run402 1.9.1 → 1.9.2

package/core-dist/allowance-auth.js

@@ -0,0 +1,62 @@
+/**
+ * Allowance auth helper — generates EIP-191 signature headers for Run402 API.
+ * Uses @noble/curves (lighter than viem) for signing.
+ */
+import { secp256k1 } from "@noble/curves/secp256k1.js";
+import { keccak_256 } from "@noble/hashes/sha3.js";
+import { bytesToHex } from "@noble/hashes/utils.js";
+import { readAllowance } from "./allowance.js";
+/**
+ * EIP-191 personal_sign: sign a message with the allowance's private key.
+ */
+function personalSign(privateKeyHex, address, message) {
+    const msgBytes = new TextEncoder().encode(message);
+    const prefix = new TextEncoder().encode(`\x19Ethereum Signed Message:\n${msgBytes.length}`);
+    const prefixed = new Uint8Array(prefix.length + msgBytes.length);
+    prefixed.set(prefix);
+    prefixed.set(msgBytes, prefix.length);
+    const hash = keccak_256(prefixed);
+    const pkHex = privateKeyHex.startsWith("0x")
+        ? privateKeyHex.slice(2)
+        : privateKeyHex;
+    const pkBytes = Uint8Array.from(Buffer.from(pkHex, "hex"));
+    const rawSig = secp256k1.sign(hash, pkBytes);
+    const sig = secp256k1.Signature.fromBytes(rawSig);
+    // Determine recovery bit by trying both and matching the address
+    let recovery = 0;
+    for (const v of [0, 1]) {
+        try {
+            const recovered = sig.addRecoveryBit(v).recoverPublicKey(hash);
+            const pubBytes = recovered.toBytes(false).slice(1); // uncompressed, drop 04 prefix
+            const addrBytes = keccak_256(pubBytes).slice(-20);
+            if ("0x" + bytesToHex(addrBytes) === address.toLowerCase()) {
+                recovery = v;
+                break;
+            }
+        }
+        catch {
+            continue;
+        }
+    }
+    const r = sig.r.toString(16).padStart(64, "0");
+    const s = sig.s.toString(16).padStart(64, "0");
+    const vHex = (recovery + 27).toString(16).padStart(2, "0");
+    return "0x" + r + s + vHex;
+}
+/**
+ * Get allowance auth headers for the Run402 API.
+ * Returns null if no allowance is configured.
+ */
+export function getAllowanceAuthHeaders(allowancePath) {
+    const allowance = readAllowance(allowancePath);
+    if (!allowance || !allowance.address || !allowance.privateKey)
+        return null;
+    const timestamp = Math.floor(Date.now() / 1000).toString();
+    const signature = personalSign(allowance.privateKey, allowance.address, `run402:${timestamp}`);
+    return {
+        "X-Run402-Wallet": allowance.address,
+        "X-Run402-Signature": signature,
+        "X-Run402-Timestamp": timestamp,
+    };
+}
+//# sourceMappingURL=allowance-auth.js.map

package/core-dist/allowance.js

@@ -0,0 +1,25 @@
+import { readFileSync, writeFileSync, mkdirSync, existsSync, chmodSync, renameSync } from "node:fs";
+import { dirname, join } from "node:path";
+import { randomBytes } from "node:crypto";
+import { getAllowancePath } from "./config.js";
+export function readAllowance(path) {
+    const p = path ?? getAllowancePath();
+    if (!existsSync(p))
+        return null;
+    try {
+        return JSON.parse(readFileSync(p, "utf-8"));
+    }
+    catch {
+        return null;
+    }
+}
+export function saveAllowance(data, path) {
+    const p = path ?? getAllowancePath();
+    const dir = dirname(p);
+    mkdirSync(dir, { recursive: true });
+    const tmp = join(dir, `.allowance.${randomBytes(4).toString("hex")}.tmp`);
+    writeFileSync(tmp, JSON.stringify(data, null, 2), { mode: 0o600 });
+    renameSync(tmp, p);
+    chmodSync(p, 0o600);
+}
+//# sourceMappingURL=allowance.js.map

package/core-dist/client.js

@@ -0,0 +1,42 @@
+import { getApiBase } from "./config.js";
+export async function apiRequest(path, opts = {}) {
+    const { method = "GET", headers = {}, body, rawBody } = opts;
+    const url = `${getApiBase()}${path}`;
+    const fetchHeaders = { ...headers };
+    let fetchBody;
+    if (rawBody !== undefined) {
+        fetchBody = rawBody;
+    }
+    else if (body !== undefined) {
+        fetchHeaders["Content-Type"] = fetchHeaders["Content-Type"] || "application/json";
+        fetchBody = JSON.stringify(body);
+    }
+    let res;
+    try {
+        res = await fetch(url, {
+            method,
+            headers: fetchHeaders,
+            body: fetchBody,
+        });
+    }
+    catch (err) {
+        return {
+            ok: false,
+            status: 0,
+            body: { error: `Network error: ${err.message}` },
+        };
+    }
+    let resBody;
+    const contentType = res.headers.get("content-type") || "";
+    if (contentType.includes("application/json")) {
+        resBody = await res.json();
+    }
+    else {
+        resBody = await res.text();
+    }
+    if (res.status === 402) {
+        return { ok: false, is402: true, status: 402, body: resBody };
+    }
+    return { ok: res.ok, status: res.status, body: resBody };
+}
+//# sourceMappingURL=client.js.map

package/core-dist/config.js

@@ -0,0 +1,24 @@
+import { homedir } from "node:os";
+import { join } from "node:path";
+import { existsSync, renameSync, mkdirSync } from "node:fs";
+export function getApiBase() {
+    return process.env.RUN402_API_BASE || "https://api.run402.com";
+}
+export function getConfigDir() {
+    return process.env.RUN402_CONFIG_DIR || join(homedir(), ".config", "run402");
+}
+export function getKeystorePath() {
+    return join(getConfigDir(), "projects.json");
+}
+export function getAllowancePath() {
+    const dir = getConfigDir();
+    const newPath = join(dir, "allowance.json");
+    const oldPath = join(dir, "wallet.json");
+    // Auto-migrate from wallet.json → allowance.json
+    if (!existsSync(newPath) && existsSync(oldPath)) {
+        mkdirSync(dir, { recursive: true });
+        renameSync(oldPath, newPath);
+    }
+    return newPath;
+}
+//# sourceMappingURL=config.js.map

package/core-dist/keystore.js

@@ -0,0 +1,75 @@
+import { readFileSync, writeFileSync, mkdirSync, renameSync, chmodSync } from "node:fs";
+import { dirname, join } from "node:path";
+import { randomBytes } from "node:crypto";
+import { getKeystorePath } from "./config.js";
+/**
+ * Load the keystore from disk.
+ * Auto-migrates legacy formats:
+ * - Array format (CLI legacy): [{project_id, ...}] → {projects: {id: {...}}}
+ * - Old field name: expires_at → lease_expires_at
+ */
+export function loadKeyStore(path) {
+    const p = path ?? getKeystorePath();
+    try {
+        const data = readFileSync(p, "utf-8");
+        const parsed = JSON.parse(data);
+        // Auto-migrate array format (CLI legacy) to object format
+        if (Array.isArray(parsed)) {
+            const projects = {};
+            for (const item of parsed) {
+                if (item.project_id) {
+                    projects[item.project_id] = {
+                        anon_key: item.anon_key,
+                        service_key: item.service_key,
+                        tier: item.tier,
+                        lease_expires_at: item.lease_expires_at || item.expires_at || "",
+                        ...(item.site_url && { site_url: item.site_url }),
+                        ...(item.deployed_at && { deployed_at: item.deployed_at }),
+                    };
+                }
+            }
+            return { projects };
+        }
+        if (parsed && typeof parsed === "object" && parsed.projects) {
+            // Auto-normalize expires_at → lease_expires_at
+            for (const proj of Object.values(parsed.projects)) {
+                const rec = proj;
+                if (rec.expires_at && !rec.lease_expires_at) {
+                    rec.lease_expires_at = rec.expires_at;
+                    delete rec.expires_at;
+                }
+            }
+            return parsed;
+        }
+        return { projects: {} };
+    }
+    catch {
+        return { projects: {} };
+    }
+}
+export function saveKeyStore(store, path) {
+    const p = path ?? getKeystorePath();
+    const dir = dirname(p);
+    mkdirSync(dir, { recursive: true });
+    const tmp = join(dir, `.projects.${randomBytes(4).toString("hex")}.tmp`);
+    writeFileSync(tmp, JSON.stringify(store, null, 2), { mode: 0o600 });
+    renameSync(tmp, p);
+    chmodSync(p, 0o600);
+}
+export function getProject(projectId, path) {
+    const store = loadKeyStore(path);
+    return store.projects[projectId];
+}
+export function saveProject(projectId, project, path) {
+    const p = path ?? getKeystorePath();
+    const store = loadKeyStore(p);
+    store.projects[projectId] = project;
+    saveKeyStore(store, p);
+}
+export function removeProject(projectId, path) {
+    const p = path ?? getKeystorePath();
+    const store = loadKeyStore(p);
+    delete store.projects[projectId];
+    saveKeyStore(store, p);
+}
+//# sourceMappingURL=keystore.js.map

package/core-dist/wallet-auth.js

@@ -0,0 +1,62 @@
+/**
+ * Wallet auth helper — generates EIP-191 signature headers for Run402 API.
+ * Uses @noble/curves (lighter than viem) for signing.
+ */
+import { secp256k1 } from "@noble/curves/secp256k1.js";
+import { keccak_256 } from "@noble/hashes/sha3.js";
+import { bytesToHex } from "@noble/hashes/utils.js";
+import { readWallet } from "./wallet.js";
+/**
+ * EIP-191 personal_sign: sign a message with the wallet's private key.
+ */
+function personalSign(privateKeyHex, address, message) {
+    const msgBytes = new TextEncoder().encode(message);
+    const prefix = new TextEncoder().encode(`\x19Ethereum Signed Message:\n${msgBytes.length}`);
+    const prefixed = new Uint8Array(prefix.length + msgBytes.length);
+    prefixed.set(prefix);
+    prefixed.set(msgBytes, prefix.length);
+    const hash = keccak_256(prefixed);
+    const pkHex = privateKeyHex.startsWith("0x")
+        ? privateKeyHex.slice(2)
+        : privateKeyHex;
+    const pkBytes = Uint8Array.from(Buffer.from(pkHex, "hex"));
+    const rawSig = secp256k1.sign(hash, pkBytes);
+    const sig = secp256k1.Signature.fromBytes(rawSig);
+    // Determine recovery bit by trying both and matching the address
+    let recovery = 0;
+    for (const v of [0, 1]) {
+        try {
+            const recovered = sig.addRecoveryBit(v).recoverPublicKey(hash);
+            const pubBytes = recovered.toBytes(false).slice(1); // uncompressed, drop 04 prefix
+            const addrBytes = keccak_256(pubBytes).slice(-20);
+            if ("0x" + bytesToHex(addrBytes) === address.toLowerCase()) {
+                recovery = v;
+                break;
+            }
+        }
+        catch {
+            continue;
+        }
+    }
+    const r = sig.r.toString(16).padStart(64, "0");
+    const s = sig.s.toString(16).padStart(64, "0");
+    const vHex = (recovery + 27).toString(16).padStart(2, "0");
+    return "0x" + r + s + vHex;
+}
+/**
+ * Get wallet auth headers for the Run402 API.
+ * Returns null if no wallet is configured.
+ */
+export function getWalletAuthHeaders(walletPath) {
+    const wallet = readWallet(walletPath);
+    if (!wallet || !wallet.address || !wallet.privateKey)
+        return null;
+    const timestamp = Math.floor(Date.now() / 1000).toString();
+    const signature = personalSign(wallet.privateKey, wallet.address, `run402:${timestamp}`);
+    return {
+        "X-Run402-Wallet": wallet.address,
+        "X-Run402-Signature": signature,
+        "X-Run402-Timestamp": timestamp,
+    };
+}
+//# sourceMappingURL=wallet-auth.js.map

package/core-dist/wallet.js

@@ -0,0 +1,25 @@
+import { readFileSync, writeFileSync, mkdirSync, existsSync, chmodSync, renameSync } from "node:fs";
+import { dirname, join } from "node:path";
+import { randomBytes } from "node:crypto";
+import { getWalletPath } from "./config.js";
+export function readWallet(path) {
+    const p = path ?? getWalletPath();
+    if (!existsSync(p))
+        return null;
+    try {
+        return JSON.parse(readFileSync(p, "utf-8"));
+    }
+    catch {
+        return null;
+    }
+}
+export function saveWallet(data, path) {
+    const p = path ?? getWalletPath();
+    const dir = dirname(p);
+    mkdirSync(dir, { recursive: true });
+    const tmp = join(dir, `.wallet.${randomBytes(4).toString("hex")}.tmp`);
+    writeFileSync(tmp, JSON.stringify(data, null, 2), { mode: 0o600 });
+    renameSync(tmp, p);
+    chmodSync(p, 0o600);
+}
+//# sourceMappingURL=wallet.js.map

package/lib/config.mjs

@@ -3,10 +3,9 @@
  * Adds CLI-specific behavior: process.exit() on errors.
  */
 
-import { getApiBase, getConfigDir, getKeystorePath, getAllowancePath } from "../../core/dist/config.js";
-import { readAllowance as coreReadAllowance, saveAllowance as coreSaveAllowance } from "../../core/dist/allowance.js";
-import { getAllowanceAuthHeaders } from "../../core/dist/allowance-auth.js";
-import { loadKeyStore, getProject, saveProject, removeProject, saveKeyStore } from "../../core/dist/keystore.js";
+import { getApiBase, getConfigDir, getKeystorePath, getAllowancePath } from "../core-dist/config.js";
+import { readAllowance as coreReadAllowance, saveAllowance as coreSaveAllowance } from "../core-dist/allowance.js";
+import { loadKeyStore, getProject, saveProject, removeProject, saveKeyStore } from "../core-dist/keystore.js";
 
 export const CONFIG_DIR = getConfigDir();
 export const ALLOWANCE_FILE = getAllowancePath();
@@ -22,9 +21,13 @@ export function saveAllowance(data) {
 }
 
 export async function allowanceAuthHeaders() {
-  const headers = getAllowanceAuthHeaders();
-  if (!headers) { console.error(JSON.stringify({ status: "error", message: "No agent allowance found. Run: run402 allowance create" })); process.exit(1); }
-  return headers;
+  const w = readAllowance();
+  if (!w) { console.error(JSON.stringify({ status: "error", message: "No agent allowance found. Run: run402 allowance create" })); process.exit(1); }
+  const { privateKeyToAccount } = await import("viem/accounts");
+  const account = privateKeyToAccount(w.privateKey);
+  const timestamp = Math.floor(Date.now() / 1000).toString();
+  const signature = await account.signMessage({ message: `run402:${timestamp}` });
+  return { "X-Run402-Wallet": account.address, "X-Run402-Signature": signature, "X-Run402-Timestamp": timestamp };
 }
 
 export function findProject(id) {

package/package.json

@@ -1,14 +1,18 @@
 {
   "name": "run402",
-  "version": "1.9.1",
+  "version": "1.9.2",
   "description": "CLI for Run402 — provision Postgres databases, deploy static sites, generate images, and manage wallets via x402 micropayments.",
   "type": "module",
   "bin": {
     "run402": "cli.mjs"
   },
+  "scripts": {
+    "prepack": "mkdir -p core-dist && cp ../core/dist/*.js core-dist/"
+  },
   "files": [
     "cli.mjs",
-    "lib/"
+    "lib/",
+    "core-dist/"
   ],
   "dependencies": {
     "@x402/evm": "^2.6.0",