run402 1.64.0 → 1.65.1

package/README.md

@@ -47,6 +47,7 @@ run402 allowance export    # print address (for funding)
 
 ```bash
 run402 projects sql <id> "CREATE TABLE items (id serial PRIMARY KEY, …)"
+run402 projects validate-expose <id> --file manifest.json # check auth manifest, no mutation
 run402 projects apply-expose <id> --file manifest.json   # declare what's reachable
 run402 projects rest <id> items "select=*&order=id.desc&limit=10"
 run402 projects schema <id>                              # introspect tables + RLS
@@ -113,7 +114,7 @@ run402 functions deploy <id> my-fn --file fn.ts \
   --timeout 30 --memory 256 \
   --schedule "*/15 * * * *" \
   --deps "stripe,zod@^3"
-run402 functions logs <id> my-fn --tail 100 --follow
+run402 functions logs <id> my-fn --tail 100 --request-id req_abc123 --follow
 run402 functions invoke <id> my-fn --body '{"hello":"world"}'
 ```
 

package/lib/deploy-v2.mjs

@@ -526,6 +526,14 @@ const ROUTE_WARNING_GUIDANCE = {
       "Add method coverage or static files deliberately.",
     ],
   },
+  WILDCARD_ROUTE_EXCLUDES_MUTATION_METHODS: {
+    hint: "A wildcard function route only allows GET/HEAD, so POST/PUT/PATCH/DELETE paths under that prefix will be rejected before the function runs.",
+    next_actions: [
+      "Add the mutation methods the routed function supports, such as POST.",
+      "Omit methods to allow every supported method when the route is an API surface.",
+      "Use --allow-warnings only if the wildcard prefix is intentionally read-only.",
+    ],
+  },
   ROUTE_TABLE_NEAR_LIMIT: {
     hint: "The route table is near the gateway/project limit.",
     next_actions: [

package/lib/functions.mjs

@@ -4,6 +4,8 @@ import { getSdk } from "./sdk.mjs";
 import { reportSdkError, fail } from "./sdk-errors.mjs";
 import { assertKnownFlags, hasHelp, normalizeArgv, parseIntegerFlag, validateRegularFile } from "./argparse.mjs";
 
+const FUNCTION_LOG_REQUEST_ID_RE = /^req_[A-Za-z0-9_-]{4,128}$/;
+
 const HELP = `run402 functions — Manage serverless functions
 
 Usage:
@@ -14,7 +16,7 @@ Subcommands:
                                        Deploy a function to a project
   invoke <id> <name> [--method <M>] [--body <json>]
                                        Invoke a deployed function
-  logs   <id> <name> [--tail <n>] [--since <ts>] [--follow]
+  logs   <id> <name> [--tail <n>] [--since <ts>] [--request-id <req_...>] [--follow]
                                        Get function logs
   update <id> <name> [--schedule <cron>] [--schedule-remove] [--timeout <s>] [--memory <mb>]
                                        Update function schedule or config without re-deploying
@@ -28,6 +30,7 @@ Examples:
   run402 functions invoke prj_abc123 stripe-webhook --body '{"event":"test"}'
   run402 functions logs prj_abc123 stripe-webhook --tail 100
   run402 functions logs prj_abc123 stripe-webhook --since 2026-03-29T14:00:00Z
+  run402 functions logs prj_abc123 stripe-webhook --request-id req_abc123
   run402 functions logs prj_abc123 stripe-webhook --follow
   run402 functions update prj_abc123 send-reminders --schedule '0 */4 * * *'
   run402 functions update prj_abc123 send-reminders --schedule-remove
@@ -110,13 +113,15 @@ Arguments:
   <name>              Function name
 
 Options:
-  --tail <n>          Number of most-recent entries (default 50)
+  --tail <n>          Number of most-recent entries (default 50, max 1000)
   --since <ts>        ISO timestamp or epoch ms; only entries after this
+  --request-id <id>   Only entries correlated to this req_... request id
   --follow            Poll every 3s and stream new entries (Ctrl-C to stop)
 
 Examples:
   run402 functions logs prj_abc123 stripe-webhook --tail 100
   run402 functions logs prj_abc123 stripe-webhook --since 2026-03-29T14:00:00Z
+  run402 functions logs prj_abc123 stripe-webhook --request-id req_abc123
   run402 functions logs prj_abc123 stripe-webhook --follow
 `,
   update: `run402 functions update — Update function config without re-deploying
@@ -227,14 +232,16 @@ async function invoke(projectId, name, args) {
 }
 
 async function logs(projectId, name, args) {
-  assertRequiredProjectAndName(projectId, name, "run402 functions logs <project_id> <name> [--tail <n>]");
-  assertKnownFlags(args, ["--tail", "--since", "--follow", "--help", "-h"], ["--tail", "--since"]);
+  assertRequiredProjectAndName(projectId, name, "run402 functions logs <project_id> <name> [--tail <n>] [--request-id <req_...>]");
+  assertKnownFlags(args, ["--tail", "--since", "--request-id", "--follow", "--help", "-h"], ["--tail", "--since", "--request-id"]);
   let tail = 50;
   let since = undefined;
+  let requestId = undefined;
   let follow = false;
   for (let i = 0; i < args.length; i++) {
     if (args[i] === "--tail") tail = parseIntegerFlag("--tail", args[++i], { min: 1 });
     if (args[i] === "--since" && args[i + 1]) since = args[++i];
+    if (args[i] === "--request-id" && args[i + 1]) requestId = args[++i];
     if (args[i] === "--follow") follow = true;
   }
 
@@ -254,12 +261,20 @@ async function logs(projectId, name, args) {
     }
     sinceIso = new Date(ms).toISOString();
   }
+  if (requestId !== undefined && !FUNCTION_LOG_REQUEST_ID_RE.test(requestId)) {
+    fail({
+      code: "BAD_USAGE",
+      message: `Invalid --request-id value: ${requestId}`,
+      details: { flag: "--request-id", value: requestId, expected: "req_<4-128 url-safe chars>" },
+    });
+  }
 
   const fetchLogs = async () => {
     try {
       const data = await getSdk().functions.logs(projectId, name, {
         tail,
         since: sinceIso,
+        requestId,
       });
       return data.logs || [];
     } catch (err) {
@@ -278,27 +293,60 @@ async function logs(projectId, name, args) {
   let running = true;
   process.on("SIGINT", () => { running = false; });
 
-  const initial = await fetchLogs();
-  for (const entry of initial) {
-    console.log(`[${entry.timestamp}] ${entry.message}`);
-  }
-  if (initial.length > 0) {
-    sinceIso = new Date(new Date(initial[initial.length - 1].timestamp).getTime() + 1).toISOString();
-  }
+  let highWaterMs = sinceIso === undefined ? Number.NEGATIVE_INFINITY : new Date(sinceIso).getTime();
+  let seenAtHighWater = new Set();
 
-  while (running) {
-    await new Promise(r => setTimeout(r, 3000));
-    if (!running) break;
-    const entries = await fetchLogs();
+  const printFreshEntries = (entries) => {
+    let nextHighWaterMs = highWaterMs;
+    const fresh = [];
     for (const entry of entries) {
+      const entryMs = logTimestampMs(entry);
+      const identity = logEntryIdentity(entry);
+      if (entryMs < highWaterMs) continue;
+      if (entryMs === highWaterMs && seenAtHighWater.has(identity)) continue;
+      fresh.push({ entry, entryMs, identity });
+      if (entryMs > nextHighWaterMs) nextHighWaterMs = entryMs;
+    }
+
+    for (const { entry } of fresh) {
       console.log(`[${entry.timestamp}] ${entry.message}`);
     }
-    if (entries.length > 0) {
-      sinceIso = new Date(new Date(entries[entries.length - 1].timestamp).getTime() + 1).toISOString();
+    if (fresh.length === 0 || !Number.isFinite(nextHighWaterMs)) return;
+
+    const nextSeenAtHighWater = new Set();
+    for (const entry of entries) {
+      if (logTimestampMs(entry) === nextHighWaterMs) {
+        nextSeenAtHighWater.add(logEntryIdentity(entry));
+      }
     }
+    for (const { entry, entryMs, identity } of fresh) {
+      if (entryMs === nextHighWaterMs) {
+        nextSeenAtHighWater.add(identity);
+      }
+    }
+    highWaterMs = nextHighWaterMs;
+    seenAtHighWater = nextSeenAtHighWater;
+    sinceIso = new Date(highWaterMs).toISOString();
+  };
+
+  printFreshEntries(await fetchLogs());
+
+  while (running) {
+    await new Promise(r => setTimeout(r, 3000));
+    if (!running) break;
+    printFreshEntries(await fetchLogs());
   }
 }
 
+function logTimestampMs(entry) {
+  const ms = new Date(entry.timestamp).getTime();
+  return Number.isNaN(ms) ? 0 : ms;
+}
+
+function logEntryIdentity(entry) {
+  return entry.event_id || `${entry.log_stream_name || ""}:${entry.timestamp || ""}:${entry.message || ""}`;
+}
+
 async function update(projectId, name, args) {
   assertRequiredProjectAndName(projectId, name, "run402 functions update <project_id> <name> [options]");
   assertKnownFlags(args, ["--schedule", "--schedule-remove", "--timeout", "--memory", "--help", "-h"], ["--schedule", "--timeout", "--memory"]);

package/lib/projects.mjs

@@ -23,6 +23,8 @@ Subcommands:
   schema [id]                             Inspect the database schema
   apply-expose [id] <manifest_json>       Apply a declarative authorization manifest
   apply-expose [id] --file <path>         Apply a manifest from a JSON file
+  validate-expose [id] <manifest_json>    Validate an authorization manifest without applying it
+  validate-expose [id] --file <path>      Validate a manifest file without mutating the project
   get-expose   [id]                       Get the current authorization manifest
   delete [id] --confirm                   Immediately and irreversibly delete a project (cascade purge) and remove from local state. Requires --confirm.
   pin   [id]                              Pin a project (admin only; uses admin allowance wallet)
@@ -43,6 +45,7 @@ Examples:
   run402 projects usage prj_abc123
   run402 projects costs prj_abc123 --window 30d
   run402 projects schema prj_abc123
+  run402 projects validate-expose prj_abc123 --file manifest.json
   run402 projects apply-expose prj_abc123 --file manifest.json
   run402 projects get-expose prj_abc123
   run402 projects keys prj_abc123
@@ -68,6 +71,9 @@ Notes:
     row), public_read_write_UNRESTRICTED (fully open; requires
     "i_understand_this_is_unrestricted": true on the entry), custom (provide
     custom_sql with CREATE POLICY statements).
+  - 'validate-expose' checks the same auth/expose manifest shape without
+    applying it. Optional migration SQL is used only for reference checks; it is
+    not executed as a PostgreSQL dry run.
 `;
 
 const SUB_HELP = {
@@ -135,6 +141,35 @@ Examples:
   run402 projects costs prj_abc123
   RUN402_ADMIN_COOKIE='run402_admin=...' run402 projects costs prj_abc123
   RUN402_ADMIN_COOKIE='run402_admin=...' run402 projects costs --window 7d
+`,
+  "validate-expose": `run402 projects validate-expose — Validate an authorization manifest without applying it
+
+Usage:
+  run402 projects validate-expose [id] <manifest_json> [options]
+  run402 projects validate-expose [id] --file <path> [options]
+  cat manifest.json | run402 projects validate-expose [id] [options]
+
+Arguments:
+  [id]                Optional project ID. When omitted, the active project is
+                      used if one is set; otherwise validation is projectless.
+  <manifest_json>     Inline auth/expose manifest JSON.
+
+Options:
+  --file <path>            Read the auth/expose manifest from a JSON file
+  --migration-file <path>  Read migration SQL for reference checks only
+  --migration-sql <sql>    Inline migration SQL for reference checks only
+
+Notes:
+  - This validates the auth/expose manifest used by manifest.json,
+    database.expose, and apply-expose. It does not validate deploy manifests.
+  - Migration SQL is parsed as context for references; it is not executed.
+  - Validation findings are returned in JSON with hasErrors and do not make the
+    command fail. Usage, file, auth, and network errors still exit non-zero.
+
+Examples:
+  run402 projects validate-expose --file manifest.json
+  run402 projects validate-expose prj_abc123 --file manifest.json --migration-file setup.sql
+  run402 projects validate-expose '{"version":"1","tables":[]}'
 `,
 };
 
@@ -237,6 +272,86 @@ async function applyExpose(projectId, args = []) {
   }
 }
 
+async function validateExpose(args = []) {
+  let projectId = null;
+  let file = null;
+  let inline = null;
+  let migrationFile = null;
+  let migrationSql = null;
+  for (let i = 0; i < args.length; i++) {
+    const arg = args[i];
+    if (arg === "--file") {
+      if (args[i + 1] === undefined) {
+        fail({ code: "BAD_FLAG", message: "--file requires a value", details: { flag: "--file" } });
+      }
+      file = args[++i];
+    }
+    else if (arg === "--migration-file") {
+      if (args[i + 1] === undefined) {
+        fail({ code: "BAD_FLAG", message: "--migration-file requires a value", details: { flag: "--migration-file" } });
+      }
+      migrationFile = args[++i];
+    }
+    else if (arg === "--migration-sql") {
+      if (args[i + 1] === undefined) {
+        fail({ code: "BAD_FLAG", message: "--migration-sql requires a value", details: { flag: "--migration-sql" } });
+      }
+      migrationSql = args[++i];
+    }
+    else if (!projectId && typeof arg === "string" && arg.startsWith("prj_")) { projectId = arg; }
+    else if (!inline && typeof arg === "string" && !arg.startsWith("--")) { inline = arg; }
+    else if (typeof arg === "string" && !arg.startsWith("--")) {
+      fail({
+        code: "BAD_USAGE",
+        message: `Unexpected extra argument: ${arg}`,
+        hint: "run402 projects validate-expose [id] <manifest_json>",
+      });
+    }
+  }
+  if (file && inline) {
+    fail({
+      code: "BAD_USAGE",
+      message: "Provide either inline manifest JSON or --file <path>, not both.",
+      hint: "run402 projects validate-expose [id] --file manifest.json",
+    });
+  }
+  if (migrationFile && migrationSql !== null) {
+    fail({
+      code: "BAD_USAGE",
+      message: "Provide either --migration-file or --migration-sql, not both.",
+    });
+  }
+  if (file) validateRegularFile(file, "--file");
+  if (migrationFile) validateRegularFile(migrationFile, "--migration-file");
+
+  let raw = file ? readFileSync(file, "utf-8") : inline;
+  if (!raw && process.stdin && process.stdin.isTTY === false) {
+    raw = readFileSync(0, "utf-8");
+  }
+  if (!raw) {
+    fail({
+      code: "BAD_USAGE",
+      message: "Missing manifest.",
+      hint: "Provide inline JSON, pipe JSON to stdin, or use --file <path>",
+    });
+  }
+
+  const activeProjectId = getActiveProjectId();
+  const project = projectId || activeProjectId || undefined;
+  if (!project) allowanceAuthHeaders("/projects/v1/expose/validate");
+  const migration = migrationFile ? readFileSync(migrationFile, "utf-8") : migrationSql;
+
+  try {
+    const data = await getSdk().projects.validateExpose(raw, {
+      ...(project ? { project } : {}),
+      ...(migration !== null && migration !== undefined ? { migrationSql: migration } : {}),
+    });
+    console.log(JSON.stringify({ status: "ok", ...data }, null, 2));
+  } catch (err) {
+    reportSdkError(err);
+  }
+}
+
 async function getExpose(projectId) {
   try {
     const data = await getSdk().projects.getExpose(projectId);
@@ -463,6 +578,10 @@ const FLAGS_BY_SUB = {
   sql: { known: ["--file", "--params"], values: ["--file", "--params"] },
   costs: { known: ["--window"], values: ["--window"] },
   "apply-expose": { known: ["--file"], values: ["--file"] },
+  "validate-expose": {
+    known: ["--file", "--migration-file", "--migration-sql"],
+    values: ["--file", "--migration-file", "--migration-sql"],
+  },
   delete: { known: ["--confirm"], values: [] },
 };
 
@@ -495,6 +614,7 @@ export async function run(sub, args) {
     case "costs":     { const { projectId, rest } = resolvePositionalProject(args, { rejectBareFirst: true, valueFlags: FLAGS_BY_SUB.costs.values }); await costs(projectId, rest); break; }
     case "schema":    { const { projectId } = resolvePositionalProject(args, { rejectBareFirst: true }); await schema(projectId); break; }
     case "apply-expose": { const { projectId, rest } = resolvePositionalProject(args, { maxBarePositionals: 1, valueFlags: FLAGS_BY_SUB["apply-expose"].values, rejectBareFirstWhenFlagPresent: ["--file"] }); await applyExpose(projectId, rest); break; }
+    case "validate-expose": await validateExpose(args); break;
     case "get-expose":   { const { projectId } = resolvePositionalProject(args, { rejectBareFirst: true }); await getExpose(projectId); break; }
     case "delete":    { const { projectId, rest } = resolvePositionalProject(args, { rejectBareFirst: true }); await deleteProject(projectId, rest); break; }
     case "pin":       { const { projectId } = resolvePositionalProject(args, { rejectBareFirst: true }); await pin(projectId); break; }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "run402",
-  "version": "1.64.0",
+  "version": "1.65.1",
   "description": "CLI for Run402 — provision Postgres databases, deploy static sites, generate images, and manage wallets via x402 and MPP micropayments.",
   "type": "module",
   "bin": {

package/sdk/dist/namespaces/deploy.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"deploy.d.ts","sourceRoot":"","sources":["../../src/namespaces/deploy.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AAc3C,OAAO,KAAK,EACV,YAAY,EACZ,sBAAsB,EAKtB,WAAW,EACX,oBAAoB,EAEpB,kBAAkB,EAClB,eAAe,EACf,YAAY,EAWZ,iBAAiB,EAGjB,YAAY,EACZ,kBAAkB,EAClB,gBAAgB,EAChB,2BAA2B,EAC3B,uBAAuB,EACvB,WAAW,EACX,oBAAoB,EACpB,YAAY,EACb,MAAM,mBAAmB,CAAC;AAgC3B,qBAAa,MAAM;IACL,OAAO,CAAC,QAAQ,CAAC,MAAM;gBAAN,MAAM,EAAE,MAAM;IAE3C;;;;OAIG;IACG,KAAK,CAAC,IAAI,EAAE,WAAW,EAAE,IAAI,GAAE,YAAiB,GAAG,OAAO,CAAC,YAAY,CAAC;IA4C9E;;;OAGG;IACH,KAAK,CAAC,IAAI,EAAE,WAAW,EAAE,IAAI,GAAE,YAAiB,GAAG,OAAO,CAAC,eAAe,CAAC;IAI3E;;;;OAIG;IACG,IAAI,CACR,IAAI,EAAE,WAAW,EACjB,IAAI,GAAE;QAAE,cAAc,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,OAAO,CAAA;KAAO,GACvD,OAAO,CAAC;QAAE,IAAI,EAAE,YAAY,CAAC;QAAC,WAAW,EAAE,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC,CAAA;KAAE,CAAC;IAIxE;;;;;OAKG;IACG,MAAM,CACV,IAAI,EAAE,YAAY,EAClB,IAAI,EAAE;QACJ,OAAO,EAAE,MAAM,CAAC;QAChB,WAAW,EAAE,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;QACrC,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,WAAW,KAAK,IAAI,CAAC;KACxC,GACA,OAAO,CAAC,IAAI,CAAC;IAWhB;;;;;OAKG;IACG,MAAM,CACV,MAAM,EAAE,MAAM,EACd,IAAI,GAAE;QACJ,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,WAAW,KAAK,IAAI,CAAC;QACvC,cAAc,CAAC,EAAE,MAAM,CAAC;QACxB,OAAO,CAAC,EAAE,MAAM,CAAC;KACb,GACL,OAAO,CAAC,YAAY,CAAC;IAMxB;;;;;;;;;OASG;IACG,MAAM,CACV,WAAW,EAAE,MAAM,EACnB,IAAI,GAAE;QAAE,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,WAAW,KAAK,IAAI,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAO,GACtE,OAAO,CAAC,YAAY,CAAC;IAqBxB;;;;OAIG;IACG,MAAM,CACV,WAAW,EAAE,MAAM,EACnB,IAAI,GAAE;QAAE,OAAO,CAAC,EAAE,MAAM,CAAA;KAAO,GAC9B,OAAO,CAAC,iBAAiB,CAAC;IAQ7B;;;;;;OAMG;IACG,IAAI,CACR,IAAI,EAAE,MAAM,GAAG;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,GACjD,OAAO,CAAC,kBAAkB,CAAC;IAsB9B;;;;;;;;OAQG;IACG,MAAM,CACV,WAAW,EAAE,MAAM,EACnB,IAAI,EAAE;QAAE,OAAO,EAAE,MAAM,CAAA;KAAE,GACxB,OAAO,CAAC,oBAAoB,CAAC;IAmBhC;;;;OAIG;IACG,UAAU,CAAC,IAAI,EAAE,2BAA2B,GAAG,OAAO,CAAC,gBAAgB,CAAC;IACxE,UAAU,CACd,SAAS,EAAE,MAAM,EACjB,IAAI,EAAE,uBAAuB,GAC5B,OAAO,CAAC,gBAAgB,CAAC;IAC5B;;;;;OAKG;IACG,UAAU,CACd,SAAS,EAAE,MAAM,EACjB,IAAI,CAAC,EAAE,OAAO,CAAC,uBAAuB,CAAC,GACtC,OAAO,CAAC,gBAAgB,CAAC;IA8B5B;;;;OAIG;IACG,gBAAgB,CACpB,IAAI,EAAE,uBAAuB,GAC5B,OAAO,CAAC,sBAAsB,CAAC;IAgBlC;;;;OAIG;IACG,IAAI,CAAC,IAAI,EAAE,kBAAkB,GAAG,OAAO,CAAC,oBAAoB,CAAC;IACnE;;;;OAIG;IACG,IAAI,CACR,IAAI,EAAE,IAAI,CAAC,kBAAkB,EAAE,SAAS,CAAC,GAAG;QAAE,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,GAC/D,OAAO,CAAC,oBAAoB,CAAC;CAkBjC;AAmwBD;;;;;GAKG;AACH,MAAM,WAAW,UAAU;IACzB,IAAI,OAAO,CAAC,UAAU,CAAC,CAAC;IACxB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB"}
+{"version":3,"file":"deploy.d.ts","sourceRoot":"","sources":["../../src/namespaces/deploy.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AAc3C,OAAO,KAAK,EACV,YAAY,EACZ,sBAAsB,EAKtB,WAAW,EACX,oBAAoB,EAEpB,kBAAkB,EAClB,eAAe,EACf,YAAY,EAWZ,iBAAiB,EAGjB,YAAY,EACZ,kBAAkB,EAClB,gBAAgB,EAChB,2BAA2B,EAC3B,uBAAuB,EACvB,WAAW,EACX,oBAAoB,EACpB,YAAY,EAEb,MAAM,mBAAmB,CAAC;AAgC3B,qBAAa,MAAM;IACL,OAAO,CAAC,QAAQ,CAAC,MAAM;gBAAN,MAAM,EAAE,MAAM;IAE3C;;;;OAIG;IACG,KAAK,CAAC,IAAI,EAAE,WAAW,EAAE,IAAI,GAAE,YAAiB,GAAG,OAAO,CAAC,YAAY,CAAC;IA4C9E;;;OAGG;IACH,KAAK,CAAC,IAAI,EAAE,WAAW,EAAE,IAAI,GAAE,YAAiB,GAAG,OAAO,CAAC,eAAe,CAAC;IAI3E;;;;OAIG;IACG,IAAI,CACR,IAAI,EAAE,WAAW,EACjB,IAAI,GAAE;QAAE,cAAc,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,OAAO,CAAA;KAAO,GACvD,OAAO,CAAC;QAAE,IAAI,EAAE,YAAY,CAAC;QAAC,WAAW,EAAE,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC,CAAA;KAAE,CAAC;IAIxE;;;;;OAKG;IACG,MAAM,CACV,IAAI,EAAE,YAAY,EAClB,IAAI,EAAE;QACJ,OAAO,EAAE,MAAM,CAAC;QAChB,WAAW,EAAE,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;QACrC,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,WAAW,KAAK,IAAI,CAAC;KACxC,GACA,OAAO,CAAC,IAAI,CAAC;IAWhB;;;;;OAKG;IACG,MAAM,CACV,MAAM,EAAE,MAAM,EACd,IAAI,GAAE;QACJ,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,WAAW,KAAK,IAAI,CAAC;QACvC,cAAc,CAAC,EAAE,MAAM,CAAC;QACxB,OAAO,CAAC,EAAE,MAAM,CAAC;KACb,GACL,OAAO,CAAC,YAAY,CAAC;IAMxB;;;;;;;;;OASG;IACG,MAAM,CACV,WAAW,EAAE,MAAM,EACnB,IAAI,GAAE;QAAE,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,WAAW,KAAK,IAAI,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAO,GACtE,OAAO,CAAC,YAAY,CAAC;IAqBxB;;;;OAIG;IACG,MAAM,CACV,WAAW,EAAE,MAAM,EACnB,IAAI,GAAE;QAAE,OAAO,CAAC,EAAE,MAAM,CAAA;KAAO,GAC9B,OAAO,CAAC,iBAAiB,CAAC;IAQ7B;;;;;;OAMG;IACG,IAAI,CACR,IAAI,EAAE,MAAM,GAAG;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,GACjD,OAAO,CAAC,kBAAkB,CAAC;IAsB9B;;;;;;;;OAQG;IACG,MAAM,CACV,WAAW,EAAE,MAAM,EACnB,IAAI,EAAE;QAAE,OAAO,EAAE,MAAM,CAAA;KAAE,GACxB,OAAO,CAAC,oBAAoB,CAAC;IAmBhC;;;;OAIG;IACG,UAAU,CAAC,IAAI,EAAE,2BAA2B,GAAG,OAAO,CAAC,gBAAgB,CAAC;IACxE,UAAU,CACd,SAAS,EAAE,MAAM,EACjB,IAAI,EAAE,uBAAuB,GAC5B,OAAO,CAAC,gBAAgB,CAAC;IAC5B;;;;;OAKG;IACG,UAAU,CACd,SAAS,EAAE,MAAM,EACjB,IAAI,CAAC,EAAE,OAAO,CAAC,uBAAuB,CAAC,GACtC,OAAO,CAAC,gBAAgB,CAAC;IA8B5B;;;;OAIG;IACG,gBAAgB,CACpB,IAAI,EAAE,uBAAuB,GAC5B,OAAO,CAAC,sBAAsB,CAAC;IAgBlC;;;;OAIG;IACG,IAAI,CAAC,IAAI,EAAE,kBAAkB,GAAG,OAAO,CAAC,oBAAoB,CAAC;IACnE;;;;OAIG;IACG,IAAI,CACR,IAAI,EAAE,IAAI,CAAC,kBAAkB,EAAE,SAAS,CAAC,GAAG;QAAE,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,GAC/D,OAAO,CAAC,oBAAoB,CAAC;CAkBjC;AAmwBD;;;;;GAKG;AACH,MAAM,WAAW,UAAU;IACzB,IAAI,OAAO,CAAC,UAAU,CAAC,CAAC;IACxB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB"}

package/sdk/dist/namespaces/deploy.js

@@ -406,11 +406,11 @@ async function planInternal(client, spec, idempotencyKey, dryRun = false) {
     }
     let plan;
     try {
-        plan = normalizePlanResponse(await client.request(dryRun ? "/deploy/v2/plans?dry_run=true" : "/deploy/v2/plans", {
+        plan = withClientPlanWarnings(normalized, normalizePlanResponse(await client.request(dryRun ? "/deploy/v2/plans?dry_run=true" : "/deploy/v2/plans", {
             method: "POST",
             body,
             context: "planning deploy",
-        }));
+        })));
     }
     catch (err) {
         throw translateDeployError(err, "plan", null, null);
@@ -1297,6 +1297,59 @@ function emitPlanWarnings(plan, emit) {
         emit({ type: "plan.warnings", warnings: plan.warnings });
     }
 }
+function withClientPlanWarnings(spec, plan) {
+    const warnings = clientRoutePlanWarnings(spec);
+    if (warnings.length === 0)
+        return plan;
+    const seen = new Set(plan.warnings.map((warning) => warningKey(warning)));
+    const nextWarnings = [...plan.warnings];
+    for (const warning of warnings) {
+        const key = warningKey(warning);
+        if (seen.has(key))
+            continue;
+        seen.add(key);
+        nextWarnings.push(warning);
+    }
+    return { ...plan, warnings: nextWarnings };
+}
+function warningKey(warning) {
+    return `${warning.code}:${(warning.affected ?? []).join(",")}`;
+}
+function clientRoutePlanWarnings(spec) {
+    const routes = spec.routes;
+    if (!routes || !("replace" in routes))
+        return [];
+    const affected = routes.replace
+        .filter((route) => {
+        if (route.target.type !== "function")
+            return false;
+        if (!route.pattern.endsWith("/*"))
+            return false;
+        if (!route.methods)
+            return false;
+        const methods = new Set(route.methods);
+        return (methods.size > 0 &&
+            [...methods].every((method) => method === "GET" || method === "HEAD"));
+    })
+        .map((route) => route.pattern)
+        .sort();
+    if (affected.length === 0)
+        return [];
+    return [
+        {
+            code: "WILDCARD_ROUTE_EXCLUDES_MUTATION_METHODS",
+            severity: "warn",
+            requires_confirmation: true,
+            message: "A wildcard function route only allows GET/HEAD. Mutation endpoints under that prefix will be rejected by the gateway before the function runs.",
+            affected,
+            confidence: "heuristic",
+            details: {
+                missing_common_methods: ["POST", "PUT", "PATCH", "DELETE"],
+                fix: "Add the mutation methods your routed function supports, or omit methods to allow every supported method.",
+            },
+        },
+    ];
+}
 function abortOnConfirmationWarnings(plan, opts) {
     if (opts.allowWarnings)
         return;