@dev.sail.money/sailor 0.0.2-22 → 0.0.2-24

package/packages/cli/dist/index.cjs

@@ -38416,6 +38416,7 @@ function getRpcUrl(chainId) {
 }
 
 // src/lib/keys.ts
+init_esm2();
 var ROLES = ["manager", "permissionSigner"];
 function normalizeRole(input) {
   const n = input.trim().toLowerCase().replace(/[-_\s]/g, "");
@@ -38482,6 +38483,13 @@ async function loadManagerSigner(safe) {
   }
   return loadKeyring("manager", safe);
 }
+function managerKeystorePath(managerAddr) {
+  if (!isAddress(managerAddr, { strict: false })) {
+    throw new Error(`managerKeystorePath: invalid address "${managerAddr}"`);
+  }
+  const hex = managerAddr.toLowerCase().replace(/^0x/, "");
+  return sailPath("keys", "managers", `${hex}.json`);
+}
 async function loadAnySigner() {
   if (keyExists("permissionSigner")) return loadKeyring("permissionSigner");
   if (keyExists("manager")) return loadKeyring("manager");
@@ -39899,11 +39907,29 @@ init_esm2();
 async function checkContractExists(pc, address) {
   try {
     const code = await pc.getCode({ address });
-    return { address, hasCode: !!code && code !== "0x" };
+    const hasCode = !!code && code !== "0x";
+    return { address, hasCode, bytecode: hasCode ? code : void 0 };
   } catch (err) {
     return { address, hasCode: false, error: err.message.split("\n")[0] };
   }
 }
+function checkSelectorRoutes(calldata, bytecode) {
+  if (calldata.length < 10) {
+    return { selector: "", routes: null, reason: "calldata shorter than 4 bytes \u2014 no selector" };
+  }
+  const selector = calldata.slice(2, 10).toLowerCase();
+  const body = bytecode.slice(2).toLowerCase();
+  if (body.length < 100) {
+    return { selector, routes: null, reason: "proxy or minimal contract \u2014 routing not determinable from bytecode" };
+  }
+  if (body.includes("360894a13ba1a321")) {
+    return { selector, routes: null, reason: "EIP-1967 proxy detected \u2014 routing is in the implementation contract" };
+  }
+  if (body.includes("a3f0ad74e5423aeb")) {
+    return { selector, routes: null, reason: "EIP-1967 beacon proxy detected \u2014 routing is in the beacon implementation" };
+  }
+  return { selector, routes: body.includes(selector) };
+}
 
 // src/lib/permission-resolver.ts
 var IPERMISSION_ABI = [
@@ -40775,14 +40801,48 @@ var MandateStore = class {
       (m) => m.address.toLowerCase() === needle || m.name === addressOrName
     );
   }
-  /** Append a newly deployed mandate (replacing any prior record at the same address). */
+  /**
+   * Append a newly deployed mandate (replacing any prior record at the same address).
+   * When another mandate with the same name already exists on the same chain, the
+   * incoming mandate's name is suffixed with `[2]`, `[3]`, … to keep names unique.
+   */
   add(mandate2) {
     const data = this.read();
     data.mandates = data.mandates.filter(
       (m) => m.address.toLowerCase() !== mandate2.address.toLowerCase()
     );
+    const baseName = mandate2.name;
+    const sameName = (m) => m.name === mandate2.name && m.chainId === mandate2.chainId;
+    if (data.mandates.some(sameName)) {
+      let n = 2;
+      while (data.mandates.some((m) => m.name === `${baseName}[${n}]` && m.chainId === mandate2.chainId)) {
+        n++;
+      }
+      mandate2 = { ...mandate2, name: `${baseName}[${n}]` };
+    }
     data.mandates.push(mandate2);
     this.write(data);
+    return mandate2;
+  }
+  /** Update mutable metadata fields on a tracked mandate (name, sourcePath, artifactPath). */
+  update(addressOrName, patch) {
+    const data = this.read();
+    const needle = addressOrName.toLowerCase();
+    const mandate2 = data.mandates.find(
+      (m) => m.address.toLowerCase() === needle || m.name === addressOrName
+    );
+    if (!mandate2) throw new Error(`No tracked mandate found for: ${addressOrName}`);
+    if (patch.name !== void 0 && patch.name !== mandate2.name) {
+      const conflict = data.mandates.find(
+        (m) => m.name === patch.name && m.chainId === mandate2.chainId && m.address.toLowerCase() !== mandate2.address.toLowerCase()
+      );
+      if (conflict) throw new Error(`Name "${patch.name}" is already used by ${conflict.address} on chain ${mandate2.chainId}`);
+      mandate2.name = patch.name;
+    }
+    if (patch.sourcePath !== void 0) mandate2.sourcePath = patch.sourcePath;
+    if (patch.artifactPath !== void 0) mandate2.artifactPath = patch.artifactPath;
+    this.write(data);
+    return mandate2;
   }
   /** Record that a tracked mandate was attached to an SMA. */
   recordAttachment(address, attachment) {
@@ -41290,6 +41350,7 @@ async function persistAccount(publicClient, account2) {
     owner: checksum4(account2.owner),
     permissionSigner: checksum4(account2.permissionSigner),
     manager: checksum4(account2.manager),
+    managers: [checksum4(account2.manager)],
     chainId: account2.chainId,
     createdAtBlock,
     ...account2.saltNonce != null ? { saltNonce: account2.saltNonce.toString() } : {}
@@ -41396,7 +41457,18 @@ async function runDeploy(project, channel, options) {
     );
   }
   const { abi: abi2, bytecode, contractName, artifactPath } = resolveArtifact(options);
-  const args = coerceConstructorArgs(abi2, options.args);
+  let argsJson;
+  if (options.argsFile) {
+    const argsFilePath = (0, import_node_path9.resolve)(options.argsFile);
+    try {
+      argsJson = (0, import_node_fs10.readFileSync)(argsFilePath, "utf8").trim();
+    } catch {
+      throw new Error(`Cannot read --args-file: ${argsFilePath}`);
+    }
+  } else {
+    argsJson = options.args;
+  }
+  const args = coerceConstructorArgs(abi2, argsJson);
   const deployData = encodeDeployData({ abi: abi2, bytecode, args });
   const chainId = project.chainId;
   const publicClient = publicClientFor(project);
@@ -41419,7 +41491,10 @@ async function runDeploy(project, channel, options) {
     data: deployData,
     details: [
       { label: "Contract", value: contractName },
-      { label: "Constructor args", value: options.args ? options.args : "(none)" }
+      {
+        label: options.argsFile ? "Constructor args (from file)" : "Constructor args",
+        value: argsJson ? argsJson : "(none)"
+      }
     ]
   });
   if (response.status === "rejected") {
@@ -41445,13 +41520,13 @@ async function runDeploy(project, channel, options) {
     deployedAt: (/* @__PURE__ */ new Date()).toISOString()
   };
   const store = new MandateStore();
-  store.add(record);
-  say(() => console.log("Tracked in .sail/state/mandates.json"));
+  const stored = store.add(record);
+  say(() => console.log("Tracked in .sail/state/mandates.json" + (stored.name !== record.name ? ` as "${stored.name}"` : "")));
   appendActivity({
     ts: nowIso(),
     actor: "owner",
     type: "mandate_deployed",
-    name: record.name,
+    name: stored.name,
     address: deployed,
     txHash: response.txHash,
     chainId
@@ -41465,7 +41540,7 @@ async function runDeploy(project, channel, options) {
       publicClient,
       sma,
       deployed,
-      record.name,
+      stored.name,
       json
     );
     store.recordAttachment(deployed, { sma, txHash: attachTxHash });
@@ -41480,7 +41555,7 @@ Register it later with: sailor mandate attach --address ${deployed} --sma <SMA>`
   emit(json, () => {
   }, {
     status: "ok",
-    mandate: { name: record.name, address: deployed, txHash: response.txHash, chainId },
+    mandate: { name: stored.name, address: deployed, txHash: response.txHash, chainId },
     attached: options.attach ? { sma: getAddress(options.sma), txHash: attachTxHash } : null
   });
 }
@@ -41742,7 +41817,7 @@ Connect the owner wallet (mandate signer) in the browser \u2014 the agent wallet
   }
   say(() => console.log("\u2713", `Deployed + registered ${spec.label} at ${clone}`));
   const store = new MandateStore();
-  store.add({
+  const storedClone = store.add({
     name: label,
     address: clone,
     txHash,
@@ -41755,7 +41830,7 @@ Connect the owner wallet (mandate signer) in the browser \u2014 the agent wallet
     actor: "agent",
     type: "permission_registered",
     permission: clone,
-    name: label,
+    name: storedClone.name,
     sma,
     txHash,
     chainId: project.chainId
@@ -42076,6 +42151,21 @@ function mandateContractsList() {
     }
   }
 }
+function mandateUpdate(options) {
+  const { address, name, sourcePath, artifactPath, json } = options;
+  if (!name && !sourcePath && !artifactPath) {
+    throw new Error("Provide at least one of --name, --source-path, or --artifact-path");
+  }
+  const store = new MandateStore();
+  const updated = store.update(address, { name, sourcePath, artifactPath });
+  emit(!!json, () => {
+    const changes = [];
+    if (name) changes.push(`name \u2192 ${updated.name}`);
+    if (sourcePath) changes.push(`sourcePath \u2192 ${updated.sourcePath}`);
+    if (artifactPath) changes.push(`artifactPath \u2192 ${updated.artifactPath}`);
+    console.log(`Updated ${updated.address}: ${changes.join(", ")}`);
+  }, { status: "ok", mandate: updated });
+}
 function resolveArtifact(options) {
   let artifactPath = options.artifact;
   let contractName = options.contract ?? options.name ?? "";
@@ -42085,7 +42175,7 @@ function resolveArtifact(options) {
   }
   const resolved = (0, import_node_path9.resolve)(artifactPath);
   const projectRoot = (0, import_node_path9.resolve)(process.cwd());
-  if (!resolved.startsWith(projectRoot + "/") && resolved !== projectRoot) {
+  if (!resolved.startsWith(projectRoot + import_node_path9.sep) && resolved !== projectRoot) {
     throw new Error(
       `Artifact path must be inside the project directory.
 Resolved: ${resolved}`
@@ -42530,6 +42620,7 @@ async function mandateSimulate(options) {
         checkContractExists(pc, c.target)
       ]);
       const result = probe.accepted ? "pass" : "fail";
+      const selectorCheck = codeCheck.hasCode && codeCheck.bytecode ? checkSelectorRoutes(c.data, codeCheck.bytecode) : { selector: "", routes: null, reason: codeCheck.hasCode ? "bytecode unavailable" : void 0 };
       return {
         index: i,
         label: c.label,
@@ -42541,7 +42632,10 @@ async function mandateSimulate(options) {
         expect: c.expect ?? null,
         match: c.expect ? c.expect === result : null,
         targetHasCode: codeCheck.hasCode,
-        targetCheckError: codeCheck.error
+        targetCheckError: codeCheck.error,
+        selectorRoutes: selectorCheck.routes,
+        selector: selectorCheck.selector,
+        selectorRoutesReason: selectorCheck.reason
       };
     })
   );
@@ -42572,7 +42666,10 @@ async function mandateSimulate(options) {
         expect: r.expect,
         match: r.match,
         targetHasCode: r.targetHasCode,
-        targetCheckError: r.targetCheckError
+        targetCheckError: r.targetCheckError,
+        selector: r.selector,
+        selectorRoutes: r.selectorRoutes,
+        selectorRoutesReason: r.selectorRoutesReason
       })),
       mismatches: mismatches.length,
       noCodeTargets: noCodeTargets.map((r) => r.target),
@@ -42598,7 +42695,9 @@ async function mandateSimulate(options) {
     const expectStr = r.expect === null ? "" : r.match ? `  expected ${r.expect}  \u2713 MATCH` : `  expected ${r.expect}  \u2717 MISMATCH`;
     console.log(`[${r.index + 1}] ${verdict}  ${r.label}${expectStr}`);
     const codeNote = r.targetCheckError ? `\u26A0 could not verify contract code (${r.targetCheckError})` : r.targetHasCode ? "\u2713 contract present" : `\u26A0 NO contract code on chain ${chainId} \u2014 this call would fail on-chain regardless of the permission`;
+    const selectorNote = r.selectorRoutes === true ? `\u2713 selector 0x${r.selector} routes` : r.selectorRoutes === false ? `\u26A0 selector 0x${r.selector} NOT found in bytecode \u2014 call would likely revert with unknown selector` : r.selectorRoutesReason ? `~ selector check skipped (${r.selectorRoutesReason})` : null;
     console.log(`     target ${r.target}   ${codeNote}`);
+    if (selectorNote) console.log(`     ${selectorNote}`);
     if (r.reverted && r.revertReason) {
       console.log(`     evaluate() reverted: ${r.revertReason}`);
     }
@@ -42661,6 +42760,24 @@ async function runRotateSigner(project, channel, options) {
   const account2 = resolveAccount(options);
   const smaAddress = account2.safe;
   const owner2 = account2.owner;
+  if (options.list) {
+    const stored = readJsonFile(sailPath("account.json"));
+    const known = stored?.managers ?? (stored?.manager ? [stored.manager] : []);
+    const active = stored?.manager ?? "";
+    return {
+      sma: smaAddress,
+      oldManager: null,
+      newManager: active,
+      rotated: false,
+      reattached: [],
+      reattachDeferred: false,
+      managers: known.map((m) => ({
+        address: m,
+        active: m.toLowerCase() === active.toLowerCase(),
+        keystoreStored: readJsonFile(managerKeystorePath(m)) !== null
+      }))
+    };
+  }
   const publicClient = createPublicClient({
     chain: getChainById(project.chainId),
     transport: http(getRpcUrl(project.chainId))
@@ -42793,6 +42910,7 @@ SMA:            ${smaAddress}`);
     chainId: project.chainId
   });
   persistManager(smaAddress, newManager);
+  if (options.to) promoteManagerKeystore(newManager, say);
   if (options.skipReattach || currentPermissions.length === 0) {
     return {
       sma: smaAddress,
@@ -42956,13 +43074,23 @@ async function resolveNewManager(options, oldManager, json, say) {
       throw new Error(`Invalid --to address: ${options.to}`);
     }
     const to = getAddress(options.to);
-    say(
-      () => console.log(
-        `
-Rotating to existing address ${to}. The local agent keystore is left unchanged \u2014
+    if (readJsonFile(managerKeystorePath(to)) !== null) {
+      say(
+        () => console.log(
+          `
+Rotating to ${to}. Its stored keystore will become the active one
+(.sail/keys/manager.json) once the rotation confirms.`
+        )
+      );
+    } else {
+      say(
+        () => console.log(
+          `
+Rotating to existing address ${to}. No local keystore found for this address \u2014
 ensure the agent that signs dispatches holds this key.`
-      )
-    );
+        )
+      );
+    }
     return to;
   }
   if (json) {
@@ -42982,6 +43110,9 @@ ensure the agent that signs dispatches holds this key.`
   const keyring = LocalKeyring.generate();
   const keystore = await keyring.exportKeystore(password);
   writeJsonFile(target, keystore);
+  const perManagerPath = managerKeystorePath(keyring.address);
+  (0, import_node_fs13.mkdirSync)(sailPath("keys", "managers"), { recursive: true });
+  writeJsonFile(perManagerPath, keystore);
   say(
     () => console.log(
       `  New agent wallet: ${checksum4(keyring.address)} (keystore at .sail/keys/manager.json)`
@@ -42989,10 +43120,28 @@ ensure the agent that signs dispatches holds this key.`
   );
   return keyring.address;
 }
+function promoteManagerKeystore(newManager, say) {
+  const stored = readJsonFile(managerKeystorePath(newManager));
+  if (!stored) return;
+  (0, import_node_fs13.mkdirSync)(sailPath("keys", "managers"), { recursive: true });
+  const activeTarget = keyPath("manager");
+  const displaced = readJsonFile(activeTarget);
+  if (displaced?.address) {
+    const snapshotPath = managerKeystorePath(displaced.address);
+    if (readJsonFile(snapshotPath) === null) writeJsonFile(snapshotPath, displaced);
+  } else if (displaced) {
+    writeJsonFile(`${activeTarget}.${Date.now()}.bak`, displaced);
+  }
+  writeJsonFile(activeTarget, stored);
+  say(
+    () => console.log(`  Agent wallet keystore for ${newManager} is now active (.sail/keys/manager.json).`)
+  );
+}
 function persistManager(safe, manager) {
   const account2 = readJsonFile(sailPath("account.json"));
   if (account2 && account2.safe.toLowerCase() === safe.toLowerCase()) {
-    writeJsonFile(sailPath("account.json"), { ...account2, manager: checksum4(manager) });
+    const managers = addToManagerList(account2.managers, account2.manager, manager);
+    writeJsonFile(sailPath("account.json"), { ...account2, manager: checksum4(manager), managers });
   }
   const listPath = sailPath("state", "accounts.json");
   const list = readJsonFile(
@@ -43001,11 +43150,26 @@ function persistManager(safe, manager) {
   if (Array.isArray(list)) {
     const idx = list.findIndex((a) => a.safe.toLowerCase() === safe.toLowerCase());
     if (idx !== -1) {
-      list[idx] = { ...list[idx], manager: checksum4(manager) };
+      const entry = list[idx];
+      const managers = addToManagerList(entry.managers, entry.manager, manager);
+      list[idx] = { ...entry, manager: checksum4(manager), managers };
       writeJsonFile(listPath, list);
     }
   }
 }
+function addToManagerList(existing, current, next) {
+  const all = [...existing ?? [current], checksum4(next)];
+  const seen = /* @__PURE__ */ new Set();
+  const deduped = [];
+  for (const a of all) {
+    const lower = a.toLowerCase();
+    if (!seen.has(lower)) {
+      seen.add(lower);
+      deduped.push(checksum4(a));
+    }
+  }
+  return deduped;
+}
 function writePending(pending) {
   writeJsonFile(sailPath(...PENDING_REATTACH_FILE), pending);
 }
@@ -43016,6 +43180,19 @@ function clearPending() {
   }
 }
 function printSummary2(r) {
+  if (r.managers) {
+    console.log("\nKnown agent wallets for this SMA:");
+    if (r.managers.length === 0) {
+      console.log("  (none recorded)");
+    } else {
+      for (const m of r.managers) {
+        const marker = m.active ? "* " : "  ";
+        console.log(`${marker}${m.address}${m.keystoreStored ? " (keystore stored)" : ""}`);
+      }
+      console.log("\n* = active");
+    }
+    return;
+  }
   console.log(`
 ${"\u2500".repeat(56)}`);
   if (r.rotated) {
@@ -43138,13 +43315,30 @@ function isProcessAlive(pid) {
 // src/commands/run.ts
 var DEFAULT_INTERVAL_SEC = 60;
 var sleep2 = (ms) => new Promise((resolve3) => setTimeout(resolve3, ms));
-var ERC20_BALANCE_ABI = [
+var ERC20_READ_ABI = [
   {
     type: "function",
     name: "balanceOf",
     stateMutability: "view",
     inputs: [{ name: "account", type: "address" }],
     outputs: [{ name: "", type: "uint256" }]
+  },
+  {
+    type: "function",
+    name: "allowance",
+    stateMutability: "view",
+    inputs: [
+      { name: "owner", type: "address" },
+      { name: "spender", type: "address" }
+    ],
+    outputs: [{ name: "", type: "uint256" }]
+  },
+  {
+    type: "function",
+    name: "decimals",
+    stateMutability: "view",
+    inputs: [],
+    outputs: [{ name: "", type: "uint8" }]
   }
 ];
 function loadAgentData(filePath) {
@@ -43164,7 +43358,8 @@ async function loadAgent() {
     let mod2;
     if (abs.endsWith(".ts")) {
       const { tsImport } = await import("tsx/esm/api");
-      mod2 = await tsImport(abs, (0, import_node_url.pathToFileURL)(abs).href);
+      const absUrl = (0, import_node_url.pathToFileURL)(abs).href;
+      mod2 = await tsImport(absUrl, absUrl);
     } else {
       mod2 = await import((0, import_node_url.pathToFileURL)(abs).href);
     }
@@ -43291,11 +43486,30 @@ Configure the chain in @sail/chains or set KERNEL_ADDRESS in .sail/.env.local.`
     }
     return publicClient.readContract({
       address: token,
-      abi: ERC20_BALANCE_ABI,
+      abi: ERC20_READ_ABI,
       functionName: "balanceOf",
       args: [accountAddr]
     });
   };
+  const readAllowance = (token, owner2, spender) => publicClient.readContract({
+    address: token,
+    abi: ERC20_READ_ABI,
+    functionName: "allowance",
+    args: [owner2, spender]
+  });
+  const decimalsCache = /* @__PURE__ */ new Map();
+  const readDecimals = async (token) => {
+    const key = getAddress(token);
+    const cached = decimalsCache.get(key);
+    if (cached !== void 0) return cached;
+    const d = await publicClient.readContract({
+      address: token,
+      abi: ERC20_READ_ABI,
+      functionName: "decimals"
+    });
+    decimalsCache.set(key, d);
+    return d;
+  };
   async function runTick() {
     appendActivity({ ts: nowIso(), actor: "agent", type: "tick_start" });
     let blockInfo = { number: 0n, timestamp: 0n };
@@ -43325,10 +43539,15 @@ Configure the chain in @sail/chains or set KERNEL_ADDRESS in .sail/.env.local.`
         dispatch: execClient.dispatch,
         strategy: execClient.strategy
       }),
+      publicClient,
       manager: agentManager,
       log,
       data: agentData,
-      read: { balance: readBalance }
+      read: {
+        balance: readBalance,
+        allowance: readAllowance,
+        decimals: readDecimals
+      }
     };
     let dispatches;
     try {
@@ -43949,11 +44168,11 @@ account.command("predict").description(
   "Agent (manager) wallet \u2014 mixed into the kernel salt (defaults to .sail/account.json)"
 ).option("--salt <n>", "CREATE2 salt nonce (default: 0)").option("--chain <id>", "Show prediction for one chain only").option("--json", "Emit machine-readable JSON").action(actionWith(accountPredict));
 account.command("deploy-chain").description("Deploy the same SMA address on an additional chain using the same owner, manager, and salt").requiredOption("--chain <id>", "Target EVM chain ID (e.g. 8453, 42161, 130, 1)").option("--salt <n>", "CREATE2 salt (defaults to saltNonce stored in .sail/account.json)").option("--json", "Emit machine-readable JSON").action(actionWith(accountDeployChain));
-account.command("rotate-signer").description("Rotate the SMA's delegated signer (agent wallet) and re-approve its mandates").option("--sma <address>", "SMA to rotate (defaults to the active account)").option("--to <address>", "Rotate to an existing agent-wallet address instead of generating one").option("--generate", "Generate a fresh local agent wallet (default when --to is omitted)").option("--skip-reattach", "Do not re-approve the previously-attached mandates").option("--reattach-only", "Skip rotation; only re-approve mandates (resume after funding)").option("--json", "Machine-readable output").action(actionWith(rotateSigner));
+account.command("rotate-signer").description("Rotate the SMA's delegated signer (agent wallet) and re-approve its mandates").option("--sma <address>", "SMA to rotate (defaults to the active account)").option("--to <address>", "Rotate to an existing agent-wallet address instead of generating one").option("--generate", "Generate a fresh local agent wallet (default when --to is omitted)").option("--skip-reattach", "Do not re-approve the previously-attached mandates").option("--reattach-only", "Skip rotation; only re-approve mandates (resume after funding)").option("--list", "List known agent wallets for this SMA without rotating").option("--json", "Machine-readable output").action(actionWith(rotateSigner));
 var mandate = program2.command("mandate").description("Manage mandates");
 mandate.command("prepare").description("Prepare a mandate draft for review and signing in the UI (MetaMask)").action(action(mandatePrepare));
 mandate.command("sign").description("Review and confirm the permissions authorized for your SMA").option("--yes", "Skip the confirmation prompt (for non-interactive / CI use)").action(actionWith(mandateSign));
-mandate.command("deploy").description("Deploy a Foundry-compiled permission contract via the browser signing UI").option("--artifact <path>", "Path to the Foundry artifact JSON (out/<Name>.sol/<Name>.json)").option("--contract <name>", "Contract name; resolves to <out>/<name>.sol/<name>.json").option("--out <dir>", "Foundry output directory", "out").option("--name <label>", "Label to track this permission under (defaults to contract name)").option("--args <json>", `Constructor args as a JSON array, e.g. '[["0x.."],"1000"]'`).option("--build", "Run `forge build` before deploying").option("--attach", "After deploy, register the permission on --sma").option("--sma <address>", "SMA to register on (required with --attach)").option("--json", "Emit machine-readable JSON").action(actionWith(mandateDeploy));
+mandate.command("deploy").description("Deploy a Foundry-compiled permission contract via the browser signing UI").option("--artifact <path>", "Path to the Foundry artifact JSON (out/<Name>.sol/<Name>.json)").option("--contract <name>", "Contract name; resolves to <out>/<name>.sol/<name>.json").option("--out <dir>", "Foundry output directory", "out").option("--name <label>", "Label to track this permission under (defaults to contract name)").option("--args <json>", `Constructor args as JSON array. Bash: '["0x..","1"]'. PowerShell: '[\\"0x..\\",\\"1\\"]'. Use --args-file to avoid quoting.`).option("--args-file <path>", "Path to a JSON file containing constructor args array (recommended on PowerShell)").option("--build", "Run `forge build` before deploying").option("--attach", "After deploy, register the permission on --sma").option("--sma <address>", "SMA to register on (required with --attach)").option("--json", "Emit machine-readable JSON").action(actionWith(mandateDeploy));
 mandate.command("attach").description("Register an already-deployed permission on an SMA (EIP-712 RegisterPermission)").requiredOption("--address <mandateOrName>", "Permission address, or a name tracked locally").requiredOption("--sma <address>", "SMA to register the permission on").option("--label <label>", "Human-readable label shown in the signing UI").option("--json", "Emit machine-readable JSON").action(actionWith(mandateAttach));
 mandate.command("deploy-clone").description("Deploy + register a standalone clone permission (e.g. boundedApprove) via the signing UI").requiredOption("--template <key>", "Standalone clone template key (e.g. boundedApprove)").requiredOption("--sma <address>", "SMA to deploy the clone for and register it on").option("--tokens <csv>", "Comma-separated allowed token addresses").option("--spenders <csv>", "Comma-separated allowed spender addresses").option("--max <amount>", "Max amount per tx in base units (default: uint256 max)").option("--label <label>", "Human-readable label to track this permission under").option("--json", "Emit machine-readable JSON").action(actionWith(mandateDeployClone));
 mandate.command("revoke").description("Revoke permission(s) from an SMA (EIP-712 RevokePermissions, owner-authorized)").option("--address <permissionOrName>", "Permission address, or a name tracked locally").requiredOption("--sma <address>", "Safe (SMA) to revoke the permission(s) from").option("--all", "Revoke every permission currently registered on the SMA").option("--json", "Output JSON").action(actionWith(mandateRevoke));
@@ -43961,6 +44180,7 @@ mandate.command("templates").description("Show how to author your own permission
 mandate.command("simulate").description(
   "Probe a permission against sample calls off-chain (eth_call, NO gas) \u2014 prove it accepts the calls you want and rejects the ones you don't, before authorizing on-chain"
 ).requiredOption("--address <permissionOrName>", "Permission to probe (address or tracked name)").option("--sma <address>", "SMA to probe as (ctx.account; defaults to .sail/account.json)").option("--target <address>", "Inline single call: target contract address").option("--calldata <hex>", "Inline single call: 0x-prefixed calldata").option("--value <wei>", "Inline single call: ETH value in wei (default 0)").option("--expect <pass|fail>", "Inline single call: expected outcome (sets non-zero exit on mismatch)").option("--label <text>", "Inline single call: human-readable label").option("--calls <file>", "Batch: JSON array of { target, calldata, value?, expect?, label? }").option("--json", "Emit machine-readable JSON").action(actionWith(mandateSimulate));
+mandate.command("update").description("Update metadata for a tracked permission contract (rename, source path, artifact path)").requiredOption("--address <mandateOrName>", "Permission address or tracked name to update").option("--name <label>", "New tracking label (must be unique within the same chain)").option("--source-path <path>", "Update the relative path to the Solidity source file").option("--artifact-path <path>", "Update the relative path to the Foundry artifact JSON").option("--json", "Emit machine-readable JSON").action(actionWith(mandateUpdate));
 mandate.command("list").description("List permission contracts deployed from this project").action(action(async () => mandateContractsList()));
 program2.command("onboard").description("Set up an SMA, register a permission, confirm the agent is operational").option("--sma <address>", "Use a specific SMA address instead of prompting").option("--new-sma", "Create a new SMA via SailKernel").option("--salt <n>", "CREATE2 salt for deterministic Safe address (default: 0; use 0 for first SMA, increment for subsequent)").option("--template <kindOrAddress>", "Register this permission contract (kind, label, or address)").option("--skip-mandate", "Skip the permission registration step").option("--json", "Emit machine-readable JSON (implies non-interactive)").action(actionWith(onboard));
 var station = program2.command("station").description("Manage the persistent signing station (browser signing daemon)");

package/packages/cli/dist/server.cjs

@@ -49593,6 +49593,17 @@ function signerEntry(role, address, balanceByAddr) {
     status: balanceStatus(wei)
   };
 }
+function addManagerToList(existing, current, next) {
+  const base = existing ?? (current ? [getAddress(current)] : []);
+  const all = [...base, getAddress(next)];
+  const seen = /* @__PURE__ */ new Set();
+  return all.filter((a) => {
+    const l = a.toLowerCase();
+    if (seen.has(l)) return false;
+    seen.add(l);
+    return true;
+  });
+}
 var OVERVIEW_TTL_MS = 1e4;
 function startServer(sailDir, { port = PORT } = {}) {
   const app = (0, import_express.default)();
@@ -49883,7 +49894,8 @@ function startServer(sailDir, { port = PORT } = {}) {
       try {
         const account = JSON.parse(import_node_fs2.default.readFileSync(at("account.json"), "utf-8"));
         if (account?.safe?.toLowerCase() === safe.toLowerCase()) {
-          import_node_fs2.default.writeFileSync(at("account.json"), `${JSON.stringify({ ...account, manager }, null, 2)}
+          const managers = addManagerToList(account.managers, account.manager, manager);
+          import_node_fs2.default.writeFileSync(at("account.json"), `${JSON.stringify({ ...account, manager, managers }, null, 2)}
 `);
         }
       } catch {
@@ -49893,7 +49905,9 @@ function startServer(sailDir, { port = PORT } = {}) {
         const list = JSON.parse(import_node_fs2.default.readFileSync(listPath, "utf-8"));
         const idx = list.findIndex((a) => a.safe?.toLowerCase() === safe.toLowerCase());
         if (idx !== -1) {
-          list[idx] = { ...list[idx], manager };
+          const entry = list[idx];
+          const managers = addManagerToList(entry.managers, entry.manager, manager);
+          list[idx] = { ...entry, manager, managers };
           import_node_fs2.default.writeFileSync(listPath, `${JSON.stringify(list, null, 2)}
 `);
         }
@@ -49915,7 +49929,20 @@ function startServer(sailDir, { port = PORT } = {}) {
       res.status(500).json({ error: String(err) });
     }
   });
-  const isManagerKeyFile = (file) => file === "manager.json" || file.startsWith("manager-") && file.endsWith(".json");
+  const isManagerKeyFile = (file) => file === "manager.json" || file.startsWith("manager-") && file.endsWith(".json") || file.startsWith("managers/") && file.endsWith(".json");
+  const listManagerKeyFiles = () => {
+    let files = [];
+    try {
+      files = import_node_fs2.default.readdirSync(at("keys"));
+    } catch {
+      files = [];
+    }
+    try {
+      files.push(...import_node_fs2.default.readdirSync(at("keys/managers")).map((f) => `managers/${f}`));
+    } catch {
+    }
+    return files;
+  };
   const keystoreAddress = (file) => {
     try {
       const ks = JSON.parse(import_node_fs2.default.readFileSync(at(`keys/${file}`), "utf-8"));
@@ -49927,12 +49954,7 @@ function startServer(sailDir, { port = PORT } = {}) {
   };
   app.get("/api/signers", (_req, res) => {
     try {
-      let files = [];
-      try {
-        files = import_node_fs2.default.readdirSync(at("keys"));
-      } catch {
-        files = [];
-      }
+      const files = listManagerKeyFiles();
       const activeSafe = readActiveSafe();
       let activeManager = null;
       try {
@@ -49972,12 +49994,7 @@ function startServer(sailDir, { port = PORT } = {}) {
       return;
     }
     try {
-      let files = [];
-      try {
-        files = import_node_fs2.default.readdirSync(at("keys"));
-      } catch {
-        files = [];
-      }
+      const files = listManagerKeyFiles();
       const want = getAddress(address).toLowerCase();
       const match = files.find((file) => isManagerKeyFile(file) && keystoreAddress(file)?.toLowerCase() === want);
       if (!match) {
@@ -50610,8 +50627,9 @@ function startServer(sailDir, { port = PORT } = {}) {
         const [permissionSigner, manager, , sessionActive] = configs;
         const managerSet = Boolean(manager) && getAddress(manager) !== zeroAddress2;
         const managerAddr = managerSet ? getAddress(manager) : localSigner;
+        const knownManagerAddrs = (account.managers ?? []).map((a) => getAddress(a));
         const signerAddrs = [
-          ...new Set([managerAddr, account.owner ? getAddress(account.owner) : null, ...localManagerAddrs].filter(Boolean))
+          ...new Set([managerAddr, account.owner ? getAddress(account.owner) : null, ...localManagerAddrs, ...knownManagerAddrs].filter(Boolean))
         ];
         const balances = await Promise.all(signerAddrs.map((a) => client.getBalance({ address: a })));
         const balanceByAddr = new Map(signerAddrs.map((a, i) => [a.toLowerCase(), balances[i]]));
@@ -50637,6 +50655,17 @@ function startServer(sailDir, { port = PORT } = {}) {
         } else {
           managerEntry = { role: "manager", address: null, balanceWei: null, balanceEth: null, status: "unconfigured" };
         }
+        if (knownManagerAddrs.length > 0) {
+          const activeLower = (managerSet ? getAddress(manager) : account.manager ?? null)?.toLowerCase() ?? null;
+          managerEntry.managers = knownManagerAddrs.map((a) => {
+            const bal = balanceByAddr.get(a.toLowerCase());
+            return {
+              address: a,
+              balanceEth: bal != null ? formatEther(bal) : null,
+              isActive: a.toLowerCase() === activeLower
+            };
+          });
+        }
         const signers = [managerEntry];
         for (const la of localManagerAddrs) {
           if (getAddress(la) !== (managerAddr ? getAddress(managerAddr) : null)) {
@@ -50665,6 +50694,17 @@ function startServer(sailDir, { port = PORT } = {}) {
         status: "local"
       }));
     }
+    if (account.managers?.length > 0) {
+      const onchainMgr = result.sma.manager;
+      const activeLower = (onchainMgr && onchainMgr !== zeroAddress2 ? onchainMgr : account.manager ?? null)?.toLowerCase() ?? null;
+      const managersPayload = account.managers.map((a) => ({
+        address: getAddress(a),
+        balanceEth: null,
+        isActive: a.toLowerCase() === activeLower
+      }));
+      const mgrSigner = result.signers.find((s) => s.role === "manager");
+      if (mgrSigner && !mgrSigner.managers) mgrSigner.managers = managersPayload;
+    }
     return result;
   }
   const distDir = process.env.SAILOR_UI_DIST ?? import_node_path.default.join(import_node_path.default.dirname(_thisFile), "dist");