chore: bump @run402/functions to v2.2.1

Fix ai.generateImage() calling wrong gateway path (/ai/v1/generate-image
→ /generate-image/v1). Add unit tests for translate, moderate, email,
and assets that pin every gateway path so endpoint mismatches are caught
immediately. Add fullstack integration test coverage for all five
previously untested @run402/functions helpers.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: MajorTal

fullstack-integration.test.ts

@@ -33,6 +33,7 @@ const API =
   process.env.RUN402_API_BASE ??
   "https://api.run402.com";
 const EMAIL_TO = process.env.RUN402_FULLSTACK_EMAIL_TO;
+const EMAIL_TEMPLATE = process.env.RUN402_FULLSTACK_EMAIL_TEMPLATE;
 const RUN_ID = `${Date.now().toString(36)}-${Math.random().toString(36).slice(2, 8)}`;
 const SUBDOMAIN = `fs-${RUN_ID}`;
 const TEST_SECRET_VALUE = `fullstack-secret-${RUN_ID}`;
@@ -662,6 +663,16 @@ describe("Run402 full-stack integration (live API, no mocks)", { timeout: 900_00
 
     const options = await fetch(`${routeBase}/api/fullstack`, { method: "OPTIONS" });
     assert.equal(options.status, 204);
+
+    // Gap 3: adminDb().from() — PostgREST /admin/v1/rest/* bypass path
+    const adminFrom = await directFunctionJson({
+      headers: apiHeaders("service"),
+      body: { action: "admin-db-from" },
+    });
+    assert.equal(adminFrom.ok, true);
+    const adminFromRows = rowsFromSql(adminFrom.rows);
+    assert.ok(adminFromRows.length > 0, "adminDb().from() should return seeded rows");
+    assert.ok(adminFromRows.some((row) => row.marker === "RUN402_FULLSTACK_SEED_ALPHA"), "adminDb().from() should see rows bypassing RLS");
   });
 
   it("uploads blobs, diagnoses CDN state, and exercises in-function storage", async () => {
@@ -747,6 +758,58 @@ describe("Run402 full-stack integration (live API, no mocks)", { timeout: 900_00
     } else {
       assert.ok(aiResult.reason);
     }
+
+    // Gap 1: ai.translate() — /ai/v1/translate
+    const translateResult = await directFunctionJson({
+      headers: apiHeaders("service"),
+      body: { action: "ai-translate" },
+    });
+    assert.ok(["ok", "skipped"].includes(String(translateResult.status)));
+    if (translateResult.status === "ok") {
+      assert.equal(translateResult.to, "es");
+      assert.equal(translateResult.has_text, true);
+    } else {
+      assert.ok(translateResult.reason);
+    }
+
+    // Gap 2: ai.generateImage() — /generate-image/v1
+    const generateImageResult = await directFunctionJson({
+      headers: apiHeaders("service"),
+      body: { action: "ai-generate-image" },
+    });
+    assert.ok(["ok", "skipped"].includes(String(generateImageResult.status)));
+    if (generateImageResult.status === "ok") {
+      assert.equal(generateImageResult.aspect, "square");
+      assert.equal(generateImageResult.has_image, true);
+      assert.ok(String(generateImageResult.content_type).startsWith("image/"));
+    } else {
+      assert.ok(generateImageResult.reason);
+    }
+
+    // Gap 4: email.send() with template — /mailboxes/v1/:id/messages with template body
+    const emailTemplateResult = await directFunctionJson({
+      headers: apiHeaders("service"),
+      body: { action: "email-template" },
+    });
+    if (EMAIL_TO && EMAIL_TEMPLATE) {
+      assert.equal(emailTemplateResult.status, "sent");
+      assert.ok(emailTemplateResult.id);
+    } else {
+      assert.equal(emailTemplateResult.status, "skipped");
+    }
+
+    // Gap 5: routedHttp helpers — callable in function runtime, produce correct RoutedHttpResponseV1 shape
+    const routedHttpResult = await directFunctionJson({
+      headers: apiHeaders("service"),
+      body: { action: "routedhttp" },
+    });
+    assert.equal(routedHttpResult.ok, true);
+    assert.equal((routedHttpResult.json as any)?.contentType, "application/json; charset=utf-8");
+    assert.equal((routedHttpResult.json as any)?.status, 200);
+    assert.ok(((routedHttpResult.json as any)?.bodySize ?? 0) > 0);
+    assert.equal((routedHttpResult.text as any)?.contentType, "text/plain; charset=utf-8");
+    assert.equal((routedHttpResult.text as any)?.status, 200);
+    assert.equal((routedHttpResult.bytes as any)?.bodySize, 3);
   });
 
   it("fetches active and by-id release inventories with full-stack resource metadata", async () => {

functions/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@run402/functions",
-  "version": "2.2.0",
+  "version": "2.2.1",
   "description": "In-function helper library for Run402 serverless functions — db, adminDb, getUser, email, ai, assets. Auto-bundled into deployed functions; also installable for local TypeScript autocomplete.",
   "type": "module",
   "main": "dist/index.js",
@@ -18,7 +18,7 @@
   ],
   "scripts": {
     "build": "tsc",
-    "test": "node --experimental-test-module-mocks --test --import tsx src/db.test.ts src/auth.test.ts src/ai.test.ts src/routed-http.test.ts"
+    "test": "node --experimental-test-module-mocks --test --import tsx src/db.test.ts src/auth.test.ts src/ai.test.ts src/email.test.ts src/assets.test.ts src/routed-http.test.ts"
   },
   "engines": {
     "node": ">=18"

functions/src/ai.test.ts

@@ -13,6 +13,91 @@ mock.module("./config.js", {
 
 const { ai } = await import("./ai.js");
 
+describe("ai.translate", () => {
+  let lastFetchUrl = "";
+  let lastFetchOpts: RequestInit = {};
+
+  beforeEach(() => {
+    lastFetchUrl = "";
+    lastFetchOpts = {};
+    mock.method(globalThis, "fetch", async (url: string, opts: RequestInit) => {
+      lastFetchUrl = url;
+      lastFetchOpts = opts;
+      return new Response(JSON.stringify({ text: "Hola mundo", from: "en", to: "es" }), {
+        status: 200,
+        headers: { "Content-Type": "application/json" },
+      });
+    });
+  });
+
+  it("posts to /ai/v1/translate with service credentials", async () => {
+    const result = await ai.translate("Hello world", "es", { from: "en", context: "greeting" });
+
+    assert.equal(lastFetchUrl, "https://test.run402.com/ai/v1/translate");
+    assert.equal(lastFetchOpts.method, "POST");
+    const headers = lastFetchOpts.headers as Record<string, string>;
+    assert.equal(headers.Authorization, "Bearer sk_test");
+    assert.equal(headers["Content-Type"], "application/json");
+    assert.deepEqual(JSON.parse(lastFetchOpts.body as string), {
+      text: "Hello world",
+      to: "es",
+      from: "en",
+      context: "greeting",
+    });
+    assert.deepEqual(result, { text: "Hola mundo", from: "en", to: "es" });
+  });
+
+  it("omits optional from/context when not provided", async () => {
+    await ai.translate("Hello", "fr");
+    assert.deepEqual(JSON.parse(lastFetchOpts.body as string), { text: "Hello", to: "fr" });
+  });
+
+  it("throws on non-ok response", async () => {
+    mock.method(globalThis, "fetch", async () =>
+      new Response(JSON.stringify({ error: "quota exceeded" }), { status: 429 }),
+    );
+    await assert.rejects(
+      async () => { await ai.translate("x", "es"); },
+      /Translation failed \(429\)/,
+    );
+  });
+});
+
+describe("ai.moderate", () => {
+  it("posts to /ai/v1/moderate with service credentials", async () => {
+    let lastFetchUrl = "";
+    let lastFetchOpts: RequestInit = {};
+    mock.method(globalThis, "fetch", async (url: string, opts: RequestInit) => {
+      lastFetchUrl = url;
+      lastFetchOpts = opts;
+      return new Response(JSON.stringify({ flagged: false, categories: {} }), {
+        status: 200,
+        headers: { "Content-Type": "application/json" },
+      });
+    });
+
+    const result = await ai.moderate("some text to check");
+
+    assert.equal(lastFetchUrl, "https://test.run402.com/ai/v1/moderate");
+    assert.equal(lastFetchOpts.method, "POST");
+    const headers = lastFetchOpts.headers as Record<string, string>;
+    assert.equal(headers.Authorization, "Bearer sk_test");
+    assert.equal(headers["Content-Type"], "application/json");
+    assert.deepEqual(JSON.parse(lastFetchOpts.body as string), { text: "some text to check" });
+    assert.deepEqual(result, { flagged: false, categories: {} });
+  });
+
+  it("throws on non-ok response", async () => {
+    mock.method(globalThis, "fetch", async () =>
+      new Response(JSON.stringify({ error: "rate limited" }), { status: 429 }),
+    );
+    await assert.rejects(
+      async () => { await ai.moderate("x"); },
+      /Moderation failed \(429\)/,
+    );
+  });
+});
+
 describe("ai.generateImage", () => {
   let lastFetchUrl = "";
   let lastFetchOpts: RequestInit = {};
@@ -40,7 +125,7 @@ describe("ai.generateImage", () => {
       aspect: "landscape",
     });
 
-    assert.equal(lastFetchUrl, "https://test.run402.com/ai/v1/generate-image");
+    assert.equal(lastFetchUrl, "https://test.run402.com/generate-image/v1");
     assert.equal(lastFetchOpts.method, "POST");
     const headers = lastFetchOpts.headers as Record<string, string>;
     assert.equal(headers.Authorization, "Bearer sk_test");

functions/src/ai.ts

@@ -113,7 +113,7 @@ export const ai = {
       throw new Error("Invalid image aspect: must be square, landscape, or portrait");
     }
 
-    const res = await fetch(config.API_BASE + "/ai/v1/generate-image", {
+    const res = await fetch(config.API_BASE + "/generate-image/v1", {
       method: "POST",
       headers: {
         Authorization: "Bearer " + config.SERVICE_KEY,

functions/src/assets.test.ts

@@ -0,0 +1,162 @@
+import { describe, it, mock, beforeEach } from "node:test";
+import assert from "node:assert/strict";
+
+mock.module("./config.js", {
+  namedExports: {
+    config: {
+      API_BASE: "https://test.run402.com",
+      PROJECT_ID: "prj_test",
+      SERVICE_KEY: "sk_test",
+    },
+  },
+});
+
+const { assets } = await import("./assets.js");
+
+const STUB_REF = {
+  key: "images/avatar.png",
+  sha256: "abc123",
+  size_bytes: 4,
+  content_type: "image/png",
+  visibility: "public",
+  immutable: true,
+  url: "https://cdn.run402.com/images/avatar.png",
+  immutable_url: "https://cdn.run402.com/images/avatar.png@abc123",
+  cdn_url: null,
+  cdn_immutable_url: null,
+  sri: null,
+  etag: "abc123",
+  content_digest: "sha256-abc123",
+};
+
+describe("assets.put — gateway path and auth", () => {
+  let capturedUrl = "";
+  let capturedOpts: RequestInit = {};
+
+  beforeEach(() => {
+    capturedUrl = "";
+    capturedOpts = {};
+    mock.method(globalThis, "fetch", async (url: string, opts: RequestInit) => {
+      capturedUrl = url;
+      capturedOpts = opts;
+      return new Response(JSON.stringify(STUB_REF), {
+        status: 200,
+        headers: { "Content-Type": "application/json" },
+      });
+    });
+  });
+
+  it("posts to /apply/v1/service-asset-put with service credentials", async () => {
+    await assets.put("images/avatar.png", new Uint8Array([1, 2, 3, 4]));
+
+    assert.equal(capturedUrl, "https://test.run402.com/apply/v1/service-asset-put");
+    assert.equal(capturedOpts.method, "POST");
+    const headers = capturedOpts.headers as Record<string, string>;
+    assert.equal(headers.Authorization, "Bearer sk_test");
+  });
+
+  it("sets x-run402-asset-key header to the key argument", async () => {
+    await assets.put("images/avatar.png", new Uint8Array([1, 2, 3, 4]));
+
+    const headers = capturedOpts.headers as Record<string, string>;
+    assert.equal(headers["x-run402-asset-key"], "images/avatar.png");
+  });
+
+  it("defaults visibility to public and immutable to true", async () => {
+    await assets.put("images/avatar.png", new Uint8Array([1, 2, 3, 4]));
+
+    const headers = capturedOpts.headers as Record<string, string>;
+    assert.equal(headers["x-run402-asset-visibility"], "public");
+    assert.equal(headers["x-run402-asset-immutable"], "true");
+  });
+
+  it("forwards explicit visibility and immutable options", async () => {
+    await assets.put("data/secret.bin", new Uint8Array([1, 2, 3, 4]), {
+      visibility: "private",
+      immutable: false,
+    });
+
+    const headers = capturedOpts.headers as Record<string, string>;
+    assert.equal(headers["x-run402-asset-visibility"], "private");
+    assert.equal(headers["x-run402-asset-immutable"], "false");
+  });
+
+  it("guesses Content-Type from key extension", async () => {
+    await assets.put("styles/main.css", new Uint8Array([46, 99, 108, 115]));
+
+    const headers = capturedOpts.headers as Record<string, string>;
+    assert.equal(headers["Content-Type"], "text/css; charset=utf-8");
+  });
+
+  it("uses explicit contentType option over guessed extension", async () => {
+    await assets.put("data/blob", new Uint8Array([1, 2, 3, 4]), {
+      contentType: "application/msgpack",
+    });
+
+    const headers = capturedOpts.headers as Record<string, string>;
+    assert.equal(headers["Content-Type"], "application/msgpack");
+  });
+
+  it("sends raw binary body (not JSON)", async () => {
+    const bytes = new Uint8Array([10, 20, 30]);
+    await assets.put("file.bin", bytes);
+
+    assert.ok(capturedOpts.body instanceof ArrayBuffer, "body must be ArrayBuffer (binary)");
+    assert.notEqual(typeof capturedOpts.body, "string", "body must not be stringified");
+  });
+
+  it("accepts a string source — encodes to UTF-8 bytes", async () => {
+    await assets.put("hello.txt", "hello");
+
+    assert.ok(capturedOpts.body instanceof ArrayBuffer);
+    const decoded = new TextDecoder().decode(capturedOpts.body as ArrayBuffer);
+    assert.equal(decoded, "hello");
+  });
+
+  it("returns a widened AssetRef with camelCase aliases", async () => {
+    const ref = await assets.put("images/avatar.png", new Uint8Array([1, 2, 3, 4]));
+
+    assert.equal(ref.key, "images/avatar.png");
+    assert.equal(ref.immutableUrl, STUB_REF.immutable_url);
+    assert.equal(ref.contentType, STUB_REF.content_type);
+    assert.equal(ref.size, STUB_REF.size_bytes);
+    assert.equal(ref.contentSha256, STUB_REF.sha256);
+  });
+});
+
+describe("assets.put — validation", () => {
+  it("throws for empty key", async () => {
+    await assert.rejects(
+      async () => { await assets.put("", new Uint8Array([1])); },
+      /key must be a non-empty string/,
+    );
+  });
+
+  it("throws for empty source bytes", async () => {
+    await assert.rejects(
+      async () => { await assets.put("file.bin", new Uint8Array([])); },
+      /bytes must be non-empty/,
+    );
+  });
+
+  it("throws for object source with both content and bytes", async () => {
+    await assert.rejects(
+      async () => {
+        await assets.put("f.bin", { content: "hi", bytes: new Uint8Array([1]) });
+      },
+      /provide exactly one of/,
+    );
+  });
+
+  it("throws on non-ok response and preserves error detail", async () => {
+    mock.method(globalThis, "fetch", async () =>
+      new Response(JSON.stringify({ code: "STORAGE_QUOTA_EXCEEDED", message: "over limit" }), {
+        status: 402,
+      }),
+    );
+    await assert.rejects(
+      async () => { await assets.put("f.bin", new Uint8Array([1])); },
+      /Asset put failed \(402\): STORAGE_QUOTA_EXCEEDED: over limit/,
+    );
+  });
+});