npm - @bananapus/ownable-v6 - Versions diffs - 0.0.4 → 0.0.5 - Mend

@bananapus/ownable-v6 0.0.4 → 0.0.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/README.md +58 -16
package/SKILLS.md +127 -24
package/package.json +6 -3
package/slither-ci.config.json +1 -1
package/src/JBOwnableOverrides.sol +46 -6
package/test/OwnableEdgeCases.t.sol +368 -0
package/test/regression/L65_BurnLockProtection.t.sol +110 -0
package/test/regression/L66_ZeroAddressValidation.t.sol +66 -0

package/README.md CHANGED Viewed

@@ -1,40 +1,82 @@
-# nana-ownable-v6
+# Juicebox Ownable
-Juicebox-aware ownership model that ties contract ownership to a Juicebox project NFT or an address, with delegated access through `JBPermissions`.
+Ownership that follows the project, not a person. Transfer control of any contract to a Juicebox project NFT, and anyone the project owner delegates through `JBPermissions` can act as owner.
 This is a variation on OpenZeppelin [`Ownable`](https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/access/Ownable.sol) that adds:
-- The ability to transfer contract ownership to a Juicebox project instead of a specific address.
-- The ability to grant other addresses `onlyOwner` access using `JBPermissions`.
-- `JBPermissioned` modifiers with support for OpenZeppelin `Context` (enabling optional meta-transaction support).
+- The ability to transfer contract ownership to a Juicebox project instead of a specific address. When owned by a project, ownership dynamically follows whoever holds that project's ERC-721 NFT -- no on-chain update needed.
+- The ability to grant other addresses `onlyOwner` access using `JBPermissions`, with a configurable `permissionId`.
+- `JBPermissioned` base class with support for OpenZeppelin `Context` (enabling optional meta-transaction support).
-All features are backwards compatible with OpenZeppelin `Ownable`. This should be a drop-in replacement. Only use `JBOwnableOverrides` if you are overriding OpenZeppelin `Ownable` v4.7.0 or higher.
+All features are backwards compatible with OpenZeppelin `Ownable`. `JBOwnable` is a drop-in replacement: it provides the same `onlyOwner` modifier, `owner()` view, `transferOwnership(address)`, and `renounceOwnership()` functions.
 Forked from [`jbx-protocol/juice-ownable`](https://github.com/jbx-protocol/juice-ownable).
-_If you have questions, take a look at the [core protocol contracts](https://github.com/Bananapus/nana-core) and the [documentation](https://docs.juicebox.money/) first, or reach out on [Discord](https://discord.com/invite/ErQYmth4dS)._
+_If you have questions, take a look at the [core protocol contracts](https://github.com/Bananapus/nana-core-v6) and the [documentation](https://docs.juicebox.money/) first, or reach out on [Discord](https://discord.com/invite/ErQYmth4dS)._
 ## Architecture
+```
+JBOwnable
+  └── JBOwnableOverrides (abstract)
+        ├── Context (OpenZeppelin)
+        ├── JBPermissioned (nana-core-v6)
+        └── IJBOwnable (interface)
+```
 | Contract | Description |
 |----------|-------------|
-| `JBOwnable` | Concrete implementation providing an `onlyOwner` modifier and ownership transfer events. Inherits `JBOwnableOverrides`. |
-| `JBOwnableOverrides` | Abstract base containing all ownership logic: owner resolution, transfers, renunciation, and permission delegation via `JBPermissions`. |
+| [`JBOwnable`](src/JBOwnable.sol) | Concrete implementation. Provides the `onlyOwner` modifier and emits `OwnershipTransferred` events (resolving project NFT holders at emission time). Inherit this in your contract. |
+| [`JBOwnableOverrides`](src/JBOwnableOverrides.sol) | Abstract base containing all ownership logic: owner resolution, transfers, renunciation, permission delegation, and internal helpers. Use this directly only if you need to customize `_emitTransferEvent` (e.g., when deploying contracts before the project NFT is minted). |
 ### Supporting Types
-| Type | Description |
-|------|-------------|
-| `JBOwner` | Struct packing `address owner`, `uint88 projectId`, and `uint8 permissionId` into a single slot. |
-| `IJBOwnable` | Interface exposing ownership queries, transfers, renunciation, and permission ID management. |
+| Type | Location | Description |
+|------|----------|-------------|
+| [`JBOwner`](src/structs/JBOwner.sol) | `src/structs/` | Struct packing `address owner` (160 bits), `uint88 projectId` (88 bits), and `uint8 permissionId` (8 bits) into a single 256-bit storage slot. |
+| [`IJBOwnable`](src/interfaces/IJBOwnable.sol) | `src/interfaces/` | Interface exposing ownership queries, transfers, renunciation, permission ID management, and events. |
 ### Ownership Modes
-1. **Project ownership** -- If `JBOwner.projectId` is nonzero, the holder of that `JBProjects` ERC-721 is the owner.
+1. **Project ownership** -- If `JBOwner.projectId` is nonzero, the current holder of that `JBProjects` ERC-721 is the owner. Ownership automatically follows the NFT: when the NFT is transferred, `owner()` immediately reflects the new holder without any additional transaction.
 2. **Address ownership** -- If `projectId` is zero, `JBOwner.owner` is the owner directly.
-3. **Delegated access** -- The owner can grant others access via `JBPermissions.setPermissionsFor(...)` using the configured `permissionId`.
+3. **Delegated access** -- The owner can grant other addresses access via `JBPermissions.setPermissionsFor(...)` using the configured `permissionId`. The owner must first call `setPermissionId(uint8)` to set which permission ID represents owner-level access.
+4. **Renounced** -- After calling `renounceOwnership()`, both `owner` and `projectId` are set to zero. No one can call `onlyOwner` functions. This is irreversible.
+The `permissionId` resets to 0 on every ownership transfer to prevent permission clashes for the new owner.
+### Events
+| Event | Emitted By |
+|-------|-----------|
+| `OwnershipTransferred(address indexed previousOwner, address indexed newOwner, address caller)` | `_emitTransferEvent` (called on every ownership change) |
+| `PermissionIdChanged(uint8 newId, address caller)` | `_setPermissionId` |
+### Errors
+| Error | Thrown When |
+|-------|-----------|
+| `JBOwnableOverrides_InvalidNewOwner()` | Constructor receives both zero owner and zero projectId; `transferOwnership` receives zero address; `transferOwnershipToProject` receives zero or overflow projectId; `_transferOwnership` receives both non-zero owner and non-zero projectId. |
+| `JBOwnableOverrides_ProjectDoesNotExist()` | `transferOwnershipToProject` receives a projectId greater than `PROJECTS.count()`. |
+| `JBOwnableOverrides_ZeroAddressProjectsWithProjectOwner()` | Constructor receives a non-zero `initialProjectIdOwner` with `projects` set to `address(0)`. |
+## How Ownership Resolution Works
+When `_checkOwner()` is called (by the `onlyOwner` modifier), it:
+1. Reads the `JBOwner` struct from storage.
+2. Resolves the owner address: if `projectId != 0`, calls `PROJECTS.ownerOf(projectId)` via try-catch (returns `address(0)` if the call reverts, e.g., burned NFT); otherwise uses the stored `owner` address.
+3. Calls `_requirePermissionFrom(account, projectId, permissionId)` from `JBPermissioned`, which passes if the caller is:
+   - The resolved owner address, OR
+   - An address granted the configured `permissionId` on the relevant project via `JBPermissions`, OR
+   - An address granted the ROOT permission (permission ID 1) on the relevant project via `JBPermissions`.
+## How Delegated Access Works
-The `permissionId` resets to 0 on every ownership transfer to prevent permission clashes.
+1. The owner calls `setPermissionId(uint8)` on the `JBOwnable` contract to configure which permission ID represents owner-level access.
+2. The owner calls `JBPermissions.setPermissionsFor(...)` to grant that permission ID to specific addresses on the relevant project.
+3. Those addresses can now call `onlyOwner` functions.
+4. If the project NFT is transferred to a new holder, delegated permissions granted by the previous holder stop working -- the new holder must re-grant permissions.
 ## Install

package/SKILLS.md CHANGED Viewed

@@ -1,52 +1,104 @@
-# nana-ownable-v6
+# Juicebox Ownable
 ## Purpose
-Drop-in Juicebox-aware replacement for OpenZeppelin `Ownable` that lets a contract be owned by a Juicebox project (via its ERC-721) or a plain address, with delegated access through `JBPermissions`.
+Drop-in Juicebox-aware replacement for OpenZeppelin `Ownable`. A contract inheriting `JBOwnable` can be owned by a Juicebox project (via its ERC-721 NFT) or a plain address, with delegated access through `JBPermissions`. When owned by a project, ownership dynamically follows the NFT holder -- no on-chain update is needed when the NFT changes hands.
 ## Contracts
 | Contract | Role |
 |----------|------|
-| `JBOwnable` | Concrete modifier (`onlyOwner`) and event emission for ownership transfers. |
-| `JBOwnableOverrides` | Abstract base with ownership state, resolution, transfers, renunciation, and permission delegation. |
+| `JBOwnable` | Concrete implementation. Provides the `onlyOwner` modifier and `_emitTransferEvent` (resolves project NFT holder at emission time). Inherit this in your contract. |
+| `JBOwnableOverrides` | Abstract base with all ownership state and logic: owner resolution, transfers, renunciation, permission delegation, and internal helpers. Only inherit this directly if you need to customize `_emitTransferEvent`. |
+## Inheritance Chain
+```
+JBOwnable
+  └── JBOwnableOverrides (abstract)
+        ├── Context (@openzeppelin/contracts)
+        ├── JBPermissioned (@bananapus/core-v6)
+        └── IJBOwnable (interface)
+```
 ## Key Functions
+### Public / External
 | Function | Contract | What it does |
 |----------|----------|--------------|
-| `owner()` | `JBOwnableOverrides` | Returns the current owner address -- resolves project NFT holder if `projectId` is set. |
-| `transferOwnership(address)` | `JBOwnableOverrides` | Transfers ownership to a new address. Resets `permissionId`. |
-| `transferOwnershipToProject(uint256)` | `JBOwnableOverrides` | Transfers ownership to a Juicebox project. The project NFT holder becomes owner. |
-| `renounceOwnership()` | `JBOwnableOverrides` | Permanently gives up ownership (sets owner to zero address, projectId to 0). |
-| `setPermissionId(uint8)` | `JBOwnableOverrides` | Changes which `JBPermissions` permission ID grants delegated owner access. |
-| `_checkOwner()` | `JBOwnableOverrides` | Internal view used by `onlyOwner`; calls `_requirePermissionFrom` against the resolved owner. |
+| `owner()` | `JBOwnableOverrides` | Returns the current owner address. If `projectId != 0`, calls `PROJECTS.ownerOf(projectId)` via try-catch -- returns the project NFT holder on success, or `address(0)` if the call reverts (e.g., burned NFT). Otherwise returns `jbOwner.owner`. |
+| `transferOwnership(address newOwner)` | `JBOwnableOverrides` | Transfers ownership to a new address. Reverts if `newOwner` is `address(0)`. Resets `permissionId` to 0. |
+| `transferOwnershipToProject(uint256 projectId)` | `JBOwnableOverrides` | Transfers ownership to a Juicebox project. The NFT holder becomes the owner. Validates: `projectId != 0`, fits in `uint88`, and `projectId <= PROJECTS.count()`. Resets `permissionId` to 0. |
+| `renounceOwnership()` | `JBOwnableOverrides` | Permanently gives up ownership. Sets both `owner` and `projectId` to zero. Irreversible -- no one can call `onlyOwner` functions afterward. |
+| `setPermissionId(uint8 permissionId)` | `JBOwnableOverrides` | Sets which `JBPermissions` permission ID grants delegated owner access. Only callable by the current owner. |
-## Integration Points
+### Internal
-| Dependency | Import | Used For |
-|------------|--------|----------|
-| `nana-core-v6` | `IJBPermissions`, `JBPermissioned` | Permission checks for delegated access |
-| `nana-core-v6` | `IJBProjects` | Resolving project NFT holder as owner |
-| `@openzeppelin/contracts` | `Context` | `_msgSender()` support |
+| Function | Contract | What it does |
+|----------|----------|--------------|
+| `_checkOwner()` | `JBOwnableOverrides` | Resolves the owner, then calls `_requirePermissionFrom(account, projectId, permissionId)`. Used by the `onlyOwner` modifier. |
+| `_transferOwnership(address newOwner, uint88 projectId)` | `JBOwnableOverrides` | Core transfer logic. Reverts if both `newOwner` and `projectId` are non-zero. Updates `jbOwner` struct and resets `permissionId` to 0. Calls `_emitTransferEvent`. No access restriction. |
+| `_transferOwnership(address newOwner)` | `JBOwnableOverrides` | Convenience overload that calls `_transferOwnership(newOwner, 0)`. Exists for drop-in compatibility with OpenZeppelin `Ownable`. |
+| `_setPermissionId(uint8 permissionId)` | `JBOwnableOverrides` | Sets `jbOwner.permissionId` and emits `PermissionIdChanged`. No access restriction -- meant for internal use. |
+| `_emitTransferEvent(address previousOwner, address newOwner, uint88 newProjectId)` | `JBOwnable` (overrides abstract in `JBOwnableOverrides`) | Emits `OwnershipTransferred`. Resolves `newProjectId` to the current NFT holder via `PROJECTS.ownerOf()`. Override this in `JBOwnableOverrides` subclasses if you need custom transfer event behavior (e.g., deploying before a project NFT is minted). |
+## Immutable State
+| Variable | Type | Description |
+|----------|------|-------------|
+| `PROJECTS` | `IJBProjects` | The `JBProjects` ERC-721 contract used to resolve project ownership. |
+| `PERMISSIONS` | `IJBPermissions` | Inherited from `JBPermissioned`. The `JBPermissions` contract used for delegated access checks. |
 ## Key Types
-| Struct/Enum | Key Fields | Used In |
-|-------------|------------|---------|
-| `JBOwner` | `address owner`, `uint88 projectId`, `uint8 permissionId` | `JBOwnableOverrides.jbOwner` -- single storage slot (160+88+8=256 bits) |
+| Type | Fields | Storage |
+|------|--------|---------|
+| `JBOwner` | `address owner` (160 bits), `uint88 projectId` (88 bits), `uint8 permissionId` (8 bits) | Single 256-bit slot. `owner` and `projectId` are mutually exclusive (both non-zero is invalid). |
+## Events
+| Event | Fields | When |
+|-------|--------|------|
+| `OwnershipTransferred` | `address indexed previousOwner`, `address indexed newOwner`, `address caller` | Every ownership change (transfer, project transfer, renounce). |
+| `PermissionIdChanged` | `uint8 newId`, `address caller` | When `setPermissionId` or `_setPermissionId` is called. |
+## Errors
+| Error | When |
+|-------|------|
+| `JBOwnableOverrides_InvalidNewOwner()` | Constructor gets both zero owner and zero projectId. `transferOwnership(address(0))`. `transferOwnershipToProject(0)` or `transferOwnershipToProject(id > type(uint88).max)`. `_transferOwnership` called with both non-zero owner and non-zero projectId. |
+| `JBOwnableOverrides_ProjectDoesNotExist()` | `transferOwnershipToProject(id)` where `id > PROJECTS.count()`. |
+| `JBOwnableOverrides_ZeroAddressProjectsWithProjectOwner()` | Constructor receives a non-zero `initialProjectIdOwner` with `projects` set to `address(0)`. |
+## Integration Points
+| Dependency | Import | Used For |
+|------------|--------|----------|
+| `nana-core-v6` | `IJBPermissions`, `JBPermissioned` | Permission checks for delegated access via `_requirePermissionFrom` |
+| `nana-core-v6` | `IJBProjects` | Resolving project NFT holder as owner via `PROJECTS.ownerOf(projectId)` |
+| `@openzeppelin/contracts` | `Context` | `_msgSender()` support for meta-transaction compatibility |
 ## Gotchas
-- You cannot set both `owner` and `projectId` to nonzero values simultaneously -- `_transferOwnership` reverts with `JBOwnableOverrides_InvalidNewOwner`.
-- Constructor reverts if both `initialOwner` and `initialProjectIdOwner` are zero. To create an unowned contract, set an owner then call `renounceOwnership()` in the constructor body.
-- `_transferOwnership` resets `permissionId` to 0 on every transfer, which revokes all previously delegated access.
-- `projectId` is `uint88`, so project IDs above `type(uint88).max` are rejected by `transferOwnershipToProject`.
+- **Mutually exclusive ownership modes.** You cannot set both `owner` and `projectId` to non-zero values. The constructor, `transferOwnership`, and `transferOwnershipToProject` all enforce this. `_transferOwnership` reverts with `JBOwnableOverrides_InvalidNewOwner` if both are non-zero.
+- **Constructor rejects zero-zero initialization.** If both `initialOwner` and `initialProjectIdOwner` are zero, the constructor reverts. To create an unowned contract, set an initial owner and call `renounceOwnership()` in the constructor body.
+- **`permissionId` resets to 0 on every ownership transfer.** This is intentional -- it prevents stale permission delegation from carrying over to new owners. The new owner must explicitly call `setPermissionId()` to re-enable delegated access.
+- **Delegated permissions are scoped to the granting address.** When a project NFT is transferred, delegates authorized by the old holder lose access immediately. The new holder must re-grant permissions via `JBPermissions.setPermissionsFor(...)`.
+- **ROOT permission (ID 1) always grants access.** `_checkOwner()` delegates to `_requirePermissionFrom` from `JBPermissioned`, which recognizes the ROOT permission (ID 1) as granting access regardless of the configured `permissionId`.
+- **`renounceOwnership()` is irreversible.** After renouncing, `owner()` returns `address(0)`, and all `onlyOwner` functions permanently revert. There is no recovery mechanism.
+- **`projectId` is `uint88`.** Project IDs above `type(uint88).max` (309,485,009,821,345,068,724,781,055) are rejected by `transferOwnershipToProject`. This constraint enables the `JBOwner` struct to fit in a single storage slot.
+- **`transferOwnershipToProject` checks existence.** It compares the project ID against `PROJECTS.count()` and reverts with `JBOwnableOverrides_ProjectDoesNotExist` if the project does not exist, preventing permanent loss of contract control.
+- **`owner()` makes an external call in project mode.** When `projectId != 0`, `owner()` calls `PROJECTS.ownerOf(projectId)`, which is an external call. This is relevant for gas-sensitive contexts. If the call reverts (e.g., the project NFT was burned), `owner()` returns `address(0)` and the contract degrades to a renounced state.
+- **Constructor rejects zero-address PROJECTS with project ownership.** Deploying with `projects = address(0)` and a non-zero `initialProjectIdOwner` reverts with `JBOwnableOverrides_ZeroAddressProjectsWithProjectOwner`, preventing permanently broken ownership resolution.
+- **No ERC2771 support.** Despite inheriting `Context`, `JBOwnable` uses plain `Context._msgSender()` (which returns `msg.sender`), not `ERC2771Context`. A trusted forwarder appending a sender address to calldata has no effect on ownership checks.
-## Example Integration
+## Example: Inherit JBOwnable
 ```solidity
 import {JBOwnable} from "@bananapus/ownable-v6/src/JBOwnable.sol";
+import {IJBPermissions} from "@bananapus/core-v6/src/interfaces/IJBPermissions.sol";
+import {IJBProjects} from "@bananapus/core-v6/src/interfaces/IJBProjects.sol";
 contract MyHook is JBOwnable {
     constructor(
@@ -60,3 +112,54 @@ contract MyHook is JBOwnable {
     }
 }
 ```
+## Example: Address-Owned Contract
+```solidity
+contract MyContract is JBOwnable {
+    constructor(
+        IJBPermissions permissions,
+        IJBProjects projects,
+        address initialOwner
+    ) JBOwnable(permissions, projects, initialOwner, 0) {}
+    function adminFunction() external onlyOwner {
+        // Only initialOwner (or delegated addresses) can call this.
+    }
+}
+```
+## Example: Override _emitTransferEvent
+If you need to deploy a `JBOwnableOverrides`-based contract before the project NFT exists (e.g., the contract is deployed as part of the project creation flow), override `_emitTransferEvent` to handle the case where the project ID is not yet minted:
+```solidity
+import {JBOwnableOverrides} from "@bananapus/ownable-v6/src/JBOwnableOverrides.sol";
+contract MyPreDeployContract is JBOwnableOverrides {
+    modifier onlyOwner() {
+        _checkOwner();
+        _;
+    }
+    constructor(
+        IJBPermissions permissions,
+        IJBProjects projects,
+        address initialOwner,
+        uint88 initialProjectIdOwner
+    ) JBOwnableOverrides(permissions, projects, initialOwner, initialProjectIdOwner) {}
+    function _emitTransferEvent(
+        address previousOwner,
+        address newOwner,
+        uint88 newProjectId
+    ) internal override {
+        // Custom logic -- e.g., skip ownerOf() if the project NFT is not yet minted.
+        emit OwnershipTransferred({
+            previousOwner: previousOwner,
+            newOwner: newProjectId == 0 ? newOwner : address(0), // Resolve later.
+            caller: msg.sender
+        });
+    }
+}
+```

package/package.json CHANGED Viewed

@@ -1,17 +1,20 @@
 {
   "name": "@bananapus/ownable-v6",
-  "version": "0.0.4",
+  "version": "0.0.5",
   "license": "MIT",
   "repository": {
     "type": "git",
     "url": "git+https://github.com/Bananapus/nana-ownable-v6"
   },
+  "engines": {
+    "node": ">=20.0.0"
+  },
   "dependencies": {
-    "@bananapus/core-v6": "^0.0.5",
+    "@bananapus/core-v6": "^0.0.9",
     "@openzeppelin/contracts": "^5.0.2"
   },
   "scripts": {
     "test": "forge test",
-    "coverage:integration": "forge coverage --match-path \"./src/*.sol\" --report lcov --report summary"
+    "coverage": "forge coverage --match-path \"./src/*.sol\" --report lcov --report summary"
   }
 }

package/slither-ci.config.json CHANGED Viewed

@@ -5,6 +5,6 @@
     "exclude_medium": false,
     "exclude_high": false,
     "disable_color": false,
-    "filter_paths": "(mocks/|test/|node_modules/)",
+    "filter_paths": "(mocks/|test/|node_modules/|lib/)",
     "legacy_ast": false
 }

package/src/JBOwnableOverrides.sol CHANGED Viewed

@@ -20,6 +20,7 @@ abstract contract JBOwnableOverrides is Context, JBPermissioned, IJBOwnable {
     error JBOwnableOverrides_InvalidNewOwner();
     error JBOwnableOverrides_ProjectDoesNotExist();
+    error JBOwnableOverrides_ZeroAddressProjectsWithProjectOwner();
     //*********************************************************************//
     // ---------------- public immutable stored properties --------------- //
@@ -59,6 +60,13 @@ abstract contract JBOwnableOverrides is Context, JBPermissioned, IJBOwnable {
     {
         PROJECTS = projects;
+        // If using project-based ownership, the PROJECTS contract must be provided.
+        // Deploying with projects=address(0) and a non-zero projectId would permanently disable
+        // ownership resolution, as all ownerOf() calls would revert on the zero address.
+        if (initialProjectIdOwner != 0 && address(projects) == address(0)) {
+            revert JBOwnableOverrides_ZeroAddressProjectsWithProjectOwner();
+        }
         // We force the inheriting contract to set an owner, as there is a low chance someone will use `JBOwnable` to
         // create an unowned contract.
         // It's more likely both were accidentally set to `0`. If you really want an unowned contract, set the owner to
@@ -75,6 +83,11 @@ abstract contract JBOwnableOverrides is Context, JBPermissioned, IJBOwnable {
     //*********************************************************************//
     /// @notice Returns the owner's address based on this contract's `JBOwner`.
+    /// @dev If `projectId` is non-zero, resolves via `PROJECTS.ownerOf()`. If that call reverts (e.g., because the
+    /// project NFT was burned or invalidated), returns `address(0)` — effectively treating the contract as renounced.
+    /// @dev **Assumption:** `JBProjects` V6 has no burn function, so this scenario cannot occur under normal
+    /// conditions. The try-catch is a defensive measure against hypothetical future changes to `JBProjects` or
+    /// unexpected ERC-721 behavior.
     function owner() public view virtual returns (address) {
         JBOwner memory ownerInfo = jbOwner;
@@ -82,7 +95,13 @@ abstract contract JBOwnableOverrides is Context, JBPermissioned, IJBOwnable {
             return ownerInfo.owner;
         }
-        return PROJECTS.ownerOf(ownerInfo.projectId);
+        // Use try-catch to gracefully handle the case where the project NFT no longer exists.
+        // If ownerOf reverts, the contract is effectively renounced (returns address(0)).
+        try PROJECTS.ownerOf(ownerInfo.projectId) returns (address projectOwner) {
+            return projectOwner;
+        } catch {
+            return address(0);
+        }
     }
     //*********************************************************************//
@@ -90,13 +109,25 @@ abstract contract JBOwnableOverrides is Context, JBPermissioned, IJBOwnable {
     //*********************************************************************//
     /// @notice Reverts if the sender is not the owner.
+    /// @dev If `projectId` is non-zero and `PROJECTS.ownerOf()` reverts (e.g., burned NFT), the resolved owner is
+    /// `address(0)`, causing all `_checkOwner` calls to revert — equivalent to a renounced contract.
     function _checkOwner() internal view virtual {
         JBOwner memory ownerInfo = jbOwner;
+        address resolvedOwner;
+        if (ownerInfo.projectId == 0) {
+            resolvedOwner = ownerInfo.owner;
+        } else {
+            // Use try-catch to gracefully handle the case where the project NFT no longer exists.
+            try PROJECTS.ownerOf(ownerInfo.projectId) returns (address projectOwner) {
+                resolvedOwner = projectOwner;
+            } catch {
+                resolvedOwner = address(0);
+            }
+        }
         _requirePermissionFrom({
-            account: ownerInfo.projectId == 0 ? ownerInfo.owner : PROJECTS.ownerOf(ownerInfo.projectId),
-            projectId: ownerInfo.projectId,
-            permissionId: ownerInfo.permissionId
+            account: resolvedOwner, projectId: ownerInfo.projectId, permissionId: ownerInfo.permissionId
         });
     }
@@ -192,8 +223,17 @@ abstract contract JBOwnableOverrides is Context, JBPermissioned, IJBOwnable {
         }
         // Load the owner information from storage.
         JBOwner memory ownerInfo = jbOwner;
-        // Get the address of the old owner.
-        address oldOwner = ownerInfo.projectId == 0 ? ownerInfo.owner : PROJECTS.ownerOf(ownerInfo.projectId);
+        // Get the address of the old owner. Use try-catch for project-based ownership in case the NFT was burned.
+        address oldOwner;
+        if (ownerInfo.projectId == 0) {
+            oldOwner = ownerInfo.owner;
+        } else {
+            try PROJECTS.ownerOf(ownerInfo.projectId) returns (address projectOwner) {
+                oldOwner = projectOwner;
+            } catch {
+                oldOwner = address(0);
+            }
+        }
         // Update the stored owner information to the new owner and reset the `permissionId`.
         // This is to prevent permissions clashes for the new user/owner.
         jbOwner = JBOwner({owner: newOwner, projectId: projectId, permissionId: 0});

package/test/OwnableEdgeCases.t.sol ADDED Viewed

@@ -0,0 +1,368 @@
+// SPDX-License-Identifier: UNLICENSED
+pragma solidity ^0.8.26;
+import "forge-std/Test.sol";
+import {MockOwnable} from "./mocks/MockOwnable.sol";
+import {JBOwnableOverrides} from "../src/JBOwnableOverrides.sol";
+import {JBOwner} from "../src/structs/JBOwner.sol";
+import {IJBOwnable} from "../src/interfaces/IJBOwnable.sol";
+import {JBPermissions} from "@bananapus/core-v6/src/JBPermissions.sol";
+import {JBPermissioned} from "@bananapus/core-v6/src/abstract/JBPermissioned.sol";
+import {JBProjects} from "@bananapus/core-v6/src/JBProjects.sol";
+import {IJBPermissions} from "@bananapus/core-v6/src/interfaces/IJBPermissions.sol";
+import {IJBProjects} from "@bananapus/core-v6/src/interfaces/IJBProjects.sol";
+import {JBPermissionsData} from "@bananapus/core-v6/src/structs/JBPermissionsData.sol";
+/// @title OwnableEdgeCases
+/// @notice Edge case and gap tests for JBOwnable: multi-hop NFT transfers,
+///         project-to-project ownership, permissionId lifecycle, and nonexistent projects.
+contract OwnableEdgeCases is Test {
+    IJBProjects PROJECTS;
+    IJBPermissions PERMISSIONS;
+    address alice = makeAddr("alice");
+    address bob = makeAddr("bob");
+    address charlie = makeAddr("charlie");
+    address dave = makeAddr("dave");
+    modifier isNotContract(address a) {
+        uint256 size;
+        assembly {
+            size := extcodesize(a)
+        }
+        vm.assume(size == 0);
+        _;
+    }
+    function setUp() public {
+        PERMISSIONS = new JBPermissions(address(0));
+        PROJECTS = new JBProjects(address(123), address(0), address(0));
+    }
+    // =========================================================================
+    // Test 1: Multi-hop NFT transfer — ownership follows through A→B→C→D
+    // =========================================================================
+    function test_multiHopNFTTransfer_ownerFollows() public {
+        uint256 projectId = PROJECTS.createFor(alice);
+        MockOwnable ownable = new MockOwnable(PROJECTS, PERMISSIONS, address(0), uint88(projectId));
+        assertEq(ownable.owner(), alice);
+        // Transfer NFT: alice → bob
+        vm.prank(alice);
+        PROJECTS.transferFrom(alice, bob, projectId);
+        assertEq(ownable.owner(), bob, "Should follow to bob");
+        // Transfer NFT: bob → charlie
+        vm.prank(bob);
+        PROJECTS.transferFrom(bob, charlie, projectId);
+        assertEq(ownable.owner(), charlie, "Should follow to charlie");
+        // Transfer NFT: charlie → dave
+        vm.prank(charlie);
+        PROJECTS.transferFrom(charlie, dave, projectId);
+        assertEq(ownable.owner(), dave, "Should follow to dave");
+        // dave can call protectedMethod, alice/bob/charlie cannot
+        vm.prank(dave);
+        ownable.protectedMethod();
+        vm.prank(alice);
+        vm.expectRevert();
+        ownable.protectedMethod();
+        vm.prank(bob);
+        vm.expectRevert();
+        ownable.protectedMethod();
+        vm.prank(charlie);
+        vm.expectRevert();
+        ownable.protectedMethod();
+    }
+    // =========================================================================
+    // Test 2: Transfer project → different project
+    // =========================================================================
+    function test_transferProjectToProject() public {
+        uint256 projectA = PROJECTS.createFor(alice);
+        uint256 projectB = PROJECTS.createFor(bob);
+        MockOwnable ownable = new MockOwnable(PROJECTS, PERMISSIONS, address(0), uint88(projectA));
+        assertEq(ownable.owner(), alice);
+        // Transfer ownership from project A to project B.
+        vm.prank(alice);
+        ownable.transferOwnershipToProject(projectB);
+        // Owner should now be bob (owner of project B).
+        assertEq(ownable.owner(), bob, "Owner should be projectB's owner (bob)");
+        // alice no longer has access
+        vm.prank(alice);
+        vm.expectRevert();
+        ownable.protectedMethod();
+        // bob has access
+        vm.prank(bob);
+        ownable.protectedMethod();
+    }
+    // =========================================================================
+    // Test 3: Full ownership cycle: address → project → address → project
+    // =========================================================================
+    function test_fullOwnershipCycle() public {
+        uint256 projectA = PROJECTS.createFor(alice);
+        uint256 projectB = PROJECTS.createFor(bob);
+        // Start with address ownership.
+        MockOwnable ownable = new MockOwnable(PROJECTS, PERMISSIONS, charlie, 0);
+        assertEq(ownable.owner(), charlie);
+        // charlie → project A (alice)
+        vm.prank(charlie);
+        ownable.transferOwnershipToProject(projectA);
+        assertEq(ownable.owner(), alice);
+        // project A → bob (address)
+        vm.prank(alice);
+        ownable.transferOwnership(bob);
+        assertEq(ownable.owner(), bob);
+        // bob → project B (bob is also project B owner, but that's fine)
+        vm.prank(bob);
+        ownable.transferOwnershipToProject(projectB);
+        assertEq(ownable.owner(), bob, "bob owns projectB so still bob");
+        // Verify jbOwner struct is correct (projectId set, owner zeroed).
+        (address storedOwner, uint88 storedProjectId, uint8 storedPermId) = ownable.jbOwner();
+        assertEq(storedOwner, address(0), "owner field should be zero in project mode");
+        assertEq(storedProjectId, uint88(projectB), "projectId should be projectB");
+        assertEq(storedPermId, 0, "permissionId should be 0");
+    }
+    // =========================================================================
+    // Test 4: permissionId lifecycle through multiple transfers
+    // =========================================================================
+    function test_permissionIdLifecycle() public {
+        uint256 projectA = PROJECTS.createFor(alice);
+        MockOwnable ownable = new MockOwnable(PROJECTS, PERMISSIONS, address(0), uint88(projectA));
+        // Set permissionId to 42.
+        vm.prank(alice);
+        ownable.setPermissionId(42);
+        (,, uint8 permId) = ownable.jbOwner();
+        assertEq(permId, 42);
+        // Transfer to bob — permissionId should reset.
+        vm.prank(alice);
+        ownable.transferOwnership(bob);
+        (,, permId) = ownable.jbOwner();
+        assertEq(permId, 0, "permissionId should reset after transferOwnership");
+        // Set permissionId again as new owner.
+        vm.prank(bob);
+        ownable.setPermissionId(99);
+        (,, permId) = ownable.jbOwner();
+        assertEq(permId, 99);
+        // Transfer to project — permissionId should reset again.
+        vm.prank(bob);
+        ownable.transferOwnershipToProject(projectA);
+        (,, permId) = ownable.jbOwner();
+        assertEq(permId, 0, "permissionId should reset after transferOwnershipToProject");
+        // Set permissionId as project owner.
+        vm.prank(alice);
+        ownable.setPermissionId(200);
+        (,, permId) = ownable.jbOwner();
+        assertEq(permId, 200);
+        // Renounce — permissionId should be 0.
+        vm.prank(alice);
+        ownable.renounceOwnership();
+        (,, permId) = ownable.jbOwner();
+        assertEq(permId, 0, "permissionId should be 0 after renounce");
+    }
+    // =========================================================================
+    // Test 5: Non-owner cannot call setPermissionId
+    // =========================================================================
+    function test_nonOwnerCannotSetPermissionId(address nonOwner) public {
+        vm.assume(nonOwner != alice && nonOwner != address(0));
+        MockOwnable ownable = new MockOwnable(PROJECTS, PERMISSIONS, alice, 0);
+        vm.prank(nonOwner);
+        vm.expectRevert();
+        ownable.setPermissionId(42);
+    }
+    // =========================================================================
+    // Test 6: Transfer to nonexistent project reverts
+    // =========================================================================
+    function test_transferToNonexistentProject_reverts() public {
+        // Create one project so count == 1.
+        PROJECTS.createFor(alice);
+        MockOwnable ownable = new MockOwnable(PROJECTS, PERMISSIONS, alice, 0);
+        // Project 2 doesn't exist.
+        vm.prank(alice);
+        vm.expectRevert(abi.encodeWithSelector(JBOwnableOverrides.JBOwnableOverrides_ProjectDoesNotExist.selector));
+        ownable.transferOwnershipToProject(2);
+        // Project 999 doesn't exist.
+        vm.prank(alice);
+        vm.expectRevert(abi.encodeWithSelector(JBOwnableOverrides.JBOwnableOverrides_ProjectDoesNotExist.selector));
+        ownable.transferOwnershipToProject(999);
+    }
+    // =========================================================================
+    // Test 7: Delegated access — permission granted on project, then NFT
+    //         transferred, old delegate loses access
+    // =========================================================================
+    function test_delegatedAccess_lostAfterNFTTransfer() public {
+        uint256 projectId = PROJECTS.createFor(alice);
+        MockOwnable ownable = new MockOwnable(PROJECTS, PERMISSIONS, address(0), uint88(projectId));
+        // Set permissionId so delegation is possible.
+        vm.prank(alice);
+        ownable.setPermissionId(42);
+        // Alice grants charlie permission 42 on the project.
+        uint8[] memory permIds = new uint8[](1);
+        permIds[0] = 42;
+        vm.prank(alice);
+        PERMISSIONS.setPermissionsFor(
+            alice, JBPermissionsData({operator: charlie, projectId: uint56(projectId), permissionIds: permIds})
+        );
+        // Charlie can call protectedMethod (delegated via permissions).
+        vm.prank(charlie);
+        ownable.protectedMethod();
+        // Transfer NFT to bob.
+        vm.prank(alice);
+        PROJECTS.transferFrom(alice, bob, projectId);
+        // Charlie's delegation was from alice. Now owner is bob.
+        // Charlie should lose access because _checkOwner resolves to bob,
+        // and charlie has no permissions from bob.
+        vm.prank(charlie);
+        vm.expectRevert();
+        ownable.protectedMethod();
+        // bob can still call directly.
+        vm.prank(bob);
+        ownable.protectedMethod();
+    }
+    // =========================================================================
+    // Test 8: OwnershipTransferred event emitted correctly
+    // =========================================================================
+    function test_ownershipTransferredEvent() public {
+        MockOwnable ownable = new MockOwnable(PROJECTS, PERMISSIONS, alice, 0);
+        // Transfer to bob — expect event.
+        vm.expectEmit(true, true, false, true);
+        emit IJBOwnable.OwnershipTransferred(alice, bob, alice);
+        vm.prank(alice);
+        ownable.transferOwnership(bob);
+    }
+    // =========================================================================
+    // Test 9: PermissionIdChanged event emitted correctly
+    // =========================================================================
+    function test_permissionIdChangedEvent() public {
+        MockOwnable ownable = new MockOwnable(PROJECTS, PERMISSIONS, alice, 0);
+        vm.expectEmit(true, true, false, true);
+        emit IJBOwnable.PermissionIdChanged(42, alice);
+        vm.prank(alice);
+        ownable.setPermissionId(42);
+    }
+    // =========================================================================
+    // Test 10: Fuzz — transfer to any valid project, verify owner resolution
+    // =========================================================================
+    function testFuzz_transferToProject(address projectOwner) public isNotContract(projectOwner) {
+        vm.assume(projectOwner != address(0));
+        uint256 projectId = PROJECTS.createFor(projectOwner);
+        MockOwnable ownable = new MockOwnable(PROJECTS, PERMISSIONS, alice, 0);
+        vm.prank(alice);
+        ownable.transferOwnershipToProject(projectId);
+        assertEq(ownable.owner(), projectOwner, "Owner should match project owner");
+        // Verify jbOwner struct.
+        (address storedOwner, uint88 storedProjectId,) = ownable.jbOwner();
+        assertEq(storedOwner, address(0), "stored owner should be zero");
+        assertEq(storedProjectId, uint88(projectId), "stored projectId should match");
+    }
+    // =========================================================================
+    // Test 11: Renounced contract cannot reclaim ownership
+    // =========================================================================
+    /// @notice After renouncing, no one can call transferOwnership, transferOwnershipToProject,
+    ///         setPermissionId, or renounceOwnership again.
+    function test_renouncedContract_cannotReclaim() public {
+        uint256 projectId = PROJECTS.createFor(alice);
+        MockOwnable ownable = new MockOwnable(PROJECTS, PERMISSIONS, alice, 0);
+        vm.prank(alice);
+        ownable.renounceOwnership();
+        // Nobody can transfer ownership back.
+        vm.prank(alice);
+        vm.expectRevert();
+        ownable.transferOwnership(alice);
+        vm.prank(bob);
+        vm.expectRevert();
+        ownable.transferOwnership(bob);
+        // Nobody can transfer to a project.
+        vm.prank(alice);
+        vm.expectRevert();
+        ownable.transferOwnershipToProject(projectId);
+        // Nobody can set permissionId.
+        vm.prank(alice);
+        vm.expectRevert();
+        ownable.setPermissionId(1);
+        // Nobody can renounce again (already renounced, _checkOwner fails).
+        vm.prank(alice);
+        vm.expectRevert();
+        ownable.renounceOwnership();
+    }
+    // =========================================================================
+    // Test 12: _msgSender is NOT ERC2771-aware (design documentation)
+    // =========================================================================
+    /// @notice JBOwnable uses plain Context._msgSender() (returns msg.sender),
+    ///         NOT ERC2771Context. This test documents that a trusted forwarder
+    ///         appending a sender address to calldata does NOT affect _checkOwner.
+    function test_noERC2771_trustedForwarderHasNoEffect() public {
+        MockOwnable ownable = new MockOwnable(PROJECTS, PERMISSIONS, alice, 0);
+        // Simulate what a trusted forwarder would do: call with alice's address
+        // appended to calldata. Since JBOwnable uses plain Context, this has no effect.
+        // The msg.sender is still bob, not alice.
+        bytes memory callData = abi.encodeWithSelector(MockOwnable.protectedMethod.selector);
+        bytes memory forwardedCallData = abi.encodePacked(callData, alice);
+        vm.prank(bob);
+        (bool success,) = address(ownable).call(forwardedCallData);
+        assertFalse(success, "Forwarded call should fail - JBOwnable ignores appended sender");
+        // Direct call from alice still works.
+        vm.prank(alice);
+        ownable.protectedMethod();
+    }
+}

package/test/regression/L65_BurnLockProtection.t.sol ADDED Viewed

@@ -0,0 +1,110 @@
+// SPDX-License-Identifier: UNLICENSED
+pragma solidity ^0.8.26;
+import {Test} from "forge-std/Test.sol";
+import {MockOwnable} from "../mocks/MockOwnable.sol";
+import {JBOwnableOverrides} from "../../src/JBOwnableOverrides.sol";
+import {JBPermissions} from "@bananapus/core-v6/src/JBPermissions.sol";
+import {JBProjects} from "@bananapus/core-v6/src/JBProjects.sol";
+import {IJBPermissions} from "@bananapus/core-v6/src/interfaces/IJBPermissions.sol";
+import {IJBProjects} from "@bananapus/core-v6/src/interfaces/IJBProjects.sol";
+import {IERC721} from "@openzeppelin/contracts/token/ERC721/IERC721.sol";
+/// @title L65_BurnLockProtection
+/// @notice Regression test for L-65: Verifies that if a project NFT is burned/invalidated,
+///         owner() returns address(0) and _checkOwner() reverts gracefully instead of
+///         permanently locking the contract with an unrecoverable revert.
+contract L65_BurnLockProtection is Test {
+    IJBProjects PROJECTS;
+    IJBPermissions PERMISSIONS;
+    address alice = makeAddr("alice");
+    address bob = makeAddr("bob");
+    function setUp() public {
+        PERMISSIONS = new JBPermissions(address(0));
+        PROJECTS = new JBProjects(address(123), address(0), address(0));
+    }
+    /// @notice When a project NFT is burned (simulated via mockCallRevert), owner() should
+    ///         return address(0) instead of reverting — contract degrades to "renounced" state.
+    function test_burnedProjectNFT_ownerReturnsZero() public {
+        uint256 projectId = PROJECTS.createFor(alice);
+        MockOwnable ownable = new MockOwnable(PROJECTS, PERMISSIONS, address(0), uint88(projectId));
+        // Verify normal operation first.
+        assertEq(ownable.owner(), alice, "Owner should be alice before burn");
+        // Simulate project NFT burn by making ownerOf revert for this projectId.
+        vm.mockCallRevert(
+            address(PROJECTS), abi.encodeWithSelector(IERC721.ownerOf.selector, projectId), "ERC721: invalid token ID"
+        );
+        // After burn, owner() should return address(0) — NOT revert.
+        address resolvedOwner = ownable.owner();
+        assertEq(resolvedOwner, address(0), "owner() should return address(0) when project NFT is burned");
+    }
+    /// @notice When a project NFT is burned, _checkOwner() should revert with the standard
+    ///         Unauthorized error (not an unrecoverable ownerOf revert), making the contract
+    ///         behave as if ownership was renounced.
+    function test_burnedProjectNFT_checkOwnerRevertsGracefully() public {
+        uint256 projectId = PROJECTS.createFor(alice);
+        MockOwnable ownable = new MockOwnable(PROJECTS, PERMISSIONS, address(0), uint88(projectId));
+        // Alice can call the protected method before burn.
+        vm.prank(alice);
+        ownable.protectedMethod();
+        // Simulate project NFT burn.
+        vm.mockCallRevert(
+            address(PROJECTS), abi.encodeWithSelector(IERC721.ownerOf.selector, projectId), "ERC721: invalid token ID"
+        );
+        // After burn, nobody can call protected methods — but the revert is graceful
+        // (Unauthorized from _requirePermissionFrom, not a raw ownerOf revert).
+        vm.prank(alice);
+        vm.expectRevert();
+        ownable.protectedMethod();
+        vm.prank(bob);
+        vm.expectRevert();
+        ownable.protectedMethod();
+    }
+    /// @notice Address-based ownership is unaffected by the try-catch change.
+    function test_addressBasedOwnership_unaffectedByTryCatch() public {
+        MockOwnable ownable = new MockOwnable(PROJECTS, PERMISSIONS, alice, 0);
+        assertEq(ownable.owner(), alice, "Owner should be alice");
+        vm.prank(alice);
+        ownable.protectedMethod();
+        // Transfer to bob.
+        vm.prank(alice);
+        ownable.transferOwnership(bob);
+        assertEq(ownable.owner(), bob, "Owner should be bob after transfer");
+        vm.prank(bob);
+        ownable.protectedMethod();
+    }
+    /// @notice Normal project-based ownership still works correctly after the fix.
+    function test_normalProjectOwnership_stillWorks() public {
+        uint256 projectId = PROJECTS.createFor(alice);
+        MockOwnable ownable = new MockOwnable(PROJECTS, PERMISSIONS, address(0), uint88(projectId));
+        assertEq(ownable.owner(), alice);
+        // Transfer project NFT.
+        vm.prank(alice);
+        PROJECTS.transferFrom(alice, bob, projectId);
+        assertEq(ownable.owner(), bob, "Owner should follow project NFT transfer");
+        vm.prank(bob);
+        ownable.protectedMethod();
+    }
+}

package/test/regression/L66_ZeroAddressValidation.t.sol ADDED Viewed

@@ -0,0 +1,66 @@
+// SPDX-License-Identifier: UNLICENSED
+pragma solidity ^0.8.26;
+import {Test} from "forge-std/Test.sol";
+import {MockOwnable} from "../mocks/MockOwnable.sol";
+import {JBOwnableOverrides} from "../../src/JBOwnableOverrides.sol";
+import {JBPermissions} from "@bananapus/core-v6/src/JBPermissions.sol";
+import {JBProjects} from "@bananapus/core-v6/src/JBProjects.sol";
+import {IJBPermissions} from "@bananapus/core-v6/src/interfaces/IJBPermissions.sol";
+import {IJBProjects} from "@bananapus/core-v6/src/interfaces/IJBProjects.sol";
+/// @title L66_ZeroAddressValidation
+/// @notice Regression test for L-66: Verifies that deploying with a zero-address PROJECTS
+///         contract and a non-zero projectId reverts at construction time, preventing
+///         permanently broken project-based ownership.
+contract L66_ZeroAddressValidation is Test {
+    IJBProjects PROJECTS;
+    IJBPermissions PERMISSIONS;
+    address alice = makeAddr("alice");
+    function setUp() public {
+        PERMISSIONS = new JBPermissions(address(0));
+        PROJECTS = new JBProjects(address(123), address(0), address(0));
+    }
+    /// @notice Deploying with projects=address(0) and non-zero projectId must revert.
+    function test_zeroProjectsWithProjectId_reverts() public {
+        vm.expectRevert(
+            abi.encodeWithSelector(JBOwnableOverrides.JBOwnableOverrides_ZeroAddressProjectsWithProjectOwner.selector)
+        );
+        new MockOwnable(IJBProjects(address(0)), PERMISSIONS, address(0), uint88(1));
+    }
+    /// @notice Fuzz: any non-zero projectId with projects=address(0) must revert.
+    function testFuzz_zeroProjectsWithAnyProjectId_reverts(uint88 projectId) public {
+        vm.assume(projectId != 0);
+        vm.expectRevert(
+            abi.encodeWithSelector(JBOwnableOverrides.JBOwnableOverrides_ZeroAddressProjectsWithProjectOwner.selector)
+        );
+        new MockOwnable(IJBProjects(address(0)), PERMISSIONS, address(0), projectId);
+    }
+    /// @notice Deploying with projects=address(0) and projectId=0 (address-based ownership)
+    ///         should NOT revert for this error — it's valid as long as initialOwner != address(0).
+    function test_zeroProjectsWithAddressOwnership_succeeds() public {
+        // This is valid: address-based ownership with projects=address(0).
+        MockOwnable ownable = new MockOwnable(IJBProjects(address(0)), PERMISSIONS, alice, uint88(0));
+        assertEq(ownable.owner(), alice, "Owner should be alice with address-based ownership");
+    }
+    /// @notice Normal deployment with valid PROJECTS contract and projectId succeeds.
+    function test_validProjectsWithProjectId_succeeds() public {
+        uint256 projectId = PROJECTS.createFor(alice);
+        MockOwnable ownable = new MockOwnable(PROJECTS, PERMISSIONS, address(0), uint88(projectId));
+        assertEq(ownable.owner(), alice, "Owner should be alice via project NFT");
+    }
+    /// @notice The existing check for both zero owner and zero projectId is still enforced.
+    function test_bothZero_stillReverts() public {
+        vm.expectRevert(abi.encodeWithSelector(JBOwnableOverrides.JBOwnableOverrides_InvalidNewOwner.selector));
+        new MockOwnable(PROJECTS, PERMISSIONS, address(0), uint88(0));
+    }
+}