@croptop/core-v6 0.0.31 → 0.0.33

package/README.md

@@ -90,4 +90,6 @@ script/
 - fee routing depends on the designated fee project remaining correctly configured; if its terminal rejects payments,
   Croptop refunds the fee to `_msgSender()` instead of trapping ETH in `CTPublisher`
 - burn-lock ownership is intentionally irreversible and should only be used when immutability is desired
+- after burn-locking into `CTProjectOwner`, the previous owner no longer holds the project NFT directly; control is
+  intentionally mediated through Croptop's owner helper and hook-admin surface instead of remaining a plain owner EOA
 - duplicate-content and stale-tier edge cases are guarded by tests, but integrations should still treat metadata reuse carefully

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@croptop/core-v6",
-    "version": "0.0.31",
+    "version": "0.0.33",
     "license": "MIT",
     "repository": {
         "type": "git",
@@ -16,18 +16,18 @@
         "artifacts": "source ./.env && npx sphinx artifacts --org-id 'ea165b21-7cdc-4d7b-be59-ecdd4c26bee4' --project-name 'croptop-core-v5'"
     },
     "dependencies": {
-        "@bananapus/721-hook-v6": "^0.0.32",
-        "@bananapus/buyback-hook-v6": "^0.0.26",
-        "@bananapus/core-v6": "^0.0.32",
+        "@bananapus/721-hook-v6": "^0.0.33",
+        "@bananapus/buyback-hook-v6": "^0.0.27",
+        "@bananapus/core-v6": "^0.0.34",
         "@bananapus/ownable-v6": "^0.0.17",
-        "@bananapus/permission-ids-v6": "^0.0.15",
+        "@bananapus/permission-ids-v6": "^0.0.17",
         "@bananapus/router-terminal-v6": "^0.0.26",
-        "@bananapus/suckers-v6": "^0.0.22",
+        "@bananapus/suckers-v6": "^0.0.25",
         "@openzeppelin/contracts": "^5.6.1"
     },
     "devDependencies": {
         "@bananapus/address-registry-v6": "^0.0.17",
-        "@rev-net/core-v6": "^0.0.28",
+        "@rev-net/core-v6": "^0.0.31",
         "@sphinx-labs/plugins": "^0.33.3"
     }
-}
+}

package/src/CTDeployer.sol

@@ -1,9 +1,6 @@
 // SPDX-License-Identifier: MIT
 pragma solidity 0.8.28;
 
-import {ERC2771Context} from "@openzeppelin/contracts/metatx/ERC2771Context.sol";
-import {IERC721Receiver} from "@openzeppelin/contracts/token/ERC721/IERC721Receiver.sol";
-import {Context} from "@openzeppelin/contracts/utils/Context.sol";
 import {IJB721TiersHook} from "@bananapus/721-hook-v6/src/interfaces/IJB721TiersHook.sol";
 import {IJB721TiersHookDeployer} from "@bananapus/721-hook-v6/src/interfaces/IJB721TiersHookDeployer.sol";
 import {IJB721TokenUriResolver} from "@bananapus/721-hook-v6/src/interfaces/IJB721TokenUriResolver.sol";
@@ -28,6 +25,9 @@ import {JBRulesetConfig} from "@bananapus/core-v6/src/structs/JBRulesetConfig.so
 import {JBOwnable} from "@bananapus/ownable-v6/src/JBOwnable.sol";
 import {JBPermissionIds} from "@bananapus/permission-ids-v6/src/JBPermissionIds.sol";
 import {IJBSuckerRegistry} from "@bananapus/suckers-v6/src/interfaces/IJBSuckerRegistry.sol";
+import {ERC2771Context} from "@openzeppelin/contracts/metatx/ERC2771Context.sol";
+import {IERC721Receiver} from "@openzeppelin/contracts/token/ERC721/IERC721Receiver.sol";
+import {Context} from "@openzeppelin/contracts/utils/Context.sol";
 
 import {ICTDeployer} from "./interfaces/ICTDeployer.sol";
 import {ICTPublisher} from "./interfaces/ICTPublisher.sol";
@@ -117,109 +117,6 @@ contract CTDeployer is ERC2771Context, JBPermissioned, IJBRulesetDataHook, IERC7
         PERMISSIONS.setPermissionsFor({account: address(this), permissionsData: permissionData});
     }
 
-    //*********************************************************************//
-    // ------------------------- external views -------------------------- //
-    //*********************************************************************//
-
-    /// @notice Allow cash outs from suckers without a tax.
-    /// @dev This function is part of `IJBRulesetDataHook`, and gets called before the revnet processes a cash out.
-    /// @param context Standard Juicebox cash out context. See `JBBeforeCashOutRecordedContext`.
-    /// @return cashOutTaxRate The cash out tax rate, which influences the amount of terminal tokens which get cashed
-    /// out.
-    /// @return cashOutCount The number of project tokens that are cashed out.
-    /// @return totalSupply The total project token supply.
-    /// @return hookSpecifications The amount of funds and the data to send to cash out hooks (this contract).
-    function beforeCashOutRecordedWith(JBBeforeCashOutRecordedContext calldata context)
-        external
-        view
-        override
-        returns (
-            uint256 cashOutTaxRate,
-            uint256 cashOutCount,
-            uint256 totalSupply,
-            JBCashOutHookSpecification[] memory hookSpecifications
-        )
-    {
-        // If the cash out is from a sucker, return the full cash out amount without taxes or fees.
-        if (SUCKER_REGISTRY.isSuckerOf({projectId: context.projectId, addr: context.holder})) {
-            return (0, context.cashOutCount, context.totalSupply, hookSpecifications);
-        }
-
-        // If the ruleset has a data hook, forward the call to the datahook.
-        IJBRulesetDataHook hook = dataHookOf[context.projectId];
-        if (address(hook) == address(0)) {
-            return (context.cashOutTaxRate, context.cashOutCount, context.totalSupply, hookSpecifications);
-        }
-        // slither-disable-next-line unused-return
-        return hook.beforeCashOutRecordedWith(context);
-    }
-
-    /// @notice Forward the call to the original data hook.
-    /// @dev This function is part of `IJBRulesetDataHook`, and gets called before the revnet processes a payment.
-    /// @param context Standard Juicebox payment context. See `JBBeforePayRecordedContext`.
-    /// @return weight The weight which project tokens are minted relative to. This can be used to customize how many
-    /// tokens get minted by a payment.
-    /// @return hookSpecifications Amounts (out of what's being paid in) to be sent to pay hooks instead of being paid
-    /// into the project. Useful for automatically routing funds from a treasury as payments come in.
-    function beforePayRecordedWith(JBBeforePayRecordedContext calldata context)
-        external
-        view
-        override
-        returns (uint256 weight, JBPayHookSpecification[] memory hookSpecifications)
-    {
-        // Forward the call to the data hook.
-        IJBRulesetDataHook hook = dataHookOf[context.projectId];
-        if (address(hook) == address(0)) {
-            return (context.weight, hookSpecifications);
-        }
-        // slither-disable-next-line unused-return
-        return hook.beforePayRecordedWith(context);
-    }
-
-    /// @notice A flag indicating whether an address has permission to mint a project's tokens on-demand.
-    /// @dev A project's data hook can allow any address to mint its tokens.
-    /// @param projectId The ID of the project whose token can be minted.
-    /// @param addr The address to check the token minting permission of.
-    /// @return flag A flag indicating whether the address has permission to mint the project's tokens on-demand.
-    function hasMintPermissionFor(uint256 projectId, JBRuleset memory, address addr) external view returns (bool flag) {
-        // If the address is a sucker for this project.
-        return SUCKER_REGISTRY.isSuckerOf({projectId: projectId, addr: addr});
-    }
-
-    /// @dev Make sure only mints can be received.
-    function onERC721Received(
-        address operator,
-        address from,
-        uint256 tokenId,
-        bytes calldata data
-    )
-        external
-        view
-        returns (bytes4)
-    {
-        data;
-        tokenId;
-        operator;
-
-        // Make sure the 721 received is the JBProjects contract.
-        if (msg.sender != address(PROJECTS)) revert();
-        // Make sure the 721 is being received as a mint.
-        if (from != address(0)) revert();
-        return IERC721Receiver.onERC721Received.selector;
-    }
-
-    //*********************************************************************//
-    // -------------------------- public views --------------------------- //
-    //*********************************************************************//
-
-    /// @notice Indicates if this contract adheres to the specified interface.
-    /// @dev See `IERC165.supportsInterface`.
-    /// @return A flag indicating if the provided interface ID is supported.
-    function supportsInterface(bytes4 interfaceId) public view virtual override returns (bool) {
-        return interfaceId == type(ICTDeployer).interfaceId || interfaceId == type(IJBRulesetDataHook).interfaceId
-            || interfaceId == type(IERC721Receiver).interfaceId;
-    }
-
     //*********************************************************************//
     // ---------------------- external transactions ---------------------- //
     //*********************************************************************//
@@ -389,6 +286,118 @@ contract CTDeployer is ERC2771Context, JBPermissioned, IJBRulesetDataHook, IERC7
         });
     }
 
+    //*********************************************************************//
+    // ------------------------- external views -------------------------- //
+    //*********************************************************************//
+
+    /// @notice Allow cash outs from suckers without a tax.
+    /// @dev This function is part of `IJBRulesetDataHook`, and gets called before the revnet processes a cash out.
+    /// @param context Standard Juicebox cash out context. See `JBBeforeCashOutRecordedContext`.
+    /// @return cashOutTaxRate The cash out tax rate, which influences the amount of terminal tokens which get cashed
+    /// out.
+    /// @return cashOutCount The number of project tokens that are cashed out.
+    /// @return totalSupply The total project token supply.
+    /// @return surplusValue The surplus value to use for the bonding curve calculation.
+    /// @return hookSpecifications The amount of funds and the data to send to cash out hooks (this contract).
+    function beforeCashOutRecordedWith(JBBeforeCashOutRecordedContext calldata context)
+        external
+        view
+        override
+        returns (
+            uint256 cashOutTaxRate,
+            uint256 cashOutCount,
+            uint256 totalSupply,
+            uint256 surplusValue,
+            JBCashOutHookSpecification[] memory hookSpecifications
+        )
+    {
+        // If the cash out is from a sucker, return the full cash out amount without taxes or fees.
+        if (SUCKER_REGISTRY.isSuckerOf({projectId: context.projectId, addr: context.holder})) {
+            return (0, context.cashOutCount, context.totalSupply, context.surplus.value, hookSpecifications);
+        }
+
+        // If the ruleset has a data hook, forward the call to the datahook.
+        IJBRulesetDataHook hook = dataHookOf[context.projectId];
+        if (address(hook) == address(0)) {
+            return (
+                context.cashOutTaxRate,
+                context.cashOutCount,
+                context.totalSupply,
+                context.surplus.value,
+                hookSpecifications
+            );
+        }
+        // slither-disable-next-line unused-return
+        return hook.beforeCashOutRecordedWith(context);
+    }
+
+    /// @notice Forward the call to the original data hook.
+    /// @dev This function is part of `IJBRulesetDataHook`, and gets called before the revnet processes a payment.
+    /// @param context Standard Juicebox payment context. See `JBBeforePayRecordedContext`.
+    /// @return weight The weight which project tokens are minted relative to. This can be used to customize how many
+    /// tokens get minted by a payment.
+    /// @return hookSpecifications Amounts (out of what's being paid in) to be sent to pay hooks instead of being paid
+    /// into the project. Useful for automatically routing funds from a treasury as payments come in.
+    function beforePayRecordedWith(JBBeforePayRecordedContext calldata context)
+        external
+        view
+        override
+        returns (uint256 weight, JBPayHookSpecification[] memory hookSpecifications)
+    {
+        // Forward the call to the data hook.
+        IJBRulesetDataHook hook = dataHookOf[context.projectId];
+        if (address(hook) == address(0)) {
+            return (context.weight, hookSpecifications);
+        }
+
+        // slither-disable-next-line unused-return
+        return hook.beforePayRecordedWith(context);
+    }
+
+    /// @notice A flag indicating whether an address has permission to mint a project's tokens on-demand.
+    /// @dev A project's data hook can allow any address to mint its tokens.
+    /// @param projectId The ID of the project whose token can be minted.
+    /// @param addr The address to check the token minting permission of.
+    /// @return flag A flag indicating whether the address has permission to mint the project's tokens on-demand.
+    function hasMintPermissionFor(uint256 projectId, JBRuleset memory, address addr) external view returns (bool flag) {
+        // If the address is a sucker for this project.
+        return SUCKER_REGISTRY.isSuckerOf({projectId: projectId, addr: addr});
+    }
+
+    /// @dev Make sure only mints can be received.
+    function onERC721Received(
+        address operator,
+        address from,
+        uint256 tokenId,
+        bytes calldata data
+    )
+        external
+        view
+        returns (bytes4)
+    {
+        data;
+        tokenId;
+        operator;
+
+        // Make sure the 721 received is the JBProjects contract.
+        if (msg.sender != address(PROJECTS)) revert();
+        // Make sure the 721 is being received as a mint.
+        if (from != address(0)) revert();
+        return IERC721Receiver.onERC721Received.selector;
+    }
+
+    //*********************************************************************//
+    // -------------------------- public views --------------------------- //
+    //*********************************************************************//
+
+    /// @notice Indicates if this contract adheres to the specified interface.
+    /// @dev See `IERC165.supportsInterface`.
+    /// @return A flag indicating if the provided interface ID is supported.
+    function supportsInterface(bytes4 interfaceId) public view virtual override returns (bool) {
+        return interfaceId == type(ICTDeployer).interfaceId || interfaceId == type(IJBRulesetDataHook).interfaceId
+            || interfaceId == type(IERC721Receiver).interfaceId;
+    }
+
     //*********************************************************************//
     // --------------------- internal transactions ----------------------- //
     //*********************************************************************//
@@ -432,7 +441,7 @@ contract CTDeployer is ERC2771Context, JBPermissioned, IJBRulesetDataHook, IERC7
     }
 
     //*********************************************************************//
-    // ------------------------ internal functions ----------------------- //
+    // -------------------------- internal views ------------------------- //
     //*********************************************************************//
 
     /// @dev ERC-2771 specifies the context as being a single address (20 bytes).

package/src/CTPublisher.sol

@@ -105,141 +105,6 @@ contract CTPublisher is JBPermissioned, ERC2771Context, ICTPublisher {
         FEE_PROJECT_ID = feeProjectId;
     }
 
-    //*********************************************************************//
-    // ------------------------- external views -------------------------- //
-    //*********************************************************************//
-
-    /// @notice Get the tiers for the provided encoded IPFS URIs.
-    /// @dev The returned tier IDs may be stale if the corresponding tiers were removed externally via adjustTiers.
-    /// In that case, the store's tierOf call will return a tier with default/empty values. Callers should check
-    /// the returned tier's initialSupply or other fields to confirm the tier still exists.
-    /// @param hook The hook from which to get tiers.
-    /// @param encodedIPFSUris The URIs to get tiers of.
-    /// @return tiers The tiers that correspond to the provided encoded IPFS URIs. If there's no tier yet, an empty tier
-    /// is returned.
-    function tiersFor(
-        address hook,
-        // forge-lint: disable-next-line(mixed-case-variable)
-        bytes32[] memory encodedIPFSUris
-    )
-        external
-        view
-        override
-        returns (JB721Tier[] memory tiers)
-    {
-        // forge-lint: disable-next-line(mixed-case-variable)
-        uint256 numberOfEncodedIPFSUris = encodedIPFSUris.length;
-
-        // Initialize the tier array being returned.
-        tiers = new JB721Tier[](numberOfEncodedIPFSUris);
-
-        // Get the tier for each provided encoded IPFS URI.
-        for (uint256 i; i < numberOfEncodedIPFSUris;) {
-            // Check if there's a tier ID stored for the encoded IPFS URI.
-            uint256 tierId = tierIdForEncodedIPFSUriOf[hook][encodedIPFSUris[i]];
-
-            // If there's a tier ID stored, resolve it.
-            if (tierId != 0) {
-                // slither-disable-next-line calls-loop
-                tiers[i] = IJB721TiersHook(hook).STORE().tierOf({hook: hook, id: tierId, includeResolvedUri: false});
-            }
-
-            unchecked {
-                ++i;
-            }
-        }
-    }
-
-    //*********************************************************************//
-    // -------------------------- public views --------------------------- //
-    //*********************************************************************//
-
-    /// @notice Post allowances for a particular category on a particular hook.
-    /// @param hook The hook contract for which this allowance applies.
-    /// @param category The category for which this allowance applies.
-    /// @return minimumPrice The minimum price that a poster must pay to record a new NFT.
-    /// @return minimumTotalSupply The minimum total number of available tokens that a minter must set to record a new
-    /// NFT.
-    /// @return maximumTotalSupply The max total supply of NFTs that can be made available when minting. Must be >=
-    /// minimumTotalSupply.
-    /// @return maximumSplitPercent The maximum split percent that a poster can set. 0 means splits are not allowed.
-    /// @return allowedAddresses The addresses allowed to post. Returns empty if all addresses are allowed.
-    function allowanceFor(
-        address hook,
-        uint256 category
-    )
-        public
-        view
-        override
-        returns (
-            uint256 minimumPrice,
-            uint256 minimumTotalSupply,
-            uint256 maximumTotalSupply,
-            uint256 maximumSplitPercent,
-            address[] memory allowedAddresses
-        )
-    {
-        // Get a reference to the packed values.
-        uint256 packed = _packedAllowanceFor[hook][category];
-
-        // minimum price in bits 0-103 (104 bits).
-        // forge-lint: disable-next-line(unsafe-typecast)
-        minimumPrice = uint256(uint104(packed));
-        // minimum supply in bits 104-135 (32 bits).
-        // forge-lint: disable-next-line(unsafe-typecast)
-        minimumTotalSupply = uint256(uint32(packed >> 104));
-        // maximum supply in bits 136-167 (32 bits).
-        // forge-lint: disable-next-line(unsafe-typecast)
-        maximumTotalSupply = uint256(uint32(packed >> 136));
-        // maximum split percent in bits 168-199 (32 bits).
-        // forge-lint: disable-next-line(unsafe-typecast)
-        maximumSplitPercent = uint256(uint32(packed >> 168));
-
-        allowedAddresses = _allowedAddresses[hook][category];
-    }
-
-    //*********************************************************************//
-    // -------------------------- internal views ------------------------- //
-    //*********************************************************************//
-
-    /// @dev ERC-2771 specifies the context as being a single address (20 bytes).
-    function _contextSuffixLength() internal view virtual override(ERC2771Context, Context) returns (uint256) {
-        return super._contextSuffixLength();
-    }
-
-    /// @notice Check if an address is included in an allow list.
-    /// @dev Uses an O(n) linear scan over the `addresses` array. This is acceptable for typical allow list sizes
-    /// (fewer than ~100 addresses), where gas cost is negligible. For very large allow lists, a Merkle proof
-    /// pattern would scale better, but the added complexity is not warranted for the expected use case.
-    /// @param addrs The candidate address.
-    /// @param addresses An array of allowed addresses.
-    function _isAllowed(address addrs, address[] memory addresses) internal pure returns (bool) {
-        // Keep a reference to the number of address to check against.
-        uint256 numberOfAddresses = addresses.length;
-
-        // Check if the address is included
-        for (uint256 i; i < numberOfAddresses;) {
-            if (addrs == addresses[i]) return true;
-            unchecked {
-                ++i;
-            }
-        }
-
-        return false;
-    }
-
-    /// @notice Returns the calldata, prefered to use over `msg.data`
-    /// @return calldata the `msg.data` of this call
-    function _msgData() internal view override(ERC2771Context, Context) returns (bytes calldata) {
-        return ERC2771Context._msgData();
-    }
-
-    /// @notice Returns the sender, prefered to use over `msg.sender`
-    /// @return sender the sender address of this call.
-    function _msgSender() internal view override(ERC2771Context, Context) returns (address sender) {
-        return ERC2771Context._msgSender();
-    }
-
     //*********************************************************************//
     // ---------------------- external transactions ---------------------- //
     //*********************************************************************//
@@ -446,7 +311,100 @@ contract CTPublisher is JBPermissioned, ERC2771Context, ICTPublisher {
     }
 
     //*********************************************************************//
-    // ------------------------ internal functions ----------------------- //
+    // ------------------------- external views -------------------------- //
+    //*********************************************************************//
+
+    /// @notice Get the tiers for the provided encoded IPFS URIs.
+    /// @dev The returned tier IDs may be stale if the corresponding tiers were removed externally via adjustTiers.
+    /// In that case, the store's tierOf call will return a tier with default/empty values. Callers should check
+    /// the returned tier's initialSupply or other fields to confirm the tier still exists.
+    /// @param hook The hook from which to get tiers.
+    /// @param encodedIPFSUris The URIs to get tiers of.
+    /// @return tiers The tiers that correspond to the provided encoded IPFS URIs. If there's no tier yet, an empty tier
+    /// is returned.
+    function tiersFor(
+        address hook,
+        // forge-lint: disable-next-line(mixed-case-variable)
+        bytes32[] memory encodedIPFSUris
+    )
+        external
+        view
+        override
+        returns (JB721Tier[] memory tiers)
+    {
+        // forge-lint: disable-next-line(mixed-case-variable)
+        uint256 numberOfEncodedIPFSUris = encodedIPFSUris.length;
+
+        // Initialize the tier array being returned.
+        tiers = new JB721Tier[](numberOfEncodedIPFSUris);
+
+        // Get the tier for each provided encoded IPFS URI.
+        for (uint256 i; i < numberOfEncodedIPFSUris;) {
+            // Check if there's a tier ID stored for the encoded IPFS URI.
+            uint256 tierId = tierIdForEncodedIPFSUriOf[hook][encodedIPFSUris[i]];
+
+            // If there's a tier ID stored, resolve it.
+            if (tierId != 0) {
+                // slither-disable-next-line calls-loop
+                tiers[i] = IJB721TiersHook(hook).STORE().tierOf({hook: hook, id: tierId, includeResolvedUri: false});
+            }
+
+            unchecked {
+                ++i;
+            }
+        }
+    }
+
+    //*********************************************************************//
+    // -------------------------- public views --------------------------- //
+    //*********************************************************************//
+
+    /// @notice Post allowances for a particular category on a particular hook.
+    /// @param hook The hook contract for which this allowance applies.
+    /// @param category The category for which this allowance applies.
+    /// @return minimumPrice The minimum price that a poster must pay to record a new NFT.
+    /// @return minimumTotalSupply The minimum total number of available tokens that a minter must set to record a new
+    /// NFT.
+    /// @return maximumTotalSupply The max total supply of NFTs that can be made available when minting. Must be >=
+    /// minimumTotalSupply.
+    /// @return maximumSplitPercent The maximum split percent that a poster can set. 0 means splits are not allowed.
+    /// @return allowedAddresses The addresses allowed to post. Returns empty if all addresses are allowed.
+    function allowanceFor(
+        address hook,
+        uint256 category
+    )
+        public
+        view
+        override
+        returns (
+            uint256 minimumPrice,
+            uint256 minimumTotalSupply,
+            uint256 maximumTotalSupply,
+            uint256 maximumSplitPercent,
+            address[] memory allowedAddresses
+        )
+    {
+        // Get a reference to the packed values.
+        uint256 packed = _packedAllowanceFor[hook][category];
+
+        // minimum price in bits 0-103 (104 bits).
+        // forge-lint: disable-next-line(unsafe-typecast)
+        minimumPrice = uint256(uint104(packed));
+        // minimum supply in bits 104-135 (32 bits).
+        // forge-lint: disable-next-line(unsafe-typecast)
+        minimumTotalSupply = uint256(uint32(packed >> 104));
+        // maximum supply in bits 136-167 (32 bits).
+        // forge-lint: disable-next-line(unsafe-typecast)
+        maximumTotalSupply = uint256(uint32(packed >> 136));
+        // maximum split percent in bits 168-199 (32 bits).
+        // forge-lint: disable-next-line(unsafe-typecast)
+        maximumSplitPercent = uint256(uint32(packed >> 168));
+
+        allowedAddresses = _allowedAddresses[hook][category];
+    }
+
+    //*********************************************************************//
+    // ------------------------ internal helpers ------------------------- //
     //*********************************************************************//
 
     /// @notice Setup the posts.
@@ -613,4 +571,46 @@ contract CTPublisher is JBPermissioned, ERC2771Context, ICTPublisher {
             }
         }
     }
+
+    /// @notice Check if an address is included in an allow list.
+    /// @dev Uses an O(n) linear scan over the `addresses` array. This is acceptable for typical allow list sizes
+    /// (fewer than ~100 addresses), where gas cost is negligible. For very large allow lists, a Merkle proof
+    /// pattern would scale better, but the added complexity is not warranted for the expected use case.
+    /// @param addrs The candidate address.
+    /// @param addresses An array of allowed addresses.
+    function _isAllowed(address addrs, address[] memory addresses) internal pure returns (bool) {
+        // Keep a reference to the number of address to check against.
+        uint256 numberOfAddresses = addresses.length;
+
+        // Check if the address is included
+        for (uint256 i; i < numberOfAddresses;) {
+            if (addrs == addresses[i]) return true;
+            unchecked {
+                ++i;
+            }
+        }
+
+        return false;
+    }
+
+    //*********************************************************************//
+    // -------------------------- internal views ------------------------- //
+    //*********************************************************************//
+
+    /// @dev ERC-2771 specifies the context as being a single address (20 bytes).
+    function _contextSuffixLength() internal view virtual override(ERC2771Context, Context) returns (uint256) {
+        return super._contextSuffixLength();
+    }
+
+    /// @notice Returns the calldata, prefered to use over `msg.data`
+    /// @return calldata the `msg.data` of this call
+    function _msgData() internal view override(ERC2771Context, Context) returns (bytes calldata) {
+        return ERC2771Context._msgData();
+    }
+
+    /// @notice Returns the sender, prefered to use over `msg.sender`
+    /// @return sender the sender address of this call.
+    function _msgSender() internal view override(ERC2771Context, Context) returns (address sender) {
+        return ERC2771Context._msgSender();
+    }
 }

package/test/CTDeployer.t.sol

@@ -56,10 +56,11 @@ contract MockDataHook is IJBRulesetDataHook {
             uint256 cashOutTaxRate,
             uint256 cashOutCount,
             uint256 totalSupply,
+            uint256 surplusValue,
             JBCashOutHookSpecification[] memory hookSpecifications
         )
     {
-        return (TAX_RATE, context.cashOutCount, context.totalSupply, hookSpecifications);
+        return (TAX_RATE, context.cashOutCount, context.totalSupply, context.surplus.value, hookSpecifications);
     }
 
     function beforePayRecordedWith(JBBeforePayRecordedContext calldata)
@@ -434,7 +435,7 @@ contract TestCTDeployer is Test {
         JBBeforeCashOutRecordedContext memory context =
             _buildCashOutContext(deployedProjectId, unauthorized, 100e18, 1000e18);
 
-        (uint256 taxRate, uint256 cashOutCount, uint256 totalSupply,) = deployer.beforeCashOutRecordedWith(context);
+        (uint256 taxRate, uint256 cashOutCount, uint256 totalSupply,,) = deployer.beforeCashOutRecordedWith(context);
 
         assertEq(taxRate, 5000, "tax rate should come from data hook");
         assertEq(cashOutCount, 100e18, "cashOutCount should be forwarded");
@@ -455,7 +456,7 @@ contract TestCTDeployer is Test {
         JBBeforeCashOutRecordedContext memory context =
             _buildCashOutContext(deployedProjectId, suckerAddr, 100e18, 1000e18);
 
-        (uint256 taxRate, uint256 cashOutCount, uint256 totalSupply,) = deployer.beforeCashOutRecordedWith(context);
+        (uint256 taxRate, uint256 cashOutCount, uint256 totalSupply,,) = deployer.beforeCashOutRecordedWith(context);
 
         assertEq(taxRate, 0, "sucker should get 0% tax rate");
         assertEq(cashOutCount, 100e18, "cashOutCount should pass through");
@@ -466,7 +467,7 @@ contract TestCTDeployer is Test {
     function test_beforeCashOutRecordedWith_returnsDefaultsWhenNoDataHook() public {
         JBBeforeCashOutRecordedContext memory context = _buildCashOutContext(999, unauthorized, 100e18, 1000e18);
 
-        (uint256 taxRate, uint256 cashOutCount, uint256 totalSupply, JBCashOutHookSpecification[] memory specs) =
+        (uint256 taxRate, uint256 cashOutCount, uint256 totalSupply,, JBCashOutHookSpecification[] memory specs) =
             deployer.beforeCashOutRecordedWith(context);
 
         assertEq(taxRate, context.cashOutTaxRate, "cashOutTaxRate should be returned as-is from context");

package/test/Fork.t.sol

@@ -21,6 +21,7 @@ import {JBConstants} from "@bananapus/core-v6/src/libraries/JBConstants.sol";
 import {JB721TiersHookStore} from "@bananapus/721-hook-v6/src/JB721TiersHookStore.sol";
 import {JB721TiersHook} from "@bananapus/721-hook-v6/src/JB721TiersHook.sol";
 import {JB721TiersHookDeployer} from "@bananapus/721-hook-v6/src/JB721TiersHookDeployer.sol";
+import {JB721CheckpointsDeployer} from "@bananapus/721-hook-v6/src/JB721CheckpointsDeployer.sol";
 import {JBAddressRegistry} from "@bananapus/address-registry-v6/src/JBAddressRegistry.sol";
 
 // Suckers — deploy fresh within fork.
@@ -166,7 +167,7 @@ contract ForkTest is Test {
         jbPermissions = new JBPermissions(trustedForwarder);
         jbProjects = new JBProjects(multisig, address(0), trustedForwarder);
         jbDirectory = new JBDirectory(jbPermissions, jbProjects, multisig);
-        JBERC20 jbErc20 = new JBERC20();
+        JBERC20 jbErc20 = new JBERC20(jbPermissions, jbProjects);
         jbTokens = new JBTokens(jbDirectory, jbErc20);
         jbRulesets = new JBRulesets(jbDirectory);
         jbPrices = new JBPrices(jbDirectory, jbPermissions, jbProjects, multisig, trustedForwarder);
@@ -193,9 +194,11 @@ contract ForkTest is Test {
     function _deploy721Hook() internal {
         JB721TiersHookStore store = new JB721TiersHookStore();
         JBAddressRegistry addressRegistry = new JBAddressRegistry();
+        JB721CheckpointsDeployer checkpointsDeployer = new JB721CheckpointsDeployer();
 
-        JB721TiersHook hookImpl =
-            new JB721TiersHook(jbDirectory, jbPermissions, jbPrices, jbRulesets, store, jbSplits, trustedForwarder);
+        JB721TiersHook hookImpl = new JB721TiersHook(
+            jbDirectory, jbPermissions, jbPrices, jbRulesets, store, jbSplits, checkpointsDeployer, trustedForwarder
+        );
 
         hookDeployer = new JB721TiersHookDeployer(hookImpl, store, addressRegistry, trustedForwarder);
     }

package/test/TestAuditGaps.sol

@@ -37,7 +37,7 @@ contract RevertingDataHook is IJBRulesetDataHook {
         external
         pure
         override
-        returns (uint256, uint256, uint256, JBCashOutHookSpecification[] memory)
+        returns (uint256, uint256, uint256, uint256, JBCashOutHookSpecification[] memory)
     {
         revert("DATA_HOOK_REVERTED");
     }
@@ -81,10 +81,11 @@ contract SuccessDataHook is IJBRulesetDataHook {
             uint256 cashOutTaxRate,
             uint256 cashOutCount,
             uint256 totalSupply,
+            uint256 surplusValue,
             JBCashOutHookSpecification[] memory hookSpecifications
         )
     {
-        return (TAX_RATE, context.cashOutCount, context.totalSupply, hookSpecifications);
+        return (TAX_RATE, context.cashOutCount, context.totalSupply, context.surplus.value, hookSpecifications);
     }
 
     function beforePayRecordedWith(JBBeforePayRecordedContext calldata context)
@@ -243,7 +244,7 @@ contract TestAuditGaps is Test {
         // dataHookOf[999] is address(0) by default (never set).
         JBBeforeCashOutRecordedContext memory context = _buildCashOutContext(999, unauthorized, 100e18, 1000e18);
 
-        (uint256 taxRate, uint256 cashOutCount, uint256 totalSupply, JBCashOutHookSpecification[] memory specs) =
+        (uint256 taxRate, uint256 cashOutCount, uint256 totalSupply,, JBCashOutHookSpecification[] memory specs) =
             deployer.beforeCashOutRecordedWith(context);
 
         assertEq(taxRate, context.cashOutTaxRate, "cashOutTaxRate should be returned as-is from context");
@@ -269,7 +270,7 @@ contract TestAuditGaps is Test {
         JBBeforeCashOutRecordedContext memory context =
             _buildCashOutContext(hookProjectId, unauthorized, 100e18, 1000e18);
 
-        (uint256 taxRate, uint256 cashOutCount, uint256 totalSupply,) = deployer.beforeCashOutRecordedWith(context);
+        (uint256 taxRate, uint256 cashOutCount, uint256 totalSupply,,) = deployer.beforeCashOutRecordedWith(context);
 
         assertEq(taxRate, 5000, "tax rate should be forwarded from data hook");
         assertEq(cashOutCount, 100e18, "cashOutCount should be forwarded");
@@ -302,7 +303,7 @@ contract TestAuditGaps is Test {
         JBBeforeCashOutRecordedContext memory context = _buildCashOutContext(hookProjectId, realSucker, 100e18, 1000e18);
 
         // Should NOT revert because suckers bypass the data hook entirely.
-        (uint256 taxRate, uint256 cashOutCount, uint256 totalSupply,) = deployer.beforeCashOutRecordedWith(context);
+        (uint256 taxRate, uint256 cashOutCount, uint256 totalSupply,,) = deployer.beforeCashOutRecordedWith(context);
 
         assertEq(taxRate, 0, "sucker should get 0% tax rate");
         assertEq(cashOutCount, 100e18, "cashOutCount should pass through");
@@ -320,7 +321,7 @@ contract TestAuditGaps is Test {
         // fakeSucker is NOT registered as a sucker (default mock returns false).
         JBBeforeCashOutRecordedContext memory context = _buildCashOutContext(hookProjectId, fakeSucker, 100e18, 1000e18);
 
-        (uint256 taxRate,,,) = deployer.beforeCashOutRecordedWith(context);
+        (uint256 taxRate,,,,) = deployer.beforeCashOutRecordedWith(context);
 
         // Should get the data hook's tax rate (5000), not 0.
         assertEq(taxRate, 5000, "non-sucker should not bypass tax");
@@ -340,7 +341,7 @@ contract TestAuditGaps is Test {
 
         JBBeforeCashOutRecordedContext memory context = _buildCashOutContext(hookProjectId, realSucker, 100e18, 1000e18);
 
-        (uint256 taxRate,,,) = deployer.beforeCashOutRecordedWith(context);
+        (uint256 taxRate,,,,) = deployer.beforeCashOutRecordedWith(context);
 
         // Should get the data hook's tax rate, not 0.
         assertEq(taxRate, 5000, "sucker from wrong project should not bypass tax");
@@ -359,7 +360,7 @@ contract TestAuditGaps is Test {
 
         JBBeforeCashOutRecordedContext memory context = _buildCashOutContext(hookProjectId, realSucker, 100e18, 1000e18);
 
-        (uint256 taxRate,,,) = deployer.beforeCashOutRecordedWith(context);
+        (uint256 taxRate,,,,) = deployer.beforeCashOutRecordedWith(context);
 
         assertEq(taxRate, 0, "valid sucker should get 0% tax");
     }

package/test/audit/CodexNemesisPoCs.t.sol

@@ -0,0 +1,263 @@
+// SPDX-License-Identifier: MIT
+pragma solidity 0.8.28;
+
+// forge-lint: disable-next-line(unaliased-plain-import)
+import "forge-std/Test.sol";
+
+import {IJB721TiersHook} from "@bananapus/721-hook-v6/src/interfaces/IJB721TiersHook.sol";
+import {IJB721TiersHookDeployer} from "@bananapus/721-hook-v6/src/interfaces/IJB721TiersHookDeployer.sol";
+import {JBDeploy721TiersHookConfig} from "@bananapus/721-hook-v6/src/structs/JBDeploy721TiersHookConfig.sol";
+import {JB721TierConfig} from "@bananapus/721-hook-v6/src/structs/JB721TierConfig.sol";
+import {JBPermissioned} from "@bananapus/core-v6/src/abstract/JBPermissioned.sol";
+import {IJBController} from "@bananapus/core-v6/src/interfaces/IJBController.sol";
+import {IJBDirectory} from "@bananapus/core-v6/src/interfaces/IJBDirectory.sol";
+import {IJBPermissions} from "@bananapus/core-v6/src/interfaces/IJBPermissions.sol";
+import {IJBProjects} from "@bananapus/core-v6/src/interfaces/IJBProjects.sol";
+import {JBPermissions} from "@bananapus/core-v6/src/JBPermissions.sol";
+import {JBRulesetConfig} from "@bananapus/core-v6/src/structs/JBRulesetConfig.sol";
+import {JBTerminalConfig} from "@bananapus/core-v6/src/structs/JBTerminalConfig.sol";
+import {JBPermissionIds} from "@bananapus/permission-ids-v6/src/JBPermissionIds.sol";
+import {IJBSuckerRegistry} from "@bananapus/suckers-v6/src/interfaces/IJBSuckerRegistry.sol";
+import {JBSuckerRegistry} from "@bananapus/suckers-v6/src/JBSuckerRegistry.sol";
+import {JBSuckerDeployerConfig} from "@bananapus/suckers-v6/src/structs/JBSuckerDeployerConfig.sol";
+
+import {CTDeployer} from "../../src/CTDeployer.sol";
+import {CTPublisher} from "../../src/CTPublisher.sol";
+import {ICTPublisher} from "../../src/interfaces/ICTPublisher.sol";
+import {CTDeployerAllowedPost} from "../../src/structs/CTDeployerAllowedPost.sol";
+import {CTProjectConfig} from "../../src/structs/CTProjectConfig.sol";
+import {CTSuckerDeploymentConfig} from "../../src/structs/CTSuckerDeploymentConfig.sol";
+
+contract NemesisMockProjects {
+    uint256 public countValue;
+    mapping(uint256 => address) internal _ownerOf;
+
+    function setCount(uint256 count_) external {
+        countValue = count_;
+    }
+
+    function setOwner(uint256 projectId, address owner_) external {
+        _ownerOf[projectId] = owner_;
+    }
+
+    function count() external view returns (uint256) {
+        return countValue;
+    }
+
+    function ownerOf(uint256 projectId) external view returns (address) {
+        return _ownerOf[projectId];
+    }
+
+    function transferFrom(address from, address to, uint256 tokenId) external {
+        require(_ownerOf[tokenId] == from, "wrong from");
+        _ownerOf[tokenId] = to;
+    }
+}
+
+contract NemesisMockController {
+    NemesisMockProjects public immutable PROJECTS;
+    uint256 public immutable nextProjectId;
+
+    constructor(NemesisMockProjects projects_, uint256 nextProjectId_) {
+        PROJECTS = projects_;
+        nextProjectId = nextProjectId_;
+    }
+
+    function launchProjectFor(
+        address owner,
+        string calldata,
+        JBRulesetConfig[] calldata,
+        JBTerminalConfig[] calldata,
+        string calldata
+    )
+        external
+        returns (uint256)
+    {
+        PROJECTS.setOwner(nextProjectId, owner);
+        return nextProjectId;
+    }
+}
+
+contract NemesisPermissionedHook is JBPermissioned {
+    address public immutable ownerAccount;
+    uint256 public immutable projectId;
+    bool public adjusted;
+
+    constructor(IJBPermissions permissions, address ownerAccount_, uint256 projectId_) JBPermissioned(permissions) {
+        ownerAccount = ownerAccount_;
+        projectId = projectId_;
+    }
+
+    // forge-lint: disable-next-line(mixed-case-function)
+    function PROJECT_ID() external view returns (uint256) {
+        return projectId;
+    }
+
+    function owner() external view returns (address) {
+        return ownerAccount;
+    }
+
+    function adjustTiers(JB721TierConfig[] calldata, uint256[] calldata) external {
+        _requirePermissionFrom(ownerAccount, projectId, JBPermissionIds.ADJUST_721_TIERS);
+        adjusted = true;
+    }
+}
+
+contract NemesisMockHookDeployer {
+    IJB721TiersHook public hook;
+
+    function setHook(IJB721TiersHook hook_) external {
+        hook = hook_;
+    }
+
+    function deployHookFor(
+        uint256,
+        JBDeploy721TiersHookConfig calldata,
+        bytes32
+    )
+        external
+        view
+        returns (IJB721TiersHook)
+    {
+        return hook;
+    }
+}
+
+contract NemesisNoopSuckerRegistry {
+    function isSuckerOf(uint256, address) external pure returns (bool) {
+        return false;
+    }
+
+    function deploySuckersFor(
+        uint256,
+        bytes32,
+        JBSuckerDeployerConfig[] calldata
+    )
+        external
+        pure
+        returns (address[] memory suckers)
+    {
+        return suckers;
+    }
+}
+
+contract NemesisMockDirectory {
+    IJBProjects public immutable PROJECTS;
+
+    constructor(IJBProjects projects_) {
+        PROJECTS = projects_;
+    }
+}
+
+contract CodexNemesisPoCs is Test {
+    JBPermissions permissions;
+    NemesisMockProjects projects;
+    NemesisMockHookDeployer hookDeployer;
+    NemesisMockController controller;
+    CTPublisher publisher;
+    CTDeployer deployer;
+    NemesisPermissionedHook hook;
+
+    address alice = makeAddr("alice");
+    address bob = makeAddr("bob");
+
+    function setUp() public {
+        permissions = new JBPermissions(address(0));
+        projects = new NemesisMockProjects();
+        projects.setCount(5);
+
+        hookDeployer = new NemesisMockHookDeployer();
+        publisher = new CTPublisher(IJBDirectory(makeAddr("directory")), permissions, 1, address(0));
+        deployer = new CTDeployer(
+            permissions,
+            IJBProjects(address(projects)),
+            IJB721TiersHookDeployer(address(hookDeployer)),
+            ICTPublisher(address(publisher)),
+            IJBSuckerRegistry(address(new NemesisNoopSuckerRegistry())),
+            address(0)
+        );
+
+        hook = new NemesisPermissionedHook(permissions, address(deployer), 6);
+        hookDeployer.setHook(IJB721TiersHook(address(hook)));
+        controller = new NemesisMockController(projects, 6);
+    }
+
+    function test_oldProjectOwnerRetainsHookControlAfterProjectNftTransferUntilClaim() public {
+        CTProjectConfig memory config = CTProjectConfig({
+            terminalConfigurations: new JBTerminalConfig[](0),
+            projectUri: "ipfs://project",
+            allowedPosts: new CTDeployerAllowedPost[](0),
+            contractUri: "ipfs://contract",
+            name: "Croptop",
+            symbol: "CT",
+            salt: bytes32(0)
+        });
+
+        CTSuckerDeploymentConfig memory suckerConfig =
+            CTSuckerDeploymentConfig({deployerConfigurations: new JBSuckerDeployerConfig[](0), salt: bytes32(0)});
+
+        deployer.deployProjectFor(alice, config, suckerConfig, IJBController(address(controller)));
+        assertEq(projects.ownerOf(6), alice, "alice should receive the project NFT");
+
+        projects.transferFrom(alice, bob, 6);
+        assertEq(projects.ownerOf(6), bob, "bob should own the project NFT after transfer");
+
+        JB721TierConfig[] memory arbitraryTiers = new JB721TierConfig[](0);
+        uint256[] memory removals = new uint256[](0);
+
+        vm.prank(alice);
+        NemesisPermissionedHook(address(hook)).adjustTiers(arbitraryTiers, removals);
+
+        assertTrue(
+            hook.adjusted(),
+            "the previous owner should still be able to mutate hook state until the new NFT owner explicitly claims"
+        );
+    }
+
+    function test_deploySuckersHelperBreaksAfterOwnershipTransferBecauseRegistrySeesCtDeployerAsCaller() public {
+        NemesisMockDirectory directory = new NemesisMockDirectory(IJBProjects(address(projects)));
+        JBSuckerRegistry registry =
+            new JBSuckerRegistry(IJBDirectory(address(directory)), permissions, address(this), address(0));
+
+        deployer = new CTDeployer(
+            permissions,
+            IJBProjects(address(projects)),
+            IJB721TiersHookDeployer(address(hookDeployer)),
+            ICTPublisher(address(publisher)),
+            IJBSuckerRegistry(address(registry)),
+            address(0)
+        );
+
+        hook = new NemesisPermissionedHook(permissions, address(deployer), 6);
+        hookDeployer.setHook(IJB721TiersHook(address(hook)));
+
+        CTProjectConfig memory config = CTProjectConfig({
+            terminalConfigurations: new JBTerminalConfig[](0),
+            projectUri: "ipfs://project",
+            allowedPosts: new CTDeployerAllowedPost[](0),
+            contractUri: "ipfs://contract",
+            name: "Croptop",
+            symbol: "CT",
+            salt: bytes32(0)
+        });
+
+        CTSuckerDeploymentConfig memory emptySuckerConfig =
+            CTSuckerDeploymentConfig({deployerConfigurations: new JBSuckerDeployerConfig[](0), salt: bytes32(0)});
+        deployer.deployProjectFor(alice, config, emptySuckerConfig, IJBController(address(controller)));
+
+        CTSuckerDeploymentConfig memory laterSuckerConfig =
+            CTSuckerDeploymentConfig({deployerConfigurations: new JBSuckerDeployerConfig[](0), salt: bytes32("later")});
+
+        vm.prank(alice);
+        vm.expectRevert(
+            abi.encodeWithSelector(
+                JBPermissioned.JBPermissioned_Unauthorized.selector,
+                alice,
+                address(deployer),
+                6,
+                JBPermissionIds.DEPLOY_SUCKERS
+            )
+        );
+        deployer.deploySuckersFor(6, laterSuckerConfig);
+    }
+}

package/test/fork/PublishFork.t.sol

@@ -32,6 +32,7 @@ import {MockPriceFeed} from "@bananapus/core-v6/test/mock/MockPriceFeed.sol";
 import {JB721TiersHookStore} from "@bananapus/721-hook-v6/src/JB721TiersHookStore.sol";
 import {JB721TiersHook} from "@bananapus/721-hook-v6/src/JB721TiersHook.sol";
 import {JB721TiersHookDeployer} from "@bananapus/721-hook-v6/src/JB721TiersHookDeployer.sol";
+import {JB721CheckpointsDeployer} from "@bananapus/721-hook-v6/src/JB721CheckpointsDeployer.sol";
 import {IJB721TiersHook} from "@bananapus/721-hook-v6/src/interfaces/IJB721TiersHook.sol";
 import {JBAddressRegistry} from "@bananapus/address-registry-v6/src/JBAddressRegistry.sol";
 import {IERC721} from "@openzeppelin/contracts/token/ERC721/IERC721.sol";
@@ -276,7 +277,7 @@ contract PublishForkTest is Test, DeployPermit2 {
         jbPermissions = new JBPermissions(trustedForwarder);
         jbProjects = new JBProjects(multisig, address(0), trustedForwarder);
         jbDirectory = new JBDirectory(jbPermissions, jbProjects, multisig);
-        JBERC20 jbErc20 = new JBERC20();
+        JBERC20 jbErc20 = new JBERC20(jbPermissions, jbProjects);
         jbTokens = new JBTokens(jbDirectory, jbErc20);
         jbRulesets = new JBRulesets(jbDirectory);
         jbPrices = new JBPrices(jbDirectory, jbPermissions, jbProjects, multisig, trustedForwarder);
@@ -321,9 +322,11 @@ contract PublishForkTest is Test, DeployPermit2 {
     function _deploy721Hook() internal {
         JB721TiersHookStore store = new JB721TiersHookStore();
         JBAddressRegistry addressRegistry = new JBAddressRegistry();
+        JB721CheckpointsDeployer checkpointsDeployer = new JB721CheckpointsDeployer();
 
-        JB721TiersHook hookImpl =
-            new JB721TiersHook(jbDirectory, jbPermissions, jbPrices, jbRulesets, store, jbSplits, trustedForwarder);
+        JB721TiersHook hookImpl = new JB721TiersHook(
+            jbDirectory, jbPermissions, jbPrices, jbRulesets, store, jbSplits, checkpointsDeployer, trustedForwarder
+        );
 
         hookDeployer = new JB721TiersHookDeployer(hookImpl, store, addressRegistry, trustedForwarder);
     }