@croptop/core-v6 0.0.27 → 0.0.29

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@croptop/core-v6",
-    "version": "0.0.27",
+  "version": "0.0.29",
     "license": "MIT",
     "repository": {
         "type": "git",
@@ -16,13 +16,12 @@
         "artifacts": "source ./.env && npx sphinx artifacts --org-id 'ea165b21-7cdc-4d7b-be59-ecdd4c26bee4' --project-name 'croptop-core-v5'"
     },
     "dependencies": {
-        "@bananapus/721-hook-v6": "^0.0.28",
-        "@bananapus/address-registry-v6": "^0.0.16",
-        "@bananapus/buyback-hook-v6": "^0.0.24",
-        "@bananapus/core-v6": "^0.0.30",
+        "@bananapus/721-hook-v6": "^0.0.30",
+        "@bananapus/buyback-hook-v6": "^0.0.25",
+        "@bananapus/core-v6": "^0.0.31",
         "@bananapus/ownable-v6": "^0.0.16",
         "@bananapus/permission-ids-v6": "^0.0.15",
-        "@bananapus/router-terminal-v6": "^0.0.24",
+        "@bananapus/router-terminal-v6": "^0.0.25",
         "@bananapus/suckers-v6": "^0.0.20",
         "@openzeppelin/contracts": "^5.6.1"
     },

package/references/operations.md

@@ -0,0 +1,25 @@
+# Croptop Operations
+
+## Deployment Surface
+
+- [`src/CTDeployer.sol`](../src/CTDeployer.sol) is the first stop for project launch shape, hook forwarding, and optional sucker integration.
+- [`script/Deploy.s.sol`](../script/Deploy.s.sol) and [`script/ConfigureFeeProject.s.sol`](../script/ConfigureFeeProject.s.sol) cover the current deployment and fee-project wiring.
+- [`src/structs/`](../src/structs/) contains config types that often drift from memory.
+
+## Change Checklist
+
+- If you edit posting criteria, verify both direct publisher calls and deployer-created project flows.
+- If you edit fee behavior, check both the designated fee project path and any exemption behavior.
+- If you edit burn-lock ownership assumptions, confirm the intended irreversibility still holds.
+- If you edit data-hook forwarding, re-check sucker-related fee-free cash-out behavior.
+
+## Common Failure Modes
+
+- Publishing bug is blamed on the publisher when the deployer packaged the project or hook incorrectly.
+- Immutable-owner expectations are missed after ownership moves into [`src/CTProjectOwner.sol`](../src/CTProjectOwner.sol).
+- Content reuse or duplicate-post behavior changes and silently alters user-facing publishing semantics.
+
+## Useful Proof Points
+
+- [`test/fork/`](../test/fork/) when deployment shape matters.
+- [`script/helpers/`](../script/helpers/) if the issue is really script/config assembly.

package/references/runtime.md

@@ -0,0 +1,27 @@
+# Croptop Runtime
+
+## Contract Roles
+
+- [`src/CTPublisher.sol`](../src/CTPublisher.sol) validates posts, configures or reuses tiers, mints first copies, and routes Croptop fees.
+- [`src/CTDeployer.sol`](../src/CTDeployer.sol) packages project deployment, hook forwarding, and optional sucker support.
+- [`src/CTProjectOwner.sol`](../src/CTProjectOwner.sol) is the burn-lock ownership helper for immutable administration patterns.
+
+## Runtime Path
+
+1. A project is deployed or configured with Croptop posting rules.
+2. Publishers call into [`src/CTPublisher.sol`](../src/CTPublisher.sol) with content, supply, and pricing data.
+3. The publisher validates category-level rules, creates or reuses tiers, mints the first copy, and routes fees and proceeds.
+4. If the project uses the deployer wrapper, data-hook calls forward through [`src/CTDeployer.sol`](../src/CTDeployer.sol).
+
+## High-Risk Areas
+
+- Posting criteria: category rules are the policy surface that protects the project from bad content or bad economics.
+- Fee routing: fee-project assumptions and fee exemptions are operationally important.
+- Tier reuse and duplicate content: content identity is part of runtime behavior, not just metadata.
+- Burn-lock ownership: once ownership moves into the lock helper, reversibility expectations change drastically.
+
+## Tests To Trust First
+
+- [`test/regression/`](../test/regression/) for pinned content and tier edge cases.
+- [`test/fork/`](../test/fork/) for live integration assumptions.
+- [`test/`](../test/) broadly when the issue could be in publisher or deployer behavior rather than one isolated function.

package/script/Deploy.s.sol

@@ -64,29 +64,10 @@ contract DeployScript is Script, Sphinx {
     }
 
     function deploy() public sphinx {
-        // If the fee project id is 0, then we want to deploy a new fee project — but only if the publisher
-        // singleton doesn't already exist. Re-running with FEE_PROJECT_ID=0 would create a second fee project
-        // with different CREATE2 addresses, stranding the previous suite.
-        if (FEE_PROJECT_ID == 0) {
-            // Check if the publisher already exists by scanning existing project IDs.
-            uint256 _existingCount = core.projects.count();
-            bool _found;
-            for (uint256 _candidateId = 1; _candidateId <= _existingCount; _candidateId++) {
-                (, bool _exists) = _isDeployed({
-                    salt: PUBLISHER_SALT,
-                    creationCode: type(CTPublisher).creationCode,
-                    arguments: abi.encode(core.directory, core.permissions, _candidateId, TRUSTED_FORWARDER)
-                });
-                if (_exists) {
-                    FEE_PROJECT_ID = _candidateId;
-                    _found = true;
-                    break;
-                }
-            }
-            if (!_found) {
-                FEE_PROJECT_ID = core.projects.createFor(safeAddress());
-            }
-        }
+        // Canonical Croptop deployments must bind fees to an explicit fee project. Autodiscovering the first
+        // matching publisher by scanning project IDs is unsafe because a preexisting publisher can pin fees to
+        // the wrong project forever.
+        require(FEE_PROJECT_ID != 0, "explicit fee project id required");
 
         CTPublisher publisher;
         {

package/src/CTDeployer.sol

@@ -248,6 +248,9 @@ contract CTDeployer is ERC2771Context, JBPermissioned, IJBRulesetDataHook, IERC7
     }
 
     /// @notice Deploy a simple project meant to receive posts from Croptop templates.
+    /// @dev The initial project owner is intentionally granted direct hook-management permissions from
+    /// `CTDeployer`. This means the owner/operator can bypass the Croptop publisher path and interact
+    /// with the hook directly if they choose to. That is an explicit product tradeoff.
     /// @param owner The address that'll own the project.
     /// @param projectConfig The configuration for the project.
     /// @param suckerDeploymentConfiguration The configuration for the suckers to deploy.
@@ -342,7 +345,8 @@ contract CTDeployer is ERC2771Context, JBPermissioned, IJBRulesetDataHook, IERC7
         // These permissions are granted from CTDeployer (address(this)) to the initial owner.
         // The hook checks permissions against hook.owner(), which after claimCollectionOwnershipOf() resolves
         // dynamically via PROJECTS.ownerOf(projectId). Before claiming, CTDeployer is the static hook owner,
-        // so these permissions allow the project owner to manage tiers through CTDeployer.
+        // so these permissions allow the project owner to manage tiers through CTDeployer. As a tradeoff,
+        // the owner can also bypass the Croptop publisher surface until ownership is claimed away.
         uint8[] memory permissionIds = new uint8[](4);
         permissionIds[0] = JBPermissionIds.ADJUST_721_TIERS;
         permissionIds[1] = JBPermissionIds.SET_721_METADATA;

package/src/CTPublisher.sol

@@ -5,6 +5,7 @@ import {IJB721TiersHook} from "@bananapus/721-hook-v6/src/interfaces/IJB721Tiers
 import {IJB721TiersHookStore} from "@bananapus/721-hook-v6/src/interfaces/IJB721TiersHookStore.sol";
 import {JB721Tier} from "@bananapus/721-hook-v6/src/structs/JB721Tier.sol";
 import {JB721TierConfig} from "@bananapus/721-hook-v6/src/structs/JB721TierConfig.sol";
+import {JB721TierConfigFlags} from "@bananapus/721-hook-v6/src/structs/JB721TierConfigFlags.sol";
 import {JBPermissioned} from "@bananapus/core-v6/src/abstract/JBPermissioned.sol";
 import {IJBDirectory} from "@bananapus/core-v6/src/interfaces/IJBDirectory.sol";
 import {IJBPermissions} from "@bananapus/core-v6/src/interfaces/IJBPermissions.sol";
@@ -33,6 +34,7 @@ contract CTPublisher is JBPermissioned, ERC2771Context, ICTPublisher {
     error CTPublisher_MaxTotalSupplyLessThanMin(uint256 min, uint256 max);
     error CTPublisher_NotInAllowList(address addr, address[] allowedAddresses);
     error CTPublisher_PriceTooSmall(uint256 price, uint256 minimumPrice);
+    error CTPublisher_FeePaymentFailed(uint256 feeAmount);
     error CTPublisher_SplitPercentExceedsMaximum(uint256 splitPercent, uint256 maximumSplitPercent);
     error CTPublisher_TotalSupplyTooBig(uint256 totalSupply, uint256 maximumTotalSupply);
     error CTPublisher_TotalSupplyTooSmall(uint256 totalSupply, uint256 minimumTotalSupply);
@@ -416,7 +418,8 @@ contract CTPublisher is JBPermissioned, ERC2771Context, ICTPublisher {
             IJBTerminal feeTerminal =
                 DIRECTORY.primaryTerminalOf({projectId: FEE_PROJECT_ID, token: JBConstants.NATIVE_TOKEN});
 
-            // Make the fee payment. Wrapped in try-catch so a reverting fee terminal doesn't block mints.
+            // Make the fee payment. If the fee sink is unavailable, refund the fee to the caller
+            // rather than trapping or silently redirecting protocol funds.
             // slither-disable-next-line unused-return
             try feeTerminal.pay{value: payValue}({
                 projectId: FEE_PROJECT_ID,
@@ -428,13 +431,9 @@ contract CTPublisher is JBPermissioned, ERC2771Context, ICTPublisher {
                 metadata: feeMetadata
             }) {}
             catch {
-                // If the fee payment fails, send the fee to the beneficiary instead.
-                (bool success,) = feeBeneficiary.call{value: payValue}("");
-                if (!success) {
-                    // If that also fails, send to the msg.sender.
-                    // slither-disable-next-line low-level-calls
-                    (success,) = msg.sender.call{value: payValue}("");
-                }
+                // slither-disable-next-line low-level-calls
+                (bool success,) = _msgSender().call{value: payValue}("");
+                if (!success) revert CTPublisher_FeePaymentFailed(payValue);
             }
         }
     }
@@ -569,13 +568,15 @@ contract CTPublisher is JBPermissioned, ERC2771Context, ICTPublisher {
                     encodedIPFSUri: post.encodedIPFSUri,
                     category: post.category,
                     discountPercent: 0,
-                    allowOwnerMint: false,
-                    useReserveBeneficiaryAsDefault: false,
-                    transfersPausable: false,
-                    useVotingUnits: true,
-                    cantBeRemoved: false,
-                    cantIncreaseDiscountPercent: false,
-                    cantBuyWithCredits: false,
+                    flags: JB721TierConfigFlags({
+                        allowOwnerMint: false,
+                        useReserveBeneficiaryAsDefault: false,
+                        transfersPausable: false,
+                        useVotingUnits: true,
+                        cantBeRemoved: false,
+                        cantIncreaseDiscountPercent: false,
+                        cantBuyWithCredits: false
+                    }),
                     splitPercent: post.splitPercent,
                     splits: post.splits
                 });

package/test/CTPublisher.t.sol

@@ -15,6 +15,7 @@ import {JBConstants} from "@bananapus/core-v6/src/libraries/JBConstants.sol";
 import {JBSplit} from "@bananapus/core-v6/src/structs/JBSplit.sol";
 
 import {JB721TierConfig} from "@bananapus/721-hook-v6/src/structs/JB721TierConfig.sol";
+import {JB721TierConfigFlags} from "@bananapus/721-hook-v6/src/structs/JB721TierConfigFlags.sol";
 
 import {CTPublisher} from "../src/CTPublisher.sol";
 import {CTAllowedPost} from "../src/structs/CTAllowedPost.sol";
@@ -809,13 +810,15 @@ contract TestCTPublisher is Test {
             encodedIPFSUri: keccak256("split-beneficiary-test"),
             category: 5,
             discountPercent: 0,
-            allowOwnerMint: false,
-            useReserveBeneficiaryAsDefault: false,
-            transfersPausable: false,
-            useVotingUnits: true,
-            cantBeRemoved: false,
-            cantIncreaseDiscountPercent: false,
-            cantBuyWithCredits: false,
+            flags: JB721TierConfigFlags({
+                allowOwnerMint: false,
+                useReserveBeneficiaryAsDefault: false,
+                transfersPausable: false,
+                useVotingUnits: true,
+                cantBeRemoved: false,
+                cantIncreaseDiscountPercent: false,
+                cantBuyWithCredits: false
+            }),
             splitPercent: 250_000_000,
             splits: splits
         });

package/test/audit/DeployerPermissionBypass.t.sol

@@ -0,0 +1,213 @@
+// SPDX-License-Identifier: MIT
+pragma solidity 0.8.28;
+
+// forge-lint: disable-next-line(unaliased-plain-import)
+import "forge-std/Test.sol";
+
+import {IJB721TiersHookDeployer} from "@bananapus/721-hook-v6/src/interfaces/IJB721TiersHookDeployer.sol";
+import {JBDeploy721TiersHookConfig} from "@bananapus/721-hook-v6/src/structs/JBDeploy721TiersHookConfig.sol";
+import {IJB721TiersHook} from "@bananapus/721-hook-v6/src/interfaces/IJB721TiersHook.sol";
+import {JB721TierConfig} from "@bananapus/721-hook-v6/src/structs/JB721TierConfig.sol";
+import {JBPermissioned} from "@bananapus/core-v6/src/abstract/JBPermissioned.sol";
+import {IJBController} from "@bananapus/core-v6/src/interfaces/IJBController.sol";
+import {IJBDirectory} from "@bananapus/core-v6/src/interfaces/IJBDirectory.sol";
+import {IJBPermissions} from "@bananapus/core-v6/src/interfaces/IJBPermissions.sol";
+import {IJBProjects} from "@bananapus/core-v6/src/interfaces/IJBProjects.sol";
+import {JBPermissions} from "@bananapus/core-v6/src/JBPermissions.sol";
+import {JBRulesetConfig} from "@bananapus/core-v6/src/structs/JBRulesetConfig.sol";
+import {JBTerminalConfig} from "@bananapus/core-v6/src/structs/JBTerminalConfig.sol";
+import {JBPermissionIds} from "@bananapus/permission-ids-v6/src/JBPermissionIds.sol";
+import {IJBSuckerRegistry} from "@bananapus/suckers-v6/src/interfaces/IJBSuckerRegistry.sol";
+import {JBSuckerDeployerConfig} from "@bananapus/suckers-v6/src/structs/JBSuckerDeployerConfig.sol";
+
+import {CTDeployer} from "../../src/CTDeployer.sol";
+import {CTPublisher} from "../../src/CTPublisher.sol";
+import {ICTPublisher} from "../../src/interfaces/ICTPublisher.sol";
+import {CTDeployerAllowedPost} from "../../src/structs/CTDeployerAllowedPost.sol";
+import {CTProjectConfig} from "../../src/structs/CTProjectConfig.sol";
+import {CTSuckerDeploymentConfig} from "../../src/structs/CTSuckerDeploymentConfig.sol";
+
+contract MockProjects {
+    uint256 public countValue;
+    address public ownerOfProject;
+
+    function setCount(uint256 count_) external {
+        countValue = count_;
+    }
+
+    function setOwner(address owner_) external {
+        ownerOfProject = owner_;
+    }
+
+    function count() external view returns (uint256) {
+        return countValue;
+    }
+
+    function ownerOf(uint256) external view returns (address) {
+        return ownerOfProject;
+    }
+
+    function transferFrom(address, address to, uint256) external {
+        ownerOfProject = to;
+    }
+}
+
+contract MockController {
+    MockProjects public immutable PROJECTS;
+    // forge-lint: disable-next-line(screaming-snake-case-immutable)
+    uint256 public immutable nextProjectId;
+
+    constructor(MockProjects projects_, uint256 nextProjectId_) {
+        PROJECTS = projects_;
+        nextProjectId = nextProjectId_;
+    }
+
+    function launchProjectFor(
+        address,
+        string calldata,
+        JBRulesetConfig[] calldata,
+        JBTerminalConfig[] calldata,
+        string calldata
+    )
+        external
+        view
+        returns (uint256)
+    {
+        return nextProjectId;
+    }
+}
+
+contract MockSuckerRegistry {
+    function isSuckerOf(uint256, address) external pure returns (bool) {
+        return false;
+    }
+
+    function deploySuckersFor(
+        uint256,
+        bytes32,
+        JBSuckerDeployerConfig[] calldata
+    )
+        external
+        pure
+        returns (address[] memory suckers)
+    {
+        return suckers;
+    }
+}
+
+contract PermissionedHook is JBPermissioned {
+    // forge-lint: disable-next-line(screaming-snake-case-immutable)
+    address public immutable ownerAccount;
+    // forge-lint: disable-next-line(screaming-snake-case-immutable)
+    uint256 public immutable projectId;
+    bool public adjusted;
+
+    constructor(IJBPermissions permissions, address ownerAccount_, uint256 projectId_) JBPermissioned(permissions) {
+        ownerAccount = ownerAccount_;
+        projectId = projectId_;
+    }
+
+    // forge-lint: disable-next-line(mixed-case-function)
+    function PROJECT_ID() external view returns (uint256) {
+        return projectId;
+    }
+
+    function owner() external view returns (address) {
+        return ownerAccount;
+    }
+
+    function adjustTiers(JB721TierConfig[] calldata, uint256[] calldata) external {
+        _requirePermissionFrom(ownerAccount, projectId, JBPermissionIds.ADJUST_721_TIERS);
+        adjusted = true;
+    }
+}
+
+contract MockHookDeployer {
+    IJB721TiersHook public hook;
+
+    function setHook(IJB721TiersHook hook_) external {
+        hook = hook_;
+    }
+
+    function deployHookFor(
+        uint256,
+        JBDeploy721TiersHookConfig calldata,
+        bytes32
+    )
+        external
+        view
+        returns (IJB721TiersHook)
+    {
+        return hook;
+    }
+}
+
+contract DeployerPermissionBypassTest is Test {
+    JBPermissions permissions;
+    MockProjects projects;
+    MockHookDeployer hookDeployer;
+    MockSuckerRegistry suckerRegistry;
+    MockController controller;
+    CTPublisher publisher;
+    CTDeployer deployer;
+    PermissionedHook hook;
+
+    address owner = makeAddr("owner");
+
+    function setUp() public {
+        permissions = new JBPermissions(address(0));
+        projects = new MockProjects();
+        projects.setCount(5);
+        hookDeployer = new MockHookDeployer();
+        suckerRegistry = new MockSuckerRegistry();
+        publisher = new CTPublisher(IJBDirectory(makeAddr("directory")), permissions, 1, address(0));
+        deployer = new CTDeployer(
+            permissions,
+            IJBProjects(address(projects)),
+            IJB721TiersHookDeployer(address(hookDeployer)),
+            ICTPublisher(address(publisher)),
+            IJBSuckerRegistry(address(suckerRegistry)),
+            address(0)
+        );
+        hook = new PermissionedHook(permissions, address(deployer), 6);
+        hookDeployer.setHook(IJB721TiersHook(address(hook)));
+        controller = new MockController(projects, 6);
+    }
+
+    function test_projectOwnerCanBypassCroptopAndCallHookDirectlyAfterDeployment() public {
+        CTDeployerAllowedPost[] memory allowedPosts = new CTDeployerAllowedPost[](1);
+        allowedPosts[0] = CTDeployerAllowedPost({
+            category: 1,
+            minimumPrice: 1 ether,
+            minimumTotalSupply: 10,
+            maximumTotalSupply: 10,
+            maximumSplitPercent: 0,
+            allowedAddresses: new address[](0)
+        });
+
+        CTProjectConfig memory config = CTProjectConfig({
+            terminalConfigurations: new JBTerminalConfig[](0),
+            projectUri: "ipfs://project",
+            allowedPosts: allowedPosts,
+            contractUri: "ipfs://contract",
+            name: "Croptop",
+            symbol: "CT",
+            salt: bytes32(0)
+        });
+
+        CTSuckerDeploymentConfig memory suckerConfig =
+            CTSuckerDeploymentConfig({deployerConfigurations: new JBSuckerDeployerConfig[](0), salt: bytes32(0)});
+
+        deployer.deployProjectFor(owner, config, suckerConfig, IJBController(address(controller)));
+
+        assertEq(projects.ownerOf(6), owner, "deployment should hand the project NFT to the owner");
+
+        JB721TierConfig[] memory arbitraryTiers = new JB721TierConfig[](0);
+        uint256[] memory removals = new uint256[](0);
+
+        vm.prank(owner);
+        PermissionedHook(address(hook)).adjustTiers(arbitraryTiers, removals);
+
+        assertTrue(hook.adjusted(), "project owner can mutate the hook without going through Croptop");
+    }
+}