustom) {
-            revert ErrorRoleIsCustomIsImmutable(roleId, isCustom, existingRole.isCustom); 
+            revert IAccess.ErrorIAccessRoleIsCustomIsImmutable(roleId, isCustom, existingRole.isCustom); 
         }
 
         if (isCustom && roleIdInt < CUSTOM_ROLE_ID_MIN) {
-            revert ErrorRoleIdTooSmall(roleId); 
+            revert IAccess.ErrorIAccessRoleIdTooSmall(roleId); 
         } else if (!isCustom && roleIdInt >= CUSTOM_ROLE_ID_MIN) {
-            revert ErrorRoleIdTooBig(roleId); 
+            revert IAccess.ErrorIAccessRoleIdTooBig(roleId); 
         }
 
         // role name checks
         ShortString nameShort = ShortStrings.toShortString(name);
         if (ShortStrings.byteLength(nameShort) == 0) {
-            revert ErrorRoleNameEmpty(roleId);
+            revert IAccess.ErrorIAccessRoleNameEmpty(roleId);
         }
 
         if (_roleForName[nameShort] != RoleIdLib.zero() && _roleForName[nameShort] != roleId) {
-            revert ErrorRoleNameNotUnique(_roleForName[nameShort], nameShort);
+            revert IAccess.ErrorIAccessRoleNameNotUnique(_roleForName[nameShort], nameShort);
         }
     }
 
@@ -270,7 +235,14 @@ contract InstanceAccessManager is
             _validateTargetParameters(target, name, isCustom);
         }
 
-        TargetInfo memory info = TargetInfo(
+        if (_target[target].createdAt.gtz()) {
+            revert IAccess.ErrorIAccessTargetExists(target, _target[target].name);
+        }
+        if (_targetForName[ShortStrings.toShortString(name)] != address(0)) {
+            revert IAccess.ErrorIAccessTargetNameExists(target, _targetForName[ShortStrings.toShortString(name)], ShortStrings.toShortString(name));
+        }
+
+        IAccess.TargetInfo memory info = IAccess.TargetInfo(
             ShortStrings.toShortString(name), 
             isCustom,
             _accessManager.isTargetClosed(target), // sync with state in access manager
@@ -283,6 +255,43 @@ contract InstanceAccessManager is
     }
 
     function _validateTargetParameters(address target, string memory name, bool isCustom) internal view {
+        // TODO: implement
+    }
+
+    function setTargetFunctionRole(
+        string memory targetName,
+        bytes4[] calldata selectors,
+        RoleId roleId
+    ) public virtual restricted() {
+        address target = _targetForName[ShortStrings.toShortString(targetName)];
+        
+        if (target == address(0)) {
+            revert IAccess.ErrorIAccessTargetDoesNotExist(ShortStrings.toShortString(targetName));
+        }
+        if (! roleExists(roleId)) {
+            revert IAccess.ErrorIAccessRoleIdInvalid(roleId);
+        }
+        uint64 roleIdInt = RoleId.unwrap(roleId);
+        _accessManager.setTargetFunctionRole(target, selectors, roleIdInt);
+    }
+
+    function setTargetClosed(string memory targetName, bool closed) public restricted() {
+        address target = _targetForName[ShortStrings.toShortString(targetName)];
+        if (target == address(0)) {
+            revert IAccess.ErrorIAccessTargetDoesNotExist(ShortStrings.toShortString(targetName));
+        }
+        _accessManager.setTargetClosed(target, closed);
+    }
+
+    function isTargetLocked(address target) public view returns (bool locked) {
+        return _accessManager.isTargetClosed(target);
+    }
 
+    function canCall(
+        address caller,
+        address target,
+        bytes4 selector
+    ) public view virtual returns (bool immediate, uint32 delay) {
+        return _accessManager.canCall(caller, target, selector);
     }
 }