@etherisc/gif-next 0.0.2-fd2113c-488 → 0.0.2-fd2ea71-734

package/contracts/instance/InstanceAuthorizationV3.sol

@@ -0,0 +1,204 @@
+// SPDX-License-Identifier: Apache-2.0
+pragma solidity ^0.8.20;
+
+import {
+     PRODUCT, ORACLE, POOL, INSTANCE, COMPONENT, DISTRIBUTION, APPLICATION, POLICY, CLAIM, BUNDLE
+} from "../../contracts/type/ObjectType.sol";
+
+import {
+     ADMIN_ROLE, DISTRIBUTION_OWNER_ROLE, ORACLE_OWNER_ROLE, POOL_OWNER_ROLE, PRODUCT_OWNER_ROLE
+} from "../../contracts/type/RoleId.sol";
+
+import {BundleSet} from "../instance/BundleSet.sol"; 
+import {IAccess} from "../authorization/IAccess.sol";
+import {Instance} from "../instance/Instance.sol";
+import {InstanceAdmin} from "../instance/InstanceAdmin.sol";
+import {InstanceStore} from "../instance/InstanceStore.sol";
+import {ModuleAuthorization} from "../authorization/ModuleAuthorization.sol";
+import {RoleId} from "../type/RoleId.sol";
+import {VersionPart, VersionPartLib} from "../type/Version.sol";
+
+
+contract InstanceAuthorizationV3
+     is ModuleAuthorization
+{
+
+     string public constant INSTANCE_TARGET_NAME = "Instance";
+     string public constant INSTANCE_STORE_TARGET_NAME = "InstanceStore";
+     string public constant INSTANCE_ADMIN_TARGET_NAME = "InstanceAdmin";
+     string public constant BUNDLE_SET_TARGET_NAME = "BundleSet";
+
+     string public constant INSTANCE_ROLE_NAME = "InstanceRole";
+     string public constant DISTRIBUTION_OWNER_ROLE_NAME = "DistributionOwnerRole";
+     string public constant ORACLE_OWNER_ROLE_NAME = "OracleOwnerRole";
+     string public constant POOL_OWNER_ROLE_NAME = "PoolOwnerRole";
+     string public constant PRODUCT_OWNER_ROLE_NAME = "ProductOwnerRole";
+
+     constructor() ModuleAuthorization(INSTANCE_TARGET_NAME) {}
+
+
+     function _setupRoles()
+          internal
+          override
+     {
+          _addGifRole(DISTRIBUTION_OWNER_ROLE(), DISTRIBUTION_OWNER_ROLE_NAME);
+          _addGifRole(ORACLE_OWNER_ROLE(), ORACLE_OWNER_ROLE_NAME);
+          _addGifRole(POOL_OWNER_ROLE(), POOL_OWNER_ROLE_NAME);
+          _addGifRole(PRODUCT_OWNER_ROLE(), PRODUCT_OWNER_ROLE_NAME);
+     }
+
+
+     function _setupTargets()
+          internal
+          override
+     {
+          // instance target
+          _addTargetWithRole(
+               INSTANCE_TARGET_NAME, 
+               _getTargetRoleId(INSTANCE()),
+               INSTANCE_ROLE_NAME);
+
+          // instance supporting targets
+          _addTarget(INSTANCE_STORE_TARGET_NAME);
+          _addTarget(INSTANCE_ADMIN_TARGET_NAME);
+          _addTarget(BUNDLE_SET_TARGET_NAME);
+
+          // service targets relevant to instance
+          _addServiceTargetWithRole(INSTANCE());
+          _addServiceTargetWithRole(COMPONENT());
+          _addServiceTargetWithRole(DISTRIBUTION());
+          _addServiceTargetWithRole(ORACLE());
+          _addServiceTargetWithRole(POOL());
+          _addServiceTargetWithRole(BUNDLE());
+          _addServiceTargetWithRole(PRODUCT());
+          _addServiceTargetWithRole(APPLICATION());
+          _addServiceTargetWithRole(POLICY());
+          _addServiceTargetWithRole(CLAIM());
+     }
+
+
+     function _setupTargetAuthorizations()
+          internal
+          override
+     {
+          _setupInstanceAuthorization();
+          _setupInstanceAdminAuthorization();
+          _setupInstanceStoreAuthorization();
+          _setupBundleSetAuthorization();
+     }
+
+
+     function _setupBundleSetAuthorization()
+          internal
+     {
+          IAccess.FunctionInfo[] storage functions;
+
+          // authorize bundle service role
+          functions = _authorizeForTarget(BUNDLE_SET_TARGET_NAME, getServiceRole(BUNDLE()));
+          _authorize(functions, BundleSet.linkPolicy.selector, "linkPolicy");
+          _authorize(functions, BundleSet.unlinkPolicy.selector, "unlinkPolicy");
+          _authorize(functions, BundleSet.add.selector, "add");
+          _authorize(functions, BundleSet.lock.selector, "lock");
+          _authorize(functions, BundleSet.unlock.selector, "unlock");
+     }
+
+
+     function _setupInstanceAuthorization()
+          internal
+     {
+          IAccess.FunctionInfo[] storage functions;
+
+          // authorize instance service role
+          functions = _authorizeForTarget(INSTANCE_TARGET_NAME, getServiceRole(INSTANCE()));
+          _authorize(functions, Instance.setInstanceReader.selector, "setInstanceReader");
+     }
+
+
+     function _setupInstanceAdminAuthorization()
+          internal
+     {
+          IAccess.FunctionInfo[] storage functions;
+
+          // authorize instance role
+          functions = _authorizeForTarget(INSTANCE_ADMIN_TARGET_NAME, _getTargetRoleId(INSTANCE()));
+          _authorize(functions, InstanceAdmin.grantRole.selector, "grantRole");
+
+          // authorize instance service role
+          // functions = _authorizeForTarget(INSTANCE_ADMIN_TARGET_NAME, getServiceRole(INSTANCE()));
+     }
+
+
+     function _setupInstanceStoreAuthorization()
+          internal
+     {
+          IAccess.FunctionInfo[] storage functions;
+
+          // authorize component service role
+          functions = _authorizeForTarget(INSTANCE_STORE_TARGET_NAME, getServiceRole(COMPONENT()));
+          _authorize(functions, InstanceStore.createComponent.selector, "createComponent");
+          _authorize(functions, InstanceStore.updateComponent.selector, "updateComponent");
+          _authorize(functions, InstanceStore.createPool.selector, "createPool");
+          _authorize(functions, InstanceStore.createProduct.selector, "createProduct");
+          _authorize(functions, InstanceStore.updateProduct.selector, "updateProduct");
+          _authorize(functions, InstanceStore.increaseBalance.selector, "increaseBalance");
+          _authorize(functions, InstanceStore.decreaseBalance.selector, "decreaseBalance");
+          _authorize(functions, InstanceStore.increaseFees.selector, "increaseFees");
+          _authorize(functions, InstanceStore.decreaseFees.selector, "decreaseFees");
+
+          // authorize distribution service role
+          functions = _authorizeForTarget(INSTANCE_STORE_TARGET_NAME, getServiceRole(DISTRIBUTION()));
+          _authorize(functions, InstanceStore.createDistributorType.selector, "createDistributorType");
+          _authorize(functions, InstanceStore.updateDistributorType.selector, "updateDistributorType");
+          _authorize(functions, InstanceStore.updateDistributorTypeState.selector, "updateDistributorTypeState");
+          _authorize(functions, InstanceStore.createDistributor.selector, "createDistributor");
+          _authorize(functions, InstanceStore.updateDistributor.selector, "updateDistributor");
+          _authorize(functions, InstanceStore.updateDistributorState.selector, "updateDistributorState");
+          _authorize(functions, InstanceStore.createReferral.selector, "createReferral");
+          _authorize(functions, InstanceStore.updateReferral.selector, "updateReferral");
+          _authorize(functions, InstanceStore.updateReferralState.selector, "updateReferralState");
+
+          // authorize oracle service role
+          functions = _authorizeForTarget(INSTANCE_STORE_TARGET_NAME, getServiceRole(ORACLE()));
+          _authorize(functions, InstanceStore.createRequest.selector, "createRequest");
+          _authorize(functions, InstanceStore.updateRequest.selector, "updateRequest");
+          _authorize(functions, InstanceStore.updateRequestState.selector, "updateRequestState");
+
+          // authorize pool service role
+          functions = _authorizeForTarget(INSTANCE_STORE_TARGET_NAME, getServiceRole(POOL()));
+          _authorize(functions, InstanceStore.updatePool.selector, "updatePool");
+
+          // authorize bundle service role
+          functions = _authorizeForTarget(INSTANCE_STORE_TARGET_NAME, getServiceRole(BUNDLE()));
+          _authorize(functions, InstanceStore.createBundle.selector, "createBundle");
+          _authorize(functions, InstanceStore.updateBundle.selector, "updateBundle");
+          _authorize(functions, InstanceStore.updateBundleState.selector, "updateBundleState");
+          _authorize(functions, InstanceStore.increaseLocked.selector, "increaseLocked");
+          _authorize(functions, InstanceStore.decreaseLocked.selector, "decreaseLocked");
+
+          // authorize product service role
+          functions = _authorizeForTarget(INSTANCE_STORE_TARGET_NAME, getServiceRole(PRODUCT()));
+          _authorize(functions, InstanceStore.createRisk.selector, "createRisk");
+          _authorize(functions, InstanceStore.updateRisk.selector, "updateRisk");
+          _authorize(functions, InstanceStore.updateRiskState.selector, "updateRiskState");
+
+          // authorize application service role
+          functions = _authorizeForTarget(INSTANCE_STORE_TARGET_NAME, getServiceRole(APPLICATION()));
+          _authorize(functions, InstanceStore.createApplication.selector, "createApplication");
+          _authorize(functions, InstanceStore.updateApplication.selector, "updateApplication");
+          _authorize(functions, InstanceStore.updateApplicationState.selector, "updateApplicationState");
+
+          // authorize policy service role
+          functions = _authorizeForTarget(INSTANCE_STORE_TARGET_NAME, getServiceRole(POLICY()));
+          _authorize(functions, InstanceStore.updatePolicy.selector, "updatePolicy");
+          _authorize(functions, InstanceStore.updatePolicyState.selector, "updatePolicyState");
+
+          // authorize claim service role
+          functions = _authorizeForTarget(INSTANCE_STORE_TARGET_NAME, getServiceRole(CLAIM()));
+          _authorize(functions, InstanceStore.updatePolicyClaims.selector, "updatePolicyClaims");
+          _authorize(functions, InstanceStore.createClaim.selector, "createClaim");
+          _authorize(functions, InstanceStore.updateClaim.selector, "updateClaim");
+          _authorize(functions, InstanceStore.createPayout.selector, "createPayout");
+          _authorize(functions, InstanceStore.updatePayout.selector, "updatePayout");
+     }
+}
+

package/contracts/instance/InstanceReader.sol

@@ -1,25 +1,20 @@
 // SPDX-License-Identifier: Apache-2.0
 pragma solidity ^0.8.20;
 
-import {IERC20Metadata} from "@openzeppelin/contracts/token/ERC20/extensions/IERC20Metadata.sol";
-
 import {Amount} from "../type/Amount.sol";
 import {ClaimId} from "../type/ClaimId.sol";
 import {DistributorType} from "../type/DistributorType.sol";
-import {Fee, FeeLib} from "../type/Fee.sol";
 import {Key32} from "../type/Key32.sol";
 import {NftId} from "../type/NftId.sol";
-import {ObjectType, COMPONENT, DISTRIBUTOR, DISTRIBUTION, INSTANCE, PRODUCT, POLICY, POOL, BUNDLE} from "../type/ObjectType.sol";
+import {COMPONENT, DISTRIBUTOR, DISTRIBUTION, PRODUCT, POLICY, POOL, BUNDLE} from "../type/ObjectType.sol";
 import {PayoutId} from "../type/PayoutId.sol";
 import {ReferralId, ReferralStatus, ReferralLib, REFERRAL_OK, REFERRAL_ERROR_UNKNOWN, REFERRAL_ERROR_EXPIRED, REFERRAL_ERROR_EXHAUSTED} from "../type/Referral.sol";
 import {RequestId} from "../type/RequestId.sol";
 import {RiskId} from "../type/RiskId.sol";
 import {RoleId} from "../type/RoleId.sol";
 import {StateId} from "../type/StateId.sol";
-import {UFixed, MathLib, UFixedLib} from "../type/UFixed.sol";
-import {Version} from "../type/Version.sol";
+import {UFixed, UFixedLib} from "../type/UFixed.sol";
 
-import {IRegistry} from "../registry/IRegistry.sol";
 import {IBundle} from "../instance/module/IBundle.sol";
 import {IComponents} from "../instance/module/IComponents.sol";
 import {IDistribution} from "../instance/module/IDistribution.sol";
@@ -38,24 +33,29 @@ contract InstanceReader {
     error ErrorInstanceReaderAlreadyInitialized();
     error ErrorInstanceReaderInstanceAddressZero();
 
-    bool private _initialized;
+    bool private _initialized = false;
 
     IInstance internal _instance;
     InstanceStore internal _store;
 
-    function initialize(address instance) public {
+    /// @dev This initializer needs to be called from the instance itself.
+    function initialize() public {
         if(_initialized) {
             revert ErrorInstanceReaderAlreadyInitialized();
         }
 
-        if(instance == address(0)) {
-            revert ErrorInstanceReaderInstanceAddressZero();
-        }
+        initializeWithInstance(msg.sender);
+    }
 
-        _instance = IInstance(instance);
-        _store = _instance.getInstanceStore();
+    /// @dev This initializer needs to be called from the instance itself.
+    function initializeWithInstance(address instanceAddress) public {
+        if(_initialized) {
+            revert ErrorInstanceReaderAlreadyInitialized();
+        }
 
         _initialized = true;
+        _instance = IInstance(instanceAddress);
+        _store = _instance.getInstanceStore();
     }
 
 
@@ -80,6 +80,14 @@ contract InstanceReader {
         return _store.getState(toPolicyKey(policyNftId));
     }
 
+    function getBundleState(NftId bundleNftId)
+        public
+        view
+        returns (StateId state)
+    {
+        return _store.getState(toBundleKey(bundleNftId));
+    }
+
     /// @dev returns true iff policy may be closed
     /// a policy can be closed all conditions below are met
     /// - policy exists
@@ -339,11 +347,19 @@ contract InstanceReader {
 
 
     function hasRole(address account, RoleId roleId) public view returns (bool isMember) {
-        (isMember, ) = _instance.getInstanceAccessManager().hasRole(
-            roleId.toInt(), account);
+        return _instance.getInstanceAdmin().hasRole(account, roleId);
     }
 
 
+    function hasAdminRole(address account, RoleId roleId) public view returns (bool isMember) {
+        return _instance.getInstanceAdmin().hasAdminRole(account, roleId);
+    }
+
+
+    function isTargetLocked(address target) public view returns (bool) {
+        return _instance.getInstanceAdmin().isTargetLocked(target);
+    }
+
     function toPolicyKey(NftId policyNftId) public pure returns (Key32) { 
         return policyNftId.toKey32(POLICY());
     }

package/contracts/instance/InstanceService.sol

@@ -4,20 +4,20 @@ pragma solidity ^0.8.20;
 import {Clones} from "@openzeppelin/contracts/proxy/Clones.sol";
 import {ShortString, ShortStrings} from "@openzeppelin/contracts/utils/ShortStrings.sol";
 
+import {AccessManagerCloneable} from "../authorization/AccessManagerCloneable.sol";
 import {Amount} from "../type/Amount.sol";
-import {BundleManager} from "./BundleManager.sol";
+import {BundleSet} from "./BundleSet.sol";
 import {ChainNft} from "../registry/ChainNft.sol";
 import {NftId} from "../type/NftId.sol";
 import {RoleId} from "../type/RoleId.sol";
 import {SecondsLib} from "../type/Seconds.sol";
 import {UFixed, UFixedLib} from "../type/UFixed.sol";
-import {ADMIN_ROLE, INSTANCE_OWNER_ROLE, DISTRIBUTION_OWNER_ROLE, POOL_OWNER_ROLE, PRODUCT_OWNER_ROLE, INSTANCE_SERVICE_ROLE, DISTRIBUTION_SERVICE_ROLE, POOL_SERVICE_ROLE, PRODUCT_SERVICE_ROLE, APPLICATION_SERVICE_ROLE, POLICY_SERVICE_ROLE, CLAIM_SERVICE_ROLE, BUNDLE_SERVICE_ROLE, INSTANCE_ROLE} from "../type/RoleId.sol";
+import {ADMIN_ROLE, DISTRIBUTION_OWNER_ROLE, ORACLE_OWNER_ROLE, POOL_OWNER_ROLE, PRODUCT_OWNER_ROLE} from "../type/RoleId.sol";
 import {ObjectType, INSTANCE, BUNDLE, APPLICATION, CLAIM, DISTRIBUTION, INSTANCE, POLICY, POOL, PRODUCT, REGISTRY, STAKING} from "../type/ObjectType.sol";
 
 import {Service} from "../shared/Service.sol";
 import {IInstanceLinkedComponent} from "../shared/IInstanceLinkedComponent.sol";
 import {IService} from "../shared/IService.sol";
-import {AccessManagerExtendedInitializeable} from "../shared/AccessManagerExtendedInitializeable.sol";
 
 import {IDistributionComponent} from "../distribution/IDistributionComponent.sol";
 import {IPoolComponent} from "../pool/IPoolComponent.sol";
@@ -29,12 +29,12 @@ import {IStakingService} from "../staking/IStakingService.sol";
 import {TargetManagerLib} from "../staking/TargetManagerLib.sol";
 
 import {Instance} from "./Instance.sol";
+import {IModuleAuthorization} from "../authorization/IModuleAuthorization.sol";
 import {IInstance} from "./IInstance.sol";
 import {InstanceAdmin} from "./InstanceAdmin.sol";
 import {IInstanceService} from "./IInstanceService.sol";
 import {InstanceReader} from "./InstanceReader.sol";
 import {InstanceStore} from "./InstanceStore.sol";
-import {InstanceAuthorizationsLib} from "./InstanceAuthorizationsLib.sol";
 import {Seconds} from "../type/Seconds.sol";
 import {VersionPart, VersionPartLib} from "../type/Version.sol";
 
@@ -54,7 +54,7 @@ contract InstanceService is
     address internal _masterInstanceAdmin;
     address internal _masterInstance;
     address internal _masterInstanceReader;
-    address internal _masterInstanceBundleManager;
+    address internal _masterInstanceBundleSet;
     address internal _masterInstanceStore;
 
 
@@ -94,78 +94,36 @@ contract InstanceService is
         _;
     }
 
-    function createInstanceClone()
+    function createInstance()
         external 
         returns (
             Instance clonedInstance,
             NftId clonedInstanceNftId
         )
     {
+        // tx sender will become instance owner
         address instanceOwner = msg.sender;
-        AccessManagerExtendedInitializeable clonedAccessManager = AccessManagerExtendedInitializeable(
-            Clones.clone(_masterAccessManager));
-
-        // initially grants ADMIN_ROLE to this (being the instance service). 
-        // This will allow the instance service to bootstrap the authorizations of the instance.
-        // Instance service will renounce ADMIN_ROLE when bootstraping is finished
-        clonedAccessManager.initialize(address(this));
-
-        clonedInstance = Instance(Clones.clone(_masterInstance));
-        clonedInstance.initialize(
-            address(clonedAccessManager),
-            address(getRegistry()), 
-            instanceOwner);
-        // initialize and set before instance reader
-        InstanceStore clonedInstanceStore = InstanceStore(Clones.clone(address(_masterInstanceStore)));
-        clonedInstanceStore.initialize(address(clonedInstance));
-        clonedInstance.setInstanceStore(clonedInstanceStore);
-        
-        InstanceReader clonedInstanceReader = InstanceReader(Clones.clone(address(_masterInstanceReader)));
-        clonedInstanceReader.initialize(address(clonedInstance));
-        clonedInstance.setInstanceReader(clonedInstanceReader);
-
-        BundleManager clonedBundleManager = BundleManager(Clones.clone(_masterInstanceBundleManager));
-        clonedBundleManager.initialize(address(clonedInstance));
-        clonedInstance.setBundleManager(clonedBundleManager);
-
-        InstanceAdmin clonedInstanceAdmin = InstanceAdmin(Clones.clone(_masterInstanceAdmin));
-        clonedAccessManager.grantRole(ADMIN_ROLE().toInt(), address(clonedInstanceAdmin), 0);
-        clonedInstanceAdmin.initialize(address(clonedInstance));
-        clonedInstance.setInstanceAdmin(clonedInstanceAdmin);
-
-        // TODO amend setters with instance specific , policy manager ...
-
-        // TODO library does external calls -> but it is registry and access manager -> find out is it best practice
-        InstanceAuthorizationsLib.grantInitialAuthorizations(
-            clonedAccessManager, 
-            clonedInstanceAdmin, 
-            clonedInstance, 
-            clonedBundleManager, 
-            clonedInstanceStore, 
-            instanceOwner,
-            getRegistry(),
-            getVersion().toMajorPart());
 
-        clonedAccessManager.renounceRole(ADMIN_ROLE().toInt(), address(this));
+        // create instance admin and instance
+        InstanceAdmin instanceAdmin = _createInstanceAdmin();
+        clonedInstance = _createInstance(instanceAdmin, instanceOwner);
 
-        // register new instance with registry
-        IRegistry.ObjectInfo memory info = _registryService.registerInstance(clonedInstance, instanceOwner);
-        clonedInstanceNftId = info.nftId;
+        // register cloned instance with registry
+        clonedInstanceNftId = _registryService.registerInstance(
+            clonedInstance, instanceOwner).nftId;
 
-        // create corresponding staking target
+        // register cloned instance as staking target
         _stakingService.createInstanceTarget(
             clonedInstanceNftId,
             TargetManagerLib.getDefaultLockingPeriod(),
             TargetManagerLib.getDefaultRewardRate());
 
+        // MUST be set after instance is set up and registered
+        instanceAdmin.initializeInstanceAuthorization(address(clonedInstance));
+
         emit LogInstanceCloned(
-            address(clonedAccessManager), 
-            address(clonedInstanceAdmin), 
-            address(clonedInstance),
-            address(clonedInstanceStore),
-            address(clonedBundleManager), 
-            address(clonedInstanceReader), 
-            clonedInstanceNftId);
+            clonedInstanceNftId,
+            address(clonedInstance));
     }
 
 
@@ -239,9 +197,10 @@ contract InstanceService is
                 instanceNftId).objectAddress);
 
         // no revert in case already locked
-        instance.getInstanceAdmin().setTargetLockedByService(
-            componentAddress, 
-            locked);
+        // TODO refactor/implement
+        // instance.getInstanceAdmin().setTargetLockedByService(
+        //     componentAddress, 
+        //     locked);
     }
 
 
@@ -255,38 +214,39 @@ contract InstanceService is
             returns(NftId masterInstanceNftId)
     {
         if(_masterInstance != address(0)) { revert ErrorInstanceServiceMasterInstanceAlreadySet(); }
-        if(_masterAccessManager != address(0)) { revert ErrorInstanceServiceMasterInstanceAccessManagerAlreadySet(); }
         if(_masterInstanceAdmin != address(0)) { revert ErrorInstanceServiceMasterInstanceAdminAlreadySet(); }
-        if(_masterInstanceBundleManager != address(0)) { revert ErrorInstanceServiceMasterBundleManagerAlreadySet(); }
+        if(_masterInstanceBundleSet != address(0)) { revert ErrorInstanceServiceMasterBundleSetAlreadySet(); }
 
         if(instanceAddress == address(0)) { revert ErrorInstanceServiceInstanceAddressZero(); }
 
         IInstance instance = IInstance(instanceAddress);
+        address accessManagerAddress = instance.authority();
         InstanceAdmin instanceAdmin = instance.getInstanceAdmin();
         address instanceAdminAddress = address(instanceAdmin);
         InstanceReader instanceReader = instance.getInstanceReader();
         address instanceReaderAddress = address(instanceReader);
-        BundleManager bundleManager = instance.getBundleManager();
+        BundleSet bundleManager = instance.getBundleSet();
         address bundleManagerAddress = address(bundleManager);
         InstanceStore instanceStore = instance.getInstanceStore();
         address instanceStoreAddress = address(instanceStore);
 
+        if(accessManagerAddress == address(0)) { revert ErrorInstanceServiceAccessManagerZero(); }
         if(instanceAdminAddress == address(0)) { revert ErrorInstanceServiceInstanceAdminZero(); }
         if(instanceReaderAddress == address(0)) { revert ErrorInstanceServiceInstanceReaderZero(); }
-        if(bundleManagerAddress == address(0)) { revert ErrorInstanceServiceBundleManagerZero(); }
+        if(bundleManagerAddress == address(0)) { revert ErrorInstanceServiceBundleSetZero(); }
         if(instanceStoreAddress == address(0)) { revert ErrorInstanceServiceInstanceStoreZero(); }
         
         if(instance.authority() != instanceAdmin.authority()) { revert ErrorInstanceServiceInstanceAuthorityMismatch(); }
-        if(bundleManager.authority() != instanceAdmin.authority()) { revert ErrorInstanceServiceBundleManagerAuthorityMismatch(); }
+        if(bundleManager.authority() != instanceAdmin.authority()) { revert ErrorInstanceServiceBundleSetAuthorityMismatch(); }
         if(instanceStore.authority() != instanceAdmin.authority()) { revert ErrorInstanceServiceInstanceStoreAuthorityMismatch(); }
         if(bundleManager.getInstance() != instance) { revert ErrorInstanceServiceBundleMangerInstanceMismatch(); }
         if(instanceReader.getInstance() != instance) { revert ErrorInstanceServiceInstanceReaderInstanceMismatch2(); }
 
-        _masterAccessManager = instance.authority();
+        _masterAccessManager = accessManagerAddress;
         _masterInstanceAdmin = instanceAdminAddress;
         _masterInstance = instanceAddress;
         _masterInstanceReader = instanceReaderAddress;
-        _masterInstanceBundleManager = bundleManagerAddress;
+        _masterInstanceBundleSet = bundleManagerAddress;
         _masterInstanceStore = instanceStoreAddress;
         
         IInstance masterInstance = IInstance(_masterInstance);
@@ -314,7 +274,7 @@ contract InstanceService is
         Instance instance = Instance(instanceInfo.objectAddress);
         
         InstanceReader upgradedInstanceReaderClone = InstanceReader(Clones.clone(address(_masterInstanceReader)));
-        upgradedInstanceReaderClone.initialize(address(instance));
+        upgradedInstanceReaderClone.initializeWithInstance(address(instance));
         instance.setInstanceReader(upgradedInstanceReaderClone);
     }
 
@@ -340,6 +300,25 @@ contract InstanceService is
     }
 
 
+    function initializeAuthorization(
+        NftId instanceNftId, 
+        IInstanceLinkedComponent component
+    )
+        external
+        virtual
+        restricted()
+    {
+        (IInstance instance, ) = _validateInstanceAndComponent(
+            instanceNftId, 
+            address(component));
+
+        InstanceAdmin instanceAdmin = instance.getInstanceAdmin();
+        instanceAdmin.initializeComponentAuthorization(
+            component,
+            component.getAuthorization());
+    }
+
+
     function createComponentTarget(
         NftId instanceNftId,
         address targetAddress,
@@ -360,6 +339,53 @@ contract InstanceService is
         );
     }
 
+    /// @dev create new cloned instance admin
+    /// function used to setup a new instance
+    function _createInstanceAdmin()
+        internal
+        virtual
+        returns (InstanceAdmin clonedInstanceAdmin)
+    {
+        // start with setting up a new OZ access manager
+        AccessManagerCloneable clonedAccessManager = AccessManagerCloneable(
+            Clones.clone(_masterAccessManager));
+        
+        // set up the instance admin
+        clonedInstanceAdmin = InstanceAdmin(Clones.clone(_masterInstanceAdmin));
+        clonedAccessManager.initialize(
+            address(clonedInstanceAdmin)); // grant ADMIN_ROLE to instance admin
+
+        clonedInstanceAdmin.initialize(
+            clonedAccessManager,
+            InstanceAdmin(_masterInstanceAdmin).getInstanceAuthorization());
+    }
+
+
+    /// @dev create new cloned instance
+    /// function used to setup a new instance
+    function _createInstance(
+        InstanceAdmin instanceAdmin,
+        address instanceOwner
+    )
+        internal
+        virtual
+        returns (Instance clonedInstance)
+    {
+        InstanceStore clonedInstanceStore = InstanceStore(Clones.clone(address(_masterInstanceStore)));
+        BundleSet clonedBundleSet = BundleSet(Clones.clone(_masterInstanceBundleSet));
+        InstanceReader clonedInstanceReader = InstanceReader(Clones.clone(address(_masterInstanceReader)));
+
+        // clone instance
+        clonedInstance = Instance(Clones.clone(_masterInstance));
+        clonedInstance.initialize(
+            instanceAdmin,
+            clonedInstanceStore,
+            clonedBundleSet,
+            clonedInstanceReader,
+            getRegistry(),
+            instanceOwner);
+    }
+
 
     /// all gif targets MUST be children of instanceNftId
     function _createGifTarget(
@@ -379,12 +405,14 @@ contract InstanceService is
         ) = _validateInstanceAndComponent(instanceNftId, targetAddress);
 
         InstanceAdmin instanceAdmin = instance.getInstanceAdmin();
-        instanceAdmin.createGifTarget(targetAddress, targetName);
+
+        // TODO refactor/implement
+        // instanceAdmin.createGifTarget(targetAddress, targetName);
+
         // set proposed target config
-        // TODO restriction: gif targets are set only once and only here?
-        //      assume config is a mix of gif and custom roles and no further configuration by INSTANCE_OWNER_ROLE is ever needed?
         for(uint roleIdx = 0; roleIdx < roles.length; roleIdx++) {
-            instanceAdmin.setTargetFunctionRoleByService(targetName, selectors[roleIdx], roles[roleIdx]);
+            // TODO refactor/implement
+            // instanceAdmin.setTargetFunctionRoleByService(targetName, selectors[roleIdx], roles[roleIdx]);
         }
     }
     

package/contracts/instance/InstanceServiceManager.sol

@@ -1,13 +1,9 @@
 // SPDX-License-Identifier: Apache-2.0
 pragma solidity ^0.8.20;
 
-import {Instance} from "./Instance.sol";
-import {IVersionable} from "../shared/IVersionable.sol";
-import {ProxyManager} from "../shared/ProxyManager.sol";
+import {IVersionable} from "../upgradeability/IVersionable.sol";
+import {ProxyManager} from "../upgradeability/ProxyManager.sol";
 import {InstanceService} from "./InstanceService.sol";
-import {Registry} from "../registry/Registry.sol";
-import {RegistryService} from "../registry/RegistryService.sol";
-import {REGISTRY} from "../type/ObjectType.sol";
 
 contract InstanceServiceManager is ProxyManager {