Custom StoreCode Authorization for authz module

[jhernandezb]

Currently signing store code transactions with multisigs can only be done if you use non-ledger keys due to the memory limit on such devices it makes impossible for signers and for this reason I think it would be very useful to have a contract upload authorization for authz.

• Authorize grantee to upload any contract (although this can already be achieved by the generic grant authorization)
• Authorize grantee to upload any contract from a list of given hashes so the granter can verify and be confident the grantee only uploads pre-approved contracts,

This can even be useful for DAOs or CW4 multisigs giving access to an uploader by creating a custom authorization.

[alpe]

This is a good idea!
Would it make sense to have the same for migration?

On store code, an instantiateAccess configuration can be set. Is this something that you want to ensure by the grant as well? I does not seem required but I want to bring this up.

[jhernandezb]

I don't see migration being necessary but would be a nice to have.

On instantiate access now that you bring it up might makes a lot of sense to limit it to a specific config per code hash

hash1 -> AnyOfAddresses(address1)
hash2 -> EveryBody

This would make it a lot easier for permissioned chains like stargaze and osmosis where it has a set of uploaders only but dealing with store codes and multisigs is a bit of a pain.