@bananapus/ownable-v6 0.0.17 → 0.0.19

package/README.md

@@ -1,124 +1,104 @@
 # Juicebox Ownable
 
-Ownership that follows the project, not a person. Transfer control of any contract to a Juicebox project NFT, and anyone the project owner delegates through `JBPermissions` can act as owner.
+`@bananapus/ownable-v6` is an ownership helper for contracts that should be controlled by a Juicebox project rather than a fixed wallet. It keeps the familiar `Ownable` shape while letting ownership follow a project NFT and optional delegated permissions.
 
-This is a variation on OpenZeppelin [`Ownable`](https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/access/Ownable.sol) that adds:
+Architecture: [ARCHITECTURE.md](./ARCHITECTURE.md)  
+User journeys: [USER_JOURNEYS.md](./USER_JOURNEYS.md)  
+Skills: [SKILLS.md](./SKILLS.md)  
+Risks: [RISKS.md](./RISKS.md)  
+Administration: [ADMINISTRATION.md](./ADMINISTRATION.md)  
+Audit instructions: [AUDIT_INSTRUCTIONS.md](./AUDIT_INSTRUCTIONS.md)
 
-- The ability to transfer contract ownership to a Juicebox project instead of a specific address. When owned by a project, ownership dynamically follows whoever holds that project's ERC-721 NFT -- no on-chain update needed.
-- The ability to grant other addresses `onlyOwner` access using `JBPermissions`, with a configurable `permissionId`.
-- `JBPermissioned` base class with support for OpenZeppelin `Context` (enabling optional meta-transaction support).
+## Overview
 
-All features are backwards compatible with OpenZeppelin `Ownable`. `JBOwnable` is a drop-in replacement: it provides the same `onlyOwner` modifier, `owner()` view, `transferOwnership(address)`, and `renounceOwnership()` functions.
+This package extends the standard ownership model in three useful ways:
 
-Forked from [`jbx-protocol/juice-ownable`](https://github.com/jbx-protocol/juice-ownable).
+- ownership can point to a Juicebox project ID instead of an address
+- `owner()` resolves dynamically to the current holder of that project NFT when the referenced project remains readable
+- delegated operators can satisfy `onlyOwner` through a configurable `JBPermissions` permission ID
 
-_If you have questions, take a look at the [core protocol contracts](https://github.com/Bananapus/nana-core-v6) and the [documentation](https://docs.juicebox.money/) first, or reach out on [Discord](https://discord.com/invite/ErQYmth4dS)._
+For contracts that are already conceptually "owned by the project," this avoids manual ownership transfers when the project NFT changes hands.
 
-## Repository Layout
+Use this repo when ownership should follow a Juicebox project. Do not use it if plain single-address ownership is good enough; standard `Ownable` is simpler.
 
-```
-src/
-├── JBOwnable.sol               -- Concrete implementation (inherit this)
-├── JBOwnableOverrides.sol      -- Abstract base with all ownership logic
-├── interfaces/
-│   └── IJBOwnable.sol          -- Interface for ownership queries, transfers, and events
-└── structs/
-    └── JBOwner.sol             -- Packed struct: owner (160 bits) + projectId (88 bits) + permissionId (8 bits)
+If your issue is in project ownership itself, start in `nana-core-v6` and `JBProjects`. This repo starts mattering when another contract wants its own admin surface to follow that project ownership.
 
-test/
-├── Ownable.t.sol               -- Core ownership tests
-├── OwnableAttacks.t.sol        -- Attack vector tests
-├── OwnableEdgeCases.t.sol      -- Edge case coverage
-├── OwnableInvariantTests.sol   -- Invariant/fuzz tests
-├── handlers/
-│   └── OwnableHandler.sol      -- Invariant test handler
-├── mocks/
-│   └── MockOwnable.sol         -- Mock contract for testing
-└── regression/
-    ├── BurnLockProtection.t.sol -- Regression: burned NFT lockout
-    └── ZeroAddressValidation.t.sol -- Regression: zero-address edge cases
-```
+## Key Contracts
 
-## Architecture
+| Contract | Role |
+| --- | --- |
+| `JBOwnable` | Concrete contract to inherit when you want Juicebox-aware ownership with the standard `onlyOwner` interface. |
+| `JBOwnableOverrides` | Abstract base that holds the owner-resolution and permission-checking logic. |
+| `IJBOwnable` | Interface for queries, transfers, permission ID changes, and events. |
 
-```
-JBOwnable
-  └── JBOwnableOverrides (abstract)
-        ├── Context (OpenZeppelin)
-        ├── JBPermissioned (nana-core-v6)
-        └── IJBOwnable (interface)
-```
-
-| Contract | Description |
-|----------|-------------|
-| [`JBOwnable`](src/JBOwnable.sol) | Concrete implementation. Provides the `onlyOwner` modifier and emits `OwnershipTransferred` events (resolving project NFT holders at emission time). Inherit this in your contract. |
-| [`JBOwnableOverrides`](src/JBOwnableOverrides.sol) | Abstract base containing all ownership logic: owner resolution, transfers, renunciation, permission delegation, and internal helpers. Use this directly only if you need to customize `_emitTransferEvent` (e.g., when deploying contracts before the project NFT is minted). |
+## Mental Model
 
-### Supporting Types
+This package is a thin ownership adapter:
 
-| Type | Location | Description |
-|------|----------|-------------|
-| [`JBOwner`](src/structs/JBOwner.sol) | `src/structs/` | Struct packing `address owner` (160 bits), `uint88 projectId` (88 bits), and `uint8 permissionId` (8 bits) into a single 256-bit storage slot. |
-| [`IJBOwnable`](src/interfaces/IJBOwnable.sol) | `src/interfaces/` | Interface exposing ownership queries, transfers, renunciation, permission ID management, and events. |
+1. resolve who the effective owner is
+2. optionally delegate `onlyOwner` through a permission ID
+3. preserve an `Ownable`-like interface for downstream contracts
 
-### Ownership Modes
+## Read These Files First
 
-1. **Project ownership** -- If `JBOwner.projectId` is nonzero, the current holder of that `JBProjects` ERC-721 is the owner. Ownership automatically follows the NFT: when the NFT is transferred, `owner()` immediately reflects the new holder without any additional transaction.
-2. **Address ownership** -- If `projectId` is zero, `JBOwner.owner` is the owner directly.
-3. **Delegated access** -- The owner can grant other addresses access via `JBPermissions.setPermissionsFor(...)` using the configured `permissionId`. The owner must first call `setPermissionId(uint8)` to set which permission ID represents owner-level access.
-4. **Renounced** -- After calling `renounceOwnership()`, both `owner` and `projectId` are set to zero. No one can call `onlyOwner` functions. This is irreversible.
+1. `src/JBOwnable.sol`
+2. `src/JBOwnableOverrides.sol`
+3. `src/interfaces/IJBOwnable.sol`
 
-The `permissionId` resets to 0 on every ownership transfer to prevent permission clashes for the new owner.
+## Integration Traps
 
-### Events
+- ownership may resolve to a project NFT holder rather than a fixed address, so caching `owner()` off-chain can become stale
+- `owner()` can resolve to `address(0)` if the referenced project NFT is burned, invalid, or otherwise unreadable, which effectively renounces the contract
+- delegated operator access depends on a chosen permission ID, not on a generic admin role
+- ownership transfer and permission-ID updates are part of the security model, not just convenience helpers
 
-| Event | Emitted By |
-|-------|-----------|
-| `OwnershipTransferred(address indexed previousOwner, address indexed newOwner, address caller)` | `_emitTransferEvent` (called on every ownership change) |
-| `PermissionIdChanged(uint8 newId, address caller)` | `_setPermissionId` |
+## Where State Lives
 
-### Errors
+- effective ownership configuration lives in `JBOwnableOverrides`
+- downstream contract state still lives in the inheriting contract, not in this package
+- project ownership truth lives in `nana-core-v6` when the owner target is a Juicebox project
 
-| Error | Thrown When |
-|-------|-----------|
-| `JBOwnableOverrides_InvalidNewOwner()` | Constructor receives both zero owner and zero projectId; `transferOwnership` receives zero address; `transferOwnershipToProject` receives zero or overflow projectId; `_transferOwnership` receives both non-zero owner and non-zero projectId. |
-| `JBOwnableOverrides_ProjectDoesNotExist()` | `transferOwnershipToProject` receives a projectId greater than `PROJECTS.count()`. |
-| `JBOwnableOverrides_ZeroAddressProjectsWithProjectOwner()` | Constructor receives a non-zero `initialProjectIdOwner` with `projects` set to `address(0)`. |
+## High-Signal Tests
 
-## How Ownership Resolution Works
+1. `test/Ownable.t.sol`
+2. `test/OwnableAttacks.t.sol`
+3. `test/CodexUnmintedProjectHijack.t.sol`
+4. `test/regression/BurnLockProtection.t.sol`
 
-When `_checkOwner()` is called (by the `onlyOwner` modifier), it:
+## Install
 
-1. Reads the `JBOwner` struct from storage.
-2. Resolves the owner address: if `projectId != 0`, calls `PROJECTS.ownerOf(projectId)` via try-catch (returns `address(0)` if the call reverts, e.g., burned NFT); otherwise uses the stored `owner` address.
-3. Calls `_requirePermissionFrom(account, projectId, permissionId)` from `JBPermissioned`, which passes if the caller is:
-   - The resolved owner address, OR
-   - An address granted the configured `permissionId` on the relevant project via `JBPermissions`, OR
-   - An address granted the ROOT permission (permission ID 1) on the relevant project via `JBPermissions`.
+```bash
+npm install @bananapus/ownable-v6
+```
 
-## How Delegated Access Works
+## Development
 
-1. The owner calls `setPermissionId(uint8)` on the `JBOwnable` contract to configure which permission ID represents owner-level access.
-2. The owner calls `JBPermissions.setPermissionsFor(...)` to grant that permission ID to specific addresses on the relevant project.
-3. Those addresses can now call `onlyOwner` functions.
-4. If the project NFT is transferred to a new holder, delegated permissions granted by the previous holder stop working -- the new holder must re-grant permissions.
+```bash
+npm install
+forge build
+forge test
+```
 
-## Risks
+## Repository Layout
 
-- **Burned project NFT permanently locks the contract.** If ownership is tied to a project and the project NFT is burned, `owner()` returns `address(0)` (the `ownerOf` call reverts and the try-catch falls through). No one can call `onlyOwner` functions, and there is no recovery path -- this is effectively permanent renunciation. JBProjects V6 does not expose a public burn function, but a project NFT could still be burned via a custom token wrapper or a future upgrade.
-- **Silent loss of delegated access on ownership transfer.** The `permissionId` resets to 0 on every ownership transfer (both `transferOwnership` and `transferOwnershipToProject`). Any operators previously granted the old `permissionId` via `JBPermissions` lose their `onlyOwner` access without notification. The new owner must call `setPermissionId` and re-grant permissions to restore delegated access. Off-chain monitoring of the `PermissionIdChanged` event is recommended.
-- **Permission ID collisions with other JBPermissions grants.** The `permissionId` set on a `JBOwnable` contract is checked via the same `JBPermissions` registry used by the rest of the protocol. If the chosen `permissionId` overlaps with an ID already granted to operators for other purposes (e.g., a terminal permission or a hook permission), those operators will also pass the `onlyOwner` check -- gaining unintended owner-level access to the `JBOwnable` contract. Choose a `permissionId` that is not used by any other permission in the project's permission set.
+```text
+src/
+  JBOwnable.sol
+  JBOwnableOverrides.sol
+  interfaces/
+  structs/
+test/
+  core, attack, invariant, mock, and regression coverage
+```
 
-## Install
+## Risks And Notes
 
-```bash
-npm install
-```
+- if ownership is tied to a project NFT and that NFT becomes unreachable, the contract is effectively locked
+- delegated access depends on a chosen permission ID, so collisions with other permission schemes are an operational risk
+- permission IDs reset on ownership transfer, which is safer by default but easy to miss if an integration expects long-lived operator access
+- transferring ownership to a project validates that the project exists, but later project-NFT invalidation can still collapse effective ownership to `address(0)`
 
-## Develop
+## For AI Agents
 
-| Command | Description |
-|---------|-------------|
-| `forge build` | Compile contracts |
-| `forge test` | Run tests |
-| `forge coverage --match-path "./src/*.sol" --report lcov --report summary` | Generate coverage report |
+- Do not collapse project-based ownership into ordinary wallet-based ownership in your summary.
+- Read the attack and regression tests before making claims about burn-lock or unminted-project edge cases.

package/RISKS.md

@@ -1,27 +1,51 @@
-# RISKS.md -- nana-ownable-v6
+# Juicebox Ownable Risk Register
+
+This file covers the ownership-model risks in `JBOwnable`: dynamic ownership through project NFTs, delegated owner authority, and mismatches with standard `Ownable` expectations.
+
+## How To Use This File
+
+- Read `Priority risks` first. Most failures here come from authority-model mistakes, not arithmetic bugs.
+- Use the later sections to understand what changes when ownership follows a project instead of a fixed address.
+- Treat `Invariants to verify` as the minimum proof that owner resolution stays coherent.
+
+## Priority Risks
+
+| Priority | Risk | Why it matters | Primary controls |
+|----------|------|----------------|------------------|
+| P1 | Misunderstanding dynamic owner resolution | Ownership can move when the project NFT moves or when permissions change, which breaks static `Ownable` assumptions. | Clear docs, careful integration review, and explicit tests around transfer paths. |
+| P1 | Over-broad delegated owner permissions | `JBPermissions` can broaden who effectively acts as owner. Bad configuration expands blast radius quickly. | Permission hygiene and explicit review of delegated grants. |
+| P2 | Tooling assumptions about standard `Ownable` | Some tooling assumes `owner()` maps to one address with no external permission system behind it. | Integration testing and clear documentation of the semantic differences. |
 
 ## 1. Trust Assumptions
 
-- **JBPermissions.** Permission checks delegate to JBPermissions contract. A bug in JBPermissions affects all JBOwnable contracts.
-- **JBProjects ERC-721.** When owned by a project, ownership follows the ERC-721 token. Whoever holds the project NFT has owner access.
-- **Permission Delegation.** Anyone granted the configured `permissionId` via JBPermissions gets owner-equivalent access for the scoped function.
+- **`JBPermissions` works correctly.** A bug there affects every `JBOwnable` contract that relies on delegated owner access.
+- **`JBProjects` ownership is the source of truth.** When a contract is project-owned, whoever holds the project NFT has owner access.
+- **Delegated permission means owner-equivalent access.** Anyone granted the configured `permissionId` through `JBPermissions` can satisfy owner checks for the scoped contract.
+- **Deployment inputs are intentional.** If `initialProjectIdOwner != 0`, deployers must understand whether that project already exists.
 
 ## 2. Known Risks
 
-- **Project NFT transfer = ownership transfer.** If ownership is tied to a project ID, anyone who acquires the project NFT (via transfer, marketplace purchase, or social engineering) gains full owner access to all contracts using that JBOwnable instance. Project NFT holders must treat the NFT as a high-value key.
-- **Dual ownership ambiguity.** Setting both `newOwner` and `projectId` to non-zero reverts, but the two-mode design could confuse integrators about which mode is active. `jbOwner()` exposes both fields for inspection.
-- **`renounceOwnership` permanently disables all owner-gated functions.** Defined directly in `JBOwnableOverrides` (not inherited from OpenZeppelin's `Ownable` -- the contract does not inherit from `Ownable`). Once called, `owner()` returns `address(0)` and all `onlyOwner` / `_checkOwner()` calls revert permanently. There is no recovery mechanism. This applies whether ownership is direct (address) or project-based (project NFT holder).
+- **Project NFT transfer changes contract ownership.** Anyone who acquires the project NFT gains owner access to contracts using that project-owned mode.
+- **Two ownership modes can confuse integrations.** Setting both `newOwner` and `projectId` is disallowed, but integrators still need to check which mode is active.
+- **`renounceOwnership` is final.** Once called, `owner()` resolves to `address(0)` and owner-gated functions stop working permanently unless a downstream contract adds its own recovery path.
+- **Constructor pre-binding can intentionally lock the contract.** If a deployer points ownership at a future project ID, `owner()` resolves to `address(0)` until that project exists.
+- **`PROJECTS == address(0)` breaks project-owned mode.** The constructor defends against this, but wrappers should still treat it as a high-signal deployment surface.
+- **Unminted project ID ownership.** Contracts using `JBOwnableOverrides` can be configured with an `initialProjectIdOwner` that references a project ID not yet minted. The first account to mint that sequential project ID will become the effective owner of the contract. Deployers must ensure the referenced project ID is already minted, or deploy the ownable contract and the project in the same transaction to prevent front-running.
 
 ## 3. Accepted Behaviors
 
-- **Permission ID reset on transfer.** `permissionId` resets to 0 on ownership transfer, which temporarily locks out delegated operators. This is intentional -- it prevents permission clashes for new owners.
-- **Burned/invalid project NFT.** If the project NFT were burned or `ownerOf` reverted, the contract would be effectively renounced (owner resolves to `address(0)`). Defensive try-catch in `owner()` and `_checkOwner()` handles this gracefully. JBProjects V6 has no burn function, so this scenario cannot occur in practice.
-- **`transferOwnershipToProject` rejects non-existent projects.** The function checks `projectId > PROJECTS.count()` and reverts, preventing transfers to non-existent projects.
-
-## 4. Invariants to Verify
-
-- Ownership is always exactly one of: direct address OR project NFT holder (never both, never neither unless renounced).
-- `_checkOwner()` reverts for all callers when the owner resolves to `address(0)`.
-- `permissionId` is correctly reset to 0 on every ownership transfer.
-- After `renounceOwnership()`, `jbOwner()` returns `(address(0), 0, 0)` and no address can pass `_checkOwner()`.
-- `transferOwnershipToProject(projectId)` reverts for all `projectId > PROJECTS.count()` at call time.
+- **Permission ID resets on transfer.** `permissionId` resets to `0` on ownership transfer so old delegated operators do not automatically retain power.
+- **`permissionId = 0` means direct-owner-only mode.** This is a valid configuration, not an error state.
+- **Invalid project ownership resolves fail-closed.** If `ownerOf` cannot resolve, the contract is effectively renounced until ownership becomes readable again.
+- **`transferOwnershipToProject` rejects non-existent projects.** The function checks existence at transfer time.
+- **Constructor pre-binding to a future project ID is supported.** This is useful in controlled deployment flows, but dangerous if the deployer does not control mint sequencing.
+- **Transfer events can temporarily show `address(0)`.** When ownership points to an unminted future project, the transfer event shows `address(0)` until ownership can resolve dynamically.
+
+## 4. Invariants To Verify
+
+- ownership is always exactly one of: direct address or project NFT holder
+- `_checkOwner()` reverts for all callers when the owner resolves to `address(0)`
+- `permissionId` resets to `0` on every ownership transfer
+- after `renounceOwnership()`, `jbOwner()` returns `(address(0), 0, 0)` and no address can pass `_checkOwner()`
+- `transferOwnershipToProject(projectId)` reverts for all `projectId > PROJECTS.count()` at call time
+- `initialProjectIdOwner != 0` with `PROJECTS == address(0)` always reverts during construction

package/SKILLS.md

@@ -1,185 +1,41 @@
 # Juicebox Ownable
 
-## Purpose
-
-Drop-in Juicebox-aware replacement for OpenZeppelin `Ownable`. A contract inheriting `JBOwnable` can be owned by a Juicebox project (via its ERC-721 NFT) or a plain address, with delegated access through `JBPermissions`. When owned by a project, ownership dynamically follows the NFT holder -- no on-chain update is needed when the NFT changes hands.
-
-## Contracts
-
-| Contract | Role |
-|----------|------|
-| `JBOwnable` | Concrete implementation. Provides the `onlyOwner` modifier and `_emitTransferEvent` (resolves project NFT holder at emission time). Inherit this in your contract. |
-| `JBOwnableOverrides` | Abstract base with all ownership state and logic: owner resolution, transfers, renunciation, permission delegation, and internal helpers. Only inherit this directly if you need to customize `_emitTransferEvent`. |
-
-## Inheritance Chain
-
-```
-JBOwnable
-  └── JBOwnableOverrides (abstract)
-        ├── Context (@openzeppelin/contracts)
-        ├── JBPermissioned (@bananapus/core-v6)
-        └── IJBOwnable (interface)
-```
-
-## Deployed Addresses
-
-Library contract -- deployed as part of inheriting contracts (e.g., `JB721TiersHook`, `JBBuybackHook`). No standalone deployment.
-
-## Key Functions
-
-### Public / External
-
-| Function | Contract | What it does |
-|----------|----------|--------------|
-| `owner()` | `JBOwnableOverrides` | Returns the current owner address. If `projectId != 0`, calls `PROJECTS.ownerOf(projectId)` via try-catch -- returns the project NFT holder on success, or `address(0)` if the call reverts (e.g., burned NFT). Otherwise returns `jbOwner.owner`. |
-| `transferOwnership(address newOwner)` | `JBOwnableOverrides` | Transfers ownership to a new address. Reverts if `newOwner` is `address(0)`. Resets `permissionId` to 0. |
-| `transferOwnershipToProject(uint256 projectId)` | `JBOwnableOverrides` | Transfers ownership to a Juicebox project. The NFT holder becomes the owner. Validates: `projectId != 0`, fits in `uint88`, and `projectId <= PROJECTS.count()`. Resets `permissionId` to 0. |
-| `renounceOwnership()` | `JBOwnableOverrides` | Permanently gives up ownership. Sets both `owner` and `projectId` to zero. Irreversible -- no one can call `onlyOwner` functions afterward. |
-| `setPermissionId(uint8 permissionId)` | `JBOwnableOverrides` | Sets which `JBPermissions` permission ID grants delegated owner access. Only callable by the current owner. |
-
-### Internal
-
-| Function | Contract | What it does |
-|----------|----------|--------------|
-| `_checkOwner()` | `JBOwnableOverrides` | Resolves the owner, then calls `_requirePermissionFrom(account, projectId, permissionId)`. Used by the `onlyOwner` modifier. |
-| `_transferOwnership(address newOwner, uint88 projectId)` | `JBOwnableOverrides` | Core transfer logic. Reverts if both `newOwner` and `projectId` are non-zero. Updates `jbOwner` struct and resets `permissionId` to 0. Calls `_emitTransferEvent`. No access restriction. |
-| `_transferOwnership(address newOwner)` | `JBOwnableOverrides` | Convenience overload that calls `_transferOwnership(newOwner, 0)`. Exists for drop-in compatibility with OpenZeppelin `Ownable`. |
-| `_setPermissionId(uint8 permissionId)` | `JBOwnableOverrides` | Sets `jbOwner.permissionId` and emits `PermissionIdChanged`. No access restriction -- meant for internal use. |
-| `_emitTransferEvent(address previousOwner, address newOwner, uint88 newProjectId)` | `JBOwnable` (overrides abstract in `JBOwnableOverrides`) | Emits `OwnershipTransferred`. Resolves `newProjectId` to the current NFT holder via `PROJECTS.ownerOf()`. Override this in `JBOwnableOverrides` subclasses if you need custom transfer event behavior (e.g., deploying before a project NFT is minted). |
-
-## Immutable State
-
-| Variable | Type | Description |
-|----------|------|-------------|
-| `PROJECTS` | `IJBProjects` | The `JBProjects` ERC-721 contract used to resolve project ownership. |
-| `PERMISSIONS` | `IJBPermissions` | Inherited from `JBPermissioned`. The `JBPermissions` contract used for delegated access checks. |
-
-## Key Types
+## Use This File For
 
-| Type | Fields | Storage |
-|------|--------|---------|
-| `JBOwner` | `address owner` (160 bits), `uint88 projectId` (88 bits), `uint8 permissionId` (8 bits) | Single 256-bit slot. `owner` and `projectId` are mutually exclusive (both non-zero is invalid). |
+- Use this file when the task involves project-based ownership, delegated `onlyOwner` permissions, or how ownership should follow a Juicebox project NFT instead of a fixed wallet.
+- Start here, then decide whether the question is about owner resolution, permission delegation, or ownership transfer semantics. Those surfaces are intentionally compact but security-sensitive.
 
-## Events
+## Read This Next
 
-| Event | Fields | When |
-|-------|--------|------|
-| `OwnershipTransferred` | `address indexed previousOwner`, `address indexed newOwner`, `address caller` | Every ownership change (transfer, project transfer, renounce). |
-| `PermissionIdChanged` | `uint8 newId`, `address caller` | When `setPermissionId` or `_setPermissionId` is called. |
+| If you need... | Open this next |
+|---|---|
+| Repo overview and ownership model | [`README.md`](./README.md), [`ARCHITECTURE.md`](./ARCHITECTURE.md) |
+| Concrete contract | [`src/JBOwnable.sol`](./src/JBOwnable.sol) |
+| Resolution and permission logic | [`src/JBOwnableOverrides.sol`](./src/JBOwnableOverrides.sol), [`src/interfaces/`](./src/interfaces/), [`src/structs/`](./src/structs/) |
+| Runtime and migration assumptions | [`references/runtime.md`](./references/runtime.md), [`references/operations.md`](./references/operations.md) |
+| Edge, attack, and invariant coverage | [`test/Ownable.t.sol`](./test/Ownable.t.sol), [`test/OwnableEdgeCases.t.sol`](./test/OwnableEdgeCases.t.sol), [`test/OwnableAttacks.t.sol`](./test/OwnableAttacks.t.sol), [`test/OwnableInvariantTests.sol`](./test/OwnableInvariantTests.sol), [`test/CodexUnmintedProjectHijack.t.sol`](./test/CodexUnmintedProjectHijack.t.sol) |
 
-## Errors
+## Repo Map
 
-| Error | When |
-|-------|------|
-| `JBOwnableOverrides_InvalidNewOwner()` | Constructor gets both zero owner and zero projectId. `transferOwnership(address(0))`. `transferOwnershipToProject(0)` or `transferOwnershipToProject(id > type(uint88).max)`. `_transferOwnership` called with both non-zero owner and non-zero projectId. |
-| `JBOwnableOverrides_ProjectDoesNotExist()` | `transferOwnershipToProject(id)` where `id > PROJECTS.count()`. |
-| `JBOwnableOverrides_ZeroAddressProjectsWithProjectOwner()` | Constructor receives a non-zero `initialProjectIdOwner` with `projects` set to `address(0)`. |
+| Area | Where to look |
+|---|---|
+| Main contracts | [`src/`](./src/) |
+| Types | [`src/interfaces/`](./src/interfaces/), [`src/structs/`](./src/structs/) |
+| Tests | [`test/`](./test/) |
 
-## IJBOwnable Interface
-
-Defined in `src/interfaces/IJBOwnable.sol`. Pragma `^0.8.0`.
-
-| Method | Signature | Returns |
-|--------|-----------|---------|
-| `PROJECTS()` | `function PROJECTS() external view` | `IJBProjects` |
-| `jbOwner()` | `function jbOwner() external view` | `(address owner, uint88 projectId, uint8 permissionId)` |
-| `owner()` | `function owner() external view` | `address` |
-| `renounceOwnership()` | `function renounceOwnership() external` | -- |
-| `setPermissionId(uint8)` | `function setPermissionId(uint8 permissionId) external` | -- |
-| `transferOwnership(address)` | `function transferOwnership(address newOwner) external` | -- |
-| `transferOwnershipToProject(uint256)` | `function transferOwnershipToProject(uint256 projectId) external` | -- |
-
-Events: `OwnershipTransferred(address indexed previousOwner, address indexed newOwner, address caller)`, `PermissionIdChanged(uint8 newId, address caller)`.
-
-## Integration Points
-
-| Dependency | Import | Used For |
-|------------|--------|----------|
-| `nana-core-v6` | `IJBPermissions`, `JBPermissioned` | Permission checks for delegated access via `_requirePermissionFrom` |
-| `nana-core-v6` | `IJBProjects` | Resolving project NFT holder as owner via `PROJECTS.ownerOf(projectId)` |
-| `@openzeppelin/contracts` | `Context` | `_msgSender()` support for meta-transaction compatibility |
-
-## Gotchas
-
-- **Mutually exclusive ownership modes.** You cannot set both `owner` and `projectId` to non-zero values. The constructor, `transferOwnership`, and `transferOwnershipToProject` all enforce this. `_transferOwnership` reverts with `JBOwnableOverrides_InvalidNewOwner` if both are non-zero.
-- **Constructor rejects zero-zero initialization.** If both `initialOwner` and `initialProjectIdOwner` are zero, the constructor reverts. To create an unowned contract, set an initial owner and call `renounceOwnership()` in the constructor body.
-- **`permissionId` resets to 0 on every ownership transfer.** This is intentional -- it prevents stale permission delegation from carrying over to new owners. The new owner must explicitly call `setPermissionId()` to re-enable delegated access.
-- **Delegated permissions are scoped to the granting address.** When a project NFT is transferred, delegates authorized by the old holder lose access immediately. The new holder must re-grant permissions via `JBPermissions.setPermissionsFor(...)`.
-- **ROOT permission (ID 1) always grants access.** `_checkOwner()` delegates to `_requirePermissionFrom` from `JBPermissioned`, which recognizes the ROOT permission (ID 1) as granting access regardless of the configured `permissionId`.
-- **`renounceOwnership()` is irreversible.** After renouncing, `owner()` returns `address(0)`, and all `onlyOwner` functions permanently revert. There is no recovery mechanism.
-- **`projectId` is `uint88`.** Project IDs above `type(uint88).max` (309,485,009,821,345,068,724,781,055) are rejected by `transferOwnershipToProject`. This constraint enables the `JBOwner` struct to fit in a single storage slot.
-- **`transferOwnershipToProject` checks existence.** It compares the project ID against `PROJECTS.count()` and reverts with `JBOwnableOverrides_ProjectDoesNotExist` if the project does not exist, preventing permanent loss of contract control.
-- **`owner()` makes an external call in project mode.** When `projectId != 0`, `owner()` calls `PROJECTS.ownerOf(projectId)`, which is an external call. This is relevant for gas-sensitive contexts. If the call reverts (e.g., the project NFT was burned), `owner()` returns `address(0)` and the contract degrades to a renounced state.
-- **Constructor rejects zero-address PROJECTS with project ownership.** Deploying with `projects = address(0)` and a non-zero `initialProjectIdOwner` reverts with `JBOwnableOverrides_ZeroAddressProjectsWithProjectOwner`, preventing permanently broken ownership resolution.
-- **No ERC2771 support.** Despite inheriting `Context`, `JBOwnable` uses plain `Context._msgSender()` (which returns `msg.sender`), not `ERC2771Context`. A trusted forwarder appending a sender address to calldata has no effect on ownership checks. If you need meta-tx support, override `_msgSender()` and `_msgData()` with `ERC2771Context` in your inheriting contract.
-
-## Example: Inherit JBOwnable
-
-```solidity
-import {JBOwnable} from "@bananapus/ownable-v6/src/JBOwnable.sol";
-import {IJBPermissions} from "@bananapus/core-v6/src/interfaces/IJBPermissions.sol";
-import {IJBProjects} from "@bananapus/core-v6/src/interfaces/IJBProjects.sol";
-
-contract MyHook is JBOwnable {
-    constructor(
-        IJBPermissions permissions,
-        IJBProjects projects,
-        uint88 projectId
-    ) JBOwnable(permissions, projects, address(0), projectId) {}
-
-    function restrictedAction() external onlyOwner {
-        // Only the project NFT holder (or delegated addresses) can call this.
-    }
-}
-```
-
-## Example: Address-Owned Contract
-
-```solidity
-contract MyContract is JBOwnable {
-    constructor(
-        IJBPermissions permissions,
-        IJBProjects projects,
-        address initialOwner
-    ) JBOwnable(permissions, projects, initialOwner, 0) {}
-
-    function adminFunction() external onlyOwner {
-        // Only initialOwner (or delegated addresses) can call this.
-    }
-}
-```
-
-## Example: Override _emitTransferEvent
+## Purpose
 
-If you need to deploy a `JBOwnableOverrides`-based contract before the project NFT exists (e.g., the contract is deployed as part of the project creation flow), override `_emitTransferEvent` to handle the case where the project ID is not yet minted:
+Ownership adapter for contracts that should follow Juicebox project ownership instead of a fixed address, with optional delegated permission IDs layered on top of the familiar `Ownable` pattern.
 
-```solidity
-import {JBOwnableOverrides} from "@bananapus/ownable-v6/src/JBOwnableOverrides.sol";
+## Reference Files
 
-contract MyPreDeployContract is JBOwnableOverrides {
-    modifier onlyOwner() {
-        _checkOwner();
-        _;
-    }
+- Open [`references/runtime.md`](./references/runtime.md) when you need owner resolution, transfer semantics, or delegated access behavior.
+- Open [`references/operations.md`](./references/operations.md) when you need migration pitfalls, test breadcrumbs, or the common stale assumptions around permission resets.
 
-    constructor(
-        IJBPermissions permissions,
-        IJBProjects projects,
-        address initialOwner,
-        uint88 initialProjectIdOwner
-    ) JBOwnableOverrides(permissions, projects, initialOwner, initialProjectIdOwner) {}
+## Working Rules
 
-    function _emitTransferEvent(
-        address previousOwner,
-        address newOwner,
-        uint88 newProjectId
-    ) internal override {
-        // Custom logic -- e.g., skip ownerOf() if the project NFT is not yet minted.
-        emit OwnershipTransferred({
-            previousOwner: previousOwner,
-            newOwner: newProjectId == 0 ? newOwner : address(0), // Resolve later.
-            caller: msg.sender
-        });
-    }
-}
-```
+- Start in [`src/JBOwnableOverrides.sol`](./src/JBOwnableOverrides.sol) when the question is about who the effective owner is or why `onlyOwner` passed or failed.
+- Treat ownership transfer and delegated permission resets as security-sensitive.
+- Project-based ownership can intentionally become unusable if it points at an unminted or invalid project. Treat that as a deployment invariant, not a runtime surprise.
+- Unminted or unexpectedly transferred project NFTs can change the effective owner surface. Check the project lifecycle, not just this adapter.
+- When a bug looks like project ownership itself, confirm whether the real source is upstream in `nana-core-v6` rather than this adapter layer.