Replace legacy 3-header wallet auth with SIWX (EIP-4361) across all interfaces

The Run402 API now expects a single SIGN-IN-WITH-X header using the CAIP-122 /
EIP-4361 (SIWE) standard instead of the legacy X-Run402-Wallet/Signature/Timestamp
headers. Inlines the SIWE message format in core to avoid heavy deps, and all
three interfaces (MCP, CLI, OpenClaw) now use core's single signing code path.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: MajorTal

cli/lib/agent.mjs

@@ -23,7 +23,7 @@ async function contact(args) {
     if (args[i] === "--webhook" && args[i + 1]) webhook = args[++i];
   }
   if (!name) { console.error(JSON.stringify({ status: "error", message: "Missing --name <name>" })); process.exit(1); }
-  const authHeaders = await allowanceAuthHeaders();
+  const authHeaders = allowanceAuthHeaders("/agent/v1/contact");
 
   const body = { name };
   if (email) body.email = email;

cli/lib/apps.mjs

@@ -47,7 +47,7 @@ async function fork(versionId, name, args) {
     if (args[i] === "--tier" && args[i + 1]) opts.tier = args[++i];
     if (args[i] === "--subdomain" && args[i + 1]) opts.subdomain = args[++i];
   }
-  const authHeaders = await allowanceAuthHeaders();
+  const authHeaders = allowanceAuthHeaders("/fork/v1");
 
   const body = { version_id: versionId, name };
   if (opts.subdomain) body.subdomain = opts.subdomain;

cli/lib/config.mjs

@@ -6,6 +6,7 @@
 import { getApiBase, getConfigDir, getKeystorePath, getAllowancePath } from "../core-dist/config.js";
 import { readAllowance as coreReadAllowance, saveAllowance as coreSaveAllowance } from "../core-dist/allowance.js";
 import { loadKeyStore, getProject, saveProject, updateProject, removeProject, saveKeyStore, getActiveProjectId, setActiveProjectId } from "../core-dist/keystore.js";
+import { getAllowanceAuthHeaders as coreGetAllowanceAuthHeaders } from "../core-dist/allowance-auth.js";
 
 export const CONFIG_DIR = getConfigDir();
 export const ALLOWANCE_FILE = getAllowancePath();
@@ -20,14 +21,10 @@ export function saveAllowance(data) {
   coreSaveAllowance(data);
 }
 
-export async function allowanceAuthHeaders() {
-  const w = readAllowance();
-  if (!w) { console.error(JSON.stringify({ status: "error", message: "No agent allowance found. Run: run402 allowance create" })); process.exit(1); }
-  const { privateKeyToAccount } = await import("viem/accounts");
-  const account = privateKeyToAccount(w.privateKey);
-  const timestamp = Math.floor(Date.now() / 1000).toString();
-  const signature = await account.signMessage({ message: `run402:${timestamp}` });
-  return { "X-Run402-Wallet": account.address, "X-Run402-Signature": signature, "X-Run402-Timestamp": timestamp };
+export function allowanceAuthHeaders(path) {
+  const headers = coreGetAllowanceAuthHeaders(path);
+  if (!headers) { console.error(JSON.stringify({ status: "error", message: "No agent allowance found. Run: run402 allowance create" })); process.exit(1); }
+  return headers;
 }
 
 export function findProject(id) {

cli/lib/deploy.mjs

@@ -67,7 +67,7 @@ export async function run(args) {
 
   const manifest = opts.manifest ? JSON.parse(readFileSync(opts.manifest, "utf-8")) : JSON.parse(await readStdin());
 
-  const authHeaders = await allowanceAuthHeaders();
+  const authHeaders = allowanceAuthHeaders("/deploy/v1");
   const res = await fetch(`${API}/deploy/v1`, { method: "POST", headers: { "Content-Type": "application/json", ...authHeaders }, body: JSON.stringify(manifest) });
   const result = await res.json();
   if (!res.ok) { console.error(JSON.stringify({ status: "error", http: res.status, ...result })); process.exit(1); }

cli/lib/init.mjs

@@ -1,4 +1,5 @@
 import { readAllowance, saveAllowance, loadKeyStore, CONFIG_DIR, ALLOWANCE_FILE, API } from "./config.mjs";
+import { getAllowanceAuthHeaders } from "../core-dist/allowance-auth.js";
 import { mkdirSync } from "fs";
 
 const USDC_ABI = [{ name: "balanceOf", type: "function", stateMutability: "view", inputs: [{ name: "account", type: "address" }], outputs: [{ name: "", type: "uint256" }] }];
@@ -74,14 +75,13 @@ export async function run() {
   const store = loadKeyStore();
   let tierInfo = null;
   try {
-    const { privateKeyToAccount } = await import("viem/accounts");
-    const account = privateKeyToAccount(allowance.privateKey);
-    const timestamp = Math.floor(Date.now() / 1000).toString();
-    const signature = await account.signMessage({ message: `run402:${timestamp}` });
-    const res = await fetch(`${API}/tiers/v1/status`, {
-      headers: { "X-Run402-Wallet": account.address, "X-Run402-Signature": signature, "X-Run402-Timestamp": timestamp },
-    });
-    if (res.ok) tierInfo = await res.json();
+    const authHeaders = getAllowanceAuthHeaders("/tiers/v1/status");
+    if (authHeaders) {
+      const res = await fetch(`${API}/tiers/v1/status`, {
+        headers: { ...authHeaders },
+      });
+      if (res.ok) tierInfo = await res.json();
+    }
   } catch {}
 
   if (tierInfo && tierInfo.tier && tierInfo.status === "active") {

cli/lib/message.mjs

@@ -15,7 +15,7 @@ Examples:
 
 async function send(text) {
   if (!text) { console.error(JSON.stringify({ status: "error", message: "Missing message text" })); process.exit(1); }
-  const authHeaders = await allowanceAuthHeaders();
+  const authHeaders = allowanceAuthHeaders("/message/v1");
 
   const res = await fetch(`${API}/message/v1`, {
     method: "POST",

cli/lib/projects.mjs

@@ -53,7 +53,7 @@ async function provision(args) {
     if (args[i] === "--tier" && args[i + 1]) opts.tier = args[++i];
     if (args[i] === "--name" && args[i + 1]) opts.name = args[++i];
   }
-  const authHeaders = await allowanceAuthHeaders();
+  const authHeaders = allowanceAuthHeaders("/projects/v1");
   const body = { tier: opts.tier };
   if (opts.name) body.name = opts.name;
   const res = await fetch(`${API}/projects/v1`, {

cli/lib/sites.mjs

@@ -55,7 +55,7 @@ async function deploy(args) {
   const body = { files: manifest.files, project: projectId };
   if (opts.target) body.target = opts.target;
 
-  const authHeaders = await allowanceAuthHeaders();
+  const authHeaders = allowanceAuthHeaders("/deployments/v1");
   const res = await fetch(`${API}/deployments/v1`, {
     method: "POST",
     headers: { "Content-Type": "application/json", ...authHeaders },

cli/lib/tier.mjs

@@ -1,4 +1,4 @@
-import { readAllowance, ALLOWANCE_FILE, API } from "./config.mjs";
+import { readAllowance, ALLOWANCE_FILE, API, allowanceAuthHeaders } from "./config.mjs";
 import { setupPaidFetch } from "./paid-fetch.mjs";
 
 const HELP = `run402 tier — Manage your Run402 tier subscription
@@ -25,14 +25,9 @@ Examples:
 `;
 
 async function status() {
-  const w = readAllowance();
-  if (!w) { console.log(JSON.stringify({ status: "error", message: "No agent allowance. Run: run402 allowance create" })); process.exit(1); }
-  const { privateKeyToAccount } = await import("viem/accounts");
-  const account = privateKeyToAccount(w.privateKey);
-  const timestamp = Math.floor(Date.now() / 1000).toString();
-  const signature = await account.signMessage({ message: `run402:${timestamp}` });
+  const authHeaders = allowanceAuthHeaders("/tiers/v1/status");
   const res = await fetch(`${API}/tiers/v1/status`, {
-    headers: { "X-Run402-Wallet": account.address, "X-Run402-Signature": signature, "X-Run402-Timestamp": timestamp },
+    headers: { ...authHeaders },
   });
   const data = await res.json();
   if (!res.ok) { console.error(JSON.stringify({ status: "error", http: res.status, ...data })); process.exit(1); }

core/src/allowance-auth.test.ts

@@ -0,0 +1,134 @@
+import { describe, it, beforeEach, afterEach } from "node:test";
+import assert from "node:assert/strict";
+import { mkdtempSync, rmSync } from "node:fs";
+import { join } from "node:path";
+import { tmpdir } from "node:os";
+import { toChecksumAddress, formatSIWEMessage, getAllowanceAuthHeaders } from "./allowance-auth.js";
+import { saveAllowance } from "./allowance.js";
+
+// Known test private key and derived address (do NOT use in production)
+const TEST_PRIVATE_KEY = "0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80";
+const TEST_ADDRESS = "0xf39Fd6e51aad88F6F4ce6aB8827279cffFb92266";
+
+let tempDir: string;
+let allowancePath: string;
+
+beforeEach(() => {
+  tempDir = mkdtempSync(join(tmpdir(), "run402-siwx-test-"));
+  allowancePath = join(tempDir, "allowance.json");
+  process.env.RUN402_CONFIG_DIR = tempDir;
+  process.env.RUN402_API_BASE = "https://api.run402.com";
+});
+
+afterEach(() => {
+  rmSync(tempDir, { recursive: true, force: true });
+  delete process.env.RUN402_CONFIG_DIR;
+  delete process.env.RUN402_API_BASE;
+});
+
+describe("toChecksumAddress", () => {
+  it("checksums a known address correctly", () => {
+    const input = "0xf39fd6e51aad88f6f4ce6ab8827279cfffb92266";
+    assert.equal(toChecksumAddress(input), TEST_ADDRESS);
+  });
+
+  it("handles already-checksummed address", () => {
+    assert.equal(toChecksumAddress(TEST_ADDRESS), TEST_ADDRESS);
+  });
+
+  it("checksums all-lowercase address", () => {
+    const result = toChecksumAddress("0xd8da6bf26964af9d7eed9e03e53415d37aa96045");
+    assert.equal(result, "0xd8dA6BF26964aF9D7eEd9e03E53415D37aA96045");
+  });
+});
+
+describe("formatSIWEMessage", () => {
+  it("produces correct EIP-4361 format", () => {
+    const msg = formatSIWEMessage(
+      {
+        domain: "api.run402.com",
+        uri: "https://api.run402.com/projects/v1",
+        statement: "Sign in to Run402",
+        version: "1",
+        chainId: 84532,
+        nonce: "abc123def456abcd",
+        issuedAt: "2026-03-17T00:00:00.000Z",
+      },
+      TEST_ADDRESS,
+    );
+
+    assert.ok(msg.startsWith("api.run402.com wants you to sign in with your Ethereum account:"));
+    assert.ok(msg.includes(TEST_ADDRESS));
+    assert.ok(msg.includes("Sign in to Run402"));
+    assert.ok(msg.includes("URI: https://api.run402.com/projects/v1"));
+    assert.ok(msg.includes("Version: 1"));
+    assert.ok(msg.includes("Chain ID: 84532"));
+    assert.ok(msg.includes("Nonce: abc123def456abcd"));
+    assert.ok(msg.includes("Issued At: 2026-03-17T00:00:00.000Z"));
+    assert.ok(!msg.includes("Expiration Time:"));
+  });
+
+  it("includes expiration time when provided", () => {
+    const msg = formatSIWEMessage(
+      {
+        domain: "api.run402.com",
+        uri: "https://api.run402.com/projects/v1",
+        statement: "Sign in to Run402",
+        version: "1",
+        chainId: 84532,
+        nonce: "abc123def456abcd",
+        issuedAt: "2026-03-17T00:00:00.000Z",
+        expirationTime: "2026-03-17T00:05:00.000Z",
+      },
+      TEST_ADDRESS,
+    );
+
+    assert.ok(msg.includes("Expiration Time: 2026-03-17T00:05:00.000Z"));
+  });
+});
+
+describe("getAllowanceAuthHeaders", () => {
+  it("returns null when no allowance exists", () => {
+    const result = getAllowanceAuthHeaders("/projects/v1", allowancePath);
+    assert.equal(result, null);
+  });
+
+  it("returns SIGN-IN-WITH-X header with valid base64 JSON", () => {
+    saveAllowance({ address: TEST_ADDRESS, privateKey: TEST_PRIVATE_KEY }, allowancePath);
+
+    const result = getAllowanceAuthHeaders("/projects/v1", allowancePath);
+    assert.ok(result);
+    assert.ok(result["SIGN-IN-WITH-X"]);
+
+    const decoded = JSON.parse(Buffer.from(result["SIGN-IN-WITH-X"], "base64").toString());
+    assert.equal(decoded.domain, "api.run402.com");
+    assert.equal(decoded.address, TEST_ADDRESS);
+    assert.equal(decoded.uri, "https://api.run402.com/projects/v1");
+    assert.equal(decoded.version, "1");
+    assert.equal(decoded.chainId, 84532);
+    assert.equal(decoded.type, "eip4361");
+    assert.ok(decoded.nonce);
+    assert.ok(decoded.issuedAt);
+    assert.ok(decoded.expirationTime);
+    assert.ok(decoded.signature);
+    assert.ok(decoded.signature.startsWith("0x"));
+  });
+
+  it("generates alphanumeric hex nonce (no hyphens)", () => {
+    saveAllowance({ address: TEST_ADDRESS, privateKey: TEST_PRIVATE_KEY }, allowancePath);
+
+    const result = getAllowanceAuthHeaders("/projects/v1", allowancePath);
+    assert.ok(result);
+    const decoded = JSON.parse(Buffer.from(result["SIGN-IN-WITH-X"], "base64").toString());
+    assert.match(decoded.nonce, /^[0-9a-f]{32}$/);
+  });
+
+  it("uses checksummed address in payload", () => {
+    saveAllowance({ address: TEST_ADDRESS.toLowerCase(), privateKey: TEST_PRIVATE_KEY }, allowancePath);
+
+    const result = getAllowanceAuthHeaders("/projects/v1", allowancePath);
+    assert.ok(result);
+    const decoded = JSON.parse(Buffer.from(result["SIGN-IN-WITH-X"], "base64").toString());
+    assert.equal(decoded.address, TEST_ADDRESS);
+  });
+});