@bananapus/ownable-v6 0.0.12 → 0.0.13

package/ADMINISTRATION.md

@@ -51,6 +51,25 @@ JBOwner {
 
 **Ownership transfer resets `permissionId` to 0.** This prevents the previous owner's delegates from retaining access after a transfer. The new owner must explicitly call `setPermissionId()` to configure delegation.
 
+## Usage Pattern
+
+Contracts inherit from `JBOwnable` to bridge Juicebox project ownership into the standard `onlyOwner` modifier pattern. The typical usage:
+
+```solidity
+contract MyHook is JBOwnable {
+    function adjustTiers(...) external onlyOwner {
+        // Only the resolved owner (or a permission delegate) can call this
+    }
+}
+```
+
+The `onlyOwner` modifier calls `_checkOwner()`, which resolves the current owner (via project NFT or direct address) and checks `_requirePermissionFrom()`. This means every `onlyOwner` function automatically supports:
+- Direct ownership (EOA or contract)
+- Project-based ownership (holder of the project NFT)
+- Permission delegation (via the configured `permissionId` through `JBPermissions`)
+
+**Practical example:** `JB721TiersHook` inherits `JBOwnable`. During deployment, ownership is transferred to the project via `transferOwnershipToProject(projectId)`. The project NFT holder then becomes the hook's owner, and they can delegate specific hook permissions to operators via `JBPermissions`.
+
 ## Immutable Configuration
 
 | Property | Set At | Can Change? |
@@ -73,3 +92,4 @@ What admins **cannot** do:
 - **Undo `renounceOwnership()`.** Once ownership is renounced, all `onlyOwner` functions are permanently disabled. There is no recovery mechanism.
 - **Bypass `JBPermissions` for delegation.** Permission delegation is exclusively handled through the external `JBPermissions` contract; `JBOwnable` itself has no operator registry.
 - **Prevent project NFT transfers from changing ownership.** When owned by a project, whoever holds the `JBProjects` ERC-721 is the owner. There is no veto or lock mechanism within `JBOwnable`.
+- **Project ownership resolution can fail.** When owned by a project (`projectId != 0`), `owner()` calls `PROJECTS.ownerOf(projectId)`. If this call reverts (e.g., the project NFT is held by a contract that rejects ERC-721 queries), the resolved owner becomes `address(0)`, effectively and permanently renouncing the contract. This is an edge case but has no recovery path.

package/ARCHITECTURE.md

@@ -2,7 +2,7 @@
 
 ## Purpose
 
-Juicebox-aware ownership module. Extends OpenZeppelin's Ownable pattern to support ownership by either a Juicebox project (via ERC-721) or a direct address, with permission delegation through JBPermissions.
+Juicebox-aware ownership module. Extends OpenZeppelin's Ownable pattern to support ownership by either a Juicebox project (via ERC-721) or a direct address, with permission delegation through JBPermissions. The primary use case is contracts like `JB721TiersHook` that inherit `JBOwnable` so they can be owned by a Juicebox project rather than just an EOA -- ownership automatically follows the project's ERC-721 token without requiring manual transfers when the project changes hands.
 
 ## Contract Map
 
@@ -44,6 +44,20 @@ Current owner → renounceOwnership()
   → Permanently disables owner-only functions
 ```
 
+## Design Decisions
+
+### Project-as-owner instead of plain OpenZeppelin Ownable
+OpenZeppelin's `Ownable` binds ownership to a single address. In Juicebox, project ownership is represented by an ERC-721 (`JBProjects`), and the owner of that NFT can change over time. `JBOwnable` resolves ownership dynamically via `PROJECTS.ownerOf(projectId)`, so any contract owned by a project automatically tracks whoever holds the project NFT. This avoids the need to manually call `transferOwnership` on every peripheral contract when a project changes hands.
+
+### `permissionId` in the owner struct
+The `JBOwner` struct includes a `uint8 permissionId` that the owner can configure via `setPermissionId()`. This lets the owner delegate access to specific addresses through `JBPermissions` without transferring ownership itself. For example, a project owner can grant a multisig or automation contract the ability to call `onlyOwner` functions on a hook without giving up project ownership. The permission ID is reset to 0 on every ownership transfer to prevent stale permission grants from carrying over to new owners.
+
+### Abstract base with concrete modifier
+`JBOwnableOverrides` is abstract and omits the `onlyOwner` modifier. The concrete `JBOwnable` adds it. This split exists because some inheriting contracts (like hooks deployed before a project NFT is minted) need to customize `_emitTransferEvent` -- the abstract base lets them override the event emission while reusing all ownership resolution and transfer logic.
+
+### Struct packing
+`JBOwner` packs `address owner` (160 bits), `uint88 projectId`, and `uint8 permissionId` into a single 256-bit storage slot. This means all ownership reads and writes cost one `SLOAD`/`SSTORE`, which matters because `_checkOwner` runs on every guarded call.
+
 ## Dependencies
 - `@bananapus/core-v6` — JBPermissioned, IJBProjects, IJBPermissions
 - `@openzeppelin/contracts` — Context

package/AUDIT_INSTRUCTIONS.md

@@ -2,6 +2,19 @@
 
 You are auditing a Juicebox-aware ownership module that extends OpenZeppelin's Ownable pattern. A contract inheriting `JBOwnable` can be owned by a Juicebox project (via its ERC-721 NFT) or a direct address, with delegated access through `JBPermissions`. This is a foundational access control primitive used by hooks and extensions across the Juicebox V6 ecosystem. Read [RISKS.md](./RISKS.md) first -- it documents all known risks and trust assumptions. Then come back here.
 
+## Compiler and Version Info
+
+| Setting | Value |
+|---------|-------|
+| Solidity version | ^0.8.26 |
+| EVM target | cancun |
+| Optimizer | enabled, 200 runs |
+| via-IR | not enabled |
+| Fuzz runs | 4,096 |
+| Invariant runs | 1,024 (depth 100) |
+
+Source: [`foundry.toml`](./foundry.toml)
+
 ## Scope
 
 **In scope -- all Solidity in `src/`:**
@@ -89,7 +102,7 @@ Ownership transitions must be airtight:
 ### 4. Renunciation Edge Cases
 
 - **Renouncing when project-owned.** If `projectId != 0` and the NFT holder calls `renounceOwnership()`, both `owner` and `projectId` are set to 0. Verify the NFT holder can still call `renounceOwnership()` (passes `_checkOwner` with the project-resolved owner).
-- **Renouncing after NFT burn.** If the project NFT is burned (hypothetically -- JBProjects V6 has no burn), `owner()` returns `address(0)`, making `_checkOwner()` revert for everyone. The contract is effectively renounced without anyone calling `renounceOwnership()`. Verify this state is consistent and cannot be escaped.
+- **Implicit renunciation via unreachable `ownerOf`.** JBProjects V6 has no burn function, so `PROJECTS.ownerOf()` cannot revert for a valid project ID under normal conditions. The try-catch in `owner()` and `_checkOwner()` is a defensive measure against hypothetical future changes to `JBProjects` or unexpected ERC-721 behavior. If `ownerOf` ever did revert, `owner()` would return `address(0)` and `_checkOwner()` would revert for all callers -- the contract would be effectively renounced without anyone calling `renounceOwnership()`. Verify this state is consistent and cannot be escaped.
 - **Double renounce.** After renouncing, calling `renounceOwnership()` again should revert because `_checkOwner()` will fail (resolved owner is `address(0)` and `msg.sender` cannot be `address(0)`).
 
 ### 5. Storage Slot Packing
@@ -126,8 +139,49 @@ forge test --match-contract OwnableInvariant -vvv
 # Run regression tests
 forge test --match-path test/regression/ -vvv
 
-# Write a PoC
-forge test --match-path test/audit/ExploitPoC.t.sol -vvv
+# Write a PoC (create test/YourExploit.t.sol)
+forge test --match-path test/YourExploit.t.sol -vvv
 ```
 
+## Error Reference
+
+All custom errors are defined in `src/JBOwnableOverrides.sol`.
+
+| Error | Trigger Condition |
+|-------|-------------------|
+| `JBOwnableOverrides_InvalidNewOwner()` | (1) Constructor called with both `initialOwner == address(0)` and `initialProjectIdOwner == 0`. (2) `transferOwnership()` called with `newOwner == address(0)`. (3) `transferOwnershipToProject()` called with `projectId == 0` or `projectId > type(uint88).max`. (4) `_transferOwnership(address, uint88)` called with both `newOwner != address(0)` and `projectId != 0`. |
+| `JBOwnableOverrides_ProjectDoesNotExist()` | `transferOwnershipToProject()` called with a `projectId` greater than `PROJECTS.count()` (the project has not been minted yet). |
+| `JBOwnableOverrides_ZeroAddressProjectsWithProjectOwner()` | Constructor called with `initialProjectIdOwner != 0` and `address(projects) == address(0)`. Prevents deploying with project-based ownership when no `JBProjects` contract is provided. |
+
+## Previous Audit Findings
+
+A Nemesis audit (Feynman + State Inconsistency methodology) was conducted on 2026-03-17. Full results are in `.audit/findings/nemesis-verified.md`.
+
+**Result: 0 Critical | 0 High | 0 Medium | 2 Low (informational)**
+
+| ID | Severity | Summary |
+|----|----------|---------|
+| NM-001 | LOW | Constructor lacks explicit project existence check -- deploys with a non-existent `initialProjectIdOwner` revert with an opaque ERC-721 error instead of `JBOwnableOverrides_ProjectDoesNotExist()`. Developer experience only, no security impact. |
+| NM-002 | LOW | `_emitTransferEvent` in `JBOwnable` does not use try-catch for `PROJECTS.ownerOf()`, unlike `owner()` and `_checkOwner()`. This is a deliberate design tradeoff: write-path failures should revert (preventing incorrect event data), while read-path failures degrade gracefully. |
+
+No other formal audit with finding IDs has been conducted.
+
+## How to Report Findings
+
+**Severity guide:**
+- **CRITICAL**: Direct fund loss, permanent DoS, or broken core invariant. Exploitable with no preconditions.
+- **HIGH**: Conditional fund loss, privilege escalation, or broken invariant. Requires specific but realistic setup.
+- **MEDIUM**: Value leakage, griefing with cost to attacker, incorrect accounting, degraded functionality.
+- **LOW**: Informational, cosmetic, edge-case-only with no material impact.
+
+For each finding:
+
+1. **Title** -- one line, starts with severity (CRITICAL/HIGH/MEDIUM/LOW)
+2. **Affected contract(s)** -- exact file path and line numbers
+3. **Description** -- what's wrong, in plain language
+4. **Trigger sequence** -- step-by-step, minimal steps to reproduce
+5. **Impact** -- what an attacker gains, what a user loses (with numbers if possible)
+6. **Proof** -- code trace showing the exact execution path, or a Foundry test
+7. **Fix** -- minimal code change that resolves the issue
+
 Go break it.

package/CHANGE_LOG.md

@@ -2,13 +2,19 @@
 
 This document describes all changes between `nana-ownable` (v5) and `nana-ownable-v6` (v6).
 
+## Summary
+
+- **Defensive `try-catch` on all `PROJECTS.ownerOf()` calls**: `owner()` now returns `address(0)` instead of reverting for burned/invalid project NFTs — changes observable behavior for callers.
+- **New safety validations**: `transferOwnershipToProject()` checks project existence; constructor rejects zero-address `PROJECTS` with project-based ownership.
+- **Solidity version pinned**: Changed from floating `^0.8.23` to exact `^0.8.26`.
+
 ---
 
 ## 1. Breaking Changes
 
 ### Solidity Version Pinned
 
-All contracts changed from `pragma solidity ^0.8.23` (floating) to `pragma solidity 0.8.26` (pinned). This means v6 can only compile with Solidity 0.8.26 exactly.
+All contracts changed from `pragma solidity ^0.8.23` (floating) to `pragma solidity ^0.8.26` (pinned). This means v6 can only compile with Solidity ^0.8.26 exactly.
 
 **Affected files:** `JBOwnable.sol`, `JBOwnableOverrides.sol`
 
@@ -216,7 +222,7 @@ All internal function calls in v6 use named arguments (e.g., `_transferOwnership
 
 | v5 | v6 | Change Type |
 |---|---|---|
-| `pragma solidity ^0.8.23` | `pragma solidity 0.8.26` | Pinned compiler version |
+| `pragma solidity ^0.8.23` | `pragma solidity ^0.8.26` | Pinned compiler version |
 | `@bananapus/core-v5` imports | `@bananapus/core-v6` imports | Dependency upgrade |
 | `PROJECTS.ownerOf()` called directly | `try PROJECTS.ownerOf() catch` in `owner()`, `_checkOwner()`, `_transferOwnership()` | Defensive error handling |
 | `transferOwnershipToProject()` -- no existence check | Reverts with `JBOwnableOverrides_ProjectDoesNotExist()` if `projectId > PROJECTS.count()` | New validation |

package/README.md

@@ -14,6 +14,31 @@ Forked from [`jbx-protocol/juice-ownable`](https://github.com/jbx-protocol/juice
 
 _If you have questions, take a look at the [core protocol contracts](https://github.com/Bananapus/nana-core-v6) and the [documentation](https://docs.juicebox.money/) first, or reach out on [Discord](https://discord.com/invite/ErQYmth4dS)._
 
+## Repository Layout
+
+```
+src/
+├── JBOwnable.sol               -- Concrete implementation (inherit this)
+├── JBOwnableOverrides.sol      -- Abstract base with all ownership logic
+├── interfaces/
+│   └── IJBOwnable.sol          -- Interface for ownership queries, transfers, and events
+└── structs/
+    └── JBOwner.sol             -- Packed struct: owner (160 bits) + projectId (88 bits) + permissionId (8 bits)
+
+test/
+├── Ownable.t.sol               -- Core ownership tests
+├── OwnableAttacks.t.sol        -- Attack vector tests
+├── OwnableEdgeCases.t.sol      -- Edge case coverage
+├── OwnableInvariantTests.sol   -- Invariant/fuzz tests
+├── handlers/
+│   └── OwnableHandler.sol      -- Invariant test handler
+├── mocks/
+│   └── MockOwnable.sol         -- Mock contract for testing
+└── regression/
+    ├── BurnLockProtection.t.sol -- Regression: burned NFT lockout
+    └── ZeroAddressValidation.t.sol -- Regression: zero-address edge cases
+```
+
 ## Architecture
 
 ```
@@ -78,6 +103,12 @@ When `_checkOwner()` is called (by the `onlyOwner` modifier), it:
 3. Those addresses can now call `onlyOwner` functions.
 4. If the project NFT is transferred to a new holder, delegated permissions granted by the previous holder stop working -- the new holder must re-grant permissions.
 
+## Risks
+
+- **Burned project NFT permanently locks the contract.** If ownership is tied to a project and the project NFT is burned, `owner()` returns `address(0)` (the `ownerOf` call reverts and the try-catch falls through). No one can call `onlyOwner` functions, and there is no recovery path -- this is effectively permanent renunciation. JBProjects V6 does not expose a public burn function, but a project NFT could still be burned via a custom token wrapper or a future upgrade.
+- **Silent loss of delegated access on ownership transfer.** The `permissionId` resets to 0 on every ownership transfer (both `transferOwnership` and `transferOwnershipToProject`). Any operators previously granted the old `permissionId` via `JBPermissions` lose their `onlyOwner` access without notification. The new owner must call `setPermissionId` and re-grant permissions to restore delegated access. Off-chain monitoring of the `PermissionIdChanged` event is recommended.
+- **Permission ID collisions with other JBPermissions grants.** The `permissionId` set on a `JBOwnable` contract is checked via the same `JBPermissions` registry used by the rest of the protocol. If the chosen `permissionId` overlaps with an ID already granted to operators for other purposes (e.g., a terminal permission or a hook permission), those operators will also pass the `onlyOwner` check -- gaining unintended owner-level access to the `JBOwnable` contract. Choose a `permissionId` that is not used by any other permission in the project's permission set.
+
 ## Install
 
 ```bash

package/RISKS.md

@@ -9,13 +9,19 @@
 ## 2. Known Risks
 
 - **Project NFT transfer = ownership transfer.** If ownership is tied to a project ID, anyone who acquires the project NFT (via transfer, marketplace purchase, or social engineering) gains full owner access to all contracts using that JBOwnable instance. Project NFT holders must treat the NFT as a high-value key.
-- **Permission ID reset on transfer.** `permissionId` resets to 0 on ownership transfer, which could temporarily lock out delegated operators. By design -- prevents permission clashes for new owners.
-- **Burned/invalid project NFT.** If the project NFT is burned or `ownerOf` reverts, the contract is effectively renounced (owner resolves to `address(0)`). Defensive try-catch in `owner()` and `_checkOwner()`. JBProjects V6 has no burn function, so this is a defensive measure.
 - **Dual ownership ambiguity.** Setting both `newOwner` and `projectId` to non-zero reverts, but the two-mode design could confuse integrators about which mode is active. `jbOwner()` exposes both fields for inspection.
-- **`transferOwnershipToProject` with future project.** Checks `projectId > PROJECTS.count()` to prevent transferring to non-existent projects.
+- **`renounceOwnership` permanently disables all owner-gated functions.** Defined directly in `JBOwnableOverrides` (not inherited from OpenZeppelin's `Ownable` -- the contract does not inherit from `Ownable`). Once called, `owner()` returns `address(0)` and all `onlyOwner` / `_checkOwner()` calls revert permanently. There is no recovery mechanism. This applies whether ownership is direct (address) or project-based (project NFT holder).
 
-## 3. Invariants to Verify
+## 3. Accepted Behaviors
+
+- **Permission ID reset on transfer.** `permissionId` resets to 0 on ownership transfer, which temporarily locks out delegated operators. This is intentional -- it prevents permission clashes for new owners.
+- **Burned/invalid project NFT.** If the project NFT were burned or `ownerOf` reverted, the contract would be effectively renounced (owner resolves to `address(0)`). Defensive try-catch in `owner()` and `_checkOwner()` handles this gracefully. JBProjects V6 has no burn function, so this scenario cannot occur in practice.
+- **`transferOwnershipToProject` rejects non-existent projects.** The function checks `projectId > PROJECTS.count()` and reverts, preventing transfers to non-existent projects.
+
+## 4. Invariants to Verify
 
 - Ownership is always exactly one of: direct address OR project NFT holder (never both, never neither unless renounced).
 - `_checkOwner()` reverts for all callers when the owner resolves to `address(0)`.
 - `permissionId` is correctly reset to 0 on every ownership transfer.
+- After `renounceOwnership()`, `jbOwner()` returns `(address(0), 0, 0)` and no address can pass `_checkOwner()`.
+- `transferOwnershipToProject(projectId)` reverts for all `projectId > PROJECTS.count()` at call time.

package/SKILLS.md

@@ -21,6 +21,10 @@ JBOwnable
         └── IJBOwnable (interface)
 ```
 
+## Deployed Addresses
+
+Library contract -- deployed as part of inheriting contracts (e.g., `JB721TiersHook`, `JBBuybackHook`). No standalone deployment.
+
 ## Key Functions
 
 ### Public / External
@@ -71,6 +75,22 @@ JBOwnable
 | `JBOwnableOverrides_ProjectDoesNotExist()` | `transferOwnershipToProject(id)` where `id > PROJECTS.count()`. |
 | `JBOwnableOverrides_ZeroAddressProjectsWithProjectOwner()` | Constructor receives a non-zero `initialProjectIdOwner` with `projects` set to `address(0)`. |
 
+## IJBOwnable Interface
+
+Defined in `src/interfaces/IJBOwnable.sol`. Pragma `^0.8.0`.
+
+| Method | Signature | Returns |
+|--------|-----------|---------|
+| `PROJECTS()` | `function PROJECTS() external view` | `IJBProjects` |
+| `jbOwner()` | `function jbOwner() external view` | `(address owner, uint88 projectId, uint8 permissionId)` |
+| `owner()` | `function owner() external view` | `address` |
+| `renounceOwnership()` | `function renounceOwnership() external` | -- |
+| `setPermissionId(uint8)` | `function setPermissionId(uint8 permissionId) external` | -- |
+| `transferOwnership(address)` | `function transferOwnership(address newOwner) external` | -- |
+| `transferOwnershipToProject(uint256)` | `function transferOwnershipToProject(uint256 projectId) external` | -- |
+
+Events: `OwnershipTransferred(address indexed previousOwner, address indexed newOwner, address caller)`, `PermissionIdChanged(uint8 newId, address caller)`.
+
 ## Integration Points
 
 | Dependency | Import | Used For |
@@ -91,7 +111,7 @@ JBOwnable
 - **`transferOwnershipToProject` checks existence.** It compares the project ID against `PROJECTS.count()` and reverts with `JBOwnableOverrides_ProjectDoesNotExist` if the project does not exist, preventing permanent loss of contract control.
 - **`owner()` makes an external call in project mode.** When `projectId != 0`, `owner()` calls `PROJECTS.ownerOf(projectId)`, which is an external call. This is relevant for gas-sensitive contexts. If the call reverts (e.g., the project NFT was burned), `owner()` returns `address(0)` and the contract degrades to a renounced state.
 - **Constructor rejects zero-address PROJECTS with project ownership.** Deploying with `projects = address(0)` and a non-zero `initialProjectIdOwner` reverts with `JBOwnableOverrides_ZeroAddressProjectsWithProjectOwner`, preventing permanently broken ownership resolution.
-- **No ERC2771 support.** Despite inheriting `Context`, `JBOwnable` uses plain `Context._msgSender()` (which returns `msg.sender`), not `ERC2771Context`. A trusted forwarder appending a sender address to calldata has no effect on ownership checks.
+- **No ERC2771 support.** Despite inheriting `Context`, `JBOwnable` uses plain `Context._msgSender()` (which returns `msg.sender`), not `ERC2771Context`. A trusted forwarder appending a sender address to calldata has no effect on ownership checks. If you need meta-tx support, override `_msgSender()` and `_msgData()` with `ERC2771Context` in your inheriting contract.
 
 ## Example: Inherit JBOwnable
 

package/STYLE_GUIDE.md

@@ -21,7 +21,7 @@ One contract/interface/struct/enum per file. Name the file after the type it con
 
 ```solidity
 // Contracts — pin to exact version
-pragma solidity 0.8.26;
+pragma solidity ^0.8.26;
 
 // Interfaces, structs, enums — caret for forward compatibility
 pragma solidity ^0.8.0;

package/USER_JOURNEYS.md

@@ -1,245 +1,200 @@
 # User Journeys -- nana-ownable-v6
 
-Concrete end-to-end flows through the JBOwnable system. Each journey traces the exact function calls, state changes, and external interactions.
+Concrete end-to-end flows through the JBOwnable system. Each journey traces the exact function calls, state changes, events, and edge cases.
+
+---
 
 ## Journey 1: Deploy a Project-Owned Contract
 
-**Actor:** Protocol developer deploying a hook or extension that should be owned by a Juicebox project.
-**Goal:** Create a contract where the project NFT holder has owner access.
+**Entry point**: `new MyHook(IJBPermissions permissions, IJBProjects projects, address(0), uint88 projectId)`
 
-### Precondition
+**Who can call**: Anyone (deployment is permissionless).
 
-A Juicebox project exists with ID `projectId`. The `JBProjects` and `JBPermissions` contracts are deployed.
+**Parameters**:
+- `permissions` -- The `IJBPermissions` contract used for delegated access checks
+- `projects` -- The `IJBProjects` contract used to resolve project NFT ownership
+- `initialOwner` -- Set to `address(0)` because ownership is project-based
+- `initialProjectIdOwner` -- The ID of the Juicebox project whose NFT holder becomes the owner
 
-### Steps
+**State changes**:
+1. `PROJECTS` immutable set to `projects`
+2. `PERMISSIONS` immutable set to `permissions` (inherited from `JBPermissioned`)
+3. Constructor validates that if `initialProjectIdOwner != 0`, then `address(projects) != address(0)` (reverts with `JBOwnableOverrides_ZeroAddressProjectsWithProjectOwner` if the project ID is non-zero but the projects contract is the zero address). There is no project existence check in the constructor.
+4. Constructor validates that at least one of `initialOwner` or `initialProjectIdOwner` is non-zero (reverts with `JBOwnableOverrides_InvalidNewOwner` if both are zero)
+5. `_transferOwnership(address(0), projectId)` executes:
+   - Sets `jbOwner = JBOwner({owner: address(0), projectId: projectId, permissionId: 0})`
+   - Calls `_emitTransferEvent(address(0), address(0), projectId)`
+6. `owner()` now resolves dynamically via `PROJECTS.ownerOf(projectId)`
 
-1. **Developer deploys a contract inheriting `JBOwnable`**
+**Events**: `OwnershipTransferred(address indexed previousOwner, address indexed newOwner, address caller)` -- emitted as `OwnershipTransferred(address(0), PROJECTS.ownerOf(projectId), msg.sender)`
 
-   ```solidity
-   new MyHook(permissions, projects, address(0), projectId)
-   ```
+**Edge cases**:
+- If the project does not exist (ID > `PROJECTS.count()`), the constructor still succeeds -- the existence check is only enforced in `transferOwnershipToProject`, not the constructor. If the project NFT has not yet been minted, `PROJECTS.ownerOf()` reverts, and the try-catch in `owner()` returns `address(0)`, effectively locking the contract until the project is minted.
+- `owner()` returns the current NFT holder dynamically. If the NFT is transferred, ownership automatically follows -- no on-chain update to the JBOwnable contract is needed.
+- Deploying with both `initialOwner == address(0)` and `initialProjectIdOwner == 0` reverts with `JBOwnableOverrides_InvalidNewOwner`. To create an unowned contract, set an owner and call `renounceOwnership()` in the constructor body.
 
-   - `initialOwner = address(0)` because ownership is project-based
-   - `initialProjectIdOwner = projectId`
+**What to verify**:
+- `jbOwner.owner == address(0)` and `jbOwner.projectId == projectId` after construction
+- `jbOwner.permissionId == 0` (no delegated access until explicitly configured)
+- `owner()` returns the current NFT holder, not a cached value
 
-2. **Constructor execution in `JBOwnableOverrides`**
+---
 
-   - Stores `PROJECTS = projects` (immutable)
-   - Validates: `initialProjectIdOwner != 0` AND `address(projects) != address(0)` -- passes
-   - Validates: not both zero (passes because `initialProjectIdOwner != 0`)
-   - Calls `_transferOwnership(address(0), projectId)`:
-     - Sets `jbOwner = JBOwner({owner: address(0), projectId: projectId, permissionId: 0})`
-     - Calls `_emitTransferEvent(address(0), address(0), projectId)`
-   - In `JBOwnable._emitTransferEvent`: emits `OwnershipTransferred(address(0), PROJECTS.ownerOf(projectId), msg.sender)`
+## Journey 1b: Deploy an Address-Owned Contract
 
-3. **Ownership is now live**
+**Entry point**: `new MyHook(IJBPermissions permissions, IJBProjects projects, address initialOwner, uint88(0))`
 
-   - `owner()` calls `PROJECTS.ownerOf(projectId)` and returns the current NFT holder
-   - `_checkOwner()` validates `msg.sender` against the NFT holder (or permission delegates)
+**Who can call**: Anyone (deployment is permissionless).
 
-### Result
+**Parameters**:
+- `permissions` -- The `IJBPermissions` contract used for delegated access checks
+- `projects` -- The `IJBProjects` contract (can be `address(0)` when not using project-based ownership)
+- `initialOwner` -- The address that becomes the contract owner (must not be `address(0)`)
+- `initialProjectIdOwner` -- Set to `0` because ownership is address-based
 
-The contract is owned by whichever address holds the project NFT. If the NFT is transferred, ownership automatically follows -- no on-chain update to the JBOwnable contract is needed.
+**State changes**:
+1. `PROJECTS` immutable set to `projects`
+2. `PERMISSIONS` immutable set to `permissions` (inherited from `JBPermissioned`)
+3. Constructor validates that `initialOwner != address(0)` (reverts with `JBOwnableOverrides_InvalidNewOwner` if both `initialOwner` and `initialProjectIdOwner` are zero)
+4. `_transferOwnership(initialOwner, 0)` executes:
+   - Sets `jbOwner = JBOwner({owner: initialOwner, projectId: 0, permissionId: 0})`
+   - Calls `_emitTransferEvent(address(0), initialOwner, 0)`
 
-### What to verify
+**Events**: `OwnershipTransferred(address indexed previousOwner, address indexed newOwner, address caller)` -- emitted as `OwnershipTransferred(address(0), initialOwner, msg.sender)`
 
-- `jbOwner.owner == address(0)` and `jbOwner.projectId == projectId` after construction.
-- `jbOwner.permissionId == 0` (no delegated access until explicitly configured).
-- `owner()` returns the current NFT holder, not a cached value.
-- If the project does not exist (ID > `PROJECTS.count()`), the constructor still succeeds -- the existence check is only enforced in `transferOwnershipToProject`, not the constructor. Verify whether this is safe (the deployer presumably knows the project exists).
+**Edge cases**:
+- `owner()` returns `jbOwner.owner` directly (no `PROJECTS.ownerOf()` lookup since `projectId == 0`)
+- Ownership does NOT follow NFT transfers -- it is static until explicitly transferred via `transferOwnership()` or `transferOwnershipToProject()`
+- `PROJECTS` can be `address(0)` in this mode since it is never consulted for ownership resolution. However, `transferOwnershipToProject()` will revert if `PROJECTS` is `address(0)` (the `PROJECTS.count()` call reverts).
 
 ---
 
 ## Journey 2: Transfer Ownership to a Different Address
 
-**Actor:** Current owner (direct address or project NFT holder).
-**Goal:** Transfer ownership from the current owner to a new direct address.
-
-### Precondition
-
-The caller is the current owner or has the configured `permissionId` (or ROOT) via `JBPermissions`.
-
-### Steps
+**Entry point**: `JBOwnableOverrides.transferOwnership(address newOwner)`
 
-1. **Owner calls `transferOwnership(newOwner)`**
+**Who can call**: The current owner (resolved via `PROJECTS.ownerOf()` if project-owned, or `jbOwner.owner` if address-owned), or any address with the configured `permissionId` (or ROOT) via `JBPermissions`.
 
-   - `newOwner` must not be `address(0)` (reverts with `JBOwnableOverrides_InvalidNewOwner`)
+**Parameters**:
+- `newOwner` -- The address to transfer ownership to (must not be `address(0)`)
 
-2. **`_checkOwner()` validates the caller**
-
-   - Resolves the current owner (via `PROJECTS.ownerOf()` if project-owned, or `jbOwner.owner` if address-owned)
-   - Calls `_requirePermissionFrom(resolvedOwner, projectId, permissionId)`
-   - Passes if `msg.sender == resolvedOwner` OR `msg.sender` has the required permission
-
-3. **`_transferOwnership(newOwner, 0)` executes the transfer**
-
-   - Records `oldOwner` (resolved from current `jbOwner`)
+**State changes**:
+1. `_checkOwner()` validates the caller against the resolved owner and `permissionId`
+2. Validates `newOwner != address(0)` (reverts with `JBOwnableOverrides_InvalidNewOwner`)
+3. `_transferOwnership(newOwner, 0)` executes:
+   - Records `oldOwner` (resolved from current `jbOwner`, with try-catch for burned project NFTs)
    - Overwrites `jbOwner = JBOwner({owner: newOwner, projectId: 0, permissionId: 0})`
    - Calls `_emitTransferEvent(oldOwner, newOwner, 0)`
 
-4. **`_emitTransferEvent` in `JBOwnable`**
-
-   - Since `newProjectId == 0`: emits `OwnershipTransferred(oldOwner, newOwner, msg.sender)`
+**Events**: `OwnershipTransferred(address indexed previousOwner, address indexed newOwner, address caller)` -- emitted as `OwnershipTransferred(oldOwner, newOwner, msg.sender)`
 
-### Result
-
-`jbOwner.owner == newOwner`, `jbOwner.projectId == 0`, `jbOwner.permissionId == 0`. The new owner must call `setPermissionId()` to re-enable delegated access.
-
-### What to verify
-
-- If the contract was previously project-owned, `projectId` is now 0 (project ownership is cleared).
-- `permissionId` is reset to 0, revoking all previously delegated permissions.
-- The previous owner (or their delegates) can no longer call `onlyOwner` functions.
-- `newOwner` can immediately call `onlyOwner` functions without any additional setup.
+**Edge cases**:
+- If the contract was previously project-owned, `projectId` is now 0 (project ownership is cleared)
+- `permissionId` is reset to 0, revoking all previously delegated permissions. The new owner must call `setPermissionId()` to re-enable delegated access.
+- The previous owner (or their delegates) can no longer call `onlyOwner` functions
+- `newOwner` can immediately call `onlyOwner` functions without any additional setup
 
 ---
 
 ## Journey 3: Transfer Ownership to a Juicebox Project
 
-**Actor:** Current owner (direct address or project NFT holder).
-**Goal:** Transfer ownership from the current owner to a Juicebox project, so the NFT holder becomes the new owner.
-
-### Precondition
-
-The target project exists (ID <= `PROJECTS.count()`). The caller is the current owner or has adequate permissions.
-
-### Steps
+**Entry point**: `JBOwnableOverrides.transferOwnershipToProject(uint256 projectId)`
 
-1. **Owner calls `transferOwnershipToProject(projectId)`**
+**Who can call**: The current owner (resolved via `PROJECTS.ownerOf()` if project-owned, or `jbOwner.owner` if address-owned), or any address with the configured `permissionId` (or ROOT) via `JBPermissions`.
 
-   - Validates: `projectId != 0` (reverts with `JBOwnableOverrides_InvalidNewOwner`)
-   - Validates: `projectId <= type(uint88).max` (reverts with `JBOwnableOverrides_InvalidNewOwner`)
-   - Validates: `projectId <= PROJECTS.count()` (reverts with `JBOwnableOverrides_ProjectDoesNotExist`)
-
-2. **`_checkOwner()` validates the caller** (same as Journey 2, Step 2)
-
-3. **`_transferOwnership(address(0), uint88(projectId))` executes the transfer**
+**Parameters**:
+- `projectId` -- The ID of the Juicebox project to transfer ownership to (must be non-zero, fit in `uint88`, and refer to an existing project)
 
+**State changes**:
+1. `_checkOwner()` validates the caller
+2. Validates `projectId != 0` and `projectId <= type(uint88).max` (reverts with `JBOwnableOverrides_InvalidNewOwner`)
+3. Validates `projectId <= PROJECTS.count()` (reverts with `JBOwnableOverrides_ProjectDoesNotExist`)
+4. `_transferOwnership(address(0), uint88(projectId))` executes:
    - Records `oldOwner` (resolved from current `jbOwner`)
    - Overwrites `jbOwner = JBOwner({owner: address(0), projectId: uint88(projectId), permissionId: 0})`
    - Calls `_emitTransferEvent(oldOwner, address(0), uint88(projectId))`
 
-4. **`_emitTransferEvent` in `JBOwnable`**
-
-   - Since `newProjectId != 0`: emits `OwnershipTransferred(oldOwner, PROJECTS.ownerOf(projectId), msg.sender)`
-
-### Result
-
-`jbOwner.owner == address(0)`, `jbOwner.projectId == projectId`, `jbOwner.permissionId == 0`. The project NFT holder is now the owner. Ownership dynamically follows NFT transfers.
+**Events**: `OwnershipTransferred(address indexed previousOwner, address indexed newOwner, address caller)` -- emitted as `OwnershipTransferred(oldOwner, PROJECTS.ownerOf(projectId), msg.sender)`
 
-### What to verify
-
-- The project existence check (`projectId <= PROJECTS.count()`) prevents transferring to a nonexistent project.
-- The `uint88` cast does not truncate (the preceding `type(uint88).max` check ensures this).
-- If the project NFT is subsequently burned (hypothetically), `owner()` returns `address(0)` and the contract is effectively renounced.
+**Edge cases**:
+- The project existence check (`projectId <= PROJECTS.count()`) prevents transferring to a nonexistent project
+- The `uint88` cast does not truncate (the preceding `type(uint88).max` check ensures this)
+- `permissionId` is reset to 0 on transfer. The new project owner must call `setPermissionId()` to configure delegation.
+- If the project NFT is subsequently burned (hypothetically), `owner()` returns `address(0)` and the contract is effectively renounced
+- Unlike the constructor, `_emitTransferEvent` calls `PROJECTS.ownerOf(newProjectId)` without try-catch -- if the project does not exist, the transaction reverts. This is intentional: the `PROJECTS.count()` check above prevents this path.
 
 ---
 
 ## Journey 4: Delegate Access via Permission ID
 
-**Actor:** Current owner.
-**Goal:** Allow additional addresses to call `onlyOwner` functions through the JBPermissions system.
-
-### Precondition
-
-The contract has an owner. The owner wants to delegate access to one or more operators.
-
-### Steps
-
-1. **Owner calls `setPermissionId(permissionId)`**
-
-   - `_checkOwner()` validates the caller
-   - `_setPermissionId(permissionId)` writes `jbOwner.permissionId = permissionId`
-   - Emits `PermissionIdChanged(permissionId, msg.sender)`
+**Entry point**: `JBOwnableOverrides.setPermissionId(uint8 permissionId)`
 
-2. **Owner grants the permission to operators via JBPermissions**
+**Who can call**: The current owner (resolved via `PROJECTS.ownerOf()` if project-owned, or `jbOwner.owner` if address-owned), or any address with the currently configured `permissionId` (or ROOT) via `JBPermissions`.
 
-   - `permissions.setPermissionsFor(account, JBPermissionsData({operator: operatorAddress, projectId: projectId, permissionIds: [permissionId]}))`
-   - This is an external call on the JBPermissions contract, not on the JBOwnable contract
+**Parameters**:
+- `permissionId` -- The new permission ID to use for `onlyOwner` access delegation
 
-3. **Operator calls an `onlyOwner` function**
+**State changes**:
+1. `_checkOwner()` validates the caller
+2. `_setPermissionId(permissionId)` writes `jbOwner.permissionId = permissionId`
 
-   - `_checkOwner()` resolves the owner and calls `_requirePermissionFrom(resolvedOwner, projectId, permissionId)`
-   - `JBPermissioned._requirePermissionFrom` checks `JBPermissions.hasPermission(msg.sender, resolvedOwner, projectId, permissionId)` -- passes
+**Events**: `PermissionIdChanged(uint8 newId, address caller)` -- emitted as `PermissionIdChanged(permissionId, msg.sender)`
 
-### Result
-
-The operator can call any function protected by `onlyOwner` on this contract. The permission is scoped to the owner's account and project ID.
-
-### What to verify
+**Granting the permission to operators** (external step, not on JBOwnable):
+- The owner calls `permissions.setPermissionsFor(account, JBPermissionsData({operator: operatorAddress, projectId: projectId, permissionIds: [permissionId]}))` on the `JBPermissions` contract
+- Operators can then call any `onlyOwner` function. `_checkOwner()` resolves the owner and calls `_requirePermissionFrom(resolvedOwner, projectId, permissionId)`, which passes if the operator has the matching permission.
 
+**Edge cases**:
 - `permissionId == 0` effectively disables delegation (permission ID 0 cannot be set in `JBPermissions`). Only the owner (or ROOT holders) can call `onlyOwner` functions.
 - If the owner transfers ownership, `permissionId` resets to 0. The new owner must re-configure delegation.
-- ROOT (permission ID 1) always grants access regardless of the configured `permissionId`. This is a feature of `JBPermissioned`, not specific to `JBOwnable`.
+- ROOT (permission ID 1) bypasses the configured `permissionId` check, but only when the operator has been granted ROOT **by the resolved owner** via `JBPermissions`. ROOT is not a global override -- it is scoped to the `account` (i.e. the resolved owner) that granted it. This is a feature of `JBPermissioned`, not specific to `JBOwnable`. After renouncement (resolved owner = `address(0)`), ROOT cannot help because no one can obtain permissions granted by `address(0)`.
 - The operator's access is not stored on the JBOwnable contract -- it lives in JBPermissions. Changing the `permissionId` on JBOwnable instantly changes which JBPermissions grants are recognized.
 
 ---
 
 ## Journey 5: Renounce Ownership
 
-**Actor:** Current owner.
-**Goal:** Permanently give up ownership, making `onlyOwner` functions uncallable.
-
-### Precondition
-
-The caller is the current owner and understands this action is irreversible.
-
-### Steps
+**Entry point**: `JBOwnableOverrides.renounceOwnership()`
 
-1. **Owner calls `renounceOwnership()`**
+**Who can call**: The current owner (resolved via `PROJECTS.ownerOf()` if project-owned, or `jbOwner.owner` if address-owned), or any address with the configured `permissionId` (or ROOT) via `JBPermissions`.
 
-   - `_checkOwner()` validates the caller
-
-2. **`_transferOwnership(address(0), 0)` executes**
+**Parameters**: None.
 
+**State changes**:
+1. `_checkOwner()` validates the caller
+2. `_transferOwnership(address(0), 0)` executes:
    - Records `oldOwner` (resolved from current `jbOwner`)
    - Overwrites `jbOwner = JBOwner({owner: address(0), projectId: 0, permissionId: 0})`
    - Calls `_emitTransferEvent(oldOwner, address(0), 0)`
-   - Emits `OwnershipTransferred(oldOwner, address(0), msg.sender)`
-
-### Result
-
-`jbOwner` is zeroed out. `owner()` returns `address(0)`. All future calls to `_checkOwner()` revert because `_requirePermissionFrom(address(0), 0, 0)` fails for any `msg.sender` (no address equals `address(0)`, and no permission can satisfy the check against a zero-address account).
 
-### What to verify
+**Events**: `OwnershipTransferred(address indexed previousOwner, address indexed newOwner, address caller)` -- emitted as `OwnershipTransferred(oldOwner, address(0), msg.sender)`
 
-- After renouncing, `transferOwnership`, `transferOwnershipToProject`, `setPermissionId`, and `renounceOwnership` all revert.
+**Edge cases**:
+- After renouncing, `transferOwnership`, `transferOwnershipToProject`, `setPermissionId`, and `renounceOwnership` all revert
 - There is no recovery mechanism. No admin backdoor. No timelock. Renouncement is permanent.
-- A second call to `renounceOwnership()` also reverts (because `_checkOwner()` fails).
-- Even ROOT holders cannot act as owner after renouncement, because `_requirePermissionFrom(address(0), 0, 0)` does not recognize ROOT as a valid bypass when the account is `address(0)`.
+- A second call to `renounceOwnership()` also reverts (because `_checkOwner()` fails)
+- Even ROOT holders cannot act as owner after renouncement. Although `_requirePermissionFrom(address(0), 0, 0)` is called with `includeRoot: true`, no operator can possess ROOT (or any permission) granted by `address(0)` -- `JBPermissions.setPermissionsFor` requires the caller to be the account or an existing ROOT operator of the account, and no one starts with permissions from `address(0)`
 
 ---
 
 ## Journey 6: Implicit Renouncement via Project NFT Burn
 
-**Actor:** None (system behavior).
-**Goal:** Understand what happens when the project NFT underlying a project-owned contract ceases to exist.
-
-### Precondition
-
-The contract is project-owned (`jbOwner.projectId != 0`). The project NFT is burned or otherwise invalidated (note: JBProjects V6 has no burn function, so this is a defensive scenario).
-
-### Steps
-
-1. **`PROJECTS.ownerOf(projectId)` starts reverting**
-
-   - The ERC-721 `ownerOf` function reverts for burned tokens
-
-2. **`owner()` catches the revert and returns `address(0)`**
-
-   - The try-catch in `owner()` returns `address(0)` when `ownerOf` reverts
+**Actor**: None (system behavior).
 
-3. **`_checkOwner()` catches the revert and resolves owner to `address(0)`**
+**Who can call**: N/A -- this is an emergent behavior, not a direct function call.
 
-   - `_requirePermissionFrom(address(0), projectId, permissionId)` is called
-   - No `msg.sender` can equal `address(0)`, so the check always fails
+**Parameters**: None.
 
-### Result
+**Precondition**: The contract is project-owned (`jbOwner.projectId != 0`). The project NFT is burned or otherwise invalidated (note: JBProjects V6 has no burn function, so this is a defensive scenario).
 
-The contract is effectively renounced without anyone calling `renounceOwnership()`. All `onlyOwner` functions permanently revert. The `jbOwner` struct still contains the old `projectId`, but it has no practical effect.
+**State changes**:
+1. `PROJECTS.ownerOf(projectId)` starts reverting (ERC-721 `ownerOf` reverts for burned tokens)
+2. `owner()` catches the revert via try-catch and returns `address(0)`
+3. `_checkOwner()` catches the revert and resolves owner to `address(0)`, causing `_requirePermissionFrom(address(0), projectId, permissionId)` to fail for any `msg.sender` -- no operator can possess permissions granted by `address(0)` (same reason as explicit renouncement in Journey 5)
 
-### What to verify
+**Events**: None (no transaction occurs on the JBOwnable contract).
 
-- There is no way to "revive" ownership after the NFT is burned. Even re-minting an NFT with the same ID (if possible) would restore ownership.
-- The `jbOwner` struct is NOT cleared in this scenario -- it still shows the old `projectId`. Only the resolved owner is `address(0)`.
-- This behavior is consistent between `owner()` and `_checkOwner()` (both use the same try-catch pattern).
+**Edge cases**:
+- There is no way to "revive" ownership after the NFT is burned. However, re-minting an NFT with the same ID (if possible) would restore ownership.
+- The `jbOwner` struct is NOT cleared -- it still shows the old `projectId`. Only the resolved owner is `address(0)`.
+- This behavior is consistent between `owner()` and `_checkOwner()` (both use the same try-catch pattern)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bananapus/ownable-v6",
-  "version": "0.0.12",
+  "version": "0.0.13",
   "license": "MIT",
   "repository": {
     "type": "git",
@@ -10,8 +10,8 @@
     "node": ">=20.0.0"
   },
   "dependencies": {
-    "@bananapus/core-v6": "^0.0.22",
-    "@bananapus/permission-ids-v6": "^0.0.10",
+    "@bananapus/core-v6": "^0.0.26",
+    "@bananapus/permission-ids-v6": "^0.0.12",
     "@openzeppelin/contracts": "^5.6.1"
   },
   "scripts": {

package/src/JBOwnable.sol

@@ -1,6 +1,6 @@
 // SPDX-License-Identifier: MIT
 // Juicebox variation on OpenZeppelin Ownable
-pragma solidity 0.8.26;
+pragma solidity ^0.8.26;
 
 import {IJBProjects} from "@bananapus/core-v6/src/interfaces/IJBProjects.sol";
 import {IJBPermissions} from "@bananapus/core-v6/src/interfaces/IJBPermissions.sol";
@@ -73,7 +73,7 @@ contract JBOwnable is JBOwnableOverrides {
         emit OwnershipTransferred({
             previousOwner: previousOwner,
             newOwner: newProjectId == 0 ? newOwner : PROJECTS.ownerOf(newProjectId),
-            caller: msg.sender
+            caller: _msgSender()
         });
     }
 }

package/src/JBOwnableOverrides.sol

@@ -1,6 +1,6 @@
 // SPDX-License-Identifier: MIT
 // Juicebox variation on OpenZeppelin Ownable
-pragma solidity 0.8.26;
+pragma solidity ^0.8.26;
 
 import {JBPermissioned} from "@bananapus/core-v6/src/abstract/JBPermissioned.sol";
 import {IJBPermissions} from "@bananapus/core-v6/src/interfaces/IJBPermissions.sol";
@@ -206,7 +206,7 @@ abstract contract JBOwnableOverrides is Context, JBPermissioned, IJBOwnable {
     /// @param permissionId The permission ID to use for `onlyOwner`.
     function _setPermissionId(uint8 permissionId) internal virtual {
         jbOwner.permissionId = permissionId;
-        emit PermissionIdChanged({newId: permissionId, caller: msg.sender});
+        emit PermissionIdChanged({newId: permissionId, caller: _msgSender()});
     }
 
     /// @notice Helper to allow for drop-in replacement of OpenZeppelin `Ownable`.

package/test/OwnableEdgeCases.t.sol

@@ -3,6 +3,7 @@ pragma solidity ^0.8.26;
 
 import {Test} from "forge-std/Test.sol";
 import {MockOwnable} from "./mocks/MockOwnable.sol";
+import {MockOwnableERC2771} from "./mocks/MockOwnableERC2771.sol";
 import {JBOwnableOverrides} from "../src/JBOwnableOverrides.sol";
 import {IJBOwnable} from "../src/interfaces/IJBOwnable.sol";
 
@@ -371,4 +372,50 @@ contract OwnableEdgeCases is Test {
         vm.prank(alice);
         ownable.protectedMethod();
     }
+
+    // =========================================================================
+    // Test 13: OwnershipTransferred event uses _msgSender() (L-27 fix)
+    // =========================================================================
+    /// @notice When a subclass overrides _msgSender() (e.g., for ERC-2771),
+    ///         the OwnershipTransferred event's caller field should reflect the
+    ///         forwarded sender, not msg.sender.
+    function test_ownershipTransferredEvent_usesOverriddenMsgSender() public {
+        address forwarder = makeAddr("forwarder");
+        MockOwnableERC2771 ownable = new MockOwnableERC2771(projects, permissions, alice, 0, forwarder);
+
+        // Expect event with caller=alice (the forwarded sender), not forwarder.
+        vm.expectEmit(true, true, false, true);
+        emit IJBOwnable.OwnershipTransferred(alice, bob, alice);
+
+        // Forwarder calls transferOwnership with alice's address appended (ERC-2771 style).
+        bytes memory callData = abi.encodeWithSelector(IJBOwnable.transferOwnership.selector, bob);
+        bytes memory forwardedCallData = abi.encodePacked(callData, alice);
+
+        vm.prank(forwarder);
+        (bool success,) = address(ownable).call(forwardedCallData);
+        assertTrue(success, "Forwarded transferOwnership should succeed");
+    }
+
+    // =========================================================================
+    // Test 14: PermissionIdChanged event uses _msgSender() (L-27 fix)
+    // =========================================================================
+    /// @notice When a subclass overrides _msgSender() (e.g., for ERC-2771),
+    ///         the PermissionIdChanged event's caller field should reflect the
+    ///         forwarded sender, not msg.sender.
+    function test_permissionIdChangedEvent_usesOverriddenMsgSender() public {
+        address forwarder = makeAddr("forwarder");
+        MockOwnableERC2771 ownable = new MockOwnableERC2771(projects, permissions, alice, 0, forwarder);
+
+        // Expect event with caller=alice (the forwarded sender), not forwarder.
+        vm.expectEmit(true, true, false, true);
+        emit IJBOwnable.PermissionIdChanged(42, alice);
+
+        // Forwarder calls setPermissionId with alice's address appended.
+        bytes memory callData = abi.encodeWithSelector(IJBOwnable.setPermissionId.selector, uint8(42));
+        bytes memory forwardedCallData = abi.encodePacked(callData, alice);
+
+        vm.prank(forwarder);
+        (bool success,) = address(ownable).call(forwardedCallData);
+        assertTrue(success, "Forwarded setPermissionId should succeed");
+    }
 }

package/test/mocks/MockOwnableERC2771.sol

@@ -0,0 +1,37 @@
+// SPDX-License-Identifier: UNLICENSED
+pragma solidity ^0.8.26;
+
+import {JBOwnable} from "../../src/JBOwnable.sol";
+import {IJBProjects} from "@bananapus/core-v6/src/interfaces/IJBProjects.sol";
+import {IJBPermissions} from "@bananapus/core-v6/src/interfaces/IJBPermissions.sol";
+
+/// @notice Mock that overrides _msgSender() to simulate ERC-2771 meta-transaction behavior.
+/// @dev When called by the trusted forwarder, the last 20 bytes of calldata are treated as the real sender.
+contract MockOwnableERC2771 is JBOwnable {
+    event ProtectedMethodCalled();
+
+    address public immutable TRUSTED_FORWARDER;
+
+    constructor(
+        IJBProjects projects,
+        IJBPermissions permissions,
+        address initialOwner,
+        uint88 initialProjectIdOwner,
+        address trustedForwarder
+    )
+        JBOwnable(permissions, projects, initialOwner, initialProjectIdOwner)
+    {
+        TRUSTED_FORWARDER = trustedForwarder;
+    }
+
+    function protectedMethod() external onlyOwner {
+        emit ProtectedMethodCalled();
+    }
+
+    function _msgSender() internal view override returns (address) {
+        if (msg.sender == TRUSTED_FORWARDER && msg.data.length >= 20) {
+            return address(bytes20(msg.data[msg.data.length - 20:]));
+        }
+        return msg.sender;
+    }
+}