run402 1.54.4 → 1.56.0

package/lib/deploy-v2.mjs

@@ -11,7 +11,7 @@
  *     "project_id": "...",
  *     "base":  { "release": "current" } | { "release": "empty" } | { "release_id": "..." },
  *     "database": { "migrations": [...], "expose": {...}, "zero_downtime": false },
- *     "secrets":   { "set": {...}, "delete": [...], "replace_all": {...} },
+ *     "secrets":   { "require": ["OPENAI_API_KEY"], "delete": ["OLD_KEY"] },
  *     "functions": { "replace": {...}, "patch": { "set": {...}, "delete": [...] } },
  *     "site":      { "replace": {...} } | { "patch": { "put": {...}, "delete": [...] } },
  *     "subdomains": { "set": ["..."], "add": [...], "remove": [...] },
@@ -25,15 +25,16 @@
 
 import { readFileSync } from "node:fs";
 import { resolve, dirname, isAbsolute, join } from "node:path";
+import { githubActionsCredentials } from "#sdk/node";
 import { getSdk } from "./sdk.mjs";
 import { reportSdkError, fail } from "./sdk-errors.mjs";
-import { allowanceAuthHeaders, resolveProjectId } from "./config.mjs";
+import { API, allowanceAuthHeaders, getActiveProjectId, resolveProjectId } from "./config.mjs";
 
 const APPLY_HELP = `run402 deploy apply — Unified deploy primitive (v1.34+)
 
 Usage:
-  run402 deploy apply --manifest <path> [--project <id>] [--quiet]
-  run402 deploy apply --spec '<json>' [--project <id>] [--quiet]
+  run402 deploy apply --manifest <path> [--project <id>] [--quiet] [--allow-warnings]
+  run402 deploy apply --spec '<json>' [--project <id>] [--quiet] [--allow-warnings]
   cat spec.json | run402 deploy apply [--project <id>]
 
 Manifest format mirrors the MCP \`deploy\` tool's ReleaseSpec:
@@ -41,7 +42,7 @@ Manifest format mirrors the MCP \`deploy\` tool's ReleaseSpec:
     "project_id": "prj_...",
     "base": { "release": "current" },
     "database": { "migrations": [{ "id": "001_init", "sql": "CREATE TABLE ..." }], "expose": {...} },
-    "secrets":   { "set": { "OPENAI_API_KEY": { "value": "sk-..." } } },
+    "secrets":   { "require": ["OPENAI_API_KEY"], "delete": ["OLD_KEY"] },
     "functions": { "replace": { "api": { "source": { "data": "export default ..." } } } },
     "site":      { "replace": { "index.html": { "data": "<html>..." } } },
     "subdomains": { "set": ["my-app"] }
@@ -52,11 +53,18 @@ Options:
   --spec '<json>'         Inline JSON spec (single-quote in shell)
   --project <id>          Override project_id from the manifest
   --quiet                 Suppress per-event JSON-line stderr (final result still on stdout)
+  --allow-warnings        Continue past plan warnings that require confirmation
 
 Output:
-  stdout: { "status": "ok", "release_id": "rel_...", "operation_id": "op_...", "urls": {...} }
+  stdout: { "status": "ok", "release_id": "rel_...", "operation_id": "op_...", "urls": {...}, "warnings": [...] }
   stderr: one JSON event per line (suppressed with --quiet)
 
+Secrets:
+  Secret values do not belong in deploy manifests. Set them first:
+    run402 secrets set prj_... OPENAI_API_KEY --file ./.secrets/openai-key
+  Then deploy a value-free declaration:
+    { "project_id": "prj_...", "secrets": { "require": ["OPENAI_API_KEY"] } }
+
 Patch examples (only the listed file changes):
   { "project_id": "prj_...", "site": { "patch": { "put": { "index.html": { "data": "..." } } } } }
   { "project_id": "prj_...", "site": { "patch": { "delete": ["old.html"] } } }
@@ -128,13 +136,14 @@ function makeStderrEventWriter(quiet) {
 }
 
 async function applyCmd(args) {
-  const opts = { manifest: null, spec: null, project: null, quiet: false };
+  const opts = { manifest: null, spec: null, project: null, quiet: false, allowWarnings: false };
   for (let i = 0; i < args.length; i++) {
     if (args[i] === "--help" || args[i] === "-h") { console.log(APPLY_HELP); process.exit(0); }
     if (args[i] === "--manifest" && args[i + 1]) { opts.manifest = args[++i]; continue; }
     if (args[i] === "--spec" && args[i + 1]) { opts.spec = args[++i]; continue; }
     if (args[i] === "--project" && args[i + 1]) { opts.project = args[++i]; continue; }
     if (args[i] === "--quiet") { opts.quiet = true; continue; }
+    if (args[i] === "--allow-warnings") { opts.allowWarnings = true; continue; }
   }
 
   let raw;
@@ -165,6 +174,10 @@ async function applyCmd(args) {
       details: { source: opts.manifest ? "manifest" : opts.spec ? "spec" : "stdin", parse_error: err.message },
     });
   }
+  rejectLegacySecretManifest(spec, {
+    source: opts.manifest ? "manifest" : opts.spec ? "spec" : "stdin",
+    ...(opts.manifest ? { path: resolve(opts.manifest) } : {}),
+  });
 
   // GH-232: Reject empty specs client-side. Without this guard,
   // `run402 deploy apply --spec '{}'` (and `--manifest <empty>`) would silently
@@ -213,7 +226,10 @@ async function applyCmd(args) {
     });
   }
   if (opts.project) spec.project_id = opts.project;
-  if (!spec.project_id) spec.project_id = resolveProjectId(null);
+  const useGithubActionsOidc = hasGithubActionsOidcEnv();
+  if (!spec.project_id) {
+    spec.project_id = useGithubActionsOidc ? resolveCiProjectId() : resolveProjectId(null);
+  }
 
   // Translate { project_id, ... } envelope → ReleaseSpec ({ project, ... })
   // The SDK ReleaseSpec uses `project` rather than `project_id`; both shapes
@@ -222,17 +238,189 @@ async function applyCmd(args) {
   const releaseSpec = mapManifestToReleaseSpec(spec);
   const idempotencyKey = spec.idempotency_key;
 
-  // Preserve the aggressive early exit when no allowance is configured.
-  allowanceAuthHeaders("/deploy/v2/plans");
+  let sdkOpts;
+  if (useGithubActionsOidc) {
+    sdkOpts = {
+      credentials: githubActionsCredentials({ projectId: spec.project_id, apiBase: API }),
+      disablePaidFetch: true,
+    };
+  } else {
+    // Preserve the aggressive early exit when no allowance is configured.
+    allowanceAuthHeaders("/deploy/v2/plans");
+  }
 
   try {
-    const result = await getSdk().deploy.apply(releaseSpec, {
+    const result = await getSdk(sdkOpts).deploy.apply(releaseSpec, {
       onEvent: makeStderrEventWriter(opts.quiet),
       idempotencyKey,
+      allowWarnings: opts.allowWarnings,
     });
     console.log(JSON.stringify({ status: "ok", ...result }, null, 2));
   } catch (err) {
-    reportSdkError(err);
+    reportDeployApplyError(err, useGithubActionsOidc);
+  }
+}
+
+function hasGithubActionsOidcEnv(env = process.env) {
+  return env.GITHUB_ACTIONS === "true" &&
+    Boolean(env.ACTIONS_ID_TOKEN_REQUEST_URL) &&
+    Boolean(env.ACTIONS_ID_TOKEN_REQUEST_TOKEN);
+}
+
+function resolveCiProjectId(env = process.env) {
+  const projectId = getActiveProjectId() || env.RUN402_PROJECT_ID;
+  if (!projectId) {
+    fail({
+      code: "CI_PROJECT_REQUIRED",
+      message: "GitHub Actions OIDC deploy requires a project id.",
+      hint: "Pass --project <prj_...> in the workflow command, include project_id in the manifest, or set RUN402_PROJECT_ID.",
+      details: { sources: ["--project", "manifest.project_id", "active_project", "RUN402_PROJECT_ID"] },
+    });
+  }
+  return projectId;
+}
+
+const CI_DEPLOY_ERROR_GUIDANCE = {
+  invalid_token: {
+    hint: "Ensure the workflow has permissions: id-token: write and is running in the repository/branch linked with run402 ci link github.",
+    next_actions: [
+      "Check the workflow permissions block includes id-token: write.",
+      "Re-run run402 ci link github if the repository, branch, or environment changed.",
+    ],
+  },
+  access_denied: {
+    hint: "The OIDC token was valid, but no active Run402 CI binding allowed this workflow.",
+    next_actions: [
+      "Run run402 ci list --project <prj_...> locally to inspect bindings.",
+      "Run run402 ci link github again for this repository/branch/environment.",
+    ],
+  },
+  event_not_allowed: {
+    hint: "This binding only allows push and workflow_dispatch events in v1.",
+    next_actions: [
+      "Trigger the workflow with push or workflow_dispatch.",
+      "Create a separate follow-up design before enabling PR deploy events.",
+    ],
+  },
+  repository_id_mismatch: {
+    hint: "The GitHub repository id in the OIDC token does not match the linked binding.",
+    next_actions: [
+      "Run run402 ci link github again from the current repository.",
+      "If automatic lookup fails, pass --repository-id with the numeric GitHub repository id.",
+    ],
+  },
+  forbidden_spec_field: {
+    hint: "CI deploys in v1 can deploy site/functions/database content only; link locally for secrets, routes, subdomains, checks, or oversized manifests.",
+    next_actions: [
+      "Remove forbidden fields such as secrets, routes, subdomains, or checks from the CI manifest.",
+      "Keep the normalized manifest small enough to avoid manifest_ref.",
+    ],
+  },
+  forbidden_plan: {
+    hint: "The gateway rejected this deploy plan for CI. Keep CI deploys to the v1 allowed resources and re-link if policy changed.",
+    next_actions: [
+      "Inspect the gateway error details for the rejected resource.",
+      "Run the deploy locally with run402 deploy apply for operations outside the CI allowlist.",
+    ],
+  },
+  payment_required: {
+    hint: "The project tier or payment state does not allow this CI deploy.",
+    next_actions: [
+      "Run run402 tier status --project <prj_...> locally.",
+      "Renew or upgrade the project tier, then re-run the workflow.",
+    ],
+  },
+};
+
+function reportDeployApplyError(err, useGithubActionsOidc) {
+  const warningEnhanced = enhanceDeployWarningError(err);
+  if (!useGithubActionsOidc) return reportSdkError(warningEnhanced);
+  return reportSdkError(enhanceCiDeployError(warningEnhanced));
+}
+
+function enhanceDeployWarningError(err) {
+  const existingBody = err?.body && typeof err.body === "object" && !Array.isArray(err.body)
+    ? err.body
+    : {};
+  const warnings = Array.isArray(existingBody.warnings) ? existingBody.warnings : null;
+  const code = existingBody.code || err?.code || null;
+  if (!warnings && code !== "MISSING_REQUIRED_SECRET") return err;
+
+  const enhanced = Object.assign(new Error(err?.message || existingBody.message || String(code)), err);
+  const affected = warnings
+    ? warnings.flatMap((w) => Array.isArray(w?.affected) ? w.affected : [])
+    : [];
+  enhanced.body = {
+    ...existingBody,
+    code: code || "DEPLOY_WARNING_REQUIRES_CONFIRMATION",
+    message: existingBody.message || err?.message || "Deploy plan returned warnings that require confirmation.",
+    hint: existingBody.hint ||
+      (code === "MISSING_REQUIRED_SECRET"
+        ? "Set the missing secret values with `run402 secrets set`, then retry deploy apply. Use --allow-warnings only after explicit review."
+        : "Review the plan warnings, then retry with --allow-warnings if you intentionally accept them."),
+    next_actions: Array.isArray(existingBody.next_actions) && existingBody.next_actions.length > 0
+      ? existingBody.next_actions
+      : [
+          ...(affected.length > 0
+            ? [`Set or inspect affected secrets: ${Array.from(new Set(affected)).join(", ")}`]
+            : []),
+          "Retry `run402 deploy apply` after resolving warnings.",
+          "Use `--allow-warnings` only when the warning was explicitly reviewed.",
+        ],
+    ...(warnings ? { warnings } : {}),
+  };
+  return enhanced;
+}
+
+function enhanceCiDeployError(err) {
+  const existingBody = err?.body && typeof err.body === "object" && !Array.isArray(err.body)
+    ? err.body
+    : {};
+  const code = existingBody.code || err?.code || (err?.status === 402 ? "payment_required" : null);
+  const guidance = code ? CI_DEPLOY_ERROR_GUIDANCE[code] : null;
+  if (!guidance) return err;
+
+  const enhanced = Object.assign(new Error(err?.message || existingBody.message || String(code)), err);
+  enhanced.body = {
+    ...existingBody,
+    code,
+    message: existingBody.message || err?.message || "GitHub Actions OIDC deploy failed.",
+    hint: existingBody.hint || guidance.hint,
+    next_actions: Array.isArray(existingBody.next_actions) && existingBody.next_actions.length > 0
+      ? existingBody.next_actions
+      : guidance.next_actions,
+  };
+  return enhanced;
+}
+
+function rejectLegacySecretManifest(spec, details) {
+  if (!spec || typeof spec !== "object" || Array.isArray(spec)) return;
+  const secrets = spec.secrets;
+  if (secrets === undefined) return;
+  if (Array.isArray(secrets) && secrets.length > 0) {
+    fail({
+      code: "UNSAFE_SECRET_MANIFEST",
+      message: "Deploy manifests must not contain secret values. Legacy secrets arrays are no longer supported by deploy apply.",
+      hint: "Run `run402 secrets set <project> <KEY> --file <path>` first, then use `\"secrets\": { \"require\": [\"KEY\"] }` in the deploy manifest.",
+      details: { ...details, field: "secrets", legacy_shape: "array" },
+    });
+  }
+  if (typeof secrets !== "object" || secrets === null) return;
+  if (Object.prototype.hasOwnProperty.call(secrets, "set")) {
+    fail({
+      code: "UNSAFE_SECRET_MANIFEST",
+      message: "Deploy manifests must not use secrets.set. Secret values are write-only and must be set outside deploy specs.",
+      hint: "Run `run402 secrets set <project> <KEY> --file <path>` first, then use `\"secrets\": { \"require\": [\"KEY\"] }`.",
+      details: { ...details, field: "secrets.set" },
+    });
+  }
+  if (Object.prototype.hasOwnProperty.call(secrets, "replace_all")) {
+    fail({
+      code: "UNSAFE_SECRET_MANIFEST",
+      message: "Deploy manifests must not use secrets.replace_all. Exact replacement is not representable in the value-free deploy contract.",
+      hint: "Use `secrets.require` for keys that must exist and `secrets.delete` for explicit removals.",
+      details: { ...details, field: "secrets.replace_all" },
+    });
   }
 }
 

package/lib/deploy.mjs

@@ -36,7 +36,7 @@ Manifest format (JSON, v2 ReleaseSpec — recommended):
         ]
       }
     },
-    "secrets":   { "set": { "OPENAI_API_KEY": { "value": "sk-..." } } },
+    "secrets":   { "require": ["OPENAI_API_KEY"], "delete": ["OLD_KEY"] },
     "functions": {
       "replace": {
         "api": {
@@ -63,9 +63,13 @@ Manifest format (JSON, v2 ReleaseSpec — recommended):
   Replace vs patch semantics per resource:
     "site": { "replace": {...} }        whole-site (omitted files removed)
     "site": { "patch": { "put": {...}, "delete": [...] } }   surgical updates
-  Same for "functions" and "secrets". Migrations are always additive (each
-  is keyed by id; re-shipping the same id+sql is a registry noop, same id
-  with different sql is a hard MIGRATION_CHECKSUM_MISMATCH error).
+  Same for "functions". Secrets are value-free declarations:
+    "secrets": { "require": ["OPENAI_API_KEY"], "delete": ["OLD_KEY"] }
+  Secret values must be set outside deploy manifests with:
+    run402 secrets set prj_... OPENAI_API_KEY --file ./.secrets/openai-key
+  Migrations are always additive (each is keyed by id; re-shipping the same
+  id+sql is a registry noop, same id with different sql is a hard
+  MIGRATION_CHECKSUM_MISMATCH error).
 
   File entries accept inline "data", a local "path", or a "sql_path"
   (migrations only) — paths are resolved relative to the manifest file's
@@ -94,12 +98,14 @@ Manifest format (JSON, v2 ReleaseSpec — recommended):
   ⚠️  Without an "expose" entry, tables are unreachable via anon_key.
 
 Legacy v1 bundle format (still accepted via compatibility shim):
-  Existing manifests with top-level "migrations" (string), "secrets" (array),
-  "functions" (array), "files" (array), "subdomain" (string), and the
+  Existing manifests with top-level "migrations" (string), "functions" (array),
+  "files" (array), "subdomain" (string), and the
   "files[].file/data/path" + inline "manifest.json" entry continue to work —
   the SDK translates them into a v2 ReleaseSpec under the hood. Prefer the
   v2 shape above for new manifests; the legacy form is preserved for the
-  deprecation window so existing scripts don't break.
+  deprecation window so existing scripts don't break. Legacy file manifests
+  with secret values no longer deploy: run 'run402 secrets set' first, then
+  use 'run402 deploy apply' with 'secrets.require'.
 
   "migrations_file": "setup.sql"   (legacy convenience) reads SQL from disk
   relative to the manifest file. Useful when JSONB literals make inline
@@ -224,6 +230,11 @@ async function loadManifest(opts) {
     });
   }
 
+  rejectUnsafeSecretManifest(manifest, {
+    source: opts.manifest ? "manifest" : "stdin",
+    ...(opts.manifest ? { path: resolve(opts.manifest) } : {}),
+  });
+
   if (opts.manifest) {
     try {
       resolveMigrationsFile(manifest, baseDir);
@@ -255,6 +266,37 @@ async function loadManifest(opts) {
   return manifest;
 }
 
+function rejectUnsafeSecretManifest(manifest, details) {
+  if (!manifest || typeof manifest !== "object" || Array.isArray(manifest)) return;
+  const secrets = manifest.secrets;
+  if (secrets === undefined) return;
+  if (Array.isArray(secrets) && secrets.length > 0) {
+    fail({
+      code: "UNSAFE_SECRET_MANIFEST",
+      message: "Deploy manifests must not contain secret values. Legacy top-level secrets arrays are no longer supported.",
+      hint: "Run `run402 secrets set <project> <KEY> --file <path>` first, then use `run402 deploy apply` with `\"secrets\": { \"require\": [\"KEY\"] }`.",
+      details: { ...details, field: "secrets", legacy_shape: "array" },
+    });
+  }
+  if (!secrets || typeof secrets !== "object" || Array.isArray(secrets)) return;
+  if (Object.prototype.hasOwnProperty.call(secrets, "set")) {
+    fail({
+      code: "UNSAFE_SECRET_MANIFEST",
+      message: "Deploy manifests must not use secrets.set. Secret values are write-only and must be set outside deploy specs.",
+      hint: "Run `run402 secrets set <project> <KEY> --file <path>` first, then deploy with `\"secrets\": { \"require\": [\"KEY\"] }`.",
+      details: { ...details, field: "secrets.set" },
+    });
+  }
+  if (Object.prototype.hasOwnProperty.call(secrets, "replace_all")) {
+    fail({
+      code: "UNSAFE_SECRET_MANIFEST",
+      message: "Deploy manifests must not use secrets.replace_all. Exact replacement is not representable in the value-free deploy contract.",
+      hint: "Use `secrets.require` for keys that must exist and `secrets.delete` for explicit removals.",
+      details: { ...details, field: "secrets.replace_all" },
+    });
+  }
+}
+
 export async function run(args) {
   // Subcommand dispatch (v1.34+):
   //   run402 deploy apply  ...    → unified deploy primitive (deploy.apply)

package/lib/sdk.mjs

@@ -9,6 +9,6 @@
 
 import { run402 } from "#sdk/node";
 
-export function getSdk() {
-  return run402();
+export function getSdk(opts = {}) {
+  return run402(opts);
 }

package/lib/secrets.mjs

@@ -14,14 +14,15 @@ Subcommands:
   delete <id> <key>            Delete a secret from a project
 
 Examples:
-  run402 secrets set prj_abc123 STRIPE_KEY sk-1234
+  run402 secrets set prj_abc123 STRIPE_KEY --file ./.secrets/stripe-key
   run402 secrets set prj_abc123 TLS_CERT --file cert.pem
   run402 secrets list prj_abc123
   run402 secrets delete prj_abc123 STRIPE_KEY
 
 Notes:
   - Secrets are injected as process.env in serverless functions
-  - Values are write-only — list returns keys with a value_hash (first 8 hex chars of SHA-256) for verifying the correct value was set
+  - Values are write-only — list returns keys and timestamps only
+  - Deploy manifests should declare existing keys with secrets.require; never put values in deploy specs
 `;
 
 const SUB_HELP = {
@@ -41,10 +42,11 @@ Options:
 
 Notes:
   - Secrets are injected as process.env in serverless functions
-  - Values are write-only; 'list' returns a value_hash for verification
+  - Values are write-only; 'list' cannot verify values by hash
+  - Prefer --file for real secrets so values do not land in shell history
 
 Examples:
-  run402 secrets set prj_abc123 STRIPE_KEY sk-1234
+  run402 secrets set prj_abc123 STRIPE_KEY --file ./.secrets/stripe-key
   run402 secrets set prj_abc123 TLS_CERT --file cert.pem
 `,
   list: `run402 secrets list — List all secrets for a project
@@ -56,8 +58,7 @@ Arguments:
   <id>                Project ID (from 'run402 projects list')
 
 Notes:
-  - Returns secret keys with a value_hash (first 8 hex chars of SHA-256)
-    for verifying the correct value was set; raw values are write-only
+  - Returns secret keys and timestamps only; raw values and value-derived hashes are never returned
 
 Examples:
   run402 secrets list prj_abc123
@@ -103,7 +104,14 @@ async function set(projectId, key, args = []) {
 async function list(projectId) {
   try {
     const data = await getSdk().secrets.list(projectId);
-    console.log(JSON.stringify(data, null, 2));
+    const sanitized = {
+      secrets: (data.secrets || []).map((s) => ({
+        key: s.key,
+        ...(s.created_at ? { created_at: s.created_at } : {}),
+        ...(s.updated_at ? { updated_at: s.updated_at } : {}),
+      })),
+    };
+    console.log(JSON.stringify(sanitized, null, 2));
   } catch (err) {
     reportSdkError(err);
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "run402",
-  "version": "1.54.4",
+  "version": "1.56.0",
   "description": "CLI for Run402 — provision Postgres databases, deploy static sites, generate images, and manage wallets via x402 and MPP micropayments.",
   "type": "module",
   "bin": {

package/sdk/core-dist/allowance-auth.js

@@ -70,16 +70,44 @@ export function formatSIWEMessage(opts, address) {
         opts.statement,
         "",
         `URI: ${opts.uri}`,
-        `Version: ${opts.version}`,
-        `Chain ID: ${opts.chainId}`,
+        `Version: ${opts.version ?? "1"}`,
+        `Chain ID: ${messageChainId(opts.chainId)}`,
         `Nonce: ${opts.nonce}`,
         `Issued At: ${opts.issuedAt}`,
     ];
     if (opts.expirationTime) {
         lines.push(`Expiration Time: ${opts.expirationTime}`);
     }
+    if (opts.resources && opts.resources.length > 0) {
+        lines.push("Resources:");
+        for (const resource of opts.resources)
+            lines.push(`- ${resource}`);
+    }
     return lines.join("\n");
 }
+export function buildSIWxAuthHeaders(opts) {
+    const message = formatSIWEMessage(opts, opts.allowance.address);
+    const signature = personalSign(opts.allowance.privateKey, opts.allowance.address, message);
+    const payload = {
+        domain: opts.domain,
+        address: toChecksumAddress(opts.allowance.address),
+        statement: opts.statement,
+        uri: opts.uri,
+        version: opts.version ?? "1",
+        chainId: payloadChainId(opts.chainId),
+        type: opts.type ?? "eip191",
+        nonce: opts.nonce,
+        issuedAt: opts.issuedAt,
+        expirationTime: opts.expirationTime,
+        signature,
+    };
+    if (opts.resources !== undefined) {
+        payload.resources = opts.resources;
+    }
+    return {
+        "SIGN-IN-WITH-X": Buffer.from(JSON.stringify(payload)).toString("base64"),
+    };
+}
 /**
  * Get SIWX auth headers for the Run402 API.
  * Returns null if no allowance is configured.
@@ -103,32 +131,24 @@ export function getAllowanceAuthHeaders(path, allowancePath) {
     const now = new Date();
     const issuedAt = now.toISOString();
     const expirationTime = new Date(now.getTime() + 5 * 60 * 1000).toISOString();
-    const message = formatSIWEMessage({
+    return buildSIWxAuthHeaders({
+        allowance,
         domain,
         uri,
         statement: "Sign in to Run402",
-        version: "1",
-        chainId: 84532, // Base Sepolia
-        nonce,
-        issuedAt,
-        expirationTime,
-    }, allowance.address);
-    const signature = personalSign(allowance.privateKey, allowance.address, message);
-    const payload = {
-        domain,
-        address: toChecksumAddress(allowance.address),
-        statement: "Sign in to Run402",
-        uri,
-        version: "1",
         chainId: "eip155:84532",
-        type: "eip191",
         nonce,
         issuedAt,
         expirationTime,
-        signature,
-    };
-    return {
-        "SIGN-IN-WITH-X": Buffer.from(JSON.stringify(payload)).toString("base64"),
-    };
+    });
+}
+function messageChainId(chainId) {
+    if (typeof chainId === "number")
+        return String(chainId);
+    const match = /^eip155:(\d+)$/.exec(chainId);
+    return match ? match[1] : chainId;
+}
+function payloadChainId(chainId) {
+    return typeof chainId === "number" ? `eip155:${chainId}` : chainId;
 }
 //# sourceMappingURL=allowance-auth.js.map

package/sdk/dist/ci-credentials.d.ts

@@ -0,0 +1,22 @@
+/** CI-session credential helpers for OIDC-backed deploy flows. */
+import type { CredentialsProvider } from "./credentials.js";
+export declare const CI_SESSION_CREDENTIALS: unique symbol;
+export interface CiMarkedCredentialsProvider extends CredentialsProvider {
+    readonly [CI_SESSION_CREDENTIALS]: true;
+}
+export interface CreateCiSessionCredentialsOptions {
+    projectId: string;
+    accessToken?: string;
+    getAccessToken?: () => Promise<string>;
+}
+export interface GithubActionsCredentialsOptions {
+    projectId: string;
+    apiBase?: string;
+    audience?: string;
+    refreshBeforeSeconds?: number;
+    fetch?: typeof globalThis.fetch;
+}
+export declare function isCiSessionCredentials(credentials: CredentialsProvider): credentials is CiMarkedCredentialsProvider;
+export declare function createCiSessionCredentials(opts: CreateCiSessionCredentialsOptions): CiMarkedCredentialsProvider;
+export declare function githubActionsCredentials(opts: GithubActionsCredentialsOptions): CiMarkedCredentialsProvider;
+//# sourceMappingURL=ci-credentials.d.ts.map

package/sdk/dist/ci-credentials.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ci-credentials.d.ts","sourceRoot":"","sources":["../src/ci-credentials.ts"],"names":[],"mappings":"AAAA,kEAAkE;AAElE,OAAO,KAAK,EAAE,mBAAmB,EAAe,MAAM,kBAAkB,CAAC;AASzE,eAAO,MAAM,sBAAsB,eAAmD,CAAC;AAEvF,MAAM,WAAW,2BAA4B,SAAQ,mBAAmB;IACtE,QAAQ,CAAC,CAAC,sBAAsB,CAAC,EAAE,IAAI,CAAC;CACzC;AAED,MAAM,WAAW,iCAAiC;IAChD,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,cAAc,CAAC,EAAE,MAAM,OAAO,CAAC,MAAM,CAAC,CAAC;CACxC;AAED,MAAM,WAAW,+BAA+B;IAC9C,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,KAAK,CAAC,EAAE,OAAO,UAAU,CAAC,KAAK,CAAC;CACjC;AAED,wBAAgB,sBAAsB,CACpC,WAAW,EAAE,mBAAmB,GAC/B,WAAW,IAAI,2BAA2B,CAE5C;AAED,wBAAgB,0BAA0B,CACxC,IAAI,EAAE,iCAAiC,GACtC,2BAA2B,CAuC7B;AAED,wBAAgB,wBAAwB,CACtC,IAAI,EAAE,+BAA+B,GACpC,2BAA2B,CA4B7B"}