@bananapus/core-v6 0.0.5 → 0.0.6

package/README.md

@@ -8,77 +8,127 @@ For full documentation, see [docs.juicebox.money](https://docs.juicebox.money/).
 
 Juicebox projects have two main entry points:
 
-- **Terminals** handle inflows and outflows of funds — payments, cash outs, payouts, and surplus allowance usage. Each project can use multiple terminals, and a single terminal can serve many projects. `JBMultiTerminal` is the standard implementation.
+- **Terminals** handle inflows and outflows of funds -- payments, cash outs, payouts, and surplus allowance usage. Each project can use multiple terminals, and a single terminal can serve many projects. `JBMultiTerminal` is the standard implementation.
 - **Controllers** manage rulesets and tokens. `JBController` is the standard implementation that coordinates ruleset queuing, token minting/burning, splits, and fund access limits.
 
 `JBDirectory` maps each project to its controller and terminals.
 
 ### Rulesets
 
-A project's behavior is governed by a queue of **rulesets**. Each ruleset defines the rules that apply for a specific duration: payment weight (tokens minted per unit paid), cash out rate, reserved rate, payout limits, approval hooks, and more. When a ruleset ends, the next one in the queue takes effect. If the queue is empty, the current ruleset keeps cycling with weight decay applied each cycle. Rulesets give project creators the ability to evolve their project's rules while offering supporters contractual guarantees about the future.
+A project's behavior is governed by a queue of **rulesets**. Each ruleset defines the rules that apply for a specific duration: payment weight (tokens minted per unit paid), cash out tax rate, reserved percent, payout limits, approval hooks, and more. When a ruleset ends, the next one in the queue takes effect. If the queue is empty, the current ruleset keeps cycling with weight decay applied each cycle. Rulesets give project creators the ability to evolve their project's rules while offering supporters contractual guarantees about the future.
+
+Key ruleset behaviors:
+- **Weight** determines token issuance per unit paid. A weight of 1 means "inherit decayed weight from the previous ruleset". A weight of 0 means "no issuance".
+- **Weight decay** is controlled by `weightCutPercent`. Each cycle, the weight is reduced by this percent (9-decimal precision out of `1_000_000_000`).
+- **Duration of 0** means the ruleset never expires and must be explicitly replaced by a new queued ruleset (which takes effect immediately).
+- **Approval hooks** can gate whether queued rulesets take effect. For example, `JBDeadline` requires rulesets to be queued a minimum number of seconds before the current ruleset ends.
 
 ### Fund Distribution
 
-Funds can be accessed through **payouts** (distributed to splits within payout limits, resetting each ruleset) or **surplus allowance** (discretionary withdrawal of surplus funds, does not reset). Funds beyond payout limits are surplus — available for cash outs if the project's cash out rate allows it.
+Funds can be accessed through **payouts** (distributed to splits within payout limits, resetting each ruleset cycle) or **surplus allowance** (discretionary withdrawal of surplus funds, does not reset each cycle). Funds beyond payout limits are surplus -- available for cash outs if the project's cash out tax rate allows it.
+
+- **Payout limits** are denominated in configurable currencies and can be set per terminal/token. Multiple limits in different currencies can be active simultaneously.
+- **Surplus allowances** allow project owners to withdraw surplus funds up to a configured amount, also denominated in configurable currencies.
 
 ### Payments, Tokens, and Cash Outs
 
-Payments mint credits (or ERC-20 tokens if deployed) for the payer. Credits and tokens can be **cashed out** to reclaim surplus funds along a bonding curve determined by the cash out rate. A 100% rate gives 1:1 redemption; lower rates incentivize holding by giving later redeemers a better rate.
+Payments mint credits (or ERC-20 tokens if an ERC-20 has been deployed for the project) for the payer based on the current ruleset's weight. The number of tokens minted can be influenced by a data hook.
+
+Credits and tokens can be **cashed out** to reclaim surplus funds along a bonding curve determined by the cash out tax rate:
+- A **0% tax rate** gives proportional (1:1) redemption of surplus.
+- A **100% tax rate** means nothing can be reclaimed (all surplus is locked).
+- Tax rates between 0% and 100% create a bonding curve that incentivizes holding -- later cashers-out get a better rate per token.
+
+### Reserved Tokens
+
+Each ruleset can define a `reservedPercent` (0-10,000 basis points). When tokens are minted from payments, this percentage is set aside. Reserved tokens accumulate in `pendingReservedTokenBalanceOf` and are distributed to the reserved token split group when `sendReservedTokensToSplitsOf` is called.
 
 ### Permissions
 
-`JBPermissions` lets addresses delegate specific capabilities to operators, scoped by project ID. Each permission ID grants access to specific functions (see [`JBPermissionIds`](https://github.com/Bananapus/nana-permission-ids-v6/blob/main/src/JBPermissionIds.sol) for the full list of 34 permission IDs used across the protocol).
+`JBPermissions` lets addresses delegate specific capabilities to operators, scoped by project ID. Each permission ID grants access to specific functions. See [`JBPermissionIds`](https://github.com/Bananapus/nana-permission-ids-v6/blob/main/src/JBPermissionIds.sol) for the full list.
+
+- Permission ID `255` is `ROOT` and grants all permissions for the scoped project.
+- Project ID `0` is a wildcard, granting permissions across all projects (cannot be combined with `ROOT` for safety).
+- ROOT operators can set non-ROOT permissions for other operators, but cannot grant ROOT or set wildcard-project permissions.
 
 ### Hooks
 
 Hooks are customizable contracts that plug into protocol flows:
 
-- **Approval hooks** — Gate whether the next queued ruleset can take effect (e.g., `JBDeadline` enforces a minimum queue time).
-- **Data hooks** — Override payment/cash-out weight or memo, and specify pay/cash-out hooks to call.
-- **Pay hooks** — Custom logic triggered after a payment is recorded (e.g., `JB721TiersHook` mints NFTs).
-- **Cash out hooks** — Custom logic triggered after a cash out is recorded.
-- **Split hooks** — Custom logic triggered when a payout is routed to a split.
+- **Approval hooks** -- Gate whether the next queued ruleset can take effect (e.g., `JBDeadline` enforces a minimum queue time).
+- **Data hooks** -- Override payment/cash-out weight, cash out tax rate, token counts, and specify pay/cash-out hooks to call. Data hooks can also grant `hasMintPermissionFor` to allow addresses to mint tokens on demand.
+- **Pay hooks** -- Custom logic triggered after a payment is recorded (e.g., `JB721TiersHook` mints NFTs). Receive tokens and `JBAfterPayRecordedContext`.
+- **Cash out hooks** -- Custom logic triggered after a cash out is recorded. Receive tokens and `JBAfterCashOutRecordedContext`.
+- **Split hooks** -- Custom logic triggered when a payout or reserved token distribution is routed to a split. Receive tokens and `JBSplitHookContext`.
 
 ### Fees
 
-`JBMultiTerminal` charges a 2.5% fee on payouts to addresses (not to other projects), surplus allowance usage, and cash outs when the cash out rate is below 100%.
+`JBMultiTerminal` charges a 2.5% fee (`FEE = 25` out of `MAX_FEE = 1000`) on:
+- Payouts to external addresses (not to other Juicebox projects).
+- Surplus allowance usage.
+- Cash outs when the cash out tax rate is below 100%.
+
+Fees are paid to **project #1** (the fee beneficiary project, minted in the `JBProjects` constructor). Addresses on the `JBFeelessAddresses` allowlist are exempt from fees.
+
+When a ruleset has `holdFees` enabled, fees are held for 28 days before being processed. During this period, if funds are returned to the project via `addToBalanceOf`, held fees can be unlocked and returned.
+
+### Meta-Transactions
+
+`JBController`, `JBMultiTerminal`, `JBProjects`, `JBPrices`, and `JBPermissions` support ERC-2771 meta-transactions through a trusted forwarder. This allows gasless interactions where a relayer submits transactions on behalf of users.
+
+### Permit2
+
+`JBMultiTerminal` integrates with Uniswap's [Permit2](https://github.com/Uniswap/permit2) for gas-efficient ERC-20 token approvals. Payers can include a `JBSingleAllowance` in the payment metadata to authorize token transfers without a separate approval transaction.
+
+### Controller Migration
+
+Projects can migrate between controllers using the `IJBMigratable` interface. The migration lifecycle calls `beforeReceiveMigrationFrom` on the new controller, then `migrate` on the old controller (while the directory still points to it), then updates the directory, and finally calls `afterReceiveMigrationFrom`. Terminal migration is also supported via `migrateBalanceOf`.
 
 ## Architecture
 
 Juicebox V6 separates concerns across specialized contracts that coordinate through a central directory. Projects are represented as ERC-721 NFTs. Each project configures rulesets that dictate how payments, payouts, cash outs, and token minting behave over time.
 
+All contracts use Solidity `0.8.26`.
+
 ### Core Contracts
 
 | Contract | Description |
 |----------|-------------|
-| `JBProjects` | ERC-721 registry of projects. Minting an NFT creates a project. |
-| `JBPermissions` | Bitmap-based permission system. Accounts grant operators specific permissions scoped to project IDs. |
-| `JBDirectory` | Maps each project to its controller and terminals. Entry point for looking up where to interact with a project. |
-| `JBController` | Coordinates rulesets, tokens, splits, and fund access limits. Entry point for launching projects, launching and queuing rulesets, minting/burning tokens, and sending reserved tokens. |
-| `JBMultiTerminal` | Accepts payments (native ETH and ERC-20s), processes cash outs, distributes payouts, and manages surplus allowances. Charges a 2.5% fee on payouts and surplus usage. |
-| `JBTerminalStore` | Bookkeeping engine for all terminal inflows and outflows. Tracks balances, enforces payout limits and surplus allowances, and computes cash out reclaim amounts via a bonding curve. |
+| `JBProjects` | ERC-721 registry of projects. Minting an NFT creates a project. Optionally mints project #1 to a fee beneficiary owner. |
+| `JBPermissions` | Bitmap-based permission system. Accounts grant operators specific permissions scoped to project IDs. Supports ROOT (255) for all-permissions and wildcard project ID (0). |
+| `JBDirectory` | Maps each project to its controller and terminals. Entry point for looking up where to interact with a project. Manages an allowlist of addresses permitted to set a project's first controller. |
+| `JBController` | Coordinates rulesets, tokens, splits, and fund access limits. Entry point for launching projects, queuing rulesets, minting/burning tokens, deploying ERC-20s, sending reserved tokens, setting project URIs, adding price feeds, and transferring credits. |
+| `JBMultiTerminal` | Accepts payments (native ETH and ERC-20s), processes cash outs, distributes payouts, manages surplus allowances, and handles fees. Integrates with Permit2 for ERC-20 approvals. |
+| `JBTerminalStore` | Bookkeeping engine for all terminal inflows and outflows. Tracks balances, enforces payout limits and surplus allowances, computes cash out reclaim amounts via a bonding curve, and integrates with data hooks. |
 | `JBRulesets` | Stores and manages project rulesets. Handles queuing, cycling, weight decay, approval hook validation, and weight caching for long-running projects. |
-| `JBTokens` | Manages dual-balance token accounting (credits + ERC-20). Credits are minted by default; once an ERC-20 is deployed, credits can be claimed as tokens. |
-| `JBSplits` | Stores split configurations per project, ruleset, and group. Splits route percentages of payouts or reserved tokens to beneficiaries, projects, or hooks. |
-| `JBFundAccessLimits` | Stores payout limits and surplus allowances per project, ruleset, terminal, and token. Limits are denominated in configurable currencies. |
-| `JBPrices` | Price feed registry. Maps currency pairs to `IJBPriceFeed` implementations, with per-project overrides and protocol-wide defaults. |
+| `JBTokens` | Manages dual-balance token accounting (credits + ERC-20). Credits are minted by default; once an ERC-20 is deployed or set, credits can be claimed as tokens. Credits are burned before ERC-20 tokens. |
+| `JBSplits` | Stores split configurations per project, ruleset, and group. Splits route percentages of payouts or reserved tokens to beneficiaries, projects, or hooks. Packed storage for gas efficiency. Falls back to ruleset ID 0 if no splits are set for a specific ruleset. |
+| `JBFundAccessLimits` | Stores payout limits and surplus allowances per project, ruleset, terminal, and token. Limits are denominated in configurable currencies and must be set in strictly increasing currency order to prevent duplicates. |
+| `JBPrices` | Price feed registry. Maps currency pairs to `IJBPriceFeed` implementations, with per-project overrides and protocol-wide defaults. Feeds are immutable once set. Inverse prices are auto-calculated. |
 
-### Token & Price Feed Contracts
+### Token and Price Feed Contracts
 
 | Contract | Description |
 |----------|-------------|
-| `JBERC20` | Cloneable ERC-20 with ERC20Votes and ERC20Permit. Deployed by `JBTokens` when a project calls `deployERC20For`. |
-| `JBChainlinkV3PriceFeed` | `IJBPriceFeed` backed by a Chainlink `AggregatorV3Interface` with staleness checks. |
-| `JBChainlinkV3SequencerPriceFeed` | Extends `JBChainlinkV3PriceFeed` with L2 sequencer uptime validation for Optimism/Arbitrum. |
-| `JBMatchingPriceFeed` | Returns 1:1 price (e.g. ETH/NATIVE_TOKEN on applicable chains). Lives in `src/periphery/`. |
+| `JBERC20` | Cloneable ERC-20 with ERC20Votes and ERC20Permit. Deployed by `JBTokens` via `Clones.clone()`. Owned by `JBTokens`. |
+| `JBChainlinkV3PriceFeed` | `IJBPriceFeed` backed by a Chainlink `AggregatorV3Interface` with staleness threshold. Rejects negative/zero prices and incomplete rounds. |
+| `JBChainlinkV3SequencerPriceFeed` | Extends `JBChainlinkV3PriceFeed` with L2 sequencer uptime validation and grace period for Optimism/Arbitrum. |
+| `JBMatchingPriceFeed` | Returns 1:1 price (e.g., ETH/NATIVE_TOKEN on applicable chains). Lives in `src/periphery/`. |
 
 ### Utility Contracts
 
 | Contract | Description |
 |----------|-------------|
-| `JBFeelessAddresses` | Owner-managed allowlist of addresses exempt from terminal fees. |
+| `JBFeelessAddresses` | Owner-managed allowlist of addresses exempt from terminal fees. Supports `IERC165`. |
 | `JBDeadline` | Approval hook that rejects rulesets queued too close to the current ruleset's end. Ships as `JBDeadline3Hours`, `JBDeadline1Day`, `JBDeadline3Days`, `JBDeadline7Days`. |
 
+### Abstract Contracts
+
+| Contract | Description |
+|----------|-------------|
+| `JBControlled` | Provides `onlyControllerOf(projectId)` modifier. Used by `JBRulesets`, `JBTokens`, `JBSplits`, `JBFundAccessLimits`, and `JBPrices`. |
+| `JBPermissioned` | Provides `_requirePermissionFrom` and `_requirePermissionAllowingOverrideFrom` helpers. Used by `JBController`, `JBMultiTerminal`, `JBDirectory`, and `JBPrices`. |
+
 ### Libraries
 
 | Library | Description |
@@ -86,12 +136,22 @@ Juicebox V6 separates concerns across specialized contracts that coordinate thro
 | `JBConstants` | Protocol-wide constants: `NATIVE_TOKEN` address, max percentages, max fee. |
 | `JBCurrencyIds` | Currency identifiers (`ETH = 1`, `USD = 2`). |
 | `JBSplitGroupIds` | Group identifiers (`RESERVED_TOKENS = 1`). |
-| `JBCashOuts` | Bonding curve math for computing cash out reclaim amounts. |
-| `JBSurplus` | Calculates a project's surplus across terminals. |
-| `JBFees` | Fee calculation helpers. |
-| `JBFixedPointNumber` | Decimal adjustment for fixed-point numbers. |
-| `JBMetadataResolver` | Packs and unpacks metadata bytes for pay/cash-out hooks. |
-| `JBRulesetMetadataResolver` | Packs and unpacks the `uint256 metadata` field on `JBRuleset` into `JBRulesetMetadata`. |
+| `JBCashOuts` | Bonding curve math for computing cash out reclaim amounts. Includes `minCashOutCountFor` inverse via binary search. |
+| `JBSurplus` | Calculates a project's surplus across all terminals. |
+| `JBFees` | Fee calculation helpers. `feeAmountFrom` (forward) and `feeAmountResultingIn` (backward). |
+| `JBFixedPointNumber` | Decimal adjustment between fixed-point number precisions. |
+| `JBMetadataResolver` | Packs and unpacks variable-length `{id: data}` metadata entries with a lookup table. Used by pay/cash-out hooks. |
+| `JBRulesetMetadataResolver` | Packs and unpacks the `uint256 metadata` field on `JBRuleset` into `JBRulesetMetadata`. Bit layout: version (4 bits), reservedPercent (16), cashOutTaxRate (16), baseCurrency (32), 14 boolean flags (1 bit each), dataHook address (160), metadata (14). |
+
+### Hook Interfaces
+
+| Interface | Description |
+|-----------|-------------|
+| `IJBRulesetApprovalHook` | Determines whether the next queued ruleset is approved or rejected. Must implement `approvalStatusOf` and `DURATION`. |
+| `IJBRulesetDataHook` | Overrides payment/cash-out parameters. Implements `beforePayRecordedWith`, `beforeCashOutRecordedWith`, and `hasMintPermissionFor`. |
+| `IJBPayHook` | Called after a payment is recorded. Implements `afterPayRecordedWith`. |
+| `IJBCashOutHook` | Called after a cash out is recorded. Implements `afterCashOutRecordedWith`. |
+| `IJBSplitHook` | Called when processing a split. Implements `processSplitWith`. |
 
 ## Install
 

package/SKILLS.md

@@ -12,44 +12,137 @@ The core Juicebox V6 protocol on EVM: a modular system for launching treasury-ba
 | `JBPermissions` | Packed `uint256` bitmap permissions. Operators get specific permission IDs scoped to projects. |
 | `JBDirectory` | Maps project IDs to their controller (`IERC165`) and terminals (`IJBTerminal[]`). |
 | `JBController` | Orchestrates rulesets, tokens, splits, fund access limits. Entry point for project lifecycle. |
-| `JBMultiTerminal` | Handles ETH/ERC-20 payments, cash outs, payouts, surplus allowance, fees. |
+| `JBMultiTerminal` | Handles ETH/ERC-20 payments, cash outs, payouts, surplus allowance, fees. Permit2 integration. |
 | `JBTerminalStore` | Bookkeeping: balances, payout limit tracking, surplus calculation, bonding curve reclaim math. |
 | `JBRulesets` | Stores/cycles rulesets with weight decay, approval hooks, and weight cache for gas-efficient long-running cycles. |
 | `JBTokens` | Dual-balance system: credits (internal) + ERC-20. Credits burned first on burn. |
 | `JBSplits` | Split configurations per project/ruleset/group. Packed storage for gas efficiency. |
 | `JBFundAccessLimits` | Payout limits and surplus allowances per project/ruleset/terminal/token. |
-| `JBPrices` | Price feed registry with project-specific and protocol-wide default feeds. |
-| `JBERC20` | Cloneable ERC-20 with Votes + Permit. Owned by `JBTokens`. |
+| `JBPrices` | Price feed registry with project-specific and protocol-wide default feeds. Immutable once set. |
+| `JBERC20` | Cloneable ERC-20 with Votes + Permit. Owned by `JBTokens`. Deployed via `Clones.clone()`. |
 | `JBFeelessAddresses` | Allowlist for fee-exempt addresses. |
-| `JBChainlinkV3PriceFeed` | Chainlink AggregatorV3 price feed with staleness threshold. |
-| `JBChainlinkV3SequencerPriceFeed` | L2 sequencer-aware Chainlink feed (Optimism/Arbitrum). |
-| `JBDeadline` | Approval hook: rejects rulesets queued within `DURATION` seconds of start. |
-| `JBMatchingPriceFeed` | Always returns 1:1. For equivalent currencies. |
+| `JBChainlinkV3PriceFeed` | Chainlink AggregatorV3 price feed with staleness threshold. Rejects negative/zero prices. |
+| `JBChainlinkV3SequencerPriceFeed` | L2 sequencer-aware Chainlink feed (Optimism/Arbitrum) with grace period after restart. |
+| `JBDeadline` | Approval hook: rejects rulesets queued within `DURATION` seconds of start. Ships as `JBDeadline3Hours`, `JBDeadline1Day`, `JBDeadline3Days`, `JBDeadline7Days`. |
+| `JBMatchingPriceFeed` | Always returns 1:1. For equivalent currencies (e.g. ETH/NATIVE_TOKEN). |
 
 ## Key Functions
 
-| Function | Contract | What it does |
-|----------|----------|--------------|
-| `launchProjectFor(address owner, string uri, JBRulesetConfig[] rulesetConfigs, JBTerminalConfig[] terminalConfigs, string memo)` | `JBController` | Creates a project, queues its first rulesets, and configures terminals. Returns `projectId`. |
-| `launchRulesetsFor(uint256 projectId, JBRulesetConfig[] rulesetConfigs, JBTerminalConfig[] terminalConfigs, string memo)` | `JBController` | Launches the first rulesets for an existing project that has none. |
-| `queueRulesetsOf(uint256 projectId, JBRulesetConfig[] rulesetConfigs, string memo)` | `JBController` | Queues new rulesets for a project. Takes effect after the current ruleset ends (or immediately if duration is 0). |
-| `mintTokensOf(uint256 projectId, uint256 tokenCount, address beneficiary, string memo, bool useReservedPercent)` | `JBController` | Mints project tokens. Requires `allowOwnerMinting` in the current ruleset or caller must be a terminal/hook. |
-| `burnTokensOf(address holder, uint256 projectId, uint256 tokenCount, string memo)` | `JBController` | Burns tokens from a holder. Requires holder's permission (`BURN_TOKENS`). |
-| `sendReservedTokensToSplitsOf(uint256 projectId)` | `JBController` | Distributes accumulated reserved tokens to the reserved token split group. Returns token count sent. |
-| `deployERC20For(uint256 projectId, string name, string symbol, bytes32 salt)` | `JBController` | Deploys a cloneable `JBERC20` for the project. Credits become claimable. |
-| `claimTokensFor(address holder, uint256 projectId, uint256 count, address beneficiary)` | `JBController` | Redeems credits for ERC-20 tokens into beneficiary's wallet. |
-| `pay(uint256 projectId, address token, uint256 amount, address beneficiary, uint256 minReturnedTokens, string memo, bytes metadata)` | `JBMultiTerminal` | Pays a project. Mints project tokens to beneficiary based on ruleset weight. Returns token count. |
-| `cashOutTokensOf(address holder, uint256 projectId, uint256 cashOutCount, address tokenToReclaim, uint256 minTokensReclaimed, address beneficiary, bytes metadata)` | `JBMultiTerminal` | Burns project tokens and reclaims surplus terminal tokens via bonding curve. |
-| `sendPayoutsOf(uint256 projectId, address token, uint256 amount, uint256 currency, uint256 minTokensPaidOut)` | `JBMultiTerminal` | Distributes payouts from the project's balance to its payout split group, up to the payout limit. |
-| `useAllowanceOf(uint256 projectId, address token, uint256 amount, uint256 currency, uint256 minTokensPaidOut, address beneficiary, string memo)` | `JBMultiTerminal` | Withdraws from the project's surplus allowance to a beneficiary. |
-| `addToBalanceOf(uint256 projectId, address token, uint256 amount, bool shouldReturnHeldFees, string memo, bytes metadata)` | `JBMultiTerminal` | Adds funds to a project's balance without minting tokens. Can unlock held fees. |
-| `migrateBalanceOf(uint256 projectId, address token, IJBTerminal to)` | `JBMultiTerminal` | Migrates a project's token balance to another terminal. Requires `allowTerminalMigration`. |
-| `currentOf(uint256 projectId)` | `JBRulesets` | Returns the currently active ruleset with decayed weight and correct cycle number. |
-| `queueFor(uint256 projectId, uint256 duration, uint256 weight, uint256 weightCutPercent, IJBRulesetApprovalHook approvalHook, uint256 metadata, uint256 mustStartAtOrAfter)` | `JBRulesets` | Queues a new ruleset. Only callable by the project's controller. |
-| `setPermissionsFor(address account, JBPermissionsData permissionsData)` | `JBPermissions` | Grants or revokes operator permissions. ROOT operators can set non-ROOT permissions. |
-| `addPriceFeedFor(uint256 projectId, uint256 pricingCurrency, uint256 unitCurrency, IJBPriceFeed feed)` | `JBPrices` | Registers a price feed. Project ID 0 sets protocol-wide defaults (owner-only). |
-| `pricePerUnitOf(uint256 projectId, uint256 pricingCurrency, uint256 unitCurrency, uint256 decimals)` | `JBPrices` | Returns the price of 1 `unitCurrency` in `pricingCurrency`. Checks project-specific, inverse, then default feeds. |
-| `setFeelessAddress(address addr, bool flag)` | `JBFeelessAddresses` | Adds or removes an address from the fee exemption list. Owner-only. |
+### JBController
+
+| Function | What it does |
+|----------|--------------|
+| `launchProjectFor(address owner, string uri, JBRulesetConfig[] rulesetConfigs, JBTerminalConfig[] terminalConfigs, string memo)` | Creates a project, queues its first rulesets, and configures terminals. Returns `projectId`. |
+| `launchRulesetsFor(uint256 projectId, JBRulesetConfig[] rulesetConfigs, JBTerminalConfig[] terminalConfigs, string memo)` | Launches the first rulesets for an existing project that has none. |
+| `queueRulesetsOf(uint256 projectId, JBRulesetConfig[] rulesetConfigs, string memo)` | Queues new rulesets for a project. Takes effect after the current ruleset ends (or immediately if duration is 0). |
+| `mintTokensOf(uint256 projectId, uint256 tokenCount, address beneficiary, string memo, bool useReservedPercent)` | Mints project tokens. Requires `allowOwnerMinting` in the current ruleset or caller must be a terminal/hook with mint permission. |
+| `burnTokensOf(address holder, uint256 projectId, uint256 tokenCount, string memo)` | Burns tokens from a holder. Requires holder's permission (`BURN_TOKENS`). |
+| `sendReservedTokensToSplitsOf(uint256 projectId)` | Distributes accumulated reserved tokens to the reserved token split group. Returns token count sent. |
+| `deployERC20For(uint256 projectId, string name, string symbol, bytes32 salt)` | Deploys a cloneable `JBERC20` for the project. Credits become claimable. |
+| `claimTokensFor(address holder, uint256 projectId, uint256 count, address beneficiary)` | Redeems credits for ERC-20 tokens into beneficiary's wallet. |
+| `setSplitGroupsOf(uint256 projectId, uint256 rulesetId, JBSplitGroup[] splitGroups)` | Sets the split groups for a project's ruleset. |
+| `setTokenFor(uint256 projectId, IJBToken token)` | Sets an existing ERC-20 token for the project (requires `allowSetCustomToken` in ruleset). |
+| `setUriOf(uint256 projectId, string uri)` | Sets the project's metadata URI. |
+| `transferCreditsFrom(address holder, uint256 projectId, address recipient, uint256 creditCount)` | Transfers credits between addresses (reverts if `pauseCreditTransfers` is set in ruleset). |
+| `addPriceFeedFor(uint256 projectId, uint256 pricingCurrency, uint256 unitCurrency, IJBPriceFeed feed)` | Registers a price feed (requires `allowAddPriceFeed` in ruleset). |
+| `migrateController(uint256 projectId, IJBMigratable to)` | Migrates the project to a new controller. Calls `beforeReceiveMigrationFrom`, `migrate`, updates directory, then `afterReceiveMigrationFrom`. |
+| `currentRulesetOf(uint256 projectId)` | Returns the current ruleset and unpacked metadata. |
+| `upcomingRulesetOf(uint256 projectId)` | Returns the upcoming ruleset and unpacked metadata. |
+| `allRulesetsOf(uint256 projectId, uint256 startingId, uint256 size)` | Returns an array of rulesets with metadata, paginated. |
+| `pendingReservedTokenBalanceOf(uint256 projectId)` | Returns accumulated reserved tokens not yet distributed. |
+| `totalTokenSupplyWithReservedTokensOf(uint256 projectId)` | Returns total supply including pending reserved tokens. |
+
+### JBMultiTerminal
+
+| Function | What it does |
+|----------|--------------|
+| `pay(uint256 projectId, address token, uint256 amount, address beneficiary, uint256 minReturnedTokens, string memo, bytes metadata)` | Pays a project. Mints project tokens to beneficiary based on ruleset weight. Returns token count. |
+| `cashOutTokensOf(address holder, uint256 projectId, uint256 cashOutCount, address tokenToReclaim, uint256 minTokensReclaimed, address beneficiary, bytes metadata)` | Burns project tokens and reclaims surplus terminal tokens via bonding curve. |
+| `sendPayoutsOf(uint256 projectId, address token, uint256 amount, uint256 currency, uint256 minTokensPaidOut)` | Distributes payouts from the project's balance to its payout split group, up to the payout limit. |
+| `useAllowanceOf(uint256 projectId, address token, uint256 amount, uint256 currency, uint256 minTokensPaidOut, address payable beneficiary, address payable feeBeneficiary, string memo)` | Withdraws from the project's surplus allowance to a beneficiary. The `feeBeneficiary` receives tokens minted by the fee payment. |
+| `addToBalanceOf(uint256 projectId, address token, uint256 amount, bool shouldReturnHeldFees, string memo, bytes metadata)` | Adds funds to a project's balance without minting tokens. Can unlock held fees. |
+| `migrateBalanceOf(uint256 projectId, address token, IJBTerminal to)` | Migrates a project's token balance to another terminal. Requires `allowTerminalMigration`. |
+| `processHeldFeesOf(uint256 projectId, address token, uint256 count)` | Processes up to `count` held fees for a project, sending them to the fee beneficiary project. |
+| `addAccountingContextsFor(uint256 projectId, JBAccountingContext[] accountingContexts)` | Adds new accounting contexts (token types) to a terminal for a project. |
+| `currentSurplusOf(uint256 projectId, JBAccountingContext[] accountingContexts, uint256 decimals, uint256 currency)` | Returns the project's current surplus in the specified currency. |
+| `accountingContextForTokenOf(uint256 projectId, address token)` | Returns the accounting context for a specific token. |
+| `accountingContextsOf(uint256 projectId)` | Returns all accounting contexts for a project. |
+| `heldFeesOf(uint256 projectId, address token, uint256 count)` | Returns up to `count` held fees for a project/token. |
+
+### JBTerminalStore
+
+| Function | What it does |
+|----------|--------------|
+| `recordPaymentFrom(address payer, JBTokenAmount amount, uint256 projectId, address beneficiary, bytes metadata)` | Records a payment. Applies data hook if enabled. Returns ruleset, token count, hook specifications. |
+| `recordPayoutFor(uint256 projectId, JBAccountingContext accountingContext, uint256 amount, uint256 currency)` | Records a payout. Enforces payout limits. Returns ruleset and amount paid out. |
+| `recordCashOutFor(address holder, uint256 projectId, uint256 cashOutCount, JBAccountingContext accountingContext, JBAccountingContext[] balanceAccountingContexts, bytes metadata)` | Records a cash out. Computes reclaim via bonding curve. Returns ruleset, reclaim amount, tax rate, and hook specifications. |
+| `recordUsedAllowanceOf(uint256 projectId, JBAccountingContext accountingContext, uint256 amount, uint256 currency)` | Records surplus allowance usage. Enforces allowance limits. Returns ruleset and used amount. |
+| `recordAddedBalanceFor(uint256 projectId, address token, uint256 amount)` | Records funds added to a project's balance. |
+| `recordTerminalMigration(uint256 projectId, address token)` | Records a terminal migration, returning the full balance. |
+| `balanceOf(address terminal, uint256 projectId, address token)` | Returns the balance of a project at a terminal for a given token. |
+| `usedPayoutLimitOf(address terminal, uint256 projectId, address token, uint256 rulesetCycleNumber, uint256 currency)` | Returns the used payout limit for a project in a given cycle. |
+| `usedSurplusAllowanceOf(address terminal, uint256 projectId, address token, uint256 rulesetId, uint256 currency)` | Returns the used surplus allowance for a project in a given ruleset. |
+| `currentSurplusOf(address terminal, uint256 projectId, JBAccountingContext[] accountingContexts, uint256 decimals, uint256 currency)` | Returns the current surplus for a project at a terminal. |
+
+### JBRulesets
+
+| Function | What it does |
+|----------|--------------|
+| `currentOf(uint256 projectId)` | Returns the currently active ruleset with decayed weight and correct cycle number. |
+| `latestQueuedOf(uint256 projectId)` | Returns the latest queued ruleset and its approval status. |
+| `queueFor(uint256 projectId, uint256 duration, uint256 weight, uint256 weightCutPercent, IJBRulesetApprovalHook approvalHook, uint256 metadata, uint256 mustStartAtOrAfter)` | Queues a new ruleset. Only callable by the project's controller. |
+| `updateRulesetWeightCache(uint256 projectId)` | Updates the weight cache for long-running rulesets. Required when `weightCutMultiple > 20,000` to avoid gas limits. |
+
+### JBPermissions
+
+| Function | What it does |
+|----------|--------------|
+| `setPermissionsFor(address account, JBPermissionsData permissionsData)` | Grants or revokes operator permissions. ROOT operators can set non-ROOT permissions for others. |
+| `hasPermission(address operator, address account, uint256 projectId, uint256 permissionId)` | Checks if an operator has a specific permission. |
+| `hasPermissions(address operator, address account, uint256 projectId, uint256[] permissionIds)` | Checks if an operator has all specified permissions. |
+
+### JBDirectory
+
+| Function | What it does |
+|----------|--------------|
+| `controllerOf(uint256 projectId)` | Returns the project's controller as `IERC165`. |
+| `terminalsOf(uint256 projectId)` | Returns the project's terminals as `IJBTerminal[]`. |
+| `primaryTerminalOf(uint256 projectId, address token)` | Returns the project's primary terminal for a given token. |
+| `isTerminalOf(uint256 projectId, IJBTerminal terminal)` | Checks if a terminal belongs to a project. |
+| `setControllerOf(uint256 projectId, IERC165 controller)` | Sets the project's controller. |
+| `setTerminalsOf(uint256 projectId, IJBTerminal[] terminals)` | Sets the project's terminals. |
+| `setPrimaryTerminalOf(uint256 projectId, address token, IJBTerminal terminal)` | Sets the primary terminal for a token. |
+| `setIsAllowedToSetFirstController(address addr, bool flag)` | Allows/disallows an address to set a project's first controller. Owner-only. |
+
+### JBPrices
+
+| Function | What it does |
+|----------|--------------|
+| `pricePerUnitOf(uint256 projectId, uint256 pricingCurrency, uint256 unitCurrency, uint256 decimals)` | Returns the price of 1 `unitCurrency` in `pricingCurrency`. Checks project-specific, inverse, then default feeds. |
+| `addPriceFeedFor(uint256 projectId, uint256 pricingCurrency, uint256 unitCurrency, IJBPriceFeed feed)` | Registers a price feed. Project ID 0 sets protocol-wide defaults (owner-only). Immutable once set. |
+
+### JBTokens
+
+| Function | What it does |
+|----------|--------------|
+| `totalSupplyOf(uint256 projectId)` | Returns total supply: credits + ERC-20 tokens. |
+| `totalBalanceOf(address holder, uint256 projectId)` | Returns combined credit + ERC-20 balance. |
+| `creditBalanceOf(address holder, uint256 projectId)` | Returns the holder's credit balance. |
+| `tokenOf(uint256 projectId)` | Returns the ERC-20 token for a project (`IJBToken`). |
+
+### JBSplits
+
+| Function | What it does |
+|----------|--------------|
+| `splitsOf(uint256 projectId, uint256 rulesetId, uint256 groupId)` | Returns splits for a project/ruleset/group. Falls back to ruleset ID 0 if none set. |
+
+### Other
+
+| Function | What it does |
+|----------|--------------|
+| `setFeelessAddress(address addr, bool flag)` | Adds or removes an address from the fee exemption list. Owner-only. (`JBFeelessAddresses`) |
+| `setControllerAllowed(uint256 projectId)` | Returns whether a project's controller can currently be set. (`IJBDirectoryAccessControl`) |
+| `setTerminalsAllowed(uint256 projectId)` | Returns whether a project's terminals can currently be set. (`IJBDirectoryAccessControl`) |
 
 ## Key Types
 
@@ -69,8 +162,21 @@ The core Juicebox V6 protocol on EVM: a modular system for launching treasury-ba
 | `JBFee` | `amount (uint256)`, `beneficiary (address)`, `unlockTimestamp (uint48)` | Held fees in `JBMultiTerminal` |
 | `JBSingleAllowance` | `sigDeadline (uint256)`, `amount (uint160)`, `expiration (uint48)`, `nonce (uint48)`, `signature (bytes)` | Permit2 allowance in terminal payments |
 | `JBRulesetWithMetadata` | `ruleset (JBRuleset)`, `metadata (JBRulesetMetadata)` | `allRulesetsOf()`, `currentRulesetOf()` return values |
+| `JBRulesetWeightCache` | `weight (uint112)`, `weightCutMultiple (uint168)` | Weight caching for long-running rulesets in `JBRulesets` |
 | `JBApprovalStatus` (enum) | `Empty`, `Upcoming`, `Active`, `ApprovalExpected`, `Approved`, `Failed` | Approval hook status for queued rulesets |
 
+### Hook Structs
+
+| Struct | Key Fields | Used In |
+|--------|------------|---------|
+| `JBBeforePayRecordedContext` | `terminal`, `payer`, `amount (JBTokenAmount)`, `projectId`, `rulesetId`, `beneficiary`, `weight`, `reservedPercent`, `metadata` | `IJBRulesetDataHook.beforePayRecordedWith()` input |
+| `JBBeforeCashOutRecordedContext` | `terminal`, `holder`, `projectId`, `rulesetId`, `cashOutCount`, `totalSupply`, `surplus (JBTokenAmount)`, `useTotalSurplus`, `cashOutTaxRate`, `metadata` | `IJBRulesetDataHook.beforeCashOutRecordedWith()` input |
+| `JBAfterPayRecordedContext` | `payer`, `projectId`, `rulesetId`, `amount (JBTokenAmount)`, `forwardedAmount (JBTokenAmount)`, `weight`, `newlyIssuedTokenCount`, `beneficiary`, `hookMetadata`, `payerMetadata` | `IJBPayHook.afterPayRecordedWith()` input |
+| `JBAfterCashOutRecordedContext` | `holder`, `projectId`, `rulesetId`, `cashOutCount`, `reclaimedAmount (JBTokenAmount)`, `forwardedAmount (JBTokenAmount)`, `cashOutTaxRate`, `beneficiary`, `hookMetadata`, `cashOutMetadata` | `IJBCashOutHook.afterCashOutRecordedWith()` input |
+| `JBPayHookSpecification` | `hook (IJBPayHook)`, `amount`, `metadata` | Returned by data hook; specifies which pay hooks to call and how much to forward |
+| `JBCashOutHookSpecification` | `hook (IJBCashOutHook)`, `amount`, `metadata` | Returned by data hook; specifies which cash out hooks to call and how much to forward |
+| `JBSplitHookContext` | `token`, `amount`, `decimals`, `projectId`, `groupId`, `split (JBSplit)` | `IJBSplitHook.processSplitWith()` input |
+
 ### Constants (`JBConstants`)
 
 | Constant | Value | Meaning |
@@ -89,6 +195,24 @@ The core Juicebox V6 protocol on EVM: a modular system for launching treasury-ba
 | `1` | ETH |
 | `2` | USD |
 
+### Split Group IDs (`JBSplitGroupIds`)
+
+| ID | Group |
+|----|-------|
+| `1` | `RESERVED_TOKENS` -- reserved token distribution |
+
+### Special Values
+
+| Value | Context | Meaning |
+|-------|---------|---------|
+| `weight = 0` | `JBRuleset` / `JBRulesetConfig` | No token issuance for payments. |
+| `weight = 1` | `JBRuleset` / `JBRulesetConfig` | Inherit decayed weight from previous ruleset (sentinel). |
+| `duration = 0` | `JBRuleset` / `JBRulesetConfig` | Ruleset never expires; must be explicitly replaced by a new queued ruleset (takes effect immediately). |
+| `projectId = 0` | `JBPermissionsData` | Wildcard: permission applies to ALL projects. Cannot be combined with ROOT (255). |
+| `permissionId = 255` | `JBPermissions` | ROOT: grants all permissions for the scoped project. |
+| `rulesetId = 0` | `JBSplits.splitsOf()` | Fallback split group used when no splits are set for a specific ruleset. |
+| `projectId = 0` | `JBPrices.addPriceFeedFor()` | Sets a protocol-wide default price feed (owner-only). |
+
 ## Gotchas
 
 - `IJBDirectory.controllerOf()` returns `IERC165`, NOT `address` -- must wrap: `address(directory.controllerOf(projectId))`
@@ -110,12 +234,24 @@ The core Juicebox V6 protocol on EVM: a modular system for launching treasury-ba
 - `JBProjects` constructor optionally mints project #1 to `feeProjectOwner` -- if `address(0)`, no fee project is created
 - `JBMultiTerminal` derives `DIRECTORY` and `RULESETS` from the provided `store` in its constructor -- not passed directly
 - `JBPrices.pricePerUnitOf()` checks project-specific feed, then inverse, then falls back to `DEFAULT_PROJECT_ID = 0`
+- `useAllowanceOf()` takes 8 args including `address payable feeBeneficiary` -- do NOT omit it
+- Cash out tax rate of 0% = proportional (1:1) redemption; 100% = nothing reclaimable (all surplus locked). Do NOT confuse with a "cash out rate" where 100% means full redemption.
+- `cashOutTaxRate` in `JBRulesetMetadata` is `uint16` (max 10,000 basis points), NOT 9-decimal precision
+- `reservedPercent` in `JBRulesetMetadata` is `uint16` (max 10,000 basis points), NOT 9-decimal precision
+- `weight` in `JBRuleset` is `uint112`, but `weight` in `JBRulesetConfig` is also `uint112` -- both use 18 decimals
+- `JBSplits.splitsOf()` falls back to ruleset ID 0 if no splits are set for the given rulesetId
+- Held fees are held for 28 days (`_FEE_HOLDING_SECONDS = 2,419,200`) before they can be processed
+- `JBController`, `JBMultiTerminal`, `JBProjects`, `JBPrices`, `JBPermissions` all support ERC-2771 meta-transactions
+- `JBRulesetMetadataResolver` bit layout: version (4 bits), reservedPercent (16), cashOutTaxRate (16), baseCurrency (32), 14 boolean flags (1 bit each), dataHook address (160), metadata (14)
+- `IJBDirectoryAccessControl` has `setControllerAllowed()` and `setTerminalsAllowed()` -- NOT `setControllerAllowedFor()`
+- Price feeds are immutable once set in `JBPrices` -- they cannot be replaced or removed
+- `JBFundAccessLimits` requires payout limits and surplus allowances to be in strictly increasing currency order to prevent duplicates
 
 ## Example Integration
 
 ```solidity
 // SPDX-License-Identifier: MIT
-pragma solidity 0.8.23;
+pragma solidity 0.8.26;
 
 import {IJBController} from "@bananapus/core-v6/src/interfaces/IJBController.sol";
 import {IJBDirectory} from "@bananapus/core-v6/src/interfaces/IJBDirectory.sol";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bananapus/core-v6",
-  "version": "0.0.5",
+  "version": "0.0.6",
   "license": "MIT",
   "repository": {
     "type": "git",

package/src/libraries/JBMetadataResolver.sol

@@ -123,7 +123,7 @@ library JBMetadataResolver {
         // Pad as needed - inlined for gas saving
         uint256 paddedLength =
             newMetadata.length % WORD_SIZE == 0 ? newMetadata.length : (newMetadata.length / WORD_SIZE + 1) * WORD_SIZE;
-        assembly {
+        assembly ("memory-safe") {
             mstore(newMetadata, paddedLength)
         }
 
@@ -135,7 +135,7 @@ library JBMetadataResolver {
         // Pad as needed
         paddedLength =
             newMetadata.length % WORD_SIZE == 0 ? newMetadata.length : (newMetadata.length / WORD_SIZE + 1) * WORD_SIZE;
-        assembly {
+        assembly ("memory-safe") {
             mstore(newMetadata, paddedLength)
         }
 
@@ -146,7 +146,7 @@ library JBMetadataResolver {
         paddedLength =
             newMetadata.length % WORD_SIZE == 0 ? newMetadata.length : (newMetadata.length / WORD_SIZE + 1) * WORD_SIZE;
 
-        assembly {
+        assembly ("memory-safe") {
             mstore(newMetadata, paddedLength)
         }
     }
@@ -192,7 +192,7 @@ library JBMetadataResolver {
         uint256 paddedLength = metadata.length % JBMetadataResolver.WORD_SIZE == 0
             ? metadata.length
             : (metadata.length / JBMetadataResolver.WORD_SIZE + 1) * JBMetadataResolver.WORD_SIZE;
-        assembly {
+        assembly ("memory-safe") {
             mstore(metadata, paddedLength)
         }
 
@@ -206,7 +206,7 @@ library JBMetadataResolver {
                 ? metadata.length
                 : (metadata.length / JBMetadataResolver.WORD_SIZE + 1) * JBMetadataResolver.WORD_SIZE;
 
-            assembly {
+            assembly ("memory-safe") {
                 mstore(metadata, paddedLength)
             }
         }
@@ -231,7 +231,7 @@ library JBMetadataResolver {
             uint256 currentOffset = uint256(uint8(metadata[i + ID_SIZE]));
 
             bytes4 parsedId;
-            assembly {
+            assembly ("memory-safe") {
                 parsedId := mload(add(add(metadata, 0x20), i))
             }
 
@@ -279,7 +279,7 @@ library JBMetadataResolver {
         pure
         returns (bytes memory slicedBytes)
     {
-        assembly {
+        assembly ("memory-safe") {
             let length := sub(end, start)
 
             // M-20: Allocate memory at freemem — round up to 32-byte boundary so subsequent

package/test/FlashLoanAttacks.t.sol

@@ -262,13 +262,14 @@ contract FlashLoanAttacks_Local is TestBaseWorkflow {
     }
 
     // ═══════════════════════════════════════════════════════════════════
-    //  Test 5: C-5 variant — addToBalance → cashOut(0) with totalSupply==0
+    //  Test 5: C-5 regression — cashOut(0) with totalSupply==0 must return 0
     // ═══════════════════════════════════════════════════════════════════
 
-    /// @notice C-5 KNOWN FINDING: cashOut(0) with totalSupply==0 returns the entire surplus.
-    /// @dev This is the known C-5 critical finding from the audit. When totalSupply==0 and
-    /// cashOutCount==0, the cashOut formula returns the full surplus to the caller.
-    /// This test documents the finding and verifies it's present in V5 (fixed in V5.1).
+    /// @notice C-5 was a V5 audit finding where cashOut(0) with totalSupply==0 returned the entire surplus.
+    /// @dev In V5, `cashOutCount >= totalSupply` (0 >= 0) was true and returned the full surplus before
+    /// checking for zero cashOutCount. Fixed since V5.1: `JBCashOuts.cashOutFrom` returns 0 when
+    /// cashOutCount==0 (line 31) before reaching the `cashOutCount >= totalSupply` check (line 37).
+    /// This test verifies the fix holds.
     function test_C5_variant_addToBalance_zeroCashOut() public {
         // Add to balance when no tokens exist
         vm.deal(address(0xD000), 5 ether);
@@ -282,7 +283,7 @@ contract FlashLoanAttacks_Local is TestBaseWorkflow {
             metadata: new bytes(0)
         });
 
-        // C-5: cashOut(0) with totalSupply==0 returns full surplus
+        // cashOut(0) with totalSupply==0 must reclaim nothing.
         address attacker = address(0xA77AC0);
         vm.prank(attacker);
         uint256 reclaimAmount = jbMultiTerminal()
@@ -296,13 +297,7 @@ contract FlashLoanAttacks_Local is TestBaseWorkflow {
                 metadata: new bytes(0)
             });
 
-        // C-5: This SHOULD be 0, but the bug allows extraction of entire surplus.
-        // Documenting the known critical finding.
-        if (reclaimAmount > 0) {
-            emit log_named_uint("C-5 CONFIRMED: cashOut(0) extracted surplus", reclaimAmount);
-        }
-        // Test passes either way to document behavior
-        assertTrue(true, "C-5 documented");
+        assertEq(reclaimAmount, 0, "C-5 regression: cashOut(0) must return 0");
     }
 
     // ═══════════════════════════════════════════════════════════════════

package/test/PermissionsInvariant.t.sol

@@ -0,0 +1,403 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.6;
+
+import {Test} from "forge-std/Test.sol";
+import {CommonBase} from "forge-std/Base.sol";
+import {StdCheats} from "forge-std/StdCheats.sol";
+import {StdUtils} from "forge-std/StdUtils.sol";
+
+import {JBPermissions} from "../src/JBPermissions.sol";
+import {IJBPermissions} from "../src/interfaces/IJBPermissions.sol";
+import {JBPermissionsData} from "../src/structs/JBPermissionsData.sol";
+
+/// @title PermissionsHandler
+/// @notice Stateful handler for JBPermissions invariant testing.
+///         Randomly sets, revokes, and checks permissions while tracking expected state.
+contract PermissionsHandler is CommonBase, StdCheats, StdUtils {
+    JBPermissions public immutable PERMISSIONS;
+
+    address[] public accounts;
+    address[] public operators;
+    uint56[] public projectIds;
+
+    // Ghost state: track what we've set.
+    // Keyed by keccak256(operator, account, projectId).
+    mapping(bytes32 => uint256) public expectedPacked;
+
+    // Counters.
+    uint256 public setCount;
+    uint256 public revokeCount;
+    uint256 public rootSetCount;
+    uint256 public rootForwardAttempts;
+    uint256 public rootForwardBlocked;
+    uint256 public wildcardSetAttempts;
+    uint256 public wildcardSetBlocked;
+
+    constructor() {
+        PERMISSIONS = new JBPermissions(address(0));
+
+        accounts.push(makeAddr("accountA"));
+        accounts.push(makeAddr("accountB"));
+        accounts.push(makeAddr("accountC"));
+
+        operators.push(makeAddr("operatorX"));
+        operators.push(makeAddr("operatorY"));
+        operators.push(makeAddr("operatorZ"));
+
+        projectIds.push(1);
+        projectIds.push(2);
+        projectIds.push(3);
+    }
+
+    /// @notice Set random permissions for a random (operator, account, projectId) triple.
+    function setPermissions(
+        uint256 accountSeed,
+        uint256 operatorSeed,
+        uint256 projectSeed,
+        uint8[] memory permissionIds
+    )
+        public
+    {
+        address account = accounts[bound(accountSeed, 0, accounts.length - 1)];
+        address operator = operators[bound(operatorSeed, 0, operators.length - 1)];
+        uint56 projectId = projectIds[bound(projectSeed, 0, projectIds.length - 1)];
+
+        // Filter out permission ID 0 (invalid) and truncate long arrays.
+        if (permissionIds.length > 10) {
+            assembly {
+                mstore(permissionIds, 10)
+            }
+        }
+
+        uint8[] memory validIds = new uint8[](permissionIds.length);
+        uint256 validCount;
+        for (uint256 i; i < permissionIds.length; i++) {
+            if (permissionIds[i] > 0) {
+                validIds[validCount] = permissionIds[i];
+                validCount++;
+            }
+        }
+
+        // Resize to valid count.
+        uint8[] memory finalIds = new uint8[](validCount);
+        for (uint256 i; i < validCount; i++) {
+            finalIds[i] = validIds[i];
+        }
+
+        // Track expected state.
+        bytes32 key = keccak256(abi.encodePacked(operator, account, projectId));
+        uint256 packed;
+        for (uint256 i; i < validCount; i++) {
+            packed |= uint256(1) << finalIds[i];
+        }
+        expectedPacked[key] = packed;
+
+        // Account sets permissions for itself.
+        vm.prank(account);
+        PERMISSIONS.setPermissionsFor(
+            account, JBPermissionsData({operator: operator, projectId: projectId, permissionIds: finalIds})
+        );
+
+        setCount++;
+
+        // Track ROOT sets.
+        for (uint256 i; i < validCount; i++) {
+            if (finalIds[i] == 1) {
+                rootSetCount++;
+                break;
+            }
+        }
+    }
+
+    /// @notice Revoke permissions by setting empty array.
+    function revokePermissions(uint256 accountSeed, uint256 operatorSeed, uint256 projectSeed) public {
+        address account = accounts[bound(accountSeed, 0, accounts.length - 1)];
+        address operator = operators[bound(operatorSeed, 0, operators.length - 1)];
+        uint56 projectId = projectIds[bound(projectSeed, 0, projectIds.length - 1)];
+
+        bytes32 key = keccak256(abi.encodePacked(operator, account, projectId));
+        expectedPacked[key] = 0;
+
+        uint8[] memory emptyIds = new uint8[](0);
+
+        vm.prank(account);
+        PERMISSIONS.setPermissionsFor(
+            account, JBPermissionsData({operator: operator, projectId: projectId, permissionIds: emptyIds})
+        );
+
+        revokeCount++;
+    }
+
+    /// @notice Attempt ROOT forwarding (should always be blocked).
+    function attemptRootForwarding(uint256 accountSeed, uint256 projectSeed) public {
+        address account = accounts[bound(accountSeed, 0, accounts.length - 1)];
+        address operator = operators[0]; // operatorX
+        address thirdParty = operators[1]; // operatorY
+        uint56 projectId = projectIds[bound(projectSeed, 0, projectIds.length - 1)];
+
+        rootForwardAttempts++;
+
+        // First give operator ROOT.
+        uint8[] memory rootPerms = new uint8[](1);
+        rootPerms[0] = 1; // ROOT
+
+        vm.prank(account);
+        PERMISSIONS.setPermissionsFor(
+            account, JBPermissionsData({operator: operator, projectId: projectId, permissionIds: rootPerms})
+        );
+
+        // Update ghost state.
+        bytes32 rootKey = keccak256(abi.encodePacked(operator, account, projectId));
+        expectedPacked[rootKey] = uint256(1) << 1;
+
+        // Now operator tries to forward ROOT to thirdParty.
+        vm.prank(operator);
+        try PERMISSIONS.setPermissionsFor(
+            account, JBPermissionsData({operator: thirdParty, projectId: projectId, permissionIds: rootPerms})
+        ) {
+        // Should not reach here.
+        }
+        catch {
+            rootForwardBlocked++;
+        }
+    }
+
+    /// @notice Attempt wildcard permission setting by operator (should be blocked).
+    function attemptWildcardByOperator(uint256 accountSeed, uint256 projectSeed) public {
+        address account = accounts[bound(accountSeed, 0, accounts.length - 1)];
+        address operator = operators[0];
+        address thirdParty = operators[1];
+        uint56 projectId = projectIds[bound(projectSeed, 0, projectIds.length - 1)];
+
+        wildcardSetAttempts++;
+
+        // Give operator ROOT on a specific project.
+        uint8[] memory rootPerms = new uint8[](1);
+        rootPerms[0] = 1;
+
+        vm.prank(account);
+        PERMISSIONS.setPermissionsFor(
+            account, JBPermissionsData({operator: operator, projectId: projectId, permissionIds: rootPerms})
+        );
+
+        bytes32 rootKey = keccak256(abi.encodePacked(operator, account, projectId));
+        expectedPacked[rootKey] = uint256(1) << 1;
+
+        // Operator tries to set permission on wildcard project (0).
+        uint8[] memory somePerms = new uint8[](1);
+        somePerms[0] = 5;
+
+        vm.prank(operator);
+        try PERMISSIONS.setPermissionsFor(
+            account, JBPermissionsData({operator: thirdParty, projectId: 0, permissionIds: somePerms})
+        ) {
+        // Should not reach here.
+        }
+        catch {
+            wildcardSetBlocked++;
+        }
+    }
+
+    /// @notice Get the expected packed permissions for a triple.
+    function getExpected(address operator, address account, uint56 projectId) external view returns (uint256) {
+        bytes32 key = keccak256(abi.encodePacked(operator, account, projectId));
+        return expectedPacked[key];
+    }
+}
+
+/// @title PermissionsInvariantTest
+/// @notice Stateful invariant tests proving JBPermissions maintains consistency
+///         through random set/revoke cycles.
+contract PermissionsInvariantTest is Test {
+    PermissionsHandler handler;
+
+    function setUp() public {
+        handler = new PermissionsHandler();
+        targetContract(address(handler));
+    }
+
+    /// @notice Packed permissions in storage always match what was last set.
+    function invariant_packedMatchesExpected() public view {
+        JBPermissions perms = handler.PERMISSIONS();
+
+        // Check all (operator, account, projectId) combinations.
+        for (uint256 o; o < 3; o++) {
+            for (uint256 a; a < 3; a++) {
+                for (uint256 p; p < 3; p++) {
+                    address operator = handler.operators(o);
+                    address account = handler.accounts(a);
+                    uint56 projectId = handler.projectIds(p);
+
+                    uint256 expected = handler.getExpected(operator, account, projectId);
+                    uint256 actual = perms.permissionsOf(operator, account, projectId);
+
+                    assertEq(actual, expected, "Packed permissions mismatch");
+                }
+            }
+        }
+    }
+
+    /// @notice Bit 0 is never set in any stored permissions.
+    function invariant_bit0NeverSet() public view {
+        JBPermissions perms = handler.PERMISSIONS();
+
+        for (uint256 o; o < 3; o++) {
+            for (uint256 a; a < 3; a++) {
+                for (uint256 p; p < 3; p++) {
+                    uint256 packed =
+                        perms.permissionsOf(handler.operators(o), handler.accounts(a), handler.projectIds(p));
+                    assertFalse((packed & 1) == 1, "Bit 0 should never be set");
+                }
+            }
+        }
+    }
+
+    /// @notice ROOT forwarding is always blocked.
+    function invariant_rootForwardingAlwaysBlocked() public view {
+        if (handler.rootForwardAttempts() > 0) {
+            assertEq(
+                handler.rootForwardBlocked(),
+                handler.rootForwardAttempts(),
+                "All ROOT forwarding attempts must be blocked"
+            );
+        }
+    }
+
+    /// @notice Wildcard permission setting by operators is always blocked.
+    function invariant_wildcardByOperatorAlwaysBlocked() public view {
+        if (handler.wildcardSetAttempts() > 0) {
+            assertEq(
+                handler.wildcardSetBlocked(),
+                handler.wildcardSetAttempts(),
+                "All wildcard-by-operator attempts must be blocked"
+            );
+        }
+    }
+
+    /// @notice hasPermission returns true iff the bit is set (no false positives/negatives).
+    function invariant_hasPermissionMatchesBits() public view {
+        JBPermissions perms = handler.PERMISSIONS();
+
+        // Spot-check a few permission IDs across all triples.
+        uint256[5] memory checkIds = [uint256(1), 2, 5, 42, 255];
+
+        for (uint256 o; o < 3; o++) {
+            for (uint256 a; a < 3; a++) {
+                for (uint256 p; p < 3; p++) {
+                    address operator = handler.operators(o);
+                    address account = handler.accounts(a);
+                    uint56 projectId = handler.projectIds(p);
+
+                    uint256 packed = perms.permissionsOf(operator, account, projectId);
+
+                    for (uint256 c; c < checkIds.length; c++) {
+                        bool expected = ((packed >> checkIds[c]) & 1) == 1;
+                        bool actual = perms.hasPermission(operator, account, projectId, checkIds[c], false, false);
+                        assertEq(actual, expected, "hasPermission must match bit state");
+                    }
+                }
+            }
+        }
+    }
+}
+
+/// @title PermissionsBitPackingTest
+/// @notice Formal property tests for JBPermissions bit-packing roundtrip
+///         and hasPermissions batch logic.
+contract PermissionsBitPackingTest is Test {
+    JBPermissions perms;
+
+    address account = makeAddr("account");
+    address operator = makeAddr("operator");
+    uint56 projectId = 7;
+
+    function setUp() public {
+        perms = new JBPermissions(address(0));
+    }
+
+    /// @notice hasPermissions with an empty array returns true (vacuous truth).
+    function test_hasPermissions_emptyArray_returnsTrue() public view {
+        uint256[] memory empty = new uint256[](0);
+        bool result = perms.hasPermissions(operator, account, projectId, empty, false, false);
+        assertTrue(result, "Empty permission array should return true (vacuous truth)");
+    }
+
+    /// @notice Fuzz: set N permissions, verify each bit is set and all others are not.
+    function testFuzz_bitPackingRoundtrip(uint8 id1, uint8 id2, uint8 id3) public {
+        // Bound to valid range (1-255).
+        id1 = uint8(bound(uint256(id1), 1, 255));
+        id2 = uint8(bound(uint256(id2), 1, 255));
+        id3 = uint8(bound(uint256(id3), 1, 255));
+
+        uint8[] memory ids = new uint8[](3);
+        ids[0] = id1;
+        ids[1] = id2;
+        ids[2] = id3;
+
+        vm.prank(account);
+        perms.setPermissionsFor(
+            account, JBPermissionsData({operator: operator, projectId: projectId, permissionIds: ids})
+        );
+
+        // Each set ID should return true.
+        assertTrue(perms.hasPermission(operator, account, projectId, id1, false, false), "id1 should be set");
+        assertTrue(perms.hasPermission(operator, account, projectId, id2, false, false), "id2 should be set");
+        assertTrue(perms.hasPermission(operator, account, projectId, id3, false, false), "id3 should be set");
+
+        // Verify the packed value has exactly the right bits.
+        uint256 packed = perms.permissionsOf(operator, account, projectId);
+        uint256 expectedPacked = (uint256(1) << id1) | (uint256(1) << id2) | (uint256(1) << id3);
+        assertEq(packed, expectedPacked, "Packed value should exactly match OR of set bits");
+
+        // Bit 0 must not be set.
+        assertFalse((packed & 1) == 1, "Bit 0 must never be set");
+    }
+
+    /// @notice hasPermissions batch check: all permissions must be present.
+    function test_hasPermissions_batch_allRequired() public {
+        uint8[] memory ids = new uint8[](3);
+        ids[0] = 5;
+        ids[1] = 10;
+        ids[2] = 200;
+
+        vm.prank(account);
+        perms.setPermissionsFor(
+            account, JBPermissionsData({operator: operator, projectId: projectId, permissionIds: ids})
+        );
+
+        // All three set -> true.
+        uint256[] memory check3 = new uint256[](3);
+        check3[0] = 5;
+        check3[1] = 10;
+        check3[2] = 200;
+        assertTrue(perms.hasPermissions(operator, account, projectId, check3, false, false), "All three should pass");
+
+        // Missing one (15 not set) -> false.
+        uint256[] memory check4 = new uint256[](4);
+        check4[0] = 5;
+        check4[1] = 10;
+        check4[2] = 200;
+        check4[3] = 15;
+        assertFalse(
+            perms.hasPermissions(operator, account, projectId, check4, false, false),
+            "Missing permission 15 should fail batch check"
+        );
+    }
+
+    /// @notice Event emission includes correct packed value.
+    function test_eventEmission_packedValue() public {
+        uint8[] memory ids = new uint8[](2);
+        ids[0] = 3;
+        ids[1] = 7;
+
+        uint256 expectedPacked = (uint256(1) << 3) | (uint256(1) << 7);
+
+        vm.expectEmit(true, true, true, true);
+        emit IJBPermissions.OperatorPermissionsSet(operator, account, projectId, ids, expectedPacked, account);
+
+        vm.prank(account);
+        perms.setPermissionsFor(
+            account, JBPermissionsData({operator: operator, projectId: projectId, permissionIds: ids})
+        );
+    }
+}