@bananapus/router-terminal-v6 0.0.15 → 0.0.17

package/ARCHITECTURE.md

@@ -53,9 +53,10 @@ Caller → JBRouterTerminal.previewPayFor(projectId, token, amount)
 ## Composition Boundary
 
 The router terminal exposes the `IJBTerminal` surface because it needs to participate in Juicebox routing, but its
-accounting context is intentionally synthetic. `accountingContextForTokenOf()` returns `decimals = 18` for any token,
-and the registry forwards that value unchanged. Treat the router layer as a payment router only, not as an
-accounting-sensitive terminal source for loan sizing, debt normalization, or any other decimals-dependent logic.
+accounting context is intentionally synthetic. `accountingContextForTokenOf()` returns `decimals = 18` for native
+tokens and probes `IERC20Metadata.decimals()` for ERC-20s (falling back to `18` if the call fails). The registry
+forwards that value unchanged. Treat the router layer as a payment router only, not as an accounting-sensitive
+terminal source for loan sizing, debt normalization, or any other decimals-dependent logic.
 
 ## Dependencies
 - `@bananapus/core-v6` — Terminal, directory, permissions

package/AUDIT_INSTRUCTIONS.md

@@ -141,18 +141,18 @@ The registry implements a two-phase terminal assignment:
 
 ## Fee-on-Transfer Token Risks
 
-**JBRouterTerminal:** Uses balance-delta accounting in `_acceptFundsFor()` (lines 550-556). Measures `balanceBefore` and `balanceAfter` the transfer, returning the actual amount received. This correctly handles fee-on-transfer tokens at the acceptance stage. However, the amount forwarded to the destination terminal is the delta, which may differ from what the destination terminal expects if it also performs balance-delta checks.
+**JBRouterTerminal:** Uses balance-delta accounting in `_acceptFundsFor()` (lines 569-575). Measures `balanceBefore` and `balanceAfter` the transfer, returning the actual amount received. This correctly handles fee-on-transfer tokens at the acceptance stage. However, the amount forwarded to the destination terminal is the delta, which may differ from what the destination terminal expects if it also performs balance-delta checks.
 
 **JBRouterTerminalRegistry:** Does NOT use balance-delta accounting in `_acceptFundsFor()` (line 437). It returns the user-supplied `amount` directly. If a fee-on-transfer token is used through the registry, the forwarded amount will exceed actual tokens received, causing a downstream revert or incorrect accounting.
 
-**Audit focus:** Verify that the registry's `_acceptFundsFor` cannot be exploited with fee-on-transfer tokens. The comment on line 433-435 states these are "not supported by design" -- confirm this is documented clearly enough and that no path silently loses funds.
+**Audit focus:** Verify that the registry's `_acceptFundsFor` cannot be exploited with fee-on-transfer tokens. The comment on lines 433-434 states these are "not supported by design" -- confirm this is documented clearly enough and that no path silently loses funds.
 
 ## uint160 Permit2 Truncation Risk
 
 Both contracts cast `amount` to `uint160` when falling through to `PERMIT2.transferFrom()`:
 
-- `JBRouterTerminal._transferFrom()` line 1425: `if (amount > type(uint160).max) revert JBRouterTerminal_AmountOverflow(amount);`
-- `JBRouterTerminalRegistry._transferFrom()` line 477: `if (amount > type(uint160).max) revert JBRouterTerminalRegistry_AmountOverflow();`
+- `JBRouterTerminal._transferFrom()` line 944: `if (amount > type(uint160).max) revert JBRouterTerminal_AmountOverflow(amount);`
+- `JBRouterTerminalRegistry._transferFrom()` line 510: `if (amount > type(uint160).max) revert JBRouterTerminalRegistry_AmountOverflow();`
 
 Both contracts now revert before truncation occurs. Verify these overflow checks are complete and that no code path can reach the `uint160()` cast without hitting the guard.
 

package/README.md

@@ -146,7 +146,22 @@ nana-router-terminal-v6/
     ├── RouterTerminal.t.sol              # Unit tests (mocked dependencies)
     ├── RouterTerminalRegistry.t.sol      # Registry unit tests
     ├── RouterTerminalFork.t.sol          # Fork tests against mainnet Uniswap pools
-    └── RouterTerminalPreviewFork.t.sol   # Fork parity tests for previewPayFor
+    ├── RouterTerminalPreviewFork.t.sol   # Fork parity tests for previewPayFor
+    ├── RouterTerminalCashOutFork.t.sol   # Fork tests for cashout routing
+    ├── RouterTerminalCreditCashout.t.sol # Credit cashout unit tests
+    ├── RouterTerminalERC2771.t.sol       # ERC-2771 meta-transaction tests
+    ├── RouterTerminalFeeCashOutFork.t.sol # Fee routing through cashout (fork)
+    ├── RouterTerminalMultihopFork.t.sol  # Multi-hop routing (fork)
+    ├── RouterTerminalReentrancy.t.sol    # Reentrancy attack tests
+    ├── RouterTerminalSandwichFork.t.sol  # MEV/sandwich resistance (fork)
+    ├── fork/
+    │   └── V4QuoteAndSettlementFork.t.sol # V4 quote and settlement (fork)
+    ├── invariant/
+    │   └── RouterTerminalInvariant.t.sol  # Invariant/fuzz tests
+    └── regression/
+        ├── CashOutLoopLimit.t.sol        # Circular cashout loop cap
+        ├── LockTerminalRace.t.sol        # Lock terminal race condition
+        └── V4SpotPriceSlippage.t.sol     # Sigmoid slippage math
 ```
 
 ## Payment Metadata

package/SKILLS.md

@@ -115,7 +115,7 @@ Accept payments in any ERC-20 token (or native ETH), dynamically discover what t
 | Error | When |
 |-------|------|
 | `JBRouterTerminal_NoRouteFound(uint256 projectId, address tokenIn)` | No accepted token found for the project when iterating all terminals |
-| `JBRouterTerminal_TokenNotAccepted(uint256 projectId, address token)` | The `routeTokenOut` metadata override specifies a token the project does not accept |
+| `JBRouterTerminal_NoRouteFound(uint256 projectId, address tokenIn)` | No accepted token found for the project, or the `routeTokenOut` metadata override specifies a token the project does not accept |
 | `JBRouterTerminal_CallerNotPool(address caller)` | V3 swap callback called by an address that is not a legitimate factory pool |
 | `JBRouterTerminal_CallerNotPoolManager(address caller)` | V4 unlock callback called by an address other than the PoolManager |
 | `JBRouterTerminal_SlippageExceeded(uint256 amountOut, uint256 minAmountOut)` | Swap output is below the minimum acceptable amount |

package/USER_JOURNEYS.md

@@ -108,7 +108,7 @@ State touched: Source project's token supply (burned), terminal balances. Potent
 - **Slippage exceeded:** Reverts with `JBRouterTerminal_SlippageExceeded(amountOut, minAmountOut)`.
 - **Amount overflow:** Reverts with `JBRouterTerminal_AmountOverflow(amount)` if swap amount exceeds `type(uint128).max`, or if Permit2 transfer amount exceeds `type(uint160).max`.
 - **ETH sent with ERC-20 payment:** Reverts with `JBRouterTerminal_NoMsgValueAllowed(value)`.
-- **Router is destination terminal:** If `primaryTerminalOf` returns the router itself, it is skipped to prevent infinite recursion (line 625).
+- **Router is destination terminal:** If `primaryTerminalOf` returns the router itself, it is skipped to prevent infinite recursion (line 624).
 - **Destination terminal reverts:** The entire transaction reverts atomically. No tokens are stuck.
 - **Destination terminal accepts tokens but misbehaves:** If it does not revert but does not credit the project, tokens are lost. No recovery mechanism.
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bananapus/router-terminal-v6",
-  "version": "0.0.15",
+  "version": "0.0.17",
   "license": "MIT",
   "repository": {
     "type": "git",