run402 2.27.0 → 2.28.0

package/lib/wallets.mjs

@@ -0,0 +1,344 @@
+/**
+ * run402 wallets — manage named wallets (profiles).
+ *
+ * Each named wallet is a self-contained profile directory under
+ * `{config_dir}/profiles/<name>/` with its own key, project keystore, and
+ * non-secret meta.json. The reserved `default` wallet lives at the config-dir
+ * root (zero migration). Selection (which wallet a normal command uses) is
+ * resolved at the CLI edge — see wallet-context.mjs. These subcommands operate
+ * on EXPLICIT named targets via core's path-aware helpers, so they are
+ * independent of the active selection.
+ *
+ * Agent-first: JSON to stdout, structured errors to stderr, no interactive
+ * prompts (destructive `rm` requires an explicit --yes).
+ */
+
+import { writeFileSync, readFileSync, existsSync, rmSync } from "node:fs";
+import { join } from "node:path";
+import { fail } from "./sdk-errors.mjs";
+import { isValidProfileName, getActiveProfile } from "../core-dist/config.js";
+import {
+  listProfileNames,
+  profileExists,
+  profileDir,
+  readMeta,
+  writeMeta,
+  ensureProfileDir,
+  removeProfile,
+  renameProfile,
+  getDefaultWallet,
+  setDefaultWallet,
+} from "../core-dist/profiles.js";
+import { readAllowance, saveAllowance } from "../core-dist/allowance.js";
+import { getSdk } from "./sdk.mjs";
+
+const DEFAULT = "default";
+const PRIVATE_KEY_RE = /^0x[0-9a-fA-F]{64}$/;
+
+const HELP = `run402 wallets — manage named wallets (profiles)
+
+Usage:
+  run402 wallets list                 List all wallets (name, label, address, rail, active)
+  run402 wallets current              Show the resolved active wallet + how it was selected
+  run402 wallets new <name>           Create a new named wallet (key stays local)
+  run402 wallets use <name>           Set the global default wallet
+  run402 wallets rename <old> <new>   Rename a wallet (migrates the default's files when old=default)
+  run402 wallets bind [<name>]        Write ./.run402.json binding this directory to a wallet
+  run402 wallets unbind               Remove ./.run402.json
+  run402 wallets import <name> --key <path|->   Adopt an existing private key as a named wallet
+  run402 wallets rm <name> --yes      Delete a wallet and its keys (requires --yes)
+
+Selection precedence for normal commands:
+  --wallet <name>  >  RUN402_WALLET  >  ./.run402.json  >  'wallets use' default  >  default
+
+Options:
+  --mpp           (new) create the wallet on the MPP rail instead of x402
+  --key <path|->  (import) read the private key from a file, or '-' for stdin
+  --yes           (rm) confirm deletion
+
+Notes:
+  • The reserved 'default' wallet lives at the config-dir root; renaming it moves it under profiles/.
+  • .run402.json holds only a wallet NAME (never a key) — safe to commit.
+`;
+
+function shortAddr(a) {
+  return typeof a === "string" && a.length >= 12 ? `${a.slice(0, 6)}…${a.slice(-4)}` : a ?? null;
+}
+
+function out(obj) {
+  console.log(JSON.stringify(obj, null, 2));
+}
+
+function requireName(name, what = "wallet name") {
+  if (!name) fail({ code: "BAD_USAGE", message: `Missing ${what}.`, hint: "run402 wallets --help" });
+  if (name === DEFAULT) return name;
+  if (!isValidProfileName(name)) {
+    fail({
+      code: "BAD_WALLET_NAME",
+      message: `Invalid ${what} ${JSON.stringify(name)}.`,
+      hint: "Names must match /^[a-z0-9][a-z0-9_-]{0,63}$/ (lowercase letters, digits, '_' and '-').",
+      details: { name },
+    });
+  }
+  return name;
+}
+
+function walletInfo(name, active) {
+  const meta = readMeta(name);
+  let address = meta?.address ?? null;
+  let rail = meta?.rail ?? null;
+  const label = meta?.label ?? null;
+  if (!address) {
+    try {
+      const a = readAllowance(join(profileDir(name), "allowance.json"));
+      address = a?.address ?? null;
+      rail = rail ?? a?.rail ?? null;
+    } catch {
+      /* best-effort */
+    }
+  }
+  return { name, label, address, address_short: shortAddr(address), rail, active: name === active };
+}
+
+function activeContext() {
+  try {
+    const ctx = JSON.parse(process.env.RUN402_ACTIVE_WALLET_JSON || "");
+    if (ctx && typeof ctx === "object") return ctx;
+  } catch {
+    /* not set / malformed */
+  }
+  return null;
+}
+
+function cmdList() {
+  const active = getActiveProfile();
+  out(listProfileNames().map((n) => walletInfo(n, active)));
+}
+
+function cmdCurrent() {
+  const ctx = activeContext();
+  const name = ctx?.name ?? getActiveProfile();
+  const info = walletInfo(name, name);
+  const warnings = [];
+  if (ctx?.diverged && ctx.binding) {
+    warnings.push({
+      code: "WALLET_SELECTION_CONFLICT",
+      message: `RUN402_WALLET=${ctx.envName} but ${ctx.binding.file} selects '${ctx.binding.wallet}'.`,
+      hint: "Resolve with: --wallet <name>, unset RUN402_WALLET, or run402 wallets unbind.",
+    });
+  }
+  if (info.label && info.label !== name) {
+    warnings.push({
+      code: "WALLET_LABEL_DRIFT",
+      message: `Local name '${name}' differs from the server label '${info.label}'.`,
+      hint: "Run 'run402 wallets rename' to reconcile.",
+    });
+  }
+  out({
+    name,
+    source: ctx?.source ?? "unknown",
+    source_detail: ctx?.sourceDetail ?? null,
+    address: info.address,
+    label: info.label,
+    warnings,
+  });
+}
+
+async function cmdNew(args) {
+  const name = requireName(args.find((a) => a && !a.startsWith("-")));
+  if (name === DEFAULT) {
+    fail({ code: "BAD_WALLET_NAME", message: "'default' is reserved. Use 'run402 init' for the default wallet.", details: { name } });
+  }
+  if (profileExists(name)) {
+    fail({ code: "WALLET_EXISTS", message: `A wallet named '${name}' already exists.`, hint: "run402 wallets list", details: { name } });
+  }
+  const rail = args.includes("--mpp") ? "mpp" : "x402";
+  const { generatePrivateKey, privateKeyToAccount } = await import("viem/accounts");
+  const privateKey = generatePrivateKey();
+  const address = privateKeyToAccount(privateKey).address;
+  const created = new Date().toISOString();
+  ensureProfileDir(name);
+  saveAllowance({ address, privateKey, created, funded: false, rail }, join(profileDir(name), "allowance.json"));
+  writeMeta(name, { name, address, label: name, rail, created });
+  await maybePushLabel(name, name, address);
+  out({ name, address, rail, created: true, next: `run402 wallets use ${name}  (or --wallet ${name} <command>)` });
+}
+
+function cmdUse(args) {
+  const name = requireName(args.find((a) => a && !a.startsWith("-")));
+  if (name !== DEFAULT && !profileExists(name)) {
+    fail({ code: "WALLET_NOT_FOUND", message: `No local wallet named '${name}'.`, hint: "run402 wallets list", details: { name } });
+  }
+  setDefaultWallet(name);
+  out({ name, active: true });
+}
+
+async function cmdRename(args) {
+  const positionals = args.filter((a) => a && !a.startsWith("-"));
+  const oldName = requireName(positionals[0], "old wallet name");
+  const newName = requireName(positionals[1], "new wallet name");
+  if (newName === DEFAULT) {
+    fail({ code: "BAD_WALLET_NAME", message: "Cannot rename a wallet to the reserved name 'default'.", details: { name: newName } });
+  }
+  if (!profileExists(oldName)) {
+    fail({ code: "WALLET_NOT_FOUND", message: `No local wallet named '${oldName}'.`, hint: "run402 wallets list", details: { name: oldName } });
+  }
+  try {
+    renameProfile(oldName, newName);
+  } catch (e) {
+    fail({ code: "WALLET_RENAME_FAILED", message: e?.message ?? "rename failed", details: { from: oldName, to: newName } });
+  }
+  if (getDefaultWallet() === oldName) setDefaultWallet(newName);
+  const meta = readMeta(newName) ?? {};
+  let address = meta.address ?? null;
+  if (!address) {
+    try {
+      address = readAllowance(join(profileDir(newName), "allowance.json"))?.address ?? null;
+    } catch {
+      /* best-effort */
+    }
+  }
+  writeMeta(newName, { ...meta, name: newName, label: newName, ...(address ? { address } : {}) });
+  await maybePushLabel(newName, newName, address);
+  out({ from: oldName, to: newName, renamed: true });
+}
+
+function cmdBind(args) {
+  let name = args.find((a) => a && !a.startsWith("-"));
+  name = name ? requireName(name) : getActiveProfile();
+  const file = join(process.cwd(), ".run402.json");
+  writeFileSync(file, JSON.stringify({ wallet: name }, null, 2) + "\n");
+  const result = {
+    wallet: name,
+    file: ".run402.json",
+    bound: true,
+    safe_to_commit: true,
+    note: "Safe to commit — contains no secrets, only the wallet name.",
+  };
+  if (name !== DEFAULT && !profileExists(name)) {
+    result.warning = `No local wallet named '${name}' yet — create it with 'run402 wallets new ${name}'.`;
+  }
+  out(result);
+}
+
+function cmdUnbind() {
+  const file = join(process.cwd(), ".run402.json");
+  const existed = existsSync(file);
+  if (existed) rmSync(file, { force: true });
+  out({ file: ".run402.json", unbound: existed });
+}
+
+async function cmdImport(args) {
+  const name = requireName(args.find((a) => a && !a.startsWith("-")));
+  if (name === DEFAULT) {
+    fail({ code: "BAD_WALLET_NAME", message: "'default' is reserved.", details: { name } });
+  }
+  if (profileExists(name)) {
+    fail({ code: "WALLET_EXISTS", message: `A wallet named '${name}' already exists.`, details: { name } });
+  }
+  const keyArg = flagVal(args, "--key");
+  if (!keyArg) {
+    fail({ code: "BAD_USAGE", message: "--key <path|-> is required for import.", hint: "Use '-' to read the key from stdin." });
+  }
+  let raw;
+  try {
+    raw = keyArg === "-" ? readFileSync(0, "utf8") : readFileSync(keyArg, "utf8");
+  } catch (e) {
+    fail({ code: "FILE_NOT_FOUND", message: `Could not read key from ${keyArg === "-" ? "stdin" : keyArg}: ${e?.message}`, details: { key: keyArg } });
+  }
+  const privateKey = raw.trim();
+  if (!PRIVATE_KEY_RE.test(privateKey)) {
+    fail({ code: "BAD_PRIVATE_KEY", message: "Key must be a 0x-prefixed 64-hex secp256k1 private key.", details: { name } });
+  }
+  const { privateKeyToAccount } = await import("viem/accounts");
+  let address;
+  try {
+    address = privateKeyToAccount(privateKey).address;
+  } catch (e) {
+    fail({ code: "BAD_PRIVATE_KEY", message: `Invalid private key: ${e?.message}`, details: { name } });
+  }
+  const created = new Date().toISOString();
+  ensureProfileDir(name);
+  saveAllowance({ address, privateKey, created, funded: false, rail: "x402" }, join(profileDir(name), "allowance.json"));
+  writeMeta(name, { name, address, label: name, rail: "x402", created });
+  await maybePushLabel(name, name, address);
+  out({ name, address, imported: true });
+}
+
+function cmdRm(args) {
+  const name = requireName(args.find((a) => a && !a.startsWith("-")));
+  if (name === DEFAULT) {
+    fail({ code: "WALLET_PROTECTED", message: "Refusing to remove the reserved 'default' wallet.", details: { name } });
+  }
+  if (!profileExists(name)) {
+    fail({ code: "WALLET_NOT_FOUND", message: `No local wallet named '${name}'.`, hint: "run402 wallets list", details: { name } });
+  }
+  if (!args.includes("--yes")) {
+    fail({
+      code: "CONFIRMATION_REQUIRED",
+      message: `Removing wallet '${name}' deletes its private key and project keystore. This cannot be undone.`,
+      hint: `Re-run with --yes to confirm: run402 wallets rm ${name} --yes`,
+      details: { name },
+    });
+  }
+  removeProfile(name);
+  if (getDefaultWallet() === name) setDefaultWallet(DEFAULT);
+  out({ name, removed: true });
+}
+
+function flagVal(args, flag) {
+  const i = args.indexOf(flag);
+  if (i === -1) return null;
+  const v = args[i + 1];
+  if (v === undefined || (typeof v === "string" && v.startsWith("-") && v !== "-")) {
+    fail({ code: "BAD_FLAG", message: `${flag} requires a value`, details: { flag } });
+  }
+  return v;
+}
+
+/**
+ * Best-effort server-side label push. Signs with the TARGET wallet's allowance
+ * (not the active one) so a just-created/renamed wallet can set its own label.
+ *
+ * ON by default — the gateway label endpoint is live, and the display label is
+ * what makes the wallet name show up cross-machine and in the operator console
+ * (WEB). Set `RUN402_WALLET_LABEL_SYNC=0` to disable (fully-offline wallet ops,
+ * or hermetic tests). The local folder name is always the source of truth; this
+ * only mirrors the display label to the server. Always best-effort — `setLabel`
+ * swallows its own errors and this never throws, so wallet creation/rename stays
+ * fully functional offline.
+ */
+async function maybePushLabel(name, label, address) {
+  if (process.env.RUN402_WALLET_LABEL_SYNC === "0") return;
+  if (!address) return;
+  try {
+    const sdk = getSdk({
+      allowancePath: join(profileDir(name), "allowance.json"),
+      keystorePath: join(profileDir(name), "projects.json"),
+    });
+    await sdk.wallets.setLabel(address, label);
+  } catch {
+    /* best-effort — never block the local operation */
+  }
+}
+
+export async function run(sub, args = []) {
+  const rest = Array.isArray(args) ? args : [];
+  if (!sub || sub === "--help" || sub === "-h" || rest.includes("--help") || rest.includes("-h")) {
+    console.log(HELP);
+    return;
+  }
+  switch (sub) {
+    case "list": return cmdList();
+    case "current": return cmdCurrent();
+    case "new": return cmdNew(rest);
+    case "use": return cmdUse(rest);
+    case "rename": return cmdRename(rest);
+    case "bind": return cmdBind(rest);
+    case "unbind": return cmdUnbind();
+    case "import": return cmdImport(rest);
+    case "rm": return cmdRm(rest);
+    default:
+      fail({ code: "BAD_USAGE", message: `Unknown wallets subcommand: ${sub}`, hint: "run402 wallets --help" });
+  }
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "run402",
-  "version": "2.27.0",
+  "version": "2.28.0",
   "description": "CLI for Run402 — provision Postgres databases, deploy static sites, generate images, and manage wallets via x402 and MPP micropayments.",
   "type": "module",
   "bin": {

package/sdk/core-dist/allowance.js

@@ -1,4 +1,4 @@
-import { readFileSync, writeFileSync, mkdirSync, existsSync, chmodSync, renameSync } from "node:fs";
+import { readFileSync, writeFileSync, mkdirSync, existsSync, chmodSync, renameSync, statSync } from "node:fs";
 import { dirname, join } from "node:path";
 import { randomBytes } from "node:crypto";
 import { getAllowancePath } from "./config.js";
@@ -26,10 +26,33 @@ const PRIVATE_KEY_RE = /^0x[a-fA-F0-9]{64}$/;
  * `src/tools/{status,init}.ts` callers translate the throw into their own
  * structured envelopes (`code: BAD_ALLOWANCE_FILE`).
  */
+/**
+ * If an allowance file is readable by group or other (any of the low 0o077
+ * bits set), tighten it to 0600 and warn once on stderr. This self-heals the
+ * historical case where a legacy world-readable `wallet.json` (mode 0644) was
+ * migrated to `allowance.json` via a mode-preserving rename, leaving the
+ * private key exposed on a shared machine. Best-effort: POSIX-only and silent
+ * on platforms without meaningful Unix modes (e.g. Windows).
+ */
+function selfHealPermissions(p) {
+    if (process.platform === "win32")
+        return;
+    try {
+        const mode = statSync(p).mode & 0o777;
+        if ((mode & 0o077) !== 0) {
+            chmodSync(p, 0o600);
+            process.stderr.write(`warning: tightened permissions on ${p} from ${mode.toString(8)} to 600 (was readable by other users).\n`);
+        }
+    }
+    catch {
+        // Best-effort; never block a read on a chmod/stat failure.
+    }
+}
 export function readAllowance(path) {
     const p = path ?? getAllowancePath();
     if (!existsSync(p))
         return null;
+    selfHealPermissions(p);
     let raw;
     try {
         raw = readFileSync(p, "utf-8");

package/sdk/core-dist/config.js

@@ -1,6 +1,6 @@
 import { homedir } from "node:os";
 import { join } from "node:path";
-import { existsSync, renameSync, mkdirSync } from "node:fs";
+import { existsSync, renameSync, mkdirSync, chmodSync } from "node:fs";
 const DEFAULT_API_BASE = "https://api.run402.com";
 /**
  * Validate a user-supplied API base URL. Throws a clear error message that
@@ -47,9 +47,71 @@ export function getDeployApiBase() {
     const validated = validateApiBase("RUN402_DEPLOY_API_BASE", process.env.RUN402_DEPLOY_API_BASE, fallback);
     return validated ?? fallback;
 }
-export function getConfigDir() {
+/**
+ * The base credential directory — the root under which the `default` wallet
+ * lives directly and named wallets live under `profiles/<name>/`. This is the
+ * value `RUN402_CONFIG_DIR` overrides; profiles nest *within* it.
+ */
+export function getConfigBaseDir() {
     return process.env.RUN402_CONFIG_DIR || join(homedir(), ".config", "run402");
 }
+export const DEFAULT_PROFILE = "default";
+// Filesystem-safe wallet/profile name. Lowercase only (avoids collisions on
+// case-insensitive filesystems like macOS), starts alphanumeric, then
+// alphanumeric/underscore/hyphen, max 64 chars. The CLI edge enforces this for
+// nice UX; core re-checks it as a defense-in-depth guard so a hostile
+// `RUN402_WALLET`/`RUN402_PROFILE` cannot traverse outside the profiles dir.
+const PROFILE_NAME_RE = /^[a-z0-9][a-z0-9_-]{0,63}$/;
+export function isValidProfileName(name) {
+    return PROFILE_NAME_RE.test(name);
+}
+/**
+ * Guard against path traversal from the profile env vars. The reserved
+ * `default` profile is always allowed (it maps to the base dir). Any other
+ * name must pass the filesystem-safe pattern; otherwise we throw rather than
+ * silently resolve a surprising path.
+ */
+function assertSafeProfileName(name) {
+    if (name === DEFAULT_PROFILE)
+        return;
+    if (!isValidProfileName(name)) {
+        throw new Error(`Invalid wallet/profile name ${JSON.stringify(name)}. ` +
+            "Names must match /^[a-z0-9][a-z0-9_-]{0,63}$/ (lowercase letters, digits, '_' and '-'). " +
+            "Check the RUN402_WALLET / RUN402_PROFILE env var.");
+    }
+}
+/**
+ * The active wallet/profile name from the environment. `RUN402_WALLET` is
+ * canonical; `RUN402_PROFILE` is accepted as an alias. Empty/unset → the
+ * reserved `default`. The CLI edge resolves the `--wallet` flag and any
+ * per-directory `.run402.json` binding into `RUN402_WALLET` *before* dispatch,
+ * so core stays env-only and never reads argv or cwd.
+ */
+export function getActiveProfile() {
+    const raw = process.env.RUN402_WALLET ?? process.env.RUN402_PROFILE;
+    const name = raw == null ? "" : raw.trim();
+    if (!name)
+        return DEFAULT_PROFILE;
+    assertSafeProfileName(name);
+    return name;
+}
+/** Directory holding all named wallets: `{base}/profiles`. */
+export function getProfilesDir() {
+    return join(getConfigBaseDir(), "profiles");
+}
+/**
+ * The effective config directory for the *active* wallet. The `default` wallet
+ * resolves to the base dir (zero migration for existing single-wallet
+ * installs); any named wallet resolves to `{base}/profiles/<name>`. Because
+ * keystore, allowance, and meta paths all derive from this, switching the
+ * profile env var moves the whole wallet bundle atomically — and the SDK/MCP
+ * inherit profile selection for free.
+ */
+export function getConfigDir() {
+    const base = getConfigBaseDir();
+    const profile = getActiveProfile();
+    return profile === DEFAULT_PROFILE ? base : join(base, "profiles", profile);
+}
 export function getKeystorePath() {
     return join(getConfigDir(), "projects.json");
 }
@@ -59,10 +121,20 @@ export function getAllowancePath() {
     const dir = getConfigDir();
     const newPath = join(dir, "allowance.json");
     const oldPath = join(dir, "wallet.json");
-    // Auto-migrate from wallet.json → allowance.json
+    // Auto-migrate from wallet.json → allowance.json. renameSync preserves the
+    // source file's mode, so a legacy world-readable wallet.json (mode 0644)
+    // would otherwise carry that mode forward and leave the private key
+    // world-readable on a shared machine. Tighten to 0600 after the rename.
     if (!existsSync(newPath) && existsSync(oldPath)) {
         mkdirSync(dir, { recursive: true });
         renameSync(oldPath, newPath);
+        try {
+            chmodSync(newPath, 0o600);
+        }
+        catch {
+            // Best-effort (e.g. Windows / exotic filesystems). Read-time self-heal
+            // in readAllowance() is the backstop.
+        }
     }
     return newPath;
 }

package/sdk/core-dist/profiles.js

@@ -0,0 +1,196 @@
+/**
+ * Named-wallet profile storage.
+ *
+ * A "wallet" is a whole config directory. The reserved `default` wallet lives
+ * at the base config dir (zero migration for existing installs); every named
+ * wallet lives under `{base}/profiles/<name>/` with its own `allowance.json`,
+ * `projects.json`, and this module's non-secret `meta.json`.
+ *
+ * Two levels of active state, mirroring the wallet → project model:
+ *   - base `{base}/config.json` `active_wallet`  — which wallet is the default
+ *   - per-wallet `projects.json` `active_project_id` — which project within it
+ *
+ * All writes are atomic (temp-file + rename) and owner-only (0600 files,
+ * 0700 dirs). `meta.json` holds only public/display data (no private key), so
+ * listing and name display never need to load key material.
+ */
+import { readFileSync, writeFileSync, mkdirSync, renameSync, chmodSync, existsSync, readdirSync, rmSync, } from "node:fs";
+import { dirname, join } from "node:path";
+import { randomBytes } from "node:crypto";
+import { getConfigBaseDir, getProfilesDir, DEFAULT_PROFILE, isValidProfileName, } from "./config.js";
+function atomicWrite(p, content, mode) {
+    const dir = dirname(p);
+    mkdirSync(dir, { recursive: true });
+    const tmp = join(dir, `.${randomBytes(4).toString("hex")}.tmp`);
+    writeFileSync(tmp, content, { mode });
+    renameSync(tmp, p);
+    try {
+        chmodSync(p, mode);
+    }
+    catch {
+        /* best-effort on non-POSIX */
+    }
+}
+// --- base config.json (global default wallet pointer) ---
+function baseConfigPath() {
+    return join(getConfigBaseDir(), "config.json");
+}
+export function readBaseConfig() {
+    try {
+        const parsed = JSON.parse(readFileSync(baseConfigPath(), "utf-8"));
+        if (parsed && typeof parsed === "object" && !Array.isArray(parsed)) {
+            return parsed;
+        }
+    }
+    catch {
+        /* missing / unreadable / malformed → empty */
+    }
+    return {};
+}
+export function writeBaseConfig(cfg) {
+    atomicWrite(baseConfigPath(), JSON.stringify(cfg, null, 2), 0o600);
+}
+/**
+ * The globally-selected default wallet (set via `wallets use`), or the
+ * reserved `default` when unset/invalid. This is precedence rung 4 — below the
+ * flag, env var, and per-directory binding.
+ */
+export function getDefaultWallet() {
+    const w = readBaseConfig().active_wallet;
+    return w && (w === DEFAULT_PROFILE || isValidProfileName(w)) ? w : DEFAULT_PROFILE;
+}
+export function setDefaultWallet(name) {
+    const cfg = readBaseConfig();
+    cfg.active_wallet = name;
+    writeBaseConfig(cfg);
+}
+// --- per-profile directory + meta.json ---
+/** Absolute directory for a wallet. `default` → base dir; named → profiles/<name>. */
+export function profileDir(name) {
+    return name === DEFAULT_PROFILE ? getConfigBaseDir() : join(getProfilesDir(), name);
+}
+/** Create (if needed) a wallet's directory with owner-only (0700) perms. */
+export function ensureProfileDir(name) {
+    const dir = profileDir(name);
+    if (name === DEFAULT_PROFILE) {
+        mkdirSync(dir, { recursive: true });
+        return dir;
+    }
+    const profilesRoot = getProfilesDir();
+    mkdirSync(profilesRoot, { recursive: true });
+    try {
+        chmodSync(profilesRoot, 0o700);
+    }
+    catch {
+        /* best-effort */
+    }
+    mkdirSync(dir, { recursive: true });
+    try {
+        chmodSync(dir, 0o700);
+    }
+    catch {
+        /* best-effort */
+    }
+    return dir;
+}
+function metaPath(name) {
+    return join(profileDir(name), "meta.json");
+}
+export function readMeta(name) {
+    try {
+        const parsed = JSON.parse(readFileSync(metaPath(name), "utf-8"));
+        if (parsed && typeof parsed === "object" && !Array.isArray(parsed)) {
+            return parsed;
+        }
+    }
+    catch {
+        /* missing / unreadable / malformed → null */
+    }
+    return null;
+}
+export function writeMeta(name, meta) {
+    ensureProfileDir(name);
+    atomicWrite(metaPath(name), JSON.stringify(meta, null, 2), 0o600);
+}
+// --- enumeration + lifecycle ---
+/** True when a wallet's `allowance.json` exists on disk. */
+export function profileExists(name) {
+    return existsSync(join(profileDir(name), "allowance.json"));
+}
+/**
+ * All wallet names on disk: `default` (only if a root allowance.json exists)
+ * plus every valid directory under `profiles/`.
+ */
+export function listProfileNames() {
+    const names = [];
+    if (existsSync(join(getConfigBaseDir(), "allowance.json"))) {
+        names.push(DEFAULT_PROFILE);
+    }
+    try {
+        for (const entry of readdirSync(getProfilesDir(), { withFileTypes: true })) {
+            if (entry.isDirectory() && isValidProfileName(entry.name))
+                names.push(entry.name);
+        }
+    }
+    catch {
+        /* no profiles dir yet */
+    }
+    return names;
+}
+/** Delete a named wallet's directory. Refuses to remove the reserved default. */
+export function removeProfile(name) {
+    if (name === DEFAULT_PROFILE) {
+        throw new Error("Refusing to remove the reserved 'default' wallet");
+    }
+    rmSync(profileDir(name), { recursive: true, force: true });
+}
+/**
+ * Move a wallet to a new name. Renaming `default` migrates the root-level
+ * credential files into `profiles/<newName>/` (so a named wallet is always a
+ * directory). Does NOT update the `active_wallet` pointer — the caller owns
+ * that orchestration. Throws if the destination already exists or the source
+ * is missing.
+ */
+export function renameProfile(oldName, newName) {
+    if (!isValidProfileName(newName)) {
+        throw new Error(`Invalid wallet name ${JSON.stringify(newName)}.`);
+    }
+    if (newName === oldName)
+        return;
+    const dest = join(getProfilesDir(), newName);
+    if (existsSync(dest)) {
+        throw new Error(`A wallet named '${newName}' already exists.`);
+    }
+    mkdirSync(getProfilesDir(), { recursive: true });
+    try {
+        chmodSync(getProfilesDir(), 0o700);
+    }
+    catch {
+        /* best-effort */
+    }
+    if (oldName === DEFAULT_PROFILE) {
+        if (!profileExists(DEFAULT_PROFILE)) {
+            throw new Error("No 'default' wallet to rename.");
+        }
+        mkdirSync(dest, { recursive: true });
+        try {
+            chmodSync(dest, 0o700);
+        }
+        catch {
+            /* best-effort */
+        }
+        const base = getConfigBaseDir();
+        for (const f of ["allowance.json", "projects.json", "meta.json"]) {
+            const src = join(base, f);
+            if (existsSync(src))
+                renameSync(src, join(dest, f));
+        }
+        return;
+    }
+    const src = join(getProfilesDir(), oldName);
+    if (!existsSync(src)) {
+        throw new Error(`Wallet '${oldName}' not found.`);
+    }
+    renameSync(src, dest);
+}
+//# sourceMappingURL=profiles.js.map