@zoralabs/limit-orders 0.2.0 → 0.2.2

package/src/access/SimpleAccessManager.sol

@@ -1,268 +0,0 @@
-// SPDX-License-Identifier: MIT
-pragma solidity ^0.8.20;
-
-import {IAuthority} from "@openzeppelin/contracts/access/manager/IAuthority.sol";
-import {Context} from "@openzeppelin/contracts/utils/Context.sol";
-
-/**
- * @title SimpleAccessManager
- * @author Zora
- * @notice A simplified single-contract access manager providing role-based access control
- * without time-based validation.
- *
- * @dev This contract is designed to manage access for a single target contract by mapping
- * function selectors directly to required roles. It implements the IAuthority interface
- * for compatibility with SimpleAccessManaged contracts.
- *
- * Key features:
- * - Maps function selectors to roles (selector -> roleId)
- * - Immediate role grants/revokes (no delays)
- * - PUBLIC_ROLE grants access to all addresses
- * - ADMIN_ROLE (role 0) can configure function roles and manage other roles
- * - Each role can have a custom admin role for delegation
- *
- * This is intentionally simpler than OpenZeppelin's AccessManager:
- * - No execution delays or scheduled operations
- * - No guardian role
- * - No target address tracking (single-contract authority)
- */
-contract SimpleAccessManager is Context, IAuthority {
-    /// @notice The admin role identifier (0). Members can configure function roles and grant other roles.
-    uint64 public constant ADMIN_ROLE = type(uint64).min;
-
-    /// @notice The public role identifier (max uint64). All addresses implicitly have this role.
-    uint64 public constant PUBLIC_ROLE = type(uint64).max;
-
-    /// @notice Configuration for setting a function's required role at deployment
-    /// @param selector The function selector to configure
-    /// @param roleId The role required to call the function
-    struct InitialFunctionRole {
-        bytes4 selector;
-        uint64 roleId;
-    }
-
-    /// @dev Maps function selector to the role required to call it
-    mapping(bytes4 selector => uint64 roleId) private _functionRoles;
-
-    /// @dev Maps role to its members
-    mapping(uint64 roleId => mapping(address user => bool isMember)) private _roleMembers;
-
-    /// @dev Maps role to its admin role (the role that can grant/revoke it)
-    mapping(uint64 roleId => uint64 admin) private _roleAdmins;
-
-    /// @notice Emitted when a role is granted to an account
-    /// @param roleId The role that was granted
-    /// @param account The account that received the role
-    event RoleGranted(uint64 indexed roleId, address indexed account);
-
-    /// @notice Emitted when a role is revoked from an account
-    /// @param roleId The role that was revoked
-    /// @param account The account that lost the role
-    event RoleRevoked(uint64 indexed roleId, address indexed account);
-
-    /// @notice Emitted when a role's admin is changed
-    /// @param roleId The role whose admin changed
-    /// @param admin The new admin role
-    event RoleAdminChanged(uint64 indexed roleId, uint64 indexed admin);
-
-    /// @notice Emitted when a function's required role is updated
-    /// @param selector The function selector that was configured
-    /// @param roleId The new required role
-    event FunctionRoleUpdated(bytes4 indexed selector, uint64 indexed roleId);
-
-    /// @notice Thrown when the initial admin address is invalid (zero address)
-    /// @param initialAdmin The invalid admin address provided
-    error AccessManagerInvalidInitialAdmin(address initialAdmin);
-
-    /// @notice Thrown when an account lacks the required role
-    /// @param account The account that attempted the action
-    /// @param roleId The role that was required
-    error AccessManagerUnauthorizedAccount(address account, uint64 roleId);
-
-    /// @notice Thrown when attempting to modify a locked role (ADMIN_ROLE or PUBLIC_ROLE)
-    /// @param roleId The locked role that was targeted
-    error AccessManagerLockedRole(uint64 roleId);
-
-    /// @dev Restricts function access to accounts with ADMIN_ROLE.
-    modifier onlyAdmin() {
-        if (!hasRole(ADMIN_ROLE, _msgSender())) {
-            revert AccessManagerUnauthorizedAccount(_msgSender(), ADMIN_ROLE);
-        }
-        _;
-    }
-
-    /// @dev Restricts function access to accounts that have the admin role for the specified role.
-    /// @param roleId The role whose admin is required to call the function
-    modifier onlyRoleAdmin(uint64 roleId) {
-        uint64 adminRole = getRoleAdmin(roleId);
-        if (!hasRole(adminRole, _msgSender())) {
-            revert AccessManagerUnauthorizedAccount(_msgSender(), adminRole);
-        }
-        _;
-    }
-
-    /// @notice Initializes the access manager with an admin and optional function role configurations.
-    /// @dev The initial admin is granted ADMIN_ROLE immediately. Initial function roles allow
-    /// configuring access permissions at deployment time without additional transactions.
-    /// @param initialAdmin The address that will receive ADMIN_ROLE (cannot be zero address)
-    /// @param initialFunctionRoles Array of selector-to-role mappings to configure at deployment
-    constructor(address initialAdmin, InitialFunctionRole[] memory initialFunctionRoles) {
-        if (initialAdmin == address(0)) {
-            revert AccessManagerInvalidInitialAdmin(address(0));
-        }
-
-        // Admin is active immediately
-        _grantRole(ADMIN_ROLE, initialAdmin);
-
-        // Set up initial function roles
-        for (uint256 i = 0; i < initialFunctionRoles.length; ++i) {
-            _setFunctionRole(initialFunctionRoles[i].selector, initialFunctionRoles[i].roleId);
-        }
-    }
-
-    // =================================================== IAuthority ====================================================
-
-    /// @inheritdoc IAuthority
-    /// @notice Checks if a caller is authorized to invoke a function.
-    /// @dev The target parameter is ignored since this is a single-contract authority.
-    /// Returns true if the caller has the role required for the selector, or if the
-    /// selector is mapped to PUBLIC_ROLE (which all addresses implicitly have).
-    /// @param caller The address attempting to call the function
-    /// @param selector The function selector being called
-    /// @return True if the caller is authorized to call the function
-    function canCall(
-        address caller,
-        address,
-        /* target */
-        bytes4 selector
-    ) external view override returns (bool) {
-        uint64 roleId = _functionRoles[selector];
-        return hasRole(roleId, caller);
-    }
-
-    // =================================================== GETTERS ====================================================
-
-    /// @notice Returns the role required to call a specific function.
-    /// @dev If no role has been set for the selector, returns 0 (ADMIN_ROLE), meaning
-    /// only admins can call unconfigured functions by default.
-    /// @param selector The function selector to query
-    /// @return The role ID required to call the function
-    function getFunctionRole(bytes4 selector) public view returns (uint64) {
-        return _functionRoles[selector];
-    }
-
-    /// @notice Returns the admin role for a given role.
-    /// @dev The admin role is the role that can grant/revoke the specified role.
-    /// If no admin has been set, returns 0 (ADMIN_ROLE).
-    /// @param roleId The role to query the admin for
-    /// @return The admin role ID that can manage the specified role
-    function getRoleAdmin(uint64 roleId) public view returns (uint64) {
-        return _roleAdmins[roleId];
-    }
-
-    /// @notice Checks if an account has a specific role.
-    /// @dev PUBLIC_ROLE always returns true for any account. For other roles,
-    /// returns true only if the account has been explicitly granted the role.
-    /// @param roleId The role to check
-    /// @param account The account to check
-    /// @return True if the account has the role
-    function hasRole(uint64 roleId, address account) public view returns (bool) {
-        if (roleId == PUBLIC_ROLE) {
-            return true;
-        }
-        return _roleMembers[roleId][account];
-    }
-
-    // =============================================== ROLE MANAGEMENT ===============================================
-
-    /// @notice Grants a role to an account.
-    /// @dev Only callable by accounts that have the admin role for the specified role.
-    /// Emits {RoleGranted} if the account did not already have the role.
-    /// @param roleId The role to grant
-    /// @param account The account to receive the role
-    function grantRole(uint64 roleId, address account) public onlyRoleAdmin(roleId) {
-        _grantRole(roleId, account);
-    }
-
-    /// @notice Revokes a role from an account.
-    /// @dev Only callable by accounts that have the admin role for the specified role.
-    /// Emits {RoleRevoked} if the account had the role.
-    /// @param roleId The role to revoke
-    /// @param account The account to lose the role
-    function revokeRole(uint64 roleId, address account) public onlyRoleAdmin(roleId) {
-        _revokeRole(roleId, account);
-    }
-
-    /// @notice Allows an account to renounce a role it has.
-    /// @dev The callerConfirmation parameter must match msg.sender to prevent accidental
-    /// role renunciation. Emits {RoleRevoked} if the account had the role.
-    /// @param roleId The role to renounce
-    /// @param callerConfirmation Must be msg.sender's address as confirmation
-    function renounceRole(uint64 roleId, address callerConfirmation) public {
-        if (callerConfirmation != _msgSender()) {
-            revert AccessManagerUnauthorizedAccount(_msgSender(), roleId);
-        }
-        _revokeRole(roleId, callerConfirmation);
-    }
-
-    /// @notice Sets the admin role for a given role.
-    /// @dev Only callable by accounts with ADMIN_ROLE. Cannot modify the admin of
-    /// ADMIN_ROLE or PUBLIC_ROLE. Emits {RoleAdminChanged}.
-    /// @param roleId The role to set the admin for
-    /// @param admin The new admin role ID
-    function setRoleAdmin(uint64 roleId, uint64 admin) public onlyAdmin {
-        if (roleId == ADMIN_ROLE || roleId == PUBLIC_ROLE) {
-            revert AccessManagerLockedRole(roleId);
-        }
-
-        _roleAdmins[roleId] = admin;
-        emit RoleAdminChanged(roleId, admin);
-    }
-
-    /// @dev Grants a role to an account without access control checks.
-    /// @param roleId The role to grant (cannot be PUBLIC_ROLE)
-    /// @param account The account to receive the role
-    function _grantRole(uint64 roleId, address account) internal {
-        if (roleId == PUBLIC_ROLE) {
-            revert AccessManagerLockedRole(roleId);
-        }
-
-        if (!_roleMembers[roleId][account]) {
-            _roleMembers[roleId][account] = true;
-            emit RoleGranted(roleId, account);
-        }
-    }
-
-    /// @dev Revokes a role from an account without access control checks.
-    /// @param roleId The role to revoke (cannot be PUBLIC_ROLE)
-    /// @param account The account to lose the role
-    function _revokeRole(uint64 roleId, address account) internal {
-        if (roleId == PUBLIC_ROLE) {
-            revert AccessManagerLockedRole(roleId);
-        }
-
-        if (_roleMembers[roleId][account]) {
-            _roleMembers[roleId][account] = false;
-            emit RoleRevoked(roleId, account);
-        }
-    }
-
-    // ============================================= FUNCTION MANAGEMENT ==============================================
-
-    /// @notice Sets the role required to call a specific function.
-    /// @dev Only callable by accounts with ADMIN_ROLE. Set to PUBLIC_ROLE to make a
-    /// function callable by anyone. Emits {FunctionRoleUpdated}.
-    /// @param selector The function selector to configure
-    /// @param roleId The role that will be required to call the function
-    function setFunctionRole(bytes4 selector, uint64 roleId) public onlyAdmin {
-        _setFunctionRole(selector, roleId);
-    }
-
-    /// @dev Sets a function's required role without access control checks.
-    /// @param selector The function selector to configure
-    /// @param roleId The role that will be required to call the function
-    function _setFunctionRole(bytes4 selector, uint64 roleId) internal {
-        _functionRoles[selector] = roleId;
-        emit FunctionRoleUpdated(selector, roleId);
-    }
-}

package/test/SimpleAccessManager.t.sol

@@ -1,420 +0,0 @@
-// SPDX-License-Identifier: MIT
-pragma solidity ^0.8.20;
-
-import {Test} from "forge-std/Test.sol";
-import {Vm} from "forge-std/Vm.sol";
-import {SimpleAccessManager} from "../src/access/SimpleAccessManager.sol";
-
-/// @title SimpleAccessManagerTest
-/// @notice Comprehensive tests for SimpleAccessManager contract
-contract SimpleAccessManagerTest is Test {
-    SimpleAccessManager public accessManager;
-
-    address public admin = makeAddr("admin");
-    address public user1 = makeAddr("user1");
-    address public user2 = makeAddr("user2");
-
-    uint64 public constant ADMIN_ROLE = type(uint64).min; // 0
-    uint64 public constant PUBLIC_ROLE = type(uint64).max;
-    uint64 public constant CUSTOM_ROLE = 1;
-    uint64 public constant ANOTHER_ROLE = 2;
-
-    bytes4 public constant TEST_SELECTOR = bytes4(keccak256("testFunction()"));
-    bytes4 public constant ANOTHER_SELECTOR = bytes4(keccak256("anotherFunction()"));
-
-    event RoleGranted(uint64 indexed roleId, address indexed account);
-    event RoleRevoked(uint64 indexed roleId, address indexed account);
-    event RoleAdminChanged(uint64 indexed roleId, uint64 indexed admin);
-    event FunctionRoleUpdated(bytes4 indexed selector, uint64 indexed roleId);
-
-    function setUp() public {
-        // Deploy with no initial function roles
-        SimpleAccessManager.InitialFunctionRole[] memory noRoles = new SimpleAccessManager.InitialFunctionRole[](0);
-        accessManager = new SimpleAccessManager(admin, noRoles);
-    }
-
-    // ================================ CONSTRUCTOR TESTS ================================
-
-    function test_constructor_setsInitialAdmin() public view {
-        assertTrue(accessManager.hasRole(ADMIN_ROLE, admin));
-    }
-
-    function test_constructor_revertsOnZeroAdmin() public {
-        SimpleAccessManager.InitialFunctionRole[] memory noRoles = new SimpleAccessManager.InitialFunctionRole[](0);
-        vm.expectRevert(abi.encodeWithSelector(SimpleAccessManager.AccessManagerInvalidInitialAdmin.selector, address(0)));
-        new SimpleAccessManager(address(0), noRoles);
-    }
-
-    function test_constructor_setsInitialFunctionRoles() public {
-        SimpleAccessManager.InitialFunctionRole[] memory initialRoles = new SimpleAccessManager.InitialFunctionRole[](2);
-        initialRoles[0] = SimpleAccessManager.InitialFunctionRole({selector: TEST_SELECTOR, roleId: PUBLIC_ROLE});
-        initialRoles[1] = SimpleAccessManager.InitialFunctionRole({selector: ANOTHER_SELECTOR, roleId: CUSTOM_ROLE});
-
-        SimpleAccessManager manager = new SimpleAccessManager(admin, initialRoles);
-
-        assertEq(manager.getFunctionRole(TEST_SELECTOR), PUBLIC_ROLE);
-        assertEq(manager.getFunctionRole(ANOTHER_SELECTOR), CUSTOM_ROLE);
-    }
-
-    function test_constructor_emitsEvents() public {
-        SimpleAccessManager.InitialFunctionRole[] memory initialRoles = new SimpleAccessManager.InitialFunctionRole[](1);
-        initialRoles[0] = SimpleAccessManager.InitialFunctionRole({selector: TEST_SELECTOR, roleId: PUBLIC_ROLE});
-
-        vm.expectEmit(true, true, false, false);
-        emit RoleGranted(ADMIN_ROLE, admin);
-
-        vm.expectEmit(true, true, false, false);
-        emit FunctionRoleUpdated(TEST_SELECTOR, PUBLIC_ROLE);
-
-        new SimpleAccessManager(admin, initialRoles);
-    }
-
-    // ================================ canCall TESTS ================================
-
-    function test_canCall_returnsTrueForPublicRole() public {
-        vm.prank(admin);
-        accessManager.setFunctionRole(TEST_SELECTOR, PUBLIC_ROLE);
-
-        // Anyone should be able to call
-        assertTrue(accessManager.canCall(user1, address(0), TEST_SELECTOR));
-        assertTrue(accessManager.canCall(user2, address(0), TEST_SELECTOR));
-        assertTrue(accessManager.canCall(address(0), address(0), TEST_SELECTOR));
-    }
-
-    function test_canCall_returnsTrueForRoleMember() public {
-        vm.startPrank(admin);
-        accessManager.setFunctionRole(TEST_SELECTOR, CUSTOM_ROLE);
-        accessManager.grantRole(CUSTOM_ROLE, user1);
-        vm.stopPrank();
-
-        assertTrue(accessManager.canCall(user1, address(0), TEST_SELECTOR));
-    }
-
-    function test_canCall_returnsFalseForNonRoleMember() public {
-        vm.startPrank(admin);
-        accessManager.setFunctionRole(TEST_SELECTOR, CUSTOM_ROLE);
-        accessManager.grantRole(CUSTOM_ROLE, user1);
-        vm.stopPrank();
-
-        assertFalse(accessManager.canCall(user2, address(0), TEST_SELECTOR));
-    }
-
-    function test_canCall_defaultsToAdminRoleForUnconfiguredFunctions() public view {
-        // Unconfigured function defaults to role 0 (ADMIN_ROLE)
-        assertTrue(accessManager.canCall(admin, address(0), TEST_SELECTOR));
-        assertFalse(accessManager.canCall(user1, address(0), TEST_SELECTOR));
-    }
-
-    function test_canCall_ignoresTargetParameter() public {
-        vm.prank(admin);
-        accessManager.setFunctionRole(TEST_SELECTOR, PUBLIC_ROLE);
-
-        // Target should be ignored
-        assertTrue(accessManager.canCall(user1, address(1), TEST_SELECTOR));
-        assertTrue(accessManager.canCall(user1, address(2), TEST_SELECTOR));
-        assertTrue(accessManager.canCall(user1, makeAddr("anyTarget"), TEST_SELECTOR));
-    }
-
-    // ================================ ROLE MANAGEMENT TESTS ================================
-
-    function test_grantRole_byAdmin() public {
-        vm.prank(admin);
-        accessManager.grantRole(CUSTOM_ROLE, user1);
-
-        assertTrue(accessManager.hasRole(CUSTOM_ROLE, user1));
-    }
-
-    function test_grantRole_emitsEvent() public {
-        vm.expectEmit(true, true, false, false);
-        emit RoleGranted(CUSTOM_ROLE, user1);
-
-        vm.prank(admin);
-        accessManager.grantRole(CUSTOM_ROLE, user1);
-    }
-
-    function test_grantRole_noopIfAlreadyHasRole() public {
-        vm.startPrank(admin);
-        accessManager.grantRole(CUSTOM_ROLE, user1);
-
-        // Grant again - should not emit event
-        vm.recordLogs();
-        accessManager.grantRole(CUSTOM_ROLE, user1);
-        Vm.Log[] memory logs = vm.getRecordedLogs();
-
-        // No RoleGranted event should be emitted
-        for (uint256 i; i < logs.length; ++i) {
-            assertFalse(logs[i].topics[0] == keccak256("RoleGranted(uint64,address)"));
-        }
-        vm.stopPrank();
-    }
-
-    function test_grantRole_revertsForPublicRole() public {
-        vm.prank(admin);
-        vm.expectRevert(abi.encodeWithSelector(SimpleAccessManager.AccessManagerLockedRole.selector, PUBLIC_ROLE));
-        accessManager.grantRole(PUBLIC_ROLE, user1);
-    }
-
-    function test_grantRole_revertsIfNotRoleAdmin() public {
-        vm.prank(user1);
-        vm.expectRevert(abi.encodeWithSelector(SimpleAccessManager.AccessManagerUnauthorizedAccount.selector, user1, ADMIN_ROLE));
-        accessManager.grantRole(CUSTOM_ROLE, user2);
-    }
-
-    function test_revokeRole_byAdmin() public {
-        vm.startPrank(admin);
-        accessManager.grantRole(CUSTOM_ROLE, user1);
-        accessManager.revokeRole(CUSTOM_ROLE, user1);
-        vm.stopPrank();
-
-        assertFalse(accessManager.hasRole(CUSTOM_ROLE, user1));
-    }
-
-    function test_revokeRole_emitsEvent() public {
-        vm.prank(admin);
-        accessManager.grantRole(CUSTOM_ROLE, user1);
-
-        vm.expectEmit(true, true, false, false);
-        emit RoleRevoked(CUSTOM_ROLE, user1);
-
-        vm.prank(admin);
-        accessManager.revokeRole(CUSTOM_ROLE, user1);
-    }
-
-    function test_revokeRole_noopIfDoesntHaveRole() public {
-        vm.prank(admin);
-        vm.recordLogs();
-        accessManager.revokeRole(CUSTOM_ROLE, user1);
-        Vm.Log[] memory logs = vm.getRecordedLogs();
-
-        // No RoleRevoked event should be emitted
-        for (uint256 i; i < logs.length; ++i) {
-            assertFalse(logs[i].topics[0] == keccak256("RoleRevoked(uint64,address)"));
-        }
-    }
-
-    function test_revokeRole_revertsForPublicRole() public {
-        vm.prank(admin);
-        vm.expectRevert(abi.encodeWithSelector(SimpleAccessManager.AccessManagerLockedRole.selector, PUBLIC_ROLE));
-        accessManager.revokeRole(PUBLIC_ROLE, user1);
-    }
-
-    function test_revokeRole_revertsIfNotRoleAdmin() public {
-        vm.prank(admin);
-        accessManager.grantRole(CUSTOM_ROLE, user1);
-
-        vm.prank(user2);
-        vm.expectRevert(abi.encodeWithSelector(SimpleAccessManager.AccessManagerUnauthorizedAccount.selector, user2, ADMIN_ROLE));
-        accessManager.revokeRole(CUSTOM_ROLE, user1);
-    }
-
-    function test_renounceRole_selfRevoke() public {
-        vm.prank(admin);
-        accessManager.grantRole(CUSTOM_ROLE, user1);
-
-        vm.prank(user1);
-        accessManager.renounceRole(CUSTOM_ROLE, user1);
-
-        assertFalse(accessManager.hasRole(CUSTOM_ROLE, user1));
-    }
-
-    function test_renounceRole_revertsIfConfirmationMismatch() public {
-        vm.prank(admin);
-        accessManager.grantRole(CUSTOM_ROLE, user1);
-
-        vm.prank(user1);
-        vm.expectRevert(abi.encodeWithSelector(SimpleAccessManager.AccessManagerUnauthorizedAccount.selector, user1, CUSTOM_ROLE));
-        accessManager.renounceRole(CUSTOM_ROLE, user2);
-    }
-
-    function test_renounceRole_revertsForPublicRole() public {
-        vm.prank(user1);
-        vm.expectRevert(abi.encodeWithSelector(SimpleAccessManager.AccessManagerLockedRole.selector, PUBLIC_ROLE));
-        accessManager.renounceRole(PUBLIC_ROLE, user1);
-    }
-
-    // ================================ ROLE ADMIN TESTS ================================
-
-    function test_setRoleAdmin_byGlobalAdmin() public {
-        vm.prank(admin);
-        accessManager.setRoleAdmin(CUSTOM_ROLE, ANOTHER_ROLE);
-
-        assertEq(accessManager.getRoleAdmin(CUSTOM_ROLE), ANOTHER_ROLE);
-    }
-
-    function test_setRoleAdmin_emitsEvent() public {
-        vm.expectEmit(true, true, false, false);
-        emit RoleAdminChanged(CUSTOM_ROLE, ANOTHER_ROLE);
-
-        vm.prank(admin);
-        accessManager.setRoleAdmin(CUSTOM_ROLE, ANOTHER_ROLE);
-    }
-
-    function test_setRoleAdmin_revertsForAdminRole() public {
-        vm.prank(admin);
-        vm.expectRevert(abi.encodeWithSelector(SimpleAccessManager.AccessManagerLockedRole.selector, ADMIN_ROLE));
-        accessManager.setRoleAdmin(ADMIN_ROLE, CUSTOM_ROLE);
-    }
-
-    function test_setRoleAdmin_revertsForPublicRole() public {
-        vm.prank(admin);
-        vm.expectRevert(abi.encodeWithSelector(SimpleAccessManager.AccessManagerLockedRole.selector, PUBLIC_ROLE));
-        accessManager.setRoleAdmin(PUBLIC_ROLE, CUSTOM_ROLE);
-    }
-
-    function test_setRoleAdmin_revertsIfNotGlobalAdmin() public {
-        vm.prank(user1);
-        vm.expectRevert(abi.encodeWithSelector(SimpleAccessManager.AccessManagerUnauthorizedAccount.selector, user1, ADMIN_ROLE));
-        accessManager.setRoleAdmin(CUSTOM_ROLE, ANOTHER_ROLE);
-    }
-
-    function test_grantRole_withCustomRoleAdmin() public {
-        // Set ANOTHER_ROLE as admin for CUSTOM_ROLE
-        vm.prank(admin);
-        accessManager.setRoleAdmin(CUSTOM_ROLE, ANOTHER_ROLE);
-
-        // Grant ANOTHER_ROLE to user1
-        vm.prank(admin);
-        accessManager.grantRole(ANOTHER_ROLE, user1);
-
-        // user1 should now be able to grant CUSTOM_ROLE
-        vm.prank(user1);
-        accessManager.grantRole(CUSTOM_ROLE, user2);
-
-        assertTrue(accessManager.hasRole(CUSTOM_ROLE, user2));
-    }
-
-    function test_getRoleAdmin_defaultsToAdminRole() public view {
-        // Unconfigured role admin defaults to ADMIN_ROLE (0)
-        assertEq(accessManager.getRoleAdmin(CUSTOM_ROLE), ADMIN_ROLE);
-    }
-
-    // ================================ FUNCTION ROLE TESTS ================================
-
-    function test_setFunctionRole_byAdmin() public {
-        vm.prank(admin);
-        accessManager.setFunctionRole(TEST_SELECTOR, CUSTOM_ROLE);
-
-        assertEq(accessManager.getFunctionRole(TEST_SELECTOR), CUSTOM_ROLE);
-    }
-
-    function test_setFunctionRole_emitsEvent() public {
-        vm.expectEmit(true, true, false, false);
-        emit FunctionRoleUpdated(TEST_SELECTOR, CUSTOM_ROLE);
-
-        vm.prank(admin);
-        accessManager.setFunctionRole(TEST_SELECTOR, CUSTOM_ROLE);
-    }
-
-    function test_setFunctionRole_revertsIfNotAdmin() public {
-        vm.prank(user1);
-        vm.expectRevert(abi.encodeWithSelector(SimpleAccessManager.AccessManagerUnauthorizedAccount.selector, user1, ADMIN_ROLE));
-        accessManager.setFunctionRole(TEST_SELECTOR, CUSTOM_ROLE);
-    }
-
-    function test_setFunctionRole_canUpdateExisting() public {
-        vm.startPrank(admin);
-        accessManager.setFunctionRole(TEST_SELECTOR, CUSTOM_ROLE);
-        accessManager.setFunctionRole(TEST_SELECTOR, ANOTHER_ROLE);
-        vm.stopPrank();
-
-        assertEq(accessManager.getFunctionRole(TEST_SELECTOR), ANOTHER_ROLE);
-    }
-
-    function test_getFunctionRole_defaultsToAdminRole() public view {
-        // Unconfigured function defaults to 0 (ADMIN_ROLE)
-        assertEq(accessManager.getFunctionRole(TEST_SELECTOR), ADMIN_ROLE);
-    }
-
-    // ================================ hasRole TESTS ================================
-
-    function test_hasRole_returnsTrueForPublicRole() public view {
-        // All addresses have PUBLIC_ROLE
-        assertTrue(accessManager.hasRole(PUBLIC_ROLE, user1));
-        assertTrue(accessManager.hasRole(PUBLIC_ROLE, user2));
-        assertTrue(accessManager.hasRole(PUBLIC_ROLE, address(0)));
-        assertTrue(accessManager.hasRole(PUBLIC_ROLE, address(this)));
-    }
-
-    function test_hasRole_returnsFalseForNonMember() public view {
-        assertFalse(accessManager.hasRole(CUSTOM_ROLE, user1));
-    }
-
-    function test_hasRole_returnsTrueForMember() public {
-        vm.prank(admin);
-        accessManager.grantRole(CUSTOM_ROLE, user1);
-
-        assertTrue(accessManager.hasRole(CUSTOM_ROLE, user1));
-    }
-
-    // ================================ IAuthority INTERFACE TESTS ================================
-
-    function test_implementsIAuthority() public view {
-        // Verify the contract implements IAuthority
-        assertTrue(accessManager.canCall(admin, address(0), TEST_SELECTOR) || !accessManager.canCall(admin, address(0), TEST_SELECTOR));
-    }
-
-    // ================================ INTEGRATION TESTS ================================
-
-    function test_integration_limitOrderBookScenario() public {
-        // This test simulates the limit order book deployment scenario
-        bytes4 createSelector = bytes4(keccak256("create(bytes32,address,int24,uint128,bool)"));
-        bytes4 setMaxFillCountSelector = bytes4(keccak256("setMaxFillCount(uint256)"));
-
-        // Deploy with create() set to PUBLIC_ROLE
-        SimpleAccessManager.InitialFunctionRole[] memory initialRoles = new SimpleAccessManager.InitialFunctionRole[](1);
-        initialRoles[0] = SimpleAccessManager.InitialFunctionRole({selector: createSelector, roleId: PUBLIC_ROLE});
-
-        SimpleAccessManager manager = new SimpleAccessManager(admin, initialRoles);
-
-        // create() should be callable by anyone
-        assertTrue(manager.canCall(user1, address(0), createSelector));
-        assertTrue(manager.canCall(user2, address(0), createSelector));
-
-        // setMaxFillCount() defaults to ADMIN_ROLE (only admin can call)
-        assertTrue(manager.canCall(admin, address(0), setMaxFillCountSelector));
-        assertFalse(manager.canCall(user1, address(0), setMaxFillCountSelector));
-    }
-
-    function test_integration_delegatedRoleManagement() public {
-        // Admin sets up a role hierarchy:
-        // - ADMIN_ROLE can manage ANOTHER_ROLE
-        // - ANOTHER_ROLE can manage CUSTOM_ROLE
-
-        vm.startPrank(admin);
-        accessManager.setRoleAdmin(CUSTOM_ROLE, ANOTHER_ROLE);
-        accessManager.grantRole(ANOTHER_ROLE, user1);
-        vm.stopPrank();
-
-        // user1 (with ANOTHER_ROLE) can now grant CUSTOM_ROLE
-        vm.prank(user1);
-        accessManager.grantRole(CUSTOM_ROLE, user2);
-
-        assertTrue(accessManager.hasRole(CUSTOM_ROLE, user2));
-
-        // user1 can also revoke CUSTOM_ROLE
-        vm.prank(user1);
-        accessManager.revokeRole(CUSTOM_ROLE, user2);
-
-        assertFalse(accessManager.hasRole(CUSTOM_ROLE, user2));
-    }
-
-    function test_integration_adminCannotGrantPublicRole() public {
-        // Even admin cannot grant PUBLIC_ROLE - it's automatic
-        vm.prank(admin);
-        vm.expectRevert(abi.encodeWithSelector(SimpleAccessManager.AccessManagerLockedRole.selector, PUBLIC_ROLE));
-        accessManager.grantRole(PUBLIC_ROLE, user1);
-    }
-
-    function test_integration_adminCanRenounceOwnRole() public {
-        // Admin can renounce their own role (dangerous but allowed)
-        vm.prank(admin);
-        accessManager.renounceRole(ADMIN_ROLE, admin);
-
-        assertFalse(accessManager.hasRole(ADMIN_ROLE, admin));
-
-        // Now admin can't do admin things
-        vm.prank(admin);
-        vm.expectRevert(abi.encodeWithSelector(SimpleAccessManager.AccessManagerUnauthorizedAccount.selector, admin, ADMIN_ROLE));
-        accessManager.setFunctionRole(TEST_SELECTOR, CUSTOM_ROLE);
-    }
-}