@bananapus/address-registry-v6 0.0.16 → 0.0.18

package/ADMINISTRATION.md

@@ -1,48 +1,67 @@
 # Administration
 
-Admin privileges and their scope in nana-address-registry-v6.
+## At A Glance
+
+| Item | Details |
+| --- | --- |
+| Scope | Permissionless provenance registration for CREATE and CREATE2 addresses |
+| Control posture | Fully permissionless and adminless |
+| Highest-risk actions | Incorrect first registration or bad derivation assumptions in offchain tooling |
+| Recovery posture | No in-place recovery; replacement contract is the only fix for logic mistakes |
+
+## Purpose
+
+`nana-address-registry-v6` has no admin surface. It is a permissionless first-write provenance registry.
+
+## Control Model
+
+- No owner
+- No governance
+- No pause
+- No upgrade
+- Registration is permissionless and correctness comes from deterministic address derivation
 
 ## Roles
 
-None. `JBAddressRegistry` has no owner, no admin, and no access control. The contract does not inherit from `Ownable`, `AccessControl`, or any permissioned pattern.
+| Role | How Assigned | Scope | Notes |
+| --- | --- | --- | --- |
+| Anyone | No assignment | Global | Can register an address if they provide correct CREATE or CREATE2 inputs |
+
+## Privileged Surfaces
 
-## Privileged Functions
+There are no privileged functions. `registerAddress(...)` is permissionless for both CREATE and CREATE2 registration paths.
 
-### JBAddressRegistry
+## Immutable And One-Way
 
-| Function | Required Role | Permission ID | Scope | What It Does |
-|----------|--------------|---------------|-------|--------------|
-| `registerAddress(address deployer, uint256 nonce)` | None | N/A | Global | Computes a `create` address from deployer + nonce and stores the deployer mapping |
-| `registerAddress(address deployer, bytes32 salt, bytes bytecode)` | None | N/A | Global | Computes a `create2` address from deployer + salt + bytecode and stores the deployer mapping |
-| `deployerOf(address)` | None | N/A | Global | View function — returns the registered deployer for a given address |
+- Registration is first-write only.
+- There is no overwrite or delete path for `deployerOf[address]`.
 
-Every function is callable by any address. There are no restricted operations.
+## Operational Notes
 
-## Registration Model
+- Treat registration as provenance, not endorsement.
+- Register addresses from trustworthy operational pipelines because bad first registration is sticky even though anyone can submit the correct derivation inputs.
 
-- **Fully permissionless.** Any address can register any deployer/nonce or deployer/salt/bytecode combination.
-- **No caller verification.** The registry does not check whether `msg.sender` is the deployer. It only verifies that the computed address is valid by storing the mapping.
-- **Overwritable.** A second registration for the same computed address overwrites the previous deployer mapping. Last writer wins.
-- **Permanent storage, no removal.** There is no `unregister` or `removeAddress` function. Entries can be overwritten but never deleted.
-- **No approval or queue.** Registrations take effect immediately in the same transaction.
+## Machine Notes
 
-## Client-Side Trust
+- Do not treat registration as a safety certification or allowlist signal.
+- `src/JBAddressRegistry.sol` is the only control-relevant runtime file; there is no hidden owner path.
+- If offchain derivation and onchain registration disagree, stop and resolve the derivation logic rather than assuming overwrite is possible.
 
-The registry stores deployer mappings without making trust judgments. All trust decisions are delegated to clients:
+## Recovery
 
-- **No on-chain filtering.** The contract does not distinguish "trusted" from "untrusted" deployers. Clients must maintain their own allowlist of known deployer addresses and cross-reference against `deployerOf()`.
-- **Event-based discovery.** The contract emits an `AddressRegistered(address indexed addr, address indexed deployer, address caller)` event on every registration. Clients can monitor this event to discover new registrations in real time.
-- **Overwrite risk.** Since registrations are overwritable, a client that caches `deployerOf(addr)` at time T may see a different result at time T+1 if someone re-registers the same address with a different deployer/nonce or deployer/salt/bytecode combination. Clients should re-check at time of use rather than caching indefinitely.
-- **No validation of deployment.** The registry computes the expected address from the inputs but does not verify that a contract actually exists at that address. A registration can be created for an address that has not yet been deployed (or will never be deployed).
+- There is no admin recovery surface.
+- If derivation logic were ever wrong, the contract would need replacement rather than intervention.
 
 ## Admin Boundaries
 
-There are no admins. Specifically:
+- Nobody can curate allowlists, edit entries, or block registration.
+- Nobody can use this registry to certify code safety.
 
-- **No pause mechanism.** The registry cannot be paused or frozen.
-- **No upgrade path.** The contract is not proxied or upgradeable.
-- **No fee extraction.** The contract holds no funds and collects no fees.
-- **No blocklist.** No address can be prevented from registering.
-- **No migration.** There is no way to transfer state to a new registry contract.
+## Source Map
 
-The only trust assumption is on the frontend side: clients must maintain their own list of trusted deployers and use `deployerOf()` to check whether a contract was deployed by one of them. The registry itself makes no trust judgments.
+- `src/JBAddressRegistry.sol`
+- `src/interfaces/IJBAddressRegistry.sol`
+- `script/Deploy.s.sol`
+- `script/helpers/AddressRegistryDeploymentLib.sol`
+- `test/JBAddressRegistry_Fork.t.sol`
+- `test/regression/NonceTruncation.t.sol`

package/ARCHITECTURE.md

@@ -1,57 +1,84 @@
-# nana-address-registry-v6 — Architecture
+# Architecture
 
 ## Purpose
 
-Juicebox projects can attach arbitrary hook contracts (pay hooks, cashout hooks, 721 tier hooks, etc.) that execute during payments, cashouts, and payouts. A malicious hook could steal funds or mislead users. Frontends need a way to answer the question: "Was this hook deployed by a trusted deployer like `JB721TiersHookDeployer`?"
+`nana-address-registry-v6` is a narrow provenance primitive. It records which deployer could have created a contract address by recomputing CREATE or CREATE2 derivation inputs and storing the verified result on-chain.
 
-`JBAddressRegistry` solves this by letting contracts deployed via `create` or `create2` publicly register their deployer's address. A frontend can then call `deployerOf(hookAddress)` and check the result against its own list of trusted deployers — displaying warnings or blocking interactions for hooks with unknown origins.
+## System Overview
 
-## Contract Map
+The repo is intentionally small. `JBAddressRegistry` accepts deterministic deployment inputs, reconstructs the resulting address, and records the deployer if that address has not already been registered. It does not judge code safety, manage upgrades, or gate deployments.
 
-```
-src/
-├── JBAddressRegistry.sol     — Registry: registerAddress (create/create2), deployerOf mapping
-└── interfaces/
-    └── IJBAddressRegistry.sol — Interface
-```
-
-## Key Operations
-
-### Registration (create)
-```
-Deployer → JBAddressRegistry.registerAddress(deployer, nonce)
-  → Compute address via RLP encoding of [deployer, nonce]
-  → Store deployerOf[computedAddress] = deployer
-  → Emit AddressRegistered
-```
+## Core Invariants
 
-### Registration (create2)
-```
-Deployer → JBAddressRegistry.registerAddress(deployer, salt, bytecode)
-  → Compute address via keccak256(0xff ++ deployer ++ salt ++ keccak256(bytecode))
-  → Store deployerOf[computedAddress] = deployer
-  → Emit AddressRegistered
-```
-
-### Verification
-```
-Frontend → JBAddressRegistry.deployerOf(hookAddress)
-  → Returns deployer address (or address(0) if unregistered)
-  → Frontend checks deployer against trusted deployer list
-```
+- Registration is permissionless because correctness comes from deterministic derivation, not caller authority.
+- A contract address can only be registered once.
+- Registration must fail until runtime code actually exists at the derived address.
+- CREATE and CREATE2 derivation must match EVM rules exactly.
 
-## Design Decisions
+## Modules
 
-**Deployer verification, not a whitelist.** The registry records *who* deployed a contract, not *whether* a contract is approved. This keeps the registry permissionless and neutral — any deployer can register, and trust decisions are made by each frontend independently. There is no governance or admin role.
+| Module | Responsibility | Notes |
+| --- | --- | --- |
+| `JBAddressRegistry` | Address derivation and first-write provenance storage | Main contract |
+| `IJBAddressRegistry` | Minimal lookup and registration interface | External surface |
 
-**Both `create` and `create2` support.** Deployers that use `create` (nonce-based) and `create2` (salt + bytecode) both exist in the Juicebox ecosystem. Supporting both ensures any deployer can register its contracts regardless of deployment strategy.
+## Trust Boundaries
 
-**No validation beyond hash match.** The registry does not check that registered addresses contain code, implement a particular interface, or were recently deployed. It only verifies that the provided deployer + nonce/salt/bytecode deterministically produce the claimed address. This keeps the contract simple and gas-efficient — frontends already perform their own trust checks on the deployer address.
+- The registry attests to deterministic provenance, not code quality.
+- It does not manage ownership, upgrades, or allowlists.
+- External systems may trust its recorded provenance, so derivation correctness is the whole product.
 
-**Anyone can call `registerAddress`.** Registration is not restricted to the deployer itself. Any account that knows the deployer address and nonce (or salt + bytecode) can register a contract. This is safe because the mapping is deterministic — providing incorrect inputs simply computes a different address, not a false registration for the target contract.
+## Critical Flows
 
-## Dependencies
+### Register
 
-- `@sphinx-labs/plugins` — Deployment tooling (devDependency only)
+```text
+caller
+  -> supplies deployer plus CREATE nonce or CREATE2 salt and bytecode
+  -> registry recomputes the target address
+  -> registry records the deployer if the address was previously unregistered
+```
 
-No runtime Solidity dependencies — this is a standalone contract.
+## Accounting Model
+
+No economic accounting lives here. The only critical state is `deployerOf[address]`.
+
+## Security Model
+
+- The risk is concentrated in a small amount of address-derivation logic.
+- The registry records the derived deployer, not the transaction caller. Mixing those concepts would turn provenance into an authority bug.
+- Overengineering is more dangerous than minimal, auditable derivation code.
+
+## Safe Change Guide
+
+- Treat derivation code like cryptographic plumbing.
+- Keep the undeployed-address check and first-write-only rule intact; they are part of the provenance guarantee, not optional hygiene.
+- If nonce handling or bytecode hashing changes, keep CREATE and CREATE2 tests aligned.
+- Do not expand the repo into an allowlist or trust-oracle system.
+
+## Canonical Checks
+
+- CREATE and CREATE2 derivation correctness:
+  `test/JBAddressRegistry.t.sol`
+- edge-path validation and first-write behavior:
+  `test/JBAddressRegistryEdge.t.sol`
+- pre-registration, frontrun, and undeployed-code defenses:
+  `test/audit/CodexFrontRunRegistrationDoS.t.sol`
+- provenance abuse and zero-deployer edge cases:
+  `test/audit/CodexUnauthorizedRegistrar.t.sol`
+  `test/audit/ZeroDeployerRegistration.t.sol`
+
+## Source Map
+
+- `src/JBAddressRegistry.sol`
+- `src/interfaces/IJBAddressRegistry.sol`
+- `test/JBAddressRegistry.t.sol`
+- `test/JBAddressRegistryEdge.t.sol`
+- `test/audit/CodexFrontRunRegistrationDoS.t.sol`
+- `test/audit/CodexUnauthorizedRegistrar.t.sol`
+- `test/audit/ZeroDeployerRegistration.t.sol`
+- `test/regression/NonceTruncation.t.sol`
+- `script/Deploy.s.sol`
+- `script/helpers/AddressRegistryDeploymentLib.sol`
+- `references/runtime.md`
+- `references/operations.md`

package/AUDIT_INSTRUCTIONS.md

@@ -1,147 +1,66 @@
-# Audit Instructions -- nana-address-registry-v6
+# Audit Instructions
 
-You are auditing a permissionless address registry for Juicebox V6. The contract stores a mapping from deployed contract addresses to their deployers, computed deterministically from `create` or `create2` parameters. It has no owner, no access control, no constructor arguments, and no external dependencies. Read [RISKS.md](./RISKS.md) first -- it documents all known risks and trust assumptions. Then come back here.
+This repo is a small registry, but it participates in deployer verification across the ecosystem. Treat incorrect registration as a security boundary failure.
 
-## Compiler and Version Info
+## Audit Objective
 
-| Setting | Value |
-|---------|-------|
-| Solidity version | 0.8.28 |
-| EVM target | cancun |
-| Optimizer | enabled, 200 runs |
-| via-IR | not enabled |
-| Fuzz runs | 4,096 |
-| Invariant runs | 1,024 (depth 100) |
-
-Source: [`foundry.toml`](./foundry.toml)
-
-## Previous Audit Findings
-
-A Nemesis automated audit was conducted on 2026-03-17. Results are in [`.audit/findings/nemesis-verified.md`](./.audit/findings/nemesis-verified.md). Summary:
-
-| ID | Severity | Title | Status |
-|----|----------|-------|--------|
-| NM-001 | LOW | Deployment library project name mismatch (`"nana-address-registry"` vs `"nana-address-registry-v6"`) | Open (deployment script only, no runtime impact) |
-
-The core contract (`JBAddressRegistry`) was verified sound -- RLP encoding is correct across all 10 nonce ranges, CREATE2 computation matches EIP-1014. No CRITICAL, HIGH, or MEDIUM findings were identified.
-
-No prior formal audit with finding IDs from an external security firm has been conducted.
+Find issues that:
+- let callers register contracts under the wrong deployer
+- break determinism or uniqueness assumptions around registration
+- let a malicious deployer spoof provenance for contracts it did not create
+- create stale or truncation-related collisions in recorded mappings
 
 ## Scope
 
-**In scope -- all Solidity in `src/`:**
-```
-src/JBAddressRegistry.sol              # Registry implementation (~127 lines)
-src/interfaces/IJBAddressRegistry.sol  # Interface (~27 lines)
-```
-
-**Out of scope:** Test files, deployment scripts, forge-std.
-
-## Architecture
-
-### JBAddressRegistry
-
-A standalone, stateless-logic contract with a single storage mapping:
-
-```
-mapping(address addr => address deployer) public deployerOf;
-```
-
-Two public `registerAddress` overloads accept deployer parameters, compute the deterministic address, and store the mapping. No validation is performed beyond address computation and a nonce range check.
-
-### Registration (create)
-
-`registerAddress(address deployer, uint256 nonce)`:
-1. Calls `_addressFrom(deployer, nonce)` to compute the `create` address via RLP encoding
-2. Stores `deployerOf[computedAddress] = deployer`
-3. Emits `AddressRegistered(computedAddress, deployer, msg.sender)`
-
-### Registration (create2)
-
-`registerAddress(address deployer, bytes32 salt, bytes calldata bytecode)`:
-1. Computes `address(uint160(uint256(keccak256(abi.encodePacked(bytes1(0xff), deployer, salt, keccak256(bytecode))))))`
-2. Stores `deployerOf[computedAddress] = deployer`
-3. Emits `AddressRegistered(computedAddress, deployer, msg.sender)`
-
-### RLP Encoding (_addressFrom)
-
-The internal `_addressFrom(address origin, uint256 nonce)` function implements RLP encoding of `[origin, nonce]` for `create` address computation. It handles 10 nonce ranges covering `0` through `type(uint64).max`:
-
-| Nonce Range | RLP Prefix Byte | Nonce Length Prefix |
-|-------------|----------------|---------------------|
-| `0` | `0xd6` | `0x80` (empty byte) |
-| `1 - 0x7f` | `0xd6` | (none, raw byte) |
-| `0x80 - 0xff` | `0xd7` | `0x81` |
-| `0x100 - 0xffff` | `0xd8` | `0x82` |
-| `0x10000 - 0xffffff` | `0xd9` | `0x83` |
-| `0x1000000 - 0xffffffff` | `0xda` | `0x84` |
-| `0x100000000 - 0xffffffffff` | `0xdb` | `0x85` |
-| `0x10000000000 - 0xffffffffffff` | `0xdc` | `0x86` |
-| `0x1000000000000 - 0xffffffffffffff` | `0xdd` | `0x87` |
-| `0x100000000000000 - 0xffffffffffffffff` | `0xde` | `0x88` |
-
-The final address is extracted from `keccak256(rlp_data)` via inline assembly: `mstore(0, hash); addr := mload(0)`.
-
-Nonces above `type(uint64).max` revert with `JBAddressRegistry_NonceTooLarge`.
-
-## Priority Audit Areas
-
-### 1. RLP Encoding Correctness (Highest Priority)
-
-The `_addressFrom` function is the only non-trivial logic in the contract. Verify:
+In scope:
+- `src/JBAddressRegistry.sol`
+- `src/interfaces/IJBAddressRegistry.sol`
+- all deployment helpers in `script/`
 
-- **Every nonce range boundary is correct.** The if/else chain must produce correct RLP for every boundary value: `0`, `1`, `0x7f`, `0x80`, `0xff`, `0x100`, `0xffff`, `0x10000`, etc., up to `type(uint64).max`. An off-by-one at any boundary would silently produce wrong addresses.
-- **RLP prefix bytes are correct.** The first byte (`0xd6`-`0xde`) encodes the total length of the list. Verify each prefix matches the actual encoded data length (20-byte address + nonce encoding + overhead).
-- **Nonce encoding is correct.** For nonce `0`, the RLP encoding is `0x80` (empty byte string), not `0x00`. For nonces `1-0x7f`, the nonce IS the RLP encoding (single byte). For `0x80+`, a length prefix is prepended.
-- **Assembly address extraction.** The final `mstore(0, hash); addr := mload(0)` extracts the low 160 bits of the keccak256 hash. Verify this is equivalent to `address(uint160(uint256(hash)))`.
-- **Comparison with reference implementations.** Cross-check against the Ethereum Yellow Paper, OpenZeppelin's `Create2` library, and the linked StackExchange reference (https://ethereum.stackexchange.com/a/87840/68134).
+## Start Here
 
-### 2. create2 Address Computation
+1. `src/JBAddressRegistry.sol`
+2. `script/Deploy.s.sol`
 
-The `create2` overload uses `abi.encodePacked(bytes1(0xff), deployer, salt, keccak256(bytecode))`. Verify:
-- This matches the EIP-1014 specification exactly.
-- The `bytes calldata bytecode` parameter is hashed correctly (constructor arguments must be included by the caller; the contract does not append them).
-- No length ambiguity in the packed encoding (each component has fixed size: 1 + 20 + 32 + 32 = 85 bytes).
+## Security Model
 
-### 3. Overwrite Behavior
+The registry maps deployed addresses to the deployer that created them. Downstream repos use it to:
+- validate provenance for clones or deterministically deployed instances
+- discover whether a contract came from an approved deployer path
 
-`_registerAddress` unconditionally overwrites `deployerOf[addr]`. Verify:
-- A re-registration with the same parameters produces the same result (idempotent).
-- A re-registration with different parameters that happen to compute the same address (collision) would overwrite. Since address collisions require a keccak256 collision, this is cryptographically infeasible -- but confirm there is no cheaper attack vector.
-- The `caller` field in the `AddressRegistered` event correctly reflects `msg.sender`, not the `deployer` parameter.
+## Roles And Privileges
 
-### 4. Gas and DoS
+| Role | Powers | How constrained |
+|------|--------|-----------------|
+| Deployer | Register contracts as its outputs | Must prove authentic deployment provenance |
+| Registry reader | Trust provenance for privileged decisions | Must not observe spoofable or mutable history |
 
-The contract has no loops, no arrays, and no unbounded storage growth beyond the mapping. Verify:
-- `registerAddress` has bounded gas cost regardless of inputs.
-- The `bytecode` parameter in the `create2` overload is hashed in memory. For very large bytecode, this could consume significant memory gas but cannot cause an OOG in the registry itself (the caller pays).
+## Integration Assumptions
 
-## Invariants to Verify
+| Dependency | Assumption | What breaks if wrong |
+|------------|------------|----------------------|
+| Approved deployers | Produce the addresses they claim | Downstream provenance gates become meaningless |
 
-1. **Determinism**: For any `(deployer, nonce)` pair, `_addressFrom` always returns the same address, and that address matches what the EVM would produce for a `create` deployment from `deployer` at `nonce`.
-2. **create2 correctness**: For any `(deployer, salt, bytecode)` triple, the computed address matches what the EVM would produce for a `create2` deployment.
-3. **No side effects**: `registerAddress` only modifies `deployerOf[computedAddress]` and emits one event. No other state is touched.
-4. **Nonce boundary completeness**: Every valid nonce (0 through `type(uint64).max`) produces a correct RLP encoding. No nonce in this range falls through without being encoded.
+## Critical Invariants
 
-## Testing Setup
+1. Provenance cannot be forged
+Only the actual deployer path the registry intends to trust may create a successful registration for a contract.
 
-```bash
-cd nana-address-registry-v6
-npm install
-forge build
-forge test
+2. One contract maps to one authoritative deployer record
+No aliasing or overwrite path should let a later caller replace provenance unexpectedly.
 
-# Run edge case tests
-forge test --match-contract JBAddressRegistryEdge -vvv
+3. Registration metadata is stable
+Nonce, salt, or address truncation must not allow collisions or stale reads.
 
-# Run nonce truncation regression test
-forge test --match-path test/regression/NonceTruncation.t.sol -vvv
+## Attack Surfaces
 
-# Run fork tests
-forge test --match-contract Fork -vvv
+- registration entrypoints that rely on deployer provenance
+- overwrite and replay paths
+- deterministic deployment assumptions
+- zero-address or malformed registration attempts
 
-# Write a PoC
-forge test --match-path test/audit/ExploitPoC.t.sol -vvv
-```
+## Verification
 
-Go break it.
+- `npm install`
+- `forge build`
+- `forge test`

package/CHANGELOG.md

@@ -0,0 +1,39 @@
+# Changelog
+
+## Scope
+
+This file describes the verified change from `nana-address-registry-v5` to the current `nana-address-registry-v6` repo.
+
+## Current v6 surface
+
+- `JBAddressRegistry`
+- `IJBAddressRegistry`
+
+## Summary
+
+- Nonce handling is safer than in v5. The registry now guards against oversized nonces instead of silently producing the wrong derived address once the old encoding assumptions stopped holding.
+- Zero-address deployers are explicitly rejected.
+- The external surface remains intentionally small. This repo changed behavior more than shape.
+- The repo moved from the v5 Solidity baseline to `0.8.28`.
+
+## Verified deltas
+
+- `_addressFrom(...)` now supports RLP nonce encoding through `uint64` instead of stopping at the old `uint32` path.
+- `JBAddressRegistry_NonceTooLarge(uint256)` is thrown above that supported range.
+- `JBAddressRegistry_ZeroDeployer()` is thrown when trying to register against `address(0)`.
+- Duplicate registration now explicitly reverts with `JBAddressRegistry_AlreadyRegistered(address)`.
+
+## Breaking ABI changes
+
+- There is no meaningful function-selector migration here.
+- The practical ABI-visible change is new custom errors that callers and tooling may need to decode.
+
+## Indexer impact
+
+- Event shape is effectively unchanged.
+- The real migration concern is stricter revert behavior for previously tolerated bad inputs.
+
+## Migration notes
+
+- If you treated this repo as ABI-stable, that is mostly still true, but behavior around bad inputs is stricter.
+- Recheck any tool that depended on silent high-nonce behavior. v6 makes that path explicit instead of permissive.

package/README.md

@@ -1,99 +1,111 @@
 # Juicebox Address Registry
 
-Knowing who deployed a contract is the first step toward trusting it. This registry lets anyone prove a contract's deployer on-chain -- no access control and no admin keys.
+`@bananapus/address-registry-v6` is a permissionless registry that records deployer provenance for contracts when callers provide matching `create` or `create2` deployment inputs. It is meant to make deployer provenance visible on-chain, especially for hooks and helper contracts that users may need to trust before interacting with them.
 
-`JBAddressRegistry` maps contract addresses to their deployers using deterministic address computation. Provide the deployer address and deployment parameters, and the registry verifies the relationship and stores it permanently. Frontend clients can then look up any registered contract to see who deployed it, which is especially useful for vetting Juicebox pay and cash-out hooks before interacting with them.
+Architecture: [ARCHITECTURE.md](./ARCHITECTURE.md)  
+User journeys: [USER_JOURNEYS.md](./USER_JOURNEYS.md)  
+Skills: [SKILLS.md](./SKILLS.md)  
+Risks: [RISKS.md](./RISKS.md)  
+Administration: [ADMINISTRATION.md](./ADMINISTRATION.md)  
+Audit instructions: [AUDIT_INSTRUCTIONS.md](./AUDIT_INSTRUCTIONS.md)
 
-## Deployed Address
+## Overview
 
-`JBAddressRegistry` is deployed at the same address on all supported networks via deterministic `create2` deployment:
+The registry supports both `create` and `create2` style deployments:
 
-```
-0x2d9b78cb37ca724cfb9b32cd8e9a5dc1c88bc7bb
-```
+- for `create`, it reconstructs the deployed address from the deployer and nonce
+- for `create2`, it reconstructs the deployed address from the deployer, salt, and deployment bytecode
 
-| Network | Chain ID |
-|---------|----------|
-| Ethereum | 1 |
-| Optimism | 10 |
-| Arbitrum | 42161 |
-| Base | 8453 |
-| Ethereum Sepolia | 11155111 |
-| Optimism Sepolia | 11155420 |
-| Arbitrum Sepolia | 421614 |
-| Base Sepolia | 84532 |
+Because the address is computed deterministically, registrations do not require access control. Anyone can submit the correct deployment inputs, and the registry records the deployer for the computed address after confirming code already exists there.
 
-## Architecture
+Use this repo when deployer provenance matters. Do not confuse it with an allowlist, audit registry, or trust oracle.
 
-| Contract | Description |
-|----------|-------------|
-| `JBAddressRegistry` | Standalone registry. Computes deployed addresses deterministically from deployer parameters and stores the deployer in `deployerOf`. No constructor arguments, no access control, no external dependencies. |
+If the question is "is this hook safe?" this repo can only tell you who deployed it, not whether the code is good.
 
-### Interface
+## Key Contract
 
-| Type | Description |
-|------|-------------|
-| `IJBAddressRegistry` | Interface exposing `deployerOf`, both `registerAddress` overloads, and the `AddressRegistered` event. |
+| Contract | Role |
+| --- | --- |
+| `JBAddressRegistry` | Standalone registry that stores `deployerOf[address]` and exposes overloaded `registerAddress` entrypoints. |
 
-### How It Works
+## Mental Model
 
-Anyone can register a contract by providing its deployer and deployment parameters:
+The registry is intentionally narrow:
 
-- **`create` deployments**: Provide the deployer address and the nonce at the time of deployment. The registry reconstructs the address using RLP encoding (the same encoding the EVM uses internally to compute `create` addresses).
-- **`create2` deployments**: Provide the deployer address, the `create2` salt, and the full deployment bytecode (creation code + encoded constructor arguments). The registry computes `keccak256(0xff ++ deployer ++ salt ++ keccak256(bytecode))`.
+1. reconstruct an address from deployment inputs
+2. bind that address to a deployer once
+3. expose the result for other systems and clients
 
-In both cases, the registry stores the mapping `deployerOf[computedAddress] = deployer` and emits an `AddressRegistered` event. Frontend clients can then look up any contract's deployer to verify trust.
+Anything beyond that is out of scope by design.
 
-No access control is needed -- only the correct deployer + parameters can produce a given address, so registrations cannot be faked.
+## Read These Files First
 
-```solidity
-// Register a contract deployed via create.
-registry.registerAddress(deployer, nonce);
+1. `src/JBAddressRegistry.sol`
+2. `test/JBAddressRegistry.t.sol`
+3. `test/JBAddressRegistryEdge.t.sol`
+4. `test/audit/CodexFrontRunRegistrationDoS.t.sol`
 
-// Register a contract deployed via create2.
-registry.registerAddress(deployer, salt, bytecode);
+## Integration Traps
 
-// Look up who deployed a contract.
-address deployer = registry.deployerOf(contractAddress);
-```
+- provenance is only meaningful if callers also know what the deployer is supposed to be trusted for
+- permissionless registration is intentional, so integrations should verify the computed inputs rather than assuming caller authority
+- `create` nonce reconstruction and `create2` salt-bytecode reconstruction are different trust paths and should be reasoned about separately
+
+## Where State Lives
 
-### Events
+- deployer provenance lives in `JBAddressRegistry`
+- deployment truth still lives outside this repo in the target chain history and bytecode inputs
 
-| Event | Fields | Emitted When |
-|-------|--------|-------------|
-| `AddressRegistered` | `address indexed addr`, `address indexed deployer`, `address caller` | A contract address is registered via either `registerAddress` overload. `caller` is `msg.sender`, which may differ from the deployer. |
+## High-Signal Tests
 
-### Risks
+1. `test/JBAddressRegistry.t.sol`
+2. `test/JBAddressRegistryEdge.t.sol`
+3. `test/audit/CodexUnauthorizedRegistrar.t.sol`
 
-Hooks have token minting access, making malicious hooks dangerous. A registered deployer does not guarantee a hook is safe -- it only tells you who deployed it. Clients should warn project owners and users about any potential for unintended or adversarial behavior, especially for unknown hooks.
+## Install
+
+```bash
+npm install @bananapus/address-registry-v6
+```
 
-Deployers can be exploited or act maliciously. Clients should still communicate risk to users even when the deployer is a known entity.
+## Development
 
-### Limitations
+```bash
+npm install
+forge build
+forge test
+```
 
-- The `_addressFrom` function for `create` addresses uses RLP encoding that only supports nonces up to `uint64` max (18,446,744,073,709,551,615). Higher nonces revert with `JBAddressRegistry_NonceTooLarge`. In practice, this limit is unreachable.
-- Re-registration is prevented: registering the same computed address again reverts with `JBAddressRegistry_AlreadyRegistered`. Only the first registration is accepted.
-- Registration is permissionless -- anyone can call `registerAddress`, not just the deployer. Security relies entirely on deterministic address computation.
+Useful scripts:
 
-## Deployment
+- `npm run test:fork`
+- `npm run deploy:mainnets`
+- `npm run deploy:testnets`
 
-The deploy script uses [Sphinx](https://github.com/sphinx-labs/sphinx) for deterministic multi-chain deployment. The registry is deployed via `create2` with the salt `_JBAddressRegistryV6_`, ensuring the same address on every chain. The script skips deployment if the bytecode is already present at the computed address.
+## Deployment Notes
 
-A helper library `AddressRegistryDeploymentLib` is provided in `script/helpers/` to resolve deployed addresses from Sphinx deployment artifacts at runtime.
+The deploy script uses Sphinx for deterministic deployment. This package is intentionally small and independent because many other repos use it to record clone factories and helper deployments.
 
-## Install
+## Repository Layout
 
-```bash
-npm install
+```text
+src/
+  JBAddressRegistry.sol
+  interfaces/
+test/
+  unit, edge, fork, audit, and regression coverage
+script/
+  Deploy.s.sol
+  helpers/
 ```
 
-## Develop
+## Risks And Notes
+
+- provenance is not the same thing as safety; a known deployer can still deploy unsafe code
+- registrations are first-write only, so bad operational processes around initial registration can be sticky
+- the `create` address path relies on nonce reconstruction and intentionally rejects unrealistic nonce ranges
+
+## For AI Agents
 
-| Command | Description |
-|---------|-------------|
-| `forge build` | Compile contracts |
-| `forge test` | Run unit tests |
-| `FOUNDRY_PROFILE=CI forge test` | Run fork tests (requires `RPC_ETHEREUM_MAINNET` env var) |
-| `forge coverage --match-path "./src/*.sol" --report lcov --report summary` | Generate coverage report |
-| `npm run deploy:mainnets` | Propose mainnet deployment via Sphinx |
-| `npm run deploy:testnets` | Propose testnet deployment via Sphinx |
+- Describe this repo as a provenance registry, not as an allowlist or safety oracle.
+- Read the edge and audit tests before making claims about frontrunning or unauthorized registration.