@bananapus/ownable-v6 0.0.32 → 0.0.34

package/README.md

@@ -1,13 +1,18 @@
 # Juicebox Ownable
 
-`@bananapus/ownable-v6` is an ownership helper for contracts that should be controlled by a Juicebox project instead of a fixed wallet. It keeps the familiar `Ownable` shape while letting ownership follow a project NFT and optional delegated permissions.
+`@bananapus/ownable-v6` is an ownership helper for contracts that should be controlled by a Juicebox project instead of a fixed wallet. It keeps the familiar `Ownable` shape while letting ownership follow a project NFT and optional project-scoped delegated permissions.
 
-Architecture: [ARCHITECTURE.md](./ARCHITECTURE.md)  
-User journeys: [USER_JOURNEYS.md](./USER_JOURNEYS.md)  
-Skills: [SKILLS.md](./SKILLS.md)  
-Risks: [RISKS.md](./RISKS.md)  
-Administration: [ADMINISTRATION.md](./ADMINISTRATION.md)  
-Audit instructions: [AUDIT_INSTRUCTIONS.md](./AUDIT_INSTRUCTIONS.md)
+## Documentation
+
+- [ARCHITECTURE.md](./ARCHITECTURE.md) — system architecture and component interactions
+- [INVARIANTS.md](./INVARIANTS.md) — guarantees enforced by the contracts
+- [USER_JOURNEYS.md](./USER_JOURNEYS.md) — typical flows for each actor
+- [RISKS.md](./RISKS.md) — known risks and operational caveats
+- [ADMINISTRATION.md](./ADMINISTRATION.md) — administrative powers and lifecycle
+- [SKILLS.md](./SKILLS.md) — reusable patterns and gotchas for builders
+- [STYLE_GUIDE.md](./STYLE_GUIDE.md) — code style conventions
+- [AUDIT_INSTRUCTIONS.md](./AUDIT_INSTRUCTIONS.md) — guidance for auditors
+- [CHANGELOG.md](./CHANGELOG.md) — release notes
 
 ## Overview
 
@@ -15,7 +20,8 @@ This package extends the standard ownership model in three ways:
 
 - ownership can point to a Juicebox project ID instead of an address
 - `owner()` can resolve dynamically to the current holder of that project NFT
-- delegated operators can satisfy `onlyOwner` through a configured `JBPermissions` permission ID
+- project-owned contracts can let delegated operators satisfy `onlyOwner` through a configured `JBPermissions` permission ID
+- address-owned contracts are direct-owner-only
 
 For contracts that are already meant to be owned by a project, this avoids manual ownership transfers when the project NFT changes hands.
 
@@ -36,7 +42,7 @@ If the issue is in project ownership itself, start in `nana-core-v6` and `JBProj
 This package is a small ownership adapter:
 
 1. resolve who the effective owner is
-2. optionally allow a delegated permission to satisfy `onlyOwner`
+2. optionally allow a delegated permission to satisfy `onlyOwner` when the contract is project-owned
 3. preserve an `Ownable`-like interface for downstream contracts
 
 ## Read These Files First
@@ -49,7 +55,7 @@ This package is a small ownership adapter:
 
 - ownership may resolve to a project NFT holder instead of a fixed address, so caching `owner()` off-chain can go stale
 - `owner()` can resolve to `address(0)` if the referenced project NFT is invalid or unreadable, which effectively renounces the contract
-- delegated operator access depends on a chosen permission ID, not on a generic admin role
+- delegated operator access only applies in project-owned mode and depends on a chosen permission ID, not on a generic admin role
 - explicit ownership transfers reset the permission ID, but project NFT transfers do not mutate stored owner data
 - a project NFT round trip back to the owner who last set `permissionId` can reactivate that owner's still-granted delegates
 - ownership transfer and permission-ID updates are part of the security model, not just convenience helpers
@@ -67,7 +73,8 @@ This package is a small ownership adapter:
 3. `test/RegressionUnmintedProjectHijack.t.sol`
 4. `test/regression/BurnLockProtection.t.sol`
 5. `test/regression/PermissionIdNFTTransfer.t.sol`
-6. `test/audit/CodexNemesisPermissionReactivation.t.sol`
+6. `test/regression/StaleDelegateReactivationOnProjectReturn.t.sol`
+7. `test/regression/AddressOwnerPermissionPolicy.t.sol`
 
 ## Install
 
@@ -98,7 +105,8 @@ test/
 ## Risks And Notes
 
 - if ownership is tied to a project NFT and that NFT becomes unreachable, the contract is effectively locked
-- delegated access depends on a chosen permission ID, so bad permission selection is an operational risk
+- project-owned delegated access depends on a chosen permission ID, so bad permission selection is an operational risk
+- address-owned contracts cannot enable delegated owner access
 - permission IDs reset on explicit ownership transfers; project NFT transfers leave the ID stored but stale unless the
   resolved owner still matches the owner who set it
 - transferring ownership to a project validates that the project exists at transfer time, but later project invalidation can still collapse effective ownership to `address(0)`

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bananapus/ownable-v6",
-  "version": "0.0.32",
+  "version": "0.0.34",
   "license": "MIT",
   "repository": {
     "type": "git",

package/src/JBOwnableOverrides.sol

@@ -12,7 +12,8 @@ import {JBOwner} from "./structs/JBOwner.sol";
 
 /// @notice Abstract base implementing Juicebox-aware ownership resolution, transfer, and permission delegation.
 /// Ownership is either address-based (a fixed EOA/contract) or project-based (whoever holds the project's ERC-721
-/// NFT). The owner can delegate access to other addresses by configuring a `permissionId` in `JBPermissions`.
+/// NFT). A project-based owner can delegate access by configuring a `permissionId` in `JBPermissions`; address-based
+/// ownership is direct-owner-only.
 /// @dev Project NFT transfers do not update stored owner data. A nonzero `permissionId` is only effective while the
 /// resolved owner still equals `_permissionOwner`, the owner who last set that ID. If the NFT leaves and later returns
 /// to that owner, their still-granted delegate permissions become effective again.
@@ -21,6 +22,11 @@ abstract contract JBOwnableOverrides is Context, JBPermissioned, IJBOwnable {
     // --------------------------- custom errors ------------------------- //
     //*********************************************************************//
 
+    /// @notice Thrown when address-based ownership tries to enable `JBPermissions` delegation.
+    /// @param owner The address-based owner.
+    /// @param permissionId The nonzero permission ID being set.
+    error JBOwnableOverrides_AddressOwnerCannotSetPermissionId(address owner, uint8 permissionId);
+
     /// @notice Thrown when an ownership transfer or constructor input does not identify exactly one valid owner.
     /// @param newOwner The address owner being set.
     /// @param projectId The project owner ID being set.
@@ -61,7 +67,9 @@ abstract contract JBOwnableOverrides is Context, JBPermissioned, IJBOwnable {
     /// the zero address as the `initialOwner`.
     /// To restrict access to a specific address, pass that address as the `initialOwner` and `0` as the
     /// `initialProjectIdOwner`.
-    /// @dev The owner can give owner access to other addresses through the `permissions` contract.
+    /// @dev Project-based owners can give owner access to other addresses through the `permissions` contract.
+    /// Address-based owners cannot enable delegated owner access because `JBPermissions` project ID `0` is the
+    /// wildcard project namespace.
     /// @dev If `initialProjectIdOwner` references an unminted project, `owner()` resolves to `address(0)` and
     /// owner-gated calls revert until that project is created. The first account to mint that project becomes the
     /// effective owner, so deployers must control the mint sequence.
@@ -131,6 +139,15 @@ abstract contract JBOwnableOverrides is Context, JBPermissioned, IJBOwnable {
         address resolvedOwner;
         if (ownerInfo.projectId == 0) {
             resolvedOwner = ownerInfo.owner;
+
+            // Address-owned contracts do not have a safe project namespace in JBPermissions: project ID 0 is the
+            // wildcard scope. Keep address-based ownership direct-owner-only.
+            if (_msgSender() != resolvedOwner) {
+                revert JBPermissioned.JBPermissioned_Unauthorized({
+                    account: resolvedOwner, sender: _msgSender(), projectId: 0, permissionId: 0
+                });
+            }
+            return;
         } else {
             // Resolve the project owner dynamically; unreadable projects fail closed to address(0).
             try PROJECTS.ownerOf(ownerInfo.projectId) returns (address projectOwner) {
@@ -173,10 +190,10 @@ abstract contract JBOwnableOverrides is Context, JBPermissioned, IJBOwnable {
         _transferOwnership({newOwner: address(0), projectId: 0});
     }
 
-    /// @notice Configures which `JBPermissions` permission ID grants delegate access to `onlyOwner` functions.
-    /// Set to 0 to disable delegation entirely (only the direct owner can call).
-    /// @dev Can only be called by the current owner. Records the current owner so delegation is ignored while a
-    /// different owner holds the project NFT.
+    /// @notice Configures which `JBPermissions` permission ID grants delegate access to `onlyOwner` functions while
+    /// this contract is project-owned. Set to 0 to disable delegation entirely.
+    /// @dev Can only be called by the current owner. Address-owned contracts can only set `permissionId` to 0.
+    /// Records the current owner so delegation is ignored while a different owner holds the project NFT.
     /// @param permissionId The permission ID to use for `onlyOwner` delegation.
     function setPermissionId(uint8 permissionId) public virtual override {
         _checkOwner();
@@ -231,10 +248,16 @@ abstract contract JBOwnableOverrides is Context, JBPermissioned, IJBOwnable {
     /// @param newProjectId The ID of the new owning project (zero if transferring to an address).
     function _emitTransferEvent(address previousOwner, address newOwner, uint88 newProjectId) internal virtual;
 
-    /// @notice Sets the permission ID the current owner can use to delegate owner access.
-    /// @dev Internal function without access restriction.
+    /// @notice Sets the permission ID the current project owner can use to delegate owner access.
+    /// @dev Internal function without access restriction. Address-owned contracts can only clear the permission ID.
     /// @param permissionId The permission ID to use for `onlyOwner`.
     function _setPermissionId(uint8 permissionId) internal virtual {
+        if (jbOwner.projectId == 0 && permissionId != 0) {
+            revert JBOwnableOverrides_AddressOwnerCannotSetPermissionId({
+                owner: jbOwner.owner, permissionId: permissionId
+            });
+        }
+
         jbOwner.permissionId = permissionId;
         _permissionOwner = owner();
         emit PermissionIdChanged({newId: permissionId, caller: _msgSender()});

package/src/interfaces/IJBOwnable.sol

@@ -4,8 +4,8 @@ pragma solidity ^0.8.0;
 import {IJBProjects} from "@bananapus/core-v6/src/interfaces/IJBProjects.sol";
 
 /// @notice Interface for Juicebox-aware ownership. Supports two modes: address-based (a fixed EOA/contract owns the
-/// contract) or project-based (whoever holds a specific Juicebox project's ERC-721 NFT is the owner). The owner can
-/// delegate access to other addresses via `JBPermissions`.
+/// contract) or project-based (whoever holds a specific Juicebox project's ERC-721 NFT is the owner). Project-based
+/// owners can delegate access to other addresses via `JBPermissions`; address-based ownership is direct-owner-only.
 interface IJBOwnable {
     /// @notice Emitted when ownership is transferred to a new owner.
     /// @param previousOwner The address of the previous owner.
@@ -36,7 +36,8 @@ interface IJBOwnable {
     /// @notice Gives up ownership, making it impossible to call `onlyOwner` functions.
     function renounceOwnership() external;
 
-    /// @notice Sets the permission ID the owner can use to give other addresses owner access.
+    /// @notice Sets the permission ID a project-based owner can use to give other addresses owner access.
+    /// @dev Address-based owners can only set `permissionId` to 0.
     /// @param permissionId The permission ID to use for `onlyOwner`.
     function setPermissionId(uint8 permissionId) external;