@bananapus/omnichain-deployers-v6 0.0.28 → 0.0.29

package/RISKS.md

@@ -1,81 +1,92 @@
 # Omnichain Deployers Risk Register
 
-This file focuses on the risks in the deployer layer that launches Juicebox projects across chains while composing 721 hooks, suckers, and optional custom data hooks.
+This file covers the risks in the deployer layer that launches Juicebox projects across chains while composing 721 hooks, suckers, and optional custom data hooks.
 
-## How to use this file
+## How To Use This File
 
-- Read `Priority risks` first; they capture the highest-blast-radius deployment and cash-out assumptions.
-- Use the detailed sections for access control, integration, and reentrancy analysis.
-- Treat `Invariants to Verify` as required checks for any new omnichain deployment flow.
+- Read `Priority risks` first. They capture the highest-blast-radius deployment and cash-out assumptions.
+- Treat `Invariants to verify` as required checks for any new omnichain deployment flow.
 
-## Priority risks
+## Priority Risks
 
 | Priority | Risk | Why it matters | Primary controls |
 |----------|------|----------------|------------------|
 | P0 | Registry-trusted sucker bypass | This deployer gives suckers privileged cash-out behavior based on registry answers. A bad registry entry can affect many projects. | Registry allowlists, deployment verification, and explicit registry scrutiny. |
 | P1 | Cross-chain deployment drift | Omnichain assumptions fail if chain-specific wiring, peers, or composed hooks do not match. | Deterministic deploy ordering, parity checks, and post-deploy peer verification. |
-| P1 | Data-hook composition mistakes | The deployer wraps or forwards custom data hooks; a bad composition can alter pay or cash-out semantics unexpectedly. | Integration tests for wrapped hooks and careful review of forwarding logic. |
-
+| P1 | Data-hook composition mistakes | The deployer wraps or forwards custom data hooks. A bad composition can alter pay or cash-out semantics unexpectedly. | Integration tests and careful forwarding review. |
 
 ## 1. Trust Assumptions
 
-- **Trusted forwarder.** ERC-2771 `_msgSender()` is trusted to append the real sender. A compromised forwarder can impersonate any address for `deploySuckersFor`, `launchProjectFor`, `queueRulesetsOf`, and `launchRulesetsFor`.
-- **Sucker registry.** `SUCKER_REGISTRY.isSuckerOf()` is the sole gatekeeper for 0% cashout tax and mint permission. A compromised or malicious registry lets any address bypass cashout taxes and mint tokens freely.
-- **Controller trust.** The deployer passes an arbitrary `IJBController controller` parameter. `_validateController` checks `controller.DIRECTORY().controllerOf(projectId)` (a reflexive lookup through the controller's own directory reference), but during `launchProjectFor` the project does not yet exist, so no pre-launch controller validation is possible. The post-launch safeguard is the explicit project-ID match check on `controller.launchProjectFor(...)`.
-- **Extra data hooks.** Arbitrary `IJBRulesetDataHook` addresses from ruleset metadata are stored and called directly from the deployer's pay/cash-out wrapper paths. A malicious hook can return arbitrary weight, cashout tax rate, or hook specifications, and can also consume all available gas or revert.
+- **Trusted forwarder is trusted.**
+- **Sucker registry answers are trusted.**
+- **Controller trust matters.**
+- **Extra data hooks are trusted code.**
 
-## 2. Economic / Manipulation Risks
+## 2. Economic Risks
 
-- **Sucker cashout bypass.** Any address registered as a sucker for a project gets 0% cashout tax rate and full reclaim. If a malicious sucker is registered (via compromised `SUCKER_REGISTRY`), it can drain the project's surplus.
-- **Weight manipulation via extra data hook.** `beforePayRecordedWith` forwards to the extra data hook, which can return any `weight`. A malicious hook can inflate token minting or set weight=0 to block minting.
-- **721 hook amount splitting.** The deployer computes `projectAmount = context.amount.value - totalSplitAmount`. The 721 hook's returned weight (already adjusted for splits via `JB721TiersHookLib.calculateWeight`) is used directly -- no proportional scaling is applied. If the 721 hook returns a `totalSplitAmount >= context.amount.value`, `projectAmount` is set to 0 and weight becomes 0 -- no tokens are minted for the payment.
-- **Cross-chain sender dependence in sucker deployment salts.** `deploySuckersFor` salts deployments with `keccak256(abi.encode(userSalt, _msgSender()))`. This prevents replay collisions, but it also means the same logical project deployed by different operators on different chains will not get matching deterministic sucker addresses.
+- **Sucker cashout bypass exists for registered suckers.**
+- **Extra data hooks can manipulate weight or cash-out behavior.**
+- **721 hook amount splitting can zero out project amount in edge cases.**
+- **Cross-chain sender dependence affects deterministic sucker salts.**
 
 ## 3. Access Control
 
-- **Wildcard MAP_SUCKER_TOKEN permission.** Constructor grants `SUCKER_REGISTRY` the `MAP_SUCKER_TOKEN` permission with `projectId=0` (wildcard). This grants the registry token-mapping rights across all projects ever deployed through this deployer.
-- **Permission checks on `launchRulesetsFor`.** Requires both `LAUNCH_RULESETS` and `SET_TERMINALS` from the project owner. If an operator has one but not the other, the call reverts. No combined permission ID exists.
-- **No permission check on `launchProjectFor`.** Anyone can call it because a new project is being created. The `owner` parameter receives the project NFT -- verify frontends do not allow this to be set to unexpected addresses.
+- **Wildcard `MAP_SUCKER_TOKEN` permission is broad.**
+- **`launchRulesetsFor` requires combined permissions.**
+- **`launchProjectFor` is intentionally permissionless for new projects.**
 
 ## 4. DoS Vectors
 
-- **Ruleset ID collision.** `_setup721` stores hook configs at `block.timestamp + i`. If `latestRulesetIdOf >= block.timestamp` (rulesets already queued this block), `queueRulesetsOf` reverts with `RulesetIdsUnpredictable`. An attacker who queues rulesets in the same block as the legitimate owner can front-run and block their queue attempt. Gas impact: `queueRulesetsOf` costs ~200-400k gas per ruleset queued. The collision only occurs when two transactions queue rulesets in the same block for the same project — race condition window is one block (~12 seconds on L1, 2 seconds on L2).
-- **External hook revert.** `beforePayRecordedWith` and `beforeCashOutRecordedWith` call external hooks without try-catch. A reverting hook blocks all payments or cashouts for that project/ruleset. For cash-outs, if the 721 hook reverts, the custom hook is never reached (the revert propagates before it). Gas impact: the direct call into the extra data hook has no gas limit, so a gas-griefing hook can consume the entire transaction gas. The 721 hook call is similarly unbounded.
-- **721 hook deployment revert.** `HOOK_DEPLOYER.deployHookFor` is called without try-catch. A failing deployment blocks the entire project launch.
-- **Unexpected safe NFT receipt reverts, but non-safe transfers can still strand assets.** `onERC721Received` only accepts `PROJECTS` NFTs. Safe transfers of any other ERC-721 revert instead of being accepted. The narrower residual risk is `transferFrom` or other non-safe delivery into the deployer, which bypasses the receiver hook and has no generalized rescue path.
+- **Ruleset ID collision can block queueing.**
+- **External hook reverts can block pay or cash-out flows.**
+- **721 hook deployment revert blocks launch.**
+- **Non-safe NFT transfers can still strand assets.**
 
 ## 5. Reentrancy Surface
 
-- **`launchProjectFor` external call chain.** The function makes external calls to: (1) `_deploy721Hook()` via `HOOK_DEPLOYER.deployHookFor()` (deploys 721 hook clone), (2) `controller.launchProjectFor()` (creates project, deploys rulesets), (3) `JBOwnable(hook).transferOwnershipToProject()` (transfers hook ownership to the new project), (4) `SUCKER_REGISTRY.deploySuckersFor()` (deploys suckers if configured), (5) `PROJECTS.transferFrom()` (transfers the project NFT to the owner). None of these calls are try-catch wrapped — a revert in any of them fails the entire launch. Reentrancy from the controller callback during project creation could call back into `launchProjectFor`, but the new project would get a different ID (monotonically incrementing), so state corruption is not possible.
-- **`beforePayRecordedWith` delegates to external hooks.** Calls `IJBRulesetDataHook(tiered721Hook).beforePayRecordedWith(context)` (not try-caught) and optionally calls the extra data hook directly. The 721 hook and extra hook can execute arbitrary code. At callback time, no deployer state has been modified (the deployer is stateless during payments — it only routes). Reentrancy through the pay path processes as an independent payment.
-- **`beforeCashOutRecordedWith` delegates to external hooks.** Same pattern as pay: calls the 721 hook (not try-caught), then optionally the extra data hook. Sucker check via `SUCKER_REGISTRY.isSuckerOf` is a view call. No deployer state is modified during cashouts.
-- **No `ReentrancyGuard`.** Safe because the deployer is effectively stateless during pay/cashout operations — it reads `_tiered721HookOf` and `_extraDataHookOf` mappings but never writes them outside of deployment functions.
+- **`launchProjectFor` makes several external calls in sequence.**
+- **`beforePayRecordedWith` delegates to external hooks.**
+- **`beforeCashOutRecordedWith` delegates to external hooks.**
+- **There is no `ReentrancyGuard`.** The deployer relies on being effectively stateless during pay and cash-out operations.
 
 ## 6. Integration Risks
 
-- **Hook config keyed by predicted rulesetId.** Configs stored at `block.timestamp + i` must match the actual rulesetId assigned by the controller. If the controller assigns different IDs (e.g., due to approval hook delays), the stored configs become unreachable -- payments/cashouts fall through to default behavior (no 721 handling, no extra hook).
-- **Carried-forward 721 hook on queue.** When `tiers.length == 0`, `queueRulesetsOf` carries forward the hook from a previous ruleset. The source is selected by first checking `latestQueuedOf(projectId)` — if the queued ruleset's approval status is `Approved` or `Empty` and it has a stored hook config, that config is used. Otherwise it falls back to `currentOf(projectId)`. If neither has a hook deployed through this deployer, the mapping is empty and the call reverts with `JBOmnichainDeployer_InvalidHook`. The `useDataHookForCashOut` flag is also preserved from whichever source ruleset is selected.
-- **ERC721Receiver restriction.** `onERC721Received` only accepts from `PROJECTS`. Non-project NFTs sent via `safeTransferFrom` revert cleanly; non-safe transfers can still become stuck because the deployer has no generalized rescue function.
-- **Empty simplified launch config reverts.** The convenience overload that derives a default 721 config from `rulesetConfigurations[0]` reverts with `JBOmnichainDeployer_NoRulesetConfigurations()` when called with an empty ruleset array.
-- **Cross-reference: sucker registration.** The deployer grants `MAP_SUCKER_TOKEN` to `SUCKER_REGISTRY` with `projectId=0` (wildcard). This means the registry can map tokens for ALL projects deployed through this deployer. See [nana-suckers-v6 RISKS.md](../nana-suckers-v6/RISKS.md) for the full sucker lifecycle risks.
-- **Cross-reference: core reentrancy.** The deployer delegates to `JBController` and `JBMultiTerminal` for all fund operations. See [nana-core-v6 RISKS.md](../nana-core-v6/RISKS.md) section 3 for the reentrancy surface of these contracts.
+- **Hook config is keyed by predicted ruleset ID.**
+- **Carried-forward 721 hook behavior on queue depends on prior ruleset state.**
+- **ERC721Receiver restrictions are narrow but non-safe transfers can still strand assets.**
+- **Empty simplified launch config reverts.**
 
-## 7. Invariants to Verify
+## 7. Invariants To Verify
 
-- For any project launched through this deployer, `DIRECTORY.controllerOf(projectId)` matches the controller used during launch.
-- `_tiered721HookOf[projectId][rulesetId]` is non-zero for every rulesetId created through this deployer.
-- Sucker cashouts always receive 0% tax rate (no path where `isSuckerOf` returns true but tax > 0).
-- `beforePayRecordedWith` uses the 721 hook's weight directly (already split-adjusted by `JB721TiersHookLib.calculateWeight`), so no additional scaling is applied.
-- Self-reference prevention: `rulesetConfigurations[i].metadata.dataHook` cannot be `address(this)` after `_setup721`.
-- Project NFT ownership: after `_launchProjectFor`, the project NFT is owned by `owner`, not the deployer.
-- `deploySuckersFor` uses the same `_msgSender()` on every chain when deterministic cross-chain peer symmetry is expected.
+- launched projects point at the intended controller
+- stored 721 hook config exists for every ruleset created through this deployer
+- sucker cashouts always get the intended zero-tax path
+- self-reference prevention holds after setup
+- the project NFT ends owned by the intended owner
 
 ## 8. Accepted Behaviors
 
-### 8.1 Controller validation skipped during `launchProjectFor` (by design)
+### 8.1 Controller validation is skipped during initial launch
+
+Pre-launch controller validation is impossible because the project does not yet exist. The accepted safeguard is the post-launch project ID match check.
+
+### 8.2 Registered suckers receive 0% cashout tax
+
+This is intentional and shares the same trust boundary as the sucker registry.
+
+## 9. Accepted Security Risks
+
+Documented risks that were reviewed and accepted.
+
+### Configuration Risks
+
+**Unvalidated extra data hooks can brick live flows.** *(Minor)*
+Extra data hooks provided by the project owner in `_setup721` configuration can fail and brick live pay/cashout flows. Accepted because this is self-inflicted misconfiguration — only the project owner can set these hooks.
 
-`_validateController` checks `controller.DIRECTORY().controllerOf(projectId)` to verify the provided controller matches the project's registered controller. During `launchProjectFor`, the project does not yet exist, so no directory entry exists and no pre-launch validation is possible. The accepted safeguard is the explicit `ProjectIdMismatch` check immediately after `controller.launchProjectFor()` returns. This is accepted because: (1) the project is created atomically within the same transaction, (2) the caller provides the controller address, so they choose their own trust boundary, and (3) validating against a non-existent project would always fail, making the check useless.
+**Missing hook721 alias check enables double invocation.** *(Minor)*
+If the project owner configures the 721 hook as both the primary hook and as an extra data hook, it could be invoked twice. Accepted because this is self-inflicted misconfiguration — the deployer correctly processes each hook independently.
 
-### 8.2 Suckers receive 0% cashout tax (shared with revnet-core)
+### Cross-Chain Deployment
 
-`beforeCashOutRecordedWith` returns `cashOutTaxRate = 0` for addresses registered in `SUCKER_REGISTRY`. This is the same trust model as REVDeployer. The security boundary is the sucker registry — only addresses deployed through authorized deployers receive this privilege. See [revnet-core-v6 RISKS.md](../revnet-core-v6/RISKS.md) section 4 for the full sucker bypass analysis.
+**`_msgSender()` in deployment salt breaks cross-chain determinism.** *(Minor)*
+`deploySuckersFor` includes `_msgSender()` in the CREATE2 salt, which means the same deployment from different callers produces different addresses across chains. Accepted because this is intentional replay protection — prevents frontrunning of cross-chain deployments.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bananapus/omnichain-deployers-v6",
-  "version": "0.0.28",
+  "version": "0.0.29",
   "license": "MIT",
   "repository": {
     "type": "git",
@@ -17,12 +17,12 @@
     "artifacts": "source ./.env && npx sphinx artifacts --org-id 'ea165b21-7cdc-4d7b-be59-ecdd4c26bee4' --project-name 'nana-omnichain-deployers-v6'"
   },
   "dependencies": {
-    "@bananapus/721-hook-v6": "^0.0.35",
-    "@bananapus/buyback-hook-v6": "^0.0.27",
-    "@bananapus/core-v6": "^0.0.34",
-    "@bananapus/ownable-v6": "^0.0.17",
-    "@bananapus/permission-ids-v6": "^0.0.17",
-    "@bananapus/suckers-v6": "^0.0.25",
+    "@bananapus/721-hook-v6": "^0.0.38",
+    "@bananapus/buyback-hook-v6": "^0.0.30",
+    "@bananapus/core-v6": "^0.0.36",
+    "@bananapus/ownable-v6": "^0.0.20",
+    "@bananapus/permission-ids-v6": "^0.0.19",
+    "@bananapus/suckers-v6": "^0.0.28",
     "@openzeppelin/contracts": "^5.6.1",
     "@uniswap/v4-core": "^1.0.2"
   },

package/script/Deploy.s.sol

@@ -8,6 +8,7 @@ import {CoreDeployment, CoreDeploymentLib} from "@bananapus/core-v6/script/helpe
 import {Hook721Deployment, Hook721DeploymentLib} from "@bananapus/721-hook-v6/script/helpers/Hook721DeploymentLib.sol";
 import {SuckerDeployment, SuckerDeploymentLib} from "@bananapus/suckers-v6/script/helpers/SuckerDeploymentLib.sol";
 
+import {IJBDirectory} from "@bananapus/core-v6/src/interfaces/IJBDirectory.sol";
 import {JBOmnichainDeployer} from "src/JBOmnichainDeployer.sol";
 
 contract Deploy is Script, Sphinx {
@@ -61,7 +62,12 @@ contract Deploy is Script, Sphinx {
                 salt: NANA_OMNICHAIN_DEPLOYER_SALT,
                 creationCode: type(JBOmnichainDeployer).creationCode,
                 arguments: abi.encode(
-                    suckers.registry, hook.hook_deployer, core.permissions, core.projects, core.trustedForwarder
+                    suckers.registry,
+                    hook.hook_deployer,
+                    core.permissions,
+                    core.projects,
+                    core.directory,
+                    core.trustedForwarder
                 ),
                 deployer: safeAddress()
             })) {
@@ -70,6 +76,7 @@ contract Deploy is Script, Sphinx {
                 hookDeployer: hook.hook_deployer,
                 permissions: core.permissions,
                 projects: core.projects,
+                directory: IJBDirectory(address(core.directory)),
                 trustedForwarder: core.trustedForwarder
             });
         }

package/src/JBOmnichainDeployer.sol

@@ -6,6 +6,7 @@ import {IJB721TiersHookDeployer} from "@bananapus/721-hook-v6/src/interfaces/IJB
 import {JBApprovalStatus} from "@bananapus/core-v6/src/enums/JBApprovalStatus.sol";
 import {JBPermissioned} from "@bananapus/core-v6/src/abstract/JBPermissioned.sol";
 import {IJBController} from "@bananapus/core-v6/src/interfaces/IJBController.sol";
+import {IJBDirectory} from "@bananapus/core-v6/src/interfaces/IJBDirectory.sol";
 import {IJBPermissions} from "@bananapus/core-v6/src/interfaces/IJBPermissions.sol";
 import {IJBProjects} from "@bananapus/core-v6/src/interfaces/IJBProjects.sol";
 import {IJBRulesetDataHook} from "@bananapus/core-v6/src/interfaces/IJBRulesetDataHook.sol";
@@ -79,6 +80,10 @@ contract JBOmnichainDeployer is
     /// @notice Deploys and tracks suckers for projects.
     IJBSuckerRegistry public immutable SUCKER_REGISTRY;
 
+    /// @notice The directory used to validate controllers. Stored as immutable to prevent a user-provided
+    /// controller from returning a fake directory that confirms itself.
+    IJBDirectory public immutable DIRECTORY;
+
     //*********************************************************************//
     // -------------------- internal stored properties ------------------- //
     //*********************************************************************//
@@ -101,12 +106,14 @@ contract JBOmnichainDeployer is
     /// @param hookDeployer The deployer to use for project's tiered ERC-721 hooks.
     /// @param permissions The permissions to use for the contract.
     /// @param projects The projects to use for the contract.
+    /// @param directory The directory used to validate controllers against a trusted source.
     /// @param trustedForwarder The trusted forwarder for the ERC2771Context.
     constructor(
         IJBSuckerRegistry suckerRegistry,
         IJB721TiersHookDeployer hookDeployer,
         IJBPermissions permissions,
         IJBProjects projects,
+        IJBDirectory directory,
         address trustedForwarder
     )
         JBPermissioned(permissions)
@@ -115,6 +122,7 @@ contract JBOmnichainDeployer is
         PROJECTS = projects;
         SUCKER_REGISTRY = suckerRegistry;
         HOOK_DEPLOYER = hookDeployer;
+        DIRECTORY = directory;
 
         // Give the sucker registry permission to map tokens for all revnets.
         uint8[] memory permissionIds = new uint8[](1);
@@ -715,8 +723,9 @@ contract JBOmnichainDeployer is
             });
         }
 
-        // Transfer ownership of the project to the owner.
-        PROJECTS.transferFrom({from: address(this), to: owner, tokenId: projectId});
+        // Transfer ownership of the project to the owner. Uses safeTransferFrom so contract receivers
+        // get an onERC721Received callback.
+        PROJECTS.safeTransferFrom({from: address(this), to: owner, tokenId: projectId});
     }
 
     /// @notice Internal implementation of `launchRulesetsFor`.
@@ -920,13 +929,12 @@ contract JBOmnichainDeployer is
     }
 
     /// @notice Validates that the provided controller matches the project's controller in the directory.
-    /// @dev The reflexive lookup (controller.DIRECTORY().controllerOf()) is intentional — it confirms the
-    /// caller-provided controller is the one the directory recognizes for this project, preventing a
-    /// malicious controller from being passed in.
+    /// @dev Uses the immutable DIRECTORY instead of querying the controller, preventing a malicious
+    /// controller from returning a fake directory that confirms itself.
     /// @param projectId The ID of the project to validate the controller for.
     /// @param controller The controller to validate.
     function _validateController(uint256 projectId, IJBController controller) internal view {
-        address current = address(controller.DIRECTORY().controllerOf(projectId));
+        address current = address(DIRECTORY.controllerOf(projectId));
         // Allow address(0) for fresh projects that haven't launched rulesets yet.
         if (current != address(0) && current != address(controller)) {
             revert JBOmnichainDeployer_ControllerMismatch();

package/test/JBOmnichainDeployer.t.sol

@@ -42,6 +42,7 @@ contract TestJBOmnichainDeployer is Test {
     IJBProjects projects = IJBProjects(makeAddr("projects"));
     IJBSuckerRegistry suckerRegistry = IJBSuckerRegistry(makeAddr("suckerRegistry"));
     IJB721TiersHookDeployer hookDeployer = IJB721TiersHookDeployer(makeAddr("hookDeployer"));
+    IJBDirectory directory = IJBDirectory(makeAddr("directory"));
 
     address projectOwner = makeAddr("projectOwner");
     address sucker = makeAddr("sucker");
@@ -63,6 +64,7 @@ contract TestJBOmnichainDeployer is Test {
             hookDeployer,
             permissions,
             projects,
+            directory,
             address(0) // trustedForwarder
         );
 
@@ -331,11 +333,7 @@ contract TestJBOmnichainDeployer is Test {
 
     function test_launchRulesetsFor_simplified_usesDefaultCurrency() public {
         IJBController controller = IJBController(makeAddr("controller"));
-        IJBDirectory directory = IJBDirectory(makeAddr("directory"));
 
-        vm.mockCall(
-            address(controller), abi.encodeWithSelector(IJBController.DIRECTORY.selector), abi.encode(directory)
-        );
         vm.mockCall(
             address(directory),
             abi.encodeWithSelector(IJBDirectory.controllerOf.selector, projectId),
@@ -369,7 +367,6 @@ contract TestJBOmnichainDeployer is Test {
     function test_queueRulesetsOf_simplified_carriesForwardHook() public {
         // First launch a project so there's a hook to carry forward.
         IJBController controller = IJBController(makeAddr("controller"));
-        IJBDirectory directory = IJBDirectory(makeAddr("directory"));
         IJBRulesets rulesets = IJBRulesets(makeAddr("rulesets"));
 
         vm.mockCall(address(projects), abi.encodeWithSelector(IJBProjects.count.selector), abi.encode(uint256(41)));
@@ -391,9 +388,6 @@ contract TestJBOmnichainDeployer is Test {
         deployer.launchProjectFor(projectOwner, "test", configs, terminals, "", _emptySuckerConfig(), controller);
 
         // Now set up mocks for queueRulesetsOf.
-        vm.mockCall(
-            address(controller), abi.encodeWithSelector(IJBController.DIRECTORY.selector), abi.encode(directory)
-        );
         vm.mockCall(
             address(directory),
             abi.encodeWithSelector(IJBDirectory.controllerOf.selector, projectId),
@@ -462,7 +456,6 @@ contract TestJBOmnichainDeployer is Test {
     function test_queueRulesetsOf_carryForward_preservesCashOutFlag() public {
         // --- Step 1: Launch a project with useDataHookForCashOut = true ---
         IJBController controller = IJBController(makeAddr("controller"));
-        IJBDirectory directory = IJBDirectory(makeAddr("directory"));
         IJBRulesets rulesets = IJBRulesets(makeAddr("rulesets"));
 
         vm.mockCall(address(projects), abi.encodeWithSelector(IJBProjects.count.selector), abi.encode(uint256(41)));
@@ -495,9 +488,6 @@ contract TestJBOmnichainDeployer is Test {
         assertTrue(initialCashOutFlag, "initial launch should store useDataHookForCashOut = true");
 
         // --- Step 2: Queue a new ruleset with no tiers (carry-forward) ---
-        vm.mockCall(
-            address(controller), abi.encodeWithSelector(IJBController.DIRECTORY.selector), abi.encode(directory)
-        );
         vm.mockCall(
             address(directory),
             abi.encodeWithSelector(IJBDirectory.controllerOf.selector, projectId),

package/test/JBOmnichainDeployerGuard.t.sol

@@ -126,6 +126,7 @@ contract JBOmnichainDeployerGuardTest is TestBaseWorkflow {
             IJB721TiersHookDeployer(mockHookDeployerAddr),
             IJBPermissions(address(jbPermissions())),
             IJBProjects(address(jbProjects())),
+            IJBDirectory(address(jbDirectory())),
             trustedForwarder()
         );
 

package/test/OmnichainDeployerAttacks.t.sol

@@ -4,6 +4,7 @@ pragma solidity 0.8.28;
 import {Test} from "forge-std/Test.sol";
 
 import {IJBController} from "@bananapus/core-v6/src/interfaces/IJBController.sol";
+import {IJBDirectory} from "@bananapus/core-v6/src/interfaces/IJBDirectory.sol";
 import {IJBPermissions} from "@bananapus/core-v6/src/interfaces/IJBPermissions.sol";
 import {IJBProjects} from "@bananapus/core-v6/src/interfaces/IJBProjects.sol";
 import {IJBRulesetDataHook} from "@bananapus/core-v6/src/interfaces/IJBRulesetDataHook.sol";
@@ -97,6 +98,7 @@ contract OmnichainDeployerAttacks is Test {
     IJBProjects projects = IJBProjects(makeAddr("projects"));
     IJBSuckerRegistry suckerRegistry = IJBSuckerRegistry(makeAddr("suckerRegistry"));
     IJB721TiersHookDeployer hookDeployer = IJB721TiersHookDeployer(makeAddr("hookDeployer"));
+    IJBDirectory directory = IJBDirectory(makeAddr("directory"));
 
     address projectOwner = makeAddr("projectOwner");
     address sucker = makeAddr("sucker");
@@ -119,7 +121,7 @@ contract OmnichainDeployerAttacks is Test {
             address(permissions), abi.encodeWithSelector(IJBPermissions.setPermissionsFor.selector), abi.encode()
         );
 
-        deployer = new JBOmnichainDeployer(suckerRegistry, hookDeployer, permissions, projects, address(0));
+        deployer = new JBOmnichainDeployer(suckerRegistry, hookDeployer, permissions, projects, directory, address(0));
 
         // Default mocks.
         vm.mockCall(

package/test/OmnichainDeployerEdgeCases.t.sol

@@ -113,6 +113,7 @@ contract OmnichainDeployerEdgeCases is Test {
     IJBProjects projects = IJBProjects(makeAddr("projects"));
     IJBSuckerRegistry suckerRegistry = IJBSuckerRegistry(makeAddr("suckerRegistry"));
     IJB721TiersHookDeployer hookDeployer = IJB721TiersHookDeployer(makeAddr("hookDeployer"));
+    IJBDirectory directory = IJBDirectory(makeAddr("directory"));
 
     address projectOwner = makeAddr("projectOwner");
     address sucker = makeAddr("sucker");
@@ -131,7 +132,7 @@ contract OmnichainDeployerEdgeCases is Test {
             address(permissions), abi.encodeWithSelector(IJBPermissions.setPermissionsFor.selector), abi.encode()
         );
 
-        deployer = new JBOmnichainDeployer(suckerRegistry, hookDeployer, permissions, projects, address(0));
+        deployer = new JBOmnichainDeployer(suckerRegistry, hookDeployer, permissions, projects, directory, address(0));
 
         vm.mockCall(
             address(projects), abi.encodeWithSelector(IERC721.ownerOf.selector, projectId), abi.encode(projectOwner)
@@ -575,12 +576,8 @@ contract OmnichainDeployerEdgeCases is Test {
     // =========================================================================
     function test_launchRulesetsFor_requiresLaunchRulesetsPermission() public {
         IJBController controller = IJBController(makeAddr("controller"));
-        IJBDirectory directory = IJBDirectory(makeAddr("directory"));
 
-        // Mock controller validation chain.
-        vm.mockCall(
-            address(controller), abi.encodeWithSelector(IJBController.DIRECTORY.selector), abi.encode(directory)
-        );
+        // Mock controllerOf on the deployer's immutable DIRECTORY.
         vm.mockCall(
             address(directory),
             abi.encodeWithSelector(IJBDirectory.controllerOf.selector, projectId),
@@ -609,13 +606,9 @@ contract OmnichainDeployerEdgeCases is Test {
         _launchProjectWithHook(address(0));
 
         IJBController controller = IJBController(makeAddr("controller"));
-        IJBDirectory directory = IJBDirectory(makeAddr("directory"));
         IJBRulesets rulesets = IJBRulesets(makeAddr("rulesets"));
 
-        // Mock controller validation chain.
-        vm.mockCall(
-            address(controller), abi.encodeWithSelector(IJBController.DIRECTORY.selector), abi.encode(directory)
-        );
+        // Mock controllerOf on the deployer's immutable DIRECTORY.
         vm.mockCall(
             address(directory),
             abi.encodeWithSelector(IJBDirectory.controllerOf.selector, projectId),

package/test/TestAuditGaps.sol

@@ -279,7 +279,7 @@ contract TestAuditGaps is Test {
         vm.mockCall(
             address(permissions), abi.encodeWithSelector(IJBPermissions.setPermissionsFor.selector), abi.encode()
         );
-        deployer = new JBOmnichainDeployer(suckerRegistry, hookDeployer, permissions, projects, address(0));
+        deployer = new JBOmnichainDeployer(suckerRegistry, hookDeployer, permissions, projects, directory, address(0));
 
         // Default mocks.
         vm.mockCall(
@@ -292,9 +292,7 @@ contract TestAuditGaps is Test {
         vm.mockCall(
             address(controller), abi.encodeWithSelector(IJBController.launchProjectFor.selector), abi.encode(projectId)
         );
-        vm.mockCall(
-            address(controller), abi.encodeWithSelector(IJBController.DIRECTORY.selector), abi.encode(directory)
-        );
+        // Mock controllerOf on the deployer's immutable DIRECTORY.
         vm.mockCall(
             address(directory),
             abi.encodeWithSelector(IJBDirectory.controllerOf.selector, projectId),
@@ -804,21 +802,9 @@ contract TestAuditGaps is Test {
 
         vm.warp(BASE_TIME + 10);
 
-        // Mock a different controller for the project.
+        // The deployer's immutable DIRECTORY returns `controller` for this project.
+        // Passing a different controller should trigger ControllerMismatch.
         IJBController wrongController = IJBController(makeAddr("wrongController"));
-        IJBDirectory wrongDirectory = IJBDirectory(makeAddr("wrongDirectory"));
-
-        vm.mockCall(
-            address(wrongController),
-            abi.encodeWithSelector(IJBController.DIRECTORY.selector),
-            abi.encode(wrongDirectory)
-        );
-        // controllerOf returns a different address than wrongController.
-        vm.mockCall(
-            address(wrongDirectory),
-            abi.encodeWithSelector(IJBDirectory.controllerOf.selector, projectId),
-            abi.encode(IERC165(makeAddr("otherController")))
-        );
 
         JBRulesetConfig[] memory configs = new JBRulesetConfig[](1);
         configs[0] = _makeRulesetConfig(address(0), false, false);

package/test/Tiered721HookComposition.t.sol

@@ -65,7 +65,7 @@ contract Tiered721HookComposition is Test {
         vm.mockCall(
             address(permissions), abi.encodeWithSelector(IJBPermissions.setPermissionsFor.selector), abi.encode()
         );
-        deployer = new JBOmnichainDeployer(suckerRegistry, hookDeployer, permissions, projects, address(0));
+        deployer = new JBOmnichainDeployer(suckerRegistry, hookDeployer, permissions, projects, directory, address(0));
         vm.mockCall(
             address(projects), abi.encodeWithSelector(IERC721.ownerOf.selector, projectId), abi.encode(projectOwner)
         );
@@ -76,9 +76,7 @@ contract Tiered721HookComposition is Test {
         vm.mockCall(
             address(controller), abi.encodeWithSelector(IJBController.launchProjectFor.selector), abi.encode(projectId)
         );
-        vm.mockCall(
-            address(controller), abi.encodeWithSelector(IJBController.DIRECTORY.selector), abi.encode(directory)
-        );
+        // Mock controllerOf on the deployer's immutable DIRECTORY.
         vm.mockCall(
             address(directory),
             abi.encodeWithSelector(IJBDirectory.controllerOf.selector, projectId),