run402 2.24.0 → 2.25.0

package/lib/doctor-source-scan.mjs

@@ -339,6 +339,49 @@ export function scanFileContent(content, opts = {}) {
     });
   }
 
+  // 8) Tenant-assertion session-mint call without the declared capability.
+  //    `auth.sessions.createResponseFromTenantAssertion(...)` mints a browser
+  //    session from a tenant's vouching. It works ONLY in a function whose
+  //    deploy/apply spec declares `capabilities: ["auth.sessionMint"]`
+  //    (FunctionSpec.capabilities — sibling to `config`, since the platform
+  //    has no code-export metadata channel). Service-key presence is NOT
+  //    sufficient. Without the capability the gateway returns
+  //    R402_AUTH_UNTRUSTED_CONTEXT at runtime and mints no session.
+  //
+  //    The pure file scanner can't see the per-function spec, so the caller
+  //    threads `opts.declaredCapabilities` (the union of capabilities declared
+  //    across run402.config.json function entries — see readDeclaredCapabilities).
+  //    We suppress the finding when "auth.sessionMint" is present anywhere in
+  //    that union. Global-union (not per-file) is a deliberate precision
+  //    trade-off: the file→function-entry mapping isn't reliable from source,
+  //    and the runtime gate catches the rare "function A declared it, function
+  //    B forgot" case. WARN severity (never block deploy): an inline/SDK spec
+  //    the doctor can't read might declare the capability.
+  const declaredCaps =
+    opts.declaredCapabilities instanceof Set
+      ? opts.declaredCapabilities
+      : new Set(Array.isArray(opts.declaredCapabilities) ? opts.declaredCapabilities : []);
+  if (!declaredCaps.has("auth.sessionMint")) {
+    const mintCallRegex = /\bcreateResponseFromTenantAssertion\s*\(/g;
+    let mintMatch;
+    while ((mintMatch = mintCallRegex.exec(content)) !== null) {
+      findings.push({
+        code: "R402_DOCTOR_AUTH_SESSION_MINT_CAPABILITY_MISSING",
+        severity: SCAN_SEVERITY.WARN,
+        file: filePath,
+        line: lineNumberFor(content, mintMatch.index),
+        message:
+          "createResponseFromTenantAssertion (tenant-assertion session mint) requires the " +
+          '"auth.sessionMint" capability, which no function declares in run402.config.json. ' +
+          "Without it the gateway returns R402_AUTH_UNTRUSTED_CONTEXT at runtime and mints no session.",
+        fix:
+          'Add "capabilities": ["auth.sessionMint"] to this function\'s entry in run402.config.json ' +
+          '(under functions.replace.<name>, a sibling to "config"). A service key is NOT sufficient.',
+        docs: "https://docs.run402.com/auth/tenant-assertion#capability",
+      });
+    }
+  }
+
   return findings;
 }
 
@@ -347,6 +390,10 @@ export function scanFileContent(content, opts = {}) {
  *  line for stable output. */
 export function scanSourceTree(srcDir, opts = {}) {
   const findings = [];
+  // Capability picture for the tenant-assertion mint check (#8). Read from
+  // run402.config.json unless the caller passed it explicitly (tests do).
+  const declaredCapabilities =
+    opts.declaredCapabilities ?? readDeclaredCapabilities(opts.cwd ?? srcDir);
   walk(srcDir, (filePath) => {
     if (!SCANNED_EXTENSIONS.has(extname(filePath))) return;
     let content;
@@ -362,7 +409,10 @@ export function scanSourceTree(srcDir, opts = {}) {
       return;
     }
     findings.push(
-      ...scanFileContent(content, { filePath: relative(opts.cwd ?? srcDir, filePath) }),
+      ...scanFileContent(content, {
+        filePath: relative(opts.cwd ?? srcDir, filePath),
+        declaredCapabilities,
+      }),
     );
   });
   findings.sort((a, b) => {
@@ -410,6 +460,38 @@ export function _testOnly_authProperties() {
   return HALLUCINATED_AUTH_PROPERTIES.slice();
 }
 
+/** Read the union of `capabilities` declared across all function entries in
+ *  `run402.config.json` (the apply spec). Used by the tenant-assertion mint
+ *  check (#8) to suppress the warning when "auth.sessionMint" is declared.
+ *
+ *  Functions live under `functions.replace.<name>` / `functions.set.<name>`
+ *  with `capabilities?: string[]` as a sibling to `config`. Best-effort:
+ *  a missing or malformed config returns an empty set (the scanner then
+ *  warns, which is the safe default — the runtime gate is the hard
+ *  enforcement). Returns a `Set<string>`. */
+export function readDeclaredCapabilities(cwd = process.cwd()) {
+  const caps = new Set();
+  let parsed;
+  try {
+    parsed = JSON.parse(readFileSync(join(cwd, "run402.config.json"), "utf8"));
+  } catch {
+    return caps; // no config / unreadable / malformed → nothing declared
+  }
+  const fns = parsed?.functions;
+  if (!fns || typeof fns !== "object") return caps;
+  for (const bucket of ["replace", "set", "patch"]) {
+    const entries = fns[bucket];
+    if (!entries || typeof entries !== "object") continue;
+    for (const entry of Object.values(entries)) {
+      const declared = entry?.capabilities;
+      if (Array.isArray(declared)) {
+        for (const cap of declared) if (typeof cap === "string") caps.add(cap);
+      }
+    }
+  }
+  return caps;
+}
+
 /** Resolve the project's src/ directory. Astro convention is `<root>/src`;
  *  bare Node projects use `<root>/src` or `<root>`. We prefer `src/` if
  *  it exists. */

package/lib/doctor-source-scan.test.mjs

@@ -1,8 +1,13 @@
 import { describe, it } from "node:test";
 import assert from "node:assert/strict";
+import { mkdtempSync, mkdirSync, writeFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
 
 import {
   scanFileContent,
+  scanSourceTree,
+  readDeclaredCapabilities,
   SCAN_SEVERITY,
   _testOnly_hallucinatedNames,
   _testOnly_authProperties,
@@ -316,3 +321,97 @@ describe("scanFileContent — line numbers + file paths", () => {
     assert.equal(findings[0].file, "src/pages/account.astro");
   });
 });
+
+describe("scanFileContent — tenant-assertion session-mint capability (#8, §5.3 / 7.9)", () => {
+  const MINT = 'auth.sessions.createResponseFromTenantAssertion({ tenant, user, method: "password" });';
+
+  it("flags a mint call when no capability is declared (default opts)", () => {
+    const content = [
+      'import { auth } from "@run402/functions";',
+      "export default async (req) =>",
+      `  ${MINT}`,
+    ].join("\n");
+    const findings = scanFileContent(content, { filePath: "src/pages/api/login.ts" });
+    const f = findings.find(
+      (x) => x.code === "R402_DOCTOR_AUTH_SESSION_MINT_CAPABILITY_MISSING",
+    );
+    assert.ok(f, "should flag the mint call");
+    assert.equal(f.severity, SCAN_SEVERITY.WARN);
+    assert.equal(f.line, 3);
+    assert.equal(f.file, "src/pages/api/login.ts");
+    assert.match(f.fix, /auth\.sessionMint/);
+    assert.match(f.message, /R402_AUTH_UNTRUSTED_CONTEXT/);
+  });
+
+  it("suppresses when declaredCapabilities (array) includes auth.sessionMint", () => {
+    const findings = scanFileContent(MINT, {
+      declaredCapabilities: ["auth.sessionMint"],
+    });
+    assert.ok(
+      !findings.some((f) => f.code === "R402_DOCTOR_AUTH_SESSION_MINT_CAPABILITY_MISSING"),
+    );
+  });
+
+  it("suppresses when declaredCapabilities (Set) includes auth.sessionMint", () => {
+    const findings = scanFileContent(MINT, {
+      declaredCapabilities: new Set(["auth.sessionMint"]),
+    });
+    assert.ok(
+      !findings.some((f) => f.code === "R402_DOCTOR_AUTH_SESSION_MINT_CAPABILITY_MISSING"),
+    );
+  });
+
+  it("does NOT flag the distinct createResponseFromIdentity proof path", () => {
+    const content =
+      "auth.sessions.createResponseFromIdentity({ provider, subject, proof, amr });";
+    const findings = scanFileContent(content);
+    assert.ok(
+      !findings.some((f) => f.code === "R402_DOCTOR_AUTH_SESSION_MINT_CAPABILITY_MISSING"),
+    );
+  });
+});
+
+describe("readDeclaredCapabilities — run402.config.json capability union", () => {
+  function writeConfig(obj) {
+    const dir = mkdtempSync(join(tmpdir(), "r402-doctor-cap-"));
+    writeFileSync(join(dir, "run402.config.json"), JSON.stringify(obj));
+    return dir;
+  }
+
+  it("collects capabilities across functions.replace + functions.set", () => {
+    const dir = writeConfig({
+      functions: {
+        replace: { api: { capabilities: ["auth.sessionMint"] } },
+        set: { cron: { capabilities: ["other.cap"] } },
+      },
+    });
+    const caps = readDeclaredCapabilities(dir);
+    assert.ok(caps.has("auth.sessionMint"));
+    assert.ok(caps.has("other.cap"));
+  });
+
+  it("returns an empty set when no config / no capabilities", () => {
+    const emptyDir = mkdtempSync(join(tmpdir(), "r402-doctor-nocfg-"));
+    assert.equal(readDeclaredCapabilities(emptyDir).size, 0);
+    const noCapDir = writeConfig({ functions: { replace: { api: { config: {} } } } });
+    assert.equal(readDeclaredCapabilities(noCapDir).size, 0);
+  });
+
+  it("scanSourceTree suppresses the mint warning when the config declares it", () => {
+    const dir = mkdtempSync(join(tmpdir(), "r402-doctor-tree-"));
+    mkdirSync(join(dir, "src"));
+    writeFileSync(
+      join(dir, "src", "login.ts"),
+      "export default async () => auth.sessions.createResponseFromTenantAssertion({});",
+    );
+    writeFileSync(
+      join(dir, "run402.config.json"),
+      JSON.stringify({ functions: { replace: { api: { capabilities: ["auth.sessionMint"] } } } }),
+    );
+    const findings = scanSourceTree(join(dir, "src"), { cwd: dir });
+    assert.ok(
+      !findings.some((f) => f.code === "R402_DOCTOR_AUTH_SESSION_MINT_CAPABILITY_MISSING"),
+      "config-declared capability should suppress the tree-scan warning",
+    );
+  });
+});

package/lib/email.mjs

@@ -13,8 +13,10 @@ Subcommands:
   info   [--project <id>]            Show mailbox info (ID, address, slug)
   status [--project <id>]            Alias for 'info' (prefer 'info')
   send   --to <email> [mode flags]   Send an email (template or raw HTML)
-  list   [--limit <n>] [--after <cursor>] [--project <id>]
-                                      List sent/received messages (paginated)
+  list   [--limit <n>] [--after <cursor>] [--direction <inbound|outbound>] [--project <id>]
+                                      List messages (paginated). Returns BOTH
+                                      sent + received by default; --direction
+                                      inbound is the reconciliation backstop.
   get    <message_id> [--project <id>]  Get a message with replies
   get-raw <message_id> --output <file> [--project <id>]
                                       Fetch raw RFC-822 bytes (inbound only).
@@ -35,6 +37,10 @@ Webhook subcommands:
                                                   Update a webhook
   webhooks register --url <url> --events <e1,e2> [--project <id>]
                                                   Register a new webhook
+  webhooks deliveries [--status <s>] [--project <id>]
+                                                  List durable delivery rows (DLQ visibility)
+  webhooks redrive <delivery_id> [--project <id>]
+                                                  Re-queue a dead-lettered delivery
 
 Send modes:
   Template:  --template <name> --var key=value [--var ...]  OR --vars '{"k":"v",...}'
@@ -286,16 +292,18 @@ async function send(args) {
 }
 
 async function list(args) {
-  const valueFlags = ["--project", "--limit", "--after", "--mailbox"];
+  const valueFlags = ["--project", "--limit", "--after", "--mailbox", "--direction"];
   validateArgs(args, valueFlags);
   const projectId = resolveProjectId(strictFlagValue(args, "--project"));
   const limit = strictFlagValue(args, "--limit");
   const after = strictFlagValue(args, "--after");
   const mailbox = strictFlagValue(args, "--mailbox");
+  const direction = strictFlagValue(args, "--direction");
   try {
     const data = await getSdk().email.list(projectId, {
       limit: limit ? parseIntegerFlag("--limit", limit) : undefined,
       after: after ?? undefined,
+      direction: direction ?? undefined,
       mailbox: mailbox ?? undefined,
     });
     console.log(JSON.stringify(data, null, 2));

package/lib/init-astro.mjs

@@ -264,6 +264,9 @@ const { user, role } = await auth.requireRole("admin");
 const { user, membership } = await auth.requireMembership("member");
 await auth.requireFresh({ maxAge: "10m", amr: ["passkey"] });
 
+// Rich, ownership-qualified account-security read (backs <AccountSecurity>):
+const sec = await auth.account.getSecurity();  // AccountSecurity | null
+
 // CSRF for hosted forms (server-side, in <form> rendering):
 const field = auth.csrfField();
 // → <input type="hidden" name="_csrf" value="..." />
@@ -301,7 +304,7 @@ routes (\`/auth/v1/sign-in\` etc.) with the CSRF token already wired:
 
 \`\`\`astro
 ---
-import { SignIn, SignUp, UserButton, SignedIn, SignedOut } from "@run402/astro";
+import { SignIn, SignUp, UserButton, AccountSecurity, SignedIn, SignedOut } from "@run402/astro";
 ---
 
 <SignedIn>
@@ -310,10 +313,21 @@ import { SignIn, SignUp, UserButton, SignedIn, SignedOut } from "@run402/astro";
 <SignedOut>
   <SignIn returnTo="/dashboard" />
 </SignedOut>
+
+<!-- On an account page (gate on <SignedIn>): change password, manage
+     passkeys, list/revoke sessions, sign out everywhere, link/unlink OAuth. -->
+<SignedIn>
+  <AccountSecurity sections={["password", "passkeys", "sessions", "identities"]} />
+</SignedIn>
 \`\`\`
 
-Do NOT roll your own sign-in form. The hosted routes handle CSRF, returnTo
-validation, OAuth provider bridges, and passkey ceremonies.
+The four hosted-auth components — \`<SignIn>\`, \`<SignUp>\`, \`<UserButton>\`,
+\`<AccountSecurity>\` — plus the \`<SignedIn>\`/\`<SignedOut>\` gates emit forms
+posting to the platform's hosted routes with the CSRF token already wired.
+Each accepts a default \`<slot>\` for extras (OAuth buttons, links, panels)
+without losing the zero-config default. Do NOT roll your own — the hosted
+routes handle CSRF, returnTo validation, OAuth provider bridges, and passkey
+ceremonies.
 
 ## Rendering-mode quick map
 

package/lib/webhooks.mjs

@@ -9,13 +9,22 @@ Usage:
   run402 email webhooks <action> [args...]
 
 Actions:
-  list     [--mailbox <slug|id>] [--project <id>]            List webhooks
-  get      <webhook_id> [--mailbox <slug|id>] [--project <id>]   Get a webhook
-  delete   <webhook_id> [--mailbox <slug|id>] [--project <id>]   Delete a webhook
-  update   <webhook_id> [--url <url>] [--events <e1,e2>] [--mailbox <slug|id>]  Update a webhook
-  register --url <url> --events <e1,e2> [--mailbox <slug|id>] [--project <id>]  Register a new webhook
+  list       [--mailbox <slug|id>] [--project <id>]            List webhooks
+  get        <webhook_id> [--mailbox <slug|id>] [--project <id>]   Get a webhook
+  delete     <webhook_id> [--mailbox <slug|id>] [--project <id>]   Delete a webhook
+  update     <webhook_id> [--url <url>] [--events <e1,e2>] [--mailbox <slug|id>]  Update a webhook
+  register   --url <url> --events <e1,e2> [--mailbox <slug|id>] [--project <id>]  Register a new webhook
+  deliveries [--status <s>] [--mailbox <slug|id>] [--project <id>]  List durable delivery rows (DLQ visibility)
+  redrive    <delivery_id> [--mailbox <slug|id>] [--project <id>]   Re-queue a dead-lettered delivery
 
 Valid events: delivery, bounced, complained, reply_received
+Delivery statuses: pending, in_flight, delivered, failed_permanent (the DLQ)
+
+Webhook delivery is durable + at-least-once: failures retry with backoff, then
+land in failed_permanent (the dead-letter queue). The delivered body is the
+canonical envelope { id, type, created_at, schema_version, idempotency_key,
+payload } — consumers MUST dedupe on idempotency_key. Use 'deliveries' to
+inspect what was lost and 'redrive' to replay a dead-lettered delivery.
 
 Pass --mailbox <slug|id> to target a specific mailbox when the project has more than one.
 
@@ -24,6 +33,8 @@ Examples:
   run402 email webhooks register --url https://example.com/hook --events delivery,bounced
   run402 email webhooks update whk_123 --url https://new.example.com/hook
   run402 email webhooks delete whk_123
+  run402 email webhooks deliveries --status failed_permanent
+  run402 email webhooks redrive wd_123
 `;
 
 const SUB_HELP = {
@@ -196,16 +207,60 @@ async function register(args) {
   }
 }
 
+async function deliveries(args) {
+  const valueFlags = ["--project", "--mailbox", "--status", "--limit", "--after"];
+  validateArgs(args, valueFlags);
+  const projectId = resolveProjectId(strictFlagValue(args, "--project"));
+  const mailbox = strictFlagValue(args, "--mailbox");
+  const status = strictFlagValue(args, "--status");
+  const limitRaw = strictFlagValue(args, "--limit");
+  const after = strictFlagValue(args, "--after");
+  try {
+    const data = await getSdk().email.webhooks.listDeliveries(projectId, {
+      status: status ?? undefined,
+      limit: limitRaw ? Number(limitRaw) : undefined,
+      after: after ?? undefined,
+      mailbox: mailbox ?? undefined,
+    });
+    console.log(JSON.stringify(data, null, 2));
+  } catch (err) {
+    reportSdkError(err);
+  }
+}
+
+async function redrive(args) {
+  const valueFlags = ["--project", "--mailbox"];
+  validateArgs(args, valueFlags);
+  const deliveryId = positionalArgs(args, valueFlags)[0] ?? null;
+  const projectId = resolveProjectId(strictFlagValue(args, "--project"));
+  const mailbox = strictFlagValue(args, "--mailbox");
+  if (!deliveryId) {
+    fail({
+      code: "BAD_USAGE",
+      message: "Missing delivery_id.",
+      hint: "run402 email webhooks redrive <delivery_id>",
+    });
+  }
+  try {
+    const data = await getSdk().email.webhooks.redriveDelivery(projectId, deliveryId, { mailbox: mailbox ?? undefined });
+    console.log(JSON.stringify(data, null, 2));
+  } catch (err) {
+    reportSdkError(err);
+  }
+}
+
 export async function run(sub, args) {
   args = normalizeArgv(args);
   if (!sub || sub === '--help' || sub === '-h') { console.log(HELP); process.exit(0); }
   if (Array.isArray(args) && (args.includes("--help") || args.includes("-h"))) { console.log(SUB_HELP[sub] || HELP); process.exit(0); }
   switch (sub) {
-    case "list":     await list(args); break;
-    case "get":      await get(args); break;
-    case "delete":   await del(args); break;
-    case "update":   await update(args); break;
-    case "register": await register(args); break;
+    case "list":       await list(args); break;
+    case "get":        await get(args); break;
+    case "delete":     await del(args); break;
+    case "update":     await update(args); break;
+    case "register":   await register(args); break;
+    case "deliveries": await deliveries(args); break;
+    case "redrive":    await redrive(args); break;
     default:
       console.error(`Unknown webhooks action: ${sub}\n`);
       console.log(HELP);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "run402",
-  "version": "2.24.0",
+  "version": "2.25.0",
   "description": "CLI for Run402 — provision Postgres databases, deploy static sites, generate images, and manage wallets via x402 and MPP micropayments.",
   "type": "module",
   "bin": {

package/sdk/dist/namespaces/deploy.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"deploy.d.ts","sourceRoot":"","sources":["../../src/namespaces/deploy.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AAiB3C,OAAO,KAAK,EACV,YAAY,EACZ,sBAAsB,EAQtB,WAAW,EACX,oBAAoB,EAEpB,iBAAiB,EACjB,kBAAkB,EAClB,eAAe,EACf,YAAY,EACZ,oBAAoB,EACpB,qBAAqB,EAarB,iBAAiB,EAGjB,YAAY,EACZ,cAAc,EACd,aAAa,EACb,kBAAkB,EAClB,gBAAgB,EAChB,2BAA2B,EAC3B,uBAAuB,EACvB,WAAW,EACX,oBAAoB,EACpB,YAAY,EAEb,MAAM,mBAAmB,CAAC;AAqE3B,qBAAa,MAAM;IACL,OAAO,CAAC,QAAQ,CAAC,MAAM;gBAAN,MAAM,EAAE,MAAM;IAE3C;;;;OAIG;IACG,KAAK,CAAC,IAAI,EAAE,WAAW,EAAE,IAAI,GAAE,YAAiB,GAAG,OAAO,CAAC,YAAY,CAAC;IA4C9E;;;OAGG;IACH,KAAK,CAAC,IAAI,EAAE,WAAW,EAAE,IAAI,GAAE,YAAiB,GAAG,OAAO,CAAC,eAAe,CAAC;IAI3E;;;;OAIG;IACG,IAAI,CACR,IAAI,EAAE,WAAW,EACjB,IAAI,GAAE;QAAE,cAAc,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,OAAO,CAAA;KAAO,GACvD,OAAO,CAAC;QAAE,IAAI,EAAE,YAAY,CAAC;QAAC,WAAW,EAAE,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC,CAAA;KAAE,CAAC;IAIxE;;;;;OAKG;IACG,MAAM,CACV,IAAI,EAAE,YAAY,EAClB,IAAI,EAAE;QACJ,OAAO,EAAE,MAAM,CAAC;QAChB,WAAW,EAAE,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;QACrC,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,WAAW,KAAK,IAAI,CAAC;KACxC,GACA,OAAO,CAAC,IAAI,CAAC;IAWhB;;;;;OAKG;IACG,MAAM,CACV,MAAM,EAAE,MAAM,EACd,IAAI,GAAE;QACJ,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,WAAW,KAAK,IAAI,CAAC;QACvC,cAAc,CAAC,EAAE,MAAM,CAAC;QACxB,OAAO,CAAC,EAAE,MAAM,CAAC;KACb,GACL,OAAO,CAAC,YAAY,CAAC;IAMxB;;;;;;;;;OASG;IACG,MAAM,CACV,WAAW,EAAE,MAAM,EACnB,IAAI,GAAE;QAAE,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,WAAW,KAAK,IAAI,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAO,GACtE,OAAO,CAAC,YAAY,CAAC;IAqBxB;;;;;;;;;;;;;;;;;;;;;;;;;;;OA2BG;IACG,OAAO,CACX,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,MAAM,EACjB,IAAI,GAAE,cAAmB,GACxB,OAAO,CAAC,aAAa,CAAC;IA2CzB;;;;OAIG;IACG,MAAM,CACV,WAAW,EAAE,MAAM,EACnB,IAAI,GAAE;QAAE,OAAO,CAAC,EAAE,MAAM,CAAA;KAAO,GAC9B,OAAO,CAAC,iBAAiB,CAAC;IAmB7B;;;;;;OAMG;IACG,IAAI,CACR,IAAI,EAAE,MAAM,GAAG,iBAAiB,GAC/B,OAAO,CAAC,kBAAkB,CAAC;IA6B9B;;;;;;;;OAQG;IACG,MAAM,CACV,WAAW,EAAE,MAAM,EACnB,IAAI,EAAE;QAAE,OAAO,EAAE,MAAM,CAAA;KAAE,GACxB,OAAO,CAAC,oBAAoB,CAAC;IAmBhC;;;;OAIG;IACG,UAAU,CAAC,IAAI,EAAE,2BAA2B,GAAG,OAAO,CAAC,gBAAgB,CAAC;IA2B9E;;;;OAIG;IACG,gBAAgB,CACpB,IAAI,EAAE,uBAAuB,GAC5B,OAAO,CAAC,sBAAsB,CAAC;IAqBlC;;;;OAIG;IACG,IAAI,CAAC,IAAI,EAAE,kBAAkB,GAAG,OAAO,CAAC,oBAAoB,CAAC;IA+BnE;;;;OAIG;IACG,OAAO,CAAC,IAAI,EAAE,oBAAoB,GAAG,OAAO,CAAC,qBAAqB,CAAC;CAW1E;AA65CD;;;;;GAKG;AACH,MAAM,WAAW,UAAU;IACzB,IAAI,OAAO,CAAC,UAAU,CAAC,CAAC;IACxB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB;;;iEAG6D;IAC7D,KAAK,CAAC,EAAE,SAAS,GAAG,OAAO,GAAG,OAAO,CAAC;CACvC"}
+{"version":3,"file":"deploy.d.ts","sourceRoot":"","sources":["../../src/namespaces/deploy.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AAkB3C,OAAO,KAAK,EACV,YAAY,EACZ,sBAAsB,EAQtB,WAAW,EACX,oBAAoB,EAEpB,iBAAiB,EACjB,kBAAkB,EAClB,eAAe,EACf,YAAY,EACZ,oBAAoB,EACpB,qBAAqB,EAarB,iBAAiB,EAGjB,YAAY,EACZ,cAAc,EACd,aAAa,EACb,kBAAkB,EAClB,gBAAgB,EAChB,2BAA2B,EAC3B,uBAAuB,EACvB,WAAW,EACX,oBAAoB,EACpB,YAAY,EAEb,MAAM,mBAAmB,CAAC;AAqE3B,qBAAa,MAAM;IACL,OAAO,CAAC,QAAQ,CAAC,MAAM;gBAAN,MAAM,EAAE,MAAM;IAE3C;;;;OAIG;IACG,KAAK,CAAC,IAAI,EAAE,WAAW,EAAE,IAAI,GAAE,YAAiB,GAAG,OAAO,CAAC,YAAY,CAAC;IA4C9E;;;OAGG;IACH,KAAK,CAAC,IAAI,EAAE,WAAW,EAAE,IAAI,GAAE,YAAiB,GAAG,OAAO,CAAC,eAAe,CAAC;IAI3E;;;;OAIG;IACG,IAAI,CACR,IAAI,EAAE,WAAW,EACjB,IAAI,GAAE;QAAE,cAAc,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,OAAO,CAAA;KAAO,GACvD,OAAO,CAAC;QAAE,IAAI,EAAE,YAAY,CAAC;QAAC,WAAW,EAAE,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC,CAAA;KAAE,CAAC;IAIxE;;;;;OAKG;IACG,MAAM,CACV,IAAI,EAAE,YAAY,EAClB,IAAI,EAAE;QACJ,OAAO,EAAE,MAAM,CAAC;QAChB,WAAW,EAAE,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;QACrC,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,WAAW,KAAK,IAAI,CAAC;KACxC,GACA,OAAO,CAAC,IAAI,CAAC;IAWhB;;;;;OAKG;IACG,MAAM,CACV,MAAM,EAAE,MAAM,EACd,IAAI,GAAE;QACJ,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,WAAW,KAAK,IAAI,CAAC;QACvC,cAAc,CAAC,EAAE,MAAM,CAAC;QACxB,OAAO,CAAC,EAAE,MAAM,CAAC;KACb,GACL,OAAO,CAAC,YAAY,CAAC;IAMxB;;;;;;;;;OASG;IACG,MAAM,CACV,WAAW,EAAE,MAAM,EACnB,IAAI,GAAE;QAAE,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,WAAW,KAAK,IAAI,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAO,GACtE,OAAO,CAAC,YAAY,CAAC;IAqBxB;;;;;;;;;;;;;;;;;;;;;;;;;;;OA2BG;IACG,OAAO,CACX,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,MAAM,EACjB,IAAI,GAAE,cAAmB,GACxB,OAAO,CAAC,aAAa,CAAC;IA2CzB;;;;OAIG;IACG,MAAM,CACV,WAAW,EAAE,MAAM,EACnB,IAAI,GAAE;QAAE,OAAO,CAAC,EAAE,MAAM,CAAA;KAAO,GAC9B,OAAO,CAAC,iBAAiB,CAAC;IAmB7B;;;;;;OAMG;IACG,IAAI,CACR,IAAI,EAAE,MAAM,GAAG,iBAAiB,GAC/B,OAAO,CAAC,kBAAkB,CAAC;IA6B9B;;;;;;;;OAQG;IACG,MAAM,CACV,WAAW,EAAE,MAAM,EACnB,IAAI,EAAE;QAAE,OAAO,EAAE,MAAM,CAAA;KAAE,GACxB,OAAO,CAAC,oBAAoB,CAAC;IAmBhC;;;;OAIG;IACG,UAAU,CAAC,IAAI,EAAE,2BAA2B,GAAG,OAAO,CAAC,gBAAgB,CAAC;IA2B9E;;;;OAIG;IACG,gBAAgB,CACpB,IAAI,EAAE,uBAAuB,GAC5B,OAAO,CAAC,sBAAsB,CAAC;IAqBlC;;;;OAIG;IACG,IAAI,CAAC,IAAI,EAAE,kBAAkB,GAAG,OAAO,CAAC,oBAAoB,CAAC;IA+BnE;;;;OAIG;IACG,OAAO,CAAC,IAAI,EAAE,oBAAoB,GAAG,OAAO,CAAC,qBAAqB,CAAC;CAW1E;AA65CD;;;;;GAKG;AACH,MAAM,WAAW,UAAU;IACzB,IAAI,OAAO,CAAC,UAAU,CAAC,CAAC;IACxB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB;;;iEAG6D;IAC7D,KAAK,CAAC,EAAE,SAAS,GAAG,OAAO,GAAG,OAAO,CAAC;CACvC"}

package/sdk/dist/namespaces/deploy.js

@@ -21,7 +21,7 @@
 import { isCiSessionCredentials } from "../ci-credentials.js";
 import { assertCiDeployableSpec } from "./ci.js";
 import { ROUTE_HTTP_METHODS, normalizeDeployResolveRequest, } from "./deploy.types.js";
-import { ApiError, LocalError, NetworkError, PaymentRequired, Run402DeployError, Unauthorized, } from "../errors.js";
+import { ApiError, LocalError, NetworkError, PaymentRequired, Run402DeployError, Unauthorized, isTransferFreezeError, } from "../errors.js";
 import { assertAssetMetadata, assertExifPolicy, } from "./assets-validation.js";
 // ─── Constants ───────────────────────────────────────────────────────────────
 const PLAN_BODY_LIMIT_BYTES = 5 * 1024 * 1024;
@@ -3091,6 +3091,31 @@ function translateDeployError(err, phase, planId, operationId) {
             context: err.context,
         });
     }
+    // 409 transfer-freeze (PROJECT_HAS_PENDING_TRANSFER) arrives as a dedicated
+    // TransferFreezeError, not an ApiError. Route it through the same
+    // gateway-envelope path so the structured code, details (transfer_id), and
+    // next_actions (cancel/view transfer) survive instead of flattening to
+    // INTERNAL_ERROR. Use the structural guard so the check holds across
+    // duplicate SDK copies / realm boundaries (V8-isolate code-mode).
+    if (isTransferFreezeError(err)) {
+        const body = err.body && typeof err.body === "object" && !Array.isArray(err.body)
+            ? err.body
+            : null;
+        const gw = body ? extractGatewayError(body) : null;
+        if (gw) {
+            return translateGatewayError(gw, phase, planId, operationId);
+        }
+        return new Run402DeployError(err.message, {
+            code: "PROJECT_HAS_PENDING_TRANSFER",
+            phase,
+            retryable: false,
+            operationId,
+            planId,
+            status: err.status,
+            body: err.body,
+            context: err.context,
+        });
+    }
     if (err instanceof NetworkError) {
         return new Run402DeployError(err.message, {
             code: "NETWORK_ERROR",