run402 1.9.0 → 1.9.2

package/README.md

@@ -1,6 +1,6 @@
 # run402 CLI
 
-Command-line interface for [Run402](https://run402.com) — provision Postgres databases, deploy static sites, generate images, and manage wallets via x402 micropayments.
+Command-line interface for [Run402](https://run402.com) — provision Postgres databases, deploy static sites, generate images, and manage agent allowances via x402 micropayments.
 
 ## Installation
 
@@ -17,11 +17,11 @@ npx run402 <command>
 ## Getting Started
 
 ```bash
-# 1. Create a local wallet
-run402 wallet create
+# 1. Create a local agent allowance
+run402 allowance create
 
 # 2. Fund it with test USDC (Base Sepolia faucet)
-run402 wallet fund
+run402 allowance fund
 
 # 3. Deploy your app
 run402 deploy --tier prototype --manifest app.json
@@ -29,15 +29,15 @@ run402 deploy --tier prototype --manifest app.json
 
 ## Commands
 
-### `run402 wallet`
+### `run402 allowance`
 
-Manage your local x402 wallet.
+Manage your local agent allowance.
 
 ```bash
-run402 wallet create    # Generate a new wallet
-run402 wallet status    # Show address, network, funding status
-run402 wallet fund      # Request test USDC from the faucet
-run402 wallet export    # Print wallet address (for scripting)
+run402 allowance create    # Generate a new allowance
+run402 allowance status    # Show address, network, funding status
+run402 allowance fund      # Request test USDC from the faucet
+run402 allowance export    # Print allowance address (for scripting)
 ```
 
 ### `run402 deploy`
@@ -98,7 +98,7 @@ Every command supports `--help` / `-h`:
 
 ```bash
 run402 --help
-run402 wallet --help
+run402 allowance --help
 run402 deploy --help
 run402 projects --help
 run402 image --help
@@ -106,9 +106,9 @@ run402 image --help
 
 ## Notes
 
-- Wallet stored at `~/.run402/wallet.json`
+- Agent allowance stored at `~/.run402/allowance.json`
 - Project credentials stored at `~/.run402/projects.json`
-- Network: Base Sepolia (testnet) — USDC for x402 payments
+- Network: Base Sepolia (testnet) for prototype tier (free). Base mainnet or Stripe for paid tiers (hobby/team).
 - Payments are handled automatically — no manual signing required
 
 ## License

package/cli.mjs

@@ -13,8 +13,8 @@ Usage:
   run402 <command> [subcommand] [options]
 
 Commands:
-  init        Set up wallet, funding, and check tier status
-  wallet      Manage your x402 wallet (create, fund, balance, status)
+  init        Set up allowance, funding, and check tier status
+  allowance   Manage your agent allowance (create, fund, balance, status)
   tier        Manage tier subscription (status, set)
   projects    Manage projects (provision, list, query, inspect, delete)
   deploy      Deploy a full-stack app or static site (requires active tier)
@@ -31,8 +31,8 @@ Commands:
 Run 'run402 <command> --help' for detailed usage of each command.
 
 Examples:
-  run402 wallet create
-  run402 wallet fund
+  run402 allowance create
+  run402 allowance fund
   run402 deploy --manifest app.json
   run402 projects list
   run402 projects sql <project_id> "SELECT * FROM users LIMIT 5"
@@ -57,8 +57,8 @@ switch (cmd) {
     await run();
     break;
   }
-  case "wallet": {
-    const { run } = await import("./lib/wallet.mjs");
+  case "allowance": {
+    const { run } = await import("./lib/allowance.mjs");
     await run(sub, rest);
     break;
   }

package/core-dist/allowance-auth.js

@@ -0,0 +1,62 @@
+/**
+ * Allowance auth helper — generates EIP-191 signature headers for Run402 API.
+ * Uses @noble/curves (lighter than viem) for signing.
+ */
+import { secp256k1 } from "@noble/curves/secp256k1.js";
+import { keccak_256 } from "@noble/hashes/sha3.js";
+import { bytesToHex } from "@noble/hashes/utils.js";
+import { readAllowance } from "./allowance.js";
+/**
+ * EIP-191 personal_sign: sign a message with the allowance's private key.
+ */
+function personalSign(privateKeyHex, address, message) {
+    const msgBytes = new TextEncoder().encode(message);
+    const prefix = new TextEncoder().encode(`\x19Ethereum Signed Message:\n${msgBytes.length}`);
+    const prefixed = new Uint8Array(prefix.length + msgBytes.length);
+    prefixed.set(prefix);
+    prefixed.set(msgBytes, prefix.length);
+    const hash = keccak_256(prefixed);
+    const pkHex = privateKeyHex.startsWith("0x")
+        ? privateKeyHex.slice(2)
+        : privateKeyHex;
+    const pkBytes = Uint8Array.from(Buffer.from(pkHex, "hex"));
+    const rawSig = secp256k1.sign(hash, pkBytes);
+    const sig = secp256k1.Signature.fromBytes(rawSig);
+    // Determine recovery bit by trying both and matching the address
+    let recovery = 0;
+    for (const v of [0, 1]) {
+        try {
+            const recovered = sig.addRecoveryBit(v).recoverPublicKey(hash);
+            const pubBytes = recovered.toBytes(false).slice(1); // uncompressed, drop 04 prefix
+            const addrBytes = keccak_256(pubBytes).slice(-20);
+            if ("0x" + bytesToHex(addrBytes) === address.toLowerCase()) {
+                recovery = v;
+                break;
+            }
+        }
+        catch {
+            continue;
+        }
+    }
+    const r = sig.r.toString(16).padStart(64, "0");
+    const s = sig.s.toString(16).padStart(64, "0");
+    const vHex = (recovery + 27).toString(16).padStart(2, "0");
+    return "0x" + r + s + vHex;
+}
+/**
+ * Get allowance auth headers for the Run402 API.
+ * Returns null if no allowance is configured.
+ */
+export function getAllowanceAuthHeaders(allowancePath) {
+    const allowance = readAllowance(allowancePath);
+    if (!allowance || !allowance.address || !allowance.privateKey)
+        return null;
+    const timestamp = Math.floor(Date.now() / 1000).toString();
+    const signature = personalSign(allowance.privateKey, allowance.address, `run402:${timestamp}`);
+    return {
+        "X-Run402-Wallet": allowance.address,
+        "X-Run402-Signature": signature,
+        "X-Run402-Timestamp": timestamp,
+    };
+}
+//# sourceMappingURL=allowance-auth.js.map

package/core-dist/allowance.js

@@ -0,0 +1,25 @@
+import { readFileSync, writeFileSync, mkdirSync, existsSync, chmodSync, renameSync } from "node:fs";
+import { dirname, join } from "node:path";
+import { randomBytes } from "node:crypto";
+import { getAllowancePath } from "./config.js";
+export function readAllowance(path) {
+    const p = path ?? getAllowancePath();
+    if (!existsSync(p))
+        return null;
+    try {
+        return JSON.parse(readFileSync(p, "utf-8"));
+    }
+    catch {
+        return null;
+    }
+}
+export function saveAllowance(data, path) {
+    const p = path ?? getAllowancePath();
+    const dir = dirname(p);
+    mkdirSync(dir, { recursive: true });
+    const tmp = join(dir, `.allowance.${randomBytes(4).toString("hex")}.tmp`);
+    writeFileSync(tmp, JSON.stringify(data, null, 2), { mode: 0o600 });
+    renameSync(tmp, p);
+    chmodSync(p, 0o600);
+}
+//# sourceMappingURL=allowance.js.map

package/core-dist/client.js

@@ -0,0 +1,42 @@
+import { getApiBase } from "./config.js";
+export async function apiRequest(path, opts = {}) {
+    const { method = "GET", headers = {}, body, rawBody } = opts;
+    const url = `${getApiBase()}${path}`;
+    const fetchHeaders = { ...headers };
+    let fetchBody;
+    if (rawBody !== undefined) {
+        fetchBody = rawBody;
+    }
+    else if (body !== undefined) {
+        fetchHeaders["Content-Type"] = fetchHeaders["Content-Type"] || "application/json";
+        fetchBody = JSON.stringify(body);
+    }
+    let res;
+    try {
+        res = await fetch(url, {
+            method,
+            headers: fetchHeaders,
+            body: fetchBody,
+        });
+    }
+    catch (err) {
+        return {
+            ok: false,
+            status: 0,
+            body: { error: `Network error: ${err.message}` },
+        };
+    }
+    let resBody;
+    const contentType = res.headers.get("content-type") || "";
+    if (contentType.includes("application/json")) {
+        resBody = await res.json();
+    }
+    else {
+        resBody = await res.text();
+    }
+    if (res.status === 402) {
+        return { ok: false, is402: true, status: 402, body: resBody };
+    }
+    return { ok: res.ok, status: res.status, body: resBody };
+}
+//# sourceMappingURL=client.js.map

package/core-dist/config.js

@@ -0,0 +1,24 @@
+import { homedir } from "node:os";
+import { join } from "node:path";
+import { existsSync, renameSync, mkdirSync } from "node:fs";
+export function getApiBase() {
+    return process.env.RUN402_API_BASE || "https://api.run402.com";
+}
+export function getConfigDir() {
+    return process.env.RUN402_CONFIG_DIR || join(homedir(), ".config", "run402");
+}
+export function getKeystorePath() {
+    return join(getConfigDir(), "projects.json");
+}
+export function getAllowancePath() {
+    const dir = getConfigDir();
+    const newPath = join(dir, "allowance.json");
+    const oldPath = join(dir, "wallet.json");
+    // Auto-migrate from wallet.json → allowance.json
+    if (!existsSync(newPath) && existsSync(oldPath)) {
+        mkdirSync(dir, { recursive: true });
+        renameSync(oldPath, newPath);
+    }
+    return newPath;
+}
+//# sourceMappingURL=config.js.map

package/core-dist/keystore.js

@@ -0,0 +1,75 @@
+import { readFileSync, writeFileSync, mkdirSync, renameSync, chmodSync } from "node:fs";
+import { dirname, join } from "node:path";
+import { randomBytes } from "node:crypto";
+import { getKeystorePath } from "./config.js";
+/**
+ * Load the keystore from disk.
+ * Auto-migrates legacy formats:
+ * - Array format (CLI legacy): [{project_id, ...}] → {projects: {id: {...}}}
+ * - Old field name: expires_at → lease_expires_at
+ */
+export function loadKeyStore(path) {
+    const p = path ?? getKeystorePath();
+    try {
+        const data = readFileSync(p, "utf-8");
+        const parsed = JSON.parse(data);
+        // Auto-migrate array format (CLI legacy) to object format
+        if (Array.isArray(parsed)) {
+            const projects = {};
+            for (const item of parsed) {
+                if (item.project_id) {
+                    projects[item.project_id] = {
+                        anon_key: item.anon_key,
+                        service_key: item.service_key,
+                        tier: item.tier,
+                        lease_expires_at: item.lease_expires_at || item.expires_at || "",
+                        ...(item.site_url && { site_url: item.site_url }),
+                        ...(item.deployed_at && { deployed_at: item.deployed_at }),
+                    };
+                }
+            }
+            return { projects };
+        }
+        if (parsed && typeof parsed === "object" && parsed.projects) {
+            // Auto-normalize expires_at → lease_expires_at
+            for (const proj of Object.values(parsed.projects)) {
+                const rec = proj;
+                if (rec.expires_at && !rec.lease_expires_at) {
+                    rec.lease_expires_at = rec.expires_at;
+                    delete rec.expires_at;
+                }
+            }
+            return parsed;
+        }
+        return { projects: {} };
+    }
+    catch {
+        return { projects: {} };
+    }
+}
+export function saveKeyStore(store, path) {
+    const p = path ?? getKeystorePath();
+    const dir = dirname(p);
+    mkdirSync(dir, { recursive: true });
+    const tmp = join(dir, `.projects.${randomBytes(4).toString("hex")}.tmp`);
+    writeFileSync(tmp, JSON.stringify(store, null, 2), { mode: 0o600 });
+    renameSync(tmp, p);
+    chmodSync(p, 0o600);
+}
+export function getProject(projectId, path) {
+    const store = loadKeyStore(path);
+    return store.projects[projectId];
+}
+export function saveProject(projectId, project, path) {
+    const p = path ?? getKeystorePath();
+    const store = loadKeyStore(p);
+    store.projects[projectId] = project;
+    saveKeyStore(store, p);
+}
+export function removeProject(projectId, path) {
+    const p = path ?? getKeystorePath();
+    const store = loadKeyStore(p);
+    delete store.projects[projectId];
+    saveKeyStore(store, p);
+}
+//# sourceMappingURL=keystore.js.map

package/core-dist/wallet-auth.js

@@ -0,0 +1,62 @@
+/**
+ * Wallet auth helper — generates EIP-191 signature headers for Run402 API.
+ * Uses @noble/curves (lighter than viem) for signing.
+ */
+import { secp256k1 } from "@noble/curves/secp256k1.js";
+import { keccak_256 } from "@noble/hashes/sha3.js";
+import { bytesToHex } from "@noble/hashes/utils.js";
+import { readWallet } from "./wallet.js";
+/**
+ * EIP-191 personal_sign: sign a message with the wallet's private key.
+ */
+function personalSign(privateKeyHex, address, message) {
+    const msgBytes = new TextEncoder().encode(message);
+    const prefix = new TextEncoder().encode(`\x19Ethereum Signed Message:\n${msgBytes.length}`);
+    const prefixed = new Uint8Array(prefix.length + msgBytes.length);
+    prefixed.set(prefix);
+    prefixed.set(msgBytes, prefix.length);
+    const hash = keccak_256(prefixed);
+    const pkHex = privateKeyHex.startsWith("0x")
+        ? privateKeyHex.slice(2)
+        : privateKeyHex;
+    const pkBytes = Uint8Array.from(Buffer.from(pkHex, "hex"));
+    const rawSig = secp256k1.sign(hash, pkBytes);
+    const sig = secp256k1.Signature.fromBytes(rawSig);
+    // Determine recovery bit by trying both and matching the address
+    let recovery = 0;
+    for (const v of [0, 1]) {
+        try {
+            const recovered = sig.addRecoveryBit(v).recoverPublicKey(hash);
+            const pubBytes = recovered.toBytes(false).slice(1); // uncompressed, drop 04 prefix
+            const addrBytes = keccak_256(pubBytes).slice(-20);
+            if ("0x" + bytesToHex(addrBytes) === address.toLowerCase()) {
+                recovery = v;
+                break;
+            }
+        }
+        catch {
+            continue;
+        }
+    }
+    const r = sig.r.toString(16).padStart(64, "0");
+    const s = sig.s.toString(16).padStart(64, "0");
+    const vHex = (recovery + 27).toString(16).padStart(2, "0");
+    return "0x" + r + s + vHex;
+}
+/**
+ * Get wallet auth headers for the Run402 API.
+ * Returns null if no wallet is configured.
+ */
+export function getWalletAuthHeaders(walletPath) {
+    const wallet = readWallet(walletPath);
+    if (!wallet || !wallet.address || !wallet.privateKey)
+        return null;
+    const timestamp = Math.floor(Date.now() / 1000).toString();
+    const signature = personalSign(wallet.privateKey, wallet.address, `run402:${timestamp}`);
+    return {
+        "X-Run402-Wallet": wallet.address,
+        "X-Run402-Signature": signature,
+        "X-Run402-Timestamp": timestamp,
+    };
+}
+//# sourceMappingURL=wallet-auth.js.map

package/core-dist/wallet.js

@@ -0,0 +1,25 @@
+import { readFileSync, writeFileSync, mkdirSync, existsSync, chmodSync, renameSync } from "node:fs";
+import { dirname, join } from "node:path";
+import { randomBytes } from "node:crypto";
+import { getWalletPath } from "./config.js";
+export function readWallet(path) {
+    const p = path ?? getWalletPath();
+    if (!existsSync(p))
+        return null;
+    try {
+        return JSON.parse(readFileSync(p, "utf-8"));
+    }
+    catch {
+        return null;
+    }
+}
+export function saveWallet(data, path) {
+    const p = path ?? getWalletPath();
+    const dir = dirname(p);
+    mkdirSync(dir, { recursive: true });
+    const tmp = join(dir, `.wallet.${randomBytes(4).toString("hex")}.tmp`);
+    writeFileSync(tmp, JSON.stringify(data, null, 2), { mode: 0o600 });
+    renameSync(tmp, p);
+    chmodSync(p, 0o600);
+}
+//# sourceMappingURL=wallet.js.map

package/lib/agent.mjs

@@ -1,4 +1,4 @@
-import { API, walletAuthHeaders } from "./config.mjs";
+import { API, allowanceAuthHeaders } from "./config.mjs";
 
 const HELP = `run402 agent — Manage agent identity
 
@@ -6,7 +6,7 @@ Usage:
   run402 agent contact --name <name> [--email <email>] [--webhook <url>]
 
 Notes:
-  - Free with wallet auth
+  - Free with allowance auth
   - Registers contact info so Run402 can reach your agent
   - Only name is required; email and webhook are optional
 
@@ -23,7 +23,7 @@ async function contact(args) {
     if (args[i] === "--webhook" && args[i + 1]) webhook = args[++i];
   }
   if (!name) { console.error(JSON.stringify({ status: "error", message: "Missing --name <name>" })); process.exit(1); }
-  const authHeaders = await walletAuthHeaders();
+  const authHeaders = await allowanceAuthHeaders();
 
   const body = { name };
   if (email) body.email = email;

package/lib/{wallet.mjs → allowance.mjs}

@@ -1,31 +1,31 @@
-import { readWallet, saveWallet, WALLET_FILE, API } from "./config.mjs";
+import { readAllowance, saveAllowance, ALLOWANCE_FILE, API } from "./config.mjs";
 
-const HELP = `run402 wallet — Manage your x402 wallet
+const HELP = `run402 allowance — Manage your agent allowance
 
 Usage:
-  run402 wallet <subcommand>
+  run402 allowance <subcommand>
 
 Subcommands:
-  status    Show wallet address, network, and funding status
-  create    Generate a new wallet and save it locally
+  status    Show allowance address, network, and funding status
+  create    Generate a new allowance and save it locally
   fund      Request test USDC from the Run402 faucet (Base Sepolia)
   balance   Show on-chain USDC (mainnet + testnet) and Run402 billing balance
-  export    Print the wallet address (useful for scripting)
+  export    Print the allowance address (useful for scripting)
   checkout  Create a billing checkout session (--amount <usd_micros>)
   history   View billing transaction history (--limit <n>)
 
 Notes:
-  - Wallet is stored locally at ~/.run402/wallet.json
-  - The wallet works on any EVM chain (currently Run402 uses Base Mainnet and Sepolia for testnet)
-  - You need to create and fund a wallet before any x402 transaction with Run402
+  - Agent allowance is stored locally at ~/.run402/allowance.json
+  - The allowance works on any EVM chain (currently Run402 uses Base Mainnet and Sepolia for testnet)
+  - You need to create and fund an allowance before any x402 transaction with Run402
 
 Examples:
-  run402 wallet create
-  run402 wallet status
-  run402 wallet fund
-  run402 wallet export
-  run402 wallet checkout --amount 5000000
-  run402 wallet history --limit 10
+  run402 allowance create
+  run402 allowance status
+  run402 allowance fund
+  run402 allowance export
+  run402 allowance checkout --amount 5000000
+  run402 allowance history --limit 10
 `;
 
 const USDC_ABI = [{ name: "balanceOf", type: "function", stateMutability: "view", inputs: [{ name: "account", type: "address" }], outputs: [{ name: "", type: "uint256" }] }];
@@ -40,29 +40,29 @@ async function loadDeps() {
 }
 
 async function status() {
-  const w = readWallet();
+  const w = readAllowance();
   if (!w) {
-    console.log(JSON.stringify({ status: "no_wallet", message: "No wallet found. Run: run402 wallet create" }));
+    console.log(JSON.stringify({ status: "no_wallet", message: "No agent allowance found. Run: run402 allowance create" }));
     return;
   }
-  console.log(JSON.stringify({ status: "ok", address: w.address, created: w.created, funded: w.funded || false, path: WALLET_FILE }));
+  console.log(JSON.stringify({ status: "ok", address: w.address, created: w.created, funded: w.funded || false, path: ALLOWANCE_FILE }));
 }
 
 async function create() {
-  if (readWallet()) {
-    console.log(JSON.stringify({ status: "error", message: "Wallet already exists. Use 'status' to check it." }));
+  if (readAllowance()) {
+    console.log(JSON.stringify({ status: "error", message: "Agent allowance already exists. Use 'status' to check it." }));
     process.exit(1);
   }
   const { generatePrivateKey, privateKeyToAccount } = await loadDeps();
   const privateKey = generatePrivateKey();
   const account = privateKeyToAccount(privateKey);
-  saveWallet({ address: account.address, privateKey, created: new Date().toISOString(), funded: false });
-  console.log(JSON.stringify({ status: "ok", address: account.address, message: `Wallet created. Stored locally at ${WALLET_FILE}` }));
+  saveAllowance({ address: account.address, privateKey, created: new Date().toISOString(), funded: false });
+  console.log(JSON.stringify({ status: "ok", address: account.address, message: `Agent allowance created. Stored locally at ${ALLOWANCE_FILE}` }));
 }
 
 async function fund() {
-  const w = readWallet();
-  if (!w) { console.log(JSON.stringify({ status: "error", message: "No wallet. Run: run402 wallet create" })); process.exit(1); }
+  const w = readAllowance();
+  if (!w) { console.log(JSON.stringify({ status: "error", message: "No agent allowance. Run: run402 allowance create" })); process.exit(1); }
 
   const { createPublicClient, http, baseSepolia } = await loadDeps();
   const client = createPublicClient({ chain: baseSepolia, transport: http() });
@@ -80,7 +80,7 @@ async function fund() {
     await new Promise(r => setTimeout(r, 1000));
     const now = await readUsdcBalance(client, USDC_SEPOLIA, w.address).catch(() => before);
     if (now > before) {
-      saveWallet({ ...w, funded: true, lastFaucet: new Date().toISOString() });
+      saveAllowance({ ...w, funded: true, lastFaucet: new Date().toISOString() });
       console.log(JSON.stringify({
         address: w.address,
         onchain: {
@@ -91,7 +91,7 @@ async function fund() {
     }
   }
 
-  saveWallet({ ...w, funded: true, lastFaucet: new Date().toISOString() });
+  saveAllowance({ ...w, funded: true, lastFaucet: new Date().toISOString() });
   console.log(JSON.stringify({ status: "ok", message: "Faucet request sent but balance not yet confirmed", ...data }));
 }
 
@@ -101,8 +101,8 @@ async function readUsdcBalance(client, usdc, address) {
 }
 
 async function balance() {
-  const w = readWallet();
-  if (!w) { console.log(JSON.stringify({ status: "error", message: "No wallet. Run: run402 wallet create" })); process.exit(1); }
+  const w = readAllowance();
+  if (!w) { console.log(JSON.stringify({ status: "error", message: "No agent allowance. Run: run402 allowance create" })); process.exit(1); }
 
   const { createPublicClient, http, base, baseSepolia } = await loadDeps();
   const mainnetClient = createPublicClient({ chain: base, transport: http() });
@@ -127,14 +127,14 @@ async function balance() {
 }
 
 async function exportAddr() {
-  const w = readWallet();
-  if (!w) { console.log(JSON.stringify({ status: "error", message: "No wallet." })); process.exit(1); }
+  const w = readAllowance();
+  if (!w) { console.log(JSON.stringify({ status: "error", message: "No agent allowance." })); process.exit(1); }
   console.log(w.address);
 }
 
 async function checkout(args) {
-  const w = readWallet();
-  if (!w) { console.log(JSON.stringify({ status: "error", message: "No wallet. Run: run402 wallet create" })); process.exit(1); }
+  const w = readAllowance();
+  if (!w) { console.log(JSON.stringify({ status: "error", message: "No agent allowance. Run: run402 allowance create" })); process.exit(1); }
   let amount = null;
   for (let i = 0; i < args.length; i++) {
     if (args[i] === "--amount" && args[i + 1]) amount = parseInt(args[++i], 10);
@@ -151,8 +151,8 @@ async function checkout(args) {
 }
 
 async function history(args) {
-  const w = readWallet();
-  if (!w) { console.log(JSON.stringify({ status: "error", message: "No wallet. Run: run402 wallet create" })); process.exit(1); }
+  const w = readAllowance();
+  if (!w) { console.log(JSON.stringify({ status: "error", message: "No agent allowance. Run: run402 allowance create" })); process.exit(1); }
   let limit = 20;
   for (let i = 0; i < args.length; i++) {
     if (args[i] === "--limit" && args[i + 1]) limit = parseInt(args[++i], 10);

package/lib/apps.mjs

@@ -1,4 +1,4 @@
-import { findProject, API, walletAuthHeaders, saveProject } from "./config.mjs";
+import { findProject, API, allowanceAuthHeaders, saveProject } from "./config.mjs";
 
 const HELP = `run402 apps — Browse and manage the app marketplace
 
@@ -47,7 +47,7 @@ async function fork(versionId, name, args) {
     if (args[i] === "--tier" && args[i + 1]) opts.tier = args[++i];
     if (args[i] === "--subdomain" && args[i + 1]) opts.subdomain = args[++i];
   }
-  const authHeaders = await walletAuthHeaders();
+  const authHeaders = await allowanceAuthHeaders();
 
   const body = { version_id: versionId, name };
   if (opts.subdomain) body.subdomain = opts.subdomain;

package/lib/config.mjs

@@ -3,28 +3,31 @@
  * Adds CLI-specific behavior: process.exit() on errors.
  */
 
-import { getApiBase, getConfigDir, getKeystorePath, getWalletPath } from "../../core/dist/config.js";
-import { readWallet as coreReadWallet, saveWallet as coreSaveWallet } from "../../core/dist/wallet.js";
-import { getWalletAuthHeaders } from "../../core/dist/wallet-auth.js";
-import { loadKeyStore, getProject, saveProject, removeProject, saveKeyStore } from "../../core/dist/keystore.js";
+import { getApiBase, getConfigDir, getKeystorePath, getAllowancePath } from "../core-dist/config.js";
+import { readAllowance as coreReadAllowance, saveAllowance as coreSaveAllowance } from "../core-dist/allowance.js";
+import { loadKeyStore, getProject, saveProject, removeProject, saveKeyStore } from "../core-dist/keystore.js";
 
 export const CONFIG_DIR = getConfigDir();
-export const WALLET_FILE = getWalletPath();
+export const ALLOWANCE_FILE = getAllowancePath();
 export const PROJECTS_FILE = getKeystorePath();
 export const API = getApiBase();
 
-export function readWallet() {
-  return coreReadWallet();
+export function readAllowance() {
+  return coreReadAllowance();
 }
 
-export function saveWallet(data) {
-  coreSaveWallet(data);
+export function saveAllowance(data) {
+  coreSaveAllowance(data);
 }
 
-export async function walletAuthHeaders() {
-  const headers = getWalletAuthHeaders();
-  if (!headers) { console.error(JSON.stringify({ status: "error", message: "No wallet found. Run: run402 wallet create" })); process.exit(1); }
-  return headers;
+export async function allowanceAuthHeaders() {
+  const w = readAllowance();
+  if (!w) { console.error(JSON.stringify({ status: "error", message: "No agent allowance found. Run: run402 allowance create" })); process.exit(1); }
+  const { privateKeyToAccount } = await import("viem/accounts");
+  const account = privateKeyToAccount(w.privateKey);
+  const timestamp = Math.floor(Date.now() / 1000).toString();
+  const signature = await account.signMessage({ message: `run402:${timestamp}` });
+  return { "X-Run402-Wallet": account.address, "X-Run402-Signature": signature, "X-Run402-Timestamp": timestamp };
 }
 
 export function findProject(id) {

package/lib/deploy.mjs

@@ -1,5 +1,5 @@
 import { readFileSync } from "fs";
-import { API, walletAuthHeaders, saveProject } from "./config.mjs";
+import { API, allowanceAuthHeaders, saveProject } from "./config.mjs";
 
 const HELP = `run402 deploy — Deploy a full-stack app or static site on Run402
 
@@ -24,7 +24,7 @@ Examples:
   cat app.json | run402 deploy
 
 Prerequisites:
-  - run402 init                     Set up wallet and funding
+  - run402 init                     Set up allowance and funding
   - run402 tier set prototype       Subscribe to a tier
 
 Notes:
@@ -48,7 +48,7 @@ export async function run(args) {
 
   const manifest = opts.manifest ? JSON.parse(readFileSync(opts.manifest, "utf-8")) : JSON.parse(await readStdin());
 
-  const authHeaders = await walletAuthHeaders();
+  const authHeaders = await allowanceAuthHeaders();
   const res = await fetch(`${API}/deploy/v1`, { method: "POST", headers: { "Content-Type": "application/json", ...authHeaders }, body: JSON.stringify(manifest) });
   const result = await res.json();
   if (!res.ok) { console.error(JSON.stringify({ status: "error", http: res.status, ...result })); process.exit(1); }

package/lib/functions.mjs

@@ -1,5 +1,5 @@
 import { readFileSync, existsSync } from "fs";
-import { findProject, readWallet, API, WALLET_FILE } from "./config.mjs";
+import { findProject, readAllowance, API, ALLOWANCE_FILE } from "./config.mjs";
 
 const HELP = `run402 functions — Manage serverless functions
 
@@ -28,18 +28,18 @@ Notes:
 `;
 
 async function setupPaidFetch() {
-  if (!existsSync(WALLET_FILE)) {
-    console.error(JSON.stringify({ status: "error", message: "No wallet found. Run: run402 wallet create && run402 wallet fund" }));
+  if (!existsSync(ALLOWANCE_FILE)) {
+    console.error(JSON.stringify({ status: "error", message: "No agent allowance found. Run: run402 allowance create && run402 allowance fund" }));
     process.exit(1);
   }
-  const wallet = readWallet();
+  const allowance = readAllowance();
   const { privateKeyToAccount } = await import("viem/accounts");
   const { createPublicClient, http } = await import("viem");
   const { baseSepolia } = await import("viem/chains");
   const { x402Client, wrapFetchWithPayment } = await import("@x402/fetch");
   const { ExactEvmScheme } = await import("@x402/evm/exact/client");
   const { toClientEvmSigner } = await import("@x402/evm");
-  const account = privateKeyToAccount(wallet.privateKey);
+  const account = privateKeyToAccount(allowance.privateKey);
   const publicClient = createPublicClient({ chain: baseSepolia, transport: http() });
   const signer = toClientEvmSigner(account, publicClient);
   const client = new x402Client();

package/lib/image.mjs

@@ -1,5 +1,5 @@
 import { writeFileSync } from "fs";
-import { API, WALLET_FILE } from "./config.mjs";
+import { API, ALLOWANCE_FILE } from "./config.mjs";
 import { setupPaidFetch } from "./paid-fetch.mjs";
 
 const HELP = `run402 image — Generate AI images via x402 micropayments
@@ -22,7 +22,7 @@ Output (without --output):
   { "status": "ok", "aspect": "square", "content_type": "image/png", "image": "<base64>" }
 
 Notes:
-  - Requires a funded wallet (run402 wallet create && run402 wallet fund)
+  - Requires a funded allowance (run402 allowance create && run402 allowance fund)
   - Payments are processed automatically via x402 micropayments (Base Sepolia USDC)
   - Use --output to save directly to a file instead of printing base64
 `;

package/lib/init.mjs

@@ -1,4 +1,4 @@
-import { readWallet, saveWallet, loadKeyStore, CONFIG_DIR, WALLET_FILE, API } from "./config.mjs";
+import { readAllowance, saveAllowance, loadKeyStore, CONFIG_DIR, ALLOWANCE_FILE, API } from "./config.mjs";
 import { mkdirSync } from "fs";
 
 const USDC_ABI = [{ name: "balanceOf", type: "function", stateMutability: "view", inputs: [{ name: "account", type: "address" }], outputs: [{ name: "", type: "uint256" }] }];
@@ -14,17 +14,17 @@ export async function run() {
   mkdirSync(CONFIG_DIR, { recursive: true });
   line("Config", CONFIG_DIR);
 
-  // 2. Wallet
-  let wallet = readWallet();
-  if (!wallet) {
+  // 2. Allowance
+  let allowance = readAllowance();
+  if (!allowance) {
     const { generatePrivateKey, privateKeyToAccount } = await import("viem/accounts");
     const privateKey = generatePrivateKey();
     const account = privateKeyToAccount(privateKey);
-    wallet = { address: account.address, privateKey, created: new Date().toISOString(), funded: false };
-    saveWallet(wallet);
-    line("Wallet", `${short(wallet.address)} (created)`);
+    allowance = { address: account.address, privateKey, created: new Date().toISOString(), funded: false };
+    saveAllowance(allowance);
+    line("Allowance", `${short(allowance.address)} (created)`);
   } else {
-    line("Wallet", short(wallet.address));
+    line("Allowance", short(allowance.address));
   }
 
   // 3. Balance — check on-chain, faucet if zero
@@ -34,7 +34,7 @@ export async function run() {
 
   let balance = 0;
   try {
-    const raw = await client.readContract({ address: USDC_SEPOLIA, abi: USDC_ABI, functionName: "balanceOf", args: [wallet.address] });
+    const raw = await client.readContract({ address: USDC_SEPOLIA, abi: USDC_ABI, functionName: "balanceOf", args: [allowance.address] });
     balance = Number(raw);
   } catch {}
 
@@ -43,19 +43,19 @@ export async function run() {
     const res = await fetch(`${API}/faucet/v1`, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({ address: wallet.address }),
+      body: JSON.stringify({ address: allowance.address }),
     });
     if (res.ok) {
       // Poll for up to 30s
       for (let i = 0; i < 30; i++) {
         await new Promise(r => setTimeout(r, 1000));
         try {
-          const raw = await client.readContract({ address: USDC_SEPOLIA, abi: USDC_ABI, functionName: "balanceOf", args: [wallet.address] });
+          const raw = await client.readContract({ address: USDC_SEPOLIA, abi: USDC_ABI, functionName: "balanceOf", args: [allowance.address] });
           balance = Number(raw);
           if (balance > 0) break;
         } catch {}
       }
-      saveWallet({ ...wallet, funded: true, lastFaucet: new Date().toISOString() });
+      saveAllowance({ ...allowance, funded: true, lastFaucet: new Date().toISOString() });
       if (balance > 0) {
         line("Balance", `${(balance / 1e6).toFixed(2)} USDC (funded)`);
       } else {
@@ -74,7 +74,7 @@ export async function run() {
   let tierInfo = null;
   try {
     const { privateKeyToAccount } = await import("viem/accounts");
-    const account = privateKeyToAccount(wallet.privateKey);
+    const account = privateKeyToAccount(allowance.privateKey);
     const timestamp = Math.floor(Date.now() / 1000).toString();
     const signature = await account.signMessage({ message: `run402:${timestamp}` });
     const res = await fetch(`${API}/tiers/v1/status`, {

package/lib/message.mjs

@@ -1,4 +1,4 @@
-import { API, walletAuthHeaders } from "./config.mjs";
+import { API, allowanceAuthHeaders } from "./config.mjs";
 
 const HELP = `run402 message — Send messages to Run402 developers
 
@@ -6,8 +6,8 @@ Usage:
   run402 message send <text>
 
 Notes:
-  - Free with wallet auth
-  - Requires a wallet (run402 wallet create)
+  - Free with allowance auth
+  - Requires an allowance (run402 allowance create)
 
 Examples:
   run402 message send "Hello from my agent!"
@@ -15,7 +15,7 @@ Examples:
 
 async function send(text) {
   if (!text) { console.error(JSON.stringify({ status: "error", message: "Missing message text" })); process.exit(1); }
-  const authHeaders = await walletAuthHeaders();
+  const authHeaders = await allowanceAuthHeaders();
 
   const res = await fetch(`${API}/message/v1`, {
     method: "POST",

package/lib/paid-fetch.mjs

@@ -1,24 +1,24 @@
 /**
  * Shared x402 payment wrapper for CLI commands that need paid fetch.
- * Uses viem for wallet signing + @x402/fetch for payment wrapping.
+ * Uses viem for allowance signing + @x402/fetch for payment wrapping.
  */
 
-import { readWallet, WALLET_FILE } from "./config.mjs";
+import { readAllowance, ALLOWANCE_FILE } from "./config.mjs";
 import { existsSync } from "fs";
 
 export async function setupPaidFetch() {
-  if (!existsSync(WALLET_FILE)) {
-    console.error(JSON.stringify({ status: "error", message: "No wallet found. Run: run402 wallet create && run402 wallet fund" }));
+  if (!existsSync(ALLOWANCE_FILE)) {
+    console.error(JSON.stringify({ status: "error", message: "No agent allowance found. Run: run402 allowance create && run402 allowance fund" }));
     process.exit(1);
   }
-  const wallet = readWallet();
+  const allowance = readAllowance();
   const { privateKeyToAccount } = await import("viem/accounts");
   const { createPublicClient, http } = await import("viem");
   const { baseSepolia } = await import("viem/chains");
   const { x402Client, wrapFetchWithPayment } = await import("@x402/fetch");
   const { ExactEvmScheme } = await import("@x402/evm/exact/client");
   const { toClientEvmSigner } = await import("@x402/evm");
-  const account = privateKeyToAccount(wallet.privateKey);
+  const account = privateKeyToAccount(allowance.privateKey);
   const publicClient = createPublicClient({ chain: baseSepolia, transport: http() });
   const signer = toClientEvmSigner(account, publicClient);
   const client = new x402Client();

package/lib/projects.mjs

@@ -1,4 +1,4 @@
-import { findProject, loadKeyStore, saveProject, removeProject, API, walletAuthHeaders } from "./config.mjs";
+import { findProject, loadKeyStore, saveProject, removeProject, API, allowanceAuthHeaders } from "./config.mjs";
 
 const HELP = `run402 projects — Manage your deployed Run402 projects
 
@@ -31,7 +31,7 @@ Examples:
 Notes:
   - <id> is the project_id shown in 'run402 projects list'
   - 'rest' uses PostgREST query syntax (table name + optional query string)
-  - 'provision' requires a funded wallet — payment is automatic via x402
+  - 'provision' requires a funded allowance — payment is automatic via x402
   - RLS templates: user_owns_rows, public_read, public_read_write
 `;
 
@@ -48,7 +48,7 @@ async function provision(args) {
     if (args[i] === "--tier" && args[i + 1]) opts.tier = args[++i];
     if (args[i] === "--name" && args[i + 1]) opts.name = args[++i];
   }
-  const authHeaders = await walletAuthHeaders();
+  const authHeaders = await allowanceAuthHeaders();
   const body = { tier: opts.tier };
   if (opts.name) body.name = opts.name;
   const res = await fetch(`${API}/projects/v1`, {

package/lib/sites.mjs

@@ -1,5 +1,5 @@
 import { readFileSync } from "fs";
-import { API, walletAuthHeaders } from "./config.mjs";
+import { API, allowanceAuthHeaders } from "./config.mjs";
 
 const HELP = `run402 sites — Deploy and manage static sites
 
@@ -34,7 +34,7 @@ Examples:
 
 Notes:
   - Must include at least index.html in the files array
-  - Free with active tier — requires wallet auth
+  - Free with active tier — requires allowance auth
 `;
 
 async function readStdin() {
@@ -58,7 +58,7 @@ async function deploy(args) {
   if (opts.project) body.project = opts.project;
   if (opts.target) body.target = opts.target;
 
-  const authHeaders = await walletAuthHeaders();
+  const authHeaders = await allowanceAuthHeaders();
   const res = await fetch(`${API}/deployments/v1`, {
     method: "POST",
     headers: { "Content-Type": "application/json", ...authHeaders },

package/lib/tier.mjs

@@ -1,4 +1,4 @@
-import { readWallet, WALLET_FILE, API } from "./config.mjs";
+import { readAllowance, ALLOWANCE_FILE, API } from "./config.mjs";
 import { setupPaidFetch } from "./paid-fetch.mjs";
 
 const HELP = `run402 tier — Manage your Run402 tier subscription
@@ -10,9 +10,9 @@ Subcommands:
   status                Show current tier (tier name, status, expiry)
   set <tier>            Subscribe, renew, or upgrade (pays via x402)
 
-Tiers: prototype ($0.10/7d), hobby ($5/30d), team ($20/30d)
+Tiers: prototype (free/testnet, 7d), hobby ($5/30d), team ($20/30d)
 
-The server auto-detects the action based on your wallet state:
+The server auto-detects the action based on your allowance state:
   - No tier or expired  → subscribe
   - Same tier, active   → renew (extends from expiry)
   - Higher tier         → upgrade (prorated refund to allowance)
@@ -25,8 +25,8 @@ Examples:
 `;
 
 async function status() {
-  const w = readWallet();
-  if (!w) { console.log(JSON.stringify({ status: "error", message: "No wallet. Run: run402 wallet create" })); process.exit(1); }
+  const w = readAllowance();
+  if (!w) { console.log(JSON.stringify({ status: "error", message: "No agent allowance. Run: run402 allowance create" })); process.exit(1); }
   const { privateKeyToAccount } = await import("viem/accounts");
   const account = privateKeyToAccount(w.privateKey);
   const timestamp = Math.floor(Date.now() / 1000).toString();

package/package.json

@@ -1,14 +1,18 @@
 {
   "name": "run402",
-  "version": "1.9.0",
+  "version": "1.9.2",
   "description": "CLI for Run402 — provision Postgres databases, deploy static sites, generate images, and manage wallets via x402 micropayments.",
   "type": "module",
   "bin": {
     "run402": "cli.mjs"
   },
+  "scripts": {
+    "prepack": "mkdir -p core-dist && cp ../core/dist/*.js core-dist/"
+  },
   "files": [
     "cli.mjs",
-    "lib/"
+    "lib/",
+    "core-dist/"
   ],
   "dependencies": {
     "@x402/evm": "^2.6.0",