run402 2.22.0 → 2.24.0

package/lib/doctor-source-scan.test.mjs

@@ -0,0 +1,318 @@
+import { describe, it } from "node:test";
+import assert from "node:assert/strict";
+
+import {
+  scanFileContent,
+  SCAN_SEVERITY,
+  _testOnly_hallucinatedNames,
+  _testOnly_authProperties,
+} from "./doctor-source-scan.mjs";
+
+describe("scanFileContent — hallucinated bare names", () => {
+  it("flags `import { getUser } from \"@run402/functions\"` as an error", () => {
+    const findings = scanFileContent(
+      `import { getUser } from "@run402/functions";\n`,
+      { filePath: "src/pages/index.astro" },
+    );
+    assert.ok(findings.length >= 1);
+    const f = findings.find((x) => x.attempted_name === "getUser" && x.line === 1);
+    assert.ok(f, "found getUser finding");
+    assert.equal(f.code, "R402_AUTH_UNKNOWN_EXPORT");
+    assert.equal(f.severity, SCAN_SEVERITY.ERROR);
+    assert.match(f.canonical_name, /auth\.user/);
+    assert.equal(f.file, "src/pages/index.astro");
+  });
+
+  it("flags `import { getSession, currentUser } from \"@run402/functions\"`", () => {
+    const findings = scanFileContent(
+      `import { getSession, currentUser } from "@run402/functions";`,
+    );
+    const names = new Set(findings.map((f) => f.attempted_name));
+    assert.ok(names.has("getSession"));
+    assert.ok(names.has("currentUser"));
+  });
+
+  it("flags bare `await getSession()` call sites", () => {
+    const findings = scanFileContent(`
+      const session = await getSession();
+    `);
+    assert.ok(findings.some((f) => f.attempted_name === "getSession"));
+  });
+
+  it("does not double-fire on `auth.getSession()` — that's the property scanner's job", () => {
+    const findings = scanFileContent(`
+      const session = await auth.getSession();
+    `);
+    // The bare-name scanner should NOT fire on `auth.getSession`; only
+    // the property scanner should. So exactly one finding for getSession.
+    const bareGetSession = findings.filter((f) => f.attempted_name === "getSession");
+    assert.equal(bareGetSession.length, 0, "bare getSession() must not fire on auth.getSession()");
+    const authGetSession = findings.filter((f) => f.attempted_name === "auth.getSession");
+    assert.equal(authGetSession.length, 1);
+  });
+
+  it("includes the canonical replacement and docs URL in the finding", () => {
+    const findings = scanFileContent(
+      `import { getUser } from "@run402/functions";`,
+    );
+    const f = findings[0];
+    assert.match(f.canonical_name, /auth\.user/);
+    assert.match(f.import_line, /@run402\/functions/);
+    assert.match(f.docs, /docs\.run402\.com\/auth\/sdk/);
+  });
+
+  it("covers every hallucinated name in the spec registry", () => {
+    const names = _testOnly_hallucinatedNames();
+    for (const entry of names) {
+      const findings = scanFileContent(`const x = ${entry.name}();`);
+      assert.ok(
+        findings.some((f) => f.attempted_name === entry.name),
+        `expected scanner to flag bare ${entry.name}()`,
+      );
+    }
+  });
+
+  it("does NOT fire on `auth.user()` (the canonical helper)", () => {
+    const findings = scanFileContent(`
+      const user = await auth.user();
+      const required = await auth.requireUser();
+    `);
+    // Should be zero R402_AUTH_UNKNOWN_EXPORT findings.
+    assert.equal(findings.length, 0, `unexpected findings: ${JSON.stringify(findings)}`);
+  });
+});
+
+describe("scanFileContent — auth.* property hallucinations", () => {
+  it("flags `auth.protect(...)` as an error pointing at auth.requireUser / auth.requireRole", () => {
+    const findings = scanFileContent(`const r = auth.protect({ role: "admin" });`);
+    const f = findings.find((x) => x.attempted_name === "auth.protect");
+    assert.ok(f);
+    assert.match(f.canonical_name, /requireUser|requireRole/);
+  });
+
+  it("flags `auth.signIn(...)` pointing at createResponseFromIdentity", () => {
+    const findings = scanFileContent(`return auth.signIn({ provider: "google" });`);
+    const f = findings.find((x) => x.attempted_name === "auth.signIn");
+    assert.ok(f);
+    assert.match(f.canonical_name, /createResponseFromIdentity|POST \/auth\/sign-in/);
+  });
+
+  it("covers every auth.* property in the registry", () => {
+    const props = _testOnly_authProperties();
+    for (const entry of props) {
+      const findings = scanFileContent(`const r = ${entry.name}();`);
+      assert.ok(
+        findings.some((f) => f.attempted_name === entry.name),
+        `expected scanner to flag ${entry.name}`,
+      );
+    }
+  });
+});
+
+describe("scanFileContent — browser-only patterns", () => {
+  it("flags `localStorage.getItem(\"wl_session\")`", () => {
+    const findings = scanFileContent(`
+      const token = localStorage.getItem("wl_session");
+    `);
+    assert.ok(findings.some((f) => f.attempted_name === "localStorage.wl_session"));
+  });
+
+  it("warns on Authorization: Bearer in browser-context code", () => {
+    const findings = scanFileContent(`
+      fetch("/api", { headers: { "Authorization": "Bearer " + token } });
+    `);
+    const f = findings.find((x) => x.attempted_name?.startsWith("Authorization"));
+    assert.ok(f);
+    assert.equal(f.severity, SCAN_SEVERITY.WARN, "Bearer is a warn, not an error");
+  });
+});
+
+describe("scanFileContent — prerendered pages calling auth.*", () => {
+  it("flags `export const prerender = true` + `auth.user()`", () => {
+    const findings = scanFileContent(
+      `---
+export const prerender = true;
+const user = await auth.user();
+---
+<html><body>{user?.email}</body></html>`,
+      { filePath: "src/pages/me.astro" },
+    );
+    const f = findings.find((x) => x.code === "R402_AUTH_PRERENDERED");
+    assert.ok(f, "expected R402_AUTH_PRERENDERED");
+    assert.equal(f.severity, SCAN_SEVERITY.ERROR);
+    assert.match(f.docs, /rendering-modes/);
+  });
+
+  it("does NOT fire when `prerender = true` page never calls auth.*", () => {
+    const findings = scanFileContent(
+      `---
+export const prerender = true;
+const title = "static page";
+---
+<html><body>{title}</body></html>`,
+      { filePath: "src/pages/static.astro" },
+    );
+    const f = findings.find((x) => x.code === "R402_AUTH_PRERENDERED");
+    assert.equal(f, undefined);
+  });
+
+  it("does NOT fire when the file lacks the prerender export", () => {
+    const findings = scanFileContent(
+      `const user = await auth.user();`,
+      { filePath: "src/pages/dynamic.astro" },
+    );
+    const f = findings.find((x) => x.code === "R402_AUTH_PRERENDERED");
+    assert.equal(f, undefined);
+  });
+});
+
+describe("scanFileContent — state-changing GET handlers", () => {
+  it("flags `export async function GET` with `db().insert(...)`", () => {
+    const findings = scanFileContent(`
+      import { db } from "@run402/functions";
+      export async function GET(req) {
+        await db().from("posts").insert({ title: "x" });
+        return new Response("ok");
+      }
+    `);
+    const f = findings.find((x) => x.code === "R402_AUTH_STATE_CHANGING_GET");
+    assert.ok(f);
+    assert.equal(f.severity, SCAN_SEVERITY.ERROR);
+  });
+
+  it("flags `export const GET` with `adminDb().sql(\"UPDATE ...\")`", () => {
+    const findings = scanFileContent(`
+      import { adminDb } from "@run402/functions";
+      export const GET = async () => {
+        await adminDb().sql("UPDATE foo SET x = 1");
+        return new Response("ok");
+      };
+    `);
+    const f = findings.find((x) => x.code === "R402_AUTH_STATE_CHANGING_GET");
+    assert.ok(f);
+  });
+
+  it("does NOT fire on read-only GET handlers", () => {
+    const findings = scanFileContent(`
+      import { db } from "@run402/functions";
+      export async function GET() {
+        const rows = await db().from("posts").select();
+        return Response.json(rows);
+      }
+    `);
+    const f = findings.find((x) => x.code === "R402_AUTH_STATE_CHANGING_GET");
+    assert.equal(f, undefined);
+  });
+});
+
+describe("scanFileContent — direct authz_version mutation", () => {
+  it("flags `UPDATE internal.sessions SET authz_version`", () => {
+    const findings = scanFileContent(`
+      adminDb().sql(\`UPDATE internal.sessions SET authz_version = authz_version + 1\`);
+    `);
+    const f = findings.find((x) => x.code === "R402_AUTH_AUTHZ_VERSION_PROHIBITED");
+    assert.ok(f);
+    assert.equal(f.severity, SCAN_SEVERITY.ERROR);
+    assert.match(f.docs, /authz-version/);
+  });
+
+  it("is case-insensitive (UPDATE / update / Update)", () => {
+    const variants = [
+      "update internal.sessions set authz_version = 5;",
+      "Update Internal.Sessions Set Authz_Version = 5;",
+    ];
+    for (const sql of variants) {
+      const findings = scanFileContent(sql);
+      assert.ok(
+        findings.some((f) => f.code === "R402_AUTH_AUTHZ_VERSION_PROHIBITED"),
+        `case variant failed: ${sql}`,
+      );
+    }
+  });
+});
+
+describe("scanFileContent — redundant user_id filter (R402_AUTH_REDUNDANT_USER_FILTER)", () => {
+  it("flags `.eq(\"user_id\", user.id)`", () => {
+    const content = [
+      'import { db, auth } from "@run402/functions";',
+      "const user = await auth.requireUser();",
+      'const rows = await db().from("posts").select("*").eq("user_id", user.id);',
+    ].join("\n");
+    const findings = scanFileContent(content);
+    const f = findings.find((x) => x.code === "R402_AUTH_REDUNDANT_USER_FILTER");
+    assert.ok(f, "expected a R402_AUTH_REDUNDANT_USER_FILTER finding");
+    assert.equal(f.severity, SCAN_SEVERITY.WARN);
+    assert.match(f.docs, /R402_AUTH_REDUNDANT_USER_FILTER/);
+    assert.equal(f.line, 3);
+  });
+
+  it("flags `.eq('user_id', actor.id)` with single quotes + different identifier", () => {
+    const content = "const r = q.eq('user_id', actor.id);";
+    const findings = scanFileContent(content);
+    assert.ok(findings.some((f) => f.code === "R402_AUTH_REDUNDANT_USER_FILTER"));
+  });
+
+  it("is silenced by `// run402-allow-user-filter:` on the same line", () => {
+    const content = [
+      'import { db, auth } from "@run402/functions";',
+      "const user = await auth.requireUser();",
+      'const rows = await db().from("posts").select("*").eq("user_id", user.id); // run402-allow-user-filter: explicit filter for analytics export',
+    ].join("\n");
+    const findings = scanFileContent(content);
+    assert.ok(
+      !findings.some((f) => f.code === "R402_AUTH_REDUNDANT_USER_FILTER"),
+      "annotated line should not produce a finding",
+    );
+  });
+
+  it("is silenced by `// run402-allow-user-filter:` on the preceding line", () => {
+    const content = [
+      'import { db, auth } from "@run402/functions";',
+      "const user = await auth.requireUser();",
+      "// run402-allow-user-filter: this table's RLS scopes on org_id, not user_id",
+      'const rows = await db().from("posts").select("*").eq("user_id", user.id);',
+    ].join("\n");
+    const findings = scanFileContent(content);
+    assert.ok(
+      !findings.some((f) => f.code === "R402_AUTH_REDUNDANT_USER_FILTER"),
+      "preceding annotation should silence",
+    );
+  });
+
+  it("does NOT flag `.eq(\"org_id\", user.org_id)` or `.eq(\"team_id\", ...)`", () => {
+    const content = [
+      'const rows1 = q.eq("org_id", user.id);', // non-user_id column
+      "const rows2 = q.eq(\"team_id\", actor.team_id);",
+      'const rows3 = q.eq("user_id", "fixed-uuid-literal");', // literal string, not <ident>.id
+    ].join("\n");
+    const findings = scanFileContent(content);
+    assert.ok(
+      !findings.some((f) => f.code === "R402_AUTH_REDUNDANT_USER_FILTER"),
+      "non-matching patterns should not fire",
+    );
+  });
+});
+
+describe("scanFileContent — line numbers + file paths", () => {
+  it("reports the line of the violation, not always line 1", () => {
+    const content = [
+      "// line 1: comment",
+      "// line 2: comment",
+      'import { auth } from "@run402/functions";',
+      "// line 4: comment",
+      'const u = await getSession(); // line 5',
+      "",
+    ].join("\n");
+    const findings = scanFileContent(content);
+    const f = findings.find((x) => x.attempted_name === "getSession");
+    assert.ok(f);
+    assert.equal(f.line, 5);
+  });
+
+  it("propagates filePath from the caller", () => {
+    const findings = scanFileContent(`const u = await getSession();`, {
+      filePath: "src/pages/account.astro",
+    });
+    assert.equal(findings[0].file, "src/pages/account.astro");
+  });
+});

package/lib/doctor.mjs

@@ -14,15 +14,24 @@
 import { existsSync, statSync } from "node:fs";
 import { CONFIG_DIR, readAllowance, loadKeyStore } from "./config.mjs";
 import { getSdk } from "./sdk.mjs";
+import {
+  resolveScanRoot,
+  scanSourceTree,
+  SCAN_SEVERITY,
+} from "./doctor-source-scan.mjs";
 
 const HELP = `run402 doctor — Health and config diagnostics
 
 Usage:
-  run402 doctor [--json] [--verbose]
+  run402 doctor [--verbose] [--no-scan] [--scan-dir <D>]
+
+Output:
+  Stdout is a JSON report { ok, checks: [{ name, status, value?, hint?, message? }] }.
 
 Options:
-  --json       Emit a structured JSON report on stdout
-  --verbose    Include extra detail (timing, error messages)
+  --verbose      Include extra detail (timing, error messages)
+  --no-scan      Skip the source-tree scan (config / health checks only)
+  --scan-dir D   Scan a custom directory instead of \`<cwd>/src\`
 
 Checks performed:
   - Config directory exists and is writable
@@ -30,6 +39,11 @@ Checks performed:
   - Keystore has at least one wallet
   - API_BASE is reachable (network check via /health)
   - Active tier resolves and is not 'past_due' / 'frozen'
+  - Source scan: hallucinated SDK auth names (R402_AUTH_UNKNOWN_EXPORT),
+    state-changing GET handlers (R402_AUTH_STATE_CHANGING_GET),
+    auth.* calls in prerendered pages (R402_AUTH_PRERENDERED),
+    direct mutation of internal.sessions.authz_version
+    (R402_AUTH_AUTHZ_VERSION_PROHIBITED).
 
 Exit codes:
   0  — all checks pass
@@ -42,8 +56,10 @@ export async function run(sub, args = []) {
     console.log(HELP);
     return;
   }
-  const json = all.includes("--json");
   const verbose = all.includes("--verbose");
+  const skipScan = all.includes("--no-scan");
+  const scanDirArgIdx = all.indexOf("--scan-dir");
+  const scanDirOverride = scanDirArgIdx >= 0 ? all[scanDirArgIdx + 1] : null;
 
   const checks = [];
 
@@ -222,32 +238,49 @@ export async function run(sub, args = []) {
     });
   }
 
+  // 7. Source-tree scan (auth-aware-ssr Section 9). Detects hallucinated
+  // SDK names, state-changing GETs, auth.* in prerendered pages, and
+  // direct mutation of internal.sessions.authz_version. Hits with severity
+  // `error` block deploy (`run402 deploy` wraps doctor and respects exit
+  // code). Skipped via --no-scan when the user wants config-only checks.
+  if (!skipScan) {
+    try {
+      const scanRoot = scanDirOverride ?? resolveScanRoot(process.cwd());
+      const findings = scanSourceTree(scanRoot, { cwd: process.cwd() });
+      const errorFindings = findings.filter((f) => f.severity === SCAN_SEVERITY.ERROR);
+      const warnFindings = findings.filter((f) => f.severity === SCAN_SEVERITY.WARN);
+      if (findings.length === 0) {
+        checks.push({ name: "source_scan", status: "ok", value: { scan_root: scanRoot, file_count_with_findings: 0 } });
+      } else {
+        checks.push({
+          name: "source_scan",
+          status: errorFindings.length > 0 ? "error" : "warning",
+          value: {
+            scan_root: scanRoot,
+            findings: errorFindings.length + warnFindings.length,
+            errors: errorFindings.length,
+            warnings: warnFindings.length,
+            details: findings,
+          },
+          hint: errorFindings.length > 0
+            ? "Fix the R402_AUTH_* findings above. `run402 deploy` will refuse to ship until these are resolved."
+            : "Source scan emitted warnings (non-blocking). Review and address when convenient.",
+        });
+      }
+    } catch (err) {
+      checks.push({
+        name: "source_scan",
+        status: "skipped",
+        message: err instanceof Error ? err.message : String(err),
+      });
+    }
+  }
+
   // 'warning' counts as ok for exit-code purposes — gaps are surfaced in
   // output but don't fail the doctor. Only hard 'error' / 'missing' /
   // 'empty' fail.
   const allOk = checks.every((c) => c.status === "ok" || c.status === "warning" || c.status === "skipped");
 
-  if (json) {
-    console.log(JSON.stringify({ ok: allOk, checks }, null, 2));
-  } else {
-    console.log(`Run402 doctor — ${allOk ? "all checks passed" : "issues found"}`);
-    console.log("");
-    for (const c of checks) {
-      const icon =
-        c.status === "ok" ? "✓"
-        : c.status === "warning" ? "⚠"
-        : c.status === "skipped" ? "·"
-        : c.status === "missing" || c.status === "empty" ? "⚠"
-        : "✗";
-      const status = c.status === "ok" ? "ok" : c.status;
-      console.log(`  ${icon} ${c.name.padEnd(16)} ${status}`);
-      if (c.hint) console.log(`     → ${c.hint}`);
-      if (c.message) console.log(`     ${c.message}`);
-      if (c.value && c.value.gaps && Array.isArray(c.value.gaps)) {
-        for (const gap of c.value.gaps) console.log(`     • ${gap}`);
-      }
-    }
-  }
-
+  console.log(JSON.stringify({ ok: allOk, checks }, null, 2));
   process.exit(allOk ? 0 : 1);
 }

package/lib/email.mjs

@@ -16,8 +16,11 @@ Subcommands:
   list   [--limit <n>] [--after <cursor>] [--project <id>]
                                       List sent/received messages (paginated)
   get    <message_id> [--project <id>]  Get a message with replies
-  get-raw <message_id> [--project <id>] [--output <file>]
-                                      Fetch raw RFC-822 bytes (inbound only)
+  get-raw <message_id> --output <file> [--project <id>]
+                                      Fetch raw RFC-822 bytes (inbound only).
+                                      --output is required: bytes are written
+                                      to the file; stdout receives a JSON
+                                      envelope { message_id, bytes, output }.
   reply  <message_id> --html "..." [--text "..."] [--subject "..."] [--from-name "..."] [--project <id>]
                                       Reply to an inbound message (threads via In-Reply-To)
   delete [<slug|mailbox_id>] --confirm [--project <id>]
@@ -123,7 +126,19 @@ compatibility; new code should use 'info'.
   "get-raw": `run402 email get-raw — Fetch raw RFC-822 bytes for an inbound message
 
 Usage:
-  run402 email get-raw <message_id> [--output <file>] [--project <id>]
+  run402 email get-raw <message_id> --output <file> [--project <id>]
+
+Arguments:
+  <message_id>        Inbound message ID
+
+Options:
+  --output <file>     Required: destination file for the raw RFC-822 bytes.
+                      stdout receives a JSON envelope
+                      { message_id, bytes, output } — the MIME body is never
+                      written to stdout, so the CLI stays pipeable.
+  --project <id>      Project ID (defaults to the active project)
+  --mailbox <slug|id> Target a specific mailbox (required when the project
+                      has more than one)
 `,
   create: `run402 email create — Create a project mailbox
 
@@ -321,21 +336,24 @@ async function getRaw(args) {
     fail({
       code: "BAD_USAGE",
       message: "Missing message_id.",
-      hint: "run402 email get-raw <message_id> [--output <file>]",
+      hint: "run402 email get-raw <message_id> --output <file>",
+    });
+  }
+  if (!outputFile) {
+    fail({
+      code: "BAD_USAGE",
+      message: "Missing --output <file>. Raw MIME bytes must be written to a file, not stdout.",
+      hint: "run402 email get-raw <message_id> --output <file>",
+      details: { flag: "--output" },
     });
   }
 
   try {
     const result = await getSdk().email.getRaw(projectId, messageId, { mailbox: mailbox ?? undefined });
     const buf = Buffer.from(result.bytes);
-
-    if (outputFile) {
-      const { writeFileSync } = await import("node:fs");
-      writeFileSync(outputFile, buf);
-      console.log(JSON.stringify({ message_id: messageId, bytes: buf.length, output: outputFile }));
-    } else {
-      process.stdout.write(buf);
-    }
+    const { writeFileSync } = await import("node:fs");
+    writeFileSync(outputFile, buf);
+    console.log(JSON.stringify({ message_id: messageId, bytes: buf.length, output: outputFile }));
   } catch (err) {
     reportSdkError(err);
   }

package/lib/functions.mjs

@@ -15,8 +15,12 @@ Usage:
 Subcommands:
   deploy <id> <name> --file <file> [--timeout <s>] [--memory <mb>] [--deps <pkg,...>] [--schedule <cron>]
                                        Deploy a function to a project
-  invoke <id> <name> [--method <M>] [--body <json>]
-                                       Invoke a deployed function
+  invoke <id> <name> [--method <M>] [--body <json>] [--raw]
+                                       Invoke a deployed function. Default
+                                       wraps the SDK result as JSON on stdout.
+                                       --raw prints the response body verbatim
+                                       (string body → text + newline, JSON
+                                       body → pretty-printed JSON).
   logs   <id> <name> [--tail <n>] [--since <ts>] [--request-id <req_...>] [--follow]
                                        Get function logs
   update <id> <name> [--schedule <cron>] [--schedule-remove] [--timeout <s>] [--memory <mb>]
@@ -99,10 +103,22 @@ Arguments:
 Options:
   --method <M>        HTTP method (default POST)
   --body <json>       Request body (ignored for GET/HEAD)
+  --raw               Skip JSON wrapping. Prints the response body verbatim:
+                      string body → text + trailing newline; JSON body →
+                      pretty-printed JSON. Useful when piping a text/plain
+                      function response to another tool.
+
+Output (default — without --raw):
+  Stdout is a single JSON envelope { http_status, body, duration_ms }.
+  Safe to pipe to jq even when the function returns a plain string.
+  The HTTP status is exposed as http_status (not status) so the payload
+  stays clean of the reserved top-level "status" field used in error
+  envelopes on stderr.
 
 Examples:
   run402 functions invoke prj_abc123 stripe-webhook --body '{"event":"test"}'
   run402 functions invoke prj_abc123 ping --method GET
+  run402 functions invoke prj_abc123 csv --raw > export.csv
 `,
   logs: `run402 functions logs — Fetch or tail function logs
 
@@ -117,7 +133,10 @@ Options:
   --tail <n>          Number of most-recent entries (default 50, max 1000)
   --since <ts>        ISO timestamp or epoch ms; only entries after this
   --request-id <id>   Only entries correlated to this req_... request id
-  --follow            Poll every 3s and stream new entries (Ctrl-C to stop)
+  --follow            Poll every 3s and stream new entries (Ctrl-C to stop).
+                      Emits NDJSON: one JSON log entry per line, no wrapping
+                      "logs:" envelope (the wrapping object is only used in
+                      the non-follow batch mode).
 
 Examples:
   run402 functions logs prj_abc123 stripe-webhook --tail 100
@@ -208,12 +227,13 @@ async function deploy(projectId, name, args) {
 }
 
 async function invoke(projectId, name, args) {
-  assertRequiredProjectAndName(projectId, name, "run402 functions invoke <project_id> <name> [--method <M>] [--body <json>]");
-  assertKnownFlags(args, ["--method", "--body", "--help", "-h"], ["--method", "--body"]);
-  const opts = { method: "POST", body: undefined };
+  assertRequiredProjectAndName(projectId, name, "run402 functions invoke <project_id> <name> [--method <M>] [--body <json>] [--raw]");
+  assertKnownFlags(args, ["--method", "--body", "--raw", "--help", "-h"], ["--method", "--body"]);
+  const opts = { method: "POST", body: undefined, raw: false };
   for (let i = 0; i < args.length; i++) {
     if (args[i] === "--method" && args[i + 1]) opts.method = args[++i];
     if (args[i] === "--body" && args[i + 1]) opts.body = args[++i];
+    if (args[i] === "--raw") opts.raw = true;
   }
   const invokeOpts = { method: opts.method };
   if (opts.body !== undefined && opts.method !== "GET" && opts.method !== "HEAD") {
@@ -221,12 +241,17 @@ async function invoke(projectId, name, args) {
   }
   try {
     const result = await getSdk().functions.invoke(projectId, name, invokeOpts);
-    const body = result.body;
-    if (typeof body === "string") {
-      process.stdout.write(body + "\n");
-    } else {
-      console.log(JSON.stringify(body, null, 2));
+    if (opts.raw) {
+      const body = result.body;
+      if (typeof body === "string") {
+        process.stdout.write(body + "\n");
+      } else {
+        console.log(JSON.stringify(body, null, 2));
+      }
+      return;
     }
+    const { status, ...rest } = result;
+    console.log(JSON.stringify({ http_status: status, ...rest }, null, 2));
   } catch (err) {
     reportSdkError(err);
   }
@@ -310,7 +335,7 @@ async function logs(projectId, name, args) {
     }
 
     for (const { entry } of fresh) {
-      console.log(`[${entry.timestamp}] ${entry.message}`);
+      console.log(JSON.stringify(entry));
     }
     if (fresh.length === 0 || !Number.isFinite(nextHighWaterMs)) return;