run402 1.11.0 → 1.12.1

package/core-dist/allowance-auth.js

@@ -1,11 +1,25 @@
 /**
- * Allowance auth helper — generates EIP-191 signature headers for Run402 API.
+ * Allowance auth helper — generates SIWX (Sign-In With X / EIP-4361) headers for Run402 API.
  * Uses @noble/curves (lighter than viem) for signing.
  */
+import { randomBytes } from "node:crypto";
 import { secp256k1 } from "@noble/curves/secp256k1.js";
 import { keccak_256 } from "@noble/hashes/sha3.js";
 import { bytesToHex } from "@noble/hashes/utils.js";
 import { readAllowance } from "./allowance.js";
+import { getApiBase } from "./config.js";
+/**
+ * EIP-55 mixed-case checksum encoding.
+ */
+export function toChecksumAddress(address) {
+    const lower = address.toLowerCase().replace("0x", "");
+    const hash = bytesToHex(keccak_256(new TextEncoder().encode(lower)));
+    let checksummed = "0x";
+    for (let i = 0; i < lower.length; i++) {
+        checksummed += parseInt(hash[i], 16) >= 8 ? lower[i].toUpperCase() : lower[i];
+    }
+    return checksummed;
+}
 /**
  * EIP-191 personal_sign: sign a message with the allowance's private key.
  */
@@ -44,19 +58,71 @@ function personalSign(privateKeyHex, address, message) {
     return "0x" + r + s + vHex;
 }
 /**
- * Get allowance auth headers for the Run402 API.
+ * Format an EIP-4361 (SIWE) message. Must be byte-for-byte compatible
+ * with the `siwe` library's message format used server-side for verification.
+ */
+export function formatSIWEMessage(opts, address) {
+    const checksummed = toChecksumAddress(address);
+    const lines = [
+        `${opts.domain} wants you to sign in with your Ethereum account:`,
+        checksummed,
+        "",
+        opts.statement,
+        "",
+        `URI: ${opts.uri}`,
+        `Version: ${opts.version}`,
+        `Chain ID: ${opts.chainId}`,
+        `Nonce: ${opts.nonce}`,
+        `Issued At: ${opts.issuedAt}`,
+    ];
+    if (opts.expirationTime) {
+        lines.push(`Expiration Time: ${opts.expirationTime}`);
+    }
+    return lines.join("\n");
+}
+/**
+ * Get SIWX auth headers for the Run402 API.
  * Returns null if no allowance is configured.
+ *
+ * @param path - API path (e.g. "/projects/v1") used to build the SIWE uri field.
  */
-export function getAllowanceAuthHeaders(allowancePath) {
+export function getAllowanceAuthHeaders(path, allowancePath) {
     const allowance = readAllowance(allowancePath);
     if (!allowance || !allowance.address || !allowance.privateKey)
         return null;
-    const timestamp = Math.floor(Date.now() / 1000).toString();
-    const signature = personalSign(allowance.privateKey, allowance.address, `run402:${timestamp}`);
+    const apiBase = getApiBase();
+    const url = new URL(apiBase);
+    const domain = url.hostname;
+    const uri = `${apiBase}${path}`;
+    const nonce = randomBytes(16).toString("hex");
+    const now = new Date();
+    const issuedAt = now.toISOString();
+    const expirationTime = new Date(now.getTime() + 5 * 60 * 1000).toISOString();
+    const message = formatSIWEMessage({
+        domain,
+        uri,
+        statement: "Sign in to Run402",
+        version: "1",
+        chainId: 84532, // Base Sepolia
+        nonce,
+        issuedAt,
+        expirationTime,
+    }, allowance.address);
+    const signature = personalSign(allowance.privateKey, allowance.address, message);
+    const payload = {
+        domain,
+        address: toChecksumAddress(allowance.address),
+        uri,
+        version: "1",
+        chainId: 84532,
+        type: "eip4361",
+        nonce,
+        issuedAt,
+        expirationTime,
+        signature,
+    };
     return {
-        "X-Run402-Wallet": allowance.address,
-        "X-Run402-Signature": signature,
-        "X-Run402-Timestamp": timestamp,
+        "SIGN-IN-WITH-X": Buffer.from(JSON.stringify(payload)).toString("base64"),
     };
 }
 //# sourceMappingURL=allowance-auth.js.map

package/lib/agent.mjs

@@ -23,7 +23,7 @@ async function contact(args) {
     if (args[i] === "--webhook" && args[i + 1]) webhook = args[++i];
   }
   if (!name) { console.error(JSON.stringify({ status: "error", message: "Missing --name <name>" })); process.exit(1); }
-  const authHeaders = await allowanceAuthHeaders();
+  const authHeaders = allowanceAuthHeaders("/agent/v1/contact");
 
   const body = { name };
   if (email) body.email = email;

package/lib/apps.mjs

@@ -47,7 +47,7 @@ async function fork(versionId, name, args) {
     if (args[i] === "--tier" && args[i + 1]) opts.tier = args[++i];
     if (args[i] === "--subdomain" && args[i + 1]) opts.subdomain = args[++i];
   }
-  const authHeaders = await allowanceAuthHeaders();
+  const authHeaders = allowanceAuthHeaders("/fork/v1");
 
   const body = { version_id: versionId, name };
   if (opts.subdomain) body.subdomain = opts.subdomain;

package/lib/config.mjs

@@ -6,6 +6,7 @@
 import { getApiBase, getConfigDir, getKeystorePath, getAllowancePath } from "../core-dist/config.js";
 import { readAllowance as coreReadAllowance, saveAllowance as coreSaveAllowance } from "../core-dist/allowance.js";
 import { loadKeyStore, getProject, saveProject, updateProject, removeProject, saveKeyStore, getActiveProjectId, setActiveProjectId } from "../core-dist/keystore.js";
+import { getAllowanceAuthHeaders as coreGetAllowanceAuthHeaders } from "../core-dist/allowance-auth.js";
 
 export const CONFIG_DIR = getConfigDir();
 export const ALLOWANCE_FILE = getAllowancePath();
@@ -20,14 +21,10 @@ export function saveAllowance(data) {
   coreSaveAllowance(data);
 }
 
-export async function allowanceAuthHeaders() {
-  const w = readAllowance();
-  if (!w) { console.error(JSON.stringify({ status: "error", message: "No agent allowance found. Run: run402 allowance create" })); process.exit(1); }
-  const { privateKeyToAccount } = await import("viem/accounts");
-  const account = privateKeyToAccount(w.privateKey);
-  const timestamp = Math.floor(Date.now() / 1000).toString();
-  const signature = await account.signMessage({ message: `run402:${timestamp}` });
-  return { "X-Run402-Wallet": account.address, "X-Run402-Signature": signature, "X-Run402-Timestamp": timestamp };
+export function allowanceAuthHeaders(path) {
+  const headers = coreGetAllowanceAuthHeaders(path);
+  if (!headers) { console.error(JSON.stringify({ status: "error", message: "No agent allowance found. Run: run402 allowance create" })); process.exit(1); }
+  return headers;
 }
 
 export function findProject(id) {

package/lib/deploy.mjs

@@ -14,11 +14,30 @@ Options:
 Manifest format (JSON):
   {
     "name": "my-app",
-    "migrations": "CREATE TABLE items ...",
+    "migrations": "CREATE TABLE items (id serial PRIMARY KEY, title text NOT NULL, done boolean DEFAULT false)",
+    "rls": {
+      "template": "public_read_write",
+      "tables": [{ "table": "items" }]
+    },
+    "secrets": [{ "key": "OPENAI_API_KEY", "value": "sk-..." }],
+    "functions": [{
+      "name": "my-fn",
+      "code": "export default async (req) => new Response('ok')"
+    }],
     "files": [{ "file": "index.html", "data": "<html>...</html>" }],
     "subdomain": "my-app"
   }
 
+  All fields except "name" are optional.
+
+  RLS templates:
+    user_owns_rows   — users see only their rows (requires owner_column per table)
+    public_read      — anyone reads, authenticated users write
+    public_read_write — anyone reads and writes
+
+  ⚠️  Without RLS, tables are read-only via anon_key. If your app writes
+  data from the browser, you almost certainly need an rls block.
+
 Examples:
   run402 deploy --manifest app.json
   cat app.json | run402 deploy
@@ -48,7 +67,7 @@ export async function run(args) {
 
   const manifest = opts.manifest ? JSON.parse(readFileSync(opts.manifest, "utf-8")) : JSON.parse(await readStdin());
 
-  const authHeaders = await allowanceAuthHeaders();
+  const authHeaders = allowanceAuthHeaders("/deploy/v1");
   const res = await fetch(`${API}/deploy/v1`, { method: "POST", headers: { "Content-Type": "application/json", ...authHeaders }, body: JSON.stringify(manifest) });
   const result = await res.json();
   if (!res.ok) { console.error(JSON.stringify({ status: "error", http: res.status, ...result })); process.exit(1); }

package/lib/init.mjs

@@ -1,4 +1,5 @@
 import { readAllowance, saveAllowance, loadKeyStore, CONFIG_DIR, ALLOWANCE_FILE, API } from "./config.mjs";
+import { getAllowanceAuthHeaders } from "../core-dist/allowance-auth.js";
 import { mkdirSync } from "fs";
 
 const USDC_ABI = [{ name: "balanceOf", type: "function", stateMutability: "view", inputs: [{ name: "account", type: "address" }], outputs: [{ name: "", type: "uint256" }] }];
@@ -74,14 +75,13 @@ export async function run() {
   const store = loadKeyStore();
   let tierInfo = null;
   try {
-    const { privateKeyToAccount } = await import("viem/accounts");
-    const account = privateKeyToAccount(allowance.privateKey);
-    const timestamp = Math.floor(Date.now() / 1000).toString();
-    const signature = await account.signMessage({ message: `run402:${timestamp}` });
-    const res = await fetch(`${API}/tiers/v1/status`, {
-      headers: { "X-Run402-Wallet": account.address, "X-Run402-Signature": signature, "X-Run402-Timestamp": timestamp },
-    });
-    if (res.ok) tierInfo = await res.json();
+    const authHeaders = getAllowanceAuthHeaders("/tiers/v1/status");
+    if (authHeaders) {
+      const res = await fetch(`${API}/tiers/v1/status`, {
+        headers: { ...authHeaders },
+      });
+      if (res.ok) tierInfo = await res.json();
+    }
   } catch {}
 
   if (tierInfo && tierInfo.tier && tierInfo.status === "active") {

package/lib/message.mjs

@@ -15,7 +15,7 @@ Examples:
 
 async function send(text) {
   if (!text) { console.error(JSON.stringify({ status: "error", message: "Missing message text" })); process.exit(1); }
-  const authHeaders = await allowanceAuthHeaders();
+  const authHeaders = allowanceAuthHeaders("/message/v1");
 
   const res = await fetch(`${API}/message/v1`, {
     method: "POST",

package/lib/projects.mjs

@@ -53,7 +53,7 @@ async function provision(args) {
     if (args[i] === "--tier" && args[i + 1]) opts.tier = args[++i];
     if (args[i] === "--name" && args[i + 1]) opts.name = args[++i];
   }
-  const authHeaders = await allowanceAuthHeaders();
+  const authHeaders = allowanceAuthHeaders("/projects/v1");
   const body = { tier: opts.tier };
   if (opts.name) body.name = opts.name;
   const res = await fetch(`${API}/projects/v1`, {

package/lib/sites.mjs

@@ -55,7 +55,7 @@ async function deploy(args) {
   const body = { files: manifest.files, project: projectId };
   if (opts.target) body.target = opts.target;
 
-  const authHeaders = await allowanceAuthHeaders();
+  const authHeaders = allowanceAuthHeaders("/deployments/v1");
   const res = await fetch(`${API}/deployments/v1`, {
     method: "POST",
     headers: { "Content-Type": "application/json", ...authHeaders },

package/lib/tier.mjs

@@ -1,4 +1,4 @@
-import { readAllowance, ALLOWANCE_FILE, API } from "./config.mjs";
+import { readAllowance, ALLOWANCE_FILE, API, allowanceAuthHeaders } from "./config.mjs";
 import { setupPaidFetch } from "./paid-fetch.mjs";
 
 const HELP = `run402 tier — Manage your Run402 tier subscription
@@ -25,14 +25,9 @@ Examples:
 `;
 
 async function status() {
-  const w = readAllowance();
-  if (!w) { console.log(JSON.stringify({ status: "error", message: "No agent allowance. Run: run402 allowance create" })); process.exit(1); }
-  const { privateKeyToAccount } = await import("viem/accounts");
-  const account = privateKeyToAccount(w.privateKey);
-  const timestamp = Math.floor(Date.now() / 1000).toString();
-  const signature = await account.signMessage({ message: `run402:${timestamp}` });
+  const authHeaders = allowanceAuthHeaders("/tiers/v1/status");
   const res = await fetch(`${API}/tiers/v1/status`, {
-    headers: { "X-Run402-Wallet": account.address, "X-Run402-Signature": signature, "X-Run402-Timestamp": timestamp },
+    headers: { ...authHeaders },
   });
   const data = await res.json();
   if (!res.ok) { console.error(JSON.stringify({ status: "error", http: res.status, ...data })); process.exit(1); }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "run402",
-  "version": "1.11.0",
+  "version": "1.12.1",
   "description": "CLI for Run402 — provision Postgres databases, deploy static sites, generate images, and manage wallets via x402 micropayments.",
   "type": "module",
   "bin": {
@@ -15,12 +15,14 @@
     "core-dist/"
   ],
   "dependencies": {
+    "@noble/curves": "^2.0.1",
+    "@noble/hashes": "^2.0.1",
     "@x402/evm": "^2.6.0",
     "@x402/fetch": "^2.6.0",
     "viem": "^2.47.1"
   },
   "engines": {
-    "node": ">=20"
+    "node": ">=22"
   },
   "license": "MIT",
   "homepage": "https://run402.com",