@primitivedotdev/cli 0.26.1 → 0.26.3

package/dist/oclif/commands/send.js

@@ -1,221 +0,0 @@
-import { Command, Errors, Flags } from "@oclif/core";
-import { listDomains, PrimitiveApiClient, sendEmail, } from "@primitivedotdev/sdk/api";
-import { API_ERROR_CODES, extractErrorCode, extractErrorPayload, formatErrorPayload, removeStaleSavedCredentialOnUnauthorized, runWithTiming, TIME_FLAG_DESCRIPTION, writeErrorWithHints, } from "../api-command.js";
-import { resolveCliAuth } from "../auth.js";
-// `primitive send` is the agent-grade shortcut for the most common
-// case: send a fresh outbound email. It wraps `sending:send-email`
-// with two ergonomic defaults that the underlying operation can't
-// express through manifest-driven flag generation alone:
-//
-//   1. `--from` defaults to `agent@<first-verified-domain>` when
-//      omitted. Most agents don't know which domains their org has
-//      verified for outbound; making them list-domains first to
-//      derive a from-address is exactly the kind of email-ops cruft
-//      this command exists to hide. Customers with multiple
-//      domains, or who want a different local-part, pass --from
-//      explicitly.
-//   2. `--subject` defaults to the first non-empty line of the body
-//      (capped). Empty subjects get spam-scored, so we always emit
-//      something. Callers who want full control pass --subject.
-//
-// `--body` here is the message body (text). The full `send-email`
-// operation distinguishes `body_text` and `body_html`; this
-// shortcut keeps it simple by exposing `--body` for text and
-// `--html` for the HTML alternative. Users who need both can pass
-// both flags or fall back to `sending:send-email` for the full
-// flag list.
-//
-// Compared to `swaks` (which agents likely have in their training
-// data): this is `swaks`-shaped on purpose so an agent
-// pattern-matching from there lands in the happy path. We just
-// don't need swaks's `--server` / `--auth-*` flags because the
-// HTTPS API key is the auth and the server is implicit.
-// 200 chars is a generous cap that almost never trips on natural
-// first-line subjects (a sentence is typically <120 chars). The
-// previous 70-char limit was tight enough that legitimate one-line
-// bodies routinely produced ellipsis-truncated subjects in inbox
-// listings, e.g. `"this is the simplest possible send: agent typed
-// two flags and hit\\n e..."` from the AGX walkthrough. Real spam
-// scoring engines don't penalize subjects under ~200 chars, so 200
-// is both more useful and still well under the practical wire limit.
-const SUBJECT_MAX_LENGTH = 200;
-function deriveSubject(body) {
-    for (const line of body.split("\n")) {
-        const trimmed = line.trim();
-        if (!trimmed)
-            continue;
-        return trimmed.length > SUBJECT_MAX_LENGTH
-            ? `${trimmed.slice(0, SUBJECT_MAX_LENGTH - 3)}...`
-            : trimmed;
-    }
-    return "Message";
-}
-function isVerifiedDomain(domain) {
-    return domain.is_active === true;
-}
-async function pickDefaultFromAddress(apiClient, authFailureContext) {
-    const result = await listDomains({
-        client: apiClient.client,
-        responseStyle: "fields",
-    });
-    if (result.error) {
-        const errorPayload = extractErrorPayload(result.error);
-        // If the underlying failure is an auth problem, don't pretend
-        // --from will fix it: the actual sendEmail call would 401 too.
-        // Surface the auth hint via writeErrorWithHints and bail with
-        // a focused message instead of the verbose "underlying error"
-        // wrapping.
-        if (extractErrorCode(errorPayload) === API_ERROR_CODES.unauthorized) {
-            writeErrorWithHints(errorPayload);
-            removeStaleSavedCredentialOnUnauthorized({
-                ...authFailureContext,
-                payload: errorPayload,
-            });
-            // exit: 1 to match the run() unauthorized path (which uses
-            // `process.exitCode = 1`). oclif's CLIError defaults to 2,
-            // so without this override the same "unauthorized" condition
-            // exits 2 when surfaced from listDomains and 1 when surfaced
-            // from sendEmail, breaking callers that branch on exit code.
-            throw new Errors.CLIError("Cannot send: API key is missing or invalid (see hint above).", { exit: 1 });
-        }
-        throw new Errors.CLIError(`Could not look up your verified domains to default --from. Pass --from explicitly. Underlying error: ${formatErrorPayload(errorPayload)}`);
-    }
-    const envelope = result.data;
-    const first = envelope?.data?.find(isVerifiedDomain);
-    if (!first) {
-        throw new Errors.CLIError("No active verified outbound domain found on this account; pass --from explicitly. To set up outbound, claim a domain via `primitive domains:add-domain` and verify it.");
-    }
-    // Local-part: "agent". Any local-part is accepted on managed
-    // *.primitive.email subdomains, so this works out of the box for
-    // the auto-issued domain pool. For customers with BYO domains
-    // and their own MX, "agent@" may or may not be a routable
-    // mailbox; if you have a specific address you want to use, pass
-    // --from explicitly.
-    return `agent@${first.domain}`;
-}
-class SendCommand extends Command {
-    static description = `Send an outbound email. Agent-grade shortcut for sending:send-email with sensible defaults.
-
-  --from defaults to agent@<your-first-verified-outbound-domain> when omitted.
-  --subject defaults to the first line of the body when omitted.
-
-  For the full flag set (custom message-id threading on the wire,
-  references arrays, etc.), use \`primitive sending:send-email\`.`;
-    static summary = "Send an email (simplified, agent-friendly)";
-    static examples = [
-        "<%= config.bin %> send --to alice@example.com --body 'Hi Alice!'",
-        "<%= config.bin %> send --to alice@example.com --from support@yourcompany.com --subject 'Quick question' --body 'Are you free Thursday?'",
-        "<%= config.bin %> send --to alice@example.com --html '<p>Hello!</p>'",
-        "<%= config.bin %> send --to alice@example.com --body 'Confirmed' --wait",
-        "<%= config.bin %> send --to inbox@your-managed-domain.primitive.email --body 'self-loop smoke test' --wait  # any *.primitive.email address routes back to the sending account; useful for proving outbound + inbound work end-to-end",
-    ];
-    static flags = {
-        "api-key": Flags.string({
-            description: "Primitive API key (defaults to PRIMITIVE_API_KEY or saved `primitive login` credentials)",
-            env: "PRIMITIVE_API_KEY",
-        }),
-        "api-base-url-1": Flags.string({
-            description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-            env: "PRIMITIVE_API_BASE_URL_1",
-            hidden: true,
-        }),
-        "api-base-url-2": Flags.string({
-            description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
-            env: "PRIMITIVE_API_BASE_URL_2",
-            hidden: true,
-        }),
-        to: Flags.string({
-            description: "Recipient address (e.g. alice@example.com).",
-            required: true,
-        }),
-        from: Flags.string({
-            description: "Sender address. Defaults to agent@<your-first-verified-outbound-domain>.",
-        }),
-        subject: Flags.string({
-            description: "Subject line. Defaults to the first line of --body / --html when omitted.",
-        }),
-        body: Flags.string({
-            description: "Plain-text message body. Either --body or --html (or both) is required.",
-        }),
-        html: Flags.string({
-            description: "HTML message body. Either --body or --html (or both) is required.",
-        }),
-        "in-reply-to": Flags.string({
-            description: "Message-Id of the parent email when threading a reply on the wire. For replying to an inbound message you received, prefer `primitive sending:reply-to-email --id <inbound-id>`.",
-        }),
-        wait: Flags.boolean({
-            description: "Block until the receiving MTA returns an outcome. Without --wait, the call returns once Primitive has accepted the message for delivery.",
-        }),
-        "wait-timeout-ms": Flags.integer({
-            description: "Maximum time to wait when --wait is set. Defaults to 30000ms.",
-        }),
-        time: Flags.boolean({
-            description: TIME_FLAG_DESCRIPTION,
-        }),
-    };
-    async run() {
-        const { flags } = await this.parse(SendCommand);
-        if (!flags.body && !flags.html) {
-            throw new Errors.CLIError("Either --body or --html (or both) is required.");
-        }
-        await runWithTiming(flags.time, async () => {
-            const baseUrlOverridden = flags["api-base-url-1"] !== undefined ||
-                flags["api-base-url-2"] !== undefined;
-            const auth = resolveCliAuth({
-                apiKey: flags["api-key"],
-                apiBaseUrl1: flags["api-base-url-1"],
-                apiBaseUrl2: flags["api-base-url-2"],
-                configDir: this.config.configDir,
-            });
-            const apiClient = new PrimitiveApiClient({
-                apiKey: auth.apiKey,
-                apiBaseUrl1: auth.apiBaseUrl1,
-                apiBaseUrl2: auth.apiBaseUrl2,
-            });
-            const authFailureContext = {
-                auth,
-                baseUrlOverridden,
-                configDir: this.config.configDir,
-            };
-            const from = flags.from ??
-                (await pickDefaultFromAddress(apiClient, authFailureContext));
-            const subject = flags.subject ?? (flags.body ? deriveSubject(flags.body) : "Message");
-            const result = await sendEmail({
-                body: {
-                    from,
-                    to: flags.to,
-                    subject,
-                    ...(flags.body !== undefined ? { body_text: flags.body } : {}),
-                    ...(flags.html !== undefined ? { body_html: flags.html } : {}),
-                    ...(flags["in-reply-to"] !== undefined
-                        ? { in_reply_to: flags["in-reply-to"] }
-                        : {}),
-                    ...(flags.wait !== undefined ? { wait: flags.wait } : {}),
-                    ...(flags["wait-timeout-ms"] !== undefined
-                        ? { wait_timeout_ms: flags["wait-timeout-ms"] }
-                        : {}),
-                },
-                // /send-mail goes to the attachments-supporting host. The
-                // wrapper exposes the host-2 client as _sendClient for this
-                // and any other host-2 operation that lands here. Customer
-                // SDK callers should use PrimitiveClient.send() instead so
-                // the routing stays internal.
-                client: apiClient._sendClient,
-                responseStyle: "fields",
-            });
-            if (result.error) {
-                const errorPayload = extractErrorPayload(result.error);
-                writeErrorWithHints(errorPayload);
-                removeStaleSavedCredentialOnUnauthorized({
-                    ...authFailureContext,
-                    payload: errorPayload,
-                });
-                process.exitCode = 1;
-                return;
-            }
-            const envelope = result.data;
-            this.log(JSON.stringify(envelope?.data ?? null, null, 2));
-        });
-    }
-}
-export default SendCommand;

package/dist/oclif/commands/whoami.js

@@ -1,94 +0,0 @@
-import { Command, Errors, Flags } from "@oclif/core";
-import { getAccount, PrimitiveApiClient } from "@primitivedotdev/sdk/api";
-import { extractErrorPayload, removeStaleSavedCredentialOnUnauthorized, runWithTiming, TIME_FLAG_DESCRIPTION, writeErrorWithHints, } from "../api-command.js";
-import { resolveCliAuth } from "../auth.js";
-// `primitive whoami` is the credentials smoke-test the AGX
-// walkthrough kept asking for. Before this command, a user with a
-// suspect API key had no fast way to verify "is my key live and
-// pointed at the org I expect" short of trying any other call and
-// reading a 401. That ambiguity bit two consecutive walkthroughs.
-//
-// Implementation: thin wrapper over /api/v1/account that prints
-// the account email, plan, id, and onboarding status. Any auth
-// problem surfaces as the standard error envelope, same as the
-// generated commands.
-class WhoamiCommand extends Command {
-    static description = `Print the account currently authenticated by the API key. Useful as a credentials smoke test: confirms the key is live and shows which account it belongs to.`;
-    static summary = "Print the authenticated account (credentials smoke test)";
-    static examples = [
-        "<%= config.bin %> whoami",
-        "<%= config.bin %> whoami --api-key prim_...",
-    ];
-    static flags = {
-        "api-key": Flags.string({
-            description: "Primitive API key (defaults to PRIMITIVE_API_KEY or saved `primitive login` credentials)",
-            env: "PRIMITIVE_API_KEY",
-        }),
-        "api-base-url-1": Flags.string({
-            description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-            env: "PRIMITIVE_API_BASE_URL_1",
-            hidden: true,
-        }),
-        "api-base-url-2": Flags.string({
-            description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
-            env: "PRIMITIVE_API_BASE_URL_2",
-            hidden: true,
-        }),
-        time: Flags.boolean({
-            description: TIME_FLAG_DESCRIPTION,
-        }),
-    };
-    async run() {
-        const { flags } = await this.parse(WhoamiCommand);
-        await runWithTiming(flags.time, async () => {
-            const baseUrlOverridden = flags["api-base-url-1"] !== undefined ||
-                flags["api-base-url-2"] !== undefined;
-            const auth = resolveCliAuth({
-                apiKey: flags["api-key"],
-                apiBaseUrl1: flags["api-base-url-1"],
-                apiBaseUrl2: flags["api-base-url-2"],
-                configDir: this.config.configDir,
-            });
-            const apiClient = new PrimitiveApiClient({
-                apiKey: auth.apiKey,
-                apiBaseUrl1: auth.apiBaseUrl1,
-                apiBaseUrl2: auth.apiBaseUrl2,
-            });
-            const result = await getAccount({
-                client: apiClient.client,
-                responseStyle: "fields",
-            });
-            if (result.error) {
-                const errorPayload = extractErrorPayload(result.error);
-                writeErrorWithHints(errorPayload);
-                removeStaleSavedCredentialOnUnauthorized({
-                    auth,
-                    baseUrlOverridden,
-                    configDir: this.config.configDir,
-                    payload: errorPayload,
-                });
-                process.exitCode = 1;
-                return;
-            }
-            const envelope = result.data;
-            const account = envelope?.data;
-            if (!account) {
-                process.stderr.write("Server returned an empty account body; this should not happen for a valid key.\n");
-                throw new Errors.CLIError("unexpected empty response");
-            }
-            // Concise human-readable summary on stderr; the full account
-            // JSON goes to stdout so a script can pipe it.
-            const onboarding = account.onboarding_completed === true
-                ? "complete"
-                : account.onboarding_step
-                    ? `in progress (step: ${account.onboarding_step})`
-                    : "incomplete";
-            process.stderr.write(`Authenticated as ${account.email}\n`);
-            process.stderr.write(`  Account id: ${account.id}\n`);
-            process.stderr.write(`  Plan:       ${account.plan}\n`);
-            process.stderr.write(`  Onboarding: ${onboarding}\n`);
-            this.log(JSON.stringify(account, null, 2));
-        });
-    }
-}
-export default WhoamiCommand;

package/dist/oclif/endpoints-test-redirect.js

@@ -1,94 +0,0 @@
-// `endpoints:test-endpoint` calls POST /endpoints/{id}/test. The server
-// implementation only resolves http-kind endpoints by url and returns
-// `not_found` for function-kind endpoints (where url is null). The same
-// function-endpoint id IS returned by `endpoints:list-endpoints`, so a
-// caller naturally tries it against test-endpoint and is greeted with
-// "Endpoint not found." Confusing.
-//
-// This helper closes the loop on the CLI side. After test-endpoint
-// returns `not_found`, the dispatcher in `api-command.ts` calls
-// `detectFunctionEndpoint` to see whether the id actually belongs to a
-// function-kind endpoint owned by the caller. If yes, we replace the
-// generic envelope with a redirect to `functions:test-function`,
-// surfacing both the endpoint id and the function id so the caller
-// does not have to look the function id up themselves.
-//
-// `kind` and `function_id` are not currently declared on the OpenAPI
-// `Endpoint` schema (so they are absent from the generated TS types),
-// but they are present in the JSON the server returns. We read them
-// off a loose Record<string, unknown> rather than relying on the
-// generated type, then sanity-check both fields before treating an
-// endpoint as a function endpoint.
-// Returns a `FunctionEndpointMatch` if and only if `endpointId` matches
-// an endpoint in the caller's `listEndpoints` response whose `kind` is
-// `function` and whose `function_id` is a non-empty string. Any other
-// outcome (no match, http-kind match, list call failure, missing
-// fields) returns `null` so the dispatcher falls back to surfacing the
-// original error envelope unchanged.
-export async function detectFunctionEndpoint(endpointId, listEndpoints) {
-    let response;
-    try {
-        response = await listEndpoints();
-    }
-    catch {
-        return null;
-    }
-    if (response.error)
-        return null;
-    const rows = response.data?.data;
-    if (!Array.isArray(rows))
-        return null;
-    // Relies on `listEndpoints` returning every endpoint in a single response.
-    // True today: the operation has `query?: never` in the generated types and
-    // the server returns all rows. If pagination is ever added, an endpoint on
-    // a later page would silently miss the redirect and reduce this to the
-    // original "Endpoint not found" UX. Update this call (filter-by-id or
-    // exhaust-pages) at the same time pagination lands on listEndpoints.
-    for (const row of rows) {
-        if (!row || typeof row !== "object")
-            continue;
-        if (row.id !== endpointId)
-            continue;
-        if (row.kind !== "function")
-            return null;
-        const functionId = row.function_id;
-        if (typeof functionId !== "string" || functionId.length === 0)
-            return null;
-        return { endpointId, functionId };
-    }
-    return null;
-}
-// Stderr copy printed when the dispatcher detects the
-// `endpoints:test-endpoint` `not_found` was really a function-kind
-// endpoint. Surfaces both ids so the caller does not have to run
-// `endpoints:list-endpoints` again to find the function_id. Returned
-// as a string rather than written here so the call site controls the
-// stream (stderr, in practice) and the tests can assert on the value.
-export function formatFunctionEndpointRedirect(match) {
-    return [
-        "This is a function endpoint. Function endpoints are tested differently. Run:",
-        "",
-        `    primitive functions:test-function --id ${match.functionId}`,
-        "",
-        `(pass the function id, not the endpoint id. endpoint_id=${match.endpointId} function_id=${match.functionId})`,
-    ].join("\n");
-}
-// Post-error hook: if the operation that just failed is
-// `endpoints:test-endpoint`, the failure is a `not_found`, and the
-// caller's id matches a function-kind endpoint they own, print a
-// redirect to `functions:test-function`. Returns the resolved match
-// so the caller (and the test) can assert the branch taken without
-// scraping stderr.
-export async function maybeWriteFunctionEndpointRedirect(inputs) {
-    if (inputs.sdkName !== "testEndpoint")
-        return null;
-    if (inputs.errorCode !== "not_found")
-        return null;
-    if (!inputs.endpointId)
-        return null;
-    const match = await detectFunctionEndpoint(inputs.endpointId, inputs.listEndpoints);
-    if (!match)
-        return null;
-    inputs.writeStderr(`${formatFunctionEndpointRedirect(match)}\n`);
-    return match;
-}

package/dist/oclif/fish-completion.js

@@ -1,87 +0,0 @@
-import { openapiDocument, operationManifest, } from "@primitivedotdev/sdk/openapi";
-function fishEscape(value) {
-    return value.replace(/\\/g, "\\\\").replace(/'/g, "\\'");
-}
-function toKebabCase(value) {
-    return value
-        .replace(/([a-z0-9])([A-Z])/g, "$1-$2")
-        .replace(/[^a-zA-Z0-9]+/g, "-")
-        .replace(/^-+|-+$/g, "")
-        .toLowerCase();
-}
-function tagDescriptions() {
-    const descriptions = new Map();
-    const tags = (openapiDocument.tags ??
-        []);
-    for (const tag of tags) {
-        if (tag.name) {
-            descriptions.set(toKebabCase(tag.name), tag.description ?? tag.name);
-        }
-    }
-    return descriptions;
-}
-function operationCondition(operation) {
-    return `__fish_${fishEscape(BIN_PLACEHOLDER)}_using_operation ${fishEscape(operation.tagCommand)} ${fishEscape(operation.command)}`;
-}
-const BIN_PLACEHOLDER = "__BIN__";
-export function renderFishCompletion(binName) {
-    const tagDescriptionByCommand = tagDescriptions();
-    const topLevelTopics = [
-        ...new Set(operationManifest.map((operation) => operation.tagCommand)),
-    ];
-    const lines = [
-        `function __fish_${binName}_needs_command`,
-        "  set -l cmd (commandline -opc)",
-        "  test (count $cmd) -le 1",
-        "end",
-        "",
-        `function __fish_${binName}_topic_needs_subcommand`,
-        "  set -l cmd (commandline -opc)",
-        "  test (count $cmd) -eq 2",
-        '  and test "$cmd[2]" = "$argv[1]"',
-        "end",
-        "",
-        `function __fish_${binName}_using_operation`,
-        "  set -l cmd (commandline -opc)",
-        "  test (count $cmd) -ge 3",
-        '  and test "$cmd[2]" = "$argv[1]"',
-        '  and test "$cmd[3]" = "$argv[2]"',
-        "end",
-        "",
-        `function __fish_${binName}_using_root_command`,
-        "  set -l cmd (commandline -opc)",
-        "  test (count $cmd) -eq 2",
-        '  and test "$cmd[2]" = "$argv[1]"',
-        "end",
-        "",
-        `complete -c ${binName} -f -n '__fish_${binName}_needs_command' -a 'list-operations' -d 'List all generated API operations'`,
-        `complete -c ${binName} -f -n '__fish_${binName}_needs_command' -a 'completion' -d 'Show shell completion output or installation instructions'`,
-        `complete -c ${binName} -f -n '__fish_${binName}_needs_command' -a 'autocomplete' -d 'Install or display shell autocomplete for bash, zsh, and powershell'`,
-        `complete -c ${binName} -f -n '__fish_${binName}_needs_command' -a 'help' -d 'Display help for ${binName}'`,
-    ];
-    for (const topic of topLevelTopics) {
-        lines.push(`complete -c ${binName} -f -n '__fish_${binName}_needs_command' -a '${fishEscape(topic)}' -d '${fishEscape(tagDescriptionByCommand.get(topic) ?? topic)}'`);
-    }
-    lines.push(`complete -c ${binName} -f -n '__fish_${binName}_using_root_command completion' -a 'bash zsh powershell fish' -d 'Shell type'`);
-    for (const topic of topLevelTopics) {
-        const topicOperations = operationManifest.filter((operation) => operation.tagCommand === topic);
-        for (const operation of topicOperations) {
-            lines.push(`complete -c ${binName} -f -n '__fish_${binName}_topic_needs_subcommand ${fishEscape(topic)}' -a '${fishEscape(operation.command)}' -d '${fishEscape(operation.summary ?? `${operation.method} ${operation.path}`)}'`);
-            for (const parameter of [
-                ...operation.pathParams,
-                ...operation.queryParams,
-            ]) {
-                lines.push(`complete -c ${binName} -n '${operationCondition(operation).replace(BIN_PLACEHOLDER, binName)}' -l '${fishEscape(parameter.name.replace(/_/g, "-"))}' -r -d '${fishEscape(parameter.description ?? parameter.name)}'`);
-            }
-            lines.push(`complete -c ${binName} -n '${operationCondition(operation).replace(BIN_PLACEHOLDER, binName)}' -l 'api-key' -r -d 'Primitive API key (defaults to PRIMITIVE_API_KEY or saved primitive login credentials)'`);
-            if (operation.hasJsonBody) {
-                lines.push(`complete -c ${binName} -n '${operationCondition(operation).replace(BIN_PLACEHOLDER, binName)}' -l 'body' -r -d 'JSON request body'`, `complete -c ${binName} -n '${operationCondition(operation).replace(BIN_PLACEHOLDER, binName)}' -l 'body-file' -r -d 'Path to a JSON file used as the request body'`);
-            }
-            if (operation.binaryResponse) {
-                lines.push(`complete -c ${binName} -n '${operationCondition(operation).replace(BIN_PLACEHOLDER, binName)}' -l 'output' -r -d 'Write binary response bytes to a file'`);
-            }
-        }
-    }
-    lines.push(`complete -c ${binName} -l help -d 'Show help for ${binName}'`, `complete -c ${binName} -l version -d 'Show version for ${binName}'`);
-    return `${lines.join("\n")}\n`;
-}

package/dist/oclif/lint/raw-send-mail-fetch.js

@@ -1,98 +0,0 @@
-// Deploy-time lint for `functions:deploy --file <bundle>` and
-// `functions:redeploy --file <bundle>`. Looks for a raw
-// `fetch("...primitive.dev/.../send-mail", ...)` call in the bundle
-// text and, on a match, emits a stderr warning telling the author
-// to prefer `createPrimitiveClient` from `@primitivedotdev/sdk/api`.
-//
-// Why: a recurring pattern in agent-assisted Function deploys is to
-// copy the REST snippet from the docs and call `fetch` directly
-// against the Primitive send-mail endpoint, even after the docs
-// switched to leading with the SDK and `functions:init` ships a
-// scaffold that uses `createPrimitiveClient`. The SDK already
-// handles dual-host routing, error envelopes, and send-permission
-// gate denials; raw `fetch` re-discovers each of those by hand. The
-// warning is the catch-net at deploy time: the deploy still
-// proceeds.
-//
-// Scope by design:
-// - We only flag the empirically observed footgun: `/send-mail`.
-//   Not arbitrary calls to api.primitive.dev. Other endpoints have
-//   not surfaced the same pattern.
-// - We require the URL string literal to immediately follow the
-//   `fetch(` token (allowing whitespace) so we don't trip on a
-//   comment that merely mentions the URL. esbuild strips most
-//   comments anyway, but anchoring on `fetch(` keeps the rule
-//   honest without trying to parse JS.
-// - We only look at the bundle text passed in. Source maps and
-//   sibling files are not scanned.
-// - Variable-URL cases (`fetch(url, ...)` where `url` was assembled
-//   elsewhere) are accepted false negatives. The value here is
-//   catching the obvious inline-literal case, not full taint
-//   analysis.
-// Match `fetch(` then a string literal (single, double, or backtick)
-// whose contents include `primitive.dev` and end with `/send-mail`
-// (optionally with a query string or trailing path boundary). Examples
-// matched:
-//   fetch("https://api.primitive.dev/v1/send-mail", {...})
-//   fetch(`https://www.primitive.dev/api/v1/send-mail`, {...})
-//   fetch('https://primitive.dev/api/v1/send-mail?wait=1')
-//
-// The `[^`'"]*` inside the literal forbids the closing quote
-// character itself so we can't accidentally span across two adjacent
-// string literals. The trailing `(?![A-Za-z0-9_-])` forbids any
-// letter, digit, underscore, or hyphen immediately after `send-mail`
-// so `/send-mail-template-preview` does not trip the rule. (Plain
-// `\b` does not help here because `-` is itself a non-word character,
-// so `mail\b` still matches `mail-...`.)
-const RAW_SEND_MAIL_FETCH_REGEX = /fetch\s*\(\s*[`'"][^`'"]*primitive\.dev[^`'"]*\/send-mail(?![A-Za-z0-9_-])/g;
-// How much surrounding text to include on either side of the match
-// when building the sample snippet. Kept short on purpose: bundles
-// are minified and a 120-char window is enough to spot the call
-// without flooding stderr.
-const SNIPPET_PADDING = 60;
-export function detectRawSendMailFetch(bundleText) {
-    // Reset lastIndex defensively: this regex is module-scoped with
-    // the /g flag, so a prior call's state would skip the next match.
-    RAW_SEND_MAIL_FETCH_REGEX.lastIndex = 0;
-    const match = RAW_SEND_MAIL_FETCH_REGEX.exec(bundleText);
-    if (!match) {
-        return { found: false, sampleSnippet: null };
-    }
-    const start = Math.max(0, match.index - SNIPPET_PADDING);
-    const end = Math.min(bundleText.length, match.index + match[0].length + SNIPPET_PADDING);
-    const raw = bundleText.slice(start, end);
-    // Collapse newlines and runs of whitespace so the snippet is one
-    // readable line on stderr regardless of how the bundle was
-    // formatted.
-    const sampleSnippet = raw.replace(/\s+/g, " ").trim();
-    return { found: true, sampleSnippet };
-}
-// The stderr warning copy. Three beats: name the issue, name the
-// SDK alternative, link the docs. Plus a one-line "deploy proceeds"
-// reassurance. Kept punctuation simple (commas, periods, line
-// breaks) so it doesn't trip the no-em-dashes hook and so the lines
-// wrap predictably in a terminal.
-export const RAW_SEND_MAIL_FETCH_WARNING_LINES = [
-    "warning: this bundle calls fetch(...) against /send-mail directly.",
-    "The Primitive SDK exposes createPrimitiveClient from",
-    "@primitivedotdev/sdk/api which handles host routing, error envelopes,",
-    "and gate denials for you. See https://www.primitive.dev/docs/functions",
-    "for the recommended in-handler pattern. Continuing with deploy.",
-];
-export function formatRawSendMailFetchWarning(finding) {
-    const lines = [...RAW_SEND_MAIL_FETCH_WARNING_LINES];
-    if (finding.sampleSnippet) {
-        lines.push(`  found: ${finding.sampleSnippet}`);
-    }
-    return `${lines.join("\n")}\n`;
-}
-// Convenience: run the detector and, on a match, write the warning
-// to a stderr-shaped writer. Pulled out so both deploy and redeploy
-// share one code path and so the unit tests can pass a fake writer.
-export function emitRawSendMailFetchWarning(bundleText, write) {
-    const finding = detectRawSendMailFetch(bundleText);
-    if (finding.found) {
-        write(formatRawSendMailFetchWarning(finding));
-    }
-    return finding;
-}

package/dist/oclif/secret-flags.js

@@ -1,59 +0,0 @@
-// Shared parsing for the `--secret KEY=VALUE` flag used by both
-// functions:deploy and functions:redeploy. Lives in its own module so
-// neither command implicitly depends on the other's file path.
-// Server-side constraint on secret keys. Mirrored client-side so
-// malformed input is rejected before any side-effecting API call.
-export const SECRET_KEY_RE = /^[A-Z_][A-Z0-9_]*$/;
-// Split each `--secret KEY=VALUE` on the FIRST `=`. KEY must match
-// `^[A-Z_][A-Z0-9_]*$`; VALUE may contain `=` (only the first one
-// is treated as a delimiter). Duplicate KEYs are rejected: silently
-// accepting two pairs with the same key would fan out to two
-// setFunctionSecret writes where only the second wins, which is
-// almost always a typo and never the intent.
-export function parseSecretFlags(raw) {
-    const secrets = [];
-    const seenKeys = new Set();
-    for (const entry of raw) {
-        const eq = entry.indexOf("=");
-        if (eq === -1) {
-            return {
-                kind: "error",
-                message: `--secret expects KEY=VALUE (got ${JSON.stringify(entry)}). Example: --secret API_TOKEN=abc123`,
-            };
-        }
-        const key = entry.slice(0, eq);
-        const value = entry.slice(eq + 1);
-        if (key.length === 0) {
-            return {
-                kind: "error",
-                message: `--secret is missing a KEY before '=' (got ${JSON.stringify(entry)}). Example: --secret API_TOKEN=abc123`,
-            };
-        }
-        if (!SECRET_KEY_RE.test(key)) {
-            return {
-                kind: "error",
-                message: `--secret KEY ${JSON.stringify(key)} does not match ${SECRET_KEY_RE.source} (uppercase letters, digits, underscores; first character is a letter or underscore).`,
-            };
-        }
-        if (seenKeys.has(key)) {
-            return {
-                kind: "error",
-                message: `--secret KEY ${JSON.stringify(key)} was passed more than once. Each key may only appear once per command.`,
-            };
-        }
-        seenKeys.add(key);
-        secrets.push({ key, value });
-    }
-    return { kind: "ok", secrets };
-}
-// Shared flag-description copy so both functions:deploy and
-// functions:redeploy advertise the same security caveat and KEY
-// constraints. The shell-history note is the load-bearing piece:
-// CLI flag values land in ~/.bash_history, `ps aux`, and
-// /proc/[pid]/cmdline, so callers handling sensitive values
-// should set them via a shell variable (ideally read via `read -s`
-// or piped from a secrets manager) and reference the variable on
-// the command line. The variable still appears in `ps`-visible
-// argv, but at least the literal value does not get archived in
-// the user's shell history.
-export const SECRET_FLAG_SECURITY_NOTE = 'Note: values passed on the command line are visible in shell history (e.g. ~/.bash_history) and to other users via `ps aux` / /proc/[pid]/cmdline. For sensitive values prefer `--secret KEY="$VAR"` where `$VAR` is set out-of-band (read -s, a secrets manager, etc.).';