run402 1.9.1 → 1.10.0

package/core-dist/allowance-auth.js

@@ -0,0 +1,62 @@
+/**
+ * Allowance auth helper — generates EIP-191 signature headers for Run402 API.
+ * Uses @noble/curves (lighter than viem) for signing.
+ */
+import { secp256k1 } from "@noble/curves/secp256k1.js";
+import { keccak_256 } from "@noble/hashes/sha3.js";
+import { bytesToHex } from "@noble/hashes/utils.js";
+import { readAllowance } from "./allowance.js";
+/**
+ * EIP-191 personal_sign: sign a message with the allowance's private key.
+ */
+function personalSign(privateKeyHex, address, message) {
+    const msgBytes = new TextEncoder().encode(message);
+    const prefix = new TextEncoder().encode(`\x19Ethereum Signed Message:\n${msgBytes.length}`);
+    const prefixed = new Uint8Array(prefix.length + msgBytes.length);
+    prefixed.set(prefix);
+    prefixed.set(msgBytes, prefix.length);
+    const hash = keccak_256(prefixed);
+    const pkHex = privateKeyHex.startsWith("0x")
+        ? privateKeyHex.slice(2)
+        : privateKeyHex;
+    const pkBytes = Uint8Array.from(Buffer.from(pkHex, "hex"));
+    const rawSig = secp256k1.sign(hash, pkBytes);
+    const sig = secp256k1.Signature.fromBytes(rawSig);
+    // Determine recovery bit by trying both and matching the address
+    let recovery = 0;
+    for (const v of [0, 1]) {
+        try {
+            const recovered = sig.addRecoveryBit(v).recoverPublicKey(hash);
+            const pubBytes = recovered.toBytes(false).slice(1); // uncompressed, drop 04 prefix
+            const addrBytes = keccak_256(pubBytes).slice(-20);
+            if ("0x" + bytesToHex(addrBytes) === address.toLowerCase()) {
+                recovery = v;
+                break;
+            }
+        }
+        catch {
+            continue;
+        }
+    }
+    const r = sig.r.toString(16).padStart(64, "0");
+    const s = sig.s.toString(16).padStart(64, "0");
+    const vHex = (recovery + 27).toString(16).padStart(2, "0");
+    return "0x" + r + s + vHex;
+}
+/**
+ * Get allowance auth headers for the Run402 API.
+ * Returns null if no allowance is configured.
+ */
+export function getAllowanceAuthHeaders(allowancePath) {
+    const allowance = readAllowance(allowancePath);
+    if (!allowance || !allowance.address || !allowance.privateKey)
+        return null;
+    const timestamp = Math.floor(Date.now() / 1000).toString();
+    const signature = personalSign(allowance.privateKey, allowance.address, `run402:${timestamp}`);
+    return {
+        "X-Run402-Wallet": allowance.address,
+        "X-Run402-Signature": signature,
+        "X-Run402-Timestamp": timestamp,
+    };
+}
+//# sourceMappingURL=allowance-auth.js.map

package/core-dist/allowance.js

@@ -0,0 +1,25 @@
+import { readFileSync, writeFileSync, mkdirSync, existsSync, chmodSync, renameSync } from "node:fs";
+import { dirname, join } from "node:path";
+import { randomBytes } from "node:crypto";
+import { getAllowancePath } from "./config.js";
+export function readAllowance(path) {
+    const p = path ?? getAllowancePath();
+    if (!existsSync(p))
+        return null;
+    try {
+        return JSON.parse(readFileSync(p, "utf-8"));
+    }
+    catch {
+        return null;
+    }
+}
+export function saveAllowance(data, path) {
+    const p = path ?? getAllowancePath();
+    const dir = dirname(p);
+    mkdirSync(dir, { recursive: true });
+    const tmp = join(dir, `.allowance.${randomBytes(4).toString("hex")}.tmp`);
+    writeFileSync(tmp, JSON.stringify(data, null, 2), { mode: 0o600 });
+    renameSync(tmp, p);
+    chmodSync(p, 0o600);
+}
+//# sourceMappingURL=allowance.js.map

package/core-dist/client.js

@@ -0,0 +1,42 @@
+import { getApiBase } from "./config.js";
+export async function apiRequest(path, opts = {}) {
+    const { method = "GET", headers = {}, body, rawBody } = opts;
+    const url = `${getApiBase()}${path}`;
+    const fetchHeaders = { ...headers };
+    let fetchBody;
+    if (rawBody !== undefined) {
+        fetchBody = rawBody;
+    }
+    else if (body !== undefined) {
+        fetchHeaders["Content-Type"] = fetchHeaders["Content-Type"] || "application/json";
+        fetchBody = JSON.stringify(body);
+    }
+    let res;
+    try {
+        res = await fetch(url, {
+            method,
+            headers: fetchHeaders,
+            body: fetchBody,
+        });
+    }
+    catch (err) {
+        return {
+            ok: false,
+            status: 0,
+            body: { error: `Network error: ${err.message}` },
+        };
+    }
+    let resBody;
+    const contentType = res.headers.get("content-type") || "";
+    if (contentType.includes("application/json")) {
+        resBody = await res.json();
+    }
+    else {
+        resBody = await res.text();
+    }
+    if (res.status === 402) {
+        return { ok: false, is402: true, status: 402, body: resBody };
+    }
+    return { ok: res.ok, status: res.status, body: resBody };
+}
+//# sourceMappingURL=client.js.map

package/core-dist/config.js

@@ -0,0 +1,24 @@
+import { homedir } from "node:os";
+import { join } from "node:path";
+import { existsSync, renameSync, mkdirSync } from "node:fs";
+export function getApiBase() {
+    return process.env.RUN402_API_BASE || "https://api.run402.com";
+}
+export function getConfigDir() {
+    return process.env.RUN402_CONFIG_DIR || join(homedir(), ".config", "run402");
+}
+export function getKeystorePath() {
+    return join(getConfigDir(), "projects.json");
+}
+export function getAllowancePath() {
+    const dir = getConfigDir();
+    const newPath = join(dir, "allowance.json");
+    const oldPath = join(dir, "wallet.json");
+    // Auto-migrate from wallet.json → allowance.json
+    if (!existsSync(newPath) && existsSync(oldPath)) {
+        mkdirSync(dir, { recursive: true });
+        renameSync(oldPath, newPath);
+    }
+    return newPath;
+}
+//# sourceMappingURL=config.js.map

package/core-dist/keystore.js

@@ -0,0 +1,75 @@
+import { readFileSync, writeFileSync, mkdirSync, renameSync, chmodSync } from "node:fs";
+import { dirname, join } from "node:path";
+import { randomBytes } from "node:crypto";
+import { getKeystorePath } from "./config.js";
+/**
+ * Load the keystore from disk.
+ * Auto-migrates legacy formats:
+ * - Array format (CLI legacy): [{project_id, ...}] → {projects: {id: {...}}}
+ * - Old field name: expires_at → lease_expires_at
+ */
+export function loadKeyStore(path) {
+    const p = path ?? getKeystorePath();
+    try {
+        const data = readFileSync(p, "utf-8");
+        const parsed = JSON.parse(data);
+        // Auto-migrate array format (CLI legacy) to object format
+        if (Array.isArray(parsed)) {
+            const projects = {};
+            for (const item of parsed) {
+                if (item.project_id) {
+                    projects[item.project_id] = {
+                        anon_key: item.anon_key,
+                        service_key: item.service_key,
+                        tier: item.tier,
+                        lease_expires_at: item.lease_expires_at || item.expires_at || "",
+                        ...(item.site_url && { site_url: item.site_url }),
+                        ...(item.deployed_at && { deployed_at: item.deployed_at }),
+                    };
+                }
+            }
+            return { projects };
+        }
+        if (parsed && typeof parsed === "object" && parsed.projects) {
+            // Auto-normalize expires_at → lease_expires_at
+            for (const proj of Object.values(parsed.projects)) {
+                const rec = proj;
+                if (rec.expires_at && !rec.lease_expires_at) {
+                    rec.lease_expires_at = rec.expires_at;
+                    delete rec.expires_at;
+                }
+            }
+            return parsed;
+        }
+        return { projects: {} };
+    }
+    catch {
+        return { projects: {} };
+    }
+}
+export function saveKeyStore(store, path) {
+    const p = path ?? getKeystorePath();
+    const dir = dirname(p);
+    mkdirSync(dir, { recursive: true });
+    const tmp = join(dir, `.projects.${randomBytes(4).toString("hex")}.tmp`);
+    writeFileSync(tmp, JSON.stringify(store, null, 2), { mode: 0o600 });
+    renameSync(tmp, p);
+    chmodSync(p, 0o600);
+}
+export function getProject(projectId, path) {
+    const store = loadKeyStore(path);
+    return store.projects[projectId];
+}
+export function saveProject(projectId, project, path) {
+    const p = path ?? getKeystorePath();
+    const store = loadKeyStore(p);
+    store.projects[projectId] = project;
+    saveKeyStore(store, p);
+}
+export function removeProject(projectId, path) {
+    const p = path ?? getKeystorePath();
+    const store = loadKeyStore(p);
+    delete store.projects[projectId];
+    saveKeyStore(store, p);
+}
+//# sourceMappingURL=keystore.js.map

package/core-dist/wallet-auth.js

@@ -0,0 +1,62 @@
+/**
+ * Wallet auth helper — generates EIP-191 signature headers for Run402 API.
+ * Uses @noble/curves (lighter than viem) for signing.
+ */
+import { secp256k1 } from "@noble/curves/secp256k1.js";
+import { keccak_256 } from "@noble/hashes/sha3.js";
+import { bytesToHex } from "@noble/hashes/utils.js";
+import { readWallet } from "./wallet.js";
+/**
+ * EIP-191 personal_sign: sign a message with the wallet's private key.
+ */
+function personalSign(privateKeyHex, address, message) {
+    const msgBytes = new TextEncoder().encode(message);
+    const prefix = new TextEncoder().encode(`\x19Ethereum Signed Message:\n${msgBytes.length}`);
+    const prefixed = new Uint8Array(prefix.length + msgBytes.length);
+    prefixed.set(prefix);
+    prefixed.set(msgBytes, prefix.length);
+    const hash = keccak_256(prefixed);
+    const pkHex = privateKeyHex.startsWith("0x")
+        ? privateKeyHex.slice(2)
+        : privateKeyHex;
+    const pkBytes = Uint8Array.from(Buffer.from(pkHex, "hex"));
+    const rawSig = secp256k1.sign(hash, pkBytes);
+    const sig = secp256k1.Signature.fromBytes(rawSig);
+    // Determine recovery bit by trying both and matching the address
+    let recovery = 0;
+    for (const v of [0, 1]) {
+        try {
+            const recovered = sig.addRecoveryBit(v).recoverPublicKey(hash);
+            const pubBytes = recovered.toBytes(false).slice(1); // uncompressed, drop 04 prefix
+            const addrBytes = keccak_256(pubBytes).slice(-20);
+            if ("0x" + bytesToHex(addrBytes) === address.toLowerCase()) {
+                recovery = v;
+                break;
+            }
+        }
+        catch {
+            continue;
+        }
+    }
+    const r = sig.r.toString(16).padStart(64, "0");
+    const s = sig.s.toString(16).padStart(64, "0");
+    const vHex = (recovery + 27).toString(16).padStart(2, "0");
+    return "0x" + r + s + vHex;
+}
+/**
+ * Get wallet auth headers for the Run402 API.
+ * Returns null if no wallet is configured.
+ */
+export function getWalletAuthHeaders(walletPath) {
+    const wallet = readWallet(walletPath);
+    if (!wallet || !wallet.address || !wallet.privateKey)
+        return null;
+    const timestamp = Math.floor(Date.now() / 1000).toString();
+    const signature = personalSign(wallet.privateKey, wallet.address, `run402:${timestamp}`);
+    return {
+        "X-Run402-Wallet": wallet.address,
+        "X-Run402-Signature": signature,
+        "X-Run402-Timestamp": timestamp,
+    };
+}
+//# sourceMappingURL=wallet-auth.js.map

package/core-dist/wallet.js

@@ -0,0 +1,25 @@
+import { readFileSync, writeFileSync, mkdirSync, existsSync, chmodSync, renameSync } from "node:fs";
+import { dirname, join } from "node:path";
+import { randomBytes } from "node:crypto";
+import { getWalletPath } from "./config.js";
+export function readWallet(path) {
+    const p = path ?? getWalletPath();
+    if (!existsSync(p))
+        return null;
+    try {
+        return JSON.parse(readFileSync(p, "utf-8"));
+    }
+    catch {
+        return null;
+    }
+}
+export function saveWallet(data, path) {
+    const p = path ?? getWalletPath();
+    const dir = dirname(p);
+    mkdirSync(dir, { recursive: true });
+    const tmp = join(dir, `.wallet.${randomBytes(4).toString("hex")}.tmp`);
+    writeFileSync(tmp, JSON.stringify(data, null, 2), { mode: 0o600 });
+    renameSync(tmp, p);
+    chmodSync(p, 0o600);
+}
+//# sourceMappingURL=wallet.js.map

package/lib/config.mjs

@@ -3,10 +3,9 @@
  * Adds CLI-specific behavior: process.exit() on errors.
  */
 
-import { getApiBase, getConfigDir, getKeystorePath, getAllowancePath } from "../../core/dist/config.js";
-import { readAllowance as coreReadAllowance, saveAllowance as coreSaveAllowance } from "../../core/dist/allowance.js";
-import { getAllowanceAuthHeaders } from "../../core/dist/allowance-auth.js";
-import { loadKeyStore, getProject, saveProject, removeProject, saveKeyStore } from "../../core/dist/keystore.js";
+import { getApiBase, getConfigDir, getKeystorePath, getAllowancePath } from "../core-dist/config.js";
+import { readAllowance as coreReadAllowance, saveAllowance as coreSaveAllowance } from "../core-dist/allowance.js";
+import { loadKeyStore, getProject, saveProject, removeProject, saveKeyStore } from "../core-dist/keystore.js";
 
 export const CONFIG_DIR = getConfigDir();
 export const ALLOWANCE_FILE = getAllowancePath();
@@ -22,9 +21,13 @@ export function saveAllowance(data) {
 }
 
 export async function allowanceAuthHeaders() {
-  const headers = getAllowanceAuthHeaders();
-  if (!headers) { console.error(JSON.stringify({ status: "error", message: "No agent allowance found. Run: run402 allowance create" })); process.exit(1); }
-  return headers;
+  const w = readAllowance();
+  if (!w) { console.error(JSON.stringify({ status: "error", message: "No agent allowance found. Run: run402 allowance create" })); process.exit(1); }
+  const { privateKeyToAccount } = await import("viem/accounts");
+  const account = privateKeyToAccount(w.privateKey);
+  const timestamp = Math.floor(Date.now() / 1000).toString();
+  const signature = await account.signMessage({ message: `run402:${timestamp}` });
+  return { "X-Run402-Wallet": account.address, "X-Run402-Signature": signature, "X-Run402-Timestamp": timestamp };
 }
 
 export function findProject(id) {

package/lib/init.mjs

@@ -71,6 +71,7 @@ export async function run() {
   }
 
   // 4. Tier status
+  const store = loadKeyStore();
   let tierInfo = null;
   try {
     const { privateKeyToAccount } = await import("viem/accounts");
@@ -83,6 +84,13 @@ export async function run() {
     if (res.ok) tierInfo = await res.json();
   } catch {}
 
+  // Fall back to keystore if the API call failed or returned no tier
+  if (!tierInfo || !tierInfo.tier) {
+    const projects = Object.values(store.projects);
+    const active = projects.find(p => p.tier && p.lease_expires_at && new Date(p.lease_expires_at) > new Date());
+    if (active) tierInfo = { tier: active.tier, status: "active", lease_expires_at: active.lease_expires_at };
+  }
+
   if (tierInfo && tierInfo.tier && tierInfo.status === "active") {
     const expiry = tierInfo.lease_expires_at ? tierInfo.lease_expires_at.split("T")[0] : "unknown";
     line("Tier", `${tierInfo.tier} (expires ${expiry})`);
@@ -91,7 +99,6 @@ export async function run() {
   }
 
   // 5. Projects
-  const store = loadKeyStore();
   line("Projects", `${Object.keys(store.projects).length} active`);
 
   // 6. Next step

package/lib/projects.mjs

@@ -9,6 +9,7 @@ Subcommands:
   quote                                   Show pricing tiers
   provision [--tier <tier>] [--name <n>]  Provision a new Postgres project (pays via x402)
   list                                    List all your projects (IDs, tiers, URLs, expiry)
+  info  <id>                              Show project details: REST URL, keys, expiry
   sql   <id> "<query>"                    Run a SQL query against a project's Postgres DB
   rest  <id> <table> [params]             Query a table via the REST API (PostgREST)
   usage <id>                              Show compute/storage usage for a project
@@ -21,6 +22,7 @@ Examples:
   run402 projects provision --tier prototype
   run402 projects provision --tier hobby --name my-app
   run402 projects list
+  run402 projects info abc123
   run402 projects sql abc123 "SELECT * FROM users LIMIT 5"
   run402 projects rest abc123 users "limit=10&select=id,name"
   run402 projects usage abc123
@@ -89,6 +91,22 @@ async function list() {
   console.log(JSON.stringify(entries.map(([id, p]) => ({ project_id: id, tier: p.tier, site_url: p.site_url, lease_expires_at: p.lease_expires_at, deployed_at: p.deployed_at })), null, 2));
 }
 
+async function info(projectId) {
+  const p = findProject(projectId);
+  const active = p.lease_expires_at ? new Date(p.lease_expires_at) > new Date() : null;
+  console.log(JSON.stringify({
+    project_id: projectId,
+    tier: p.tier,
+    active,
+    lease_expires_at: p.lease_expires_at,
+    rest_url: `${API}/rest/v1`,
+    anon_key: p.anon_key,
+    service_key: p.service_key,
+    site_url: p.site_url || null,
+    deployed_at: p.deployed_at || null,
+  }, null, 2));
+}
+
 async function sqlCmd(projectId, query) {
   const p = findProject(projectId);
   const res = await fetch(`${API}/projects/v1/admin/${projectId}/sql`, { method: "POST", headers: { "Authorization": `Bearer ${p.service_key}`, "Content-Type": "text/plain" }, body: query });
@@ -138,6 +156,7 @@ export async function run(sub, args) {
     case "quote":     await quote(); break;
     case "provision": await provision(args); break;
     case "list":      await list(); break;
+    case "info":      await info(args[0]); break;
     case "sql":       await sqlCmd(args[0], args[1]); break;
     case "rest":      await rest(args[0], args[1], args[2]); break;
     case "usage":     await usage(args[0]); break;

package/package.json

@@ -1,14 +1,18 @@
 {
   "name": "run402",
-  "version": "1.9.1",
+  "version": "1.10.0",
   "description": "CLI for Run402 — provision Postgres databases, deploy static sites, generate images, and manage wallets via x402 micropayments.",
   "type": "module",
   "bin": {
     "run402": "cli.mjs"
   },
+  "scripts": {
+    "prepack": "mkdir -p core-dist && cp ../core/dist/*.js core-dist/"
+  },
   "files": [
     "cli.mjs",
-    "lib/"
+    "lib/",
+    "core-dist/"
   ],
   "dependencies": {
     "@x402/evm": "^2.6.0",