@primitivedotdev/cli 0.31.2 → 0.31.3

package/README.md

@@ -18,8 +18,7 @@ This package wraps the [@primitivedotdev/sdk](https://www.npmjs.com/package/@pri
 ## Quickstart
 
 ```bash
-export PRIMITIVE_API_KEY=prim_...
-
+primitive signin
 primitive whoami
 primitive functions templates
 primitive functions init my-fn
@@ -32,6 +31,14 @@ primitive emails latest --limit 5
 
 Run `primitive --help` for the full command list. Per-command help (`primitive functions deploy --help`) carries enough detail that an agent can compose any operation without leaving the terminal.
 
+## Authentication
+
+Use `primitive signin` for existing accounts. It defaults to browser approval; `primitive signin browser` is the explicit form and `primitive login` remains available for compatibility.
+
+Use `primitive signin otp <email> --signup-code <code> --accept-terms`, then `primitive signin otp confirm <email> <code>` for email-code sign-in.
+
+Use `primitive signup <email>` for new account creation, then `primitive signup confirm <email> <code>` with the emailed verification code. Non-interactive signup is available with `--signup-code` and `--accept-terms`.
+
 ## Command style
 
 Use task-oriented commands for normal workflows:

package/dist/oclif/index.js

@@ -11508,7 +11508,7 @@ var PrimitiveApiClient = class {
 const CREDENTIALS_FILE = "credentials.json";
 const CREDENTIALS_LOCK_DIR = "credentials.lock";
 const CREDENTIALS_LOCK_STALE_MS = 1800 * 1e3;
-const MALFORMED_CREDENTIALS_HINT = "Run `primitive logout` and then `primitive login`.";
+const MALFORMED_CREDENTIALS_HINT = "Run `primitive logout` and then `primitive signin`.";
 function isRecord$2(value) {
 	return value !== null && typeof value === "object" && !Array.isArray(value);
 }
@@ -11586,10 +11586,10 @@ function loadCliCredentials(configDir) {
 			try {
 				rmSync(path, { force: true });
 			} catch {}
-			process.stderr.write("Removed local Primitive CLI API-key login state. API keys are still valid when passed explicitly, but `primitive login` now uses OAuth. Run `primitive login` to create an OAuth session. No API key was revoked.\n");
+			process.stderr.write("Removed local Primitive CLI API-key login state. API keys are still valid when passed explicitly, but saved CLI auth now uses OAuth. Run `primitive signin` to create an OAuth session. No API key was revoked.\n");
 			return null;
 		}
-		if (error instanceof SyntaxError) throw new Error("Stored Primitive CLI credentials are not valid JSON. Run `primitive logout` and then `primitive login`.");
+		if (error instanceof SyntaxError) throw new Error("Stored Primitive CLI credentials are not valid JSON. Run `primitive logout` and then `primitive signin`.");
 		throw error;
 	}
 }
@@ -11872,7 +11872,7 @@ function redactCliEnvironment(environment) {
 //#region src/oclif/api-client.ts
 const API_HEADERS_ENV = "PRIMITIVE_API_HEADERS";
 const OAUTH_REFRESH_SKEW_MS = 60 * 1e3;
-const SAVED_CLI_OAUTH_SESSION_EXPIRED_MESSAGE = "Saved Primitive CLI OAuth session expired or was revoked. Run `primitive login` to authenticate again.";
+const SAVED_CLI_OAUTH_SESSION_EXPIRED_MESSAGE = "Saved Primitive CLI OAuth session expired or was revoked. Run `primitive signin` to authenticate again.";
 function mergeHeaders(...headers) {
 	const merged = {};
 	for (const headerSet of headers) {
@@ -11970,7 +11970,7 @@ async function refreshStoredCliCredentials(params) {
 			throw new Errors.CLIError(detail, { exit: 1 });
 		}
 		const current = loadCliCredentials(params.configDir);
-		if (!current) throw new Errors.CLIError("Saved Primitive CLI OAuth session is no longer available. Run `primitive login` to authenticate again.", { exit: 1 });
+		if (!current) throw new Errors.CLIError("Saved Primitive CLI OAuth session is no longer available. Run `primitive signin` to authenticate again.", { exit: 1 });
 		if (!shouldRefresh(current, now)) return current;
 		const fetchImpl = params.fetch ?? fetch;
 		const body = new URLSearchParams({
@@ -12279,26 +12279,26 @@ function coerceParameterValue(parameter, value) {
 	if (typeof value === "boolean" || typeof value === "number" || typeof value === "string") return value;
 	throw new Errors.CLIError(`Unsupported flag value for --${parameter.name}`);
 }
-function cliError$6(message) {
+function cliError$7(message) {
 	return new Errors.CLIError(message, { exit: 1 });
 }
 function parseJson(source, flagLabel) {
 	try {
 		return JSON.parse(source);
 	} catch (error) {
-		throw cliError$6(`${flagLabel} is not valid JSON: ${error instanceof Error ? error.message : String(error)}`);
+		throw cliError$7(`${flagLabel} is not valid JSON: ${error instanceof Error ? error.message : String(error)}`);
 	}
 }
 function readJsonBody(flags) {
 	const bodyFile = flags["body-file"];
 	const rawBody = flags["raw-body"];
-	if (bodyFile && rawBody) throw cliError$6("Use either --raw-body or --body-file, not both");
+	if (bodyFile && rawBody) throw cliError$7("Use either --raw-body or --body-file, not both");
 	if (typeof bodyFile === "string") {
 		let contents;
 		try {
 			contents = readFileSync(bodyFile, "utf8");
 		} catch (error) {
-			throw cliError$6(`Could not read --body-file ${bodyFile}: ${error instanceof Error ? error.message : String(error)}`);
+			throw cliError$7(`Could not read --body-file ${bodyFile}: ${error instanceof Error ? error.message : String(error)}`);
 		}
 		return parseJson(contents, `--body-file ${bodyFile}`);
 	}
@@ -12308,7 +12308,7 @@ function readTextFileFlag(path, flagLabel) {
 	try {
 		return readFileSync(path, "utf8");
 	} catch (error) {
-		throw cliError$6(`Could not read ${flagLabel} ${path}: ${error instanceof Error ? error.message : String(error)}`);
+		throw cliError$7(`Could not read ${flagLabel} ${path}: ${error instanceof Error ? error.message : String(error)}`);
 	}
 }
 function extractErrorPayload(raw) {
@@ -12355,7 +12355,7 @@ function extractErrorCode(payload) {
 		if (typeof direct === "string") return direct;
 	}
 }
-const ERROR_CODE_HINTS = { [API_ERROR_CODES.unauthorized]: "Hint: run `primitive login`, pass --api-key explicitly, or set PRIMITIVE_API_KEY in your environment. `primitive whoami` is the fastest way to verify auth is live." };
+const ERROR_CODE_HINTS = { [API_ERROR_CODES.unauthorized]: "Hint: run `primitive signin`, pass --api-key explicitly, or set PRIMITIVE_API_KEY in your environment. `primitive whoami` is the fastest way to verify auth is live." };
 const NETWORK_ERROR_HINTS = {
 	ENETUNREACH: "Hint: the network is unreachable. If you're behind a proxy and set HTTP(S)_PROXY, re-run with NODE_USE_ENV_PROXY=1 (Node 22+ ignores those env vars by default). `primitive doctor` reports the local environment in one shot.",
 	ECONNREFUSED: "Hint: the server refused the connection. Check that your firewall allows egress to *.primitive.dev, that your PRIMITIVE_API_BASE_URL_* overrides (if any) point at a reachable host, and re-run with NODE_USE_ENV_PROXY=1 if you're behind a proxy. `primitive doctor` reports the local environment in one shot.",
@@ -12393,7 +12393,7 @@ function surfaceUnauthorizedHint(params) {
 		process.stderr.write("Saved Primitive CLI credentials were rejected by the overridden API base URL. The saved credential is preserved; unset PRIMITIVE_API_BASE_URL_1, run `primitive config reset` to clear configured URL overrides, or run `primitive logout` to remove the stored credential.\n");
 		return;
 	}
-	process.stderr.write("Your saved Primitive CLI OAuth session was rejected. If the command was working a moment ago, please retry; brief retries often clear transient rejections. If it keeps failing, run `primitive logout && primitive login` to mint a fresh session.\n");
+	process.stderr.write("Your saved Primitive CLI OAuth session was rejected. If the command was working a moment ago, please retry; brief retries often clear transient rejections. If it keeps failing, run `primitive logout && primitive signin` to mint a fresh session.\n");
 }
 function formatElapsed(ms) {
 	const seconds = ms / 1e3;
@@ -12756,11 +12756,11 @@ function sleep$1(ms) {
 //#region src/oclif/commands/chat.ts
 const DEFAULT_CHAT_TIMEOUT_SECONDS = 120;
 const DEFAULT_STRICT_PHASE_SECONDS = 60;
-function cliError$5(message) {
+function cliError$6(message) {
 	return new Errors.CLIError(message, { exit: 1 });
 }
 async function readStdinToString() {
-	if (process.stdin.isTTY) throw cliError$5("No message provided. Pass the message as the second positional argument or pipe it via stdin.");
+	if (process.stdin.isTTY) throw cliError$6("No message provided. Pass the message as the second positional argument or pipe it via stdin.");
 	const chunks = [];
 	for await (const chunk of process.stdin) chunks.push(typeof chunk === "string" ? Buffer.from(chunk) : chunk);
 	return Buffer.concat(chunks).toString("utf8");
@@ -12796,7 +12796,7 @@ var ChatCommand = class ChatCommand extends Command {
 	};
 	static flags = {
 		"api-key": Flags.string({
-			description: "Primitive API key (defaults to PRIMITIVE_API_KEY or saved `primitive login` credentials)",
+			description: "Primitive API key (defaults to PRIMITIVE_API_KEY or saved `primitive signin` credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
 		"api-base-url-1": Flags.string({
@@ -12841,7 +12841,7 @@ var ChatCommand = class ChatCommand extends Command {
 	async run() {
 		const { args, flags } = await this.parse(ChatCommand);
 		const message = args.message !== void 0 && args.message !== "" ? args.message : await readStdinToString();
-		if (!message.trim()) throw cliError$5("Message body is empty.");
+		if (!message.trim()) throw cliError$6("Message body is empty.");
 		await runWithTiming(flags.time, async () => {
 			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
@@ -12879,7 +12879,7 @@ var ChatCommand = class ChatCommand extends Command {
 				return;
 			}
 			const sent = sendResult.data?.data;
-			if (!sent) throw cliError$5("Send succeeded but the API returned no data.");
+			if (!sent) throw cliError$6("Send succeeded but the API returned no data.");
 			const reply = await waitForReply({
 				apiClient,
 				authFailureContext,
@@ -13203,23 +13203,23 @@ function checkApiKey(opts) {
 		if (typeof parsed?.api_key === "string" && parsed.api_key.length > 0) return {
 			status: "fail",
 			message: `${credsPath} contains legacy API-key login state`,
-			hint: "Run `primitive login` to create saved OAuth credentials. Existing API keys still work with --api-key or PRIMITIVE_API_KEY."
+			hint: "Run `primitive signin` to create saved OAuth credentials. Existing API keys still work with --api-key or PRIMITIVE_API_KEY."
 		};
 		if (parsed) return {
 			status: "fail",
 			message: `${credsPath} exists but contains no OAuth access_token`,
-			hint: "Run `primitive logout` to clear it, then `primitive login` to recreate."
+			hint: "Run `primitive logout` to clear it, then `primitive signin` to recreate."
 		};
 		return {
 			status: "fail",
 			message: `${credsPath} exists but is unreadable or malformed${parseError ? ` (${parseError})` : ""}`,
-			hint: "Run `primitive logout` to clear it, then `primitive login` to recreate."
+			hint: "Run `primitive logout` to clear it, then `primitive signin` to recreate."
 		};
 	}
 	return {
 		status: "fail",
 		message: "no CLI OAuth session or explicit API key found",
-		hint: "Run `primitive login`, pass --api-key explicitly, or export PRIMITIVE_API_KEY=prim_..."
+		hint: "Run `primitive signin`, pass --api-key explicitly, or export PRIMITIVE_API_KEY=prim_..."
 	};
 }
 async function checkAccount(client) {
@@ -13489,7 +13489,7 @@ var EmailsLatestCommand = class EmailsLatestCommand extends Command {
 //#endregion
 //#region src/oclif/commands/emails-wait.ts
 const DEFAULT_WAIT_TIMEOUT_SECONDS$1 = 300;
-function cliError$4(message) {
+function cliError$5(message) {
 	return new Errors.CLIError(message, { exit: 1 });
 }
 var EmailsWaitCommand = class EmailsWaitCommand extends Command {
@@ -13564,7 +13564,7 @@ var EmailsWaitCommand = class EmailsWaitCommand extends Command {
 		try {
 			since = sinceFromFlags(flags);
 		} catch (error) {
-			throw cliError$4(error instanceof Error ? error.message : String(error));
+			throw cliError$5(error instanceof Error ? error.message : String(error));
 		}
 		const filters = filtersFromFlags(flags);
 		const deadline = flags.timeout === 0 ? null : Date.now() + flags.timeout * 1e3;
@@ -13615,7 +13615,7 @@ var EmailsWaitCommand = class EmailsWaitCommand extends Command {
 };
 //#endregion
 //#region src/oclif/commands/emails-watch.ts
-function cliError$3(message) {
+function cliError$4(message) {
 	return new Errors.CLIError(message, { exit: 1 });
 }
 var EmailsWatchCommand = class EmailsWatchCommand extends Command {
@@ -13686,7 +13686,7 @@ var EmailsWatchCommand = class EmailsWatchCommand extends Command {
 		try {
 			since = sinceFromFlags(flags);
 		} catch (error) {
-			throw cliError$3(error instanceof Error ? error.message : String(error));
+			throw cliError$4(error instanceof Error ? error.message : String(error));
 		}
 		const filters = filtersFromFlags(flags);
 		const deadline = flags.seconds ? Date.now() + flags.seconds * 1e3 : null;
@@ -14731,7 +14731,7 @@ The deploy step calls \`primitive functions deploy\` (provided by the
 \`npm install -g @primitivedotdev/cli\` or run via
 \`npx @primitivedotdev/cli@latest <command>\`). It requires
 \`PRIMITIVE_API_KEY\` to be set in your shell (or pass \`--api-key\`).
-Run \`primitive login\` once to save a key in your CLI config if you
+Run \`primitive signin\` once to save a key in your CLI config if you
 prefer that to an env var.
 `;
 }
@@ -15790,7 +15790,7 @@ var FunctionsTestFunctionCommand = class FunctionsTestFunctionCommand extends Co
 //#endregion
 //#region src/oclif/commands/login.ts
 const MAX_CLI_LOGIN_POLL_INTERVAL_SECONDS = 60;
-function cliError$2(message) {
+function cliError$3(message) {
 	return new Errors.CLIError(message, { exit: 1 });
 }
 function sleep(ms) {
@@ -15866,7 +15866,7 @@ async function checkExistingLogin(params) {
 		message: code === API_ERROR_CODES.unauthorized ? "Saved Primitive CLI OAuth credentials were rejected by an API URL different from the one they were saved with. Run `primitive logout` to remove them, or switch back to the original environment before logging in again." : "A saved Primitive CLI OAuth session exists, but the CLI could not verify whether it is still valid. Run `primitive logout` before logging in again."
 	};
 }
-var LoginCommand = class LoginCommand extends Command {
+var LoginCommand = class extends Command {
 	static description = "Log in by opening Primitive in your browser and saving an org-scoped OAuth session locally.";
 	static summary = "Log in with browser approval";
 	static examples = [
@@ -15884,24 +15884,28 @@ var LoginCommand = class LoginCommand extends Command {
 		"no-browser": Flags.boolean({ description: "Do not attempt to open the browser automatically" }),
 		force: Flags.boolean({
 			char: "f",
-			description: "Replace saved credentials without first verifying the existing login"
+			description: "Replace saved credentials without first verifying the existing session"
 		})
 	};
 	async run() {
-		const { flags } = await this.parse(LoginCommand);
+		const commandClass = this.constructor;
+		const { flags } = await this.parse(commandClass);
 		let releaseCredentialsLock;
 		try {
 			releaseCredentialsLock = acquireCliCredentialsLock(this.config.configDir);
 		} catch (error) {
-			throw cliError$2(error instanceof Error ? error.message : String(error));
+			throw cliError$3(error instanceof Error ? error.message : String(error));
 		}
 		try {
-			await this.runWithCredentialLock(flags);
+			await this.runWithCredentialLock(flags, this.retryCommand());
 		} finally {
 			releaseCredentialsLock();
 		}
 	}
-	async runWithCredentialLock(flags) {
+	retryCommand() {
+		return "login";
+	}
+	async runWithCredentialLock(flags, retryCommand) {
 		const { apiClient, requestConfig } = createCliApiClient({
 			apiBaseUrl1: flags["api-base-url-1"],
 			configDir: this.config.configDir
@@ -15927,8 +15931,8 @@ var LoginCommand = class LoginCommand extends Command {
 			if (existingStatus.status === "removed_stale") process.stderr.write("Continuing with a new Primitive CLI login...\n");
 			else if (existingStatus.status === "blocked") {
 				writeErrorWithHints(existingStatus.payload);
-				throw cliError$2(existingStatus.message);
-			} else throw cliError$2(`Already logged in${existing.org_name ? ` for ${existing.org_name}` : ""}. Run \`primitive logout\` before logging in again.`);
+				throw cliError$3(existingStatus.message);
+			} else throw cliError$3(`Already logged in${existing.org_name ? ` for ${existing.org_name}` : ""}. Run \`primitive logout\` before logging in again.`);
 		}
 		const started = await startCliLogin({
 			body: { device_name: flags["device-name"] ?? hostname() },
@@ -15937,11 +15941,11 @@ var LoginCommand = class LoginCommand extends Command {
 		});
 		if (started.error) {
 			writeErrorWithHints(extractErrorPayload(started.error));
-			throw cliError$2("Could not start Primitive CLI login.");
+			throw cliError$3("Could not start Primitive CLI login.");
 		}
 		const start = unwrapData$2(started.data);
-		if (!start) throw cliError$2("Primitive API returned an empty CLI login response.");
-		process.stderr.write(`Your login code is: ${start.user_code}\n`);
+		if (!start) throw cliError$3("Primitive API returned an empty CLI login response.");
+		process.stderr.write(`Your sign-in code is: ${start.user_code}\n`);
 		if (!flags["no-browser"]) {
 			openBrowser(start.verification_uri_complete);
 			process.stderr.write("Opening Primitive in your browser...\n");
@@ -15961,7 +15965,7 @@ var LoginCommand = class LoginCommand extends Command {
 			});
 			if (polled.data) {
 				const login = unwrapData$2(polled.data);
-				if (!login) throw cliError$2("Primitive API returned an empty CLI poll response.");
+				if (!login) throw cliError$3("Primitive API returned an empty CLI poll response.");
 				saveCliCredentials(this.config.configDir, {
 					access_token: login.access_token,
 					api_base_url_1: apiBaseUrl1,
@@ -15991,25 +15995,25 @@ var LoginCommand = class LoginCommand extends Command {
 				nextPollDelay = interval;
 				continue;
 			}
-			if (code === API_ERROR_CODES.accessDenied) throw cliError$2("Primitive CLI login was denied in the browser.");
-			if (code === API_ERROR_CODES.expiredToken) throw cliError$2("Primitive CLI login expired. Run `primitive login` again.");
-			if (code === API_ERROR_CODES.invalidDeviceCode) throw cliError$2("Primitive CLI login device code is invalid. Run `primitive login` again.");
+			if (code === API_ERROR_CODES.accessDenied) throw cliError$3("Primitive CLI login was denied in the browser.");
+			if (code === API_ERROR_CODES.expiredToken) throw cliError$3(`Primitive CLI login expired. Run \`primitive ${retryCommand}\` again.`);
+			if (code === API_ERROR_CODES.invalidDeviceCode) throw cliError$3(`Primitive CLI login device code is invalid. Run \`primitive ${retryCommand}\` again.`);
 			writeErrorWithHints(payload);
-			throw cliError$2("Primitive CLI login failed while polling for approval.");
+			throw cliError$3("Primitive CLI login failed while polling for approval.");
 		}
-		throw cliError$2("Primitive CLI login expired. Run `primitive login` again.");
+		throw cliError$3(`Primitive CLI login expired. Run \`primitive ${retryCommand}\` again.`);
 	}
 };
 //#endregion
 //#region src/oclif/commands/logout.ts
-function cliError$1(message) {
+function cliError$2(message) {
 	return new Errors.CLIError(message, { exit: 1 });
 }
 function unwrapData$1(value) {
 	return value?.data ?? null;
 }
 function isSavedOAuthSessionExpiredError(error) {
-	return error instanceof Error && error.message === "Saved Primitive CLI OAuth session expired or was revoked. Run `primitive login` to authenticate again.";
+	return error instanceof Error && error.message === "Saved Primitive CLI OAuth session expired or was revoked. Run `primitive signin` to authenticate again.";
 }
 async function runLogoutWithCredentialLock(params) {
 	const deps = {
@@ -16027,7 +16031,7 @@ async function runLogoutWithCredentialLock(params) {
 		process.exitCode = 1;
 		return;
 	}
-	if (!credentials) throw cliError$1("Not logged in. Run `primitive login` to create saved CLI credentials.");
+	if (!credentials) throw cliError$2("Not logged in. Run `primitive signin` to create saved CLI credentials.");
 	let authenticated;
 	try {
 		authenticated = await deps.createAuthenticatedCliApiClient({
@@ -16059,7 +16063,7 @@ async function runLogoutWithCredentialLock(params) {
 			return;
 		}
 		writeErrorWithHints(payload);
-		throw cliError$1("Could not revoke the saved Primitive CLI OAuth grant.");
+		throw cliError$2("Could not revoke the saved Primitive CLI OAuth grant.");
 	}
 	const logout = unwrapData$1(result.data);
 	deleteCliCredentials(params.configDir);
@@ -16081,7 +16085,7 @@ var LogoutCommand = class LogoutCommand extends Command {
 		try {
 			releaseCredentialsLock = acquireCliCredentialsLock(this.config.configDir);
 		} catch (error) {
-			throw cliError$1(error instanceof Error ? error.message : String(error));
+			throw cliError$2(error instanceof Error ? error.message : String(error));
 		}
 		try {
 			await runLogoutWithCredentialLock({
@@ -16401,7 +16405,14 @@ const EXPIRED_TOKEN = "expired_token";
 const INVALID_SIGNUP_TOKEN = "invalid_signup_token";
 const SLOW_DOWN = "slow_down";
 const PENDING_SIGNUP_FILE = "signup.json";
-function cliError(message) {
+const DEFAULT_SIGNUP_COMMAND_COPY = {
+	actionNoun: "signup",
+	actionGerund: "creating a new account",
+	confirmCommand: (email) => `signup confirm ${email} <code>`,
+	resendCommand: (email) => `signup resend ${email}`,
+	startCommand: (email) => `signup ${email}`
+};
+function cliError$1(message) {
 	return new Errors.CLIError(message, { exit: 1 });
 }
 function unwrapData(value) {
@@ -16490,9 +16501,10 @@ function loadPendingAgentSignup(configDir, apiBaseUrl1) {
 	};
 }
 function requirePendingSignupForEmail(params) {
+	const copy = params.copy ?? DEFAULT_SIGNUP_COMMAND_COPY;
 	const pending = loadPendingAgentSignup(params.configDir, params.apiBaseUrl1);
-	if (!pending) throw cliError(`No pending signup for ${params.email}. Run \`primitive signup ${params.email}\` first.`);
-	if (normalizeEmail(pending.email) !== normalizeEmail(params.email)) throw cliError(`Pending signup is for ${pending.email}, not ${params.email}. Run \`primitive signup ${params.email} --force\` to replace it.`);
+	if (!pending) throw cliError$1(`No pending ${copy.actionNoun} for ${params.email}. Run \`primitive ${copy.startCommand(params.email)}\` first.`);
+	if (normalizeEmail(pending.email) !== normalizeEmail(params.email)) throw cliError$1(`Pending ${copy.actionNoun} is for ${pending.email}, not ${params.email}. Run \`primitive ${copy.startCommand(params.email)} --force\` to replace it.`);
 	return pending;
 }
 function retryAfterSeconds(result) {
@@ -16529,13 +16541,14 @@ async function promptRequired(question) {
 	}
 }
 async function confirmTerms() {
-	process$1.stderr.write("By creating an account, you agree to Primitive's Terms of Service and Privacy Policy:\n");
+	process$1.stderr.write("By continuing, you agree to Primitive's Terms of Service and Privacy Policy:\n");
 	process$1.stderr.write("  https://primitive.dev/terms\n");
 	process$1.stderr.write("  https://primitive.dev/privacy\n");
 	const answer = (await promptRequired("Type 'yes' to continue: ")).toLowerCase();
-	if (answer !== "yes" && answer !== "y") throw cliError("You must accept the terms to create an account.");
+	if (answer !== "yes" && answer !== "y") throw cliError$1("You must accept the terms to create an account.");
 }
 async function checkExistingCredentials(params) {
+	const copy = params.copy ?? DEFAULT_SIGNUP_COMMAND_COPY;
 	const checkExistingLoginFn = params.deps.checkExistingLogin ?? checkExistingLogin;
 	let existing;
 	try {
@@ -16547,7 +16560,7 @@ async function checkExistingCredentials(params) {
 		existing = null;
 	}
 	if (existing && params.flags.force) {
-		process$1.stderr.write("Replacing saved Primitive CLI credentials after signup because --force was set.\n");
+		process$1.stderr.write(`Replacing saved Primitive CLI credentials after ${copy.actionNoun} because --force was set.\n`);
 		return;
 	}
 	if (!existing) return;
@@ -16563,9 +16576,9 @@ async function checkExistingCredentials(params) {
 	}
 	if (existingStatus.status === "blocked") {
 		writeErrorWithHints(existingStatus.payload);
-		throw cliError(existingStatus.message);
+		throw cliError$1(existingStatus.message);
 	}
-	throw cliError(`Already logged in${existing.org_name ? ` for ${existing.org_name}` : ""}. Run \`primitive logout\` before creating a new account.`);
+	throw cliError$1(`Already logged in${existing.org_name ? ` for ${existing.org_name}` : ""}. Run \`primitive logout\` before ${copy.actionGerund}.`);
 }
 function saveSignupCredentials(params) {
 	saveCliCredentials(params.configDir, {
@@ -16582,23 +16595,24 @@ function saveSignupCredentials(params) {
 		token_type: params.signup.token_type
 	});
 }
-function writeStartInstructions(start) {
+function writeStartInstructions(start, copy = DEFAULT_SIGNUP_COMMAND_COPY) {
 	process$1.stderr.write(`Sent a ${start.verification_code_length}-digit verification code to ${start.email}.\n`);
 	process$1.stderr.write(`The code expires in ${formatSignupSeconds(start.expires_in)}.\n`);
-	process$1.stderr.write(`Run \`primitive signup confirm ${start.email} <code>\` to finish.\n`);
+	process$1.stderr.write(`Run \`primitive ${copy.confirmCommand(start.email)}\` to finish.\n`);
 }
 async function startSignup(params) {
+	const copy = params.copy ?? DEFAULT_SIGNUP_COMMAND_COPY;
 	const existingPending = loadPendingAgentSignup(params.configDir, params.apiBaseUrl1);
 	if (existingPending && !params.flags.force) {
 		if (normalizeEmail(existingPending.email) === normalizeEmail(params.email)) {
-			process$1.stderr.write(`Continuing pending Primitive signup for ${existingPending.email}.\n`);
-			process$1.stderr.write(`Run \`primitive signup confirm ${existingPending.email} <code>\` to finish, or \`primitive signup resend ${existingPending.email}\` to send a new code.\n`);
+			process$1.stderr.write(`Continuing pending Primitive ${copy.actionNoun} for ${existingPending.email}.\n`);
+			process$1.stderr.write(`Run \`primitive ${copy.confirmCommand(existingPending.email)}\` to finish, or \`primitive ${copy.resendCommand(existingPending.email)}\` to send a new code.\n`);
 			return {
 				pending: existingPending,
 				started: false
 			};
 		}
-		throw cliError(`Pending signup is for ${existingPending.email}. Run \`primitive signup ${params.email} --force\` to replace it.`);
+		throw cliError$1(`Pending ${copy.actionNoun} is for ${existingPending.email}. Run \`primitive ${copy.startCommand(params.email)} --force\` to replace it.`);
 	}
 	if (params.flags.force) deletePendingAgentSignup(params.configDir);
 	const promptRequiredFn = params.deps.promptRequired ?? promptRequired;
@@ -16618,10 +16632,10 @@ async function startSignup(params) {
 	});
 	if (started.error) {
 		writeErrorWithHints(extractErrorPayload(started.error));
-		throw cliError("Could not start Primitive agent signup.");
+		throw cliError$1("Could not start Primitive agent signup.");
 	}
 	const startResult = unwrapData(started.data);
-	if (!startResult) throw cliError("Primitive API returned an empty agent signup response.");
+	if (!startResult) throw cliError$1("Primitive API returned an empty agent signup response.");
 	return {
 		pending: savePendingAgentSignup(params.configDir, startResult, params.apiBaseUrl1),
 		started: true
@@ -16659,7 +16673,7 @@ async function resendVerificationCode(params) {
 	}
 	if (code === EXPIRED_TOKEN || code === INVALID_SIGNUP_TOKEN) deletePendingAgentSignup(params.configDir);
 	writeErrorWithHints(payload);
-	throw cliError("Could not resend Primitive agent signup verification email.");
+	throw cliError$1("Could not resend Primitive agent signup verification email.");
 }
 async function runSignupStartWithCredentialLock(params) {
 	const { configDir, flags } = params;
@@ -16669,6 +16683,7 @@ async function runSignupStartWithCredentialLock(params) {
 	await checkExistingCredentials({
 		apiBaseUrl1: flags["api-base-url-1"],
 		configDir,
+		copy: params.copy,
 		deps,
 		flags
 	});
@@ -16680,11 +16695,12 @@ async function runSignupStartWithCredentialLock(params) {
 		apiBaseUrl1: requestConfig.resolvedApiBaseUrl1,
 		apiClient,
 		configDir,
+		copy: params.copy,
 		deps,
 		email,
 		flags
 	});
-	if (start.started) writeStartInstructions(start.pending);
+	if (start.started) writeStartInstructions(start.pending, params.copy);
 }
 async function runSignupConfirmWithCredentialLock(params) {
 	const { configDir, flags } = params;
@@ -16692,6 +16708,7 @@ async function runSignupConfirmWithCredentialLock(params) {
 	if (!params.skipExistingCredentialCheck) await checkExistingCredentials({
 		apiBaseUrl1: flags["api-base-url-1"],
 		configDir,
+		copy: params.copy,
 		deps,
 		flags
 	});
@@ -16702,6 +16719,7 @@ async function runSignupConfirmWithCredentialLock(params) {
 	const apiBaseUrl1 = requestConfig.resolvedApiBaseUrl1;
 	const pending = requirePendingSignupForEmail({
 		apiBaseUrl1,
+		copy: params.copy,
 		configDir,
 		email: params.email
 	});
@@ -16716,7 +16734,7 @@ async function runSignupConfirmWithCredentialLock(params) {
 	});
 	if (verified.data) {
 		const signup = unwrapData(verified.data);
-		if (!signup) throw cliError("Primitive API returned an empty agent signup verification response.");
+		if (!signup) throw cliError$1("Primitive API returned an empty agent signup verification response.");
 		saveSignupCredentials({
 			apiBaseUrl1,
 			configDir,
@@ -16730,10 +16748,10 @@ async function runSignupConfirmWithCredentialLock(params) {
 	}
 	const payload = extractErrorPayload(verified.error);
 	const code = extractErrorCode(payload);
-	if (code === INVALID_VERIFICATION_CODE) throw cliError("Invalid verification code. Try again or run signup resend.");
+	if (code === INVALID_VERIFICATION_CODE) throw cliError$1(`Invalid verification code. Try again or run ${(params.copy ?? DEFAULT_SIGNUP_COMMAND_COPY).resendCommand(params.email)}.`);
 	if (code === EXPIRED_TOKEN || code === INVALID_SIGNUP_TOKEN) deletePendingAgentSignup(configDir);
 	writeErrorWithHints(payload);
-	throw cliError("Primitive agent signup failed while verifying the account.");
+	throw cliError$1("Primitive agent signup failed while verifying the account.");
 }
 async function runSignupResendWithCredentialLock(params) {
 	const deps = params.deps ?? {};
@@ -16743,6 +16761,7 @@ async function runSignupResendWithCredentialLock(params) {
 	});
 	const pending = requirePendingSignupForEmail({
 		apiBaseUrl1: requestConfig.resolvedApiBaseUrl1,
+		copy: params.copy,
 		configDir: params.configDir,
 		email: params.email
 	});
@@ -16857,7 +16876,7 @@ var SignupCommand = class SignupCommand extends Command {
 		try {
 			releaseCredentialsLock = acquireCliCredentialsLock(this.config.configDir);
 		} catch (error) {
-			throw cliError(error instanceof Error ? error.message : String(error));
+			throw cliError$1(error instanceof Error ? error.message : String(error));
 		}
 		try {
 			await runSignupStartWithCredentialLock({
@@ -16902,7 +16921,7 @@ var SignupConfirmCommand = class SignupConfirmCommand extends Command {
 		try {
 			releaseCredentialsLock = acquireCliCredentialsLock(this.config.configDir);
 		} catch (error) {
-			throw cliError(error instanceof Error ? error.message : String(error));
+			throw cliError$1(error instanceof Error ? error.message : String(error));
 		}
 		try {
 			await runSignupConfirmWithCredentialLock({
@@ -16935,7 +16954,7 @@ var SignupResendCommand = class SignupResendCommand extends Command {
 		try {
 			releaseCredentialsLock = acquireCliCredentialsLock(this.config.configDir);
 		} catch (error) {
-			throw cliError(error instanceof Error ? error.message : String(error));
+			throw cliError$1(error instanceof Error ? error.message : String(error));
 		}
 		try {
 			await runSignupResendWithCredentialLock({
@@ -16959,7 +16978,7 @@ var SignupInteractiveCommand = class SignupInteractiveCommand extends Command {
 		try {
 			releaseCredentialsLock = acquireCliCredentialsLock(this.config.configDir);
 		} catch (error) {
-			throw cliError(error instanceof Error ? error.message : String(error));
+			throw cliError$1(error instanceof Error ? error.message : String(error));
 		}
 		try {
 			await runSignupInteractiveWithCredentialLock({
@@ -16972,6 +16991,167 @@ var SignupInteractiveCommand = class SignupInteractiveCommand extends Command {
 	}
 };
 //#endregion
+//#region src/oclif/commands/signin.ts
+function cliError(message) {
+	return new Errors.CLIError(message, { exit: 1 });
+}
+const SIGNIN_OTP_COPY = {
+	actionNoun: "sign-in",
+	actionGerund: "signing in",
+	confirmCommand: (email) => `signin otp confirm ${email} <code>`,
+	resendCommand: (email) => `signin otp resend ${email}`,
+	startCommand: (email) => `signin otp ${email}`
+};
+function acquireCredentialsLock(configDir) {
+	try {
+		return acquireCliCredentialsLock(configDir);
+	} catch (error) {
+		throw cliError(error instanceof Error ? error.message : String(error));
+	}
+}
+function commonOtpStartFlags() {
+	return {
+		"accept-terms": Flags.boolean({ description: "Confirm acceptance of Primitive's Terms of Service and Privacy Policy" }),
+		"api-base-url-1": Flags.string({
+			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
+			env: "PRIMITIVE_API_BASE_URL_1",
+			hidden: true
+		}),
+		"device-name": Flags.string({ description: "Device name used for the created CLI OAuth session" }),
+		force: Flags.boolean({
+			char: "f",
+			description: "Replace saved credentials or pending sign-in state when needed"
+		}),
+		"signup-code": Flags.string({
+			description: "Signup code required to start OTP sign-in",
+			env: "PRIMITIVE_SIGNUP_CODE"
+		})
+	};
+}
+var SigninCommand = class extends LoginCommand {
+	static description = `Sign in to an existing Primitive account with browser approval and save an org-scoped OAuth session locally.
+
+This is the canonical sign-in command. It defaults to the same browser approval flow as \`primitive signin browser\`. For email-code sign-in, use \`primitive signin otp <email> --signup-code <code>\`, then \`primitive signin otp confirm <email> <code>\`. For new account creation, use \`primitive signup <email>\`.`;
+	static summary = "Sign in to an existing account";
+	static examples = [
+		"<%= config.bin %> signin",
+		"<%= config.bin %> signin browser",
+		"<%= config.bin %> signin --no-browser",
+		"<%= config.bin %> signin otp user@example.com --signup-code invite-code --accept-terms",
+		"<%= config.bin %> signin otp confirm user@example.com 123456"
+	];
+	retryCommand() {
+		return "signin";
+	}
+};
+var SigninBrowserCommand = class extends LoginCommand {
+	static description = "Sign in to an existing Primitive account by opening Primitive in your browser and saving an org-scoped OAuth session locally.";
+	static summary = "Sign in with browser approval";
+	static examples = [
+		"<%= config.bin %> signin browser",
+		"<%= config.bin %> signin browser --device-name work-laptop",
+		"<%= config.bin %> signin browser --no-browser",
+		"<%= config.bin %> signin browser --force"
+	];
+	retryCommand() {
+		return "signin browser";
+	}
+};
+var SigninOtpCommand = class SigninOtpCommand extends Command {
+	static args = { email: Args.string({
+		description: "Email address to sign in with",
+		required: false
+	}) };
+	static description = "Start email-code sign-in using Primitive's signup/auth OTP flow, send a verification code, and save the pending token locally. Requires a signup code.";
+	static summary = "Start OTP sign-in";
+	static examples = ["<%= config.bin %> signin otp user@example.com --signup-code invite-code --accept-terms", "<%= config.bin %> signin otp confirm user@example.com 123456"];
+	static flags = commonOtpStartFlags();
+	async run() {
+		const { args, flags } = await this.parse(SigninOtpCommand);
+		const releaseCredentialsLock = acquireCredentialsLock(this.config.configDir);
+		try {
+			await runSignupStartWithCredentialLock({
+				configDir: this.config.configDir,
+				copy: SIGNIN_OTP_COPY,
+				email: args.email,
+				flags
+			});
+		} finally {
+			releaseCredentialsLock();
+		}
+	}
+};
+var SigninOtpConfirmCommand = class SigninOtpConfirmCommand extends Command {
+	static args = {
+		email: Args.string({
+			description: "Email address used to start OTP sign-in",
+			required: true
+		}),
+		code: Args.string({
+			description: "Verification code from the sign-in email",
+			required: true
+		})
+	};
+	static description = "Confirm a pending OTP sign-in, create an OAuth session, and save CLI credentials locally.";
+	static summary = "Confirm OTP sign-in";
+	static examples = ["<%= config.bin %> signin otp confirm user@example.com 123456", "<%= config.bin %> signin otp confirm user@example.com 123456 --org-id 00000000-0000-4000-8000-000000000000"];
+	static flags = {
+		"api-base-url-1": Flags.string({
+			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
+			env: "PRIMITIVE_API_BASE_URL_1",
+			hidden: true
+		}),
+		force: Flags.boolean({
+			char: "f",
+			description: "Replace saved credentials after verification"
+		}),
+		"org-id": Flags.string({ description: "Workspace id to target when the email belongs to multiple workspaces" })
+	};
+	async run() {
+		const { args, flags } = await this.parse(SigninOtpConfirmCommand);
+		const releaseCredentialsLock = acquireCredentialsLock(this.config.configDir);
+		try {
+			await runSignupConfirmWithCredentialLock({
+				code: args.code,
+				configDir: this.config.configDir,
+				copy: SIGNIN_OTP_COPY,
+				email: args.email,
+				flags
+			});
+		} finally {
+			releaseCredentialsLock();
+		}
+	}
+};
+var SigninOtpResendCommand = class SigninOtpResendCommand extends Command {
+	static args = { email: Args.string({
+		description: "Email address used to start OTP sign-in",
+		required: true
+	}) };
+	static description = "Resend the verification code for a pending OTP sign-in.";
+	static summary = "Resend OTP sign-in code";
+	static examples = ["<%= config.bin %> signin otp resend user@example.com"];
+	static flags = { "api-base-url-1": Flags.string({
+		description: "Override the primary API base URL. Internal testing only; not documented to customers.",
+		env: "PRIMITIVE_API_BASE_URL_1",
+		hidden: true
+	}) };
+	async run() {
+		const { args, flags } = await this.parse(SigninOtpResendCommand);
+		const releaseCredentialsLock = acquireCredentialsLock(this.config.configDir);
+		try {
+			await runSignupResendWithCredentialLock({
+				configDir: this.config.configDir,
+				copy: SIGNIN_OTP_COPY,
+				email: args.email,
+				flags
+			});
+		} finally {
+			releaseCredentialsLock();
+		}
+	}
+};
+//#endregion
 //#region src/oclif/commands/whoami.ts
 var WhoamiCommand = class WhoamiCommand extends Command {
 	static description = `Print the account currently authenticated by saved OAuth credentials or an explicit API key. Useful as a credentials smoke test: confirms auth is live and shows which account it belongs to.`;
@@ -17243,6 +17423,11 @@ const COMMANDS = {
 	reply: ReplyCommand,
 	chat: ChatCommand,
 	login: LoginCommand,
+	signin: SigninCommand,
+	"signin:browser": SigninBrowserCommand,
+	"signin:otp": SigninOtpCommand,
+	"signin:otp:confirm": SigninOtpConfirmCommand,
+	"signin:otp:resend": SigninOtpResendCommand,
 	signup: SignupCommand,
 	"signup:confirm": SignupConfirmCommand,
 	"signup:interactive": SignupInteractiveCommand,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@primitivedotdev/cli",
-  "version": "0.31.2",
+  "version": "0.31.3",
   "description": "Official Primitive CLI: deploy Primitive Functions, send and inspect mail, manage endpoints, all from the terminal. Wraps the @primitivedotdev/sdk runtime client with one-shot commands.",
   "type": "module",
   "sideEffects": false,
@@ -46,6 +46,9 @@
       "sending": {
         "description": "Send outbound emails. Prefer `primitive send` for fresh sends and `primitive reply --id <inbound-id>` for replies; use `primitive sending list`, `primitive sending get`, and `primitive sending permissions` for outbound history and permissions."
       },
+      "signin": {
+        "description": "Sign in to an existing Primitive account"
+      },
       "sent": {
         "description": "Short aliases for outbound sent-email history: `primitive sent list` and `primitive sent get`."
       },