@primitivedotdev/cli 0.31.1 → 0.31.3

package/dist/oclif/index.js

@@ -667,11 +667,13 @@ var sdk_gen_exports = /* @__PURE__ */ __exportAll({
 	replayDelivery: () => replayDelivery,
 	replayEmailWebhooks: () => replayEmailWebhooks,
 	replyToEmail: () => replyToEmail,
+	resendAgentSignupVerification: () => resendAgentSignupVerification,
 	resendCliSignupVerification: () => resendCliSignupVerification,
 	rotateWebhookSecret: () => rotateWebhookSecret,
 	searchEmails: () => searchEmails,
 	sendEmail: () => sendEmail,
 	setFunctionSecret: () => setFunctionSecret,
+	startAgentSignup: () => startAgentSignup,
 	startCliLogin: () => startCliLogin,
 	startCliSignup: () => startCliSignup,
 	testEndpoint: () => testEndpoint,
@@ -681,6 +683,7 @@ var sdk_gen_exports = /* @__PURE__ */ __exportAll({
 	updateEndpoint: () => updateEndpoint,
 	updateFilter: () => updateFilter,
 	updateFunction: () => updateFunction,
+	verifyAgentSignup: () => verifyAgentSignup,
 	verifyCliSignup: () => verifyCliSignup,
 	verifyDomain: () => verifyDomain
 });
@@ -704,8 +707,8 @@ const startCliLogin = (options) => (options?.client ?? client).post({
 * Poll CLI browser login
 *
 * Polls a CLI login session until the browser approval either succeeds,
-* is denied, expires, or is polled too quickly. The API key is generated
-* only after approval and is returned exactly once.
+* is denied, expires, or is polled too quickly. The OAuth token set is
+* created only after approval and is returned exactly once.
 *
 */
 const pollCliLogin = (options) => (options.client ?? client).post({
@@ -749,11 +752,12 @@ const resendCliSignupVerification = (options) => (options.client ?? client).post
 	}
 });
 /**
-* Verify CLI signup and create API key
+* Verify CLI signup and create OAuth session
 *
 * Verifies the email code for a CLI signup session, creates the account,
-* redeems the reserved signup code, mints an org-scoped CLI API key, and
-* returns the raw key exactly once. This endpoint does not require an API key.
+* redeems the reserved signup code, creates an org-scoped OAuth CLI
+* session, and returns the token set exactly once. This endpoint does not
+* require an API key.
 *
 */
 const verifyCliSignup = (options) => (options.client ?? client).post({
@@ -765,10 +769,61 @@ const verifyCliSignup = (options) => (options.client ?? client).post({
 	}
 });
 /**
-* Revoke the current CLI API key
+* Start agent account signup
 *
-* Revokes the API key used to authenticate the request. CLI clients use
-* this endpoint during `primitive logout` before removing local credentials.
+* Starts an agent-native signup session. The API validates the signup code,
+* creates a pending signup session, sends an email verification code, and
+* returns an opaque signup token used by the resend and verify steps. This
+* endpoint does not require an API key.
+*
+*/
+const startAgentSignup = (options) => (options.client ?? client).post({
+	url: "/agent/signup/start",
+	...options,
+	headers: {
+		...options.body !== void 0 && { "Content-Type": "application/json" },
+		...options.headers
+	}
+});
+/**
+* Resend agent signup verification code
+*
+* Sends a new email verification code for a pending agent signup session.
+* This endpoint does not require an API key.
+*
+*/
+const resendAgentSignupVerification = (options) => (options.client ?? client).post({
+	url: "/agent/signup/resend",
+	...options,
+	headers: {
+		...options.body !== void 0 && { "Content-Type": "application/json" },
+		...options.headers
+	}
+});
+/**
+* Verify agent signup and create OAuth tokens
+*
+* Verifies the email code for an agent signup session, creates the account
+* when needed, redeems the reserved signup code, mints an org-scoped OAuth
+* session for CLI authentication, and returns the raw tokens exactly once.
+* For existing users, the optional `org_id` selects which accessible
+* workspace should receive the new session.
+*
+*/
+const verifyAgentSignup = (options) => (options.client ?? client).post({
+	url: "/agent/signup/verify",
+	...options,
+	headers: {
+		...options.body !== void 0 && { "Content-Type": "application/json" },
+		...options.headers
+	}
+});
+/**
+* Revoke the current CLI OAuth session
+*
+* Revokes the OAuth grant used to authenticate the request. API-key
+* authenticated legacy logout requests succeed without deleting server API
+* keys so old local CLI state can be cleared safely.
 *
 */
 const cliLogout = (options) => (options?.client ?? client).post({
@@ -1778,7 +1833,7 @@ const openapiDocument = {
 	"info": {
 		"title": "Primitive API",
 		"version": "1.0.0",
-		"description": "The Primitive API lets you manage domains, emails, webhook endpoints,\nfilters, and account settings programmatically.\n\n## Authentication\n\nMost endpoints require a Bearer token in the `Authorization` header:\n\n```\nAuthorization: Bearer prim_<your_api_key>\n```\n\nAPI keys are org-scoped. Create and manage them in your dashboard\nunder Settings > API Keys. CLI login and signup endpoints explicitly\ndeclare `security: []`; they do not require an API key because they\nare used to mint one.\n\n## Rate Limiting\n\nThe API enforces a sliding window rate limit of **120 requests per\n60 seconds** per organization. When exceeded, the API returns `429`\nwith a `Retry-After` header indicating how many seconds to wait.\n\n## Pagination\n\nList endpoints use cursor-based pagination. Responses include a\n`meta` object with `total`, `limit`, and `cursor` fields. Pass the\n`cursor` value as a query parameter to fetch the next page. When\n`cursor` is `null`, there are no more results.\n\n## Response Format\n\nAll responses use a consistent envelope:\n\n```json\n{\n  \"success\": true,\n  \"data\": { ... },\n  \"meta\": { \"total\": 42, \"limit\": 50, \"cursor\": \"...\" }\n}\n```\n\nErrors follow the same pattern:\n\n```json\n{\n  \"success\": false,\n  \"error\": { \"code\": \"not_found\", \"message\": \"Email not found\" }\n}\n```\n\n## Webhook signing\n\nOutbound webhook deliveries (configured via the `endpoints` API)\nare signed so receivers can verify they came from Primitive and\nhave not been tampered with in transit. The signing scheme is\ndeliberately simple so it can be reimplemented in any language\nin a few lines. The Node SDK's `verifyWebhookSignature` helper\nis the reference implementation; the wire details below let you\nwrite a verifier in Python, Go, Ruby, etc. without reading our\nsource.\n\n**Header**: `Primitive-Signature: t=<unix-seconds>,v1=<hex>`\n\nA legacy `MyMX-Signature` header is also sent on every delivery\nwith the same value, retained for back-compatibility with\nintegrations written before the rename. New code should read\n`Primitive-Signature`.\n\n**Signed string**: `${timestamp}.${rawBody}` where `timestamp`\nis the Unix-seconds integer from the `t=` parameter and\n`rawBody` is the exact bytes of the HTTP request body BEFORE\nany JSON decoding. Verify against the raw body, not a\nre-serialized parse, or you will silently mismatch on\ninsignificant whitespace.\n\n**Signature**: HMAC-SHA256 of the signed string, hex-encoded\n(lowercase). Use the account's webhook secret as the HMAC key,\nas a UTF-8 byte sequence.\n\n**Secret**: returned by `GET /account/webhook-secret`. The\nstring looks base64-shaped (e.g. `XNHBBW8VqoBjRfNs1tkZj11jTk...`)\nbut is NOT base64; use it AS-IS as a UTF-8 string for the HMAC\nkey. Base64-decoding before HMAC will silently produce\nmismatched signatures.\n\n**Tolerance**: by convention, reject deliveries whose `t=`\ntimestamp is more than 5 minutes off your wall-clock to defend\nagainst replay attacks. The Node SDK's helper enforces this by\ndefault.\n\n**Verification recipe** (any language):\n\n```\n1. Read the raw HTTP body (do not parse).\n2. Read `Primitive-Signature: t=<ts>,v1=<sig>`.\n3. Reject if abs(now - ts) > 300 seconds.\n4. expected = HMAC_SHA256_hex(secret_utf8, f\"{ts}.{rawBody}\")\n5. Constant-time compare expected to sig. Reject if not equal.\n```\n\nFor Node, use `verifyWebhookSignature` from\n`@primitivedotdev/sdk/webhook` (or the higher-level\n`handleWebhook` helper if you want a one-liner). For other\nlanguages, the recipe above is everything you need.\n\nTest deliveries: `POST /endpoints/{id}/test` triggers a fake\ndelivery to your endpoint URL, signed with your real account\nsecret, so you can confirm verification end-to-end without\nneeding real inbound mail. The test response carries the exact\n`signature` header value sent on the wire so you can compare\nstrings directly.\n",
+		"description": "The Primitive API lets you manage domains, emails, webhook endpoints,\nfilters, and account settings programmatically.\n\n## Authentication\n\nMost endpoints require a Bearer token in the `Authorization` header:\n\n```\nAuthorization: Bearer prim_<your_api_key>\n```\n\nAPI keys are org-scoped. Create and manage them in your dashboard\nunder Settings > API Keys. CLI login plus CLI/agent signup endpoints\nexplicitly declare `security: []`; they do not require an API key because\nthey are used to create OAuth CLI sessions.\n\n## Rate Limiting\n\nThe API enforces a sliding window rate limit of **120 requests per\n60 seconds** per organization. When exceeded, the API returns `429`\nwith a `Retry-After` header indicating how many seconds to wait.\n\n## Pagination\n\nList endpoints use cursor-based pagination. Responses include a\n`meta` object with `total`, `limit`, and `cursor` fields. Pass the\n`cursor` value as a query parameter to fetch the next page. When\n`cursor` is `null`, there are no more results.\n\n## Response Format\n\nAll responses use a consistent envelope:\n\n```json\n{\n  \"success\": true,\n  \"data\": { ... },\n  \"meta\": { \"total\": 42, \"limit\": 50, \"cursor\": \"...\" }\n}\n```\n\nErrors follow the same pattern:\n\n```json\n{\n  \"success\": false,\n  \"error\": { \"code\": \"not_found\", \"message\": \"Email not found\" }\n}\n```\n\n## Webhook signing\n\nOutbound webhook deliveries (configured via the `endpoints` API)\nare signed so receivers can verify they came from Primitive and\nhave not been tampered with in transit. The signing scheme is\ndeliberately simple so it can be reimplemented in any language\nin a few lines. The Node SDK's `verifyWebhookSignature` helper\nis the reference implementation; the wire details below let you\nwrite a verifier in Python, Go, Ruby, etc. without reading our\nsource.\n\n**Header**: `Primitive-Signature: t=<unix-seconds>,v1=<hex>`\n\nA legacy `MyMX-Signature` header is also sent on every delivery\nwith the same value, retained for back-compatibility with\nintegrations written before the rename. New code should read\n`Primitive-Signature`.\n\n**Signed string**: `${timestamp}.${rawBody}` where `timestamp`\nis the Unix-seconds integer from the `t=` parameter and\n`rawBody` is the exact bytes of the HTTP request body BEFORE\nany JSON decoding. Verify against the raw body, not a\nre-serialized parse, or you will silently mismatch on\ninsignificant whitespace.\n\n**Signature**: HMAC-SHA256 of the signed string, hex-encoded\n(lowercase). Use the account's webhook secret as the HMAC key,\nas a UTF-8 byte sequence.\n\n**Secret**: returned by `GET /account/webhook-secret`. The\nstring looks base64-shaped (e.g. `XNHBBW8VqoBjRfNs1tkZj11jTk...`)\nbut is NOT base64; use it AS-IS as a UTF-8 string for the HMAC\nkey. Base64-decoding before HMAC will silently produce\nmismatched signatures.\n\n**Tolerance**: by convention, reject deliveries whose `t=`\ntimestamp is more than 5 minutes off your wall-clock to defend\nagainst replay attacks. The Node SDK's helper enforces this by\ndefault.\n\n**Verification recipe** (any language):\n\n```\n1. Read the raw HTTP body (do not parse).\n2. Read `Primitive-Signature: t=<ts>,v1=<sig>`.\n3. Reject if abs(now - ts) > 300 seconds.\n4. expected = HMAC_SHA256_hex(secret_utf8, f\"{ts}.{rawBody}\")\n5. Constant-time compare expected to sig. Reject if not equal.\n```\n\nFor Node, use `verifyWebhookSignature` from\n`@primitivedotdev/sdk/webhook` (or the higher-level\n`handleWebhook` helper if you want a one-liner). For other\nlanguages, the recipe above is everything you need.\n\nTest deliveries: `POST /endpoints/{id}/test` triggers a fake\ndelivery to your endpoint URL, signed with your real account\nsecret, so you can confirm verification end-to-end without\nneeding real inbound mail. The test response carries the exact\n`signature` header value sent on the wire so you can compare\nstrings directly.\n",
 		"contact": {
 			"name": "Primitive",
 			"url": "https://primitive.dev"
@@ -1801,6 +1856,10 @@ const openapiDocument = {
 			"name": "CLI",
 			"description": "Browser-assisted CLI authentication"
 		},
+		{
+			"name": "Agent",
+			"description": "Agent signup and authentication"
+		},
 		{
 			"name": "Account",
 			"description": "Manage your account settings, storage, and webhook secret"
@@ -1864,7 +1923,7 @@ const openapiDocument = {
 		"/cli/login/poll": { "post": {
 			"operationId": "pollCliLogin",
 			"summary": "Poll CLI browser login",
-			"description": "Polls a CLI login session until the browser approval either succeeds,\nis denied, expires, or is polled too quickly. The API key is generated\nonly after approval and is returned exactly once.\n",
+			"description": "Polls a CLI login session until the browser approval either succeeds,\nis denied, expires, or is polled too quickly. The OAuth token set is\ncreated only after approval and is returned exactly once.\n",
 			"tags": ["CLI"],
 			"security": [],
 			"requestBody": {
@@ -1873,7 +1932,7 @@ const openapiDocument = {
 			},
 			"responses": {
 				"200": {
-					"description": "CLI login approved and API key created",
+					"description": "CLI login approved and OAuth token set created",
 					"headers": { "Cache-Control": {
 						"schema": { "type": "string" },
 						"description": "Always `no-store`"
@@ -2014,8 +2073,8 @@ const openapiDocument = {
 		} },
 		"/cli/signup/verify": { "post": {
 			"operationId": "verifyCliSignup",
-			"summary": "Verify CLI signup and create API key",
-			"description": "Verifies the email code for a CLI signup session, creates the account,\nredeems the reserved signup code, mints an org-scoped CLI API key, and\nreturns the raw key exactly once. This endpoint does not require an API key.\n",
+			"summary": "Verify CLI signup and create OAuth session",
+			"description": "Verifies the email code for a CLI signup session, creates the account,\nredeems the reserved signup code, creates an org-scoped OAuth CLI\nsession, and returns the token set exactly once. This endpoint does not\nrequire an API key.\n",
 			"tags": ["CLI"],
 			"security": [],
 			"requestBody": {
@@ -2024,7 +2083,7 @@ const openapiDocument = {
 			},
 			"responses": {
 				"200": {
-					"description": "CLI signup verified and API key created",
+					"description": "CLI signup verified and OAuth token set created",
 					"headers": { "Cache-Control": {
 						"schema": { "type": "string" },
 						"description": "Always `no-store`"
@@ -2041,10 +2100,106 @@ const openapiDocument = {
 				"429": { "$ref": "#/components/responses/RateLimited" }
 			}
 		} },
+		"/agent/signup/start": { "post": {
+			"operationId": "startAgentSignup",
+			"summary": "Start agent account signup",
+			"description": "Starts an agent-native signup session. The API validates the signup code,\ncreates a pending signup session, sends an email verification code, and\nreturns an opaque signup token used by the resend and verify steps. This\nendpoint does not require an API key.\n",
+			"tags": ["Agent"],
+			"security": [],
+			"requestBody": {
+				"required": true,
+				"content": { "application/json": { "schema": { "$ref": "#/components/schemas/StartAgentSignupInput" } } }
+			},
+			"responses": {
+				"201": {
+					"description": "Agent signup session created and verification email sent",
+					"headers": { "Cache-Control": {
+						"schema": { "type": "string" },
+						"description": "Always `no-store`"
+					} },
+					"content": { "application/json": { "schema": { "allOf": [{ "$ref": "#/components/schemas/SuccessEnvelope" }, {
+						"type": "object",
+						"properties": { "data": { "$ref": "#/components/schemas/AgentSignupStartResult" } }
+					}] } } }
+				},
+				"400": { "$ref": "#/components/responses/ValidationError" },
+				"429": { "$ref": "#/components/responses/RateLimited" }
+			}
+		} },
+		"/agent/signup/resend": { "post": {
+			"operationId": "resendAgentSignupVerification",
+			"summary": "Resend agent signup verification code",
+			"description": "Sends a new email verification code for a pending agent signup session.\nThis endpoint does not require an API key.\n",
+			"tags": ["Agent"],
+			"security": [],
+			"requestBody": {
+				"required": true,
+				"content": { "application/json": { "schema": { "$ref": "#/components/schemas/ResendAgentSignupVerificationInput" } } }
+			},
+			"responses": {
+				"200": {
+					"description": "Verification email resent",
+					"headers": { "Cache-Control": {
+						"schema": { "type": "string" },
+						"description": "Always `no-store`"
+					} },
+					"content": { "application/json": { "schema": { "allOf": [{ "$ref": "#/components/schemas/SuccessEnvelope" }, {
+						"type": "object",
+						"properties": { "data": { "$ref": "#/components/schemas/AgentSignupResendResult" } }
+					}] } } }
+				},
+				"400": {
+					"description": "Invalid token or expired token",
+					"content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } }
+				},
+				"429": {
+					"description": "Global rate limit exceeded or resend requested too quickly",
+					"headers": { "Retry-After": {
+						"schema": { "type": "integer" },
+						"description": "Seconds to wait before retrying"
+					} },
+					"content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } }
+				}
+			}
+		} },
+		"/agent/signup/verify": { "post": {
+			"operationId": "verifyAgentSignup",
+			"summary": "Verify agent signup and create OAuth tokens",
+			"description": "Verifies the email code for an agent signup session, creates the account\nwhen needed, redeems the reserved signup code, mints an org-scoped OAuth\nsession for CLI authentication, and returns the raw tokens exactly once.\nFor existing users, the optional `org_id` selects which accessible\nworkspace should receive the new session.\n",
+			"tags": ["Agent"],
+			"security": [],
+			"requestBody": {
+				"required": true,
+				"content": { "application/json": { "schema": { "$ref": "#/components/schemas/VerifyAgentSignupInput" } } }
+			},
+			"responses": {
+				"200": {
+					"description": "Agent signup verified and OAuth tokens created",
+					"headers": { "Cache-Control": {
+						"schema": { "type": "string" },
+						"description": "Always `no-store`"
+					} },
+					"content": { "application/json": { "schema": { "allOf": [{ "$ref": "#/components/schemas/SuccessEnvelope" }, {
+						"type": "object",
+						"properties": { "data": { "$ref": "#/components/schemas/AgentSignupVerifyResult" } }
+					}] } } }
+				},
+				"400": {
+					"description": "Invalid request, invalid verification code, expired token, invalid signup code, or account creation failure",
+					"content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } }
+				},
+				"403": { "$ref": "#/components/responses/Forbidden" },
+				"409": {
+					"description": "Existing account is not in a usable workspace state",
+					"content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } }
+				},
+				"429": { "$ref": "#/components/responses/RateLimited" }
+			}
+		} },
 		"/cli/logout": { "post": {
 			"operationId": "cliLogout",
-			"summary": "Revoke the current CLI API key",
-			"description": "Revokes the API key used to authenticate the request. CLI clients use\nthis endpoint during `primitive logout` before removing local credentials.\n",
+			"summary": "Revoke the current CLI OAuth session",
+			"description": "Revokes the OAuth grant used to authenticate the request. API-key\nauthenticated legacy logout requests succeed without deleting server API\nkeys so old local CLI state can be cleared safely.\n",
 			"tags": ["CLI"],
 			"requestBody": {
 				"required": false,
@@ -2052,7 +2207,7 @@ const openapiDocument = {
 			},
 			"responses": {
 				"200": {
-					"description": "CLI API key revoked",
+					"description": "CLI logout completed",
 					"content": { "application/json": { "schema": { "allOf": [{ "$ref": "#/components/schemas/SuccessEnvelope" }, {
 						"type": "object",
 						"properties": { "data": { "$ref": "#/components/schemas/CliLogoutResult" } }
@@ -3780,7 +3935,14 @@ const openapiDocument = {
 									"slow_down",
 									"access_denied",
 									"expired_token",
-									"invalid_device_code"
+									"invalid_device_code",
+									"invalid_signup_code",
+									"invalid_signup_token",
+									"invalid_verification_code",
+									"email_delivery_failed",
+									"clerk_signup_failed",
+									"no_orgs_for_user",
+									"org_not_accessible"
 								]
 							},
 							"message": { "type": "string" },
@@ -3964,13 +4126,42 @@ const openapiDocument = {
 				"properties": {
 					"api_key": {
 						"type": "string",
-						"description": "Newly-created API key for CLI authentication"
+						"description": "Legacy alias for access_token. New CLI builds should persist access_token and refresh_token."
 					},
 					"key_id": {
+						"type": "string",
+						"format": "uuid",
+						"description": "Legacy alias for oauth_grant_id"
+					},
+					"key_prefix": {
+						"type": "string",
+						"description": "Legacy display prefix derived from access_token"
+					},
+					"access_token": {
+						"type": "string",
+						"description": "OAuth access token for CLI API authentication"
+					},
+					"refresh_token": {
+						"type": "string",
+						"description": "OAuth refresh token used by the CLI to renew access"
+					},
+					"token_type": {
+						"type": "string",
+						"enum": ["Bearer"]
+					},
+					"expires_in": {
+						"type": "integer",
+						"description": "Seconds until access_token expires"
+					},
+					"auth_method": {
+						"type": "string",
+						"enum": ["oauth"]
+					},
+					"oauth_grant_id": {
 						"type": "string",
 						"format": "uuid"
 					},
-					"key_prefix": { "type": "string" },
+					"oauth_client_id": { "type": "string" },
 					"org_id": {
 						"type": "string",
 						"format": "uuid"
@@ -3981,6 +4172,13 @@ const openapiDocument = {
 					"api_key",
 					"key_id",
 					"key_prefix",
+					"access_token",
+					"refresh_token",
+					"token_type",
+					"expires_in",
+					"auth_method",
+					"oauth_grant_id",
+					"oauth_client_id",
 					"org_id",
 					"org_name"
 				]
@@ -4008,7 +4206,7 @@ const openapiDocument = {
 						"type": "string",
 						"minLength": 1,
 						"maxLength": 80,
-						"description": "Human-readable device name used for the created CLI API key"
+						"description": "Human-readable device name used for the created CLI OAuth grant"
 					},
 					"metadata": {
 						"type": "object",
@@ -4109,24 +4307,49 @@ const openapiDocument = {
 						"maxLength": 1024
 					}
 				},
-				"required": [
-					"signup_token",
-					"verification_code",
-					"password"
-				]
+				"required": ["signup_token", "verification_code"]
 			},
 			"CliSignupVerifyResult": {
 				"type": "object",
 				"properties": {
 					"api_key": {
 						"type": "string",
-						"description": "Newly-created API key for CLI authentication"
+						"description": "Legacy alias for access_token. New CLI builds should persist access_token and refresh_token."
 					},
 					"key_id": {
+						"type": "string",
+						"format": "uuid",
+						"description": "Legacy alias for oauth_grant_id"
+					},
+					"key_prefix": {
+						"type": "string",
+						"description": "Legacy display prefix derived from access_token"
+					},
+					"access_token": {
+						"type": "string",
+						"description": "OAuth access token for CLI API authentication"
+					},
+					"refresh_token": {
+						"type": "string",
+						"description": "OAuth refresh token used by the CLI to renew access"
+					},
+					"token_type": {
+						"type": "string",
+						"enum": ["Bearer"]
+					},
+					"expires_in": {
+						"type": "integer",
+						"description": "Seconds until access_token expires"
+					},
+					"auth_method": {
+						"type": "string",
+						"enum": ["oauth"]
+					},
+					"oauth_grant_id": {
 						"type": "string",
 						"format": "uuid"
 					},
-					"key_prefix": { "type": "string" },
+					"oauth_client_id": { "type": "string" },
 					"org_id": {
 						"type": "string",
 						"format": "uuid"
@@ -4137,93 +4360,311 @@ const openapiDocument = {
 					"api_key",
 					"key_id",
 					"key_prefix",
+					"access_token",
+					"refresh_token",
+					"token_type",
+					"expires_in",
+					"auth_method",
+					"oauth_grant_id",
+					"oauth_client_id",
 					"org_id",
 					"org_name"
 				]
 			},
-			"CliLogoutInput": {
+			"StartAgentSignupInput": {
 				"type": "object",
 				"additionalProperties": false,
-				"properties": { "key_id": {
-					"type": "string",
-					"format": "uuid",
-					"description": "Optional key id guard; when provided it must match the authenticated API key"
-				} }
-			},
-			"CliLogoutResult": {
-				"type": "object",
 				"properties": {
-					"revoked": {
+					"email": {
+						"type": "string",
+						"format": "email",
+						"maxLength": 254
+					},
+					"signup_code": {
+						"type": "string",
+						"minLength": 1,
+						"maxLength": 128
+					},
+					"terms_accepted": {
 						"type": "boolean",
-						"const": true
+						"const": true,
+						"description": "Must be true to confirm acceptance of Primitive's Terms of Service and Privacy Policy"
 					},
-					"key_id": {
+					"device_name": {
 						"type": "string",
-						"format": "uuid"
+						"minLength": 1,
+						"maxLength": 80,
+						"description": "Human-readable device name used for the created agent OAuth session"
+					},
+					"metadata": {
+						"type": "object",
+						"additionalProperties": true,
+						"description": "Optional client metadata stored with the signup session; serialized JSON must be 2048 bytes or fewer"
 					}
 				},
-				"required": ["revoked", "key_id"]
+				"required": [
+					"email",
+					"signup_code",
+					"terms_accepted"
+				]
 			},
-			"Account": {
+			"AgentSignupStartResult": {
 				"type": "object",
 				"properties": {
-					"id": {
+					"signup_token": {
 						"type": "string",
-						"format": "uuid"
+						"description": "Opaque token used to verify or resend the pending agent signup"
 					},
-					"email": { "type": "string" },
-					"plan": { "type": "string" },
-					"created_at": {
+					"email": {
 						"type": "string",
-						"format": "date-time"
+						"format": "email"
 					},
-					"onboarding_completed": { "type": "boolean" },
-					"onboarding_step": { "type": ["string", "null"] },
-					"stripe_subscription_status": { "type": ["string", "null"] },
-					"subscription_current_period_end": {
-						"type": ["string", "null"],
-						"format": "date-time"
+					"expires_in": {
+						"type": "integer",
+						"description": "Seconds until the pending signup expires"
 					},
-					"subscription_cancel_at_period_end": { "type": ["boolean", "null"] },
-					"spam_threshold": {
-						"type": ["number", "null"],
-						"minimum": 0,
-						"maximum": 15
+					"resend_after": {
+						"type": "integer",
+						"description": "Minimum seconds before requesting another verification email"
 					},
-					"discard_content_on_webhook_confirmed": { "type": "boolean" },
-					"webhook_secret_rotated_at": {
-						"type": ["string", "null"],
-						"format": "date-time"
+					"verification_code_length": {
+						"type": "integer",
+						"description": "Number of digits in the emailed verification code"
 					}
 				},
 				"required": [
-					"id",
+					"signup_token",
 					"email",
-					"plan",
-					"created_at",
-					"discard_content_on_webhook_confirmed"
+					"expires_in",
+					"resend_after",
+					"verification_code_length"
 				]
 			},
-			"AccountUpdated": {
+			"ResendAgentSignupVerificationInput": {
+				"type": "object",
+				"additionalProperties": false,
+				"properties": { "signup_token": {
+					"type": "string",
+					"minLength": 1
+				} },
+				"required": ["signup_token"]
+			},
+			"AgentSignupResendResult": {
 				"type": "object",
 				"properties": {
-					"id": {
+					"email": {
 						"type": "string",
-						"format": "uuid"
+						"format": "email"
 					},
-					"email": { "type": "string" },
-					"plan": { "type": "string" },
-					"spam_threshold": {
-						"type": ["number", "null"],
-						"minimum": 0,
-						"maximum": 15
+					"expires_in": {
+						"type": "integer",
+						"description": "Seconds until the pending signup expires"
 					},
-					"discard_content_on_webhook_confirmed": { "type": "boolean" }
+					"resend_after": {
+						"type": "integer",
+						"description": "Minimum seconds before requesting another verification email"
+					},
+					"verification_code_length": {
+						"type": "integer",
+						"description": "Number of digits in the emailed verification code"
+					}
 				},
 				"required": [
-					"id",
 					"email",
-					"plan",
+					"expires_in",
+					"resend_after",
+					"verification_code_length"
+				]
+			},
+			"VerifyAgentSignupInput": {
+				"type": "object",
+				"additionalProperties": false,
+				"properties": {
+					"signup_token": {
+						"type": "string",
+						"minLength": 1
+					},
+					"verification_code": {
+						"type": "string",
+						"minLength": 1,
+						"maxLength": 32
+					},
+					"org_id": {
+						"type": "string",
+						"format": "uuid",
+						"description": "Optional workspace id to target when the verified email already belongs to multiple workspaces"
+					}
+				},
+				"required": ["signup_token", "verification_code"]
+			},
+			"AgentOrgRef": {
+				"type": "object",
+				"properties": {
+					"id": {
+						"type": "string",
+						"format": "uuid"
+					},
+					"name": { "type": ["string", "null"] }
+				},
+				"required": ["id", "name"]
+			},
+			"AgentSignupVerifyResult": {
+				"type": "object",
+				"properties": {
+					"api_key": {
+						"type": "string",
+						"description": "Legacy alias for access_token. New CLI builds should persist access_token and refresh_token."
+					},
+					"key_id": {
+						"type": "string",
+						"format": "uuid",
+						"description": "Legacy alias for oauth_grant_id"
+					},
+					"key_prefix": {
+						"type": "string",
+						"description": "Legacy display prefix derived from access_token"
+					},
+					"access_token": {
+						"type": "string",
+						"description": "OAuth access token for CLI API authentication"
+					},
+					"refresh_token": {
+						"type": "string",
+						"description": "OAuth refresh token used by the CLI to renew access"
+					},
+					"token_type": {
+						"type": "string",
+						"enum": ["Bearer"]
+					},
+					"expires_in": {
+						"type": "integer",
+						"description": "Seconds until access_token expires"
+					},
+					"auth_method": {
+						"type": "string",
+						"enum": ["oauth"]
+					},
+					"oauth_grant_id": {
+						"type": "string",
+						"format": "uuid"
+					},
+					"oauth_client_id": { "type": "string" },
+					"org_id": {
+						"type": "string",
+						"format": "uuid"
+					},
+					"org_name": { "type": ["string", "null"] },
+					"orgs": {
+						"type": "array",
+						"items": { "$ref": "#/components/schemas/AgentOrgRef" },
+						"description": "Workspaces available to the verified email. The minted session targets `org_id`."
+					}
+				},
+				"required": [
+					"api_key",
+					"key_id",
+					"key_prefix",
+					"access_token",
+					"refresh_token",
+					"token_type",
+					"expires_in",
+					"auth_method",
+					"oauth_grant_id",
+					"oauth_client_id",
+					"org_id",
+					"org_name",
+					"orgs"
+				]
+			},
+			"CliLogoutInput": {
+				"type": "object",
+				"additionalProperties": false,
+				"properties": { "key_id": {
+					"type": "string",
+					"format": "uuid",
+					"description": "Optional id guard; when provided it must match the authenticated OAuth grant id or API key id"
+				} }
+			},
+			"CliLogoutResult": {
+				"type": "object",
+				"properties": {
+					"revoked": {
+						"type": "boolean",
+						"description": "True when an OAuth grant was revoked. False for API-key-authenticated legacy logout, which only clears local CLI state."
+					},
+					"key_id": {
+						"type": "string",
+						"format": "uuid",
+						"description": "API key id for API-key-authenticated legacy logout"
+					},
+					"oauth_grant_id": {
+						"type": "string",
+						"format": "uuid",
+						"description": "OAuth grant id revoked by OAuth-authenticated logout"
+					}
+				},
+				"required": ["revoked"]
+			},
+			"Account": {
+				"type": "object",
+				"properties": {
+					"id": {
+						"type": "string",
+						"format": "uuid"
+					},
+					"email": { "type": "string" },
+					"plan": { "type": "string" },
+					"created_at": {
+						"type": "string",
+						"format": "date-time"
+					},
+					"onboarding_completed": { "type": "boolean" },
+					"onboarding_step": { "type": ["string", "null"] },
+					"stripe_subscription_status": { "type": ["string", "null"] },
+					"subscription_current_period_end": {
+						"type": ["string", "null"],
+						"format": "date-time"
+					},
+					"subscription_cancel_at_period_end": { "type": ["boolean", "null"] },
+					"spam_threshold": {
+						"type": ["number", "null"],
+						"minimum": 0,
+						"maximum": 15
+					},
+					"discard_content_on_webhook_confirmed": { "type": "boolean" },
+					"webhook_secret_rotated_at": {
+						"type": ["string", "null"],
+						"format": "date-time"
+					}
+				},
+				"required": [
+					"id",
+					"email",
+					"plan",
+					"created_at",
+					"discard_content_on_webhook_confirmed"
+				]
+			},
+			"AccountUpdated": {
+				"type": "object",
+				"properties": {
+					"id": {
+						"type": "string",
+						"format": "uuid"
+					},
+					"email": { "type": "string" },
+					"plan": { "type": "string" },
+					"spam_threshold": {
+						"type": ["number", "null"],
+						"minimum": 0,
+						"maximum": 15
+					},
+					"discard_content_on_webhook_confirmed": { "type": "boolean" }
+				},
+				"required": [
+					"id",
+					"email",
+					"plan",
 					"discard_content_on_webhook_confirmed"
 				]
 			},
@@ -6366,105 +6807,15 @@ const operationManifest = [
 		"tag": "Account",
 		"tagCommand": "account"
 	},
-	{
-		"binaryResponse": false,
-		"bodyRequired": false,
-		"command": "cli-logout",
-		"description": "Revokes the API key used to authenticate the request. CLI clients use\nthis endpoint during `primitive logout` before removing local credentials.\n",
-		"hasJsonBody": true,
-		"method": "POST",
-		"operationId": "cliLogout",
-		"path": "/cli/logout",
-		"pathParams": [],
-		"queryParams": [],
-		"requestSchema": {
-			"type": "object",
-			"additionalProperties": false,
-			"properties": { "key_id": {
-				"type": "string",
-				"format": "uuid",
-				"description": "Optional key id guard; when provided it must match the authenticated API key"
-			} }
-		},
-		"responseSchema": {
-			"type": "object",
-			"properties": {
-				"revoked": {
-					"type": "boolean",
-					"const": true
-				},
-				"key_id": {
-					"type": "string",
-					"format": "uuid"
-				}
-			},
-			"required": ["revoked", "key_id"]
-		},
-		"sdkName": "cliLogout",
-		"summary": "Revoke the current CLI API key",
-		"tag": "CLI",
-		"tagCommand": "cli"
-	},
-	{
-		"binaryResponse": false,
-		"bodyRequired": true,
-		"command": "poll-cli-login",
-		"description": "Polls a CLI login session until the browser approval either succeeds,\nis denied, expires, or is polled too quickly. The API key is generated\nonly after approval and is returned exactly once.\n",
-		"hasJsonBody": true,
-		"method": "POST",
-		"operationId": "pollCliLogin",
-		"path": "/cli/login/poll",
-		"pathParams": [],
-		"queryParams": [],
-		"requestSchema": {
-			"type": "object",
-			"additionalProperties": false,
-			"properties": { "device_code": {
-				"type": "string",
-				"minLength": 1
-			} },
-			"required": ["device_code"]
-		},
-		"responseSchema": {
-			"type": "object",
-			"properties": {
-				"api_key": {
-					"type": "string",
-					"description": "Newly-created API key for CLI authentication"
-				},
-				"key_id": {
-					"type": "string",
-					"format": "uuid"
-				},
-				"key_prefix": { "type": "string" },
-				"org_id": {
-					"type": "string",
-					"format": "uuid"
-				},
-				"org_name": { "type": ["string", "null"] }
-			},
-			"required": [
-				"api_key",
-				"key_id",
-				"key_prefix",
-				"org_id",
-				"org_name"
-			]
-		},
-		"sdkName": "pollCliLogin",
-		"summary": "Poll CLI browser login",
-		"tag": "CLI",
-		"tagCommand": "cli"
-	},
 	{
 		"binaryResponse": false,
 		"bodyRequired": true,
-		"command": "resend-cli-signup-verification",
-		"description": "Sends a new email verification code for a pending CLI signup session.\nThis endpoint does not require an API key.\n",
+		"command": "resend-agent-signup-verification",
+		"description": "Sends a new email verification code for a pending agent signup session.\nThis endpoint does not require an API key.\n",
 		"hasJsonBody": true,
 		"method": "POST",
-		"operationId": "resendCliSignupVerification",
-		"path": "/cli/signup/resend",
+		"operationId": "resendAgentSignupVerification",
+		"path": "/agent/signup/resend",
 		"pathParams": [],
 		"queryParams": [],
 		"requestSchema": {
@@ -6503,98 +6854,27 @@ const operationManifest = [
 				"verification_code_length"
 			]
 		},
-		"sdkName": "resendCliSignupVerification",
-		"summary": "Resend CLI signup verification code",
-		"tag": "CLI",
-		"tagCommand": "cli"
+		"sdkName": "resendAgentSignupVerification",
+		"summary": "Resend agent signup verification code",
+		"tag": "Agent",
+		"tagCommand": "agent"
 	},
 	{
 		"binaryResponse": false,
-		"bodyRequired": false,
-		"command": "start-cli-login",
-		"description": "Starts a browser-assisted CLI login session. The response includes a\ndevice code for polling and a user code that the user approves in the\nbrowser. This endpoint does not require an API key.\n",
+		"bodyRequired": true,
+		"command": "start-agent-signup",
+		"description": "Starts an agent-native signup session. The API validates the signup code,\ncreates a pending signup session, sends an email verification code, and\nreturns an opaque signup token used by the resend and verify steps. This\nendpoint does not require an API key.\n",
 		"hasJsonBody": true,
 		"method": "POST",
-		"operationId": "startCliLogin",
-		"path": "/cli/login/start",
+		"operationId": "startAgentSignup",
+		"path": "/agent/signup/start",
 		"pathParams": [],
 		"queryParams": [],
 		"requestSchema": {
 			"type": "object",
 			"additionalProperties": false,
 			"properties": {
-				"device_name": {
-					"type": "string",
-					"minLength": 1,
-					"maxLength": 80,
-					"description": "Human-readable device name shown during browser approval"
-				},
-				"metadata": {
-					"type": "object",
-					"additionalProperties": true,
-					"description": "Optional client metadata stored with the login session; serialized JSON must be 2048 bytes or fewer"
-				}
-			}
-		},
-		"responseSchema": {
-			"type": "object",
-			"properties": {
-				"device_code": {
-					"type": "string",
-					"description": "Opaque code used by the CLI to poll for approval"
-				},
-				"user_code": {
-					"type": "string",
-					"pattern": "^[BCDFGHJKLMNPQRSTVWXZ]{4}-[BCDFGHJKLMNPQRSTVWXZ]{4}$",
-					"description": "Short code the user confirms in the browser"
-				},
-				"verification_uri": {
-					"type": "string",
-					"description": "Browser URL where the user approves the login"
-				},
-				"verification_uri_complete": {
-					"type": "string",
-					"description": "Browser URL with the user code prefilled"
-				},
-				"expires_in": {
-					"type": "integer",
-					"description": "Seconds until the login session expires"
-				},
-				"interval": {
-					"type": "integer",
-					"description": "Minimum seconds between poll requests"
-				}
-			},
-			"required": [
-				"device_code",
-				"user_code",
-				"verification_uri",
-				"verification_uri_complete",
-				"expires_in",
-				"interval"
-			]
-		},
-		"sdkName": "startCliLogin",
-		"summary": "Start CLI browser login",
-		"tag": "CLI",
-		"tagCommand": "cli"
-	},
-	{
-		"binaryResponse": false,
-		"bodyRequired": true,
-		"command": "start-cli-signup",
-		"description": "Starts a terminal-native CLI signup. The API validates the signup code,\ncreates a pending signup session, sends an email verification code, and\nreturns an opaque signup token used by the resend and verify steps. This\nendpoint does not require an API key.\n",
-		"hasJsonBody": true,
-		"method": "POST",
-		"operationId": "startCliSignup",
-		"path": "/cli/signup/start",
-		"pathParams": [],
-		"queryParams": [],
-		"requestSchema": {
-			"type": "object",
-			"additionalProperties": false,
-			"properties": {
-				"email": {
+				"email": {
 					"type": "string",
 					"format": "email",
 					"maxLength": 254
@@ -6613,7 +6893,7 @@ const operationManifest = [
 					"type": "string",
 					"minLength": 1,
 					"maxLength": 80,
-					"description": "Human-readable device name used for the created CLI API key"
+					"description": "Human-readable device name used for the created agent OAuth session"
 				},
 				"metadata": {
 					"type": "object",
@@ -6632,7 +6912,7 @@ const operationManifest = [
 			"properties": {
 				"signup_token": {
 					"type": "string",
-					"description": "Opaque token used to verify or resend the pending CLI signup"
+					"description": "Opaque token used to verify or resend the pending agent signup"
 				},
 				"email": {
 					"type": "string",
@@ -6659,20 +6939,20 @@ const operationManifest = [
 				"verification_code_length"
 			]
 		},
-		"sdkName": "startCliSignup",
-		"summary": "Start CLI account signup",
-		"tag": "CLI",
-		"tagCommand": "cli"
+		"sdkName": "startAgentSignup",
+		"summary": "Start agent account signup",
+		"tag": "Agent",
+		"tagCommand": "agent"
 	},
 	{
 		"binaryResponse": false,
 		"bodyRequired": true,
-		"command": "verify-cli-signup",
-		"description": "Verifies the email code for a CLI signup session, creates the account,\nredeems the reserved signup code, mints an org-scoped CLI API key, and\nreturns the raw key exactly once. This endpoint does not require an API key.\n",
+		"command": "verify-agent-signup",
+		"description": "Verifies the email code for an agent signup session, creates the account\nwhen needed, redeems the reserved signup code, mints an org-scoped OAuth\nsession for CLI authentication, and returns the raw tokens exactly once.\nFor existing users, the optional `org_id` selects which accessible\nworkspace should receive the new session.\n",
 		"hasJsonBody": true,
 		"method": "POST",
-		"operationId": "verifyCliSignup",
-		"path": "/cli/signup/verify",
+		"operationId": "verifyAgentSignup",
+		"path": "/agent/signup/verify",
 		"pathParams": [],
 		"queryParams": [],
 		"requestSchema": {
@@ -6688,147 +6968,634 @@ const operationManifest = [
 					"minLength": 1,
 					"maxLength": 32
 				},
-				"password": {
+				"org_id": {
 					"type": "string",
-					"minLength": 1,
-					"maxLength": 1024
+					"format": "uuid",
+					"description": "Optional workspace id to target when the verified email already belongs to multiple workspaces"
 				}
 			},
-			"required": [
-				"signup_token",
-				"verification_code",
-				"password"
-			]
+			"required": ["signup_token", "verification_code"]
 		},
 		"responseSchema": {
 			"type": "object",
 			"properties": {
 				"api_key": {
 					"type": "string",
-					"description": "Newly-created API key for CLI authentication"
+					"description": "Legacy alias for access_token. New CLI builds should persist access_token and refresh_token."
 				},
 				"key_id": {
+					"type": "string",
+					"format": "uuid",
+					"description": "Legacy alias for oauth_grant_id"
+				},
+				"key_prefix": {
+					"type": "string",
+					"description": "Legacy display prefix derived from access_token"
+				},
+				"access_token": {
+					"type": "string",
+					"description": "OAuth access token for CLI API authentication"
+				},
+				"refresh_token": {
+					"type": "string",
+					"description": "OAuth refresh token used by the CLI to renew access"
+				},
+				"token_type": {
+					"type": "string",
+					"enum": ["Bearer"]
+				},
+				"expires_in": {
+					"type": "integer",
+					"description": "Seconds until access_token expires"
+				},
+				"auth_method": {
+					"type": "string",
+					"enum": ["oauth"]
+				},
+				"oauth_grant_id": {
 					"type": "string",
 					"format": "uuid"
 				},
-				"key_prefix": { "type": "string" },
+				"oauth_client_id": { "type": "string" },
 				"org_id": {
 					"type": "string",
 					"format": "uuid"
 				},
-				"org_name": { "type": ["string", "null"] }
+				"org_name": { "type": ["string", "null"] },
+				"orgs": {
+					"type": "array",
+					"items": {
+						"type": "object",
+						"properties": {
+							"id": {
+								"type": "string",
+								"format": "uuid"
+							},
+							"name": { "type": ["string", "null"] }
+						},
+						"required": ["id", "name"]
+					},
+					"description": "Workspaces available to the verified email. The minted session targets `org_id`."
+				}
 			},
 			"required": [
 				"api_key",
 				"key_id",
 				"key_prefix",
+				"access_token",
+				"refresh_token",
+				"token_type",
+				"expires_in",
+				"auth_method",
+				"oauth_grant_id",
+				"oauth_client_id",
 				"org_id",
-				"org_name"
+				"org_name",
+				"orgs"
 			]
 		},
-		"sdkName": "verifyCliSignup",
-		"summary": "Verify CLI signup and create API key",
+		"sdkName": "verifyAgentSignup",
+		"summary": "Verify agent signup and create OAuth tokens",
+		"tag": "Agent",
+		"tagCommand": "agent"
+	},
+	{
+		"binaryResponse": false,
+		"bodyRequired": false,
+		"command": "cli-logout",
+		"description": "Revokes the OAuth grant used to authenticate the request. API-key\nauthenticated legacy logout requests succeed without deleting server API\nkeys so old local CLI state can be cleared safely.\n",
+		"hasJsonBody": true,
+		"method": "POST",
+		"operationId": "cliLogout",
+		"path": "/cli/logout",
+		"pathParams": [],
+		"queryParams": [],
+		"requestSchema": {
+			"type": "object",
+			"additionalProperties": false,
+			"properties": { "key_id": {
+				"type": "string",
+				"format": "uuid",
+				"description": "Optional id guard; when provided it must match the authenticated OAuth grant id or API key id"
+			} }
+		},
+		"responseSchema": {
+			"type": "object",
+			"properties": {
+				"revoked": {
+					"type": "boolean",
+					"description": "True when an OAuth grant was revoked. False for API-key-authenticated legacy logout, which only clears local CLI state."
+				},
+				"key_id": {
+					"type": "string",
+					"format": "uuid",
+					"description": "API key id for API-key-authenticated legacy logout"
+				},
+				"oauth_grant_id": {
+					"type": "string",
+					"format": "uuid",
+					"description": "OAuth grant id revoked by OAuth-authenticated logout"
+				}
+			},
+			"required": ["revoked"]
+		},
+		"sdkName": "cliLogout",
+		"summary": "Revoke the current CLI OAuth session",
 		"tag": "CLI",
 		"tagCommand": "cli"
 	},
 	{
 		"binaryResponse": false,
 		"bodyRequired": true,
-		"command": "add-domain",
-		"description": "Creates an unverified domain claim. You will receive a\n`verification_token` to add as a DNS TXT record before\ncalling the verify endpoint.\n",
+		"command": "poll-cli-login",
+		"description": "Polls a CLI login session until the browser approval either succeeds,\nis denied, expires, or is polled too quickly. The OAuth token set is\ncreated only after approval and is returned exactly once.\n",
 		"hasJsonBody": true,
 		"method": "POST",
-		"operationId": "addDomain",
-		"path": "/domains",
+		"operationId": "pollCliLogin",
+		"path": "/cli/login/poll",
 		"pathParams": [],
 		"queryParams": [],
 		"requestSchema": {
 			"type": "object",
 			"additionalProperties": false,
-			"properties": { "domain": {
+			"properties": { "device_code": {
 				"type": "string",
-				"minLength": 1,
-				"maxLength": 253,
-				"description": "The domain name to claim (e.g. \"example.com\")"
+				"minLength": 1
 			} },
-			"required": ["domain"]
+			"required": ["device_code"]
 		},
 		"responseSchema": {
 			"type": "object",
 			"properties": {
-				"id": {
+				"api_key": {
 					"type": "string",
-					"format": "uuid"
+					"description": "Legacy alias for access_token. New CLI builds should persist access_token and refresh_token."
 				},
-				"org_id": {
+				"key_id": {
 					"type": "string",
-					"format": "uuid"
+					"format": "uuid",
+					"description": "Legacy alias for oauth_grant_id"
 				},
-				"domain": { "type": "string" },
-				"verified": {
-					"type": "boolean",
-					"const": false
+				"key_prefix": {
+					"type": "string",
+					"description": "Legacy display prefix derived from access_token"
 				},
-				"verification_token": {
+				"access_token": {
 					"type": "string",
-					"description": "Add this value as a TXT record to verify ownership"
+					"description": "OAuth access token for CLI API authentication"
 				},
-				"created_at": {
+				"refresh_token": {
 					"type": "string",
-					"format": "date-time"
-				}
+					"description": "OAuth refresh token used by the CLI to renew access"
+				},
+				"token_type": {
+					"type": "string",
+					"enum": ["Bearer"]
+				},
+				"expires_in": {
+					"type": "integer",
+					"description": "Seconds until access_token expires"
+				},
+				"auth_method": {
+					"type": "string",
+					"enum": ["oauth"]
+				},
+				"oauth_grant_id": {
+					"type": "string",
+					"format": "uuid"
+				},
+				"oauth_client_id": { "type": "string" },
+				"org_id": {
+					"type": "string",
+					"format": "uuid"
+				},
+				"org_name": { "type": ["string", "null"] }
 			},
 			"required": [
-				"id",
+				"api_key",
+				"key_id",
+				"key_prefix",
+				"access_token",
+				"refresh_token",
+				"token_type",
+				"expires_in",
+				"auth_method",
+				"oauth_grant_id",
+				"oauth_client_id",
 				"org_id",
-				"domain",
-				"verified",
-				"verification_token",
-				"created_at"
+				"org_name"
 			]
 		},
-		"sdkName": "addDomain",
-		"summary": "Claim a new domain",
-		"tag": "Domains",
-		"tagCommand": "domains"
-	},
-	{
-		"binaryResponse": false,
-		"bodyRequired": false,
-		"command": "delete-domain",
-		"description": "Deletes a verified or unverified domain claim.",
-		"hasJsonBody": false,
-		"method": "DELETE",
-		"operationId": "deleteDomain",
-		"path": "/domains/{id}",
-		"pathParams": [{
-			"description": "Resource UUID",
-			"enum": null,
-			"name": "id",
-			"required": true,
-			"type": "string"
-		}],
-		"queryParams": [],
-		"requestSchema": null,
-		"responseSchema": null,
-		"sdkName": "deleteDomain",
-		"summary": "Delete a domain",
-		"tag": "Domains",
-		"tagCommand": "domains"
+		"sdkName": "pollCliLogin",
+		"summary": "Poll CLI browser login",
+		"tag": "CLI",
+		"tagCommand": "cli"
 	},
 	{
 		"binaryResponse": false,
-		"bodyRequired": false,
-		"command": "list-domains",
-		"description": "Returns all verified and unverified domains for your organization,\nsorted by creation date (newest first). Each domain includes a\n`verified` boolean to distinguish between the two states.\n",
-		"hasJsonBody": false,
-		"method": "GET",
-		"operationId": "listDomains",
-		"path": "/domains",
+		"bodyRequired": true,
+		"command": "resend-cli-signup-verification",
+		"description": "Sends a new email verification code for a pending CLI signup session.\nThis endpoint does not require an API key.\n",
+		"hasJsonBody": true,
+		"method": "POST",
+		"operationId": "resendCliSignupVerification",
+		"path": "/cli/signup/resend",
 		"pathParams": [],
 		"queryParams": [],
-		"requestSchema": null,
-		"responseSchema": {
+		"requestSchema": {
+			"type": "object",
+			"additionalProperties": false,
+			"properties": { "signup_token": {
+				"type": "string",
+				"minLength": 1
+			} },
+			"required": ["signup_token"]
+		},
+		"responseSchema": {
+			"type": "object",
+			"properties": {
+				"email": {
+					"type": "string",
+					"format": "email"
+				},
+				"expires_in": {
+					"type": "integer",
+					"description": "Seconds until the pending signup expires"
+				},
+				"resend_after": {
+					"type": "integer",
+					"description": "Minimum seconds before requesting another verification email"
+				},
+				"verification_code_length": {
+					"type": "integer",
+					"description": "Number of digits in the emailed verification code"
+				}
+			},
+			"required": [
+				"email",
+				"expires_in",
+				"resend_after",
+				"verification_code_length"
+			]
+		},
+		"sdkName": "resendCliSignupVerification",
+		"summary": "Resend CLI signup verification code",
+		"tag": "CLI",
+		"tagCommand": "cli"
+	},
+	{
+		"binaryResponse": false,
+		"bodyRequired": false,
+		"command": "start-cli-login",
+		"description": "Starts a browser-assisted CLI login session. The response includes a\ndevice code for polling and a user code that the user approves in the\nbrowser. This endpoint does not require an API key.\n",
+		"hasJsonBody": true,
+		"method": "POST",
+		"operationId": "startCliLogin",
+		"path": "/cli/login/start",
+		"pathParams": [],
+		"queryParams": [],
+		"requestSchema": {
+			"type": "object",
+			"additionalProperties": false,
+			"properties": {
+				"device_name": {
+					"type": "string",
+					"minLength": 1,
+					"maxLength": 80,
+					"description": "Human-readable device name shown during browser approval"
+				},
+				"metadata": {
+					"type": "object",
+					"additionalProperties": true,
+					"description": "Optional client metadata stored with the login session; serialized JSON must be 2048 bytes or fewer"
+				}
+			}
+		},
+		"responseSchema": {
+			"type": "object",
+			"properties": {
+				"device_code": {
+					"type": "string",
+					"description": "Opaque code used by the CLI to poll for approval"
+				},
+				"user_code": {
+					"type": "string",
+					"pattern": "^[BCDFGHJKLMNPQRSTVWXZ]{4}-[BCDFGHJKLMNPQRSTVWXZ]{4}$",
+					"description": "Short code the user confirms in the browser"
+				},
+				"verification_uri": {
+					"type": "string",
+					"description": "Browser URL where the user approves the login"
+				},
+				"verification_uri_complete": {
+					"type": "string",
+					"description": "Browser URL with the user code prefilled"
+				},
+				"expires_in": {
+					"type": "integer",
+					"description": "Seconds until the login session expires"
+				},
+				"interval": {
+					"type": "integer",
+					"description": "Minimum seconds between poll requests"
+				}
+			},
+			"required": [
+				"device_code",
+				"user_code",
+				"verification_uri",
+				"verification_uri_complete",
+				"expires_in",
+				"interval"
+			]
+		},
+		"sdkName": "startCliLogin",
+		"summary": "Start CLI browser login",
+		"tag": "CLI",
+		"tagCommand": "cli"
+	},
+	{
+		"binaryResponse": false,
+		"bodyRequired": true,
+		"command": "start-cli-signup",
+		"description": "Starts a terminal-native CLI signup. The API validates the signup code,\ncreates a pending signup session, sends an email verification code, and\nreturns an opaque signup token used by the resend and verify steps. This\nendpoint does not require an API key.\n",
+		"hasJsonBody": true,
+		"method": "POST",
+		"operationId": "startCliSignup",
+		"path": "/cli/signup/start",
+		"pathParams": [],
+		"queryParams": [],
+		"requestSchema": {
+			"type": "object",
+			"additionalProperties": false,
+			"properties": {
+				"email": {
+					"type": "string",
+					"format": "email",
+					"maxLength": 254
+				},
+				"signup_code": {
+					"type": "string",
+					"minLength": 1,
+					"maxLength": 128
+				},
+				"terms_accepted": {
+					"type": "boolean",
+					"const": true,
+					"description": "Must be true to confirm acceptance of Primitive's Terms of Service and Privacy Policy"
+				},
+				"device_name": {
+					"type": "string",
+					"minLength": 1,
+					"maxLength": 80,
+					"description": "Human-readable device name used for the created CLI OAuth grant"
+				},
+				"metadata": {
+					"type": "object",
+					"additionalProperties": true,
+					"description": "Optional client metadata stored with the signup session; serialized JSON must be 2048 bytes or fewer"
+				}
+			},
+			"required": [
+				"email",
+				"signup_code",
+				"terms_accepted"
+			]
+		},
+		"responseSchema": {
+			"type": "object",
+			"properties": {
+				"signup_token": {
+					"type": "string",
+					"description": "Opaque token used to verify or resend the pending CLI signup"
+				},
+				"email": {
+					"type": "string",
+					"format": "email"
+				},
+				"expires_in": {
+					"type": "integer",
+					"description": "Seconds until the pending signup expires"
+				},
+				"resend_after": {
+					"type": "integer",
+					"description": "Minimum seconds before requesting another verification email"
+				},
+				"verification_code_length": {
+					"type": "integer",
+					"description": "Number of digits in the emailed verification code"
+				}
+			},
+			"required": [
+				"signup_token",
+				"email",
+				"expires_in",
+				"resend_after",
+				"verification_code_length"
+			]
+		},
+		"sdkName": "startCliSignup",
+		"summary": "Start CLI account signup",
+		"tag": "CLI",
+		"tagCommand": "cli"
+	},
+	{
+		"binaryResponse": false,
+		"bodyRequired": true,
+		"command": "verify-cli-signup",
+		"description": "Verifies the email code for a CLI signup session, creates the account,\nredeems the reserved signup code, creates an org-scoped OAuth CLI\nsession, and returns the token set exactly once. This endpoint does not\nrequire an API key.\n",
+		"hasJsonBody": true,
+		"method": "POST",
+		"operationId": "verifyCliSignup",
+		"path": "/cli/signup/verify",
+		"pathParams": [],
+		"queryParams": [],
+		"requestSchema": {
+			"type": "object",
+			"additionalProperties": false,
+			"properties": {
+				"signup_token": {
+					"type": "string",
+					"minLength": 1
+				},
+				"verification_code": {
+					"type": "string",
+					"minLength": 1,
+					"maxLength": 32
+				},
+				"password": {
+					"type": "string",
+					"minLength": 1,
+					"maxLength": 1024
+				}
+			},
+			"required": ["signup_token", "verification_code"]
+		},
+		"responseSchema": {
+			"type": "object",
+			"properties": {
+				"api_key": {
+					"type": "string",
+					"description": "Legacy alias for access_token. New CLI builds should persist access_token and refresh_token."
+				},
+				"key_id": {
+					"type": "string",
+					"format": "uuid",
+					"description": "Legacy alias for oauth_grant_id"
+				},
+				"key_prefix": {
+					"type": "string",
+					"description": "Legacy display prefix derived from access_token"
+				},
+				"access_token": {
+					"type": "string",
+					"description": "OAuth access token for CLI API authentication"
+				},
+				"refresh_token": {
+					"type": "string",
+					"description": "OAuth refresh token used by the CLI to renew access"
+				},
+				"token_type": {
+					"type": "string",
+					"enum": ["Bearer"]
+				},
+				"expires_in": {
+					"type": "integer",
+					"description": "Seconds until access_token expires"
+				},
+				"auth_method": {
+					"type": "string",
+					"enum": ["oauth"]
+				},
+				"oauth_grant_id": {
+					"type": "string",
+					"format": "uuid"
+				},
+				"oauth_client_id": { "type": "string" },
+				"org_id": {
+					"type": "string",
+					"format": "uuid"
+				},
+				"org_name": { "type": ["string", "null"] }
+			},
+			"required": [
+				"api_key",
+				"key_id",
+				"key_prefix",
+				"access_token",
+				"refresh_token",
+				"token_type",
+				"expires_in",
+				"auth_method",
+				"oauth_grant_id",
+				"oauth_client_id",
+				"org_id",
+				"org_name"
+			]
+		},
+		"sdkName": "verifyCliSignup",
+		"summary": "Verify CLI signup and create OAuth session",
+		"tag": "CLI",
+		"tagCommand": "cli"
+	},
+	{
+		"binaryResponse": false,
+		"bodyRequired": true,
+		"command": "add-domain",
+		"description": "Creates an unverified domain claim. You will receive a\n`verification_token` to add as a DNS TXT record before\ncalling the verify endpoint.\n",
+		"hasJsonBody": true,
+		"method": "POST",
+		"operationId": "addDomain",
+		"path": "/domains",
+		"pathParams": [],
+		"queryParams": [],
+		"requestSchema": {
+			"type": "object",
+			"additionalProperties": false,
+			"properties": { "domain": {
+				"type": "string",
+				"minLength": 1,
+				"maxLength": 253,
+				"description": "The domain name to claim (e.g. \"example.com\")"
+			} },
+			"required": ["domain"]
+		},
+		"responseSchema": {
+			"type": "object",
+			"properties": {
+				"id": {
+					"type": "string",
+					"format": "uuid"
+				},
+				"org_id": {
+					"type": "string",
+					"format": "uuid"
+				},
+				"domain": { "type": "string" },
+				"verified": {
+					"type": "boolean",
+					"const": false
+				},
+				"verification_token": {
+					"type": "string",
+					"description": "Add this value as a TXT record to verify ownership"
+				},
+				"created_at": {
+					"type": "string",
+					"format": "date-time"
+				}
+			},
+			"required": [
+				"id",
+				"org_id",
+				"domain",
+				"verified",
+				"verification_token",
+				"created_at"
+			]
+		},
+		"sdkName": "addDomain",
+		"summary": "Claim a new domain",
+		"tag": "Domains",
+		"tagCommand": "domains"
+	},
+	{
+		"binaryResponse": false,
+		"bodyRequired": false,
+		"command": "delete-domain",
+		"description": "Deletes a verified or unverified domain claim.",
+		"hasJsonBody": false,
+		"method": "DELETE",
+		"operationId": "deleteDomain",
+		"path": "/domains/{id}",
+		"pathParams": [{
+			"description": "Resource UUID",
+			"enum": null,
+			"name": "id",
+			"required": true,
+			"type": "string"
+		}],
+		"queryParams": [],
+		"requestSchema": null,
+		"responseSchema": null,
+		"sdkName": "deleteDomain",
+		"summary": "Delete a domain",
+		"tag": "Domains",
+		"tagCommand": "domains"
+	},
+	{
+		"binaryResponse": false,
+		"bodyRequired": false,
+		"command": "list-domains",
+		"description": "Returns all verified and unverified domains for your organization,\nsorted by creation date (newest first). Each domain includes a\n`verified` boolean to distinguish between the two states.\n",
+		"hasJsonBody": false,
+		"method": "GET",
+		"operationId": "listDomains",
+		"path": "/domains",
+		"pathParams": [],
+		"queryParams": [],
+		"requestSchema": null,
+		"responseSchema": {
 			"type": "array",
 			"items": {
 				"description": "A domain can be either verified or unverified. Verified domains have\n`is_active` and `spam_threshold` fields. Unverified domains have a\n`verification_token` for DNS verification.\n",
@@ -10741,7 +11508,7 @@ var PrimitiveApiClient = class {
 const CREDENTIALS_FILE = "credentials.json";
 const CREDENTIALS_LOCK_DIR = "credentials.lock";
 const CREDENTIALS_LOCK_STALE_MS = 1800 * 1e3;
-const MALFORMED_CREDENTIALS_HINT = "Run `primitive logout` and then `primitive login`.";
+const MALFORMED_CREDENTIALS_HINT = "Run `primitive logout` and then `primitive signin`.";
 function isRecord$2(value) {
 	return value !== null && typeof value === "object" && !Array.isArray(value);
 }
@@ -10751,28 +11518,34 @@ function requireString(value, key) {
 	return raw;
 }
 /**
-* Sentinel returned by parseCredentials when the on-disk credentials
-* were written by a pre-dual-host CLI version (i.e. they have
-* `base_url` instead of `api_base_url_1`). The caller treats this as
-* "no saved credentials" after auto-cleaning the stale file. Defined
-* as a class-tagged error so loadCliCredentials can distinguish it
-* from a genuine malformed-credentials error.
+* Sentinel returned by parseCredentials when the on-disk credentials were
+* written by an API-key-based CLI. The caller treats this as "not logged in"
+* after clearing the local file. The backing API key is intentionally not
+* revoked; API keys still work when passed explicitly via --api-key/env.
 */
-var StaleCredentialFormatError = class extends Error {
+var LegacyApiKeyCredentialFormatError = class extends Error {
 	constructor() {
-		super("stale_credential_format");
-		this.name = "StaleCredentialFormatError";
+		super("legacy_api_key_credential_format");
+		this.name = "LegacyApiKeyCredentialFormatError";
 	}
 };
 function parseCredentials(raw) {
 	if (!isRecord$2(raw)) throw new Error(`Stored Primitive CLI credentials are malformed: expected a JSON object. ${MALFORMED_CREDENTIALS_HINT}`);
-	if (typeof raw.api_base_url_1 !== "string" && typeof raw.base_url === "string") throw new StaleCredentialFormatError();
+	if (raw.auth_method !== "oauth") {
+		if (typeof raw.api_key === "string" || typeof raw.key_id === "string" || typeof raw.base_url === "string") throw new LegacyApiKeyCredentialFormatError();
+		throw new Error(`Stored Primitive CLI credentials are malformed: auth_method must be oauth. ${MALFORMED_CREDENTIALS_HINT}`);
+	}
 	const orgName = raw.org_name;
 	if (orgName !== null && typeof orgName !== "string") throw new Error(`Stored Primitive CLI credentials are malformed: org_name must be a string or null. ${MALFORMED_CREDENTIALS_HINT}`);
+	if (requireString(raw, "token_type") !== "Bearer") throw new Error(`Stored Primitive CLI credentials are malformed: token_type must be Bearer. ${MALFORMED_CREDENTIALS_HINT}`);
 	return {
-		api_key: requireString(raw, "api_key"),
-		key_id: requireString(raw, "key_id"),
-		key_prefix: requireString(raw, "key_prefix"),
+		auth_method: "oauth",
+		access_token: requireString(raw, "access_token"),
+		refresh_token: requireString(raw, "refresh_token"),
+		token_type: "Bearer",
+		expires_at: requireString(raw, "expires_at"),
+		oauth_grant_id: requireString(raw, "oauth_grant_id"),
+		oauth_client_id: requireString(raw, "oauth_client_id"),
 		org_id: requireString(raw, "org_id"),
 		org_name: orgName,
 		api_base_url_1: requireString(raw, "api_base_url_1"),
@@ -10793,6 +11566,9 @@ function normalizeApiBaseUrl1(url) {
 function normalizeApiBaseUrl2(url) {
 	return normalize(url, DEFAULT_API_BASE_URL_2);
 }
+function cliAccessTokenExpiresAt(expiresInSeconds, now = Date.now) {
+	return new Date(now() + expiresInSeconds * 1e3).toISOString();
+}
 function loadCliCredentials(configDir) {
 	const path = credentialsPath(configDir);
 	let contents;
@@ -10806,14 +11582,14 @@ function loadCliCredentials(configDir) {
 	try {
 		return parseCredentials(JSON.parse(contents));
 	} catch (error) {
-		if (error instanceof StaleCredentialFormatError) {
+		if (error instanceof LegacyApiKeyCredentialFormatError) {
 			try {
 				rmSync(path, { force: true });
 			} catch {}
-			process.stderr.write("You've been logged out: your saved Primitive CLI credentials were created by an older CLI version and are no longer compatible. Run `primitive login` to re-authenticate.\n");
+			process.stderr.write("Removed local Primitive CLI API-key login state. API keys are still valid when passed explicitly, but saved CLI auth now uses OAuth. Run `primitive signin` to create an OAuth session. No API key was revoked.\n");
 			return null;
 		}
-		if (error instanceof SyntaxError) throw new Error("Stored Primitive CLI credentials are not valid JSON. Run `primitive logout` and then `primitive login`.");
+		if (error instanceof SyntaxError) throw new Error("Stored Primitive CLI credentials are not valid JSON. Run `primitive logout` and then `primitive signin`.");
 		throw error;
 	}
 }
@@ -10895,7 +11671,7 @@ function resolveCliAuth(params) {
 	};
 	const credentials = loadCliCredentials(params.configDir);
 	if (credentials) return {
-		apiKey: credentials.api_key,
+		apiKey: credentials.access_token,
 		apiBaseUrl1: params.apiBaseUrl1 ? normalizeApiBaseUrl1(params.apiBaseUrl1) : credentials.api_base_url_1,
 		apiBaseUrl2,
 		credentials,
@@ -10933,7 +11709,7 @@ function validateCliHeaderName(name) {
 	const trimmed = name.trim();
 	if (!trimmed) throw new Errors.CLIError("Header name must be a non-empty string.", { exit: 1 });
 	if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(trimmed)) throw new Errors.CLIError(`Invalid header name: ${name}`, { exit: 1 });
-	if (trimmed.toLowerCase() === "authorization") throw new Errors.CLIError("The Authorization header is managed by PRIMITIVE_API_KEY or saved CLI credentials.", { exit: 1 });
+	if (trimmed.toLowerCase() === "authorization") throw new Errors.CLIError("The Authorization header is managed by PRIMITIVE_API_KEY or saved OAuth CLI credentials.", { exit: 1 });
 	return trimmed;
 }
 function validateCliHeaderValue(value, name) {
@@ -11095,6 +11871,8 @@ function redactCliEnvironment(environment) {
 //#endregion
 //#region src/oclif/api-client.ts
 const API_HEADERS_ENV = "PRIMITIVE_API_HEADERS";
+const OAUTH_REFRESH_SKEW_MS = 60 * 1e3;
+const SAVED_CLI_OAUTH_SESSION_EXPIRED_MESSAGE = "Saved Primitive CLI OAuth session expired or was revoked. Run `primitive signin` to authenticate again.";
 function mergeHeaders(...headers) {
 	const merged = {};
 	for (const headerSet of headers) {
@@ -11153,14 +11931,115 @@ function createCliApiClient(params) {
 		requestConfig
 	};
 }
-function createAuthenticatedCliApiClient(params) {
+function oauthTokenEndpoint(apiBaseUrl1) {
+	const url = new URL(apiBaseUrl1);
+	url.pathname = "/oauth/token";
+	url.search = "";
+	url.hash = "";
+	return url.toString();
+}
+function shouldRefresh(credentials, now) {
+	const expiresAt = Date.parse(credentials.expires_at);
+	if (!Number.isFinite(expiresAt)) return true;
+	return expiresAt <= now() + OAUTH_REFRESH_SKEW_MS;
+}
+function isOAuthRefreshSuccess(value) {
+	if (value === null || typeof value !== "object" || Array.isArray(value)) return false;
+	const row = value;
+	return typeof row.access_token === "string" && typeof row.refresh_token === "string" && row.token_type === "Bearer" && typeof row.expires_in === "number" && Number.isFinite(row.expires_in) && row.expires_in > 0;
+}
+function oauthErrorCode(value) {
+	if (value === null || typeof value !== "object" || Array.isArray(value)) return null;
+	const raw = value.error;
+	return typeof raw === "string" ? raw : null;
+}
+function oauthErrorDescription(value) {
+	if (value === null || typeof value !== "object" || Array.isArray(value)) return null;
+	const raw = value.error_description;
+	return typeof raw === "string" && raw.trim() ? raw : null;
+}
+async function refreshStoredCliCredentials(params) {
+	const now = params.now ?? Date.now;
+	if (!shouldRefresh(params.credentials, now)) return params.credentials;
+	let releaseLock;
+	try {
+		if (!params.credentialsLockHeld) try {
+			releaseLock = acquireCliCredentialsLock(params.configDir);
+		} catch (error) {
+			const detail = error instanceof Error ? error.message : String(error);
+			throw new Errors.CLIError(detail, { exit: 1 });
+		}
+		const current = loadCliCredentials(params.configDir);
+		if (!current) throw new Errors.CLIError("Saved Primitive CLI OAuth session is no longer available. Run `primitive signin` to authenticate again.", { exit: 1 });
+		if (!shouldRefresh(current, now)) return current;
+		const fetchImpl = params.fetch ?? fetch;
+		const body = new URLSearchParams({
+			client_id: current.oauth_client_id,
+			grant_type: "refresh_token",
+			refresh_token: current.refresh_token
+		});
+		let response;
+		try {
+			response = await fetchImpl(oauthTokenEndpoint(params.apiBaseUrl1), {
+				body,
+				headers: {
+					...params.headers ?? {},
+					"content-type": "application/x-www-form-urlencoded"
+				},
+				method: "POST"
+			});
+		} catch (error) {
+			const detail = error instanceof Error ? error.message : String(error);
+			throw new Errors.CLIError(`Could not refresh saved Primitive CLI OAuth credentials: ${detail}`, { exit: 1 });
+		}
+		const payload = await response.json().catch(() => null);
+		if (!response.ok) {
+			const code = oauthErrorCode(payload);
+			const description = oauthErrorDescription(payload);
+			if (code === "invalid_grant") {
+				deleteCliCredentials(params.configDir);
+				throw new Errors.CLIError(SAVED_CLI_OAUTH_SESSION_EXPIRED_MESSAGE, { exit: 1 });
+			}
+			throw new Errors.CLIError(`Could not refresh saved Primitive CLI OAuth credentials${description ? `: ${description}` : "."}`, { exit: 1 });
+		}
+		if (!isOAuthRefreshSuccess(payload)) throw new Errors.CLIError("Primitive OAuth token endpoint returned an unexpected refresh response.", { exit: 1 });
+		const next = {
+			...current,
+			access_token: payload.access_token,
+			expires_at: cliAccessTokenExpiresAt(payload.expires_in, now),
+			refresh_token: payload.refresh_token,
+			token_type: payload.token_type
+		};
+		saveCliCredentials(params.configDir, next);
+		return next;
+	} finally {
+		releaseLock?.();
+	}
+}
+async function createAuthenticatedCliApiClient(params) {
 	const requestConfig = resolveCliApiRequestConfig(params);
-	const auth = resolveCliAuth({
+	let auth = resolveCliAuth({
 		apiKey: params.apiKey,
 		apiBaseUrl1: requestConfig.apiBaseUrl1,
 		apiBaseUrl2: requestConfig.apiBaseUrl2,
 		configDir: params.configDir
 	});
+	if (auth.source === "stored" && auth.credentials) {
+		const refreshed = await refreshStoredCliCredentials({
+			apiBaseUrl1: auth.apiBaseUrl1,
+			configDir: params.configDir,
+			credentials: auth.credentials,
+			credentialsLockHeld: params.credentialsLockHeld,
+			fetch: params.fetch,
+			headers: requestConfig.headers,
+			now: params.now
+		});
+		auth = {
+			...auth,
+			apiKey: refreshed.access_token,
+			credentials: refreshed
+		};
+	}
 	return {
 		apiClient: new PrimitiveApiClient({
 			apiKey: auth.apiKey,
@@ -11400,26 +12279,26 @@ function coerceParameterValue(parameter, value) {
 	if (typeof value === "boolean" || typeof value === "number" || typeof value === "string") return value;
 	throw new Errors.CLIError(`Unsupported flag value for --${parameter.name}`);
 }
-function cliError$6(message) {
+function cliError$7(message) {
 	return new Errors.CLIError(message, { exit: 1 });
 }
 function parseJson(source, flagLabel) {
 	try {
 		return JSON.parse(source);
 	} catch (error) {
-		throw cliError$6(`${flagLabel} is not valid JSON: ${error instanceof Error ? error.message : String(error)}`);
+		throw cliError$7(`${flagLabel} is not valid JSON: ${error instanceof Error ? error.message : String(error)}`);
 	}
 }
 function readJsonBody(flags) {
 	const bodyFile = flags["body-file"];
 	const rawBody = flags["raw-body"];
-	if (bodyFile && rawBody) throw cliError$6("Use either --raw-body or --body-file, not both");
+	if (bodyFile && rawBody) throw cliError$7("Use either --raw-body or --body-file, not both");
 	if (typeof bodyFile === "string") {
 		let contents;
 		try {
 			contents = readFileSync(bodyFile, "utf8");
 		} catch (error) {
-			throw cliError$6(`Could not read --body-file ${bodyFile}: ${error instanceof Error ? error.message : String(error)}`);
+			throw cliError$7(`Could not read --body-file ${bodyFile}: ${error instanceof Error ? error.message : String(error)}`);
 		}
 		return parseJson(contents, `--body-file ${bodyFile}`);
 	}
@@ -11429,7 +12308,7 @@ function readTextFileFlag(path, flagLabel) {
 	try {
 		return readFileSync(path, "utf8");
 	} catch (error) {
-		throw cliError$6(`Could not read ${flagLabel} ${path}: ${error instanceof Error ? error.message : String(error)}`);
+		throw cliError$7(`Could not read ${flagLabel} ${path}: ${error instanceof Error ? error.message : String(error)}`);
 	}
 }
 function extractErrorPayload(raw) {
@@ -11476,7 +12355,7 @@ function extractErrorCode(payload) {
 		if (typeof direct === "string") return direct;
 	}
 }
-const ERROR_CODE_HINTS = { [API_ERROR_CODES.unauthorized]: "Hint: run `primitive login`, pass --api-key explicitly, or set PRIMITIVE_API_KEY in your environment. `primitive whoami` is the fastest way to verify a key is live." };
+const ERROR_CODE_HINTS = { [API_ERROR_CODES.unauthorized]: "Hint: run `primitive signin`, pass --api-key explicitly, or set PRIMITIVE_API_KEY in your environment. `primitive whoami` is the fastest way to verify auth is live." };
 const NETWORK_ERROR_HINTS = {
 	ENETUNREACH: "Hint: the network is unreachable. If you're behind a proxy and set HTTP(S)_PROXY, re-run with NODE_USE_ENV_PROXY=1 (Node 22+ ignores those env vars by default). `primitive doctor` reports the local environment in one shot.",
 	ECONNREFUSED: "Hint: the server refused the connection. Check that your firewall allows egress to *.primitive.dev, that your PRIMITIVE_API_BASE_URL_* overrides (if any) point at a reachable host, and re-run with NODE_USE_ENV_PROXY=1 if you're behind a proxy. `primitive doctor` reports the local environment in one shot.",
@@ -11514,7 +12393,7 @@ function surfaceUnauthorizedHint(params) {
 		process.stderr.write("Saved Primitive CLI credentials were rejected by the overridden API base URL. The saved credential is preserved; unset PRIMITIVE_API_BASE_URL_1, run `primitive config reset` to clear configured URL overrides, or run `primitive logout` to remove the stored credential.\n");
 		return;
 	}
-	process.stderr.write("Your saved Primitive CLI credential was rejected. If the command was working a moment ago, please retry; brief retries often clear transient rejections. If it keeps failing, run `primitive logout && primitive login` to mint a fresh credential.\n");
+	process.stderr.write("Your saved Primitive CLI OAuth session was rejected. If the command was working a moment ago, please retry; brief retries often clear transient rejections. If it keeps failing, run `primitive logout && primitive signin` to mint a fresh session.\n");
 }
 function formatElapsed(ms) {
 	const seconds = ms / 1e3;
@@ -11564,7 +12443,7 @@ function bodyFieldFlag(field) {
 function buildFlags(operation) {
 	const flags = {
 		"api-key": Flags.string({
-			description: "Primitive API key (defaults to PRIMITIVE_API_KEY or saved `primitive login` credentials)",
+			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
 		"api-base-url-1": Flags.string({
@@ -11642,7 +12521,7 @@ function createOperationCommand(operation) {
 			const { flags } = await this.parse(OperationCommand);
 			const parsedFlags = flags;
 			await runWithTiming(parsedFlags.time === true, async () => {
-				const { apiClient, auth, baseUrlOverridden } = createAuthenticatedCliApiClient({
+				const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 					apiKey: typeof parsedFlags["api-key"] === "string" ? parsedFlags["api-key"] : void 0,
 					apiBaseUrl1: typeof parsedFlags["api-base-url-1"] === "string" ? parsedFlags["api-base-url-1"] : void 0,
 					apiBaseUrl2: typeof parsedFlags["api-base-url-2"] === "string" ? parsedFlags["api-base-url-2"] : void 0,
@@ -11765,7 +12644,7 @@ async function pickDefaultFromAddress(apiClient, authFailureContext) {
 				...authFailureContext,
 				payload: errorPayload
 			});
-			throw new Errors.CLIError("Cannot send: API key is missing or invalid (see hint above).", { exit: 1 });
+			throw new Errors.CLIError("Cannot send: CLI auth is missing or invalid (see hint above).", { exit: 1 });
 		}
 		throw new Errors.CLIError(`Could not look up your verified domains to default --from. Pass --from explicitly. Underlying error: ${formatErrorPayload(errorPayload)}`);
 	}
@@ -11877,11 +12756,11 @@ function sleep$1(ms) {
 //#region src/oclif/commands/chat.ts
 const DEFAULT_CHAT_TIMEOUT_SECONDS = 120;
 const DEFAULT_STRICT_PHASE_SECONDS = 60;
-function cliError$5(message) {
+function cliError$6(message) {
 	return new Errors.CLIError(message, { exit: 1 });
 }
 async function readStdinToString() {
-	if (process.stdin.isTTY) throw cliError$5("No message provided. Pass the message as the second positional argument or pipe it via stdin.");
+	if (process.stdin.isTTY) throw cliError$6("No message provided. Pass the message as the second positional argument or pipe it via stdin.");
 	const chunks = [];
 	for await (const chunk of process.stdin) chunks.push(typeof chunk === "string" ? Buffer.from(chunk) : chunk);
 	return Buffer.concat(chunks).toString("utf8");
@@ -11917,7 +12796,7 @@ var ChatCommand = class ChatCommand extends Command {
 	};
 	static flags = {
 		"api-key": Flags.string({
-			description: "Primitive API key (defaults to PRIMITIVE_API_KEY or saved `primitive login` credentials)",
+			description: "Primitive API key (defaults to PRIMITIVE_API_KEY or saved `primitive signin` credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
 		"api-base-url-1": Flags.string({
@@ -11962,9 +12841,9 @@ var ChatCommand = class ChatCommand extends Command {
 	async run() {
 		const { args, flags } = await this.parse(ChatCommand);
 		const message = args.message !== void 0 && args.message !== "" ? args.message : await readStdinToString();
-		if (!message.trim()) throw cliError$5("Message body is empty.");
+		if (!message.trim()) throw cliError$6("Message body is empty.");
 		await runWithTiming(flags.time, async () => {
-			const { apiClient, auth, baseUrlOverridden } = createAuthenticatedCliApiClient({
+			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
 				apiBaseUrl1: flags["api-base-url-1"],
 				apiBaseUrl2: flags["api-base-url-2"],
@@ -12000,7 +12879,7 @@ var ChatCommand = class ChatCommand extends Command {
 				return;
 			}
 			const sent = sendResult.data?.data;
-			if (!sent) throw cliError$5("Send succeeded but the API returned no data.");
+			if (!sent) throw cliError$6("Send succeeded but the API returned no data.");
 			const reply = await waitForReply({
 				apiClient,
 				authFailureContext,
@@ -12317,25 +13196,30 @@ function checkApiKey(opts) {
 		} catch (error) {
 			parseError = error instanceof Error ? error.message : String(error);
 		}
-		if (parsed?.api_key) return {
+		if (parsed?.auth_method === "oauth" && typeof parsed.access_token === "string" && parsed.access_token.length > 0) return {
 			status: "ok",
-			message: `loaded from ${credsPath}`
+			message: `loaded OAuth session from ${credsPath}`
+		};
+		if (typeof parsed?.api_key === "string" && parsed.api_key.length > 0) return {
+			status: "fail",
+			message: `${credsPath} contains legacy API-key login state`,
+			hint: "Run `primitive signin` to create saved OAuth credentials. Existing API keys still work with --api-key or PRIMITIVE_API_KEY."
 		};
 		if (parsed) return {
 			status: "fail",
-			message: `${credsPath} exists but contains no api_key`,
-			hint: "Run `primitive logout` to clear it, then `primitive login` to recreate."
+			message: `${credsPath} exists but contains no OAuth access_token`,
+			hint: "Run `primitive logout` to clear it, then `primitive signin` to recreate."
 		};
 		return {
 			status: "fail",
 			message: `${credsPath} exists but is unreadable or malformed${parseError ? ` (${parseError})` : ""}`,
-			hint: "Run `primitive logout` to clear it, then `primitive login` to recreate."
+			hint: "Run `primitive logout` to clear it, then `primitive signin` to recreate."
 		};
 	}
 	return {
 		status: "fail",
-		message: "no API key found",
-		hint: "Run `primitive login`, pass --api-key explicitly, or export PRIMITIVE_API_KEY=prim_..."
+		message: "no CLI OAuth session or explicit API key found",
+		hint: "Run `primitive signin`, pass --api-key explicitly, or export PRIMITIVE_API_KEY=prim_..."
 	};
 }
 async function checkAccount(client) {
@@ -12417,12 +13301,12 @@ async function checkDomains(client) {
 	}
 }
 var DoctorCommand = class DoctorCommand extends Command {
-	static description = `Run a one-shot environment health check: Node version, proxy env, API key resolution, /account reachability, and verified-domain status. Fails fast on anything that would block other commands and prints actionable hints for each warning or failure.`;
+	static description = `Run a one-shot environment health check: Node version, proxy env, CLI auth resolution, /account reachability, and verified-domain status. Fails fast on anything that would block other commands and prints actionable hints for each warning or failure.`;
 	static summary = "Check the local environment and live API for common problems";
 	static examples = ["<%= config.bin %> doctor", "<%= config.bin %> doctor --api-key prim_..."];
 	static flags = {
 		"api-key": Flags.string({
-			description: "Primitive API key (defaults to PRIMITIVE_API_KEY or saved `primitive login` credentials)",
+			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
 		"api-base-url-1": Flags.string({
@@ -12452,11 +13336,11 @@ var DoctorCommand = class DoctorCommand extends Command {
 			configDir: this.config.configDir
 		});
 		rows.push({
-			label: "API key",
+			label: "Auth",
 			outcome: apiKeyCheck
 		});
 		if (apiKeyCheck.status !== "fail") {
-			const { apiClient, auth } = createAuthenticatedCliApiClient({
+			const { apiClient, auth } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
 				apiBaseUrl1: flags["api-base-url-1"],
 				apiBaseUrl2: flags["api-base-url-2"],
@@ -12538,7 +13422,7 @@ var EmailsLatestCommand = class EmailsLatestCommand extends Command {
 	];
 	static flags = {
 		"api-key": Flags.string({
-			description: "Primitive API key (defaults to PRIMITIVE_API_KEY or saved `primitive login` credentials)",
+			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
 		"api-base-url-1": Flags.string({
@@ -12563,7 +13447,7 @@ var EmailsLatestCommand = class EmailsLatestCommand extends Command {
 	async run() {
 		const { flags } = await this.parse(EmailsLatestCommand);
 		await runWithTiming(flags.time, async () => {
-			const { apiClient, auth, baseUrlOverridden } = createAuthenticatedCliApiClient({
+			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
 				apiBaseUrl1: flags["api-base-url-1"],
 				apiBaseUrl2: flags["api-base-url-2"],
@@ -12605,7 +13489,7 @@ var EmailsLatestCommand = class EmailsLatestCommand extends Command {
 //#endregion
 //#region src/oclif/commands/emails-wait.ts
 const DEFAULT_WAIT_TIMEOUT_SECONDS$1 = 300;
-function cliError$4(message) {
+function cliError$5(message) {
 	return new Errors.CLIError(message, { exit: 1 });
 }
 var EmailsWaitCommand = class EmailsWaitCommand extends Command {
@@ -12618,7 +13502,7 @@ var EmailsWaitCommand = class EmailsWaitCommand extends Command {
 	];
 	static flags = {
 		"api-key": Flags.string({
-			description: "Primitive API key (defaults to PRIMITIVE_API_KEY or saved `primitive login` credentials)",
+			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
 		"api-base-url-1": Flags.string({
@@ -12670,7 +13554,7 @@ var EmailsWaitCommand = class EmailsWaitCommand extends Command {
 	};
 	async run() {
 		const { flags } = await this.parse(EmailsWaitCommand);
-		const { apiClient, auth, baseUrlOverridden } = createAuthenticatedCliApiClient({
+		const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 			apiKey: flags["api-key"],
 			apiBaseUrl1: flags["api-base-url-1"],
 			apiBaseUrl2: flags["api-base-url-2"],
@@ -12680,7 +13564,7 @@ var EmailsWaitCommand = class EmailsWaitCommand extends Command {
 		try {
 			since = sinceFromFlags(flags);
 		} catch (error) {
-			throw cliError$4(error instanceof Error ? error.message : String(error));
+			throw cliError$5(error instanceof Error ? error.message : String(error));
 		}
 		const filters = filtersFromFlags(flags);
 		const deadline = flags.timeout === 0 ? null : Date.now() + flags.timeout * 1e3;
@@ -12731,7 +13615,7 @@ var EmailsWaitCommand = class EmailsWaitCommand extends Command {
 };
 //#endregion
 //#region src/oclif/commands/emails-watch.ts
-function cliError$3(message) {
+function cliError$4(message) {
 	return new Errors.CLIError(message, { exit: 1 });
 }
 var EmailsWatchCommand = class EmailsWatchCommand extends Command {
@@ -12744,7 +13628,7 @@ var EmailsWatchCommand = class EmailsWatchCommand extends Command {
 	];
 	static flags = {
 		"api-key": Flags.string({
-			description: "Primitive API key (defaults to PRIMITIVE_API_KEY or saved `primitive login` credentials)",
+			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
 		"api-base-url-1": Flags.string({
@@ -12792,7 +13676,7 @@ var EmailsWatchCommand = class EmailsWatchCommand extends Command {
 	};
 	async run() {
 		const { flags } = await this.parse(EmailsWatchCommand);
-		const { apiClient, auth, baseUrlOverridden } = createAuthenticatedCliApiClient({
+		const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 			apiKey: flags["api-key"],
 			apiBaseUrl1: flags["api-base-url-1"],
 			apiBaseUrl2: flags["api-base-url-2"],
@@ -12802,7 +13686,7 @@ var EmailsWatchCommand = class EmailsWatchCommand extends Command {
 		try {
 			since = sinceFromFlags(flags);
 		} catch (error) {
-			throw cliError$3(error instanceof Error ? error.message : String(error));
+			throw cliError$4(error instanceof Error ? error.message : String(error));
 		}
 		const filters = filtersFromFlags(flags);
 		const deadline = flags.seconds ? Date.now() + flags.seconds * 1e3 : null;
@@ -13410,7 +14294,7 @@ var FunctionsDeployCommand = class FunctionsDeployCommand extends Command {
 	];
 	static flags = {
 		"api-key": Flags.string({
-			description: "Primitive API key (defaults to PRIMITIVE_API_KEY or saved `primitive login` credentials)",
+			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
 		"api-base-url-1": Flags.string({
@@ -13487,7 +14371,7 @@ var FunctionsDeployCommand = class FunctionsDeployCommand extends Command {
 			const code = readTextFileFlag(flags.file, "--file");
 			const sourceMap = flags["source-map-file"] ? readTextFileFlag(flags["source-map-file"], "--source-map-file") : void 0;
 			emitRawSendMailFetchWarning(code, (chunk) => process.stderr.write(chunk));
-			const { apiClient, auth, baseUrlOverridden } = createAuthenticatedCliApiClient({
+			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
 				apiBaseUrl1: flags["api-base-url-1"],
 				apiBaseUrl2: flags["api-base-url-2"],
@@ -13847,7 +14731,7 @@ The deploy step calls \`primitive functions deploy\` (provided by the
 \`npm install -g @primitivedotdev/cli\` or run via
 \`npx @primitivedotdev/cli@latest <command>\`). It requires
 \`PRIMITIVE_API_KEY\` to be set in your shell (or pass \`--api-key\`).
-Run \`primitive login\` once to save a key in your CLI config if you
+Run \`primitive signin\` once to save a key in your CLI config if you
 prefer that to an env var.
 `;
 }
@@ -14073,7 +14957,7 @@ var FunctionsLogsCommand = class FunctionsLogsCommand extends Command {
 	];
 	static flags = {
 		"api-key": Flags.string({
-			description: "Primitive API key (defaults to PRIMITIVE_API_KEY or saved `primitive login` credentials)",
+			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
 		"api-base-url-1": Flags.string({
@@ -14112,7 +14996,7 @@ var FunctionsLogsCommand = class FunctionsLogsCommand extends Command {
 		if (flags["poll-interval"] <= 0) this.error("--poll-interval must be greater than 0.", { exit: 2 });
 		if (flags.follow && flags.cursor) this.error("--cursor cannot be combined with --follow.", { exit: 2 });
 		await runWithTiming(flags.time, async () => {
-			const { apiClient, auth, baseUrlOverridden } = createAuthenticatedCliApiClient({
+			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
 				apiBaseUrl1: flags["api-base-url-1"],
 				apiBaseUrl2: flags["api-base-url-2"],
@@ -14271,7 +15155,7 @@ var FunctionsRedeployCommand = class FunctionsRedeployCommand extends Command {
 	];
 	static flags = {
 		"api-key": Flags.string({
-			description: "Primitive API key (defaults to PRIMITIVE_API_KEY or saved `primitive login` credentials)",
+			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
 		"api-base-url-1": Flags.string({
@@ -14348,7 +15232,7 @@ var FunctionsRedeployCommand = class FunctionsRedeployCommand extends Command {
 			const code = readTextFileFlag(flags.file, "--file");
 			const sourceMap = flags["source-map-file"] ? readTextFileFlag(flags["source-map-file"], "--source-map-file") : void 0;
 			emitRawSendMailFetchWarning(code, (chunk) => process.stderr.write(chunk));
-			const { apiClient, auth, baseUrlOverridden } = createAuthenticatedCliApiClient({
+			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
 				apiBaseUrl1: flags["api-base-url-1"],
 				apiBaseUrl2: flags["api-base-url-2"],
@@ -14531,7 +15415,7 @@ var FunctionsSetSecretCommand = class FunctionsSetSecretCommand extends Command
 	];
 	static flags = {
 		"api-key": Flags.string({
-			description: "Primitive API key (defaults to PRIMITIVE_API_KEY or saved `primitive login` credentials)",
+			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
 		"api-base-url-1": Flags.string({
@@ -14563,7 +15447,7 @@ var FunctionsSetSecretCommand = class FunctionsSetSecretCommand extends Command
 	async run() {
 		const { flags } = await this.parse(FunctionsSetSecretCommand);
 		await runWithTiming(flags.time, async () => {
-			const { apiClient, auth, baseUrlOverridden } = createAuthenticatedCliApiClient({
+			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
 				apiBaseUrl1: flags["api-base-url-1"],
 				apiBaseUrl2: flags["api-base-url-2"],
@@ -14754,7 +15638,7 @@ var FunctionsTestFunctionCommand = class FunctionsTestFunctionCommand extends Co
 	];
 	static flags = {
 		"api-key": Flags.string({
-			description: "Primitive API key (defaults to PRIMITIVE_API_KEY or saved `primitive login` credentials)",
+			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
 		"api-base-url-1": Flags.string({
@@ -14790,7 +15674,7 @@ var FunctionsTestFunctionCommand = class FunctionsTestFunctionCommand extends Co
 		const { flags } = await this.parse(FunctionsTestFunctionCommand);
 		const shouldWait = flags.wait || flags["show-sends"];
 		const shouldShowSends = flags["show-sends"];
-		const { apiClient, auth, baseUrlOverridden } = createAuthenticatedCliApiClient({
+		const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 			apiKey: flags["api-key"],
 			apiBaseUrl1: flags["api-base-url-1"],
 			apiBaseUrl2: flags["api-base-url-2"],
@@ -14906,7 +15790,7 @@ var FunctionsTestFunctionCommand = class FunctionsTestFunctionCommand extends Co
 //#endregion
 //#region src/oclif/commands/login.ts
 const MAX_CLI_LOGIN_POLL_INTERVAL_SECONDS = 60;
-function cliError$2(message) {
+function cliError$3(message) {
 	return new Errors.CLIError(message, { exit: 1 });
 }
 function sleep(ms) {
@@ -14940,8 +15824,25 @@ async function checkExistingLogin(params) {
 		configDir: params.configDir
 	});
 	const probeApiBaseUrl1 = requestConfig.apiBaseUrl1 ?? params.credentials.api_base_url_1;
+	let credentials = params.credentials;
+	try {
+		credentials = await refreshStoredCliCredentials({
+			apiBaseUrl1: probeApiBaseUrl1,
+			configDir: params.configDir,
+			credentials,
+			credentialsLockHeld: params.credentialsLockHeld,
+			headers: requestConfig.headers
+		});
+	} catch (error) {
+		if (loadCliCredentials(params.configDir) === null) return { status: "removed_stale" };
+		return {
+			status: "blocked",
+			payload: error,
+			message: "A saved Primitive CLI OAuth session exists, but the CLI could not refresh it. Run `primitive logout` before logging in again."
+		};
+	}
 	const apiClient = new PrimitiveApiClient({
-		apiKey: params.credentials.api_key,
+		apiKey: credentials.access_token,
 		apiBaseUrl1: probeApiBaseUrl1,
 		apiBaseUrl2: requestConfig.resolvedApiBaseUrl2,
 		headers: requestConfig.headers
@@ -14956,17 +15857,17 @@ async function checkExistingLogin(params) {
 	const baseUrlDiffersFromSaved = requestConfig.baseUrlOverridden && requestConfig.apiBaseUrl1 !== params.credentials.api_base_url_1;
 	if (code === API_ERROR_CODES.unauthorized && !baseUrlDiffersFromSaved) {
 		deleteCliCredentials(params.configDir);
-		process.stderr.write("Removed saved Primitive CLI credentials because the existing key was rejected during login. Continuing with a fresh login.\n");
+		process.stderr.write("Removed saved Primitive CLI OAuth credentials because the existing session was rejected during login. Continuing with a fresh login.\n");
 		return { status: "removed_stale" };
 	}
 	return {
 		status: "blocked",
 		payload,
-		message: code === API_ERROR_CODES.unauthorized ? "Saved Primitive CLI credentials were rejected by an API URL different from the one they were saved with. Run `primitive logout` to remove them, or switch back to the original environment before logging in again." : "A saved Primitive CLI login exists, but the CLI could not verify whether it is still valid. Run `primitive logout` before logging in again."
+		message: code === API_ERROR_CODES.unauthorized ? "Saved Primitive CLI OAuth credentials were rejected by an API URL different from the one they were saved with. Run `primitive logout` to remove them, or switch back to the original environment before logging in again." : "A saved Primitive CLI OAuth session exists, but the CLI could not verify whether it is still valid. Run `primitive logout` before logging in again."
 	};
 }
-var LoginCommand = class LoginCommand extends Command {
-	static description = "Log in by opening Primitive in your browser and saving an org-scoped CLI API key locally.";
+var LoginCommand = class extends Command {
+	static description = "Log in by opening Primitive in your browser and saving an org-scoped OAuth session locally.";
 	static summary = "Log in with browser approval";
 	static examples = [
 		"<%= config.bin %> login",
@@ -14983,24 +15884,28 @@ var LoginCommand = class LoginCommand extends Command {
 		"no-browser": Flags.boolean({ description: "Do not attempt to open the browser automatically" }),
 		force: Flags.boolean({
 			char: "f",
-			description: "Replace saved credentials without first verifying the existing login"
+			description: "Replace saved credentials without first verifying the existing session"
 		})
 	};
 	async run() {
-		const { flags } = await this.parse(LoginCommand);
+		const commandClass = this.constructor;
+		const { flags } = await this.parse(commandClass);
 		let releaseCredentialsLock;
 		try {
 			releaseCredentialsLock = acquireCliCredentialsLock(this.config.configDir);
 		} catch (error) {
-			throw cliError$2(error instanceof Error ? error.message : String(error));
+			throw cliError$3(error instanceof Error ? error.message : String(error));
 		}
 		try {
-			await this.runWithCredentialLock(flags);
+			await this.runWithCredentialLock(flags, this.retryCommand());
 		} finally {
 			releaseCredentialsLock();
 		}
 	}
-	async runWithCredentialLock(flags) {
+	retryCommand() {
+		return "login";
+	}
+	async runWithCredentialLock(flags, retryCommand) {
 		const { apiClient, requestConfig } = createCliApiClient({
 			apiBaseUrl1: flags["api-base-url-1"],
 			configDir: this.config.configDir
@@ -15020,13 +15925,14 @@ var LoginCommand = class LoginCommand extends Command {
 			const existingStatus = await checkExistingLogin({
 				apiBaseUrl1: flags["api-base-url-1"],
 				configDir: this.config.configDir,
-				credentials: existing
+				credentials: existing,
+				credentialsLockHeld: true
 			});
 			if (existingStatus.status === "removed_stale") process.stderr.write("Continuing with a new Primitive CLI login...\n");
 			else if (existingStatus.status === "blocked") {
 				writeErrorWithHints(existingStatus.payload);
-				throw cliError$2(existingStatus.message);
-			} else throw cliError$2(`Already logged in${existing.org_name ? ` for ${existing.org_name}` : ""}. Run \`primitive logout\` before logging in again.`);
+				throw cliError$3(existingStatus.message);
+			} else throw cliError$3(`Already logged in${existing.org_name ? ` for ${existing.org_name}` : ""}. Run \`primitive logout\` before logging in again.`);
 		}
 		const started = await startCliLogin({
 			body: { device_name: flags["device-name"] ?? hostname() },
@@ -15035,11 +15941,11 @@ var LoginCommand = class LoginCommand extends Command {
 		});
 		if (started.error) {
 			writeErrorWithHints(extractErrorPayload(started.error));
-			throw cliError$2("Could not start Primitive CLI login.");
+			throw cliError$3("Could not start Primitive CLI login.");
 		}
 		const start = unwrapData$2(started.data);
-		if (!start) throw cliError$2("Primitive API returned an empty CLI login response.");
-		process.stderr.write(`Your login code is: ${start.user_code}\n`);
+		if (!start) throw cliError$3("Primitive API returned an empty CLI login response.");
+		process.stderr.write(`Your sign-in code is: ${start.user_code}\n`);
 		if (!flags["no-browser"]) {
 			openBrowser(start.verification_uri_complete);
 			process.stderr.write("Opening Primitive in your browser...\n");
@@ -15059,15 +15965,19 @@ var LoginCommand = class LoginCommand extends Command {
 			});
 			if (polled.data) {
 				const login = unwrapData$2(polled.data);
-				if (!login) throw cliError$2("Primitive API returned an empty CLI poll response.");
+				if (!login) throw cliError$3("Primitive API returned an empty CLI poll response.");
 				saveCliCredentials(this.config.configDir, {
-					api_key: login.api_key,
+					access_token: login.access_token,
 					api_base_url_1: apiBaseUrl1,
+					auth_method: "oauth",
 					created_at: (/* @__PURE__ */ new Date()).toISOString(),
-					key_id: login.key_id,
-					key_prefix: login.key_prefix,
+					expires_at: cliAccessTokenExpiresAt(login.expires_in),
+					oauth_client_id: login.oauth_client_id,
+					oauth_grant_id: login.oauth_grant_id,
 					org_id: login.org_id,
-					org_name: login.org_name
+					org_name: login.org_name,
+					refresh_token: login.refresh_token,
+					token_type: login.token_type
 				});
 				const org = login.org_name ? ` (${login.org_name})` : "";
 				process.stderr.write(`Logged in to org ${login.org_id}${org}.\n`);
@@ -15085,26 +15995,84 @@ var LoginCommand = class LoginCommand extends Command {
 				nextPollDelay = interval;
 				continue;
 			}
-			if (code === API_ERROR_CODES.accessDenied) throw cliError$2("Primitive CLI login was denied in the browser.");
-			if (code === API_ERROR_CODES.expiredToken) throw cliError$2("Primitive CLI login expired. Run `primitive login` again.");
-			if (code === API_ERROR_CODES.invalidDeviceCode) throw cliError$2("Primitive CLI login device code is invalid. Run `primitive login` again.");
+			if (code === API_ERROR_CODES.accessDenied) throw cliError$3("Primitive CLI login was denied in the browser.");
+			if (code === API_ERROR_CODES.expiredToken) throw cliError$3(`Primitive CLI login expired. Run \`primitive ${retryCommand}\` again.`);
+			if (code === API_ERROR_CODES.invalidDeviceCode) throw cliError$3(`Primitive CLI login device code is invalid. Run \`primitive ${retryCommand}\` again.`);
 			writeErrorWithHints(payload);
-			throw cliError$2("Primitive CLI login failed while polling for approval.");
+			throw cliError$3("Primitive CLI login failed while polling for approval.");
 		}
-		throw cliError$2("Primitive CLI login expired. Run `primitive login` again.");
+		throw cliError$3(`Primitive CLI login expired. Run \`primitive ${retryCommand}\` again.`);
 	}
 };
 //#endregion
 //#region src/oclif/commands/logout.ts
-function cliError$1(message) {
+function cliError$2(message) {
 	return new Errors.CLIError(message, { exit: 1 });
 }
 function unwrapData$1(value) {
 	return value?.data ?? null;
 }
+function isSavedOAuthSessionExpiredError(error) {
+	return error instanceof Error && error.message === "Saved Primitive CLI OAuth session expired or was revoked. Run `primitive signin` to authenticate again.";
+}
+async function runLogoutWithCredentialLock(params) {
+	const deps = {
+		cliLogout,
+		createAuthenticatedCliApiClient,
+		...params.deps
+	};
+	let credentials;
+	try {
+		credentials = loadCliCredentials(params.configDir);
+	} catch (error) {
+		deleteCliCredentials(params.configDir);
+		const detail = error instanceof Error ? error.message : String(error);
+		process.stderr.write(`Removed unreadable Primitive CLI credentials. Backing OAuth grant was not revoked: ${detail}\n`);
+		process.exitCode = 1;
+		return;
+	}
+	if (!credentials) throw cliError$2("Not logged in. Run `primitive signin` to create saved CLI credentials.");
+	let authenticated;
+	try {
+		authenticated = await deps.createAuthenticatedCliApiClient({
+			apiBaseUrl1: params.flags["api-base-url-1"],
+			configDir: params.configDir,
+			credentialsLockHeld: true
+		});
+	} catch (error) {
+		if (isSavedOAuthSessionExpiredError(error) && loadCliCredentials(params.configDir) === null) {
+			process.stderr.write("Logged out (OAuth session was already expired or revoked on the server).\n");
+			return;
+		}
+		throw error;
+	}
+	const freshCredentials = authenticated.auth.credentials ?? credentials;
+	const result = await deps.cliLogout({
+		body: { key_id: freshCredentials.oauth_grant_id },
+		client: authenticated.apiClient.client,
+		responseStyle: "fields"
+	});
+	if (result.error) {
+		const payload = extractErrorPayload(result.error);
+		const code = extractErrorCode(payload);
+		if (code === API_ERROR_CODES.unauthorized || code === API_ERROR_CODES.notFound) {
+			deleteCliCredentials(params.configDir);
+			writeErrorWithHints(payload);
+			process.stderr.write("Removed saved Primitive CLI credentials because the backing OAuth grant is already unavailable.\n");
+			process.exitCode = 1;
+			return;
+		}
+		writeErrorWithHints(payload);
+		throw cliError$2("Could not revoke the saved Primitive CLI OAuth grant.");
+	}
+	const logout = unwrapData$1(result.data);
+	deleteCliCredentials(params.configDir);
+	const grantId = logout?.oauth_grant_id ?? freshCredentials.oauth_grant_id;
+	process.stderr.write(`Logged out and revoked OAuth grant ${grantId}.\n`);
+}
 var LogoutCommand = class LogoutCommand extends Command {
-	static description = "Log out by revoking the saved Primitive CLI API key and deleting local credentials.";
-	static summary = "Log out and revoke the saved CLI key";
+	static description = "Log out by revoking the saved Primitive CLI OAuth grant and deleting local credentials.";
+	static summary = "Log out and revoke the saved CLI OAuth grant";
 	static examples = ["<%= config.bin %> logout"];
 	static flags = { "api-base-url-1": Flags.string({
 		description: "Override the primary API base URL. Internal testing only; not documented to customers.",
@@ -15117,59 +16085,17 @@ var LogoutCommand = class LogoutCommand extends Command {
 		try {
 			releaseCredentialsLock = acquireCliCredentialsLock(this.config.configDir);
 		} catch (error) {
-			throw cliError$1(error instanceof Error ? error.message : String(error));
+			throw cliError$2(error instanceof Error ? error.message : String(error));
 		}
 		try {
-			await this.runWithCredentialLock(flags);
+			await runLogoutWithCredentialLock({
+				configDir: this.config.configDir,
+				flags
+			});
 		} finally {
 			releaseCredentialsLock();
 		}
 	}
-	async runWithCredentialLock(flags) {
-		let credentials;
-		try {
-			credentials = loadCliCredentials(this.config.configDir);
-		} catch (error) {
-			deleteCliCredentials(this.config.configDir);
-			const detail = error instanceof Error ? error.message : String(error);
-			process.stderr.write(`Removed unreadable Primitive CLI credentials. Backing API key was not revoked: ${detail}\n`);
-			process.exitCode = 1;
-			return;
-		}
-		if (!credentials) throw cliError$1("Not logged in. Run `primitive login` to create saved CLI credentials.");
-		const requestConfig = resolveCliApiRequestConfig({
-			apiBaseUrl1: flags["api-base-url-1"],
-			configDir: this.config.configDir
-		});
-		const apiBaseUrl1 = requestConfig.apiBaseUrl1 ? normalizeApiBaseUrl1(requestConfig.apiBaseUrl1) : credentials.api_base_url_1;
-		const apiClient = new PrimitiveApiClient({
-			apiKey: credentials.api_key,
-			apiBaseUrl1,
-			headers: requestConfig.headers
-		});
-		const result = await cliLogout({
-			body: { key_id: credentials.key_id },
-			client: apiClient.client,
-			responseStyle: "fields"
-		});
-		if (result.error) {
-			const payload = extractErrorPayload(result.error);
-			const code = extractErrorCode(payload);
-			if (code === API_ERROR_CODES.unauthorized || code === API_ERROR_CODES.notFound) {
-				deleteCliCredentials(this.config.configDir);
-				writeErrorWithHints(payload);
-				process.stderr.write("Removed saved Primitive CLI credentials because the backing API key is already unavailable.\n");
-				process.exitCode = 1;
-				return;
-			}
-			writeErrorWithHints(payload);
-			throw cliError$1("Could not revoke the saved Primitive CLI API key.");
-		}
-		const logout = unwrapData$1(result.data);
-		deleteCliCredentials(this.config.configDir);
-		const keyId = logout?.key_id ?? credentials.key_id;
-		process.stderr.write(`Logged out and revoked API key ${keyId}.\n`);
-	}
 };
 //#endregion
 //#region src/oclif/message-body-sources.ts
@@ -15286,7 +16212,7 @@ var ReplyCommand = class ReplyCommand extends Command {
 	];
 	static flags = {
 		"api-key": Flags.string({
-			description: "Primitive API key (defaults to PRIMITIVE_API_KEY or saved `primitive login` credentials)",
+			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
 		"api-base-url-1": Flags.string({
@@ -15326,7 +16252,7 @@ var ReplyCommand = class ReplyCommand extends Command {
 		});
 		if (bodies.kind === "error") throw new Errors.CLIError(bodies.message);
 		await runWithTiming(flags.time, async () => {
-			const { apiClient, auth, baseUrlOverridden } = createAuthenticatedCliApiClient({
+			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
 				apiBaseUrl1: flags["api-base-url-1"],
 				apiBaseUrl2: flags["api-base-url-2"],
@@ -15385,7 +16311,7 @@ var SendCommand = class SendCommand extends Command {
 	];
 	static flags = {
 		"api-key": Flags.string({
-			description: "Primitive API key (defaults to PRIMITIVE_API_KEY or saved `primitive login` credentials)",
+			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
 		"api-base-url-1": Flags.string({
@@ -15427,7 +16353,7 @@ var SendCommand = class SendCommand extends Command {
 		});
 		if (bodies.kind === "error") throw new Errors.CLIError(bodies.message);
 		await runWithTiming(flags.time, async () => {
-			const { apiClient, auth, baseUrlOverridden } = createAuthenticatedCliApiClient({
+			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
 				apiBaseUrl1: flags["api-base-url-1"],
 				apiBaseUrl2: flags["api-base-url-2"],
@@ -15475,12 +16401,18 @@ var SendCommand = class SendCommand extends Command {
 //#endregion
 //#region src/oclif/commands/signup.ts
 const INVALID_VERIFICATION_CODE = "invalid_verification_code";
-const CLERK_PASSWORD_REJECTED = "clerk_password_rejected";
 const EXPIRED_TOKEN = "expired_token";
 const INVALID_SIGNUP_TOKEN = "invalid_signup_token";
 const SLOW_DOWN = "slow_down";
 const PENDING_SIGNUP_FILE = "signup.json";
-function cliError(message) {
+const DEFAULT_SIGNUP_COMMAND_COPY = {
+	actionNoun: "signup",
+	actionGerund: "creating a new account",
+	confirmCommand: (email) => `signup confirm ${email} <code>`,
+	resendCommand: (email) => `signup resend ${email}`,
+	startCommand: (email) => `signup ${email}`
+};
+function cliError$1(message) {
 	return new Errors.CLIError(message, { exit: 1 });
 }
 function unwrapData(value) {
@@ -15489,6 +16421,9 @@ function unwrapData(value) {
 function isRecord(value) {
 	return value !== null && typeof value === "object" && !Array.isArray(value);
 }
+function normalizeEmail(email) {
+	return email.trim().toLowerCase();
+}
 function pendingSignupFromJson(value) {
 	if (!isRecord(value)) return null;
 	if (typeof value.signup_token !== "string" || typeof value.email !== "string" || typeof value.expires_in !== "number" || typeof value.resend_after !== "number" || typeof value.verification_code_length !== "number" || typeof value.api_base_url_1 !== "string" || typeof value.created_at !== "string" || typeof value.expires_at !== "string") return null;
@@ -15506,7 +16441,7 @@ function pendingSignupFromJson(value) {
 function pendingSignupPath(configDir) {
 	return join(configDir, PENDING_SIGNUP_FILE);
 }
-function deletePendingCliSignup(configDir) {
+function deletePendingAgentSignup(configDir) {
 	rmSync(pendingSignupPath(configDir), { force: true });
 }
 function pendingSignupFromStart(start, apiBaseUrl1) {
@@ -15517,7 +16452,7 @@ function pendingSignupFromStart(start, apiBaseUrl1) {
 		expires_at: new Date(Date.now() + start.expires_in * 1e3).toISOString()
 	};
 }
-function savePendingCliSignup(configDir, start, apiBaseUrl1) {
+function savePendingAgentSignup(configDir, start, apiBaseUrl1) {
 	mkdirSync(configDir, {
 		mode: 448,
 		recursive: true
@@ -15536,7 +16471,7 @@ function savePendingCliSignup(configDir, start, apiBaseUrl1) {
 		throw error;
 	}
 }
-function loadPendingCliSignup(configDir, apiBaseUrl1) {
+function loadPendingAgentSignup(configDir, apiBaseUrl1) {
 	const path = pendingSignupPath(configDir);
 	let contents;
 	try {
@@ -15552,12 +16487,12 @@ function loadPendingCliSignup(configDir, apiBaseUrl1) {
 		pending = null;
 	}
 	if (!pending) {
-		deletePendingCliSignup(configDir);
+		deletePendingAgentSignup(configDir);
 		return null;
 	}
 	if (pending.api_base_url_1 !== apiBaseUrl1) return null;
 	if (new Date(pending.expires_at).getTime() <= Date.now()) {
-		deletePendingCliSignup(configDir);
+		deletePendingAgentSignup(configDir);
 		return null;
 	}
 	return {
@@ -15565,6 +16500,13 @@ function loadPendingCliSignup(configDir, apiBaseUrl1) {
 		expires_in: Math.max(0, Math.ceil((new Date(pending.expires_at).getTime() - Date.now()) / 1e3))
 	};
 }
+function requirePendingSignupForEmail(params) {
+	const copy = params.copy ?? DEFAULT_SIGNUP_COMMAND_COPY;
+	const pending = loadPendingAgentSignup(params.configDir, params.apiBaseUrl1);
+	if (!pending) throw cliError$1(`No pending ${copy.actionNoun} for ${params.email}. Run \`primitive ${copy.startCommand(params.email)}\` first.`);
+	if (normalizeEmail(pending.email) !== normalizeEmail(params.email)) throw cliError$1(`Pending ${copy.actionNoun} is for ${pending.email}, not ${params.email}. Run \`primitive ${copy.startCommand(params.email)} --force\` to replace it.`);
+	return pending;
+}
 function retryAfterSeconds(result) {
 	const raw = result.response?.headers.get("retry-after");
 	if (!raw) return null;
@@ -15585,61 +16527,12 @@ async function promptLine(question) {
 		rl.close();
 	}
 }
-async function promptHidden(question) {
-	if (!process$1.stdin.isTTY || !process$1.stderr.isTTY || !process$1.stdin.setRawMode) throw cliError("Password input requires an interactive terminal with hidden input support.");
-	return new Promise((resolve, reject) => {
-		const input = process$1.stdin;
-		let value = "";
-		const cleanup = () => {
-			input.setRawMode(false);
-			input.pause();
-			input.off("data", onData);
-		};
-		const finish = () => {
-			cleanup();
-			process$1.stderr.write("\n");
-			resolve(value);
-		};
-		const onData = (chunk) => {
-			const text = chunk.toString("utf8");
-			for (const char of text) {
-				if (char === "") {
-					cleanup();
-					process$1.stderr.write("\n");
-					reject(cliError("Signup cancelled."));
-					return;
-				}
-				if (char === "\r" || char === "\n") {
-					finish();
-					return;
-				}
-				if (char === "\b" || char === "") {
-					value = value.slice(0, -1);
-					continue;
-				}
-				value += char;
-			}
-		};
-		process$1.stderr.write(question);
-		input.setRawMode(true);
-		input.resume();
-		input.on("data", onData);
-	});
-}
 function formatSignupSeconds(seconds) {
 	if (typeof seconds !== "number" || !Number.isFinite(seconds) || seconds <= 0) return "soon";
 	if (seconds < 60) return `${Math.ceil(seconds)} seconds`;
 	const minutes = Math.ceil(seconds / 60);
 	return `${minutes} minute${minutes === 1 ? "" : "s"}`;
 }
-function shouldRetrySignupPassword(errorCode) {
-	return errorCode === CLERK_PASSWORD_REJECTED;
-}
-function signupErrorMessage(payload) {
-	if (!isRecord(payload)) return null;
-	const message = (isRecord(payload.error) ? payload.error : payload).message;
-	return typeof message === "string" && message.trim() ? message : null;
-}
 async function promptRequired(question) {
 	while (true) {
 		const value = await promptLine(question);
@@ -15647,29 +16540,109 @@ async function promptRequired(question) {
 		process$1.stderr.write("Please enter a value.\n");
 	}
 }
-async function promptRequiredPassword(question) {
-	while (true) {
-		const value = await promptHidden(question);
-		if (value) return value;
-		process$1.stderr.write("Please enter a password.\n");
-	}
+async function confirmTerms() {
+	process$1.stderr.write("By continuing, you agree to Primitive's Terms of Service and Privacy Policy:\n");
+	process$1.stderr.write("  https://primitive.dev/terms\n");
+	process$1.stderr.write("  https://primitive.dev/privacy\n");
+	const answer = (await promptRequired("Type 'yes' to continue: ")).toLowerCase();
+	if (answer !== "yes" && answer !== "y") throw cliError$1("You must accept the terms to create an account.");
+}
+async function checkExistingCredentials(params) {
+	const copy = params.copy ?? DEFAULT_SIGNUP_COMMAND_COPY;
+	const checkExistingLoginFn = params.deps.checkExistingLogin ?? checkExistingLogin;
+	let existing;
+	try {
+		existing = loadCliCredentials(params.configDir);
+	} catch (error) {
+		if (!params.flags.force) throw error;
+		const detail = error instanceof Error ? error.message : String(error);
+		process$1.stderr.write(`Replacing unreadable Primitive CLI credentials because --force was set: ${detail}\n`);
+		existing = null;
+	}
+	if (existing && params.flags.force) {
+		process$1.stderr.write(`Replacing saved Primitive CLI credentials after ${copy.actionNoun} because --force was set.\n`);
+		return;
+	}
+	if (!existing) return;
+	const existingStatus = await checkExistingLoginFn({
+		apiBaseUrl1: params.apiBaseUrl1,
+		configDir: params.configDir,
+		credentials: existing,
+		credentialsLockHeld: true
+	});
+	if (existingStatus.status === "removed_stale") {
+		process$1.stderr.write("Continuing with Primitive signup...\n");
+		return;
+	}
+	if (existingStatus.status === "blocked") {
+		writeErrorWithHints(existingStatus.payload);
+		throw cliError$1(existingStatus.message);
+	}
+	throw cliError$1(`Already logged in${existing.org_name ? ` for ${existing.org_name}` : ""}. Run \`primitive logout\` before ${copy.actionGerund}.`);
+}
+function saveSignupCredentials(params) {
+	saveCliCredentials(params.configDir, {
+		access_token: params.signup.access_token,
+		api_base_url_1: params.apiBaseUrl1,
+		auth_method: "oauth",
+		created_at: (/* @__PURE__ */ new Date()).toISOString(),
+		expires_at: cliAccessTokenExpiresAt(params.signup.expires_in),
+		oauth_client_id: params.signup.oauth_client_id,
+		oauth_grant_id: params.signup.oauth_grant_id,
+		org_id: params.signup.org_id,
+		org_name: params.signup.org_name,
+		refresh_token: params.signup.refresh_token,
+		token_type: params.signup.token_type
+	});
+}
+function writeStartInstructions(start, copy = DEFAULT_SIGNUP_COMMAND_COPY) {
+	process$1.stderr.write(`Sent a ${start.verification_code_length}-digit verification code to ${start.email}.\n`);
+	process$1.stderr.write(`The code expires in ${formatSignupSeconds(start.expires_in)}.\n`);
+	process$1.stderr.write(`Run \`primitive ${copy.confirmCommand(start.email)}\` to finish.\n`);
 }
-async function promptNewPassword() {
-	while (true) {
-		const password = await promptRequiredPassword("Password: ");
-		if (password === await promptRequiredPassword("Confirm password: ")) return password;
-		process$1.stderr.write("Passwords did not match. Try again.\n");
+async function startSignup(params) {
+	const copy = params.copy ?? DEFAULT_SIGNUP_COMMAND_COPY;
+	const existingPending = loadPendingAgentSignup(params.configDir, params.apiBaseUrl1);
+	if (existingPending && !params.flags.force) {
+		if (normalizeEmail(existingPending.email) === normalizeEmail(params.email)) {
+			process$1.stderr.write(`Continuing pending Primitive ${copy.actionNoun} for ${existingPending.email}.\n`);
+			process$1.stderr.write(`Run \`primitive ${copy.confirmCommand(existingPending.email)}\` to finish, or \`primitive ${copy.resendCommand(existingPending.email)}\` to send a new code.\n`);
+			return {
+				pending: existingPending,
+				started: false
+			};
+		}
+		throw cliError$1(`Pending ${copy.actionNoun} is for ${existingPending.email}. Run \`primitive ${copy.startCommand(params.email)} --force\` to replace it.`);
 	}
-}
-async function confirmTerms() {
-	process$1.stderr.write("By creating an account, you agree to Primitive's Terms of Service and Privacy Policy:\n");
-	process$1.stderr.write("  https://primitive.dev/terms\n");
-	process$1.stderr.write("  https://primitive.dev/privacy\n");
-	const answer = (await promptRequired("Type 'yes' to continue: ")).toLowerCase();
-	if (answer !== "yes" && answer !== "y") throw cliError("You must accept the terms to create an account.");
+	if (params.flags.force) deletePendingAgentSignup(params.configDir);
+	const promptRequiredFn = params.deps.promptRequired ?? promptRequired;
+	const confirmTermsFn = params.deps.confirmTerms ?? confirmTerms;
+	const startFn = params.deps.startAgentSignup ?? startAgentSignup;
+	const signupCode = params.flags["signup-code"] ?? await promptRequiredFn("Signup code: ");
+	if (!params.flags["accept-terms"]) await confirmTermsFn();
+	const started = await startFn({
+		body: {
+			device_name: params.flags["device-name"] ?? hostname(),
+			email: params.email,
+			signup_code: signupCode,
+			terms_accepted: true
+		},
+		client: params.apiClient.client,
+		responseStyle: "fields"
+	});
+	if (started.error) {
+		writeErrorWithHints(extractErrorPayload(started.error));
+		throw cliError$1("Could not start Primitive agent signup.");
+	}
+	const startResult = unwrapData(started.data);
+	if (!startResult) throw cliError$1("Primitive API returned an empty agent signup response.");
+	return {
+		pending: savePendingAgentSignup(params.configDir, startResult, params.apiBaseUrl1),
+		started: true
+	};
 }
 async function resendVerificationCode(params) {
-	const resent = await (params.deps.resendCliSignupVerification ?? resendCliSignupVerification)({
+	const resent = await (params.deps.resendAgentSignupVerification ?? resendAgentSignupVerification)({
 		body: { signup_token: params.start.signup_token },
 		client: params.apiClient.client,
 		responseStyle: "fields"
@@ -15683,195 +16656,510 @@ async function resendVerificationCode(params) {
 			signup_token: params.start.signup_token,
 			verification_code_length: resend.verification_code_length
 		} : params.start;
-		savePendingCliSignup(params.configDir, next, params.apiBaseUrl1);
-		process$1.stderr.write(`Sent a new ${next.verification_code_length}-digit verification code. It expires in ${formatSignupSeconds(next.expires_in)}.\n`);
-		return next;
+		return {
+			pending: savePendingAgentSignup(params.configDir, next, params.apiBaseUrl1),
+			resent: true
+		};
 	}
 	const payload = extractErrorPayload(resent.error);
-	if (extractErrorCode(payload) === SLOW_DOWN) {
-		const suffix = ` Wait ${formatSignupSeconds(retryAfterSeconds(resent) ?? params.start.resend_after)} before trying again.`;
-		process$1.stderr.write(`Verification email was sent recently.${suffix}\n`);
-		return params.start;
+	const code = extractErrorCode(payload);
+	if (code === SLOW_DOWN) {
+		const retryAfter = retryAfterSeconds(resent) ?? params.start.resend_after;
+		process$1.stderr.write(`Verification email was sent recently. Wait ${formatSignupSeconds(retryAfter)} before trying again.\n`);
+		return {
+			pending: params.start,
+			resent: false
+		};
 	}
+	if (code === EXPIRED_TOKEN || code === INVALID_SIGNUP_TOKEN) deletePendingAgentSignup(params.configDir);
 	writeErrorWithHints(payload);
-	throw cliError("Could not resend Primitive CLI signup verification email.");
+	throw cliError$1("Could not resend Primitive agent signup verification email.");
 }
-async function runSignupWithCredentialLock(params) {
+async function runSignupStartWithCredentialLock(params) {
 	const { configDir, flags } = params;
 	const deps = params.deps ?? {};
 	const promptRequiredFn = deps.promptRequired ?? promptRequired;
-	const promptNewPasswordFn = deps.promptNewPassword ?? promptNewPassword;
-	const confirmTermsFn = deps.confirmTerms ?? confirmTerms;
-	const startFn = deps.startCliSignup ?? startCliSignup;
-	const verifyFn = deps.verifyCliSignup ?? verifyCliSignup;
-	const checkExistingLoginFn = deps.checkExistingLogin ?? checkExistingLogin;
+	const email = params.email ?? await promptRequiredFn("Email: ");
+	await checkExistingCredentials({
+		apiBaseUrl1: flags["api-base-url-1"],
+		configDir,
+		copy: params.copy,
+		deps,
+		flags
+	});
+	const { apiClient, requestConfig } = createCliApiClient({
+		apiBaseUrl1: flags["api-base-url-1"],
+		configDir
+	});
+	const start = await startSignup({
+		apiBaseUrl1: requestConfig.resolvedApiBaseUrl1,
+		apiClient,
+		configDir,
+		copy: params.copy,
+		deps,
+		email,
+		flags
+	});
+	if (start.started) writeStartInstructions(start.pending, params.copy);
+}
+async function runSignupConfirmWithCredentialLock(params) {
+	const { configDir, flags } = params;
+	const deps = params.deps ?? {};
+	if (!params.skipExistingCredentialCheck) await checkExistingCredentials({
+		apiBaseUrl1: flags["api-base-url-1"],
+		configDir,
+		copy: params.copy,
+		deps,
+		flags
+	});
 	const { apiClient, requestConfig } = createCliApiClient({
 		apiBaseUrl1: flags["api-base-url-1"],
 		configDir
 	});
 	const apiBaseUrl1 = requestConfig.resolvedApiBaseUrl1;
-	let existing;
-	try {
-		existing = loadCliCredentials(configDir);
-	} catch (error) {
-		if (!flags.force) throw error;
-		const detail = error instanceof Error ? error.message : String(error);
-		process$1.stderr.write(`Replacing unreadable Primitive CLI credentials because --force was set: ${detail}\n`);
-		existing = null;
-	}
-	if (existing && flags.force) process$1.stderr.write("Replacing saved Primitive CLI credentials after signup because --force was set.\n");
-	else if (existing) {
-		const existingStatus = await checkExistingLoginFn({
-			apiBaseUrl1: flags["api-base-url-1"],
+	const pending = requirePendingSignupForEmail({
+		apiBaseUrl1,
+		copy: params.copy,
+		configDir,
+		email: params.email
+	});
+	const verified = await (deps.verifyAgentSignup ?? verifyAgentSignup)({
+		body: {
+			...flags["org-id"] ? { org_id: flags["org-id"] } : {},
+			signup_token: pending.signup_token,
+			verification_code: params.code
+		},
+		client: apiClient.client,
+		responseStyle: "fields"
+	});
+	if (verified.data) {
+		const signup = unwrapData(verified.data);
+		if (!signup) throw cliError$1("Primitive API returned an empty agent signup verification response.");
+		saveSignupCredentials({
+			apiBaseUrl1,
 			configDir,
-			credentials: existing
-		});
-		if (existingStatus.status === "removed_stale") process$1.stderr.write("Continuing with Primitive CLI signup...\n");
-		else if (existingStatus.status === "blocked") {
-			writeErrorWithHints(existingStatus.payload);
-			throw cliError(existingStatus.message);
-		} else throw cliError(`Already logged in${existing.org_name ? ` for ${existing.org_name}` : ""}. Run \`primitive logout\` before creating a new account.`);
-	}
-	if (flags.force) deletePendingCliSignup(configDir);
-	let start = flags.force ? null : loadPendingCliSignup(configDir, apiBaseUrl1);
-	const resumed = Boolean(start);
-	if (start) process$1.stderr.write(`Continuing pending Primitive CLI signup for ${start.email}.\n`);
-	else {
-		const signupCode = await promptRequiredFn("Signup code: ");
-		await confirmTermsFn();
-		const email = await promptRequiredFn("Email: ");
-		const started = await startFn({
-			body: {
-				device_name: flags["device-name"] ?? hostname(),
-				email,
-				signup_code: signupCode,
-				terms_accepted: true
-			},
-			client: apiClient.client,
-			responseStyle: "fields"
+			signup
 		});
-		if (started.error) {
-			writeErrorWithHints(extractErrorPayload(started.error));
-			throw cliError("Could not start Primitive CLI signup.");
-		}
-		const startResult = unwrapData(started.data);
-		if (!startResult) throw cliError("Primitive API returned an empty CLI signup response.");
-		start = savePendingCliSignup(configDir, startResult, apiBaseUrl1);
+		deletePendingAgentSignup(configDir);
+		const org = signup.org_name ? ` (${signup.org_name})` : "";
+		process$1.stderr.write(`Logged in to org ${signup.org_id}${org}.\n`);
+		process$1.stderr.write(`Saved credentials to ${credentialsPath(configDir)}.\n`);
+		return;
 	}
-	if (resumed) process$1.stderr.write(`Check your email for the ${start.verification_code_length}-digit verification code sent to ${start.email}.\n`);
-	else process$1.stderr.write(`Sent a ${start.verification_code_length}-digit verification code to ${start.email}.\n`);
+	const payload = extractErrorPayload(verified.error);
+	const code = extractErrorCode(payload);
+	if (code === INVALID_VERIFICATION_CODE) throw cliError$1(`Invalid verification code. Try again or run ${(params.copy ?? DEFAULT_SIGNUP_COMMAND_COPY).resendCommand(params.email)}.`);
+	if (code === EXPIRED_TOKEN || code === INVALID_SIGNUP_TOKEN) deletePendingAgentSignup(configDir);
+	writeErrorWithHints(payload);
+	throw cliError$1("Primitive agent signup failed while verifying the account.");
+}
+async function runSignupResendWithCredentialLock(params) {
+	const deps = params.deps ?? {};
+	const { apiClient, requestConfig } = createCliApiClient({
+		apiBaseUrl1: params.flags["api-base-url-1"],
+		configDir: params.configDir
+	});
+	const pending = requirePendingSignupForEmail({
+		apiBaseUrl1: requestConfig.resolvedApiBaseUrl1,
+		copy: params.copy,
+		configDir: params.configDir,
+		email: params.email
+	});
+	const resend = await resendVerificationCode({
+		apiBaseUrl1: requestConfig.resolvedApiBaseUrl1,
+		apiClient,
+		configDir: params.configDir,
+		deps,
+		start: pending
+	});
+	if (resend.resent) process$1.stderr.write(`Sent a new ${resend.pending.verification_code_length}-digit verification code to ${resend.pending.email}. It expires in ${formatSignupSeconds(resend.pending.expires_in)}.\n`);
+}
+async function runSignupInteractiveWithCredentialLock(params) {
+	const { configDir, flags } = params;
+	const deps = params.deps ?? {};
+	const promptRequiredFn = deps.promptRequired ?? promptRequired;
+	await checkExistingCredentials({
+		apiBaseUrl1: flags["api-base-url-1"],
+		configDir,
+		deps,
+		flags
+	});
+	const { apiClient, requestConfig } = createCliApiClient({
+		apiBaseUrl1: flags["api-base-url-1"],
+		configDir
+	});
+	const apiBaseUrl1 = requestConfig.resolvedApiBaseUrl1;
+	let start = flags.force ? null : loadPendingAgentSignup(configDir, apiBaseUrl1);
+	if (start) process$1.stderr.write(`Continuing pending Primitive signup for ${start.email}.\n`);
+	else start = (await startSignup({
+		apiBaseUrl1,
+		apiClient,
+		configDir,
+		deps,
+		email: await promptRequiredFn("Email: "),
+		flags
+	})).pending;
+	process$1.stderr.write(`Check your email for the ${start.verification_code_length}-digit verification code sent to ${start.email}.\n`);
 	process$1.stderr.write(`The code expires in ${formatSignupSeconds(start.expires_in)}.\n`);
 	process$1.stderr.write(`Enter the code from the email, or type \`resend\` to send a new code after ${formatSignupSeconds(start.resend_after)}.\n`);
 	while (true) {
 		const verificationCode = await promptRequiredFn(`Verification code (${start.verification_code_length} digits): `);
 		if (verificationCode.toLowerCase() === "resend") {
-			start = await resendVerificationCode({
+			const resend = await resendVerificationCode({
 				apiBaseUrl1,
 				apiClient,
 				configDir,
 				deps,
 				start
 			});
+			start = resend.pending;
+			if (resend.resent) process$1.stderr.write(`Sent a new ${start.verification_code_length}-digit verification code. It expires in ${formatSignupSeconds(start.expires_in)}.\n`);
 			continue;
 		}
-		let password = await promptNewPasswordFn();
-		while (true) {
-			const verified = await verifyFn({
-				body: {
-					password,
-					signup_token: start.signup_token,
-					verification_code: verificationCode
+		try {
+			await runSignupConfirmWithCredentialLock({
+				code: verificationCode,
+				configDir,
+				deps,
+				email: start.email,
+				flags: {
+					"api-base-url-1": flags["api-base-url-1"],
+					force: true
 				},
-				client: apiClient.client,
-				responseStyle: "fields"
+				skipExistingCredentialCheck: true
 			});
-			if (verified.data) {
-				const signup = unwrapData(verified.data);
-				if (!signup) throw cliError("Primitive API returned an empty CLI signup verification response.");
-				saveCliCredentials(configDir, {
-					api_key: signup.api_key,
-					api_base_url_1: apiBaseUrl1,
-					created_at: (/* @__PURE__ */ new Date()).toISOString(),
-					key_id: signup.key_id,
-					key_prefix: signup.key_prefix,
-					org_id: signup.org_id,
-					org_name: signup.org_name
-				});
-				deletePendingCliSignup(configDir);
-				const org = signup.org_name ? ` (${signup.org_name})` : "";
-				process$1.stderr.write(`Created account and logged in to org ${signup.org_id}${org}.\n`);
-				process$1.stderr.write(`Saved credentials to ${credentialsPath(configDir)}.\n`);
-				return;
-			}
-			const payload = extractErrorPayload(verified.error);
-			const code = extractErrorCode(payload);
-			if (code === INVALID_VERIFICATION_CODE) {
+			return;
+		} catch (error) {
+			if (error instanceof Errors.CLIError && error.message.startsWith("Invalid verification code.")) {
 				process$1.stderr.write("Invalid verification code. Try again or type `resend`.\n");
-				break;
-			}
-			if (shouldRetrySignupPassword(code)) {
-				const message = signupErrorMessage(payload);
-				if (message) process$1.stderr.write(`Password rejected: ${message}\n`);
-				process$1.stderr.write("Choose a different password and try again.\n");
-				password = await promptNewPasswordFn();
 				continue;
 			}
-			if (code === EXPIRED_TOKEN || code === INVALID_SIGNUP_TOKEN) deletePendingCliSignup(configDir);
-			writeErrorWithHints(payload);
-			throw cliError("Primitive CLI signup failed while verifying the account.");
+			throw error;
 		}
 	}
 }
+function commonStartFlags() {
+	return {
+		"accept-terms": Flags.boolean({ description: "Confirm acceptance of Primitive's Terms of Service and Privacy Policy" }),
+		"api-base-url-1": Flags.string({
+			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
+			env: "PRIMITIVE_API_BASE_URL_1",
+			hidden: true
+		}),
+		"device-name": Flags.string({ description: "Device name used for the created CLI OAuth session" }),
+		force: Flags.boolean({
+			char: "f",
+			description: "Replace saved credentials or pending signup state when needed"
+		}),
+		"signup-code": Flags.string({
+			description: "Signup code required to create an account",
+			env: "PRIMITIVE_SIGNUP_CODE"
+		})
+	};
+}
 var SignupCommand = class SignupCommand extends Command {
-	static description = "Create a Primitive account from the terminal, verify your email, and save an org-scoped CLI API key locally.";
-	static summary = "Create an account and log in";
+	static args = { email: Args.string({
+		description: "Email address to sign up",
+		required: false
+	}) };
+	static description = "Start a Primitive account signup, send an email verification code, and save a pending signup token locally.";
+	static summary = "Start account signup";
 	static examples = [
-		"<%= config.bin %> signup",
-		"<%= config.bin %> signup --device-name work-laptop",
-		"<%= config.bin %> signup --force"
+		"<%= config.bin %> signup user@example.com",
+		"<%= config.bin %> signup user@example.com --signup-code invite-code --accept-terms",
+		"<%= config.bin %> signup confirm user@example.com 123456"
 	];
+	static flags = commonStartFlags();
+	async run() {
+		const { args, flags } = await this.parse(SignupCommand);
+		let releaseCredentialsLock;
+		try {
+			releaseCredentialsLock = acquireCliCredentialsLock(this.config.configDir);
+		} catch (error) {
+			throw cliError$1(error instanceof Error ? error.message : String(error));
+		}
+		try {
+			await runSignupStartWithCredentialLock({
+				configDir: this.config.configDir,
+				email: args.email,
+				flags
+			});
+		} finally {
+			releaseCredentialsLock();
+		}
+	}
+};
+var SignupConfirmCommand = class SignupConfirmCommand extends Command {
+	static args = {
+		email: Args.string({
+			description: "Email address used to start signup",
+			required: true
+		}),
+		code: Args.string({
+			description: "Verification code from the signup email",
+			required: true
+		})
+	};
+	static description = "Confirm a pending Primitive signup, create an OAuth session, and save CLI credentials locally.";
+	static summary = "Confirm account signup";
+	static examples = ["<%= config.bin %> signup confirm user@example.com 123456", "<%= config.bin %> signup confirm user@example.com 123456 --org-id 00000000-0000-4000-8000-000000000000"];
 	static flags = {
 		"api-base-url-1": Flags.string({
 			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
 			env: "PRIMITIVE_API_BASE_URL_1",
 			hidden: true
 		}),
-		"device-name": Flags.string({ description: "Device name used for the created CLI API key" }),
 		force: Flags.boolean({
 			char: "f",
-			description: "Replace saved credentials without first verifying the existing login"
-		})
+			description: "Replace saved credentials after verification"
+		}),
+		"org-id": Flags.string({ description: "Workspace id to target when the email belongs to multiple workspaces" })
 	};
 	async run() {
-		const { flags } = await this.parse(SignupCommand);
+		const { args, flags } = await this.parse(SignupConfirmCommand);
 		let releaseCredentialsLock;
 		try {
 			releaseCredentialsLock = acquireCliCredentialsLock(this.config.configDir);
 		} catch (error) {
-			throw cliError(error instanceof Error ? error.message : String(error));
+			throw cliError$1(error instanceof Error ? error.message : String(error));
 		}
 		try {
-			await this.runWithCredentialLock(flags);
+			await runSignupConfirmWithCredentialLock({
+				code: args.code,
+				configDir: this.config.configDir,
+				email: args.email,
+				flags
+			});
 		} finally {
 			releaseCredentialsLock();
 		}
 	}
-	async runWithCredentialLock(flags) {
-		await runSignupWithCredentialLock({
-			configDir: this.config.configDir,
-			flags
-		});
+};
+var SignupResendCommand = class SignupResendCommand extends Command {
+	static args = { email: Args.string({
+		description: "Email address used to start signup",
+		required: true
+	}) };
+	static description = "Resend the verification code for a pending signup.";
+	static summary = "Resend signup verification code";
+	static examples = ["<%= config.bin %> signup resend user@example.com"];
+	static flags = { "api-base-url-1": Flags.string({
+		description: "Override the primary API base URL. Internal testing only; not documented to customers.",
+		env: "PRIMITIVE_API_BASE_URL_1",
+		hidden: true
+	}) };
+	async run() {
+		const { args, flags } = await this.parse(SignupResendCommand);
+		let releaseCredentialsLock;
+		try {
+			releaseCredentialsLock = acquireCliCredentialsLock(this.config.configDir);
+		} catch (error) {
+			throw cliError$1(error instanceof Error ? error.message : String(error));
+		}
+		try {
+			await runSignupResendWithCredentialLock({
+				configDir: this.config.configDir,
+				email: args.email,
+				flags
+			});
+		} finally {
+			releaseCredentialsLock();
+		}
+	}
+};
+var SignupInteractiveCommand = class SignupInteractiveCommand extends Command {
+	static description = "Run the full signup flow in one interactive terminal session.";
+	static summary = "Run interactive account signup";
+	static examples = ["<%= config.bin %> signup interactive"];
+	static flags = commonStartFlags();
+	async run() {
+		const { flags } = await this.parse(SignupInteractiveCommand);
+		let releaseCredentialsLock;
+		try {
+			releaseCredentialsLock = acquireCliCredentialsLock(this.config.configDir);
+		} catch (error) {
+			throw cliError$1(error instanceof Error ? error.message : String(error));
+		}
+		try {
+			await runSignupInteractiveWithCredentialLock({
+				configDir: this.config.configDir,
+				flags
+			});
+		} finally {
+			releaseCredentialsLock();
+		}
+	}
+};
+//#endregion
+//#region src/oclif/commands/signin.ts
+function cliError(message) {
+	return new Errors.CLIError(message, { exit: 1 });
+}
+const SIGNIN_OTP_COPY = {
+	actionNoun: "sign-in",
+	actionGerund: "signing in",
+	confirmCommand: (email) => `signin otp confirm ${email} <code>`,
+	resendCommand: (email) => `signin otp resend ${email}`,
+	startCommand: (email) => `signin otp ${email}`
+};
+function acquireCredentialsLock(configDir) {
+	try {
+		return acquireCliCredentialsLock(configDir);
+	} catch (error) {
+		throw cliError(error instanceof Error ? error.message : String(error));
+	}
+}
+function commonOtpStartFlags() {
+	return {
+		"accept-terms": Flags.boolean({ description: "Confirm acceptance of Primitive's Terms of Service and Privacy Policy" }),
+		"api-base-url-1": Flags.string({
+			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
+			env: "PRIMITIVE_API_BASE_URL_1",
+			hidden: true
+		}),
+		"device-name": Flags.string({ description: "Device name used for the created CLI OAuth session" }),
+		force: Flags.boolean({
+			char: "f",
+			description: "Replace saved credentials or pending sign-in state when needed"
+		}),
+		"signup-code": Flags.string({
+			description: "Signup code required to start OTP sign-in",
+			env: "PRIMITIVE_SIGNUP_CODE"
+		})
+	};
+}
+var SigninCommand = class extends LoginCommand {
+	static description = `Sign in to an existing Primitive account with browser approval and save an org-scoped OAuth session locally.
+
+This is the canonical sign-in command. It defaults to the same browser approval flow as \`primitive signin browser\`. For email-code sign-in, use \`primitive signin otp <email> --signup-code <code>\`, then \`primitive signin otp confirm <email> <code>\`. For new account creation, use \`primitive signup <email>\`.`;
+	static summary = "Sign in to an existing account";
+	static examples = [
+		"<%= config.bin %> signin",
+		"<%= config.bin %> signin browser",
+		"<%= config.bin %> signin --no-browser",
+		"<%= config.bin %> signin otp user@example.com --signup-code invite-code --accept-terms",
+		"<%= config.bin %> signin otp confirm user@example.com 123456"
+	];
+	retryCommand() {
+		return "signin";
+	}
+};
+var SigninBrowserCommand = class extends LoginCommand {
+	static description = "Sign in to an existing Primitive account by opening Primitive in your browser and saving an org-scoped OAuth session locally.";
+	static summary = "Sign in with browser approval";
+	static examples = [
+		"<%= config.bin %> signin browser",
+		"<%= config.bin %> signin browser --device-name work-laptop",
+		"<%= config.bin %> signin browser --no-browser",
+		"<%= config.bin %> signin browser --force"
+	];
+	retryCommand() {
+		return "signin browser";
+	}
+};
+var SigninOtpCommand = class SigninOtpCommand extends Command {
+	static args = { email: Args.string({
+		description: "Email address to sign in with",
+		required: false
+	}) };
+	static description = "Start email-code sign-in using Primitive's signup/auth OTP flow, send a verification code, and save the pending token locally. Requires a signup code.";
+	static summary = "Start OTP sign-in";
+	static examples = ["<%= config.bin %> signin otp user@example.com --signup-code invite-code --accept-terms", "<%= config.bin %> signin otp confirm user@example.com 123456"];
+	static flags = commonOtpStartFlags();
+	async run() {
+		const { args, flags } = await this.parse(SigninOtpCommand);
+		const releaseCredentialsLock = acquireCredentialsLock(this.config.configDir);
+		try {
+			await runSignupStartWithCredentialLock({
+				configDir: this.config.configDir,
+				copy: SIGNIN_OTP_COPY,
+				email: args.email,
+				flags
+			});
+		} finally {
+			releaseCredentialsLock();
+		}
+	}
+};
+var SigninOtpConfirmCommand = class SigninOtpConfirmCommand extends Command {
+	static args = {
+		email: Args.string({
+			description: "Email address used to start OTP sign-in",
+			required: true
+		}),
+		code: Args.string({
+			description: "Verification code from the sign-in email",
+			required: true
+		})
+	};
+	static description = "Confirm a pending OTP sign-in, create an OAuth session, and save CLI credentials locally.";
+	static summary = "Confirm OTP sign-in";
+	static examples = ["<%= config.bin %> signin otp confirm user@example.com 123456", "<%= config.bin %> signin otp confirm user@example.com 123456 --org-id 00000000-0000-4000-8000-000000000000"];
+	static flags = {
+		"api-base-url-1": Flags.string({
+			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
+			env: "PRIMITIVE_API_BASE_URL_1",
+			hidden: true
+		}),
+		force: Flags.boolean({
+			char: "f",
+			description: "Replace saved credentials after verification"
+		}),
+		"org-id": Flags.string({ description: "Workspace id to target when the email belongs to multiple workspaces" })
+	};
+	async run() {
+		const { args, flags } = await this.parse(SigninOtpConfirmCommand);
+		const releaseCredentialsLock = acquireCredentialsLock(this.config.configDir);
+		try {
+			await runSignupConfirmWithCredentialLock({
+				code: args.code,
+				configDir: this.config.configDir,
+				copy: SIGNIN_OTP_COPY,
+				email: args.email,
+				flags
+			});
+		} finally {
+			releaseCredentialsLock();
+		}
+	}
+};
+var SigninOtpResendCommand = class SigninOtpResendCommand extends Command {
+	static args = { email: Args.string({
+		description: "Email address used to start OTP sign-in",
+		required: true
+	}) };
+	static description = "Resend the verification code for a pending OTP sign-in.";
+	static summary = "Resend OTP sign-in code";
+	static examples = ["<%= config.bin %> signin otp resend user@example.com"];
+	static flags = { "api-base-url-1": Flags.string({
+		description: "Override the primary API base URL. Internal testing only; not documented to customers.",
+		env: "PRIMITIVE_API_BASE_URL_1",
+		hidden: true
+	}) };
+	async run() {
+		const { args, flags } = await this.parse(SigninOtpResendCommand);
+		const releaseCredentialsLock = acquireCredentialsLock(this.config.configDir);
+		try {
+			await runSignupResendWithCredentialLock({
+				configDir: this.config.configDir,
+				copy: SIGNIN_OTP_COPY,
+				email: args.email,
+				flags
+			});
+		} finally {
+			releaseCredentialsLock();
+		}
 	}
 };
 //#endregion
 //#region src/oclif/commands/whoami.ts
 var WhoamiCommand = class WhoamiCommand extends Command {
-	static description = `Print the account currently authenticated by the API key. Useful as a credentials smoke test: confirms the key is live and shows which account it belongs to.`;
+	static description = `Print the account currently authenticated by saved OAuth credentials or an explicit API key. Useful as a credentials smoke test: confirms auth is live and shows which account it belongs to.`;
 	static summary = "Print the authenticated account (credentials smoke test)";
 	static examples = ["<%= config.bin %> whoami", "<%= config.bin %> whoami --api-key prim_..."];
 	static flags = {
 		"api-key": Flags.string({
-			description: "Primitive API key (defaults to PRIMITIVE_API_KEY or saved `primitive login` credentials)",
+			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
 		"api-base-url-1": Flags.string({
@@ -15889,7 +17177,7 @@ var WhoamiCommand = class WhoamiCommand extends Command {
 	async run() {
 		const { flags } = await this.parse(WhoamiCommand);
 		await runWithTiming(flags.time, async () => {
-			const { apiClient, auth, baseUrlOverridden } = createAuthenticatedCliApiClient({
+			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
 				apiBaseUrl1: flags["api-base-url-1"],
 				apiBaseUrl2: flags["api-base-url-2"],
@@ -15983,7 +17271,7 @@ function renderFishCompletion(binName) {
 		for (const operation of topicOperations) {
 			lines.push(`complete -c ${binName} -f -n '__fish_${binName}_topic_needs_subcommand ${fishEscape(topic)}' -a '${fishEscape(operation.command)}' -d '${fishEscape(operation.summary ?? `${operation.method} ${operation.path}`)}'`);
 			for (const parameter of [...operation.pathParams, ...operation.queryParams]) lines.push(`complete -c ${binName} -n '${operationCondition(operation).replace(BIN_PLACEHOLDER, binName)}' -l '${fishEscape(parameter.name.replace(/_/g, "-"))}' -r -d '${fishEscape(parameter.description ?? parameter.name)}'`);
-			lines.push(`complete -c ${binName} -n '${operationCondition(operation).replace(BIN_PLACEHOLDER, binName)}' -l 'api-key' -r -d 'Primitive API key (defaults to PRIMITIVE_API_KEY or saved primitive login credentials)'`);
+			lines.push(`complete -c ${binName} -n '${operationCondition(operation).replace(BIN_PLACEHOLDER, binName)}' -l 'api-key' -r -d 'Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)'`);
 			if (!operation.binaryResponse) lines.push(`complete -c ${binName} -n '${operationCondition(operation).replace(BIN_PLACEHOLDER, binName)}' -l 'envelope' -d 'Print the full response envelope, including pagination metadata'`);
 			if (operation.hasJsonBody) lines.push(`complete -c ${binName} -n '${operationCondition(operation).replace(BIN_PLACEHOLDER, binName)}' -l 'body' -r -d 'JSON request body'`, `complete -c ${binName} -n '${operationCondition(operation).replace(BIN_PLACEHOLDER, binName)}' -l 'body-file' -r -d 'Path to a JSON file used as the request body'`);
 			if (operation.binaryResponse) lines.push(`complete -c ${binName} -n '${operationCondition(operation).replace(BIN_PLACEHOLDER, binName)}' -l 'output' -r -d 'Write binary response bytes to a file'`);
@@ -16135,7 +17423,15 @@ const COMMANDS = {
 	reply: ReplyCommand,
 	chat: ChatCommand,
 	login: LoginCommand,
+	signin: SigninCommand,
+	"signin:browser": SigninBrowserCommand,
+	"signin:otp": SigninOtpCommand,
+	"signin:otp:confirm": SigninOtpConfirmCommand,
+	"signin:otp:resend": SigninOtpResendCommand,
 	signup: SignupCommand,
+	"signup:confirm": SignupConfirmCommand,
+	"signup:interactive": SignupInteractiveCommand,
+	"signup:resend": SignupResendCommand,
 	logout: LogoutCommand,
 	whoami: WhoamiCommand,
 	doctor: DoctorCommand,