@bananapus/ownable-v6 0.0.1

package/test/Ownable.t.sol

@@ -0,0 +1,374 @@
+// SPDX-License-Identifier: UNLICENSED
+pragma solidity ^0.8.23;
+
+import "forge-std/Test.sol";
+import {MockOwnable} from "./mocks/MockOwnable.sol";
+import {JBOwnableOverrides} from "../src/JBOwnableOverrides.sol";
+
+import {JBPermissions} from "@bananapus/core-v6/src/JBPermissions.sol";
+import {JBPermissioned} from "@bananapus/core-v6/src/abstract/JBPermissioned.sol";
+import {JBProjects} from "@bananapus/core-v6/src/JBProjects.sol";
+import {IJBPermissions} from "@bananapus/core-v6/src/interfaces/IJBPermissions.sol";
+import {JBPermissionsData} from "@bananapus/core-v6/src/structs/JBPermissionsData.sol";
+import {IJBProjects} from "@bananapus/core-v6/src/interfaces/IJBProjects.sol";
+
+contract OwnableTest is Test {
+    IJBProjects PROJECTS;
+    IJBPermissions PERMISSIONS;
+
+    modifier isNotContract(address a) {
+        uint256 size;
+        assembly {
+            size := extcodesize(a)
+        }
+        vm.assume(size == 0);
+        _;
+    }
+
+    function setUp() public {
+        // Deploy the permissions contract.
+        PERMISSIONS = new JBPermissions(address(0));
+        // Deploy the projects contract.
+        PROJECTS = new JBProjects(address(123), address(0), address(0));
+    }
+
+    function testDeployerDoesNotBecomeOwner(address deployer, address owner) public isNotContract(owner) {
+        // `CreateFor` won't work if the address is a contract that doesn't support `ERC721Receiver`.
+        vm.assume(owner != address(0));
+
+        vm.prank(deployer);
+        MockOwnable ownable = new MockOwnable(PROJECTS, PERMISSIONS, owner, uint88(0));
+
+        assertEq(owner, ownable.owner(), "Deployer did not become the owner.");
+    }
+
+    function testJBOwnableFollowsTheProjectOwner(
+        address projectOwner,
+        address newProjectOwner
+    )
+        public
+        isNotContract(projectOwner)
+        isNotContract(newProjectOwner)
+    {
+        // `CreateFor` won't work if the address is a contract that doesn't support `ERC721Receiver`.
+        vm.assume(projectOwner != address(0));
+        // Can't transfer ownership to the zero address.
+        vm.assume(newProjectOwner != address(0));
+
+        // Create a project for the owner.
+        uint256 projectId = PROJECTS.createFor(projectOwner);
+
+        // Create the `Ownable` contract.
+        MockOwnable ownable = new MockOwnable(PROJECTS, PERMISSIONS, address(0), uint88(projectId));
+
+        // Make sure the deployer owns it.
+        assertEq(projectOwner, ownable.owner(), "Deployer is not the owner.");
+
+        // Transfer the project's ownership.
+        vm.prank(projectOwner);
+        PROJECTS.transferFrom(projectOwner, newProjectOwner, projectId);
+
+        // Make sure the `Ownable` contract has also been transferred to the new project owner.
+        assertEq(newProjectOwner, ownable.owner(), "Ownable did not follow the Project owner.");
+    }
+
+    function testBasicOwnable(
+        address projectOwner,
+        address newOwnableOwner
+    )
+        public
+        isNotContract(projectOwner)
+        isNotContract(newOwnableOwner)
+    {
+        // Ownership can't be transferred to the 0 address. To transfer to the 0 address, ownership must be renounced.
+        vm.assume(newOwnableOwner != address(0));
+        // `CreateFor` won't work if the address is a contract that doesn't support `ERC721Receiver`.
+        vm.assume(projectOwner != address(0));
+
+        // Create a project for the owner.
+        uint256 _projectId = PROJECTS.createFor(projectOwner);
+
+        // Create the `Ownable` contract.
+        MockOwnable ownable = new MockOwnable(PROJECTS, PERMISSIONS, address(0), uint88(_projectId));
+
+        // Make sure the project owner owns it.
+        assertEq(projectOwner, ownable.owner(), "Deployer is not the owner.");
+
+        // We now stop using it as a `JBOwnable` and start using it like a basic `Ownable`.
+        vm.prank(projectOwner);
+        ownable.transferOwnership(newOwnableOwner);
+        // Make sure it was transferred to the new owner.
+        assertEq(newOwnableOwner, ownable.owner());
+        // Sanity check to make sure it only the `Ownable` changed, and that the project did not.
+        assertEq(PROJECTS.ownerOf(_projectId), projectOwner);
+    }
+
+    function testCantTransferToProjectZero(address owner) public {
+        vm.assume(owner != address(0));
+        vm.startPrank(owner);
+
+        // Create the `Ownable` contract.
+        MockOwnable ownable = new MockOwnable(PROJECTS, PERMISSIONS, owner, 0);
+
+        vm.expectRevert(abi.encodeWithSelector(JBOwnableOverrides.JBOwnableOverrides_InvalidNewOwner.selector));
+
+        // Transfer ownership to project ID 0 (should revert).
+        ownable.transferOwnershipToProject(0);
+        vm.stopPrank();
+    }
+
+    function testCantTransferToAddressZero(address owner) public {
+        vm.assume(owner != address(0));
+        vm.startPrank(owner);
+
+        // Create the `Ownable` contract.
+        MockOwnable ownable = new MockOwnable(PROJECTS, PERMISSIONS, owner, uint88(0));
+
+        vm.expectRevert(abi.encodeWithSelector(JBOwnableOverrides.JBOwnableOverrides_InvalidNewOwner.selector));
+
+        // Transfer ownership to the 0 address (should revert).
+        ownable.transferOwnership(address(0));
+        vm.stopPrank();
+    }
+
+    function testOwnableFollowsProjectOwner(
+        address projectOwner,
+        address newProjectOwner
+    )
+        public
+        isNotContract(projectOwner)
+        isNotContract(newProjectOwner)
+    {
+        vm.assume(projectOwner != newProjectOwner);
+        // `CreateFor` won't work if the address is a contract that doesn't support `ERC721Receiver`.
+        vm.assume(projectOwner != address(0));
+        vm.assume(newProjectOwner != address(0));
+
+        // Create a project for the owner.
+        uint256 _projectId = PROJECTS.createFor(projectOwner);
+
+        // Create the `Ownable` contract.
+        MockOwnable ownable = new MockOwnable(PROJECTS, PERMISSIONS, address(0), uint88(_projectId));
+
+        // Make sure the project owner owns it.
+        assertEq(projectOwner, ownable.owner(), "Deployer is not the owner.");
+
+        // Transfer the project ownership.
+        vm.prank(projectOwner);
+        PROJECTS.transferFrom(projectOwner, newProjectOwner, _projectId);
+        assertEq(PROJECTS.ownerOf(_projectId), newProjectOwner);
+
+        // Make sure the `Ownable` contract has also been transferred to the new project owner.
+        assertEq(newProjectOwner, ownable.owner());
+    }
+
+    function testOwnableOwnerCanRennounce(address deployer, address owner) public {
+        vm.assume(owner != address(0));
+        vm.assume(deployer != owner);
+
+        // Create the `Ownable` contract.
+        MockOwnable ownable = new MockOwnable(PROJECTS, PERMISSIONS, owner, uint88(0));
+
+        // Transfer ownership to the project owner.
+        vm.prank(owner);
+        ownable.transferOwnership(owner);
+        assertEq(owner, ownable.owner(), "Deployer is not the owner.");
+
+        // Renounce the ownership.
+        vm.prank(owner);
+        ownable.renounceOwnership();
+        assertEq(address(0), ownable.owner(), "Owner was not renounced.");
+    }
+
+    function testJBOwnableOwnerCanRennounce(address deployer, address projectOwner) public isNotContract(projectOwner) {
+        // `CreateFor` won't work if the address is a contract that doesn't support `ERC721Receiver`.
+        vm.assume(projectOwner != address(0));
+
+        // Create a project for the owner.
+        uint256 _projectId = PROJECTS.createFor(projectOwner);
+
+        // Create the `Ownable` contract.
+        vm.prank(deployer);
+        MockOwnable ownable = new MockOwnable(PROJECTS, PERMISSIONS, address(0), uint88(_projectId));
+
+        // Renounce the ownership.
+        vm.prank(projectOwner);
+        ownable.renounceOwnership();
+        assertEq(address(0), ownable.owner(), "Owner was not renounced.");
+    }
+
+    function testJBOwnablePermissions(
+        address projectOwner,
+        address callerAddress,
+        uint8 requiredPermissionId,
+        uint8[] memory permissionIdsToGrant
+    )
+        public
+        isNotContract(projectOwner)
+    {
+        // `CreateFor` won't work if the address is a contract that doesn't support `ERC721Receiver`.
+        vm.assume(projectOwner != address(0) && callerAddress != projectOwner);
+        requiredPermissionId = uint8(bound(uint256(requiredPermissionId), 1, 255));
+
+        // Truncate array instead of rejecting to avoid exceeding max_test_rejects.
+        if (permissionIdsToGrant.length > 4) {
+            assembly {
+                mstore(permissionIdsToGrant, 4)
+            }
+        }
+
+        // Create a project for the owner.
+        uint256 _projectId = PROJECTS.createFor(projectOwner);
+
+        // Create the `Ownable` contract.
+        MockOwnable ownable = new MockOwnable(PROJECTS, PERMISSIONS, address(0), uint88(_projectId));
+
+        // Set the required permission.
+        vm.prank(projectOwner);
+        ownable.setPermissionId(requiredPermissionId);
+
+        // Attempt to call the protected method without permission.
+        vm.expectRevert(
+            abi.encodeWithSelector(
+                JBPermissioned.JBPermissioned_Unauthorized.selector,
+                projectOwner,
+                callerAddress,
+                _projectId,
+                requiredPermissionId
+            )
+        );
+        vm.prank(callerAddress);
+        ownable.protectedMethod();
+
+        // Give permission.
+        bool _shouldHavePermission;
+        uint8[] memory _permissionIds = new uint8[](permissionIdsToGrant.length);
+        for (uint256 i; i < permissionIdsToGrant.length; i++) {
+            permissionIdsToGrant[i] = uint8(bound(uint256(permissionIdsToGrant[i]), 1, 255));
+            // Check if the permission we need is in the permissions to grant, including if it's ROOT.
+            if (permissionIdsToGrant[i] == requiredPermissionId || permissionIdsToGrant[i] == 1) {
+                _shouldHavePermission = true;
+            }
+            _permissionIds[i] = permissionIdsToGrant[i];
+        }
+
+        // The owner gives permission to the caller.
+        vm.prank(projectOwner);
+        PERMISSIONS.setPermissionsFor(
+            projectOwner,
+            JBPermissionsData({operator: callerAddress, projectId: uint56(_projectId), permissionIds: _permissionIds})
+        );
+
+        if (!_shouldHavePermission) {
+            vm.expectRevert(
+                abi.encodeWithSelector(
+                    JBPermissioned.JBPermissioned_Unauthorized.selector,
+                    projectOwner,
+                    callerAddress,
+                    _projectId,
+                    requiredPermissionId
+                )
+            );
+        }
+
+        vm.prank(callerAddress);
+        ownable.protectedMethod();
+    }
+
+    function testJBOwnablePermissionsRequiredModifier(
+        address projectOwner,
+        address callerAddress,
+        uint8 requiredPermissionId,
+        uint8[] memory permissionIdsToGrant
+    )
+        public
+        isNotContract(projectOwner)
+    {
+        // `CreateFor` won't work if the address is a contract that doesn't support `ERC721Receiver`.
+        vm.assume(projectOwner != address(0) && callerAddress != projectOwner);
+        requiredPermissionId = uint8(bound(uint256(requiredPermissionId), 1, 255));
+
+        // Truncate array instead of rejecting to avoid exceeding max_test_rejects.
+        if (permissionIdsToGrant.length > 4) {
+            assembly {
+                mstore(permissionIdsToGrant, 4)
+            }
+        }
+
+        // Create a project for the owner.
+        uint256 _projectId = PROJECTS.createFor(projectOwner);
+
+        // Create the `Ownable` contract.
+        MockOwnable ownable = new MockOwnable(PROJECTS, PERMISSIONS, address(0), uint88(_projectId));
+
+        // Set the permission that is required.
+        ownable.setPermission(requiredPermissionId);
+
+        // Attempt to call the protected method without permission.
+        vm.expectRevert(
+            abi.encodeWithSelector(
+                JBPermissioned.JBPermissioned_Unauthorized.selector,
+                projectOwner,
+                callerAddress,
+                _projectId,
+                requiredPermissionId
+            )
+        );
+        vm.prank(callerAddress);
+        ownable.protectedMethodWithRequirePermission();
+
+        // Give permission.
+        bool _shouldHavePermission;
+        uint8[] memory _permissionIds = new uint8[](permissionIdsToGrant.length);
+        for (uint256 i; i < permissionIdsToGrant.length; i++) {
+            permissionIdsToGrant[i] = uint8(bound(uint256(permissionIdsToGrant[i]), 1, 255));
+            // Check if the permission we need is in the permissions to grant, including if it's ROOT.
+            if (permissionIdsToGrant[i] == requiredPermissionId || permissionIdsToGrant[i] == 1) {
+                _shouldHavePermission = true;
+            }
+            _permissionIds[i] = permissionIdsToGrant[i];
+        }
+
+        // The owner gives permission to the caller.
+        vm.prank(projectOwner);
+        PERMISSIONS.setPermissionsFor(
+            projectOwner,
+            JBPermissionsData({operator: callerAddress, projectId: uint56(_projectId), permissionIds: _permissionIds})
+        );
+
+        if (!_shouldHavePermission) {
+            vm.expectRevert(
+                abi.encodeWithSelector(
+                    JBPermissioned.JBPermissioned_Unauthorized.selector,
+                    projectOwner,
+                    callerAddress,
+                    _projectId,
+                    requiredPermissionId
+                )
+            );
+        }
+
+        vm.prank(callerAddress);
+        ownable.protectedMethodWithRequirePermission();
+    }
+
+    function testCantConfigureOwnerAndProject(address owner, address projectOwner) public isNotContract(projectOwner) {
+        vm.assume(owner != address(0) && projectOwner != address(0));
+
+        // Create a project for the owner.
+        uint256 _projectId = PROJECTS.createFor(projectOwner);
+
+        // Should revert because we set both a owner and a projectOwner
+        vm.expectRevert(abi.encodeWithSelector(JBOwnableOverrides.JBOwnableOverrides_InvalidNewOwner.selector));
+
+        // Create the `Ownable` contract.
+        new MockOwnable(PROJECTS, PERMISSIONS, address(owner), uint88(_projectId));
+    }
+
+    function testCantInitializeAsRenounced() public {
+        // Should revert because we set both a owner and a projectOwner
+        vm.expectRevert(abi.encodeWithSelector(JBOwnableOverrides.JBOwnableOverrides_InvalidNewOwner.selector));
+        // Create the `Ownable` contract.
+        new MockOwnable(PROJECTS, PERMISSIONS, address(0), uint88(0));
+    }
+}

package/test/OwnableAttacks.t.sol

@@ -0,0 +1,185 @@
+// SPDX-License-Identifier: UNLICENSED
+pragma solidity ^0.8.23;
+
+import "forge-std/Test.sol";
+import {MockOwnable} from "./mocks/MockOwnable.sol";
+import {JBOwnableOverrides} from "../src/JBOwnableOverrides.sol";
+
+import {JBPermissions} from "@bananapus/core-v6/src/JBPermissions.sol";
+import {JBPermissioned} from "@bananapus/core-v6/src/abstract/JBPermissioned.sol";
+import {JBProjects} from "@bananapus/core-v6/src/JBProjects.sol";
+import {IJBPermissions} from "@bananapus/core-v6/src/interfaces/IJBPermissions.sol";
+import {IJBProjects} from "@bananapus/core-v6/src/interfaces/IJBProjects.sol";
+import {JBPermissionsData} from "@bananapus/core-v6/src/structs/JBPermissionsData.sol";
+
+/// @title OwnableAttacks
+/// @notice Adversarial security tests for JBOwnable covering edge cases
+///         around dual ownership, permission semantics, and renounced contracts.
+contract OwnableAttacks is Test {
+    IJBProjects PROJECTS;
+    IJBPermissions PERMISSIONS;
+
+    address alice = makeAddr("alice");
+    address bob = makeAddr("bob");
+    address attacker = makeAddr("attacker");
+
+    modifier isNotContract(address a) {
+        uint256 size;
+        assembly {
+            size := extcodesize(a)
+        }
+        vm.assume(size == 0);
+        _;
+    }
+
+    function setUp() public {
+        PERMISSIONS = new JBPermissions(address(0));
+        PROJECTS = new JBProjects(address(123), address(0), address(0));
+    }
+
+    // =========================================================================
+    // Test 1: Constructor rejects both owner AND projectId set
+    // =========================================================================
+    function test_bothOwnerAndProjectId_constructorReverts() public {
+        uint256 projectId = PROJECTS.createFor(alice);
+
+        vm.expectRevert(abi.encodeWithSelector(JBOwnableOverrides.JBOwnableOverrides_InvalidNewOwner.selector));
+        new MockOwnable(PROJECTS, PERMISSIONS, bob, uint88(projectId));
+    }
+
+    // =========================================================================
+    // Test 2: Renounced contract — protectedMethod always reverts
+    // =========================================================================
+    function test_renounced_protectedMethodAlwaysReverts() public {
+        MockOwnable ownable = new MockOwnable(PROJECTS, PERMISSIONS, alice, 0);
+
+        // Owner can call.
+        vm.prank(alice);
+        ownable.protectedMethod();
+
+        // Renounce.
+        vm.prank(alice);
+        ownable.renounceOwnership();
+        assertEq(ownable.owner(), address(0), "Should be renounced");
+
+        // Now NOBODY can call — not alice, not bob, not anyone.
+        vm.prank(alice);
+        vm.expectRevert();
+        ownable.protectedMethod();
+
+        vm.prank(bob);
+        vm.expectRevert();
+        ownable.protectedMethod();
+
+        vm.prank(attacker);
+        vm.expectRevert();
+        ownable.protectedMethod();
+    }
+
+    // =========================================================================
+    // Test 3: Permission ID reset on transfer
+    // =========================================================================
+    /// @notice After any ownership transfer, permissionId should reset to 0.
+    ///         This prevents stale permission delegation.
+    function test_permissionIdResetOnTransfer() public {
+        uint256 projectId = PROJECTS.createFor(alice);
+        MockOwnable ownable = new MockOwnable(PROJECTS, PERMISSIONS, address(0), uint88(projectId));
+
+        // Set permission ID.
+        vm.prank(alice);
+        ownable.setPermissionId(42);
+
+        (, uint88 pid, uint8 permId) = ownable.jbOwner();
+        assertEq(permId, 42, "Permission ID should be 42");
+
+        // Transfer to bob directly.
+        vm.prank(alice);
+        ownable.transferOwnership(bob);
+
+        (, pid, permId) = ownable.jbOwner();
+        assertEq(permId, 0, "Permission ID should reset to 0 after transfer");
+    }
+
+    // =========================================================================
+    // Test 4: Stale owner after NFT transfer
+    // =========================================================================
+    /// @notice After transferring project NFT, old owner should lose access.
+    function test_staleOwner_afterNFTTransfer() public {
+        uint256 projectId = PROJECTS.createFor(alice);
+        MockOwnable ownable = new MockOwnable(PROJECTS, PERMISSIONS, address(0), uint88(projectId));
+
+        // Alice is current owner.
+        assertEq(ownable.owner(), alice);
+        vm.prank(alice);
+        ownable.protectedMethod(); // Should succeed.
+
+        // Transfer project NFT to bob.
+        vm.prank(alice);
+        PROJECTS.transferFrom(alice, bob, projectId);
+
+        // Alice should no longer be owner.
+        assertEq(ownable.owner(), bob, "Bob should be new owner");
+
+        // Alice cannot call protectedMethod anymore.
+        vm.prank(alice);
+        vm.expectRevert();
+        ownable.protectedMethod();
+
+        // Bob can call.
+        vm.prank(bob);
+        ownable.protectedMethod();
+    }
+
+    // =========================================================================
+    // Test 5: Transfer to project with overflow ID — must revert
+    // =========================================================================
+    /// @notice transferOwnershipToProject with projectId > type(uint88).max should revert.
+    function test_transferOwnershipToProject_overflowReverts() public {
+        MockOwnable ownable = new MockOwnable(PROJECTS, PERMISSIONS, alice, 0);
+
+        // type(uint88).max + 1 = 309485009821345068724781056
+        uint256 overflowId = uint256(type(uint88).max) + 1;
+
+        vm.prank(alice);
+        vm.expectRevert();
+        ownable.transferOwnershipToProject(overflowId);
+    }
+
+    // =========================================================================
+    // Test 6: ROOT permission on wrong project doesn't grant access
+    // =========================================================================
+    /// @notice Attacker has ROOT permission on their own project. Verify it
+    ///         doesn't grant access to a different project's JBOwnable.
+    function test_rootOnWrongProject_noAccess() public {
+        // Create two projects.
+        uint256 aliceProject = PROJECTS.createFor(alice);
+        uint256 attackerProject = PROJECTS.createFor(attacker);
+
+        // Ownable is owned by alice's project.
+        MockOwnable ownable = new MockOwnable(PROJECTS, PERMISSIONS, address(0), uint88(aliceProject));
+
+        // Set permission ID so delegated access is possible.
+        vm.prank(alice);
+        ownable.setPermissionId(42);
+
+        // Attacker grants themselves ROOT (permission 1) on their OWN project.
+        uint8[] memory rootPerms = new uint8[](1);
+        rootPerms[0] = 1; // ROOT
+
+        vm.prank(attacker);
+        PERMISSIONS.setPermissionsFor(
+            attacker,
+            JBPermissionsData({operator: attacker, projectId: uint56(attackerProject), permissionIds: rootPerms})
+        );
+
+        // Attacker tries to call protectedMethod — should still fail because
+        // ROOT is on attackerProject, not aliceProject.
+        vm.prank(attacker);
+        vm.expectRevert(
+            abi.encodeWithSelector(
+                JBPermissioned.JBPermissioned_Unauthorized.selector, alice, attacker, aliceProject, 42
+            )
+        );
+        ownable.protectedMethod();
+    }
+}

package/test/OwnableInvariantTests.sol

@@ -0,0 +1,57 @@
+// SPDX-License-Identifier: UNLICENSED
+pragma solidity ^0.8.23;
+
+import {Test} from "forge-std/Test.sol";
+import {OwnableHandler} from "./handlers/OwnableHandler.sol";
+
+import {MockOwnable} from "./mocks/MockOwnable.sol";
+import {JBOwnableOverrides} from "../src/JBOwnableOverrides.sol";
+import {JBOwner} from "../src/structs/JBOwner.sol";
+import {JBPermissions} from "@bananapus/core-v6/src/JBPermissions.sol";
+import {IJBPermissions} from "@bananapus/core-v6/src/interfaces/IJBPermissions.sol";
+import {JBPermissionsData} from "@bananapus/core-v6/src/structs/JBPermissionsData.sol";
+import {JBProjects} from "@bananapus/core-v6/src/JBProjects.sol";
+import {IJBProjects} from "@bananapus/core-v6/src/interfaces/IJBProjects.sol";
+
+contract OwnableInvariantTests is Test {
+    OwnableHandler handler;
+
+    function setUp() public {
+        handler = new OwnableHandler();
+        targetContract(address(handler));
+    }
+
+    /// @notice Owner address and project ID are mutually exclusive: can't both be non-zero.
+    function invariant_cantBelongToUserAndProject() public {
+        (address owner, uint88 projectId,) = handler.OWNABLE().jbOwner();
+        assertTrue(owner == address(0) || projectId == uint256(0), "owner and projectId cannot both be non-zero");
+    }
+
+    /// @notice After renouncing, both owner and projectId must be zero.
+    function invariant_renounceZerosOut() public {
+        if (
+            handler.wasEverRenounced()
+                && handler.renounceCount() > handler.transferCount() + handler.projectTransferCount()
+        ) {
+            (address owner, uint88 projectId,) = handler.OWNABLE().jbOwner();
+            assertTrue(owner == address(0) && projectId == 0, "renounced state should have zero owner and projectId");
+        }
+    }
+
+    /// @notice The permissionId is always reset to 0 on ownership transfers.
+    function invariant_permissionIdResetOnTransfer() public {
+        (,, uint8 permissionId) = handler.OWNABLE().jbOwner();
+        // After any ownership change, permissionId should be 0 (reset by _transferOwnership).
+        // This is always true because the handler only calls transfer/renounce functions,
+        // and never calls setPermissionId.
+        assertEq(permissionId, 0, "permissionId should be 0 after transfers");
+    }
+
+    /// @notice If projectId is set, owner address must be zero.
+    function invariant_projectOwnershipExcludesAddress() public {
+        (address owner, uint88 projectId,) = handler.OWNABLE().jbOwner();
+        if (projectId != 0) {
+            assertEq(owner, address(0), "project ownership should zero the owner address");
+        }
+    }
+}

package/test/handlers/OwnableHandler.sol

@@ -0,0 +1,78 @@
+// SPDX-License-Identifier: UNLICENSED
+pragma solidity ^0.8.23;
+
+// import { Test } from "forge-std/Test.sol";
+import {CommonBase} from "forge-std/Base.sol";
+import {StdCheats} from "forge-std/StdCheats.sol";
+import {StdUtils} from "forge-std/StdUtils.sol";
+import {console} from "forge-std/console.sol";
+
+import {MockOwnable, JBOwnableOverrides} from "../mocks/MockOwnable.sol";
+import {IJBPermissions} from "@bananapus/core-v6/src/interfaces/IJBPermissions.sol";
+import {JBPermissions} from "@bananapus/core-v6/src/JBPermissions.sol";
+import {JBPermissionsData} from "@bananapus/core-v6/src/structs/JBPermissionsData.sol";
+import {IJBProjects} from "@bananapus/core-v6/src/interfaces/IJBProjects.sol";
+import {JBProjects} from "@bananapus/core-v6/src/JBProjects.sol";
+
+contract OwnableHandler is CommonBase, StdCheats, StdUtils {
+    IJBProjects public immutable PROJECTS;
+    IJBPermissions public immutable PERMISSIONS;
+    MockOwnable public immutable OWNABLE;
+
+    address[] public actors;
+    address internal currentActor;
+
+    // Ghost variables for tracking state.
+    uint256 public transferCount;
+    uint256 public renounceCount;
+    uint256 public projectTransferCount;
+    bool public wasEverRenounced;
+
+    modifier useActor(uint256 actorIndexSeed) {
+        currentActor = actors[bound(actorIndexSeed, 0, actors.length - 1)];
+        vm.startPrank(currentActor);
+        _;
+        vm.stopPrank();
+    }
+
+    constructor() {
+        address deployer = vm.addr(1);
+        address initialOwner = vm.addr(2);
+        // Deploy the permissions contract.
+        PERMISSIONS = new JBPermissions(address(0));
+        // Deploy the `JBProjects` contract.
+        PROJECTS = new JBProjects(address(123), address(0), address(0));
+        // Deploy the `JBOwnable` contract.
+        vm.prank(deployer);
+        OWNABLE = new MockOwnable(PROJECTS, PERMISSIONS, initialOwner, uint88(0));
+
+        actors.push(deployer);
+        actors.push(initialOwner);
+        actors.push(address(420));
+    }
+
+    function transferOwnershipToAddress(uint256 actorIndexSeed, address _newOwner) public useActor(actorIndexSeed) {
+        // Skip zero address — that's renounceOwnership's job.
+        if (_newOwner == address(0)) return;
+
+        try OWNABLE.transferOwnership(_newOwner) {
+            transferCount++;
+        } catch {}
+    }
+
+    function renounceOwnership(uint256 actorIndexSeed) public useActor(actorIndexSeed) {
+        try OWNABLE.renounceOwnership() {
+            renounceCount++;
+            wasEverRenounced = true;
+        } catch {}
+    }
+
+    function transferOwnershipToProject(uint256 actorIndexSeed, uint256 projectId) public useActor(actorIndexSeed) {
+        // Bound to valid project ID range (1 to type(uint88).max).
+        projectId = bound(projectId, 1, type(uint88).max);
+
+        try OWNABLE.transferOwnershipToProject(projectId) {
+            projectTransferCount++;
+        } catch {}
+    }
+}