@croptop/core-v6 0.0.32 → 0.0.34

package/RISKS.md

@@ -22,6 +22,7 @@ This file focuses on the publishing, fee-routing, and hook-composition risks tha
 - **Trusted forwarder.** ERC-2771 `_msgSender()` is trusted in both CTPublisher and CTDeployer for permission checks, allowlist validation, and payment routing. A compromised forwarder can post as any allowed address, deploy projects as any owner, and redirect payments.
 - **CTDeployer as permanent data hook proxy.** `CTDeployer` sets itself as the data hook for projects it deploys. `dataHookOf[projectId]` is set once during `deployProjectFor` and has no setter to update it. If the underlying data hook needs to change, there is no mechanism to do so without redeploying.
 - **Sucker registry.** `CTDeployer.beforeCashOutRecordedWith` trusts `SUCKER_REGISTRY.isSuckerOf()` for 0% tax cashouts, same risk as the omnichain deployer.
+- **Sucker deployment is intended to be fail-open at launch time.** `deployProjectFor` calls `SUCKER_REGISTRY.deploySuckersFor` only when a non-zero deployment salt is configured, and the current deployment path is documented as allowing launch to continue on chains where the configured sucker deployer cascade cannot complete. Operators should not assume a successful Croptop launch implies omnichain support is live.
 - **CTProjectOwner as burn target.** Projects transferred to `CTProjectOwner` grant `ADJUST_721_TIERS` to `PUBLISHER`. The project NFT cannot be recovered -- this is intentional but irreversible.
 - **JBDirectory / Terminal resolution.** `CTPublisher.mintFrom` resolves terminals via `DIRECTORY.primaryTerminalOf()`. A compromised directory could redirect payment and fee flows.
 - **721 hook store.** `_setupPosts` calls `hook.STORE().tierOf()` and `hook.STORE().isTierRemoved()`. The store is trusted to return accurate tier data. A malicious hook returning a fake store can report manipulated prices, supply limits, and removal status, causing `_setupPosts` to miscalculate `totalPrice` or skip duplicate detection.
@@ -59,6 +60,7 @@ This file focuses on the publishing, fee-routing, and hook-composition risks tha
 
 - **CTDeployer forwards pay/cashout calls to `dataHookOf` with null check.** `beforePayRecordedWith` and `beforeCashOutRecordedWith` check for a null `dataHookOf` and return defaults (context weight, empty specs) instead of reverting. If a non-null data hook reverts, payments/cashouts for the project are still blocked.
 - **No mechanism for hook migration.** `dataHookOf` is written once in `deployProjectFor` and never updated. If the data hook becomes compromised, there is no governance path to replace it without deploying a new project.
+- **Sucker support can be absent even when deployment requested it.** Launch does not treat successful sucker setup as part of the Croptop app's core publish flow. A project can come online with the publisher, hook, and main terminal flow active while no suckers were actually deployed yet. Monitoring and deployment tooling should verify the returned sucker set explicitly instead of inferring success from project launch.
 - **Tier ID prediction.** `_setupPosts` predicts new tier IDs as `maxTierIdOf(hook) + 1 + i`. If another transaction adds tiers between `maxTierIdOf` read and `adjustTiers` execution, tier IDs shift and the wrong tiers are minted. This is a race condition in concurrent posting.
 - **CTProjectOwner accepts any project NFT.** `onERC721Received` grants `ADJUST_721_TIERS` to `PUBLISHER` for whatever tokenId is received. If a non-Croptop project is accidentally transferred to `CTProjectOwner`, the publisher gains tier adjustment permission for it.
 - **Fee payment destination.** Fees are routed to `FEE_PROJECT_ID` via its primary terminal. If the fee project changes its terminal or token acceptance incompatibly, `mintFrom` attempts to refund the fee to `_msgSender()`. If the caller cannot receive ETH, the mint reverts.

package/SKILLS.md

@@ -3,7 +3,7 @@
 ## Use This File For
 
 - Use this file when the task touches Croptop publishing, project deployment, data-hook forwarding, fee routing, or burn-locked ownership behavior.
-- Start here, then jump into the publisher, deployer, or owner contract depending on which path the user is actually asking about.
+- Start here, then decide whether the issue is posting-policy validation, tier reuse/content identity, deployer-packaged project shape, or burn-locked ownership. Those concerns interact, but they are not the same subsystem.
 
 ## Read This Next
 
@@ -13,7 +13,9 @@
 | Publishing and metadata behavior | [`src/CTPublisher.sol`](./src/CTPublisher.sol) |
 | Deployment and fee-project wiring | [`src/CTDeployer.sol`](./src/CTDeployer.sol), [`script/Deploy.s.sol`](./script/Deploy.s.sol), [`script/ConfigureFeeProject.s.sol`](./script/ConfigureFeeProject.s.sol) |
 | Ownership burn-lock behavior | [`src/CTProjectOwner.sol`](./src/CTProjectOwner.sol) |
-| Regression, attack, or fork coverage | [`test/regression/`](./test/regression/), [`test/fork/`](./test/fork/), [`test/`](./test/) |
+| Runtime and operational invariants | [`references/runtime.md`](./references/runtime.md), [`references/operations.md`](./references/operations.md) |
+| Publishing, metadata, and attack coverage | [`test/CTPublisher.t.sol`](./test/CTPublisher.t.sol), [`test/Test_MetadataGeneration.t.sol`](./test/Test_MetadataGeneration.t.sol), [`test/CroptopAttacks.t.sol`](./test/CroptopAttacks.t.sol) |
+| Deployment, ownership, and fork coverage | [`test/CTDeployer.t.sol`](./test/CTDeployer.t.sol), [`test/CTProjectOwner.t.sol`](./test/CTProjectOwner.t.sol), [`test/ClaimCollectionOwnership.t.sol`](./test/ClaimCollectionOwnership.t.sol), [`test/Fork.t.sol`](./test/Fork.t.sol), [`test/TestAuditGaps.sol`](./test/TestAuditGaps.sol) |
 
 ## Repo Map
 
@@ -37,5 +39,8 @@ Permissioned publishing layer for Juicebox 721 projects. Project owners define p
 
 - Start in [`src/CTPublisher.sol`](./src/CTPublisher.sol) for posting-rule and fee behavior, but check [`src/CTDeployer.sol`](./src/CTDeployer.sol) when the bug might come from project shape or hook forwarding.
 - Treat posting criteria, fee routing, and duplicate-content handling as treasury-sensitive and product-sensitive at the same time.
+- Category policy is part of the product surface. Changes to allowed addresses, supply bounds, or split caps alter what can be published, not just how it is paid for.
 - If the task mentions project immutability or admin recovery, inspect [`src/CTProjectOwner.sol`](./src/CTProjectOwner.sol) before changing deployer or publisher code.
+- Metadata bugs can be publishing bugs, resolver-shape bugs, or duplicate-content bugs. Check all three before assuming a string-formatting issue.
+- Duplicate-post and tier-reuse behavior are first-class runtime semantics. Do not treat them like cacheable convenience logic.
 - When a bug looks like generic 721 issuance, confirm it is not actually in `nana-721-hook-v6`.

package/USER_JOURNEYS.md

@@ -1,67 +1,118 @@
 # User Journeys
 
-## Who This Repo Serves
+## Repo Purpose
 
-- project owners turning a Juicebox 721 project into a publishing marketplace
-- publishers creating or reusing NFT tiers as posts
-- operators locking project administration into Croptop-specific ownership patterns
+This repo turns a Juicebox 721 project into a permissioned publishing system.
+It owns post validation, Croptop fee routing, and the deployment packaging that turns a project into a Croptop-managed
+publisher. It does not own the base terminal accounting or the underlying 721 tier mechanics it wraps.
+
+## Primary Actors
+
+- project owners creating a Croptop publishing surface
+- publishers minting posts into an existing Croptop project
+- auditors reviewing fee routing, posting policy, and owner-lock semantics
+
+## Key Surfaces
+
+- `CTPublisher`: validates posts, adjusts tiers, mints the first copy, and routes Croptop fees
+- `CTDeployer`: launches a Croptop-shaped project and can compose omnichain deployment
+- `CTProjectOwner`: owner helper that can burn-lock administration into Croptop
+- `mintFrom(...)`: main publishing entrypoint for new content
 
 ## Journey 1: Turn A Project Into A Croptop Publisher
 
-**Starting state:** a project already exists or is about to launch, and the owner wants category-level posting rules.
+**Actor:** project owner.
+
+**Intent:** install Croptop publishing policy on a project.
+
+**Preconditions**
+- the project already exists or will be launched through `CTDeployer`
+- the owner has chosen category rules and the expected 721 hook shape
+
+**Main Flow**
+1. Configure category-level constraints such as price floor, supply, splits, and allowlists.
+2. Install or verify the expected 721 hook setup.
+3. Route publishing through Croptop so future posts are policy-checked instead of free-form tier edits.
 
-**Success:** Croptop posting criteria are installed and future posts must satisfy them.
+**Failure Modes**
+- category rules do not match the intended publishing product
+- teams assume Croptop replaces the need to audit the underlying 721 hook
 
-**Flow**
-1. Configure category-level posting constraints such as price floor, supply bounds, split limits, and optional allowlists.
-2. Install or verify the 721 hook shape the project expects.
-3. Route the project through Croptop's publisher logic so future post creation is policy-checked instead of free-form tier editing.
+**Postconditions**
+- the project now routes publishing through Croptop policy rather than direct free-form tier creation
 
 ## Journey 2: Publish Content Into An Existing Croptop Project
 
-**Starting state:** a publisher has a post that satisfies the target project's posting rules.
+**Actor:** publisher.
 
-**Success:** the post becomes a valid 721 tier and the first mint settles correctly.
+**Intent:** publish one post into a Croptop project and mint the first copy.
 
-**Flow**
-1. The publisher calls `mintFrom(...)` or the equivalent publishing surface with the content URI and pricing data.
-2. `CTPublisher` checks the post against category rules and fee policy.
-3. It creates or reuses the underlying 721 tier, mints the first copy, and routes both project revenue and the Croptop fee. If the fee terminal is unavailable, the fee is refunded to `_msgSender()` instead.
+**Preconditions**
+- the post satisfies the target project's category policy
+- the caller can receive ETH if the fee refund fallback is needed
+- duplicate-content and stale-tier implications are understood
 
-**Failure cases that matter:** duplicate URIs, split configurations that evade fees, stale tier mappings, publisher inputs that satisfy the 721 hook but violate Croptop's stricter publishing rules, and callers that cannot receive ETH when a fee refund fallback is needed.
+**Main Flow**
+1. Call `mintFrom(...)` with the content URI and pricing data.
+2. `CTPublisher` validates the post against category and fee policy.
+3. It creates or reuses the underlying tier, mints the first copy, and routes project revenue plus the Croptop fee.
+
+**Failure Modes**
+- duplicate URIs or stale tier mappings
+- publisher inputs satisfy the base 721 hook but violate Croptop's stricter rules
+- the fee terminal rejects the fee payment and `_msgSender()` cannot receive the refund
+
+**Postconditions**
+- the post is minted or reused as a tier under Croptop policy and the fee path is accounted for
 
 ## Journey 3: Launch A New Croptop Project End To End
 
-**Starting state:** the product wants a fresh project that already has Croptop deployment choices baked in.
+**Actor:** product team or deployer.
+
+**Intent:** launch a project already wired for Croptop publishing.
 
-**Success:** one deployment flow launches the project, wires the 721 hook, and installs the initial posting rules.
+**Preconditions**
+- the team has project config, posting rules, and any omnichain requirements ready
+- the correct `FEE_PROJECT_ID` is known for deployment
 
-**Flow**
-1. Use `CTDeployer` with project config, posting rules, and any omnichain deployment config.
-2. The deployer launches the Juicebox project, configures the Croptop-specific owner model, and wires in publisher behavior.
-3. The project is ready for publishers without a manual post-launch setup phase.
+**Main Flow**
+1. Use `CTDeployer` with project config, posting rules, and optional omnichain config.
+2. The deployer launches the project, configures Croptop ownership assumptions, and wires publisher behavior.
+3. The resulting project is ready for publishers without a manual post-launch setup gap.
+
+**Failure Modes**
+- the fee project is misconfigured or omitted
+- teams treat `CTDeployer` as packaging only and miss its policy implications
+
+**Postconditions**
+- the resulting project is ready for Croptop publishers without a post-launch wiring gap
 
 ## Journey 4: Lock Administration Into Croptop's Owner Surface
 
-**Starting state:** the project should continue operating through Croptop's policy surface instead of ordinary project-owner discretion.
+**Actor:** project owner.
+
+**Intent:** keep governance inside Croptop's constrained owner surface.
 
-**Success:** the project's admin path is burn-locked or otherwise routed through `CTProjectOwner`.
+**Preconditions**
+- the owner wants irreversible product-shaping constraints, not ordinary owner flexibility
 
-**Flow**
-1. Transfer or configure ownership so Croptop's owner helper controls the relevant admin surface.
+**Main Flow**
+1. Transfer or configure ownership so `CTProjectOwner` controls the relevant admin surface.
 2. Restrict future edits to the paths Croptop intentionally exposes.
-3. Accept that this is a product-shaping choice, not a cosmetic deployment detail.
+3. Accept that this is an ownership-model decision, not cosmetic packaging.
 
-## Journey 5: Support Cross-Chain Payments Through Data Hooks
+**Failure Modes**
+- teams burn-lock before validating the publishing policy in production-like conditions
+- reviewers miss that prior owner discretion no longer exists directly
 
-**Starting state:** a sucker pays the Croptop project on behalf of a remote user via `payRemote`, and `CTDeployer.beforePayRecordedWith` needs to forward the correct beneficiary to downstream hooks.
+**Postconditions**
+- future administration is constrained to the Croptop owner surface instead of ordinary owner discretion
 
-**Success:** downstream data hooks see the real remote user so any hook-specific accounting accrues to the right person.
+## Trust Boundaries
 
-**Flow**
-1. The sucker calls `terminal.pay()` with relay-beneficiary metadata.
-2. `CTDeployer.beforePayRecordedWith()` resolves the relay beneficiary when the payer is a registered sucker.
-3. The swapped beneficiary is forwarded to the downstream data hook.
+- this repo is trusted for publishing policy and fee routing
+- the underlying 721 hook remains trusted for tier issuance and lower-level NFT accounting
+- Croptop fee behavior depends on the fee project and its terminal remaining correctly configured
 
 ## Hand-Offs
 

package/foundry.toml

@@ -16,6 +16,8 @@ fail_on_revert = false
 [rpc_endpoints]
 ethereum = "${RPC_ETHEREUM_MAINNET}"
 
+[lint]
+exclude_lints = ["pascal-case-struct", "mixed-case-variable"]
 [fmt]
 number_underscore = "thousands"
 multiline_func_header = "all"

package/package.json

@@ -1,33 +1,33 @@
 {
-    "name": "@croptop/core-v6",
-    "version": "0.0.32",
-    "license": "MIT",
-    "repository": {
-        "type": "git",
-        "url": "git+https://github.com/mejango/croptop-core-v6"
-    },
-    "scripts": {
-        "test": "forge test",
-        "coverage:integration": "forge coverage --match-path \"./src/*.sol\" --report lcov --report summary",
-        "deploy:mainnets": "source ./.env && npx sphinx propose ./script/Deploy.s.sol --networks mainnets",
-        "deploy:mainnets:project": "source ./.env && export START_TIME=$(date +%s) && npx sphinx propose ./script/ConfigureFeeProject.s.sol --networks mainnets",
-        "deploy:testnets": "source ./.env && npx sphinx propose ./script/Deploy.s.sol --networks testnets",
-        "deploy:testnets:project": "source ./.env && export START_TIME=$(date +%s) && npx sphinx propose ./script/ConfigureFeeProject.s.sol --networks testnets",
-        "artifacts": "source ./.env && npx sphinx artifacts --org-id 'ea165b21-7cdc-4d7b-be59-ecdd4c26bee4' --project-name 'croptop-core-v5'"
-    },
-    "dependencies": {
-        "@bananapus/721-hook-v6": "^0.0.33",
-        "@bananapus/buyback-hook-v6": "^0.0.27",
-        "@bananapus/core-v6": "^0.0.34",
-        "@bananapus/ownable-v6": "^0.0.17",
-        "@bananapus/permission-ids-v6": "^0.0.17",
-        "@bananapus/router-terminal-v6": "^0.0.26",
-        "@bananapus/suckers-v6": "^0.0.25",
-        "@openzeppelin/contracts": "^5.6.1"
-    },
-    "devDependencies": {
-        "@bananapus/address-registry-v6": "^0.0.17",
-        "@rev-net/core-v6": "^0.0.30",
-        "@sphinx-labs/plugins": "^0.33.3"
-    }
+  "name": "@croptop/core-v6",
+  "version": "0.0.34",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/mejango/croptop-core-v6"
+  },
+  "scripts": {
+    "test": "forge test",
+    "coverage:integration": "forge coverage --match-path \"./src/*.sol\" --report lcov --report summary",
+    "deploy:mainnets": "source ./.env && npx sphinx propose ./script/Deploy.s.sol --networks mainnets",
+    "deploy:mainnets:project": "source ./.env && export START_TIME=$(date +%s) && npx sphinx propose ./script/ConfigureFeeProject.s.sol --networks mainnets",
+    "deploy:testnets": "source ./.env && npx sphinx propose ./script/Deploy.s.sol --networks testnets",
+    "deploy:testnets:project": "source ./.env && export START_TIME=$(date +%s) && npx sphinx propose ./script/ConfigureFeeProject.s.sol --networks testnets",
+    "artifacts": "source ./.env && npx sphinx artifacts --org-id 'ea165b21-7cdc-4d7b-be59-ecdd4c26bee4' --project-name 'croptop-core-v5'"
+  },
+  "dependencies": {
+    "@bananapus/721-hook-v6": "^0.0.35",
+    "@bananapus/buyback-hook-v6": "^0.0.27",
+    "@bananapus/core-v6": "^0.0.34",
+    "@bananapus/ownable-v6": "^0.0.17",
+    "@bananapus/permission-ids-v6": "^0.0.17",
+    "@bananapus/router-terminal-v6": "^0.0.26",
+    "@bananapus/suckers-v6": "^0.0.25",
+    "@openzeppelin/contracts": "^5.6.1"
+  },
+  "devDependencies": {
+    "@bananapus/address-registry-v6": "^0.0.17",
+    "@rev-net/core-v6": "^0.0.32",
+    "@sphinx-labs/plugins": "^0.33.3"
+  }
 }

package/references/operations.md

@@ -21,5 +21,5 @@
 
 ## Useful Proof Points
 
-- [`test/fork/`](../test/fork/) when deployment shape matters.
-- [`script/helpers/`](../script/helpers/) if the issue is really script/config assembly.
+- [`test/Fork.t.sol`](../test/Fork.t.sol) when deployment shape matters.
+- [`script/ConfigureFeeProject.s.sol`](../script/ConfigureFeeProject.s.sol) if the issue is really script/config assembly.

package/references/runtime.md

@@ -22,6 +22,6 @@
 
 ## Tests To Trust First
 
-- [`test/regression/`](../test/regression/) for pinned content and tier edge cases.
-- [`test/fork/`](../test/fork/) for live integration assumptions.
-- [`test/`](../test/) broadly when the issue could be in publisher or deployer behavior rather than one isolated function.
+- [`test/CTPublisher.t.sol`](../test/CTPublisher.t.sol) and [`test/Test_MetadataGeneration.t.sol`](../test/Test_MetadataGeneration.t.sol) for content and metadata behavior.
+- [`test/CTDeployer.t.sol`](../test/CTDeployer.t.sol) and [`test/Fork.t.sol`](../test/Fork.t.sol) for live deployment assumptions.
+- [`test/CroptopAttacks.t.sol`](../test/CroptopAttacks.t.sol) and [`test/TestAuditGaps.sol`](../test/TestAuditGaps.sol) when the issue could be in publisher or deployer behavior rather than one isolated function.

package/src/CTDeployer.sol

@@ -1,9 +1,6 @@
 // SPDX-License-Identifier: MIT
 pragma solidity 0.8.28;
 
-import {ERC2771Context} from "@openzeppelin/contracts/metatx/ERC2771Context.sol";
-import {IERC721Receiver} from "@openzeppelin/contracts/token/ERC721/IERC721Receiver.sol";
-import {Context} from "@openzeppelin/contracts/utils/Context.sol";
 import {IJB721TiersHook} from "@bananapus/721-hook-v6/src/interfaces/IJB721TiersHook.sol";
 import {IJB721TiersHookDeployer} from "@bananapus/721-hook-v6/src/interfaces/IJB721TiersHookDeployer.sol";
 import {IJB721TokenUriResolver} from "@bananapus/721-hook-v6/src/interfaces/IJB721TokenUriResolver.sol";
@@ -28,7 +25,9 @@ import {JBRulesetConfig} from "@bananapus/core-v6/src/structs/JBRulesetConfig.so
 import {JBOwnable} from "@bananapus/ownable-v6/src/JBOwnable.sol";
 import {JBPermissionIds} from "@bananapus/permission-ids-v6/src/JBPermissionIds.sol";
 import {IJBSuckerRegistry} from "@bananapus/suckers-v6/src/interfaces/IJBSuckerRegistry.sol";
-import {JBRelayBeneficiary} from "@bananapus/suckers-v6/src/libraries/JBRelayBeneficiary.sol";
+import {ERC2771Context} from "@openzeppelin/contracts/metatx/ERC2771Context.sol";
+import {IERC721Receiver} from "@openzeppelin/contracts/token/ERC721/IERC721Receiver.sol";
+import {Context} from "@openzeppelin/contracts/utils/Context.sol";
 
 import {ICTDeployer} from "./interfaces/ICTDeployer.sol";
 import {ICTPublisher} from "./interfaces/ICTPublisher.sol";
@@ -118,127 +117,6 @@ contract CTDeployer is ERC2771Context, JBPermissioned, IJBRulesetDataHook, IERC7
         PERMISSIONS.setPermissionsFor({account: address(this), permissionsData: permissionData});
     }
 
-    //*********************************************************************//
-    // ------------------------- external views -------------------------- //
-    //*********************************************************************//
-
-    /// @notice Allow cash outs from suckers without a tax.
-    /// @dev This function is part of `IJBRulesetDataHook`, and gets called before the revnet processes a cash out.
-    /// @param context Standard Juicebox cash out context. See `JBBeforeCashOutRecordedContext`.
-    /// @return cashOutTaxRate The cash out tax rate, which influences the amount of terminal tokens which get cashed
-    /// out.
-    /// @return cashOutCount The number of project tokens that are cashed out.
-    /// @return totalSupply The total project token supply.
-    /// @return hookSpecifications The amount of funds and the data to send to cash out hooks (this contract).
-    function beforeCashOutRecordedWith(JBBeforeCashOutRecordedContext calldata context)
-        external
-        view
-        override
-        returns (
-            uint256 cashOutTaxRate,
-            uint256 cashOutCount,
-            uint256 totalSupply,
-            JBCashOutHookSpecification[] memory hookSpecifications
-        )
-    {
-        // If the cash out is from a sucker, return the full cash out amount without taxes or fees.
-        if (SUCKER_REGISTRY.isSuckerOf({projectId: context.projectId, addr: context.holder})) {
-            return (0, context.cashOutCount, context.totalSupply, hookSpecifications);
-        }
-
-        // If the ruleset has a data hook, forward the call to the datahook.
-        IJBRulesetDataHook hook = dataHookOf[context.projectId];
-        if (address(hook) == address(0)) {
-            return (context.cashOutTaxRate, context.cashOutCount, context.totalSupply, hookSpecifications);
-        }
-        // slither-disable-next-line unused-return
-        return hook.beforeCashOutRecordedWith(context);
-    }
-
-    /// @notice Forward the call to the original data hook.
-    /// @dev This function is part of `IJBRulesetDataHook`, and gets called before the revnet processes a payment.
-    /// @param context Standard Juicebox payment context. See `JBBeforePayRecordedContext`.
-    /// @return weight The weight which project tokens are minted relative to. This can be used to customize how many
-    /// tokens get minted by a payment.
-    /// @return hookSpecifications Amounts (out of what's being paid in) to be sent to pay hooks instead of being paid
-    /// into the project. Useful for automatically routing funds from a treasury as payments come in.
-    function beforePayRecordedWith(JBBeforePayRecordedContext calldata context)
-        external
-        view
-        override
-        returns (uint256 weight, JBPayHookSpecification[] memory hookSpecifications)
-    {
-        // Forward the call to the data hook.
-        IJBRulesetDataHook hook = dataHookOf[context.projectId];
-        if (address(hook) == address(0)) {
-            return (context.weight, hookSpecifications);
-        }
-
-        // Resolve the relay beneficiary — if the payer is a sucker with relay metadata,
-        // swap the beneficiary so downstream hooks see the real user.
-        address effectiveBeneficiary = JBRelayBeneficiary.resolve({
-            payer: context.payer,
-            beneficiary: context.beneficiary,
-            projectId: context.projectId,
-            metadata: context.metadata,
-            registry: SUCKER_REGISTRY
-        });
-
-        // If the beneficiary was swapped, create a memory copy with the new beneficiary.
-        if (effectiveBeneficiary != context.beneficiary) {
-            JBBeforePayRecordedContext memory hookContext = context;
-            hookContext.beneficiary = effectiveBeneficiary;
-            return hook.beforePayRecordedWith(hookContext);
-        }
-
-        // slither-disable-next-line unused-return
-        return hook.beforePayRecordedWith(context);
-    }
-
-    /// @notice A flag indicating whether an address has permission to mint a project's tokens on-demand.
-    /// @dev A project's data hook can allow any address to mint its tokens.
-    /// @param projectId The ID of the project whose token can be minted.
-    /// @param addr The address to check the token minting permission of.
-    /// @return flag A flag indicating whether the address has permission to mint the project's tokens on-demand.
-    function hasMintPermissionFor(uint256 projectId, JBRuleset memory, address addr) external view returns (bool flag) {
-        // If the address is a sucker for this project.
-        return SUCKER_REGISTRY.isSuckerOf({projectId: projectId, addr: addr});
-    }
-
-    /// @dev Make sure only mints can be received.
-    function onERC721Received(
-        address operator,
-        address from,
-        uint256 tokenId,
-        bytes calldata data
-    )
-        external
-        view
-        returns (bytes4)
-    {
-        data;
-        tokenId;
-        operator;
-
-        // Make sure the 721 received is the JBProjects contract.
-        if (msg.sender != address(PROJECTS)) revert();
-        // Make sure the 721 is being received as a mint.
-        if (from != address(0)) revert();
-        return IERC721Receiver.onERC721Received.selector;
-    }
-
-    //*********************************************************************//
-    // -------------------------- public views --------------------------- //
-    //*********************************************************************//
-
-    /// @notice Indicates if this contract adheres to the specified interface.
-    /// @dev See `IERC165.supportsInterface`.
-    /// @return A flag indicating if the provided interface ID is supported.
-    function supportsInterface(bytes4 interfaceId) public view virtual override returns (bool) {
-        return interfaceId == type(ICTDeployer).interfaceId || interfaceId == type(IJBRulesetDataHook).interfaceId
-            || interfaceId == type(IERC721Receiver).interfaceId;
-    }
-
     //*********************************************************************//
     // ---------------------- external transactions ---------------------- //
     //*********************************************************************//
@@ -408,6 +286,118 @@ contract CTDeployer is ERC2771Context, JBPermissioned, IJBRulesetDataHook, IERC7
         });
     }
 
+    //*********************************************************************//
+    // ------------------------- external views -------------------------- //
+    //*********************************************************************//
+
+    /// @notice Allow cash outs from suckers without a tax.
+    /// @dev This function is part of `IJBRulesetDataHook`, and gets called before the revnet processes a cash out.
+    /// @param context Standard Juicebox cash out context. See `JBBeforeCashOutRecordedContext`.
+    /// @return cashOutTaxRate The cash out tax rate, which influences the amount of terminal tokens which get cashed
+    /// out.
+    /// @return cashOutCount The number of project tokens that are cashed out.
+    /// @return totalSupply The total project token supply.
+    /// @return surplusValue The surplus value to use for the bonding curve calculation.
+    /// @return hookSpecifications The amount of funds and the data to send to cash out hooks (this contract).
+    function beforeCashOutRecordedWith(JBBeforeCashOutRecordedContext calldata context)
+        external
+        view
+        override
+        returns (
+            uint256 cashOutTaxRate,
+            uint256 cashOutCount,
+            uint256 totalSupply,
+            uint256 surplusValue,
+            JBCashOutHookSpecification[] memory hookSpecifications
+        )
+    {
+        // If the cash out is from a sucker, return the full cash out amount without taxes or fees.
+        if (SUCKER_REGISTRY.isSuckerOf({projectId: context.projectId, addr: context.holder})) {
+            return (0, context.cashOutCount, context.totalSupply, context.surplus.value, hookSpecifications);
+        }
+
+        // If the ruleset has a data hook, forward the call to the datahook.
+        IJBRulesetDataHook hook = dataHookOf[context.projectId];
+        if (address(hook) == address(0)) {
+            return (
+                context.cashOutTaxRate,
+                context.cashOutCount,
+                context.totalSupply,
+                context.surplus.value,
+                hookSpecifications
+            );
+        }
+        // slither-disable-next-line unused-return
+        return hook.beforeCashOutRecordedWith(context);
+    }
+
+    /// @notice Forward the call to the original data hook.
+    /// @dev This function is part of `IJBRulesetDataHook`, and gets called before the revnet processes a payment.
+    /// @param context Standard Juicebox payment context. See `JBBeforePayRecordedContext`.
+    /// @return weight The weight which project tokens are minted relative to. This can be used to customize how many
+    /// tokens get minted by a payment.
+    /// @return hookSpecifications Amounts (out of what's being paid in) to be sent to pay hooks instead of being paid
+    /// into the project. Useful for automatically routing funds from a treasury as payments come in.
+    function beforePayRecordedWith(JBBeforePayRecordedContext calldata context)
+        external
+        view
+        override
+        returns (uint256 weight, JBPayHookSpecification[] memory hookSpecifications)
+    {
+        // Forward the call to the data hook.
+        IJBRulesetDataHook hook = dataHookOf[context.projectId];
+        if (address(hook) == address(0)) {
+            return (context.weight, hookSpecifications);
+        }
+
+        // slither-disable-next-line unused-return
+        return hook.beforePayRecordedWith(context);
+    }
+
+    /// @notice A flag indicating whether an address has permission to mint a project's tokens on-demand.
+    /// @dev A project's data hook can allow any address to mint its tokens.
+    /// @param projectId The ID of the project whose token can be minted.
+    /// @param addr The address to check the token minting permission of.
+    /// @return flag A flag indicating whether the address has permission to mint the project's tokens on-demand.
+    function hasMintPermissionFor(uint256 projectId, JBRuleset memory, address addr) external view returns (bool flag) {
+        // If the address is a sucker for this project.
+        return SUCKER_REGISTRY.isSuckerOf({projectId: projectId, addr: addr});
+    }
+
+    /// @dev Make sure only mints can be received.
+    function onERC721Received(
+        address operator,
+        address from,
+        uint256 tokenId,
+        bytes calldata data
+    )
+        external
+        view
+        returns (bytes4)
+    {
+        data;
+        tokenId;
+        operator;
+
+        // Make sure the 721 received is the JBProjects contract.
+        if (msg.sender != address(PROJECTS)) revert();
+        // Make sure the 721 is being received as a mint.
+        if (from != address(0)) revert();
+        return IERC721Receiver.onERC721Received.selector;
+    }
+
+    //*********************************************************************//
+    // -------------------------- public views --------------------------- //
+    //*********************************************************************//
+
+    /// @notice Indicates if this contract adheres to the specified interface.
+    /// @dev See `IERC165.supportsInterface`.
+    /// @return A flag indicating if the provided interface ID is supported.
+    function supportsInterface(bytes4 interfaceId) public view virtual override returns (bool) {
+        return interfaceId == type(ICTDeployer).interfaceId || interfaceId == type(IJBRulesetDataHook).interfaceId
+            || interfaceId == type(IERC721Receiver).interfaceId;
+    }
+
     //*********************************************************************//
     // --------------------- internal transactions ----------------------- //
     //*********************************************************************//
@@ -451,7 +441,7 @@ contract CTDeployer is ERC2771Context, JBPermissioned, IJBRulesetDataHook, IERC7
     }
 
     //*********************************************************************//
-    // ------------------------ internal functions ----------------------- //
+    // -------------------------- internal views ------------------------- //
     //*********************************************************************//
 
     /// @dev ERC-2771 specifies the context as being a single address (20 bytes).