@bananapus/address-registry-v6 0.0.21 → 0.0.24

package/AUDIT_INSTRUCTIONS.md

@@ -8,7 +8,7 @@ Find issues that:
 
 - let callers register contracts under the wrong deployer
 - break determinism or uniqueness assumptions around registration
-- let a malicious deployer spoof provenance for contracts it did not create
+- let callers spoof provenance for contracts the claimed deployer did not create
 - create truncation-related collisions or stale mapping assumptions
 
 ## Scope
@@ -35,8 +35,8 @@ The registry maps deployed addresses to the deployer that created them. Downstre
 
 | Role | Powers | How constrained |
 |------|--------|-----------------|
-| Deployer | Register contracts as its outputs | Must prove authentic deployment provenance |
-| Registry reader | Trust provenance for privileged decisions | Must not observe spoofable or mutable history |
+| Registrant | Register contracts by supplying deterministic deployment inputs | Must supply inputs that reconstruct an already-deployed contract address |
+| Registry reader | Interpret provenance for downstream decisions | Must pair provenance with an external trust model |
 
 ## Integration Assumptions
 
@@ -47,7 +47,7 @@ The registry maps deployed addresses to the deployer that created them. Downstre
 ## Critical Invariants
 
 1. Provenance cannot be forged.  
-   Only the actual deployer path the registry intends to trust may create a successful registration for a contract.
+   Only inputs matching the actual deployer path may create a successful registration for a contract.
 2. One contract maps to one authoritative deployer record.  
    No aliasing or overwrite path should let a later caller replace provenance unexpectedly.
 3. Registration metadata is stable.  

package/STYLE_GUIDE.md

@@ -419,7 +419,7 @@ jobs:
           submodules: recursive
       - uses: actions/setup-node@v4
         with:
-          node-version: 22.4.x
+          node-version: 25.9.0
       - name: Install npm dependencies
         run: npm install --omit=dev
       - name: Install Foundry
@@ -470,13 +470,13 @@ jobs:
           submodules: recursive
       - uses: actions/setup-node@v4
         with:
-          node-version: latest
+          node-version: 25.9.0
       - name: Install npm dependencies
         run: npm install --omit=dev
       - name: Install Foundry
         uses: foundry-rs/foundry-toolchain@v1
       - name: Run slither
-        uses: crytic/slither-action@v0.3.1
+        uses: crytic/slither-action@v0.4.1
         with:
             slither-config: slither-ci.config.json
             fail-on: medium
@@ -515,7 +515,7 @@ jobs:
   },
   "dependencies": { ... },
   "devDependencies": {
-    "@sphinx-labs/plugins": "^0.33.2"
+    "@sphinx-labs/plugins": "0.33.3"
   }
 }
 ```

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bananapus/address-registry-v6",
-  "version": "0.0.21",
+  "version": "0.0.24",
   "license": "MIT",
   "repository": {
     "type": "git",
@@ -18,9 +18,9 @@
     "artifacts": "source ./.env && npx sphinx artifacts --org-id 'ea165b21-7cdc-4d7b-be59-ecdd4c26bee4' --project-name 'nana-address-registry-v6'"
   },
   "dependencies": {
-    "@openzeppelin/contracts": "^5.6.1"
+    "@sphinx-labs/contracts": "0.23.1"
   },
   "devDependencies": {
-    "@sphinx-labs/plugins": "^0.33.2"
+    "@sphinx-labs/plugins": "0.33.3"
   }
 }

package/script/Deploy.s.sol

@@ -4,7 +4,7 @@ pragma solidity 0.8.28;
 import {Sphinx} from "@sphinx-labs/contracts/contracts/foundry/SphinxPlugin.sol";
 import {Script} from "forge-std/Script.sol";
 
-import {JBAddressRegistry} from "src/JBAddressRegistry.sol";
+import {JBAddressRegistry} from "../src/JBAddressRegistry.sol";
 
 contract Deploy is Script, Sphinx {
     bytes32 constant ADDRESS_REGISTRY_SALT = "_JBAddressRegistryV6_";

package/src/JBAddressRegistry.sol

@@ -72,6 +72,26 @@ contract JBAddressRegistry is IJBAddressRegistry {
         _registerAddress({addr: hook, deployer: deployer});
     }
 
+    //*********************************************************************//
+    // ------------------------ internal functions ----------------------- //
+    //*********************************************************************//
+
+    /// @notice Register a contract's deployer in the `deployerOf` mapping.
+    /// @param addr The deployed contract's address.
+    /// @param deployer The deployer's address.
+    function _registerAddress(address addr, address deployer) internal {
+        // The registry only records non-zero deployers.
+        if (deployer == address(0)) revert JBAddressRegistry_ZeroDeployer();
+        // The address must already contain runtime code before it can be registered.
+        if (addr.code.length == 0) revert JBAddressRegistry_AddressNotDeployed(addr);
+        // Each address can only be registered once.
+        if (deployerOf[addr] != address(0)) revert JBAddressRegistry_AlreadyRegistered(addr);
+
+        deployerOf[addr] = deployer;
+
+        emit AddressRegistered({addr: addr, deployer: deployer, caller: msg.sender});
+    }
+
     //*********************************************************************//
     // -------------------------- internal views ------------------------- //
     //*********************************************************************//
@@ -126,24 +146,4 @@ contract JBAddressRegistry is IJBAddressRegistry {
             addr := mload(0)
         }
     }
-
-    //*********************************************************************//
-    // ------------------------ internal functions ----------------------- //
-    //*********************************************************************//
-
-    /// @notice Register a contract's deployer in the `deployerOf` mapping.
-    /// @param addr The deployed contract's address.
-    /// @param deployer The deployer's address.
-    function _registerAddress(address addr, address deployer) internal {
-        // The registry only records non-zero deployers.
-        if (deployer == address(0)) revert JBAddressRegistry_ZeroDeployer();
-        // The address must already contain runtime code before it can be registered.
-        if (addr.code.length == 0) revert JBAddressRegistry_AddressNotDeployed(addr);
-        // Each address can only be registered once.
-        if (deployerOf[addr] != address(0)) revert JBAddressRegistry_AlreadyRegistered(addr);
-
-        deployerOf[addr] = deployer;
-
-        emit AddressRegistered({addr: addr, deployer: deployer, caller: msg.sender});
-    }
 }

package/test/audit/CodexFrontRunRegistrationDoS.t.sol

@@ -3,7 +3,7 @@ pragma solidity 0.8.28;
 
 import {Test} from "forge-std/Test.sol";
 
-import {JBAddressRegistry} from "src/JBAddressRegistry.sol";
+import {JBAddressRegistry} from "../../src/JBAddressRegistry.sol";
 
 contract CodexFrontRunRegistrationDoSTest is Test {
     JBAddressRegistry internal registry;

package/test/audit/CodexUnauthorizedRegistrar.t.sol

@@ -3,7 +3,7 @@ pragma solidity 0.8.28;
 
 import {Test} from "forge-std/Test.sol";
 
-import {JBAddressRegistry} from "src/JBAddressRegistry.sol";
+import {JBAddressRegistry} from "../../src/JBAddressRegistry.sol";
 
 contract CodexUnauthorizedRegistrarTest is Test {
     JBAddressRegistry internal registry;

package/test/audit/ZeroDeployerRegistration.t.sol

@@ -3,7 +3,7 @@ pragma solidity 0.8.28;
 
 import {Test} from "forge-std/Test.sol";
 
-import {JBAddressRegistry} from "src/JBAddressRegistry.sol";
+import {JBAddressRegistry} from "../../src/JBAddressRegistry.sol";
 
 contract ZeroDeployerRegistrationTest is Test {
     JBAddressRegistry internal registry;