@dev.sail.money/sailor 1.2.0-73 → 1.2.0-75

package/examples/permissions/BoundedSwapNative_UniswapV3_Base.sol

@@ -0,0 +1,123 @@
+// SPDX-License-Identifier: MIT
+pragma solidity 0.8.26;
+
+// ─────────────────────────────────────────────────────────────────────────────
+// Protocol : Uniswap V3 — NATIVE-ASSET (ETH) swap
+// Version  : SwapRouter02 (NOT the older SwapRouter — different selectors)
+// Chain    : Base mainnet (8453)
+// Target   : SwapRouter02  0x2626664c2603336E57B271c5C0b26F421741e481  (verified on Basescan)
+//
+// WHY A SEPARATE EXAMPLE FOR NATIVE ETH:
+//   When the asset being spent is the chain's NATIVE asset (ETH), the value that actually
+//   leaves the account is the call's `msg.value` — exposed to the permission as `Context.value`
+//   (`ctx.value`) — NOT the calldata `amountIn`. SwapRouter02 swaps native ETH by wrapping the
+//   ETH you send (tokenIn = WETH in the calldata) into WETH inside the router. So a permission
+//   adapted naively from the ERC-20 swap example (BoundedSwap_UniswapV3_Base.sol) would bound
+//   `amountIn` while leaving `ctx.value` UNBOUNDED — and the on-chain bound would NOT cap the
+//   funds actually spent. That is the trap this example exists to close.
+//
+// THE RULE THIS EXAMPLE DEMONSTRATES:
+//   For ANY value-carrying call, `Context.value` MUST be explicitly bounded. Bounding the
+//   calldata amount is not enough — the real spend is `ctx.value`.
+//
+// ENFORCES ON-CHAIN (kernel calls evaluate() on every dispatch; false ⇒ dispatch blocked):
+//   exactInputSingle((address,address,uint24,address,uint256,uint256,uint160))  selector 0x04e45aaf
+//     • target must be SWAP_ROUTER
+//     • ctx.value ≤ MAX_AMOUNT_IN          ← bounds the REAL native spend
+//     • amountIn == ctx.value              ← forces the native path; no value/amount drift
+//     • tokenIn  must equal WETH           ← the router wraps ctx.value into WETH
+//     • tokenOut must be in ALLOWED_TOKENS_OUT
+//
+// AGENT-ENFORCED / NOT BOUNDED HERE (off-chain — can change without redeploying this contract):
+//   • fee tier, sqrtPriceLimitX96, recipient address
+//   • swap frequency / cadence
+//   • slippage — see the note below
+//
+// SLIPPAGE IS NOT BOUNDED ON-CHAIN HERE — AND CANNOT BE, without a price oracle:
+//   `amountOutMinimum` (output token) and `ctx.value`/`amountIn` (native ETH) are denominated in
+//   DIFFERENT tokens, so a ratio between them bounds nothing real (see BoundedSwap_UniswapV3_Base
+//   for the full explanation). Compute `amountOutMinimum` OFF-CHAIN from a live quote and pass it
+//   in per swap; the router reverts if the output falls below it. This contract only caps the
+//   native input spend (MAX_AMOUNT_IN).
+//
+// VERIFY BEFORE USE:
+//   • Confirm SwapRouter02 + WETH addresses on your chain (Base defaults shown; verify on-chain).
+//   • Native ETH swaps on SwapRouter02 are typically wrapped in a payable multicall (so the
+//     router can refundETH any unspent wei). This example bounds the single exactInputSingle
+//     leg; if your agent routes the swap through `multicall`, add a permission that decodes the
+//     multicall and applies these same ctx.value / amountIn checks to the inner call.
+//   • Selector 0x04e45aaf = exactInputSingle((address,address,uint24,address,uint256,uint256,uint160))
+//     on SwapRouter02 (verified via `cast sig`). The OLDER SwapRouter's exactInputSingle (the
+//     deadline variant) is 0x414bf389 — a different selector; do not confuse the two.
+// ─────────────────────────────────────────────────────────────────────────────
+
+import {IPermission, Context} from "@sail/interfaces/IPermission.sol";
+
+contract BoundedSwapNative_UniswapV3_Base is IPermission {
+    bytes32 private constant DISCRIMINATOR = keccak256("BoundedSwapNative_UniswapV3_Base");
+
+    address public immutable SWAP_ROUTER;
+    /// @dev The wrapped-native token (WETH). SwapRouter02 wraps the ETH sent as ctx.value
+    ///      into this token, so the calldata tokenIn for a native swap is WETH.
+    address public immutable WETH;
+    mapping(address => bool) public isAllowedTokenOut;
+    /// @dev Per-call cap on the native spend, in wei. Bounds ctx.value, the REAL spend.
+    uint256 public immutable MAX_AMOUNT_IN;
+
+    bytes4 private constant SEL_EXACT_INPUT_SINGLE = 0x04e45aaf;
+
+    struct ExactInputSingleParams {
+        address tokenIn;
+        address tokenOut;
+        uint24  fee;
+        address recipient;
+        uint256 amountIn;
+        uint256 amountOutMinimum;
+        uint160 sqrtPriceLimitX96;
+    }
+
+    /// @param swapRouter      SwapRouter02 address (0x2626... on Base)
+    /// @param weth            Wrapped-native token address (WETH on Base: 0x4200...0006)
+    /// @param allowedTokensOut  Tokens the agent may receive
+    /// @param maxAmountIn     Per-call native spend cap in wei (bounds ctx.value)
+    /// @dev No slippage parameter: slippage cannot be bounded on-chain without a price oracle
+    ///      (see the header note). Pass a tight `amountOutMinimum`, computed off-chain from a
+    ///      live quote, on each swap — the router enforces it by reverting.
+    constructor(
+        address swapRouter,
+        address weth,
+        address[] memory allowedTokensOut,
+        uint256 maxAmountIn
+    ) {
+        SWAP_ROUTER   = swapRouter;
+        WETH          = weth;
+        MAX_AMOUNT_IN = maxAmountIn;
+        for (uint256 i = 0; i < allowedTokensOut.length; i++) {
+            isAllowedTokenOut[allowedTokensOut[i]] = true;
+        }
+    }
+
+    function evaluate(bytes calldata txData, Context calldata ctx) external view returns (bool) {
+        if (txData.length < 4) return false;
+        if (ctx.target != SWAP_ROUTER || ctx.selector != SEL_EXACT_INPUT_SINGLE) return false;
+        if (txData.length < 4 + 7 * 32) return false;
+
+        ExactInputSingleParams memory p = abi.decode(txData[4:], (ExactInputSingleParams));
+
+        // Bound the REAL native spend. ctx.value is the ETH actually leaving the account;
+        // bounding amountIn alone would leave the spend uncapped.
+        if (ctx.value > MAX_AMOUNT_IN) return false;
+        // No drift between the declared amount and the native value sent — a native swap pays
+        // entirely with ctx.value, so amountIn must equal it exactly.
+        if (p.amountIn != ctx.value)  return false;
+
+        // tokenIn is WETH: the router wraps ctx.value into WETH before swapping.
+        if (p.tokenIn != WETH)              return false;
+        if (!isAllowedTokenOut[p.tokenOut]) return false;
+        // amountOutMinimum intentionally not checked — see header (slippage cannot be bounded
+        // on-chain; the router enforces the off-chain-computed value the agent passes in).
+        return true;
+    }
+
+    function discriminator() external pure returns (bytes32) { return DISCRIMINATOR; }
+}

package/examples/permissions/BoundedSwap_UniswapV3_Base.sol

@@ -13,7 +13,6 @@ pragma solidity 0.8.26;
 //     • tokenIn  must equal FIXED_TOKEN_IN
 //     • tokenOut must be in ALLOWED_TOKENS_OUT
 //     • amountIn ≤ MAX_AMOUNT_IN
-//     • amountOutMinimum ≥ amountIn × MIN_BPS / 10 000  (slippage floor — see caveat below)
 //   approve(address,uint256)  selector 0x095ea7b3
 //     • target must be FIXED_TOKEN_IN (the ERC-20 being approved)
 //     • spender must be SWAP_ROUTER
@@ -22,15 +21,24 @@ pragma solidity 0.8.26;
 // AGENT-ENFORCED / NOT BOUNDED HERE (off-chain — can change without redeploying this contract):
 //   • fee tier, sqrtPriceLimitX96, recipient address
 //   • swap frequency / cadence
-//   • real (cross-denomination) slippage — see MIN_BPS caveat in evaluate()
+//   • slippage — see the note below
+//
+// SLIPPAGE IS NOT BOUNDED ON-CHAIN HERE — AND CANNOT BE, without a price oracle:
+//   `amountOutMinimum` (output token) and `amountIn` (input token) are denominated in DIFFERENT
+//   tokens. Comparing them as a ratio — the pattern an earlier version of this example shipped —
+//   is meaningless for any pair whose tokens differ in price or decimals (e.g. USDC→WETH): the
+//   check is either trivially satisfied or trivially failed, giving false confidence while
+//   protecting nothing. So this permission deliberately does NOT constrain `amountOutMinimum`.
+//   Real slippage protection must be computed OFF-CHAIN from a live quote (e.g. the Quoter or a
+//   price feed) and passed in as `amountOutMinimum` on each swap — the router reverts if the
+//   output falls below it. Your agent owns choosing a tight, fresh value per call; this contract
+//   only caps the input spend (MAX_AMOUNT_IN).
 //
 // VERIFY BEFORE USE:
 //   • Confirm SwapRouter02 address on your chain (Base default shown above; verified on Basescan).
 //   • Selector 0x04e45aaf = exactInputSingle((address,address,uint24,address,uint256,uint256,uint160))
 //     on SwapRouter02 (verified via `cast sig`). The OLDER SwapRouter's exactInputSingle (the
 //     deadline variant) is 0x414bf389 — a different selector; do not confuse the two.
-//   • Confirm that amountOutMinimum slippage floor fits your price-impact expectations for the
-//     chosen pool. Large amountIn values may trigger price impact beyond MIN_BPS.
 // ─────────────────────────────────────────────────────────────────────────────
 
 import {IPermission, Context} from "@sail/interfaces/IPermission.sol";
@@ -42,8 +50,6 @@ contract BoundedSwap_UniswapV3_Base is IPermission {
     address public immutable FIXED_TOKEN_IN;
     mapping(address => bool) public isAllowedTokenOut;
     uint256 public immutable MAX_AMOUNT_IN;
-    /// @dev Slippage floor in basis points. 9 900 = allow at most 1% slippage.
-    uint256 public immutable MIN_BPS;
 
     bytes4 private constant SEL_EXACT_INPUT_SINGLE = 0x04e45aaf;
     bytes4 private constant SEL_APPROVE            = 0x095ea7b3;
@@ -62,21 +68,18 @@ contract BoundedSwap_UniswapV3_Base is IPermission {
     /// @param fixedTokenIn    The one token the agent is allowed to sell
     /// @param allowedTokensOut  Tokens the agent may receive
     /// @param maxAmountIn     Per-call spend cap in fixedTokenIn base units
-    /// @param minBps          Minimum amountOutMinimum as fraction of amountIn ×10 000
-    ///                        e.g. 9900 → require amountOutMinimum ≥ 99% of amountIn
-    ///                        (denominated in fixedTokenIn units, not USD — set per your pair)
+    /// @dev No slippage parameter: slippage cannot be bounded on-chain without a price oracle
+    ///      (see the header note). Pass a tight `amountOutMinimum`, computed off-chain from a
+    ///      live quote, on each swap — the router enforces it by reverting.
     constructor(
         address swapRouter,
         address fixedTokenIn,
         address[] memory allowedTokensOut,
-        uint256 maxAmountIn,
-        uint256 minBps
+        uint256 maxAmountIn
     ) {
-        require(minBps <= 10_000, "minBps > 10000");
         SWAP_ROUTER    = swapRouter;
         FIXED_TOKEN_IN = fixedTokenIn;
         MAX_AMOUNT_IN  = maxAmountIn;
-        MIN_BPS        = minBps;
         for (uint256 i = 0; i < allowedTokensOut.length; i++) {
             isAllowedTokenOut[allowedTokensOut[i]] = true;
         }
@@ -92,11 +95,10 @@ contract BoundedSwap_UniswapV3_Base is IPermission {
             if (p.tokenIn != FIXED_TOKEN_IN)         return false;
             if (!isAllowedTokenOut[p.tokenOut])      return false;
             if (p.amountIn > MAX_AMOUNT_IN)          return false;
-            // Slippage floor: amountOutMinimum ≥ amountIn × MIN_BPS / 10 000.
-            // WARNING: compares tokenOut against tokenIn base units. For same-price/same-decimal
-            // pairs this maps to a slippage %. For cross-price pairs (e.g. USDC→WETH) it is
-            // trivially satisfied — real slippage is enforced by the agent off-chain, not here.
-            if (p.amountOutMinimum < (p.amountIn * MIN_BPS) / 10_000) return false;
+            // amountOutMinimum is intentionally NOT checked here — it is denominated in the
+            // output token, so a ratio against amountIn (input token) bounds nothing real for a
+            // cross-price pair (see header). The router enforces the off-chain-computed
+            // amountOutMinimum the agent passes in.
             return true;
         }
 

package/examples/permissions/BoundedSwap_UniswapV4_Unichain.sol

@@ -19,12 +19,19 @@ pragma solidity 0.8.26;
 //     • tokenIn (from poolKey, derived by zeroForOne) must be FIXED_CURRENCY_IN
 //     • tokenOut must be in ALLOWED_CURRENCIES_OUT
 //     • amountIn ≤ MAX_AMOUNT_IN
-//     • amountOutMinimum ≥ amountIn × MIN_BPS / 10 000  (slippage floor — see caveat below)
 //
 // AGENT-ENFORCED / NOT BOUNDED HERE (off-chain — can change without redeploying this contract):
-//   • real (cross-denomination) slippage — see MIN_BPS caveat in evaluate()
+//   • slippage — see the note below
 //   • swap frequency / cadence
 //
+// SLIPPAGE IS NOT BOUNDED ON-CHAIN HERE — AND CANNOT BE, without a price oracle:
+//   `amountOutMinimum` (output currency) and `amountIn` (input currency) are denominated in
+//   DIFFERENT tokens. A ratio between them — the pattern an earlier version of this example
+//   shipped — bounds nothing real for any pair whose tokens differ in price or decimals. So this
+//   permission deliberately does NOT constrain `amountOutMinimum`. Compute it OFF-CHAIN from a
+//   live quote and pass it in per swap; the router reverts if the output falls below it. This
+//   contract only caps the input spend (MAX_AMOUNT_IN).
+//
 // DOCUMENTED LIMITATIONS (on-chain, but intentionally not constrained):
 //   • hookData is not inspected (hooks can alter swap behavior on-chain; if the
 //     pool uses a hook that significantly changes execution, this permission cannot
@@ -54,7 +61,6 @@ contract BoundedSwap_UniswapV4_Unichain is IPermission {
     address public immutable FIXED_CURRENCY_IN;
     mapping(address => bool) public isAllowedCurrencyOut;
     uint256 public immutable MAX_AMOUNT_IN;
-    uint256 public immutable MIN_BPS;
 
     // execute(bytes,bytes[],uint256) — with deadline
     bytes4 private constant SEL_EXECUTE_DEADLINE = 0x3593564c;
@@ -84,18 +90,18 @@ contract BoundedSwap_UniswapV4_Unichain is IPermission {
         bytes   hookData;   // not inspected — see limitations header
     }
 
+    /// @dev No slippage parameter: slippage cannot be bounded on-chain without a price oracle
+    ///      (see the header note). Pass a tight `amountOutMinimum`, computed off-chain from a
+    ///      live quote, on each swap — the router enforces it by reverting.
     constructor(
         address universalRouter,
         address fixedCurrencyIn,
         address[] memory allowedCurrenciesOut,
-        uint256 maxAmountIn,
-        uint256 minBps
+        uint256 maxAmountIn
     ) {
-        require(minBps <= 10_000, "minBps > 10000");
         UNIVERSAL_ROUTER  = universalRouter;
         FIXED_CURRENCY_IN = fixedCurrencyIn;
         MAX_AMOUNT_IN     = maxAmountIn;
-        MIN_BPS           = minBps;
         for (uint256 i = 0; i < allowedCurrenciesOut.length; i++) {
             isAllowedCurrencyOut[allowedCurrenciesOut[i]] = true;
         }
@@ -137,11 +143,10 @@ contract BoundedSwap_UniswapV4_Unichain is IPermission {
         if (tokenIn != FIXED_CURRENCY_IN)            return false;
         if (!isAllowedCurrencyOut[tokenOut])         return false;
         if (p.amountIn > MAX_AMOUNT_IN)              return false;
-        // Slippage floor: amountOutMinimum ≥ amountIn × MIN_BPS / 10 000.
-        // WARNING: compares tokenOut against tokenIn base units. For same-price/same-decimal
-        // pairs this maps to a slippage %. For cross-price pairs it is trivially satisfied —
-        // real slippage is enforced by the agent off-chain, not by this contract.
-        if (p.amountOutMinimum < (uint256(p.amountIn) * MIN_BPS) / 10_000) return false;
+        // amountOutMinimum is intentionally NOT checked — it is denominated in the output
+        // currency, so a ratio against amountIn (input currency) bounds nothing real for a
+        // cross-price pair (see header). The router enforces the off-chain-computed
+        // amountOutMinimum the agent passes in.
 
         return true;
     }

package/examples/permissions/README.md

@@ -23,6 +23,15 @@ against the protocol's real ABI, and confirm what it enforces before deploying.
 
 You own what you deploy.
 
+## Bound `Context.value` on every value-carrying call
+
+For any call that can carry native asset (ETH), the value actually leaving the account is the
+call's `msg.value` — exposed to your permission as `Context.value` (`ctx.value`) — **not** the
+calldata amount. A permission that bounds only a calldata `amount`/`amountIn` leaves the real
+spend uncapped. So: **every value-carrying call must explicitly bound `Context.value`**, and where
+the calldata also declares an amount, assert `amount == ctx.value` so the two cannot drift. See
+`BoundedSwapNative_UniswapV3_Base.sol` for the worked native-ETH example.
+
 ---
 
 ## Examples
@@ -35,6 +44,7 @@ off-chain agent code — these do *not* hold on-chain). Read both before deployi
 |---|---|---|---|---|
 | `BoundedSwap_UniswapV3_Base.sol` | Uniswap Swap | V3 SwapRouter02 | Base | Full decode |
 | `BoundedSwap_UniswapV4_Unichain.sol` | Uniswap Swap | V4 Universal Router | Unichain | Partial decode — see header |
+| `BoundedSwapNative_UniswapV3_Base.sol` | Uniswap Swap (native ETH) | V3 SwapRouter02 | Base | Full decode — bounds `Context.value` (native spend) |
 | `BoundedBorrow_AaveV3_Arbitrum.sol` | Aave Borrow | V3 Pool | Arbitrum | Full decode |
 | `BoundedSupply_AaveV3_Arbitrum.sol` | Aave Supply | V3 Pool | Arbitrum | Full decode |
 | `BoundedVault_ERC4626_Base.sol` | ERC-4626 Vault deposit/withdraw | EIP-4626 standard | Base (any EVM) | Full decode |

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@dev.sail.money/sailor",
-  "version": "1.2.0-73",
+  "version": "1.2.0-75",
   "description": "Operator toolkit for Sail Protocol",
   "bin": {
     "sailor": "packages/cli/dist/index.cjs"

package/packages/cli/dist/index.cjs

@@ -38686,9 +38686,13 @@ var SigningServer = class {
       http2.once("error", rej);
     });
     this.httpServer = http2;
-    if (this.advertise) this.writeRuntimeState();
+    if (this.advertise) {
+      reapStaleRuntimeState(this.projectRoot);
+      this.writeRuntimeState();
+    }
     process.once("SIGINT", () => this.stop());
     process.once("SIGTERM", () => this.stop());
+    process.once("exit", () => this.stop());
   }
   stop() {
     for (const [id, entry] of this.pending) {
@@ -38833,6 +38837,28 @@ var SigningServer = class {
   sailFile(...segments) {
     return (0, import_node_path4.join)(this.projectRoot, ".sail", ...segments);
   }
+  /**
+   * Persist the active chain into config.json. The onboarding stage machine keys
+   * off config.json.chainId; leaving it null after SMA creation misclassifies the
+   * stage on resume. Best-effort — never blocks the account save on a config write.
+   */
+  syncConfigChainId(chainId) {
+    if (chainId == null) return;
+    try {
+      const path9 = this.sailFile("config.json");
+      let config = {};
+      try {
+        config = JSON.parse((0, import_node_fs5.readFileSync)(path9, "utf-8"));
+      } catch {
+      }
+      if (Number(config.chainId) === Number(chainId)) return;
+      config.chainId = Number(chainId);
+      (0, import_node_fs5.mkdirSync)(this.sailFile(), { recursive: true });
+      (0, import_node_fs5.writeFileSync)(path9, `${JSON.stringify(config, null, 2)}
+`);
+    } catch {
+    }
+  }
   /** Stream a JSON file back, or a fallback body when it is missing/invalid. */
   sendJsonFile(res, filePath, fallback2) {
     try {
@@ -38875,6 +38901,7 @@ var SigningServer = class {
       (0, import_node_fs5.mkdirSync)(baseSailDir, { recursive: true });
       (0, import_node_fs5.writeFileSync)(this.sailFile("account.json"), `${JSON.stringify(record, null, 2)}
 `);
+      this.syncConfigChainId(chainId);
       res.writeHead(200, { "Content-Type": "application/json" });
       res.end(JSON.stringify({ ok: true }));
     }).catch((err) => {
@@ -39123,6 +39150,14 @@ var SigningServer = class {
     }
   }
   writeRuntimeState() {
+    const path9 = (0, import_node_path4.join)(this.runtimeDir, SERVER_STATE_FILE);
+    if ((0, import_node_fs5.existsSync)(path9)) {
+      try {
+        const existing = JSON.parse((0, import_node_fs5.readFileSync)(path9, "utf8"));
+        if (existing.pid != null && existing.pid !== process.pid && pidAlive(existing.pid)) return;
+      } catch {
+      }
+    }
     if (!(0, import_node_fs5.existsSync)(this.runtimeDir)) (0, import_node_fs5.mkdirSync)(this.runtimeDir, { recursive: true });
     (0, import_node_fs5.writeFileSync)(
       (0, import_node_path4.join)(this.runtimeDir, SERVER_STATE_FILE),
@@ -39143,11 +39178,33 @@ var SigningServer = class {
   removeRuntimeState() {
     const path9 = (0, import_node_path4.join)(this.runtimeDir, SERVER_STATE_FILE);
     try {
-      if ((0, import_node_fs5.existsSync)(path9)) (0, import_node_fs5.unlinkSync)(path9);
+      if (!(0, import_node_fs5.existsSync)(path9)) return;
+      const state = JSON.parse((0, import_node_fs5.readFileSync)(path9, "utf8"));
+      if (state.pid != null && state.pid !== process.pid) return;
+      (0, import_node_fs5.unlinkSync)(path9);
     } catch {
     }
   }
 };
+function pidAlive(pid) {
+  try {
+    process.kill(pid, 0);
+    return true;
+  } catch (err) {
+    return err.code === "EPERM";
+  }
+}
+function reapStaleRuntimeState(projectRoot = process.cwd()) {
+  const path9 = (0, import_node_path4.join)(projectRoot, RUNTIME_SUBDIR, SERVER_STATE_FILE);
+  try {
+    if (!(0, import_node_fs5.existsSync)(path9)) return;
+    const state = JSON.parse((0, import_node_fs5.readFileSync)(path9, "utf8"));
+    if (state.pid != null && state.pid !== process.pid && !pidAlive(state.pid)) {
+      (0, import_node_fs5.unlinkSync)(path9);
+    }
+  } catch {
+  }
+}
 async function findAvailablePort(startPort) {
   return new Promise((res) => {
     const probe = (0, import_node_net.createServer)();
@@ -39256,9 +39313,10 @@ async function discoverDaemon(projectRoot = process.cwd()) {
   return await client.ping() ? client : null;
 }
 async function createSigningChannel(projectRoot = process.cwd()) {
+  reapStaleRuntimeState(projectRoot);
   const daemon = await discoverDaemon(projectRoot);
   if (daemon) return daemon;
-  return new SigningServer({ projectRoot, advertise: false });
+  return new SigningServer({ projectRoot, advertise: true });
 }
 
 // src/commands/account.ts
@@ -40121,15 +40179,20 @@ async function resolvePermissionForBatch(params) {
 }
 
 // src/commands/doctor.ts
-var LOW_GAS_THRESHOLD_WEI = 500000000000000n;
-async function nativeBalance(pc, address) {
+var LOW_GAS_THRESHOLD_L1_WEI = 5000000000000000n;
+var LOW_GAS_THRESHOLD_L2_WEI = 200000000000000n;
+var L1_GAS_CHAINS = /* @__PURE__ */ new Set([1, 11155111]);
+function lowGasThresholdWei(chainId) {
+  return L1_GAS_CHAINS.has(chainId) ? LOW_GAS_THRESHOLD_L1_WEI : LOW_GAS_THRESHOLD_L2_WEI;
+}
+async function nativeBalance(pc, address, chainId) {
   const wei = await pc.getBalance({ address });
   return {
     address,
     wei: wei.toString(),
     eth: formatEther(wei),
     funded: wei > 0n,
-    low: wei > 0n && wei < LOW_GAS_THRESHOLD_WEI
+    low: wei > 0n && wei < lowGasThresholdWei(chainId)
   };
 }
 function keystoreAddress(role, safe) {
@@ -40208,8 +40271,8 @@ async function doctor(options = {}) {
   let ownerBal = null;
   let managerBal = null;
   try {
-    if (ownerAddr) ownerBal = await nativeBalance(pc, ownerAddr);
-    if (managerAddr) managerBal = await nativeBalance(pc, managerAddr);
+    if (ownerAddr) ownerBal = await nativeBalance(pc, ownerAddr, chainId);
+    if (managerAddr) managerBal = await nativeBalance(pc, managerAddr, chainId);
   } catch {
   }
   if (options.json) {
@@ -41624,6 +41687,18 @@ Mandate command failed: ${msg}`), {
   });
   process.exit(1);
 }
+function announceSigningUrl(json) {
+  const url = signingPageUrl(void 0, projectPort(process.cwd()));
+  if (json) {
+    process.stdout.write(`${JSON.stringify({ status: "waiting_for_signature", url })}
+`);
+  } else {
+    console.log(`
+\u2192 Open the Sailor dashboard to approve signing requests:
+  ${url}
+`);
+  }
+}
 function publicClientFor(project) {
   return createPublicClient({
     chain: getChainById(project.chainId),
@@ -41677,15 +41752,8 @@ async function runDeploy(project, channel, options) {
   const deployData = encodeDeployData({ abi: abi2, bytecode, args });
   const chainId = project.chainId;
   const publicClient = publicClientFor(project);
-  say(() => {
-    console.log(
-      `
-\u2192 Open the Sailor dashboard to approve signing requests:
-  ${signingPageUrl(channel, projectPort(process.cwd()))}
-`
-    );
-    console.log(`Pushing deploy request for "${contractName}"\u2026`);
-  });
+  announceSigningUrl(json);
+  say(() => console.log(`Pushing deploy request for "${contractName}"\u2026`));
   const response = await channel.requestSignature({
     type: "transaction",
     kind: "deploy-mandate",
@@ -41835,6 +41903,15 @@ function parseAddressList(csv, flag) {
 }
 async function mandateDeployClone(options) {
   const project = requireProject();
+  const templateMap = project.deployment.standaloneTemplates ?? {};
+  if (Object.keys(templateMap).length === 0) {
+    fail(
+      new Error(
+        `deploy-clone is unavailable on chain ${project.chainId}: no clone templates are deployed against this kernel (${project.deployment.kernel}) yet. Deploy your permission directly with \`sailor mandate deploy\` instead.`
+      ),
+      options.json
+    );
+  }
   const channel = await createSigningChannel(process.cwd());
   try {
     await channel.start();
@@ -41911,11 +41988,8 @@ ${spec.label} clone (${options.template})`);
     console.log(`  predicted clone: ${clone}`);
     console.log(`  SMA:             ${sma}`);
     for (const d of spec.describe(initParams)) console.log(`  ${d.label}: ${d.value}`);
-    console.log(`
-\u2192 Open the Sailor dashboard to approve signing requests:
-  ${signingPageUrl(channel, projectPort(process.cwd()))}
-`);
   });
+  announceSigningUrl(json);
   const nonce = await publicClient.readContract({
     address: project.contracts.kernel,
     abi: SailKernelAbi,
@@ -42073,14 +42147,7 @@ async function runAttach(project, channel, options) {
   const mandateAddress = getAddress(rawAddress);
   const label = options.label ?? tracked?.name ?? "mandate";
   const publicClient = publicClientFor(project);
-  if (!json) {
-    console.log(
-      `
-\u2192 Open the Sailor dashboard to approve signing requests:
-  ${signingPageUrl(channel, projectPort(process.cwd()))}
-`
-    );
-  }
+  announceSigningUrl(json);
   const txHash = await attachToSma(
     project,
     channel,
@@ -42157,13 +42224,8 @@ async function runRevoke(project, channel, options) {
     console.log(`
 Revoking ${targets.length} permission(s) from ${sma}:`);
     for (const p of targets) console.log(`  ${nameFor(p) ?? p}  ${p}`);
-    console.log(
-      `
-\u2192 Open the Sailor dashboard to approve signing requests:
-  ${signingPageUrl(channel, projectPort(process.cwd()))}
-`
-    );
   });
+  announceSigningUrl(json);
   const response = await channel.requestSignature({
     type: "typed-data",
     kind: "revoke-permissions",
@@ -42340,21 +42402,27 @@ function mandateTemplates(options) {
     { chainId, community }
   );
 }
-function mandateContractsList() {
+function mandateContractsList(options = {}) {
   const store = new MandateStore();
   const mandates = store.list();
-  if (mandates.length === 0) {
-    console.log('No permission contracts deployed yet. Use "sailor mandate deploy".');
-    return;
-  }
-  for (const m of mandates) {
-    console.log(m.name, `(chain ${m.chainId})`);
-    console.log("  Address: ", m.address);
-    console.log("  Deployed:", m.deployedAt);
-    if (m.attachments?.length) {
-      console.log("  Registered on:", m.attachments.map((a) => a.sma).join(", "));
-    }
-  }
+  emit(
+    !!options.json,
+    () => {
+      if (mandates.length === 0) {
+        console.log('No permission contracts deployed yet. Use "sailor mandate deploy".');
+        return;
+      }
+      for (const m of mandates) {
+        console.log(m.name, `(chain ${m.chainId})`);
+        console.log("  Address: ", m.address);
+        console.log("  Deployed:", m.deployedAt);
+        if (m.attachments?.length) {
+          console.log("  Registered on:", m.attachments.map((a) => a.sma).join(", "));
+        }
+      }
+    },
+    { status: "ok", mandates }
+  );
 }
 function mandateUpdate(options) {
   const { address, name, sourcePath, artifactPath, json } = options;
@@ -42691,7 +42759,6 @@ ${unregistered.length} permission(s) are not yet registered on this SMA. Initiat
     safe: account2.safe,
     chainId,
     signedAt: (/* @__PURE__ */ new Date()).toISOString(),
-    signature: "",
     registeredOnChain: true,
     // Only include permissions that are currently active on-chain.
     permissions: activePermissions.map((p) => ({ template: p.label, params: {} }))
@@ -44965,14 +45032,14 @@ mandate.command("prepare").description("Prepare a mandate draft for review and s
 mandate.command("sign").description("Review and confirm the permissions authorized for your SMA").option("--yes", "Skip the confirmation prompt (for non-interactive / CI use)").action(actionWith(mandateSign));
 mandate.command("deploy").description("Deploy a Foundry-compiled permission contract via the browser signing UI").option("--artifact <path>", "Path to the Foundry artifact JSON (out/<Name>.sol/<Name>.json)").option("--contract <name>", "Contract name; resolves to <out>/<name>.sol/<name>.json").option("--out <dir>", "Foundry output directory", "out").option("--name <label>", "Label to track this permission under (defaults to contract name)").option("--args <json>", `Constructor args as JSON array. Bash: '["0x..","1"]'. PowerShell: '[\\"0x..\\",\\"1\\"]'. Use --args-file to avoid quoting.`).option("--args-file <path>", "Path to a JSON file containing constructor args array (recommended on PowerShell)").option("--build", "Run `forge build` before deploying").option("--attach", "After deploy, register the permission on --sma").option("--sma <address>", "SMA to register on (required with --attach)").option("--json", "Emit machine-readable JSON").action(actionWith(mandateDeploy));
 mandate.command("attach").description("Register an already-deployed permission on an SMA (EIP-712 RegisterPermission)").requiredOption("--address <mandateOrName>", "Permission address, or a name tracked locally").requiredOption("--sma <address>", "SMA to register the permission on").option("--label <label>", "Human-readable label shown in the signing UI").option("--json", "Emit machine-readable JSON").action(actionWith(mandateAttach));
-mandate.command("deploy-clone").description("Deploy + register a standalone clone permission (e.g. boundedApprove) via the signing UI").requiredOption("--template <key>", "Standalone clone template key (e.g. boundedApprove)").requiredOption("--sma <address>", "SMA to deploy the clone for and register it on").option("--tokens <csv>", "Comma-separated allowed token addresses").option("--spenders <csv>", "Comma-separated allowed spender addresses").option("--max <amount>", "Max amount per tx in base units (default: uint256 max)").option("--label <label>", "Human-readable label to track this permission under").option("--json", "Emit machine-readable JSON").action(actionWith(mandateDeployClone));
+mandate.command("deploy-clone").description("[currently unavailable \u2014 no clone templates deployed on any chain; use `mandate deploy`] Deploy + register a standalone clone permission via the signing UI").requiredOption("--template <key>", "Standalone clone template key (e.g. boundedApprove)").requiredOption("--sma <address>", "SMA to deploy the clone for and register it on").option("--tokens <csv>", "Comma-separated allowed token addresses").option("--spenders <csv>", "Comma-separated allowed spender addresses").option("--max <amount>", "Max amount per tx in base units (default: uint256 max)").option("--label <label>", "Human-readable label to track this permission under").option("--json", "Emit machine-readable JSON").action(actionWith(mandateDeployClone));
 mandate.command("revoke").description("Revoke permission(s) from an SMA (EIP-712 RevokePermissions, owner-authorized)").option("--address <permissionOrName>", "Permission address, or a name tracked locally").requiredOption("--sma <address>", "Safe (SMA) to revoke the permission(s) from").option("--all", "Revoke every permission currently registered on the SMA").option("--json", "Output JSON").action(actionWith(mandateRevoke));
 mandate.command("templates").description("Show how to author your own permission contract (and any community-deployed addresses)").option("--json", "Emit machine-readable JSON").action(actionWith(mandateTemplates));
 mandate.command("simulate").description(
   "Probe a permission against sample calls off-chain (eth_call, NO gas) \u2014 prove it accepts the calls you want and rejects the ones you don't, before authorizing on-chain"
 ).requiredOption("--address <permissionOrName>", "Permission to probe (address or tracked name)").option("--sma <address>", "SMA to probe as (ctx.account; defaults to .sail/account.json)").option("--target <address>", "Inline single call: target contract address").option("--calldata <hex>", "Inline single call: 0x-prefixed calldata").option("--value <wei>", "Inline single call: ETH value in wei (default 0)").option("--expect <pass|fail>", "Inline single call: expected outcome (sets non-zero exit on mismatch)").option("--label <text>", "Inline single call: human-readable label").option("--calls <file>", "Batch: JSON array of { target, calldata, value?, expect?, label? }").option("--json", "Emit machine-readable JSON").action(actionWith(mandateSimulate));
 mandate.command("update").description("Update metadata for a tracked permission contract (rename, source path, artifact path)").requiredOption("--address <mandateOrName>", "Permission address or tracked name to update").option("--name <label>", "New tracking label (must be unique within the same chain)").option("--source-path <path>", "Update the relative path to the Solidity source file").option("--artifact-path <path>", "Update the relative path to the Foundry artifact JSON").option("--json", "Emit machine-readable JSON").action(actionWith(mandateUpdate));
-mandate.command("list").description("List permission contracts deployed from this project").action(action(async () => mandateContractsList()));
+mandate.command("list").description("List permission contracts deployed from this project").option("--json", "Emit machine-readable JSON").action(actionWith(mandateContractsList));
 program2.command("onboard").description("Set up an SMA, register a permission, confirm the agent is operational").option("--sma <address>", "Use a specific SMA address instead of prompting").option("--new-sma", "Create a new SMA via SailKernel").option("--salt <n>", "CREATE2 salt for deterministic Safe address (default: 0; use 0 for first SMA, increment for subsequent)").option("--template <kindOrAddress>", "Register this permission contract (kind, label, or address)").option("--skip-mandate", "Skip the permission registration step").option("--json", "Emit machine-readable JSON (implies non-interactive)").action(actionWith(onboard));
 var station = program2.command("station").description("Manage the persistent signing station (browser signing daemon)");
 station.command("start").description("Start the signing station and keep it running (blocks \u2014 run in the background)").option("--json", "Emit machine-readable JSON").action(actionWith(stationStart));

package/packages/cli/dist/server.cjs

@@ -48831,6 +48831,24 @@ function startServer(sailDir, { port = PORT } = {}) {
   app.use((0, import_cors.default)({ origin: "http://localhost:3333" }));
   app.use(import_express.default.json());
   const at = (name) => import_node_path.default.join(sailDir, name);
+  const syncConfigChainId = (chainId) => {
+    if (chainId == null) return;
+    try {
+      const config = (() => {
+        try {
+          return JSON.parse(import_node_fs2.default.readFileSync(at("config.json"), "utf-8"));
+        } catch {
+          return {};
+        }
+      })();
+      if (Number(config.chainId) === Number(chainId)) return;
+      config.chainId = Number(chainId);
+      import_node_fs2.default.mkdirSync(sailDir, { recursive: true });
+      import_node_fs2.default.writeFileSync(at("config.json"), `${JSON.stringify(config, null, 2)}
+`);
+    } catch {
+    }
+  };
   const overviewCacheByAccount = /* @__PURE__ */ new Map();
   const overviewInFlight = /* @__PURE__ */ new Set();
   const overviewCacheKey = (safe, chainId) => `${safe.toLowerCase()}-${chainId}`;
@@ -48971,6 +48989,7 @@ function startServer(sailDir, { port = PORT } = {}) {
 `);
       import_node_fs2.default.writeFileSync(at("account.json"), `${JSON.stringify(record, null, 2)}
 `);
+      syncConfigChainId(chainId);
       res.json({ ok: true });
     } catch (err) {
       res.status(500).json({ error: String(err) });
@@ -49009,6 +49028,7 @@ function startServer(sailDir, { port = PORT } = {}) {
       }
       import_node_fs2.default.writeFileSync(at("account.json"), `${JSON.stringify(target, null, 2)}
 `);
+      syncConfigChainId(target.chainId);
       res.json({ ok: true, active: target });
     } catch (err) {
       res.status(500).json({ error: String(err) });
@@ -49535,7 +49555,14 @@ function startServer(sailDir, { port = PORT } = {}) {
       managerAddress = ks?.address ? getAddress(`0x${String(ks.address).replace(/^0x/, "")}`) : null;
     } catch {
     }
-    const chainId = config?.chainId ?? 8453;
+    const accountChainId = (() => {
+      try {
+        return JSON.parse(import_node_fs2.default.readFileSync(at("account.json"), "utf-8"))?.chainId ?? null;
+      } catch {
+        return null;
+      }
+    })();
+    const chainId = config?.chainId ?? accountChainId ?? 8453;
     let deployment = null;
     try {
       deployment = getSailDeployment(chainId);
@@ -49787,6 +49814,7 @@ function startServer(sailDir, { port = PORT } = {}) {
       }
       import_node_fs2.default.writeFileSync(at("account.json"), `${JSON.stringify(record, null, 2)}
 `);
+      syncConfigChainId(chainId);
       res.json({ ok: true, account: record });
     } catch (err) {
       res.status(500).json({ error: String(err) });

package/packages/sdk/dist/intelligence.d.ts

@@ -5,7 +5,7 @@
  * Do not edit manually — run `pnpm build` to regenerate.
  *
  * Spec version : 1.2.0
- * Generated at : 2026-06-16T18:14:40.231Z
+ * Generated at : 2026-06-17T16:48:08.178Z
  */
 export declare const SAIL_INTELLIGENCE_BASE_URL = "https://api.sail.money";
 export declare const SAIL_INTELLIGENCE_DOCS_URL = "https://api.sail.money/docs";

package/packages/sdk/dist/intelligence.js

@@ -5,7 +5,7 @@
  * Do not edit manually — run `pnpm build` to regenerate.
  *
  * Spec version : 1.2.0
- * Generated at : 2026-06-16T18:14:40.231Z
+ * Generated at : 2026-06-17T16:48:08.178Z
  */
 export const SAIL_INTELLIGENCE_BASE_URL = "https://api.sail.money";
 export const SAIL_INTELLIGENCE_DOCS_URL = "https://api.sail.money/docs";

package/templates/default/.agents/skills/sail-mandates/references/examples-index.md

@@ -6,8 +6,9 @@ Permissions only bound on-chain actions: venues with off-chain order matching (P
 
 | File | Protocol / chain | Teaches | Key verified selectors |
 |---|---|---|---|
-| `BoundedSwap_UniswapV3_Base.sol` | Uniswap V3 SwapRouter02 · Base | Selector allowlist + amount cap + tokenOut allowlist + min-out slippage floor (MIN_BPS) | `0x04e45aaf` exactInputSingle (SwapRouter02), `0x095ea7b3` approve |
-| `BoundedSwap_UniswapV4_Unichain.sol` | Uniswap V4 Universal Router · Unichain | Decoding command/action bytes: single V4_SWAP command, single SWAP_EXACT_IN_SINGLE action, currency + amount + slippage bounds | `0x3593564c` execute(bytes,bytes[],uint256), `0x24856bc3` execute(bytes,bytes[]) |
+| `BoundedSwap_UniswapV3_Base.sol` | Uniswap V3 SwapRouter02 · Base | Selector allowlist + input-spend cap + tokenOut allowlist; teaches why slippage CANNOT be bounded on-chain (amountOutMinimum is a different token than amountIn — pass an off-chain-quoted value) | `0x04e45aaf` exactInputSingle (SwapRouter02), `0x095ea7b3` approve |
+| `BoundedSwap_UniswapV4_Unichain.sol` | Uniswap V4 Universal Router · Unichain | Decoding command/action bytes: single V4_SWAP command, single SWAP_EXACT_IN_SINGLE action, currency + input-spend bounds; same slippage caveat as the V3 example | `0x3593564c` execute(bytes,bytes[],uint256), `0x24856bc3` execute(bytes,bytes[]) |
+| `BoundedSwapNative_UniswapV3_Base.sol` | Uniswap V3 SwapRouter02 (native ETH) · Base | Native-asset spend: bound `ctx.value` (the real spend) + assert `amountIn == ctx.value`; tokenIn = WETH (router wraps the sent ETH). The canonical "bound Context.value" example | `0x04e45aaf` exactInputSingle (SwapRouter02) |
 | `BoundedBorrow_AaveV3_Arbitrum.sol` | Aave V3 Pool · Arbitrum | Asset allowlist + borrow cap + `onBehalfOf == ctx.account` binding + rate-mode allowlist (use [2]; stable deprecated in V3.1) | `0xa415bcad` borrow(address,uint256,uint256,uint16,address) |
 | `BoundedSupply_AaveV3_Arbitrum.sol` | Aave V3 Pool · Arbitrum | SailCalldata-based decoding; supply cap + `onBehalfOf == ctx.account`; supply does NOT gate withdrawal, and the prior approve needs its own permission | `0x617ba037` supply(address,uint256,address,uint16) |
 | `BoundedVault_ERC4626_Base.sol` | ERC-4626 standard · any EVM | Vault allowlist; deposit capped + receiver bound; withdraw/redeem receiver+owner bound but amount-unbounded (SMA can always fully exit) | `0x6e553f65` deposit, `0xb460af94` withdraw, `0xba087652` redeem |
@@ -19,6 +20,8 @@ Permissions only bound on-chain actions: venues with off-chain order matching (P
 
 ## Lessons the examples encode
 
+- **Value-carrying calls — bound `Context.value`, always.** For any call that can carry native asset, the value actually leaving the account is `ctx.value` (`msg.value`), NOT the calldata amount. A permission that bounds only a calldata `amount`/`amountIn` leaves the real spend uncapped. Rule: **every value-carrying call must explicitly bound `Context.value`** — and where the calldata declares its own amount, also assert `amount == ctx.value` so the two can't drift. `BoundedSwapNative_UniswapV3_Base.sol` is the worked native-ETH example; the ERC-20 `BoundedSwap_UniswapV3_Base.sol` carries no value, so it bounds `amountIn` only. When in doubt, add `if (ctx.value > MAX) return false;`.
+- **Slippage can't be bounded on-chain without a price oracle.** `amountOutMinimum` (output token) and `amountIn`/`ctx.value` (input token) are different denominations — a ratio between them is meaningless for any cross-price pair (USDC→WETH), giving false confidence while protecting nothing. The swap examples deliberately do NOT constrain `amountOutMinimum`; the agent computes it off-chain from a live quote and the router enforces it by reverting. Bound the input spend on-chain; bound the output off-chain.
 - **Venice — the wrong-selector bug.** The live contract's function is `stake(address,uint256)` = `0xadc9772e`. The intuitive single-arg `stake(uint256)` = `0xa694fc3a` does not exist on the target. Gating the wrong selector fails closed: every legitimate stake silently rejected. Always confirm the selector against the deployed contract.
 - **GMX — versioned ABIs drift.** GMX has multiple ExchangeRouter deployments and the `CreateOrderParams` struct has gained fields over time. Before deploying: pick the exact router the agent calls, read its verified ABI, recompute with `cast sig "createOrder(<exact tuple>)"`, and update the selector and struct if they differ. The committed `0x212234c3` is verified against gmx-io/gmx-synthetics at time of writing — re-verify anyway.
 - **Limitless — unverified ABI as a worked warning.** The exchange address and `buy` signature are inferred from CTF patterns, not verified against the deployed contract. The contract's own header lists the verification steps; do them before any deploy.