npm - @bananapus/permission-ids-v6 - Versions diffs - 0.0.22 → 0.0.24 - Mend

@bananapus/permission-ids-v6 0.0.22 → 0.0.24

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/AUDIT_INSTRUCTIONS.md CHANGED Viewed

@@ -4,7 +4,9 @@ This repo is only permission ID constants, but those constants are security-crit
 ## Audit Objective
-Find issues that:
+There is a billion dollars of well-meaning projects' money in the Juicebox Money Engine, growing exponentially. Your job is to hack it before anyone else. Whoever hacks it first saves/steals the money, and you are obsessed with being this winner, while also being a steward of the protocol and wanting it to keep growing safely.
+Suggestions of where to look:
 - assign duplicate IDs to different permissions
 - mismatch IDs that downstream repos assume are canonical
@@ -33,7 +35,7 @@ This repo defines canonical numeric IDs that other repos treat as part of their
 | Dependency | Assumption | What breaks if wrong |
 |------------|------------|----------------------|
 | `nana-core-v6` | ERC-20 signature delegation still uses the documented ID | Signature authority checks mismatch |
-| `revnet-core-v6` | Loan and hidden-token permissions still use the documented IDs | Delegated actions widen, fail, or misroute |
+| `revnet-core-v6` | Loan permissions still use the documented IDs | Delegated actions widen, fail, or misroute |
 ## Critical Invariants
@@ -41,7 +43,7 @@ This repo defines canonical numeric IDs that other repos treat as part of their
 2. No two distinct permissions share an ID.
 3. IDs match the expectations of all dependent repos in this workspace.
 4. ID `23` (`SIGN_FOR_ERC20`) matches the value used by `nana-core-v6` for ERC-1271 signature delegation.
-5. IDs `36-40` used by `revnet-core-v6` match the values used in `REVHiddenTokens` and `REVLoans`.
+5. IDs used by `revnet-core-v6` match the values used in `REVLoans`.
 ## Attack Surfaces

package/CHANGELOG.md CHANGED Viewed

@@ -19,15 +19,13 @@ This file describes the verified change from `nana-permission-ids-v5` to the cur
 - `SIGN_FOR_ERC20` (23) — sign messages on behalf of a project's ERC-20 token via ERC-1271. Used for Etherscan contract verification and other off-chain signature validation.
-## v6 additions: revnet-core delegation (IDs 36–40)
+## v6 additions: revnet-core delegation
-- `HIDE_TOKENS` (36) — hide tokens on behalf of a holder via `REVHiddenTokens.hideTokensOf`. Checked against the token holder.
-- `OPEN_LOAN` (37) — open a loan on behalf of a token holder via `REVLoans.borrowFrom`. Checked against the token holder.
-- `REALLOCATE_LOAN` (38) — reallocate loan collateral on behalf of a loan NFT owner via `REVLoans.reallocateCollateralFromLoan`. Checked against the loan NFT owner.
-- `REPAY_LOAN` (39) — repay a loan on behalf of a loan NFT owner via `REVLoans.repayLoan`. Checked against the loan NFT owner.
-- `REVEAL_TOKENS` (40) — reveal hidden tokens on behalf of a holder via `REVHiddenTokens.revealTokensOf`. Checked against the token holder.
+- `OPEN_LOAN` — open a loan on behalf of a token holder via `REVLoans.borrowFrom`. Checked against the token holder.
+- `REALLOCATE_LOAN` — reallocate loan collateral on behalf of a loan NFT owner via `REVLoans.reallocateCollateralFromLoan`. Checked against the loan NFT owner.
+- `REPAY_LOAN` — repay a loan on behalf of a loan NFT owner via `REVLoans.repayLoan`. Checked against the loan NFT owner.
-These are consumed by `revnet-core-v6` and checked via `JBPermissioned._requirePermissionFrom` (for `REVHiddenTokens`) or inline `PERMISSIONS.hasPermission` calls (for `REVLoans`).
+These are consumed by `revnet-core-v6` and checked via inline `PERMISSIONS.hasPermission` calls (for `REVLoans`).
 ## Verified deltas

package/RISKS.md CHANGED Viewed

@@ -28,11 +28,11 @@ This file covers the coordination risks in `JBPermissionIds`. The contract surfa
 - **Fund-moving IDs.** `CASH_OUT_TOKENS` (`4`), `SEND_PAYOUTS` (`5`), `MIGRATE_TERMINAL` (`6`), `SET_TERMINALS` (`15`), `USE_ALLOWANCE` (`18`), and `SET_SPLIT_GROUPS` (`19`) can redirect or release value.
 - **Hook-routing IDs.** `SET_BUYBACK_POOL` (`28`), `SET_BUYBACK_HOOK` (`30`), and `SET_ROUTER_TERMINAL` (`31`) materially control execution routes and can lock those routes permanently.
-- **Revnet loan IDs.** `OPEN_LOAN` (`37`), `REALLOCATE_LOAN` (`38`), and `REPAY_LOAN` (`39`) are operationally powerful because they move collateral and debt state.
+- **Revnet loan IDs.** `OPEN_LOAN` (`36`), `REALLOCATE_LOAN` (`37`), and `REPAY_LOAN` (`38`) are operationally powerful because they move collateral and debt state.
 ## 3. Integration Risks
-- **Docs can lag deployed assumptions.** Off-chain tooling, UIs, and audits often rely on human-readable permission names.
+- **Docs can lag deployed assumptions.** Off-chain tooling, UIs, and reviews often rely on human-readable permission names.
 - **Cross-package imports must stay canonical.** Downstream repos should import this library instead of redefining numeric literals locally.
 - **Future IDs expand current `ROOT` power.** Any new permission automatically becomes available to existing `ROOT` operators.

package/STYLE_GUIDE.md CHANGED Viewed

@@ -451,54 +451,9 @@ jobs:
         run: forge fmt --check
 ```
-**slither.yml** (repos with `src/` contracts only):
-```yaml
-name: slither
-on:
-    pull_request:
-      branches:
-        - main
-    push:
-      branches:
-        - main
-jobs:
-  analyze:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          submodules: recursive
-      - uses: actions/setup-node@v4
-        with:
-          node-version: 25.9.0
-      - name: Install npm dependencies
-        run: npm install --omit=dev
-      - name: Install Foundry
-        uses: foundry-rs/foundry-toolchain@v1
-      - name: Run slither
-        uses: crytic/slither-action@v0.4.1
-        with:
-            slither-config: slither-ci.config.json
-            fail-on: medium
-```
-**slither-ci.config.json:**
-```json
-{
-  "detectors_to_exclude": "timestamp,uninitialized-local,naming-convention,solc-version,shadowing-local",
-  "exclude_informational": true,
-  "exclude_low": false,
-  "exclude_medium": false,
-  "exclude_high": false,
-  "disable_color": false,
-  "filter_paths": "(mocks/|test/|node_modules/|lib/)",
-  "legacy_ast": false
-}
-```
+**Static review workflow** (repos with `src/` contracts only):
-**Variations:**
-- Deployer-only repos (no `src/`, only `script/`) skip slither entirely — the action's internal `forge build` skips `test/` and `script/` by default, leaving nothing to compile.
-- Use inline `// slither-disable-next-line <detector>` to suppress known false positives rather than adding to `detectors_to_exclude` in the config. The comment must be on the line immediately before the flagged expression.
+Keep repo-local static review automation current with the package's runtime surface. At minimum, CI should run formatting, linting, and build checks with `--deny notes`. Repos that only contain deployment scripts can rely on the shared formatting and lint jobs unless they add runtime contracts.
 ### package.json

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@bananapus/permission-ids-v6",
-  "version": "0.0.22",
+  "version": "0.0.24",
   "license": "MIT",
   "repository": {
     "type": "git",

package/references/runtime.md CHANGED Viewed

@@ -13,6 +13,6 @@ Use this file when you need to confirm the canonical numeric labels, not when yo
 ## Change Checklist
-- If you edit a constant, audit every dependent repo that imports it.
+- If you edit a constant, review every dependent repo that imports it.
 - If you need to know who can exercise a permission, follow the usage into the enforcing repo rather than stopping here.
-- There are no repo-local tests here, so downstream compile and behavior audits matter more than this package in isolation.
+- There are no repo-local tests here, so downstream compile and behavior reviews matter more than this package in isolation.

package/src/JBPermissionIds.sol CHANGED Viewed

@@ -174,24 +174,15 @@ library JBPermissionIds {
     ─────────────────────────────────────────────────
     */
-    /// @notice Hide tokens on behalf of a holder, removing them from public visibility
-    /// (`REVHiddenTokens.hideTokensFor`).
-    /// @dev Hidden tokens are still owned by the holder and can be revealed later.
-    uint8 internal constant HIDE_TOKENS = 36;
     /// @notice Open a loan against project tokens as collateral on behalf of a token holder
     /// (`REVLoans.borrowFrom`).
-    uint8 internal constant OPEN_LOAN = 37;
+    uint8 internal constant OPEN_LOAN = 36;
     /// @notice Move loan collateral between projects on behalf of a loan owner
     /// (`REVLoans.reallocateCollateralFromLoan`).
-    uint8 internal constant REALLOCATE_LOAN = 38;
+    uint8 internal constant REALLOCATE_LOAN = 37;
     /// @notice Repay a loan on behalf of the loan owner, returning collateral tokens
     /// (`REVLoans.repayLoan`).
-    uint8 internal constant REPAY_LOAN = 39;
-    /// @notice Reveal previously hidden tokens on behalf of a holder, making them publicly visible again
-    /// (`REVHiddenTokens.revealTokensFor`).
-    uint8 internal constant REVEAL_TOKENS = 40;
+    uint8 internal constant REPAY_LOAN = 38;
 }

package/slither-ci.config.json DELETED Viewed

@@ -1,10 +0,0 @@
-{
-    "detectors_to_exclude": "timestamp,uninitialized-local,naming-convention,solc-version,shadowing-local",
-    "exclude_informational": true,
-    "exclude_low": false,
-    "exclude_medium": false,
-    "exclude_high": false,
-    "disable_color": false,
-    "filter_paths": "(mocks/|test/|node_modules/|lib/)",
-    "legacy_ast": false
-}