feat(cli): add safe-propose command for Safe multisig CCIP proposals

[SyedAsadKazmi]

Adds ccip-cli safe-propose — proposes a CCIP send to the Safe Transaction Service queue without on-chain execution, so other Safe owners can review and sign in the Safe UI.

• Proposes ERC-20 approvals as separate transactions with sequential nonces ahead of ccipSend
• Signs with EIP-712 via signTransaction()
• Warns if Safe balance is below estimated fee at proposal time
• Outputs Safe UI queue URL and safeTxHashes; --format json supported
• parseExtraArgs moved to utils.ts; RPCS_RE exported from providers/index.ts
• Adds safe-propose.mdx reference page, sidebar entry, and commands table row

Dependencies added (ccip-cli)

Package	Version
@safe-global/protocol-kit	^7.1.0
@safe-global/api-kit	^4.1.0

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
ccip-tools-ts	Ready	Preview, Comment	Apr 30, 2026 4:36pm

[github-actions]

Coverage Report

ℹ tests 800
ℹ suites 233
ℹ pass 798
ℹ fail 0
ℹ cancelled 0
ℹ skipped 2
ℹ todo 0
ℹ duration_ms 150960.342559

> @chainlink/ccip-cli@1.5.1 test
> node --test

Verbose mode enabled
▶ getCtx
  ▶ output — always stdout
    ✔ output.write goes to stdout (1.307816ms)
    ✔ output.table goes to stdout (0.873116ms)
  ✔ output — always stdout (3.2377ms)
  ▶ logger — always stderr
    ✔ logger.info goes to stderr (0.625095ms)
    ✔ logger.warn goes to stderr (0.283278ms)
    ✔ logger.error goes to stderr (0.419812ms)
  ✔ logger — always stderr (1.504292ms)
  ▶ verbose mode
    ✔ logger.debug is a no-op when verbose is false (0.498869ms)
    ✔ logger.debug goes to stderr when verbose is true (1.201849ms)
  ✔ verbose mode (2.053434ms)
  ▶ destroy signal
    ✔ returns a working destroy function (11.723984ms)
    ✔ calling destroy twice does not throw (0.698331ms)
  ✔ destroy signal (12.602691ms)
✔ getCtx (20.200662ms)
▶ lane-latency command
  ✔ should output JSON format correctly (5.571747ms)
  ✔ should resolve chain IDs to chain selectors (0.719961ms)
  ✔ should use custom API URL when provided (3.28746ms)
  ✔ should output log format correctly (1.377559ms)
  ✔ should handle chain IDs as input (0.882493ms)
  ✔ should handle chain selectors as input (0.412438ms)
  ✔ should throw CCIPApiClientNotAvailableError when --no-api flag is set (0.967612ms)
  ✔ should work normally when --no-api flag is false (0.512294ms)
  ✔ should forward blockConfirmations to API URL (0.495864ms)
  ✔ should not include numOfBlocks when blockConfirmations is not provided (0.63903ms)
  ▶ CCIP_API environment variable integration
    ✔ should respect CCIP_API=false environment variable (0.488239ms)
  ✔ CCIP_API environment variable integration (0.683583ms)
✔ lane-latency command (17.772249ms)
▶ selectRequest non-interactive behavior
  ✔ returns the single request without prompting (1.540139ms)
  ✔ returns the request matching logIndex (0.25227ms)
  ✔ throws CCIPInteractiveRequiredError for multiple requests without logIndex (2.300434ms)
✔ selectRequest non-interactive behavior (5.863791ms)
▶ CCIPInteractiveRequiredError
  ✔ has correct code and is not transient (0.294038ms)
  ✔ uses default recovery when none provided (0.366833ms)
  ✔ preserves context fields (0.232263ms)
✔ CCIPInteractiveRequiredError (1.135425ms)
▶ preprocessArgv TTY auto-detection
  ✔ --interactive flag is defined in globalOpts (0.255506ms)
✔ preprocessArgv TTY auto-detection (0.413991ms)
▶ search messages command
  ✔ should throw CCIPApiClientNotAvailableError when --no-api flag is set (2.522648ms)
  ✔ should output JSON format correctly (16.986877ms)
  ✔ should pass sender filter to API (4.23645ms)
  ✔ should pass receiver filter to API (5.034313ms)
  ✔ should resolve source chain to selector (3.449013ms)
  ✔ should resolve dest chain to selector (3.456858ms)
  ✔ should pass manual-exec-only filter to API (3.315696ms)
  ✔ should treat limit 0 as unlimited (9.833486ms)
  ✔ should respect limit parameter (6.960624ms)
  ✔ should warn when no results found (1.098917ms)
  ✔ should use custom API URL when provided (5.313302ms)
  ✔ should warn on negative limit and fall back to default (2.111894ms)
  ✔ should output log format (2.014612ms)
✔ search messages command (68.167483ms)
▶ e2e command show EVM
  ▶ pretty format (default)
    ✔ should show complete CCIP transaction details EVM to EVM (11744.525461ms)
  ✔ pretty format (default) (11745.603008ms)
  ▶ json format
    ✔ should output a single valid JSON envelope with all expected fields (9122.426012ms)
  ✔ json format (9122.712747ms)
  ▶ log format
    ✔ should output in log format with object assignments (8576.118207ms)
  ✔ log format (8576.356912ms)
  ▶ verbose flag
    ✔ should work with verbose flag enabled (9463.763046ms)
  ✔ verbose flag (9463.980201ms)
  ▶ error handling
    ✔ should handle invalid transaction hash gracefully (5928.98578ms)
    ✔ should require transaction hash argument (1658.169658ms)
  ✔ error handling (7587.443845ms)
  ✔ should show complete CCIP transaction details EVM to Aptos (14140.115126ms)
  ✔ should show complete CCIP transaction details EVM to Solana (6831.177053ms)
✔ e2e command show EVM (67470.340949ms)
▶ e2e command show Solana
  ✔ should show complete CCIP transaction details Solana to EVM (10265.99416ms)
✔ e2e command show Solana (10266.287616ms)
▶ e2e command show Aptos
  ✔ should show complete CCIP transaction details Aptos to EVM (8972.329642ms)
✔ e2e command show Aptos (8972.522011ms)
﹣ e2e command show TON (0.056095ms) # SKIP
▶ formatCCIPError
  ✔ should return null for non-CCIPError instances (1.61623ms)
  ✔ should format CCIPError with code and message (0.496645ms)
  ✔ should include help section with recovery hint (0.196776ms)
  ✔ should include note section for transient errors (3.397818ms)
  ✔ should include retry timing for transient errors with retryAfterMs (0.388904ms)
  ✔ should not include note section for permanent errors (0.281274ms)
  ✔ should format error with structured output (0.315087ms)
  ✔ should include stack trace when verbose is true (0.387913ms)
  ✔ should not include stack trace when verbose is false (0.210913ms)
✔ formatCCIPError (8.955809ms)
ℹ tests 59
ℹ suites 21
ℹ pass 59
ℹ fail 0
ℹ cancelled 0
ℹ skipped 0
ℹ todo 0
ℹ duration_ms 89056.160005
-------------------------------|---------|----------|---------|---------|---------------------------
File                           | % Stmts | % Branch | % Funcs | % Lines | Uncovered Line #s         
-------------------------------|---------|----------|---------|---------|---------------------------
All files                      |   74.47 |    77.14 |    61.7 |   74.47 |                           
 ccip-cli/src                  |   89.47 |    61.53 |      75 |   89.47 |                           
  index.ts                     |   89.47 |    61.53 |      75 |   89.47 | ...47-151,157-158,163-168 
 ccip-cli/src/commands         |   45.59 |     73.1 |   49.15 |   45.59 |                           
  index.ts                     |     100 |      100 |     100 |     100 |                           
  lane-latency.ts              |   72.56 |     90.9 |   33.33 |   72.56 | 41-56,63-70,105-111       
  manual-exec.ts               |   25.36 |      100 |       0 |   25.36 | 62-116,123-133,135-274    
  parse.ts                     |   57.14 |      100 |       0 |   57.14 | 46-50,57-64,66-91         
  safe-propose.ts              |   20.66 |      100 |       0 |   20.66 | ...42-245,251-258,260-571 
  search.ts                    |   81.25 |      100 |       0 |   81.25 | 24-29                     
  send.ts                      |   14.18 |      100 |       0 |   14.18 | 53-164,171-178,180-416    
  show.ts                      |   77.62 |    61.42 |   66.66 |   77.62 | ...49-257,261-274,305-306 
  supported-tokens.ts          |   17.66 |      100 |       0 |   17.66 | ...11-243,245-319,321-334 
  token.ts                     |   22.72 |      100 |       0 |   22.72 | 24-53,60-67,69-132        
  types.ts                     |     100 |      100 |     100 |     100 |                           
  utils.ts                     |   83.12 |    75.67 |   88.88 |   83.12 | ...26-651,658-666,676-682 
 ccip-cli/src/commands/search  |   49.39 |    83.33 |   14.28 |   49.39 |                           
  messages.ts                  |   49.39 |    83.33 |   14.28 |   49.39 | ...86-188,190-212,214-249 
 ccip-cli/src/providers        |   49.46 |    75.51 |      16 |   49.46 |                           
  aptos.ts                     |   51.47 |      100 |       0 |   51.47 | ...74,82-89,95-96,105-136 
  evm.ts                       |    36.3 |      100 |       0 |    36.3 | 27,47-63,69-104,116-168   
  index.ts                     |   80.16 |    72.72 |      80 |   80.16 | 51-52,193-237             
  solana.ts                    |   47.44 |      100 |       0 |   47.44 | ...,92-98,102-103,112-137 
  sui.ts                       |   64.28 |      100 |       0 |   64.28 | 10-14                     
  ton.ts                       |   15.03 |      100 |       0 |   15.03 | 24-153                    
 ccip-sdk/src                  |   94.78 |    81.87 |   93.02 |   94.78 |                           
  chain.ts                     |   93.05 |    78.75 |   71.42 |   93.05 | ...59,1709-1710,1743-1744 
  commits.ts                   |     100 |    95.23 |     100 |     100 | 54                        
  execution.ts                 |   92.19 |     92.3 |     100 |   92.19 | 130-137,149-156           
  explorer.ts                  |     100 |      100 |     100 |     100 |                           
  extra-args.ts                |      99 |    86.11 |     100 |      99 | 282-284                   
  gas.ts                       |   89.75 |       40 |     100 |   89.75 | 108-119,147-151           
  http-status.ts               |     100 |      100 |     100 |     100 |                           
  index.ts                     |     100 |      100 |     100 |     100 |                           
  messages.ts                  |   88.53 |    45.09 |     100 |   88.53 | ...20-221,230-231,255-256 
  offchain.ts                  |   94.14 |    79.54 |     100 |   94.14 | ...90,208,223-225,234-235 
  requests.ts                  |   94.58 |    82.11 |     100 |   94.58 | ...93,233,288-289,355-357 
  supported-chains.ts          |     100 |      100 |     100 |     100 |                           
  types.ts                     |     100 |      100 |     100 |     100 |                           
  utils.ts                     |   96.34 |    89.75 |     100 |   96.34 | ...63,779,881-882,889-897 
 ccip-sdk/src/api              |   93.75 |       85 |   94.11 |   93.75 |                           
  index.ts                     |   93.75 |       85 |   94.11 |   93.75 | ...39-744,755-758,761-764 
 ccip-sdk/src/aptos            |   56.96 |    68.88 |   56.66 |   56.96 |                           
  exec.ts                      |   29.31 |      100 |       0 |   29.31 | 18-58                     
  hasher.ts                    |   76.31 |       80 |   66.66 |   76.31 | 19-38,52-58               
  index.ts                     |    56.4 |       75 |   58.13 |    56.4 | ...26-828,832-858,862-873 
  logs.ts                      |   90.32 |    56.86 |   85.71 |   90.32 | ...85,187-189,194,196-202 
  send.ts                      |    25.2 |      100 |       0 |    25.2 | 10-51,62-79,92-123        
  token.ts                     |   23.75 |       75 |     100 |   23.75 | 35-156                    
  types.ts                     |   65.62 |      100 |       0 |   65.62 | 25-32,64-88               
 ccip-sdk/src/errors           |   87.35 |    76.16 |      48 |   87.35 |                           
  CCIPError.ts                 |     100 |      100 |     100 |     100 |                           
  codes.ts                     |     100 |      100 |     100 |     100 |                           
  index.ts                     |     100 |      100 |     100 |     100 |                           
  recovery.ts                  |     100 |      100 |     100 |     100 |                           
  specialized.ts               |   84.59 |    71.25 |   45.37 |   84.59 | ...44,3365-3374,3395-3404 
  utils.ts                     |   94.44 |    81.48 |     100 |   94.44 | 15,17,22,24               
 ccip-sdk/src/evm              |   83.53 |    75.91 |   89.02 |   83.53 |                           
  const.ts                     |     100 |      100 |     100 |     100 |                           
  errors.ts                    |   93.16 |    82.41 |     100 |   93.16 | ...02,156-161,170-172,219 
  extra-args.ts                |   94.47 |    61.01 |     100 |   94.47 | ...85-186,211-212,328-340 
  fork.test.data.ts            |     100 |      100 |     100 |     100 |                           
  gas.ts                       |   97.97 |    53.33 |     100 |   97.97 | 72-73,75                  
  hasher.ts                    |     100 |     92.3 |     100 |     100 | 134                       
  index.ts                     |   79.78 |    75.52 |   90.16 |   79.78 | ...65,2129-2145,2171-2178 
  logs.ts                      |    37.5 |    82.35 |      25 |    37.5 | ...14-215,232-260,279-303 
  messages.ts                  |     100 |      100 |     100 |     100 |                           
  offchain.ts                  |   81.25 |    33.33 |     100 |   81.25 | 11,13-14                  
  types.ts                     |     100 |      100 |     100 |     100 |                           
 ccip-sdk/src/evm/viem         |   79.76 |    90.62 |   69.23 |   79.76 |                           
  client-adapter.ts            |     100 |       90 |     100 |     100 | 48,74                     
  index.ts                     |     100 |      100 |     100 |     100 |                           
  wallet-adapter.ts            |   63.09 |     90.9 |   55.55 |   63.09 | ...6,53-73,91-124,131-157 
 ccip-sdk/src/hasher           |   94.29 |    78.94 |     100 |   94.29 |                           
  common.ts                    |     100 |      100 |     100 |     100 |                           
  hasher.ts                    |     100 |    66.66 |     100 |     100 | 19                        
  index.ts                     |     100 |      100 |     100 |     100 |                           
  merklemulti.ts               |   93.43 |       78 |     100 |   93.43 | ...59-260,306-307,315-316 
 ccip-sdk/src/shared           |   88.05 |    69.23 |     100 |   88.05 |                           
  bcs-codecs.ts                |   87.87 |    66.66 |     100 |   87.87 | 75-87,104-106             
  constants.ts                 |     100 |      100 |     100 |     100 |                           
 ccip-sdk/src/solana           |   73.07 |    70.13 |   76.74 |   73.07 |                           
  cleanup.ts                   |   26.95 |    66.66 |   33.33 |   26.95 | 43-53,59-101,114-227      
  exec.ts                      |   69.05 |    62.96 |   66.66 |   69.05 | ...61-463,468-472,512-513 
  fork.test.data.ts            |     100 |      100 |     100 |     100 |                           
  hasher.ts                    |   96.58 |    81.81 |     100 |   96.58 | 67-70                     
  index.ts                     |   76.66 |    74.67 |   78.84 |   76.66 | ...57,1561-1582,1586-1619 
  logs.ts                      |    73.1 |    60.71 |     100 |    73.1 | 51-52,54-55,62-89         
  offchain.ts                  |     100 |      100 |     100 |     100 |                           
  patchBorsh.ts                |   78.31 |       50 |     100 |   78.31 | 34-35,41-47,65-66,72-78   
  send.ts                      |   77.55 |    33.33 |      80 |   77.55 | ...45-346,351-359,402-441 
  types.ts                     |     100 |      100 |     100 |     100 |                           
  utils.ts                     |   67.41 |    68.96 |   63.63 |   67.41 | ...36-439,442-444,476-491 
 ccip-sdk/src/sui              |   35.21 |    86.66 |   19.29 |   35.21 |                           
  discovery.ts                 |   14.86 |      100 |       0 |   14.86 | 20-36,49-185,188-222      
  events.ts                    |   31.77 |       50 |      25 |   31.77 | ...95-113,118-275,297-298 
  exec.ts                      |   31.29 |      100 |       0 |   31.29 | 31-74,86-131              
  hasher.ts                    |   98.16 |    66.66 |     100 |   98.16 | 33,49                     
  index.ts                     |   40.44 |    93.18 |   17.94 |   40.44 | ...12-813,817-818,822-823 
  objects.ts                   |   18.93 |      100 |       0 |   18.93 | ...04-119,133-184,195-338 
 ccip-sdk/src/sui/manuallyExec |   39.63 |      100 |       0 |   39.63 |                           
  encoder.ts                   |   47.67 |      100 |       0 |   47.67 | 42-86                     
  index.ts                     |   34.35 |      100 |       0 |   34.35 | 46-131                    
 ccip-sdk/src/ton              |   76.17 |    79.86 |   71.08 |   76.17 |                           
  exec.ts                      |     100 |      100 |     100 |     100 |                           
  extra-args.ts                |   98.66 |    72.72 |     100 |   98.66 | 156-157,222               
  hasher.ts                    |   77.95 |    77.77 |      75 |   77.95 | 99-107,155-186            
  index.ts                     |   70.81 |    77.39 |   55.55 |   70.81 | ...03,1210-1211,1218-1219 
  logs.ts                      |     100 |    97.91 |     100 |     100 | 53                        
  send.ts                      |   95.93 |       70 |     100 |   95.93 | 37-44                     
  types.ts                     |   77.94 |    69.23 |   66.66 |   77.94 | ...-73,91,118-131,133-136 
  utils.ts                     |   63.02 |    78.18 |    90.9 |   63.02 | ...22-328,336-394,396-399 
-------------------------------|---------|----------|---------|---------|---------------------------

[andrevmatos]

I think this deserves to be an option for tx-sending commands, instead of its own command;
so probably a --safe <safeAddress> option side-by-side with wherever --wallet is defined/called.

In practice, you still need the current/existing --wallet logic, to load the account/signer with which you'll effectively sign the proposal and send the on-chain tx to Safe's inbox.

But then, the tx-sending logic can/should be "wrapped" by safe logic, caching its nonce locally and, instead of sending the tx to e.g. Router, it'd wrap the unsigned tx and send it to Safe instead as a proposal.

Everything should work mostly as is, with the only considerations being, when you read back the result, we may need to adjust the expectation that the tx contains a CCIP request (e.g. in the end of the EVMChain.sendMessage method), and also that simulation/estimateGas will always succeed or provide accurate gasLimit (due to ccipSend being simulated strictly after approvals are mined). But I think it should be feasible to work around or special those cases when --safe is provided

[andrevmatos]

Please, don't. Prefer to use source.provider directly if needed. Does safe libs have some form to integrate directly with ethers' providers? Would be even better than assuming a RPC url.

[andrevmatos]

Shouldn't either assume a private key; wallet could be a Ledger wallet.
Instead, let's make sure this works and simply wraps the discovered signer.

[andrevmatos]

Please, let's also avoid those mixed imports; there's usually some way to import them in nodejs, even if it requires importing or accessing explicit defaults properties

[andrevmatos]

Shouldn't need this move if safe is built as a wrapper for wallet instead