@dev.sail.money/sailor 1.0.0-41 → 1.1.0-43

package/AGENTS.md

@@ -1,5 +1,7 @@
 # Sailor — Codebase Guide
 
+This guide is for contributors to the Sailor codebase. The user-facing agent guide ships in templates/default/AGENTS.md.
+
 Sailor is the operator toolkit for Sail Protocol. It does **not** deploy the protocol or author
 permission templates — it targets already-deployed SailKernel instances and gives operators the
 tooling to create SMAs, register permission contracts, and run strategy agents.
@@ -8,11 +10,11 @@ tooling to create SMAs, register permission contracts, and run strategy agents.
 
 | Package / path | Name | Role |
 |---|---|---|
-| `packages/sdk` | `@sail/sdk` | SailorClient, LocalKeyring, kernel ABIs, EIP-712 builders, deployment registry, per-chain address registry |
+| `packages/sdk` | `@sail/sdk` | SailorClient, LocalKeyring, kernel ABIs, EIP-712 builders, deployment registry, per-chain address registry (publishes to npm as `@sail.money/sdk`) |
 | `packages/cli` | `sailor` | CLI: init, keys, account, mandate, onboard, station, ui, run, session, scan, status, owner, doctor, capabilities |
-| `packages/ui` | `sailor-ui` | Local dashboard + browser-driven onboarding wizard at localhost:3333 |
+| `packages/ui` | `sailor-ui` | Local dashboard + browser-driven onboarding wizard (per-project port, 3333–3999) |
 | `templates/default` | — | Default agent starter: neutral blank scaffold + Foundry workspace + onboarding guide (AGENTS.md) |
-| `templates/custom-mandate` | — | Solidity reference: IPermission scaffold (not a project template) |
+| `examples/custom-mandate` | — | Solidity reference: IPermission scaffold (not a project template) |
 
 ## Protocol roles
 

package/README.md

@@ -12,10 +12,11 @@ Sailor is the off-chain operator layer for [Sail Protocol](https://github.com/sa
 |---|---|---|
 | `packages/sdk` | `@sail.money/sdk` / `@sail.money/sailor/sdk` | TypeScript library: SailorClient, EIP-712 helpers, ABIs, deployment registry, chain registry |
 | `packages/cli` | `@sail.money/sailor` | CLI for account setup, mandate signing, and agent execution |
-| `packages/ui` | `sailor-ui` | Local dashboard running at localhost:3333 |
-| `templates/default` | — | Default agent starter (neutral; what `sailor init` scaffolds) |
-| `templates/custom-mandate` | — | Solidity reference: IPermission scaffold (not a project template) |
-| `templates/lifi-permissions` | — | Solidity reference: LiFi clone permission contracts (not a project template) |
+| `packages/ui` | `sailor-ui` | Local dashboard (per-project port; see Dashboard below) |
+| `templates/default` | — | The agent starter `sailor init` scaffolds: slim `AGENTS.md` + on-demand skills under `.agents/skills/` |
+| `examples/permissions` | — | Worked permission contracts by protocol and chain (reference, unaudited) |
+| `examples/custom-mandate` | — | Solidity reference: IPermission authoring scaffold |
+| `examples/lifi-permissions` | — | Solidity reference: LiFi clone permission contracts (source of the clone implementations) |
 
 ---
 
@@ -63,7 +64,11 @@ The path from nothing to a running agent follows the protocol lifecycle:
 4. **Run** — `sailor run` executes the agent locally on a schedule, or via the GitHub Actions workflow the scaffold provides.
 5. **Operate** — `sailor doctor` checks kernel health and gas balances; `sailor chains` lists supported chains and deployment addresses; `sailor session pause` instantly revokes dispatch rights without touching Safe custody.
 
-Run `npx sailor init my-agent`, open the scaffolded folder in Claude Code, Cursor, or any AI coding assistant, and say **"start"**. The `AGENTS.md` in the project guides the assistant through all five stages.
+Run `npx sailor init my-agent`, open the scaffolded folder in Claude Code, Cursor, or any AI coding assistant, and say **"start"**.
+
+### How the assistant is guided
+
+The scaffold follows the open [Agent Skills](https://agentskills.io) standard: a slim, always-loaded `AGENTS.md` carries the welcome flow, project-state map, and hard invariants, while detailed procedures live in seven on-demand skills under `.agents/skills/` (onboarding, project info, servers, transactions, mandates, CI, extensions). Assistants that scan skills load each one only when relevant; assistants that don't follow the routing table in `AGENTS.md` to the same plain-markdown files. Works in Claude Code, Cursor, Copilot, and Codex.
 
 ---
 
@@ -120,7 +125,7 @@ mkdir my-agent && cd my-agent && npm i @sail.money/sailor && npx sailor init &&
 mkdir my-agent ; cd my-agent ; npm i @sail.money/sailor ; npx sailor init ; npm install
 ```
 
-Open this folder in Claude Code, Cursor, Codex, or any AI coding assistant and say **"start"**. The scaffolded `AGENTS.md` guides the assistant through all five stages — SMA deployment, strategy definition, mandate authoring, running, and automation. No manual steps required.
+Open this folder in Claude Code, Cursor, Codex, or any AI coding assistant and say **"start"**. The scaffolded `AGENTS.md` and its skills guide the assistant through the whole flow — SMA deployment, strategy definition, mandate authoring, running, and automation. No manual steps required.
 
 ### Direct CLI reference
 
@@ -146,7 +151,7 @@ sailor run                 # start the agent (continuous)
 sailor keys export-ci      # copy encrypted agent wallet to ci-keystore.json for CI
 
 # Dashboard
-sailor ui start            # open http://localhost:3333
+sailor ui start            # prints the per-project dashboard URL
 ```
 
 `sailor run` writes reverted transactions to stderr as `reverted: <txHash> (gas used: N)`; successful dispatches are appended to `.sail/activity.jsonl`.
@@ -174,9 +179,9 @@ sailor init my-agent --template <name>   # named subdirectory + specific templat
 ### What makes a valid template
 
 A valid template is any directory under `templates/` that contains a
-`package.json`. Directories without one (e.g. `custom-mandate`,
-`lifi-permissions`) are Solidity reference sources, not project scaffolds, and
-are excluded from the available list.
+`package.json`. Solidity reference sources live under `examples/`
+(`examples/permissions`, `examples/custom-mandate`, `examples/lifi-permissions`)
+— they are not project scaffolds and never appear in the template list.
 
 ### Adding a template
 
@@ -193,18 +198,22 @@ Template files are bundled into the published `sailor` npm package via the
 
 ## Dashboard (`sailor ui`)
 
-The Sailor dashboard is a local React app served at `http://localhost:3333`.
-It shows live account state, mandate health, signer balances, and recent
-activity — all read from the project's `.sail/` directory with no hosted
-backend.
+The Sailor dashboard is a local React app. It shows live account state, mandate
+health, signer balances, and recent activity — all read from the project's
+`.sail/` directory with no hosted backend.
+
+Each project gets its own deterministic port in the 3333–3999 range (derived
+from the project path, so several projects can run dashboards side by side).
+Use the URL the command prints, or read it from `.sail/runtime/ui.json` —
+do not assume port 3333.
 
 ### Commands
 
 ```bash
 sailor ui             # start the dashboard (same as sailor ui start)
-sailor ui start       # start the dashboard at http://localhost:3333
+sailor ui start       # start the dashboard and print its URL
 sailor ui stop        # stop the running dashboard
-sailor ui status      # show whether the dashboard is running + pid
+sailor ui status      # show whether the dashboard is running + URL + pid
 ```
 
 ### How it works
@@ -224,7 +233,7 @@ This means you can start the dashboard in one terminal and stop it from another.
 ```bash
 # macOS / Linux
 sailor ui start &
-sailor ui status      # ● running  http://localhost:3333  (pid 12345)
+sailor ui status      # ● running  http://localhost:<port>  (pid 12345)
 sailor ui stop        # Stopped Sailor UI (pid 12345).
 
 # Windows (PowerShell)
@@ -317,8 +326,8 @@ Published to the public npm registry under the `@sail.money` scope.
 
 | Trigger | Package | Version | dist-tag |
 |---|---|---|---|
-| Tag push (`v*`) | `@sail.money/sailor` | `0.1.0` | `latest` |
-| Manual dispatch | `@dev.sail.money/sailor` | `0.1.0-42` | `dev` |
+| Tag push (`v*`) | `@sail.money/sailor` | `1.1.0` | `latest` |
+| Manual dispatch | `@dev.sail.money/sailor` | `1.1.0-42` | `dev` |
 
 ```bash
 npm install @sail.money/sailor                # latest stable (tag push)
@@ -378,7 +387,7 @@ Either way, `@sail.money/sailor/sdk` imports work unchanged.
 
 ## State of the project
 
-Sailor is functional and published as [`@sail.money/sailor`](https://www.npmjs.com/package/@sail.money/sailor) on npm (v0.1.0). The SDK, CLI, keystore, mandate flows, agent runner, and dashboard are implemented and have been exercised end to end.
+Sailor is functional and published as [`@sail.money/sailor`](https://www.npmjs.com/package/@sail.money/sailor) on npm (v1.1.0). The SDK, CLI, keystore, mandate flows, agent runner, and dashboard are implemented and have been exercised end to end.
 
 The Sail Protocol trusted core is deployed on six chains — Ethereum, Base, Arbitrum, Unichain, Base Sepolia, and Eth Sepolia — via CREATE2, with every core contract at the same address on every chain. All six run the selective dispatch model with zero fees and are bootstrapped with a genesis allowlist so `createAccount` is usable immediately. These deployments are under an ongoing external audit by [Octane Security](https://octane.security) and are not final — do not use them with funds you are not prepared to lose.
 

package/docs/PERMISSION_MODEL.md

@@ -45,7 +45,7 @@ other." The fix was to redeploy every permission with pass-through semantics.
 Corollary: on a conjunctive kernel you **cannot** have two permissions that each
 enforce a different token's approve — each would reject the other's token. To support
 approving both DAI and USDC you need **one** approve permission that allows both (see
-`templates/lifi-permissions/`), not two narrow ones.
+`examples/lifi-permissions/`), not two narrow ones.
 
 Selective kernels don't have this problem: each dispatch names one permission and
 only that one is consulted.

package/examples/README.md

@@ -0,0 +1,24 @@
+# examples/
+
+Reference material for building Sail permission contracts. Nothing here is part of
+Sail Protocol and nothing here is audited.
+
+## What's in here
+
+### `permissions/`
+
+Protocol-specific permission examples (Uniswap, Aave, GMX, Vault, Pendle, and others).
+These are copied into your project by `sailor init` so you have local starting points to
+adapt. They are not a supported or exhaustive library — review them before using.
+
+### `custom-mandate/`
+
+A standalone Foundry workspace scaffold for authoring your own `IPermission` contract as a
+separate project. Fork it, rename it, and build from `BoundedCallPermission.sol`.
+
+### `lifi-permissions/`
+
+Reference-only source for the deployed LiFi EIP-1167 clone implementations
+(`LifiBoundedApprovePermissionCloneable`, `LifiDiamondSwapPermissionCloneable`).
+These document live deployed contracts — do not adapt them directly for new projects.
+See the `README.md` inside for deployment addresses and the conjunctive-kernel caveat.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@dev.sail.money/sailor",
-  "version": "1.0.0-41",
+  "version": "1.1.0-43",
   "description": "Operator toolkit for Sail Protocol",
   "bin": {
     "sailor": "packages/cli/dist/index.cjs"

package/packages/cli/README.md

@@ -14,7 +14,6 @@ sailor init my-fund
 
 - `sailor init [name]` — scaffold a new agent project from a template
 - `sailor keys generate|show` — generate/show the agent wallet and mandate signer keys
-- `sailor account create` — create a new SMA on-chain
 - `sailor onboard` — set up an SMA, register a permission, and confirm the agent is operational
 - `sailor mandate prepare` — review the permissions attached to your SMA
 - `sailor mandate sign` — confirm the permissions authorized for your SMA

package/packages/cli/dist/index.cjs

@@ -35189,6 +35189,10 @@ var require_websocket_server2 = __commonJS({
   }
 });
 
+// src/index.ts
+var import_node_fs18 = require("node:fs");
+var import_node_path14 = require("node:path");
+
 // ../../node_modules/.pnpm/commander@12.1.0/node_modules/commander/esm.mjs
 var import_index = __toESM(require_commander(), 1);
 var {
@@ -38442,14 +38446,6 @@ async function confirm(question) {
   const answer = (await prompt(`${question} (y/N)`)).toLowerCase();
   return answer === "y" || answer === "yes";
 }
-async function promptAddress(label, def) {
-  for (let attempt = 0; attempt < 5; attempt++) {
-    const raw = await prompt(label, def);
-    if (isAddress(raw)) return getAddress(raw);
-    console.log(`  "${raw}" is not a valid EVM address \u2014 try again.`);
-  }
-  throw new Error(`No valid address provided for: ${label}`);
-}
 async function promptHidden(question) {
   const isTty = process.stdin.isTTY === true;
   if (isTty) muted = true;
@@ -38492,87 +38488,6 @@ function getRpcUrl(chainId) {
   return process.env.RPC_URL?.trim() || void 0;
 }
 
-// src/lib/keys.ts
-init_esm2();
-var ROLES = ["manager", "permissionSigner"];
-function normalizeRole(input) {
-  const n = input.trim().toLowerCase().replace(/[-_\s]/g, "");
-  if (n === "manager" || n === "mgr" || n === "m" || n === "agent" || n === "agentwallet") {
-    return "manager";
-  }
-  if (n === "permissionsigner" || n === "signer" || n === "ps" || n === "permission" || n === "mandatesigner" || n === "mandate") {
-    return "permissionSigner";
-  }
-  return null;
-}
-function roleLabel(role) {
-  return role === "manager" ? "agent wallet" : "mandate signer";
-}
-function safeHex(safe) {
-  return safe.toLowerCase().replace(/^0x/, "").replace(/[^0-9a-f]/g, "");
-}
-function keyPath(role, safe) {
-  if (safe) {
-    return sailPath("keys", `${role}-0x${safeHex(safe)}.json`);
-  }
-  return sailPath("keys", `${role}.json`);
-}
-function legacyKeyPath(role, safe) {
-  return sailPath("keys", `${role}-${safeHex(safe)}.json`);
-}
-function resolveKeyPath(role, safe) {
-  if (safe) {
-    const perSma = keyPath(role, safe);
-    if (fileExists(perSma)) return perSma;
-    const legacy = legacyKeyPath(role, safe);
-    if (fileExists(legacy)) return legacy;
-  }
-  return keyPath(role);
-}
-function keyExists(role, safe) {
-  return fileExists(resolveKeyPath(role, safe));
-}
-async function loadKeyring(role, safe) {
-  const keystore = readJsonFile(resolveKeyPath(role, safe));
-  if (!keystore) {
-    throw new Error(
-      `No ${roleLabel(role)} found.
-Run "sailor keys generate" and choose "${roleLabel(role)}" first.`
-    );
-  }
-  const password = await promptHidden(`Password for ${roleLabel(role)} key`);
-  try {
-    return await LocalKeyring.fromKeystore(keystore, password);
-  } catch {
-    throw new Error("Invalid password.");
-  }
-}
-async function loadManagerSigner(safe) {
-  const passphrase = process.env.SAIL_PASSPHRASE;
-  if (passphrase) {
-    const keystore = readJsonFile(resolveKeyPath("manager", safe));
-    if (!keystore) {
-      throw new Error(
-        'No agent wallet found.\nRun "sailor keys generate" and choose "agent wallet".'
-      );
-    }
-    return LocalKeyring.fromKeystore(keystore, passphrase);
-  }
-  return loadKeyring("manager", safe);
-}
-function managerKeystorePath(managerAddr) {
-  if (!isAddress(managerAddr, { strict: false })) {
-    throw new Error(`managerKeystorePath: invalid address "${managerAddr}"`);
-  }
-  const hex = managerAddr.toLowerCase().replace(/^0x/, "");
-  return sailPath("keys", "managers", `${hex}.json`);
-}
-async function loadAnySigner() {
-  if (keyExists("permissionSigner")) return loadKeyring("permissionSigner");
-  if (keyExists("manager")) return loadKeyring("manager");
-  throw new Error('No signing key found.\nRun "sailor keys generate" first.');
-}
-
 // src/lib/packagePaths.ts
 var import_node_fs3 = __toESM(require("node:fs"), 1);
 var import_node_path2 = __toESM(require("node:path"), 1);
@@ -39330,86 +39245,6 @@ async function createSigningChannel(projectRoot = process.cwd()) {
 }
 
 // src/commands/account.ts
-function resolveChain(chainId) {
-  try {
-    return getChain(chainId);
-  } catch {
-    throw new Error(
-      `Chain ${chainId} is not yet configured in @sail/chains.
-The SailKernel and mandate-factory addresses for this chain are unknown,
-so an account cannot be created yet. Add the chain to @sail/chains once
-SailKernel is deployed there.`
-    );
-  }
-}
-async function accountCreate() {
-  if (!keyExists("manager")) {
-    throw new Error(
-      'No agent wallet found.\nRun "sailor keys generate" and choose "agent wallet" first.'
-    );
-  }
-  const env = parseEnvFile(sailPath(".env.local"));
-  const rpcUrl = env["RPC_URL"] ?? process.env["RPC_URL"];
-  const chainIdRaw = env["CHAIN_ID"] ?? process.env["CHAIN_ID"];
-  if (!rpcUrl || !chainIdRaw) {
-    throw new Error(
-      "RPC_URL and CHAIN_ID must be set in .sail/.env.local.\nCreate that file with, for example:\n  RPC_URL=https://your-rpc-endpoint\n  CHAIN_ID=8453"
-    );
-  }
-  const chainId = Number(chainIdRaw);
-  if (Number.isNaN(chainId)) {
-    throw new Error(`Invalid CHAIN_ID: "${chainIdRaw}" \u2014 must be a number.`);
-  }
-  const chain2 = resolveChain(chainId);
-  console.log(`Chain ${chainId} (${chain2.name})`);
-  console.log(`  SailKernel:      ${checksum4(chain2.kernel)}`);
-  console.log(`  Mandate factory: ${checksum4(chain2.mandateFactory)}
-`);
-  const manager = await loadKeyring("manager");
-  const managerAddr = checksum4(manager.address);
-  const safeFactory = await promptAddress("Safe factory address");
-  const safeSingleton = await promptAddress("Safe singleton address");
-  const owner2 = await promptAddress("Owner (EOA) address", managerAddr);
-  const permissionSigner = await promptAddress("Mandate signer address", managerAddr);
-  const feePolicy = await prompt("Fee policy", "none");
-  console.log("\nCreating SMA with:");
-  console.log(`  Owner:           ${owner2}`);
-  console.log(`  Agent wallet:    ${managerAddr}`);
-  console.log(`  Mandate signer:  ${permissionSigner}`);
-  console.log(`  Safe factory:    ${safeFactory}`);
-  console.log(`  Safe singleton:  ${safeSingleton}`);
-  console.log(`  Fee policy:      ${feePolicy}`);
-  const client = makeClient(chainId);
-  try {
-    const account2 = await client.account.create({
-      owner: owner2,
-      permissionSigner,
-      manager: managerAddr,
-      chainId
-    });
-    const stored = {
-      safe: checksum4(account2.safe),
-      owner: checksum4(account2.owner),
-      permissionSigner: checksum4(account2.permissionSigner),
-      manager: checksum4(account2.manager),
-      chainId: account2.chainId,
-      createdAtBlock: account2.createdAtBlock.toString()
-    };
-    upsertAccountInList(stored);
-    writeJsonFile(sailPath("account.json"), stored);
-    console.log(`
-SMA created. Address: ${stored.safe}`);
-    console.log("Saved to .sail/account.json");
-  } catch (err) {
-    if (err.message === "not implemented") {
-      console.log(
-        "\nOn-chain account creation is not wired up in this build yet \u2014\nclient.account.create is a stub until SailKernel is deployed and the\nSDK is connected. Nothing was created on-chain."
-      );
-      return;
-    }
-    throw err;
-  }
-}
 var SAIL_MAINNET_CHAINS = [1, 8453, 42161, 130];
 async function fetchProxyCreationCode(preferredChainId) {
   const rpcUrl = getRpcUrl(preferredChainId) ?? void 0;
@@ -39801,6 +39636,89 @@ function emit(json, human, payload) {
 
 // src/lib/project.ts
 init_esm2();
+
+// src/lib/keys.ts
+init_esm2();
+var ROLES = ["manager", "permissionSigner"];
+function normalizeRole(input) {
+  const n = input.trim().toLowerCase().replace(/[-_\s]/g, "");
+  if (n === "manager" || n === "mgr" || n === "m" || n === "agent" || n === "agentwallet") {
+    return "manager";
+  }
+  if (n === "permissionsigner" || n === "signer" || n === "ps" || n === "permission" || n === "mandatesigner" || n === "mandate") {
+    return "permissionSigner";
+  }
+  return null;
+}
+function roleLabel(role) {
+  return role === "manager" ? "agent wallet" : "mandate signer";
+}
+function safeHex(safe) {
+  return safe.toLowerCase().replace(/^0x/, "").replace(/[^0-9a-f]/g, "");
+}
+function keyPath(role, safe) {
+  if (safe) {
+    return sailPath("keys", `${role}-0x${safeHex(safe)}.json`);
+  }
+  return sailPath("keys", `${role}.json`);
+}
+function legacyKeyPath(role, safe) {
+  return sailPath("keys", `${role}-${safeHex(safe)}.json`);
+}
+function resolveKeyPath(role, safe) {
+  if (safe) {
+    const perSma = keyPath(role, safe);
+    if (fileExists(perSma)) return perSma;
+    const legacy = legacyKeyPath(role, safe);
+    if (fileExists(legacy)) return legacy;
+  }
+  return keyPath(role);
+}
+function keyExists(role, safe) {
+  return fileExists(resolveKeyPath(role, safe));
+}
+async function loadKeyring(role, safe) {
+  const keystore = readJsonFile(resolveKeyPath(role, safe));
+  if (!keystore) {
+    throw new Error(
+      `No ${roleLabel(role)} found.
+Run "sailor keys generate" and choose "${roleLabel(role)}" first.`
+    );
+  }
+  const password = await promptHidden(`Password for ${roleLabel(role)} key`);
+  try {
+    return await LocalKeyring.fromKeystore(keystore, password);
+  } catch {
+    throw new Error("Invalid password.");
+  }
+}
+async function loadManagerSigner(safe) {
+  const passphrase = process.env.SAIL_PASSPHRASE;
+  if (passphrase) {
+    const keystore = readJsonFile(resolveKeyPath("manager", safe));
+    if (!keystore) {
+      throw new Error(
+        'No agent wallet found.\nRun "sailor keys generate" and choose "agent wallet".'
+      );
+    }
+    return LocalKeyring.fromKeystore(keystore, passphrase);
+  }
+  return loadKeyring("manager", safe);
+}
+function managerKeystorePath(managerAddr) {
+  if (!isAddress(managerAddr, { strict: false })) {
+    throw new Error(`managerKeystorePath: invalid address "${managerAddr}"`);
+  }
+  const hex = managerAddr.toLowerCase().replace(/^0x/, "");
+  return sailPath("keys", "managers", `${hex}.json`);
+}
+async function loadAnySigner() {
+  if (keyExists("permissionSigner")) return loadKeyring("permissionSigner");
+  if (keyExists("manager")) return loadKeyring("manager");
+  throw new Error('No signing key found.\nRun "sailor keys generate" first.');
+}
+
+// src/lib/project.ts
 function nonEmpty(value) {
   return typeof value === "string" && value.trim().length > 0;
 }
@@ -40480,6 +40398,40 @@ interface IPermission {
     function discriminator() external view returns (bytes32);
 }
 `;
+var IBATCHPERMISSION_SOL = `// SPDX-License-Identifier: MIT
+pragma solidity 0.8.26;
+
+/// @notice A single subcall in a batch dispatch.
+/// @dev The kernel executes each Call as safe.execTransactionFromModule(target, value, data, 0)
+///      \u2014 operation is always CALL, never DELEGATECALL.
+struct Call {
+    address target; // MUST NOT equal the kernel (enforced by the kernel)
+    uint256 value;  // native ETH forwarded (wei)
+    bytes   data;   // calldata for the subcall
+}
+
+/// @notice Execution context passed to evaluateBatch on each batch dispatch (read-only snapshot).
+struct BatchContext {
+    address account;        // the Safe (SMA) whose assets are moved
+    address manager;        // the delegated signer who authorised the batch
+    address submitter;      // msg.sender of the dispatch (may differ from manager via a relayer)
+    address permission;     // this batch permission contract
+    bytes32 batchHash;      // keccak256(abi.encode(calls)) \u2014 stable id for the exact sequence
+    uint256 blockTimestamp; // block.timestamp at dispatch
+    uint256 blockNumber;    // block.number at dispatch
+}
+
+/// @title  IBatchPermission
+/// @notice Gates an atomic batch of subcalls. Evaluated via staticcall under a gas cap;
+///         a revert / OOG / malformed return is treated as \`false\` (fail-closed).
+interface IBatchPermission {
+    /// @notice Validate an entire batch of subcalls and their cross-call invariants.
+    function evaluateBatch(Call[] calldata calls, BatchContext calldata ctx) external view returns (bool);
+
+    /// @notice Marker the kernel uses (try/catch) to detect batch-aware permissions. MUST return true.
+    function isBatchPermission() external pure returns (bool);
+}
+`;
 var EXAMPLE_MANDATE_SOL = `// SPDX-License-Identifier: MIT
 pragma solidity 0.8.26;
 
@@ -40561,6 +40513,10 @@ function scaffoldFoundryWorkspace(root) {
     (0, import_node_path6.join)(root, ".sail", "contracts", "interfaces", "IPermission.sol"),
     IPERMISSION_SOL
   );
+  writeIfMissing(
+    (0, import_node_path6.join)(root, ".sail", "contracts", "interfaces", "IBatchPermission.sol"),
+    IBATCHPERMISSION_SOL
+  );
   writeIfMissing((0, import_node_path6.join)(root, "mandates", "BoundedCallPermission.sol"), EXAMPLE_MANDATE_SOL);
   writeIfMissing((0, import_node_path6.join)(root, "mandates", "README.md"), MANDATES_README);
 }
@@ -40722,6 +40678,10 @@ run from the repo root.` : ` Available: ${available}`;
   if (import_node_fs8.default.existsSync(examplesPermSrc)) {
     copyDirSync(examplesPermSrc, import_node_path7.default.join(dest, "examples", "permissions"));
   }
+  const customMandateSrc = import_node_path7.default.join(pkgRoot, "examples", "custom-mandate");
+  if (import_node_fs8.default.existsSync(customMandateSrc)) {
+    copyDirSync(customMandateSrc, import_node_path7.default.join(dest, "examples", "custom-mandate"));
+  }
   const permModelSrc = import_node_path7.default.join(pkgRoot, "docs", "PERMISSION_MODEL.md");
   if (import_node_fs8.default.existsSync(permModelSrc)) {
     import_node_fs8.default.mkdirSync(import_node_path7.default.join(dest, "docs"), { recursive: true });
@@ -40849,7 +40809,7 @@ Created ${name}/`);
     "\u2551                                                                      \u2551",
     "\u2551  DO THIS FIRST:                                                      \u2551",
     "\u2551    1. Read AGENTS.md in the project root (FULL FILE, not a skim)     \u2551",
-    "\u2551    2. Complete every step listed under Stage 1 \u2014 Onboarding          \u2551",
+    "\u2551    2. Follow it \u2014 the detailed steps live in .agents/skills/         \u2551",
     '\u2551    3. Confirm to the user: "I have read AGENTS.md and am ready."     \u2551',
     "\u2551                                                                      \u2551",
     "\u2551  If you skip this step, setup WILL break and you will have to        \u2551",
@@ -42317,7 +42277,7 @@ function mandateTemplates(options) {
       console.log("  2. Implement IPermission.evaluate(txData, ctx) with your policy logic");
       console.log("  3. forge build");
       console.log("  4. sailor mandate deploy --contract <Name> --attach --sma <yourSMA>");
-      console.log("\n  See templates/custom-mandate/README.md for the full guide.");
+      console.log("\n  See examples/custom-mandate/README.md for the full guide.");
       if (community.length > 0) {
         console.log(
           "\nCommunity-deployed permission contracts (informational \u2014 NOT audited or\nendorsed by Sail; review the source before registering any of them):"
@@ -42599,7 +42559,7 @@ function printNoPermissionsGuidance() {
 async function mandatePrepare() {
   const account2 = readJsonFile(sailPath("account.json"));
   if (!account2) {
-    throw new Error('No account found at .sail/account.json.\nRun "sailor account create" first.');
+    throw new Error('No account found at .sail/account.json.\nRun "sailor onboard --new-sma" first.');
   }
   const permissions = await trackedPermissionsFor(account2);
   if (permissions.length === 0) {
@@ -42632,7 +42592,7 @@ ${permissions.length} permission(s) tracked for SMA ${account2.safe}:
 async function mandateSign(opts = {}) {
   const account2 = readJsonFile(sailPath("account.json"));
   if (!account2) {
-    throw new Error('No account found at .sail/account.json.\nRun "sailor account create" first.');
+    throw new Error('No account found at .sail/account.json.\nRun "sailor onboard --new-sma" first.');
   }
   const permissions = await trackedPermissionsFor(account2);
   if (permissions.length === 0) {
@@ -43575,7 +43535,7 @@ async function runCommand(opts) {
   const once = opts.once === true;
   const account2 = readJsonFile(sailPath("account.json"));
   if (!account2) {
-    throw new Error('No account found at .sail/account.json.\nRun "sailor account create" first.');
+    throw new Error('No account found at .sail/account.json.\nRun "sailor onboard --new-sma" first.');
   }
   const mandateRaw = readJsonFile(sailPath("mandate.json"));
   const mandate2 = Array.isArray(mandateRaw) ? mandateRaw[0] : mandateRaw;
@@ -43638,7 +43598,7 @@ async function runCommand(opts) {
   if (!kernel) {
     throw new Error(
       `No SailKernel address for chain ${chainId}.
-Configure the chain in @sail/chains or set KERNEL_ADDRESS in .sail/.env.local.`
+Configure the chain in the SDK chain registry or set KERNEL_ADDRESS in .sail/.env.local.`
     );
   }
   const manager = await loadManagerSigner(account2.safe);
@@ -44029,7 +43989,7 @@ function requireAccount() {
   const account2 = readJsonFile(sailPath("account.json"));
   if (!account2) {
     throw new Error(
-      'No account found at .sail/account.json.\nRun "sailor account create" first.'
+      'No account found at .sail/account.json.\nRun "sailor onboard --new-sma" first.'
     );
   }
   return account2;
@@ -44197,7 +44157,7 @@ async function status() {
   if (account2) {
     console.log(`  \u2713 deployed   ${checksum4(account2.safe)}  (chain ${account2.chainId})`);
   } else {
-    console.log('  \u2717 not deployed   run "sailor account create"');
+    console.log('  \u2717 not deployed   run "sailor onboard --new-sma"');
   }
   console.log("Mandate:");
   if (mandate2) {
@@ -44316,8 +44276,16 @@ function uiStop() {
 }
 
 // src/index.ts
+function cliVersion() {
+  try {
+    const pkg = JSON.parse((0, import_node_fs18.readFileSync)((0, import_node_path14.join)(packageRoot(), "package.json"), "utf-8"));
+    return pkg.version ?? "0.0.0";
+  } catch {
+    return "0.0.0";
+  }
+}
 var program2 = new Command();
-program2.name("sailor").description("Operator toolkit for Sail Protocol").version("0.1.0");
+program2.name("sailor").description("Operator toolkit for Sail Protocol").version(cliVersion());
 function action(fn) {
   return async () => {
     try {
@@ -44364,7 +44332,6 @@ keys.command("export-ci").description(
   "Copy the encrypted agent wallet keystore to ci-keystore.json for committing to CI"
 ).action(action(keysExportCi));
 var account = program2.command("account").description("Manage the Sail SMA");
-account.command("create").description("Create a new Sail SMA on-chain").action(action(accountCreate));
 account.command("predict").description(
   "Compute the deterministic Safe address for a given owner + manager + salt (no gas, no deployment)"
 ).option("--owner <address>", "Owner EOA address (defaults to .sail/account.json)").option(
@@ -44416,12 +44383,6 @@ program2.command("capabilities").description(
   "Feasibility map (read-only): chains, kernel model, mandate templates, strategy primitives"
 ).option("--json", "Emit machine-readable JSON").action(actionWith(capabilities));
 program2.command("chains").description("List supported chains and their SailKernel deployment addresses").option("--verify", "Verify each kernel is deployed via eth_getCode (one RPC call per chain)").option("--json", "Emit machine-readable JSON").action(actionWith(chainsCommand));
-function stub(name, description) {
-  program2.command(name).description(description).allowUnknownOption().action(() => {
-    console.log(`sailor ${name}: not implemented yet`);
-  });
-}
-stub("dispatch preview", "Preview a dispatch without submitting");
 program2.parse(process.argv);
 /*! Bundled license information: