run402 2.26.0 → 2.28.0

package/README.md

@@ -193,8 +193,18 @@ Local state lives at:
 
 - `~/.config/run402/projects.json` (`0600`) — project credentials (`anon_key`, `service_key`, `tier`, `lease_expires_at`)
 - `~/.config/run402/allowance.json` (`0600`) — wallet for x402 signing
+- `~/.config/run402/config.json` (`0600`) — global default wallet pointer (`active_wallet`)
+- `~/.config/run402/profiles/<name>/` (`0700`) — named wallets, each with its own `allowance.json` + `projects.json` + non-secret `meta.json`
 
-Override with `RUN402_CONFIG_DIR` or `RUN402_ALLOWANCE_PATH`. Override the API base with `RUN402_API_BASE`.
+Override the base directory with `RUN402_CONFIG_DIR` or the allowance file with `RUN402_ALLOWANCE_PATH`. Override the API base with `RUN402_API_BASE`.
+
+### Named wallets (profiles)
+
+Hold several wallets on one machine and select between them:
+
+- `run402 wallets list | new <name> | use <name> | rename <old> <new> | bind [<name>] | unbind | import <name> --key <path|-> | rm <name> --yes`
+- Select per-command with `--wallet <name>` (alias `--profile`), the `RUN402_WALLET` env var, or a per-directory `.run402.json` (commit-safe — holds only a name) resolved by walking up the tree. Precedence: flag > env > binding > `wallets use` default > `default`. A conflicting env + binding is a hard error.
+- The active wallet name shows in `run402 status` and `run402 wallets current`.
 
 The CLI handles all x402 payment signing automatically — never ask the human for a private key or set up payment libraries by hand.
 

package/cli.mjs

@@ -6,7 +6,7 @@
 
 import { readFileSync } from "node:fs";
 
-const [,, cmd, sub, ...rest] = process.argv;
+const rawArgv = process.argv.slice(2);
 
 const { version } = JSON.parse(
   readFileSync(new URL("./package.json", import.meta.url), "utf8")
@@ -22,6 +22,7 @@ Commands:
   init        Set up allowance, funding, and check tier status (x402 default)
   init mpp    Set up with MPP payment rail (Tempo Moderato testnet)
   status      Show full account state (allowance, balance, tier, projects)
+  wallets     Manage multiple named wallets (list, new, use, rename, bind, import)
   allowance   Manage your agent allowance (create, fund, balance, status)
   tier        Manage tier subscription (status, set)
   projects    Manage projects (provision, list, query, inspect, delete)
@@ -53,6 +54,10 @@ Commands:
   dev         Run Astro dev with Run402 env + credentials in scope
   logs        Fetch function logs by request id (--request-id req_...)
 
+Global options (any command):
+  --wallet <name>   Select a named wallet for this command (see 'run402 wallets')
+                    Also: RUN402_WALLET env, or a ./.run402.json directory binding.
+
 Run 'run402 <command> --help' for detailed usage of each command.
 
 Examples:
@@ -74,22 +79,39 @@ Getting started:
   run402 ci link github --project prj_... --manifest run402.deploy.json
 `;
 
-if (cmd === '--version' || cmd === '-v') {
+const first = rawArgv[0];
+
+if (first === '--version' || first === '-v') {
   console.log(version);
   process.exit(0);
 }
 
-if (!cmd || cmd === '--help' || cmd === '-h') {
+if (first === undefined || first === '--help' || first === '-h') {
   console.log(HELP);
   process.exit(0);
 }
 
+// Resolve the active wallet/profile from the global --wallet/--profile flag,
+// env, and any per-directory .run402.json binding BEFORE dispatch loads a
+// subcommand (whose config.mjs snapshots credential paths). splitWalletFlag
+// also strips the global flag so subcommands never see it.
+const { splitWalletFlag, applyWalletSelection } = await import("./lib/wallet-context.mjs");
+const { argv, walletFlag } = splitWalletFlag(rawArgv);
+const [cmd, sub, ...rest] = argv;
+
 try {
+  applyWalletSelection({
+    walletFlag,
+    cmd,
+    cwd: process.cwd(),
+    env: process.env,
+    quiet: rawArgv.includes("--quiet"),
+  });
   await dispatch();
 } catch (err) {
-  // Surface env/config errors (e.g. invalid RUN402_API_BASE) as a clean
-  // JSON envelope on stderr instead of a raw stack trace. We import the
-  // helper lazily so a broken env doesn't fail this catch handler too.
+  // Surface env/config errors (e.g. invalid RUN402_API_BASE, bad RUN402_WALLET)
+  // as a clean JSON envelope on stderr instead of a raw stack trace. We import
+  // the helper lazily so a broken env doesn't fail this catch handler too.
   const { fail } = await import("./lib/sdk-errors.mjs");
   fail({
     code: "BAD_ENV",
@@ -112,6 +134,11 @@ switch (cmd) {
     await run([sub, ...rest].filter(Boolean));
     break;
   }
+  case "wallets": {
+    const { run } = await import("./lib/wallets.mjs");
+    await run(sub, rest);
+    break;
+  }
   case "allowance": {
     const { run } = await import("./lib/allowance.mjs");
     await run(sub, rest);

package/core-dist/allowance.js

@@ -1,4 +1,4 @@
-import { readFileSync, writeFileSync, mkdirSync, existsSync, chmodSync, renameSync } from "node:fs";
+import { readFileSync, writeFileSync, mkdirSync, existsSync, chmodSync, renameSync, statSync } from "node:fs";
 import { dirname, join } from "node:path";
 import { randomBytes } from "node:crypto";
 import { getAllowancePath } from "./config.js";
@@ -26,10 +26,33 @@ const PRIVATE_KEY_RE = /^0x[a-fA-F0-9]{64}$/;
  * `src/tools/{status,init}.ts` callers translate the throw into their own
  * structured envelopes (`code: BAD_ALLOWANCE_FILE`).
  */
+/**
+ * If an allowance file is readable by group or other (any of the low 0o077
+ * bits set), tighten it to 0600 and warn once on stderr. This self-heals the
+ * historical case where a legacy world-readable `wallet.json` (mode 0644) was
+ * migrated to `allowance.json` via a mode-preserving rename, leaving the
+ * private key exposed on a shared machine. Best-effort: POSIX-only and silent
+ * on platforms without meaningful Unix modes (e.g. Windows).
+ */
+function selfHealPermissions(p) {
+    if (process.platform === "win32")
+        return;
+    try {
+        const mode = statSync(p).mode & 0o777;
+        if ((mode & 0o077) !== 0) {
+            chmodSync(p, 0o600);
+            process.stderr.write(`warning: tightened permissions on ${p} from ${mode.toString(8)} to 600 (was readable by other users).\n`);
+        }
+    }
+    catch {
+        // Best-effort; never block a read on a chmod/stat failure.
+    }
+}
 export function readAllowance(path) {
     const p = path ?? getAllowancePath();
     if (!existsSync(p))
         return null;
+    selfHealPermissions(p);
     let raw;
     try {
         raw = readFileSync(p, "utf-8");

package/core-dist/config.js

@@ -1,6 +1,6 @@
 import { homedir } from "node:os";
 import { join } from "node:path";
-import { existsSync, renameSync, mkdirSync } from "node:fs";
+import { existsSync, renameSync, mkdirSync, chmodSync } from "node:fs";
 const DEFAULT_API_BASE = "https://api.run402.com";
 /**
  * Validate a user-supplied API base URL. Throws a clear error message that
@@ -47,9 +47,71 @@ export function getDeployApiBase() {
     const validated = validateApiBase("RUN402_DEPLOY_API_BASE", process.env.RUN402_DEPLOY_API_BASE, fallback);
     return validated ?? fallback;
 }
-export function getConfigDir() {
+/**
+ * The base credential directory — the root under which the `default` wallet
+ * lives directly and named wallets live under `profiles/<name>/`. This is the
+ * value `RUN402_CONFIG_DIR` overrides; profiles nest *within* it.
+ */
+export function getConfigBaseDir() {
     return process.env.RUN402_CONFIG_DIR || join(homedir(), ".config", "run402");
 }
+export const DEFAULT_PROFILE = "default";
+// Filesystem-safe wallet/profile name. Lowercase only (avoids collisions on
+// case-insensitive filesystems like macOS), starts alphanumeric, then
+// alphanumeric/underscore/hyphen, max 64 chars. The CLI edge enforces this for
+// nice UX; core re-checks it as a defense-in-depth guard so a hostile
+// `RUN402_WALLET`/`RUN402_PROFILE` cannot traverse outside the profiles dir.
+const PROFILE_NAME_RE = /^[a-z0-9][a-z0-9_-]{0,63}$/;
+export function isValidProfileName(name) {
+    return PROFILE_NAME_RE.test(name);
+}
+/**
+ * Guard against path traversal from the profile env vars. The reserved
+ * `default` profile is always allowed (it maps to the base dir). Any other
+ * name must pass the filesystem-safe pattern; otherwise we throw rather than
+ * silently resolve a surprising path.
+ */
+function assertSafeProfileName(name) {
+    if (name === DEFAULT_PROFILE)
+        return;
+    if (!isValidProfileName(name)) {
+        throw new Error(`Invalid wallet/profile name ${JSON.stringify(name)}. ` +
+            "Names must match /^[a-z0-9][a-z0-9_-]{0,63}$/ (lowercase letters, digits, '_' and '-'). " +
+            "Check the RUN402_WALLET / RUN402_PROFILE env var.");
+    }
+}
+/**
+ * The active wallet/profile name from the environment. `RUN402_WALLET` is
+ * canonical; `RUN402_PROFILE` is accepted as an alias. Empty/unset → the
+ * reserved `default`. The CLI edge resolves the `--wallet` flag and any
+ * per-directory `.run402.json` binding into `RUN402_WALLET` *before* dispatch,
+ * so core stays env-only and never reads argv or cwd.
+ */
+export function getActiveProfile() {
+    const raw = process.env.RUN402_WALLET ?? process.env.RUN402_PROFILE;
+    const name = raw == null ? "" : raw.trim();
+    if (!name)
+        return DEFAULT_PROFILE;
+    assertSafeProfileName(name);
+    return name;
+}
+/** Directory holding all named wallets: `{base}/profiles`. */
+export function getProfilesDir() {
+    return join(getConfigBaseDir(), "profiles");
+}
+/**
+ * The effective config directory for the *active* wallet. The `default` wallet
+ * resolves to the base dir (zero migration for existing single-wallet
+ * installs); any named wallet resolves to `{base}/profiles/<name>`. Because
+ * keystore, allowance, and meta paths all derive from this, switching the
+ * profile env var moves the whole wallet bundle atomically — and the SDK/MCP
+ * inherit profile selection for free.
+ */
+export function getConfigDir() {
+    const base = getConfigBaseDir();
+    const profile = getActiveProfile();
+    return profile === DEFAULT_PROFILE ? base : join(base, "profiles", profile);
+}
 export function getKeystorePath() {
     return join(getConfigDir(), "projects.json");
 }
@@ -59,10 +121,20 @@ export function getAllowancePath() {
     const dir = getConfigDir();
     const newPath = join(dir, "allowance.json");
     const oldPath = join(dir, "wallet.json");
-    // Auto-migrate from wallet.json → allowance.json
+    // Auto-migrate from wallet.json → allowance.json. renameSync preserves the
+    // source file's mode, so a legacy world-readable wallet.json (mode 0644)
+    // would otherwise carry that mode forward and leave the private key
+    // world-readable on a shared machine. Tighten to 0600 after the rename.
     if (!existsSync(newPath) && existsSync(oldPath)) {
         mkdirSync(dir, { recursive: true });
         renameSync(oldPath, newPath);
+        try {
+            chmodSync(newPath, 0o600);
+        }
+        catch {
+            // Best-effort (e.g. Windows / exotic filesystems). Read-time self-heal
+            // in readAllowance() is the backstop.
+        }
     }
     return newPath;
 }

package/core-dist/profiles.js

@@ -0,0 +1,196 @@
+/**
+ * Named-wallet profile storage.
+ *
+ * A "wallet" is a whole config directory. The reserved `default` wallet lives
+ * at the base config dir (zero migration for existing installs); every named
+ * wallet lives under `{base}/profiles/<name>/` with its own `allowance.json`,
+ * `projects.json`, and this module's non-secret `meta.json`.
+ *
+ * Two levels of active state, mirroring the wallet → project model:
+ *   - base `{base}/config.json` `active_wallet`  — which wallet is the default
+ *   - per-wallet `projects.json` `active_project_id` — which project within it
+ *
+ * All writes are atomic (temp-file + rename) and owner-only (0600 files,
+ * 0700 dirs). `meta.json` holds only public/display data (no private key), so
+ * listing and name display never need to load key material.
+ */
+import { readFileSync, writeFileSync, mkdirSync, renameSync, chmodSync, existsSync, readdirSync, rmSync, } from "node:fs";
+import { dirname, join } from "node:path";
+import { randomBytes } from "node:crypto";
+import { getConfigBaseDir, getProfilesDir, DEFAULT_PROFILE, isValidProfileName, } from "./config.js";
+function atomicWrite(p, content, mode) {
+    const dir = dirname(p);
+    mkdirSync(dir, { recursive: true });
+    const tmp = join(dir, `.${randomBytes(4).toString("hex")}.tmp`);
+    writeFileSync(tmp, content, { mode });
+    renameSync(tmp, p);
+    try {
+        chmodSync(p, mode);
+    }
+    catch {
+        /* best-effort on non-POSIX */
+    }
+}
+// --- base config.json (global default wallet pointer) ---
+function baseConfigPath() {
+    return join(getConfigBaseDir(), "config.json");
+}
+export function readBaseConfig() {
+    try {
+        const parsed = JSON.parse(readFileSync(baseConfigPath(), "utf-8"));
+        if (parsed && typeof parsed === "object" && !Array.isArray(parsed)) {
+            return parsed;
+        }
+    }
+    catch {
+        /* missing / unreadable / malformed → empty */
+    }
+    return {};
+}
+export function writeBaseConfig(cfg) {
+    atomicWrite(baseConfigPath(), JSON.stringify(cfg, null, 2), 0o600);
+}
+/**
+ * The globally-selected default wallet (set via `wallets use`), or the
+ * reserved `default` when unset/invalid. This is precedence rung 4 — below the
+ * flag, env var, and per-directory binding.
+ */
+export function getDefaultWallet() {
+    const w = readBaseConfig().active_wallet;
+    return w && (w === DEFAULT_PROFILE || isValidProfileName(w)) ? w : DEFAULT_PROFILE;
+}
+export function setDefaultWallet(name) {
+    const cfg = readBaseConfig();
+    cfg.active_wallet = name;
+    writeBaseConfig(cfg);
+}
+// --- per-profile directory + meta.json ---
+/** Absolute directory for a wallet. `default` → base dir; named → profiles/<name>. */
+export function profileDir(name) {
+    return name === DEFAULT_PROFILE ? getConfigBaseDir() : join(getProfilesDir(), name);
+}
+/** Create (if needed) a wallet's directory with owner-only (0700) perms. */
+export function ensureProfileDir(name) {
+    const dir = profileDir(name);
+    if (name === DEFAULT_PROFILE) {
+        mkdirSync(dir, { recursive: true });
+        return dir;
+    }
+    const profilesRoot = getProfilesDir();
+    mkdirSync(profilesRoot, { recursive: true });
+    try {
+        chmodSync(profilesRoot, 0o700);
+    }
+    catch {
+        /* best-effort */
+    }
+    mkdirSync(dir, { recursive: true });
+    try {
+        chmodSync(dir, 0o700);
+    }
+    catch {
+        /* best-effort */
+    }
+    return dir;
+}
+function metaPath(name) {
+    return join(profileDir(name), "meta.json");
+}
+export function readMeta(name) {
+    try {
+        const parsed = JSON.parse(readFileSync(metaPath(name), "utf-8"));
+        if (parsed && typeof parsed === "object" && !Array.isArray(parsed)) {
+            return parsed;
+        }
+    }
+    catch {
+        /* missing / unreadable / malformed → null */
+    }
+    return null;
+}
+export function writeMeta(name, meta) {
+    ensureProfileDir(name);
+    atomicWrite(metaPath(name), JSON.stringify(meta, null, 2), 0o600);
+}
+// --- enumeration + lifecycle ---
+/** True when a wallet's `allowance.json` exists on disk. */
+export function profileExists(name) {
+    return existsSync(join(profileDir(name), "allowance.json"));
+}
+/**
+ * All wallet names on disk: `default` (only if a root allowance.json exists)
+ * plus every valid directory under `profiles/`.
+ */
+export function listProfileNames() {
+    const names = [];
+    if (existsSync(join(getConfigBaseDir(), "allowance.json"))) {
+        names.push(DEFAULT_PROFILE);
+    }
+    try {
+        for (const entry of readdirSync(getProfilesDir(), { withFileTypes: true })) {
+            if (entry.isDirectory() && isValidProfileName(entry.name))
+                names.push(entry.name);
+        }
+    }
+    catch {
+        /* no profiles dir yet */
+    }
+    return names;
+}
+/** Delete a named wallet's directory. Refuses to remove the reserved default. */
+export function removeProfile(name) {
+    if (name === DEFAULT_PROFILE) {
+        throw new Error("Refusing to remove the reserved 'default' wallet");
+    }
+    rmSync(profileDir(name), { recursive: true, force: true });
+}
+/**
+ * Move a wallet to a new name. Renaming `default` migrates the root-level
+ * credential files into `profiles/<newName>/` (so a named wallet is always a
+ * directory). Does NOT update the `active_wallet` pointer — the caller owns
+ * that orchestration. Throws if the destination already exists or the source
+ * is missing.
+ */
+export function renameProfile(oldName, newName) {
+    if (!isValidProfileName(newName)) {
+        throw new Error(`Invalid wallet name ${JSON.stringify(newName)}.`);
+    }
+    if (newName === oldName)
+        return;
+    const dest = join(getProfilesDir(), newName);
+    if (existsSync(dest)) {
+        throw new Error(`A wallet named '${newName}' already exists.`);
+    }
+    mkdirSync(getProfilesDir(), { recursive: true });
+    try {
+        chmodSync(getProfilesDir(), 0o700);
+    }
+    catch {
+        /* best-effort */
+    }
+    if (oldName === DEFAULT_PROFILE) {
+        if (!profileExists(DEFAULT_PROFILE)) {
+            throw new Error("No 'default' wallet to rename.");
+        }
+        mkdirSync(dest, { recursive: true });
+        try {
+            chmodSync(dest, 0o700);
+        }
+        catch {
+            /* best-effort */
+        }
+        const base = getConfigBaseDir();
+        for (const f of ["allowance.json", "projects.json", "meta.json"]) {
+            const src = join(base, f);
+            if (existsSync(src))
+                renameSync(src, join(dest, f));
+        }
+        return;
+    }
+    const src = join(getProfilesDir(), oldName);
+    if (!existsSync(src)) {
+        throw new Error(`Wallet '${oldName}' not found.`);
+    }
+    renameSync(src, dest);
+}
+//# sourceMappingURL=profiles.js.map

package/lib/allowance.mjs

@@ -1,4 +1,4 @@
-import { readAllowance, saveAllowance, ALLOWANCE_FILE } from "./config.mjs";
+import { readAllowance, saveAllowance, allowanceFile } from "./config.mjs";
 import { getSdk } from "./sdk.mjs";
 import { reportSdkError, fail } from "./sdk-errors.mjs";
 import { assertKnownFlags, flagValue, normalizeArgv, parseIntegerFlag, positionalArgs } from "./argparse.mjs";
@@ -98,7 +98,7 @@ async function status() {
         // now" check, use `run402 allowance balance`.
         faucet_used: !!data.faucet_used,
         rail: w?.rail || "x402",
-        path: data.path ?? ALLOWANCE_FILE,
+        path: data.path ?? allowanceFile(),
       },
     }));
   } catch (err) {
@@ -111,7 +111,7 @@ async function create() {
     const result = await getSdk().allowance.create();
     console.log(JSON.stringify({
       address: result.address,
-      path: result.path ?? ALLOWANCE_FILE,
+      path: result.path ?? allowanceFile(),
       created: true,
     }));
   } catch (err) {

package/lib/config.mjs

@@ -9,9 +9,24 @@ import { loadKeyStore, getProject, saveProject, updateProject, removeProject, sa
 import { getAllowanceAuthHeaders as coreGetAllowanceAuthHeaders } from "../core-dist/allowance-auth.js";
 import { fail } from "./sdk-errors.mjs";
 
+// Wallet-dependent paths are exposed as getters (preferred — they always
+// reflect the active profile, even if some future code path imports this module
+// before wallet resolution). Production code (init/doctor/allowance) uses these.
+export function configDir() { return getConfigDir(); }
+export function allowanceFile() { return getAllowancePath(); }
+export function projectsFile() { return getKeystorePath(); }
+
+// Snapshot constants, retained for backward compatibility (tests, the OpenClaw
+// config re-export). These are evaluated when this module is first imported.
+// That is safe in every real flow because the CLI resolves the active wallet
+// (publishing RUN402_WALLET) in cli.mjs BEFORE any subcommand imports this
+// module, and tests set RUN402_CONFIG_DIR before importing. New code should
+// prefer the getters above.
 export const CONFIG_DIR = getConfigDir();
 export const ALLOWANCE_FILE = getAllowancePath();
 export const PROJECTS_FILE = getKeystorePath();
+
+// API base is independent of the active wallet, so a module-load snapshot is safe.
 export const API = getApiBase();
 
 /**
@@ -32,7 +47,7 @@ export function readAllowance() {
       code: "BAD_ALLOWANCE_FILE",
       message: err?.message ?? "allowance.json is malformed",
       hint: "Back up ~/.config/run402/allowance.json and run 'run402 init' to recreate it.",
-      details: { path: ALLOWANCE_FILE },
+      details: { path: allowanceFile() },
     });
   }
 }

package/lib/deploy-v2.mjs

@@ -603,14 +603,16 @@ async function mergeAstroReleaseSlice(spec, dirArg) {
     throw err;
   }
 
-  // Slice owns site/functions/routes. The caller's manifest can declare
-  // cross-cutting slices (database, secrets, i18n, subdomains) that the
-  // slice doesn't touch. On collision in `functions.replace`, the slice
-  // wins for its own function name; the caller's other functions are
-  // preserved. `site` and `routes` are whole-resource replacements — slice
-  // wins entirely on those.
+  // Slice owns site/functions. The caller's manifest can declare cross-cutting
+  // slices (database, secrets, i18n, subdomains, routes) that the slice doesn't
+  // touch. On collision in `functions.replace`, the slice wins for its own
+  // function name; the caller's other functions are preserved. `site` is a
+  // whole-resource replacement — slice wins entirely. The slice omits `routes`
+  // by default (the SSR catchall is implicit; base routes carry forward), so we
+  // only set `spec.routes` if the slice explicitly provides one; otherwise the
+  // caller's manifest `routes` (if any) is preserved.
   spec.site = slice.site;
-  spec.routes = slice.routes;
+  if (slice.routes !== undefined) spec.routes = slice.routes;
   const sliceFns = slice.functions?.replace ?? {};
   const existingFns =
     spec.functions && typeof spec.functions === "object" && spec.functions.replace

package/lib/doctor.mjs

@@ -12,7 +12,7 @@
  */
 
 import { existsSync, statSync } from "node:fs";
-import { CONFIG_DIR, readAllowance, loadKeyStore } from "./config.mjs";
+import { configDir, readAllowance, loadKeyStore } from "./config.mjs";
 import { getSdk } from "./sdk.mjs";
 import {
   resolveScanRoot,
@@ -62,6 +62,7 @@ export async function run(sub, args = []) {
   const scanDirOverride = scanDirArgIdx >= 0 ? all[scanDirArgIdx + 1] : null;
 
   const checks = [];
+  const CONFIG_DIR = configDir();
 
   // 1. Config directory.
   try {

package/lib/init.mjs

@@ -1,4 +1,4 @@
-import { readAllowance, saveAllowance, loadKeyStore, CONFIG_DIR } from "./config.mjs";
+import { readAllowance, saveAllowance, loadKeyStore, configDir } from "./config.mjs";
 import { getSdk } from "./sdk.mjs";
 import { fail } from "./sdk-errors.mjs";
 import { mkdirSync } from "fs";
@@ -64,6 +64,10 @@ export async function run(args = []) {
 
   if (args.includes("--help") || args.includes("-h")) { console.log(HELP); process.exit(0); }
 
+  // Resolve once for this invocation — reflects the active wallet/profile that
+  // cli.mjs published to RUN402_WALLET before this module loaded.
+  const CONFIG_DIR = configDir();
+
   const isMpp = args[0] === "mpp";
   const requestedRail = isMpp ? "mpp" : "x402";
   const switchRailConfirmed = args.includes("--switch-rail");

package/lib/status.mjs

@@ -1,6 +1,8 @@
 import { readAllowance, loadKeyStore, getActiveProjectId } from "./config.mjs";
 import { getSdk } from "./sdk.mjs";
 import { assertKnownFlags, hasHelp, normalizeArgv } from "./argparse.mjs";
+import { getActiveProfile } from "../core-dist/config.js";
+import { readMeta } from "../core-dist/profiles.js";
 
 const HELP = `run402 status — Show full account state in one shot
 
@@ -104,7 +106,18 @@ export async function run(args = []) {
     ? remote.projects.map(normalizeProject)
     : Object.keys(store.projects).map(id => ({ project_id: id }));
 
+  // Which named wallet this state belongs to. `name` is the active profile
+  // (default for single-wallet installs); `label` is the cached server-side
+  // display name (null until set / when offline).
+  const walletName = getActiveProfile();
+  const walletMeta = readMeta(walletName);
+
   const result = {
+    wallet: {
+      name: walletName,
+      address: allowance.address,
+      label: walletMeta?.label ?? null,
+    },
     allowance: {
       address: allowance.address,
       funded: allowance.funded || false,