@bananapus/address-registry-v6 0.0.25 → 0.0.26

package/ARCHITECTURE.md

@@ -47,7 +47,7 @@ No economic accounting lives here. The only important state is `deployerOf[addre
 
 - the risk is concentrated in a small amount of address-derivation logic
 - the registry records the derived deployer, not the transaction caller
-- overengineering is more dangerous than minimal, auditable derivation code
+- overengineering is more dangerous than minimal, reviewable derivation code
 
 ## Safe Change Guide
 
@@ -63,10 +63,10 @@ No economic accounting lives here. The only important state is `deployerOf[addre
 - edge-path validation and first-write behavior:
   `test/JBAddressRegistryEdge.t.sol`
 - pre-registration, frontrun, and undeployed-code defenses:
-  `test/audit/CodexFrontRunRegistrationDoS.t.sol`
+  `test/regression/RegressionFrontRunRegistrationDoS.t.sol`
 - provenance abuse and zero-deployer edge cases:
-  `test/audit/CodexUnauthorizedRegistrar.t.sol`
-  `test/audit/ZeroDeployerRegistration.t.sol`
+  `test/regression/RegressionUnauthorizedRegistrar.t.sol`
+  `test/regression/ZeroDeployerRegistration.t.sol`
 
 ## Source Map
 
@@ -74,9 +74,9 @@ No economic accounting lives here. The only important state is `deployerOf[addre
 - `src/interfaces/IJBAddressRegistry.sol`
 - `test/JBAddressRegistry.t.sol`
 - `test/JBAddressRegistryEdge.t.sol`
-- `test/audit/CodexFrontRunRegistrationDoS.t.sol`
-- `test/audit/CodexUnauthorizedRegistrar.t.sol`
-- `test/audit/ZeroDeployerRegistration.t.sol`
+- `test/regression/RegressionFrontRunRegistrationDoS.t.sol`
+- `test/regression/RegressionUnauthorizedRegistrar.t.sol`
+- `test/regression/ZeroDeployerRegistration.t.sol`
 - `test/regression/NonceTruncation.t.sol`
 - `script/Deploy.s.sol`
 - `script/helpers/AddressRegistryDeploymentLib.sol`

package/AUDIT_INSTRUCTIONS.md

@@ -4,7 +4,9 @@ This repo is a small registry, but it sits on a deployer-verification boundary a
 
 ## Audit Objective
 
-Find issues that:
+There is a billion dollars of well-meaning projects' money in the Juicebox Money Engine, growing exponentially. Your job is to hack it before anyone else. Whoever hacks it first saves/steals the money, and you are obsessed with being this winner, while also being a steward of the protocol and wanting it to keep growing safely.
+
+Suggestions of where to look:
 
 - let callers register contracts under the wrong deployer
 - break determinism or uniqueness assumptions around registration

package/README.md

@@ -18,7 +18,7 @@ The registry supports both `create` and `create2` deployments:
 
 Because the address is computed deterministically, registrations do not need access control. Anyone can submit the correct deployment inputs, and the registry records the deployer for the computed address after confirming code already exists there.
 
-Use this repo when deployer provenance matters. Do not confuse it with an allowlist, audit registry, or trust oracle.
+Use this repo when deployer provenance matters. Do not confuse it with an allowlist, review registry, or trust oracle.
 
 If the question is "is this hook safe?" this repo can only tell you who deployed it, not whether the code is good.
 
@@ -43,7 +43,7 @@ Anything beyond that is out of scope.
 1. `src/JBAddressRegistry.sol`
 2. `test/JBAddressRegistry.t.sol`
 3. `test/JBAddressRegistryEdge.t.sol`
-4. `test/audit/CodexFrontRunRegistrationDoS.t.sol`
+4. `test/regression/RegressionFrontRunRegistrationDoS.t.sol`
 
 ## Integration Traps
 
@@ -60,7 +60,7 @@ Anything beyond that is out of scope.
 
 1. `test/JBAddressRegistry.t.sol`
 2. `test/JBAddressRegistryEdge.t.sol`
-3. `test/audit/CodexUnauthorizedRegistrar.t.sol`
+3. `test/regression/RegressionUnauthorizedRegistrar.t.sol`
 
 ## Install
 
@@ -93,7 +93,7 @@ src/
   JBAddressRegistry.sol
   interfaces/
 test/
-  unit, edge, fork, audit, and regression coverage
+  unit, edge, fork, review, and regression coverage
 script/
   Deploy.s.sol
   helpers/
@@ -108,4 +108,4 @@ script/
 ## For AI Agents
 
 - Describe this repo as a provenance registry, not as an allowlist or safety oracle.
-- Read the edge and audit tests before making claims about frontrunning or unauthorized registration.
+- Read the edge and review tests before making claims about frontrunning or unauthorized registration.

package/RISKS.md

@@ -12,7 +12,7 @@ This file covers what `JBAddressRegistry` actually proves: deterministic address
 
 | Priority | Risk | Why it matters | Primary controls |
 |----------|------|----------------|------------------|
-| P1 | Over-trusting registration as safety approval | A registered deployer mapping does not mean the contract is audited, canonical, or safe. | UIs should label registration as provenance evidence only. |
+| P1 | Over-trusting registration as safety approval | A registered deployer mapping does not mean the contract is reviewed, canonical, or safe. | UIs should label registration as provenance evidence only. |
 | P1 | First-writer capture of a valid provenance claim | The registry records the first valid claim for an address and never updates it. | Operational discipline for trusted deployers and curated allowlists for consumers. |
 | P2 | Completeness assumptions | Unregistered contracts can still be legitimate; absence from the registry is not proof of malice. | Treat registry data as additive metadata, not an allowlist. |
 
@@ -27,7 +27,7 @@ This file covers what `JBAddressRegistry` actually proves: deterministic address
 - **First registration wins.** Once `deployerOf[addr]` is set, later registrations revert.
 - **No pre-registration of future deployments.** `registerAddress(...)` requires code to already exist at the computed address.
 - **No removal or correction path.** The registry is intentionally append-only per address.
-- **Registration is provenance, not endorsement.** `deployerOf[hook] = someFactory` says nothing about code safety, upgradeability, audit status, or whether the deployer itself is trustworthy.
+- **Registration is provenance, not endorsement.** `deployerOf[hook] = someFactory` says nothing about code safety, upgradeability, review status, or whether the deployer itself is trustworthy.
 - **Operational lag matters.** If a trusted deployer forgets to register immediately, someone else can publish the first valid claim for that address.
 
 ## 3. Integration Risks

package/STYLE_GUIDE.md

@@ -451,54 +451,9 @@ jobs:
         run: forge fmt --check
 ```
 
-**slither.yml** (repos with `src/` contracts only):
-```yaml
-name: slither
-on:
-    pull_request:
-      branches:
-        - main
-    push:
-      branches:
-        - main
-jobs:
-  analyze:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          submodules: recursive
-      - uses: actions/setup-node@v4
-        with:
-          node-version: 25.9.0
-      - name: Install npm dependencies
-        run: npm install --omit=dev
-      - name: Install Foundry
-        uses: foundry-rs/foundry-toolchain@v1
-      - name: Run slither
-        uses: crytic/slither-action@v0.4.1
-        with:
-            slither-config: slither-ci.config.json
-            fail-on: medium
-```
-
-**slither-ci.config.json:**
-```json
-{
-  "detectors_to_exclude": "timestamp,uninitialized-local,naming-convention,solc-version,shadowing-local",
-  "exclude_informational": true,
-  "exclude_low": false,
-  "exclude_medium": false,
-  "exclude_high": false,
-  "disable_color": false,
-  "filter_paths": "(mocks/|test/|node_modules/|lib/)",
-  "legacy_ast": false
-}
-```
+**Static review workflow** (repos with `src/` contracts only):
 
-**Variations:**
-- Deployer-only repos (no `src/`, only `script/`) skip slither entirely — the action's internal `forge build` skips `test/` and `script/` by default, leaving nothing to compile.
-- Use inline `// slither-disable-next-line <detector>` to suppress known false positives rather than adding to `detectors_to_exclude` in the config. The comment must be on the line immediately before the flagged expression.
+Keep repo-local static review automation current with the package's runtime surface. At minimum, CI should run formatting, linting, and build checks with `--deny notes`. Repos that only contain deployment scripts can rely on the shared formatting and lint jobs unless they add runtime contracts.
 
 ### package.json
 

package/foundry.toml

@@ -1,5 +1,6 @@
 [profile.default]
 solc = '0.8.28'
+bytecode_hash = "none"
 evm_version = 'cancun'
 optimizer_runs = 200
 libs = ["node_modules", "lib"]

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bananapus/address-registry-v6",
-  "version": "0.0.25",
+  "version": "0.0.26",
   "license": "MIT",
   "repository": {
     "type": "git",

package/references/operations.md

@@ -5,7 +5,7 @@
 - If you edit `create` reconstruction logic, verify nonce-boundary behavior.
 - If you edit `create2` behavior, verify bytecode hashing and salt assumptions.
 - If a user asks whether a contract is "safe," redirect the question to code provenance plus code review, not the registry alone.
-- If you change registration guards, re-read the audit tests before trusting a narrower unit proof.
+- If you change registration guards, re-read the review tests before trusting a narrower unit proof.
 
 ## Common Failure Modes
 

package/references/runtime.md

@@ -16,4 +16,4 @@
 - [`test/JBAddressRegistryEdge.t.sol`](../test/JBAddressRegistryEdge.t.sol) for boundary conditions.
 - [`test/JBAddressRegistry_Fork.t.sol`](../test/JBAddressRegistry_Fork.t.sol) for live assumptions.
 - [`test/regression/NonceTruncation.t.sol`](../test/regression/NonceTruncation.t.sol) for nonce-width and reconstruction regressions.
-- [`test/audit/ZeroDeployerRegistration.t.sol`](../test/audit/ZeroDeployerRegistration.t.sol), [`test/audit/CodexUnauthorizedRegistrar.t.sol`](../test/audit/CodexUnauthorizedRegistrar.t.sol), and [`test/audit/CodexFrontRunRegistrationDoS.t.sol`](../test/audit/CodexFrontRunRegistrationDoS.t.sol) for the abuse cases this repo is expected to resist.
+- [`test/regression/ZeroDeployerRegistration.t.sol`](../test/regression/ZeroDeployerRegistration.t.sol), [`test/regression/RegressionUnauthorizedRegistrar.t.sol`](../test/regression/RegressionUnauthorizedRegistrar.t.sol), and [`test/regression/RegressionFrontRunRegistrationDoS.t.sol`](../test/regression/RegressionFrontRunRegistrationDoS.t.sol) for the abuse cases this repo is expected to resist.

package/script/Deploy.s.sol

@@ -10,7 +10,7 @@ contract Deploy is Script, Sphinx {
     bytes32 constant ADDRESS_REGISTRY_SALT = "_JBAddressRegistryV6_";
 
     function configureSphinx() public override {
-        // TODO: Update to contain JB Emergency Developers
+        // Safe owners and threshold are resolved by the Sphinx project config.
         sphinxConfig.projectName = "nana-address-registry-v6";
         sphinxConfig.mainnets = ["ethereum", "optimism", "base", "arbitrum"];
         sphinxConfig.testnets = ["ethereum_sepolia", "optimism_sepolia", "base_sepolia", "arbitrum_sepolia"];

package/script/helpers/AddressRegistryDeploymentLib.sol

@@ -19,11 +19,10 @@ library AddressRegistryDeploymentLib {
     Vm internal constant vm = Vm(VM_ADDRESS);
 
     function getDeployment(string memory path) internal returns (AddressRegistryDeployment memory deployment) {
-        // get chainId for which we need to get the deployment.
+        // Match the current chain ID to the Sphinx network name used in deployment artifacts.
         uint256 chainId = block.chainid;
 
-        // Deploy to get the constants.
-        // TODO: get constants without deploy.
+        // `SphinxConstants` exposes Sphinx's supported chain ID to network name mapping.
         SphinxConstants sphinxConstants = new SphinxConstants();
         NetworkInfo[] memory networks = sphinxConstants.getNetworkInfoArray();
 

package/src/JBAddressRegistry.sol

@@ -22,7 +22,8 @@ contract JBAddressRegistry is IJBAddressRegistry {
     error JBAddressRegistry_NonceTooLarge(uint256 nonce);
 
     /// @notice Thrown when attempting to register with `address(0)` as the deployer.
-    error JBAddressRegistry_ZeroDeployer();
+    /// @param deployer The invalid deployer address.
+    error JBAddressRegistry_ZeroDeployer(address deployer);
 
     /// @notice Thrown when attempting to register an address before code exists there.
     /// @param addr The undeployed address being registered.
@@ -80,7 +81,7 @@ contract JBAddressRegistry is IJBAddressRegistry {
     /// @param deployer The deployer's address.
     function _registerAddress(address addr, address deployer) internal {
         // The registry only records non-zero deployers.
-        if (deployer == address(0)) revert JBAddressRegistry_ZeroDeployer();
+        if (deployer == address(0)) revert JBAddressRegistry_ZeroDeployer(deployer);
         // The address must already contain runtime code before it can be registered.
         if (addr.code.length == 0) revert JBAddressRegistry_AddressNotDeployed(addr);
         // Each address can only be registered once.

package/test/JBAddressRegistryEdge.t.sol

@@ -239,13 +239,13 @@ contract JBAddressRegistryEdge is Test {
 
     /// @notice Registration with address(0) as deployer reverts with `ZeroDeployer`.
     function test_zeroAddressDeployer_reverts() public {
-        vm.expectRevert(JBAddressRegistry.JBAddressRegistry_ZeroDeployer.selector);
+        vm.expectRevert(abi.encodeWithSelector(JBAddressRegistry.JBAddressRegistry_ZeroDeployer.selector, address(0)));
         registry.registerAddress(address(0), 1);
     }
 
     /// @notice Create2 registration with address(0) as deployer reverts with `ZeroDeployer`.
     function test_zeroAddressDeployer_create2_reverts() public {
-        vm.expectRevert(JBAddressRegistry.JBAddressRegistry_ZeroDeployer.selector);
+        vm.expectRevert(abi.encodeWithSelector(JBAddressRegistry.JBAddressRegistry_ZeroDeployer.selector, address(0)));
         registry.registerAddress(address(0), bytes32(uint256(42)), hex"60006000f3");
     }
 

package/test/{audit → regression}/DeploymentHelperNonceSideEffect.t.sol

@@ -28,7 +28,7 @@ contract DeploymentHelperNonceSideEffectTest is Test {
         vm.etch(registry, hex"6080604052");
 
         string memory json = string.concat('{"address":"', vm.toString(registry), '"}');
-        string memory dir = "test/audit/tmp-nonce/nana-address-registry-v6/anvil/";
+        string memory dir = "test/regression/tmp-nonce/nana-address-registry-v6/anvil/";
         string memory file = string.concat(dir, "JBAddressRegistry.json");
 
         vm.createDir(dir, true);
@@ -36,7 +36,7 @@ contract DeploymentHelperNonceSideEffectTest is Test {
 
         uint64 nonceBefore = vm.getNonce(address(caller));
 
-        caller.getDeployment("test/audit/tmp-nonce/");
+        caller.getDeployment("test/regression/tmp-nonce/");
 
         uint64 nonceAfter = vm.getNonce(address(caller));
 

package/test/{audit → regression}/DeploymentHelperValidation.t.sol

@@ -16,13 +16,14 @@ contract DeploymentLibCaller {
         string memory networkName
     )
         external
+        view
         returns (AddressRegistryDeployment memory)
     {
         return AddressRegistryDeploymentLib.getDeployment({path: path, networkName: networkName});
     }
 }
 
-/// @notice Tests M-40: Deployment helper rejects stale artifacts pointing to non-contract addresses.
+/// @notice Tests Deployment helper rejects stale artifacts pointing to non-contract addresses.
 contract DeploymentHelperValidationTest is Test {
     DeploymentLibCaller internal caller;
 
@@ -35,12 +36,12 @@ contract DeploymentHelperValidationTest is Test {
         address eoa = makeAddr("staleEOA");
         string memory json = string.concat('{"address":"', vm.toString(eoa), '"}');
 
-        string memory dir = "test/audit/tmp-eoa/nana-address-registry-v6/testnet/";
+        string memory dir = "test/regression/tmp-eoa/nana-address-registry-v6/testnet/";
         vm.createDir(dir, true);
         vm.writeFile(string.concat(dir, "JBAddressRegistry.json"), json);
 
         vm.expectRevert("AddressRegistryDeploymentLib: registry has no code");
-        caller.getDeployment({path: "test/audit/tmp-eoa/", networkName: "testnet"});
+        caller.getDeployment({path: "test/regression/tmp-eoa/", networkName: "testnet"});
 
         vm.removeFile(string.concat(dir, "JBAddressRegistry.json"));
     }
@@ -51,11 +52,11 @@ contract DeploymentHelperValidationTest is Test {
         vm.etch(registry, hex"6080604052");
         string memory json = string.concat('{"address":"', vm.toString(registry), '"}');
 
-        string memory dir = "test/audit/tmp-contract/nana-address-registry-v6/testnet/";
+        string memory dir = "test/regression/tmp-contract/nana-address-registry-v6/testnet/";
         vm.createDir(dir, true);
         vm.writeFile(string.concat(dir, "JBAddressRegistry.json"), json);
 
-        caller.getDeployment({path: "test/audit/tmp-contract/", networkName: "testnet"});
+        caller.getDeployment({path: "test/regression/tmp-contract/", networkName: "testnet"});
 
         vm.removeFile(string.concat(dir, "JBAddressRegistry.json"));
     }

package/test/{audit/CodexFrontRunRegistrationDoS.t.sol → regression/RegressionFrontRunRegistrationDoS.t.sol}

@@ -5,7 +5,7 @@ import {Test} from "forge-std/Test.sol";
 
 import {JBAddressRegistry} from "../../src/JBAddressRegistry.sol";
 
-contract CodexFrontRunRegistrationDoSTest is Test {
+contract RegressionFrontRunRegistrationDoSTest is Test {
     JBAddressRegistry internal registry;
     MockPostDeployRegistrar internal deployer;
 

package/test/{audit/CodexUnauthorizedRegistrar.t.sol → regression/RegressionUnauthorizedRegistrar.t.sol}

@@ -5,7 +5,7 @@ import {Test} from "forge-std/Test.sol";
 
 import {JBAddressRegistry} from "../../src/JBAddressRegistry.sol";
 
-contract CodexUnauthorizedRegistrarTest is Test {
+contract RegressionUnauthorizedRegistrarTest is Test {
     JBAddressRegistry internal registry;
     address internal deployer = makeAddr("deployer");
     address internal attacker = makeAddr("attacker");

package/test/{audit → regression}/ZeroDeployerRegistration.t.sol

@@ -16,7 +16,7 @@ contract ZeroDeployerRegistrationTest is Test {
     function test_createRegistrationWithZeroDeployerReverts() external {
         uint256 nonce = 1;
 
-        vm.expectRevert(JBAddressRegistry.JBAddressRegistry_ZeroDeployer.selector);
+        vm.expectRevert(abi.encodeWithSelector(JBAddressRegistry.JBAddressRegistry_ZeroDeployer.selector, address(0)));
         registry.registerAddress(address(0), nonce);
     }
 
@@ -25,7 +25,7 @@ contract ZeroDeployerRegistrationTest is Test {
         bytes32 salt = keccak256("salt");
         bytes memory bytecode = hex"60006000f3";
 
-        vm.expectRevert(JBAddressRegistry.JBAddressRegistry_ZeroDeployer.selector);
+        vm.expectRevert(abi.encodeWithSelector(JBAddressRegistry.JBAddressRegistry_ZeroDeployer.selector, address(0)));
         registry.registerAddress(address(0), salt, bytecode);
     }
 }

package/slither-ci.config.json

@@ -1,10 +0,0 @@
-{
-    "detectors_to_exclude": "timestamp,uninitialized-local,naming-convention,solc-version,shadowing-local",
-    "exclude_informational": true,
-    "exclude_low": false,
-    "exclude_medium": false,
-    "exclude_high": false,
-    "disable_color": false,
-    "filter_paths": "(mocks/|test/|node_modules/|lib/)",
-    "legacy_ast": false
-}