npm - @etherisc/gif-next - Versions diffs - 0.0.2-fb8d07b-779 → 0.0.2-fbe22f0-239 - Mend

@etherisc/gif-next 0.0.2-fb8d07b-779 → 0.0.2-fbe22f0-239

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (284) hide show

package/contracts/instance/Instance.sol CHANGED Viewed

@@ -1,42 +1,50 @@
 // SPDX-License-Identifier: Apache-2.0
 pragma solidity ^0.8.20;
-import {EnumerableSet} from "@openzeppelin/contracts/utils/structs/EnumerableSet.sol";
-import {ShortString, ShortStrings} from "@openzeppelin/contracts/utils/ShortStrings.sol";
+import {AccessManagedUpgradeable} from "@openzeppelin/contracts-upgradeable/access/manager/AccessManagedUpgradeable.sol";
-import {AccessManagedSimple} from "./AccessManagedSimple.sol";
-import {AccessManagerSimple} from "./AccessManagerSimple.sol";
-import {IAccess} from "./module/IAccess.sol";
-import {IBundle} from "./module/IBundle.sol";
-import {IPolicy} from "./module/IPolicy.sol";
-import {IRisk} from "./module/IRisk.sol";
-import {ISetup} from "./module/ISetup.sol";
 import {Key32, KeyId, Key32Lib} from "../types/Key32.sol";
-import {KeyValueStore} from "./base/KeyValueStore.sol";
-import {IInstance} from "./IInstance.sol";
-import {InstanceReader} from "./InstanceReader.sol";
 import {NftId} from "../types/NftId.sol";
 import {NumberId} from "../types/NumberId.sol";
-import {ObjectType, BUNDLE, DISTRIBUTION, INSTANCE, POLICY, POOL, ROLE, PRODUCT, TARGET} from "../types/ObjectType.sol";
+import {ObjectType, BUNDLE, DISTRIBUTION, INSTANCE, POLICY, POOL, ROLE, PRODUCT, TARGET, COMPONENT} from "../types/ObjectType.sol";
 import {RiskId, RiskIdLib} from "../types/RiskId.sol";
 import {RoleId, RoleIdLib} from "../types/RoleId.sol";
 import {StateId, ACTIVE} from "../types/StateId.sol";
+import {TimestampLib} from "../types/Timestamp.sol";
+import {VersionPart} from "../types/Version.sol";
 import {ERC165} from "../shared/ERC165.sol";
 import {Registerable} from "../shared/Registerable.sol";
-import {ComponentOwnerService} from "./service/ComponentOwnerService.sol";
-import {IComponentOwnerService} from "./service/IComponentOwnerService.sol";
+import {IInstance} from "./IInstance.sol";
+import {InstanceReader} from "./InstanceReader.sol";
+import {InstanceAccessManager} from "./InstanceAccessManager.sol";
+import {BundleManager} from "./BundleManager.sol";
+import {KeyValueStore} from "./base/KeyValueStore.sol";
+import {IAccess} from "./module/IAccess.sol";
+import {IBundle} from "./module/IBundle.sol";
+import {IPolicy} from "./module/IPolicy.sol";
+import {IRisk} from "./module/IRisk.sol";
+import {ISetup} from "./module/ISetup.sol";
 import {IDistributionService} from "./service/IDistributionService.sol";
 import {IPoolService} from "./service/IPoolService.sol";
-import {VersionPart} from "../types/Version.sol";
+import {IProductService} from "./service/IProductService.sol";
+import {IPolicyService} from "./service/IPolicyService.sol";
+import {IBundleService} from "./service/IBundleService.sol";
+import {VersionPart, VersionPartLib} from "../types/Version.sol";
 contract Instance is
-    AccessManagedSimple,
-    KeyValueStore,
     IInstance,
-    ERC165,
-    Registerable
+    AccessManagedUpgradeable,
+    Registerable,
+    KeyValueStore
 {
+    uint256 public constant GIF_MAJOR_VERSION = 3;
     uint64 public constant ADMIN_ROLE = type(uint64).min;
     uint64 public constant PUBLIC_ROLE = type(uint64).max;
     uint64 public constant CUSTOM_ROLE_ID_MIN = 10000;
@@ -45,153 +53,18 @@ contract Instance is
     bool private _initialized;
-    mapping(ShortString name => RoleId roleId) internal _role;
-    mapping(RoleId roleId => EnumerableSet.AddressSet roleMembers) internal _roleMembers;
-    RoleId [] internal _roles;
-    mapping(ShortString name => address target) internal _target;
-    AccessManagerSimple internal _accessManager;
+    InstanceAccessManager internal _accessManager;
     InstanceReader internal _instanceReader;
+    BundleManager internal _bundleManager;
-    constructor(address accessManagerAddress, address registryAddress, NftId registryNftId)
+    function initialize(address accessManagerAddress, address registryAddress, NftId registryNftId, address initialOwner)
+        public
+        initializer()
     {
-        initialize(accessManagerAddress, registryAddress, registryNftId, msg.sender);
-    }
-    function initialize(address accessManagerAddress, address registryAddress, NftId registryNftId, address initialOwner) public {
-        require(!_initialized, "Contract instance has already been initialized");
-        initializeAccessManagedSimple(accessManagerAddress);
-        _accessManager = AccessManagerSimple(accessManagerAddress);
-        _createRole(RoleIdLib.toRoleId(ADMIN_ROLE), "AdminRole", false, false);
-        _createRole(RoleIdLib.toRoleId(PUBLIC_ROLE), "PublicRole", false, false);
-        _initializeRegisterable(registryAddress, registryNftId, INSTANCE(), false, initialOwner, "");
-        _registerInterface(type(IInstance).interfaceId);
-        _initialized = true;
-    }
-    //--- Role ------------------------------------------------------//
-    function createStandardRole(RoleId roleId, string memory name) external restricted() {
-        _createRole(roleId, name, false, true);
-    }
-    function createCustomRole(RoleId roleId, string memory name) external restricted() {
-        _createRole(roleId, name, true, true);
-    }
-    function updateRole(RoleId roleId, string memory name, StateId newState) external restricted() {
-        (bool isCustom,) = _validateRoleParameters(roleId, name, false);
-        IAccess.RoleInfo memory role = _toRole(roleId, name, isCustom);
-        update(toRoleKey32(roleId), abi.encode(role), newState);
-    }
-    function updateRoleState(RoleId roleId, StateId newState) external restricted() {
-        updateState(toRoleKey32(roleId), newState);
-    }
-    function grantRole(RoleId roleId, address member) external restricted() returns (bool granted) {
-        Key32 roleKey = toRoleKey32(roleId);
-        if (!exists(roleKey)) {
-            revert IAccess.ErrorGrantNonexstentRole(roleId);
-        }
-        if (getState(roleKey) != ACTIVE()) {
-            revert IAccess.ErrorRoleIdNotActive(roleId);
-        }
-        if (!EnumerableSet.contains(_roleMembers[roleId], member)) {
-            _accessManager.grantRole(roleId.toInt(), member, EXECUTION_DELAY);
-            EnumerableSet.add(_roleMembers[roleId], member);
-            return true;
-        }
-        return false;
-    }
-    function revokeRole(RoleId roleId, address member) external restricted() returns (bool revoked) {
-        Key32 roleKey = toRoleKey32(roleId);
-        if (!exists(roleKey)) {
-            revert IAccess.ErrorRevokeNonexstentRole(roleId);
-        }
-        if (EnumerableSet.contains(_roleMembers[roleId], member)) {
-            _accessManager.revokeRole(roleId.toInt(), member);
-            EnumerableSet.remove(_roleMembers[roleId], member);
-            return true;
-        }
-        return false;
-    }
-    /// @dev not restricted function by intention
-    /// the restriction to role members is already enforced by the call to the access manger
-    function renounceRole(RoleId roleId) external returns (bool revoked) {
-        address member = msg.sender;
-        Key32 roleKey = toRoleKey32(roleId);
-        if (!exists(roleKey)) {
-            revert IAccess.ErrorRenounceNonexstentRole(roleId);
-        }
-        if (EnumerableSet.contains(_roleMembers[roleId], member)) {
-            _accessManager.renounceRole(roleId.toInt(), member);
-            EnumerableSet.remove(_roleMembers[roleId], member);
-            return true;
-        }
-        return false;
-    }
-    function roles() external view returns (uint256 numberOfRoles) {
-        return _roles.length;
-    }
-    function getRoleId(uint256 idx) external view returns (RoleId roleId) {
-        return _roles[idx];
-    }
-    function getRole(RoleId roleId) external view returns (IAccess.RoleInfo memory role) {
-        return abi.decode(getData(roleId.toKey32()), (IAccess.RoleInfo));
-    }
-    function roleMembers(RoleId roleId) external view returns (uint256 numberOfMembers) {
-        return EnumerableSet.length(_roleMembers[roleId]);
-    }
-    function getRoleMember(RoleId roleId, uint256 idx) external view returns (address roleMember) {
-        return EnumerableSet.at(_roleMembers[roleId], idx);
-    }
-    function _createRole(RoleId roleId, string memory name, bool isCustom, bool validateParameters) internal {
-        if (validateParameters) {
-            _validateRoleParameters(roleId, name, isCustom);
-        }
-        IAccess.RoleInfo memory role = _toRole(roleId, name, isCustom);
-        _role[role.name] = roleId;
-        _roles.push(roleId);
-        create(toRoleKey32(roleId), abi.encode(role));
-    }
-    //--- Target ------------------------------------------------------//
-    function createTarget(address target, IAccess.TargetInfo memory targetInfo) external restricted() {
-        _validateTargetParameters(target, targetInfo);
-        create(toTargetKey32(target), abi.encode(targetInfo));
-    }
-    function setTargetClosed(address target, bool closed) external restricted() {
-        if (!exists(toTargetKey32(target))) {
-            revert IAccess.ErrorTargetDoesNotExist(target);
-        }
-        _accessManager.setTargetClosed(target, closed);
+        __AccessManaged_init(accessManagerAddress);
+        initializeRegisterable(registryAddress, registryNftId, INSTANCE(), false, initialOwner, "");
+        registerInterface(type(IInstance).interfaceId);
     }
     //--- ProductSetup ------------------------------------------------------//
@@ -338,71 +211,6 @@ contract Instance is
     }
     //--- internal view/pure functions --------------------------------------//
-    function _toRole(RoleId roleId, string memory name, bool isCustom)
-        internal
-        pure
-        returns (IAccess.RoleInfo memory role)
-    {
-        return IAccess.RoleInfo(
-            ShortStrings.toShortString(name),
-            isCustom);
-    }
-    function _validateRoleParameters(
-        RoleId roleId,
-        string memory name,
-        bool isCustom
-    )
-        internal
-        view
-        returns (
-            bool roleExists,
-            bool roleIsCustom
-        )
-    {
-        Key32 roleKey = toRoleKey32(roleId);
-        roleExists = exists(roleKey);
-        if (roleExists) {
-            roleIsCustom = abi.decode(getData(roleKey), (IAccess.RoleInfo)).isCustom;
-        } else {
-            roleIsCustom = isCustom;
-        }
-        // check role id
-        uint64 roleIdInt = RoleId.unwrap(roleId);
-        if(roleIdInt == ADMIN_ROLE || roleIdInt == PUBLIC_ROLE) {
-            revert IAccess.ErrorRoleIdInvalid(roleId);
-        }
-        if (roleIsCustom && roleIdInt < CUSTOM_ROLE_ID_MIN) {
-            revert IAccess.ErrorRoleIdTooSmall(roleId);
-        } else if (roleIsCustom && roleIdInt >= CUSTOM_ROLE_ID_MIN) {
-            revert IAccess.ErrorRoleIdTooBig(roleId);
-        }
-        // role name checks
-        ShortString nameShort = ShortStrings.toShortString(name);
-        if (ShortStrings.byteLength(nameShort) == 0) {
-            revert IAccess.ErrorRoleNameEmpty(roleId);
-        }
-        if (_role[nameShort] != RoleIdLib.zero() && _role[nameShort] != roleId) {
-            revert IAccess.ErrorRoleNameNotUnique(_role[nameShort], nameShort);
-        }
-    }
-    function _validateTargetParameters(address target, IAccess.TargetInfo memory targetInfo) internal view {
-    }
-    function toRoleKey32(RoleId roleId) public pure returns (Key32) {
-        return roleId.toKey32();
-    }
-    function toTargetKey32(address target) public pure returns (Key32) {
-        return Key32Lib.toKey32(TARGET(), KeyId.wrap(bytes20(target)));
-    }
     function _toNftKey32(NftId nftId, ObjectType objectType) internal pure returns (Key32) {
         return nftId.toKey32(objectType);
     }
@@ -415,29 +223,46 @@ contract Instance is
         return policyNftId.toKey32(POLICY());
     }
-    function getComponentOwnerService() external view returns (IComponentOwnerService) {
-        return ComponentOwnerService(_registry.getServiceAddress("ComponentOwnerService", VersionPart.wrap(3)));
-    }
     function getDistributionService() external view returns (IDistributionService) {
-        return IDistributionService(_registry.getServiceAddress("DistributionService", VersionPart.wrap(3)));
+        return IDistributionService(getRegistry().getServiceAddress(DISTRIBUTION(), VersionPart.wrap(3)));
     }
-    // TODO reactivate when services are available
-    // function getProductService() external view returns (IProductService) {
-    //     return ProductService(_registry.getServiceAddress("ProductService", VersionPart.wrap(3)));
-    // }
+    function getProductService() external view returns (IProductService) {
+        return IProductService(getRegistry().getServiceAddress(PRODUCT(), VersionPart.wrap(3)));
+    }
     function getPoolService() external view returns (IPoolService) {
-        return IPoolService(_registry.getServiceAddress("PoolService", VersionPart.wrap(3)));
+        return IPoolService(getRegistry().getServiceAddress(POOL(), VersionPart.wrap(3)));
+    }
+    function getPolicyService() external view returns (IPolicyService) {
+        return IPolicyService(getRegistry().getServiceAddress(POLICY(), VersionPart.wrap(3)));
+    }
+    function getBundleService() external view returns (IBundleService) {
+        return IBundleService(getRegistry().getServiceAddress(BUNDLE(), VersionPart.wrap(3)));
     }
     function setInstanceReader(InstanceReader instanceReader) external restricted() {
-        require(address(_instanceReader) == address(0), "InstanceReader is set");
+        require(instanceReader.getInstance() == Instance(this), "InstanceReader instance mismatch");
         _instanceReader = instanceReader;
     }
+    function getMajorVersion() external pure returns (VersionPart majorVersion) {
+        return VersionPartLib.toVersionPart(GIF_MAJOR_VERSION);
+    }
     function getInstanceReader() external view returns (InstanceReader) {
         return _instanceReader;
     }
+    function setBundleManager(BundleManager bundleManager) external restricted() {
+        require(address(_bundleManager) == address(0), "BundleManager is set");
+        require(bundleManager.getInstance() == Instance(this), "BundleManager instance mismatch");
+        _bundleManager = bundleManager;
+    }
+    function getBundleManager() external view returns (BundleManager) {
+        return _bundleManager;
+    }
 }

package/contracts/instance/InstanceAccessManager.sol CHANGED Viewed

@@ -1,95 +1,54 @@
 // SPDX-License-Identifier: Apache-2.0
 pragma solidity ^0.8.20;
+import {AccessManager} from "@openzeppelin/contracts/access/manager/AccessManager.sol";
+import {AccessManagedUpgradeable} from "@openzeppelin/contracts-upgradeable/access/manager/AccessManagedUpgradeable.sol";
 import {EnumerableSet} from "@openzeppelin/contracts/utils/structs/EnumerableSet.sol";
 import {ShortString, ShortStrings} from "@openzeppelin/contracts/utils/ShortStrings.sol";
-import {AccessManagedSimple} from "./AccessManagedSimple.sol";
-import {AccessManagerSimple} from "./AccessManagerSimple.sol";
-import {IBundle} from "./module/IBundle.sol";
-import {IPolicy} from "./module/IPolicy.sol";
-import {IRisk} from "./module/IRisk.sol";
-import {ISetup} from "./module/ISetup.sol";
-import {Key32, KeyId, Key32Lib} from "../types/Key32.sol";
-import {KeyValueStore} from "./base/KeyValueStore.sol";
-import {NftId} from "../types/NftId.sol";
-import {NumberId} from "../types/NumberId.sol";
-import {ObjectType, BUNDLE, DISTRIBUTION, POLICY, POOL, ROLE, PRODUCT, TARGET} from "../types/ObjectType.sol";
-import {RiskId, RiskIdLib} from "../types/RiskId.sol";
-import {RoleId, RoleIdLib} from "../types/RoleId.sol";
-import {StateId, ACTIVE} from "../types/StateId.sol";
-import {Timestamp, TimestampLib} from "../types/Timestamp.sol";
+import {RoleId, RoleIdLib } from "../types/RoleId.sol";
+import {TimestampLib} from "../types/Timestamp.sol";
+import {IAccess} from "./module/IAccess.sol";
 contract InstanceAccessManager is
-    AccessManagedSimple
+    AccessManagedUpgradeable
 {
+    using RoleIdLib for RoleId;
     string public constant ADMIN_ROLE_NAME = "AdminRole";
     string public constant PUBLIC_ROLE_NAME = "PublicRole";
     uint64 public constant CUSTOM_ROLE_ID_MIN = 10000;
     uint32 public constant EXECUTION_DELAY = 0;
-    struct RoleInfo {
-        ShortString name;
-        bool isCustom;
-        bool isLocked;
-        Timestamp createdAt;
-        Timestamp updatedAt;
-    }
-    struct TargetInfo {
-        ShortString name;
-        bool isCustom;
-        bool isLocked;
-        Timestamp createdAt;
-        Timestamp updatedAt;
-    }
-    error ErrorRoleIdInvalid(RoleId roleId);
-    error ErrorRoleIdTooBig(RoleId roleId);
-    error ErrorRoleIdTooSmall(RoleId roleId);
-    error ErrorRoleIdAlreadyExists(RoleId roleId, ShortString name);
-    error ErrorRoleIdNotActive(RoleId roleId);
-    error ErrorRoleNameEmpty(RoleId roleId);
-    error ErrorRoleNameNotUnique(RoleId roleId, ShortString name);
-    error ErrorRoleInvalidUpdate(RoleId roleId, bool isCustom);
-    error ErrorRoleIsCustomIsImmutable(RoleId roleId, bool isCustom, bool isCustomExisting);
-    error ErrorSetLockedForNonexstentRole(RoleId roleId);
-    error ErrorGrantNonexstentRole(RoleId roleId);
-    error ErrorRevokeNonexstentRole(RoleId roleId);
-    error ErrorRenounceNonexstentRole(RoleId roleId);
-    error ErrorTargetAddressZero();
-    error ErrorTargetAlreadyExists(address target, ShortString name);
-    error ErrorTargetNameEmpty(address target);
-    error ErrorTargetNameExists(address target, address existingTarget, ShortString name);
-    error ErrorSetLockedForNonexstentTarget(address target);
     // role specific state
-    mapping(RoleId roleId => RoleInfo info) internal _role;
+    mapping(RoleId roleId => IAccess.RoleInfo info) internal _role;
     mapping(RoleId roleId => EnumerableSet.AddressSet roleMembers) internal _roleMembers;
     mapping(ShortString name => RoleId roleId) internal _roleForName;
     RoleId [] internal _roles;
     // target specific state
-    mapping(address target => TargetInfo info) internal _target;
+    mapping(address target => IAccess.TargetInfo info) internal _target;
     mapping(ShortString name => address target) internal _targetForName;
     address [] internal _targets;
-    AccessManagerSimple internal _accessManager;
+    AccessManager internal _accessManager;
-    constructor(address accessManager)
+    function initialize(address initialAdmin) external initializer
     {
-        _accessManager = AccessManagerSimple(accessManager);
-        initializeAccessManagedSimple(accessManager);
+        // if size of the contract gets too large, this can be externalized which will reduce the contract size considerably
+        _accessManager = new AccessManager(address(this));
+        // this service required admin rights to access manager to be able to grant/revoke roles
+        _accessManager.grantRole(_accessManager.ADMIN_ROLE(), initialAdmin, 0);
+        __AccessManaged_init(address(_accessManager));
         _createRole(RoleIdLib.toRoleId(_accessManager.ADMIN_ROLE()), ADMIN_ROLE_NAME, false, false);
         _createRole(RoleIdLib.toRoleId(_accessManager.PUBLIC_ROLE()), PUBLIC_ROLE_NAME, false, false);
     }
     //--- Role ------------------------------------------------------//
-    function createDefaultRole(RoleId roleId, string memory name) external restricted() {
+    function createGifRole(RoleId roleId, string memory name) external restricted() {
         _createRole(roleId, name, false, true);
     }
@@ -99,7 +58,7 @@ contract InstanceAccessManager is
     function setRoleLocked(RoleId roleId, bool locked) external restricted() {
         if (!roleExists(roleId)) {
-            revert ErrorSetLockedForNonexstentRole(roleId);
+            revert IAccess.ErrorIAccessRoleIdInvalid(roleId);
         }
         _role[roleId].isLocked = locked;
@@ -112,11 +71,11 @@ contract InstanceAccessManager is
     function grantRole(RoleId roleId, address member) external restricted() returns (bool granted) {
         if (!roleExists(roleId)) {
-            revert ErrorGrantNonexstentRole(roleId);
+            revert IAccess.ErrorIAccessRoleIdInvalid(roleId);
         }
         if (_role[roleId].isLocked) {
-            revert ErrorRoleIdNotActive(roleId);
+            revert IAccess.ErrorIAccessRoleIdNotActive(roleId);
         }
         if (!EnumerableSet.contains(_roleMembers[roleId], member)) {
@@ -130,7 +89,7 @@ contract InstanceAccessManager is
     function revokeRole(RoleId roleId, address member) external restricted() returns (bool revoked) {
         if (!roleExists(roleId)) {
-            revert ErrorRevokeNonexstentRole(roleId);
+            revert IAccess.ErrorIAccessRevokeNonexstentRole(roleId);
         }
         if (EnumerableSet.contains(_roleMembers[roleId], member)) {
@@ -148,7 +107,7 @@ contract InstanceAccessManager is
         address member = msg.sender;
         if (!roleExists(roleId)) {
-            revert ErrorRenounceNonexstentRole(roleId);
+            revert IAccess.ErrorIAccessRenounceNonexstentRole(roleId);
         }
         if (EnumerableSet.contains(_roleMembers[roleId], member)) {
@@ -173,7 +132,7 @@ contract InstanceAccessManager is
         return _roleForName[ShortStrings.toShortString(name)];
     }
-    function getRole(RoleId roleId) external view returns (RoleInfo memory role) {
+    function getRole(RoleId roleId) external view returns (IAccess.RoleInfo memory role) {
         return _role[roleId];
     }
@@ -190,13 +149,19 @@ contract InstanceAccessManager is
     }
     //--- Target ------------------------------------------------------//
+    function createGifTarget(address target, string memory name) external restricted() {
+        _createTarget(target, name, false, true);
+    }
     function createTarget(address target, string memory name) external restricted() {
         _createTarget(target, name, true, true);
     }
-    function setTargetLocked(address target, bool locked) external restricted() {
-        if (!targetExists(target)) {
-            revert ErrorSetLockedForNonexstentTarget(target);
+    function setTargetLocked(string memory targetName, bool locked) external restricted() {
+        address target = _targetForName[ShortStrings.toShortString(targetName)];
+        if (target == address(0)) {
+            revert IAccess.ErrorIAccessTargetDoesNotExist(ShortStrings.toShortString(targetName));
         }
         _target[target].isLocked = locked;
@@ -214,7 +179,7 @@ contract InstanceAccessManager is
             _validateRoleParameters(roleId, name, isCustom);
         }
-        RoleInfo memory role = RoleInfo(
+        IAccess.RoleInfo memory role = IAccess.RoleInfo(
             ShortStrings.toShortString(name),
             isCustom,
             false, // role un-locked,
@@ -233,35 +198,35 @@ contract InstanceAccessManager is
     )
         internal
         view
-        returns (RoleInfo memory existingRole)
+        returns (IAccess.RoleInfo memory existingRole)
     {
         // check role id
         uint64 roleIdInt = RoleId.unwrap(roleId);
         if(roleIdInt == _accessManager.ADMIN_ROLE() || roleIdInt == _accessManager.PUBLIC_ROLE()) {
-            revert ErrorRoleIdInvalid(roleId);
+            revert IAccess.ErrorIAccessRoleIdInvalid(roleId);
         }
         // prevent changing isCustom for existing roles
         existingRole = _role[roleId];
         if (existingRole.createdAt.gtz() && isCustom != existingRole.isCustom) {
-            revert ErrorRoleIsCustomIsImmutable(roleId, isCustom, existingRole.isCustom);
+            revert IAccess.ErrorIAccessRoleIsCustomIsImmutable(roleId, isCustom, existingRole.isCustom);
         }
         if (isCustom && roleIdInt < CUSTOM_ROLE_ID_MIN) {
-            revert ErrorRoleIdTooSmall(roleId);
+            revert IAccess.ErrorIAccessRoleIdTooSmall(roleId);
         } else if (!isCustom && roleIdInt >= CUSTOM_ROLE_ID_MIN) {
-            revert ErrorRoleIdTooBig(roleId);
+            revert IAccess.ErrorIAccessRoleIdTooBig(roleId);
         }
         // role name checks
         ShortString nameShort = ShortStrings.toShortString(name);
         if (ShortStrings.byteLength(nameShort) == 0) {
-            revert ErrorRoleNameEmpty(roleId);
+            revert IAccess.ErrorIAccessRoleNameEmpty(roleId);
         }
         if (_roleForName[nameShort] != RoleIdLib.zero() && _roleForName[nameShort] != roleId) {
-            revert ErrorRoleNameNotUnique(_roleForName[nameShort], nameShort);
+            revert IAccess.ErrorIAccessRoleNameNotUnique(_roleForName[nameShort], nameShort);
         }
     }
@@ -270,7 +235,14 @@ contract InstanceAccessManager is
             _validateTargetParameters(target, name, isCustom);
         }
-        TargetInfo memory info = TargetInfo(
+        if (_target[target].createdAt.gtz()) {
+            revert IAccess.ErrorIAccessTargetExists(target, _target[target].name);
+        }
+        if (_targetForName[ShortStrings.toShortString(name)] != address(0)) {
+            revert IAccess.ErrorIAccessTargetNameExists(target, _targetForName[ShortStrings.toShortString(name)], ShortStrings.toShortString(name));
+        }
+        IAccess.TargetInfo memory info = IAccess.TargetInfo(
             ShortStrings.toShortString(name),
             isCustom,
             _accessManager.isTargetClosed(target), // sync with state in access manager
@@ -283,6 +255,43 @@ contract InstanceAccessManager is
     }
     function _validateTargetParameters(address target, string memory name, bool isCustom) internal view {
+        // TODO: implement
+    }
+    function setTargetFunctionRole(
+        string memory targetName,
+        bytes4[] calldata selectors,
+        RoleId roleId
+    ) public virtual restricted() {
+        address target = _targetForName[ShortStrings.toShortString(targetName)];
+        if (target == address(0)) {
+            revert IAccess.ErrorIAccessTargetDoesNotExist(ShortStrings.toShortString(targetName));
+        }
+        if (! roleExists(roleId)) {
+            revert IAccess.ErrorIAccessRoleIdInvalid(roleId);
+        }
+        uint64 roleIdInt = RoleId.unwrap(roleId);
+        _accessManager.setTargetFunctionRole(target, selectors, roleIdInt);
+    }
+    function setTargetClosed(string memory targetName, bool closed) public restricted() {
+        address target = _targetForName[ShortStrings.toShortString(targetName)];
+        if (target == address(0)) {
+            revert IAccess.ErrorIAccessTargetDoesNotExist(ShortStrings.toShortString(targetName));
+        }
+        _accessManager.setTargetClosed(target, closed);
+    }
+    function isTargetLocked(address target) public view returns (bool locked) {
+        return _accessManager.isTargetClosed(target);
+    }
+    function canCall(
+        address caller,
+        address target,
+        bytes4 selector
+    ) public view virtual returns (bool immediate, uint32 delay) {
+        return _accessManager.canCall(caller, target, selector);
     }
 }