@rev-net/core-v6 0.0.17 → 0.0.19

package/ADMINISTRATION.md

@@ -40,7 +40,7 @@ Admin privileges and their scope in revnet-core-v6. Revnets are designed to be a
 | `setSplitOperatorOf()` | Split Operator | Checked via `_checkIfIsSplitOperatorOf()` | Replaces the current split operator with a new address. Revokes all operator permissions from the caller and grants them to the new address. |
 | `autoIssueFor()` | Anyone | None | Mints pre-configured auto-issuance tokens for a beneficiary once the relevant stage has started. Amounts are set at deployment and can only be claimed once. |
 | `burnHeldTokensOf()` | Anyone | None | Burns any of a revnet's tokens held by the `REVDeployer` contract (e.g., from reserved token splits that did not sum to 100%). |
-| `afterCashOutRecordedWith()` | Anyone (called by terminal) | None | Processes cash-out fees. No caller validation needed because a non-terminal caller would only be donating their own funds. |
+| `afterCashOutRecordedWith()` | Anyone (called by terminal) | None | **Note: This function lives on REVOwner, not REVDeployer.** Processes cash-out fees. No caller validation needed because a non-terminal caller would only be donating their own funds. |
 
 ### Split Operator Permissions (granted via JBPermissions)
 
@@ -95,8 +95,8 @@ Revnets are designed to operate without a traditional project owner. The followi
 - **No ruleset queuing.** The `REVDeployer` does not expose any function to queue new rulesets after deployment. The stage progression is fully determined at deploy time. Nobody -- not the split operator, not the deployer, not anyone -- can change the issuance schedule, cash-out tax rates, or stage timing after deployment.
 - **No approval hooks.** All rulesets are deployed with `approvalHook = address(0)`. There is no mechanism to block or delay stage transitions.
 - **Cash outs cannot be fully disabled.** The deployer enforces `cashOutTaxRate < MAX_CASH_OUT_TAX_RATE` for every stage, guaranteeing that token holders always retain some ability to cash out.
-- **Data hook is the deployer itself.** The `REVDeployer` is set as the data hook (`metadata.dataHook = address(this)`) for all rulesets, ensuring consistent fee and sucker logic without external admin control.
-- **Mint permission is restricted.** Only the loans contract, the buyback hook (and its delegates), and registered suckers can mint tokens. The split operator cannot mint fungible revnet tokens.
+- **Data hook is REVOwner.** `REVOwner` is set as the data hook (`metadata.dataHook = address(OWNER())`) for all rulesets, ensuring consistent fee and sucker logic without external admin control. REVOwner stores `cashOutDelayOf` and `tiered721HookOf` in its own storage (set by REVDeployer via DEPLOYER-restricted setters during deployment).
+- **Mint permission is restricted.** Only the loans contract, the buyback hook (and its delegates), and registered suckers can mint tokens (as determined by `REVOwner.hasMintPermissionFor`). The split operator cannot mint fungible revnet tokens.
 - **No held fee manipulation.** The deployer has no function to process or return held fees arbitrarily.
 - **Owner minting is constrained.** While `allowOwnerMinting = true` is set in ruleset metadata, the "owner" is the `REVDeployer` contract. It only uses this to mint auto-issuance tokens (amounts fixed at deployment) and to return loan collateral.
 
@@ -138,6 +138,16 @@ The following parameters are set at deployment and can never be changed:
 - `DEFAULT_BUYBACK_POOL_FEE` -- 10,000 (1% Uniswap V4 fee tier)
 - `DEFAULT_BUYBACK_TICK_SPACING` -- 200
 - `DEFAULT_BUYBACK_TWAP_WINDOW` -- 2 days
+- `OWNER()` -- view returning the REVOwner address
+
+### REVOwner (global, set at contract deployment + initialize)
+- `BUYBACK_HOOK` -- the buyback hook (shared immutable with REVDeployer)
+- `DIRECTORY` -- the Juicebox directory (shared immutable with REVDeployer)
+- `FEE_REVNET_ID` -- the project ID that receives cash-out fees (shared immutable)
+- `SUCKER_REGISTRY` -- the sucker registry (shared immutable)
+- `LOANS` -- the loans contract address (shared immutable)
+- `FEE` -- the cash-out fee constant (2.5%)
+- `DEPLOYER` -- the REVDeployer address (storage variable, set once via `initialize()`)
 
 ### REVLoans (global, set at contract deployment)
 - `CONTROLLER`, `DIRECTORY`, `PRICES`, `PROJECTS` -- protocol infrastructure
@@ -186,5 +196,5 @@ What admins **cannot** do -- this is the most important section for understandin
 - Prevent token holders from eventually cashing out
 - Extract funds from the treasury without going through the bonding curve
 - Modify the fee structure (2.5% cash-out fee, loan fees)
-- Change which contract is the data hook for a revnet
+- Change which contract is the data hook for a revnet (always REVOwner)
 - Alter auto-issuance amounts after deployment (they can only be claimed, not changed)

package/ARCHITECTURE.md

@@ -2,16 +2,18 @@
 
 ## Purpose
 
-Autonomous revenue networks ("revnets") built on Juicebox V6. REVDeployer creates projects with pre-programmed multi-stage rulesets that cannot be changed after deployment. REVLoans enables borrowing against locked revnet tokens.
+Autonomous revenue networks ("revnets") built on Juicebox V6. REVDeployer creates projects with pre-programmed multi-stage rulesets that cannot be changed after deployment. REVOwner handles all runtime hook behavior (pay hooks, cash-out hooks, mint permissions) as the `dataHook` for every revnet. REVLoans enables borrowing against locked revnet tokens.
 
 ## Contract Map
 
 ```
 src/
-├── REVDeployer.sol  — Deploys revnets: stages → rulesets, data hook, buyback, suckers, 721 tiers
+├── REVDeployer.sol  — Deploys revnets: stages → rulesets, buyback, suckers, 721 tiers, state storage
+├── REVOwner.sol     — Runtime data hook + cash-out hook for all revnets, stores cashOutDelayOf + tiered721HookOf (~310 lines)
 ├── REVLoans.sol     — Borrow against burned revnet tokens (10-year max, permissionless liquidation)
 ├── interfaces/
 │   ├── IREVDeployer.sol
+│   ├── IREVOwner.sol
 │   └── IREVLoans.sol
 └── structs/         — REVConfig, REVStageConfig, REVLoanSource, REVAutoIssuance, etc.
 ```
@@ -25,7 +27,7 @@ Deployer → REVDeployer.deployFor()
   → Convert REV stages → JBRulesetConfigs (see Stage-to-Ruleset Mapping below)
     → Each stage: duration, weight, cashOutTaxRate, splits
     → Auto-issuance: record per-beneficiary token counts for later claiming
-  → Set REVDeployer as data hook (controls pay + cashout behavior)
+  → Set REVOwner as data hook (controls pay + cashout behavior)
   → Initialize buyback pools at fair issuance price (derived from initialIssuance)
   → Deploy suckers for cross-chain operation
   → Deploy tiered ERC-721 hook (always — empty by default, pre-configured if specified)
@@ -55,17 +57,18 @@ Claiming is a separate step: anyone can call `autoIssueFor(revnetId, stageId, be
 
 Stage IDs are assigned as `block.timestamp + i` (where `i` is the stage index), matching the JBRulesets ID assignment scheme when all stages are queued in a single transaction.
 
-### Data Hook Behavior
+### Data Hook Behavior (REVOwner)
 ```
-Payment → REVDeployer.beforePayRecordedWith()
+Payment → REVOwner.beforePayRecordedWith()
+  → Read tiered721HookOf from REVOwner storage
   → Query 721 tier hook for tier split specs (if configured)
   → Delegate remaining amount to buyback hook for swap-vs-mint decision
   → Scale weight so tokens are only minted for the project's share (after tier splits)
   → Return merged hook specifications (721 hook + buyback hook)
 
-Cash Out → REVDeployer.beforeCashOutRecordedWith()
+Cash Out → REVOwner.beforeCashOutRecordedWith()
   → If caller is a sucker: 0% cash out tax, full reclaim (bridging privilege)
-  → Enforce cash out delay (for cross-chain deployments of existing revnets)
+  → Enforce cash out delay (reads cashOutDelayOf from REVOwner storage)
   → If no tax, no fee terminal, or feeless beneficiary: delegate directly to buyback hook
   → Otherwise: split tokens into fee/non-fee portions via bonding curve
   → Delegate non-fee portion to buyback hook
@@ -76,6 +79,7 @@ Cash Out → REVDeployer.beforeCashOutRecordedWith()
 ### Loan Flow
 ```
 Borrower → REVLoans.borrowFrom()
+  → Enforce cash-out delay if set (cross-chain deployment protection)
   → Burn borrower's revnet tokens as collateral
   → Calculate borrow amount from bonding curve value of collateral
   → Pull funds from treasury via USE_ALLOWANCE
@@ -111,7 +115,7 @@ Fields set automatically by the deployer (not configurable per stage):
 - `metadata.allowOwnerMinting` — always `true` (required for auto-issuance)
 - `metadata.useDataHookForPay` — always `true`
 - `metadata.useDataHookForCashOut` — always `true`
-- `metadata.dataHook` — always `address(REVDeployer)`
+- `metadata.dataHook` — always `address(REVOwner)`
 - `approvalHook` — always `address(0)` (no approval hook; stages are immutable)
 - `fundAccessLimitGroups` — set to `uint224.max` surplus allowance per terminal token for loan withdrawals
 
@@ -119,7 +123,7 @@ Fields set automatically by the deployer (not configurable per stage):
 
 | Point | Interface | Purpose |
 |-------|-----------|---------|
-| Data hook | `IJBRulesetDataHook` | REVDeployer acts as data hook for all revnets |
+| Data hook | `IJBRulesetDataHook` | REVOwner acts as data hook for all revnets |
 | Buyback hook | `IJBBuybackHook` | Swap-vs-mint decision on payments |
 | Sucker integration | `IJBSucker` | Cross-chain token bridging |
 | 721 tiers | `IJB721TiersHook` | NFT tier rewards |
@@ -139,7 +143,7 @@ Fields set automatically by the deployer (not configurable per stage):
 ## Key Design Decisions
 - Stages are immutable after deployment — no owner can change ruleset parameters
 - Matching hash ensures cross-chain deployments have identical economic parameters. It covers all economic fields (issuance, decay, tax rates, auto-issuances) but intentionally excludes split recipient addresses, which may differ by chain. The hash is used as a CREATE2 salt component for sucker deployment, so mismatched configs produce different sucker addresses that cannot peer with each other.
-- REVDeployer is the data hook for all revnets it deploys — centralizes behavioral control
+- REVOwner is the data hook for all revnets — centralizes runtime behavioral control (pay hooks, cash-out hooks, mint permissions) and stores `cashOutDelayOf` and `tiered721HookOf` per revnet. REVDeployer handles deployment and configuration state storage. The split was necessary to stay under the EIP-170 contract size limit (24,576 bytes). Deploy order: REVOwner first, then REVDeployer(owner=REVOwner), then REVOwner.initialize(deployer). REVDeployer calls DEPLOYER-restricted setters on REVOwner (`setCashOutDelayOf`, `setTiered721HookOf`) during deployment.
 - Loans use bonding curve value, not market price — independent of external DEX pricing
 - Auto-issuance is deferred, not instant — token amounts are recorded at deploy time but minted via a separate `autoIssueFor` call after the stage starts. This separates deployment from issuance, allows anyone to trigger the mint permissionlessly, and ensures tokens are not minted before their stage is active.
 - No approval hook — revnet rulesets set `approvalHook` to `address(0)` because stages are configured immutably at deployment. There is no governance or owner who could queue a change that would need approval.

package/AUDIT_INSTRUCTIONS.md

@@ -10,8 +10,9 @@ Read [RISKS.md](./RISKS.md) for the trust model and known risks. Read [ARCHITECT
 
 | Contract | Lines | Role |
 |----------|-------|------|
-| `src/REVDeployer.sol` | ~1,373 | Deploys revnets. Acts as data hook and cash-out hook for all revnets. Manages stages, splits, auto-issuance, buyback hook delegation, 721 hook deployment, suckers, and split operator permissions. |
-| `src/REVLoans.sol` | ~1,359 | Token-collateralized lending. Burns collateral on borrow, re-mints on repay. ERC-721 loan NFTs. Three-layer fee model. Permit2 integration. |
+| `src/REVDeployer.sol` | ~19,746 bytes | Deploys revnets. Manages stages, splits, auto-issuance, buyback hook delegation, 721 hook deployment, suckers, split operator permissions, and all state storage. Split from original monolith to stay under EIP-170 (24,576 bytes). |
+| `src/REVOwner.sol` | ~8,353 bytes (~310 lines) | Runtime hook contract. Implements `IJBRulesetDataHook` + `IJBCashOutHook`. Set as the `dataHook` in each revnet's ruleset metadata. Handles `beforePayRecordedWith`, `beforeCashOutRecordedWith`, `afterCashOutRecordedWith`, `hasMintPermissionFor`, and sucker verification. Stores `cashOutDelayOf` and `tiered721HookOf` mappings (set by REVDeployer via DEPLOYER-restricted setters). **Key audit focus: the `initialize()` one-shot pattern, DEPLOYER-restricted setter access control, and circular dependency with REVDeployer.** |
+| `src/REVLoans.sol` | ~1,359 lines | Token-collateralized lending. Burns collateral on borrow, re-mints on repay. ERC-721 loan NFTs. Three-layer fee model. Permit2 integration. |
 | `src/interfaces/` | ~525 | Interface definitions for both contracts |
 | `src/structs/` | ~212 | All struct definitions |
 
@@ -27,7 +28,7 @@ Read [RISKS.md](./RISKS.md) for the trust model and known risks. Read [ARCHITECT
 
 ## The System in 90 Seconds
 
-A **revnet** is a Juicebox project that nobody owns. REVDeployer deploys it, permanently holds its project NFT, and acts as the data hook for all payments and cash-outs. The revnet's economics are encoded as a sequence of **stages** that map 1:1 to Juicebox rulesets. Stages are immutable after deployment.
+A **revnet** is a Juicebox project that nobody owns. REVDeployer deploys it and permanently holds its project NFT. REVOwner acts as the data hook for all payments and cash-outs (`dataHook` in ruleset metadata). The deployer/owner split was necessary to stay under the EIP-170 contract size limit. The revnet's economics are encoded as a sequence of **stages** that map 1:1 to Juicebox rulesets. Stages are immutable after deployment.
 
 Each stage defines:
 - **Initial issuance** (`initialIssuance`): tokens minted per unit of base currency
@@ -53,26 +54,27 @@ Understanding this interaction is essential. REVDeployer wraps core Juicebox fun
 ```
 User pays terminal
   -> Terminal calls JBTerminalStore.recordPaymentFrom()
-    -> Store calls REVDeployer.beforePayRecordedWith() [data hook]
-      -> REVDeployer calls 721 hook's beforePayRecordedWith() for split specs
-      -> REVDeployer calls buyback hook's beforePayRecordedWith() for swap decision
-      -> REVDeployer scales weight: mulDiv(weight, projectAmount, totalAmount)
+    -> Store calls REVOwner.beforePayRecordedWith() [data hook]
+      -> REVOwner reads tiered721HookOf from its own storage
+      -> REVOwner calls 721 hook's beforePayRecordedWith() for split specs
+      -> REVOwner calls buyback hook's beforePayRecordedWith() for swap decision
+      -> REVOwner scales weight: mulDiv(weight, projectAmount, totalAmount)
       -> Returns merged specs: [721 hook spec, buyback hook spec]
     -> Store records payment with modified weight
   -> Terminal mints tokens via Controller
   -> Terminal executes pay hook specs (721 hook first, then buyback hook)
 ```
 
-**Key insight:** The weight scaling in `beforePayRecordedWith` ensures the terminal only mints tokens proportional to the amount entering the project (excluding 721 tier split amounts). Without this scaling, payers would get token credit for the split portion too.
+**Key insight:** The weight scaling in `REVOwner.beforePayRecordedWith` ensures the terminal only mints tokens proportional to the amount entering the project (excluding 721 tier split amounts). Without this scaling, payers would get token credit for the split portion too.
 
 ### Cash-Out Flow
 
 ```
 User cashes out via terminal
   -> Terminal calls JBTerminalStore.recordCashOutFor()
-    -> Store calls REVDeployer.beforeCashOutRecordedWith() [data hook]
+    -> Store calls REVOwner.beforeCashOutRecordedWith() [data hook]
       -> If sucker: return 0% tax, full amount (fee exempt)
-      -> If cashOutDelay not passed: revert
+      -> If cashOutDelay not passed (reads from REVOwner storage): revert
       -> If cashOutTaxRate == 0 or no fee terminal: return as-is
       -> Otherwise: split cashOutCount into fee portion + non-fee portion
         -> Compute reclaim for non-fee portion via bonding curve
@@ -81,8 +83,8 @@ User cashes out via terminal
     -> Store records cash-out with modified parameters
   -> Terminal burns tokens
   -> Terminal transfers reclaimed amount to user
-  -> Terminal calls REVDeployer.afterCashOutRecordedWith() [cash-out hook]
-    -> REVDeployer pays fee to fee revnet terminal
+  -> Terminal calls REVOwner.afterCashOutRecordedWith() [cash-out hook]
+    -> REVOwner pays fee to fee revnet terminal
     -> On failure: returns funds to originating project
 ```
 
@@ -93,6 +95,7 @@ User cashes out via terminal
 ```
 Borrower calls REVLoans.borrowFrom()
   -> Prerequisite: caller must have granted BURN_TOKENS permission to REVLoans via JBPermissions
+  -> Enforce cash-out delay: resolve REVOwner from ruleset dataHook, check IREVOwner.cashOutDelayOf(revnetId) (stored on REVOwner)
   -> Validate: collateral > 0, terminal registered, prepaidFeePercent in range
   -> Generate loan ID: revnetId * 1T + loanNumber
   -> Create loan in storage
@@ -118,11 +121,17 @@ Borrower calls REVLoans.borrowFrom()
 | Variable | Purpose | Audit Focus |
 |----------|---------|-------------|
 | `amountToAutoIssue[revnetId][stageId][beneficiary]` | Premint tokens per stage per beneficiary | Single-claim enforcement (zeroed before mint) |
-| `cashOutDelayOf[revnetId]` | Timestamp when cash-outs unlock | Applied only for existing revnets deployed to new chains |
 | `hashedEncodedConfigurationOf[revnetId]` | Config hash for cross-chain sucker validation | Gap: does NOT cover terminal configs |
-| `tiered721HookOf[revnetId]` | 721 hook address | Set once during deploy, never changed |
 | `_extraOperatorPermissions[revnetId]` | Custom permissions for split operator | Set during deploy based on 721 hook prevention flags |
 
+### REVOwner Storage
+
+| Variable | Purpose | Audit Focus |
+|----------|---------|-------------|
+| `DEPLOYER` | REVDeployer address | Set once via `initialize()`. **Not immutable** -- stored as a regular storage variable to break circular dependency. Verify `initialize()` can only be called once and with the correct address. Used to restrict access to `setCashOutDelayOf()` and `setTiered721HookOf()`. |
+| `cashOutDelayOf[revnetId]` | Timestamp when cash-outs unlock | Set by REVDeployer via `setCashOutDelayOf()` (DEPLOYER-restricted). Applied only for existing revnets deployed to new chains. **Read by REVLoans via IREVOwner.** Verify only DEPLOYER can call the setter. |
+| `tiered721HookOf[revnetId]` | 721 hook address | Set by REVDeployer via `setTiered721HookOf()` (DEPLOYER-restricted). Set once during deploy, never changed. **Read by REVOwner internally during pay hooks.** Verify only DEPLOYER can call the setter. |
+
 ### REVLoans Storage
 
 | Variable | Purpose | Audit Focus |
@@ -178,7 +187,7 @@ No reentrancy guard. Verify the CEI ordering in:
 
 ### 3. Data hook composition
 
-REVDeployer proxies between the terminal and two hooks. Verify:
+REVOwner proxies between the terminal and two hooks. REVOwner reads `tiered721HookOf` and `cashOutDelayOf` from its own storage (set by REVDeployer via DEPLOYER-restricted setters). Verify:
 
 - The 721 hook's `beforePayRecordedWith` is called with the full context, but the buyback hook's is called with a reduced amount. Is this always correct?
 - When the 721 hook returns specs with `amount >= context.amount.value`, `projectAmount` is 0 and weight is 0. This means no tokens are minted by the terminal (all funds go to 721 splits). Verify this is safe -- does the buyback hook handle a zero-amount context gracefully?
@@ -187,7 +196,7 @@ REVDeployer proxies between the terminal and two hooks. Verify:
 
 ### 4. Cash-out fee calculation
 
-The two-step bonding curve fee calculation in `beforeCashOutRecordedWith`:
+The two-step bonding curve fee calculation in `REVOwner.beforeCashOutRecordedWith`:
 
 ```solidity
 feeCashOutCount = mulDiv(cashOutCount, FEE, MAX_FEE)  // 2.5% of tokens
@@ -263,6 +272,18 @@ Verify:
 - The linear accrual formula: at `timeSinceLoanCreated = LOAN_LIQUIDATION_DURATION`, the fee percent approaches MAX_FEE (100%). The borrower would owe the full remaining loan amount as a fee, making repayment impossible.
 - At the boundary, `_determineSourceFeeAmount` reverts with `REVLoans_LoanExpired` before the fee reaches 100%. The revert uses `>` (not `>=`) so the exact boundary second is still repayable -- verify this matches the liquidation path which uses `<=`.
 
+### 8. REVOwner initialization and circular dependency
+
+REVOwner and REVDeployer have a circular dependency broken by a one-shot `initialize()` call. Deploy order: REVOwner first, then REVDeployer(owner=REVOwner), then REVOwner.initialize(deployer). Verify:
+
+- `initialize()` can only be called once (subsequent calls revert)
+- `DEPLOYER` is a storage variable, not immutable, to break the circular dependency
+- Before `initialize()` is called, the DEPLOYER-restricted setters (`setCashOutDelayOf`, `setTiered721HookOf`) would reject calls, leaving `cashOutDelayOf` and `tiered721HookOf` unpopulated
+- No path allows `initialize()` to be called with the wrong deployer address after the correct one is set
+- Only DEPLOYER can call `setCashOutDelayOf()` and `setTiered721HookOf()` -- verify access control on these setters
+- `cashOutDelayOf` and `tiered721HookOf` are stored on REVOwner (not REVDeployer) -- verify REVOwner reads from its own storage and the setters cannot be called by unauthorized addresses
+- Both contracts define `FEE = 25` independently -- verify they stay in sync
+
 ## Invariants
 
 Fuzzable properties that should hold for all valid inputs:
@@ -272,6 +293,7 @@ Fuzzable properties that should hold for all valid inputs:
 3. **Loan NFT ownership**: The ERC-721 owner of a loan NFT is the only address authorized to repay, reallocate, or manage that loan (absent ROOT or explicit permission grants).
 4. **No flash-loan profit**: Borrowing and repaying in the same block (zero time elapsed) should never yield a net profit to the borrower after all fees.
 5. **Stage monotonicity**: Stage transitions are monotonically increasing in time -- a later stage's `startsAtOrAfter` is always strictly greater than the previous stage's.
+6. **REVOwner initialization**: `DEPLOYER` is set exactly once via `initialize()` and matches the REVDeployer that references this REVOwner via `OWNER()`. Only the initialized `DEPLOYER` can call `setCashOutDelayOf()` and `setTiered721HookOf()`.
 
 ## How to Run Tests
 
@@ -295,7 +317,7 @@ forge test --gas-report
 
 | Pattern | Where | Why |
 |---------|-------|-----|
-| `mulDiv` rounding direction | `beforePayRecordedWith` weight scaling, `_determineSourceFeeAmount`, `_borrowableAmountFrom` | Rounding in borrower's favor compounds over many loans |
+| `mulDiv` rounding direction | `REVOwner.beforePayRecordedWith` weight scaling, `_determineSourceFeeAmount`, `_borrowableAmountFrom` | Rounding in borrower's favor compounds over many loans |
 | Source fee `pay` silently caught on revert | `REVLoans._adjust` try-catch block | The catch block silently returns funds to the borrower instead of paying the fee, which could allow borrowers to intentionally cause fee payment reverts to avoid paying the source fee |
 | `delete _loanOf[loanId]` after external calls | `_repayLoan`, `_reallocateCollateralFromLoan` | Verify delete happens after all references to the loan are resolved |
 | Loan storage read after `_adjust` mutates it | `_repayLoan` partial repay path | `_adjust` modifies `loan` via storage pointer; subsequent reads see mutated values |
@@ -332,6 +354,7 @@ No prior formal audit with finding IDs has been conducted on this codebase. All
 | `REVDeployer_StagesRequired` | REVDeployer | `deployFor` / `launchChainsFor` called with empty `stageConfigurations` array |
 | `REVDeployer_StageTimesMustIncrease` | REVDeployer | Stage `startsAtOrAfter` timestamps are not strictly increasing |
 | `REVDeployer_Unauthorized` | REVDeployer | Caller is not the split operator (for operator-gated functions) or not the project owner (for `launchChainsFor`) |
+| `REVLoans_CashOutDelayNotFinished` | REVLoans | `borrowFrom` called during the 30-day cash-out delay period (cross-chain deployment protection) |
 | `REVLoans_CollateralExceedsLoan` | REVLoans | `reallocateCollateralFromLoan` called with `collateralCountToReturn > loan.collateral` |
 | `REVLoans_InvalidPrepaidFeePercent` | REVLoans | `prepaidFeePercent` outside `[MIN_PREPAID_FEE_PERCENT, MAX_PREPAID_FEE_PERCENT]` range (25-500) |
 | `REVLoans_InvalidTerminal` | REVLoans | Loan source references a terminal not registered in `JBDirectory` for the revnet |

package/CHANGE_LOG.md

@@ -2,6 +2,84 @@
 
 This document describes all changes between `revnet-core` (v5, Solidity 0.8.23) and `revnet-core-v6` (v6, Solidity 0.8.28).
 
+## 0. REVDeployer/REVOwner Split (post-v6 refactor)
+
+### Motivation
+
+REVDeployer exceeded the EIP-170 contract size limit (24,576 bytes) at 26,397 bytes. The contract was split into two:
+
+| Contract | Size | Role |
+|----------|------|------|
+| `REVDeployer` | 19,746 bytes | Deployment, configuration, state storage, split operator management |
+| `REVOwner` | 8,353 bytes (~310 lines) | Runtime hook behavior: `IJBRulesetDataHook` + `IJBCashOutHook` |
+
+### What moved to REVOwner
+
+| Function | Description |
+|----------|-------------|
+| `beforePayRecordedWith()` | Pay data hook -- 721 hook delegation, buyback hook delegation, weight scaling |
+| `beforeCashOutRecordedWith()` | Cash-out data hook -- sucker bypass, fee splitting, cash-out delay enforcement |
+| `afterCashOutRecordedWith()` | Cash-out hook callback -- fee payment to fee revnet |
+| `hasMintPermissionFor()` | Mint permission check for loans, buyback hook, suckers |
+| `_isSuckerOf()` | Internal sucker verification helper |
+| `_beforeTransferTo()` | Internal pre-transfer fee handling |
+| `cashOutDelayOf(revnetId)` | View that returns the cash-out delay from REVOwner storage. Exposed via IREVOwner for REVLoans compatibility. |
+
+### What REVDeployer retains
+
+- `deployFor()` -- revnet deployment (both overloads)
+- `queueStagesToRevnetOf()` -- stage configuration
+- `autoIssueFor()` -- auto-issuance claiming
+- `setSplitOperatorOf()` -- operator management
+- `replaceSplitsOf()` -- split management
+- `deploySuckersFor()` -- sucker deployment
+- Configuration state mappings: `amountToAutoIssue`, `hashedEncodedConfigurationOf`, etc.
+- `OWNER()` -- new view returning the REVOwner address
+- `supportsInterface()` -- no longer includes `IJBRulesetDataHook` or `IJBCashOutHook`
+
+### Storage migration: `cashOutDelayOf` and `tiered721HookOf` moved to REVOwner
+
+The `cashOutDelayOf` and `tiered721HookOf` storage mappings were moved from REVDeployer to REVOwner. REVOwner now has DEPLOYER-restricted setter functions (`setCashOutDelayOf()` and `setTiered721HookOf()`) that only REVDeployer can call. REVDeployer calls these setters during deployment instead of writing to its own storage.
+
+- `cashOutDelayOf` and `tiered721HookOf` removed from `IREVDeployer` interface
+- `IREVOwner.sol` created at `src/interfaces/IREVOwner.sol` (exposes `cashOutDelayOf`)
+- REVLoans now imports `IREVOwner` (not `IREVDeployer`) for `cashOutDelayOf` calls
+- REVOwner reads `cashOutDelayOf` and `tiered721HookOf` directly from its own storage instead of delegating to `DEPLOYER`
+
+### Circular dependency pattern
+
+REVDeployer needs REVOwner (as the `dataHook` address and to set `cashOutDelayOf`/`tiered721HookOf` via restricted setters), and REVOwner references REVDeployer (to restrict setter access). This circular dependency is broken by:
+
+1. Deploy REVOwner first
+2. Deploy REVDeployer with `owner=REVOwner`
+3. Call `REVOwner.initialize(deployer)` to set the `DEPLOYER` storage variable
+
+`REVOwner.DEPLOYER` is a **storage variable** (not immutable) because the deployer address is not known at REVOwner construction time. The `initialize()` function can only be called once. After initialization, `DEPLOYER` is used to restrict access to `setCashOutDelayOf()` and `setTiered721HookOf()`.
+
+### Shared immutables
+
+Both contracts independently store these as immutables (set at construction): `BUYBACK_HOOK`, `DIRECTORY`, `FEE_REVNET_ID`, `SUCKER_REGISTRY`, `LOANS`. The `FEE` constant (25 = 2.5%) is defined in both contracts.
+
+### Interface changes
+
+| Change | Description |
+|--------|-------------|
+| `IREVDeployer.OWNER()` | New view function returning the REVOwner address |
+| `IREVDeployer` | `cashOutDelayOf` and `tiered721HookOf` removed (moved to REVOwner) |
+| `IREVOwner.sol` | New interface at `src/interfaces/IREVOwner.sol` — exposes `cashOutDelayOf` |
+| `REVOwner.setCashOutDelayOf()` | New DEPLOYER-restricted setter for `cashOutDelayOf` |
+| `REVOwner.setTiered721HookOf()` | New DEPLOYER-restricted setter for `tiered721HookOf` |
+| `REVDeployer.supportsInterface()` | No longer reports `IJBRulesetDataHook` or `IJBCashOutHook` |
+| Ruleset `metadata.dataHook` | Now set to `address(REVOwner)` instead of `address(REVDeployer)` |
+
+### Migration impact
+
+- **Indexers/subgraphs**: Data hook events now originate from the REVOwner address, not REVDeployer. `cashOutDelayOf` and `tiered721HookOf` storage reads must target REVOwner, not REVDeployer.
+- **REVLoans**: Now imports `IREVOwner` (not `IREVDeployer`) and calls `REVOwner.cashOutDelayOf(revnetId)` directly from REVOwner storage.
+- **Direct callers**: Any code that read `cashOutDelayOf` or `tiered721HookOf` from REVDeployer must now read from REVOwner. Any code that cast the deployer address to `IJBRulesetDataHook` or `IJBCashOutHook` must now use the REVOwner address instead.
+
+---
+
 ## Summary
 
 - **Buyback hook centralized**: Per-revnet `buybackHookOf` mapping replaced by a single immutable `BUYBACK_HOOK` registry — pools auto-initialized with default parameters during deployment.
@@ -108,6 +186,7 @@ The boolean semantics are **inverted**: v5 used opt-in flags (`splitOperatorCan*
 | `REVLoans` | `REVLoans_NothingToRepay()` |
 | `REVLoans` | `REVLoans_ZeroBorrowAmount()` |
 | `REVLoans` | `REVLoans_SourceMismatch()` |
+| `REVLoans` | `REVLoans_CashOutDelayNotFinished(uint256 cashOutDelay, uint256 blockTimestamp)` |
 | `REVLoans` | `REVLoans_LoanIdOverflow()` |
 
 ### 2.4 New Constants
@@ -129,6 +208,13 @@ The boolean semantics are **inverted**: v5 used opt-in flags (`splitOperatorCan*
 
 ## 3. Event Changes
 
+### 3.0 Indexer Notes
+
+For revnet-focused subgraphs:
+- both deployment flows now correlate to `deployFor` rather than a split `deployFor`/`deployWith721sFor` model;
+- revnet deployment entities should expect an associated 721 hook by default;
+- any entity that previously depended on caller-supplied buyback-hook config should be updated for the v6 auto-configured buyback path.
+
 ### 3.1 Added Events
 
 See section 2.2 above.
@@ -289,6 +375,7 @@ The following structs are identical between v5 and v6 (only `forge-lint` comment
 | **Source fee try-catch hardening** | The source fee payment in `_adjust` is now wrapped in a try-catch block. If the source terminal's `pay` call reverts, the ERC-20 allowance is reclaimed and the fee amount is returned to the beneficiary instead of blocking the entire loan operation. v5 called `terminal.pay` directly without error handling. |
 | **Timestamp cast fix** | `borrowFrom` now casts `block.timestamp` to `uint48` when setting `loan.createdAt`, matching the `REVLoan.createdAt` field width. v5 used `uint40`, which would silently truncate timestamps after the year 36812. |
 | **`ReallocateCollateral` event typo fix** | v5 used `removedcollateralCount` (lowercase 'c'). v6 fixes it to `removedCollateralCount` (uppercase 'C'). |
+| **Cash out delay enforced in loans** | `borrowFrom` now resolves REVOwner from the ruleset's `dataHook` and checks `IREVOwner.cashOutDelayOf(revnetId)` (stored on REVOwner). If the 30-day cross-chain deployment delay hasn't passed, `borrowFrom` reverts with `REVLoans_CashOutDelayNotFinished`. `borrowableAmountFrom` returns 0 during the delay so UIs reflect the restriction. v5 did not enforce the cash out delay in the loans contract. |
 | **NatSpec documentation** | Extensive NatSpec added to all functions, views, and internal helpers. Flash loan safety analysis documented in `_borrowableAmountFrom`. |
 
 ### 6.3 Named Arguments

package/README.md

@@ -17,7 +17,7 @@ Revnets are autonomous Juicebox projects with predetermined economic stages. Eac
 ```
 1. Deploy revnet with stage configurations
    → REVDeployer.deployFor(revnetId=0, config, terminals, suckerConfig)
-   → Creates Juicebox project owned by REVDeployer (permanently)
+   → Creates Juicebox project owned by REVDeployer (permanently), dataHook = REVOwner
    → Deploys ERC-20 token, initializes buyback pools at 1:1 price, deploys suckers
    |
 2. Stage 1 begins (startsAtOrAfter or block.timestamp)
@@ -90,18 +90,20 @@ Every revnet gets a tiered ERC-721 hook deployed automatically — even if no ti
 
 | Contract | Description |
 |----------|-------------|
-| `REVDeployer` | Deploys revnets as Juicebox projects owned by the deployer contract itself (no human owner). Translates stage configurations into Juicebox rulesets, manages buyback hooks, tiered 721 hooks, suckers, split operators, auto-issuance, and cash-out fees. Acts as the ruleset data hook and cash-out hook for every revnet it deploys. When 721 tier splits are active, adjusts the payment weight so the terminal only mints tokens proportional to the amount entering the project treasury (the split portion is forwarded separately). |
+| `REVDeployer` | Deploys revnets as Juicebox projects owned by the deployer contract itself (no human owner). Translates stage configurations into Juicebox rulesets, manages buyback hooks, suckers, split operators, auto-issuance, and configuration state storage. Handles deployment, configuration, and split operator management. Calls DEPLOYER-restricted setters on REVOwner during deployment to store `cashOutDelayOf` and `tiered721HookOf`. |
+| `REVOwner` | Runtime hook contract for all revnets. Implements `IJBRulesetDataHook` and `IJBCashOutHook`. Set as the `dataHook` in each revnet's ruleset metadata. Handles `beforePayRecordedWith`, `beforeCashOutRecordedWith`, `afterCashOutRecordedWith`, `hasMintPermissionFor`, and sucker verification. When 721 tier splits are active, adjusts the payment weight so the terminal only mints tokens proportional to the amount entering the project treasury (the split portion is forwarded separately). Stores `cashOutDelayOf` and `tiered721HookOf` mappings (set by REVDeployer via DEPLOYER-restricted setters `setCashOutDelayOf()` and `setTiered721HookOf()`). |
 | `REVLoans` | Lets participants borrow against their revnet tokens. Collateral tokens are burned on borrow and re-minted on repayment. Each loan is an ERC-721 NFT. Charges a prepaid fee (2.5% min, 50% max) that determines the interest-free duration; after that window, a time-proportional source fee accrues. Loans liquidate after 10 years. |
 
 ### How They Relate
 
-`REVDeployer` owns every revnet's Juicebox project NFT and holds all administrative permissions. During deployment it grants `REVLoans` the `USE_ALLOWANCE` permission so loans can pull funds from the revnet's terminal. `REVLoans` verifies that a revnet was deployed by its expected `REVDeployer` before issuing any loan.
+`REVDeployer` owns every revnet's Juicebox project NFT and holds all administrative permissions. `REVOwner` is set as the `dataHook` for every revnet's rulesets, handling all runtime hook behavior (pay hooks, cash-out hooks, mint permissions) and storing `cashOutDelayOf` and `tiered721HookOf` per revnet (set by REVDeployer via DEPLOYER-restricted setters during deployment). Deploy order: REVOwner is deployed first, then REVDeployer (with `owner=REVOwner`), then `REVOwner.initialize(deployer)` is called to link them. Both contracts share immutables: `BUYBACK_HOOK`, `DIRECTORY`, `FEE_REVNET_ID`, `SUCKER_REGISTRY`, `LOANS`. During deployment, REVDeployer grants `REVLoans` the `USE_ALLOWANCE` permission so loans can pull funds from the revnet's terminal. `REVLoans` imports `IREVOwner` (not `IREVDeployer`) for `cashOutDelayOf` calls and verifies that a revnet was deployed by its expected `REVDeployer` before issuing any loan.
 
 ### Interfaces
 
 | Interface | Description |
 |-----------|-------------|
-| `IREVDeployer` | Deployment, data hooks, auto-issuance, split operator management, sucker deployment, plus events. |
+| `IREVDeployer` | Deployment, auto-issuance, split operator management, sucker deployment, configuration state storage, `OWNER()` view, plus events. |
+| `IREVOwner` | Exposes `cashOutDelayOf` view. Used by REVLoans to read cash-out delay. |
 | `IREVLoans` | Borrow, repay, refinance, liquidate, views, plus events. |
 
 ## Install
@@ -130,10 +132,12 @@ If `forge install` has issues, try `git submodule update --init --recursive`.
 
 ```
 src/
-  REVDeployer.sol                                # Revnet deployer + data hook (~1,373 lines)
+  REVDeployer.sol                                # Revnet deployer + configuration + state storage
+  REVOwner.sol                                   # Runtime data hook + cash-out hook (~310 lines)
   REVLoans.sol                                   # Token-collateralized lending (~1,391 lines)
   interfaces/
     IREVDeployer.sol                             # Deployer interface + events
+    IREVOwner.sol                                # Owner interface (cashOutDelayOf view)
     IREVLoans.sol                                # Loans interface + events
   structs/
     REVConfig.sol                                # Top-level deployment config
@@ -205,6 +209,7 @@ Plus optional from 721 hook config: `ADJUST_721_TIERS`, `SET_721_METADATA`, `MIN
 ## Risks
 
 - **No human owner.** `REVDeployer` permanently holds the project NFT. There is no function to release it. This is by design -- revnets are ownerless. But it means bugs in stage configurations cannot be fixed after deployment.
+- **REVOwner circular dependency.** REVOwner and REVDeployer have a circular dependency broken by a one-shot `initialize()` call. `REVOwner.DEPLOYER` is a storage variable (not immutable) set via `initialize()`. If `initialize()` is never called or called with the wrong address, the DEPLOYER-restricted setters (`setCashOutDelayOf`, `setTiered721HookOf`) cannot be called correctly, and all runtime hook behavior breaks.
 - **Loan flash-loan exposure.** `borrowableAmountFrom` reads live surplus, which can be inflated via flash loans. A borrower could temporarily inflate the treasury to borrow more than the sustained value would support.
 - **uint112 truncation.** `REVLoan.amount` and `REVLoan.collateral` are `uint112` -- values above ~5.19e33 truncate silently.
 - **Cash-out fee stacking.** Cash outs incur both the Juicebox terminal fee (2.5%) and the revnet cash-out fee (2.5% to fee revnet). These compound.

package/RISKS.md

@@ -10,14 +10,15 @@ Read [ARCHITECTURE.md](./ARCHITECTURE.md) and [SKILLS.md](./SKILLS.md) for proto
 
 ### What the system assumes to be correct
 
-- **REVDeployer is a singleton data hook.** Every revnet shares one `beforePayRecordedWith` and `beforeCashOutRecordedWith` implementation. A bug in either function affects ALL revnets deployed by that deployer simultaneously. There is no per-project isolation and no circuit breaker.
+- **REVOwner is a singleton data hook.** Every revnet shares one `beforePayRecordedWith` and `beforeCashOutRecordedWith` implementation in REVOwner. A bug in either function affects ALL revnets deployed by that deployer simultaneously. There is no per-project isolation and no circuit breaker.
+- **REVOwner circular dependency.** REVOwner and REVDeployer have a circular dependency broken by a one-shot `initialize()` call. `REVOwner.DEPLOYER` is a storage variable (not immutable) set via `initialize()`. If `initialize()` is never called, REVDeployer cannot call the DEPLOYER-restricted setters (`setCashOutDelayOf`, `setTiered721HookOf`) on REVOwner, and `cashOutDelayOf`/`tiered721HookOf` will never be populated, breaking all runtime hook behavior. If called with the wrong deployer address, an unauthorized address could set incorrect state. The `initialize()` function must be called exactly once with the correct address immediately after deploying both contracts.
 - **Stage immutability is the trust model.** Once `deployFor()` completes, stage parameters (issuance, `cashOutTaxRate`, splits, auto-issuances) are locked forever. No owner, no governance, no upgrade path. A misconfigured deployment is permanent. This is intentional -- the absence of admin keys IS the security property.
 - **Bonding curve is the sole collateral oracle.** `REVLoans` uses `JBCashOuts.cashOutFrom` to value collateral. There is no external price oracle, no liquidation margin, and no health factor. The borrowable amount equals the cash-out value at the moment of borrowing.
 - **Juicebox core contracts are correct.** `JBController`, `JBMultiTerminal`, `JBTerminalStore`, `JBTokens`, `JBPrices` -- a bug in any of these is a bug in every revnet.
 - **Buyback hook operates correctly.** `BUYBACK_HOOK` handles swap-vs-mint routing. All revnets from the same deployer share one instance. Failure falls back to direct minting (not a revert), so the failure mode is economic inefficiency, not fund loss.
 - **Suckers are honest bridges.** Suckers get 0% cashout tax in `beforeCashOutRecordedWith`. A compromised or malicious sucker registered in `SUCKER_REGISTRY` can extract funds from any revnet at zero cost.
 - **Auto-issuance beneficiaries are set at deployment.** Beneficiary addresses are baked into the stage configuration. If a beneficiary address is a contract that becomes compromised, or an EOA whose keys are lost, those auto-issuance tokens are either captured or permanently unclaimable.
-- **REVLoans contract address is immutable per deployer.** `LOANS` is set once in the REVDeployer constructor with wildcard `USE_ALLOWANCE` permission (`projectId=0`). If the loans contract has a vulnerability, every revnet's surplus is exposed.
+- **REVLoans contract address is immutable per deployer.** `LOANS` is set once in the REVDeployer constructor (and shared as an immutable on REVOwner) with wildcard `USE_ALLOWANCE` permission (`projectId=0`). If the loans contract has a vulnerability, every revnet's surplus is exposed.
 
 ### What you do NOT need to trust
 
@@ -81,6 +82,10 @@ Read [ARCHITECTURE.md](./ARCHITECTURE.md) and [SKILLS.md](./SKILLS.md) for proto
 - **Source mismatch check.** `reallocateCollateralFromLoan` enforces that the new loan's source matches the existing loan's source (`source.token == existingSource.token && source.terminal == existingSource.terminal`). This prevents cross-source value extraction.
 - **MEV opportunity at stage boundaries.** If a borrower knows a stage transition will decrease `cashOutTaxRate`, they can wait until just after the transition and `reallocateCollateralFromLoan` to extract more borrowed funds from the same collateral. This is predictable and not preventable by design.
 
+### Cross-chain cash-out delay enforcement
+
+- **Loans enforce the same 30-day cash-out delay as direct cash outs.** When a revnet is deployed to a new chain where its first stage has already started, REVDeployer calls `REVOwner.setCashOutDelayOf()` to set a 30-day delay (stored on REVOwner). `borrowFrom` resolves the REVOwner from the current ruleset's `dataHook` and checks `IREVOwner.cashOutDelayOf(revnetId)` (read directly from REVOwner storage), reverting with `REVLoans_CashOutDelayNotFinished` if the delay hasn't passed. `borrowableAmountFrom` returns 0 during the delay. This prevents cross-chain arbitrage via the loan system (bridging tokens to a new chain and immediately borrowing against them before prices equilibrate).
+
 ### BURN_TOKENS permission prerequisite
 
 - **Borrowers must grant BURN_TOKENS permission before calling `borrowFrom`.** The loans contract burns the caller's tokens as collateral via `JBController.burnTokensOf`, which requires the caller to have granted `BURN_TOKENS` permission to the loans contract for the revnet's project ID. Without this, the transaction reverts deep in `JBController` with `JBPermissioned_Unauthorized`. The prerequisite is documented in `borrowFrom`'s NatSpec.
@@ -89,22 +94,22 @@ Read [ARCHITECTURE.md](./ARCHITECTURE.md) and [SKILLS.md](./SKILLS.md) for proto
 
 ## 4. Data Hook Proxy Risks
 
-REVDeployer sits between the terminal and the actual hooks (buyback hook, 721 hook). This proxy pattern creates composition risks.
+REVOwner sits between the terminal and the actual hooks (buyback hook, 721 hook). This proxy pattern creates composition risks.
 
 ### Underlying hook reverts
 
-- **721 hook revert in `beforePayRecordedWith`.** The call to `IJBRulesetDataHook(tiered721Hook).beforePayRecordedWith(context)` is NOT wrapped in try-catch. If the 721 hook reverts (e.g., due to a storage corruption or out-of-gas), the entire payment reverts. This is a single point of failure for all payments to revnets with 721 hooks.
-- **Buyback hook is more resilient.** The `BUYBACK_HOOK.beforePayRecordedWith(buybackHookContext)` call is also not try-caught, but the buyback hook is a shared singleton controlled by the protocol. If it reverts, all revnets from that deployer are affected.
-- **Cash-out fee terminal revert.** In `afterCashOutRecordedWith`, the fee payment to the fee terminal IS wrapped in try-catch with a fallback to `addToBalanceOf`. If the fallback also reverts, the entire cashout transaction reverts — no funds are stuck, but the cashout is blocked until the terminal is available.
+- **721 hook revert in `beforePayRecordedWith`.** The call to `IJBRulesetDataHook(tiered721Hook).beforePayRecordedWith(context)` in REVOwner is NOT wrapped in try-catch. If the 721 hook reverts (e.g., due to a storage corruption or out-of-gas), the entire payment reverts. This is a single point of failure for all payments to revnets with 721 hooks.
+- **Buyback hook is more resilient.** The `BUYBACK_HOOK.beforePayRecordedWith(buybackHookContext)` call in REVOwner is also not try-caught, but the buyback hook is a shared singleton controlled by the protocol. If it reverts, all revnets from that deployer are affected.
+- **Cash-out fee terminal revert.** In `REVOwner.afterCashOutRecordedWith`, the fee payment to the fee terminal IS wrapped in try-catch with a fallback to `addToBalanceOf`. If the fallback also reverts, the entire cashout transaction reverts — no funds are stuck, but the cashout is blocked until the terminal is available.
 
 ### Sucker bypass path (0% cashout tax)
 
-- **Suckers bypass all economic protections.** `beforeCashOutRecordedWith` returns `(0, context.cashOutCount, context.totalSupply, hookSpecifications)` for suckers -- zero tax, no fee. A compromised sucker effectively has a backdoor to extract the full pro-rata surplus of any token it holds.
+- **Suckers bypass all economic protections.** `REVOwner.beforeCashOutRecordedWith` returns `(0, context.cashOutCount, context.totalSupply, hookSpecifications)` for suckers -- zero tax, no fee. A compromised sucker effectively has a backdoor to extract the full pro-rata surplus of any token it holds.
 - **Sucker registration is controlled by `SUCKER_REGISTRY`.** The registry has `MAP_SUCKER_TOKEN` wildcard permission from the deployer. The split operator has `SUCKER_SAFETY` permission. Verify that `deploySuckersFor` correctly checks the `extraMetadata` bit (bit 2) for sucker deployment permission per stage.
 
 ### Permission escalation through proxy
 
-- **`hasMintPermissionFor` grants mint to four categories.** The loans contract, buyback hook, buyback hook delegates, and suckers all have unrestricted mint permission. If any of these contracts have a vulnerability that allows arbitrary calls, they can mint unlimited revnet tokens for any revnet.
+- **`hasMintPermissionFor` grants mint to four categories.** `REVOwner.hasMintPermissionFor` grants mint to: the loans contract, buyback hook, buyback hook delegates, and suckers. If any of these contracts have a vulnerability that allows arbitrary calls, they can mint unlimited revnet tokens for any revnet.
 - **Wildcard permissions.** REVDeployer grants `USE_ALLOWANCE` to `LOANS` with `projectId=0` (wildcard). This means the loans contract can drain surplus from ANY revnet deployed by this deployer, constrained only by the loan logic itself. A bug in `REVLoans._addTo` that miscalculates `addedBorrowAmount` could drain treasuries.
 
 ---
@@ -179,7 +184,7 @@ These MUST hold. Breaking any of them is a finding.
 
 - **Sucker privilege.** Only addresses returning `true` from `SUCKER_REGISTRY.isSuckerOf(projectId, addr)` get 0% cashout tax. No other code path grants this exemption.
 - **Loan ownership.** Only `_ownerOf(loanId)` can call `repayLoan` and `reallocateCollateralFromLoan`. The loan NFT is burned before any state changes in repayment, preventing double-use.
-- **Mint permission.** Only `LOANS`, `BUYBACK_HOOK`, buyback hook delegates (via `BUYBACK_HOOK.hasMintPermissionFor`), and suckers (via `_isSuckerOf`) can mint tokens. No other address passes the `hasMintPermissionFor` check.
+- **Mint permission.** Only `LOANS`, `BUYBACK_HOOK`, buyback hook delegates (via `BUYBACK_HOOK.hasMintPermissionFor`), and suckers (via `REVOwner._isSuckerOf`) can mint tokens. No other address passes the `REVOwner.hasMintPermissionFor` check.
 
 ---
 
@@ -187,7 +192,7 @@ These MUST hold. Breaking any of them is a finding.
 
 ### 8.1 Suckers receive 0% cashout tax (by design)
 
-`beforeCashOutRecordedWith` returns `cashOutTaxRate = 0` for any address where `SUCKER_REGISTRY.isSuckerOf(projectId, addr)` returns true. This grants suckers the full pro-rata reclaim with no tax retention. This is intentional: suckers burn tokens on the source chain and mint equivalent tokens on the destination chain. The zero-tax path ensures bridged tokens preserve their full economic value across chains. The security boundary is the sucker registry — only addresses registered by authorized deployers (gated by `DEPLOY_SUCKERS` permission and per-stage `extraMetadata` bit 2) receive this privilege.
+`REVOwner.beforeCashOutRecordedWith` returns `cashOutTaxRate = 0` for any address where `SUCKER_REGISTRY.isSuckerOf(projectId, addr)` returns true. This grants suckers the full pro-rata reclaim with no tax retention. This is intentional: suckers burn tokens on the source chain and mint equivalent tokens on the destination chain. The zero-tax path ensures bridged tokens preserve their full economic value across chains. The security boundary is the sucker registry — only addresses registered by authorized deployers (gated by `DEPLOY_SUCKERS` permission and per-stage `extraMetadata` bit 2) receive this privilege.
 
 ### 8.2 No liquidation trigger for under-collateralized loans (by design)