@bananapus/ownable-v6 0.0.33 → 0.0.36

package/README.md

@@ -1,6 +1,6 @@
 # Juicebox Ownable
 
-`@bananapus/ownable-v6` is an ownership helper for contracts that should be controlled by a Juicebox project instead of a fixed wallet. It keeps the familiar `Ownable` shape while letting ownership follow a project NFT and optional delegated permissions.
+`@bananapus/ownable-v6` is an ownership helper for contracts that should be controlled by a Juicebox project instead of a fixed wallet. It keeps the familiar `Ownable` shape while letting ownership follow a project NFT and optional project-scoped delegated permissions.
 
 ## Documentation
 
@@ -20,7 +20,8 @@ This package extends the standard ownership model in three ways:
 
 - ownership can point to a Juicebox project ID instead of an address
 - `owner()` can resolve dynamically to the current holder of that project NFT
-- delegated operators can satisfy `onlyOwner` through a configured `JBPermissions` permission ID
+- project-owned contracts can let delegated operators satisfy `onlyOwner` through a configured `JBPermissions` permission ID
+- address-owned contracts are direct-owner-only
 
 For contracts that are already meant to be owned by a project, this avoids manual ownership transfers when the project NFT changes hands.
 
@@ -41,7 +42,7 @@ If the issue is in project ownership itself, start in `nana-core-v6` and `JBProj
 This package is a small ownership adapter:
 
 1. resolve who the effective owner is
-2. optionally allow a delegated permission to satisfy `onlyOwner`
+2. optionally allow a delegated permission to satisfy `onlyOwner` when the contract is project-owned
 3. preserve an `Ownable`-like interface for downstream contracts
 
 ## Read These Files First
@@ -54,7 +55,7 @@ This package is a small ownership adapter:
 
 - ownership may resolve to a project NFT holder instead of a fixed address, so caching `owner()` off-chain can go stale
 - `owner()` can resolve to `address(0)` if the referenced project NFT is invalid or unreadable, which effectively renounces the contract
-- delegated operator access depends on a chosen permission ID, not on a generic admin role
+- delegated operator access only applies in project-owned mode and depends on a chosen permission ID, not on a generic admin role
 - explicit ownership transfers reset the permission ID, but project NFT transfers do not mutate stored owner data
 - a project NFT round trip back to the owner who last set `permissionId` can reactivate that owner's still-granted delegates
 - ownership transfer and permission-ID updates are part of the security model, not just convenience helpers
@@ -72,7 +73,8 @@ This package is a small ownership adapter:
 3. `test/RegressionUnmintedProjectHijack.t.sol`
 4. `test/regression/BurnLockProtection.t.sol`
 5. `test/regression/PermissionIdNFTTransfer.t.sol`
-6. `test/audit/CodexNemesisPermissionReactivation.t.sol`
+6. `test/regression/StaleDelegateReactivationOnProjectReturn.t.sol`
+7. `test/regression/AddressOwnerPermissionPolicy.t.sol`
 
 ## Install
 
@@ -103,7 +105,8 @@ test/
 ## Risks And Notes
 
 - if ownership is tied to a project NFT and that NFT becomes unreachable, the contract is effectively locked
-- delegated access depends on a chosen permission ID, so bad permission selection is an operational risk
+- project-owned delegated access depends on a chosen permission ID, so bad permission selection is an operational risk
+- address-owned contracts cannot enable delegated owner access
 - permission IDs reset on explicit ownership transfers; project NFT transfers leave the ID stored but stale unless the
   resolved owner still matches the owner who set it
 - transferring ownership to a project validates that the project exists at transfer time, but later project invalidation can still collapse effective ownership to `address(0)`

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bananapus/ownable-v6",
-  "version": "0.0.33",
+  "version": "0.0.36",
   "license": "MIT",
   "repository": {
     "type": "git",
@@ -17,8 +17,8 @@
     "node": ">=20.0.0"
   },
   "dependencies": {
-    "@bananapus/core-v6": "^0.0.72",
-    "@bananapus/permission-ids-v6": "^0.0.27",
+    "@bananapus/core-v6": "^0.0.78",
+    "@bananapus/permission-ids-v6": "^0.0.28",
     "@openzeppelin/contracts": "5.6.1"
   },
   "scripts": {

package/src/JBOwnable.sol

@@ -67,12 +67,8 @@ contract JBOwnable is JBOwnableOverrides {
     {
         address resolvedNewOwner = newOwner;
         if (newProjectId != 0) {
-            try PROJECTS.ownerOf(newProjectId) returns (address projectOwner) {
-                resolvedNewOwner = projectOwner;
-            } catch {
-                // Pre-bound future projects have no visible owner yet, so the event reports address(0).
-                resolvedNewOwner = address(0);
-            }
+            // Pre-bound future projects have no visible owner yet, so the event reports address(0).
+            resolvedNewOwner = _projectOwnerOf(newProjectId);
         }
 
         emit OwnershipTransferred({previousOwner: previousOwner, newOwner: resolvedNewOwner, caller: _msgSender()});

package/src/JBOwnableOverrides.sol

@@ -12,7 +12,8 @@ import {JBOwner} from "./structs/JBOwner.sol";
 
 /// @notice Abstract base implementing Juicebox-aware ownership resolution, transfer, and permission delegation.
 /// Ownership is either address-based (a fixed EOA/contract) or project-based (whoever holds the project's ERC-721
-/// NFT). The owner can delegate access to other addresses by configuring a `permissionId` in `JBPermissions`.
+/// NFT). A project-based owner can delegate access by configuring a `permissionId` in `JBPermissions`; address-based
+/// ownership is direct-owner-only.
 /// @dev Project NFT transfers do not update stored owner data. A nonzero `permissionId` is only effective while the
 /// resolved owner still equals `_permissionOwner`, the owner who last set that ID. If the NFT leaves and later returns
 /// to that owner, their still-granted delegate permissions become effective again.
@@ -21,6 +22,11 @@ abstract contract JBOwnableOverrides is Context, JBPermissioned, IJBOwnable {
     // --------------------------- custom errors ------------------------- //
     //*********************************************************************//
 
+    /// @notice Thrown when address-based ownership tries to enable `JBPermissions` delegation.
+    /// @param owner The address-based owner.
+    /// @param permissionId The nonzero permission ID being set.
+    error JBOwnableOverrides_AddressOwnerCannotSetPermissionId(address owner, uint8 permissionId);
+
     /// @notice Thrown when an ownership transfer or constructor input does not identify exactly one valid owner.
     /// @param newOwner The address owner being set.
     /// @param projectId The project owner ID being set.
@@ -61,7 +67,9 @@ abstract contract JBOwnableOverrides is Context, JBPermissioned, IJBOwnable {
     /// the zero address as the `initialOwner`.
     /// To restrict access to a specific address, pass that address as the `initialOwner` and `0` as the
     /// `initialProjectIdOwner`.
-    /// @dev The owner can give owner access to other addresses through the `permissions` contract.
+    /// @dev Project-based owners can give owner access to other addresses through the `permissions` contract.
+    /// Address-based owners cannot enable delegated owner access because `JBPermissions` project ID `0` is the
+    /// wildcard project namespace.
     /// @dev If `initialProjectIdOwner` references an unminted project, `owner()` resolves to `address(0)` and
     /// owner-gated calls revert until that project is created. The first account to mint that project becomes the
     /// effective owner, so deployers must control the mint sequence.
@@ -107,12 +115,8 @@ abstract contract JBOwnableOverrides is Context, JBPermissioned, IJBOwnable {
             return ownerInfo.owner;
         }
 
-        // If the project owner cannot be read, expose the owner as zero instead of bubbling the upstream revert.
-        try PROJECTS.ownerOf(ownerInfo.projectId) returns (address projectOwner) {
-            return projectOwner;
-        } catch {
-            return address(0);
-        }
+        // Expose the project owner, or zero if the project's NFT cannot be read, instead of bubbling the revert.
+        return _projectOwnerOf(ownerInfo.projectId);
     }
 
     //*********************************************************************//
@@ -131,13 +135,18 @@ abstract contract JBOwnableOverrides is Context, JBPermissioned, IJBOwnable {
         address resolvedOwner;
         if (ownerInfo.projectId == 0) {
             resolvedOwner = ownerInfo.owner;
+
+            // Address-owned contracts do not have a safe project namespace in JBPermissions: project ID 0 is the
+            // wildcard scope. Keep address-based ownership direct-owner-only.
+            if (_msgSender() != resolvedOwner) {
+                revert JBPermissioned.JBPermissioned_Unauthorized({
+                    account: resolvedOwner, sender: _msgSender(), projectId: 0, permissionId: 0
+                });
+            }
+            return;
         } else {
             // Resolve the project owner dynamically; unreadable projects fail closed to address(0).
-            try PROJECTS.ownerOf(ownerInfo.projectId) returns (address projectOwner) {
-                resolvedOwner = projectOwner;
-            } catch {
-                resolvedOwner = address(0);
-            }
+            resolvedOwner = _projectOwnerOf(ownerInfo.projectId);
         }
 
         // Ignore the stored permission ID while the project NFT is held by a different owner than the one who set it.
@@ -162,6 +171,22 @@ abstract contract JBOwnableOverrides is Context, JBPermissioned, IJBOwnable {
         });
     }
 
+    /// @notice Resolves the current holder of a project's ownership NFT, or `address(0)` if the project's NFT cannot
+    /// be read.
+    /// @dev Wraps `PROJECTS.ownerOf` in a try-catch so an unreadable project (for example an NFT that has not been
+    /// minted yet) resolves to `address(0)` and owner-gated logic fails closed instead of bubbling the revert. The
+    /// resolution lives in one place so the try-catch lives in a single function rather than at every call site and in
+    /// every contract that inherits this.
+    /// @param projectId The ID of the project whose owner to resolve.
+    /// @return projectOwner The project's current owner, or `address(0)` if `PROJECTS.ownerOf` reverts.
+    function _projectOwnerOf(uint256 projectId) internal view virtual returns (address projectOwner) {
+        try PROJECTS.ownerOf(projectId) returns (address resolved) {
+            projectOwner = resolved;
+        } catch {
+            projectOwner = address(0);
+        }
+    }
+
     //*********************************************************************//
     // ---------------------- public transactions ------------------------ //
     //*********************************************************************//
@@ -173,10 +198,10 @@ abstract contract JBOwnableOverrides is Context, JBPermissioned, IJBOwnable {
         _transferOwnership({newOwner: address(0), projectId: 0});
     }
 
-    /// @notice Configures which `JBPermissions` permission ID grants delegate access to `onlyOwner` functions.
-    /// Set to 0 to disable delegation entirely (only the direct owner can call).
-    /// @dev Can only be called by the current owner. Records the current owner so delegation is ignored while a
-    /// different owner holds the project NFT.
+    /// @notice Configures which `JBPermissions` permission ID grants delegate access to `onlyOwner` functions while
+    /// this contract is project-owned. Set to 0 to disable delegation entirely.
+    /// @dev Can only be called by the current owner. Address-owned contracts can only set `permissionId` to 0.
+    /// Records the current owner so delegation is ignored while a different owner holds the project NFT.
     /// @param permissionId The permission ID to use for `onlyOwner` delegation.
     function setPermissionId(uint8 permissionId) public virtual override {
         _checkOwner();
@@ -231,10 +256,16 @@ abstract contract JBOwnableOverrides is Context, JBPermissioned, IJBOwnable {
     /// @param newProjectId The ID of the new owning project (zero if transferring to an address).
     function _emitTransferEvent(address previousOwner, address newOwner, uint88 newProjectId) internal virtual;
 
-    /// @notice Sets the permission ID the current owner can use to delegate owner access.
-    /// @dev Internal function without access restriction.
+    /// @notice Sets the permission ID the current project owner can use to delegate owner access.
+    /// @dev Internal function without access restriction. Address-owned contracts can only clear the permission ID.
     /// @param permissionId The permission ID to use for `onlyOwner`.
     function _setPermissionId(uint8 permissionId) internal virtual {
+        if (jbOwner.projectId == 0 && permissionId != 0) {
+            revert JBOwnableOverrides_AddressOwnerCannotSetPermissionId({
+                owner: jbOwner.owner, permissionId: permissionId
+            });
+        }
+
         jbOwner.permissionId = permissionId;
         _permissionOwner = owner();
         emit PermissionIdChanged({newId: permissionId, caller: _msgSender()});
@@ -265,11 +296,7 @@ abstract contract JBOwnableOverrides is Context, JBPermissioned, IJBOwnable {
         if (ownerInfo.projectId == 0) {
             oldOwner = ownerInfo.owner;
         } else {
-            try PROJECTS.ownerOf(ownerInfo.projectId) returns (address projectOwner) {
-                oldOwner = projectOwner;
-            } catch {
-                oldOwner = address(0);
-            }
+            oldOwner = _projectOwnerOf(ownerInfo.projectId);
         }
         // Explicit ownership transfers clear delegated access and the owner who authorized it.
         jbOwner = JBOwner({owner: newOwner, projectId: projectId, permissionId: 0});

package/src/interfaces/IJBOwnable.sol

@@ -4,8 +4,8 @@ pragma solidity ^0.8.0;
 import {IJBProjects} from "@bananapus/core-v6/src/interfaces/IJBProjects.sol";
 
 /// @notice Interface for Juicebox-aware ownership. Supports two modes: address-based (a fixed EOA/contract owns the
-/// contract) or project-based (whoever holds a specific Juicebox project's ERC-721 NFT is the owner). The owner can
-/// delegate access to other addresses via `JBPermissions`.
+/// contract) or project-based (whoever holds a specific Juicebox project's ERC-721 NFT is the owner). Project-based
+/// owners can delegate access to other addresses via `JBPermissions`; address-based ownership is direct-owner-only.
 interface IJBOwnable {
     /// @notice Emitted when ownership is transferred to a new owner.
     /// @param previousOwner The address of the previous owner.
@@ -36,7 +36,8 @@ interface IJBOwnable {
     /// @notice Gives up ownership, making it impossible to call `onlyOwner` functions.
     function renounceOwnership() external;
 
-    /// @notice Sets the permission ID the owner can use to give other addresses owner access.
+    /// @notice Sets the permission ID a project-based owner can use to give other addresses owner access.
+    /// @dev Address-based owners can only set `permissionId` to 0.
     /// @param permissionId The permission ID to use for `onlyOwner`.
     function setPermissionId(uint8 permissionId) external;