@croptop/core-v6 0.0.38 → 0.0.39

package/README.md

@@ -80,8 +80,8 @@ npm install @croptop/core-v6
 
 ```bash
 npm install
-forge build
-forge test
+forge build --deny notes
+forge test --deny notes --fail-fast --summary --detailed --skip "*/script/**"
 ```
 
 Useful scripts:

package/foundry.toml

@@ -17,7 +17,8 @@ fail_on_revert = false
 ethereum = "${RPC_ETHEREUM_MAINNET}"
 
 [lint]
-exclude_lints = ["pascal-case-struct", "mixed-case-variable"]
+exclude_lints = ["mixed-case-variable", "pascal-case-struct"]
+
 [fmt]
 number_underscore = "thousands"
 multiline_func_header = "all"

package/package.json

@@ -1,11 +1,24 @@
 {
   "name": "@croptop/core-v6",
-  "version": "0.0.38",
+  "version": "0.0.39",
   "license": "MIT",
   "repository": {
     "type": "git",
     "url": "git+https://github.com/mejango/croptop-core-v6"
   },
+  "files": [
+    "CHANGELOG.md",
+    "foundry.toml",
+    "references/",
+    "remappings.txt",
+    "script/ConfigureFeeProject.s.sol",
+    "script/Deploy.s.sol",
+    "script/helpers/",
+    "src/"
+  ],
+  "engines": {
+    "node": ">=20.0.0"
+  },
   "scripts": {
     "test": "forge test",
     "coverage:integration": "forge coverage --match-path \"./src/*.sol\" --report lcov --report summary",
@@ -13,21 +26,20 @@
     "deploy:mainnets:project": "source ./.env && export START_TIME=$(date +%s) && npx sphinx propose ./script/ConfigureFeeProject.s.sol --networks mainnets",
     "deploy:testnets": "source ./.env && npx sphinx propose ./script/Deploy.s.sol --networks testnets",
     "deploy:testnets:project": "source ./.env && export START_TIME=$(date +%s) && npx sphinx propose ./script/ConfigureFeeProject.s.sol --networks testnets",
-    "artifacts": "source ./.env && npx sphinx artifacts --org-id 'ea165b21-7cdc-4d7b-be59-ecdd4c26bee4' --project-name 'croptop-core-v5'"
+    "artifacts": "source ./.env && npx sphinx artifacts --org-id 'ea165b21-7cdc-4d7b-be59-ecdd4c26bee4' --project-name 'croptop-core-v6'"
   },
   "dependencies": {
-    "@bananapus/721-hook-v6": "^0.0.38",
-    "@bananapus/buyback-hook-v6": "^0.0.30",
-    "@bananapus/core-v6": "^0.0.36",
-    "@bananapus/ownable-v6": "^0.0.20",
-    "@bananapus/permission-ids-v6": "^0.0.19",
-    "@bananapus/router-terminal-v6": "^0.0.30",
-    "@bananapus/suckers-v6": "^0.0.28",
-    "@openzeppelin/contracts": "^5.6.1"
+    "@bananapus/721-hook-v6": "0.0.43",
+    "@bananapus/core-v6": "0.0.39",
+    "@bananapus/ownable-v6": "0.0.24",
+    "@bananapus/permission-ids-v6": "0.0.22",
+    "@bananapus/router-terminal-v6": "0.0.36",
+    "@bananapus/suckers-v6": "0.0.33",
+    "@openzeppelin/contracts": "5.6.1",
+    "@rev-net/core-v6": "0.0.37"
   },
   "devDependencies": {
-    "@bananapus/address-registry-v6": "^0.0.17",
-    "@rev-net/core-v6": "^0.0.32",
-    "@sphinx-labs/plugins": "^0.33.3"
+    "@bananapus/address-registry-v6": "0.0.25",
+    "@sphinx-labs/plugins": "0.33.3"
   }
 }

package/script/ConfigureFeeProject.s.sol

@@ -248,14 +248,16 @@ contract ConfigureFeeProjectScript is Script, Sphinx {
             if (block.chainid == 1 || block.chainid == 11_155_111) {
                 suckerDeployerConfigurations = new JBSuckerDeployerConfig[](3);
                 // OP
-                suckerDeployerConfigurations[0] =
-                    JBSuckerDeployerConfig({deployer: suckers.optimismDeployer, mappings: tokenMappings});
+                suckerDeployerConfigurations[0] = JBSuckerDeployerConfig({
+                    deployer: suckers.optimismDeployer, peer: bytes32(0), mappings: tokenMappings
+                });
 
                 suckerDeployerConfigurations[1] =
-                    JBSuckerDeployerConfig({deployer: suckers.baseDeployer, mappings: tokenMappings});
+                    JBSuckerDeployerConfig({deployer: suckers.baseDeployer, peer: bytes32(0), mappings: tokenMappings});
 
-                suckerDeployerConfigurations[2] =
-                    JBSuckerDeployerConfig({deployer: suckers.arbitrumDeployer, mappings: tokenMappings});
+                suckerDeployerConfigurations[2] = JBSuckerDeployerConfig({
+                    deployer: suckers.arbitrumDeployer, peer: bytes32(0), mappings: tokenMappings
+                });
             } else {
                 suckerDeployerConfigurations = new JBSuckerDeployerConfig[](1);
                 // L2 -> Mainnet
@@ -263,6 +265,7 @@ contract ConfigureFeeProjectScript is Script, Sphinx {
                     deployer: address(suckers.optimismDeployer) != address(0)
                         ? suckers.optimismDeployer
                         : address(suckers.baseDeployer) != address(0) ? suckers.baseDeployer : suckers.arbitrumDeployer,
+                    peer: bytes32(0),
                     mappings: tokenMappings
                 });
 

package/src/CTDeployer.sol

@@ -43,17 +43,22 @@ contract CTDeployer is ERC2771Context, JBPermissioned, IJBRulesetDataHook, IERC7
     //*********************************************************************//
 
     error CTDeployer_NotOwnerOfProject(uint256 projectId, address hook, address caller);
+    //*********************************************************************//
+    // ---------------------------- events -------------------------------- //
+    //*********************************************************************//
+
+    event CTDeployer_SuckerDeploymentFailed(uint256 indexed projectId, bytes32 indexed salt, bytes reason);
 
     //*********************************************************************//
     // ---------------- public immutable stored properties --------------- //
     //*********************************************************************//
 
-    /// @notice Mints ERC-721s that represent Juicebox project ownership and transfers.
-    IJBProjects public immutable override PROJECTS;
-
     /// @notice The deployer to launch Croptop recorded collections from.
     IJB721TiersHookDeployer public immutable override DEPLOYER;
 
+    /// @notice Mints ERC-721s that represent Juicebox project ownership and transfers.
+    IJBProjects public immutable override PROJECTS;
+
     /// @notice The Croptop publisher.
     ICTPublisher public immutable override PUBLISHER;
 
@@ -95,25 +100,13 @@ contract CTDeployer is ERC2771Context, JBPermissioned, IJBRulesetDataHook, IERC7
         PUBLISHER = publisher;
         SUCKER_REGISTRY = suckerRegistry;
 
-        // Give the sucker registry permission to map tokens for all revnets.
+        // Set permission for the CTPublisher to adjust tiers while the deployer temporarily owns new hooks.
         uint8[] memory permissionIds = new uint8[](1);
-        permissionIds[0] = JBPermissionIds.MAP_SUCKER_TOKEN;
-
-        // Give the operator the permission.
-        // Set up the permission data.
-        JBPermissionsData memory permissionData =
-            JBPermissionsData({operator: address(SUCKER_REGISTRY), projectId: 0, permissionIds: permissionIds});
-
-        // Set the permissions.
-        PERMISSIONS.setPermissionsFor({account: address(this), permissionsData: permissionData});
-
-        // Set permission for the CTPublisher to adjust the tier.
         permissionIds[0] = JBPermissionIds.ADJUST_721_TIERS;
 
-        // Set permission for the CTPublisher to mint the NFT.
-        permissionData = JBPermissionsData({operator: address(PUBLISHER), projectId: 0, permissionIds: permissionIds});
+        JBPermissionsData memory permissionData =
+            JBPermissionsData({operator: address(PUBLISHER), projectId: 0, permissionIds: permissionIds});
 
-        // Set permission for the CTPublisher to adjust the tier.
         PERMISSIONS.setPermissionsFor({account: address(this), permissionsData: permissionData});
     }
 
@@ -137,7 +130,7 @@ contract CTDeployer is ERC2771Context, JBPermissioned, IJBRulesetDataHook, IERC7
 
         // Make sure the caller is the owner of the project.
         if (PROJECTS.ownerOf(projectId) != _msgSender()) {
-            revert CTDeployer_NotOwnerOfProject(projectId, address(hook), _msgSender());
+            revert CTDeployer_NotOwnerOfProject({projectId: projectId, hook: address(hook), caller: _msgSender()});
         }
 
         // Transfer the hook's ownership to the project.
@@ -145,9 +138,9 @@ contract CTDeployer is ERC2771Context, JBPermissioned, IJBRulesetDataHook, IERC7
     }
 
     /// @notice Deploy a simple project meant to receive posts from Croptop templates.
-    /// @dev The initial project owner is intentionally granted direct hook-management permissions from
-    /// `CTDeployer`. This means the owner/operator can bypass the Croptop publisher path and interact
-    /// with the hook directly if they choose to. That is an explicit product tradeoff.
+    /// @dev The deployed hook remains owned by `CTDeployer` until the project owner claims collection ownership.
+    /// The initial owner is granted direct deployer-scoped hook permissions as a launch-time convenience. Those
+    /// permissions can bypass Croptop's publisher surface until ownership is claimed away from the deployer.
     /// @param owner The address that'll own the project.
     /// @param projectConfig The configuration for the project.
     /// @param suckerDeploymentConfiguration The configuration for the suckers to deploy.
@@ -170,8 +163,8 @@ contract CTDeployer is ERC2771Context, JBPermissioned, IJBRulesetDataHook, IERC7
         rulesetConfigurations[0].weight = 1_000_000 * (10 ** 18);
         rulesetConfigurations[0].metadata.baseCurrency = JBCurrencyIds.ETH;
 
-        // Get the next project ID.
-        projectId = PROJECTS.count() + 1;
+        // Reserve the project ID up front so permissionless project creations cannot invalidate hook deployment.
+        projectId = PROJECTS.createFor(address(this));
 
         // Deploy a blank project.
         // slither-disable-next-line reentrancy-benign
@@ -202,17 +195,15 @@ contract CTDeployer is ERC2771Context, JBPermissioned, IJBRulesetDataHook, IERC7
         rulesetConfigurations[0].metadata.useDataHookForPay = true;
         rulesetConfigurations[0].metadata.useDataHookForCashOut = true;
 
-        // Launch the project, and sanity check the project ID.
-        assert(
-            projectId
-                == controller.launchProjectFor({
-                    owner: address(this),
-                    projectUri: projectConfig.projectUri,
-                    rulesetConfigurations: rulesetConfigurations,
-                    terminalConfigurations: projectConfig.terminalConfigurations,
-                    memo: "Deployed from Croptop"
-                })
-        );
+        // Launch the rulesets for the reserved project.
+        // slither-disable-next-line unused-return
+        controller.launchRulesetsFor({
+            projectId: projectId,
+            projectUri: projectConfig.projectUri,
+            rulesetConfigurations: rulesetConfigurations,
+            terminalConfigurations: projectConfig.terminalConfigurations,
+            memo: "Deployed from Croptop"
+        });
 
         // Set the data hook for the project.
         dataHookOf[projectId] = IJBRulesetDataHook(hook);
@@ -227,23 +218,32 @@ contract CTDeployer is ERC2771Context, JBPermissioned, IJBRulesetDataHook, IERC7
         // intentionally ordered. If both deployers fail, the deployment proceeds without suckers rather than reverting,
         // allowing projects to launch on unsupported chains with manual sucker setup later.
         if (suckerDeploymentConfiguration.salt != bytes32(0)) {
+            bytes32 suckerSalt = keccak256(abi.encode(suckerDeploymentConfiguration.salt, _msgSender()));
+
+            // Successful deployments are discoverable from the registry, and failures are reported without reverting
+            // the project launch.
             // slither-disable-next-line unused-return
-            SUCKER_REGISTRY.deploySuckersFor({
+            try SUCKER_REGISTRY.deploySuckersFor({
                 projectId: projectId,
-                salt: keccak256(abi.encode(suckerDeploymentConfiguration.salt, _msgSender())),
+                salt: suckerSalt,
                 configurations: suckerDeploymentConfiguration.deployerConfigurations
-            });
+            }) returns (
+                address[] memory
+            ) {
+            // no-op
+            }
+            catch (bytes memory reason) {
+                // slither-disable-next-line reentrancy-events
+                emit CTDeployer_SuckerDeploymentFailed({projectId: projectId, salt: suckerSalt, reason: reason});
+            }
         }
 
-        //transfer to _owner.
+        // Transfer the project NFT to its intended owner.
         PROJECTS.transferFrom({from: address(this), to: owner, tokenId: projectId});
 
-        // Set permission for the project's owner to do all the NFT things.
-        // These permissions are granted from CTDeployer (address(this)) to the initial owner.
-        // The hook checks permissions against hook.owner(), which after claimCollectionOwnershipOf() resolves
-        // dynamically via PROJECTS.ownerOf(projectId). Before claiming, CTDeployer is the static hook owner,
-        // so these permissions allow the project owner to manage tiers through CTDeployer. As a tradeoff,
-        // the owner can also bypass the Croptop publisher surface until ownership is claimed away.
+        // Give the initial project owner direct collection-control permissions while CTDeployer remains the hook's
+        // owner. This preserves the documented Croptop launch tradeoff: the owner can manage the collection directly
+        // before calling `claimCollectionOwnershipOf(...)`, after which hook permissions follow the project NFT owner.
         uint8[] memory permissionIds = new uint8[](4);
         permissionIds[0] = JBPermissionIds.ADJUST_721_TIERS;
         permissionIds[1] = JBPermissionIds.SET_721_METADATA;
@@ -253,7 +253,7 @@ contract CTDeployer is ERC2771Context, JBPermissioned, IJBRulesetDataHook, IERC7
         PERMISSIONS.setPermissionsFor({
             account: address(this),
             permissionsData: JBPermissionsData({
-                operator: address(owner),
+                operator: owner,
                 // forge-lint: disable-next-line(unsafe-typecast)
                 projectId: uint64(projectId),
                 permissionIds: permissionIds
@@ -272,12 +272,13 @@ contract CTDeployer is ERC2771Context, JBPermissioned, IJBRulesetDataHook, IERC7
         external
         returns (address[] memory suckers)
     {
-        // Enforce permissions.
-        _requirePermissionFrom({
-            account: PROJECTS.ownerOf(projectId), projectId: projectId, permissionId: JBPermissionIds.DEPLOY_SUCKERS
-        });
+        address owner = PROJECTS.ownerOf(projectId);
+
+        // First prove the external caller is allowed to request sucker deployment for the project owner.
+        _requirePermissionFrom({account: owner, projectId: projectId, permissionId: JBPermissionIds.DEPLOY_SUCKERS});
 
-        // Deploy the suckers.
+        // Deploy the suckers. The sucker registry performs its own permission check against this forwarding helper,
+        // so an unapproved CTDeployer fails at the downstream registry boundary without an extra preflight read here.
         // slither-disable-next-line unused-return
         suckers = SUCKER_REGISTRY.deploySuckersFor({
             projectId: projectId,

package/src/interfaces/ICTDeployer.sol

@@ -24,8 +24,8 @@ interface ICTDeployer {
     function PUBLISHER() external view returns (ICTPublisher);
 
     /// @notice Claim ownership of a tiered ERC-721 hook collection by transferring it to the project.
-    /// @dev After claiming, CTPublisher is atomically granted the ADJUST_721_TIERS permission so that mintFrom()
-    /// continues to work.
+    /// @dev After claiming, hook ownership resolves through the current project NFT owner. That owner must grant
+    /// CTPublisher the ADJUST_721_TIERS permission separately for mintFrom() to continue working.
     /// @param hook The hook to claim ownership of. The caller must own the project the hook belongs to.
     function claimCollectionOwnershipOf(IJB721TiersHook hook) external;
 

package/ADMINISTRATION.md

@@ -1,94 +0,0 @@
-# Administration
-
-## At A Glance
-
-| Item | Details |
-| --- | --- |
-| Scope | Croptop deployment flow, publish-policy administration, and irreversible project owner sink behavior |
-| Control posture | Mixed deployer-managed and project-local control |
-| Highest-risk actions | Burn-locking a project into `CTProjectOwner`, misconfiguring posting criteria, and deploying suckers with the wrong authority assumptions |
-| Recovery posture | Posting policy can often be changed, but burn-lock and some deployer wiring choices usually require replacement flows |
-
-## Purpose
-
-`croptop-core-v6` has two distinct control planes: project-local publishing control and deployer-level structural wiring. The high-risk surfaces are posting criteria, hook ownership, publisher permissions, and the irreversible `CTProjectOwner` burn-lock path.
-
-## Control Model
-
-- `CTPublisher` enforces publish policy but does not own the project.
-- `CTDeployer` is both a deployment helper and a live ruleset data-hook wrapper.
-- The initial project owner receives direct hook-management permissions from `CTDeployer` at deployment time.
-- Project owners or delegates administer publishing through the hook owner and `JBPermissions`.
-- `CTProjectOwner` is an irreversible ownership sink for projects that want Croptop-mediated control.
-- `SUCKER_REGISTRY` and `PUBLISHER` receive structural permissions from `CTDeployer`.
-
-## Roles
-
-| Role | How Assigned | Scope | Notes |
-| --- | --- | --- | --- |
-| Project owner | `JBProjects.ownerOf(projectId)` | Per project | May grant delegates through `JBPermissions` |
-| Hook owner | `JBOwnable(hook).owner()` | Per hook | Often resolves to the project owner after claim |
-| `CTDeployer` | Immutable singleton | Global | Launch helper and runtime wrapper |
-| `CTPublisher` | Immutable singleton | Global runtime surface | Needs `ADJUST_721_TIERS` authority on relevant hooks |
-| `CTProjectOwner` | Receives project NFT transfer | Per project | Burn-lock path with no return function |
-| `SUCKER_REGISTRY` | Immutable dependency | Global | Holds wildcard `MAP_SUCKER_TOKEN` from the deployer |
-
-## Privileged Surfaces
-
-| Contract | Function | Who Can Call | Effect |
-| --- | --- | --- | --- |
-| `CTDeployer` | `deployProjectFor(...)` | Anyone | Launches a Croptop-shaped project and configures initial permissions |
-| `CTDeployer` | `claimCollectionOwnershipOf(...)` | Current project owner | Transfers hook ownership from the deployer path to the project |
-| `CTDeployer` | `deploySuckersFor(...)` | Project owner or `DEPLOY_SUCKERS` delegate | Extends a project with suckers |
-| `CTPublisher` | `configurePostingCriteriaFor(...)` | Hook owner or `ADJUST_721_TIERS` delegate | Changes posting policy for a hook and category |
-| `CTPublisher` | `mintFrom(...)` | Anyone subject to policy | Publishes posts, mints first copies, and routes the Croptop fee |
-| `CTProjectOwner` | `onERC721Received(...)` | Any project NFT transfer into it | Locks the project into the Croptop owner helper and grants `CTPublisher` tier-adjust authority |
-
-Important nuance:
-
-- after `deployProjectFor(...)`, the initial project owner can directly manage tiers, metadata, minting, and discount percent through permissions granted from `CTDeployer`
-- that means the owner can bypass the publisher path until ownership is claimed away from `CTDeployer`
-
-## Immutable And One-Way
-
-- `CTDeployer`'s wildcard permission grants to `SUCKER_REGISTRY` and `CTPublisher` are structural.
-- `dataHookOf[projectId]` is write-once through deployment flow.
-- Sending a project NFT into `CTProjectOwner` is effectively irreversible.
-- `FEE_PROJECT_ID` in `CTPublisher` is constructor-immutable.
-
-## Operational Notes
-
-- Validate posting criteria before broad publisher access.
-- Decide intentionally whether the project should keep the initial direct-management path or move to project-owned hook control with `claimCollectionOwnershipOf(...)`.
-- Use `claimCollectionOwnershipOf(...)` when the project should own the hook directly instead of relying on the deployer as the ownership bridge.
-- Treat the burn-lock path as governance finality, not convenience.
-- Review Croptop deployer changes as both launch-time and runtime changes.
-
-## Machine Notes
-
-- Do not treat `CTDeployer` as a passive script helper; it is also part of the live runtime path.
-- Treat `src/CTPublisher.sol`, `src/CTDeployer.sol`, and `src/CTProjectOwner.sol` as the minimum source set for control-plane review.
-- If a project NFT has already been sent to `CTProjectOwner`, stop assuming the original owner can recover it.
-
-## Recovery
-
-- If posting policy is wrong but the project still controls the hook, fix it through `configurePostingCriteriaFor(...)`.
-- If the wrong hook path or burn-lock path was chosen, recovery usually means a new project or new hook arrangement.
-- `CTProjectOwner` is not a reversible safety valve.
-
-## Admin Boundaries
-
-- Neither project owners nor Croptop can change the fixed fee divisor in `CTPublisher`.
-- `CTPublisher` cannot trap fee ETH intentionally; failed fee-terminal payments refund `_msgSender()` or revert.
-- `CTProjectOwner` cannot return project ownership once it receives the NFT.
-- `CTDeployer` cannot later rewrite `dataHookOf[projectId]` through a setter.
-- `CTDeployer` does not stop the initial project owner from using the directly granted hook permissions before ownership is claimed away.
-
-## Source Map
-
-- `src/CTPublisher.sol`
-- `src/CTDeployer.sol`
-- `src/CTProjectOwner.sol`
-- `script/Deploy.s.sol`
-- `script/helpers/CroptopDeploymentLib.sol`
-- `test/TestAuditGaps.sol`

package/ARCHITECTURE.md

@@ -1,96 +0,0 @@
-# Architecture
-
-## Purpose
-
-`croptop-core-v6` turns a Juicebox project with a 721 tiers hook into a permissioned publishing market. Project owners define what posts are valid, third parties publish content by minting or reusing tiers, and Croptop routes a fixed publish fee to the canonical fee project.
-
-## System Overview
-
-`CTPublisher` is the runtime policy and fee-routing surface. `CTDeployer` is the launch wrapper that can package a project, its 721 hook config, posting rules, and optional omnichain setup in one transaction. `CTProjectOwner` is the irreversible ownership helper for projects that want Croptop-mediated administration instead of a plain owner EOA.
-
-## Core Invariants
-
-- A post can only be published if it satisfies the configured category, pricing, supply, split, and allowlist rules.
-- Publish fees must be computed from the call value, not from ambient contract balance.
-- `CTPublisher` must not trap fee funds. If fee-project payment fails, the fee is refunded to `_msgSender()`, and if that refund fails the publish reverts.
-- Tier creation and minting must still respect `nana-721-hook-v6` invariants.
-- `CTDeployer` intentionally creates a temporary owner-bypass period before collection ownership is claimed away from the deployer.
-- `CTProjectOwner` is a burn-lock primitive, not a flexible admin panel.
-
-## Modules
-
-| Module | Responsibility | Notes |
-| --- | --- | --- |
-| `CTPublisher` | Post validation, tier reuse or creation, first-copy minting, fee routing | Main runtime contract |
-| `CTDeployer` | Project launch, hook wiring, optional sucker setup, wrapper behavior | Launch-time and runtime wrapper |
-| `CTProjectOwner` | Irreversible ownership helper | Governance-sensitive |
-| `CTAllowedPost`, `CTPost`, related structs | Publishing policy and request encoding | Shared config surface |
-
-## Trust Boundaries
-
-- Tier storage and minting semantics live in `nana-721-hook-v6`.
-- Terminal accounting and project ownership live in `nana-core-v6`.
-- When omnichain setup is enabled, this repo composes patterns from `nana-suckers-v6` and `nana-omnichain-deployers-v6`.
-
-## Critical Flows
-
-### Publish
-
-```text
-poster
-  -> calls mintFrom(...)
-  -> publisher validates each post against project policy
-  -> publisher creates or reuses 721 tiers
-  -> project terminal receives the publish payment
-  -> fee project receives the fixed fee slice, or _msgSender() is refunded if that fee payment fails
-  -> first copy of each post tier is minted to the poster
-```
-
-### Launch
-
-```text
-creator
-  -> CTDeployer launches the project and 721-hook shape
-  -> configures Croptop posting rules
-  -> optionally wires omnichain sucker deployment
-  -> may remain in the flow as a runtime wrapper when hook composition is enabled
-```
-
-## Accounting Model
-
-This repo does not define treasury accounting. Its critical economic logic is publish-fee routing and the mapping from valid post data to tier creation or reuse.
-
-`CTPublisher` also relies on duplicate-content and pricing checks to stop fee evasion through batch composition or tier reuse.
-
-## Security Model
-
-- Fee routing is liveness-first but still value-sensitive; fallback refunds must stay correct.
-- `CTDeployer` has a larger review surface than a normal deployer because it can also participate at runtime.
-- Croptop's product boundary is partly social: until collection ownership is claimed away from `CTDeployer`, the project owner can interact through the granted permissions rather than only through the publisher surface.
-- Posting-policy bugs are product-level authorization bugs, not just metadata bugs.
-
-## Safe Change Guide
-
-- Put generic tier logic in `nana-721-hook-v6`, not here.
-- If fee behavior changes, review payment ordering, fee-project fallback, and refund failure handling together.
-- If deployer ownership or permission grants change, re-check the temporary bypass window and post-claim ownership behavior together.
-- If `CTDeployer` changes, test both project launch and any wrapped hook flow it participates in.
-- Treat `CTProjectOwner` changes as governance changes.
-
-## Canonical Checks
-
-- publish-path fee routing and policy enforcement:
-  `test/CTPublisher.t.sol`
-- fee fallback and refund safety:
-  `test/audit/FeeFallbackBlackhole.t.sol`
-- duplicate-content and batch-fee-evasion resistance:
-  `test/regression/DuplicateUriFeeEvasion.t.sol`
-
-## Source Map
-
-- `src/CTPublisher.sol`
-- `src/CTDeployer.sol`
-- `src/CTProjectOwner.sol`
-- `test/CTPublisher.t.sol`
-- `test/audit/FeeFallbackBlackhole.t.sol`
-- `test/regression/DuplicateUriFeeEvasion.t.sol`

package/AUDIT_INSTRUCTIONS.md

@@ -1,88 +0,0 @@
-# Audit Instructions
-
-Croptop is a publishing layer on top of Juicebox projects and the tiered 721 stack. Audit it as a permissions, fee-routing, and project-launch system.
-
-## Audit Objective
-
-Find issues that:
-
-- let publishers create or mint posts outside configured criteria
-- let users evade Croptop fees or route them incorrectly
-- grant fee-free or privileged cash-outs to the wrong actors
-- make tier reuse bypass stale-content, fee, or policy checks
-- leave a project in an unintended ownership or admin state
-
-## Scope
-
-In scope:
-
-- `src/CTPublisher.sol`
-- `src/CTDeployer.sol`
-- `src/CTProjectOwner.sol`
-- all interfaces in `src/interfaces/`
-- all structs in `src/structs/`
-- deployment helpers in `script/`
-
-## Start Here
-
-1. `src/CTPublisher.sol`
-2. `src/CTDeployer.sol`
-3. `src/CTProjectOwner.sol`
-
-## Security Model
-
-Croptop composes several subsystems:
-
-- `CTPublisher` enforces posting criteria, creates or adjusts tiers, and routes fees
-- `CTDeployer` launches projects and wires hooks, criteria, and ownership helpers
-- `CTProjectOwner` lets a project follow Croptop-specific admin rules instead of a fixed EOA
-
-Trust boundaries that matter:
-
-- project owners choose policy, but should not be able to bypass the policy they configured
-- fee recipients and external hooks may revert or reenter
-- sucker-based privileges must stay limited to genuine omnichain components
-
-## Roles And Privileges
-
-| Role | Powers | How constrained |
-|------|--------|-----------------|
-| Project owner | Choose policy and ownership mode | Must not bypass the active policy through helper paths |
-| `CTPublisher` | Create or reuse tiers and route fees | Must stay within configured criteria |
-| `CTDeployer` | Launch projects and wire helpers | Must not retain unexpected post-launch authority |
-| Sucker integration | Access narrow omnichain-only paths | Must be backed by authentic registry state |
-
-## Integration Assumptions
-
-| Dependency | Assumption | What breaks if wrong |
-|------------|------------|----------------------|
-| `nana-721-hook-v6` | Tier state and tier adjustments match Croptop policy checks | Posting criteria and tier-reuse safety break |
-| `nana-core-v6` | Terminal and project routing are authentic | Fee routing and publish settlement drift |
-| `nana-ownable-v6` | Ownership helper resolves the intended admin | Projects can end up misowned or stranded |
-| `nana-suckers-v6` | Registry identifies genuine omnichain actors | Fee-free or privileged paths widen incorrectly |
-
-## Critical Invariants
-
-1. Minimum price, supply bounds, split limits, category restrictions, and allowlists stay binding on every publish path.
-2. Every Croptop mint either pays the configured fee or takes the documented fallback path without underpaying Croptop.
-3. Existing tiers cannot be reused in a way that revives stale criteria or dodges fee collection.
-4. Sucker-only or fee-exempt paths cannot be reached through spoofed registry state or stale deployment wiring.
-5. Ownership handoff and burn-lock flows do not accidentally widen privileges or strand administration.
-
-## Attack Surfaces
-
-- publish and mint entrypoints
-- fee computation from user input versus onchain state
-- tier creation, adjustment, and reuse logic
-- deployer-mediated pay or cash-out data-hook behavior
-- permission grants during deployment and ownership transfer
-
-## Accepted Risks Or Behaviors
-
-- Fee routing may degrade to a fallback path rather than block publishing entirely.
-
-## Verification
-
-- `npm install`
-- `forge build`
-- `forge test`