feat(manager): add _initialOwner constructor param for CREATE2 deploys

VRFConsumerBaseV2Plus hard-wires Chainlink's ConfirmedOwner to set
s_owner = msg.sender at construction. With Arachnid's deterministic
CREATE2 deployer (msg.sender = 0x4e59...), the Manager would be
permanently un-owned — every administrative function (setTreasury,
allowlistToken, pause, etc.) uncallable. This blocks any cross-chain
deterministic deploy strategy.

Fix: add _initialOwner as the last constructor param. After the parent
constructors run (VRFConsumerBaseV2Plus sets s_owner = msg.sender),
call transferOwnership(_initialOwner) to propose ownership to the
intended EOA. Two-step transfer (the only available path —
Chainlink's _transferOwnership is private, not internal). Deploy
scripts finalize via acceptOwnership() from the EOA.

Skipped when _initialOwner == msg.sender (Chainlink reverts on
self-transfer); preserves in-test ownership semantics where the test
contract deploys and owns directly.

Test base updated to pass address(this) as _initialOwner. All 85 tests
remain green; zero behavioral changes for non-CREATE2 deploy paths.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: GeObts

src/TandaManager.sol

@@ -249,10 +249,18 @@ contract TandaManager is VRFConsumerBaseV2Plus, Pausable {
     // ─────────────────────────────────────────────────────────────────────
 
     /// @notice Deploys the Manager as the singleton orchestrator.
-    /// @dev    `VRFConsumerBaseV2Plus` hard-wires the owner to `msg.sender`
-    ///         via `ConfirmedOwner(msg.sender)`. To run with a different
-    ///         initial owner, call `transferOwnership` immediately
-    ///         post-deploy (Chainlink's two-step transfer).
+    /// @dev    `VRFConsumerBaseV2Plus` hard-wires `s_owner = msg.sender`
+    ///         via `ConfirmedOwner(msg.sender)`. For CREATE2 deploys
+    ///         (where `msg.sender` is the deterministic deployer
+    ///         contract rather than the operator EOA) we propose
+    ///         ownership to `_initialOwner` here so the deploy script
+    ///         can finalize via `acceptOwnership()` from that wallet.
+    ///         Chainlink's two-step transfer is the only path
+    ///         available — `_transferOwnership` in
+    ///         `ConfirmedOwnerWithProposal` is `private`. The transfer
+    ///         is skipped when `_initialOwner == msg.sender` (e.g. tests
+    ///         deploying directly), so the in-test ownership semantics
+    ///         are unchanged.
     /// @param _tandaImplementation  EIP-1167 implementation that
     ///                              `createTanda` will clone. Must already
     ///                              be deployed and verified on this chain.
@@ -269,6 +277,10 @@ contract TandaManager is VRFConsumerBaseV2Plus, Pausable {
     ///                              address. Immutable.
     /// @param _completionNFT        Soulbound Completion NFT contract
     ///                              address. Immutable.
+    /// @param _initialOwner         Wallet that will own the Manager after
+    ///                              `acceptOwnership()`. Required nonzero.
+    ///                              When equal to `msg.sender` the transfer
+    ///                              is skipped (no pending-owner window).
     constructor(
         address _tandaImplementation,
         address _vrfCoordinator,
@@ -278,14 +290,16 @@ contract TandaManager is VRFConsumerBaseV2Plus, Pausable {
         address _treasury,
         address _passNFT,
         address _receiptNFT,
-        address _completionNFT
+        address _completionNFT,
+        address _initialOwner
     ) VRFConsumerBaseV2Plus(_vrfCoordinator) {
         if (_tandaImplementation == address(0)) revert ZeroAddress();
         if (_treasury == address(0)) revert ZeroAddress();
         if (_callbackGasLimit == 0) revert ZeroAmount();
         if (_passNFT == address(0)) revert ZeroAddress();
         if (_receiptNFT == address(0)) revert ZeroAddress();
         if (_completionNFT == address(0)) revert ZeroAddress();
+        if (_initialOwner == address(0)) revert ZeroAddress();
         // _vrfCoordinator zero-check is handled by VRFConsumerBaseV2Plus.
 
         tandaImplementation = _tandaImplementation;
@@ -303,6 +317,13 @@ contract TandaManager is VRFConsumerBaseV2Plus, Pausable {
 
         nextTandaId = 1;
         nextCollectionId = 1;
+
+        // Two-step ownership handoff for CREATE2 deploys. Skipped when
+        // the deployer wallet is also the intended owner — Chainlink's
+        // `_transferOwnership` reverts on self-transfer.
+        if (_initialOwner != msg.sender) {
+            transferOwnership(_initialOwner);
+        }
     }
 
     // ─────────────────────────────────────────────────────────────────────

test/helpers/MitandaTestBase.sol

@@ -92,6 +92,10 @@ abstract contract MitandaTestBase is Test {
 
         // 7. Deploy Manager. Its actual address MUST match the prediction
         //    or every NFT call from any tanda will fail forever.
+        // _initialOwner = address(this): test contract is both deployer
+        // and intended owner, so the constructor skips transferOwnership
+        // (Chainlink reverts on self-transfer). Same effective behavior
+        // as the pre-_initialOwner version.
         manager = new TandaManager(
             address(tandaImpl),
             address(vrfCoordinator),
@@ -101,7 +105,8 @@ abstract contract MitandaTestBase is Test {
             TREASURY,
             address(passNFT),
             address(receiptNFT),
-            address(completionNFT)
+            address(completionNFT),
+            address(this)
         );
         require(address(manager) == predictedManager, "MitandaTestBase: Manager address prediction failed");