@primitivedotdev/cli 0.26.1 → 0.26.3

package/dist/oclif/commands/functions-deploy.js

@@ -1,302 +0,0 @@
-import { Command, Flags } from "@oclif/core";
-import { createFunction, PrimitiveApiClient, setFunctionSecret, updateFunction, } from "@primitivedotdev/sdk/api";
-import { extractErrorPayload, readTextFileFlag, removeStaleSavedCredentialOnUnauthorized, runWithTiming, TIME_FLAG_DESCRIPTION, writeErrorWithHints, } from "../api-command.js";
-import { resolveCliAuth } from "../auth.js";
-import { emitRawSendMailFetchWarning } from "../lint/raw-send-mail-fetch.js";
-import { parseSecretFlags, SECRET_FLAG_SECURITY_NOTE, } from "../secret-flags.js";
-// Pure-ish orchestration of create + (optional secrets + redeploy).
-// Mirrors runSetSecret in functions-set-secret.ts so the failure
-// stages map directly onto stderr hints in run() below. Pulled out
-// as a named export so the unit test can drive every branch with a
-// fake DeployApiSurface, without spinning up a real client or the
-// oclif command lifecycle.
-export async function runDeployWithSecrets(api, params) {
-    const createResult = await api.createFunction({
-        code: params.code,
-        name: params.name,
-        ...(params.sourceMap !== undefined ? { sourceMap: params.sourceMap } : {}),
-    });
-    if (createResult.error) {
-        return {
-            kind: "error",
-            payload: extractErrorPayload(createResult.error),
-            stage: "create",
-        };
-    }
-    const created = createResult.data?.data;
-    if (!created) {
-        return {
-            kind: "error",
-            payload: {
-                code: "client_error",
-                message: "Create function returned no data",
-            },
-            stage: "create",
-        };
-    }
-    // Fast path: no secrets means no extra round-trips. The naked
-    // create result is exactly what the pre-secrets-flag command
-    // returned, so this branch is byte-identical to the previous
-    // behavior.
-    if (params.secrets.length === 0) {
-        return { kind: "ok", result: { created } };
-    }
-    const writtenSecrets = [];
-    const succeededKeys = [];
-    for (let i = 0; i < params.secrets.length; i++) {
-        const pair = params.secrets[i];
-        // Pre-compute the keys that come AFTER the current pair so a
-        // set-secret failure can surface every key that was never
-        // attempted, not just the one that failed. Without this, a user
-        // following the recovery hint verbatim would re-run set-secret
-        // only for the failed key and silently leave the trailing keys
-        // un-written.
-        const pendingKeys = params.secrets.slice(i + 1).map((p) => p.key);
-        const setResult = await api.setSecret({
-            id: created.id,
-            key: pair.key,
-            value: pair.value,
-        });
-        if (setResult.error) {
-            return {
-                created,
-                failedKey: pair.key,
-                kind: "error",
-                payload: extractErrorPayload(setResult.error),
-                pendingKeys,
-                stage: "set-secret",
-                succeededKeys,
-            };
-        }
-        const secret = setResult.data?.data;
-        if (!secret) {
-            return {
-                created,
-                failedKey: pair.key,
-                kind: "error",
-                payload: {
-                    code: "client_error",
-                    message: "Secret write returned no data",
-                },
-                pendingKeys,
-                stage: "set-secret",
-                succeededKeys,
-            };
-        }
-        writtenSecrets.push(secret);
-        succeededKeys.push(pair.key);
-    }
-    const updateResult = await api.updateFunction({
-        code: params.code,
-        id: created.id,
-        ...(params.sourceMap !== undefined ? { sourceMap: params.sourceMap } : {}),
-    });
-    if (updateResult.error) {
-        return {
-            created,
-            kind: "error",
-            payload: extractErrorPayload(updateResult.error),
-            stage: "redeploy",
-            succeededKeys,
-        };
-    }
-    const redeployed = updateResult.data?.data;
-    if (!redeployed) {
-        return {
-            created,
-            kind: "error",
-            payload: {
-                code: "client_error",
-                message: "Redeploy returned no data",
-            },
-            stage: "redeploy",
-            succeededKeys,
-        };
-    }
-    return {
-        kind: "ok",
-        result: { created, redeploy: redeployed, secrets: writtenSecrets },
-    };
-}
-class FunctionsDeployCommand extends Command {
-    static description = `Deploy a new function from a bundled handler file. Agent-grade shortcut for functions:create-function.
-
-  Reads the bundle off disk (--file) instead of forcing the caller to
-  serialize the source into a JSON body. Use the underlying operation
-  \`functions:create-function\` if you need the full flag surface
-  (raw-body JSON, etc.).
-
-  Pass --secret KEY=VALUE (repeatable) to seed secret bindings in the
-  same command. Keys must match \`^[A-Z_][A-Z0-9_]*$\` (uppercase
-  letters, digits, underscores; first character is a letter or
-  underscore). With one or more --secret flags the deploy fans out to
-  multiple API calls: create-function, set-secret per pair, then a
-  final update-function with the same bundle so the running handler
-  picks up the bindings. If a secret write fails after the create
-  step the function exists with whatever secrets succeeded and the
-  redeploy has NOT fired; re-run \`primitive functions:set-secret\`
-  for the missing keys, then \`primitive functions:redeploy\` to
-  push them live.`;
-    static summary = "Deploy a new function from a bundled handler file";
-    static examples = [
-        "<%= config.bin %> functions:deploy --name forwarder --file ./bundle.js",
-        "<%= config.bin %> functions:deploy --name forwarder --file ./bundle.js --source-map-file ./bundle.js.map",
-        "<%= config.bin %> functions:deploy --name forwarder --file ./bundle.js --secret OPENAI_KEY=sk-... --secret OWNER_EMAIL=me@example.com",
-    ];
-    static flags = {
-        "api-key": Flags.string({
-            description: "Primitive API key (defaults to PRIMITIVE_API_KEY or saved `primitive login` credentials)",
-            env: "PRIMITIVE_API_KEY",
-        }),
-        "api-base-url-1": Flags.string({
-            description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-            env: "PRIMITIVE_API_BASE_URL_1",
-            hidden: true,
-        }),
-        "api-base-url-2": Flags.string({
-            description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
-            env: "PRIMITIVE_API_BASE_URL_2",
-            hidden: true,
-        }),
-        name: Flags.string({
-            description: "Slug-style name. Lowercase letters, digits, hyphens, underscores. 1-64 chars. Must be unique within the org.",
-            required: true,
-        }),
-        file: Flags.string({
-            description: "Path to the bundled ESM handler file (single self-contained module). Loaded as the `code` body field.",
-            required: true,
-        }),
-        "source-map-file": Flags.string({
-            description: "Optional path to a source map for the bundle. Stored only on the runtime side and used to symbolicate stack traces.",
-        }),
-        secret: Flags.string({
-            description: `Secret KEY=VALUE to seed on the deployed function. Repeatable. KEY must match \`^[A-Z_][A-Z0-9_]*$\`; VALUE may contain \`=\` (only the first \`=\` is treated as a delimiter). Each KEY may only appear once per command. Passing one or more --secret flags fans out the deploy to create-function, set-secret per pair, then a final redeploy so the running handler picks up the bindings. ${SECRET_FLAG_SECURITY_NOTE}`,
-            multiple: true,
-        }),
-        time: Flags.boolean({
-            description: TIME_FLAG_DESCRIPTION,
-        }),
-    };
-    async run() {
-        const { flags } = await this.parse(FunctionsDeployCommand);
-        await runWithTiming(flags.time, async () => {
-            // Validate --secret pairs BEFORE any disk read or API call so
-            // a malformed input fails fast with a clear error and zero
-            // side effects. The fast path (no --secret flags) skips this
-            // entirely.
-            const rawSecrets = flags.secret ?? [];
-            const parsedSecrets = parseSecretFlags(rawSecrets);
-            if (parsedSecrets.kind === "error") {
-                process.stderr.write(`${parsedSecrets.message}\n`);
-                process.exitCode = 1;
-                return;
-            }
-            // Reads are inside the timed block so --time captures disk I/O
-            // alongside the API call. A pathological filesystem (NFS, slow
-            // FUSE mount) showing up here is exactly the kind of latency
-            // surprise --time is meant to surface.
-            const code = readTextFileFlag(flags.file, "--file");
-            const sourceMap = flags["source-map-file"]
-                ? readTextFileFlag(flags["source-map-file"], "--source-map-file")
-                : undefined;
-            // Non-blocking deploy-time lint: if the bundle has a raw
-            // fetch(...) call against /send-mail, nudge the author toward
-            // `createPrimitiveClient` from `@primitivedotdev/sdk/api`.
-            // The warning lands on stderr so it never contaminates the
-            // JSON stdout the caller may pipe into jq.
-            emitRawSendMailFetchWarning(code, (chunk) => process.stderr.write(chunk));
-            const baseUrlOverridden = flags["api-base-url-1"] !== undefined ||
-                flags["api-base-url-2"] !== undefined;
-            const auth = resolveCliAuth({
-                apiKey: flags["api-key"],
-                apiBaseUrl1: flags["api-base-url-1"],
-                apiBaseUrl2: flags["api-base-url-2"],
-                configDir: this.config.configDir,
-            });
-            const apiClient = new PrimitiveApiClient({
-                apiKey: auth.apiKey,
-                apiBaseUrl1: auth.apiBaseUrl1,
-                apiBaseUrl2: auth.apiBaseUrl2,
-            });
-            const authFailureContext = {
-                auth,
-                baseUrlOverridden,
-                configDir: this.config.configDir,
-            };
-            // Adapter: thin wrappers around the generated SDK calls,
-            // routed through host 1 (apiClient.client). The function
-            // CRUD and secrets endpoints are not on host 2.
-            const apiSurface = {
-                createFunction: (p) => createFunction({
-                    body: {
-                        code: p.code,
-                        name: p.name,
-                        ...(p.sourceMap !== undefined ? { sourceMap: p.sourceMap } : {}),
-                    },
-                    client: apiClient.client,
-                    responseStyle: "fields",
-                }),
-                setSecret: (p) => setFunctionSecret({
-                    body: { value: p.value },
-                    client: apiClient.client,
-                    path: { id: p.id, key: p.key },
-                    responseStyle: "fields",
-                }),
-                updateFunction: (p) => updateFunction({
-                    body: {
-                        code: p.code,
-                        ...(p.sourceMap !== undefined ? { sourceMap: p.sourceMap } : {}),
-                    },
-                    client: apiClient.client,
-                    path: { id: p.id },
-                    responseStyle: "fields",
-                }),
-            };
-            const outcome = await runDeployWithSecrets(apiSurface, {
-                code,
-                name: flags.name,
-                secrets: parsedSecrets.secrets,
-                ...(sourceMap !== undefined ? { sourceMap } : {}),
-            });
-            if (outcome.kind === "error") {
-                // Stage-specific framing on stderr so callers can tell
-                // whether the function was created before a downstream
-                // failure left it without secrets or without the
-                // redeploy. The JSON envelope still goes through
-                // writeErrorWithHints so any actionable hint (e.g.
-                // unauthorized) is surfaced.
-                if (outcome.stage === "set-secret") {
-                    const succeeded = outcome.succeededKeys.length > 0
-                        ? outcome.succeededKeys.join(", ")
-                        : "(none)";
-                    const pending = outcome.pendingKeys.length > 0
-                        ? outcome.pendingKeys.join(", ")
-                        : "(none)";
-                    const allMissing = [outcome.failedKey, ...outcome.pendingKeys].join(", ");
-                    process.stderr.write(`Function ${outcome.created.name} (${outcome.created.id}) was created, but writing secret ${outcome.failedKey} failed; succeeded keys so far: ${succeeded}; keys not yet attempted: ${pending}. The redeploy is NOT yet live. Re-run \`primitive functions:set-secret\` for each of [${allMissing}], then \`primitive functions:redeploy --id ${outcome.created.id} --file <bundle>\` to push them live.\n`);
-                }
-                else if (outcome.stage === "redeploy") {
-                    const succeeded = outcome.succeededKeys.length > 0
-                        ? outcome.succeededKeys.join(", ")
-                        : "(none)";
-                    process.stderr.write(`Function ${outcome.created.name} (${outcome.created.id}) was created and secrets [${succeeded}] were written, but the final redeploy failed; the new bindings are NOT yet live. Re-run \`primitive functions:redeploy --id ${outcome.created.id} --file <bundle>\` once the cause is fixed.\n`);
-                }
-                writeErrorWithHints(outcome.payload);
-                removeStaleSavedCredentialOnUnauthorized({
-                    ...authFailureContext,
-                    payload: outcome.payload,
-                });
-                process.exitCode = 1;
-                return;
-            }
-            // On the happy path, prefer the redeployed FunctionDetail
-            // (when secrets fired) over the bare CreateFunctionResult,
-            // since the redeploy is the state the user actually
-            // deployed. When no secrets were passed, fall back to the
-            // create payload for byte-identical pre-flag behavior.
-            const payload = outcome.result.redeploy ?? outcome.result.created;
-            this.log(JSON.stringify(payload, null, 2));
-        });
-    }
-}
-export default FunctionsDeployCommand;

package/dist/oclif/commands/functions-init.js

@@ -1,376 +0,0 @@
-import { mkdirSync, rmSync, writeFileSync } from "node:fs";
-import { dirname, resolve } from "node:path";
-import { Args, Command, Errors, Flags } from "@oclif/core";
-// `primitive functions:init <name>` stamps a deployable Function project
-// into ./<name>/ so a new author can go from zero to a deployed handler
-// in two commands: `npm install && npm run build` then
-// `primitive functions:deploy --name <name> --file ./dist/handler.js`.
-//
-// The scaffolded handler imports `createPrimitiveClient` from
-// `@primitivedotdev/sdk/api`, NOT from the package root. The root export
-// pulls in webhook helpers that depend on `node:crypto`, which breaks
-// Workers-style bundles. The `/api` subpath is the runtime-client
-// surface and is the documented import for in-handler use.
-// The SDK version range that ships in the scaffolded package.json's
-// dependencies. Pinned to the current shipped minor with a caret so
-// patch releases of the SDK pick up automatically. Update alongside
-// any minor or major version bump of the SDK; keep in lockstep with
-// the CLI's own @primitivedotdev/sdk dep range in cli-node/package.json
-// so scaffolded projects use the same SDK version the CLI was built
-// and tested against.
-const SDK_VERSION_RANGE = "^0.25.0";
-// The CLI version range that ships in the scaffolded devDependencies.
-// Pinned separately from SDK_VERSION_RANGE because @primitivedotdev/cli
-// and @primitivedotdev/sdk are independent packages on independent
-// release cadences. Coupling them silently breaks `npm install` in
-// every scaffolded project the day we bump one without publishing the
-// other. Must include this CLI's own version: a `primitive
-// functions:init` run from CLI v1.2.3 should scaffold a project that
-// resolves at least v1.2.3, so the user does not silently downgrade
-// the bin under themselves. The lockstep test in functions-init.test.ts
-// enforces that invariant.
-const CLI_VERSION_RANGE = "^0.26.0";
-// esbuild version range. Pinned to the latest stable major used
-// elsewhere in the Primitive codebase for bundling Workers-style
-// handlers. Caret range so patch fixes flow in automatically.
-const ESBUILD_VERSION_RANGE = "^0.27.0";
-// Validate a directory name passed as the positional argument.
-// Matches a conservative slug shape: lowercase letters, digits,
-// hyphens, underscores. Rejecting weirder names up front prevents
-// surprises when the same string lands in package.json's `name`
-// field (which has its own validation rules) or in shell scripts.
-const VALID_NAME = /^[a-z0-9][a-z0-9_-]{0,62}$/;
-export function isValidFunctionName(name) {
-    return VALID_NAME.test(name);
-}
-// File contents for the scaffolded project. Each renderer takes the
-// function name and returns the raw file body. Kept as named exports
-// so the unit test can assert content without having to spin up the
-// oclif command lifecycle.
-export function renderHandler() {
-    return `// env.PRIMITIVE_API_KEY is auto-injected by the Primitive Functions runtime.
-import { createPrimitiveClient } from "@primitivedotdev/sdk/api";
-
-// TODO: replace with your verified sender address. Must be a domain
-// you own or your managed *.primitive.email subdomain. The isLoop
-// guard below compares incoming mail against this value (in addition
-// to the *.primitive.email suffix) so the handler does not reply to
-// its own outbound traffic when REPLY_FROM is on a non-managed
-// domain.
-const REPLY_FROM = "you@your-domain.primitive.email";
-
-interface EmailReceivedEvent {
-  event: string;
-  email: {
-    headers: { from?: string; to?: string; subject?: string };
-  };
-}
-
-// Loop protection. A deployed Function receives catch-all inbound for
-// the managed *.primitive.email subdomain, which includes bounces and
-// auto-replies generated by its own outbound traffic. Without this
-// guard the handler can respond to its own bounces and create a
-// fan-out loop.
-//
-// The default check returns true when From is on any *.primitive.email
-// address (covers the managed subdomain catch-all, the simple
-// self-reply case, and bounces from mailer-daemon@*.primitive.email)
-// or when From contains REPLY_FROM as a case-insensitive substring.
-// Substring matching is deliberate so display-name forms like
-// "Support <support@example.com>" match a bare-address REPLY_FROM,
-// but it also accepts false positives where REPLY_FROM is a suffix
-// of another address (e.g. REPLY_FROM="info@x.com" matches
-// "mr.info@x.com"). For strict equality, parse the address out of the
-// header and exact-match against REPLY_FROM.
-//
-// Extend this helper if you need stricter detection. Common additions:
-//   - Match the org's signup / account-owner email (not auto-injected
-//     into env today; either bake it into a SIGNUP_EMAIL const or read
-//     it from a secret you set via \`primitive functions:set-secret\`).
-//   - Honor RFC 3834 auto-response headers: skip when
-//     \`event.email.headers["auto-submitted"]\` is anything other than
-//     "no", or when a \`List-Unsubscribe\` / \`Precedence: bulk\` header
-//     is present.
-//   - Track Message-ID / In-Reply-To chains to break ping-pong loops
-//     between two cooperating handlers on different domains.
-export function isLoop(event: EmailReceivedEvent): boolean {
-  // event.email.headers.from is the raw RFC 2822 header value, so it
-  // may be a bare address ("alice@example.com") or a display-name form
-  // ("Alice <alice@example.com>"). Lowercase substring checks match
-  // both shapes without needing to parse the bracketed address.
-  const from = event.email.headers.from?.toLowerCase() ?? "";
-  if (!from) return false;
-  if (from.includes(".primitive.email")) return true;
-  if (from.includes(REPLY_FROM.toLowerCase())) return true;
-  return false;
-}
-
-export default {
-  async fetch(
-    req: Request,
-    env: { PRIMITIVE_API_KEY: string },
-  ): Promise<Response> {
-    try {
-      const event = (await req.json()) as EmailReceivedEvent;
-
-      // Only "email.received" exists today. Future event types will
-      // arrive with a different discriminator; return 2xx so the
-      // delivery loop does not burn its retry budget on payloads you
-      // intentionally skipped.
-      if (event.event !== "email.received") {
-        return Response.json({ ok: true, skipped: event.event });
-      }
-
-      // Loop protection runs immediately after the event-type check
-      // (the gateway has already HMAC-verified the request before it
-      // reaches this handler). See isLoop above for what's covered and
-      // how to extend it.
-      if (isLoop(event)) {
-        return Response.json({ ok: true, skipped: "loop" });
-      }
-
-      const client = createPrimitiveClient({ apiKey: env.PRIMITIVE_API_KEY });
-
-      // Recipient gate
-      // https://www.primitive.dev/docs/sending#who-you-can-send-to
-      // New accounts can send to *.primitive.email addresses,
-      // verified domains, addresses that have authenticated to you,
-      // and other org-member signup emails. Sends to arbitrary
-      // external addresses return 403 recipient_not_allowed with a
-      // structured gates[] array until the recipient has authenticated
-      // to you or support has enabled the gate.
-
-      // Recipient routing: a single function can handle multiple inbound
-      // addresses by branching on event.email.headers.to. For example,
-      // route "support@" to a ticketing flow and "sales@" to a lead
-      // capture flow before calling client.send.
-      const reply = await client.send({
-        from: REPLY_FROM,
-        to: event.email.headers.from ?? REPLY_FROM,
-        subject: \`Re: \${event.email.headers.subject ?? ""}\`,
-        bodyText: "Got your message.",
-      });
-
-      return Response.json({ ok: true, reply });
-    } catch (err) {
-      // Return 2xx so the webhook delivery loop does not retry a bug
-      // it cannot fix. The function-invocation row still records the
-      // error body for debugging. Flip to a 5xx status if you want
-      // transient failures retried (e.g. a flaky external API you call).
-      console.error("handler error:", err);
-      return Response.json(
-        { ok: false, error: err instanceof Error ? err.message : String(err) },
-        { status: 200 },
-      );
-    }
-  },
-};
-`;
-}
-export function renderPackageJson(name) {
-    const pkg = {
-        name,
-        version: "0.1.0",
-        private: true,
-        type: "module",
-        scripts: {
-            build: "node build.mjs",
-            deploy: `npm run build && primitive functions:deploy --name ${name} --file ./dist/handler.js`,
-            redeploy: "npm run build && primitive functions:redeploy --id $PRIMITIVE_FUNCTION_ID --file ./dist/handler.js",
-        },
-        dependencies: {
-            "@primitivedotdev/sdk": SDK_VERSION_RANGE,
-        },
-        devDependencies: {
-            // @primitivedotdev/cli ships the primitive bin. Including it as
-            // a devDep here means `node_modules/.bin/primitive` resolves to
-            // the real CLI inside the scaffolded project; otherwise the
-            // bin falls through to @primitivedotdev/sdk's deprecated CLI
-            // alias and every `npm run deploy` invocation prints the
-            // "CLI moved" stderr banner. Pinned via CLI_VERSION_RANGE, a
-            // dedicated constant so the version is decoupled from the SDK
-            // range and bumps are explicit on both ends.
-            "@primitivedotdev/cli": CLI_VERSION_RANGE,
-            esbuild: ESBUILD_VERSION_RANGE,
-            typescript: "^5.7.2",
-        },
-    };
-    return `${JSON.stringify(pkg, null, 2)}\n`;
-}
-export function renderBuildMjs() {
-    return `import { build } from "esbuild";
-
-// Bundle handler.ts into a single ESM file suitable for the Primitive
-// Functions runtime. The runtime is a Workers-style environment, so
-// we pick the "worker" / "browser" export conditions on @primitivedotdev/sdk
-// (which routes us to the /api subpath safely without dragging in
-// node:crypto-dependent webhook helpers).
-
-await build({
-  entryPoints: ["handler.ts"],
-  bundle: true,
-  format: "esm",
-  platform: "browser",
-  target: "es2022",
-  conditions: ["worker", "browser"],
-  outfile: "dist/handler.js",
-});
-`;
-}
-export function renderTsconfig() {
-    const tsconfig = {
-        compilerOptions: {
-            target: "ES2022",
-            module: "ESNext",
-            moduleResolution: "Bundler",
-            strict: true,
-            lib: ["ES2022", "WebWorker"],
-            types: [],
-            esModuleInterop: true,
-            skipLibCheck: true,
-        },
-        include: ["handler.ts"],
-    };
-    return `${JSON.stringify(tsconfig, null, 2)}\n`;
-}
-export function renderGitignore() {
-    return "node_modules\ndist\n";
-}
-export function renderReadme(name) {
-    return `# ${name}
-
-## What this is
-
-A Primitive Function: a JavaScript handler that runs on inbound mail.
-It receives the \`email.received\` event, demonstrates a basic reply
-via the Primitive SDK, and returns a JSON envelope.
-
-## Develop
-
-\`\`\`
-npm install
-npm run build
-\`\`\`
-
-## Deploy
-
-\`\`\`
-npm run deploy
-\`\`\`
-
-The deploy step calls \`primitive functions:deploy\` (provided by the
-\`@primitivedotdev/cli\` package; install with
-\`npm install -g @primitivedotdev/cli\` or run via
-\`npx @primitivedotdev/cli@latest <command>\`). It requires
-\`PRIMITIVE_API_KEY\` to be set in your shell (or pass \`--api-key\`).
-Run \`primitive login\` once to save a key in your CLI config if you
-prefer that to an env var.
-`;
-}
-// Files written by the scaffolder, in the order they're created.
-// Exported as a pure function so the unit test can verify the
-// exact content of every file without invoking the command and
-// touching disk.
-export function scaffoldFiles(name) {
-    return [
-        { contents: renderHandler(), relativePath: "handler.ts" },
-        { contents: renderPackageJson(name), relativePath: "package.json" },
-        { contents: renderBuildMjs(), relativePath: "build.mjs" },
-        { contents: renderTsconfig(), relativePath: "tsconfig.json" },
-        { contents: renderGitignore(), relativePath: ".gitignore" },
-        { contents: renderReadme(name), relativePath: "README.md" },
-    ];
-}
-// Write the scaffold to disk. Refuses to overwrite an existing
-// directory: if `outDir` exists the function throws and leaves the
-// filesystem untouched. On any write error after creating the
-// directory, the partially-written tree is cleaned up so re-runs
-// see a clean slate. Exported for unit testing.
-export function writeScaffold(params) {
-    if (!isValidFunctionName(params.name)) {
-        throw new Errors.CLIError(`Invalid function name "${params.name}". Use lowercase letters, digits, hyphens, or underscores (1-63 chars, must start with a letter or digit).`, { exit: 1 });
-    }
-    const files = scaffoldFiles(params.name);
-    const written = [];
-    // Create the target directory with recursive: false so the check
-    // and the create happen in one syscall. mkdirSync throws EEXIST
-    // atomically if the path already exists, which closes the TOCTOU
-    // window between a separate existsSync check and the mkdir call.
-    try {
-        mkdirSync(params.outDir, { recursive: false });
-    }
-    catch (error) {
-        const code = error.code;
-        if (code === "EEXIST") {
-            throw new Errors.CLIError(`Target directory already exists: ${params.outDir}. Refusing to overwrite. Remove it or pick a different --out-dir.`, { exit: 1 });
-        }
-        if (code === "ENOENT") {
-            throw new Errors.CLIError(`Parent directory does not exist for ${params.outDir}. Create it first or pick a different --out-dir.`, { exit: 1 });
-        }
-        const detail = error instanceof Error ? error.message : String(error);
-        throw new Errors.CLIError(`Failed to create ${params.outDir}: ${detail}`, {
-            exit: 1,
-        });
-    }
-    try {
-        for (const file of files) {
-            const fullPath = resolve(params.outDir, file.relativePath);
-            mkdirSync(dirname(fullPath), { recursive: true });
-            writeFileSync(fullPath, file.contents, "utf8");
-            written.push(fullPath);
-        }
-    }
-    catch (error) {
-        // Roll back the partial scaffold so the user can retry without
-        // tripping the "directory already exists" guard above.
-        try {
-            rmSync(params.outDir, { force: true, recursive: true });
-        }
-        catch {
-            // Best-effort cleanup; surface the original error regardless.
-        }
-        const detail = error instanceof Error ? error.message : String(error);
-        throw new Errors.CLIError(`Failed to write scaffold to ${params.outDir}: ${detail}`, { exit: 1 });
-    }
-    return { written };
-}
-class FunctionsInitCommand extends Command {
-    static description = `Scaffold a new Primitive Function project in ./<name>/ with handler.ts, package.json, build.mjs, tsconfig.json, .gitignore, and README.md.
-
-  The scaffolded handler imports \`createPrimitiveClient\` from
-  \`@primitivedotdev/sdk/api\` and demonstrates the canonical pattern:
-  parse the email.received event, send a reply via the SDK, return a
-  JSON envelope. The build script uses esbuild's JS API and emits
-  ./dist/handler.js, ready to hand to \`primitive functions:deploy --file\`.
-
-  Refuses to overwrite an existing directory. Use --out-dir to pick a
-  different target path than ./<name>/.`;
-    static summary = "Scaffold a new Primitive Function project ready for functions:deploy";
-    static examples = [
-        "<%= config.bin %> functions:init my-fn",
-        "<%= config.bin %> functions:init my-fn --out-dir ./functions/my-fn",
-    ];
-    static args = {
-        name: Args.string({
-            description: "Function name. Lowercase letters, digits, hyphens, underscores. 1-63 chars. Used as the directory name (when --out-dir is not set) and as the package.json name.",
-            required: true,
-        }),
-    };
-    static flags = {
-        "out-dir": Flags.string({
-            description: "Directory to scaffold into. Defaults to ./<name>/. Must not already exist.",
-        }),
-    };
-    async run() {
-        const { args, flags } = await this.parse(FunctionsInitCommand);
-        const outDir = resolve(flags["out-dir"] ?? `./${args.name}`);
-        writeScaffold({ name: args.name, outDir });
-        this.log(`Scaffolded ${outDir}.`);
-        this.log("Next:");
-        this.log(`  cd ${outDir}`);
-        this.log("  npm install");
-        this.log("  npm run build");
-        this.log(`  primitive functions:deploy --name ${args.name} --file ./dist/handler.js`);
-    }
-}
-export default FunctionsInitCommand;