@dev.sail.money/sailor 0.0.2-17 → 0.0.2-19

package/packages/cli/dist/server.cjs

@@ -5113,7 +5113,7 @@ var require_lib2 = __commonJS({
     iconv.encodings = null;
     iconv.defaultCharUnicode = "\uFFFD";
     iconv.defaultCharSingleByte = "?";
-    iconv.encode = function encode4(str, encoding, options) {
+    iconv.encode = function encode5(str, encoding, options) {
       str = "" + (str || "");
       var encoder7 = iconv.getEncoder(encoding, options);
       var res = encoder7.write(str);
@@ -15943,7 +15943,7 @@ var require_get_intrinsic = __commonJS({
     var abs = require_abs();
     var floor = require_floor();
     var max = require_max();
-    var min = require_min();
+    var min2 = require_min();
     var pow = require_pow();
     var round = require_round();
     var sign3 = require_sign();
@@ -16057,7 +16057,7 @@ var require_get_intrinsic = __commonJS({
       "%Math.abs%": abs,
       "%Math.floor%": floor,
       "%Math.max%": max,
-      "%Math.min%": min,
+      "%Math.min%": min2,
       "%Math.pow%": pow,
       "%Math.round%": round,
       "%Math.sign%": sign3,
@@ -16626,7 +16626,7 @@ var require_utils = __commonJS({
       }
     };
     var limit = 1024;
-    var encode4 = function encode5(str, defaultEncoder, charset, kind, format) {
+    var encode5 = function encode6(str, defaultEncoder, charset, kind, format) {
       if (str.length === 0) {
         return str;
       }
@@ -16728,7 +16728,7 @@ var require_utils = __commonJS({
       combine,
       compact,
       decode: decode2,
-      encode: encode4,
+      encode: encode5,
       isBuffer,
       isOverflow,
       isRegExp,
@@ -22055,12 +22055,12 @@ var require_cookie = __commonJS({
       } while (++index2 < max);
       return max;
     }
-    function endIndex(str, index2, min) {
-      while (index2 > min) {
+    function endIndex(str, index2, min2) {
+      while (index2 > min2) {
         var code = str.charCodeAt(--index2);
         if (code !== 32 && code !== 9) return index2 + 1;
       }
-      return min;
+      return min2;
     }
     function serialize(name, val, opt) {
       var enc = opt && opt.encode || encodeURIComponent;
@@ -27538,7 +27538,7 @@ var init_base = __esm({
 });
 
 // ../../node_modules/.pnpm/viem@2.51.3_bufferutil@4.1.0_typescript@5.9.3_utf-8-validate@5.0.10_zod@4.4.3/node_modules/viem/_esm/errors/abi.js
-var AbiEncodingArrayLengthMismatchError, AbiEncodingBytesSizeMismatchError, AbiEncodingLengthMismatchError, AbiFunctionNotFoundError, AbiItemAmbiguityError, BytesSizeMismatchError, InvalidAbiEncodingTypeError, InvalidArrayError, InvalidDefinitionTypeError;
+var AbiEncodingArrayLengthMismatchError, AbiEncodingBytesSizeMismatchError, AbiEncodingLengthMismatchError, AbiFunctionNotFoundError, AbiItemAmbiguityError, BytesSizeMismatchError, InvalidAbiEncodingTypeError, InvalidArrayError, InvalidDefinitionTypeError, UnsupportedPackedAbiType;
 var init_abi = __esm({
   "../../node_modules/.pnpm/viem@2.51.3_bufferutil@4.1.0_typescript@5.9.3_utf-8-validate@5.0.10_zod@4.4.3/node_modules/viem/_esm/errors/abi.js"() {
     init_formatAbiItem2();
@@ -27622,6 +27622,13 @@ var init_abi = __esm({
         ].join("\n"), { name: "InvalidDefinitionTypeError" });
       }
     };
+    UnsupportedPackedAbiType = class extends BaseError2 {
+      constructor(type) {
+        super(`Type "${type}" is not supported for packed encoding.`, {
+          name: "UnsupportedPackedAbiType"
+        });
+      }
+    };
   }
 });
 
@@ -27689,8 +27696,8 @@ var init_encoding = __esm({
   "../../node_modules/.pnpm/viem@2.51.3_bufferutil@4.1.0_typescript@5.9.3_utf-8-validate@5.0.10_zod@4.4.3/node_modules/viem/_esm/errors/encoding.js"() {
     init_base();
     IntegerOutOfRangeError = class extends BaseError2 {
-      constructor({ max, min, signed, size: size6, value }) {
-        super(`Number "${value}" is not in safe ${size6 ? `${size6 * 8}-bit ${signed ? "signed" : "unsigned"} ` : ""}integer range ${max ? `(${min} to ${max})` : `(above ${min})`}`, { name: "IntegerOutOfRangeError" });
+      constructor({ max, min: min2, signed, size: size6, value }) {
+        super(`Number "${value}" is not in safe ${size6 ? `${size6 * 8}-bit ${signed ? "signed" : "unsigned"} ` : ""}integer range ${max ? `(${min2} to ${max})` : `(above ${min2})`}`, { name: "IntegerOutOfRangeError" });
       }
     };
     SizeOverflowError = class extends BaseError2 {
@@ -28001,9 +28008,9 @@ function aexists(instance, checkFinished = true) {
 }
 function aoutput(out, instance) {
   abytes(out);
-  const min = instance.outputLen;
-  if (out.length < min) {
-    throw new Error("digestInto() expects output buffer of length at least " + min);
+  const min2 = instance.outputLen;
+  if (out.length < min2) {
+    throw new Error("digestInto() expects output buffer of length at least " + min2);
   }
 }
 function u32(arr) {
@@ -28639,9 +28646,10 @@ var init_slice = __esm({
 });
 
 // ../../node_modules/.pnpm/viem@2.51.3_bufferutil@4.1.0_typescript@5.9.3_utf-8-validate@5.0.10_zod@4.4.3/node_modules/viem/_esm/utils/regex.js
-var bytesRegex2, integerRegex2;
+var arrayRegex, bytesRegex2, integerRegex2;
 var init_regex2 = __esm({
   "../../node_modules/.pnpm/viem@2.51.3_bufferutil@4.1.0_typescript@5.9.3_utf-8-validate@5.0.10_zod@4.4.3/node_modules/viem/_esm/utils/regex.js"() {
+    arrayRegex = /^(.*)\[([0-9]*)\]$/;
     bytesRegex2 = /^bytes([1-9]|1[0-9]|2[0-9]|3[0-2])?$/;
     integerRegex2 = /^(u?int)(8|16|24|32|40|48|56|64|72|80|88|96|104|112|120|128|136|144|152|160|168|176|184|192|200|208|216|224|232|240|248|256)?$/;
   }
@@ -28799,11 +28807,11 @@ function encodeBool(value) {
 function encodeNumber(value, { signed, size: size6 = 256 }) {
   if (typeof size6 === "number") {
     const max = 2n ** (BigInt(size6) - (signed ? 1n : 0n)) - 1n;
-    const min = signed ? -max - 1n : 0n;
-    if (value > max || value < min)
+    const min2 = signed ? -max - 1n : 0n;
+    if (value > max || value < min2)
       throw new IntegerOutOfRangeError({
         max: max.toString(),
-        min: min.toString(),
+        min: min2.toString(),
         signed,
         size: size6 / 8,
         value: value.toString()
@@ -29412,8 +29420,8 @@ function getEncodableList(list) {
         else
           cursor.pushUint32(bodyLength);
       }
-      for (const { encode: encode4 } of list) {
-        encode4(cursor);
+      for (const { encode: encode5 } of list) {
+        encode5(cursor);
       }
     }
   };
@@ -30634,12 +30642,12 @@ function utf8ToBytes2(str) {
     throw new Error("string expected");
   return new Uint8Array(new TextEncoder().encode(str));
 }
-function inRange(n, min, max) {
-  return isPosBig(n) && isPosBig(min) && isPosBig(max) && min <= n && n < max;
+function inRange(n, min2, max) {
+  return isPosBig(n) && isPosBig(min2) && isPosBig(max) && min2 <= n && n < max;
 }
-function aInRange(title, n, min, max) {
-  if (!inRange(n, min, max))
-    throw new Error("expected valid " + title + ": " + min + " <= n < " + max + ", got " + n);
+function aInRange(title, n, min2, max) {
+  if (!inRange(n, min2, max))
+    throw new Error("expected valid " + title + ": " + min2 + " <= n < " + max + ", got " + n);
 }
 function bitLen(n) {
   let len;
@@ -30764,6 +30772,80 @@ var init_chain = __esm({
   }
 });
 
+// ../../node_modules/.pnpm/viem@2.51.3_bufferutil@4.1.0_typescript@5.9.3_utf-8-validate@5.0.10_zod@4.4.3/node_modules/viem/_esm/utils/abi/encodePacked.js
+function encodePacked(types, values) {
+  if (types.length !== values.length)
+    throw new AbiEncodingLengthMismatchError({
+      expectedLength: types.length,
+      givenLength: values.length
+    });
+  const data = [];
+  for (let i = 0; i < types.length; i++) {
+    const type = types[i];
+    const value = values[i];
+    data.push(encode(type, value));
+  }
+  return concatHex(data);
+}
+function encode(type, value, isArray = false) {
+  if (type === "address") {
+    const address = value;
+    if (!isAddress(address))
+      throw new InvalidAddressError({ address });
+    return pad(address.toLowerCase(), {
+      size: isArray ? 32 : null
+    });
+  }
+  if (type === "string")
+    return stringToHex(value);
+  if (type === "bytes")
+    return value;
+  if (type === "bool")
+    return pad(boolToHex(value), { size: isArray ? 32 : 1 });
+  const intMatch = type.match(integerRegex2);
+  if (intMatch) {
+    const [_type, baseType, bits = "256"] = intMatch;
+    const size6 = Number.parseInt(bits, 10) / 8;
+    return numberToHex(value, {
+      size: isArray ? 32 : size6,
+      signed: baseType === "int"
+    });
+  }
+  const bytesMatch = type.match(bytesRegex2);
+  if (bytesMatch) {
+    const [_type, size6] = bytesMatch;
+    if (Number.parseInt(size6, 10) !== (value.length - 2) / 2)
+      throw new BytesSizeMismatchError({
+        expectedSize: Number.parseInt(size6, 10),
+        givenSize: (value.length - 2) / 2
+      });
+    return pad(value, { dir: "right", size: isArray ? 32 : null });
+  }
+  const arrayMatch = type.match(arrayRegex);
+  if (arrayMatch && Array.isArray(value)) {
+    const [_type, childType] = arrayMatch;
+    const data = [];
+    for (let i = 0; i < value.length; i++) {
+      data.push(encode(childType, value[i], true));
+    }
+    if (data.length === 0)
+      return "0x";
+    return concatHex(data);
+  }
+  throw new UnsupportedPackedAbiType(type);
+}
+var init_encodePacked = __esm({
+  "../../node_modules/.pnpm/viem@2.51.3_bufferutil@4.1.0_typescript@5.9.3_utf-8-validate@5.0.10_zod@4.4.3/node_modules/viem/_esm/utils/abi/encodePacked.js"() {
+    init_abi();
+    init_address();
+    init_isAddress();
+    init_concat();
+    init_pad();
+    init_toHex();
+    init_regex2();
+  }
+});
+
 // ../../node_modules/.pnpm/viem@2.51.3_bufferutil@4.1.0_typescript@5.9.3_utf-8-validate@5.0.10_zod@4.4.3/node_modules/viem/_esm/utils/transaction/assertTransaction.js
 function assertTransactionEIP7702(transaction) {
   const { authorizationList } = transaction;
@@ -33539,6 +33621,8 @@ var init_esm = __esm({
     init_exports();
     init_address2();
     init_encodeFunctionData();
+    init_encodePacked();
+    init_pad();
     init_toBytes();
     init_keccak256();
     init_hashTypedData();
@@ -34998,8 +35082,8 @@ var init_encoding2 = __esm({
   "../../node_modules/.pnpm/viem@2.51.3_bufferutil@4.1.0_typescript@5.9.3_utf-8-validate@5.0.10_zod@3.25.76/node_modules/viem/_esm/errors/encoding.js"() {
     init_base2();
     IntegerOutOfRangeError2 = class extends BaseError4 {
-      constructor({ max, min, signed, size: size6, value }) {
-        super(`Number "${value}" is not in safe ${size6 ? `${size6 * 8}-bit ${signed ? "signed" : "unsigned"} ` : ""}integer range ${max ? `(${min} to ${max})` : `(above ${min})`}`, { name: "IntegerOutOfRangeError" });
+      constructor({ max, min: min2, signed, size: size6, value }) {
+        super(`Number "${value}" is not in safe ${size6 ? `${size6 * 8}-bit ${signed ? "signed" : "unsigned"} ` : ""}integer range ${max ? `(${min2} to ${max})` : `(above ${min2})`}`, { name: "IntegerOutOfRangeError" });
       }
     };
     InvalidBytesBooleanError = class extends BaseError4 {
@@ -35728,11 +35812,11 @@ function encodeBool2(value) {
 function encodeNumber2(value, { signed, size: size6 = 256 }) {
   if (typeof size6 === "number") {
     const max = 2n ** (BigInt(size6) - (signed ? 1n : 0n)) - 1n;
-    const min = signed ? -max - 1n : 0n;
-    if (value > max || value < min)
+    const min2 = signed ? -max - 1n : 0n;
+    if (value > max || value < min2)
       throw new IntegerOutOfRangeError2({
         max: max.toString(),
-        min: min.toString(),
+        min: min2.toString(),
         signed,
         size: size6 / 8,
         value: value.toString()
@@ -38832,8 +38916,8 @@ var init_Hex = __esm({
     encoder6 = /* @__PURE__ */ new TextEncoder();
     hexes5 = /* @__PURE__ */ Array.from({ length: 256 }, (_v, i) => i.toString(16).padStart(2, "0"));
     IntegerOutOfRangeError3 = class extends BaseError5 {
-      constructor({ max, min, signed, size: size6, value }) {
-        super(`Number \`${value}\` is not in safe${size6 ? ` ${size6 * 8}-bit` : ""}${signed ? " signed" : " unsigned"} integer range ${max ? `(\`${min}\` to \`${max}\`)` : `(above \`${min}\`)`}`);
+      constructor({ max, min: min2, signed, size: size6, value }) {
+        super(`Number \`${value}\` is not in safe${size6 ? ` ${size6 * 8}-bit` : ""}${signed ? " signed" : " unsigned"} integer range ${max ? `(\`${min2}\` to \`${max}\`)` : `(above \`${min2}\`)`}`);
         Object.defineProperty(this, "name", {
           enumerable: true,
           configurable: true,
@@ -40696,6 +40780,35 @@ var KERNEL_ERROR_SIGNATURES = [
 ];
 var KERNEL_ERROR_ABI = parseAbi(KERNEL_ERROR_SIGNATURES);
 
+// ../sdk/dist/eip712.js
+var REGISTER_PERMISSIONS_BATCH_TYPES = {
+  RegisterPermissions: [
+    { name: "account", type: "address" },
+    { name: "permissions", type: "address[]" },
+    { name: "nonce", type: "uint256" },
+    { name: "deadline", type: "uint256" }
+  ]
+};
+function buildRegisterPermissionsBatchTypedData(args) {
+  const deadline = args.deadline ?? BigInt(Math.floor(Date.now() / 1e3) + 600);
+  return {
+    domain: {
+      name: "SailKernel",
+      version: "1",
+      chainId: args.chainId,
+      verifyingContract: args.kernel
+    },
+    types: REGISTER_PERMISSIONS_BATCH_TYPES,
+    primaryType: "RegisterPermissions",
+    message: {
+      account: args.account,
+      permissions: args.permissions,
+      nonce: args.nonce.toString(),
+      deadline: deadline.toString()
+    }
+  };
+}
+
 // ../sdk/dist/lifi.js
 init_esm();
 var ERC20_ABI = parseAbi([
@@ -40761,9 +40874,9 @@ function anumArr(label, input) {
 function chain(...args) {
   const id = (a) => a;
   const wrap3 = (a, b) => (c) => a(b(c));
-  const encode4 = args.map((x) => x.encode).reduceRight(wrap3, id);
+  const encode5 = args.map((x) => x.encode).reduceRight(wrap3, id);
   const decode2 = args.map((x) => x.decode).reduce(wrap3, id);
-  return { encode: encode4, decode: decode2 };
+  return { encode: encode5, decode: decode2 };
 }
 // @__NO_SIDE_EFFECTS__
 function alphabet(letters) {
@@ -41530,8 +41643,83 @@ var LocalKeyring = class _LocalKeyring {
   }
 };
 
+// ../sdk/dist/abis/SailGovernance.js
+var SailGovernanceAbi = [
+  {
+    type: "function",
+    name: "baseFee",
+    stateMutability: "view",
+    inputs: [],
+    outputs: [{ type: "uint256" }]
+  },
+  {
+    type: "function",
+    name: "complexityRate",
+    stateMutability: "view",
+    inputs: [],
+    outputs: [{ type: "uint256" }]
+  },
+  {
+    type: "function",
+    name: "MAX_PERMISSION_FEE_WEI",
+    stateMutability: "view",
+    inputs: [],
+    outputs: [{ type: "uint256" }]
+  },
+  {
+    type: "function",
+    name: "permissionRegistrationFee",
+    stateMutability: "view",
+    inputs: [],
+    outputs: [{ type: "uint256" }]
+  },
+  {
+    type: "function",
+    name: "maxPermissionsPerAccount",
+    stateMutability: "view",
+    inputs: [],
+    outputs: [{ type: "uint256" }]
+  },
+  {
+    type: "function",
+    name: "isPaused",
+    stateMutability: "view",
+    inputs: [],
+    outputs: [{ type: "bool" }]
+  }
+];
+
 // ../sdk/dist/safe.js
 init_esm();
+var setManagerAbi = [
+  {
+    type: "function",
+    name: "setManager",
+    stateMutability: "nonpayable",
+    inputs: [{ name: "newManager", type: "address" }],
+    outputs: []
+  }
+];
+var gnosisSafeExecAbi = [
+  {
+    type: "function",
+    name: "execTransaction",
+    stateMutability: "payable",
+    inputs: [
+      { name: "to", type: "address" },
+      { name: "value", type: "uint256" },
+      { name: "data", type: "bytes" },
+      { name: "operation", type: "uint8" },
+      { name: "safeTxGas", type: "uint256" },
+      { name: "baseGas", type: "uint256" },
+      { name: "gasPrice", type: "uint256" },
+      { name: "gasToken", type: "address" },
+      { name: "refundReceiver", type: "address" },
+      { name: "signatures", type: "bytes" }
+    ],
+    outputs: [{ name: "success", type: "bool" }]
+  }
+];
 var gnosisSafeAbi = [
   {
     type: "function",
@@ -41590,6 +41778,81 @@ function buildSafeSetupInitializer(params) {
     ]
   });
 }
+function buildApprovedHashSignature(owner) {
+  return encodePacked(["bytes32", "bytes32", "uint8"], [pad(owner, { size: 32 }), pad("0x", { size: 32 }), 1]);
+}
+function encodeSetManager(newManager) {
+  return encodeFunctionData({
+    abi: setManagerAbi,
+    functionName: "setManager",
+    args: [newManager]
+  });
+}
+function buildSetManagerExecTransaction(params) {
+  const innerData = encodeSetManager(params.newManager);
+  const data = encodeFunctionData({
+    abi: gnosisSafeExecAbi,
+    functionName: "execTransaction",
+    args: [
+      params.kernel,
+      // to
+      0n,
+      // value
+      innerData,
+      // data: setManager(newManager)
+      0,
+      // operation: Call
+      0n,
+      // safeTxGas
+      0n,
+      // baseGas
+      0n,
+      // gasPrice
+      zeroAddress,
+      // gasToken
+      zeroAddress,
+      // refundReceiver
+      buildApprovedHashSignature(params.owner)
+    ]
+  });
+  return { to: params.safe, data };
+}
+
+// ../sdk/dist/fees.js
+function min(a, b) {
+  return a < b ? a : b;
+}
+async function estimatePermissionFee(publicClient, governance, permission) {
+  try {
+    const [baseFee, complexityRate, cap, code] = await Promise.all([
+      publicClient.readContract({
+        address: governance,
+        abi: SailGovernanceAbi,
+        functionName: "baseFee"
+      }),
+      publicClient.readContract({
+        address: governance,
+        abi: SailGovernanceAbi,
+        functionName: "complexityRate"
+      }),
+      publicClient.readContract({
+        address: governance,
+        abi: SailGovernanceAbi,
+        functionName: "MAX_PERMISSION_FEE_WEI"
+      }),
+      publicClient.getBytecode({ address: permission })
+    ]);
+    const byteLength = code ? BigInt((code.length - 2) / 2) : 0n;
+    const fee = min(baseFee, cap) + min(byteLength * complexityRate, cap);
+    return min(fee, cap);
+  } catch {
+    return publicClient.readContract({
+      address: governance,
+      abi: SailGovernanceAbi,
+      functionName: "permissionRegistrationFee"
+    });
+  }
+}
 
 // ../../node_modules/.pnpm/viem@2.51.3_bufferutil@4.1.0_typescript@5.9.3_utf-8-validate@5.0.10_zod@3.25.76/node_modules/viem/_esm/utils/getAction.js
 function getAction(client, actionFn, name) {
@@ -41844,8 +42107,8 @@ function getEncodableList2(list) {
         else
           cursor.pushUint32(bodyLength);
       }
-      for (const { encode: encode4 } of list) {
-        encode4(cursor);
+      for (const { encode: encode5 } of list) {
+        encode5(cursor);
       }
     }
   };
@@ -46003,7 +46266,7 @@ init_Errors();
 init_Hex();
 
 // ../../node_modules/.pnpm/ox@0.14.25_typescript@5.9.3_zod@3.25.76/node_modules/ox/_esm/core/Solidity.js
-var arrayRegex = /^(.*)\[([0-9]*)\]$/;
+var arrayRegex2 = /^(.*)\[([0-9]*)\]$/;
 var bytesRegex5 = /^bytes([1-9]|1[0-9]|2[0-9]|3[0-2])?$/;
 var integerRegex5 = /^(u?int)(8|16|24|32|40|48|56|64|72|80|88|96|104|112|120|128|136|144|152|160|168|176|184|192|200|208|216|224|232|240|248|256)?$/;
 var maxInt83 = 2n ** (8n - 1n) - 1n;
@@ -46316,7 +46579,7 @@ function prepareParameter({ checksumAddress: checksumAddress3 = false, parameter
   }
   throw new InvalidTypeError(parameter.type);
 }
-function encode(preparedParameters) {
+function encode2(preparedParameters) {
   let staticSize = 0;
   for (let i = 0; i < preparedParameters.length; i++) {
     const { dynamic, encoded } = preparedParameters[i];
@@ -46372,7 +46635,7 @@ function encodeArray3(value, options) {
     preparedParameters.push(preparedParam);
   }
   if (dynamic || dynamicChild) {
-    const data = encode(preparedParameters);
+    const data = encode2(preparedParameters);
     if (dynamic) {
       const length2 = fromNumber(preparedParameters.length, { size: 32 });
       return {
@@ -46415,11 +46678,11 @@ function encodeBoolean(value) {
 function encodeNumber3(value, { signed, size: size6 }) {
   if (typeof size6 === "number") {
     const max = 2n ** (BigInt(size6) - (signed ? 1n : 0n)) - 1n;
-    const min = signed ? -max - 1n : 0n;
-    if (value > max || value < min)
+    const min2 = signed ? -max - 1n : 0n;
+    if (value > max || value < min2)
       throw new IntegerOutOfRangeError3({
         max: max.toString(),
-        min: min.toString(),
+        min: min2.toString(),
         signed,
         size: size6 / 8,
         value: value.toString()
@@ -46463,7 +46726,7 @@ function encodeTuple3(value, options) {
   }
   return {
     dynamic,
-    encoded: dynamic ? encode(preparedParameters) : concat3(...preparedParameters.map(({ encoded }) => encoded))
+    encoded: dynamic ? encode2(preparedParameters) : concat3(...preparedParameters.map(({ encoded }) => encoded))
   };
 }
 function getArrayComponents3(type) {
@@ -46725,7 +46988,7 @@ function decode(parameters, data, options = {}) {
   }
   return values;
 }
-function encode2(parameters, values, options) {
+function encode3(parameters, values, options) {
   const { checksumAddress: checksumAddress3 = false } = options ?? {};
   if (parameters.length !== values.length)
     throw new LengthMismatchError({
@@ -46737,7 +47000,7 @@ function encode2(parameters, values, options) {
     parameters,
     values
   });
-  const data = encode(preparedParameters);
+  const data = encode2(preparedParameters);
   if (data.length === 0)
     return "0x";
   return data;
@@ -46757,7 +47020,7 @@ function encodePacked2(types, values) {
   return concat3(...data);
 }
 (function(encodePacked3) {
-  function encode4(type, value, isArray = false) {
+  function encode5(type, value, isArray = false) {
     if (type === "address") {
       const address = value;
       assert4(address);
@@ -46788,12 +47051,12 @@ function encodePacked2(types, values) {
         });
       return padRight(value, isArray ? 32 : 0);
     }
-    const arrayMatch = type.match(arrayRegex);
+    const arrayMatch = type.match(arrayRegex2);
     if (arrayMatch && Array.isArray(value)) {
       const [_type, childType] = arrayMatch;
       const data = [];
       for (let i = 0; i < value.length; i++) {
-        data.push(encode4(childType, value[i], true));
+        data.push(encode5(childType, value[i], true));
       }
       if (data.length === 0)
         return "0x";
@@ -46801,7 +47064,7 @@ function encodePacked2(types, values) {
     }
     throw new InvalidTypeError(type);
   }
-  encodePacked3.encode = encode4;
+  encodePacked3.encode = encode5;
 })(encodePacked2 || (encodePacked2 = {}));
 function from5(parameters) {
   if (Array.isArray(parameters) && typeof parameters[0] === "string")
@@ -46946,8 +47209,8 @@ function getEncodableList3(list) {
         else
           cursor.pushUint32(bodyLength);
       }
-      for (const { encode: encode4 } of list) {
-        encode4(cursor);
+      for (const { encode: encode5 } of list) {
+        encode5(cursor);
       }
     }
   };
@@ -47281,7 +47544,7 @@ function wrap(value) {
     payload: getSignPayload(value.authorization),
     signature: from7(value.authorization)
   });
-  const suffix = encode2(suffixParameters, [
+  const suffix = encode3(suffixParameters, [
     {
       ...value.authorization,
       delegation: value.authorization.address,
@@ -47937,7 +48200,7 @@ var NotFoundError = class extends BaseError5 {
 
 // ../../node_modules/.pnpm/ox@0.14.25_typescript@5.9.3_zod@3.25.76/node_modules/ox/_esm/core/AbiConstructor.js
 init_Hex();
-function encode3(...parameters) {
+function encode4(...parameters) {
   const [abiConstructor, options] = (() => {
     if (Array.isArray(parameters[0])) {
       const [abi2, options2] = parameters;
@@ -47946,7 +48209,7 @@ function encode3(...parameters) {
     return parameters;
   })();
   const { bytecode, args } = options;
-  return concat3(bytecode, abiConstructor.inputs?.length && args?.length ? encode2(abiConstructor.inputs, args) : "0x");
+  return concat3(bytecode, abiConstructor.inputs?.length && args?.length ? encode3(abiConstructor.inputs, args) : "0x");
 }
 function from11(abiConstructor) {
   return from10(abiConstructor);
@@ -47974,7 +48237,7 @@ function encodeData3(...parameters) {
     args
   }) : abiFunction;
   const selector = getSelector2(item);
-  const data = args.length > 0 ? encode2(item.inputs, args) : void 0;
+  const data = args.length > 0 ? encode3(item.inputs, args) : void 0;
   return data ? concat3(selector, data) : selector;
 }
 function from12(abiFunction, options = {}) {
@@ -48007,7 +48270,7 @@ async function simulateCalls(client, parameters) {
   const account = parameters.account ? parseAccount(parameters.account) : void 0;
   if (traceAssetChanges && !account)
     throw new BaseError4("`account` is required when `traceAssetChanges` is true");
-  const getBalanceData = account ? encode3(from11("constructor(bytes, bytes)"), {
+  const getBalanceData = account ? encode4(from11("constructor(bytes, bytes)"), {
     bytecode: deploylessCallViaBytecodeBytecode,
     args: [
       getBalanceCode,
@@ -48274,7 +48537,7 @@ function unwrap2(wrapped) {
 }
 function wrap2(value) {
   const { data, signature, to } = value;
-  return concat3(encode2(from5("address, bytes, bytes"), [
+  return concat3(encode3(from5("address, bytes, bytes"), [
     to,
     data,
     signature
@@ -49399,6 +49662,7 @@ function http(url, config = {}) {
 }
 
 // ../../node_modules/.pnpm/viem@2.51.3_bufferutil@4.1.0_typescript@5.9.3_utf-8-validate@5.0.10_zod@3.25.76/node_modules/viem/_esm/index.js
+init_encodeDeployData();
 init_encodeFunctionData2();
 init_getAddress2();
 init_isAddress2();
@@ -49629,6 +49893,8 @@ function startServer(sailDir, { port = PORT } = {}) {
   app.use((0, import_cors.default)({ origin: "http://localhost:3333" }));
   app.use(import_express.default.json());
   const at = (name) => import_node_path.default.join(sailDir, name);
+  const projectRoot = import_node_path.default.dirname(sailDir);
+  const outAt = (name) => import_node_path.default.join(projectRoot, "out", name);
   const overviewCacheByAccount = /* @__PURE__ */ new Map();
   const overviewInFlight = /* @__PURE__ */ new Set();
   const overviewSnapshotPath = (safe) => at(`state/overview/${safe.toLowerCase()}.json`);
@@ -50030,6 +50296,514 @@ function startServer(sailDir, { port = PORT } = {}) {
       res.status(500).json({ error: String(err) });
     }
   });
+  const rotationContext = () => {
+    let account;
+    try {
+      account = JSON.parse(import_node_fs2.default.readFileSync(at("account.json"), "utf-8"));
+    } catch {
+      return { error: "no-account", message: "No active SMA. Deploy one first." };
+    }
+    const env = parseEnvFile(at(".env.local"));
+    const chainId = Number(account.chainId ?? env.CHAIN_ID ?? 0);
+    let kernel = env.KERNEL_ADDRESS;
+    let governance;
+    try {
+      const deployment = getSailDeployment(chainId);
+      kernel = kernel ?? deployment?.kernel;
+      governance = deployment?.governance;
+    } catch {
+    }
+    const rpcUrl = env.RPC_URL;
+    if (!kernel || !isAddress2(kernel)) {
+      return { error: "no-kernel", message: "No kernel address for this chain." };
+    }
+    if (!rpcUrl) {
+      return { error: "no-rpc", message: "No RPC_URL configured (.sail/.env.local)." };
+    }
+    const client = createPublicClient({ transport: http(rpcUrl) });
+    return { account, env, chainId, kernel: getAddress(kernel), governance, rpcUrl, client };
+  };
+  app.get("/api/account/rotation-preview", async (_req, res) => {
+    const ctx = rotationContext();
+    if (ctx.error) {
+      res.status(400).json({ error: ctx.error, message: ctx.message });
+      return;
+    }
+    try {
+      const safe = getAddress(ctx.account.safe);
+      const [configs, permissions] = await Promise.all([
+        ctx.client.readContract({ address: ctx.kernel, abi: SailKernelAbi, functionName: "configs", args: [safe] }),
+        ctx.client.readContract({ address: ctx.kernel, abi: SailKernelAbi, functionName: "getPermissions", args: [safe] })
+      ]);
+      const [permissionSigner, manager] = configs;
+      res.json({
+        safe,
+        chainId: ctx.chainId,
+        owner: getAddress(ctx.account.owner),
+        permissionSigner: getAddress(permissionSigner),
+        currentManager: manager && getAddress(manager) !== zeroAddress2 ? getAddress(manager) : null,
+        permissions: permissions.map((p) => getAddress(p))
+      });
+    } catch (err) {
+      res.status(502).json({ error: "rpc", message: String(err) });
+    }
+  });
+  app.post("/api/account/build-set-manager", async (req, res) => {
+    const { newManager } = req.body ?? {};
+    if (!isAddress2(newManager)) {
+      res.status(400).json({ error: "newManager must be a valid address" });
+      return;
+    }
+    const ctx = rotationContext();
+    if (ctx.error) {
+      res.status(400).json({ error: ctx.error, message: ctx.message });
+      return;
+    }
+    try {
+      const safe = getAddress(ctx.account.safe);
+      const owner = getAddress(ctx.account.owner);
+      const configs = await ctx.client.readContract({
+        address: ctx.kernel,
+        abi: SailKernelAbi,
+        functionName: "configs",
+        args: [safe]
+      });
+      const oldManager = configs[1] && getAddress(configs[1]) !== zeroAddress2 ? getAddress(configs[1]) : null;
+      if (oldManager && oldManager.toLowerCase() === getAddress(newManager).toLowerCase()) {
+        res.status(400).json({ error: "same-signer", message: "New signer is the same as the current one." });
+        return;
+      }
+      const permissions = await ctx.client.readContract({
+        address: ctx.kernel,
+        abi: SailKernelAbi,
+        functionName: "getPermissions",
+        args: [safe]
+      });
+      const { to, data } = buildSetManagerExecTransaction({
+        safe,
+        kernel: ctx.kernel,
+        newManager: getAddress(newManager),
+        owner
+      });
+      res.json({ to, data, chainId: ctx.chainId, oldManager, permissions: permissions.map((p) => getAddress(p)) });
+    } catch (err) {
+      res.status(502).json({ error: "rpc", message: String(err) });
+    }
+  });
+  app.post("/api/account/rotate-generate-key", async (req, res) => {
+    const target = at("keys/manager.json");
+    try {
+      const passphrase = req.body?.passphrase ?? "";
+      if (import_node_fs2.default.existsSync(target)) {
+        const backup = `${target}.${Date.now()}.bak`;
+        import_node_fs2.default.copyFileSync(target, backup);
+      }
+      const privateKey = generatePrivateKey2();
+      const keyring = LocalKeyring.fromPrivateKey(privateKey);
+      const keystore = await keyring.exportKeystore(passphrase);
+      import_node_fs2.default.mkdirSync(at("keys"), { recursive: true });
+      import_node_fs2.default.writeFileSync(target, `${JSON.stringify(keystore, null, 2)}
+`);
+      res.json({ address: getAddress(keyring.address) });
+    } catch (err) {
+      res.status(500).json({ error: String(err) });
+    }
+  });
+  app.post("/api/account/build-reattach", async (req, res) => {
+    const permissions = Array.isArray(req.body?.permissions) ? req.body.permissions : [];
+    if (permissions.length === 0 || !permissions.every((p) => isAddress2(p))) {
+      res.status(400).json({ error: "permissions must be a non-empty array of addresses" });
+      return;
+    }
+    const ctx = rotationContext();
+    if (ctx.error) {
+      res.status(400).json({ error: ctx.error, message: ctx.message });
+      return;
+    }
+    try {
+      const safe = getAddress(ctx.account.safe);
+      const nonce = await ctx.client.readContract({
+        address: ctx.kernel,
+        abi: SailKernelAbi,
+        functionName: "signerNonces",
+        args: [safe]
+      });
+      const deadline = BigInt(Math.floor(Date.now() / 1e3) + 600);
+      const typedData = buildRegisterPermissionsBatchTypedData({
+        chainId: ctx.chainId,
+        kernel: ctx.kernel,
+        account: safe,
+        permissions: permissions.map((p) => getAddress(p)),
+        nonce,
+        deadline
+      });
+      res.json({ typedData, deadline: deadline.toString() });
+    } catch (err) {
+      res.status(502).json({ error: "rpc", message: String(err) });
+    }
+  });
+  app.post("/api/account/build-reattach-tx", async (req, res) => {
+    const { permissions, deadline, signature } = req.body ?? {};
+    if (!Array.isArray(permissions) || permissions.length === 0 || !permissions.every((p) => isAddress2(p))) {
+      res.status(400).json({ error: "permissions must be a non-empty array of addresses" });
+      return;
+    }
+    if (typeof signature !== "string" || !signature.startsWith("0x")) {
+      res.status(400).json({ error: "signature is required" });
+      return;
+    }
+    if (deadline == null) {
+      res.status(400).json({ error: "deadline is required" });
+      return;
+    }
+    const ctx = rotationContext();
+    if (ctx.error) {
+      res.status(400).json({ error: ctx.error, message: ctx.message });
+      return;
+    }
+    try {
+      const safe = getAddress(ctx.account.safe);
+      const perms = permissions.map((p) => getAddress(p));
+      let fee = 0n;
+      if (ctx.governance && isAddress2(ctx.governance)) {
+        for (const permission of perms) {
+          fee += await estimatePermissionFee(ctx.client, ctx.governance, permission);
+        }
+      }
+      const data = encodeFunctionData2({
+        abi: SailKernelAbi,
+        functionName: "registerPermissions",
+        args: [safe, perms, BigInt(deadline), signature]
+      });
+      res.json({ to: ctx.kernel, data, value: fee.toString(), chainId: ctx.chainId });
+    } catch (err) {
+      res.status(502).json({ error: "rpc", message: String(err) });
+    }
+  });
+  const REVOKE_PERMISSIONS_ABI = [
+    {
+      type: "function",
+      name: "revokePermissions",
+      stateMutability: "nonpayable",
+      inputs: [
+        { name: "account", type: "address" },
+        { name: "permissions", type: "address[]" },
+        { name: "deadline", type: "uint256" },
+        { name: "sig", type: "bytes" }
+      ],
+      outputs: []
+    }
+  ];
+  const REVOKE_PERMISSIONS_TYPES = {
+    RevokePermissions: [
+      { name: "account", type: "address" },
+      { name: "permissions", type: "address[]" },
+      { name: "nonce", type: "uint256" },
+      { name: "deadline", type: "uint256" }
+    ]
+  };
+  app.post("/api/account/build-revoke", async (req, res) => {
+    const permissions = Array.isArray(req.body?.permissions) ? req.body.permissions : [];
+    if (permissions.length === 0 || !permissions.every((p) => isAddress2(p))) {
+      res.status(400).json({ error: "permissions must be a non-empty array of addresses" });
+      return;
+    }
+    const ctx = rotationContext();
+    if (ctx.error) {
+      res.status(400).json({ error: ctx.error, message: ctx.message });
+      return;
+    }
+    try {
+      const safe = getAddress(ctx.account.safe);
+      const [active, nonce] = await Promise.all([
+        ctx.client.readContract({ address: ctx.kernel, abi: SailKernelAbi, functionName: "getPermissions", args: [safe] }),
+        ctx.client.readContract({ address: ctx.kernel, abi: SailKernelAbi, functionName: "signerNonces", args: [safe] })
+      ]);
+      const activeSet = new Set(active.map((p) => getAddress(p).toLowerCase()));
+      const targets = permissions.map((p) => getAddress(p));
+      const missing = targets.filter((p) => !activeSet.has(p.toLowerCase()));
+      if (missing.length > 0) {
+        res.status(409).json({ error: "not-active", message: `Not in the SMA's active permission set: ${missing.join(", ")}` });
+        return;
+      }
+      const deadline = BigInt(Math.floor(Date.now() / 1e3) + 600);
+      const typedData = {
+        domain: { name: "SailKernel", version: "1", chainId: ctx.chainId, verifyingContract: ctx.kernel },
+        types: REVOKE_PERMISSIONS_TYPES,
+        primaryType: "RevokePermissions",
+        message: { account: safe, permissions: targets, nonce: nonce.toString(), deadline: deadline.toString() }
+      };
+      res.json({ typedData, deadline: deadline.toString() });
+    } catch (err) {
+      res.status(502).json({ error: "rpc", message: String(err) });
+    }
+  });
+  app.post("/api/account/build-revoke-tx", async (req, res) => {
+    const { permissions, deadline, signature } = req.body ?? {};
+    if (!Array.isArray(permissions) || permissions.length === 0 || !permissions.every((p) => isAddress2(p))) {
+      res.status(400).json({ error: "permissions must be a non-empty array of addresses" });
+      return;
+    }
+    if (typeof signature !== "string" || !signature.startsWith("0x")) {
+      res.status(400).json({ error: "signature is required" });
+      return;
+    }
+    if (deadline == null) {
+      res.status(400).json({ error: "deadline is required" });
+      return;
+    }
+    const ctx = rotationContext();
+    if (ctx.error) {
+      res.status(400).json({ error: ctx.error, message: ctx.message });
+      return;
+    }
+    try {
+      const safe = getAddress(ctx.account.safe);
+      const perms = permissions.map((p) => getAddress(p));
+      const data = encodeFunctionData2({
+        abi: REVOKE_PERMISSIONS_ABI,
+        functionName: "revokePermissions",
+        args: [safe, perms, BigInt(deadline), signature]
+      });
+      res.json({ to: ctx.kernel, data, chainId: ctx.chainId });
+    } catch (err) {
+      res.status(502).json({ error: "rpc", message: String(err) });
+    }
+  });
+  app.post("/api/account/revoke-complete", (req, res) => {
+    const { permissions, txHash } = req.body ?? {};
+    if (!Array.isArray(permissions) || permissions.length === 0 || !permissions.every((p) => isAddress2(p))) {
+      res.status(400).json({ error: "permissions must be a non-empty array of addresses" });
+      return;
+    }
+    const safe = readActiveSafe();
+    if (!safe) {
+      res.status(400).json({ error: "No active SMA." });
+      return;
+    }
+    try {
+      const nameByAddr = /* @__PURE__ */ new Map();
+      try {
+        const tracked = JSON.parse(import_node_fs2.default.readFileSync(at("state/mandates.json"), "utf-8"));
+        for (const m of tracked.mandates ?? []) {
+          if (m.address && m.name) nameByAddr.set(m.address.toLowerCase(), m.name);
+        }
+      } catch {
+      }
+      const ts = (/* @__PURE__ */ new Date()).toISOString();
+      for (const p of permissions) {
+        const permission = getAddress(p);
+        const ev = {
+          ts,
+          actor: "owner",
+          type: "permission_revoked",
+          permission,
+          safe,
+          ...nameByAddr.has(permission.toLowerCase()) ? { name: nameByAddr.get(permission.toLowerCase()) } : {},
+          ...txHash ? { txHash } : {}
+        };
+        import_node_fs2.default.appendFileSync(at("activity.jsonl"), `${JSON.stringify(ev)}
+`);
+      }
+      overviewCacheByAccount.delete(safe.toLowerCase());
+      try {
+        import_node_fs2.default.rmSync(overviewSnapshotPath(safe));
+      } catch {
+      }
+      res.json({ ok: true, revoked: permissions.length });
+    } catch (err) {
+      res.status(500).json({ error: String(err) });
+    }
+  });
+  const isSafeArtifactName = (name) => typeof name === "string" && /^[A-Za-z0-9_]+$/.test(name);
+  const readArtifact = (name) => {
+    if (!isSafeArtifactName(name)) return null;
+    try {
+      const artifact = JSON.parse(import_node_fs2.default.readFileSync(outAt(`${name}.sol/${name}.json`), "utf-8"));
+      const bytecodeRaw = artifact.bytecode?.object ?? artifact.bytecode;
+      if (!artifact.abi || !bytecodeRaw) return null;
+      const bytecode = String(bytecodeRaw).startsWith("0x") ? bytecodeRaw : `0x${bytecodeRaw}`;
+      if (bytecode.length <= 2) return null;
+      return { abi: artifact.abi, bytecode, path: outAt(`${name}.sol/${name}.json`) };
+    } catch {
+      return null;
+    }
+  };
+  app.get("/api/mandate-templates", (_req, res) => {
+    const templates = [];
+    try {
+      const outDir = import_node_path.default.join(projectRoot, "out");
+      for (const dir of import_node_fs2.default.readdirSync(outDir)) {
+        if (!dir.endsWith(".sol")) continue;
+        const name = dir.slice(0, -4);
+        if (!/permission/i.test(name)) continue;
+        const art = readArtifact(name);
+        if (!art) continue;
+        const ctor = (art.abi ?? []).find((x) => x.type === "constructor");
+        templates.push({
+          name,
+          inputs: (ctor?.inputs ?? []).map((i) => ({ name: i.name, type: i.type }))
+        });
+      }
+    } catch {
+    }
+    res.json({ templates });
+  });
+  const coerceArg = (type, value) => {
+    const asList = (v) => {
+      if (Array.isArray(v)) return v;
+      const s = String(v ?? "").trim();
+      if (!s) return [];
+      if (s.startsWith("[")) return JSON.parse(s);
+      return s.split(/[\n,]+/).map((x) => x.trim()).filter(Boolean);
+    };
+    if (type.endsWith("[]")) {
+      const base = type.slice(0, -2);
+      return asList(value).map((v) => coerceArg(base, v));
+    }
+    if (type.startsWith("uint") || type.startsWith("int")) return BigInt(String(value).trim() || "0");
+    if (type === "bool") return value === true || /^(true|1|yes)$/i.test(String(value).trim());
+    if (type === "address") return getAddress(String(value).trim());
+    return String(value).trim();
+  };
+  app.post("/api/account/build-deploy-mandate", (req, res) => {
+    const { template, args } = req.body ?? {};
+    const art = readArtifact(template);
+    if (!art) {
+      res.status(404).json({ error: "no-artifact", message: `No compiled artifact for "${template}". Run \`forge build\` in the project first.` });
+      return;
+    }
+    const ctx = rotationContext();
+    if (ctx.error) {
+      res.status(400).json({ error: ctx.error, message: ctx.message });
+      return;
+    }
+    try {
+      const ctor = (art.abi ?? []).find((x) => x.type === "constructor");
+      const inputs = ctor?.inputs ?? [];
+      const provided = Array.isArray(args) ? args : [];
+      if (provided.length !== inputs.length) {
+        res.status(400).json({ error: "args", message: `Expected ${inputs.length} constructor arg(s), got ${provided.length}.` });
+        return;
+      }
+      const coerced = inputs.map((inp, i) => coerceArg(inp.type, provided[i]));
+      const data = encodeDeployData({ abi: art.abi, bytecode: art.bytecode, args: coerced });
+      res.json({ data, chainId: ctx.chainId, name: template });
+    } catch (err) {
+      res.status(400).json({ error: "encode", message: String(err) });
+    }
+  });
+  app.post("/api/account/mandate-complete", (req, res) => {
+    const { name, address, template, constructorArgs, deployTxHash, registerTxHash } = req.body ?? {};
+    if (!isAddress2(address)) {
+      res.status(400).json({ error: "address must be a valid address" });
+      return;
+    }
+    const safe = readActiveSafe();
+    if (!safe) {
+      res.status(400).json({ error: "No active SMA." });
+      return;
+    }
+    try {
+      const permission = getAddress(address);
+      const label = name || template || "Mandate";
+      const account = (() => {
+        try {
+          return JSON.parse(import_node_fs2.default.readFileSync(at("account.json"), "utf-8"));
+        } catch {
+          return {};
+        }
+      })();
+      const chainId = Number(account.chainId ?? 0) || void 0;
+      const now = (/* @__PURE__ */ new Date()).toISOString();
+      const storePath = at("state/mandates.json");
+      let store = { version: 1, mandates: [] };
+      try {
+        store = JSON.parse(import_node_fs2.default.readFileSync(storePath, "utf-8"));
+      } catch {
+      }
+      if (!Array.isArray(store.mandates)) store.mandates = [];
+      const attachment = { sma: safe, txHash: registerTxHash ?? null, at: now };
+      const idx = store.mandates.findIndex((m) => m.address?.toLowerCase() === permission.toLowerCase());
+      if (idx === -1) {
+        store.mandates.push({
+          name: label,
+          address: permission,
+          txHash: deployTxHash ?? null,
+          chainId,
+          ...template ? { artifactPath: outAt(`${template}.sol/${template}.json`) } : {},
+          ...Array.isArray(constructorArgs) ? { constructorArgs } : {},
+          deployedAt: now,
+          attachments: [attachment]
+        });
+      } else {
+        store.mandates[idx].attachments = [...store.mandates[idx].attachments ?? [], attachment];
+      }
+      import_node_fs2.default.mkdirSync(at("state"), { recursive: true });
+      import_node_fs2.default.writeFileSync(storePath, `${JSON.stringify(store, null, 2)}
+`);
+      if (deployTxHash) {
+        import_node_fs2.default.appendFileSync(at("activity.jsonl"), `${JSON.stringify({ ts: now, actor: "owner", type: "mandate_deployed", name: label, address: permission, safe, txHash: deployTxHash, ...chainId ? { chainId } : {} })}
+`);
+      }
+      import_node_fs2.default.appendFileSync(at("activity.jsonl"), `${JSON.stringify({ ts: now, actor: "owner", type: "permission_registered", permission, name: label, sma: safe, safe, ...registerTxHash ? { txHash: registerTxHash } : {}, ...chainId ? { chainId } : {} })}
+`);
+      overviewCacheByAccount.delete(safe.toLowerCase());
+      try {
+        import_node_fs2.default.rmSync(overviewSnapshotPath(safe));
+      } catch {
+      }
+      res.json({ ok: true, address: permission });
+    } catch (err) {
+      res.status(500).json({ error: String(err) });
+    }
+  });
+  app.post("/api/account/rotate-complete", (req, res) => {
+    const { newManager, txHash, reattachTxHash, permissions } = req.body ?? {};
+    if (!isAddress2(newManager)) {
+      res.status(400).json({ error: "newManager must be a valid address" });
+      return;
+    }
+    try {
+      const account = JSON.parse(import_node_fs2.default.readFileSync(at("account.json"), "utf-8"));
+      const safe = account.safe;
+      const manager = getAddress(newManager);
+      const oldManager = account.manager ? getAddress(account.manager) : null;
+      import_node_fs2.default.writeFileSync(at("account.json"), `${JSON.stringify({ ...account, manager }, null, 2)}
+`);
+      try {
+        const listPath = at("state/accounts.json");
+        const list = JSON.parse(import_node_fs2.default.readFileSync(listPath, "utf-8"));
+        const idx = list.findIndex((a) => a.safe.toLowerCase() === safe.toLowerCase());
+        if (idx !== -1) {
+          list[idx] = { ...list[idx], manager };
+          import_node_fs2.default.writeFileSync(listPath, `${JSON.stringify(list, null, 2)}
+`);
+        }
+      } catch {
+      }
+      const append = (event) => {
+        try {
+          import_node_fs2.default.mkdirSync(sailDir, { recursive: true });
+          import_node_fs2.default.appendFileSync(at("activity.jsonl"), `${JSON.stringify({ ts: (/* @__PURE__ */ new Date()).toISOString(), safe, ...event })}
+`);
+        } catch {
+        }
+      };
+      append({ actor: "owner", type: "signer_rotated", oldManager, newManager: manager, txHash, chainId: account.chainId });
+      if (reattachTxHash && Array.isArray(permissions) && permissions.length > 0) {
+        append({ actor: "owner", type: "mandates_reattached", permissions, txHash: reattachTxHash, chainId: account.chainId });
+      }
+      overviewCacheByAccount.delete(safe.toLowerCase());
+      try {
+        import_node_fs2.default.rmSync(overviewSnapshotPath(safe));
+      } catch {
+      }
+      res.json({ ok: true, manager });
+    } catch (err) {
+      res.status(500).json({ error: String(err) });
+    }
+  });
   app.get("/api/mandate", (_req, res) => {
     try {
       res.json(JSON.parse(import_node_fs2.default.readFileSync(at("mandate.json"), "utf-8")));
@@ -50122,7 +50896,13 @@ function startServer(sailDir, { port = PORT } = {}) {
           if (match) repoUrl = match[1].replace(/\.git$/, "");
         } catch {
         }
-        return { file, repoUrl };
+        let cron = null;
+        try {
+          const cm = content.match(/cron:\s*["']([^"']+)["']/);
+          if (cm) cron = cm[1].trim();
+        } catch {
+        }
+        return { file, repoUrl, cron };
       }
     } catch {
     }
@@ -50462,35 +51242,7 @@ function startServer(sailDir, { port = PORT } = {}) {
       res.status(500).json({ error: String(err) });
     }
   });
-  app.get("/api/wizard-state", (_req, res) => {
-    try {
-      const raw = import_node_fs2.default.readFileSync(at(".wizard-state.json"), "utf-8");
-      res.json(JSON.parse(raw));
-    } catch {
-      res.json(null);
-    }
-  });
-  app.post("/api/wizard-state", (req, res) => {
-    try {
-      import_node_fs2.default.mkdirSync(sailDir, { recursive: true });
-      import_node_fs2.default.writeFileSync(at(".wizard-state.json"), `${JSON.stringify(req.body, null, 2)}
-`);
-      res.json({ ok: true });
-    } catch (err) {
-      res.status(500).json({ error: String(err) });
-    }
-  });
-  app.get("/api/positions", (_req, res) => {
-    try {
-      const account = JSON.parse(import_node_fs2.default.readFileSync(at("account.json"), "utf-8"));
-      const chainId = account?.chainId ?? 8453;
-      const file = at(`state/positions-${chainId}.json`);
-      res.json(JSON.parse(import_node_fs2.default.readFileSync(file, "utf-8")));
-    } catch {
-      res.status(404).json({ error: "no positions snapshot" });
-    }
-  });
-  app.get("/api/overview", async (_req, res) => {
+  app.get("/api/overview", async (req, res) => {
     let account = null;
     try {
       account = JSON.parse(import_node_fs2.default.readFileSync(at("account.json"), "utf-8"));
@@ -50503,6 +51255,16 @@ function startServer(sailDir, { port = PORT } = {}) {
       return;
     }
     const key = account.safe.toLowerCase();
+    if (req.query?.fresh != null) {
+      try {
+        const data2 = await computeOverview(account);
+        storeOverview(account.safe, data2);
+        res.json(data2);
+      } catch {
+        res.json(overviewCacheByAccount.get(key)?.data ?? readOverviewSnapshot(account.safe) ?? null);
+      }
+      return;
+    }
     const cached = overviewCacheByAccount.get(key);
     if (cached && Date.now() - cached.at < OVERVIEW_TTL_MS) {
       res.json(cached.data);
@@ -50518,6 +51280,74 @@ function startServer(sailDir, { port = PORT } = {}) {
     storeOverview(account.safe, data);
     res.json(data);
   });
+  const buildMandateLedger = (safe, activeAddrs, nameByAddr, templateByAddr, network) => {
+    const safeLower = safe.toLowerCase();
+    const meta = /* @__PURE__ */ new Map();
+    try {
+      const tracked = JSON.parse(import_node_fs2.default.readFileSync(at("state/mandates.json"), "utf-8"));
+      for (const m of tracked.mandates ?? []) {
+        if (!m.address) continue;
+        const mine = (m.attachments ?? []).filter((a) => a.sma?.toLowerCase() === safeLower);
+        if (mine.length === 0) continue;
+        const first = mine.reduce((a, b) => a.at && b.at && a.at < b.at ? a : b);
+        meta.set(m.address.toLowerCase(), { firstAt: first?.at ?? m.deployedAt ?? null, txHash: first?.txHash ?? m.txHash ?? null });
+      }
+    } catch {
+    }
+    const registeredAt = /* @__PURE__ */ new Map();
+    const revokedAt = /* @__PURE__ */ new Map();
+    try {
+      for (const line of import_node_fs2.default.readFileSync(at("activity.jsonl"), "utf-8").split("\n")) {
+        if (!line.trim()) continue;
+        let e;
+        try {
+          e = JSON.parse(line);
+        } catch {
+          continue;
+        }
+        if (e.safe && e.safe.toLowerCase() !== safeLower) continue;
+        const addrs = [];
+        if (typeof e.permission === "string") addrs.push(e.permission);
+        if (Array.isArray(e.permissions)) addrs.push(...e.permissions);
+        if (e.type === "mandate_deployed" && typeof e.address === "string") addrs.push(e.address);
+        const reg = e.type === "permission_registered" || e.type === "mandates_reattached" || e.type === "mandate_deployed";
+        const rev = e.type === "permission_revoked" || e.type === "mandate_revoked" || e.type === "permission_detached";
+        for (const a of addrs) {
+          const al = a.toLowerCase();
+          if (reg && (!registeredAt.has(al) || e.ts < registeredAt.get(al))) registeredAt.set(al, e.ts);
+          if (rev && (!revokedAt.has(al) || e.ts > revokedAt.get(al))) revokedAt.set(al, e.ts);
+        }
+      }
+    } catch {
+    }
+    const all = /* @__PURE__ */ new Set([...activeAddrs, ...meta.keys(), ...registeredAt.keys()]);
+    const ledger = [];
+    for (const al of all) {
+      const isActive = activeAddrs.has(al);
+      const revoked = revokedAt.get(al);
+      let status;
+      if (isActive) status = "active";
+      else if (revoked) status = "revoked";
+      else if (meta.has(al) || registeredAt.has(al)) status = "revoked";
+      else continue;
+      ledger.push({
+        address: getAddress(`0x${al.replace(/^0x/, "")}`),
+        name: nameByAddr.get(al) ?? null,
+        template: templateByAddr.get(al) ?? null,
+        status,
+        registeredAt: registeredAt.get(al) ?? meta.get(al)?.firstAt ?? null,
+        revokedAt: revoked ?? null,
+        txHash: meta.get(al)?.txHash ?? null,
+        network
+      });
+    }
+    const ts = (m) => m.revokedAt ?? m.registeredAt ?? "";
+    ledger.sort((a, b) => {
+      if (a.status === "active" !== (b.status === "active")) return a.status === "active" ? -1 : 1;
+      return ts(b).localeCompare(ts(a));
+    });
+    return ledger;
+  };
   async function computeOverview(account) {
     const env = parseEnvFile(at(".env.local"));
     const chainId = Number(account.chainId ?? env.CHAIN_ID ?? 0);
@@ -50611,12 +51441,8 @@ function startServer(sailDir, { port = PORT } = {}) {
         result.sma.balanceWei = safeBal.toString();
         result.sma.balanceEth = formatEther(safeBal);
         result.sma.balanceStatus = balanceStatus(safeBal);
-        result.mandates = perms.map((addr) => ({
-          address: addr,
-          name: nameByAddr.get(addr.toLowerCase()) ?? null,
-          template: templateByAddr.get(addr.toLowerCase()) ?? null,
-          network
-        }));
+        const activeAddrs = new Set(perms.map((a) => a.toLowerCase()));
+        result.mandates = buildMandateLedger(account.safe, activeAddrs, nameByAddr, templateByAddr, network);
         let managerEntry;
         if (managerSet) {
           managerEntry = signerEntry("manager", managerAddr, balanceByAddr);
@@ -50688,6 +51514,20 @@ function startServer(sailDir, { port = PORT } = {}) {
       socket.destroy();
       return;
     }
+    const origin = req.headers.origin;
+    if (origin) {
+      try {
+        const { hostname } = new URL(origin);
+        if (hostname !== "localhost" && hostname !== "127.0.0.1") {
+          socket.write("HTTP/1.1 403 Forbidden\r\n\r\n");
+          socket.destroy();
+          return;
+        }
+      } catch {
+        socket.destroy();
+        return;
+      }
+    }
     wss.handleUpgrade(req, socket, head, (client) => relayToDaemon(client));
   });
   async function relayToDaemon(client) {