@towns-protocol/contracts 0.0.352 → 0.0.354

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@towns-protocol/contracts",
-  "version": "0.0.352",
+  "version": "0.0.354",
   "packageManager": "yarn@3.8.0",
   "scripts": {
     "build-types": "bash scripts/build-contract-types.sh",
@@ -35,7 +35,7 @@
     "@layerzerolabs/oapp-evm": "^0.3.2",
     "@openzeppelin/merkle-tree": "^1.0.8",
     "@prb/test": "^0.6.4",
-    "@towns-protocol/prettier-config": "^0.0.352",
+    "@towns-protocol/prettier-config": "^0.0.354",
     "@typechain/ethers-v5": "^10.1.1",
     "@wagmi/cli": "^2.2.0",
     "forge-std": "github:foundry-rs/forge-std#v1.10.0",
@@ -57,5 +57,5 @@
   "publishConfig": {
     "access": "public"
   },
-  "gitHead": "b3b37f6306c5f111996218bd0772adfc03498fcd"
+  "gitHead": "a6dc807ec679a6507c2f1b10bb54af6adf78e01e"
 }

package/scripts/deployments/diamonds/DeployAppRegistry.s.sol

@@ -56,6 +56,9 @@ contract DeployAppRegistry is IDiamondInitHelper, DiamondHelper, Deployer {
         facetHelper.add("OwnableFacet");
         facetHelper.add("MetadataFacet");
 
+        // Deploy the first batch of facets
+        facetHelper.deployBatch(deployer);
+
         // Get predicted addresses
         address facet = facetHelper.predictAddress("DiamondCutFacet");
         addFacet(

package/scripts/deployments/facets/DeployAppAccount.s.sol

@@ -15,11 +15,12 @@ library DeployAppAccount {
     using DynamicArrayLib for DynamicArrayLib.DynamicArray;
 
     function selectors() internal pure returns (bytes4[] memory res) {
-        DynamicArrayLib.DynamicArray memory arr = DynamicArrayLib.p().reserve(12);
+        DynamicArrayLib.DynamicArray memory arr = DynamicArrayLib.p().reserve(13);
         arr.p(AppAccount.execute.selector);
         arr.p(AppAccount.onInstallApp.selector);
         arr.p(AppAccount.onUninstallApp.selector);
         arr.p(AppAccount.onRenewApp.selector);
+        arr.p(AppAccount.onUpdateApp.selector);
         arr.p(AppAccount.isAppExecuting.selector);
         arr.p(AppAccount.isAppEntitled.selector);
         arr.p(AppAccount.disableApp.selector);

package/scripts/deployments/facets/DeployAppRegistryFacet.s.sol

@@ -16,7 +16,7 @@ library DeployAppRegistryFacet {
     using DynamicArrayLib for DynamicArrayLib.DynamicArray;
 
     function selectors() internal pure returns (bytes4[] memory res) {
-        DynamicArrayLib.DynamicArray memory arr = DynamicArrayLib.p().reserve(16);
+        DynamicArrayLib.DynamicArray memory arr = DynamicArrayLib.p().reserve(18);
         arr.p(AppRegistryFacet.getAppSchema.selector);
         arr.p(AppRegistryFacet.getAppSchemaId.selector);
         arr.p(AppRegistryFacet.getAppById.selector);
@@ -24,8 +24,10 @@ library DeployAppRegistryFacet {
         arr.p(AppRegistryFacet.registerApp.selector);
         arr.p(AppRegistryFacet.removeApp.selector);
         arr.p(AppRegistryFacet.createApp.selector);
+        arr.p(AppRegistryFacet.upgradeApp.selector);
         arr.p(AppRegistryFacet.installApp.selector);
         arr.p(AppRegistryFacet.uninstallApp.selector);
+        arr.p(AppRegistryFacet.updateApp.selector);
         arr.p(AppRegistryFacet.getAppPrice.selector);
         arr.p(AppRegistryFacet.getAppDuration.selector);
         arr.p(AppRegistryFacet.adminRegisterAppSchema.selector);

package/scripts/deployments/facets/DeploySubscriptionModuleFacet.s.sol

@@ -15,7 +15,7 @@ library DeploySubscriptionModuleFacet {
     using DynamicArrayLib for DynamicArrayLib.DynamicArray;
 
     function selectors() internal pure returns (bytes4[] memory res) {
-        DynamicArrayLib.DynamicArray memory arr = DynamicArrayLib.p().reserve(20);
+        DynamicArrayLib.DynamicArray memory arr = DynamicArrayLib.p().reserve(19);
         arr.p(SubscriptionModuleFacet.moduleId.selector);
         arr.p(SubscriptionModuleFacet.onInstall.selector);
         arr.p(SubscriptionModuleFacet.onUninstall.selector);
@@ -26,7 +26,7 @@ library DeploySubscriptionModuleFacet {
         arr.p(SubscriptionModuleFacet.preRuntimeValidationHook.selector);
         arr.p(SubscriptionModuleFacet.preSignatureValidationHook.selector);
         arr.p(SubscriptionModuleFacet.batchProcessRenewals.selector);
-        arr.p(SubscriptionModuleFacet.processRenewal.selector);
+        arr.p(SubscriptionModuleFacet.getRenewalBuffer.selector);
         arr.p(SubscriptionModuleFacet.getSubscription.selector);
         arr.p(SubscriptionModuleFacet.pauseSubscription.selector);
         arr.p(SubscriptionModuleFacet.getEntityIds.selector);
@@ -34,7 +34,6 @@ library DeploySubscriptionModuleFacet {
         arr.p(SubscriptionModuleFacet.grantOperator.selector);
         arr.p(SubscriptionModuleFacet.revokeOperator.selector);
         arr.p(bytes4(keccak256("MAX_BATCH_SIZE()")));
-        arr.p(bytes4(keccak256("RENEWAL_BUFFER()")));
         arr.p(bytes4(keccak256("GRACE_PERIOD()")));
 
         bytes32[] memory selectors_ = arr.asBytes32Array();

package/scripts/interactions/InteractDiamondCut.s.sol

@@ -2,7 +2,6 @@
 pragma solidity ^0.8.23;
 
 // interfaces
-import {IDiamond} from "@towns-protocol/diamond/src/Diamond.sol";
 import {IDiamondCut} from "@towns-protocol/diamond/src/facets/cut/IDiamondCut.sol";
 
 // libraries
@@ -12,16 +11,19 @@ import {console} from "forge-std/console.sol";
 import {Interaction} from "../common/Interaction.s.sol";
 import {AlphaHelper} from "./helpers/AlphaHelper.sol";
 
-// facet
-import {DeploySpaceOwnerFacet} from "scripts/deployments/facets/DeploySpaceOwnerFacet.s.sol";
+// fetch facet deployer contract
+import {DeploySubscriptionModuleFacet} from "scripts/deployments/facets/DeploySubscriptionModuleFacet.s.sol";
 
 contract InteractDiamondCut is Interaction, AlphaHelper {
     function __interact(address deployer) internal override {
-        address diamond = getDeployment("spaceOwner");
-        address spaceOwnerFacet = 0x09FCbC926F9Ec236fa3f825bF65b62776a9413aD;
+        // update with the diamond to cut
+        address diamond = getDeployment("subscriptionModule");
+
+        // update with the facet to remove
+        address facetToRemove = 0xf86be0b52aABa39C3fAAa2a78e340a658B90d9DB;
 
         address[] memory facetAddresses = new address[](1);
-        facetAddresses[0] = spaceOwnerFacet;
+        facetAddresses[0] = facetToRemove;
 
         // add the diamond cut to remove the facet
         addCutsToRemove(diamond, facetAddresses);
@@ -29,19 +31,15 @@ contract InteractDiamondCut is Interaction, AlphaHelper {
         // deploy the new facet
         console.log("deployer", deployer);
         vm.setEnv("OVERRIDE_DEPLOYMENTS", "1");
-        vm.broadcast(deployer);
-        spaceOwnerFacet = DeploySpaceOwnerFacet.deploy();
 
-        // add the new facet to the diamond
-        addCut(DeploySpaceOwnerFacet.makeCut(spaceOwnerFacet, FacetCutAction.Add));
+        // update with a call to the deploy function from your facet deployer contract
+        address facetAddress = DeploySubscriptionModuleFacet.deploy();
 
-        bytes memory initData = "";
+        // update with a call to the makeCut function from your facet deployer contract
+        addCut(DeploySubscriptionModuleFacet.makeCut(facetAddress, FacetCutAction.Add));
 
+        // execute the diamond cut
         vm.broadcast(deployer);
-        IDiamondCut(diamond).diamondCut(
-            baseFacets(),
-            initData.length > 0 ? spaceOwnerFacet : address(0),
-            initData
-        );
+        IDiamondCut(diamond).diamondCut(baseFacets(), address(0), "");
     }
 }

package/src/apps/facets/attest/AttestationBase.sol

@@ -4,7 +4,6 @@ pragma solidity ^0.8.23;
 // interfaces
 import {ISchemaResolver} from "@ethereum-attestation-service/eas-contracts/resolver/ISchemaResolver.sol";
 import {IAttestationRegistryBase} from "./IAttestationRegistry.sol";
-import {ISchemaBase} from "../schema/ISchema.sol";
 
 // libraries
 import {CustomRevert} from "src/utils/libraries/CustomRevert.sol";
@@ -14,7 +13,7 @@ import {AttestationStorage} from "./AttestationStorage.sol";
 
 // types
 import {SchemaStorage} from "../schema/SchemaStorage.sol";
-import {Attestation, EMPTY_UID, NO_EXPIRATION_TIME, NotFound} from "@ethereum-attestation-service/eas-contracts/Common.sol";
+import {Attestation, EMPTY_UID, NO_EXPIRATION_TIME} from "@ethereum-attestation-service/eas-contracts/Common.sol";
 import {AttestationRequest, AttestationRequestData, IEAS, RevocationRequestData} from "@ethereum-attestation-service/eas-contracts/IEAS.sol";
 import {SchemaRecord} from "@ethereum-attestation-service/eas-contracts/ISchemaRegistry.sol";
 
@@ -154,6 +153,7 @@ abstract contract AttestationBase is IAttestationRegistryBase {
 
         // Get the resolver contract for this schema
         ISchemaResolver resolver = ISchemaResolver(schema.resolver);
+
         // If no resolver is set, handle zero-value case and refund if this is the last batch
         if (address(resolver) == address(0)) {
             _refundIfZeroValue(values, availableValue, last);

package/src/apps/facets/registry/AppRegistryBase.sol

@@ -16,7 +16,7 @@ import {IAppAccount} from "../../../spaces/facets/account/IAppAccount.sol";
 // libraries
 import {CustomRevert} from "../../../utils/libraries/CustomRevert.sol";
 import {BasisPoints} from "../../../utils/libraries/BasisPoints.sol";
-import {AppRegistryStorage} from "./AppRegistryStorage.sol";
+import {AppRegistryStorage, ClientInfo, AppInfo} from "./AppRegistryStorage.sol";
 import {LibClone} from "solady/utils/LibClone.sol";
 import {FixedPointMathLib} from "solady/utils/FixedPointMathLib.sol";
 import {CurrencyTransfer} from "../../../utils/libraries/CurrencyTransfer.sol";
@@ -73,7 +73,7 @@ abstract contract AppRegistryBase is IAppRegistryBase, SchemaBase, AttestationBa
     /// @param app The address of the app
     /// @return The latest version ID
     function _getLatestAppId(address app) internal view returns (bytes32) {
-        AppRegistryStorage.AppInfo storage appInfo = AppRegistryStorage.getLayout().apps[app];
+        AppInfo storage appInfo = AppRegistryStorage.getLayout().apps[app];
         return appInfo.latestVersion;
     }
 
@@ -140,44 +140,77 @@ abstract contract AppRegistryBase is IAppRegistryBase, SchemaBase, AttestationBa
             duration
         );
 
-        version = _registerApp(app, params.client);
+        version = _registerApp(ITownsApp(app), params.client);
         emit AppCreated(app, version);
     }
 
-    /// @notice Registers a new app in the registry
-    /// @param app The address of the app to register
-    /// @param client The client address that can use the app
-    /// @return version The version ID of the registered app
-    /// @dev Reverts if app is banned, inputs are invalid, or caller is not the owner
-    function _registerApp(address app, address client) internal returns (bytes32 version) {
-        _verifyAddAppInputs(app, client);
+    function _upgradeApp(
+        ITownsApp app,
+        address client,
+        bytes32 versionId
+    ) internal returns (bytes32 newVersionId) {
+        if (versionId == EMPTY_UID) InvalidAppId.selector.revertWith();
 
-        AppRegistryStorage.Layout storage $ = AppRegistryStorage.getLayout();
-        AppRegistryStorage.AppInfo storage appInfo = $.apps[app];
-        AppRegistryStorage.ClientInfo storage clientInfo = $.client[client];
+        (
+            address owner,
+            bytes32[] memory permissions,
+            ExecutionManifest memory manifest,
+            uint48 duration
+        ) = _validateApp(app, client);
 
-        if (clientInfo.app != address(0)) ClientAlreadyRegistered.selector.revertWith();
+        if (msg.sender != owner) NotAllowed.selector.revertWith();
+
+        address appAddress = address(app);
+
+        AppRegistryStorage.Layout storage $ = AppRegistryStorage.getLayout();
+        AppInfo storage appInfo = $.apps[appAddress];
         if (appInfo.isBanned) BannedApp.selector.revertWith();
+        if (appInfo.latestVersion != versionId) InvalidAppId.selector.revertWith();
 
-        ITownsApp appContract = ITownsApp(app);
+        ClientInfo storage clientInfo = $.client[client];
+        if (clientInfo.app == address(0)) ClientNotRegistered.selector.revertWith();
 
-        uint256 installPrice = appContract.installPrice();
-        _validatePricing(installPrice);
+        App memory appData = App({
+            appId: versionId,
+            module: appAddress,
+            owner: owner,
+            client: client,
+            permissions: permissions,
+            manifest: manifest,
+            duration: duration
+        });
 
-        uint48 accessDuration = appContract.accessDuration();
-        uint48 duration = _validateDuration(accessDuration);
+        newVersionId = _attestApp(appData);
 
-        bytes32[] memory permissions = appContract.requiredPermissions();
-        if (permissions.length == 0) InvalidArrayInput.selector.revertWith();
+        appInfo.latestVersion = newVersionId;
+        emit AppUpgraded(appAddress, versionId, newVersionId);
+    }
 
-        address owner = appContract.moduleOwner();
-        if (owner == address(0)) InvalidAddressInput.selector.revertWith();
+    /// @notice Registers a new app in the registry
+    /// @param app The address of the app to register
+    /// @param client The client address that can use the app
+    /// @return version The version ID of the registered app
+    /// @dev Reverts if app is banned, inputs are invalid, or caller is not the owner
+    function _registerApp(ITownsApp app, address client) internal returns (bytes32 version) {
+        (
+            address owner,
+            bytes32[] memory permissions,
+            ExecutionManifest memory manifest,
+            uint48 duration
+        ) = _validateApp(app, client);
 
-        ExecutionManifest memory manifest = appContract.executionManifest();
+        address appAddress = address(app);
+
+        AppRegistryStorage.Layout storage $ = AppRegistryStorage.getLayout();
+        AppInfo storage appInfo = $.apps[appAddress];
+        ClientInfo storage clientInfo = $.client[client];
+
+        if (appInfo.isBanned) BannedApp.selector.revertWith();
+        if (clientInfo.app != address(0)) ClientAlreadyRegistered.selector.revertWith();
 
         App memory appData = App({
             appId: EMPTY_UID,
-            module: app,
+            module: appAddress,
             owner: owner,
             client: client,
             permissions: permissions,
@@ -185,27 +218,19 @@ abstract contract AppRegistryBase is IAppRegistryBase, SchemaBase, AttestationBa
             duration: duration
         });
 
-        AttestationRequest memory request;
-        request.schema = _getSchemaId();
-        request.data.recipient = app;
-        request.data.revocable = true;
-        request.data.refUID = appInfo.latestVersion;
-        request.data.data = abi.encode(appData);
-        version = _attest(msg.sender, msg.value, request).uid;
-
+        version = _attestApp(appData);
         appInfo.latestVersion = version;
-        appInfo.app = app;
-        clientInfo.app = app;
+        appInfo.app = appAddress;
+        clientInfo.app = appAddress;
 
-        emit AppRegistered(app, version);
+        emit AppRegistered(appAddress, version);
     }
 
     /// @notice Removes a app from the registry
-    /// @param revoker The address revoking the app
     /// @param appId The version ID of the app to remove
     /// @dev Reverts if app is not registered, revoked, or banned
     /// @dev Spaces that install this app will need to uninstall it
-    function _removeApp(address revoker, bytes32 appId) internal {
+    function _removeApp(bytes32 appId) internal {
         if (appId == EMPTY_UID) InvalidAppId.selector.revertWith();
 
         Attestation memory att = _getAttestation(appId);
@@ -214,20 +239,17 @@ abstract contract AppRegistryBase is IAppRegistryBase, SchemaBase, AttestationBa
         if (att.revocationTime > 0) AppRevoked.selector.revertWith();
 
         App memory appData = abi.decode(att.data, (App));
+        if (appData.owner != msg.sender) NotAllowed.selector.revertWith();
 
-        AppRegistryStorage.AppInfo storage appInfo = AppRegistryStorage.getLayout().apps[
-            appData.module
-        ];
+        AppInfo storage appInfo = AppRegistryStorage.getLayout().apps[appData.module];
 
         if (appInfo.isBanned) BannedApp.selector.revertWith();
 
         RevocationRequestData memory request;
         request.uid = appId;
-        _revoke(att.schema, request, revoker, 0, true);
+        _revoke(att.schema, request, msg.sender, 0, true);
 
-        AppRegistryStorage.ClientInfo storage clientInfo = AppRegistryStorage.getLayout().client[
-            appData.client
-        ];
+        ClientInfo storage clientInfo = AppRegistryStorage.getLayout().client[appData.client];
         clientInfo.app = address(0);
 
         emit AppUnregistered(appData.module, appId);
@@ -263,6 +285,20 @@ abstract contract AppRegistryBase is IAppRegistryBase, SchemaBase, AttestationBa
         emit AppUninstalled(app, address(account), appId);
     }
 
+    function _updateApp(address app, address space) internal {
+        if (_isBanned(app)) BannedApp.selector.revertWith();
+
+        bytes32 appId = _getLatestAppId(app);
+        if (appId == EMPTY_UID) AppNotInstalled.selector.revertWith();
+
+        Attestation memory att = _getAttestation(appId);
+        if (att.uid == EMPTY_UID) AppNotRegistered.selector.revertWith();
+        if (att.revocationTime > 0) AppRevoked.selector.revertWith();
+
+        IAppAccount(space).onUpdateApp(appId, abi.encode(app));
+        emit AppUpdated(app, space, appId);
+    }
+
     function _renewApp(address app, address account, bytes calldata data) internal {
         bytes32 appId = IAppAccount(account).getAppId(app);
         if (appId == EMPTY_UID) AppNotInstalled.selector.revertWith();
@@ -356,7 +392,7 @@ abstract contract AppRegistryBase is IAppRegistryBase, SchemaBase, AttestationBa
     function _banApp(address app) internal returns (bytes32 version) {
         if (app == address(0)) AppNotRegistered.selector.revertWith();
 
-        AppRegistryStorage.AppInfo storage appInfo = AppRegistryStorage.getLayout().apps[app];
+        AppInfo storage appInfo = AppRegistryStorage.getLayout().apps[app];
 
         if (appInfo.app == address(0)) AppNotRegistered.selector.revertWith();
         if (appInfo.isBanned) BannedApp.selector.revertWith();
@@ -368,10 +404,20 @@ abstract contract AppRegistryBase is IAppRegistryBase, SchemaBase, AttestationBa
         return appInfo.latestVersion;
     }
 
-    function _validatePricing(uint256 price) internal view {
-        IPlatformRequirements reqs = _getPlatformRequirements();
-        uint256 minPlatformFee = reqs.getMembershipFee();
+    function _attestApp(App memory appData) internal returns (bytes32 newVersionId) {
+        AttestationRequest memory request;
+        request.schema = _getSchemaId();
+        request.data.recipient = appData.module;
+        request.data.revocable = true;
+        request.data.refUID = appData.appId;
+        request.data.data = abi.encode(appData);
+        newVersionId = _attest(msg.sender, msg.value, request).uid;
+    }
+
+    function _validatePricing(uint256 price) internal view returns (uint256) {
+        uint256 minPlatformFee = _getPlatformRequirements().getMembershipFee();
         if (price > 0 && price < minPlatformFee) InvalidPrice.selector.revertWith();
+        return price;
     }
 
     function _validateDuration(uint48 duration) internal pure returns (uint48) {
@@ -380,21 +426,51 @@ abstract contract AppRegistryBase is IAppRegistryBase, SchemaBase, AttestationBa
         return duration;
     }
 
-    /// @notice Verifies inputs for adding a new app
-    /// @param app The app address to verify
+    /// @notice Validates inputs for adding a new app
+    /// @param appContract The app contract to verify
     /// @param client The client address to verify
     /// @dev Reverts if any input is invalid or app doesn't implement required interfaces
-    function _verifyAddAppInputs(address app, address client) internal view {
-        if (app == address(0)) InvalidAddressInput.selector.revertWith();
+    /// @return owner The owner of the app
+    /// @return permissions The permissions of the app
+    /// @return manifest The manifest of the app
+    /// @return duration The duration of the app
+    function _validateApp(
+        ITownsApp appContract,
+        address client
+    ) internal view returns (address, bytes32[] memory, ExecutionManifest memory, uint48) {
+        address appAddress = address(appContract);
+        if (appAddress == address(0)) InvalidAddressInput.selector.revertWith();
         if (client == address(0)) InvalidAddressInput.selector.revertWith();
 
+        (
+            uint256 installPrice,
+            uint48 accessDuration,
+            bytes32[] memory permissions,
+            address owner,
+            ExecutionManifest memory manifest
+        ) = (
+                appContract.installPrice(),
+                appContract.accessDuration(),
+                appContract.requiredPermissions(),
+                appContract.moduleOwner(),
+                appContract.executionManifest()
+            );
+
+        if (permissions.length == 0) InvalidArrayInput.selector.revertWith();
+        if (owner == address(0)) InvalidAddressInput.selector.revertWith();
+
+        _validatePricing(installPrice);
+        uint48 duration = _validateDuration(accessDuration);
+
         if (
-            !IERC165(app).supportsInterface(type(IModule).interfaceId) ||
-            !IERC165(app).supportsInterface(type(IExecutionModule).interfaceId) ||
-            !IERC165(app).supportsInterface(type(ITownsApp).interfaceId)
+            !IERC165(appAddress).supportsInterface(type(IModule).interfaceId) ||
+            !IERC165(appAddress).supportsInterface(type(IExecutionModule).interfaceId) ||
+            !IERC165(appAddress).supportsInterface(type(ITownsApp).interfaceId)
         ) {
             AppDoesNotImplementInterface.selector.revertWith();
         }
+
+        return (owner, permissions, manifest, duration);
     }
 
     function _getPlatformRequirements() internal view returns (IPlatformRequirements) {

package/src/apps/facets/registry/AppRegistryFacet.sol

@@ -52,32 +52,49 @@ contract AppRegistryFacet is IAppRegistry, AppRegistryBase, OwnableBase, Reentra
     /*                           App Functions                    */
     /*.•°:°.´+˚.*°.˚:*.´•*.+°.•°:´*.´•*.•°.•°:°.´:•˚°.*°.˚:*.´+°.•*/
 
+    /// @notice Create an upgradeable simple app contract
+    /// @param params The parameters of the app
+    function createApp(
+        AppParams calldata params
+    ) external payable nonReentrant returns (address app, bytes32 appId) {
+        return _createApp(params);
+    }
+
     /// @notice Register a new app with permissions
     /// @param app The app address to register
     /// @param client The client address that will make calls from this app
-    /// @return versionId The version ID of the registered app
+    /// @return appId The app ID of the registered app
     function registerApp(
         ITownsApp app,
         address client
-    ) external payable nonReentrant returns (bytes32 versionId) {
-        return _registerApp(address(app), client);
+    ) external payable nonReentrant returns (bytes32) {
+        return _registerApp(app, client);
     }
 
-    /// @notice Remove a app from the registry
-    /// @param versionId The app ID to remove
-    /// @dev Only the owner of the app can remove it
-    function removeApp(bytes32 versionId) external nonReentrant {
-        _removeApp(msg.sender, versionId);
+    /// @notice Upgrade an app
+    /// @param app The app address to update
+    /// @param client The client address part of the app's identity
+    /// @param appId The app ID to upgrade
+    /// @return appId The new app ID of the updated app
+    function upgradeApp(
+        ITownsApp app,
+        address client,
+        bytes32 appId
+    ) external payable nonReentrant returns (bytes32) {
+        return _upgradeApp(app, client, appId);
     }
 
-    /// @notice Create an upgradeable simple app contract
-    /// @param params The parameters of the app
-    function createApp(
-        AppParams calldata params
-    ) external payable nonReentrant returns (address app, bytes32 versionId) {
-        return _createApp(params);
+    /// @notice Remove an app from the registry
+    /// @param appId The app ID to remove
+    /// @dev Only the owner of the app can remove it
+    function removeApp(bytes32 appId) external nonReentrant {
+        _removeApp(appId);
     }
 
+    /*´:°•.°+.*•´.*:˚.°*.˚•´.°:°•.°•.*•´.*:˚.°*.˚•´.°:°•.°+.*•´.*:*/
+    /*                        Space Functions                     */
+    /*.•°:°.´+˚.*°.˚:*.´•*.+°.•°:´*.´•*.•°.•°:°.´:•˚°.*°.˚:*.´+°.•*/
+
     /// @notice Install an app
     /// @param app The app address to install
     /// @param space The space to install the app to
@@ -93,15 +110,23 @@ contract AppRegistryFacet is IAppRegistry, AppRegistryBase, OwnableBase, Reentra
 
     /// @notice Uninstall an app
     /// @param app The app address to uninstall
-    /// @param account The account to uninstall the app from
+    /// @param space The space to uninstall the app from
     /// @param data The data to pass to the app's onUninstall function
     function uninstallApp(
         ITownsApp app,
-        IAppAccount account,
+        IAppAccount space,
         bytes calldata data
     ) external nonReentrant {
-        _onlyAllowed(address(account));
-        return _uninstallApp(address(app), address(account), data);
+        _onlyAllowed(address(space));
+        _uninstallApp(address(app), address(space), data);
+    }
+
+    /// @notice Update an app to the latest version
+    /// @param app The app address to update
+    /// @param space The space to update the app to
+    function updateApp(ITownsApp app, IAppAccount space) external nonReentrant {
+        _onlyAllowed(address(space));
+        _updateApp(address(app), address(space));
     }
 
     /// @notice Renew an app

package/src/apps/facets/registry/AppRegistryStorage.sol

@@ -7,21 +7,17 @@ pragma solidity ^0.8.23;
 
 // contracts
 
-library AppRegistryStorage {
-    /*´:°•.°+.*•´.*:˚.°*.˚•´.°:°•.°•.*•´.*:˚.°*.˚•´.°:°•.°+.*•´.*:*/
-    /*                           STRUCTS                            */
-    /*.•°:°.´+˚.*°.˚:*.´•*.+°.•°:´*.´•*.•°.•°:°.´:•˚°.*°.˚:*.´+°.•*/
-
-    struct AppInfo {
-        address app;
-        bytes32 latestVersion;
-        bool isBanned;
-    }
+struct AppInfo {
+    address app;
+    bytes32 latestVersion;
+    bool isBanned;
+}
 
-    struct ClientInfo {
-        address app;
-    }
+struct ClientInfo {
+    address app;
+}
 
+library AppRegistryStorage {
     struct Layout {
         // Registered schema ID
         bytes32 schemaId;

package/src/apps/facets/registry/IAppRegistry.sol

@@ -48,6 +48,7 @@ interface IAppRegistryBase {
     error InsufficientPayment();
     error NotAllowed();
     error ClientAlreadyRegistered();
+    error ClientNotRegistered();
 
     /*´:°•.°+.*•´.*:˚.°*.˚•´.°:°•.°•.*•´.*:˚.°*.˚•´.°:°•.°+.*•´.*:*/
     /*                           EVENTS                           */
@@ -61,6 +62,12 @@ interface IAppRegistryBase {
     event AppInstalled(address indexed app, address indexed account, bytes32 indexed appId);
     event AppUninstalled(address indexed app, address indexed account, bytes32 indexed appId);
     event AppRenewed(address indexed app, address indexed account, bytes32 indexed appId);
+    event AppUpdated(address indexed app, address indexed account, bytes32 indexed appId);
+    event AppUpgraded(
+        address indexed app,
+        bytes32 indexed oldVersionId,
+        bytes32 indexed newVersionId
+    );
 }
 
 /// @title IAppRegistry Interface

package/src/apps/helpers/ISimpleApp.sol

@@ -23,6 +23,10 @@ interface ISimpleAppBase {
     /// @param installPrice The new install price
     /// @param accessDuration The new access duration
     event PricingUpdated(uint256 installPrice, uint48 accessDuration);
+
+    /// @notice Emitted when permissions are updated
+    /// @param permissions The new permissions
+    event PermissionsUpdated(bytes32[] permissions);
 }
 
 interface ISimpleApp is ISimpleAppBase {
@@ -35,6 +39,10 @@ interface ISimpleApp is ISimpleAppBase {
     /// @param accessDuration The new access duration
     function updatePricing(uint256 installPrice, uint48 accessDuration) external;
 
+    /// @notice Updates the permissions of the app
+    /// @param permissions The new permissions of the app
+    function updatePermissions(bytes32[] calldata permissions) external;
+
     /// @notice Initializes the app
     /// @param owner The owner of the app
     /// @param appId The ID of the app

package/src/apps/helpers/SimpleApp.sol

@@ -21,6 +21,7 @@ contract SimpleApp is ISimpleApp, Ownable, BaseApp, Initializable {
     using CustomRevert for bytes4;
     using SimpleAppStorage for SimpleAppStorage.Layout;
 
+    // External functions
     /// @inheritdoc ISimpleApp
     function initialize(
         address owner,
@@ -59,27 +60,32 @@ contract SimpleApp is ISimpleApp, Ownable, BaseApp, Initializable {
         emit PricingUpdated(installPrice, accessDuration);
     }
 
-    /// @inheritdoc ITownsApp
-    function requiredPermissions() external view returns (bytes32[] memory) {
+    /// @inheritdoc ISimpleApp
+    function updatePermissions(bytes32[] calldata permissions) external onlyOwner {
         SimpleAppStorage.Layout storage $ = SimpleAppStorage.getLayout();
-        return $.permissions;
+        $.permissions = permissions;
+        emit PermissionsUpdated(permissions);
+    }
+
+    /// @inheritdoc IExecutionModule
+    function executionManifest() external pure returns (ExecutionManifest memory) {
+        // solhint-disable no-empty-blocks
     }
 
+    // Public functions
     /// @inheritdoc IModule
     function moduleId() public view returns (string memory) {
         SimpleAppStorage.Layout storage $ = SimpleAppStorage.getLayout();
         return $.name;
     }
 
-    /// @inheritdoc IExecutionModule
-    function executionManifest() external pure returns (ExecutionManifest memory) {
-        // solhint-disable no-empty-blocks
+    /// @inheritdoc ITownsApp
+    function requiredPermissions() external view returns (bytes32[] memory) {
+        SimpleAppStorage.Layout storage $ = SimpleAppStorage.getLayout();
+        return $.permissions;
     }
 
-    /*´:°•.°+.*•´.*:˚.°*.˚•´.°:°•.°•.*•´.*:˚.°*.˚•´.°:°•.°+.*•´.*:*/
-    /*                           OVERRIDES                        */
-    /*.•°:°.´+˚.*°.˚:*.´•*.+°.•°:´*.´•*.•°.•°:°.´:•˚°.*°.˚:*.´+°.•*/
-
+    // Internal functions
     function _installPrice() internal view override returns (uint256) {
         SimpleAppStorage.Layout storage $ = SimpleAppStorage.getLayout();
         return $.installPrice;

package/src/apps/modules/subscription/ISubscriptionModule.sol

@@ -39,6 +39,7 @@ interface ISubscriptionModuleBase {
     error SubscriptionModule__EmptyBatch();
     error SubscriptionModule__InvalidTokenOwner();
     error SubscriptionModule__InsufficientBalance();
+    error SubscriptionModule__ActiveSubscription();
     /*´:°•.°+.*•´.*:˚.°*.˚•´.°:°•.°•.*•´.*:˚.°*.˚•´.°:°•.°+.*•´.*:*/
     /*                           Events                           */
     /*.•°:°.´+˚.*°.˚:*.´•*.+°.•°:´*.´•*.•°.•°:°.´:•˚°.*°.˚:*.´+°.•*/
@@ -53,6 +54,8 @@ interface ISubscriptionModuleBase {
 
     event SubscriptionDeactivated(address indexed account, uint32 indexed entityId);
 
+    event SubscriptionActivated(address indexed account, uint32 indexed entityId);
+
     event SubscriptionSpent(
         address indexed account,
         uint32 indexed entityId,
@@ -66,7 +69,15 @@ interface ISubscriptionModuleBase {
         uint256 nextRenewalTime
     );
 
+    /// @notice Emitted when a subscription's next renewal time is synced to on-chain expiration
+    event SubscriptionSynced(
+        address indexed account,
+        uint32 indexed entityId,
+        uint256 newNextRenewalTime
+    );
+
     event SubscriptionPaused(address indexed account, uint32 indexed entityId);
+    event SubscriptionNotDue(address indexed account, uint32 indexed entityId);
 
     event BatchRenewalSkipped(address indexed account, uint32 indexed entityId, string reason);
 
@@ -83,10 +94,6 @@ interface ISubscriptionModule is ISubscriptionModuleBase {
     /// @param params The parameters for the renewals
     function batchProcessRenewals(RenewalParams[] calldata params) external;
 
-    /// @notice Processes a single Towns membership renewal
-    /// @param params The parameters for the renewal
-    function processRenewal(RenewalParams calldata params) external;
-
     /// @notice Gets the subscription for an account and entity ID
     /// @param account The address of the account to get the subscription for
     /// @param entityId The entity ID of the subscription to get
@@ -96,6 +103,15 @@ interface ISubscriptionModule is ISubscriptionModuleBase {
         uint32 entityId
     ) external view returns (Subscription memory);
 
+    /// @notice Gets the renewal buffer for an expiration time
+    /// @param expirationTime The expiration time to get the renewal buffer for
+    /// @return The renewal buffer for the expiration time
+    function getRenewalBuffer(uint256 expirationTime) external view returns (uint256);
+
+    /// @notice Activates a subscription
+    /// @param entityId The entity ID of the subscription to activate
+    function activateSubscription(uint32 entityId) external;
+
     /// @notice Pauses a subscription
     /// @param entityId The entity ID of the subscription to pause
     function pauseSubscription(uint32 entityId) external;

package/src/apps/modules/subscription/SubscriptionModuleFacet.sol

@@ -43,9 +43,14 @@ contract SubscriptionModuleFacet is
     uint256 internal constant _SIG_VALIDATION_FAILED = 1;
 
     uint256 public constant MAX_BATCH_SIZE = 50;
-    uint256 public constant RENEWAL_BUFFER = 1 days;
     uint256 public constant GRACE_PERIOD = 3 days;
 
+    // Dynamic buffer times based on expiration proximity
+    uint256 public constant BUFFER_IMMEDIATE = 2 minutes; // For expirations within 1 hour
+    uint256 public constant BUFFER_SHORT = 1 hours; // For expirations within 6 hours
+    uint256 public constant BUFFER_MEDIUM = 6 hours; // For expirations within 24 hours
+    uint256 public constant BUFFER_LONG = 12 hours; // For expirations more than 24 hours away
+
     function __SubscriptionModule_init() external onlyInitializing {
         _addInterface(type(ISubscriptionModule).interfaceId);
         _addInterface(type(IValidationModule).interfaceId);
@@ -81,7 +86,8 @@ contract SubscriptionModuleFacet is
         sub.space = space;
         sub.active = true;
         sub.tokenId = tokenId;
-        sub.nextRenewalTime = uint40(expiresAt - RENEWAL_BUFFER);
+        sub.installTime = uint40(block.timestamp);
+        sub.nextRenewalTime = _calculateNextRenewalTime(expiresAt, sub.installTime);
 
         $.entityIds[msg.sender].add(entityId);
 
@@ -168,49 +174,69 @@ contract SubscriptionModuleFacet is
 
     /// @inheritdoc ISubscriptionModule
     function batchProcessRenewals(RenewalParams[] calldata params) external nonReentrant {
-        uint256 length = params.length;
-        if (length > MAX_BATCH_SIZE) SubscriptionModule__ExceedsMaxBatchSize.selector.revertWith();
-        if (length == 0) SubscriptionModule__EmptyBatch.selector.revertWith();
+        uint256 paramsLen = params.length;
+        if (paramsLen > MAX_BATCH_SIZE)
+            SubscriptionModule__ExceedsMaxBatchSize.selector.revertWith();
+        if (paramsLen == 0) SubscriptionModule__EmptyBatch.selector.revertWith();
 
         SubscriptionModuleStorage.Layout storage $ = SubscriptionModuleStorage.getLayout();
 
-        for (uint256 i; i < length; ++i) {
-            if (!_isAllowed($.operators, params[i].account))
-                SubscriptionModule__InvalidCaller.selector.revertWith();
+        if (!$.operators.contains(msg.sender))
+            SubscriptionModule__InvalidCaller.selector.revertWith();
 
+        for (uint256 i; i < paramsLen; ++i) {
             Subscription storage sub = $.subscriptions[params[i].account][params[i].entityId];
 
+            // Skip if renewal not due (check original nextRenewalTime first)
+            if (sub.nextRenewalTime > block.timestamp) {
+                emit SubscriptionNotDue(params[i].account, params[i].entityId);
+                continue;
+            }
+
             // Skip inactive subscriptions
             if (!sub.active) {
                 emit BatchRenewalSkipped(params[i].account, params[i].entityId, "INACTIVE");
                 continue;
             }
 
-            // Skip if renewal not due
-            if (block.timestamp < sub.nextRenewalTime) {
-                emit BatchRenewalSkipped(params[i].account, params[i].entityId, "NOT_DUE");
+            // Skip if past grace period
+            if (sub.nextRenewalTime + GRACE_PERIOD < block.timestamp) {
+                _pauseSubscription(sub, params[i].account, params[i].entityId);
+                emit BatchRenewalSkipped(params[i].account, params[i].entityId, "PAST_GRACE");
                 continue;
             }
 
-            // Skip if past grace period (will be handled by individual call)
-            if (block.timestamp > sub.nextRenewalTime + GRACE_PERIOD) {
-                emit BatchRenewalSkipped(params[i].account, params[i].entityId, "PAST_GRACE");
+            // Skip if account isn't owner anymore (for safety)
+            if (IERC721(sub.space).ownerOf(sub.tokenId) != params[i].account) {
+                _pauseSubscription(sub, params[i].account, params[i].entityId);
+                emit BatchRenewalSkipped(params[i].account, params[i].entityId, "NOT_OWNER");
                 continue;
             }
 
-            _processRenewal(sub, params[i]);
-        }
-    }
+            MembershipFacet membershipFacet = MembershipFacet(sub.space);
+            uint256 expiresAt = membershipFacet.expiresAt(sub.tokenId);
 
-    /// @inheritdoc ISubscriptionModule
-    function processRenewal(RenewalParams calldata renewalParams) external nonReentrant {
-        SubscriptionModuleStorage.Layout storage $ = SubscriptionModuleStorage.getLayout();
-        if (!_isAllowed($.operators, renewalParams.account))
-            SubscriptionModule__InvalidCaller.selector.revertWith();
-        _processRenewal(
-            $.subscriptions[renewalParams.account][renewalParams.entityId],
-            renewalParams
-        );
+            // Sync next renewal time from on-chain expiration if user called renewMembership directly
+            uint40 correctNextRenewalTime = _calculateNextRenewalTime(expiresAt, sub.installTime);
+            if (sub.nextRenewalTime != correctNextRenewalTime) {
+                sub.nextRenewalTime = correctNextRenewalTime;
+                emit SubscriptionSynced(params[i].account, params[i].entityId, sub.nextRenewalTime);
+            }
+
+            uint256 actualRenewalPrice = membershipFacet.getMembershipRenewalPrice(sub.tokenId);
+
+            if (params[i].account.balance < actualRenewalPrice) {
+                _pauseSubscription(sub, params[i].account, params[i].entityId);
+                emit BatchRenewalSkipped(
+                    params[i].account,
+                    params[i].entityId,
+                    "INSUFFICIENT_BALANCE"
+                );
+                continue;
+            }
+
+            _processRenewal(sub, params[i], membershipFacet, actualRenewalPrice);
+        }
     }
 
     /// @inheritdoc ISubscriptionModule
@@ -222,15 +248,38 @@ contract SubscriptionModuleFacet is
     }
 
     /// @inheritdoc ISubscriptionModule
-    function pauseSubscription(uint32 entityId) external {
+    function getRenewalBuffer(uint256 expirationTime) external view returns (uint256) {
+        return _getRenewalBuffer(expirationTime);
+    }
+
+    /// @inheritdoc ISubscriptionModule
+    function activateSubscription(uint32 entityId) external nonReentrant {
+        Subscription storage sub = SubscriptionModuleStorage.getLayout().subscriptions[msg.sender][
+            entityId
+        ];
+
+        if (sub.active) SubscriptionModule__ActiveSubscription.selector.revertWith();
+
+        sub.active = true;
+
+        address owner = IERC721(sub.space).ownerOf(sub.tokenId);
+        if (msg.sender != owner) SubscriptionModule__InvalidCaller.selector.revertWith();
+
+        emit SubscriptionActivated(msg.sender, entityId);
+    }
+
+    /// @inheritdoc ISubscriptionModule
+    function pauseSubscription(uint32 entityId) external nonReentrant {
         Subscription storage sub = SubscriptionModuleStorage.getLayout().subscriptions[msg.sender][
             entityId
         ];
 
         if (!sub.active) SubscriptionModule__InactiveSubscription.selector.revertWith();
 
-        sub.active = false;
-        emit SubscriptionPaused(msg.sender, entityId);
+        _pauseSubscription(sub, msg.sender, entityId);
+
+        address owner = IERC721(sub.space).ownerOf(sub.tokenId);
+        if (msg.sender != owner) SubscriptionModule__InvalidCaller.selector.revertWith();
     }
 
     /// @inheritdoc ISubscriptionModule
@@ -264,28 +313,12 @@ contract SubscriptionModuleFacet is
     /// @dev Processes a single subscription renewal
     /// @param sub The subscription to renew
     /// @param params The parameters for the renewal
-    function _processRenewal(Subscription storage sub, RenewalParams calldata params) internal {
-        if (!sub.active) SubscriptionModule__InactiveSubscription.selector.revertWith();
-
-        if (block.timestamp < sub.nextRenewalTime)
-            SubscriptionModule__RenewalNotDue.selector.revertWith();
-
-        // Check if we're past the grace period
-        if (block.timestamp > sub.nextRenewalTime + GRACE_PERIOD) {
-            sub.active = false;
-            emit SubscriptionPaused(params.account, params.entityId);
-            return;
-        }
-
-        MembershipFacet membershipFacet = MembershipFacet(sub.space);
-
-        // Get current renewal price from Towns contract
-        uint256 actualRenewalPrice = membershipFacet.getMembershipRenewalPrice(sub.tokenId);
-
-        // Check if the account has enough balance
-        if (params.account.balance < actualRenewalPrice)
-            SubscriptionModule__InsufficientBalance.selector.revertWith();
-
+    function _processRenewal(
+        Subscription storage sub,
+        RenewalParams calldata params,
+        MembershipFacet membershipFacet,
+        uint256 actualRenewalPrice
+    ) internal {
         // Construct the renewal call to space contract
         bytes memory renewalCall = abi.encodeCall(MembershipFacet.renewMembership, (sub.tokenId));
 
@@ -301,9 +334,10 @@ contract SubscriptionModuleFacet is
         );
 
         // Use the proper pack function from ValidationLocatorLib
-        bytes memory authorization = _runtimeFinal(
+        bytes memory authorization = ValidationLocatorLib.packSignature(
             params.entityId,
-            abi.encode(sub.space, sub.tokenId)
+            false, // selector-based
+            bytes.concat(hex"ff", abi.encode(sub.space, sub.tokenId))
         );
 
         // Call executeWithRuntimeValidation with the correct parameters
@@ -320,15 +354,68 @@ contract SubscriptionModuleFacet is
 
         // Get the actual new expiration time after successful renewal
         uint256 newExpiresAt = membershipFacet.expiresAt(sub.tokenId);
-
-        // Update subscription state after successful renewal
-        sub.nextRenewalTime = uint40(newExpiresAt - RENEWAL_BUFFER);
+        sub.nextRenewalTime = _calculateNextRenewalTime(newExpiresAt, sub.installTime);
         sub.lastRenewalTime = uint40(block.timestamp);
         sub.spent += actualRenewalPrice;
 
         emit SubscriptionRenewed(params.account, params.entityId, sub.nextRenewalTime);
     }
 
+    /// @dev Determines the appropriate renewal buffer time based on original membership duration
+    /// @param expirationTime The expiration timestamp of the membership
+    /// @param installTime The time when the subscription was installed
+    /// @return The appropriate buffer time in seconds before expiration
+    function _getRenewalBuffer(
+        uint256 expirationTime,
+        uint256 installTime
+    ) internal pure returns (uint256) {
+        uint256 originalDuration = expirationTime >= installTime ? expirationTime - installTime : 0;
+
+        // For memberships shorter than 1 hour, use immediate buffer (2 minutes)
+        if (originalDuration <= 1 hours) return BUFFER_IMMEDIATE;
+
+        // For memberships shorter than 6 hours, use short buffer (1 hour)
+        if (originalDuration <= 6 hours) return BUFFER_SHORT;
+
+        // For memberships shorter than 24 hours, use medium buffer (6 hours)
+        if (originalDuration <= 24 hours) return BUFFER_MEDIUM;
+
+        // For memberships longer than 24 hours, use long buffer (12 hours)
+        return BUFFER_LONG;
+    }
+
+    /// @dev Legacy function for backward compatibility - uses current time as install time
+    /// @param expirationTime The expiration timestamp of the membership
+    /// @return The appropriate buffer time in seconds before expiration
+    function _getRenewalBuffer(uint256 expirationTime) internal view returns (uint256) {
+        return _getRenewalBuffer(expirationTime, block.timestamp);
+    }
+
+    /// @dev Calculates the correct next renewal time for a given expiration using install time
+    /// @param expirationTime The expiration timestamp of the membership
+    /// @param installTime The time when the subscription was installed
+    /// @return The next renewal time as uint40
+    function _calculateNextRenewalTime(
+        uint256 expirationTime,
+        uint256 installTime
+    ) internal view returns (uint40) {
+        if (expirationTime <= block.timestamp) return uint40(block.timestamp);
+
+        uint256 buffer = _getRenewalBuffer(expirationTime, installTime);
+        uint256 timeUntilExpiration = expirationTime - block.timestamp;
+
+        if (buffer >= timeUntilExpiration) return uint40(block.timestamp);
+
+        return uint40(expirationTime - buffer);
+    }
+
+    /// @dev Legacy function for backward compatibility - uses current time as install time
+    /// @param expirationTime The expiration timestamp of the membership
+    /// @return The next renewal time as uint40
+    function _calculateNextRenewalTime(uint256 expirationTime) internal view returns (uint40) {
+        return _calculateNextRenewalTime(expirationTime, block.timestamp);
+    }
+
     /// @dev Creates the runtime final data for the renewal
     /// @param entityId The entity ID of the subscription
     /// @param finalData The final data for the renewal
@@ -345,15 +432,12 @@ contract SubscriptionModuleFacet is
             );
     }
 
-    /// @dev Checks if the caller is allowed to call the function
-    /// @param operators The set of operators
-    /// @param account The account to check
-    /// @return True if the caller is allowed to call the function
-    function _isAllowed(
-        EnumerableSetLib.AddressSet storage operators,
-        address account
-    ) internal view returns (bool) {
-        if (account == msg.sender) return true;
-        return operators.contains(msg.sender);
+    function _pauseSubscription(
+        Subscription storage sub,
+        address account,
+        uint32 entityId
+    ) internal {
+        sub.active = false;
+        emit SubscriptionPaused(account, entityId);
     }
 }

package/src/apps/modules/subscription/SubscriptionModuleStorage.sol

@@ -7,6 +7,7 @@ struct Subscription {
     uint256 tokenId; // 32 bytes
     uint256 spent; // 32 bytes
     address space; // 20 bytes
+    uint40 installTime; // 5 bytes - when subscription was first installed
     uint40 lastRenewalTime; // 5 bytes
     uint40 nextRenewalTime; // 5 bytes
     bool active; // 1 byte

package/src/spaces/facets/account/AppAccount.sol

@@ -53,6 +53,12 @@ contract AppAccount is IAppAccount, AppAccountBase, ReentrancyGuard, Facet {
         _onRenewApp(appId, data);
     }
 
+    /// @inheritdoc IAppAccount
+    function onUpdateApp(bytes32 appId, bytes calldata data) external nonReentrant {
+        _onlyRegistry();
+        _onUpdateApp(appId, data);
+    }
+
     /// @inheritdoc IAppAccount
     function enableApp(address app) external onlyOwner {
         _enableApp(app);

package/src/spaces/facets/account/AppAccountBase.sol

@@ -40,11 +40,15 @@ abstract contract AppAccountBase is
 
     uint48 private constant DEFAULT_DURATION = 365 days;
 
-    // External Functions
+    /// @notice Checks if the caller is the registry.
+    /// @dev Reverts if the caller is not the registry.
     function _onlyRegistry() internal view {
         if (msg.sender != address(_getAppRegistry())) InvalidCaller.selector.revertWith();
     }
 
+    /// @notice Installs an app.
+    /// @param appId The ID of the app to install.
+    /// @param postInstallData The data to pass to the app's onInstall function.
     function _installApp(bytes32 appId, bytes calldata postInstallData) internal {
         if (appId == EMPTY_UID) InvalidAppId.selector.revertWith();
 
@@ -57,7 +61,7 @@ abstract contract AppAccountBase is
         if (_isAppInstalled(app.module)) AppAlreadyInstalled.selector.revertWith();
 
         // set the group status to active
-        _setGroupStatus(app.appId, true, _getAppExpiration(app.appId, app.duration));
+        _setGroupStatus(app.appId, true, _calcExpiration(app.appId, app.duration));
         _addApp(app.module, app.appId);
         _grantGroupAccess({
             groupId: app.appId,
@@ -127,13 +131,42 @@ abstract contract AppAccountBase is
         emit ExecutionUninstalled(app.module, onUninstallSuccess, app.manifest);
     }
 
+    function _onUpdateApp(bytes32 appId, bytes calldata data) internal {
+        if (data.length < 32) InvalidAppAddress.selector.revertWith();
+
+        address module = abi.decode(data, (address));
+        if (module == address(0)) InvalidAppAddress.selector.revertWith();
+
+        bytes32 currentAppId = _getInstalledAppId(module);
+        if (currentAppId == EMPTY_UID) AppNotInstalled.selector.revertWith();
+        if (currentAppId == appId) AppAlreadyInstalled.selector.revertWith();
+
+        App memory app = _getAppRegistry().getAppById(appId);
+
+        // revoke the current app
+        _revokeGroupAccess(currentAppId, app.client);
+        _setGroupStatus(currentAppId, false);
+
+        // update the app
+        _addApp(app.module, appId);
+        _setGroupStatus(appId, true, _calcExpiration(appId, app.duration));
+        _grantGroupAccess({
+            groupId: appId,
+            account: app.client,
+            grantDelay: _getGroupGrantDelay(appId),
+            executionDelay: 0
+        });
+
+        emit ExecutionUpdated(app.module, app.manifest);
+    }
+
     function _onRenewApp(bytes32 appId, bytes calldata /* data */) internal {
         // Get the app data to determine the duration
         App memory app = _getAppRegistry().getAppById(appId);
         if (app.appId == EMPTY_UID) AppNotRegistered.selector.revertWith();
 
         // Calculate the new expiration time (extends current expiration by app duration)
-        uint48 newExpiration = _getAppExpiration(app.appId, app.duration);
+        uint48 newExpiration = _calcExpiration(app.appId, app.duration);
 
         // Update the group expiration
         _setGroupExpiration(app.appId, newExpiration);
@@ -149,7 +182,12 @@ abstract contract AppAccountBase is
     }
 
     // Internal Functions
-    function _getAppExpiration(
+
+    /// @notice Calculates the expiration for a group.
+    /// @param appId The ID of the app.
+    /// @param duration The duration of the app.
+    /// @return expiration The expiration for the group.
+    function _calcExpiration(
         bytes32 appId,
         uint48 duration
     ) internal view returns (uint48 expiration) {
@@ -161,29 +199,43 @@ abstract contract AppAccountBase is
         }
     }
 
+    /// @notice Adds an app to the account.
+    /// @param module The module of the app.
+    /// @param appId The ID of the app.
     function _addApp(address module, bytes32 appId) internal {
         AppAccountStorage.Layout storage $ = AppAccountStorage.getLayout();
         $.installedApps.add(module);
         $.appIdByApp[module] = appId;
     }
 
+    /// @notice Removes an app from the account.
+    /// @param module The module of the app.
     function _removeApp(address module) internal {
         AppAccountStorage.getLayout().installedApps.remove(module);
         delete AppAccountStorage.getLayout().appIdByApp[module];
     }
 
+    /// @notice Enables an app.
+    /// @param app The address of the app.
     function _enableApp(address app) internal {
         bytes32 appId = AppAccountStorage.getInstalledAppId(app);
         if (appId == EMPTY_UID) AppNotRegistered.selector.revertWith();
         _setGroupStatus(appId, true);
     }
 
+    /// @notice Disables an app.
+    /// @param app The address of the app.
     function _disableApp(address app) internal {
         bytes32 appId = AppAccountStorage.getInstalledAppId(app);
         if (appId == EMPTY_UID) AppNotRegistered.selector.revertWith();
         _setGroupStatus(appId, false);
     }
 
+    /// @notice Checks if an app is entitled to a permission.
+    /// @param module The module of the app.
+    /// @param client The client of the app.
+    /// @param permission The permission to check.
+    /// @return entitled True if the app is entitled to the permission, false otherwise.
     function _isAppEntitled(
         address module,
         address client,
@@ -192,22 +244,35 @@ abstract contract AppAccountBase is
         return AppAccountStorage.isAppEntitled(module, client, permission);
     }
 
+    /// @notice Gets the ID of the installed app.
+    /// @param module The module of the app.
+    /// @return appId The ID of the installed app.
     function _getInstalledAppId(address module) internal view returns (bytes32) {
         return AppAccountStorage.getInstalledAppId(module);
     }
 
+    /// @notice Gets the app.
+    /// @param module The module of the app.
+    /// @return app The app.
     function _getApp(address module) internal view returns (App memory app) {
         return AppAccountStorage.getApp(module);
     }
 
+    /// @notice Gets the app registry.
+    /// @return appRegistry The app registry.
     function _getAppRegistry() internal view returns (IAppRegistry) {
         return DependencyLib.getAppRegistry();
     }
 
+    /// @notice Gets the apps.
+    /// @return apps The apps.
     function _getApps() internal view returns (address[] memory) {
         return AppAccountStorage.getLayout().installedApps.values();
     }
 
+    /// @notice Checks if an app is executing.
+    /// @param app The address of the app.
+    /// @return executing True if the app is executing, false otherwise.
     function _isAppExecuting(address app) internal view returns (bool) {
         bytes32 currentExecutionId = ExecutorStorage.getExecutionId();
         if (currentExecutionId == bytes32(0)) return false;
@@ -222,10 +287,15 @@ abstract contract AppAccountBase is
         return true;
     }
 
+    /// @notice Checks if an app is installed.
+    /// @param module The module of the app.
+    /// @return installed True if the app is installed, false otherwise.
     function _isAppInstalled(address module) internal view returns (bool) {
         return AppAccountStorage.getLayout().installedApps.contains(module);
     }
 
+    /// @notice Checks if an app is authorized.
+    /// @param module The module of the app.
     function _checkAuthorized(address module) internal view {
         if (module == address(0)) InvalidAppAddress.selector.revertWith();
 
@@ -250,6 +320,11 @@ abstract contract AppAccountBase is
         }
     }
 
+    /// @notice Checks if an app is unauthorized.
+    /// @param module The module of the app.
+    /// @param factory The factory of the app.
+    /// @param deps The dependencies of the app.
+    /// @return unauthorized True if the app is unauthorized, false otherwise.
     function _isUnauthorizedTarget(
         address module,
         address factory,
@@ -263,6 +338,9 @@ abstract contract AppAccountBase is
             module == deps[3]; // AppRegistry
     }
 
+    /// @notice Checks if a selector is invalid.
+    /// @param selector The selector to check.
+    /// @return invalid True if the selector is invalid, false otherwise.
     function _isInvalidSelector(bytes4 selector) internal pure returns (bool) {
         return
             selector == IERC165.supportsInterface.selector ||

package/src/spaces/facets/account/IAppAccount.sol

@@ -18,6 +18,7 @@ interface IAppAccountBase {
 
     event ExecutionInstalled(address indexed module, ExecutionManifest manifest);
     event ExecutionUninstalled(address indexed module, bool success, ExecutionManifest manifest);
+    event ExecutionUpdated(address indexed module, ExecutionManifest manifest);
 }
 
 interface IAppAccount is IAppAccountBase {
@@ -36,6 +37,11 @@ interface IAppAccount is IAppAccountBase {
     /// @param data The data required for app renewal
     function onRenewApp(bytes32 appId, bytes calldata data) external;
 
+    /// @notice Updates an app
+    /// @param appId The ID of the app to update
+    /// @param data The data required for app update
+    function onUpdateApp(bytes32 appId, bytes calldata data) external;
+
     /// @notice Enables an app
     /// @param app The address of the app to enable
     function enableApp(address app) external;