Changelog

Platform updates and new features

Machine-readable: /updates.txt

April 14, 2026

Project soft-delete lifecycle — Replaces the old 7-day silent destroy with a ~104-day state machine: active → past_due → frozen → dormant → purged. The live site keeps serving end users throughout — only the project owner's control plane (deploys, secret rotation, subdomain claims, function upload) is gated. Three warning emails across grace: past_due at day 0, frozen at day 14, final warning 24 hours before deletion. Subdomain reservation: the name is held for the original owner's wallet throughout grace, so a missed renewal can't lose the brand to a squatter. Any tier renewal during grace instantly reactivates the project and clears the countdown. Scheduled (cron) functions pause at day 44 to stop charging absent owners for compute. Operator rescue endpoints for admin-initiated reactivation and subdomain release. Motivated by saas-factory products: one missed renewal used to silently destroy a live brand's data and subdomain with no recourse — now it takes ~104 days, three emails, and the name is held until the tail expires.

Custom domain inbound email — Verified custom sender domains can now receive inbound email. Enable via POST /email/v1/domains/inbound, add the MX record to your DNS, and replies to <slug>@yourdomain.com route through the same pipeline as @mail.run402.com. Opt-in, requires DKIM-verified domain. Removing the sender domain cascades to disable inbound. Enables kysigned reply-to-sign at branded addresses.

Raw inbound MIME accessor — New GET /mailboxes/v1/:id/messages/:messageId/raw endpoint returns the exact RFC-822 bytes of an inbound message, fetched verbatim from S3 with no parsing or normalization. Inbound messages only, Content-Type: message/rfc822, 10MB cap. Use this for cryptographic verification — DKIM signature checks, zk-email proofs, archival-grade email storage. The existing JSON message endpoint still returns parsed body_text for display and threading. Apps doing signature verification over inbound mail (kysigned reply-to-sign, etc.) should always read raw bytes — any post-processing breaks the cryptographic chain.

KMS contract wallet — New /contracts/v1/* endpoints for AWS KMS-backed Ethereum wallets per project. Private keys never leave KMS. $0.04/day rental ($1.20/month, billed daily as kms_wallet_rental) plus $0.000005 per contract call (KMS sign fee, billed alongside chain gas at-cost). 30-day prepay required at creation. Provision via POST /contracts/v1/wallets; submit calls via POST /contracts/v1/call; non-custodial with optional drain endpoint and recovery address as safety nets. Wallets that stay suspended for 90 days are permanently deleted. Base mainnet first; chain registry config-only for adding more chains.
Email billing accounts + Stripe tier checkout + email packs — Create billing accounts with just an email (Stripe-only, no wallet required). Subscribe/renew/upgrade tiers via credit card at POST /billing/v1/tiers/:tier/checkout. Buy email packs ($5 = 10,000 emails, never expire) at POST /billing/v1/email-packs/checkout — require a verified custom sender domain to protect mail.run402.com reputation. Auto-recharge optional. Balance/history endpoints now auto-detect wallet or email identifiers. Backward compat preserved for all existing wallet flows.

Custom sender domains — Register a custom email sending domain via POST /email/v1/domains. DKIM verification via SES, DNS records provided. Once verified, email sends from <slug>@<your-domain>. Wallet-scoped ownership for multi-project reuse.
Magic link auth — Passwordless email authentication for project users. Request a magic link via POST /auth/v1/magic-link, verify via grant_type=magic_link. Auto-creates users on first use. Includes password change/reset/set endpoint and project-level allow_password_set setting. Multi-method identity: users can have any combination of password, OAuth, and magic link.

Extract functions package — Extracted @run402/functions runtime helper into standalone TypeScript npm package with full type definitions, replacing inlined heredoc in Lambda layer

Public storage URLs — Unauthenticated public read route for storage files; public URL included in upload responses
Incremental deploy — inherit: true flag on deploy requests to carry forward unchanged files from previous deployment via S3 server-side copy
Auto Worker custom domains — Automatic Cloudflare Worker Custom Domain binding creation/deletion when domains are registered or released
Domain status auth — Added auth middleware to domain status endpoint, closing security gap where project data was publicly queryable

Project admin role — project_admin Postgres role with BYPASSRLS, is_admin flag on users, admin JWT issuance, and promote/demote endpoints

on-signup hook — on-* lifecycle hook convention; gateway auto-invokes on-signup function fire-and-forget after first user signup
Bundle deploy error detail — Fixed error swallowing in bundle deploy so errors propagate their message and status code to the client

Full email — Raw HTML send mode, display name (from_name) support, bumped team tier daily send limit to 500
Search Console coverage fix — Fixed 404s and missing sitemap entries by adding directory index pages and custom 404 page

Scheduled functions — Cron-based scheduled invocation of deployed functions with deploy-time schedule config, manual trigger, and tier limits

Secrets value hash — Truncated SHA-256 hash in secrets list response so agents can verify secret values without exposing them
Input validation hardening — Centralized input validation (UUID, wallet, email, slug, URL) for all route handlers with clean 400 responses

Project email — Per-project mailboxes at <slug>@mail.run402.com with template-based outbound, reply-only inbound, and SES integration
Branded SQL type — Branded SQL type with sql() helper and libpg-query pre-flight validation
Admin auth and operations — Admin auth middleware (ADMIN_KEY, SIWx, OAuth, service_key) with admin override on ownership-gated endpoints
Test coverage — c8 coverage instrumentation for gateway unit tests with CI integration

TypeScript type stripping — esbuild transpilation so edge functions in TypeScript deploy without SyntaxErrors
Cascade project delete — Project archival cascade-deletes all owned resources (Lambda, secrets, subdomains, S3, deployments, apps)
Bootstrap function — Convention-based bootstrap function auto-invoked after fork/deploy with caller-provided variables
getUser() helper — getUser(req) in functions runtime to retrieve authenticated user inside edge functions via JWT