@run402/sdk 1.40.0

package/README.md

@@ -0,0 +1,69 @@
+# @run402/sdk
+
+Typed TypeScript client for the [Run402](https://run402.com) API.
+
+This package is the kernel shared by the `run402-mcp` MCP server, the `run402` CLI, and user-deployed run402 functions. It exposes every run402 API operation as a method on a resource namespace (`sdk.projects.provision()`, `sdk.blobs.put()`, `sdk.functions.deploy()`, etc.).
+
+## Install
+
+```bash
+npm install @run402/sdk
+```
+
+## Quick start (Node)
+
+The `/node` subpath provides zero-config defaults: reads credentials from the existing `~/.config/run402/` keystore and auto-retries x402 payments from your local allowance.
+
+```typescript
+import { run402 } from "@run402/sdk/node";
+
+const r = run402();
+const project = await r.projects.provision({ tier: "prototype" });
+await r.blobs.put(project.id, "hello.txt", "hello world");
+```
+
+## Quick start (isomorphic / sandbox)
+
+The root entry is isomorphic — no filesystem access, no Node-only imports. Supply your own `CredentialsProvider`:
+
+```typescript
+import { Run402 } from "@run402/sdk";
+
+const r = new Run402({
+  apiBase: "https://api.run402.com",
+  credentials: {
+    async getAuth(path) {
+      return { Authorization: `Bearer ${mySessionToken}` };
+    },
+    async getProject(id) {
+      return mySessionProjects[id] ?? null;
+    },
+  },
+});
+```
+
+## Stability
+
+This package is `0.x`. Breaking changes may occur between minor versions until `1.0`. Pin an exact version in production dependencies until stabilization.
+
+## Errors
+
+All failures throw subclasses of `Run402Error`:
+
+- `PaymentRequired` — HTTP 402, carries the x402 payment requirements
+- `ProjectNotFound` — project ID not in the credential provider
+- `Unauthorized` — HTTP 401 / 403
+- `ApiError` — other non-2xx responses
+- `NetworkError` — fetch rejected with no HTTP response
+
+```typescript
+import { PaymentRequired } from "@run402/sdk";
+
+try {
+  await r.projects.provision({ tier: "prototype" });
+} catch (e) {
+  if (e instanceof PaymentRequired) {
+    console.log("needs funding:", e.body);
+  } else throw e;
+}
+```

package/core-dist/allowance-auth.d.ts

@@ -0,0 +1,35 @@
+/**
+ * Allowance auth helper — generates SIWX (Sign-In With X / EIP-4361) headers for Run402 API.
+ * Uses @noble/curves (lighter than viem) for signing.
+ */
+export interface SIWxAuthHeaders {
+    "SIGN-IN-WITH-X": string;
+}
+/**
+ * EIP-55 mixed-case checksum encoding.
+ */
+export declare function toChecksumAddress(address: string): string;
+interface SIWEMessageOpts {
+    domain: string;
+    uri: string;
+    statement: string;
+    version: string;
+    chainId: number;
+    nonce: string;
+    issuedAt: string;
+    expirationTime?: string;
+}
+/**
+ * Format an EIP-4361 (SIWE) message. Must be byte-for-byte compatible
+ * with the `siwe` library's message format used server-side for verification.
+ */
+export declare function formatSIWEMessage(opts: SIWEMessageOpts, address: string): string;
+/**
+ * Get SIWX auth headers for the Run402 API.
+ * Returns null if no allowance is configured.
+ *
+ * @param path - API path (e.g. "/projects/v1") used to build the SIWE uri field.
+ */
+export declare function getAllowanceAuthHeaders(path: string, allowancePath?: string): SIWxAuthHeaders | null;
+export {};
+//# sourceMappingURL=allowance-auth.d.ts.map

package/core-dist/allowance-auth.js

@@ -0,0 +1,129 @@
+/**
+ * Allowance auth helper — generates SIWX (Sign-In With X / EIP-4361) headers for Run402 API.
+ * Uses @noble/curves (lighter than viem) for signing.
+ */
+import { randomBytes } from "node:crypto";
+import { secp256k1 } from "@noble/curves/secp256k1.js";
+import { keccak_256 } from "@noble/hashes/sha3.js";
+import { bytesToHex } from "@noble/hashes/utils.js";
+import { readAllowance } from "./allowance.js";
+import { getApiBase } from "./config.js";
+/**
+ * EIP-55 mixed-case checksum encoding.
+ */
+export function toChecksumAddress(address) {
+    const lower = address.toLowerCase().replace("0x", "");
+    const hash = bytesToHex(keccak_256(new TextEncoder().encode(lower)));
+    let checksummed = "0x";
+    for (let i = 0; i < lower.length; i++) {
+        checksummed += parseInt(hash[i], 16) >= 8 ? lower[i].toUpperCase() : lower[i];
+    }
+    return checksummed;
+}
+/**
+ * EIP-191 personal_sign: sign a message with the allowance's private key.
+ */
+function personalSign(privateKeyHex, address, message) {
+    const msgBytes = new TextEncoder().encode(message);
+    const prefix = new TextEncoder().encode(`\x19Ethereum Signed Message:\n${msgBytes.length}`);
+    const prefixed = new Uint8Array(prefix.length + msgBytes.length);
+    prefixed.set(prefix);
+    prefixed.set(msgBytes, prefix.length);
+    const hash = keccak_256(prefixed);
+    const pkHex = privateKeyHex.startsWith("0x")
+        ? privateKeyHex.slice(2)
+        : privateKeyHex;
+    const pkBytes = Uint8Array.from(Buffer.from(pkHex, "hex"));
+    const rawSig = secp256k1.sign(hash, pkBytes, { prehash: false });
+    const sig = secp256k1.Signature.fromBytes(rawSig);
+    // Determine recovery bit by trying both and matching the address
+    let recovery = 0;
+    for (const v of [0, 1]) {
+        try {
+            const recovered = sig.addRecoveryBit(v).recoverPublicKey(hash);
+            const pubBytes = recovered.toBytes(false).slice(1); // uncompressed, drop 04 prefix
+            const addrBytes = keccak_256(pubBytes).slice(-20);
+            if ("0x" + bytesToHex(addrBytes) === address.toLowerCase()) {
+                recovery = v;
+                break;
+            }
+        }
+        catch {
+            continue;
+        }
+    }
+    const r = sig.r.toString(16).padStart(64, "0");
+    const s = sig.s.toString(16).padStart(64, "0");
+    const vHex = (recovery + 27).toString(16).padStart(2, "0");
+    return "0x" + r + s + vHex;
+}
+/**
+ * Format an EIP-4361 (SIWE) message. Must be byte-for-byte compatible
+ * with the `siwe` library's message format used server-side for verification.
+ */
+export function formatSIWEMessage(opts, address) {
+    const checksummed = toChecksumAddress(address);
+    const lines = [
+        `${opts.domain} wants you to sign in with your Ethereum account:`,
+        checksummed,
+        "",
+        opts.statement,
+        "",
+        `URI: ${opts.uri}`,
+        `Version: ${opts.version}`,
+        `Chain ID: ${opts.chainId}`,
+        `Nonce: ${opts.nonce}`,
+        `Issued At: ${opts.issuedAt}`,
+    ];
+    if (opts.expirationTime) {
+        lines.push(`Expiration Time: ${opts.expirationTime}`);
+    }
+    return lines.join("\n");
+}
+/**
+ * Get SIWX auth headers for the Run402 API.
+ * Returns null if no allowance is configured.
+ *
+ * @param path - API path (e.g. "/projects/v1") used to build the SIWE uri field.
+ */
+export function getAllowanceAuthHeaders(path, allowancePath) {
+    const allowance = readAllowance(allowancePath);
+    if (!allowance || !allowance.address || !allowance.privateKey)
+        return null;
+    const apiBase = getApiBase();
+    const url = new URL(apiBase);
+    const domain = url.hostname;
+    const uri = `${apiBase}${path}`;
+    const nonce = randomBytes(16).toString("hex");
+    const now = new Date();
+    const issuedAt = now.toISOString();
+    const expirationTime = new Date(now.getTime() + 5 * 60 * 1000).toISOString();
+    const message = formatSIWEMessage({
+        domain,
+        uri,
+        statement: "Sign in to Run402",
+        version: "1",
+        chainId: 84532, // Base Sepolia
+        nonce,
+        issuedAt,
+        expirationTime,
+    }, allowance.address);
+    const signature = personalSign(allowance.privateKey, allowance.address, message);
+    const payload = {
+        domain,
+        address: toChecksumAddress(allowance.address),
+        statement: "Sign in to Run402",
+        uri,
+        version: "1",
+        chainId: "eip155:84532",
+        type: "eip191",
+        nonce,
+        issuedAt,
+        expirationTime,
+        signature,
+    };
+    return {
+        "SIGN-IN-WITH-X": Buffer.from(JSON.stringify(payload)).toString("base64"),
+    };
+}
+//# sourceMappingURL=allowance-auth.js.map

package/core-dist/allowance.d.ts

@@ -0,0 +1,11 @@
+export interface AllowanceData {
+    address: string;
+    privateKey: string;
+    created?: string;
+    funded?: boolean;
+    lastFaucet?: string;
+    rail?: "x402" | "mpp";
+}
+export declare function readAllowance(path?: string): AllowanceData | null;
+export declare function saveAllowance(data: AllowanceData, path?: string): void;
+//# sourceMappingURL=allowance.d.ts.map

package/core-dist/allowance.js

@@ -0,0 +1,25 @@
+import { readFileSync, writeFileSync, mkdirSync, existsSync, chmodSync, renameSync } from "node:fs";
+import { dirname, join } from "node:path";
+import { randomBytes } from "node:crypto";
+import { getAllowancePath } from "./config.js";
+export function readAllowance(path) {
+    const p = path ?? getAllowancePath();
+    if (!existsSync(p))
+        return null;
+    try {
+        return JSON.parse(readFileSync(p, "utf-8"));
+    }
+    catch {
+        return null;
+    }
+}
+export function saveAllowance(data, path) {
+    const p = path ?? getAllowancePath();
+    const dir = dirname(p);
+    mkdirSync(dir, { recursive: true });
+    const tmp = join(dir, `.allowance.${randomBytes(4).toString("hex")}.tmp`);
+    writeFileSync(tmp, JSON.stringify(data, null, 2), { mode: 0o600 });
+    renameSync(tmp, p);
+    chmodSync(p, 0o600);
+}
+//# sourceMappingURL=allowance.js.map

package/core-dist/client.d.ts

@@ -0,0 +1,15 @@
+export interface ApiResponse {
+    ok: boolean;
+    is402?: boolean;
+    status: number;
+    body: unknown;
+}
+export interface ApiRequestOptions {
+    method?: string;
+    headers?: Record<string, string>;
+    body?: unknown;
+    /** Send body as raw string (e.g. for text/plain SQL) */
+    rawBody?: string;
+}
+export declare function apiRequest(path: string, opts?: ApiRequestOptions): Promise<ApiResponse>;
+//# sourceMappingURL=client.d.ts.map

package/core-dist/client.js

@@ -0,0 +1,42 @@
+import { getApiBase } from "./config.js";
+export async function apiRequest(path, opts = {}) {
+    const { method = "GET", headers = {}, body, rawBody } = opts;
+    const url = `${getApiBase()}${path}`;
+    const fetchHeaders = { ...headers };
+    let fetchBody;
+    if (rawBody !== undefined) {
+        fetchBody = rawBody;
+    }
+    else if (body !== undefined) {
+        fetchHeaders["Content-Type"] = fetchHeaders["Content-Type"] || "application/json";
+        fetchBody = JSON.stringify(body);
+    }
+    let res;
+    try {
+        res = await fetch(url, {
+            method,
+            headers: fetchHeaders,
+            body: fetchBody,
+        });
+    }
+    catch (err) {
+        return {
+            ok: false,
+            status: 0,
+            body: { error: `Network error: ${err.message}` },
+        };
+    }
+    let resBody;
+    const contentType = res.headers.get("content-type") || "";
+    if (contentType.includes("application/json")) {
+        resBody = await res.json();
+    }
+    else {
+        resBody = await res.text();
+    }
+    if (res.status === 402) {
+        return { ok: false, is402: true, status: 402, body: resBody };
+    }
+    return { ok: res.ok, status: res.status, body: resBody };
+}
+//# sourceMappingURL=client.js.map

package/core-dist/config.d.ts

@@ -0,0 +1,5 @@
+export declare function getApiBase(): string;
+export declare function getConfigDir(): string;
+export declare function getKeystorePath(): string;
+export declare function getAllowancePath(): string;
+//# sourceMappingURL=config.d.ts.map

package/core-dist/config.js

@@ -0,0 +1,26 @@
+import { homedir } from "node:os";
+import { join } from "node:path";
+import { existsSync, renameSync, mkdirSync } from "node:fs";
+export function getApiBase() {
+    return process.env.RUN402_API_BASE || "https://api.run402.com";
+}
+export function getConfigDir() {
+    return process.env.RUN402_CONFIG_DIR || join(homedir(), ".config", "run402");
+}
+export function getKeystorePath() {
+    return join(getConfigDir(), "projects.json");
+}
+export function getAllowancePath() {
+    if (process.env.RUN402_ALLOWANCE_PATH)
+        return process.env.RUN402_ALLOWANCE_PATH;
+    const dir = getConfigDir();
+    const newPath = join(dir, "allowance.json");
+    const oldPath = join(dir, "wallet.json");
+    // Auto-migrate from wallet.json → allowance.json
+    if (!existsSync(newPath) && existsSync(oldPath)) {
+        mkdirSync(dir, { recursive: true });
+        renameSync(oldPath, newPath);
+    }
+    return newPath;
+}
+//# sourceMappingURL=config.js.map

package/core-dist/keystore.d.ts

@@ -0,0 +1,26 @@
+export interface StoredProject {
+    anon_key: string;
+    service_key: string;
+    site_url?: string;
+    deployed_at?: string;
+    last_deployment_id?: string;
+}
+export interface KeyStore {
+    active_project_id?: string;
+    projects: Record<string, StoredProject>;
+}
+/**
+ * Load the keystore from disk.
+ * Auto-migrates legacy formats:
+ * - Array format (CLI legacy): [{project_id, ...}] → {projects: {id: {...}}}
+ * - Old field name: expires_at → lease_expires_at
+ */
+export declare function loadKeyStore(path?: string): KeyStore;
+export declare function saveKeyStore(store: KeyStore, path?: string): void;
+export declare function getProject(projectId: string, path?: string): StoredProject | undefined;
+export declare function saveProject(projectId: string, project: StoredProject, path?: string): void;
+export declare function updateProject(projectId: string, update: Partial<StoredProject>, path?: string): void;
+export declare function removeProject(projectId: string, path?: string): void;
+export declare function getActiveProjectId(path?: string): string | undefined;
+export declare function setActiveProjectId(projectId: string, path?: string): void;
+//# sourceMappingURL=keystore.d.ts.map

package/core-dist/keystore.js

@@ -0,0 +1,97 @@
+import { readFileSync, writeFileSync, mkdirSync, renameSync, chmodSync } from "node:fs";
+import { dirname, join } from "node:path";
+import { randomBytes } from "node:crypto";
+import { getKeystorePath } from "./config.js";
+/**
+ * Load the keystore from disk.
+ * Auto-migrates legacy formats:
+ * - Array format (CLI legacy): [{project_id, ...}] → {projects: {id: {...}}}
+ * - Old field name: expires_at → lease_expires_at
+ */
+export function loadKeyStore(path) {
+    const p = path ?? getKeystorePath();
+    try {
+        const data = readFileSync(p, "utf-8");
+        const parsed = JSON.parse(data);
+        // Auto-migrate array format (CLI legacy) to object format
+        if (Array.isArray(parsed)) {
+            const projects = {};
+            for (const item of parsed) {
+                if (item.project_id) {
+                    projects[item.project_id] = {
+                        anon_key: item.anon_key,
+                        service_key: item.service_key,
+                        ...(item.site_url && { site_url: item.site_url }),
+                        ...(item.deployed_at && { deployed_at: item.deployed_at }),
+                    };
+                }
+            }
+            return { projects };
+        }
+        if (parsed && typeof parsed === "object" && parsed.projects) {
+            // Strip legacy fields (tier, lease_expires_at, expires_at) from projects
+            for (const proj of Object.values(parsed.projects)) {
+                const rec = proj;
+                delete rec.tier;
+                delete rec.lease_expires_at;
+                delete rec.expires_at;
+            }
+            return {
+                ...(parsed.active_project_id && { active_project_id: parsed.active_project_id }),
+                projects: parsed.projects,
+            };
+        }
+        return { projects: {} };
+    }
+    catch {
+        return { projects: {} };
+    }
+}
+export function saveKeyStore(store, path) {
+    const p = path ?? getKeystorePath();
+    const dir = dirname(p);
+    mkdirSync(dir, { recursive: true });
+    const tmp = join(dir, `.projects.${randomBytes(4).toString("hex")}.tmp`);
+    writeFileSync(tmp, JSON.stringify(store, null, 2), { mode: 0o600 });
+    renameSync(tmp, p);
+    chmodSync(p, 0o600);
+}
+export function getProject(projectId, path) {
+    const store = loadKeyStore(path);
+    return store.projects[projectId];
+}
+export function saveProject(projectId, project, path) {
+    const p = path ?? getKeystorePath();
+    const store = loadKeyStore(p);
+    store.projects[projectId] = project;
+    saveKeyStore(store, p);
+}
+export function updateProject(projectId, update, path) {
+    const p = path ?? getKeystorePath();
+    const store = loadKeyStore(p);
+    const existing = store.projects[projectId];
+    if (existing) {
+        store.projects[projectId] = { ...existing, ...update };
+        saveKeyStore(store, p);
+    }
+}
+export function removeProject(projectId, path) {
+    const p = path ?? getKeystorePath();
+    const store = loadKeyStore(p);
+    delete store.projects[projectId];
+    if (store.active_project_id === projectId) {
+        delete store.active_project_id;
+    }
+    saveKeyStore(store, p);
+}
+export function getActiveProjectId(path) {
+    const store = loadKeyStore(path);
+    return store.active_project_id;
+}
+export function setActiveProjectId(projectId, path) {
+    const p = path ?? getKeystorePath();
+    const store = loadKeyStore(p);
+    store.active_project_id = projectId;
+    saveKeyStore(store, p);
+}
+//# sourceMappingURL=keystore.js.map

package/core-dist/wallet-auth.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Wallet auth helper — generates EIP-191 signature headers for Run402 API.
+ * Uses @noble/curves (lighter than viem) for signing.
+ */
+export interface WalletAuthHeaders {
+    "X-Run402-Wallet": string;
+    "X-Run402-Signature": string;
+    "X-Run402-Timestamp": string;
+}
+/**
+ * Get wallet auth headers for the Run402 API.
+ * Returns null if no wallet is configured.
+ */
+export declare function getWalletAuthHeaders(walletPath?: string): WalletAuthHeaders | null;
+//# sourceMappingURL=wallet-auth.d.ts.map

package/core-dist/wallet-auth.js

@@ -0,0 +1,62 @@
+/**
+ * Wallet auth helper — generates EIP-191 signature headers for Run402 API.
+ * Uses @noble/curves (lighter than viem) for signing.
+ */
+import { secp256k1 } from "@noble/curves/secp256k1.js";
+import { keccak_256 } from "@noble/hashes/sha3.js";
+import { bytesToHex } from "@noble/hashes/utils.js";
+import { readWallet } from "./wallet.js";
+/**
+ * EIP-191 personal_sign: sign a message with the wallet's private key.
+ */
+function personalSign(privateKeyHex, address, message) {
+    const msgBytes = new TextEncoder().encode(message);
+    const prefix = new TextEncoder().encode(`\x19Ethereum Signed Message:\n${msgBytes.length}`);
+    const prefixed = new Uint8Array(prefix.length + msgBytes.length);
+    prefixed.set(prefix);
+    prefixed.set(msgBytes, prefix.length);
+    const hash = keccak_256(prefixed);
+    const pkHex = privateKeyHex.startsWith("0x")
+        ? privateKeyHex.slice(2)
+        : privateKeyHex;
+    const pkBytes = Uint8Array.from(Buffer.from(pkHex, "hex"));
+    const rawSig = secp256k1.sign(hash, pkBytes);
+    const sig = secp256k1.Signature.fromBytes(rawSig);
+    // Determine recovery bit by trying both and matching the address
+    let recovery = 0;
+    for (const v of [0, 1]) {
+        try {
+            const recovered = sig.addRecoveryBit(v).recoverPublicKey(hash);
+            const pubBytes = recovered.toBytes(false).slice(1); // uncompressed, drop 04 prefix
+            const addrBytes = keccak_256(pubBytes).slice(-20);
+            if ("0x" + bytesToHex(addrBytes) === address.toLowerCase()) {
+                recovery = v;
+                break;
+            }
+        }
+        catch {
+            continue;
+        }
+    }
+    const r = sig.r.toString(16).padStart(64, "0");
+    const s = sig.s.toString(16).padStart(64, "0");
+    const vHex = (recovery + 27).toString(16).padStart(2, "0");
+    return "0x" + r + s + vHex;
+}
+/**
+ * Get wallet auth headers for the Run402 API.
+ * Returns null if no wallet is configured.
+ */
+export function getWalletAuthHeaders(walletPath) {
+    const wallet = readWallet(walletPath);
+    if (!wallet || !wallet.address || !wallet.privateKey)
+        return null;
+    const timestamp = Math.floor(Date.now() / 1000).toString();
+    const signature = personalSign(wallet.privateKey, wallet.address, `run402:${timestamp}`);
+    return {
+        "X-Run402-Wallet": wallet.address,
+        "X-Run402-Signature": signature,
+        "X-Run402-Timestamp": timestamp,
+    };
+}
+//# sourceMappingURL=wallet-auth.js.map

package/core-dist/wallet.d.ts

@@ -0,0 +1,10 @@
+export interface WalletData {
+    address: string;
+    privateKey: string;
+    created?: string;
+    funded?: boolean;
+    lastFaucet?: string;
+}
+export declare function readWallet(path?: string): WalletData | null;
+export declare function saveWallet(data: WalletData, path?: string): void;
+//# sourceMappingURL=wallet.d.ts.map

package/core-dist/wallet.js

@@ -0,0 +1,25 @@
+import { readFileSync, writeFileSync, mkdirSync, existsSync, chmodSync, renameSync } from "node:fs";
+import { dirname, join } from "node:path";
+import { randomBytes } from "node:crypto";
+import { getWalletPath } from "./config.js";
+export function readWallet(path) {
+    const p = path ?? getWalletPath();
+    if (!existsSync(p))
+        return null;
+    try {
+        return JSON.parse(readFileSync(p, "utf-8"));
+    }
+    catch {
+        return null;
+    }
+}
+export function saveWallet(data, path) {
+    const p = path ?? getWalletPath();
+    const dir = dirname(p);
+    mkdirSync(dir, { recursive: true });
+    const tmp = join(dir, `.wallet.${randomBytes(4).toString("hex")}.tmp`);
+    writeFileSync(tmp, JSON.stringify(data, null, 2), { mode: 0o600 });
+    renameSync(tmp, p);
+    chmodSync(p, 0o600);
+}
+//# sourceMappingURL=wallet.js.map

package/dist/credentials.d.ts

@@ -0,0 +1,70 @@
+/**
+ * Credential provider interface for the Run402 SDK.
+ *
+ * The SDK's request kernel calls `getAuth` before each request to obtain
+ * signed auth headers, and `getProject` to resolve per-project anon/service
+ * keys. All filesystem, environment, and session-state access lives inside
+ * provider implementations — never in the kernel.
+ *
+ * Node consumers use {@link NodeCredentialsProvider} from `@run402/sdk/node`
+ * which wraps the local keystore + allowance. Sandbox consumers supply their
+ * own implementation bound to a session token issued by the supervisor.
+ *
+ * The two required methods (`getAuth`, `getProject`) support every API call.
+ * The optional methods let providers opt in to local persistence (keystore
+ * writes, active-project tracking). Namespace methods that need a missing
+ * optional method throw a descriptive error at runtime.
+ */
+export interface ProjectKeys {
+    anon_key: string;
+    service_key: string;
+    site_url?: string;
+    deployed_at?: string;
+    last_deployment_id?: string;
+    mailbox_id?: string;
+    mailbox_address?: string;
+}
+export interface AllowanceData {
+    address: string;
+    privateKey: string;
+    created?: string;
+    funded?: boolean;
+    lastFaucet?: string;
+    rail?: "x402" | "mpp";
+}
+export interface CredentialsProvider {
+    /**
+     * Return per-request auth headers for the given API path, or null if none
+     * are available. Typical headers: `SIGN-IN-WITH-X` (SIWE), `Authorization:
+     * Bearer ...`. The kernel merges these into the request headers without
+     * overwriting headers explicitly set on the request.
+     */
+    getAuth(path: string): Promise<Record<string, string> | null>;
+    /**
+     * Resolve the anon/service keys for a project. Returns null if the project
+     * is not known to this provider — the kernel then throws ProjectNotFound.
+     */
+    getProject(id: string): Promise<ProjectKeys | null>;
+    /**
+     * Persist project keys after a successful provision or deploy. Optional:
+     * providers without local storage (pure session providers) may omit this.
+     */
+    saveProject?(id: string, project: ProjectKeys): Promise<void>;
+    /** Partially update a project's stored fields (e.g. mailbox_id, last_deployment_id). Optional. */
+    updateProject?(id: string, patch: Partial<ProjectKeys>): Promise<void>;
+    /** Remove a project from local storage after deletion. Optional. */
+    removeProject?(id: string): Promise<void>;
+    /** Set the active/default project id in local state. Optional. */
+    setActiveProject?(id: string): Promise<void>;
+    /** Get the active/default project id from local state. Optional. */
+    getActiveProject?(): Promise<string | null>;
+    /** Read the local allowance (wallet). Optional — sandbox providers may omit. */
+    readAllowance?(): Promise<AllowanceData | null>;
+    /** Persist the local allowance. Optional. */
+    saveAllowance?(data: AllowanceData): Promise<void>;
+    /** Generate a fresh allowance keypair. Optional — Node default uses secp256k1 + keccak for the Ethereum address. */
+    createAllowance?(): Promise<AllowanceData>;
+    /** Return the absolute path to the local allowance file, for diagnostic output. Optional. */
+    getAllowancePath?(): string;
+}
+//# sourceMappingURL=credentials.d.ts.map