run402 1.25.0 → 1.27.0

package/cli.mjs

@@ -37,6 +37,8 @@ Commands:
   image       Generate AI images via x402 or MPP micropayments
   email       Send template-based emails from your project
   message     Send messages to Run402 developers
+  auth        Manage project user authentication (magic link, passwords, settings)
+  sender-domain  Manage custom email sender domain (register, status, remove)
   agent       Manage agent identity (contact info)
 
 Run 'run402 <command> --help' for detailed usage of each command.
@@ -159,6 +161,16 @@ switch (cmd) {
     await run(sub, rest);
     break;
   }
+  case "auth": {
+    const { run } = await import("./lib/auth.mjs");
+    await run(sub, rest);
+    break;
+  }
+  case "sender-domain": {
+    const { run } = await import("./lib/sender-domain.mjs");
+    await run(sub, rest);
+    break;
+  }
   default:
     console.error(`Unknown command: ${cmd}\n`);
     console.log(HELP);

package/lib/auth.mjs

@@ -0,0 +1,153 @@
+import { findProject, resolveProjectId, API } from "./config.mjs";
+
+const HELP = `run402 auth — Manage project user authentication
+
+Usage:
+  run402 auth <subcommand> [args...]
+
+Subcommands:
+  magic-link --email <addr> --redirect <url> [--project <id>]
+    Send a passwordless login link to the given email. Auto-creates user on first use.
+
+  verify --token <token> [--project <id>]
+    Exchange a magic link token for access_token + refresh_token.
+
+  set-password --token <bearer> --new <password> [--current <password>] [--project <id>]
+    Change, reset, or set a user's password. Requires the user's access_token.
+
+  settings --allow-password-set <true|false> [--project <id>]
+    Update project auth settings (requires service_key).
+
+  providers [--project <id>]
+    List available auth providers for the project.
+
+Examples:
+  run402 auth magic-link --email user@example.com --redirect https://myapp.run402.com/cb
+  run402 auth verify --token abc123def456
+  run402 auth set-password --token eyJ... --new "new-pass" --current "old-pass"
+  run402 auth settings --allow-password-set true
+  run402 auth providers
+`;
+
+function parseFlag(args, flag) {
+  for (let i = 0; i < args.length; i++) {
+    if (args[i] === flag && args[i + 1]) return args[i + 1];
+  }
+  return null;
+}
+
+async function magicLink(args) {
+  const email = parseFlag(args, "--email");
+  const redirect = parseFlag(args, "--redirect");
+  const projectId = resolveProjectId(parseFlag(args, "--project"));
+  const p = findProject(projectId);
+
+  if (!email) { console.error(JSON.stringify({ status: "error", message: "Missing --email" })); process.exit(1); }
+  if (!redirect) { console.error(JSON.stringify({ status: "error", message: "Missing --redirect <url>" })); process.exit(1); }
+
+  const res = await fetch(`${API}/auth/v1/magic-link`, {
+    method: "POST",
+    headers: { "Authorization": `Bearer ${p.anon_key}`, "Content-Type": "application/json" },
+    body: JSON.stringify({ email, redirect_url: redirect }),
+  });
+  const data = await res.json();
+  if (!res.ok) {
+    console.error(JSON.stringify({ status: "error", http: res.status, ...data }));
+    process.exit(1);
+  }
+  console.log(JSON.stringify({ status: "ok", ...data }));
+}
+
+async function verify(args) {
+  const token = parseFlag(args, "--token");
+  const projectId = resolveProjectId(parseFlag(args, "--project"));
+  const p = findProject(projectId);
+
+  if (!token) { console.error(JSON.stringify({ status: "error", message: "Missing --token" })); process.exit(1); }
+
+  const res = await fetch(`${API}/auth/v1/token?grant_type=magic_link`, {
+    method: "POST",
+    headers: { "Authorization": `Bearer ${p.anon_key}`, "Content-Type": "application/json" },
+    body: JSON.stringify({ token }),
+  });
+  const data = await res.json();
+  if (!res.ok) {
+    console.error(JSON.stringify({ status: "error", http: res.status, ...data }));
+    process.exit(1);
+  }
+  console.log(JSON.stringify({ status: "ok", ...data }));
+}
+
+async function setPassword(args) {
+  const accessToken = parseFlag(args, "--token");
+  const newPassword = parseFlag(args, "--new");
+  const currentPassword = parseFlag(args, "--current");
+
+  if (!accessToken) { console.error(JSON.stringify({ status: "error", message: "Missing --token <bearer_token>" })); process.exit(1); }
+  if (!newPassword) { console.error(JSON.stringify({ status: "error", message: "Missing --new <password>" })); process.exit(1); }
+
+  const body = { new_password: newPassword };
+  if (currentPassword) body.current_password = currentPassword;
+
+  const res = await fetch(`${API}/auth/v1/user/password`, {
+    method: "PUT",
+    headers: { "Authorization": `Bearer ${accessToken}`, "Content-Type": "application/json" },
+    body: JSON.stringify(body),
+  });
+  const data = await res.json();
+  if (!res.ok) {
+    console.error(JSON.stringify({ status: "error", http: res.status, ...data }));
+    process.exit(1);
+  }
+  console.log(JSON.stringify({ status: "ok", ...data }));
+}
+
+async function settings(args) {
+  const allowPasswordSet = parseFlag(args, "--allow-password-set");
+  const projectId = resolveProjectId(parseFlag(args, "--project"));
+  const p = findProject(projectId);
+
+  if (allowPasswordSet === null) { console.error(JSON.stringify({ status: "error", message: "Missing --allow-password-set <true|false>" })); process.exit(1); }
+
+  const res = await fetch(`${API}/auth/v1/settings`, {
+    method: "PATCH",
+    headers: { "Authorization": `Bearer ${p.service_key}`, "Content-Type": "application/json" },
+    body: JSON.stringify({ allow_password_set: allowPasswordSet === "true" }),
+  });
+  const data = await res.json();
+  if (!res.ok) {
+    console.error(JSON.stringify({ status: "error", http: res.status, ...data }));
+    process.exit(1);
+  }
+  console.log(JSON.stringify({ status: "ok", ...data }));
+}
+
+async function providers(args) {
+  const projectId = resolveProjectId(parseFlag(args, "--project"));
+  const p = findProject(projectId);
+
+  const res = await fetch(`${API}/auth/v1/providers`, {
+    headers: { "Authorization": `Bearer ${p.anon_key}` },
+  });
+  const data = await res.json();
+  if (!res.ok) {
+    console.error(JSON.stringify({ status: "error", http: res.status, ...data }));
+    process.exit(1);
+  }
+  console.log(JSON.stringify(data, null, 2));
+}
+
+export async function run(sub, args) {
+  if (!sub || sub === "--help" || sub === "-h") { console.log(HELP); process.exit(0); }
+  switch (sub) {
+    case "magic-link": await magicLink(args); break;
+    case "verify": await verify(args); break;
+    case "set-password": await setPassword(args); break;
+    case "settings": await settings(args); break;
+    case "providers": await providers(args); break;
+    default:
+      console.error(`Unknown subcommand: ${sub}\n`);
+      console.log(HELP);
+      process.exit(1);
+  }
+}

package/lib/deploy.mjs

@@ -32,11 +32,13 @@ Manifest format (JSON):
       { "file": "index.html", "data": "<html>...</html>" },
       { "file": "style.css", "path": "./dist/style.css" }
     ],
-    "subdomain": "my-app"
+    "subdomain": "my-app",
+    "inherit": true
   }
 
   project_id is required (provision first with 'run402 provision').
   All other fields are optional.
+  inherit: copy unchanged site files from previous deployment (only upload changed files).
 
   Migrations can be inline or read from a file:
     "migrations": "CREATE TABLE ..."              ← inline SQL

package/lib/sender-domain.mjs

@@ -0,0 +1,96 @@
+import { findProject, resolveProjectId, API } from "./config.mjs";
+
+const HELP = `run402 sender-domain — Manage custom email sender domain
+
+Usage:
+  run402 sender-domain <subcommand> [args...]
+
+Subcommands:
+  register <domain> [--project <id>]   Register a custom sender domain (returns DNS records)
+  status [--project <id>]              Check domain verification status
+  remove [--project <id>]              Remove custom sender domain
+
+Examples:
+  run402 sender-domain register kysigned.com
+  run402 sender-domain status
+  run402 sender-domain remove
+`;
+
+function parseFlag(args, flag) {
+  for (let i = 0; i < args.length; i++) {
+    if (args[i] === flag && args[i + 1]) return args[i + 1];
+  }
+  return null;
+}
+
+async function register(args) {
+  let domain = null;
+  let projectOpt = null;
+  for (let i = 0; i < args.length; i++) {
+    if (args[i] === "--project" && args[i + 1]) { projectOpt = args[++i]; }
+    else if (!args[i].startsWith("--") && !domain) { domain = args[i]; }
+  }
+  const projectId = resolveProjectId(projectOpt);
+  const p = findProject(projectId);
+
+  if (!domain) {
+    console.error(JSON.stringify({ status: "error", message: "Missing domain. Usage: run402 sender-domain register <domain>" }));
+    process.exit(1);
+  }
+
+  const res = await fetch(`${API}/email/v1/domains`, {
+    method: "POST",
+    headers: { apikey: p.service_key, "Content-Type": "application/json" },
+    body: JSON.stringify({ domain }),
+  });
+  const data = await res.json();
+  if (!res.ok) {
+    console.error(JSON.stringify({ status: "error", http: res.status, ...data }));
+    process.exit(1);
+  }
+  console.log(JSON.stringify(data, null, 2));
+}
+
+async function status(args) {
+  const projectId = resolveProjectId(parseFlag(args, "--project"));
+  const p = findProject(projectId);
+
+  const res = await fetch(`${API}/email/v1/domains`, {
+    headers: { apikey: p.service_key },
+  });
+  const data = await res.json();
+  if (!res.ok) {
+    console.error(JSON.stringify({ status: "error", http: res.status, ...data }));
+    process.exit(1);
+  }
+  console.log(JSON.stringify(data, null, 2));
+}
+
+async function remove(args) {
+  const projectId = resolveProjectId(parseFlag(args, "--project"));
+  const p = findProject(projectId);
+
+  const res = await fetch(`${API}/email/v1/domains`, {
+    method: "DELETE",
+    headers: { apikey: p.service_key },
+  });
+  const data = await res.json();
+  if (!res.ok) {
+    console.error(JSON.stringify({ status: "error", http: res.status, ...data }));
+    process.exit(1);
+  }
+  console.log(JSON.stringify(data));
+}
+
+export async function run(sub, args) {
+  if (!sub || sub === "--help" || sub === "-h") { console.log(HELP); process.exit(0); }
+  switch (sub) {
+    case "register": await register(args); break;
+    case "status": await status(args); break;
+    case "remove": await remove(args); break;
+    default:
+      console.error(`Unknown subcommand: ${sub}\n`);
+      console.log(HELP);
+      process.exit(1);
+  }
+}

package/lib/sites.mjs

@@ -18,6 +18,7 @@ Options (deploy):
   --manifest <file>     Path to manifest JSON file (or read from stdin)
   --project <id>        Project ID (defaults to active project)
   --target <target>     Deployment target (e.g. 'production')
+  --inherit             Copy unchanged files from the previous deployment (only upload changed files)
   --help, -h            Show this help message
 
 Manifest format (JSON):
@@ -51,12 +52,13 @@ async function readStdin() {
 }
 
 async function deploy(args) {
-  const opts = { manifest: null, project: undefined, target: undefined };
+  const opts = { manifest: null, project: undefined, target: undefined, inherit: false };
   for (let i = 0; i < args.length; i++) {
     if (args[i] === "--help" || args[i] === "-h") { console.log(HELP); process.exit(0); }
     if (args[i] === "--manifest" && args[i + 1]) opts.manifest = args[++i];
     if (args[i] === "--project" && args[i + 1]) opts.project = args[++i];
     if (args[i] === "--target" && args[i + 1]) opts.target = args[++i];
+    if (args[i] === "--inherit") opts.inherit = true;
   }
   const projectId = resolveProjectId(opts.project);
   const raw = opts.manifest ? readFileSync(opts.manifest, "utf-8") : await readStdin();
@@ -64,6 +66,7 @@ async function deploy(args) {
   if (opts.manifest) resolveFilePathsInManifest(manifest, dirname(resolve(opts.manifest)));
   const body = { files: manifest.files, project: projectId };
   if (opts.target) body.target = opts.target;
+  if (opts.inherit) body.inherit = true;
 
   const authHeaders = allowanceAuthHeaders("/deployments/v1");
   const res = await fetch(`${API}/deployments/v1`, {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "run402",
-  "version": "1.25.0",
+  "version": "1.27.0",
   "description": "CLI for Run402 — provision Postgres databases, deploy static sites, generate images, and manage wallets via x402 and MPP micropayments.",
   "type": "module",
   "bin": {

package/core-dist/wallet-auth.js

@@ -1,62 +0,0 @@
-/**
- * Wallet auth helper — generates EIP-191 signature headers for Run402 API.
- * Uses @noble/curves (lighter than viem) for signing.
- */
-import { secp256k1 } from "@noble/curves/secp256k1.js";
-import { keccak_256 } from "@noble/hashes/sha3.js";
-import { bytesToHex } from "@noble/hashes/utils.js";
-import { readWallet } from "./wallet.js";
-/**
- * EIP-191 personal_sign: sign a message with the wallet's private key.
- */
-function personalSign(privateKeyHex, address, message) {
-    const msgBytes = new TextEncoder().encode(message);
-    const prefix = new TextEncoder().encode(`\x19Ethereum Signed Message:\n${msgBytes.length}`);
-    const prefixed = new Uint8Array(prefix.length + msgBytes.length);
-    prefixed.set(prefix);
-    prefixed.set(msgBytes, prefix.length);
-    const hash = keccak_256(prefixed);
-    const pkHex = privateKeyHex.startsWith("0x")
-        ? privateKeyHex.slice(2)
-        : privateKeyHex;
-    const pkBytes = Uint8Array.from(Buffer.from(pkHex, "hex"));
-    const rawSig = secp256k1.sign(hash, pkBytes);
-    const sig = secp256k1.Signature.fromBytes(rawSig);
-    // Determine recovery bit by trying both and matching the address
-    let recovery = 0;
-    for (const v of [0, 1]) {
-        try {
-            const recovered = sig.addRecoveryBit(v).recoverPublicKey(hash);
-            const pubBytes = recovered.toBytes(false).slice(1); // uncompressed, drop 04 prefix
-            const addrBytes = keccak_256(pubBytes).slice(-20);
-            if ("0x" + bytesToHex(addrBytes) === address.toLowerCase()) {
-                recovery = v;
-                break;
-            }
-        }
-        catch {
-            continue;
-        }
-    }
-    const r = sig.r.toString(16).padStart(64, "0");
-    const s = sig.s.toString(16).padStart(64, "0");
-    const vHex = (recovery + 27).toString(16).padStart(2, "0");
-    return "0x" + r + s + vHex;
-}
-/**
- * Get wallet auth headers for the Run402 API.
- * Returns null if no wallet is configured.
- */
-export function getWalletAuthHeaders(walletPath) {
-    const wallet = readWallet(walletPath);
-    if (!wallet || !wallet.address || !wallet.privateKey)
-        return null;
-    const timestamp = Math.floor(Date.now() / 1000).toString();
-    const signature = personalSign(wallet.privateKey, wallet.address, `run402:${timestamp}`);
-    return {
-        "X-Run402-Wallet": wallet.address,
-        "X-Run402-Signature": signature,
-        "X-Run402-Timestamp": timestamp,
-    };
-}
-//# sourceMappingURL=wallet-auth.js.map

package/core-dist/wallet.js

@@ -1,25 +0,0 @@
-import { readFileSync, writeFileSync, mkdirSync, existsSync, chmodSync, renameSync } from "node:fs";
-import { dirname, join } from "node:path";
-import { randomBytes } from "node:crypto";
-import { getWalletPath } from "./config.js";
-export function readWallet(path) {
-    const p = path ?? getWalletPath();
-    if (!existsSync(p))
-        return null;
-    try {
-        return JSON.parse(readFileSync(p, "utf-8"));
-    }
-    catch {
-        return null;
-    }
-}
-export function saveWallet(data, path) {
-    const p = path ?? getWalletPath();
-    const dir = dirname(p);
-    mkdirSync(dir, { recursive: true });
-    const tmp = join(dir, `.wallet.${randomBytes(4).toString("hex")}.tmp`);
-    writeFileSync(tmp, JSON.stringify(data, null, 2), { mode: 0o600 });
-    renameSync(tmp, p);
-    chmodSync(p, 0o600);
-}
-//# sourceMappingURL=wallet.js.map