run402 1.40.1 → 1.40.2

package/lib/sdk.mjs

@@ -7,7 +7,7 @@
  * RUN402_API_BASE between runs.
  */
 
-import { run402 } from "../../sdk/dist/node/index.js";
+import { run402 } from "../sdk/dist/node/index.js";
 
 export function getSdk() {
   return run402();

package/package.json

@@ -1,18 +1,19 @@
 {
   "name": "run402",
-  "version": "1.40.1",
+  "version": "1.40.2",
   "description": "CLI for Run402 — provision Postgres databases, deploy static sites, generate images, and manage wallets via x402 and MPP micropayments.",
   "type": "module",
   "bin": {
     "run402": "cli.mjs"
   },
   "scripts": {
-    "prepack": "mkdir -p core-dist && cp ../core/dist/*.js core-dist/"
+    "prepack": "mkdir -p core-dist sdk/dist sdk/core-dist && cp ../core/dist/*.js core-dist/ && cp -R ../sdk/dist/. sdk/dist/ && cp ../sdk/core-dist/*.js sdk/core-dist/"
   },
   "files": [
     "cli.mjs",
     "lib/",
-    "core-dist/"
+    "core-dist/",
+    "sdk/"
   ],
   "dependencies": {
     "@noble/curves": "^2.0.1",

package/sdk/core-dist/allowance-auth.js

@@ -0,0 +1,129 @@
+/**
+ * Allowance auth helper — generates SIWX (Sign-In With X / EIP-4361) headers for Run402 API.
+ * Uses @noble/curves (lighter than viem) for signing.
+ */
+import { randomBytes } from "node:crypto";
+import { secp256k1 } from "@noble/curves/secp256k1.js";
+import { keccak_256 } from "@noble/hashes/sha3.js";
+import { bytesToHex } from "@noble/hashes/utils.js";
+import { readAllowance } from "./allowance.js";
+import { getApiBase } from "./config.js";
+/**
+ * EIP-55 mixed-case checksum encoding.
+ */
+export function toChecksumAddress(address) {
+    const lower = address.toLowerCase().replace("0x", "");
+    const hash = bytesToHex(keccak_256(new TextEncoder().encode(lower)));
+    let checksummed = "0x";
+    for (let i = 0; i < lower.length; i++) {
+        checksummed += parseInt(hash[i], 16) >= 8 ? lower[i].toUpperCase() : lower[i];
+    }
+    return checksummed;
+}
+/**
+ * EIP-191 personal_sign: sign a message with the allowance's private key.
+ */
+function personalSign(privateKeyHex, address, message) {
+    const msgBytes = new TextEncoder().encode(message);
+    const prefix = new TextEncoder().encode(`\x19Ethereum Signed Message:\n${msgBytes.length}`);
+    const prefixed = new Uint8Array(prefix.length + msgBytes.length);
+    prefixed.set(prefix);
+    prefixed.set(msgBytes, prefix.length);
+    const hash = keccak_256(prefixed);
+    const pkHex = privateKeyHex.startsWith("0x")
+        ? privateKeyHex.slice(2)
+        : privateKeyHex;
+    const pkBytes = Uint8Array.from(Buffer.from(pkHex, "hex"));
+    const rawSig = secp256k1.sign(hash, pkBytes, { prehash: false });
+    const sig = secp256k1.Signature.fromBytes(rawSig);
+    // Determine recovery bit by trying both and matching the address
+    let recovery = 0;
+    for (const v of [0, 1]) {
+        try {
+            const recovered = sig.addRecoveryBit(v).recoverPublicKey(hash);
+            const pubBytes = recovered.toBytes(false).slice(1); // uncompressed, drop 04 prefix
+            const addrBytes = keccak_256(pubBytes).slice(-20);
+            if ("0x" + bytesToHex(addrBytes) === address.toLowerCase()) {
+                recovery = v;
+                break;
+            }
+        }
+        catch {
+            continue;
+        }
+    }
+    const r = sig.r.toString(16).padStart(64, "0");
+    const s = sig.s.toString(16).padStart(64, "0");
+    const vHex = (recovery + 27).toString(16).padStart(2, "0");
+    return "0x" + r + s + vHex;
+}
+/**
+ * Format an EIP-4361 (SIWE) message. Must be byte-for-byte compatible
+ * with the `siwe` library's message format used server-side for verification.
+ */
+export function formatSIWEMessage(opts, address) {
+    const checksummed = toChecksumAddress(address);
+    const lines = [
+        `${opts.domain} wants you to sign in with your Ethereum account:`,
+        checksummed,
+        "",
+        opts.statement,
+        "",
+        `URI: ${opts.uri}`,
+        `Version: ${opts.version}`,
+        `Chain ID: ${opts.chainId}`,
+        `Nonce: ${opts.nonce}`,
+        `Issued At: ${opts.issuedAt}`,
+    ];
+    if (opts.expirationTime) {
+        lines.push(`Expiration Time: ${opts.expirationTime}`);
+    }
+    return lines.join("\n");
+}
+/**
+ * Get SIWX auth headers for the Run402 API.
+ * Returns null if no allowance is configured.
+ *
+ * @param path - API path (e.g. "/projects/v1") used to build the SIWE uri field.
+ */
+export function getAllowanceAuthHeaders(path, allowancePath) {
+    const allowance = readAllowance(allowancePath);
+    if (!allowance || !allowance.address || !allowance.privateKey)
+        return null;
+    const apiBase = getApiBase();
+    const url = new URL(apiBase);
+    const domain = url.hostname;
+    const uri = `${apiBase}${path}`;
+    const nonce = randomBytes(16).toString("hex");
+    const now = new Date();
+    const issuedAt = now.toISOString();
+    const expirationTime = new Date(now.getTime() + 5 * 60 * 1000).toISOString();
+    const message = formatSIWEMessage({
+        domain,
+        uri,
+        statement: "Sign in to Run402",
+        version: "1",
+        chainId: 84532, // Base Sepolia
+        nonce,
+        issuedAt,
+        expirationTime,
+    }, allowance.address);
+    const signature = personalSign(allowance.privateKey, allowance.address, message);
+    const payload = {
+        domain,
+        address: toChecksumAddress(allowance.address),
+        statement: "Sign in to Run402",
+        uri,
+        version: "1",
+        chainId: "eip155:84532",
+        type: "eip191",
+        nonce,
+        issuedAt,
+        expirationTime,
+        signature,
+    };
+    return {
+        "SIGN-IN-WITH-X": Buffer.from(JSON.stringify(payload)).toString("base64"),
+    };
+}
+//# sourceMappingURL=allowance-auth.js.map

package/sdk/core-dist/allowance.js

@@ -0,0 +1,25 @@
+import { readFileSync, writeFileSync, mkdirSync, existsSync, chmodSync, renameSync } from "node:fs";
+import { dirname, join } from "node:path";
+import { randomBytes } from "node:crypto";
+import { getAllowancePath } from "./config.js";
+export function readAllowance(path) {
+    const p = path ?? getAllowancePath();
+    if (!existsSync(p))
+        return null;
+    try {
+        return JSON.parse(readFileSync(p, "utf-8"));
+    }
+    catch {
+        return null;
+    }
+}
+export function saveAllowance(data, path) {
+    const p = path ?? getAllowancePath();
+    const dir = dirname(p);
+    mkdirSync(dir, { recursive: true });
+    const tmp = join(dir, `.allowance.${randomBytes(4).toString("hex")}.tmp`);
+    writeFileSync(tmp, JSON.stringify(data, null, 2), { mode: 0o600 });
+    renameSync(tmp, p);
+    chmodSync(p, 0o600);
+}
+//# sourceMappingURL=allowance.js.map

package/sdk/core-dist/client.js

@@ -0,0 +1,42 @@
+import { getApiBase } from "./config.js";
+export async function apiRequest(path, opts = {}) {
+    const { method = "GET", headers = {}, body, rawBody } = opts;
+    const url = `${getApiBase()}${path}`;
+    const fetchHeaders = { ...headers };
+    let fetchBody;
+    if (rawBody !== undefined) {
+        fetchBody = rawBody;
+    }
+    else if (body !== undefined) {
+        fetchHeaders["Content-Type"] = fetchHeaders["Content-Type"] || "application/json";
+        fetchBody = JSON.stringify(body);
+    }
+    let res;
+    try {
+        res = await fetch(url, {
+            method,
+            headers: fetchHeaders,
+            body: fetchBody,
+        });
+    }
+    catch (err) {
+        return {
+            ok: false,
+            status: 0,
+            body: { error: `Network error: ${err.message}` },
+        };
+    }
+    let resBody;
+    const contentType = res.headers.get("content-type") || "";
+    if (contentType.includes("application/json")) {
+        resBody = await res.json();
+    }
+    else {
+        resBody = await res.text();
+    }
+    if (res.status === 402) {
+        return { ok: false, is402: true, status: 402, body: resBody };
+    }
+    return { ok: res.ok, status: res.status, body: resBody };
+}
+//# sourceMappingURL=client.js.map

package/sdk/core-dist/config.js

@@ -0,0 +1,26 @@
+import { homedir } from "node:os";
+import { join } from "node:path";
+import { existsSync, renameSync, mkdirSync } from "node:fs";
+export function getApiBase() {
+    return process.env.RUN402_API_BASE || "https://api.run402.com";
+}
+export function getConfigDir() {
+    return process.env.RUN402_CONFIG_DIR || join(homedir(), ".config", "run402");
+}
+export function getKeystorePath() {
+    return join(getConfigDir(), "projects.json");
+}
+export function getAllowancePath() {
+    if (process.env.RUN402_ALLOWANCE_PATH)
+        return process.env.RUN402_ALLOWANCE_PATH;
+    const dir = getConfigDir();
+    const newPath = join(dir, "allowance.json");
+    const oldPath = join(dir, "wallet.json");
+    // Auto-migrate from wallet.json → allowance.json
+    if (!existsSync(newPath) && existsSync(oldPath)) {
+        mkdirSync(dir, { recursive: true });
+        renameSync(oldPath, newPath);
+    }
+    return newPath;
+}
+//# sourceMappingURL=config.js.map

package/sdk/core-dist/keystore.js

@@ -0,0 +1,97 @@
+import { readFileSync, writeFileSync, mkdirSync, renameSync, chmodSync } from "node:fs";
+import { dirname, join } from "node:path";
+import { randomBytes } from "node:crypto";
+import { getKeystorePath } from "./config.js";
+/**
+ * Load the keystore from disk.
+ * Auto-migrates legacy formats:
+ * - Array format (CLI legacy): [{project_id, ...}] → {projects: {id: {...}}}
+ * - Old field name: expires_at → lease_expires_at
+ */
+export function loadKeyStore(path) {
+    const p = path ?? getKeystorePath();
+    try {
+        const data = readFileSync(p, "utf-8");
+        const parsed = JSON.parse(data);
+        // Auto-migrate array format (CLI legacy) to object format
+        if (Array.isArray(parsed)) {
+            const projects = {};
+            for (const item of parsed) {
+                if (item.project_id) {
+                    projects[item.project_id] = {
+                        anon_key: item.anon_key,
+                        service_key: item.service_key,
+                        ...(item.site_url && { site_url: item.site_url }),
+                        ...(item.deployed_at && { deployed_at: item.deployed_at }),
+                    };
+                }
+            }
+            return { projects };
+        }
+        if (parsed && typeof parsed === "object" && parsed.projects) {
+            // Strip legacy fields (tier, lease_expires_at, expires_at) from projects
+            for (const proj of Object.values(parsed.projects)) {
+                const rec = proj;
+                delete rec.tier;
+                delete rec.lease_expires_at;
+                delete rec.expires_at;
+            }
+            return {
+                ...(parsed.active_project_id && { active_project_id: parsed.active_project_id }),
+                projects: parsed.projects,
+            };
+        }
+        return { projects: {} };
+    }
+    catch {
+        return { projects: {} };
+    }
+}
+export function saveKeyStore(store, path) {
+    const p = path ?? getKeystorePath();
+    const dir = dirname(p);
+    mkdirSync(dir, { recursive: true });
+    const tmp = join(dir, `.projects.${randomBytes(4).toString("hex")}.tmp`);
+    writeFileSync(tmp, JSON.stringify(store, null, 2), { mode: 0o600 });
+    renameSync(tmp, p);
+    chmodSync(p, 0o600);
+}
+export function getProject(projectId, path) {
+    const store = loadKeyStore(path);
+    return store.projects[projectId];
+}
+export function saveProject(projectId, project, path) {
+    const p = path ?? getKeystorePath();
+    const store = loadKeyStore(p);
+    store.projects[projectId] = project;
+    saveKeyStore(store, p);
+}
+export function updateProject(projectId, update, path) {
+    const p = path ?? getKeystorePath();
+    const store = loadKeyStore(p);
+    const existing = store.projects[projectId];
+    if (existing) {
+        store.projects[projectId] = { ...existing, ...update };
+        saveKeyStore(store, p);
+    }
+}
+export function removeProject(projectId, path) {
+    const p = path ?? getKeystorePath();
+    const store = loadKeyStore(p);
+    delete store.projects[projectId];
+    if (store.active_project_id === projectId) {
+        delete store.active_project_id;
+    }
+    saveKeyStore(store, p);
+}
+export function getActiveProjectId(path) {
+    const store = loadKeyStore(path);
+    return store.active_project_id;
+}
+export function setActiveProjectId(projectId, path) {
+    const p = path ?? getKeystorePath();
+    const store = loadKeyStore(p);
+    store.active_project_id = projectId;
+    saveKeyStore(store, p);
+}
+//# sourceMappingURL=keystore.js.map

package/sdk/core-dist/wallet-auth.js

@@ -0,0 +1,62 @@
+/**
+ * Wallet auth helper — generates EIP-191 signature headers for Run402 API.
+ * Uses @noble/curves (lighter than viem) for signing.
+ */
+import { secp256k1 } from "@noble/curves/secp256k1.js";
+import { keccak_256 } from "@noble/hashes/sha3.js";
+import { bytesToHex } from "@noble/hashes/utils.js";
+import { readWallet } from "./wallet.js";
+/**
+ * EIP-191 personal_sign: sign a message with the wallet's private key.
+ */
+function personalSign(privateKeyHex, address, message) {
+    const msgBytes = new TextEncoder().encode(message);
+    const prefix = new TextEncoder().encode(`\x19Ethereum Signed Message:\n${msgBytes.length}`);
+    const prefixed = new Uint8Array(prefix.length + msgBytes.length);
+    prefixed.set(prefix);
+    prefixed.set(msgBytes, prefix.length);
+    const hash = keccak_256(prefixed);
+    const pkHex = privateKeyHex.startsWith("0x")
+        ? privateKeyHex.slice(2)
+        : privateKeyHex;
+    const pkBytes = Uint8Array.from(Buffer.from(pkHex, "hex"));
+    const rawSig = secp256k1.sign(hash, pkBytes);
+    const sig = secp256k1.Signature.fromBytes(rawSig);
+    // Determine recovery bit by trying both and matching the address
+    let recovery = 0;
+    for (const v of [0, 1]) {
+        try {
+            const recovered = sig.addRecoveryBit(v).recoverPublicKey(hash);
+            const pubBytes = recovered.toBytes(false).slice(1); // uncompressed, drop 04 prefix
+            const addrBytes = keccak_256(pubBytes).slice(-20);
+            if ("0x" + bytesToHex(addrBytes) === address.toLowerCase()) {
+                recovery = v;
+                break;
+            }
+        }
+        catch {
+            continue;
+        }
+    }
+    const r = sig.r.toString(16).padStart(64, "0");
+    const s = sig.s.toString(16).padStart(64, "0");
+    const vHex = (recovery + 27).toString(16).padStart(2, "0");
+    return "0x" + r + s + vHex;
+}
+/**
+ * Get wallet auth headers for the Run402 API.
+ * Returns null if no wallet is configured.
+ */
+export function getWalletAuthHeaders(walletPath) {
+    const wallet = readWallet(walletPath);
+    if (!wallet || !wallet.address || !wallet.privateKey)
+        return null;
+    const timestamp = Math.floor(Date.now() / 1000).toString();
+    const signature = personalSign(wallet.privateKey, wallet.address, `run402:${timestamp}`);
+    return {
+        "X-Run402-Wallet": wallet.address,
+        "X-Run402-Signature": signature,
+        "X-Run402-Timestamp": timestamp,
+    };
+}
+//# sourceMappingURL=wallet-auth.js.map

package/sdk/core-dist/wallet.js

@@ -0,0 +1,25 @@
+import { readFileSync, writeFileSync, mkdirSync, existsSync, chmodSync, renameSync } from "node:fs";
+import { dirname, join } from "node:path";
+import { randomBytes } from "node:crypto";
+import { getWalletPath } from "./config.js";
+export function readWallet(path) {
+    const p = path ?? getWalletPath();
+    if (!existsSync(p))
+        return null;
+    try {
+        return JSON.parse(readFileSync(p, "utf-8"));
+    }
+    catch {
+        return null;
+    }
+}
+export function saveWallet(data, path) {
+    const p = path ?? getWalletPath();
+    const dir = dirname(p);
+    mkdirSync(dir, { recursive: true });
+    const tmp = join(dir, `.wallet.${randomBytes(4).toString("hex")}.tmp`);
+    writeFileSync(tmp, JSON.stringify(data, null, 2), { mode: 0o600 });
+    renameSync(tmp, p);
+    chmodSync(p, 0o600);
+}
+//# sourceMappingURL=wallet.js.map

package/sdk/dist/credentials.d.ts

@@ -0,0 +1,70 @@
+/**
+ * Credential provider interface for the Run402 SDK.
+ *
+ * The SDK's request kernel calls `getAuth` before each request to obtain
+ * signed auth headers, and `getProject` to resolve per-project anon/service
+ * keys. All filesystem, environment, and session-state access lives inside
+ * provider implementations — never in the kernel.
+ *
+ * Node consumers use {@link NodeCredentialsProvider} from `@run402/sdk/node`
+ * which wraps the local keystore + allowance. Sandbox consumers supply their
+ * own implementation bound to a session token issued by the supervisor.
+ *
+ * The two required methods (`getAuth`, `getProject`) support every API call.
+ * The optional methods let providers opt in to local persistence (keystore
+ * writes, active-project tracking). Namespace methods that need a missing
+ * optional method throw a descriptive error at runtime.
+ */
+export interface ProjectKeys {
+    anon_key: string;
+    service_key: string;
+    site_url?: string;
+    deployed_at?: string;
+    last_deployment_id?: string;
+    mailbox_id?: string;
+    mailbox_address?: string;
+}
+export interface AllowanceData {
+    address: string;
+    privateKey: string;
+    created?: string;
+    funded?: boolean;
+    lastFaucet?: string;
+    rail?: "x402" | "mpp";
+}
+export interface CredentialsProvider {
+    /**
+     * Return per-request auth headers for the given API path, or null if none
+     * are available. Typical headers: `SIGN-IN-WITH-X` (SIWE), `Authorization:
+     * Bearer ...`. The kernel merges these into the request headers without
+     * overwriting headers explicitly set on the request.
+     */
+    getAuth(path: string): Promise<Record<string, string> | null>;
+    /**
+     * Resolve the anon/service keys for a project. Returns null if the project
+     * is not known to this provider — the kernel then throws ProjectNotFound.
+     */
+    getProject(id: string): Promise<ProjectKeys | null>;
+    /**
+     * Persist project keys after a successful provision or deploy. Optional:
+     * providers without local storage (pure session providers) may omit this.
+     */
+    saveProject?(id: string, project: ProjectKeys): Promise<void>;
+    /** Partially update a project's stored fields (e.g. mailbox_id, last_deployment_id). Optional. */
+    updateProject?(id: string, patch: Partial<ProjectKeys>): Promise<void>;
+    /** Remove a project from local storage after deletion. Optional. */
+    removeProject?(id: string): Promise<void>;
+    /** Set the active/default project id in local state. Optional. */
+    setActiveProject?(id: string): Promise<void>;
+    /** Get the active/default project id from local state. Optional. */
+    getActiveProject?(): Promise<string | null>;
+    /** Read the local allowance (wallet). Optional — sandbox providers may omit. */
+    readAllowance?(): Promise<AllowanceData | null>;
+    /** Persist the local allowance. Optional. */
+    saveAllowance?(data: AllowanceData): Promise<void>;
+    /** Generate a fresh allowance keypair. Optional — Node default uses secp256k1 + keccak for the Ethereum address. */
+    createAllowance?(): Promise<AllowanceData>;
+    /** Return the absolute path to the local allowance file, for diagnostic output. Optional. */
+    getAllowancePath?(): string;
+}
+//# sourceMappingURL=credentials.d.ts.map

package/sdk/dist/credentials.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"credentials.d.ts","sourceRoot":"","sources":["../src/credentials.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,MAAM,WAAW,WAAW;IAC1B,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,IAAI,CAAC,EAAE,MAAM,GAAG,KAAK,CAAC;CACvB;AAED,MAAM,WAAW,mBAAmB;IAClC;;;;;OAKG;IACH,OAAO,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,IAAI,CAAC,CAAC;IAE9D;;;OAGG;IACH,UAAU,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;IAEpD;;;OAGG;IACH,WAAW,CAAC,CAAC,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAE9D,kGAAkG;IAClG,aAAa,CAAC,CAAC,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,CAAC,WAAW,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEvE,oEAAoE;IACpE,aAAa,CAAC,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAE1C,kEAAkE;IAClE,gBAAgB,CAAC,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAE7C,oEAAoE;IACpE,gBAAgB,CAAC,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAE5C,gFAAgF;IAChF,aAAa,CAAC,IAAI,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,CAAC;IAEhD,6CAA6C;IAC7C,aAAa,CAAC,CAAC,IAAI,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEnD,oHAAoH;IACpH,eAAe,CAAC,IAAI,OAAO,CAAC,aAAa,CAAC,CAAC;IAE3C,6FAA6F;IAC7F,gBAAgB,CAAC,IAAI,MAAM,CAAC;CAC7B"}

package/sdk/dist/credentials.js

@@ -0,0 +1,19 @@
+/**
+ * Credential provider interface for the Run402 SDK.
+ *
+ * The SDK's request kernel calls `getAuth` before each request to obtain
+ * signed auth headers, and `getProject` to resolve per-project anon/service
+ * keys. All filesystem, environment, and session-state access lives inside
+ * provider implementations — never in the kernel.
+ *
+ * Node consumers use {@link NodeCredentialsProvider} from `@run402/sdk/node`
+ * which wraps the local keystore + allowance. Sandbox consumers supply their
+ * own implementation bound to a session token issued by the supervisor.
+ *
+ * The two required methods (`getAuth`, `getProject`) support every API call.
+ * The optional methods let providers opt in to local persistence (keystore
+ * writes, active-project tracking). Namespace methods that need a missing
+ * optional method throw a descriptive error at runtime.
+ */
+export {};
+//# sourceMappingURL=credentials.js.map

package/sdk/dist/credentials.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"credentials.js","sourceRoot":"","sources":["../src/credentials.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG"}

package/sdk/dist/errors.d.ts

@@ -0,0 +1,34 @@
+/**
+ * Error hierarchy for the Run402 SDK. Every failure throws a subclass of
+ * {@link Run402Error}. Consumers (MCP handlers, CLI commands, user functions)
+ * translate these into their native error shapes at the edge.
+ */
+export declare abstract class Run402Error extends Error {
+    /** HTTP status, or null for local/network failures that produced no response. */
+    readonly status: number | null;
+    /** Parsed response body, or null when no body was received. */
+    readonly body: unknown;
+    /** Short verb phrase identifying the attempted operation (e.g. "provisioning project"). */
+    readonly context: string;
+    constructor(message: string, status: number | null, body: unknown, context: string);
+}
+/** HTTP 402 — the gateway requires payment (lease expired, insufficient balance, or x402 quote). */
+export declare class PaymentRequired extends Run402Error {
+}
+/** Project ID is not present in the credential provider (local miss) or the gateway returned 404. */
+export declare class ProjectNotFound extends Run402Error {
+    readonly projectId: string;
+    constructor(projectId: string, context: string, status?: number | null, body?: unknown);
+}
+/** HTTP 401 or 403 — authentication missing, invalid, or insufficient for the operation. */
+export declare class Unauthorized extends Run402Error {
+}
+/** Any other non-2xx HTTP response from the gateway. */
+export declare class ApiError extends Run402Error {
+}
+/** The underlying `fetch` threw before producing a response (DNS, connection reset, offline). */
+export declare class NetworkError extends Run402Error {
+    readonly cause: unknown;
+    constructor(message: string, cause: unknown, context: string);
+}
+//# sourceMappingURL=errors.d.ts.map

package/sdk/dist/errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,8BAAsB,WAAY,SAAQ,KAAK;IAC7C,iFAAiF;IACjF,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,+DAA+D;IAC/D,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC;IACvB,2FAA2F;IAC3F,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;gBAEb,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM;CAOnF;AAED,oGAAoG;AACpG,qBAAa,eAAgB,SAAQ,WAAW;CAAG;AAEnD,qGAAqG;AACrG,qBAAa,eAAgB,SAAQ,WAAW;IAC9C,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;gBACf,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,GAAE,MAAM,GAAG,IAAW,EAAE,IAAI,GAAE,OAAc;CAInG;AAED,4FAA4F;AAC5F,qBAAa,YAAa,SAAQ,WAAW;CAAG;AAEhD,wDAAwD;AACxD,qBAAa,QAAS,SAAQ,WAAW;CAAG;AAE5C,iGAAiG;AACjG,qBAAa,YAAa,SAAQ,WAAW;IAC3C,QAAQ,CAAC,KAAK,EAAE,OAAO,CAAC;gBACZ,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM;CAI7D"}

package/sdk/dist/errors.js

@@ -0,0 +1,46 @@
+/**
+ * Error hierarchy for the Run402 SDK. Every failure throws a subclass of
+ * {@link Run402Error}. Consumers (MCP handlers, CLI commands, user functions)
+ * translate these into their native error shapes at the edge.
+ */
+export class Run402Error extends Error {
+    /** HTTP status, or null for local/network failures that produced no response. */
+    status;
+    /** Parsed response body, or null when no body was received. */
+    body;
+    /** Short verb phrase identifying the attempted operation (e.g. "provisioning project"). */
+    context;
+    constructor(message, status, body, context) {
+        super(message);
+        this.name = this.constructor.name;
+        this.status = status;
+        this.body = body;
+        this.context = context;
+    }
+}
+/** HTTP 402 — the gateway requires payment (lease expired, insufficient balance, or x402 quote). */
+export class PaymentRequired extends Run402Error {
+}
+/** Project ID is not present in the credential provider (local miss) or the gateway returned 404. */
+export class ProjectNotFound extends Run402Error {
+    projectId;
+    constructor(projectId, context, status = null, body = null) {
+        super(`Project ${projectId} not found`, status, body, context);
+        this.projectId = projectId;
+    }
+}
+/** HTTP 401 or 403 — authentication missing, invalid, or insufficient for the operation. */
+export class Unauthorized extends Run402Error {
+}
+/** Any other non-2xx HTTP response from the gateway. */
+export class ApiError extends Run402Error {
+}
+/** The underlying `fetch` threw before producing a response (DNS, connection reset, offline). */
+export class NetworkError extends Run402Error {
+    cause;
+    constructor(message, cause, context) {
+        super(message, null, null, context);
+        this.cause = cause;
+    }
+}
+//# sourceMappingURL=errors.js.map

package/sdk/dist/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,MAAM,OAAgB,WAAY,SAAQ,KAAK;IAC7C,iFAAiF;IACxE,MAAM,CAAgB;IAC/B,+DAA+D;IACtD,IAAI,CAAU;IACvB,2FAA2F;IAClF,OAAO,CAAS;IAEzB,YAAY,OAAe,EAAE,MAAqB,EAAE,IAAa,EAAE,OAAe;QAChF,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC;QAClC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;QACjB,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;IACzB,CAAC;CACF;AAED,oGAAoG;AACpG,MAAM,OAAO,eAAgB,SAAQ,WAAW;CAAG;AAEnD,qGAAqG;AACrG,MAAM,OAAO,eAAgB,SAAQ,WAAW;IACrC,SAAS,CAAS;IAC3B,YAAY,SAAiB,EAAE,OAAe,EAAE,SAAwB,IAAI,EAAE,OAAgB,IAAI;QAChG,KAAK,CAAC,WAAW,SAAS,YAAY,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;QAC/D,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;IAC7B,CAAC;CACF;AAED,4FAA4F;AAC5F,MAAM,OAAO,YAAa,SAAQ,WAAW;CAAG;AAEhD,wDAAwD;AACxD,MAAM,OAAO,QAAS,SAAQ,WAAW;CAAG;AAE5C,iGAAiG;AACjG,MAAM,OAAO,YAAa,SAAQ,WAAW;IAClC,KAAK,CAAU;IACxB,YAAY,OAAe,EAAE,KAAc,EAAE,OAAe;QAC1D,KAAK,CAAC,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;QACpC,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;IACrB,CAAC;CACF"}