Add admin pin command and manifest path field support

- Add `pin_project` admin command (MCP, CLI, OpenClaw) gated by server-side
  allowance address whitelist; CLI help hidden behind RUN402_ADMIN env var
- Add `path` field alternative to `data` in deploy/sites manifests so files
  can be read from disk instead of inlined as JSON strings
- Update formatApiError to detect admin_required 403 responses

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: MajorTal

cli-e2e.test.mjs

@@ -516,6 +516,28 @@ describe("CLI e2e happy path", () => {
     assert.ok(captured().includes("prj_test123"), "should return project info");
   });
 
+  it("deploy with path fields in manifest", async () => {
+    const { run } = await import("./cli/lib/deploy.mjs");
+    const { writeFileSync: wf, mkdirSync } = await import("node:fs");
+    // Create a dist/ subdirectory with files
+    const distDir = join(tempDir, "dist");
+    mkdirSync(distDir, { recursive: true });
+    wf(join(distDir, "index.html"), "<h1>Built</h1>");
+    wf(join(distDir, "logo.png"), Buffer.from([0x89, 0x50, 0x4e, 0x47]));
+    // Manifest uses path fields resolved relative to manifest location
+    const manifestPath = join(tempDir, "path-manifest.json");
+    wf(manifestPath, JSON.stringify({
+      files: [
+        { file: "index.html", path: "dist/index.html" },
+        { file: "logo.png", path: "dist/logo.png" },
+      ],
+    }));
+    captureStart();
+    await run(["--manifest", manifestPath, "--project", "prj_test123"]);
+    captureStop();
+    assert.ok(captured().includes("prj_test123"), "should deploy with resolved paths");
+  });
+
   // ── Functions ───────────────────────────────────────────────────────────
 
   it("functions deploy", async () => {

cli/lib/deploy.mjs

@@ -1,5 +1,7 @@
 import { readFileSync } from "fs";
+import { dirname, resolve } from "path";
 import { API, allowanceAuthHeaders, findProject } from "./config.mjs";
+import { resolveFilePathsInManifest } from "./manifest.mjs";
 
 const HELP = `run402 deploy — Deploy to an existing project on Run402
 
@@ -25,13 +27,22 @@ Manifest format (JSON):
       "name": "my-fn",
       "code": "export default async (req) => new Response('ok')"
     }],
-    "files": [{ "file": "index.html", "data": "<html>...</html>" }],
+    "files": [
+      { "file": "index.html", "data": "<html>...</html>" },
+      { "file": "style.css", "path": "./dist/style.css" }
+    ],
     "subdomain": "my-app"
   }
 
   project_id is required (provision first with 'run402 provision').
   All other fields are optional.
 
+  Files can use either inline "data" or a local "path":
+    { "file": "index.html", "data": "<html>...</html>" }   ← inline content
+    { "file": "style.css",  "path": "./dist/style.css" }   ← read from disk
+  Paths are resolved relative to the manifest file's directory.
+  Binary files (images, fonts, etc.) are auto-detected and base64-encoded.
+
   RLS templates:
     user_owns_rows   — users see only their rows (requires owner_column per table)
     public_read      — anyone reads, authenticated users write
@@ -70,7 +81,9 @@ export async function run(args) {
     if (args[i] === "--project" && args[i + 1]) opts.project = args[++i];
   }
 
-  const manifest = opts.manifest ? JSON.parse(readFileSync(opts.manifest, "utf-8")) : JSON.parse(await readStdin());
+  const raw = opts.manifest ? readFileSync(opts.manifest, "utf-8") : await readStdin();
+  const manifest = JSON.parse(raw);
+  if (opts.manifest) resolveFilePathsInManifest(manifest, dirname(resolve(opts.manifest)));
 
   // --project flag overrides manifest's project_id
   if (opts.project) manifest.project_id = opts.project;

cli/lib/manifest.mjs

@@ -0,0 +1,45 @@
+import { readFileSync } from "fs";
+import { resolve, extname } from "path";
+
+const TEXT_EXTS = new Set([
+  ".html", ".htm", ".css", ".js", ".mjs", ".cjs", ".ts", ".tsx", ".jsx",
+  ".json", ".svg", ".xml", ".txt", ".md", ".yaml", ".yml", ".toml", ".csv",
+]);
+
+/**
+ * Resolve `path` fields in a manifest's files array.
+ *
+ * For each entry that has `path` instead of `data`, reads the file from disk
+ * and sets `data` + `encoding`. Paths are resolved relative to `baseDir`.
+ *
+ * Entries with `data` already set are left untouched.
+ *
+ * @param {object} manifest  Parsed manifest JSON (mutated in place)
+ * @param {string} baseDir   Directory to resolve relative paths from
+ * @returns {object}         The same manifest object
+ */
+export function resolveFilePathsInManifest(manifest, baseDir) {
+  if (!Array.isArray(manifest.files)) return manifest;
+
+  for (const entry of manifest.files) {
+    if (!entry.path || entry.data !== undefined) continue;
+
+    const abs = resolve(baseDir, entry.path);
+    const ext = extname(abs).toLowerCase();
+    const isText = TEXT_EXTS.has(ext);
+
+    if (isText) {
+      entry.data = readFileSync(abs, "utf-8");
+    } else {
+      entry.data = readFileSync(abs).toString("base64");
+      entry.encoding = "base64";
+    }
+
+    // If no explicit file (deploy target name), use the path value
+    if (!entry.file) entry.file = entry.path;
+
+    delete entry.path;
+  }
+
+  return manifest;
+}

cli/lib/manifest.test.mjs

@@ -0,0 +1,90 @@
+import { describe, it, before, after } from "node:test";
+import assert from "node:assert/strict";
+import { mkdtempSync, writeFileSync, rmSync } from "node:fs";
+import { join } from "node:path";
+import { tmpdir } from "node:os";
+import { resolveFilePathsInManifest } from "./manifest.mjs";
+
+let tempDir;
+
+before(() => {
+  tempDir = mkdtempSync(join(tmpdir(), "manifest-test-"));
+  // Create test files
+  writeFileSync(join(tempDir, "index.html"), "<!DOCTYPE html><html><body>Hello</body></html>");
+  writeFileSync(join(tempDir, "style.css"), "body { margin: 0; }");
+  writeFileSync(join(tempDir, "logo.png"), Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a])); // PNG header
+});
+
+after(() => {
+  rmSync(tempDir, { recursive: true, force: true });
+});
+
+describe("resolveFilePathsInManifest", () => {
+  it("resolves path to inline data for text files", () => {
+    const manifest = {
+      files: [{ file: "index.html", path: "index.html" }],
+    };
+    resolveFilePathsInManifest(manifest, tempDir);
+    assert.equal(manifest.files[0].data, "<!DOCTYPE html><html><body>Hello</body></html>");
+    assert.equal(manifest.files[0].path, undefined, "path field should be removed");
+    assert.equal(manifest.files[0].encoding, undefined, "text files should not set encoding");
+  });
+
+  it("auto-detects binary files and base64-encodes them", () => {
+    const manifest = {
+      files: [{ file: "logo.png", path: "logo.png" }],
+    };
+    resolveFilePathsInManifest(manifest, tempDir);
+    assert.equal(manifest.files[0].encoding, "base64");
+    // Verify it's valid base64 that decodes to our PNG header
+    const buf = Buffer.from(manifest.files[0].data, "base64");
+    assert.equal(buf[0], 0x89);
+    assert.equal(buf[1], 0x50); // 'P'
+  });
+
+  it("leaves entries with existing data untouched", () => {
+    const manifest = {
+      files: [{ file: "index.html", data: "<h1>inline</h1>" }],
+    };
+    resolveFilePathsInManifest(manifest, tempDir);
+    assert.equal(manifest.files[0].data, "<h1>inline</h1>");
+  });
+
+  it("mixes path and data entries", () => {
+    const manifest = {
+      files: [
+        { file: "index.html", data: "<h1>inline</h1>" },
+        { file: "style.css", path: "style.css" },
+      ],
+    };
+    resolveFilePathsInManifest(manifest, tempDir);
+    assert.equal(manifest.files[0].data, "<h1>inline</h1>");
+    assert.equal(manifest.files[1].data, "body { margin: 0; }");
+    assert.equal(manifest.files[1].path, undefined);
+  });
+
+  it("uses path as file name when file is omitted", () => {
+    const manifest = {
+      files: [{ path: "style.css" }],
+    };
+    resolveFilePathsInManifest(manifest, tempDir);
+    assert.equal(manifest.files[0].file, "style.css");
+    assert.equal(manifest.files[0].data, "body { margin: 0; }");
+  });
+
+  it("handles manifest with no files array", () => {
+    const manifest = { migrations: "CREATE TABLE t (id int)" };
+    resolveFilePathsInManifest(manifest, tempDir);
+    assert.equal(manifest.files, undefined, "should not add a files array");
+  });
+
+  it("throws on missing file", () => {
+    const manifest = {
+      files: [{ file: "missing.html", path: "does-not-exist.html" }],
+    };
+    assert.throws(
+      () => resolveFilePathsInManifest(manifest, tempDir),
+      /ENOENT/,
+    );
+  });
+});

cli/lib/projects.mjs

@@ -16,7 +16,8 @@ Subcommands:
   usage <id>                              Show compute/storage usage for a project
   schema <id>                             Inspect the database schema
   rls   <id> <template> <tables_json>     Apply Row-Level Security policies
-  delete <id>                             Delete a project and remove it from local state
+  delete <id>                             Delete a project and remove it from local state${process.env.RUN402_ADMIN ? `
+  pin   <id>                              [admin] Pin a project (prevents expiry/GC)` : ""}
 
 Examples:
   run402 projects quote
@@ -142,6 +143,25 @@ async function use(projectId) {
   console.log(JSON.stringify({ status: "ok", active_project_id: projectId }));
 }
 
+async function pin(projectId) {
+  if (!projectId) { console.error(JSON.stringify({ status: "error", message: "Usage: run402 projects pin <project_id>" })); process.exit(1); }
+  const authHeaders = allowanceAuthHeaders(`/projects/v1/admin/${projectId}/pin`);
+  const res = await fetch(`${API}/projects/v1/admin/${projectId}/pin`, {
+    method: "POST",
+    headers: { ...authHeaders },
+  });
+  const data = await res.json();
+  if (!res.ok) {
+    if (res.status === 403 && data.admin_required) {
+      console.error(JSON.stringify({ status: "error", message: "This command requires admin access." }));
+    } else {
+      console.error(JSON.stringify({ status: "error", http: res.status, ...data }));
+    }
+    process.exit(1);
+  }
+  console.log(JSON.stringify(data, null, 2));
+}
+
 async function deleteProject(projectId) {
   const p = findProject(projectId);
   const res = await fetch(`${API}/projects/v1/${projectId}`, { method: "DELETE", headers: { "Authorization": `Bearer ${p.service_key}` } });
@@ -171,6 +191,7 @@ export async function run(sub, args) {
     case "schema":    await schema(args[0]); break;
     case "rls":       await rls(args[0], args[1], args[2]); break;
     case "delete":    await deleteProject(args[0]); break;
+    case "pin":       await pin(args[0]); break;
     default:
       console.error(`Unknown subcommand: ${sub}\n`);
       console.log(HELP);

cli/lib/sites.mjs

@@ -1,5 +1,7 @@
 import { readFileSync } from "fs";
+import { dirname, resolve } from "path";
 import { API, allowanceAuthHeaders, resolveProjectId, updateProject } from "./config.mjs";
+import { resolveFilePathsInManifest } from "./manifest.mjs";
 
 const HELP = `run402 sites — Deploy and manage static sites
 
@@ -22,10 +24,16 @@ Manifest format (JSON):
   {
     "files": [
       { "file": "index.html", "data": "<html>...</html>" },
-      { "file": "style.css", "data": "body { margin: 0; }" }
+      { "file": "style.css", "path": "./dist/style.css" }
     ]
   }
 
+  Files can use either inline "data" or a local "path":
+    { "file": "index.html", "data": "<html>...</html>" }   ← inline content
+    { "file": "style.css",  "path": "./dist/style.css" }   ← read from disk
+  Paths are resolved relative to the manifest file's directory.
+  Binary files (images, fonts, etc.) are auto-detected and base64-encoded.
+
 Examples:
   run402 sites deploy --manifest site.json
   run402 sites status dpl_abc123
@@ -51,7 +59,9 @@ async function deploy(args) {
     if (args[i] === "--target" && args[i + 1]) opts.target = args[++i];
   }
   const projectId = resolveProjectId(opts.project);
-  const manifest = opts.manifest ? JSON.parse(readFileSync(opts.manifest, "utf-8")) : JSON.parse(await readStdin());
+  const raw = opts.manifest ? readFileSync(opts.manifest, "utf-8") : await readStdin();
+  const manifest = JSON.parse(raw);
+  if (opts.manifest) resolveFilePathsInManifest(manifest, dirname(resolve(opts.manifest)));
   const body = { files: manifest.files, project: projectId };
   if (opts.target) body.target = opts.target;
 

src/errors.ts

@@ -63,9 +63,13 @@ export function formatApiError(
       );
       break;
     case 403:
-      lines.push(
-        `\nNext step: The project lease may have expired. Use \`get_usage\` to check status, or \`set_tier\` to renew the lease.`,
-      );
+      if (body && body.admin_required) {
+        lines.push(`\nThis command requires admin access.`);
+      } else {
+        lines.push(
+          `\nNext step: The project lease may have expired. Use \`get_usage\` to check status, or \`set_tier\` to renew the lease.`,
+        );
+      }
       break;
     case 404:
       lines.push(

src/index.ts

@@ -43,6 +43,7 @@ import { deleteSecretSchema, handleDeleteSecret } from "./tools/delete-secret.js
 // New tools — subdomains & projects
 import { listSubdomainsSchema, handleListSubdomains } from "./tools/list-subdomains.js";
 import { archiveProjectSchema, handleArchiveProject } from "./tools/archive-project.js";
+import { pinProjectSchema, handlePinProject } from "./tools/pin-project.js";
 
 // New tools — billing
 import { checkBalanceSchema, handleCheckBalance } from "./tools/check-balance.js";
@@ -302,6 +303,15 @@ server.tool(
   async (args) => handleArchiveProject(args),
 );
 
+// ─── Admin tools ─────────────────────────────────────────────────────────────
+
+server.tool(
+  "pin_project",
+  "Pin a project so it is not garbage-collected or expired. Requires admin access.",
+  pinProjectSchema,
+  async (args) => handlePinProject(args),
+);
+
 // ─── Billing & allowance tools ───────────────────────────────────────────────
 
 server.tool(

src/tools/pin-project.ts

@@ -0,0 +1,33 @@
+import { z } from "zod";
+import { apiRequest } from "../client.js";
+import { formatApiError } from "../errors.js";
+import { requireAllowanceAuth } from "../allowance-auth.js";
+
+export const pinProjectSchema = {
+  project_id: z.string().describe("The project ID to pin"),
+};
+
+export async function handlePinProject(
+  args: { project_id: string },
+): Promise<{ content: Array<{ type: "text"; text: string }>; isError?: boolean }> {
+  const auth = requireAllowanceAuth(`/projects/v1/admin/${args.project_id}/pin`);
+  if ("error" in auth) return auth.error;
+
+  const res = await apiRequest(`/projects/v1/admin/${args.project_id}/pin`, {
+    method: "POST",
+    headers: { ...auth.headers },
+  });
+
+  if (!res.ok) return formatApiError(res, "pinning project");
+
+  const body = res.body as { status: string; project_id: string; message?: string };
+
+  return {
+    content: [
+      {
+        type: "text",
+        text: `Project \`${args.project_id}\` pinned successfully.${body.message ? ` ${body.message}` : ""}`,
+      },
+    ],
+  };
+}

sync.test.ts

@@ -213,6 +213,9 @@ const SURFACE: Capability[] = [
   { id: "delete_version",    endpoint: "DELETE /projects/v1/admin/:id/versions/:version_id", mcp: "delete_version", cli: "apps:delete", openclaw: "apps:delete" },
   { id: "get_app",           endpoint: "GET /apps/v1/:version_id",          mcp: "get_app",             cli: "apps:inspect",     openclaw: "apps:inspect" },
 
+  // ── Admin ──────────────────────────────────────────────────────────────
+  { id: "pin_project",     endpoint: "POST /projects/v1/admin/:id/pin",    mcp: "pin_project",      cli: "projects:pin",     openclaw: "projects:pin" },
+
   // ── Tier management ────────────────────────────────────────────────────
   { id: "tier_status",       endpoint: "GET /tiers/v1/status",             mcp: "tier_status",      cli: "tier:status",      openclaw: "tier:status" },