@primitivedotdev/cli 0.29.0 → 0.30.1

package/dist/oclif/index.js

@@ -371,7 +371,7 @@ const mergeConfigs = (a, b) => {
 		...b
 	};
 	if (config.baseUrl?.endsWith("/")) config.baseUrl = config.baseUrl.substring(0, config.baseUrl.length - 1);
-	config.headers = mergeHeaders(a.headers, b.headers);
+	config.headers = mergeHeaders$1(a.headers, b.headers);
 	return config;
 };
 const headersEntries = (headers) => {
@@ -381,7 +381,7 @@ const headersEntries = (headers) => {
 	});
 	return entries;
 };
-const mergeHeaders = (...headers) => {
+const mergeHeaders$1 = (...headers) => {
 	const mergedHeaders = new Headers();
 	for (const header of headers) {
 		if (!header) continue;
@@ -461,7 +461,7 @@ const createClient = (config = {}) => {
 			..._config,
 			...options,
 			fetch: options.fetch ?? _config.fetch ?? globalThis.fetch,
-			headers: mergeHeaders(_config.headers, options.headers),
+			headers: mergeHeaders$1(_config.headers, options.headers),
 			serializedBody: void 0
 		};
 		if (opts.security) await setAuthParams({
@@ -1604,17 +1604,18 @@ const updateFunction = (options) => (options.client ?? client).put({
 * Sends a real test email from a Primitive-controlled sender to a
 * local-part on one of the org's verified inbound domains. By
 * default the recipient is a synthetic
-* `__primitive_function_test+<random>@<domain>` address that
-* every handler's catch-all routing receives identically; pass
-* `local_part` to override and exercise routing logic that
-* branches on a specific recipient (the common pattern when one
-* function handles multiple inboxes like `summarize@` and
-* `action@`). The function fires through the normal MX delivery
-* path, so reply / send-mail calls from inside the handler
-* against the inbound's `email.id` work the same as in
-* production. Returns immediately after the send is queued; the
-* invocation appears on the function's invocations list within a
-* few seconds.
+* `__primitive_function_test+<random>@<domain>` address on a
+* domain selected to route to the function. Scoped functions use
+* their scoped domain; fallback functions use a domain that has
+* no enabled domain-scoped endpoint. Pass `local_part` to
+* override and exercise routing logic that branches on a specific
+* recipient (the common pattern when one function handles multiple
+* inboxes like `summarize@` and `action@`). The function fires
+* through the normal MX delivery path, so reply / send-mail calls
+* from inside the handler against the inbound's `email.id` work
+* the same as in production. Returns immediately after the send is
+* queued; the invocation appears on the function's invocations
+* list within a few seconds.
 *
 * Requires that the function is currently `deployed`. Returns 422
 * if the function is in `pending` or `failed` state, or if the
@@ -3274,7 +3275,7 @@ const openapiDocument = {
 			"post": {
 				"operationId": "testFunction",
 				"summary": "Send a test invocation",
-				"description": "Sends a real test email from a Primitive-controlled sender to a\nlocal-part on one of the org's verified inbound domains. By\ndefault the recipient is a synthetic\n`__primitive_function_test+<random>@<domain>` address that\nevery handler's catch-all routing receives identically; pass\n`local_part` to override and exercise routing logic that\nbranches on a specific recipient (the common pattern when one\nfunction handles multiple inboxes like `summarize@` and\n`action@`). The function fires through the normal MX delivery\npath, so reply / send-mail calls from inside the handler\nagainst the inbound's `email.id` work the same as in\nproduction. Returns immediately after the send is queued; the\ninvocation appears on the function's invocations list within a\nfew seconds.\n\nRequires that the function is currently `deployed`. Returns 422\nif the function is in `pending` or `failed` state, or if the\norg has no verified inbound domain to receive the test mail.\nReturns 400 if `local_part` is set to a value that does not\nmatch the local-part character set.\n",
+				"description": "Sends a real test email from a Primitive-controlled sender to a\nlocal-part on one of the org's verified inbound domains. By\ndefault the recipient is a synthetic\n`__primitive_function_test+<random>@<domain>` address on a\ndomain selected to route to the function. Scoped functions use\ntheir scoped domain; fallback functions use a domain that has\nno enabled domain-scoped endpoint. Pass `local_part` to\noverride and exercise routing logic that branches on a specific\nrecipient (the common pattern when one function handles multiple\ninboxes like `summarize@` and `action@`). The function fires\nthrough the normal MX delivery path, so reply / send-mail calls\nfrom inside the handler against the inbound's `email.id` work\nthe same as in production. Returns immediately after the send is\nqueued; the invocation appears on the function's invocations\nlist within a few seconds.\n\nRequires that the function is currently `deployed`. Returns 422\nif the function is in `pending` or `failed` state, or if the\norg has no verified inbound domain to receive the test mail.\nReturns 400 if `local_part` is set to a value that does not\nmatch the local-part character set.\n",
 				"tags": ["Functions"],
 				"requestBody": {
 					"required": false,
@@ -7375,8 +7376,11 @@ const operationManifest = [
 				"type": "string"
 			},
 			{
+				"default": 50,
 				"description": "Number of results per page",
 				"enum": null,
+				"maximum": 100,
+				"minimum": 1,
 				"name": "limit",
 				"required": false,
 				"type": "integer"
@@ -7645,13 +7649,17 @@ const operationManifest = [
 				"type": "string"
 			},
 			{
+				"default": 50,
 				"description": "Number of results per page",
 				"enum": null,
+				"maximum": 100,
+				"minimum": 1,
 				"name": "limit",
 				"required": false,
 				"type": "integer"
 			},
 			{
+				"default": "true",
 				"description": "Include subject/body highlight snippets when text search is active.",
 				"enum": ["true", "false"],
 				"name": "snippet",
@@ -7659,6 +7667,7 @@ const operationManifest = [
 				"type": "string"
 			},
 			{
+				"default": "true",
 				"description": "Include facet counts for sender, domain, status, and attachment presence.",
 				"enum": ["true", "false"],
 				"name": "include_facets",
@@ -9114,8 +9123,11 @@ const operationManifest = [
 			"type": "string"
 		}],
 		"queryParams": [{
+			"default": 50,
 			"description": "Maximum number of rows to return. Clamped to 1..200; default\n50.\n",
 			"enum": null,
+			"maximum": 200,
+			"minimum": 1,
 			"name": "limit",
 			"required": false,
 			"type": "integer"
@@ -9387,7 +9399,7 @@ const operationManifest = [
 		"binaryResponse": false,
 		"bodyRequired": false,
 		"command": "test-function",
-		"description": "Sends a real test email from a Primitive-controlled sender to a\nlocal-part on one of the org's verified inbound domains. By\ndefault the recipient is a synthetic\n`__primitive_function_test+<random>@<domain>` address that\nevery handler's catch-all routing receives identically; pass\n`local_part` to override and exercise routing logic that\nbranches on a specific recipient (the common pattern when one\nfunction handles multiple inboxes like `summarize@` and\n`action@`). The function fires through the normal MX delivery\npath, so reply / send-mail calls from inside the handler\nagainst the inbound's `email.id` work the same as in\nproduction. Returns immediately after the send is queued; the\ninvocation appears on the function's invocations list within a\nfew seconds.\n\nRequires that the function is currently `deployed`. Returns 422\nif the function is in `pending` or `failed` state, or if the\norg has no verified inbound domain to receive the test mail.\nReturns 400 if `local_part` is set to a value that does not\nmatch the local-part character set.\n",
+		"description": "Sends a real test email from a Primitive-controlled sender to a\nlocal-part on one of the org's verified inbound domains. By\ndefault the recipient is a synthetic\n`__primitive_function_test+<random>@<domain>` address on a\ndomain selected to route to the function. Scoped functions use\ntheir scoped domain; fallback functions use a domain that has\nno enabled domain-scoped endpoint. Pass `local_part` to\noverride and exercise routing logic that branches on a specific\nrecipient (the common pattern when one function handles multiple\ninboxes like `summarize@` and `action@`). The function fires\nthrough the normal MX delivery path, so reply / send-mail calls\nfrom inside the handler against the inbound's `email.id` work\nthe same as in production. Returns immediately after the send is\nqueued; the invocation appears on the function's invocations\nlist within a few seconds.\n\nRequires that the function is currently `deployed`. Returns 422\nif the function is in `pending` or `failed` state, or if the\norg has no verified inbound domain to receive the test mail.\nReturns 400 if `local_part` is set to a value that does not\nmatch the local-part character set.\n",
 		"hasJsonBody": true,
 		"method": "POST",
 		"operationId": "testFunction",
@@ -9950,8 +9962,11 @@ const operationManifest = [
 				"type": "string"
 			},
 			{
+				"default": 50,
 				"description": "Number of results per page",
 				"enum": null,
+				"maximum": 100,
+				"minimum": 1,
 				"name": "limit",
 				"required": false,
 				"type": "integer"
@@ -10523,8 +10538,11 @@ const operationManifest = [
 				"type": "string"
 			},
 			{
+				"default": 50,
 				"description": "Number of results per page",
 				"enum": null,
+				"maximum": 100,
+				"minimum": 1,
 				"name": "limit",
 				"required": false,
 				"type": "integer"
@@ -10735,7 +10753,7 @@ const CREDENTIALS_FILE = "credentials.json";
 const CREDENTIALS_LOCK_DIR = "credentials.lock";
 const CREDENTIALS_LOCK_STALE_MS = 1800 * 1e3;
 const MALFORMED_CREDENTIALS_HINT = "Run `primitive logout` and then `primitive login`.";
-function isRecord$1(value) {
+function isRecord$2(value) {
 	return value !== null && typeof value === "object" && !Array.isArray(value);
 }
 function requireString(value, key) {
@@ -10758,7 +10776,7 @@ var StaleCredentialFormatError = class extends Error {
 	}
 };
 function parseCredentials(raw) {
-	if (!isRecord$1(raw)) throw new Error(`Stored Primitive CLI credentials are malformed: expected a JSON object. ${MALFORMED_CREDENTIALS_HINT}`);
+	if (!isRecord$2(raw)) throw new Error(`Stored Primitive CLI credentials are malformed: expected a JSON object. ${MALFORMED_CREDENTIALS_HINT}`);
 	if (typeof raw.api_base_url_1 !== "string" && typeof raw.base_url === "string") throw new StaleCredentialFormatError();
 	const orgName = raw.org_name;
 	if (orgName !== null && typeof orgName !== "string") throw new Error(`Stored Primitive CLI credentials are malformed: org_name must be a string or null. ${MALFORMED_CREDENTIALS_HINT}`);
@@ -10903,6 +10921,269 @@ function resolveCliAuth(params) {
 	};
 }
 //#endregion
+//#region src/oclif/cli-config.ts
+const CONFIG_FILE = "config.json";
+const CONFIG_VERSION = 1;
+const DEFAULT_ENVIRONMENT = "default";
+function cliConfigPath(configDir) {
+	return join(configDir, CONFIG_FILE);
+}
+function cliConfigError(message) {
+	return new Errors.CLIError(`${message} Run \`primitive config reset\` to clear the local CLI config.`, { exit: 1 });
+}
+function isRecord$1(value) {
+	return value !== null && typeof value === "object" && !Array.isArray(value);
+}
+function normalizeCliEnvironmentName(name) {
+	const trimmed = name?.trim();
+	if (!trimmed) throw new Errors.CLIError("Environment name must be a non-empty string.", { exit: 1 });
+	if (!/^[A-Za-z0-9][A-Za-z0-9._-]{0,62}$/.test(trimmed)) throw new Errors.CLIError("Environment name must start with a letter or number and may only contain letters, numbers, '.', '_', or '-'.", { exit: 1 });
+	return trimmed;
+}
+function validateCliHeaderName(name) {
+	const trimmed = name.trim();
+	if (!trimmed) throw new Errors.CLIError("Header name must be a non-empty string.", { exit: 1 });
+	if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(trimmed)) throw new Errors.CLIError(`Invalid header name: ${name}`, { exit: 1 });
+	if (trimmed.toLowerCase() === "authorization") throw new Errors.CLIError("The Authorization header is managed by PRIMITIVE_API_KEY or saved CLI credentials.", { exit: 1 });
+	return trimmed;
+}
+function validateCliHeaderValue(value, name) {
+	if (value.length === 0) throw new Errors.CLIError(`Header ${name} value must not be empty.`, { exit: 1 });
+	if (/[\r\n\0]/.test(value)) throw new Errors.CLIError(`Header ${name} value must not contain CR, LF, or NUL characters.`, { exit: 1 });
+	return value;
+}
+function parseHeaderAssignment(assignment) {
+	const separator = assignment.indexOf("=");
+	if (separator <= 0) throw new Errors.CLIError("Header values must use name=value syntax, for example `x-custom=secret`.", { exit: 1 });
+	const name = validateCliHeaderName(assignment.slice(0, separator));
+	return [name, validateCliHeaderValue(assignment.slice(separator + 1), name)];
+}
+function parseHeaders(raw, context) {
+	if (raw === void 0) return {};
+	if (!isRecord$1(raw)) throw cliConfigError(`${context} headers must be a JSON object.`);
+	const headers = {};
+	for (const [rawName, rawValue] of Object.entries(raw)) {
+		const name = validateCliHeaderName(rawName);
+		if (typeof rawValue !== "string") throw cliConfigError(`${context} header ${name} must be a string.`);
+		headers[name] = validateCliHeaderValue(rawValue, name);
+	}
+	return headers;
+}
+function parseEnvironmentConfig(raw, context) {
+	if (!isRecord$1(raw)) throw cliConfigError(`${context} must be a JSON object.`);
+	const env = {};
+	if (raw.api_base_url_1 !== void 0) {
+		if (typeof raw.api_base_url_1 !== "string") throw cliConfigError(`${context}.api_base_url_1 must be a string.`);
+		env.api_base_url_1 = normalizeApiBaseUrl1(raw.api_base_url_1);
+	}
+	if (raw.api_base_url_2 !== void 0) {
+		if (typeof raw.api_base_url_2 !== "string") throw cliConfigError(`${context}.api_base_url_2 must be a string.`);
+		env.api_base_url_2 = normalizeApiBaseUrl2(raw.api_base_url_2);
+	}
+	const headers = parseHeaders(raw.headers, context);
+	if (Object.keys(headers).length > 0) env.headers = headers;
+	return env;
+}
+function parseStoredCliConfig(raw) {
+	if (!isRecord$1(raw)) throw cliConfigError("Primitive CLI config must be a JSON object.");
+	if (raw.version !== CONFIG_VERSION) throw cliConfigError(`Primitive CLI config version must be ${CONFIG_VERSION}.`);
+	const currentRaw = raw.current_environment;
+	const current_environment = currentRaw === null || currentRaw === void 0 ? null : typeof currentRaw === "string" ? normalizeCliEnvironmentName(currentRaw) : (() => {
+		throw cliConfigError("Primitive CLI config current_environment must be a string or null.");
+	})();
+	if (!isRecord$1(raw.environments)) throw cliConfigError("Primitive CLI config environments must be an object.");
+	const environments = {};
+	for (const [rawName, rawEnv] of Object.entries(raw.environments)) {
+		const name = normalizeCliEnvironmentName(rawName);
+		environments[name] = parseEnvironmentConfig(rawEnv, `Primitive CLI config environment ${name}`);
+	}
+	if (current_environment && !environments[current_environment]) throw cliConfigError(`Primitive CLI config current environment ${current_environment} does not exist.`);
+	return {
+		version: CONFIG_VERSION,
+		current_environment,
+		environments
+	};
+}
+function emptyCliConfig() {
+	return {
+		version: CONFIG_VERSION,
+		current_environment: null,
+		environments: {}
+	};
+}
+function loadCliConfig(configDir) {
+	const path = cliConfigPath(configDir);
+	let contents;
+	try {
+		contents = readFileSync(path, "utf8");
+	} catch (error) {
+		if (error && typeof error === "object" && error.code === "ENOENT") return null;
+		throw cliConfigError(`Could not read Primitive CLI config: ${error instanceof Error ? error.message : String(error)}.`);
+	}
+	try {
+		return parseStoredCliConfig(JSON.parse(contents));
+	} catch (error) {
+		if (error instanceof SyntaxError) throw cliConfigError("Primitive CLI config is not valid JSON.");
+		throw error;
+	}
+}
+function saveCliConfig(configDir, config) {
+	mkdirSync(configDir, {
+		mode: 448,
+		recursive: true
+	});
+	const path = cliConfigPath(configDir);
+	const tempPath = join(configDir, `${CONFIG_FILE}.${process.pid}.${randomUUID()}.tmp`);
+	try {
+		writeFileSync(tempPath, `${JSON.stringify(config, null, 2)}\n`, { mode: 384 });
+		renameSync(tempPath, path);
+	} catch (error) {
+		rmSync(tempPath, { force: true });
+		throw error;
+	}
+}
+function deleteCliConfig(configDir) {
+	rmSync(cliConfigPath(configDir), { force: true });
+}
+function resolveConfigEnvironment(config) {
+	if (!config) return null;
+	const current = config.current_environment;
+	if (current) {
+		const environment = config.environments[current];
+		return environment ? {
+			name: current,
+			config: environment
+		} : null;
+	}
+	const defaultEnvironment = config.environments[DEFAULT_ENVIRONMENT];
+	return defaultEnvironment ? {
+		name: DEFAULT_ENVIRONMENT,
+		config: defaultEnvironment
+	} : null;
+}
+function upsertCliEnvironment(params) {
+	const name = normalizeCliEnvironmentName(params.environmentName ?? DEFAULT_ENVIRONMENT);
+	const existing = params.config.environments[name] ?? {};
+	const nextHeaders = { ...existing.headers ?? {} };
+	for (const assignment of params.headers ?? []) {
+		const [headerName, value] = parseHeaderAssignment(assignment);
+		nextHeaders[headerName] = value;
+	}
+	for (const rawName of params.unsetHeaders ?? []) delete nextHeaders[validateCliHeaderName(rawName)];
+	const nextEnvironment = {
+		...existing,
+		...params.apiBaseUrl1 !== void 0 ? { api_base_url_1: normalizeApiBaseUrl1(params.apiBaseUrl1) } : {},
+		...params.apiBaseUrl2 !== void 0 ? { api_base_url_2: normalizeApiBaseUrl2(params.apiBaseUrl2) } : {},
+		...Object.keys(nextHeaders).length > 0 ? { headers: nextHeaders } : {}
+	};
+	if (Object.keys(nextHeaders).length === 0) delete nextEnvironment.headers;
+	return {
+		...params.config,
+		current_environment: params.use === false ? params.config.current_environment : name,
+		environments: {
+			...params.config.environments,
+			[name]: nextEnvironment
+		}
+	};
+}
+function removeCliEnvironment(config, environmentName) {
+	const name = normalizeCliEnvironmentName(environmentName);
+	const environments = { ...config.environments };
+	delete environments[name];
+	return {
+		...config,
+		current_environment: config.current_environment === name ? null : config.current_environment,
+		environments
+	};
+}
+function redactCliEnvironment(environment) {
+	const headers = environment.headers && Object.keys(environment.headers).length > 0 ? Object.fromEntries(Object.keys(environment.headers).map((name) => [name, "***"])) : void 0;
+	return {
+		...environment,
+		...headers ? { headers } : {}
+	};
+}
+//#endregion
+//#region src/oclif/api-client.ts
+const API_HEADERS_ENV = "PRIMITIVE_API_HEADERS";
+function mergeHeaders(...headers) {
+	const merged = {};
+	for (const headerSet of headers) {
+		if (!headerSet) continue;
+		for (const [name, value] of Object.entries(headerSet)) merged[name] = value;
+	}
+	return Object.keys(merged).length > 0 ? merged : void 0;
+}
+function parseHeadersJson(raw) {
+	let parsed;
+	try {
+		parsed = JSON.parse(raw);
+	} catch (error) {
+		const detail = error instanceof Error ? error.message : String(error);
+		throw new Errors.CLIError(`${API_HEADERS_ENV} must be valid JSON object syntax: ${detail}`, { exit: 1 });
+	}
+	if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) throw new Errors.CLIError(`${API_HEADERS_ENV} must be a JSON object.`, { exit: 1 });
+	const headers = {};
+	for (const [rawName, rawValue] of Object.entries(parsed)) {
+		const name = validateCliHeaderName(rawName);
+		if (typeof rawValue !== "string") throw new Errors.CLIError(`${API_HEADERS_ENV}.${name} must be a string.`, { exit: 1 });
+		headers[name] = validateCliHeaderValue(rawValue, name);
+	}
+	return headers;
+}
+function cliApiHeadersFromEnv(env = process.env) {
+	const rawGenericHeaders = env[API_HEADERS_ENV]?.trim();
+	return rawGenericHeaders ? parseHeadersJson(rawGenericHeaders) : void 0;
+}
+function resolveCliApiRequestConfig(params) {
+	const currentEnvironment = resolveConfigEnvironment(loadCliConfig(params.configDir));
+	const configuredApiBaseUrl1 = currentEnvironment?.config.api_base_url_1;
+	const configuredApiBaseUrl2 = currentEnvironment?.config.api_base_url_2;
+	const apiBaseUrl1 = params.apiBaseUrl1 !== void 0 ? normalizeApiBaseUrl1(params.apiBaseUrl1) : configuredApiBaseUrl1;
+	const apiBaseUrl2 = params.apiBaseUrl2 !== void 0 ? normalizeApiBaseUrl2(params.apiBaseUrl2) : configuredApiBaseUrl2;
+	return {
+		apiBaseUrl1,
+		apiBaseUrl2,
+		baseUrlOverridden: apiBaseUrl1 !== void 0 || apiBaseUrl2 !== void 0,
+		environmentName: currentEnvironment?.name ?? null,
+		headers: mergeHeaders(currentEnvironment?.config.headers, cliApiHeadersFromEnv(params.env)),
+		resolvedApiBaseUrl1: normalizeApiBaseUrl1(apiBaseUrl1),
+		resolvedApiBaseUrl2: normalizeApiBaseUrl2(apiBaseUrl2)
+	};
+}
+function createCliApiClient(params) {
+	const requestConfig = resolveCliApiRequestConfig(params);
+	return {
+		apiClient: new PrimitiveApiClient({
+			apiKey: params.apiKey,
+			apiBaseUrl1: requestConfig.resolvedApiBaseUrl1,
+			apiBaseUrl2: requestConfig.resolvedApiBaseUrl2,
+			headers: requestConfig.headers
+		}),
+		requestConfig
+	};
+}
+function createAuthenticatedCliApiClient(params) {
+	const requestConfig = resolveCliApiRequestConfig(params);
+	const auth = resolveCliAuth({
+		apiKey: params.apiKey,
+		apiBaseUrl1: requestConfig.apiBaseUrl1,
+		apiBaseUrl2: requestConfig.apiBaseUrl2,
+		configDir: params.configDir
+	});
+	return {
+		apiClient: new PrimitiveApiClient({
+			apiKey: auth.apiKey,
+			apiBaseUrl1: auth.apiBaseUrl1,
+			apiBaseUrl2: auth.apiBaseUrl2,
+			headers: requestConfig.headers
+		}),
+		auth,
+		baseUrlOverridden: requestConfig.baseUrlOverridden,
+		requestConfig
+	};
+}
+//#endregion
 //#region src/oclif/endpoints-test-redirect.ts
 async function detectFunctionEndpoint(endpointId, listEndpoints) {
 	let response;
@@ -10988,6 +11269,22 @@ function flagName(parameterName) {
 function flagDescription(parameter) {
 	return parameter.description ?? parameter.name;
 }
+const numberFlag = Flags.custom({ async parse(input, _context, options) {
+	const trimmed = input.trim();
+	if (trimmed === "") throw new Errors.CLIError(`Expected a number but received: ${input}`);
+	const value = Number(trimmed);
+	if (!Number.isFinite(value)) throw new Errors.CLIError(`Expected a number but received: ${input}`);
+	if (options.min !== void 0 && value < options.min) throw new Errors.CLIError(`Expected a number greater than or equal to ${options.min} but received: ${input}`);
+	if (options.max !== void 0 && value > options.max) throw new Errors.CLIError(`Expected a number less than or equal to ${options.max} but received: ${input}`);
+	return value;
+} });
+function numericFlagOptions(parameter) {
+	return {
+		...typeof parameter.default === "number" ? { default: parameter.default } : {},
+		...typeof parameter.maximum === "number" ? { max: parameter.maximum } : {},
+		...typeof parameter.minimum === "number" ? { min: parameter.minimum } : {}
+	};
+}
 function extractBodyFields(schema) {
 	if (!schema || typeof schema !== "object") return [];
 	const properties = schema.properties;
@@ -11003,7 +11300,8 @@ function extractBodyFields(schema) {
 		if (typeof t === "string") {
 			displayType = t;
 			if (t === "string") kind = "string";
-			else if (t === "integer" || t === "number") kind = "integer";
+			else if (t === "integer") kind = "integer";
+			else if (t === "number") kind = "number";
 			else if (t === "boolean") kind = "boolean";
 			else if (t === "array") {
 				const items = propSchema.items;
@@ -11019,7 +11317,8 @@ function extractBodyFields(schema) {
 				const single = nonNull[0];
 				displayType = `${single}?`;
 				if (single === "string") kind = "string";
-				else if (single === "integer" || single === "number") kind = "integer";
+				else if (single === "integer") kind = "integer";
+				else if (single === "number") kind = "number";
 				else if (single === "boolean") kind = "boolean";
 				else kind = "complex";
 			} else {
@@ -11036,7 +11335,9 @@ function extractBodyFields(schema) {
 			required: required.has(name),
 			displayType,
 			kind,
-			...enumValues && enumValues.length > 0 ? { enumValues } : {}
+			...enumValues && enumValues.length > 0 ? { enumValues } : {},
+			...typeof propSchema.maximum === "number" ? { maximum: propSchema.maximum } : {},
+			...typeof propSchema.minimum === "number" ? { minimum: propSchema.minimum } : {}
 		});
 	}
 	return fields.sort((a, b) => {
@@ -11084,7 +11385,14 @@ function flagForParameter(parameter) {
 		required: parameter.required
 	};
 	if (parameter.type === "boolean") return Flags.boolean(common);
-	if (parameter.type === "integer") return Flags.integer(common);
+	if (parameter.type === "integer") return Flags.integer({
+		...common,
+		...numericFlagOptions(parameter)
+	});
+	if (parameter.type === "number") return numberFlag({
+		...common,
+		...numericFlagOptions(parameter)
+	});
 	if (parameter.enum && parameter.enum.length > 0) return Flags.string({
 		...common,
 		options: parameter.enum
@@ -11199,7 +11507,7 @@ function writeErrorWithHints(payload) {
 function removeStaleSavedCredentialOnUnauthorized(params) {
 	if (extractErrorCode(params.payload) !== API_ERROR_CODES.unauthorized || params.auth.source !== "stored") return false;
 	if (params.baseUrlOverridden && params.auth.credentials !== null && params.auth.apiBaseUrl1 !== params.auth.credentials.api_base_url_1) {
-		process.stderr.write("Saved Primitive CLI credentials were rejected by the overridden API base URL. The local credential was not removed; unset PRIMITIVE_API_BASE_URL_1, or run `primitive logout` to remove the stored credential.\n");
+		process.stderr.write("Saved Primitive CLI credentials were rejected by the overridden API base URL. The local credential was not removed; unset PRIMITIVE_API_BASE_URL_1, run `primitive config reset` to clear configured URL overrides, or run `primitive logout` to remove the stored credential.\n");
 		return false;
 	}
 	deleteCliCredentials(params.configDir);
@@ -11224,9 +11532,6 @@ async function runWithTiming(enabled, fn) {
 const TIME_FLAG_DESCRIPTION = "Print the wall-clock duration of this command to stderr after it completes (e.g. `[time: 1.34s]`). Useful for measuring `--wait` send latency, comparing CLI overhead, or capturing timing in scripts.";
 const API_BASE_URL_1_FLAG_DESCRIPTION = "Override the primary API base URL. Internal testing only; not documented to customers.";
 const API_BASE_URL_2_FLAG_DESCRIPTION = "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.";
-function baseUrlOverriddenFromFlags(flags) {
-	return typeof flags["api-base-url-1"] === "string" || typeof flags["api-base-url-2"] === "string";
-}
 const HOST_2_OPERATIONS = new Set(["sendEmail"]);
 const RESERVED_FLAG_NAMES = new Set([
 	"api-key",
@@ -11234,12 +11539,20 @@ const RESERVED_FLAG_NAMES = new Set([
 	"api-base-url-2",
 	"raw-body",
 	"body-file",
+	"envelope",
 	"output"
 ]);
 function bodyFieldFlag(field) {
 	const common = { description: field.description || field.name };
 	if (field.kind === "boolean") return Flags.boolean(common);
-	if (field.kind === "integer") return Flags.integer(common);
+	if (field.kind === "integer") return Flags.integer({
+		...common,
+		...numericFlagOptions(field)
+	});
+	if (field.kind === "number") return numberFlag({
+		...common,
+		...numericFlagOptions(field)
+	});
 	if (field.enumValues) return Flags.string({
 		...common,
 		options: field.enumValues
@@ -11264,6 +11577,7 @@ function buildFlags(operation) {
 		}),
 		time: Flags.boolean({ description: TIME_FLAG_DESCRIPTION })
 	};
+	if (!operation.binaryResponse) flags.envelope = Flags.boolean({ description: "Print the full response envelope, including pagination metadata such as meta.cursor. Defaults to printing only the data payload for backward compatibility." });
 	for (const parameter of [...operation.pathParams, ...operation.queryParams]) flags[flagName(parameter.name)] = flagForParameter(parameter);
 	const bodyFieldFlagToProperty = /* @__PURE__ */ new Map();
 	if (operation.hasJsonBody) {
@@ -11302,6 +11616,9 @@ function collectValues(parameters, flags) {
 	}
 	return values;
 }
+function operationOutputPayload(envelope, includeEnvelope) {
+	return includeEnvelope ? envelope ?? null : envelope?.data ?? null;
+}
 const OPERATION_HINTS = {
 	createFunction: "Tip: prefer `primitive functions deploy --name <name> --file <bundle>` for file-input ergonomics. This raw command exists for callers passing JSON.",
 	updateFunction: "Tip: prefer `primitive functions redeploy --id <id> --file <bundle>` for file-input ergonomics. This raw command exists for callers passing JSON.",
@@ -11323,18 +11640,12 @@ function createOperationCommand(operation) {
 			const { flags } = await this.parse(OperationCommand);
 			const parsedFlags = flags;
 			await runWithTiming(parsedFlags.time === true, async () => {
-				const baseUrlOverridden = typeof parsedFlags["api-base-url-1"] === "string" || typeof parsedFlags["api-base-url-2"] === "string";
-				const auth = resolveCliAuth({
+				const { apiClient, auth, baseUrlOverridden } = createAuthenticatedCliApiClient({
 					apiKey: typeof parsedFlags["api-key"] === "string" ? parsedFlags["api-key"] : void 0,
 					apiBaseUrl1: typeof parsedFlags["api-base-url-1"] === "string" ? parsedFlags["api-base-url-1"] : void 0,
 					apiBaseUrl2: typeof parsedFlags["api-base-url-2"] === "string" ? parsedFlags["api-base-url-2"] : void 0,
 					configDir: this.config.configDir
 				});
-				const apiClient = new PrimitiveApiClient({
-					apiKey: auth.apiKey,
-					apiBaseUrl1: auth.apiBaseUrl1,
-					apiBaseUrl2: auth.apiBaseUrl2
-				});
 				let body;
 				if (operation.hasJsonBody) {
 					const explicit = readJsonBody(parsedFlags);
@@ -11409,7 +11720,7 @@ function createOperationCommand(operation) {
 				writeIdempotentReplayBannerIfReplay(envelope?.data, { write: (chunk) => {
 					process.stderr.write(chunk);
 				} });
-				this.log(JSON.stringify(envelope?.data ?? null, null, 2));
+				this.log(JSON.stringify(operationOutputPayload(envelope, parsedFlags.envelope === true), null, 2));
 			});
 		}
 	}
@@ -11426,6 +11737,128 @@ function canonicalizeCliReferences(description) {
 	return description.replaceAll("`primitive emails:latest`", "`primitive emails latest`").replaceAll("`primitive describe emails:get-email | jq '.responseSchema.properties'`", "`primitive describe emails:get | jq '.responseSchema.properties'`");
 }
 //#endregion
+//#region src/oclif/commands/config.ts
+function loadOrCreateConfig(configDir) {
+	return loadCliConfig(configDir) ?? emptyCliConfig();
+}
+function redactConfig(config) {
+	return {
+		...config,
+		environments: Object.fromEntries(Object.entries(config.environments).map(([name, environment]) => [name, redactCliEnvironment(environment)]))
+	};
+}
+var ConfigSetCommand = class ConfigSetCommand extends Command {
+	static hidden = true;
+	static summary = "Set hidden Primitive CLI request config";
+	static flags = {
+		environment: Flags.string({
+			char: "e",
+			description: "Environment name to create or update"
+		}),
+		"api-base-url-1": Flags.string({ description: "Primary API base URL" }),
+		"api-base-url-2": Flags.string({ description: "Attachments-supporting API base URL" }),
+		header: Flags.string({
+			description: "Request header in name=value form. Repeatable.",
+			multiple: true
+		}),
+		"unset-header": Flags.string({
+			description: "Request header name to remove. Repeatable.",
+			multiple: true
+		})
+	};
+	async run() {
+		const { flags } = await this.parse(ConfigSetCommand);
+		const headers = flags.header ?? [];
+		if (flags["api-base-url-1"] === void 0 && flags["api-base-url-2"] === void 0 && headers.length === 0 && (flags["unset-header"] ?? []).length === 0) throw new Errors.CLIError("Nothing to set. Pass an API base URL, --header, or --unset-header.", { exit: 1 });
+		const config = upsertCliEnvironment({
+			apiBaseUrl1: flags["api-base-url-1"],
+			apiBaseUrl2: flags["api-base-url-2"],
+			config: loadOrCreateConfig(this.config.configDir),
+			environmentName: flags.environment,
+			headers,
+			unsetHeaders: flags["unset-header"]
+		});
+		saveCliConfig(this.config.configDir, config);
+		process.stderr.write(`Primitive CLI environment ${config.current_environment} is active.\n`);
+	}
+};
+var ConfigUseCommand = class ConfigUseCommand extends Command {
+	static hidden = true;
+	static summary = "Switch active Primitive CLI request config";
+	static args = { environment: Args.string({
+		description: "Environment name to use",
+		required: true
+	}) };
+	async run() {
+		const { args } = await this.parse(ConfigUseCommand);
+		const environment = normalizeCliEnvironmentName(args.environment);
+		const config = loadOrCreateConfig(this.config.configDir);
+		if (!config.environments[environment]) throw new Errors.CLIError(`Primitive CLI environment ${environment} is not configured.`, { exit: 1 });
+		saveCliConfig(this.config.configDir, {
+			...config,
+			current_environment: environment
+		});
+		process.stderr.write(`Primitive CLI environment ${environment} is active.\n`);
+	}
+};
+var ConfigListCommand = class ConfigListCommand extends Command {
+	static hidden = true;
+	static summary = "List hidden Primitive CLI request configs";
+	static flags = {
+		json: Flags.boolean({ description: "Print JSON" }),
+		"show-secrets": Flags.boolean({ description: "Show header values instead of redacting them" })
+	};
+	async run() {
+		const { flags } = await this.parse(ConfigListCommand);
+		const config = loadOrCreateConfig(this.config.configDir);
+		const output = flags["show-secrets"] ? config : redactConfig(config);
+		if (flags.json) {
+			this.log(JSON.stringify(output, null, 2));
+			return;
+		}
+		const entries = Object.entries(config.environments);
+		if (entries.length === 0) {
+			this.log("No Primitive CLI environments configured.");
+			return;
+		}
+		const activeEnvironment = resolveConfigEnvironment(config)?.name ?? null;
+		for (const [name, environment] of entries) {
+			const active = activeEnvironment === name ? "*" : " ";
+			const headerNames = Object.keys(environment.headers ?? {});
+			this.log(`${active} ${name}`);
+			if (environment.api_base_url_1) this.log(`    api_base_url_1: ${environment.api_base_url_1}`);
+			if (environment.api_base_url_2) this.log(`    api_base_url_2: ${environment.api_base_url_2}`);
+			this.log(`    headers: ${headerNames.length > 0 ? headerNames.join(", ") : "(none)"}`);
+		}
+	}
+};
+var ConfigResetCommand = class ConfigResetCommand extends Command {
+	static hidden = true;
+	static summary = "Reset hidden Primitive CLI request config";
+	static flags = { environment: Flags.string({
+		char: "e",
+		description: "Only remove one environment"
+	}) };
+	async run() {
+		const { flags } = await this.parse(ConfigResetCommand);
+		if (flags.environment === void 0) {
+			deleteCliConfig(this.config.configDir);
+			process.stderr.write("Primitive CLI request config reset.\n");
+			return;
+		}
+		const environment = normalizeCliEnvironmentName(flags.environment);
+		const config = loadCliConfig(this.config.configDir);
+		if (!config?.environments[environment]) {
+			process.stderr.write(`Primitive CLI environment ${environment} was not configured.\n`);
+			return;
+		}
+		const nextConfig = removeCliEnvironment(config, environment);
+		if (Object.keys(nextConfig.environments).length === 0) deleteCliConfig(this.config.configDir);
+		else saveCliConfig(this.config.configDir, nextConfig);
+		process.stderr.write(`Primitive CLI environment ${environment} removed.\n`);
+	}
+};
+//#endregion
 //#region src/oclif/commands/doctor.ts
 const MIN_NODE_MAJOR = 22;
 function renderRow({ label, outcome }) {
@@ -11524,14 +11957,10 @@ function checkApiKey(opts) {
 		hint: "Run `primitive login`, pass --api-key explicitly, or export PRIMITIVE_API_KEY=prim_..."
 	};
 }
-async function checkAccount(opts) {
+async function checkAccount(client) {
 	try {
 		const result = await getAccount({
-			client: new PrimitiveApiClient({
-				apiKey: opts.apiKey,
-				apiBaseUrl1: opts.apiBaseUrl1,
-				apiBaseUrl2: opts.apiBaseUrl2
-			}).client,
+			client: client.client,
 			responseStyle: "fields"
 		});
 		const apiError = result.error;
@@ -11572,14 +12001,10 @@ async function checkAccount(opts) {
 		};
 	}
 }
-async function checkDomains(opts) {
+async function checkDomains(client) {
 	try {
 		const result = await listDomains({
-			client: new PrimitiveApiClient({
-				apiKey: opts.apiKey,
-				apiBaseUrl1: opts.apiBaseUrl1,
-				apiBaseUrl2: opts.apiBaseUrl2
-			}).client,
+			client: client.client,
 			responseStyle: "fields"
 		});
 		if (result.error) return {
@@ -11650,28 +12075,20 @@ var DoctorCommand = class DoctorCommand extends Command {
 			outcome: apiKeyCheck
 		});
 		if (apiKeyCheck.status !== "fail") {
-			const auth = resolveCliAuth({
+			const { apiClient, auth } = createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
 				apiBaseUrl1: flags["api-base-url-1"],
 				apiBaseUrl2: flags["api-base-url-2"],
 				configDir: this.config.configDir
 			});
 			if (auth.apiKey !== void 0) {
-				const accountCheck = await checkAccount({
-					apiKey: auth.apiKey,
-					apiBaseUrl1: auth.apiBaseUrl1,
-					apiBaseUrl2: auth.apiBaseUrl2
-				});
+				const accountCheck = await checkAccount(apiClient);
 				rows.push({
 					label: "API auth",
 					outcome: accountCheck.outcome
 				});
 				if (accountCheck.outcome.status === "ok") {
-					const domainsOutcome = await checkDomains({
-						apiKey: auth.apiKey,
-						apiBaseUrl1: auth.apiBaseUrl1,
-						apiBaseUrl2: auth.apiBaseUrl2
-					});
+					const domainsOutcome = await checkDomains(apiClient);
 					rows.push({
 						label: "Domains",
 						outcome: domainsOutcome
@@ -11765,19 +12182,14 @@ var EmailsLatestCommand = class EmailsLatestCommand extends Command {
 	async run() {
 		const { flags } = await this.parse(EmailsLatestCommand);
 		await runWithTiming(flags.time, async () => {
-			const baseUrlOverridden = flags["api-base-url-1"] !== void 0 || flags["api-base-url-2"] !== void 0;
-			const auth = resolveCliAuth({
+			const { apiClient, auth, baseUrlOverridden } = createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
 				apiBaseUrl1: flags["api-base-url-1"],
 				apiBaseUrl2: flags["api-base-url-2"],
 				configDir: this.config.configDir
 			});
 			const result = await listEmails({
-				client: new PrimitiveApiClient({
-					apiKey: auth.apiKey,
-					apiBaseUrl1: auth.apiBaseUrl1,
-					apiBaseUrl2: auth.apiBaseUrl2
-				}).client,
+				client: apiClient.client,
 				query: { limit: flags.limit },
 				responseStyle: "fields"
 			});
@@ -11974,18 +12386,12 @@ var EmailsWaitCommand = class EmailsWaitCommand extends Command {
 	};
 	async run() {
 		const { flags } = await this.parse(EmailsWaitCommand);
-		const baseUrlOverridden = flags["api-base-url-1"] !== void 0 || flags["api-base-url-2"] !== void 0;
-		const auth = resolveCliAuth({
+		const { apiClient, auth, baseUrlOverridden } = createAuthenticatedCliApiClient({
 			apiKey: flags["api-key"],
 			apiBaseUrl1: flags["api-base-url-1"],
 			apiBaseUrl2: flags["api-base-url-2"],
 			configDir: this.config.configDir
 		});
-		const apiClient = new PrimitiveApiClient({
-			apiKey: auth.apiKey,
-			apiBaseUrl1: auth.apiBaseUrl1,
-			apiBaseUrl2: auth.apiBaseUrl2
-		});
 		let since;
 		try {
 			since = sinceFromFlags(flags);
@@ -12102,18 +12508,12 @@ var EmailsWatchCommand = class EmailsWatchCommand extends Command {
 	};
 	async run() {
 		const { flags } = await this.parse(EmailsWatchCommand);
-		const baseUrlOverridden = flags["api-base-url-1"] !== void 0 || flags["api-base-url-2"] !== void 0;
-		const auth = resolveCliAuth({
+		const { apiClient, auth, baseUrlOverridden } = createAuthenticatedCliApiClient({
 			apiKey: flags["api-key"],
 			apiBaseUrl1: flags["api-base-url-1"],
 			apiBaseUrl2: flags["api-base-url-2"],
 			configDir: this.config.configDir
 		});
-		const apiClient = new PrimitiveApiClient({
-			apiKey: auth.apiKey,
-			apiBaseUrl1: auth.apiBaseUrl1,
-			apiBaseUrl2: auth.apiBaseUrl2
-		});
 		let since;
 		try {
 			since = sinceFromFlags(flags);
@@ -12167,6 +12567,92 @@ var EmailsWatchCommand = class EmailsWatchCommand extends Command {
 	}
 };
 //#endregion
+//#region src/oclif/function-deploy-wait.ts
+function validateDeployWaitFlags(params) {
+	if (params.timeoutSeconds < 0) return "--timeout must be greater than or equal to 0.";
+	if (params.pollIntervalSeconds <= 0) return "--poll-interval must be greater than 0.";
+	return null;
+}
+function isTerminal(status) {
+	return status === "deployed" || status === "failed";
+}
+function resultForTerminal(snapshot) {
+	if (snapshot.deploy_status === "failed") return {
+		function: snapshot,
+		kind: "failed"
+	};
+	return {
+		function: snapshot,
+		kind: "ok"
+	};
+}
+function toDeployWaitSnapshot(value) {
+	return {
+		...value.created_at !== void 0 ? { created_at: value.created_at } : {},
+		...value.deploy_error !== void 0 ? { deploy_error: value.deploy_error } : {},
+		deploy_status: value.deploy_status,
+		...value.deployed_at !== void 0 ? { deployed_at: value.deployed_at } : {},
+		gateway_url: value.gateway_url,
+		id: value.id,
+		name: value.name,
+		...value.updated_at !== void 0 ? { updated_at: value.updated_at } : {}
+	};
+}
+function elapsedSeconds(startedAt, now) {
+	return Math.max(0, Math.round((now() - startedAt) / 1e3));
+}
+async function defaultSleep(ms) {
+	await new Promise((resolve) => setTimeout(resolve, ms));
+}
+async function waitForFunctionDeploy(params) {
+	const now = params.now ?? Date.now;
+	const sleep = params.sleep ?? defaultSleep;
+	const writeStderr = params.writeStderr ?? ((chunk) => {
+		process.stderr.write(chunk);
+	});
+	const startedAt = now();
+	const timeoutMs = params.timeoutSeconds * 1e3;
+	const pollIntervalMs = params.pollIntervalSeconds * 1e3;
+	const hasTimeout = params.timeoutSeconds > 0;
+	let last = params.initial ? toDeployWaitSnapshot(params.initial) : null;
+	let lastStatus = last?.deploy_status ?? "unknown";
+	if (last && isTerminal(last.deploy_status)) return resultForTerminal(last);
+	writeStderr(`Waiting for function ${params.id} deploy to finish (current status: ${lastStatus})...\n`);
+	while (true) {
+		const elapsedMs = now() - startedAt;
+		if (hasTimeout && elapsedMs >= timeoutMs) return {
+			elapsedSeconds: elapsedSeconds(startedAt, now),
+			kind: "timeout",
+			lastFunction: last
+		};
+		await sleep(hasTimeout ? Math.min(pollIntervalMs, Math.max(0, timeoutMs - elapsedMs)) : pollIntervalMs);
+		if (hasTimeout && now() - startedAt >= timeoutMs) return {
+			elapsedSeconds: elapsedSeconds(startedAt, now),
+			kind: "timeout",
+			lastFunction: last
+		};
+		const result = await params.getFunction({ id: params.id });
+		if (result.error) return {
+			kind: "error",
+			payload: extractErrorPayload(result.error)
+		};
+		const fetched = result.data?.data;
+		if (!fetched) return {
+			kind: "error",
+			payload: {
+				code: "client_error",
+				message: "Get function returned no data while waiting for deploy"
+			}
+		};
+		last = toDeployWaitSnapshot(fetched);
+		if (last.deploy_status !== lastStatus) {
+			lastStatus = last.deploy_status;
+			writeStderr(`Function ${params.id} deploy status: ${last.deploy_status}\n`);
+		}
+		if (isTerminal(last.deploy_status)) return resultForTerminal(last);
+	}
+}
+//#endregion
 //#region src/oclif/lint/raw-send-mail-fetch.ts
 const RAW_SEND_MAIL_FETCH_REGEX = /fetch\s*\(\s*[`'"][^`'"]*primitive\.dev[^`'"]*\/send-mail(?![A-Za-z0-9_-])/g;
 const SNIPPET_PADDING = 60;
@@ -12208,8 +12694,8 @@ function resolveSecretFlags(input) {
 	const secrets = [];
 	const seenKeys = /* @__PURE__ */ new Set();
 	const env = input.env ?? process.env;
-	const readFile = input.readFile ?? defaultReadFile;
-	const readStdin = input.readStdin ?? defaultReadStdin;
+	const readFile = input.readFile ?? defaultReadFile$1;
+	const readStdin = input.readStdin ?? defaultReadStdin$1;
 	const envFileCache = /* @__PURE__ */ new Map();
 	const reserveSecretKey = (key, sourceLabel) => {
 		const keyError = validateKey(key, sourceLabel);
@@ -12291,6 +12777,8 @@ function resolveSecretFlags(input) {
 	};
 }
 function resolveSingleSecretValue(input) {
+	const keyError = validateKey(input.key, "--key");
+	if (keyError) return keyError;
 	if ([
 		input.value !== void 0 ? "--value" : null,
 		input.valueFromEnv !== void 0 ? "--value-from-env" : null,
@@ -12302,8 +12790,8 @@ function resolveSingleSecretValue(input) {
 		message: "Pass exactly one of --value, --value-from-env, --value-file, --value-from-env-file, or --stdin."
 	};
 	const env = input.env ?? process.env;
-	const readFile = input.readFile ?? defaultReadFile;
-	const readStdin = input.readStdin ?? defaultReadStdin;
+	const readFile = input.readFile ?? defaultReadFile$1;
+	const readStdin = input.readStdin ?? defaultReadStdin$1;
 	if (input.value !== void 0) return {
 		kind: "ok",
 		value: input.value
@@ -12341,10 +12829,10 @@ function resolveSingleSecretValue(input) {
 		message: "Pass exactly one of --value, --value-from-env, --value-file, --value-from-env-file, or --stdin."
 	};
 }
-function defaultReadFile(path) {
+function defaultReadFile$1(path) {
 	return readFileSync(path, "utf8");
 }
-function defaultReadStdin() {
+function defaultReadStdin$1() {
 	if (process.stdin.isTTY) throw new Error("stdin is a TTY; pipe a value into this command or pass a file/env source instead.");
 	return readFileSync(0, "utf8");
 }
@@ -12631,6 +13119,7 @@ var FunctionsDeployCommand = class FunctionsDeployCommand extends Command {
 	static summary = "Deploy a new function from a bundled handler file";
 	static examples = [
 		"<%= config.bin %> functions deploy --name forwarder --file ./bundle.js",
+		"<%= config.bin %> functions deploy --name forwarder --file ./bundle.js --wait",
 		"<%= config.bin %> functions deploy --name forwarder --file ./bundle.js --source-map-file ./bundle.js.map",
 		"<%= config.bin %> functions deploy --name forwarder --file ./bundle.js --secret OPENAI_KEY=sk-... --secret OWNER_EMAIL=me@example.com",
 		"<%= config.bin %> functions deploy --name forwarder --file ./bundle.js --secret-from-env OPENAI_KEY --secret-from-env-file .env.local:OWNER_EMAIL",
@@ -12677,11 +13166,29 @@ var FunctionsDeployCommand = class FunctionsDeployCommand extends Command {
 			multiple: true
 		}),
 		"secret-from-stdin": Flags.string({ description: "Secret KEY to read from stdin and seed on the deployed function. A single trailing line ending is stripped. Stdin is consumed once, so this flag is not repeatable." }),
+		wait: Flags.boolean({ description: "Wait until the function deploy reaches deployed or failed. Progress is written to stderr; stdout remains the final JSON payload." }),
+		timeout: Flags.integer({
+			default: 120,
+			description: "Seconds to wait when --wait is set before exiting non-zero. Use 0 to wait forever."
+		}),
+		"poll-interval": Flags.integer({
+			default: 2,
+			description: "Seconds between deploy-status polls when --wait is set."
+		}),
 		time: Flags.boolean({ description: TIME_FLAG_DESCRIPTION })
 	};
 	async run() {
 		const { flags } = await this.parse(FunctionsDeployCommand);
 		await runWithTiming(flags.time, async () => {
+			const waitFlagError = validateDeployWaitFlags({
+				pollIntervalSeconds: flags["poll-interval"],
+				timeoutSeconds: flags.timeout
+			});
+			if (waitFlagError) {
+				process.stderr.write(`${waitFlagError}\n`);
+				process.exitCode = 1;
+				return;
+			}
 			const parsedSecrets = resolveSecretFlags({
 				fromEnv: flags["secret-from-env"] ?? [],
 				fromEnvFile: flags["secret-from-env-file"] ?? [],
@@ -12697,18 +13204,12 @@ var FunctionsDeployCommand = class FunctionsDeployCommand extends Command {
 			const code = readTextFileFlag(flags.file, "--file");
 			const sourceMap = flags["source-map-file"] ? readTextFileFlag(flags["source-map-file"], "--source-map-file") : void 0;
 			emitRawSendMailFetchWarning(code, (chunk) => process.stderr.write(chunk));
-			const baseUrlOverridden = flags["api-base-url-1"] !== void 0 || flags["api-base-url-2"] !== void 0;
-			const auth = resolveCliAuth({
+			const { apiClient, auth, baseUrlOverridden } = createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
 				apiBaseUrl1: flags["api-base-url-1"],
 				apiBaseUrl2: flags["api-base-url-2"],
 				configDir: this.config.configDir
 			});
-			const apiClient = new PrimitiveApiClient({
-				apiKey: auth.apiKey,
-				apiBaseUrl1: auth.apiBaseUrl1,
-				apiBaseUrl2: auth.apiBaseUrl2
-			});
 			const authFailureContext = {
 				auth,
 				baseUrlOverridden,
@@ -12767,6 +13268,42 @@ var FunctionsDeployCommand = class FunctionsDeployCommand extends Command {
 				return;
 			}
 			const payload = outcome.result.redeploy ?? outcome.result.created;
+			if (flags.wait) {
+				const waitResult = await waitForFunctionDeploy({
+					getFunction: (p) => getFunction({
+						client: apiClient.client,
+						path: { id: p.id },
+						responseStyle: "fields"
+					}),
+					id: payload.id,
+					initial: payload,
+					pollIntervalSeconds: flags["poll-interval"],
+					timeoutSeconds: flags.timeout,
+					writeStderr: (chunk) => process.stderr.write(chunk)
+				});
+				if (waitResult.kind === "error") {
+					writeErrorWithHints(waitResult.payload);
+					removeStaleSavedCredentialOnUnauthorized({
+						...authFailureContext,
+						payload: waitResult.payload
+					});
+					process.exitCode = 1;
+					return;
+				}
+				if (waitResult.kind === "timeout") {
+					const status = waitResult.lastFunction?.deploy_status ?? "unknown";
+					process.stderr.write(`Timed out after ${flags.timeout}s waiting for function ${payload.id} deploy to finish (last status: ${status}).\n`);
+					process.exitCode = 2;
+					return;
+				}
+				this.log(JSON.stringify(waitResult.function, null, 2));
+				if (waitResult.kind === "failed") {
+					const detail = waitResult.function.deploy_error ? `: ${waitResult.function.deploy_error}` : ".";
+					process.stderr.write(`Function ${payload.id} deploy failed${detail}\n`);
+					process.exitCode = 1;
+				}
+				return;
+			}
 			this.log(JSON.stringify(payload, null, 2));
 		});
 	}
@@ -12779,8 +13316,8 @@ const PRIMITIVE_TEAM_AUTHOR = {
 	name: "Primitive Team",
 	url: "https://primitive.dev"
 };
-const SDK_VERSION_RANGE = "^0.29.0";
-const CLI_VERSION_RANGE = "^0.29.0";
+const SDK_VERSION_RANGE = "^0.30.1";
+const CLI_VERSION_RANGE = "^0.30.1";
 const ESBUILD_VERSION_RANGE = "^0.27.0";
 function renderHandler() {
 	return `// env.PRIMITIVE_API_KEY is auto-injected by the Primitive Functions runtime.
@@ -12802,14 +13339,14 @@ import {
 // the loop guard recognizes mail returning to it as self-traffic.
 const REPLY_FROM = "you@your-domain.primitive.email";
 
-// Loop protection. A deployed Function receives catch-all inbound for
-// the managed *.primitive.email subdomain, which includes bounces and
-// auto-replies generated by its own outbound traffic. Without this
-// guard the handler can respond to its own bounces and create a
-// fan-out loop.
+// Loop protection. A newly deployed Function starts as a fallback
+// endpoint for managed *.primitive.email domains that do not have a
+// domain-scoped endpoint. That can include bounces and auto-replies
+// generated by the handler's own outbound traffic. Without this guard
+// the handler can respond to its own bounces and create a fan-out loop.
 //
 // The default check returns true when From is on any *.primitive.email
-// address (covers the managed subdomain catch-all, the simple
+// address (covers managed-domain fallback mail, the simple
 // self-reply case, and bounces from mailer-daemon@*.primitive.email)
 // or when From contains REPLY_FROM as a case-insensitive substring.
 // Substring matching is deliberate so display-name forms like
@@ -13179,6 +13716,160 @@ var FunctionsInitCommand = class FunctionsInitCommand extends Command {
 	}
 };
 //#endregion
+//#region src/oclif/commands/functions-logs.ts
+const DEFAULT_LOG_LIMIT = 50;
+const DEFAULT_LOG_POLL_INTERVAL_SECONDS = 2;
+function levelLabel(level) {
+	return level.toUpperCase().padEnd(5);
+}
+function orderFunctionLogsForDisplay(rows) {
+	return [...rows].reverse();
+}
+function formatFunctionLogLine(row) {
+	const metadata = row.metadata && Object.keys(row.metadata).length > 0 ? ` ${JSON.stringify(row.metadata)}` : "";
+	return `${row.ts} ${levelLabel(row.level)} ${row.message}${metadata}`;
+}
+function collectFreshFunctionLogsFromPage(rows, seenIds) {
+	const freshNewestFirst = [];
+	let reachedSeen = false;
+	for (const row of rows) {
+		if (seenIds.has(row.id)) {
+			reachedSeen = true;
+			continue;
+		}
+		freshNewestFirst.push(row);
+		seenIds.add(row.id);
+	}
+	return {
+		freshNewestFirst,
+		reachedSeen
+	};
+}
+function emitLogRows(rows, jsonl) {
+	for (const row of rows) {
+		const line = jsonl ? JSON.stringify(row) : formatFunctionLogLine(row);
+		process.stdout.write(`${line}\n`);
+	}
+}
+var FunctionsLogsCommand = class FunctionsLogsCommand extends Command {
+	static description = "List or follow function execution logs. Defaults to compact text output; use --jsonl for one JSON object per log row.";
+	static summary = "List or follow a function's execution logs";
+	static examples = [
+		"<%= config.bin %> functions logs --id <fn-id>",
+		"<%= config.bin %> functions logs --id <fn-id> --jsonl",
+		"<%= config.bin %> functions logs --id <fn-id> --follow"
+	];
+	static flags = {
+		"api-key": Flags.string({
+			description: "Primitive API key (defaults to PRIMITIVE_API_KEY or saved `primitive login` credentials)",
+			env: "PRIMITIVE_API_KEY"
+		}),
+		"api-base-url-1": Flags.string({
+			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
+			env: "PRIMITIVE_API_BASE_URL_1",
+			hidden: true
+		}),
+		"api-base-url-2": Flags.string({
+			description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
+			env: "PRIMITIVE_API_BASE_URL_2",
+			hidden: true
+		}),
+		id: Flags.string({
+			description: "Function id (UUID).",
+			required: true
+		}),
+		limit: Flags.integer({
+			default: DEFAULT_LOG_LIMIT,
+			description: "Maximum rows to fetch per poll. Server clamps to 1..200."
+		}),
+		cursor: Flags.string({ description: "Opaque pagination cursor from a previous logs response. Not supported with --follow." }),
+		follow: Flags.boolean({
+			char: "f",
+			description: "Keep polling the newest logs and print rows not seen yet."
+		}),
+		jsonl: Flags.boolean({ description: "Print one compact JSON object per log row." }),
+		"poll-interval": Flags.integer({
+			default: DEFAULT_LOG_POLL_INTERVAL_SECONDS,
+			description: "Seconds between polls when --follow is set."
+		}),
+		time: Flags.boolean({ description: TIME_FLAG_DESCRIPTION })
+	};
+	async run() {
+		const { flags } = await this.parse(FunctionsLogsCommand);
+		if (flags.limit <= 0) this.error("--limit must be greater than 0.", { exit: 2 });
+		if (flags["poll-interval"] <= 0) this.error("--poll-interval must be greater than 0.", { exit: 2 });
+		if (flags.follow && flags.cursor) this.error("--cursor cannot be combined with --follow.", { exit: 2 });
+		await runWithTiming(flags.time, async () => {
+			const { apiClient, auth, baseUrlOverridden } = createAuthenticatedCliApiClient({
+				apiKey: flags["api-key"],
+				apiBaseUrl1: flags["api-base-url-1"],
+				apiBaseUrl2: flags["api-base-url-2"],
+				configDir: this.config.configDir
+			});
+			const seenIds = /* @__PURE__ */ new Set();
+			let completedInitialFollowPoll = false;
+			let hasObservedLogs = false;
+			let wroteEmptyHint = false;
+			while (true) {
+				let cursor = flags.cursor;
+				let nextCursor = null;
+				let rows = [];
+				while (true) {
+					const result = await listFunctionLogs({
+						client: apiClient.client,
+						path: { id: flags.id },
+						query: {
+							...cursor ? { cursor } : {},
+							limit: flags.limit
+						},
+						responseStyle: "fields"
+					});
+					if (result.error) {
+						const errorPayload = extractErrorPayload(result.error);
+						writeErrorWithHints(errorPayload);
+						removeStaleSavedCredentialOnUnauthorized({
+							auth,
+							baseUrlOverridden,
+							configDir: this.config.configDir,
+							payload: errorPayload
+						});
+						process.exitCode = 1;
+						return;
+					}
+					const page = result.data?.data ?? {
+						items: [],
+						next_cursor: null
+					};
+					nextCursor = page.next_cursor;
+					if (!flags.follow) {
+						rows = orderFunctionLogsForDisplay(page.items);
+						break;
+					}
+					if (page.items.length > 0) hasObservedLogs = true;
+					const collected = collectFreshFunctionLogsFromPage(page.items, seenIds);
+					rows.push(...collected.freshNewestFirst);
+					if (!completedInitialFollowPoll || collected.reachedSeen || !page.next_cursor) {
+						rows = orderFunctionLogsForDisplay(rows);
+						break;
+					}
+					cursor = page.next_cursor;
+				}
+				if (rows.length === 0 && !wroteEmptyHint) {
+					process.stderr.write(flags.follow ? hasObservedLogs ? "Waiting for new function logs...\n" : "No function logs yet. Waiting for new rows...\n" : "No function logs yet. Trigger the function, then run this command again.\n");
+					wroteEmptyHint = true;
+				}
+				emitLogRows(rows, flags.jsonl);
+				if (!flags.follow) {
+					if (nextCursor) process.stderr.write(`next cursor: ${nextCursor}\n`);
+					return;
+				}
+				completedInitialFollowPoll = true;
+				await sleep$1(flags["poll-interval"] * 1e3);
+			}
+		});
+	}
+};
+//#endregion
 //#region src/oclif/commands/functions-redeploy.ts
 async function runRedeployWithSecrets(api, params) {
 	const writtenSecrets = [];
@@ -13260,6 +13951,7 @@ var FunctionsRedeployCommand = class FunctionsRedeployCommand extends Command {
 	static summary = "Redeploy a function from a bundled handler file";
 	static examples = [
 		"<%= config.bin %> functions redeploy --id <fn-id> --file ./bundle.js",
+		"<%= config.bin %> functions redeploy --id <fn-id> --file ./bundle.js --wait",
 		"<%= config.bin %> functions redeploy --id <fn-id> --file ./bundle.js --source-map-file ./bundle.js.map",
 		"<%= config.bin %> functions redeploy --id <fn-id> --file ./bundle.js --secret OPENAI_KEY=sk-... --secret OWNER_EMAIL=me@example.com",
 		"<%= config.bin %> functions redeploy --id <fn-id> --file ./bundle.js --secret-from-env OPENAI_KEY --secret-from-file PRIVATE_KEY=./private-key.pem",
@@ -13306,11 +13998,29 @@ var FunctionsRedeployCommand = class FunctionsRedeployCommand extends Command {
 			multiple: true
 		}),
 		"secret-from-stdin": Flags.string({ description: "Secret KEY to read from stdin and write before the redeploy. A single trailing line ending is stripped. Stdin is consumed once, so this flag is not repeatable." }),
+		wait: Flags.boolean({ description: "Wait until the function deploy reaches deployed or failed. Progress is written to stderr; stdout remains the final JSON payload." }),
+		timeout: Flags.integer({
+			default: 120,
+			description: "Seconds to wait when --wait is set before exiting non-zero. Use 0 to wait forever."
+		}),
+		"poll-interval": Flags.integer({
+			default: 2,
+			description: "Seconds between deploy-status polls when --wait is set."
+		}),
 		time: Flags.boolean({ description: TIME_FLAG_DESCRIPTION })
 	};
 	async run() {
 		const { flags } = await this.parse(FunctionsRedeployCommand);
 		await runWithTiming(flags.time, async () => {
+			const waitFlagError = validateDeployWaitFlags({
+				pollIntervalSeconds: flags["poll-interval"],
+				timeoutSeconds: flags.timeout
+			});
+			if (waitFlagError) {
+				process.stderr.write(`${waitFlagError}\n`);
+				process.exitCode = 1;
+				return;
+			}
 			const parsedSecrets = resolveSecretFlags({
 				fromEnv: flags["secret-from-env"] ?? [],
 				fromEnvFile: flags["secret-from-env-file"] ?? [],
@@ -13326,18 +14036,12 @@ var FunctionsRedeployCommand = class FunctionsRedeployCommand extends Command {
 			const code = readTextFileFlag(flags.file, "--file");
 			const sourceMap = flags["source-map-file"] ? readTextFileFlag(flags["source-map-file"], "--source-map-file") : void 0;
 			emitRawSendMailFetchWarning(code, (chunk) => process.stderr.write(chunk));
-			const baseUrlOverridden = flags["api-base-url-1"] !== void 0 || flags["api-base-url-2"] !== void 0;
-			const auth = resolveCliAuth({
+			const { apiClient, auth, baseUrlOverridden } = createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
 				apiBaseUrl1: flags["api-base-url-1"],
 				apiBaseUrl2: flags["api-base-url-2"],
 				configDir: this.config.configDir
 			});
-			const apiClient = new PrimitiveApiClient({
-				apiKey: auth.apiKey,
-				apiBaseUrl1: auth.apiBaseUrl1,
-				apiBaseUrl2: auth.apiBaseUrl2
-			});
 			const authFailureContext = {
 				auth,
 				baseUrlOverridden,
@@ -13386,6 +14090,42 @@ var FunctionsRedeployCommand = class FunctionsRedeployCommand extends Command {
 				process.exitCode = 1;
 				return;
 			}
+			if (flags.wait) {
+				const waitResult = await waitForFunctionDeploy({
+					getFunction: (p) => getFunction({
+						client: apiClient.client,
+						path: { id: p.id },
+						responseStyle: "fields"
+					}),
+					id: outcome.result.redeploy.id,
+					initial: outcome.result.redeploy,
+					pollIntervalSeconds: flags["poll-interval"],
+					timeoutSeconds: flags.timeout,
+					writeStderr: (chunk) => process.stderr.write(chunk)
+				});
+				if (waitResult.kind === "error") {
+					writeErrorWithHints(waitResult.payload);
+					removeStaleSavedCredentialOnUnauthorized({
+						...authFailureContext,
+						payload: waitResult.payload
+					});
+					process.exitCode = 1;
+					return;
+				}
+				if (waitResult.kind === "timeout") {
+					const status = waitResult.lastFunction?.deploy_status ?? "unknown";
+					process.stderr.write(`Timed out after ${flags.timeout}s waiting for function ${outcome.result.redeploy.id} deploy to finish (last status: ${status}).\n`);
+					process.exitCode = 2;
+					return;
+				}
+				this.log(JSON.stringify(waitResult.function, null, 2));
+				if (waitResult.kind === "failed") {
+					const detail = waitResult.function.deploy_error ? `: ${waitResult.function.deploy_error}` : ".";
+					process.stderr.write(`Function ${outcome.result.redeploy.id} deploy failed${detail}\n`);
+					process.exitCode = 1;
+				}
+				return;
+			}
 			this.log(JSON.stringify(outcome.result.redeploy, null, 2));
 		});
 	}
@@ -13511,18 +14251,12 @@ var FunctionsSetSecretCommand = class FunctionsSetSecretCommand extends Command
 	async run() {
 		const { flags } = await this.parse(FunctionsSetSecretCommand);
 		await runWithTiming(flags.time, async () => {
-			const baseUrlOverridden = flags["api-base-url-1"] !== void 0 || flags["api-base-url-2"] !== void 0;
-			const auth = resolveCliAuth({
+			const { apiClient, auth, baseUrlOverridden } = createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
 				apiBaseUrl1: flags["api-base-url-1"],
 				apiBaseUrl2: flags["api-base-url-2"],
 				configDir: this.config.configDir
 			});
-			const apiClient = new PrimitiveApiClient({
-				apiKey: auth.apiKey,
-				apiBaseUrl1: auth.apiBaseUrl1,
-				apiBaseUrl2: auth.apiBaseUrl2
-			});
 			const authFailureContext = {
 				auth,
 				baseUrlOverridden,
@@ -13630,11 +14364,17 @@ function buildFunctionTestOutcome(params) {
 	if (params.showSends) outcome.sent_emails = params.detail.replies;
 	return outcome;
 }
+function writeFunctionTestProgress(message, writeStderr = (chunk) => {
+	process.stderr.write(chunk);
+}) {
+	writeStderr(`${message}\n`);
+}
 function stringOrNull(value) {
 	return typeof value === "string" && value.length > 0 ? value : null;
 }
 function findMatchingFunctionEndpoints(params) {
-	const matches = [];
+	const domainMatches = [];
+	const fallbackMatches = [];
 	for (const endpoint of params.endpoints) {
 		if (endpoint.kind !== "function") continue;
 		if (endpoint.enabled === false) continue;
@@ -13644,20 +14384,22 @@ function findMatchingFunctionEndpoints(params) {
 		const domainId = stringOrNull(endpoint.domain_id);
 		if (domainId !== null && (params.inboundDomainId === null || domainId !== params.inboundDomainId)) continue;
 		const functionId = stringOrNull(endpoint.function_id);
-		matches.push({
+		const match = {
 			function_id: functionId,
 			id,
 			is_current_function: functionId === params.currentFunctionId,
-			scope: domainId === null ? "catch-all" : "domain"
-		});
+			scope: domainId === null ? "fallback" : "domain"
+		};
+		if (domainId === null) fallbackMatches.push(match);
+		else domainMatches.push(match);
 	}
-	return matches;
+	return domainMatches.length > 0 ? domainMatches : fallbackMatches;
 }
 function formatFunctionEndpointNoiseWarning(params) {
 	if (params.endpoints.filter((endpoint) => !endpoint.is_current_function).length === 0) return null;
 	const lines = [`Warning: ${params.endpoints.length} function endpoints may receive mail for ${params.toAddress}:`];
 	for (const endpoint of params.endpoints) {
-		const scope = endpoint.scope === "catch-all" ? "catch-all" : `scoped to ${params.inboundDomain}`;
+		const scope = endpoint.scope === "fallback" ? "fallback" : `scoped to ${params.inboundDomain}`;
 		const current = endpoint.is_current_function ? " (this function)" : "";
 		const target = endpoint.function_id ? ` -> function ${endpoint.function_id}` : "";
 		lines.push(`- endpoint ${endpoint.id}${target}, ${scope}${current}`);
@@ -13736,18 +14478,12 @@ var FunctionsTestFunctionCommand = class FunctionsTestFunctionCommand extends Co
 		const { flags } = await this.parse(FunctionsTestFunctionCommand);
 		const shouldWait = flags.wait || flags["show-sends"];
 		const shouldShowSends = flags["show-sends"];
-		const baseUrlOverridden = baseUrlOverriddenFromFlags(flags);
-		const auth = resolveCliAuth({
+		const { apiClient, auth, baseUrlOverridden } = createAuthenticatedCliApiClient({
 			apiKey: flags["api-key"],
 			apiBaseUrl1: flags["api-base-url-1"],
 			apiBaseUrl2: flags["api-base-url-2"],
 			configDir: this.config.configDir
 		});
-		const apiClient = new PrimitiveApiClient({
-			apiKey: auth.apiKey,
-			apiBaseUrl1: auth.apiBaseUrl1,
-			apiBaseUrl2: auth.apiBaseUrl2
-		});
 		await runWithTiming(flags.time, async () => {
 			const triggerResult = await testFunction({
 				client: apiClient.client,
@@ -13784,7 +14520,7 @@ var FunctionsTestFunctionCommand = class FunctionsTestFunctionCommand extends Co
 			const timeoutMs = flags.timeout * 1e3;
 			const pollIntervalMs = flags["poll-interval"] * 1e3;
 			const isExpired = () => flags.timeout > 0 && Date.now() - startedAt > timeoutMs;
-			this.log(`Waiting for test inbound to arrive at ${invocation.to}...`);
+			writeFunctionTestProgress(`Waiting for test inbound to arrive at ${invocation.to}...`);
 			let inboundId;
 			while (!isExpired()) {
 				const page = await fetchEmailSearchPage({
@@ -13813,7 +14549,7 @@ var FunctionsTestFunctionCommand = class FunctionsTestFunctionCommand extends Co
 				await sleep$1(pollIntervalMs);
 			}
 			if (!inboundId) this.error(`Timed out after ${flags.timeout}s waiting for test inbound ${invocation.to} to land. Browse ${invocation.watch_url} for the live view.`, { exit: 2 });
-			this.log(`Inbound landed (${inboundId}). Waiting for function to run...`);
+			writeFunctionTestProgress(`Inbound landed (${inboundId}). Waiting for function to run...`);
 			let detail;
 			while (!isExpired()) {
 				const result = await getEmail({
@@ -13887,11 +14623,16 @@ function retryAfterSeconds$1(result) {
 	return Number.isFinite(parsed) && parsed > 0 ? parsed : null;
 }
 async function checkExistingLogin(params) {
-	const baseUrlOverridden = params.apiBaseUrl1 !== void 0;
-	const probeApiBaseUrl1 = baseUrlOverridden ? normalizeApiBaseUrl1(params.apiBaseUrl1) : params.credentials.api_base_url_1;
+	const requestConfig = resolveCliApiRequestConfig({
+		apiBaseUrl1: params.apiBaseUrl1,
+		configDir: params.configDir
+	});
+	const probeApiBaseUrl1 = requestConfig.apiBaseUrl1 ?? params.credentials.api_base_url_1;
 	const apiClient = new PrimitiveApiClient({
 		apiKey: params.credentials.api_key,
-		apiBaseUrl1: probeApiBaseUrl1
+		apiBaseUrl1: probeApiBaseUrl1,
+		apiBaseUrl2: requestConfig.resolvedApiBaseUrl2,
+		headers: requestConfig.headers
 	});
 	const result = await (params.checkAccount ?? ((client) => getAccount({
 		client: client.client,
@@ -13907,7 +14648,7 @@ async function checkExistingLogin(params) {
 			credentials: params.credentials,
 			source: "stored"
 		},
-		baseUrlOverridden,
+		baseUrlOverridden: requestConfig.baseUrlOverridden,
 		configDir: params.configDir,
 		payload
 	})) return { status: "removed_stale" };
@@ -13953,7 +14694,11 @@ var LoginCommand = class LoginCommand extends Command {
 		}
 	}
 	async runWithCredentialLock(flags) {
-		const apiBaseUrl1 = normalizeApiBaseUrl1(flags["api-base-url-1"]);
+		const { apiClient, requestConfig } = createCliApiClient({
+			apiBaseUrl1: flags["api-base-url-1"],
+			configDir: this.config.configDir
+		});
+		const apiBaseUrl1 = requestConfig.resolvedApiBaseUrl1;
 		let existing;
 		try {
 			existing = loadCliCredentials(this.config.configDir);
@@ -13976,7 +14721,6 @@ var LoginCommand = class LoginCommand extends Command {
 				throw cliError$2(existingStatus.message);
 			} else throw cliError$2(`Already logged in${existing.org_name ? ` for ${existing.org_name}` : ""}. Run \`primitive logout\` before logging in again.`);
 		}
-		const apiClient = new PrimitiveApiClient({ apiBaseUrl1 });
 		const started = await startCliLogin({
 			body: { device_name: flags["device-name"] ?? hostname() },
 			client: apiClient.client,
@@ -14086,10 +14830,15 @@ var LogoutCommand = class LogoutCommand extends Command {
 			return;
 		}
 		if (!credentials) throw cliError$1("Not logged in. Run `primitive login` to create saved CLI credentials.");
-		const apiBaseUrl1 = flags["api-base-url-1"] ? normalizeApiBaseUrl1(flags["api-base-url-1"]) : credentials.api_base_url_1;
+		const requestConfig = resolveCliApiRequestConfig({
+			apiBaseUrl1: flags["api-base-url-1"],
+			configDir: this.config.configDir
+		});
+		const apiBaseUrl1 = requestConfig.apiBaseUrl1 ? normalizeApiBaseUrl1(requestConfig.apiBaseUrl1) : credentials.api_base_url_1;
 		const apiClient = new PrimitiveApiClient({
 			apiKey: credentials.api_key,
-			apiBaseUrl1
+			apiBaseUrl1,
+			headers: requestConfig.headers
 		});
 		const result = await cliLogout({
 			body: { key_id: credentials.key_id },
@@ -14116,6 +14865,106 @@ var LogoutCommand = class LogoutCommand extends Command {
 	}
 };
 //#endregion
+//#region src/oclif/message-body-sources.ts
+function defaultReadFile(path) {
+	return readFileSync(path, "utf8");
+}
+function defaultReadStdin() {
+	if (process.stdin.isTTY) throw new Error("stdin is a TTY; pipe a value into this command or pass a file/string source instead.");
+	return readFileSync(0, "utf8");
+}
+function selectedSources(sources) {
+	return sources.filter(([, selected]) => selected).map(([label]) => label);
+}
+function readTextFile(path, label, readFile) {
+	try {
+		return {
+			content: readFile(path),
+			kind: "ok"
+		};
+	} catch (error) {
+		return {
+			kind: "error",
+			message: `Could not read ${label} ${path}: ${error instanceof Error ? error.message : String(error)}`
+		};
+	}
+}
+function readTextStdin(label, readStdin) {
+	try {
+		return {
+			content: readStdin(),
+			kind: "ok"
+		};
+	} catch (error) {
+		return {
+			kind: "error",
+			message: `Could not read ${label}: ${error instanceof Error ? error.message : String(error)}`
+		};
+	}
+}
+function resolveMessageBodies(input) {
+	const bodySources = selectedSources([
+		["--body", input.body !== void 0],
+		["--body-file", input.bodyFile !== void 0],
+		["--body-stdin", input.bodyStdin === true]
+	]);
+	if (bodySources.length > 1) return {
+		kind: "error",
+		message: `Pass only one plain-text body source (got ${bodySources.join(", ")}).`
+	};
+	const htmlSources = selectedSources([
+		["--html", input.html !== void 0],
+		["--html-file", input.htmlFile !== void 0],
+		["--html-stdin", input.htmlStdin === true]
+	]);
+	if (htmlSources.length > 1) return {
+		kind: "error",
+		message: `Pass only one HTML body source (got ${htmlSources.join(", ")}).`
+	};
+	const stdinSources = selectedSources([["--body-stdin", input.bodyStdin === true], ["--html-stdin", input.htmlStdin === true]]);
+	if (stdinSources.length > 1) return {
+		kind: "error",
+		message: `Stdin can only be consumed once (got ${stdinSources.join(", ")}).`
+	};
+	if (bodySources.length === 0 && htmlSources.length === 0) return {
+		kind: "error",
+		message: "Either a plain-text body source or an HTML body source is required."
+	};
+	const readFile = input.readFile ?? defaultReadFile;
+	const readStdin = input.readStdin ?? defaultReadStdin;
+	let body = input.body;
+	let html = input.html;
+	if (input.bodyFile !== void 0) {
+		const result = readTextFile(input.bodyFile, "--body-file", readFile);
+		if (result.kind === "error") return result;
+		body = result.content;
+	}
+	if (input.bodyStdin === true) {
+		const result = readTextStdin("--body-stdin", readStdin);
+		if (result.kind === "error") return result;
+		body = result.content;
+	}
+	if (input.htmlFile !== void 0) {
+		const result = readTextFile(input.htmlFile, "--html-file", readFile);
+		if (result.kind === "error") return result;
+		html = result.content;
+	}
+	if (input.htmlStdin === true) {
+		const result = readTextStdin("--html-stdin", readStdin);
+		if (result.kind === "error") return result;
+		html = result.content;
+	}
+	if (!body && !html) return {
+		kind: "error",
+		message: "Either a non-empty plain-text body or a non-empty HTML body is required."
+	};
+	return {
+		...body !== void 0 ? { body } : {},
+		...html !== void 0 ? { html } : {},
+		kind: "ok"
+	};
+}
+//#endregion
 //#region src/oclif/commands/reply.ts
 var ReplyCommand = class ReplyCommand extends Command {
 	static description = `Reply to an inbound email.
@@ -14124,6 +14973,7 @@ var ReplyCommand = class ReplyCommand extends Command {
 	static summary = "Reply to an inbound email";
 	static examples = [
 		"<%= config.bin %> reply --id <inbound-email-id> --body 'Thanks, got it.'",
+		"<%= config.bin %> reply --id <inbound-email-id> --body-file ./reply.txt",
 		"<%= config.bin %> reply --id <inbound-email-id> --html '<p>Thanks, got it.</p>' --wait",
 		"<%= config.bin %> reply --id <inbound-email-id> --from 'Support <support@example.com>' --body 'Thanks!'"
 	];
@@ -14147,7 +14997,11 @@ var ReplyCommand = class ReplyCommand extends Command {
 			required: true
 		}),
 		body: Flags.string({ description: "Plain-text reply body. Either --body or --html (or both) is required." }),
+		"body-file": Flags.string({ description: "Read the plain-text reply body from a UTF-8 file. Mutually exclusive with --body and --body-stdin." }),
+		"body-stdin": Flags.boolean({ description: "Read the plain-text reply body from stdin. Mutually exclusive with --body and --body-file. Stdin can only be consumed once." }),
 		html: Flags.string({ description: "HTML reply body. Either --body or --html (or both) is required." }),
+		"html-file": Flags.string({ description: "Read the HTML reply body from a UTF-8 file. Mutually exclusive with --html and --html-stdin." }),
+		"html-stdin": Flags.boolean({ description: "Read the HTML reply body from stdin. Mutually exclusive with --html and --html-file. Stdin can only be consumed once." }),
 		from: Flags.string({ description: "Optional From header override. Defaults to the inbound recipient." }),
 		wait: Flags.boolean({ description: "Block until the receiving MTA returns an outcome. Without --wait, the call returns once Primitive has accepted the reply for delivery." }),
 		"wait-timeout-ms": Flags.integer({ description: "Maximum time to wait when --wait is set. Defaults to 30000ms." }),
@@ -14155,24 +15009,26 @@ var ReplyCommand = class ReplyCommand extends Command {
 	};
 	async run() {
 		const { flags } = await this.parse(ReplyCommand);
-		if (!flags.body && !flags.html) throw new Errors.CLIError("Either --body or --html (or both) is required.");
+		const bodies = resolveMessageBodies({
+			body: flags.body,
+			bodyFile: flags["body-file"],
+			bodyStdin: flags["body-stdin"],
+			html: flags.html,
+			htmlFile: flags["html-file"],
+			htmlStdin: flags["html-stdin"]
+		});
+		if (bodies.kind === "error") throw new Errors.CLIError(bodies.message);
 		await runWithTiming(flags.time, async () => {
-			const baseUrlOverridden = flags["api-base-url-1"] !== void 0 || flags["api-base-url-2"] !== void 0;
-			const auth = resolveCliAuth({
+			const { apiClient, auth, baseUrlOverridden } = createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
 				apiBaseUrl1: flags["api-base-url-1"],
 				apiBaseUrl2: flags["api-base-url-2"],
 				configDir: this.config.configDir
 			});
-			const apiClient = new PrimitiveApiClient({
-				apiKey: auth.apiKey,
-				apiBaseUrl1: auth.apiBaseUrl1,
-				apiBaseUrl2: auth.apiBaseUrl2
-			});
 			const result = await replyToEmail({
 				body: {
-					...flags.body !== void 0 ? { body_text: flags.body } : {},
-					...flags.html !== void 0 ? { body_html: flags.html } : {},
+					...bodies.body !== void 0 ? { body_text: bodies.body } : {},
+					...bodies.html !== void 0 ? { body_html: bodies.html } : {},
 					...flags.from !== void 0 ? { from: flags.from } : {},
 					...flags.wait !== void 0 ? { wait: flags.wait } : {},
 					...flags["wait-timeout-ms"] !== void 0 ? { wait_timeout_ms: flags["wait-timeout-ms"] } : {}
@@ -14247,6 +15103,7 @@ var SendCommand = class SendCommand extends Command {
 	static summary = "Send an email (simplified, agent-friendly)";
 	static examples = [
 		"<%= config.bin %> send --to alice@example.com --body 'Hi Alice!'",
+		"<%= config.bin %> send --to alice@example.com --body-file ./message.txt",
 		"<%= config.bin %> send --to alice@example.com --from support@yourcompany.com --subject 'Quick question' --body 'Are you free Thursday?'",
 		"<%= config.bin %> send --to alice@example.com --html '<p>Hello!</p>'",
 		"<%= config.bin %> send --to alice@example.com --body 'Confirmed' --wait",
@@ -14274,7 +15131,11 @@ var SendCommand = class SendCommand extends Command {
 		from: Flags.string({ description: "Sender address. Defaults to agent@<your-first-verified-outbound-domain>." }),
 		subject: Flags.string({ description: "Subject line. Defaults to the first line of --body / --html when omitted." }),
 		body: Flags.string({ description: "Plain-text message body. Either --body or --html (or both) is required." }),
+		"body-file": Flags.string({ description: "Read the plain-text message body from a UTF-8 file. Mutually exclusive with --body and --body-stdin." }),
+		"body-stdin": Flags.boolean({ description: "Read the plain-text message body from stdin. Mutually exclusive with --body and --body-file. Stdin can only be consumed once." }),
 		html: Flags.string({ description: "HTML message body. Either --body or --html (or both) is required." }),
+		"html-file": Flags.string({ description: "Read the HTML message body from a UTF-8 file. Mutually exclusive with --html and --html-stdin." }),
+		"html-stdin": Flags.boolean({ description: "Read the HTML message body from stdin. Mutually exclusive with --html and --html-file. Stdin can only be consumed once." }),
 		"in-reply-to": Flags.string({ description: "Message-Id of the parent email when threading a reply on the wire. For replying to an inbound message you received, prefer `primitive reply --id <inbound-id>`." }),
 		wait: Flags.boolean({ description: "Block until the receiving MTA returns an outcome. Without --wait, the call returns once Primitive has accepted the message for delivery." }),
 		"wait-timeout-ms": Flags.integer({ description: "Maximum time to wait when --wait is set. Defaults to 30000ms." }),
@@ -14282,34 +15143,36 @@ var SendCommand = class SendCommand extends Command {
 	};
 	async run() {
 		const { flags } = await this.parse(SendCommand);
-		if (!flags.body && !flags.html) throw new Errors.CLIError("Either --body or --html (or both) is required.");
+		const bodies = resolveMessageBodies({
+			body: flags.body,
+			bodyFile: flags["body-file"],
+			bodyStdin: flags["body-stdin"],
+			html: flags.html,
+			htmlFile: flags["html-file"],
+			htmlStdin: flags["html-stdin"]
+		});
+		if (bodies.kind === "error") throw new Errors.CLIError(bodies.message);
 		await runWithTiming(flags.time, async () => {
-			const baseUrlOverridden = flags["api-base-url-1"] !== void 0 || flags["api-base-url-2"] !== void 0;
-			const auth = resolveCliAuth({
+			const { apiClient, auth, baseUrlOverridden } = createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
 				apiBaseUrl1: flags["api-base-url-1"],
 				apiBaseUrl2: flags["api-base-url-2"],
 				configDir: this.config.configDir
 			});
-			const apiClient = new PrimitiveApiClient({
-				apiKey: auth.apiKey,
-				apiBaseUrl1: auth.apiBaseUrl1,
-				apiBaseUrl2: auth.apiBaseUrl2
-			});
 			const authFailureContext = {
 				auth,
 				baseUrlOverridden,
 				configDir: this.config.configDir
 			};
 			const from = flags.from ?? await pickDefaultFromAddress(apiClient, authFailureContext);
-			const subject = flags.subject ?? (flags.body ? deriveSubject(flags.body) : "Message");
+			const subject = flags.subject ?? (bodies.body ? deriveSubject(bodies.body) : "Message");
 			const result = await sendEmail({
 				body: {
 					from,
 					to: flags.to,
 					subject,
-					...flags.body !== void 0 ? { body_text: flags.body } : {},
-					...flags.html !== void 0 ? { body_html: flags.html } : {},
+					...bodies.body !== void 0 ? { body_text: bodies.body } : {},
+					...bodies.html !== void 0 ? { body_html: bodies.html } : {},
 					...flags["in-reply-to"] !== void 0 ? { in_reply_to: flags["in-reply-to"] } : {},
 					...flags.wait !== void 0 ? { wait: flags.wait } : {},
 					...flags["wait-timeout-ms"] !== void 0 ? { wait_timeout_ms: flags["wait-timeout-ms"] } : {}
@@ -14568,7 +15431,11 @@ async function runSignupWithCredentialLock(params) {
 	const startFn = deps.startCliSignup ?? startCliSignup;
 	const verifyFn = deps.verifyCliSignup ?? verifyCliSignup;
 	const checkExistingLoginFn = deps.checkExistingLogin ?? checkExistingLogin;
-	const apiBaseUrl1 = normalizeApiBaseUrl1(flags["api-base-url-1"]);
+	const { apiClient, requestConfig } = createCliApiClient({
+		apiBaseUrl1: flags["api-base-url-1"],
+		configDir
+	});
+	const apiBaseUrl1 = requestConfig.resolvedApiBaseUrl1;
 	let existing;
 	try {
 		existing = loadCliCredentials(configDir);
@@ -14592,7 +15459,6 @@ async function runSignupWithCredentialLock(params) {
 		} else throw cliError(`Already logged in${existing.org_name ? ` for ${existing.org_name}` : ""}. Run \`primitive logout\` before creating a new account.`);
 	}
 	if (flags.force) deletePendingCliSignup(configDir);
-	const apiClient = new PrimitiveApiClient({ apiBaseUrl1 });
 	let start = flags.force ? null : loadPendingCliSignup(configDir, apiBaseUrl1);
 	const resumed = Boolean(start);
 	if (start) process$1.stderr.write(`Continuing pending Primitive CLI signup for ${start.email}.\n`);
@@ -14749,19 +15615,14 @@ var WhoamiCommand = class WhoamiCommand extends Command {
 	async run() {
 		const { flags } = await this.parse(WhoamiCommand);
 		await runWithTiming(flags.time, async () => {
-			const baseUrlOverridden = flags["api-base-url-1"] !== void 0 || flags["api-base-url-2"] !== void 0;
-			const auth = resolveCliAuth({
+			const { apiClient, auth, baseUrlOverridden } = createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
 				apiBaseUrl1: flags["api-base-url-1"],
 				apiBaseUrl2: flags["api-base-url-2"],
 				configDir: this.config.configDir
 			});
 			const result = await getAccount({
-				client: new PrimitiveApiClient({
-					apiKey: auth.apiKey,
-					apiBaseUrl1: auth.apiBaseUrl1,
-					apiBaseUrl2: auth.apiBaseUrl2
-				}).client,
+				client: apiClient.client,
 				responseStyle: "fields"
 			});
 			if (result.error) {
@@ -14849,6 +15710,7 @@ function renderFishCompletion(binName) {
 			lines.push(`complete -c ${binName} -f -n '__fish_${binName}_topic_needs_subcommand ${fishEscape(topic)}' -a '${fishEscape(operation.command)}' -d '${fishEscape(operation.summary ?? `${operation.method} ${operation.path}`)}'`);
 			for (const parameter of [...operation.pathParams, ...operation.queryParams]) lines.push(`complete -c ${binName} -n '${operationCondition(operation).replace(BIN_PLACEHOLDER, binName)}' -l '${fishEscape(parameter.name.replace(/_/g, "-"))}' -r -d '${fishEscape(parameter.description ?? parameter.name)}'`);
 			lines.push(`complete -c ${binName} -n '${operationCondition(operation).replace(BIN_PLACEHOLDER, binName)}' -l 'api-key' -r -d 'Primitive API key (defaults to PRIMITIVE_API_KEY or saved primitive login credentials)'`);
+			if (!operation.binaryResponse) lines.push(`complete -c ${binName} -n '${operationCondition(operation).replace(BIN_PLACEHOLDER, binName)}' -l 'envelope' -d 'Print the full response envelope, including pagination metadata'`);
 			if (operation.hasJsonBody) lines.push(`complete -c ${binName} -n '${operationCondition(operation).replace(BIN_PLACEHOLDER, binName)}' -l 'body' -r -d 'JSON request body'`, `complete -c ${binName} -n '${operationCondition(operation).replace(BIN_PLACEHOLDER, binName)}' -l 'body-file' -r -d 'Path to a JSON file used as the request body'`);
 			if (operation.binaryResponse) lines.push(`complete -c ${binName} -n '${operationCondition(operation).replace(BIN_PLACEHOLDER, binName)}' -l 'output' -r -d 'Write binary response bytes to a file'`);
 		}
@@ -14966,7 +15828,6 @@ const CANONICAL_OPERATION_ALIASES = {
 	"functions:get": "functions:get-function",
 	"functions:list": "functions:list-functions",
 	"functions:list-secrets": "functions:list-function-secrets",
-	"functions:logs": "functions:list-function-logs",
 	"sending:get": "sending:get-sent-email",
 	"sending:list": "sending:list-sent-emails",
 	"sending:permissions": "sending:get-send-permissions",
@@ -14979,6 +15840,7 @@ const CANONICAL_OPERATION_ALIASES = {
 };
 const DESCRIBE_OPERATION_ALIASES = {
 	...CANONICAL_OPERATION_ALIASES,
+	"functions:logs": "functions:list-function-logs",
 	reply: "sending:reply-to-email"
 };
 function resolveOperationAlias(id) {
@@ -14989,6 +15851,10 @@ const generatedCommands = Object.fromEntries(operationManifest.filter((operation
 const COMMANDS = {
 	completion: CompletionCommand,
 	"list-operations": ListOperationsCommand,
+	"config:list": ConfigListCommand,
+	"config:reset": ConfigResetCommand,
+	"config:set": ConfigSetCommand,
+	"config:use": ConfigUseCommand,
 	describe: DescribeCommand,
 	send: SendCommand,
 	reply: ReplyCommand,
@@ -15012,7 +15878,8 @@ const COMMANDS = {
 		if (!command) throw new Error(`Missing generated command target for alias ${alias}`);
 		return [alias, command];
 	})),
-	...generatedCommands
+	...generatedCommands,
+	"functions:logs": FunctionsLogsCommand
 };
 //#endregion
 export { CANONICAL_OPERATION_ALIASES, COMMANDS, lookupOperation };