@primitivedotdev/cli 0.31.0 → 0.31.2

package/dist/oclif/index.js

@@ -667,11 +667,13 @@ var sdk_gen_exports = /* @__PURE__ */ __exportAll({
 	replayDelivery: () => replayDelivery,
 	replayEmailWebhooks: () => replayEmailWebhooks,
 	replyToEmail: () => replyToEmail,
+	resendAgentSignupVerification: () => resendAgentSignupVerification,
 	resendCliSignupVerification: () => resendCliSignupVerification,
 	rotateWebhookSecret: () => rotateWebhookSecret,
 	searchEmails: () => searchEmails,
 	sendEmail: () => sendEmail,
 	setFunctionSecret: () => setFunctionSecret,
+	startAgentSignup: () => startAgentSignup,
 	startCliLogin: () => startCliLogin,
 	startCliSignup: () => startCliSignup,
 	testEndpoint: () => testEndpoint,
@@ -681,6 +683,7 @@ var sdk_gen_exports = /* @__PURE__ */ __exportAll({
 	updateEndpoint: () => updateEndpoint,
 	updateFilter: () => updateFilter,
 	updateFunction: () => updateFunction,
+	verifyAgentSignup: () => verifyAgentSignup,
 	verifyCliSignup: () => verifyCliSignup,
 	verifyDomain: () => verifyDomain
 });
@@ -704,8 +707,8 @@ const startCliLogin = (options) => (options?.client ?? client).post({
 * Poll CLI browser login
 *
 * Polls a CLI login session until the browser approval either succeeds,
-* is denied, expires, or is polled too quickly. The API key is generated
-* only after approval and is returned exactly once.
+* is denied, expires, or is polled too quickly. The OAuth token set is
+* created only after approval and is returned exactly once.
 *
 */
 const pollCliLogin = (options) => (options.client ?? client).post({
@@ -749,11 +752,12 @@ const resendCliSignupVerification = (options) => (options.client ?? client).post
 	}
 });
 /**
-* Verify CLI signup and create API key
+* Verify CLI signup and create OAuth session
 *
 * Verifies the email code for a CLI signup session, creates the account,
-* redeems the reserved signup code, mints an org-scoped CLI API key, and
-* returns the raw key exactly once. This endpoint does not require an API key.
+* redeems the reserved signup code, creates an org-scoped OAuth CLI
+* session, and returns the token set exactly once. This endpoint does not
+* require an API key.
 *
 */
 const verifyCliSignup = (options) => (options.client ?? client).post({
@@ -765,10 +769,61 @@ const verifyCliSignup = (options) => (options.client ?? client).post({
 	}
 });
 /**
-* Revoke the current CLI API key
+* Start agent account signup
 *
-* Revokes the API key used to authenticate the request. CLI clients use
-* this endpoint during `primitive logout` before removing local credentials.
+* Starts an agent-native signup session. The API validates the signup code,
+* creates a pending signup session, sends an email verification code, and
+* returns an opaque signup token used by the resend and verify steps. This
+* endpoint does not require an API key.
+*
+*/
+const startAgentSignup = (options) => (options.client ?? client).post({
+	url: "/agent/signup/start",
+	...options,
+	headers: {
+		...options.body !== void 0 && { "Content-Type": "application/json" },
+		...options.headers
+	}
+});
+/**
+* Resend agent signup verification code
+*
+* Sends a new email verification code for a pending agent signup session.
+* This endpoint does not require an API key.
+*
+*/
+const resendAgentSignupVerification = (options) => (options.client ?? client).post({
+	url: "/agent/signup/resend",
+	...options,
+	headers: {
+		...options.body !== void 0 && { "Content-Type": "application/json" },
+		...options.headers
+	}
+});
+/**
+* Verify agent signup and create OAuth tokens
+*
+* Verifies the email code for an agent signup session, creates the account
+* when needed, redeems the reserved signup code, mints an org-scoped OAuth
+* session for CLI authentication, and returns the raw tokens exactly once.
+* For existing users, the optional `org_id` selects which accessible
+* workspace should receive the new session.
+*
+*/
+const verifyAgentSignup = (options) => (options.client ?? client).post({
+	url: "/agent/signup/verify",
+	...options,
+	headers: {
+		...options.body !== void 0 && { "Content-Type": "application/json" },
+		...options.headers
+	}
+});
+/**
+* Revoke the current CLI OAuth session
+*
+* Revokes the OAuth grant used to authenticate the request. API-key
+* authenticated legacy logout requests succeed without deleting server API
+* keys so old local CLI state can be cleared safely.
 *
 */
 const cliLogout = (options) => (options?.client ?? client).post({
@@ -1478,9 +1533,8 @@ const getSentEmail = (options) => (options.client ?? client).get({
 * List functions
 *
 * Returns every active (non-deleted) function in the org, newest
-* first. Each entry carries the deploy status and the gateway URL
-* that the platform's webhook delivery loop posts to. To inspect
-* the source code or deploy errors, use `GET /functions/{id}`.
+* first. Each entry carries deploy status and timestamps. To
+* inspect the source code or deploy errors, use `GET /functions/{id}`.
 *
 */
 const listFunctions = (options) => (options?.client ?? client).get({
@@ -1496,13 +1550,14 @@ const listFunctions = (options) => (options?.client ?? client).get({
 *
 * Creates and deploys a new function. The handler must be a single
 * ESM module whose default export is an object with an async
-* `fetch(request, env)` method (Workers-style). The gateway
-* HMAC-verifies the POST against the org's webhook secret before
-* invoking the handler; the request body parses to an
-* `email.received` event (see `EmailReceivedEvent` and the
-* Webhook payload section for the full schema). Code is bundled
-* before being uploaded; ship a single self-contained file rather
-* than relying on external imports.
+* `fetch(request, env)` method (Workers-style). Primitive signs
+* each delivery and forwards the `Primitive-Signature` header to
+* the handler. Verify the raw request body with
+* `PRIMITIVE_WEBHOOK_SECRET` before parsing JSON; after verification
+* the request body parses to an `email.received` event (see
+* `EmailReceivedEvent` and the Webhook payload section for the full
+* schema). Code is bundled before being uploaded; ship a single
+* self-contained file rather than relying on external imports.
 *
 * **Code limits.** `code` is capped at 1 MiB UTF-8. `sourceMap`
 * (optional) is capped at 5 MiB UTF-8, stored with each deployment
@@ -1512,12 +1567,12 @@ const listFunctions = (options) => (options?.client ?? client).get({
 * **Auto-wiring.** On successful deploy, Primitive automatically
 * creates a webhook endpoint that delivers inbound mail to the
 * function. There is nothing to configure on the Endpoints API
-* for this to work; the gateway URL returned here is for
-* reference only and is not directly callable from outside.
+* for this to work; the internal runtime URL is not returned by
+* the API and is not a customer-facing integration surface.
 *
 * **Secrets.** New functions ship with the managed secrets
-* (`PRIMITIVE_WEBHOOK_SECRET`, `PRIMITIVE_API_KEY`) already
-* bound. Add user-set secrets via
+* (`PRIMITIVE_WEBHOOK_SECRET`, `PRIMITIVE_API_KEY`,
+* `PRIMITIVE_API_BASE_URL`) already bound. Add user-set secrets via
 * `POST /functions/{id}/secrets`; secret writes only land in the
 * running handler on the next redeploy.
 *
@@ -1663,9 +1718,9 @@ const getFunctionTestRunTrace = (options) => (options.client ?? client).get({
 * never returned.** Secret writes are write-only.
 *
 * Managed entries (e.g. `PRIMITIVE_WEBHOOK_SECRET`,
-* `PRIMITIVE_API_KEY`) carry a `description` instead of
-* `created_at` / `updated_at`. They cannot be created, updated,
-* or deleted via this API.
+* `PRIMITIVE_API_KEY`, `PRIMITIVE_API_BASE_URL`) carry a
+* `description` instead of `created_at` / `updated_at`. They
+* cannot be created, updated, or deleted via this API.
 *
 */
 const listFunctionSecrets = (options) => (options.client ?? client).get({
@@ -1778,7 +1833,7 @@ const openapiDocument = {
 	"info": {
 		"title": "Primitive API",
 		"version": "1.0.0",
-		"description": "The Primitive API lets you manage domains, emails, webhook endpoints,\nfilters, and account settings programmatically.\n\n## Authentication\n\nMost endpoints require a Bearer token in the `Authorization` header:\n\n```\nAuthorization: Bearer prim_<your_api_key>\n```\n\nAPI keys are org-scoped. Create and manage them in your dashboard\nunder Settings > API Keys. CLI login and signup endpoints explicitly\ndeclare `security: []`; they do not require an API key because they\nare used to mint one.\n\n## Rate Limiting\n\nThe API enforces a sliding window rate limit of **120 requests per\n60 seconds** per organization. When exceeded, the API returns `429`\nwith a `Retry-After` header indicating how many seconds to wait.\n\n## Pagination\n\nList endpoints use cursor-based pagination. Responses include a\n`meta` object with `total`, `limit`, and `cursor` fields. Pass the\n`cursor` value as a query parameter to fetch the next page. When\n`cursor` is `null`, there are no more results.\n\n## Response Format\n\nAll responses use a consistent envelope:\n\n```json\n{\n  \"success\": true,\n  \"data\": { ... },\n  \"meta\": { \"total\": 42, \"limit\": 50, \"cursor\": \"...\" }\n}\n```\n\nErrors follow the same pattern:\n\n```json\n{\n  \"success\": false,\n  \"error\": { \"code\": \"not_found\", \"message\": \"Email not found\" }\n}\n```\n\n## Webhook signing\n\nOutbound webhook deliveries (configured via the `endpoints` API)\nare signed so receivers can verify they came from Primitive and\nhave not been tampered with in transit. The signing scheme is\ndeliberately simple so it can be reimplemented in any language\nin a few lines. The Node SDK's `verifyWebhookSignature` helper\nis the reference implementation; the wire details below let you\nwrite a verifier in Python, Go, Ruby, etc. without reading our\nsource.\n\n**Header**: `Primitive-Signature: t=<unix-seconds>,v1=<hex>`\n\nA legacy `MyMX-Signature` header is also sent on every delivery\nwith the same value, retained for back-compatibility with\nintegrations written before the rename. New code should read\n`Primitive-Signature`.\n\n**Signed string**: `${timestamp}.${rawBody}` where `timestamp`\nis the Unix-seconds integer from the `t=` parameter and\n`rawBody` is the exact bytes of the HTTP request body BEFORE\nany JSON decoding. Verify against the raw body, not a\nre-serialized parse, or you will silently mismatch on\ninsignificant whitespace.\n\n**Signature**: HMAC-SHA256 of the signed string, hex-encoded\n(lowercase). Use the account's webhook secret as the HMAC key,\nas a UTF-8 byte sequence.\n\n**Secret**: returned by `GET /account/webhook-secret`. The\nstring looks base64-shaped (e.g. `XNHBBW8VqoBjRfNs1tkZj11jTk...`)\nbut is NOT base64; use it AS-IS as a UTF-8 string for the HMAC\nkey. Base64-decoding before HMAC will silently produce\nmismatched signatures.\n\n**Tolerance**: by convention, reject deliveries whose `t=`\ntimestamp is more than 5 minutes off your wall-clock to defend\nagainst replay attacks. The Node SDK's helper enforces this by\ndefault.\n\n**Verification recipe** (any language):\n\n```\n1. Read the raw HTTP body (do not parse).\n2. Read `Primitive-Signature: t=<ts>,v1=<sig>`.\n3. Reject if abs(now - ts) > 300 seconds.\n4. expected = HMAC_SHA256_hex(secret_utf8, f\"{ts}.{rawBody}\")\n5. Constant-time compare expected to sig. Reject if not equal.\n```\n\nFor Node, use `verifyWebhookSignature` from\n`@primitivedotdev/sdk/webhook` (or the higher-level\n`handleWebhook` helper if you want a one-liner). For other\nlanguages, the recipe above is everything you need.\n\nTest deliveries: `POST /endpoints/{id}/test` triggers a fake\ndelivery to your endpoint URL, signed with your real account\nsecret, so you can confirm verification end-to-end without\nneeding real inbound mail. The test response carries the exact\n`signature` header value sent on the wire so you can compare\nstrings directly.\n",
+		"description": "The Primitive API lets you manage domains, emails, webhook endpoints,\nfilters, and account settings programmatically.\n\n## Authentication\n\nMost endpoints require a Bearer token in the `Authorization` header:\n\n```\nAuthorization: Bearer prim_<your_api_key>\n```\n\nAPI keys are org-scoped. Create and manage them in your dashboard\nunder Settings > API Keys. CLI login plus CLI/agent signup endpoints\nexplicitly declare `security: []`; they do not require an API key because\nthey are used to create OAuth CLI sessions.\n\n## Rate Limiting\n\nThe API enforces a sliding window rate limit of **120 requests per\n60 seconds** per organization. When exceeded, the API returns `429`\nwith a `Retry-After` header indicating how many seconds to wait.\n\n## Pagination\n\nList endpoints use cursor-based pagination. Responses include a\n`meta` object with `total`, `limit`, and `cursor` fields. Pass the\n`cursor` value as a query parameter to fetch the next page. When\n`cursor` is `null`, there are no more results.\n\n## Response Format\n\nAll responses use a consistent envelope:\n\n```json\n{\n  \"success\": true,\n  \"data\": { ... },\n  \"meta\": { \"total\": 42, \"limit\": 50, \"cursor\": \"...\" }\n}\n```\n\nErrors follow the same pattern:\n\n```json\n{\n  \"success\": false,\n  \"error\": { \"code\": \"not_found\", \"message\": \"Email not found\" }\n}\n```\n\n## Webhook signing\n\nOutbound webhook deliveries (configured via the `endpoints` API)\nare signed so receivers can verify they came from Primitive and\nhave not been tampered with in transit. The signing scheme is\ndeliberately simple so it can be reimplemented in any language\nin a few lines. The Node SDK's `verifyWebhookSignature` helper\nis the reference implementation; the wire details below let you\nwrite a verifier in Python, Go, Ruby, etc. without reading our\nsource.\n\n**Header**: `Primitive-Signature: t=<unix-seconds>,v1=<hex>`\n\nA legacy `MyMX-Signature` header is also sent on every delivery\nwith the same value, retained for back-compatibility with\nintegrations written before the rename. New code should read\n`Primitive-Signature`.\n\n**Signed string**: `${timestamp}.${rawBody}` where `timestamp`\nis the Unix-seconds integer from the `t=` parameter and\n`rawBody` is the exact bytes of the HTTP request body BEFORE\nany JSON decoding. Verify against the raw body, not a\nre-serialized parse, or you will silently mismatch on\ninsignificant whitespace.\n\n**Signature**: HMAC-SHA256 of the signed string, hex-encoded\n(lowercase). Use the account's webhook secret as the HMAC key,\nas a UTF-8 byte sequence.\n\n**Secret**: returned by `GET /account/webhook-secret`. The\nstring looks base64-shaped (e.g. `XNHBBW8VqoBjRfNs1tkZj11jTk...`)\nbut is NOT base64; use it AS-IS as a UTF-8 string for the HMAC\nkey. Base64-decoding before HMAC will silently produce\nmismatched signatures.\n\n**Tolerance**: by convention, reject deliveries whose `t=`\ntimestamp is more than 5 minutes off your wall-clock to defend\nagainst replay attacks. The Node SDK's helper enforces this by\ndefault.\n\n**Verification recipe** (any language):\n\n```\n1. Read the raw HTTP body (do not parse).\n2. Read `Primitive-Signature: t=<ts>,v1=<sig>`.\n3. Reject if abs(now - ts) > 300 seconds.\n4. expected = HMAC_SHA256_hex(secret_utf8, f\"{ts}.{rawBody}\")\n5. Constant-time compare expected to sig. Reject if not equal.\n```\n\nFor Node, use `verifyWebhookSignature` from\n`@primitivedotdev/sdk/webhook` (or the higher-level\n`handleWebhook` helper if you want a one-liner). For other\nlanguages, the recipe above is everything you need.\n\nTest deliveries: `POST /endpoints/{id}/test` triggers a fake\ndelivery to your endpoint URL, signed with your real account\nsecret, so you can confirm verification end-to-end without\nneeding real inbound mail. The test response carries the exact\n`signature` header value sent on the wire so you can compare\nstrings directly.\n",
 		"contact": {
 			"name": "Primitive",
 			"url": "https://primitive.dev"
@@ -1801,6 +1856,10 @@ const openapiDocument = {
 			"name": "CLI",
 			"description": "Browser-assisted CLI authentication"
 		},
+		{
+			"name": "Agent",
+			"description": "Agent signup and authentication"
+		},
 		{
 			"name": "Account",
 			"description": "Manage your account settings, storage, and webhook secret"
@@ -1831,7 +1890,7 @@ const openapiDocument = {
 		},
 		{
 			"name": "Functions",
-			"description": "Deploy JavaScript handlers that run on inbound mail. Each function\nis a single ESM module whose default export is an object with an\nasync `fetch(request, env)` method, in the shape of a Workers-style\nhandler. The gateway HMAC-verifies the inbound POST against the\norg's webhook secret before invoking `fetch`; the request body\nparses to an `email.received` event (see `EmailReceivedEvent` and\nthe Webhook payload section for the full schema). Code runs on\nPrimitive's edge runtime; there is no infrastructure to manage.\nSecrets land in `env` as encrypted bindings and are refreshed on\nevery redeploy.\n"
+			"description": "Deploy JavaScript handlers that run on inbound mail. Each function\nis a single ESM module whose default export is an object with an\nasync `fetch(request, env)` method, in the shape of a Workers-style\nhandler. Primitive signs each delivery and forwards the\n`Primitive-Signature` header to the handler; verify the raw request\nbody with `PRIMITIVE_WEBHOOK_SECRET` before trusting the parsed\n`email.received` event (see `EmailReceivedEvent` and the Webhook\npayload section for the full schema). Code runs on\nPrimitive's edge runtime; there is no infrastructure to manage.\nSecrets land in `env` as encrypted bindings and are refreshed on\nevery redeploy.\n"
 		}
 	],
 	"paths": {
@@ -1864,7 +1923,7 @@ const openapiDocument = {
 		"/cli/login/poll": { "post": {
 			"operationId": "pollCliLogin",
 			"summary": "Poll CLI browser login",
-			"description": "Polls a CLI login session until the browser approval either succeeds,\nis denied, expires, or is polled too quickly. The API key is generated\nonly after approval and is returned exactly once.\n",
+			"description": "Polls a CLI login session until the browser approval either succeeds,\nis denied, expires, or is polled too quickly. The OAuth token set is\ncreated only after approval and is returned exactly once.\n",
 			"tags": ["CLI"],
 			"security": [],
 			"requestBody": {
@@ -1873,7 +1932,7 @@ const openapiDocument = {
 			},
 			"responses": {
 				"200": {
-					"description": "CLI login approved and API key created",
+					"description": "CLI login approved and OAuth token set created",
 					"headers": { "Cache-Control": {
 						"schema": { "type": "string" },
 						"description": "Always `no-store`"
@@ -2014,8 +2073,8 @@ const openapiDocument = {
 		} },
 		"/cli/signup/verify": { "post": {
 			"operationId": "verifyCliSignup",
-			"summary": "Verify CLI signup and create API key",
-			"description": "Verifies the email code for a CLI signup session, creates the account,\nredeems the reserved signup code, mints an org-scoped CLI API key, and\nreturns the raw key exactly once. This endpoint does not require an API key.\n",
+			"summary": "Verify CLI signup and create OAuth session",
+			"description": "Verifies the email code for a CLI signup session, creates the account,\nredeems the reserved signup code, creates an org-scoped OAuth CLI\nsession, and returns the token set exactly once. This endpoint does not\nrequire an API key.\n",
 			"tags": ["CLI"],
 			"security": [],
 			"requestBody": {
@@ -2024,7 +2083,7 @@ const openapiDocument = {
 			},
 			"responses": {
 				"200": {
-					"description": "CLI signup verified and API key created",
+					"description": "CLI signup verified and OAuth token set created",
 					"headers": { "Cache-Control": {
 						"schema": { "type": "string" },
 						"description": "Always `no-store`"
@@ -2041,10 +2100,106 @@ const openapiDocument = {
 				"429": { "$ref": "#/components/responses/RateLimited" }
 			}
 		} },
+		"/agent/signup/start": { "post": {
+			"operationId": "startAgentSignup",
+			"summary": "Start agent account signup",
+			"description": "Starts an agent-native signup session. The API validates the signup code,\ncreates a pending signup session, sends an email verification code, and\nreturns an opaque signup token used by the resend and verify steps. This\nendpoint does not require an API key.\n",
+			"tags": ["Agent"],
+			"security": [],
+			"requestBody": {
+				"required": true,
+				"content": { "application/json": { "schema": { "$ref": "#/components/schemas/StartAgentSignupInput" } } }
+			},
+			"responses": {
+				"201": {
+					"description": "Agent signup session created and verification email sent",
+					"headers": { "Cache-Control": {
+						"schema": { "type": "string" },
+						"description": "Always `no-store`"
+					} },
+					"content": { "application/json": { "schema": { "allOf": [{ "$ref": "#/components/schemas/SuccessEnvelope" }, {
+						"type": "object",
+						"properties": { "data": { "$ref": "#/components/schemas/AgentSignupStartResult" } }
+					}] } } }
+				},
+				"400": { "$ref": "#/components/responses/ValidationError" },
+				"429": { "$ref": "#/components/responses/RateLimited" }
+			}
+		} },
+		"/agent/signup/resend": { "post": {
+			"operationId": "resendAgentSignupVerification",
+			"summary": "Resend agent signup verification code",
+			"description": "Sends a new email verification code for a pending agent signup session.\nThis endpoint does not require an API key.\n",
+			"tags": ["Agent"],
+			"security": [],
+			"requestBody": {
+				"required": true,
+				"content": { "application/json": { "schema": { "$ref": "#/components/schemas/ResendAgentSignupVerificationInput" } } }
+			},
+			"responses": {
+				"200": {
+					"description": "Verification email resent",
+					"headers": { "Cache-Control": {
+						"schema": { "type": "string" },
+						"description": "Always `no-store`"
+					} },
+					"content": { "application/json": { "schema": { "allOf": [{ "$ref": "#/components/schemas/SuccessEnvelope" }, {
+						"type": "object",
+						"properties": { "data": { "$ref": "#/components/schemas/AgentSignupResendResult" } }
+					}] } } }
+				},
+				"400": {
+					"description": "Invalid token or expired token",
+					"content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } }
+				},
+				"429": {
+					"description": "Global rate limit exceeded or resend requested too quickly",
+					"headers": { "Retry-After": {
+						"schema": { "type": "integer" },
+						"description": "Seconds to wait before retrying"
+					} },
+					"content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } }
+				}
+			}
+		} },
+		"/agent/signup/verify": { "post": {
+			"operationId": "verifyAgentSignup",
+			"summary": "Verify agent signup and create OAuth tokens",
+			"description": "Verifies the email code for an agent signup session, creates the account\nwhen needed, redeems the reserved signup code, mints an org-scoped OAuth\nsession for CLI authentication, and returns the raw tokens exactly once.\nFor existing users, the optional `org_id` selects which accessible\nworkspace should receive the new session.\n",
+			"tags": ["Agent"],
+			"security": [],
+			"requestBody": {
+				"required": true,
+				"content": { "application/json": { "schema": { "$ref": "#/components/schemas/VerifyAgentSignupInput" } } }
+			},
+			"responses": {
+				"200": {
+					"description": "Agent signup verified and OAuth tokens created",
+					"headers": { "Cache-Control": {
+						"schema": { "type": "string" },
+						"description": "Always `no-store`"
+					} },
+					"content": { "application/json": { "schema": { "allOf": [{ "$ref": "#/components/schemas/SuccessEnvelope" }, {
+						"type": "object",
+						"properties": { "data": { "$ref": "#/components/schemas/AgentSignupVerifyResult" } }
+					}] } } }
+				},
+				"400": {
+					"description": "Invalid request, invalid verification code, expired token, invalid signup code, or account creation failure",
+					"content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } }
+				},
+				"403": { "$ref": "#/components/responses/Forbidden" },
+				"409": {
+					"description": "Existing account is not in a usable workspace state",
+					"content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } }
+				},
+				"429": { "$ref": "#/components/responses/RateLimited" }
+			}
+		} },
 		"/cli/logout": { "post": {
 			"operationId": "cliLogout",
-			"summary": "Revoke the current CLI API key",
-			"description": "Revokes the API key used to authenticate the request. CLI clients use\nthis endpoint during `primitive logout` before removing local credentials.\n",
+			"summary": "Revoke the current CLI OAuth session",
+			"description": "Revokes the OAuth grant used to authenticate the request. API-key\nauthenticated legacy logout requests succeed without deleting server API\nkeys so old local CLI state can be cleared safely.\n",
 			"tags": ["CLI"],
 			"requestBody": {
 				"required": false,
@@ -2052,7 +2207,7 @@ const openapiDocument = {
 			},
 			"responses": {
 				"200": {
-					"description": "CLI API key revoked",
+					"description": "CLI logout completed",
 					"content": { "application/json": { "schema": { "allOf": [{ "$ref": "#/components/schemas/SuccessEnvelope" }, {
 						"type": "object",
 						"properties": { "data": { "$ref": "#/components/schemas/CliLogoutResult" } }
@@ -3171,7 +3326,7 @@ const openapiDocument = {
 			"get": {
 				"operationId": "listFunctions",
 				"summary": "List functions",
-				"description": "Returns every active (non-deleted) function in the org, newest\nfirst. Each entry carries the deploy status and the gateway URL\nthat the platform's webhook delivery loop posts to. To inspect\nthe source code or deploy errors, use `GET /functions/{id}`.\n",
+				"description": "Returns every active (non-deleted) function in the org, newest\nfirst. Each entry carries deploy status and timestamps. To\ninspect the source code or deploy errors, use `GET /functions/{id}`.\n",
 				"tags": ["Functions"],
 				"responses": {
 					"200": {
@@ -3190,7 +3345,7 @@ const openapiDocument = {
 			"post": {
 				"operationId": "createFunction",
 				"summary": "Deploy a function",
-				"description": "Creates and deploys a new function. The handler must be a single\nESM module whose default export is an object with an async\n`fetch(request, env)` method (Workers-style). The gateway\nHMAC-verifies the POST against the org's webhook secret before\ninvoking the handler; the request body parses to an\n`email.received` event (see `EmailReceivedEvent` and the\nWebhook payload section for the full schema). Code is bundled\nbefore being uploaded; ship a single self-contained file rather\nthan relying on external imports.\n\n**Code limits.** `code` is capped at 1 MiB UTF-8. `sourceMap`\n(optional) is capped at 5 MiB UTF-8, stored with each deployment\nattempt, and sent to the runtime so stack traces can resolve to\noriginal source files.\n\n**Auto-wiring.** On successful deploy, Primitive automatically\ncreates a webhook endpoint that delivers inbound mail to the\nfunction. There is nothing to configure on the Endpoints API\nfor this to work; the gateway URL returned here is for\nreference only and is not directly callable from outside.\n\n**Secrets.** New functions ship with the managed secrets\n(`PRIMITIVE_WEBHOOK_SECRET`, `PRIMITIVE_API_KEY`) already\nbound. Add user-set secrets via\n`POST /functions/{id}/secrets`; secret writes only land in the\nrunning handler on the next redeploy.\n",
+				"description": "Creates and deploys a new function. The handler must be a single\nESM module whose default export is an object with an async\n`fetch(request, env)` method (Workers-style). Primitive signs\neach delivery and forwards the `Primitive-Signature` header to\nthe handler. Verify the raw request body with\n`PRIMITIVE_WEBHOOK_SECRET` before parsing JSON; after verification\nthe request body parses to an `email.received` event (see\n`EmailReceivedEvent` and the Webhook payload section for the full\nschema). Code is bundled before being uploaded; ship a single\nself-contained file rather than relying on external imports.\n\n**Code limits.** `code` is capped at 1 MiB UTF-8. `sourceMap`\n(optional) is capped at 5 MiB UTF-8, stored with each deployment\nattempt, and sent to the runtime so stack traces can resolve to\noriginal source files.\n\n**Auto-wiring.** On successful deploy, Primitive automatically\ncreates a webhook endpoint that delivers inbound mail to the\nfunction. There is nothing to configure on the Endpoints API\nfor this to work; the internal runtime URL is not returned by\nthe API and is not a customer-facing integration surface.\n\n**Secrets.** New functions ship with the managed secrets\n(`PRIMITIVE_WEBHOOK_SECRET`, `PRIMITIVE_API_KEY`,\n`PRIMITIVE_API_BASE_URL`) already bound. Add user-set secrets via\n`POST /functions/{id}/secrets`; secret writes only land in the\nrunning handler on the next redeploy.\n",
 				"tags": ["Functions"],
 				"requestBody": {
 					"required": true,
@@ -3359,7 +3514,7 @@ const openapiDocument = {
 			"get": {
 				"operationId": "listFunctionSecrets",
 				"summary": "List a function's secrets",
-				"description": "Returns metadata for every secret bound to the function, with\nmanaged entries (provisioned by Primitive) listed first and\nuser-set entries listed alphabetically after. **Values are\nnever returned.** Secret writes are write-only.\n\nManaged entries (e.g. `PRIMITIVE_WEBHOOK_SECRET`,\n`PRIMITIVE_API_KEY`) carry a `description` instead of\n`created_at` / `updated_at`. They cannot be created, updated,\nor deleted via this API.\n",
+				"description": "Returns metadata for every secret bound to the function, with\nmanaged entries (provisioned by Primitive) listed first and\nuser-set entries listed alphabetically after. **Values are\nnever returned.** Secret writes are write-only.\n\nManaged entries (e.g. `PRIMITIVE_WEBHOOK_SECRET`,\n`PRIMITIVE_API_KEY`, `PRIMITIVE_API_BASE_URL`) carry a\n`description` instead of `created_at` / `updated_at`. They\ncannot be created, updated, or deleted via this API.\n",
 				"tags": ["Functions"],
 				"responses": {
 					"200": {
@@ -3780,7 +3935,14 @@ const openapiDocument = {
 									"slow_down",
 									"access_denied",
 									"expired_token",
-									"invalid_device_code"
+									"invalid_device_code",
+									"invalid_signup_code",
+									"invalid_signup_token",
+									"invalid_verification_code",
+									"email_delivery_failed",
+									"clerk_signup_failed",
+									"no_orgs_for_user",
+									"org_not_accessible"
 								]
 							},
 							"message": { "type": "string" },
@@ -3964,13 +4126,42 @@ const openapiDocument = {
 				"properties": {
 					"api_key": {
 						"type": "string",
-						"description": "Newly-created API key for CLI authentication"
+						"description": "Legacy alias for access_token. New CLI builds should persist access_token and refresh_token."
 					},
 					"key_id": {
+						"type": "string",
+						"format": "uuid",
+						"description": "Legacy alias for oauth_grant_id"
+					},
+					"key_prefix": {
+						"type": "string",
+						"description": "Legacy display prefix derived from access_token"
+					},
+					"access_token": {
+						"type": "string",
+						"description": "OAuth access token for CLI API authentication"
+					},
+					"refresh_token": {
+						"type": "string",
+						"description": "OAuth refresh token used by the CLI to renew access"
+					},
+					"token_type": {
+						"type": "string",
+						"enum": ["Bearer"]
+					},
+					"expires_in": {
+						"type": "integer",
+						"description": "Seconds until access_token expires"
+					},
+					"auth_method": {
+						"type": "string",
+						"enum": ["oauth"]
+					},
+					"oauth_grant_id": {
 						"type": "string",
 						"format": "uuid"
 					},
-					"key_prefix": { "type": "string" },
+					"oauth_client_id": { "type": "string" },
 					"org_id": {
 						"type": "string",
 						"format": "uuid"
@@ -3981,6 +4172,13 @@ const openapiDocument = {
 					"api_key",
 					"key_id",
 					"key_prefix",
+					"access_token",
+					"refresh_token",
+					"token_type",
+					"expires_in",
+					"auth_method",
+					"oauth_grant_id",
+					"oauth_client_id",
 					"org_id",
 					"org_name"
 				]
@@ -4008,7 +4206,7 @@ const openapiDocument = {
 						"type": "string",
 						"minLength": 1,
 						"maxLength": 80,
-						"description": "Human-readable device name used for the created CLI API key"
+						"description": "Human-readable device name used for the created CLI OAuth grant"
 					},
 					"metadata": {
 						"type": "object",
@@ -4109,24 +4307,49 @@ const openapiDocument = {
 						"maxLength": 1024
 					}
 				},
-				"required": [
-					"signup_token",
-					"verification_code",
-					"password"
-				]
+				"required": ["signup_token", "verification_code"]
 			},
 			"CliSignupVerifyResult": {
 				"type": "object",
 				"properties": {
 					"api_key": {
 						"type": "string",
-						"description": "Newly-created API key for CLI authentication"
+						"description": "Legacy alias for access_token. New CLI builds should persist access_token and refresh_token."
 					},
 					"key_id": {
+						"type": "string",
+						"format": "uuid",
+						"description": "Legacy alias for oauth_grant_id"
+					},
+					"key_prefix": {
+						"type": "string",
+						"description": "Legacy display prefix derived from access_token"
+					},
+					"access_token": {
+						"type": "string",
+						"description": "OAuth access token for CLI API authentication"
+					},
+					"refresh_token": {
+						"type": "string",
+						"description": "OAuth refresh token used by the CLI to renew access"
+					},
+					"token_type": {
+						"type": "string",
+						"enum": ["Bearer"]
+					},
+					"expires_in": {
+						"type": "integer",
+						"description": "Seconds until access_token expires"
+					},
+					"auth_method": {
+						"type": "string",
+						"enum": ["oauth"]
+					},
+					"oauth_grant_id": {
 						"type": "string",
 						"format": "uuid"
 					},
-					"key_prefix": { "type": "string" },
+					"oauth_client_id": { "type": "string" },
 					"org_id": {
 						"type": "string",
 						"format": "uuid"
@@ -4137,93 +4360,311 @@ const openapiDocument = {
 					"api_key",
 					"key_id",
 					"key_prefix",
+					"access_token",
+					"refresh_token",
+					"token_type",
+					"expires_in",
+					"auth_method",
+					"oauth_grant_id",
+					"oauth_client_id",
 					"org_id",
 					"org_name"
 				]
 			},
-			"CliLogoutInput": {
+			"StartAgentSignupInput": {
 				"type": "object",
 				"additionalProperties": false,
-				"properties": { "key_id": {
-					"type": "string",
-					"format": "uuid",
-					"description": "Optional key id guard; when provided it must match the authenticated API key"
-				} }
-			},
-			"CliLogoutResult": {
-				"type": "object",
 				"properties": {
-					"revoked": {
+					"email": {
+						"type": "string",
+						"format": "email",
+						"maxLength": 254
+					},
+					"signup_code": {
+						"type": "string",
+						"minLength": 1,
+						"maxLength": 128
+					},
+					"terms_accepted": {
 						"type": "boolean",
-						"const": true
+						"const": true,
+						"description": "Must be true to confirm acceptance of Primitive's Terms of Service and Privacy Policy"
 					},
-					"key_id": {
+					"device_name": {
 						"type": "string",
-						"format": "uuid"
+						"minLength": 1,
+						"maxLength": 80,
+						"description": "Human-readable device name used for the created agent OAuth session"
+					},
+					"metadata": {
+						"type": "object",
+						"additionalProperties": true,
+						"description": "Optional client metadata stored with the signup session; serialized JSON must be 2048 bytes or fewer"
 					}
 				},
-				"required": ["revoked", "key_id"]
+				"required": [
+					"email",
+					"signup_code",
+					"terms_accepted"
+				]
 			},
-			"Account": {
+			"AgentSignupStartResult": {
 				"type": "object",
 				"properties": {
-					"id": {
+					"signup_token": {
 						"type": "string",
-						"format": "uuid"
+						"description": "Opaque token used to verify or resend the pending agent signup"
 					},
-					"email": { "type": "string" },
-					"plan": { "type": "string" },
-					"created_at": {
+					"email": {
 						"type": "string",
-						"format": "date-time"
+						"format": "email"
 					},
-					"onboarding_completed": { "type": "boolean" },
-					"onboarding_step": { "type": ["string", "null"] },
-					"stripe_subscription_status": { "type": ["string", "null"] },
-					"subscription_current_period_end": {
-						"type": ["string", "null"],
-						"format": "date-time"
+					"expires_in": {
+						"type": "integer",
+						"description": "Seconds until the pending signup expires"
 					},
-					"subscription_cancel_at_period_end": { "type": ["boolean", "null"] },
-					"spam_threshold": {
-						"type": ["number", "null"],
-						"minimum": 0,
-						"maximum": 15
+					"resend_after": {
+						"type": "integer",
+						"description": "Minimum seconds before requesting another verification email"
 					},
-					"discard_content_on_webhook_confirmed": { "type": "boolean" },
-					"webhook_secret_rotated_at": {
-						"type": ["string", "null"],
-						"format": "date-time"
+					"verification_code_length": {
+						"type": "integer",
+						"description": "Number of digits in the emailed verification code"
 					}
 				},
 				"required": [
-					"id",
+					"signup_token",
 					"email",
-					"plan",
-					"created_at",
-					"discard_content_on_webhook_confirmed"
+					"expires_in",
+					"resend_after",
+					"verification_code_length"
 				]
 			},
-			"AccountUpdated": {
+			"ResendAgentSignupVerificationInput": {
+				"type": "object",
+				"additionalProperties": false,
+				"properties": { "signup_token": {
+					"type": "string",
+					"minLength": 1
+				} },
+				"required": ["signup_token"]
+			},
+			"AgentSignupResendResult": {
 				"type": "object",
 				"properties": {
-					"id": {
+					"email": {
 						"type": "string",
-						"format": "uuid"
+						"format": "email"
 					},
-					"email": { "type": "string" },
-					"plan": { "type": "string" },
-					"spam_threshold": {
-						"type": ["number", "null"],
-						"minimum": 0,
-						"maximum": 15
+					"expires_in": {
+						"type": "integer",
+						"description": "Seconds until the pending signup expires"
 					},
-					"discard_content_on_webhook_confirmed": { "type": "boolean" }
+					"resend_after": {
+						"type": "integer",
+						"description": "Minimum seconds before requesting another verification email"
+					},
+					"verification_code_length": {
+						"type": "integer",
+						"description": "Number of digits in the emailed verification code"
+					}
 				},
 				"required": [
-					"id",
 					"email",
-					"plan",
+					"expires_in",
+					"resend_after",
+					"verification_code_length"
+				]
+			},
+			"VerifyAgentSignupInput": {
+				"type": "object",
+				"additionalProperties": false,
+				"properties": {
+					"signup_token": {
+						"type": "string",
+						"minLength": 1
+					},
+					"verification_code": {
+						"type": "string",
+						"minLength": 1,
+						"maxLength": 32
+					},
+					"org_id": {
+						"type": "string",
+						"format": "uuid",
+						"description": "Optional workspace id to target when the verified email already belongs to multiple workspaces"
+					}
+				},
+				"required": ["signup_token", "verification_code"]
+			},
+			"AgentOrgRef": {
+				"type": "object",
+				"properties": {
+					"id": {
+						"type": "string",
+						"format": "uuid"
+					},
+					"name": { "type": ["string", "null"] }
+				},
+				"required": ["id", "name"]
+			},
+			"AgentSignupVerifyResult": {
+				"type": "object",
+				"properties": {
+					"api_key": {
+						"type": "string",
+						"description": "Legacy alias for access_token. New CLI builds should persist access_token and refresh_token."
+					},
+					"key_id": {
+						"type": "string",
+						"format": "uuid",
+						"description": "Legacy alias for oauth_grant_id"
+					},
+					"key_prefix": {
+						"type": "string",
+						"description": "Legacy display prefix derived from access_token"
+					},
+					"access_token": {
+						"type": "string",
+						"description": "OAuth access token for CLI API authentication"
+					},
+					"refresh_token": {
+						"type": "string",
+						"description": "OAuth refresh token used by the CLI to renew access"
+					},
+					"token_type": {
+						"type": "string",
+						"enum": ["Bearer"]
+					},
+					"expires_in": {
+						"type": "integer",
+						"description": "Seconds until access_token expires"
+					},
+					"auth_method": {
+						"type": "string",
+						"enum": ["oauth"]
+					},
+					"oauth_grant_id": {
+						"type": "string",
+						"format": "uuid"
+					},
+					"oauth_client_id": { "type": "string" },
+					"org_id": {
+						"type": "string",
+						"format": "uuid"
+					},
+					"org_name": { "type": ["string", "null"] },
+					"orgs": {
+						"type": "array",
+						"items": { "$ref": "#/components/schemas/AgentOrgRef" },
+						"description": "Workspaces available to the verified email. The minted session targets `org_id`."
+					}
+				},
+				"required": [
+					"api_key",
+					"key_id",
+					"key_prefix",
+					"access_token",
+					"refresh_token",
+					"token_type",
+					"expires_in",
+					"auth_method",
+					"oauth_grant_id",
+					"oauth_client_id",
+					"org_id",
+					"org_name",
+					"orgs"
+				]
+			},
+			"CliLogoutInput": {
+				"type": "object",
+				"additionalProperties": false,
+				"properties": { "key_id": {
+					"type": "string",
+					"format": "uuid",
+					"description": "Optional id guard; when provided it must match the authenticated OAuth grant id or API key id"
+				} }
+			},
+			"CliLogoutResult": {
+				"type": "object",
+				"properties": {
+					"revoked": {
+						"type": "boolean",
+						"description": "True when an OAuth grant was revoked. False for API-key-authenticated legacy logout, which only clears local CLI state."
+					},
+					"key_id": {
+						"type": "string",
+						"format": "uuid",
+						"description": "API key id for API-key-authenticated legacy logout"
+					},
+					"oauth_grant_id": {
+						"type": "string",
+						"format": "uuid",
+						"description": "OAuth grant id revoked by OAuth-authenticated logout"
+					}
+				},
+				"required": ["revoked"]
+			},
+			"Account": {
+				"type": "object",
+				"properties": {
+					"id": {
+						"type": "string",
+						"format": "uuid"
+					},
+					"email": { "type": "string" },
+					"plan": { "type": "string" },
+					"created_at": {
+						"type": "string",
+						"format": "date-time"
+					},
+					"onboarding_completed": { "type": "boolean" },
+					"onboarding_step": { "type": ["string", "null"] },
+					"stripe_subscription_status": { "type": ["string", "null"] },
+					"subscription_current_period_end": {
+						"type": ["string", "null"],
+						"format": "date-time"
+					},
+					"subscription_cancel_at_period_end": { "type": ["boolean", "null"] },
+					"spam_threshold": {
+						"type": ["number", "null"],
+						"minimum": 0,
+						"maximum": 15
+					},
+					"discard_content_on_webhook_confirmed": { "type": "boolean" },
+					"webhook_secret_rotated_at": {
+						"type": ["string", "null"],
+						"format": "date-time"
+					}
+				},
+				"required": [
+					"id",
+					"email",
+					"plan",
+					"created_at",
+					"discard_content_on_webhook_confirmed"
+				]
+			},
+			"AccountUpdated": {
+				"type": "object",
+				"properties": {
+					"id": {
+						"type": "string",
+						"format": "uuid"
+					},
+					"email": { "type": "string" },
+					"plan": { "type": "string" },
+					"spam_threshold": {
+						"type": ["number", "null"],
+						"minimum": 0,
+						"maximum": 15
+					},
+					"discard_content_on_webhook_confirmed": { "type": "boolean" }
+				},
+				"required": [
+					"id",
+					"email",
+					"plan",
 					"discard_content_on_webhook_confirmed"
 				]
 			},
@@ -5525,11 +5966,6 @@ const openapiDocument = {
 						"format": "date-time",
 						"description": "Timestamp of the most recent successful deploy. Null until the first deploy succeeds."
 					},
-					"gateway_url": {
-						"type": "string",
-						"format": "uri",
-						"description": "URL the platform's webhook delivery loop posts to in order\nto invoke the function. Reference only; not directly\ncallable from outside.\n"
-					},
 					"created_at": {
 						"type": "string",
 						"format": "date-time"
@@ -5543,7 +5979,6 @@ const openapiDocument = {
 					"id",
 					"name",
 					"deploy_status",
-					"gateway_url",
 					"created_at",
 					"updated_at"
 				]
@@ -5570,10 +6005,6 @@ const openapiDocument = {
 						"type": ["string", "null"],
 						"format": "date-time"
 					},
-					"gateway_url": {
-						"type": "string",
-						"format": "uri"
-					},
 					"created_at": {
 						"type": "string",
 						"format": "date-time"
@@ -5588,7 +6019,6 @@ const openapiDocument = {
 					"name",
 					"code",
 					"deploy_status",
-					"gateway_url",
 					"created_at",
 					"updated_at"
 				]
@@ -5626,17 +6056,12 @@ const openapiDocument = {
 						"format": "uuid"
 					},
 					"name": { "type": "string" },
-					"deploy_status": { "$ref": "#/components/schemas/FunctionDeployStatus" },
-					"gateway_url": {
-						"type": "string",
-						"format": "uri"
-					}
+					"deploy_status": { "$ref": "#/components/schemas/FunctionDeployStatus" }
 				},
 				"required": [
 					"id",
 					"name",
-					"deploy_status",
-					"gateway_url"
+					"deploy_status"
 				]
 			},
 			"UpdateFunctionInput": {
@@ -6112,7 +6537,7 @@ const openapiDocument = {
 					"key": {
 						"type": "string",
 						"pattern": "^[A-Z_][A-Z0-9_]*$",
-						"description": "Uppercase letters, digits, and underscores. Must start with\na letter or underscore. System-managed keys (e.g.\nPRIMITIVE_WEBHOOK_SECRET) are reserved.\n"
+						"description": "Uppercase letters, digits, and underscores. Must start with\na letter or underscore. System-managed keys (e.g.\nPRIMITIVE_WEBHOOK_SECRET, PRIMITIVE_API_KEY, and\nPRIMITIVE_API_BASE_URL) are reserved.\n"
 					},
 					"value": {
 						"type": "string",
@@ -6382,105 +6807,15 @@ const operationManifest = [
 		"tag": "Account",
 		"tagCommand": "account"
 	},
-	{
-		"binaryResponse": false,
-		"bodyRequired": false,
-		"command": "cli-logout",
-		"description": "Revokes the API key used to authenticate the request. CLI clients use\nthis endpoint during `primitive logout` before removing local credentials.\n",
-		"hasJsonBody": true,
-		"method": "POST",
-		"operationId": "cliLogout",
-		"path": "/cli/logout",
-		"pathParams": [],
-		"queryParams": [],
-		"requestSchema": {
-			"type": "object",
-			"additionalProperties": false,
-			"properties": { "key_id": {
-				"type": "string",
-				"format": "uuid",
-				"description": "Optional key id guard; when provided it must match the authenticated API key"
-			} }
-		},
-		"responseSchema": {
-			"type": "object",
-			"properties": {
-				"revoked": {
-					"type": "boolean",
-					"const": true
-				},
-				"key_id": {
-					"type": "string",
-					"format": "uuid"
-				}
-			},
-			"required": ["revoked", "key_id"]
-		},
-		"sdkName": "cliLogout",
-		"summary": "Revoke the current CLI API key",
-		"tag": "CLI",
-		"tagCommand": "cli"
-	},
-	{
-		"binaryResponse": false,
-		"bodyRequired": true,
-		"command": "poll-cli-login",
-		"description": "Polls a CLI login session until the browser approval either succeeds,\nis denied, expires, or is polled too quickly. The API key is generated\nonly after approval and is returned exactly once.\n",
-		"hasJsonBody": true,
-		"method": "POST",
-		"operationId": "pollCliLogin",
-		"path": "/cli/login/poll",
-		"pathParams": [],
-		"queryParams": [],
-		"requestSchema": {
-			"type": "object",
-			"additionalProperties": false,
-			"properties": { "device_code": {
-				"type": "string",
-				"minLength": 1
-			} },
-			"required": ["device_code"]
-		},
-		"responseSchema": {
-			"type": "object",
-			"properties": {
-				"api_key": {
-					"type": "string",
-					"description": "Newly-created API key for CLI authentication"
-				},
-				"key_id": {
-					"type": "string",
-					"format": "uuid"
-				},
-				"key_prefix": { "type": "string" },
-				"org_id": {
-					"type": "string",
-					"format": "uuid"
-				},
-				"org_name": { "type": ["string", "null"] }
-			},
-			"required": [
-				"api_key",
-				"key_id",
-				"key_prefix",
-				"org_id",
-				"org_name"
-			]
-		},
-		"sdkName": "pollCliLogin",
-		"summary": "Poll CLI browser login",
-		"tag": "CLI",
-		"tagCommand": "cli"
-	},
 	{
 		"binaryResponse": false,
 		"bodyRequired": true,
-		"command": "resend-cli-signup-verification",
-		"description": "Sends a new email verification code for a pending CLI signup session.\nThis endpoint does not require an API key.\n",
+		"command": "resend-agent-signup-verification",
+		"description": "Sends a new email verification code for a pending agent signup session.\nThis endpoint does not require an API key.\n",
 		"hasJsonBody": true,
 		"method": "POST",
-		"operationId": "resendCliSignupVerification",
-		"path": "/cli/signup/resend",
+		"operationId": "resendAgentSignupVerification",
+		"path": "/agent/signup/resend",
 		"pathParams": [],
 		"queryParams": [],
 		"requestSchema": {
@@ -6519,10 +6854,394 @@ const operationManifest = [
 				"verification_code_length"
 			]
 		},
-		"sdkName": "resendCliSignupVerification",
-		"summary": "Resend CLI signup verification code",
-		"tag": "CLI",
-		"tagCommand": "cli"
+		"sdkName": "resendAgentSignupVerification",
+		"summary": "Resend agent signup verification code",
+		"tag": "Agent",
+		"tagCommand": "agent"
+	},
+	{
+		"binaryResponse": false,
+		"bodyRequired": true,
+		"command": "start-agent-signup",
+		"description": "Starts an agent-native signup session. The API validates the signup code,\ncreates a pending signup session, sends an email verification code, and\nreturns an opaque signup token used by the resend and verify steps. This\nendpoint does not require an API key.\n",
+		"hasJsonBody": true,
+		"method": "POST",
+		"operationId": "startAgentSignup",
+		"path": "/agent/signup/start",
+		"pathParams": [],
+		"queryParams": [],
+		"requestSchema": {
+			"type": "object",
+			"additionalProperties": false,
+			"properties": {
+				"email": {
+					"type": "string",
+					"format": "email",
+					"maxLength": 254
+				},
+				"signup_code": {
+					"type": "string",
+					"minLength": 1,
+					"maxLength": 128
+				},
+				"terms_accepted": {
+					"type": "boolean",
+					"const": true,
+					"description": "Must be true to confirm acceptance of Primitive's Terms of Service and Privacy Policy"
+				},
+				"device_name": {
+					"type": "string",
+					"minLength": 1,
+					"maxLength": 80,
+					"description": "Human-readable device name used for the created agent OAuth session"
+				},
+				"metadata": {
+					"type": "object",
+					"additionalProperties": true,
+					"description": "Optional client metadata stored with the signup session; serialized JSON must be 2048 bytes or fewer"
+				}
+			},
+			"required": [
+				"email",
+				"signup_code",
+				"terms_accepted"
+			]
+		},
+		"responseSchema": {
+			"type": "object",
+			"properties": {
+				"signup_token": {
+					"type": "string",
+					"description": "Opaque token used to verify or resend the pending agent signup"
+				},
+				"email": {
+					"type": "string",
+					"format": "email"
+				},
+				"expires_in": {
+					"type": "integer",
+					"description": "Seconds until the pending signup expires"
+				},
+				"resend_after": {
+					"type": "integer",
+					"description": "Minimum seconds before requesting another verification email"
+				},
+				"verification_code_length": {
+					"type": "integer",
+					"description": "Number of digits in the emailed verification code"
+				}
+			},
+			"required": [
+				"signup_token",
+				"email",
+				"expires_in",
+				"resend_after",
+				"verification_code_length"
+			]
+		},
+		"sdkName": "startAgentSignup",
+		"summary": "Start agent account signup",
+		"tag": "Agent",
+		"tagCommand": "agent"
+	},
+	{
+		"binaryResponse": false,
+		"bodyRequired": true,
+		"command": "verify-agent-signup",
+		"description": "Verifies the email code for an agent signup session, creates the account\nwhen needed, redeems the reserved signup code, mints an org-scoped OAuth\nsession for CLI authentication, and returns the raw tokens exactly once.\nFor existing users, the optional `org_id` selects which accessible\nworkspace should receive the new session.\n",
+		"hasJsonBody": true,
+		"method": "POST",
+		"operationId": "verifyAgentSignup",
+		"path": "/agent/signup/verify",
+		"pathParams": [],
+		"queryParams": [],
+		"requestSchema": {
+			"type": "object",
+			"additionalProperties": false,
+			"properties": {
+				"signup_token": {
+					"type": "string",
+					"minLength": 1
+				},
+				"verification_code": {
+					"type": "string",
+					"minLength": 1,
+					"maxLength": 32
+				},
+				"org_id": {
+					"type": "string",
+					"format": "uuid",
+					"description": "Optional workspace id to target when the verified email already belongs to multiple workspaces"
+				}
+			},
+			"required": ["signup_token", "verification_code"]
+		},
+		"responseSchema": {
+			"type": "object",
+			"properties": {
+				"api_key": {
+					"type": "string",
+					"description": "Legacy alias for access_token. New CLI builds should persist access_token and refresh_token."
+				},
+				"key_id": {
+					"type": "string",
+					"format": "uuid",
+					"description": "Legacy alias for oauth_grant_id"
+				},
+				"key_prefix": {
+					"type": "string",
+					"description": "Legacy display prefix derived from access_token"
+				},
+				"access_token": {
+					"type": "string",
+					"description": "OAuth access token for CLI API authentication"
+				},
+				"refresh_token": {
+					"type": "string",
+					"description": "OAuth refresh token used by the CLI to renew access"
+				},
+				"token_type": {
+					"type": "string",
+					"enum": ["Bearer"]
+				},
+				"expires_in": {
+					"type": "integer",
+					"description": "Seconds until access_token expires"
+				},
+				"auth_method": {
+					"type": "string",
+					"enum": ["oauth"]
+				},
+				"oauth_grant_id": {
+					"type": "string",
+					"format": "uuid"
+				},
+				"oauth_client_id": { "type": "string" },
+				"org_id": {
+					"type": "string",
+					"format": "uuid"
+				},
+				"org_name": { "type": ["string", "null"] },
+				"orgs": {
+					"type": "array",
+					"items": {
+						"type": "object",
+						"properties": {
+							"id": {
+								"type": "string",
+								"format": "uuid"
+							},
+							"name": { "type": ["string", "null"] }
+						},
+						"required": ["id", "name"]
+					},
+					"description": "Workspaces available to the verified email. The minted session targets `org_id`."
+				}
+			},
+			"required": [
+				"api_key",
+				"key_id",
+				"key_prefix",
+				"access_token",
+				"refresh_token",
+				"token_type",
+				"expires_in",
+				"auth_method",
+				"oauth_grant_id",
+				"oauth_client_id",
+				"org_id",
+				"org_name",
+				"orgs"
+			]
+		},
+		"sdkName": "verifyAgentSignup",
+		"summary": "Verify agent signup and create OAuth tokens",
+		"tag": "Agent",
+		"tagCommand": "agent"
+	},
+	{
+		"binaryResponse": false,
+		"bodyRequired": false,
+		"command": "cli-logout",
+		"description": "Revokes the OAuth grant used to authenticate the request. API-key\nauthenticated legacy logout requests succeed without deleting server API\nkeys so old local CLI state can be cleared safely.\n",
+		"hasJsonBody": true,
+		"method": "POST",
+		"operationId": "cliLogout",
+		"path": "/cli/logout",
+		"pathParams": [],
+		"queryParams": [],
+		"requestSchema": {
+			"type": "object",
+			"additionalProperties": false,
+			"properties": { "key_id": {
+				"type": "string",
+				"format": "uuid",
+				"description": "Optional id guard; when provided it must match the authenticated OAuth grant id or API key id"
+			} }
+		},
+		"responseSchema": {
+			"type": "object",
+			"properties": {
+				"revoked": {
+					"type": "boolean",
+					"description": "True when an OAuth grant was revoked. False for API-key-authenticated legacy logout, which only clears local CLI state."
+				},
+				"key_id": {
+					"type": "string",
+					"format": "uuid",
+					"description": "API key id for API-key-authenticated legacy logout"
+				},
+				"oauth_grant_id": {
+					"type": "string",
+					"format": "uuid",
+					"description": "OAuth grant id revoked by OAuth-authenticated logout"
+				}
+			},
+			"required": ["revoked"]
+		},
+		"sdkName": "cliLogout",
+		"summary": "Revoke the current CLI OAuth session",
+		"tag": "CLI",
+		"tagCommand": "cli"
+	},
+	{
+		"binaryResponse": false,
+		"bodyRequired": true,
+		"command": "poll-cli-login",
+		"description": "Polls a CLI login session until the browser approval either succeeds,\nis denied, expires, or is polled too quickly. The OAuth token set is\ncreated only after approval and is returned exactly once.\n",
+		"hasJsonBody": true,
+		"method": "POST",
+		"operationId": "pollCliLogin",
+		"path": "/cli/login/poll",
+		"pathParams": [],
+		"queryParams": [],
+		"requestSchema": {
+			"type": "object",
+			"additionalProperties": false,
+			"properties": { "device_code": {
+				"type": "string",
+				"minLength": 1
+			} },
+			"required": ["device_code"]
+		},
+		"responseSchema": {
+			"type": "object",
+			"properties": {
+				"api_key": {
+					"type": "string",
+					"description": "Legacy alias for access_token. New CLI builds should persist access_token and refresh_token."
+				},
+				"key_id": {
+					"type": "string",
+					"format": "uuid",
+					"description": "Legacy alias for oauth_grant_id"
+				},
+				"key_prefix": {
+					"type": "string",
+					"description": "Legacy display prefix derived from access_token"
+				},
+				"access_token": {
+					"type": "string",
+					"description": "OAuth access token for CLI API authentication"
+				},
+				"refresh_token": {
+					"type": "string",
+					"description": "OAuth refresh token used by the CLI to renew access"
+				},
+				"token_type": {
+					"type": "string",
+					"enum": ["Bearer"]
+				},
+				"expires_in": {
+					"type": "integer",
+					"description": "Seconds until access_token expires"
+				},
+				"auth_method": {
+					"type": "string",
+					"enum": ["oauth"]
+				},
+				"oauth_grant_id": {
+					"type": "string",
+					"format": "uuid"
+				},
+				"oauth_client_id": { "type": "string" },
+				"org_id": {
+					"type": "string",
+					"format": "uuid"
+				},
+				"org_name": { "type": ["string", "null"] }
+			},
+			"required": [
+				"api_key",
+				"key_id",
+				"key_prefix",
+				"access_token",
+				"refresh_token",
+				"token_type",
+				"expires_in",
+				"auth_method",
+				"oauth_grant_id",
+				"oauth_client_id",
+				"org_id",
+				"org_name"
+			]
+		},
+		"sdkName": "pollCliLogin",
+		"summary": "Poll CLI browser login",
+		"tag": "CLI",
+		"tagCommand": "cli"
+	},
+	{
+		"binaryResponse": false,
+		"bodyRequired": true,
+		"command": "resend-cli-signup-verification",
+		"description": "Sends a new email verification code for a pending CLI signup session.\nThis endpoint does not require an API key.\n",
+		"hasJsonBody": true,
+		"method": "POST",
+		"operationId": "resendCliSignupVerification",
+		"path": "/cli/signup/resend",
+		"pathParams": [],
+		"queryParams": [],
+		"requestSchema": {
+			"type": "object",
+			"additionalProperties": false,
+			"properties": { "signup_token": {
+				"type": "string",
+				"minLength": 1
+			} },
+			"required": ["signup_token"]
+		},
+		"responseSchema": {
+			"type": "object",
+			"properties": {
+				"email": {
+					"type": "string",
+					"format": "email"
+				},
+				"expires_in": {
+					"type": "integer",
+					"description": "Seconds until the pending signup expires"
+				},
+				"resend_after": {
+					"type": "integer",
+					"description": "Minimum seconds before requesting another verification email"
+				},
+				"verification_code_length": {
+					"type": "integer",
+					"description": "Number of digits in the emailed verification code"
+				}
+			},
+			"required": [
+				"email",
+				"expires_in",
+				"resend_after",
+				"verification_code_length"
+			]
+		},
+		"sdkName": "resendCliSignupVerification",
+		"summary": "Resend CLI signup verification code",
+		"tag": "CLI",
+		"tagCommand": "cli"
 	},
 	{
 		"binaryResponse": false,
@@ -6629,7 +7348,7 @@ const operationManifest = [
 					"type": "string",
 					"minLength": 1,
 					"maxLength": 80,
-					"description": "Human-readable device name used for the created CLI API key"
+					"description": "Human-readable device name used for the created CLI OAuth grant"
 				},
 				"metadata": {
 					"type": "object",
@@ -6684,7 +7403,7 @@ const operationManifest = [
 		"binaryResponse": false,
 		"bodyRequired": true,
 		"command": "verify-cli-signup",
-		"description": "Verifies the email code for a CLI signup session, creates the account,\nredeems the reserved signup code, mints an org-scoped CLI API key, and\nreturns the raw key exactly once. This endpoint does not require an API key.\n",
+		"description": "Verifies the email code for a CLI signup session, creates the account,\nredeems the reserved signup code, creates an org-scoped OAuth CLI\nsession, and returns the token set exactly once. This endpoint does not\nrequire an API key.\n",
 		"hasJsonBody": true,
 		"method": "POST",
 		"operationId": "verifyCliSignup",
@@ -6710,24 +7429,49 @@ const operationManifest = [
 					"maxLength": 1024
 				}
 			},
-			"required": [
-				"signup_token",
-				"verification_code",
-				"password"
-			]
+			"required": ["signup_token", "verification_code"]
 		},
 		"responseSchema": {
 			"type": "object",
 			"properties": {
 				"api_key": {
 					"type": "string",
-					"description": "Newly-created API key for CLI authentication"
+					"description": "Legacy alias for access_token. New CLI builds should persist access_token and refresh_token."
 				},
 				"key_id": {
+					"type": "string",
+					"format": "uuid",
+					"description": "Legacy alias for oauth_grant_id"
+				},
+				"key_prefix": {
+					"type": "string",
+					"description": "Legacy display prefix derived from access_token"
+				},
+				"access_token": {
+					"type": "string",
+					"description": "OAuth access token for CLI API authentication"
+				},
+				"refresh_token": {
+					"type": "string",
+					"description": "OAuth refresh token used by the CLI to renew access"
+				},
+				"token_type": {
+					"type": "string",
+					"enum": ["Bearer"]
+				},
+				"expires_in": {
+					"type": "integer",
+					"description": "Seconds until access_token expires"
+				},
+				"auth_method": {
+					"type": "string",
+					"enum": ["oauth"]
+				},
+				"oauth_grant_id": {
 					"type": "string",
 					"format": "uuid"
 				},
-				"key_prefix": { "type": "string" },
+				"oauth_client_id": { "type": "string" },
 				"org_id": {
 					"type": "string",
 					"format": "uuid"
@@ -6738,12 +7482,19 @@ const operationManifest = [
 				"api_key",
 				"key_id",
 				"key_prefix",
+				"access_token",
+				"refresh_token",
+				"token_type",
+				"expires_in",
+				"auth_method",
+				"oauth_grant_id",
+				"oauth_client_id",
 				"org_id",
 				"org_name"
 			]
 		},
 		"sdkName": "verifyCliSignup",
-		"summary": "Verify CLI signup and create API key",
+		"summary": "Verify CLI signup and create OAuth session",
 		"tag": "CLI",
 		"tagCommand": "cli"
 	},
@@ -8437,7 +9188,7 @@ const operationManifest = [
 		"binaryResponse": false,
 		"bodyRequired": true,
 		"command": "create-function",
-		"description": "Creates and deploys a new function. The handler must be a single\nESM module whose default export is an object with an async\n`fetch(request, env)` method (Workers-style). The gateway\nHMAC-verifies the POST against the org's webhook secret before\ninvoking the handler; the request body parses to an\n`email.received` event (see `EmailReceivedEvent` and the\nWebhook payload section for the full schema). Code is bundled\nbefore being uploaded; ship a single self-contained file rather\nthan relying on external imports.\n\n**Code limits.** `code` is capped at 1 MiB UTF-8. `sourceMap`\n(optional) is capped at 5 MiB UTF-8, stored with each deployment\nattempt, and sent to the runtime so stack traces can resolve to\noriginal source files.\n\n**Auto-wiring.** On successful deploy, Primitive automatically\ncreates a webhook endpoint that delivers inbound mail to the\nfunction. There is nothing to configure on the Endpoints API\nfor this to work; the gateway URL returned here is for\nreference only and is not directly callable from outside.\n\n**Secrets.** New functions ship with the managed secrets\n(`PRIMITIVE_WEBHOOK_SECRET`, `PRIMITIVE_API_KEY`) already\nbound. Add user-set secrets via\n`POST /functions/{id}/secrets`; secret writes only land in the\nrunning handler on the next redeploy.\n",
+		"description": "Creates and deploys a new function. The handler must be a single\nESM module whose default export is an object with an async\n`fetch(request, env)` method (Workers-style). Primitive signs\neach delivery and forwards the `Primitive-Signature` header to\nthe handler. Verify the raw request body with\n`PRIMITIVE_WEBHOOK_SECRET` before parsing JSON; after verification\nthe request body parses to an `email.received` event (see\n`EmailReceivedEvent` and the Webhook payload section for the full\nschema). Code is bundled before being uploaded; ship a single\nself-contained file rather than relying on external imports.\n\n**Code limits.** `code` is capped at 1 MiB UTF-8. `sourceMap`\n(optional) is capped at 5 MiB UTF-8, stored with each deployment\nattempt, and sent to the runtime so stack traces can resolve to\noriginal source files.\n\n**Auto-wiring.** On successful deploy, Primitive automatically\ncreates a webhook endpoint that delivers inbound mail to the\nfunction. There is nothing to configure on the Endpoints API\nfor this to work; the internal runtime URL is not returned by\nthe API and is not a customer-facing integration surface.\n\n**Secrets.** New functions ship with the managed secrets\n(`PRIMITIVE_WEBHOOK_SECRET`, `PRIMITIVE_API_KEY`,\n`PRIMITIVE_API_BASE_URL`) already bound. Add user-set secrets via\n`POST /functions/{id}/secrets`; secret writes only land in the\nrunning handler on the next redeploy.\n",
 		"hasJsonBody": true,
 		"method": "POST",
 		"operationId": "createFunction",
@@ -8485,17 +9236,12 @@ const operationManifest = [
 						"failed"
 					],
 					"description": "Lifecycle state of the latest deploy attempt:\n  * `pending` — deploy in flight; the runtime has not yet\n    confirmed the new bundle is live.\n  * `deployed` — the running edge handler is the latest code.\n  * `failed` — the most recent deploy attempt failed; the\n    previously-live code (if any) is still running. The\n    `deploy_error` field carries the error message.\n"
-				},
-				"gateway_url": {
-					"type": "string",
-					"format": "uri"
 				}
 			},
 			"required": [
 				"id",
 				"name",
-				"deploy_status",
-				"gateway_url"
+				"deploy_status"
 			]
 		},
 		"sdkName": "createFunction",
@@ -8528,7 +9274,7 @@ const operationManifest = [
 				"key": {
 					"type": "string",
 					"pattern": "^[A-Z_][A-Z0-9_]*$",
-					"description": "Uppercase letters, digits, and underscores. Must start with\na letter or underscore. System-managed keys (e.g.\nPRIMITIVE_WEBHOOK_SECRET) are reserved.\n"
+					"description": "Uppercase letters, digits, and underscores. Must start with\na letter or underscore. System-managed keys (e.g.\nPRIMITIVE_WEBHOOK_SECRET, PRIMITIVE_API_KEY, and\nPRIMITIVE_API_BASE_URL) are reserved.\n"
 				},
 				"value": {
 					"type": "string",
@@ -8671,10 +9417,6 @@ const operationManifest = [
 					"type": ["string", "null"],
 					"format": "date-time"
 				},
-				"gateway_url": {
-					"type": "string",
-					"format": "uri"
-				},
 				"created_at": {
 					"type": "string",
 					"format": "date-time"
@@ -8689,7 +9431,6 @@ const operationManifest = [
 				"name",
 				"code",
 				"deploy_status",
-				"gateway_url",
 				"created_at",
 				"updated_at"
 			]
@@ -9235,7 +9976,7 @@ const operationManifest = [
 		"binaryResponse": false,
 		"bodyRequired": false,
 		"command": "list-function-secrets",
-		"description": "Returns metadata for every secret bound to the function, with\nmanaged entries (provisioned by Primitive) listed first and\nuser-set entries listed alphabetically after. **Values are\nnever returned.** Secret writes are write-only.\n\nManaged entries (e.g. `PRIMITIVE_WEBHOOK_SECRET`,\n`PRIMITIVE_API_KEY`) carry a `description` instead of\n`created_at` / `updated_at`. They cannot be created, updated,\nor deleted via this API.\n",
+		"description": "Returns metadata for every secret bound to the function, with\nmanaged entries (provisioned by Primitive) listed first and\nuser-set entries listed alphabetically after. **Values are\nnever returned.** Secret writes are write-only.\n\nManaged entries (e.g. `PRIMITIVE_WEBHOOK_SECRET`,\n`PRIMITIVE_API_KEY`, `PRIMITIVE_API_BASE_URL`) carry a\n`description` instead of `created_at` / `updated_at`. They\ncannot be created, updated, or deleted via this API.\n",
 		"hasJsonBody": false,
 		"method": "GET",
 		"operationId": "listFunctionSecrets",
@@ -9291,7 +10032,7 @@ const operationManifest = [
 		"binaryResponse": false,
 		"bodyRequired": false,
 		"command": "list-functions",
-		"description": "Returns every active (non-deleted) function in the org, newest\nfirst. Each entry carries the deploy status and the gateway URL\nthat the platform's webhook delivery loop posts to. To inspect\nthe source code or deploy errors, use `GET /functions/{id}`.\n",
+		"description": "Returns every active (non-deleted) function in the org, newest\nfirst. Each entry carries deploy status and timestamps. To\ninspect the source code or deploy errors, use `GET /functions/{id}`.\n",
 		"hasJsonBody": false,
 		"method": "GET",
 		"operationId": "listFunctions",
@@ -9328,11 +10069,6 @@ const operationManifest = [
 						"format": "date-time",
 						"description": "Timestamp of the most recent successful deploy. Null until the first deploy succeeds."
 					},
-					"gateway_url": {
-						"type": "string",
-						"format": "uri",
-						"description": "URL the platform's webhook delivery loop posts to in order\nto invoke the function. Reference only; not directly\ncallable from outside.\n"
-					},
 					"created_at": {
 						"type": "string",
 						"format": "date-time"
@@ -9346,7 +10082,6 @@ const operationManifest = [
 					"id",
 					"name",
 					"deploy_status",
-					"gateway_url",
 					"created_at",
 					"updated_at"
 				]
@@ -9575,10 +10310,6 @@ const operationManifest = [
 					"type": ["string", "null"],
 					"format": "date-time"
 				},
-				"gateway_url": {
-					"type": "string",
-					"format": "uri"
-				},
 				"created_at": {
 					"type": "string",
 					"format": "date-time"
@@ -9593,7 +10324,6 @@ const operationManifest = [
 				"name",
 				"code",
 				"deploy_status",
-				"gateway_url",
 				"created_at",
 				"updated_at"
 			]
@@ -10788,28 +11518,34 @@ function requireString(value, key) {
 	return raw;
 }
 /**
-* Sentinel returned by parseCredentials when the on-disk credentials
-* were written by a pre-dual-host CLI version (i.e. they have
-* `base_url` instead of `api_base_url_1`). The caller treats this as
-* "no saved credentials" after auto-cleaning the stale file. Defined
-* as a class-tagged error so loadCliCredentials can distinguish it
-* from a genuine malformed-credentials error.
+* Sentinel returned by parseCredentials when the on-disk credentials were
+* written by an API-key-based CLI. The caller treats this as "not logged in"
+* after clearing the local file. The backing API key is intentionally not
+* revoked; API keys still work when passed explicitly via --api-key/env.
 */
-var StaleCredentialFormatError = class extends Error {
+var LegacyApiKeyCredentialFormatError = class extends Error {
 	constructor() {
-		super("stale_credential_format");
-		this.name = "StaleCredentialFormatError";
+		super("legacy_api_key_credential_format");
+		this.name = "LegacyApiKeyCredentialFormatError";
 	}
 };
 function parseCredentials(raw) {
 	if (!isRecord$2(raw)) throw new Error(`Stored Primitive CLI credentials are malformed: expected a JSON object. ${MALFORMED_CREDENTIALS_HINT}`);
-	if (typeof raw.api_base_url_1 !== "string" && typeof raw.base_url === "string") throw new StaleCredentialFormatError();
+	if (raw.auth_method !== "oauth") {
+		if (typeof raw.api_key === "string" || typeof raw.key_id === "string" || typeof raw.base_url === "string") throw new LegacyApiKeyCredentialFormatError();
+		throw new Error(`Stored Primitive CLI credentials are malformed: auth_method must be oauth. ${MALFORMED_CREDENTIALS_HINT}`);
+	}
 	const orgName = raw.org_name;
 	if (orgName !== null && typeof orgName !== "string") throw new Error(`Stored Primitive CLI credentials are malformed: org_name must be a string or null. ${MALFORMED_CREDENTIALS_HINT}`);
+	if (requireString(raw, "token_type") !== "Bearer") throw new Error(`Stored Primitive CLI credentials are malformed: token_type must be Bearer. ${MALFORMED_CREDENTIALS_HINT}`);
 	return {
-		api_key: requireString(raw, "api_key"),
-		key_id: requireString(raw, "key_id"),
-		key_prefix: requireString(raw, "key_prefix"),
+		auth_method: "oauth",
+		access_token: requireString(raw, "access_token"),
+		refresh_token: requireString(raw, "refresh_token"),
+		token_type: "Bearer",
+		expires_at: requireString(raw, "expires_at"),
+		oauth_grant_id: requireString(raw, "oauth_grant_id"),
+		oauth_client_id: requireString(raw, "oauth_client_id"),
 		org_id: requireString(raw, "org_id"),
 		org_name: orgName,
 		api_base_url_1: requireString(raw, "api_base_url_1"),
@@ -10830,6 +11566,9 @@ function normalizeApiBaseUrl1(url) {
 function normalizeApiBaseUrl2(url) {
 	return normalize(url, DEFAULT_API_BASE_URL_2);
 }
+function cliAccessTokenExpiresAt(expiresInSeconds, now = Date.now) {
+	return new Date(now() + expiresInSeconds * 1e3).toISOString();
+}
 function loadCliCredentials(configDir) {
 	const path = credentialsPath(configDir);
 	let contents;
@@ -10843,11 +11582,11 @@ function loadCliCredentials(configDir) {
 	try {
 		return parseCredentials(JSON.parse(contents));
 	} catch (error) {
-		if (error instanceof StaleCredentialFormatError) {
+		if (error instanceof LegacyApiKeyCredentialFormatError) {
 			try {
 				rmSync(path, { force: true });
 			} catch {}
-			process.stderr.write("You've been logged out: your saved Primitive CLI credentials were created by an older CLI version and are no longer compatible. Run `primitive login` to re-authenticate.\n");
+			process.stderr.write("Removed local Primitive CLI API-key login state. API keys are still valid when passed explicitly, but `primitive login` now uses OAuth. Run `primitive login` to create an OAuth session. No API key was revoked.\n");
 			return null;
 		}
 		if (error instanceof SyntaxError) throw new Error("Stored Primitive CLI credentials are not valid JSON. Run `primitive logout` and then `primitive login`.");
@@ -10932,7 +11671,7 @@ function resolveCliAuth(params) {
 	};
 	const credentials = loadCliCredentials(params.configDir);
 	if (credentials) return {
-		apiKey: credentials.api_key,
+		apiKey: credentials.access_token,
 		apiBaseUrl1: params.apiBaseUrl1 ? normalizeApiBaseUrl1(params.apiBaseUrl1) : credentials.api_base_url_1,
 		apiBaseUrl2,
 		credentials,
@@ -10970,7 +11709,7 @@ function validateCliHeaderName(name) {
 	const trimmed = name.trim();
 	if (!trimmed) throw new Errors.CLIError("Header name must be a non-empty string.", { exit: 1 });
 	if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(trimmed)) throw new Errors.CLIError(`Invalid header name: ${name}`, { exit: 1 });
-	if (trimmed.toLowerCase() === "authorization") throw new Errors.CLIError("The Authorization header is managed by PRIMITIVE_API_KEY or saved CLI credentials.", { exit: 1 });
+	if (trimmed.toLowerCase() === "authorization") throw new Errors.CLIError("The Authorization header is managed by PRIMITIVE_API_KEY or saved OAuth CLI credentials.", { exit: 1 });
 	return trimmed;
 }
 function validateCliHeaderValue(value, name) {
@@ -11132,6 +11871,8 @@ function redactCliEnvironment(environment) {
 //#endregion
 //#region src/oclif/api-client.ts
 const API_HEADERS_ENV = "PRIMITIVE_API_HEADERS";
+const OAUTH_REFRESH_SKEW_MS = 60 * 1e3;
+const SAVED_CLI_OAUTH_SESSION_EXPIRED_MESSAGE = "Saved Primitive CLI OAuth session expired or was revoked. Run `primitive login` to authenticate again.";
 function mergeHeaders(...headers) {
 	const merged = {};
 	for (const headerSet of headers) {
@@ -11190,14 +11931,115 @@ function createCliApiClient(params) {
 		requestConfig
 	};
 }
-function createAuthenticatedCliApiClient(params) {
+function oauthTokenEndpoint(apiBaseUrl1) {
+	const url = new URL(apiBaseUrl1);
+	url.pathname = "/oauth/token";
+	url.search = "";
+	url.hash = "";
+	return url.toString();
+}
+function shouldRefresh(credentials, now) {
+	const expiresAt = Date.parse(credentials.expires_at);
+	if (!Number.isFinite(expiresAt)) return true;
+	return expiresAt <= now() + OAUTH_REFRESH_SKEW_MS;
+}
+function isOAuthRefreshSuccess(value) {
+	if (value === null || typeof value !== "object" || Array.isArray(value)) return false;
+	const row = value;
+	return typeof row.access_token === "string" && typeof row.refresh_token === "string" && row.token_type === "Bearer" && typeof row.expires_in === "number" && Number.isFinite(row.expires_in) && row.expires_in > 0;
+}
+function oauthErrorCode(value) {
+	if (value === null || typeof value !== "object" || Array.isArray(value)) return null;
+	const raw = value.error;
+	return typeof raw === "string" ? raw : null;
+}
+function oauthErrorDescription(value) {
+	if (value === null || typeof value !== "object" || Array.isArray(value)) return null;
+	const raw = value.error_description;
+	return typeof raw === "string" && raw.trim() ? raw : null;
+}
+async function refreshStoredCliCredentials(params) {
+	const now = params.now ?? Date.now;
+	if (!shouldRefresh(params.credentials, now)) return params.credentials;
+	let releaseLock;
+	try {
+		if (!params.credentialsLockHeld) try {
+			releaseLock = acquireCliCredentialsLock(params.configDir);
+		} catch (error) {
+			const detail = error instanceof Error ? error.message : String(error);
+			throw new Errors.CLIError(detail, { exit: 1 });
+		}
+		const current = loadCliCredentials(params.configDir);
+		if (!current) throw new Errors.CLIError("Saved Primitive CLI OAuth session is no longer available. Run `primitive login` to authenticate again.", { exit: 1 });
+		if (!shouldRefresh(current, now)) return current;
+		const fetchImpl = params.fetch ?? fetch;
+		const body = new URLSearchParams({
+			client_id: current.oauth_client_id,
+			grant_type: "refresh_token",
+			refresh_token: current.refresh_token
+		});
+		let response;
+		try {
+			response = await fetchImpl(oauthTokenEndpoint(params.apiBaseUrl1), {
+				body,
+				headers: {
+					...params.headers ?? {},
+					"content-type": "application/x-www-form-urlencoded"
+				},
+				method: "POST"
+			});
+		} catch (error) {
+			const detail = error instanceof Error ? error.message : String(error);
+			throw new Errors.CLIError(`Could not refresh saved Primitive CLI OAuth credentials: ${detail}`, { exit: 1 });
+		}
+		const payload = await response.json().catch(() => null);
+		if (!response.ok) {
+			const code = oauthErrorCode(payload);
+			const description = oauthErrorDescription(payload);
+			if (code === "invalid_grant") {
+				deleteCliCredentials(params.configDir);
+				throw new Errors.CLIError(SAVED_CLI_OAUTH_SESSION_EXPIRED_MESSAGE, { exit: 1 });
+			}
+			throw new Errors.CLIError(`Could not refresh saved Primitive CLI OAuth credentials${description ? `: ${description}` : "."}`, { exit: 1 });
+		}
+		if (!isOAuthRefreshSuccess(payload)) throw new Errors.CLIError("Primitive OAuth token endpoint returned an unexpected refresh response.", { exit: 1 });
+		const next = {
+			...current,
+			access_token: payload.access_token,
+			expires_at: cliAccessTokenExpiresAt(payload.expires_in, now),
+			refresh_token: payload.refresh_token,
+			token_type: payload.token_type
+		};
+		saveCliCredentials(params.configDir, next);
+		return next;
+	} finally {
+		releaseLock?.();
+	}
+}
+async function createAuthenticatedCliApiClient(params) {
 	const requestConfig = resolveCliApiRequestConfig(params);
-	const auth = resolveCliAuth({
+	let auth = resolveCliAuth({
 		apiKey: params.apiKey,
 		apiBaseUrl1: requestConfig.apiBaseUrl1,
 		apiBaseUrl2: requestConfig.apiBaseUrl2,
 		configDir: params.configDir
 	});
+	if (auth.source === "stored" && auth.credentials) {
+		const refreshed = await refreshStoredCliCredentials({
+			apiBaseUrl1: auth.apiBaseUrl1,
+			configDir: params.configDir,
+			credentials: auth.credentials,
+			credentialsLockHeld: params.credentialsLockHeld,
+			fetch: params.fetch,
+			headers: requestConfig.headers,
+			now: params.now
+		});
+		auth = {
+			...auth,
+			apiKey: refreshed.access_token,
+			credentials: refreshed
+		};
+	}
 	return {
 		apiClient: new PrimitiveApiClient({
 			apiKey: auth.apiKey,
@@ -11513,7 +12355,7 @@ function extractErrorCode(payload) {
 		if (typeof direct === "string") return direct;
 	}
 }
-const ERROR_CODE_HINTS = { [API_ERROR_CODES.unauthorized]: "Hint: run `primitive login`, pass --api-key explicitly, or set PRIMITIVE_API_KEY in your environment. `primitive whoami` is the fastest way to verify a key is live." };
+const ERROR_CODE_HINTS = { [API_ERROR_CODES.unauthorized]: "Hint: run `primitive login`, pass --api-key explicitly, or set PRIMITIVE_API_KEY in your environment. `primitive whoami` is the fastest way to verify auth is live." };
 const NETWORK_ERROR_HINTS = {
 	ENETUNREACH: "Hint: the network is unreachable. If you're behind a proxy and set HTTP(S)_PROXY, re-run with NODE_USE_ENV_PROXY=1 (Node 22+ ignores those env vars by default). `primitive doctor` reports the local environment in one shot.",
 	ECONNREFUSED: "Hint: the server refused the connection. Check that your firewall allows egress to *.primitive.dev, that your PRIMITIVE_API_BASE_URL_* overrides (if any) point at a reachable host, and re-run with NODE_USE_ENV_PROXY=1 if you're behind a proxy. `primitive doctor` reports the local environment in one shot.",
@@ -11551,7 +12393,7 @@ function surfaceUnauthorizedHint(params) {
 		process.stderr.write("Saved Primitive CLI credentials were rejected by the overridden API base URL. The saved credential is preserved; unset PRIMITIVE_API_BASE_URL_1, run `primitive config reset` to clear configured URL overrides, or run `primitive logout` to remove the stored credential.\n");
 		return;
 	}
-	process.stderr.write("Your saved Primitive CLI credential was rejected. If the command was working a moment ago, please retry; brief retries often clear transient rejections. If it keeps failing, run `primitive logout && primitive login` to mint a fresh credential.\n");
+	process.stderr.write("Your saved Primitive CLI OAuth session was rejected. If the command was working a moment ago, please retry; brief retries often clear transient rejections. If it keeps failing, run `primitive logout && primitive login` to mint a fresh session.\n");
 }
 function formatElapsed(ms) {
 	const seconds = ms / 1e3;
@@ -11601,7 +12443,7 @@ function bodyFieldFlag(field) {
 function buildFlags(operation) {
 	const flags = {
 		"api-key": Flags.string({
-			description: "Primitive API key (defaults to PRIMITIVE_API_KEY or saved `primitive login` credentials)",
+			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
 		"api-base-url-1": Flags.string({
@@ -11679,7 +12521,7 @@ function createOperationCommand(operation) {
 			const { flags } = await this.parse(OperationCommand);
 			const parsedFlags = flags;
 			await runWithTiming(parsedFlags.time === true, async () => {
-				const { apiClient, auth, baseUrlOverridden } = createAuthenticatedCliApiClient({
+				const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 					apiKey: typeof parsedFlags["api-key"] === "string" ? parsedFlags["api-key"] : void 0,
 					apiBaseUrl1: typeof parsedFlags["api-base-url-1"] === "string" ? parsedFlags["api-base-url-1"] : void 0,
 					apiBaseUrl2: typeof parsedFlags["api-base-url-2"] === "string" ? parsedFlags["api-base-url-2"] : void 0,
@@ -11802,7 +12644,7 @@ async function pickDefaultFromAddress(apiClient, authFailureContext) {
 				...authFailureContext,
 				payload: errorPayload
 			});
-			throw new Errors.CLIError("Cannot send: API key is missing or invalid (see hint above).", { exit: 1 });
+			throw new Errors.CLIError("Cannot send: CLI auth is missing or invalid (see hint above).", { exit: 1 });
 		}
 		throw new Errors.CLIError(`Could not look up your verified domains to default --from. Pass --from explicitly. Underlying error: ${formatErrorPayload(errorPayload)}`);
 	}
@@ -12001,7 +12843,7 @@ var ChatCommand = class ChatCommand extends Command {
 		const message = args.message !== void 0 && args.message !== "" ? args.message : await readStdinToString();
 		if (!message.trim()) throw cliError$5("Message body is empty.");
 		await runWithTiming(flags.time, async () => {
-			const { apiClient, auth, baseUrlOverridden } = createAuthenticatedCliApiClient({
+			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
 				apiBaseUrl1: flags["api-base-url-1"],
 				apiBaseUrl2: flags["api-base-url-2"],
@@ -12354,13 +13196,18 @@ function checkApiKey(opts) {
 		} catch (error) {
 			parseError = error instanceof Error ? error.message : String(error);
 		}
-		if (parsed?.api_key) return {
+		if (parsed?.auth_method === "oauth" && typeof parsed.access_token === "string" && parsed.access_token.length > 0) return {
 			status: "ok",
-			message: `loaded from ${credsPath}`
+			message: `loaded OAuth session from ${credsPath}`
+		};
+		if (typeof parsed?.api_key === "string" && parsed.api_key.length > 0) return {
+			status: "fail",
+			message: `${credsPath} contains legacy API-key login state`,
+			hint: "Run `primitive login` to create saved OAuth credentials. Existing API keys still work with --api-key or PRIMITIVE_API_KEY."
 		};
 		if (parsed) return {
 			status: "fail",
-			message: `${credsPath} exists but contains no api_key`,
+			message: `${credsPath} exists but contains no OAuth access_token`,
 			hint: "Run `primitive logout` to clear it, then `primitive login` to recreate."
 		};
 		return {
@@ -12371,7 +13218,7 @@ function checkApiKey(opts) {
 	}
 	return {
 		status: "fail",
-		message: "no API key found",
+		message: "no CLI OAuth session or explicit API key found",
 		hint: "Run `primitive login`, pass --api-key explicitly, or export PRIMITIVE_API_KEY=prim_..."
 	};
 }
@@ -12454,12 +13301,12 @@ async function checkDomains(client) {
 	}
 }
 var DoctorCommand = class DoctorCommand extends Command {
-	static description = `Run a one-shot environment health check: Node version, proxy env, API key resolution, /account reachability, and verified-domain status. Fails fast on anything that would block other commands and prints actionable hints for each warning or failure.`;
+	static description = `Run a one-shot environment health check: Node version, proxy env, CLI auth resolution, /account reachability, and verified-domain status. Fails fast on anything that would block other commands and prints actionable hints for each warning or failure.`;
 	static summary = "Check the local environment and live API for common problems";
 	static examples = ["<%= config.bin %> doctor", "<%= config.bin %> doctor --api-key prim_..."];
 	static flags = {
 		"api-key": Flags.string({
-			description: "Primitive API key (defaults to PRIMITIVE_API_KEY or saved `primitive login` credentials)",
+			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
 		"api-base-url-1": Flags.string({
@@ -12489,11 +13336,11 @@ var DoctorCommand = class DoctorCommand extends Command {
 			configDir: this.config.configDir
 		});
 		rows.push({
-			label: "API key",
+			label: "Auth",
 			outcome: apiKeyCheck
 		});
 		if (apiKeyCheck.status !== "fail") {
-			const { apiClient, auth } = createAuthenticatedCliApiClient({
+			const { apiClient, auth } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
 				apiBaseUrl1: flags["api-base-url-1"],
 				apiBaseUrl2: flags["api-base-url-2"],
@@ -12575,7 +13422,7 @@ var EmailsLatestCommand = class EmailsLatestCommand extends Command {
 	];
 	static flags = {
 		"api-key": Flags.string({
-			description: "Primitive API key (defaults to PRIMITIVE_API_KEY or saved `primitive login` credentials)",
+			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
 		"api-base-url-1": Flags.string({
@@ -12600,7 +13447,7 @@ var EmailsLatestCommand = class EmailsLatestCommand extends Command {
 	async run() {
 		const { flags } = await this.parse(EmailsLatestCommand);
 		await runWithTiming(flags.time, async () => {
-			const { apiClient, auth, baseUrlOverridden } = createAuthenticatedCliApiClient({
+			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
 				apiBaseUrl1: flags["api-base-url-1"],
 				apiBaseUrl2: flags["api-base-url-2"],
@@ -12655,7 +13502,7 @@ var EmailsWaitCommand = class EmailsWaitCommand extends Command {
 	];
 	static flags = {
 		"api-key": Flags.string({
-			description: "Primitive API key (defaults to PRIMITIVE_API_KEY or saved `primitive login` credentials)",
+			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
 		"api-base-url-1": Flags.string({
@@ -12707,7 +13554,7 @@ var EmailsWaitCommand = class EmailsWaitCommand extends Command {
 	};
 	async run() {
 		const { flags } = await this.parse(EmailsWaitCommand);
-		const { apiClient, auth, baseUrlOverridden } = createAuthenticatedCliApiClient({
+		const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 			apiKey: flags["api-key"],
 			apiBaseUrl1: flags["api-base-url-1"],
 			apiBaseUrl2: flags["api-base-url-2"],
@@ -12781,7 +13628,7 @@ var EmailsWatchCommand = class EmailsWatchCommand extends Command {
 	];
 	static flags = {
 		"api-key": Flags.string({
-			description: "Primitive API key (defaults to PRIMITIVE_API_KEY or saved `primitive login` credentials)",
+			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
 		"api-base-url-1": Flags.string({
@@ -12829,7 +13676,7 @@ var EmailsWatchCommand = class EmailsWatchCommand extends Command {
 	};
 	async run() {
 		const { flags } = await this.parse(EmailsWatchCommand);
-		const { apiClient, auth, baseUrlOverridden } = createAuthenticatedCliApiClient({
+		const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 			apiKey: flags["api-key"],
 			apiBaseUrl1: flags["api-base-url-1"],
 			apiBaseUrl2: flags["api-base-url-2"],
@@ -12913,7 +13760,6 @@ function toDeployWaitSnapshot(value) {
 		...value.deploy_error !== void 0 ? { deploy_error: value.deploy_error } : {},
 		deploy_status: value.deploy_status,
 		...value.deployed_at !== void 0 ? { deployed_at: value.deployed_at } : {},
-		gateway_url: value.gateway_url,
 		id: value.id,
 		name: value.name,
 		...value.updated_at !== void 0 ? { updated_at: value.updated_at } : {}
@@ -13448,7 +14294,7 @@ var FunctionsDeployCommand = class FunctionsDeployCommand extends Command {
 	];
 	static flags = {
 		"api-key": Flags.string({
-			description: "Primitive API key (defaults to PRIMITIVE_API_KEY or saved `primitive login` credentials)",
+			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
 		"api-base-url-1": Flags.string({
@@ -13525,7 +14371,7 @@ var FunctionsDeployCommand = class FunctionsDeployCommand extends Command {
 			const code = readTextFileFlag(flags.file, "--file");
 			const sourceMap = flags["source-map-file"] ? readTextFileFlag(flags["source-map-file"], "--source-map-file") : void 0;
 			emitRawSendMailFetchWarning(code, (chunk) => process.stderr.write(chunk));
-			const { apiClient, auth, baseUrlOverridden } = createAuthenticatedCliApiClient({
+			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
 				apiBaseUrl1: flags["api-base-url-1"],
 				apiBaseUrl2: flags["api-base-url-2"],
@@ -13637,22 +14483,33 @@ const PRIMITIVE_TEAM_AUTHOR = {
 	name: "Primitive Team",
 	url: "https://primitive.dev"
 };
-const SDK_VERSION_RANGE = "^0.31.0";
-const CLI_VERSION_RANGE = "^0.31.0";
+const SDK_VERSION_RANGE = "^0.31.1";
+const CLI_VERSION_RANGE = "^0.31.1";
 const ESBUILD_VERSION_RANGE = "^0.27.0";
 function renderHandler() {
-	return `// env.PRIMITIVE_API_KEY is auto-injected by the Primitive Functions runtime.
+	return `// env.PRIMITIVE_API_KEY, env.PRIMITIVE_WEBHOOK_SECRET, and
+// env.PRIMITIVE_API_BASE_URL are auto-injected by the Primitive Functions runtime.
 //
 // Imports are taken from the \`/api\` subpath, NOT the package root.
 // The root export pulls in webhook signing helpers that depend on
 // \`node:crypto\`, which breaks Workers-style bundles. The \`/api\`
-// subpath is Workers-safe and exposes everything a handler needs.
+// subpath is Workers-safe and exposes everything a handler needs,
+// including Web Crypto signature verification.
 import {
   createPrimitiveClient,
   normalizeReceivedEmail,
+  PRIMITIVE_SIGNATURE_HEADER,
   type EmailReceivedEvent,
+  verifyWebhookSignature,
+  WebhookVerificationError,
 } from "@primitivedotdev/sdk/api";
 
+interface Env {
+  PRIMITIVE_API_KEY: string;
+  PRIMITIVE_API_BASE_URL: string;
+  PRIMITIVE_WEBHOOK_SECRET: string;
+}
+
 // Loop-protection knob. Only used by the isLoop helper below; the
 // handler's outbound reply address is server-defaulted (no
 // from-address parameter is passed to client.reply). Update this if
@@ -13702,10 +14559,26 @@ export function isLoop(event: EmailReceivedEvent): boolean {
 export default {
   async fetch(
     req: Request,
-    env: { PRIMITIVE_API_KEY: string },
+    env: Env,
   ): Promise<Response> {
     try {
-      const event = (await req.json()) as EmailReceivedEvent;
+      const rawBody = await req.text();
+      const signatureHeader = req.headers.get(PRIMITIVE_SIGNATURE_HEADER) ?? "";
+
+      try {
+        await verifyWebhookSignature({
+          rawBody,
+          signatureHeader,
+          secret: env.PRIMITIVE_WEBHOOK_SECRET,
+        });
+      } catch (signatureError) {
+        if (signatureError instanceof WebhookVerificationError) {
+          return new Response("invalid signature", { status: 401 });
+        }
+        throw signatureError;
+      }
+
+      const event = JSON.parse(rawBody) as EmailReceivedEvent;
 
       // Only "email.received" exists today. Future event types will
       // arrive with a different discriminator; return 2xx so the
@@ -13715,15 +14588,17 @@ export default {
         return Response.json({ ok: true, skipped: event.event });
       }
 
-      // Loop protection runs immediately after the event-type check
-      // (the gateway has already HMAC-verified the request before it
-      // reaches this handler). See isLoop above for what's covered and
-      // how to extend it.
+      // Loop protection runs immediately after signature verification
+      // and the event-type check. See isLoop above for what's covered
+      // and how to extend it.
       if (isLoop(event)) {
         return Response.json({ ok: true, skipped: "loop" });
       }
 
-      const client = createPrimitiveClient({ apiKey: env.PRIMITIVE_API_KEY });
+      const client = createPrimitiveClient({
+        apiKey: env.PRIMITIVE_API_KEY,
+        apiBaseUrl1: env.PRIMITIVE_API_BASE_URL,
+      });
 
       // Recipient gate
       // https://www.primitive.dev/docs/sending#who-you-can-send-to
@@ -13891,7 +14766,7 @@ function renderEmailReplyTemplateFiles(name) {
 const FUNCTION_TEMPLATES = [{
 	author: PRIMITIVE_TEAM_AUTHOR,
 	dependencies: ["@primitivedotdev/sdk"],
-	description: "A deployable TypeScript email handler that validates email.received events, skips likely loops, and replies with the Primitive SDK.",
+	description: "A deployable TypeScript email handler that verifies signed email.received events, skips likely loops, and replies with the Primitive SDK.",
 	devDependencies: [
 		"@primitivedotdev/cli",
 		"esbuild",
@@ -14082,7 +14957,7 @@ var FunctionsLogsCommand = class FunctionsLogsCommand extends Command {
 	];
 	static flags = {
 		"api-key": Flags.string({
-			description: "Primitive API key (defaults to PRIMITIVE_API_KEY or saved `primitive login` credentials)",
+			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
 		"api-base-url-1": Flags.string({
@@ -14121,7 +14996,7 @@ var FunctionsLogsCommand = class FunctionsLogsCommand extends Command {
 		if (flags["poll-interval"] <= 0) this.error("--poll-interval must be greater than 0.", { exit: 2 });
 		if (flags.follow && flags.cursor) this.error("--cursor cannot be combined with --follow.", { exit: 2 });
 		await runWithTiming(flags.time, async () => {
-			const { apiClient, auth, baseUrlOverridden } = createAuthenticatedCliApiClient({
+			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
 				apiBaseUrl1: flags["api-base-url-1"],
 				apiBaseUrl2: flags["api-base-url-2"],
@@ -14280,7 +15155,7 @@ var FunctionsRedeployCommand = class FunctionsRedeployCommand extends Command {
 	];
 	static flags = {
 		"api-key": Flags.string({
-			description: "Primitive API key (defaults to PRIMITIVE_API_KEY or saved `primitive login` credentials)",
+			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
 		"api-base-url-1": Flags.string({
@@ -14357,7 +15232,7 @@ var FunctionsRedeployCommand = class FunctionsRedeployCommand extends Command {
 			const code = readTextFileFlag(flags.file, "--file");
 			const sourceMap = flags["source-map-file"] ? readTextFileFlag(flags["source-map-file"], "--source-map-file") : void 0;
 			emitRawSendMailFetchWarning(code, (chunk) => process.stderr.write(chunk));
-			const { apiClient, auth, baseUrlOverridden } = createAuthenticatedCliApiClient({
+			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
 				apiBaseUrl1: flags["api-base-url-1"],
 				apiBaseUrl2: flags["api-base-url-2"],
@@ -14540,7 +15415,7 @@ var FunctionsSetSecretCommand = class FunctionsSetSecretCommand extends Command
 	];
 	static flags = {
 		"api-key": Flags.string({
-			description: "Primitive API key (defaults to PRIMITIVE_API_KEY or saved `primitive login` credentials)",
+			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
 		"api-base-url-1": Flags.string({
@@ -14572,7 +15447,7 @@ var FunctionsSetSecretCommand = class FunctionsSetSecretCommand extends Command
 	async run() {
 		const { flags } = await this.parse(FunctionsSetSecretCommand);
 		await runWithTiming(flags.time, async () => {
-			const { apiClient, auth, baseUrlOverridden } = createAuthenticatedCliApiClient({
+			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
 				apiBaseUrl1: flags["api-base-url-1"],
 				apiBaseUrl2: flags["api-base-url-2"],
@@ -14763,7 +15638,7 @@ var FunctionsTestFunctionCommand = class FunctionsTestFunctionCommand extends Co
 	];
 	static flags = {
 		"api-key": Flags.string({
-			description: "Primitive API key (defaults to PRIMITIVE_API_KEY or saved `primitive login` credentials)",
+			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
 		"api-base-url-1": Flags.string({
@@ -14799,7 +15674,7 @@ var FunctionsTestFunctionCommand = class FunctionsTestFunctionCommand extends Co
 		const { flags } = await this.parse(FunctionsTestFunctionCommand);
 		const shouldWait = flags.wait || flags["show-sends"];
 		const shouldShowSends = flags["show-sends"];
-		const { apiClient, auth, baseUrlOverridden } = createAuthenticatedCliApiClient({
+		const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 			apiKey: flags["api-key"],
 			apiBaseUrl1: flags["api-base-url-1"],
 			apiBaseUrl2: flags["api-base-url-2"],
@@ -14949,8 +15824,25 @@ async function checkExistingLogin(params) {
 		configDir: params.configDir
 	});
 	const probeApiBaseUrl1 = requestConfig.apiBaseUrl1 ?? params.credentials.api_base_url_1;
+	let credentials = params.credentials;
+	try {
+		credentials = await refreshStoredCliCredentials({
+			apiBaseUrl1: probeApiBaseUrl1,
+			configDir: params.configDir,
+			credentials,
+			credentialsLockHeld: params.credentialsLockHeld,
+			headers: requestConfig.headers
+		});
+	} catch (error) {
+		if (loadCliCredentials(params.configDir) === null) return { status: "removed_stale" };
+		return {
+			status: "blocked",
+			payload: error,
+			message: "A saved Primitive CLI OAuth session exists, but the CLI could not refresh it. Run `primitive logout` before logging in again."
+		};
+	}
 	const apiClient = new PrimitiveApiClient({
-		apiKey: params.credentials.api_key,
+		apiKey: credentials.access_token,
 		apiBaseUrl1: probeApiBaseUrl1,
 		apiBaseUrl2: requestConfig.resolvedApiBaseUrl2,
 		headers: requestConfig.headers
@@ -14965,17 +15857,17 @@ async function checkExistingLogin(params) {
 	const baseUrlDiffersFromSaved = requestConfig.baseUrlOverridden && requestConfig.apiBaseUrl1 !== params.credentials.api_base_url_1;
 	if (code === API_ERROR_CODES.unauthorized && !baseUrlDiffersFromSaved) {
 		deleteCliCredentials(params.configDir);
-		process.stderr.write("Removed saved Primitive CLI credentials because the existing key was rejected during login. Continuing with a fresh login.\n");
+		process.stderr.write("Removed saved Primitive CLI OAuth credentials because the existing session was rejected during login. Continuing with a fresh login.\n");
 		return { status: "removed_stale" };
 	}
 	return {
 		status: "blocked",
 		payload,
-		message: code === API_ERROR_CODES.unauthorized ? "Saved Primitive CLI credentials were rejected by an API URL different from the one they were saved with. Run `primitive logout` to remove them, or switch back to the original environment before logging in again." : "A saved Primitive CLI login exists, but the CLI could not verify whether it is still valid. Run `primitive logout` before logging in again."
+		message: code === API_ERROR_CODES.unauthorized ? "Saved Primitive CLI OAuth credentials were rejected by an API URL different from the one they were saved with. Run `primitive logout` to remove them, or switch back to the original environment before logging in again." : "A saved Primitive CLI OAuth session exists, but the CLI could not verify whether it is still valid. Run `primitive logout` before logging in again."
 	};
 }
 var LoginCommand = class LoginCommand extends Command {
-	static description = "Log in by opening Primitive in your browser and saving an org-scoped CLI API key locally.";
+	static description = "Log in by opening Primitive in your browser and saving an org-scoped OAuth session locally.";
 	static summary = "Log in with browser approval";
 	static examples = [
 		"<%= config.bin %> login",
@@ -15029,7 +15921,8 @@ var LoginCommand = class LoginCommand extends Command {
 			const existingStatus = await checkExistingLogin({
 				apiBaseUrl1: flags["api-base-url-1"],
 				configDir: this.config.configDir,
-				credentials: existing
+				credentials: existing,
+				credentialsLockHeld: true
 			});
 			if (existingStatus.status === "removed_stale") process.stderr.write("Continuing with a new Primitive CLI login...\n");
 			else if (existingStatus.status === "blocked") {
@@ -15070,13 +15963,17 @@ var LoginCommand = class LoginCommand extends Command {
 				const login = unwrapData$2(polled.data);
 				if (!login) throw cliError$2("Primitive API returned an empty CLI poll response.");
 				saveCliCredentials(this.config.configDir, {
-					api_key: login.api_key,
+					access_token: login.access_token,
 					api_base_url_1: apiBaseUrl1,
+					auth_method: "oauth",
 					created_at: (/* @__PURE__ */ new Date()).toISOString(),
-					key_id: login.key_id,
-					key_prefix: login.key_prefix,
+					expires_at: cliAccessTokenExpiresAt(login.expires_in),
+					oauth_client_id: login.oauth_client_id,
+					oauth_grant_id: login.oauth_grant_id,
 					org_id: login.org_id,
-					org_name: login.org_name
+					org_name: login.org_name,
+					refresh_token: login.refresh_token,
+					token_type: login.token_type
 				});
 				const org = login.org_name ? ` (${login.org_name})` : "";
 				process.stderr.write(`Logged in to org ${login.org_id}${org}.\n`);
@@ -15098,22 +15995,80 @@ var LoginCommand = class LoginCommand extends Command {
 			if (code === API_ERROR_CODES.expiredToken) throw cliError$2("Primitive CLI login expired. Run `primitive login` again.");
 			if (code === API_ERROR_CODES.invalidDeviceCode) throw cliError$2("Primitive CLI login device code is invalid. Run `primitive login` again.");
 			writeErrorWithHints(payload);
-			throw cliError$2("Primitive CLI login failed while polling for approval.");
+			throw cliError$2("Primitive CLI login failed while polling for approval.");
+		}
+		throw cliError$2("Primitive CLI login expired. Run `primitive login` again.");
+	}
+};
+//#endregion
+//#region src/oclif/commands/logout.ts
+function cliError$1(message) {
+	return new Errors.CLIError(message, { exit: 1 });
+}
+function unwrapData$1(value) {
+	return value?.data ?? null;
+}
+function isSavedOAuthSessionExpiredError(error) {
+	return error instanceof Error && error.message === "Saved Primitive CLI OAuth session expired or was revoked. Run `primitive login` to authenticate again.";
+}
+async function runLogoutWithCredentialLock(params) {
+	const deps = {
+		cliLogout,
+		createAuthenticatedCliApiClient,
+		...params.deps
+	};
+	let credentials;
+	try {
+		credentials = loadCliCredentials(params.configDir);
+	} catch (error) {
+		deleteCliCredentials(params.configDir);
+		const detail = error instanceof Error ? error.message : String(error);
+		process.stderr.write(`Removed unreadable Primitive CLI credentials. Backing OAuth grant was not revoked: ${detail}\n`);
+		process.exitCode = 1;
+		return;
+	}
+	if (!credentials) throw cliError$1("Not logged in. Run `primitive login` to create saved CLI credentials.");
+	let authenticated;
+	try {
+		authenticated = await deps.createAuthenticatedCliApiClient({
+			apiBaseUrl1: params.flags["api-base-url-1"],
+			configDir: params.configDir,
+			credentialsLockHeld: true
+		});
+	} catch (error) {
+		if (isSavedOAuthSessionExpiredError(error) && loadCliCredentials(params.configDir) === null) {
+			process.stderr.write("Logged out (OAuth session was already expired or revoked on the server).\n");
+			return;
+		}
+		throw error;
+	}
+	const freshCredentials = authenticated.auth.credentials ?? credentials;
+	const result = await deps.cliLogout({
+		body: { key_id: freshCredentials.oauth_grant_id },
+		client: authenticated.apiClient.client,
+		responseStyle: "fields"
+	});
+	if (result.error) {
+		const payload = extractErrorPayload(result.error);
+		const code = extractErrorCode(payload);
+		if (code === API_ERROR_CODES.unauthorized || code === API_ERROR_CODES.notFound) {
+			deleteCliCredentials(params.configDir);
+			writeErrorWithHints(payload);
+			process.stderr.write("Removed saved Primitive CLI credentials because the backing OAuth grant is already unavailable.\n");
+			process.exitCode = 1;
+			return;
 		}
-		throw cliError$2("Primitive CLI login expired. Run `primitive login` again.");
+		writeErrorWithHints(payload);
+		throw cliError$1("Could not revoke the saved Primitive CLI OAuth grant.");
 	}
-};
-//#endregion
-//#region src/oclif/commands/logout.ts
-function cliError$1(message) {
-	return new Errors.CLIError(message, { exit: 1 });
-}
-function unwrapData$1(value) {
-	return value?.data ?? null;
+	const logout = unwrapData$1(result.data);
+	deleteCliCredentials(params.configDir);
+	const grantId = logout?.oauth_grant_id ?? freshCredentials.oauth_grant_id;
+	process.stderr.write(`Logged out and revoked OAuth grant ${grantId}.\n`);
 }
 var LogoutCommand = class LogoutCommand extends Command {
-	static description = "Log out by revoking the saved Primitive CLI API key and deleting local credentials.";
-	static summary = "Log out and revoke the saved CLI key";
+	static description = "Log out by revoking the saved Primitive CLI OAuth grant and deleting local credentials.";
+	static summary = "Log out and revoke the saved CLI OAuth grant";
 	static examples = ["<%= config.bin %> logout"];
 	static flags = { "api-base-url-1": Flags.string({
 		description: "Override the primary API base URL. Internal testing only; not documented to customers.",
@@ -15129,56 +16084,14 @@ var LogoutCommand = class LogoutCommand extends Command {
 			throw cliError$1(error instanceof Error ? error.message : String(error));
 		}
 		try {
-			await this.runWithCredentialLock(flags);
+			await runLogoutWithCredentialLock({
+				configDir: this.config.configDir,
+				flags
+			});
 		} finally {
 			releaseCredentialsLock();
 		}
 	}
-	async runWithCredentialLock(flags) {
-		let credentials;
-		try {
-			credentials = loadCliCredentials(this.config.configDir);
-		} catch (error) {
-			deleteCliCredentials(this.config.configDir);
-			const detail = error instanceof Error ? error.message : String(error);
-			process.stderr.write(`Removed unreadable Primitive CLI credentials. Backing API key was not revoked: ${detail}\n`);
-			process.exitCode = 1;
-			return;
-		}
-		if (!credentials) throw cliError$1("Not logged in. Run `primitive login` to create saved CLI credentials.");
-		const requestConfig = resolveCliApiRequestConfig({
-			apiBaseUrl1: flags["api-base-url-1"],
-			configDir: this.config.configDir
-		});
-		const apiBaseUrl1 = requestConfig.apiBaseUrl1 ? normalizeApiBaseUrl1(requestConfig.apiBaseUrl1) : credentials.api_base_url_1;
-		const apiClient = new PrimitiveApiClient({
-			apiKey: credentials.api_key,
-			apiBaseUrl1,
-			headers: requestConfig.headers
-		});
-		const result = await cliLogout({
-			body: { key_id: credentials.key_id },
-			client: apiClient.client,
-			responseStyle: "fields"
-		});
-		if (result.error) {
-			const payload = extractErrorPayload(result.error);
-			const code = extractErrorCode(payload);
-			if (code === API_ERROR_CODES.unauthorized || code === API_ERROR_CODES.notFound) {
-				deleteCliCredentials(this.config.configDir);
-				writeErrorWithHints(payload);
-				process.stderr.write("Removed saved Primitive CLI credentials because the backing API key is already unavailable.\n");
-				process.exitCode = 1;
-				return;
-			}
-			writeErrorWithHints(payload);
-			throw cliError$1("Could not revoke the saved Primitive CLI API key.");
-		}
-		const logout = unwrapData$1(result.data);
-		deleteCliCredentials(this.config.configDir);
-		const keyId = logout?.key_id ?? credentials.key_id;
-		process.stderr.write(`Logged out and revoked API key ${keyId}.\n`);
-	}
 };
 //#endregion
 //#region src/oclif/message-body-sources.ts
@@ -15295,7 +16208,7 @@ var ReplyCommand = class ReplyCommand extends Command {
 	];
 	static flags = {
 		"api-key": Flags.string({
-			description: "Primitive API key (defaults to PRIMITIVE_API_KEY or saved `primitive login` credentials)",
+			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
 		"api-base-url-1": Flags.string({
@@ -15335,7 +16248,7 @@ var ReplyCommand = class ReplyCommand extends Command {
 		});
 		if (bodies.kind === "error") throw new Errors.CLIError(bodies.message);
 		await runWithTiming(flags.time, async () => {
-			const { apiClient, auth, baseUrlOverridden } = createAuthenticatedCliApiClient({
+			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
 				apiBaseUrl1: flags["api-base-url-1"],
 				apiBaseUrl2: flags["api-base-url-2"],
@@ -15394,7 +16307,7 @@ var SendCommand = class SendCommand extends Command {
 	];
 	static flags = {
 		"api-key": Flags.string({
-			description: "Primitive API key (defaults to PRIMITIVE_API_KEY or saved `primitive login` credentials)",
+			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
 		"api-base-url-1": Flags.string({
@@ -15436,7 +16349,7 @@ var SendCommand = class SendCommand extends Command {
 		});
 		if (bodies.kind === "error") throw new Errors.CLIError(bodies.message);
 		await runWithTiming(flags.time, async () => {
-			const { apiClient, auth, baseUrlOverridden } = createAuthenticatedCliApiClient({
+			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
 				apiBaseUrl1: flags["api-base-url-1"],
 				apiBaseUrl2: flags["api-base-url-2"],
@@ -15484,7 +16397,6 @@ var SendCommand = class SendCommand extends Command {
 //#endregion
 //#region src/oclif/commands/signup.ts
 const INVALID_VERIFICATION_CODE = "invalid_verification_code";
-const CLERK_PASSWORD_REJECTED = "clerk_password_rejected";
 const EXPIRED_TOKEN = "expired_token";
 const INVALID_SIGNUP_TOKEN = "invalid_signup_token";
 const SLOW_DOWN = "slow_down";
@@ -15498,6 +16410,9 @@ function unwrapData(value) {
 function isRecord(value) {
 	return value !== null && typeof value === "object" && !Array.isArray(value);
 }
+function normalizeEmail(email) {
+	return email.trim().toLowerCase();
+}
 function pendingSignupFromJson(value) {
 	if (!isRecord(value)) return null;
 	if (typeof value.signup_token !== "string" || typeof value.email !== "string" || typeof value.expires_in !== "number" || typeof value.resend_after !== "number" || typeof value.verification_code_length !== "number" || typeof value.api_base_url_1 !== "string" || typeof value.created_at !== "string" || typeof value.expires_at !== "string") return null;
@@ -15515,7 +16430,7 @@ function pendingSignupFromJson(value) {
 function pendingSignupPath(configDir) {
 	return join(configDir, PENDING_SIGNUP_FILE);
 }
-function deletePendingCliSignup(configDir) {
+function deletePendingAgentSignup(configDir) {
 	rmSync(pendingSignupPath(configDir), { force: true });
 }
 function pendingSignupFromStart(start, apiBaseUrl1) {
@@ -15526,7 +16441,7 @@ function pendingSignupFromStart(start, apiBaseUrl1) {
 		expires_at: new Date(Date.now() + start.expires_in * 1e3).toISOString()
 	};
 }
-function savePendingCliSignup(configDir, start, apiBaseUrl1) {
+function savePendingAgentSignup(configDir, start, apiBaseUrl1) {
 	mkdirSync(configDir, {
 		mode: 448,
 		recursive: true
@@ -15545,7 +16460,7 @@ function savePendingCliSignup(configDir, start, apiBaseUrl1) {
 		throw error;
 	}
 }
-function loadPendingCliSignup(configDir, apiBaseUrl1) {
+function loadPendingAgentSignup(configDir, apiBaseUrl1) {
 	const path = pendingSignupPath(configDir);
 	let contents;
 	try {
@@ -15561,12 +16476,12 @@ function loadPendingCliSignup(configDir, apiBaseUrl1) {
 		pending = null;
 	}
 	if (!pending) {
-		deletePendingCliSignup(configDir);
+		deletePendingAgentSignup(configDir);
 		return null;
 	}
 	if (pending.api_base_url_1 !== apiBaseUrl1) return null;
 	if (new Date(pending.expires_at).getTime() <= Date.now()) {
-		deletePendingCliSignup(configDir);
+		deletePendingAgentSignup(configDir);
 		return null;
 	}
 	return {
@@ -15574,6 +16489,12 @@ function loadPendingCliSignup(configDir, apiBaseUrl1) {
 		expires_in: Math.max(0, Math.ceil((new Date(pending.expires_at).getTime() - Date.now()) / 1e3))
 	};
 }
+function requirePendingSignupForEmail(params) {
+	const pending = loadPendingAgentSignup(params.configDir, params.apiBaseUrl1);
+	if (!pending) throw cliError(`No pending signup for ${params.email}. Run \`primitive signup ${params.email}\` first.`);
+	if (normalizeEmail(pending.email) !== normalizeEmail(params.email)) throw cliError(`Pending signup is for ${pending.email}, not ${params.email}. Run \`primitive signup ${params.email} --force\` to replace it.`);
+	return pending;
+}
 function retryAfterSeconds(result) {
 	const raw = result.response?.headers.get("retry-after");
 	if (!raw) return null;
@@ -15594,61 +16515,12 @@ async function promptLine(question) {
 		rl.close();
 	}
 }
-async function promptHidden(question) {
-	if (!process$1.stdin.isTTY || !process$1.stderr.isTTY || !process$1.stdin.setRawMode) throw cliError("Password input requires an interactive terminal with hidden input support.");
-	return new Promise((resolve, reject) => {
-		const input = process$1.stdin;
-		let value = "";
-		const cleanup = () => {
-			input.setRawMode(false);
-			input.pause();
-			input.off("data", onData);
-		};
-		const finish = () => {
-			cleanup();
-			process$1.stderr.write("\n");
-			resolve(value);
-		};
-		const onData = (chunk) => {
-			const text = chunk.toString("utf8");
-			for (const char of text) {
-				if (char === "") {
-					cleanup();
-					process$1.stderr.write("\n");
-					reject(cliError("Signup cancelled."));
-					return;
-				}
-				if (char === "\r" || char === "\n") {
-					finish();
-					return;
-				}
-				if (char === "\b" || char === "") {
-					value = value.slice(0, -1);
-					continue;
-				}
-				value += char;
-			}
-		};
-		process$1.stderr.write(question);
-		input.setRawMode(true);
-		input.resume();
-		input.on("data", onData);
-	});
-}
 function formatSignupSeconds(seconds) {
 	if (typeof seconds !== "number" || !Number.isFinite(seconds) || seconds <= 0) return "soon";
 	if (seconds < 60) return `${Math.ceil(seconds)} seconds`;
 	const minutes = Math.ceil(seconds / 60);
 	return `${minutes} minute${minutes === 1 ? "" : "s"}`;
 }
-function shouldRetrySignupPassword(errorCode) {
-	return errorCode === CLERK_PASSWORD_REJECTED;
-}
-function signupErrorMessage(payload) {
-	if (!isRecord(payload)) return null;
-	const message = (isRecord(payload.error) ? payload.error : payload).message;
-	return typeof message === "string" && message.trim() ? message : null;
-}
 async function promptRequired(question) {
 	while (true) {
 		const value = await promptLine(question);
@@ -15656,20 +16528,6 @@ async function promptRequired(question) {
 		process$1.stderr.write("Please enter a value.\n");
 	}
 }
-async function promptRequiredPassword(question) {
-	while (true) {
-		const value = await promptHidden(question);
-		if (value) return value;
-		process$1.stderr.write("Please enter a password.\n");
-	}
-}
-async function promptNewPassword() {
-	while (true) {
-		const password = await promptRequiredPassword("Password: ");
-		if (password === await promptRequiredPassword("Confirm password: ")) return password;
-		process$1.stderr.write("Passwords did not match. Try again.\n");
-	}
-}
 async function confirmTerms() {
 	process$1.stderr.write("By creating an account, you agree to Primitive's Terms of Service and Privacy Policy:\n");
 	process$1.stderr.write("  https://primitive.dev/terms\n");
@@ -15677,8 +16535,100 @@ async function confirmTerms() {
 	const answer = (await promptRequired("Type 'yes' to continue: ")).toLowerCase();
 	if (answer !== "yes" && answer !== "y") throw cliError("You must accept the terms to create an account.");
 }
+async function checkExistingCredentials(params) {
+	const checkExistingLoginFn = params.deps.checkExistingLogin ?? checkExistingLogin;
+	let existing;
+	try {
+		existing = loadCliCredentials(params.configDir);
+	} catch (error) {
+		if (!params.flags.force) throw error;
+		const detail = error instanceof Error ? error.message : String(error);
+		process$1.stderr.write(`Replacing unreadable Primitive CLI credentials because --force was set: ${detail}\n`);
+		existing = null;
+	}
+	if (existing && params.flags.force) {
+		process$1.stderr.write("Replacing saved Primitive CLI credentials after signup because --force was set.\n");
+		return;
+	}
+	if (!existing) return;
+	const existingStatus = await checkExistingLoginFn({
+		apiBaseUrl1: params.apiBaseUrl1,
+		configDir: params.configDir,
+		credentials: existing,
+		credentialsLockHeld: true
+	});
+	if (existingStatus.status === "removed_stale") {
+		process$1.stderr.write("Continuing with Primitive signup...\n");
+		return;
+	}
+	if (existingStatus.status === "blocked") {
+		writeErrorWithHints(existingStatus.payload);
+		throw cliError(existingStatus.message);
+	}
+	throw cliError(`Already logged in${existing.org_name ? ` for ${existing.org_name}` : ""}. Run \`primitive logout\` before creating a new account.`);
+}
+function saveSignupCredentials(params) {
+	saveCliCredentials(params.configDir, {
+		access_token: params.signup.access_token,
+		api_base_url_1: params.apiBaseUrl1,
+		auth_method: "oauth",
+		created_at: (/* @__PURE__ */ new Date()).toISOString(),
+		expires_at: cliAccessTokenExpiresAt(params.signup.expires_in),
+		oauth_client_id: params.signup.oauth_client_id,
+		oauth_grant_id: params.signup.oauth_grant_id,
+		org_id: params.signup.org_id,
+		org_name: params.signup.org_name,
+		refresh_token: params.signup.refresh_token,
+		token_type: params.signup.token_type
+	});
+}
+function writeStartInstructions(start) {
+	process$1.stderr.write(`Sent a ${start.verification_code_length}-digit verification code to ${start.email}.\n`);
+	process$1.stderr.write(`The code expires in ${formatSignupSeconds(start.expires_in)}.\n`);
+	process$1.stderr.write(`Run \`primitive signup confirm ${start.email} <code>\` to finish.\n`);
+}
+async function startSignup(params) {
+	const existingPending = loadPendingAgentSignup(params.configDir, params.apiBaseUrl1);
+	if (existingPending && !params.flags.force) {
+		if (normalizeEmail(existingPending.email) === normalizeEmail(params.email)) {
+			process$1.stderr.write(`Continuing pending Primitive signup for ${existingPending.email}.\n`);
+			process$1.stderr.write(`Run \`primitive signup confirm ${existingPending.email} <code>\` to finish, or \`primitive signup resend ${existingPending.email}\` to send a new code.\n`);
+			return {
+				pending: existingPending,
+				started: false
+			};
+		}
+		throw cliError(`Pending signup is for ${existingPending.email}. Run \`primitive signup ${params.email} --force\` to replace it.`);
+	}
+	if (params.flags.force) deletePendingAgentSignup(params.configDir);
+	const promptRequiredFn = params.deps.promptRequired ?? promptRequired;
+	const confirmTermsFn = params.deps.confirmTerms ?? confirmTerms;
+	const startFn = params.deps.startAgentSignup ?? startAgentSignup;
+	const signupCode = params.flags["signup-code"] ?? await promptRequiredFn("Signup code: ");
+	if (!params.flags["accept-terms"]) await confirmTermsFn();
+	const started = await startFn({
+		body: {
+			device_name: params.flags["device-name"] ?? hostname(),
+			email: params.email,
+			signup_code: signupCode,
+			terms_accepted: true
+		},
+		client: params.apiClient.client,
+		responseStyle: "fields"
+	});
+	if (started.error) {
+		writeErrorWithHints(extractErrorPayload(started.error));
+		throw cliError("Could not start Primitive agent signup.");
+	}
+	const startResult = unwrapData(started.data);
+	if (!startResult) throw cliError("Primitive API returned an empty agent signup response.");
+	return {
+		pending: savePendingAgentSignup(params.configDir, startResult, params.apiBaseUrl1),
+		started: true
+	};
+}
 async function resendVerificationCode(params) {
-	const resent = await (params.deps.resendCliSignupVerification ?? resendCliSignupVerification)({
+	const resent = await (params.deps.resendAgentSignupVerification ?? resendAgentSignupVerification)({
 		body: { signup_token: params.start.signup_token },
 		client: params.apiClient.client,
 		responseStyle: "fields"
@@ -15692,167 +16642,262 @@ async function resendVerificationCode(params) {
 			signup_token: params.start.signup_token,
 			verification_code_length: resend.verification_code_length
 		} : params.start;
-		savePendingCliSignup(params.configDir, next, params.apiBaseUrl1);
-		process$1.stderr.write(`Sent a new ${next.verification_code_length}-digit verification code. It expires in ${formatSignupSeconds(next.expires_in)}.\n`);
-		return next;
+		return {
+			pending: savePendingAgentSignup(params.configDir, next, params.apiBaseUrl1),
+			resent: true
+		};
 	}
 	const payload = extractErrorPayload(resent.error);
-	if (extractErrorCode(payload) === SLOW_DOWN) {
-		const suffix = ` Wait ${formatSignupSeconds(retryAfterSeconds(resent) ?? params.start.resend_after)} before trying again.`;
-		process$1.stderr.write(`Verification email was sent recently.${suffix}\n`);
-		return params.start;
+	const code = extractErrorCode(payload);
+	if (code === SLOW_DOWN) {
+		const retryAfter = retryAfterSeconds(resent) ?? params.start.resend_after;
+		process$1.stderr.write(`Verification email was sent recently. Wait ${formatSignupSeconds(retryAfter)} before trying again.\n`);
+		return {
+			pending: params.start,
+			resent: false
+		};
 	}
+	if (code === EXPIRED_TOKEN || code === INVALID_SIGNUP_TOKEN) deletePendingAgentSignup(params.configDir);
 	writeErrorWithHints(payload);
-	throw cliError("Could not resend Primitive CLI signup verification email.");
+	throw cliError("Could not resend Primitive agent signup verification email.");
 }
-async function runSignupWithCredentialLock(params) {
+async function runSignupStartWithCredentialLock(params) {
 	const { configDir, flags } = params;
 	const deps = params.deps ?? {};
 	const promptRequiredFn = deps.promptRequired ?? promptRequired;
-	const promptNewPasswordFn = deps.promptNewPassword ?? promptNewPassword;
-	const confirmTermsFn = deps.confirmTerms ?? confirmTerms;
-	const startFn = deps.startCliSignup ?? startCliSignup;
-	const verifyFn = deps.verifyCliSignup ?? verifyCliSignup;
-	const checkExistingLoginFn = deps.checkExistingLogin ?? checkExistingLogin;
+	const email = params.email ?? await promptRequiredFn("Email: ");
+	await checkExistingCredentials({
+		apiBaseUrl1: flags["api-base-url-1"],
+		configDir,
+		deps,
+		flags
+	});
+	const { apiClient, requestConfig } = createCliApiClient({
+		apiBaseUrl1: flags["api-base-url-1"],
+		configDir
+	});
+	const start = await startSignup({
+		apiBaseUrl1: requestConfig.resolvedApiBaseUrl1,
+		apiClient,
+		configDir,
+		deps,
+		email,
+		flags
+	});
+	if (start.started) writeStartInstructions(start.pending);
+}
+async function runSignupConfirmWithCredentialLock(params) {
+	const { configDir, flags } = params;
+	const deps = params.deps ?? {};
+	if (!params.skipExistingCredentialCheck) await checkExistingCredentials({
+		apiBaseUrl1: flags["api-base-url-1"],
+		configDir,
+		deps,
+		flags
+	});
 	const { apiClient, requestConfig } = createCliApiClient({
 		apiBaseUrl1: flags["api-base-url-1"],
 		configDir
 	});
 	const apiBaseUrl1 = requestConfig.resolvedApiBaseUrl1;
-	let existing;
-	try {
-		existing = loadCliCredentials(configDir);
-	} catch (error) {
-		if (!flags.force) throw error;
-		const detail = error instanceof Error ? error.message : String(error);
-		process$1.stderr.write(`Replacing unreadable Primitive CLI credentials because --force was set: ${detail}\n`);
-		existing = null;
-	}
-	if (existing && flags.force) process$1.stderr.write("Replacing saved Primitive CLI credentials after signup because --force was set.\n");
-	else if (existing) {
-		const existingStatus = await checkExistingLoginFn({
-			apiBaseUrl1: flags["api-base-url-1"],
+	const pending = requirePendingSignupForEmail({
+		apiBaseUrl1,
+		configDir,
+		email: params.email
+	});
+	const verified = await (deps.verifyAgentSignup ?? verifyAgentSignup)({
+		body: {
+			...flags["org-id"] ? { org_id: flags["org-id"] } : {},
+			signup_token: pending.signup_token,
+			verification_code: params.code
+		},
+		client: apiClient.client,
+		responseStyle: "fields"
+	});
+	if (verified.data) {
+		const signup = unwrapData(verified.data);
+		if (!signup) throw cliError("Primitive API returned an empty agent signup verification response.");
+		saveSignupCredentials({
+			apiBaseUrl1,
 			configDir,
-			credentials: existing
-		});
-		if (existingStatus.status === "removed_stale") process$1.stderr.write("Continuing with Primitive CLI signup...\n");
-		else if (existingStatus.status === "blocked") {
-			writeErrorWithHints(existingStatus.payload);
-			throw cliError(existingStatus.message);
-		} else throw cliError(`Already logged in${existing.org_name ? ` for ${existing.org_name}` : ""}. Run \`primitive logout\` before creating a new account.`);
-	}
-	if (flags.force) deletePendingCliSignup(configDir);
-	let start = flags.force ? null : loadPendingCliSignup(configDir, apiBaseUrl1);
-	const resumed = Boolean(start);
-	if (start) process$1.stderr.write(`Continuing pending Primitive CLI signup for ${start.email}.\n`);
-	else {
-		const signupCode = await promptRequiredFn("Signup code: ");
-		await confirmTermsFn();
-		const email = await promptRequiredFn("Email: ");
-		const started = await startFn({
-			body: {
-				device_name: flags["device-name"] ?? hostname(),
-				email,
-				signup_code: signupCode,
-				terms_accepted: true
-			},
-			client: apiClient.client,
-			responseStyle: "fields"
+			signup
 		});
-		if (started.error) {
-			writeErrorWithHints(extractErrorPayload(started.error));
-			throw cliError("Could not start Primitive CLI signup.");
-		}
-		const startResult = unwrapData(started.data);
-		if (!startResult) throw cliError("Primitive API returned an empty CLI signup response.");
-		start = savePendingCliSignup(configDir, startResult, apiBaseUrl1);
+		deletePendingAgentSignup(configDir);
+		const org = signup.org_name ? ` (${signup.org_name})` : "";
+		process$1.stderr.write(`Logged in to org ${signup.org_id}${org}.\n`);
+		process$1.stderr.write(`Saved credentials to ${credentialsPath(configDir)}.\n`);
+		return;
 	}
-	if (resumed) process$1.stderr.write(`Check your email for the ${start.verification_code_length}-digit verification code sent to ${start.email}.\n`);
-	else process$1.stderr.write(`Sent a ${start.verification_code_length}-digit verification code to ${start.email}.\n`);
+	const payload = extractErrorPayload(verified.error);
+	const code = extractErrorCode(payload);
+	if (code === INVALID_VERIFICATION_CODE) throw cliError("Invalid verification code. Try again or run signup resend.");
+	if (code === EXPIRED_TOKEN || code === INVALID_SIGNUP_TOKEN) deletePendingAgentSignup(configDir);
+	writeErrorWithHints(payload);
+	throw cliError("Primitive agent signup failed while verifying the account.");
+}
+async function runSignupResendWithCredentialLock(params) {
+	const deps = params.deps ?? {};
+	const { apiClient, requestConfig } = createCliApiClient({
+		apiBaseUrl1: params.flags["api-base-url-1"],
+		configDir: params.configDir
+	});
+	const pending = requirePendingSignupForEmail({
+		apiBaseUrl1: requestConfig.resolvedApiBaseUrl1,
+		configDir: params.configDir,
+		email: params.email
+	});
+	const resend = await resendVerificationCode({
+		apiBaseUrl1: requestConfig.resolvedApiBaseUrl1,
+		apiClient,
+		configDir: params.configDir,
+		deps,
+		start: pending
+	});
+	if (resend.resent) process$1.stderr.write(`Sent a new ${resend.pending.verification_code_length}-digit verification code to ${resend.pending.email}. It expires in ${formatSignupSeconds(resend.pending.expires_in)}.\n`);
+}
+async function runSignupInteractiveWithCredentialLock(params) {
+	const { configDir, flags } = params;
+	const deps = params.deps ?? {};
+	const promptRequiredFn = deps.promptRequired ?? promptRequired;
+	await checkExistingCredentials({
+		apiBaseUrl1: flags["api-base-url-1"],
+		configDir,
+		deps,
+		flags
+	});
+	const { apiClient, requestConfig } = createCliApiClient({
+		apiBaseUrl1: flags["api-base-url-1"],
+		configDir
+	});
+	const apiBaseUrl1 = requestConfig.resolvedApiBaseUrl1;
+	let start = flags.force ? null : loadPendingAgentSignup(configDir, apiBaseUrl1);
+	if (start) process$1.stderr.write(`Continuing pending Primitive signup for ${start.email}.\n`);
+	else start = (await startSignup({
+		apiBaseUrl1,
+		apiClient,
+		configDir,
+		deps,
+		email: await promptRequiredFn("Email: "),
+		flags
+	})).pending;
+	process$1.stderr.write(`Check your email for the ${start.verification_code_length}-digit verification code sent to ${start.email}.\n`);
 	process$1.stderr.write(`The code expires in ${formatSignupSeconds(start.expires_in)}.\n`);
 	process$1.stderr.write(`Enter the code from the email, or type \`resend\` to send a new code after ${formatSignupSeconds(start.resend_after)}.\n`);
 	while (true) {
 		const verificationCode = await promptRequiredFn(`Verification code (${start.verification_code_length} digits): `);
 		if (verificationCode.toLowerCase() === "resend") {
-			start = await resendVerificationCode({
+			const resend = await resendVerificationCode({
 				apiBaseUrl1,
 				apiClient,
 				configDir,
 				deps,
 				start
 			});
+			start = resend.pending;
+			if (resend.resent) process$1.stderr.write(`Sent a new ${start.verification_code_length}-digit verification code. It expires in ${formatSignupSeconds(start.expires_in)}.\n`);
 			continue;
 		}
-		let password = await promptNewPasswordFn();
-		while (true) {
-			const verified = await verifyFn({
-				body: {
-					password,
-					signup_token: start.signup_token,
-					verification_code: verificationCode
+		try {
+			await runSignupConfirmWithCredentialLock({
+				code: verificationCode,
+				configDir,
+				deps,
+				email: start.email,
+				flags: {
+					"api-base-url-1": flags["api-base-url-1"],
+					force: true
 				},
-				client: apiClient.client,
-				responseStyle: "fields"
+				skipExistingCredentialCheck: true
 			});
-			if (verified.data) {
-				const signup = unwrapData(verified.data);
-				if (!signup) throw cliError("Primitive API returned an empty CLI signup verification response.");
-				saveCliCredentials(configDir, {
-					api_key: signup.api_key,
-					api_base_url_1: apiBaseUrl1,
-					created_at: (/* @__PURE__ */ new Date()).toISOString(),
-					key_id: signup.key_id,
-					key_prefix: signup.key_prefix,
-					org_id: signup.org_id,
-					org_name: signup.org_name
-				});
-				deletePendingCliSignup(configDir);
-				const org = signup.org_name ? ` (${signup.org_name})` : "";
-				process$1.stderr.write(`Created account and logged in to org ${signup.org_id}${org}.\n`);
-				process$1.stderr.write(`Saved credentials to ${credentialsPath(configDir)}.\n`);
-				return;
-			}
-			const payload = extractErrorPayload(verified.error);
-			const code = extractErrorCode(payload);
-			if (code === INVALID_VERIFICATION_CODE) {
+			return;
+		} catch (error) {
+			if (error instanceof Errors.CLIError && error.message.startsWith("Invalid verification code.")) {
 				process$1.stderr.write("Invalid verification code. Try again or type `resend`.\n");
-				break;
-			}
-			if (shouldRetrySignupPassword(code)) {
-				const message = signupErrorMessage(payload);
-				if (message) process$1.stderr.write(`Password rejected: ${message}\n`);
-				process$1.stderr.write("Choose a different password and try again.\n");
-				password = await promptNewPasswordFn();
 				continue;
 			}
-			if (code === EXPIRED_TOKEN || code === INVALID_SIGNUP_TOKEN) deletePendingCliSignup(configDir);
-			writeErrorWithHints(payload);
-			throw cliError("Primitive CLI signup failed while verifying the account.");
+			throw error;
 		}
 	}
 }
+function commonStartFlags() {
+	return {
+		"accept-terms": Flags.boolean({ description: "Confirm acceptance of Primitive's Terms of Service and Privacy Policy" }),
+		"api-base-url-1": Flags.string({
+			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
+			env: "PRIMITIVE_API_BASE_URL_1",
+			hidden: true
+		}),
+		"device-name": Flags.string({ description: "Device name used for the created CLI OAuth session" }),
+		force: Flags.boolean({
+			char: "f",
+			description: "Replace saved credentials or pending signup state when needed"
+		}),
+		"signup-code": Flags.string({
+			description: "Signup code required to create an account",
+			env: "PRIMITIVE_SIGNUP_CODE"
+		})
+	};
+}
 var SignupCommand = class SignupCommand extends Command {
-	static description = "Create a Primitive account from the terminal, verify your email, and save an org-scoped CLI API key locally.";
-	static summary = "Create an account and log in";
+	static args = { email: Args.string({
+		description: "Email address to sign up",
+		required: false
+	}) };
+	static description = "Start a Primitive account signup, send an email verification code, and save a pending signup token locally.";
+	static summary = "Start account signup";
 	static examples = [
-		"<%= config.bin %> signup",
-		"<%= config.bin %> signup --device-name work-laptop",
-		"<%= config.bin %> signup --force"
+		"<%= config.bin %> signup user@example.com",
+		"<%= config.bin %> signup user@example.com --signup-code invite-code --accept-terms",
+		"<%= config.bin %> signup confirm user@example.com 123456"
 	];
+	static flags = commonStartFlags();
+	async run() {
+		const { args, flags } = await this.parse(SignupCommand);
+		let releaseCredentialsLock;
+		try {
+			releaseCredentialsLock = acquireCliCredentialsLock(this.config.configDir);
+		} catch (error) {
+			throw cliError(error instanceof Error ? error.message : String(error));
+		}
+		try {
+			await runSignupStartWithCredentialLock({
+				configDir: this.config.configDir,
+				email: args.email,
+				flags
+			});
+		} finally {
+			releaseCredentialsLock();
+		}
+	}
+};
+var SignupConfirmCommand = class SignupConfirmCommand extends Command {
+	static args = {
+		email: Args.string({
+			description: "Email address used to start signup",
+			required: true
+		}),
+		code: Args.string({
+			description: "Verification code from the signup email",
+			required: true
+		})
+	};
+	static description = "Confirm a pending Primitive signup, create an OAuth session, and save CLI credentials locally.";
+	static summary = "Confirm account signup";
+	static examples = ["<%= config.bin %> signup confirm user@example.com 123456", "<%= config.bin %> signup confirm user@example.com 123456 --org-id 00000000-0000-4000-8000-000000000000"];
 	static flags = {
 		"api-base-url-1": Flags.string({
 			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
 			env: "PRIMITIVE_API_BASE_URL_1",
 			hidden: true
 		}),
-		"device-name": Flags.string({ description: "Device name used for the created CLI API key" }),
 		force: Flags.boolean({
 			char: "f",
-			description: "Replace saved credentials without first verifying the existing login"
-		})
+			description: "Replace saved credentials after verification"
+		}),
+		"org-id": Flags.string({ description: "Workspace id to target when the email belongs to multiple workspaces" })
 	};
 	async run() {
-		const { flags } = await this.parse(SignupCommand);
+		const { args, flags } = await this.parse(SignupConfirmCommand);
 		let releaseCredentialsLock;
 		try {
 			releaseCredentialsLock = acquireCliCredentialsLock(this.config.configDir);
@@ -15860,27 +16905,81 @@ var SignupCommand = class SignupCommand extends Command {
 			throw cliError(error instanceof Error ? error.message : String(error));
 		}
 		try {
-			await this.runWithCredentialLock(flags);
+			await runSignupConfirmWithCredentialLock({
+				code: args.code,
+				configDir: this.config.configDir,
+				email: args.email,
+				flags
+			});
 		} finally {
 			releaseCredentialsLock();
 		}
 	}
-	async runWithCredentialLock(flags) {
-		await runSignupWithCredentialLock({
-			configDir: this.config.configDir,
-			flags
-		});
+};
+var SignupResendCommand = class SignupResendCommand extends Command {
+	static args = { email: Args.string({
+		description: "Email address used to start signup",
+		required: true
+	}) };
+	static description = "Resend the verification code for a pending signup.";
+	static summary = "Resend signup verification code";
+	static examples = ["<%= config.bin %> signup resend user@example.com"];
+	static flags = { "api-base-url-1": Flags.string({
+		description: "Override the primary API base URL. Internal testing only; not documented to customers.",
+		env: "PRIMITIVE_API_BASE_URL_1",
+		hidden: true
+	}) };
+	async run() {
+		const { args, flags } = await this.parse(SignupResendCommand);
+		let releaseCredentialsLock;
+		try {
+			releaseCredentialsLock = acquireCliCredentialsLock(this.config.configDir);
+		} catch (error) {
+			throw cliError(error instanceof Error ? error.message : String(error));
+		}
+		try {
+			await runSignupResendWithCredentialLock({
+				configDir: this.config.configDir,
+				email: args.email,
+				flags
+			});
+		} finally {
+			releaseCredentialsLock();
+		}
+	}
+};
+var SignupInteractiveCommand = class SignupInteractiveCommand extends Command {
+	static description = "Run the full signup flow in one interactive terminal session.";
+	static summary = "Run interactive account signup";
+	static examples = ["<%= config.bin %> signup interactive"];
+	static flags = commonStartFlags();
+	async run() {
+		const { flags } = await this.parse(SignupInteractiveCommand);
+		let releaseCredentialsLock;
+		try {
+			releaseCredentialsLock = acquireCliCredentialsLock(this.config.configDir);
+		} catch (error) {
+			throw cliError(error instanceof Error ? error.message : String(error));
+		}
+		try {
+			await runSignupInteractiveWithCredentialLock({
+				configDir: this.config.configDir,
+				flags
+			});
+		} finally {
+			releaseCredentialsLock();
+		}
 	}
 };
 //#endregion
 //#region src/oclif/commands/whoami.ts
 var WhoamiCommand = class WhoamiCommand extends Command {
-	static description = `Print the account currently authenticated by the API key. Useful as a credentials smoke test: confirms the key is live and shows which account it belongs to.`;
+	static description = `Print the account currently authenticated by saved OAuth credentials or an explicit API key. Useful as a credentials smoke test: confirms auth is live and shows which account it belongs to.`;
 	static summary = "Print the authenticated account (credentials smoke test)";
 	static examples = ["<%= config.bin %> whoami", "<%= config.bin %> whoami --api-key prim_..."];
 	static flags = {
 		"api-key": Flags.string({
-			description: "Primitive API key (defaults to PRIMITIVE_API_KEY or saved `primitive login` credentials)",
+			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
 		"api-base-url-1": Flags.string({
@@ -15898,7 +16997,7 @@ var WhoamiCommand = class WhoamiCommand extends Command {
 	async run() {
 		const { flags } = await this.parse(WhoamiCommand);
 		await runWithTiming(flags.time, async () => {
-			const { apiClient, auth, baseUrlOverridden } = createAuthenticatedCliApiClient({
+			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
 				apiBaseUrl1: flags["api-base-url-1"],
 				apiBaseUrl2: flags["api-base-url-2"],
@@ -15992,7 +17091,7 @@ function renderFishCompletion(binName) {
 		for (const operation of topicOperations) {
 			lines.push(`complete -c ${binName} -f -n '__fish_${binName}_topic_needs_subcommand ${fishEscape(topic)}' -a '${fishEscape(operation.command)}' -d '${fishEscape(operation.summary ?? `${operation.method} ${operation.path}`)}'`);
 			for (const parameter of [...operation.pathParams, ...operation.queryParams]) lines.push(`complete -c ${binName} -n '${operationCondition(operation).replace(BIN_PLACEHOLDER, binName)}' -l '${fishEscape(parameter.name.replace(/_/g, "-"))}' -r -d '${fishEscape(parameter.description ?? parameter.name)}'`);
-			lines.push(`complete -c ${binName} -n '${operationCondition(operation).replace(BIN_PLACEHOLDER, binName)}' -l 'api-key' -r -d 'Primitive API key (defaults to PRIMITIVE_API_KEY or saved primitive login credentials)'`);
+			lines.push(`complete -c ${binName} -n '${operationCondition(operation).replace(BIN_PLACEHOLDER, binName)}' -l 'api-key' -r -d 'Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)'`);
 			if (!operation.binaryResponse) lines.push(`complete -c ${binName} -n '${operationCondition(operation).replace(BIN_PLACEHOLDER, binName)}' -l 'envelope' -d 'Print the full response envelope, including pagination metadata'`);
 			if (operation.hasJsonBody) lines.push(`complete -c ${binName} -n '${operationCondition(operation).replace(BIN_PLACEHOLDER, binName)}' -l 'body' -r -d 'JSON request body'`, `complete -c ${binName} -n '${operationCondition(operation).replace(BIN_PLACEHOLDER, binName)}' -l 'body-file' -r -d 'Path to a JSON file used as the request body'`);
 			if (operation.binaryResponse) lines.push(`complete -c ${binName} -n '${operationCondition(operation).replace(BIN_PLACEHOLDER, binName)}' -l 'output' -r -d 'Write binary response bytes to a file'`);
@@ -16145,6 +17244,9 @@ const COMMANDS = {
 	chat: ChatCommand,
 	login: LoginCommand,
 	signup: SignupCommand,
+	"signup:confirm": SignupConfirmCommand,
+	"signup:interactive": SignupInteractiveCommand,
+	"signup:resend": SignupResendCommand,
 	logout: LogoutCommand,
 	whoami: WhoamiCommand,
 	doctor: DoctorCommand,