@dev.sail.money/sailor 0.0.2 → 0.1.0-local

package/templates/{dca-rebalancer/src → default/examples/dca}/mandate.ts

@@ -1,67 +1,45 @@
-import type { Address } from "@sail/sdk";
-
-// ── Token addresses (Base mainnet) ────────────────────────────────────────────
-
-/**
- * Tokens in the DCA basket.
- * ALLOWED_TOKENS[0] = USDC (input — what the agent spends)
- * ALLOWED_TOKENS[1] = WETH (output — what the agent accumulates)
- */
-export const ALLOWED_TOKENS: Address[] = [
-  "0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913", // USDC on Base  (6 decimals)
-  "0x4200000000000000000000000000000000000006", // WETH on Base  (18 decimals)
-];
-
-// ── Swap parameters ───────────────────────────────────────────────────────────
-
-/**
- * Amount of USDC to spend per swap (in USDC base units, 6 decimals).
- * Default: 5 USDC. Adjust before deploying to production.
- */
-export const SWAP_AMOUNT_USDC = 5_000_000n; // 5 USDC
-
-/**
- * Minimum USDC balance the SMA must hold before a swap is attempted.
- * Must be ≥ SWAP_AMOUNT_USDC. Adds a safety margin so a single swap
- * doesn't drain the account to zero.
- */
-export const MIN_USDC_TO_SWAP = 6_000_000n; // 6 USDC
-
-/**
- * Slippage tolerance in basis points (100 = 1%).
- * amountOutMinimum = quote × (1 − SLIPPAGE_BPS / 10 000).
- * If no quote is available, the agent skips the swap entirely (fail closed).
- *
- * Tighten for large trades or illiquid pairs; loosen if valid swaps are
- * frequently denied by price impact. Default 1% is conservative for
- * USDC/WETH on Base.
- */
-export const SLIPPAGE_BPS = 100; // 1%
-
-/**
- * Uniswap V3 pool fee tier for the USDC/WETH pool on Base.
- * 500 = 0.05% — the most liquid USDC/WETH pool on Base mainnet.
- */
-export const SWAP_FEE_TIER = 500;
-
-// ── Rebalancing ───────────────────────────────────────────────────────────────
-
-/** Rebalance when allocation drift exceeds this fraction (0.05 = 5%). */
-export const REBALANCE_THRESHOLD = 0.05;
-
-// ── Contract addresses (Base mainnet) ─────────────────────────────────────────
-
-/** Uniswap SwapRouter02 on Base. Target for exactInputSingle swaps. */
-export const SWAP_ROUTER: Address = "0x2626664c2603336E57B271c5C0b26F421741e481";
-
-/**
- * Uniswap V3 QuoterV2 on Base.
- * Called off-chain (via eth_call) to obtain the expected output amount
- * before computing amountOutMinimum. If this call fails, the agent skips
- * the swap — it never submits with amountOutMinimum = 0.
- *
- * Note: amountOutMinimum is set by the agent from the QuoterV2 result.
- * For defense-in-depth, add an on-chain minimum check in your permission
- * contract so the kernel also validates the minimum out requirement.
- */
-export const QUOTER_V2: Address = "0x3d4e44Eb1374240CE5F1B871ab261CD16335B76a";
+// Reference example — not the user's strategy. Consult for patterns; author the user's own in src/.
+// Shows: token addresses, swap parameters, and contract addresses for a USDC→WETH DCA on Base mainnet.
+
+import type { Address } from "@sail.money/sailor/sdk";
+
+// ── Token addresses (Base mainnet) ────────────────────────────────────────────
+
+/**
+ * Tokens in the DCA basket.
+ * ALLOWED_TOKENS[0] = USDC (input — what the agent spends)
+ * ALLOWED_TOKENS[1] = WETH (output — what the agent accumulates)
+ */
+export const ALLOWED_TOKENS: Address[] = [
+  "0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913", // USDC on Base  (6 decimals)
+  "0x4200000000000000000000000000000000000006", // WETH on Base  (18 decimals)
+];
+
+// ── Swap parameters ───────────────────────────────────────────────────────────
+
+/** Amount of USDC to spend per swap (in USDC base units, 6 decimals). Default: 5 USDC. */
+export const SWAP_AMOUNT_USDC = 5_000_000n; // 5 USDC
+
+/** Minimum USDC balance the SMA must hold before a swap is attempted. */
+export const MIN_USDC_TO_SWAP = 6_000_000n; // 6 USDC
+
+/** Slippage tolerance in basis points (100 = 1%). */
+export const SLIPPAGE_BPS = 100; // 1%
+
+/** Uniswap V3 pool fee tier for the USDC/WETH pool on Base (500 = 0.05%). */
+export const SWAP_FEE_TIER = 500;
+
+/** Rebalance when allocation drift exceeds this fraction (0.05 = 5%). */
+export const REBALANCE_THRESHOLD = 0.05;
+
+// ── Contract addresses (Base mainnet) ─────────────────────────────────────────
+
+/** Uniswap SwapRouter02 on Base. Target for exactInputSingle swaps. */
+export const SWAP_ROUTER: Address = "0x2626664c2603336E57B271c5C0b26F421741e481";
+
+/**
+ * Uniswap V3 QuoterV2 on Base.
+ * Called off-chain (via eth_call) to obtain the expected output amount
+ * before computing amountOutMinimum.
+ */
+export const QUOTER_V2: Address = "0x3d4e44Eb1374240CE5F1B871ab261CD16335B76a";

package/templates/{dca-rebalancer → default}/package.json

@@ -1,17 +1,17 @@
-{
-  "name": "dca-rebalancer",
-  "version": "0.1.0",
-  "description": "Dollar-cost-average rebalancer — starter Sail Protocol agent",
-  "type": "module",
-  "scripts": {
-    "typecheck": "tsc -p tsconfig.json --noEmit"
-  },
-  "dependencies": {
-    "@sail/sdk": "workspace:*",
-    "viem": "^2.21.0"
-  },
-  "devDependencies": {
-    "@types/node": "^22.0.0",
-    "typescript": "^5.5.0"
-  }
-}
+{
+  "name": "sail-agent",
+  "version": "0.1.0",
+  "description": "Sail Protocol agent starter",
+  "type": "module",
+  "scripts": {
+    "typecheck": "tsc -p tsconfig.json --noEmit"
+  },
+  "dependencies": {
+    "@sail/sdk": "workspace:*",
+    "viem": "^2.21.0"
+  },
+  "devDependencies": {
+    "@types/node": "^22.0.0",
+    "typescript": "^5.5.0"
+  }
+}

package/templates/default/src/agent.ts

@@ -0,0 +1,37 @@
+/**
+ * Your agent — implement your strategy here.
+ *
+ * The runner calls tick() on every interval. Return an array of Dispatch intents;
+ * the runner submits each one through the kernel against a matching registered permission.
+ * Return [] to skip this tick (no gas spent).
+ *
+ * The runner resolves which permission authorizes each call automatically — you
+ * express what you want to do; you do not name permissions per call.
+ *
+ * For a worked end-to-end example (DCA / Uniswap V3 / Base):
+ *   see examples/dca/agent.ts and examples/dca/mandate.ts
+ */
+
+import type { Agent, AgentContext, Dispatch } from "@sail.money/sailor/sdk";
+
+export const agent: Agent = {
+  name: "my-agent",
+  description: "Describe your strategy here.",
+
+  async tick(ctx: AgentContext): Promise<Dispatch[]> {
+    ctx.log(`tick — block ${ctx.blockNumber}, sma ${ctx.safe}`);
+
+    // TODO: implement your strategy.
+    // Read on-chain state, decide what to do, return intent dispatches.
+    // ctx.read.balance(tokenAddress) — read token balance of the SMA
+    // ctx.data._publicClient — viem PublicClient for arbitrary on-chain reads
+    // ctx.log(msg) — append a message to the activity log
+    //
+    // Example (from examples/dca/agent.ts):
+    //   const balance = await ctx.read.balance(USDC_ADDRESS);
+    //   if (balance < MIN_AMOUNT) return [];
+    //   return [{ txHash: "0x", calls: [{ target: ROUTER, value: 0n, data: swapCalldata }], success: false, gasUsed: 0n }];
+
+    return [];
+  },
+};

package/templates/default/src/config.ts

@@ -0,0 +1,24 @@
+/** Reads RPC_URL and CHAIN_ID from environment (set via .sail/.env.local or GitHub Secrets). */
+export function getEnvConfig(): { rpcUrl: string; chainId: number } {
+  const rpcUrl = process.env["RPC_URL"];
+  if (!rpcUrl) {
+    throw new Error(
+      "RPC_URL is not set.\n" +
+        "Add RPC_URL to .sail/.env.local or set it as an environment variable.",
+    );
+  }
+
+  if (!process.env["CHAIN_ID"]) {
+    throw new Error(
+      "CHAIN_ID is not set.\n" +
+        "Open this folder in your AI coding assistant and say 'start' — Stage 1 will ask\n" +
+        "which chain you want and set CHAIN_ID in .sail/.env.local.",
+    );
+  }
+  const chainId = Number(process.env["CHAIN_ID"]);
+  if (Number.isNaN(chainId)) {
+    throw new Error(`Invalid CHAIN_ID: ${process.env["CHAIN_ID"]}`);
+  }
+
+  return { rpcUrl, chainId };
+}

package/templates/default/src/mandate.ts

@@ -0,0 +1,22 @@
+/**
+ * Strategy parameters and contract addresses for your agent.
+ *
+ * Put your token addresses, protocol contracts, amounts, and other
+ * constants here. Import them into agent.ts.
+ *
+ * For a worked example (DCA / USDC→WETH / Uniswap V3 / Base):
+ *   see examples/dca/mandate.ts
+ *
+ * For protocol-specific permission examples (Uniswap, Aave, GMX, …):
+ *   see examples/permissions/
+ */
+
+// TODO: replace with your strategy's parameters.
+// Example structure:
+//
+// import type { Address } from "@sail/sdk";
+//
+// export const INPUT_TOKEN: Address = "0x...";   // token you're spending
+// export const OUTPUT_TOKEN: Address = "0x...";  // token you're acquiring
+// export const MAX_AMOUNT_PER_TICK = 0n;         // in input token base units
+// export const PROTOCOL_CONTRACT: Address = "0x..."; // target contract

package/templates/default/tsconfig.json

@@ -0,0 +1,17 @@
+{
+  "compilerOptions": {
+    "strict": true,
+    "target": "ES2022",
+    "module": "NodeNext",
+    "moduleResolution": "NodeNext",
+    "esModuleInterop": true,
+    "skipLibCheck": true,
+    "resolveJsonModule": true,
+    "noEmit": true,
+    "baseUrl": ".",
+    "paths": {
+      "@sail.money/sailor/sdk": ["../../packages/sdk/src/index.ts"]
+    }
+  },
+  "include": ["src"]
+}

package/templates/{dca-rebalancer → default}/ui/README.md

@@ -1,3 +1,3 @@
-# UI
-
-Vite + React UI lands in the next prompt.
+# UI
+
+Vite + React UI lands in the next prompt.

package/templates/lifi-permissions/LifiBoundedApprovePermissionCloneable.sol

@@ -1,84 +1,84 @@
-// SPDX-License-Identifier: MIT
-pragma solidity 0.8.26;
-
-import {IPermission, Context} from "../../.sail/contracts/interfaces/IPermission.sol";
-import {CloneInitializable} from "../../.sail/contracts/templates/base/CloneInitializable.sol";
-
-/// @title  LifiBoundedApprovePermissionCloneable
-/// @notice EIP-1167 clone-template approval permission with PER-TOKEN caps. The
-///         logic contract is deployed once and registered in the SDK's
-///         standaloneTemplates; each account clones it via
-///         PermissionFactory.deployAndAttach and configures via initialize().
-///
-///         The manager may ONLY approve the LiFi Diamond, and only on tokens that
-///         have a configured cap, up to that token's cap. Passes through any
-///         non-approve call (conjunctive model).
-///
-///         Caps are PER TOKEN (not one global cap) because token value and decimals
-///         differ — e.g. 1 DAI = 1e18 base units vs 1 USDC = 1e6. A single cap can't
-///         bound both sensibly.
-contract LifiBoundedApprovePermissionCloneable is IPermission, CloneInitializable {
-    bytes4 private constant APPROVE = 0x095ea7b3;
-    address public constant LIFI_DIAMOND = 0x1231DEB6f5749EF6cE6943a275A1D3E7486F4EaE;
-
-    // Per-token approve cap, in the token's base units. 0 = token not allowed.
-    // A mapping occupies its own slot pointer and does not pack with the
-    // CloneInitializable `_initialized` bool at slot 0.
-    mapping(address token => uint256 cap) public maxApprovePerToken;
-    address public permissionSigner;
-
-    error NotPermissionSigner();
-    error ZeroAddress();
-    error LengthMismatch();
-
-    modifier onlyPermissionSigner() {
-        if (msg.sender != permissionSigner) revert NotPermissionSigner();
-        _;
-    }
-
-    /// @dev Lock the logic contract; only clones (fresh storage) can be initialized.
-    constructor() {
-        _disableInitializers();
-    }
-
-    /// @notice One-time per-clone configuration.
-    /// @param tokens            Tokens the manager may approve to the LiFi Diamond.
-    /// @param caps              Per-token cap (token base units); index-aligned with `tokens`.
-    /// @param _permissionSigner Owner wallet; sole authority for post-init updates.
-    function initialize(
-        address[] memory tokens,
-        uint256[] memory caps,
-        address _permissionSigner
-    ) external initializer {
-        if (_permissionSigner == address(0)) revert ZeroAddress();
-        if (tokens.length != caps.length) revert LengthMismatch();
-        permissionSigner = _permissionSigner;
-        for (uint256 i; i < tokens.length; i++) {
-            maxApprovePerToken[tokens[i]] = caps[i];
-        }
-    }
-
-    /// @notice Set (cap > 0) or clear (cap == 0) a token's per-tx approve cap.
-    function setTokenCap(address token, uint256 cap) external onlyPermissionSigner {
-        maxApprovePerToken[token] = cap;
-    }
-
-    function evaluate(bytes calldata txData, Context calldata ctx) external view returns (bool) {
-        // Pass through calls outside this permission's domain (conjunctive model).
-        if (ctx.selector != APPROVE) return true;
-        if (ctx.target == address(0)) return false; // token is ctx.target
-        if (txData.length < 68) return false;
-
-        (address spender, uint256 amount) = abi.decode(txData[4:], (address, uint256));
-        if (spender != LIFI_DIAMOND) return false;
-
-        uint256 cap = maxApprovePerToken[ctx.target];
-        if (cap == 0) return false; // token not allowed
-        if (amount > cap) return false; // over the per-token cap
-        return true;
-    }
-
-    function discriminator() external pure returns (bytes32) {
-        return keccak256("LifiBoundedApprovePermissionCloneable.v1");
-    }
-}
+// SPDX-License-Identifier: MIT
+pragma solidity 0.8.26;
+
+import {IPermission, Context} from "../../.sail/contracts/interfaces/IPermission.sol";
+import {CloneInitializable} from "../../.sail/contracts/templates/base/CloneInitializable.sol";
+
+/// @title  LifiBoundedApprovePermissionCloneable
+/// @notice EIP-1167 clone-template approval permission with PER-TOKEN caps. The
+///         logic contract is deployed once and registered in the SDK's
+///         standaloneTemplates; each account clones it via
+///         PermissionFactory.deployAndAttach and configures via initialize().
+///
+///         The manager may ONLY approve the LiFi Diamond, and only on tokens that
+///         have a configured cap, up to that token's cap. Passes through any
+///         non-approve call (conjunctive model).
+///
+///         Caps are PER TOKEN (not one global cap) because token value and decimals
+///         differ — e.g. 1 DAI = 1e18 base units vs 1 USDC = 1e6. A single cap can't
+///         bound both sensibly.
+contract LifiBoundedApprovePermissionCloneable is IPermission, CloneInitializable {
+    bytes4 private constant APPROVE = 0x095ea7b3;
+    address public constant LIFI_DIAMOND = 0x1231DEB6f5749EF6cE6943a275A1D3E7486F4EaE;
+
+    // Per-token approve cap, in the token's base units. 0 = token not allowed.
+    // A mapping occupies its own slot pointer and does not pack with the
+    // CloneInitializable `_initialized` bool at slot 0.
+    mapping(address token => uint256 cap) public maxApprovePerToken;
+    address public permissionSigner;
+
+    error NotPermissionSigner();
+    error ZeroAddress();
+    error LengthMismatch();
+
+    modifier onlyPermissionSigner() {
+        if (msg.sender != permissionSigner) revert NotPermissionSigner();
+        _;
+    }
+
+    /// @dev Lock the logic contract; only clones (fresh storage) can be initialized.
+    constructor() {
+        _disableInitializers();
+    }
+
+    /// @notice One-time per-clone configuration.
+    /// @param tokens            Tokens the manager may approve to the LiFi Diamond.
+    /// @param caps              Per-token cap (token base units); index-aligned with `tokens`.
+    /// @param _permissionSigner Owner wallet; sole authority for post-init updates.
+    function initialize(
+        address[] memory tokens,
+        uint256[] memory caps,
+        address _permissionSigner
+    ) external initializer {
+        if (_permissionSigner == address(0)) revert ZeroAddress();
+        if (tokens.length != caps.length) revert LengthMismatch();
+        permissionSigner = _permissionSigner;
+        for (uint256 i; i < tokens.length; i++) {
+            maxApprovePerToken[tokens[i]] = caps[i];
+        }
+    }
+
+    /// @notice Set (cap > 0) or clear (cap == 0) a token's per-tx approve cap.
+    function setTokenCap(address token, uint256 cap) external onlyPermissionSigner {
+        maxApprovePerToken[token] = cap;
+    }
+
+    function evaluate(bytes calldata txData, Context calldata ctx) external view returns (bool) {
+        // Pass through calls outside this permission's domain (conjunctive model).
+        if (ctx.selector != APPROVE) return true;
+        if (ctx.target == address(0)) return false; // token is ctx.target
+        if (txData.length < 68) return false;
+
+        (address spender, uint256 amount) = abi.decode(txData[4:], (address, uint256));
+        if (spender != LIFI_DIAMOND) return false;
+
+        uint256 cap = maxApprovePerToken[ctx.target];
+        if (cap == 0) return false; // token not allowed
+        if (amount > cap) return false; // over the per-token cap
+        return true;
+    }
+
+    function discriminator() external pure returns (bytes32) {
+        return keccak256("LifiBoundedApprovePermissionCloneable.v1");
+    }
+}

package/templates/lifi-permissions/LifiDiamondSwapPermissionCloneable.sol

@@ -1,97 +1,97 @@
-// SPDX-License-Identifier: MIT
-pragma solidity 0.8.26;
-
-import {IPermission, Context} from "../../.sail/contracts/interfaces/IPermission.sol";
-import {CloneInitializable} from "../../.sail/contracts/templates/base/CloneInitializable.sol";
-
-/// @title  LifiDiamondSwapPermissionCloneable
-/// @notice EIP-1167 clone-template version of LifiDiamondSwapPermission. The logic
-///         contract is deployed once and registered in the SDK's standaloneTemplates;
-///         each account gets its own clone via PermissionFactory.deployAndAttach,
-///         configured through initialize() (NOT the constructor).
-///
-///         Restricts manager-initiated swaps to the official LiFi Diamond on Base:
-///          - target must be the LiFi Diamond,
-///          - selector must be allowlisted,
-///          - receiver embedded in the calldata must equal ctx.account (the SMA),
-///          - the minAmount field must not exceed the configured cap.
-///         Passes through any call whose target is not the diamond (conjunctive model).
-///
-///         Calldata layout (validated against live Base quotes):
-///          selector(4) + word0(32) + word1(32) + word2(32) + receiver(32) + minAmount(32)
-///          → receiver at offset 100, minAmount at offset 132.
-contract LifiDiamondSwapPermissionCloneable is IPermission, CloneInitializable {
-    // Official LiFi Diamond on Base Mainnet.
-    address public constant LIFI_DIAMOND = 0x1231DEB6f5749EF6cE6943a275A1D3E7486F4EaE;
-
-    // Storage starts after CloneInitializable's `_initialized` bool (slot 0). A
-    // mapping occupies its own slot pointer and does not pack with the bool.
-    mapping(bytes4 selector => bool) public isAllowedSelector;
-    uint256 public maxMinAmountPerTx;
-    address public permissionSigner;
-
-    error NotPermissionSigner();
-    error ZeroAddress();
-
-    modifier onlyPermissionSigner() {
-        if (msg.sender != permissionSigner) revert NotPermissionSigner();
-        _;
-    }
-
-    /// @dev Lock the logic contract; only clones (fresh storage) can be initialized.
-    constructor() {
-        _disableInitializers();
-    }
-
-    /// @notice One-time per-clone configuration.
-    /// @param allowedSelectors   LiFi Diamond selectors to allowlist on init.
-    /// @param _maxMinAmountPerTx Cap on the minAmount field (type(uint256).max = uncapped).
-    /// @param _permissionSigner  Owner wallet; sole authority for post-init updates.
-    function initialize(
-        bytes4[] memory allowedSelectors,
-        uint256 _maxMinAmountPerTx,
-        address _permissionSigner
-    ) external initializer {
-        if (_permissionSigner == address(0)) revert ZeroAddress();
-        maxMinAmountPerTx = _maxMinAmountPerTx;
-        permissionSigner = _permissionSigner;
-        for (uint256 i; i < allowedSelectors.length; i++) {
-            isAllowedSelector[allowedSelectors[i]] = true;
-        }
-    }
-
-    function setMaxMinAmountPerTx(uint256 newMax) external onlyPermissionSigner {
-        maxMinAmountPerTx = newMax;
-    }
-
-    /// @notice Add a LiFi selector. Only after verifying its calldata places
-    ///         `receiver` at offset 100 and `minAmount` at offset 132.
-    function addSelector(bytes4 selector) external onlyPermissionSigner {
-        isAllowedSelector[selector] = true;
-    }
-
-    function removeSelector(bytes4 selector) external onlyPermissionSigner {
-        isAllowedSelector[selector] = false;
-    }
-
-    uint256 private constant RECEIVER_OFFSET = 100;
-    uint256 private constant MIN_DATA_LEN = 164;
-
-    function evaluate(bytes calldata txData, Context calldata ctx) external view returns (bool) {
-        // Pass through calls outside this permission's domain (conjunctive model).
-        if (ctx.target != LIFI_DIAMOND) return true;
-        if (!isAllowedSelector[ctx.selector]) return false;
-        if (txData.length < MIN_DATA_LEN) return false;
-
-        address receiver = abi.decode(txData[RECEIVER_OFFSET:RECEIVER_OFFSET + 32], (address));
-        uint256 minAmount = abi.decode(txData[RECEIVER_OFFSET + 32:RECEIVER_OFFSET + 64], (uint256));
-
-        if (receiver != ctx.account) return false;
-        if (minAmount > maxMinAmountPerTx) return false;
-        return true;
-    }
-
-    function discriminator() external pure returns (bytes32) {
-        return keccak256("LifiDiamondSwapPermissionCloneable.v1");
-    }
-}
+// SPDX-License-Identifier: MIT
+pragma solidity 0.8.26;
+
+import {IPermission, Context} from "../../.sail/contracts/interfaces/IPermission.sol";
+import {CloneInitializable} from "../../.sail/contracts/templates/base/CloneInitializable.sol";
+
+/// @title  LifiDiamondSwapPermissionCloneable
+/// @notice EIP-1167 clone-template version of LifiDiamondSwapPermission. The logic
+///         contract is deployed once and registered in the SDK's standaloneTemplates;
+///         each account gets its own clone via PermissionFactory.deployAndAttach,
+///         configured through initialize() (NOT the constructor).
+///
+///         Restricts manager-initiated swaps to the official LiFi Diamond on Base:
+///          - target must be the LiFi Diamond,
+///          - selector must be allowlisted,
+///          - receiver embedded in the calldata must equal ctx.account (the SMA),
+///          - the minAmount field must not exceed the configured cap.
+///         Passes through any call whose target is not the diamond (conjunctive model).
+///
+///         Calldata layout (validated against live Base quotes):
+///          selector(4) + word0(32) + word1(32) + word2(32) + receiver(32) + minAmount(32)
+///          → receiver at offset 100, minAmount at offset 132.
+contract LifiDiamondSwapPermissionCloneable is IPermission, CloneInitializable {
+    // Official LiFi Diamond on Base Mainnet.
+    address public constant LIFI_DIAMOND = 0x1231DEB6f5749EF6cE6943a275A1D3E7486F4EaE;
+
+    // Storage starts after CloneInitializable's `_initialized` bool (slot 0). A
+    // mapping occupies its own slot pointer and does not pack with the bool.
+    mapping(bytes4 selector => bool) public isAllowedSelector;
+    uint256 public maxMinAmountPerTx;
+    address public permissionSigner;
+
+    error NotPermissionSigner();
+    error ZeroAddress();
+
+    modifier onlyPermissionSigner() {
+        if (msg.sender != permissionSigner) revert NotPermissionSigner();
+        _;
+    }
+
+    /// @dev Lock the logic contract; only clones (fresh storage) can be initialized.
+    constructor() {
+        _disableInitializers();
+    }
+
+    /// @notice One-time per-clone configuration.
+    /// @param allowedSelectors   LiFi Diamond selectors to allowlist on init.
+    /// @param _maxMinAmountPerTx Cap on the minAmount field (type(uint256).max = uncapped).
+    /// @param _permissionSigner  Owner wallet; sole authority for post-init updates.
+    function initialize(
+        bytes4[] memory allowedSelectors,
+        uint256 _maxMinAmountPerTx,
+        address _permissionSigner
+    ) external initializer {
+        if (_permissionSigner == address(0)) revert ZeroAddress();
+        maxMinAmountPerTx = _maxMinAmountPerTx;
+        permissionSigner = _permissionSigner;
+        for (uint256 i; i < allowedSelectors.length; i++) {
+            isAllowedSelector[allowedSelectors[i]] = true;
+        }
+    }
+
+    function setMaxMinAmountPerTx(uint256 newMax) external onlyPermissionSigner {
+        maxMinAmountPerTx = newMax;
+    }
+
+    /// @notice Add a LiFi selector. Only after verifying its calldata places
+    ///         `receiver` at offset 100 and `minAmount` at offset 132.
+    function addSelector(bytes4 selector) external onlyPermissionSigner {
+        isAllowedSelector[selector] = true;
+    }
+
+    function removeSelector(bytes4 selector) external onlyPermissionSigner {
+        isAllowedSelector[selector] = false;
+    }
+
+    uint256 private constant RECEIVER_OFFSET = 100;
+    uint256 private constant MIN_DATA_LEN = 164;
+
+    function evaluate(bytes calldata txData, Context calldata ctx) external view returns (bool) {
+        // Pass through calls outside this permission's domain (conjunctive model).
+        if (ctx.target != LIFI_DIAMOND) return true;
+        if (!isAllowedSelector[ctx.selector]) return false;
+        if (txData.length < MIN_DATA_LEN) return false;
+
+        address receiver = abi.decode(txData[RECEIVER_OFFSET:RECEIVER_OFFSET + 32], (address));
+        uint256 minAmount = abi.decode(txData[RECEIVER_OFFSET + 32:RECEIVER_OFFSET + 64], (uint256));
+
+        if (receiver != ctx.account) return false;
+        if (minAmount > maxMinAmountPerTx) return false;
+        return true;
+    }
+
+    function discriminator() external pure returns (bytes32) {
+        return keccak256("LifiDiamondSwapPermissionCloneable.v1");
+    }
+}