run402 1.63.0 → 1.65.0

package/README.md

@@ -47,6 +47,7 @@ run402 allowance export    # print address (for funding)
 
 ```bash
 run402 projects sql <id> "CREATE TABLE items (id serial PRIMARY KEY, …)"
+run402 projects validate-expose <id> --file manifest.json # check auth manifest, no mutation
 run402 projects apply-expose <id> --file manifest.json   # declare what's reachable
 run402 projects rest <id> items "select=*&order=id.desc&limit=10"
 run402 projects schema <id>                              # introspect tables + RLS
@@ -113,7 +114,7 @@ run402 functions deploy <id> my-fn --file fn.ts \
   --timeout 30 --memory 256 \
   --schedule "*/15 * * * *" \
   --deps "stripe,zod@^3"
-run402 functions logs <id> my-fn --tail 100 --follow
+run402 functions logs <id> my-fn --tail 100 --request-id req_abc123 --follow
 run402 functions invoke <id> my-fn --body '{"hello":"world"}'
 ```
 
@@ -125,6 +126,10 @@ import { db, adminDb, getUser, email, ai } from "@run402/functions";
 
 `db(req)` is the caller-context client (RLS applies); `adminDb()` bypasses RLS for platform-authored writes.
 
+### Same-origin web routes
+
+`run402 deploy apply` accepts `routes.replace` as an array of route entries, not a path-keyed map. Use exact `/admin` plus final-wildcard `/admin/*` for a routed section root, and target a function deployed in the same release. Routed functions use Node 22 Fetch Request -> Response; `req.url` is the full public URL on managed subdomains, deployment hosts, and verified custom domains, so OAuth redirect URIs can be derived from `new URL(req.url).origin`. Direct `/functions/v1/:name` remains API-key protected. Runtime route failure codes to branch on: `ROUTE_MANIFEST_LOAD_FAILED` (manifest/propagation), `ROUTED_INVOKE_WORKER_SECRET_MISSING` (custom-domain Worker secret), `ROUTED_INVOKE_AUTH_FAILED` (internal invoke signature), `ROUTED_ROUTE_STALE` (selected route failed release revalidation), `ROUTE_METHOD_NOT_ALLOWED` (method mismatch), and `ROUTED_RESPONSE_TOO_LARGE` (body over 6 MiB).
+
 ### Secrets
 
 ```bash

package/lib/allowance.mjs

@@ -1,4 +1,4 @@
-import { readAllowance, saveAllowance, ALLOWANCE_FILE, API } from "./config.mjs";
+import { readAllowance, saveAllowance, ALLOWANCE_FILE } from "./config.mjs";
 import { getSdk } from "./sdk.mjs";
 import { reportSdkError, fail } from "./sdk-errors.mjs";
 
@@ -173,14 +173,11 @@ async function fund() {
   const client = createPublicClient({ chain: baseSepolia, transport: http() });
   const before = await readUsdcBalance(client, USDC_SEPOLIA, w.address).catch(() => 0);
 
-  const res = await fetch(`${API}/faucet/v1`, { method: "POST", headers: { "Content-Type": "application/json" }, body: JSON.stringify({ address: w.address }) });
-  const data = await res.json();
-  if (!res.ok) {
-    fail({
-      code: data?.code || "FAUCET_FAILED",
-      message: data?.message || "Faucet request failed",
-      details: { http: res.status, ...data },
-    });
+  let data;
+  try {
+    data = await getSdk().allowance.faucet(w.address);
+  } catch (err) {
+    reportSdkError(err);
   }
 
   const MAX_WAIT = 30;
@@ -228,11 +225,9 @@ async function balance() {
     readUsdcBalance(mainnetClient, USDC_MAINNET, w.address).catch(() => null),
     readUsdcBalance(sepoliaClient, USDC_SEPOLIA, w.address).catch(() => null),
     readUsdcBalance(tempoClient, PATH_USD, w.address).catch(() => null),
-    fetch(`${API}/billing/v1/accounts/${w.address.toLowerCase()}`),
+    getSdk().billing.checkBalance(w.address).catch(() => null),
   ]);
 
-  const billing = billingRes.ok ? await billingRes.json() : null;
-
   console.log(JSON.stringify({
     address: w.address,
     rail: w.rail || "x402",
@@ -241,7 +236,7 @@ async function balance() {
       "base-sepolia_usd_micros": sepoliaUsdc,
       "tempo-moderato_pathusd_micros": tempoPathUsd,
     },
-    run402: billing ? { balance_usd_micros: billing.available_usd_micros } : "no billing account",
+    run402: billingRes ? { balance_usd_micros: billingRes.available_usd_micros } : "no billing account",
   }, null, 2));
 }
 
@@ -274,14 +269,12 @@ async function checkout(args) {
       hint: "e.g. --amount 5000000 for $5",
     });
   }
-  const res = await fetch(`${API}/billing/v1/checkouts`, {
-    method: "POST",
-    headers: { "Content-Type": "application/json" },
-    body: JSON.stringify({ wallet: w.address.toLowerCase(), amount_usd_micros: amount }),
-  });
-  const data = await res.json();
-  if (!res.ok) { console.error(JSON.stringify({ status: "error", http: res.status, ...data })); process.exit(1); }
-  console.log(JSON.stringify(data, null, 2));
+  try {
+    const data = await getSdk().billing.createCheckout(w.address, amount);
+    console.log(JSON.stringify(data, null, 2));
+  } catch (err) {
+    reportSdkError(err);
+  }
 }
 
 async function history(args) {
@@ -297,10 +290,12 @@ async function history(args) {
   for (let i = 0; i < args.length; i++) {
     if (args[i] === "--limit" && args[i + 1]) limit = parseInt(args[++i], 10);
   }
-  const res = await fetch(`${API}/billing/v1/accounts/${w.address.toLowerCase()}/history?limit=${limit}`);
-  const data = await res.json();
-  if (!res.ok) { console.error(JSON.stringify({ status: "error", http: res.status, ...data })); process.exit(1); }
-  console.log(JSON.stringify(data, null, 2));
+  try {
+    const data = await getSdk().billing.history(w.address, limit);
+    console.log(JSON.stringify(data, null, 2));
+  } catch (err) {
+    reportSdkError(err);
+  }
 }
 
 export async function run(sub, args) {

package/lib/auth.mjs

@@ -1,4 +1,4 @@
-import { findProject, resolveProjectId, API } from "./config.mjs";
+import { resolveProjectId } from "./config.mjs";
 import { getSdk } from "./sdk.mjs";
 import { reportSdkError, fail } from "./sdk-errors.mjs";
 
@@ -546,22 +546,13 @@ async function deletePasskey(args) {
 }
 
 async function providers(args) {
-  // `providers` isn't in the pilot SDK surface — keep the direct fetch.
   const projectId = resolveProjectId(parseFlag(args, "--project"));
-  const p = findProject(projectId);
-
-  const res = await fetch(`${API}/auth/v1/providers`, {
-    headers: {
-      "apikey": p.anon_key,
-      "Authorization": `Bearer ${p.anon_key}`,
-    },
-  });
-  const data = await res.json();
-  if (!res.ok) {
-    console.error(JSON.stringify({ status: "error", http: res.status, ...data }));
-    process.exit(1);
-  }
-  console.log(JSON.stringify(data, null, 2));
+  try {
+    const data = await getSdk().auth.providers(projectId);
+    console.log(JSON.stringify(data, null, 2));
+  } catch (err) {
+    reportSdkError(err);
+  }
 }
 
 export async function run(sub, args) {

package/lib/billing.mjs

@@ -1,4 +1,3 @@
-import { API } from "./config.mjs";
 import { getSdk } from "./sdk.mjs";
 import { reportSdkError, fail } from "./sdk-errors.mjs";
 
@@ -224,7 +223,6 @@ async function autoRecharge(args) {
 }
 
 async function balance(args) {
-  // Accepts email OR wallet — SDK only models wallet, so keep direct fetch.
   const id = args[0];
   if (!id) {
     fail({
@@ -233,10 +231,12 @@ async function balance(args) {
       hint: "run402 billing balance <email-or-wallet>",
     });
   }
-  const res = await fetch(`${API}/billing/v1/accounts/${encodeURIComponent(id)}`);
-  const data = await res.json();
-  if (!res.ok) { console.error(JSON.stringify({ status: "error", http: res.status, ...data })); process.exit(1); }
-  console.log(JSON.stringify(data, null, 2));
+  try {
+    const data = await getSdk().billing.getAccount(id);
+    console.log(JSON.stringify(data, null, 2));
+  } catch (err) {
+    reportSdkError(err);
+  }
 }
 
 async function history(args) {
@@ -249,10 +249,12 @@ async function history(args) {
     });
   }
   const limit = parseFlag(args, "--limit") || "50";
-  const res = await fetch(`${API}/billing/v1/accounts/${encodeURIComponent(id)}/history?limit=${encodeURIComponent(limit)}`);
-  const data = await res.json();
-  if (!res.ok) { console.error(JSON.stringify({ status: "error", http: res.status, ...data })); process.exit(1); }
-  console.log(JSON.stringify(data, null, 2));
+  try {
+    const data = await getSdk().billing.getHistory(id, Number(limit));
+    console.log(JSON.stringify(data, null, 2));
+  } catch (err) {
+    reportSdkError(err);
+  }
 }
 
 export async function run(sub, args) {

package/lib/blob.mjs

@@ -34,7 +34,7 @@ import { basename, dirname, join, resolve as resolvePath } from "node:path";
 import { homedir } from "node:os";
 import { pipeline } from "node:stream/promises";
 
-import { resolveProject, resolveProjectId, API } from "./config.mjs";
+import { resolveProjectId } from "./config.mjs";
 import { getSdk } from "./sdk.mjs";
 import { reportSdkError, fail } from "./sdk-errors.mjs";
 import { assertKnownFlags, hasHelp, normalizeArgv, parseIntegerFlag } from "./argparse.mjs";
@@ -190,19 +190,6 @@ function die(msg, exit_code = 1) {
   fail({ code: "BAD_USAGE", message: msg, exit_code });
 }
 
-function dieApiFailure(prefix, http, body) {
-  if (body && typeof body === "object" && !Array.isArray(body)) {
-    const envelope = { status: "error", http, ...body };
-    if (!envelope.message && envelope.error) envelope.message = envelope.error;
-    console.error(JSON.stringify(envelope));
-    process.exit(1);
-  }
-  fail({
-    message: `${prefix}: HTTP ${http}${typeof body === "string" && body ? `: ${body.slice(0, 500)}` : ""}`,
-    details: { http },
-  });
-}
-
 function parseArgs(rawArgs) {
   const args = normalizeArgv(rawArgs);
   const valueFlags = ["--project", "--key", "--content-type", "--concurrency", "--prefix", "--limit", "--output", "-o", "--ttl"];
@@ -305,7 +292,7 @@ function findResumableStateForFile(projectId, localPath, key) {
 // put
 // ---------------------------------------------------------------------------
 
-async function putOne(project, filePath, opts) {
+async function putOne(projectId, filePath, opts) {
   const stat = statSync(filePath);
   const size = stat.size;
   const destKey = computeDestKey(filePath, opts.key);
@@ -317,15 +304,21 @@ async function putOne(project, filePath, opts) {
 
   // Attempt to resume
   let state = opts.resume
-    ? findResumableStateForFile(project.id, absLocal, destKey)
+    ? findResumableStateForFile(projectId, absLocal, destKey)
     : null;
   let initRes;
   if (state) {
     // Re-poll the session; if it's still active, resume. Otherwise start fresh.
-    const poll = await apiFetch(`${API}/storage/v1/uploads/${state.upload_id}`, "GET", project, null);
-    if (poll.status === 200 && poll.body.status === "active") {
+    const poll = await getSdk().blobs.getUploadSession(projectId, state.upload_id);
+    if (poll.status === "active") {
       log(opts, { event: "resume", upload_id: state.upload_id, key: destKey });
-      initRes = { upload_id: state.upload_id, mode: state.mode, parts: state.parts, part_count: state.part_count, part_size_bytes: state.part_size_bytes };
+      initRes = {
+        upload_id: state.upload_id,
+        mode: poll.mode ?? state.mode,
+        parts: poll.parts ?? state.parts,
+        part_count: poll.part_count ?? state.part_count,
+        part_size_bytes: poll.part_size_bytes ?? state.part_size_bytes,
+      };
     } else {
       removeState(state.upload_id);
       state = null;
@@ -333,7 +326,7 @@ async function putOne(project, filePath, opts) {
   }
 
   if (!state) {
-    const init = await apiFetch(`${API}/storage/v1/uploads`, "POST", project, {
+    initRes = await getSdk().blobs.initUploadSession(projectId, {
       key: destKey,
       size_bytes: size,
       content_type: opts.contentType ?? guessContentType(destKey),
@@ -341,11 +334,9 @@ async function putOne(project, filePath, opts) {
       immutable: opts.immutable,
       sha256,
     });
-    if (init.status !== 201) dieApiFailure("Init failed", init.status, init.body);
-    initRes = init.body;
-    saveState({
+    state = {
       upload_id: initRes.upload_id,
-      project_id: project.id,
+      project_id: projectId,
       local_path: absLocal,
       key: destKey,
       mode: initRes.mode,
@@ -355,8 +346,8 @@ async function putOne(project, filePath, opts) {
       parts_done: {},
       sha256,
       started_at: new Date().toISOString(),
-    });
-    state = loadState(initRes.upload_id);
+    };
+    if (opts.resume) saveState(state);
   }
 
   // Upload parts with concurrency limit. For single-PUT mode part_count=1 and
@@ -378,7 +369,7 @@ async function putOne(project, filePath, opts) {
     const { etag } = await putPart(filePath, part);
     etags[part.part_number - 1] = { etag };
     state.parts_done[String(part.part_number)] = { etag };
-    saveState(state);
+    if (opts.resume) saveState(state);
     log(opts, { event: "part", upload_id: state.upload_id, part_number: part.part_number, etag });
   });
 
@@ -386,12 +377,13 @@ async function putOne(project, filePath, opts) {
   const body = initRes.mode === "multipart"
     ? { parts: etags.map((e, i) => ({ part_number: i + 1, etag: e.etag })) }
     : {};
-  const complete = await apiFetch(`${API}/storage/v1/uploads/${state.upload_id}/complete`, "POST", project, body);
-  if (complete.status !== 200) dieApiFailure("Complete failed", complete.status, complete.body);
+  const result = await getSdk().blobs.completeUploadSession(projectId, state.upload_id, body, {
+    contentType: opts.contentType ?? guessContentType(destKey),
+  });
 
   removeState(state.upload_id);
-  log(opts, { event: "done", ...complete.body });
-  return complete.body;
+  log(opts, { event: "done", ...result });
+  return result;
 }
 
 function computeDestKey(filePath, keyOpt) {
@@ -443,7 +435,7 @@ function isSettled(p) {
 async function put(projectId, argv) {
   const opts = parseArgs(argv);
   opts.project = opts.project || projectId;
-  const project = resolveProject(opts.project);
+  const resolvedId = resolveProjectId(opts.project);
 
   if (opts.positional.length === 0) die("At least one file path is required");
   if (opts.immutable && opts.positional.length > 1 && opts.key && !opts.key.endsWith("/")) {
@@ -453,8 +445,12 @@ async function put(projectId, argv) {
   const results = [];
   for (const filePath of opts.positional) {
     if (!existsSync(filePath)) die(`File not found: ${filePath}`);
-    const r = await putOne(project, filePath, opts);
-    results.push({ file: filePath, ...r });
+    try {
+      const r = await putOne(resolvedId, filePath, opts);
+      results.push({ file: filePath, ...r });
+    } catch (err) {
+      reportSdkError(err);
+    }
   }
   if (!opts.json) console.log(JSON.stringify(results, null, 2));
 }
@@ -576,11 +572,6 @@ async function sign(projectId, argv) {
 // Shared helpers
 // ---------------------------------------------------------------------------
 
-function encodeKey(key) {
-  // Encode each path segment; preserve `/` as separator.
-  return key.split("/").map(encodeURIComponent).join("/");
-}
-
 function guessContentType(key) {
   const ext = key.slice(key.lastIndexOf(".") + 1).toLowerCase();
   const map = {
@@ -594,21 +585,6 @@ function guessContentType(key) {
   return map[ext] ?? "application/octet-stream";
 }
 
-async function apiFetch(url, method, project, body) {
-  const res = await fetch(url, {
-    method,
-    headers: {
-      "content-type": "application/json",
-      apikey: project.anon_key,
-      Authorization: `Bearer ${project.anon_key}`,
-    },
-    body: body === null ? undefined : JSON.stringify(body ?? {}),
-  });
-  const txt = await res.text();
-  let parsed; try { parsed = txt ? JSON.parse(txt) : null; } catch { parsed = txt; }
-  return { status: res.status, body: parsed };
-}
-
 function log(opts, event) {
   if (opts.json) console.log(JSON.stringify(event));
 }

package/lib/contracts.mjs

@@ -1,4 +1,3 @@
-import { findProject, API } from "./config.mjs";
 import { getSdk } from "./sdk.mjs";
 import { reportSdkError, fail, parseFlagJson } from "./sdk-errors.mjs";
 
@@ -138,7 +137,6 @@ function hasFlag(args, flag) {
 }
 
 async function provisionWallet(projectId, args) {
-  const p = findProject(projectId);
   const chain = parseFlag(args, "--chain");
   if (!chain) {
     fail({
@@ -147,25 +145,19 @@ async function provisionWallet(projectId, args) {
     });
   }
   const recovery = parseFlag(args, "--recovery");
-  // Soft default of one wallet — confirm if project already has one. This
-  // pre-check stays on raw fetch because it's a discovery best-effort, not
-  // a primary API call.
+  // Soft default of one wallet — confirm if project already has one.
+  let activeWallets = null;
   try {
-    const listRes = await fetch(`${API}/contracts/v1/wallets`, {
-      headers: { Authorization: `Bearer ${p.service_key}` },
-    });
-    if (listRes.ok) {
-      const list = await listRes.json();
-      const active = (list.wallets || []).filter((w) => w.status === "active");
-      if (active.length >= 1 && !hasFlag(args, "--yes")) {
-        fail({
-          code: "CONFIRMATION_REQUIRED",
-          message: `This project already has ${active.length} active wallet(s). Adding another costs $0.04/day each ($1.20/month). Re-run with --yes to confirm.`,
-          details: { active_wallets: active.length },
-        });
-      }
-    }
+    const list = await getSdk().contracts.listWallets(projectId);
+    activeWallets = (list.wallets || []).filter((w) => w.status === "active").length;
   } catch { /* best-effort */ }
+  if (activeWallets !== null && activeWallets >= 1 && !hasFlag(args, "--yes")) {
+    fail({
+      code: "CONFIRMATION_REQUIRED",
+      message: `This project already has ${activeWallets} active wallet(s). Adding another costs $0.04/day each ($1.20/month). Re-run with --yes to confirm.`,
+      details: { active_wallets: activeWallets },
+    });
+  }
 
   try {
     const data = await getSdk().contracts.provisionWallet(projectId, {

package/lib/deploy-v2.mjs

@@ -62,7 +62,7 @@ Complete static site + function + route manifest:
       "replace": {
         "api": {
           "runtime": "node22",
-          "source": { "data": "import { routedHttp } from '@run402/functions'; export default async (event) => routedHttp.json({ ok: true, path: event.path });" }
+          "source": { "data": "export default async function handler(req) { const url = new URL(req.url); return Response.json({ ok: true, path: url.pathname }); }" }
         }
       }
     },
@@ -93,7 +93,10 @@ Patch examples (only the listed file changes):
 Routes:
   Omit routes or pass "routes": null to carry forward base routes.
   Use "routes": { "replace": [] } to clear dynamic routes.
+  Route entries are array-based, not path-keyed maps. Use exact /admin plus final-wildcard /admin/* for a routed section root.
+  Routed functions use Node 22 Fetch Request -> Response. req.url is the full public URL on managed domains, deployment hosts, and verified custom domains.
   Routes activate atomically with the release. Direct /functions/v1/:name remains API-key protected.
+  Runtime route failure codes: ROUTE_MANIFEST_LOAD_FAILED, ROUTED_INVOKE_WORKER_SECRET_MISSING, ROUTED_INVOKE_AUTH_FAILED, ROUTED_ROUTE_STALE, ROUTE_METHOD_NOT_ALLOWED, ROUTED_RESPONSE_TOO_LARGE.
 `;
 
 const RESUME_HELP = `run402 deploy resume — Resume a stuck deploy operation

package/lib/functions.mjs

@@ -4,6 +4,8 @@ import { getSdk } from "./sdk.mjs";
 import { reportSdkError, fail } from "./sdk-errors.mjs";
 import { assertKnownFlags, hasHelp, normalizeArgv, parseIntegerFlag, validateRegularFile } from "./argparse.mjs";
 
+const FUNCTION_LOG_REQUEST_ID_RE = /^req_[A-Za-z0-9_-]{4,128}$/;
+
 const HELP = `run402 functions — Manage serverless functions
 
 Usage:
@@ -14,7 +16,7 @@ Subcommands:
                                        Deploy a function to a project
   invoke <id> <name> [--method <M>] [--body <json>]
                                        Invoke a deployed function
-  logs   <id> <name> [--tail <n>] [--since <ts>] [--follow]
+  logs   <id> <name> [--tail <n>] [--since <ts>] [--request-id <req_...>] [--follow]
                                        Get function logs
   update <id> <name> [--schedule <cron>] [--schedule-remove] [--timeout <s>] [--memory <mb>]
                                        Update function schedule or config without re-deploying
@@ -28,6 +30,7 @@ Examples:
   run402 functions invoke prj_abc123 stripe-webhook --body '{"event":"test"}'
   run402 functions logs prj_abc123 stripe-webhook --tail 100
   run402 functions logs prj_abc123 stripe-webhook --since 2026-03-29T14:00:00Z
+  run402 functions logs prj_abc123 stripe-webhook --request-id req_abc123
   run402 functions logs prj_abc123 stripe-webhook --follow
   run402 functions update prj_abc123 send-reminders --schedule '0 */4 * * *'
   run402 functions update prj_abc123 send-reminders --schedule-remove
@@ -110,13 +113,15 @@ Arguments:
   <name>              Function name
 
 Options:
-  --tail <n>          Number of most-recent entries (default 50)
+  --tail <n>          Number of most-recent entries (default 50, max 1000)
   --since <ts>        ISO timestamp or epoch ms; only entries after this
+  --request-id <id>   Only entries correlated to this req_... request id
   --follow            Poll every 3s and stream new entries (Ctrl-C to stop)
 
 Examples:
   run402 functions logs prj_abc123 stripe-webhook --tail 100
   run402 functions logs prj_abc123 stripe-webhook --since 2026-03-29T14:00:00Z
+  run402 functions logs prj_abc123 stripe-webhook --request-id req_abc123
   run402 functions logs prj_abc123 stripe-webhook --follow
 `,
   update: `run402 functions update — Update function config without re-deploying
@@ -227,14 +232,16 @@ async function invoke(projectId, name, args) {
 }
 
 async function logs(projectId, name, args) {
-  assertRequiredProjectAndName(projectId, name, "run402 functions logs <project_id> <name> [--tail <n>]");
-  assertKnownFlags(args, ["--tail", "--since", "--follow", "--help", "-h"], ["--tail", "--since"]);
+  assertRequiredProjectAndName(projectId, name, "run402 functions logs <project_id> <name> [--tail <n>] [--request-id <req_...>]");
+  assertKnownFlags(args, ["--tail", "--since", "--request-id", "--follow", "--help", "-h"], ["--tail", "--since", "--request-id"]);
   let tail = 50;
   let since = undefined;
+  let requestId = undefined;
   let follow = false;
   for (let i = 0; i < args.length; i++) {
     if (args[i] === "--tail") tail = parseIntegerFlag("--tail", args[++i], { min: 1 });
     if (args[i] === "--since" && args[i + 1]) since = args[++i];
+    if (args[i] === "--request-id" && args[i + 1]) requestId = args[++i];
     if (args[i] === "--follow") follow = true;
   }
 
@@ -254,12 +261,20 @@ async function logs(projectId, name, args) {
     }
     sinceIso = new Date(ms).toISOString();
   }
+  if (requestId !== undefined && !FUNCTION_LOG_REQUEST_ID_RE.test(requestId)) {
+    fail({
+      code: "BAD_USAGE",
+      message: `Invalid --request-id value: ${requestId}`,
+      details: { flag: "--request-id", value: requestId, expected: "req_<4-128 url-safe chars>" },
+    });
+  }
 
   const fetchLogs = async () => {
     try {
       const data = await getSdk().functions.logs(projectId, name, {
         tail,
         since: sinceIso,
+        requestId,
       });
       return data.logs || [];
     } catch (err) {
@@ -278,27 +293,60 @@ async function logs(projectId, name, args) {
   let running = true;
   process.on("SIGINT", () => { running = false; });
 
-  const initial = await fetchLogs();
-  for (const entry of initial) {
-    console.log(`[${entry.timestamp}] ${entry.message}`);
-  }
-  if (initial.length > 0) {
-    sinceIso = new Date(new Date(initial[initial.length - 1].timestamp).getTime() + 1).toISOString();
-  }
+  let highWaterMs = sinceIso === undefined ? Number.NEGATIVE_INFINITY : new Date(sinceIso).getTime();
+  let seenAtHighWater = new Set();
 
-  while (running) {
-    await new Promise(r => setTimeout(r, 3000));
-    if (!running) break;
-    const entries = await fetchLogs();
+  const printFreshEntries = (entries) => {
+    let nextHighWaterMs = highWaterMs;
+    const fresh = [];
     for (const entry of entries) {
+      const entryMs = logTimestampMs(entry);
+      const identity = logEntryIdentity(entry);
+      if (entryMs < highWaterMs) continue;
+      if (entryMs === highWaterMs && seenAtHighWater.has(identity)) continue;
+      fresh.push({ entry, entryMs, identity });
+      if (entryMs > nextHighWaterMs) nextHighWaterMs = entryMs;
+    }
+
+    for (const { entry } of fresh) {
       console.log(`[${entry.timestamp}] ${entry.message}`);
     }
-    if (entries.length > 0) {
-      sinceIso = new Date(new Date(entries[entries.length - 1].timestamp).getTime() + 1).toISOString();
+    if (fresh.length === 0 || !Number.isFinite(nextHighWaterMs)) return;
+
+    const nextSeenAtHighWater = new Set();
+    for (const entry of entries) {
+      if (logTimestampMs(entry) === nextHighWaterMs) {
+        nextSeenAtHighWater.add(logEntryIdentity(entry));
+      }
     }
+    for (const { entry, entryMs, identity } of fresh) {
+      if (entryMs === nextHighWaterMs) {
+        nextSeenAtHighWater.add(identity);
+      }
+    }
+    highWaterMs = nextHighWaterMs;
+    seenAtHighWater = nextSeenAtHighWater;
+    sinceIso = new Date(highWaterMs).toISOString();
+  };
+
+  printFreshEntries(await fetchLogs());
+
+  while (running) {
+    await new Promise(r => setTimeout(r, 3000));
+    if (!running) break;
+    printFreshEntries(await fetchLogs());
   }
 }
 
+function logTimestampMs(entry) {
+  const ms = new Date(entry.timestamp).getTime();
+  return Number.isNaN(ms) ? 0 : ms;
+}
+
+function logEntryIdentity(entry) {
+  return entry.event_id || `${entry.log_stream_name || ""}:${entry.timestamp || ""}:${entry.message || ""}`;
+}
+
 async function update(projectId, name, args) {
   assertRequiredProjectAndName(projectId, name, "run402 functions update <project_id> <name> [options]");
   assertKnownFlags(args, ["--schedule", "--schedule-remove", "--timeout", "--memory", "--help", "-h"], ["--schedule", "--timeout", "--memory"]);

package/lib/init.mjs

@@ -1,5 +1,5 @@
-import { readAllowance, saveAllowance, loadKeyStore, CONFIG_DIR, ALLOWANCE_FILE, API } from "./config.mjs";
-import { getAllowanceAuthHeaders } from "../core-dist/allowance-auth.js";
+import { readAllowance, saveAllowance, loadKeyStore, CONFIG_DIR } from "./config.mjs";
+import { getSdk } from "./sdk.mjs";
 import { mkdirSync } from "fs";
 
 const USDC_ABI = [{ name: "balanceOf", type: "function", stateMutability: "view", inputs: [{ name: "account", type: "address" }], outputs: [{ name: "", type: "uint256" }] }];
@@ -39,6 +39,11 @@ Run this once to get started, or again to check your setup.
 
 function short(addr) { return addr.slice(0, 6) + "..." + addr.slice(-4); }
 
+function errorMessage(err) {
+  if (err?.body && typeof err.body === "object") return err.body.message || err.body.error || err.message;
+  return err?.message || String(err);
+}
+
 export async function run(args = []) {
   if (args.includes("--help") || args.includes("-h")) { console.log(HELP); process.exit(0); }
   const jsonMode = args.includes("--json");
@@ -178,12 +183,8 @@ export async function run(args = []) {
 
     if (balance === 0) {
       line("Balance", "0 USDC — requesting faucet...");
-      const res = await fetch(`${API}/faucet/v1`, {
-        method: "POST",
-        headers: { "Content-Type": "application/json" },
-        body: JSON.stringify({ address: allowance.address }),
-      });
-      if (res.ok) {
+      try {
+        await getSdk().allowance.faucet(allowance.address);
         // Poll for up to 30s
         for (let i = 0; i < 30; i++) {
           await new Promise(r => setTimeout(r, 1000));
@@ -200,10 +201,8 @@ export async function run(args = []) {
         } else {
           line("Balance", "faucet sent — not yet confirmed on-chain");
         }
-      } else {
-        const data = await res.json().catch(() => ({}));
-        const msg = data.error || data.message || `HTTP ${res.status}`;
-        line("Balance", `faucet failed: ${msg}`);
+      } catch (err) {
+        line("Balance", `faucet failed: ${errorMessage(err)}`);
       }
     } else {
       line("Balance", `${(balance / 1e6).toFixed(2)} USDC`);
@@ -222,13 +221,7 @@ export async function run(args = []) {
   const store = loadKeyStore();
   let tierInfo = null;
   try {
-    const authHeaders = getAllowanceAuthHeaders("/tiers/v1/status");
-    if (authHeaders) {
-      const res = await fetch(`${API}/tiers/v1/status`, {
-        headers: { ...authHeaders },
-      });
-      if (res.ok) tierInfo = await res.json();
-    }
+    tierInfo = await getSdk().tier.status();
   } catch {}
 
   if (tierInfo && tierInfo.tier && tierInfo.active) {