run402 1.55.0 → 1.57.0

package/README.md

@@ -57,10 +57,13 @@ run402 projects schema <id>                              # introspect tables + R
 ```bash
 run402 sites deploy-dir ./dist                # incremental upload (plan/commit transport)
 run402 deploy --manifest app.json             # one-call full stack deploy
+run402 deploy release active                  # inspect current-live release inventory
+run402 deploy release diff --from empty --to active
 run402 subdomains claim my-app                # → my-app.run402.com (auto-reassigns on next deploy)
 ```
 
 `deploy-dir` hashes each file client-side and only uploads bytes the gateway doesn't already have. Re-deploying an unchanged tree returns immediately with `bytes_uploaded: 0`. Progress events stream to stderr.
+Release inspection commands print `{ status: "ok", release: ... }` or `{ status: "ok", diff: ... }`; use them after deploys to compare release inventory without starting another mutation.
 
 ### GitHub Actions OIDC deploys
 
@@ -119,6 +122,16 @@ import { db, adminDb, getUser, email, ai } from "@run402/functions";
 
 `db(req)` is the caller-context client (RLS applies); `adminDb()` bypasses RLS for platform-authored writes.
 
+### Secrets
+
+```bash
+run402 secrets set <id> OPENAI_API_KEY --file ./.secrets/openai-key
+run402 secrets list <id>
+run402 deploy apply --manifest run402.deploy.json   # manifest uses secrets.require, not values
+```
+
+Secret values are write-only. `list` returns keys and timestamps only; deploy manifests should declare dependencies with `secrets.require` and never contain values.
+
 ### Email
 
 ```bash

package/lib/deploy-v2.mjs

@@ -11,7 +11,7 @@
  *     "project_id": "...",
  *     "base":  { "release": "current" } | { "release": "empty" } | { "release_id": "..." },
  *     "database": { "migrations": [...], "expose": {...}, "zero_downtime": false },
- *     "secrets":   { "set": {...}, "delete": [...], "replace_all": {...} },
+ *     "secrets":   { "require": ["OPENAI_API_KEY"], "delete": ["OLD_KEY"] },
  *     "functions": { "replace": {...}, "patch": { "set": {...}, "delete": [...] } },
  *     "site":      { "replace": {...} } | { "patch": { "put": {...}, "delete": [...] } },
  *     "subdomains": { "set": ["..."], "add": [...], "remove": [...] },
@@ -33,8 +33,8 @@ import { API, allowanceAuthHeaders, getActiveProjectId, resolveProjectId } from
 const APPLY_HELP = `run402 deploy apply — Unified deploy primitive (v1.34+)
 
 Usage:
-  run402 deploy apply --manifest <path> [--project <id>] [--quiet]
-  run402 deploy apply --spec '<json>' [--project <id>] [--quiet]
+  run402 deploy apply --manifest <path> [--project <id>] [--quiet] [--allow-warnings]
+  run402 deploy apply --spec '<json>' [--project <id>] [--quiet] [--allow-warnings]
   cat spec.json | run402 deploy apply [--project <id>]
 
 Manifest format mirrors the MCP \`deploy\` tool's ReleaseSpec:
@@ -42,7 +42,7 @@ Manifest format mirrors the MCP \`deploy\` tool's ReleaseSpec:
     "project_id": "prj_...",
     "base": { "release": "current" },
     "database": { "migrations": [{ "id": "001_init", "sql": "CREATE TABLE ..." }], "expose": {...} },
-    "secrets":   { "set": { "OPENAI_API_KEY": { "value": "sk-..." } } },
+    "secrets":   { "require": ["OPENAI_API_KEY"], "delete": ["OLD_KEY"] },
     "functions": { "replace": { "api": { "source": { "data": "export default ..." } } } },
     "site":      { "replace": { "index.html": { "data": "<html>..." } } },
     "subdomains": { "set": ["my-app"] }
@@ -53,11 +53,18 @@ Options:
   --spec '<json>'         Inline JSON spec (single-quote in shell)
   --project <id>          Override project_id from the manifest
   --quiet                 Suppress per-event JSON-line stderr (final result still on stdout)
+  --allow-warnings        Continue past plan warnings that require confirmation
 
 Output:
-  stdout: { "status": "ok", "release_id": "rel_...", "operation_id": "op_...", "urls": {...} }
+  stdout: { "status": "ok", "release_id": "rel_...", "operation_id": "op_...", "urls": {...}, "warnings": [...] }
   stderr: one JSON event per line (suppressed with --quiet)
 
+Secrets:
+  Secret values do not belong in deploy manifests. Set them first:
+    run402 secrets set prj_... OPENAI_API_KEY --file ./.secrets/openai-key
+  Then deploy a value-free declaration:
+    { "project_id": "prj_...", "secrets": { "require": ["OPENAI_API_KEY"] } }
+
 Patch examples (only the listed file changes):
   { "project_id": "prj_...", "site": { "patch": { "put": { "index.html": { "data": "..." } } } } }
   { "project_id": "prj_...", "site": { "patch": { "delete": ["old.html"] } } }
@@ -103,11 +110,70 @@ Output:
   stdout: { "status": "ok", "events": [...] }
 `;
 
+const RELEASE_HELP = `run402 deploy release — Inspect deploy release inventory and diffs
+
+Usage:
+  run402 deploy release get <release_id> [--project <id>] [--site-limit <n>]
+  run402 deploy release active [--project <id>] [--site-limit <n>]
+  run402 deploy release diff --from <empty|active|release_id> --to <active|release_id> [--project <id>] [--limit <n>]
+
+Subcommands:
+  get       Fetch the inventory for a specific release id
+  active    Fetch the current-live release inventory for the project
+  diff      Diff two release targets
+
+Output:
+  get/active: { "status": "ok", "release": {...} }
+  diff:       { "status": "ok", "diff": {...} }
+`;
+
+const RELEASE_GET_HELP = `run402 deploy release get — Fetch a release inventory by id
+
+Usage:
+  run402 deploy release get <release_id> [--project <id>] [--site-limit <n>]
+
+Options:
+  --project <id>          Project ID that owns the release (default: active project)
+  --site-limit <n>        Maximum site path entries to include (gateway default: 5000)
+
+Output:
+  stdout: { "status": "ok", "release": {...} }
+`;
+
+const RELEASE_ACTIVE_HELP = `run402 deploy release active — Fetch the active release inventory
+
+Usage:
+  run402 deploy release active [--project <id>] [--site-limit <n>]
+
+Options:
+  --project <id>          Project ID to inspect (default: active project)
+  --site-limit <n>        Maximum site path entries to include (gateway default: 5000)
+
+Output:
+  stdout: { "status": "ok", "release": {...} }
+`;
+
+const RELEASE_DIFF_HELP = `run402 deploy release diff — Diff two release targets
+
+Usage:
+  run402 deploy release diff --from <empty|active|release_id> --to <active|release_id> [--project <id>] [--limit <n>]
+
+Options:
+  --from <target>         Diff source: empty, active, or rel_...
+  --to <target>           Diff target: active or rel_...
+  --project <id>          Project ID to inspect (default: active project)
+  --limit <n>             Maximum entries per site diff bucket (gateway default: 1000)
+
+Output:
+  stdout: { "status": "ok", "diff": {...} }
+`;
+
 export async function runDeployV2(sub, args) {
   if (sub === "apply") return await applyCmd(args);
   if (sub === "resume") return await resumeCmd(args);
   if (sub === "list") return await listCmd(args);
   if (sub === "events") return await eventsCmd(args);
+  if (sub === "release") return await releaseCmd(args);
   fail({
     code: "BAD_USAGE",
     message: `Unknown deploy subcommand: ${sub}`,
@@ -129,13 +195,14 @@ function makeStderrEventWriter(quiet) {
 }
 
 async function applyCmd(args) {
-  const opts = { manifest: null, spec: null, project: null, quiet: false };
+  const opts = { manifest: null, spec: null, project: null, quiet: false, allowWarnings: false };
   for (let i = 0; i < args.length; i++) {
     if (args[i] === "--help" || args[i] === "-h") { console.log(APPLY_HELP); process.exit(0); }
     if (args[i] === "--manifest" && args[i + 1]) { opts.manifest = args[++i]; continue; }
     if (args[i] === "--spec" && args[i + 1]) { opts.spec = args[++i]; continue; }
     if (args[i] === "--project" && args[i + 1]) { opts.project = args[++i]; continue; }
     if (args[i] === "--quiet") { opts.quiet = true; continue; }
+    if (args[i] === "--allow-warnings") { opts.allowWarnings = true; continue; }
   }
 
   let raw;
@@ -166,6 +233,10 @@ async function applyCmd(args) {
       details: { source: opts.manifest ? "manifest" : opts.spec ? "spec" : "stdin", parse_error: err.message },
     });
   }
+  rejectLegacySecretManifest(spec, {
+    source: opts.manifest ? "manifest" : opts.spec ? "spec" : "stdin",
+    ...(opts.manifest ? { path: resolve(opts.manifest) } : {}),
+  });
 
   // GH-232: Reject empty specs client-side. Without this guard,
   // `run402 deploy apply --spec '{}'` (and `--manifest <empty>`) would silently
@@ -241,6 +312,7 @@ async function applyCmd(args) {
     const result = await getSdk(sdkOpts).deploy.apply(releaseSpec, {
       onEvent: makeStderrEventWriter(opts.quiet),
       idempotencyKey,
+      allowWarnings: opts.allowWarnings,
     });
     console.log(JSON.stringify({ status: "ok", ...result }, null, 2));
   } catch (err) {
@@ -320,8 +392,43 @@ const CI_DEPLOY_ERROR_GUIDANCE = {
 };
 
 function reportDeployApplyError(err, useGithubActionsOidc) {
-  if (!useGithubActionsOidc) return reportSdkError(err);
-  return reportSdkError(enhanceCiDeployError(err));
+  const warningEnhanced = enhanceDeployWarningError(err);
+  if (!useGithubActionsOidc) return reportSdkError(warningEnhanced);
+  return reportSdkError(enhanceCiDeployError(warningEnhanced));
+}
+
+function enhanceDeployWarningError(err) {
+  const existingBody = err?.body && typeof err.body === "object" && !Array.isArray(err.body)
+    ? err.body
+    : {};
+  const warnings = Array.isArray(existingBody.warnings) ? existingBody.warnings : null;
+  const code = existingBody.code || err?.code || null;
+  if (!warnings && code !== "MISSING_REQUIRED_SECRET") return err;
+
+  const enhanced = Object.assign(new Error(err?.message || existingBody.message || String(code)), err);
+  const affected = warnings
+    ? warnings.flatMap((w) => Array.isArray(w?.affected) ? w.affected : [])
+    : [];
+  enhanced.body = {
+    ...existingBody,
+    code: code || "DEPLOY_WARNING_REQUIRES_CONFIRMATION",
+    message: existingBody.message || err?.message || "Deploy plan returned warnings that require confirmation.",
+    hint: existingBody.hint ||
+      (code === "MISSING_REQUIRED_SECRET"
+        ? "Set the missing secret values with `run402 secrets set`, then retry deploy apply. Use --allow-warnings only after explicit review."
+        : "Review the plan warnings, then retry with --allow-warnings if you intentionally accept them."),
+    next_actions: Array.isArray(existingBody.next_actions) && existingBody.next_actions.length > 0
+      ? existingBody.next_actions
+      : [
+          ...(affected.length > 0
+            ? [`Set or inspect affected secrets: ${Array.from(new Set(affected)).join(", ")}`]
+            : []),
+          "Retry `run402 deploy apply` after resolving warnings.",
+          "Use `--allow-warnings` only when the warning was explicitly reviewed.",
+        ],
+    ...(warnings ? { warnings } : {}),
+  };
+  return enhanced;
 }
 
 function enhanceCiDeployError(err) {
@@ -345,6 +452,37 @@ function enhanceCiDeployError(err) {
   return enhanced;
 }
 
+function rejectLegacySecretManifest(spec, details) {
+  if (!spec || typeof spec !== "object" || Array.isArray(spec)) return;
+  const secrets = spec.secrets;
+  if (secrets === undefined) return;
+  if (Array.isArray(secrets) && secrets.length > 0) {
+    fail({
+      code: "UNSAFE_SECRET_MANIFEST",
+      message: "Deploy manifests must not contain secret values. Legacy secrets arrays are no longer supported by deploy apply.",
+      hint: "Run `run402 secrets set <project> <KEY> --file <path>` first, then use `\"secrets\": { \"require\": [\"KEY\"] }` in the deploy manifest.",
+      details: { ...details, field: "secrets", legacy_shape: "array" },
+    });
+  }
+  if (typeof secrets !== "object" || secrets === null) return;
+  if (Object.prototype.hasOwnProperty.call(secrets, "set")) {
+    fail({
+      code: "UNSAFE_SECRET_MANIFEST",
+      message: "Deploy manifests must not use secrets.set. Secret values are write-only and must be set outside deploy specs.",
+      hint: "Run `run402 secrets set <project> <KEY> --file <path>` first, then use `\"secrets\": { \"require\": [\"KEY\"] }`.",
+      details: { ...details, field: "secrets.set" },
+    });
+  }
+  if (Object.prototype.hasOwnProperty.call(secrets, "replace_all")) {
+    fail({
+      code: "UNSAFE_SECRET_MANIFEST",
+      message: "Deploy manifests must not use secrets.replace_all. Exact replacement is not representable in the value-free deploy contract.",
+      hint: "Use `secrets.require` for keys that must exist and `secrets.delete` for explicit removals.",
+      details: { ...details, field: "secrets.replace_all" },
+    });
+  }
+}
+
 async function resumeCmd(args) {
   const opts = { operationId: null, quiet: false };
   for (let i = 0; i < args.length; i++) {
@@ -419,6 +557,118 @@ async function eventsCmd(args) {
   }
 }
 
+async function releaseCmd(args) {
+  const action = args[0];
+  if (!action || action === "--help" || action === "-h") {
+    console.log(RELEASE_HELP);
+    process.exit(0);
+  }
+  if (action === "get") return await releaseGetCmd(args.slice(1));
+  if (action === "active") return await releaseActiveCmd(args.slice(1));
+  if (action === "diff") return await releaseDiffCmd(args.slice(1));
+  fail({
+    code: "BAD_USAGE",
+    message: `Unknown deploy release subcommand: ${action}`,
+    details: { subcommand: action },
+  });
+}
+
+async function releaseGetCmd(args) {
+  const opts = { releaseId: null, project: null, siteLimit: null };
+  for (let i = 0; i < args.length; i++) {
+    if (args[i] === "--help" || args[i] === "-h") { console.log(RELEASE_GET_HELP); process.exit(0); }
+    if (args[i] === "--project" && args[i + 1]) { opts.project = args[++i]; continue; }
+    if (args[i] === "--site-limit" && args[i + 1]) { opts.siteLimit = parsePositiveInt(args[++i], "--site-limit"); continue; }
+    if (!args[i].startsWith("-") && !opts.releaseId) opts.releaseId = args[i];
+  }
+  if (!opts.releaseId) {
+    fail({
+      code: "BAD_USAGE",
+      message: "Missing <release_id>.",
+      hint: "run402 deploy release get <release_id>",
+    });
+  }
+
+  const project = resolveProjectId(opts.project);
+
+  try {
+    const sdkOpts = { project };
+    if (opts.siteLimit !== null) sdkOpts.siteLimit = opts.siteLimit;
+    const release = await getSdk().deploy.getRelease(opts.releaseId, sdkOpts);
+    console.log(JSON.stringify({ status: "ok", release }, null, 2));
+  } catch (err) {
+    reportSdkError(err);
+  }
+}
+
+async function releaseActiveCmd(args) {
+  const opts = { project: null, siteLimit: null };
+  for (let i = 0; i < args.length; i++) {
+    if (args[i] === "--help" || args[i] === "-h") { console.log(RELEASE_ACTIVE_HELP); process.exit(0); }
+    if (args[i] === "--project" && args[i + 1]) { opts.project = args[++i]; continue; }
+    if (args[i] === "--site-limit" && args[i + 1]) { opts.siteLimit = parsePositiveInt(args[++i], "--site-limit"); continue; }
+  }
+
+  const project = resolveProjectId(opts.project);
+
+  try {
+    const sdkOpts = { project };
+    if (opts.siteLimit !== null) sdkOpts.siteLimit = opts.siteLimit;
+    const release = await getSdk().deploy.getActiveRelease(sdkOpts);
+    console.log(JSON.stringify({ status: "ok", release }, null, 2));
+  } catch (err) {
+    reportSdkError(err);
+  }
+}
+
+async function releaseDiffCmd(args) {
+  const opts = { project: null, from: null, to: null, limit: null };
+  for (let i = 0; i < args.length; i++) {
+    if (args[i] === "--help" || args[i] === "-h") { console.log(RELEASE_DIFF_HELP); process.exit(0); }
+    if (args[i] === "--project" && args[i + 1]) { opts.project = args[++i]; continue; }
+    if (args[i] === "--from" && args[i + 1]) { opts.from = args[++i]; continue; }
+    if (args[i] === "--to" && args[i + 1]) { opts.to = args[++i]; continue; }
+    if (args[i] === "--limit" && args[i + 1]) { opts.limit = parsePositiveInt(args[++i], "--limit"); continue; }
+  }
+  if (!opts.from || !opts.to) {
+    fail({
+      code: "BAD_USAGE",
+      message: "Missing --from or --to release target.",
+      hint: "run402 deploy release diff --from empty --to active",
+    });
+  }
+  if (opts.to === "empty") {
+    fail({
+      code: "BAD_USAGE",
+      message: "--to cannot be empty. Use active or a release id.",
+      details: { flag: "--to", value: opts.to },
+    });
+  }
+
+  const project = resolveProjectId(opts.project);
+
+  try {
+    const sdkOpts = { project, from: opts.from, to: opts.to };
+    if (opts.limit !== null) sdkOpts.limit = opts.limit;
+    const diff = await getSdk().deploy.diff(sdkOpts);
+    console.log(JSON.stringify({ status: "ok", diff }, null, 2));
+  } catch (err) {
+    reportSdkError(err);
+  }
+}
+
+function parsePositiveInt(value, flag) {
+  const parsed = Number(value);
+  if (!Number.isInteger(parsed) || parsed < 1) {
+    fail({
+      code: "BAD_USAGE",
+      message: `${flag} must be a positive integer.`,
+      details: { flag, value },
+    });
+  }
+  return parsed;
+}
+
 // ─── Manifest → ReleaseSpec ──────────────────────────────────────────────────
 
 function mapManifestToReleaseSpec(spec) {

package/lib/deploy.mjs

@@ -21,6 +21,7 @@ Subcommands (recommended for new manifests):
   run402 deploy resume <operation_id>       resume a stuck operation
   run402 deploy list [--project <id>]       list recent deploy operations
   run402 deploy events <operation_id>       fetch event stream for an operation
+  run402 deploy release ...                 inspect release inventory and diffs
 
 Manifest format (JSON, v2 ReleaseSpec — recommended):
   {
@@ -36,7 +37,7 @@ Manifest format (JSON, v2 ReleaseSpec — recommended):
         ]
       }
     },
-    "secrets":   { "set": { "OPENAI_API_KEY": { "value": "sk-..." } } },
+    "secrets":   { "require": ["OPENAI_API_KEY"], "delete": ["OLD_KEY"] },
     "functions": {
       "replace": {
         "api": {
@@ -63,9 +64,13 @@ Manifest format (JSON, v2 ReleaseSpec — recommended):
   Replace vs patch semantics per resource:
     "site": { "replace": {...} }        whole-site (omitted files removed)
     "site": { "patch": { "put": {...}, "delete": [...] } }   surgical updates
-  Same for "functions" and "secrets". Migrations are always additive (each
-  is keyed by id; re-shipping the same id+sql is a registry noop, same id
-  with different sql is a hard MIGRATION_CHECKSUM_MISMATCH error).
+  Same for "functions". Secrets are value-free declarations:
+    "secrets": { "require": ["OPENAI_API_KEY"], "delete": ["OLD_KEY"] }
+  Secret values must be set outside deploy manifests with:
+    run402 secrets set prj_... OPENAI_API_KEY --file ./.secrets/openai-key
+  Migrations are always additive (each is keyed by id; re-shipping the same
+  id+sql is a registry noop, same id with different sql is a hard
+  MIGRATION_CHECKSUM_MISMATCH error).
 
   File entries accept inline "data", a local "path", or a "sql_path"
   (migrations only) — paths are resolved relative to the manifest file's
@@ -94,12 +99,14 @@ Manifest format (JSON, v2 ReleaseSpec — recommended):
   ⚠️  Without an "expose" entry, tables are unreachable via anon_key.
 
 Legacy v1 bundle format (still accepted via compatibility shim):
-  Existing manifests with top-level "migrations" (string), "secrets" (array),
-  "functions" (array), "files" (array), "subdomain" (string), and the
+  Existing manifests with top-level "migrations" (string), "functions" (array),
+  "files" (array), "subdomain" (string), and the
   "files[].file/data/path" + inline "manifest.json" entry continue to work —
   the SDK translates them into a v2 ReleaseSpec under the hood. Prefer the
   v2 shape above for new manifests; the legacy form is preserved for the
-  deprecation window so existing scripts don't break.
+  deprecation window so existing scripts don't break. Legacy file manifests
+  with secret values no longer deploy: run 'run402 secrets set' first, then
+  use 'run402 deploy apply' with 'secrets.require'.
 
   "migrations_file": "setup.sql"   (legacy convenience) reads SQL from disk
   relative to the manifest file. Useful when JSONB literals make inline
@@ -224,6 +231,11 @@ async function loadManifest(opts) {
     });
   }
 
+  rejectUnsafeSecretManifest(manifest, {
+    source: opts.manifest ? "manifest" : "stdin",
+    ...(opts.manifest ? { path: resolve(opts.manifest) } : {}),
+  });
+
   if (opts.manifest) {
     try {
       resolveMigrationsFile(manifest, baseDir);
@@ -255,19 +267,52 @@ async function loadManifest(opts) {
   return manifest;
 }
 
+function rejectUnsafeSecretManifest(manifest, details) {
+  if (!manifest || typeof manifest !== "object" || Array.isArray(manifest)) return;
+  const secrets = manifest.secrets;
+  if (secrets === undefined) return;
+  if (Array.isArray(secrets) && secrets.length > 0) {
+    fail({
+      code: "UNSAFE_SECRET_MANIFEST",
+      message: "Deploy manifests must not contain secret values. Legacy top-level secrets arrays are no longer supported.",
+      hint: "Run `run402 secrets set <project> <KEY> --file <path>` first, then use `run402 deploy apply` with `\"secrets\": { \"require\": [\"KEY\"] }`.",
+      details: { ...details, field: "secrets", legacy_shape: "array" },
+    });
+  }
+  if (!secrets || typeof secrets !== "object" || Array.isArray(secrets)) return;
+  if (Object.prototype.hasOwnProperty.call(secrets, "set")) {
+    fail({
+      code: "UNSAFE_SECRET_MANIFEST",
+      message: "Deploy manifests must not use secrets.set. Secret values are write-only and must be set outside deploy specs.",
+      hint: "Run `run402 secrets set <project> <KEY> --file <path>` first, then deploy with `\"secrets\": { \"require\": [\"KEY\"] }`.",
+      details: { ...details, field: "secrets.set" },
+    });
+  }
+  if (Object.prototype.hasOwnProperty.call(secrets, "replace_all")) {
+    fail({
+      code: "UNSAFE_SECRET_MANIFEST",
+      message: "Deploy manifests must not use secrets.replace_all. Exact replacement is not representable in the value-free deploy contract.",
+      hint: "Use `secrets.require` for keys that must exist and `secrets.delete` for explicit removals.",
+      details: { ...details, field: "secrets.replace_all" },
+    });
+  }
+}
+
 export async function run(args) {
   // Subcommand dispatch (v1.34+):
   //   run402 deploy apply  ...    → unified deploy primitive (deploy.apply)
   //   run402 deploy resume <op>   → resume an activation_pending operation
   //   run402 deploy list          → list recent deploy operations
   //   run402 deploy events <op>   → fetch recorded event stream for an operation
+  //   run402 deploy release ...   → release inventory/diff observability
   //   run402 deploy --manifest …  → legacy bundle deploy (routes through v2)
   const sub = args[0];
   switch (sub) {
     case "apply":
     case "resume":
     case "list":
-    case "events": {
+    case "events":
+    case "release": {
       const { runDeployV2 } = await import("./deploy-v2.mjs");
       await runDeployV2(sub, args.slice(1));
       return;

package/lib/secrets.mjs

@@ -14,14 +14,15 @@ Subcommands:
   delete <id> <key>            Delete a secret from a project
 
 Examples:
-  run402 secrets set prj_abc123 STRIPE_KEY sk-1234
+  run402 secrets set prj_abc123 STRIPE_KEY --file ./.secrets/stripe-key
   run402 secrets set prj_abc123 TLS_CERT --file cert.pem
   run402 secrets list prj_abc123
   run402 secrets delete prj_abc123 STRIPE_KEY
 
 Notes:
   - Secrets are injected as process.env in serverless functions
-  - Values are write-only — list returns keys with a value_hash (first 8 hex chars of SHA-256) for verifying the correct value was set
+  - Values are write-only — list returns keys and timestamps only
+  - Deploy manifests should declare existing keys with secrets.require; never put values in deploy specs
 `;
 
 const SUB_HELP = {
@@ -41,10 +42,11 @@ Options:
 
 Notes:
   - Secrets are injected as process.env in serverless functions
-  - Values are write-only; 'list' returns a value_hash for verification
+  - Values are write-only; 'list' cannot verify values by hash
+  - Prefer --file for real secrets so values do not land in shell history
 
 Examples:
-  run402 secrets set prj_abc123 STRIPE_KEY sk-1234
+  run402 secrets set prj_abc123 STRIPE_KEY --file ./.secrets/stripe-key
   run402 secrets set prj_abc123 TLS_CERT --file cert.pem
 `,
   list: `run402 secrets list — List all secrets for a project
@@ -56,8 +58,7 @@ Arguments:
   <id>                Project ID (from 'run402 projects list')
 
 Notes:
-  - Returns secret keys with a value_hash (first 8 hex chars of SHA-256)
-    for verifying the correct value was set; raw values are write-only
+  - Returns secret keys and timestamps only; raw values and value-derived hashes are never returned
 
 Examples:
   run402 secrets list prj_abc123
@@ -103,7 +104,14 @@ async function set(projectId, key, args = []) {
 async function list(projectId) {
   try {
     const data = await getSdk().secrets.list(projectId);
-    console.log(JSON.stringify(data, null, 2));
+    const sanitized = {
+      secrets: (data.secrets || []).map((s) => ({
+        key: s.key,
+        ...(s.created_at ? { created_at: s.created_at } : {}),
+        ...(s.updated_at ? { updated_at: s.updated_at } : {}),
+      })),
+    };
+    console.log(JSON.stringify(sanitized, null, 2));
   } catch (err) {
     reportSdkError(err);
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "run402",
-  "version": "1.55.0",
+  "version": "1.57.0",
   "description": "CLI for Run402 — provision Postgres databases, deploy static sites, generate images, and manage wallets via x402 and MPP micropayments.",
   "type": "module",
   "bin": {

package/sdk/dist/index.d.ts

@@ -130,5 +130,5 @@ export { Deploy } from "./namespaces/deploy.js";
 export { Ci, CI_AUDIENCE, CI_GITHUB_ACTIONS_ISSUER, CI_GITHUB_ACTIONS_PROVIDER, DEFAULT_CI_DELEGATION_CHAIN_ID, V1_CI_ALLOWED_ACTIONS, V1_CI_ALLOWED_EVENTS_DEFAULT, assertCiDeployableSpec, buildCiDelegationResourceUri, buildCiDelegationStatement, normalizeCiDelegationValues, validateCiNonce, validateCiSubjectMatch, } from "./namespaces/ci.js";
 export { ScopedRun402 } from "./scoped.js";
 export type { CiAllowedAction, CiAllowedEvent, CiBindingErrorCode, CiBindingRow, CiCreateBindingInput, CiDelegationValues, CiDeployErrorCode, CiErrorCode, CiListBindingsInput, CiListBindingsResult, CiProvider, CiTokenExchangeErrorCode, CiTokenExchangeInput, CiTokenExchangeRequestBody, CiTokenExchangeResponse, NormalizedCiDelegationValues, ParsedDelegation, } from "./namespaces/ci.types.js";
-export type { ApplyOptions, CommitResponse, CommitStatus, ContentRef, ContentSource, DatabaseSpec, DeployDiff, DeployEvent, DeployOperation, DeployResult, ExposeManifest, FileSet, FsFileSource, FunctionSpec, FunctionsSpec, MigrationSpec, MissingContent, OperationSnapshot, OperationStatus, PaymentRequiredHint, PlanRequest, PlanResponse, ReleaseSpec, RouteSpec, SecretsSpec, SiteSpec, SmokeCheck, StartOptions, SubdomainsSpec, } from "./namespaces/deploy.types.js";
+export type { ApplyOptions, ActiveReleaseInventory, CommitResponse, CommitStatus, ContentRef, ContentSource, DatabaseSpec, DeployObservabilityWarningEntry, DeployDiff, DeployEvent, DeployOperation, DeployResult, ExposeManifest, FileSet, FsFileSource, FunctionSpec, FunctionsDiff, FunctionsSpec, LegacyWarningEntry, MigrationAppliedEntry, MigrationSpec, MissingContent, OperationSnapshot, OperationStatus, PaymentRequiredHint, PlanDiffEnvelope, PlanMigrationDiff, PlanRequest, PlanResponse, ReleaseDiffOptions, ReleaseDiffTarget, ReleaseDiffToTarget, ReleaseFunctionEntry, ReleaseInventory, ReleaseInventoryBase, ReleaseInventoryByIdOptions, ReleaseInventoryOptions, ReleaseInventoryStateKind, ReleaseInventoryStatus, ReleaseSnapshotInventory, ReleaseSpec, ReleaseToReleaseDiff, RouteSpec, SecretsSpec, SecretsDiff, SiteDiff, SitePathEntry, SiteSpec, SmokeCheck, StartOptions, SubdomainsSpec, SubdomainsDiff, WarningEntry, } from "./namespaces/deploy.types.js";
 //# sourceMappingURL=index.d.ts.map

package/sdk/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AAC5D,OAAO,EAAE,QAAQ,EAAE,MAAM,0BAA0B,CAAC;AACpD,OAAO,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACtD,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,MAAM,4BAA4B,CAAC;AACxD,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAClD,OAAO,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AAC9C,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAClD,OAAO,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAC5C,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACtD,OAAO,EAAE,EAAE,EAAE,MAAM,oBAAoB,CAAC;AACxC,OAAO,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAC5C,OAAO,EAAE,YAAY,EAAE,MAAM,+BAA+B,CAAC;AAC7D,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAClD,OAAO,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAC5C,OAAO,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACtD,OAAO,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AAC9C,OAAO,EAAE,MAAM,EAAE,MAAM,wBAAwB,CAAC;AAChD,OAAO,EAAE,EAAE,EAAE,MAAM,oBAAoB,CAAC;AACxC,OAAO,KAAK,EAAE,aAAa,EAAE,OAAO,EAAE,MAAM,8BAA8B,CAAC;AAC3E,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAG3C,MAAM,WAAW,aAAa;IAC5B,mDAAmD;IACnD,OAAO,EAAE,MAAM,CAAC;IAChB,mFAAmF;IACnF,WAAW,EAAE,mBAAmB,CAAC;IACjC;;;;OAIG;IACH,KAAK,CAAC,EAAE,OAAO,UAAU,CAAC,KAAK,CAAC;CACjC;AAED,qBAAa,MAAM;;IACjB,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC;IAC5B,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAC;IACtB,QAAQ,CAAC,SAAS,EAAE,SAAS,CAAC;IAC9B,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;IAC1B,QAAQ,CAAC,UAAU,EAAE,UAAU,CAAC;IAChC,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;IAC1B,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAC;IACtB,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;IAC1B,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC;IACpB,QAAQ,CAAC,SAAS,EAAE,SAAS,CAAC;IAC9B,QAAQ,CAAC,EAAE,EAAE,EAAE,CAAC;IAChB,QAAQ,CAAC,KAAK,EAAG,EAAE,CAAC;IACpB,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC;IACpB,QAAQ,CAAC,YAAY,EAAE,YAAY,CAAC;IACpC,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;IAC1B,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC;IACpB,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAC;IACtB,QAAQ,CAAC,SAAS,EAAE,SAAS,CAAC;IAC9B,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAC;IACtB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,EAAE,EAAE,EAAE,CAAC;gBAIJ,IAAI,EAAE,aAAa;IA6D/B;;;;;;;;;;;;;;;;OAgBG;IACG,OAAO,CAAC,EAAE,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC;IAsBjD;;;;;;;;;;;OAWG;IACG,UAAU,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC;CAIpD;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,KAAK,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,GAAG,OAAO,CAEpE;AAED;;;GAGG;AACH,wBAAgB,MAAM,CAAC,IAAI,EAAE,aAAa,GAAG,MAAM,CAElD;AAED,OAAO,EACL,WAAW,EACX,eAAe,EACf,eAAe,EACf,YAAY,EACZ,QAAQ,EACR,YAAY,EACZ,UAAU,EACV,iBAAiB,EACjB,aAAa,EACb,iBAAiB,EACjB,iBAAiB,EACjB,cAAc,EACd,UAAU,EACV,cAAc,EACd,YAAY,EACZ,aAAa,EACb,sBAAsB,GACvB,MAAM,aAAa,CAAC;AACrB,YAAY,EACV,qBAAqB,EACrB,oBAAoB,EACpB,eAAe,GAChB,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AACvC,YAAY,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAC/C,YAAY,EAAE,mBAAmB,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AACzE,YAAY,EAAE,cAAc,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAC1D,OAAO,EACL,sBAAsB,EACtB,0BAA0B,EAC1B,wBAAwB,EACxB,sBAAsB,GACvB,MAAM,qBAAqB,CAAC;AAC7B,YAAY,EACV,2BAA2B,EAC3B,iCAAiC,EACjC,+BAA+B,GAChC,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,MAAM,EAAE,MAAM,wBAAwB,CAAC;AAChD,OAAO,EACL,EAAE,EACF,WAAW,EACX,wBAAwB,EACxB,0BAA0B,EAC1B,8BAA8B,EAC9B,qBAAqB,EACrB,4BAA4B,EAC5B,sBAAsB,EACtB,4BAA4B,EAC5B,0BAA0B,EAC1B,2BAA2B,EAC3B,eAAe,EACf,sBAAsB,GACvB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,YAAY,EACV,eAAe,EACf,cAAc,EACd,kBAAkB,EAClB,YAAY,EACZ,oBAAoB,EACpB,kBAAkB,EAClB,iBAAiB,EACjB,WAAW,EACX,mBAAmB,EACnB,oBAAoB,EACpB,UAAU,EACV,wBAAwB,EACxB,oBAAoB,EACpB,0BAA0B,EAC1B,uBAAuB,EACvB,4BAA4B,EAC5B,gBAAgB,GACjB,MAAM,0BAA0B,CAAC;AAClC,YAAY,EACV,YAAY,EACZ,cAAc,EACd,YAAY,EACZ,UAAU,EACV,aAAa,EACb,YAAY,EACZ,UAAU,EACV,WAAW,EACX,eAAe,EACf,YAAY,EACZ,cAAc,EACd,OAAO,EACP,YAAY,EACZ,YAAY,EACZ,aAAa,EACb,aAAa,EACb,cAAc,EACd,iBAAiB,EACjB,eAAe,EACf,mBAAmB,EACnB,WAAW,EACX,YAAY,EACZ,WAAW,EACX,SAAS,EACT,WAAW,EACX,QAAQ,EACR,UAAU,EACV,YAAY,EACZ,cAAc,GACf,MAAM,8BAA8B,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AAC5D,OAAO,EAAE,QAAQ,EAAE,MAAM,0BAA0B,CAAC;AACpD,OAAO,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACtD,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,MAAM,4BAA4B,CAAC;AACxD,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAClD,OAAO,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AAC9C,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAClD,OAAO,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAC5C,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACtD,OAAO,EAAE,EAAE,EAAE,MAAM,oBAAoB,CAAC;AACxC,OAAO,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAC5C,OAAO,EAAE,YAAY,EAAE,MAAM,+BAA+B,CAAC;AAC7D,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAClD,OAAO,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAC5C,OAAO,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACtD,OAAO,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AAC9C,OAAO,EAAE,MAAM,EAAE,MAAM,wBAAwB,CAAC;AAChD,OAAO,EAAE,EAAE,EAAE,MAAM,oBAAoB,CAAC;AACxC,OAAO,KAAK,EAAE,aAAa,EAAE,OAAO,EAAE,MAAM,8BAA8B,CAAC;AAC3E,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAG3C,MAAM,WAAW,aAAa;IAC5B,mDAAmD;IACnD,OAAO,EAAE,MAAM,CAAC;IAChB,mFAAmF;IACnF,WAAW,EAAE,mBAAmB,CAAC;IACjC;;;;OAIG;IACH,KAAK,CAAC,EAAE,OAAO,UAAU,CAAC,KAAK,CAAC;CACjC;AAED,qBAAa,MAAM;;IACjB,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC;IAC5B,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAC;IACtB,QAAQ,CAAC,SAAS,EAAE,SAAS,CAAC;IAC9B,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;IAC1B,QAAQ,CAAC,UAAU,EAAE,UAAU,CAAC;IAChC,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;IAC1B,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAC;IACtB,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;IAC1B,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC;IACpB,QAAQ,CAAC,SAAS,EAAE,SAAS,CAAC;IAC9B,QAAQ,CAAC,EAAE,EAAE,EAAE,CAAC;IAChB,QAAQ,CAAC,KAAK,EAAG,EAAE,CAAC;IACpB,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC;IACpB,QAAQ,CAAC,YAAY,EAAE,YAAY,CAAC;IACpC,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;IAC1B,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC;IACpB,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAC;IACtB,QAAQ,CAAC,SAAS,EAAE,SAAS,CAAC;IAC9B,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAC;IACtB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,EAAE,EAAE,EAAE,CAAC;gBAIJ,IAAI,EAAE,aAAa;IA6D/B;;;;;;;;;;;;;;;;OAgBG;IACG,OAAO,CAAC,EAAE,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC;IAsBjD;;;;;;;;;;;OAWG;IACG,UAAU,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC;CAIpD;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,KAAK,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,GAAG,OAAO,CAEpE;AAED;;;GAGG;AACH,wBAAgB,MAAM,CAAC,IAAI,EAAE,aAAa,GAAG,MAAM,CAElD;AAED,OAAO,EACL,WAAW,EACX,eAAe,EACf,eAAe,EACf,YAAY,EACZ,QAAQ,EACR,YAAY,EACZ,UAAU,EACV,iBAAiB,EACjB,aAAa,EACb,iBAAiB,EACjB,iBAAiB,EACjB,cAAc,EACd,UAAU,EACV,cAAc,EACd,YAAY,EACZ,aAAa,EACb,sBAAsB,GACvB,MAAM,aAAa,CAAC;AACrB,YAAY,EACV,qBAAqB,EACrB,oBAAoB,EACpB,eAAe,GAChB,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AACvC,YAAY,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAC/C,YAAY,EAAE,mBAAmB,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AACzE,YAAY,EAAE,cAAc,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAC1D,OAAO,EACL,sBAAsB,EACtB,0BAA0B,EAC1B,wBAAwB,EACxB,sBAAsB,GACvB,MAAM,qBAAqB,CAAC;AAC7B,YAAY,EACV,2BAA2B,EAC3B,iCAAiC,EACjC,+BAA+B,GAChC,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,MAAM,EAAE,MAAM,wBAAwB,CAAC;AAChD,OAAO,EACL,EAAE,EACF,WAAW,EACX,wBAAwB,EACxB,0BAA0B,EAC1B,8BAA8B,EAC9B,qBAAqB,EACrB,4BAA4B,EAC5B,sBAAsB,EACtB,4BAA4B,EAC5B,0BAA0B,EAC1B,2BAA2B,EAC3B,eAAe,EACf,sBAAsB,GACvB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,YAAY,EACV,eAAe,EACf,cAAc,EACd,kBAAkB,EAClB,YAAY,EACZ,oBAAoB,EACpB,kBAAkB,EAClB,iBAAiB,EACjB,WAAW,EACX,mBAAmB,EACnB,oBAAoB,EACpB,UAAU,EACV,wBAAwB,EACxB,oBAAoB,EACpB,0BAA0B,EAC1B,uBAAuB,EACvB,4BAA4B,EAC5B,gBAAgB,GACjB,MAAM,0BAA0B,CAAC;AAClC,YAAY,EACV,YAAY,EACZ,sBAAsB,EACtB,cAAc,EACd,YAAY,EACZ,UAAU,EACV,aAAa,EACb,YAAY,EACZ,+BAA+B,EAC/B,UAAU,EACV,WAAW,EACX,eAAe,EACf,YAAY,EACZ,cAAc,EACd,OAAO,EACP,YAAY,EACZ,YAAY,EACZ,aAAa,EACb,aAAa,EACb,kBAAkB,EAClB,qBAAqB,EACrB,aAAa,EACb,cAAc,EACd,iBAAiB,EACjB,eAAe,EACf,mBAAmB,EACnB,gBAAgB,EAChB,iBAAiB,EACjB,WAAW,EACX,YAAY,EACZ,kBAAkB,EAClB,iBAAiB,EACjB,mBAAmB,EACnB,oBAAoB,EACpB,gBAAgB,EAChB,oBAAoB,EACpB,2BAA2B,EAC3B,uBAAuB,EACvB,yBAAyB,EACzB,sBAAsB,EACtB,wBAAwB,EACxB,WAAW,EACX,oBAAoB,EACpB,SAAS,EACT,WAAW,EACX,WAAW,EACX,QAAQ,EACR,aAAa,EACb,QAAQ,EACR,UAAU,EACV,YAAY,EACZ,cAAc,EACd,cAAc,EACd,YAAY,GACb,MAAM,8BAA8B,CAAC"}

package/sdk/dist/namespaces/apps.d.ts

@@ -5,6 +5,7 @@
 import type { Client } from "../kernel.js";
 import type { ProjectTier, RlsTemplate, RlsTableSpec } from "./projects.types.js";
 import type { SiteFile } from "./sites.js";
+import type { WarningEntry } from "./deploy.types.js";
 export interface BundleRlsOptions {
     template: RlsTemplate;
     tables: RlsTableSpec[];
@@ -47,6 +48,7 @@ export interface BundleDeployResult {
         schedule?: string | null;
     }>;
     subdomain_url?: string;
+    warnings?: WarningEntry[];
 }
 export interface AppSummary {
     id: string;
@@ -128,10 +130,10 @@ export declare class Apps {
     private readonly client;
     constructor(client: Client);
     /**
-     * Deploy to an existing project: runs migrations, applies RLS, sets
-     * secrets, deploys functions, deploys a static site, and claims a
-     * subdomain. Payment flows through x402 when the project lease needs
-     * renewal.
+     * Deploy to an existing project: runs migrations, applies RLS, writes
+     * legacy in-memory secret values through the secrets API, deploys
+     * functions, deploys a static site, and claims a subdomain. Payment flows
+     * through x402 when the project lease needs renewal.
      *
      * **As of v1.34, this method is a thin compatibility shim over
      * {@link Deploy.apply}.** It translates the legacy bundle options into a
@@ -144,6 +146,11 @@ export declare class Apps {
      * the only behavior change vs. v1's blind re-execution and is safe for
      * idempotent migrations (the documented agent norm).
      *
+     * Legacy `opts.secrets` are not embedded in the release spec. They are
+     * pre-validated, written before deploy, then represented as
+     * `secrets.require` keys. Those writes are intentionally not atomic with
+     * the later deploy commit.
+     *
      * `inherit: true` is silently ignored;
      * patch semantics on `r.deploy.apply` replace it.
      */