npm - @bananapus/ownable-v6 - Versions diffs - 0.0.22 → 0.0.24 - Mend

@bananapus/ownable-v6 0.0.22 → 0.0.24

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (26) hide show

package/foundry.toml +1 -1
package/package.json +13 -4
package/src/JBOwnable.sol +5 -10
package/src/JBOwnableOverrides.sol +29 -23
package/src/interfaces/IJBOwnable.sol +7 -5
package/src/structs/JBOwner.sol +6 -6
package/ADMINISTRATION.md +0 -79
package/ARCHITECTURE.md +0 -92
package/AUDIT_INSTRUCTIONS.md +0 -69
package/RISKS.md +0 -51
package/SKILLS.md +0 -41
package/STYLE_GUIDE.md +0 -610
package/USER_JOURNEYS.md +0 -117
package/slither-ci.config.json +0 -10
package/test/CodexUnmintedProjectHijack.t.sol +0 -45
package/test/Ownable.t.sol +0 -383
package/test/OwnableAttacks.t.sol +0 -190
package/test/OwnableEdgeCases.t.sol +0 -437
package/test/OwnableInvariantTests.sol +0 -48
package/test/audit/PermissionDriftAfterProjectTransfer.t.sol +0 -58
package/test/audit/PermissionIdNFTTransfer.t.sol +0 -93
package/test/audit/ProjectTransferPermissionPolicy.t.sol +0 -58
package/test/handlers/OwnableHandler.sol +0 -75
package/test/regression/BurnLockProtection.t.sol +0 -112
package/test/regression/RootPermissionBypassesPermissionIdZero.t.sol +0 -87
package/test/regression/ZeroAddressValidation.t.sol +0 -67

package/USER_JOURNEYS.md DELETED Viewed

@@ -1,117 +0,0 @@
-# User Journeys
-## Repo Purpose
-This repo adapts `Ownable`-style control to Juicebox project ownership and project-scoped operator permissions. It is an ownership adapter. It does not replace the underlying ownership or permission registries in [nana-core-v6](../nana-core-v6/USER_JOURNEYS.md).
-## Primary Actors
-- protocol or product teams that want `onlyOwner` to follow a project NFT
-- operators who need owner-like access without receiving the project itself
-- auditors checking whether delegated owner semantics strand or over-grant authority
-## Key Surfaces
-- `JBOwnable`: `Ownable`-style adapter whose owner follows a Juicebox project
-- `JBOwnableOverrides`: extension that lets a project-scoped permission satisfy `onlyOwner`
-- `owner()`, `transferOwnership(...)`, `transferOwnershipToProject(...)`, `setPermissionId(...)`: core ownership-resolution and migration paths
-## Journey 1: Give A Contract To A Juicebox Project Instead Of A Wallet
-**Actor:** downstream contract author.
-**Intent:** make a contract follow Juicebox project ownership instead of a fixed EOA or multisig.
-**Preconditions**
-- the downstream contract wants `onlyOwner` ergonomics
-- a project ID and `JBProjects` dependency are already known
-**Main Flow**
-1. Inherit `JBOwnable` or `JBOwnableOverrides`.
-2. Initialize ownership with the relevant project ID and `JBProjects` reference.
-3. Let `owner()` resolve through the current project NFT holder instead of a fixed address.
-**Failure Modes**
-- the contract assumes ordinary `Ownable` transfer semantics after adopting project-based ownership
-- the wrong project ID is configured
-- reviewers ignore the adapter and audit the downstream contract as if `owner` were fixed
-**Postconditions**
-- `owner()` now resolves through the configured project NFT instead of a fixed wallet
-## Journey 2: Delegate Owner-Level Access To Operators
-**Actor:** current project owner.
-**Intent:** let an operator satisfy `onlyOwner` for one contract without transferring the project.
-**Preconditions**
-- the downstream contract uses `JBOwnableOverrides`
-- the team has chosen the permission ID that should count as delegated owner access
-**Main Flow**
-1. Choose the permission ID the downstream contract should respect.
-2. Grant that permission through `JBPermissions`.
-3. `JBOwnableOverrides` treats the operator as satisfying `onlyOwner` for that contract.
-**Failure Modes**
-- teams grant a broader permission than intended
-- downstream reviewers forget that `onlyOwner` may resolve through permissions instead of direct ownership
-- operators keep stale permissions after governance changes
-**Postconditions**
-- the chosen operator can satisfy `onlyOwner` without receiving direct ownership of the project or contract
-## Journey 3: Change The Delegated Permission ID Without Changing Ownership
-**Actor:** current effective owner.
-**Intent:** rotate delegated owner policy without changing the underlying owner.
-**Preconditions**
-- the contract already uses `JBOwnableOverrides`
-- all operators who need continued access can be regranted under the new permission ID
-**Main Flow**
-1. Update the permission ID the adapter treats as owner-equivalent with `setPermissionId(...)`.
-2. Re-grant the new permission where needed.
-3. Re-audit operator assumptions because the old permission no longer satisfies `onlyOwner`.
-**Failure Modes**
-- operator access disappears unintentionally after a permission-ID rotation
-- teams forget that old delegations stop working immediately
-**Postconditions**
-- the adapter now resolves delegated owner access through the new permission ID only
-## Journey 4: Transfer Or Burn Ownership Deliberately
-**Actor:** current effective owner.
-**Intent:** move or remove control with full awareness of the consequences.
-**Preconditions**
-- the team understands whether admin recovery should remain possible
-- downstream integrations can tolerate the new owner model
-**Main Flow**
-1. Use `transferOwnership(...)` for an address owner or `transferOwnershipToProject(...)` for a project owner.
-2. Re-establish delegated permission policy if the new owner still wants operators.
-3. Renounce only when permanent admin loss is intentional.
-**Failure Modes**
-- ownership is burned even though the downstream contract still needs administration
-- teams forget that delegated permissions reset across ownership changes
-**Postconditions**
-- control moves to the chosen address or project, or is intentionally removed
-## Trust Boundaries
-- this repo trusts `JBProjects` for project ownership and `JBPermissions` for delegated authority
-- downstream contracts still need their own audit because this adapter changes who satisfies `onlyOwner`
-## Hand-Offs
-- Use [nana-core-v6](../nana-core-v6/USER_JOURNEYS.md) for the project-NFT and permission machinery this adapter depends on.
-- Use [nana-permission-ids-v6](../nana-permission-ids-v6/USER_JOURNEYS.md) if you need the shared numeric permission vocabulary for delegated `onlyOwner` checks.

package/slither-ci.config.json DELETED Viewed

@@ -1,10 +0,0 @@
-{
-    "detectors_to_exclude": "timestamp,uninitialized-local,naming-convention,solc-version,shadowing-local",
-    "exclude_informational": true,
-    "exclude_low": false,
-    "exclude_medium": false,
-    "exclude_high": false,
-    "disable_color": false,
-    "filter_paths": "(mocks/|test/|node_modules/|lib/)",
-    "legacy_ast": false
-}

package/test/CodexUnmintedProjectHijack.t.sol DELETED Viewed

@@ -1,45 +0,0 @@
-// SPDX-License-Identifier: UNLICENSED
-pragma solidity 0.8.28;
-import {Test} from "forge-std/Test.sol";
-import {MockOwnable} from "./mocks/MockOwnable.sol";
-import {JBPermissions} from "@bananapus/core-v6/src/JBPermissions.sol";
-import {JBProjects} from "@bananapus/core-v6/src/JBProjects.sol";
-import {IJBPermissions} from "@bananapus/core-v6/src/interfaces/IJBPermissions.sol";
-import {IJBProjects} from "@bananapus/core-v6/src/interfaces/IJBProjects.sol";
-contract CodexUnmintedProjectHijackTest is Test {
-    IJBProjects internal projects;
-    IJBPermissions internal permissions;
-    address internal deployer = makeAddr("deployer");
-    address internal attacker = makeAddr("attacker");
-    address internal intendedOwner = makeAddr("intendedOwner");
-    function setUp() public {
-        permissions = new JBPermissions(address(0));
-        projects = new JBProjects(address(this), address(0), address(0));
-    }
-    function test_unmintedProjectOwnerCanBeHijackedByFirstMinter() external {
-        vm.prank(deployer);
-        MockOwnable ownable = new MockOwnable(projects, permissions, address(0), 1);
-        assertEq(ownable.owner(), address(0), "owner should be unresolved before project 1 exists");
-        vm.prank(attacker);
-        uint256 hijackedProjectId = projects.createFor(attacker);
-        assertEq(hijackedProjectId, 1, "attacker should receive the configured project ID");
-        assertEq(ownable.owner(), attacker, "first minter becomes owner of the ownable contract");
-        vm.prank(attacker);
-        ownable.protectedMethod();
-        vm.prank(intendedOwner);
-        vm.expectRevert();
-        ownable.protectedMethod();
-    }
-}

package/test/Ownable.t.sol DELETED Viewed

@@ -1,383 +0,0 @@
-// SPDX-License-Identifier: UNLICENSED
-pragma solidity 0.8.28;
-import {Test} from "forge-std/Test.sol";
-import {MockOwnable} from "./mocks/MockOwnable.sol";
-import {JBOwnableOverrides} from "../src/JBOwnableOverrides.sol";
-import {JBPermissions} from "@bananapus/core-v6/src/JBPermissions.sol";
-import {JBPermissioned} from "@bananapus/core-v6/src/abstract/JBPermissioned.sol";
-import {JBProjects} from "@bananapus/core-v6/src/JBProjects.sol";
-import {IJBPermissions} from "@bananapus/core-v6/src/interfaces/IJBPermissions.sol";
-import {JBPermissionsData} from "@bananapus/core-v6/src/structs/JBPermissionsData.sol";
-import {IJBProjects} from "@bananapus/core-v6/src/interfaces/IJBProjects.sol";
-contract OwnableTest is Test {
-    IJBProjects projects;
-    IJBPermissions permissions;
-    modifier isNotContract(address a) {
-        uint256 size;
-        assembly {
-            size := extcodesize(a)
-        }
-        vm.assume(size == 0);
-        _;
-    }
-    function setUp() public {
-        // Deploy the permissions contract.
-        permissions = new JBPermissions(address(0));
-        // Deploy the projects contract.
-        projects = new JBProjects(address(123), address(0), address(0));
-    }
-    function testDeployerDoesNotBecomeOwner(address deployer, address owner) public isNotContract(owner) {
-        // `CreateFor` won't work if the address is a contract that doesn't support `ERC721Receiver`.
-        vm.assume(owner != address(0));
-        vm.prank(deployer);
-        MockOwnable ownable = new MockOwnable(projects, permissions, owner, uint88(0));
-        assertEq(owner, ownable.owner(), "Deployer did not become the owner.");
-    }
-    function testJBOwnableFollowsTheProjectOwner(
-        address projectOwner,
-        address newProjectOwner
-    )
-        public
-        isNotContract(projectOwner)
-        isNotContract(newProjectOwner)
-    {
-        // `CreateFor` won't work if the address is a contract that doesn't support `ERC721Receiver`.
-        vm.assume(projectOwner != address(0));
-        // Can't transfer ownership to the zero address.
-        vm.assume(newProjectOwner != address(0));
-        // Create a project for the owner.
-        uint256 projectId = projects.createFor(projectOwner);
-        // Create the `Ownable` contract.
-        // forge-lint: disable-next-line(unsafe-typecast)
-        MockOwnable ownable = new MockOwnable(projects, permissions, address(0), uint88(projectId));
-        // Make sure the deployer owns it.
-        assertEq(projectOwner, ownable.owner(), "Deployer is not the owner.");
-        // Transfer the project's ownership.
-        vm.prank(projectOwner);
-        projects.transferFrom(projectOwner, newProjectOwner, projectId);
-        // Make sure the `Ownable` contract has also been transferred to the new project owner.
-        assertEq(newProjectOwner, ownable.owner(), "Ownable did not follow the Project owner.");
-    }
-    function testBasicOwnable(
-        address projectOwner,
-        address newOwnableOwner
-    )
-        public
-        isNotContract(projectOwner)
-        isNotContract(newOwnableOwner)
-    {
-        // Ownership can't be transferred to the 0 address. To transfer to the 0 address, ownership must be renounced.
-        vm.assume(newOwnableOwner != address(0));
-        // `CreateFor` won't work if the address is a contract that doesn't support `ERC721Receiver`.
-        vm.assume(projectOwner != address(0));
-        // Create a project for the owner.
-        uint256 _projectId = projects.createFor(projectOwner);
-        // Create the `Ownable` contract.
-        // forge-lint: disable-next-line(unsafe-typecast)
-        MockOwnable ownable = new MockOwnable(projects, permissions, address(0), uint88(_projectId));
-        // Make sure the project owner owns it.
-        assertEq(projectOwner, ownable.owner(), "Deployer is not the owner.");
-        // We now stop using it as a `JBOwnable` and start using it like a basic `Ownable`.
-        vm.prank(projectOwner);
-        ownable.transferOwnership(newOwnableOwner);
-        // Make sure it was transferred to the new owner.
-        assertEq(newOwnableOwner, ownable.owner());
-        // Sanity check to make sure it only the `Ownable` changed, and that the project did not.
-        assertEq(projects.ownerOf(_projectId), projectOwner);
-    }
-    function testCantTransferToProjectZero(address owner) public {
-        vm.assume(owner != address(0));
-        vm.startPrank(owner);
-        // Create the `Ownable` contract.
-        MockOwnable ownable = new MockOwnable(projects, permissions, owner, 0);
-        vm.expectRevert(abi.encodeWithSelector(JBOwnableOverrides.JBOwnableOverrides_InvalidNewOwner.selector));
-        // Transfer ownership to project ID 0 (should revert).
-        ownable.transferOwnershipToProject(0);
-        vm.stopPrank();
-    }
-    function testCantTransferToAddressZero(address owner) public {
-        vm.assume(owner != address(0));
-        vm.startPrank(owner);
-        // Create the `Ownable` contract.
-        MockOwnable ownable = new MockOwnable(projects, permissions, owner, uint88(0));
-        vm.expectRevert(abi.encodeWithSelector(JBOwnableOverrides.JBOwnableOverrides_InvalidNewOwner.selector));
-        // Transfer ownership to the 0 address (should revert).
-        ownable.transferOwnership(address(0));
-        vm.stopPrank();
-    }
-    function testOwnableFollowsProjectOwner(
-        address projectOwner,
-        address newProjectOwner
-    )
-        public
-        isNotContract(projectOwner)
-        isNotContract(newProjectOwner)
-    {
-        vm.assume(projectOwner != newProjectOwner);
-        // `CreateFor` won't work if the address is a contract that doesn't support `ERC721Receiver`.
-        vm.assume(projectOwner != address(0));
-        vm.assume(newProjectOwner != address(0));
-        // Create a project for the owner.
-        uint256 _projectId = projects.createFor(projectOwner);
-        // Create the `Ownable` contract.
-        // forge-lint: disable-next-line(unsafe-typecast)
-        MockOwnable ownable = new MockOwnable(projects, permissions, address(0), uint88(_projectId));
-        // Make sure the project owner owns it.
-        assertEq(projectOwner, ownable.owner(), "Deployer is not the owner.");
-        // Transfer the project ownership.
-        vm.prank(projectOwner);
-        projects.transferFrom(projectOwner, newProjectOwner, _projectId);
-        assertEq(projects.ownerOf(_projectId), newProjectOwner);
-        // Make sure the `Ownable` contract has also been transferred to the new project owner.
-        assertEq(newProjectOwner, ownable.owner());
-    }
-    function testOwnableOwnerCanRennounce(address deployer, address owner) public {
-        vm.assume(owner != address(0));
-        vm.assume(deployer != owner);
-        // Create the `Ownable` contract.
-        MockOwnable ownable = new MockOwnable(projects, permissions, owner, uint88(0));
-        // Transfer ownership to the project owner.
-        vm.prank(owner);
-        ownable.transferOwnership(owner);
-        assertEq(owner, ownable.owner(), "Deployer is not the owner.");
-        // Renounce the ownership.
-        vm.prank(owner);
-        ownable.renounceOwnership();
-        assertEq(address(0), ownable.owner(), "Owner was not renounced.");
-    }
-    function testJBOwnableOwnerCanRennounce(address deployer, address projectOwner) public isNotContract(projectOwner) {
-        // `CreateFor` won't work if the address is a contract that doesn't support `ERC721Receiver`.
-        vm.assume(projectOwner != address(0));
-        // Create a project for the owner.
-        uint256 _projectId = projects.createFor(projectOwner);
-        // Create the `Ownable` contract.
-        vm.prank(deployer);
-        // forge-lint: disable-next-line(unsafe-typecast)
-        MockOwnable ownable = new MockOwnable(projects, permissions, address(0), uint88(_projectId));
-        // Renounce the ownership.
-        vm.prank(projectOwner);
-        ownable.renounceOwnership();
-        assertEq(address(0), ownable.owner(), "Owner was not renounced.");
-    }
-    function testJBOwnablePermissions(
-        address projectOwner,
-        address callerAddress,
-        uint8 requiredPermissionId,
-        uint8[] memory permissionIdsToGrant
-    )
-        public
-        isNotContract(projectOwner)
-    {
-        // `CreateFor` won't work if the address is a contract that doesn't support `ERC721Receiver`.
-        vm.assume(projectOwner != address(0) && callerAddress != projectOwner);
-        requiredPermissionId = uint8(bound(uint256(requiredPermissionId), 1, 255));
-        // Truncate array instead of rejecting to avoid exceeding max_test_rejects.
-        if (permissionIdsToGrant.length > 4) {
-            assembly {
-                mstore(permissionIdsToGrant, 4)
-            }
-        }
-        // Create a project for the owner.
-        uint256 _projectId = projects.createFor(projectOwner);
-        // Create the `Ownable` contract.
-        // forge-lint: disable-next-line(unsafe-typecast)
-        MockOwnable ownable = new MockOwnable(projects, permissions, address(0), uint88(_projectId));
-        // Set the required permission.
-        vm.prank(projectOwner);
-        ownable.setPermissionId(requiredPermissionId);
-        // Attempt to call the protected method without permission.
-        vm.expectRevert(
-            abi.encodeWithSelector(
-                JBPermissioned.JBPermissioned_Unauthorized.selector,
-                projectOwner,
-                callerAddress,
-                _projectId,
-                requiredPermissionId
-            )
-        );
-        vm.prank(callerAddress);
-        ownable.protectedMethod();
-        // Give permission.
-        bool _shouldHavePermission;
-        uint8[] memory _permissionIds = new uint8[](permissionIdsToGrant.length);
-        for (uint256 i; i < permissionIdsToGrant.length; i++) {
-            permissionIdsToGrant[i] = uint8(bound(uint256(permissionIdsToGrant[i]), 1, 255));
-            // Check if the permission we need is in the permissions to grant, including if it's ROOT.
-            if (permissionIdsToGrant[i] == requiredPermissionId || permissionIdsToGrant[i] == 1) {
-                _shouldHavePermission = true;
-            }
-            _permissionIds[i] = permissionIdsToGrant[i];
-        }
-        // The owner gives permission to the caller.
-        vm.prank(projectOwner);
-        permissions.setPermissionsFor(
-            projectOwner,
-            // forge-lint: disable-next-line(unsafe-typecast)
-            JBPermissionsData({operator: callerAddress, projectId: uint56(_projectId), permissionIds: _permissionIds})
-        );
-        if (!_shouldHavePermission) {
-            vm.expectRevert(
-                abi.encodeWithSelector(
-                    JBPermissioned.JBPermissioned_Unauthorized.selector,
-                    projectOwner,
-                    callerAddress,
-                    _projectId,
-                    requiredPermissionId
-                )
-            );
-        }
-        vm.prank(callerAddress);
-        ownable.protectedMethod();
-    }
-    function testJBOwnablePermissionsRequiredModifier(
-        address projectOwner,
-        address callerAddress,
-        uint8 requiredPermissionId,
-        uint8[] memory permissionIdsToGrant
-    )
-        public
-        isNotContract(projectOwner)
-    {
-        // `CreateFor` won't work if the address is a contract that doesn't support `ERC721Receiver`.
-        vm.assume(projectOwner != address(0) && callerAddress != projectOwner);
-        requiredPermissionId = uint8(bound(uint256(requiredPermissionId), 1, 255));
-        // Truncate array instead of rejecting to avoid exceeding max_test_rejects.
-        if (permissionIdsToGrant.length > 4) {
-            assembly {
-                mstore(permissionIdsToGrant, 4)
-            }
-        }
-        // Create a project for the owner.
-        uint256 _projectId = projects.createFor(projectOwner);
-        // Create the `Ownable` contract.
-        // forge-lint: disable-next-line(unsafe-typecast)
-        MockOwnable ownable = new MockOwnable(projects, permissions, address(0), uint88(_projectId));
-        // Set the permission that is required.
-        ownable.setPermission(requiredPermissionId);
-        // Attempt to call the protected method without permission.
-        vm.expectRevert(
-            abi.encodeWithSelector(
-                JBPermissioned.JBPermissioned_Unauthorized.selector,
-                projectOwner,
-                callerAddress,
-                _projectId,
-                requiredPermissionId
-            )
-        );
-        vm.prank(callerAddress);
-        ownable.protectedMethodWithRequirePermission();
-        // Give permission.
-        bool _shouldHavePermission;
-        uint8[] memory _permissionIds = new uint8[](permissionIdsToGrant.length);
-        for (uint256 i; i < permissionIdsToGrant.length; i++) {
-            permissionIdsToGrant[i] = uint8(bound(uint256(permissionIdsToGrant[i]), 1, 255));
-            // Check if the permission we need is in the permissions to grant, including if it's ROOT.
-            if (permissionIdsToGrant[i] == requiredPermissionId || permissionIdsToGrant[i] == 1) {
-                _shouldHavePermission = true;
-            }
-            _permissionIds[i] = permissionIdsToGrant[i];
-        }
-        // The owner gives permission to the caller.
-        vm.prank(projectOwner);
-        permissions.setPermissionsFor(
-            projectOwner,
-            // forge-lint: disable-next-line(unsafe-typecast)
-            JBPermissionsData({operator: callerAddress, projectId: uint56(_projectId), permissionIds: _permissionIds})
-        );
-        if (!_shouldHavePermission) {
-            vm.expectRevert(
-                abi.encodeWithSelector(
-                    JBPermissioned.JBPermissioned_Unauthorized.selector,
-                    projectOwner,
-                    callerAddress,
-                    _projectId,
-                    requiredPermissionId
-                )
-            );
-        }
-        vm.prank(callerAddress);
-        ownable.protectedMethodWithRequirePermission();
-    }
-    function testCantConfigureOwnerAndProject(address owner, address projectOwner) public isNotContract(projectOwner) {
-        vm.assume(owner != address(0) && projectOwner != address(0));
-        // Create a project for the owner.
-        uint256 _projectId = projects.createFor(projectOwner);
-        // Should revert because we set both a owner and a projectOwner
-        vm.expectRevert(abi.encodeWithSelector(JBOwnableOverrides.JBOwnableOverrides_InvalidNewOwner.selector));
-        // Create the `Ownable` contract.
-        // forge-lint: disable-next-line(unsafe-typecast)
-        new MockOwnable(projects, permissions, address(owner), uint88(_projectId));
-    }
-    function testCantInitializeAsRenounced() public {
-        // Should revert because we set both a owner and a projectOwner
-        vm.expectRevert(abi.encodeWithSelector(JBOwnableOverrides.JBOwnableOverrides_InvalidNewOwner.selector));
-        // Create the `Ownable` contract.
-        new MockOwnable(projects, permissions, address(0), uint88(0));
-    }
-}