@primitivedotdev/cli 0.30.0 → 0.30.1

package/bin/run.js

@@ -1,11 +1,11 @@
 #!/usr/bin/env node
 
-import { execute } from "@oclif/core";
-import { applyProxyAutoDetect } from "../dist/oclif/proxy-auto-detect.js";
+import { restartWithProxyEnvIfNeeded } from "../dist/oclif/proxy-auto-detect.js";
 
-// Auto-set NODE_USE_ENV_PROXY=1 when HTTP(S)_PROXY is in the env.
-// Must run before any network init (e.g. before oclif loads commands
-// that touch fetch). See proxy-auto-detect.ts for the full rationale.
-applyProxyAutoDetect();
+// Auto-restart with NODE_USE_ENV_PROXY=1 when HTTP(S)_PROXY is in the env.
+// Node reads NODE_USE_ENV_PROXY during process startup, so mutating
+// process.env inside this process is too late for built-in fetch.
+restartWithProxyEnvIfNeeded();
 
+const { execute } = await import("@oclif/core");
 await execute({ dir: import.meta.url });

package/dist/oclif/index.js

@@ -371,7 +371,7 @@ const mergeConfigs = (a, b) => {
 		...b
 	};
 	if (config.baseUrl?.endsWith("/")) config.baseUrl = config.baseUrl.substring(0, config.baseUrl.length - 1);
-	config.headers = mergeHeaders(a.headers, b.headers);
+	config.headers = mergeHeaders$1(a.headers, b.headers);
 	return config;
 };
 const headersEntries = (headers) => {
@@ -381,7 +381,7 @@ const headersEntries = (headers) => {
 	});
 	return entries;
 };
-const mergeHeaders = (...headers) => {
+const mergeHeaders$1 = (...headers) => {
 	const mergedHeaders = new Headers();
 	for (const header of headers) {
 		if (!header) continue;
@@ -461,7 +461,7 @@ const createClient = (config = {}) => {
 			..._config,
 			...options,
 			fetch: options.fetch ?? _config.fetch ?? globalThis.fetch,
-			headers: mergeHeaders(_config.headers, options.headers),
+			headers: mergeHeaders$1(_config.headers, options.headers),
 			serializedBody: void 0
 		};
 		if (opts.security) await setAuthParams({
@@ -1604,17 +1604,18 @@ const updateFunction = (options) => (options.client ?? client).put({
 * Sends a real test email from a Primitive-controlled sender to a
 * local-part on one of the org's verified inbound domains. By
 * default the recipient is a synthetic
-* `__primitive_function_test+<random>@<domain>` address that
-* every handler's catch-all routing receives identically; pass
-* `local_part` to override and exercise routing logic that
-* branches on a specific recipient (the common pattern when one
-* function handles multiple inboxes like `summarize@` and
-* `action@`). The function fires through the normal MX delivery
-* path, so reply / send-mail calls from inside the handler
-* against the inbound's `email.id` work the same as in
-* production. Returns immediately after the send is queued; the
-* invocation appears on the function's invocations list within a
-* few seconds.
+* `__primitive_function_test+<random>@<domain>` address on a
+* domain selected to route to the function. Scoped functions use
+* their scoped domain; fallback functions use a domain that has
+* no enabled domain-scoped endpoint. Pass `local_part` to
+* override and exercise routing logic that branches on a specific
+* recipient (the common pattern when one function handles multiple
+* inboxes like `summarize@` and `action@`). The function fires
+* through the normal MX delivery path, so reply / send-mail calls
+* from inside the handler against the inbound's `email.id` work
+* the same as in production. Returns immediately after the send is
+* queued; the invocation appears on the function's invocations
+* list within a few seconds.
 *
 * Requires that the function is currently `deployed`. Returns 422
 * if the function is in `pending` or `failed` state, or if the
@@ -3274,7 +3275,7 @@ const openapiDocument = {
 			"post": {
 				"operationId": "testFunction",
 				"summary": "Send a test invocation",
-				"description": "Sends a real test email from a Primitive-controlled sender to a\nlocal-part on one of the org's verified inbound domains. By\ndefault the recipient is a synthetic\n`__primitive_function_test+<random>@<domain>` address that\nevery handler's catch-all routing receives identically; pass\n`local_part` to override and exercise routing logic that\nbranches on a specific recipient (the common pattern when one\nfunction handles multiple inboxes like `summarize@` and\n`action@`). The function fires through the normal MX delivery\npath, so reply / send-mail calls from inside the handler\nagainst the inbound's `email.id` work the same as in\nproduction. Returns immediately after the send is queued; the\ninvocation appears on the function's invocations list within a\nfew seconds.\n\nRequires that the function is currently `deployed`. Returns 422\nif the function is in `pending` or `failed` state, or if the\norg has no verified inbound domain to receive the test mail.\nReturns 400 if `local_part` is set to a value that does not\nmatch the local-part character set.\n",
+				"description": "Sends a real test email from a Primitive-controlled sender to a\nlocal-part on one of the org's verified inbound domains. By\ndefault the recipient is a synthetic\n`__primitive_function_test+<random>@<domain>` address on a\ndomain selected to route to the function. Scoped functions use\ntheir scoped domain; fallback functions use a domain that has\nno enabled domain-scoped endpoint. Pass `local_part` to\noverride and exercise routing logic that branches on a specific\nrecipient (the common pattern when one function handles multiple\ninboxes like `summarize@` and `action@`). The function fires\nthrough the normal MX delivery path, so reply / send-mail calls\nfrom inside the handler against the inbound's `email.id` work\nthe same as in production. Returns immediately after the send is\nqueued; the invocation appears on the function's invocations\nlist within a few seconds.\n\nRequires that the function is currently `deployed`. Returns 422\nif the function is in `pending` or `failed` state, or if the\norg has no verified inbound domain to receive the test mail.\nReturns 400 if `local_part` is set to a value that does not\nmatch the local-part character set.\n",
 				"tags": ["Functions"],
 				"requestBody": {
 					"required": false,
@@ -9398,7 +9399,7 @@ const operationManifest = [
 		"binaryResponse": false,
 		"bodyRequired": false,
 		"command": "test-function",
-		"description": "Sends a real test email from a Primitive-controlled sender to a\nlocal-part on one of the org's verified inbound domains. By\ndefault the recipient is a synthetic\n`__primitive_function_test+<random>@<domain>` address that\nevery handler's catch-all routing receives identically; pass\n`local_part` to override and exercise routing logic that\nbranches on a specific recipient (the common pattern when one\nfunction handles multiple inboxes like `summarize@` and\n`action@`). The function fires through the normal MX delivery\npath, so reply / send-mail calls from inside the handler\nagainst the inbound's `email.id` work the same as in\nproduction. Returns immediately after the send is queued; the\ninvocation appears on the function's invocations list within a\nfew seconds.\n\nRequires that the function is currently `deployed`. Returns 422\nif the function is in `pending` or `failed` state, or if the\norg has no verified inbound domain to receive the test mail.\nReturns 400 if `local_part` is set to a value that does not\nmatch the local-part character set.\n",
+		"description": "Sends a real test email from a Primitive-controlled sender to a\nlocal-part on one of the org's verified inbound domains. By\ndefault the recipient is a synthetic\n`__primitive_function_test+<random>@<domain>` address on a\ndomain selected to route to the function. Scoped functions use\ntheir scoped domain; fallback functions use a domain that has\nno enabled domain-scoped endpoint. Pass `local_part` to\noverride and exercise routing logic that branches on a specific\nrecipient (the common pattern when one function handles multiple\ninboxes like `summarize@` and `action@`). The function fires\nthrough the normal MX delivery path, so reply / send-mail calls\nfrom inside the handler against the inbound's `email.id` work\nthe same as in production. Returns immediately after the send is\nqueued; the invocation appears on the function's invocations\nlist within a few seconds.\n\nRequires that the function is currently `deployed`. Returns 422\nif the function is in `pending` or `failed` state, or if the\norg has no verified inbound domain to receive the test mail.\nReturns 400 if `local_part` is set to a value that does not\nmatch the local-part character set.\n",
 		"hasJsonBody": true,
 		"method": "POST",
 		"operationId": "testFunction",
@@ -10752,7 +10753,7 @@ const CREDENTIALS_FILE = "credentials.json";
 const CREDENTIALS_LOCK_DIR = "credentials.lock";
 const CREDENTIALS_LOCK_STALE_MS = 1800 * 1e3;
 const MALFORMED_CREDENTIALS_HINT = "Run `primitive logout` and then `primitive login`.";
-function isRecord$1(value) {
+function isRecord$2(value) {
 	return value !== null && typeof value === "object" && !Array.isArray(value);
 }
 function requireString(value, key) {
@@ -10775,7 +10776,7 @@ var StaleCredentialFormatError = class extends Error {
 	}
 };
 function parseCredentials(raw) {
-	if (!isRecord$1(raw)) throw new Error(`Stored Primitive CLI credentials are malformed: expected a JSON object. ${MALFORMED_CREDENTIALS_HINT}`);
+	if (!isRecord$2(raw)) throw new Error(`Stored Primitive CLI credentials are malformed: expected a JSON object. ${MALFORMED_CREDENTIALS_HINT}`);
 	if (typeof raw.api_base_url_1 !== "string" && typeof raw.base_url === "string") throw new StaleCredentialFormatError();
 	const orgName = raw.org_name;
 	if (orgName !== null && typeof orgName !== "string") throw new Error(`Stored Primitive CLI credentials are malformed: org_name must be a string or null. ${MALFORMED_CREDENTIALS_HINT}`);
@@ -10920,6 +10921,269 @@ function resolveCliAuth(params) {
 	};
 }
 //#endregion
+//#region src/oclif/cli-config.ts
+const CONFIG_FILE = "config.json";
+const CONFIG_VERSION = 1;
+const DEFAULT_ENVIRONMENT = "default";
+function cliConfigPath(configDir) {
+	return join(configDir, CONFIG_FILE);
+}
+function cliConfigError(message) {
+	return new Errors.CLIError(`${message} Run \`primitive config reset\` to clear the local CLI config.`, { exit: 1 });
+}
+function isRecord$1(value) {
+	return value !== null && typeof value === "object" && !Array.isArray(value);
+}
+function normalizeCliEnvironmentName(name) {
+	const trimmed = name?.trim();
+	if (!trimmed) throw new Errors.CLIError("Environment name must be a non-empty string.", { exit: 1 });
+	if (!/^[A-Za-z0-9][A-Za-z0-9._-]{0,62}$/.test(trimmed)) throw new Errors.CLIError("Environment name must start with a letter or number and may only contain letters, numbers, '.', '_', or '-'.", { exit: 1 });
+	return trimmed;
+}
+function validateCliHeaderName(name) {
+	const trimmed = name.trim();
+	if (!trimmed) throw new Errors.CLIError("Header name must be a non-empty string.", { exit: 1 });
+	if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(trimmed)) throw new Errors.CLIError(`Invalid header name: ${name}`, { exit: 1 });
+	if (trimmed.toLowerCase() === "authorization") throw new Errors.CLIError("The Authorization header is managed by PRIMITIVE_API_KEY or saved CLI credentials.", { exit: 1 });
+	return trimmed;
+}
+function validateCliHeaderValue(value, name) {
+	if (value.length === 0) throw new Errors.CLIError(`Header ${name} value must not be empty.`, { exit: 1 });
+	if (/[\r\n\0]/.test(value)) throw new Errors.CLIError(`Header ${name} value must not contain CR, LF, or NUL characters.`, { exit: 1 });
+	return value;
+}
+function parseHeaderAssignment(assignment) {
+	const separator = assignment.indexOf("=");
+	if (separator <= 0) throw new Errors.CLIError("Header values must use name=value syntax, for example `x-custom=secret`.", { exit: 1 });
+	const name = validateCliHeaderName(assignment.slice(0, separator));
+	return [name, validateCliHeaderValue(assignment.slice(separator + 1), name)];
+}
+function parseHeaders(raw, context) {
+	if (raw === void 0) return {};
+	if (!isRecord$1(raw)) throw cliConfigError(`${context} headers must be a JSON object.`);
+	const headers = {};
+	for (const [rawName, rawValue] of Object.entries(raw)) {
+		const name = validateCliHeaderName(rawName);
+		if (typeof rawValue !== "string") throw cliConfigError(`${context} header ${name} must be a string.`);
+		headers[name] = validateCliHeaderValue(rawValue, name);
+	}
+	return headers;
+}
+function parseEnvironmentConfig(raw, context) {
+	if (!isRecord$1(raw)) throw cliConfigError(`${context} must be a JSON object.`);
+	const env = {};
+	if (raw.api_base_url_1 !== void 0) {
+		if (typeof raw.api_base_url_1 !== "string") throw cliConfigError(`${context}.api_base_url_1 must be a string.`);
+		env.api_base_url_1 = normalizeApiBaseUrl1(raw.api_base_url_1);
+	}
+	if (raw.api_base_url_2 !== void 0) {
+		if (typeof raw.api_base_url_2 !== "string") throw cliConfigError(`${context}.api_base_url_2 must be a string.`);
+		env.api_base_url_2 = normalizeApiBaseUrl2(raw.api_base_url_2);
+	}
+	const headers = parseHeaders(raw.headers, context);
+	if (Object.keys(headers).length > 0) env.headers = headers;
+	return env;
+}
+function parseStoredCliConfig(raw) {
+	if (!isRecord$1(raw)) throw cliConfigError("Primitive CLI config must be a JSON object.");
+	if (raw.version !== CONFIG_VERSION) throw cliConfigError(`Primitive CLI config version must be ${CONFIG_VERSION}.`);
+	const currentRaw = raw.current_environment;
+	const current_environment = currentRaw === null || currentRaw === void 0 ? null : typeof currentRaw === "string" ? normalizeCliEnvironmentName(currentRaw) : (() => {
+		throw cliConfigError("Primitive CLI config current_environment must be a string or null.");
+	})();
+	if (!isRecord$1(raw.environments)) throw cliConfigError("Primitive CLI config environments must be an object.");
+	const environments = {};
+	for (const [rawName, rawEnv] of Object.entries(raw.environments)) {
+		const name = normalizeCliEnvironmentName(rawName);
+		environments[name] = parseEnvironmentConfig(rawEnv, `Primitive CLI config environment ${name}`);
+	}
+	if (current_environment && !environments[current_environment]) throw cliConfigError(`Primitive CLI config current environment ${current_environment} does not exist.`);
+	return {
+		version: CONFIG_VERSION,
+		current_environment,
+		environments
+	};
+}
+function emptyCliConfig() {
+	return {
+		version: CONFIG_VERSION,
+		current_environment: null,
+		environments: {}
+	};
+}
+function loadCliConfig(configDir) {
+	const path = cliConfigPath(configDir);
+	let contents;
+	try {
+		contents = readFileSync(path, "utf8");
+	} catch (error) {
+		if (error && typeof error === "object" && error.code === "ENOENT") return null;
+		throw cliConfigError(`Could not read Primitive CLI config: ${error instanceof Error ? error.message : String(error)}.`);
+	}
+	try {
+		return parseStoredCliConfig(JSON.parse(contents));
+	} catch (error) {
+		if (error instanceof SyntaxError) throw cliConfigError("Primitive CLI config is not valid JSON.");
+		throw error;
+	}
+}
+function saveCliConfig(configDir, config) {
+	mkdirSync(configDir, {
+		mode: 448,
+		recursive: true
+	});
+	const path = cliConfigPath(configDir);
+	const tempPath = join(configDir, `${CONFIG_FILE}.${process.pid}.${randomUUID()}.tmp`);
+	try {
+		writeFileSync(tempPath, `${JSON.stringify(config, null, 2)}\n`, { mode: 384 });
+		renameSync(tempPath, path);
+	} catch (error) {
+		rmSync(tempPath, { force: true });
+		throw error;
+	}
+}
+function deleteCliConfig(configDir) {
+	rmSync(cliConfigPath(configDir), { force: true });
+}
+function resolveConfigEnvironment(config) {
+	if (!config) return null;
+	const current = config.current_environment;
+	if (current) {
+		const environment = config.environments[current];
+		return environment ? {
+			name: current,
+			config: environment
+		} : null;
+	}
+	const defaultEnvironment = config.environments[DEFAULT_ENVIRONMENT];
+	return defaultEnvironment ? {
+		name: DEFAULT_ENVIRONMENT,
+		config: defaultEnvironment
+	} : null;
+}
+function upsertCliEnvironment(params) {
+	const name = normalizeCliEnvironmentName(params.environmentName ?? DEFAULT_ENVIRONMENT);
+	const existing = params.config.environments[name] ?? {};
+	const nextHeaders = { ...existing.headers ?? {} };
+	for (const assignment of params.headers ?? []) {
+		const [headerName, value] = parseHeaderAssignment(assignment);
+		nextHeaders[headerName] = value;
+	}
+	for (const rawName of params.unsetHeaders ?? []) delete nextHeaders[validateCliHeaderName(rawName)];
+	const nextEnvironment = {
+		...existing,
+		...params.apiBaseUrl1 !== void 0 ? { api_base_url_1: normalizeApiBaseUrl1(params.apiBaseUrl1) } : {},
+		...params.apiBaseUrl2 !== void 0 ? { api_base_url_2: normalizeApiBaseUrl2(params.apiBaseUrl2) } : {},
+		...Object.keys(nextHeaders).length > 0 ? { headers: nextHeaders } : {}
+	};
+	if (Object.keys(nextHeaders).length === 0) delete nextEnvironment.headers;
+	return {
+		...params.config,
+		current_environment: params.use === false ? params.config.current_environment : name,
+		environments: {
+			...params.config.environments,
+			[name]: nextEnvironment
+		}
+	};
+}
+function removeCliEnvironment(config, environmentName) {
+	const name = normalizeCliEnvironmentName(environmentName);
+	const environments = { ...config.environments };
+	delete environments[name];
+	return {
+		...config,
+		current_environment: config.current_environment === name ? null : config.current_environment,
+		environments
+	};
+}
+function redactCliEnvironment(environment) {
+	const headers = environment.headers && Object.keys(environment.headers).length > 0 ? Object.fromEntries(Object.keys(environment.headers).map((name) => [name, "***"])) : void 0;
+	return {
+		...environment,
+		...headers ? { headers } : {}
+	};
+}
+//#endregion
+//#region src/oclif/api-client.ts
+const API_HEADERS_ENV = "PRIMITIVE_API_HEADERS";
+function mergeHeaders(...headers) {
+	const merged = {};
+	for (const headerSet of headers) {
+		if (!headerSet) continue;
+		for (const [name, value] of Object.entries(headerSet)) merged[name] = value;
+	}
+	return Object.keys(merged).length > 0 ? merged : void 0;
+}
+function parseHeadersJson(raw) {
+	let parsed;
+	try {
+		parsed = JSON.parse(raw);
+	} catch (error) {
+		const detail = error instanceof Error ? error.message : String(error);
+		throw new Errors.CLIError(`${API_HEADERS_ENV} must be valid JSON object syntax: ${detail}`, { exit: 1 });
+	}
+	if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) throw new Errors.CLIError(`${API_HEADERS_ENV} must be a JSON object.`, { exit: 1 });
+	const headers = {};
+	for (const [rawName, rawValue] of Object.entries(parsed)) {
+		const name = validateCliHeaderName(rawName);
+		if (typeof rawValue !== "string") throw new Errors.CLIError(`${API_HEADERS_ENV}.${name} must be a string.`, { exit: 1 });
+		headers[name] = validateCliHeaderValue(rawValue, name);
+	}
+	return headers;
+}
+function cliApiHeadersFromEnv(env = process.env) {
+	const rawGenericHeaders = env[API_HEADERS_ENV]?.trim();
+	return rawGenericHeaders ? parseHeadersJson(rawGenericHeaders) : void 0;
+}
+function resolveCliApiRequestConfig(params) {
+	const currentEnvironment = resolveConfigEnvironment(loadCliConfig(params.configDir));
+	const configuredApiBaseUrl1 = currentEnvironment?.config.api_base_url_1;
+	const configuredApiBaseUrl2 = currentEnvironment?.config.api_base_url_2;
+	const apiBaseUrl1 = params.apiBaseUrl1 !== void 0 ? normalizeApiBaseUrl1(params.apiBaseUrl1) : configuredApiBaseUrl1;
+	const apiBaseUrl2 = params.apiBaseUrl2 !== void 0 ? normalizeApiBaseUrl2(params.apiBaseUrl2) : configuredApiBaseUrl2;
+	return {
+		apiBaseUrl1,
+		apiBaseUrl2,
+		baseUrlOverridden: apiBaseUrl1 !== void 0 || apiBaseUrl2 !== void 0,
+		environmentName: currentEnvironment?.name ?? null,
+		headers: mergeHeaders(currentEnvironment?.config.headers, cliApiHeadersFromEnv(params.env)),
+		resolvedApiBaseUrl1: normalizeApiBaseUrl1(apiBaseUrl1),
+		resolvedApiBaseUrl2: normalizeApiBaseUrl2(apiBaseUrl2)
+	};
+}
+function createCliApiClient(params) {
+	const requestConfig = resolveCliApiRequestConfig(params);
+	return {
+		apiClient: new PrimitiveApiClient({
+			apiKey: params.apiKey,
+			apiBaseUrl1: requestConfig.resolvedApiBaseUrl1,
+			apiBaseUrl2: requestConfig.resolvedApiBaseUrl2,
+			headers: requestConfig.headers
+		}),
+		requestConfig
+	};
+}
+function createAuthenticatedCliApiClient(params) {
+	const requestConfig = resolveCliApiRequestConfig(params);
+	const auth = resolveCliAuth({
+		apiKey: params.apiKey,
+		apiBaseUrl1: requestConfig.apiBaseUrl1,
+		apiBaseUrl2: requestConfig.apiBaseUrl2,
+		configDir: params.configDir
+	});
+	return {
+		apiClient: new PrimitiveApiClient({
+			apiKey: auth.apiKey,
+			apiBaseUrl1: auth.apiBaseUrl1,
+			apiBaseUrl2: auth.apiBaseUrl2,
+			headers: requestConfig.headers
+		}),
+		auth,
+		baseUrlOverridden: requestConfig.baseUrlOverridden,
+		requestConfig
+	};
+}
+//#endregion
 //#region src/oclif/endpoints-test-redirect.ts
 async function detectFunctionEndpoint(endpointId, listEndpoints) {
 	let response;
@@ -11243,7 +11507,7 @@ function writeErrorWithHints(payload) {
 function removeStaleSavedCredentialOnUnauthorized(params) {
 	if (extractErrorCode(params.payload) !== API_ERROR_CODES.unauthorized || params.auth.source !== "stored") return false;
 	if (params.baseUrlOverridden && params.auth.credentials !== null && params.auth.apiBaseUrl1 !== params.auth.credentials.api_base_url_1) {
-		process.stderr.write("Saved Primitive CLI credentials were rejected by the overridden API base URL. The local credential was not removed; unset PRIMITIVE_API_BASE_URL_1, or run `primitive logout` to remove the stored credential.\n");
+		process.stderr.write("Saved Primitive CLI credentials were rejected by the overridden API base URL. The local credential was not removed; unset PRIMITIVE_API_BASE_URL_1, run `primitive config reset` to clear configured URL overrides, or run `primitive logout` to remove the stored credential.\n");
 		return false;
 	}
 	deleteCliCredentials(params.configDir);
@@ -11268,9 +11532,6 @@ async function runWithTiming(enabled, fn) {
 const TIME_FLAG_DESCRIPTION = "Print the wall-clock duration of this command to stderr after it completes (e.g. `[time: 1.34s]`). Useful for measuring `--wait` send latency, comparing CLI overhead, or capturing timing in scripts.";
 const API_BASE_URL_1_FLAG_DESCRIPTION = "Override the primary API base URL. Internal testing only; not documented to customers.";
 const API_BASE_URL_2_FLAG_DESCRIPTION = "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.";
-function baseUrlOverriddenFromFlags(flags) {
-	return typeof flags["api-base-url-1"] === "string" || typeof flags["api-base-url-2"] === "string";
-}
 const HOST_2_OPERATIONS = new Set(["sendEmail"]);
 const RESERVED_FLAG_NAMES = new Set([
 	"api-key",
@@ -11379,18 +11640,12 @@ function createOperationCommand(operation) {
 			const { flags } = await this.parse(OperationCommand);
 			const parsedFlags = flags;
 			await runWithTiming(parsedFlags.time === true, async () => {
-				const baseUrlOverridden = typeof parsedFlags["api-base-url-1"] === "string" || typeof parsedFlags["api-base-url-2"] === "string";
-				const auth = resolveCliAuth({
+				const { apiClient, auth, baseUrlOverridden } = createAuthenticatedCliApiClient({
 					apiKey: typeof parsedFlags["api-key"] === "string" ? parsedFlags["api-key"] : void 0,
 					apiBaseUrl1: typeof parsedFlags["api-base-url-1"] === "string" ? parsedFlags["api-base-url-1"] : void 0,
 					apiBaseUrl2: typeof parsedFlags["api-base-url-2"] === "string" ? parsedFlags["api-base-url-2"] : void 0,
 					configDir: this.config.configDir
 				});
-				const apiClient = new PrimitiveApiClient({
-					apiKey: auth.apiKey,
-					apiBaseUrl1: auth.apiBaseUrl1,
-					apiBaseUrl2: auth.apiBaseUrl2
-				});
 				let body;
 				if (operation.hasJsonBody) {
 					const explicit = readJsonBody(parsedFlags);
@@ -11482,6 +11737,128 @@ function canonicalizeCliReferences(description) {
 	return description.replaceAll("`primitive emails:latest`", "`primitive emails latest`").replaceAll("`primitive describe emails:get-email | jq '.responseSchema.properties'`", "`primitive describe emails:get | jq '.responseSchema.properties'`");
 }
 //#endregion
+//#region src/oclif/commands/config.ts
+function loadOrCreateConfig(configDir) {
+	return loadCliConfig(configDir) ?? emptyCliConfig();
+}
+function redactConfig(config) {
+	return {
+		...config,
+		environments: Object.fromEntries(Object.entries(config.environments).map(([name, environment]) => [name, redactCliEnvironment(environment)]))
+	};
+}
+var ConfigSetCommand = class ConfigSetCommand extends Command {
+	static hidden = true;
+	static summary = "Set hidden Primitive CLI request config";
+	static flags = {
+		environment: Flags.string({
+			char: "e",
+			description: "Environment name to create or update"
+		}),
+		"api-base-url-1": Flags.string({ description: "Primary API base URL" }),
+		"api-base-url-2": Flags.string({ description: "Attachments-supporting API base URL" }),
+		header: Flags.string({
+			description: "Request header in name=value form. Repeatable.",
+			multiple: true
+		}),
+		"unset-header": Flags.string({
+			description: "Request header name to remove. Repeatable.",
+			multiple: true
+		})
+	};
+	async run() {
+		const { flags } = await this.parse(ConfigSetCommand);
+		const headers = flags.header ?? [];
+		if (flags["api-base-url-1"] === void 0 && flags["api-base-url-2"] === void 0 && headers.length === 0 && (flags["unset-header"] ?? []).length === 0) throw new Errors.CLIError("Nothing to set. Pass an API base URL, --header, or --unset-header.", { exit: 1 });
+		const config = upsertCliEnvironment({
+			apiBaseUrl1: flags["api-base-url-1"],
+			apiBaseUrl2: flags["api-base-url-2"],
+			config: loadOrCreateConfig(this.config.configDir),
+			environmentName: flags.environment,
+			headers,
+			unsetHeaders: flags["unset-header"]
+		});
+		saveCliConfig(this.config.configDir, config);
+		process.stderr.write(`Primitive CLI environment ${config.current_environment} is active.\n`);
+	}
+};
+var ConfigUseCommand = class ConfigUseCommand extends Command {
+	static hidden = true;
+	static summary = "Switch active Primitive CLI request config";
+	static args = { environment: Args.string({
+		description: "Environment name to use",
+		required: true
+	}) };
+	async run() {
+		const { args } = await this.parse(ConfigUseCommand);
+		const environment = normalizeCliEnvironmentName(args.environment);
+		const config = loadOrCreateConfig(this.config.configDir);
+		if (!config.environments[environment]) throw new Errors.CLIError(`Primitive CLI environment ${environment} is not configured.`, { exit: 1 });
+		saveCliConfig(this.config.configDir, {
+			...config,
+			current_environment: environment
+		});
+		process.stderr.write(`Primitive CLI environment ${environment} is active.\n`);
+	}
+};
+var ConfigListCommand = class ConfigListCommand extends Command {
+	static hidden = true;
+	static summary = "List hidden Primitive CLI request configs";
+	static flags = {
+		json: Flags.boolean({ description: "Print JSON" }),
+		"show-secrets": Flags.boolean({ description: "Show header values instead of redacting them" })
+	};
+	async run() {
+		const { flags } = await this.parse(ConfigListCommand);
+		const config = loadOrCreateConfig(this.config.configDir);
+		const output = flags["show-secrets"] ? config : redactConfig(config);
+		if (flags.json) {
+			this.log(JSON.stringify(output, null, 2));
+			return;
+		}
+		const entries = Object.entries(config.environments);
+		if (entries.length === 0) {
+			this.log("No Primitive CLI environments configured.");
+			return;
+		}
+		const activeEnvironment = resolveConfigEnvironment(config)?.name ?? null;
+		for (const [name, environment] of entries) {
+			const active = activeEnvironment === name ? "*" : " ";
+			const headerNames = Object.keys(environment.headers ?? {});
+			this.log(`${active} ${name}`);
+			if (environment.api_base_url_1) this.log(`    api_base_url_1: ${environment.api_base_url_1}`);
+			if (environment.api_base_url_2) this.log(`    api_base_url_2: ${environment.api_base_url_2}`);
+			this.log(`    headers: ${headerNames.length > 0 ? headerNames.join(", ") : "(none)"}`);
+		}
+	}
+};
+var ConfigResetCommand = class ConfigResetCommand extends Command {
+	static hidden = true;
+	static summary = "Reset hidden Primitive CLI request config";
+	static flags = { environment: Flags.string({
+		char: "e",
+		description: "Only remove one environment"
+	}) };
+	async run() {
+		const { flags } = await this.parse(ConfigResetCommand);
+		if (flags.environment === void 0) {
+			deleteCliConfig(this.config.configDir);
+			process.stderr.write("Primitive CLI request config reset.\n");
+			return;
+		}
+		const environment = normalizeCliEnvironmentName(flags.environment);
+		const config = loadCliConfig(this.config.configDir);
+		if (!config?.environments[environment]) {
+			process.stderr.write(`Primitive CLI environment ${environment} was not configured.\n`);
+			return;
+		}
+		const nextConfig = removeCliEnvironment(config, environment);
+		if (Object.keys(nextConfig.environments).length === 0) deleteCliConfig(this.config.configDir);
+		else saveCliConfig(this.config.configDir, nextConfig);
+		process.stderr.write(`Primitive CLI environment ${environment} removed.\n`);
+	}
+};
+//#endregion
 //#region src/oclif/commands/doctor.ts
 const MIN_NODE_MAJOR = 22;
 function renderRow({ label, outcome }) {
@@ -11580,14 +11957,10 @@ function checkApiKey(opts) {
 		hint: "Run `primitive login`, pass --api-key explicitly, or export PRIMITIVE_API_KEY=prim_..."
 	};
 }
-async function checkAccount(opts) {
+async function checkAccount(client) {
 	try {
 		const result = await getAccount({
-			client: new PrimitiveApiClient({
-				apiKey: opts.apiKey,
-				apiBaseUrl1: opts.apiBaseUrl1,
-				apiBaseUrl2: opts.apiBaseUrl2
-			}).client,
+			client: client.client,
 			responseStyle: "fields"
 		});
 		const apiError = result.error;
@@ -11628,14 +12001,10 @@ async function checkAccount(opts) {
 		};
 	}
 }
-async function checkDomains(opts) {
+async function checkDomains(client) {
 	try {
 		const result = await listDomains({
-			client: new PrimitiveApiClient({
-				apiKey: opts.apiKey,
-				apiBaseUrl1: opts.apiBaseUrl1,
-				apiBaseUrl2: opts.apiBaseUrl2
-			}).client,
+			client: client.client,
 			responseStyle: "fields"
 		});
 		if (result.error) return {
@@ -11706,28 +12075,20 @@ var DoctorCommand = class DoctorCommand extends Command {
 			outcome: apiKeyCheck
 		});
 		if (apiKeyCheck.status !== "fail") {
-			const auth = resolveCliAuth({
+			const { apiClient, auth } = createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
 				apiBaseUrl1: flags["api-base-url-1"],
 				apiBaseUrl2: flags["api-base-url-2"],
 				configDir: this.config.configDir
 			});
 			if (auth.apiKey !== void 0) {
-				const accountCheck = await checkAccount({
-					apiKey: auth.apiKey,
-					apiBaseUrl1: auth.apiBaseUrl1,
-					apiBaseUrl2: auth.apiBaseUrl2
-				});
+				const accountCheck = await checkAccount(apiClient);
 				rows.push({
 					label: "API auth",
 					outcome: accountCheck.outcome
 				});
 				if (accountCheck.outcome.status === "ok") {
-					const domainsOutcome = await checkDomains({
-						apiKey: auth.apiKey,
-						apiBaseUrl1: auth.apiBaseUrl1,
-						apiBaseUrl2: auth.apiBaseUrl2
-					});
+					const domainsOutcome = await checkDomains(apiClient);
 					rows.push({
 						label: "Domains",
 						outcome: domainsOutcome
@@ -11821,19 +12182,14 @@ var EmailsLatestCommand = class EmailsLatestCommand extends Command {
 	async run() {
 		const { flags } = await this.parse(EmailsLatestCommand);
 		await runWithTiming(flags.time, async () => {
-			const baseUrlOverridden = flags["api-base-url-1"] !== void 0 || flags["api-base-url-2"] !== void 0;
-			const auth = resolveCliAuth({
+			const { apiClient, auth, baseUrlOverridden } = createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
 				apiBaseUrl1: flags["api-base-url-1"],
 				apiBaseUrl2: flags["api-base-url-2"],
 				configDir: this.config.configDir
 			});
 			const result = await listEmails({
-				client: new PrimitiveApiClient({
-					apiKey: auth.apiKey,
-					apiBaseUrl1: auth.apiBaseUrl1,
-					apiBaseUrl2: auth.apiBaseUrl2
-				}).client,
+				client: apiClient.client,
 				query: { limit: flags.limit },
 				responseStyle: "fields"
 			});
@@ -12030,18 +12386,12 @@ var EmailsWaitCommand = class EmailsWaitCommand extends Command {
 	};
 	async run() {
 		const { flags } = await this.parse(EmailsWaitCommand);
-		const baseUrlOverridden = flags["api-base-url-1"] !== void 0 || flags["api-base-url-2"] !== void 0;
-		const auth = resolveCliAuth({
+		const { apiClient, auth, baseUrlOverridden } = createAuthenticatedCliApiClient({
 			apiKey: flags["api-key"],
 			apiBaseUrl1: flags["api-base-url-1"],
 			apiBaseUrl2: flags["api-base-url-2"],
 			configDir: this.config.configDir
 		});
-		const apiClient = new PrimitiveApiClient({
-			apiKey: auth.apiKey,
-			apiBaseUrl1: auth.apiBaseUrl1,
-			apiBaseUrl2: auth.apiBaseUrl2
-		});
 		let since;
 		try {
 			since = sinceFromFlags(flags);
@@ -12158,18 +12508,12 @@ var EmailsWatchCommand = class EmailsWatchCommand extends Command {
 	};
 	async run() {
 		const { flags } = await this.parse(EmailsWatchCommand);
-		const baseUrlOverridden = flags["api-base-url-1"] !== void 0 || flags["api-base-url-2"] !== void 0;
-		const auth = resolveCliAuth({
+		const { apiClient, auth, baseUrlOverridden } = createAuthenticatedCliApiClient({
 			apiKey: flags["api-key"],
 			apiBaseUrl1: flags["api-base-url-1"],
 			apiBaseUrl2: flags["api-base-url-2"],
 			configDir: this.config.configDir
 		});
-		const apiClient = new PrimitiveApiClient({
-			apiKey: auth.apiKey,
-			apiBaseUrl1: auth.apiBaseUrl1,
-			apiBaseUrl2: auth.apiBaseUrl2
-		});
 		let since;
 		try {
 			since = sinceFromFlags(flags);
@@ -12860,18 +13204,12 @@ var FunctionsDeployCommand = class FunctionsDeployCommand extends Command {
 			const code = readTextFileFlag(flags.file, "--file");
 			const sourceMap = flags["source-map-file"] ? readTextFileFlag(flags["source-map-file"], "--source-map-file") : void 0;
 			emitRawSendMailFetchWarning(code, (chunk) => process.stderr.write(chunk));
-			const baseUrlOverridden = flags["api-base-url-1"] !== void 0 || flags["api-base-url-2"] !== void 0;
-			const auth = resolveCliAuth({
+			const { apiClient, auth, baseUrlOverridden } = createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
 				apiBaseUrl1: flags["api-base-url-1"],
 				apiBaseUrl2: flags["api-base-url-2"],
 				configDir: this.config.configDir
 			});
-			const apiClient = new PrimitiveApiClient({
-				apiKey: auth.apiKey,
-				apiBaseUrl1: auth.apiBaseUrl1,
-				apiBaseUrl2: auth.apiBaseUrl2
-			});
 			const authFailureContext = {
 				auth,
 				baseUrlOverridden,
@@ -12978,8 +13316,8 @@ const PRIMITIVE_TEAM_AUTHOR = {
 	name: "Primitive Team",
 	url: "https://primitive.dev"
 };
-const SDK_VERSION_RANGE = "^0.30.0";
-const CLI_VERSION_RANGE = "^0.30.0";
+const SDK_VERSION_RANGE = "^0.30.1";
+const CLI_VERSION_RANGE = "^0.30.1";
 const ESBUILD_VERSION_RANGE = "^0.27.0";
 function renderHandler() {
 	return `// env.PRIMITIVE_API_KEY is auto-injected by the Primitive Functions runtime.
@@ -13001,14 +13339,14 @@ import {
 // the loop guard recognizes mail returning to it as self-traffic.
 const REPLY_FROM = "you@your-domain.primitive.email";
 
-// Loop protection. A deployed Function receives catch-all inbound for
-// the managed *.primitive.email subdomain, which includes bounces and
-// auto-replies generated by its own outbound traffic. Without this
-// guard the handler can respond to its own bounces and create a
-// fan-out loop.
+// Loop protection. A newly deployed Function starts as a fallback
+// endpoint for managed *.primitive.email domains that do not have a
+// domain-scoped endpoint. That can include bounces and auto-replies
+// generated by the handler's own outbound traffic. Without this guard
+// the handler can respond to its own bounces and create a fan-out loop.
 //
 // The default check returns true when From is on any *.primitive.email
-// address (covers the managed subdomain catch-all, the simple
+// address (covers managed-domain fallback mail, the simple
 // self-reply case, and bounces from mailer-daemon@*.primitive.email)
 // or when From contains REPLY_FROM as a case-insensitive substring.
 // Substring matching is deliberate so display-name forms like
@@ -13462,18 +13800,12 @@ var FunctionsLogsCommand = class FunctionsLogsCommand extends Command {
 		if (flags["poll-interval"] <= 0) this.error("--poll-interval must be greater than 0.", { exit: 2 });
 		if (flags.follow && flags.cursor) this.error("--cursor cannot be combined with --follow.", { exit: 2 });
 		await runWithTiming(flags.time, async () => {
-			const baseUrlOverridden = flags["api-base-url-1"] !== void 0 || flags["api-base-url-2"] !== void 0;
-			const auth = resolveCliAuth({
+			const { apiClient, auth, baseUrlOverridden } = createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
 				apiBaseUrl1: flags["api-base-url-1"],
 				apiBaseUrl2: flags["api-base-url-2"],
 				configDir: this.config.configDir
 			});
-			const apiClient = new PrimitiveApiClient({
-				apiKey: auth.apiKey,
-				apiBaseUrl1: auth.apiBaseUrl1,
-				apiBaseUrl2: auth.apiBaseUrl2
-			});
 			const seenIds = /* @__PURE__ */ new Set();
 			let completedInitialFollowPoll = false;
 			let hasObservedLogs = false;
@@ -13704,18 +14036,12 @@ var FunctionsRedeployCommand = class FunctionsRedeployCommand extends Command {
 			const code = readTextFileFlag(flags.file, "--file");
 			const sourceMap = flags["source-map-file"] ? readTextFileFlag(flags["source-map-file"], "--source-map-file") : void 0;
 			emitRawSendMailFetchWarning(code, (chunk) => process.stderr.write(chunk));
-			const baseUrlOverridden = flags["api-base-url-1"] !== void 0 || flags["api-base-url-2"] !== void 0;
-			const auth = resolveCliAuth({
+			const { apiClient, auth, baseUrlOverridden } = createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
 				apiBaseUrl1: flags["api-base-url-1"],
 				apiBaseUrl2: flags["api-base-url-2"],
 				configDir: this.config.configDir
 			});
-			const apiClient = new PrimitiveApiClient({
-				apiKey: auth.apiKey,
-				apiBaseUrl1: auth.apiBaseUrl1,
-				apiBaseUrl2: auth.apiBaseUrl2
-			});
 			const authFailureContext = {
 				auth,
 				baseUrlOverridden,
@@ -13925,18 +14251,12 @@ var FunctionsSetSecretCommand = class FunctionsSetSecretCommand extends Command
 	async run() {
 		const { flags } = await this.parse(FunctionsSetSecretCommand);
 		await runWithTiming(flags.time, async () => {
-			const baseUrlOverridden = flags["api-base-url-1"] !== void 0 || flags["api-base-url-2"] !== void 0;
-			const auth = resolveCliAuth({
+			const { apiClient, auth, baseUrlOverridden } = createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
 				apiBaseUrl1: flags["api-base-url-1"],
 				apiBaseUrl2: flags["api-base-url-2"],
 				configDir: this.config.configDir
 			});
-			const apiClient = new PrimitiveApiClient({
-				apiKey: auth.apiKey,
-				apiBaseUrl1: auth.apiBaseUrl1,
-				apiBaseUrl2: auth.apiBaseUrl2
-			});
 			const authFailureContext = {
 				auth,
 				baseUrlOverridden,
@@ -14053,7 +14373,8 @@ function stringOrNull(value) {
 	return typeof value === "string" && value.length > 0 ? value : null;
 }
 function findMatchingFunctionEndpoints(params) {
-	const matches = [];
+	const domainMatches = [];
+	const fallbackMatches = [];
 	for (const endpoint of params.endpoints) {
 		if (endpoint.kind !== "function") continue;
 		if (endpoint.enabled === false) continue;
@@ -14063,20 +14384,22 @@ function findMatchingFunctionEndpoints(params) {
 		const domainId = stringOrNull(endpoint.domain_id);
 		if (domainId !== null && (params.inboundDomainId === null || domainId !== params.inboundDomainId)) continue;
 		const functionId = stringOrNull(endpoint.function_id);
-		matches.push({
+		const match = {
 			function_id: functionId,
 			id,
 			is_current_function: functionId === params.currentFunctionId,
-			scope: domainId === null ? "catch-all" : "domain"
-		});
+			scope: domainId === null ? "fallback" : "domain"
+		};
+		if (domainId === null) fallbackMatches.push(match);
+		else domainMatches.push(match);
 	}
-	return matches;
+	return domainMatches.length > 0 ? domainMatches : fallbackMatches;
 }
 function formatFunctionEndpointNoiseWarning(params) {
 	if (params.endpoints.filter((endpoint) => !endpoint.is_current_function).length === 0) return null;
 	const lines = [`Warning: ${params.endpoints.length} function endpoints may receive mail for ${params.toAddress}:`];
 	for (const endpoint of params.endpoints) {
-		const scope = endpoint.scope === "catch-all" ? "catch-all" : `scoped to ${params.inboundDomain}`;
+		const scope = endpoint.scope === "fallback" ? "fallback" : `scoped to ${params.inboundDomain}`;
 		const current = endpoint.is_current_function ? " (this function)" : "";
 		const target = endpoint.function_id ? ` -> function ${endpoint.function_id}` : "";
 		lines.push(`- endpoint ${endpoint.id}${target}, ${scope}${current}`);
@@ -14155,18 +14478,12 @@ var FunctionsTestFunctionCommand = class FunctionsTestFunctionCommand extends Co
 		const { flags } = await this.parse(FunctionsTestFunctionCommand);
 		const shouldWait = flags.wait || flags["show-sends"];
 		const shouldShowSends = flags["show-sends"];
-		const baseUrlOverridden = baseUrlOverriddenFromFlags(flags);
-		const auth = resolveCliAuth({
+		const { apiClient, auth, baseUrlOverridden } = createAuthenticatedCliApiClient({
 			apiKey: flags["api-key"],
 			apiBaseUrl1: flags["api-base-url-1"],
 			apiBaseUrl2: flags["api-base-url-2"],
 			configDir: this.config.configDir
 		});
-		const apiClient = new PrimitiveApiClient({
-			apiKey: auth.apiKey,
-			apiBaseUrl1: auth.apiBaseUrl1,
-			apiBaseUrl2: auth.apiBaseUrl2
-		});
 		await runWithTiming(flags.time, async () => {
 			const triggerResult = await testFunction({
 				client: apiClient.client,
@@ -14306,11 +14623,16 @@ function retryAfterSeconds$1(result) {
 	return Number.isFinite(parsed) && parsed > 0 ? parsed : null;
 }
 async function checkExistingLogin(params) {
-	const baseUrlOverridden = params.apiBaseUrl1 !== void 0;
-	const probeApiBaseUrl1 = baseUrlOverridden ? normalizeApiBaseUrl1(params.apiBaseUrl1) : params.credentials.api_base_url_1;
+	const requestConfig = resolveCliApiRequestConfig({
+		apiBaseUrl1: params.apiBaseUrl1,
+		configDir: params.configDir
+	});
+	const probeApiBaseUrl1 = requestConfig.apiBaseUrl1 ?? params.credentials.api_base_url_1;
 	const apiClient = new PrimitiveApiClient({
 		apiKey: params.credentials.api_key,
-		apiBaseUrl1: probeApiBaseUrl1
+		apiBaseUrl1: probeApiBaseUrl1,
+		apiBaseUrl2: requestConfig.resolvedApiBaseUrl2,
+		headers: requestConfig.headers
 	});
 	const result = await (params.checkAccount ?? ((client) => getAccount({
 		client: client.client,
@@ -14326,7 +14648,7 @@ async function checkExistingLogin(params) {
 			credentials: params.credentials,
 			source: "stored"
 		},
-		baseUrlOverridden,
+		baseUrlOverridden: requestConfig.baseUrlOverridden,
 		configDir: params.configDir,
 		payload
 	})) return { status: "removed_stale" };
@@ -14372,7 +14694,11 @@ var LoginCommand = class LoginCommand extends Command {
 		}
 	}
 	async runWithCredentialLock(flags) {
-		const apiBaseUrl1 = normalizeApiBaseUrl1(flags["api-base-url-1"]);
+		const { apiClient, requestConfig } = createCliApiClient({
+			apiBaseUrl1: flags["api-base-url-1"],
+			configDir: this.config.configDir
+		});
+		const apiBaseUrl1 = requestConfig.resolvedApiBaseUrl1;
 		let existing;
 		try {
 			existing = loadCliCredentials(this.config.configDir);
@@ -14395,7 +14721,6 @@ var LoginCommand = class LoginCommand extends Command {
 				throw cliError$2(existingStatus.message);
 			} else throw cliError$2(`Already logged in${existing.org_name ? ` for ${existing.org_name}` : ""}. Run \`primitive logout\` before logging in again.`);
 		}
-		const apiClient = new PrimitiveApiClient({ apiBaseUrl1 });
 		const started = await startCliLogin({
 			body: { device_name: flags["device-name"] ?? hostname() },
 			client: apiClient.client,
@@ -14505,10 +14830,15 @@ var LogoutCommand = class LogoutCommand extends Command {
 			return;
 		}
 		if (!credentials) throw cliError$1("Not logged in. Run `primitive login` to create saved CLI credentials.");
-		const apiBaseUrl1 = flags["api-base-url-1"] ? normalizeApiBaseUrl1(flags["api-base-url-1"]) : credentials.api_base_url_1;
+		const requestConfig = resolveCliApiRequestConfig({
+			apiBaseUrl1: flags["api-base-url-1"],
+			configDir: this.config.configDir
+		});
+		const apiBaseUrl1 = requestConfig.apiBaseUrl1 ? normalizeApiBaseUrl1(requestConfig.apiBaseUrl1) : credentials.api_base_url_1;
 		const apiClient = new PrimitiveApiClient({
 			apiKey: credentials.api_key,
-			apiBaseUrl1
+			apiBaseUrl1,
+			headers: requestConfig.headers
 		});
 		const result = await cliLogout({
 			body: { key_id: credentials.key_id },
@@ -14689,18 +15019,12 @@ var ReplyCommand = class ReplyCommand extends Command {
 		});
 		if (bodies.kind === "error") throw new Errors.CLIError(bodies.message);
 		await runWithTiming(flags.time, async () => {
-			const baseUrlOverridden = flags["api-base-url-1"] !== void 0 || flags["api-base-url-2"] !== void 0;
-			const auth = resolveCliAuth({
+			const { apiClient, auth, baseUrlOverridden } = createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
 				apiBaseUrl1: flags["api-base-url-1"],
 				apiBaseUrl2: flags["api-base-url-2"],
 				configDir: this.config.configDir
 			});
-			const apiClient = new PrimitiveApiClient({
-				apiKey: auth.apiKey,
-				apiBaseUrl1: auth.apiBaseUrl1,
-				apiBaseUrl2: auth.apiBaseUrl2
-			});
 			const result = await replyToEmail({
 				body: {
 					...bodies.body !== void 0 ? { body_text: bodies.body } : {},
@@ -14829,18 +15153,12 @@ var SendCommand = class SendCommand extends Command {
 		});
 		if (bodies.kind === "error") throw new Errors.CLIError(bodies.message);
 		await runWithTiming(flags.time, async () => {
-			const baseUrlOverridden = flags["api-base-url-1"] !== void 0 || flags["api-base-url-2"] !== void 0;
-			const auth = resolveCliAuth({
+			const { apiClient, auth, baseUrlOverridden } = createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
 				apiBaseUrl1: flags["api-base-url-1"],
 				apiBaseUrl2: flags["api-base-url-2"],
 				configDir: this.config.configDir
 			});
-			const apiClient = new PrimitiveApiClient({
-				apiKey: auth.apiKey,
-				apiBaseUrl1: auth.apiBaseUrl1,
-				apiBaseUrl2: auth.apiBaseUrl2
-			});
 			const authFailureContext = {
 				auth,
 				baseUrlOverridden,
@@ -15113,7 +15431,11 @@ async function runSignupWithCredentialLock(params) {
 	const startFn = deps.startCliSignup ?? startCliSignup;
 	const verifyFn = deps.verifyCliSignup ?? verifyCliSignup;
 	const checkExistingLoginFn = deps.checkExistingLogin ?? checkExistingLogin;
-	const apiBaseUrl1 = normalizeApiBaseUrl1(flags["api-base-url-1"]);
+	const { apiClient, requestConfig } = createCliApiClient({
+		apiBaseUrl1: flags["api-base-url-1"],
+		configDir
+	});
+	const apiBaseUrl1 = requestConfig.resolvedApiBaseUrl1;
 	let existing;
 	try {
 		existing = loadCliCredentials(configDir);
@@ -15137,7 +15459,6 @@ async function runSignupWithCredentialLock(params) {
 		} else throw cliError(`Already logged in${existing.org_name ? ` for ${existing.org_name}` : ""}. Run \`primitive logout\` before creating a new account.`);
 	}
 	if (flags.force) deletePendingCliSignup(configDir);
-	const apiClient = new PrimitiveApiClient({ apiBaseUrl1 });
 	let start = flags.force ? null : loadPendingCliSignup(configDir, apiBaseUrl1);
 	const resumed = Boolean(start);
 	if (start) process$1.stderr.write(`Continuing pending Primitive CLI signup for ${start.email}.\n`);
@@ -15294,19 +15615,14 @@ var WhoamiCommand = class WhoamiCommand extends Command {
 	async run() {
 		const { flags } = await this.parse(WhoamiCommand);
 		await runWithTiming(flags.time, async () => {
-			const baseUrlOverridden = flags["api-base-url-1"] !== void 0 || flags["api-base-url-2"] !== void 0;
-			const auth = resolveCliAuth({
+			const { apiClient, auth, baseUrlOverridden } = createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
 				apiBaseUrl1: flags["api-base-url-1"],
 				apiBaseUrl2: flags["api-base-url-2"],
 				configDir: this.config.configDir
 			});
 			const result = await getAccount({
-				client: new PrimitiveApiClient({
-					apiKey: auth.apiKey,
-					apiBaseUrl1: auth.apiBaseUrl1,
-					apiBaseUrl2: auth.apiBaseUrl2
-				}).client,
+				client: apiClient.client,
 				responseStyle: "fields"
 			});
 			if (result.error) {
@@ -15535,6 +15851,10 @@ const generatedCommands = Object.fromEntries(operationManifest.filter((operation
 const COMMANDS = {
 	completion: CompletionCommand,
 	"list-operations": ListOperationsCommand,
+	"config:list": ConfigListCommand,
+	"config:reset": ConfigResetCommand,
+	"config:set": ConfigSetCommand,
+	"config:use": ConfigUseCommand,
 	describe: DescribeCommand,
 	send: SendCommand,
 	reply: ReplyCommand,

package/dist/oclif/proxy-auto-detect.js

@@ -1,3 +1,4 @@
+import { spawnSync } from "node:child_process";
 //#region src/oclif/proxy-auto-detect.ts
 const PROXY_ENV_VARS = [
 	"HTTP_PROXY",
@@ -15,7 +16,7 @@ function detectProxyVars(env) {
 		return typeof value === "string" && value.length > 0;
 	});
 }
-function applyProxyAutoDetect(options = {}) {
+function restartWithProxyEnvIfNeeded(options = {}) {
 	const env = options.env ?? process.env;
 	const stderr = options.stderr ?? process.stderr;
 	const detectedVars = detectProxyVars(env);
@@ -29,17 +30,42 @@ function applyProxyAutoDetect(options = {}) {
 		detectedVars,
 		reason: "node_use_env_proxy_already_set"
 	};
-	env.NODE_USE_ENV_PROXY = "1";
+	const argv = options.argv ?? process.argv;
+	const entrypoint = argv[1];
+	if (!entrypoint) return {
+		applied: false,
+		detectedVars,
+		reason: "missing_entrypoint"
+	};
+	const execPath = options.execPath ?? process.execPath;
+	const execArgv = options.execArgv ?? process.execArgv;
+	const spawn = options.spawn ?? spawnSync;
+	const exit = options.exit ?? ((code) => {
+		process.exit(code);
+		throw new Error("process.exit returned unexpectedly");
+	});
 	if (!hintPrinted) {
 		hintPrinted = true;
 		const names = detectedVars.join("/");
-		stderr.write(`primitive: proxy detected via ${names}, NODE_USE_ENV_PROXY=1 set automatically\n`);
+		stderr.write(`primitive: proxy detected via ${names}, restarting with NODE_USE_ENV_PROXY=1\n`);
 	}
-	return {
-		applied: true,
-		detectedVars,
-		reason: "applied"
-	};
+	const child = spawn(execPath, [
+		...execArgv,
+		entrypoint,
+		...argv.slice(2)
+	], {
+		env: {
+			...env,
+			NODE_USE_ENV_PROXY: "1"
+		},
+		stdio: "inherit"
+	});
+	if (child.error) throw child.error;
+	if (child.signal) {
+		(options.kill ?? process.kill)(options.pid ?? process.pid, child.signal);
+		return exit(1);
+	}
+	return exit(child.status ?? 1);
 }
 //#endregion
-export { _resetHintLatchForTest, applyProxyAutoDetect };
+export { _resetHintLatchForTest, restartWithProxyEnvIfNeeded };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@primitivedotdev/cli",
-  "version": "0.30.0",
+  "version": "0.30.1",
   "description": "Official Primitive CLI: deploy Primitive Functions, send and inspect mail, manage endpoints, all from the terminal. Wraps the @primitivedotdev/sdk runtime client with one-shot commands.",
   "type": "module",
   "sideEffects": false,