kychee-com
diff --git a/‎AGENTS.md‎
Lines changed: 4 additions & 1 deletion b/‎AGENTS.md‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎README.md‎
Lines changed: 2 additions & 1 deletion b/‎README.md‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎SKILL.md‎
Lines changed: 3 additions & 1 deletion b/‎SKILL.md‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎cli-help.test.mjs‎
Lines changed: 4 additions & 0 deletions b/‎cli-help.test.mjs‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎cli-wallets.test.mjs‎
Lines changed: 181 additions & 0 deletions b/‎cli-wallets.test.mjs‎
Lines changed: 181 additions & 0 deletions
diff --git a/‎cli/README.md‎
Lines changed: 11 additions & 1 deletion b/‎cli/README.md‎
Lines changed: 11 additions & 1 deletion
diff --git a/‎cli/cli.mjs‎
Lines changed: 33 additions & 6 deletions b/‎cli/cli.mjs‎
Lines changed: 33 additions & 6 deletions
diff --git a/‎cli/lib/allowance.mjs‎
Lines changed: 3 additions & 3 deletions b/‎cli/lib/allowance.mjs‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎cli/lib/config.mjs‎
Lines changed: 16 additions & 1 deletion b/‎cli/lib/config.mjs‎
Lines changed: 16 additions & 1 deletion
@@ -277,5 +277,8 @@ Two skill files coexist, serving different runtimes:
 | Variable | Default | Purpose |
 |----------|---------|---------|
 | `RUN402_API_BASE` | `https://api.run402.com` | API base URL (override for testing/staging) |
-| `RUN402_CONFIG_DIR` | `~/.config/run402` | Local credential storage directory |
+| `RUN402_CONFIG_DIR` | `~/.config/run402` | Local credential storage **base** directory. The `default` wallet lives here directly; named wallets live under `{base}/profiles/<name>/`. |
+| `RUN402_WALLET` | `default` | Active named wallet (profile). Selects which wallet a command uses; the `--wallet <name>` flag overrides it, and a per-directory `.run402.json` binding sets it. `RUN402_PROFILE` is an accepted alias. |
 | `RUN402_ALLOWANCE_PATH` | `{config_dir}/allowance.json` | Custom allowance (wallet) file path |
+
+**Named wallets (profiles).** Hold multiple wallets on one machine via `run402 wallets` (`list`, `new <name>`, `use <name>`, `rename`, `bind`/`unbind`, `import`, `rm`). Selection precedence: `--wallet <name>` flag > `RUN402_WALLET` env > nearest `.run402.json`/`.run402.local.json` directory binding > global `wallets use` default > `default`. A `--wallet`/binding that conflicts with `RUN402_WALLET` is a hard error (pass `--wallet`, unset the env, or `wallets unbind`). The binding file holds only a wallet *name* (no key) and is safe to commit. Each wallet has its own `allowance.json`, `projects.json`, and non-secret `meta.json` under `profiles/<name>/`; the human-readable name surfaces in `run402 status`, `r.whoami()` (SDK), the MCP `status` tool, and — via a signed server-side label (`r.wallets.setLabel`/`getLabel`, gateway endpoint `/wallets/v1/:address/label`) — the operator console (WEB). The label push is on by default (`RUN402_WALLET_LABEL_SYNC=0` opts out). Core path resolution lives in `core/src/config.ts` (`getConfigBaseDir`/`getActiveProfile`/`getConfigDir`) + `core/src/profiles.ts`; CLI-edge resolution in `cli/lib/wallet-context.mjs`.
@@ -545,7 +545,8 @@ The full MCP surface — every tool is a thin shim over an SDK call.
 | Variable | Default | Purpose |
 |----------|---------|---------|
 | `RUN402_API_BASE`        | `https://api.run402.com`         | API base URL (override for staging) |
-| `RUN402_CONFIG_DIR`      | `~/.config/run402`               | Local credential storage directory |
+| `RUN402_CONFIG_DIR`      | `~/.config/run402`               | Local credential storage base directory (named wallets live under `profiles/<name>/`) |
+| `RUN402_WALLET`          | `default`                        | Active named wallet (profile). Overridden by `--wallet <name>` and per-directory `.run402.json`; `RUN402_PROFILE` is an alias. See `run402 wallets`. |
 | `RUN402_ALLOWANCE_PATH`  | `{config_dir}/allowance.json`    | Custom allowance file path |
 
 Local state lives at:
 
@@ -561,7 +561,9 @@ For agents that need to sign Ethereum transactions. Private keys never leave AWS
 ### Allowance & account
 
 - **`init`** — one-shot setup: allowance + faucet + tier check + project list.
-- **`status`** — full account snapshot.
+- **`status`** — full account snapshot. Includes a `wallet` object naming the active named wallet.
+
+**Multiple wallets.** A user can hold several named wallets (profiles) on one machine — keys never leave the machine. The MCP server picks its wallet from the `RUN402_WALLET` environment variable in your server config (default `default`); set it to a wallet name (e.g. `kychon`) to operate that wallet's projects. The `status` tool surfaces which wallet is active. Wallet creation/selection/binding is done from the CLI (`run402 wallets …`), not via MCP tools.
 - **`allowance_status`** / **`allowance_create`** / **`allowance_export`** — local allowance management.
 - **`request_faucet`** — testnet USDC.
 - **`check_balance`** — USDC for an allowance address.
 
@@ -53,6 +53,10 @@ const MATRIX = {
     shared: ["status", "create", "fund", "balance", "export"],
     specific: ["checkout", "history"],
   },
+  wallets: {
+    shared: ["list", "current", "new", "use", "rename", "bind", "unbind", "import", "rm"],
+    specific: [],
+  },
   tier: { shared: [], specific: ["status", "set"] },
   projects: {
     shared: [
 
@@ -0,0 +1,181 @@
+/**
+ * End-to-end tests for the `run402 wallets` command family and wallet
+ * selection (named profiles). Spawns the real CLI as a subprocess. Wallet
+ * management is local (no network), so no fetch mocking is needed.
+ */
+
+import { describe, it, beforeEach, afterEach } from "node:test";
+import assert from "node:assert/strict";
+import { spawnSync } from "node:child_process";
+import { mkdtempSync, mkdirSync, rmSync, writeFileSync, existsSync } from "node:fs";
+import { join } from "node:path";
+import { tmpdir } from "node:os";
+import { fileURLToPath } from "node:url";
+
+const repoRoot = fileURLToPath(new URL(".", import.meta.url));
+const CLI = join(repoRoot, "cli/cli.mjs");
+const API = "https://test-api.run402.com";
+
+let configDir;
+let workDir;
+
+beforeEach(() => {
+  configDir = mkdtempSync(join(tmpdir(), "run402-wallets-cfg-"));
+  workDir = mkdtempSync(join(tmpdir(), "run402-wallets-cwd-"));
+});
+
+afterEach(() => {
+  rmSync(configDir, { recursive: true, force: true });
+  rmSync(workDir, { recursive: true, force: true });
+});
+
+function run(args, { cwd = workDir, env = {} } = {}) {
+  // RUN402_WALLET_LABEL_SYNC=0 keeps these tests offline/hermetic — the
+  // server-side label push is on by default in real use.
+  const base = { ...process.env, RUN402_CONFIG_DIR: configDir, RUN402_API_BASE: API, RUN402_WALLET_LABEL_SYNC: "0" };
+  delete base.RUN402_WALLET;
+  delete base.RUN402_PROFILE;
+  const result = spawnSync(process.execPath, [CLI, ...args], {
+    cwd,
+    env: { ...base, ...env },
+    encoding: "utf-8",
+  });
+  return result;
+}
+
+function jsonOut(result) {
+  try {
+    return JSON.parse(result.stdout);
+  } catch {
+    throw new Error(`stdout not JSON: ${result.stdout}\nstderr: ${result.stderr}`);
+  }
+}
+
+function errEnvelope(result) {
+  const line = result.stderr.trim().split("\n").filter(Boolean).pop();
+  return JSON.parse(line);
+}
+
+describe("wallets — lifecycle", () => {
+  it("new → list → rm", () => {
+    assert.equal(run(["wallets", "new", "kychon"]).status, 0);
+    const list = jsonOut(run(["wallets", "list"]));
+    assert.deepEqual(list.map((w) => w.name).sort(), ["kychon"]);
+    assert.equal(list[0].label, "kychon");
+    // rm requires --yes
+    const noConfirm = run(["wallets", "rm", "kychon"]);
+    assert.notEqual(noConfirm.status, 0);
+    assert.equal(errEnvelope(noConfirm).code, "CONFIRMATION_REQUIRED");
+    assert.equal(run(["wallets", "rm", "kychon", "--yes"]).status, 0);
+    assert.deepEqual(jsonOut(run(["wallets", "list"])), []);
+  });
+
+  it("rename default migrates the root wallet into profiles/", () => {
+    assert.equal(run(["allowance", "create"]).status, 0); // creates the default wallet locally
+    assert.ok(existsSync(join(configDir, "allowance.json")));
+    assert.equal(run(["wallets", "rename", "default", "kychon"]).status, 0);
+    assert.ok(!existsSync(join(configDir, "allowance.json")), "root allowance.json migrated away");
+    assert.ok(existsSync(join(configDir, "profiles", "kychon", "allowance.json")));
+    assert.deepEqual(jsonOut(run(["wallets", "list"])).map((w) => w.name), ["kychon"]);
+  });
+});
+
+describe("wallets — selection precedence", () => {
+  beforeEach(() => {
+    run(["wallets", "new", "kychon"]);
+    run(["wallets", "new", "client-a"]);
+  });
+
+  it("flag wins and reports source=flag", () => {
+    const cur = jsonOut(run(["--wallet", "kychon", "wallets", "current"]));
+    assert.equal(cur.name, "kychon");
+    assert.equal(cur.source, "flag");
+  });
+
+  it("env selects when no flag", () => {
+    const cur = jsonOut(run(["wallets", "current"], { env: { RUN402_WALLET: "client-a" } }));
+    assert.equal(cur.name, "client-a");
+    assert.equal(cur.source, "env");
+  });
+
+  it("directory binding selects when no flag/env", () => {
+    writeFileSync(join(workDir, ".run402.json"), JSON.stringify({ wallet: "client-a" }));
+    const cur = jsonOut(run(["wallets", "current"]));
+    assert.equal(cur.name, "client-a");
+    assert.equal(cur.source, "binding");
+  });
+
+  it(".run402.local.json overrides .run402.json and walks up from a subdir", () => {
+    writeFileSync(join(workDir, ".run402.json"), JSON.stringify({ wallet: "client-a" }));
+    writeFileSync(join(workDir, ".run402.local.json"), JSON.stringify({ wallet: "kychon" }));
+    const sub = join(workDir, "api");
+    mkdirSync(sub);
+    const cur = jsonOut(run(["wallets", "current"], { cwd: sub }));
+    assert.equal(cur.name, "kychon");
+  });
+
+  it("global `wallets use` applies when no flag/env/binding", () => {
+    assert.equal(run(["wallets", "use", "kychon"]).status, 0);
+    const cur = jsonOut(run(["wallets", "current"]));
+    assert.equal(cur.name, "kychon");
+    assert.equal(cur.source, "config");
+  });
+
+  it("falls back to default when nothing selects", () => {
+    const cur = jsonOut(run(["wallets", "current"]));
+    assert.equal(cur.name, "default");
+    assert.equal(cur.source, "default");
+  });
+});
+
+describe("wallets — conflict + fail-closed", () => {
+  beforeEach(() => {
+    run(["wallets", "new", "kychon"]);
+    run(["wallets", "new", "client-a"]);
+  });
+
+  it("env vs binding mismatch is a hard error on a normal command", () => {
+    writeFileSync(join(workDir, ".run402.json"), JSON.stringify({ wallet: "client-a" }));
+    const r = run(["allowance", "export"], { env: { RUN402_WALLET: "kychon" } });
+    assert.notEqual(r.status, 0);
+    const env = errEnvelope(r);
+    assert.equal(env.code, "WALLET_SELECTION_CONFLICT");
+    assert.match(env.message, /kychon/);
+    assert.match(env.message, /client-a/);
+  });
+
+  it("--wallet resolves the conflict", () => {
+    writeFileSync(join(workDir, ".run402.json"), JSON.stringify({ wallet: "client-a" }));
+    const r = run(["--wallet", "kychon", "allowance", "export"], { env: { RUN402_WALLET: "client-a" } });
+    assert.equal(r.status, 0, r.stderr);
+  });
+
+  it("selecting an unknown wallet fails closed on a normal command", () => {
+    const r = run(["--wallet", "ghost", "allowance", "export"]);
+    assert.notEqual(r.status, 0);
+    assert.equal(errEnvelope(r).code, "WALLET_NOT_FOUND");
+  });
+
+  it("the wallets group itself is never blocked by a conflict (can unbind)", () => {
+    writeFileSync(join(workDir, ".run402.json"), JSON.stringify({ wallet: "client-a" }));
+    const r = run(["wallets", "unbind"], { env: { RUN402_WALLET: "kychon" } });
+    assert.equal(r.status, 0, r.stderr);
+    assert.ok(!existsSync(join(workDir, ".run402.json")));
+  });
+});
+
+describe("wallets — provenance", () => {
+  it("emits a provenance line for a non-default selection", () => {
+    run(["wallets", "new", "kychon"]);
+    const r = run(["--wallet", "kychon", "allowance", "export"]);
+    assert.equal(r.status, 0, r.stderr);
+    assert.match(r.stderr, /wallet: kychon/);
+  });
+
+  it("stays silent for the default wallet", () => {
+    run(["allowance", "create"]); // default wallet
+    const r = run(["allowance", "export"]);
+    assert.equal(r.status, 0, r.stderr);
+    assert.ok(!/↪ wallet:/.test(r.stderr), `expected no provenance line, got: ${r.stderr}`);
+  });
+});
@@ -193,8 +193,18 @@ Local state lives at:
 
 - `~/.config/run402/projects.json` (`0600`) — project credentials (`anon_key`, `service_key`, `tier`, `lease_expires_at`)
 - `~/.config/run402/allowance.json` (`0600`) — wallet for x402 signing
+- `~/.config/run402/config.json` (`0600`) — global default wallet pointer (`active_wallet`)
+- `~/.config/run402/profiles/<name>/` (`0700`) — named wallets, each with its own `allowance.json` + `projects.json` + non-secret `meta.json`
 
-Override with `RUN402_CONFIG_DIR` or `RUN402_ALLOWANCE_PATH`. Override the API base with `RUN402_API_BASE`.
+Override the base directory with `RUN402_CONFIG_DIR` or the allowance file with `RUN402_ALLOWANCE_PATH`. Override the API base with `RUN402_API_BASE`.
+
+### Named wallets (profiles)
+
+Hold several wallets on one machine and select between them:
+
+- `run402 wallets list | new <name> | use <name> | rename <old> <new> | bind [<name>] | unbind | import <name> --key <path|-> | rm <name> --yes`
+- Select per-command with `--wallet <name>` (alias `--profile`), the `RUN402_WALLET` env var, or a per-directory `.run402.json` (commit-safe — holds only a name) resolved by walking up the tree. Precedence: flag > env > binding > `wallets use` default > `default`. A conflicting env + binding is a hard error.
+- The active wallet name shows in `run402 status` and `run402 wallets current`.
 
 The CLI handles all x402 payment signing automatically — never ask the human for a private key or set up payment libraries by hand.
 
 
@@ -6,7 +6,7 @@
 
 import { readFileSync } from "node:fs";
 
-const [,, cmd, sub, ...rest] = process.argv;
+const rawArgv = process.argv.slice(2);
 
 const { version } = JSON.parse(
   readFileSync(new URL("./package.json", import.meta.url), "utf8")
@@ -22,6 +22,7 @@ Commands:
   init        Set up allowance, funding, and check tier status (x402 default)
   init mpp    Set up with MPP payment rail (Tempo Moderato testnet)
   status      Show full account state (allowance, balance, tier, projects)
+  wallets     Manage multiple named wallets (list, new, use, rename, bind, import)
   allowance   Manage your agent allowance (create, fund, balance, status)
   tier        Manage tier subscription (status, set)
   projects    Manage projects (provision, list, query, inspect, delete)
@@ -53,6 +54,10 @@ Commands:
   dev         Run Astro dev with Run402 env + credentials in scope
   logs        Fetch function logs by request id (--request-id req_...)
 
+Global options (any command):
+  --wallet <name>   Select a named wallet for this command (see 'run402 wallets')
+                    Also: RUN402_WALLET env, or a ./.run402.json directory binding.
+
 Run 'run402 <command> --help' for detailed usage of each command.
 
 Examples:
@@ -74,22 +79,39 @@ Getting started:
   run402 ci link github --project prj_... --manifest run402.deploy.json
 `;
 
-if (cmd === '--version' || cmd === '-v') {
+const first = rawArgv[0];
+
+if (first === '--version' || first === '-v') {
   console.log(version);
   process.exit(0);
 }
 
-if (!cmd || cmd === '--help' || cmd === '-h') {
+if (first === undefined || first === '--help' || first === '-h') {
   console.log(HELP);
   process.exit(0);
 }
 
+// Resolve the active wallet/profile from the global --wallet/--profile flag,
+// env, and any per-directory .run402.json binding BEFORE dispatch loads a
+// subcommand (whose config.mjs snapshots credential paths). splitWalletFlag
+// also strips the global flag so subcommands never see it.
+const { splitWalletFlag, applyWalletSelection } = await import("./lib/wallet-context.mjs");
+const { argv, walletFlag } = splitWalletFlag(rawArgv);
+const [cmd, sub, ...rest] = argv;
+
 try {
+  applyWalletSelection({
+    walletFlag,
+    cmd,
+    cwd: process.cwd(),
+    env: process.env,
+    quiet: rawArgv.includes("--quiet"),
+  });
   await dispatch();
 } catch (err) {
-  // Surface env/config errors (e.g. invalid RUN402_API_BASE) as a clean
-  // JSON envelope on stderr instead of a raw stack trace. We import the
-  // helper lazily so a broken env doesn't fail this catch handler too.
+  // Surface env/config errors (e.g. invalid RUN402_API_BASE, bad RUN402_WALLET)
+  // as a clean JSON envelope on stderr instead of a raw stack trace. We import
+  // the helper lazily so a broken env doesn't fail this catch handler too.
   const { fail } = await import("./lib/sdk-errors.mjs");
   fail({
     code: "BAD_ENV",
@@ -112,6 +134,11 @@ switch (cmd) {
     await run([sub, ...rest].filter(Boolean));
     break;
   }
+  case "wallets": {
+    const { run } = await import("./lib/wallets.mjs");
+    await run(sub, rest);
+    break;
+  }
   case "allowance": {
     const { run } = await import("./lib/allowance.mjs");
     await run(sub, rest);
 
@@ -1,4 +1,4 @@
-import { readAllowance, saveAllowance, ALLOWANCE_FILE } from "./config.mjs";
+import { readAllowance, saveAllowance, allowanceFile } from "./config.mjs";
 import { getSdk } from "./sdk.mjs";
 import { reportSdkError, fail } from "./sdk-errors.mjs";
 import { assertKnownFlags, flagValue, normalizeArgv, parseIntegerFlag, positionalArgs } from "./argparse.mjs";
@@ -98,7 +98,7 @@ async function status() {
         // now" check, use `run402 allowance balance`.
         faucet_used: !!data.faucet_used,
         rail: w?.rail || "x402",
-        path: data.path ?? ALLOWANCE_FILE,
+        path: data.path ?? allowanceFile(),
       },
     }));
   } catch (err) {
@@ -111,7 +111,7 @@ async function create() {
     const result = await getSdk().allowance.create();
     console.log(JSON.stringify({
       address: result.address,
-      path: result.path ?? ALLOWANCE_FILE,
+      path: result.path ?? allowanceFile(),
       created: true,
     }));
   } catch (err) {
 
@@ -9,9 +9,24 @@ import { loadKeyStore, getProject, saveProject, updateProject, removeProject, sa
 import { getAllowanceAuthHeaders as coreGetAllowanceAuthHeaders } from "../core-dist/allowance-auth.js";
 import { fail } from "./sdk-errors.mjs";
 
+// Wallet-dependent paths are exposed as getters (preferred — they always
+// reflect the active profile, even if some future code path imports this module
+// before wallet resolution). Production code (init/doctor/allowance) uses these.
+export function configDir() { return getConfigDir(); }
+export function allowanceFile() { return getAllowancePath(); }
+export function projectsFile() { return getKeystorePath(); }
+
+// Snapshot constants, retained for backward compatibility (tests, the OpenClaw
+// config re-export). These are evaluated when this module is first imported.
+// That is safe in every real flow because the CLI resolves the active wallet
+// (publishing RUN402_WALLET) in cli.mjs BEFORE any subcommand imports this
+// module, and tests set RUN402_CONFIG_DIR before importing. New code should
+// prefer the getters above.
 export const CONFIG_DIR = getConfigDir();
 export const ALLOWANCE_FILE = getAllowancePath();
 export const PROJECTS_FILE = getKeystorePath();
+
+// API base is independent of the active wallet, so a module-load snapshot is safe.
 export const API = getApiBase();
 
 /**
@@ -32,7 +47,7 @@ export function readAllowance() {
       code: "BAD_ALLOWANCE_FILE",
       message: err?.message ?? "allowance.json is malformed",
       hint: "Back up ~/.config/run402/allowance.json and run 'run402 init' to recreate it.",
-      details: { path: ALLOWANCE_FILE },
+      details: { path: allowanceFile() },
     });
   }
 }