@dev.sail.money/sailor 1.2.0-75 → 1.2.0-77

package/packages/sdk/dist/intelligence.d.ts

@@ -5,7 +5,7 @@
  * Do not edit manually — run `pnpm build` to regenerate.
  *
  * Spec version : 1.2.0
- * Generated at : 2026-06-17T16:48:08.178Z
+ * Generated at : 2026-06-18T13:14:28.996Z
  */
 export declare const SAIL_INTELLIGENCE_BASE_URL = "https://api.sail.money";
 export declare const SAIL_INTELLIGENCE_DOCS_URL = "https://api.sail.money/docs";

package/packages/sdk/dist/intelligence.js

@@ -5,7 +5,7 @@
  * Do not edit manually — run `pnpm build` to regenerate.
  *
  * Spec version : 1.2.0
- * Generated at : 2026-06-17T16:48:08.178Z
+ * Generated at : 2026-06-18T13:14:28.996Z
  */
 export const SAIL_INTELLIGENCE_BASE_URL = "https://api.sail.money";
 export const SAIL_INTELLIGENCE_DOCS_URL = "https://api.sail.money/docs";

package/scripts/check-docs.mjs

@@ -217,7 +217,7 @@ function checkSkills(errors) {
       errors.push(`templates/default/.agents/skills/${d}: missing SKILL.md`);
       continue;
     }
-    const fm = readFileSync(skillFile, "utf-8").match(/^---\n([\s\S]*?)\n---/);
+    const fm = readFileSync(skillFile, "utf-8").match(/^---\r?\n([\s\S]*?)\r?\n---/);
     if (!fm) {
       errors.push(`${rel(skillFile)}: missing YAML frontmatter`);
       continue;

package/scripts/check-init.mjs

@@ -2,18 +2,13 @@
 /**
  * `sailor init` smoke test.
  *
- * Scaffolds a fresh project from the in-tree CLI bundle into a temp dir and
- * asserts the scaffold succeeded. This exists to catch the class of regression
- * the doc-drift gate structurally cannot — e.g. `packageRoot()` resolving to a
- * `bin.sailor` package that ships no `templates/`, which made `init` fail from a
- * monorepo checkout with "Template ... not found. Available: none".
+ * PASS 1 — fresh init: scaffolds a new project and asserts expected files exist.
  *
- * It runs the REAL built bundle from a monorepo layout, which is exactly the
- * in-tree path that broke before. Pure Node + child_process; the only build
- * dependency is the CLI bundle (`pnpm --filter sailor build`).
+ * Template files are read live from disk (not bundled), so no rebuild is needed
+ * between runs — the in-tree templates/default/ IS the "latest version".
  *
  * Run:  node scripts/check-init.mjs   (CI builds the CLI first)
- * Exit: 0 = scaffold OK, 1 = failure (prints what was missing).
+ * Exit: 0 = all passes OK, 1 = failure (prints what went wrong).
  */
 
 import { execFileSync } from "node:child_process";
@@ -65,6 +60,9 @@ try {
     "foundry.toml",
     "mandates",
     "AGENTS.md",
+    "CLAUDE.md",
+    "Dockerfile",
+    ".dockerignore",
     ".sail/contracts/interfaces/IPermission.sol",
     ".sail/contracts/interfaces/IBatchPermission.sol",
     "test/BoundedCallPermission.t.sol",
@@ -75,7 +73,11 @@ try {
     ".agents/skills/sail-transactions/SKILL.md",
     ".agents/skills/sail-mandates/SKILL.md",
     ".agents/skills/sail-mandates/references/approvals.md",
-    ".agents/skills/sail-ci/SKILL.md",
+    ".agents/skills/sail-automation/SKILL.md",
+    ".agents/skills/sail-automation/references/docker-vm.md",
+    ".agents/skills/sail-automation/references/github-actions.md",
+    ".agents/skills/sail-automation/references/local-daemon.md",
+    ".agents/skills/sail-automation/references/self-hosted-runner.md",
     ".agents/skills/sail-extend/SKILL.md",
   ];
   for (const rel of mustExist) {
@@ -94,9 +96,10 @@ try {
     fail(`package.json still has "@sail/sdk": "workspace:*" — init did not resolve it`);
   }
 
-  // Regression guard: an absolute path outside the cwd must be REJECTED, not
-  // silently nested into `<cwd>/<abs path>`. (Pre-fix, `path.join` swallowed the
-  // leading slash and scaffolded a bogus nested tree while printing success.)
+  // ── Regression guard: absolute path outside cwd ───────────────────────────
+  // An absolute path outside the cwd must be REJECTED, not silently nested into
+  // `<cwd>/<abs path>`. (Pre-fix, `path.join` swallowed the leading slash and
+  // scaffolded a bogus nested tree while printing success.)
   const outside = path.join(os.tmpdir(), "sailor-init-outside", "agent");
   let rejected = false;
   try {

package/scripts/check-update.mjs

@@ -0,0 +1,177 @@
+#!/usr/bin/env node
+/**
+ * `sailor update` smoke tests.
+ *
+ * PASS 1 — standard update:
+ *   Deletes a template-owned file and a user skill, runs `sailor update`,
+ *   asserts the template file is restored and the user skill is untouched.
+ *
+ * PASS 2 — seeds missing user-space files:
+ *   Deletes a user-space file (package.json) and dir (src/), runs update,
+ *   asserts they are re-added. Asserts AGENTS.md / CLAUDE.md / Dockerfile
+ *   are NOT overwritten when they already exist.
+ *
+ * PASS 3 — stale path pruning:
+ *   Manually creates .agents/skills/sail-ci/ (orphan from old template version),
+ *   runs update, asserts it is deleted and sail-automation is present.
+ *
+ * PASS 4 — init-on-existing errors:
+ *   Runs `sailor init` inside the already-initialized project;
+ *   asserts it exits non-zero with an "already initialized" message.
+ *
+ * Run:  node scripts/check-update.mjs   (CI builds the CLI first)
+ * Exit: 0 = all passes OK, 1 = failure (prints what went wrong).
+ */
+
+import { execFileSync } from "node:child_process";
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+import { fileURLToPath } from "node:url";
+
+const ROOT = path.join(path.dirname(fileURLToPath(import.meta.url)), "..");
+const BUNDLE = path.join(ROOT, "packages/cli/dist/index.cjs");
+const PROJECT = "smoke-update";
+
+function fail(msg) {
+  console.error(`✗ update smoke test FAILED: ${msg}`);
+  process.exit(1);
+}
+
+if (!fs.existsSync(BUNDLE)) {
+  fail(`CLI bundle not found at ${BUNDLE}.\n  Build it first: pnpm --filter sailor build`);
+}
+
+const tmpRoot = fs.mkdtempSync(path.join(os.tmpdir(), "sailor-update-smoke-"));
+const dest = path.join(tmpRoot, PROJECT);
+
+try {
+  // Bootstrap: fresh init so we have a valid project to update.
+  try {
+    execFileSync(process.execPath, [BUNDLE, "init", PROJECT], {
+      cwd: tmpRoot,
+      encoding: "utf-8",
+      stdio: ["ignore", "pipe", "pipe"],
+    });
+  } catch (err) {
+    const out = `${err.stdout ?? ""}${err.stderr ?? ""}`.trim();
+    fail(`bootstrap \`sailor init ${PROJECT}\` exited non-zero.\n  ${out || err.message}`);
+  }
+
+  // ── PASS 1 — standard update ───────────────────────────────────────────────
+  // Delete a template-owned file and add a user skill that must survive update.
+  const templateOwned = path.join(dest, ".agents/skills/sail-automation/SKILL.md");
+  const cursorRules    = path.join(dest, ".cursor/rules");
+  const userSkill      = path.join(dest, ".agents/skills/my-custom-skill/SKILL.md");
+
+  fs.rmSync(templateOwned);
+  fs.rmSync(cursorRules);
+  fs.mkdirSync(path.dirname(userSkill), { recursive: true });
+  fs.writeFileSync(userSkill, "# custom skill\n", "utf-8");
+
+  try {
+    execFileSync(process.execPath, [BUNDLE, "update"], {
+      cwd: dest,
+      encoding: "utf-8",
+      stdio: ["ignore", "pipe", "pipe"],
+    });
+  } catch (err) {
+    const out = `${err.stdout ?? ""}${err.stderr ?? ""}`.trim();
+    fail(`Pass 1: \`sailor update\` exited non-zero.\n  ${out || err.message}`);
+  }
+
+  if (!fs.existsSync(templateOwned))
+    fail(`Pass 1: update did not restore "${path.relative(dest, templateOwned)}"`);
+  if (!fs.existsSync(cursorRules))
+    fail(`Pass 1: update did not restore "${path.relative(dest, cursorRules)}"`);
+  if (!fs.existsSync(userSkill))
+    fail(`Pass 1: update removed user file "${path.relative(dest, userSkill)}" — must be preserved`);
+
+  console.log("✓ Pass 1 passed — template files restored, user skill preserved");
+
+  // ── PASS 2 — seeds missing user-space files ───────────────────────────────
+  const agentsMd    = path.join(dest, "AGENTS.md");
+  const claudeMd    = path.join(dest, "CLAUDE.md");
+  const dockerfile  = path.join(dest, "Dockerfile");
+  const packageJson = path.join(dest, "package.json");
+  const srcDir      = path.join(dest, "src");
+
+  // Record AGENTS.md content before update — it must not change.
+  const agentsContentBefore = fs.readFileSync(agentsMd, "utf-8");
+
+  fs.rmSync(packageJson);
+  fs.rmSync(srcDir, { recursive: true });
+
+  try {
+    execFileSync(process.execPath, [BUNDLE, "update"], {
+      cwd: dest,
+      encoding: "utf-8",
+      stdio: ["ignore", "pipe", "pipe"],
+    });
+  } catch (err) {
+    const out = `${err.stdout ?? ""}${err.stderr ?? ""}`.trim();
+    fail(`Pass 2: \`sailor update\` exited non-zero.\n  ${out || err.message}`);
+  }
+
+  if (!fs.existsSync(packageJson))
+    fail(`Pass 2: update did not re-add missing "package.json"`);
+  if (!fs.existsSync(srcDir))
+    fail(`Pass 2: update did not re-add missing "src/" directory`);
+
+  // AGENTS.md, CLAUDE.md, Dockerfile must not be overwritten.
+  const agentsContentAfter = fs.readFileSync(agentsMd, "utf-8");
+  if (agentsContentAfter !== agentsContentBefore)
+    fail(`Pass 2: update overwrote "AGENTS.md" — user-space files must never be overwritten`);
+  if (!fs.existsSync(claudeMd))
+    fail(`Pass 2: "CLAUDE.md" is missing after update`);
+  if (!fs.existsSync(dockerfile))
+    fail(`Pass 2: "Dockerfile" is missing after update`);
+
+  console.log("✓ Pass 2 passed — missing user-space files seeded, existing ones untouched");
+
+  // ── PASS 3 — stale path pruning ───────────────────────────────────────────
+  const staleSkill = path.join(dest, ".agents/skills/sail-ci/SKILL.md");
+  fs.mkdirSync(path.dirname(staleSkill), { recursive: true });
+  fs.writeFileSync(staleSkill, "# old sail-ci skill\n", "utf-8");
+
+  try {
+    execFileSync(process.execPath, [BUNDLE, "update"], {
+      cwd: dest,
+      encoding: "utf-8",
+      stdio: ["ignore", "pipe", "pipe"],
+    });
+  } catch (err) {
+    const out = `${err.stdout ?? ""}${err.stderr ?? ""}`.trim();
+    fail(`Pass 3: \`sailor update\` exited non-zero.\n  ${out || err.message}`);
+  }
+
+  if (fs.existsSync(path.join(dest, ".agents/skills/sail-ci")))
+    fail(`Pass 3: stale ".agents/skills/sail-ci" was not removed`);
+  if (!fs.existsSync(path.join(dest, ".agents/skills/sail-automation/SKILL.md")))
+    fail(`Pass 3: ".agents/skills/sail-automation/SKILL.md" missing after update`);
+
+  console.log("✓ Pass 3 passed — stale sail-ci skill pruned, sail-automation present");
+
+  // ── PASS 4 — init-on-existing errors ──────────────────────────────────────
+  let initRejected = false;
+  let initOutput = "";
+  try {
+    initOutput = execFileSync(process.execPath, [BUNDLE, "init"], {
+      cwd: dest,
+      encoding: "utf-8",
+      stdio: ["ignore", "pipe", "pipe"],
+    });
+  } catch (err) {
+    initRejected = true;
+    initOutput = `${err.stdout ?? ""}${err.stderr ?? ""}`.trim();
+  }
+
+  if (!initRejected)
+    fail(`Pass 4: \`sailor init\` on existing project did not exit non-zero — should refuse`);
+  if (!/already initialized/i.test(initOutput))
+    fail(`Pass 4: error message did not mention "already initialized".\n  output: ${initOutput}`);
+
+  console.log("✓ Pass 4 passed — init on existing project correctly refused");
+} finally {
+  fs.rmSync(tmpRoot, { recursive: true, force: true });
+}

package/templates/default/.agents/skills/sail-automation/SKILL.md

@@ -0,0 +1,50 @@
+---
+name: sail-automation
+description: Run the agent unattended — four options by reliability and infra overhead: (1) GitHub Actions cloud runner (zero infra, cron drifts), (2) self-hosted runner (reliable timing, user-managed machine), (3) Docker image — run locally or on any cloud VM via a registry, (4) local daemon on the project machine (no Docker, simplest). See references/ for each option. Use after sailor run --once works.
+---
+
+# Sail automation — running the agent unattended
+
+Confirm `sailor run --once` works first. Four options; pick by latency, infra comfort, and uptime needs:
+
+| Option | Who it's for | Timing | Infra needed |
+|---|---|---|---|
+| [GitHub Actions](references/github-actions.md) | Any user, no infra knowledge | Low — cron drifts | None |
+| [Self-hosted runner](references/self-hosted-runner.md) | Users who need time-precise execution | High — dedicated runner | Dedicated machine |
+| [Docker](references/docker-vm.md) | Users with basic container knowledge | High — persistent process | Docker + any machine |
+| [Local daemon](references/local-daemon.md) | Any user, runs on the project machine | Medium — depends on uptime | None |
+
+## Which option fits you?
+
+**1. Do you want to run the agent in the cloud or on a local / dedicated machine?**
+
+→ **Local / dedicated machine**
+  The machine must be running 24/7 and connected to the internet — missed runs are silent.
+  Two options (no further questions needed):
+
+  - **[Local daemon](references/local-daemon.md)** — `sailor service install`. Simplest option: no extra tools, no extra steps. Runs directly in the project environment on the same machine.
+
+  - **[Docker](references/docker-vm.md)** — build the image and run it as a container on any machine that has Docker installed. Good if you want a portable setup or plan to move to a cloud deployment later — same image, no code changes.
+
+→ **Cloud**
+  Three options depending on timing requirements:
+
+  - **[GitHub Actions](references/github-actions.md)** — zero additional setup. Simplest cloud path. Execution timing is not guaranteed: cron drifts on GitHub's shared runners. Fine for daily DCA, hourly rebalances, treasury strategies.
+
+  - **Timing-sensitive (LP, liquidations, perps)?** Two options:
+
+    - **[Self-hosted runner](references/self-hosted-runner.md)** — install GitHub's runner on a machine you control (physical or cloud VM). Same workflow file as GitHub Actions, one line change. The runner picks up jobs immediately with no shared queue.
+
+    - **[Docker on a cloud VM](references/docker-vm.md)** — provision a VM on any provider, build the image locally, push to a registry, pull and run on the VM. Works with AWS, GCP, Azure, Oracle, Fly.io, and any other provider.
+
+## Cadence
+
+Match the interval to volatility: **LP / perp → minutes; DCA / rebalance → daily; treasury → hourly–daily.** GitHub Actions cron is a *heartbeat/backstop* that drifts and skips under load — not low-latency; for that, use the self-hosted runner or local execution options.
+
+## Keys & trust
+
+Cloud options commit only the **encrypted** keystore (`ci-keystore.json`); `SAIL_PASSPHRASE` is a secret, never committed. Local options (daemon, Docker) use keys already on disk — no export needed.
+
+Regardless of host, the on-chain **mandate is the backstop** — it bounds the manager's permissions no matter where or how the agent runs.
+
+A failing run's logs show the same stderr as the local runner (`reverted: <txHash>`, `skipped: no registered permission…`) — debug with the sail-transactions skill.

package/templates/default/.agents/skills/sail-automation/references/docker-vm.md

@@ -0,0 +1,113 @@
+# Docker — run locally or deploy to any machine
+
+**Who this is for:** users with basic Docker knowledge. Works on your local machine, a cloud VM, or any managed container service.
+
+**Best for:** users who want a portable, self-contained execution environment — build once, run anywhere. Also the right choice if you want to test locally and then move to a cloud VM or container service without changing anything.
+
+---
+
+## Requirements
+
+- Docker installed on the machine where the agent will run: https://docs.docker.com/get-docker/
+- `ci-keystore.json` present in the project root — generate it with `sailor keys export-ci`
+- `RPC_URL` and `SAIL_PASSPHRASE` available as environment variables (never baked into the image)
+
+---
+
+## Build the image
+
+From the project root (where `Dockerfile` lives):
+
+```bash
+docker build -t sailor-agent .
+```
+
+---
+
+## Run locally
+
+```bash
+docker run -d --restart=always \
+  -e RPC_URL=<your-rpc-url> \
+  -e SAIL_PASSPHRASE=<your-passphrase> \
+  -e CHAIN_ID=8453 \
+  -e AGENT_INTERVAL=300 \
+  --name sailor-agent \
+  sailor-agent
+```
+
+- `--restart=always` — Docker restarts the container automatically on crash or machine reboot (requires Docker daemon set to start on boot)
+- `AGENT_INTERVAL` — seconds between runs; default 300 (5 min). Set to `60` for per-minute, `3600` for hourly, `86400` for daily
+- Logs: `docker logs -f sailor-agent`
+- Stop: `docker stop sailor-agent && docker rm sailor-agent`
+
+---
+
+## Push to a registry (to deploy elsewhere)
+
+Build the image once, push to a registry, pull it on any machine.
+
+**Docker Hub**
+
+```bash
+docker tag sailor-agent <dockerhub-username>/sailor-agent:latest
+docker push <dockerhub-username>/sailor-agent:latest
+```
+
+**GitHub Container Registry (GHCR)**
+
+```bash
+echo $GITHUB_TOKEN | docker login ghcr.io -u <github-username> --password-stdin
+docker tag sailor-agent ghcr.io/<github-username>/sailor-agent:latest
+docker push ghcr.io/<github-username>/sailor-agent:latest
+```
+
+---
+
+## Pull and run on any other machine
+
+On the target machine (cloud VM, Raspberry Pi, VPS, etc.):
+
+```bash
+docker pull <registry>/<image>:latest
+
+docker run -d --restart=always \
+  -e RPC_URL=<your-rpc-url> \
+  -e SAIL_PASSPHRASE=<your-passphrase> \
+  -e CHAIN_ID=8453 \
+  -e AGENT_INTERVAL=300 \
+  <registry>/<image>:latest
+```
+
+No code changes — the same image runs everywhere that has Docker.
+
+---
+
+## Use with managed container services
+
+The same image works with any managed container service. Pass env vars through the service's UI — no code changes needed.
+
+| Service | Notes |
+|---|---|
+| AWS ECS / Fargate | Task definition with env vars; Fargate = no VM to manage |
+| Google Cloud Run | Trigger on schedule via Cloud Scheduler |
+| Azure Container Instances | Simple one-off or always-on container |
+| Fly.io | `fly launch` + set secrets via `fly secrets set` |
+| Railway | Point to image in registry, set env vars in dashboard |
+| Render | Background worker from Docker image |
+
+---
+
+## Updating the agent
+
+When you change your strategy code:
+
+```bash
+docker build -t sailor-agent .
+docker tag sailor-agent <registry>/<image>:latest
+docker push <registry>/<image>:latest
+# on the target machine:
+docker pull <registry>/<image>:latest
+docker stop sailor-agent && docker rm sailor-agent
+docker run -d --restart=always -e ... <registry>/<image>:latest
+```

package/templates/default/.agents/skills/sail-automation/references/github-actions.md

@@ -0,0 +1,50 @@
+# GitHub Actions — cloud-managed runner
+
+**Who this is for:** any user. No infrastructure setup beyond a GitHub account.
+
+**Best for:** daily DCA, slow rebalances, treasury strategies — anything where execution does not need to happen at a precise minute. If your strategy requires guaranteed timing (LP, perps, liquidations), use the [self-hosted runner](self-hosted-runner.md) or [Docker](docker-vm.md) options instead.
+
+---
+
+## How it works
+
+Your repo contains `.github/workflows/agent-tick.yml`. GitHub runs this on a cron schedule using their shared runner pool and via `workflow_dispatch` for on-demand or externally triggered runs.
+
+## Timing limitation
+
+GitHub's cron queue is shared across all users. Under load, scheduled jobs drift 5–30 minutes or are skipped entirely. This is a platform constraint — there is no workaround on GitHub's shared runners.
+
+**Use `workflow_dispatch` as your primary trigger** and treat cron as a heartbeat/backstop. Fire `workflow_dispatch` from an external event (price alert, on-chain event, keeper) via:
+
+```bash
+sailor trigger github
+```
+
+## Setup
+
+Full setup walkthrough is in the main `sail-automation` skill. Summary:
+
+1. `sailor keys export-ci` — generates `ci-keystore.json` (encrypted; safe to commit)
+2. Commit state files and push
+3. Set `SAIL_PASSPHRASE` and `RPC_URL` as GitHub Actions secrets
+4. The workflow runs on the next cron tick or on `workflow_dispatch`
+
+```bash
+gh secret set SAIL_PASSPHRASE
+gh secret set RPC_URL
+gh workflow run agent-tick.yml    # trigger a manual run to verify
+gh run view --log                 # check output
+```
+
+## Cron cadence
+
+Edit the `cron:` line in `.github/workflows/agent-tick.yml`:
+
+```yaml
+schedule:
+  - cron: "0 * * * *"    # hourly (default placeholder — change this)
+  # - cron: "*/5 * * * *"  # every 5 min (only reliable with a self-hosted runner)
+  # - cron: "0 0 * * *"    # daily
+```
+
+For sub-hourly cadence on GitHub's shared runners, the drift makes the schedule unreliable. Use the self-hosted runner option for that.

package/templates/default/.agents/skills/sail-automation/references/local-daemon.md

@@ -0,0 +1,34 @@
+# Local daemon — run on the project machine
+
+**Who this is for:** any user who wants simple automation without cloud accounts or containers. The agent runs directly on the machine where the project lives.
+
+**Best for:** development, testing, daily/slow strategies, or users who keep their machine on 24/7. Not suitable for strategies that require guaranteed execution at a precise time — if the machine is off or disconnected, the run is silently skipped.
+
+---
+
+## Setup
+
+Installs a system service that runs `sailor run --once` on a fixed interval. No keystore export or CI variable setup needed — the keys are already on disk in the project environment.
+
+```bash
+sailor service install --interval 300   # every 5 min; tune to your strategy
+sailor service status                   # check running state
+sailor service logs -f                  # tail .sail/agent.log
+sailor service stop                     # pause without uninstalling
+sailor service uninstall                # remove the service entirely
+```
+
+The service is installed as:
+- **macOS** — a `launchd` plist in `~/Library/LaunchAgents/`
+- **Linux** — a `systemd` user unit
+- **Windows** — a Task Scheduler entry
+
+`--project` and `--chain` scope the service to a specific project or chain. `--force` overrides a TCC path error or unresolved passphrase prompt.
+
+## Limitations
+
+- The machine must be powered on and internet-connected when the job fires
+- Missed runs are silent — there is no retry
+- Not suitable for 24/7 strategies unless the machine is always on
+
+If you want a portable setup that can move to a cloud deployment later, use [Docker](docker-vm.md) instead — same machine, same result, but the image runs anywhere.

package/templates/default/.agents/skills/sail-automation/references/self-hosted-runner.md

@@ -0,0 +1,72 @@
+# Self-hosted runner — reliable timing on a dedicated machine
+
+**Who this is for:** users who need time-precise execution. Requires a dedicated always-on machine that you manage.
+
+**Best for:** LP strategies, perps, liquidations, or any strategy where the agent must run within seconds of the scheduled time. A self-hosted runner polls GitHub directly — it picks up jobs immediately, with no shared queue and no drift.
+
+---
+
+## How it works
+
+Same `agent-tick.yml` workflow as the GitHub Actions option. One change: `runs-on: ubuntu-latest` becomes `runs-on: [self-hosted, linux]`. The job then runs on your machine instead of GitHub's shared pool.
+
+## Prerequisites
+
+- A machine that is **always powered on** and **always connected to the internet**
+- Do not use your personal computer — missed runs happen silently whenever it sleeps, restarts, or loses connectivity
+- Recommended hardware: Raspberry Pi 4+, a dedicated mini PC (NUC, Intel BRIX, etc.), or a cloud VM on any provider
+
+## Setup
+
+### 1. Register the runner on GitHub
+
+Go to your repo: **Settings → Actions → Runners → New self-hosted runner**
+
+Follow the official GitHub guide for your OS:
+https://docs.github.com/es/actions/how-tos/manage-runners/self-hosted-runners/add-runners
+
+The guide walks you through downloading the runner application, configuring it, and starting it as a service so it restarts automatically on reboot.
+
+### 2. Update the workflow
+
+In your local copy of `.github/workflows/agent-tick.yml`, change:
+
+```yaml
+jobs:
+  tick:
+    runs-on: ubuntu-latest      # ← change this
+```
+
+to:
+
+```yaml
+jobs:
+  tick:
+    runs-on: [self-hosted, linux]   # ← your runner label
+```
+
+Commit and push. The next run will be picked up by your runner.
+
+### 3. Verify
+
+```bash
+gh run list --workflow agent-tick.yml   # confirm runs show "self-hosted" runner
+gh run view --log                        # check for errors
+```
+
+## Machine options
+
+| Machine | Cost | Notes |
+|---|---|---|
+| Raspberry Pi 4 (2 GB+) | ~$45 one-time | Runs 24/7 on ~3W; plug into router via ethernet |
+| Mini PC (NUC, BRIX) | ~$100–200 | More headroom; good if you run other services too |
+| Cloud VM (Oracle Always Free) | Free | 2 AMD VMs permanently free; requires basic Linux knowledge |
+| Cloud VM (any provider) | ~$4–10/month | AWS t3.micro, GCP e2-micro, Hetzner CX11, etc. |
+
+## Your responsibility
+
+Sail does not manage this machine. You are responsible for:
+- Keeping it powered on and connected
+- OS updates and security patches
+- Restarting the runner service if it stops (configure it to start on boot during setup)
+- Monitoring that runs are completing as expected

package/templates/default/.agents/skills/sail-onboarding/SKILL.md

@@ -9,6 +9,8 @@ description: Walks the agent through setting up a new Sailor project or resuming
 
 The project does not install `sailor` as a dependency, so invoke it with **`npx sailor <command>`** unless it is installed globally (`npm i -g @sail.money/sailor`, then `sailor` works bare). Every `sailor …` command in these skills assumes one of those. Confirm the toolchain up front and pin a recent version — `npx sailor@latest --version` — because an old cached `npx` build can be missing newer commands (e.g. `mandate simulate`); if a documented command reports "unknown command", you are on a stale version, not hitting a missing feature.
 
+After upgrading the CLI, run `sailor update` from the project root to pull in updated skills, `AGENTS.md`, `Dockerfile`, and other tooling files. User files (`src/`, `mandates/`, `.sail/`, `package.json`) are never touched.
+
 Stage machine keyed off `.sail/`. Read the state, enter at the right stage, never re-run completed stages.
 
 ## Determine where the user is

package/templates/default/AGENTS.md

@@ -64,7 +64,7 @@ Detailed procedures live in skills. If your tooling does not auto-discover skill
 | sail-servers | Starting, stopping, or health-checking the dashboard or signing station | `.agents/skills/sail-servers/SKILL.md` |
 | sail-transactions | Building dispatches or any EVM transaction for the agent | `.agents/skills/sail-transactions/SKILL.md` |
 | sail-mandates | Designing, authoring, testing, deploying, or authorizing permission contracts | `.agents/skills/sail-mandates/SKILL.md` |
-| sail-ci | Automating the agent on a schedule via GitHub Actions | `.agents/skills/sail-ci/SKILL.md` |
+| sail-automation | Automating the agent — GitHub Actions, self-hosted runner, Docker, or local daemon | `.agents/skills/sail-automation/SKILL.md` |
 | sail-extend | Notifications or a custom dashboard, once the agent is live | `.agents/skills/sail-extend/SKILL.md` |
 
 ## Invariants — apply to every turn

package/templates/default/Dockerfile

@@ -0,0 +1,18 @@
+FROM node:20-slim
+WORKDIR /app
+
+COPY package*.json ./
+RUN npm install
+
+COPY . .
+
+# Seconds between runs. Tune to your strategy: 60 = per-minute, 300 = 5 min, 86400 = daily.
+ENV AGENT_INTERVAL=300
+
+CMD ["sh", "-c", "\
+  mkdir -p .sail/keys && \
+  cp ci-keystore.json .sail/keys/manager.json && \
+  while true; do \
+    npx sailor run --once; \
+    sleep ${AGENT_INTERVAL}; \
+  done"]

package/templates/default/_dockerignore

@@ -0,0 +1,15 @@
+# Secrets and local state — never bake into the image.
+.sail/keys/
+.sail/runtime/
+.sail/state/
+.sail/.env.local
+.env
+.env.*
+!.env.example
+
+# Build outputs
+node_modules/
+out/
+cache/
+broadcast/
+dist/