run402 1.10.2 → 1.12.0

package/core-dist/allowance-auth.js

@@ -1,11 +1,25 @@
 /**
- * Allowance auth helper — generates EIP-191 signature headers for Run402 API.
+ * Allowance auth helper — generates SIWX (Sign-In With X / EIP-4361) headers for Run402 API.
  * Uses @noble/curves (lighter than viem) for signing.
  */
+import { randomBytes } from "node:crypto";
 import { secp256k1 } from "@noble/curves/secp256k1.js";
 import { keccak_256 } from "@noble/hashes/sha3.js";
 import { bytesToHex } from "@noble/hashes/utils.js";
 import { readAllowance } from "./allowance.js";
+import { getApiBase } from "./config.js";
+/**
+ * EIP-55 mixed-case checksum encoding.
+ */
+export function toChecksumAddress(address) {
+    const lower = address.toLowerCase().replace("0x", "");
+    const hash = bytesToHex(keccak_256(new TextEncoder().encode(lower)));
+    let checksummed = "0x";
+    for (let i = 0; i < lower.length; i++) {
+        checksummed += parseInt(hash[i], 16) >= 8 ? lower[i].toUpperCase() : lower[i];
+    }
+    return checksummed;
+}
 /**
  * EIP-191 personal_sign: sign a message with the allowance's private key.
  */
@@ -44,19 +58,71 @@ function personalSign(privateKeyHex, address, message) {
     return "0x" + r + s + vHex;
 }
 /**
- * Get allowance auth headers for the Run402 API.
+ * Format an EIP-4361 (SIWE) message. Must be byte-for-byte compatible
+ * with the `siwe` library's message format used server-side for verification.
+ */
+export function formatSIWEMessage(opts, address) {
+    const checksummed = toChecksumAddress(address);
+    const lines = [
+        `${opts.domain} wants you to sign in with your Ethereum account:`,
+        checksummed,
+        "",
+        opts.statement,
+        "",
+        `URI: ${opts.uri}`,
+        `Version: ${opts.version}`,
+        `Chain ID: ${opts.chainId}`,
+        `Nonce: ${opts.nonce}`,
+        `Issued At: ${opts.issuedAt}`,
+    ];
+    if (opts.expirationTime) {
+        lines.push(`Expiration Time: ${opts.expirationTime}`);
+    }
+    return lines.join("\n");
+}
+/**
+ * Get SIWX auth headers for the Run402 API.
  * Returns null if no allowance is configured.
+ *
+ * @param path - API path (e.g. "/projects/v1") used to build the SIWE uri field.
  */
-export function getAllowanceAuthHeaders(allowancePath) {
+export function getAllowanceAuthHeaders(path, allowancePath) {
     const allowance = readAllowance(allowancePath);
     if (!allowance || !allowance.address || !allowance.privateKey)
         return null;
-    const timestamp = Math.floor(Date.now() / 1000).toString();
-    const signature = personalSign(allowance.privateKey, allowance.address, `run402:${timestamp}`);
+    const apiBase = getApiBase();
+    const url = new URL(apiBase);
+    const domain = url.hostname;
+    const uri = `${apiBase}${path}`;
+    const nonce = randomBytes(16).toString("hex");
+    const now = new Date();
+    const issuedAt = now.toISOString();
+    const expirationTime = new Date(now.getTime() + 5 * 60 * 1000).toISOString();
+    const message = formatSIWEMessage({
+        domain,
+        uri,
+        statement: "Sign in to Run402",
+        version: "1",
+        chainId: 84532, // Base Sepolia
+        nonce,
+        issuedAt,
+        expirationTime,
+    }, allowance.address);
+    const signature = personalSign(allowance.privateKey, allowance.address, message);
+    const payload = {
+        domain,
+        address: toChecksumAddress(allowance.address),
+        uri,
+        version: "1",
+        chainId: 84532,
+        type: "eip4361",
+        nonce,
+        issuedAt,
+        expirationTime,
+        signature,
+    };
     return {
-        "X-Run402-Wallet": allowance.address,
-        "X-Run402-Signature": signature,
-        "X-Run402-Timestamp": timestamp,
+        "SIGN-IN-WITH-X": Buffer.from(JSON.stringify(payload)).toString("base64"),
     };
 }
 //# sourceMappingURL=allowance-auth.js.map

package/core-dist/keystore.js

@@ -21,8 +21,6 @@ export function loadKeyStore(path) {
                     projects[item.project_id] = {
                         anon_key: item.anon_key,
                         service_key: item.service_key,
-                        tier: item.tier,
-                        lease_expires_at: item.lease_expires_at || item.expires_at || "",
                         ...(item.site_url && { site_url: item.site_url }),
                         ...(item.deployed_at && { deployed_at: item.deployed_at }),
                     };
@@ -31,15 +29,17 @@ export function loadKeyStore(path) {
             return { projects };
         }
         if (parsed && typeof parsed === "object" && parsed.projects) {
-            // Auto-normalize expires_at → lease_expires_at
+            // Strip legacy fields (tier, lease_expires_at, expires_at) from projects
             for (const proj of Object.values(parsed.projects)) {
                 const rec = proj;
-                if (rec.expires_at && !rec.lease_expires_at) {
-                    rec.lease_expires_at = rec.expires_at;
-                    delete rec.expires_at;
-                }
+                delete rec.tier;
+                delete rec.lease_expires_at;
+                delete rec.expires_at;
             }
-            return parsed;
+            return {
+                ...(parsed.active_project_id && { active_project_id: parsed.active_project_id }),
+                projects: parsed.projects,
+            };
         }
         return { projects: {} };
     }
@@ -66,10 +66,32 @@ export function saveProject(projectId, project, path) {
     store.projects[projectId] = project;
     saveKeyStore(store, p);
 }
+export function updateProject(projectId, update, path) {
+    const p = path ?? getKeystorePath();
+    const store = loadKeyStore(p);
+    const existing = store.projects[projectId];
+    if (existing) {
+        store.projects[projectId] = { ...existing, ...update };
+        saveKeyStore(store, p);
+    }
+}
 export function removeProject(projectId, path) {
     const p = path ?? getKeystorePath();
     const store = loadKeyStore(p);
     delete store.projects[projectId];
+    if (store.active_project_id === projectId) {
+        delete store.active_project_id;
+    }
+    saveKeyStore(store, p);
+}
+export function getActiveProjectId(path) {
+    const store = loadKeyStore(path);
+    return store.active_project_id;
+}
+export function setActiveProjectId(projectId, path) {
+    const p = path ?? getKeystorePath();
+    const store = loadKeyStore(p);
+    store.active_project_id = projectId;
     saveKeyStore(store, p);
 }
 //# sourceMappingURL=keystore.js.map

package/lib/agent.mjs

@@ -23,7 +23,7 @@ async function contact(args) {
     if (args[i] === "--webhook" && args[i + 1]) webhook = args[++i];
   }
   if (!name) { console.error(JSON.stringify({ status: "error", message: "Missing --name <name>" })); process.exit(1); }
-  const authHeaders = await allowanceAuthHeaders();
+  const authHeaders = allowanceAuthHeaders("/agent/v1/contact");
 
   const body = { name };
   if (email) body.email = email;

package/lib/apps.mjs

@@ -47,7 +47,7 @@ async function fork(versionId, name, args) {
     if (args[i] === "--tier" && args[i + 1]) opts.tier = args[++i];
     if (args[i] === "--subdomain" && args[i + 1]) opts.subdomain = args[++i];
   }
-  const authHeaders = await allowanceAuthHeaders();
+  const authHeaders = allowanceAuthHeaders("/fork/v1");
 
   const body = { version_id: versionId, name };
   if (opts.subdomain) body.subdomain = opts.subdomain;

package/lib/config.mjs

@@ -5,7 +5,8 @@
 
 import { getApiBase, getConfigDir, getKeystorePath, getAllowancePath } from "../core-dist/config.js";
 import { readAllowance as coreReadAllowance, saveAllowance as coreSaveAllowance } from "../core-dist/allowance.js";
-import { loadKeyStore, getProject, saveProject, removeProject, saveKeyStore } from "../core-dist/keystore.js";
+import { loadKeyStore, getProject, saveProject, updateProject, removeProject, saveKeyStore, getActiveProjectId, setActiveProjectId } from "../core-dist/keystore.js";
+import { getAllowanceAuthHeaders as coreGetAllowanceAuthHeaders } from "../core-dist/allowance-auth.js";
 
 export const CONFIG_DIR = getConfigDir();
 export const ALLOWANCE_FILE = getAllowancePath();
@@ -20,14 +21,10 @@ export function saveAllowance(data) {
   coreSaveAllowance(data);
 }
 
-export async function allowanceAuthHeaders() {
-  const w = readAllowance();
-  if (!w) { console.error(JSON.stringify({ status: "error", message: "No agent allowance found. Run: run402 allowance create" })); process.exit(1); }
-  const { privateKeyToAccount } = await import("viem/accounts");
-  const account = privateKeyToAccount(w.privateKey);
-  const timestamp = Math.floor(Date.now() / 1000).toString();
-  const signature = await account.signMessage({ message: `run402:${timestamp}` });
-  return { "X-Run402-Wallet": account.address, "X-Run402-Signature": signature, "X-Run402-Timestamp": timestamp };
+export function allowanceAuthHeaders(path) {
+  const headers = coreGetAllowanceAuthHeaders(path);
+  if (!headers) { console.error(JSON.stringify({ status: "error", message: "No agent allowance found. Run: run402 allowance create" })); process.exit(1); }
+  return headers;
 }
 
 export function findProject(id) {
@@ -36,5 +33,17 @@ export function findProject(id) {
   return p;
 }
 
+export function resolveProject(id) {
+  const projectId = id || getActiveProjectId();
+  if (!projectId) { console.error("Error: no project specified and no active project set. Run: run402 projects provision"); process.exit(1); }
+  return findProject(projectId);
+}
+
+export function resolveProjectId(id) {
+  const projectId = id || getActiveProjectId();
+  if (!projectId) { console.error("Error: no project specified and no active project set. Run: run402 projects provision"); process.exit(1); }
+  return projectId;
+}
+
 // Re-export core keystore functions for direct use
-export { loadKeyStore, saveProject, removeProject, saveKeyStore };
+export { loadKeyStore, saveProject, updateProject, removeProject, saveKeyStore, getActiveProjectId, setActiveProjectId };

package/lib/deploy.mjs

@@ -1,5 +1,5 @@
 import { readFileSync } from "fs";
-import { API, allowanceAuthHeaders, saveProject } from "./config.mjs";
+import { API, allowanceAuthHeaders, saveProject, setActiveProjectId } from "./config.mjs";
 
 const HELP = `run402 deploy — Deploy a full-stack app or static site on Run402
 
@@ -14,11 +14,30 @@ Options:
 Manifest format (JSON):
   {
     "name": "my-app",
-    "migrations": "CREATE TABLE items ...",
+    "migrations": "CREATE TABLE items (id serial PRIMARY KEY, title text NOT NULL, done boolean DEFAULT false)",
+    "rls": {
+      "template": "public_read_write",
+      "tables": [{ "table": "items" }]
+    },
+    "secrets": [{ "key": "OPENAI_API_KEY", "value": "sk-..." }],
+    "functions": [{
+      "name": "my-fn",
+      "code": "export default async (req) => new Response('ok')"
+    }],
     "files": [{ "file": "index.html", "data": "<html>...</html>" }],
     "subdomain": "my-app"
   }
 
+  All fields except "name" are optional.
+
+  RLS templates:
+    user_owns_rows   — users see only their rows (requires owner_column per table)
+    public_read      — anyone reads, authenticated users write
+    public_read_write — anyone reads and writes
+
+  ⚠️  Without RLS, tables are read-only via anon_key. If your app writes
+  data from the browser, you almost certainly need an rls block.
+
 Examples:
   run402 deploy --manifest app.json
   cat app.json | run402 deploy
@@ -48,17 +67,17 @@ export async function run(args) {
 
   const manifest = opts.manifest ? JSON.parse(readFileSync(opts.manifest, "utf-8")) : JSON.parse(await readStdin());
 
-  const authHeaders = await allowanceAuthHeaders();
+  const authHeaders = allowanceAuthHeaders("/deploy/v1");
   const res = await fetch(`${API}/deploy/v1`, { method: "POST", headers: { "Content-Type": "application/json", ...authHeaders }, body: JSON.stringify(manifest) });
   const result = await res.json();
   if (!res.ok) { console.error(JSON.stringify({ status: "error", http: res.status, ...result })); process.exit(1); }
   if (result.project_id) {
     saveProject(result.project_id, {
       anon_key: result.anon_key, service_key: result.service_key,
-      tier: result.tier, lease_expires_at: result.lease_expires_at,
       site_url: result.site_url || result.subdomain_url,
       deployed_at: new Date().toISOString(),
     });
+    setActiveProjectId(result.project_id);
   }
   console.log(JSON.stringify(result, null, 2));
 }

package/lib/init.mjs

@@ -1,4 +1,5 @@
 import { readAllowance, saveAllowance, loadKeyStore, CONFIG_DIR, ALLOWANCE_FILE, API } from "./config.mjs";
+import { getAllowanceAuthHeaders } from "../core-dist/allowance-auth.js";
 import { mkdirSync } from "fs";
 
 const USDC_ABI = [{ name: "balanceOf", type: "function", stateMutability: "view", inputs: [{ name: "account", type: "address" }], outputs: [{ name: "", type: "uint256" }] }];
@@ -74,23 +75,15 @@ export async function run() {
   const store = loadKeyStore();
   let tierInfo = null;
   try {
-    const { privateKeyToAccount } = await import("viem/accounts");
-    const account = privateKeyToAccount(allowance.privateKey);
-    const timestamp = Math.floor(Date.now() / 1000).toString();
-    const signature = await account.signMessage({ message: `run402:${timestamp}` });
-    const res = await fetch(`${API}/tiers/v1/status`, {
-      headers: { "X-Run402-Wallet": account.address, "X-Run402-Signature": signature, "X-Run402-Timestamp": timestamp },
-    });
-    if (res.ok) tierInfo = await res.json();
+    const authHeaders = getAllowanceAuthHeaders("/tiers/v1/status");
+    if (authHeaders) {
+      const res = await fetch(`${API}/tiers/v1/status`, {
+        headers: { ...authHeaders },
+      });
+      if (res.ok) tierInfo = await res.json();
+    }
   } catch {}
 
-  // Fall back to keystore if the API call failed or returned no tier
-  if (!tierInfo || !tierInfo.tier) {
-    const projects = Object.values(store.projects);
-    const active = projects.find(p => p.tier && p.lease_expires_at && new Date(p.lease_expires_at) > new Date());
-    if (active) tierInfo = { tier: active.tier, status: "active", lease_expires_at: active.lease_expires_at };
-  }
-
   if (tierInfo && tierInfo.tier && tierInfo.status === "active") {
     const expiry = tierInfo.lease_expires_at ? tierInfo.lease_expires_at.split("T")[0] : "unknown";
     line("Tier", `${tierInfo.tier} (expires ${expiry})`);

package/lib/message.mjs

@@ -15,7 +15,7 @@ Examples:
 
 async function send(text) {
   if (!text) { console.error(JSON.stringify({ status: "error", message: "Missing message text" })); process.exit(1); }
-  const authHeaders = await allowanceAuthHeaders();
+  const authHeaders = allowanceAuthHeaders("/message/v1");
 
   const res = await fetch(`${API}/message/v1`, {
     method: "POST",

package/lib/projects.mjs

@@ -1,4 +1,4 @@
-import { findProject, loadKeyStore, saveProject, removeProject, API, allowanceAuthHeaders } from "./config.mjs";
+import { findProject, loadKeyStore, saveProject, removeProject, API, allowanceAuthHeaders, setActiveProjectId, getActiveProjectId } from "./config.mjs";
 
 const HELP = `run402 projects — Manage your deployed Run402 projects
 
@@ -8,8 +8,9 @@ Usage:
 Subcommands:
   quote                                   Show pricing tiers
   provision [--tier <tier>] [--name <n>]  Provision a new Postgres project (pays via x402)
-  list                                    List all your projects (IDs, tiers, URLs, expiry)
-  info  <id>                              Show project details: REST URL, keys, expiry
+  use   <id>                              Set the active project (used as default for other commands)
+  list                                    List all your projects (IDs, URLs, active marker)
+  info  <id>                              Show project details: REST URL, keys
   sql   <id> "<query>"                    Run a SQL query against a project's Postgres DB
   rest  <id> <table> [params]             Query a table via the REST API (PostgREST)
   usage <id>                              Show compute/storage usage for a project
@@ -21,6 +22,7 @@ Examples:
   run402 projects quote
   run402 projects provision --tier prototype
   run402 projects provision --tier hobby --name my-app
+  run402 projects use prj_abc123
   run402 projects list
   run402 projects info abc123
   run402 projects sql abc123 "SELECT * FROM users LIMIT 5"
@@ -32,6 +34,7 @@ Examples:
 
 Notes:
   - <id> is the project_id shown in 'run402 projects list'
+  - Most commands that take <id> default to the active project if omitted
   - 'rest' uses PostgREST query syntax (table name + optional query string)
   - 'provision' requires a funded allowance — payment is automatic via x402
   - RLS templates: user_owns_rows, public_read, public_read_write
@@ -50,7 +53,7 @@ async function provision(args) {
     if (args[i] === "--tier" && args[i + 1]) opts.tier = args[++i];
     if (args[i] === "--name" && args[i + 1]) opts.name = args[++i];
   }
-  const authHeaders = await allowanceAuthHeaders();
+  const authHeaders = allowanceAuthHeaders("/projects/v1");
   const body = { tier: opts.tier };
   if (opts.name) body.name = opts.name;
   const res = await fetch(`${API}/projects/v1`, {
@@ -60,13 +63,13 @@ async function provision(args) {
   });
   const data = await res.json();
   if (!res.ok) { console.error(JSON.stringify({ status: "error", http: res.status, ...data })); process.exit(1); }
-  // Save project credentials locally
+  // Save project credentials locally and set as active
   if (data.project_id) {
     saveProject(data.project_id, {
       anon_key: data.anon_key, service_key: data.service_key,
-      tier: data.tier, lease_expires_at: data.lease_expires_at,
       deployed_at: new Date().toISOString(),
     });
+    setActiveProjectId(data.project_id);
   }
   console.log(JSON.stringify(data, null, 2));
 }
@@ -88,17 +91,14 @@ async function list() {
   const store = loadKeyStore();
   const entries = Object.entries(store.projects);
   if (entries.length === 0) { console.log(JSON.stringify({ status: "ok", projects: [], message: "No projects yet." })); return; }
-  console.log(JSON.stringify(entries.map(([id, p]) => ({ project_id: id, tier: p.tier, site_url: p.site_url, lease_expires_at: p.lease_expires_at, deployed_at: p.deployed_at })), null, 2));
+  const activeId = store.active_project_id;
+  console.log(JSON.stringify(entries.map(([id, p]) => ({ project_id: id, active: id === activeId, site_url: p.site_url, deployed_at: p.deployed_at })), null, 2));
 }
 
 async function info(projectId) {
   const p = findProject(projectId);
-  const active = p.lease_expires_at ? new Date(p.lease_expires_at) > new Date() : null;
   console.log(JSON.stringify({
     project_id: projectId,
-    tier: p.tier,
-    active,
-    lease_expires_at: p.lease_expires_at,
     rest_url: `${API}/rest/v1`,
     anon_key: p.anon_key,
     service_key: p.service_key,
@@ -135,6 +135,13 @@ async function schema(projectId) {
   console.log(JSON.stringify(data, null, 2));
 }
 
+async function use(projectId) {
+  if (!projectId) { console.error("Usage: run402 projects use <project_id>"); process.exit(1); }
+  findProject(projectId); // verify it exists
+  setActiveProjectId(projectId);
+  console.log(JSON.stringify({ status: "ok", active_project_id: projectId }));
+}
+
 async function deleteProject(projectId) {
   const p = findProject(projectId);
   const res = await fetch(`${API}/projects/v1/${projectId}`, { method: "DELETE", headers: { "Authorization": `Bearer ${p.service_key}` } });
@@ -155,6 +162,7 @@ export async function run(sub, args) {
   switch (sub) {
     case "quote":     await quote(); break;
     case "provision": await provision(args); break;
+    case "use":       await use(args[0]); break;
     case "list":      await list(); break;
     case "info":      await info(args[0]); break;
     case "sql":       await sqlCmd(args[0], args[1]); break;

package/lib/sites.mjs

@@ -1,21 +1,20 @@
 import { readFileSync } from "fs";
-import { API, allowanceAuthHeaders } from "./config.mjs";
+import { API, allowanceAuthHeaders, resolveProjectId, updateProject } from "./config.mjs";
 
 const HELP = `run402 sites — Deploy and manage static sites
 
 Usage:
-  run402 sites deploy --name <name> --manifest <file> [--project <id>] [--target <target>]
+  run402 sites deploy --manifest <file> [--project <id>] [--target <target>]
   run402 sites status <deployment_id>
-  cat manifest.json | run402 sites deploy --name <name>
+  cat manifest.json | run402 sites deploy
 
 Subcommands:
   deploy  Deploy a static site
   status  Check the status of a deployment
 
 Options (deploy):
-  --name <name>         Site name (e.g. 'portfolio', 'family-todo')
   --manifest <file>     Path to manifest JSON file (or read from stdin)
-  --project <id>        Optional project ID to link this deployment to
+  --project <id>        Project ID (defaults to active project)
   --target <target>     Deployment target (e.g. 'production')
   --help, -h            Show this help message
 
@@ -28,9 +27,9 @@ Manifest format (JSON):
   }
 
 Examples:
-  run402 sites deploy --name my-site --manifest site.json
-  run402 sites status dep_abc123
-  cat site.json | run402 sites deploy --name my-site
+  run402 sites deploy --manifest site.json
+  run402 sites status dpl_abc123
+  cat site.json | run402 sites deploy
 
 Notes:
   - Must include at least index.html in the files array
@@ -44,21 +43,19 @@ async function readStdin() {
 }
 
 async function deploy(args) {
-  const opts = { name: null, manifest: null, project: undefined, target: undefined };
+  const opts = { manifest: null, project: undefined, target: undefined };
   for (let i = 0; i < args.length; i++) {
     if (args[i] === "--help" || args[i] === "-h") { console.log(HELP); process.exit(0); }
-    if (args[i] === "--name" && args[i + 1]) opts.name = args[++i];
     if (args[i] === "--manifest" && args[i + 1]) opts.manifest = args[++i];
     if (args[i] === "--project" && args[i + 1]) opts.project = args[++i];
     if (args[i] === "--target" && args[i + 1]) opts.target = args[++i];
   }
-  if (!opts.name) { console.error(JSON.stringify({ status: "error", message: "Missing --name <name>" })); process.exit(1); }
+  const projectId = resolveProjectId(opts.project);
   const manifest = opts.manifest ? JSON.parse(readFileSync(opts.manifest, "utf-8")) : JSON.parse(await readStdin());
-  const body = { name: opts.name, files: manifest.files };
-  if (opts.project) body.project = opts.project;
+  const body = { files: manifest.files, project: projectId };
   if (opts.target) body.target = opts.target;
 
-  const authHeaders = await allowanceAuthHeaders();
+  const authHeaders = allowanceAuthHeaders("/deployments/v1");
   const res = await fetch(`${API}/deployments/v1`, {
     method: "POST",
     headers: { "Content-Type": "application/json", ...authHeaders },
@@ -66,6 +63,9 @@ async function deploy(args) {
   });
   const data = await res.json();
   if (!res.ok) { console.error(JSON.stringify({ status: "error", http: res.status, ...data })); process.exit(1); }
+  if (data.deployment_id) {
+    updateProject(projectId, { last_deployment_id: data.deployment_id });
+  }
   console.log(JSON.stringify(data, null, 2));
 }
 

package/lib/subdomains.mjs

@@ -1,4 +1,4 @@
-import { findProject, API } from "./config.mjs";
+import { resolveProject, resolveProjectId, API } from "./config.mjs";
 
 const HELP = `run402 subdomains — Manage custom subdomains
 
@@ -6,31 +6,43 @@ Usage:
   run402 subdomains <subcommand> [args...]
 
 Subcommands:
-  claim  <deployment_id> <name> --project <id>    Claim a subdomain for a deployment
-  delete <name> --project <id>                     Release a subdomain
-  list   <id>                                       List subdomains for a project
+  claim  <name> [--project <id>] [--deployment <id>]   Claim a subdomain
+  delete <name> [--project <id>]                        Release a subdomain
+  list   [<id>]                                         List subdomains for a project
+
+Options default to the active project and its last deployment when omitted.
+Legacy syntax 'claim <deployment_id> <name>' is still supported.
 
 Examples:
-  run402 subdomains claim dpl_abc123 myapp
-  run402 subdomains claim dpl_abc123 myapp --project proj123
+  run402 subdomains claim myapp
+  run402 subdomains claim myapp --deployment dpl_abc123 --project proj123
   run402 subdomains delete myapp
-  run402 subdomains list proj123
+  run402 subdomains list
 
 Notes:
   - Subdomain names: 3-63 chars, lowercase alphanumeric + hyphens
   - Creates <name>.run402.com pointing to the deployment
 `;
 
-async function claim(deploymentId, name, args) {
-  const opts = { project: null };
-  for (let i = 0; i < args.length; i++) {
-    if (args[i] === "--project" && args[i + 1]) opts.project = args[++i];
+async function claim(positionalArgs, flagArgs) {
+  const opts = { project: null, deployment: null };
+  for (let i = 0; i < flagArgs.length; i++) {
+    if (flagArgs[i] === "--project" && flagArgs[i + 1]) opts.project = flagArgs[++i];
+    if (flagArgs[i] === "--deployment" && flagArgs[i + 1]) opts.deployment = flagArgs[++i];
   }
-  if (!opts.project) {
-    console.error("Error: --project <id> is required for subdomain claim.");
-    process.exit(1);
+  // positional: [name] or [deployment_id, name]
+  let name, deploymentId;
+  if (positionalArgs.length >= 2) {
+    deploymentId = positionalArgs[0];
+    name = positionalArgs[1];
+  } else if (positionalArgs.length === 1) {
+    name = positionalArgs[0];
   }
-  const p = findProject(opts.project);
+  if (!name) { console.error("Usage: run402 subdomains claim <name> [--project <id>] [--deployment <id>]"); process.exit(1); }
+  const projectId = resolveProjectId(opts.project);
+  const p = resolveProject(opts.project);
+  deploymentId = opts.deployment || deploymentId || p.last_deployment_id;
+  if (!deploymentId) { console.error("Error: no deployment_id specified and no recent deployment found. Deploy a site first or pass --deployment <id>."); process.exit(1); }
   const headers = { "Content-Type": "application/json", "Authorization": `Bearer ${p.service_key}` };
   const res = await fetch(`${API}/subdomains/v1`, {
     method: "POST",
@@ -47,11 +59,7 @@ async function deleteSubdomain(name, args) {
   for (let i = 0; i < args.length; i++) {
     if (args[i] === "--project" && args[i + 1]) opts.project = args[++i];
   }
-  if (!opts.project) {
-    console.error("Error: --project <id> is required for subdomain delete.");
-    process.exit(1);
-  }
-  const p = findProject(opts.project);
+  const p = resolveProject(opts.project);
   const headers = { "Authorization": `Bearer ${p.service_key}` };
   const res = await fetch(`${API}/subdomains/v1/${encodeURIComponent(name)}`, {
     method: "DELETE",
@@ -66,7 +74,7 @@ async function deleteSubdomain(name, args) {
 }
 
 async function list(projectId) {
-  const p = findProject(projectId);
+  const p = resolveProject(projectId);
   const res = await fetch(`${API}/subdomains/v1`, {
     headers: { "Authorization": `Bearer ${p.service_key}` },
   });
@@ -78,7 +86,17 @@ async function list(projectId) {
 export async function run(sub, args) {
   if (!sub || sub === '--help' || sub === '-h') { console.log(HELP); process.exit(0); }
   switch (sub) {
-    case "claim":  await claim(args[0], args[1], args.slice(2)); break;
+    case "claim": {
+      const positional = [];
+      const flags = [];
+      let i = 0;
+      while (i < args.length) {
+        if (args[i].startsWith("--")) { flags.push(args[i], args[i + 1]); i += 2; }
+        else { positional.push(args[i]); i++; }
+      }
+      await claim(positional, flags);
+      break;
+    }
     case "delete": await deleteSubdomain(args[0], args.slice(1)); break;
     case "list":   await list(args[0]); break;
     default:

package/lib/tier.mjs

@@ -1,4 +1,4 @@
-import { readAllowance, ALLOWANCE_FILE, API } from "./config.mjs";
+import { readAllowance, ALLOWANCE_FILE, API, allowanceAuthHeaders } from "./config.mjs";
 import { setupPaidFetch } from "./paid-fetch.mjs";
 
 const HELP = `run402 tier — Manage your Run402 tier subscription
@@ -25,14 +25,9 @@ Examples:
 `;
 
 async function status() {
-  const w = readAllowance();
-  if (!w) { console.log(JSON.stringify({ status: "error", message: "No agent allowance. Run: run402 allowance create" })); process.exit(1); }
-  const { privateKeyToAccount } = await import("viem/accounts");
-  const account = privateKeyToAccount(w.privateKey);
-  const timestamp = Math.floor(Date.now() / 1000).toString();
-  const signature = await account.signMessage({ message: `run402:${timestamp}` });
+  const authHeaders = allowanceAuthHeaders("/tiers/v1/status");
   const res = await fetch(`${API}/tiers/v1/status`, {
-    headers: { "X-Run402-Wallet": account.address, "X-Run402-Signature": signature, "X-Run402-Timestamp": timestamp },
+    headers: { ...authHeaders },
   });
   const data = await res.json();
   if (!res.ok) { console.error(JSON.stringify({ status: "error", http: res.status, ...data })); process.exit(1); }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "run402",
-  "version": "1.10.2",
+  "version": "1.12.0",
   "description": "CLI for Run402 — provision Postgres databases, deploy static sites, generate images, and manage wallets via x402 micropayments.",
   "type": "module",
   "bin": {