v2.41.0

Hosted control-plane session — SDK client surface (#444)

The browser/console login surface for the write-capable human principal (gateway v1.78 passkey-principals-onboarding) now ships in the SDK, completing the public-side client cascade started in v2.40.0.

SDK

• r.operator.session.* — the hosted session surface: email magic-link (email / verifyEmail), passkey login (passkeyOptions / passkeyVerify), oauthUrl() for Google / GitHub, session lifecycle (whoami / refresh / revoke), passkey enrollment, step-up (stepUpOptions / stepUpVerify), recovery codes, and authenticator management. Isomorphic; the bearer-or-provider auth model mirrors operator.overview({ token }), and WebAuthn payloads are opaque passthroughs (the browser runs the ceremony).
• controlPlaneSessionCredentials({ token | getToken }) — carry a control_plane_session bearer across the whole SDK, so r.org.* and r.admin.transfers.* act as that human principal ("accepted everywhere a SIWX wallet is"). Carries no project keys, so DB/project-key ops still use the wallet/keystore.

CLI

• run402 operator login --loopback now surfaces the orgs you belong to, including invites auto-claimed at first login (best-effort session.whoami → memberships[]). There's no invitee-side "accept" step; owner/admin invites claim once a passkey is enrolled, lower roles on any login.

Notes

• Browser-interactive by design: no MCP tool, no new CLI verb. The CLI write-login stays the loopback-PKCE ceremony; the hosted email / passkey / OAuth flows are console-side and exposed in the SDK for browser consumers.
• High-stakes writes still require a fresh passkey — an email/OAuth session raises StepUpRequiredError until it runs a step-up ceremony.
• The live Google / GitHub OAuth bridge pends gateway CONTROL_PLANE_{GOOGLE,GITHUB}_* provisioning. #444 remains open until the hosted login fully lands (console UI + OAuth bridges).

Lockstep release — run402-mcp, run402, @run402/sdk all at 2.41.0.