Changelog

Platform updates and new features

Machine-readable: /updates.txt

April 5, 2026

• Magic link auth — Passwordless email authentication for project users. Request a magic link via POST /auth/v1/magic-link, verify via grant_type=magic_link. Auto-creates users on first use. Includes password change/reset/set endpoint and project-level allow_password_set setting. Multi-method identity: users can have any combination of password, OAuth, and magic link.

April 2, 2026

• Extract functions package — Extracted @run402/functions runtime helper into standalone TypeScript npm package with full type definitions, replacing inlined heredoc in Lambda layer

March 31, 2026

• Public storage URLs — Unauthenticated public read route for storage files; public URL included in upload responses
• Incremental deploy — inherit: true flag on deploy requests to carry forward unchanged files from previous deployment via S3 server-side copy
• Auto Worker custom domains — Automatic Cloudflare Worker Custom Domain binding creation/deletion when domains are registered or released
• Domain status auth — Added auth middleware to domain status endpoint, closing security gap where project data was publicly queryable

March 30, 2026

• Project admin role — project_admin Postgres role with BYPASSRLS, is_admin flag on users, admin JWT issuance, and promote/demote endpoints

March 29, 2026

• on-signup hook — on-* lifecycle hook convention; gateway auto-invokes on-signup function fire-and-forget after first user signup
• Bundle deploy error detail — Fixed error swallowing in bundle deploy so errors propagate their message and status code to the client

March 28, 2026

• Full email — Raw HTML send mode, display name (from_name) support, bumped team tier daily send limit to 500
• Search Console coverage fix — Fixed 404s and missing sitemap entries by adding directory index pages and custom 404 page

March 26, 2026

• Scheduled functions — Cron-based scheduled invocation of deployed functions with deploy-time schedule config, manual trigger, and tier limits

March 25, 2026

• Secrets value hash — Truncated SHA-256 hash in secrets list response so agents can verify secret values without exposing them
• Input validation hardening — Centralized input validation (UUID, wallet, email, slug, URL) for all route handlers with clean 400 responses

March 24, 2026

• Project email — Per-project mailboxes at <slug>@mail.run402.com with template-based outbound, reply-only inbound, and SES integration
• Branded SQL type — Branded SQL type with sql() helper and libpg-query pre-flight validation
• Admin auth and operations — Admin auth middleware (ADMIN_KEY, SIWx, OAuth, service_key) with admin override on ownership-gated endpoints
• Test coverage — c8 coverage instrumentation for gateway unit tests with CI integration

March 23, 2026

• TypeScript type stripping — esbuild transpilation so edge functions in TypeScript deploy without SyntaxErrors
• Cascade project delete — Project archival cascade-deletes all owned resources (Lambda, secrets, subdomains, S3, deployments, apps)
• Bootstrap function — Convention-based bootstrap function auto-invoked after fork/deploy with caller-provided variables
• getUser() helper — getUser(req) in functions runtime to retrieve authenticated user inside edge functions via JWT