run402 1.69.8 → 1.70.0

package/lib/deploy-v2.mjs

@@ -37,8 +37,8 @@ import { normalizeArgv } from "./argparse.mjs";
 const APPLY_HELP = `run402 deploy apply — Unified deploy primitive (v1.34+)
 
 Usage:
-  run402 deploy apply --manifest <path> [--project <id>] [--quiet] [--allow-warnings]
-  run402 deploy apply --spec '<json>' [--project <id>] [--quiet] [--allow-warnings]
+  run402 deploy apply --manifest <path> [--project <id>] [--quiet|--final-only] [--allow-warning <code>] [--allow-warnings]
+  run402 deploy apply --spec '<json>' [--project <id>] [--quiet|--final-only] [--allow-warning <code>] [--allow-warnings]
   cat spec.json | run402 deploy apply [--project <id>]
 
 Manifest format mirrors the MCP \`deploy\` tool's ReleaseSpec:
@@ -80,14 +80,17 @@ Options:
   --spec '<json>'         Inline JSON spec (single-quote in shell)
   --project <id>          Override project_id from the manifest
   --quiet                 Suppress per-event JSON-line stderr (final result still on stdout)
+  --final-only            Alias for --quiet; final success/error envelope is still preserved
+  --allow-warning <code>  Continue past this reviewed warning code (repeatable)
   --allow-warnings        Continue past plan warnings that require confirmation
 
 Output:
   stdout: { "status": "ok", "release_id": "rel_...", "operation_id": "op_...", "urls": {...}, "warnings": [...] }
-  stderr: one JSON event per line (suppressed with --quiet)
+  stderr: one JSON event per line (suppressed with --quiet or --final-only)
 
 Secrets:
   Secret values do not belong in deploy manifests. Set them first:
+    printf %s "$OPENAI_API_KEY" | run402 secrets set prj_... OPENAI_API_KEY --stdin
     run402 secrets set prj_... OPENAI_API_KEY --file ./.secrets/openai-key
   Then deploy a value-free declaration:
     { "project_id": "prj_...", "secrets": { "require": ["OPENAI_API_KEY"] } }
@@ -284,8 +287,8 @@ function makeStderrEventWriter(quiet) {
 }
 
 function parseApplyArgs(args) {
-  const opts = { manifest: null, spec: null, project: null, quiet: false, allowWarnings: false };
-  const allowedFlags = ["--manifest", "--spec", "--project", "--quiet", "--allow-warnings", "--help", "-h"];
+  const opts = { manifest: null, spec: null, project: null, quiet: false, allowWarnings: false, allowWarningCodes: [] };
+  const allowedFlags = ["--manifest", "--spec", "--project", "--quiet", "--final-only", "--allow-warning", "--allow-warnings", "--help", "-h"];
 
   for (let i = 0; i < args.length; i++) {
     const arg = args[i];
@@ -293,7 +296,7 @@ function parseApplyArgs(args) {
       console.log(APPLY_HELP);
       process.exit(0);
     }
-    if (arg === "--manifest" || arg === "--spec" || arg === "--project") {
+    if (arg === "--manifest" || arg === "--spec" || arg === "--project" || arg === "--allow-warning") {
       const value = args[i + 1];
       if (value === undefined || (typeof value === "string" && value.startsWith("--"))) {
         fail({
@@ -320,13 +323,15 @@ function parseApplyArgs(args) {
           });
         }
         opts.spec = value;
-      } else {
+      } else if (arg === "--project") {
         opts.project = value;
+      } else {
+        opts.allowWarningCodes.push(value);
       }
       i += 1;
       continue;
     }
-    if (arg === "--quiet") { opts.quiet = true; continue; }
+    if (arg === "--quiet" || arg === "--final-only") { opts.quiet = true; continue; }
     if (arg === "--allow-warnings") { opts.allowWarnings = true; continue; }
     if (typeof arg === "string" && arg.startsWith("-")) {
       fail({
@@ -491,6 +496,7 @@ async function applyCmd(args) {
       onEvent: makeStderrEventWriter(opts.quiet),
       idempotencyKey,
       allowWarnings: opts.allowWarnings,
+      allowWarningCodes: opts.allowWarningCodes,
     });
     console.log(JSON.stringify({ status: "ok", ...result }, null, 2));
   } catch (err) {
@@ -596,12 +602,28 @@ function enhanceDeployWarningError(err) {
   const affected = warnings
     ? warnings.flatMap((w) => Array.isArray(w?.affected) ? w.affected : [])
     : [];
+  const unacknowledgedCodes = Array.isArray(existingBody.unacknowledged_warning_codes)
+    ? existingBody.unacknowledged_warning_codes
+    : warnings
+      ? Array.from(new Set(warnings
+        .filter((w) => w?.requires_confirmation || w?.code === "MISSING_REQUIRED_SECRET")
+        .map((w) => w?.code)
+        .filter(Boolean)))
+      : code
+        ? [code]
+        : [];
+  const allowWarningAction = unacknowledgedCodes.length === 1
+    ? `Retry with \`--allow-warning ${unacknowledgedCodes[0]}\` only after reviewing that warning.`
+    : unacknowledgedCodes.length > 1
+      ? `Retry with one \`--allow-warning <code>\` per reviewed warning code: ${unacknowledgedCodes.join(", ")}.`
+      : "Retry with `--allow-warning <code>` only after reviewing the warning.";
   const defaultNextActions = [
     ...(affected.length > 0
       ? [`Set or inspect affected secrets: ${Array.from(new Set(affected)).join(", ")}`]
       : []),
     "Retry `run402 deploy apply` after resolving warnings.",
-    "Use `--allow-warnings` only when the warning was explicitly reviewed.",
+    allowWarningAction,
+    "Use `--allow-warnings` only when every warning was explicitly reviewed.",
   ];
   enhanced.body = {
     ...existingBody,
@@ -610,8 +632,8 @@ function enhanceDeployWarningError(err) {
     hint: existingBody.hint ||
       routeGuidance?.hint ||
       (code === "MISSING_REQUIRED_SECRET"
-        ? "Set the missing secret values with `run402 secrets set`, then retry deploy apply. Use --allow-warnings only after explicit review."
-        : "Review the plan warnings, then retry with --allow-warnings if you intentionally accept them."),
+        ? "Set the missing secret values with `run402 secrets set <project> <KEY> --stdin` or `--file <path>`, then retry deploy apply."
+        : "Review the plan warnings, then retry with --allow-warning <code> for reviewed warnings if you intentionally accept them."),
     next_actions: Array.isArray(existingBody.next_actions) && existingBody.next_actions.length > 0
       ? existingBody.next_actions
       : (routeGuidance?.next_actions ?? defaultNextActions),
@@ -665,7 +687,8 @@ const ROUTE_WARNING_GUIDANCE = {
     next_actions: [
       "Add the mutation methods the routed function supports, such as POST.",
       "Omit methods to allow every supported method when the route is an API surface.",
-      "Use --allow-warnings only if the wildcard prefix is intentionally read-only.",
+      "Set acknowledge_readonly: true on an intentionally read-only GET/HEAD wildcard function route.",
+      "Use --allow-warning WILDCARD_ROUTE_EXCLUDES_MUTATION_METHODS only as a reviewed CLI escape hatch.",
     ],
   },
   ROUTE_TABLE_NEAR_LIMIT: {

package/lib/secrets.mjs

@@ -14,8 +14,8 @@ Subcommands:
   delete <id> <key>            Delete a secret from a project
 
 Examples:
-  run402 secrets set prj_abc123 STRIPE_KEY --file ./.secrets/stripe-key
   printf %s "$STRIPE_KEY" | run402 secrets set prj_abc123 STRIPE_KEY --stdin
+  run402 secrets set prj_abc123 STRIPE_KEY --file ./.secrets/stripe-key
   run402 secrets set prj_abc123 TLS_CERT --file cert.pem
   run402 secrets list prj_abc123
   run402 secrets delete prj_abc123 STRIPE_KEY
@@ -30,27 +30,29 @@ const SUB_HELP = {
   set: `run402 secrets set — Set a secret on a project
 
 Usage:
-  run402 secrets set <id> <key> <value> [--file <path>]
+  run402 secrets set <id> <key> <value>
   run402 secrets set <id> <key> --file <path>
   run402 secrets set <id> <key> --stdin
 
 Arguments:
   <id>                Project ID (from 'run402 projects list')
   <key>               Secret key name (exposed as process.env.<key>)
-  <value>             Inline secret value (omit if using --file)
+  <value>             Inline secret value (omit if using --file or --stdin)
 
 Options:
-  --file <path>       Read the secret value from a file instead of inline. Use - or /dev/stdin to read stdin.
+  --file <path>       Read the secret value from a file instead of inline
+                      Use --file - or --file /dev/stdin to read from stdin
   --stdin             Read the secret value from stdin until EOF
 
 Notes:
   - Secrets are injected as process.env in serverless functions
   - Values are write-only; 'list' cannot verify values by hash
-  - Prefer --file or --stdin for real secrets so values do not land in shell history
+  - Prefer --stdin or --file for real secrets so values do not land in shell history
 
 Examples:
-  run402 secrets set prj_abc123 STRIPE_KEY --file ./.secrets/stripe-key
   printf %s "$STRIPE_KEY" | run402 secrets set prj_abc123 STRIPE_KEY --stdin
+  cat ./.secrets/stripe-key | run402 secrets set prj_abc123 STRIPE_KEY --file -
+  run402 secrets set prj_abc123 STRIPE_KEY --file ./.secrets/stripe-key
   run402 secrets set prj_abc123 TLS_CERT --file cert.pem
 `,
   list: `run402 secrets list — List all secrets for a project
@@ -87,15 +89,19 @@ export function readSecretValueForSet(parsedArgs, values, readers = {}) {
   const validateFile = readers.validateFile ?? validateRegularFile;
   const file = flagValue(parsedArgs, "--file");
   const stdinRequested = parsedArgs.includes("--stdin");
-  const stdinFile = file === "-" || file === "/dev/stdin";
-  const valueSources = [
-    values.length === 1 ? "inline value" : null,
-    file ? "--file" : null,
-    stdinRequested ? "--stdin" : null,
-  ].filter(Boolean);
-
-  if (valueSources.length > 1) {
-    fail({ code: "BAD_USAGE", message: `Provide exactly one secret value source, got: ${valueSources.join(", ")}.` });
+  const stdinFile = isStdinAlias(file);
+  const sources = [];
+  if (values.length === 1) sources.push("inline");
+  if (file) sources.push(stdinFile ? "--file stdin" : "--file");
+  if (stdinRequested) sources.push("--stdin");
+
+  if (sources.length > 1) {
+    fail({
+      code: "BAD_USAGE",
+      message: "Provide exactly one secret value source.",
+      details: { sources },
+      hint: "Use one of: inline value, --file <path>, or --stdin.",
+    });
   }
   if (file && !stdinFile) validateFile(file, "--file");
 
@@ -113,12 +119,12 @@ async function set(projectId, key, args = []) {
   if (values.length > 1) {
     fail({ code: "BAD_USAGE", message: `Unexpected argument for secrets set: ${values[1]}` });
   }
-  const val = readSecretValueForSet(parsedArgs, values);
+  const val = await readSecretValueForSet(parsedArgs, values, { readStdin: readStdinSecret });
   if (val === undefined) {
     fail({
       code: "BAD_USAGE",
       message: "Missing secret value.",
-      hint: "Provide inline, use --file <path>, or pipe with --stdin.",
+      hint: "Pipe a value to --stdin, use --file <path>, or provide an inline value only when shell history exposure is acceptable.",
     });
   }
   try {
@@ -129,6 +135,40 @@ async function set(projectId, key, args = []) {
   }
 }
 
+function isStdinAlias(file) {
+  return file === "-" || file === "/dev/stdin";
+}
+
+async function readStdinSecret() {
+  if (process.stdin?.isTTY) {
+    failMissingStdin();
+  }
+  const chunks = [];
+  for await (const chunk of process.stdin) {
+    chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(String(chunk)));
+  }
+  if (chunks.length === 0) {
+    failMissingStdin();
+  }
+  const value = Buffer.concat(chunks).toString("utf-8");
+  if (value.length === 0) {
+    failMissingStdin();
+  }
+  return value;
+}
+
+function failMissingStdin() {
+  fail({
+    code: "BAD_USAGE",
+    message: "Missing secret value on stdin.",
+    hint: "Pipe a value, use --file <path>, or provide an inline value only when shell history exposure is acceptable.",
+    next_actions: [
+      "printf %s \"$VALUE\" | run402 secrets set <project> <KEY> --stdin",
+      "run402 secrets set <project> <KEY> --file <path>",
+    ],
+  });
+}
+
 async function list(projectId, args = []) {
   const parsedArgs = normalizeArgv(args);
   assertKnownFlags(parsedArgs, ["--help", "-h"]);

package/lib/tier.mjs

@@ -8,7 +8,7 @@ Usage:
   run402 tier <subcommand> [args...]
 
 Subcommands:
-  status                Show current tier (tier name, status, expiry)
+  status                Show current tier, expiry, usage, and function caps when returned
   set <tier>            Subscribe, renew, or upgrade (pays via x402)
 
 Tiers: prototype ($0.10/7d, free with testnet faucet), hobby ($5/30d), team ($20/30d)
@@ -32,7 +32,10 @@ Usage:
   run402 tier status
 
 Notes:
-  - Returns the current tier name, status, and expiry
+  - Returns the current tier name, status, expiry, and usage
+  - Newer gateways include function authoring caps such as max timeout,
+    max memory, max scheduled functions, minimum cron interval, and current
+    scheduled-function usage
   - Use 'run402 tier set <tier>' to subscribe, renew, or upgrade
 
 Examples:

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "run402",
-  "version": "1.69.8",
+  "version": "1.70.0",
   "description": "CLI for Run402 — provision Postgres databases, deploy static sites, generate images, and manage wallets via x402 and MPP micropayments.",
   "type": "module",
   "bin": {

package/sdk/dist/namespaces/deploy.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"deploy.d.ts","sourceRoot":"","sources":["../../src/namespaces/deploy.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AAiB3C,OAAO,KAAK,EACV,YAAY,EACZ,sBAAsB,EAKtB,WAAW,EACX,oBAAoB,EAEpB,iBAAiB,EACjB,kBAAkB,EAClB,eAAe,EACf,YAAY,EACZ,oBAAoB,EACpB,qBAAqB,EAWrB,iBAAiB,EAGjB,YAAY,EACZ,kBAAkB,EAClB,gBAAgB,EAChB,2BAA2B,EAC3B,uBAAuB,EACvB,WAAW,EACX,oBAAoB,EACpB,YAAY,EAEb,MAAM,mBAAmB,CAAC;AAgC3B,qBAAa,MAAM;IACL,OAAO,CAAC,QAAQ,CAAC,MAAM;gBAAN,MAAM,EAAE,MAAM;IAE3C;;;;OAIG;IACG,KAAK,CAAC,IAAI,EAAE,WAAW,EAAE,IAAI,GAAE,YAAiB,GAAG,OAAO,CAAC,YAAY,CAAC;IA4C9E;;;OAGG;IACH,KAAK,CAAC,IAAI,EAAE,WAAW,EAAE,IAAI,GAAE,YAAiB,GAAG,OAAO,CAAC,eAAe,CAAC;IAI3E;;;;OAIG;IACG,IAAI,CACR,IAAI,EAAE,WAAW,EACjB,IAAI,GAAE;QAAE,cAAc,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,OAAO,CAAA;KAAO,GACvD,OAAO,CAAC;QAAE,IAAI,EAAE,YAAY,CAAC;QAAC,WAAW,EAAE,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC,CAAA;KAAE,CAAC;IAIxE;;;;;OAKG;IACG,MAAM,CACV,IAAI,EAAE,YAAY,EAClB,IAAI,EAAE;QACJ,OAAO,EAAE,MAAM,CAAC;QAChB,WAAW,EAAE,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;QACrC,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,WAAW,KAAK,IAAI,CAAC;KACxC,GACA,OAAO,CAAC,IAAI,CAAC;IAWhB;;;;;OAKG;IACG,MAAM,CACV,MAAM,EAAE,MAAM,EACd,IAAI,GAAE;QACJ,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,WAAW,KAAK,IAAI,CAAC;QACvC,cAAc,CAAC,EAAE,MAAM,CAAC;QACxB,OAAO,CAAC,EAAE,MAAM,CAAC;KACb,GACL,OAAO,CAAC,YAAY,CAAC;IAMxB;;;;;;;;;OASG;IACG,MAAM,CACV,WAAW,EAAE,MAAM,EACnB,IAAI,GAAE;QAAE,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,WAAW,KAAK,IAAI,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAO,GACtE,OAAO,CAAC,YAAY,CAAC;IAqBxB;;;;OAIG;IACG,MAAM,CACV,WAAW,EAAE,MAAM,EACnB,IAAI,GAAE;QAAE,OAAO,CAAC,EAAE,MAAM,CAAA;KAAO,GAC9B,OAAO,CAAC,iBAAiB,CAAC;IAmB7B;;;;;;OAMG;IACG,IAAI,CACR,IAAI,EAAE,MAAM,GAAG,iBAAiB,GAC/B,OAAO,CAAC,kBAAkB,CAAC;IA6B9B;;;;;;;;OAQG;IACG,MAAM,CACV,WAAW,EAAE,MAAM,EACnB,IAAI,EAAE;QAAE,OAAO,EAAE,MAAM,CAAA;KAAE,GACxB,OAAO,CAAC,oBAAoB,CAAC;IAmBhC;;;;OAIG;IACG,UAAU,CAAC,IAAI,EAAE,2BAA2B,GAAG,OAAO,CAAC,gBAAgB,CAAC;IA2B9E;;;;OAIG;IACG,gBAAgB,CACpB,IAAI,EAAE,uBAAuB,GAC5B,OAAO,CAAC,sBAAsB,CAAC;IAqBlC;;;;OAIG;IACG,IAAI,CAAC,IAAI,EAAE,kBAAkB,GAAG,OAAO,CAAC,oBAAoB,CAAC;IA+BnE;;;;OAIG;IACG,OAAO,CAAC,IAAI,EAAE,oBAAoB,GAAG,OAAO,CAAC,qBAAqB,CAAC;CAW1E;AAizBD;;;;;GAKG;AACH,MAAM,WAAW,UAAU;IACzB,IAAI,OAAO,CAAC,UAAU,CAAC,CAAC;IACxB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB"}
+{"version":3,"file":"deploy.d.ts","sourceRoot":"","sources":["../../src/namespaces/deploy.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AAiB3C,OAAO,KAAK,EACV,YAAY,EACZ,sBAAsB,EAKtB,WAAW,EACX,oBAAoB,EAEpB,iBAAiB,EACjB,kBAAkB,EAClB,eAAe,EACf,YAAY,EACZ,oBAAoB,EACpB,qBAAqB,EAWrB,iBAAiB,EAGjB,YAAY,EACZ,kBAAkB,EAClB,gBAAgB,EAChB,2BAA2B,EAC3B,uBAAuB,EACvB,WAAW,EACX,oBAAoB,EACpB,YAAY,EAEb,MAAM,mBAAmB,CAAC;AAiE3B,qBAAa,MAAM;IACL,OAAO,CAAC,QAAQ,CAAC,MAAM;gBAAN,MAAM,EAAE,MAAM;IAE3C;;;;OAIG;IACG,KAAK,CAAC,IAAI,EAAE,WAAW,EAAE,IAAI,GAAE,YAAiB,GAAG,OAAO,CAAC,YAAY,CAAC;IA4C9E;;;OAGG;IACH,KAAK,CAAC,IAAI,EAAE,WAAW,EAAE,IAAI,GAAE,YAAiB,GAAG,OAAO,CAAC,eAAe,CAAC;IAI3E;;;;OAIG;IACG,IAAI,CACR,IAAI,EAAE,WAAW,EACjB,IAAI,GAAE;QAAE,cAAc,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,OAAO,CAAA;KAAO,GACvD,OAAO,CAAC;QAAE,IAAI,EAAE,YAAY,CAAC;QAAC,WAAW,EAAE,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC,CAAA;KAAE,CAAC;IAIxE;;;;;OAKG;IACG,MAAM,CACV,IAAI,EAAE,YAAY,EAClB,IAAI,EAAE;QACJ,OAAO,EAAE,MAAM,CAAC;QAChB,WAAW,EAAE,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;QACrC,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,WAAW,KAAK,IAAI,CAAC;KACxC,GACA,OAAO,CAAC,IAAI,CAAC;IAWhB;;;;;OAKG;IACG,MAAM,CACV,MAAM,EAAE,MAAM,EACd,IAAI,GAAE;QACJ,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,WAAW,KAAK,IAAI,CAAC;QACvC,cAAc,CAAC,EAAE,MAAM,CAAC;QACxB,OAAO,CAAC,EAAE,MAAM,CAAC;KACb,GACL,OAAO,CAAC,YAAY,CAAC;IAMxB;;;;;;;;;OASG;IACG,MAAM,CACV,WAAW,EAAE,MAAM,EACnB,IAAI,GAAE;QAAE,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,WAAW,KAAK,IAAI,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAO,GACtE,OAAO,CAAC,YAAY,CAAC;IAqBxB;;;;OAIG;IACG,MAAM,CACV,WAAW,EAAE,MAAM,EACnB,IAAI,GAAE;QAAE,OAAO,CAAC,EAAE,MAAM,CAAA;KAAO,GAC9B,OAAO,CAAC,iBAAiB,CAAC;IAmB7B;;;;;;OAMG;IACG,IAAI,CACR,IAAI,EAAE,MAAM,GAAG,iBAAiB,GAC/B,OAAO,CAAC,kBAAkB,CAAC;IA6B9B;;;;;;;;OAQG;IACG,MAAM,CACV,WAAW,EAAE,MAAM,EACnB,IAAI,EAAE;QAAE,OAAO,EAAE,MAAM,CAAA;KAAE,GACxB,OAAO,CAAC,oBAAoB,CAAC;IAmBhC;;;;OAIG;IACG,UAAU,CAAC,IAAI,EAAE,2BAA2B,GAAG,OAAO,CAAC,gBAAgB,CAAC;IA2B9E;;;;OAIG;IACG,gBAAgB,CACpB,IAAI,EAAE,uBAAuB,GAC5B,OAAO,CAAC,sBAAsB,CAAC;IAqBlC;;;;OAIG;IACG,IAAI,CAAC,IAAI,EAAE,kBAAkB,GAAG,OAAO,CAAC,oBAAoB,CAAC;IA+BnE;;;;OAIG;IACG,OAAO,CAAC,IAAI,EAAE,oBAAoB,GAAG,OAAO,CAAC,qBAAqB,CAAC;CAW1E;AAyyCD;;;;;GAKG;AACH,MAAM,WAAW,UAAU;IACzB,IAAI,OAAO,CAAC,UAAU,CAAC,CAAC;IACxB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB"}