run402 1.63.0 → 1.64.0

package/README.md

@@ -125,6 +125,10 @@ import { db, adminDb, getUser, email, ai } from "@run402/functions";
 
 `db(req)` is the caller-context client (RLS applies); `adminDb()` bypasses RLS for platform-authored writes.
 
+### Same-origin web routes
+
+`run402 deploy apply` accepts `routes.replace` as an array of route entries, not a path-keyed map. Use exact `/admin` plus final-wildcard `/admin/*` for a routed section root, and target a function deployed in the same release. Routed functions use Node 22 Fetch Request -> Response; `req.url` is the full public URL on managed subdomains, deployment hosts, and verified custom domains, so OAuth redirect URIs can be derived from `new URL(req.url).origin`. Direct `/functions/v1/:name` remains API-key protected. Runtime route failure codes to branch on: `ROUTE_MANIFEST_LOAD_FAILED` (manifest/propagation), `ROUTED_INVOKE_WORKER_SECRET_MISSING` (custom-domain Worker secret), `ROUTED_INVOKE_AUTH_FAILED` (internal invoke signature), `ROUTED_ROUTE_STALE` (selected route failed release revalidation), `ROUTE_METHOD_NOT_ALLOWED` (method mismatch), and `ROUTED_RESPONSE_TOO_LARGE` (body over 6 MiB).
+
 ### Secrets
 
 ```bash

package/lib/allowance.mjs

@@ -1,4 +1,4 @@
-import { readAllowance, saveAllowance, ALLOWANCE_FILE, API } from "./config.mjs";
+import { readAllowance, saveAllowance, ALLOWANCE_FILE } from "./config.mjs";
 import { getSdk } from "./sdk.mjs";
 import { reportSdkError, fail } from "./sdk-errors.mjs";
 
@@ -173,14 +173,11 @@ async function fund() {
   const client = createPublicClient({ chain: baseSepolia, transport: http() });
   const before = await readUsdcBalance(client, USDC_SEPOLIA, w.address).catch(() => 0);
 
-  const res = await fetch(`${API}/faucet/v1`, { method: "POST", headers: { "Content-Type": "application/json" }, body: JSON.stringify({ address: w.address }) });
-  const data = await res.json();
-  if (!res.ok) {
-    fail({
-      code: data?.code || "FAUCET_FAILED",
-      message: data?.message || "Faucet request failed",
-      details: { http: res.status, ...data },
-    });
+  let data;
+  try {
+    data = await getSdk().allowance.faucet(w.address);
+  } catch (err) {
+    reportSdkError(err);
   }
 
   const MAX_WAIT = 30;
@@ -228,11 +225,9 @@ async function balance() {
     readUsdcBalance(mainnetClient, USDC_MAINNET, w.address).catch(() => null),
     readUsdcBalance(sepoliaClient, USDC_SEPOLIA, w.address).catch(() => null),
     readUsdcBalance(tempoClient, PATH_USD, w.address).catch(() => null),
-    fetch(`${API}/billing/v1/accounts/${w.address.toLowerCase()}`),
+    getSdk().billing.checkBalance(w.address).catch(() => null),
   ]);
 
-  const billing = billingRes.ok ? await billingRes.json() : null;
-
   console.log(JSON.stringify({
     address: w.address,
     rail: w.rail || "x402",
@@ -241,7 +236,7 @@ async function balance() {
       "base-sepolia_usd_micros": sepoliaUsdc,
       "tempo-moderato_pathusd_micros": tempoPathUsd,
     },
-    run402: billing ? { balance_usd_micros: billing.available_usd_micros } : "no billing account",
+    run402: billingRes ? { balance_usd_micros: billingRes.available_usd_micros } : "no billing account",
   }, null, 2));
 }
 
@@ -274,14 +269,12 @@ async function checkout(args) {
       hint: "e.g. --amount 5000000 for $5",
     });
   }
-  const res = await fetch(`${API}/billing/v1/checkouts`, {
-    method: "POST",
-    headers: { "Content-Type": "application/json" },
-    body: JSON.stringify({ wallet: w.address.toLowerCase(), amount_usd_micros: amount }),
-  });
-  const data = await res.json();
-  if (!res.ok) { console.error(JSON.stringify({ status: "error", http: res.status, ...data })); process.exit(1); }
-  console.log(JSON.stringify(data, null, 2));
+  try {
+    const data = await getSdk().billing.createCheckout(w.address, amount);
+    console.log(JSON.stringify(data, null, 2));
+  } catch (err) {
+    reportSdkError(err);
+  }
 }
 
 async function history(args) {
@@ -297,10 +290,12 @@ async function history(args) {
   for (let i = 0; i < args.length; i++) {
     if (args[i] === "--limit" && args[i + 1]) limit = parseInt(args[++i], 10);
   }
-  const res = await fetch(`${API}/billing/v1/accounts/${w.address.toLowerCase()}/history?limit=${limit}`);
-  const data = await res.json();
-  if (!res.ok) { console.error(JSON.stringify({ status: "error", http: res.status, ...data })); process.exit(1); }
-  console.log(JSON.stringify(data, null, 2));
+  try {
+    const data = await getSdk().billing.history(w.address, limit);
+    console.log(JSON.stringify(data, null, 2));
+  } catch (err) {
+    reportSdkError(err);
+  }
 }
 
 export async function run(sub, args) {

package/lib/auth.mjs

@@ -1,4 +1,4 @@
-import { findProject, resolveProjectId, API } from "./config.mjs";
+import { resolveProjectId } from "./config.mjs";
 import { getSdk } from "./sdk.mjs";
 import { reportSdkError, fail } from "./sdk-errors.mjs";
 
@@ -546,22 +546,13 @@ async function deletePasskey(args) {
 }
 
 async function providers(args) {
-  // `providers` isn't in the pilot SDK surface — keep the direct fetch.
   const projectId = resolveProjectId(parseFlag(args, "--project"));
-  const p = findProject(projectId);
-
-  const res = await fetch(`${API}/auth/v1/providers`, {
-    headers: {
-      "apikey": p.anon_key,
-      "Authorization": `Bearer ${p.anon_key}`,
-    },
-  });
-  const data = await res.json();
-  if (!res.ok) {
-    console.error(JSON.stringify({ status: "error", http: res.status, ...data }));
-    process.exit(1);
-  }
-  console.log(JSON.stringify(data, null, 2));
+  try {
+    const data = await getSdk().auth.providers(projectId);
+    console.log(JSON.stringify(data, null, 2));
+  } catch (err) {
+    reportSdkError(err);
+  }
 }
 
 export async function run(sub, args) {

package/lib/billing.mjs

@@ -1,4 +1,3 @@
-import { API } from "./config.mjs";
 import { getSdk } from "./sdk.mjs";
 import { reportSdkError, fail } from "./sdk-errors.mjs";
 
@@ -224,7 +223,6 @@ async function autoRecharge(args) {
 }
 
 async function balance(args) {
-  // Accepts email OR wallet — SDK only models wallet, so keep direct fetch.
   const id = args[0];
   if (!id) {
     fail({
@@ -233,10 +231,12 @@ async function balance(args) {
       hint: "run402 billing balance <email-or-wallet>",
     });
   }
-  const res = await fetch(`${API}/billing/v1/accounts/${encodeURIComponent(id)}`);
-  const data = await res.json();
-  if (!res.ok) { console.error(JSON.stringify({ status: "error", http: res.status, ...data })); process.exit(1); }
-  console.log(JSON.stringify(data, null, 2));
+  try {
+    const data = await getSdk().billing.getAccount(id);
+    console.log(JSON.stringify(data, null, 2));
+  } catch (err) {
+    reportSdkError(err);
+  }
 }
 
 async function history(args) {
@@ -249,10 +249,12 @@ async function history(args) {
     });
   }
   const limit = parseFlag(args, "--limit") || "50";
-  const res = await fetch(`${API}/billing/v1/accounts/${encodeURIComponent(id)}/history?limit=${encodeURIComponent(limit)}`);
-  const data = await res.json();
-  if (!res.ok) { console.error(JSON.stringify({ status: "error", http: res.status, ...data })); process.exit(1); }
-  console.log(JSON.stringify(data, null, 2));
+  try {
+    const data = await getSdk().billing.getHistory(id, Number(limit));
+    console.log(JSON.stringify(data, null, 2));
+  } catch (err) {
+    reportSdkError(err);
+  }
 }
 
 export async function run(sub, args) {

package/lib/blob.mjs

@@ -34,7 +34,7 @@ import { basename, dirname, join, resolve as resolvePath } from "node:path";
 import { homedir } from "node:os";
 import { pipeline } from "node:stream/promises";
 
-import { resolveProject, resolveProjectId, API } from "./config.mjs";
+import { resolveProjectId } from "./config.mjs";
 import { getSdk } from "./sdk.mjs";
 import { reportSdkError, fail } from "./sdk-errors.mjs";
 import { assertKnownFlags, hasHelp, normalizeArgv, parseIntegerFlag } from "./argparse.mjs";
@@ -190,19 +190,6 @@ function die(msg, exit_code = 1) {
   fail({ code: "BAD_USAGE", message: msg, exit_code });
 }
 
-function dieApiFailure(prefix, http, body) {
-  if (body && typeof body === "object" && !Array.isArray(body)) {
-    const envelope = { status: "error", http, ...body };
-    if (!envelope.message && envelope.error) envelope.message = envelope.error;
-    console.error(JSON.stringify(envelope));
-    process.exit(1);
-  }
-  fail({
-    message: `${prefix}: HTTP ${http}${typeof body === "string" && body ? `: ${body.slice(0, 500)}` : ""}`,
-    details: { http },
-  });
-}
-
 function parseArgs(rawArgs) {
   const args = normalizeArgv(rawArgs);
   const valueFlags = ["--project", "--key", "--content-type", "--concurrency", "--prefix", "--limit", "--output", "-o", "--ttl"];
@@ -305,7 +292,7 @@ function findResumableStateForFile(projectId, localPath, key) {
 // put
 // ---------------------------------------------------------------------------
 
-async function putOne(project, filePath, opts) {
+async function putOne(projectId, filePath, opts) {
   const stat = statSync(filePath);
   const size = stat.size;
   const destKey = computeDestKey(filePath, opts.key);
@@ -317,15 +304,21 @@ async function putOne(project, filePath, opts) {
 
   // Attempt to resume
   let state = opts.resume
-    ? findResumableStateForFile(project.id, absLocal, destKey)
+    ? findResumableStateForFile(projectId, absLocal, destKey)
     : null;
   let initRes;
   if (state) {
     // Re-poll the session; if it's still active, resume. Otherwise start fresh.
-    const poll = await apiFetch(`${API}/storage/v1/uploads/${state.upload_id}`, "GET", project, null);
-    if (poll.status === 200 && poll.body.status === "active") {
+    const poll = await getSdk().blobs.getUploadSession(projectId, state.upload_id);
+    if (poll.status === "active") {
       log(opts, { event: "resume", upload_id: state.upload_id, key: destKey });
-      initRes = { upload_id: state.upload_id, mode: state.mode, parts: state.parts, part_count: state.part_count, part_size_bytes: state.part_size_bytes };
+      initRes = {
+        upload_id: state.upload_id,
+        mode: poll.mode ?? state.mode,
+        parts: poll.parts ?? state.parts,
+        part_count: poll.part_count ?? state.part_count,
+        part_size_bytes: poll.part_size_bytes ?? state.part_size_bytes,
+      };
     } else {
       removeState(state.upload_id);
       state = null;
@@ -333,7 +326,7 @@ async function putOne(project, filePath, opts) {
   }
 
   if (!state) {
-    const init = await apiFetch(`${API}/storage/v1/uploads`, "POST", project, {
+    initRes = await getSdk().blobs.initUploadSession(projectId, {
       key: destKey,
       size_bytes: size,
       content_type: opts.contentType ?? guessContentType(destKey),
@@ -341,11 +334,9 @@ async function putOne(project, filePath, opts) {
       immutable: opts.immutable,
       sha256,
     });
-    if (init.status !== 201) dieApiFailure("Init failed", init.status, init.body);
-    initRes = init.body;
-    saveState({
+    state = {
       upload_id: initRes.upload_id,
-      project_id: project.id,
+      project_id: projectId,
       local_path: absLocal,
       key: destKey,
       mode: initRes.mode,
@@ -355,8 +346,8 @@ async function putOne(project, filePath, opts) {
       parts_done: {},
       sha256,
       started_at: new Date().toISOString(),
-    });
-    state = loadState(initRes.upload_id);
+    };
+    if (opts.resume) saveState(state);
   }
 
   // Upload parts with concurrency limit. For single-PUT mode part_count=1 and
@@ -378,7 +369,7 @@ async function putOne(project, filePath, opts) {
     const { etag } = await putPart(filePath, part);
     etags[part.part_number - 1] = { etag };
     state.parts_done[String(part.part_number)] = { etag };
-    saveState(state);
+    if (opts.resume) saveState(state);
     log(opts, { event: "part", upload_id: state.upload_id, part_number: part.part_number, etag });
   });
 
@@ -386,12 +377,13 @@ async function putOne(project, filePath, opts) {
   const body = initRes.mode === "multipart"
     ? { parts: etags.map((e, i) => ({ part_number: i + 1, etag: e.etag })) }
     : {};
-  const complete = await apiFetch(`${API}/storage/v1/uploads/${state.upload_id}/complete`, "POST", project, body);
-  if (complete.status !== 200) dieApiFailure("Complete failed", complete.status, complete.body);
+  const result = await getSdk().blobs.completeUploadSession(projectId, state.upload_id, body, {
+    contentType: opts.contentType ?? guessContentType(destKey),
+  });
 
   removeState(state.upload_id);
-  log(opts, { event: "done", ...complete.body });
-  return complete.body;
+  log(opts, { event: "done", ...result });
+  return result;
 }
 
 function computeDestKey(filePath, keyOpt) {
@@ -443,7 +435,7 @@ function isSettled(p) {
 async function put(projectId, argv) {
   const opts = parseArgs(argv);
   opts.project = opts.project || projectId;
-  const project = resolveProject(opts.project);
+  const resolvedId = resolveProjectId(opts.project);
 
   if (opts.positional.length === 0) die("At least one file path is required");
   if (opts.immutable && opts.positional.length > 1 && opts.key && !opts.key.endsWith("/")) {
@@ -453,8 +445,12 @@ async function put(projectId, argv) {
   const results = [];
   for (const filePath of opts.positional) {
     if (!existsSync(filePath)) die(`File not found: ${filePath}`);
-    const r = await putOne(project, filePath, opts);
-    results.push({ file: filePath, ...r });
+    try {
+      const r = await putOne(resolvedId, filePath, opts);
+      results.push({ file: filePath, ...r });
+    } catch (err) {
+      reportSdkError(err);
+    }
   }
   if (!opts.json) console.log(JSON.stringify(results, null, 2));
 }
@@ -576,11 +572,6 @@ async function sign(projectId, argv) {
 // Shared helpers
 // ---------------------------------------------------------------------------
 
-function encodeKey(key) {
-  // Encode each path segment; preserve `/` as separator.
-  return key.split("/").map(encodeURIComponent).join("/");
-}
-
 function guessContentType(key) {
   const ext = key.slice(key.lastIndexOf(".") + 1).toLowerCase();
   const map = {
@@ -594,21 +585,6 @@ function guessContentType(key) {
   return map[ext] ?? "application/octet-stream";
 }
 
-async function apiFetch(url, method, project, body) {
-  const res = await fetch(url, {
-    method,
-    headers: {
-      "content-type": "application/json",
-      apikey: project.anon_key,
-      Authorization: `Bearer ${project.anon_key}`,
-    },
-    body: body === null ? undefined : JSON.stringify(body ?? {}),
-  });
-  const txt = await res.text();
-  let parsed; try { parsed = txt ? JSON.parse(txt) : null; } catch { parsed = txt; }
-  return { status: res.status, body: parsed };
-}
-
 function log(opts, event) {
   if (opts.json) console.log(JSON.stringify(event));
 }

package/lib/contracts.mjs

@@ -1,4 +1,3 @@
-import { findProject, API } from "./config.mjs";
 import { getSdk } from "./sdk.mjs";
 import { reportSdkError, fail, parseFlagJson } from "./sdk-errors.mjs";
 
@@ -138,7 +137,6 @@ function hasFlag(args, flag) {
 }
 
 async function provisionWallet(projectId, args) {
-  const p = findProject(projectId);
   const chain = parseFlag(args, "--chain");
   if (!chain) {
     fail({
@@ -147,25 +145,19 @@ async function provisionWallet(projectId, args) {
     });
   }
   const recovery = parseFlag(args, "--recovery");
-  // Soft default of one wallet — confirm if project already has one. This
-  // pre-check stays on raw fetch because it's a discovery best-effort, not
-  // a primary API call.
+  // Soft default of one wallet — confirm if project already has one.
+  let activeWallets = null;
   try {
-    const listRes = await fetch(`${API}/contracts/v1/wallets`, {
-      headers: { Authorization: `Bearer ${p.service_key}` },
-    });
-    if (listRes.ok) {
-      const list = await listRes.json();
-      const active = (list.wallets || []).filter((w) => w.status === "active");
-      if (active.length >= 1 && !hasFlag(args, "--yes")) {
-        fail({
-          code: "CONFIRMATION_REQUIRED",
-          message: `This project already has ${active.length} active wallet(s). Adding another costs $0.04/day each ($1.20/month). Re-run with --yes to confirm.`,
-          details: { active_wallets: active.length },
-        });
-      }
-    }
+    const list = await getSdk().contracts.listWallets(projectId);
+    activeWallets = (list.wallets || []).filter((w) => w.status === "active").length;
   } catch { /* best-effort */ }
+  if (activeWallets !== null && activeWallets >= 1 && !hasFlag(args, "--yes")) {
+    fail({
+      code: "CONFIRMATION_REQUIRED",
+      message: `This project already has ${activeWallets} active wallet(s). Adding another costs $0.04/day each ($1.20/month). Re-run with --yes to confirm.`,
+      details: { active_wallets: activeWallets },
+    });
+  }
 
   try {
     const data = await getSdk().contracts.provisionWallet(projectId, {

package/lib/deploy-v2.mjs

@@ -62,7 +62,7 @@ Complete static site + function + route manifest:
       "replace": {
         "api": {
           "runtime": "node22",
-          "source": { "data": "import { routedHttp } from '@run402/functions'; export default async (event) => routedHttp.json({ ok: true, path: event.path });" }
+          "source": { "data": "export default async function handler(req) { const url = new URL(req.url); return Response.json({ ok: true, path: url.pathname }); }" }
         }
       }
     },
@@ -93,7 +93,10 @@ Patch examples (only the listed file changes):
 Routes:
   Omit routes or pass "routes": null to carry forward base routes.
   Use "routes": { "replace": [] } to clear dynamic routes.
+  Route entries are array-based, not path-keyed maps. Use exact /admin plus final-wildcard /admin/* for a routed section root.
+  Routed functions use Node 22 Fetch Request -> Response. req.url is the full public URL on managed domains, deployment hosts, and verified custom domains.
   Routes activate atomically with the release. Direct /functions/v1/:name remains API-key protected.
+  Runtime route failure codes: ROUTE_MANIFEST_LOAD_FAILED, ROUTED_INVOKE_WORKER_SECRET_MISSING, ROUTED_INVOKE_AUTH_FAILED, ROUTED_ROUTE_STALE, ROUTE_METHOD_NOT_ALLOWED, ROUTED_RESPONSE_TOO_LARGE.
 `;
 
 const RESUME_HELP = `run402 deploy resume — Resume a stuck deploy operation

package/lib/init.mjs

@@ -1,5 +1,5 @@
-import { readAllowance, saveAllowance, loadKeyStore, CONFIG_DIR, ALLOWANCE_FILE, API } from "./config.mjs";
-import { getAllowanceAuthHeaders } from "../core-dist/allowance-auth.js";
+import { readAllowance, saveAllowance, loadKeyStore, CONFIG_DIR } from "./config.mjs";
+import { getSdk } from "./sdk.mjs";
 import { mkdirSync } from "fs";
 
 const USDC_ABI = [{ name: "balanceOf", type: "function", stateMutability: "view", inputs: [{ name: "account", type: "address" }], outputs: [{ name: "", type: "uint256" }] }];
@@ -39,6 +39,11 @@ Run this once to get started, or again to check your setup.
 
 function short(addr) { return addr.slice(0, 6) + "..." + addr.slice(-4); }
 
+function errorMessage(err) {
+  if (err?.body && typeof err.body === "object") return err.body.message || err.body.error || err.message;
+  return err?.message || String(err);
+}
+
 export async function run(args = []) {
   if (args.includes("--help") || args.includes("-h")) { console.log(HELP); process.exit(0); }
   const jsonMode = args.includes("--json");
@@ -178,12 +183,8 @@ export async function run(args = []) {
 
     if (balance === 0) {
       line("Balance", "0 USDC — requesting faucet...");
-      const res = await fetch(`${API}/faucet/v1`, {
-        method: "POST",
-        headers: { "Content-Type": "application/json" },
-        body: JSON.stringify({ address: allowance.address }),
-      });
-      if (res.ok) {
+      try {
+        await getSdk().allowance.faucet(allowance.address);
         // Poll for up to 30s
         for (let i = 0; i < 30; i++) {
           await new Promise(r => setTimeout(r, 1000));
@@ -200,10 +201,8 @@ export async function run(args = []) {
         } else {
           line("Balance", "faucet sent — not yet confirmed on-chain");
         }
-      } else {
-        const data = await res.json().catch(() => ({}));
-        const msg = data.error || data.message || `HTTP ${res.status}`;
-        line("Balance", `faucet failed: ${msg}`);
+      } catch (err) {
+        line("Balance", `faucet failed: ${errorMessage(err)}`);
       }
     } else {
       line("Balance", `${(balance / 1e6).toFixed(2)} USDC`);
@@ -222,13 +221,7 @@ export async function run(args = []) {
   const store = loadKeyStore();
   let tierInfo = null;
   try {
-    const authHeaders = getAllowanceAuthHeaders("/tiers/v1/status");
-    if (authHeaders) {
-      const res = await fetch(`${API}/tiers/v1/status`, {
-        headers: { ...authHeaders },
-      });
-      if (res.ok) tierInfo = await res.json();
-    }
+    tierInfo = await getSdk().tier.status();
   } catch {}
 
   if (tierInfo && tierInfo.tier && tierInfo.active) {

package/lib/projects.mjs

@@ -1,5 +1,5 @@
 import { readFileSync } from "fs";
-import { findProject, loadKeyStore, API, allowanceAuthHeaders, resolveProjectId, getActiveProjectId } from "./config.mjs";
+import { loadKeyStore, API, allowanceAuthHeaders, resolveProjectId, getActiveProjectId } from "./config.mjs";
 import { getSdk } from "./sdk.mjs";
 import { reportSdkError, fail, parseFlagJson } from "./sdk-errors.mjs";
 import { assertKnownFlags, failBadProjectId, flagValue, hasHelp, normalizeArgv, positionalArgs, resolvePositionalProject, validateRegularFile } from "./argparse.mjs";
@@ -212,7 +212,6 @@ async function applyExpose(projectId, args = []) {
     else if (!inline && !args[i].startsWith("--")) { inline = args[i]; }
   }
   if (file) validateRegularFile(file, "--file");
-  const p = findProject(projectId);
   const raw = file ? readFileSync(file, "utf-8") : inline;
   if (!raw) {
     fail({
@@ -230,24 +229,21 @@ async function applyExpose(projectId, args = []) {
       details: { parse_error: err.message },
     });
   }
-  const res = await fetch(`${API}/projects/v1/admin/${projectId}/expose`, {
-    method: "POST",
-    headers: { "Authorization": `Bearer ${p.service_key}`, "Content-Type": "application/json" },
-    body: JSON.stringify(manifest),
-  });
-  const data = await res.json();
-  if (!res.ok) { console.error(JSON.stringify({ status: "error", http: res.status, ...data })); process.exit(1); }
-  console.log(JSON.stringify(data, null, 2));
+  try {
+    const data = await getSdk().projects.applyExpose(projectId, manifest);
+    console.log(JSON.stringify(data, null, 2));
+  } catch (err) {
+    reportSdkError(err);
+  }
 }
 
 async function getExpose(projectId) {
-  const p = findProject(projectId);
-  const res = await fetch(`${API}/projects/v1/admin/${projectId}/expose`, {
-    headers: { "Authorization": `Bearer ${p.service_key}` },
-  });
-  const data = await res.json();
-  if (!res.ok) { console.error(JSON.stringify({ status: "error", http: res.status, ...data })); process.exit(1); }
-  console.log(JSON.stringify(data, null, 2));
+  try {
+    const data = await getSdk().projects.getExpose(projectId);
+    console.log(JSON.stringify(data, null, 2));
+  } catch (err) {
+    reportSdkError(err);
+  }
 }
 
 async function list() {
@@ -292,7 +288,6 @@ async function sqlCmd(projectId, args = []) {
     else if (!query && !args[i].startsWith("--")) { query = args[i]; }
   }
   if (file) validateRegularFile(file, "--file");
-  const p = findProject(projectId);
   const sql = file ? readFileSync(file, "utf-8") : query;
   if (!sql) {
     fail({
@@ -311,13 +306,12 @@ async function sqlCmd(projectId, args = []) {
       });
     }
   }
-  const useParams = params && params.length > 0;
-  const headers = { "Authorization": `Bearer ${p.service_key}`, "Content-Type": useParams ? "application/json" : "text/plain" };
-  const body = useParams ? JSON.stringify({ sql, params }) : sql;
-  const res = await fetch(`${API}/projects/v1/admin/${projectId}/sql`, { method: "POST", headers, body });
-  const data = await res.json();
-  if (!res.ok) { console.error(JSON.stringify({ status: "error", http: res.status, ...data })); process.exit(1); }
-  console.log(JSON.stringify(data, null, 2));
+  try {
+    const data = await getSdk().projects.sql(projectId, sql, params);
+    console.log(JSON.stringify(data, null, 2));
+  } catch (err) {
+    reportSdkError(err);
+  }
 }
 
 async function rest(projectId, table, queryParams) {
@@ -328,11 +322,12 @@ async function rest(projectId, table, queryParams) {
       hint: "Run 'run402 projects schema <id>' to list tables.",
     });
   }
-  const p = findProject(projectId);
-  const res = await fetch(`${API}/rest/v1/${table}${queryParams ? '?' + queryParams : ''}`, { headers: { "apikey": p.anon_key } });
-  const data = await res.json();
-  if (!res.ok) { console.error(JSON.stringify({ status: "error", http: res.status, ...data })); process.exit(1); }
-  console.log(JSON.stringify(data, null, 2));
+  try {
+    const data = await getSdk().projects.rest(projectId, table, queryParams);
+    console.log(JSON.stringify(data, null, 2));
+  } catch (err) {
+    reportSdkError(err);
+  }
 }
 
 async function usage(projectId) {
@@ -420,15 +415,12 @@ async function promoteUser(projectId, email) {
       hint: "run402 projects promote-user <project_id> <email>",
     });
   }
-  const p = findProject(projectId);
-  const res = await fetch(`${API}/projects/v1/admin/${projectId}/promote-user`, {
-    method: "POST",
-    headers: { "Authorization": `Bearer ${p.service_key}`, "Content-Type": "application/json" },
-    body: JSON.stringify({ email }),
-  });
-  const data = await res.json();
-  if (!res.ok) { console.error(JSON.stringify({ status: "error", http: res.status, ...data })); process.exit(1); }
-  console.log(JSON.stringify(data, null, 2));
+  try {
+    await getSdk().projects.promoteUser(projectId, email);
+    console.log(JSON.stringify({ status: "ok", email }));
+  } catch (err) {
+    reportSdkError(err);
+  }
 }
 
 async function demoteUser(projectId, email) {
@@ -439,15 +431,12 @@ async function demoteUser(projectId, email) {
       hint: "run402 projects demote-user <project_id> <email>",
     });
   }
-  const p = findProject(projectId);
-  const res = await fetch(`${API}/projects/v1/admin/${projectId}/demote-user`, {
-    method: "POST",
-    headers: { "Authorization": `Bearer ${p.service_key}`, "Content-Type": "application/json" },
-    body: JSON.stringify({ email }),
-  });
-  const data = await res.json();
-  if (!res.ok) { console.error(JSON.stringify({ status: "error", http: res.status, ...data })); process.exit(1); }
-  console.log(JSON.stringify(data, null, 2));
+  try {
+    await getSdk().projects.demoteUser(projectId, email);
+    console.log(JSON.stringify({ status: "ok", email }));
+  } catch (err) {
+    reportSdkError(err);
+  }
 }
 
 async function deleteProject(projectId, args = []) {