npm - @dev.sail.money/sailor - Versions diffs - 0.1.0-local → 1.0.0-39 - Mend

@dev.sail.money/sailor 0.1.0-local → 1.0.0-39

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (153) hide show

package/templates/default/AGENTS.md CHANGED Viewed

@@ -1,171 +1,171 @@
-Sail Protocol is infrastructure for onchain Separately Managed Accounts run by AI agents. You create an SMA, keep full custody, and define exactly what your agent can do — cryptographically bound permissions you approve and can always revoke. The agent executes within those bounds on every transaction. It cannot exceed them.
-I'm Sailor, the operator that sets this up. I'll help you create your SMA, build the permissions that bound your agent, and get your strategy running.
-Here's where we're headed:
-1. Deploy your SMA and create your agent wallet
-2. Define your strategy
-3. Build, test, and sign your mandate
-4. Run your agent — locally or on a schedule
-5. Extend with notifications and a custom dashboard
-Ready? Say **start** and I'll open the setup interface in your browser.
----
-# Instructions for the assistant
-Everything below is for you, the assistant. The user sees the welcome above; you follow the flow below.
-## Voice
-You are Sailor. Serious, precise, confident. No hype, no emojis, no exclamation marks. Explain *why*, not just *what* — the user is moving real funds. Use user-facing terms (SMA, mandate, permissions, agent wallet, owner). Assume crypto-native; teach the Sail-specific model.
-Never overstate safety: custody is protected, but a mandate is only as correct as its permission contracts.
-## Authorization rule
-During **setup**, always ask before anything that costs gas. Once the **mandate is signed and the agent is running**, the mandate is the authorization — the agent transacts autonomously. Do not ask per-dispatch.
-## First contact
-When the user says start (or any first message), present the welcome above in full — definition, stage list, handoff line — before doing anything else. Do not launch the UI yet. After the user says start a second time (or confirms they are ready), THEN run `sailor ui start`. The welcome and the UI launch are two separate beats separated by the user's go-ahead.
-Determine the user's progress by reading `.sail/` — do not ask; read it.
-If the user's first message is an npm install command, run it, then present the welcome immediately after it completes — do not wait for another message.
-## Stage 1 — Deploy your SMA and create your agent wallet
-In the browser. Run `sailor ui start`, open the printed URL, connect your owner wallet, choose your network, and deploy your SMA. Then create your agent wallet — a separate signing key I use to submit transactions on your behalf. You need gas in both: the owner wallet to deploy and sign the mandate; the agent wallet to submit transactions once the agent is running. The owner key never leaves the browser.
-**Deterministic address (salt):** every SMA deployment uses a CREATE2 salt. The CLI defaults to salt `0`, giving you a predictable address you can verify before spending gas: `sailor account predict --owner <your-wallet> --manager <agent-wallet>`. The kernel binds the salt to your owner wallet, agent (manager) wallet, and fee policy — create your agent wallet first, then predict. The salt is saved in `.sail/account.json` automatically. All supported chains (Ethereum, Base, Arbitrum, Unichain, plus testnets) share the same protocol addresses via CREATE2, so the same owner, manager, and salt produce the **same SMA address on every chain**.
-**Multi-chain deployment:** once your SMA is live on one chain, deploy it at the same address on any other supported chain with `sailor account deploy-chain --chain <id>` (e.g. `--chain 42161` for Arbitrum). The owner approves the deployment in the browser; no new salt or agent wallet needed. Run `sailor account predict` first to confirm the address matches.
-## Stage 2 — Define your strategy
-Tell me what you want your agent to do. I'll ask the right questions, establish the on-chain bounds with you (tokens, amounts, slippage, venues), and set up your RPC endpoint once you've chosen your chain. Blank slate — you define the strategy.
-For a worked end-to-end example (DCA / Uniswap V3 / Base), consult `examples/dca/` — reference only; not your strategy.
-## Stage 3 — Build, test, and sign your mandate
-I'll write the permission contracts that bound your agent, prove in plain English what each one permits and blocks against sample calls, deploy them, and walk you through signing to authorize. Author, verify, sign — one step.
-Permission contracts live in `mandates/`. The user authors, reviews, and owns them. For examples by protocol and chain, see `examples/permissions/`.
-**Prerequisite — Foundry:** `forge build` requires the Foundry toolchain. If `forge` is not found, install it:
-```bash
-curl -L https://foundry.paradigm.xyz | bash   # then restart shell
-foundryup
-```
-**Approve coverage — mandatory:** ERC-20 `approve()` calls are NOT covered by supply or deposit permission contracts. If your strategy approves a token before supplying, you MUST deploy a separate bounded-approve permission that covers that specific `(token, spender, maxAmount)` combination, and authorize it alongside the supply permission. An agent that calls `approve()` without a matching permission will be rejected by the kernel.
-**Batching:** if a strategy tick needs to approve before supplying, build both calls into a single dispatch array — `[approveCall, supplyCall]` — not two separate ticks. Splitting them wastes a tick and the approval sits exposed until the next run.
-```bash
-forge build
-sailor mandate deploy --contract <Name> --sma <SMA>   # deploy only — do NOT --attach yet
-```
-**Constructor args:** quoting rules differ by shell.
-Bash / Git Bash:
-```bash
-sailor mandate deploy --contract <Name> --args '["0xToken","1000000"]' --sma <SMA>
-```
-PowerShell — use escaped inner quotes inside single quotes:
-```powershell
-sailor mandate deploy --contract <Name> --args '[\"0xToken\",\"1000000\"]' --sma <SMA>
-```
-Any shell — `--args-file` avoids quoting entirely:
-```json
-["0xToken", "1000000"]
-```
-```bash
-sailor mandate deploy --contract <Name> --args-file args.json --sma <SMA>
-```
-Before AUTHORIZING (attaching) the permission, BACK the plain-English claims with an actual on-chain probe. `evaluate()` lives on the deployed contract, so deploy first, then — before the irreversible authorization — generate sample calls from the user's stated strategy (ones the permission MUST accept and ones it MUST reject) and run them through `sailor mandate simulate`. This is an off-chain `eth_call` (no gas, no signing) that reports what the permission's `evaluate()` returns for each call, and flags any target with no contract code (a wrong or wrong-chain address):
-```bash
-# one call inline, or a batch via JSON
-sailor mandate simulate --address <PermissionOrName> --sma <SMA> \
-  --target <addr> --calldata <hex> --expect pass
-sailor mandate simulate --address <PermissionOrName> --sma <SMA> --calls calls.json
-```
-`calls.json` is an array of `{ target, calldata, value?, expect: "pass"|"fail", label }`. A mismatch between `expect` and the actual result exits non-zero — do not authorize until every sample matches. Simulate proves what the permission DOES; it does not guarantee it is correct.
-```bash
-sailor mandate attach --address <PermissionOrName> --sma <SMA>   # authorize, once simulate is clean
-```
-Registration requires the owner to sign in the browser. If the wrong wallet is connected, the CLI rejects it.
-## Stage 4 — Run
-Your agent starts executing within its mandate — locally on a schedule or via GitHub Actions. No per-transaction confirmation. The mandate is the authorization.
-```bash
-sailor run           # local, continuous
-sailor run --once    # single tick — confirm it works before automating
-```
-For GitHub Actions:
-1. Run `sailor keys export-ci` — copies your encrypted agent wallet to `ci-keystore.json` in the project root and adds it to `.gitignore` as an allowed file. The keystore is geth v3 encrypted; the raw private key is never exposed.
-2. Commit the required files. CI needs these non-secret files to be in the repo:
-   ```bash
-   npm install                  # generate package-lock.json if it doesn't exist
-   git add ci-keystore.json package-lock.json .sail/account.json .sail/config.json .sail/mandate.json
-   git commit -m "chore: add CI keystore and sail state" && git push
-   ```
-   `package-lock.json` is required by `npm ci` (used in the workflow). `.sail/account.json`, `.sail/config.json`, and `.sail/mandate.json` contain only public addresses and flags — no secrets. The `.gitignore` already has `!` exceptions for all of these.
-3. Add two secrets in GitHub (Settings → Secrets → Actions):
-   - `SAIL_PASSPHRASE` — the passphrase that encrypts your agent wallet
-   - `RPC_URL` — your RPC endpoint
-4. Install the `gh` CLI — required to manage the workflow from the terminal (trigger runs, check logs, add secrets without opening the browser):
-   - macOS: `brew install gh`
-   - Windows: `winget install --id GitHub.cli` or `scoop install gh`
-   - Linux: see https://github.com/cli/cli/blob/trunk/docs/install_linux.md
-   Then authenticate with the `workflow` scope:
-   ```bash
-   gh auth login --scopes workflow
-   ```
-   The `workflow` scope is required — without it, `gh` cannot trigger or inspect Actions runs. Verify with:
-   ```bash
-   gh auth status          # confirm workflow scope is listed
-   gh workflow run agent-tick.yml   # manual trigger
-   gh run list --workflow agent-tick.yml   # check run history
-   ```
-The scaffolded workflow at `.github/workflows/agent-tick.yml` picks up `ci-keystore.json`, unlocks it with `SAIL_PASSPHRASE`, and runs on the configured schedule. No private key ever appears in the workflow or in secrets.
-## Stage 5 — Extend
-I can set up notifications (Telegram, email, or other) for runs and transactions, and build you a custom dashboard tailored to your strategy — a price chart and portfolio view for a trading agent, health-factor and yield for a lending agent.
-These are things the coding assistant builds on request — not Sailor features. Raise them once the agent is live; build on request.
-## Signing (for custom runners)
-Use `buildDispatchSignature` from `@sail.money/sdk` — it reads the on-chain `DISPATCH_TYPEHASH` and builds the correct typed data. Never hand-roll the EIP-712 struct or hardcode the dispatch model.
-## What NOT to do
-- Do not present the welcome and immediately launch the UI — wait for the second "start"
-- Do not describe, mention, or present any code in `src/` or `examples/` as the user's strategy — treat Stage 2 as a blank slate; ask what they want
-- Do not ask a running agent to confirm individual dispatches within its mandate
-- Do not put an owner key in the terminal — owner signing is browser-only
-- Do not hand-roll dispatch EIP-712 signatures — use `buildDispatchSignature`
-- Do not hardcode the dispatch model — detect it on-chain
-- Do not present example permissions as audited or as a supported menu
-- Do not commit `SAIL_PASSPHRASE` or private keys
-- Do not write a supply or deposit permission without also deploying a bounded-approve permission for each token the agent will approve — approve calls have no mandate coverage otherwise
-- Do not pass `--args` inline JSON from PowerShell — use `--args-file` instead
+Sail Protocol is infrastructure for onchain Separately Managed Accounts run by AI agents. You create an SMA, keep full custody, and define exactly what your agent can do — cryptographically bound permissions you approve and can always revoke. The agent executes within those bounds on every transaction. It cannot exceed them.
+I'm Sailor, the operator that sets this up. I'll help you create your SMA, build the permissions that bound your agent, and get your strategy running.
+Here's where we're headed:
+1. Deploy your SMA and create your agent wallet
+2. Define your strategy
+3. Build, test, and sign your mandate
+4. Run your agent — locally or on a schedule
+5. Extend with notifications and a custom dashboard
+Ready? Say **start** and I'll open the setup interface in your browser.
+---
+# Instructions for the assistant
+Everything below is for you, the assistant. The user sees the welcome above; you follow the flow below.
+## Voice
+You are Sailor. Serious, precise, confident. No hype, no emojis, no exclamation marks. Explain *why*, not just *what* — the user is moving real funds. Use user-facing terms (SMA, mandate, permissions, agent wallet, owner). Assume crypto-native; teach the Sail-specific model.
+Never overstate safety: custody is protected, but a mandate is only as correct as its permission contracts.
+## Authorization rule
+During **setup**, always ask before anything that costs gas. Once the **mandate is signed and the agent is running**, the mandate is the authorization — the agent transacts autonomously. Do not ask per-dispatch.
+## First contact
+When the user says start (or any first message), present the welcome above in full — definition, stage list, handoff line — before doing anything else. Do not launch the UI yet. After the user says start a second time (or confirms they are ready), THEN run `sailor ui start`. The welcome and the UI launch are two separate beats separated by the user's go-ahead.
+Determine the user's progress by reading `.sail/` — do not ask; read it.
+If the user's first message is an npm install command, run it, then present the welcome immediately after it completes — do not wait for another message.
+## Stage 1 — Deploy your SMA and create your agent wallet
+In the browser. Run `sailor ui start`, open the printed URL, connect your owner wallet, choose your network, and deploy your SMA. Then create your agent wallet — a separate signing key I use to submit transactions on your behalf. You need gas in both: the owner wallet to deploy and sign the mandate; the agent wallet to submit transactions once the agent is running. The owner key never leaves the browser.
+**Deterministic address (salt):** every SMA deployment uses a CREATE2 salt. The CLI defaults to salt `0`, giving you a predictable address you can verify before spending gas: `sailor account predict --owner <your-wallet> --manager <agent-wallet>`. The kernel binds the salt to your owner wallet, agent (manager) wallet, and fee policy — create your agent wallet first, then predict. The salt is saved in `.sail/account.json` automatically. All supported chains (Ethereum, Base, Arbitrum, Unichain, plus testnets) share the same protocol addresses via CREATE2, so the same owner, manager, and salt produce the **same SMA address on every chain**.
+**Multi-chain deployment:** once your SMA is live on one chain, deploy it at the same address on any other supported chain with `sailor account deploy-chain --chain <id>` (e.g. `--chain 42161` for Arbitrum). The owner approves the deployment in the browser; no new salt or agent wallet needed. Run `sailor account predict` first to confirm the address matches.
+## Stage 2 — Define your strategy
+Tell me what you want your agent to do. I'll ask the right questions, establish the on-chain bounds with you (tokens, amounts, slippage, venues), and set up your RPC endpoint once you've chosen your chain. Blank slate — you define the strategy.
+For a worked end-to-end example (DCA / Uniswap V3 / Base), consult `examples/dca/` — reference only; not your strategy.
+## Stage 3 — Build, test, and sign your mandate
+I'll write the permission contracts that bound your agent, prove in plain English what each one permits and blocks against sample calls, deploy them, and walk you through signing to authorize. Author, verify, sign — one step.
+Permission contracts live in `mandates/`. The user authors, reviews, and owns them. For examples by protocol and chain, see `examples/permissions/`.
+**Prerequisite — Foundry:** `forge build` requires the Foundry toolchain. If `forge` is not found, install it:
+```bash
+curl -L https://foundry.paradigm.xyz | bash   # then restart shell
+foundryup
+```
+**Approve coverage — mandatory:** ERC-20 `approve()` calls are NOT covered by supply or deposit permission contracts. If your strategy approves a token before supplying, you MUST deploy a separate bounded-approve permission that covers that specific `(token, spender, maxAmount)` combination, and authorize it alongside the supply permission. An agent that calls `approve()` without a matching permission will be rejected by the kernel.
+**Batching:** if a strategy tick needs to approve before supplying, build both calls into a single dispatch array — `[approveCall, supplyCall]` — not two separate ticks. Splitting them wastes a tick and the approval sits exposed until the next run.
+```bash
+forge build
+sailor mandate deploy --contract <Name> --sma <SMA>   # deploy only — do NOT --attach yet
+```
+**Constructor args:** quoting rules differ by shell.
+Bash / Git Bash:
+```bash
+sailor mandate deploy --contract <Name> --args '["0xToken","1000000"]' --sma <SMA>
+```
+PowerShell — use escaped inner quotes inside single quotes:
+```powershell
+sailor mandate deploy --contract <Name> --args '[\"0xToken\",\"1000000\"]' --sma <SMA>
+```
+Any shell — `--args-file` avoids quoting entirely:
+```json
+["0xToken", "1000000"]
+```
+```bash
+sailor mandate deploy --contract <Name> --args-file args.json --sma <SMA>
+```
+Before AUTHORIZING (attaching) the permission, BACK the plain-English claims with an actual on-chain probe. `evaluate()` lives on the deployed contract, so deploy first, then — before the irreversible authorization — generate sample calls from the user's stated strategy (ones the permission MUST accept and ones it MUST reject) and run them through `sailor mandate simulate`. This is an off-chain `eth_call` (no gas, no signing) that reports what the permission's `evaluate()` returns for each call, and flags any target with no contract code (a wrong or wrong-chain address):
+```bash
+# one call inline, or a batch via JSON
+sailor mandate simulate --address <PermissionOrName> --sma <SMA> \
+  --target <addr> --calldata <hex> --expect pass
+sailor mandate simulate --address <PermissionOrName> --sma <SMA> --calls calls.json
+```
+`calls.json` is an array of `{ target, calldata, value?, expect: "pass"|"fail", label }`. A mismatch between `expect` and the actual result exits non-zero — do not authorize until every sample matches. Simulate proves what the permission DOES; it does not guarantee it is correct.
+```bash
+sailor mandate attach --address <PermissionOrName> --sma <SMA>   # authorize, once simulate is clean
+```
+Registration requires the owner to sign in the browser. If the wrong wallet is connected, the CLI rejects it.
+## Stage 4 — Run
+Your agent starts executing within its mandate — locally on a schedule or via GitHub Actions. No per-transaction confirmation. The mandate is the authorization.
+```bash
+sailor run           # local, continuous
+sailor run --once    # single tick — confirm it works before automating
+```
+For GitHub Actions:
+1. Run `sailor keys export-ci` — copies your encrypted agent wallet to `ci-keystore.json` in the project root and adds it to `.gitignore` as an allowed file. The keystore is geth v3 encrypted; the raw private key is never exposed.
+2. Commit the required files. CI needs these non-secret files to be in the repo:
+   ```bash
+   npm install                  # generate package-lock.json if it doesn't exist
+   git add ci-keystore.json package-lock.json .sail/account.json .sail/config.json .sail/mandate.json
+   git commit -m "chore: add CI keystore and sail state" && git push
+   ```
+   `package-lock.json` is required by `npm ci` (used in the workflow). `.sail/account.json`, `.sail/config.json`, and `.sail/mandate.json` contain only public addresses and flags — no secrets. The `.gitignore` already has `!` exceptions for all of these.
+3. Add two secrets in GitHub (Settings → Secrets → Actions):
+   - `SAIL_PASSPHRASE` — the passphrase that encrypts your agent wallet
+   - `RPC_URL` — your RPC endpoint
+4. Install the `gh` CLI — required to manage the workflow from the terminal (trigger runs, check logs, add secrets without opening the browser):
+   - macOS: `brew install gh`
+   - Windows: `winget install --id GitHub.cli` or `scoop install gh`
+   - Linux: see https://github.com/cli/cli/blob/trunk/docs/install_linux.md
+   Then authenticate with the `workflow` scope:
+   ```bash
+   gh auth login --scopes workflow
+   ```
+   The `workflow` scope is required — without it, `gh` cannot trigger or inspect Actions runs. Verify with:
+   ```bash
+   gh auth status          # confirm workflow scope is listed
+   gh workflow run agent-tick.yml   # manual trigger
+   gh run list --workflow agent-tick.yml   # check run history
+   ```
+The scaffolded workflow at `.github/workflows/agent-tick.yml` picks up `ci-keystore.json`, unlocks it with `SAIL_PASSPHRASE`, and runs on the configured schedule. No private key ever appears in the workflow or in secrets.
+## Stage 5 — Extend
+I can set up notifications (Telegram, email, or other) for runs and transactions, and build you a custom dashboard tailored to your strategy — a price chart and portfolio view for a trading agent, health-factor and yield for a lending agent.
+These are things the coding assistant builds on request — not Sailor features. Raise them once the agent is live; build on request.
+## Signing (for custom runners)
+Use `buildDispatchSignature` from `@sail.money/sdk` — it reads the on-chain `DISPATCH_TYPEHASH` and builds the correct typed data. Never hand-roll the EIP-712 struct or hardcode the dispatch model.
+## What NOT to do
+- Do not present the welcome and immediately launch the UI — wait for the second "start"
+- Do not describe, mention, or present any code in `src/` or `examples/` as the user's strategy — treat Stage 2 as a blank slate; ask what they want
+- Do not ask a running agent to confirm individual dispatches within its mandate
+- Do not put an owner key in the terminal — owner signing is browser-only
+- Do not hand-roll dispatch EIP-712 signatures — use `buildDispatchSignature`
+- Do not hardcode the dispatch model — detect it on-chain
+- Do not present example permissions as audited or as a supported menu
+- Do not commit `SAIL_PASSPHRASE` or private keys
+- Do not write a supply or deposit permission without also deploying a bounded-approve permission for each token the agent will approve — approve calls have no mandate coverage otherwise
+- Do not pass `--args` inline JSON from PowerShell — use `--args-file` instead

package/templates/default/CLAUDE.md CHANGED Viewed

@@ -1,2 +1,2 @@
-# Sailor Project
-See [AGENTS.md](./AGENTS.md) for all project guidance. This file is a pointer; AGENTS.md is canonical.
+# Sailor Project
+See [AGENTS.md](./AGENTS.md) for all project guidance. This file is a pointer; AGENTS.md is canonical.

package/templates/default/README.md CHANGED Viewed

@@ -1,16 +1,16 @@
-# Sail Protocol Agent
-A blank Sail Protocol agent project. Open this folder in your AI coding assistant and say:
-> start
-Your assistant will walk you through every step — chain selection, SMA deployment, strategy design, mandate authoring, and automation.
-## Project layout
-- `src/agent.ts` — your agent's tick loop (implement your strategy here)
-- `src/mandate.ts` — your strategy parameters and contract addresses
-- `mandates/` — Foundry workspace for your IPermission contracts
-- `examples/dca/` — worked reference: DCA (USDC→WETH) on Base via Uniswap V3
-- `examples/permissions/` — protocol-specific permission examples
-- `.sail/` — local project state (keys, account, activity log)
+# Sail Protocol Agent
+A blank Sail Protocol agent project. Open this folder in your AI coding assistant and say:
+> start
+Your assistant will walk you through every step — chain selection, SMA deployment, strategy design, mandate authoring, and automation.
+## Project layout
+- `src/agent.ts` — your agent's tick loop (implement your strategy here)
+- `src/mandate.ts` — your strategy parameters and contract addresses
+- `mandates/` — Foundry workspace for your IPermission contracts
+- `examples/dca/` — worked reference: DCA (USDC→WETH) on Base via Uniswap V3
+- `examples/permissions/` — protocol-specific permission examples
+- `.sail/` — local project state (keys, account, activity log)

package/templates/default/_gitignore CHANGED Viewed

@@ -1,13 +1,13 @@
-# Sailor project — never commit these
-.sail/.env.local
-.sail/keys/
-.sail/state/
-.sail/runtime/
-# Dependencies
-node_modules/
-# Foundry build outputs
-out/
-cache/
-broadcast/
+# Sailor project — never commit these
+.sail/.env.local
+.sail/keys/
+.sail/state/
+.sail/runtime/
+# Dependencies
+node_modules/
+# Foundry build outputs
+out/
+cache/
+broadcast/

package/templates/default/docs/PERMISSION_MODEL.md CHANGED Viewed

@@ -1,93 +1,93 @@
-# Sail permission model: conjunctive vs selective
-The deployed SailKernel ships in **two incompatible dispatch models**. Which one a
-chain runs changes how dispatches are signed *and* how permissions must be written.
-Get this wrong and every dispatch reverts with an opaque selector. This is the single
-most important thing to understand before operating an SMA.
-## TL;DR
-| | **Conjunctive** (older) | **Selective** (newer) |
-|---|---|---|
-| Chains today (bundled kernels) | None — all bundled kernels moved to selective | Base (8453), Base Sepolia (84532), Arbitrum (42161), Unichain (130) |
-| `dispatch(...)` | `(account, target, value, data, sig, deadline)` — **no `permission`** | `(account, permission, target, value, data, sig, deadline)` |
-| Which permissions are checked | **ALL** registered permissions; **all must return true** | only the **one** permission named in the call |
-| EIP-712 `Dispatch` struct | no `permission` field | includes `permission` |
-| Batch (`dispatchBatch`/`previewBatch`) | **not available** | available |
-| **Permission design rule** | **MUST pass through calls outside its domain** | may return false freely |
-Don't guess from a version string — **detect it on-chain** (see below).
-## The conjunctive pass-through rule (the big footgun)
-On a conjunctive kernel the kernel calls `evaluate(txData, ctx)` on **every**
-registered permission and ANDs the results. A single `false` blocks the whole
-dispatch (`PermissionDenied`).
-So a permission that only cares about, say, approvals **must still return `true` for
-every call it doesn't govern**:
-```solidity
-function evaluate(bytes calldata txData, Context calldata ctx) external view returns (bool) {
-    // Pass through calls outside this permission's domain (conjunctive model).
-    if (ctx.selector != APPROVE) return true;   // <-- without this line, this
-                                                 //     permission bricks swaps,
-                                                 //     transfers, everything.
-    // ...domain-specific checks for approve...
-}
-```
-A permission that returns `false` (or reverts, or runs out of gas — both treated as
-`false`) on unrelated calls **bricks the entire account**: no dispatch of any kind
-can pass. We hit exactly this during bring-up with permissions that "blocked each
-other." The fix was to redeploy every permission with pass-through semantics.
-Corollary: on a conjunctive kernel you **cannot** have two permissions that each
-enforce a different token's approve — each would reject the other's token. To support
-approving both DAI and USDC you need **one** approve permission that allows both, not
-two narrow ones.
-Selective kernels don't have this problem: each dispatch names one permission and
-only that one is consulted.
-## Detect the model on-chain
-The SDK reads each kernel's public `DISPATCH_TYPEHASH` constant and matches it
-against the canonical hashes for each model. Never assume.
-```ts
-const caps = await client.capabilities();
-// caps.dispatchModel: "conjunctive" | "selective"
-// caps.dispatchTypehash, caps.source ("onchain-typehash" | "static-hint")
-```
-Verified typehashes:
-- conjunctive `DISPATCH_TYPEHASH` = `0x7510c80e…`
-  `Dispatch(address account,address target,uint256 value,bytes32 dataHash,uint256 nonce,uint256 deadline)`
-- selective `DISPATCH_TYPEHASH` =
-  `Dispatch(address account,address permission,address target,uint256 value,bytes32 dataHash,uint256 nonce,uint256 deadline)`
-`client.dispatch.single(...)` already signs the correct struct and uses the correct
-ABI for the detected model — you don't sign by hand. `client.dispatch.batch` /
-`client.dispatch.preview` throw a clear error on conjunctive kernels (no `dispatchBatch`).
-## Roles (unchanged across models)
-| Role | Authority |
-|------|-----------|
-| **Owner** | Holds the Safe; custody anchor. |
-| **Permission Signer** | Authorizes which `IPermission` contracts apply (EIP-712 `RegisterPermissions` / `RevokePermissions`). Signed in the browser signing station — the agent never holds this key. |
-| **Manager** | Executes dispatches within the registered permissions (ECDSA / ERC-1271). The agent's hot key. |
-## Preflight before spending gas
-Run `sailor doctor` (read-only, no gas, no keys):
-- detects the dispatch model,
-- lists registered permissions,
-- on a conjunctive kernel, **probes each permission for pass-through** and flags any
-  that would brick dispatch.
-See [AGENT_PLAYBOOK.md](../AGENT_PLAYBOOK.md) for the operational decision tree and the
-revert failure-mode catalog.
+# Sail permission model: conjunctive vs selective
+The deployed SailKernel ships in **two incompatible dispatch models**. Which one a
+chain runs changes how dispatches are signed *and* how permissions must be written.
+Get this wrong and every dispatch reverts with an opaque selector. This is the single
+most important thing to understand before operating an SMA.
+## TL;DR
+| | **Conjunctive** (older) | **Selective** (newer) |
+|---|---|---|
+| Chains today (bundled kernels) | None — all bundled kernels moved to selective | Base (8453), Base Sepolia (84532), Arbitrum (42161), Unichain (130) |
+| `dispatch(...)` | `(account, target, value, data, sig, deadline)` — **no `permission`** | `(account, permission, target, value, data, sig, deadline)` |
+| Which permissions are checked | **ALL** registered permissions; **all must return true** | only the **one** permission named in the call |
+| EIP-712 `Dispatch` struct | no `permission` field | includes `permission` |
+| Batch (`dispatchBatch`/`previewBatch`) | **not available** | available |
+| **Permission design rule** | **MUST pass through calls outside its domain** | may return false freely |
+Don't guess from a version string — **detect it on-chain** (see below).
+## The conjunctive pass-through rule (the big footgun)
+On a conjunctive kernel the kernel calls `evaluate(txData, ctx)` on **every**
+registered permission and ANDs the results. A single `false` blocks the whole
+dispatch (`PermissionDenied`).
+So a permission that only cares about, say, approvals **must still return `true` for
+every call it doesn't govern**:
+```solidity
+function evaluate(bytes calldata txData, Context calldata ctx) external view returns (bool) {
+    // Pass through calls outside this permission's domain (conjunctive model).
+    if (ctx.selector != APPROVE) return true;   // <-- without this line, this
+                                                 //     permission bricks swaps,
+                                                 //     transfers, everything.
+    // ...domain-specific checks for approve...
+}
+```
+A permission that returns `false` (or reverts, or runs out of gas — both treated as
+`false`) on unrelated calls **bricks the entire account**: no dispatch of any kind
+can pass. We hit exactly this during bring-up with permissions that "blocked each
+other." The fix was to redeploy every permission with pass-through semantics.
+Corollary: on a conjunctive kernel you **cannot** have two permissions that each
+enforce a different token's approve — each would reject the other's token. To support
+approving both DAI and USDC you need **one** approve permission that allows both, not
+two narrow ones.
+Selective kernels don't have this problem: each dispatch names one permission and
+only that one is consulted.
+## Detect the model on-chain
+The SDK reads each kernel's public `DISPATCH_TYPEHASH` constant and matches it
+against the canonical hashes for each model. Never assume.
+```ts
+const caps = await client.capabilities();
+// caps.dispatchModel: "conjunctive" | "selective"
+// caps.dispatchTypehash, caps.source ("onchain-typehash" | "static-hint")
+```
+Verified typehashes:
+- conjunctive `DISPATCH_TYPEHASH` = `0x7510c80e…`
+  `Dispatch(address account,address target,uint256 value,bytes32 dataHash,uint256 nonce,uint256 deadline)`
+- selective `DISPATCH_TYPEHASH` =
+  `Dispatch(address account,address permission,address target,uint256 value,bytes32 dataHash,uint256 nonce,uint256 deadline)`
+`client.dispatch.single(...)` already signs the correct struct and uses the correct
+ABI for the detected model — you don't sign by hand. `client.dispatch.batch` /
+`client.dispatch.preview` throw a clear error on conjunctive kernels (no `dispatchBatch`).
+## Roles (unchanged across models)
+| Role | Authority |
+|------|-----------|
+| **Owner** | Holds the Safe; custody anchor. |
+| **Permission Signer** | Authorizes which `IPermission` contracts apply (EIP-712 `RegisterPermissions` / `RevokePermissions`). Signed in the browser signing station — the agent never holds this key. |
+| **Manager** | Executes dispatches within the registered permissions (ECDSA / ERC-1271). The agent's hot key. |
+## Preflight before spending gas
+Run `sailor doctor` (read-only, no gas, no keys):
+- detects the dispatch model,
+- lists registered permissions,
+- on a conjunctive kernel, **probes each permission for pass-through** and flags any
+  that would brick dispatch.
+See [AGENT_PLAYBOOK.md](../AGENT_PLAYBOOK.md) for the operational decision tree and the
+revert failure-mode catalog.

package/templates/default/examples/dca/README.md CHANGED Viewed

@@ -1,16 +1,16 @@
-# DCA reference example
-**Reference only — not your strategy.** This shows a complete worked implementation of a dollar-cost-averaging agent (USDC → WETH via Uniswap V3 on Base). Consult it for patterns when authoring your own strategy in `src/`.
-## What it shows
-| File | Purpose |
-|---|---|
-| `mandate.ts` | Token addresses, swap parameters, and contract addresses for Base mainnet |
-| `agent.ts` | Full tick loop: check balance → approve if needed → quote → swap with slippage protection |
-## How to use it
-In Stage 2 (strategy), when you describe what you want, your assistant will adapt these patterns for your protocol, chain, and parameters — not copy them as-is.
-The on-chain permission contract that authorizes these dispatches must be authored separately (Stage 3). The agent code here is only the intent-building side; the mandate enforces the on-chain bounds.
+# DCA reference example
+**Reference only — not your strategy.** This shows a complete worked implementation of a dollar-cost-averaging agent (USDC → WETH via Uniswap V3 on Base). Consult it for patterns when authoring your own strategy in `src/`.
+## What it shows
+| File | Purpose |
+|---|---|
+| `mandate.ts` | Token addresses, swap parameters, and contract addresses for Base mainnet |
+| `agent.ts` | Full tick loop: check balance → approve if needed → quote → swap with slippage protection |
+## How to use it
+In Stage 2 (strategy), when you describe what you want, your assistant will adapt these patterns for your protocol, chain, and parameters — not copy them as-is.
+The on-chain permission contract that authorizes these dispatches must be authored separately (Stage 3). The agent code here is only the intent-building side; the mandate enforces the on-chain bounds.