run402 1.35.3 → 1.36.0

package/lib/agent.mjs

@@ -41,6 +41,10 @@ async function contact(args) {
 
 export async function run(sub, args) {
   if (!sub || sub === '--help' || sub === '-h') { console.log(HELP); process.exit(0); }
+  if (Array.isArray(args) && (args.includes("--help") || args.includes("-h"))) {
+    console.log(HELP);
+    process.exit(0);
+  }
   if (sub !== "contact") {
     console.error(`Unknown subcommand: ${sub}\n`);
     console.log(HELP);

package/lib/auth.mjs

@@ -47,7 +47,11 @@ async function magicLink(args) {
 
   const res = await fetch(`${API}/auth/v1/magic-link`, {
     method: "POST",
-    headers: { "Authorization": `Bearer ${p.anon_key}`, "Content-Type": "application/json" },
+    headers: {
+      "apikey": p.anon_key,
+      "Authorization": `Bearer ${p.anon_key}`,
+      "Content-Type": "application/json",
+    },
     body: JSON.stringify({ email, redirect_url: redirect }),
   });
   const data = await res.json();
@@ -67,7 +71,11 @@ async function verify(args) {
 
   const res = await fetch(`${API}/auth/v1/token?grant_type=magic_link`, {
     method: "POST",
-    headers: { "Authorization": `Bearer ${p.anon_key}`, "Content-Type": "application/json" },
+    headers: {
+      "apikey": p.anon_key,
+      "Authorization": `Bearer ${p.anon_key}`,
+      "Content-Type": "application/json",
+    },
     body: JSON.stringify({ token }),
   });
   const data = await res.json();
@@ -111,7 +119,11 @@ async function settings(args) {
 
   const res = await fetch(`${API}/auth/v1/settings`, {
     method: "PATCH",
-    headers: { "Authorization": `Bearer ${p.service_key}`, "Content-Type": "application/json" },
+    headers: {
+      "apikey": p.anon_key,
+      "Authorization": `Bearer ${p.service_key}`,
+      "Content-Type": "application/json",
+    },
     body: JSON.stringify({ allow_password_set: allowPasswordSet === "true" }),
   });
   const data = await res.json();
@@ -127,7 +139,10 @@ async function providers(args) {
   const p = findProject(projectId);
 
   const res = await fetch(`${API}/auth/v1/providers`, {
-    headers: { "Authorization": `Bearer ${p.anon_key}` },
+    headers: {
+      "apikey": p.anon_key,
+      "Authorization": `Bearer ${p.anon_key}`,
+    },
   });
   const data = await res.json();
   if (!res.ok) {
@@ -139,6 +154,10 @@ async function providers(args) {
 
 export async function run(sub, args) {
   if (!sub || sub === "--help" || sub === "-h") { console.log(HELP); process.exit(0); }
+  if (Array.isArray(args) && (args.includes("--help") || args.includes("-h"))) {
+    console.log(HELP);
+    process.exit(0);
+  }
   switch (sub) {
     case "magic-link": await magicLink(args); break;
     case "verify": await verify(args); break;

package/lib/blob.mjs

@@ -427,6 +427,10 @@ export async function run(sub, args) {
     console.log(HELP);
     process.exit(0);
   }
+  if (Array.isArray(args) && (args.includes("--help") || args.includes("-h"))) {
+    console.log(HELP);
+    process.exit(0);
+  }
   const defaultProject = process.env.RUN402_PROJECT ?? null;
   switch (sub) {
     case "put":   await put(defaultProject, args); break;

package/lib/deploy.mjs

@@ -94,8 +94,9 @@ Manifest format (JSON):
     "migrations": "CREATE TABLE items (...)",
     "migrations_file": "setup.sql",
     "rls": {
-      "template": "public_read_write",
-      "tables": [{ "table": "items" }]
+      "template": "public_read_write_UNRESTRICTED",
+      "tables": [{ "table": "items" }],
+      "i_understand_this_is_unrestricted": true
     },
     "secrets": [{ "key": "OPENAI_API_KEY", "value": "sk-..." }],
     "functions": [{
@@ -128,10 +129,20 @@ Manifest format (JSON):
   Paths are resolved relative to the manifest file's directory.
   Binary files (images, fonts, etc.) are auto-detected and base64-encoded.
 
-  RLS templates:
-    user_owns_rows   — users see only their rows (requires owner_column per table)
-    public_read      — anyone reads, authenticated users write
-    public_read_write — anyone reads and writes
+  RLS templates (prefer user_owns_rows for anything user-scoped):
+    user_owns_rows                    users see only their own rows (requires
+                                      owner_column per table; uuid columns get
+                                      index-friendly policies automatically)
+    public_read_authenticated_write   anyone reads; any authenticated user can
+                                      INSERT/UPDATE/DELETE any row (not just
+                                      their own). For collaborative content
+                                      like shared boards or announcements.
+    public_read_write_UNRESTRICTED    ⚠  fully open — anon_key can read AND
+                                      write any row. Only for intentionally
+                                      public tables (guestbooks, waitlists,
+                                      feedback forms). REQUIRES the manifest's
+                                      rls block to include
+                                      "i_understand_this_is_unrestricted": true.
 
   ⚠️  Without RLS, tables are read-only via anon_key. If your app writes
   data from the browser, you almost certainly need an rls block.

package/lib/functions.mjs

@@ -212,6 +212,10 @@ async function deleteFunction(projectId, name) {
 
 export async function run(sub, args) {
   if (!sub || sub === '--help' || sub === '-h') { console.log(HELP); process.exit(0); }
+  if (Array.isArray(args) && (args.includes("--help") || args.includes("-h"))) {
+    console.log(HELP);
+    process.exit(0);
+  }
   switch (sub) {
     case "deploy": await deploy(args[0], args[1], args.slice(2)); break;
     case "invoke": await invoke(args[0], args[1], args.slice(2)); break;

package/lib/message.mjs

@@ -29,6 +29,10 @@ async function send(text) {
 
 export async function run(sub, args) {
   if (!sub || sub === '--help' || sub === '-h') { console.log(HELP); process.exit(0); }
+  if (Array.isArray(args) && (args.includes("--help") || args.includes("-h"))) {
+    console.log(HELP);
+    process.exit(0);
+  }
   if (sub !== "send") {
     console.error(`Unknown subcommand: ${sub}\n`);
     console.log(HELP);

package/lib/projects.mjs

@@ -36,7 +36,7 @@ Examples:
   run402 projects rest abc123 users "limit=10&select=id,name"
   run402 projects usage abc123
   run402 projects schema abc123
-  run402 projects rls abc123 public_read '[{"table":"posts"}]'
+  run402 projects rls abc123 public_read_authenticated_write '[{"table":"posts"}]'
   run402 projects keys abc123
   run402 projects delete abc123
 
@@ -45,7 +45,11 @@ Notes:
   - Most commands that take <id> default to the active project if omitted
   - 'rest' uses PostgREST query syntax (table name + optional query string)
   - 'provision' requires a funded allowance — payment is automatic via x402
-  - RLS templates: user_owns_rows, public_read, public_read_write
+  - RLS templates (prefer user_owns_rows for user-scoped data):
+      user_owns_rows                    users access only their own rows (requires owner_column)
+      public_read_authenticated_write   anyone reads; any authenticated user writes any row
+      public_read_write_UNRESTRICTED    fully open (anon_key writes); use 'run402 deploy' with a manifest
+                                        that includes "i_understand_this_is_unrestricted": true
 `;
 
 async function quote() {
@@ -179,20 +183,13 @@ async function use(projectId) {
 
 async function pin(projectId) {
   if (!projectId) { console.error(JSON.stringify({ status: "error", message: "Usage: run402 projects pin <project_id>" })); process.exit(1); }
-  const authHeaders = allowanceAuthHeaders(`/projects/v1/admin/${projectId}/pin`);
+  const p = findProject(projectId);
   const res = await fetch(`${API}/projects/v1/admin/${projectId}/pin`, {
     method: "POST",
-    headers: { ...authHeaders },
+    headers: { "Authorization": `Bearer ${p.service_key}` },
   });
   const data = await res.json();
-  if (!res.ok) {
-    if (res.status === 403 && data.admin_required) {
-      console.error(JSON.stringify({ status: "error", message: "This command requires admin access." }));
-    } else {
-      console.error(JSON.stringify({ status: "error", http: res.status, ...data }));
-    }
-    process.exit(1);
-  }
+  if (!res.ok) { console.error(JSON.stringify({ status: "error", http: res.status, ...data })); process.exit(1); }
   console.log(JSON.stringify(data, null, 2));
 }
 
@@ -239,6 +236,10 @@ export async function run(sub, args) {
     console.log(HELP);
     process.exit(0);
   }
+  if (Array.isArray(args) && (args.includes("--help") || args.includes("-h"))) {
+    console.log(HELP);
+    process.exit(0);
+  }
   switch (sub) {
     case "quote":     await quote(); break;
     case "provision": await provision(args); break;

package/lib/secrets.mjs

@@ -68,6 +68,10 @@ async function deleteSecret(projectId, key) {
 
 export async function run(sub, args) {
   if (!sub || sub === '--help' || sub === '-h') { console.log(HELP); process.exit(0); }
+  if (Array.isArray(args) && (args.includes("--help") || args.includes("-h"))) {
+    console.log(HELP);
+    process.exit(0);
+  }
   switch (sub) {
     case "set":    await set(args[0], args[1], args.slice(2)); break;
     case "list":   await list(args[0]); break;

package/lib/sender-domain.mjs

@@ -44,7 +44,7 @@ async function register(args) {
 
   const res = await fetch(`${API}/email/v1/domains`, {
     method: "POST",
-    headers: { apikey: p.service_key, "Content-Type": "application/json" },
+    headers: { Authorization: `Bearer ${p.service_key}`, "Content-Type": "application/json" },
     body: JSON.stringify({ domain }),
   });
   const data = await res.json();
@@ -60,7 +60,7 @@ async function status(args) {
   const p = findProject(projectId);
 
   const res = await fetch(`${API}/email/v1/domains`, {
-    headers: { apikey: p.service_key },
+    headers: { Authorization: `Bearer ${p.service_key}` },
   });
   const data = await res.json();
   if (!res.ok) {
@@ -76,7 +76,7 @@ async function remove(args) {
 
   const res = await fetch(`${API}/email/v1/domains`, {
     method: "DELETE",
-    headers: { apikey: p.service_key },
+    headers: { Authorization: `Bearer ${p.service_key}` },
   });
   const data = await res.json();
   if (!res.ok) {
@@ -104,7 +104,7 @@ async function inboundToggle(action, args) {
   const method = action === "enable" ? "POST" : "DELETE";
   const res = await fetch(`${API}/email/v1/domains/inbound`, {
     method,
-    headers: { apikey: p.service_key, "Content-Type": "application/json" },
+    headers: { Authorization: `Bearer ${p.service_key}`, "Content-Type": "application/json" },
     body: JSON.stringify({ domain }),
   });
   const data = await res.json();

package/lib/service.mjs

@@ -32,6 +32,10 @@ async function fetchAndEmit(path) {
 
 export async function run(sub, args) {
   if (!sub || sub === "--help" || sub === "-h") { console.log(HELP); process.exit(0); }
+  if (Array.isArray(args) && (args.includes("--help") || args.includes("-h"))) {
+    console.log(HELP);
+    process.exit(0);
+  }
   switch (sub) {
     case "status":
       await fetchAndEmit("/status");

package/lib/tier.mjs

@@ -55,6 +55,10 @@ export async function run(sub, args) {
     console.log(HELP);
     process.exit(0);
   }
+  if (Array.isArray(args) && (args.includes("--help") || args.includes("-h"))) {
+    console.log(HELP);
+    process.exit(0);
+  }
   switch (sub) {
     case "status": await status(); break;
     case "set":    await set(args[0]); break;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "run402",
-  "version": "1.35.3",
+  "version": "1.36.0",
   "description": "CLI for Run402 — provision Postgres databases, deploy static sites, generate images, and manage wallets via x402 and MPP micropayments.",
   "type": "module",
   "bin": {