run402 1.48.0 → 1.50.0

package/core-dist/config.js

@@ -4,6 +4,16 @@ import { existsSync, renameSync, mkdirSync } from "node:fs";
 export function getApiBase() {
     return process.env.RUN402_API_BASE || "https://api.run402.com";
 }
+/**
+ * API base for the deploy-v2 routes. Defaults to the same value as
+ * `getApiBase()`. Set `RUN402_DEPLOY_API_BASE` to point only deploy traffic
+ * elsewhere — useful when running deploy-v2 against a staging gateway while
+ * the rest of the SDK still talks to production. In normal use callers
+ * should not need this override.
+ */
+export function getDeployApiBase() {
+    return process.env.RUN402_DEPLOY_API_BASE || getApiBase();
+}
 export function getConfigDir() {
     return process.env.RUN402_CONFIG_DIR || join(homedir(), ".config", "run402");
 }

package/core-dist/wallet-auth.js

@@ -0,0 +1,62 @@
+/**
+ * Wallet auth helper — generates EIP-191 signature headers for Run402 API.
+ * Uses @noble/curves (lighter than viem) for signing.
+ */
+import { secp256k1 } from "@noble/curves/secp256k1.js";
+import { keccak_256 } from "@noble/hashes/sha3.js";
+import { bytesToHex } from "@noble/hashes/utils.js";
+import { readWallet } from "./wallet.js";
+/**
+ * EIP-191 personal_sign: sign a message with the wallet's private key.
+ */
+function personalSign(privateKeyHex, address, message) {
+    const msgBytes = new TextEncoder().encode(message);
+    const prefix = new TextEncoder().encode(`\x19Ethereum Signed Message:\n${msgBytes.length}`);
+    const prefixed = new Uint8Array(prefix.length + msgBytes.length);
+    prefixed.set(prefix);
+    prefixed.set(msgBytes, prefix.length);
+    const hash = keccak_256(prefixed);
+    const pkHex = privateKeyHex.startsWith("0x")
+        ? privateKeyHex.slice(2)
+        : privateKeyHex;
+    const pkBytes = Uint8Array.from(Buffer.from(pkHex, "hex"));
+    const rawSig = secp256k1.sign(hash, pkBytes);
+    const sig = secp256k1.Signature.fromBytes(rawSig);
+    // Determine recovery bit by trying both and matching the address
+    let recovery = 0;
+    for (const v of [0, 1]) {
+        try {
+            const recovered = sig.addRecoveryBit(v).recoverPublicKey(hash);
+            const pubBytes = recovered.toBytes(false).slice(1); // uncompressed, drop 04 prefix
+            const addrBytes = keccak_256(pubBytes).slice(-20);
+            if ("0x" + bytesToHex(addrBytes) === address.toLowerCase()) {
+                recovery = v;
+                break;
+            }
+        }
+        catch {
+            continue;
+        }
+    }
+    const r = sig.r.toString(16).padStart(64, "0");
+    const s = sig.s.toString(16).padStart(64, "0");
+    const vHex = (recovery + 27).toString(16).padStart(2, "0");
+    return "0x" + r + s + vHex;
+}
+/**
+ * Get wallet auth headers for the Run402 API.
+ * Returns null if no wallet is configured.
+ */
+export function getWalletAuthHeaders(walletPath) {
+    const wallet = readWallet(walletPath);
+    if (!wallet || !wallet.address || !wallet.privateKey)
+        return null;
+    const timestamp = Math.floor(Date.now() / 1000).toString();
+    const signature = personalSign(wallet.privateKey, wallet.address, `run402:${timestamp}`);
+    return {
+        "X-Run402-Wallet": wallet.address,
+        "X-Run402-Signature": signature,
+        "X-Run402-Timestamp": timestamp,
+    };
+}
+//# sourceMappingURL=wallet-auth.js.map

package/core-dist/wallet.js

@@ -0,0 +1,25 @@
+import { readFileSync, writeFileSync, mkdirSync, existsSync, chmodSync, renameSync } from "node:fs";
+import { dirname, join } from "node:path";
+import { randomBytes } from "node:crypto";
+import { getWalletPath } from "./config.js";
+export function readWallet(path) {
+    const p = path ?? getWalletPath();
+    if (!existsSync(p))
+        return null;
+    try {
+        return JSON.parse(readFileSync(p, "utf-8"));
+    }
+    catch {
+        return null;
+    }
+}
+export function saveWallet(data, path) {
+    const p = path ?? getWalletPath();
+    const dir = dirname(p);
+    mkdirSync(dir, { recursive: true });
+    const tmp = join(dir, `.wallet.${randomBytes(4).toString("hex")}.tmp`);
+    writeFileSync(tmp, JSON.stringify(data, null, 2), { mode: 0o600 });
+    renameSync(tmp, p);
+    chmodSync(p, 0o600);
+}
+//# sourceMappingURL=wallet.js.map

package/lib/deploy-v2.mjs

@@ -0,0 +1,359 @@
+/**
+ * `run402 deploy apply` and `run402 deploy resume` — CLI wrappers over the
+ * unified deploy primitive (`r.deploy.apply` / `r.deploy.resume`).
+ *
+ * The legacy `run402 deploy --manifest …` command is preserved in
+ * `cli/lib/deploy.mjs` and continues to work; this file adds the new
+ * subcommand surface.
+ *
+ * Manifest format mirrors the MCP `deploy` tool's input schema:
+ *   {
+ *     "project_id": "...",
+ *     "base":  { "release": "current" } | { "release": "empty" } | { "release_id": "..." },
+ *     "database": { "migrations": [...], "expose": {...}, "zero_downtime": false },
+ *     "secrets":   { "set": {...}, "delete": [...], "replace_all": {...} },
+ *     "functions": { "replace": {...}, "patch": { "set": {...}, "delete": [...] } },
+ *     "site":      { "replace": {...} } | { "patch": { "put": {...}, "delete": [...] } },
+ *     "subdomains": { "set": ["..."], "add": [...], "remove": [...] },
+ *     "idempotency_key": "..."
+ *   }
+ *
+ * File entries: `{ "data": "...", "encoding": "utf-8" | "base64", "contentType": "..." }`
+ * — same shape used by `bundle_deploy`. UTF-8 is the default; binary files
+ * pass `"encoding": "base64"`.
+ */
+
+import { readFileSync } from "node:fs";
+import { resolve, dirname, isAbsolute, join } from "node:path";
+import { getSdk } from "./sdk.mjs";
+import { reportSdkError } from "./sdk-errors.mjs";
+import { allowanceAuthHeaders, resolveProjectId } from "./config.mjs";
+
+const APPLY_HELP = `run402 deploy apply — Unified deploy primitive (v1.34+)
+
+Usage:
+  run402 deploy apply --manifest <path> [--project <id>] [--quiet]
+  run402 deploy apply --spec '<json>' [--project <id>] [--quiet]
+  cat spec.json | run402 deploy apply [--project <id>]
+
+Manifest format mirrors the MCP \`deploy\` tool's ReleaseSpec:
+  {
+    "project_id": "prj_...",
+    "base": { "release": "current" },
+    "database": { "migrations": [{ "id": "001_init", "sql": "CREATE TABLE ..." }], "expose": {...} },
+    "secrets":   { "set": { "OPENAI_API_KEY": { "value": "sk-..." } } },
+    "functions": { "replace": { "api": { "source": { "data": "export default ..." } } } },
+    "site":      { "replace": { "index.html": { "data": "<html>..." } } },
+    "subdomains": { "set": ["my-app"] }
+  }
+
+Options:
+  --manifest <path>       Read the spec from this JSON file
+  --spec '<json>'         Inline JSON spec (single-quote in shell)
+  --project <id>          Override project_id from the manifest
+  --quiet                 Suppress per-event JSON-line stderr (final result still on stdout)
+
+Output:
+  stdout: { "status": "ok", "release_id": "rel_...", "operation_id": "op_...", "urls": {...} }
+  stderr: one JSON event per line (suppressed with --quiet)
+
+Patch examples (only the listed file changes):
+  { "project_id": "prj_...", "site": { "patch": { "put": { "index.html": { "data": "..." } } } } }
+  { "project_id": "prj_...", "site": { "patch": { "delete": ["old.html"] } } }
+`;
+
+const RESUME_HELP = `run402 deploy resume — Resume a stuck deploy operation
+
+Usage:
+  run402 deploy resume <operation_id> [--quiet]
+
+Used when a previous \`deploy apply\` ended in \`activation_pending\` or
+\`schema_settling\` (e.g. transient gateway failure between SQL commit and
+the pointer-swap activation). The gateway re-runs only the failed phase
+forward — SQL is never replayed.
+
+Output:
+  stdout: { "status": "ok", "release_id": "...", "operation_id": "...", "urls": {...} }
+  stderr: one JSON event per line (suppressed with --quiet)
+`;
+
+export async function runDeployV2(sub, args) {
+  if (sub === "apply") return await applyCmd(args);
+  if (sub === "resume") return await resumeCmd(args);
+  console.error(JSON.stringify({ status: "error", message: `Unknown deploy subcommand: ${sub}` }));
+  process.exit(1);
+}
+
+async function readStdin() {
+  const chunks = [];
+  for await (const chunk of process.stdin) chunks.push(chunk);
+  return Buffer.concat(chunks).toString("utf-8");
+}
+
+function makeStderrEventWriter(quiet) {
+  if (quiet) return undefined;
+  return (event) => {
+    console.error(JSON.stringify(event));
+  };
+}
+
+async function applyCmd(args) {
+  const opts = { manifest: null, spec: null, project: null, quiet: false };
+  for (let i = 0; i < args.length; i++) {
+    if (args[i] === "--help" || args[i] === "-h") { console.log(APPLY_HELP); process.exit(0); }
+    if (args[i] === "--manifest" && args[i + 1]) { opts.manifest = args[++i]; continue; }
+    if (args[i] === "--spec" && args[i + 1]) { opts.spec = args[++i]; continue; }
+    if (args[i] === "--project" && args[i + 1]) { opts.project = args[++i]; continue; }
+    if (args[i] === "--quiet") { opts.quiet = true; continue; }
+  }
+
+  let raw;
+  if (opts.spec) {
+    raw = opts.spec;
+  } else if (opts.manifest) {
+    try {
+      const manifestPath = isAbsolute(opts.manifest) ? opts.manifest : resolve(process.cwd(), opts.manifest);
+      raw = readFileSync(manifestPath, "utf-8");
+    } catch (err) {
+      console.error(JSON.stringify({ status: "error", message: `Failed to read manifest: ${err.message}` }));
+      process.exit(1);
+    }
+  } else {
+    raw = await readStdin();
+  }
+
+  let spec;
+  try {
+    spec = JSON.parse(raw);
+  } catch (err) {
+    console.error(JSON.stringify({ status: "error", message: `Manifest is not valid JSON: ${err.message}` }));
+    process.exit(1);
+  }
+
+  if (opts.manifest) resolveFileDataPaths(spec, dirname(resolve(opts.manifest)));
+
+  if (opts.project && spec.project_id && spec.project_id !== opts.project) {
+    console.error(JSON.stringify({
+      status: "error",
+      message: `project_id conflict: spec.project_id=${spec.project_id} but --project=${opts.project}`,
+    }));
+    process.exit(1);
+  }
+  if (opts.project) spec.project_id = opts.project;
+  if (!spec.project_id) spec.project_id = resolveProjectId(null);
+
+  // Translate { project_id, ... } envelope → ReleaseSpec ({ project, ... })
+  // The SDK ReleaseSpec uses `project` rather than `project_id`; both shapes
+  // are accepted at the manifest layer (project_id is friendlier for agents
+  // sharing JSON manifests with the MCP tool).
+  const releaseSpec = mapManifestToReleaseSpec(spec);
+  const idempotencyKey = spec.idempotency_key;
+
+  // Preserve the aggressive early exit when no allowance is configured.
+  allowanceAuthHeaders("/deploy/v2/plans");
+
+  try {
+    const result = await getSdk().deploy.apply(releaseSpec, {
+      onEvent: makeStderrEventWriter(opts.quiet),
+      idempotencyKey,
+    });
+    console.log(JSON.stringify({ status: "ok", ...result }, null, 2));
+  } catch (err) {
+    reportSdkError(err);
+  }
+}
+
+async function resumeCmd(args) {
+  const opts = { operationId: null, quiet: false };
+  for (let i = 0; i < args.length; i++) {
+    if (args[i] === "--help" || args[i] === "-h") { console.log(RESUME_HELP); process.exit(0); }
+    if (args[i] === "--quiet") { opts.quiet = true; continue; }
+    if (!args[i].startsWith("-") && !opts.operationId) opts.operationId = args[i];
+  }
+  if (!opts.operationId) {
+    console.error(JSON.stringify({ status: "error", message: "Usage: run402 deploy resume <operation_id>" }));
+    process.exit(1);
+  }
+
+  allowanceAuthHeaders("/deploy/v2/operations");
+
+  try {
+    const result = await getSdk().deploy.resume(opts.operationId, {
+      onEvent: makeStderrEventWriter(opts.quiet),
+    });
+    console.log(JSON.stringify({ status: "ok", ...result }, null, 2));
+  } catch (err) {
+    reportSdkError(err);
+  }
+}
+
+// ─── Manifest → ReleaseSpec ──────────────────────────────────────────────────
+
+function mapManifestToReleaseSpec(spec) {
+  const out = { project: spec.project_id };
+  if (spec.base !== undefined) out.base = spec.base;
+  if (spec.subdomains !== undefined) out.subdomains = spec.subdomains;
+  if (spec.secrets !== undefined) out.secrets = spec.secrets;
+  if (spec.routes !== undefined) out.routes = spec.routes;
+  if (spec.checks !== undefined) out.checks = spec.checks;
+
+  if (spec.database) {
+    out.database = {};
+    if (spec.database.expose !== undefined) out.database.expose = spec.database.expose;
+    if (spec.database.zero_downtime !== undefined) out.database.zero_downtime = spec.database.zero_downtime;
+    if (spec.database.migrations) {
+      out.database.migrations = spec.database.migrations.map((m) => {
+        const mm = { id: m.id };
+        if (m.sql !== undefined) mm.sql = m.sql;
+        if (m.sql_ref !== undefined) mm.sql_ref = m.sql_ref;
+        if (m.checksum !== undefined) mm.checksum = m.checksum;
+        if (m.transaction !== undefined) mm.transaction = m.transaction;
+        return mm;
+      });
+    }
+  }
+
+  if (spec.functions) {
+    out.functions = {};
+    if (spec.functions.replace) out.functions.replace = mapFunctionMap(spec.functions.replace);
+    if (spec.functions.patch) {
+      out.functions.patch = {};
+      if (spec.functions.patch.set) out.functions.patch.set = mapFunctionMap(spec.functions.patch.set);
+      if (spec.functions.patch.delete) out.functions.patch.delete = spec.functions.patch.delete;
+    }
+  }
+
+  if (spec.site) {
+    if (spec.site.replace) {
+      out.site = { replace: mapFileMap(spec.site.replace) };
+    } else if (spec.site.patch) {
+      const patch = {};
+      if (spec.site.patch.put) patch.put = mapFileMap(spec.site.patch.put);
+      if (spec.site.patch.delete) patch.delete = spec.site.patch.delete;
+      out.site = { patch };
+    }
+  }
+
+  return out;
+}
+
+function mapFunctionMap(map) {
+  const out = {};
+  for (const [name, fn] of Object.entries(map)) {
+    const f = {};
+    if (fn.runtime) f.runtime = fn.runtime;
+    if (fn.source !== undefined) f.source = fileEntryToContentSource(fn.source);
+    if (fn.files) f.files = mapFileMap(fn.files);
+    if (fn.entrypoint !== undefined) f.entrypoint = fn.entrypoint;
+    if (fn.config !== undefined) f.config = fn.config;
+    if (fn.schedule !== undefined) f.schedule = fn.schedule;
+    out[name] = f;
+  }
+  return out;
+}
+
+function mapFileMap(map) {
+  const out = {};
+  for (const [path, entry] of Object.entries(map)) {
+    out[path] = fileEntryToContentSource(entry);
+  }
+  return out;
+}
+
+function fileEntryToContentSource(entry) {
+  if (entry === null || entry === undefined) return entry;
+  if (typeof entry === "string") return entry;
+  if (entry instanceof Uint8Array) return entry;
+  if (typeof entry === "object") {
+    if (entry.encoding === "base64" && typeof entry.data === "string") {
+      const bytes = Buffer.from(entry.data, "base64");
+      const u8 = new Uint8Array(bytes.buffer, bytes.byteOffset, bytes.byteLength);
+      return entry.contentType ? { data: u8, contentType: entry.contentType } : u8;
+    }
+    if (typeof entry.data === "string") {
+      return entry.contentType ? { data: entry.data, contentType: entry.contentType } : entry.data;
+    }
+    // Pre-resolved ContentRef shape — pass through.
+    if (typeof entry.sha256 === "string" && typeof entry.size === "number") {
+      return entry;
+    }
+  }
+  return entry;
+}
+
+/**
+ * Resolve any `{ "path": "..." }` entries in the manifest to inline data.
+ * Mirrors the legacy deploy.mjs behavior so `run402 deploy apply` accepts
+ * the same files-with-paths shape that `run402 deploy` does today.
+ */
+function resolveFileDataPaths(spec, baseDir) {
+  // Site files
+  if (spec.site?.replace) resolveMap(spec.site.replace, baseDir);
+  if (spec.site?.patch?.put) resolveMap(spec.site.patch.put, baseDir);
+  // Function files
+  const visitFns = (fnMap) => {
+    if (!fnMap) return;
+    for (const fn of Object.values(fnMap)) {
+      if (fn.source && typeof fn.source === "object" && fn.source.path) {
+        const resolved = readFileEntry(fn.source, baseDir);
+        if (resolved) fn.source = resolved;
+      }
+      if (fn.files) resolveMap(fn.files, baseDir);
+    }
+  };
+  visitFns(spec.functions?.replace);
+  visitFns(spec.functions?.patch?.set);
+  // Migration sql_path / sql_file
+  if (spec.database?.migrations) {
+    for (const m of spec.database.migrations) {
+      if (!m.sql && m.sql_path) {
+        try {
+          const p = isAbsolute(m.sql_path) ? m.sql_path : join(baseDir, m.sql_path);
+          m.sql = readFileSync(p, "utf-8");
+          delete m.sql_path;
+        } catch (err) {
+          console.error(JSON.stringify({
+            status: "error",
+            message: `Failed to read migration sql_path '${m.sql_path}': ${err.message}`,
+          }));
+          process.exit(1);
+        }
+      }
+    }
+  }
+}
+
+function resolveMap(map, baseDir) {
+  for (const [key, entry] of Object.entries(map)) {
+    if (entry && typeof entry === "object" && typeof entry.path === "string" && entry.data === undefined) {
+      const resolved = readFileEntry(entry, baseDir);
+      if (resolved) map[key] = resolved;
+    }
+  }
+}
+
+function readFileEntry(entry, baseDir) {
+  try {
+    const p = isAbsolute(entry.path) ? entry.path : join(baseDir, entry.path);
+    const buf = readFileSync(p);
+    const out = {};
+    // Detect text vs binary via simple UTF-8 round-trip; mirrors the bundle
+    // deploy behavior. Image/font types get base64; HTML/CSS/JS stay UTF-8.
+    const looksTextual = !entry.contentType?.match(/^(image|font|application\/(pdf|wasm|octet-stream|zip))/);
+    if (looksTextual) {
+      out.data = buf.toString("utf-8");
+      out.encoding = "utf-8";
+    } else {
+      out.data = buf.toString("base64");
+      out.encoding = "base64";
+    }
+    if (entry.contentType) out.contentType = entry.contentType;
+    return out;
+  } catch (err) {
+    console.error(JSON.stringify({
+      status: "error",
+      message: `Failed to read file '${entry.path}': ${err.message}`,
+    }));
+    process.exit(1);
+  }
+}

package/lib/deploy.mjs

@@ -255,6 +255,20 @@ async function loadManifest(opts) {
 }
 
 export async function run(args) {
+  // Subcommand dispatch (v1.34+):
+  //   run402 deploy apply  ...    → unified deploy primitive (deploy.apply)
+  //   run402 deploy resume <op>   → resume an activation_pending operation
+  //   run402 deploy --manifest …  → legacy bundle deploy (still works)
+  const sub = args[0];
+  switch (sub) {
+    case "apply":
+    case "resume": {
+      const { runDeployV2 } = await import("./deploy-v2.mjs");
+      await runDeployV2(sub, args.slice(1));
+      return;
+    }
+  }
+
   const opts = { manifest: null, project: null };
   for (let i = 0; i < args.length; i++) {
     if (args[i] === "--help" || args[i] === "-h") { console.log(HELP); process.exit(0); }

package/lib/functions.mjs

@@ -53,7 +53,15 @@ Options:
   --file <file>       Required: path to the function source file
   --timeout <s>       Runtime timeout in seconds
   --memory <mb>       Memory in MB
-  --deps <pkg,...>    Comma-separated npm deps to bundle
+  --deps <spec,...>   Comma-separated npm specs to install and bundle.
+                      Bare names (e.g. 'lodash') resolve to latest at
+                      deploy time; pinned ('lodash@4.17.21') or range
+                      ('date-fns@^3.0.0') specs are honored verbatim.
+                      '@run402/functions' is auto-bundled and is rejected
+                      here; the legacy 'run402-functions' name is also
+                      rejected. Max 30 entries, max 200 chars per spec.
+                      Native binary modules (sharp, canvas, native bcrypt)
+                      are rejected.
   --schedule <cron>   Cron schedule; pass '' to clear an existing schedule
 
 Notes:
@@ -61,6 +69,13 @@ Notes:
     export default async (req: Request) => Response
   Deploy may require payment if the project lease has expired.
 
+  The deploy response includes:
+  - runtime_version: the bundled @run402/functions version (e.g. "1.48.0")
+  - deps_resolved: map of each --deps name to the actually-installed
+    concrete version (e.g. {"lodash":"4.17.21"})
+  - warnings (optional, top-level, sibling to the record): non-fatal
+    notes such as bundle-size advisories
+
 Examples:
   run402 functions deploy abc123 stripe-webhook --file handler.ts
   run402 functions deploy abc123 send-reminders --file remind.ts \\

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "run402",
-  "version": "1.48.0",
+  "version": "1.50.0",
   "description": "CLI for Run402 — provision Postgres databases, deploy static sites, generate images, and manage wallets via x402 and MPP micropayments.",
   "type": "module",
   "bin": {

package/sdk/core-dist/config.js

@@ -4,6 +4,16 @@ import { existsSync, renameSync, mkdirSync } from "node:fs";
 export function getApiBase() {
     return process.env.RUN402_API_BASE || "https://api.run402.com";
 }
+/**
+ * API base for the deploy-v2 routes. Defaults to the same value as
+ * `getApiBase()`. Set `RUN402_DEPLOY_API_BASE` to point only deploy traffic
+ * elsewhere — useful when running deploy-v2 against a staging gateway while
+ * the rest of the SDK still talks to production. In normal use callers
+ * should not need this override.
+ */
+export function getDeployApiBase() {
+    return process.env.RUN402_DEPLOY_API_BASE || getApiBase();
+}
 export function getConfigDir() {
     return process.env.RUN402_CONFIG_DIR || join(homedir(), ".config", "run402");
 }

package/sdk/core-dist/wallet-auth.js

@@ -0,0 +1,62 @@
+/**
+ * Wallet auth helper — generates EIP-191 signature headers for Run402 API.
+ * Uses @noble/curves (lighter than viem) for signing.
+ */
+import { secp256k1 } from "@noble/curves/secp256k1.js";
+import { keccak_256 } from "@noble/hashes/sha3.js";
+import { bytesToHex } from "@noble/hashes/utils.js";
+import { readWallet } from "./wallet.js";
+/**
+ * EIP-191 personal_sign: sign a message with the wallet's private key.
+ */
+function personalSign(privateKeyHex, address, message) {
+    const msgBytes = new TextEncoder().encode(message);
+    const prefix = new TextEncoder().encode(`\x19Ethereum Signed Message:\n${msgBytes.length}`);
+    const prefixed = new Uint8Array(prefix.length + msgBytes.length);
+    prefixed.set(prefix);
+    prefixed.set(msgBytes, prefix.length);
+    const hash = keccak_256(prefixed);
+    const pkHex = privateKeyHex.startsWith("0x")
+        ? privateKeyHex.slice(2)
+        : privateKeyHex;
+    const pkBytes = Uint8Array.from(Buffer.from(pkHex, "hex"));
+    const rawSig = secp256k1.sign(hash, pkBytes);
+    const sig = secp256k1.Signature.fromBytes(rawSig);
+    // Determine recovery bit by trying both and matching the address
+    let recovery = 0;
+    for (const v of [0, 1]) {
+        try {
+            const recovered = sig.addRecoveryBit(v).recoverPublicKey(hash);
+            const pubBytes = recovered.toBytes(false).slice(1); // uncompressed, drop 04 prefix
+            const addrBytes = keccak_256(pubBytes).slice(-20);
+            if ("0x" + bytesToHex(addrBytes) === address.toLowerCase()) {
+                recovery = v;
+                break;
+            }
+        }
+        catch {
+            continue;
+        }
+    }
+    const r = sig.r.toString(16).padStart(64, "0");
+    const s = sig.s.toString(16).padStart(64, "0");
+    const vHex = (recovery + 27).toString(16).padStart(2, "0");
+    return "0x" + r + s + vHex;
+}
+/**
+ * Get wallet auth headers for the Run402 API.
+ * Returns null if no wallet is configured.
+ */
+export function getWalletAuthHeaders(walletPath) {
+    const wallet = readWallet(walletPath);
+    if (!wallet || !wallet.address || !wallet.privateKey)
+        return null;
+    const timestamp = Math.floor(Date.now() / 1000).toString();
+    const signature = personalSign(wallet.privateKey, wallet.address, `run402:${timestamp}`);
+    return {
+        "X-Run402-Wallet": wallet.address,
+        "X-Run402-Signature": signature,
+        "X-Run402-Timestamp": timestamp,
+    };
+}
+//# sourceMappingURL=wallet-auth.js.map

package/sdk/core-dist/wallet.js

@@ -0,0 +1,25 @@
+import { readFileSync, writeFileSync, mkdirSync, existsSync, chmodSync, renameSync } from "node:fs";
+import { dirname, join } from "node:path";
+import { randomBytes } from "node:crypto";
+import { getWalletPath } from "./config.js";
+export function readWallet(path) {
+    const p = path ?? getWalletPath();
+    if (!existsSync(p))
+        return null;
+    try {
+        return JSON.parse(readFileSync(p, "utf-8"));
+    }
+    catch {
+        return null;
+    }
+}
+export function saveWallet(data, path) {
+    const p = path ?? getWalletPath();
+    const dir = dirname(p);
+    mkdirSync(dir, { recursive: true });
+    const tmp = join(dir, `.wallet.${randomBytes(4).toString("hex")}.tmp`);
+    writeFileSync(tmp, JSON.stringify(data, null, 2), { mode: 0o600 });
+    renameSync(tmp, p);
+    chmodSync(p, 0o600);
+}
+//# sourceMappingURL=wallet.js.map

package/sdk/dist/errors.d.ts

@@ -36,4 +36,45 @@ export declare class LocalError extends Run402Error {
     readonly cause?: unknown;
     constructor(message: string, context: string, cause?: unknown);
 }
+/**
+ * Deploy-state-machine failure surfaced from the v2 deploy flow. Carries the
+ * structured error envelope the gateway returns alongside the operation
+ * snapshot — phase, resource, retryability, and an optional remediation hint.
+ *
+ * The `code` enumerates the gateway's deploy error codes; consumers may
+ * switch on it to decide whether to retry, prompt the user for payment, ask
+ * for a fix, or escalate. Unknown codes from a newer gateway pass through
+ * verbatim — callers should treat unrecognized values as opaque.
+ */
+export type Run402DeployErrorCode = "MIGRATION_FAILED" | "MIGRATION_CHECKSUM_MISMATCH" | "MIGRATION_SQL_NOT_FOUND" | "BASE_RELEASE_CONFLICT" | "PAYMENT_REQUIRED" | "SUBDOMAIN_MULTI_NOT_SUPPORTED" | "SCHEMA_SETTLE_TIMEOUT" | "ACTIVATION_FAILED" | "STORAGE_UNAVAILABLE" | "SITE_STAGE_FAILED" | "FUNCTION_BUILD_FAILED" | "CONTENT_UPLOAD_FAILED" | "INVALID_SPEC" | "OPERATION_NOT_FOUND" | "PLAN_NOT_FOUND" | "NOT_RESUMABLE" | "INVALID_STATE" | "RESUME_FAILED" | "INTERNAL_ERROR" | "PROJECT_NOT_FOUND" | (string & {});
+export interface Run402DeployErrorFix {
+    action: string;
+    path?: string;
+    [key: string]: unknown;
+}
+export declare class Run402DeployError extends Run402Error {
+    readonly code: Run402DeployErrorCode;
+    readonly phase: string | null;
+    readonly resource: string | null;
+    readonly retryable: boolean;
+    readonly operationId: string | null;
+    readonly planId: string | null;
+    readonly fix: Run402DeployErrorFix | null;
+    readonly logs: string[] | null;
+    readonly rolledBack: boolean;
+    constructor(message: string, init: {
+        code: Run402DeployErrorCode;
+        phase?: string | null;
+        resource?: string | null;
+        retryable?: boolean;
+        operationId?: string | null;
+        planId?: string | null;
+        fix?: Run402DeployErrorFix | null;
+        logs?: string[] | null;
+        rolledBack?: boolean;
+        status?: number | null;
+        body?: unknown;
+        context: string;
+    });
+}
 //# sourceMappingURL=errors.d.ts.map