@dev.sail.money/sailor 0.0.2-15 → 0.0.2-17

package/packages/cli/dist/index.cjs

@@ -39455,6 +39455,40 @@ ${label} key saved. Address: ${checksum4(keyring.address)}`);
     }
   }
 }
+async function keysExportCi() {
+  const account2 = readJsonFile(sailPath("account.json"));
+  const src = resolveKeyPath("manager", account2?.safe);
+  if (!fileExists(src)) {
+    throw new Error(
+      'No agent wallet keystore found.\nComplete Stage 1 (browser UI) to generate your agent wallet, or run\n"sailor keys generate" and choose "agent wallet" to create one manually.'
+    );
+  }
+  const dest = import_node_path6.default.resolve(process.cwd(), "ci-keystore.json");
+  import_node_fs7.default.copyFileSync(src, dest);
+  console.log(`\u2713 Keystore copied to ci-keystore.json`);
+  console.log(`  Source: ${src}`);
+  const gitignorePath = import_node_path6.default.resolve(process.cwd(), ".gitignore");
+  if (import_node_fs7.default.existsSync(gitignorePath)) {
+    const content = import_node_fs7.default.readFileSync(gitignorePath, "utf-8");
+    if (!content.includes("ci-keystore.json")) {
+      import_node_fs7.default.appendFileSync(
+        gitignorePath,
+        "\n# CI keystore \u2014 encrypted agent wallet, safe to commit\n!ci-keystore.json\n"
+      );
+      console.log("\u2713 Added !ci-keystore.json allowlist entry to .gitignore");
+    } else {
+      console.log("\u2713 .gitignore already tracks ci-keystore.json");
+    }
+  }
+  console.log("\nNext steps:");
+  console.log("  1. Add two GitHub Actions secrets (Settings \u2192 Secrets \u2192 Actions):");
+  console.log("       SAIL_PASSPHRASE \u2014 the passphrase that encrypts your agent wallet");
+  console.log("       RPC_URL         \u2014 your RPC endpoint");
+  console.log("  2. Commit and push ci-keystore.json:");
+  console.log('       git add ci-keystore.json && git commit -m "chore: add CI keystore" && git push');
+  console.log("\n  The keystore is encrypted \u2014 the raw private key is never exposed.");
+  console.log("  The workflow at .github/workflows/agent-tick.yml unlocks it with SAIL_PASSPHRASE.");
+}
 async function keysShow() {
   const present = ROLES.filter((role) => keyExists(role));
   if (present.length === 0) {
@@ -40403,7 +40437,7 @@ async function resolveSmaChoice(options, json) {
     if (!isAddress(options.sma, { strict: false })) {
       throw new Error(`Invalid --sma address: ${options.sma}`);
     }
-    return { kind: "address", address: options.sma };
+    return { kind: "address", address: getAddress(options.sma) };
   }
   if (options.newSma) return { kind: "new" };
   if (json) {
@@ -40415,7 +40449,7 @@ async function resolveSmaChoice(options, json) {
   );
   if (choice.toLowerCase() === "y" || choice.toLowerCase() === "yes") return { kind: "new" };
   if (!isAddress(choice, { strict: false })) throw new Error(`Invalid SMA address: ${choice}`);
-  return { kind: "address", address: choice };
+  return { kind: "address", address: getAddress(choice) };
 }
 async function resolveTemplate(project, options, json) {
   const templates = (() => {
@@ -40432,7 +40466,7 @@ async function resolveTemplate(project, options, json) {
     );
     if (match) return { address: match.address, label: match.label };
     if (isAddress(options.template, { strict: false })) {
-      return { address: options.template, label: options.template };
+      return { address: getAddress(options.template), label: options.template };
     }
     throw new Error(
       `Unknown mandate template "${options.template}". Run "sailor mandate templates".`
@@ -40779,7 +40813,7 @@ async function runDeploy(project, channel, options) {
     if (!json) fn();
   };
   if (options.attach && !options.sma) throw new Error("--attach requires --sma <address>");
-  if (options.sma && !isAddress(options.sma)) {
+  if (options.sma && !isAddress(options.sma, { strict: false })) {
     throw new Error(`Invalid --sma address: ${options.sma}`);
   }
   if (project.chainId !== 8453) {
@@ -40855,16 +40889,17 @@ async function runDeploy(project, channel, options) {
   });
   let attachTxHash;
   if (options.attach && options.sma) {
+    const sma = getAddress(options.sma);
     attachTxHash = await attachToSma(
       project,
       channel,
       publicClient,
-      options.sma,
+      sma,
       deployed,
       record.name,
       json
     );
-    store.recordAttachment(deployed, { sma: options.sma, txHash: attachTxHash });
+    store.recordAttachment(deployed, { sma, txHash: attachTxHash });
   } else {
     say(
       () => console.log(
@@ -40877,7 +40912,283 @@ Register it later with: sailor mandate attach --address ${deployed} --sma <SMA>`
   }, {
     status: "ok",
     mandate: { name: record.name, address: deployed, txHash: response.txHash, chainId },
-    attached: options.attach ? { sma: options.sma, txHash: attachTxHash } : null
+    attached: options.attach ? { sma: getAddress(options.sma), txHash: attachTxHash } : null
+  });
+}
+var CLONE_INIT_PREFIX = "0x3d602d80600a3d3981f3363d3d373d3d3d363d73";
+var CLONE_INIT_SUFFIX = "0x5af43d82803e903d91602b57fd5bf3";
+var PERMISSION_FACTORY_ABI = [
+  {
+    type: "function",
+    name: "deployAndAttach",
+    stateMutability: "payable",
+    inputs: [
+      { name: "account", type: "address" },
+      { name: "impl", type: "address" },
+      { name: "salt", type: "bytes32" },
+      { name: "initData", type: "bytes" },
+      { name: "kernelDeadline", type: "uint256" },
+      { name: "kernelSig", type: "bytes" }
+    ],
+    outputs: [{ name: "clone", type: "address" }]
+  }
+];
+var CLONE_TEMPLATES = {
+  boundedApprove: {
+    label: "Bounded Approve",
+    buildInitData: (p) => encodeFunctionData({
+      abi: [
+        {
+          type: "function",
+          name: "initialize",
+          stateMutability: "nonpayable",
+          inputs: [
+            { name: "allowedTokens", type: "address[]" },
+            { name: "allowedSpenders", type: "address[]" },
+            { name: "_maxAmountPerTx", type: "uint256" },
+            { name: "_permissionSigner", type: "address" }
+          ],
+          outputs: []
+        }
+      ],
+      functionName: "initialize",
+      args: [p.tokens, p.spenders, p.max, p.permissionSigner]
+    }),
+    describe: (p) => [
+      { label: "Allowed tokens", value: p.tokens.join(", ") },
+      { label: "Allowed spenders", value: p.spenders.join(", ") },
+      {
+        label: "Max approval / tx",
+        value: p.max === maxUint256 ? "unlimited (uint256 max)" : p.max.toString()
+      }
+    ]
+  }
+};
+function predictCloneAddress(impl, factory, submitter, salt) {
+  const namespacedSalt = keccak256(
+    encodeAbiParameters([{ type: "address" }, { type: "bytes32" }], [submitter, salt])
+  );
+  const initCode = concatHex([CLONE_INIT_PREFIX, impl, CLONE_INIT_SUFFIX]);
+  return getCreate2Address({
+    from: factory,
+    salt: namespacedSalt,
+    bytecodeHash: keccak256(initCode)
+  });
+}
+function parseAddressList(csv, flag) {
+  if (!csv) throw new Error(`${flag} is required (comma-separated address list)`);
+  const list = csv.split(",").map((s) => s.trim()).filter(Boolean);
+  if (list.length === 0) throw new Error(`${flag} is empty`);
+  for (const a of list) {
+    if (!isAddress(a, { strict: false })) throw new Error(`${flag} contains an invalid address: ${a}`);
+  }
+  return list.map((a) => getAddress(a));
+}
+async function mandateDeployClone(options) {
+  const project = requireProject();
+  const channel = await createSigningChannel(process.cwd());
+  try {
+    await channel.start();
+    await runDeployClone(project, channel, options);
+  } catch (err) {
+    fail(err, options.json);
+  } finally {
+    channel.stop();
+  }
+}
+async function runDeployClone(project, channel, options) {
+  const json = !!options.json;
+  const say = (fn) => {
+    if (!json) fn();
+  };
+  if (!isAddress(options.sma, { strict: false })) throw new Error(`Invalid --sma address: ${options.sma}`);
+  const sma = getAddress(options.sma);
+  const spec = CLONE_TEMPLATES[options.template];
+  if (!spec) {
+    throw new Error(
+      `Unsupported clone template "${options.template}". Supported: ${Object.keys(CLONE_TEMPLATES).join(", ")}`
+    );
+  }
+  const impl = project.deployment.standaloneTemplates?.[options.template];
+  if (!impl || !isAddress(impl, { strict: false })) {
+    throw new Error(
+      `No "${options.template}" standalone template is bundled for chain ${project.chainId}.`
+    );
+  }
+  const chain2 = getChainById(project.chainId);
+  const publicClient = publicClientFor(project);
+  const agentSigner = await loadManagerSigner2();
+  const registered = await publicClient.readContract({
+    address: project.contracts.kernel,
+    abi: SailKernelAbi,
+    functionName: "registered",
+    args: [sma]
+  });
+  if (!registered) {
+    throw new Error(`SMA ${sma} is not registered with SailKernel; cannot register a permission.`);
+  }
+  const kernelConfig = await publicClient.readContract({
+    address: project.contracts.kernel,
+    abi: SailKernelAbi,
+    functionName: "configs",
+    args: [sma]
+  });
+  const permissionSigner = kernelConfig[0];
+  const initParams = {
+    permissionSigner,
+    tokens: parseAddressList(options.tokens, "--tokens"),
+    spenders: parseAddressList(options.spenders, "--spenders"),
+    max: options.max ? BigInt(options.max) : maxUint256
+  };
+  const initData = spec.buildInitData(initParams);
+  const submitter = agentSigner.address;
+  const salt = keccak256(
+    encodeAbiParameters(
+      [{ type: "address" }, { type: "address" }, { type: "uint256" }],
+      [sma, impl, BigInt(Math.floor(Date.now() / 1e3))]
+    )
+  );
+  const clone = predictCloneAddress(impl, project.contracts.permissionFactory, submitter, salt);
+  say(() => {
+    console.log(`
+${spec.label} clone (${options.template})`);
+    console.log(`  logic impl:      ${impl}`);
+    console.log(`  predicted clone: ${clone}`);
+    console.log(`  SMA:             ${sma}`);
+    for (const d of spec.describe(initParams)) console.log(`  ${d.label}: ${d.value}`);
+    console.log(`
+\u2192 Signing station:
+  Open ${channel.url} and connect your Owner wallet
+`);
+  });
+  const nonce = await publicClient.readContract({
+    address: project.contracts.kernel,
+    abi: SailKernelAbi,
+    functionName: "signerNonces",
+    args: [sma]
+  });
+  let registerPermissionHasDeadline = false;
+  try {
+    const caps = await detectKernelCapabilities(publicClient, project.contracts.kernel, {
+      chainId: project.chainId
+    });
+    registerPermissionHasDeadline = caps.registerPermissionHasDeadline;
+  } catch {
+  }
+  const deadline = registerPermissionHasDeadline ? BigInt(Math.floor(Date.now() / 1e3) + 300) : void 0;
+  const typedData = buildRegisterPermissionTypedData({
+    chainId: project.chainId,
+    kernel: project.contracts.kernel,
+    account: sma,
+    permission: clone,
+    nonce,
+    hasDeadline: registerPermissionHasDeadline,
+    deadline
+  });
+  const label = options.label ?? `${spec.label} (${options.template})`;
+  say(
+    () => console.log(
+      `Pushing signing request \u2014 the mandate signer (${permissionSigner}) must sign in the browser.`
+    )
+  );
+  const response = await channel.requestSignature({
+    type: "typed-data",
+    kind: "register-permission",
+    title: `Authorize "${label}"`,
+    description: `Sign to authorize a new ${spec.label} permission on your SMA. The agent deploys and registers it in one transaction.`,
+    chainId: project.chainId,
+    details: [
+      { label: "SMA", value: sma },
+      { label: "Permission (predicted)", value: clone },
+      { label: "Template", value: options.template },
+      { label: "Mandate signer", value: permissionSigner },
+      ...spec.describe(initParams)
+    ],
+    typedData
+  });
+  if (response.status === "rejected") {
+    throw new Error(`User rejected authorization: ${response.reason ?? "no reason given"}`);
+  }
+  if (response.status !== "signature") {
+    throw new Error(`Expected EIP-712 signature response, got: ${response.status}`);
+  }
+  const signature = response.signature;
+  try {
+    const recoveredSigner = await recoverTypedDataAddress({
+      domain: sailKernelDomain({ chainId: project.chainId, kernel: project.contracts.kernel }),
+      types: registerPermissionHasDeadline ? REGISTER_PERMISSION_TYPES : REGISTER_PERMISSION_TYPES_NO_DEADLINE,
+      primaryType: "RegisterPermission",
+      message: registerPermissionHasDeadline ? { account: sma, permission: clone, nonce, deadline } : { account: sma, permission: clone, nonce },
+      signature
+    });
+    if (recoveredSigner.toLowerCase() !== permissionSigner.toLowerCase()) {
+      throw new Error(
+        `Security: RegisterPermission was signed by ${recoveredSigner} but the on-chain mandate signer is ${permissionSigner}.
+Connect the owner wallet (mandate signer) in the browser \u2014 the agent wallet must never sign permission registrations.`
+      );
+    }
+  } catch (err) {
+    if (err.message.startsWith("Security:")) throw err;
+  }
+  const fee = await estimatePermissionFee(publicClient, project.contracts.governance, clone);
+  if (!registerPermissionHasDeadline || deadline === void 0) {
+    throw new Error(
+      "deploy-clone requires a selective kernel (RegisterPermission with deadline). This chain's kernel does not match."
+    );
+  }
+  say(() => console.log(`Submitting deployAndAttach (agent pays gas; fee ${fee} wei)\u2026`));
+  const walletClient = createWalletClient({
+    account: agentSigner.viemAccount,
+    chain: chain2,
+    transport: http(getRpcUrl(project.chainId))
+  });
+  const data = encodeFunctionData({
+    abi: PERMISSION_FACTORY_ABI,
+    functionName: "deployAndAttach",
+    args: [sma, impl, salt, initData, deadline, signature]
+  });
+  const txHash = await walletClient.sendTransaction({
+    to: project.contracts.permissionFactory,
+    data,
+    value: fee,
+    account: agentSigner.viemAccount,
+    chain: chain2
+  });
+  say(() => console.log("Waiting for confirmation\u2026"));
+  const receipt = await publicClient.waitForTransactionReceipt({ hash: txHash });
+  if (receipt.status !== "success") {
+    throw new Error(`deployAndAttach reverted (tx ${txHash})`);
+  }
+  const attached = await pollForPermission(publicClient, project.contracts.kernel, sma, clone);
+  if (!attached) {
+    throw new Error(
+      `Tx ${txHash} mined, but clone ${clone} is not in getPermissions(${sma}). Verify on-chain.`
+    );
+  }
+  say(() => console.log("\u2713", `Deployed + registered ${spec.label} at ${clone}`));
+  const store = new MandateStore();
+  store.add({
+    name: label,
+    address: clone,
+    txHash,
+    chainId: project.chainId,
+    deployedAt: (/* @__PURE__ */ new Date()).toISOString()
+  });
+  store.recordAttachment(clone, { sma, txHash });
+  appendActivity({
+    ts: nowIso(),
+    actor: "agent",
+    type: "permission_registered",
+    permission: clone,
+    name: label,
+    sma,
+    txHash,
+    chainId: project.chainId
+  });
+  emit(json, () => {
+  }, {
+    status: "ok",
+    clone: { template: options.template, address: clone, impl, txHash, sma, chainId: project.chainId }
   });
 }
 async function mandateAttach(options) {
@@ -40894,15 +41205,17 @@ async function mandateAttach(options) {
 }
 async function runAttach(project, channel, options) {
   const json = !!options.json;
-  if (!isAddress(options.sma)) throw new Error(`Invalid --sma address: ${options.sma}`);
+  if (!isAddress(options.sma, { strict: false })) throw new Error(`Invalid --sma address: ${options.sma}`);
+  const sma = getAddress(options.sma);
   const store = new MandateStore();
   const tracked = store.find(options.address);
-  const mandateAddress = tracked?.address ?? options.address;
-  if (!isAddress(mandateAddress)) {
+  const rawAddress = tracked?.address ?? options.address;
+  if (!isAddress(rawAddress, { strict: false })) {
     throw new Error(
       `--address must be a deployed mandate address or a tracked name: ${options.address}`
     );
   }
+  const mandateAddress = getAddress(rawAddress);
   const label = options.label ?? tracked?.name ?? "mandate";
   const publicClient = publicClientFor(project);
   if (!json) {
@@ -40917,16 +41230,16 @@ async function runAttach(project, channel, options) {
     project,
     channel,
     publicClient,
-    options.sma,
+    sma,
     mandateAddress,
     label,
     json
   );
-  if (tracked) store.recordAttachment(mandateAddress, { sma: options.sma, txHash });
+  if (tracked) store.recordAttachment(mandateAddress, { sma, txHash });
   emit(json, () => {
   }, {
     status: "ok",
-    attached: { sma: options.sma, mandate: mandateAddress, txHash }
+    attached: { sma, mandate: mandateAddress, txHash }
   });
 }
 async function mandateRevoke(options) {
@@ -40946,11 +41259,11 @@ async function runRevoke(project, channel, options) {
   const say = (fn) => {
     if (!json) fn();
   };
-  if (!isAddress(options.sma)) throw new Error(`Invalid --sma address: ${options.sma}`);
+  if (!isAddress(options.sma, { strict: false })) throw new Error(`Invalid --sma address: ${options.sma}`);
   if (!options.all && !options.address) {
     throw new Error("Provide --address <permission> (or a tracked name), or --all");
   }
-  const sma = options.sma;
+  const sma = getAddress(options.sma);
   const kernel = project.contracts.kernel;
   const publicClient = publicClientFor(project);
   const onchain = await publicClient.readContract({
@@ -40966,10 +41279,11 @@ async function runRevoke(project, channel, options) {
     targets = onchain;
   } else {
     const tracked = store.find(options.address);
-    const wanted = tracked?.address ?? options.address;
-    if (!isAddress(wanted)) {
+    const rawWanted = tracked?.address ?? options.address;
+    if (!isAddress(rawWanted, { strict: false })) {
       throw new Error(`--address must be a permission address or a tracked name: ${options.address}`);
     }
+    const wanted = getAddress(rawWanted);
     const match = onchain.find((p) => p.toLowerCase() === wanted.toLowerCase());
     if (!match) {
       throw new Error(`${wanted} is not in the SMA's current permission set; nothing to revoke.`);
@@ -41291,9 +41605,29 @@ function runForgeBuild() {
 }
 
 // src/commands/mandate.ts
-function trackedPermissionsFor(account2) {
+init_esm2();
+async function fetchOnChainPermissions(account2) {
+  try {
+    const project = new ProjectContext();
+    const rpcUrl = getRpcUrl(project.chainId) ?? getChainById(project.chainId).rpcUrls.default.http[0];
+    const pc = createPublicClient({
+      chain: getChainById(project.chainId),
+      transport: http(rpcUrl)
+    });
+    const onChain = await pc.readContract({
+      address: project.contracts.kernel,
+      abi: SailKernelAbi,
+      functionName: "getPermissions",
+      args: [account2.safe]
+    });
+    return new Set(onChain.map((a) => a.toLowerCase()));
+  } catch {
+    return null;
+  }
+}
+async function trackedPermissionsFor(account2) {
   const store = new MandateStore();
-  return store.list().filter((m) => m.chainId === account2.chainId).map((m) => {
+  const local = store.list().filter((m) => m.chainId === account2.chainId).map((m) => {
     const attachment = m.attachments?.find(
       (a) => a.sma.toLowerCase() === account2.safe.toLowerCase()
     );
@@ -41304,6 +41638,15 @@ function trackedPermissionsFor(account2) {
       attachedAt: attachment?.at
     };
   });
+  const onChain = await fetchOnChainPermissions(account2);
+  if (onChain !== null) {
+    for (const p of local) {
+      if (p.registeredOnSma && !onChain.has(p.address.toLowerCase())) {
+        p.revokedOnChain = true;
+      }
+    }
+  }
+  return local;
 }
 function printNoPermissionsGuidance() {
   console.log(
@@ -41315,7 +41658,7 @@ async function mandatePrepare() {
   if (!account2) {
     throw new Error('No account found at .sail/account.json.\nRun "sailor account create" first.');
   }
-  const permissions = trackedPermissionsFor(account2);
+  const permissions = await trackedPermissionsFor(account2);
   if (permissions.length === 0) {
     printNoPermissionsGuidance();
     return;
@@ -41324,7 +41667,7 @@ async function mandatePrepare() {
 ${permissions.length} permission(s) tracked for SMA ${account2.safe}:
 `);
   for (const p of permissions) {
-    const status2 = p.registeredOnSma ? `registered on this SMA${p.attachedAt ? ` (${p.attachedAt})` : ""}` : "not yet registered on this SMA";
+    const status2 = p.revokedOnChain ? "revoked on-chain (local record is stale)" : p.registeredOnSma ? `registered on this SMA${p.attachedAt ? ` (${p.attachedAt})` : ""}` : "not yet registered on this SMA";
     console.log(`\u2022 ${p.label}`);
     console.log(`    ${p.address}`);
     console.log(`    ${status2}`);
@@ -41332,7 +41675,8 @@ ${permissions.length} permission(s) tracked for SMA ${account2.safe}:
   const draft = {
     account: account2.safe,
     chainId: account2.chainId,
-    permissions: permissions.map((p) => ({ address: p.address, label: p.label })),
+    // Exclude permissions revoked on-chain — the draft reflects the live set.
+    permissions: permissions.filter((p) => !p.revokedOnChain).map((p) => ({ address: p.address, label: p.label })),
     createdAt: (/* @__PURE__ */ new Date()).toISOString()
   };
   writeJsonFile(sailPath("mandate-draft.json"), draft);
@@ -41343,7 +41687,7 @@ async function mandateSign(opts = {}) {
   if (!account2) {
     throw new Error('No account found at .sail/account.json.\nRun "sailor account create" first.');
   }
-  const permissions = trackedPermissionsFor(account2);
+  const permissions = await trackedPermissionsFor(account2);
   if (permissions.length === 0) {
     printNoPermissionsGuidance();
     return;
@@ -41353,22 +41697,25 @@ Permissions tracked for SMA ${account2.safe}:
 `);
   for (const p of permissions) {
     console.log(`\u2022 ${p.label}  (${p.address})`);
-    console.log(`    ${p.registeredOnSma ? "registered on-chain" : "NOT yet registered on this SMA"}`);
+    console.log(
+      `    ${p.revokedOnChain ? "revoked on-chain (local record is stale)" : p.registeredOnSma ? "registered on-chain" : "NOT yet registered on this SMA"}`
+    );
   }
   console.log(
     "\nNote: `sailor mandate sign` reviews and confirms the permissions attached to your SMA.\nOn-chain registration happens via `sailor mandate attach` (or `sailor mandate deploy --attach`)."
   );
+  const activePermissions = permissions.filter((p) => !p.revokedOnChain);
   const proceed = opts.yes || await confirm(
-    `Confirm these ${permissions.length} permission(s) are authorized for your SMA?`
+    `Confirm these ${activePermissions.length} permission(s) are authorized for your SMA?`
   );
   if (!proceed) {
     console.log("No permissions confirmed.");
     return;
   }
-  const unregistered = permissions.filter((p) => !p.registeredOnSma);
+  const unregistered = activePermissions.filter((p) => !p.registeredOnSma);
   if (unregistered.length === 0) {
     console.log(`
-\u2713 Confirmed ${permissions.length} permission(s) for ${account2.safe}.`);
+\u2713 Confirmed ${activePermissions.length} permission(s) for ${account2.safe}.`);
   } else {
     console.log(
       `
@@ -41384,7 +41731,8 @@ ${unregistered.length} permission(s) are not yet registered on this SMA. Initiat
     signedAt: (/* @__PURE__ */ new Date()).toISOString(),
     signature: "",
     registeredOnChain: true,
-    permissions: permissions.map((p) => ({ template: p.label, params: {} }))
+    // Only include permissions that are currently active on-chain.
+    permissions: activePermissions.map((p) => ({ template: p.label, params: {} }))
   };
   writeJsonFile(sailPath("mandate.json"), storedMandate);
   console.log(`
@@ -41723,14 +42071,15 @@ async function resolveNewManager(options, oldManager, json, say) {
     if (!isAddress(options.to, { strict: false })) {
       throw new Error(`Invalid --to address: ${options.to}`);
     }
+    const to = getAddress(options.to);
     say(
       () => console.log(
         `
-Rotating to existing address ${options.to}. The local agent keystore is left unchanged \u2014
+Rotating to existing address ${to}. The local agent keystore is left unchanged \u2014
 ensure the agent that signs dispatches holds this key.`
       )
     );
-    return options.to;
+    return to;
   }
   if (json) {
     throw new Error("Pass --to <address> in --json mode (key generation is interactive).");
@@ -42114,7 +42463,8 @@ Configure the chain in @sail/chains or set KERNEL_ADDRESS in .sail/.env.local.`
     } catch (err) {
       console.error(`could not read registered permissions: ${err.message}`);
     }
-    let tickDispatched = 0;
+    let tickExecuted = 0;
+    let tickReverted = 0;
     let tickSkipped = 0;
     for (const rawDispatch of dispatches) {
       const dispatch = rawDispatch;
@@ -42193,9 +42543,15 @@ Configure the chain in @sail/chains or set KERNEL_ADDRESS in .sail/.env.local.`
           } catch {
           }
         }
-        appendActivity({ ts: nowIso(), actor: "agent", type: "dispatch_executed", permission, target, txHash: result.txHash });
-        console.log(`executed: ${result.txHash}`);
-        tickDispatched++;
+        if (!result.success) {
+          appendActivity({ ts: nowIso(), actor: "agent", type: "dispatch_reverted", permission, target, txHash: result.txHash, gasUsed: String(result.gasUsed) });
+          console.error(`reverted: ${result.txHash}  (gas used: ${result.gasUsed})`);
+          tickReverted++;
+        } else {
+          appendActivity({ ts: nowIso(), actor: "agent", type: "dispatch_executed", permission, target, txHash: result.txHash });
+          console.log(`executed: ${result.txHash}`);
+          tickExecuted++;
+        }
       } catch (err) {
         const reason = err.message;
         console.error(`dispatch error: ${reason}`);
@@ -42204,13 +42560,10 @@ Configure the chain in @sail/chains or set KERNEL_ADDRESS in .sail/.env.local.`
       }
     }
     if (dispatches.length > 0) {
-      if (tickSkipped > 0) {
-        console.log(
-          `tick complete: ${tickDispatched} dispatched, ${tickSkipped} skipped (no matching permission or denied)`
-        );
-      } else {
-        console.log(`tick complete: ${tickDispatched} dispatched`);
-      }
+      const parts = [`${tickExecuted} executed`];
+      if (tickReverted > 0) parts.push(`${tickReverted} reverted`);
+      if (tickSkipped > 0) parts.push(`${tickSkipped} skipped`);
+      console.log(`tick complete: ${parts.join(", ")}`);
     }
     appendActivity({ ts: nowIso(), actor: "agent", type: "tick_end" });
   }
@@ -42265,8 +42618,8 @@ async function scan(options) {
     process.exit(1);
   }
   const project = new ProjectContext();
-  const owner2 = options.owner ?? project.getOwner() ?? void 0;
-  if (!owner2 || !isAddress(owner2, { strict: false })) {
+  const rawOwner = options.owner ?? project.getOwner() ?? void 0;
+  if (!rawOwner || !isAddress(rawOwner, { strict: false })) {
     emit(
       options.json,
       () => console.log(
@@ -42276,6 +42629,7 @@ async function scan(options) {
     );
     process.exit(1);
   }
+  const owner2 = getAddress(rawOwner);
   const chainId = project.chainId;
   const kernel = project.contracts.kernel;
   const publicClient = createPublicClient({
@@ -42699,6 +43053,9 @@ ui.action(action(uiCommand));
 var keys = program2.command("keys").description("Manage local signing keys");
 keys.command("generate").description("Generate and encrypt an agent wallet or mandate signer key").action(action(keysGenerate));
 keys.command("show").description("Show the address of each stored key").action(action(keysShow));
+keys.command("export-ci").description(
+  "Copy the encrypted agent wallet keystore to ci-keystore.json for committing to CI"
+).action(action(keysExportCi));
 var account = program2.command("account").description("Manage the Sail SMA");
 account.command("create").description("Create a new Sail SMA on-chain").action(action(accountCreate));
 account.command("rotate-signer").description("Rotate the SMA's delegated signer (agent wallet) and re-approve its mandates").option("--sma <address>", "SMA to rotate (defaults to the active account)").option("--to <address>", "Rotate to an existing agent-wallet address instead of generating one").option("--generate", "Generate a fresh local agent wallet (default when --to is omitted)").option("--skip-reattach", "Do not re-approve the previously-attached mandates").option("--reattach-only", "Skip rotation; only re-approve mandates (resume after funding)").option("--json", "Machine-readable output").action(actionWith(rotateSigner));
@@ -42707,6 +43064,7 @@ mandate.command("prepare").description("Prepare a mandate draft for review and s
 mandate.command("sign").description("Review and confirm the permissions authorized for your SMA").option("--yes", "Skip the confirmation prompt (for non-interactive / CI use)").action(actionWith(mandateSign));
 mandate.command("deploy").description("Deploy a Foundry-compiled permission contract via the browser signing UI").option("--artifact <path>", "Path to the Foundry artifact JSON (out/<Name>.sol/<Name>.json)").option("--contract <name>", "Contract name; resolves to <out>/<name>.sol/<name>.json").option("--out <dir>", "Foundry output directory", "out").option("--name <label>", "Label to track this permission under (defaults to contract name)").option("--args <json>", `Constructor args as a JSON array, e.g. '[["0x.."],"1000"]'`).option("--build", "Run `forge build` before deploying").option("--attach", "After deploy, register the permission on --sma").option("--sma <address>", "SMA to register on (required with --attach)").option("--json", "Emit machine-readable JSON").action(actionWith(mandateDeploy));
 mandate.command("attach").description("Register an already-deployed permission on an SMA (EIP-712 RegisterPermission)").requiredOption("--address <mandateOrName>", "Permission address, or a name tracked locally").requiredOption("--sma <address>", "SMA to register the permission on").option("--label <label>", "Human-readable label shown in the signing UI").option("--json", "Emit machine-readable JSON").action(actionWith(mandateAttach));
+mandate.command("deploy-clone").description("Deploy + register a standalone clone permission (e.g. boundedApprove) via the signing UI").requiredOption("--template <key>", "Standalone clone template key (e.g. boundedApprove)").requiredOption("--sma <address>", "SMA to deploy the clone for and register it on").option("--tokens <csv>", "Comma-separated allowed token addresses").option("--spenders <csv>", "Comma-separated allowed spender addresses").option("--max <amount>", "Max amount per tx in base units (default: uint256 max)").option("--label <label>", "Human-readable label to track this permission under").option("--json", "Emit machine-readable JSON").action(actionWith(mandateDeployClone));
 mandate.command("revoke").description("Revoke permission(s) from an SMA (EIP-712 RevokePermissions, owner-authorized)").option("--address <permissionOrName>", "Permission address, or a name tracked locally").requiredOption("--sma <address>", "Safe (SMA) to revoke the permission(s) from").option("--all", "Revoke every permission currently registered on the SMA").option("--json", "Output JSON").action(actionWith(mandateRevoke));
 mandate.command("templates").description("Show how to author your own permission contract (and any community-deployed addresses)").option("--json", "Emit machine-readable JSON").action(actionWith(mandateTemplates));
 mandate.command("list").description("List permission contracts deployed from this project").action(action(async () => mandateContractsList()));
@@ -42744,7 +43102,6 @@ function stub(name, description) {
     console.log(`sailor ${name}: not implemented yet`);
   });
 }
-stub("setup", "Walk through the Sailor setup guide");
 stub("dispatch preview", "Preview a dispatch without submitting");
 program2.parse(process.argv);
 /*! Bundled license information: