- AppControllerStorage gains an immutable safeTimelockFactory reference
  (constructor arg). No storage slot consumed; the field is used to
  detect governance-owned apps without adding a separate registry
  lookup.
- AppConfigStorage adds `bool timelocked` at byte 30 of the existing
  slot (immediately after BillingType at byte 29). This position was
  zero on every pre-v1.5.0 app, so the upgrade is byte-safe. An explicit
  byte-layout comment documents the invariant so a future reorder
  doesn't silently collide with isolated-billing's existing byte 29.
- AppController constructor takes the factory arg and forwards it.
- All historical release deploy scripts (v1.0.4, v1.1.1, v1.4.0) pass
  ISafeTimelockFactory(address(0)) so the repo still compiles; they
  are already applied on-chain and never run again.
- script/Deploy.s.sol (fresh-deploy fast path, used in tests) carries a
  TODO to deploy the factory before AppController when the v1.5.0
  governance release lands.

No governance behavior is enabled by this commit. The flag stays false
and none of the sensitive-op runtime gates exist yet. Follow-up commits
add canCall, team roles, transferOwnership semantics, and the release
script.

When the app's creator is a factory-deployed Timelock the sensitive
operations must be routed through Timelock.schedule → execute. Until
now those calls were gated only by PermissionControllerMixin, so any
admin the Timelock had granted via UAM could trigger an instant
upgrade or termination and bypass the delay entirely.

- _deployApp sets _appConfigs[app].timelocked = isTimelock(msg.sender)
  at creation. Previously the flag was unset on this path, so a
  Timelock calling createApp for itself skipped all of the new gates.
  Defensive zero-address check for historical deployments that have no
  factory wired in.
- upgradeApp requires msg.sender == creator when timelocked.
- terminateApp requires msg.sender == creator when timelocked.
- terminateAppByAdmin refuses to run against timelocked apps entirely —
  protocol admin must go through the Timelock, not around it.
- New view getAppTimelocked for off-chain tooling.

transferOwnership isn't on this branch yet; that semantic comes with
the team-RBAC overhaul in a later commit. For now the flag is only
written at creation.

- Deploy.s.sol now deploys TimelockControllerImpl and
  SafeTimelockFactory (impl + proxy) before the AppController and
  threads the factory proxy into the AppController constructor. Safe
  infrastructure addresses are left as zero — tests don't use
  deploySafe, and production releases will wire them via a dedicated
  release script.

- Five regression tests covering the timelocked gate on createApp,
  upgradeApp, terminateApp, and terminateAppByAdmin. Each tests
  mocks isTimelock(developer)=true, grants a PermissionController
  admin to a coAdmin, then confirms the coAdmin is blocked from the
  sensitive path while the Timelock-as-creator is not. Closes the
  bypass path that the audit flagged as V-1 / G-1 / A-1.

When an app's owner is handed off to a new address, the timelocked flag
must update atomically. Before this commit, apps could only acquire the
flag via the createApp path, so there was no way to opt an
already-running app into delayed governance — and no way back out.

- New transferOwnership(IApp, address). Gated by checkCanCall like
  other sensitive ops. When the app is already timelocked the caller
  must be the Timelock itself (msg.sender == creator), otherwise any
  admin granted via UAM could move the app out of governance without
  going through schedule → execute.
- New owner that is a factory-registered Timelock sets timelocked=true;
  any other address (EOA, externally deployed Safe, arbitrary contract)
  clears it.
- Active-app counter migration only happens for BillingType.DEFAULT
  apps. ISOLATED apps bill the app address, which doesn't change on
  transfer, so the counter must NOT move or a future terminate would
  double-decrement.
- New AppOwnershipTransferred event.

Six regression tests covering both directions of the flag flip, the
timelocked-gate, zero-address rejection, and the two billing accounting
branches.

- ICallValidator now inherits IERC165. Targets MUST advertise the
  interface via supportsInterface for their canCall to be consulted;
  a target that reverts canCall without advertising is treated as
  non-implementing (backwards compatible). A target that advertises
  and reverts is treated as a definitive "no" and the schedule is
  rejected — closing the fail-open bypass the audit called out
  (G-3 / V-4 / D-2 / A-7 / P-9).

- AppController implements ICallValidator + supportsInterface. canCall
  rejects at schedule time any operation that deterministically fails
  the runtime gate: non-owner upgradeApp/terminateApp/transferOwnership
  on a timelocked app, or terminateAppByAdmin against any timelocked
  app. All other calls pass through to runtime (PermissionController
  stays authoritative for non-governance auth).

- TimelockControllerImpl._validateTarget now:
  1. Short-circuits for EOAs / zero-code addresses.
  2. Probes ERC-165 supportsInterface with a 30k gas cap.
  3. Only calls canCall if the target claims support, capped at 200k
     gas with bounded returndata (32 bytes — ignores returndata bombs).
  4. Treats canCall revert as rejection (fail closed) rather than
     silent pass-through.

Tests:
- 5 new AppController.t.sol cases for canCall + supportsInterface.
- 8 new TimelockControllerImplValidation.t.sol cases with mock
  targets: no-ERC165, ERC165-says-no, allow, reject, revert, OOG,
  returndata-bomb, EOA fast path.

Full suite: 141 tests pass.

Unbounded growth of _pendingIds lets a misbehaving or compromised
proposer brick getPendingOperations() / getPendingOperationIds() for
off-chain tooling by queuing arbitrarily many ops with large calldata
blobs. Audit D-1 — High.

Introduce MAX_PENDING_OPS = 128 and a new TooManyPendingOperations
error. _addPending reverts when the cap is hit; executing or
cancelling an op frees a slot. 128 keeps getPendingOperations well
under the block gas limit even with multi-hundred-byte calldata per
op, and is an order of magnitude above any realistic governance
queue depth.

Test covers filling the cap, rejecting the next schedule, and being
able to schedule again after cancelling.

Two zeus phases:

1. EOA (1-deployGovernanceContracts.s.sol) — deploys in order:
   - TimelockControllerImpl (direct, no proxy; immutable master for
     the minimal-proxy Timelock clones created by the factory)
   - SafeTimelockFactory impl, referencing the canonical Gnosis Safe
     infrastructure (singleton / proxy factory / fallback handler)
     pulled from zeus env
   - SafeTimelockFactory TransparentUpgradeableProxy, owned by the
     existing protocol ProxyAdmin
   - New AppController implementation, wired to the factory proxy

2. Multisig (2-upgradeAppController.s.sol) — Env.proxyAdmin().upgrade
   points the AppController proxy at the new impl. No initializer call;
   the storage layout is append-only (new `bool timelocked` lands at
   byte 30, previously zero on every app).

Env.sol additions:
- Env.proxy.safeTimelockFactory(), Env.impl.safeTimelockFactory()
- Env.timelockControllerImpl()
- Env.safeSingleton() / safeProxyFactory() / safeFallbackHandler()

Zeus must supply the Safe infrastructure addresses per chain via env
keys safeSingleton / safeProxyFactory / safeFallbackHandler.

Smaller cap is more aggressive about preventing on-chain enumeration
bloat. 32 is still well above any realistic governance queue depth —
a team with that many concurrent pending ops has bigger problems than
list enumeration cost.

Replaces the PermissionController-based app-level auth with an
AppController-owned role set. The Timelock guarantees only bind when
the admin set the gates trust is a set this contract controls — which
was the underlying reason the previous gate (checkCanCall) couldn't
actually protect operational-layer control of a Timelocked app.

Roles, stored as mapping(IApp => mapping(TeamRole => AddressSet)):

  - ADMIN     → full app-level authority. Required for upgradeApp,
                transferOwnership, terminateApp, and for managing
                team membership. When the app is timelocked, ADMIN is
                further narrowed to msg.sender == creator for the
                three critical ops.
  - PAUSER    → operational. Can call stopApp.
  - DEVELOPER → operational. Can call updateAppMetadataURI.

Auditor findings A-2 and A-3 addressed by design:

  - grantTeamRole(ADMIN, _) on a timelocked app requires msg.sender == creator.
    Grants of PAUSER/DEVELOPER do NOT — those are operational powers
    the ADMIN can revoke at any time.
  - revokeTeamRole(ADMIN, _) on a timelocked app requires msg.sender == creator,
    closing the one-tx Timelock-stripping path.
  - renounceTeamRole refuses to drop the last ADMIN via CannotRevokeLastAdmin.

migrateAdmins(IApp[]) seeds ADMIN from the existing PermissionController
admin set per app — intended to be run once per existing app after the
v1.5.0 upgrade. Platform-admin gated (checkCanCall on AppController).

Changes:
  - Added TeamRole enum, events, errors, and function signatures to
    IAppController.
  - AppControllerStorage adds _teamRoles mapping; __gap shrunk by 1
    slot to keep the overall storage footprint stable.
  - Swapped checkCanCall(address(app)) on upgradeApp, transferOwnership,
    terminateApp, updateAppMetadataURI, startApp, stopApp for role-based
    gates (onlyAdmin or onlyRoleOrAdmin).
  - _deployApp now seeds the creator as the initial ADMIN and emits
    TeamRoleGranted.
  - transferOwnership auto-grants ADMIN to the new owner so the new
    team is not stranded without governance rights.

Tests:
  - Updated 7 existing tests where the expected revert shape shifted
    (InvalidPermissions → InvalidTeamRole when the role gate fires
    first, and so on). The co-admin-in-timelocked tests were rewritten
    to grant ADMIN via the new RBAC path instead of via UAM.
  - Added 15 new tests covering grant/revoke/renounce semantics, the
    A-2/A-3 timelocked ADMIN-grant gate, PAUSER/DEVELOPER behavior
    on stopApp and updateAppMetadataURI, transferOwnership auto-ADMIN,
    migrateAdmins seeding, and the platform-admin gate on migrateAdmins.

Full suite: 158 tests pass (from 142 pre-RBAC).

Move ownership and role state out of AppController into a dedicated
AppAuthority contract. AppController delegates auth checks to
AppAuthority; role management (grant/revoke/renounce/hasRole) is
called directly on AppAuthority by clients. Critical ops remain on
AppController and are owner-gated via AppAuthority.isScopeOwner.

Fixes the Option-2 invariants at the type level:
- The owner is always ADMIN on their scope; rotation only through
  transferScopeOwnership (add-before-remove preserves last-admin).
- ADMIN mutations (grant/revoke) are owner-only unconditionally.
- The owner cannot renounce or self-revoke ADMIN.

Storage layout: _teamRoles removed from AppController; __gap
restored to 45 slots. AppAuthority is a new upgradeable contract
behind its own proxy. AppController gets an IAppAuthority immutable.
Cached `creator` stays on AppController for billing / App.initialize
/ event stability; it mirrors AppAuthority.scopeOwner on transfer.

migrateAdmins becomes migrateAppsToAppAuthority: initializes each
legacy app's scope in AppAuthority from the cached creator, then
seeds ADMIN from the app's PermissionController admins (operational-
only under this model; no critical-op exposure).

AppController runtime size: 33,131 -> 30,288 bytes (-2,843).

Tests: 185/185 passing (was 161; +24 AppAuthority unit tests).

Remove the `timelocked` boolean from AppConfigStorage and every path
that wrote or read it. Under the owner-gated (Option-2) model the
flag is vestigial: critical ops are gated on `msg.sender == creator`
unconditionally, so a Timelock owner naturally forces schedule →
execute without a separate classification on AppController.

Behavior changes:

- terminateAppByAdmin no longer refuses Timelock-owned apps. Protocol
  admin (UAM-gated) can terminate any app uniformly. If the protocol
  wants delay-gated terminations, that's an operational decision
  about the UAM multisig, not an AppController concern.
- AppController no longer imports ISafeTimelockFactory. The factory
  is still deployed and usable for attested Safe/Timelock deployments,
  but AppController's correctness no longer depends on it.
- getAppTimelocked view removed.

Storage: AppConfigStorage byte 30 returns to unused (zero on all
existing chain state). SafeTimelockFactory immutable dropped from
AppControllerStorage; constructor goes 8 args → 7.

ISafe / ISafeProxyFactory interface files gain comments documenting
why they're hand-rolled (minimal surface, Safe v1.3.0–v1.4.1 stable
signatures) and when to reconsider.

Also closes audit findings:
- V-1 / A-7 (factory floors): factory boolean is no longer a security
  claim AppController relies on; user picks their own config.
- V-6 (Timelock → EOA drops protection): no protection to drop.
- A-4 (suspend not timelock-gated): no asymmetry to fix.

AppController runtime size: 30,288 → 29,058 (−1,230). Total shrinkage
vs pre-refactor: 33,131 → 29,058 (−4,073 / −12%).

Tests: 179/179 passing (was 185; 6 dropped tests were about the
flag-flipping behavior and the terminateAppByAdmin carve-out — both
gone now).

"Option-2" was a label from a design discussion, not anything defined
in the codebase. Reviewers coming to these files cold had no way to
know what it referred to. Swap it for descriptions of the actual
invariants: owner-gated critical ops, operational-only ADMIN, owner
cannot renounce/self-revoke, transferScopeOwnership is the sole owner
rotation path.

Merges master (v1.4.1 two-phase upgrade + ContainerPolicy) into this
branch. No conflicts in substance — master's changes are about release
state plumbing and coordinator migration races, while this branch's
changes are about auth (AppAuthority + owner-gated critical ops). The
two work streams don't overlap semantically; conflicts were positional.

From master:
- ContainerPolicy + EnvVar structs; Release struct gains
  containerPolicy field (KMS-006).
- pendingReleaseBlockNumber field on AppConfig / AppConfigStorage.
- confirmUpgrade(IApp) — UAM-gated; promotes pending release to
  confirmed. Prevents the coordinator /secrets race during GCP
  instance migration (KMS-009).
- _upgradeApp writes to pending; _deployApp auto-promotes initial
  release; getAppPendingReleaseBlockNumber view.
- 5 new two-phase upgrade tests.

Preserved from this branch:
- AppAuthority delegation (scope ownership + roles)
- Owner-gated critical ops (onlyCreator)
- transferOwnership, migrateAppsToAppAuthority
- NotCreator / InvalidTeamRole errors
- Governance (Timelock/Safe) infrastructure

Tests: 184/184 passing (was 179; +5 from master's two-phase tests).

Note: master added pendingReleaseBlockNumber (uint32) to
AppConfigStorage, which expands the struct past a single slot. This
is inherited from master, not introduced by this PR — the append-only
storage claim in the PR description should be updated to reflect that
status and billingType now live on slot 2 post-merge.

Picks up the ABI additions from c70f43e (two-step transferOwnership)
and 8f6e0e4 (migrateAppsToAppAuthority):

- acceptOwnership(IApp)
- cancelOwnershipTransfer(IApp)
- getPendingOwner(IApp) -> address
- migrateAppsToAppAuthority(IApp[])
- OwnershipTransferProposed(IApp, address, address) event
- OwnershipTransferCancelled(IApp, address, address) event
- AppConfigStorage.pendingOwner field

Go consumers (sidecar, ecloud-billing-api, coordinator tooling) must
update to the new surface. transferOwnership semantics change: no
longer atomic — receiver must call acceptOwnership in a second tx.