lesson: fork safety — ERC-4337 code, impersonation, chain addresses, docker perms

factory/best-practices/dev-agent.md

@@ -47,3 +47,32 @@ DO NOT try to find the specific PR that closed an issue. This is over-engineerin
 - The factory itself closes issues after merging, so closed = merged
 
 The only check needed: `issue.state == "closed"`.
+
+## Fork Safety (Base Sepolia / Base Mainnet)
+
+**ERC-4337 code at well-known addresses.** Base Sepolia (and potentially other L2s) has 23-byte Account Abstraction proxy code at ALL well-known addresses:
+- Anvil default mnemonic accounts (0xf39Fd6..., 0x70997...)
+- Deterministic addresses (CREATE2 salts, keccak derivations)
+- Any address that "looks" like an EOA might actually have code
+
+This breaks any contract that checks `address.code.length` to distinguish EOAs from contracts. Specifically: `feeDestinationLocked` in LiquidityManager.
+
+**Fix pattern:** Before deploying on a forked Anvil, strip code from addresses that need to be EOAs:
+```bash
+cast rpc --rpc-url $RPC anvil_setCode "$ADDRESS" "0x"
+```
+
+**Impersonated accounts need ETH.** `anvil_impersonateAccount` lets you send from any address, but gas estimation fails if the account has 0 balance:
+```bash
+cast rpc --rpc-url $RPC anvil_setBalance "$ADDRESS" "0xDE0B6B3A7640000"  # 1 ETH
+```
+
+**Mainnet vs Sepolia addresses differ.** Uniswap V3 contracts have different addresses per chain:
+- V3 Factory: `0x33128...` (mainnet) vs `0x4752...` (Sepolia)
+- SwapRouter02: `0x2626...` (mainnet) vs `0x94cC...` (Sepolia)
+Always verify which chain you're forking before using hardcoded addresses.
+
+**Docker creates root-owned files.** When forge runs inside a docker container, `cache/`, `out/`, `broadcast/` become root-owned. Subsequent runs as a non-root user fail with permission denied.
+```bash
+sudo chown -R "$(id -u):$(id -g)" cache out broadcast 2>/dev/null || true
+```