Skip to content

v2.38.0

Choose a tag to compare

View all tags
@github-actions github-actions released this 05 Jun 15:22
· 47 commits to main since this release
v2.38.0
470463e

Org-owned control plane — client cascade

The gateway (v1.77) made the org (billing account) own projects: a wallet now authenticates (SIWX resolves it to a control-plane principal) but no longer authorizes. SIWX auth is unchanged, so this release is additive — it teaches the clients the new authorization model.

SDK (@run402/sdk)

  • New typed NotAuthorizedError (kind: "not_authorized") for 403 NOT_AUTHORIZED control-plane denials, carrying requiredRole, requiredCapability, reason, and action lifted from the gateway details. The kernel routes only that code to it; every other 401/403 stays Unauthorized, so existing isUnauthorized callers are unaffected. Exported from both entry points with an isNotAuthorized type guard.
  • ProjectSummary / TierStatusProject gain optional billing_account_id (owning org) + created_by (provisioning principal).

MCP (run402-mcp)

  • NOT_AUTHORIZED now renders distinct org-authorization guidance (echoes the missing role / capability / reason) instead of the generic "lease expired" 403 text.

CLI (run402)

  • NOT_AUTHORIZED errors get an actionable hint in the JSON envelope; the structured code / details pass through unchanged.

Docs

  • Org-ownership wording + the new 403 NOT_AUTHORIZED error across llms-sdk.txt, llms-mcp.txt, llms-cli.txt, and SKILL.md.

Deferred to a later release (the gateway org-management routes don't exist yet): whoami → principal + memberships, the org.{members,invite,role,revoke} / project.grants SDK surface, run402 org …, and MCP org/membership tools.

Addresses #434.

Assets 2
Loading