Fix SIWX signature (prehash:false) and add live integration test

@noble/curves v2 defaults to prehash:true (SHA-256 re-hashing), so our
keccak256 hash was being double-hashed. Adding {prehash: false} makes the
signature match viem's signMessage output byte-for-byte.

Also adds core/src/siwx-integration.integ.ts — 5 tests that hit the live
Run402 API with no mocks:
  - Happy path: fresh keypair → sign → server returns 200
  - Negative: garbage header → 401
  - Negative: tampered signature → 401
  - Negative: missing statement → 401
  - Negative: numeric chainId → 401

Runs locally via `npm run test:integration` and in CI.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: MajorTal

.github/workflows/test.yml

@@ -22,3 +22,4 @@ jobs:
       - run: npm run test:sync
       - run: node --experimental-test-module-mocks --test --import tsx src/**/*.test.ts
       - run: npm run test:e2e
+      - run: npm run test:integration

cli/package.json

@@ -1,6 +1,6 @@
 {
   "name": "run402",
-  "version": "1.12.2",
+  "version": "1.12.3",
   "description": "CLI for Run402 — provision Postgres databases, deploy static sites, generate images, and manage wallets via x402 micropayments.",
   "type": "module",
   "bin": {

core/src/allowance-auth.ts

@@ -44,7 +44,7 @@ function personalSign(privateKeyHex: string, address: string, message: string):
     ? privateKeyHex.slice(2)
     : privateKeyHex;
   const pkBytes = Uint8Array.from(Buffer.from(pkHex, "hex"));
-  const rawSig = secp256k1.sign(hash, pkBytes);
+  const rawSig = secp256k1.sign(hash, pkBytes, { prehash: false });
   const sig = secp256k1.Signature.fromBytes(rawSig);
 
   // Determine recovery bit by trying both and matching the address

core/src/siwx-integration.integ.ts

@@ -0,0 +1,163 @@
+/**
+ * siwx-integration.test.ts — Real integration test for SIWX auth.
+ *
+ * Hits the LIVE Run402 API (no mocks) to verify:
+ *   1. The SIWE message format is byte-for-byte correct
+ *   2. The EIP-191 signature is valid and recoverable
+ *   3. The payload JSON matches the server's expected schema
+ *      (chainId as CAIP-2, type "eip191", statement present)
+ *   4. The server accepts the SIGN-IN-WITH-X header (HTTP 200, not 401)
+ *
+ * Uses GET /tiers/v1/status — a read-only, free, idempotent endpoint.
+ * A fresh random keypair is generated per run (no secrets needed).
+ *
+ * Run:
+ *   node --test --import tsx core/src/siwx-integration.test.ts
+ *   npm run test:integration
+ */
+
+import { describe, it, beforeEach, afterEach } from "node:test";
+import assert from "node:assert/strict";
+import { mkdtempSync, rmSync } from "node:fs";
+import { join } from "node:path";
+import { tmpdir } from "node:os";
+import { randomBytes, createECDH } from "node:crypto";
+import { keccak_256 } from "@noble/hashes/sha3.js";
+import { saveAllowance } from "./allowance.js";
+import { getAllowanceAuthHeaders } from "./allowance-auth.js";
+
+const API = "https://api.run402.com";
+
+let tempDir: string;
+let allowancePath: string;
+
+/**
+ * Generate a fresh random EVM keypair (same logic as allowance-create).
+ */
+function generateKeypair() {
+  const privateKeyBytes = randomBytes(32);
+  const privateKey = `0x${privateKeyBytes.toString("hex")}`;
+  const ecdh = createECDH("secp256k1");
+  ecdh.setPrivateKey(privateKeyBytes);
+  const uncompressedPubKey = ecdh.getPublicKey();
+  const pubKeyBody = uncompressedPubKey.subarray(1);
+  const hash = keccak_256(pubKeyBody);
+  const addressBytes = hash.slice(-20);
+  const address = `0x${Buffer.from(addressBytes).toString("hex")}`;
+  return { address, privateKey };
+}
+
+beforeEach(() => {
+  tempDir = mkdtempSync(join(tmpdir(), "run402-siwx-integ-"));
+  allowancePath = join(tempDir, "allowance.json");
+  process.env.RUN402_CONFIG_DIR = tempDir;
+  process.env.RUN402_API_BASE = API;
+});
+
+afterEach(() => {
+  rmSync(tempDir, { recursive: true, force: true });
+  delete process.env.RUN402_CONFIG_DIR;
+  delete process.env.RUN402_API_BASE;
+});
+
+describe("SIWX auth integration (live API)", () => {
+  it("GET /tiers/v1/status accepts SIWX header and returns 200", async () => {
+    // 1. Generate a fresh keypair and save it as the allowance
+    const { address, privateKey } = generateKeypair();
+    saveAllowance({ address, privateKey, created: new Date().toISOString(), funded: false }, allowancePath);
+
+    // 2. Generate the SIWX auth header (the code under test)
+    const headers = getAllowanceAuthHeaders("/tiers/v1/status", allowancePath);
+    assert.ok(headers, "getAllowanceAuthHeaders should return headers");
+    assert.ok(headers["SIGN-IN-WITH-X"], "should have SIGN-IN-WITH-X header");
+
+    // 3. Verify payload structure before sending
+    const payload = JSON.parse(Buffer.from(headers["SIGN-IN-WITH-X"], "base64").toString());
+    assert.equal(payload.chainId, "eip155:84532", "chainId must be CAIP-2 format");
+    assert.equal(payload.type, "eip191", "type must be eip191");
+    assert.equal(payload.statement, "Sign in to Run402", "statement must be present");
+    assert.ok(payload.signature.startsWith("0x"), "signature must be hex");
+    assert.equal(payload.signature.length, 132, "signature must be 65 bytes (r+s+v) as hex");
+
+    // 4. Hit the real API
+    const res = await fetch(`${API}/tiers/v1/status`, {
+      headers: { ...headers },
+    });
+
+    // 5. Assert the server accepted our auth — the key assertion
+    assert.notEqual(res.status, 401, `Auth rejected (401). Body: ${await res.clone().text()}`);
+    assert.notEqual(res.status, 403, `Auth forbidden (403). Body: ${await res.clone().text()}`);
+    assert.ok(res.ok, `Expected 2xx, got ${res.status}. Body: ${await res.clone().text()}`);
+
+    // 6. Verify the response is valid JSON with expected shape
+    const data = await res.json();
+    assert.ok("tier" in data || "status" in data, "response should have tier or status field");
+  });
+
+  it("server rejects a malformed SIWX header", async () => {
+    // Send a garbage header to prove the server actually validates
+    const res = await fetch(`${API}/tiers/v1/status`, {
+      headers: { "SIGN-IN-WITH-X": Buffer.from("{}").toString("base64") },
+    });
+
+    assert.equal(res.status, 401, "server should reject empty/invalid SIWX payload");
+  });
+
+  it("server rejects a tampered signature", async () => {
+    const { address, privateKey } = generateKeypair();
+    saveAllowance({ address, privateKey, created: new Date().toISOString(), funded: false }, allowancePath);
+
+    const headers = getAllowanceAuthHeaders("/tiers/v1/status", allowancePath);
+    assert.ok(headers);
+
+    // Tamper with the signature (flip last hex char)
+    const payload = JSON.parse(Buffer.from(headers["SIGN-IN-WITH-X"], "base64").toString());
+    const lastChar = payload.signature.slice(-1);
+    payload.signature = payload.signature.slice(0, -1) + (lastChar === "0" ? "1" : "0");
+    const tampered = Buffer.from(JSON.stringify(payload)).toString("base64");
+
+    const res = await fetch(`${API}/tiers/v1/status`, {
+      headers: { "SIGN-IN-WITH-X": tampered },
+    });
+
+    assert.equal(res.status, 401, "server should reject tampered signature");
+  });
+
+  it("server rejects missing required fields", async () => {
+    const { address, privateKey } = generateKeypair();
+    saveAllowance({ address, privateKey, created: new Date().toISOString(), funded: false }, allowancePath);
+
+    const headers = getAllowanceAuthHeaders("/tiers/v1/status", allowancePath);
+    assert.ok(headers);
+
+    // Remove statement from payload
+    const payload = JSON.parse(Buffer.from(headers["SIGN-IN-WITH-X"], "base64").toString());
+    delete payload.statement;
+    const modified = Buffer.from(JSON.stringify(payload)).toString("base64");
+
+    const res = await fetch(`${API}/tiers/v1/status`, {
+      headers: { "SIGN-IN-WITH-X": modified },
+    });
+
+    assert.equal(res.status, 401, "server should reject payload missing statement");
+  });
+
+  it("server rejects numeric chainId (must be CAIP-2)", async () => {
+    const { address, privateKey } = generateKeypair();
+    saveAllowance({ address, privateKey, created: new Date().toISOString(), funded: false }, allowancePath);
+
+    const headers = getAllowanceAuthHeaders("/tiers/v1/status", allowancePath);
+    assert.ok(headers);
+
+    // Replace CAIP-2 chainId with numeric
+    const payload = JSON.parse(Buffer.from(headers["SIGN-IN-WITH-X"], "base64").toString());
+    payload.chainId = 84532;
+    const modified = Buffer.from(JSON.stringify(payload)).toString("base64");
+
+    const res = await fetch(`${API}/tiers/v1/status`, {
+      headers: { "SIGN-IN-WITH-X": modified },
+    });
+
+    assert.equal(res.status, 401, "server should reject numeric chainId");
+  });
+});

core/tsconfig.json

@@ -14,5 +14,5 @@
     "rootDir": "src"
   },
   "include": ["src"],
-  "exclude": ["src/**/*.test.ts"]
+  "exclude": ["src/**/*.test.ts", "src/**/*.integ.ts"]
 }

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "run402-mcp",
-  "version": "1.12.2",
+  "version": "1.12.3",
   "description": "MCP server for Run402 — AI-native Postgres databases with REST API, auth, storage, and row-level security. Pay with x402 USDC micropayments.",
   "type": "module",
   "main": "dist/index.js",
@@ -20,7 +20,8 @@
     "test:skill": "node --test --import tsx SKILL.test.ts",
     "test:sync": "node --test --import tsx sync.test.ts",
     "test": "node --experimental-test-module-mocks --test --import tsx SKILL.test.ts sync.test.ts core/src/**/*.test.ts src/**/*.test.ts && node --test cli-e2e.test.mjs",
-    "test:e2e": "node --test cli-e2e.test.mjs"
+    "test:e2e": "node --test cli-e2e.test.mjs",
+    "test:integration": "node --test --import tsx core/src/siwx-integration.integ.ts"
   },
   "keywords": [
     "mcp",