@primitivedotdev/cli 0.26.3 → 0.28.0

package/dist/oclif/index.js

@@ -4,6 +4,8 @@ import { randomUUID } from "node:crypto";
 import { dirname, join, resolve } from "node:path";
 import { spawn } from "node:child_process";
 import { hostname } from "node:os";
+import process$1 from "node:process";
+import { createInterface } from "node:readline/promises";
 //#region \0rolldown/runtime.js
 var __defProp = Object.defineProperty;
 var __exportAll = (all, no_symbols) => {
@@ -664,11 +666,13 @@ var sdk_gen_exports = /* @__PURE__ */ __exportAll({
 	replayDelivery: () => replayDelivery,
 	replayEmailWebhooks: () => replayEmailWebhooks,
 	replyToEmail: () => replyToEmail,
+	resendCliSignupVerification: () => resendCliSignupVerification,
 	rotateWebhookSecret: () => rotateWebhookSecret,
 	searchEmails: () => searchEmails,
 	sendEmail: () => sendEmail,
 	setFunctionSecret: () => setFunctionSecret,
 	startCliLogin: () => startCliLogin,
+	startCliSignup: () => startCliSignup,
 	testEndpoint: () => testEndpoint,
 	testFunction: () => testFunction,
 	updateAccount: () => updateAccount,
@@ -676,6 +680,7 @@ var sdk_gen_exports = /* @__PURE__ */ __exportAll({
 	updateEndpoint: () => updateEndpoint,
 	updateFilter: () => updateFilter,
 	updateFunction: () => updateFunction,
+	verifyCliSignup: () => verifyCliSignup,
 	verifyDomain: () => verifyDomain
 });
 /**
@@ -711,6 +716,54 @@ const pollCliLogin = (options) => (options.client ?? client).post({
 	}
 });
 /**
+* Start CLI account signup
+*
+* Starts a terminal-native CLI signup. The API validates the signup code,
+* creates a pending signup session, sends an email verification code, and
+* returns an opaque signup token used by the resend and verify steps. This
+* endpoint does not require an API key.
+*
+*/
+const startCliSignup = (options) => (options.client ?? client).post({
+	url: "/cli/signup/start",
+	...options,
+	headers: {
+		...options.body !== void 0 && { "Content-Type": "application/json" },
+		...options.headers
+	}
+});
+/**
+* Resend CLI signup verification code
+*
+* Sends a new email verification code for a pending CLI signup session.
+* This endpoint does not require an API key.
+*
+*/
+const resendCliSignupVerification = (options) => (options.client ?? client).post({
+	url: "/cli/signup/resend",
+	...options,
+	headers: {
+		...options.body !== void 0 && { "Content-Type": "application/json" },
+		...options.headers
+	}
+});
+/**
+* Verify CLI signup and create API key
+*
+* Verifies the email code for a CLI signup session, creates the account,
+* redeems the reserved signup code, mints an org-scoped CLI API key, and
+* returns the raw key exactly once. This endpoint does not require an API key.
+*
+*/
+const verifyCliSignup = (options) => (options.client ?? client).post({
+	url: "/cli/signup/verify",
+	...options,
+	headers: {
+		...options.body !== void 0 && { "Content-Type": "application/json" },
+		...options.headers
+	}
+});
+/**
 * Revoke the current CLI API key
 *
 * Revokes the API key used to authenticate the request. CLI clients use
@@ -1451,8 +1504,9 @@ const listFunctions = (options) => (options?.client ?? client).get({
 * than relying on external imports.
 *
 * **Code limits.** `code` is capped at 1 MiB UTF-8. `sourceMap`
-* (optional) is capped at 5 MiB UTF-8 and is stored only on the
-* edge runtime side; it is not persisted in Primitive's database.
+* (optional) is capped at 5 MiB UTF-8, stored with each deployment
+* attempt, and sent to the runtime so stack traces can resolve to
+* original source files.
 *
 * **Auto-wiring.** On successful deploy, Primitive automatically
 * creates a webhook endpoint that delivers inbound mail to the
@@ -1525,11 +1579,10 @@ const getFunction = (options) => (options.client ?? client).get({
 * passing the same `code` re-runs the deploy and refreshes the
 * binding set with the latest values from the secrets table.
 *
-* On a 502 deploy failure, the previously-deployed code stays
-* live; the runtime never serves a half-built bundle. The
-* `deploy_error` field on the returned record carries the error
-* that came back from the runtime so you can surface it to users
-* without polling.
+* On deploy failure, the previously-deployed code stays live; the
+* runtime never serves a half-built bundle. The response uses
+* `error.code` `deploy_failed`, and the function's `deploy_error`
+* field carries the latest deploy error for dashboard/API reads.
 *
 */
 const updateFunction = (options) => (options.client ?? client).put({
@@ -1705,7 +1758,7 @@ const openapiDocument = {
 	"info": {
 		"title": "Primitive API",
 		"version": "1.0.0",
-		"description": "The Primitive API lets you manage domains, emails, webhook endpoints,\nfilters, and account settings programmatically.\n\n## Authentication\n\nAll endpoints require a Bearer token in the `Authorization` header:\n\n```\nAuthorization: Bearer prim_<your_api_key>\n```\n\nAPI keys are org-scoped. Create and manage them in your dashboard\nunder Settings > API Keys.\n\n## Rate Limiting\n\nThe API enforces a sliding window rate limit of **120 requests per\n60 seconds** per organization. When exceeded, the API returns `429`\nwith a `Retry-After` header indicating how many seconds to wait.\n\n## Pagination\n\nList endpoints use cursor-based pagination. Responses include a\n`meta` object with `total`, `limit`, and `cursor` fields. Pass the\n`cursor` value as a query parameter to fetch the next page. When\n`cursor` is `null`, there are no more results.\n\n## Response Format\n\nAll responses use a consistent envelope:\n\n```json\n{\n  \"success\": true,\n  \"data\": { ... },\n  \"meta\": { \"total\": 42, \"limit\": 50, \"cursor\": \"...\" }\n}\n```\n\nErrors follow the same pattern:\n\n```json\n{\n  \"success\": false,\n  \"error\": { \"code\": \"not_found\", \"message\": \"Email not found\" }\n}\n```\n\n## Webhook signing\n\nOutbound webhook deliveries (configured via the `endpoints` API)\nare signed so receivers can verify they came from Primitive and\nhave not been tampered with in transit. The signing scheme is\ndeliberately simple so it can be reimplemented in any language\nin a few lines. The Node SDK's `verifyWebhookSignature` helper\nis the reference implementation; the wire details below let you\nwrite a verifier in Python, Go, Ruby, etc. without reading our\nsource.\n\n**Header**: `Primitive-Signature: t=<unix-seconds>,v1=<hex>`\n\nA legacy `MyMX-Signature` header is also sent on every delivery\nwith the same value, retained for back-compatibility with\nintegrations written before the rename. New code should read\n`Primitive-Signature`.\n\n**Signed string**: `${timestamp}.${rawBody}` where `timestamp`\nis the Unix-seconds integer from the `t=` parameter and\n`rawBody` is the exact bytes of the HTTP request body BEFORE\nany JSON decoding. Verify against the raw body, not a\nre-serialized parse, or you will silently mismatch on\ninsignificant whitespace.\n\n**Signature**: HMAC-SHA256 of the signed string, hex-encoded\n(lowercase). Use the account's webhook secret as the HMAC key,\nas a UTF-8 byte sequence.\n\n**Secret**: returned by `GET /account/webhook-secret`. The\nstring looks base64-shaped (e.g. `XNHBBW8VqoBjRfNs1tkZj11jTk...`)\nbut is NOT base64; use it AS-IS as a UTF-8 string for the HMAC\nkey. Base64-decoding before HMAC will silently produce\nmismatched signatures.\n\n**Tolerance**: by convention, reject deliveries whose `t=`\ntimestamp is more than 5 minutes off your wall-clock to defend\nagainst replay attacks. The Node SDK's helper enforces this by\ndefault.\n\n**Verification recipe** (any language):\n\n```\n1. Read the raw HTTP body (do not parse).\n2. Read `Primitive-Signature: t=<ts>,v1=<sig>`.\n3. Reject if abs(now - ts) > 300 seconds.\n4. expected = HMAC_SHA256_hex(secret_utf8, f\"{ts}.{rawBody}\")\n5. Constant-time compare expected to sig. Reject if not equal.\n```\n\nFor Node, use `verifyWebhookSignature` from\n`@primitivedotdev/sdk/webhook` (or the higher-level\n`handleWebhook` helper if you want a one-liner). For other\nlanguages, the recipe above is everything you need.\n\nTest deliveries: `POST /endpoints/{id}/test` triggers a fake\ndelivery to your endpoint URL, signed with your real account\nsecret, so you can confirm verification end-to-end without\nneeding real inbound mail. The test response carries the exact\n`signature` header value sent on the wire so you can compare\nstrings directly.\n",
+		"description": "The Primitive API lets you manage domains, emails, webhook endpoints,\nfilters, and account settings programmatically.\n\n## Authentication\n\nMost endpoints require a Bearer token in the `Authorization` header:\n\n```\nAuthorization: Bearer prim_<your_api_key>\n```\n\nAPI keys are org-scoped. Create and manage them in your dashboard\nunder Settings > API Keys. CLI login and signup endpoints explicitly\ndeclare `security: []`; they do not require an API key because they\nare used to mint one.\n\n## Rate Limiting\n\nThe API enforces a sliding window rate limit of **120 requests per\n60 seconds** per organization. When exceeded, the API returns `429`\nwith a `Retry-After` header indicating how many seconds to wait.\n\n## Pagination\n\nList endpoints use cursor-based pagination. Responses include a\n`meta` object with `total`, `limit`, and `cursor` fields. Pass the\n`cursor` value as a query parameter to fetch the next page. When\n`cursor` is `null`, there are no more results.\n\n## Response Format\n\nAll responses use a consistent envelope:\n\n```json\n{\n  \"success\": true,\n  \"data\": { ... },\n  \"meta\": { \"total\": 42, \"limit\": 50, \"cursor\": \"...\" }\n}\n```\n\nErrors follow the same pattern:\n\n```json\n{\n  \"success\": false,\n  \"error\": { \"code\": \"not_found\", \"message\": \"Email not found\" }\n}\n```\n\n## Webhook signing\n\nOutbound webhook deliveries (configured via the `endpoints` API)\nare signed so receivers can verify they came from Primitive and\nhave not been tampered with in transit. The signing scheme is\ndeliberately simple so it can be reimplemented in any language\nin a few lines. The Node SDK's `verifyWebhookSignature` helper\nis the reference implementation; the wire details below let you\nwrite a verifier in Python, Go, Ruby, etc. without reading our\nsource.\n\n**Header**: `Primitive-Signature: t=<unix-seconds>,v1=<hex>`\n\nA legacy `MyMX-Signature` header is also sent on every delivery\nwith the same value, retained for back-compatibility with\nintegrations written before the rename. New code should read\n`Primitive-Signature`.\n\n**Signed string**: `${timestamp}.${rawBody}` where `timestamp`\nis the Unix-seconds integer from the `t=` parameter and\n`rawBody` is the exact bytes of the HTTP request body BEFORE\nany JSON decoding. Verify against the raw body, not a\nre-serialized parse, or you will silently mismatch on\ninsignificant whitespace.\n\n**Signature**: HMAC-SHA256 of the signed string, hex-encoded\n(lowercase). Use the account's webhook secret as the HMAC key,\nas a UTF-8 byte sequence.\n\n**Secret**: returned by `GET /account/webhook-secret`. The\nstring looks base64-shaped (e.g. `XNHBBW8VqoBjRfNs1tkZj11jTk...`)\nbut is NOT base64; use it AS-IS as a UTF-8 string for the HMAC\nkey. Base64-decoding before HMAC will silently produce\nmismatched signatures.\n\n**Tolerance**: by convention, reject deliveries whose `t=`\ntimestamp is more than 5 minutes off your wall-clock to defend\nagainst replay attacks. The Node SDK's helper enforces this by\ndefault.\n\n**Verification recipe** (any language):\n\n```\n1. Read the raw HTTP body (do not parse).\n2. Read `Primitive-Signature: t=<ts>,v1=<sig>`.\n3. Reject if abs(now - ts) > 300 seconds.\n4. expected = HMAC_SHA256_hex(secret_utf8, f\"{ts}.{rawBody}\")\n5. Constant-time compare expected to sig. Reject if not equal.\n```\n\nFor Node, use `verifyWebhookSignature` from\n`@primitivedotdev/sdk/webhook` (or the higher-level\n`handleWebhook` helper if you want a one-liner). For other\nlanguages, the recipe above is everything you need.\n\nTest deliveries: `POST /endpoints/{id}/test` triggers a fake\ndelivery to your endpoint URL, signed with your real account\nsecret, so you can confirm verification end-to-end without\nneeding real inbound mail. The test response carries the exact\n`signature` header value sent on the wire so you can compare\nstrings directly.\n",
 		"contact": {
 			"name": "Primitive",
 			"url": "https://primitive.dev"
@@ -1877,6 +1930,97 @@ const openapiDocument = {
 				}
 			}
 		} },
+		"/cli/signup/start": { "post": {
+			"operationId": "startCliSignup",
+			"summary": "Start CLI account signup",
+			"description": "Starts a terminal-native CLI signup. The API validates the signup code,\ncreates a pending signup session, sends an email verification code, and\nreturns an opaque signup token used by the resend and verify steps. This\nendpoint does not require an API key.\n",
+			"tags": ["CLI"],
+			"security": [],
+			"requestBody": {
+				"required": true,
+				"content": { "application/json": { "schema": { "$ref": "#/components/schemas/StartCliSignupInput" } } }
+			},
+			"responses": {
+				"201": {
+					"description": "CLI signup session created and verification email sent",
+					"headers": { "Cache-Control": {
+						"schema": { "type": "string" },
+						"description": "Always `no-store`"
+					} },
+					"content": { "application/json": { "schema": { "allOf": [{ "$ref": "#/components/schemas/SuccessEnvelope" }, {
+						"type": "object",
+						"properties": { "data": { "$ref": "#/components/schemas/CliSignupStartResult" } }
+					}] } } }
+				},
+				"400": { "$ref": "#/components/responses/ValidationError" },
+				"429": { "$ref": "#/components/responses/RateLimited" }
+			}
+		} },
+		"/cli/signup/resend": { "post": {
+			"operationId": "resendCliSignupVerification",
+			"summary": "Resend CLI signup verification code",
+			"description": "Sends a new email verification code for a pending CLI signup session.\nThis endpoint does not require an API key.\n",
+			"tags": ["CLI"],
+			"security": [],
+			"requestBody": {
+				"required": true,
+				"content": { "application/json": { "schema": { "$ref": "#/components/schemas/ResendCliSignupVerificationInput" } } }
+			},
+			"responses": {
+				"200": {
+					"description": "Verification email resent",
+					"headers": { "Cache-Control": {
+						"schema": { "type": "string" },
+						"description": "Always `no-store`"
+					} },
+					"content": { "application/json": { "schema": { "allOf": [{ "$ref": "#/components/schemas/SuccessEnvelope" }, {
+						"type": "object",
+						"properties": { "data": { "$ref": "#/components/schemas/CliSignupResendResult" } }
+					}] } } }
+				},
+				"400": {
+					"description": "Invalid token or expired token",
+					"content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } }
+				},
+				"429": {
+					"description": "Global rate limit exceeded or resend requested too quickly",
+					"headers": { "Retry-After": {
+						"schema": { "type": "integer" },
+						"description": "Seconds to wait before retrying"
+					} },
+					"content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } }
+				}
+			}
+		} },
+		"/cli/signup/verify": { "post": {
+			"operationId": "verifyCliSignup",
+			"summary": "Verify CLI signup and create API key",
+			"description": "Verifies the email code for a CLI signup session, creates the account,\nredeems the reserved signup code, mints an org-scoped CLI API key, and\nreturns the raw key exactly once. This endpoint does not require an API key.\n",
+			"tags": ["CLI"],
+			"security": [],
+			"requestBody": {
+				"required": true,
+				"content": { "application/json": { "schema": { "$ref": "#/components/schemas/VerifyCliSignupInput" } } }
+			},
+			"responses": {
+				"200": {
+					"description": "CLI signup verified and API key created",
+					"headers": { "Cache-Control": {
+						"schema": { "type": "string" },
+						"description": "Always `no-store`"
+					} },
+					"content": { "application/json": { "schema": { "allOf": [{ "$ref": "#/components/schemas/SuccessEnvelope" }, {
+						"type": "object",
+						"properties": { "data": { "$ref": "#/components/schemas/CliSignupVerifyResult" } }
+					}] } } }
+				},
+				"400": {
+					"description": "Invalid request, invalid verification code, expired token, invalid signup code, rejected password, or account creation failure",
+					"content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } }
+				},
+				"429": { "$ref": "#/components/responses/RateLimited" }
+			}
+		} },
 		"/cli/logout": { "post": {
 			"operationId": "cliLogout",
 			"summary": "Revoke the current CLI API key",
@@ -3017,7 +3161,7 @@ const openapiDocument = {
 			"post": {
 				"operationId": "createFunction",
 				"summary": "Deploy a function",
-				"description": "Creates and deploys a new function. The handler must be a single\nESM module whose default export is an object with an async\n`fetch(request, env)` method (Workers-style). The gateway\nHMAC-verifies the POST against the org's webhook secret before\ninvoking the handler; the request body parses to an\n`email.received` event (see `EmailReceivedEvent` and the\nWebhook payload section for the full schema). Code is bundled\nbefore being uploaded; ship a single self-contained file rather\nthan relying on external imports.\n\n**Code limits.** `code` is capped at 1 MiB UTF-8. `sourceMap`\n(optional) is capped at 5 MiB UTF-8 and is stored only on the\nedge runtime side; it is not persisted in Primitive's database.\n\n**Auto-wiring.** On successful deploy, Primitive automatically\ncreates a webhook endpoint that delivers inbound mail to the\nfunction. There is nothing to configure on the Endpoints API\nfor this to work; the gateway URL returned here is for\nreference only and is not directly callable from outside.\n\n**Secrets.** New functions ship with the managed secrets\n(`PRIMITIVE_WEBHOOK_SECRET`, `PRIMITIVE_API_KEY`) already\nbound. Add user-set secrets via\n`POST /functions/{id}/secrets`; secret writes only land in the\nrunning handler on the next redeploy.\n",
+				"description": "Creates and deploys a new function. The handler must be a single\nESM module whose default export is an object with an async\n`fetch(request, env)` method (Workers-style). The gateway\nHMAC-verifies the POST against the org's webhook secret before\ninvoking the handler; the request body parses to an\n`email.received` event (see `EmailReceivedEvent` and the\nWebhook payload section for the full schema). Code is bundled\nbefore being uploaded; ship a single self-contained file rather\nthan relying on external imports.\n\n**Code limits.** `code` is capped at 1 MiB UTF-8. `sourceMap`\n(optional) is capped at 5 MiB UTF-8, stored with each deployment\nattempt, and sent to the runtime so stack traces can resolve to\noriginal source files.\n\n**Auto-wiring.** On successful deploy, Primitive automatically\ncreates a webhook endpoint that delivers inbound mail to the\nfunction. There is nothing to configure on the Endpoints API\nfor this to work; the gateway URL returned here is for\nreference only and is not directly callable from outside.\n\n**Secrets.** New functions ship with the managed secrets\n(`PRIMITIVE_WEBHOOK_SECRET`, `PRIMITIVE_API_KEY`) already\nbound. Add user-set secrets via\n`POST /functions/{id}/secrets`; secret writes only land in the\nrunning handler on the next redeploy.\n",
 				"tags": ["Functions"],
 				"requestBody": {
 					"required": true,
@@ -3031,13 +3175,18 @@ const openapiDocument = {
 							"properties": { "data": { "$ref": "#/components/schemas/CreateFunctionResult" } }
 						}] } } }
 					},
-					"400": { "$ref": "#/components/responses/ValidationError" },
+					"400": {
+						"description": "Invalid request parameters or customer-correctable deploy rejection",
+						"content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } }
+					},
 					"401": { "$ref": "#/components/responses/Unauthorized" },
 					"409": {
 						"description": "A function with this name already exists in the org",
 						"content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } }
 					},
-					"502": { "$ref": "#/components/responses/BadGateway" }
+					"424": { "$ref": "#/components/responses/DeployFailed" },
+					"429": { "$ref": "#/components/responses/DeployFailed" },
+					"503": { "$ref": "#/components/responses/DeployFailed" }
 				}
 			}
 		},
@@ -3063,7 +3212,7 @@ const openapiDocument = {
 			"put": {
 				"operationId": "updateFunction",
 				"summary": "Update and redeploy a function",
-				"description": "Replaces the function's source code with the body's `code` and\ntriggers a redeploy. Same size limits as `POST /functions`.\nUse this verb to push secret writes into the running handler:\npassing the same `code` re-runs the deploy and refreshes the\nbinding set with the latest values from the secrets table.\n\nOn a 502 deploy failure, the previously-deployed code stays\nlive; the runtime never serves a half-built bundle. The\n`deploy_error` field on the returned record carries the error\nthat came back from the runtime so you can surface it to users\nwithout polling.\n",
+				"description": "Replaces the function's source code with the body's `code` and\ntriggers a redeploy. Same size limits as `POST /functions`.\nUse this verb to push secret writes into the running handler:\npassing the same `code` re-runs the deploy and refreshes the\nbinding set with the latest values from the secrets table.\n\nOn deploy failure, the previously-deployed code stays live; the\nruntime never serves a half-built bundle. The response uses\n`error.code` `deploy_failed`, and the function's `deploy_error`\nfield carries the latest deploy error for dashboard/API reads.\n",
 				"tags": ["Functions"],
 				"requestBody": {
 					"required": true,
@@ -3077,10 +3226,15 @@ const openapiDocument = {
 							"properties": { "data": { "$ref": "#/components/schemas/FunctionDetail" } }
 						}] } } }
 					},
-					"400": { "$ref": "#/components/responses/ValidationError" },
+					"400": {
+						"description": "Invalid request parameters or customer-correctable deploy rejection",
+						"content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } }
+					},
 					"401": { "$ref": "#/components/responses/Unauthorized" },
 					"404": { "$ref": "#/components/responses/NotFound" },
-					"502": { "$ref": "#/components/responses/BadGateway" }
+					"424": { "$ref": "#/components/responses/DeployFailed" },
+					"429": { "$ref": "#/components/responses/DeployFailed" },
+					"503": { "$ref": "#/components/responses/DeployFailed" }
 				}
 			},
 			"delete": {
@@ -3399,6 +3553,19 @@ const openapiDocument = {
 					}
 				} }
 			},
+			"DeployFailed": {
+				"description": "Function deploy could not be completed; previously deployed code remains live",
+				"content": { "application/json": {
+					"schema": { "$ref": "#/components/schemas/ErrorResponse" },
+					"example": {
+						"success": false,
+						"error": {
+							"code": "deploy_failed",
+							"message": "Function deploy failed"
+						}
+					}
+				} }
+			},
 			"RateLimited": {
 				"description": "Rate limit exceeded",
 				"headers": { "Retry-After": {
@@ -3758,6 +3925,162 @@ const openapiDocument = {
 					"org_name"
 				]
 			},
+			"StartCliSignupInput": {
+				"type": "object",
+				"additionalProperties": false,
+				"properties": {
+					"email": {
+						"type": "string",
+						"format": "email",
+						"maxLength": 254
+					},
+					"signup_code": {
+						"type": "string",
+						"minLength": 1,
+						"maxLength": 128
+					},
+					"terms_accepted": {
+						"type": "boolean",
+						"const": true,
+						"description": "Must be true to confirm acceptance of Primitive's Terms of Service and Privacy Policy"
+					},
+					"device_name": {
+						"type": "string",
+						"minLength": 1,
+						"maxLength": 80,
+						"description": "Human-readable device name used for the created CLI API key"
+					},
+					"metadata": {
+						"type": "object",
+						"additionalProperties": true,
+						"description": "Optional client metadata stored with the signup session; serialized JSON must be 2048 bytes or fewer"
+					}
+				},
+				"required": [
+					"email",
+					"signup_code",
+					"terms_accepted"
+				]
+			},
+			"CliSignupStartResult": {
+				"type": "object",
+				"properties": {
+					"signup_token": {
+						"type": "string",
+						"description": "Opaque token used to verify or resend the pending CLI signup"
+					},
+					"email": {
+						"type": "string",
+						"format": "email"
+					},
+					"expires_in": {
+						"type": "integer",
+						"description": "Seconds until the pending signup expires"
+					},
+					"resend_after": {
+						"type": "integer",
+						"description": "Minimum seconds before requesting another verification email"
+					},
+					"verification_code_length": {
+						"type": "integer",
+						"description": "Number of digits in the emailed verification code"
+					}
+				},
+				"required": [
+					"signup_token",
+					"email",
+					"expires_in",
+					"resend_after",
+					"verification_code_length"
+				]
+			},
+			"ResendCliSignupVerificationInput": {
+				"type": "object",
+				"additionalProperties": false,
+				"properties": { "signup_token": {
+					"type": "string",
+					"minLength": 1
+				} },
+				"required": ["signup_token"]
+			},
+			"CliSignupResendResult": {
+				"type": "object",
+				"properties": {
+					"email": {
+						"type": "string",
+						"format": "email"
+					},
+					"expires_in": {
+						"type": "integer",
+						"description": "Seconds until the pending signup expires"
+					},
+					"resend_after": {
+						"type": "integer",
+						"description": "Minimum seconds before requesting another verification email"
+					},
+					"verification_code_length": {
+						"type": "integer",
+						"description": "Number of digits in the emailed verification code"
+					}
+				},
+				"required": [
+					"email",
+					"expires_in",
+					"resend_after",
+					"verification_code_length"
+				]
+			},
+			"VerifyCliSignupInput": {
+				"type": "object",
+				"additionalProperties": false,
+				"properties": {
+					"signup_token": {
+						"type": "string",
+						"minLength": 1
+					},
+					"verification_code": {
+						"type": "string",
+						"minLength": 1,
+						"maxLength": 32
+					},
+					"password": {
+						"type": "string",
+						"minLength": 1,
+						"maxLength": 1024
+					}
+				},
+				"required": [
+					"signup_token",
+					"verification_code",
+					"password"
+				]
+			},
+			"CliSignupVerifyResult": {
+				"type": "object",
+				"properties": {
+					"api_key": {
+						"type": "string",
+						"description": "Newly-created API key for CLI authentication"
+					},
+					"key_id": {
+						"type": "string",
+						"format": "uuid"
+					},
+					"key_prefix": { "type": "string" },
+					"org_id": {
+						"type": "string",
+						"format": "uuid"
+					},
+					"org_name": { "type": ["string", "null"] }
+				},
+				"required": [
+					"api_key",
+					"key_id",
+					"key_prefix",
+					"org_id",
+					"org_name"
+				]
+			},
 			"CliLogoutInput": {
 				"type": "object",
 				"additionalProperties": false,
@@ -5224,7 +5547,7 @@ const openapiDocument = {
 						"type": "string",
 						"minLength": 1,
 						"maxLength": 5242880,
-						"description": "Optional source map for the bundle. Up to 5 MiB UTF-8.\nStored only on the runtime side (not in Primitive's\ndatabase) and used to symbolicate stack traces in the\nfunction's logs.\n"
+						"description": "Optional source map for the bundle. Up to 5 MiB UTF-8.\nStored with the deployment attempt and sent to the runtime\nto symbolicate stack traces in the function's logs.\n"
 					}
 				},
 				"required": ["name", "code"]
@@ -5756,6 +6079,58 @@ const operationManifest = [
 		"tag": "CLI",
 		"tagCommand": "cli"
 	},
+	{
+		"binaryResponse": false,
+		"bodyRequired": true,
+		"command": "resend-cli-signup-verification",
+		"description": "Sends a new email verification code for a pending CLI signup session.\nThis endpoint does not require an API key.\n",
+		"hasJsonBody": true,
+		"method": "POST",
+		"operationId": "resendCliSignupVerification",
+		"path": "/cli/signup/resend",
+		"pathParams": [],
+		"queryParams": [],
+		"requestSchema": {
+			"type": "object",
+			"additionalProperties": false,
+			"properties": { "signup_token": {
+				"type": "string",
+				"minLength": 1
+			} },
+			"required": ["signup_token"]
+		},
+		"responseSchema": {
+			"type": "object",
+			"properties": {
+				"email": {
+					"type": "string",
+					"format": "email"
+				},
+				"expires_in": {
+					"type": "integer",
+					"description": "Seconds until the pending signup expires"
+				},
+				"resend_after": {
+					"type": "integer",
+					"description": "Minimum seconds before requesting another verification email"
+				},
+				"verification_code_length": {
+					"type": "integer",
+					"description": "Number of digits in the emailed verification code"
+				}
+			},
+			"required": [
+				"email",
+				"expires_in",
+				"resend_after",
+				"verification_code_length"
+			]
+		},
+		"sdkName": "resendCliSignupVerification",
+		"summary": "Resend CLI signup verification code",
+		"tag": "CLI",
+		"tagCommand": "cli"
+	},
 	{
 		"binaryResponse": false,
 		"bodyRequired": false,
@@ -5822,8 +6197,160 @@ const operationManifest = [
 				"interval"
 			]
 		},
-		"sdkName": "startCliLogin",
-		"summary": "Start CLI browser login",
+		"sdkName": "startCliLogin",
+		"summary": "Start CLI browser login",
+		"tag": "CLI",
+		"tagCommand": "cli"
+	},
+	{
+		"binaryResponse": false,
+		"bodyRequired": true,
+		"command": "start-cli-signup",
+		"description": "Starts a terminal-native CLI signup. The API validates the signup code,\ncreates a pending signup session, sends an email verification code, and\nreturns an opaque signup token used by the resend and verify steps. This\nendpoint does not require an API key.\n",
+		"hasJsonBody": true,
+		"method": "POST",
+		"operationId": "startCliSignup",
+		"path": "/cli/signup/start",
+		"pathParams": [],
+		"queryParams": [],
+		"requestSchema": {
+			"type": "object",
+			"additionalProperties": false,
+			"properties": {
+				"email": {
+					"type": "string",
+					"format": "email",
+					"maxLength": 254
+				},
+				"signup_code": {
+					"type": "string",
+					"minLength": 1,
+					"maxLength": 128
+				},
+				"terms_accepted": {
+					"type": "boolean",
+					"const": true,
+					"description": "Must be true to confirm acceptance of Primitive's Terms of Service and Privacy Policy"
+				},
+				"device_name": {
+					"type": "string",
+					"minLength": 1,
+					"maxLength": 80,
+					"description": "Human-readable device name used for the created CLI API key"
+				},
+				"metadata": {
+					"type": "object",
+					"additionalProperties": true,
+					"description": "Optional client metadata stored with the signup session; serialized JSON must be 2048 bytes or fewer"
+				}
+			},
+			"required": [
+				"email",
+				"signup_code",
+				"terms_accepted"
+			]
+		},
+		"responseSchema": {
+			"type": "object",
+			"properties": {
+				"signup_token": {
+					"type": "string",
+					"description": "Opaque token used to verify or resend the pending CLI signup"
+				},
+				"email": {
+					"type": "string",
+					"format": "email"
+				},
+				"expires_in": {
+					"type": "integer",
+					"description": "Seconds until the pending signup expires"
+				},
+				"resend_after": {
+					"type": "integer",
+					"description": "Minimum seconds before requesting another verification email"
+				},
+				"verification_code_length": {
+					"type": "integer",
+					"description": "Number of digits in the emailed verification code"
+				}
+			},
+			"required": [
+				"signup_token",
+				"email",
+				"expires_in",
+				"resend_after",
+				"verification_code_length"
+			]
+		},
+		"sdkName": "startCliSignup",
+		"summary": "Start CLI account signup",
+		"tag": "CLI",
+		"tagCommand": "cli"
+	},
+	{
+		"binaryResponse": false,
+		"bodyRequired": true,
+		"command": "verify-cli-signup",
+		"description": "Verifies the email code for a CLI signup session, creates the account,\nredeems the reserved signup code, mints an org-scoped CLI API key, and\nreturns the raw key exactly once. This endpoint does not require an API key.\n",
+		"hasJsonBody": true,
+		"method": "POST",
+		"operationId": "verifyCliSignup",
+		"path": "/cli/signup/verify",
+		"pathParams": [],
+		"queryParams": [],
+		"requestSchema": {
+			"type": "object",
+			"additionalProperties": false,
+			"properties": {
+				"signup_token": {
+					"type": "string",
+					"minLength": 1
+				},
+				"verification_code": {
+					"type": "string",
+					"minLength": 1,
+					"maxLength": 32
+				},
+				"password": {
+					"type": "string",
+					"minLength": 1,
+					"maxLength": 1024
+				}
+			},
+			"required": [
+				"signup_token",
+				"verification_code",
+				"password"
+			]
+		},
+		"responseSchema": {
+			"type": "object",
+			"properties": {
+				"api_key": {
+					"type": "string",
+					"description": "Newly-created API key for CLI authentication"
+				},
+				"key_id": {
+					"type": "string",
+					"format": "uuid"
+				},
+				"key_prefix": { "type": "string" },
+				"org_id": {
+					"type": "string",
+					"format": "uuid"
+				},
+				"org_name": { "type": ["string", "null"] }
+			},
+			"required": [
+				"api_key",
+				"key_id",
+				"key_prefix",
+				"org_id",
+				"org_name"
+			]
+		},
+		"sdkName": "verifyCliSignup",
+		"summary": "Verify CLI signup and create API key",
 		"tag": "CLI",
 		"tagCommand": "cli"
 	},
@@ -7497,7 +8024,7 @@ const operationManifest = [
 		"binaryResponse": false,
 		"bodyRequired": true,
 		"command": "create-function",
-		"description": "Creates and deploys a new function. The handler must be a single\nESM module whose default export is an object with an async\n`fetch(request, env)` method (Workers-style). The gateway\nHMAC-verifies the POST against the org's webhook secret before\ninvoking the handler; the request body parses to an\n`email.received` event (see `EmailReceivedEvent` and the\nWebhook payload section for the full schema). Code is bundled\nbefore being uploaded; ship a single self-contained file rather\nthan relying on external imports.\n\n**Code limits.** `code` is capped at 1 MiB UTF-8. `sourceMap`\n(optional) is capped at 5 MiB UTF-8 and is stored only on the\nedge runtime side; it is not persisted in Primitive's database.\n\n**Auto-wiring.** On successful deploy, Primitive automatically\ncreates a webhook endpoint that delivers inbound mail to the\nfunction. There is nothing to configure on the Endpoints API\nfor this to work; the gateway URL returned here is for\nreference only and is not directly callable from outside.\n\n**Secrets.** New functions ship with the managed secrets\n(`PRIMITIVE_WEBHOOK_SECRET`, `PRIMITIVE_API_KEY`) already\nbound. Add user-set secrets via\n`POST /functions/{id}/secrets`; secret writes only land in the\nrunning handler on the next redeploy.\n",
+		"description": "Creates and deploys a new function. The handler must be a single\nESM module whose default export is an object with an async\n`fetch(request, env)` method (Workers-style). The gateway\nHMAC-verifies the POST against the org's webhook secret before\ninvoking the handler; the request body parses to an\n`email.received` event (see `EmailReceivedEvent` and the\nWebhook payload section for the full schema). Code is bundled\nbefore being uploaded; ship a single self-contained file rather\nthan relying on external imports.\n\n**Code limits.** `code` is capped at 1 MiB UTF-8. `sourceMap`\n(optional) is capped at 5 MiB UTF-8, stored with each deployment\nattempt, and sent to the runtime so stack traces can resolve to\noriginal source files.\n\n**Auto-wiring.** On successful deploy, Primitive automatically\ncreates a webhook endpoint that delivers inbound mail to the\nfunction. There is nothing to configure on the Endpoints API\nfor this to work; the gateway URL returned here is for\nreference only and is not directly callable from outside.\n\n**Secrets.** New functions ship with the managed secrets\n(`PRIMITIVE_WEBHOOK_SECRET`, `PRIMITIVE_API_KEY`) already\nbound. Add user-set secrets via\n`POST /functions/{id}/secrets`; secret writes only land in the\nrunning handler on the next redeploy.\n",
 		"hasJsonBody": true,
 		"method": "POST",
 		"operationId": "createFunction",
@@ -7523,7 +8050,7 @@ const operationManifest = [
 					"type": "string",
 					"minLength": 1,
 					"maxLength": 5242880,
-					"description": "Optional source map for the bundle. Up to 5 MiB UTF-8.\nStored only on the runtime side (not in Primitive's\ndatabase) and used to symbolicate stack traces in the\nfunction's logs.\n"
+					"description": "Optional source map for the bundle. Up to 5 MiB UTF-8.\nStored with the deployment attempt and sent to the runtime\nto symbolicate stack traces in the function's logs.\n"
 				}
 			},
 			"required": ["name", "code"]
@@ -8127,7 +8654,7 @@ const operationManifest = [
 		"binaryResponse": false,
 		"bodyRequired": true,
 		"command": "update-function",
-		"description": "Replaces the function's source code with the body's `code` and\ntriggers a redeploy. Same size limits as `POST /functions`.\nUse this verb to push secret writes into the running handler:\npassing the same `code` re-runs the deploy and refreshes the\nbinding set with the latest values from the secrets table.\n\nOn a 502 deploy failure, the previously-deployed code stays\nlive; the runtime never serves a half-built bundle. The\n`deploy_error` field on the returned record carries the error\nthat came back from the runtime so you can surface it to users\nwithout polling.\n",
+		"description": "Replaces the function's source code with the body's `code` and\ntriggers a redeploy. Same size limits as `POST /functions`.\nUse this verb to push secret writes into the running handler:\npassing the same `code` re-runs the deploy and refreshes the\nbinding set with the latest values from the secrets table.\n\nOn deploy failure, the previously-deployed code stays live; the\nruntime never serves a half-built bundle. The response uses\n`error.code` `deploy_failed`, and the function's `deploy_error`\nfield carries the latest deploy error for dashboard/API reads.\n",
 		"hasJsonBody": true,
 		"method": "PUT",
 		"operationId": "updateFunction",
@@ -9386,7 +9913,7 @@ const CREDENTIALS_FILE = "credentials.json";
 const CREDENTIALS_LOCK_DIR = "credentials.lock";
 const CREDENTIALS_LOCK_STALE_MS = 1800 * 1e3;
 const MALFORMED_CREDENTIALS_HINT = "Run `primitive logout` and then `primitive login`.";
-function isRecord(value) {
+function isRecord$1(value) {
 	return value !== null && typeof value === "object" && !Array.isArray(value);
 }
 function requireString(value, key) {
@@ -9409,7 +9936,7 @@ var StaleCredentialFormatError = class extends Error {
 	}
 };
 function parseCredentials(raw) {
-	if (!isRecord(raw)) throw new Error(`Stored Primitive CLI credentials are malformed: expected a JSON object. ${MALFORMED_CREDENTIALS_HINT}`);
+	if (!isRecord$1(raw)) throw new Error(`Stored Primitive CLI credentials are malformed: expected a JSON object. ${MALFORMED_CREDENTIALS_HINT}`);
 	if (typeof raw.api_base_url_1 !== "string" && typeof raw.base_url === "string") throw new StaleCredentialFormatError();
 	const orgName = raw.org_name;
 	if (orgName !== null && typeof orgName !== "string") throw new Error(`Stored Primitive CLI credentials are malformed: org_name must be a string or null. ${MALFORMED_CREDENTIALS_HINT}`);
@@ -9582,7 +10109,7 @@ function formatFunctionEndpointRedirect(match) {
 	return [
 		"This is a function endpoint. Function endpoints are tested differently. Run:",
 		"",
-		`    primitive functions:test-function --id ${match.functionId}`,
+		`    primitive functions test --id ${match.functionId}`,
 		"",
 		`(pass the function id, not the endpoint id. endpoint_id=${match.endpointId} function_id=${match.functionId})`
 	].join("\n");
@@ -9597,6 +10124,32 @@ async function maybeWriteFunctionEndpointRedirect(inputs) {
 	return match;
 }
 //#endregion
+//#region src/oclif/idempotent-replay-banner.ts
+/**
+* If `data` carries `idempotent_replay: true`, write a multi-line
+* stderr banner explaining the replay condition and what the caller
+* can do to bypass it. Otherwise no-op.
+*/
+function writeIdempotentReplayBannerIfReplay(data, options) {
+	if (!isReplay(data)) return;
+	const probe = data;
+	const rowId = typeof probe.id === "string" ? probe.id : null;
+	const status = typeof probe.status === "string" ? probe.status : null;
+	const deliveryStatus = typeof probe.delivery_status === "string" ? probe.delivery_status : null;
+	const lines = ["note: idempotent replay. this exact send already happened earlier.", "      no new MX traffic was generated by this call. nothing new will arrive in any inbox."];
+	if (rowId) lines.push(`      cached row id: ${rowId}`);
+	if (status || deliveryStatus) {
+		const parts = [status ? `status=${status}` : null, deliveryStatus && deliveryStatus !== status ? `delivery_status=${deliveryStatus}` : null].filter((part) => part !== null);
+		if (parts.length > 0) lines.push(`      original ${parts.join(", ")}`);
+	}
+	lines.push("      to send a fresh copy: vary any field (subject, body, etc.) or", "      pass a unique Idempotency-Key on the underlying API call.");
+	options.write(`${lines.join("\n")}\n`);
+}
+function isReplay(data) {
+	if (data === null || typeof data !== "object") return false;
+	return data.idempotent_replay === true;
+}
+//#endregion
 //#region src/oclif/api-command.ts
 const API_ERROR_CODES = {
 	accessDenied: "access_denied",
@@ -9727,26 +10280,26 @@ function coerceParameterValue(parameter, value) {
 	if (typeof value === "boolean" || typeof value === "number" || typeof value === "string") return value;
 	throw new Errors.CLIError(`Unsupported flag value for --${parameter.name}`);
 }
-function cliError$4(message) {
+function cliError$5(message) {
 	return new Errors.CLIError(message, { exit: 1 });
 }
 function parseJson(source, flagLabel) {
 	try {
 		return JSON.parse(source);
 	} catch (error) {
-		throw cliError$4(`${flagLabel} is not valid JSON: ${error instanceof Error ? error.message : String(error)}`);
+		throw cliError$5(`${flagLabel} is not valid JSON: ${error instanceof Error ? error.message : String(error)}`);
 	}
 }
 function readJsonBody(flags) {
 	const bodyFile = flags["body-file"];
 	const rawBody = flags["raw-body"];
-	if (bodyFile && rawBody) throw cliError$4("Use either --raw-body or --body-file, not both");
+	if (bodyFile && rawBody) throw cliError$5("Use either --raw-body or --body-file, not both");
 	if (typeof bodyFile === "string") {
 		let contents;
 		try {
 			contents = readFileSync(bodyFile, "utf8");
 		} catch (error) {
-			throw cliError$4(`Could not read --body-file ${bodyFile}: ${error instanceof Error ? error.message : String(error)}`);
+			throw cliError$5(`Could not read --body-file ${bodyFile}: ${error instanceof Error ? error.message : String(error)}`);
 		}
 		return parseJson(contents, `--body-file ${bodyFile}`);
 	}
@@ -9756,7 +10309,7 @@ function readTextFileFlag(path, flagLabel) {
 	try {
 		return readFileSync(path, "utf8");
 	} catch (error) {
-		throw cliError$4(`Could not read ${flagLabel} ${path}: ${error instanceof Error ? error.message : String(error)}`);
+		throw cliError$5(`Could not read ${flagLabel} ${path}: ${error instanceof Error ? error.message : String(error)}`);
 	}
 }
 function extractErrorPayload(raw) {
@@ -9928,14 +10481,14 @@ function collectValues(parameters, flags) {
 	return values;
 }
 const OPERATION_HINTS = {
-	createFunction: "Tip: prefer `primitive functions:deploy --name <name> --file <bundle>` for file-input ergonomics. This raw command exists for callers passing JSON.",
-	updateFunction: "Tip: prefer `primitive functions:redeploy --id <id> --file <bundle>` for file-input ergonomics. This raw command exists for callers passing JSON.",
-	createFunctionSecret: "Tip: prefer `primitive functions:set-secret --id <id> --key <KEY> --value <value> [--redeploy]` for secret writes that also push the binding live. This raw command exists for callers passing JSON.",
-	setFunctionSecret: "Tip: prefer `primitive functions:set-secret --id <id> --key <KEY> --value <value> [--redeploy]` for secret writes that also push the binding live. This raw command exists for callers passing JSON."
+	createFunction: "Tip: prefer `primitive functions deploy --name <name> --file <bundle>` for file-input ergonomics. This raw command exists for callers passing JSON.",
+	updateFunction: "Tip: prefer `primitive functions redeploy --id <id> --file <bundle>` for file-input ergonomics. This raw command exists for callers passing JSON.",
+	createFunctionSecret: "Tip: prefer `primitive functions set-secret --id <id> --key <KEY> --value <value> [--redeploy]` for secret writes that also push the binding live. This raw command exists for callers passing JSON.",
+	setFunctionSecret: "Tip: prefer `primitive functions set-secret --id <id> --key <KEY> --value <value> [--redeploy]` for secret writes that also push the binding live. This raw command exists for callers passing JSON."
 };
 function createOperationCommand(operation) {
 	const { flags, bodyFieldFlagToProperty } = buildFlags(operation);
-	const baseDescription = operation.description ?? `${operation.method} ${operation.path}`;
+	const baseDescription = operation.description !== null && operation.description !== void 0 ? canonicalizeCliReferences(operation.description) : `${operation.method} ${operation.path}`;
 	const schemaSummary = operation.hasJsonBody ? renderRequestSchemaSummary(operation.requestSchema) : null;
 	const hint = OPERATION_HINTS[operation.sdkName];
 	const descriptionWithSchema = schemaSummary ? `${baseDescription}\n\n${schemaSummary}` : baseDescription;
@@ -10031,6 +10584,9 @@ function createOperationCommand(operation) {
 					const hint = EMPTY_RESULT_HINTS[operation.sdkName];
 					if (hint) process.stderr.write(`${hint}\n`);
 				}
+				writeIdempotentReplayBannerIfReplay(envelope?.data, { write: (chunk) => {
+					process.stderr.write(chunk);
+				} });
 				this.log(JSON.stringify(envelope?.data ?? null, null, 2));
 			});
 		}
@@ -10038,12 +10594,15 @@ function createOperationCommand(operation) {
 	return OperationCommand;
 }
 const EMPTY_RESULT_HINTS = {
-	listDeliveries: "(no results) No webhook deliveries logged yet. If you have an endpoint configured but expected to see test fires here: test deliveries from `primitive endpoints:test-endpoint` are NOT logged in this list, they're synchronous and visible only in the test-endpoint command's response. Real deliveries are logged when an inbound `email.received` event fans out to your endpoints. If you have no endpoints, run `primitive endpoints:list-endpoints` to check.",
-	listEndpoints: "(no results) No webhook endpoints configured. Add one with `primitive endpoints:create-endpoint --url <your-url>`.",
-	listEmails: "(no results) No inbound emails received yet on this account. Send one to a verified domain to populate this list. For a compact view, prefer `primitive emails:latest`.",
-	listDomains: "(no results) No domains on this account. Add one with `primitive domains:add-domain --domain <yourdomain.example>`.",
+	listDeliveries: "(no results) No webhook deliveries logged yet. If you have an endpoint configured but expected to see test fires here: test deliveries from `primitive endpoints test` are NOT logged in this list, they're synchronous and visible only in the test-endpoint command's response. Real deliveries are logged when an inbound `email.received` event fans out to your endpoints. If you have no endpoints, run `primitive endpoints list` to check.",
+	listEndpoints: "(no results) No webhook endpoints configured. Add one with `primitive endpoints create --url <your-url>`.",
+	listEmails: "(no results) No inbound emails received yet on this account. Send one to a verified domain to populate this list. For a compact view, prefer `primitive emails latest`.",
+	listDomains: "(no results) No domains on this account. Add one with `primitive domains add --domain <yourdomain.example>`.",
 	listFilters: "(no results) No filter rules configured."
 };
+function canonicalizeCliReferences(description) {
+	return description.replaceAll("`primitive emails:latest`", "`primitive emails latest`").replaceAll("`primitive describe emails:get-email | jq '.responseSchema.properties'`", "`primitive describe emails:get | jq '.responseSchema.properties'`");
+}
 //#endregion
 //#region src/oclif/commands/doctor.ts
 const MIN_NODE_MAJOR = 22;
@@ -10204,7 +10763,7 @@ async function checkDomains(opts) {
 		if (result.error) return {
 			status: "warn",
 			message: "could not list domains",
-			hint: "Run `primitive domains:list-domains` for the full error envelope."
+			hint: "Run `primitive domains list` for the full error envelope."
 		};
 		const rows = result.data?.data ?? [];
 		const active = rows.filter((row) => row.is_active === true);
@@ -10216,7 +10775,7 @@ async function checkDomains(opts) {
 		if (active.length === 0) return {
 			status: "warn",
 			message: `${rows.length} domain(s), none active`,
-			hint: "Run `primitive domains:verify-domain --id <id>` for any domain you intend to send / receive on."
+			hint: "Run `primitive domains verify --id <id>` for any domain you intend to send / receive on."
 		};
 		return {
 			status: "ok",
@@ -10345,11 +10904,11 @@ function formatHeader(idWidth) {
 	return `${"ID".padEnd(idWidth)}  ${"RECEIVED (UTC)".padEnd(RECEIVED_DISPLAY_WIDTH)}  ${"FROM".padEnd(ADDRESS_DISPLAY_WIDTH)}  ${"TO".padEnd(ADDRESS_DISPLAY_WIDTH)}  SUBJECT`;
 }
 var EmailsLatestCommand = class EmailsLatestCommand extends Command {
-	static description = `Print the N most recent inbound emails as a one-line-per-row text table. Designed for quick triage and visual scanning. For programmatic access, use \`primitive emails:list-emails\` (full JSON envelope, cursor pagination, filters) or pass \`--json\` here for the same raw shape without pagination/filters.
+	static description = `Print the N most recent inbound emails as a one-line-per-row text table. Designed for quick triage and visual scanning. For programmatic access, use \`primitive emails list\` (full JSON envelope, cursor pagination, filters) or pass \`--json\` here for the same raw shape without pagination/filters.
 
   ID display is TTY-aware. When STDOUT is a terminal, the table truncates each row's id to the first ${ID_DISPLAY_WIDTH_SHORT} characters for readability. When STDOUT is piped or redirected (the row stream is being consumed by another command), the full UUID is printed so the id can be fed straight back into \`emails:get-email\`, \`emails:delete-email\`, etc. without a separate \`--json\` round-trip.
 
-  Output streams: the column header line is written to STDERR so the row data on STDOUT stays grep/awk-friendly. \`--json\` writes everything (including the envelope) to STDOUT and is equivalent to running \`emails:list-emails --limit N\` for the same N.`;
+  Output streams: the column header line is written to STDERR so the row data on STDOUT stays grep/awk-friendly. \`--json\` writes everything (including the envelope) to STDOUT and is equivalent to running \`emails list --limit N\` for the same N.`;
 	static summary = "Show the most recent inbound emails as a compact table";
 	static examples = [
 		"<%= config.bin %> emails latest",
@@ -10529,7 +11088,7 @@ function sleep$1(ms) {
 //#endregion
 //#region src/oclif/commands/emails-wait.ts
 const DEFAULT_WAIT_TIMEOUT_SECONDS$1 = 300;
-function cliError$3(message) {
+function cliError$4(message) {
 	return new Errors.CLIError(message, { exit: 1 });
 }
 var EmailsWaitCommand = class EmailsWaitCommand extends Command {
@@ -10609,7 +11168,7 @@ var EmailsWaitCommand = class EmailsWaitCommand extends Command {
 		try {
 			since = sinceFromFlags(flags);
 		} catch (error) {
-			throw cliError$3(error instanceof Error ? error.message : String(error));
+			throw cliError$4(error instanceof Error ? error.message : String(error));
 		}
 		const filters = filtersFromFlags(flags);
 		const deadline = flags.timeout === 0 ? null : Date.now() + flags.timeout * 1e3;
@@ -10660,7 +11219,7 @@ var EmailsWaitCommand = class EmailsWaitCommand extends Command {
 };
 //#endregion
 //#region src/oclif/commands/emails-watch.ts
-function cliError$2(message) {
+function cliError$3(message) {
 	return new Errors.CLIError(message, { exit: 1 });
 }
 var EmailsWatchCommand = class EmailsWatchCommand extends Command {
@@ -10737,7 +11296,7 @@ var EmailsWatchCommand = class EmailsWatchCommand extends Command {
 		try {
 			since = sinceFromFlags(flags);
 		} catch (error) {
-			throw cliError$2(error instanceof Error ? error.message : String(error));
+			throw cliError$3(error instanceof Error ? error.message : String(error));
 		}
 		const filters = filtersFromFlags(flags);
 		const deadline = flags.seconds ? Date.now() + flags.seconds * 1e3 : null;
@@ -10967,14 +11526,14 @@ var FunctionsDeployCommand = class FunctionsDeployCommand extends Command {
   final update-function with the same bundle so the running handler
   picks up the bindings. If a secret write fails after the create
   step the function exists with whatever secrets succeeded and the
-  redeploy has NOT fired; re-run \`primitive functions:set-secret\`
-  for the missing keys, then \`primitive functions:redeploy\` to
+  redeploy has NOT fired; re-run \`primitive functions set-secret\`
+  for the missing keys, then \`primitive functions redeploy\` to
   push them live.`;
 	static summary = "Deploy a new function from a bundled handler file";
 	static examples = [
-		"<%= config.bin %> functions:deploy --name forwarder --file ./bundle.js",
-		"<%= config.bin %> functions:deploy --name forwarder --file ./bundle.js --source-map-file ./bundle.js.map",
-		"<%= config.bin %> functions:deploy --name forwarder --file ./bundle.js --secret OPENAI_KEY=sk-... --secret OWNER_EMAIL=me@example.com"
+		"<%= config.bin %> functions deploy --name forwarder --file ./bundle.js",
+		"<%= config.bin %> functions deploy --name forwarder --file ./bundle.js --source-map-file ./bundle.js.map",
+		"<%= config.bin %> functions deploy --name forwarder --file ./bundle.js --secret OPENAI_KEY=sk-... --secret OWNER_EMAIL=me@example.com"
 	];
 	static flags = {
 		"api-key": Flags.string({
@@ -10999,7 +11558,7 @@ var FunctionsDeployCommand = class FunctionsDeployCommand extends Command {
 			description: "Path to the bundled ESM handler file (single self-contained module). Loaded as the `code` body field.",
 			required: true
 		}),
-		"source-map-file": Flags.string({ description: "Optional path to a source map for the bundle. Stored only on the runtime side and used to symbolicate stack traces." }),
+		"source-map-file": Flags.string({ description: "Optional path to a source map for the bundle. Stored with the deployment attempt and used to symbolicate stack traces in function logs." }),
 		secret: Flags.string({
 			description: `Secret KEY=VALUE to seed on the deployed function. Repeatable. KEY must match \`^[A-Z_][A-Z0-9_]*$\`; VALUE may contain \`=\` (only the first \`=\` is treated as a delimiter). Each KEY may only appear once per command. Passing one or more --secret flags fans out the deploy to create-function, set-secret per pair, then a final redeploy so the running handler picks up the bindings. ${SECRET_FLAG_SECURITY_NOTE}`,
 			multiple: true
@@ -11074,10 +11633,10 @@ var FunctionsDeployCommand = class FunctionsDeployCommand extends Command {
 					const succeeded = outcome.succeededKeys.length > 0 ? outcome.succeededKeys.join(", ") : "(none)";
 					const pending = outcome.pendingKeys.length > 0 ? outcome.pendingKeys.join(", ") : "(none)";
 					const allMissing = [outcome.failedKey, ...outcome.pendingKeys].join(", ");
-					process.stderr.write(`Function ${outcome.created.name} (${outcome.created.id}) was created, but writing secret ${outcome.failedKey} failed; succeeded keys so far: ${succeeded}; keys not yet attempted: ${pending}. The redeploy is NOT yet live. Re-run \`primitive functions:set-secret\` for each of [${allMissing}], then \`primitive functions:redeploy --id ${outcome.created.id} --file <bundle>\` to push them live.\n`);
+					process.stderr.write(`Function ${outcome.created.name} (${outcome.created.id}) was created, but writing secret ${outcome.failedKey} failed; succeeded keys so far: ${succeeded}; keys not yet attempted: ${pending}. The redeploy is NOT yet live. Re-run \`primitive functions set-secret\` for each of [${allMissing}], then \`primitive functions redeploy --id ${outcome.created.id} --file <bundle>\` to push them live.\n`);
 				} else if (outcome.stage === "redeploy") {
 					const succeeded = outcome.succeededKeys.length > 0 ? outcome.succeededKeys.join(", ") : "(none)";
-					process.stderr.write(`Function ${outcome.created.name} (${outcome.created.id}) was created and secrets [${succeeded}] were written, but the final redeploy failed; the new bindings are NOT yet live. Re-run \`primitive functions:redeploy --id ${outcome.created.id} --file <bundle>\` once the cause is fixed.\n`);
+					process.stderr.write(`Function ${outcome.created.name} (${outcome.created.id}) was created and secrets [${succeeded}] were written, but the final redeploy failed; the new bindings are NOT yet live. Re-run \`primitive functions redeploy --id ${outcome.created.id} --file <bundle>\` once the cause is fixed.\n`);
 				}
 				writeErrorWithHints(outcome.payload);
 				removeStaleSavedCredentialOnUnauthorized({
@@ -11094,8 +11653,8 @@ var FunctionsDeployCommand = class FunctionsDeployCommand extends Command {
 };
 //#endregion
 //#region src/oclif/commands/functions-init.ts
-const SDK_VERSION_RANGE = "^0.27.1";
-const CLI_VERSION_RANGE = "^0.26.0";
+const SDK_VERSION_RANGE = "^0.28.0";
+const CLI_VERSION_RANGE = "^0.28.0";
 const ESBUILD_VERSION_RANGE = "^0.27.0";
 const VALID_NAME = /^[a-z0-9][a-z0-9_-]{0,62}$/;
 function isValidFunctionName(name) {
@@ -11240,8 +11799,8 @@ function renderPackageJson(name) {
 		type: "module",
 		scripts: {
 			build: "node build.mjs",
-			deploy: `npm run build && primitive functions:deploy --name ${name} --file ./dist/handler.js`,
-			redeploy: "npm run build && primitive functions:redeploy --id $PRIMITIVE_FUNCTION_ID --file ./dist/handler.js"
+			deploy: `npm run build && primitive functions deploy --name ${name} --file ./dist/handler.js`,
+			redeploy: "npm run build && primitive functions redeploy --id $PRIMITIVE_FUNCTION_ID --file ./dist/handler.js"
 		},
 		dependencies: { "@primitivedotdev/sdk": SDK_VERSION_RANGE },
 		devDependencies: {
@@ -11312,7 +11871,7 @@ npm run build
 npm run deploy
 \`\`\`
 
-The deploy step calls \`primitive functions:deploy\` (provided by the
+The deploy step calls \`primitive functions deploy\` (provided by the
 \`@primitivedotdev/cli\` package; install with
 \`npm install -g @primitivedotdev/cli\` or run via
 \`npx @primitivedotdev/cli@latest <command>\`). It requires
@@ -11388,12 +11947,12 @@ var FunctionsInitCommand = class FunctionsInitCommand extends Command {
   \`@primitivedotdev/sdk/api\` and demonstrates the canonical pattern:
   parse the email.received event, send a reply via the SDK, return a
   JSON envelope. The build script uses esbuild's JS API and emits
-  ./dist/handler.js, ready to hand to \`primitive functions:deploy --file\`.
+  ./dist/handler.js, ready to hand to \`primitive functions deploy --file\`.
 
   Refuses to overwrite an existing directory. Use --out-dir to pick a
   different target path than ./<name>/.`;
-	static summary = "Scaffold a new Primitive Function project ready for functions:deploy";
-	static examples = ["<%= config.bin %> functions:init my-fn", "<%= config.bin %> functions:init my-fn --out-dir ./functions/my-fn"];
+	static summary = "Scaffold a new Primitive Function project ready for functions deploy";
+	static examples = ["<%= config.bin %> functions init my-fn", "<%= config.bin %> functions init my-fn --out-dir ./functions/my-fn"];
 	static args = { name: Args.string({
 		description: "Function name. Lowercase letters, digits, hyphens, underscores. 1-63 chars. Used as the directory name (when --out-dir is not set) and as the package.json name.",
 		required: true
@@ -11411,7 +11970,7 @@ var FunctionsInitCommand = class FunctionsInitCommand extends Command {
 		this.log(`  cd ${outDir}`);
 		this.log("  npm install");
 		this.log("  npm run build");
-		this.log(`  primitive functions:deploy --name ${args.name} --file ./dist/handler.js`);
+		this.log(`  primitive functions deploy --name ${args.name} --file ./dist/handler.js`);
 	}
 };
 //#endregion
@@ -11495,9 +12054,9 @@ var FunctionsRedeployCommand = class FunctionsRedeployCommand extends Command {
   API calls (set-secret per pair, then update-function).`;
 	static summary = "Redeploy a function from a bundled handler file";
 	static examples = [
-		"<%= config.bin %> functions:redeploy --id <fn-id> --file ./bundle.js",
-		"<%= config.bin %> functions:redeploy --id <fn-id> --file ./bundle.js --source-map-file ./bundle.js.map",
-		"<%= config.bin %> functions:redeploy --id <fn-id> --file ./bundle.js --secret OPENAI_KEY=sk-... --secret OWNER_EMAIL=me@example.com"
+		"<%= config.bin %> functions redeploy --id <fn-id> --file ./bundle.js",
+		"<%= config.bin %> functions redeploy --id <fn-id> --file ./bundle.js --source-map-file ./bundle.js.map",
+		"<%= config.bin %> functions redeploy --id <fn-id> --file ./bundle.js --secret OPENAI_KEY=sk-... --secret OWNER_EMAIL=me@example.com"
 	];
 	static flags = {
 		"api-key": Flags.string({
@@ -11588,10 +12147,10 @@ var FunctionsRedeployCommand = class FunctionsRedeployCommand extends Command {
 					const succeeded = outcome.succeededKeys.length > 0 ? outcome.succeededKeys.join(", ") : "(none)";
 					const pending = outcome.pendingKeys.length > 0 ? outcome.pendingKeys.join(", ") : "(none)";
 					const allMissing = [outcome.failedKey, ...outcome.pendingKeys].join(", ");
-					process.stderr.write(`Writing secret ${outcome.failedKey} failed before the redeploy; succeeded keys so far: ${succeeded}; keys not yet attempted: ${pending}. The new bundle has NOT been deployed. Re-run \`primitive functions:set-secret\` for each of [${allMissing}], then \`primitive functions:redeploy --id ${flags.id} --file <bundle>\` to push them live.\n`);
+					process.stderr.write(`Writing secret ${outcome.failedKey} failed before the redeploy; succeeded keys so far: ${succeeded}; keys not yet attempted: ${pending}. The new bundle has NOT been deployed. Re-run \`primitive functions set-secret\` for each of [${allMissing}], then \`primitive functions redeploy --id ${flags.id} --file <bundle>\` to push them live.\n`);
 				} else if (outcome.stage === "redeploy") {
 					const succeeded = outcome.succeededKeys.length > 0 ? outcome.succeededKeys.join(", ") : "(none)";
-					process.stderr.write(`Secrets [${succeeded}] were written, but the redeploy step failed; the new bindings are NOT yet live. Re-run \`primitive functions:redeploy --id ${flags.id} --file <bundle>\` once the cause is fixed.\n`);
+					process.stderr.write(`Secrets [${succeeded}] were written, but the redeploy step failed; the new bindings are NOT yet live. Re-run \`primitive functions redeploy --id ${flags.id} --file <bundle>\` once the cause is fixed.\n`);
 				}
 				writeErrorWithHints(outcome.payload);
 				removeStaleSavedCredentialOnUnauthorized({
@@ -11673,7 +12232,7 @@ async function runSetSecret(api, params) {
 	};
 }
 var FunctionsSetSecretCommand = class FunctionsSetSecretCommand extends Command {
-	static description = `Write a function secret and optionally redeploy so the new value lands in the running handler. Agent-grade shortcut for functions:set-function-secret + functions:redeploy.
+	static description = `Write a function secret and optionally redeploy so the new value lands in the running handler. Agent-grade shortcut for functions set-function-secret + functions redeploy.
 
   Without --redeploy this is a plain secret upsert: the value is
   encrypted at rest but is NOT visible to the running handler until
@@ -11685,7 +12244,7 @@ var FunctionsSetSecretCommand = class FunctionsSetSecretCommand extends Command
   underscores; first character is a letter or underscore). System-
   managed keys are reserved and rejected.`;
 	static summary = "Write a function secret (optionally redeploying to push it live)";
-	static examples = ["<%= config.bin %> functions:set-secret --id <fn-id> --key API_TOKEN --value abc123", "<%= config.bin %> functions:set-secret --id <fn-id> --key API_TOKEN --value abc123 --redeploy"];
+	static examples = ["<%= config.bin %> functions set-secret --id <fn-id> --key API_TOKEN --value abc123", "<%= config.bin %> functions set-secret --id <fn-id> --key API_TOKEN --value abc123 --redeploy"];
 	static flags = {
 		"api-key": Flags.string({
 			description: "Primitive API key (defaults to PRIMITIVE_API_KEY or saved `primitive login` credentials)",
@@ -11713,7 +12272,7 @@ var FunctionsSetSecretCommand = class FunctionsSetSecretCommand extends Command
 			description: "Secret value (up to 4096 UTF-8 bytes). Encrypted at rest.",
 			required: true
 		}),
-		redeploy: Flags.boolean({ description: "Also redeploy the function with its current code so the new value lands in the running handler. Without this, the secret is written but not visible to the handler until the next deploy. Note: source maps are stored only on the runtime side and getFunction does not return them, so this redeploy drops any previously-uploaded source map. If preserving stack-trace symbolication matters, use `functions:redeploy --file <bundle.js> --source-map-file <bundle.js.map>` instead." }),
+		redeploy: Flags.boolean({ description: "Also redeploy the function with its current code so the new value lands in the running handler. Without this, the secret is written but not visible to the handler until the next deploy. Note: when --redeploy re-uploads the function's current live code without a sourceMap field, the API preserves the current stored source map. Use `functions redeploy --file <bundle.js> --source-map-file <bundle.js.map>` to replace or restore a map." }),
 		time: Flags.boolean({ description: TIME_FLAG_DESCRIPTION })
 	};
 	async run() {
@@ -11764,8 +12323,8 @@ var FunctionsSetSecretCommand = class FunctionsSetSecretCommand extends Command
 				value: flags.value
 			});
 			if (outcome.kind === "error") {
-				if (outcome.stage === "get-function") process.stderr.write("Secret was written, but reading current function code for redeploy failed; the secret is NOT yet live. Re-run with --redeploy, or call `primitive functions:redeploy --id <id> --file <bundle>` once you have the bundle.\n");
-				else if (outcome.stage === "redeploy") process.stderr.write("Secret was written, but the redeploy step failed; the secret is NOT yet live. Inspect the function's deploy_error and re-run `primitive functions:redeploy --id <id> --file <bundle>` once the cause is fixed.\n");
+				if (outcome.stage === "get-function") process.stderr.write("Secret was written, but reading current function code for redeploy failed; the secret is NOT yet live. Re-run with --redeploy, or call `primitive functions redeploy --id <id> --file <bundle>` once you have the bundle.\n");
+				else if (outcome.stage === "redeploy") process.stderr.write("Secret was written, but the redeploy step failed; the secret is NOT yet live. Inspect the function's deploy_error and re-run `primitive functions redeploy --id <id> --file <bundle>` once the cause is fixed.\n");
 				writeErrorWithHints(outcome.payload);
 				removeStaleSavedCredentialOnUnauthorized({
 					...authFailureContext,
@@ -11786,10 +12345,10 @@ var FunctionsTestFunctionCommand = class FunctionsTestFunctionCommand extends Co
 	static description = "Send a real test email through MX to trigger this function. With --wait, blocks until the function has processed the inbound; with --show-sends, also prints any outbound sends the function emitted in response.";
 	static summary = "Trigger a test invocation; with --wait, watch it land";
 	static examples = [
-		"<%= config.bin %> functions:test-function --id <fn-id>",
-		"<%= config.bin %> functions:test-function --id <fn-id> --local-part summarize",
-		"<%= config.bin %> functions:test-function --id <fn-id> --wait --show-sends",
-		"<%= config.bin %> functions:test-function --id <fn-id> --local-part summarize --wait --timeout 120"
+		"<%= config.bin %> functions test --id <fn-id>",
+		"<%= config.bin %> functions test --id <fn-id> --local-part summarize",
+		"<%= config.bin %> functions test --id <fn-id> --wait --show-sends",
+		"<%= config.bin %> functions test --id <fn-id> --local-part summarize --wait --timeout 120"
 	];
 	static flags = {
 		"api-key": Flags.string({
@@ -11946,7 +12505,7 @@ var FunctionsTestFunctionCommand = class FunctionsTestFunctionCommand extends Co
 //#endregion
 //#region src/oclif/commands/login.ts
 const MAX_CLI_LOGIN_POLL_INTERVAL_SECONDS = 60;
-function cliError$1(message) {
+function cliError$2(message) {
 	return new Errors.CLIError(message, { exit: 1 });
 }
 function sleep(ms) {
@@ -11965,10 +12524,10 @@ function openBrowser(url) {
 	child.on("error", () => void 0);
 	child.unref();
 }
-function unwrapData$1(value) {
+function unwrapData$2(value) {
 	return value?.data ?? null;
 }
-function retryAfterSeconds(result) {
+function retryAfterSeconds$1(result) {
 	const raw = result.response?.headers.get("retry-after");
 	if (!raw) return null;
 	const parsed = Number.parseInt(raw, 10);
@@ -12032,7 +12591,7 @@ var LoginCommand = class LoginCommand extends Command {
 		try {
 			releaseCredentialsLock = acquireCliCredentialsLock(this.config.configDir);
 		} catch (error) {
-			throw cliError$1(error instanceof Error ? error.message : String(error));
+			throw cliError$2(error instanceof Error ? error.message : String(error));
 		}
 		try {
 			await this.runWithCredentialLock(flags);
@@ -12061,8 +12620,8 @@ var LoginCommand = class LoginCommand extends Command {
 			if (existingStatus.status === "removed_stale") process.stderr.write("Continuing with a new Primitive CLI login...\n");
 			else if (existingStatus.status === "blocked") {
 				writeErrorWithHints(existingStatus.payload);
-				throw cliError$1(existingStatus.message);
-			} else throw cliError$1(`Already logged in${existing.org_name ? ` for ${existing.org_name}` : ""}. Run \`primitive logout\` before logging in again.`);
+				throw cliError$2(existingStatus.message);
+			} else throw cliError$2(`Already logged in${existing.org_name ? ` for ${existing.org_name}` : ""}. Run \`primitive logout\` before logging in again.`);
 		}
 		const apiClient = new PrimitiveApiClient({ apiBaseUrl1 });
 		const started = await startCliLogin({
@@ -12072,10 +12631,10 @@ var LoginCommand = class LoginCommand extends Command {
 		});
 		if (started.error) {
 			writeErrorWithHints(extractErrorPayload(started.error));
-			throw cliError$1("Could not start Primitive CLI login.");
+			throw cliError$2("Could not start Primitive CLI login.");
 		}
-		const start = unwrapData$1(started.data);
-		if (!start) throw cliError$1("Primitive API returned an empty CLI login response.");
+		const start = unwrapData$2(started.data);
+		if (!start) throw cliError$2("Primitive API returned an empty CLI login response.");
 		process.stderr.write(`Your login code is: ${start.user_code}\n`);
 		if (!flags["no-browser"]) {
 			openBrowser(start.verification_uri_complete);
@@ -12095,8 +12654,8 @@ var LoginCommand = class LoginCommand extends Command {
 				responseStyle: "fields"
 			});
 			if (polled.data) {
-				const login = unwrapData$1(polled.data);
-				if (!login) throw cliError$1("Primitive API returned an empty CLI poll response.");
+				const login = unwrapData$2(polled.data);
+				if (!login) throw cliError$2("Primitive API returned an empty CLI poll response.");
 				saveCliCredentials(this.config.configDir, {
 					api_key: login.api_key,
 					api_base_url_1: apiBaseUrl1,
@@ -12118,25 +12677,25 @@ var LoginCommand = class LoginCommand extends Command {
 				continue;
 			}
 			if (code === API_ERROR_CODES.slowDown) {
-				interval = Math.min(retryAfterSeconds(polled) ?? interval + 5, MAX_CLI_LOGIN_POLL_INTERVAL_SECONDS);
+				interval = Math.min(retryAfterSeconds$1(polled) ?? interval + 5, MAX_CLI_LOGIN_POLL_INTERVAL_SECONDS);
 				nextPollDelay = interval;
 				continue;
 			}
-			if (code === API_ERROR_CODES.accessDenied) throw cliError$1("Primitive CLI login was denied in the browser.");
-			if (code === API_ERROR_CODES.expiredToken) throw cliError$1("Primitive CLI login expired. Run `primitive login` again.");
-			if (code === API_ERROR_CODES.invalidDeviceCode) throw cliError$1("Primitive CLI login device code is invalid. Run `primitive login` again.");
+			if (code === API_ERROR_CODES.accessDenied) throw cliError$2("Primitive CLI login was denied in the browser.");
+			if (code === API_ERROR_CODES.expiredToken) throw cliError$2("Primitive CLI login expired. Run `primitive login` again.");
+			if (code === API_ERROR_CODES.invalidDeviceCode) throw cliError$2("Primitive CLI login device code is invalid. Run `primitive login` again.");
 			writeErrorWithHints(payload);
-			throw cliError$1("Primitive CLI login failed while polling for approval.");
+			throw cliError$2("Primitive CLI login failed while polling for approval.");
 		}
-		throw cliError$1("Primitive CLI login expired. Run `primitive login` again.");
+		throw cliError$2("Primitive CLI login expired. Run `primitive login` again.");
 	}
 };
 //#endregion
 //#region src/oclif/commands/logout.ts
-function cliError(message) {
+function cliError$1(message) {
 	return new Errors.CLIError(message, { exit: 1 });
 }
-function unwrapData(value) {
+function unwrapData$1(value) {
 	return value?.data ?? null;
 }
 var LogoutCommand = class LogoutCommand extends Command {
@@ -12154,7 +12713,7 @@ var LogoutCommand = class LogoutCommand extends Command {
 		try {
 			releaseCredentialsLock = acquireCliCredentialsLock(this.config.configDir);
 		} catch (error) {
-			throw cliError(error instanceof Error ? error.message : String(error));
+			throw cliError$1(error instanceof Error ? error.message : String(error));
 		}
 		try {
 			await this.runWithCredentialLock(flags);
@@ -12173,7 +12732,7 @@ var LogoutCommand = class LogoutCommand extends Command {
 			process.exitCode = 1;
 			return;
 		}
-		if (!credentials) throw cliError("Not logged in. Run `primitive login` to create saved CLI credentials.");
+		if (!credentials) throw cliError$1("Not logged in. Run `primitive login` to create saved CLI credentials.");
 		const apiBaseUrl1 = flags["api-base-url-1"] ? normalizeApiBaseUrl1(flags["api-base-url-1"]) : credentials.api_base_url_1;
 		const apiClient = new PrimitiveApiClient({
 			apiKey: credentials.api_key,
@@ -12195,15 +12754,101 @@ var LogoutCommand = class LogoutCommand extends Command {
 				return;
 			}
 			writeErrorWithHints(payload);
-			throw cliError("Could not revoke the saved Primitive CLI API key.");
+			throw cliError$1("Could not revoke the saved Primitive CLI API key.");
 		}
-		const logout = unwrapData(result.data);
+		const logout = unwrapData$1(result.data);
 		deleteCliCredentials(this.config.configDir);
 		const keyId = logout?.key_id ?? credentials.key_id;
 		process.stderr.write(`Logged out and revoked API key ${keyId}.\n`);
 	}
 };
 //#endregion
+//#region src/oclif/commands/reply.ts
+var ReplyCommand = class ReplyCommand extends Command {
+	static description = `Reply to an inbound email.
+
+  The API derives recipients, the Re: subject, and threading headers from the inbound email id. Use \`primitive send --in-reply-to <message-id>\` only when you need to thread against a raw Message-Id instead of an inbound email stored by Primitive.`;
+	static summary = "Reply to an inbound email";
+	static examples = [
+		"<%= config.bin %> reply --id <inbound-email-id> --body 'Thanks, got it.'",
+		"<%= config.bin %> reply --id <inbound-email-id> --html '<p>Thanks, got it.</p>' --wait",
+		"<%= config.bin %> reply --id <inbound-email-id> --from 'Support <support@example.com>' --body 'Thanks!'"
+	];
+	static flags = {
+		"api-key": Flags.string({
+			description: "Primitive API key (defaults to PRIMITIVE_API_KEY or saved `primitive login` credentials)",
+			env: "PRIMITIVE_API_KEY"
+		}),
+		"api-base-url-1": Flags.string({
+			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
+			env: "PRIMITIVE_API_BASE_URL_1",
+			hidden: true
+		}),
+		"api-base-url-2": Flags.string({
+			description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
+			env: "PRIMITIVE_API_BASE_URL_2",
+			hidden: true
+		}),
+		id: Flags.string({
+			description: "Inbound email id to reply to.",
+			required: true
+		}),
+		body: Flags.string({ description: "Plain-text reply body. Either --body or --html (or both) is required." }),
+		html: Flags.string({ description: "HTML reply body. Either --body or --html (or both) is required." }),
+		from: Flags.string({ description: "Optional From header override. Defaults to the inbound recipient." }),
+		wait: Flags.boolean({ description: "Block until the receiving MTA returns an outcome. Without --wait, the call returns once Primitive has accepted the reply for delivery." }),
+		"wait-timeout-ms": Flags.integer({ description: "Maximum time to wait when --wait is set. Defaults to 30000ms." }),
+		time: Flags.boolean({ description: TIME_FLAG_DESCRIPTION })
+	};
+	async run() {
+		const { flags } = await this.parse(ReplyCommand);
+		if (!flags.body && !flags.html) throw new Errors.CLIError("Either --body or --html (or both) is required.");
+		await runWithTiming(flags.time, async () => {
+			const baseUrlOverridden = flags["api-base-url-1"] !== void 0 || flags["api-base-url-2"] !== void 0;
+			const auth = resolveCliAuth({
+				apiKey: flags["api-key"],
+				apiBaseUrl1: flags["api-base-url-1"],
+				apiBaseUrl2: flags["api-base-url-2"],
+				configDir: this.config.configDir
+			});
+			const apiClient = new PrimitiveApiClient({
+				apiKey: auth.apiKey,
+				apiBaseUrl1: auth.apiBaseUrl1,
+				apiBaseUrl2: auth.apiBaseUrl2
+			});
+			const result = await replyToEmail({
+				body: {
+					...flags.body !== void 0 ? { body_text: flags.body } : {},
+					...flags.html !== void 0 ? { body_html: flags.html } : {},
+					...flags.from !== void 0 ? { from: flags.from } : {},
+					...flags.wait !== void 0 ? { wait: flags.wait } : {},
+					...flags["wait-timeout-ms"] !== void 0 ? { wait_timeout_ms: flags["wait-timeout-ms"] } : {}
+				},
+				client: apiClient.client,
+				path: { id: flags.id },
+				responseStyle: "fields"
+			});
+			if (result.error) {
+				const errorPayload = extractErrorPayload(result.error);
+				writeErrorWithHints(errorPayload);
+				removeStaleSavedCredentialOnUnauthorized({
+					auth,
+					baseUrlOverridden,
+					configDir: this.config.configDir,
+					payload: errorPayload
+				});
+				process.exitCode = 1;
+				return;
+			}
+			const envelope = result.data;
+			writeIdempotentReplayBannerIfReplay(envelope?.data, { write: (chunk) => {
+				process.stderr.write(chunk);
+			} });
+			this.log(JSON.stringify(envelope?.data ?? null, null, 2));
+		});
+	}
+};
+//#endregion
 //#region src/oclif/commands/send.ts
 const SUBJECT_MAX_LENGTH = 200;
 function deriveSubject(body) {
@@ -12235,17 +12880,17 @@ async function pickDefaultFromAddress(apiClient, authFailureContext) {
 		throw new Errors.CLIError(`Could not look up your verified domains to default --from. Pass --from explicitly. Underlying error: ${formatErrorPayload(errorPayload)}`);
 	}
 	const first = result.data?.data?.find(isVerifiedDomain);
-	if (!first) throw new Errors.CLIError("No active verified outbound domain found on this account; pass --from explicitly. To set up outbound, claim a domain via `primitive domains:add-domain` and verify it.");
+	if (!first) throw new Errors.CLIError("No active verified outbound domain found on this account; pass --from explicitly. To set up outbound, claim a domain via `primitive domains add` and verify it.");
 	return `agent@${first.domain}`;
 }
 var SendCommand = class SendCommand extends Command {
-	static description = `Send an outbound email. Agent-grade shortcut for sending:send-email with sensible defaults.
+	static description = `Send an outbound email. Agent-grade shortcut for \`sending send\` with sensible defaults.
 
   --from defaults to agent@<your-first-verified-outbound-domain> when omitted.
   --subject defaults to the first line of the body when omitted.
 
   For the full flag set (custom message-id threading on the wire,
-  references arrays, etc.), use \`primitive sending:send-email\`.`;
+  references arrays, etc.), use \`primitive sending send\`.`;
 	static summary = "Send an email (simplified, agent-friendly)";
 	static examples = [
 		"<%= config.bin %> send --to alice@example.com --body 'Hi Alice!'",
@@ -12277,7 +12922,7 @@ var SendCommand = class SendCommand extends Command {
 		subject: Flags.string({ description: "Subject line. Defaults to the first line of --body / --html when omitted." }),
 		body: Flags.string({ description: "Plain-text message body. Either --body or --html (or both) is required." }),
 		html: Flags.string({ description: "HTML message body. Either --body or --html (or both) is required." }),
-		"in-reply-to": Flags.string({ description: "Message-Id of the parent email when threading a reply on the wire. For replying to an inbound message you received, prefer `primitive sending:reply-to-email --id <inbound-id>`." }),
+		"in-reply-to": Flags.string({ description: "Message-Id of the parent email when threading a reply on the wire. For replying to an inbound message you received, prefer `primitive reply --id <inbound-id>`." }),
 		wait: Flags.boolean({ description: "Block until the receiving MTA returns an outcome. Without --wait, the call returns once Primitive has accepted the message for delivery." }),
 		"wait-timeout-ms": Flags.integer({ description: "Maximum time to wait when --wait is set. Defaults to 30000ms." }),
 		time: Flags.boolean({ description: TIME_FLAG_DESCRIPTION })
@@ -12330,11 +12975,402 @@ var SendCommand = class SendCommand extends Command {
 				return;
 			}
 			const envelope = result.data;
+			writeIdempotentReplayBannerIfReplay(envelope?.data, { write: (chunk) => {
+				process.stderr.write(chunk);
+			} });
 			this.log(JSON.stringify(envelope?.data ?? null, null, 2));
 		});
 	}
 };
 //#endregion
+//#region src/oclif/commands/signup.ts
+const INVALID_VERIFICATION_CODE = "invalid_verification_code";
+const CLERK_PASSWORD_REJECTED = "clerk_password_rejected";
+const EXPIRED_TOKEN = "expired_token";
+const INVALID_SIGNUP_TOKEN = "invalid_signup_token";
+const SLOW_DOWN = "slow_down";
+const PENDING_SIGNUP_FILE = "signup.json";
+function cliError(message) {
+	return new Errors.CLIError(message, { exit: 1 });
+}
+function unwrapData(value) {
+	return value?.data ?? null;
+}
+function isRecord(value) {
+	return value !== null && typeof value === "object" && !Array.isArray(value);
+}
+function pendingSignupFromJson(value) {
+	if (!isRecord(value)) return null;
+	if (typeof value.signup_token !== "string" || typeof value.email !== "string" || typeof value.expires_in !== "number" || typeof value.resend_after !== "number" || typeof value.verification_code_length !== "number" || typeof value.api_base_url_1 !== "string" || typeof value.created_at !== "string" || typeof value.expires_at !== "string") return null;
+	return {
+		api_base_url_1: value.api_base_url_1,
+		created_at: value.created_at,
+		email: value.email,
+		expires_at: value.expires_at,
+		expires_in: value.expires_in,
+		resend_after: value.resend_after,
+		signup_token: value.signup_token,
+		verification_code_length: value.verification_code_length
+	};
+}
+function pendingSignupPath(configDir) {
+	return join(configDir, PENDING_SIGNUP_FILE);
+}
+function deletePendingCliSignup(configDir) {
+	rmSync(pendingSignupPath(configDir), { force: true });
+}
+function pendingSignupFromStart(start, apiBaseUrl1) {
+	return {
+		...start,
+		api_base_url_1: apiBaseUrl1,
+		created_at: (/* @__PURE__ */ new Date()).toISOString(),
+		expires_at: new Date(Date.now() + start.expires_in * 1e3).toISOString()
+	};
+}
+function savePendingCliSignup(configDir, start, apiBaseUrl1) {
+	mkdirSync(configDir, {
+		mode: 448,
+		recursive: true
+	});
+	const pending = pendingSignupFromStart(start, apiBaseUrl1);
+	const path = pendingSignupPath(configDir);
+	const tempPath = join(configDir, `${PENDING_SIGNUP_FILE}.${process$1.pid}.${randomUUID()}.tmp`);
+	try {
+		writeFileSync(tempPath, `${JSON.stringify(pending, null, 2)}\n`, { mode: 384 });
+		chmodSync(tempPath, 384);
+		renameSync(tempPath, path);
+		chmodSync(path, 384);
+		return pending;
+	} catch (error) {
+		rmSync(tempPath, { force: true });
+		throw error;
+	}
+}
+function loadPendingCliSignup(configDir, apiBaseUrl1) {
+	const path = pendingSignupPath(configDir);
+	let contents;
+	try {
+		contents = readFileSync(path, "utf8");
+	} catch (error) {
+		if (error && typeof error === "object" && error.code === "ENOENT") return null;
+		throw error;
+	}
+	let pending;
+	try {
+		pending = pendingSignupFromJson(JSON.parse(contents));
+	} catch {
+		pending = null;
+	}
+	if (!pending) {
+		deletePendingCliSignup(configDir);
+		return null;
+	}
+	if (pending.api_base_url_1 !== apiBaseUrl1) return null;
+	if (new Date(pending.expires_at).getTime() <= Date.now()) {
+		deletePendingCliSignup(configDir);
+		return null;
+	}
+	return {
+		...pending,
+		expires_in: Math.max(0, Math.ceil((new Date(pending.expires_at).getTime() - Date.now()) / 1e3))
+	};
+}
+function retryAfterSeconds(result) {
+	const raw = result.response?.headers.get("retry-after");
+	if (!raw) return null;
+	const parsed = Number.parseInt(raw, 10);
+	return Number.isFinite(parsed) && parsed > 0 ? parsed : null;
+}
+function normalizeAnswer(value) {
+	return value.trim();
+}
+async function promptLine(question) {
+	const rl = createInterface({
+		input: process$1.stdin,
+		output: process$1.stderr
+	});
+	try {
+		return normalizeAnswer(await rl.question(question));
+	} finally {
+		rl.close();
+	}
+}
+async function promptHidden(question) {
+	if (!process$1.stdin.isTTY || !process$1.stderr.isTTY || !process$1.stdin.setRawMode) throw cliError("Password input requires an interactive terminal with hidden input support.");
+	return new Promise((resolve, reject) => {
+		const input = process$1.stdin;
+		let value = "";
+		const cleanup = () => {
+			input.setRawMode(false);
+			input.pause();
+			input.off("data", onData);
+		};
+		const finish = () => {
+			cleanup();
+			process$1.stderr.write("\n");
+			resolve(value);
+		};
+		const onData = (chunk) => {
+			const text = chunk.toString("utf8");
+			for (const char of text) {
+				if (char === "") {
+					cleanup();
+					process$1.stderr.write("\n");
+					reject(cliError("Signup cancelled."));
+					return;
+				}
+				if (char === "\r" || char === "\n") {
+					finish();
+					return;
+				}
+				if (char === "\b" || char === "") {
+					value = value.slice(0, -1);
+					continue;
+				}
+				value += char;
+			}
+		};
+		process$1.stderr.write(question);
+		input.setRawMode(true);
+		input.resume();
+		input.on("data", onData);
+	});
+}
+function formatSignupSeconds(seconds) {
+	if (typeof seconds !== "number" || !Number.isFinite(seconds) || seconds <= 0) return "soon";
+	if (seconds < 60) return `${Math.ceil(seconds)} seconds`;
+	const minutes = Math.ceil(seconds / 60);
+	return `${minutes} minute${minutes === 1 ? "" : "s"}`;
+}
+function shouldRetrySignupPassword(errorCode) {
+	return errorCode === CLERK_PASSWORD_REJECTED;
+}
+function signupErrorMessage(payload) {
+	if (!isRecord(payload)) return null;
+	const message = (isRecord(payload.error) ? payload.error : payload).message;
+	return typeof message === "string" && message.trim() ? message : null;
+}
+async function promptRequired(question) {
+	while (true) {
+		const value = await promptLine(question);
+		if (value) return value;
+		process$1.stderr.write("Please enter a value.\n");
+	}
+}
+async function promptRequiredPassword(question) {
+	while (true) {
+		const value = await promptHidden(question);
+		if (value) return value;
+		process$1.stderr.write("Please enter a password.\n");
+	}
+}
+async function promptNewPassword() {
+	while (true) {
+		const password = await promptRequiredPassword("Password: ");
+		if (password === await promptRequiredPassword("Confirm password: ")) return password;
+		process$1.stderr.write("Passwords did not match. Try again.\n");
+	}
+}
+async function confirmTerms() {
+	process$1.stderr.write("By creating an account, you agree to Primitive's Terms of Service and Privacy Policy:\n");
+	process$1.stderr.write("  https://primitive.dev/terms\n");
+	process$1.stderr.write("  https://primitive.dev/privacy\n");
+	const answer = (await promptRequired("Type 'yes' to continue: ")).toLowerCase();
+	if (answer !== "yes" && answer !== "y") throw cliError("You must accept the terms to create an account.");
+}
+async function resendVerificationCode(params) {
+	const resent = await (params.deps.resendCliSignupVerification ?? resendCliSignupVerification)({
+		body: { signup_token: params.start.signup_token },
+		client: params.apiClient.client,
+		responseStyle: "fields"
+	});
+	if (resent.data) {
+		const resend = unwrapData(resent.data);
+		const next = resend ? {
+			email: resend.email,
+			expires_in: resend.expires_in,
+			resend_after: resend.resend_after,
+			signup_token: params.start.signup_token,
+			verification_code_length: resend.verification_code_length
+		} : params.start;
+		savePendingCliSignup(params.configDir, next, params.apiBaseUrl1);
+		process$1.stderr.write(`Sent a new ${next.verification_code_length}-digit verification code. It expires in ${formatSignupSeconds(next.expires_in)}.\n`);
+		return next;
+	}
+	const payload = extractErrorPayload(resent.error);
+	if (extractErrorCode(payload) === SLOW_DOWN) {
+		const suffix = ` Wait ${formatSignupSeconds(retryAfterSeconds(resent) ?? params.start.resend_after)} before trying again.`;
+		process$1.stderr.write(`Verification email was sent recently.${suffix}\n`);
+		return params.start;
+	}
+	writeErrorWithHints(payload);
+	throw cliError("Could not resend Primitive CLI signup verification email.");
+}
+async function runSignupWithCredentialLock(params) {
+	const { configDir, flags } = params;
+	const deps = params.deps ?? {};
+	const promptRequiredFn = deps.promptRequired ?? promptRequired;
+	const promptNewPasswordFn = deps.promptNewPassword ?? promptNewPassword;
+	const confirmTermsFn = deps.confirmTerms ?? confirmTerms;
+	const startFn = deps.startCliSignup ?? startCliSignup;
+	const verifyFn = deps.verifyCliSignup ?? verifyCliSignup;
+	const checkExistingLoginFn = deps.checkExistingLogin ?? checkExistingLogin;
+	const apiBaseUrl1 = normalizeApiBaseUrl1(flags["api-base-url-1"]);
+	let existing;
+	try {
+		existing = loadCliCredentials(configDir);
+	} catch (error) {
+		if (!flags.force) throw error;
+		const detail = error instanceof Error ? error.message : String(error);
+		process$1.stderr.write(`Replacing unreadable Primitive CLI credentials because --force was set: ${detail}\n`);
+		existing = null;
+	}
+	if (existing && flags.force) process$1.stderr.write("Replacing saved Primitive CLI credentials after signup because --force was set.\n");
+	else if (existing) {
+		const existingStatus = await checkExistingLoginFn({
+			apiBaseUrl1: flags["api-base-url-1"],
+			configDir,
+			credentials: existing
+		});
+		if (existingStatus.status === "removed_stale") process$1.stderr.write("Continuing with Primitive CLI signup...\n");
+		else if (existingStatus.status === "blocked") {
+			writeErrorWithHints(existingStatus.payload);
+			throw cliError(existingStatus.message);
+		} else throw cliError(`Already logged in${existing.org_name ? ` for ${existing.org_name}` : ""}. Run \`primitive logout\` before creating a new account.`);
+	}
+	if (flags.force) deletePendingCliSignup(configDir);
+	const apiClient = new PrimitiveApiClient({ apiBaseUrl1 });
+	let start = flags.force ? null : loadPendingCliSignup(configDir, apiBaseUrl1);
+	const resumed = Boolean(start);
+	if (start) process$1.stderr.write(`Continuing pending Primitive CLI signup for ${start.email}.\n`);
+	else {
+		const signupCode = await promptRequiredFn("Signup code: ");
+		await confirmTermsFn();
+		const email = await promptRequiredFn("Email: ");
+		const started = await startFn({
+			body: {
+				device_name: flags["device-name"] ?? hostname(),
+				email,
+				signup_code: signupCode,
+				terms_accepted: true
+			},
+			client: apiClient.client,
+			responseStyle: "fields"
+		});
+		if (started.error) {
+			writeErrorWithHints(extractErrorPayload(started.error));
+			throw cliError("Could not start Primitive CLI signup.");
+		}
+		const startResult = unwrapData(started.data);
+		if (!startResult) throw cliError("Primitive API returned an empty CLI signup response.");
+		start = savePendingCliSignup(configDir, startResult, apiBaseUrl1);
+	}
+	if (resumed) process$1.stderr.write(`Check your email for the ${start.verification_code_length}-digit verification code sent to ${start.email}.\n`);
+	else process$1.stderr.write(`Sent a ${start.verification_code_length}-digit verification code to ${start.email}.\n`);
+	process$1.stderr.write(`The code expires in ${formatSignupSeconds(start.expires_in)}.\n`);
+	process$1.stderr.write(`Enter the code from the email, or type \`resend\` to send a new code after ${formatSignupSeconds(start.resend_after)}.\n`);
+	while (true) {
+		const verificationCode = await promptRequiredFn(`Verification code (${start.verification_code_length} digits): `);
+		if (verificationCode.toLowerCase() === "resend") {
+			start = await resendVerificationCode({
+				apiBaseUrl1,
+				apiClient,
+				configDir,
+				deps,
+				start
+			});
+			continue;
+		}
+		let password = await promptNewPasswordFn();
+		while (true) {
+			const verified = await verifyFn({
+				body: {
+					password,
+					signup_token: start.signup_token,
+					verification_code: verificationCode
+				},
+				client: apiClient.client,
+				responseStyle: "fields"
+			});
+			if (verified.data) {
+				const signup = unwrapData(verified.data);
+				if (!signup) throw cliError("Primitive API returned an empty CLI signup verification response.");
+				saveCliCredentials(configDir, {
+					api_key: signup.api_key,
+					api_base_url_1: apiBaseUrl1,
+					created_at: (/* @__PURE__ */ new Date()).toISOString(),
+					key_id: signup.key_id,
+					key_prefix: signup.key_prefix,
+					org_id: signup.org_id,
+					org_name: signup.org_name
+				});
+				deletePendingCliSignup(configDir);
+				const org = signup.org_name ? ` (${signup.org_name})` : "";
+				process$1.stderr.write(`Created account and logged in to org ${signup.org_id}${org}.\n`);
+				process$1.stderr.write(`Saved credentials to ${credentialsPath(configDir)}.\n`);
+				return;
+			}
+			const payload = extractErrorPayload(verified.error);
+			const code = extractErrorCode(payload);
+			if (code === INVALID_VERIFICATION_CODE) {
+				process$1.stderr.write("Invalid verification code. Try again or type `resend`.\n");
+				break;
+			}
+			if (shouldRetrySignupPassword(code)) {
+				const message = signupErrorMessage(payload);
+				if (message) process$1.stderr.write(`Password rejected: ${message}\n`);
+				process$1.stderr.write("Choose a different password and try again.\n");
+				password = await promptNewPasswordFn();
+				continue;
+			}
+			if (code === EXPIRED_TOKEN || code === INVALID_SIGNUP_TOKEN) deletePendingCliSignup(configDir);
+			writeErrorWithHints(payload);
+			throw cliError("Primitive CLI signup failed while verifying the account.");
+		}
+	}
+}
+var SignupCommand = class SignupCommand extends Command {
+	static description = "Create a Primitive account from the terminal, verify your email, and save an org-scoped CLI API key locally.";
+	static summary = "Create an account and log in";
+	static examples = [
+		"<%= config.bin %> signup",
+		"<%= config.bin %> signup --device-name work-laptop",
+		"<%= config.bin %> signup --force"
+	];
+	static flags = {
+		"api-base-url-1": Flags.string({
+			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
+			env: "PRIMITIVE_API_BASE_URL_1",
+			hidden: true
+		}),
+		"device-name": Flags.string({ description: "Device name used for the created CLI API key" }),
+		force: Flags.boolean({
+			char: "f",
+			description: "Replace saved credentials without first verifying the existing login"
+		})
+	};
+	async run() {
+		const { flags } = await this.parse(SignupCommand);
+		let releaseCredentialsLock;
+		try {
+			releaseCredentialsLock = acquireCliCredentialsLock(this.config.configDir);
+		} catch (error) {
+			throw cliError(error instanceof Error ? error.message : String(error));
+		}
+		try {
+			await this.runWithCredentialLock(flags);
+		} finally {
+			releaseCredentialsLock();
+		}
+	}
+	async runWithCredentialLock(flags) {
+		await runSignupWithCredentialLock({
+			configDir: this.config.configDir,
+			flags
+		});
+	}
+};
+//#endregion
 //#region src/oclif/commands/whoami.ts
 var WhoamiCommand = class WhoamiCommand extends Command {
 	static description = `Print the account currently authenticated by the API key. Useful as a credentials smoke test: confirms the key is live and shows which account it belongs to.`;
@@ -12477,7 +13513,7 @@ var ListOperationsCommand = class extends Command {
 	}
 };
 function lookupOperation(id) {
-	const trimmed = id.trim();
+	const trimmed = resolveOperationAlias(id.trim());
 	const sep = trimmed.indexOf(":");
 	const tag = sep === -1 ? "" : trimmed.slice(0, sep);
 	const cmd = sep === -1 ? trimmed : trimmed.slice(sep + 1);
@@ -12493,7 +13529,7 @@ function lookupOperation(id) {
 }
 var DescribeCommand = class DescribeCommand extends Command {
 	static args = { command: Args.string({
-		description: "Command id to describe, in `<topic>:<command>` form (e.g. `emails:get-email`). Run `primitive list-operations | jq -r '.[] | \"\\(.tagCommand):\\(.command)\"'` to enumerate.",
+		description: "Command id to describe, e.g. `emails:list` or `emails:get-email`. Run `primitive list-operations | jq -r '.[] | \"\\(.tagCommand):\\(.command)\"'` to enumerate generated operation ids.",
 		required: true
 	}) };
 	static description = `Print the full operation manifest entry for a single API command, including the path, request schema, response schema, and per-field descriptions sourced from the OpenAPI spec.
@@ -12501,15 +13537,15 @@ var DescribeCommand = class DescribeCommand extends Command {
   The manifest entry's \`responseSchema\` carries the inlined JSON Schema for the operation's 200/201 \`data\` envelope contents (\`$ref\`s resolved). Use it to look up what specific response fields mean. Examples:
 
       # Which of EmailDetail's sender-shaped fields is canonical?
-      primitive describe emails:get-email | jq '.responseSchema.properties | keys'
-      primitive describe emails:get-email | jq -r '.responseSchema.properties.from_email.description'
+      primitive describe emails:get | jq '.responseSchema.properties | keys'
+      primitive describe emails:get | jq -r '.responseSchema.properties.from_email.description'
 
       # What does each value of SentEmailStatus mean?
-      primitive describe sending:get-sent-email | jq -r '.responseSchema.properties.status.description'
+      primitive describe sent:get | jq -r '.responseSchema.properties.status.description'
 
   \`requestSchema\` is the same shape for the request body when one exists. For a single field across many operations at once, use \`primitive list-operations | jq\` instead.`;
 	static summary = "Describe a single API operation in detail";
-	static examples = ["<%= config.bin %> describe emails:get-email", "<%= config.bin %> describe sending:send-email"];
+	static examples = ["<%= config.bin %> describe emails:get", "<%= config.bin %> describe sent:get"];
 	async run() {
 		const { args } = await this.parse(DescribeCommand);
 		const { match, candidates } = lookupOperation(args.command);
@@ -12545,13 +13581,66 @@ var CompletionCommand = class CompletionCommand extends Command {
 function commandId(operation) {
 	return `${operation.tagCommand}:${operation.command}`;
 }
+const CANONICAL_OPERATION_ALIASES = {
+	"account:show": "account:get-account",
+	"account:storage": "account:get-storage-stats",
+	"account:webhook-secret": "account:get-webhook-secret",
+	"deliveries:list": "webhook-deliveries:list-deliveries",
+	"deliveries:replay": "webhook-deliveries:replay-delivery",
+	"domains:add": "domains:add-domain",
+	"domains:delete": "domains:delete-domain",
+	"domains:list": "domains:list-domains",
+	"domains:update": "domains:update-domain",
+	"domains:verify": "domains:verify-domain",
+	"emails:delete": "emails:delete-email",
+	"emails:discard-content": "emails:discard-email-content",
+	"emails:download-raw": "emails:download-raw-email",
+	"emails:get": "emails:get-email",
+	"emails:list": "emails:list-emails",
+	"emails:replay-webhooks": "emails:replay-email-webhooks",
+	"emails:search": "emails:search-emails",
+	"endpoints:create": "endpoints:create-endpoint",
+	"endpoints:delete": "endpoints:delete-endpoint",
+	"endpoints:list": "endpoints:list-endpoints",
+	"endpoints:test": "endpoints:test-endpoint",
+	"endpoints:update": "endpoints:update-endpoint",
+	"filters:create": "filters:create-filter",
+	"filters:delete": "filters:delete-filter",
+	"filters:list": "filters:list-filters",
+	"filters:update": "filters:update-filter",
+	"functions:delete": "functions:delete-function",
+	"functions:delete-secret": "functions:delete-function-secret",
+	"functions:get": "functions:get-function",
+	"functions:list": "functions:list-functions",
+	"functions:list-secrets": "functions:list-function-secrets",
+	"functions:logs": "functions:list-function-logs",
+	"sending:get": "sending:get-sent-email",
+	"sending:list": "sending:list-sent-emails",
+	"sending:permissions": "sending:get-send-permissions",
+	"sending:reply": "sending:reply-to-email",
+	"sending:send": "sending:send-email",
+	"sent:get": "sending:get-sent-email",
+	"sent:list": "sending:list-sent-emails",
+	"webhook-deliveries:list": "webhook-deliveries:list-deliveries",
+	"webhook-deliveries:replay": "webhook-deliveries:replay-delivery"
+};
+const DESCRIBE_OPERATION_ALIASES = {
+	...CANONICAL_OPERATION_ALIASES,
+	reply: "sending:reply-to-email"
+};
+function resolveOperationAlias(id) {
+	return DESCRIBE_OPERATION_ALIASES[id] ?? id;
+}
 const OVERRIDDEN_OPERATION_IDS = new Set(["functions:test-function"]);
+const generatedCommands = Object.fromEntries(operationManifest.filter((operation) => !OVERRIDDEN_OPERATION_IDS.has(commandId(operation))).map((operation) => [commandId(operation), createOperationCommand(operation)]));
 const COMMANDS = {
 	completion: CompletionCommand,
 	"list-operations": ListOperationsCommand,
 	describe: DescribeCommand,
 	send: SendCommand,
+	reply: ReplyCommand,
 	login: LoginCommand,
+	signup: SignupCommand,
 	logout: LogoutCommand,
 	whoami: WhoamiCommand,
 	doctor: DoctorCommand,
@@ -12562,8 +13651,14 @@ const COMMANDS = {
 	"functions:deploy": FunctionsDeployCommand,
 	"functions:redeploy": FunctionsRedeployCommand,
 	"functions:set-secret": FunctionsSetSecretCommand,
+	"functions:test": FunctionsTestFunctionCommand,
 	"functions:test-function": FunctionsTestFunctionCommand,
-	...Object.fromEntries(operationManifest.filter((operation) => !OVERRIDDEN_OPERATION_IDS.has(commandId(operation))).map((operation) => [commandId(operation), createOperationCommand(operation)]))
+	...Object.fromEntries(Object.entries(CANONICAL_OPERATION_ALIASES).map(([alias, target]) => {
+		const command = generatedCommands[target];
+		if (!command) throw new Error(`Missing generated command target for alias ${alias}`);
+		return [alias, command];
+	})),
+	...generatedCommands
 };
 //#endregion
-export { COMMANDS, lookupOperation };
+export { CANONICAL_OPERATION_ALIASES, COMMANDS, lookupOperation };