explorer-monorepo/docs/TOKENFACTORY138_CRITICAL_ISSUE.md

# TokenFactory138 Critical Issue - Role Permissions

**Date**: 2025-12-24  
**Severity**: ⚠️ **CRITICAL** - Will cause deployment failures

---

## 🚨 Problem

TokenFactory138 calls PolicyManager functions that require `POLICY_OPERATOR_ROLE`:

```solidity
// In TokenFactory138.deployToken() - lines 85-88
IPolicyManager(policyManager).setLienMode(token, config.defaultLienMode);
IPolicyManager(policyManager).setBridgeOnly(token, config.bridgeOnly);
IPolicyManager(policyManager).setBridge(token, config.bridge);
```

But PolicyManager requires `POLICY_OPERATOR_ROLE`:
```solidity
// In PolicyManager
function setLienMode(...) external override onlyRole(POLICY_OPERATOR_ROLE)
function setBridgeOnly(...) external override onlyRole(POLICY_OPERATOR_ROLE)
function setBridge(...) external override onlyRole(POLICY_OPERATOR_ROLE)
```

**Current deployment script** (`DeployChain138.s.sol` line 122) grants the role to `config.policyOperator` (a person/address), **NOT** to TokenFactory138 contract itself.

---

## ✅ Solution

The deployment script needs to grant `POLICY_OPERATOR_ROLE` to TokenFactory138:

```solidity
// After deploying TokenFactory138 (around line 122)
policyManager.grantRole(policyManager.POLICY_OPERATOR_ROLE(), address(factory));
```

---

## 🔧 Fix Required

Update `script/emoney/DeployChain138.s.sol`:

**Current** (line 122):
```solidity
policyManager.grantRole(policyManager.POLICY_OPERATOR_ROLE(), config.policyOperator);
```

**Should be** (add after line 121):
```solidity
// Grant POLICY_OPERATOR_ROLE to TokenFactory138 so it can configure tokens
policyManager.grantRole(policyManager.POLICY_OPERATOR_ROLE(), address(factory));
// Also grant to policyOperator for manual operations
policyManager.grantRole(policyManager.POLICY_OPERATOR_ROLE(), config.policyOperator);
```

---

## ✅ Compilation Test

Before fixing, test compilation:

```bash
cd /home/intlc/projects/proxmox/smom-dbis-138

# Test compilation
forge build --via-ir --contracts contracts/emoney/TokenFactory138.sol

# If successful, check for the role issue in deployment script
grep -A 5 "POLICY_OPERATOR_ROLE" script/emoney/DeployChain138.s.sol
```

---

## 📋 Action Items

1. ✅ Test compilation (use `--via-ir`)
2. ⏳ Fix deployment script to grant role to TokenFactory138
3. ⏳ Test deployment script (dry run)
4. ⏳ Deploy TokenFactory138

---

**Last Updated**: 2025-12-24