feat(cli): normalize stdout envelope — drop status:ok wrapper, type local-state nulls

Unifies the CLI's stdout shape across every subcommand. Before this change,
about half of subcommands wrapped success payloads as `{ status: "ok", ...payload }`
and the other half emitted the raw payload — a split that grew organically and
followed no documented rule.

After this change every CLI success path emits its natural payload directly,
the contract is explicit in cli/llms-cli.txt's new Output Contract section,
and a drift-protection test (cli-output-contract.test.mjs, wired into
npm test) fails CI on any new top-level `JSON.stringify({ status: ... })`
outside cli/lib/sdk-errors.mjs.

Compatibility notes for anyone parsing CLI output:

- Drop `.status === "ok"` checks; gate on exit code instead.
- Mutations with no natural payload now echo identifier + state field,
  e.g. `{ key, project_id, set: true }` instead of `{ status: "ok", message: "..." }`.
- `run402 status` and `run402 allowance status` move special statuses into
  typed nullable payload fields (`{ allowance: null, hint }` / `{ wallet: null, hint }`)
  and now exit 0 when absent (was exit 1 with `status: "no_allowance"` /
  `status: "no_wallet"`). Absence is informational, not an error.
- Stderr error envelopes are unchanged. SDK return types are unchanged.
  MCP tool output shapes are unchanged.

Touched 68 emit sites across 19 cli/lib/*.mjs files, ~50 e2e test assertions,
cli/llms-cli.txt (Output Contract section + per-command sweep), openclaw/SKILL.md,
cli/README.md, and CHANGELOG.md. Three inline `console.error(JSON.stringify({
status: "error", ... }))` sites in init.mjs, projects.mjs, sites.mjs now route
through fail() in sdk-errors.mjs for envelope consistency.

OpenSpec change: openspec/changes/cli-drop-status-envelope/

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: MajorTal

CHANGELOG.md

@@ -2,6 +2,55 @@
 
 All notable changes to `@run402/sdk`, `run402` (CLI), and `run402-mcp`. Versions are kept in lockstep across the three packages in this repo. `@run402/functions` lives in the private gateway monorepo and publishes on its own cadence.
 
+## 2.16.0 — unreleased — CLI stdout envelope normalization
+
+Drops the `status: "ok"` wrapper from every `run402` CLI success-path stdout emission, unifying an envelope that was applied to roughly half the subcommands and absent from the other half. See [openspec change `cli-drop-status-envelope`](openspec/changes/cli-drop-status-envelope/proposal.md) for the full design.
+
+`@run402/sdk` and `run402-mcp` have **no code changes** in this release. Only the CLI's machine-readable stdout shape moved. Per the lockstep release policy, all three packages bump to 2.16.0 together.
+
+### Compatibility note (read this if you parse CLI JSON output)
+
+The `run402` CLI was agent-first and JSON-only by design, but its stdout envelope was never documented — about half of subcommands wrapped success payloads as `{ status: "ok", ...payload }`, the other half emitted the raw payload. The wrapper has been dropped across the board, the contract is now explicit in [`cli/llms-cli.txt`](cli/llms-cli.txt), and a drift-protection test (`cli-output-contract.test.mjs`, wired into `npm test`) prevents the inconsistency from coming back.
+
+If you have automation parsing CLI output:
+
+- **Drop any `.status === "ok"` checks.** They were never load-bearing for half the commands, and now load-bear for none. Gate on exit code (`0` = success, non-zero = error) instead.
+- **Mutations with no natural payload now echo identifier + state field:**
+
+  ```
+  # Before
+  $ run402 secrets set prj_abc FOO bar
+  {"status":"ok","message":"Secret 'FOO' set for project prj_abc."}
+
+  # After
+  $ run402 secrets set prj_abc FOO bar
+  {"key":"FOO","project_id":"prj_abc","set":true}
+  ```
+
+- **`run402 status` and `run402 allowance status` move special statuses into typed nullable payload fields and exit 0 when absent** (was exit 1 with `status: "no_allowance"` / `status: "no_wallet"`):
+
+  ```
+  # Before
+  $ run402 allowance status      # exit 1
+  {"status":"no_wallet","message":"No agent allowance found. Run: run402 allowance create"}
+
+  # After
+  $ run402 allowance status      # exit 0
+  {"wallet":null,"hint":"Run: run402 allowance create"}
+  ```
+
+- **What did NOT change:** stderr error envelopes (still `{ status: "error", code, message, ... }` with non-zero exit), all SDK return types, all MCP tool output shapes, per-item `status` fields inside payload objects (e.g. `run402 doctor`'s `checks[].status`).
+
+### Added
+
+- `cli/llms-cli.txt` now leads with an explicit "Output Contract" section documenting the stdout / stderr / exit-code shape across every subcommand.
+- `cli-output-contract.test.mjs` — drift-protection test that fails CI on any new top-level `JSON.stringify({ status: ... })` emission outside `cli/lib/sdk-errors.mjs`.
+
+### Changed
+
+- 68 success-path emit sites across 19 `cli/lib/*.mjs` files dropped their `status: "ok"` wrapper. Three `console.error(JSON.stringify({ status: "error", ... }))` sites in `cli/lib/init.mjs`, `cli/lib/projects.mjs`, and `cli/lib/sites.mjs` now route through `fail()` in `cli/lib/sdk-errors.mjs` instead of emitting the error envelope inline.
+- `~50` test assertions in `cli-e2e.test.mjs` migrated from `parsed.status === "ok"` to assertions on the new payload-specific fields. The two `CLI status exit codes (GH-191)` tests now assert the new exit-0 typed-null behavior for absent local state.
+
 ## 2.4.0 — unreleased
 
 Surfaces the v1.56 gateway verification-no-silent-fail bundle ([parent change: `verification-no-silent-fail` in run402-private](https://github.com/kychee-com/run402-private/tree/main/openspec/changes/verification-no-silent-fail)). Closes a class of UX bugs where SES auth-verdict rejections silently failed operator email verification with no signal to the operator. Additive — old clients silently ignore the new fields.

cli-e2e.test.mjs

@@ -0,0 +1,75 @@
+// Drift-protection for the CLI stdout output contract.
+//
+// Contract (see openspec/specs/cli-output-shape/spec.md):
+//   - Success-path stdout SHALL NOT contain a top-level `status` field.
+//   - The stderr error envelope (in cli/lib/sdk-errors.mjs) DOES use
+//     `status: "error"` as a sentinel; that is the allowlisted exception.
+//   - Per-item `status` fields inside payload objects (e.g. doctor's
+//     `checks[].status`) are NOT envelope statuses and are not matched
+//     by this scanner (the regex only matches `JSON.stringify({ status:`).
+//
+// If you are tempted to add a new `JSON.stringify({ status: ... })` to a
+// CLI subcommand handler, instead emit the raw payload. If the mutation
+// has no natural payload, echo the affected resource identifiers plus an
+// explicit boolean state field (e.g. `{ key, project_id, deleted: true }`).
+
+import { describe, it } from "node:test";
+import assert from "node:assert/strict";
+import { readFileSync, readdirSync } from "node:fs";
+import { join, dirname } from "node:path";
+import { fileURLToPath } from "node:url";
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const CLI_LIB_DIR = join(__dirname, "cli", "lib");
+
+// Allowlist: file basenames whose `JSON.stringify({ status: ...` emissions
+// are legitimately stderr-bound error envelopes.
+const STDERR_ERROR_ENVELOPE_ALLOWLIST = new Set([
+  "sdk-errors.mjs",
+]);
+
+// Match `JSON.stringify({ status: "<literal>"` allowing whitespace and
+// newlines between paren, brace, and the `status` key. Multi-line tolerant.
+const ENVELOPE_PATTERN = /JSON\.stringify\s*\(\s*\{\s*status\s*:\s*"([^"]+)"/g;
+
+describe("CLI output contract drift protection", () => {
+  it("no cli/lib/*.mjs file emits a top-level `status` field on success paths", () => {
+    const files = readdirSync(CLI_LIB_DIR).filter((f) => f.endsWith(".mjs") && !f.endsWith(".test.mjs"));
+    const violations = [];
+
+    for (const file of files) {
+      if (STDERR_ERROR_ENVELOPE_ALLOWLIST.has(file)) continue;
+      const fullPath = join(CLI_LIB_DIR, file);
+      const source = readFileSync(fullPath, "utf-8");
+      const matches = source.matchAll(ENVELOPE_PATTERN);
+      for (const match of matches) {
+        const offset = match.index ?? 0;
+        const lineNumber = source.slice(0, offset).split("\n").length;
+        const statusValue = match[1];
+        violations.push({ file, line: lineNumber, statusValue });
+      }
+    }
+
+    if (violations.length > 0) {
+      const summary = violations
+        .map((v) => `  cli/lib/${v.file}:${v.line} → JSON.stringify({ status: "${v.statusValue}" ...`)
+        .join("\n");
+      assert.fail(
+        `Found ${violations.length} disallowed top-level \`status\` emission${violations.length === 1 ? "" : "s"} ` +
+        `in CLI success paths:\n${summary}\n\n` +
+        `The CLI stdout envelope contract (openspec/specs/cli-output-shape/spec.md) forbids a top-level ` +
+        `\`status\` field on success-path stdout. Emit the raw payload instead. For mutations with no natural ` +
+        `payload, echo the affected resource identifiers plus an explicit boolean state field ` +
+        `(e.g. \`{ key, project_id, deleted: true }\`). The only allowlisted emission is the stderr error ` +
+        `envelope in cli/lib/sdk-errors.mjs.`,
+      );
+    }
+  });
+
+  it("the stderr error envelope in sdk-errors.mjs continues to use status: \"error\"", () => {
+    // This is a positive assertion: sdk-errors.mjs MUST keep the
+    // `status: "error"` sentinel on stderr so consumers can branch on it.
+    const source = readFileSync(join(CLI_LIB_DIR, "sdk-errors.mjs"), "utf-8");
+    assert.match(source, /status:\s*"error"/, "sdk-errors.mjs must keep the `status: \"error\"` sentinel for the stderr error envelope");
+  });
+});

cli-output-contract.test.mjs

@@ -66,7 +66,7 @@ run402 subdomains claim my-app                # → my-app.run402.com (auto-reas
 ```
 
 `deploy-dir` hashes each file client-side and only uploads bytes the gateway doesn't already have. Re-deploying an unchanged tree returns immediately with `bytes_uploaded: 0`. Progress events stream to stderr.
-Release inspection commands print `{ status: "ok", release: ... }` or `{ status: "ok", diff: ... }`; use them after deploys to compare release inventory without starting another mutation. Inventories include `release_generation`, `static_manifest_sha256`, and nullable `static_manifest_metadata`; diffs include `static_assets` counters such as unchanged/changed/added/removed and CAS byte reuse. `deploy diagnose` / `deploy resolve --url` print URL-first diagnostics with `would_serve`, `diagnostic_status`, `match`, warnings, and next steps; host misses are successful diagnostic calls with `would_serve: false`. Stable-host resolve fields can include `authorization_result`, `cas_object`, `response_variant`, `allow`, `route_pattern`, `target_type`, `target_name`, and `target_file`.
+Release inspection commands print `{ release: ... }` or `{ diff: ... }` (raw payload, no envelope — see the "Output Contract" section in [llms-cli.txt](llms-cli.txt)); use them after deploys to compare release inventory without starting another mutation. Inventories include `release_generation`, `static_manifest_sha256`, and nullable `static_manifest_metadata`; diffs include `static_assets` counters such as unchanged/changed/added/removed and CAS byte reuse. `deploy diagnose` / `deploy resolve --url` print URL-first diagnostics with `would_serve`, `diagnostic_status`, `match`, warnings, and next steps; host misses are successful diagnostic calls with `would_serve: false`. Stable-host resolve fields can include `authorization_result`, `cas_object`, `response_variant`, `allow`, `route_pattern`, `target_type`, `target_name`, and `target_file`.
 
 ### GitHub Actions OIDC deploys
 

cli/README.md

@@ -151,7 +151,7 @@ async function translate(args) {
 
   try {
     const data = await getSdk().ai.translate(projectId, { text, to, from: from ?? undefined, context: context ?? undefined });
-    console.log(JSON.stringify({ status: "ok", text: data.text, from: data.from, to: data.to }));
+    console.log(JSON.stringify({ text: data.text, from: data.from, to: data.to }));
   } catch (err) {
     reportSdkError(err);
   }
@@ -194,7 +194,7 @@ async function moderate(args) {
 
   try {
     const data = await getSdk().ai.moderate(projectId, text);
-    console.log(JSON.stringify({ status: "ok", flagged: data.flagged, categories: data.categories, category_scores: data.category_scores }));
+    console.log(JSON.stringify({ flagged: data.flagged, categories: data.categories, category_scores: data.category_scores }));
   } catch (err) {
     reportSdkError(err);
   }
@@ -216,7 +216,7 @@ async function usage(args) {
 
   try {
     const data = await getSdk().ai.usage(projectId);
-    console.log(JSON.stringify({ status: "ok", ...data }));
+    console.log(JSON.stringify(data));
   } catch (err) {
     reportSdkError(err);
   }

cli/lib/ai.mjs

@@ -82,23 +82,24 @@ async function status() {
   try {
     const data = await getSdk().allowance.status();
     if (!data.configured) {
-      console.log(JSON.stringify({ status: "no_wallet", message: "No agent allowance found. Run: run402 allowance create" }));
-      process.exit(1);
+      console.log(JSON.stringify({ wallet: null, hint: "Run: run402 allowance create" }));
+      return;
     }
     // Preserve CLI's rail field (SDK doesn't surface it; read from local allowance).
     const w = readAllowance();
     console.log(JSON.stringify({
-      status: "ok",
-      address: data.address,
-      created: data.created,
-      configured: data.configured,
-      // GH-109: `funded` used to leak an on-disk marker that only tracks
-      // faucet invocation, not actual pay-readiness. Renamed to `faucet_used`
-      // to match its real semantics. For a true "can this account pay right
-      // now" check, use `run402 allowance balance`.
-      faucet_used: !!data.faucet_used,
-      rail: w?.rail || "x402",
-      path: data.path ?? ALLOWANCE_FILE,
+      wallet: {
+        address: data.address,
+        created: data.created,
+        configured: data.configured,
+        // GH-109: `funded` used to leak an on-disk marker that only tracks
+        // faucet invocation, not actual pay-readiness. Renamed to `faucet_used`
+        // to match its real semantics. For a true "can this account pay right
+        // now" check, use `run402 allowance balance`.
+        faucet_used: !!data.faucet_used,
+        rail: w?.rail || "x402",
+        path: data.path ?? ALLOWANCE_FILE,
+      },
     }));
   } catch (err) {
     reportSdkError(err);
@@ -109,9 +110,9 @@ async function create() {
   try {
     const result = await getSdk().allowance.create();
     console.log(JSON.stringify({
-      status: "ok",
       address: result.address,
-      message: `Agent allowance created. Stored locally at ${result.path ?? ALLOWANCE_FILE}`,
+      path: result.path ?? ALLOWANCE_FILE,
+      created: true,
     }));
   } catch (err) {
     const msg = (err instanceof Error) ? err.message : String(err);
@@ -199,7 +200,7 @@ async function fund() {
   }
 
   saveAllowance({ ...w, funded: true, lastFaucet: new Date().toISOString() });
-  console.log(JSON.stringify({ status: "ok", message: "Faucet request sent but balance not yet confirmed", ...data }));
+  console.log(JSON.stringify({ ...data, balance_confirmed: false, hint: "Faucet request sent but on-chain balance not yet confirmed" }));
 }
 
 async function readUsdcBalance(client, usdc, address) {

cli/lib/allowance.mjs

@@ -276,7 +276,7 @@ async function update(projectId, versionId, args) {
   if (parsedArgs.includes("--no-fork")) opts.fork_allowed = false;
   try {
     await getSdk().apps.updateVersion(positionals[0], positionals[1], opts);
-    console.log(JSON.stringify({ status: "ok", project_id: positionals[0], version_id: positionals[1] }));
+    console.log(JSON.stringify({ project_id: positionals[0], version_id: positionals[1], updated: true }));
   } catch (err) {
     reportSdkError(err);
   }
@@ -294,7 +294,7 @@ async function deleteVersion(projectId, versionId, args = []) {
   }
   try {
     await getSdk().apps.deleteVersion(positionals[0], positionals[1]);
-    console.log(JSON.stringify({ status: "ok", message: `Version ${positionals[1]} deleted.` }));
+    console.log(JSON.stringify({ project_id: positionals[0], version_id: positionals[1], deleted: true }));
   } catch (err) {
     reportSdkError(err);
   }

cli/lib/apps.mjs

@@ -505,7 +505,7 @@ async function get(projectId, argv) {
 
   mkdirSync(dirname(resolvePath(opts.output)), { recursive: true });
   await pipeline(res.body, createWriteStream(opts.output));
-  console.log(JSON.stringify({ status: "ok", key, output: opts.output }));
+  console.log(JSON.stringify({ key, project_id: resolvedId, output: opts.output }));
 }
 
 // ---------------------------------------------------------------------------
@@ -548,7 +548,7 @@ async function rm(projectId, argv) {
 
   try {
     await getSdk().assets.rm(resolvedId, key);
-    console.log(JSON.stringify({ status: "ok", key }));
+    console.log(JSON.stringify({ key, project_id: resolvedId, deleted: true }));
   } catch (err) {
     reportSdkError(err);
   }

cli/lib/assets.mjs

@@ -351,7 +351,7 @@ async function magicLink(args) {
       intent: intent ?? undefined,
       clientState: state ?? undefined,
     });
-    console.log(JSON.stringify({ status: "ok", email, redirect_url: redirect, intent: intent || "signin" }));
+    console.log(JSON.stringify({ email, redirect_url: redirect, intent: intent || "signin", sent: true }));
   } catch (err) {
     reportSdkError(err);
   }
@@ -380,7 +380,7 @@ async function createUser(args) {
       redirectUrl: redirectUrl ?? undefined,
       clientState: clientState ?? undefined,
     });
-    console.log(JSON.stringify({ status: "ok", ...data }));
+    console.log(JSON.stringify(data));
   } catch (err) {
     reportSdkError(err);
   }
@@ -407,7 +407,7 @@ async function inviteUser(args) {
       isAdmin,
       clientState: clientState ?? undefined,
     });
-    console.log(JSON.stringify({ status: "ok", ...data }));
+    console.log(JSON.stringify(data));
   } catch (err) {
     reportSdkError(err);
   }
@@ -423,7 +423,7 @@ async function verify(args) {
 
   try {
     const data = await getSdk().auth.verifyMagicLink(projectId, token);
-    console.log(JSON.stringify({ status: "ok", ...data }));
+    console.log(JSON.stringify(data));
   } catch (err) {
     reportSdkError(err);
   }
@@ -448,7 +448,7 @@ async function setPassword(args) {
       newPassword,
       currentPassword: currentPassword ?? undefined,
     });
-    console.log(JSON.stringify({ status: "ok" }));
+    console.log(JSON.stringify({ project_id: projectId, password_set: true }));
   } catch (err) {
     reportSdkError(err);
   }
@@ -496,7 +496,7 @@ async function settings(args) {
       require_passkey_for_project_admin: requireAdminPasskey,
     };
     const data = await getSdk().auth.settings(projectId, patch);
-    console.log(JSON.stringify({ status: "ok", ...patch, ...data }));
+    console.log(JSON.stringify({ ...patch, ...data }));
   } catch (err) {
     reportSdkError(err);
   }
@@ -534,7 +534,7 @@ async function passkeyRegisterVerify(args) {
       response,
       label: label ?? undefined,
     });
-    console.log(JSON.stringify({ status: "ok", ...data }));
+    console.log(JSON.stringify(data));
   } catch (err) {
     reportSdkError(err);
   }
@@ -566,7 +566,7 @@ async function passkeyLoginVerify(args) {
       challengeId,
       response,
     });
-    console.log(JSON.stringify({ status: "ok", ...data }));
+    console.log(JSON.stringify(data));
   } catch (err) {
     reportSdkError(err);
   }
@@ -595,7 +595,7 @@ async function deletePasskey(args) {
       accessToken,
       passkeyId,
     });
-    console.log(JSON.stringify({ status: "ok", passkey_id: passkeyId }));
+    console.log(JSON.stringify({ passkey_id: passkeyId, deleted: true }));
   } catch (err) {
     reportSdkError(err);
   }

cli/lib/auth.mjs

@@ -275,7 +275,7 @@ async function autoRecharge(args) {
       enabled: state === "on",
       threshold,
     });
-    console.log(JSON.stringify({ status: "ok", billing_account_id: accountId, enabled: state === "on" }));
+    console.log(JSON.stringify({ billing_account_id: accountId, enabled: state === "on", updated: true }));
   } catch (err) {
     reportSdkError(err);
   }